Entries are in alphabetical order. Some entries are only one line or one
paragraph long. Others run to several paragraphs. I have tried to put the
essential information in the first paragraph so you can skip the other
paragraphs if that seems appropriate.
- 3DES (Triple DES)
- Using three DES encryptions on a single data
block, with at least two different keys, to get higher security than is
available from a single DES pass. The three-key version of 3DES is the
default encryption algorithm for Linux
IPsec always does 3DES with three different
keys, as required by RFC 2451. For an explanation of the two-key
variant, see two key triple DES. Both use an EDE encrypt-decrypt-encrpyt sequence of operations.
Single DES is insecure.
Double DES is ineffective. Using two 56-bit keys, one might expect
an attacker to have to do 2112 work to break it. In fact,
only 257 work is required with a meet-in-the-middle attack, though a large amount of
memory is also required. Triple DES is vulnerable to a similar attack,
but that just reduces the work factor from the 2168 one
might expect to 2112. That provides adequate protection
against brute force attacks, and no better attack
3DES can be somewhat slow compared to other ciphers. It requires
three DES encryptions per block. DES was designed for hardware
implementation and includes some operations which are difficult in
software. However, the speed we get is quite acceptable for many uses.
See our performance document for
- Active attack
- An attack in which the attacker does not merely eavesdrop (see passive attack) but takes action to change, delete,
reroute, add, forge or divert data. Perhaps the best-known active
attack is man-in-the-middle. In general, authentication is a useful defense against
- The Advanced Encryption Standard -- a new block cipher standard to replace DES -- developed by NIST, the US National Institute of Standards and
Technology. DES used 64-bit blocks and a 56-bit key. AES ciphers use a
128-bit block and 128, 192 or 256-bit keys. The larger block size helps
resist birthday attacks while the large key
size prevents brute force attacks.
Fifteen proposals meeting NIST's basic criteria were submitted in
1998 and subjected to intense discussion and analysis, "round one"
evaluation. In August 1999, NIST narrowed the field to five "round two"
Three of the five finalists -- Rijndael, Serpent and Twofish -- have
completely open licenses.
In October 2000, NIST announced the winner -- Rijndael.
For more information, see:
AES will be added to a future release of Linux
FreeS/WAN. Likely we will add all three of the finalists with good
licenses. User-written AES patches are
Adding AES may also require adding stronger hashes, SHA-256, SHA-384 and SHA-512.
- The IPsec Authentication Header,
added after the IP header, as defined in RFC 2402.
As of version 2.05, FreeS/WAN no longer
- Alice and Bob
- A and B, the standard example users in writing on cryptography and
coding theory. Carol and Dave join them for protocols which require
Bruce Schneier extends these with many others such as Eve the
Eavesdropper and Victor the Verifier. His extensions seem to be in the
process of becoming standard as well. See page 23 of Applied Cryptography
Alice and Bob have an amusing biography on the
- see DARPA
- Australian Security Intelligence Organisation.
- Asymmetric cryptography
- See public key cryptography.
- Ensuring that a message originated from the expected sender and has
not been altered on route. IPsec uses
authentication in two places:
Outside IPsec, passwords are perhaps the most common authentication
mechanism. Their function is essentially to authenticate the person's
identity to the system. Passwords are generally only as secure as the
network they travel over. If you send a cleartext password over a
tapped phone line or over a network with a packet sniffer on it, the
security provided by that password becomes zero. Sending an encrypted
password is no better; the attacker merely records it and reuses it at
his convenience. This is called a replay
A common solution to this problem is a challenge-response system. This defeats simple
eavesdropping and replay attacks. Of course an attacker might still try
to break the cryptographic algorithm used, or the random number generator.
- Automatic keying
- A mode in which keys are automatically generated at connection
establisment and new keys automaically created periodically thereafter.
Contrast with manual keying in which a single
stored key is used.
IPsec uses the Diffie-Hellman key exchange
protocol to create keys. An authentication mechansim is required for
this. FreeS/WAN normally uses RSA for this. Other
methods supported are discussed in our advanced configuration document.
Having an attacker break the authentication is emphatically not a
good idea. An attacker that breaks authentication, and manages to
subvert some other network entities (DNS, routers or gateways), can use
a man-in-the middle attack to break the security
of your IPsec connections.
However, having an attacker break the authentication in automatic
keying is not quite as bad as losing the key in manual keying.
- An attacker who reads /etc/ipsec.conf and gets the keys for a
manually keyed connection can, without further effort, read all
messages encrypted with those keys, including any old messages he
may have archived.
- Automatic keying has a property called perfect
forward secrecy. An attacker who breaks the authentication gets
none of the automatically generated keys and cannot immediately
read any messages. He has to mount a successful man-in-the-middle attack in real time before he
can read anything. He cannot read old archived messages at all and
will not be able to read any future messages not caught by
That said, the secrets used for authentication, stored in ipsec.secrets(5), should
still be protected as tightly as cryptographic keys.
- Bay Networks
- A vendor of routers, hubs and related products, now a subsidiary of
Nortel. Interoperation between their IPsec products and Linux FreeS/WAN
was problematic at last report; see our interoperation section.
- Our default block cipher, triple DES, is slower
than many alternate ciphers that might be used. Speeds achieved,
however, seem adequate for many purposes. For example, the assembler
code from the LIBDES library we use encrypts 1.6
megabytes per second on a Pentium 200, according to the test program
supplied with the library.
For more detail, see our document on FreeS/WAN performance.
- Berkeley Internet Name Daemon, a widely
used implementation of DNS (Domain Name Service).
See our bibliography for a useful reference. See the
BIND home page for more
information and the latest version.
- Birthday attack
- A cryptographic attack based on the mathematics exemplified by the birthday paradox. This math turns up whenever the
question of two cryptographic operations producing the same result
becomes an issue:
Resisting such attacks is part of the motivation for:
- hash algorithms such as SHA and RIPEMD-160 giving a 160-bit result rather than
the 128 bits of MD4, MD5 and
- AES block ciphers using a 128-bit block
instead of the 64-bit block of most current ciphers
- IPsec using a 32-bit counter for packets
sent on an automatically keyed SA and requiring that the connection always be
rekeyed before the counter overflows.
- Birthday paradox
- Not really a paradox, just a rather counter-intuitive mathematical
fact. In a group of 23 people, the chance of a least one pair having
the same birthday is over 50%.
The second person has 1 chance in 365 (ignoring leap years) of
matching the first. If they don't match, the third person's chances of
matching one of them are 2/365. The 4th, 3/365, and so on. The total of
these chances grows more quickly than one might guess.
- Block cipher
- A symmetric cipher which operates on
fixed-size blocks of plaintext, giving a block of ciphertext for each.
Contrast with stream cipher. Block ciphers can
be used in various modes when multiple block are to
DES is among the the best known and widely used
block ciphers, but is now obsolete. Its 56-bit key size makes it highly insecure today. Triple
DES is the default block cipher for Linux
The current generation of block ciphers -- such as Blowfish, CAST-128 and IDEA -- all use 64-bit blocks and 128-bit keys. The
next generation, AES, uses 128-bit blocks and
supports key sizes up to 256 bits.
The Block Cipher
Lounge web site has more information.
- A block cipher using 64-bit blocks and keys of
up to 448 bits, designed by Bruce Schneier and
used in several products.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
- Brute force attack (exhaustive search)
- Breaking a cipher by trying all possible keys. This is always
possible in theory (except against a one-time pad),
but it becomes practical only if the key size is inadequate. For an
important example, see our document on the insecurity of DES with its 56-bit key. For an
analysis of key sizes required to resist plausible brute force attacks,
see this paper.
Longer keys protect against brute force attacks. Each extra bit in
the key doubles the number of possible keys and therefore doubles the
work a brute force attack must do. A large enough key defeats
any brute force attack.
For example, the EFF's DES Cracker searches a
56-bit key space in an average of a few days. Let us assume an attacker
that can find a 64-bit key (256 times harder) by brute force search in
a second (a few hundred thousand times faster). For a 96-bit key, that
attacker needs 232 seconds, about 135 years. Against a
128-bit key, he needs 232 times that, over 500,000,000,000
years. Your data is then obviously secure against brute force attacks.
Even if our estimate of the attacker's speed is off by a factor of a
million, it still takes him over 500,000 years to crack a message.
This is why
- single DES is now considered dangerously insecure
- all of the current generation of block
ciphers use a 128-bit or longer key
- AES ciphers support keysizes 128, 192 and 256
- any cipher we add to Linux FreeS/WAN will have at least
a 128-bit key
Inadequate keylength always indicates a weak cipher but it is
important to note that adequate keylength does not necessarily
indicate a strong cipher. There are many attacks other than brute
force, and adequate keylength only guarantees resistance to
brute force. Any cipher, whatever its key size, will be weak if design
or implementation flaws allow other attacks.
Also, once you have adequate keylength (somewhere around 90
or 100 bits), adding more key bits make no practical
difference, even against brute force. Consider our 128-bit example
above that takes 500,000,000,000 years to break by brute force. We
really don't care how many zeroes there are on the end of that, as long
as the number remains ridiculously large. That is, we don't care
exactly how large the key is as long as it is large enough.
There may be reasons of convenience in the design of the cipher to
support larger keys. For example Blowfish
allows up to 448 bits and RC4 up to 2048, but beyond
100-odd bits it makes no difference to practical security.
- Bureau of Export Administration
- see BXA
- The US Commerce Department's Bureau of Export
Administration which administers the EAR
Export Administration Regulations controling the export of, among other
- Certification Authority, an entity in a public key infrastructure that can certify keys by
signing them. Usually CAs form a hierarchy. The top of this hierarchy
is called the root CA.
See Web of Trust for an alternate model.
- A block cipher using 64-bit blocks and 128-bit
keys, described in RFC 2144 and used in products such as Entrust and recent versions of PGP.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
- Entrust's candidate cipher for the AES standard, largely based on the CAST-128 design.
- CBC mode
- Cipher Block Chaining mode,
a method of using a block cipher in which for each
block except the first, the result of the previous encryption is XORed
into the new block before it is encrypted. CBC is the mode used in IPsec.
An initialisation vector (IV) must be provided. It
is XORed into the first block before encryption. The IV need not be
secret but should be different for each message and unpredictable.
- Classless Inter-Domain Routing,
an addressing scheme used to describe networks not
restricted to the old Class A, B, and C sizes.
A CIDR block is written
address/mask, where address is
a 32-bit Internet address.
The first mask bits of address
are part of the gateway address, while the remaining bits designate
other host addresses.
For example, the CIDR block 192.0.2.96/27 describes a network with
192.0.2.96, hosts 192.0.2.96 through 192.0.2.126 and broadcast
FreeS/WAN policy group files accept CIDR blocks of the format
address/[mask], where address may
take the form name.domain.tld. An absent mask
is assumed to be /32.
- Certification Authority
- see CA
- Challenge-response authentication
- An authentication system in which one
player generates a random number, encrypts it and
sends the result as a challenge. The other player decrypts and sends
back the result. If the result is correct, that proves to the first
player that the second player knew the appropriate secret, required for
the decryption. Variations on this technique exist using public key or symmetric
cryptography. Some provide two-way authentication, assuring each player
of the other's identity.
This is more secure than passwords against two simple attacks:
- If cleartext passwords are sent across the wire (e.g. for
telnet), an eavesdropper can grab them. The attacker may even be
able to break into other systems if the user has chosen the same
password for them.
- If an encrypted password is sent, an attacker can record the
encrypted form and use it later. This is called a replay
A challenge-response system never sends a password, either cleartext
or encrypted. An attacker cannot record the response to one challenge
and use it as a response to a later challenge. The random number is
different each time.
Of course an attacker might still try to break the cryptographic
algorithm used, or the random number
- Cipher Modes
- Different ways of using a block cipher when encrypting multiple
Four standard modes were defined for DES in FIPS 81. They can actually be applied with any block
||encrypt each block independently
||Cipher Block Chaining
|XOR previous block ciphertext into new block plaintext before
encrypting new block
IPsec uses CBC mode since
this is only marginally slower than ECB and is more
secure. In ECB mode the same plaintext always encrypts to the same
ciphertext, unless the key is changed. In CBC mode, this does not
Various other modes are also possible, but none of them are used in
- The encrypted output of a cipher, as opposed to the unencrypted plaintext input.
- A vendor of routers, hubs and related products. Their IPsec products
interoperate with Linux FreeS/WAN; see our interop section.
- This term has at least two distinct uses in discussing IPsec:
- The clients of an IPsec gateway are the machines
it protects, typically on one or more subnets behind the gateway.
In this usage, all the machines on an office network are clients of
that office's IPsec gateway. Laptop or home machines connecting to
the office, however, are not clients of that gateway. They
are remote gateways, running the other end of an IPsec connection.
Each of them is also its own client.
- IPsec client software is used to describe
software which runs on various standalone machines to let them
connect to IPsec networks. In this usage, a laptop or home machine
connecting to the office is a client, and the office gateway is the
We generally use the term in the first sense. Vendors of Windows
IPsec solutions often use it in the second. See this discussion.
- Common Criteria
- A set of international security classifications which are replacing
the old US Rainbow Book standards and similar
standards in other countries.
Web references include this US
government site and this global home page.
- Conventional cryptography
- See symmetric cryptography
- Collision resistance
- The property of a message digest algorithm
which makes it hard for an attacker to find or construct two inputs
which hash to the same output.
- see GNU General Public License
- Communications Security
Establishment, the Canadian organisation for signals intelligence.
- DARPA (sometimes just ARPA)
- The US government's Defense Advanced Research
Projects Agency. Projects they have funded over the years
have included the Arpanet which evolved into the Internet, the TCP/IP
protocol suite (as a replacement for the original Arpanet suite), the
Berkeley 4.x BSD Unix projects, and Secure DNS.
For current information, see their web site.
- Denial of service (DoS) attack
- An attack that aims at denying some service to legitimate users of a
system, rather than providing a service to the attacker.
- One variant is a flooding attack, overwhelming the system with
too many packets, to much email, or whatever.
- A closely related variant is a resource exhaustion attack. For
example, consider a "TCP SYN flood" attack. Setting up a TCP
connection involves a three-packet exchange:
- Initiator: Connection please (SYN)
- Responder: OK (ACK)
- Initiator: OK here too
If the attacker puts bogus source information in the first
packet, such that the second is never delivered, the responder may
wait a long time for the third to come back. If responder has
already allocated memory for the connection data structures, and if
many of these bogus packets arrive, the responder may run out of
- Another variant is to feed the system undigestible data, hoping
to make it sick. For example, IP packets are limited in size to 64K
bytes and a fragment carries information on where it starts within
that 64K and how long it is. The "ping of death" delivers fragments
that say, for example, that they start at 60K and are 20K long.
Attempting to re-assemble these without checking for overflow can
The two example attacks discussed were both quite effective when
first discovered, capable of crashing or disabling many operating
systems. They were also well-publicised, and today far fewer systems
are vulnerable to them.
- The Data Encryption Standard, a block cipher with 64-bit blocks and a 56-bit key.
Probably the most widely used symmetric cipher
ever devised. DES has been a US government standard for their own use
(only for unclassified data), and for some regulated industries such as
banking, since the late 70's. It is now being replaced by AES.
DES is seriously insecure
against current attacks.
Linux FreeS/WAN does not include DES, even
though the RFCs specify it. We strongly recommend that single DES
not be used.
See also 3DES and DESX,
stronger ciphers based on DES.
- An improved DES suggested by Ron Rivest of RSA
Data Security. It XORs extra key material into the text before and
after applying the DES cipher.
This is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN. DESX would
be the easiest additional transform to add; there would be very little
code to write. It would be much faster than 3DES and almost certainly
more secure than DES. However, since it is not in the RFCs other IPsec
implementations cannot be expected to have it.
- see Diffie-Hellman
- Dynamic Host
Configuration Protocol, a method of
assigning dynamic IP addresses, and providing
additional information such as addresses of DNS servers and of
gateways. See this DHCP resource
- Diffie-Hellman (DH) key exchange protocol
- A protocol that allows two parties without any initial shared secret
to create one in a manner immune to eavesdropping. Once they have done
this, they can communicate privately by using that shared secret as a
key for a block cipher or as the basis for key exchange.
The protocol is secure against all passive
attacks, but it is not at all resistant to active man-in-the-middle attacks. If a third party can
impersonate Bob to Alice and vice versa, then no useful secret can be
created. Authentication of the participants is a prerequisite for safe
Diffie-Hellman key exchange. IPsec can use any of several authentication mechanisims. Those supported
by FreeS/WAN are discussed in our configuration section.
The Diffie-Hellman key exchange is based on the discrete logarithm problem and is secure unless
someone finds an efficient solution to that problem.
Given a prime p and generator g (explained
under discrete log below), Alice:
- generates a random number a
- calculates A = g^a modulo p
- sends A to Bob
- generates a random number b
- calculates B = g^b modulo p
- sends B to Alice
Now Alice and Bob can both calculate the shared secret s =
g^(ab). Alice knows a and B, so she
calculates s = B^a. Bob knows A and b
so he calculates s = A^b.
An eavesdropper will know p and g since these
are made public, and can intercept A and B but,
short of solving the discrete log problem, these do
not let him or her discover the secret s.
- Digital signature
- calculates a message digest of a
- encrypts the digest with his or her private key, using some public key cryptosystem.
- attaches the encrypted digest to the document as a signature
- calculates a digest of the document (not including the
- decrypts the signature with the signer's public key
- verifies that the two results are identical
If the public-key system is secure and the verification succeeds,
then the receiver knows
- that the document was not altered between signing and
- that the signer had access to the private key
Such an encrypted message digest can be treated as a signature since
it cannot be created without both the document and
the private key which only the sender should possess. The legal issues are complex, but several
countries are moving in the direction of legal recognition for digital
- discrete logarithm problem
- The problem of finding logarithms in a finite field. Given a field
defintion (such definitions always include some operation analogous to
multiplication) and two numbers, a base and a target, find the power
which the base must be raised to in order to yield the target.
The discrete log problem is the basis of several cryptographic
systems, including the Diffie-Hellman key exchange
used in the IKE protocol. The useful property is
that exponentiation is relatively easy but the inverse operation,
finding the logarithm, is hard. The cryptosystems are designed so that
the user does only easy operations (exponentiation in the field) but an
attacker must solve the hard problem (discrete log) to crack the
There are several variants of the problem for different types of
field. The IKE/Oakley key determination protocol uses two variants,
either over a field modulo a prime or over a field defined by an
elliptic curve. We give an example modulo a prime below. For the
elliptic curve version, consult an advanced text such as Handbook of Applied Cryptography.
Given a prime p, a generator g for the field
modulo that prime, and a number x in the field, the problem
is to find y such that g^y = x.
For example, let p = 13. The field is then the integers from 0 to
12. Any integer equals one of these modulo 13. That is, the remainder
when any integer is divided by 13 must be one of these.
2 is a generator for this field. That is, the powers of two modulo
13 run through all the non-zero numbers in the field. Modulo 13 we
2^0 == 1
2^1 == 2
2^2 == 4
2^3 == 8
2^4 == 3 that is, the remainder from 16/13 is 3
2^5 == 6 the remainder from 32/13 is 6
2^6 == 12 and so on
2^7 == 11
2^8 == 9
2^9 == 5
2^10 == 10
2^11 == 7
2^12 == 1
Exponentiation in such a field is not difficult. Given, say,
y = 11,calculating x =
7is straightforward. One method is just to calculate
2^11 = 2048,then 2048 mod 13 ==
7.When the field is modulo a large prime (say a few 100
digits) you need a silghtly cleverer method and even that is moderately
expensive in computer time, but the calculation is still not
problematic in any basic way.
The discrete log problem is the reverse. In our example, given
x = 7,find the logarithm y =
11.When the field is modulo a large prime (or is based on
a suitable elliptic curve), this is indeed problematic. No solution
method that is not catastrophically expensive is known. Quite a few
mathematicians have tackled this problem. No efficient method has been
found and mathematicians do not expect that one will be. It seems
likely no efficient solution to either of the main variants the
discrete log problem exists.
Note, however, that no-one has proven such methods do not exist. If
a solution to either variant were found, the security of any crypto
system using that variant would be destroyed. This is one reason IKE supports two variants. If one is broken, we can
switch to the other.
- discretionary access control
- access control mechanisms controlled by the user, for example Unix
rwx file permissions. These contrast with mandatory access controls.
- Domain Name Service, a distributed database
through which names are associated with numeric addresses and other
information in the Internet Protocol Suite. See also the DNS background section of our
- DOS attack
- see Denial Of Service attack
- dynamic IP address
- an IP address which is automatically assigned, either by DHCP or by some protocol such as PPP or PPPoE which the machine
uses to connect to the Internet. This is the opposite of a static IP address, pre-set on the machine
- The US government's Export Administration
Regulations, administered by the Bureau of Export
Administration. These have replaced the earlier ITAR regulations as the controls on export of
- ECB mode
- Electronic CodeBook mode, the simplest way to
use a block cipher. See Cipher Modes.
- The sequence of operations normally used in either the three-key
variant of triple DES used in IPsec or the two-key variant used
in some other systems.
The sequence is:
- Encrypt with key1
- Decrypt with key2
- Encrypt with key3
For the two-key version, key1=key3.
The "advantage" of this EDE order of operations is that it makes it
simple to interoperate with older devices offering only single DES. Set
key1=key2=key3 and you have the worst of both worlds, the overhead of
triple DES with the "security" of single DES. Since both the security of single DES and the
overheads of triple DES are seriously inferior to many other ciphers,
this is a spectacularly dubious "advantage".
- A Canadian company offerring enterprise PKI
products using CAST-128 symmetric crypto, RSA public key and X.509
directories. Web site
- Electronic Frontier Foundation, an
advocacy group for civil rights in cyberspace.
- Techniques for converting a readable message (plaintext) into apparently random material (ciphertext) which cannot be read if intercepted.
A key is required to read the message.
Major variants include symmetric encryption
in which sender and receiver use the same secret key and public key methods in which the sender uses one of a
matched pair of keys and the receiver uses the other. Many current
systems, including IPsec, are hybrids combining the two techniques.
- Encapsulated Security Payload, the IPsec protocol which provides encryption. It can also provide authentication service and may be used with
null encryption (which we do not recommend). For details see our IPsec document and/or RFC 2406.
- Extruded subnet
- A situation in which something IP sees as one network is actually in
two or more places.
For example, the Internet may route all traffic for a particular
company to that firm's corporate gateway. It then becomes the company's
problem to get packets to various machines on their subnets in various departments. They may decide to
treat a branch office like a subnet, giving it IP addresses "on" their
corporate net. This becomes an extruded subnet.
Packets bound for it are delivered to the corporate gateway, since
as far as the outside world is concerned, that subnet is part of the
corporate network. However, instead of going onto the corporate LAN (as
they would for, say, the accounting department) they are then
encapsulated and sent back onto the Internet for delivery to the branch
For information on doing this with Linux FreeS/WAN, look in our advanced configuration
- Exhaustive search
- See brute force attack.
- Federal Information Processing Standard,
the US government's standards for products it buys. These are issued by
NIST. Among other things, DES
and SHA are defined in FIPS documents. NIST have a
FIPS home page.
- Free Software Foundation (FSF)
- An organisation to promote free software, free in the sense of these
quotes from their web pages
"Free software" is a matter of liberty, not price. To understand the
concept, you should think of "free speech", not "free beer."
"Free software" refers to the users' freedom to run, copy,
distribute, study, change and improve the software.
See also GNU, GNU General Public
License, and the FSF site.
- see Linux FreeS/WAN
- The CIDR block containing all IPs of its IP version.
The IPv4 fullnet is written 0.0.0.0/0.
Also known as "all" and "default",
fullnet may be used in a routing table
to specify a default route,
and in a FreeS/WAN
policy group file to
specify a default IPsec policy.
- see Free software Foundation
- Government Communications
Headquarters, the British organisation for signals intelligence.
- generator of a prime field
- see discrete logarithm problem
- Global Internet Liberty Campaign,
an international organisation advocating, among other things, free
availability of cryptography. They have a campaign to remove
cryptographic software from the Wassenaar
- Global Internet Liberty Campaign
- see GILC.
- Global Trust Register
- An attempt to create something like a root CA
for PGP by publishing both as a book and on the
web the fingerprints of a set of verified keys for well-known users
- The GNU Multi-Precision library code, used in Linux FreeS/WAN by Pluto for
public key calculations. See the GMP home page.
- GNU's Not Unix, the Free Software
Foundation's project aimed at creating a free system with at least
the capabilities of Unix. Linux uses GNU utilities
- a Soviet government standard block cipher. Applied Cryptography has details.
- see GNU Privacy Guard
- GNU General Public License(GPL, copyleft)
- The license developed by the Free Software
Foundation under which Linux, Linux FreeS/WAN and many other pieces of software
are distributed. The license allows anyone to redistribute and modify
the code, but forbids anyone from distributing executables without
providing access to source code. For more details see the file COPYING included with GPLed source distributions,
including ours, or the
GNU site's GPL page.
- GNU Privacy Guard
- An open source implementation of Open PGP as
defined in RFC 2440. See their web
- see GNU General Public License.
- see message digest
- Hashed Message Authentication Code (HMAC)
- using keyed message digest functions to
authenticate a message. This differs from other uses of these functions:
- In normal usage, the hash function's internal variable are
initialised in some standard way. Anyone can reproduce the hash to
check that the message has not been altered.
- For HMAC usage, you initialise the internal variables from the
key. Only someone with the key can reproduce the hash. A successful
check of the hash indicates not only that the message is unchanged
but also that the creator knew the key.
The exact techniques used in IPsec are defined
in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
because they output only 96 bits of the hash. This makes some attacks
on the hash functions harder.
- see Hashed Message Authentication Code
- see Hashed Message Authentication Code
- see Hashed Message Authentication Code
- Hybrid cryptosystem
- A system using both public key and symmetric cipher techniques. This works well.
Public key methods provide key management and digital signature facilities which are not
readily available using symmetric ciphers. The symmetric cipher,
however, can do the bulk of the encryption work much more efficiently
than public key methods.
- Internet Architecture Board.
- Internet Control
Message Protocol. This is used for
various IP-connected devices to manage the network.
- International Data Encrypion Algorithm,
developed in Europe as an alternative to exportable American ciphers
such as DES which were too
weak for serious use. IDEA is a block cipher
using 64-bit blocks and 128-bit keys, and is used in products such as
IDEA is not required by the IPsec RFCs and not
currently used in Linux FreeS/WAN.
IDEA is patented and, with strictly limited exceptions for personal
use, using it requires a license from Ascom.
- Institute of Electrical and Electronic
Engineers, a professional association which, among other things,
sets some technical standards
- Internet Engineering Steering
- Internet Engineering Task Force,
the umbrella organisation whose various working groups make most of the
technical decisions for the Internet. The IETF IPsec
working group wrote the RFCs we are
- Internet Key Exchange, based on the Diffie-Hellman key exchange protocol. For details, see
RFC 2409 and our IPsec document. IKE is
implemented in Linux FreeS/WAN by the Pluto daemon.
- IKE v2
- A proposed replacement for IKE. There are other
candidates, such as JFK, and at time of writing
(March 2002) the choice between them has not yet been made and does not
- See Initiate-only opportunistic
- Internet Protocol.
- IP masquerade
- A mostly obsolete term for a method of allowing multiple machines to
communicate over the Internet when only one IP address is available for
their use. The more current term is Network Address Translation or NAT.
- "IP the Next Generation", see IPv6.
- The current version of the Internet protocol
- IPv6 (IPng)
- Version six of the Internet protocol suite,
currently being developed. It will replace the current version four. IPv6 has IPsec as a
See this web
site for more details, and our compatibility document for information on
FreeS/WAN and the Linux implementation of IPv6.
- IPsec or IPSEC
- Internet Protocol SECurity, security functions
(authentication and encryption) implemented at the IP level of the
protocol stack. It is optional for IPv4 and
mandatory for IPv6.
This is the standard Linux FreeS/WAN is
implementing. For more details, see our IPsec
Overview. For the standards, see RFCs listed in our RFCs document.
- Novell's Netware protocol tunnelled over an IP link. Our firewalls document includes an
example of using this through an IPsec tunnel.
- Internet Security Association and Key
Management Protocol, defined in RFC 2408.
- International Traffic in Arms
Regulations, US regulations administered by the State Department
which until recently limited export of, among other things,
cryptographic technology and software. ITAR still exists, but the
limits on cryptography have now been transferred to the Export Administration Regulations under the Commerce
Department's Bureau of Export Administration.
- see Initialisation vector
- Initialisation Vector (IV)
- Some cipher modes, including the CBC mode which IPsec uses, require some extra data at
the beginning. This data is called the initialisation vector. It need
not be secret, but should be different for each message. Its function
is to prevent messages which begin with the same text from encrypting
to the same ciphertext. That might give an analyst an opening, so it is
- Initiate-only opportunistic
- A form of
opportunistic encryption (OE) in which
a host proposes opportunistic connections, but lacks the reverse DNS
records necessary to support incoming opportunistic connection requests.
Common among hosts on cable or pppoe connections where the system
administrator does not have write access to the DNS reverse map
for the host's external IP.
Configuring for initiate-only opportunistic encryption
is described in our
- Just Fast Keying,
a proposed simpler replacement for IKE.
- The basic part of an operating system (e.g. Linux) which controls the
hardware and provides services to all other programs.
In the Linux release numbering system, an even second digit as in
2.2.x indicates a stable or production kernel while an
odd number as in 2.3.x indicates an experimental or
development kernel. Most users should run a recent kernel version from
the production series. The development kernels are primarily for people
doing kernel development. Others should consider using development
kernels only if they have an urgent need for some feature not yet
available in production kernels.
- Keyed message digest
- See HMAC.
- Key length
- see brute force attack
- Kernel IP Security, the Linux FreeS/WAN project's changes to the Linux kernel to support the IPsec protocols.
- Lightweight Directory Access Protocol,
defined in RFCs 1777 and 1778, a method of accessing information
stored in directories. LDAP is used by several PKI
implementations, often with X.501 directories and X.509 certificates. It may also be used by IPsec to obtain key certifications from those PKIs.
This is not yet implemented in Linux
- A publicly available library of DES code, written
by Eric Young, which Linux FreeS/WAN uses in
both KLIPS and Pluto.
- A freely available Unix-like operating system based on a kernel
originally written for the Intel 386 architecture by (then) student
Linus Torvalds. Once his 32-bit kernel was available, the GNU utilities made it a usable system and contributions
from many others led to explosive growth.
Today Linux is a complete Unix replacement available for several CPU
architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC
and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple
CPUs on some architectures.
Linux FreeS/WAN is intended to run on all
CPUs supported by Linux and is known to work on several. See our compatibility section for a list.
- Linux FreeS/WAN
- Our implementation of the IPsec protocols,
intended to be freely redistributable source code with a
GNU GPL license and no constraints under US or other export laws. Linux FreeS/WAN is intended
to interoperate with other IPsec implementations.
The name is partly taken, with permission, from the S/WAN multi-vendor IPsec compatability effort. Linux
FreeS/WAN has two major components, KLIPS (KerneL
IPsec Support) and the Pluto daemon which manages
the whole thing.
See our IPsec section for more detail. For
the code see our primary site or one
of the mirror sites on this list.
- Linux Security Modules (LSM)
- a project to create an interface in the Linux kernel that supports
plug-in modules for various security policies.
This allows multiple security projects to take different approaches
to security enhancement without tying the kernel down to one particular
approach. As I understand the history, several projects were pressing
Linus to incorporate their changes, the various sets of changes were
incompatible, and his answer was more-or-less "a plague on all your
houses; I'll give you an interface, but I won't incorporate
It seems to be working. There is a fairly active LSM
mailing list, and several projects are already using the
- see Linux Security Modules
- Mailing list
- The Linux FreeS/WAN project has several
public email lists for bug reports and software development
discussions. See our document on mailing
- Man-in-the-middle attack
- An active attack in which the attacker
impersonates each of the legitimate players in a protocol to the other.
For example, if Alice and Bob are
negotiating a key via the Diffie-Hellman key
agreement, and are not using authentication to be certain they are
talking to each other, then an attacker able to insert himself in the
communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For
Alice, he pretends to be Bob. Two keys are then negotiated,
Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it,
reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
and sends it along to Bob. Bob decrypts successfully and sends a reply
which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
- subvert some part of the network in some way that lets him carry
out the deception
possible targets: DNS, router, Alice or Bob's machine, mail server,
- beat any authentication mechanism Alice and Bob use
strong authentication defeats the attack entirely; this is why IKE requires authentication
- work in real time, delivering messages without introducing a
delay large enough to alert the victims
not hard if Alice and Bob are using email; quite difficult in some
If he manages it, however, it is devastating. He not only gets to
read all the messages; he can alter messages, inject his own, forge
anything he likes, . . . In fact, he controls the communication
- mandatory access control
- access control mechanisims which are not settable by the user (see discretionary access control), but are
enforced by the system.
For example, a document labelled "secret, zebra" might be readable
only by someone with secret clearance working on Project Zebra.
Ideally, the system will prevent any transfer outside those boundaries.
For example, even if you can read it, you should not be able to e-mail
it (unless the recipient is appropriately cleared) or print it (unless
certain printers are authorised for that classification).
Mandatory access control is a required feature for some levels of Rainbow Book or Common Criteria
classification, but has not been widely used outside the military and
government. There is a good discussion of the issues in Anderson's Security Engineering.
The Security Enhanced Linux project is adding
mandatory access control to Linux.
- Manual keying
- An IPsec mode in which the keys are provided by the administrator. In
FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, automatic keying, is preferred in most cases. See this
- Message Digest Algorithm Four from Ron Rivest
of RSA. MD4 was widely used a few years ago, but
is now considered obsolete. It has been replaced by its descendants MD5 and SHA.
- Message Digest Algorithm Five from Ron Rivest
of RSA, an improved variant of his MD4. Like MD4, it produces a 128-bit hash. For details
see RFC 1321.
MD5 is one of two message digest algorithms available in IPsec. The
other is SHA. SHA produces a longer hash and is
therefore more resistant to birthday attacks,
but this is not a concern for IPsec. The HMAC
method used in IPsec is secure even if the underlying hash is not
particularly strong against this attack.
Hans Dobbertin found a weakness in MD5, and people often ask whether
this means MD5 is unsafe for IPsec. It doesn't. The IPsec RFCs discuss
Dobbertin's attack and conclude that it does not affect MD5 as used for
HMAC in IPsec.
- Meet-in-the-middle attack
- A divide-and-conquer attack which breaks a cipher into two parts,
works against each separately, and compares results. Probably the best
known example is an attack on double DES. This applies in principle to
any pair of block ciphers, e.g. to an encryption system using, say,
CAST-128 and Blowfish, but we will describe it for double DES.
Double DES encryption and decryption can be written:
C = E(k2,E(k1,P))
P = D(k1,D(k2,C))
Where C is ciphertext, P is plaintext, E is encryption, D is
decryption, k1 is one key, and k2 is the other key. If we know a P, C
pair, we can try and find the keys with a brute force attack, trying
all possible k1, k2 pairs. Since each key is 56 bits, there are
2112 such pairs and this attack is painfully inefficient.
The meet-in-the middle attack re-writes the equations to calculate a
middle value M:
M = E(k1,P)
M = D(k2,C)
Now we can try some large number of D(k2,C) decryptions with various
values of k2 and store the results in a table. Then start doing E(k1,P)
encryptions, checking each result to see if it is in the table.
With enough table space, this breaks double DES with
256 + 256 = 257work.
Against triple DES, you need 256 + 2112 ~=
The memory requirements for such attacks can be prohibitive, but
there is a whole body of research literature on methods of reducing
- Message Digest Algorithm
- An algorithm which takes a message as input and produces a hash or
digest of it, a fixed-length set of bits which depend on the message
contents in some highly complex manner. Design criteria include making
it extremely difficult for anyone to counterfeit a digest or to change
a message without altering its digest. One essential property is collision resistance. The main applications are
in message authentication and digital signature schemes. Widely used algorithms
include MD5 and SHA. In IPsec,
message digests are used for HMAC authentication of
- Maximum Transmission
Unit, the largest size of packet that can be sent over
a link. This is determined by the underlying network, but must be taken
account of at the IP level.
IP packets, which can be up to 64K bytes each, must be packaged into
lower-level packets of the appropriate size for the underlying
network(s) and re-assembled on the other end. When a packet must pass
over multiple networks, each with its own MTU, and many of the MTUs are
unknown to the sender, this becomes a fairly complex problem. See path MTU discovery for details.
Often the MTU is a few hundred bytes on serial links and 1500 on
Ethernet. There are, however, serial link protocols which use a larger
MTU to avoid fragmentation at the ethernet/serial boundary, and newer
(especially gigabit) Ethernet networks sometimes support much larger
packets because these are more efficient in some applications.
- Network Associates, a conglomerate
formed from PGP Inc., TIS (Trusted Information
Systems, a firewall vendor) and McAfee anti-virus products. Among other
things, they offer an IPsec-based VPN product.
- Network Address Translation, a process by which
firewall machines may change the addresses on packets as they go
through. For discussion, see our background section.
- The US National Institute of Standards
and Technology, responsible for FIPS standards
including DES and its replacement, AES.
- A random value used in an authentication protocol.
- Non-routable IP address
- An IP address not normally allowed in the "to" or "from" IP address
field header of IP packets.
Almost invariably, the phrase "non-routable address" means one of
the addresses reserved by RFC 1918 for private networks:
- 172.x.anything with 16 <= x <= 31
These addresses are commonly used on private networks, e.g. behind a
Linux machines doing IP masquerade. Machines within
the private network can address each other with these addresses. All
packets going outside that network, however, have these addresses
replaced before they reach the Internet.
If any packets using these addresses do leak out, they do not go
far. Most routers automatically discard all such packets.
Various other addresses -- the 127.0.0.0/8 block reserved for local
use, 0.0.0.0, various broadcast and network addresses -- cannot be
routed over the Internet, but are not normally included in the meaning
when the phrase "non-routable address" is used.
- The US National Security Agency,
the American organisation for signals
intelligence, the protection of US government messages and the
interception and analysis of other messages. For details, see Bamford's
"The Puzzle Palace".
of NSA documents were declassified in response to a FOIA (Freedom
of Information Act) request.
- A key determination protocol, defined in RFC 2412.
- Oakley groups
- The groups used as the basis of Diffie-Hellman key
exchange in the Oakley protocol, and in IKE. Four
were defined in the original RFC, and a fifth has been added since.
Linux FreeS/WAN currently supports the three groups based on finite
fields modulo a prime (Groups 1, 2 and 5) and does not support the
elliptic curve groups (3 and 4). For a description of the difference of
the types, see discrete logarithms.
- One time pad
- A cipher in which the key is:
- as long as the total set of messages to be enciphered
- absolutely random
- never re-used
Given those three conditions, it can easily be proved that the
cipher is perfectly secure, in the sense that an attacker with
intercepted message in hand has no better chance of guessing the
message than an attacker who has not intercepted the message and only
knows the message length. No such proof exists for any other cipher.
There are, however, several problems with this "perfect" cipher.
First, it is wildly impractical for most
applications. Key management is at best difficult, often completely
Second, it is extremely fragile. Small changes
which violate the conditions listed above do not just weaken the cipher
liitle. Quite often they destroy its security completely.
- Re-using the pad weakens the cipher to the point where it can be
broken with pencil and paper. With a computer, the attack is
- Using anything less than truly random numbers completely invalidates
the security proof.
- In particular, using computer-generated pseudo-random numbers may
give an extremely weak cipher. It might also produce a good stream
cipher, if the pseudo-random generator is both well-designed and
Marketing claims about the "unbreakable" security of various
products which somewhat resemble one-time pads are common. Such claims
are one of the surest signs of cryptographic snake
oil; most systems marketed with such claims are worthless.
Finally, even if the system is implemented and used correctly, it is
highly vulnerable to a substitution attack. If an
attacker knows some plaintext and has an intercepted message, he can
discover the pad.
- This does not matter if the attacker is just a passive eavesdropper. It gives him no plaintext
he didn't already know and we don't care that he learns a pad which
we will never re-use.
- However, an active attacker who knows the
plaintext can recover the pad, then use it to encode with whatever
he chooses. If he can get his version delivered instead of yours,
this may be a disaster. If you send "attack at dawn", the delivered
message can be anything the same length -- perhaps "retreat to
east" or "shoot generals".
- An active attacker with only a reasonable guess at the plaintext
can try the same attack. If the guess is correct, this works and
the attacker's bogus message is delivered. If the guess is wrong, a
garbled message is delivered.
In general then, despite its theoretical perfection, the
one-time-pad has very limited practical application.
See also the one
time pad FAQ.
- Opportunistic encryption (OE)
- A situation in which any two IPsec-aware machines can secure their
communications, without a pre-shared secret and without a common PKI or previous exchange of public keys. This is one of
the goals of the Linux FreeS/WAN project, discussed in our introduction section.
Setting up for opportunistic encryption is described in our quickstart document.
- Opportunistic responder
- A host which accepts, but does not initiate, requests for
opportunistic encryption (OE).
An opportunistic responder has enabled OE in its
passive form (pOE) only.
A web server or file server may be usefully set up as an opportunistic
Configuring passive OE is described in our
policy groups document.
- Orange book
- the most basic and best known of the US government's Rainbow Book series of computer security
- P1363 standard
- An IEEE standard for public key cryptography. Web page.
- See Passive opportunistic encryption.
- Passive attack
- An attack in which the attacker only eavesdrops and attempts to
analyse intercepted messages, as opposed to an active
attack in which he diverts messages or generates his own.
- Passive opportunistic encryption (pOE)
- A form of
opportunistic encryption (OE) in which the
host will accept opportunistic connection requests, but will not
initiate such requests. A host which runs OE in its passive form only
is known as an opportunistic responder.
Configuring passive OE is described in our
policy groups document.
- Path MTU discovery
- The process of discovering the largest packet size which all links on
a path can handle without fragmentation -- that is, without any router
having to break the packet up into smaller pieces to match the MTU of its outgoing link.
This is done as follows:
- originator sends the largest packets allowed by MTU of the first link, setting the DF
(don't fragment) bit in the
- any router which cannot send the packet on (outgoing MTU is too
small for it, and DF prevents fragmenting it to match) sends back
an ICMP packet reporting the problem
- originator looks at ICMP message and tries a smaller size
- eventually, you settle on a size that can pass all routers
- thereafter, originator just sends that size and no-one has to
Since this requires co-operation of many systems, and since the next
packet may travel a different path, this is one of the trickier areas
of IP programming. Bugs that have shown up over the years have
- malformed ICMP messages
- hosts that ignore or mishandle these ICMP messages
- firewalls blocking the ICMP messages so host does not see
Since IPsec adds a header, it increases packet size and may require
fragmentation even where incoming and outgoing MTU are equal.
- Perfect forward secrecy (PFS)
- A property of systems such as Diffie-Hellman key
exchange which use a long-term key (such as the shared secret in IKE)
and generate short-term keys as required. If an attacker who acquires
the long-term key provably can
- neither read previous messages which he may have
- nor read future messages without performing additional
then the system has PFS. The attacker needs the short-term keys in
order to read the trafiic and merely having the long-term key does not
allow him to infer those. Of course, it may allow him to conduct
another attack (such as man-in-the-middle) which
gives him some short-term keys, but he does not automatically get them
just by acquiring the long-term key.
- see Perfect Forward Secrecy
- Pretty Good Privacy, a personal encryption
system for email based on public key technology, written by Phil
The 2.xx versions of PGP used the RSA public key
algorithm and used IDEA as the symmetric cipher.
These versions are described in RFC 1991 and in Garfinkel's book. Since version 5, the products from PGP Inc. have used Diffie-Hellman
public key methods and CAST-128 symmetric
encryption. These can verify signatures from the 2.xx versions, but
cannot exchange encryted messages with them.
An IETF working group has issued RFC 2440 for an
"Open PGP" standard, similar to the 5.x versions. PGP Inc. staff were
among the authors. A free Gnu Privacy Guard based on
that standard is now available.
For more information on PGP, including how to obtain it, see our
- PGP Inc.
- A company founded by Zimmerman, the author of PGP,
now a division of NAI. See the corporate website. Zimmerman left in
2001, and early in 2002 NAI announced that they would no longer sell
Versions 6.5 and later of the PGP product include PGPnet, an IPsec
client for Macintosh or for Windows 95/98/NT. See our interoperation document.
- Another key negotiation protocol, an alternative to IKE, described in RFCs 2522 and 2523.
- Point-to-Point Protocol, originally a method of
connecting over modems or serial lines, but see also PPPoE.
- PPP over Ethernet, a somewhat odd protocol that
makes Ethernet look like a point-to-point serial link. It is widely
used for cable or ADSL Internet services, apparently mainly because it
lets the providers use access control and address assignmment
mechanisms developed for dialup networks. Roaring Penguin provide a
widely used Linux implementation.
- Point-to-Point Tunneling Protocol, used
in some Microsoft VPN implementations. Papers discussing weaknesses in
it are on counterpane.com. It
is now largely obsolete, replaced by L2TP.
- Public Key Infrastructure, the things an
organisation or community needs to set up in order to make public key cryptographic technology a standard part
of their operating procedures.
There are several PKI products on the market. Typically they use a
hierarchy of Certification Authorities (CAs). Often
they use LDAP access to X.509
directories to implement this.
See Web of Trust for a different sort of
- PKI eXchange, an IETF standard that
allows PKIs to talk to each other.
This is required, for example, when users of a corporate PKI need to
communicate with people at client, supplier or government
organisations, any of which may have a different PKI in place. I should
be able to talk to you securely whenever:
- your organisation and mine each have a PKI in place
- you and I are each set up to use those PKIs
- the two PKIs speak PKIX
- the configuration allows the conversation
At time of writing (March 1999), this is not yet widely implemented
but is under quite active development by several groups.
- The unencrypted input to a cipher, as opposed to the encrypted ciphertext output.
- The Linux FreeS/WAN daemon which handles key
exchange via the IKE protocol, connection
negotiation, and other higher-level tasks. Pluto calls the KLIPS kernel code as required. For details, see the
manual page ipsec_pluto(8).
- Public Key Cryptography
- In public key cryptography, keys are created in matched pairs.
Encrypt with one half of a pair and only the matching other half can
decrypt it. This contrasts with symmetric or
secret key cryptography in which a single key known to both parties
is used for both encryption and decryption.
One half of each pair, called the public key, is made public. The
other half, called the private key, is kept secret. Messages can then
be sent by anyone who knows the public key to the holder of the private
key. Encrypt with the public key and you know that only someone with
the matching private key can decrypt.
Public key techniques can be used to create digital signatures and to deal with key
management issues, perhaps the hardest part of effective deployment of
symmetric ciphers. The resulting hybrid cryptosystems use public key methods to
manage keys for symmetric ciphers.
Many organisations are currently creating PKIs,
public key infrastructures to make these benefits widely
- Public Key Infrastructure
- see PKI
- Rainbow books
- A set of US government standards for evaluation of "trusted computer
systems", of which the best known was the Orange
Book. One fairly often hears references to "C2 security" or a
product "evaluated at B1". The Rainbow books define the standards
referred to in those comments.
See this reference
The Rainbow books are now mainly obsolete, replaced by the
international Common Criteria standards.
- A remarkably tricky term, far too much so for me to attempt a
definition here. Quite a few cryptosystems have been broken via attacks
on weak random number generators, even when the rest of the system was
1750 for the theory.
See the manual pages for ipsec_ranbits(8) and
ipsec_prng(3) for more on FreeS/WAN's use of randomness. Both depend on
the random(4) device driver..
A couple of years ago, there was extensive mailing list discussion
(archived here)of Linux
/dev/random and FreeS/WAN. Since then, the design of the random(4)
driver has changed considerably. Linux 2.4 kernels have the new
- A firewall product for Windows NT offerring IPsec-based VPN services.
Linux FreeS/WAN interoperates with Raptor; see our interop document for details. Raptor
have recently merged with Axent.
- Rivest Cipher four, designed by Ron Rivest of RSA and widely used. Believed highly secure with
adequate key length, but often implemented with inadequate key length
to comply with export restrictions.
- Rivest Cipher six, RSA's AES candidate cipher.
- Replay attack
- An attack in which the attacker records data and later replays it in
an attempt to deceive the recipient.
- Reverse map
- In DNS, a table where IP addresses can be used as
the key for lookups which return a system name and/or other
- Request For Comments, an Internet document. Some
RFCs are just informative. Others are standards.
Our list of IPsec and other security-related
RFCs is here, along with information on
methods of obtaining them.
- a block cipher designed by two Belgian
cryptographers, winner of the US government's AES
contest to pick a replacement for DES. See the Rijndael home
- A message digest algorithm. The current version
is RIPEMD-160 which gives a 160-bit hash.
- Root CA
- The top level Certification Authority in a hierachy
of such authorities.
- Routable IP address
- Most IP addresses can be used as "to" and "from" addresses in packet
headers. These are the routable addresses; we expect routing to be
possible for them. If we send a packet to one of them, we expect (in
most cases; there are various complications) that it will be delivered
if the address is in use and will cause an ICMP error packet to come back to us if not.
There are also several classes of non-routable IP addresses.
- RSA algorithm
- Rivest Shamir Adleman public
key algorithm, named for its three inventors. It is widely used and
likely to become moreso since it became free of patent encumbrances in
RSA can be used to provide either encryption or digital
signatures. In IPsec, it is used only for signatures. These provide
gateway-to-gateway authentication for IKE negotiations.
For a full explanation of the algorithm, consult one of the standard
references such as Applied
Cryptography. A simple explanation is:
The great 17th century French mathematician Fermat
for any prime p and number x, 0 <= x < p:
x^p == x modulo p
x^(p-1) == 1 modulo p, non-zero x
From this it follows that if we have a pair of primes p, q and two
numbers e, d such that:
ed == 1 modulo lcm( p-1, q-1)
where lcm() is least common multiple, then
for all x, 0 <= x < pq:
x^ed == x modulo pq
So we construct such as set of numbers p, q, e, d and publish the
product N=pq and e as the public key. Using c for ciphertext and i for the input plaintext, encryption is then:
c = i^e modulo N
An attacker cannot deduce i from the cyphertext c, short of either
factoring N or solving the discrete logarithm
problem for this field. If p, q are large primes (hundreds or thousands
of bits) no efficient solution to either problem is known.
The receiver, knowing the private key (N and d), can readily recover
the plaintext p since:
c^d == (i^e)^d modulo N
== i^ed modulo N
== i modulo N
This gives an effective public key technique, with only a couple of
problems. It uses a good deal of computer time, since calculations with
large integers are not cheap, and there is no proof it is necessarily
secure since no-one has proven either factoring or discrete log cannot
be done efficiently. Quite a few good mathematicians have tried both
problems, and no-one has announced success, but there is no proof they
- RSA Data Security
- A company founded by the inventors of the RSA
public key algorithm.
- Security Association, the channel negotiated by the
higher levels of an IPsec implementation (IKE) and used by the lower (ESP.
SAs are unidirectional; you need a pair of them
for two-way communication.
An SA is defined by three things -- the destination, the protocol
(e.g. ESP) and the SPI, security parameters index. It is used as an index
to look up other things such as session keys and intialisation
For more detail, see our section on IPsec
and/or RFC 2401.
- SE Linux
- Security Enhanced Linux, an NSA-funded project to add mandatory access control to Linux. See the project home page.
According to their web pages, this work will include extending
mandatory access controls to IPsec tunnels.
Recent versions of SE Linux code use the Linux
Security Module interface.
- Secure DNS
- A version of the DNS or Domain Name Service
enhanced with authentication services. This is being designed by the IETF DNS security working group.
Check the Internet Software
Consortium for information on implementation progress and for the
latest version of BIND. Another site has more information.
IPsec can use this plus Diffie-Hellman key exchange to bootstrap itself. This
allows opportunistic encryption. Any pair of
machines which can authenticate each other via DNS can communicate
securely, without either a pre-existing shared secret or a shared PKI.
- Secret key cryptography
- See symmetric cryptography
- Security Association
- see SA
- Security Enhanced Linux
- see SE Linux
- Sequence number
- A number added to a packet or message which indicates its position in
a sequence of packets or messages. This provides some security against
For automatic keying mode, the IPsec RFCs require that the sender generate sequence
numbers for each packet, but leave it optional whether the receiver
does anything with them.
- Secure Hash Algorithm, a message digest algorithm developed by the NSA for use in the Digital Signature standard, FIPS number 186 from NIST. SHA is
an improved variant of MD4 producing a 160-bit hash.
SHA is one of two message digest algorithms available in IPsec. The
other is MD5. Some people do not trust SHA because
it was developed by the NSA. There is, as far as we
know, no cryptographic evidence that SHA is untrustworthy, but this
does not prevent that view from being strongly held.
The NSA made one small change after the release of the original SHA.
They did not give reasons. Iit may be a defense against some attack
they found and do not wish to disclose. Technically the modified
algorithm should be called SHA-1, but since it has replaced the
original algorithm in nearly all applications, it is generally just
referred to as SHA..
- Newer variants of SHA designed to match the strength of the 128, 192
and 256-bit keys of AES. The work to break an
encryption algorithm's strength by brute force is
operations but a birthday attack on a hash
needs only 2
, so as a general rule you need a hash twice the size of the key to
get similar strength. SHA-256, SHA-384 and SHA-512 are designed to
match the 128, 192 and 256-bit key sizes of AES, respectively.
- Signals intelligence (SIGINT)
- Activities of government agencies from various nations aimed at
protecting their own communications and reading those of others.
Cryptography, cryptanalysis, wiretapping, interception and monitoring
of various sorts of signals. The players include the American NSA, British GCHQ and Canadian CSE.
- Simple Key management for Internet
Protocols, an alternative to IKE developed by
Sun and being marketed by their Internet Commerce Group.
- Snake oil
- Bogus cryptography. See the
Snake Oil FAQ or this
paper by Schneier.
- Security Parameter Index, an index used within
IPsec to keep connections distinct. A Security Association (SA) is defined by destination,
protocol and SPI. Without the SPI, two connections to the same gateway
using the same protocol could not be distinguished.
For more detail, see our IPsec section
and/or RFC 2401.
- Secure SHell, an encrypting replacement for the
insecure Berkeley commands whose names begin with "r" for "remote":
rsh, rlogin, etc.
For more information on SSH, including how to obtain it, see our
- SSH Communications Security
- A company founded by the authors of SSH. Offices
are in Finland and California. They have a toolkit for
developers of IPsec applications.
- Secure Sockets Layer,
a set of encryption and authentication services for web browsers,
developed by Netscape. Widely used in Internet commerce. Also known as
- A free implementation of SSL by Eric Young (eay)
and others. Developed in Australia; not subject to US export
- static IP address
- an IP adddress which is pre-set on the machine itself, as opposed to
a dynamic address which is assigned by a DHCP server or obtained as part of the process of
establishing a PPP or PPPoE
- Stream cipher
- A symmetric cipher which produces a stream
of output which can be combined (often using XOR or bytewise addition)
with the plaintext to produce ciphertext. Contrasts with block cipher.
IPsec does not use stream ciphers. Their main
application is link-level encryption, for example of voice, video or
data streams on a wire or a radio signal.
- A group of IP addresses which are logically one network, typically
(but not always) assigned to a group of physically connected machines.
The range of addresses in a subnet is described using a subnet mask.
See next entry.
- subnet mask
- A method of indicating the addresses included in a subnet. Here are
two equivalent examples:
- 188.8.131.52 with mask 255.255.255.0
The '24' is shorthand for a mask with the top 24 bits one and the
rest zero. This is exactly the same as 255.255.255.0 which has three
all-ones bytes and one all-zeros byte.
These indicate that, for this range of addresses, the top 24 bits
are to be treated as naming a network (often referred to as "the
184.108.40.206/24 subnet") while most combinations of the low 8 bits can
be used to designate machines on that network. Two addresses are
reserved; 220.127.116.11 refers to the subnet rather than a specific
machine while 18.104.22.168 is a broadcast address. 1 to 254 are
available for machines.
It is common to find subnets arranged in a hierarchy. For example, a
large company might have a /16 subnet and allocate /24 subnets within
that to departments. An ISP might have a large subnet and allocate /26
subnets (64 addresses, 62 usable) to business customers and /29 subnets
(8 addresses, 6 usable) to residential clients.
- Secure Wide Area Network, a project involving RSA
Data Security and a number of other companies. The goal was to
ensure that all their IPsec implementations would
interoperate so that their customers can communicate with each other
- Symmetric cryptography
- Symmetric cryptography, also referred to as conventional or secret
key cryptography, relies on a shared secret key, identical for
sender and receiver. Sender encrypts with that key, receiver decrypts
with it. The idea is that an eavesdropper without the key be unable to
read the messages. There are two main types of symmetric cipher, block ciphers and stream
Symmetric cryptography contrasts with public
key or asymmetric systems where the two players use different
The great difficulty in symmetric cryptography is, of course, key
management. Sender and receiver must have identical keys and
those keys must be kept secret from everyone else. Not too
much of a problem if only two people are involved and they can
conveniently meet privately or employ a trusted courier. Quite a
problem, though, in other circumstances.
It gets much worse if there are many people. An application might be
written to use only one key for communication among 100 people, for
example, but there would be serious problems. Do you actually trust all
of them that much? Do they trust each other that much? Should they?
What is at risk if that key is compromised? How are you going to
distribute that key to everyone without risking its secrecy? What do
you do when one of them leaves the company? Will you even know?
On the other hand, if you need unique keys for every possible
connection between a group of 100, then each user must have 99 keys.
You need either 99*100/2 = 4950 secure key exchanges between
users or a central authority that securely distributes 100 key
packets, each with a different set of 99 keys.
Either of these is possible, though tricky, for 100 users. Either
becomes an administrative nightmare for larger numbers. Moreover, keys
must be changed regularly, so the problem of key distribution
comes up again and again. If you use the same key for many messages
then an attacker has more text to work with in an attempt to crack that
key. Moreover, one successful crack will give him or her the text of
all those messages.
In short, the hardest part of conventional cryptography is key
management. Today the standard solution is to build a hybrid system using public key
techniques to manage keys.
- Trusted Information Systems, a firewall vendor now part of NAI. Their Gauntlet product offers IPsec VPN services.
TIS implemented the first version of Secure DNS on
a DARPA contract.
- Transport Layer Security, a newer name for SSL.
- TOS field
- The Type Of
Service field in an IP header, used to control
qualkity of service routing.
- Traffic analysis
- Deducing useful intelligence from patterns of message traffic,
without breaking codes or reading the messages. In one case during
World War II, the British guessed an attack was coming because all
German radio traffic stopped. The "radio silence" order, intended to
preserve security, actually gave the game away.
In an industrial espionage situation, one might deduce something
interesting just by knowing that company A and company B were talking,
especially if one were able to tell which departments were involved, or
if one already knew that A was looking for acquisitions and B was
seeking funds for expansion.
In general, traffic analysis by itself is not very useful. However,
in the context of a larger intelligence effort where quite a bit is
already known, it can be very useful. When you are solving a complex
puzzle, every little bit helps.
IPsec itself does not defend against traffic
analysis, but carefully thought out systems using IPsec can provide at
least partial protection. In particular, one might want to encrypt more
traffic than was strictly necessary, route things in odd ways, or even
encrypt dummy packets, to confuse the analyst. We discuss this here.
- Transport mode
- An IPsec application in which the IPsec gateway is the destination of
the protected packets, a machine acts as its own gateway. Contrast with
- Triple DES
- see 3DES
- Time To Live, used
to control DNS caching. Servers discard cached
records whose TTL expires
- Tunnel mode
- An IPsec application in which an IPsec gateway provides protection
for packets to and from other systems. Contrast with transport mode.
- Two-key Triple DES
- A variant of triple DES or 3DES in which only two
keys are used. As in the three-key version, the order of operations is
EDE or encrypt-decrypt-encrypt, but in the two-key
variant the first and third keys are the same.
3DES with three keys has 3*56 = 168 bits of key but has only 112-bit
strength against a meet-in-the-middle attack, so it
is possible that the two key version is just as strong. Last I looked,
this was an open question in the research literature.
RFC 2451 defines triple DES for IPsec as the
three-key variant. The two-key variant should not be used and is not
implemented directly in Linux FreeS/WAN. It
cannot be used in automatically keyed mode without major fiddles in the
source code. For manually keyed connections, you could make Linux
FreeS/WAN talk to a two-key implementation by setting two keys the same
- Virtual Interface
- A Linux feature which allows one physical
network interface to have two or more IP addresses. See the Linux
Network Administrator's Guide in book form or on the web for
- Virtual Private Network
- see VPN
- Virtual Private Network, a network which can
safely be used as if it were private, even though some of its
communication uses insecure connections. All traffic on those
connections is encrypted.
IPsec is not the only technique available for
building VPNs, but it is the only method defined by RFCs and supported by many vendors. VPNs are by no
means the only thing you can do with IPsec, but they may be the most
important application for many users.
- Virtual Private Network Consortium,
an association of vendors of VPN products.
- Wassenaar Arrangement
- An international agreement restricting export of munitions and other
tools of war. Unfortunately, cryptographic software is also restricted
under the current version of the agreement. Discussion.
- Web of Trust
- PGP's method of certifying keys. Any user can sign
a key; you decide which signatures or combinations of signatures to
accept as certification. This contrasts with the hierarchy of CAs (Certification Authorities) used in many PKIs (Public Key Infrastructures).
See Global Trust Register for an interesting
addition to the web of trust.
- WEP (Wired Equivalent Privacy)
- The cryptographic part of the IEEE standard for
wireless LANs. As the name suggests, this is designed to be only as
secure as a normal wired ethernet. Anyone with a network conection can
tap it. Its advocates would claim this is good design, refusing to
build in complex features beyond the actual requirements.
Critics refer to WEP as "Wiretap Equivalent Privacy", and
consider it a horribly flawed design based on bogus "requirements". You
do not control radio waves as you might control your wires, so the
metaphor in the rationale is utterly inapplicable. A security policy
that chooses not to invest resources in protecting against certain
attacks which can only be conducted by people physically plugged into
your LAN may or may not be reasonable. The same policy is completely
unreasonable when someone can "plug in" from a laptop half a block
There has been considerable analysis indicating that WEP is
seriously flawed. A FAQ on attacks against WEP is available. Part of it
... attacks are practical to mount using only inexpensive
off-the-shelf equipment. We recommend that anyone using an 802.11
wireless network not rely on WEP for security, and employ other
security measures to protect their wireless network. Note that our
attacks apply to both 40-bit and the so-called 128-bit versions of
WEP equally well.
WEP appears to be yet another instance of governments, and
unfortunately some vendors and standards bodies, deliberately promoting
hopelessly flawed "security" products, apparently mainly for the
benefit of eavesdropping agencies. See this discussion.
- A standard from the ITU (International
Telecommunication Union), for hierarchical directories with
authentication services, used in many PKI
Use of X.509 services, via the LDAP protocol,
for certification of keys is allowed but not required by the IPsec RFCs. It is not yet implemented in Linux FreeS/WAN.
- A vendor of router and Internet access products, now part of Lucent.
Their QVPN products interoperate with Linux FreeS/WAN; see our interop document.