Entries are in alphabetical order. Some entries are only one line or
one paragraph long. Others run to several paragraphs. I have tried to
put the essential information in the first paragraph so you can skip
the other paragraphs if that seems appropriate.
- 0
- 3DES (Triple DES)
- Using three DES encryptions on a single data
block, with at least two different keys, to get higher security than is
available from a single DES pass. The three-key version of 3DES is the
default encryption algorithm for Linux
FreeS/WAN.
IPsec always does 3DES with three different
keys, as required by RFC 2451. For an explanation of the two-key
variant, see two key triple DES. Both use an
EDE encrypt-decrypt-encrypt sequence of operations.
Single DES is
insecure.
Double DES is ineffective. Using two 56-bit keys, one might expect an
attacker to have to do 2^112 work to break it. In fact, only
2^57 work is required with a
meet-in-the-middle attack, though a large amount of memory is also
required. Triple DES is vulnerable to a similar attack, but that just
reduces the work factor from the 2^168 one might expect to 2^112.
That provides adequate protection against
brute force attacks, and no better attack is known.
3DES can be somewhat slow compared to other ciphers. It requires
three DES encryptions per block. DES was designed for hardware
implementation and includes some operations which are difficult in
software. However, the speed we get is quite acceptable for many uses.
See our performance document for
details.
- A
- Active attack
- An attack in which the attacker does not merely eavesdrop (see
passive attack) but takes action to change, delete, reroute, add,
forge or divert data. Perhaps the best-known active attack is
man-in-the-middle. In general,
authentication is a useful defense against active attacks.
- AES
- The Advanced Encryption Standard -- a new
block cipher standard to replace
DES -- developed by NIST, the US National
Institute of Standards and Technology. DES used 64-bit blocks and a
56-bit key. AES ciphers use a 128-bit block and 128, 192 or 256-bit
keys. The larger block size helps resist birthday
attacks while the large key size prevents brute
force attacks.
Fifteen proposals meeting NIST's basic criteria were submitted in
1998 and subjected to intense discussion and analysis, "round one"
evaluation. In August 1999, NIST narrowed the field to five "round two"
candidates:
Three of the five finalists -- Rijndael, Serpent and Twofish -- have
completely open licenses.
In October 2000, NIST announced the winner -- Rijndael.
For more information, see:
AES will be added to a future release of
Linux FreeS/WAN. Likely we will add all three of the finalists with
good licenses. User-written AES patches
are already available.
Adding AES may also require adding stronger hashes,
SHA-256, SHA-384 and SHA-512.
- AH
- The IPsec Authentication Header,
added after the IP header. For details, see our
IPsec document and/or RFC 2402.
- Alice and Bob
- A and B, the standard example users in writing on cryptography and
coding theory. Carol and Dave join them for protocols which require
more players.
Bruce Schneier extends these with many others such as Eve the
Eavesdropper and Victor the Verifier. His extensions seem to be in the
process of becoming standard as well. See page 23 of
Applied Cryptography
Alice and Bob have an amusing
biography on the web.
- ARPA
- see DARPA
- ASIO
- Australian Security Intelligence Organisation.
- Asymmetric cryptography
- See public key cryptography.
- Authentication
- Ensuring that a message originated from the expected sender and has
not been altered on route. IPsec uses
authentication in two places:
Outside IPsec, passwords are perhaps the most common authentication
mechanism. Their function is essentially to authenticate the person's
identity to the system. Passwords are generally only as secure as the
network they travel over. If you send a cleartext password over a
tapped phone line or over a network with a packet sniffer on it, the
security provided by that password becomes zero. Sending an encrypted
password is no better; the attacker merely records it and reuses it at
his convenience. This is called a replay attack.
A common solution to this problem is a
challenge-response system. This defeats simple eavesdropping and
replay attacks. Of course an attacker might still try to break the
cryptographic algorithm used, or the random number
generator.
- Automatic keying
- A mode in which keys are automatically generated at connection
establishment and new keys automatically created periodically thereafter.
Contrast with manual keying in which a
single stored key is used.
IPsec uses the Diffie-Hellman key exchange protocol
to create keys. An authentication
mechanism is required for this. FreeS/WAN normally uses
RSA for this. Other methods supported are discussed in our
advanced configuration document.
Having an attacker break the authentication is emphatically not a
good idea. An attacker that breaks authentication, and manages to
subvert some other network entities (DNS, routers or gateways), can use
a man-in-the middle attack to break the security
of your IPsec connections.
However, having an attacker break the authentication in automatic
keying is not quite as bad as losing the key in manual keying.
- An attacker who reads /etc/ipsec.conf and gets the keys for a
manually keyed connection can, without further effort, read all
messages encrypted with those keys, including any old messages he may
have archived.
- Automatic keying has a property called perfect
forward secrecy. An attacker who breaks the authentication gets
none of the automatically generated keys and cannot immediately read
any messages. He has to mount a successful
man-in-the-middle attack in real time before he can read anything.
He cannot read old archived messages at all and will not be able to
read any future messages not caught by man-in-the-middle tricks.
That said, the secrets used for authentication, stored in
ipsec.secrets(5), should still be protected as tightly as
cryptographic keys.
- B
- Bay Networks
- A vendor of routers, hubs and related products, now a subsidiary of
Nortel. Interoperation between their IPsec products and Linux FreeS/WAN
was problematic at last report; see our
interoperation section.
- benchmarks
- Our default block cipher, triple DES, is slower
than many alternate ciphers that might be used. Speeds achieved,
however, seem adequate for many purposes. For example, the assembler
code from the LIBDES library we use encrypts 1.6
megabytes per second on a Pentium 200, according to the test program
supplied with the library.
For more detail, see our document on
FreeS/WAN performance.
- BIND
- Berkeley Internet Name Daemon, a widely
used implementation of DNS (Domain Name
Service). See our bibliography for a useful
reference. See the BIND home
page for more information and the latest version.
- Birthday attack
- A cryptographic attack based on the mathematics exemplified by the
birthday paradox. This math turns up whenever the question of two
cryptographic operations producing the same result becomes an issue:
Resisting such attacks is part of the motivation for:
- hash algorithms such as SHA and
RIPEMD-160 giving a 160-bit result rather than the 128 bits of
MD4, MD5 and RIPEMD-128.
- AES block ciphers using a 128-bit block instead
of the 64-bit block of most current ciphers
- IPsec using a 32-bit counter for packets sent
on an automatically keyed
SA and requiring that the connection always be rekeyed before the
counter overflows.
- Birthday paradox
- Not really a paradox, just a rather counter-intuitive mathematical
fact. In a group of 23 people, the chance of at least one pair having
the same birthday is over 50%.
The second person has 1 chance in 365 (ignoring leap years) of
matching the first. If they don't match, the third person's chances of
matching one of them are 2/365. The 4th, 3/365, and so on. The total of
these chances grows more quickly than one might guess.
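The arithmetic behind both entries above, as a Python example added here (it is not FreeS/WAN code). The exact product gives the 23-person figure; the square-root approximation is what makes the same fact bite for hash and block sizes, since a collision among random n-bit values becomes likely after roughly 2^(n/2) of them. That is the reasoning behind 160-bit digests, 128-bit blocks and rekeying before the 32-bit packet counter wraps.

```python
from math import log, sqrt


def birthday_collision_probability(n: int, outcomes: int = 365) -> float:
    """Exact probability that at least one pair among n draws from
    `outcomes` equally likely values coincides:
    1 - (N/N) * ((N-1)/N) * ... * ((N-n+1)/N).
    Person 2 has 1/N chance of matching, person 3 has 2/N, and so on."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (outcomes - i) / outcomes
    return 1.0 - p_all_distinct


def smallest_group_over_half(outcomes: int = 365) -> int:
    """Smallest n for which a shared value is more likely than not."""
    n = 1
    while birthday_collision_probability(n, outcomes) <= 0.5:
        n += 1
    return n


def approx_draws_for_even_odds(outcomes: float) -> float:
    """Number of draws at which a collision has probability about 1/2,
    from the approximation p(n) ~ 1 - exp(-n^2 / (2N)):
    n = sqrt(2N ln 2) = sqrt(N ln 4). For N = 2^bits this is about
    2^(bits/2), which is why an n-bit hash only offers n/2 bits of
    collision resistance and a 64-bit block cipher starts to repeat
    ciphertext blocks after roughly 2^32 blocks."""
    return sqrt(log(4) * outcomes)


def collision_resistance_bits(output_bits: int) -> float:
    """Work factor, in bits, for a generic birthday collision search."""
    return log(approx_draws_for_even_odds(2.0 ** output_bits), 2)
```

approx_draws_for_even_odds(2.0 ** 64) comes out near 5e9 blocks, which for a 64-bit block cipher is about 32 GB of ciphertext under one key; for a 128-bit block it is about 2^64 blocks.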
- Block cipher
- A symmetric cipher which operates on
fixed-size blocks of plaintext, giving a block of ciphertext for each.
Contrast with stream cipher. Block ciphers can be
used in various modes when multiple blocks are to be
encrypted.
DES is among the best known and most widely used
block ciphers, but is now obsolete. Its 56-bit key size makes it
highly insecure today. Triple DES is the
default block cipher for Linux FreeS/WAN.
The current generation of block ciphers -- such as
Blowfish, CAST-128 and IDEA
-- all use 64-bit blocks and 128-bit keys. The next generation,
AES, uses 128-bit blocks and supports key sizes up to 256 bits.
The Block Cipher Lounge
web site has more information.
- Blowfish
- A block cipher using 64-bit blocks and keys of
up to 448 bits, designed by Bruce
Schneier and used in several products.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
- Brute force attack (exhaustive search)
- Breaking a cipher by trying all possible keys. This is always
possible in theory (except against a one-time pad),
but it becomes practical only if the key size is inadequate. For an
important example, see our document on the
insecurity of DES with its 56-bit key. For an analysis of key sizes
required to resist plausible brute force attacks, see
this paper.
Longer keys protect against brute force attacks. Each extra bit in
the key doubles the number of possible keys and therefore doubles the
work a brute force attack must do. A large enough key defeats
any brute force attack.
For example, the EFF's DES Cracker searches a
56-bit key space in an average of a few days. Let us assume an attacker
that can find a 64-bit key (256 times harder) by brute force search in
a second (a few hundred thousand times faster). For a 96-bit key, that
attacker needs 2^32 seconds, about 135 years. Against a
128-bit key, he needs 2^32 times that, over 500,000,000,000
years. Your data is then obviously secure against brute force attacks.
Even if our estimate of the attacker's speed is off by a factor of a
million, it still takes him over 500,000 years to crack a message.
This is why
- single DES is now considered
dangerously insecure
- all of the current generation of block ciphers
use a 128-bit or longer key
- AES ciphers support keysizes 128, 192 and 256
bits
- any cipher we add to Linux FreeS/WAN will have at least a
128-bit key
Cautions:
Inadequate keylength always indicates a weak cipher but it
is important to note that adequate keylength does not necessarily
indicate a strong cipher. There are many attacks other than brute
force, and adequate keylength only guarantees resistance to
brute force. Any cipher, whatever its key size, will be weak if design
or implementation flaws allow other attacks.
Also, once you have adequate keylength (somewhere around 90
or 100 bits), adding more key bits makes no practical difference,
even against brute force. Consider our 128-bit example above that
takes 500,000,000,000 years to break by brute force. We really don't
care how many zeroes there are on the end of that, as long as the
number remains ridiculously large. That is, we don't care exactly how
large the key is as long as it is large enough.
There may be reasons of convenience in the design of the cipher to
support larger keys. For example Blowfish
allows up to 448 bits and RC4 up to 2048, but beyond
100-odd bits it makes no difference to practical security.
- Bureau of Export Administration
- see BXA
- BXA
- The US Commerce Department's Bureau of Export Administration, which
administers the EAR (Export Administration Regulations) controlling the
export of, among other things, cryptography.
- C
- CA
- Certification Authority, an entity in a
public key infrastructure that can certify keys by signing them.
Usually CAs form a hierarchy. The top of this hierarchy is called the
root CA.
See Web of Trust for an alternate model.
- CAST-128
- A block cipher using 64-bit blocks and 128-bit
keys, described in RFC 2144 and used in products such as
Entrust and recent versions of PGP.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
- CAST-256
- Entrust's candidate cipher for the
AES standard, largely based on the CAST-128
design.
- CBC mode
- Cipher Block Chaining mode,
a method of using a block cipher in which for each
block except the first, the result of the previous encryption is XORed
into the new block before it is encrypted. CBC is the mode used in
IPsec.
An initialisation vector (IV) must be provided. It
is XORed into the first block before encryption. The IV need not be
secret but should be different for each message and unpredictable.
- CIDR
- Classless Inter-Domain Routing, an
addressing scheme used to describe networks not restricted to the old
Class A, B, and C sizes. A CIDR block is written address/
mask, where address is a 32-bit Internet address. The
first mask bits of address are part of the
gateway address, while the remaining bits designate other host
addresses. For example, the CIDR block 192.0.2.96/27 describes a
network with gateway 192.0.2.96, hosts 192.0.2.96 through 192.0.2.126
and broadcast 192.0.2.127.
FreeS/WAN policy group files accept CIDR blocks of the format
address/[mask], where address may take the
form name.domain.tld. An absent mask is assumed
to be /32.
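Parsing a block in the notation described above, as a Python example added here using the standard library ipaddress module (this is not FreeS/WAN's own parser). The absent-mask-means-/32 rule is applied before parsing; hostnames of the form name.domain.tld are not resolved, so they raise ValueError. The example goes slightly beyond the entry by also handling /31, /32 and the fullnet 0.0.0.0/0 without enumerating addresses.

```python
import ipaddress


def parse_policy_cidr(text: str) -> ipaddress.IPv4Network:
    """Parse 'address/mask' as a policy group file would: a missing mask
    means a single host (/32). strict=False lets '192.0.2.100/27' denote
    the block 192.0.2.96/27 rather than being rejected for set host bits."""
    if "/" not in text:
        text = text + "/32"
    return ipaddress.IPv4Network(text.strip(), strict=False)


def describe_block(text: str) -> dict:
    """Network (gateway) address, broadcast, the range of other host
    addresses and the size of the block. Computed arithmetically so the
    fullnet does not require walking 2^32 addresses."""
    net = parse_policy_cidr(text)
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network and broadcast addresses
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "addresses": net.num_addresses,
        "is_fullnet": net.prefixlen == 0,
    }


def block_contains(block: str, address: str) -> bool:
    """True when the address falls inside the block (the test a policy
    lookup performs)."""
    return ipaddress.IPv4Address(address) in parse_policy_cidr(block)
```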
- Certification Authority
- see CA
- Challenge-response authentication
- An authentication system in which one
player generates a random number, encrypts it and
sends the result as a challenge. The other player decrypts and sends
back the result. If the result is correct, that proves to the first
player that the second player knew the appropriate secret, required for
the decryption. Variations on this technique exist using
public key or symmetric cryptography. Some
provide two-way authentication, assuring each player of the other's
identity.
This is more secure than passwords against two simple attacks:
- If cleartext passwords are sent across the wire (e.g. for telnet),
an eavesdropper can grab them. The attacker may even be able to break
into other systems if the user has chosen the same password for them.
- If an encrypted password is sent, an attacker can record the
encrypted form and use it later. This is called a replay attack.
A challenge-response system never sends a password, either cleartext
or encrypted. An attacker cannot record the response to one challenge
and use it as a response to a later challenge. The random number is
different each time.
Of course an attacker might still try to break the cryptographic
algorithm used, or the random number generator.
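A minimal challenge-response exchange covering the replay problem raised in the Authentication entry and the defence described here, as a Python example added here (not FreeS/WAN code). It uses the symmetric keyed-hash variant: the verifier sends a fresh random nonce, the prover returns an HMAC of it under the shared key, and the verifier accepts a response only for the challenge currently outstanding. The shared key value is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def make_challenge() -> bytes:
    """Verifier side: an unpredictable nonce, new for every attempt."""
    return secrets.token_bytes(16)


def respond(shared_key: bytes, challenge: bytes) -> bytes:
    """Prover side: proves knowledge of the key without transmitting it."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


class Verifier:
    """Holds at most one outstanding challenge. A recorded response is
    useless later because each challenge is different and is consumed
    by the first verification attempt."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = None

    def challenge(self) -> bytes:
        self._outstanding = make_challenge()
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = respond(self._key, self._outstanding)
        self._outstanding = None              # one response per challenge
        # constant-time comparison: no timing leak about how many bytes matched
        return hmac.compare_digest(expected, response)


def demo_replay_fails(shared_key: bytes = b"constructed demo key") -> tuple:
    """Legitimate login succeeds; replaying the recorded response against
    the next challenge fails. Returns (first_ok, replay_ok)."""
    verifier = Verifier(shared_key)
    first_response = respond(shared_key, verifier.challenge())
    first_ok = verifier.verify(first_response)
    verifier.challenge()                      # a new session, new nonce
    replay_ok = verifier.verify(first_response)
    return first_ok, replay_ok
```

Note that the password itself never crosses the wire, so what an eavesdropper can record is only a one-time value; what remains attackable is the hash function and the nonce generator, as the entry says.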
- Cipher Modes
- Different ways of using a block cipher when encrypting multiple
blocks.
Four standard modes were defined for DES in
FIPS 81. They can actually be applied with any block cipher.
| ECB | Electronic CodeBook | encrypt each block independently |
| CBC | Cipher Block Chaining | XOR previous block ciphertext into new block plaintext before encrypting new block |
| CFB | Cipher FeedBack | |
| OFB | Output FeedBack | |
IPsec uses CBC mode since
this is only marginally slower than ECB and is more
secure. In ECB mode the same plaintext always encrypts to the same
ciphertext, unless the key is changed. In CBC mode, this does not
occur.
Various other modes are also possible, but none of them are used in
IPsec.
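ECB and CBC side by side, as a Python example added here for this entry and the CBC mode entry (not FreeS/WAN or LIBDES code). The standard library has no block cipher, so the block function is a constructed Feistel network with a keyed SHA-256 round function; it is neither DES nor AES, but any block cipher slots in. Padding is omitted: inputs must be whole blocks. The demonstration shows the ECB leak the entry describes, identical plaintext blocks giving identical ciphertext blocks, and that CBC with a fresh IV does not.

```python
import hashlib
import os

BLOCK = 16  # bytes: a 128-bit block, as AES uses


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to one half-block.
    # Constructed for illustration only.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes, rounds: int = 6) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(rounds):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left            # undo the final swap


def block_decrypt(key: bytes, block: bytes, rounds: int = 6) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(rounds)):   # same network, rounds in reverse
        left, right = right, _xor(left, _round(key, r, right))
    return right + left


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "no padding here: whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Electronic CodeBook: each block encrypted independently
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Cipher Block Chaining: previous ciphertext block (the IV for the
    # first block) is XORed into each plaintext block before encryption
    assert len(iv) == BLOCK
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def new_iv() -> bytes:
    """Unpredictable per-message IV; it travels with the ciphertext."""
    return os.urandom(BLOCK)


# Constructed sample input: one 16-byte block repeated four times
SAMPLE_KEY = b"constructed-key!"
SAMPLE_PLAINTEXT = b"REPEATED BLOCK.." * 4
```

With SAMPLE_PLAINTEXT, ecb_encrypt yields four identical ciphertext blocks (three repeats), so an observer learns the structure of the message without the key; cbc_encrypt with a fresh IV yields four distinct blocks.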
- Ciphertext
- The encrypted output of a cipher, as opposed to the unencrypted
plaintext input.
- Cisco
- A vendor of routers, hubs and related products. Their IPsec products
interoperate with Linux FreeS/WAN; see our
interop section.
- Client
- This term has at least two distinct uses in discussing IPsec:
- The clients of an IPsec gateway are the machines it
protects, typically on one or more subnets behind the gateway. In this
usage, all the machines on an office network are clients of that
office's IPsec gateway. Laptop or home machines connecting to the
office, however, are not clients of that gateway. They are
remote gateways, running the other end of an IPsec connection. Each of
them is also its own client.
- IPsec client software is used to describe software
which runs on various standalone machines to let them connect to IPsec
networks. In this usage, a laptop or home machine connecting to the
office is a client, and the office gateway is the server.
We generally use the term in the first sense. Vendors of Windows
IPsec solutions often use it in the second. See this
discussion.
- Common Criteria
- A set of international security classifications which are replacing
the old US Rainbow Book standards and similar
standards in other countries.
Web references include this US
government site and this
global home page.
- Conventional cryptography
- See symmetric cryptography
- Collision resistance
- The property of a message digest algorithm
which makes it hard for an attacker to find or construct two inputs
which hash to the same output.
- Copyleft
- see GNU General Public License
- CSE
- Communications Security
Establishment, the Canadian organisation for
signals intelligence.
- D
- DARPA (sometimes just ARPA)
- The US government's Defense Advanced Research
Projects Agency. Projects they have funded over the years
have included the Arpanet which evolved into the Internet, the TCP/IP
protocol suite (as a replacement for the original Arpanet suite), the
Berkeley 4.x BSD Unix projects, and Secure DNS.
For current information, see their
web site.
- Denial of service (DoS) attack
- An attack that aims at denying some service to legitimate users of a
system, rather than providing a service to the attacker.
- One variant is a flooding attack, overwhelming the system with too
many packets, too much email, or whatever.
- A closely related variant is a resource exhaustion attack. For
example, consider a "TCP SYN flood" attack. Setting up a TCP connection
involves a three-packet exchange:
- Initiator: Connection please (SYN)
- Responder: OK (ACK)
- Initiator: OK here too
If the attacker puts bogus source information in the first packet,
such that the second is never delivered, the responder may wait a long
time for the third to come back. If the responder has already allocated
memory for the connection data structures, and if many of these bogus
packets arrive, the responder may run out of memory.
- Another variant is to feed the system undigestible data, hoping to
make it sick. For example, IP packets are limited in size to 64K bytes
and a fragment carries information on where it starts within that 64K
and how long it is. The "ping of death" delivers fragments that say,
for example, that they start at 60K and are 20K long. Attempting to
re-assemble these without checking for overflow can be fatal.
The two example attacks discussed were both quite effective when
first discovered, capable of crashing or disabling many operating
systems. They were also well-publicised, and today far fewer systems
are vulnerable to them.
- DES
- The Data Encryption Standard, a
block cipher with 64-bit blocks and a 56-bit key. Probably the most
widely used symmetric cipher ever devised. DES
has been a US government standard for their own use (only for
unclassified data), and for some regulated industries such as banking,
since the late 70's. It is now being replaced by AES.
DES is seriously insecure
against current attacks.
Linux FreeS/WAN does not include DES,
even though the RFCs specify it. We strongly recommend that single
DES not be used.
See also 3DES and DESX,
stronger ciphers based on DES.
- DESX
- An improved DES suggested by Ron Rivest of RSA
Data Security. It XORs extra key material into the text before and
after applying the DES cipher.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN. DESX
would be the easiest additional transform to add; there would be very
little code to write. It would be much faster than 3DES and almost
certainly more secure than DES. However, since it is not in the RFCs
other IPsec implementations cannot be expected to have it.
- DH
- see Diffie-Hellman
- DHCP
- Dynamic Host Configuration Protocol, a method of assigning
dynamic IP addresses, and providing additional information such as
addresses of DNS servers and of gateways. See this
DHCP resource page.
- Diffie-Hellman (DH) key exchange protocol
- A protocol that allows two parties without any initial shared secret
to create one in a manner immune to eavesdropping. Once they have done
this, they can communicate privately by using that shared secret as a
key for a block cipher or as the basis for key exchange.
The protocol is secure against all passive attacks,
but it is not at all resistant to active
man-in-the-middle attacks. If a third party can impersonate Bob to
Alice and vice versa, then no useful secret can be created.
Authentication of the participants is a prerequisite for safe
Diffie-Hellman key exchange. IPsec can use any of several
authentication mechanisms. Those supported by FreeS/WAN are
discussed in our configuration
section.
The Diffie-Hellman key exchange is based on the
discrete logarithm problem and is secure unless someone finds an
efficient solution to that problem.
Given a prime p and generator g (explained
under discrete log below), Alice:
- generates a random number a
- calculates A = g^a modulo p
- sends A to Bob
Meanwhile Bob:
- generates a random number b
- calculates B = g^b modulo p
- sends B to Alice
Now Alice and Bob can both calculate the shared secret s =
g^(ab). Alice knows a and B, so she
calculates s = B^a. Bob knows A and b
so he calculates s = A^b.
An eavesdropper will know p and g since these
are made public, and can intercept A and B but,
short of solving the discrete log problem, these do
not let him or her discover the secret s.
- Digital signature
- Sender:
- calculates a message digest of a document
- encrypts the digest with his or her private key, using some
public key cryptosystem.
- attaches the encrypted digest to the document as a signature
Receiver:
- calculates a digest of the document (not including the signature)
- decrypts the signature with the signer's public key
- verifies that the two results are identical
If the public-key system is secure and the verification succeeds,
then the receiver knows
- that the document was not altered between signing and verification
- that the signer had access to the private key
Such an encrypted message digest can be treated as a signature since
it cannot be created without both the document and
the private key which only the sender should possess. The
legal issues are complex, but several countries are moving in the
direction of legal recognition for digital signatures.
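The sender and receiver steps above, carried out in Python as an example added here (not FreeS/WAN or Pluto code). The public key system is textbook RSA built from two small constructed primes, 1000003 and 1000033, whose primality the code checks; the digest is SHA-256. There is no padding and the modulus is absurdly small, so this illustrates the digest-sign-verify flow only; a real implementation uses large primes and a padding scheme such as PKCS#1.

```python
import hashlib
from math import gcd


def _is_prime(n: int) -> bool:
    """Trial division, adequate for the small constructed primes here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_rsa_keypair(p: int = 1000003, q: int = 1000033, e: int = 65537):
    """Textbook RSA key pair: public (n, e), private (n, d)."""
    assert _is_prime(p) and _is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_as_int(document: bytes, n: int) -> int:
    """Step 1 on both sides: the message digest, as an integer below n.
    With a real-size modulus the 256-bit digest fits without reduction."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(private_key, document: bytes) -> int:
    """Sender: 'encrypt' the digest with the private exponent."""
    n, d = private_key
    return pow(digest_as_int(document, n), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Receiver: recover the digest with the public exponent and compare
    it with a fresh digest of the document (signature excluded)."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest_as_int(document, n)


def signed_document(private_key, document: bytes) -> tuple:
    """What is actually transmitted: the document with the signature attached."""
    return document, sign(private_key, document)
```

Any change to the document after signing changes its digest, so verification fails; a signature made with a different private key fails for the same reason, which is what ties the document to the holder of that key.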
- discrete logarithm problem
- The problem of finding logarithms in a finite field. Given a field
definition (such definitions always include some operation analogous to
multiplication) and two numbers, a base and a target, find the power
to which the base must be raised in order to yield the target.
The discrete log problem is the basis of several cryptographic
systems, including the Diffie-Hellman key exchange
used in the IKE protocol. The useful property is
that exponentiation is relatively easy but the inverse operation,
finding the logarithm, is hard. The cryptosystems are designed so that
the user does only easy operations (exponentiation in the field) but an
attacker must solve the hard problem (discrete log) to crack the
system.
There are several variants of the problem for different types of
field. The IKE/Oakley key determination protocol uses two variants,
either over a field modulo a prime or over a field defined by an
elliptic curve. We give an example modulo a prime below. For the
elliptic curve version, consult an advanced text such as
Handbook of Applied Cryptography.
Given a prime p, a generator g for the field
modulo that prime, and a number x in the field, the problem
is to find y such that g^y = x.
For example, let p = 13. The field is then the integers from 0 to 12.
Any integer equals one of these modulo 13. That is, the remainder when
any integer is divided by 13 must be one of these.
2 is a generator for this field. That is, the powers of two modulo 13
run through all the non-zero numbers in the field. Modulo 13 we have:
| y | x = 2^y mod 13 | |
| 0 | 1 | |
| 1 | 2 | |
| 2 | 4 | |
| 3 | 8 | |
| 4 | 3 | that is, the remainder from 16/13 is 3 |
| 5 | 6 | the remainder from 32/13 is 6 |
| 6 | 12 | and so on |
| 7 | 11 | |
| 8 | 9 | |
| 9 | 5 | |
| 10 | 10 | |
| 11 | 7 | |
| 12 | 1 | |
Exponentiation in such a field is not difficult. Given, say,
y = 11, calculating x = 7 is straightforward. One
method is just to calculate 2^11 = 2048, then
2048 mod 13 == 7. When the field is modulo a large prime (say a
few hundred digits) you need a slightly cleverer method and even that is
moderately expensive in computer time, but the calculation is still not
problematic in any basic way.
The discrete log problem is the reverse. In our example, given
x = 7, find the logarithm y = 11. When the field
is modulo a large prime (or is based on a suitable elliptic curve),
this is indeed problematic. No solution method that is not
catastrophically expensive is known. Quite a few mathematicians have
tackled this problem. No efficient method has been found and
mathematicians do not expect that one will be. It seems likely no
efficient solution to either of the main variants of the discrete log
problem exists.
Note, however, that no-one has proven such methods do not exist. If a
solution to either variant were found, the security of any crypto
system using that variant would be destroyed. This is one reason
IKE supports two variants. If one is broken, we can switch to the
other.
- discretionary access control
- access control mechanisms controlled by the user, for example Unix
rwx file permissions. These contrast with
mandatory access controls.
- DNS
- Domain Name Service, a distributed database
through which names are associated with numeric addresses and other
information in the Internet Protocol Suite. See also the
DNS background section of our documentation.
- DOS attack
- see Denial Of Service attack
- dynamic IP address
- an IP address which is automatically assigned, either by
DHCP or by some protocol such as PPP or
PPPoE which the machine uses to connect to the Internet. This is
the opposite of a static IP address, pre-set on
the machine itself.
- E
- EAR
- The US government's Export Administration Regulations,
administered by the Bureau of Export
Administration. These have replaced the earlier
ITAR regulations as the controls on export of cryptography.
- ECB mode
- Electronic CodeBook mode, the simplest way to
use a block cipher. See Cipher Modes.
- EDE
- The sequence of operations normally used in either the three-key
variant of triple DES used in
IPsec or the two-key variant used in some other
systems.
The sequence is:
- Encrypt with key1
- Decrypt with key2
- Encrypt with key3
For the two-key version, key1=key3.
The "advantage" of this EDE order of operations is that it makes it
simple to interoperate with older devices offering only single DES. Set
key1=key2=key3 and you have the worst of both worlds, the overhead of
triple DES with the "security" of single DES. Since both the
security of single DES and the overheads of triple DES are
seriously inferior to many other ciphers, this is a spectacularly
dubious "advantage".
- Entrust
- A Canadian company offering enterprise PKI
products using CAST-128 symmetric crypto,
RSA public key and X.509 directories.
Web site
- EFF
- Electronic Frontier Foundation, an
advocacy group for civil rights in cyberspace.
- Encryption
- Techniques for converting a readable message (
plaintext) into apparently random material (
ciphertext) which cannot be read if intercepted. A key is required
to read the message.
Major variants include symmetric encryption
in which sender and receiver use the same secret key and
public key methods in which the sender uses one of a matched pair
of keys and the receiver uses the other. Many current systems,
including IPsec, are hybrids
combining the two techniques.
- ESP
- Encapsulated Security Payload, the
IPsec protocol which provides encryption.
It can also provide authentication
service and may be used with null encryption (which we do not
recommend). For details see our IPsec
document and/or RFC 2406.
- Extruded subnet
- A situation in which something IP sees as one network is actually in
two or more places.
For example, the Internet may route all traffic for a particular
company to that firm's corporate gateway. It then becomes the company's
problem to get packets to various machines on their
subnets in various departments. They may decide to treat a branch
office like a subnet, giving it IP addresses "on" their corporate net.
This becomes an extruded subnet.
Packets bound for it are delivered to the corporate gateway, since as
far as the outside world is concerned, that subnet is part of the
corporate network. However, instead of going onto the corporate LAN (as
they would for, say, the accounting department) they are then
encapsulated and sent back onto the Internet for delivery to the branch
office.
For information on doing this with Linux FreeS/WAN, look in our
advanced configuration section.
- Exhaustive search
- See brute force attack.
- F
- FIPS
- Federal Information Processing Standard,
the US government's standards for products it buys. These are issued by NIST. Among other things, DES and
SHA are defined in FIPS documents. NIST have a
FIPS home page.
- Free Software Foundation (FSF)
- An organisation to promote free software, free in the sense of these
quotes from their web pages
"Free software" is a matter of liberty, not price. To
understand the concept, you should think of "free speech", not "free
beer."
"Free software" refers to the users' freedom to run, copy,
distribute, study, change and improve the software.
See also GNU, GNU General Public
License, and the FSF site.
- FreeS/WAN
- see Linux FreeS/WAN
- Fullnet
- The CIDR block containing all IPs of its IP version. The
IPv4 fullnet is written 0.0.0.0/0. Also known as "all" and
"default", fullnet may be used in a routing table to specify a default
route, and in a FreeS/WAN
policy group file to specify a default IPsec policy.
- FSF
- see Free software Foundation
- G
- GCHQ
- Government Communications
Headquarters, the British organisation for
signals intelligence.
- generator of a prime field
- see discrete logarithm problem
- GILC
- Global Internet Liberty Campaign,
an international organisation advocating, among other things, free
availability of cryptography. They have a
campaign to remove cryptographic software from the
Wassenaar Arrangement.
- Global Internet Liberty Campaign
- see GILC.
- Global Trust Register
- An attempt to create something like a root CA
for PGP by publishing both
as a book and
on the web the fingerprints of a set of verified keys for
well-known users and organisations.
- GMP
- The GNU Multi-Precision library code, used in
Linux FreeS/WAN by Pluto for
public key calculations. See the
GMP home page.
- GNU
- GNU's Not Unix, the Free
Software Foundation's project aimed at creating a free system with
at least the capabilities of Unix. Linux uses GNU
utilities extensively.
- GOST
- a Soviet government standard block cipher.
Applied Cryptography has details.
- GPG
- see GNU Privacy Guard
- GNU General Public License(GPL, copyleft)
- The license developed by the Free Software Foundation
under which Linux,
Linux FreeS/WAN and many other pieces of software are distributed.
The license allows anyone to redistribute and modify the code, but
forbids anyone from distributing executables without providing access
to source code. For more details see the file
COPYING included with GPLed source distributions, including ours,
or the GNU site's GPL
page.
- GNU Privacy Guard
- An open source implementation of Open PGP as
defined in RFC 2440. See their web site
- GPL
- see GNU General Public License.
- H
- Hash
- see message digest
- Hashed Message Authentication Code (HMAC)
- using keyed message digest functions to
authenticate a message. This differs from other uses of these
functions:
- In normal usage, the hash function's internal variables are
initialised in some standard way. Anyone can reproduce the hash to
check that the message has not been altered.
- For HMAC usage, you initialise the internal variables from the key.
Only someone with the key can reproduce the hash. A successful check of
the hash indicates not only that the message is unchanged but also that
the creator knew the key.
The exact techniques used in IPsec are defined
in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
because they output only 96 bits of the hash. This makes some attacks
on the hash functions harder.
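The distinction drawn above, as an added example using Go's standard library (not FreeS/WAN code): HMAC computed per RFC 2104 and truncated to the leading 96 bits as HMAC-MD5-96 and HMAC-SHA-96 do, checked against the first test vector of RFC 2104 (and the matching HMAC-SHA-1 vector from RFC 2202), then verified with a constant-time comparison so that an altered message or a different key fails. The function names and the key-building helper are this example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"hash"
)

// IPsec transmits only the first 96 bits (12 bytes) of the HMAC output.
const truncBytes = 96 / 8

// hmac96 computes HMAC (RFC 2104) over msg with the given hash constructor
// and keeps the leading 96 bits, which is what HMAC-MD5-96 and HMAC-SHA-96 carry.
func hmac96(newHash func() hash.Hash, key, msg []byte) []byte {
	mac := hmac.New(newHash, key)
	mac.Write(msg)
	return mac.Sum(nil)[:truncBytes]
}

// verify96 recomputes the truncated tag under the key and compares it in
// constant time; only a holder of the key can produce a tag that passes.
func verify96(newHash func() hash.Hash, key, msg, tag []byte) bool {
	return hmac.Equal(hmac96(newHash, key, msg), tag)
}

// The two variants named in the glossary entry.
func hmacMD596(key, msg []byte) []byte      { return hmac96(md5.New, key, msg) }
func hmacSHA196(key, msg []byte) []byte     { return hmac96(sha1.New, key, msg) }
func verifyMD596(key, msg, tag []byte) bool { return verify96(md5.New, key, msg, tag) }

// rfc2104Key builds the key of RFC 2104's first test vector: n bytes of 0x0b.
func rfc2104Key(n int) []byte { return bytes.Repeat([]byte{0x0b}, n) }

func hexOf(b []byte) string { return hex.EncodeToString(b) }

func main() {
	msg := []byte("Hi There") // message from the RFC 2104 test vector
	key := rfc2104Key(16)
	tag := hmacMD596(key, msg)
	fmt.Println("HMAC-MD5-96 :", hexOf(tag))
	fmt.Println("HMAC-SHA-96 :", hexOf(hmacSHA196(rfc2104Key(20), msg)))
	fmt.Println("intact message verifies :", verifyMD596(key, msg, tag))
	fmt.Println("altered message verifies:", verifyMD596(key, []byte("Hi There!"), tag))
	fmt.Println("wrong key verifies      :", verifyMD596(rfc2104Key(15), msg, tag))
}
```

The receiver never compares tags with `==` or `bytes.Equal`; `hmac.Equal` runs in constant time so that verification timing does not leak how many leading bytes matched.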
- HMAC
- see Hashed Message Authentication Code
- HMAC-MD5-96
- see Hashed Message Authentication Code
- HMAC-SHA-96
- see Hashed Message Authentication Code
- Hybrid cryptosystem
- A system using both public key and
symmetric cipher techniques. This works well. Public key methods
provide key management and digital signature
facilities which are not readily available using symmetric ciphers. The
symmetric cipher, however, can do the bulk of the encryption work much
more efficiently than public key methods.
- I
- IAB
- Internet Architecture Board.
- ICMP
- Internet Control Message Protocol. This is used for various IP-connected
devices to manage the network.
- IDEA
- International Data Encryption Algorithm,
developed in Europe as an alternative to exportable American ciphers
such as DES which were
too weak for serious use. IDEA is a block cipher
using 64-bit blocks and 128-bit keys, and is used in products such as
PGP.
IDEA is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
IDEA is patented and, with strictly limited exceptions for personal
use, using it requires a license from
Ascom.
- IEEE
- Institute of Electrical and Electronic
Engineers, a professional association which, among other things,
sets some technical standards.
- IESG
- Internet Engineering Steering Group.
- IETF
- Internet Engineering Task Force,
the umbrella organisation whose various working groups make most of the
technical decisions for the Internet. The IETF
IPsec working group wrote the RFCs we
are implementing.
- IKE
- Internet Key Exchange, based on the
Diffie-Hellman key exchange protocol. For details, see RFC 2409 and
our IPsec document. IKE is implemented in
Linux FreeS/WAN by the Pluto daemon.
- IKE v2
- A proposed replacement for IKE. There are other
candidates, such as JFK, and at time of writing
(March 2002) the choice between them has not yet been made and does not
appear imminent.
- iOE
- See Initiate-only opportunistic encryption.
- IP
- Internet Protocol.
- IP masquerade
- A mostly obsolete term for a method of allowing multiple machines to
communicate over the Internet when only one IP address is available for
their use. The more current term is Network Address Translation or
NAT.
- IPng
- "IP the Next Generation", see IPv6.
- IPv4
- The current version of the Internet protocol suite.
- IPv6 (IPng)
- Version six of the Internet protocol suite,
currently being developed. It will replace the current
version four. IPv6 has IPsec as a mandatory
component.
See this
web site for more details, and our
compatibility document for information on FreeS/WAN and the Linux
implementation of IPv6.
- IPsec or IPSEC
- Internet Protocol SECurity, security functions
(authentication and
encryption) implemented at the IP level of the protocol stack. It
is optional for IPv4 and mandatory for
IPv6.
This is the standard Linux FreeS/WAN
is implementing. For more details, see our IPsec
Overview. For the standards, see RFCs listed in our
RFCs document.
- IPX
- Novell's Netware protocol tunnelled over an IP link. Our
firewalls document includes an example of using this through an
IPsec tunnel.
- ISAKMP
- Internet Security Association and Key
Management Protocol, defined in RFC 2408.
- ITAR
- International Traffic in Arms Regulations, US regulations administered by the State Department which
until recently limited export of, among other things, cryptographic
technology and software. ITAR still exists, but the limits on
cryptography have now been transferred to the Export
Administration Regulations under the Commerce Department's
Bureau of Export Administration.
- IV
- see Initialisation vector
- Initialisation Vector (IV)
- Some cipher modes, including the
CBC mode which IPsec uses, require some extra data at the
beginning. This data is called the initialisation vector. It need not
be secret, but should be different for each message. Its function is to
prevent messages which begin with the same text from encrypting to the
same ciphertext. That might give an analyst an opening, so it is best
prevented.
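The effect described above, as an added example in Go (not FreeS/WAN code): two constructed messages sharing a 24-byte prefix are encrypted with three-key 3DES in CBC mode, once with the same IV reused for both and once with a fresh random IV each. With the reused IV the first three ciphertext blocks are identical, which tells an observer the plaintexts start the same way; with distinct IVs no ciphertext block matches. The key, the messages and the helper names are constructed for this example; padding is left out, so inputs must be whole 8-byte blocks.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// tdesKey is a constructed three-key 3DES key (24 bytes) for the demonstration.
var tdesKey = []byte("0123456789abcdefghijklmn")

// cbcEncrypt encrypts pt with 3DES in CBC mode under iv. pt must already be
// a whole number of 8-byte blocks; padding is out of scope here.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	if len(pt)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), block.BlockSize())
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// commonPrefixBlocks encrypts m1 under ivA and m2 under ivB and counts how
// many leading ciphertext blocks are identical, i.e. how much of a shared
// plaintext prefix an observer could detect.
func commonPrefixBlocks(key, ivA, ivB, m1, m2 []byte) (int, error) {
	c1, err := cbcEncrypt(key, ivA, m1)
	if err != nil {
		return 0, err
	}
	c2, err := cbcEncrypt(key, ivB, m2)
	if err != nil {
		return 0, err
	}
	n := 0
	for i := 0; i+des.BlockSize <= len(c1) && i+des.BlockSize <= len(c2); i += des.BlockSize {
		if !bytes.Equal(c1[i:i+des.BlockSize], c2[i:i+des.BlockSize]) {
			break
		}
		n++
	}
	return n, nil
}

// freshIV draws a random IV; it need not be secret, only different per message.
func freshIV() []byte {
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

func main() {
	// Two constructed messages that share their first 24 bytes (three blocks).
	m1 := []byte("Dear Bob, the budget is approved")
	m2 := []byte("Dear Bob, the budget is rejected")
	reused := make([]byte, des.BlockSize) // the same all-zero IV for both messages
	n, _ := commonPrefixBlocks(tdesKey, reused, reused, m1, m2)
	fmt.Println("same IV reused: identical leading ciphertext blocks =", n)
	n, _ = commonPrefixBlocks(tdesKey, freshIV(), freshIV(), m1, m2)
	fmt.Println("fresh IV each : identical leading ciphertext blocks =", n)
}
```

Any two different IVs give the second result, not just random ones: CBC feeds each ciphertext block into the next, so once the first block differs every later block differs as well.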
- Initiate-only opportunistic encryption (iOE)
- A form of opportunistic encryption (OE) in
which a host proposes opportunistic connections, but lacks the reverse
DNS records necessary to support incoming opportunistic connection
requests. Common among hosts on cable or pppoe connections where the
system administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption is described
in our quickstart document.
- J
- JFK
- Just Fast Keying,
a proposed simpler replacement for IKE.
- K
- Kernel
- The basic part of an operating system (e.g. Linux) which controls
the hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in
2.2.x indicates a stable or production kernel while an odd number
as in 2.3.x indicates an experimental or development
kernel. Most users should run a recent kernel version from the
production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- KLIPS
- Kernel IP Security, the
Linux FreeS/WAN project's changes to the Linux
kernel to support the IPsec protocols.
- L
- LDAP
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information stored
in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509
certificates. It may also be used by IPsec to
obtain key certifications from those PKIs. This is not yet implemented
in Linux FreeS/WAN.
- LIBDES
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN
uses in both KLIPS and Pluto.
- Linux
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the
GNU utilities made it a usable system and contributions from many
others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, StrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on
all CPUs supported by Linux and is known to work on several. See our
compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other
export laws. Linux FreeS/WAN is intended to interoperate with other IPsec implementations. The name is partly taken, with
permission, from the S/WAN multi-vendor IPsec
compatibility effort. Linux FreeS/WAN has two major components,
KLIPS (KerneL IPsec Support) and the Pluto
daemon which manages the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active
LSM mailing list, and several projects are already using the
interface.
- LSM
- see Linux Security Modules
- M
- Mailing list
- The Linux FreeS/WAN project has
several public email lists for bug reports and software development
discussions. See our document on mailing lists.
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are negotiating
a key via the Diffie-Hellman key agreement, and are
not using authentication to be certain
they are talking to each other, then an attacker able to insert himself
in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry out
the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
...
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why
IKE requires authentication
- work in real time, delivering messages without introducing a delay
large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
situations.
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
completely.
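Why authentication defeats the attack, as an added example in Go (not FreeS/WAN or IKE code): Alice and Bob run a Diffie-Hellman style exchange (X25519 from Go's standard library stands in for the DH group), and each public value travels with an HMAC under a pre-shared authentication key, which plays the role of the authentication IKE requires. When Mallory swaps his own public value into each direction he cannot produce a tag for it, so a receiver that checks the tag rejects the exchange; a receiver that skips the check accepts and ends up with a key that the other side does not share. The party names, the pre-shared key and all helper names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party is one side of the exchange with an ephemeral X25519 key pair.
type party struct {
	name string
	priv *ecdh.PrivateKey
}

func newParty(name string) *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{name: name, priv: priv}
}

func (p *party) pub() []byte { return p.priv.PublicKey().Bytes() }

// tag binds a public value to the pre-shared authentication key, so the
// receiver can tell whether the value came from the other legitimate party.
func tag(authKey, pub []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(pub)
	return m.Sum(nil)
}

// derive computes the shared secret from a peer public value. When check is
// true the tag is verified first and a mismatch is refused outright.
func (p *party) derive(authKey, peerPub, peerTag []byte, check bool) ([]byte, bool) {
	if check && !hmac.Equal(tag(authKey, peerPub), peerTag) {
		return nil, false
	}
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, false
	}
	secret, err := p.priv.ECDH(pk)
	if err != nil {
		return nil, false
	}
	return secret, true
}

// exchange runs one Alice<->Bob exchange. With substitute set, Mallory
// replaces the public value in each direction but can only forward the tags
// he saw. It returns Alice's key, Bob's key, and whether both sides accepted.
func exchange(substitute, check bool) (aliceKey, bobKey []byte, accepted bool) {
	authKey := []byte("constructed pre-shared authentication key") // assumed, shared by Alice and Bob only
	alice, bob, mallory := newParty("Alice"), newParty("Bob"), newParty("Mallory")

	toBob, tagA := alice.pub(), tag(authKey, alice.pub())   // Alice -> Bob
	toAlice, tagB := bob.pub(), tag(authKey, bob.pub())     // Bob -> Alice
	if substitute {
		toBob, toAlice = mallory.pub(), mallory.pub()
	}
	bobKey, okB := bob.derive(authKey, toBob, tagA, check)
	aliceKey, okA := alice.derive(authKey, toAlice, tagB, check)
	return aliceKey, bobKey, okA && okB
}

// agree reports whether Alice and Bob ended up holding the same key.
func agree(a, b []byte) bool { return a != nil && bytes.Equal(a, b) }

func main() {
	a, b, ok := exchange(false, true)
	fmt.Println("honest, checked      : accepted =", ok, "keys agree =", agree(a, b))
	a, b, ok = exchange(true, true)
	fmt.Println("substituted, checked : accepted =", ok, "keys agree =", agree(a, b))
	a, b, ok = exchange(true, false)
	fmt.Println("substituted, unchecked: accepted =", ok, "keys agree =", agree(a, b))
}
```

The third run is the situation the entry describes: both sides accept, yet each holds a key shared only with Mallory. The tag check is what turns that silent failure into a refused exchange.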
- mandatory access control
- access control mechanisms which are not settable by the user (see
discretionary access control), but are enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be
prevent messages which begin with the same text from encrypting to the
same ciphertext. That might give an analyst an opening, so it is best
prevented.
- Initiate-only opportunistic encryption (iOE)
- A form of opportunistic encryption (OE) in
which a host proposes opportunistic connections, but lacks the reverse
DNS records necessary to support incoming opportunistic connection
requests. Common among hosts on cable or pppoe connections where the
system administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption is described
in our quickstart document.
- J
- JFK
- Just Fast Keying,
a proposed simpler replacement for IKE.
- K
- Kernel
- The basic part of an operating system (e.g. Linux) which controls
the hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in 2.
2.x indicates a stable or production kernel while an odd number
as in 2.3.x indicates an experimental or development
kernel. Most users should run a recent kernel version from the
production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- KLIPS
- Kernel IP Security, the
Linux FreeS/WAN project's changes to the Linux
kernel to support the IPsec protocols.
- L
- LDAP
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information stored
in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509
certificates. It may also be used by IPsec to
obtain key certifications from those PKIs. This is not yet implemented
in Linux FreeS/WAN.
- LIBDES
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN
uses in both KLIPS and Pluto.
- Linux
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the
GNU utilities made it a usable system and contributions from many
others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on
all CPUs supported by Linux and is known to work on several. See our
compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other
export laws. Linux FreeS/WAN is intended to interoperate with other IPsec implementations. The name is partly taken, with
permission, from the S/WAN multi-vendor IPsec
compatibility effort. Linux FreeS/WAN has two major components,
KLIPS (KerneL IPsec Support) and the Pluto
daemon which manages the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active
LSM mailing list, and several projects are already using the
interface.
- LSM
- see Linux Security Modules
- M
- Mailing list
- The Linux FreeS/WAN project has
several public email lists for bug reports and software development
discussions. See our document on mailing lists.
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are negotiating
a key via the Diffie-Hellman key agreement, and are
not using authentication to be certain
they are talking to each other, then an attacker able to insert himself
in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry out
the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
...
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why
IKE requires authentication
- work in real time, delivering messages without introducing a delay
large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
situations.
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
completely.
- mandatory access control
- access control mechanisims which are not settable by the user (see
discretionary access control), but are enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be ion is to
prevent messages which begin with the same text from encrypting to the
same ciphertext. That might give an analyst an opening, so it is best
prevented.
- Initiate-only opportunistic encryption (iOE)
- A form of opportunistic encryption (OE) in
which a host proposes opportunistic connections, but lacks the reverse
DNS records necessary to support incoming opportunistic connection
requests. Common among hosts on cable or pppoe connections where the
system administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption is described
in our quickstart document.
- J
- JFK
- Just Fast Keying,
a proposed simpler replacement for IKE.
- K
- Kernel
- The basic part of an operating system (e.g. Linux) which controls
the hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in 2.
2.x indicates a stable or production kernel while an odd number
as in 2.3.x indicates an experimental or development
kernel. Most users should run a recent kernel version from the
production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- KLIPS
- Kernel IP Security, the
Linux FreeS/WAN project's changes to the Linux
kernel to support the IPsec protocols.
- L
- LDAP
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information stored
in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509
certificates. It may also be used by IPsec to
obtain key certifications from those PKIs. This is not yet implemented
in Linux FreeS/WAN.
- LIBDES
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN
uses in both KLIPS and Pluto.
- Linux
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the
GNU utilities made it a usable system and contributions from many
others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on
all CPUs supported by Linux and is known to work on several. See our
compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other
export laws. Linux FreeS/WAN is intended to interoperate with other IPsec implementations. The name is partly taken, with
permission, from the S/WAN multi-vendor IPsec
compatibility effort. Linux FreeS/WAN has two major components,
KLIPS (KerneL IPsec Support) and the Pluto
daemon which manages the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active
LSM mailing list, and several projects are already using the
interface.
- LSM
- see Linux Security Modules
- M
- Mailing list
- The Linux FreeS/WAN project has
several public email lists for bug reports and software development
discussions. See our document on mailing lists.
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are negotiating
a key via the Diffie-Hellman key agreement, and are
not using authentication to be certain
they are talking to each other, then an attacker able to insert himself
in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry out
the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
...
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why
IKE requires authentication
- work in real time, delivering messages without introducing a delay
large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
situations.
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
completely.
- mandatory access control
- access control mechanisims which are not settable by the user (see
discretionary access control), but are enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be ion is to
prevent messages which begin with the same text from encrypting to the
same ciphertext. That might give an analyst an opening, so it is best
prevented.
- Initiate-only opportunistic encryption (iOE)
- A form of opportunistic encryption (OE) in
which a host proposes opportunistic connections, but lacks the reverse
DNS records necessary to support incoming opportunistic connection
requests. Common among hosts on cable or pppoe connections where the
system administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption is described
in our quickstart document.
- J
- JFK
- Just Fast Keying,
a proposed simpler replacement for IKE.
- K
- Kernel
- The basic part of an operating system (e.g. Linux) which controls
the hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in 2.
2.x indicates a stable or production kernel while an odd number
as in 2.3.x indicates an experimental or development
kernel. Most users should run a recent kernel version from the
production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- KLIPS
- Kernel IP Security, the
Linux FreeS/WAN project's changes to the Linux
kernel to support the IPsec protocols.
- L
- LDAP
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information stored
in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509
certificates. It may also be used by IPsec to
obtain key certifications from those PKIs. This is not yet implemented
in Linux FreeS/WAN.
- LIBDES
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN
uses in both KLIPS and Pluto.
- Linux
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the
GNU utilities made it a usable system and contributions from many
others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on
all CPUs supported by Linux and is known to work on several. See our
compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other
export laws. Linux FreeS/WAN is intended to interoperate with other IPsec implementations. The name is partly taken, with
permission, from the S/WAN multi-vendor IPsec
compatibility effort. Linux FreeS/WAN has two major components,
KLIPS (KerneL IPsec Support) and the Pluto
daemon which manages the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active
LSM mailing list, and several projects are already using the
interface.
- LSM
- see Linux Security Modules
- M
- Mailing list
- The Linux FreeS/WAN project has
several public email lists for bug reports and software development
discussions. See our document on mailing lists.
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are negotiating
a key via the Diffie-Hellman key agreement, and are
not using authentication to be certain
they are talking to each other, then an attacker able to insert himself
in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry out
the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
...
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why
IKE requires authentication
- work in real time, delivering messages without introducing a delay
large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
situations.
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
completely.
- mandatory access control
- access control mechanisims which are not settable by the user (see
discretionary access control), but are enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be ion is to
prevent messages which begin with the same text from encrypting to the
same ciphertext. That might give an analyst an opening, so it is best
prevented.
- Initiate-only opportunistic encryption (iOE)
- A form of opportunistic encryption (OE) in
which a host proposes opportunistic connections, but lacks the reverse
DNS records necessary to support incoming opportunistic connection
requests. Common among hosts on cable or pppoe connections where the
system administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption is described
in our quickstart document.
- J
- JFK
- Just Fast Keying,
a proposed simpler replacement for IKE.
- K
- Kernel
- The basic part of an operating system (e.g. Linux) which controls
the hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in 2.
2.x indicates a stable or production kernel while an odd number
as in 2.3.x indicates an experimental or development
kernel. Most users should run a recent kernel version from the
production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- KLIPS
- Kernel IP Security, the
Linux FreeS/WAN project's changes to the Linux
kernel to support the IPsec protocols.
- L
- LDAP
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information stored
in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509
certificates. It may also be used by IPsec to
obtain key certifications from those PKIs. This is not yet implemented
in Linux FreeS/WAN.
- LIBDES
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN
uses in both KLIPS and Pluto.
- Linux
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the
GNU utilities made it a usable system and contributions from many
others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, StrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on
all CPUs supported by Linux and is known to work on several. See our
compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other
export laws. Linux FreeS/WAN is intended to interoperate with other IPsec implementations. The name is partly taken, with
permission, from the S/WAN multi-vendor IPsec
compatibility effort. Linux FreeS/WAN has two major components,
KLIPS (KerneL IPsec Support) and the Pluto
daemon which manages the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active
LSM mailing list, and several projects are already using the
interface.
- LSM
- see Linux Security Modules
- M
- Mailing list
- The Linux FreeS/WAN project has
several public email lists for bug reports and software development
discussions. See our document on mailing lists.
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are negotiating
a key via the Diffie-Hellman key agreement, and are
not using authentication to be certain
they are talking to each other, then an attacker able to insert himself
in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry out
the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
...
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why
IKE requires authentication
- work in real time, delivering messages without introducing a delay
large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
situations.
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
completely.
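The exchange described above, with and without authentication, as an added example (not part of the original glossary or of Linux FreeS/WAN): it shows why Alice and Bob each end up sharing a key with Mallory when nothing binds the public values to their senders, and how a pre-shared-key HMAC lets each side reject a substituted value. The toy group, the identities and the HMAC construction are my assumptions, simplified from what IKE actually does.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime but far too small for real use;
# IKE negotiates over much larger MODP groups. Only the structure matters.
P = 2**127 - 1
G = 5
ID_ALICE, ID_BOB = b"alice", b"bob"


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Session key derived from the peer's public value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Plain Diffie-Hellman with Mallory relaying both public values.
    Returns Alice's key, Bob's key, and Mallory's two keys (one per victim)."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    m1, pub_m1 = dh_keypair()   # Mallory's pair facing Alice
    m2, pub_m2 = dh_keypair()   # Mallory's pair facing Bob
    # Alice sends pub_a; Mallory keeps it and forwards pub_m2 to Bob.
    # Bob sends pub_b; Mallory keeps it and forwards pub_m1 to Alice.
    alice_key = dh_shared(a, pub_m1)
    bob_key = dh_shared(b, pub_m2)
    return alice_key, bob_key, dh_shared(m1, pub_a), dh_shared(m2, pub_b)


def auth_tag(psk, sender_id, pub):
    """Bind a public value to its sender under a pre-shared key. Simplified:
    real IKE PSK authentication also covers nonces and other exchange data."""
    return hmac.new(psk, sender_id + pub.to_bytes(16, "big"), "sha256").digest()


def authenticated_exchange(mallory_present):
    """Same exchange, each public value carrying an HMAC under the PSK.
    Returns (alice_key, bob_key), or None if either side rejects its peer."""
    psk = secrets.token_bytes(32)     # known only to Alice and Bob
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    tag_a = auth_tag(psk, ID_ALICE, pub_a)
    tag_b = auth_tag(psk, ID_BOB, pub_b)
    if mallory_present:
        # Mallory swaps in her own values but cannot recompute the tags.
        _, pub_a = dh_keypair()
        _, pub_b = dh_keypair()
    # Each side checks the tag before using the value it received.
    if not hmac.compare_digest(tag_a, auth_tag(psk, ID_ALICE, pub_a)):
        return None               # Bob rejects the forged "Alice" value
    if not hmac.compare_digest(tag_b, auth_tag(psk, ID_BOB, pub_b)):
        return None               # Alice rejects the forged "Bob" value
    return dh_shared(a, pub_b), dh_shared(b, pub_a)
```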
- mandatory access control
- access control mechanisms which are not settable by the user (see
discretionary access control), but are enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be
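A label check in the spirit of the "secret, zebra" document above, as an added illustration that is not from the original glossary: levels are ordered, compartments are sets, and a read is allowed only when the reader's clearance dominates the document's label. The level ordering, the compartment names and the no-write-down rule for transfers are assumptions borrowed from Bell-LaPadula style models, not something the entry spells out.

```python
# Constructed level ordering; the entry names only "secret".
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A security label: a level plus a set of compartments (projects)."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True if this label sits at or above `other` in the lattice:
        level is at least as high AND compartments are a superset."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Reading requires the subject's clearance to dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """Writing requires the target to dominate the subject, so content
    cannot flow to a lower label ("no write down"; an assumption here)."""
    return obj.dominates(subject)


def can_copy(subject, src, dst):
    """A transfer is a read of src followed by a write to dst: this is the
    boundary the entry means by "even if you can read it"."""
    return can_read(subject, src) and can_write(subject, dst)
```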