• AES Advanced Encryption Standard
• Authentication
• AH (Authentication
  Header)
• Anti-Replay
• CHAP (Challenge Handshake Authentication Protocol
• Data Integrity
• DES (Data Encryption Standard)
• 3DES (Triple DES)
• Digital Certificate
• Denial of Service
• Diffie-Hellman
• Eavesdropping
• Encryption
• ESP (Encapsulating Security Payload)
  

• Hash
• HMAC (Hashed Message Authentication Code)
• IKE (Internet Key Exchange)
• IPsec ( IP security protocol)
• Man-in-the-Middle
• MD5 (Message Digest 5)
• NAT
• Nonrepudiation
• PAP (Password Authentication Protocol
• PPP (Point-to-Point Protocol)
• PFS (Perfect Forward Secrecy)
• PSTN (Public Switched Telephone Network)
• Public Key Cryptography (Asynchronous Encryption)
• RC4
• RC5

• Re-keying
• Replay Attack
• RSA
• SCADA
• Secret Key Cryptography (Symmetric Encryption)
• Security Association
• SHA (Secure Hash Algorithm)
• SPI (Security Parameter Index)
• Transport Mode
• Triple DES
• Tunnel Mode
• VPN
• X.509

AES (Advanced Encryption Standard) A crypto-graphic algorithm (symmetric block cipher) that supports three key sizes: 128, 192 and 256 bits. AES is the standard name for the Rijndael algorithm that was approved by NIST to succeed the Data Encryption Standard (DES). The official description of the standard is FIPS PUB 197.

Top

AH (Authentication Header) An IPsec protocol that provides for anti-replay and verifies that the contents of the packet haven't been modified in transit. AH is a mathematical code that is embedded and transmitted in the IP packet. May be applied alone or in combination with ESP. Top

Anti-Replay A security feature of IPsec that uses sequence numbers combined with authentication to defeat replay attacks (i.e., a message received more than once). Top

Authentication There are two types of authentication. User authentication verifies an identity and data authentication ensures that data has not been altered in transit (using data integrity checking). Top

CHAP (Challenge Handshake Authentication Protocol) An authentication scheme that uses a three-way handshake (challenge, response, and verify messages) to authenticate the identity of the peer. The client transmits a response to the server's challenge message; if the server verifies the response the authentication is successful, otherwise a failure results in link termination. The handshake can take place once at initial link establishment or multiple times during a session and each time with a unique challenge message. Contrast to PAP. Top

Data Integrity Cryptographic checksum to ensure that data in transit arrives without error. Top

DES (Data Encryption Standard) U.S. standard (1977) that uses a symmetric 56-bit key (the same key) for encryption and decryption. The official description of the standard is FIPS PUB 46. Top

3DES (Triple DES)  (Used for ESP) A simple variant on the DES-CBC algorithm in which three rounds of DES are performed -- an encryption process followed by a decryption process followed by an encryption process, where each process uses an independent key. Top

Denial of Service Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks. Top

Diffie-Hellman A public-key method (over an insecure medium) for establishing an ephemeral shared secret between parties. It is a component of IKE that establishes Perfect Forward Secrecy.

In a Diffie-Hellman exchange, two people independently generate random public and private values. Each sends their public value to the other (using authentication to foil man-in-the-middle attacks); the private values remain secret. Each then combines the public key received with their own private key - the resulting key is called the shared secret and it is identical for both sides. The shared secret can be used for fast symmetric encryption or to encrypt and transport another random key. Top

Digital certificate A digital data file whose purpose is to provide a user access to another user's public key. Along with a user's public key, a digital certificate also includes the name of the Certificate Authority (CA) that issued the certificate, the name of the entity to which the certificate was issued, and time stamps that indicate the certificate's expiration date. X.509 is the most widely used standard for generating a digital certificate. Top

Digital signature A block of data attached to a message that serves to "digitally sign" the message; it is transmitted along with the message to a recipient. The purpose of the digital signature is to identify the sender, verify the message has not been altered in transit, and provide support for nonrepudiation. It is a two-step cryptographic process: first, the message to be transmitted undergoes a hash algorithm (for example, SHA-1) to obtain a message digest (or hash value). Second, the message digest gets encrypted by a sender's private key. This encrypted message digest is referred to as the "digital signature" that is appended to the sender's message. The recipient verifies integrity and authenticity of the message by validating the signed message digest using the sender's public key. Digital Signature Standard (DSS) is a standard for digital signatures using the Digital Signature Algorithm (DSA). Top

Eavesdropping Information remains intact, but its privacy is compromised. For example, intercepting credit card numbers or classified information. Top

Encryption Renders packet data unusable to ensure its confidentiality and integrity. Encryption uses a mathematical algorithm and a digital key (series of bits) based on the algorithm to code a message at one end of a transmission and then decode it at the other end. Top

ESP (Encapsulating Security Payload)  An IPsec protocol that provides data confidentiality (encryption), anti-replay, and authentication. ESP encapsulates data in the IP packet and may be applied alone or in combination with AH. Top

HASH A mathematical computation that takes a variable-size message and returns a fixed-size string to authenticate (prove the integrity) of a message. Examples are SHA and M5. A component of IKE, IPsec and digital signatures. Top

HMAC (Hashed Message Authentication Code)  HMAC is not a hash function but rather a cryptographically strong way to use a specific hash function such as SHA or MD5 for MAC calculation. Top

IKE (Internet Key Exchange) The flexible, powerful negotiation protocol that allows IPsec users to agree on security services, i.e., authentication and encryption methods, the keys to use, and how long the keys are valid before new keys are automatically exchanged. Technically, IKE is a dual phase protocol, phase 1 authenticates each peer and creates a secure encrypted link for doing phase 2 -- the actual negotiation of security services for the IPsec-compliant VPN channel. After phase 2 is completed, the protected link in phase 1 is torn down and data traffic abides by security services set forth in the phase 2 negotiation, e.g., ESP tunneling with triple DES encryption. 

The methods used in IKE protect against denial of service and man-in-the-middle attacks and ensures non-repudiation, perfect forward secrecy, and key security (via periodic refreshing of keys). Top

IPsec (IP security protocol) Two protocols for the IP layer: IP Authentication Header (AH) and the Encapsulating Security Protocol (ESP). These protocols may be applied alone or in combination with each other. Top

Man-in-the-Middle An attack in which an enemy hacker not only listens to the messages between two parties but can also modify, delete, and replay the messages. Top

MD5 (Message Digest 5) Used for AH and/or ESP. A one-way hash function that creates a 16-byte (128-bit) hash or message digest to authenticate packet data. Top

NAT Automatic translation of internal private IP addresses to different global addresses. Top

Nonrepudiation Proves communications took place so that the sender (or receiver) cannot refute sending (or receiving) information. A digital signature may provide proof of nonrepudiation as it links the sender with the message. Top

PAP (Password Authentication Protocol) A non-secure authentication scheme to validate the identity of the originator of the connection. An ID and password (requested by the remote access server) is transmitted in the clear from the originator (client). This two-way handshake results in link success or failure (termination). Contrast to CHAP. Top

PFS (Perfect Forward Secrecy) A feature of IKE protocol (using a Diffie-Hellman exchange) that forbids previous or subsequent encryption keys from being derived by the key that is protecting data. Top

PPP (Point-to-Point Protocol) A well-known protocol that allows a computer to make a TCP/IP connection to the Internet over a serial link, typically using a dial-up analog connection.
In the Open Systems Interconnection (OSI) model, PPP provides Data Link (Layer 2) service. PPP is a full-duplex protocol that supports PAP and CHAP authentication schemes and handles both asynchronous and synchronous communication. Top

PSTN (Public Switched Telephone Network) The worldwide telephone network used when making telephone calls. Often called POTS (Plain Old Telephone Service). Top

Public Key Cryptography (Asymmetric Encryption) Uses a key pair: one key for encryption (called a public key) and a separate key (called a private key) for decryption. The sender uses the recipient's public key to encrypt data and the recipient uses their own private key to decrypt data. As the name suggests, public keys are known (made public), but the private keys are not. The longer key lengths make this method slower than secret key cryptography, hence it is commonly used for encrypting keys during key exchanges and for digital signatures. Common examples are RSA and DSS. Top

RC4  Used for ESP.  Variable key size stream cipher using one variable-size key. Top

RC5  Used for ESP. Fast block size cipher with a key range up to 2048 bits. Top

Re-keying  A feature of IKE protocol that maximizes key security by scheduling the time interval between automated encryption key changes, e.g., every 8 or 24 hours. Top

Replay Attack  The interception and recording of messages for sending out at a later time; the receiver unknowingly thinks the bogus traffic is legitimate. Top

RSA   A commonly used public key algorithm (named after its inventors, Rivest, Shamir and Adleman) that can be used both for encryption and for signing. It is generally considered to be secure when sufficiently long keys are used (512 bits is insecure, 768 bits is moderately secure, and 1024 bits is good).  Top

SCADA (supervisory control and data acquisition) is a category of software application program for process control, the gathering of data in real time from remote locations in order to control equipment and conditions. SCADA systems include hardware and software components. The hardware gathers and feeds data into a computer that has SCADA software installed. The computer then processes this data and presents it in a timely manner. SCADA also records and logs all events into a file stored on a hard disk or sends them to a printer. SCADA warns when conditions become hazardous by sounding alarms. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. Top

Secret Key Cryptography (Symmetric Encryption) This fast-performing algorithm is typically used for bulk (large volume of data ) encryption. The same key is applied to the encryption and decryption process. As the name suggest, the key is kept secret between sender and receiver. Widely used examples are DES, Triple DES and RC4. Top

Security Association (SA)  A secure "connection" between two endpoints that applies a security policy and keys to protect information. There are two types of SAs, IKE SA and IPsec SA.
IKE SA (Used by IKE only) The bi-directional secure "connection" that is used for negotiating the IPsec SA. The IKE SA is deleted when the IPsec SA is established.
IPsec SA The unidirectional "connection" for securing data flow. To secure typical, bi-directional communications, one SA is needed for each direction. The IPsec SA is uniquely identified by destination address (endpoint), security protocol (AH or ESP) and security parameter index (SPI). Top

SHA (Secure Hash Algorithm) Used for AH and/or ESP. A one-way hash function that creates a 20-byte (160-bit) hash or message digest to authenticate packet data. SHA is more resistant to attacks than MD5, but slower to compute. Top

SPI (Security Parameter Index) An arbitrary 32-bit value included in the ESP or AH header. Top

Transport mode Used for AH and ESP and only between peers that are the end points of a connection. Transport mode encapsulates the upper layer payload of the original IP packet, but reuses IP header. As a result, protection is applied to upper layer protocols (TCP or UDP) - layers that are higher than IP. The contrast is Tunnel Mode. Top

Tunnel mode A technology that encapsulates (wraps) an entire IP packet inside a new IP packet and attaches a new IP header, before transmission through the public network. The destination address contained in the new header is an IPsec entity that will unwrap the packet and send it to its ultimate destination. A benefit of tunneling is the ability to hide source and destination addresses before data is sent. The receiving device recovers the hidden addresses and delivers the packet to its intended address. Top

VPN A secure connection through an insecure public network, typically the Internet. Tunneling, encryption and authentication are deployed to ensure security of data. Top

X.509 The most widely used standard format for digital certificates. Top