Case 6:07-cv-00080-LED Document 194-7 Filed 12/30/08 Page 2 of 26

This file is part of the documentation for the Linux FreeS/WAN project.
See the documentation index or project home page for more information.

Glossary for the Linux FreeS/WAN project
Entries are in alphabetical order. Some entries are only one line or one paragraph long. Others run to
several paragraphs. I have tried to put the essential information in the first paragraph so you can skip the
other paragraphs if that seems appropriate.

Other glossaries
Other glossaries which overlap this one include:

* glossary portion of the Cryptography FAQ
* an extensive cryptographic glossary on Terry Ritter's page.
* The NSA's glossary of computer security on the SANS Institute site.
* an Internet Draft Crypto Glossary
* the IETF provide a glossary of Internet terms as RFC 1983
* a small glossary for Internet Security at PC magazine
* The glossary from Richard Smith's book Internet Cryptography

More general glossary or dictionary information:

* Free Online Dictionary of Computing (FOLDOC)
    o North America
    o Europe
    o Japan
  There are many more mirrors of this dictionary.
* CRC dictionary of Computer Science
* The Jargon File, the definitive resource for hacker slang and folklore
    o North America
    o Holland
    o home page
  There are also many mirrors of this. See the home page for a list.
* A general technology glossary
* An online dictionary resource page with pointers to many dictionaries for many languages
* A search engine that accesses several hundred online dictionaries
* O'Reilly Dictionary of PC Hardware and Data Communications Terms

http://liberty.freeswan.org/freeswan_trees/freeswan-1.3/doc/glossary.html

2/21/2002

VNET00221385

VirnetX Exhibit 2005
Black Swamp IP, LLC v. VirnetX Inc.
IPR2016-00957
Trial PGR2016-00007

Definitions

3DES (Triple DES)
Using three DES encryptions on a single data block, with at least two different keys, to get higher
security than is available from a single DES pass. The three-key version of 3DES is the default
encryption algorithm for Linux FreeS/WAN.

IPSEC always does 3DES with three different keys, as required by RFC 2451. For an explanation
of the two-key variant, see two key triple DES. Both use an EDE encrypt-decrypt-encrypt
sequence of operations.

Single DES is insecure.

Double DES is ineffective. Using two 56-bit keys, one might expect an attacker to have to do 2^112
work to break it. In fact, only 2^57 work is required with a meet-in-the-middle attack, though a
large amount of memory is also required. Triple DES is vulnerable to a similar attack, but that just
reduces the work factor from the 2^168 one might expect to 2^112. That provides adequate protection
against brute force attacks, and no better attack is known.

3DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per
block. DES was designed for hardware implementation and includes some operations which are
difficult in software. However, the speed we get is quite acceptable for many uses. See
benchmarks below for details.

Active attack
An attack in which the attacker does not merely eavesdrop (see passive attack) but takes action to
change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is man-in-

AES
The Advanced Encryption Standard, a new block cipher standard to replace DES being developed
by NIST, the US National Institute of Standards and Technology. DES used 64-bit blocks and a
56-bit key. AES ciphers use a 128-bit block and are required to support 128, 192 and 256-bit keys.
Some of them support other sizes as well. The larger block size helps resist birthday attacks while
the large key size prevents brute force attacks.

Fifteen proposals meeting NIST's basic criteria were submitted in 1998 and subjected to intense
discussion and analysis, "round one" evaluation. In August 1999, NIST narrowed the field to five
"round two" candidates:
* Mars from IBM
* RC6 from RSA
* Rijndael from two Belgian researchers
* Serpent, a British-Norwegian-Israeli research collaboration
* Twofish from the consulting firm Counterpane
We expect IPSEC will eventually use the AES winner, and we expect to see a winner (or more
than one; there is an ongoing discussion on that point) declared in the summer of 2000.
Adding one or more AES ciphers to Linux FreeS/WAN would be a useful undertaking, and
considerable freely available code exists to start from. One complication is that our code is built
for a 64-bit block cipher and AES uses a 128-bit block. Volunteers via the mailing list would be
welcome.
For more information, see the NIST AES home page or the Block Cipher Lounge AES page. For
code and benchmarks see Brian Gladman's page.

AH
The IPSEC Authentication Header, added after the IP header. For details, see our IPSEC
Overview document and/or RFC 2402.

Alice and Bob
A and B, the standard example users in writing on cryptography and coding theory. Carol and
Dave join them for protocols which require more players.
Bruce Schneier extends these with many others such as Eve the Eavesdropper and Victor the
Verifier. His extensions seem to be in the process of becoming standard as well. See page 23 of
Applied Cryptography.
Alice and Bob have an amusing biography on the web.

ARPA

ASIO
Australian Security Intelligence Organisation.

Asymmetric cryptography
See public key cryptography.

Authentication
Ensuring that a message originated from the expected sender and has not been altered en route.
IPSEC uses authentication in two places:
* authenticating the players in IKE's Diffie-Hellman key exchanges to prevent man-in-the-middle
  attacks. This can be done in a number of ways. The methods supported by
  FreeS/WAN are discussed in our configuration document.
* authenticating packets on an established SA, either with a separate authentication header or
  with the optional authentication in the ESP protocol. In either case, packet authentication
  uses a hashed message authentication code technique.
Outside IPSEC, passwords are perhaps the most common authentication mechanism. Their
function is essentially to authenticate the person's identity to the system. Passwords are generally
only as secure as the network they travel over. If you send a cleartext password over a tapped
phone line or over a network with a packet sniffer on it, the security provided by that password
becomes zero. Sending an encrypted password is no better; the attacker merely records it and
reuses it at his convenience. This is called a replay attack.
A common solution to this problem is a challenge-response system. This defeats simple
eavesdropping and replay attacks. Of course an attacker might still try to break the cryptographic
algorithm used, or the random number generator.

Automatic keying
A mode in which keys are automatically generated at connection establishment and new keys
automatically created periodically thereafter. Contrast with manual keying in which a single stored
key is used.

IPSEC uses the Diffie-Hellman key exchange protocol to create keys. An authentication
mechanism is required for this. The methods supported by FreeS/WAN are discussed in our

Having an attacker break the authentication is emphatically not a good idea. An attacker that
breaks authentication, and manages to subvert some other network entities (DNS, routers or
gateways), can use a man-in-the-middle attack to break the security of your IPSEC connections.

However, having an attacker break the authentication in automatic keying is not quite as bad as
losing the key in manual keying.
* An attacker who reads /etc/ipsec.conf and gets the keys for a manually keyed connection
  can, without further effort, read all messages encrypted with those keys, including any old
  messages he may have archived.
* Automatic keying has a property called perfect forward secrecy. An attacker who breaks the
  authentication gets none of the automatically generated keys and cannot immediately read
  any messages. He has to mount a successful man-in-the-middle attack in real time before he
  can read anything. He cannot read old archived messages and will not be able to read
  any future messages not caught by man-in-the-middle tricks.
That said, the secrets used for authentication, stored in ipsec.secrets(5), should still be protected as
tightly as cryptographic keys.

Bay Networks
A vendor of routers, hubs and related products, now a subsidiary of Northern Telecom.
Interoperation between their IPSEC products and Linux FreeS/WAN was problematic at last
report; see our compatibility document.

benchmarks
Our default block cipher, triple DES, is slower than many alternate ciphers that might be used.
Speeds achieved, however, seem adequate for many purposes. For example, the assembler code
from the LIBDES library we use encrypts 1.6 megabytes per second on a Pentium 200, according
to the test program supplied with the library.

The University of Wales at Aberystwyth has done quite detailed tests and put their results on the
web.

Even a 486 can handle a T1 line, according to this mailing list message:

    Subject: Re: linux-ipsec: IPSec Masquerade
    Date: Fri, 15 Jan 1999 11:13:22 -0500
    From: Michael Richardson

    A 486/66 has been clocked by Phil Karn to do
    10Mb/s encryption...
    that uses all the CPU,
    so half that to get some cpu,
    and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....

From an Internet Draft The ESP Triple DES Transform:

    Phil Karn has tuned DES-EDE3-CBC software to achieve 6.22 Mbps with a
    133 MHz Pentium. Other DES speed estimates may be found at
    [Schneier95, page 279]. Your mileage may vary.

If you want to measure the loads FreeS/WAN puts on a system, note that tools such as top or
measurements such as load average are more-or-less useless for this. They are not designed to
measure something that does most of its work inside the kernel.

BIND
Berkeley Internet Name Daemon, a widely used implementation of DNS (Domain Name Service).
See our bibliography for a useful reference. See the BIND home page for more information and
the latest version.

Birthday attack
A cryptographic attack based on the mathematics exemplified by the birthday paradox. This math
turns up whenever the question of two cryptographic operations producing the same result
becomes an issue:
* collisions in message digest functions.
* identical output blocks from a block cipher
* repetition of a challenge in a challenge-response system
Resisting such attacks is part of the motivation for:
* hash algorithms such as SHA and RIPEMD-160 giving a 160-bit result rather than the 128
  bits of MD4, MD5 and RIPEMD-128.
* AES block ciphers using a 128-bit block instead of the 64-bit block of most current ciphers
* IPSEC using a 32-bit counter for packets sent on an automatically keyed SA and requiring
  that the connection always be rekeyed before the counter overflows.

Birthday paradox
Not really a paradox, just a rather counter-intuitive mathematical fact. In a group of 23 people, the
chance of at least one pair having the same birthday is over 50%.
The second person has 1 chance in 365 (ignoring leap years) of matching the first. If they don't
match, the third person's chances of matching one of them are 2/365. The 4th, 3/365, and so on.
The total of these chances grows more quickly than one might guess.
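
Added example (not part of the FreeS/WAN glossary): the birthday arithmetic above carried through in Python, first for the 365-day case and then, going beyond the text, for the 64-bit, 128-bit and 160-bit sizes named under Birthday attack. The function names are chosen here for illustration.

```python
import math


def collision_probability(samples: int, space: int) -> float:
    """Chance that at least two of `samples` uniform draws from `space` values match."""
    # Chance that every draw misses all earlier ones: (1 - 1/N)(1 - 2/N)...
    # These factors use the 1/365, 2/365, 3/365 chances listed in the entry.
    all_distinct = 1.0
    for earlier in range(1, samples):
        all_distinct *= 1.0 - earlier / space
    return 1.0 - all_distinct


def smallest_group_over_half(space: int) -> int:
    """Smallest number of draws whose collision chance exceeds 50%."""
    n = 2
    while not collision_probability(n, space) > 0.5:
        n += 1
    return n


def log2_draws_for_half(bits: int) -> float:
    """log2 of the draws needed for a ~50% collision among 2**bits values.

    Uses the standard approximation p = 1 - exp(-n^2 / 2N),
    which gives n = sqrt(2 * ln 2 * N) for p = 1/2.
    """
    return 0.5 * (bits + math.log2(2.0 * math.log(2.0)))


def bytes_before_likely_repeat(block_bits: int) -> float:
    """Data encrypted under one key before a repeated output block is ~50% likely."""
    return 2.0 ** log2_draws_for_half(block_bits) * (block_bits // 8)


if __name__ == "__main__":
    print(f"23 people: {collision_probability(23, 365):.4f}")
    print(f"smallest group over 50%: {smallest_group_over_half(365)}")
    for label, bits in [("64-bit block", 64),
                        ("128-bit block or hash", 128),
                        ("160-bit hash", 160)]:
        print(f"{label}: about 2^{log2_draws_for_half(bits):.1f} outputs")
    gib = bytes_before_likely_repeat(64) / 2 ** 30
    print(f"64-bit block: about {gib:.0f} GiB under one key")
```

The work factor is roughly the square root of the output space, which is why each size in the Birthday attack entry was doubled or enlarged rather than nudged upward.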

Block cipher
A symmetric cipher which operates on fixed-size blocks of plaintext, giving a block of ciphertext
for each. Contrast with stream cipher. Block ciphers can be used in various modes when multiple
blocks are to be encrypted.
DES is among the best known and widely used block ciphers, but is now obsolete. Its 56-bit
key size makes it highly insecure today. Triple DES is the default transform for Linux
FreeS/WAN because it is the only cipher which is both required in the RFCs and apparently

The current generation of block ciphers -- such as Blowfish, CAST-128 and IDEA -- all use 64-bit
blocks and 128-bit keys. The next generation, AES, uses 128-bit blocks and supports key sizes up
to 256 bits.

The Block Cipher Lounge web site has more information.

Blowfish
A block cipher using 64-bit blocks and keys of up to 448 bits, designed by Bruce Schneier and
used in several products.
This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

Brute force attack (exhaustive search)
Breaking a cipher by trying all possible keys. This is always possible in theory (except against a
one-time pad), but it becomes practical only if the key size is inadequate. For an important
example, see our document on the insecurity of DES with its 56-bit key. For an analysis of key
sizes required to resist plausible brute force attacks, see this paper.

Longer keys protect against brute force attacks. Each extra bit in the key doubles the number of
possible keys and therefore doubles the work a brute force attack must do. A large enough key
defeats any brute force attack.

For example, the EFF's DES Cracker searches a 56-bit key space in an average of a few days. Let
us assume an attacker that can find a 64-bit key (256 times harder) by brute force search in a
second (a few hundred thousand times faster). For a 96-bit key, that attacker needs 2^32 seconds,
just over a century. Against a 128-bit key, he needs 2^32 centuries or about 400,000,000,000 years.
Your data is then obviously secure against brute force attacks. Even if our estimate of the
attacker's speed is off by a factor of a million, it still takes him 400,000 years to crack a message.

This is why
* single DES is now considered dangerously insecure
* any cipher we add to Linux FreeS/WAN will have at least a 90-bit key
* all of the current generation of block ciphers use a 128-bit or longer key
* AES ciphers support key sizes 128, 192 and 256 bits
Cautions:
Inadequate keylength always indicates a weak cipher but it is important to note that adequate
keylength does not necessarily indicate a strong cipher. There are many attacks other than brute
force, and adequate keylength only guarantees resistance to brute force. Any cipher, whatever its
key size, will be weak if design or implementation flaws allow other attacks.
Also, once you have adequate keylength (somewhere around 90 or 100 bits), adding more key bits
makes no practical difference, even against brute force. Consider our 128-bit example above that
takes 400 billion years to break by brute force. Do we care if an extra 16 bits of key put that into
the quadrillions? No. What about 16 fewer bits reducing it to the 112-bit security level of Triple
DES, which our example attacker could break in just over a billion years? No again, unless we're
being really paranoid about safety margins.
There may be reasons of convenience in the design of the cipher to support larger keys. For
example Blowfish allows up to 448 bits and RC4 up to 2048, but beyond 100-odd bits it makes no
difference to practical security.

Bureau of Export Administration
see BXA

BXA
The US Commerce Department's Bureau of Export Administration which administers the EAR
Export Administration Regulations controlling the export of, among other things, cryptography.

CA
Certification Authority, an entity in a public key infrastructure that can certify keys by signing
them. Usually CAs form a hierarchy. The top of this hierarchy is called the root CA.

See Web of Trust for an alternate model.

CAST-128
A block cipher using 64-bit blocks and 128-bit keys, described in RFC 2144 and used in products
such as Entrust and recent versions of PGP.

This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.

CAST-256
Entrust's candidate cipher for the AES standard, largely based on the CAST-128 design.

CBC mode
Cipher Block Chaining mode, a method of using a block cipher in which for each block except the
first, the result of the previous encryption is XORed into the new block before it is encrypted.
CBC is the mode used in IPSEC.
An initialisation vector (IV) must be provided. It is XORed into the first block before encryption.
The IV need not be secret but should be different for each message and unpredictable.

Certification Authority
see CA

Cipher Modes
Different ways of using a block cipher when encrypting multiple blocks.
Four standard modes were defined for DES in FIPS 81. They can actually be applied with any
block cipher.

ECB  Electronic CodeBook    encrypt each block independently
CBC  Cipher Block Chaining  XOR previous block ciphertext into new block plaintext before
                            encrypting new block
CFB  Cipher FeedBack
OFB  Output FeedBack

IPSEC uses CBC mode since this is only marginally slower than ECB and is more secure. In ECB
mode the same plaintext always encrypts to the same ciphertext, unless the key is changed. In
CBC mode, this does not occur.
Various other modes are also possible, but none of them are used in IPSEC.

Challenge-response authentication
An authentication system in which one player generates a random number, encrypts it and sends
the result as a challenge. The other player decrypts and sends back the result. If the result is
correct, that proves to the first player that the second player knew the appropriate secret, required
for the decryption.
Variations on this technique exist using public key or symmetric cryptography. Some provide
two-way authentication, assuring each player of the other's identity.
Because the random number is different each time, this defeats simple eavesdropping and replay
attacks. Of course an attacker might still try to break the cryptographic algorithm used, or the
random number generator.
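
Added example, not from the FreeS/WAN documentation: a symmetric variation of the scheme described above in which the response is a keyed hash of the challenge rather than a decryption, run against a recorded-and-replayed response. The class and function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Prover side: show knowledge of the secret without ever sending it."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues random challenges and accepts each one at most once."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        # The random number must be unpredictable, so take it from the OS CSPRNG.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already used: a replay
        self._outstanding.discard(challenge)  # single use, pass or fail
        expected = respond(self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_demo() -> dict:
    secret = b"constructed demo secret"  # constructed sample value
    verifier = Verifier(secret)
    results = {}

    # Legitimate exchange; assume an eavesdropper records (c1, r1).
    c1 = verifier.new_challenge()
    r1 = respond(secret, c1)
    results["legitimate"] = verifier.check(c1, r1)

    # Replay of the recorded pair: the challenge has been consumed.
    results["replay_same_challenge"] = verifier.check(c1, r1)

    # Replay of the recorded response against a fresh challenge.
    c2 = verifier.new_challenge()
    results["replay_against_new_challenge"] = verifier.check(c2, r1)

    # A party who does not hold the secret cannot compute a valid response.
    c3 = verifier.new_challenge()
    results["wrong_secret"] = verifier.check(c3, respond(b"not the secret", c3))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```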

Ciphertext
The encrypted output of a cipher, as opposed to the unencrypted plaintext input.

Cisco
A vendor of routers, hubs and related products. Their IPSEC products interoperate with Linux
FreeS/WAN; see our compatibility document.

Collision resistance
The property of a message digest algorithm which makes it hard for an attacker to find or
construct two inputs which hash to the same output.

Conventional cryptography
See symmetric cryptography

Copyleft
see GNU General Public License

CSE
Communications Security Establishment, the Canadian organisation for signals intelligence.

DARPA (sometimes just ARPA)
The US government's Defense Advanced Research Projects Agency. Projects they have funded
over the years have included the Arpanet which evolved into the Internet, the TCP/IP protocol
suite (as a replacement for the original Arpanet suite), the Berkeley 4.x BSD Unix projects, and
Secure DNS.

For current information, see their web site.

Denial of service (DOS) attack
An attack that aims at denying some service to legitimate users of a system, rather than providing
a service to the attacker.
* One variant is a flooding attack, overwhelming the system with too many packets, too much
  email, or whatever.
* A closely related variant is a resource exhaustion attack. For example, consider a "TCP
  SYN flood" attack. Setting up a TCP connection involves a three-packet exchange:
    o Initiator: Connection please (SYN)
    o Responder: OK (ACK)
    o Initiator: OK here too
  If the attacker puts bogus source information in the first packet, such that the second is
  never delivered, the responder may wait a long time for the third to come back. If responder
  has already allocated memory for the connection data structures, and if many of these bogus
  packets arrive, the responder may run out of memory.
* Another variant is to feed the system undigestible data, hoping to make it sick. For example,
  IP packets are limited in size to 64K bytes and a fragment carries information on where it
  starts within that 64K and how long it is. The "ping of death" delivers fragments that say,
  for example, that they start at 60K and are 20K long. Attempting to re-assemble these
  without checking for overflow can be fatal.
The two example attacks discussed were both quite effective when first discovered, capable of
crashing or disabling many operating systems. They were also well-publicised, and today far
fewer systems are vulnerable to them.

DES
The Data Encryption Standard, a block cipher with 64-bit blocks and a 56-bit key. Probably the
most widely used symmetric cipher ever devised. DES has been a US government standard for
their own use (only for unclassified data), and for some regulated industries such as banking, since
the late 70's.
DES is seriously insecure against current attacks.
Linux FreeS/WAN includes DES since the RFCs require it, but our default configuration refuses
to negotiate a connection using it. We strongly recommend that single DES not be used.
See also 3DES and DESX, stronger ciphers based on DES.

DESX
An improved DES suggested by Ron Rivest of RSA Data Security. It XORs extra key material
into the text before and after applying the DES cipher.

This is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN. DESX
would be the easiest additional transform to add; there would be very little code to write. It would
be much faster than 3DES and almost certainly more secure than DES. However, since it is not in
the RFCs other IPSEC implementations cannot be expected to have it.

DH
see Diffie-Hellman

Diffie-Hellman (DH) key exchange protocol
A protocol that allows two parties without any initial shared secret to create one in a manner
immune to eavesdropping. Once they have done this, they can communicate privately by using
that shared secret as a key for a block cipher or as the basis for key exchange.

The protocol is secure against all passive attacks, but it is not at all resistant to active man-in-the-middle
attacks. If a third party can impersonate Bob to Alice and vice versa, then no useful secret
can be created. Authentication is a prerequisite for safe Diffie-Hellman key exchange.

IPSEC can use any of several authentication mechanisms. Those supported by FreeS/WAN are
discussed in our configuration document.

Digital signature
Take a message digest of a document and encrypt it with your private key for some public key
cryptosystem. I can decrypt with your public key and verify that the result matches the digest I
calculate. This proves that the encrypted digest was created with your private key.

Such an encrypted message digest can be treated as a signature since it cannot be created without
both the document and the private key which only you should possess. The legal issues are
complex, but several countries are moving in the direction of legal recognition for digital
signatures.

DNS
Domain Name Service, a distributed database through which names are associated with numeric
addresses and other information in the Internet Protocol Suite. See also BIND, the Berkeley
Internet Name Daemon which implements DNS services and Secure DNS. See our bibliography
for a useful reference on both.

DOS attack
see Denial Of Service attack

EAR
The US government's Export Administration Regulations, administered by the Bureau of Export
Administration. These have replaced the earlier ITAR regulations as the controls on export of
cryptography.

ECB mode
Electronic CodeBook mode, the simplest way to use a block cipher. See Cipher Modes.

EDE
The sequence of operations normally used in either the three-key variant of triple DES used in
IPSEC or the two-key variant used in some other systems.

The sequence is:
* Encrypt with key1
* Decrypt with key2
* Encrypt with key3
For the two-key version, key1=key3.
The "advantage" of this EDE order of operations is that it makes it simple to interoperate with
older devices offering only single DES. Set key1=key2=key3 and you have the worst of both
worlds, the overhead of triple DES with the security of single DES. Since single DES is insecure,
this is a rather dubious "advantage".

The EDE two-key variant can also interoperate with the EDE three-key variant used in IPSEC;
just set k1=k3.

EFF
Electronic Frontier Foundation, an advocacy group for civil rights in cyberspace.

Entrust
A Canadian company offering enterprise PKI products using CAST-128 symmetric crypto, RSA
public key and X.509 directories.

Encryption
Techniques for converting a readable message (plaintext) into apparently random material
(ciphertext) which cannot be read if intercepted. A key is required to read the message.

Major variants include symmetric encryption in which sender and receiver use the same secret key
and public key methods in which the sender uses one of a matched pair of keys and the receiver
uses the other. Many current systems, including IPSEC, are hybrids combining the two
techniques.

ESP
Encapsulated Security Payload, the IPSEC protocol which provides encryption. It can also
provide authentication service and may be used with null encryption (which we do not
recommend). For details see our IPSEC Overview document and/or RFC 2406.

Extruded subnet
A situation in which something IP sees as one network is actually in two or more places.

For example, the Internet may route all traffic for a particular company to that firm's corporate
gateway. It then becomes the company's problem to get packets to various machines on their
subnets in various departments. They may decide to treat a branch office like a subnet, giving it IP
addresses "on" their corporate net. This becomes an extruded subnet.
Packets bound for it are delivered to the corporate gateway, since as far as the outside world is
concerned, that subnet is part of the corporate network. However, instead of going onto the
corporate LAN (as they would for, say, the accounting department) they are then encapsulated and
sent back onto the Internet for delivery to the branch office.

For information on doing this with Linux FreeS/WAN, look in our Configuration file.

Exhaustive search
See brute force attack.

FIPS
Federal Information Processing Standard, the US government's standards for products it buys.
These are issued by NIST. Among other things, DES and SHA are defined in FIPS documents.
NIST have a FIPS home page.

Free Software Foundation (FSF)
An organisation to promote free software, free in the sense of these quotes from their web pages

"Free software" is a matter of liberty, not price. To understand the concept, you
should think of "free speech", not "free beer."

"Free software" refers to the users' freedom to run, copy, distribute, study, change and
improve the software.

FSF
see Free Software Foundation

GCHQ
Government Communications Headquarters, the British organisation for signals intelligence.

GILC
Global Internet Liberty Campaign, an international organisation advocating, among other things,
free availability of cryptography. They have a campaign to remove cryptographic software from
the Wassenaar Arrangement.

Global Internet Liberty Campaign

Global Trust Register
An attempt to create something like a root CA for PGP by publishing both as a book and on the
web the fingerprints of a set of verified keys for well-known users and organisations.

GMP
The GNU Multi-Precision library code, used in Linux FreeS/WAN by Pluto for public key
calculations.

GNU
GNU's Not Unix, the Free Software Foundation's project aimed at creating a free system with at
least the capabilities of Unix. Linux uses GNU utilities extensively.

GPG
see GNU Privacy Guard

GNU General Public License (GPL, copyleft)
The license developed by the Free Software Foundation under which Linux, Linux FreeS/WAN
and many other pieces of software are distributed. The license allows anyone to redistribute and
modify the code, but forbids anyone from distributing executables without providing access to
source code. For more details see the file COPYING included with GPLed source distributions,
including ours, or the GNU site's GPL page.

GPL
see GNU General Public License.

Hash
see message digest

Hashed Message Authentication Code (HMAC)
using keyed message digest functions to authenticate a message. This differs from other uses of
these functions:
* In normal usage, the hash function's internal variables are initialised in some standard way.
  Anyone can reproduce the hash to check that the message has not been altered.
* For HMAC usage, you initialise the internal variables from the key. Only someone with the
  key can reproduce the hash. A successful check of the hash indicates not only that the
  message is unchanged but also that the creator knew the key.
The exact techniques used in IPSEC are defined in RFC 2104. They are referred to as HMAC-MD5-96
and HMAC-SHA-96 because they output only 96 bits of the hash. This makes some
attacks on the hash functions harder.
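
Added example, not taken from FreeS/WAN: the difference between an unkeyed digest and a 96-bit truncated HMAC as a packet check, using Python's standard hmac module with SHA-1 or MD5. The function names, key and payloads are constructed for illustration.

```python
import hashlib
import hmac

TAG_BYTES = 12  # 96 bits, as in HMAC-MD5-96 and HMAC-SHA-96


def plain_digest(payload: bytes) -> bytes:
    """Normal usage: no key, so anyone can reproduce the hash."""
    return hashlib.sha1(payload).digest()


def verify_unkeyed(payload: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(payload), digest)


def hmac_96(key: bytes, payload: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 2104 HMAC, keeping only the first 96 bits of the result."""
    return hmac.new(key, payload, hash_name).digest()[:TAG_BYTES]


def verify_hmac_96(key: bytes, payload: bytes, tag: bytes,
                   hash_name: str = "sha1") -> bool:
    if len(tag) != TAG_BYTES:
        return False  # reject short or long tags outright
    return hmac.compare_digest(hmac_96(key, payload, hash_name), tag)


def run_demo() -> dict:
    key = b"constructed-demo-key"                       # constructed sample values
    genuine = b"constructed packet: pay 10 to alice"
    forged = b"constructed packet: pay 99 to mallory"
    tag = hmac_96(key, genuine)

    return {
        # Unkeyed: whoever alters the payload can recompute the digest,
        # so the receiver's check passes on the forgery.
        "unkeyed_accepts_forgery": verify_unkeyed(forged, plain_digest(forged)),
        # Keyed: the genuine packet verifies.
        "hmac_accepts_genuine": verify_hmac_96(key, genuine, tag),
        # Altered payload with the original tag is rejected.
        "hmac_accepts_forgery_old_tag": verify_hmac_96(key, forged, tag),
        # A tag computed without the right key is rejected.
        "hmac_accepts_forgery_wrong_key": verify_hmac_96(
            key, forged, hmac_96(b"attacker guess", forged)),
        # The MD5 variant yields the same 96-bit tag length.
        "md5_tag_bytes": len(hmac_96(key, genuine, "md5")),
        "sha1_tag_bytes": len(tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```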

HMAC
see Hashed Message Authentication Code

HMAC-MD5-96
see Hashed Message Authentication Code

HMAC-SHA-96
see Hashed Message Authentication Code

Hybrid cryptosystem
A system using both public key and symmetric cipher techniques. This works well. Public key
methods provide key management and digital signature facilities which are not readily available
using symmetric ciphers. The symmetric cipher, however, can do the bulk of the encryption work
much more efficiently than public key methods.

IAB
Internet Architecture Board.

ICMP
Internet Control Message Protocol. This is used for various IP-connected devices to manage the
network.

IDEA
International Data Encryption Algorithm, developed in Europe as an alternative to exportable
American ciphers such as DES which were too weak for serious use. IDEA is a block cipher using
64-bit blocks and 128-bit keys, and is used in products such as PGP.
IDEA is not required by the IPSEC RFCs and not currently used in Linux FreeS/WAN.
IDEA is patented and, with strictly limited exceptions for personal use, using it requires a license
from Ascom.

IESG
Internet Engineering Steering Group.

IETF
Internet Engineering Task Force, the umbrella organisation whose various working groups make
most of the technical decisions for the Internet. The IETF IPSEC working group wrote the RFCs
we are implementing.

IKE
Internet Key Exchange, based on the Diffie-Hellman key exchange protocol. IKE is implemented
in Linux FreeS/WAN by the Pluto daemon.

Initialisation Vector (IV)
Some cipher modes, including the CBC mode which IPSEC uses, require some extra data at the
beginning. This data is called the initialisation vector. It need not be secret, but should be different
for each message. Its function is to prevent messages which begin