SunScreen SKIP User's Guide, Release 1.5.1

Glossary

3DES

Also called triple-DES or DES-EDE-IT. It means encryption is performed on a block three times with the two keys: first with the first key, then with the second key, and finally with the first key again. The resulting key length is 112-bits. See DES and EDE.

ACL

Access control list. Limits and controls who uses a host system or applications through communications link

address

In networking, a unique code that identifies a node to the network.

ADP

Algorithm discovery protocol. Enables one entity to inform another of the capabilities it supports.

AH

Authentication header. A mechanism for providing strong integrity and authentication for IP datagrams. It may also provide nonrepudiation, depending on which cryptographic algorithm is used and how keying is performed. It does not provide confidentiality or protection from traffic analysis.

algorithm

A sequence of steps designed to solve a problem or execute a process such as drawing a curve from a set of control points, or encrypting a block of data.

alias

Used with the Log Browser to refer to a textual representation of a numerical filter parameter, such as a port, IP address, or error code.

API

Application programmer's interface. A set of calling conventions defining how a service is invoked through a software package.

argument

An item of information following a command. It may, for example, modify the command or identify a file to be affected.

attack

An attempted cryptanalysis or an attempt to compromise system security.

authentication

The property of knowing that the claimed sender is in fact the actual sender.

block

Groups of bits are called blocks.

block cipher or block algorithm

An encryption algorithm that encrypts while blocks at once. (See stream algorithm or stream cipher)

Bourne shell

The shell used by the standard Bell Labs UNIX.

broadcast

A packet delivery system where a copy of a given packet is given to all hosts attached to the network.

button

A one-choice element of a control area or a menu that starts an activity. Buttons execute commands (command button), display pop-up windows (window button), and display menus (menu button).

CA

Certification authority. A trusted network entity that digitally signs a certificate containing information identifying the user; such as, the user's name, public key, and the key's expiration date.

cache

A buffer of high-speed memory used to store frequently accessed memory or values. A cache increases effective memory transfer rates and processor speed.

CBC

Cipher block chaining (see also DES). A mode used to chain a feedback mechanism, which essentially means the previous block is used to modify the encryption of the next block.

CDP

Certificate discovery protocol. A request/response protocol used by two parties to transfer certificates.

CD-ROM

Compact disc, read-only memory. A form of storage characterized by high capacity (roughly 600 megabytes) and the use of laser optics rather than magnetic means for reading data.

certificate

A certificate is a data structure that binds the identity of an entity with a public-key value. SunScreen uses X.509 certificates.

CFB

Cipher feedback. Uses a block cipher (such as DES) to implement a stream algorithm or stream cipher.

cipher

A cryptographic algorithm used for encryption or decryption.

ciphertext

An encrypted message.

CLI

Command line interface

command

In a graphical user interface (GUI), a button, menu item, or controls.

command button

The button used to execute application commands.

compiler

A translation program that converts a high-level computer language (such as FORTRAN) into machine language.

confidentiality

The property of communicating such that the intended recipients know what is being sent, but unintended parties cannot determine what is sent.

controls

Objects in a menu that are used to perform an action.

cookie

(In cryptography) A cookie is a pseudo-random number used to prevent a nial-of-service attack.

cryptanalysis

The art and science of breaking ciphertext.

cryptography

The art and science of keeping messages secure.

C shell

The standard shell provided with Berkeley standard versions of UNIX.

daemon

A process that runs in the background to perform a task on behalf of the system.

data compression

Application of an algorithm to reduce the bit rate of a digital signal.

data encrypting key

A key used to encipher and decipher data intended for programs that perform encryption.

decoder

A facility that takes data that have been encoded, or compressed, by an encoder and decompresses them.

decryption

The process of turning ciphertext back into plaintext.

DES

A commonly used, highly sophisticated algorithm developed by IBM for the U.S. National Bureau of Standards for encrypting and decrypting data. See CBC.

DH

Diffie-Hellman. A classic cryptographic construction that uses exponentiations over a prime field.

digital signatures

The bit string attached to the document to authenticate it when signed.

diskette

A 3.5-inch removable storage medium supported by some Sun systems.

DN

Distinguished name. A numeric string representation of a list of IP addresses or equivalent identifier for principals in the network, such as IP nodes or users.

DNS

Domain name system. The distributed name/address mechanism used in the Internet.

DSA

Digital signature algorithm. Each DSA is responsible for the directory information for a single organization or organizational unit.

dynamic packet screening

Examines traffic to be either allowed or rejected.

dynamic translation

A NAT address translation that converts a set of internal private addresses into external public addresses. It allows internal hosts to contact external hosts, but it cannot be used to allow external hosts to contact internal hosts.

EDE

Encrypt-decrypt-encrypt (See 3DES)

EFS

Encryption Firewall Server. A software solution that can reside on any Sun machine running the Solaris 2.4 or 2.5 operating environment. It can secure all the servers on a corporate intranet. A corporation may have any number of database servers--one each for marketing, accounting, and engineering divisions, for example. Each server's data should be protected by EFS. The majority of break-ins that companies experience happen from within the company's own network. This product locks down each server. Since it works at the network IP layer, it can "talk" to any other machine and thus can be placed in "front" of any competitor's machine to protect it.

EKE

Encrypted key exchange

encapsulation

The technique used by layered protocols in which a layer adds header information to the protocol data unit from the layer above. In Internet terminology, for example, a packet would contain a header from the physical layer, followed by a header from the network layer (IP), followed by a header from the transport layer (TCP/IP), followed by the application protocol data.

encryption

A mechanism commonly used to provide confidentiality.

encryption key

A value that controls how information is enciphered or deciphered. Often called the public key. (See data encrypting key)

entity

Terminology for a layer protocol machine. An entity within a layer performs the functions of the layer within a single computer system, accessing the layer entity below and providing services to the layer entity above at local service access points.

ESP

Encapsulating security payload. A mechanism for providing integrity and confidentiality to IP datagrams. In some circumstances it can also provide authentication to IP datagrams, depending on which algorithm or algorithm mode is used. It does not provide nonrepudiation and protection from traffic analysis.

Ethernet

A type of local area network that enables communication between machines connected directly together through cables.

FDDI

Fiber distributed data interface. A high-speed networking standard. The underlying medium is fiber optics, and the topology is a dual-attached, counter-rotating token ring network. FDDI networks can often be spotted by the orange fiber "cable."

filters

Allow selection of a subset of packets based on specific attributes of the logged packets.

Filter Catalog

Used with the Log Browser as part of the hierarchical structure of saved filters. Filter groups are saved in filter catalogs.

Filter Directory Service

Used with the Log Browser as the hierarchical structure into which filters are grouped and saved.

Filter Group

Used with the Log Browser and refers to a set of filters created by the administrator, then saved so they can be applied to multiple log files.

GUI

Graphical user interface. Provides the user with a method of interacting with the computer and its special applications, usually via a mouse or other selection device. The GUI usually includes such things as windows, an intuitive method of manipulating directories and files, and icons.

hash

A message digest or cryptographic checksum.

header file

A file of information, identified at the beginning of the program, that contains the definitions of data types and variables used by the functions in the program.

hidden file

A special type of file, such as .login, that does not show up in normal file listings. Special files usually pertain to system configuration.

host computer

The primary or controlling computer in a multiple computer installation.

hung

A condition in which the system is frozen and unresponsive to commands.

IANA

Internet Assigned Numbers Authority. SKIP was assigned the protocol decimal number 57. SKIP Version 1 was assigned protocol decimal number 79 by IANA.

ICG

Internet Commerce Group. A business unit of Sun Microsystems, Inc., that is committed above all else to developing solutions to communicate securely over unsecured public networks. Formed in 1994, ICG already has three strong SunScreen security product lines that stand at the head of the class. Each depends on the public-key cryptography invented by Sun's Distinguished Engineer Whitfield Diffie, along with Stanford's Martin Hellman. Building upon public-key cryptography, ICG developed SKIP--Simple Key-management for Internet Protocols--the premier protocol that makes key management easier to use than previous innovations. SKIP is the central cryptographic protocol upon which ICG draws in its products.

ICMP

Internet control message protocol

icon

(1) An on-screen symbol that simplifies access to a program, command, or data file. (2) A small pictorial representation of a base window. Displaying objects as icons conserves space on the screen while keeping the window available for easy access.

IDEA

International data encryption algorithm

integrity

The property of ensuring that data are transmitted from the source to destination without undetected alteration.

IP

Internet Protocol. The network layer protocol for the Internet protocol suite.

IPSEC

IP security

ISDN

Integrated Services Digital Network

IV

Initialization vector

kernel

The core of the operating system software. The kernel manages the hardware and supplies fundamental services such as filing that the hardware does not provide.

Key and Certificate Diskette

Diskettes that contain both the private key and the certificate containing the public key. The identifier for this certificate is on the label. The information is extremely sensitive and should be kept secure.

key encrypting key

A key used to encipher and decipher other keys, as part of a key management and distribution system.

keyspace

The range of possible values of the key.

layer

A set of structures and routines that handle a particular class of events. For example, in the seven-layer International Organization of Standardization's open systems interconnection model, the network layer is responsible for routing the signals to their intended recipients.

locally stored secret

Thesecret key that corresponds to a public key. Used to encrypt and decrypt messages.

Log Browser

The main window for examining log files.

MAC

Message authentication code. The term "MAC" is synonymous with the term "authentication data."

man pages

Stands for manual pages, the UNIX online documentation.

MD

Message digest. An authentication code that cryptographically guarantees that data have not been forged or tampered with.

MD5

A message digest one-way hash function designed by Ron Rivest. The algorithm produces a 128-bit hash, or message digest, of the input message.

MD5-NAT

Uses the same hash function as MD5 except that in this case, the source and destination IP addresses are not authenticated.

MDC

Message digest cipher

menu button

A multiple-choice control that has a menu mark and is used to display a menu.

menu mark

A hollow triangle in the border of a button or following a menu item that has a submenu attached to it. The triangle points to where the menu or submenu is displayed.

MIC

Message integrity check

MI

Message indicator

MKID

Master Key-ID. A generic term used to identify a particular key. MKIDs effectively decouple the identification of a master key for purposes of key lookup and access control from issues of network topology, routing, and IP addresses.

modulus

An arithmetic operation used in programming whose result is the remainder of a division operation. The plural is moduli.

MSP

Message security protocol. An X.400-compatible application-level protocol for securing electronic mail that was developed by NSA.

MTU

Maximum transmission unit

multicast

A special form of broadcast where copies of the packet are delivered to only a subset of all possible destinations.

NAT

Network Address Translation. An address translation function used in SKIP where packets passing through a box have their addresses changed (or translated) between sets of addresses to hide internal addresses such that they cannot be used as an attack point. It is also useful on the Internet as you must use registered addresses so no two systems use the same address. However, many internal networks were built without registering their addresses because they were built before the Internet was considered vital to business. Address translation can be used to translate unregistered (that is, illegal) addresses into a smaller set of registered addresses, thus allowing internal systems with unregistered addresses to access systems on the Internet.

network

The hardware connecting various systems enabling them to communicate.

network administrator

The person who maintains a network.

network layer

The third of the seven layers in the International Organization for Standardization's open systems interconnection model for standardizing computer-to-computer communications.

network mask

A number used by software to separate the local subnet address from the rest of a given Internet protocol address.

NeWS

Network extensible window system that Sun developed and licenses. It is based on Abobe's PostScript.

NFS

A distributed file system developed by Sun that enables a set of computers to cooperatively access each other's files in a transparent manner.

NIS

Network information service. A distributed network database containing key information about the systems and the users on the network. The NIS database is stored on the master server and all the slave servers.

node

A point at which subsidiary parts originate or center.

nonrepudiation

The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later desire to deny ever having sent these data.

NSA

National Security Agency. The United States of America's official cryptographic organ.

NSID

Name-space identifier. Used to identify a naming scheme for a key.

OFB

Output feedback

one-way hash

A cryptographically secure hash function that cannot be reversed. (See MD5, SHA, hash)

OSPF

Open shortest path first

packet

A group of information in a fixed format that is transmitted as a unit over communications lines.

passphrase

A passphrase than a password. Letters in both upper and lower case can be used, as well as special characters and numbers.

password

A security measure used to restrict access to computer systems and sensitive files. A password is a unique string of characters that a user types in as an identification code. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows the user access, at whatever security level has been approved for the owner of the password.

peer

Any functional unit in the same layer as another entity.

peer-to-peer communication

Interaction between devices that operate on the same communications level on a network based on a layered architecture.

PFS

Perfect forward secrecy. Ephemeral Diffie-Hellman key exchange used in conjunction with the SKIP key distributions protocol provides PFS where required.

PGP

Pretty Good Privacy. A public-domain encryption program that uses IDEA for data encryption, RSA for key management, and MD5 as a one-way hash function.

ping

Packet Internet groper. A program used to test reachability of destinations by sending them an Internet control message protocol (ICMP) echo request and waiting for a reply.

plaintext

An unencrypted message.

PMSP

Preliminary Message Security Protocol. Used for "unclassified but sensitive" messages (this protocol is also called "Mosaic").

pop-up window

A window that displays to perform a specific function and then is dismissed.

private key

Often called the decryption key and sometimes called the secret key.

protocol

A protocol is a series of steps, involving two or more parties, designed to accomplish a task.

POSIX

An acronym created from the phrase "portable operating system interface," which is an IEEE standard that defines a set of operating-system services. Programs that adhere to the POSIX standard can be easily ported from one system to another.

pseudo-random

Something that is statistically random.

Public Certificate Diskette

Contains only the certificate containing the public key. The identifier for this certificate is on the label.

public key

Often called the encryption key.

public-key certificate

Someone's public key, signed by a trustworthy person.

public-key cryptography

Also known as asymmetric key cryptography. In public-key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (also frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the same kind of secure channels that a conventional cryptosystem requires.

push

To add a new element to a stack, a data structure generally used to hold, temporarily, pieces of data being transferred or the partial result of an arithmetic operation.

query

The process by which a master station asks a slave station to identify itself and give its status.

quit

To stop in an orderly manner; to execute the normal shutdown of a program and return control to the operating system.

radio button

In graphical user interfaces, a means of selecting one of several mutually exclusive options, usually within an option-selection area such as a dialog box. The presence of radio buttons in a list of options means that only one of the options can be selected at any given time. Visually, a radio button is a small circle that, when selected, has a smaller, filled circle inside it.

RC2 and RC4

RC2 and RC4 are variable-key-size encryption algorithms designed by Ron Rivest for RSA Data Security, Inc. Apparently, "RC" stands for "Ron's Code." RC2 is a variable-key-size block cipher, designed to be a replacement for DES. RC4 is a variable-key-size stream cipher that is, according to the company, ten times faster than DES. Both algorithms are quite compact, and their speed is independent of the key's size. It is notable, however, that neither RC2 nor RC4 has survived the 20 years of intense cryptanalysis that DES has. See DES.

RC2-40 and RC4-40

A globally exportable encryption algorithm from RSA, Inc.

robust

Reliable or dependable. Not prone to error. Usually used in reference to an application program.

root user name

SunOS user name that grants special privileges to the person who logs in with that ID. The user who can supply the correct password for the root user name is given superuser privileges for the particular machine.

router

A system responsible for making decisions about which of several paths network (or Internet) traffic will follow. To do this it uses a routing protocol to gain information about the network, and algorithms to choose the best route based on several criteria known as "routing metrics."

rules

There are three types of rules: Encryption, Pass (in the clear), and Fail. An encryption rule determines how data are secured and always takes precedent over pass or fail rules. Pass rules take precedence over fail rules.

RSA

The most popular public-key algorithm named after the three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman.

SDNS

Secure Data Network System

secret key

See private key

security association

The set of security information relating to a given network connection or set of connections.

session key

A common cryptographic technique to encrypt each individual conversation between two people with a separate key.

SHA

Secure hash algorithm

shared-key cryptography

Also known as symmetric key cryptography. Shared-key cryptography is cryptography where each party must have the same key to encrypt or decrypt ciphertext.

SKCS

Symmetric Key CryptoSystem

SKID

Secret-key identification

SKIP

Simple Key-management for Internet Protocols. SKIP is a public key certificate-based key-management scheme that provides key-management for Internet protocols. SKIP uses certified Diffie-Hellman public values, which obviates the need for pseudo-session state establishment and for prior communications between two participating ends in order to acquire and change traffic encryption keys.

SKIP addresses the problems inherent in companies that have employees telecommuting from home, a sales force on the road working from laptops, or customers purchasing their products off the Web. The SunScreen SKIP allows employees, partners, and consumers to communicate with encryption, while protecting their data as they go out on the Internet.

SNMP

Simple network management protocol. The network management protocol of choice for TCP/IP-based internets.

source code

The uncompiled version of a program written in a language such as C or Pascal. The source code must be translated to machine language by a program known as the compiler before the computer can execute the program.

SPARC

A RISC processor.

special characters

Or, metacharacters, is a character having a special meaning to UNIX. For example, the UNIX shell interprets the ? character to stand for any single character.

SPI

Security parameters index. An unstructured opaque index that is used in conjunction with the destination address to identify a particular security association.

stack

A list constructed and maintained so that the next item to be retrieved and removed is the most recently stored item still in the list.

static translation

A NAT address translation that provides fixed translation between an external public address and internal private (possibly illegal) address. It provides a way for external hosts to initiate connections to internal hosts at the expense of "using up" an external address.

stream algorithm or stream cipher

A symmetric algorithm that operates on the plaintext a single bit (or byte) at a time. (See block cipher or block algorithm)

submenu

A menu that displays additional choices that is displayed through a menu item on a menu.

SunScreen

The name of a family of security products produced by the Internet Commerce Group. SunScreen is a dedicated hardware security solution enabling companies to connect securely to and conduct business privately over an unsecured public network.

SunScreen SPF-100

Winner of LAN magazine's 1996 Product-of-the-Year Award in the firewall category, the SunScreen SPF-100 acts as a traditional firewall, while securing communications over the Internet by engaging in encryption, authentication and key agreement procedures. One of the best uses of the SunScreen SPF-100 is as an Internet gateway which protects a corporate network from break-ins. The SunScreen SPF-100 also encrypts data sent out on the Internet or intranet and protects it. It is a complete hardware/software solution. The SunScreen SPF-100 is a stealthy machine that encrypts and decrypts without being detected. In short, the SunScreen SPF-100 is invisible on the network, and you can't break something you can't see.

superuser

A special user who has privileges to perform all administrative tasks on the system. Also known as root.

Telnet

The virtual terminal protocol in the Internet suite of protocols. Enables users of one host to log into a remote host and interact as normal terminal users of that host.

TIFF

Tag image file format

TCP/IP

Transport control protocol/Internet protocol. The protocol suite originally developed for the Internet. It is also called the Internet protocol suite. SunOS networks run on TCP/IP by default.

token

A unique structured data object or message that circulates continuously among the nodes of a token ring and describes the current state of the network. Before any node can send a message, it must first gain control of the token.

token ring network

An LAN formed in a ring (closed loop) topology that uses token passing as a means of regulating traffic on the line.

topology hiding

The tunnel address is generally used for encrypted gateways where the IP address of the host entered here serves as the intermediary for any or all hosts on a network whose topography must remain unknown or hidden from the rest of the world.

traffic analysis

The analysis of network traffic flow for the purpose of deducing information that is useful to an adversary. Examples of such information are frequency of transmission, the identities of the conversing parties, sizes of packets, flow identifiers used, and the like.

transport mode

Encrypts only IP packet data, but not the headers.

tunneling

The process of encrypting an entire IP packet, and wrapping it in another (unencrypted) IP packet. The source and destination addresses on the inner and outer packets may be different.

tunnel address

The address to which tunnels packets are sent. This will be the destination address on the outer (unencrypted) IP packet.

tunnel mode

The process of tunneling, as opposed to "transport mode."

user ID

A number that identifies a user to the system.

UDH

Unsigned Diffie-Hellman. The UDH public value can only be used when entities are named using the message digest (hash) of their DH public value, and these names are securely communicated.

UDP

User datagram protocol. All CDP communication uses UDP.

unicast

A packet sent to a single destination.

VPN

Virtual private network

window

In applications and graphical interfaces, a portion of the screen that can contain its own document or message. In window-based programs, the screen can be divided into several windows, each of which has its own boundaries and can contain a different document (or another view into the same document).

window button

A button used to display a window containing additional controls.