Entries are in alphabetical order. Some entries are only one line or one paragraph long. Others run to several paragraphs. I have tried to put the essential information in the first paragraph so you can skip the other paragraphs if that seems appropriate.
Other glossaries which overlap this one include:
Several Internet glossaries are available as RFCs:
More general glossary or dictionary information:
There are many more mirrors of this dictionary.
There are also many mirrors of this. See the home page for a list.
IPsec always does 3DES with three different keys, as required by RFC 2451. For an explanation of the two-key variant, see two key triple DES. Both use an EDE encrypt-decrypt-encrpyt sequence of operations.
Double DES is ineffective. Using two 56-bit keys, one might expect an attacker to have to do 2112 work to break it. In fact, only 257 work is required with a meet-in-the-middle attack, though a large amount of memory is also required. Triple DES is vulnerable to a similar attack, but that just reduces the work factor from the 2168 one might expect to 2 112. That provides adequate protection against brute force attacks, and no better attack is known.
3DES can be somewhat slow compared to other ciphers. It requires three DES encryptions per block. DES was designed for hardware implementation and includes some operations which are difficult in software. However, the speed we get is quite acceptable for many uses. See our performance document for details.
Fifteen proposals meeting NIST's basic criteria were submitted in 1998 and subjected to intense discussion and analysis, "round one" evaluation. In August 1999, NIST narrowed the field to five "round two" candidates:
Three of the five finalists -- Rijndael, Serpent and Twofish -- have completely open licenses.
In October 2000, NIST announced the winner -- Rijndael.
For more information, see:
AES will be added to a future release of Linux FreeS/WAN. Likely we will add all three of the finalists with good licenses. User-written AES patches are already available.
Adding AES may also require adding stronger hashes, SHA-256, SHA-384 and SHA-512.
Bruce Schneier extends these with many others such as Eve the Eavesdropper and Victor the Verifier. His extensions seem to be in the process of becoming standard as well. See page 23 of Applied Cryptography
Alice and Bob have an amusing biography on the web.
Outside IPsec, passwords are perhaps the most common authentication mechanism. Their function is essentially to authenticate the person's identity to the system. Passwords are generally only as secure as the network they travel over. If you send a cleartext password over a tapped phone line or over a network with a packet sniffer on it, the security provided by that password becomes zero. Sending an encrypted password is no better; the attacker merely records it and reuses it at his convenience. This is called a replay attack.
A common solution to this problem is a challenge-response system. This defeats simple eavesdropping and replay attacks. Of course an attacker might still try to break the cryptographic algorithm used, or the random number generator.
IPsec uses the Diffie-Hellman key exchange protocol to create keys. An authentication mechansim is required for this. FreeS/WAN normally uses RSA for this. Other methods supported are discussed in our advanced configuration document.
Having an attacker break the authentication is emphatically not a good idea. An attacker that breaks authentication, and manages to subvert some other network entities (DNS, routers or gateways), can use a man-in-the middle attack to break the security of your IPsec connections.
However, having an attacker break the authentication in automatic keying is not quite as bad as losing the key in manual keying.
That said, the secrets used for authentication, stored in ipsec.secrets(5), should still be protected as tightly as cryptographic keys.
For more detail, see our document on FreeS/WAN performance.
Resisting such attacks is part of the motivation for:
The second person has 1 chance in 365 (ignoring leap years) of matching the first. If they don't match, the third person's chances of matching one of them are 2/365. The 4th, 3/365, and so on. The total of these chances grows more quickly than one might guess.
DES is among the the best known and widely used block ciphers, but is now obsolete. Its 56-bit key size makes it highly insecure today. Triple DES is the default block cipher for Linux FreeS/WAN .
The current generation of block ciphers -- such as Blowfish, CAST-128 and IDEA -- all use 64-bit blocks and 128-bit keys. The next generation, AES, uses 128-bit blocks and supports key sizes up to 256 bits.
The Block Cipher Lounge web site has more information.
This is not required by the IPsec RFCs and not currently used in Linux FreeS/WAN.
Longer keys protect against brute force attacks. Each extra bit in the key doubles the number of possible keys and therefore doubles the work a brute force attack must do. A large enough key defeats any brute force attack.
For example, the EFF's DES Cracker searches a 56-bit key space in an average of a few days. Let us assume an attacker that can find a 64-bit key (256 times harder) by brute force search in a second (a few hundred thousand times faster). For a 96-bit key, that attacker needs 232 seconds, about 135 years. Against a 128-bit key, he needs 232 times that, over 500,000,000,000 years. Your data is then obviously secure against brute force attacks. Even if our estimate of the attacker's speed is off by a factor of a million, it still takes him over 500,000 years to crack a message.
This is why
Cautions:
Inadequate keylength always indicates a weak cipher but it
is important to note that adequate keylength does not necessarily
indicate a strong cipher. There are many attacks other than brute
force, and adequate keylength only guarantees resistance to
brute force. Any cipher, whatever its key size, will be weak if design
or implementation flaws allow other attacks.
Also, once you have adequate keylength (somewhere around 90 or 100 bits), adding more key bits make no practical difference , even against brute force. Consider our 128-bit example above that takes 500,000,000,000 years to break by brute force. We really don't care how many zeroes there are on the end of that, as long as the number remains ridiculously large. That is, we don't care exactly how large the key is as long as it is large enough.
There may be reasons of convenience in the design of the cipher to support larger keys. For example Blowfish allows up to 448 bits and RC4 up to 2048, but beyond 100-odd bits it makes no difference to practical security.
See Web of Trust for an alternate model.
This is not required by the IPsec RFCs and not currently used in Linux FreeS/WAN.
An initialisation vector (IV) must be provided. It is XORed into the first block before encryption. The IV need not be secret but should be different for each message and unpredictable.
FreeS/WAN policy group files accept CIDR blocks of the format address/[mask], where address may take the form name.domain.tld. An absent mask is assumed to be /32.
This is more secure than passwords against two simple attacks:
A challenge-response system never sends a password, either cleartext or encrypted. An attacker cannot record the response to one challenge and use it as a response to a later challenge. The random number is different each time.
Of course an attacker might still try to break the cryptographic algorithm used, or the random number generator.
Four standard modes were defined for DES in FIPS 81. They can actually be applied with any block cipher.
| ECB | Electronic CodeBook | encrypt each block independently | |
| CBC | Cipher Block Chaining
| XOR previous block ciphertext into new block plaintext before encrypting new block | |
| CFB | Cipher FeedBack | ||
| OFB | Output FeedBack |
IPsec uses CBC mode since this is only marginally slower than ECB and is more secure. In ECB mode the same plaintext always encrypts to the same ciphertext, unless the key is changed. In CBC mode, this does not occur.
Various other modes are also possible, but none of them are used in IPsec.
We generally use the term in the first sense. Vendors of Windows IPsec solutions often use it in the second. See this discussion.
Web references include this US government site and this global home page.
For current information, see their web site.
If the attacker puts bogus source information in the first packet, such that the second is never delivered, the responder may wait a long time for the third to come back. If responder has already allocated memory for the connection data structures, and if many of these bogus packets arrive, the responder may run out of memory.
The two example attacks discussed were both quite effective when first discovered, capable of crashing or disabling many operating systems. They were also well-publicised, and today far fewer systems are vulnerable to them.
DES is seriously insecure against current attacks.
Linux FreeS/WAN does not include DES, even though the RFCs specify it. We strongly recommend that single DES not be used.
This is not required by the IPsec RFCs and not currently used in Linux FreeS/WAN. DESX would be the easiest additional transform to add; there would be very little code to write. It would be much faster than 3DES and almost certainly more secure than DES. However, since it is not in the RFCs other IPsec implementations cannot be expected to have it.
The protocol is secure against all passive attacks , but it is not at all resistant to active man-in-the-middle attacks. If a third party can impersonate Bob to Alice and vice versa, then no useful secret can be created. Authentication of the participants is a prerequisite for safe Diffie-Hellman key exchange. IPsec can use any of several authentication mechanisims. Those supported by FreeS/WAN are discussed in our configuration section.
The Diffie-Hellman key exchange is based on the discrete logarithm problem and is secure unless someone finds an efficient solution to that problem.
Given a prime p and generator g (explained under discrete log below), Alice:
Meanwhile Bob:
Now Alice and Bob can both calculate the shared secret s = g^(ab). Alice knows a and B, so she calculates s = B^a. Bob knows A and b so he calculates s = A^b.
An eavesdropper will know p and g since these are made public, and can intercept A and B but, short of solving the discrete log problem, these do not let him or her discover the secret s.
Receiver:
If the public-key system is secure and the verification succeeds, then the receiver knows
Such an encrypted message digest can be treated as a signature since it cannot be created without both the document and the private key which only the sender should possess. The legal issues are complex, but several countries are moving in the direction of legal recognition for digital signatures.
The discrete log problem is the basis of several cryptographic systems, including the Diffie-Hellman key exchange used in the IKE protocol. The useful property is that exponentiation is relatively easy but the inverse operation, finding the logarithm, is hard. The cryptosystems are designed so that the user does only easy operations (exponentiation in the field) but an attacker must solve the hard problem (discrete log) to crack the system.
There are several variants of the problem for different types of field. The IKE/Oakley key determination protocol uses two variants, either over a field modulo a prime or over a field defined by an elliptic curve. We give an example modulo a prime below. For the elliptic curve version, consult an advanced text such as Handbook of Applied Cryptography.
Given a prime p, a generator g for the field modulo that prime, and a number x in the field, the problem is to find y such that g^y = x.
For example, let p = 13. The field is then the integers from 0 to 12. Any integer equals one of these modulo 13. That is, the remainder when any integer is divided by 13 must be one of these.
2 is a generator for this field. That is, the powers of two modulo 13 run through all the non-zero numbers in the field. Modulo 13 we have:
y x
2^0 == 1
2^1 == 2
2^2 == 4
2^3 == 8
2^4 == 3 that is, the remainder from 16/13 is 3
2^5 == 6 the remainder from 32/13 is 6
2^6 == 12 and so on
2^7 == 11
2^8 == 9
2^9 == 5
2^10 == 10
2^11 == 7
2^12 == 1
Exponentiation in such a field is not difficult. Given, say,
Note, however, that no-one has proven such methods do not exist. If a solution to either variant were found, the security of any crypto system using that variant would be destroyed. This is one reason IKE supports two variants. If one is broken, we can switch to the other.
The sequence is:
For the two-key version, key1=key3.
The "advantage" of this EDE order of operations is that it makes it simple to interoperate with older devices offering only single DES. Set key1=key2=key3 and you have the worst of both worlds, the overhead of triple DES with the "security" of single DES. Since both the security of single DES and the overheads of triple DES are seriously inferior to many other ciphers, this is a spectacularly dubious "advantage".
Major variants include symmetric encryption in which sender and receiver use the same secret key and public key methods in which the sender uses one of a matched pair of keys and the receiver uses the other. Many current systems, including IPsec, are hybrids combining the two techniques.
For example, the Internet may route all traffic for a particular company to that firm's corporate gateway. It then becomes the company's problem to get packets to various machines on their subnets in various departments. They may decide to treat a branch office like a subnet, giving it IP addresses "on" their corporate net. This becomes an extruded subnet.
Packets bound for it are delivered to the corporate gateway, since as far as the outside world is concerned, that subnet is part of the corporate network. However, instead of going onto the corporate LAN (as they would for, say, the accounting department) they are then encapsulated and sent back onto the Internet for delivery to the branch office.
For information on doing this with Linux FreeS/WAN, look in our advanced configuration section.
"Free software" is a matter of liberty, not price. To understand the concept, you should think of "free speech", not "free beer.""Free software" refers to the users' freedom to run, copy, distribute, study, change and improve the software.
See also GNU, GNU General Public License, and the FSF site.
The exact techniques used in IPsec are defined in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96 because they output only 96 bits of the hash. This makes some attacks on the hash functions harder.
IDEA is not required by the IPsec RFCs and not currently used in Linux FreeS/WAN.
IDEA is patented and, with strictly limited exceptions for personal use, using it requires a license from Ascom.
See this web site for more details, and our compatibility document for information on FreeS/WAN and the Linux implementation of IPv6.
This is the standard Linux FreeS/WAN is implementing. For more details, see our IPsec Overview. For the standards, see RFCs listed in our RFCs document.
Configuring for initiate-only opportunistic encryption is described in our quickstart document.
In the Linux release numbering system, an even second digit as in 2. 2.x indicates a stable or production kernel while an odd number as in 2.3.x indicates an experimental or development kernel. Most users should run a recent kernel version from the production series. The development kernels are primarily for people doing kernel development. Others should consider using development kernels only if they have an urgent need for some feature not yet available in production kernels.
Today Linux is a complete Unix replacement available for several CPU architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit SPARC and the 64-bit UltraSPARC, SrongARM, . . . -- with support for multiple CPUs on some architectures.
Linux FreeS/WAN is intended to run on all CPUs supported by Linux and is known to work on several. See our compatibility section for a list.
See our IPsec section for more detail. For the code see our primary site or one of the mirror sites on this list.
This allows multiple security projects to take different approaches to security enhancement without tying the kernel down to one particular approach. As I understand the history, several projects were pressing Linus to incorporate their changes, the various sets of changes were incompatible, and his answer was more-or-less "a plague on all your houses; I'll give you an interface, but I won't incorporate anything".
It seems to be working. There is a fairly active LSM mailing list, and several projects are already using the interface.
For example, if Alice and Bob are negotiating a key via the Diffie-Hellman key agreement, and are not using authentication to be certain they are talking to each other, then an attacker able to insert himself in the communication path can deceive both players.
Call the attacker Mallory. For Bob, he pretends to be Alice. For Alice, he pretends to be Bob. Two keys are then negotiated, Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key they have is Alice-to-Bob.
A message from Alice to Bob then goes to Mallory who decrypts it, reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key and sends it along to Bob. Bob decrypts successfully and sends a reply which Mallory decrypts, reads, re-encrypts and forwards to Alice.
To make this attack effective, Mallory must
If he manages it, however, it is devastating. He not only gets to read all the messages; he can alter messages, inject his own, forge anything he likes, . . . In fact, he controls the communication completely.
For example, a document labelled "secret, zebra" might be readable only by someone with secret clearance working on Project Zebra. Ideally, the system will prevent any transfer outside those boundaries. For example, even if you can read it, you should not be able to e-mail it (unless the recipient is appropriately cleared) or print it (unless certain printers are authorised for that classification).
Mandatory access control is a required feature for some levels of Rainbow Book or Common Criteria classification, but has not been widely used outside the military and government. There is a good discussion of the issues in Anderson's Security Engineering.
The Security Enhanced Linux project is adding mandatory access control to Linux.
MD5 is one of two message digest algorithms available in IPsec. The other is SHA. SHA produces a longer hash and is therefore more resistant to birthday attacks, but this is not a concern for IPsec. The HMAC method used in IPsec is secure even if the underlying hash is not particularly strong against this attack.
Hans Dobbertin found a weakness in MD5, and people often ask whether this means MD5 is unsafe for IPsec. It doesn't. The IPsec RFCs discuss Dobbertin's attack and conclude that it does not affect MD5 as used for HMAC in IPsec.
Double DES encryption and decryption can be written:
C = E(k2,E(k1,P))
P = D(k1,D(k2,C))
Where C is ciphertext, P is plaintext, E is encryption, D is decryption, k1 is one key, and k2 is the other key. If we know a P, C pair, we can try and find the keys with a brute force attack, trying all possible k1, k2 pairs. Since each key is 56 bits, there are 2 112 such pairs and this attack is painfully inefficient.
The meet-in-the middle attack re-writes the equations to calculate a middle value M:
M = E(k1,P)
M = D(k2,C)
Now we can try some large number of D(k2,C) decryptions with various values of k2 and store the results in a table. Then start doing E(k1,P) encryptions, checking each result to see if it is in the table.
The memory requirements for such attacks can be prohibitive, but there is a whole body of research literature on methods of reducing them.
IP packets, which can be up to 64K bytes each, must be packaged into lower-level packets of the appropriate size for the underlying network(s) and re-assembled on the other end. When a packet must pass over multiple networks, each with its own MTU, and many of the MTUs are unknown to the sender, this becomes a fairly complex problem. See path MTU discovery for details.
Often the MTU is a few hundred bytes on serial links and 1500 on Ethernet. There are, however, serial link protocols which use a larger MTU to avoid fragmentation at the ethernet/serial boundary, and newer (especially gigabit) Ethernet networks sometimes support much larger packets because these are more efficient in some applications.
Almost invariably, the phrase "non-routable address" means one of the addresses reserved by RFC 1918 for private networks:
These addresses are commonly used on private networks, e.g. behind a Linux machines doing IP masquerade. Machines within the private network can address each other with these addresses. All packets going outside that network, however, have these addresses replaced before they reach the Internet.
If any packets using these addresses do leak out, they do not go far. Most routers automatically discard all such packets.
Various other addresses -- the 127.0.0.0/8 block reserved for local use, 0.0.0.0, various broadcast and network addresses -- cannot be routed over the Internet, but are not normally included in the meaning when the phrase "non-routable address" is used.
Some history of NSA documents were declassified in response to a FOIA (Freedom of Information Act) request.
Linux FreeS/WAN currently supports the three groups based on finite fields modulo a prime (Groups 1, 2 and 5) and does not support the elliptic curve groups (3 and 4). For a description of the difference of the types, see discrete logarithms.
Given those three conditions, it can easily be proved that the cipher is perfectly secure, in the sense that an attacker with intercepted message in hand has no better chance of guessing the message than an attacker who has not intercepted the message and only knows the message length. No such proof exists for any other cipher.
There are, however, several problems with this "perfect" cipher.
First, it is wildly impractical for most applications. Key management is at best difficult, often completely impossible.
Second, it is extremely fragile. Small changes which violate the conditions listed above do not just weaken the cipher liitle. Quite often they destroy its security completely.
Marketing claims about the "unbreakable" security of various products which somewhat resemble one-time pads are common. Such claims are one of the surest signs of cryptographic snake oil; most systems marketed with such claims are worthless.
Finally, even if the system is implemented and used correctly, it is highly vulnerable to a substitution attack. If an attacker knows some plaintext and has an intercepted message, he can discover the pad.
In general then, despite its theoretical perfection, the one-time-pad has very limited practical application.
See also the one time pad FAQ.
Setting up for opportunistic encryption is described in our quickstart document.
Configuring passive OE is described in our policy groups document.
Configuring passive OE is described in our policy groups document.
This is done as follows:
Since this requires co-operation of many systems, and since the next packet may travel a different path, this is one of the trickier areas of IP programming. Bugs that have shown up over the years have included:
Since IPsec adds a header, it increases packet size and may require fragmentation even where incoming and outgoing MTU are equal.
then the system has PFS. The attacker needs the short-term keys in order to read the trafiic and merely having the long-term key does not allow him to infer those. Of course, it may allow him to conduct another attack (such as man-in-the-middle) which gives him some short-term keys, but he does not automatically get them just by acquiring the long-term key.
See also Phil Karn's definition.
The 2.xx versions of PGP used the RSA public key algorithm and used IDEA as the symmetric cipher. These versions are described in RFC 1991 and in Garfinkel's book. Since version 5, the products from PGP Inc. have used Diffie-Hellman public key methods and CAST-128 symmetric encryption. These can verify signatures from the 2.xx versions, but cannot exchange encryted messages with them.
An IETF working group has issued RFC 2440 for an "Open PGP" standard, similar to the 5.x versions. PGP Inc. staff were among the authors. A free Gnu Privacy Guard based on that standard is now available.
For more information on PGP, including how to obtain it, see our cryptography links.
Versions 6.5 and later of the PGP product include PGPnet, an IPsec client for Macintosh or for Windows 95/98/NT. See our interoperation document.
There are several PKI products on the market. Typically they use a hierarchy of Certification Authorities (CAs). Often they use LDAP access to X.509 directories to implement this.
See Web of Trust for a different sort of infrastructure.
This is required, for example, when users of a corporate PKI need to communicate with people at client, supplier or government organisations, any of which may have a different PKI in place. I should be able to talk to you securely whenever:
At time of writing (March 1999), this is not yet widely implemented but is under quite active development by several groups.
One half of each pair, called the public key, is made public. The other half, called the private key, is kept secret. Messages can then be sent by anyone who knows the public key to the holder of the private key. Encrypt with the public key and you know that only someone with the matching private key can decrypt.
Public key techniques can be used to create digital signatures and to deal with key management issues, perhaps the hardest part of effective deployment of symmetric ciphers. The resulting hybrid cryptosystems use public key methods to manage keys for symmetric ciphers.
Many organisations are currently creating PKIs, public key infrastructures to make these benefits widely available.
See this reference page.
The Rainbow books are now mainly obsolete, replaced by the international Common Criteria standards.
See RFC 1750 for the theory.
See the manual pages for ipsec_ranbits(8) and ipsec_prng(3) for more on FreeS/WAN's use of randomness. Both depend on the random(4) device driver..
A couple of years ago, there was extensive mailing list discussion (archived here )of Linux /dev/random and FreeS/WAN. Since then, the design of the random(4) driver has changed considerably. Linux 2.4 kernels have the new driver..
Our list of IPsec and other security-related RFCs is here, along with information on methods of obtaining them.
There are also several classes of non-routable IP addresses.
RSA can be used to provide either encryption or digital signatures. In IPsec, it is used only for signatures. These provide gateway-to-gateway authentication for IKE negotiations.
For a full explanation of the algorithm, consult one of the standard references such as Applied Cryptography . A simple explanation is:
The great 17th century French mathematician Fermat proved that,
for any prime p and number x, 0 <= x < p:
x^p == x modulo p
x^(p-1) == 1 modulo p, non-zero x
From this it follows that if we have a pair of primes p, q and two numbers e, d such that:
ed == 1 modulo lcm( p-1, q-1)
where lcm() is least common multiple, then
x^ed == x modulo pq
So we construct such as set of numbers p, q, e, d and publish the product N=pq and e as the public key. Using c for ciphertext and i for the input plaintext, encryption is then:
c = i^e modulo N
An attacker cannot deduce i from the cyphertext c, short of either factoring N or solving the discrete logarithm problem for this field. If p, q are large primes (hundreds or thousands of bits) no efficient solution to either problem is known.
The receiver, knowing the private key (N and d), can readily recover the plaintext p since:
c^d == (i^e)^d modulo N
== i^ed modulo N
== i modulo N
This gives an effective public key technique, with only a couple of problems. It uses a good deal of computer time, since calculations with large integers are not cheap, and there is no proof it is necessarily secure since no-one has proven either factoring or discrete log cannot be done efficiently. Quite a few good mathematicians have tried both problems, and no-one has announced success, but there is no proof they are insoluble.
An SA is defined by three things -- the destination, the protocol ( AH orESP) and the SPI, security parameters index. It is used as an index to look up other things such as session keys and intialisation vectors.
For more detail, see our section on IPsec and/or RFC 2401.
According to their web pages, this work will include extending mandatory access controls to IPsec tunnels.
Recent versions of SE Linux code use the Linux Security Module interface.
IPsec can use this plus Diffie-Hellman key exchange to bootstrap itself. This allows opportunistic encryption. Any pair of machines which can authenticate each other via DNS can communicate securely, without either a pre-existing shared secret or a shared PKI.
For automatic keying mode, the IPsec RFCs require that the sender generate sequence numbers for each packet, but leave it optional whether the receiver does anything with them.
SHA is one of two message digest algorithms available in IPsec. The other is MD5. Some people do not trust SHA because it was developed by the NSA. There is, as far as we know, no cryptographic evidence that SHA is untrustworthy, but this does not prevent that view from being strongly held.
The NSA made one small change after the release of the original SHA. They did not give reasons. Iit may be a defense against some attack they found and do not wish to disclose. Technically the modified algorithm should be called SHA-1, but since it has replaced the original algorithm in nearly all applications, it is generally just referred to as SHA..
For more detail, see our IPsec section and/or RFC 2401.
For more information on SSH, including how to obtain it, see our cryptography links.
IPsec does not use stream ciphers. Their main application is link-level encryption, for example of voice, video or data streams on a wire or a radio signal.
The '24' is shorthand for a mask with the top 24 bits one and the rest zero. This is exactly the same as 255.255.255.0 which has three all-ones bytes and one all-zeros byte.
These indicate that, for this range of addresses, the top 24 bits are to be treated as naming a network (often referred to as "the 101.101.101.0/24 subnet") while most combinations of the low 8 bits can be used to designate machines on that network. Two addresses are reserved; 101.101.101.0 refers to the subnet rather than a specific machine while 101.101.101.255 is a broadcast address. 1 to 254 are available for machines.
It is common to find subnets arranged in a hierarchy. For example, a large company might have a /16 subnet and allocate /24 subnets within that to departments. An ISP might have a large subnet and allocate /26 subnets (64 addresses, 62 usable) to business customers and /29 subnets (8 addresses, 6 usable) to residential clients.
Symmetric cryptography contrasts with public key or asymmetric systems where the two players use different keys.
The great difficulty in symmetric cryptography is, of course, key management. Sender and receiver must have identical keys and those keys must be kept secret from everyone else. Not too much of a problem if only two people are involved and they can conveniently meet privately or employ a trusted courier. Quite a problem, though, in other circumstances.
It gets much worse if there are many people. An application might be written to use only one key for communication among 100 people, for example, but there would be serious problems. Do you actually trust all of them that much? Do they trust each other that much? Should they? What is at risk if that key is compromised? How are you going to distribute that key to everyone without risking its secrecy? What do you do when one of them leaves the company? Will you even know?
On the other hand, if you need unique keys for every possible connection between a group of 100, then each user must have 99 keys. You need either 99*100/2 = 4950 secure key exchanges between users or a central authority that securely distributes 100 key packets, each with a different set of 99 keys.
Either of these is possible, though tricky, for 100 users. Either becomes an administrative nightmare for larger numbers. Moreover, keys must be changed regularly, so the problem of key distribution comes up again and again. If you use the same key for many messages then an attacker has more text to work with in an attempt to crack that key. Moreover, one successful crack will give him or her the text of all those messages.
In short, the hardest part of conventional cryptography is key management. Today the standard solution is to build a hybrid system using public key techniques to manage keys.
In an industrial espionage situation, one might deduce something interesting just by knowing that company A and company B were talking, especially if one were able to tell which departments were involved, or if one already knew that A was looking for acquisitions and B was seeking funds for expansion.
In general, traffic analysis by itself is not very useful. However, in the context of a larger intelligence effort where quite a bit is already known, it can be very useful. When you are solving a complex puzzle, every little bit helps.
IPsec itself does not defend against traffic analysis, but carefully thought out systems using IPsec can provide at least partial protection. In particular, one might want to encrypt more traffic than was strictly necessary, route things in odd ways, or even encrypt dummy packets, to confuse the analyst. We discuss this here.
3DES with three keys has 3*56 = 168 bits of key but has only 112-bit strength against a meet-in-the-middle attack, so it is possible that the two key version is just as strong. Last I looked, this was an open question in the research literature.
RFC 2451 defines triple DES for IPsec as the three-key variant. The two-key variant should not be used and is not implemented directly in Linux FreeS/WAN . It cannot be used in automatically keyed mode without major fiddles in the source code. For manually keyed connections, you could make Linux FreeS/WAN talk to a two-key implementation by setting two keys the same in /etc/ipsec.conf.
IPsec is not the only technique available for building VPNs, but it is the only method defined by RFCs and supported by many vendors. VPNs are by no means the only thing you can do with IPsec, but they may be the most important application for many users.
See Global Trust Register for an interesting addition to the web of trust.
Critics refer to WEP as "Wiretap Equivalent Privacy", and consider it a horribly flawed design based on bogus "requirements". You do not control radio waves as you might control your wires, so the metaphor in the rationale is utterly inapplicable. A security policy that chooses not to invest resources in protecting against certain attacks which can only be conducted by people physically plugged into your LAN may or may not be reasonable. The same policy is completely unreasonable when someone can "plug in" from a laptop half a block away..
There has been considerable analysis indicating that WEP is seriously flawed. A FAQ on attacks against WEP is available. Part of it reads:
... attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network. Note that our attacks apply to both 40-bit and the so-called 128-bit versions of WEP equally well.
WEP appears to be yet another instance of governments, and unfortunately some vendors and standards bodies, deliberately promoting hopelessly flawed "security" products, apparently mainly for the benefit of eavesdropping agencies. See this discussion.
Use of X.509 services, via the LDAP protocol, for certification of keys is allowed but not required by the IPsec RFCs. It is not yet implemented in Linux FreeS/WAN.