Glossary from the VPN Mailing List

Last modified: 20 January 2000

This information is based on the glossary from Richard Smith's book Internet Cryptography, with modifications, additions and enhancements from the readers of the VPN mailing list. Definitions in red are taken directly from the book and are subject to the publisher's copyright listed below. Definitions in black are modified or contributed by readers of the mailing list, and are not subject to the Addison Wesley Longman copyright.


Many thanks to Rick and his Web programmer, Anne Chenette, for contributing the Internet Cryptography glossary.



Index:
A | B | C | D | E | F | H | I | K | L | M | N | O | P | R | S | T | V | W | X


A


active attack
An attack in which the attacker must create or modify information.
Advanced Research Projects Agency (ARPA)
Agency of the U. S. Department of Defense that promotes exploratory research in areas that carry long term promise for military applications. ARPA funded the major packet switching experiments in the United States that led to the Internet, particularly the ARPANET.
 
algorithm
Procedure; a crypto algorithm defines a particular procedure for encrypting or decrypting data. Specific algorithms include DES, IDEA, RC4, SKIPJACK.
 
American National Standards Institute (ANSI)
Organization that endorses and publishes standards for various industries.
annual solar limit
Refers to the total amount of energy produced by the sun in a year. It is possible to calculate a worst case upper limit for the number of keys that can be tested with that amount of energy: 2^192 keys. This suggests that a secret key containing 192 bits is impractical to crack using brute force methods. Here's a lengthier explanation Rick posted to the Firewall Wizards mailing list.
ANSI X9.17
ANSI standard for secret key exchange using the DES algorithm.
 
anti-replay
Security feature that detects when a message on the network has been received more than once. This applies stronger restrictions on duplicate packets than are enforced by typical networking protocols that don't anticipate messages being replayed maliciously.
 
application encryption
Cryptographic functions built into the communications protocols for a specific application, like e-mail. Examples include PEM, PGP, and SHTTP.
application software
Software that provides a service to a user, as opposed to lower level software that makes useful services possible.
ARPANET
A pioneering wide area, packet switched computer network developed by ARPA. The ARPANET was the original backbone for the modern Internet, and many of its protocols were adapted to work on the Internet, including those for e-mail, FTP, and remote terminal connections. Designed, implemented and operated by Bolt, Beranek & Newman under ARPA contract.
asymmetric algorithm
A crypto algorithm that uses different keys for encryption and decryption, most often a public key algorithm.
authentication
The process of verifying that a particular name really belongs to a particular entity. For example, a server will authenticate Alice to ensure that the person at the other end of the network connection isn't Henry the Forger instead. In addition to authenticating users, data and computers can be authenticated using cryptographic techniques.
Authentication Header (AH)
IPSEC header used to verify that the contents of a packet haven't been modified in transit. The latest IPSEC implementations include anti-replay features in the AH, and typically include AH features in the ESP.
authenticity
The ability to ensure that the given information was in fact produced by the entity whose name it carries and that it was not forged or modified.
autokey
Block cipher mode in which the cipher is used to generate the key stream. Also called output feedback (OFB) mode.
 


B


Bailey the Switcher
Attacks network traffic by modifying the contents of other people's messages.
block cipher
Cipher that encrypts data in blocks of a fixed size. DES, IDEA, and SKIPJACK are block ciphers.
browser
Client application software for accessing data on the World Wide Web.
brute force cracking
The process of trying to recover a crypto key by trying all reasonable possibilities.
bucket brigade
Attack against public key exchange in which the attacker substitutes their own public key for the requested public key. Also called a Man-in-Middle attack.
bypass
Flaw in a security device that allows messages to go around the security mechanisms. Crypto bypass refers to flaws that allow plaintext to leak out.
 


C


CAPSTONE
Integrated circuit containing crypto functions for e-mail applications using the SKIPJACK cipher and the Escrowed Encryption Standard. It failed to find a customer base and is no longer manufactured.
certificate, public key
Specially formatted block of data that contains a public key and the name of its owner. The certificate carries the digital signature of a certification authority to authenticate it.
certification authority
Trusted entity that signs public key certificates.
checksum
Numeric value used to verify the integrity of a block of data. The value is computed using a checksum procedure. A crypto checksum incorporates secret information in the checksum procedure so that it can't be reproduced by third parties that don't know the secret information.
cipher
Procedure that transforms data between plaintext and ciphertext; a crypto algorithm.
cipher block chaining (CBC)
Block cipher mode that combines the previous block of ciphertext with the current block of plaintext before encrypting it. Very widely used.
cipher feedback (CFB)
Block cipher mode that feeds previously encrypted ciphertext through the block cipher to generate the key that encrypts the next block of ciphertext. Also called CTAK.
ciphertext
Data that has been encrypted with a cipher, as opposed to plaintext.
ciphertext autokey (CTAK)
Block cipher mode that feeds previously encrypted ciphertext through the block cipher to generate the key that encrypts the next block of ciphertext. Also called CFB.
client
A computing entity in a network that seeks service from other entities on the network. Client software generally resides on personal workstations and is used to contact network servers to retrieve information and perform other activities.
CLIPPER
Integrated circuit containing crypto functions for voice and telephone using the SKIPJACK cipher and the Escrowed Encryption Standard. It failed to find a customer base and is no longer manufactured.
compression
Technique used to minimize the number of bits required to express the information in a data file or stream. Used to improve network performance and to maximize use of storage facilities on computers.
Computer Emergency Response Team (CERT)
Organization that collects and distributes information on computer security incidents and software problems relating to publicly used networks like the Internet.
Computer Incident Advisory Capability (CIAC)
Organization established by the Department of Energy to track and report on computer security relevant events and situations.
confidentiality
The ability to ensure that information is not disclosed to people who aren't explicitly intended to receive it.
Consulting Committee, International Telephone and Telegraph (CCITT)
International standards committee for telephone communications systems.
cracking
The process of overcoming a security measure. Cracking a key means an attempt to recover the key's value; cracking some ciphertext means an attempt to recover the corresponding plaintext.
critical application
Computing application where an attacker could cause incredibly serious damage, including loss of life.
cryptanalysis
Process of trying to recover crypto keys or plaintext associated with a crypto system.
cryptography; crypto
Mechanisms to protect information by applying transformations to it that are hard to reverse without some secret knowledge.
cryptoperiod
Amount of time a particular key is used; sometimes refers to the amount of data encrypted with it.
cut and paste attack
Attack in which a forgery is assembled from pieces of valid messages to yield a message that will be decrypted more or less correctly.
 


D


Data Encryption Standard (DES)
Block cipher that is widely used in commercial systems. It is a Federal FIPS standard so it is deemed acceptable by many financial institutions. However, its key length (56 bits) makes it vulnerable to attack by well funded adversaries.
data key
Crypto key that encrypts data as opposed to a key that encrypts other keys. Also called a session key.
 
data link
The portion of a system of computers that transfers data between them, including wiring, hardware, interfaces, and device driver software.
decipher; decrypt; decode
Convert ciphertext back into plaintext.
Defense Message System (DMS)
System being developed by the U. S. Department of Defense to provide secure e-mail services for critical applications.
device driver
Software component that controls a peripheral device. For data link devices, it manages the process of sending and receiving data across the data link.
device driver interface
Standard interface used by a host's software to communicate with peripheral devices, including data link devices.
differential cryptanalysis
Technique for attacking a cipher by feeding it chosen plaintext and watching for patterns in the ciphertext.
Diffie-Hellman (DH)
Public key crypto algorithm that generates a shared secret between two entities after they publicly share some randomly generated data.
digital signature
Data value generated by a public key algorithm based on the contents of a block of data and a private key, yielding an individualized crypto checksum.
Digital Signature Standard (DSS)
Digital signature algorithm developed by the NSA and endorsed by NIST.
domain name
The textual name assigned to a host on the Internet. The Domain Name Service (DNS) protocol translates between domain names and numerical IP addresses.
 


E


electronic codebook (ECB)
Block cipher mode that consists of simply applying the cipher to blocks of data in sequence, one block at a time.
electronic mail (e-mail)
Application protocol for sending messages between users on a network. Messages may be queued, stored, relayed, or delayed and still eventually be delivered to the intended recipients.
Encapsulating Security Payload (ESP)
IPSEC header that encrypts the contents of an IP packet. The most recent implementations of IPSEC may also provide authentication and anti-replay protection of the AH to the packets.
encipher; encrypt; encode
Convert plaintext to ciphertext.
entering wedge
Weakness in a crypto system or other security system that gives an attacker a way to break down some of the system's protections.
Escrowed Encryption Standard (EES)
Standard developed by NSA and published by NIST for crypto systems that allows law enforcement and other authorized agencies to tap the encrypted communications by providing a method to recover the crypto keys being used. This standard is not used in any currently available systems or products.
exclusive or
Computational operation on bits that adds the two bits together and discards the carry. This is the basis of the Vernam cipher and key splitting.
 
executable contents
Data whose contents represent an executable computer program that is capable of modifying persistent data on a host computer.
export control
Laws and regulations intended to prevent products from being exported when not in the government's interest. Typically, munitions are placed under export control.
 


F


Federal Information Processing Standard (FIPS)
Standards published by NIST that the U. S. government's computer systems should comply with.
File Transfer Protocol (FTP)
Internet application and network protocol for transferring files between host computers.
firewall
A device installed at the point where network connections enter a site that applies rules to control the type of networking traffic that flows in and out. Most commercial firewalls are built to handle Internet protocols.
forgery
Data item whose contents mislead the recipient into believing the item and its contents were produced by someone other than the actual author.
FORTEZZA
PC card (formerly called PCMCIA cards) containing the SKIPJACK encryption algorithm and providing crypto services needed to support e-mail applications.
 


H


hash
Improved checksum in which it is hard for someone to construct a data block that generates a predetermined checksum or hash value.
headers
Formatted information attached to the front of data sent through a computer network. The headers contain information used to correctly deliver and process the data being sent.
Henry the Forger
Attacker that generates completely forged network messages to try to fool victims.
high risk application
Computer application in which the enterprise operating it can suffer a significant loss through a computer security incident.
hijacking
Attack in which the attacker takes over a live connection between two entities so that the attacker can masquerade as one of the entities.
host
Computer system residing on a network and capable of independently communicating with other systems on the network.
host address
The address used by others on the network to communicate with a particular host.
Hypertext Markup Language (HTML)
Textual format used for pages on the World Wide Web.
Hypertext Transfer Protocol (HTTP)
Application protocol used to carry requests and replies on the World Wide Web.
 


I


in line encryptor
Product that applies encryption automatically to all data passing along a data link.
information security (INFOSEC)
Technical security measures that involve communications security, cryptography, and computer security.
Integrated Services Digital Network (ISDN)
Standard for simultaneous transmission of digital voice, data and video signals over standard telephone circuitry.
integrity
The ability to ensure that information is not modified except by people who are explicitly intended to modify it.
International Data Encryption Algorithm (IDEA)
Block cipher developed in Switzerland and used in PGP.
International Standards Organization (ISO)
International organization that published a large number of networking standards (the OSI protocols), most of which are incompatible with the Internet protocols. Protocols originally developed by the CCITT are generally ISO protocols.
 
internet; Internet
Computer network that uses the internet protocol family. When capitalized, it refers to the single, well known, globally connected network using those protocols.
Internet Address and Numbering Authority (IANA)
Administrative organization that assigns host addresses and other numeric constants used in the Internet protocols.
Internet Engineering Task Force (IETF)
Technical organization that establishes and maintains Internet protocol standards.
Internet Key Exchange (IKE)
Key management protocol for IPSEC based on ISAKMP and tailored for typical Internet applications.
Internet Protocol (IP)
Protocol that carries individual packets between hosts, and allows packets to be automatically routed through multiple networks if the destination host isn't on the same network as the originating host.
Internet Security Association Key Management Protocol (ISAKMP)
Key management application protocol for IPSEC that has been endorsed by the IETF as a required part of any complete IPSEC implementation.
intranet
A private network, usually within an organization, that uses the Internet protocols but is not connected directly to the global Internet.
IP address
Host address used in IP packets.
IP Security Protocol (IPSEC)
Network crypto protocol for protecting IP packets.
 


K


key
Information that causes a cipher to encrypt or decrypt information in a distinctive way. Individual keys are usually associated with individual entities, or at most a pair of entities.
key distribution center (KDC)
A device that provides secret keys to allow pairs of hosts to encrypt traffic directly between themselves. This is the basis of the Kerberos system.
key encrypting key (KEK)
Crypto key used to encrypt session or data keys, and never used to encrypt the data itself.
key escrow
Mechanism for storing copies of crypto keys so that third parties can recover them if necessary to read information encrypted by others.
key recovery
Mechanism for determining the key used to encrypt some data, possibly through the use of an escrowed key.
 


L


latency
The time between transmission and reception of data across a network. On the Internet, latency is due to delays in routing equipment, collisions on the network backbone, and congestion in the exchange points between backbone service providers (amongst other things). Latency can lead to unacceptable performance across VPNs, especially for distributed database applications and multimedia protocols.
leased line
Point-to-point, non-switched, dedicated circuit between two locations. Data capacity is reserved for an individual customer, unlike frame relay or Internet access, which is shared between multiple entities.
least privilege
Feature of a system in which operations are granted the fewest permissions possible in order to perform their tasks.
lightweight crypto
Set of crypto capabilities that is as strong as possible but still sufficiently weak to qualify for favorable treatment under U. S. export regulations.
link encryption
Crypto services applied to data as it travels on data links.
local area network (LAN)
Network that consists of a single type of data link and can reside entirely within a physically protected area.
low risk application
Computer applications that, if penetrated or disrupted, would not cause a serious loss for an enterprise.
Layer 2 Tunnelling Protocol (L2TP)
A hybrid protocol created by combining PPTP and Cisco's Layer 2 Forwarding, to provide encapsulation of non-TCP/IP LAN protocols more efficiently than either protocol did on its own.
 


M


Man in Middle (MIM)
Attack against public key exchange in which the attacker substitutes their own public key for the requested public key. Also called a bucket brigade attack.
mandatory protection
Security mechanism in a computer that unconditionally blocks particular types of activities. For example, most multiuser systems have a "user mode" that unconditionally blocks users from directly accessing shared peripherals. In networking applications, a small number of vendors use mandatory protection to prevent attacks on Internet servers from penetrating other portions of the host system.
masquerade
Attack in which an entity takes on the identity of a different entity without authorization.
medium risk application
Computer application in which a disruption or other security problem could cause losses to the enterprise, and some such losses are an acceptable cost of doing business.
medium strength crypto
Set of crypto capabilities that may qualify for favorable export treatment by the U. S. government if the vendor is actively developing crypto products that contain key escrow features. The typical medium strength algorithm is DES with 56 bit keys.
message
Information sent from one entity to another on the network. A single message may be divided into several packets for delivery to the destination and then reassembled by the receiving host.
Message Digest #5 (MD5)
One way hash algorithm that is widely used in crypto applications.
Message Security Protocol (MSP)
E-mail crypto protocol developed as part of the SDNS program and being used in the Defense Message System.
mode
One of several ways to apply a block cipher to a data stream. Typical modes include CBC, CFB, and OFB.
modulus
In public key crypto, this refers to part of the public key.
munition
Anything that is useful in warfare. Crypto systems are munitions according to U. S. law. This is the rationale behind export controls on crypto systems.
 


N


National Computer Security Center (NCSC)
U. S. government organization that evaluates computing equipment for high security applications.
National Institute of Standards and Technology (NIST)
Agency of the U. S. government that establishes national standards.
National Security Agency (NSA)
Agency of the U. S. government responsible for intercepting foreign communications for intelligence reasons and for developing crypto systems to protect U. S. government communications.
network encryption
Crypto services applied to information above the data link level but below the application software level. This allows crypto protections to use existing networking services and existing application software transparently.
network protocol stack
Software package that provides general purpose networking services to application software, independent of the particular type of data link being used.
nonce
Random value sent in a communications protocol exchange, often used to detect replay attacks.
 


O


one time pad
Vernam cipher in which one bit of new, purely random key is used for every bit of data being encrypted.
one time password
Password that can only be used once; usually produced by special password generating software or by a hardware token.
one way hash
Hash function for which it is extremely difficult to construct two blocks of data that yield exactly the same hash result. Ideally, it should require a brute force search to find two data blocks that yield the same result.
Open System Interconnection (OSI)
Family of communications protocols and related abstract model (the "OSI reference model") developed by the ISO, most of which are incompatible with the Internet protocols.
output feedback (OFB)
Block cipher mode in which the cipher is used to generate the key stream. Also called autokey mode.
 


P


packet
A block of data carried by a network. When one host sends a message to another, the message is broken into one or more packets, which are individually sent across the network.
packet switching
Network technology in which data is transmitted in packets. The traditional alternative was to establish a connection between source and destination and to transmit data as a sequence of bits. Packets travel from source to destination along whatever route is immediately available, and different packets in the same message might take different paths.
passive attack
Attack in which data is observed but not modified. This is the type of attack performed by Peeping Tom.
password; passcode
Secret data item that is used to authenticate an entity. Passwords are often words that an individual is supposed to memorize; the system authenticates the person on the assumption that the password is only known by the person it belongs to.
password sniffing
Attack in which someone examines data traffic that includes secret passwords in order to recover the passwords, presumably to use them later in masquerades.
PC card; PCMCIA card
A small, standard plug-in peripheral card often used in laptops as well as workstation computer systems. Modems are often packaged in PC cards. They are also used to hold crypto facilities and to safely store keying material.
Peeping Tom
Attacker whose attacks are based on examining network data traffic: password sniffing, for example.
perimeter
Physical boundary between inside and outside. Security measures rely on being able to trust individuals within a perimeter at least to some degree.
physical network address
Host address on a data link.
plaintext
Data that has not been encrypted, or data that was decrypted from ciphertext.
Play-it-again Sam
Attacker whose attacks are based on intercepting legitimate messages and transmitting them over again in order to trick the system or its users somehow.
Point to Point Tunneling Protocol (PPTP)
An IP tunneling protocol designed to encapsulate the LAN protocols IPX and AppleTalk within IP, for transmission across the Internet or other IP-based networks. See the VPN FAQ for more information.
port number
Number carried in internet transport protocols to identify which service or program is supposed to receive an incoming packet. Certain port numbers are permanently assigned to particular protocols by the IANA. For example, e-mail generally uses port 25 and Web services traditionally use port 80.
Post Office Protocol (POP)
Internet protocol for retrieving e-mail from a server host.
Pretty Good Privacy (PGP)
E-mail crypto protocol that uses RSA and IDEA, implemented in a software package widely distributed on the Internet.
Privacy Enhanced Mail (PEM)
E-mail crypto protocol published by the IETF and provided in some commercial products. It has essentially been superseded by PGP, MSP, and S/MIME.
private key
Key used in public key crypto that belongs to an individual entity and must be kept secret.
private virtual circuit (PVC)
Logical connection between two sites built on a digital switched network. Direction and speed of the link are defined for each connection, but the physical path taken between the two locations is determined on an "as needed" basis.
programmed attack
Attack on a computer device or protocol that can be embodied in a computer program. Such attacks can be used by attackers with limited expertise.
protocol suite
A collection of communications protocols that work together to provide useful services. There are two widely known protocol suites: the Internet protocols and the ISO/OSI protocols.
proxy
Facility that indirectly provides some service. Proxy crypto applies crypto services to network traffic without individual hosts having to support the services themselves. Firewall proxies provide access to Internet services that are on the other side of the firewall while controlling access to services in either direction.
pseudo random number generator (PRNG)
Procedure that generates a sequence of numerical values that appear random. Cryptographic PRNGs strive to generate sequences that are almost impossible to predict. Most PRNGs in commercial software are statistical PRNGs that strive to produce randomly distributed data whose sequence may in fact be somewhat predictable.
public key
Key used in public key crypto that belongs to an individual entity and is distributed publicly. Others can use the public key to encrypt data that only the key's owner can decrypt.
public key algorithm
A cipher that uses a pair of keys, a public key and private key, for encryption and decryption. Also called an asymmetric algorithm.
Public Key Cryptography Standards (PKCS)
Standards published by RSA Data Security that describe how to use public key crypto in a reliable, secure, and interoperable fashion.
 


R


RADIUS (Remote Access Dial-In User Service)
Internet standard protocol for providing user authentication, authorization and accounting to computers on a network. Provides a central point of administration for users on a large number of remote access servers and other devices.
random number
A number whose value can not be predicted. Truly random numbers are often generated by physical events that are believed to occur randomly.
red/black separation
Design concept for crypto systems that keeps the portions of the system that handle plaintext rigidly separate from portions that handle ciphertext. Portions that handle both are vigorously minimized and then very carefully implemented.
replay
Attack that attempts to trick the system by retransmitting a legitimate message. Some protocols include anti-replay mechanisms to detect and reject such attacks.
reusable password
Password that can be used over and over, as opposed to a one time password. Most passwords used today are reusable passwords.
rewrite
Attack that modifies an encrypted message's contents without decrypting it first.
Rivest Cipher #2 (RC2)
Block cipher sold by RSA Data Security, Inc. RC2 used with a 40 bit crypto key was treated as lightweight crypto under older U. S. crypto export rules.
Rivest Cipher #4 (RC4)
Stream cipher that is widely used in commercial products. RC4 with a 40 bit key provides exportable lightweight crypto in typical Web browsers.
Rivest, Shamir, Adleman (RSA)
Public key crypto system that can encrypt or decrypt data and also apply or verify a digital signature.
RSA Data Security, Inc. (RSADSI)
The company primarily responsible for selling and licensing public key crypto for commercial purposes.
router
Device that carries IP packets between a pair of networks when the packets' destination host is either on the receiving network or nearer to the receiving network. Routers are dedicated to this task and rarely provide other services.
routing host
A host that routes IP packets between networks as well as providing other services.
 


S


secret key
Crypto key that is used in a secret key ("symmetric") algorithm. The secrecy of encrypted data depends solely on the secrecy of the secret key.
secret key algorithm
Crypto algorithm that uses the same key to encrypt data and to decrypt data. Also called a "symmetric" algorithm.
Secure Hypertext Transfer Protocol (SHTTP)
Extension to HTTP to apply crypto services to Web data and transactions.
Secure Multipart Internet Message Extensions (S/MIME)
Proposed protocol for embedding crypto protected messages in Internet e-mail.
Secure Sockets Layer (SSL)
Crypto protocol applied to data at the socket interface. Often bundled with applications, and widely used to protect World Wide Web traffic.
seed, random
A random data value used when generating a random sequence of data values with a PRNG.
server
The entity in a networking relationship that provides service to clients and other entities on the network. Server software generally resides on hosts with constant, well known network addresses so that clients can reliably contact them. Servers provide information and perform other activities in response to client requests.
session key
Crypto key intended to encrypt data for a limited period of time, typically only for a single communications session between a pair of entities. Once the session is over, the key will be discarded and a new one established when a new session takes place. Also called a data key.
 
shim
A software component inserted at a well known interface between two other software components. "Shim" versions of IPSEC are often implemented at the device driver interface, below the host's TCP/IP network protocol stack.
Simple Key Interchange Protocol (SKIP)
Protocol that establishes session keys to use with IPSEC protocol headers. SKIP data is carried in packet headers and travels in every IPSEC protected packet.
Simple Mail Transfer Protocol (SMTP)
Internet protocol for transmitting e-mail between e-mail servers.
SKIPJACK
Block cipher developed by NSA and provided in the CAPSTONE, CLIPPER, and FORTEZZA devices.
snake oil
Derogatory term applied to a product whose developers describe it with misleading, inconsistent, or incorrect technical statements.
sniffing
Attack that collects information from network messages by making copies of their contents. Password sniffing is the most widely publicized example.
socket interface
The software interface between a host's network protocol stack and applications programs that use the network.
splitting
Dividing a crypto key into two separate keys so that an attacker can not reconstruct the actual crypto key even if one of the split keys is intercepted.
stream cipher
Cipher that operates on a continuous data stream instead of processing a block of data at a time.
strong crypto
Crypto facilities that exceed the standards for lightweight or medium strength crypto and therefore face significant restrictions under U. S. export rules.
symmetric algorithm
Crypto algorithm that uses the same crypto key for encrypting and decrypting. Also called a "secret key" algorithm.
 


T


TCP/IP
Common acronym for the protocols packaged in a network protocol stack for the Internet protocols.
Telnet
Internet protocol that supports remote terminal connections.
token, authentication
Hardware device that generates a one time password to authenticate its owner. Also sometimes applied to software programs that generate one time passwords.
token, e-mail
Data item in the header of an encrypted e-mail message that holds an encrypted copy of the secret key used to encrypt the message. The token is usually encrypted with the recipient's public key so that only the recipient can decrypt it.
Transmission Control Protocol (TCP)
Internet protocol that provides a reliable connection between a server and a client.
transport encryption
Crypto services applied to information above the network level but below the application software level. This allows crypto protections to be applied to an existing application protocol and also use the existing network protocol stack and underlying networking services. Transport encryption is typically packaged with the application that it is protecting.
transport mode
ESP mode that encrypts the data contents of a packet and leaves the original IP addresses in plaintext.
triple DES (3DES)
Cipher that applies the DES cipher three times with either two or three different DES keys.
Trojan horse
Program with secret functions in it that surreptitiously access information without the operator's knowledge, usually to circumvent security protections.
tunnelling
Encapsulation of complete datagrams within other datagrams. Frequently used to transmit non-IP protocols across IP networks.
tunnel mode
ESP mode that encrypts an entire IP packet including the IP header.
 


V


VENONA
U. S. military project to cryptanalyze Soviet one time pad ciphertext from the 1940s.
Vernam cipher
Cipher developed for encrypting teletype traffic by computing the exclusive or of the data bits and the key bits. This is a common approach for constructing stream ciphers.
virtual private network (VPN)
Private network built atop a public network. Hosts within the private network use encryption to talk to other hosts; the encryption excludes hosts from outside the private network even if they are on the public network.
virus
Small program that attaches itself to a legitimate program. When the legitimate program runs, the virus copies itself onto other legitimate programs in a form of reproduction.
 


W


wide area network (WAN)
A network that connects host computers and sites across a wide geographical area.
work factor
The amount of work an attacker must perform to overcome security measures.
World Wide Web (WWW)
International information network using HTTP and HTML residing on Internet host computers.
worm
Computer program that copies itself into other host computers across a network. In 1988 the Internet Worm infected several thousand hosts.
 


X


X.400
E-mail protocol developed by the CCITT and endorsed by the ISO as part of the OSI protocol family.
X.500
Specification of the directory service required to support X.400 e-mail.
X.509
Public key certificate specification developed as part of the X.500 directory specification, and often used in public key systems.
 


Publisher's Copyright: Copyright 1997 by Addison Wesley Longman, Inc. All rights reserved. No part of this material may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.