List of Algorithms
This section provides a descriptive list of cryptographic
algorithms and terms for reference purposes. Symmetric methods use the same
key for encryption and decryption, while asymmetric methods (preferred) use
different keys for encryption and decryption.
- AES—The advanced encryption standard (AES) is defined in
FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt
and decrypt data in blocks of 128 bits.
- AH—The authentication header (AH) is part of IPSec and provides
an authenticity guarantee for packets. If an AH packet contains a correct
checksum hash, and no other party knows the secret key the peers share, the
packet was not spoofed by an imposter and the packet was not modified in transit.
JUNOS-FIPS does not allow use of IPSec with AH only.
- Diffie-Hellman—A method of key exchange across a nonsecure
environment (such as the Internet). The Diffie-Hellman algorithm negotiates
a session key without sending the key itself across the network by allowing
each party to pick a partial key independently and send part of that key to
the other. Each side then calculates a common key value. This is a symmetrical
method and keys are typically used only for a short time, discarded, and regenerated.
- ESP—The Encapsulating Security Payload (ESP) is part of
IPSec and provides a confidentiality guarantee for packets through encryption.
If an ESP packet is successfully decrypted, and no other party knows the secret
key the peers share, the packet was not wiretapped in transit.
- Hashing—A method of message authentication that applies
a cryptographic technique over and over (iteratively) to a message of arbitrary
length and produces a fixed-length hash (a “message digest” or “signature”)
that is appended to the message when sent.
- HMAC—Defined as “Keyed-Hashing for Message Authentication”
in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for
message authentication. HMAC can use one of several iterated cryptographic
hash functions such as MD5 or SHA-1 (designated as HMAC-MD5 and HMAC-SHA1),
along with a secret key.
- IKE—The Internet Key Exchange (IKE) is part of IPSec and
provides ways to securely negotiate the shared private keys that the AH and
ESP portions of IPSec need to function properly. IKE employs Diffie-Hellman
methods and is optional in IPSec (the shared keys can be entered manually
at the endpoints).
- IPSec—The IP Security protocol (IPSec) is a standard way
to add security to Internet communications. The secure aspects of IPSec are
usually implemented in three parts: AH, ESP, and IKE.
- MAC—Any general method of message authentication code (MAC)
that uses encryption to compute a digital fingerprint (signature) for the
original message. The recipient recomputes the fingerprint and compares it
to the sent fingerprint.
- SA—A security association (SA) in IPSec is a set of parameters
used by IPSec to determine how the security protocols (AH and ESP) operate,
such as the private keys. The SA can be established by IKE (and expire) or
set by manual configuration (and does not expire). SAs are unidirectional
and are created in pairs.
- SHA-1—A Secure Hash Algorithm (SHA) standard defined in
FIPS PUB 180-1 (SHA-1). Developed by the National Institute of Standards and
Technology (NIST), SHA-1 (which effectively replaces SHA-0) produces a 160-bit
hash for message authentication. Longer-hash variants include SHA-224, SHA-256,
SHA-384, and SHA-512 (all are sometimes grouped under the name “SHA-2”).
- SPI—A security parameter index (SPI) in IPSec is a numeric
identifier used with the destination address and security protocol to identify
an SA. When IKE is used to establish the SA, the SPI is randomly derived.
When manual configuration is used for an SA, the SPI must be entered as a
parameter.
- SSH—The Secure Shell (SSH) uses strong authentication and
encryption for remote access across a nonsecure network. SSH provides remote
login, remote program execution, file copy, and other functions. It is intended
as a secure replacement for rlogin, rsh, and rcp in a UNIX environment.
- SSL—The secure sockets layer (SSL) is an Internet standard
method used to secure communications over the Internet. SSL was developed
by Netscape for securing Web sessions, but there is nothing Web-specific about
SSL. SSL has goals similar to SSH, but with several important differences
in terms of cryptographic protection.
- TLS—Transport Layer Security (TLS) is an Internet standard
method used to secure communications over the Internet. It is the name of
a standard protocol based on SSL 3.0, and is defined in RFC 2246. TLS in JUNOS-FIPS
uses FIPS-restricted cipher sets in a FIPS environment.
- 3DES (3des-cbc)—A data encryption standard from the 1970s,
the original DES used a 56-bit key (cracked in 1997). It is now enhanced with
three stages of encryption, giving an effective key length of about 112 bits, and
is often implemented with cipher block chaining (cbc).
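
The Hashing, HMAC, and MAC entries above describe appending a fingerprint that the recipient recomputes and compares. The following added example (not part of the original documentation) contrasts an unkeyed hash with HMAC-SHA1 using Python's standard library; the key, message, and function names are constructed for illustration.

```python
import hashlib
import hmac

def make_tag(key: bytes, message: bytes, digest: str = "sha1") -> bytes:
    """Sender side: compute the RFC 2104 HMAC tag sent along with the message."""
    return hmac.new(key, message, digest).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, digest: str = "sha1") -> bool:
    """Recipient side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, message, digest).digest()
    return hmac.compare_digest(expected, tag)

def unkeyed_check(message: bytes, digest_value: bytes) -> bool:
    """Plain hash check: detects accidental corruption only, since no secret is involved."""
    return hmac.compare_digest(hashlib.sha1(message).digest(), digest_value)

def demo() -> dict:
    key = b"constructed-shared-secret"             # constructed sample key
    msg = b"peer=203.0.113.7;action=permit"        # constructed sample message
    altered = msg.replace(b"permit", b"deny")      # same message changed in transit

    tag = make_tag(key, msg)
    # Anyone can recompute an unkeyed digest for the altered message,
    # so the plain hash check accepts it.
    recomputed_digest = hashlib.sha1(altered).digest()

    return {
        "sha1_tag_bits": len(tag) * 8,
        "sha256_tag_bits": len(make_tag(key, msg, "sha256")) * 8,
        "genuine_accepted": verify_tag(key, msg, tag),
        "altered_accepted": verify_tag(key, altered, tag),
        "wrong_key_accepted": verify_tag(b"some-other-key", msg, tag),
        "truncated_tag_accepted": verify_tag(key, msg, tag[:10]),
        "unkeyed_altered_accepted": unkeyed_check(altered, recomputed_digest),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed digest accepts the altered message because it can be recomputed without any secret, while the HMAC tag cannot be regenerated without the shared key.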