|
Advanced Encryption Standard (AES)
|
Encryption algorithm that uses a fixed block size of 128 bits, key sizes
of 128, 192, or 256 bits, and multiple rounds of processing to encrypt data.
|
|
Authentication Header (AH)
|
Component of the IPSec protocol used to verify that the contents of
a data packet have not changed, and to validate the identity of the sender.
See also ESP.
|
|
certificate
|
Secure electronic identifier conforming to the X.509 standard, definitively
identifying an individual, system, company, or organization. In addition to
identification data, the digital certificate contains a serial number, a copy
of the certificate holder’s public key, the identity and digital signature
of the issuing certificate authority (CA), and an expiration date.
|
|
certificate authority (CA)
|
Third-party organization or company that issues digital certificates
used to create digital signatures and public-private key pairs. The CA guarantees
the identity of the individual or device that presents the digital certificate.
|
|
Data Encryption Standard (DES)
|
Encryption algorithm that uses a 64-bit key (56 bits for encryption
and 8 bits for error checking) to encrypt data. DES is considered a legacy
method and insecure for many applications. See 3DES and AES.
|
|
Diffie-Hellman (DH) protocol
|
Asymmetric cryptographic key agreement protocol developed by Diffie
and Hellman in 1976. The protocol enables two users to exchange a secret key
over an insecure medium without any prior secrets. Diffie-Hellman is used
by the IKE protocol.
|
|
digital signature
|
A digital code that is attached to an electronically transmitted message
to uniquely identify the sender.
|
|
Encapsulating Security Payload (ESP)
|
A protocol for securing packet flows for IPSec using encryption, data
integrity checks, and sender authentication, which are added as a header to
an IP packet. If an ESP packet is successfully decrypted, and no other party
knows the secret key the peers share, the packet was not wiretapped in transit.
See also AH.
|
|
Hashed Messages Authentication Code (HMAC)
|
Method for message authentication that uses cryptographic hash functions.
HMAC can be used with any iterative cryptographic hash function, such as MD5
or SHA-1, in combination with a secret shared key. The cryptographic strength
of HMAC depends on the properties of the underlying hash function.
|
|
Internet Key Exchange (IKE)
|
Protocol that provides authentication of the IPSec peers, negotiates
security associations (SAs), and establishes IPSec keys.
|
|
IP security (IPSec)
|
Framework of open standards that provides data confidentiality, data
integrity, and data authentication between participating peers. The secure
aspects of IPSec are usually implemented in three parts: the Authentication
Header (AH), the Encapsulating Security Payload (ESP), and the Internet Key
Exchange (IKE).
|
|
Message Digest 5 (MD5)
|
Authentication algorithm that takes a data message of arbitrary length
and produces a 128-bit message digest.
|
|
public key infrastructure (PKI)
|
Framework for public key cryptography on which other applications and
network security components are built.
|
|
replay attack
|
Type of network attack in which valid data is maliciously transmitted
repeatedly.
|
|
security association (SA)
|
In IPSec, an agreement between two network devices about what rules
to use for authentication and encryption algorithms, key exchange mechanisms,
and secure communications.
|
|
security parameter index (SPI)
|
Unique identifier for a security association (SA) at a network host
or routing platform.
|
|
Secure Hash Algorithm 1 (SHA-1)
|
Authentication algorithm that takes a data message of less than 264
bits and produces a 160-bit message digest. SHA-1 is the most commonly used
cryptographic function in the SHA family of authentication algorithms.
|
|
triple Data Encryption Standard (3DES)
|
Enhanced DES algorithm that provides 168-bit encryption by processing
data three times with three different keys.
|