glossary
3DES | Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts |
| data three times, using a different |
| suitable for bulk data encryption. |
AES | Advanced Encryption Standard. Uses a symmetric key block encryption. |
| AES with a |
AH | The AH (Authentication Header) protocol provides data integrity, |
| for IP packets. It can also provide |
| protocol suite. |
authentication | The process of verifying a user's identity or integrity of data, or the identity of the party that |
| sent data. |
DES | Data Encryption Standard. Uses a |
| for encrypting large amounts of data. |
| DES has been cracked (data encoded using DES has been decoded by a third party). |
Method to generate a symmetric key where two parties can publicly exchange values and | |
| generate the same shared key. Start with prime p and generator g, which may be publicly |
| known (typically these numbers are from a |
| selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). |
| They exchange the public values. Each party then uses its private value and the other party's |
| public value to generate the same shared key, (g**a)**b mod p and (g**b)**a mod p, which both |
| evaluate to g**(a*b) mod p for future communication. |
| The |
| or third party attacks (spoofing) attacks. For example, |
| or preshared key authentication. |
ESP | The ESP (Encapsulating Security Payload) protocol provides confidentiality (encryption), data |
| authentication, and an |
| provides limited traffic flow confidentiality. The ESP protocol is part of the IPsec protocol suite. |
IKE | The Internet Key Exchange (IKE) protocol is used before the ESP or AH protocol exchanges to |
| determine which encryption and/or authentication services will be used. IKE also manages the |
| distribution and update of the symmetric (shared) encryption keys used by ESP and AH. |
IKE | The method used by IKE peers to authenticate each party's identity. |
authentication | IKE authentication methods: preshared keys and RSA signatures using certificates. |
IKE SA | IKE Security Association. An IKE SA is a |
| IKE uses to negotiate IPsec SAs. IKE can establish IKE SAs using either Main Mode or Aggressive |
| Mode negotiations. Also referred to as IKE Phase One SA, ISAKMP SA, ISAKMP/MM SA, |
| Aggressive Mode SA, Main Mode SA. |
IPsec SA | IPsec Security Association. An IPsec SA is a |
| The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode |
| (transport or tunnel), the cryptographic algorithms (such as AES and |
| keys, the SA lifetime, and the endpoints (IP addresses, protocol and port numbers). IKE |
| establishes IPsec SAs using Quick Mode negotiations. Also referred to as IKE Phase Two SA, |
| IPsec SA, Quick Mode SA. |
Perfect Forward | With Perfect Forward Secrecy the exposure of one key permits access only to data protected |
Secrecy (PFS) | by that key. |
| configured to create a new IKE SA for each IPsec negotiation). |
| PFS for keys only (the IKE SA is |
| |
SA | See Security Association. A secure communication channel and its parameters, such as encryption |
| and authentication method, keys and lifetime.. |
SHA1 | (Secure Hash |
| using a |
47