|
Advanced Encryption Standard (AES)
|
Encryption algorithm that uses a fixed block size of 128 bits,
key sizes of 128, 192, or 256 bits, and multiple rounds of processing
to encrypt data.
|
|
Authentication Header (AH)
|
Component of the IPsec protocol used to verify that the contents
of a data packet have not changed, and to validate the identity of
the sender. See also ESP.
|
|
certificate
|
Secure electronic identifier conforming to the X.509 standard,
definitively identifying an individual, system, company, or organization.
In addition to identification data, the digital certificate contains
a serial number, a copy of the certificate holder’s public key,
the identity and digital signature of the issuing certificate authority
(CA), and an expiration date.
|
|
certificate authority (CA)
|
Third-party organization or company that issues digital certificates
used to create digital signatures and public-private key pairs. The
CA guarantees the identity of the individual or device that presents
the digital certificate.
|
|
certificate revocation list (CRL)
|
Document maintained and published by a CA that lists revoked
or suspended certificates.
|
|
Data Encryption Standard (DES)
|
Encryption algorithm that uses a 64-bit key (56 bits for encryption
and 8 bits for error checking) to encrypt data. DES is considered
a legacy method and insecure for many applications. See 3DES and AES.
|
|
Diffie-Hellman (DH) protocol
|
Asymmetric cryptographic key agreement protocol developed by
Diffie and Hellman in 1976. The protocol enables two users to exchange
a secret key over an insecure medium without any prior secrets. Diffie-Hellman
is used by the IKE protocol.
|
|
digital signature
|
A digital code that is attached to an electronically transmitted
message to uniquely identify the sender.
|
|
Encapsulating Security Payload (ESP)
|
A protocol for securing packet flows for IPsec using encryption,
data integrity checks, and sender authentication, which are added
as a header to an IP packet. If an ESP packet is successfully decrypted,
and no other party knows the secret key the peers share, the packet
was not wiretapped in transit. See also AH.
|
|
Hashed Message Authentication Code (HMAC)
|
Method for message authentication that uses cryptographic hash
functions. HMAC can be used with any iterative cryptographic hash
function, such as MD5 or SHA-1, in combination with a secret shared
key. The cryptographic strength of HMAC depends on the properties
of the underlying hash function.
|
|
Internet Key Exchange (IKE)
|
Protocol that provides authentication of the IPsec peers, negotiates
security associations (SAs), and establishes IPsec keys.
|
|
IP security (IPsec)
|
Framework of open standards that provides data confidentiality,
data integrity, and data authentication between participating peers.
The secure aspects of IPsec are usually implemented in three parts:
the Authentication Header (AH), the Encapsulating Security Payload
(ESP), and the Internet Key Exchange (IKE).
|
|
Message Digest 5 (MD5)
|
Authentication algorithm that takes a data message of arbitrary
length and produces a 128-bit message digest.
|
|
Perfect Forward Secrecy (PFS)
|
Key-establishment protocol used to secure VPN communications.
A property which ensures that the compromise of an encryption key
does not compromise security of previous or future encrypted sessions,
because new keys are negotiated for each exchange and keys are securely
deleted after use.
|
|
public key infrastructure (PKI)
|
Framework for public key cryptography on which other applications
and network security components are built.
|
|
replay attack
|
Type of network attack in which valid data is maliciously transmitted
repeatedly.
|
|
security association (SA)
|
In IPsec, an agreement between two network devices about what
rules to use for authentication and encryption algorithms, key exchange
mechanisms, and secure communications.
|
|
security parameter index (SPI)
|
Unique identifier for a security association (SA) at a network
host or routing platform.
|
|
Secure Hash Algorithm 1 (SHA-1)
|
Authentication algorithm that takes a data message of less than
264 bits and produces a 160-bit message digest. SHA-1 is the most
commonly used cryptographic function in the SHA family of authentication
algorithms.
|
|
triple Data Encryption Standard (3DES)
|
Enhanced DES algorithm that provides 168-bit encryption by processing
data three times with three different keys.
|