IPsec and IKE Administration Guide

Glossary

This glossary contains definitions of network security terms.

AES

Advanced Encryption Standard. A symmetric 128-bit block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces DES encryption as the government standard.

asymmetric key cryptography

An encryption system in which the sender and receiver of a message use different keys to encrypt and decrypt the message. Asymmetric keys are used to establish a secure channel for symmetric key encryption. Diffie-Hellman is an example of an asymmetric key protocol. Contrast with symmetric key cryptography.

authentication header

An extension header that provides authentication and integrity, without confidentiality, to IP datagrams.

bidirectional tunnel

A tunnel that can transmit datagrams in both directions.

Blowfish

A symmetric block cipher algorithm that takes a variable-length key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish is optimized for applications where the key does not change often.

Certificate Authority (CA)

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate.

DES

Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.

digital signature

A digital code that is attached to an electronically transmitted message that uniquely identifies the sender.

DSA

Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024 bits. DSA relies on SHA-1 for input.

Diffie-Hellman protocol

Also known as public key cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by the IKE protocol.

encapsulating security header

An extension header that provides integrity and confidentiality to datagrams.

encapsulation

The process of a header and payload being placed in the first packet, which is subsequently placed in the second packet's payload.

firewall

Any device or software that protects an organization's private network or intranet from intrusion by external networks such as the Internet.

hash value

A number that is generated from a string of text. Hash functions are used to ensure that transmitted messages have not been tampered with. MD5 and SHA-1 are examples of one-way hash functions.

HMAC

Keyed hashing method for message authentication. HMAC is used with an iterative cryptographic hash function, such as MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

IKE

Internet Key Exchange. IKE automates the provision of authenticated keying material for IPsec security associations.

IP in IP encapsulation

The mechanism for tunneling IP packets within IP packets.

IPsec

The security architecture (IPsec) that provides protection for IP datagrams.

IPv4

Internet Protocol, version 4. IPv4 is sometimes referred to as IP. This version supports a 32-bit address space.

IPv6

Internet Protocol, version 6. This version supports a 128-bit address space.

key management

The way in which you manage security associations.

MD5

An iterative cryptographic hash function that is used for message authentication, including digital signatures. The function was developed in 1991 by Rivest.

multicast address

An IP address that identifies a group of interfaces in a particular way. A packet that is sent to a multicast address is delivered to all of the interfaces in the group.

network interface card (NIC)

Network adapter that is either internal or a separate card that serves as an interface to a link.

node

A host or a router.

packet

A group of information that is transmitted as a unit over communications lines. Contains a header plus payload.

physical interface

A node's attachment to a link. This attachment is often implemented as a device driver plus a network adapter. Some network adapters can have multiple points of attachment, for example, qfe. The usage of network adapter in this document refers to a “single point of attachment.”

PKI

Public Key Infrastructure. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

private address

An IP address that is not routable through the Internet.

public key cryptography

A cryptographic system that uses two different keys. The public key is known to everyone. The private key is known only to the recipient of the message. IKE provides public keys for IPsec.

RSA

A method for obtaining digital signatures and public-key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.

SADB

Security Associations Database. A table that specifies cryptographic keys and cryptographic algorithms. The keys and algorithms are used in the secure transmission of data.

security association

An association that specifies security properties from one host to a second host.

Security Parameter Index (SPI)

An integer that specifies the row in the security associations database (SADB) that a receiver should use to decrypt a received packet.

SHA-1

Secure Hashing Algorithm. The algorithm operates on any input length less than 2^64 to produce a message digest. It is input to DSA.

SPI

Security Parameters Index. An integer that specifies the row in the SADB that a receiver should use to decrypt a received packet.

symmetric key cryptography

An encryption system in which the sender and receiver of a message share a single, common key. This common key is used to encrypt and decrypt the message. Symmetric keys are used to encrypt the bulk of data transmission in IPsec. DES is one example of a symmetric key system.

Triple-DES

Triple-Data Encryption Standard. A symmetric-key encryption method which provides a key length of 168 bits.

tunnel

The path that is followed by a datagram while it is encapsulated.

Virtual Private Network (VPN)

A single, secure, logical network that uses tunnels across a public network such as the Internet.