VIRNETX EXHIBIT 2008
`Apple v. VirnetX
`Trial IPR2015-00866
`
`

`
`LinLg{31§[e:e§S'§)g,—‘§x£{T(}(5l(g’§s(Ja-II).,ED Document 194-?‘ Filed 12130103 Page 3 of 26 P8.gefi,l2g?:I2%%£§
`
`Definitions
`
`3DES (Triple DES)
`Using three DE_S_ encryptions on a single data block, with at least two different keys, to get higher
`security than is available from a single DES pass- The three—key version of 3DES is the default
`encryption algorithm for _I:_,__i_1"’!T'|;‘|“§*(ml:l‘§§§_/“wé;El‘_.
`
`_I;[iS_l;1Q aiways does SDES with three different keys, as required by RFC 2451. For an explanation
`Of the tW0—key Variant, S66 :mo_.1;_cy_t_1.:i.plel_3_E§. Both use an
`enc1'ypt—dec1‘ypt-encrpyt
`sequence of operations.
`
`Single DES is
`
`Double DES is ineffective. Using two 56-bit keys, one might expect an attacker to have to do 2112
`work. to break it. In fact, only 257 work is required with a rr1_c_=.__t_:_t_-_i_r_1_;_t_li_e;«mn_1i§,i_t,i,l,emattacl-;, though a
`large amount of memory is also required. Triple DES is vulnerable to a similar attack, but that just
`reduces the work factor from the 2163 one might expect to 2112. That provides adequate protection
`against ];t;ute__£ot;c_e attacks, and no better attack is lcnown.
`
`3DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per
`block. DES was designed for hardware implementation and includes some operations which are
`difficult in software. However, the speed we get is quite acceptable for many uses. See
`b_e_nchinark_s below for details.
`
`Active attack
`An attack in which the attacker does not merely eavesdrop (see ajttack) but takes action to
`change, delete, reroute, add, forge or divert data. Perhaps the best-known active attack is
`tl;i__e;_rr_1ifi_d1__e. In general, alighegigatipn is a usefiil defense against active attacks.
`AES '
`being developed
`standard to replace
`The Advanced Encryption Standard, a new
`by §~I_I_S__'l:, the US National Institute of Standards and Technology. DES used 64-bit blocks and a
`56~bit key. AES ciphers use A 128-bit block and are required to support 128, 192 and 256-bit keys.
`Some ofthem support other sizes as we1l..'Ihe larger block size helps resist hir_t11_day_aLtacks while
`the large key size prevents b_tute_£o_;ce,attac_ks.
`
`‘
`
`IIIO
`
`Fifteen proposals meeting NIST’s basic criteria were submitted in 1998 and subjected to intense
`discussion and analysis, "round one" evaluation. In August 1999, NEST narrowed the field to five
`"round two" candidates:
`Mars from IBM
`RQQ irotn RSA
`B.i.i.IJn§1.from two Belgian researchers
`fierpent, a British-Norwegiamlsraeli research collaboration
`,
`fiorn the consulting firm Counterpane
`-
`We expect I_I_’_S_E_.Q will eventually use the ABS winner, and we expect to see a winner (or more
`than one; there is an ongoing discussion on that point) declared in the summer of 2000.
`Adding one or more ABS ciphers to L_i_tn.1_2;_Er_e§S_M& W01-lid 136 useful undertaking; and
`considerable freely available code exists to start from. One complication is that our code is built
`for a 64-bit block cipher and ABS uses a 128-bit block. Volunteers via the rn_a_iling___li_s_t would be
`
`http :/flibertyfreeswan.org/freeswan__t:rees/freeswan— 1 .3/doc/g1ossary.html
`
`-
`
`2/21 /2002
`
`Page 2 of 25
`
`VNETOO221396
`
`

`
`. Case 6:07-cv-00080-LED Document 194-? Fiied 12f30lO8 Page 4 of 26 PagelD #: 8915
`Linux FreeS/WAN Glossary
`A
`page 3 of25
`
`welcome.
`
`For more information, see the I>llS.I_;.tES_I'1o_n1_e_nage‘or the 13.1.os;lg.._.....ip_-e.:;._L_ou1gaaE§_nage. For
`code and benchmarks see Brian Gladman's page.
`
`AH
`
`The 1E,SE_Q Authentication Header, added after the IP header. For details, see our _1__1_3f_§_EQ
`Overview document and/or RFC 2402..
`Alice and Bob
`.
`_
`A and B, the standard example users in writing on cryptography and coding theory. Carol and
`Dave join them for protocols which require more players.
`
`extends these with many others such as Eve the Eavesdropper and Victor the
`Verifier. His extensions seem to be in the process ofbecoming standard as well. See page 23 of
`aualtecjgrxatagaphx
`
`Alice and Bob have an amusing biography on the web.
`
`T ARPA
`see Qialifla
`
`ASIO
`
`Australian Security Intelligence Organisation.
`Asyntrnetric cryptography
`See 1L1.lplic key__c13cpLgr_a1i1y.
`Authentication
`Ensuring that a message originated from the expected sender and has not been altered on route.
`IPSEC uses authentication in two places:
`l_3_‘i_f_i1e;_‘_¥_Ie-,l1r3t1_ayri key exchanges to prevent
`- authenticating the players in
`__I31§gL.Ll_e_a_‘ttaclg§. This can be done in a number ofways. The methods supported by
`FreeS/WAN are discussed in our configuration document.
`0 authenticating paeketson an established §_._A_.__, either with a separate gn_._rt_hentig_at_ign___headei: or
`with the optional authentication in the ESL’, protocol. In either case, packet authentication
`"uses a hashed rnessaggathentication code technique.
`
`4
`
`Outside IPSEC, passwords are perhaps the most common authentication mechanism. Their
`filnction is essentially to authenticate the person's identity to the system. ?asswo1'ds are generally
`only as secure as the network they travel over. If you send a cleartext password over a tapped
`phone line or over a network with a packet sniffer on it, the security provided by that password
`becomes zero. Sending an encrypted password is no better, the attacker merely records it and
`reuses it at his convenience. This is called a gala: attack.
`A common solution to this problem is a g;_,__a_l_l_enge_~_rs_§po_nse system. This defeats simple
`eavesdropping and replay attacks. Ofcourse an attacker might still try to break the cryptographic
`algorithm used, or the
`generator.
`
`Automatic keying
`-
`A mode in which keys are automatically generated at connection establisment and new keys
`autornaically created periodically thereafter. Contrast with rnanuallceyiiig in Which ‘<1 single Stoffid
`key is used.
`
`htto://liberty.freeswan.org/freeswan__trees/freeswan—1 .3/doc/g10SSa1'Y-hliII11
`
`2/21/2002
`
`Page 3 of 25
`
`VN ETOO221397
`
`

`
`_ Case 6:O7—cv—00O80—LED Document 194-‘? A Filed 12/30l08 Page 5 of 26 Pa eID #: 8916
`age 4 of 25
`Linux FreeS/WAN Glossary
`
`
`
`IPSEC uses the Diffie- ellman ke exchange protocol to create keys. An authentication
`mechansim is required for this. The methods supported by FreeS/WAN are discussed in our
`cnniimtratinn document-
`
`Having an attacker break the authentication is emphaticaliy not a good idea. An attacker that
`breaks authentication, and manages to subvert some other network entities (DNS, routers or
`gateways), can use a rna;_1;j_rr-,t_he_rnig1dle_a;ta_c_1g to break the security of your IPSEC connections.
`
`However, having an attacker break the authentication in automatic keying is not quite as bad as
`losingthe key in manual keying.
`- An attacker who reads /6tC./lpSBC.COI1fEl1’ld gets the keys for a manually keyed connection
`can, without further effort, read all messages encrypted with those keys, including any old
`messages he may have archived.
`9 Automatic keying has a property called perfect forward secrecy. An attacker who breaks the
`authentication gets none of the automatically generated keys and cannot immediately read
`any messages. He has to mount a successful 1nan;in;_tl1e
`ttaclg in real time before he
`can read anything. He cannot read old archived messages
`nd will not be able to read
`any future messages not caught by man-in-thevmiddle tricks.
`That said, the secrets used for authentication, stored in ,i1;::._5:».€.3_c.:.§_€_;.tT,,r_o;:nt;;:.(.’.§”), should still be protected as
`tightly as cryptographic keys.
`flay Networks
`A vendor of routers, hubs and related products, now a subsidiary of Northern Telecom.
`Interoperation between their IPSEC products and Linux FreeS/WAN was problematic at last
`report; see our compatibility document.
`benchmarks
`Our default block cipher, tr-_ip;§;_12I:2__S__, is slower than many alternate ciphers that might be used.
`Speeds achieved, however, seem adequate for many purposes. For example, the assembler code
`from the 1J_ED_fi§_ library we use encrypts 1.6 megabytes per second on a Pentium 200, according
`to the test program supplied with the library.
`
`
`
`
`
`The University ofWales at Ab erystwyth has done quite detailed tests and put their results on the
`Vveb.
`
`Even a 486 can handle a T1 line, according to this mailing list message:
`
`IPSec Masquerade
`subject: Re: 1inux—ipsec:
`Date: Fri, 15 Jan 1999 11:13:22 ~O500
`From: Michael Richardson
`
`. A 486/66 has been clocked by Phil Karn to do
`.
`10Mb/s encryption..
`that uses all the CPU,
`so half that to get some CPU,
`and you have 5Mb/s. 1/3 that for 3DES and you get 1,6Mb/5....
`
`From an Internet Draft The ESP Triple DES Transform:
`
`Phil Karn has tuned DES-EDE3—CBC software to achieve 6.22 Mbps with a
`133 MHZ Pentium. Other DES speed estimates may be found at
`[Schneier95, page 279] . Your milage may vary.
`
`If you want to measure the loads FreeS/WAN puts on a system, note that tools such as top or
`measurements such as load average are more—or-less useless for this. They are not designed to
`measure something that does most of its work inside the kernel.
`
`http://liberty. freeswan.org/:EreesWanH_trees/fieeswan- 1 .3/doc/glossary.htm'l
`
`2/21/2002
`
`Page 4 of 25
`
`VNETOO221398
`
`

`
`Case 6:077-cv~O0O80—LED Document 194-7 Filed 12i30f08 Page 6 of 26 PagelD #: 8917
`Linux FreeSfWAN Glossary
`_
`Page; 5 of 25
`
`BIND
`
`Berkeley Internet Name Daemon, a Widely used implementation of Qlflfi (Domain Name Service).
`See our bibliography for a usefu_l_re_fe_renc_e_. See the l3_ll}I_l;J_h_qrne,,page for more information and
`the latest Version.
`
`Birthday attack
`A cryptographic attack based on the mathematics exemplified by the bir,tl;§_1__ay__,p,ar_a_do2g. This math
`turns up whenever the question of two cryptographic operations producing the same result
`becomes an issue:
`- collisions in mss_sag.erl.ige.st functions.
`o identical output blocks from a 121gg_<_;1c“_gj_.php;r
`- repetition of a challenge in a _r_.:h&1ge:r_esp_c+_t_1,se system
`Resisting such attacks is part of the motivation for:
`o hash algorithms such as _,S,_i_-__l_A and l__{yII_’1'*;l\__/_llQ;l(3_(_) giving a l60~bit result rather than the 128
`bits of MD4, MD5 and RIPEMD~128.
`.
`- _¢_§§ block ciphers using a 128-bit block instead of the 6-'-iwbit block of most current ciphers
`o l,R§_EQ using a 32-bit counter for packets sent on an au_tQ_;_n,ati_gai_ly,,,}_£_§y§£l EA. and requiring
`that the connection always be rekeyed before the counter overflows.
`Birthday paradox
`‘
`Not really a paradox, just a rather counter-intuitive mathematical fact. In a group of 23 people, the
`chance of a least one pair having the same birthday is over 50%.
`
`The second person has 1 chance in 365 (ignoring leap years) ofmatching the first If they don't
`match, the third person's chances ofmatching one of them are 2/365. The 4th, 3/3 65, and so on.
`The total of these chances grows more quickly than one might guess.
`
`Block cipher
`A sy_rng:tr'c cipher which operates on fixed-size blocks of plaintext, giving a block of ciphertext
`for each. Contrast with s’_t_r§_a.rn__(;ipl'_1_§1_'. Block ciphers can be used in various rrgies when multiple
`block are to be encrypted. j
`
`is among the the best known and widely used block ciphers, but is now obsolete. Its 56-bit
`key size makes it highl
`today. _'I,1;iple,_I;l#;§, is the default transform for
`E;e_e;S_L_\NWA___N_ because i
`is the only cipher which is both required in the
`and apparently
`secure.
`‘
`
`The current generation of block ciphers —— such as _l_3_1__o_vymh, Q_at_S_I_—_I__?,§, and IJLQEA -— all use 64-bit
`blocks and 128-bit keys, The next generation, AES, uses l28—bit blocks and supports key sizes up
`to 256'bits.
`
`The Block Cipher Lounge web site has more information.
`
`Blowfish
`,
`A 1_)lgg;,lc_c_i_p_h__c:.3.: using 64~bit blocks and keys ofup to 448 bits, designed by l_3rt_rr;e___,§chr_tei_e_1; and
`used in several products.
`
`This is not required by the _I_l3§,]:Zj_3_ RFCs and not currently used in L_irn1_2~;___.E,r_<:;:_t:_'_S_/_‘\_7VmAl§3l_.
`
`Brute force attack (exhaustive search}
`Breaking a cipher by trying all possible keys. This is always possible in theory (except against a
`one-t_im_pa;l_), but it becomes practical only if the key size is inadequate. For an important
`
`'http:/'/1iberty.freeswan.org/freeswan__trees/freeswan-l .3/doc/glossaryhtrnl
`
`2/21/2002
`
`Page 5 of 25
`
`VN ETOO221399
`
`

`
`Case 6:07-CV-OOO80—LED Document 194-7 Filed l2i30/08 Page 7 of 26 Pagelf) #: 8918
`io
`-1 Linux Frees/WAN Glossary
`Page 6 of 25
`
`example, see our document on the insecurity of DES with its 56-bit key. For an analysis of key
`sizes required to resist plausible brute force attacks, see this paper.
`
`Longer keys protect against brute force attacks. Each extra bit in the key doubles the number of
`possible keys and therefore doubles the work a brute force attack must do. A large enough key
`defeats any brute force attack.
`
`For example, the EFF‘s DES Cracker searches a 56-bit key space in an average of a few days- Let
`us assume an attacker that can find a 64-bit key (256 times harder) by brute force search in a
`second (a few hundred thousand times faster). For a 96-bit key, that attacker needs 232 seconds,
`just over a century. Against a 128-bit key, he needs 232 centuries or about 400,000,DO0,000 years.
`Your data is then obviously secure against brute force attacks. Even if our estimate of the
`attackers speed is offby a factor of a rniilion, it still takes him 400,000 years to crack a message.
`
`This is why
`- single Djifi is now considered da_ngerously___in_secu_r_e
`- any cipher we add to Linux FreeS/‘WAN will have at least a 90-bit key
`- all of the current generation of Iglock_c_ipher_s use a 128-bit or longer key
`0
`ciphers support keysizes 128, 192 and 256 bits
`Cautions:
`r
`Inadequate keyiength always indicates a weak cipher but it is important to note that adequate ‘
`keylength does not necessarily indicate a strong cipher. There are many attacks other than brute
`force, and adequate keylength only guarantees resistance to brute force. Any cipher, whatever its
`key size, will be weak if design or implementation flaws allow other attacks.
`
`Also, once you have adequateykeylength (somewhere around 90 or 100 bits), adding more key bits
`make no practical difi:reriee,_e\_z.en against brute force. Consider our 128-bit example above that
`takes 400 biiiion years to break by brute force. Do we care if an extra 16 bits of key put that into
`the quadrillions? No. What about 16 fewer bits reducing it to the 1 12-bit security level of yang
`Q13.-_S_, which our example attacker could break in just over a billion years‘? No again, unless we're
`being really paranoid about safety margins.
`
`There may be reasons of convenience in the design of the cipher to support larger keys. For
`example _];‘§l,o,y_yf§l_1_ allows up to 448 bits and 1309,51. up to 2048, but beyond 100-odd bits it makes no
`difference to practical security.
`
`Bureau of Export Administration
`see
`
`BXA
`
`The US Commerce Department's Bureau of Export Aciministration which administers the _lf:_‘_A,L{
`Export Administration Regulations controling the export of, among other things, cryptography.
`
`CA
`
`Certification Authority, an entity in a p3;l;2l_Lg_1§:_e_y_iw11f1'g1§_trwu_-;;t_1;I1.'_§ that can certify keys by signing
`them. Usually CAs form a hierarchy. The top of this hierarchy is called the rgo_t_Q_A_.
`
`See Web of Trust for an aiternate model.
`
`CAST—l28
`A block cipfi using 64-bit blocks and 128-bit keys, described in RFC 2144 and used in products
`such as
`and recent versions of1.’.C_3£.
`
`http:/."1ibe1tv.freeswan.org/freeswangtreeslfreeswan-1 .3/doc/glossary-hfinl
`
`8
`
`2/21/2002
`
`Page 6 of 25
`
`VN ETO02214OO
`
`

`
`c
`-
`-
`-
`-
`5
`ase 6.07_cv 00080 LED Document 194-? Filed 1280/08 Page 8 of 26 PagelD #: 8919
`Linux FreeSfWAN Glossary
`Page 7 of25
`
`This is not required by the lLS_E_Q RFCs and not currently used in Linux Frees/WAN.
`
`.
`CAST-256
`gm-_i_1st's candidate cipher for the $8_i'£i_lQ(.l8.I'(1, largely based on the _AST-128 design.
`‘died of using a
`in which for each block except the
`Cipher Block Chaining mode, a me
`first, the result of the previous ‘encryption is XORed into the new block before it is encrypted.
`CBC is the mode used in _l_1?__S__§C;.
`
`rA1'1i_1_1l,t_l§}_i_,S_a__l_L()j!,_X§§;LQ§ (IV) must be provided. It is XORed into the first block before encryption.
`The IV need not be secret but should be different for each message and unpredictable-
`
`Certification Authority
`see gig
`
`Cipher Modes
`Different ways of using a block cipher when encrypting multiple blocks.
`
`in ]E__I_l_’_§ 81. They can actually be applied with any
`
`Four standard modes were defined for
`block cipher.
`E1
`t
`'
`E,_C_L__l5: Csgelgggfc
`Cipher Block
`Charming
`CFB Cipher FeedB ack
`OFB Output FeedB ack
`and is more secure. In ECB
`1__P_§,E_C, uses
`mode since this is only marginally slower than
`mode the same plaintext always encrypts to the same ciphertext, unless the key is changed. In
`CBC mode, this does not occur.
`'
`
`.
`encrypt each block independently
`XOR previous block ciphertext into new block plaintext before
`encrypting new block
`
`Various other modes are also possible, but none of them are used in IP SEC.
`
`Challenge~response authentication
`rar;i1_cr_n_r1.urnb;c.t, encryptsit and Sends
`An aiitiienticatigii system in which one player generates a
`ride back the result. If the result is
`the result as a challenge. The other player decrypts and se
`lcnew the appropriate secret, required
`correct, that proves to the first player that the second player
`for the decryption.
`
`cryptography. Some provide
`ique exist using p_,ubmlic,1g_:3y or
`Variations on this techn
`assuring each player of the other's identity.
`two—Way authentication,
`number is different each time, this defeats simple eavesdropping and replay
`Because the random
`ght still try to break the cryptographic algorithm used, or the
`attacks. Of course an attacker mi
`L‘=3.1.'l_.(_1_(-TL1.'l'.lJ.1_1lI_.1Lb§.K 831161‘aim‘-
`
`Ciphertext
`output of a cipher, as opposed to the uriericrypted p1a_i_ri_tex_t input.
`The encrypted
`A vendor ofrouters, hubs and related products. Their IPSEC products interoperatewith Linux
`
`..§.I..1..L
`FreeSfWAN; see our 9.otnpri£ii2il.iIY...§19
`
`Sim
`'
`
`httn://liheztv_Freeswanore/freeswan tree
`
`s/freeswan—1 .3i'doc/p;lossary.htrnl
`
`2/21/2002
`
`Page 7 of 25
`
`VNETOD221401
`
`

`
`Case 6:O7—cv—OO080—LED Document 194-? Fil d 12f30/O8
`3
`
`'°a9e9°*26 taster-2§920
`
`' Linux Frees/WAN Glossary
`
`Conventional cryptography
`See
`Collision resistance
`The property of a messaggcflggt algorithm which makes it hard for an attacker to find or
`construct two inputs which hash to the same output.
`Copyleft
`see GNU
`
`CSE
`
`The Canadian organisation for sig.iais_iate1.1i.gens<:..
`DARPA (sometimes just ARPA)
`_
`The US government's Defense Advanced Research Projects Agency. Projects they have funded
`over the years have included the Arpanet which evolved into the Internet, the TCP/IP protocol
`suite (as a replacement for the original Arpanet suite), the Berkeley 4.): BSD Unix projects, and
`
`Secure DN S.
`'
`
`For current information, see their
`
`,s_'1_t_e_.
`
`Denial of service (DOS) attack
`An attack that aims at denying some service to legitimate users of a system, rather than providing
`a service to the attacker.
`0 One variant is a flooding attack, overwhelming the system with too many packets, to much
`email, or whatever.
`-
`o A closely related variant is a resource exhaustion attack. For example, consider a "TCP
`SYN flood" attack. Setting up a TCP connection involves a three-packet exchange:
`0 Initiator: Connection please (SYN)
`o Responder: OK (ACK)
`0 Initiator: OK here too
`Ifthe attacker puts bogus source information in the first packet, such that the second is
`never delivered, the responder may wait a long time for the third to come back. Ifresponder
`has already allocated memory for the connection data structures, and ifmany of these bogus
`packets arrive, the responder may run out of memory.
`o Another variant is to feed the system undigesfble data, hoping to make it sick. For example,
`IP packets are limited in size to 64K bytes and a fragment carries information on where it
`starts within that 64K and how long it is. The "ping of deat " delivers fragments that say,
`for example, that they start at 60K and are 20K. long. Attempting to reassemble thse
`without checking for overflow can be fatal.
`.
`The two example attacks discussed were both quite effective when first discovered, capable of
`crashing or disabling many operating systems. They were also we11—publicised, and today far
`fewer systems are vulnerable to them.
`The Data Encryption Standard, ahloclg5_:ipj,1er with 64-bit blocks and a 56-bit key. Probably the
`most widely used
`ever devised. DES has been a US government standard for
`their own use (only for unclassified data), and for some regulated industries such as banking, since
`the late 70's.
`
`DES
`
`DES ia.snri9_1;§ly_insesI_Jre.asainsL<;um:nt_a.c_tmks..
`l;inn_>r_Er,ee_Sfl7_\{Al§l includes DES since the RFCS require it, but our default configuration refuses
`to negotiate a connection using it. We strongly recommend that single DES not be used.
`See also _3;D_E._S_- and DE_S_2§, stronger ciphers based on DES.
`
`htto:f/1ibertv.freeswan.ora/freeswan_treesffreeswan—1 .3/doc/g10SSary.html
`
`2/21/2002
`
`Page 8 of 25
`
`VNETOD221402
`
`

`
`Case 6:D7~cv-00080-LED Document 194-? Filed 1230/08 Page 10 of 26 PagelD #: 8921
`Linux FreeS/WAN Glossary
`Page 9 of25
`
`DESX
`suggested by Ron Rivest of RSA Data Security. It XORS extra key material
`An improved
`into the text before and afier applying the DES cipher.
`
`This is not required by the ,1,E_t1J_;Q RFCs and not currently used in J,_._inu;:__£ree_Sfl&_[ DESX
`would be the easiest additional transform to add; there would be very little code to write. It would
`be much faster than 333138 and almost certainly more secure than DES, However, since it is not in
`the RFCs other IPSEC implementations cannot be expected to have it.
`
`-DH
`
`'
`see _I}_if_fe:_H_e,1LmWan
`Difl-’1e—Hellman (DH) key exchange protocol
`A protocol that allows two parties without any initial shared secret to create one in a manner
`immune to eavesdropping. Once they have done this, they can communicate privately by using
`that shared secret as a key for a block cipher or as the basis for key exchange.
`
`The protocol is secure against all passive attacks, but it is not at all resistant to active rnan—iu—th§;
`gddl_<_:; a__tj;ag_.1gs. If a third party can impersonate Bob to Alice and vice versa, then no useful secret
`can be created. Authentication is a prerequisite for safe Diffie-Hellman key exchange.
`
`IPSEC can use any of several authenjcicatiygn mechanisirns. Those supported by FreeS/WAN are
`discussed in our
`document.
`
`Digital signature
`Take a inemsswagedigest of a document and encrypt it with your private key for some public,1_<:§_y
`s3£3!T£2I<_2_S_3{§!:_<_3,t_1_:r. I can decrypt with your public key and verify that the result matches the digest I
`calculate. This proves that the encrypted digest was created with your private key.
`
`Such an encrypted message digest can be treated as a signattire since it cannot be created Without
`both the document and the private key which only you should possess. The legal issues are
`complex, but several countries are moving in the direction of Iegal recognition for digital
`signatures.
`
`DNS
`
`Domain Name Service, a distributed database through which names are associated with numeric
`addresses and other information in the Internet Protocol Suite. See also BIND, the Berkeley
`Internet Name Daemon which implements DNS services and _S_efioure_ See our bibliography
`for a useful reference on both.
`DOS attack
`see Denial Of Selig: attack
`
`EAR
`
`The US government's Export Administration Regulations, administered by the B1J,{§;§t].1__Q£fl,2_{_p_Q_l{§
`A__d_rrmLini_str_a_ti9_n_. These have replaced the earlier 1_Ig3t_I; regulations as the controls on export of
`cryptography.
`ECB mode
`Electronic CodeBo0k mode, the simplest way to use a block cipher. See ,,C_iph_e1;l\_/[.m_o_<1es.
`
`EDE
`
`The sequence of operations normally used in either the th.ree—key variant of
`1£§_E_C_I or the tw_o_—Eg_ey variant used in some other systems.
`
`used in
`
`hnn:/niheriv_Freeswan_n1-g/fieeswan trees/freeswan—1.3/doc/slossarvhtrnl
`
`Z/21/2002
`
`Page 9 of 25
`
`VNETOO221403
`
`

`
`C
`6:07— —
`—
`—
`‘
`'
`-
`Linuxa1§rt:eSflN_fic\1{I£%g)lEJ)§:grt§ED Document 194 7 Filed 12130108 Page 11 OT 26 Pe}gatsglé31fi.0§gg2
`
`The sequence is:
`o Encrypt with keyl
`o Decrypt with kcy2
`.
`- Encrypt with key3
`For the two~key version, keyl=lrey3.
`
`The "advantage" of this EDE order of operations is that it makes it simple to interoperate with
`older devices offering only single DES. Set key1=key2~=l<ey3 and you have the worst of both
`worlds, the overhead of triple DES with the security of single DES. Since single_L2_E_S_,_is__‘,i_nsecp,re,
`this is a rather dubious "advantage".
`
`The EDE two—l<ey variant can also interoperate with the EDE three—key variant used in _I_1?_S_.,EQ;
`just set k1=k3.
`
`Entrust
`A Canadian company offerring enterprise
`public key and )_{_.§Q2 directories.
`
`EFF
`
`products using Q_A§I:1__2$ symmetric crypto,
`
`l3_l§ctrorij_c_E_rontie1:,1Eoundation, an advocacy group for civil rights in cyberspace.
`Encryption
`I
`Techniques for converting a readable message (p_1_;_i_i_nteggj;) into apparently random material
`(_c_iph§r_te);t) which cannot be read if intercepted. A key is required to read the message.
`
`Major variants include symmetric encryption in which sender and receiver use the same secret key
`and p_u.];,>_1iHgM_lgey methods in which the sender uses one of a matched pair of keys and the receiver
`uses the other. Many current systems, including 1Ej$__]§._Q, are hybrids combining the two
`techniques.
`
`ESP
`
`'
`Encapsulated Security Payload, the LPS EC protocol which provides myjption. It can also
`provide antlienticafion service and may he used with null encryption (which We do not
`
`recommend). For details see our 1],"-,’A_.S__‘l_Ej,_Q,_“(_)
`document and/or RFC 2406.
`Extruded subnet
`i
`_
`A situation in which something IP sees as one network is actually in two or more places.
`
`For example, the Internet may route all traffic for a particular company to that firnfs corporate
`gateway. It then becomes the company's problem to get packets to various machines on their
`fllmefi in various departments. They may decide to treat abranch office tike a subnet, giving it IP
`addresses "on" their corporate net. This becomes an extruded subnet.
`'
`
`Packets bound for it are delivered to the corporate gateway, since as far as the outside world is
`concerned, that subnet is part of the corporate network. However, instead of going onto the
`corporate LAN (as they would for, say, the accounting department) they are then encapsulated and
`sent back onto the Internet for delivery to the branch office.
`-
`
`For information on doing this with Linux Frees/WAN, look in our §__3_on_i:igg_r_atig_n file.
`
`Exhaustive search
`S66 l;2;J.tte_£orse_a_t_tad<.
`
`FIP S
`
`htto:/flibertv.freeswan.org/fi—eeswan__trees/freeswan—1.3/doc/gl0ssa1'y.html
`
`2/21/2002
`
`Page 10 of 25
`
`VNETO0221404
`
`

`
`Linuggsgegi/Q‘;/[—fi§/[—((}(l3OCg:§gJI—3l(_ED Document 194-? Filed 1230/08 Page 12 of 26 Pggglqi#:0f§3523
`
`Federal Information Processing Standard, the US government's standards for products it buys.
`These are issued by 1f:LI§:l"_. Among other things,
`and fiS___l;l_£_§t are defined in FIPS documents.
`NIST have a 1_?_Il’_S__l_r;gme_page.
`Free Software Foundation (FSF)
`AI]. organisation to promote free software, free in the sense of these quotes from their web pages
`
`"Free software“ is a matter of liberty, not price. To understand the concept, you
`should think of "free speech", not "free beer.“
`
`"Free software" refers to the users‘ freedom to run, copy, distribute, study, change and
`improve the software.
`-
`-
`
`See also
`FreeSWAN
`see
`
`FSF
`
`see Free sofiwarefggridn
`GCI-IQ
`-
`
`GILC
`
`and the._E_S»._F_...site.
`
`the British organisation for signals...i,ntelli.genc.e.
`
`Global Inte1:ne_t Liberty Campaign, an international organisation advocating, among other things,
`flee availability of b cryptography. They have a
`to remove cryptographic software fiorn
`the _V_‘[as_ssnae_r_£trr_angsraent.
`-
`Global Internet Liberty Campaign
`see §jL§_.
`fG_lo‘L1.1?_rust1:egist_er
`An attempt to create something like a root CA for E by publishing both as a book and on the
`ygeb the fingerprints of ‘a set of verified keys for well—lcnown users and organisations.
`t
`-
`The GNU Multi-Precision library code, used in Limz '_Er,eeS/WAN by Pluto for public key
`calculations.
`
`GMP
`
`GNU
`
`GPG
`
`.
`GNU‘s Not Unix, the _E_r_e_§:__WSWc>_tlyg_z;re_E9_1;r_1t,1a;1;i_Qr3_{§ project aimed at creating a free system with at
`least the capabilities of Unix. Linux uses GNU utilities extensively.
`'
`
`see _<3I;i_Uml’.u'3ac3.'._(iua_rd
`.
`GNU General Public fieénse (GPL, copyleft)
`_..t..r_.e:
`The license developed by the E1;ee§o_ftw_are_‘F_o;1_ng_latign under which Linux Linmc_Er_eeSJ3_N_Al\l
`and many other pieces of software are distributed. The license allows anyone to redistribute and
`modify the code, but forbids anyone fiom distributing executables without providing access to
`source code. For more details see the file Qfiflflfi included with GPLed source distributions,
`including Ours, or _G1?:lLl.si_teis,.S3.EL.p.age.
`_Ci1_\lLIir'ua£I_@.ard
`An open source implementation of Open 1?_(_}_lZ as defined in RFC 2440.
`
`GPL
`
`see §l\lll_G§neral_B1thuc.Li9_ense.
`
`Hash
`
`see .n1es.sag§.=_..diges1
`Hashed Message Authentication Code (HMAC)
`using keyed Lnessagedigest fimctions to authenticate a message. This differs from other uses of
`these functions:
`
`http://1ibertv.fi'eeswan.or;_r/freeswan_tIeeslfreeswan—1 .3/docfg1°533I‘Y-html
`
`2/21/2002
`
`Page 11 of 25
`
`VNETOO22‘l405
`
`

`
`LinuX§3§e%,%fi;QQ{N::¢;Q,gQ,§9«LED Document 194-? Filed 12/30/08 Page 13 of 26 P@1Def28924
`
`- In normal usage, the hash fi1nction's internal variable are initialised in some standard way.
`Anyone can reproduce the hash to check that the message has not been altered.
`- For HMAC usage, you initiaiise the internal variables from the key. Only someone with the
`key can reproduce the hash. A successful check of the hash indicates not only that the
`_ message is unchanged but also that the creator knew the key.
`The exact techniques used in
`are defined in RFC 2104. They are referred to as HMAC-
`MD5—96 and HMAC-SI-IA-96 because they output only 96 bits of the hash. This makes some
`attacks on the hash functions harder.
`HMAC
`..........................,.._; -.._..__._._.._.___......__._..__,-,_....._.
`see I-Lashed Message Authentication Code
`HIVIAC-MZD5-96
`see I:L3.§h.§_d._L/£.§.§§é1g.€£..£tilIli$;L1IiQ@§lQI1_.C.Q._§
`HIVIAC-SI-IA~96
`see Hashed Message Authentication Code
`Hybrid cryptosystem
`A system using both puh_lic_,l,<;§;_y and techniques. This Works well. Public key
`methods provide key management and digital signature facilities which are not readily available
`using symmetric ciphers. The symmetric cipher, however, can do the bulk of the encryption work
`much more efficiently than public key methods.
`
`IAB
`
`ICMP
`
`IDEA
`
`kl_1Z§_1‘_I1fi_.:_’-fsm_fi‘,~l_1l_t8Ctl1IE) Board.
`
`Internet Control Message Protocol. This is used for various IP—oonnected devices to manage the
`network.
`
`International Data Encrypion Algorithm, developed in Europe as an alternative to exportable
`American ciphers such as DES which were too weak for serious use. IDEA is a block cipher using
`64-bit blocks and 128-bit keys, and is used in products such as I’_Q_:l?,.
`
`IDEA is not required by the 1_Ij__§_l_3__._C; RFCs and not currently used in £_i_'_e_e_S__f
`
`IDEA is patented and, with strictly limited exceptions for personal use, using it requires a license
`from Asqoln.
`
`IESG
`
`lETF
`
`IKE
`
`I.._ts::rnet Engineering. Steerinafirbup.
`'
`K
`Internet Engmceringjask Force, the umbrella organisation whose various working groups make
`most of the technical decisions for the Internet. The IETF l_1:_'_S_E,§L\§1v'_(_J_1“_l_(__i,;‘l__,g;group wrote the
`we are implementing.
`Internet Key Exchange, based on the 1Q.i_ffi_e;1fi_e1lrna_ri key exchange protocol. IKE is implemented
`in Lin.u>_<_F_r;=:eS»__fV§L2_k_1>E by the 1E1x;‘:n_<.:l.ae.=t_r_:.t;e.I.1..
`-
`initialisation Vector (IV)
`Some cipher rng_d§_s_, including the
`mode which IPSEC uses, require some extra data at the
`beginning. This data is called the initialisation vector. It need not be secret, but should be different
`for each message. Its function is_ to prevent messages which begin with the same text from
`encrypting to the same ciphertext. That might give an analyst an opening, so it is best prevented.
`
`IP
`
`Internet Protocol.
`IP masquerade
`
`httu1//liberty.fi-eeswan.or,ajfieesWan_1Iees/freeswan-1 .3/doc!glossa1'y.html
`
`2/21/200?.
`
`Page 12 of 25
`
`VNETOO221406
`
`

`
`Linugigseeegfwioy-gpoggélr-YLEDp Document 194-? Filed 12/30/08 Page 14 of 26 Plag§é|%f8Z%25
`
`A method of allowing multiple machi