throbber
VIRNETX EXHIBIT 2008
`Apple v. VirnetX
`Trial IPR2015-008(cid:25)(cid:28)
`
`

`
`LinLg{31§[e:e§S'§)g,—‘§x£{T(}(5l(g’§s(Ja-II).,ED Document 194-?‘ Filed 12130103 Page 3 of 26 P8.gefi,l2g?:I2%%£§
`
`Definitions
`
`3DES (Triple DES)
`Using three DE_S_ encryptions on a single data block, with at least two different keys, to get higher
`security than is available from a single DES pass- The three—key version of 3DES is the default
`encryption algorithm for _I:_,__i_1"’!T'|;‘|“§*(ml:l‘§§§_/“wé;El‘_.
`
`_I;[iS_l;1Q aiways does SDES with three different keys, as required by RFC 2451. For an explanation
`Of the tW0—key Variant, S66 :mo_.1;_cy_t_1.:i.plel_3_E§. Both use an
`enc1'ypt—dec1‘ypt-encrpyt
`sequence of operations.
`
`Single DES is
`
`Double DES is ineffective. Using two 56-bit keys, one might expect an attacker to have to do 2112
`work. to break it. In fact, only 257 work is required with a rr1_c_=.__t_:_t_-_i_r_1_;_t_li_e;«mn_1i§,i_t,i,l,emattacl-;, though a
`large amount of memory is also required. Triple DES is vulnerable to a similar attack, but that just
`reduces the work factor from the 2163 one might expect to 2112. That provides adequate protection
`against ];t;ute__£ot;c_e attacks, and no better attack is lcnown.
`
`3DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per
`block. DES was designed for hardware implementation and includes some operations which are
`difficult in software. However, the speed we get is quite acceptable for many uses. See
`b_e_nchinark_s below for details.
`
`Active attack
`An attack in which the attacker does not merely eavesdrop (see ajttack) but takes action to
`change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is
`tl;i__e;_rr_1ifi_d1__e. In general, alighegigatipn is a usefiil defense against active attacks.
`AES '
`being developed
`standard to replace
`The Advanced Encryption Standard, a new
`by §~I_I_S__'l:, the US National Institute of Standards and Technology. DES used 64-bit blocks and a
`56~bit key. AES ciphers use A 128-bit block and are required to support 128, 192 and 256-bit keys.
`Some ofthem support other sizes as we1l..'Ihe larger block size helps resist hir_t11_day_aLtacks while
`the large key size prevents b_tute_£o_;ce,attac_ks.
`
`‘
`
`IIIO
`
`Fifteen proposals meeting NIST’s basic criteria were submitted in 1998 and subjected to intense
`discussion and analysis, "round one" evaluation. In August 1999, NEST narrowed the field to five
`"round two" candidates:
`Mars from IBM
`RQQ irotn RSA
`B.i.i.IJn§1.from two Belgian researchers
`fierpent, a British-Norwegiamlsraeli research collaboration
`,
`fiorn the consulting firm Counterpane
`-
`We expect I_I_’_S_E_.Q will eventually use the ABS winner, and we expect to see a winner (or more
`than one; there is an ongoing discussion on that point) declared in the summer of 2000.
`Adding one or more ABS ciphers to L_i_tn.1_2;_Er_e§S_M& W01-lid 136 useful undertaking; and
`considerable freely available code exists to start from. One complication is that our code is built
`for a 64-bit block cipher and ABS uses a 128-bit block. Volunteers via the rn_a_iling___li_s_t would be
`
`http :/flibertyfreeswan.org/freeswan__t:rees/freeswan— 1 .3/doc/g1ossary.html
`
`-
`
`2/21 /2002
`
`Page 2 of 25
`
`VNETOO221396
`
`

`
`. Case 6:07-cv-00080-LED Document 194-? Fiied 12f30lO8 Page 4 of 26 PagelD #: 8915
`Linux FreeS/WAN Glossary
`A
`page 3 of25
`
`welcome.
`
`For more information, see the I>llS.I_;.tES_I'1o_n1_e_nage‘or the 13.1.os;lg.._.....ip_-e.:;._L_ou1gaaE§_nage. For
`code and benchmarks see Brian Gladman's page.
`
`AH
`
`The 1E,SE_Q Authentication Header, added after the IP header. For details, see our _1__1_3f_§_EQ
`Overview document and/or RFC 2402..
`Alice and Bob
`.
`_
`A and B, the standard example users in writing on cryptography and coding theory. Carol and
`Dave join them for protocols which require more players.
`
`extends these with many others such as Eve the Eavesdropper and Victor the
`Verifier. His extensions seem to be in the process ofbecoming standard as well. See page 23 of
`aualtecjgrxatagaphx
`
`Alice and Bob have an amusing biography on the web.
`
`T ARPA
`see Qialifla
`
`ASIO
`
`Australian Security Intelligence Organisation.
`Asyntrnetric cryptography
`See 1L1.lplic key__c13cpLgr_a1i1y.
`Authentication
`Ensuring that a message originated from the expected sender and has not been altered on route.
`IPSEC uses authentication in two places:
`l_3_‘i_f_i1e;_‘_¥_Ie-,l1r3t1_ayri key exchanges to prevent
`- authenticating the players in
`__I31§gL.Ll_e_a_‘ttaclg§. This can be done in a number ofways. The methods supported by
`FreeS/WAN are discussed in our configuration document.
`0 authenticating paeketson an established §_._A_.__, either with a separate gn_._rt_hentig_at_ign___headei: or
`with the optional authentication in the ESL’, protocol. In either case, packet authentication
`"uses a hashed rnessaggathentication code technique.
`
`4
`
`Outside IPSEC, passwords are perhaps the most common authentication mechanism. Their
`filnction is essentially to authenticate the person's identity to the system. ?asswo1'ds are generally
`only as secure as the network they travel over. If you send a cleartext password over a tapped
`phone line or over a network with a packet sniffer on it, the security provided by that password
`becomes zero. Sending an encrypted password is no better, the attacker merely records it and
`reuses it at his convenience. This is called a gala: attack.
`A common solution to this problem is a g;_,__a_l_l_enge_~_rs_§po_nse system. This defeats simple
`eavesdropping and replay attacks. Ofcourse an attacker might still try to break the cryptographic
`algorithm used, or the
`generator.
`
`Automatic keying
`-
`A mode in which keys are automatically generated at connection establisment and new keys
`autornaically created periodically thereafter. Contrast with rnanuallceyiiig in Which ‘<1 single Stoffid
`key is used.
`
`htto://liberty.freeswan.org/freeswan__trees/freeswan—1 .3/doc/g10SSa1'Y-hliII11
`
`2/21/2002
`
`Page 3 of 25
`
`VN ETOO221397
`
`

`
`_ Case 6:O7—cv—00O80—LED Document 194-‘? A Filed 12/30l08 Page 5 of 26 Pa eID #: 8916
`age 4 of 25
`Linux FreeS/WAN Glossary
`
`
`
`IPSEC uses the Diffie- ellman ke exchange protocol to create keys. An authentication
`mechansim is required for this. The methods supported by FreeS/WAN are discussed in our
`cnniimtratinn document-
`
`Having an attacker break the authentication is emphaticaliy not a good idea. An attacker that
`breaks authentication, and manages to subvert some other network entities (DNS, routers or
`gateways), can use a rna;_1;j_rr-,t_he_rnig1dle_a;ta_c_1g to break the security of your IPSEC connections.
`
`However, having an attacker break the authentication in automatic keying is not quite as bad as
`losingthe key in manual keying.
`- An attacker who reads /6tC./lpSBC.COI1fEl1’ld gets the keys for a manually keyed connection
`can, without further effort, read all messages encrypted with those keys, including any old
`messages he may have archived.
`9 Automatic keying has a property called perfect forward secrecy. An attacker who breaks the
`authentication gets none of the automatically generated keys and cannot immediately read
`any messages. He has to mount a successful 1nan;in;_tl1e
`ttaclg in real time before he
`can read anything. He cannot read old archived messages
`nd will not be able to read
`any future messages not caught by man-in-thevmiddle tricks.
`That said, the secrets used for authentication, stored in ,i1;::._5:».€.3_c.:.§_€_;.tT,,r_o;:nt;;:.(.’.§”), should still be protected as
`tightly as cryptographic keys.
`flay Networks
`A vendor of routers, hubs and related products, now a subsidiary of Northern Telecom.
`Interoperation between their IPSEC products and Linux FreeS/WAN was problematic at last
`report; see our compatibility document.
`benchmarks
`Our default block cipher, tr-_ip;§;_12I:2__S__, is slower than many alternate ciphers that might be used.
`Speeds achieved, however, seem adequate for many purposes. For example, the assembler code
`from the 1J_ED_fi§_ library we use encrypts 1.6 megabytes per second on a Pentium 200, according
`to the test program supplied with the library.
`
`
`
`
`
`The University ofWales at Ab erystwyth has done quite detailed tests and put their results on the
`Vveb.
`
`Even a 486 can handle a T1 line, according to this mailing list message:
`
`IPSec Masquerade
`subject: Re: 1inux—ipsec:
`Date: Fri, 15 Jan 1999 11:13:22 ~O500
`From: Michael Richardson
`
`. A 486/66 has been clocked by Phil Karn to do
`.
`10Mb/s encryption..
`that uses all the CPU,
`so half that to get some CPU,
`and you have 5Mb/s. 1/3 that for 3DES and you get 1,6Mb/5....
`
`From an Internet Draft The ESP Triple DES Transform:
`
`Phil Karn has tuned DES-EDE3—CBC software to achieve 6.22 Mbps with a
`133 MHZ Pentium. Other DES speed estimates may be found at
`[Schneier95, page 279] . Your milage may vary.
`
`If you want to measure the loads FreeS/WAN puts on a system, note that tools such as top or
`measurements such as load average are more—or-less useless for this. They are not designed to
`measure something that does most of its work inside the kernel.
`
`http://liberty. freeswan.org/:EreesWanH_trees/fieeswan- 1 .3/doc/glossary.htm'l
`
`2/21/2002
`
`Page 4 of 25
`
`VNETOO221398
`
`

`
`Case 6:077-cv~O0O80—LED Document 194-7 Filed 12i30f08 Page 6 of 26 PagelD #: 8917
`Linux FreeSfWAN Glossary
`_
`Page; 5 of 25
`
`BIND
`
`Berkeley Internet Name Daemon, a Widely used implementation of Qlflfi (Domain Name Service).
`See our bibliography for a usefu_l_re_fe_renc_e_. See the l3_ll}I_l;J_h_qrne,,page for more information and
`the latest Version.
`
`Birthday attack
`A cryptographic attack based on the mathematics exemplified by the bir,tl;§_1__ay__,p,ar_a_do2g. This math
`turns up whenever the question of two cryptographic operations producing the same result
`becomes an issue:
`- collisions in mss_sag.erl.ige.st functions.
`o identical output blocks from a 121gg_<_;1c“_gj_.php;r
`- repetition of a challenge in a _r_.:h&1ge:r_esp_c+_t_1,se system
`Resisting such attacks is part of the motivation for:
`o hash algorithms such as _,S,_i_-__l_A and l__{yII_’1'*;l\__/_llQ;l(3_(_) giving a l60~bit result rather than the 128
`bits of MD4, MD5 and RIPEMD~128.
`.
`- _¢_§§ block ciphers using a 128-bit block instead of the 6-'-iwbit block of most current ciphers
`o l,R§_EQ using a 32-bit counter for packets sent on an au_tQ_;_n,ati_gai_ly,,,}_£_§y§£l EA. and requiring
`that the connection always be rekeyed before the counter overflows.
`Birthday paradox
`‘
`Not really a paradox, just a rather counter-intuitive mathematical fact. In a group of 23 people, the
`chance of a least one pair having the same birthday is over 50%.
`
`The second person has 1 chance in 365 (ignoring leap years) ofmatching the first If they don't
`match, the third person's chances ofmatching one of them are 2/365. The 4th, 3/3 65, and so on.
`The total of these chances grows more quickly than one might guess.
`
`Block cipher
`A sy_rng:tr'c cipher which operates on fixed-size blocks of plaintext, giving a block of ciphertext
`for each. Contrast with s’_t_r§_a.rn__(;ipl'_1_§1_'. Block ciphers can be used in various rrgies when multiple
`block are to be encrypted. j
`
`is among the the best known and widely used block ciphers, but is now obsolete. Its 56-bit
`key size makes it highl
`today. _'I,1;iple,_I;l#;§, is the default transform for
`E;e_e;S_L_\NWA___N_ because i
`is the only cipher which is both required in the
`and apparently
`secure.
`‘
`
`The current generation of block ciphers —— such as _l_3_1__o_vymh, Q_at_S_I_—_I__?,§, and IJLQEA -— all use 64-bit
`blocks and 128-bit keys, The next generation, AES, uses l28—bit blocks and supports key sizes up
`to 256'bits.
`
`The Block Cipher Lounge web site has more information.
`
`Blowfish
`,
`A 1_)lgg;,lc_c_i_p_h__c:.3.: using 64~bit blocks and keys ofup to 448 bits, designed by l_3rt_rr;e___,§chr_tei_e_1; and
`used in several products.
`
`This is not required by the _I_l3§,]:Zj_3_ RFCs and not currently used in L_irn1_2~;___.E,r_<:;:_t:_'_S_/_‘\_7VmAl§3l_.
`
`Brute force attack (exhaustive search}
`Breaking a cipher by trying all possible keys. This is always possible in theory (except against a
`one-t_im_pa;l_), but it becomes practical only if the key size is inadequate. For an important
`
`'http:/'/1iberty.freeswan.org/freeswan__trees/freeswan-l .3/doc/glossaryhtrnl
`
`2/21/2002
`
`Page 5 of 25
`
`VN ETOO221399
`
`

`
`Case 6:07-CV-OOO80—LED Document 194-7 Filed l2i30/08 Page 7 of 26 Pagelf) #: 8918
`io
`-1 Linux Frees/WAN Glossary
`Page 6 of 25
`
`example, see our document on the insecurity of DES with its 56-bit key. For an analysis of key
`sizes required to resist plausible brute force attacks, see this paper.
`
`Longer keys protect against brute force attacks. Each extra bit in the key doubles the number of
`possible keys and therefore doubles the work a brute force attack must do. A large enough key
`defeats any brute force attack.
`
`For example, the EFF‘s DES Cracker searches a 56-bit key space in an average of a few days- Let
`us assume an attacker that can find a 64-bit key (256 times harder) by brute force search in a
`second (a few hundred thousand times faster). For a 96-bit key, that attacker needs 232 seconds,
`just over a century. Against a 128-bit key, he needs 232 centuries or about 400,000,DO0,000 years.
`Your data is then obviously secure against brute force attacks. Even if our estimate of the
`attackers speed is offby a factor of a rniilion, it still takes him 400,000 years to crack a message.
`
`This is why
`- single Djifi is now considered da_ngerously___in_secu_r_e
`- any cipher we add to Linux FreeS/‘WAN will have at least a 90-bit key
`- all of the current generation of Iglock_c_ipher_s use a 128-bit or longer key
`0
`ciphers support keysizes 128, 192 and 256 bits
`Cautions:
`r
`Inadequate keyiength always indicates a weak cipher but it is important to note that adequate ‘
`keylength does not necessarily indicate a strong cipher. There are many attacks other than brute
`force, and adequate keylength only guarantees resistance to brute force. Any cipher, whatever its
`key size, will be weak if design or implementation flaws allow other attacks.
`
`Also, once you have adequateykeylength (somewhere around 90 or 100 bits), adding more key bits
`make no practical difi:reriee,_e\_z.en against brute force. Consider our 128-bit example above that
`takes 400 biiiion years to break by brute force. Do we care if an extra 16 bits of key put that into
`the quadrillions? No. What about 16 fewer bits reducing it to the 1 12-bit security level of yang
`Q13.-_S_, which our example attacker could break in just over a billion years‘? No again, unless we're
`being really paranoid about safety margins.
`
`There may be reasons of convenience in the design of the cipher to support larger keys. For
`example _];‘§l,o,y_yf§l_1_ allows up to 448 bits and 1309,51. up to 2048, but beyond 100-odd bits it makes no
`difference to practical security.
`
`Bureau of Export Administration
`see
`
`BXA
`
`The US Commerce Department's Bureau of Export Aciministration which administers the _lf:_‘_A,L{
`Export Administration Regulations controling the export of, among other things, cryptography.
`
`CA
`
`Certification Authority, an entity in a p3;l;2l_Lg_1§:_e_y_iw11f1'g1§_trwu_-;;t_1;I1.'_§ that can certify keys by signing
`them. Usually CAs form a hierarchy. The top of this hierarchy is called the rgo_t_Q_A_.
`
`See Web of Trust for an aiternate model.
`
`CAST—l28
`A block cipfi using 64-bit blocks and 128-bit keys, described in RFC 2144 and used in products
`such as
`and recent versions of1.’.C_3£.
`
`http:/."1ibe1tv.freeswan.org/freeswangtreeslfreeswan-1 .3/doc/glossary-hfinl
`
`8
`
`2/21/2002
`
`Page 6 of 25
`
`VN ETO02214OO
`
`

`
`c
`-
`-
`-
`-
`5
`ase 6.07_cv 00080 LED Document 194-? Filed 1280/08 Page 8 of 26 PagelD #: 8919
`Linux FreeSfWAN Glossary
`Page 7 of25
`
`This is not required by the lLS_E_Q RFCs and not currently used in Linux Frees/WAN.
`
`.
`CAST-256
`gm-_i_1st's candidate cipher for the $8_i'£i_lQ(.l8.I'(1, largely based on the _AST-128 design.
`‘died of using a
`in which for each block except the
`Cipher Block Chaining mode, a me
`first, the result of the previous ‘encryption is XORed into the new block before it is encrypted.
`CBC is the mode used in _l_1?__S__§C;.
`
`rA1'1i_1_1l,t_l§}_i_,S_a__l_L()j!,_X§§;LQ§ (IV) must be provided. It is XORed into the first block before encryption.
`The IV need not be secret but should be different for each message and unpredictable-
`
`Certification Authority
`see gig
`
`Cipher Modes
`Different ways of using a block cipher when encrypting multiple blocks.
`
`in ]E__I_l_’_§ 81. They can actually be applied with any
`
`Four standard modes were defined for
`block cipher.
`E1
`t
`'
`E,_C_L__l5: Csgelgggfc
`Cipher Block
`Charming
`CFB Cipher FeedB ack
`OFB Output FeedB ack
`and is more secure. In ECB
`1__P_§,E_C, uses
`mode since this is only marginally slower than
`mode the same plaintext always encrypts to the same ciphertext, unless the key is changed. In
`CBC mode, this does not occur.
`'
`
`.
`encrypt each block independently
`XOR previous block ciphertext into new block plaintext before
`encrypting new block
`
`Various other modes are also possible, but none of them are used in IP SEC.
`
`Challenge~response authentication
`rar;i1_cr_n_r1.urnb;c.t, encryptsit and Sends
`An aiitiienticatigii system in which one player generates a
`ride back the result. If the result is
`the result as a challenge. The other player decrypts and se
`lcnew the appropriate secret, required
`correct, that proves to the first player that the second player
`for the decryption.
`
`cryptography. Some provide
`ique exist using p_,ubmlic,1g_:3y or
`Variations on this techn
`assuring each player of the other's identity.
`two—Way authentication,
`number is different each time, this defeats simple eavesdropping and replay
`Because the random
`ght still try to break the cryptographic algorithm used, or the
`attacks. Of course an attacker mi
`L‘=3.1.'l_.(_1_(-TL1.'l'.lJ.1_1lI_.1Lb§.K 831161‘aim‘-
`
`Ciphertext
`output of a cipher, as opposed to the uriericrypted p1a_i_ri_tex_t input.
`The encrypted
`A vendor ofrouters, hubs and related products. Their IPSEC products interoperatewith Linux
`
`..§.I..1..L
`FreeSfWAN; see our 9.otnpri£ii2il.iIY...§19
`
`Sim
`'
`
`httn://liheztv_Freeswanore/freeswan tree
`
`s/freeswan—1 .3i'doc/p;lossary.htrnl
`
`2/21/2002
`
`Page 7 of 25
`
`VNETOD221401
`
`

`
`Case 6:O7—cv—OO080—LED Document 194-? Fil d 12f30/O8
`3
`
`'°a9e9°*26 taster-2§920
`
`' Linux Frees/WAN Glossary
`
`Conventional cryptography
`See
`Collision resistance
`The property of a messaggcflggt algorithm which makes it hard for an attacker to find or
`construct two inputs which hash to the same output.
`Copyleft
`see GNU
`
`CSE
`
`The Canadian organisation for sig.iais_iate1.1i.gens<:..
`DARPA (sometimes just ARPA)
`_
`The US government's Defense Advanced Research Projects Agency. Projects they have funded
`over the years have included the Arpanet which evolved into the Internet, the TCP/IP protocol
`suite (as a replacement for the original Arpanet suite), the Berkeley 4.): BSD Unix projects, and
`
`Secure DN S.
`'
`
`For current information, see their
`
`,s_'1_t_e_.
`
`Denial of service (DOS) attack
`An attack that aims at denying some service to legitimate users of a system, rather than providing
`a service to the attacker.
`0 One variant is a flooding attack, overwhelming the system with too many packets, to much
`email, or whatever.
`-
`o A closely related variant is a resource exhaustion attack. For example, consider a "TCP
`SYN flood" attack. Setting up a TCP connection involves a three-packet exchange:
`0 Initiator: Connection please (SYN)
`o Responder: OK (ACK)
`0 Initiator: OK here too
`Ifthe attacker puts bogus source information in the first packet, such that the second is
`never delivered, the responder may wait a long time for the third to come back. Ifresponder
`has already allocated memory for the connection data structures, and ifmany of these bogus
`packets arrive, the responder may run out of memory.
`o Another variant is to feed the system undigesfble data, hoping to make it sick. For example,
`IP packets are limited in size to 64K bytes and a fragment carries information on where it
`starts within that 64K and how long it is. The "ping of deat " delivers fragments that say,
`for example, that they start at 60K and are 20K. long. Attempting to reassemble thse
`without checking for overflow can be fatal.
`.
`The two example attacks discussed were both quite effective when first discovered, capable of
`crashing or disabling many operating systems. They were also we11—publicised, and today far
`fewer systems are vulnerable to them.
`The Data Encryption Standard, ahloclg5_:ipj,1er with 64-bit blocks and a 56-bit key. Probably the
`most widely used
`ever devised. DES has been a US government standard for
`their own use (only for unclassified data), and for some regulated industries such as banking, since
`the late 70's.
`
`DES
`
`DES ia.snri9_1;§ly_insesI_Jre.asainsL<;um:nt_a.c_tmks..
`l;inn_>r_Er,ee_Sfl7_\{Al§l includes DES since the RFCS require it, but our default configuration refuses
`to negotiate a connection using it. We strongly recommend that single DES not be used.
`See also _3;D_E._S_- and DE_S_2§, stronger ciphers based on DES.
`
`htto:f/1ibertv.freeswan.ora/freeswan_treesffreeswan—1 .3/doc/g10SSary.html
`
`2/21/2002
`
`Page 8 of 25
`
`VNETOD221402
`
`

`
`Case 6:D7~cv-00080-LED Document 194-? Filed 1230/08 Page 10 of 26 PagelD #: 8921
`Linux FreeS/WAN Glossary
`Page 9 of25
`
`DESX
`suggested by Ron Rivest of RSA Data Security. It XORS extra key material
`An improved
`into the text before and afier applying the DES cipher.
`
`This is not required by the ,1,E_t1J_;Q RFCs and not currently used in J,_._inu;:__£ree_Sfl&_[ DESX
`would be the easiest additional transform to add; there would be very little code to write. It would
`be much faster than 333138 and almost certainly more secure than DES, However, since it is not in
`the RFCs other IPSEC implementations cannot be expected to have it.
`
`-DH
`
`'
`see _I}_if_fe:_H_e,1LmWan
`Difl-’1e—Hellman (DH) key exchange protocol
`A protocol that allows two parties without any initial shared secret to create one in a manner
`immune to eavesdropping. Once they have done this, they can communicate privately by using
`that shared secret as a key for a block cipher or as the basis for key exchange.
`
`The protocol is secure against all passive attacks, but it is not at all resistant to active rnan—iu—th§;
`gddl_<_:; a__tj;ag_.1gs. If a third party can impersonate Bob to Alice and vice versa, then no useful secret
`can be created. Authentication is a prerequisite for safe Diffie-Hellman key exchange.
`
`IPSEC can use any of several authenjcicatiygn mechanisirns. Those supported by FreeS/WAN are
`discussed in our
`document.
`
`Digital signature
`Take a inemsswagedigest of a document and encrypt it with your private key for some public,1_<:§_y
`s3£3!T£2I<_2_S_3{§!:_<_3,t_1_:r. I can decrypt with your public key and verify that the result matches the digest I
`calculate. This proves that the encrypted digest was created with your private key.
`
`Such an encrypted message digest can be treated as a signattire since it cannot be created Without
`both the document and the private key which only you should possess. The legal issues are
`complex, but several countries are moving in the direction of Iegal recognition for digital
`signatures.
`
`DNS
`
`Domain Name Service, a distributed database through which names are associated with numeric
`addresses and other information in the Internet Protocol Suite. See also BIND, the Berkeley
`Internet Name Daemon which implements DNS services and _S_efioure_ See our bibliography
`for a useful reference on both.
`DOS attack
`see Denial Of Selig: attack
`
`EAR
`
`The US government's Export Administration Regulations, administered by the B1J,{§;§t].1__Q£fl,2_{_p_Q_l{§
`A__d_rrmLini_str_a_ti9_n_. These have replaced the earlier 1_Ig3t_I; regulations as the controls on export of
`cryptography.
`ECB mode
`Electronic CodeBo0k mode, the simplest way to use a block cipher. See ,,C_iph_e1;l\_/[.m_o_<1es.
`
`EDE
`
`The sequence of operations normally used in either the th.ree—key variant of
`1£§_E_C_I or the tw_o_—Eg_ey variant used in some other systems.
`
`used in
`
`hnn:/niheriv_Freeswan_n1-g/fieeswan trees/freeswan—1.3/doc/slossarvhtrnl
`
`Z/21/2002
`
`Page 9 of 25
`
`VNETOO221403
`
`

`
`C
`6:07— —
`—
`—
`‘
`'
`-
`Linuxa1§rt:eSflN_fic\1{I£%g)lEJ)§:grt§ED Document 194 7 Filed 12130108 Page 11 OT 26 Pe}gatsglé31fi.0§gg2
`
`The sequence is:
`o Encrypt with keyl
`o Decrypt with kcy2
`.
`- Encrypt with key3
`For the two~key version, keyl=lrey3.
`
`The "advantage" of this EDE order of operations is that it makes it simple to interoperate with
`older devices offering only single DES. Set key1=key2~=l<ey3 and you have the worst of both
`worlds, the overhead of triple DES with the security of single DES. Since single_L2_E_S_,_is__‘,i_nsecp,re,
`this is a rather dubious "advantage".
`
`The EDE two—l<ey variant can also interoperate with the EDE three—key variant used in _I_1?_S_.,EQ;
`just set k1=k3.
`
`Entrust
`A Canadian company offerring enterprise
`public key and )_{_.§Q2 directories.
`
`EFF
`
`products using Q_A§I:1__2$ symmetric crypto,
`
`l3_l§ctrorij_c_E_rontie1:,1Eoundation, an advocacy group for civil rights in cyberspace.
`Encryption
`I
`Techniques for converting a readable message (p_1_;_i_i_nteggj;) into apparently random material
`(_c_iph§r_te);t) which cannot be read if intercepted. A key is required to read the message.
`
`Major variants include symmetric encryption in which sender and receiver use the same secret key
`and p_u.];,>_1iHgM_lgey methods in which the sender uses one of a matched pair of keys and the receiver
`uses the other. Many current systems, including 1Ej$__]§._Q, are hybrids combining the two
`techniques.
`
`ESP
`
`'
`Encapsulated Security Payload, the LPS EC protocol which provides myjption. It can also
`provide antlienticafion service and may he used with null encryption (which We do not
`
`recommend). For details see our 1],"-,’A_.S__‘l_Ej,_Q,_“(_)
`document and/or RFC 2406.
`Extruded subnet
`i
`_
`A situation in which something IP sees as one network is actually in two or more places.
`
`For example, the Internet may route all traffic for a particular company to that firnfs corporate
`gateway. It then becomes the company's problem to get packets to various machines on their
`fllmefi in various departments. They may decide to treat abranch office tike a subnet, giving it IP
`addresses "on" their corporate net. This becomes an extruded subnet.
`'
`
`Packets bound for it are delivered to the corporate gateway, since as far as the outside world is
`concerned, that subnet is part of the corporate network. However, instead of going onto the
`corporate LAN (as they would for, say, the accounting department) they are then encapsulated and
`sent back onto the Internet for delivery to the branch office.
`-
`
`For information on doing this with Linux Frees/WAN, look in our §__3_on_i:igg_r_atig_n file.
`
`Exhaustive search
`S66 l;2;J.tte_£orse_a_t_tad<.
`
`FIP S
`
`htto:/flibertv.freeswan.org/fi—eeswan__trees/freeswan—1.3/doc/gl0ssa1'y.html
`
`2/21/2002
`
`Page 10 of 25
`
`VNETO0221404
`
`

`
`Linuggsgegi/Q‘;/[—fi§/[—((}(l3OCg:§gJI—3l(_ED Document 194-? Filed 1230/08 Page 12 of 26 Pggglqi#:0f§3523
`
`Federal Information Processing Standard, the US government's standards for products it buys.
`These are issued by 1f:LI§:l"_. Among other things,
`and fiS___l;l_£_§t are defined in FIPS documents.
`NIST have a 1_?_Il’_S__l_r;gme_page.
`Free Software Foundation (FSF)
`AI]. organisation to promote free software, free in the sense of these quotes from their web pages
`
`"Free software“ is a matter of liberty, not price. To understand the concept, you
`should think of "free speech", not "free beer.“
`
`"Free software" refers to the users‘ freedom to run, copy, distribute, study, change and
`improve the software.
`-
`-
`
`See also
`FreeSWAN
`see
`
`FSF
`
`see Free sofiwarefggridn
`GCI-IQ
`-
`
`GILC
`
`and the._E_S»._F_...site.
`
`the British organisation for signals...i,ntelli.genc.e.
`
`Global Inte1:ne_t Liberty Campaign, an international organisation advocating, among other things,
`flee availability of b cryptography. They have a
`to remove cryptographic software fiorn
`the _V_‘[as_ssnae_r_£trr_angsraent.
`-
`Global Internet Liberty Campaign
`see §jL§_.
`fG_lo‘L1.1?_rust1:egist_er
`An attempt to create something like a root CA for E by publishing both as a book and on the
`ygeb the fingerprints of ‘a set of verified keys for well—lcnown users and organisations.
`t
`-
`The GNU Multi-Precision library code, used in Limz '_Er,eeS/WAN by Pluto for public key
`calculations.
`
`GMP
`
`GNU
`
`GPG
`
`.
`GNU‘s Not Unix, the _E_r_e_§:__WSWc>_tlyg_z;re_E9_1;r_1t,1a;1;i_Qr3_{§ project aimed at creating a free system with at
`least the capabilities of Unix. Linux uses GNU utilities extensively.
`'
`
`see _<3I;i_Uml’.u'3ac3.'._(iua_rd
`.
`GNU General Public fieénse (GPL, copyleft)
`_..t..r_.e:
`The license developed by the E1;ee§o_ftw_are_‘F_o;1_ng_latign under which Linux Linmc_Er_eeSJ3_N_Al\l
`and many other pieces of software are distributed. The license allows anyone to redistribute and
`modify the code, but forbids anyone fiom distributing executables without providing access to
`source code. For more details see the file Qfiflflfi included with GPLed source distributions,
`including Ours, or _G1?:lLl.si_teis,.S3.EL.p.age.
`_Ci1_\lLIir'ua£I_@.ard
`An open source implementation of Open 1?_(_}_lZ as defined in RFC 2440.
`
`GPL
`
`see §l\lll_G§neral_B1thuc.Li9_ense.
`
`Hash
`
`see .n1es.sag§.=_..diges1
`Hashed Message Authentication Code (HMAC)
`using keyed Lnessagedigest fimctions to authenticate a message. This differs from other uses of
`these functions:
`
`http://1ibertv.fi'eeswan.or;_r/freeswan_tIeeslfreeswan—1 .3/docfg1°533I‘Y-html
`
`2/21/2002
`
`Page 11 of 25
`
`VNETOO22‘l405
`
`

`
`LinuX§3§e%,%fi;QQ{N::¢;Q,gQ,§9«LED Document 194-? Filed 12/30/08 Page 13 of 26 P@1Def28924
`
`- In normal usage, the hash fi1nction's internal variable are initialised in some standard way.
`Anyone can reproduce the hash to check that the message has not been altered.
`- For HMAC usage, you initiaiise the internal variables from the key. Only someone with the
`key can reproduce the hash. A successful check of the hash indicates not only that the
`_ message is unchanged but also that the creator knew the key.
`The exact techniques used in
`are defined in RFC 2104. They are referred to as HMAC-
`MD5—96 and HMAC-SI-IA-96 because they output only 96 bits of the hash. This makes some
`attacks on the hash functions harder.
`HMAC
`..........................,.._; -.._..__._._.._.___......__._..__,-,_....._.
`see I-Lashed Message Authentication Code
`HIVIAC-MZD5-96
`see I:L3.§h.§_d._L/£.§.§§é1g.€£..£tilIli$;L1IiQ@§lQI1_.C.Q._§
`HIVIAC-SI-IA~96
`see Hashed Message Authentication Code
`Hybrid cryptosystem
`A system using both puh_lic_,l,<;§;_y and techniques. This Works well. Public key
`methods provide key management and digital signature facilities which are not readily available
`using symmetric ciphers. The symmetric cipher, however, can do the bulk of the encryption work
`much more efficiently than public key methods.
`
`IAB
`
`ICMP
`
`IDEA
`
`kl_1Z§_1‘_I1fi_.:_’-fsm_fi‘,~l_1l_t8Ctl1IE) Board.
`
`Internet Control Message Protocol. This is used for various IP—oonnected devices to manage the
`network.
`
`International Data Encrypion Algorithm, developed in Europe as an alternative to exportable
`American ciphers such as DES which were too weak for serious use. IDEA is a block cipher using
`64-bit blocks and 128-bit keys, and is used in products such as I’_Q_:l?,.
`
`IDEA is not required by the 1_Ij__§_l_3__._C; RFCs and not currently used in £_i_'_e_e_S__f
`
`IDEA is patented and, with strictly limited exceptions for personal use, using it requires a license
`from Asqoln.
`
`IESG
`
`lETF
`
`IKE
`
`I.._ts::rnet Engineering. Steerinafirbup.
`'
`K
`Internet Engmceringjask Force, the umbrella organisation whose various working groups make
`most of the technical decisions for the Internet. The IETF l_1:_'_S_E,§L\§1v'_(_J_1“_l_(__i,;‘l__,g;group wrote the
`we are implementing.
`Internet Key Exchange, based on the 1Q.i_ffi_e;1fi_e1lrna_ri key exchange protocol. IKE is implemented
`in Lin.u>_<_F_r;=:eS»__fV§L2_k_1>E by the 1E1x;‘:n_<.:l.ae.=t_r_:.t;e.I.1..
`-
`initialisation Vector (IV)
`Some cipher rng_d§_s_, including the
`mode which IPSEC uses, require some extra data at the
`beginning. This data is called the initialisation vector. It need not be secret, but should be different
`for each message. Its function is_ to prevent messages which begin with the same text from
`encrypting to the same ciphertext. That might give an analyst an opening, so it is best prevented.
`
`IP
`
`Internet Protocol.
`IP masquerade
`
`httu1//liberty.fi-eeswan.or,ajfieesWan_1Iees/freeswan-1 .3/doc!glossa1'y.html
`
`2/21/200?.
`
`Page 12 of 25
`
`VNETOO221406
`
`

`
`Linugigseeegfwioy-gpoggélr-YLEDp Document 194-? Filed 12/30/08 Page 14 of 26 Plag§é|%f8Z%25
`
`A method of allowing

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket