See the documentation index or project home page for more information.

Glossary for the Linux FreeS/WAN project

Entries are in alphabetical order. Some entries are only one line or one paragraph long. Others run to several paragraphs. I have tried to put the essential information in the first paragraph so you can skip the other paragraphs if that seems appropriate.

Other glossaries

Other glossaries which overlap this one include:

- the glossary portion of the Cryptography FAQ
- an extensive cryptographic glossary on Terry Ritter's page
- the NSA's glossary of computer security on their site
- an Internet Draft Crypto Glossary
- the IETF provide a glossary of Internet terms as RFC 1983
- a small glossary for Internet Security at PC magazine
- the glossary from Richard Smith's book Internet Cryptography

More general glossary or dictionary information:

- Free Online Dictionary of Computing (FOLDOC)
  - North America
  - Europe
  - Japan
  There are many more mirrors of this dictionary.
- A dictionary of Computer Science
- The Jargon File, the definitive resource for hacker slang and folklore
  - Holland
  - home page
  There are also many mirrors of this. See the home page for a list.
- A general glossary
- An online dictionary resource page with pointers to many dictionaries for many languages
- A search engine that accesses several hundred online dictionaries
- O'Reilly Dictionary of PC Hardware and Data Communications Terms

http://liberty.freeswan.org/freeswan_trees/freeswan-1.3/doc/glossary.html

2/21/2002

Page 1 of 25

VIRNETX EXHIBIT 2027
Mangrove v. VirnetX
Trial IPR2015-01046


Definitions

3DES (Triple DES)
Using three DES encryptions on a single data block, with at least two different keys, to get higher security than is available from a single DES pass. The three-key version of 3DES is the default encryption algorithm for Linux FreeS/WAN.

IPSEC always does 3DES with three different keys, as required by RFC 2451. For an explanation of the two-key variant, see two key triple DES. Both use an encrypt-decrypt-encrypt sequence of operations.

Single DES is insecure.

Double DES is ineffective. Using two 56-bit keys, one might expect an attacker to have to do 2^112 work to break it. In fact, only 2^57 work is required with a meet-in-the-middle attack, though a large amount of memory is also required. Triple DES is vulnerable to a similar attack, but that just reduces the work factor from the 2^168 one might expect to 2^112. That provides adequate protection against brute force attacks, and no better attack is known.

3DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. However, the speed we get is quite acceptable for many uses. See benchmarks below for details.

Active attack
An attack in which the attacker does not merely eavesdrop (see passive attack) but takes action to change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is man-in-the-middle. In general, authentication is a useful defense against active attacks.

AES
The Advanced Encryption Standard, a new block cipher standard to replace DES being developed by NIST, the US National Institute of Standards and Technology. DES used 64-bit blocks and a 56-bit key. AES ciphers use a 128-bit block and are required to support 128, 192 and 256-bit keys. Some of them support other sizes as well. The larger block size helps resist birthday attacks while the large key size prevents brute force attacks.

Fifteen proposals meeting NIST's basic criteria were submitted in 1998 and subjected to intense discussion and analysis, "round one" evaluation. In August 1999, NIST narrowed the field to five "round two" candidates:
- Mars from IBM
- RC6 from RSA
- Rijndael from two Belgian researchers
- Serpent, a British-Norwegian-Israeli research collaboration
- Twofish from the consulting firm Counterpane
We expect IPSEC will eventually use the AES winner, and we expect to see a winner (or more than one; there is an ongoing discussion on that point) declared in the summer of 2000.

Adding one or more AES ciphers to Linux FreeS/WAN would be a useful undertaking, and considerable freely available code exists to start from. One complication is that our code is built for a 64-bit block cipher and AES uses a 128-bit block. Volunteers via the mailing list would be welcome.

For more information, see the NIST AES home page or the Block Cipher Lounge AES page. For code and benchmarks see Brian Gladman's page.

AH
The IPSEC Authentication Header, added after the IP header. For details, see our Overview document and/or RFC 2402.

Alice and Bob
A and B, the standard example users in writing on cryptography and coding theory. Carol and Dave join them for protocols which require more players.

Bruce Schneier extends these with many others such as Eve the Eavesdropper and Victor the Verifier. His extensions seem to be in the process of becoming standard as well. See page 23 of Applied Cryptography.

Alice and Bob have an amusing biography on the web.

ARPA
see DARPA

ASIO
Australian Security Intelligence Organisation.

Asymmetric cryptography
See public key cryptography.

Authentication
Ensuring that a message originated from the expected sender and has not been altered en route. IPSEC uses authentication in two places:
- authenticating the players in Diffie-Hellman key exchanges to prevent man-in-the-middle attacks. This can be done in a number of ways. The methods supported by FreeS/WAN are discussed in our configuration document.
- authenticating packets on an established SA, either with a separate authentication header or with the optional authentication in the ESP protocol. In either case, packet authentication uses a hashed message authentication code technique.

Outside IPSEC, passwords are perhaps the most common authentication mechanism. Their function is essentially to authenticate the person's identity to the system. Passwords are generally only as secure as the network they travel over. If you send a cleartext password over a tapped phone line or over a network with a packet sniffer on it, the security provided by that password becomes zero. Sending an encrypted password is no better; the attacker merely records it and reuses it at his convenience. This is called a replay attack.

A common solution to this problem is a challenge-response system. This defeats simple eavesdropping and replay attacks. Of course an attacker might still try to break the cryptographic algorithm used, or the random number generator.

Automatic keying
A mode in which keys are automatically generated at connection establishment and new keys automatically created periodically thereafter. Contrast with manual keying in which a single stored key is used.

IPSEC uses the Diffie-Hellman key exchange protocol to create keys. An authentication mechanism is required for this. The methods supported by FreeS/WAN are discussed in our configuration document.

Having an attacker break the authentication is emphatically not a good idea. An attacker that breaks authentication, and manages to subvert some other network entities (DNS, routers or gateways), can use a man-in-the-middle attack to break the security of your IPSEC connections.

However, having an attacker break the authentication in automatic keying is not quite as bad as losing the key in manual keying.
- An attacker who reads /etc/ipsec.conf and gets the keys for a manually keyed connection can, without further effort, read all messages encrypted with those keys, including any old messages he may have archived.
- Automatic keying has a property called perfect forward secrecy. An attacker who breaks the authentication gets none of the automatically generated keys and cannot immediately read any messages. He has to mount a successful man-in-the-middle attack in real time before he can read anything. He cannot read old archived messages at all and will not be able to read any future messages not caught by man-in-the-middle tricks.
That said, the secrets used for authentication, stored in ipsec.secrets(5), should still be protected as tightly as cryptographic keys.

Bay Networks
A vendor of routers, hubs and related products, now a subsidiary of Northern Telecom. Interoperation between their IPSEC products and Linux FreeS/WAN was problematic at last report; see our compatibility document.

benchmarks
Our default block cipher, triple DES, is slower than many alternate ciphers that might be used. Speeds achieved, however, seem adequate for many purposes. For example, the assembler code from the LIBDES library we use encrypts 1.6 megabytes per second on a Pentium 200, according to the test program supplied with the library.

The University of Wales at Aberystwyth has done quite detailed tests and put their results on the web.

Even a 486 can handle a T1 line, according to this mailing list message:

  Subject: Re: linux-ipsec: IPSec Masquerade
  Date: Fri, 15 Jan 1999 11:13:22 -0500
  From: Michael Richardson

  . A 486/66 has been clocked by Phil Karn to do 10Mb/s encryption..
  . that uses all the CPU, so half that to get some CPU,
  . and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....

From an Internet Draft The ESP Triple DES Transform:

  Phil Karn has tuned DES-EDE3-CBC software to achieve 6.22 Mbps with a 133 MHz Pentium. Other DES speed estimates may be found at [Schneier95, page 279]. Your mileage may vary.

If you want to measure the loads FreeS/WAN puts on a system, note that tools such as top or measurements such as load average are more-or-less useless for this. They are not designed to measure something that does most of its work inside the kernel.

BIND
Berkeley Internet Name Daemon, a widely used implementation of DNS (Domain Name Service). See our bibliography for a useful reference. See the BIND home page for more information and the latest version.

Birthday attack
A cryptographic attack based on the mathematics exemplified by the birthday paradox. This math turns up whenever the question of two cryptographic operations producing the same result becomes an issue:
- collisions in message digest functions
- identical output blocks from a block cipher
- repetition of a challenge in a challenge-response system
Resisting such attacks is part of the motivation for:
- hash algorithms such as SHA and RIPEMD-160 giving a 160-bit result rather than the 128 bits of MD4, MD5 and RIPEMD-128
- block ciphers using a 128-bit block instead of the 64-bit block of most current ciphers
- IPSEC using a 32-bit counter for packets sent on an automatically keyed SA and requiring that the connection always be rekeyed before the counter overflows

Birthday paradox
Not really a paradox, just a rather counter-intuitive mathematical fact. In a group of 23 people, the chance of at least one pair having the same birthday is over 50%.

The second person has 1 chance in 365 (ignoring leap years) of matching the first. If they don't match, the third person's chances of matching one of them are 2/365. The 4th, 3/365, and so on. The total of these chances grows more quickly than one might guess.

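An added example, not part of the original glossary: the Python below works the birthday figures exactly and carries the same mathematics through to the question the Birthday attack entry raises, namely how many random n-bit values it takes before a repeat becomes likely. Function names are this example's own.

```python
import math

DAYS_IN_YEAR = 365  # leap years ignored, as in the glossary's own tally


def exact_collision_probability(draws, space=DAYS_IN_YEAR):
    """Chance that at least one pair among `draws` uniformly random values
    from `space` possibilities coincides: 1 - P(all distinct)."""
    p_all_distinct = 1.0
    for i in range(draws):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def per_person_chances(people, space=DAYS_IN_YEAR):
    """The glossary's step-by-step view: the 2nd person has 1/365 chance of
    matching the 1st, the 3rd has 2/365 of matching one of them, and so on.
    Simply adding these up overstates the true figure, which is why the exact
    product above is used for the real answer."""
    return [i / space for i in range(1, people)]


def approx_collision_probability(draws, space):
    """Standard approximation 1 - exp(-n^2 / 2N), accurate while n << N.
    This is the form used for hash and block-cipher collision estimates."""
    return 1.0 - math.exp(-(draws ** 2) / (2.0 * space))


def draws_for_even_odds(bits):
    """Values from a 2**bits space needed for ~50% collision probability.
    Solving 1 - exp(-n^2 / 2N) = 1/2 gives n = sqrt(2 ln 2 N) ~ 1.18 * 2**(bits/2).
    This is why a 64-bit block cipher reaches collision territory after
    roughly 2**32 blocks under one key, and 128-bit blocks push that to ~2**64."""
    return math.sqrt(2.0 * math.log(2.0) * (2.0 ** bits))


def smallest_group_over_half(space=DAYS_IN_YEAR):
    """Smallest group size whose pairwise-match probability exceeds 50%."""
    n = 1
    while exact_collision_probability(n, space) <= 0.5:
        n += 1
    return n
```
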
Block cipher
A symmetric cipher which operates on fixed-size blocks of plaintext, giving a block of ciphertext for each. Contrast with stream cipher. Block ciphers can be used in various modes when multiple blocks are to be encrypted.

DES is among the best known and widely used block ciphers, but is now obsolete. Its 56-bit key size makes it highly insecure today. 3DES is the default transform for Linux FreeS/WAN because it is the only cipher which is both required in the IPSEC RFCs and apparently secure.

The current generation of block ciphers -- such as Blowfish, CAST-128 and IDEA -- all use 64-bit blocks and 128-bit keys. The next generation, AES, uses 128-bit blocks and supports key sizes up to 256 bits.

The Block Cipher Lounge web site has more information.

Blowfish
A block cipher using 64-bit blocks and keys of up to 448 bits, designed by Bruce Schneier and used in several products.

This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

Brute force attack (exhaustive search)
Breaking a cipher by trying all possible keys. This is always possible in theory (except against a one-time pad), but it becomes practical only if the key size is inadequate. For an important example, see our document on the insecurity of DES with its 56-bit key. For an analysis of key sizes required to resist plausible brute force attacks, see this paper.

Longer keys protect against brute force attacks. Each extra bit in the key doubles the number of possible keys and therefore doubles the work a brute force attack must do. A large enough key defeats any brute force attack.

For example, the EFF's DES Cracker searches a 56-bit key space in an average of a few days. Let us assume an attacker that can find a 64-bit key (256 times harder) by brute force search in a second (a few hundred thousand times faster). For a 96-bit key, that attacker needs 2^32 seconds, just over a century. Against a 128-bit key, he needs 2^32 centuries or about 400,000,000,000 years. Your data is then obviously secure against brute force attacks. Even if our estimate of the attacker's speed is off by a factor of a million, it still takes him 400,000 years to crack a message.

This is why
- single DES is now considered dangerously insecure
- any cipher we add to Linux FreeS/WAN will have at least a 90-bit key
- all of the current generation of block ciphers use a 128-bit or longer key
- AES ciphers support key sizes 128, 192 and 256 bits

Cautions:

Inadequate keylength always indicates a weak cipher but it is important to note that adequate keylength does not necessarily indicate a strong cipher. There are many attacks other than brute force, and adequate keylength only guarantees resistance to brute force. Any cipher, whatever its key size, will be weak if design or implementation flaws allow other attacks.

Also, once you have adequate keylength (somewhere around 90 or 100 bits), adding more key bits makes no practical difference, even against brute force. Consider our 128-bit example above that takes 400 billion years to break by brute force. Do we care if an extra 16 bits of key put that into the quadrillions? No. What about 16 fewer bits reducing it to the 112-bit security level of triple DES, which our example attacker could break in just over a billion years? No again, unless we're being really paranoid about safety margins.

There may be reasons of convenience in the design of the cipher to support larger keys. For example Blowfish allows up to 448 bits and RC4 up to 2048, but beyond 100-odd bits it makes no difference to practical security.

Bureau of Export Administration
see BXA

BXA
The US Commerce Department's Bureau of Export Administration which administers the EAR Export Administration Regulations controlling the export of, among other things, cryptography.

CA
Certification Authority, an entity in a public key infrastructure that can certify keys by signing them. Usually CAs form a hierarchy. The top of this hierarchy is called the root CA.

See Web of Trust for an alternate model.

CAST-128
A block cipher using 64-bit blocks and 128-bit keys, described in RFC 2144 and used in products such as Entrust and recent versions of PGP.

This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

CAST-256
Entrust's candidate cipher for the AES standard, largely based on the CAST-128 design.

CBC mode
Cipher Block Chaining mode, a method of using a block cipher in which for each block except the first, the result of the previous encryption is XORed into the new block before it is encrypted. CBC is the mode used in IPSEC.

An initialisation vector (IV) must be provided. It is XORed into the first block before encryption. The IV need not be secret but should be different for each message and unpredictable.

Certification Authority
see CA

Cipher Modes
Different ways of using a block cipher when encrypting multiple blocks.

Four standard modes were defined for DES in FIPS 81. They can actually be applied with any block cipher.

  ECB  Electronic CodeBook     encrypt each block independently
  CBC  Cipher Block Chaining   XOR previous block ciphertext into new block plaintext before encrypting new block
  CFB  Cipher FeedBack
  OFB  Output FeedBack

IPSEC uses CBC mode since this is only marginally slower than ECB mode and is more secure. In ECB mode the same plaintext always encrypts to the same ciphertext, unless the key is changed. In CBC mode, this does not occur.

Various other modes are also possible, but none of them are used in IPSEC.

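An added example (not code from the FreeS/WAN sources) showing the ECB-versus-CBC difference the table describes. The block cipher inside is a constructed stand-in (XOR with the key, then a bit rotation), chosen only so the chaining logic is visible; the key, IVs and plaintext are constructed values.

```python
BLOCK = 8          # 64-bit block, the size DES and the other ciphers in this glossary use
MASK64 = (1 << 64) - 1


def _toy_encrypt(key, block):
    """Constructed stand-in block cipher, NOT secure: XOR the 64-bit block with
    the key, then rotate left 13 bits. It is a permutation of the block space,
    which is all the mode logic below relies on."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = ((x << 13) | (x >> 51)) & MASK64
    return x.to_bytes(BLOCK, "big")


def _toy_decrypt(key, block):
    x = int.from_bytes(block, "big")
    x = ((x >> 13) | (x << 51)) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _split(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of %d-byte blocks" % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """Electronic CodeBook: every block encrypted independently."""
    return b"".join(_toy_encrypt(key, p) for p in _split(plaintext))


def cbc_encrypt(key, iv, plaintext):
    """Cipher Block Chaining: the previous ciphertext block (the IV for the
    first) is XORed into each plaintext block before encryption."""
    out, prev = [], iv
    for p in _split(plaintext):
        c = _toy_encrypt(key, _xor(p, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in _split(ciphertext):
        out.append(_xor(_toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one: the leak ECB has."""
    blocks = _split(ciphertext)
    return len(blocks) - len(set(blocks))


def demo():
    key = bytes.fromhex("0123456789abcdef")       # constructed key
    iv1 = bytes(range(8))                         # constructed IVs
    iv2 = bytes(range(8, 16))
    plaintext = b"SAME BLK" * 4                   # four identical 8-byte blocks
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(key, plaintext)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(key, iv1, plaintext)),
        # reusing an IV makes two messages with equal prefixes encrypt alike,
        # which is why the CBC entry wants a fresh, unpredictable IV per message
        "same_iv_same_ct": cbc_encrypt(key, iv1, plaintext) == cbc_encrypt(key, iv1, plaintext),
        "new_iv_new_ct": cbc_encrypt(key, iv1, plaintext) != cbc_encrypt(key, iv2, plaintext),
        "roundtrip": cbc_decrypt(key, iv1, cbc_encrypt(key, iv1, plaintext)) == plaintext,
    }
```
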
Challenge-response authentication
An authentication system in which one player generates a random number, encrypts it and sends the result as a challenge. The other player decrypts and sends back the result. If the result is correct, that proves to the first player that the second player knew the appropriate secret, required for the decryption.

Variations on this technique exist using public key or symmetric cryptography. Some provide two-way authentication, assuring each player of the other's identity.

Because the random number is different each time, this defeats simple eavesdropping and replay attacks. Of course an attacker might still try to break the cryptographic algorithm used, or the random number generator.

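An added example (not the glossary's or FreeS/WAN's code) of the symmetric variation mentioned above, built on a keyed hash (HMAC) rather than the encrypt/decrypt form the entry describes: the verifier keeps each random challenge single-use, which is what makes a recorded response worthless later. Class names, the shared secret and the challenge size are this example's own choices.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """The first player: issues fresh random challenges and checks responses.
    Every challenge is usable exactly once, so a captured response is useless
    afterwards even to someone who recorded the whole exchange."""

    def __init__(self, shared_secret, rng=secrets.token_bytes):
        self._secret = shared_secret
        self._rng = rng                 # injectable so tests can be deterministic
        self._outstanding = set()       # challenges issued but not yet answered

    def challenge(self):
        c = self._rng(16)               # 128-bit random number
        self._outstanding.add(c)
        return c

    def verify(self, challenge, response):
        # unknown or already-consumed challenge: a replay, or never ours
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)    # one shot, whether or not it verifies
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


class Prover:
    """The second player: proves knowledge of the secret without sending it."""

    def __init__(self, shared_secret):
        self._secret = shared_secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def run_scenarios(secret=b"constructed shared secret"):
    """Exercise the protocol once honestly, then with a wrong secret, then
    against a replay of the honest transcript, then against reuse of an old
    response for a new challenge."""
    verifier = Verifier(secret)
    honest = Prover(secret)
    impostor = Prover(b"guess")

    c1 = verifier.challenge()
    r1 = honest.respond(c1)
    genuine = verifier.verify(c1, r1)

    c2 = verifier.challenge()
    wrong_secret = verifier.verify(c2, impostor.respond(c2))

    replayed = verifier.verify(c1, r1)          # same challenge and response again

    c3 = verifier.challenge()
    stale_response = verifier.verify(c3, r1)    # old response, fresh challenge

    return {"genuine": genuine, "wrong_secret": wrong_secret,
            "replayed": replayed, "stale_response": stale_response}
```
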
Ciphertext
The encrypted output of a cipher, as opposed to the unencrypted plaintext input.

Cisco
A vendor of routers, hubs and related products. Their IPSEC products interoperate with Linux FreeS/WAN; see our compatibility document.

Conventional cryptography
See symmetric cryptography.

Collision resistance
The property of a message digest algorithm which makes it hard for an attacker to find or construct two inputs which hash to the same output.

Copyleft
see GNU General Public License

CSE
Communications Security Establishment, the Canadian organisation for signals intelligence.

DARPA (sometimes just ARPA)
The US government's Defense Advanced Research Projects Agency. Projects they have funded over the years have included the Arpanet which evolved into the Internet, the TCP/IP protocol suite (as a replacement for the original Arpanet suite), the Berkeley 4.x BSD Unix projects, and Secure DNS.

For current information, see their site.

Denial of service (DOS) attack
An attack that aims at denying some service to legitimate users of a system, rather than providing a service to the attacker.
- One variant is a flooding attack, overwhelming the system with too many packets, too much email, or whatever.
- A closely related variant is a resource exhaustion attack. For example, consider a "TCP SYN flood" attack. Setting up a TCP connection involves a three-packet exchange:
  - Initiator: Connection please (SYN)
  - Responder: OK (ACK)
  - Initiator: OK here too
  If the attacker puts bogus source information in the first packet, such that the second is never delivered, the responder may wait a long time for the third to come back. If the responder has already allocated memory for the connection data structures, and if many of these bogus packets arrive, the responder may run out of memory.
- Another variant is to feed the system undigestible data, hoping to make it sick. For example, IP packets are limited in size to 64K bytes and a fragment carries information on where it starts within that 64K and how long it is. The "ping of death" delivers fragments that say, for example, that they start at 60K and are 20K long. Attempting to re-assemble these without checking for overflow can be fatal.
The two example attacks discussed were both quite effective when first discovered, capable of crashing or disabling many operating systems. They were also well-publicised, and today far fewer systems are vulnerable to them.

DES
The Data Encryption Standard, a block cipher with 64-bit blocks and a 56-bit key. Probably the most widely used symmetric cipher ever devised. DES has been a US government standard for their own use (only for unclassified data), and for some regulated industries such as banking, since the late 70's.

DES is seriously insecure against current attacks.

Linux FreeS/WAN includes DES since the RFCs require it, but our default configuration refuses to negotiate a connection using it. We strongly recommend that single DES not be used.

See also 3DES and DESX, stronger ciphers based on DES.

DESX
An improved DES suggested by Ron Rivest of RSA Data Security. It XORs extra key material into the text before and after applying the DES cipher.

This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN. DESX would be the easiest additional transform to add; there would be very little code to write. It would be much faster than 3DES and almost certainly more secure than DES. However, since it is not in the RFCs other IPSEC implementations cannot be expected to have it.

DH
see Diffie-Hellman

Diffie-Hellman (DH) key exchange protocol
A protocol that allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a key for a block cipher or as the basis for key exchange.

The protocol is secure against all passive attacks, but it is not at all resistant to active man-in-the-middle attacks. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication is a prerequisite for safe Diffie-Hellman key exchange.

IPSEC can use any of several authentication mechanisms. Those supported by FreeS/WAN are discussed in our configuration document.

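The exchange described above, as an added example (not FreeS/WAN's Pluto code): both sides' computations, the shared key both arrive at, and a pre-shared-secret HMAC over each public value standing in for the authentication the entry calls a prerequisite. The small prime group, the identities and the pre-shared secret are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the 127-bit Mersenne prime 2**127 - 1 with generator 3.
# IPSEC uses the far larger MODP groups from RFC 2409; this one keeps the
# arithmetic readable and is NOT a recommendation.
P = 2 ** 127 - 1
G = 3
NBYTES = 16


def dh_private():
    """Random secret exponent in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)


def dh_public(private):
    return pow(G, private, P)


def dh_shared(peer_public, private):
    """Derive the shared value, refusing degenerate peer values (0, 1, P-1)
    that would collapse the secret to something an eavesdropper can predict."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_public, private, P)


def session_key(shared):
    """Hash the shared number into key material for a block cipher."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def tag_public(preshared, identity, public):
    """Bind a public value to an identity under a pre-shared secret, so the
    peer can tell the value came from who it claims to; this is the
    authentication step the entry calls a prerequisite."""
    msg = identity + b"|" + public.to_bytes(NBYTES, "big")
    return hmac.new(preshared, msg, hashlib.sha256).digest()


def check_public(preshared, identity, public, tag):
    return hmac.compare_digest(tag_public(preshared, identity, public), tag)


def exchange(preshared):
    """Both sides of the exchange. Returns the two derived keys; they match
    only if each side accepted the other's authenticated public value."""
    a, b = dh_private(), dh_private()
    pub_alice, pub_bob = dh_public(a), dh_public(b)
    # what crosses the wire in each direction: (identity, public value, tag)
    msg_from_alice = (b"alice", pub_alice, tag_public(preshared, b"alice", pub_alice))
    msg_from_bob = (b"bob", pub_bob, tag_public(preshared, b"bob", pub_bob))
    if not check_public(preshared, *msg_from_bob):
        raise ValueError("alice: bob's value failed authentication")
    if not check_public(preshared, *msg_from_alice):
        raise ValueError("bob: alice's value failed authentication")
    key_alice = session_key(dh_shared(pub_bob, a))
    key_bob = session_key(dh_shared(pub_alice, b))
    return key_alice, key_bob
```
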
Digital signature
Take a message digest of a document and encrypt it with your private key for some public key cryptosystem. I can decrypt with your public key and verify that the result matches the digest I calculate. This proves that the encrypted digest was created with your private key.

Such an encrypted message digest can be treated as a signature since it cannot be created without both the document and the private key which only you should possess. The legal issues are complex, but several countries are moving in the direction of legal recognition for digital signatures.

DNS
Domain Name Service, a distributed database through which names are associated with numeric addresses and other information in the Internet Protocol Suite. See also BIND, the Berkeley Internet Name Daemon which implements DNS services and Secure DNS. See our bibliography for a useful reference on both.

DOS attack
see Denial Of Service attack

EAR
The US government's Export Administration Regulations, administered by the Bureau of Export Administration. These have replaced the earlier ITAR regulations as the controls on export of cryptography.

ECB mode
Electronic CodeBook mode, the simplest way to use a block cipher. See Cipher Modes.

EDE
The sequence of operations normally used in either the three-key variant of 3DES used in IPSEC or the two-key variant used in some other systems.

The sequence is:
- Encrypt with key1
- Decrypt with key2
- Encrypt with key3
For the two-key version, key1=key3.

The "advantage" of this EDE order of operations is that it makes it simple to interoperate with older devices offering only single DES. Set key1=key2=key3 and you have the worst of both worlds, the overhead of triple DES with the security of single DES. Since single DES is insecure, this is a rather dubious "advantage".

The EDE two-key variant can also interoperate with the EDE three-key variant used in IPSEC; just set k1=k3.

Entrust
A Canadian company offering enterprise PKI products using CAST-128 symmetric crypto, public key and X.509 directories.

EFF
Electronic Frontier Foundation, an advocacy group for civil rights in cyberspace.

Encryption
Techniques for converting a readable message (plaintext) into apparently random material (ciphertext) which cannot be read if intercepted. A key is required to read the message.

Major variants include symmetric encryption in which sender and receiver use the same secret key and public key methods in which the sender uses one of a matched pair of keys and the receiver uses the other. Many current systems, including IPSEC, are hybrids combining the two techniques.

ESP
Encapsulated Security Payload, the IPSEC protocol which provides encryption. It can also provide authentication service and may be used with null encryption (which we do not recommend). For details see our document and/or RFC 2406.

Extruded subnet
A situation in which something IP sees as one network is actually in two or more places.

For example, the Internet may route all traffic for a particular company to that firm's corporate gateway. It then becomes the company's problem to get packets to various machines on their subnets in various departments. They may decide to treat a branch office like a subnet, giving it IP addresses "on" their corporate net. This becomes an extruded subnet.

Packets bound for it are delivered to the corporate gateway, since as far as the outside world is concerned, that subnet is part of the corporate network. However, instead of going onto the corporate LAN (as they would for, say, the accounting department) they are then encapsulated and sent back onto the Internet for delivery to the branch office.

For information on doing this with Linux FreeS/WAN, look in our configuration file.

Exhaustive search
See brute force attack.

FIPS
Federal Information Processing Standard, the US government's standards for products it buys. These are issued by NIST. Among other things, DES and SHA are defined in FIPS documents. NIST have a FIPS home page.

Free Software Foundation (FSF)
An organisation to promote free software, free in the sense of these quotes from their web pages

  "Free software" is a matter of liberty, not price. To understand the concept, you should think of "free speech", not "free beer."

  "Free software" refers to the users' freedom to run, copy, distribute, study, change and improve the software.

See also GNU.

FreeSWAN
see Linux FreeS/WAN

FSF
see Free Software Foundation

GCHQ
Government Communications Headquarters, the British organisation for signals intelligence.

GILC
Global Internet Liberty Campaign, an international organisation advocating, among other things, free availability of cryptography. They have a campaign to remove cryptographic software from the Wassenaar Arrangement.

Global Internet Liberty Campaign
see GILC

Global Trust Register
An attempt to create something like a root CA for PGP by publishing both as a book and on the web the fingerprints of a set of verified keys for well-known users and organisations.

GMP
The GNU Multi-Precision library code, used in Linux FreeS/WAN by Pluto for public key calculations.

GNU
GNU's Not Unix, the Free Software Foundation's project aimed at creating a free system with at least the capabilities of Unix. Linux uses GNU utilities extensively.

GPG
see GNU Privacy Guard

GNU General Public License (GPL, copyleft)
The license developed by the Free Software Foundation under which Linux, Linux FreeS/WAN and many other pieces of software are distributed. The license allows anyone to redistribute and modify the code, but forbids anyone from distributing executables without providing access to source code. For more details see the file COPYING included with GPLed source distributions, including ours, or the GPL page.

GNU Privacy Guard
An open source implementation of OpenPGP as defined in RFC 2440.

GPL
see GNU General Public License.

Hash
see message digest

Hashed Message Authentication Code (HMAC)
Using keyed message digest functions to authenticate a message. This differs from other uses of these functions:
- In normal usage, the hash function's internal variables are initialised in some standard way. Anyone can reproduce the hash to check that the message has not been altered.
- For HMAC usage, you initialise the internal variables from the key. Only someone with the key can reproduce the hash. A successful check of the hash indicates not only that the message is unchanged but also that the creator knew the key.
The exact techniques used in IPSEC are defined in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96 because they output only 96 bits of the hash. This makes some attacks on the hash functions harder.

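An added example, not code from the FreeS/WAN sources: RFC 2104's HMAC construction written out with hashlib so the ipad/opad keying the entry describes is visible, plus the 96-bit truncation used by HMAC-MD5-96 and HMAC-SHA-96. Keys and messages are constructed except for the RFC's own first test vector.

```python
import hashlib
import hmac

IPAD = 0x36
OPAD = 0x5C


def hmac_rfc2104(key, message, hash_name):
    """HMAC exactly as RFC 2104 lays it out:
        H( (K xor opad) || H( (K xor ipad) || text ) )
    A key longer than the hash's input block is first hashed; a shorter key is
    padded with zero bytes up to the block size (64 bytes for MD5 and SHA-1).
    Mixing the key into the first block through ipad/opad is what the entry
    means by initialising the internal variables from the key."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(k ^ IPAD for k in key)
    k_opad = bytes(k ^ OPAD for k in key)
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def hmac96(key, message, hash_name):
    """HMAC-MD5-96 / HMAC-SHA-96: keep only the leftmost 96 bits (12 bytes)."""
    return hmac_rfc2104(key, message, hash_name)[:12]


def verify96(key, message, hash_name, tag):
    """Recompute and compare in constant time; rejects an altered message and
    a message whose author did not know the key."""
    return hmac.compare_digest(hmac96(key, message, hash_name), tag)


def plain_digest(message, hash_name):
    """The 'normal usage' the entry contrasts with: anyone can recompute it."""
    return hashlib.new(hash_name, message).digest()


def matches_stdlib(key, message, hash_name):
    """Cross-check against Python's hmac module, which implements the same RFC."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def rfc2104_test_case_1():
    """First MD5 test vector from the test vectors appended to RFC 2104:
    16 bytes of 0x0b as key, data "Hi There"."""
    return hmac_rfc2104(b"\x0b" * 16, b"Hi There", "md5").hex()
```
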
HMAC
see Hashed Message Authentication Code

HMAC-MD5-96
see Hashed Message Authentication Code

HMAC-SHA-96
see Hashed Message Authentication Code

Hybrid cryptosystem
A system using both public key and symmetric techniques. This works well. Public key methods provide key management and digital signature facilities which are not readily available using symmetric ciphers. The symmetric cipher, however, can do the bulk of the encryption work much more efficiently than public key methods.

IAB
Internet Architecture Board.

ICMP
Internet Control Message Protocol. This is used for various IP-connected devices to manage the network.

IDEA
International Data Encryption Algorithm, developed in Europe as an alternative to exportable American ciphers such as DES which were too weak for serious use. IDEA is a block cipher using 64-bit blocks and 128-bit keys, and is used in products such as PGP.

IDEA is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

IDEA is patented and, with strictly limited exceptions for personal use, using it requires a license from 
Ascom.

IESG
Internet Engineering Steering Group.

IETF
Internet Engineering Task Force, the umbrella organisation whose various working groups make most of the technical decisions for the Internet. The IETF IPSEC working group wrote the RFCs we are implementing.

IKE
Internet Key Exchange, based on the Diffie-Hellman key exchange protocol. IKE is implemented in Linux FreeS/WAN by the Pluto daemon.

Initialisation Vector (IV)
Some cipher modes, including the CBC mode which IPSEC uses, require some extra data at the beginning. This data is called the initialisation vector. It need not be secret, but should be different for each message. Its function is to prevent messages which begin with the same text from encrypting to the same ciphertext. That might give an analyst an opening, so it is best prevented.