Last news

DJ Mix Pro 3.0 build 78.7 Activated version
Elenco Download Crack Serial Keygen Gratis. - Level-up! SlimDrivers DriverUpdate - Update Drivers for Windows XP Crackers Beat Adobe CS4 License Activation Using A BSR Screen Recorder Full Keygen MASTER kreatif HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jun 2016 22:58:11 GMT Content-Type: text/html;...
Read more
NotePro 4.21 with serial key
Excel Calendar Template - Free download and software Efficient Calendar Free - Free download and software Mortal Kombat 9 Komplete Edition Free Download Free After entering your eMail addres and receipt of your registration you'll simultaneously receive your personal access data from us. This is...
Read more
DVBViewer 5.1 Serial number and patch
ISAM database format originally created in dBase but used by many other systems and still widely used for information interchange. learn more… | top users | synonyms 21 views C# - Convert .DBF to .XLS [closed] Hello is there any way to convert .DBF...
Read more

Fund Manager Personal 2016.14.0 and activation code


Expense and Income Manager Software 7.0 Crack plus License Key


1. INTRODUCTION

Does increased security provide comfort to paranoid people? Or does security provide some very basic protections that we are naive to believe that we don't need? During this time when the Internet provides essential communication between literally billions of people and is used as a tool for commerce, social interaction, and the exchange of an increasing amount of personal information, security has become a tremendously important issue for every user to deal with.

There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting health care information. One essential aspect for secure communications is that of cryptography. But it is important to note that while cryptography is necessary for secure communications, it is not by itself sufficient. The reader is advised, then, that the topics covered here only describe the first of many steps necessary for better security in any number of situations.

This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today. (See Section A.4 for some additional commentary on this...)

DISCLAIMER: Several companies, products, and services are mentioned in this tutorial. Such mention is for example purposes only and, unless explicitly stated otherwise, should not be taken as a recommendation or endorsement by the author.


2. BASIC CONCEPTS OF CRYPTOGRAPHY

Cryptography is the science of secret writing is an ancient art; the first documented use of cryptography in writing dates back to circa 1900 B.C. when an Egyptian scribe used non-standard hieroglyphs in an inscription. Some experts argue that cryptography appeared spontaneously sometime after writing was invented, with applications ranging from diplomatic missives to war-time battle plans. It is no surprise, then, that new forms of cryptography came soon after the widespread development of computer communications. In data and telecommunications, cryptography is necessary when communicating over any untrusted medium, which includes just about any network, particularly the Internet.

There are five primary functions of cryptography today:

  1. Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
  2. Authentication: The process of proving one's identity.
  3. Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
  4. Non-repudiation: A mechanism to prove that the sender really sent this message.
  5. Key exchange: The method by which crypto keys are shared between sender and receiver.

In cryptography, we start with the unencrypted data, referred to as plaintext. Plaintext is encrypted into ciphertext, which will in turn (usually) be decrypted back into usable plaintext. The encryption and decryption is based upon the type of cryptography scheme being employed and some form of key. For those who like formulas, this process is sometimes written as:

C = Ek(P)
P = Dk(C)

      where P = plaintext, C = ciphertext, E = the encryption method, D = the decryption method, and k = the key.

In many of the descriptions below, two communicating parties will be referred to as Alice and Bob; this is the common nomenclature in the crypto field and literature to make it easier to identify the communicating parties. If there is a third and fourth party to the communication, they will be referred to as Carol and Dave, respectively. A malicious party is referred to as Mallory, an eavesdropper as Eve, and a trusted third party as Trent.

Finally, cryptography is most closely associated with the development and creation of the mathematical algorithms used to encrypt and decrypt messages, whereas cryptanalysis is the science of analyzing and breaking encryption schemes. Cryptology is the term referring to the broad study of secret writing, and encompasses both cryptography and cryptanalysis.


3. TYPES OF CRYPTOGRAPHIC ALGORITHMS

There are several ways of classifying cryptographic algorithms. For purposes of this paper, they will be categorized based on the number of keys that are employed for encryption and decryption, and further defined by their application and use. The three types of algorithms that will be discussed are (Figure 1):

  • Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption; also called symmetric encryption. Primarily used for privacy and confidentiality.
  • Public Key Cryptography (PKC): Uses one key for encryption and another for decryption; also called asymmetric encryption. Primarily used for authentication, non-repudiation, and key exchange.
  • Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint. Primarily used for message integrity.

FIGURE 1: Three types of cryptography: secret key, public key,
and hash function.


3.1. Secret Key Cryptography

Secret key cryptography methods employ a single key for both encryption and decryption. As shown in Figure 1A, the sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.

With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key (more on that later in the discussion of public key cryptography).

Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers.



A) Self-synchronizing stream cipher. (From Schneier, 1996, Figure 9.8)

B) Synchronous stream cipher. (From Schneier, 1996, Figure 9.6)

FIGURE 2: Types of stream ciphers.

Stream ciphers operate on a single bit (byte or computer word) at a time and implement some form of feedback mechanism so that the key is constantly changing. Stream ciphers come in several flavors but two are worth mentioning here (Figure 2). Self-synchronizing stream ciphers calculate each bit in the keystream as a function of the previous n bits in the keystream. It is termed "self-synchronizing" because the decryption process can stay synchronized with the encryption process merely by knowing how far into the n-bit keystream it is. One problem is error propagation; a garbled bit in transmission will result in n garbled bits at the receiving side. Synchronous stream ciphers generate the keystream in a fashion independent of the message stream but by using the same keystream generation function at sender and receiver. While stream ciphers do not propagate transmission errors, they are, by their nature, periodic so that the keystream will eventually repeat.



FIGURE 3: Feistel cipher. (Source: Wikimedia Commons)

A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher. The most common construct for block encryption algorithms is the Feistel cipher, named for cryptographer Horst Feistel (IBM). As shown in Figure 3, a Feistel cipher combines elements of substitution, permutation (transposition), and key expansion; these features create a large amount of "confusion and diffusion" (per Claude Shannon) in the cipher. One advantage of the Feistel design is that the encryption and decryption stages are similar, sometimes identical, requiring only a reversal of the key operation, thus dramatically reducing the size of the code (software) or circuitry (hardware) necessary to implement the cipher. One of Feistel's early papers describing this operation is "Cryptography and Computer Privacy" (Scientific American, May 1973, 228(5), 15-23).

Block ciphers can operate in one of several modes; the following are the most important:

  • Electronic Codebook (ECB) mode is the simplest, most obvious application: the secret key is used to encrypt the plaintext block to form a ciphertext block. Two identical plaintext blocks, then, will always generate the same ciphertext block. ECB is susceptible to a variety of brute-force attacks (because of the fact that the same plaintext block will always encrypt to the same ciphertext), as well as deletion and insertion attacks. In addition, a single bit error in the transmission of the ciphertext results in an error in the entire block of decrypted plaintext.
  • Cipher Block Chaining (CBC) mode adds a feedback mechanism to the encryption scheme; the plaintext is exclusively-ORed (XORed) with the previous ciphertext block prior to encryption so that two identical plaintext blocks will encrypt differently. While CBC protects against many brute-force, deletion, and insertion attacks, a single bit error in the ciphertext yields an entire block error in the decrypted plaintext block and a bit error in the next decrypted plaintext block.
  • Cipher Feedback (CFB) mode is a block cipher implementation as a self-synchronizing stream cipher. CFB mode allows data to be encrypted in units smaller than the block size, which might be useful in some applications such as encrypting interactive terminal input. If we were using one-byte CFB mode, for example, each incoming character is placed into a shift register the same size as the block, encrypted, and the block transmitted. At the receiving side, the ciphertext is decrypted and the extra bits in the block (i.e., everything above and beyond the one byte) are discarded. CFB mode generates a keystream based upon the previous ciphertext (the initial key comes from an Initialization Vector [IV]). In this mode, a single bit error in the ciphertext affects both this block and the following one.
  • Output Feedback (OFB) mode is a block cipher implementation conceptually similar to a synchronous stream cipher. OFB prevents the same plaintext block from generating the same ciphertext block by using an internal feedback mechanism that generates the keystream independently of both the plaintext and ciphertext bitstreams. In OFB, a single bit error in ciphertext yields a single bit error in the decrypted plaintext.
  • Counter (CTR) mode is a relatively modern addition to block ciphers. Like CFB and OFB, CTR mode operates on the blocks as in a stream cipher; like ECB, CTR mode operates on the blocks independently. Unlike ECB, however, CTR uses different key inputs to different blocks so that two identical blocks of plaintext will not reuslt in the same ciphertext. Finally, each block of ciphertext has specific location within the encrypted message. CTR mode, then, allows blocks to be processed in parallel — thus offering performance advantages when parallel processing and multiple processors are available — but is not susceptible to ECB's brute-force, deletion, and insertion attacks.

A good overview of these different modes can be found at CRYPTO-IT.

Secret key cryptography algorithms in use today — or, at least, important today even if not in use — include:

  • Data Encryption Standard (DES): One of the most well-known and well-studied SKC schemes, DES was designed by IBM in the 1970s and adopted by the National Bureau of Standards (NBS) [now the National Institute for Standards and Technology (NIST)] in 1977 for commercial and unclassified government applications. DES is a Feistel block-cipher employing a 56-bit key that operates on 64-bit blocks. DES has a complex set of rules and transformations that were designed specifically to yield fast hardware implementations and slow software implementations, although this latter point is not significant today since the speed of computer processors is several orders of magnitude faster today than even twenty years ago. DES was based somewhat on an earlier cipher from Feistel called Lucifer which, some sources report, had a 112-bit key. This was rejected, partially in order to fit the algorithm onto a single chip and partially because of the National Security Agency (NSA). The NSA also proposed a number of tweaks to DES that many thought were introduced in order to weaken the cipher, but analysis in the 1990s showed that the NSA suggestions actually strengthed DES (see "The Legacy of DES" by Bruce Schneier [2004]).

    DES was defined in American National Standard X3.92 and three Federal Information Processing Standards (FIPS), all withdrawn in 2005:

    • FIPS 46-3: DES (Archived file)
    • FIPS 74: Guidelines for Implementing and Using the NBS Data Encryption Standard
    • FIPS 81: DES Modes of Operation

    Information about vulnerabilities of DES can be obtained from the Electronic Frontier Foundation.

    Two important variants that strengthen DES are:

    • Triple-DES (3DES): A variant of DES that employs up to three 56-bit keys and makes three encryption/decryption passes over the block; 3DES is also described in FIPS 46-3 and is the recommended replacement to DES.

    • DESX: A variant devised by Ron Rivest. By combining 64 additional key bits to the plaintext prior to encryption, effectively increases the keylength to 120 bits.

    More detail about DES, 3DES, and DESX can be found below in Section 5.4.

  • Advanced Encryption Standard (AES): In 1997, NIST initiated a very public, 4-1/2 year process to develop a new secure cryptosystem for U.S. government applications (as opposed to the very closed process in the adoption of DES 25 years earlier). The result, the Advanced Encryption Standard, became the official successor to DES in December 2001. AES uses an SKC scheme called Rijndael, a block cipher designed by Belgian cryptographers Joan Daemen and Vincent Rijmen. The algorithm can use a variable block length and key length; the latest specification allowed any combination of keys lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits. NIST initially selected Rijndael in October 2000 and formal adoption as the AES standard came in December 2001. FIPS PUB 197 describes a 128-bit block cipher employing a 128-, 192-, or 256-bit key. The AES process and Rijndael algorithm are described in more detail below in Section 5.9.

  • As an aside, the AES selection process managed by NIST was very public. A similar project, the New European Schemes for Signatures, Integrity and Encryption (NESSIE), was designed as an independent project meant to augment the work of NIST by putting out an open call for new cryptographic primitives. NESSIE ran from about 2000-2003. While several new algorithms were found during the NESSIE process, no new stream cipher survived cryptanalysis. As a result, the ECRYPT Stream Cipher Project (eSTREAM) was created, which has approved a number of new stream ciphers for both software and hardware implementation.

    Similar — but different — is the Japanese Government Cryptography Research and Evaluation Committees (CRYPTREC) efforts to evaluate algorithms submitted for government and industry applications. They, too, have approved a number of cipher suites for various applications.

  • CAST-128/256: CAST-128, described in Request for Comments (RFC) 2144, is a DES-like substitution-permutation crypto algorithm, employing a 128-bit key operating on a 64-bit block. CAST-256 (RFC 2612) is an extension of CAST-128, using a 128-bit block size and a variable length (128, 160, 192, 224, or 256 bit) key. CAST is named for its developers, Carlisle Adams and Stafford Tavares, and is available internationally. CAST-256 was one of the Round 1 algorithms in the AES process.

  • International Data Encryption Algorithm (IDEA): Secret-key cryptosystem written by Xuejia Lai and James Massey, in 1992 and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. Also available internationally.

  • Rivest Ciphers (aka Ron's Code): Named for Ron Rivest, a series of SKC algorithms.

    • RC1: Designed on paper but never implemented.

    • RC2: A 64-bit block cipher using variable-sized keys designed to replace DES. It's code has not been made public although many companies have licensed RC2 for use in their products. Described in RFC 2268.

    • RC3: Found to be breakable during development.

    • RC4: A stream cipher using variable-sized keys; it is widely used in commercial cryptography products. An update to RC4, called Spritz (see also), was designed by Rivest and Jacob Schuldt. More detail about RC4 (and a little about Spritz) can be found below in Section 5.13.

    • RC5: A block-cipher supporting a variety of block sizes (32, 64, or 128 bits), key sizes, and number of encryption passes over the data. Described in RFC 2040.

    • RC6: A 128-bit block cipher based upon, and an improvement over, RC5; RC6 was one of the AES Round 2 algorithms.

  • Blowfish: A symmetric 64-bit block cipher invented by Bruce Schneier; optimized for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits in length. Blowfish, available freely and intended as a substitute for DES or IDEA, is in use in a large number of products.

  • Twofish: A 128-bit block cipher using 128-, 192-, or 256-bit keys. Designed to be highly secure and highly flexible, well-suited for large microprocessors, 8-bit smart card microprocessors, and dedicated hardware. Designed by a team led by Bruce Schneier and was one of the Round 2 algorithms in the AES process.

  • Camellia: A secret-key, block-cipher crypto algorithm developed jointly by Nippon Telegraph and Telephone (NTT) Corp. and Mitsubishi Electric Corporation (MEC) in 2000. Camellia has some characteristics in common with AES: a 128-bit block size, support for 128-, 192-, and 256-bit key lengths, and suitability for both software and hardware implementations on common 32-bit processors as well as 8-bit processors (e.g., smart cards, cryptographic hardware, and embedded systems). Also described in RFC 3713. Camellia's application in IPsec is described in RFC 4312 and application in OpenPGP in RFC 5581.

  • MISTY1: Developed at Mitsubishi Electric Corp., a block cipher using a 128-bit key and 64-bit blocks, and a variable number of rounds. Designed for hardware and software implementations, and is resistant to differential and linear cryptanalysis. Described in RFC 2994.

  • Secure and Fast Encryption Routine (SAFER): A series of block ciphers designed by James Massey for implementation in software and employing a 64-bit block. SAFER K-64, published in 1993, used a 64-bit key and SAFER K-128, published in 1994, employed a 128-bit key. After weaknesses were found, new versions were released called SAFER SK-40, SK-64, and SK-128, using 40-, 64-, and 128-bit keys, respectively. SAFER+ (1998) used a 128-bit block and was an unsuccessful candidate for the AES project; SAFER++ (2000) was submitted to the NESSIE project.

  • KASUMI: A block cipher using a 128-bit key that is part of the Third-Generation Partnership Project (3gpp), formerly known as the Universal Mobile Telecommunications System (UMTS). KASUMI is the intended confidentiality and integrity algorithm for both message content and signaling data for emerging mobile communications systems.

  • SEED: A block cipher using 128-bit blocks and 128-bit keys. Developed by the Korea Information Security Agency (KISA) and adopted as a national standard encryption algorithm in South Korea. Also described in RFC 4269.

  • ARIA: A 128-bit block cipher employing 128-, 192-, and 256-bit keys to encrypt 128-bit blocks in 12, 14, and 16 rounds, depending on the key size. Developed by large group of researchers from academic institutions, research institutes, and federal agencies in South Korea in 2003, and subsequently named a national standard. Described in RFC 5794.

  • CLEFIA: Described in RFC 6114, CLEFIA is a 128-bit block cipher employing key lengths of 128, 192, and 256 bits (which is compatible with AES). The CLEFIA algorithm was first published in 2007 by Sony Corporation. CLEFIA is one of the new-generation lightweight blockcipher algorithms designed after AES, offering high performance in software and hardware as well as a lightweight implementation in hardware.

  • SMS4: SMS4 is a 128-bit block cipher using 128-bit keys and 32 rounds to process a block. Declassified in 2006, SMS4 is used in the Chinese National Standard for Wireless Local Area Network (LAN) Authentication and Privacy Infrastructure (WAPI). SMS4 had been a proposed cipher for the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard on security mechanisms for wireless LANs, but has yet to be accepted by the IEEE or International Organization for Standardization (ISO). SMS4 is described in SMS4 Encryption Algorithm for Wireless Networks (translated and typeset by Whitfield Diffie and George Ledin, 2008) or in the original Chinese.

  • Skipjack: SKC scheme proposed, along with the Clipper chip, as part of the never-implemented Capstone project. Although the details of the algorithm were never made public, Skipjack was a block cipher using an 80-bit key and 32 iteration cycles per 64-bit block. Capstone, proposed by NIST and the NSA as a standard for public and government use, met with great resistance by the crypto community laregly because the design of Skipjack was classified (coupled with the key escrow requirement of the Clipper chip).

  • Tiny Encryption Algorithm (TEA): A family of block ciphers developed by Roger Needham and David Wheeler. TEA was originally developed in 1994, and employed a 128-bit key, 64-bit block, and 64 rounds of operation. To correct certain weaknesses in TEA, eXtended TEA (XTEA), aka Block TEA, was released in 1997. To correct weaknesses in XTEA and add versatility, Corrected Block TEA (XXTEA) was published in 1998. XXTEA also uses a 128-bit key, but block size can be any multiple of 32-bit words (with a minimum block size of 64 bits, or two words) and the number of rounds is a function of the block size (52+6words).

  • GSM (Global System for Mobile Communications, originally Groupe Spécial Mobile) encryption: GSM mobile phone systems use several stream ciphers for over-the-air communication privacy. A5/1 was developed in 1987 for use in Europe and the U.S. A5/2, developed in 1989, is a weaker algorithm and intended for use outside of Europe and the U.S. Significant flaws were found in both ciphers after the "secret" specifications were leaked in 1994, however, and A5/2 has been withdrawn from use. The newest version, A5/3, employs the KASUMI block cipher. NOTE: Unfortunately, although A5/1 has been repeatedly "broken" (e.g., see "Secret code protecting cellphone calls set loose" [2009] and "Cellphone snooping now easier and cheaper than ever" [2011]), this encryption scheme remains in widespread use, even in 3G and 4G mobile phone networks. Use of this scheme is reportedly one of the reasons that the National Security Agency (NSA) can easily decode voice and data calls over mobile phone networks.

  • GPRS (General Packet Radio Service) encryption: GSM mobile phone systems use GPRS for data applications, and GPRS uses a number of encryption methods, offering different levels of data protection. GEA/0 offers no encryption at all. GEA/1 and GEA/2 are proprietary stream ciphers, employing a 64-bit key and a 96-bit or 128-bit state, respectively. GEA/1 and GEA/2 are most widely used by network service providers today although both have been reportedly broken. GEA/3 is a 128-bit block cipher employing a 64-bit key that is used by some carriers; GEA/4 is a 128-bit clock cipher with a 128-bit key, but is not yet deployed.

  • KCipher-2: Described in RFC 7008, KCipher-2 is a stream cipher with a 128-bit key and a 128-bit initialization vector. Using simple arithmetic operations, the algorithms offers fast encryption and decryption by use of efficient implementations. KCipher-2 has been used for industrial applications, especially for mobile health monitoring and diagnostic services in Japan.

  • Salsa and ChaCha: Salsa20 is a stream cipher proposed for the eSTREAM project by Daniel Bernstein. Salsa20 uses a pseudorandom function based on 32-bit (whole word) addition, bitwise addition (XOR), and rotation operations, aka add-rotate-xor (ARX) operations. Salsa20 uses a 256-bit key although a 128-bit key variant also exists. In 2008, Bernstein published ChaCha, a new family of ciphers related to Salsa20. ChaCha20, defined in RFC 7539, is employed (with the Poly1305 authenticator) in Internet Engineering Task Force (IETF) protocols, most notably for IPsec and Internet Key Exchange (IKE), per RFC 7634, and Transaction Layer Security (TLS), per RFC 7905. In 2014, Google adopted ChaCha20/Poly1305 for use in OpenSSL, and they are also a part of OpenSSH.

  • FFX-A2 and FFX-A10: FFX (Format-preserving, Feistel-based encryption) is a type of Format Preserving Encryption (FPE) scheme that is designed so that the ciphertext has the same format as the plaintext. FPE schemes are used for such purposes as encrypting social security numbers, credit card numbers, limited size protocol traffic, etc.; this means that an encrypted social security number, for example, would still be a nine-digit string. FFX can theoretically encrypt strings of arbitrary length, although it is intended for message sizes smaller than that of AES-128 (2128 points). The FFX version 1.1 specification describes FFX-A2 and FFX-A10, which are intended for 8-128 bit binary strings or 4-36 digit decimal strings.

There are several other references that describe interesting algorithms and even SKC codes dating back decades. Two that leap to mind are the Crypto Museum's Crypto List and John J.G. Savard's (albeit old) A Cryptographic Compendium page.

3.2. Public Key Cryptography

Public key cryptography has been said to be the most significant new development in cryptography in the last 300-400 years. Modern PKC was first described publicly by Stanford University professor Martin Hellman and graduate student Whitfield Diffie in 1976. Their paper described a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to share a secret key.

PKC depends upon the existence of so-called one-way functions, or mathematical functions that are easy to compute whereas their inverse function is relatively difficult to compute. Let me give you two simple examples:

  1. Multiplication vs. factorization: Suppose you have two prime numbers, 3 and 7, and you need to calculate the product; it should take almost no time to calculate that value, which is 21. Now suppose, instead, that you have a number that is a product of two primes, 21, and you need to determine those prime factors. You will eventually come up with the solution but whereas calculating the product took milliseconds, factoring will take longer. The problem becomes much harder if we start with primes that have, say, 400 digits or so, because the product will have 800 digits.
  2. Exponentiation vs. logarithms: Suppose you take the number 3 to the 6th power; again, it is relatively easy to calculate 36 = 729. But if you start with the number 729 and need to determine the two integers, x and y so that logx 729 = y, it will take longer to find the two values.

While the examples above are trivial, they do represent two of the functional pairs that are used with PKC; namely, the ease of multiplication and exponentiation versus the relative difficulty of factoring and calculating logarithms, respectively. The mathematical "trick" in PKC is to find a trap door in the one-way function so that the inverse calculation becomes easy given knowledge of some item of information.

Generic PKC employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. The important point here is that it does not matter which key is applied first, but that both keys are required for the process to work (Figure 1B). Because a pair of keys are required, this approach is also called asymmetric cryptography.

In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party. It is straight forward to send messages under this scheme. Suppose Alice wants to send Bob a message. Alice encrypts some information using Bob's public key; Bob decrypts the ciphertext using his private key. This method could be also used to prove who sent a message; Alice, for example, could encrypt some plaintext with her private key; when Bob decrypts using Alice's public key, he knows that Alice sent the message (authentication) and Alice cannot deny having sent the message (non-repudiation).

Public key cryptography algorithms that are in use today for key exchange or digital signatures include:

  • RSA: The first, and still most common, PKC implementation, named for the three MIT mathematicians who developed it — Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA today is used in hundreds of software products and can be used for key exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable size encryption block and a variable size key. The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure. (Some descriptions of PKC erroneously state that RSA's safety is due to the difficulty in factoring large prime numbers. In fact, large prime numbers, like small prime numbers, only have two factors!) The ability for computers to factor large numbers, and therefore attack schemes such as RSA, is rapidly improving and systems today can find the prime factors of numbers with more than 200 digits. Nevertheless, if a large number is created from two prime factors that are roughly the same size, there is no known factorization algorithm that will solve the problem in a reasonable amount of time; a 2005 test to factor a 200-digit number took 1.5 years and over 50 years of compute time (see the Wikipedia article on integer factorization.) Regardless, one presumed protection of RSA is that users can easily increase the key size to always stay ahead of the computer processing curve. As an aside, the patent for RSA expired in September 2000 which does not appear to have affected RSA's popularity one way or the other. A detailed example of RSA is presented below in Section 5.3.

  • Diffie-Hellman: After the RSA algorithm was published, Diffie and Hellman came up with their own algorithm. D-H is used for secret-key key exchange only, and not for authentication or digital signatures. More detail about Diffie-Hellman can be found below in Section 5.2.

  • Digital Signature Algorithm (DSA): The algorithm specified in NIST's Digital Signature Standard (DSS), provides digital signature capability for the authentication of messages. Described in FIPS 186-4.

  • ElGamal: Designed by Taher Elgamal, a PKC system similar to Diffie-Hellman and used for key exchange.

  • Elliptic Curve Cryptography (ECC): A PKC algorithm based upon elliptic curves. ECC can offer levels of security with small keys comparable to RSA and other PKC methods. It was designed for devices with limited compute power and/or memory, such as smartcards and PDAs. More detail about ECC can be found below in Section 5.8. Other references include the Elliptic Curve Cryptography page and the Online ECC Tutorial page, both from Certicom. See also RFC 6090 for a review of fundamental ECC algorithms and The Elliptic Curve Digital Signature Algorithm (ECDSA) for details about the use of ECC for digital signatures.

  • Public Key Cryptography Standards (PKCS): A set of interoperable standards and guidelines for public key cryptography, designed by RSA Data Security Inc.

    • PKCS #1: RSA Cryptography Standard (Also RFC 8017)
    • PKCS #2: Incorporated into PKCS #1.
    • PKCS #3: Diffie-Hellman Key-Agreement Standard
    • PKCS #4: Incorporated into PKCS #1.
    • PKCS #5: Password-Based Cryptography Standard (PKCS #5 V2.1 is also RFC 8018)
    • PKCS #6: Extended-Certificate Syntax Standard (being phased out in favor of X.509v3)
    • PKCS #7: Cryptographic Message Syntax Standard (Also RFC 2315)
    • PKCS #8: Private-Key Information Syntax Standard (Also RFC 5208)
    • PKCS #9: Selected Attribute Types (Also RFC 2985)
    • PKCS #10: Certification Request Syntax Standard (Also RFC 2986)
    • PKCS #11: Cryptographic Token Interface Standard
    • PKCS #12: Personal Information Exchange Syntax Standard (Also RFC 7292)
    • PKCS #13: Elliptic Curve Cryptography Standard
    • PKCS #14: Pseudorandom Number Generation Standard is no longer available
    • PKCS #15: Cryptographic Token Information Format Standard
  • Cramer-Shoup: A public key cryptosystem proposed by R. Cramer and V. Shoup of IBM in 1998.

  • Key Exchange Algorithm (KEA): A variation on Diffie-Hellman; proposed as the key exchange method for the NIST/NSA Capstone project.

  • LUC: A public key cryptosystem designed by P.J. Smith and based on Lucas sequences. Can be used for encryption and signatures, using integer factoring.

  • McEliece: A public key cryptosystem based on algebraic coding theory.

For additional information on PKC algorithms, see "Public Key Encryption" (Chapter 8) in Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone (CRC Press, 1996).

A digression: Who invented PKC? I tried to be careful in the first paragraph of this section to state that Diffie and Hellman "first described publicly" a PKC scheme. Although I have categorized PKC as a two-key system, that has been merely for convenience; the real criteria for a PKC scheme is that it allows two parties to exchange a secret even though the communication with the shared secret might be overheard. There seems to be no question that Diffie and Hellman were first to publish; their method is described in the classic paper, "New Directions in Cryptography," published in the November 1976 issue of IEEE Transactions on Information Theory (IT-22(6), 644-654). As shown in Section 5.2, Diffie-Hellman uses the idea that finding logarithms is relatively harder than performing exponentiation. And, indeed, it is the precursor to modern PKC which does employ two keys. Rivest, Shamir, and Adleman described an implementation that extended this idea in their paper, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," published in the February 1978 issue of the Communications of the ACM (CACM) (2192), 120-126). Their method, of course, is based upon the relative ease of finding the product of two large prime numbers compared to finding the prime factors of a large number.

Diffie and Hellman (and other sources) credit Ralph Merkle with first describing a public key distribution system that allows two parties to share a secret, although it was not a two-key system, per se. A Merkle Puzzle works where Alice creates a large number of encrypted keys, sends them all to Bob so that Bob chooses one at random and then lets Alice know which he has selected. An eavesdropper (Eve) will see all of the keys but can't learn which key Bob has selected (because he has encrypted the response with the chosen key). In this case, Eve's effort to break in is the square of the effort of Bob to choose a key. While this difference may be small it is often sufficient. Merkle apparently took a computer science course at UC Berkeley in 1974 and described his method, but had difficulty making people understand it; frustrated, he dropped the course. Meanwhile, he submitted the paper "Secure Communication Over Insecure Channels," which was published in the CACM in April 1978; Rivest et al.'s paper even makes reference to it. Merkle's method certainly wasn't published first, but he is often credited to have had the idea first.

An interesting question, maybe, but who really knows? For some time, it was a quiet secret that a team at the UK's Government Communications Headquarters (GCHQ) had first developed PKC in the early 1970s. Because of the nature of the work, GCHQ kept the original memos classified. In 1997, however, the GCHQ changed their posture when they realized that there was nothing to gain by continued silence. Documents show that a GCHQ mathematician named James Ellis started research into the key distribution problem in 1969 and that by 1975, James Ellis, Clifford Cocks, and Malcolm Williamson had worked out all of the fundamental details of PKC, yet couldn't talk about their work. (They were, of course, barred from challenging the RSA patent!) By 1999, Ellis, Cocks, and Williamson began to get their due credit in a break-through article in WIRED Magazine. And the National Security Agency (NSA) claims to have knowledge of this type of algorithm as early as 1966. For some additional insight on who knew what when, see Steve Bellovin's "The Prehistory of Public Key Cryptography."

3.3. Hash Functions

Hash functions, also called message digests and one-way encryption, are algorithms that, in essence, use no key (Figure 1C). Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.

Let me reiterate that hashes are one-way encryption. You cannot take a hash and "decrypt" it to find the original string that created it, despite the many web sites that claim or suggest otherwise, such as CrackStation, HashKiller.co.uk, MD5 Online, md5cracker, OnlineHashCrack, and RainbowCrack.

Note that these sites search databases and/or use rainbow tables to find a suitable string that produces the hash in question but one can't definitively guarantee what string originally produced the hash. This is an important distinction. Suppose that you want to crack someone's password, where the hash of the password is stored on the server. Indeed, all you then need is a string that produces the correct hash and you're in! However, you cannot prove that you have discovered the user's password, only a "duplicate key."

Hash algorithms that are in common use today include:

  • Message Digest (MD) algorithms: A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.

    • MD2 (RFC 1319): Designed for systems with limited memory, such as smart cards. (MD2 has been relegated to historical status, per RFC 6149.)

    • MD4 (RFC 1320): Developed by Rivest, similar to MD2 but designed specifically for fast processing in software. (MD4 has been relegated to historical status, per RFC 6150.)

    • MD5 (RFC 1321): Also developed by Rivest after potential weaknesses were reported in MD4; this scheme is similar to MD4 but is slower because more manipulation is made to the original data. MD5 has been implemented in a large number of products although several weaknesses in the algorithm were demonstrated by German cryptographer Hans Dobbertin in 1996 ("Cryptanalysis of MD5 Compress").

  • Secure Hash Algorithm (SHA): Algorithm for NIST's Secure Hash Standard (SHS), described in FIPS 180-4 The status of NIST hash algorithms can be found on their " Policy on Hash Functions" page.

    • SHA-1 produces a 160-bit hash value and was originally published as FIPS PUB 180-1 and RFC 3174. SHA-1 was deprecated by NIST as of the end of 2013 although it is still widely used.

    • SHA-2, originally described in FIPS PUB 180-2 and eventually replaced by FIPS PUB 180-3 (and FIPS PUB 180-4), comprises five algorithms in the SHS: SHA-1 plus SHA-224, SHA-256, SHA-384, and SHA-512 which can produce hash values that are 224, 256, 384, or 512 bits in length, respectively. SHA-2 recommends use of SHA-1, SHA-224, and SHA-256 for messages less than 264 bits in length, and employs a 512 bit block size; SHA-384 and SHA-512 are recommended for messages less than 2128 bits in length, and employs a 1,024 bit block size. FIPS PUB 180-4 also introduces the concept of a truncated hash in SHA-512/t, a generic name referring to a hash value based upon the SHA-512 algorithm that has been truncated to t bits; SHA-512/224 and SHA-512/256 are specifically described. SHA-224, -256, -384, and -512 are also described in RFC 4634.

    • SHA-3 is the current SHS algorithm. Although there had not been any successful attacks on SHA-2, NIST decided that having an alternative to SHA-2 using a different algorithm would be prudent. In 2007, they launched a SHA-3 Competition to find that alternative; a list of submissions can be found at The SHA-3 Zoo. In 2012, NIST announced that after reviewing 64 submissions, the winner was Keccak (pronounced "catch-ack"), a family of hash algorithms based on sponge functions. The NIST version can support hash output sizes of 256 and 512 bits.

  • RIPEMD: A series of message digests that initially came from the RIPE (RACE Integrity Primitives Evaluation) project. RIPEMD-160 was designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, and optimized for 32-bit processors to replace the then-current 128-bit hash functions. Other versions include RIPEMD-256, RIPEMD-320, and RIPEMD-128.

  • HAVAL (HAsh of VAriable Length): Designed by Y. Zheng, J. Pieprzyk and J. Seberry, a hash algorithm with many levels of security. HAVAL can create hash values that are 128, 160, 192, 224, or 256 bits in length. More details can be found in a AUSCRYPT '92 paper.

  • Whirlpool: Designed by V. Rijmen (co-inventor of Rijndael) and P.S.L.M. Barreto, Whirlpool is one of two hash functions endorsed by the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) competition (the other being SHA). Whirlpool operates on messages less than 2256 bits in length and produces a message digest of 512 bits. The design of this hash function is very different than that of MD5 and SHA-1, making it immune to the same attacks as on those hashes.

  • Tiger: Designed by Ross Anderson and Eli Biham, Tiger is designed to be secure, run efficiently on 64-bit processors, and easily replace MD4, MD5, SHA and SHA-1 in other applications. Tiger/192 produces a 192-bit output and is compatible with 64-bit architectures; Tiger/128 and Tiger/160 produce a hash of length 128 and 160 bits, respectively, to provide compatibility with the other hash functions mentioned above.

  • eD2k: Named for the EDonkey2000 Network (eD2K), the eD2k hash is a root hash of an MD4 hash list of a given file. A root hash is used on peer-to-peer file transfer networks, where a file is broken into chunks; each chunk has its own MD4 hash associated with it and the server maintains a file that contains the hash list of all of the chunks. The root hash is the hash of the hash list file.

Readers might be interested in HashCalc, a Windows-based program that calculates hash values using a dozen algorithms, including MD5, SHA-1 and several variants, RIPEMD-160, and Tiger. Command line utilities that calculate hash values include sha_verify by Dan Mares (Windows; supports MD5, SHA-1, SHA-2) and md5deep (cross-platform; supports MD5, SHA-1, SHA-256, Tiger, and Whirlpool).

A digression on hash collisions. Hash functions are sometimes misunderstood and some sources claim that no two files can have the same hash value. This is, in theory if not in fact, incorrect. Consider a hash function that provides a 128-bit hash value. There are, then, 2128 possible hash values. But there are an infinite number of possible files and ∞ >>&nbsp2128. Therefore, there have to be multiple files — in fact, there have to be an infinite number of files! — that have the same 128-bit hash value. (Now, while even this is theoretically correct, it is not true in practice because hash algorithms are designed to work with a limited message size, as mentioned above. For example, SHA-1, SHA-224, and SHA-256 produce hash values that are 160, 224, and 256 bits in length, respectively, and limit the message length to less than 264 bits; SHA-384 and all SHA-256 variants limit the message length to less than 2128 bits. Nevertheless, hopefully you get my point.)

The difficulty is not necessarily in finding two files with the same hash, but in finding a second file that has the same hash value as a given first file. Consider this example. A human head has, generally, no more than 150,000 hairs. Since there are more than 7 billion people on earth, we know that there are a lot of people with the same number of hairs on their heads. Finding two people with the same number of hairs, then, would be relatively simple. The harder problem is choosing one person (say, you, the reader) and then finding another person who has the same number of hairs on their head as you have on yours.

This is somewhat similar to the Birthday Problem. We know from probability that if you choose a random group of 23 people, the probability is about 50% that two will share a birthday (the probability goes up to 99.9% with a group of 70 people). However, if you randomly select one person in a group of 23 and try to find a match to that person, the probability is only about 6% of finding a match; you'd need a group of 253 for a 50% probability of a shared birthday to one of the people chosen at random (and a group of more than 4,000 to obtain a 99.9% probability).

What is hard to do, then, is to try to create a file that matches a given hash value so as to force a hash value collision — which is the reason that hash functions are used extensively for information security and computer forensics applications. Alas, researchers in 2004 found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms. Readers interested in this problem should read the following:

  • AccessData. (2006, April). MD5 Collisions: The Effect on Computer Forensics. AccessData White Paper.
  • Burr, W. (2006, March/April). Cryptographic hash standards: Where do we go from here? IEEE Security & Privacy, 4(2), 88-91.
  • Dwyer, D. (2009, June 3). SHA-1 Collision Attacks Now 252. SecureWorks Research blog.
  • Gutman, P., Naccache, D., & Palmer, C.C. (2005, May/June). When hashes collide. IEEE Security & Privacy, 3(3), 68-71.
  • Kessler, G.C. (2016). The Impact of MD5 File Hash Collisions on Digital Forensic Imaging. Journal of Digital Forensics, Security & Law, 11(4), 129-138.
  • Kessler, G.C. (2016). The Impact of SHA-1 File Hash Collisions on Digital Forensic Imaging: A Follow-Up Experiment. Journal of Digital Forensics, Security & Law, 11(4), 139-148.
  • Klima, V. (March 2005). Finding MD5 Collisions - a Toy For a Notebook.
  • Lee, R. (2009, January 7). Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes. SANS Computer Forensics blog.
  • Stevens, M., Bursztein, E., Karpman, P., Albertini, A., & Markov, Y. (2017). The first collision for full SHA-1.
  • Stevens, M., Karpman, P., & Peyrin, T. (2015, October 8). Freestart collision on full SHA-1. Cryptology ePrint Archive, Report 2015/967.
  • Thompson, E. (2005, February). MD5 collisions and the impact on computer forensics. Digital Investigation, 2(1), 36-40.
  • Wang, X., Feng, D., Lai, X., & Yu, H. (2004, August). Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD.
  • Wang, X., Yin, Y.L., & Yu, H. (2005, February 13). Collision Search Attacks on SHA1.

Readers are also referred to the Eindhoven University of Technology HashClash Project Web site. for For dditional information on hash functions, see David Hopwood's MessageDigest Algorithms page and Peter Selinger's MD5 Collision Demo page. For historical purposes, take a look at the situation with hash collisions, circa 2005, in RFC 4270.

In October 2015, the SHA-1 Freestart Collision was announced; see a report by Bruce Schneier and the developers of the attack (as well as the paper above by Stevens, Karpman, and Peyrin (2015)). In February 2017, the first SHA-1 collision was announced on the Google Security Blog and Centrum Wiskunde & Informatica's Shattered page. See also the paper by Stevens et al. (2017), listed above.

For an interesting twist on this discussion, read about the Nostradamus attack reported at Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 (by M. Stevens, A.K. Lenstra, and B. de Weger, November 2007).

Finally, note that certain extensions of hash functions are used for a variety of information security and digital forensics applications, such as:

  • Hash libraries, aka hashsets, are sets of hash values corresponding to known files. A hashset containing the hash values of all files known to be a part of a given operating system, for example, could form a set of known good files, and could be ignored in an investigation for malware or other suspicious file, whereas as hash library of known child pornographic images could form a set of known bad files and be the target of such an investigation.
  • Rolling hashes refer to a set of hash values that are computed based upon a fixed-length "sliding window" through the input. As an example, a hash value might be computed on bytes 1-10 of a file, then on bytes 2-11, 3-12, 4-13, etc.
  • Fuzzy hashes are an area of intense research and represent hash values that represent two inputs that are similar. Fuzzy hashes are used to detect documents, images, or other files that are close to each other with respect to content. See "Fuzzy Hashing" (PDF) by Jesse Kornblum for a good treatment of this topic.

3.4. Why Three Encryption Techniques?

So, why are there so many different types of cryptographic schemes? Why can't we do everything we need with just one?

The answer is that each scheme is optimized for some specific cryptographic application(s). Hash functions, for example, are well-suited for ensuring data integrity because any change made to the contents of a message will result in the receiver calculating a different hash value than the one placed in the transmission by the sender. Since it is highly unlikely that two different messages will yield the same hash value, data integrity is ensured to a high degree of confidence.

Secret key cryptography, on the other hand, is ideally suited to encrypting messages, thus providing privacy and confidentiality. The sender can generate a session key on a per-message basis to encrypt the message; the receiver, of course, needs the same session key in order to decrypt the message.

Key exchange, of course, is a key application of public key cryptography (no pun intended). Asymmetric schemes can also be used for non-repudiation and user authentication; if the receiver can obtain the session key encrypted with the sender's private key, then only this sender could have sent the message. Public key cryptography could, theoretically, also be used to encrypt messages although this is rarely done because secret key cryptography values can generally be computed about 1000 times faster than public key cryptography values.



FIGURE 4: Use of the three cryptographic techniques for secure communication.


Figure 4 puts all of this together and shows how a hybrid cryptographic scheme combines all of these functions to form a secure transmission comprising a digital signature and digital envelope. In this example, the sender of the message is Alice and the receiver is Bob.

A digital envelope comprises an encrypted message and an encrypted session key. Alice uses secret key cryptography to encrypt her message using the session key, which she generates at random with each session. Alice then encrypts the session key using Bob's public key. The encrypted message and encrypted session key together form the digital envelope. Upon receipt, Bob recovers the session secret key using his private key and then decrypts the encrypted message.

The digital signature is formed in two steps. First, Alice computes the hash value of her message; next, she encrypts the hash value with her private key. Upon receipt of the digital signature, Bob recovers the hash value calculated by Alice by decrypting the digital signature with Alice's public key. Bob can then apply the hash function to Alice's original message, which he has already decrypted (see previous paragraph). If the resultant hash value is not the same as the value supplied by Alice, then Bob knows that the message has been altered; if the hash values are the same, Bob should believe that the message he received is identical to the one that Alice sent.

This scheme also provides nonrepudiation since it proves that Alice sent the message; if the hash value recovered by Bob using Alice's public key proves that the message has not been altered, then only Alice could have created the digital signature. Bob also has proof that he is the intended receiver; if he can correctly decrypt the message, then he must have correctly decrypted the session key meaning that his is the correct private key.

This diagram purposely suggests a cryptosystem where the session key is used for just a single session. Even if this session key is somehow broken, only this session will be compromised; the session key for the next session is not based upon the key for this session, just as this session's key was not dependent on the key from the previous session. This is known as Perfect Forward Secrecy; you might lose one session key due to a compromise but you won't lose all of them. (This was an issue in the 2014 OpenSSL vulnerability known as Heartbleed.)

3.5. The Significance of Key Length

In a 1998 article in the industry literature, a writer made the claim that 56-bit keys did not provide as adequate protection for DES at that time as they did in 1975 because computers were 1000 times faster in 1998 than in 1975. Therefore, the writer went on, we needed 56,000-bit keys in 1998 instead of 56-bit keys to provide adequate protection. The conclusion was then drawn that because 56,000-bit keys are infeasible (true), we should accept the fact that we have to live with weak cryptography (false!). The major error here is that the writer did not take into account that the number of possible key values double whenever a single bit is added to the key length; thus, a 57-bit key has twice as many values as a 56-bit key (because 257 is two times 256). In fact, a 66-bit key would have 1024 times more values than a 56-bit key.

But this does bring up the question, "What is the significance of key length as it affects the level of protection?"

In cryptography, size does matter. The larger the key, the harder it is to crack a block of encrypted data. The reason that large keys offer more protection is almost obvious; computers have made it easier to attack ciphertext by using brute force methods rather than by attacking the mathematics (which are generally well-known anyway). With a brute force attack, the attacker merely generates every possible key and applies it to the ciphertext. Any resulting plaintext that makes sense offers a candidate for a legitimate key. This was the basis, of course, of the EFF's attack on DES.

Until the mid-1990s or so, brute force attacks were beyond the capabilities of computers that were within the budget of the attacker community. By that time, however, significant compute power was typically available and accessible. General-purpose computers such as PCs were already being used for brute force attacks. For serious attackers with money to spend, such as some large companies or governments, Field Programmable Gate Array (FPGA) or Application-Specific Integrated Circuits (ASIC) technology offered the ability to build specialized chips that could provide even faster and cheaper solutions than a PC. As an example, the AT&T Optimized Reconfigurable Cell Array (ORCA) FPGA chip cost about 0 and could test 30 million DES keys per second, while a ASIC chip could test 200 million DES keys per second; compare that to a PC which might be able to test 40,000 keys per second. Distributed attacks, harnessing the power of up to tens of thousands of powerful CPUs, are now commonly employed to try to brute-force crypto keys.

The table below — from a 1995 article discussing both why exporting 40-bit keys was, in essence, no crypto at all and why DES' days were numbered — shows what DES key sizes were needed to protect data from attackers with different time and financial resources. This information was not merely academic; one of the basic tenets of any security system is to have an idea of what you are protecting and from whom are you protecting it! The table clearly shows that a 40-bit key was essentially worthless against even the most unsophisticated attacker. On the other hand, 56-bit keys were fairly strong unless you might be subject to some pretty serious corporate or government espionage. But note that even 56-bit keys were clearly on the decline in their value and that the times in the table were worst cases.

TABLE 1. Minimum Key Lengths for Symmetric Ciphers (1995).Type of Attacker Budget Tool Time and Cost
Per Key Recovered Key Length Needed
For Protection
In Late-1995 40 bits 56 bits
Pedestrian Hacker Tiny Scavenged
computer
time
1 week Infeasible 45
0 FPGA 5 hours
(

Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients Overview. The first step in building an.

.08)
38 years
(,000)
50
Small Business ,000 FPGA 12 minutes
(

  Data File Formats and File Extensions - Complete List

.!bt BitTorrent Incomplete Download file
.!qb qBittorrent Partial Download file
.!ut uTorrent Incomplete Download file
.#24 Printer data file for 24 pin matrix printer (LocoScript)
.#ib Printer data file (LocoScript)
.#sc Printer data file (LocoScript)
.#st Standard mode printer definitions (LocoScript)
.$#! Cryptext
.$$$ Temporary file
. Pipe file (DOS)
. Pipe file (DOS)
.$db Temporary file (dBASE IV)
.$ed Editor temporary file (MS C)
.$er GroupWise Database
.$o1 Pipe file (DOS)
.$vm Virtual manager temporary file (Windows 3.x)
.^^^ Pervasive.SQL Database file
.__a File Splitter & Joiner Encrypted file
.__b File Splitter & Joiner Encrypted Archive file
._dd Norton Disk Doctor Recovered file
._eml Windows Live Mail Email file
._nws Windows Live Mail Newsgroup Copy file
._p Malicious Software Removal Tool Temporary file
.$ Temporary file (1st Reader)
.ap Old AppExpert project database (Borland C++ 4.5)
.de Project backup (Borland C++ 4.5)
.hm HostMonitor TestList Backup file
.mn Menu backup (Norton Commander)
.{pb Corel WordPerfect Document Index file
.1$1 Temporary file (1st Reader)
.000 Image Data Recovery file
Compressed harddisk data (DoubleSpace)
.001 Norton Ghost Span file
Multiple Volume Compressed file
Fax (many)
.075 75x75 dpi display font (Ventura Publisher)
.085 85x85 dpi display font (Ventura Publisher)
.091 91x91 dpi display font (Ventura Publisher)
.096 96x96 dpi display font (Ventura Publisher)
.0b Printer font with lineDraw extended character set (PageMaker)
.0xe F-Secure Renamed Virus file
.1 Inno Setup Binary file
Roff/nroff/troff/groff source for manual page (cawf2.zip)
.10 IBM Voice Type Script file
.113 Iomega Backup file
.123 Lotus 1-2-3 Spreadsheet file
.15u Printer font with PI font set (PageMaker)
.1pe TurboTax Form file
.1ph TurboTax file
.1st Usually README.1ST text
.2 Setup Factory 6.0 setup launcher
.264 Ripped Video Data file
.2d 2d Drawings (VersaCad)
.2da 2 Dimensional Data Array file
.2dl 2d Libraries (VersaCad)
.3d 3d Drawings (VersaCad)
.3dl 3d Libraries (VersaCad)
.3dv 3D VRML World
.301 Fax (Super FAX 2000 - Fax-Mail 96)
.386 Intel 80386 processor driver (Windows 3.x)
.3da 3D Assembly file
.3dd ArcGlobe Document file
.3dr 3DMark Benchmark file
.3ds Graphics (3D Studio)
.3dt Database for 3D mind map / concept map (3D Topicscape)
.3fx Effect (CorelChart)
.3g2 3GPP2 file format
.3gp 3GPP Multimedia file
.3gr Data file (Windows Video Grabber)
.3ko NGRAIN Mobilizer
.3me TurboTax Form file
.3mm 3D Movie Maker Movie Project
.3pe TurboTax 2008 Form file
.3t4 Binary file converter to ASCII (Util3)
.411 Sony Mavica Data file
.4c$ Datafile (4Cast/2)
.4dv 4D View Ultrasound file
.4mp 4-MP3 Database file
.4sw 4dos Swap File
.4th Forth source code file (ForthCMP - LMI Forth)
.5cr Preconfigured drivers for System 5cr and System 5cr Plus
.669 Music (8 channels) (The 669 Composer)
.6cm Music (6 Channel Module) (Triton FastTracker)
.777 7-Zip compressed file archive
.7z 7-Zip archiving format
.8 A86 assembler source code file
.8b? Adobe Photoshop Plugin file
.8ba Adobe Photoshop Plugin file
.8bf Adobe Photoshop Plugin file
.8bi Adobe Photoshop Plugin file
.8cm Music (8 Channel Module) (Triton FastTracker)
.8li Photoshop Scripting Plug-in
.8m Printer font with Math 8 extended character set (PageMaker)
.8pbs Adobe Photoshop Macintosh file
.8u Printer font with Roman 8 extended character set (PageMaker)
.a Ada source code file
Library (unix)
.a0? ALZip Split Archive file
.a11 Graphics AIIM image file
.a2b A2B Player Playlist
.a3d Amapi 3D Modeling file
.a3m Unpackaged Authorware MacIntosh file
.a3w Unpackaged Authorware Windows file
.a4a Authorware 4.x Library
.a4m Unpackaged Authorware MacIntosh file
.a4p Authorware file packaged without runtime
.a4w Unpackaged Authorware Windows file
.a5w Unpackaged Authorware Windows file
.aa Audible Audio file
.aab Macromedia Authorware Binary
.aac Advanced Audio Coding MPEG-2, MPEG-4
.aam Authorware shocked file
.aax Audible Audiobook file
.ab2 Parson's Address Book
.ab6 Datafile (ABStat)
.ab8 Datafile (ABStat)
.aba Palm Address Book file
.abc ActionScript Byte Code File
ABC FLOWCHARTER 1.x flowchart
ABC2K Audio/Video Controller Software
.abd AmBiz Bonus Calculator data file
Adventure Builder database
.abf Adobe Binary Font
.abi ABI CODER Encryption software
AOL extension: AOL 6 Organizer
.abk Automatic backup file (CorelDRAW)
.abm ImagePals Photo Album Document
Montage Photo Album file
PhotoPlus Album file
.abr Adobe Photoshop brush file
.abs Abstracts (info file)
Data file (Abscissa)
MPEG audio sound file
.abw AbiWord document
.abx WordPerfect Address Book file
.aby AOL file (located in AOL program directory)
.ac3 AC3 Audio File Format
.aca Microsoft Agent Character file
Project (Project Manager Workbench)
.acb Graphics (ACMB)
.acc Program (DR-DOS - ViewMax) (GEM / resident)
.acd Sonic Foundry Acid music file
.ace Ace Archiver / WinAce compressed file
.acf Microsoft Agent Character file
Adobe Photoshop Custom Filter
.aci ACI Development Appraisal
.acl Microsoft Office Auto Correction file
Document file (Audit Command Language)
ArborText Command Language
.acm Audio Compression Manager Driver
Photoshop command button
Windows system file
ACBM image file
Interplay compressed Sound file
.acorn ACORN Graphics format
.acs MS Agent Character file
.acs2 AIMP2 Media Player Skin file
.acsm Adobe Content Server Message file
.act Actor source code file
Foxdoc Action Diagrams (FoxPro)
Presentation (Action!)
.acv OS/2 Audio Drivers
Photoshop Saved Curve
.ad Screen saver data (AfterDark)
.ada Ada source code file
.adb Ada Package Body
.adc Bitmap graphics (16 colors) (Scanstudio)
.ade Microsoft Access Project
.adf Adapter Description file
Admin Config file
Amiga Disk File
Dog Creek QC Mask file
.adi Graphics (AutoCAD)
.adl Mca adapter description library (QEMM)
.adm After Dark Screen Saver Module
Windows Policy Template
Addict Compiled Dictionary
Administrative template files for protected mode in Internet Explorer 7.0
Advantage Data Server Database Memo file
.adn Add-in (Lotus 1-2-3)
.ado Photoshop Duotone Options
Stata Program
.adp FaxWorks Modem setup file
Astound Dynamite file
MS Access Project
AOLserver Dynamic Page file
.adr Address Book
Address Plus Database
After Dark Random Screen Saver Module
Opera Web Browser Bookmark file
Smart Address Address Book
.ads Ada Package Specification
.adt Datafile for cardfile application (HP NewWave)
Fax (AdTech)
.adx Document (Archetype Designer)
.adz GZ-Packed Amiga Disk file
.aeh iPer Advanced Embedded Hypertext
.aep Adobe After Effects Project file
.aex PGP Armored Extracted Public Encryption Key
After Effects Plugin file
.af2 Flowchart (ABC FlowCharter 2.0)
.aff AnyForm Form file
.afi Truevision bitmap graphics
.afl Font file (for Allways) (Lotus 1-2-3)
.afm Type 1 font metric ASCII data for font installer (ATM - many)
Datafile for cardfile application (HP NewWave)
.afs Adobe Type Manager font set
.aft AnyForm template file
.ag Applixware graphics file
.agp Aspen Graphics Pages
.agw Aspen Graphics Windows
.ai Vector graphics (Adobe Illustrator)
.aiff Audio interchange file format
.ain Compressed file archive created by AIN
.aio APL file transfer format file
.air Adobe AIR Installation Package file
Automatic Image Registration
.ais Array of Intensity Samples graphics (Xerox)
.aix Datafile for cardfile application (HP NewWave)
.ajp JPEG2000 Digital closed-circuit television (CCTV) security camera video format
.alb JASC Image Commander Album
Photo Soap2 file
Steinberg Cubase or VST Backup Song file
.albm webAlbum Photo Album
HP Photosmart Photo Printing Album
.all Format file for working pages (Always)
General printer information (WordPerfect for Win)
Symbol and font files (Arts & Letters)
.als Alias Image
Calmira Shortcut file
.alt Menu file (WordPerfect Library)
.alx ActiveX Layout file
.alz ALZip Compressed file
.amf Music (Advanced Module Format)
.amff Amiga Metafile
.amg Compressed file archive created by AMGC
System image file (Actor)
.amp Photoshop Arbitrary Map Settings
.amr Adaptive Multi-Rate ACELP Codec
Above audio file extension
.amv AMV Video file
.amx After Effects Motion Exchange file
.anc Animation file format (MorphInk)
.ani Animation (Presidio - many)
.anm Animation (Deluxe Paint Animator)
.ann Help Annotations (Windows 3.x)
.ans Ansi graphics (character animation)
Ascii text ANSI character set (NewWave Write)
.aos Add-On Software (Nokia 9000)
ARCHOS 504 media
.ap Compressed Amiga file archive created by WHAP
Datafile (Datalex EntryPoint 90)
Artwork Systems Program (ArtPro)
.apc Printer driver (Lotus 1-2-3)
.apd Printer driver (Lotus 1-2-3)
.ape Music format (different players)
.apf Printer driver (Lotus 1-2-3)
.api Adobe Acrobat Plugin file
Passed parameter file (1st Reader)
Printer driver (Lotus 1-2-3)
.apk Android Package file
.apl APL work space format file
.apm ArcPad 6 file
.app Add-in application file (Symphony)
Application object file (dBASE Application Generator)
Executable application file (DR-DOS - NeXTstep - Atari)
Generated application (FoxPro)
.apr Employee performance review (Employee Appraiser)
.aps MS Visual C++ file
ArcPad 5 Symbology file
.apx Appexpert database file (Borland C++ 4.5)
.arc Compressed file archive created by ARC (arc602.exe/pk361.exe)
Compressed file archive created by SQUASH (squash.arc)
.arf Automatic Response file
.arg AutoCAD Profile Export file
.ari Compressed file archive created by ARI
.arj Compressed file archive created by ARJ (arj241.exe)
.arl AOL Organizer File
.ark Arc file archive created by CP/M port of ARC file archiver
Compressed file archive created by QUARK
.arr Arrangement (Atari Cubase)
.ars Adobe After Effects Render
.art Graphics (scrapbook) (Art Import)
Raster graphics (First Publisher)
.arv Arsiv File
AutoRoute User Information
.arx Compressed file archive created by ARX
.asa MS Visual InterDev file
Active Server Document
.asc Ascii text file
Adobe ActionScript Communication file
Transport armor file (PGP)
.ascx Microsoft ASP.NET user control file
.asd Autosave file (Word for Windows)
Presentation (Astound)
Screen driver (Lotus 1-2-3)
.asf Datafile (STATGRAPHICS)
Screen font (Lotus 1-2-3)
.ash Assembly language header file (TASM 3.0)
.asi Assembler include file (Turbo C - Borland C++)
.asl Adobe Photoshop Layer file
.asm Assembly source code file
Pro/Engineer Assembly file
.asmx Microsoft .NET Web Service file
.aso Assembler object (object orientated) file (Turbo Assembler)
.asp Microsoft Active Server Page
Aspect source code file (Procomm Plus)
Association of Shareware Professionals OMBUDSMN.ASP notice
.aspx Microsoft ASP.NET file
.asr Ms Automap Route
Photoshop Scratch Area
.asx Microsoft Windows Media Active Stream Redirector file
.asx Microsoft Advanced Streaming Format
.at2 Auto template (Aldus Persuasion 2.0)
.atm Adobe Type Manager data/info
.atn Adobe Photoshop Action file
.atr Lightscape Material Library
.att AT&T Group 4 Bitmap
.aty 3D Topicscape (Exported association type)
.au Sound (audio) file (SUN Microsystems)
.au3 Autoit3 script file
.aud Audio file
.aut AutoIt Script
PocketWear Car Lease Kit vehicle data file
TLG Workplace CD search file
Xitami Webserver Admin Password file
GPSMan-autoMapic file
Signwave Auto-Illustrator file
Descent Manager Mission file
Authentication file (various)
Interactive Pictures iPIX Format
.aux Auxillary references (TeX/LaTeX)
Auxiliary dictionary (ChiWriter)
.ava Publication (Avagio)
.avb Inoculan Anti-Virus virus infected file
Microsoft Chat character file
.avd Avery Label Pro Data file
.avi Audio Video Interleaved animation file (Video for Windows)
.avr Audio Visual Research file
.avs Animation file
Application Visualization System Format
Stardent AVS-X image
Winamp Advanced Visualization Studio file
.avx ArcView file
.aw Text file (HP AdvanceWrite)
Answer Wizard for Microsoft Help
.awb Lavasoft Ad-aware backup file
.awd AWD MS Fax
Award BIOS file
AWK Language Source Code file
.awe Adobe Acrobat Bookmark XML file
.awk Awk script/program
.awm Movie (Animation Works)
.awp Microsoft Fax key viewer
.awr Telsis Digital Audio file
.aws Data (STATGRAPHICS)
.ax DirectShow Filter
.axd Avery Label Pro Re-Index file
Actrix Technical file
.axe Paradigm C++ Integrated Debugger file
ChordMaster
MS Autoroute export file
.axg MS Autoroute Trip file
.axl ArcIMS XML Project file
.axs AMX Axcess control system file format
HTML Active X script
.axt ZenWorks snAPPshot ASCII Application Object template
Photoshop Replace Color/Color Range
.axx axxess files used as backups of Inter-Tel databases
.azw Amazon Kindle eBook File
.azz AZZ Cardfile
.b Batch list (APPLAUSE)
.b&w Black and white graphics (atari - mac)
.bk backup file
Mono binary screen image (1st Reader)
.b00 CD Image Segment file
.b16 PCO Graphic file
.b1n Both mono and color binary screen image (1st Reader)
.b1s Booksmith
.b30 Printer font (JLaser - Cordata) (Ventura Publisher)
.b3d 3D Builder file
.b5i Blindwrite 5 Disk Image file
.b5t Blindwrite 5 Image Information file
.b6i Blindwrite 6 Disk Image file
.b6t Blindwrite 6 Image Information file
.b8 Raw graphics (one byte per pixel) plane two (PicLab)
.b_w Black and white graphics (atari - mac)
.bad Bad file (Oracle)
.bag PMMail Mail Index file
OS/2 Netfinity Manager Sysinfo file
AOL Instant Messenger file
.backup Ad-Aware Reference file
.bak Backup file
.bal Music score (Ballade)
.ban Sierra Print Artist Banner
.bar Horizontal bar menu object file (dBASE Application Generator)
.bas Basic source code file
Microsoft Visual Basic class module
.bat Batch file (DOS)
.bb Database backup (Papyrus)
.bba Settler IV Archive file
.bbl Bibliographic reference (TeX/BibTeX)
.bbm Brush (Deluxe Paint)
.bbs Bulletin Board System announce or text info file
.bc! Bitcomet Incompleted Download file
.bcf ConfigSafe Snapshot index
Belarc Advisor Content File
The Sims (Maxis) File
.bch Batch process object file (dBASE Application Generator)
Datafile (Datalex EntryPoint 90)
.bck Backup
.bcm MS Works Communications file
.bcn Business Card Pro Design
.bco Outline font description (Bitstream)
.bcp Borland C++ makefile
.bct Business Card Designer template
.bcw Environment settings (Borland C++ 4.5)
.bde Borland Database Engine
.bdf Bitmap Distribution Format font file (X11)
Datafile (Egret)
.bdm AVCHD Index file
.bdmv Blu-ray information file
.bdr Border (MS Publisher)
.bez Outline font description (Bitstream)
.bf2 Bradford 2 font
.bff Binary file format
.bfm Font metrics (unix/Frame)
.bfs Tivoli Storage Manager file
.bfx Fax (BitFax)
.bga Bitmap graphics
.bgt Quicken 2002 Internet Common File
.bgi Borland Graphics Interface device driver
.bgl Flight Simulator scenery file
.bgt Quicken 2002 Internet Common File
.bib Bibliography (ASCII)
Database - not compatible with TeX format (Papyrus)
Literature database (TeX/BibTeX)
.bic Civilization III Scenario
.bid BidMaker 2002 file
.bif Binary Image Format b&w graphics (Image Capture board)
.bik BioCharter Profile backup file
Bink Game video file
.bin Binary file
.bio OS/2 BIOS
.bip Free-motion capture files for character studio biped
.bit Bitmap Image
Worms Armageddon Imported Map
Worms World Party Imported Map
.bk Faxbook (JetFax)
.bk! Document backup (WordPerfect for Win)
.bk1 Timed backup file for document window 1 (WordPerfect for Win)
.bk2 Timed backup file for document window 2 (WordPerfect for Win)
.bk3 Timed backup file for document window 3 (WordPerfect for Win)
.bk4 Timed backup file for document window 4 (WordPerfect for Win)
.bk5 Timed backup file for document window 5 (WordPerfect for Win)
.bk6 Timed backup file for document window 6 (WordPerfect for Win)
.bk7 Timed backup file for document window 7 (WordPerfect for Win)
.bk8 Timed backup file for document window 8 (WordPerfect for Win)
.bk9 Timed backup file for document window 9 (WordPerfect for Win)
.bkf Microsoft Backup file
.bkg Background file
UWXAFS Binary Format Data file
.bkp Backup file (Write - TurboVidion DialogDesigner)
.bkw Mirror image of font set (FontEdit)
.blb DreamWorks Resource Archive
.bld Bloadable picture (BASIC)
.blend Blender 3D file
.blf Windows Registry Recovery file
Bantec Scanner Driver file
.blg Binary Performance Log File
.blk Temporary file (WordPerfect for Win)
Lightscape Block Library
Alias Wavefront Image
VersaPro Block
.blob Steam Archive file
.blt Saved AIM Buddy List file
Wordperfect for DOS file
.bm Bitmap graphics
.bmf Corel Image file
.bmi 3ds max Executable
.bmk Help Bookmarks (Windows 3.x)
.bmp Bitmap graphics (PC Paintbrush - many)
.bmx Buzz music file
.bnd Typequick file
.bndl Bundle file
.bnk Adlib instrument bank file
.bob BobDown Downloading Program
Bob Raytracer
.bom MicroSim PCBoard Bill of Materials
Orcad Schematic Capture Bill of Materials file
Softshare Delta Business Object Model
.boo Compressed file ASCII archive created by BOO (msbooasm.arc)
.book Adobe FrameMaker Book
HTMLDOC document
.bot Linkbot file
.box Myriad Jukebox file
Notes Mailbox
.bpc Chart (Business Plan Toolkit)
.bpl Delphi Library
.bpt Bitmap fills file (CorelDRAW)
.bqy BrioQuery file
.br Script (Bridge)
.brd Eagle Layout file
.brf Braille ASCII file
.brk Fax (Brooktrout Fax-Mail)
.brn BornoSoft Bangla2000 (a Bengali word processor) File extension
.bro Tree Professional Broadleaf Creator file
.brp Tree Professional Broadleaf Creator image
.brt Micrografx Picture Publisher file
.brx Multimedia browsing index
.bsa Compressed file archive created by BSARC
.bsb MapInfo Sea Chart
SWAT Sub-basin Output file
.bsc Compressed Apple II file archive created by BINSCII
Database (Source Browser)
Pwbrmake object file (MS Fortran)
.bsdl Boundary Scan Description Language
.bsl BSPlayer Configuration file
.bsp Half-life/TFC/CS Map
Quake Map
.bst BibTeX Style file
.bsv Bluespec System Verilog file
.bt! BitTorrent Partial Download file
.btm Batch To Memory batch file (4DOS)
.btn Buttonware file
.bto Baytex Organix! 2001 Language Kit
.btr Btrieve Database file
MS Frontpage-related file
.btx DB/TextWorks Database Term & Indexes
.bud Quicken Backup
.bug Bugs and Problems
.bun Bundled Audio files
.bup DVD Backup file
.but Button definitions (Buttons!)
.buy Datafile format (movie)
.bv1 Overflow file below insert point in Doc 1 (WordPerfect for Win)
.bv2 Overflow file below insert point in Doc 2 (WordPerfect for Win)
.bv3 Overflow file below insert point in Doc 3 (WordPerfect for Win)
.bv4 Overflow file below insert point in Doc 4 (WordPerfect for Win)
.bv5 Overflow file below insert point in Doc 5 (WordPerfect for Win)
.bv6 Overflow file below insert point in Doc 6 (WordPerfect for Win)
.bv7 Overflow file below insert point in Doc 7 (WordPerfect for Win)
.bv8 Overflow file below insert point in Doc 8 (WordPerfect for Win)
.bv9 Overflow file below insert point in Doc 9 (WordPerfect for Win)
.bwa BlindWrite Disk Image Information file
.bwb Spreadsheet application (Visual Baler)
.bwi Blindread/Blindwrite
.bwr Beware (buglist) (Kermit)
.bws Blindwrite Sub Channel Data File
.bwt Blindread/Blindwrite
.bxx blaxxun Contact
.bz2 Bzip 2 UNIX Compressed file
.c C source code file
Compressed unix file archive created by COMPACT
.c++ C++ source code file
.c-- Source code (Sphinx C--)
.c00 Print file (Ventura Publisher)
WinAce Split Archive file
.c01 Genesis 2000
.c2d WinOnCD CD Image
.c4d MAXON Cinema 4D File (Graphics)
.c60 Midtronics Battery Management Software
.c86 C source code file (Computer Innovation C86)
.ca Initial cache data for root domain servers (Telnet)
.cab Cabinet File (Microsoft installation archive)
.cache Cache file (typically Web cache)
.cad Softdesk Drafix CAD File
.cac dBASE IV executable when caching on/off (see cachedb.bat)
.cad Document (Drafix Windows CAD)
.cag MS Clip Gallery Catalog file
.cal Calendar file (Windows 3.x)
Calendar Maker Pro
.calb Coolect Album file (Coolect Album Player)
Spreatsheet (SuperCalc)
.cam Casio Camera Graphic
.can Fax (Navigator Fax)
.cap Caption (Ventura Publisher)
Session capture file (Telix)
.car AtHome Assistant file
Carrara Environment
NeoBook Cartoon
.cas Comma-delimited ASCII File
.cat Catalog (dBASE IV)
.cb Clean Boot File (Microsoft)
Brief Macro Source Code
.cbc Fuzzy logic system (CubiCalc)
.cbf Calendar Builder file
.cbl Cobol source code file
.cbm Compiled bitmap graphics (XLib)
.cbp CentralBuilder Project
.cbr ComicBook Reader File archive (CDisplay image viewer)
.cbt Computer Based Training (many)
.cbz ComicBook Reader File archive (CDisplay image viewer)
.cc C++ source code file
.cca CC:Mail archive file
.ccb Visual Basic Animated Button Configuration
.ccc Bitmap graphics (native format) (Curtain Call)
.ccd CloneCD Related file
Vector CAD Program file
.cce Calendar Creator 2 Event file
.ccf Communications configuration file (Symphony)
.cch Chart (CorelChart)
.ccl Communication Command Language file (Intalk)
.cco Btx Graphics file (XBTX)
.cct Macromedia Director Shockwave file
.ccx Corel PrintHouse file
.cda CD Audio Track
.cdb Card database (CardScan)
Main database (TCU Turbo C Utilities)
.cdd ConceptDraw Document file
.cde Honeywell Hybrid Control Designer
.cdf Component Definition file
Graphics (netcdf)
.cdg Compact Disc Plus Graphics file
.cdi Phillips Compact Disk Interactive format
DiscJuggler Image file
.cdk Document (Atari Calamus)
.cdl CaseWare Working Papers Document Link
SignLab Vector Graphic
.cdm Media Maker Disk Image file
Visual dBASE Custom Data Module
.cdp Visual Objects Developer file
CD/Spectrum Pro
.cdr Vector graphics (CorelDRAW native format)
.cdt Data (CorelDraw 4.0)
.cdx CorelDraw Compressed Image file
Compound index (FoxPro)
.ce Main.ce (The FarSide Computer Calendar)
.ceb Apabi eBook file
.ceg Bitmap graphics (Tempra Show - Edsun Continuous Edge Graphics)
.cel Graphics (Autodesk Animator - Lumena)
.cf Sendmail Configuration file
Configuration file (imake)
.cfb Comptons multimedia file
.cfc Macromedia Coldfusion component extension
.cfg Configuration
.cfl Chart (CorelFLOW)
.cfm ColdFusion Markup Language (Allaire)
.cfn Font data (Atari Calamus)
.cfo C Form Object internal format object file (TCU Turbo C Utilities)
.cfp Quicken Cash Flow Projection file
Fax (The Complete Fax Portable)
.cfr Crossfire Replay file
.cga CGA display font (Ventura Publisher)
.cgd Cricket Graph Data file
.cge CCD Astrocamera
.cgi Common Gateway Interface script
.cgm Computer Graphics Metafile vector graphics (A&L - HG - many)
.ch Header file (Clipper 5)
.ch3 Chart (Harvard Graphics 3.0)
.ch4 Presentation (Charisma 4.0)
.chd Font descriptor (FontChameleon)
.chi Document (ChiWriter)
.chk Recovered data (ChkDsk)
Temporary file (WordPerfect for Win)
.chl Configuration History Log
.chm Compiled HTML
.chn Data (Ethnograph 3)
.cho ChordPro file
.chp Chapter file (Ventura Publisher)
.chr Character set (Turbo C - Turbo Pascal)
.cht Chart (Harvard Graphics 2.0 - SoftCraft Presenter)
Interface file for ChartMaster (dBASE)
.chw Compiled Help Index file
.cid AnalogX Caller ID file
.cif Caltech Intermediate Format graphics
Chapter information (Ventura Publisher)
.ciff Canon CIFF
.cil Clip Gallery Download Package
.cit Intergraph Raster File Reference
.cix Database index (TCU Turbo C Utilities)
.ckb Keyboard mapping (Borland C++ 4.5)
.cl Common LISP source code file
.cl3 Easy CD Creator Layout file
.cl4 Easy CD Creator Layout file
.cl5 Easy CD Creator Layout file
.class Java class file
.clb ICQ Contact List
MS Office XP Developer Code Librarian
cdrLabel Compact Disc Label
.clg Windows Catalog file
.cli Client Management System Customer file
.clm COLIMO file
.clp Clip art graphics (Quattro Pro)
Clipboard file (Windows 3.x)
Compiler script file (clip list) (Clipper 5)
.clpi Blue-ray Disc Clip Information file
.clr Color binary screen image (1st Reader)
Color definitions (Photostyler)
.cls C++ class definition file
.cm Data file (CraftMan)
.cmd Batch file (OS/2)
Command (dBASE - Waffle)
External command menu (1st Reader)
.cmf FM-music file (Creative Music File)
.cmg CMG file
.cmk Card (Card Shop Plus)
.cml COMAL programming language
.cmm Cmm script (batch) file (CEnvi)
.cmo Virtools Composition file
.cmp Header file for PostScript printer files (CorelDRAW)
User dictionary (MS Word for DOS)
Bitmap graphics (Lead CMP compression)
.cmq Culturemetrics file
.cmt Culturemetrics file
.cms TrialDirector media storage
.cmv Animation (CorelMove CorelDraw 4.0)
.cmx Corel PhotoPaint Image
Corel Presentation Exchange Image
The Sims (Maxis) 3D Body Mesh Data
Apple Viewer file
.cnc CNC general program data
.cnd ControlDraw file
Embroidery Design file
.cnf Configuration (program - printer setup)
.cnt Helpfile contents
.cnv Data conversion support file (Word for Windows)
Temporary file (WordPerfect for Win)
.cob Cobol source code file
.cod Datafile (Forecast Plus - MS Multiplan - StatPac Gold)
Program compiled code (FORTRAN)
Template source file (dBASE Application Generator)
Videotext file
.col Color palette (Autodesk Animator - many)
Spreadsheet (MS Multiplan)
.com Command (memory image of executable program) (DOS)
.con Configuration file (Simdir)
.conf Configuration file
.config Configuration file
.cor Protein Structure file
Web GPS Correction Server Export file
WMOVIEC Input file
.cpd Script (Complaints Desk)
.cpe MS Fax Cover Sheet
.cpf Fax (The Complete Fax)
Clever Cache Profile file
.cph Corel Print House image
.cpi Code Page Information file (DOS)
AVCHD Clip Information
Colorlab Processed Image bitmap graphics
.cpl Control panel file (Windows 3.x)
Presentation (Compel)
.cpo Corel Print House file
.cpp C++ source code file
Presentation (CA-Cricket Presents)
.cpr Cubase Project file
.cps Backup of startup files by Central Point PC Tools autoexec.cps
coloured postscript files
.cpt Compressed Mac file archive created by COMPACT PRO (ext-pc.zip)
Corel Photo-Paint Image
Encrypted memo file (dBASE)
Template (CA-Cricket Presents)
.cpx Control Panel Applet
Corel Presentation Exchange Compressed Drawing
.cpy Copy Books Data file
.cpz Music text file (COMPOZ)
.cr2 Canon Raw Image file
.crc Total Commander CRC file
.crd Cardfile (Windows 3.x - YourWay)
ColdRED Script file
Guitar Chord file
.crf Cross-reference (MS MASM - Zortech C++)
.crh Links Games Course file
MS Golf Image file
.crp Encrypted database (dBASE IV)
.crs File Conversion Resource (WordPerfect 5.1)
.crt Terminal settings information (Oracle)
Security certificate (Windows Sharepoint)
.crtr Multi-Ad Creator 7 document
.crtx Microsoft Chart Template file
.cru Compressed file archive created by CRUSH
.crw Canon RAW Image file
.crx Chrome Extension file
Links Games Course file
.crz Links Games Course file
.cs Visual C# Source file
.csa Comma Deliminated Text
Ultimate Ride Roller Coaster
.csf Adobe Colour Settings file
Van Dyke's CRT/SecureCRT Script file
.csg Graph (Statistica/w)
.csh Hamilton Labs C Shell Script file
.csk Claris Works
.csm Precompiled headers (Borland C++ 4.5)
.cso Compressed ISO Image file
.csp PC Emcee Screen Image file (Computer Support Corporation)
.css Cascading Sheet Style file
Datafile (CSS - Stats+)
Datasheet (Statistica/w)
.cst Macromedia Director Cast file
Panasonic music file (keyboard)
.csv Comma Separated Values text file format (ASCII)
Adjusted EGA/VGA palette (CompuShow)
.ct Continous Tone file
.ctc Control file (PC Installer)
.ctd Cobra Track Dump
Cardtable file
Marine Data file
Simpsons Cartoon Studio Export file
.ctf Character code translation file (Symphony)
.ctg Canon Catalog file
Cartridge Definition file
ChessBase Opening Book
Canon Powershot Pro 70 Info file
.ctl Microsoft Visual Basic Control file
Control file (dBASE IV - Aldus Setup)
Setup information
.ctn CADTERNS file
.ctt Messenger contacts file
Labview file
.ctu CZTU, a gamma-ray analysis program. Need the CTZU.exe file to work
.ctx Course TeXt file (Microsoft online guides)
Ciphertext file (Pretty Good Privacy RSA System)
.cty SimCity City file
.cue MS Cue Cards data
.cuf C Utilities Form definition (TCU Turbo C Utilities)
.cul Windows cursor library (IconForge, ImageForge, ImageForge PRO)
.cur Cursor image file (Windows 3.x)
.cut Bitmap graphics (Dr. Halo)
Dr Halo CUT files
.cv4 Color file (CodeView)
.cv5 Canvas version 5
.cva ACD Canvas Sequence Set file
Compaq Diagnostics
.cvb Borland BDE File
.cvd Bitdefender
.cvp Cover page (WinFax)
.cvr WinFax Cover Sheet
ElectraSoft Fax Cover Sheet
.cvs Graphics (Canvas)
.cvt Backup file for CONVERTed database file (dBASE IV)
.cvw Color file (CodeView)
.cwk Claris Works data
.cwz CropWalker file
.cxf Google Picasa Collage file
.cxp Core Media Player XML-based Playlist File
.cxt Macromedia Director Protected Cast file
.cxx C++ source code file (Zortech C++)
.d D programming language source code
GBG DraftMaker Drawing File
.d00 Blaster Master Pro File
AdLib Format File
.d10 H&R Block Deduction Pro file
Drake Software Dat file
.d2s Character file (Diablo 2)
.d3d File Extension for Desktop-3D Notes
Compressed Draw 3D file
.d64 Commodore 64 Emulator Disk Image
.dat Data file in special format or ASCII
Gunlok Archive
Mitsubishi DJ-1000 and Photorun Native Format
Nascar Racing Archive
SPOT Graphic
WordPerfect Merge Data
.data Sid Tune audio file
.day Journal file
.db Configuration (dBASE IV - dBFast)
Database (Paradox - Smartware)
.db$ Temperature debug info (Clarion Modula-2)
Temporary file (dBASE)
.db2 Database (dBASE II)
.db3 Database (dBASE III)
.dba Datafile (DataEase)
Palm Desktop Date Book Archive
.dbb ANSYS Database Backup
Mopheus music file
.dbd Business data (Business Insight)
Debug info (Clarion Modula-2)
.dbf Database file (dBASE III/IV - FoxPro - dBFast - DataBoss)
Oracle 8.x Tablespace File
.dbg Symbolic debugging information (MS C/C++)
.dbk Database backup (dBASE IV)
.dbl Windows XP Activation file
.dbm Datafile (DataEase)
Cold Fusion Template
Menu template (DataBoss)
.dbo Compiled program (dBASE IV)
.dbs Database in SQL Windows format
Datafile (PRODAS)
Printer description file (Word - Works)
.dbt Data Base Text (Clipper)
Foxbase+ style memo (FoxPro)
Memo file for database w/same name (dBASE IV - dBFast)
.dbw Windows file (DataBoss)
.dbx Database
DataBeam Image
MS Visual Foxpro Table
Outlook Express e-mail folder file
.dca Document Content Architecture text file (IBM DisplayWrite)
.dcf Disk image file
.dcm DCM Module Format
Dicom
.dcp Data CodePage (OS/2)
.dcr Kodak Proprietary Image Format
Shockwave file
.dcs Bitmap graphics (CYMK format) (QuarkXPress)
Datafile (ACT! Activity Files)
.dct Database dictionary (Clarion Database Developer)
Spell checking dictionary (Harvard Graphics 3.0 - Symphony)
.dcx FAX Image
ElectraSoft Fax
PC-Paintbrush file
Bitmap Graphics (Multipage PCX)
Macros
MS Visual Foxpro Database Container
.dd Compressed Macintosh file archive created by DISKDOUBLER
.ddat DivX Temporary file
.ddb Bitmap graphics
.ddc DivX Descriptor Description File
.ddf MS Data Definition Language file
.ddi Diskdupe Image file (ddupe322.zip)
.ddp Device Driver Profile file (OS/2)
.de MetaProducts Download Express incompletely downloaded file
.de7 Dance E jay 7 File
.deb Debug script (DOS Debug)
.dec VersaPro Declaration file
.def Assembly header file (Geoworks)
DATAIR data entry format file
Defaults - definitions
.dem Demonstration
Graphics (VistaPro)
.des Description Text
Tribes 2 Game file
Quickbooks Template
Pro/DESKTOP file
Interscope BlackBox file
.dev Device driver
.dfd Data Flow Diagram graphic (Prosa)
.dff Criterion RenderWare 3.x 3D object format
.dfi Outline font description (Digifont)
.dfl Default program settings (Signature)
FreshDownloads (FreshDownload List temp file)
File Extension for Desktop-3D Notes
.dfm Data Flow Diagram model file (Prosa)
.dfs Delight Sound file
.dft Fakt2000 file
SolidEdge CAD file
Workshare Synergy file
PC Draft file
.dfv Printing form (Word)
.dfx Drafix file
.dgn Graphics (MicroStation)
.dgr Fax Page (MS Outlook Express)
DART Pro 98 File Group Details
.dgs Diagnostics
.dh Dependency information for .ph (Geoworks)
.dhp Dr. Halo PIC Format graphics (Dr. Halo II - III)
.dht Datafile (Gauss)
.dhy Adobe Bridge file
.dia Diagraph graphics (Computer Support Corporation)
.dib Bitmap graphics (Device-Independent Bitmap)
.dic Lotus Notes / Domino dictonary file
.dif Database (VisiCalc)
Output from Diff command - script for Patch command
Text file (Data Interchange Format)
.dig Digilink Format
Sound Designer Audio File
Text Document
.dip Graphics
.dir Adobe Director Movie File
Dialing directory file (Procomm Plus)
Directory file (VAX)
Movie (MacroMind Director 4.x)
.dis DATAIR data import specification file
Distribution file (VAX Mail)
Thesaurus (CorelDraw)
>
.divx DivX Encoded Movie file
.diz Description file (Description In Zip)
.dje MattBatt iAM-player
.djv DJVu Scanned file
.djvu DJVu file
.dkb Raytraced graphics (DKBTrace)
.dl Animation (Italian origin)
.dl_ Compressed .dll file in an Install Archive
.dld Data (Lotus 1-2-3)
.dlg Dialog resource script file (MS Windows SDK)
.dll Dynamic Link Library (Windows 3.x - OS/2)
Export/import filter (CorelDRAW)
.dls Setup (Norton Disklock)
.dmf Delusion/XTracker digital music file
Packed Amiga Disk Image
.dmg Macintosh OS X Disk Image file
.dml Medical Manager DML System Script
.dmo Demo (Derive)
.dmp Dump file (eg. screen or memory)
.dms Compressed Amiga file archive created by DISKMASHER
.dmsk DivX Web Player Temporary file
.dna Desktop DNA data storage file
.dnasym Desktop DNA compiled application script
.dnax Desktop DNA exclusion list (text)
.dne Netica Bayes net file (Norsys Software Corp.)
.dng Adobe Digital Negative fFile
Dungeon file
.dnl DigitalWebBook Electronic Book
netMod Modem Firmware Upgrade file
.do ModelSim Filter Design HDL Coder
.doc Document text file
.docm Open XML Macro-enabled Document file (Microsoft Word 2007 / Word 2010)
.docx Open XML Document text file (Microsoft Office 2007 / Office 2010)
.dog Screen file (Laughing Dog Screen Maker)
.doh Dependency information for .poh (Geoworks)
.dol Nintendo Executable file
.dos External command file (1st Reader)
Network driver (eg. pkt_dis.dos)
Text file containing DOS specific info
.dot Line-type definition file (CorelDRAW)
Template (Word for Windows)
.dotx Microsoft Word 2007 / Word 2010 Template file
.dox Text file (MultiMate 4.0)
.doz Description Out of Zip (VENDINFO)
.dp Calendar file (Daily Planner)
Data file (DataPhile)
.dpg Nintendo DS MPEG Video File
.dpk Delphi Package file
.dpp Serif DrawPlus Drawing
.dpr Default project- and state-related information (Borland C++)
.dps DivX Player Skin file
.dpt Desktop DNA template
.dpx Digital moving picture exchange format
.dra Map Maker Pro GIS vector layer
.drs Display Resource (WordPerfect for Win)
.drv Device driver eg. for printer
.drw Drawing (various)
Vector graphics (Micrografx Designer)
.ds Twain Data Source file
.ds4 Vector graphics (Micrografx Designer 4.0)
.dsa DasyTec DASYLab file
.dsb DasyTec DASYLab file
.dsc Discard file (Oracle)
.dsd Database (DataShaper)
.dsf Micrografx Designer
PC-TRUST Document Signer
Delusion/XTracker Digital Sample
.dsk Project desktop file (Borland C++ - Turbo Pascal)
Simple IDs (database)
.dsm Digital sound module (DSI)
.dsn ODBC Data Source file
Design (Object System Designer)
.dsp Display parameters (Signature)
Graphics display driver (Dr.Halo)
MS Developer Studio Project
ReaderX and DragonStar Pro Ltd file extensions
.dsp2 ReaderX and DragonStar Pro Ltd file extensions
.dsr Driver Resource (WordPerfect for Win)
.dss Screensaver file (DCC)
Sound (Digital Soup)
.dst PC-RDist Distribution file
Embroidery Machine Stitch file (VeePro)
.dsw Desktop settings (Borland C++ 4.5)
.dsy PC Draft Symbol Library
.dt_ Data fork of a Macintosh file (Mac-ette)
.dta Data file (Turbo Pascal - PC-File - Stata)
.dtd SGML Document Definition file
.dtf Database file (PFS - Q&A)
.dtp Document (Timeworks Publisher3)
Publication (Publish-It!)
.dup Duplicate Backup
.dus Readiris font dictionary
.dvc Data (Lotus 1-2-3)
.dvf DV Studio Camcorder Graphics file
.dvi Device Independent document (TeX)
.dvp Desqview Program Information file (DESQview)
Device parameter file (AutoCAD)
.dvr Windows Media Center Recorded file
DR-92 Manager file
.dvr-ms files created by Stream Buffer Engine(SBE)
.dw2 Drawing (DesignCAD for windows)
.dwc Compressed file archive created by DWC (dwc-a501.exe)
.dwd Davka Writer file
DiamondWare Digitized file
.dwf Autodesk WHIP! Drawing Web file
MS WHIP autoCAD REader Drawing Web file
.dwg Drawing (Drafix)
Drawing database (AutoCAD)
.dwk DADiSP Worksheet File
.dwl Drawing Lock file
.dwt AutoCAD Template/Prototype file
Macromedia Dreamweaver Template file
Demon's World Game Texture file
.dwz DVD movieFactory 3
.dx Text file (DEC WPS/DX format - DEC WPS Plus)
.dxf Drawing Interchange File Format vector graphics (AutoCAD)
.dxn Fax (Fujitsu dexNET)
.dxr Adobe Director Movie File
Dependable Strengths Administrator Resources
Green Building Advisor file
Macromedia Director Protected Movie file
.dyc ICUII Videochat file
.dylib Apple osx extension for lib
.dyn Data (Lotus 1-2-3)
.dz Dzip Compressed file
.e3p CIM-Team E3.series parts file
.e3s CIM-Team E3.series project file format
.e3t CIM-Team E3.series template file
.e3v CIM-Team E3.series viewer project file format
.eap Enterprise Architect Project file
.ear Java Enterprise Application Packaging Unit
.eas Elite Visual Basic API Spy
.ebj Error-checking object file (Geoworks)
.ebo MS Reader Ebook Format
.ebp Pocket PC WindowsCE Project file
.ecf Microsoft Outlook Add-on file
Microsoft Exchange Extended Configuration file
WinFax Office Add-in file
.eco NetManage ECCO file
.ecw Ensoniq Waveset Format
EclipseCrossword Crossword Puzzle
.edb MS Exchange Database
ROOTS3 geneological data
.edl Edit Decision List (management for video/film post production)
.edr Portable energy file - GROMACS 3.3
.eds Ensoniq SQ80 disk image
.edt Default settings (VAX Edt editor)
.eeb Button bar for Equation Editor (WordPerfect for Win)
.efe Ensoniq EPS file
.eft High resolution screen font (ChiWriter)
.efx Fax (Everex EFax)
.ega EGA display font (Ventura Publisher)
.ek5 SonarData Echoview file
.ek6 SonarData Echoview file
.ekm EXP: The Scientific Word Processor Macro
.el Elisp source code file (Emacs lisp)
.elc Compiled ELISP code (Emacs lisp)
.elm MS FrontPage Theme-Pack file
.elt Event list text file (Prosa)
.email Outlook Express Mail Message
.emb Everest Embedded Bank File
.emd ABT Extended Module
.emf Enchanced Metafile graphics
.eml Electronic Mail (Email) Message file
.emp E-Music File Format
.ems PC Tools Enhanced Menu System Config
.emu Terminal emulation data (BITCOM)
.emx Ensuredmail encrypted file/e-mail message
IBM Rational modeller software
.emz Windows Compressed Enhanced Metafile
.enc Encoded file - UUENCODEd file (Lotus 1-2-3 - uuexe515.exe)
Music (Encore)
.end Arrow-head definition file (CorelDRAW)
.eng Dictionary engine (Sprint)
Graphics (charting) (EnerGraphics)
.ens EndNote Styles file
.env Enveloper macro (WOPR)
Environment file (WordPerfect for Win)
.eot MS WEFT Embedded OpenType file
.epd Publication (Express Publisher)
.epf Encryption Protection (encrypted file format)
The extension of the Entrust Profile files.
.epi Document (Express Publisher)
.epp EditPad Pro Project
.eps Encapsulated PostScript vector graphics (Adobe Illustrator)
Printer font (Epson - Xerox...) (Ventura Publisher)
.epub Open Electronic Book file
.eqn Equation (WordPerfect for Win)
.erd Entity Relationship Diagram graphic file (Prosa)
.erm Entity Relationship Diagram model file (Prosa)
.err Error log
Error messages for command line compilers
.esp Ventura file
.esh Extended Shell batch file
.esl MS Visual FoxPro Distributable Support Library
.ess EXP: The Scientific Word Processor Style Sheet
.est MS Streets & Trips 2001 Trip file
.etf Enriched Text file
PolyEdit file
.eth Document (Ethnograph 3)
.ets eSignal Time and Sales file
.etx Structure Enhanced (setext) text
.ev SonarData Echoview file
.evi SonarData Echoview file
.evl SonarData Echoview file
.evr SonarData Echoview file
.evt Event log
.evy Document (WordPerfect Envoy)
.ewd Document (Express Publisher for Windows)
.ewl EclipseCrossword Word List
Microsoft Encarta Document
.ex Norton Ghost Template File
.ex_ Compressed .EXE File in an Install Archive
.ex3 Device driver (Harvard Graphics 3.0)
.exc Rexx source code file (VM/CMS)
Exclude file for Optimize (do not process) (QEMM)
.exd Control Information Cache
.exe Directly executable program (DOS)
.exm Msdos executable, system-manager compliant (HP calculator)
.exp ICQ Saved Chat file
QuickBooks file
.ext Extension file (Norton Commander)
.ext2fs filesystem driver in the Linux kernel
.exx Intermediate file by MsgPut (IBM LinkWay)
.ezf Fax (Calculus EZ-Fax)
.ezm Text file
.ezp Edify Electronic Workforce Backup Utility
.ezz eZBackup backup file
.f Fortran source code file
Compressed file archive created by FREEZE
.f_i Print IPS file
.f01 Fax (perfectfax)
.f06 Dos screen text font - height 6 pixels (fntcol13.zip)
.f07 Dos screen text font - height 7 pixels (fntcol13.zip)
.f08 Dos screen text font - height 8 pixels (fntcol13.zip)
.f09 Dos screen text font - height 9 pixels (fntcol13.zip)
.f10 Dos screen text font - height 10 pixels (fntcol13.zip)
.f11 Dos screen text font - height 11 pixels (fntcol13.zip)
.f12 Dos screen text font - height 12 pixels (fntcol13.zip)
.f13 Dos screen text font - height 13 pixels (fntcol13.zip)
.f14 Dos screen text font - height 14 pixels (fntcol13.zip)
.f16 Dos screen text font - height 16 pixels (fntcol13.zip)
.f2 FLASH BIOS file
.f2r Linear module (music) (Farandole)
.f3r Blocked module (music) (Farandole)
.f4v MP4 Video file
.f77 Fortran 77 source code file
.f90 Fortran file
.f96 Fax (Frecom FAX96)
.fac Face graphics
.faq Frequently Asked Questions text file
.far Farandoyle Tracker Music Module
The Sims (Maxis) Archive file
.fav MS Outlook Bar Shortcuts
.fax Fax (raster graphics) (most Fax programs)
.fbc FamilyTree Compressed backup file
.fbk Navison Financials Backup
FamilyTree Backup file
.fc Spell checking dictionary (Harvard Graphics 2.0)
.fcd Virtual CD-ROM
FastCAD/EasyCAD Output
Patton & Patton Flow Charting 3 file
IsoBuster file
.fcm Binary file patch file (forward compression)(jlpak10.zip)
.fcp FLAMES Checkpoint Restart file (Ternion)
.fcs Flow Cytometry Standard Format
Fantasy Football League Organizer file
RealProducer Pro Settings
c-tree Server/Plus Data file
Canon Zoom Browser EX file
CD Trustee file
Spectrum Server Log file
.fcw Campaign Cartographer 2 file
.fd Declaration file (MS Fortran)
Field offsets for compiler (DataFlex)
.fdb Art Explosion Portfolio Catalog file
Legacy Family Tree Database
Navison Financials Database
.fde FLAMES Dataset Export file (Ternion)
.fdf Adobe Acrobat Forms document
.fdr Final Draft Document file
Embroidery Design file
.fdw Form (F3 Design and Mapping)
.feb Button bar for Figure Editor (WordPerfect for Win)
.fef Steuer2001 file
.fes Fabio Editing Software
3D Topicscape - exported fileless occurrence
.fev FLAMES Environment Variable file (Ternion)
.ff Outline font description (Agfa Compugraphics)
.ffa MS Fast Find file
.fff Fax (defFax)
.ffl MS Fast Find file
.ffo MS Fast Find file
.fft Dca/FFT Final Form Text text file (DisplayWrite)
.ffx Microsoft Fast Find file
.fgd Folder Guard Data
Half-life Modification Map Configuration file
Digital Raster Graphic Metadata file
.fh3 Vector graphics (Aldus FreeHand 3.x)
.fh4 Vector graphics (Aldus FreeHand 4.x)
.fh5 Freehand 5
.fh6 Freehand 6
.fh7 Freehand 7
.fh8 Macromedia Freehand 8
.fh9 Macromedia Freehand 9
.fh10 Macromedia Freehand 10
.fi Interface file (MS Fortran)
.fif Fractal Image Format file
.fig REND386/AVRIL Graphic
Super Nintendo Game-console ROM Image
.fil File template (Application Generator)
Files list object file (dBASE Application Generator)
Overlay (WordPerfect)
.fin Print-formatted text file (Perfect Writer - Scribble - MINCE)
.fio PhotoStyler graphics (filter)
ULead Viewer (support file)
.fit Fits graphics
File Index Table (WindowsNT)
.fix Patch file
.fky Macro file (FoxPro)
.fla Adobe Flash file
.flac Free Lossless Audio Codec
.flb Format library (Papyrus)
.flc Animation (Autodesk Animator)
.fld Folder (Charisma)
.fle Flea program: outbound file and attachment required by the given mailer environment
.flf Corel Paradox Form
Firehand Lightning Graphic Collection
Navison Financials License file
OS/2 Driver file
FLAMES License file, Enterprise Edition (Ternion)
.fli Tex font library (EmTeX)
Animation (Autodesk Animator)
.flk File Locker Encrypted file
.flm Film Roll (AutoCAD/AutoShade)
.flo Micrografx FlowCharter
.flp Adobe Flash Project file
FlipAlbum file
Fruityloops Saved file
.flt Asymetrix Graphics Filter Support file
CoolEdit Pro Filter
Corel Graphic Filter
FileMaker Filter
FLIC Animation (DTA)
Micrografx Picture Publisher Filter
MS Graphics Filter
MulitGen Open Flight file
OS/2 Warp Filter Device Driver
StarTrekker Music Module
WinFlash Educator Flashcard Compiled Test file
.flv Adobe Flash Video file
.flx Compiled binary (DataFlex)
.fm Spreatsheet (FileMaker Pro)
FrameMaker file
.fm1 Spreadsheet (Lotus 1-2-3 release 2.x)
.fm3 Device driver (Harvard Graphics 3.0)
Spreadsheet (Lotus 1-2-3 release 3.x)
.fmb File Manager Button bar (WordPerfect for Win)
.fmf Font or icon file (IBM LinkWay)
.fmg FreeMarkets Graphics Browser
.fmk Makefile (Fortran PowerStation)
.fmo Compiled format file (dBASE IV)
.fmp FileMaker Pro Document
FLAMES Model Prototype file for components written in C (Ternion)
.fmpp FLAMES Model Prototype file for components written in C++ (Ternion)
.fmt Format file (dBASE IV - FoxPro - Clipper 5 - dBFast)
Style sheet (Sprint)
.fmv Frame Vector Metafile
.fmz Form Z Program files (drawing program)
.fn3 Font file (Harvard Graphics 3.0)
.fnt Font file (many)
.fnx Inactive font (Exact)
.fo1 Font file (Borland Turbo C)
.fo2 Font file (Borland Turbo C)
.fol Folder of saved messages (1st Reader)
.fon Dialing directory file (Telix)
Font file (many - Windows 3.x font library)
Log of all calls (Procomm Plus)
.for Fortran source code file
Form (WindowBase)
.fot Installed Truetype font (Windows Font Installer)
.fp Configuration file (FoxPro)
.fp3 FileMaker Pro 3.0 and earlier files
Floor Plan 3D Drawing file
.fp4 FileMaker Pro 4.0
.fp5 FileMaker Pro 5.0 and later files
.fpb FLAMES Playback Recorder file (Ternion)
.fpc Catalog (FoxPro)
.fpk JetForm FormFlow file
.fpr FLAMES Prototype file (Ternion)
.fpt Memo (FoxPro)
.fpw Floorplan drawing (FloorPLAN plus for Windows)
.fpx FlashPix Bitmap
.fqy FLAMES FLARE Command file (Ternion)
.fr3 Renamed dBASE III+ form file (dBASE IV)
.frc FLAMES Recorder Output file; FLARE Input file (Ternion)
.frd Files which contain loudspeaker frequency response data
.fre Creative Digital Blaster Digital VCR file
Male Normal CT
.frf Font (FontMonger)
.frg Uncompiled report file (dBASE IV)
.frl FormFlow file
.frm MySQL Database Format file
Form (Visual Basic)
Report file (dBASE IV - Clipper 5 - dBFast)
Text (order form)
.fro Compiled report file (dBASE IV)
.frp Form (PerForm PRO Plus - FormFlow)
.frs Screen Font Resource (WordPerfect for Win)
.frt Report memo (FoxPro)
.frx Report (FoxPro)
.fs F# Source Code file
.fsc FLAMES Scenario file (Ternion)
.fsh EA Sports Game Graphic Editor file
.fsl Form (Paradox for Windows)
.fsm Farandoyle Sample format music
.fst Linkable program (dBFast)
.fsproj Store Firestarter projects used to generate class mapping definitions for Habanero Firestarter
.fsx Data (Lotus 1-2-3)
.fsy Fileware's Filesync
.ftm Font file (Micrografx)
.fts Windows Help Full-Text Search Index file
.ftw Family file
FontTwister
.ftp Configuration (FTP Software PC/TCP)
.fus Files that store user settings for various FLAMES applications (Ternion)
.fvt Interlock Public Computer Utility
.fw Database (FrameWork)
.fw2 Database (Framework II)
.fw3 Database (Framework III)
.fwp FLAMES Window Viewer project file (Ternion).
.fx DirectX Effects file
On-line guide (FastLynx)
.fxd Phonebook (FAXit)
.fxm WinFax/WinFax MiniViewer Fax
.fxo Fax Image Document
.fxp Compiled format (FoxPro)
.fxr WinFax Received Document
.fxs Fax Transmit Format graphics (WinFax)
.g Data chart (APPLAUSE)
.g3 Group 3 Fax document; Group 3 Fax
.g3f Zetafax TIFF file (fine resolution)
.g3n Zetafax TIFF file (normal resolution)
.g8 Raw graphics (one byte per pixel) plane three (PicLab)
.gab Global Address Book file
.gal Corel Multimedia Manager Album
.gam Saved Game file
Fax (GammaFax)
TADS 2.x Game file
Baldur's Gate Game file
Animated E-mail
.gat Gator file
.gb Pagefox Bitmap Image file
GameBoy ROM
.gba Game Boy Advanced ROM
GrabIt Batch files
.gbc Game Boy COlor ROM
.gbd Gator Banner file
.gbl Global definitions (VAXTPU editor)
.gbr GIMP Brush file
Gerber Format file
.gbx Gerber file
.gc1 Lisp source code (Golden Common Lisp 1.1)
.gc3 Lisp source code (Golden Common Lisp 3.1)
.gcd Graphics
.gcf Steam GCF File
.gdb Interbase Database
Group Mail file
.gdf Dictionary file (GEOS)
.gdr Bitmap Font file (SymbianOS)
.ged Editor's native file format (Arts & Letters)
GEDCOM Family History file
Graphic Environment Document
Graphics editor file (EnerGraphics)
Game Editor Project File
.gem Vector graphics (GEM - Ventura Publisher)
.gen Compiled template (dBASE Application Generator)
Generated text (Ventura Publisher)
Genius Family Tree
.geo Geode (Geoworks)
.gfb Compressed GIF image created by GIFBLAST (gifblast.exe)
.gft Font (NeoPaint)
.gfx Genigraphics Graphics Link Presentation
Graphic format used by Allen Bradley SCADA Software (RSView Works)
.gg Google Desktop Gadget file
.gho Symantec Ghost Disk image file
.ghs Lasertank High Scores
Symantec Ghost Disk Image Span file
.gib Chart (Graph-in-the-Box)
.gid Windows Help index file
.gif Graphics Interchange Format bitmap graphics (CompuShow)
.gig Sound file
.giw Presentation (Graph-in-the-Box for Windows)
.gl Animation (GRASP GRAphical System for Presentation)
.glm Datafile (Glim)
.gls Datafile (Across)
.gly Glossary (MS Word)
.gmd Game Maker file format
.gmf CGM graphics (APPLAUSE)
.gml Geography Markup Language file
.gmp Geomorph tile map (SPX)
.gno Genopro Genealogy Document file
.gnt In MF COBOL a compiled .cbl file
.goc Goc source code file (Geoworks)
.goh Goc header file (Geoworks)
.gp Geode parameter file (Geoworks Glue)
.gp3 CCITT Group 3 file
GuitarPro 3
.gp4 Guitar Pro version 4.06
.gpd VISUAL EPR Input Data for PARAMS.EXE
.gph Graph (Lotus 1-2-3/G)
.gpk Omnigo program package
.gpx GPS eXchange Format
.gr2 Screen driver (Windows 3.x)
.gra Datafile (SigmaPlot)
.grb Ms-DOS Shell Monitor file (MS-DOS 5)
.grd Gradebook Power file
Map Projection Grid file
.grf Micrografix Image file
Graph file (Graph Plus - Charisma)
.grl Matlab Graphic Format
.grp Group file (Windows 3.x - Papyrus)
Pictures group (PixBase)
.grx File list (GetRight)
.gry Raw GREY graphics
.gs1 Presentation (GraphShow)
.gsd Vector graphics (Professional Draw)
GSplit file splitting utility (GDGsoft.com)
.gsm Raw GSM 6.10 Audio Stream
Sound file
US Robotics modem file
.gsp Geometer's Sketchpad Material file
.gsw Worksheet (GraphShow)
.gtp Gnome Desktop Theme file
GuitarPro file
.gts Genome Software Tempo Alarm Clock
.gup Data (PopMail)
.gwi Groupwise File
.gwp Greetings WorkShop file
.gxd General CADD Pro file
GX-Reports file
Jeol EX Spectrometer Data file
.gxl Graphics library (Genus)
.gxt GTA2 Game file
.gym Sega Genesis Music Logged Format
.gz Compressed file archive created by GZIP (GNU zip)
.gzip Compressed file archive created by GZIP (GNU zip)
.h Header file
.h! On-line help file (Flambeaux Help! Display Engine)
.h++ Header file (C++)
.h-- Header file (Sphinx C--)
.ha Compressed file archive created by HA (ha098.zip)
.ham Image file
.hap Compressed file archive created by HAP (hap303re.zip)
.hbk Handbook (Mathcad)
.hbs eBerry Transparent Animation - compressed bitmap files
.hcr IBM HCD/HCM Production Configuration
.hdf Hierarchical Data File graphics (SDSC Image Tools)
Help file (Help Development Kit)
.hdl Alternate download file listing (Procomm Plus)
.hdp HD Photo File
Magix Music/Video
.hdr InstallShield Setup header
Pc-File+ Database header
Datafile (Egret)
Message header text (Procomm Plus - 1st Reader)
.hds Windows Digital Right Management file
.hdw Vector graphics (Harvard Draw)
.hdx Help index (AutoCAD - Zortech C++)
.hed HighEdit document
.hex Hex dump
.hfi Hp Font Info file (GEM)
.hfx HotFax file
US Robotics Rapid Comm Voice Data file
.hgl Hp Graphics Language graphics
.hh C++ header file
.hhc Table of Contents file
TurboTax Contents file
.hhh Precompiled header file (Power C)
.hhk Help Workshop Index file
.hhp Help information for remote users (Procomm Plus)
.hht MS Messenger file
.hin Molecule (HyperChem)
.his Insight II Dynamics Trajectory History file
Spy-CD CD Search Database file
.hlb Help library (VAX)
.hlp Help information
.hlz Multi-Edit Packed Help file
.hm3 Help & Manual 3 project Format
.hmm Alternate Mail Read option menu (Procomm Plus)
.hnc CNC program files Heidenhain (?) dialog
.hof Hall Of Fame (game scores)
.hp8 Ascii text HP Roman8 character set (NewWave Write)
.hpf Hp LaserJet fonts (PageMaker)
.hpg HPGL plotter file vector graphics (AutoCad - Harvard Graphics)
.hpi Font information file (GEM)
.hpj Help project (MS Help Compiler)
.hpk Compressed file archive created by HPACK (hpack75.zip)
.hpm Emm text (HP NewWave)
Alternate Main menu for privileged users (Procomm Plus)
.hpp C++ header file (Zortech C++)
.hqx Compressed Macintosh ASCII archive created by BINHEX (xbin23.zip)
.hrf Graphics (Hitachi Raster Format)
.hrm Alternate Main menu for limited/normal users (Procomm Plus)
.hs2 Monochrome image (Postering)
.hsi Handmade Software Inc. graphics - almost JPEG (Image Alchemy)
.hst Yahoo Messenger History file
History file (Procomm Plus)
.hta Hypertext application
.htc HTML Component (mechanism for implementing Dynamic HTML in script)
.htf WebBase File
.hti WebBase File
.htm HyperText Markup Language document
.html HyperText Markup Language document
.htr Motion Analysis Software Skeletal file
.htt Hypertext template
.htx Hypertext file
.hus Husqvarna Designer I Embroidery Machine Format
.hwd Presentation (Hollywood)
.hxm Alternate Protocol Selection menu for all users (Procomm Plus)
.hxx C++ header file
.hy1 Hyphenation algorithms (Ventura Publisher)
.hy2 Hyphenation algorithms (Ventura Publisher)
.hyc Data (WordPerfect)
.hyd Hyphenation dictionary (WordPerfect for Win)
.hyp Compressed file archive created by HYPER (hyper25.zip)
.hyt VFSMOD Project output file
.i Intermediate file (Borland C++ 4.5)
.iaf MS Outlook 97 and 2000 e-mail account settings
.iax Bitmap graphics (IBM Image Access eXecutive)
.ibm Compressed file archive created by ARCHDOS (Internal IBM only)
.ibd Installer Dialog Resource file
.ibp Isobuster Image file
.ibq Isobuster Managed Image file
.ica Bitmap graphics (Image Object Content Architecture)
.icb Bitmap graphics
.icc Kodak Printer Image
IronCAD Catalog
.icd IronCAD 2D CAD file
.icl Icon library (ActivIcons, IconForge, ImageForge, ImageForge PRO)
.icm Image Color Matching Profile file
ICC Profile, Acer Monotor Drive
.icn Icon source code file
.ico Icon (Windows 3.x)
.ics iCalendar Calendar file
.id Disk identification file
Lotus Notes User ID file
.id2 Windows Live Messenger Emoticon file
.idb Database Used by Disassembler
MS Developer Intermediate file
.ide Project (Borland C++ 4.5)
.idf ARTiSAN Real-time Studio ID file
MIDI Instruments Drivers file
.idl MS Visual C++ Interface Definition file
OMG CORBA Interface Definition Language
.idw Vector graphics (IntelliDraw)
.idx Index (many - FoxPro)
.ies Photometric file data
.ifd Form (JetForm Design)
.iff Interchange File Format bitmap graphics/sound (Amiga)
Maxis The Sims Object file
Philips CDI File
Sun TAAC Image File Format (SDSC Image Tool)
.ifo Saved graphic objects (ImageForge PRO)
.ifp Script (KnowledgeMan)
.ifs Fractal image compressed file (Yuvpak)
System file (OS/2) hpfs.ifs
.igr Intergraph SmartSketch Drawing
.igs IGES-Format
.igx iGrafx Process
.iif QuickBooks for Windows Interchange file
.ilb Data (Scream Tracker)
.ilk Outline of program's format (MS ILink incremental linker)
.im30 Sun Raster image file
.im8 Sun raster graphics
.ima Mirage vector graphics (EGO, Chart, Autumn)
.imb IncrediMail file
.imc IncrediMail file
.imd Caseware IDEA (GIS data file)
.imf ImageForge/IconForge saved filtered brushes(IconForge, ImageForge, ImageForge PRO)
.img Bitmap graphics (Ventura Publisher - GEM Paint)
.imm IncrediMail Trash
.imn IncrediMail Notifier
.imp Spreadsheet (Lotus Improv)
Impaticized PowerPoint file
.imq Image presentation (ImageQ)
.ims Incredimail Graphic
.imv Yahoo Instant Messenger IMVironment
Impaticized Video format
.imw Imageware Surfacer 3D CAD Surface Geometry
IncrediMail Sound
.imz Compressed floppy image
.in$ Installation file (HP NewWave)
.in3 Input device driver (Harvard Graphics 3.0)
.inb Test script (Vermont HighTest)
.inc Include file (several programming languages)
.ind Index (dBASE IV)
Adobe InDesign document file
.indd Adobe InDesign file format
.inf Type 1 LaserJet font information file (soft font installers)
Information text file (ASCII)
Install script
.ini Initialization file
.ink Pantone reference fills file (CorelDRAW)
.inl MS Visual C++ Inline Function file
.inp GIS Software Text Input file
Oracle Source Code
Self-Extracting Archive Utility Project
.ins Data (WordPerfect)
Installation script (1st Reader)
Instrument music file (Adlib)
.int Borland Interface Units
Program saved in Internal (semi-compiled) format (Signature)
.inv Rogue Spear Inventory file
.inx Foxpro Index (Foxbase)
.io Compressed file archive created by CPIO
.iob 3d graphics database in TDDD format
.ioc Organizational chart (Instant ORGcharting!)
.ion 4dos descript.ion file (file descriptions)
.ipa iPod/iPhone Application file
.ipd BlackBerry Backup file
InstallPROG 6 EDBS Install Database
.ipg Mindjongg Format
.ipj Impatica OnCue Project file
.ipl Pantone Spot reference palette file (CorelDRAW)
.ipp Help & Manual Proprietary Image
.ips Game Patch file
MENSI 3Dipsos
.ipsw IPod/IPad/IPhone Software file
.ipx IPIX AV file
.ipz ICQ Skin Plus
.iri IR Image file
.irs Resource (WordPerfect)
.isd Spelling Checker dictionary (RapidFile)
.ish Compressed file archive created by ISH
.isk Command file
.iso Easy CD Creator Disc Image
File List for CD-ROM
InstallShield Uninstall file
ISO Buster file
ISO-9660 Table
RichWin
Vector Graphics (IsoDraw Illustration)
.isr MS Streets & Trips Route file
.iss InstallShield Response file
ISS Graphic
.ist Digitrakker Instrument File (n-FaCToR)
.isu InstallShield Uninstall Script
Easy CD Creator 4 Uninstall file
Netscape file
.isz An extension on .ISO that allows compression and splitting of an archive
.it Settings (intalk)
.itc2 iTunes Album Data file
.itdb iTunes Database file
.itf Interface file (JPI TopSpeed Pascal)
.ith InTether technology secured file
.itl Music Library file
.iv OpenInventor files (the successor to Inventor)
.iva security video data file
.ivt MS Infoviewer Title
.iw Presentation flowchart (IconAuthor - HSC InterActive)
.iwa Text file (IBM Writing Assistant)
.iwd Call of Duty Game Data file
.iwp Text file (Wang)
.izt Izl binary token file (IZL)
.j01 File Extension from ADP Payroll Company
.jad Java Application Descriptor extension (for installing MIDlets)
.jar Java archive file
.jas Graphics
.jav Java source code file
.java Java source code file
.jbc Jam Byte-Code Hex file
BestCrypt File
.jbd Datafile (SigmaScan)
.jbf Paint Shop Pro browser file
.jbk Juno Backup file
.jbr Jasc Paint Shop Pro Brush
.jbx Project file (Project Scheduler 4)
.jdt Accelio Capture Classic Filler
.jef Janome NH10000 Sewing Machine file
.jet Fax (Hybrid JetFax)
.jff Bitmap graphics (JPEG File Interchange Format)
.jfif JPEG image
.jfx J2 Fax File
.jhtml Dynamo Server Page
.jif JPEG/JIFF Image
Jeff's Image Format
.jmx JMeter file
.jnb Sigma Plot Workbook file
.jnl Ingres Journal file
.jnlp Java Web Start file
.jnt Windows Journal Note file
.job Job file
Task Scheduler Task Object
AI Research file
QuestVision Vector Graphics file
.jor Journal file SQL
.jou Journal backup (VAX Edt editor)
.jp2 JPEG 2000 file
.jpc Graphics (Japan PIC)
.jpeg JPEG image
.jpf JPEG 2000 file
.jpg Bitmap graphics (Joint Photography Experts Group)
.jps Stereo Image
.jpx JBuilder Project file
.js Microsoft Scripting Language "JScript" file extension
.jsd eFAX Jet Suite Document
.jse JScript Encoded Script file
.jsf Fireworks Batch Script file
.jsh Henter-Joyce, Inc. Jaws Script Header file
.json JavaScript Object Notation file
.jsp Java Server page
.jtf Fax (Hayes JT Fax)
Bitmap graphics (JPEG Tagged Interchange Format)
.jtp Jetform file
.jup (New Planet Software) Code Crusader user's project preferences file
.jw Text document (JustWrite)
.jwl Library (JustWrite)
.jwp Easy CD Creator Label file
JWP Document
.jxr JPEG XR file
.jzz Spreadsheet (Jazz)
.kar Midi file with karaoke word track
.kau Sassafras KeyAudit Audit file
.kb Keyboard script (Borland C++ 4.5)
Program source (Knowledge Pro)
.kbd Keyboard mapping (LocoScript - Signature - Procomm Plus)
.kbm Keyboard mapping (Reflection 4.0)
.kcl Lisp source code (Kyoto Common Lisp)
.kcp Keychamp file
.kdc Kaspersky Virus Database file
Kodak Photo-Enhancer/Photogen file
.keo Older, outdated Print Shop extension
.ket Older, outdated Print Shop extension
.kex Macro (KEDIT)
.kext Mac OS X Kernel Extension
.key Datafile (Forecast Pro)
Keyboard macros
WinRAR License file
Security file eg. Shareware Registration info
.kgb KGB Archive file
.kit Raven Toolkit file
.kix KixTart Script
.kma Kodak Memory Book file
Correlate K-Map
.kml Keyhole Markup Language file
.kmp Korg Trinity KeyMaP file
.kmx Kaufman Mmail Warrior Mail Folder
.kmz Google Earth Map Location file
.kos MicroType Pro Document
.kp2 Kruptos Encrypted file
.kpl Kazaa Playlist
KPL Source Code
.kpp Toolpad (SmartPad)
.kps Ibm KIPS bitmap graphics
.kqb Knowledge Question Base file
.kqe W32/Spybot.KQE Worm virus
.kqp Konica Quality Picture
.krz Kurzweil 2000 Sample
.ksd Native Instruments Audio Patch file
.ktk Kutoka's Mia
.kwi Navigation Data file
.kwm WebMoney Private Key file
.kyb Keyboard mapping (FTP Software PC/TCP)
.l Lex source code file
Lisp source code file
Linker directive file (WATCOM wlink)
.l01 ARC Digitized Raster Graphics
.lab Datafile (NCSS - SOLO)
Mailing labels (Q+E for MS Excel)
.lang Skype Language file
.lat Crossword Express Lattice file
.latex LaTeX typesetting system
.lay Word chart layout (APPLAUSE)
.lbg Label generator data (dBASE IV)
.lbl Label (dBASE IV - Clipper 5 - dBFast)
.lbm Bitmap graphics (DeluxePaint)
Linear bitmap graphics (XLib)
.lbo Compiled label (dBASE IV)
.lbr Compressed file archive created by LU (lue220.arc)
Display driver (Lotus 1-2-3)
.lbt Label memo (FoxPro)
.lbx Label (FoxPro)
.lcf Linker Control File (Norton Guides compiler)
.lck Lockfile (Paradox)
.lcl Data (FTP Software PC/TCP)
.lcn Lection (WordPerfect)
.lcs Datafile (ACT! History Files)
L0phtCrack Audit file
.lcw Spreadsheet (Lucid 3-D)
.ld Long Distance codes file (Telix)
.ld1 Overlay file (dBASE)
.ldb Data (MS Access)
.ldf Library definition file (Geoworks Glue)
locking data file or (locking security file)
IBM Works for OS/2 Filer Form
Microsoft SQL Server Transaction Log File
.ldif LDAP Data Interchange Format
.leg Legacy Graphic Format
.les Lesson (check .cbt)
.let Letter
.lev Level file (NetHack 3.x)
.lex Lexicon (dictionary) (many)
.lfa LifeForm file
.lft Laser printer font (ChiWriter)
.lg Logo procedure definitions (LSRHS Logo)
.lgc Program Use Log file
.lgo Logo for header and footer (SuperFax)
Startup logo code (Windows 3.x)
.lgx Gerber file
.lha Compressed file archive created by LHA/LHARC (lha255b.exe)
.lhw Compressed Amiga file archive created by LHWARP
.lib Library file (several programming languages)
.lic License file (Shareware)
FLAMES License File Professional Edition (Ternion)
.lid Kodak Gallery Album file
WinDVD file
Light Field Description file
Dylan Library Interchange Description
LabelVision Auto Incrementing Value file
Maple V Setup file
Scholar's Aid Backup file
.lif Logical Interchange Format data file (Hewlett-Packard)
Compressed file archive
.lim Compressed file archive created by LIMIT (limit12.zip)
.lin Line types (AutoCAD)
.lis Listing (VAX)
.lit MS Reader eBook file
.lix Extend Simulation Library file
Libronix DLS Resource (LLS 2.x Index)
.lj Text file for HP LJ II printer
.lko MS Outlook Express Linked Object
.ll3 Laplink III related file (document) (LapLink III)
.lmp Lump File
.lmt Nokia PC Suite Log file
RPG Maker map tree file
.lnd 3D Landscape Data
.lng Adobe Acrobat Language Plugin file
Diablo II file
NRG SDR Language file
.lnk Windows Shortcut file
Linker response file (.RTLink)
.loc MicroSim PCBoard Component Locations Report
Suppose Locations file
Download format for search results on Geocaching.com
.lod Load file
.log Log file
.lok Encrypted and compressed archive format (FileWrangler, SecurDesk!, ZipWrangler)
.lpc Printer driver (TEKO)
.lpd Helix Nuts and Bolts File
Avery Label Pro
.lpf Lytec's Direct Electronic Medical Claims ClaimsDirect
.lpi Live Pictures
.lpk Licensed ActiveX Control for Internet Explorer.
.lrf Linker response file (MS C/C++)
.lrs Language Resource File (WordPerfect for Win)
.lse Nokia Audio Manager
.lsf Streaming Audio/Video file
Libronix DLS Resource
.lsl Lotus Script Library
.lsp Lisp source code file (Xlisp)
.lss Spreadsheet (Legato)
.lst Keyboard macro (1st Reader)
List file (archive index - compiler listfile)
Spool file (Oracle)
SAS Program file
.lt2 e frontier Poser file
.ltm Form (Lotus Forms)
.ltr Letter
.lua Lua Source Code file
.lvl Game Level file
.lvp Lucent Voice Player
LView Pro
.lwa LightWorks Archive Material/Scene file
.lwd Text document (LotusWorks)
.lwo NewTek Lightwave Object
.lwp IBM Word Pro / Lotus Word Pro 96/97 document file
.lwz MS Linguistically Enhanced Sound file
.lx Lexico - files with source code
.lyr DataCAD Layer file
.lzd Difference file for binaries (Ldiff 1.20)
.lzh Compressed file archive created by LHA/LHARC (lha255b.exe)
.lzs Compressed file archive created by LARC (larc333.zip)
.lzw Compressed Amiga file archive created by LHWARP
.lzx Compressed file
.m Function (program) (Matlab)
Macro module (Brief)
Standard package (Mathematica)
.m11 Text file (MASS11)
.m1v MPEG-1 Video file
.m2p MPEG-2 Program Stream Format file
.m2ts BDAV MPEG-2 file
.m2v MPEG-2 Video Only file
.m3 Modula 3 source code file
.m3d 3D animation macro
.m3u Music Playlist (Winamp)
.m4 M4 preprocessor file (unix)
.m4a MPEG-4 Audio Layer
.m4b MPEG-4 Audio Book file
.m4p MPEG-4 Encoded Audio file
.m4r iPhone Ringtone file
.m4v Apple Video file
.m_u Backup of boot sector, FAT and boot dir (MazeGold)
.ma3 Macro (Harvard Graphics 3.0)
.mac Bitmap graphics (Macintosh MacPaint)
Macro
.mad MS Access Module Shortcut
.maff Mozilla Archive Format file
.mag Woody Lynn's MAG graphics format (MPS Magro Paint System)
.mai Mail (VAX)
.mak Makefile
Project file (Visual Basic)
.man Command manual
.map Color palette
Format data (Micrografx Picture Publisher)
Linker map file
Map (Atlas MapMaker)
Network map (AccView)
.mar Mozilla Archive
Microsoft Access Report file
Assembly program (VAX Macro)
.mas Smartmaster set (Freelance Graphics)
.mat Data file (Matlab)
Microsoft Access Shortcut file
.max Max source code file
Microsoft Data Analyser View
.mb Memo field values for database (Paradox)
.mbf MS Money Backup file
.mbk Multiple index file backup (dBASE IV)
Medisoft for Windows Backup
.mbx Mailbox (Eudora/Zerberus)
.mcc Configuration file (Mathcad)
.mcd Document (Mathcad)
.mcf Mathcad font
Meta Content Format file
Master Command file
TMPGEnc template
.mci Mci command script (Media Control Interface)
.mcp Application script (Capsule)
Printer driver (Mathcad)
.mcr DataCAD Keyboard macro file
.mcw Text file (MacWrite II)
.mcx Graphic file
.md Compressed file archive created by MDCD (mdcd10.arc)
.md5 MD5 Checksum file
Message Digest 5 (Easy MD5 Creator)
.mda Data (MS Access)
.mdb Database (MS Access)
.mde Microsoft Access MDE database
.mdf Accelio Capture Classic (JetForm) Filler
I-deas Master Drafting Machine Data file
Menu Definition file
MS-SQL Master Database file
Alcohol 120% CD Image File
.mdi Microsoft Office 2003 imaging format
Borland multiple document interface
.mdk Keyboard Map file
.mdl Model (3D Design Plus)
Spreadsheet (CA-Compete!)
.mdm Modem definition (TELIX)
.mdmp Microsoft Windows XP Trouble Report
.mdr FaxTalk Modem Doctor Modem Report file
.mdt Data table (MS ILink incremental linker)
.mdx Multiple index file (dBASE IV)
.mdz MS Access Wizard Template
.me Usually ASCII text file READ.ME
.meb Macro Editor bottom overflow file (WordPerfect Library)
.med Macro Editor delete save (WordPerfect Library)
Music (OctaMED)
.mem Macro Editor macro (WordPerfect Library)
Memory variable save file (Clipper - dBASE IV - FoxPro)
.meq Macro Editor print queue file (WordPerfect Library)
.mer Macro Editor resident area (WordPerfect Library) (vakioalue)
.mes Macro Editor work space file (WordPerfect Library)
Message
.met Document (Omnipage Pro)
eDonkey2000 file
Macro Editor top overflow file (WordPerfect Library)
Presentation Manager Meta file
.meu Menu group (DOS Shell)
.mex Mex file (executable command) (Matlab)
Macro Editor expound file (WordPerfect Library)
Mioplanet mex reader interactive file
.mf Metafont text file
.mfx ImageMAKER Fax Viewer folder file
.mgf Font (Micrografx)
.mgi Modular Gateway Interface
.mgp MagicPoint Presentation file
.mhp MS Home Publishing Project
.mht MS MHTML Document
.mia MusicIndiaOnline player music file
.mib Snmp MIB file
.mic Microsoft Image Composer file
.mid Standard MIDI file (music synthetizers)
.mif Maker Interchange Format (FrameMaker)
.mii Datafile (MicroStat-II)
.mim MIME file
.mio Multimedia Interactive Object
.mip Paint Shop Pro Multiple Image Print file
.mis Delta Force Land Warrior Mission
MagicInstall Installation Script
Tribes 2 Game file
.mix Object file (Power C)
.mk Makefile
.mkd Pervasive Btrieve files
.mke Makefile (MS Windows SDK)
.mki Japanese graphics MAKIchan format (MagView 0.5)
.mks Data (TACT)
.ml3 Project (Milestones 3.x)
.mlb Macro library file (Symphony)
.mlm Novel Groupwise e-mail file
.mm Text file (MultiMate Advantage II)
.mmc Media Catalog
MSoffice Media Content
.mmd Peristudio/PeriProducer file
.mmf Mail message file (MS Mail)
.mml Mail Meta Language
.mmm Movie (RIFF RMMP format) (MacroMind Director 3.x)
.mmo Memo writer file (RapidFile)
.mmp Output video format from Bravado board
.mmx Command & Conquer Red Alert 2 Map file
Oracle Forms Compiled Menu
.mmz MusicMatch Theme file
.mnd Menu source (AutoCAD Menu Compiler)
.mng Map (DeLorme Map'n'Go)
.mnt Menu memo (FoxPro)
.mnu Advanced macro (HP NewWave)
Menu (AutoCAD Menu Compiler - Norton Commander - Signature)
.mnx Compiled menu (AutoCAD)
Menu (FoxPro)
.mny Account book (MS Money)
.mob Device definition (PEN Windows)
.mod Modula-2 source code file (Clarion Modula-2)
Windows kernel module
Music (FastTracker - many)
.mol MDL Molfile
.mon Monitor description (ReadMail)
.mov QuickTime Video Clip
Apple QuickTime Audio
AutoCAD AutoFlix Movie
.mp2 Mpeg audio file (xing)
.mp3 mp3PRO Audio file
MPEG Audio Stream, Layer III
SHARP MZ-series Emulator file
Wrapster Wrapped file
.mp4 MPEG-4 Video File
.mpa MPEG Audio Stream, Layer I, II or III
.mpc Calender file (MS Project)
.mpd MS Project database file
.mpe MPEG Movie Clip
.mpeg MPEG Movie Clip
.mpf MS Design Gallery
MosASCII Project Workspace file
.mpg MPEG-1 animation
.mpl Playlist Data file
.mpls Blu-ray Information file
.mpm Mathplan macro (WordPerfect Library)
.mpp Project file (MS Project)
CAD Drawing File
.mpq Blizzard Game Data file
.mpr Generated program (FoxPro)
.mps Multimedia File
Casio PDL Pocket Streets Map
.mpt Bitmap graphics (Multipage TIFF)
Template File (MS Project)
.mpv View file (MS Project)
.mpw MosASCII Project Workspace file
.mpx Compiled menu program (FoxPro)
.mrb Multiple Resolution Bitmap graphics (MS C/C++)
.mrc MIRC Script file
Bibliographic Data Format
.mrk Informative Graphics markup file
.mrs Macro Resource file (WordPerfect for Win)
.msc MS C makefile
.msd MS Diagnostic Utility Report
.msf Multiple Sequence file
.msg Message
.msi Windows Installer file
.msm MultiSIM Circuit Diagram
.msn MSN Content Plus file
.mso Math Script Object file
MS FrontPage file
MS Word OLE Web Page Storage Stream
.msp Bitmap graphics (Microsoft Paint)
.mspx XML based Web Page
.mss Manuscript text file (Perfect Writer - Scribble - MINCE - Jove)
.mst ChemFinder Chemical Structure Index
DATAIR Pension System Master file
Minispecification file (Prosa)
Setup script (MS Windows SDK)
Visual Test Source file
.msu Windows Update file
.msv Sony Memory Stick Format
.msw Text file (MS Word)
.mswmm Windows Movie Maker Project
.msx Compressed CP/M file archive created by MSX
.mtd Digital Sheet Music
.mth Math file (Derive)
.mtm Multitracker Module music
.mts AVCHD Video file
Viewpoint iPix file
.mtv MTV Music Generator
.mtw Datafile (Minitab)
.mtx Temporary File often used by a browser or TWAIN device
Viewpoint iPix file
Max Magic Microtuner tuning text file
.mu Menu (Quattro Pro)
.mu3 Myriad Music file (packed sounds & digital tracks)
.muf ProtoMuck Multi User Forth Program
.mul Ultima Online Game
.mus MusicTime Sound file
Myriad Music file
.mvb Database
MS Multimedia viewer file
MvPCbase www.mvsoft-comp.com
.mvc Music Collector Collection Manager file
.mvd MicroDVD (DVD movie file)
.mvf Stop frame file (AutoCAD AutoFlix)
.mvi Movie command file (AutoCAD AutoFlix)
.mvw Log file (Saber LAN)
.mwf Animation (ProMotion)
.mwp Lotus Wordpro 97 Smartmaster file
MegaWorks Pack file
.mws Maple Worksheet File
.mwv MovieWorks file
.mxd GIS Project file
.mxe Macro Express
Mindex Effect Album
.mxf Material eXchange Format for the interchange of audio-visual
Material with associated data and metadata.
.mxl Moxcel Spreadsheet File
.mxm MS Project/Outlook Team Assign Task
.mxp Macromedia Extension Manager
ArcReader Published Map
.mxt Data (MS C)
.myp Presentation (MM Make Your Point)
.myr Myriad Music file
.mys Myst Saved Game
.myt Myriad Tutorial file
.mzp Maxscript Compressed File
.na2 Netscape Mail file
.nam MS Office Name file
.nap Naplps file (VideoShow) (EnerGraphics)
.nav MSN Application Extension
.nb Text file (Nota Bene)
.nbf Backup Now Backup file
.nbu Nokia PC Suite Backup file
.nc Graphics (netcdf)
Instructions for NC (Numerical Control) machine (CAMS)
.ncb MS Developer Studio file
.ncc Cnc (Computer Numeric Control) control file (CamView 3D)
.ncd Nero CoverDesigner Document file
Norton Change Directory support file (Norton Commander)
NTI CD-Maker file
.ncf Lotus Notes Internal Clipboard
Steam Configuration file
Netware Command file
.nch Outlook Express folder file
On Hold message/music file
.nd5 NDS Renamed file
.ndb Network database (Intellicom - Compex)
.nde Video format - various manufactures of surveillance camera systems
.ndf NeoPlanet Browser File
.ndk Lotus Notes(containing the files related to workspace)
.ndx Index file (dBASE II - III - IV - dBFast)
.neb Nortec H.E.L.P.
.ned MSN Application Extension
.nef Nikon's RAW format for digital cameras (Nikon Electronic Format)
.neo Raster graphics (Atari Neochrome)
.nes Nintendo Entertainment System ROM Image
.net Network configuration/info file
.new New info
.nfo Info file
.ng Online documentation database (Norton Guide)
.ngf Enterasys Networks NetSight generated format file
.ngg Nokia Group Graphics
.nh NetHack file
.nib Adobe AIR file
.nif NetImmerse File Format
.njb Photo Index file
.nlm Netware Loadable Module
.nls Code Page National Language Support
.nlx Form (FormWorx 3.0)
.nmd SwordSearcher file
.nmi SwordSearcher file
.nmo Virtools Behavioral Objects
.nms Numega Softice's Loader file
Virtools Graphical Scripts
.nnb newnovelist Story Outline
.nob VersaPro Word Exchange file
.nol Nokia Operator Logo
.not Acrobat Spelling file
ActiveNote Post-It-Notes
.now Text file
.np Project schedule (Nokia Planner) (Visual Planner 3.x)
.npa ReliaSoft Weibull++ 6
.npf Backup Now Image file
.npi Source for DGEN.EXE intepreter (dBASE Application Generator)
.nra Nero Audio-CD Compilation
.nrb Nero CD-ROM Boot Compilation
.nrg Norton Registration Entries
Nero CD-Image
IsoBuster file
NRG File Format
.nri Nero ISO CD-ROM compilation
.nrl iManage file
.nrw Nero WMA Compilation file
Nikon RAW file
.nsc Noder file (Polish)
Windows Media Station file
.nsf Lotus Notes / Domino database
.nsi Nullsoft Install System Script
.nst Music (NoiseTracker)
.nt Startup files (Windows NT)
.ntf Lotus Notes / Domino template file
.nth Nokia Theme file
.ntp Neato CD Labels
.ntr Executable ASCII text file (strip header and rename) (netrun31.zip)
.nts Tutorial (Norton)
Executable ASCII text file (strip header and rename) (netsend1.zip)
.ntx Index (Clipper 5)
.ntz InVircible Directory Integrity Information
.nu4 Norton Utilities Root File (DLL) Symantec Corporation
.nuf Message for new users on their 1st call (Procomm Plus)
.numbers iWork Numbers Spreadsheet file
.nup Program Component Update files
.nvc Nero Vision Project file
.nvm AOLpress Help file
.nwc Noteworthy Composer song file
.nws Info text file (latest news) (ASCII)
.nwr New World Report Aegis/MSP Law Enforcement Records (New World Systems)
.nwt New World Text Aegis/MSP Law Enforcement Records (New World Systems)
.nxt Sound (NeXT format)
.nzb NewsBin Index file
.o Object file (unix - Atari - GCC)
.o$$ Outfile (Sprint)
.oaz Fax (NetFax Manager)
.ob Object cut/paste file (IBM LinkWay)
.obd MS Office Binder
.obj Object code (Intel Recolatable Object Module)
.obr Object browser data file (Borland C++)
.obs Script (ObjectScript)
.obv Visual interface (ObjectScript)
.oca Control Typelib Cache
.ocf Object Craft File (Object Craft)
.ocm AOL Advertising Control files
Internet Odyssey 2 Update
.ocp Advanced Art Studio
Offline Commander Project file
.ocr Incoming fax transcribed to text (FAXGrapper)
.oct Radiance Octree Format
.ocx OLE ActiveX custom control
.odf Open Document Interchange
BattleZone Cartographers Guild file
Star Trek Armada Ship/Structure Infomation
.odg OpenDocument Graphic file
.odl Type library source (Visual C++)
.odp OpenOffice Presentation file
.ods OpenOffice Spreadsheet file
.odt OpenOffice OpenDocument text document
.oeb Outlook Express Backup Wizard
.oem TextSetup OEM file
.ofc Open Financial Connectivity file
.ofd Form definition (ObjectView)
.off Object File Format vector graphics
.ofm Adobe font
.oft MS Outlook Item Template
.ofx Olicom Fax
Open Financial Exchange file
.ogg Ogg Vorbis Codec Compressed WAV file
.ogm Ogg Vorbis Compressed Video file
.ogv Video Container file
.okt Music (Oktalizer)
.olb Object library (VAX)
.old Backup file
.ole Object Linking and Embedding Object
.oli Text file (Olivetti)
.oma OpenMG Music file
.omf Open Media file
.omg OpenMG Jukebox
.oms Briggs Softworks Order Maven
Macintosh MP3 Music Format
Omega Downloader Configuration file
.ond Lotus Notes-related file
.one OneNote Document File
.ont Bible file
.oom Swap file (Shroom)
.opd Omnipage file
.opf Flip Album file
Open Packaging Format file
.opl Psion Organiser Programming Language Source file
.opn Active options (Exact)
.ops Microsoft Office profile settings file
.opt Optimize support file (QEMM)
.opw Organization chart (Org Plus for Windows)
.opx Inactive options (Exact)
.or2 Lotus Organizer 2 file
.or3 Lotus Organizer 97 file
.or4 Lotus Organizer file
.or5 Lotus Organizer file
.ora Parameter file (Oracle)
.org Calendar file (Lotus Organizer)
.osd Open Software Description file
.oss MS Office Saved Search
.ost Microsoft Outlook Offline file
.otf Open Type Format
.otl Outline font description (Z-Soft Type Foundry)
.otx Text file (Olivetti Olitext Plus)
.out Output file
.ov1 Overlay file (part of program to be loaded when needed)
.ov2 Overlay file (part of program to be loaded when needed)
.ovd Datafile (ObjectVision)
.ovl Overlay file (part of program to be loaded when needed)
.ovr Overlay file (part of program to be loaded when needed)
.ovw Cool Edit Pro Overviewfile
Cubase .WAV File Image
DIANA Overview file
.ows Web Studio 2 Project file
.oxt Open Office Extension file
.p Pascal source code file
Rea-C-Time application parameter file (ReaGeniX code generator)
Picture file (APPLAUSE)
.p16 Music (16 channels) (ProTracker Studio 16)
.p22 Patch file (Patch22)
.p65 Adobe Pagemaker v6.5
.p7m PKCS #7 MIME Message
.pa Print Artist
.pa1 Worktable (PageAhead)
.pab Microsoft Outlook personal address book
.pac Stad Image (graphics ?)
Package (SBStudio II)
.pack Pack 2000 Compressed file
.pad Keypad definition (Telemate)
.paf PARIS audio format
Personal Ancestral file
.pages Pages document
.pak Compressed file archive created by PAK (pak251.exe)
.pal Adobe Pagemaker Library Palette
Color Palette
Compressed File
Tree Professional Palm Creator file
.pan Printer-specific file (copy to coreldrw.ink) (CorelDRAW)
.par Parts application (Digitalk PARTS)
Parameter file (Fractint)
Permanent output file (Windows 3.x)
.pas Pascal source code file
.pat Hatch patterns (AutoCAD - Photostyler)
Vector fill files (CorelDRAW)
.pax Pax Archive file
.pb Fax (FAXability Plus)
Phonebook (WinFax Pro)
Setup file (PixBase)
.pb1 Document (First Publisher for Windows)
.pba Powerbasic BASIC source code (Genus)
.pbd Phone book (FaxNOW! - Faxit)
.pbf Turtle Beach Pinnacle Bank file
Grand Prix Legends BMAP file
PBook E-book Format (renamed ZIP file)
Portable Bitmap Format file
.pbi Powerbasic include file (Genus)
Profiler Binary Input (MS Source Profiler)
.pbk Microsoft XP Remote Access Phonebook file
.pbl Powerbasic library (Genus)
.pbm Pbm Portable Bit Map graphics
Planar bitmap graphics (XLib)
.pbo Profiler Binary Output (MS Source Profiler)
.pbr Microsoft Publisher backup file
.pbt Profiler Binary Table (MS Source Profiler)
.pc Text file containing IBM PC specific info
.pc3 Custom palette (Harvard Graphics 3.0)
.pc8 Ascii text IBM8 character set (NewWave Write)
.pca Cash Register Express program
.pcb Broderbund Print Shop Business Card
Ivex Winboard Design file
MS PowerPoint Application Data file
Protel Technology Advanced PCB Design
.pcc Cutout picture vector graphics (PC Paintbrush)
.pcd Graphics (Kodak PhotoCD)
Microsoft Visual Test compiled script
.pcf Profile Configuration file
Profiler Command File (MS Source Profiler)
.pch Patch file
Precompiled header (MS C/C++)
.pcj Multimedia authoring tool graphics (IBM's Linkaway-Live)
.pck Received Package file
Pickfile (Turbo Pascal)
.pcl HP-PCL graphics data (HP Printer Control Language)
.pcm Plasmacam CAD/CAM system file
.pcs PICS Animation
.pct Bitmap Graphic
Honeywell GUS Display Builder
Macintosh Quickdraw/PICT Drawing
NIST IHDR
.pcw Text file (PC Write)
.pcx Bitmap graphics (PC Paintbrush)
.pd SynerGEE Stoner software files (compressible pipe flow program)
.pda Bitmap graphics
.pdb Data (TACT)
.pdc Personal Database Creator file
.pdd Adobe PhotoDeluxe Image
.pde Principalm Data Extract files
Processing Environment text files
.pdf Adobe Portable Document Format
Package Definition File
Graphics file (ED-SCAN 24bit format)
.pdg Printshop Deluxe files
.pdl Project Description Language file (Borland C++ 4.5)
.pdr Port or printer driver
.pds Incredimail
Source Code File
Telsis HiCall Program File
Pds graphics
Planetary Data System
Pldasm source code file (hardware assembly)
Print Shop Graphic
.pdt ProCite Primary Database
VersaPro Compiled Block
.pdv Printer driver (Paintbrush)
.pdw Document (Professional Draw)
.pdx Adobe Acrobat Index file
.pe4 Photo Explorer Thumbnail
.pea PeaZip Compressed FileArchived files
.peb Program Editor bottom overflow file (WordPerfect Library)
.ped Program Editor delete save (WordPerfect Library)
.pem Program Editor macro (WordPerfect Library)
Privacy Enhanced Mail Certificate file
.peq Program Editor print queue file (WordPerfect Library)
.per Program Editor resident area (WordPerfect Library) (vakioalue)
.pes Program Editor work space file (WordPerfect Library)
.pet Program Editor top overflow file (WordPerfect Library)
.pf Windows Prefetch file
Monitor/printer profile file
.pfa Type 3 font file (unhinted PostScript font)
.pfb Type 1 PostScript font file
.pfc Text file (First Choice)
.pfg jEEPers file
.pfk Programmable function keys (XTreePro)
.pfl Family Lawyer Data file
.pfm Windows Type 1 font metric file
.pfs Database (PFS:FILE) - text file (PFS:Write)
.pft Printer font (ChiWriter)
.pg Pagefox File
Page cut/paste file (IBM LinkWay)
.pgi Printer Graphics File device driver (PGRAPH library)
.pgm Portable Grayscale bitMap graphics
Program (Signature)
.pgp Support file (Pretty Good Privacy RSA System)
.pgs Manual page (man4dos)
.ph Optimized .goh file (Geoworks)
Perl header file
Phrase-table (MS C/C++)
.phb NewLeaf PhraseBook
ClustaW Tree file
TreeView file
PhoneB Phonebook file
.phn Phone list (UltraFax - QmodemPro)
.php PHP Script
MS Picture It! Publishing Project File
PhotoParade
.pho Phone database (Metz Phone for Windows)
.phr Phrases (LocoScript)
.phtml PHP Script
.pic Pixar picture file (SDSC Image Tool)
Bitmap graphics (Macintosh b&w PICT1 - color PICT2)
Bitmap graphics (many eg. Lotus 1-2-3 - PC Paint)
.pif Program Information File (Windows 3.x)
Vector graphics GDF format (IBM mainframe computers)
Shortcut to MS-DOS program
.pim PIM Archive file
.pip Personalized menu and toolbar (MS Office)
.pit Compressed Mac file archive created by PACKIT (unpackit.zoo)
.pix Alias image file (SDSC Image Tool)
.pj64 Project 64 game files.mswmm Windows Movie Maker Project file
.pj Project (CA-SuperProject)
.pjt Project memo (FoxPro)
.pjx Project (FoxPro)
.pk Packed bitmap font bitmap file (TeX DVI drivers)
.pk3 American McGee Alice Archive
Return to Castle Wolfenstein file
Heavy Metal: F.A.K.K.2 Archive
Quake 3 Arena Archive (renamed zip file)
.pka Compressed file archive created by PKARC
.pkd Top Secret Crypto Gold file
.pkg Installer script (Next)
.pkk Private Key file
.pkt Packet Tracer Network Simulation file
.pl Perl source code file
Prolog source code file
Property List font metric file (TeX)
Palette (Harvard Graphics)
.pl1 Room plan (3D Home Architect)
.pl3 Chart palette (Harvard Graphics 3.0)
.plb Library (FoxPro)
.plc Add-in file (functions - macros - applications) (Lotus 1-2-3)
.pll Pre-linked library (Clipper 5)
.pln Spreadsheet (WordPerfect for Win)
.plr Descent Pilot file
Player file
.pls DisorderTracker2 Sample
WinAmp MPEG PlayList file
Shoutcast file
MYOB Data file
.plt AutoCAD HPGL Vector Graphic Plotter file
Bentley's CAD MicroStation Driver Configuration for Plotting
Clipper 5 Pre-linked Transfer file
Gerber Sign-making Software file
HP Graphics Language
.pmv Pegasus Mail Filter Rule file
.pmx Pegasus Mail file
.pn3 Printer device driver (Harvard Graphics 3.0)
.pnf Precompiled Setup Information (Temporary file seen during installs)
.png Bitmap graphics (Portable Network Graphics)
.pnm Pbm Portable aNy Map (PNM) graphics
.pnt Macintosh painting
Qwk reader pointer file (MarkMail 2.x)
.pod OPENPROJ Project file
.poh Optimized .goh file (Geoworks)
.poi Point of interest file
.pop Messages index (PopMail)
Pop-up menu object (dBASE Application Generator)
.pos ProCite Output Styles
QuickPOS IIF file
.pot PowerPoint template
.potx PowerPoint Open XML Template file
.pov Raytraced scene description file (Persistence Of Vision)
.pow Chord chart (PowerChords)
.pp Free Pascal Source Code file
Compressed Amiga file archive created by POWERPACKER
.ppa PowerPoint Add-in
.ppb Button bar for Print Preview (WordPerfect for Win)
.ppd PostScript Printer Description (Acrobat)
.ppf Turtle Beach Pinnacle Program file
Jasc Paint Shop Pro 7 Preset file
Micrografx Picture Publisher file
PlayStation Patch file
.ppg MS PowerPoint Ppresentation
Professor Franklin's Photo Print Gold
.ppl Polaroidpaletteplus ColorKey device driver (Harvard Graphics 3.0)
.ppm Portable Pixel Map graphics
.ppo Pre-processor output (Clipper 5)
.ppp Publication (PagePlus)
Image files used in PagePlus SE
.pps PowerPoint Slideshow
Storyboard (Personal Producer)
.ppsx MS Office PowerPoint Slide Show file
.ppt General file extension (PowerPoint)
.ppz PowerPoint Packaged Presentation
.pqa Palm Query Application File (database for wireless access)
.pqi Power Quest Drive imaging
.pr2 Presentation (Aldus Persuasion 2.x)
.pr2 Printer driver (dBASE IV)
.pr3 Postscript printer driver (dBASE IV)
Presentation (Aldus Persuasion 3.x)
.prc Corel Presentation file
Palmpilot resource file
Picture Gear Pocket
.prd Printer driver (many)
.pre Presentation (Freelance Graphics)
Settings (Programmer's WorkBench - MS C/C++)
.prf Pixel Run Format graphics (Improces - Fastgraph)
Printer driver (dBASE IV)
Profiler output
.prg Program (Atari)
Program source (dBASE IV - FoxPro - Clipper 5 - dBFast)
.pri Printer definitions (LocoScript)
.prj Project
.prm Parameters
MYOB Premier file extension
.prn DataCAD Windows Printer file
HP Printer Control Language
PostScript file
Printer Text file
XYWrite Printer Driver
.pro Prolog source code file
Graphics profile file (DOS)
.prs Printer Resource eg. fonts (WordPerfect for Win)
Presentation (Harvard Graphics Win)
Procedure (dBASE IV)
.prt CADKEY Part file
Printer Configuration
Printer driver (Dr.Halo)
Printer-formatted file
Pro/ENGINEER Model file
Process Revolution Template file
SCEdit Part file
Unigraphics Part file
.prx Windows Media Settings file
Compiled program (FoxPro)
.prz Freelance Graphics 97 file
.ps PostScript file (text/graphics) (ASCII)
.ps2 PostScript Level 2 file
.psb Pinnacle Sound Bank
Project Scheduler Configuration file
.psd Adobe Photoshop file
Design II for Windows
.pse Bitmap graphics (IBM printer Page SEgment)
.psf Photoshop Proof Settings file
Outline PostScript printer font (ChiWriter)
PrintShop Mail Favorites
.psi PSION A-law Audio
File extenstion for Pierresoft Adesign Image
.psm Music (MASI - ProTracker)
PrintShop Mail
Symbol table of IDE (Turbo Pascal)
.psmdoc PrintShop Mail
.psp PaintShop Pro Image
Procedure (Prodea Synergy)
Project Scheduler Planning file
.psr Project Scheduler Resource file
.pst MS Outlook personal folder
.psw WinXP Backup Password File
.pt3 Device driver (Harvard Graphics 3.0)
Template (PageMaker 3)
.pt4 Template (PageMaker 4)
.ptb Script (PubTech BatchWorks)
.ptm Macro (PubTech BatchWorks)
An extension used in PUNCH! home design software
Polynomial Texture Map
.ptn PaperPort Thumbnail Images
.ptp Act! Modem Sync file
.ptr Qwk reader pointer file (QMail)
.pts Infinity Engine Game Tileset
Halflife Map Creation Debug file
.ptx Real Legal E-Transcript
.pub Page template (MS Publisher)
Public key ring file (Pretty Good Privacy RSA System)
Publication (Ventura Publisher - 1st Publisher)
.put Compressed file archive created by PUT (put334.zip)
.puz Across Lite Crossword Puzzle
Packed MS Publisher file
.pva Hauppauge DVB-Software
.pvd Script (Instalit)
.pvm Parallel Virtual Machine software library
.pvl Library (Instalit)
.pvt Local Fidonet pointlist
.pw Text file (Professional Write)
.pwd Pocket Word document
AutoCAD Password file
.pwf ProCite Workforms
.pwi Pocket Word document
.pwl Password List
.pwm WebMoney Purse file
.pwp Text document (Professional WritePlus)
.pwz MS Powerpoint Wizard
.px Primary database index (Paradox)
.pxl Pocket Excel Spreadsheet
.pxv Modelworks Project File used in JPad Pro and SitePad Pro
.py Python script file
.pyc Compiled PYTHON script file
.pyd Binary Python Extension on Windows
.pyw Python GUI Script on Windows
.pz2 Curious Labs Poser Pose file
.pz3 Curious Labs Poser Document
.pza MGI PhotoSuite II/III/4 Album file
.pzd Default settings (Pizazz Plus)
.pzl Jigs@w Puzzle
Lode Runner Game Puzzle
Puzzle
.pzo Overlay file (Pizazz Plus)
.pzp MGI PhotoSuite II/III/4 Project file
Palette (Pizazz Plus)
.pzs Settings (Pizazz Plus)
.pzt Transfer file (Pizazz Plus)
.pzx Swap file (Pizazz Plus)
.q05 Intuit Canada Quick tax file, tax return file
.q9q BladePro Graphic Plugin file
.qad QuickArt database
.qag Quick Access Group (Norton Desktop)
.qap Application (Omnis Quartz)
.qbb QuickBooks for Windows Backup file
.qbe Saved query (Query By Example) (dBASE IV - Quattro Pro)
.qbk Intuit Canada Quick tax file, backup copy of tax return file
.qbl Business Lawyer Document
.qbo Compiled query (dBASE IV)
.qbr QuickBooks Report
.qbw Spreadsheet (QuickBooks for Windows)
.qcn Qualcomm Phonebook file
.qcp Qualcomm PureVoice File
Contains data frames generated by QCELP 13K vocoder
.qd0 Data file - segment 10 (Omnis Quartz)
.qd1 Data file - segment 1 (Omnis Quartz)
.qd2 Data file - segment 2 (Omnis Quartz)
.qd3 Data file - segment 3 (Omnis Quartz)
.qd4 Data file - segment 4 (Omnis Quartz)
.qd5 Data file - segment 5 (Omnis Quartz)
.qd6 Data file - segment 6 (Omnis Quartz)
.qd7 Data file - segment 7 (Omnis Quartz)
.qd8 Data file - segment 8 (Omnis Quartz)
.qd9 Data file - segment 9 (Omnis Quartz)
.qdat Quicktime Installer Cache
.qdb Quicken data file
.qdf Quicken for Windows data file
.qdt Quark Xpress Dictionary file
Question Mark Designer Test file
QuickBooks UK Accountancy Data file
Quicken Data file
.qdv Graphics (Steve Blackstock Giffer)
.qe4 Kingpin Project file
.qef Query file (Q+E for MS Excel)
.qel Quicken Electronic Library file
.qfl Quicken Family Lawyer file
.qfx Quicken Financial Exchange file
Fax (QuickLink)
.qhf QIP PDA History file
.qic Backup set for Microsoft Backup
.qif Quicken Interchange Format
Quicktime Image
.qix NovaStar Backup file
Quicken for DOS v.2 data file
.qlb Quick library (MS C/C++)
.qlc Data (PostScript help file) atmfonts.qlc
.qlf Family Tree Maker Genealogy file
.qlp Printer driver (QuickLink)
.qm4 Options or services file (QMail 4.x Mail Door)
.qm Virtual Box Language file
.qml Quick Markup Language file
.qph Intuit Quicken Price History file
.qpr Generated query program (FoxPro)
Print queue device driver (OS/2)
.qpw Quattro Pro Project file
.qpx Compiled query program (FoxPro)
.qrp QuickReport Report files
Centura Report Builder file
Liberty for Windows report file
.qrs Equation Editor support file (WordPerfect for Win)
.qrt Qrt ray tracing graphics
.qru SQL Query file
.qry Query (dBASE IV)
.qsd Quicken for Windows data file
.qsi Quintessential Stereotaxic Injector Commander log files
.qst Quake Spy Tab file
.qt Quicktime movie (animation)
.qtc Incite Media Assistant file
.qtk Apple QuickTake file format for Windows
.qtl Quick Time Media Link file
.qtp QuickTime Preferences
Astra Quicktest Report
.qts Macintosh PICT image
QuickTime image
.qtx QuickTime image
.que CuteFTP Queue file
Task Scheduler Queue Object
.qvm Quake file
.qvs Casio Digital Camera file
.qw Symantec Q&A Write file
.qwk QWK reader message file
.qxd QuarkXPress document file format
.qxl Element library (QuarkXPress)
.qxp QuarkXPress project file
.qxt Template file (QuarkXpress)
.r Ratfor (FORTRAN preprosessor) file
.r33 Train Simulator Game file
.r8 Raw graphics (one byte per pixel) plane one (PicLab)
.r8p Pcl 4 bitmap font file (Intellifont)
.ra Music (RealAudio)
.ram Ramfile (RealAudio)
.rar Compressed file archive created by RAR (rar1_402.exe)
.ras Sun Rasterfile graphics
.rat Datafile (RATS)
.raw Raw RGB 24-bit graphics
.rb Ruby on Rails class file
.rbf Windows Installer Rollback file
Datafile (Rbase)
.rbn Richard's Bridge Notation
Real Sound file
.rbs Windows Installer Rollback Script file
.rbx Format for playing RapidPlayer v3.0 ActiveX Control in Explorer
.rc Resource script (Visual C/C++ - Borland C++)
Configuration (emacs)
.rcf Rhapsody Storage file
.rcg Netscape newsgroup file (netsc.rcg)
.rcp Recomposer's MIDI Sequencer Music file
.rcx Lego Mindstorms Robotics Invention System
.rdb TrueVector Rules database
ZoneAlarm Rules database
.rdf Compiled UIC source code (Geoworks UI Compiler)
.rdi Device-independent bitmap file (RIFF RDIB format)
.rds Ray Dream Studio file
.rdx Datafile (Reflex)
.rec Datafile (EpiInfo)
Record file (Sprint)
Recorded macro file (Windows 3.x)
.red Path info (Clarion Modula-2)
.ref Cross-reference
.reg OLE Registration (Windows 3.x)
Registration (Corel programs)
.rels Microsoft Office 2007 Relationships
.rem Encrypted Data file
Remarks
.rep QWK reader reply file
Report (Report Designer - CodeReporter - DataBoss)
.req Request
.res Compiled resource (MS C/C++ - Borland C++)
Dbase resources (dBASE IV)
.rev Revision file (Geoworks)
.rex Rexx source code file
.rex Report definition (Oracle)
.rez Resource file
.rf Sun raster graphics
.rfl Roll Forward Log file
.rft Dca/RFT Revisable Format Text file (IBM DisplayWrite 4.0-5.1)
.rgb Sgi RGB image file (SDSC Image Tool)
.rgi RealArcade Game Installer
.rgp RealArcade Game Package
.rgs RealArcade Game Installer
.rgx Symbol tables etc. info (ReaGeniX code generator)
.rh Resource header file (Borland C++ 4.5)
.rhp Rhapsody Notation Program File Format
.ri Data (Lotus 1-2-3)
.rib Graphics in Renderman format (3DReality)
.ric Fax (Ricoh)
.rif Riff bitmap graphics (Fractal Design Painter)
.rip Graphics (Remote Access)
.rix Bitmap graphics (ColorRIX VGA Paint)
.rl4 Bitmap graphics
.rl8 Bitmap graphics
.rla Wavefront raster image file (SDSC Image Tool)
.rlb Data (Harvard Graphics Win) hgw.rlb
.rlc Graphics 1bit/pixel scanner output
.rle Utah Run Length Encoded raster graphic (SDSC Image Tool)
.rlz Realizer source code file (CA-Realizer)
.rm RealMedia file
.rmf Rich Map Format
Rich Music format
.rmi Midi file (RIFF RMID format)
.rmj Real Jukebox file
.rmk Makefile (Clipper RMake)
.rmm RealPlayer file
.rmr Resume Maker file
.rms Secure Real Media file
.rmvb Video file for Realplayer
.rm RealMedia
.rmvb Real Media video file
.rmx RealJukeBox MP3 file
.rn Xpl program for Nota Bene users
.rnd Rendering Slide (AutoCAD AutoShade)
.roi Actuate ReportBlast file
.rno Runoff file (VAX)
.rol Fm music Adlib Music File (Roland)
.rpd Database (RapidFile)
RosaPro file
RPV Printing System file
.rpl Text document (Replica)
.rpm RedHat Package Manager
RealMedia Player file
RunPaint Multicolor Graphic
.rps Propellerhead Software Reason Song
.rpt Report
.rrd ERDAS Imagine file
.rs Data file (Amiga Resource - Reassembler)
.rs_ Resource fork of a Macintosh file (Mac-ette)
.rsb Red Storm Image Format
.rsc Resource file
.rsm ReliaSoft MPC 3
RuneSword II Game
WinWay Deluxe Resume file
.rsp Response file
.rss Rockwell Logix PLC file
.rst ANSYS Results
ReliaSoft BlockSim
.rsw ReliaSoft BlockSim
.rtc Live Meeting Connection file
.rtf Rich Text Format text file (many - Windows Word)
Windows Help file script
.rtl Run Time Library (NU 7.0)
Text file
.rtp Turbo Tax Update file
RTPatch software update package data file
.rts Runtime library file (CA-Realizer)
.rtx Reliacast Audience Manager Turnstile
Mobile Phone Ringtone
.ru JavaSoft Library file
.rul InstallShield
.run RunScanner Saved file
.rv RealVideo Video file
.rvb Rhinoscript file
.rvp MS Scan Configuration file
.rvw Review
.rwg Random Word Generator List file
.rws Resource Workshop data file (Borland C++)
.rwx Script (RenderWare)
.rwz MS Outlook Rules Wizard file
.rzk Red Zion File Crypt (password file)
.rzr in-sync Speed Razor Project file
.rzx in-sync Speed Razor Project file
Red Zion File Crypt (encrypted file)
.s Assembly source code file (Unix)
Scheme source code file
.s$$ Temporary sort file (Sprint)
.s3m Music (16 channels) (Scream Tracker 3.0)
.sac Shared Asset Catalog (Adobe)
.saf MusicMatch Jukebox Secure Audio file
Safe File Encryption (Helix Software)
Twelve Ghosts file
.sah SETI@Home data file
.sal Datafile (SORITEC)
.sam Text file (Samna - Lotus Ami/Ami Pro)
.sar Compressed file archive created by SAR (sar1.zip)
.sas SAS System program
.sas7bcat SAS System file catalog
.sas7bdat SAS System data set
.sas7bndx SAS System index
.sas7bpgm SAS System Stored Program
.sas7bvew SAS Data Set View
.sas7mdb SAS System multidimensional database
.sat Standard ACIS Text file
.sav Backup file (saved file)
Configuration
Saved game situation (eg. NetHack)
.sb Audio file (signed byte)
.sbc Sagebrush Corporation Spectrum CIRC/CAT Report
.sbd Storyboard (Storyboard Editor)
.sbi Sound Blaster Instrument file (Creative Labs)
.sbj Micrografx Clipart or Palette file
.sbn ArcView file (GIS)
.sbp Dml program (Superbase 4)
.sbr Support file (Source Browser)
.sbs SWAT HRU Output file
.sbt Notes related to record (Suberbase 4 Windows)
.sbx ArcView file (GIS)
.sc Pal script (Paradox)
Display driver (Framework II)
.sc3 Renamed dBASE III screen mask file (dBASE IV)
Screen device driver (Harvard Graphics 3.0)
.sca Datafile (SCA)
.scc Text file
.scd Scodl Scan Conversion Object Description Language graphics
.scf Multimedia show (ScoreMaker)
Spelling checker configuration (Symphony)
Windows Explorer command file
.sch Project schedule (Schedule Publisher)
Schematics file (ORCAD)
.sci System Configuration Information
Fax (SciFax)
.scm Scheme source code file
ScreenCam Movie file
SchematicMaker file
.scn Screen file (Kermit)
Pinnacle Studio Scene file
.sco High score
.scp Script (BITCOM)
.scr Debug source code file (DOS Debug)
Screen - screen snapshot (dBASE IV - Procomm Plus)
Screen font (LocoScript)
Screen saver (Windows 3.x)
Script (Kermit - 1st Reader)
.sct Screen memo (FoxPro)
Windows Script Component
.scx Bitmap graphics (ColorRIX)
Chart (Stanford Chart)
Screen (FoxPro)
.scy Security file (ReaGeniX)
.sda Fidonet's Software Distribution Network file archive description
.sdc StarOffice Spreadsheet
.sdd StarOffice Presentation
.sdf System Data Format file (fixed lenght ASCII text)
.sdi Software Distribution Network Info file
Single Document Interface file
.sdn Software Distribution Network compressd file archive (pak251.exe)
.sdr SmartDraw file
.sds Chart Application Document file
.sdt SmartDraw Template
Dungeon Keeper 2 Archive
Theme Park World Archive
.sdu Edwards Systems Technology file
.sdw StarOffice Text
Raw Signed DWord Data
Lotus WordPro Graphic
.sea Self-Extracting compressed Macintosh file Archive
.sec CyberPaint animation file (sequence)
Secret key ring file (Pretty Good Privacy RSA System)
Secured animation file (Disney Animation Studio)
.sed Self Extraction Directive file
.sep Printer separator page
.seq Atari animation file
Sequential Instruction File (Bubble Chamber)
.ses Session info (Clarion Modula-2)
.set Configuration (1st Reader)
Driver sets created by Install (Symphony)
Setup options file
.sf Ircam Sound File (CSound package - MixView sound sample editor)
Wps attribute storage (OS/2 WorkPlace Shell) wp_root.sf
.sf2 Creative Labs Soundfont file
.sfb HP Soft Font file
.sfc System File Checker file
.sff Fritz Fax-Print file
Stage Scene file
Structured Fax Format
.sfi Graphics (SIS Framegrabber)
Printer font (HP LaserJet landscape) (Ventura Publisher)
.sfl Pcl 4 bitmap font (landscape) (Intellifont) (Ventura Publisher)
.sfn Font (SPX)
.sfo CuteFTP Search file
.sfp Pcl 4 bitmap font (portrait) (Intellifont) (Ventura Publisher)
.sfs Pcl 5 scalable font file (Intellifont)
.sft Screen font (ChiWriter)
.sfv QuickSFV/WinSFV Checksum file
Simple File Verification (Easy SFV Creator)
.sfw Seattle Film Works file
.sfx Self Extracting Archive file
.sg1 Graphics (Stanford Graphics)
.sgf Document with graphics (Starwriter)
Smart Game Format
Sonique Skin
.sgi Graphics (IRIS - Silicon Graphics)
.sgm Standard Generalized Markup Language file
Run-Time Help Files
SoftQuad XMetaL File
.sgn Sierra Print Artist Sign
.sgp Statistics (STATGRAPHICS Plus)
.sgt Save/get keyboard macro (Signature)
.sh Unix shell script
Unix ASCII file archive created by SHAR (unshar.zip)
.sh3 Presentation (Harvard Graphics 3.0)
.sha Shell Archive file
.shb Background (CorelShow)
.shd Microsoft Windows Shadow file
Print Spooler Shadow file
.shg Segmented-graphics bitmap
.shk Compressed Apple II file archive created by SHRINKIT
.shm Shell macro (WordPerfect Library)
.shn Shorten audio compression file
.shp Shape file and source file for text fonts (AutoCAD)
.shr Unix ASCII file archive created by SHAR (unshar.zip)
.shs Microsoft Word or Excel scrap file which is created when you drag and drop selected text
.shtml HTML File with Server Side
.shw Presentation (Harvard Graphics 2.0 - CorelShow)
Slide show (WordPerfect Presentations)
.shx Shape entities (AutoCAD)
.sid Commodore64 Music file
LizardTech MrSID Photo
.sif Setup Installation Files info (Windows NT Setup)
.sig Current program settings (Signature)
PrintShop Sign file
Signature file (PopMail)
.sik Backup file (Sicherungskopie) (MS Word)
.sim Aurora
PC Finder 2002C
PowerDVD file
Simulation (various)
.sis SymbianOS Installer file
.sit Compressed Macintosh archive created by STUFFIT (unsit30.zip)
.sitx Stuffit SITX Compressed File
.skb SketchUp software file (3D Design Tool)
.skf Autosketch file
.skin Skin file
.skm Google Sketchup Texture file
.skn Interface skins images (FileWrangler, SecurDesk!, SecurDesk! LV, ZipWrangler)
Symbian OS Skin File
.skp Sketchup software component (3D Design Tool)
.sl S-Lang source code file
.slb Slide library (AutoCAD)
.slc Compiled SALT script (Telix)
.sld Slide (AutoCAD)
.slf BitDefender file
Symantec Licence file
.sli Slide (MAGICorp Slide Service)
.slk Sylk Symbolic Link format data file (MultiPlan)
.sll Sound data file
.sln Microsoft Visual Studio Solution file
.slt Salt Script Application Language for Telix script source (Telix)
.sm Smalltalk source code file
Maillist (SoftSpoken Mailer)
Script (ScriptMaker)
Text file (Samna Word)
.smc Super Nintendo Game-console ROM Image
.smd StarOffice Mail
.smf Fax (SMARTFAX)
.smi RealPlay SMIL file
Self Mounting Image file
.smil Synchronized Multimedia Integration Language file
.smk Compressed File (Smacker)
.smm Macro (Ami Pro)
.smp Sample (sound file)
.sms Microsoft Package Definition file
Sega Master System Emulator
.smt Text file (Smart Ware II)
.smtmp SMTMP Virus
.snd Digitized sound file (Macintosh/ATARI/PC)
.sng Song (midi sound) (Midisoft Studio - Prism)
.snm Netscape mail
.sno Snobol4 source code file
.snp CoffeeCup HTML Editor Snippet
Computer Eyes Video Output
Microsoft Access Report Snapshop file
Snapview Shapshot
.snx Mirage Microdrive Snapshot Extended Version
Second Nature Software Graphic
StarCraft Saved file
.so Apache Module file
.sol Flash shared object file
Solution eg. game walkthroughs
.som Network serial numbers (Quattro Pro)
Sort information (Paradox)
.son Song (SBStudio II)
.sou Sound data (sound tool)
.sp Compressed file archive created by SPLINT (unix)
.spa Macromedia FutureSplash file
Smart Protocol Analyzer Real Time Communication Data
SmartPA Saved Capture file
Thermo Nicolet OMNIC file
.spc Program (MS Multiplan)
Temporary file (WordPerfect for Win)
Super Nintendo SPC700 sound file
.spd Scalable font (Speedo) (Harvard Graphics 3.0)
.spf Slide presentation file (EnerGraphics)
.spg Glossary (Sprint)
.spi Graphics (Siemens and Philips scanner)
.spi InConSoft Ltd. Sim-Path system files
.spl Compressed file archive created by SPLINT (splint.arc)
Customized printer driver (Sprint)
Personal spell dictionary (Signature)
Microsoft Windows Print Spool file
Sample
.spm Data (WordPerfect) wp{wp}.spm
.spo Statistical Program (SPSS)
.spp Printer file (Sprint)
.spr Document letter (Sprint)
Genarated screen program (FoxPro)
Sprite
.sps Spssx source code file (VAX/VMS)
Screen driver (Sprint)
.spt Spitbol source code file
Support file (MITAC disk/system management utility pack)
.spv InConSoft Ltd Sim-Path vehicle file
.spw Worksheet (SigmaPlot)
.spx Compiled screen program (FoxPro)
.sql SQL report or query
.sqlite SQLite Database file
.sqm Service Quality Monitoring file
Logfile for Windows Live Messenger
.sqz Compressed file archive created by SQUEEZE (sqz1083e.exe)
.src Source (DataFlex)
.srf Sun Raster File graphics
Sony RAW Image file
.srp Script (QuickLink)
.srt BSplayer Subtitle file
Omron CX-Supervisor
SDR99 Speech Recognition Task Speech Recogniser Transcript
.ss Bitmap graphics (Splash)
.ssa Subtitles
.ssb SmartSync Pro
.ssd Datafile (SAS/PC)
.ssf Snagit file
Enable Spreadsheet file
.ssm RealPlayer Standard Streaming Metafile
.ssp Datafile (SAS Transport)
.st Smalltalk source code file (Little Smalltalk)
Instrument library (Scream Tracker)
Stamp (NeoPaint)
.st3 MIDI Karaoke file
.sta Adobe Photoshop Match Colour Image Statistics file
Saved state (Reflection 4.0)
Stack (Spinmaker Plus)
.stb Stub library (Genus GX Kernel)
.std State Transition Diagram graphic file (Prosa)
Standard (something..) (LocoScript)
.stf Compressed file archive created by SHRINKTOFIT
.stg ActiveSync (Microsoft) Backup file
Statistica Graphics File
.stl C++ Standard Template Library
.stm State Transition Diagram model file (Prosa)
Music (Scream Tracker)
.stn ArcView Geocoding Standardization file
STiNG file
.sto Pascal stub OBJ file (Genus GX Kernel)
.stp Sharepoint Web Site Template File
PageKeeper Packed Storage file
DART Pro 98 system settings
AP203 Step file
.str Structure list object file (dBASE Application Generator)
.sts Project status info (MS C/C++)
Song format (Scream Tracker)
.stt Automap Template
SureThing CD Labeler Template file
.stu Tarantella Enterprise 3 3270 Emulator Style file
xyALGEBRA file
.stw Data file (SmartTerm for Windows)
.stx Electronic book (SmarText)
Tax form (CA-Simply Tax)
.sty Style library or sheet (many text and graphics programs)
.sub CloneCd related file
.sui Suit library (Simple User Interface Toolkit)
.sum Summary
.sun Sun rasterfile graphics
.sup Supplementary dictionary (WordPerfect for Win)
.sv4 RollerCoaster Tycoon Saved Game
.svd Autosave file for document (MS Word)
.svg Autosave file for glossary (MS Word)
Scalable Vector Graphics File format
.svgz Compressed Scaleable Graphic file
.svp WISCO Survey Power
Sonique Visual Plugin file
SwiftView Command file
.svs Autosave file for style sheet (MS Word)
.sw Audio file (signed word)
.swd Storybook file
Sabiston Textbook
.swf ShockWave Flash object
.swg Swag packet (SWAG Reader)
.swi Swish Data file
.swk Swapkeys Keyboard File
.swp Document backup (Sprint)
Swap file (DOS)
.sxc StarOffice / OpenOffice Spreadsheet file
.sxw OpenOffice.org Writer 6.0 text file
StarOffice Word Document file
.sy1 Smartpix symbol library (Ami Pro)
.sy3 Symbol file (Harvard Graphics 3.0)
.syd Backup of startup files created by QEMM (?) autoexec.syd
.sym Precompiled headers (Borland C++)
Program symbol table (many compilers and linkers)
Symbol file (Harvard Graphics 2.0)
.syn Sdsc Synu image file (SDSC Image Tool)
Synonym file (MS Word 5)
.sys Datafile (SYGRAPH - SYSTAT - SPSS/PC)
System file - device driver or hardware configuration info (DOS)
.syw Graphics symbols (Harvard Graphics Win)
.szc Windows Mobile 5 (Pocket PC)
.t Tads source
Tape Archive (tar) without compression
Tester symbol table (ReaGeniX code generator)
File extension for a Turing open source file
.t$m AVG Internet Security Temporary file
.t04 TaxCut 2004 file
.t05 TaxCut 2005 Tax Return
.t06 TaxCut 2006 Tax Return
.t07 TaxCut 2007 Tax Return
.t08 TaxCut 2008 Tax Return
.t09 H&R Block At Home 2009 Tax Return
.t10 H&R Block At Home 2010 Tax Return
.t11 H&R Block At Home 2011 Tax Return
.t12 H&R Block At Home 2012 Tax Return
.t2 Textease 2000 file
.t44 Temporary file for Sort or Index (dBASE IV)
.t64 Program (C64S emulator)
.ta0 TaxAct file
.tab Guitar Tablature file
MapInfo Table
Diabetes Mentor file
.tag Query tag name (DataFlex)
.tah Turbo Assembler Help file (Borland C++)
.tal Text illustration (TypeAlign)
.tao IsoBuster file
.tar Compressed file archive created by TAR (pax2exe.zoo)
.tax TurboTax file
.taz Compressed ASCII file archive created by TAR and COMPRESS (.tar.Z)
.tb1 Font file (Borland Turbo C)
.tb2 Font file (Borland Turbo C)
.tbf Fax (Imavox TurboFax)
.tbh Mah Jongg for Windows Tile Set
.tbk Memo backup (dBASE IV - FoxPro)
Toolbook (Asymetrix ToolBook)
.tbl Graphics (native format) (Adobe PageMaker TableEditor)
Table of values (OS/2)
.tbs Text elements ?? (Textbausteine) (MS Word)
.tbx Table (Project Scheduler 4)
.tc Configuration (Turbo C - Borland C++)
.tch Turbo C Help file (Borland C++)
.tcl Tool Command Language source code (Swat)
.tcp 3D Topicscape (exported inter-Topicscape topic link)
.tcw Drawing (TurboCAD for Windows)
.td Configuration file (Turbo Debugger for DOS)
.td0 Disk image file (Teledisk)
.td2 Configuration file (Turbo Debugger for Win32)
.tdb Database (TACT)
eBay Turbo Lister file
.tdf Font (TheDraw)
Typeface definition file (Speedo)
.tdh Help file (Turbo Debugger)
.tdk Keystroke recording file (Turbo Debugger)
.tds Symbol table (Turbo Debugger)
.tdt ASCII Data File in CSV Format
Daylight Fingerprint Data file
Thor Datatree file
.tdw Configuration file (Turbo Debugger for Windows)
.tee TeeChart Office graphic
.tef Fax (Relisys TEFAX)
.tel Host file (Telnet)
.tem Turbo Editor Macro Language script (Borland C++)
Input template (IconAuthor)
.temp Temporary file
.test Test File Extension
.tex LaTeX Source Document file
Tex text file (Scientific Word)
Datasheet (Idealist)
.text ASCII Text file
.tf Configuration (Turbo Profiler)
Configuration (TinyFugue)
.tfa Area file (Turbo Profiler)
.tfc Catalogue file (Tobi's Floppy Cataloguer)
.tfh Help file (Turbo Profiler)
.tfm Tex Font Metric file (TeX)
Tagged font metric file (Intellifont)
.tfs Statistics (Turbo Profiler)
.tfw ArcView World File For TIF Image
Digital Raster Graphic World
.tg1 Project file (On Target)
.tga Truevision Targa bitmap graphics
.tgz Compressed file archive created by TAR and GNUzip (.tar.gz)
.thb KinuPix Skin
.thd Thread
.thm Thumbnail Image file
Microsoft Clipart Gallery database
Serif DrawPlus Theme
.thn Graphics Workshop for Windows Thumbnail
.ths Thesaurus dictionary (WordPerfect for Win)
.tib Acronis True Image file
.tif Tagged Image File Format bitmap graphics (PageMaker - CorelDRAW)
.tiff Tagged Image File Format
.til Fuzzy logic knowledge base (Togai InfraLogic Fuzzy-C Compiler)
.tim Playstation Game Texture Image
The Incredible Machine Level File
.tis Tile set (MahJongg 3.0)
.tix ASA for UNIX Terminfo Extension file
DivX file
Hybrid Graphics file
Tix Widgets
.tjl Backup file (VAXTPU editor)
.tlb OLE Type Library
Reference table (Bubble Chamber)
Text library (VAX)
Type library (Visual C++)
.tlc Compiled Tool Command Language source code (Swat)
.tlp Project (TimeLine)
.tlt Trellix Web Design file
.tmb Timbuktu Pro Connection Document
.tmd Document (TextMaker)
.tmf Tagged Font Metric file (WordPerfect for Win)
.tmo Ztg global optimizer default output file (Zortech C++)
.tmp Temporary file
.tmpl eMule Web Interface Template file
.tmq TestMaster file
.tms Script (Telemate)
.tmv Template (TextMaker)
.toc Table Of Contents
PSP Audio file
.tol Kodak Photoenhancer
.TOPC TopicCrunch project file for saving and resubmitting SEO searches
.tos Self-extracting file archive (Atari ST)
.tp Configuration (Turbo Pascal)
Session-state file (Turbo Profiler)
GUI template file for components written in C (Ternion)
.tp3 Template (Harvard Graphics 3.0)
.tpb Downloadable PCL Soft font file backup (HiJaak)
.tpf Downloadable PCL Soft font file (HiJaak)
.tph Help file (Turbo Pascal)
.tpi Microsoft Test file
.tpl Document Template file
Resident units library (Turbo Pascal)
Template (Harvard Graphics 2.0)
.tpp Protected Mode Units (Borland Pascal 7.0)
Teleport Pro Project file
GUI template file for components written in C++ (Ternion)
.tps Clarion for Windows data file
.tpu Turbo Pascal Unit (BGI) (Turbo Pascal)
Command file (VAXTPU editor)
.tpw Session-state file (Turbo Profiler for Windows)
Turbo Pascal Unit (BGI) (Turbo Pascal for Windows)
.tpz Compressed file archive created by TAR and GNUzip (.tar.gz)
.tr Session-state settings (Turbo Debugger for DOS)
Man page input suitable for troff -man (cawf2.zip)
.tr2 Session-state settings (Turbo Debugger for Win32)
.trace ECXpert Debugging file
TcpDump Output file
Telcordia Software Visualization and Analysis Toolsuite
WebSTAR Mail Server Error file
Zope 3 Strace Log
.trc Debug support file (Power CTrace)
.tre Directory tree file (PC-Tools)
.trg Symantec LiveUpdate file
.tri Trigram file
.trk Kermit Script file
Mixman Studio Track
Train Dispatcher Railroad Centgralized Traffic Control Simulation
Magellan "MapSend"- series GPS 'track' data file
.trm Terminal settings (Windows 3.x)
.trn Translation support file (Quattro)
.trp Tripmaker file
High Definition Video Transport Stream file
.trs Executable file (Micrografx)
.trw Session-state settings (Turbo Debugger for Windows)
.trx Router Firmware file
Emerald PC Authorize Batch Transaction file
.ts Transport Stream file
.tsk Skins for Pocket PC PDAs
PhotoImpact Quick Command
.tsp Windows Telephony Service Provider
.tst Printer test file (WordPerfect for Win)
.tsv Tab Separated Value file
.tt10 Turbotax 2010 Return file
.tta The True Audio Codec file
.ttc OpenType font file
.ttf Truetype Font file
.tub PaintShop Pro Tube file
.tut Tutorial
.tv Table view settings (Paradox)
.tv1 Overflow file above insert point in Doc 1 (WordPerfect for Win)
.tv2 Overflow file above insert point in Doc 2 (WordPerfect for Win)
.tv3 Overflow file above insert point in Doc 3 (WordPerfect for Win)
.tv4 Overflow file above insert point in Doc 4 (WordPerfect for Win)
.tv5 Overflow file above insert point in Doc 5 (WordPerfect for Win)
.tv6 Overflow file above insert point in Doc 6 (WordPerfect for Win)
.tv7 Overflow file above insert point in Doc 7 (WordPerfect for Win)
.tv8 Overflow file above insert point in Doc 8 (WordPerfect for Win)
.tv9 Overflow file above insert point in Doc 9 (WordPerfect for Win)
.tvf Table view settings (dBASE)
.tvo TeveoLive
.tvp NVIDIA Graphic Card Update file
.tvr Navicat for MySQL file
.tvt RealPlayer
.txd Grand Theft Auto 3 Texture file
Letters Direct
.txf Compressed file archive created by TAR and FREEZE (.tar.f)
.txi Support file (TeX)
.txl Genesis3D Texture file
.txt Text file
.tym Time Stamp (PageMaker 4)
.tz Compressed file archive created by TAR and COMPRESS (.tar.Z)
.tzb Compressed file archive created by TAR - COMPRESS - BTOA (.tar.Z.btoa)
.uax Unreal Audio file
.ub Audio file (unsigned byte)
.uc2 Compressed file archive created by UltraCompressor II (uc2.zip)
.ucn New compressed file archive created by UltraCompressor II
.ucs Universal Classification Standard Database file
.udc Acrobat Spelling file
.udf Filter (Photostyler)
.udl MS Data Link
.uds Sierra Generations Family file
.ue2 Encrypted file archive created by UltraCompressor II
.ufo Ulead PhotoImpact Graphic file
.uha UHARC Compressed Archive file
.uhs Universal Hint System (binary file)
.ui Espire source code file (Geoworks UI Compiler)
User interface (Sprint)
.uif MagicISO Disc Image file
Long prompts for windows (WordPerfect for Win)
.uih Espire header file (Geoworks UI Compiler)
.uis WindowBlinds (Copyright Neil Banfield & Stardock.net, Inc.)
.ul Ulaw audio file
.uld Information about uploaded files (Procomm Plus)
.ult Music (UltraTracker)
.umb Backup file (MemMaker)
.umd Universal Media Disc file
.umf Stockmoves, MOTEK BV
.umx Unreal music file
.uni Unimod music module (MIKMOD)
Datafile (Forecast Pro)
.unl Garmin Unlock file
.unq Fax View file
.uns2 Ultra Notes Backup file
.unx Text file containing UNIX specific info
.upd Program update info
Update data (dBASE)
.upg Firmware Upgrade file
.upo Compiled update data (dBASE)
.upx ULead Photo Express Saved Image file
.url Uniform Resource Locator (Internet shortcut)
.urls GetRight URL List file
.usb D-Link FM Radio Update
USB Protocol Analyzer Trace
.user Visual Studio User Options file
.usp Printer font with USASCII extended character set (PageMaker)
.usr User database file (Procomm Plus - Turbo C++ tour)
.utf AOL Updating Files
.utl Sound file
.utx Unreal Engine Texture file
Unicode file
.uu Compressed ASCII file archive created by UUDE/ENCODE
.uue Compressed ASCII file archive created by UUENCODE (uuexe515.exe)
.uvf CSV (comma separated value) format. Used by Netica
.uvr Ulead Cool 360 Viewer file
.uw Audio file (unsigned word)
.uwl WordPerfect User Word List file
.v Consistency check support file (ReaGeniX code generator)
Main input file for an image (Vivid 2.0)
.v2 Microsoft Live Messenger data file
.v64 Nintento 64 Emulation ROM Image
.val Validity checks and referential integrity (Paradox for Windows)
Values list object file (dBASE Application Generator)
.van Animation (VistaPro)
.var Variable file (IconAuthor)
.vbc Visual Business Cards
.vbd ActiveX file
.vbe VBScript Encoded Script file
.vbn Norton Corporate anti-virus quarantined file
.vbp Visual Basic Project file
.vbs Visual Basic Script file (Visual Basic)
.vbw Visual Basic Project Workplace (Visual Basic)
.vbx Visual Basic eXtension (Visual Basic)
.vc Include file with color definitions (Vivid 2.0)
Spreatsheet (VisiCalc)
.vc4 Virtual CD/DVD Image file
.vcd VisualCADD Drawing file
Video CD format
.vce Visual CE Class Type file
.vcf VCard file
.vch Interlock Public Computer Utility
.vcmf VAIO Content Metadata file
.vcs vCalender file
.vcw Visual workbench information (MS Visual C++)
.vcx Spreatsheet (VisiCalc Advanced)
.vda Bitmap graphics
.vdb Norton AntiVirus Corporate Edition Update file
PC-cillin Quarantined file
.vdf Avira AntiVir virus definition file
Vexira Anti-virus virus definition file
.vdi Virtual Disk Images files
.vdj Virtual DJ Sample file
.vdm VDM Play
.vdr Drawing (ComputerEasy Draw)
.vdx XML for Visio Drawing file
Vector Graphic file
Virtual Device Driver
.vem VeePro Embroidery Software Format
Voice E-mail file
.ver Version Description file
.vew View file (Clipper 5, Lotus Approach)
.vfm Voting Form (Voter)
.vfn Voting Form for Customers (Voter)
.vfp TMPGEnc VFAPI Plug-in
.vfs Virtual File System Index
.vfx Ulead Video Studio Sample file
.vga Vga display driver
Vga display font
.vgd Vga display driver (Generic CADD)
.vgr Graphics (Ventura Publisher)
.vhd Virtual Hard Disk file
.vi Graphics (Jovian Logic VI)
.vic Vicar graphics
.vid Video file
Ms-DOS Shell Monitor file (MS-DOS 5)
Bitmap graphics (YUV12C M-Motion Frame Buffer)
Screen device driver (Word)
.vif Khoros Visualization image file (SDSC Image Tool)
.vik Viking graphics
.vir Virus Infected file
.vis Vis graphics
.viv VivoActive Player Video file
.vlm Ashlar-Vellum file
Novell Virtual Loadable Module
Vellum CAD Drawing
.vlt WinVault Container file
.vm Virtual Memory file (Geoworks)
.vm1 Panasonic SD Voice Editor file
.vmc Virtual memory configuration (Acrobat reader)
.vmdk VMware Image file
.vmf Font characteristics (Ventura Publisher)
Voice mail file (VocalTec Voice)
.vmg Text Message files
.vml Vector Markup Language
.vmo Mobile Phone voice file (Siemens Sl45)
Virtools Behavioral Server Composition (Web-based Protected Format)
Cosmopolitan Virtual Makeover File
.vmp Logos Library System 2.x Verse Map
.vms Text file containing VMS specific info
.vmt Valve Material file. Details how a material is to be rendered
.vmx VMware Configuration file
.vnt vNote file
.vo Include file with object definition (Vivid 2.0)
.vob DVD video movie file
.voc Digitized samples (Creative Voice file)
.vof Object folder (VZ Programmer)
.vol VOL Archive file
Tribes 2 game file
Earth Siege 2 Archive
Giants: Citizen Kabuto Archive
Tribes Archive
Tribes Extreme Archive
.vor OpenOffice.org Template
.vox Vox Audio
Dialogic ADPCM
Talking Technology Inc. file
Natural MicroSystmes Voice file
.vp6 TrueMotion VP6 Video file
.vpa Excite Chat Gestures file
.vpd Virpet Performance Descriptor
VitaGraph file
.vpg Graphics (VPGraphics)
.vpk Steam Package Archive file
.vpl Karaoke Player Playlist file
Virtual Property List file
.vpp Virtual Pool Game
Red Faction/Summoner Package file
.vqe Yamaha Sound-VQ Locator File
.vqf Yamaha Sound-VQ File
.vql Yamaha Sound-VQ Locator File
.vrd VRScape data file
.vrm Overlay file (QuattroPro)
.vro Panasonic DVD Recorder file
.vrp Project (WATCOM VX?Rexx)
.vrs Video Resource eg. video device driver (WordPerfect)
.vs Include file with surface definition (Vivid 2.0)
.vsd Diagram (Shapeware Visio)
.vsl GetRight Download List file
Visio Library
.vsm Simulation model (VisSim)
.vsp Visual Studio file
Sprite (SPX)
Backup Exec 9.1 and higher
.vss Smartshapes file (Shapeware Visio)
.vst Truevision Vista bitmap graphics
.vtf Valve Texture file. Used to store texture data
.vts DVD File format
.vtx XML for Visio template file
.vue Animation (3D Studio)
View (dBASE IV - FoxPro)
.vw Text file (Volkswriter)
.vw3 Text file (Volkswriter 3)
.vwl VideoWave Video Wave Library
.vwr File viewer file (PC Tools)
.vwt VideoWave Thumbnail
.vxd Virtual device driver (MS Windows)
.vyd VyperHelp
.w Database AppBuilder Source Code file
Word chart file (APPLAUSE)
.w02 Multiple Archive file
.w30 Printer font (AST TurboLaser) (Ventura Publisher)
.w31 Startup file (Windows 3.1)
.w3g Warcraft III file
.w3m Warcraft III Map file
.w44 Temporary file for Sort or Index (dBASE)
.w5v Winamp file
.wab Outlook File
.wac Infinity Game Engine WAVC Sound
.wad Doom Game file
Gunman Chronicle Archive
Half Life Archive
Heretic Archive
Hexen Archive
Quake Archive
Theme Park World Archive
.waf Mayim's WAF Compiler file
.wal Winamp Skin file
WalMaster Showlist file
.war Java Web Archive (used by Servlets)
Konqeror HTML page archive
.wav Waveform audio file (RIFF WAVE format)
.wax Windows Media Player Redirect file
.wb1 Notebook (Quattro Pro)
.wb2 Spreadsheet (Quattro Pro)
.wb3 Quattro Pro for Windows
.wba WindowBlinds Compressed Skin
Winace Zip file
.wbc Webshots Picture Collection
.wbf Ms Windows Batch File (Catch)
.wbk Document/workbook (WordPerfect for Win)
.wbmp Wireless Application Protocol Bitmap file
.wbt Batch file (WinBatch)
.wbx Webigger file
.wbz WebShots file
.wcd Macro token list (WordPerfect for Win)
.wcm Data transmission file (MS Works)
Macro (WordPerfect for Win)
.wcp Product information description (WordPerfect for Win)
.wd2 Info Select for Palm Organizer file
WordExpress Document
.wdb Database (MS Works)
.wdf ReliaSoft Weibull 5.0
Workshare DeltaView DeltaFile
.wdl Windows XP Watchdog Log file
.web Web source code file
.wer Microsoft Windows Error Report file
.wfc Windows Connect Now file
.wfm Form object (dBASE Form Designer)
.wfn Font (CorelDRAW)
.wfx Data file (Winfax)
.wg1 Worksheet (Lotus 1-2-3/G)
.wg2 Worksheet (Lotus 1-2-3 for OS/2)
.wgt Opera Widget file
.wid Width table (Ventura Publisher)
.wim Image Format file
.win Opera Saved Window file
Window file (FoxPro - dBASE)
Wonderware InTouch window file
.wiz Page wizard (MS Publisher)
.wjp WildTangent Branded .jpg file
.wk1 Spreadsheet (Lotus 1-2-3 version 2.x - Symphony 1.1+)
.wk3 Spreadsheet (Lotus 1-2-3 version 3.x)
.wk4 Spreadsheet (Lotus 1-2-3 version 3.4)
.wkb Document (WordPerfect for Win)
Workbook file
.wke Spreatsheet (Lotus 1-2-3 educational version)
.wkq Spreatsheet (Quattro)
.wks Spreadsheet (Lotus 1-2-3 version 1A - Symphony 1.0 - MS Works)
Workspace (Xlisp)
.wll Word Add-in
.wlk Graphics (Virtus Walkthrough)
.wlt eWallet file
WaveL Wavelet Compressed Graphic
Words of Worship Liturgy
.wma Microsoft Active Streaming file
.wmc Backup of startup files by Windows MathCad autoexec.wmc
Macro file (WordPerfect for Win)
Text file (WordMARC)
.wmf Windows MetaFile vector graphics
.wml Wireless Markup Language
.wmv MS Active Streaming file
.wmz Windows Media Compressed skin file
.wn Text (NeXT WriteNow)
.wnf Outline font description (CorelDRAW native format)
.wo4 STABCAL file
.wo7 STABCAL file
.woa Swap file (Windows 3.x)
.woc Microsoft Office 2007 Organization file
Organization (Windows OrgChart)
.wor MapInfo Workspace
.wot WebEx Saved Meeting Movie
.wow Music (8 channels) (Grave Mod Player)
.wp Text file (WordPerfect 4.2)
.wp3 Microsoft Photo Story Project file
.wp5 Document (WordPerfect 5.x)
.wpd Document (WordPerfect 6.0 - PFS:WindowWorks)
.wpf Fax (WorldPort)
Form (WordPerfect)
.wpg WildTangent Branded .PNG file
Wordperfect Graphics vector graphics (DrawPerfect)
.wpj MS Works Projects
.wpk Macros (WordPerfect for Win)
.wpl Windows Media Player Playlist file/td>
Draxy Software Wallpaper Sequencer
Online WebPanel file
PFS WinWorks Spreadsheet
WHAT IF MOL-object
Words of Worship Playlist
.wpm Macros (WordPerfect)
.wps Text document (MS Works)
.wpt WordPerfect template
602 pro PC SUITE template document file
.wpw PerfectWorks document
.wq! Compressed spreadsheet (Quattro Pro)
.wq1 Spreadsheet (Quattro Pro)
.wr1 Spreadsheet (Symphony 1.1 - 1.2 - 2)
.wrd Template (Charisma)
.wrf used for WebEx recording. Microsoft office add-in for meeting
.wri Text file (Windows Write)
.wrk Spreadsheet (Symphony 1.0, 1.2, 2.0, 3.0)
.wrl Plain text VRML file
.wrml Plain text VRML file
.wrp Compressed Amiga file archive created by WARP
.wrs Windows Resource eg. printer driver (WordPerfect for Win)
.ws Text file (WordStar 5.0-6.0)
.wsf Windows Script file
.wss Web Screen Saver file (Web Screen Saver 2008)
.ws2 Text file (WordStar 2000)
.wsc Windows scripting component file
.wsd Document (WordStar)
.wsf Windows Script file
.wsh Windows Script Host Settings file
.wsp Workspace (Fortran PowerStation)
.wsr FirstStop WebSearch file
.wss Web Screen Saver file (Web Screen Saver 2008)
.wst Text file (WordStar)
.wsx WinMX Filesharing Program
.wsz Skin Zip file (WinAmp)
.wtd WinTune Document file
.wtr MS Encarta file
.wv WavPack compressed Audio file
.wve Component of a DIVX Movie Conversion
Psion Series 3a/3c/3mx Waveform sound file
.wvx Metafile
.wvw Backup Wonderware InTouch window file
.wwb Button bar for document window (WordPerfect for Win)
.wwk Keyboard layout (WordPerfect for Win)
.wwp Worms World Party Teams file
.wws AutoRoute User Information
.wwv WildTangent Branded .WAV file
.wxp Document (EXP for Windows)
.wxs Easy Cross crosstitch file
.wzg WZebra file
.wzs Microsoft Word wizard
.x DirectX Object file
AVS X image file (SDSC Image Tool)
Lex source code file
.x01 Secondary index (Paradox)
.x02 Secondary index (Paradox)
.x03 Secondary index (Paradox)
.x04 Secondary index (Paradox)
.x05 Secondary index (Paradox)
.x06 Secondary index (Paradox)
.x07 Secondary index (Paradox)
.x08 Secondary index (Paradox)
.x09 Secondary index (Paradox)
.x16 Macromedia Program Extension (16-bit)
.x32 Macromedia Program Extension (32-bit)
.xap Silveright Application Package
.xbel XML Bookmark Exchange Language file
.xbm X11 Bitmap graphics
.xcf Gimp Image file
.xdf Milnta APL Transfer Function
Workshare Synergy file
.xdw X Windows Screen Dump file
.xef X-Genics eManager - XML form and data for eManager
.xem X-Genics eManager - Metered units / credit definition for forms/file usage in eManager
.xep X-Genics eManager - File packaging / unpacking information for eManager components
.xes X-Genics eManager - XML definition for UI skins
.xet X-Genics eManager - XML definition for eManager process
.xev X-Genics eManager - File download definition for auto-update and delivery of new procedures
.xez X-Genics eManager - Template package for eManager
.xfd XML Form in XFDL Format
.xfdl Extensible Forms Description Language file
.xfn Printer font (Xerox 4045) (Ventura Publisher)
.xft 24 pin printer font (ChiWriter)
.xfx Fax File (various)
.xhtml Extensible HyperText Markup Language file
.xi Fast Tracker 2 Instrument or ScreamTracker Instrument file
.xif Wang image file
Often a Fax image (TIFF) file
ScanSoft Pagis XIF Extended Image Format
Xerox image file
.xla Xlib Archive (xlibpas2.zip)
.xla Add-in macro sheet (MS Excel)
.xlb Data (MS Excel)
.xlc Chart document (MS Excel)
.xlk Excel Backup
.xll Excel Dynamic Link Library (MS Excel)
.xlm Macro sheet (MS Excel)
.xlr MS Works file
.xls Spreadsheet(MS Works)
DATAIR Data Import Specification Translation file
Worksheet (MS Excel)
.xlsm Microsoft Excel Macro-Enabled Workbook file
.xlsx Microsoft Excel XML file
.xlt Template (MS Excel)
Translation table (Lotus 1-2-3 - Symphony - Procomm Plus)
.xlw Workbook (MS Excel)
.xlx XoloX Incomplete Download file
.xm Music (Fast Tracker)
.xmi Compressed eXtended MIdi music
.xml Extensible Markup Language file
.xmp Extensible Metadata Platform
.xnf Standard Network File form
.xpi XPInstall File
Digital surveillance system
.xnk Microsoft Exchange Shortcut
.xpl Music file
.xpm X11 Pixel Map graphics
.xpr Memorex CD-ROM label file
.xps XML Paper Specification file
.xpt Mozilla Firefox Component file
XPCOM Type Library
.xpw Leading Market Technologies EXPO
Screen-Fillable Surfer Version of a Form
.xqt Executable file (Waffle)
Macro sheet (SuperCalc)
.xpv digital surveillance system
.xrf Cross-reference file
.xsd XML Schema file
.xsf Milnta APL Transfer Function
.xsl Extensible Stylesheet Language file
.xspf XML Shareable Playlist file
.xss Ability Office Spreadsheet
.xtb External translation table (LocoScript)
.xtm Xtremsplit Data file
.xtr MapTool file (an add-on for UI-View)
Xtreme Tuning files
.xul XML User Interface Language file
.xvb WinExplorer VB Script
.xvid Xvid Video file
.xvl Compact 3D file format for web apps.(Lattice 3D)
.xwd X Window System window dump image graphics (SDSC Image Tool)
.xwk Keyboard mapping (Crosstalk)
.xwp Session (Crosstalk)
Text file (Xerox Writer)
.xx Compressed file ASCII archive created by XXENCODE (uuexe515.exe)
.xxe Compressed file ASCII archive created by XXENCODE (uuexe515.exe)
.xxx Singer Sewing Machine Professional SewWare file
Embroidery Design file
.xy Text file (XY Write)
.xy3 Text file (XYWrite III)
.xyw Text file (XyWrite III)
.xyz ASCII RPG Maker Graphic Format
.xz XZ Compressed Archive file
.y Yacc grammar file
Compressed Amiga file archive created by YABBA
.y01 Secondary index (Paradox)
.y02 Secondary index (Paradox)
.y03 Secondary index (Paradox)
.y04 Secondary index (Paradox)
.y05 Secondary index (Paradox)
.y06 Secondary index (Paradox)
.y07 Secondary index (Paradox)
.y08 Secondary index (Paradox)
.y09 Secondary index (Paradox)
.yab Yabasic Source Code file
.yal Data (Arts & Letters)
.ybk Microsoft Encarta Yearbook file
.ychat Yahoo! Messenger chat log
.yenc yEnc file
.ymg Yahoo! Messenger file
.yml YAML file
.ync yEnc Encoded file
.yps Yahoo! Messenger Data file
.yuv YUV Encoded Image or Video file
.yz Compressed file archive created by YAC
.yz1 Yamazaki ZIPPER file
.z Compressed file ASCII archive created by COMPRESS (comp430d.zip)
Unix Compressed file archive created by PACK (Unix SysV pack)
.z01 Winzip Split Archive file
.z02 Split Archive file
.z1 ZoneAlarm Renamed VB file
.z3 Infocom game module
.zap Zero Administration Package file
FileWrangler Compressed file
MS Windows Software Installation Settings
.zbd Canon ZoomBrowser Database file
MechWarrior 3 Snow Fields file
Zebedee Encrypted file
.zdb Zimbra Database File
.zdb
.zdct After Effects Language file
.zdg Compressed ZiffNet text document (Zview)
.zdl Design Pro Label file
.zdp ZDNet Password Pro 32
.zer Data file (Zerberus)
.zfx ZFX - CC3 File Packer Tool
.zgm Graphics (Zenographics)
.zhtml Secure IE Zipped HTML file
.zi Renamed Zip file
.zif Zooming Image Format file
.zip ZIP Compressed file archive
.zipx WinZip Compressed file
.zix Quicken Data file
WinZix Compressed file
.zl? Zone Alarm Mailsafe Renamed File.
ZoneAlarm quarantines attachments and changes their file names.
ZoneAlarm Quarantined EXE File (Ex. .EXE to .zl9)
.zl Zlib Compressed file
.zls Atlantis Ocean Mind Word Processing file
.zmc ZoneAlarm Mailsafe
.zom Compressed Amiga file archive created by ZOOM
.zon Grand Theft Auto 3 Zone file
.zoo Compressed file archive created by ZOO (zoo210.exe)
.zpk Z Firm Package file
.zpl Creative Zen Micro playlist
.zst ZSNES Slot 0 Savestate
.ztd Ziff Davis Media text database
.zvd Zyxel Voicefile (Z-Fax)
.zvz Possible Virus file
.zxp Extension Manager Package
.zz Zzip Compressed Archive file
.zzt ZZT Game Creation System
.08)
18 months
(,000)
55
Corporate Department 0K FPGA 24 seconds
(.08)
19 days
(,000)
60
ASIC 0.18 seconds
(.001)
3 hours
()
Big Company M FPGA 7 seconds
(.08)
13 hours
(,000)
70
ASIC 0.005 seconds
(.001)
6 minutes
()
Intelligence Agency 0M ASIC 0.0002 seconds
(

Search metadata Search full text of books Search TV captions Search archived web sites Advanced Search.

.001)
12 seconds
()
75

So, how big is big enough? DES, invented in 1975, was still in use at the turn of the century, nearly 25 years later. If we take that to be a design criteria (i.e., a 20-plus year lifetime) and we believe Moore's Law ("computing power doubles every 18 months"), then a key size extension of 14 bits (i.e., a factor of more than 16,000) should be adequate. The 1975 DES proposal suggested 56-bit keys; by 1995, a 70-bit key would have been required to offer equal protection and an 85-bit key necessary by 2015.

A 256- or 512-bit SKC key will probably suffice for some time because that length keeps us ahead of the brute force capabilities of the attackers. Note that while a large key is good, a huge key may not always be better; for example, expanding PKC keys beyond the current 2048- or 4096-bit lengths doesn't add any necessary protection at this time. Weaknesses in cryptosystems are largely based upon key management rather than weak keys.

Much of the discussion above, including the table, is based on the paper "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" by M. Blaze, W. Diffie, R.L. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener (1996).

The most effective large-number factoring methods today use a mathematical Number Field Sieve to find a certain number of relationships and then uses a matrix operation to solve a linear equation to produce the two prime factors. The sieve step actually involves a large number of operations that can be performed in parallel; solving the linear equation, however, requires a supercomputer. Indeed, finding the solution to the RSA-140 challenge in February 1999 — factoring a 140-digit (465-bit) prime number — required 200 computers across the Internet about 4 weeks for the first step and a Cray computer 100 hours and 810 MB of memory to do the second step.

In early 1999, Shamir (of RSA fame) described a new machine that could increase factorization speed by 2-3 orders of magnitude. Although no detailed plans were provided nor is one known to have been built, the concepts of TWINKLE (The Weizmann Institute Key Locating Engine) could result in a specialized piece of hardware that would cost about 00 and have the processing power of 100-1000 PCs. There still appear to be many engineering details that have to be worked out before such a machine could be built. Furthermore, the hardware improves the sieve step only; the matrix operation is not optimized at all by this design and the complexity of this step grows rapidly with key length, both in terms of processing time and memory requirements. Nevertheless, this plan conceptually puts 512-bit keys within reach of being factored. Although most PKC schemes allow keys that are 1024 bits and longer, Shamir claims that 512-bit RSA keys "protect 95% of today's E-commerce on the Internet." (See Bruce Schneier's Crypto-Gram (May 15, 1999) for more information, as well as the comments from RSA Labs.)

It is also interesting to note that while cryptography is good and strong cryptography is better, long keys may disrupt the nature of the randomness of data files. Shamir and van Someren ("Playing hide and seek with stored keys") have noted that a new generation of viruses can be written that will find files encrypted with long keys, making them easier to find by intruders and, therefore, more prone to attack.

Finally, U.S. government policy has tightly controlled the export of crypto products since World War II. Until the mid-1990s, export outside of North America of cryptographic products using keys greater than 40 bits in length was prohibited, which made those products essentially worthless in the marketplace, particularly for electronic commerce; today, crypto products are widely available on the Internet without restriction. The U.S. Department of Commerce Bureau of Industry and Security maintains an Encryption FAQ web page with more information about the current state of encryption registration.

Without meaning to editorialize too much in this tutorial, a bit of historical context might be helpful. In the mid-1990s, the U.S. Department of Commerce still classified cryptography as a munition and limited the export of any products that contained crypto. For that reason, browsers in the 1995 era, such as Internet Explorer and Netscape, had a domestic version with 128-bit encryption (downloadable only in the U.S.) and an export version with 40-bit encryption. Many cryptographers felt that the export limitations should be lifted because they only applied to U.S. products and seemed to have been put into place by policy makers who believed that only the U.S. knew how to build strong crypto algorithms, ignoring the work ongoing in Australia, Canada, Israel, South Africa, the U.K., and other locations in the 1990s. Those restrictions were lifted by 1996 or 1997, but there is still a prevailing attitude, apparently, that U.S. crypto algorithms are the only strong ones around; consider Bruce Schneier's blog in June 2016 titled "CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist." Cryptography is a decidedly international game today; note the many countries mentioned above as having developed various algorithms, not the least of which is the fact that NIST's Advanced Encryption Standard employs an algorithm submitted by cryptographers from Belgium. For more evidence, see Schneier's Worldwide Encryption Products Survey (February 2016).

On a related topic, public key crypto schemes can be used for several purposes, including key exchange, digital signatures, authentication, and more. In those PKC systems used for SKC key exchange, the PKC key lengths are chosen so as to be resistant to some selected level of attack. The length of the secret keys exchanged via that system have to have at least the same level of attack resistance. Thus, the three parameters of such a system — system strength, secret key strength, and public key strength — must be matched. This topic is explored in more detail in Determining Strengths For Public Keys Used For Exchanging Symmetric Keys (RFC 3766).


4. TRUST MODELS

Secure use of cryptography requires trust. While secret key cryptography can ensure message confidentiality and hash codes can ensure integrity, none of this works without trust. In SKC, Alice and Bob had to share a secret key. PKC solved the secret distribution problem, but how does Alice really know that Bob is who he says he is? Just because Bob has a public and private key, and purports to be "Bob," how does Alice know that a malicious person (Mallory) is not pretending to be Bob?

There are a number of trust models employed by various cryptographic schemes. This section will explore three of them:

  • The web of trust employed by Pretty Good Privacy (PGP) users, who hold their own set of trusted public keys.
  • Kerberos, a secret key distribution scheme using a trusted third party.
  • Certificates, which allow a set of trusted third parties to authenticate each other and, by implication, each other's users.

Each of these trust models differs in complexity, general applicability, scope, and scalability.

4.1. PGP Web of Trust

Pretty Good Privacy (described more below in Section 5.5) is a widely used private e-mail scheme based on public key methods. A PGP user maintains a local keyring of all their known and trusted public keys. The user makes their own determination about the trustworthiness of a key using what is called a "web of trust."

If Alice needs Bob's public key, Alice can ask Bob for it in another e-mail or, in many cases, download the public key from an advertised server; this server might a well-known PGP key repository or a site that Bob maintains himself. In fact, Bob's public key might be stored or listed in many places. (The author's public key, for example, can be found at http://www.garykessler.net/pubkey.html.) Alice is prepared to believe that Bob's public key, as stored at these locations, is valid.

Suppose Carol claims to hold Bob's public key and offers to give the key to Alice. How does Alice know that Carol's version of Bob's key is valid or if Carol is actually giving Alice a key that will allow Mallory access to messages? The answer is, "It depends." If Alice trusts Carol and Carol says that she thinks that her version of Bob's key is valid, then Alice may — at her option — trust that key. And trust is not necessarily transitive; if Dave has a copy of Bob's key and Carol trusts Dave, it does not necessarily follow that Alice trusts Dave even if she does trust Carol.

The point here is that who Alice trusts and how she makes that determination is strictly up to Alice. PGP makes no statement and has no protocol about how one user determines whether they trust another user or not. In any case, encryption and signatures based on public keys can only be used when the appropriate public key is on the user's keyring.

4.2. Kerberos

Kerberos is a commonly used authentication scheme on the Internet. Developed by MIT's Project Athena, Kerberos is named for the three-headed dog who, according to Greek mythology, guards the entrance of Hades (rather than the exit, for some reason!).

Kerberos employs a client/server architecture and provides user-to-server authentication rather than host-to-host authentication. In this model, security and authentication will be based on secret key technology where every host on the network has its own secret key. It would clearly be unmanageable if every host had to know the keys of all other hosts so a secure, trusted host somewhere on the network, known as a Key Distribution Center (KDC), knows the keys for all of the hosts (or at least some of the hosts within a portion of the network, called a realm). In this way, when a new node is brought online, only the KDC and the new node need to be configured with the node's key; keys can be distributed physically or by some other secure means.


FIGURE 5: Kerberos architecture.


The Kerberos Server/KDC has two main functions (Figure 5), known as the Authentication Server (AS) and Ticket-Granting Server (TGS). The steps in establishing an authenticated session between an application client and the application server are:
  1. The Kerberos client software establishes a connection with the Kerberos server's AS function. The AS first authenticates that the client is who it purports to be. The AS then provides the client with a secret key for this login session (the TGS session key) and a ticket-granting ticket (TGT), which gives the client permission to talk to the TGS. The ticket has a finite lifetime so that the authentication process is repeated periodically.
  2. The client now communicates with the TGS to obtain the Application Server's key so that it (the client) can establish a connection to the service it wants. The client supplies the TGS with the TGS session key and TGT; the TGS responds with an application session key (ASK) and an encrypted form of the Application Server's secret key; this secret key is never sent on the network in any other form.
  3. The client has now authenticated itself and can prove its identity to the Application Server by supplying the Kerberos ticket, application session key, and encrypted Application Server secret key. The Application Server responds with similarly encrypted information to authenticate itself to the client. At this point, the client can initiate the intended service requests (e.g., Telnet, FTP, HTTP, or e-commerce transaction session establishment).

The current version of this protocol is Kerberos V5 (described in RFC 1510). While the details of their operation, functional capabilities, and message formats are different, the conceptual overview above pretty much holds for both. One primary difference is that Kerberos V4 uses only DES to generate keys and encrypt messages, while V5 allows other schemes to be employed (although DES is still the most widely algorithm used).

4.3. Public Key Certificates and Certificate Authorities

Certificates and Certificate Authorities (CA) are necessary for widespread use of cryptography for e-commerce applications. While a combination of secret and public key cryptography can solve the business issues discussed above, crypto cannot alone address the trust issues that must exist between a customer and vendor in the very fluid, very dynamic e-commerce relationship. How, for example, does one site obtain another party's public key? How does a recipient determine if a public key really belongs to the sender? How does the recipient know that the sender is using their public key for a legitimate purpose for which they are authorized? When does a public key expire? How can a key be revoked in case of compromise or loss?

The basic concept of a certificate is one that is familiar to all of us. A driver's license, credit card, or SCUBA certification, for example, identify us to others, indicate something that we are authorized to do, have an expiration date, and identify the authority that granted the certificate.

As complicated as this may sound, it really isn't. Consider driver's licenses. I have one issued by the State of Florida. The license establishes my identity, indicates the type of vehicles that I can operate and the fact that I must wear corrective lenses while doing so, identifies the issuing authority, and notes that I am an organ donor. When I drive in other states, the other jurisdictions throughout the U.S. recognize the authority of Florida to issue this "certificate" and they trust the information it contains. When I leave the U.S., everything changes. When I am in Aruba, Australia, Canada, Israel, and many other countries, they will accept not the Florida license, per se, but any license issued in the U.S. This analogy represents the certificate trust chain, where even certificates carry certificates.

For purposes of electronic transactions, certificates are digital documents. The specific functions of the certificate include:

  • Establish identity: Associate, or bind, a public key to an individual, organization, corporate position, or other entity.
  • Assign authority: Establish what actions the holder may or may not take based upon this certificate.
  • Secure confidential information (e.g., encrypting the session's symmetric key for data confidentiality).

Typically, a certificate contains a public key, a name, an expiration date, the name of the authority that issued the certificate (and, therefore, is vouching for the identity of the user), a serial number, any pertinent policies describing how the certificate was issued and/or how the certificate may be used, the digital signature of the certificate issuer, and perhaps other information.


FIGURE 6: VeriSign Class 3 certificate.


A sample abbreviated certificate is shown in Figure 6. This is a typical certificate found in a browser, in this case, Mozilla Firefox (Mac OS X). While this is a certificate issued by VeriSign, many root-level certificates can be found shipped with browsers. When the browser makes a connection to a secure Web site, the Web server sends its public key certificate to the browser. The browser then checks the certificate's signature against the public key that it has stored; if there is a match, the certificate is taken as valid and the Web site verified by this certificate is considered to be "trusted."

TABLE 2. Contents of an X.509 V3 Certificate.
version number
certificate serial number
signature algorithm identifier
issuer's name and unique identifier
validity (or operational) period
subject's name and unique identifier
subject public key information
standard extensions

certificate appropriate use definition
key usage limitation definition
certificate policy information

other extensions

Application-specific
CA-specific

The most widely accepted certificate format is the one defined in International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Recommendation X.509. Rec. X.509 is a specification used around the world and any applications complying with X.509 can share certificates. Most certificates today comply with X.509 Version 3 and contain the information listed in Table 2.

Certificate authorities are the repositories for public keys and can be any agency that issues certificates. A company, for example, may issue certificates to its employees, a college/university to its students, a store to its customers, an Internet service provider to its users, or a government to its constituents.

When a sender needs an intended receiver's public key, the sender must get that key from the receiver's CA. That scheme is straight-forward if the sender and receiver have certificates issued by the same CA. If not, how does the sender know to trust the foreign CA? One industry wag has noted, about trust: "You are either born with it or have it granted upon you." Thus, some CAs will be trusted because they are known to be reputable, such as the CAs operated by AT&T Services, Comodo, DigiCert (formerly GTE Cybertrust), EnTrust, Symantec (formerly VeriSign), and Thawte. CAs, in turn, form trust relationships with other CAs. Thus, if a user queries a foreign CA for information, the user may ask to see a list of CAs that establish a "chain of trust" back to the user.

One major feature to look for in a CA is their identification policies and procedures. When a user generates a key pair and forwards the public key to a CA, the CA has to check the sender's identification and takes any steps necessary to assure itself that the request is really coming from the advertised sender. Different CAs have different identification policies and will, therefore, be trusted differently by other CAs. Verification of identity is just one of many issues that are part of a CA's Certification Practice Statement (CPS) and policies; other issues include how the CA protects the public keys in its care, how lost or compromised keys are revoked, and how the CA protects its own private keys.

As a final note, CAs are not immune to attack and certificates themselves are able to be counterfeited. One of the first such episodes occurred at the turn of the century; on January 29 and 30, 2001, two VeriSign Class 3 code-signing digital certificates were issued to an individual who fraudulently claimed to be a Microsoft employee (CERT/CC CA-2001-04 and Microsoft Security Bulletin MS01-017 - Critical). Problems have continued over the years; good write-ups on this can be found at "Another Certification Authority Breached (the 12th!)" and "How Cybercrime Exploits Digital Certificates." Readers are also urged to read "Certification Authorities Under Attack: A Plea for Certificate Legitimation" (Oppliger, R., January/February 2014, IEEE Internet Computing, 18(1), 40-47).

As a partial way to address this issue, the Internet Security Research Group (ISRG) designed the Automated Certificate Management Environment (ACME) protocol. ACME is a communications protocol that streamlines the process of deploying a Public Key Infrastructure (PKI) by automating interactions between CAs and Web servers that wish to obtain a certificate. More information can be found at the Let's Encrypt Web site, an ACME-based CA service provided by the ISRG.

4.4. Summary

The paragraphs above describe three very different trust models. It is hard to say that any one is better than the others; it depend upon your application. One of the biggest and fastest growing applications of cryptography today, though, is electronic commerce (e-commerce), a term that itself begs for a formal definition.

PGP's web of trust is easy to maintain and very much based on the reality of users as people. The model, however, is limited; just how many public keys can a single user reliably store and maintain? And what if you are using the "wrong" computer when you want to send a message and can't access your keyring? How easy it is to revoke a key if it is compromised? PGP may also not scale well to an e-commerce scenario of secure communication between total strangers on short-notice.

Kerberos overcomes many of the problems of PGP's web of trust, in that it is scalable and its scope can be very large. However, it also requires that the Kerberos server have a priori knowledge of all client systems prior to any transactions, which makes it unfeasible for "hit-and-run" client/server relationships as seen in e-commerce.

Certificates and the collection of CAs will form a PKI. In the early days of the Internet, every host had to maintain a list of every other host; the Domain Name System (DNS) introduced the idea of a distributed database for this purpose and the DNS is one of the key reasons that the Internet has grown as it has. A PKI will fill a similar void in the e-commerce and PKC realm.

While certificates and the benefits of a PKI are most often associated with electronic commerce, the applications for PKI are much broader and include secure electronic mail, payments and electronic checks, Electronic Data Interchange (EDI), secure transfer of Domain Name System (DNS) and routing information, electronic forms, and digitally signed documents. A single "global PKI" is still many years away, that is the ultimate goal of today's work as international electronic commerce changes the way in which we do business in a similar way in which the Internet has changed the way in which we communicate.


5. CRYPTOGRAPHIC ALGORITHMS IN ACTION

The paragraphs above have provided an overview of the different types of cryptographic algorithms, as well as some examples of some available protocols and schemes. Table 3 provides a list of some other noteworthy schemes employed — or proposed — for a variety of functions, most notably electronic commerce and secure communication. The paragraphs below will show several real cryptographic applications that many of us employ (knowingly or not) everyday for password protection and private communication. Some of the schemes described below never were widely deployed but are still historically interesting, thus remain included here.


TABLE 3. Other Crypto Algorithms and Systems of Note.
Capstone A now-defunct U.S. National Institute of Standards and Technology (NIST) and National Security Agency (NSA) project under the Bush Sr. and Clinton administrations for publicly available strong cryptography with keys escrowed by the government (NIST and the Treasury Dept.). Capstone included one or more tamper-proof computer chips for implementation (Clipper), a secret key encryption algorithm (Skipjack), digital signature algorithm (DSA), key exchange algorithm (KEA), and hash algorithm (SHA).
Challenge-Handshake Authentication Protocol (CHAP) An authentication scheme that allows one party to prove who they are to a second party by demonstrating knowledge of a shared secret without actually divulging that shared secret to a third party who might be listening. Described in RFC 1994.
Clipper The computer chip that would implement the Skipjack encryption scheme. The Clipper chip was to have had a deliberate backdoor so that material encrypted with this device would not be beyond the government's reach. Described in 1993, Clipper was dead by 1996. See also EPIC's The Clipper Chip Web page.
Derived Unique Key Per Transaction (DUKPT) A key management scheme used for debit and credit card verification with point-of-sale (POS) transaction systems, automated teller machines (ATMs), and other financial applications. In DUKPT, a unique key is derived for each transaction based upon a fixed, shared key in such a way that knowledge of one derived key does not easily yield knowledge of other keys (including the fixed key). Therefore, if one of the derived keys is compromised, neither past nor subsequent transactions are endangered. DUKPT is specified in American National Standard (ANS) ANSI X9.24-1:2009 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques) and can be purchased at the ANSI X9.24 Web page.
Escrowed Encryption Standard (EES) Largely unused, a controversial crypto scheme employing the SKIPJACK secret key crypto algorithm and a Law Enforcement Access Field (LEAF) creation method. LEAF was one part of the key escrow system and allowed for decryption of ciphertext messages that had been intercepted by law enforcement agencies. Described more in FIPS 185 (archived; no longer in force).
Federal Information Processing Standards (FIPS) These computer security- and crypto-related FIPS are produced by the U.S. National Institute of Standards and Technology (NIST) as standards for the U.S. Government.
Fortezza A PCMCIA card developed by NSA that implements the Capstone algorithms, intended for use with the Defense Messaging Service (DMS). Originally called Tessera.
GOST GOST is a family of algorithms that is defined in the Russian cryptographic standards. Although most of the specifications are written in Russian, a series of RFCs describe some of the aspects so that the algorithms can be used effectively in Internet applications:
  • RFC 4357: Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms
  • RFC 5830: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms
  • RFC 6986: GOST R 34.11-2012: Hash Function Algorithm
  • RFC 7091: GOST R 34.10-2012: Digital Signature Algorithm (Updates RFC 5832: GOST R 34.10-2001)
  • RFC 7801: GOST R 34.12-2015: Block Cipher "Kuznyechik"
  • RFC 7836: Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012
Identity-Based Encryption (IBE) Identity-Based Encryption was first proposed by Adi Shamir in 1984 and is a key authentication system where the public key can be derived from some unique information based upon the user's identity. In 2001, Dan Boneh (Stanford) and Matt Franklin (U.C., Davis) developed a practical implementation of IBE based on elliptic curves and a mathematical construct called the Weil Pairing. In that year, Clifford Cocks (GCHQ) also described another IBE solution based on quadratic residues in composite groups.

RFC 5091: Identity-Based Cryptography Standard (IBCS) #1: Describes an implementation of IBE using Boneh-Franklin (BF) and Boneh-Boyen (BB1) Identity-based Encryption.

IP Security Protocol (IPsec) The IPsec protocol suite is used to provide privacy and authentication services at the IP layer. An overview of the protocol suite and of the documents comprising IPsec can be found in RFC 2411. Other documents include:
  • RFC 4301: IP security architecture.
  • RFC 4302: IP Authentication Header (AH), one of the two primary IPsec functions; AH provides connectionless integrity and data origin authentication for IP datagrams and protects against replay attacks.
  • RFC 4303: IP Encapsulating Security Payload (ESP), the other primary IPsec function; ESP provides a variety of security services within IPsec.
  • RFC 4304: Extended Sequence Number (ESN) Addendum, allows for negotiation of a 32- or 64- bit sequence number, used to detect replay attacks.
  • RFC 4305: Cryptographic algorithm implementation requirements for ESP and AH.
  • RFC 5996: The Internet Key Exchange (IKE) protocol, version 2, providing for mutual authentication and establishing and maintaining security associations.
    • IKE v1 was described in three separate documents, RFC 2407 (application of ISAKMP to IPsec), RFC 2408 (ISAKMP, a framework for key management and security associations), and RFC 2409 (IKE, using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP). IKE v1 is obsoleted with the introdcution of IKEv2.
  • RFC 4307: Cryptographic algoritms used with IKEv2.
  • RFC 4308: Crypto suites for IPsec, IKE, and IKEv2.
  • RFC 4309: The use of AES in CBC-MAC mode with IPsec ESP.
  • RFC 4312: The use of the Camellia cipher algorithm in IPsec.
  • RFC 4359: The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH).
  • RFC 4434: Describes AES-XCBC-PRF-128, a pseudo-random function derived from the AES for use with IKE.
  • RFC 2403: Describes use of the HMAC with MD5 algorithm for data origin authentication and integrity protection in both AH and ESP.
  • RFC 2405: Describes use of DES-CBC (DES in Cipher Block Chaining Mode) for confidentiality in ESP.
  • RFC 2410: Defines use of the NULL encryption algorithm (i.e., provides authentication and integrity without confidentiality) in ESP.
  • RFC 2412: Describes OAKLEY, a key determination and distribution protocol.
  • RFC 2451: Describes use of Cipher Block Chaining (CBC) mode cipher algorithms with ESP.
  • RFCs 2522 and 2523: Description of Photuris, a session-key management protocol for IPsec.

In addition, RFC 6379 describes Suite B Cryptographic Suites for IPsec and RFC 6380 describes the Suite B profile for IPsec.

IPsec was first proposed for use with IP version 6 (IPv6), but can also be employed with the current IP version, IPv4.

(See more detail about IPsec below in Section 5.6.)

Internet Security Association and Key Management Protocol (ISAKMP/OAKLEY) ISAKMP/OAKLEY provide an infrastructure for Internet secure communications. ISAKMP, designed by the National Security Agency (NSA) and described in RFC 2408, is a framework for key management and security associations, independent of the key generation and cryptographic algorithms actually employed. The OAKLEY Key Determination Protocol, described in RFC 2412, is a key determination and distribution protocol using a variation of Diffie-Hellman.
Kerberos A secret key encryption and authentication system, designed to authenticate requests for network resources within a user domain rather than to authenticate messages. Kerberos also uses a trusted third-party approach; a client communications with the Kerberos server to obtain "credentials" so that it may access services at the application server. Kerberos V4 used DES to generate keys and encrypt messages; Kerberos V5 uses DES and other schemes for key generation.

Microsoft added support for Kerberos V5 — with some proprietary extensions — in Windows 2000 Active Directory. There are many Kerberos articles posted at Microsoft's Knowledge Base, notably "Kerberos Explained."

Keyed-Hash Message Authentication Code (HMAC) A message authentication scheme based upon secret key cryptography and the secret key shared between two parties rather than public key methods. Described in FIPS 198 and RFC 2104. (See Section 5.6 below for details on HMAC operation.)
Message Digest Cipher (MDC) Invented by Peter Gutman, MDC turns a one-way hash function into a block cipher.
MIME Object Security Services (MOSS) Designed as a successor to PEM to provide PEM-based security services to MIME messages. Described in RFC 1848. Never widely implemented and now defunct.
Mujahedeen Secrets A Windows GUI, PGP-like crytosystem. Developed by supporters of Al-Qaeda, the program employs the five finalist AES algorithms, namely, MARS, RC6, Rijndael, Serpent, and Twofish. Also described in Inspire Magazine, Issue 1, pp. 41-44 and Inspire Magazine, Issue 2, pp. 58-59. Additional related information can also be found in "How Al-Qaeda Uses Encryption Post-Snowden (Part 2)."
NSA Suite B Cryptography An NSA standard for securing information at the SECRET level. Defines use of:
  • Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits, per FIPS PUB 197 for encryption
  • The Ephemeral Unified Model and the One-Pass Diffie Hellman (referred to as ECDH) using the curves with 256 and 384-bit prime moduli, per NIST Special Publication 800-56A for key exchange
  • Elliptic Curve Digital Signature Algorithm (ECDSA) using the curves with 256 and 384-bit prime moduli, per FIPS PUB 186-3 for digital signatures
  • Secure Hash Algorithm (SHA) using 256 and 384 bits, per FIPS PUB 180-3 for hashing

RFC 6239 describes Suite B Cryptographic Suites for Secure Shell (SSH) and RFC 6379 describes Suite B Cryptographic Suites for Secure IP (IPsec).

Pretty Good Privacy (PGP) A family of cryptographic routines for e-mail, file, and disk encryption developed by Philip Zimmermann. PGP 2.6.x uses RSA for key management and digital signatures, IDEA for message encryption, and MD5 for computing the message's hash value; more information can also be found in RFC 1991. PGP 5.x (formerly known as "PGP 3") uses Diffie-Hellman/DSS for key management and digital signatures; IDEA, CAST, or 3DES for message encryption; and MD5 or SHA for computing the message's hash value. OpenPGP, described in RFC 2440, is an open definition of security software based on PGP 5.x. The GNU Privacy Guard (GPG) is a free software version of OpenPGP.

(See more detail about PGP below in Section 5.5.)

Privacy Enhanced Mail (PEM) An IETF standard for secure electronic mail over the Internet, including provisions for encryption (DES), authentication, and key management (DES, RSA). Developed by the IETF but never widely used. Described in the following RFCs:
  • RFC 1421: Part I, Message Encryption and Authentication Procedures
  • RFC 1422: Part II, Certificate-Based Key Management
  • RFC 1423: Part III, Algorithms, Modes, and Identifiers
  • RFC 1424: Part IV, Key Certification and Related Services
Private Communication Technology (PCT) Developed by Microsoft for secure communication on the Internet. PCT supported Diffie-Hellman, Fortezza, and RSA for key establishment; DES, RC2, RC4, and triple-DES for encryption; and DSA and RSA message signatures. Never widely used; superceded by SSL and TLS.
Secure Electronic Transaction (SET) A communications protocol for securing credit card transactions, developed by MasterCard and VISA, in cooperation with IBM, Microsoft, RSA, and other companies. Merged two other protocols: Secure Electronic Payment Protocol (SEPP), an open specification for secure bank card transactions over the Internet developed by CyberCash, GTE, IBM, MasterCard, and Netscape; and Secure Transaction Technology (STT), a secure payment protocol developed by Microsoft and Visa International. Supports DES and RC4 for encryption, and RSA for signatures, key exchange, and public key encryption of bank card numbers. SET V1.0 is described in Book 1, Book 2, and Book 3. SET has been superceded by SSL and TLS.
Secure Hypertext Transfer Protocol (S-HTTP) An extension to HTTP to provide secure exchange of documents over the World Wide Web. Supported algorithms include RSA and Kerberos for key exchange, DES, IDEA, RC2, and Triple-DES for encryption. Described in RFC 2660. S-HTTP was never as widely used as HTTP over SSL (https).
Secure Multipurpose Internet Mail Extensions (S/MIME) An IETF secure e-mail scheme superceding PEM, and adding digital signature and encryption capability to Internet MIME messages. S/MIME Version 3.1 is described in RFCs 3850 and 3851, and employs the Cryptographic Message Syntax described in RFCs 3369 and 3370.

(More detail about S/MIME can be found below in Section 5.15.)

Secure Sockets Layer (SSL) Developed by Netscape Communications to provide application-independent security and privacy over the Internet. SSL is designed so that protocols such as HTTP, FTP (File Transfer Protocol), and Telnet can operate over it transparently. SSL allows both server authentication (mandatory) and client authentication (optional). RSA is used during negotiation to exchange keys and identify the actual cryptographic algorithm (DES, IDEA, RC2, RC4, or 3DES) to use for the session. SSL also uses MD5 for message digests and X.509 public key certificates. SSL was found to be breakable soon after the IETF announced formation of group to work on TLS and RFC 6176 specifically prohibits the use of SSL v2.0 by TLS clients. SSL version 3.0 is described in RFC 6101. All versions of SSL are now deprecated in favor of TLS; TLS v1.0 is sometimes referred to as "SSL v3.1."

(More detail about SSL can be found below in Section 5.7.)

Server Gated Cryptography (SGC) Microsoft extension to SSL that provided strong encryption for online banking and other financial applications using RC2 (128-bit key), RC4 (128-bit key), DES (56-bit key), or 3DES (equivalent of 168-bit key). Use of SGC required an Windows NT Server running Internet Information Server (IIS) 4.0 with a valid SGC certificate. SGC was available in 32-bit Windows versions of Internet Explorer (IE) 4.0; support for Mac, Unix, and 16-bit Windows versions of IE was planned, but never materialized, and SGC was made moot when browsers started to ship with 128-bit encryption.
Simple Authentication and Security Layer (SASL) A framework for providing authentication and data security services in connection-oriented protocols (a la TCP), described in RFC 4422. It provides a structured interface and allows new protocols to reuse existing authentication mechanisms and allows old protocols to make use of new mechanisms.

It has been common practice on the Internet to permit anonymous access to various services, employing a plain-text password using a user name of "anonymous" and a password of an email address or some other identifying information. New IETF protocols disallow plain-text logins. The Anonymous SASL Mechanism (RFC 4505) provides a method for anonymous logins within the SASL framework.

Simple Key-Management for Internet Protocol (SKIP) Key management scheme for secure IP communication, specifically for IPsec, and designed by Aziz and Diffie. SKIP essentially defines a public key infrastructure for the Internet and even uses X.509 certificates. Most public key cryptosystems assign keys on a per-session basis, which is inconvenient for the Internet since IP is connectionless. Instead, SKIP provides a basis for secure communication between any pair of Internet hosts. SKIP can employ DES, 3DES, IDEA, RC2, RC5, MD5, and SHA-1. As it happened, SKIP was not adopted for IPsec; IKE was selected instead.
Transport Layer Security (TLS) TLS v1.0 is an IETF specification (RFC 2246) intended to replace SSL v3.0. TLS v1.0 employs Triple-DES (secret key cryptography), SHA (hash), Diffie-Hellman (key exchange), and DSS (digital signatures). TLS v1.0 was vulnerable to attack and updated by v1.1 (RFC 4346) and v1.2 (RFC 5246); v1.3 is the most current working draft specification.

TLS is designed to operate over TCP. The IETF developed the Datagram Transport Layer Security (DTLS) protocol to operate over UDP. DTLS v1.2 is described in RFC 6347.

(See more detail about TLS below in Section 5.7.)

TrueCrypt Open source, multi-platform cryptography software that can be used to encrypt a file, partition, or entire disk. One of TrueCrypt's more interesting features is that of plausible deniability with hidden volumes or hidden operating systems. The original Web site, truecrypt.org, suddenly went dark in May 2014; alternative sites have popped up, including CipherShed, TCnext, and VeraCrypt.

(See more detail about TrueCrypt below in Section 5.11.)

X.509 ITU-T recommendation for the format of certificates for the public key infrastructure. Certificates map (bind) a user identity to a public key. The IETF application of X.509 certificates is documented in RFC 5280. An Internet X.509 Public Key Infrastructure is further defined in RFC 4210 (Certificate Management Protocols) and RFC 3647 (Certificate Policy and Certification Practices Framework).

5.1. Password Protection

Nearly all modern multiuser computer and network operating systems employ passwords at the very least to protect and authenticate users accessing computer and/or network resources. But passwords are not typically kept on a host or server in plaintext, but are generally encrypted using some sort of hash scheme.


A) /etc/passwd file root:Jbw6BwE4XoUHo:0:0:root:/root:/bin/bash carol:FM5ikbQt1K052:502:100:Carol Monaghan:/home/carol:/bin/bash alex:LqAi7Mdyg/HcQ:503:100:Alex Insley:/home/alex:/bin/bash gary:FkJXupRyFqY4s:501:100:Gary Kessler:/home/gary:/bin/bash todd:edGqQUAaGv7g6:506:101:Todd Pritsky:/home/todd:/bin/bash josh:FiH0ONcjPut1g:505:101:Joshua Kessler:/home/webroot:/bin/bash B.1) /etc/passwd file (with shadow passwords) root:x:0:0:root:/root:/bin/bash carol:x:502:100:Carol Monaghan:/home/carol:/bin/bash alex:x:503:100:Alex Insley:/home/alex:/bin/bash gary:x:501:100:Gary Kessler:/home/gary:/bin/bash todd:x:506:101:Todd Pritsky:/home/todd:/bin/bash josh:x:505:101:Joshua Kessler:/home/webroot:/bin/bash B.2) /etc/shadow file root:AGFw$P4u/uhLK$l2.HP35rlu65WlfCzq:11449:0:99999:7::: carol:kjHaN%35a8xMM8a/0kMl1?fwtLAM.K&kw.:11449:0:99999:7::: alex:1KKmfTy0a7#3.LL9a8H71lkwn/.hH22a:11449:0:99999:7::: gary:9ajlknknKJHjhnu7298ypnAIJKL$Jh.hnk:11449:0:99999:7::: todd:798POJ90uab6.k$klPqMt%alMlprWqu6$.:11492:0:99999:7::: josh:Awmqpsui787pjnsnJJK%aappaMpQo07.8:11492:0:99999:7:::

FIGURE 7: Sample entries in Unix/Linux password files.

Unix/Linux, for example, uses a well-known hash via its crypt() function. Passwords are stored in the /etc/passwd file (Figure 7A); each record in the file contains the username, hashed password, user's individual and group numbers, user's name, home directory, and shell program; these fields are separated by colons (:). Note that each password is stored as a 13-byte string. The first two characters are actually a salt, randomness added to each password so that if two users have the same password, they will still be encrypted differently; the salt, in fact, provides a means so that a single password might have 4096 different encryptions. The remaining 11 bytes are the password hash, calculated using DES.

As it happens, the /etc/passwd file is world-readable on Unix systems. This fact, coupled with the weak encryption of the passwords, resulted in the development of the shadow password system where passwords are kept in a separate, non-world-readable file used in conjunction with the normal password file. When shadow passwords are used, the password entry in /etc/passwd is replaced with a "" or "x" (Figure 7B.1) and the MD5 hash of the passwords are stored in /etc/shadow along with some other account information (Figure 7B.2).

Windows NT uses a similar scheme to store passwords in the Security Access Manager (SAM) file. In the NT case, all passwords are hashed using the MD4 algorithm, resulting in a 128-bit (16-byte) hash value (they are then obscured using an undocumented mathematical transformation that was a secret until distributed on the Internet). The password password, for example, might be stored as the hash value (in hexadecimal) 60771b22d73c34bd4a290a79c8b09f18.

Passwords are not saved in plaintext on computer systems precisely so they cannot be easily compromised. For similar reasons, we don't want passwords sent in plaintext across a network. But for remote logon applications, how does a client system identify itself or a user to the server? One mechanism, of course, is to send the password as a hash value and that, indeed, may be done. A weakness of that approach, however, is that an intruder can grab the password off of the network and use an off-line attack (such as a dictionary attack where an attacker takes every known word and encrypts it with the network's encryption algorithm, hoping eventually to find a match with a purloined password hash). In some situations, an attacker only has to copy the hashed password value and use it later on to gain unauthorized entry without ever learning the actual password.

An even stronger authentication method uses the password to modify a shared secret between the client and server, but never allows the password in any form to go across the network. This is the basis for the Challenge Handshake Authentication Protocol (CHAP), the remote logon process used by Windows NT.

As suggested above, Windows NT passwords are stored in a security file on a server as a 16-byte hash value. In truth, Windows NT stores two hashes; a weak hash based upon the old LAN Manager (LanMan) scheme and the newer NT hash. When a user logs on to a server from a remote workstation, the user is identified by the username, sent across the network in plaintext (no worries here; it's not a secret anyway!). The server then generates a 64-bit random number and sends it to the client (also in plaintext). This number is the challenge.

Using the LanMan scheme, the client system then encrypts the challenge using DES. Recall that DES employs a 56-bit key, acts on a 64-bit block of data, and produces a 64-bit output. In this case, the 64-bit data block is the random number. The client actually uses three different DES keys to encrypt the random number, producing three different 64-bit outputs. The first key is the first seven bytes (56 bits) of the password's hash value, the second key is the next seven bytes in the password's hash, and the third key is the remaining two bytes of the password's hash concatenated with five zero-filled bytes. (So, for the example above, the three DES keys would be 60771b22d73c34, bd4a290a79c8b0, and 9f180000000000.) Each key is applied to the random number resulting in three 64-bit outputs, which comprise the response. Thus, the server's 8-byte challenge yields a 24-byte response from the client and this is all that would be seen on the network. The server, for its part, does the same calculation to ensure that the values match.

There is, however, a significant weakness to this system. Specifically, the response is generated in such a way as to effectively reduce 16-byte hash to three smaller hashes, of length seven, seven, and two, respectively. Thus, a password cracker has to break at most a 7-byte hash. One Windows NT vulnerability test program that I used in the past reported passwords that were "too short," defined as "less than 8 characters." When I asked how the program knew that passwords were too short, the software's salespeople suggested to me that the program broke the passwords to determine their length. This was, in fact, not the case at all; all the software really had to do was to look at the last eight bytes of the Windows NT LanMan hash to see that the password was seven or fewer characters.

Consider the following example, showing the LanMan hash of two different short passwords (take a close look at the last 8 bytes):

AA: 89D42A44E77140AAAAD3B435B51404EE
AAA: 1C3A2B6D939A1021AAD3B435B51404EE

Note that the NT hash provides no such clue:

AA: C5663434F963BE79C8FD99F535E7AAD8
AAA: 6B6E0FB2ED246885B98586C73B5BFB77

It is worth noting that the discussion above describes the Microsoft version of CHAP, or MS-CHAP (MS-CHAPv2 is described in RFC 2759). MS-CHAP assumes that it is working with hashed values of the password as the key to encrypting the challenge. More traditional CHAP (RFC 1994) assumes that it is starting with passwords in plaintext. The relevance of this observation is that a CHAP client, for example, cannot be authenticated by an MS-CHAP server; both client and server must use the same CHAP version.

5.2. Diffie-Hellman Key Exchange

Diffie and Hellman introduced the concept of public key cryptography. The mathematical "trick" of Diffie-Hellman key exchange is that it is relatively easy to compute exponents compared to computing discrete logarithms. Diffie-Hellman allows two parties — the ubiquitous Alice and Bob — to generate a secret key; they need to exchange some information over an unsecure communications channel to perform the calculation but an eavesdropper cannot determine the shared secret key based upon this information.

Diffie-Hellman works like this. Alice and Bob start by agreeing on a large prime number, N. They also have to choose some number G so that G<N.

There is actually another constraint on G, namely that it must be primitive with respect to N. Primitive is a definition that is a little beyond the scope of our discussion but basically G is primitive to N if the set of N-1 values of Gi mod N for i = (1,N-1) are all different. As an example, 2 is not primitive to 7 because the set of powers of 2 from 1 to 6, mod 7 (i.e., 21 mod 7, 22 mod 7, ..., 26 mod 7) = {2,4,1,2,4,1}. On the other hand, 3 is primitive to 7 because the set of powers of 3 from 1 to 6, mod 7 = {3,2,6,4,5,1}.

(The definition of primitive introduced a new term to some readers, namely mod. The phrase x mod y (and read as written!) means "take the remainder after dividing x by y." Thus, 1 mod 7 = 1, 9 mod 6 = 3, and 8 mod 8 = 0. Read more about the modulo function in the appendix.)

Anyway, either Alice or Bob selects N and G; they then tell the other party what the values are. Alice and Bob then work independently:

Alice...

  1. Choose a large random number, XA < N. This is Alice's private key.
  2. Compute YA = GXA mod N. This is Alice's public key.
  3. Exchange public key with Bob.
  4. Compute KA = YBXA mod N
Bob...

  1. Choose a large random number, XB < N. This is Bob's private key.
  2. Compute YB = GXB mod N. This is Bob's public key.
  3. Exchange public key with Alice.
  4. Compute KB = YAXB mod N

Note that XA and XB are kept secret while YA and YB are openly shared; these are the private and public keys, respectively. Based on their own private key and the public key learned from the other party, Alice and Bob have computed their secret keys, KA and KB, respectively, which are equal to GXAXB mod N.

Perhaps a small example will help here. Although Alice and Bob will really choose large values for N and G, I will use small values for example only; let's use N=7 and G=3.

Alice...

  1. Choose XA = 2
  2. Calculate YA = 32 mod 7 = 2
  3. Exchange public keys with Bob
  4. KA = 62 mod 7 = 1
Bob...

  1. Choose XB = 3
  2. Calculate YB = 33 mod 7 = 6
  3. Exchange public keys with Alice
  4. KB = 23 mod 7 = 1

In this example, then, Alice and Bob will both find the secret key 1 which is, indeed, 36 mod 7 (i.e., GXAXB = 32x3). If an eavesdropper (Mallory) was listening in on the information exchange between Alice and Bob, he would learn G, N, YA, and YB which is a lot of information but insufficient to compromise the key; as long as XA and XB remain unknown, K is safe. As said above, calculating Y = GX is a lot easier than finding X = logG Y.

A short digression on modulo arithmetic. In the paragraph above, we noted that 36 mod 7 = 1. This can be confirmed, of course, by noting that:

36 = 729 = 1047 + 1

There is a nice property of modulo arithmetic, however, that makes this determination a little easier, namely: (a mod x)(b mod x) = (ab mod x). Therefore, one possible shortcut is to note that 36 = (33)(33). Therefore, 36 mod 7 = (33 mod 7)(33 mod 7) = (27 mod 7)(27 mod 7) = 66 mod 7 = 36 mod 7 = 1.

Diffie-Hellman can also be used to allow key sharing amongst multiple users. Note again that the Diffie-Hellman algorithm is used to generate secret keys, not to encrypt and decrypt messages.

5.3. RSA Public Key Cryptography

Unlike Diffie-Hellman, RSA can be used for key exchange as well as digital signatures and the encryption of small blocks of data. Today, RSA is primarily used to encrypt the session key used for secret key encryption (message integrity) or the message's hash value (digital signature). RSA's mathematical hardness comes from the ease in calculating large numbers and the difficulty in finding the prime factors of those large numbers. Although employed with numbers using hundreds of digits, the math behind RSA is relatively straight-forward.

To create an RSA public/private key pair, here are the basic steps:

  1. Choose two prime numbers, p and q. From these numbers you can calculate the modulus, n = pq.
  2. Select a third number, e, that is relatively prime to (i.e., it does not divide evenly into) the product (p-1)(q-1). The number e is the public exponent.
  3. Calculate an integer d from the quotient (ed-1)/[(p-1)(q-1)]. The number d is the private exponent.

The public key is the number pair (n,e). Although these values are publicly known, it is computationally infeasible to determine d from n and e if p and q are large enough.

To encrypt a message, M, with the public key, create the ciphertext, C, using the equation:

C = Me mod n

The receiver then decrypts the ciphertext with the private key using the equation:

M = Cd mod n

Now, this might look a bit complex and, indeed, the mathematics does take a lot of computer power given the large size of the numbers; since p and q may be 100 digits (decimal) or more, d and e will be about the same size and n may be over 200 digits. Nevertheless, a simple example may help. In this example, the values for p, q, e, and d are purposely chosen to be very small and the reader will see exactly how badly these values perform, but hopefully the algorithm will be adequately demonstrated:

  1. Select p=3 and q=5.
  2. The modulus n = pq = 15.
  3. The value e must be relatively prime to (p-1)(q-1) = (2)(4) = 8. Select e=11.
  4. The value d must be chosen so that (ed-1)/[(p-1)(q-1)] is an integer. Thus, the value (11d-1)/[(2)(4)] = (11d-1)/8 must be an integer. Calculate one possible value, d=3.
  5. Let's suppose that we want to send a message — maybe a secret key — that has the numeric value of 7 (i.e., M=7). [More on this choice below.]
  6. The sender encrypts the message (M) using the public key value (e,n)=(11,15) and computes the ciphertext (C) with the formula C = 711 mod 15 = 1977326743 mod 15 = 13.
  7. The receiver decrypts the ciphertext using the private key value (d,n)=(3,15) and computes the plaintext with the formula M = 133 mod 15 = 2197 mod 15 = 7.

I choose this trivial example because the value of n is so small (in particular, the value M cannot exceed n). But here is a more realistic example using larger d, e, and n values, as well as a more meaningful message; thanks to Barry Steyn for permission to use values from his How RSA Works With Examples page.

Let's say that we have chosen p and q so that we have the following value for n:

14590676800758332323018693934907063529240187237535716439958187
10198734387990053589383695714026701498021218180862924674228281
57022922076746906543401224889672472407926969987100581290103199
31785875366371086235765651050788371429711563734278891146353510
2712032765166518411726859837988672111837205085526346618740053

Let's also suppose that we have selected the public key, e, and private key, d, as follows:

65537

89489425009274444368228545921773093919669586065884257445497854
45648767483962981839093494197326287961679797060891728367987549
93315741611138540888132754881105882471930775825272784379065040
15680623423550067240042466665654232383502922215493623289472138
866445818789127946123407807725702626644091036502372545139713

Now suppose that our message (M) is the character string "attack at dawn" which has the numeric value (after converting the ASCII characters to a bit string and interpreting that bit string as a decimal number) of 1976620216402300889624482718775150.

The encryption phase uses the formula C = Me mod n, so C has the value:

35052111338673026690212423937053328511880760811579981620642802
34668581062310985023594304908097338624111378404079470419397821
53784997654130836464387847409523069325349451950801838615742252
26218879827232453912820596886440377536082465681750074417459151
485407445862511023472235560823053497791518928820272257787786

The decryption phase uses the formula M = Cd mod n, so M has the value that matches our original plaintext:

1976620216402300889624482718775150

This more realistic example gives just a clue as to how large the numbers are that are used in the real world implementations. RSA keylengths of 512 and 768 bits are considered to be pretty weak. The minimum suggested RSA key is 1024 bits; 2048 and 3072 bits are even better.

As an aside, Adam Back (http://www.cypherspace.org/adam/) wrote a two-line Perl script to implement RSA. It employs dc, an arbitrary precision arithmetic package that ships with most UNIX systems:

print pack"C",split/\D+/,`echo "16iIIo\U@{$/=$z;[(pop,pop,unpack"H",<> )]}\EsMsKsN0[lN1lK[d2%Sa2/d0<X+dlMLa^lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc `

5.4. DES, Breaking DES, and DES Variants

The Data Encryption Standard (DES) started life in the mid-1970s, adopted by the National Bureau of Standards (NBS) [now the National Institute for Standards and Technology (NIST)] as Federal Information Processing Standard 46 (FIPS 46-3) and by the American National Standards Institute (ANSI) as X3.92.

As mentioned earlier, DES uses the Data Encryption Algorithm (DEA), a secret key block-cipher employing a 56-bit key operating on 64-bit blocks. FIPS 81 describes four modes of DES operation: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB). Despite all of these options, ECB is the most commonly deployed mode of operation.

NIST finally declared DES obsolete in 2004, and withdrew FIPS 46-3, 74, and 81 (Federal Register, July 26, 2004, 69(142), 44509-44510). Although other block ciphers have replaced DES, it is still interesting to see how DES encryption is performed; not only is it sort of neat, but DES was the first crypto scheme commonly seen in non-governmental applications and was the catalyst for modern "public" cryptography and the first public Feistel cipher. DES still remains in many products — and cryptography students and cryptographers will continue to study DES for years to come.

DES Operational Overview

DES uses a 56-bit key. In fact, the 56-bit key is divided into eight 7-bit blocks and an 8th odd parity bit is added to each block (i.e., a "0" or "1" is added to the block so that there are an odd number of 1 bits in each 8-bit block). By using the 8 parity bits for rudimentary error detection, a DES key is actually 64 bits in length for computational purposes although it only has 56 bits worth of randomness, or entropy (See Section A.3 for a brief discussion of entropy and information theory).



FIGURE 8: DES enciphering algorithm.


DES then acts on 64-bit blocks of the plaintext, invoking 16 rounds of permutations, swaps, and substitutes, as shown in Figure 8. The standard includes tables describing all of the selection, permutation, and expansion operations mentioned below; these aspects of the algorithm are not secrets. The basic DES steps are:

  1. The 64-bit block to be encrypted undergoes an initial permutation (IP), where each bit is moved to a new bit position; e.g., the 1st, 2nd, and 3rd bits are moved to the 58th, 50th, and 42nd position, respectively.
  2. The 64-bit permuted input is divided into two 32-bit blocks, called left and right, respectively. The initial values of the left and right blocks are denoted L0 and R0.
  3. There are then 16 rounds of operation on the L and R blocks. During each iteration (where n ranges from 1 to 16), the following formulae apply:

    Ln = Rn-1
    Rn = Ln-1 XOR f(Rn-1,Kn)

    At any given step in the process, then, the new L block value is merely taken from the prior R block value. The new R block is calculated by taking the bit-by-bit exclusive-OR (XOR) of the prior L block with the results of applying the DES cipher function, f, to the prior R block and Kn. (Kn is a 48-bit value derived from the 64-bit DES key. Each round uses a different 48 bits according to the standard's Key Schedule algorithm.)

    The cipher function, f, combines the 32-bit R block value and the 48-bit subkey in the following way. First, the 32 bits in the R block are expanded to 48 bits by an expansion function (E); the extra 16 bits are found by repeating the bits in 16 predefined positions. The 48-bit expanded R-block is then ORed with the 48-bit subkey. The result is a 48-bit value that is then divided into eight 6-bit blocks. These are fed as input into 8 selection (S) boxes, denoted S1,...,S8. Each 6-bit input yields a 4-bit output using a table lookup based on the 64 possible inputs; this results in a 32-bit output from the S-box. The 32 bits are then rearranged by a permutation function (P), producing the results from the cipher function.

  4. The results from the final DES round — i.e., L16 and R16 — are recombined into a 64-bit value and fed into an inverse initial permutation (IP-1). At this step, the bits are rearranged into their original positions, so that the 58th, 50th, and 42nd bits, for example, are moved back into the 1st, 2nd, and 3rd positions, respectively. The output from IP-1 is the 64-bit ciphertext block.

Consider this example using DES in CBC mode with the following 56-bit key and input:

Key: 1100101 0100100 1001001 0011101 0110101 0101011 1101100 0011010 = 0x6424491D352B6C1A

Input character string (ASCII/IA5): +2903015-08091765
Input string (hex): 0x2B323930333031352D3038303931373635

Output string (hex): 0x9812CB620B2E9FD3AD90DE2B92C6BBB6C52753AC43E1AFA6
Output character string (BASE64): mBLLYgsun9OtkN4rksa7tsUnU6xD4a+m

Observe that we start with a 17-byte input message. DES acts on eight bytes at a time, so this message is padded to 24 bytes and provides three "inputs" to the cipher algorithm (we don't see the padding here; it is appended by the DES code). Since we have three input blocks, we get 24 bytes of output from the three 64-bit (eight byte) output blocks.

If you want to test this, a really good free, online DES calculator run by the University of Cambridge Computer Laboratory. An excellent step-by-step example of DES can also be found at J. Orlin Grabbe's The DES Algorithm Illustrated page.

NOTE: You'll notice that the output above is shown in BASE64. BASE64 is a 64-character alphabet — i.e., a six-bit character code composed of upper- and lower-case letters, the digits 0-9, and a few punctuation characters — that is commonly used as a way to display binary data. A byte has eight bits, or 256 values, but not all 256 ASCII characters are defined and/or printable. BASE64, simply, takes a binary string (or file), divides it into six-bit blocks, and translates each block into a printable character. More information about BASE64 can be found at my BASE64 Alphabet page or at Wikipedia.

Breaking DES

The mainstream cryptographic community has long held that DES's 56-bit key was too short to withstand a brute-force attack from modern computers. Remember Moore's Law: computer power doubles every 18 months. Given that increase in power, a key that could withstand a brute-force guessing attack in 1975 could hardly be expected to withstand the same attack a quarter century later.

DES is even more vulnerable to a brute-force attack because it is often used to encrypt words, meaning that the entropy of the 64-bit block is, effectively, greatly reduced. That is, if we are encrypting random bit streams, then a given byte might contain any one of 28 (256) possible values and the entire 64-bit block has 264, or about 18.5 quintillion, possible values. If we are encrypting words, however, we are most likely to find a limited set of bit patterns; perhaps 70 or so if we account for upper and lower case letters, the numbers, space, and some punctuation. This means that only about ¼ of the bit combinations of a given byte are likely to occur.

Despite this criticism, the U.S. government insisted throughout the mid-1990s that 56-bit DES was secure and virtually unbreakable if appropriate precautions were taken. In response, RSA Laboratories sponsored a series of cryptographic challenges to prove that DES was no longer appropriate for use.

DES Challenge I was launched in March 1997. It was completed in 84 days by R. Verser in a collaborative effort using thousands of computers on the Internet.

The first DES Challenge II lasted 40 days in early 1998. This problem was solved by distributed.net, a worldwide distributed computing network using the spare CPU cycles of computers around the Internet (participants in distributed.net's activities load a client program that runs in the background, conceptually similar to the SETI @Home "Search for Extraterrestrial Intelligence" project). The distributed.net systems were checking 28 billion keys per second by the end of the project.

The second DES Challenge II lasted less than 3 days. On July 17, 1998, the Electronic Frontier Foundation (EFF) announced the construction of hardware that could brute-force a DES key in an average of 4.5 days. Called Deep Crack, the device could check 90 billion keys per second and cost only about 0,000 including design (it was erroneously and widely reported that subsequent devices could be built for as little as ,000). Since the design is scalable, this suggests that an organization could build a DES cracker that could break 56-bit keys in an average of a day for as little as ,000,000. Information about the hardware design and all software can be obtained from the EFF.

The DES Challenge III, launched in January 1999, was broken is less than a day by the combined efforts of Deep Crack and distributed.net. This is widely considered to have been the final nail in DES's coffin.

The Deep Crack algorithm is actually quite interesting. The general approach that the DES Cracker Project took was not to break the algorithm mathematically but instead to launch a brute-force attack by guessing every possible key. A 56-bit key yields 256, or about 72 quadrillion, possible values. So the DES cracker team looked for any shortcuts they could find! First, they assumed that some recognizable plaintext would appear in the decrypted string even though they didn't have a specific known plaintext block. They then applied all 256 possible key values to the 64-bit block (I don't mean to make this sound simple!). The system checked to see if the decrypted value of the block was "interesting," which they defined as bytes containing one of the alphanumeric characters, space, or some punctuation. Since the likelihood of a single byte being "interesting" is about ¼, then the likelihood of the entire 8-byte stream being "interesting" is about ¼8, or 1/65536 (½16). This dropped the number of possible keys that might yield positive results to about 240, or about a trillion.

They then made the assumption that an "interesting" 8-byte block would be followed by another "interesting" block. So, if the first block of ciphertext decrypted to something interesting, they decrypted the next block; otherwise, they abandoned this key. Only if the second block was also "interesting" did they examine the key closer. Looking for 16 consecutive bytes that were "interesting" meant that only 224, or 16 million, keys needed to be examined further. This further examination was primarily to see if the text made any sense. Note that possible "interesting" blocks might be 1hJ5&aB7 or DEPOSITS; the latter is more likely to produce a better result. And even a slow laptop today can search through lists of only a few million items in a relatively short period of time. (Interested readers are urged to read Cracking DES and EFF's Cracking DES page.)

It is well beyond the scope of this paper to discuss other forms of breaking DES and other codes. Nevertheless, it is worth mentioning a couple of forms of cryptanalysis that have been shown to be effective against DES. Differential cryptanalysis, invented in 1990 by E. Biham and A. Shamir (of RSA fame), is a chosen-plaintext attack. By selecting pairs of plaintext with particular differences, the cryptanalyst examines the differences in the resultant ciphertext pairs. Linear plaintext, invented by M. Matsui, uses a linear approximation to analyze the actions of a block cipher (including DES). Both of these attacks can be more efficient than brute force.

DES Variants

Once DES was "officially" broken, several variants appeared. But none of them came overnight; work at hardening DES had already been underway. In the early 1990s, there was a proposal to increase the security of DES by effectively increasing the key length by using multiple keys with multiple passes. But for this scheme to work, it had to first be shown that the DES function is not a group, as defined in mathematics. If DES was a group, then we could show that for two DES keys, X1 and X2, applied to some plaintext (P), we can find a single equivalent key, X3, that would provide the same result; i.e.,

EX2(EX1(P)) = EX3(P)

where EX(P) represents DES encryption of some plaintext P using DES key X. If DES were a group, it wouldn't matter how many keys and passes we applied to some plaintext; we could always find a single 56-bit key that would provide the same result.

As it happens, DES was proven to not be a group so that as we apply additional keys and passes, the effective key length increases. One obvious choice, then, might be to use two keys and two passes, yielding an effective key length of 112 bits. Let's call this Double-DES. The two keys, Y1 and Y2, might be applied as follows:

C = EY2(EY1(P))
P = DY1(DY2(C))

where EY(P) and DY(C) represent DES encryption and decryption, respectively, of some plaintext P and ciphertext C, respectively, using DES key Y.

So far, so good. But there's an interesting attack that can be launched against this "Double-DES" scheme. First, notice that the applications of the formula above can be thought of with the following individual steps (where C' and P' are intermediate results):

C' = EY1(P) and C = EY2(C')
P' = DY2(C) and P = DY1(P')

Unfortunately, C'=P'. That leaves us vulnerable to a simple known plaintext attack (sometimes called "Meet-in-the-middle") where the attacker knows some plaintext (P) and its matching ciphertext (C). To obtain C', the attacker needs to try all 256 possible values of Y1 applied to P; to obtain P', the attacker needs to try all 256 possible values of Y2 applied to C. Since C'=P', the attacker knows when a match has been achieved — after only 256 + 256 = 257 key searches, only twice the work of brute-forcing DES. So "Double-DES" is not a good solution.

Triple-DES (3DES), based upon the Triple Data Encryption Algorithm (TDEA), is described in FIPS 46-3. 3DES, which is not susceptible to a meet-in-the-middle attack, employs three DES passes and one, two, or three keys called K1, K2, and K3. Generation of the ciphertext (C) from a block of plaintext (P) is accomplished by:

C = EK3(DK2(EK1(P)))

where EK(P) and DK(P) represent DES encryption and decryption, respectively, of some plaintext P using DES key K. (For obvious reasons, this is sometimes referred to as an encrypt-decrypt-encrypt mode operation.)

Decryption of the ciphertext into plaintext is accomplished by:

P = DK1(EK2(DK3(C)))

The use of three, independent 56-bit keys provides 3DES with an effective key length of 168 bits. The specification also defines use of two keys where, in the operations above, K3 = K1; this provides an effective key length of 112 bits. Finally, a third keying option is to use a single key, so that K3 = K2 = K1 (in this case, the effective key length is 56 bits and 3DES applied to some plaintext, P, will yield the same ciphertext, C, as normal DES would with that same key). Given the relatively low cost of key storage and the modest increase in processing due to the use of longer keys, the best recommended practices are that 3DES be employed with three keys.

Another variant of DES, called DESX, is due to Ron Rivest. Developed in 1996, DESX is a very simple algorithm that greatly increases DES's resistance to brute-force attacks without increasing its computational complexity. In DESX, the plaintext input is XORed with 64 additional key bits prior to encryption and the output is likewise XORed with the 64 key bits. By adding just two XOR operations, DESX has an effective keylength of 120 bits against an exhaustive key-search attack. As it happens, DESX is no more immune to other types of more sophisticated attacks, such as differential or linear cryptanalysis, but brute-force is the primary attack vector on DES.

Closing Comments

Although DES has been deprecated and replaced by the Advanced Encryption Standard (AES) because of its vulnerability to a modestly-priced brute-force attack, many applications continue to rely on DES for security, and many software designers and implementers continue to include DES in new applications. In some cases, use of DES is wholly appropriate but, in general, DES should not continue to be promulgated in production software and hardware. RFC 4772 discusses the security implications of employing DES.

On a final note, readers may be interested in seeing an Excel implementation of DES or J.O. Grabbe's The DES Algorithm Illustrated.

5.5. Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is one of today's most widely used public key cryptography programs. Developed by Philip Zimmermann in the early 1990s and long the subject of controversy, PGP is available as a plug-in for many e-mail clients, such as Apple Mail (with GPG), Eudora Email, Microsoft Outlook/Outlook Express, and Mozilla Thunderbird (with Enigmail).

PGP can be used to sign or encrypt e-mail messages with the mere click of the mouse. Depending upon the version of PGP, the software uses SHA or MD5 for calculating the message hash; CAST, Triple-DES, or IDEA for encryption; and RSA or DSS/Diffie-Hellman for key exchange and digital signatures.

When PGP is first installed, the user has to create a key-pair. One key, the public key, can be advertised and widely circulated. The private key is protected by use of a passphrase. The passphrase has to be entered every time the user accesses their private key.


-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Carol. What was that pithy Groucho Marx quote? /kess -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJYaTDaAAoJEE2ePRsA5fMj9wcH/jje/RBQYKg1ZYq1h52FpS3f GqnIkKq0wv2KiyCqIilbvb8eo2Fit7sIRo5AO3FJ9qIgRHvet+8pnRboks3uTYTM euNctkTOxcECZHupexdfB/5j5kGLn8UytIpHMa/Th4LKqvh+a6fU4nlCXe1qRSDq 7HUAvtG03LhPoAoVS411+wI+UtUf1+xvHLRJeKnhgi5j/d9tbc+K5rhPr8Bqb4Kz oHkGauPffRPfTsS+YpNoxg4eXMPBJprS9va8L2lCBPyUYEW77SSX/H2FHqPjVaxx /7j39Eu/oYtt5axnFBCYMZ2680kkFycd1RnCqhRJ8KZs6zhv3B8nQp6iS9dXrhg= =+mjr -----END PGP SIGNATURE-----

FIGURE 9: A PGP signed message. The sender uses their private key; at the destination, the sender's e-mail address yields the public key from the receiver's keyring.


Figure 9 shows a PGP signed message. This message will not be kept secret from an eavesdropper, but a recipient can be assured that the message has not been altered from what the sender transmitted. In this instance, the sender signs the message using their own private key. The receiver uses the sender's public key to verify the signature; the public key is taken from the receiver's keyring based on the sender's e-mail address. Note that the signature process does not work unless the sender's public key is on the receiver's keyring.


-----BEGIN PGP MESSAGE----- Comment: GPGTools - https://gpgtools.org hQEMA02ePRsA5fMjAQf/fJIFvXKggtfaSAXJzRRZ3sXhKJN+0kH5Kj7GdqbhBd81 n0TZ31BAoXksEQ0Q3HbN8PbJ4qTwLE+glAqVqaGfGmieEirD74/6jX/jffuA028+ X110IX4gJTpkhHzYeabrxPy9yerjI2EQL0XI4313K7w4vKZ8kAEVU86+DCHKm3br B/UrYlYDPg2xPjgqIx8Zyga2fSnb4TvqYs2+6k9O7RHKu72wKY0H/xx+rqhEmEAk L/sIxrlCufVM22zEnlbhO5BEqRhBN6CkRS7HkvxOWHetw4dOIbCjc1WI2CMGzHoK Lx2a3wOskjFbS+0PnDU/CKJV002fO+MCxvYhsF3B7dLAFAG80+08XFBKMll99/Wj bttk96NLkaz45SG9KNJyqj7KaRFYscnUbEjHunvFIJCnl0CblJb3J/gBaa/ZbSLq 0GGDr9oc0tKoR97mabkyAhohcpiIn7f2y2aCBx5qTRT2uMiedmu4XtyktgB4LUo+ /MspTWlbcyKk9+Gx+9a7QaRkvBskwDn1wL/EIfNhXvtga+qGCV3rZwEX7f46jdzi NcptK7urvqiWgYtKS1z/0VrppbHBoTux3TQcFAEzKAGCYnS2YCyjNJRqTC/ODPE8 BIIYcYNq =+eqR -----END PGP MESSAGE-----

FIGURE 10: A PGP encrypted message. The receiver's e-mail address is the pointer to the public key in the sender's keyring. At the destination side, the receiver uses their own private key.


Figure 10 shows a PGP encrypted message (PGP compresses the file, where practical, prior to encryption because encrypted files have a high degree of randomness and, therefore, cannot be efficiently compressed). In this example, public key methods are used to exchange the session key for the actual message encryption that employs secret-key cryptography. In this case, the receiver's e-mail address is the pointer to the public key in the sender's keyring; in fact, the same message can be sent to multiple recipients and the message will not be significantly longer since all that needs to be added is the session key encrypted by each receiver's public key. When the message is received, the recipient will use their private key to extract the session secret key to successfully decrypt the message (Figure 11).


Hi Gary, "Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read." Carol

FIGURE 11: The decrypted message.


It is worth noting that PGP was one of the first so-called "hybrid cryptosystems" that combined aspects of SKC and PKC. When Zimmermann was first designing PGP in the late-1980s, he wanted to use RSA to encrypt the entire message. The PCs of the days, however, suffered significant performance degradation when executing RSA so he hit upon the idea of using SKC to encrypt the message and PKC to encrypt the SKC key.

PGP went into a state of flux in 2002. Zimmermann sold PGP to Network Associates, Inc. (NAI) in 1997 and then resigned from NAI in early 2001. In March 2002, NAI announced that they were dropping support for the commercial version of PGP having failed to find a buyer for the product willing to pay what they wanted. In August 2002, PGP was purchased from NAI by PGP Corp. which, in turn, was purchased by Symantec. Meanwhile, there are many freeware versions of PGP available through the International PGP Page and the OpenPGP Alliance. Also check out the GNU Privacy Guard (GnuPG), a GNU project implementation of OpenPGP (defined in RFC 2440); GnuPG is also know as GPG.

5.6. IP Security (IPsec) Protocol

NOTE: The information in this section assumes that the reader is familiar with the Internet Protocol (IP), at least to the extent of the packet format and header contents. More information about IP can be found in An Overview of TCP/IP Protocols and the Internet. More information about IPv6 can be found in IPv6: The Next Generation Internet Protocol.

The Internet and the TCP/IP protocol suite were not built with security in mind. This is not meant as a criticism but as an observation; the baseline IP, TCP, UDP, and ICMP protocols were written in 1980 and built for the relatively closed ARPANET community. TCP/IP wasn't designed for the commercial-grade financial transactions that they now see or for virtual private networks (VPNs) on the Internet. To bring TCP/IP up to today's security necessities, the Internet Engineering Task Force (IETF) formed the IP Security Protocol Working Group which, in turn, developed the IP Security (IPsec) protocol. IPsec is not a single protocol, in fact, but a suite of protocols providing a mechanism to provide data integrity, authentication, privacy, and nonrepudiation for the classic Internet Protocol (IP). Although intended primarily for IP version 6 (IPv6), IPsec can also be employed by the current version of IP, namely IP version 4 (IPv4).

As shown in Table 3, IPsec is described in nearly a dozen RFCs. RFC 4301, in particular, describes the overall IP security architecture and RFC 2411 provides an overview of the IPsec protocol suite and the documents describing it.

IPsec can provide either message authentication and/or encryption. The latter requires more processing than the former, but will probably end up being the preferred usage for applications such as VPNs and secure electronic commerce.

Central to IPsec is the concept of a security association (SA). Authentication and confidentiality using AH or ESP use SAs and a primary role of IPsec key exchange it to establish and maintain SAs. An SA is a simplex (one-way or unidirectional) logical connection between two communicating IP endpoints that provides security services to the traffic carried by it using either AH or ESP procedures. The endpoint of an SA can be an IP host or IP security gateway (e.g., a proxy server, VPN server, etc.). Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

An SA is uniquely identified by a 3-tuple composed of:

  • Security Parameter Index (SPI), a 32-bit identifier of the connection
  • IP Destination Address
  • security protocol (AH or ESP) identifier

The IP Authentication Header (AH), described in RFC 4302, provides a mechanism for data integrity and data origin authentication for IP packets using HMAC with MD5 (RFC 2403), HMAC with SHA-1 (RFC 2404), or HMAC with RIPEMD (RFC 2857). See also RFC 4305.


0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Payload Len | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameters Index (SPI) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Integrity Check Value-ICV (variable) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

FIGURE 12: IPsec Authentication Header format. (From RFC 4302)


Figure 12 shows the format of the IPsec AH. The AH is merely an additional header in a packet, more or less representing another protocol layer above IP (this is shown in Figure 14 below). Use of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header. The AH follows mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information. The contents of the AH are:

  • Next Header: An 8-bit field that identifies the type of the next payload after the Authentication Header.
  • Payload Length: An 8-bit field that indicates the length of AH in 32-bit words (4-byte blocks), minus "2". [The rationale for this is somewhat counter intuitive but technically important. All IPv6 extension headers encode the header extension length (Hdr Ext Len) field by first subtracting 1 from the header length, which is measured in 64-bit words. Since AH was originally developed for IPv6, it is an IPv6 extension header. Since its length is measured in 32-bit words, however, the Payload Length is calculated by subtracting 2 (32 bit words) to maintain consistency with IPv6 coding rules.] In the default case, the three 32-bit word fixed portion of the AH is followed by a 96-bit authentication value, so the Payload Length field value would be 4.
  • Reserved: This 16-bit field is reserved for future use and always filled with zeros.
  • Security Parameters Index (SPI): An arbitrary 32-bit value that, in combination with the destination IP address and security protocol, uniquely identifies the Security Association for this datagram. The value 0 is reserved for local, implementation-specific uses and values between 1-255 are reserved by the Internet Assigned Numbers Authority (IANA) for future use.
  • Sequence Number: A 32-bit field containing a sequence number for each datagram; initially set to 0 at the establishment of an SA. AH uses sequence numbers as an anti-replay mechanism, to prevent a "person-in-the-middle" attack. If anti-replay is enabled (the default), the transmitted Sequence Number is never allowed to cycle back to 0; therefore, the sequence number must be reset to 0 by establishing a new SA prior to the transmission of the 232nd packet.
  • Authentication Data: A variable-length, 32-bit aligned field containing the Integrity Check Value (ICV) for this packet (default length = 96 bits). The ICV is computed using the authentication algorithm specified by the SA, such as DES, MD5, or SHA-1. Other algorithms may also be supported.

The IP Encapsulating Security Payload (ESP), described in RFC 4303, provides message integrity and privacy mechanisms in addition to authentication. As in AH, ESP uses HMAC with MD5, SHA-1, or RIPEMD authentication (RFC 2403/RFC 2404/RFC 2857); privacy is provided using DES-CBC encryption (RFC 2405), NULL encryption (RFC 2410), other CBC-mode algorithms (RFC 2451), or AES (RFC 3686). See also RFC 4305 and RFC 4308.


0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- | Security Parameters Index (SPI) | ^Int. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | Sequence Number | |ered +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- | Payload Data (variable) | | ^ | | | | |Conf. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | | Padding (0-255 bytes) | |ered +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | Pad Length | Next Header | v v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ | Integrity Check Value-ICV (variable) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ If included in the Payload field, cryptographic synchronization data, e.g., an Initialization Vector (IV), usually is not encrypted per se, although it often is referred to as being being part of the ciphertext.

FIGURE 13: IPsec Encapsulating Security Payload format. (From RFC 4303)


Figure 13 shows the format of the IPsec ESP information. Use of the IP ESP format is indicated by placing the value 50 (0x32) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header. The ESP header (i.e., SPI and sequence number) follows mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information. The contents of the ESP packet are:

  • Security Parameters Index: (see description for this field in the AH, above.)
  • Sequence Number: (see description for this field in the AH, above.)
  • Payload Data: A variable-length field containing data as described by the Next Header field. The contents of this field could be encrypted higher layer data or an encrypted IP packet.
  • Padding: Between 0 and 255 octets of padding may be added to the ESP packet. There are several applications that might use the padding field. First, the encryption algorithm that is used may require that the plaintext be a multiple of some number of bytes, such as the block size of a block cipher; in this case, the Padding field is used to fill the plaintext to the size required by the algorithm. Second, padding may be required to ensure that the ESP packet and resulting ciphertext terminate on a 4-byte boundary. Third, padding may be used to conceal the actual length of the payload. Unless another value is specified by the encryption algorithm, the Padding octets take on the value 1, 2, 3, ... starting with the first Padding octet. This scheme is used because, in addition to being simple to implement, it provides some protection against certain forms of "cut and paste" attacks.
  • Pad Length: An 8-bit field indicating the number of bytes in the Padding field; contains a value between 0-255.
  • Next Header: An 8-bit field that identifies the type of data in the Payload Data field, such as an IPv6 extension header or a higher layer protocol identifier.
  • Authentication Data: (see description for this field in the AH, above.)

Two types of SAs are defined in IPsec, regardless of whether AH or ESP is employed. A transport mode SA is a security association between two hosts. Transport mode provides the authentication and/or encryption service to the higher layer protocol. This mode of operation is only supported by IPsec hosts. A tunnel mode SA is a security association applied to an IP tunnel. In this mode, there is an "outer" IP header that specifies the IPsec destination and an "inner" IP header that specifies the destination for the IP packet. This mode of operation is supported by both hosts and security gateways.


ORIGINAL PACKET BEFORE APPLYING AH ---------------------------- IPv4 |orig IP hdr | | | |(any options)| TCP | Data | ---------------------------- --------------------------------------- IPv6 | | ext hdrs | | | | orig IP hdr |if present| TCP | Data | --------------------------------------- AFTER APPLYING AH (TRANSPORT MODE) ------------------------------------------------------- IPv4 |original IP hdr (any options) | AH | TCP | Data | ------------------------------------------------------- |<- mutable field processing ->|<- immutable fields ->| |<----- authenticated except for mutable fields ----->| ------------------------------------------------------------ IPv6 | |hop-by-hop, dest, | | dest | | | |orig IP hdr |routing, fragment. | AH | opt | TCP | Data | ------------------------------------------------------------ |<--- mutable field processing -->|<-- immutable fields -->| |<---- authenticated except for mutable fields ----------->| = if present, could be before AH, after AH, or both AFTER APPLYING AH (TUNNEL MODE) ---------------------------------------------------------------- IPv4 | | | orig IP hdr | | | |new IP header (any options) | AH | (any options) |TCP| Data | ---------------------------------------------------------------- |<- mutable field processing ->|<------ immutable fields ----->| |<- authenticated except for mutable fields in the new IP hdr->| -------------------------------------------------------------- IPv6 | | ext hdrs| | | ext hdrs| | | |new IP hdr|if present| AH |orig IP hdr|if present|TCP|Data| -------------------------------------------------------------- |<--- mutable field -->|<--------- immutable fields -------->| | processing | |<-- authenticated except for mutable fields in new IP hdr ->| = if present, construction of outer IP hdr/extensions and modification of inner IP hdr/extensions is discussed in the Security Architecture document.

FIGURE 14: IPsec tunnel and transport modes for AH. (Adapted from RFC 4302)


Figure 14 show the IPv4 and IPv6 packet formats when using AH in both transport and tunnel modes. Initially, an IPv4 packet contains a normal IPv4 header (which may contain IP options), followed by the higher layer protocol header (e.g., TCP or UDP), followed by the higher layer data itself. An IPv6 packet is similar except that the packet starts with the mandatory IPv6 header followed by any IPv6 extension headers, and then followed by the higher layer data.

Note that in both transport and tunnel modes, the entire IP packet is covered by the authentication except for the mutable fields. A field is mutable if its value might change during transit in the network; IPv4 mutable fields include the fragment offset, time to live, and checksum fields. Note, in particular, that the address fields are not mutable.


ORIGINAL PACKET BEFORE APPLYING ESP ---------------------------- IPv4 |orig IP hdr | | | |(any options)| TCP | Data | ---------------------------- --------------------------------------- IPv6 | | ext hdrs | | | | orig IP hdr |if present| TCP | Data | --------------------------------------- AFTER APPLYING ESP (TRANSPORT MODE) ------------------------------------------------- IPv4 |orig IP hdr | ESP | | | ESP | ESP| |(any options)| Hdr | TCP | Data | Trailer | ICV| ------------------------------------------------- |<---- encryption ---->| |<-------- integrity ------->| --------------------------------------------------------- IPv6 | orig |hop-by-hop,dest,| |dest| | | ESP | ESP| |IP hdr|routing,fragment.|ESP|opt|TCP|Data|Trailer| ICV| --------------------------------------------------------- |<--- encryption ---->| |<------ integrity ------>| = if present, could be before ESP, after ESP, or both AFTER APPLYING ESP (TUNNEL MODE) ----------------------------------------------------------- IPv4 | new IP hdr+ | | orig IP hdr+ | | | ESP | ESP| |(any options)| ESP | (any options) |TCP|Data|Trailer| ICV| ----------------------------------------------------------- |<--------- encryption --------->| |<------------- integrity ------------>| ------------------------------------------------------------ IPv6 | new+ |new ext | | orig+|orig ext | | | ESP | ESP| |IP hdr| hdrs+ |ESP|IP hdr| hdrs+ |TCP|Data|Trailer| ICV| ------------------------------------------------------------ |<--------- encryption ---------->| |<------------ integrity ------------>| + = if present, construction of outer IP hdr/extensions and modification of inner IP hdr/extensions is discussed in the Security Architecture document.

FIGURE 15: IPsec tunnel and transport modes for ESP. (Adapted from RFC 4303)


Figure 15 shows the IPv4 and IPv6 packet formats when using ESP in both transport and tunnel modes.

  • As with AH, we start with a standard IPv4 or IPv6 packet.
  • In transport mode, the higher layer header and data, as well as ESP trailer information, is encrypted and the entire ESP packet is authenticated. In the case of IPv6, some of the IPv6 extension options can precede or follow the ESP header.
  • In tunnel mode, the original IP packet is encrypted and placed inside of an "outer" IP packet, while the entire ESP packet is authenticated.

Note a significant difference in the scope of ESP and AH. AH authenticates the entire packet transmitted on the network whereas ESP only covers a portion of the packet transmitted on the network (the higher layer data in transport mode and the entire original packet in tunnel mode). The reason for this is straight-forward; in AH, the authentication data for the transmission fits neatly into an additional header whereas ESP creates an entirely new packet which is the one encrypted and/or authenticated. But the ramifications are significant. ESP transport mode as well as AH in both modes protect the IP address fields of the original transmissions. Thus, using IPsec in conjunction with network address translation (NAT) might be problematic because NAT changes the values of these fields after IPsec processing.

The third component of IPsec is the establishment of security associations and key management. These tasks can be accomplished in one of two ways.

The simplest form of SA and key management is manual management. In this method, a security administer or other individual manually configures each system with the key and SA management data necessary for secure communication with other systems. Manual techniques are practical for small, reasonably static environments but they do not scale well.

For successful deployment of IPsec, however, a scalable, automated SA/key management scheme is necessary. Several protocols have defined for these functions:

  • The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete security associations, and provides the framework for exchanging information about authentication and key management (RFC 2407/RFC 2408). ISAKMP's security association and key management is totally separate from key exchange.
  • The OAKLEY Key Determination Protocol (RFC 2412) describes a scheme by which two authenticated parties can exchange key information. OAKLEY uses the Diffie-Hellman key exchange algorithm.
  • The Internet Key Exchange (IKE) algorithm (RFC 2409) is the default automated key management protocol for IPsec.
  • An alternative to IKE is Photuris (RFC 2522/RFC 2523), a scheme for establishing short-lived session-keys between two authenticated parties without passing the session-keys across the Internet. IKE typically creates keys that may have very long lifetimes.

On a final note, IPsec authentication for both AH and ESP uses a scheme called HMAC, a keyed-hashing message authentication code described in FIPS 198 and RFC 2104. HMAC uses a shared secret key between two parties rather than public key methods for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPsec specifies support for at least MD5 and SHA-1 because of their widespread use.

In HMAC, both parties share a secret key. The secret key will be employed with the hash algorithm in a way that provides mutual authentication without transmitting the key on the line. IPsec key management procedures will be used to manage key exchange between the two parties.

Recall that hash functions operate on a fixed-size block of input at one time; MD5 and SHA-1, for example, work on 64 byte blocks. These functions then generate a fixed-size hash value; MD5 and SHA-1, in particular, produce 16 byte (128 bit) and 20 byte (160 bit) output strings, respectively. For use with HMAC, the secret key (K) should be at least as long as the hash output.

The following steps provide a simplified, although reasonably accurate, description of how the HMAC scheme would work with a particular plaintext MESSAGE (Figure 16):

  1. Alice pads K so that it is as long as an input block; call this padded key Kp. Alice computes the hash of the padded key followed by the message, i.e., HASH (Kp:MESSAGE).
  2. Alice transmits MESSAGE and the hash value.
  3. Bob has also padded K to create Kp. He computes HASH (Kp:MESSAGE) on the incoming message.
  4. Bob compares the computed hash value with the received hash value. If they match, then the sender — Alice — must know the secret key and her identity is, thus, authenticated.


FIGURE 16: Keyed-hash MAC operation.


5.7. Secure Transactions with SSL and TLS

The Secure Sockets Layer (SSL) protocol was developed by Netscape Communications to provide application-independent secure communication over the Internet for protocols such as the Hypertext Transfer Protocol (HTTP). SSL employs RSA and X.509 certificates during an initial handshake used to authenticate the server (client authentication is optional). The client and server then agree upon an encryption scheme. SSL v2.0 (1995), the first version publicly released, supported RC2 and RC4 with 40-bit keys. SSL v3.0 (1996) added support for DES, RC4 with a 128-bit key, and 3DES with a 168-bit key, all along with either MD5 or SHA-1 message hashes; this protocol is described in RFC 6101.


FIGURE 17: Browser encryption configuration screen (Firefox).


In 1997, SSL v3 was found to be breakable. By this time, the Internet Engineering Task Force (IETF) had already started work on a new, non-proprietary protocol called Transport Layer Security (TLS), described in RFC 2246 (1999). TLS extends SSL and supports additional crypto schemes, such as Diffie-Hellman key exchange and DSS digital signatures; RFC 4279 describes the pre-shared key crypto schemes supported by TLS. TLS is backward compatible with SSL (and, in fact, is recognized as SSL v3.1). SSL v3.0 and TLS v1.0 are the commonly supported versions on servers and browsers today (Figure 17); SSL v2.0 is rarely found today and, in fact, RFC 6176-compliant clients and servers that support TLS will never negotiate the use of SSL v2.

In 2002, a cipher block chaining (CBC) vulnerability was described for TLS v1.0. In 2011, the theoretical became practical when a CBC proof-of-concept exploit was released. Meanwhile, TLS v1.1 was defined in 2006 (RFC 4346), adding protection against v1.0's CBC vulnerability. In 2008, TLS v1.2 was defined (RFC 5246), adding several additional cryptographic options. Today, users are urged to use TLS v1.2 or v1.1 in lieu of any earlier versions, and v1.3 is available in draft form.


CLIENT SERVER (using URL of form https://) (listening on port 443) ClientHello ----> ServerHello Certificate ServerKeyExchange CertificateRequest <---- ServerHelloDone Certificate ClientKeyExchange CertifcateVerify [ChangeCipherSpec] Finished ----> [ChangeCipherSpec] <---- Finished Application Data <---> Application Data Optional or situation-dependent messages; not always sent

FIGURE 18: SSL/TLS protocol handshake. (Adapted from RFC 2246)


Figure 18 shows the basic TLS (and SSL) message exchanges:

  1. URLs specifying the protocol https:// are directed to HTTP servers secured using SSL/TLS. The client will automatically try to make a TCP connection to the server at port 443. The client initiates the secure connection by sending a ClientHello message containing a Session identifier, highest SSL version number supported by the client, and lists of supported crypto and compression schemes (in preference order).
  2. The server examines the Session ID and if it is still in the server's cache, it will attempt to re-establish a previous session with this client. If the Session ID is not recognized, the server will continue with the handshake to establish a secure session by responding with a ServerHello message. The ServerHello repeats the Session ID, indicates the SSL version to use for this connection (which will be the highest SSL version supported by the server and client), and specifies which encryption method and compression method to be used for this connection.
  3. There are a number of other optional messages that the server might send, including:
    • Certificate, which carries the server's X.509 public key certificate (and, generally, the server's public key). This message will always be sent unless the client and server have already agreed upon some form of anonymous key exchange.
    • ServerKeyExchange, which will carry a premaster secret when the server's Certificate message does not contain enough data for this purpose; used in some key exchange schemes.
    • CertificateRequest, used to request the client's certificate in those scenarios where client authentication is performed (which means that this message is rarely sent).
    • ServerHelloDone, indicating that the server has completed its portion of the key exchange handshake.
  4. The client now responds with a series of mandatory and optional messages:
    • Certificate, contains the client's public key certificate when it has been requested by the server (which means that this message is rarely sent).
    • ClientKeyExchange, which usually carries the secret key to be used with the secret key crypto scheme.
    • CertificateVerify, used to provide explicit verification of a client's certificate if the server is authenticating the client.
  5. TLS includes the change cipher spec protocol to indicate changes in the encryption method. This protocol contains a single message, ChangeCipherSpec, which is encrypted and compressed using the current (rather than the new) encryption and compression schemes. The ChangeCipherSpec message is sent by both client and server to notify the other station that all following information will employ the newly negotiated cipher spec and keys.
  6. The Finished message is sent after a ChangeCipherSpec message to confirm that the key exchange and authentication processes were successful.
  7. At this point, both client and server can exchange application data using the session encryption and compression schemes.

Side Note: It would probably be helpful to make some mention of how SSL/TLS is most commonly used today. Most of us have used SSL to engage in a secure, private transaction with some vendor. The steps are something like this. During the SSL exchange with the vendor's secure server, the server sends its certificate to our client software. The certificate includes the vendor's public key and a validation of some sort from the CA that issued the vendor's certificate (signed with the CA's private key). Our browser software is shipped with the major CAs' certificates containing their public keys; in that way, the client software can authenticate the server's certificate. Note that the server generally does not use a certificate to authenticate the client. Instead, purchasers are generally authenticated when a credit card number is provided; the server checks to see if the card purchase will be authorized by the credit card company and, if so, considers us valid and authenticated!

The reason that only the server is authenticated is rooted in history. SSL was developed to support e-commerce by providing a trust mechanism so that customers could have faith in a merchant. In the real world, you "trust" a store because you can walk into a brick-and-mortar structure. The store doesn't know who the customer is; they check to see if the credit card is valid and, if so, a purchase goes through. In e-commerce, we were trying to replicate the same experience — find a way in which the customer could trust the store and then make sure that the credit card was valid. In addition, how many people would have been willing to purchase an individual certificate and install it on their browser merely so that they shop online? This latter requirement, if implemented, could have killed e-commerce before it ever got started.

This all said, bidirectional — or mutual — authentication is supported by SSL, as noted in the figure above. See E. Cheng's "An Introduction to Mutual SSL Authentication" for an overview of how symmetric the process can be.

For historical purposes, it is worth mentioing Microsoft's Server Gated Cryptography (SGC) protocol, another (now long defunct) extension to SSL/TLS. For several decades, it had been illegal to generally export products from the U.S. that employed secret-key cryptography with keys longer than 40 bits. For that reason, during the 1996-1998 time period, browsers using SSL/TLS (e.g., Internet Explorer and Netscape Navigator) had an exportable version with weak (40-bit) keys and a domestic (North American) version with strong (128-bit) keys. By the late-1990s, products using strong SKC has been approved for the worldwide financial community. SGC was an extension to SSL that allowed financial institutions using Windows NT servers to employ strong cryptography. Both the client and server needed to have implemented SGC and the bank had to have a valid SGC certificate. During the initial handshake, the server would indicate support of SGC and supply its SGC certificate; if the client wished to use SGC and validated the server's SGC certificate, it would astablish a secure session employing 128-bit RC2, 128-bit RC4, 56-bit DES, or 168-bit 3DES encryption. Microsoft supported SGC in the Windows 95/98/NT versions of Internet Explorer 4.0, Internet Information Server (IIS) 4.0, and Money 98.

As mentioned earlier, SSL was designed to provide application-independent transaction security for the Internet. Although the discussion above has focused on HTTP over SSL (https/TCP port 443), SSL is also applicable to:

Protocol   TCP Port Name/Number
File Transfer Protocol (FTP)   ftps-data/989 & ftps/990
Internet Message Access Protocol v4 (IMAP4)   imaps/993
Lightweight Directory Access Protocol (LDAP)   ldaps/636
Network News Transport Protocol (NNTP)   nntps/563
Post Office Protocol v3 (POP3)   pop3s/995
Telnet   telnets/992

TLS was originally designed to operate over TCP. The IETF developed the Datagram Transport Layer Security (DTLS) protocol, based upon TLS, to operate over UDP. DTLS v1.2 is described in RFC 6347. (DTLS v1.0 can be found in RFC 4347.) RFC 6655 describes a suite of AES in Counter with Cipher Block Chaining - Message Authentication Code (CBC-MAC) Mode (CCM) ciphers for use with TLS and DTLS. An interesting analysis of the TLS protocol can be found in the paper "Analysis and Processing of Cryptographic Protocols" by Cowie.

Vulnerabilities: A vulnerability in the OpenSSL Library was discovered in 2014. Known as Heartbleed, this vulnerability had apparently been introduced into OpenSSL in late 2011 with the introduction of a feature called heartbeat. Heartbleed exploited an implementation flaw in order to exfiltrate keying material from an SSL server (or some SSL clients, in what is known at reverse Heartbleed); the flaw allowed an attacker to grab 64 KB blocks from RAM. Heartbleed is known to only affect OpenSSL v1.0.1 through v1.0.1f; the exploit was patched in v1.0.1g. In addition, the OpenSSL 0.9.8 and 1.0.0 families are not vulnerable. Note also that Heartbleed affects some versions of the Android operating system, notably v4.1.0 and v4.1.1 (and some, possibly custom, implementations of v4.2.2). Note that Heartbleed did not exploit a flaw in the SSL protocol, but rather a flaw in the OpenSSL implementation.

But that wasn't the only problem with SSL. In October 2014, a new vulnerability was found called POODLE (Padding Oracle On Downgraded Legacy Encryption), a man-in-the-middle attack that exploited another SSL vulnerability that had unknowingly been in place for many years. Weeks later, an SSL vulnerability in the bash Unix command shell was discovered, aptly named Shellshock. (Here's a nice overview of the 2014 SSL problems!) In March 2015, the Bar Mitzvah Attack was exposed, exploiting a 13-year old vulnerability in the Rivest Cipher 4 (RC4) encryption algorithm. Then there was the FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) SSL/TLS Vulnerabilty that affected some SSL/TLS implementations, including Android OS and Chrome browser for OS X later that month.

In March 2016, the SSL DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack was announced. DROWN works by exploiting the presence of SSLv2 to crack encrypted communications and steal information from Web servers, email servers, or VPN sessions. You might have read above that SSLv2 fell out of use by the early 2000s and was formally deprecated in 2011. This is true. But backward compatibility often causes old software to remain dormant and it seems that up to one-third of all HTTPS sites are vulnerable to DROWN because SSLv2 has not been removed or disabled.

5.8. Elliptic Curve Cryptography (ECC)

In general, public key cryptography systems use hard-to-solve problems as the basis of the algorithm. The most predominant algorithm today for public key cryptography is RSA, based on the prime factors of very large integers. While RSA can be successfully attacked, the mathematics of the algorithm have not been comprised, per se; instead, computational brute-force has broken the keys. The defense is "simple" — keep the size of the integer to be factored ahead of the computational curve!

In 1985, Elliptic Curve Cryptography (ECC) was proposed independently by cryptographers Victor Miller (IBM) and Neal Koblitz (University of Washington). ECC is based on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). Like the prime factorization problem, ECDLP is another "hard" problem that is deceptively simple to state: Given two points, P and Q, on an elliptic curve, find the integer n, if it exists, such that P = nQ.

Elliptic curves combine number theory and algebraic geometry. These curves can be defined over any field of numbers (i.e., real, integer, complex) although we generally see them used over finite fields for applications in cryptography. An elliptic curve consists of the set of real numbers (x,y) that satisfies the equation:

y2 = x3 + ax + b

The set of all of the solutions to the equation forms the elliptic curve. Changing a and b changes the shape of the curve, and small changes in these parameters can result in major changes in the set of (x,y) solutions.



FIGURE 19: Elliptic curve addition.


Figure 19 shows the addition of two points on an elliptic curve. Elliptic curves have the interesting property that adding two points on the elliptic curve yields a third point on the curve. Therefore, adding two points, P and Q, gets us to point R, also on the curve. Small changes in P or Q can cause a large change in the position of R.

So let's go back to the original problem statement from above. The point Q is calculated as a multiple of the starting point, P, or, Q = nP. An attacker might know P and Q but finding the integer, n, is a difficult problem to solve. Q (i.e., nP) is the public key and n is the private key.

ECC may be employed with many Internet standards, including CCITT X.509 certificates and certificate revocation lists (CRLs), Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and applications or protocols based on the cryptographic message syntax (CMS). RFC 5639 proposes a set of elliptic curve domain parameters over finite prime fields for use in these cryptographic applications and RFC 6637 proposes additional elliptic curves for use with OpenPGP.

RSA had been the mainstay of PKC for over a quarter-century. ECC, however, is emerging as a replacement in some environments because it provides similar levels of security compared to RSA but with significantly reduced key sizes. NIST use the following table to demonstrate the key size relationship between ECC and RSA, and the appropriate choice of AES key size:

TABLE 4. ECC and RSA Key Comparison.
(Source: Certicom, NIST)
ECC Key Size RSA Key Size Key-Size
Ratio AES Key Size
163 1,024 1:6 n/a
256 3,072 1:12 128
384 7,680 1:20 192
512 15,360 1:30 256
Key sizes in bits.

Since the ECC key sizes are so much shorter than comparable RSA keys, the length of the public key and private key is much shorter in elliptic curve cryptosystems. This results into faster processing times, and lower demands on memory and bandwidth; some studies have found that ECC is faster than RSA for signing and decryption, but slower for signature verification and encryption.

ECC is particularly useful in applications where memory, bandwidth, and/or computational power is limited (e.g., a smartcard) and it is in this area that ECC use is expected to grow. A major champion of ECC today is Certicom; readers are urged to see their ECC tutorial.

5.9. The Advanced Encryption Standard (AES) and Rijndael

The search for a replacement to DES started in January 1997 when NIST announced that it was looking for an Advanced Encryption Standard. In September of that year, they put out a formal Call for Algorithms and in August 1998 announced that 15 candidate algorithms were being considered (Round 1). In April 1999, NIST announced that the 15 had been whittled down to five finalists (Round 2): MARS (multiplication, addition, rotation and substitution) from IBM; Ronald Rivest's RC6; Rijndael from a Belgian team; Serpent, developed jointly by a team from England, Israel, and Norway; and Twofish, developed by Bruce Schneier. In October 2000, NIST announced their selection: Rijndael.

The remarkable thing about this entire process has been the openness as well as the international nature of the "competition." NIST maintained an excellent Web site devoted to keeping the public fully informed, at http://csrc.nist.gov/archive/aes/, which is now available as an archive site. Their Overview of the AES Development Effort has full details of the process, algorithms, and comments so I will not repeat everything here.

In October 2000, NIST released the Report on the Development of the Advanced Encryption Standard (AES) that compared the five Round 2 algorithms in a number of categories. The table below summarizes the relative scores of the five schemes (1=low, 3=high):

Algorithm Category MARS RC6 Rijndael Serpent Twofish General security Implementation of security Software performance Smart card performance Hardware performance Design features
3 2 2 3 3
1 1 3 3 2
2 2 3 1 1
1 1 3 3 2
1 2 3 3 2
2 1 2 1 3

With the report came the recommendation that Rijndael be named as the AES standard. In February 2001, NIST released the Draft Federal Information Processing Standard (FIPS) AES Specification for public review and comment. AES contains a subset of Rijndael's capabilities (e.g., AES only supports a 128-bit block size) and uses some slightly different nomenclature and terminology, but to understand one is to understand both. The 90-day comment period ended on May 29, 2001 and the U.S. Department of Commerce officially adopted AES in December 2001, published as FIPS PUB 197.

AES (Rijndael) Overview

Rijndael (pronounced as in "rain doll" or "rhine dahl") is a block cipher designed by Joan Daemen and Vincent Rijmen, both cryptographers in Belgium. Rijndael can operate over a variable-length block using variable-length keys; the specification submitted to NIST describes use of a 128-, 192-, or 256-bit key to encrypt data blocks that are 128, 192, or 256 bits long; note that all nine combinations of key length and block length are possible. The algorithm is written in such a way that block length and/or key length can easily be extended in multiples of 32 bits and it is specifically designed for efficient implementation in hardware or software on a range of processors. The design of Rijndael was strongly influenced by the block cipher called Square, also designed by Daemen and Rijmen. See

  • The Rijndael page for a lot more information.

    Rijndael is an iterated block cipher, meaning that the initial input block and cipher key undergoes multiple rounds of transformation before producing the output. Each intermediate cipher result is called a State.

    For ease of description, the block and cipher key are often represented as an array of columns where each array has 4 rows and each column represents a single byte (8 bits). The number of columns in an array representing the state or cipher key, then, can be calculated as the block or key length divided by 32 (32 bits = 4 bytes). An array representing a State will have Nb columns, where Nb values of 4, 6, and 8 correspond to a 128-, 192-, and 256-bit block, respectively. Similarly, an array representing a Cipher Key will have Nk columns, where Nk values of 4, 6, and 8 correspond to a 128-, 192-, and 256-bit key, respectively. An example of a 128-bit State (Nb=4) and 192-bit Cipher Key (Nk=6) is shown below:

    s0,0 s0,1 s0,2 s0,3
    s1,0 s1,1 s1,2 s1,3
    s2,0 s2,1 s2,2 s2,3
    s3,0 s3,1 s3,2 s3,3
     
    k0,0 k0,1 k0,2 k0,3 k0,4 k0,5
    k1,0 k1,1 k1,2 k1,3 k1,4 k1,5
    k2,0 k2,1 k2,2 k2,3 k2,4 k2,5
    k3,0 k3,1 k3,2 k3,3 k3,4 k3,5

    The number of transformation rounds (Nr) in Rijndael is a function of the block length and key length, and is given by the table below:

    No. of Rounds
    Nr Block Size 128 bits
    Nb = 4 192 bits
    Nb = 6 256 bits
    Nb = 8 Key
    Size 128 bits
    Nk = 4 192 bits
    Nk = 6 256 bits
    Nk = 8
    10 12 14
    12 12 14
    14 14 14

    Now, having said all of this, the AES version of Rijndael does not support all nine combinations of block and key lengths, but only the subset using a 128-bit block size. NIST calls these supported variants AES-128, AES-192, and AES-256 where the number refers to the key size. The Nb, Nk, and Nr values supported in AES are:

    Parameters Variant Nb Nk Nr AES-128 AES-192 AES-256
    4 4 10
    4 6 12
    4 8 14

    The AES/Rijndael cipher itself has three operational stages:

    • AddRound Key transformation
    • Nr-1 Rounds comprising:
      • SubBytes transformation
      • ShiftRows transformation
      • MixColumns transformation
      • AddRoundKey transformation
    • A final Round comprising:
      • SubBytes transformation
      • ShiftRows transformation
      • AddRoundKey transformation

    The paragraphs below will describe the operations mentioned above. The nomenclature used below is taken from the AES specification although references to the Rijndael specification are made for completeness. The arrays s and s' refer to the State before and after a transformation, respectively (NOTE: The Rijndael specification uses the array nomenclature a and b to refer to the before and after States, respectively). The subscripts i and j are used to indicate byte locations within the State (or Cipher Key) array.

    The SubBytes transformation

    The substitute bytes (called ByteSub in Rijndael) transformation operates on each of the State bytes independently and changes the byte value. An S-box, or substitution table, controls the transformation. The characteristics of the S-box transformation as well as a compliant S-box table are provided in the AES specification; as an example, an input State byte value of 107 (0x6b) will be replaced with a 127 (0x7f) in the output State and an input value of 8 (0x08) would be replaced with a 48 (0x30).

    One way to think of the SubBytes transformation is that a given byte in State s is given a new value in State s' according to the S-box. The S-box, then, is a function on a byte in State s so that:

    s'i,j = S-box (si,j)

    The more general depiction of this transformation is shown by:

    s0,0 s0,1 s0,2 s0,3
    s1,0 s1,1 s1,2 s1,3
    s2,0 s2,1 s2,2 s2,3
    s3,0 s3,1 s3,2 s3,3
    s'0,0 s'0,1 s'0,2 s'0,3
    s'1,0 s'1,1 s'1,2 s'1,3
    s'2,0 s'2,1 s'2,2 s'2,3
    s'3,0 s'3,1 s'3,2 s'3,3

    The ShiftRows transformation

    The shift rows (called ShiftRow in Rijndael) transformation cyclically shifts the bytes in the bottom three rows of the State array. According to the more general Rijndael specification, rows 2, 3, and 4 are cyclically left-shifted by C1, C2, and C3 bytes, respectively, per the table below:

    Nb
    C1 C2 C3
    4 1 2 3
    6 1 2 3
    8 1 3 4

    The current version of AES, of course, only allows a block size of 128 bits (Nb = 4) so that C1=1, C2=2, and C3=3. The diagram below shows the effect of the ShiftRows transformation on State s:

    State s
    s0,0 s0,1 s0,2 s0,3
    s1,0 s1,1 s1,2 s1,3
    s2,0 s2,1 s2,2 s2,3
    s3,0 s3,1 s3,2 s3,3
     
    ----------- no shift -----------> 
    ----> left-shift by C1 (1) ----> 
    ----> left-shift by C2 (2) ----> 
    ----> left-shift by C3 (3) ----> 
    State s'
    s0,0 s0,1 s0,2 s0,3
    s1,1 s1,2 s1,3 s1,0
    s2,2 s2,3 s2,0 s2,1
    s3,3 s3,0 s3,1 s3,2

    The MixColumns transformation

    The mix columns (called MixColumn in Rijndael) transformation uses a mathematical function to transform the values of a given column within a State, acting on the four values at one time as if they represented a four-term polynomial. In essence, if you think of MixColumns as a function, this could be written:

    s'i,c = MixColumns (si,c)

    for 0 ≤ i ≤ 3 for some column, c. The column position doesn't change, merely the values within the column.

    Round Key generation and the AddRoundKey transformation

    The AES Cipher Key can be 128, 192, or 256 bits in length. The Cipher Key is used to derive a different key to be applied to the block during each round of the encryption operation. These keys are called the Round Keys and each will be the same length as the block, i.e., Nb 32-bit words (words will be denoted W).

    The AES specification defines a key schedule by which the original Cipher Key (of length Nk 32-bit words) is used to form an Expanded Key. The Expanded Key size is equal to the block size times the number of encryption rounds plus 1, which will provide Nr+1 different keys. (Note that there are Nr encipherment rounds but Nr+1 AddRoundKey transformations.)

    Consider that AES uses a 128-bit block and either 10, 12, or 14 iterative rounds depending upon key length. With a 128-bit key, for example, we would need 1408 bits of key material (128x11=1408), or an Expanded Key size of 44 32-bit words (44x32=1408). Similarly, a 192-bit key would require 1664 bits of key material (128x13), or 52 32-bit words, while a 256-bit key would require 1920 bits of key material (128x15), or 60 32-bit words. The key expansion mechanism, then, starts with the 128-, 192-, or 256-bit Cipher Key and produces a 1408-, 1664-, or 1920-bit Expanded Key, respectively. The original Cipher Key occupies the first portion of the Expanded Key and is used to produce the remaining new key material.

    The result is an Expanded Key that can be thought of and used as 11, 13, or 15 separate keys, each used for one AddRoundKey operation. These, then, are the Round Keys. The diagram below shows an example using a 192-bit Cipher Key (Nk=6), shown in magenta italics:

    Expanded Key: Round keys:
    W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 W10 W11 W12 W13 W14 W15 ... W44 W45 W46 W47 W48 W49 W50 W51
    Round key 0 Round key 1 Round key 2 Round key 3 ... Round key 11 Round key 12

    The AddRoundKey (called Round Key addition in Rijndael) transformation merely applies each Round Key, in turn, to the State by a simple bit-wise exclusive OR operation. Recall that each Round Key is the same length as the block.

    Summary

    Ok, I hope that you've enjoyed reading this as much as I've enjoyed writing it — and now let me guide you out of the microdetail! Recall from the beginning of the AES overview that the cipher itself comprises a number of rounds of just a few functions:

    • SubBytes takes the value of a word within a State and substitutes it with another value by a predefined S-box
    • ShiftRows circularly shifts each row in the State by some number of predefined bytes
    • MixColumns takes the value of a 4-word column within the State and changes the four values using a predefined mathematical function
    • AddRoundKey XORs a key that is the same length as the block, using an Expanded Key derived from the original Cipher Key

    Cipher (byte in[4Nb], byte out[4Nb], word w[Nb(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w) for round = 1 step 1 to Nr-1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state, w+roundNb) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w+NrNb) out = state end

    FIGURE 20: AES pseudocode.


    As a last and final demonstration of the operation of AES, Figure 20 is a pseudocode listing for the operation of the AES cipher. In the code:

    • in[] and out[] are 16-byte arrays with the plaintext and cipher text, respectively. (According to the specification, both of these arrays are actually 4Nb bytes in length but Nb=4 in AES.)
    • state[] is a 2-dimensional array containing bytes in 4 rows and 4 columns. (According to the specification, this arrays is 4 rows by Nb columns.)
    • w[] is an array containing the key material and is 4(Nr+1) words in length. (Again, according to the specification, the multiplier is actually Nb.)
    • AddRoundKey(), SubBytes(), ShiftRows(), and MixColumns() are functions representing the individual transformations.

    5.10. Cisco's Stream Cipher

    Stream ciphers take advantage of the fact that:

    x XOR y XOR y = x

    One of the encryption schemes employed by Cisco routers to encrypt passwords is a stream cipher. It uses the following fixed keystream (thanks also to Jason Fossen for independently extending and confirming this string):

    dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncx

    When a password is to be encrypted, the password function chooses a number between 0 and 15, and that becomes the offset into the keystream. Password characters are then XORed byte-by-byte with the keystream according to:

    Ci = Pi XOR K(offset+i)

    where K is the keystream, P is the plaintext password, and C is the ciphertext password.

    Consider the following example. Suppose we have the password abcdefgh. Converting the ASCII characters yields the hex string 0x6162636465666768.

    The keystream characters and hex code that supports an offset from 0 to 15 bytes and a password length up to 24 bytes is:

      d s f d ; k f o A , . i y e w r k l d J K D H S U B s g v c a 6 9 8 3 4 n c x
    0x647366643b6b666f412c2e69796577726b6c644a4b4448535542736776636136393833346e6378

    Let's say that the function decides upon a keystream offset of 6 bytes. We then start with byte 6 of the keystream (start counting the offset at 0) and XOR with the password:

        0x666f412c2e697965
    XOR 0x6162636465666768
        ------------------
        0x070D22484B0F1E0D

    The password would now be displayed in the router configuration as:

    password 7 06070D22484B0F1E0D

    where the "7" indicates the encryption type, the leading "06" indicates the offset into the keystream, and the remaining bytes are the encrypted password characters.

    (Decryption is pretty trivial so that exercise is left to the reader. If you need some help with byte-wise XORing, see http://www.garykessler.net/library/byte_logic_table.html. If you'd like some programs that do this, see http://www.garykessler.net/software/index.html#cisco7.)

    5.11. TrueCrypt

    TrueCrypt is an open source, on-the-fly crypto system that can be used on devices supports by Linux, MacOS, and Windows. First released in 2004, TrueCrypt can be employed to encrypt a partition on a disk or an entire disk.

    On May 28, 2014, the TrueCrypt.org Web site was suddenly taken down and redirected to the SourceForge page. Although this paper is intended as a crypto tutorial and not a news source about crypto controversy, the sudden withdrawal of TrueCrypt cannot go without notice. Readers interested in using TrueCrypt should know that the last stable release of the product is v7.1a (February 2012); v7.2, released on May 28, 2014, only decrypts TrueCrypt volumes, ostensibly so that users can migrate to another solution. The current TrueCrypt Web page — TCnext — is TrueCrypt.ch. The TrueCrypt Wikipedia page and accompanying references have some good information about the "end" of TrueCrypt as we knew it.

    While there does not appear to be any rush to abandon TrueCrypt, it is also the case that you don't want to use old, unsupported software for too long. A replacement was announced almost immediately upon the demise of TrueCrypt: "TrueCrypt may live on after all as CipherShed." The CipherShed group never produced a product, however, and the CipherShed Web site no longer appeared to be operational sometime after October 2016. Another — working — fork of TrueCrypt is VeraCrypt, which is also open source, multi-platform, operationally identical to TrueCrypt, and compatible with TrueCrypt containers.

    One final editorial comment. TrueCrypt was not broken or otherwise compromised! It was withdrawn by its developers for reasons that have not yet been made public but there is no evidence to assume that TrueCrypt has been damaged in any way; on the contrary, two audits, completed in April 2014 and April 2015, found no evidence of backdoors or malicious code. See Steve Gibson's TrueCrypt: Final Release Repository page for more information!

    TrueCrypt uses a variety of encryption schemes, including AES, Serpent, and Twofish. A TrueCrypt volume is stored as a file that appears to be filled with random data, thus has no specific file signature. (It is true that a TrueCrypt container will pass a chi-square (Χ2) randomness test, but that is merely a general indicator of possibly encrypted content. An additional clue is that a TrueCrypt container will also appear on a disk as a file that is some increment of 512 bytes in size. While these indicators might raise a red flag, they don't rise to the level of clearly indentifying a TrueCrypt volume.)

    When a user creates a TrueCrypt volume, a number of parameters need to be defined, such as the size of the volume and the password. To access the volume, the TrueCrypt program is employed to find the TrueCrypt encrypted file, which is then mounted as a new drive on the host system.



    FIGURE 21: TrueCrypt screen shot (Windows).



    FIGURE 22: TrueCrypt screen shot (MacOS).


    Consider this example where an encrypted TrueCrypt volume is stored as a file named James on a thumb drive. On a Windows system, this thumb drive has been mounted as device E:. If one were to view the E: device, any number of files might be found. The TrueCrypt application is used to mount the TrueCrypt file; in this case, the user has chosen to mount the TrueCrypt volume as device K: (Figure 21). Alternatively, the thumb drive could be used with a Mac system, where it has been mounted as the /Volumes/JIMMY volume. TrueCrypt mounts the encrypted file, James, and it is now accessible to the system (Figure 22).



    FIGURE 23: TrueCrypt hidden encrypted volume within an encrypted volume.
    (From http://www.truecrypt.org/images/docs/hidden-volume.gif)


    One of the most interesting — certainly one of the most controversial — features of TrueCrypt is called plausible deniability, protection in case a user is "compelled" to turn over the encrypted volume's password. When the user creates a TrueCrypt volume, he/she chooses whether to create a standard or hidden volume. A standard volume has a single password, while a hidden volume is created within a standard volume and uses a second password. As shown in Figure 23, the unallocated (free) space in a TrueCrypt volume is always filled with random data, thus it is impossible to differentiate a hidden encrypted volume from a standard volume's free space.

    To access the hidden volume, the file is mounted as shown above and the user enters the hidden volume's password. When under duress, the user would merely enter the password of the standard (i.e., non-hidden) TrueCrypt volume.

    More information about TrueCrypt can be found at the TCnext Web Site or in the TrueCrypt User's Guide (v7.1a).

    An active area of research in the digital forensics community is to find methods with which to detect hidden TrueCrypt volumes. Most of the methods do not detect the presence of a hidden volume, per se, but infer the presence by forensic remnants left over. As an example, both Mac and Windows system usually have a file or registry entry somewhere containing a cached list of the names of mounted volumes. This list would, naturally, include the name of TrueCrypt volumes, both standard and hidden. If the user gives a name to the hidden volume, it would appear in such a list. If an investigator were somehow able to determine that there were two TrueCrypt volume names but only one TrueCrypt device, the inference would be that there was a hidden volume. A good summary paper that also describes ways to infer the presence of hidden volumes — at least on some Windows systems — can be found in "Detecting Hidden Encrypted Volumes" (Hargreaves & Chivers).

    Having nothing to do with TrueCrypt, but having something to do with plausible deniability and devious crypto schemes, is a new approach to holding password cracking at bay dubbed Honey Encryption. With most of today's crypto systems, decrypting with a wrong key produces digital gibberish while a correct key produces something recognizable, making it easy to know when a correct key has been found. Honey Encryption produces fake data that resembles real data for every key that is attempted, making it significantly harder for an attacker to determine whether they have the correct key or not; thus, if an attacker has a credit card file and tries thousands of keys to crack it, they will obtain thousands of possibly legitimate credit card numbers. See "'Honey Encryption' Will Bamboozle Attackers with Fake Secrets" (Simonite) for some general information or "Honey Encryption: Security Beyond the Brute-Force Bound" (Juels & Ristenpart) for a detailed paper.

    5.12. Encrypting File System (EFS)

    Microsoft introduced the Encrypting File System (EFS) into the NTFS v3.0 file system and has supported EFS since Windows 2000 and XP (although EFS is not supported in all variations of all Windows OSes). EFS can be used to encrypt individual files, directories, or entire volumes. While off by default, EFS encryption can be easily enabled via File Explorer (aka Windows Explorer) by right-clicking on the file, directory, or volume to be encrypted, selecting Properties, Advanced, and Encrypt contents to secure data (Figure 24). Note that encrypted files and directories are displayed in green in Windows Explorer.



    FIGURE 24: EFS and Windows (File) Explorer.


    The Windows command prompt provides an easy tool with which to detect EFS-encrypted files on a disk. The cipher command has a number of options, but the /u/n switches can be used to list all encrypted files on a drive (Figure 25).



    FIGURE 25: The cipher command.


    EFS supports a variety of secret key encryption schemes, including DES, DESX, and AES, as well as RSA public key encryption. The operation of EFS — at least at the theoretical level — is clever and simple.

    When a file is saved to disk:

    • A random File Encryption Key (FEK) is generated by the operating system.
    • The file contents are encrypted using one of the SKC schemes and the FEK.
    • The FEK is stored with the file, encrypted with the user's RSA public key. In addition, the FEK is encrypted with the RSA public key of any other authorized users and, optionally, a recovery agent's RSA public key.

    When the file is opened:

    • The FEK is recovered using the RSA private key of the user, other authorized user, or the recovery agent.
    • The FEK is used to decrypt the file's contents.

    There are weaknesses with the system, most of which are related to key management. As an example, the RSA private key can be stored on an external device such as a floppy disk (yes, really!), thumb drive, or smart card. In practice, however, this is rarely done; the user's private RSA key is often stored on the hard drive. In addition, early EFS implementations (prior to Windows XP SP2) tied the key to the username; later implementations employ the user's password.

    A more serious implementation issue is that a backup file named esf0.tmp is created prior to a file being encrypted. After the encryption operation, the backup file is deleted — not wiped — leaving an unencrypted version of the file available to be undeleted. For this reason, it is best to use encrypted directories because the temporary backup file is protected by being in an encrypted directory.



    FIGURE 26: EFS key storage. (Source: NTFS.com)


    The EFS information is stored as a named stream in the $LOGGED_UTILITY_STREAM Attribute (attribute type 256 [0x100]). This information includes (Figure 26):

    • A Data Decryption Field (DDF) for every user authorized to decrypt the file, containing the user's Security Identifier (SID), the FEK encrypted with the user's RSA public key, and other information.
    • A Data Recovery Field (DRF) with the encrypted FEK for every method of data recovery

    Files in an NTFS file system maintain a number of attributes that contain the system metadata (e.g., the $STANDARD_INFORMATION attribute maintains the file timestamps and the $FILE_NAME attribute contains the file name). Files encrypted with EFS store the keys, as stated above, in a data stream named $EFS within the $LOGGED_UTILITY_STREAM attribute. Figure 27 shows the partial contents of the Master File Table (MFT) attributes for an EFS encrypted file.


    Master File Table (MFT) Parser V1.4 - Gary C. Kessler (7 June 2012) : : 0056-0059 Attribute type: 0x10-00-00-00 [$STANDARD_INFORMATION] 0060-0063 Attribute length: 0x60-00-00-00 [96 bytes] 0064 Non-resident flag: 0x00 [Attribute is resident] : : 0152-0155 Attribute type: 0x30-00-00-00 [$FILE_NAME] 0156-0159 Attribute length: 0x78-00-00-00 [120 bytes] 0160 Non-resident flag: 0x00 [Attribute is resident] : : 0392-0395 Attribute type: 0x40-00-00-00 [$VOLUME_VERSION/$OBJECT_ID] 0396-0399 Attribute length: 0x28-00-00-00 [40 bytes] 0400 Non-resident flag: 0x00 [Attribute is resident] : : 0432-0435 Attribute type: 0x80-00-00-00 [$DATA] 0436-0439 Attribute length: 0x48-00-00-00 [72 bytes] 0440 Non-resident flag: 0x01 [Attribute is non-resident] : : 0504-0507 Attribute type: 0x00-01-00-00 [$LOGGED_UTILITY_STREAM] 0508-0511 Attribute length: 0x50-00-2E-00 [80 bytes (ignore two high-order bytes)] 0512 Non-resident flag: 0x01 [Attribute is non-resident] : 0568-0575 Name: 0x24-00-45-00-46-00-53-00 [$EFS]

    FIGURE 27: The $LOGGED_UTILITY_STREAM Attribute.


    5.13. Some of the Finer Details of RC4

    RC4 is a variable key-sized stream cipher developed by Ron Rivest in 1987. RC4 works in output-feedback (OFB) mode, so that the key stream is independent of the plaintext. The algorithm is described in detail in Schneier's Applied Cryptography, 2/e, pp. 397-398 and the Wikipedia RC4 article.

    RC4 employs an 8x8 substitution box (S-box). The S-box is initialized so that S[i] = i, for i=(0,255).

    A permutation of the S-box is then performed as a function of the key. The K array is a 256-byte structure that holds the key (possibly supplemented by an Initialization Vector), repeating itself as necessary so as to be 256 bytes in length (obviously, a longer key results in less repetition). NOTE: All arithmetic below is assumed to be on a per-byte basis and so is implied to be modulo 256.

       j = 0
       for i = 0 to 255
         j = j + S[i] + K[i]
         swap (S[i], S[j])

    Encryption and decryption are performed by XORing a byte of plaintext/ciphertext with a random byte from the S-box in order to produce the ciphertext/plaintext, as follows:

       Initialize i and j to zero

    For each byte of plaintext (or ciphertext):

       i = i + 1
       j = j + S[i]
       swap (S[i], S[j])
       z = S[i] + S[j]
       Decryption: plaintext [i] = S[z] XOR ciphertext [i]
       Encryption: ciphertext [i] = S[z] XOR plaintext [i]

    A Perl implementation of RC4 (fine for academic, but not production, purposes) can be found at http://www.garykessler.net/software/index.html#RC4. This program is an implementation of the CipherSaber version of RC4, which employs an initialization vector (IV). The CipherSaber IV is a 10-byte sequence of random numbers between the value of 0-255. The IV is placed in the first 10-bytes of the encrypted file and is appended to the user-supplied key (which, in turn, can only be up to 246 bytes in length).

    In 2014, Rivest and Schuldt developed a redesign of RC4 called Spritz. The main operation of Spritz is similar to the main operation of RC4, except that a new variable, w, is added:

       i = i + w
       j = k + S [j + S[i]]
       k = i + k + S[j]
       swap (S[i], S[j])
       z = (S[j + S[i + S[z+k]]]
       Decryption: plaintext [i] = S[z] XOR ciphertext [i]
       Encryption: ciphertext [i] = S[z] XOR plaintext [i]

    As seen above, RC4 has two pointers into the S-box, namely, i and j; Spritz adds a third pointer, k.

    Pointer i move slowly through the S-box; note that it is incremented by 1 in RC4 and by a constant, w, in Spritz. Spritz allows w to take on any odd value, ensuring that it is always relatively prime to 256. (In essence, RC4 sets w to a value of 1.)

    The other pointer(s) — j in RC4 or j and k in Spritz — move pseudorandomly through the S-box. Both ciphers have a single swap of entries in the S-box. Both also produce an output byte, z, as a function of the other parameters. Spritz, additionally, includes the previous value of z as part of the calculation of the new value of z.

    5.14. Challenge-Handshake Authentication Protocol (CHAP)

    CHAP, originally described in RFC 1994, and its variants (e.g., Microsoft's MS-CHAP) are authentication schemes that allow two parties to demonstrate knowledge of a shared secret without actually divulging that shared secret to a third party who might be eavesdropping.



    FIGURE 28: CHAP Handshake.


    The operation of CHAP is relatively straight-forward (Figure 28). Assume that the Client is logging on to a remote Server across the Internet. The Client needs to prove to the Server that it knows the password but doesn't want to reveal the password in any form that an eavesdropper can decrypt. In CHAP:

    1. The User sends the password (in plaintext) to the Server.
    2. The Server sends some random challenge string (i.e., some number of octets) to the User. Based upon the password and some algorithm, the User generates an encrypted response string (the same length as the challenge) and sends it to the Server.
    3. The Server looks up the User's password in it's database and, using the same algorithm, generates an expected response string.
    4. The Server compares its expected response to the actual response sent by the User. If the two match, the User is authenticated.

    Since the password is never revealed to a third-party, why can't we then just keep the same password forever? Note that CHAP is potentially vulnerable to a known plaintext attack; the challenge is plaintext and the response is encrypted using the password and a known CHAP algorithm. If an eavesdropper has enough challenge/response pairs, they might well be able to determine the password. Some other issues related to this form of authentication can be found in "Off-Path Hacking: The Illusion of Challenge-Response Authentication" (Gilad, Y., Herzberg, A., & Shulman, H., September-October 2014, IEEE Security & Privacy, 12(5), 68-77).

    5.15. Secure E-mail and S/MIME

    Electronic mail and messaging are the primary applications for which people use the Internet. Obviously, we want our e-mail to be secure; but, what exactly does that mean? And, how do we accomplish this task?

    There are a variety of ways to implement or access secure e-mail and cryptography is an essential component to the security of electronic mail. And, the good news is that we have already described all of the essential elements in the sections above. From a practical perspective, secure e-mail means that once a sender sends an e-mail message, it can only be read by the intended recipient(s). That can only accomplished if the encryption is end-to-end; i.e., the message must be encrypted before leaving the sender's computer and cannot be decrypted until it arrives at the recipient's system. But in addition to privacy, we also need the e-mail system to provide authentication, non-repudiation, and message integrity — all functions that are provided by a combination of hash functions, secret key crypto, and public key crypto. Secure e-mail services or software, then, usually provide two functions, namely, message signing and message encryption. Encryption, obviously, provides the secrecy; signing provides the rest.

    Figure 4, above, shows how the three different types of crypto schemes work together. For purposes of e-mail, however, it is useful to independently examine the functions of signing and encryption, if for no other reason than while secure e-mail applications and services can certainly sign and encrypt a message, they may also have the ability to sign a message without encrypting it or encrypt a message without signing it.




    FIGURE 29: Signing (top) and verifying (bottom) e-mail. (Source:
    https://technet.microsoft.com/en-us/library/aa995740(v=exchg.65).aspx)


    E-mail messages are signed for the purpose of authenticating the sender, providing a mechanism so that the sender cannot later disavow the message (i.e., non-repudiation), and proving message integrity — unless, of course, the sender claims that their key has been stolen. The steps of signing and verifying e-mail are shown in Figure 29. To sign a message:

    1. The sender's software examines the message body.
    2. Information about the sender is retrieved (e.g., the sender's private key).
    3. The signing operation (e.g., encrypting the hash of the message with the sender's private key) is performed.
    4. The Digital Signature is appended to the e-mail message.
    5. The signed e-mail message is sent.

    Verification of the signed message requires the receiver's software to perform the opposite steps as the sender's software. In short, the receiver extracts the sender's Digital Signature, calculates a digital signature based upon the sender's information (e.g., using the sender's public key), and compares the computed signature with the received signature; if they match, the message's signature is verified. Note that if there are multiple recipients of the message, each will perform the same steps to verify the signature because the verification is base upon the sender's information (compare this to decryption, described below).




    FIGURE 30: Encrypting (top) and decrypting (bottom) e-mail. (Source:
    https://technet.microsoft.com/en-us/library/aa995740(v=exchg.65).aspx)


    E-mail messages are encrypted for the purpose of privacy, secrecy, confidentiality — whatever term you wish to use to indicate that the message is supposed to be a secret between sender and receiver. The steps of encrypting and decrypting e-mail are shown in Figure 30. To encrypt a message:

    1. The sender's software examines the message body.
    2. The sender's software pulls out specific information about the recipient...
    3. ... and the encryption operation is performed.
    4. The encrypted message replaces the original plaintext e-mail message.
    5. The encrypted e-mail message is sent.

    Note that if the message has multiple recipients, the encryption step will yield different results because the encryption step is dependent upon the recipient's information (e.g., their public key). One application might choose to send a different encrypted message to each recipient; another might send the same encrypted message to each recipient, but encrypt the decryption key differently for each recipient (note further that this latter approach might allow a recipient to perform a known plaintext attack against the other recipients; each recipient knows the decryption key for the message and also sees the key encrypted with the recipient's information). In any case, recipient-specific information (e.g., their private key) must be used in order to decrypt the message and the decryption steps performed by the recipient are essentially the opposite of those performed by the sender.

    This discussion, so far, has been a little vague because different applications will act is different ways but, indeed, are performing very similar generic steps. There are two primary ways for a user to get send and receive secure e-mail, namely, to employ some sort of Web-based e-mail service or employ a secure e-mail client.

    If the reader is interested in using a Web-based secure e-mail service, you have only to do an Internet search to find many such services. All have slightly different twists to them, but here are a few representative free and commercial options:

    • 4SecureMail: Web-based e-mail service using 128-bit SSL between client and server; also supports many e-mail clients and mobile apps. Anonymous headers are "virtually untraceable." Non-4SecureMail recipients are notified by e-mail of waiting secure message which can be downloaded via browser; authenticity of the message is via the user's registered WaterMark (Figure 31).

    • CounterMail: Online, end-to-end e-mail service based upon OpenPGP. Multi-platform support, including Android. Has a USB key option, requiring use of a hardware dongle in order to retrieve mail.

    • Hushmail: Web- or client-based, end-to-end encrypted email based upon OpenPGP. Multi-platform support, including iPhone. Can send secure e-mail to non-Hushmail user by employing a shared password.

    • Kolab Now: Web-based secure e-mail service provider although it does not perform server-side e-mail encryption; they recommend that users employ a true end-to-end e-mail encryption solution. Data is stored on servers exclusively located in Switzerland and complies with the strict privacy laws of that country.

    • ProtonMail: End-to-end secure e-mail service using AES and OpenPGP, also located in Switzerland. Does not log users' IP addresses, thus provides an anonymous service. Multi-platform support, plus Android and iOS.

    • Tutanota: Web-, Android-, or iOS-based end-to-end secure e-mail service.



    FIGURE 31: E-mail message to non-4SecureMail user.


    The alternative to using a Web-based solution is to employ a secure e-mail client or, at least, a client that supports secure e-mail. Using host-based client software ensures end-to-end security — as long as the mechanisms are used correctly. There are no lack of clients that support secure mechanisms; Apple Mail, Microsoft Outlook, and Mozilla Thunderbird, for example, all have native support for S/MIME and have plug-ins that support OpenPGP/GPG (see Section 5.5 for additional information on the signing and encryption capabilities of PGP).

    The Secure Multipurpose Internet Mail Extensions (S/MIME) protocol is an IETF standard for use of public key-based encryption and signing of e-mail. S/MIME is actually a series of extensions to the MIME protocol, adding digital signature and encryption capability to MIME messages (which, in this context, refers to e-mail messages and attachments). S/MIME is based upon the original IETF MIME specifications and RSA's PKCS #7 secure message format, although it is now an IETF specification defined primarily in four RFCs:

    • RFC 3369: Cryptographic Message Syntax (CMS) (based upon PKCS #7) — Describes the syntax (format) used to digitally sign, digest, authenticate, or encrypt any type of message content, the rules for encapsulation, and an architecture for certificate-based key management.
    • RFC 3370: Cryptographic Message Syntax (CMS) Algorithms — Describes the use of common crypto algorithms to support the CMS, such as those for message digests (e.g., MD5 and SHA-1), signatures (e.g., DSA and RSA), key management, and content encryption (e.g., RC2 and 3DES).
    • RFC 3850: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling — Specifies how S/MIME agents use the Internet X.509 Public Key Infrastructure (PKIX) and X.509 certificates to send and receive secure MIME messages. (See Section 4.3 for additional information about X.509 certificates.)
    • RFC 3851: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification — Describes the "secure" part of the S/MIME protocol, add digital signature and encryption services to MIME. The MIME standard specifies the general structure for different content types within Internet messages; this RFC specifies cryptographically-enhanced MIME body parts.

    A quite good overview of the protocol can be found in a Microsoft TechNet article titled "Understanding S/MIME."


    Content-Type: multipart/signed; boundary="Apple-Mail=_6293E5DF-2993-4264-A32B-01DD43AB4259"; protocol="application/pkcs7-signature"; micalg=sha1 --Apple-Mail=_6293E5DF-2993-4264-A32B-01DD43AB4259 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Hi Carol. What was that pithy Groucho Marx quote? /kess --Apple-Mail=_6293E5DF-2993-4264-A32B-01DD43AB4259 Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJ9TCCBK8w ggOXoAMCAQICEQDgI8sVEoNTia1hbnpUZ2shMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNVBAYTAlNF MRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5l dHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3QwHhcNMTQxMjIyMDAwMDAw WhcNMjAwNTMwMTA0ODM4WjCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hl c3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNV BAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWls IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAibEN2npTGU5wUh28VqYGJre4SeCW 51Gr8fBaE0kVo7SMG2C8elFCp3mMpCLfF2FOkdV2IwoU00oCf7YdCYBupQQ92bq7Fv6hh6kuQ1JD FnyvMlDIpk9a6QjYz5MlnHuI6DBk5qT4VoD9KiQUMxeZrETlaYujRgZLwjPU6UCfBrCxrJNAubUI kzqcKlOjENs9IGE8VQOO2U52JQIhKfqjfHF2T+7hX4Hp+1SA28N7NVK3hN4iPSwwLTF/Wb1SN7Az aS1D6/rWpfGXd2dRjNnuJ+u8pQc4doykqTj/34z1A6xJvsr3c5k6DzKrnJU6Ez0ORjpXdGFQvsZA P8vk4p+iIQIDAQABo4IBFzCCARMwHwYDVR0jBBgwFoAUrb2YejS0Jvf6xCZU7wO94CTLVBowHQYD VR0OBBYEFJJha4LhoqCqT+xn8cKj97SAAMHsMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAG AQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAw RAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJu YWxDQVJvb3QuY3JsMDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNl cnRydXN0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAGypurFXBOquIxdjtzVXzqmthK8AJECOZD8Vm am+x9bS1d14PAmEA330F/hKzpICAAPz7HVtqcgIKQbwFusFY1SbC6tVNhPv+gpjPWBvjImOcUvi7 BTarfVil3qs7Y+Xa1XPv7OD7e+Kj//BCI5zKto1NPuRLGAOyqC3U2LtCS5BphRDbpjc06HvgARCl nMo6x59PiDRuimXQGoq7qdzKyjbR9PzCZCk1r9axp3ER0gNDsY8+muyeMlP0dpLKhjQHuSzK5hxK 2JkNwYbikJL7WkJqIyEQ6WXH9dW7fuqMhSACYurROgcsWcWZM/I4ieW26RZ6H3kU9koQGib6fIr7 mzCCBT4wggQmoAMCAQICEQDvRS7kXtfrf7+LzZ7ZrvObMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD VQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRow GAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UEAxM4Q09NT0RPIFNIQS0yNTYgQ2xpZW50 IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwHhcNMTcwMTAxMDAwMDAwWhcNMTgw MTAxMjM1OTU5WjAkMSIwIAYJKoZIhvcNAQkBFhNnY2tAZ2FyeWtlc3NsZXIubmV0MIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ql2BQ6RbvG/9L4qGN7x9v3ieA5YFu0NKGF91J4ujNT5 upPhZl0K2u5Oa7Zj1WEf+1Jq+D7oj4px7C8nkJfJAyUVgZ9DfHysEliF4l4xSsVMwNUuAoWIYpfe iGKEL/X9U323yv2NNxkMTfiZ3WWsETNL43zzNwRGnu7hZmqpQsbNaIfhEXvC5BVZXv/B38jrq/v+ 6szdcvnjbhC+gkaaxNlj7xvJiVom0RESIqwwSkVNcn2KFu/Uja6NMzVApbkwwJfmTgEHm8jgiIEc +CHkeqkWF3u3HdE8a2xn8Xeg6IKlekZCtnEPwURF/IwWYq4BPdYKZIBkp9QQ5yr7KL4BVwIDAQAB o4IB8TCCAe0wHwYDVR0jBBgwFoAUkmFrguGioKpP7GfxwqP3tIAAwewwHQYDVR0OBBYEFJW+t4wQ BPSM0gdWl+x1+F76ThzAMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcG CCsGAQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAwRgYDVR0gBD8wPTA7Bgwr BgEEAbIxAQIBAQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLm5ldC9DUFMw XQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xp ZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNybDCBkAYIKwYBBQUHAQEEgYMwgYAw WAYIKwYBBQUHMAKGTGh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1NIQTI1NkNsaWVudEF1 dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw LmNvbW9kb2NhLmNvbTAeBgNVHREEFzAVgRNnY2tAZ2FyeWtlc3NsZXIubmV0MA0GCSqGSIb3DQEB CwUAA4IBAQAeZNE03prooHZKvzjDUbVFGfiX+pTPJxQjruFazJOK7iHd3PaadSlqBiyMJgazDBYY hvsjzrM0p9KV5z6pTyA8aWczvNTq+MgDymTPpCYOG6GSUHFIWok+iv/MVrJ/zhOgk81n9MuHe02t XYtg5r9UbEXpIOfhNt5ziMo9r37uHKl+kF+y5fF4YHyVcmlFGg0gzpOSdpvMdFWfpKm03jvpBITQ WDMrQ2vJs4vQUq0Qh+13cbOMc4cPHAAz+YXtcR2IiUPDDEfAPcgDSYfYeQlNHiGYVqWA9xGL9cDQ iyB1zp5TERWIfv2BnNdodupn+8LtoIX/cOJLyf16F8Lp1xBzMYIDxjCCA8ICAQEwgbEwgZsxCzAJ BgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx GjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGll bnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAO9FLuRe1+t/v4vNntmu85sw CQYFKw4DAhoFAKCCAekwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN MTcwMTAxMTgwNDIwWjAjBgkqhkiG9w0BCQQxFgQUrhgwhfaU8cFbOsDvQEcl78xWH2wwgcIGCSsG AQQBgjcQBDGBtDCBsTCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3Rl cjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMT OENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENB AhEA70Uu5F7X63+/i82e2a7zmzCBxAYLKoZIhvcNAQkQAgsxgbSggbEwgZsxCzAJBgNVBAYTAkdC MRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoT EUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVu dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAO9FLuRe1+t/v4vNntmu85swDQYJKoZIhvcN AQEBBQAEggEAi3e2rGbbeg0pkV1oaPVU/90jYkcqt3tYGNf5cDgySklQQARxuXhPpIroLLEKexrM m96Z5jB+c2Lo2LIZG9O7gFQkDF3wqU5YOB5m1PmTdQXaYjhttIKGAHHQs1vW0fhAXHIBRBI0d3j9 wK9svbxG7XwxDwZ9ED/tv4dbI9gyktbl6ppczAEC6+JoTGdLLPtEI9XgME9ZBh3ykXa87o46MgdQ FCTp5J2z1BMeP9B7FENvN9D+fi297HjCTFZoxKopoLQ92/Cud2w85+s6JbgeWlqAdNgAp4c24bxW Winw3N7LukDaWB1KdkfWKMsP2bJXF9uIDoPYTjvb2VO4kVEaBwAAAAAAAA== --Apple-Mail=_6293E5DF-2993-4264-A32B-01DD43AB4259--

    FIGURE 32: Sample multipart/signed message.


    Figure 32 shows a sample signed message using S/MIME. The first few lines indicate that this is a multipart signed message using the PKCS #7 signature protocol and, in this case, the SHA-1 hash. The two text lines following the first --Apple-Mail=... indicate that the message is in plaintext followed by the actual message. The next block indicates use of S/MIME where the signature block is in an attached file (the .p7s extension indicates that this is a signed-only message), encoded using BASE64.


    Content-Type: application/pkcs7-mime; name=smime.p7m; smime-type=enveloped-data Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHA6CAMIACAQAxggHOMIIBygIBADCBsTCBmzELMAkGA1UEBhMCR0IxGzAZBgNV BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNhdGlv biBhbmQgU2VjdXJlIEVtYWlsIENBAhEA70Uu5F7X63+/i82e2a7zmzANBgkqhkiG9w0BAQEFAASC AQAbKAO7BoEKgZ9e/C837YpZYzspGdLbiMnRPmz3p2v+8H9DgPcOzMAjwdvT94el3hguke/Dn4LK L4/Un9ZbruoPzfps0Cxa8A+Acw2fVluYImKs0y3zCCOCQiKwW4IMWmS0HCvFTrHKGuGcWmpaFUv1 vTdFNPhQzF6jRJPv35GNtHWEFIRwqWFG1jOh/0uX0o3Cg8B1j/wwjTEkd0WU/DzYbe6nQSJzh7Kz 9guBAyfSVPZsLcvkd1ftP4vVrILnafKaFK9ls3al8dT5+oY7oTUHhem+oPMLcOnX0+ZZcqs97+oW HvQQy1lpofU8b/0Qt8lYZfAC5lMIOg6nMbmIUdjOMIAGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQI hd7YXnfGNOeggAQYdIYlsYppSpTleDWPMbopt2Zu7+umGjuHBAiuLupldkuMbwQYorVXhHJ3J6G3 0Rad+eC3vbpu4Ohtcz/rBBAhZ97y8YgLhmSJzXCSLh5UBAisFO1grQ/WgQQIpwnzeRUrRikEMMo/ qTMXMBaFFmGRHgSbVaNTJOcpk11kmrZbUWUdSWUZwQ3TSdvnyVUJUUf7gFs8eQQop2w/yLoGZGVY DJFpaCBEbgBZAXbWeducGiDR8lUYOPdwjSnfb96yBgQIN2WZZMiZ6x4ECMQJ5uftbc+dBAj/LNyO TGk4awAAAAAAAAAAAAA=

    FIGURE 33: Sample S/MIME encrypted message.


    Figure 33 shows a sample encrypted message, carried as an S/MIME enveloped data attachment (.p7m) file, also formatted in BASE64. S/MIME can also attach certificate management messages (.p7c) and compressed data (.p7z). Many more S/MIME sample messages can be found in RFC 4134 ("Examples of S/MIME Messages").



    FIGURE 34: Sample S/MIME certificate.


    S/MIME is a powerful mechanism and is widely supported by many e-mail clients. To use your e-mail client's S/MIME functionality, you will need to have an S/MIME certificate (Figure 34). Several sites provide free S/MIME certificates for personal use, such as Instant SSL (Comodo), Secorio, and StartSSL (StartCom); commercial-grade S/MIME certificates are available from many other CAs. (NOTE: If these sites install your S/MIME certificate to your browser, you might need to export [backup] the certificate and import it so it can be seen by your e-mail application.)

    Do note that S/MIME is not necessarily well-suited for use with Web-based e-mail services. First off, S/MIME is designed for true end-to-end (i.e., client-to-client) encryption and Web mail services provide server-to-server or server-to-client encryption. Second, while S/MIME functionality could be built into browsers, the end-to-end security offered by S/MIME requires that the private key be accessible only to the end-user and not to the Web server. Finally, end-to-end encryption makes it impossible for a third-party to scan e-mail for viruses and other malware, thus obviating one of the advantages of using a Web-based e-mail service in the first place.

    6. CONCLUSION AND SOAP BOX

    This paper has briefly (!?) described how digital cryptography works. The reader must beware, however, that there are a number of ways to attack every one of these systems; cryptanalysis and attacks on cryptosystems, however, are well beyond the scope of this paper. In the words of Sherlock Holmes (ok, Arthur Conan Doyle, really), "What one man can invent, another can discover" ("The Adventure of the Dancing Men").

    There are a lot of topics that have been discussed above that will be big issues going forward in cryptography. As compute power increases, attackers can go after bigger keys and local devices can process more complex algorithms. Some of these issues include the size of public keys, the ability to forge public key certificates, which hash function(s) to use, and the trust that we will have in random number generators. Interested readers should check out "Recent Parables in Cryptography" (Orman, H., January/February 2014, IEEE Internet Computing, 18(1), 82-86).

    Cryptography is a particularly interesting field because of the amount of work that is, by necessity, done in secret. The irony is that secrecy is not the key to the goodness of a cryptographic algorithm. Regardless of the mathematical theory behind an algorithm, the best algorithms are those that are well-known and well-documented because they are also well-tested and well-studied! In fact, time is the only true test of good cryptography; any cryptographic scheme that stays in use year after year is most likely a good one. The strength of cryptography lies in the choice (and management) of the keys; longer keys will resist attack better than shorter keys.

    The corollary to this is that consumers should run, not walk, away from any product that uses a proprietary cryptography scheme, ostensibly because the algorithm's secrecy is an advantage. The observation that a cryptosystem should be secure even if everything about the system — except the key — is known by your adversary has been a fundamental tenet of cryptography for over 125 years. It was first stated by Dutch linguist Auguste Kerckhoffs von Nieuwenhoff in his 1883 (yes, 1883) papers titled La Cryptographie militaire, and has therefore become known as "Kerckhoffs' Principle."

    Getting a new crypto scheme accepted, marketed, and, commercially viable is a hard problem particularly if someone wants to make money off of the invention of a "new, unbreakable" methodology. Many people want to sell their new algorithm and, therefore, don't want to expose the scheme to the public for fear that their idea will be stolen. I observe that, consistent with Kerckhoffs' Principle, this approach is doomed to fail. A company won't invest in a secret scheme because there's no need; one has to demonstrate that their algorithm is better and stronger than what is currently available before someone else will invest time and money to explore an unknown promise. Regardless, I would also suggest that the way to make money in crypto is in the packaging — how does the algorithm fit into user applications and how easy is it for users to use? Check out a wonderful paper about crypto usability, titled "Why Johnny Can't Encrypt" (Whitten, A., & Tygar, J.D., 1999, Proceedings of the 8th USENIX Security Symposium, August 23-36, 1999, Washington, D.C., pp. 169-184.).

    As a slight aside, another way that people try to prove that their new crypto scheme is a good one without revealing the mathematics behind it is to provide a public challenge where the author encrypts a message and promises to pay a sum of money to the first person — if any — who cracks the message. Ostensibly, if the message is not decoded, then the algorithm must be unbreakable. As an example, back in 2011, a ,000 challenge page for a new crypto scheme called DioCipher was posted and scheduled to expire on 1 January 2013 — which it did. That was the last that I heard of DioCipher. I leave it to the reader to consider the validity and usefulness of the public challenge process.


    7. REFERENCES AND FURTHER READING

    • Bamford, J. (1983). The Puzzle Palace: Inside the National Security Agency, America's most secret intelligence organization. New York: Penguin Books.
    • Bamford, J. (2001). Body of Secrets : Anatomy of the Ultra-Secret National Security Agency from the Cold War Through the Dawn of a New Century. New York: Doubleday.
    • Barr, T.H. (2002). Invitation to Cryptology. Upper Saddle River, NJ: Prentice Hall.
    • Basin, D., Cremers, C., Miyazaki, K., Radomirovic, S., & Watanabe, D. (2015, May/June). Improving the Security of Cryptographic Protocol Standards. IEEE Security & Privacy, 13(3), 24:31.
    • Bauer, F.L. (2002). Decrypted Secrets: Methods and Maxims of Cryptology, 2nd ed. New York: Springer Verlag.
    • Belfield, R. (2007). The Six Unsolved Ciphers: Inside the Mysterious Codes That Have Confounded the World's Greatest Cryptographers. Berkeley, CA: Ulysses Press.
    • Denning, D.E. (1982). Cryptography and Data Security. Reading, MA: Addison-Wesley.
    • Diffie, W., & Landau, S. (1998). Privacy on the Line. Boston: MIT Press.
    • Electronic Frontier Foundation. (1998). Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. Sebastopol, CA: O'Reilly & Associates.
    • Esslinger, B., & the CrypTool Team. (2017, January 21). The CrypTool Book: Learning and Experiencing Cryptography with CrypTool and SageMath, 12th ed. CrypTool Project. Retrieved from https://www.cryptool.org/images/ctp/documents/CT-Book-en.pdf
    • Federal Information Processing Standards (FIPS) 140-2. (2001, May 25). Security Requirements for Cryptographic Modules. Gaithersburg, MD: National Intitute of Standards and Technology (NIST). Retrieved from http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
    • Ferguson, N., & Schneier, B. (2003). Practical Cryptography. New York: John Wiley & Sons.
    • Ferguson, N., Schneier, B., & Kohno, T. (2010). Cryptography Engineering: Design Principles and Practical Applications. New York: John Wiley & Sons.
    • Flannery, S. with Flannery, D. (2001). In Code: A Mathematical Journey. New York: Workman Publishing Company.
    • Ford, W., & Baum, M.S. (2001). Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption, 2nd ed. Englewood Cliffs, NJ: Prentice Hall.
    • Garfinkel, S. (1995). PGP: Pretty Good Privacy. Sebastopol, CA: O'Reilly & Associates.
    • Grant, G.L. (1997). Understanding Digital Signatures: Establishing Trust over the Internet and Other Networks. New York: Computing McGraw-Hill.
    • Grabbe, J.O. (1997, October 10). Cryptography and Number Theory for Digital Cash. Retrieved from http://www-swiss.ai.mit.edu/6.805/articles/money/cryptnum.htm
    • Kahn, D. (1983). Kahn on Codes: Secrets of the New Cryptology. New York: Macmillan.
    • Kahn, D. (1996). The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, revised ed. New York: Scribner.
    • Kaufman, C., Perlman, R., & Speciner, M. (1995). Network Security: Private Communication in a Public World. Englewood Cliffs, NJ): Prentice Hall.
    • Koblitz, N. (1994). A Course in Number Theory and Cryptography, 2nd ed. New York: Springer-Verlag.
    • Levy, S. (1999, April). The Open Secret. WIRED Magazine, 7(4). Retrieved from http://www.wired.com/wired/archive/7.04/crypto.html
    • Levy, S. (2001). Crypto: When the Code Rebels Beat the Government — Saving Privacy in the Digital Age. New York: Viking Press.
    • Mao, W. (2004). Modern Cryptography: Theory & Practice. Upper Saddle River, NJ: Prentice Hall Professional Technical Reference.
    • Marks, L. (1998). Between Silk and Cyanide: A Codemaker's War, 1941-1945. New York: The Free Press (Simon & Schuster).
    • Schneier, B. (1996). Applied Cryptography, 2nd ed. New York: John Wiley & Sons.
    • Schneier, B. (2000). Secrets & Lies: Digital Security in a Networked World. New York: John Wiley & Sons.
    • Simion, E. (2015, January/February). The Relevance of Statistical Tests in Cryptography. IEEE Security & Privacy, 13(1), 66:70.
    • Singh, S. (1999). The Code Book: The Evolution of Secrecy from Mary Queen of Scots to Quantum Cryptography. New York: Doubleday.
    • Smart, N. (2014). Cryptography: An Introduction, 3rd ed. Retrieved from https://www.cs.umd.edu/waa/414-F11/IntroToCrypto.pdf
    • Smith, L.D. (1943). Cryptography: The Science of Secret Writing. New York: Dover Publications.
    • Spillman, R.J. (2005). Classical and Contemporary Cryptology. Upper Saddle River, NJ: Pearson Prentice-Hall.
    • Stallings, W. (2006). Cryptography and Network Security: Principles and Practice, 4th ed. Englewood Cliffs, NJ: Prentice Hall.
    • Trappe, W., & Washington, L.C. (2006). Introduction to Cryptography with Coding Theory, 2nd ed. Upper Saddle River, NJ: Pearson Prentice Hall.
    • Young, A., & Yung, M. (2004). Malicious Cryptography: Exposing Cryptovirology. New York: John Wiley & Sons.
    • On the Web:
      • Bob Lord's Online Crypto Museum
      • Crypto Museum
      • Crypto-Gram Newsletter
      • Cypherpunk -- A history
      • Internet Engineering Task Force (IETF) Security Area
        • An Open Specification for Pretty Good Privacy (openpgp)
        • Common Authentication Technology (cat)
        • IP Security Protocol (ipsec)
        • One Time Password Authentication (otp)
        • Public Key Infrastructure (X.509) (pkix)
        • S/MIME Mail Security (smime)
        • Simple Public Key Infrastructure (spki)
        • Transport Layer Security (tls)
        • Web Transaction Security (wts)
        • Web Security (websec)
        • XML Digital Signatures (xmldsig)
      • Kerberos: The Network Authentication Protocol (MIT)
      • The MIT Kerberos & Internet trust (MIT-KIT) Consortium (MIT)
      • Peter Gutman's godzilla crypto tutorial
      • Pretty Good Privacy (PGP):
        • The GNU Privacy Guard (GPG)
        • GPGTools
        • The International PGP Home Page
        • The OpenPGP Alliance
      • RSA's Cryptography FAQ (v4.1, 2000)
      • Interspersed in RSA's Public Key Cryptography Standards (PKCS) pages are a very good set of chapters about cryptography.
      • Ron Rivest's "Cryptography and Security" Page
      • "List of Cryptographers" from U.C. Berkeley

    • Software:
      • Wei Dai's Crypto++, a free C++ class library of cryptographic primitives
      • Peter Gutman's cryptlib security toolkit
      • A Perl implementation of RC4 (for academic but not production purposes) can be found at http://www.garykessler.net/software/index.html#RC4.
      • A Perl program to decode Cisco type 7 passwords can be found at http://www.garykessler.net/software/index.html#cisco7.
      • The Rijndael page

    And for a purely enjoyable fiction book that combines cryptography and history, check out Neal Stephenson's Crytonomicon (published May 1999). You will also find in it a new secure crypto scheme based upon an ordinary deck of cards (ok, you need the jokers...) called the Solitaire Encryption Algorithm, developed by Bruce Schneier.

    Finally, I am not in the clothing business although I do have an impressive t-shirt collection (over 350 and counting!). I still proudly wear the DES (well, actually the IDEA) encryption algorithm t-shirt from 2600 Magazine which, sadly, appears to be no longer available (left). (It was always ironic to me that The Hacker Quarterly got the algorithm wrong but...) A t-shirt with Adam Back's RSA Perl code can be found at http://www.cypherspace.org/adam/uk-shirt.html (right).


    APPENDIX. SOME MATH NOTES

    A number of readers over time have asked for some rudimentary background on a few of the less well-known mathematical functions mentioned in this paper. Although this is purposely not a mathematical treatise, some of the math functions mentioned here are essential to grasping how modern crypto functions work. To that end, some of the mathematical functions mentioned in this paper are defined in greater detail below.

    A.1. The Exclusive-OR (XOR) Function

    Exclusive OR (XOR) is one of the fundamental mathematical operations used in cryptography (and many other applications). George Boole, a mathematician in the late 1800s, invented a new form of "algebra" that provides the basis for building electronic computers and microprocessor chips. Boole defined a bunch of primitive logical operations where there are one or two inputs and a single output depending upon the operation; the input and output are either TRUE or FALSE. The most elemental Boolean operations are:

    • NOT: The output value is the inverse of the input value (i.e., the output is TRUE if the input is false, FALSE if the input is true)
    • AND: The output is TRUE if all inputs are true, otherwise FALSE. (E.g., "the sky is blue AND the world is flat" is FALSE while "the sky is blue AND security is a process" is TRUE.)
    • OR: The output is TRUE if either or both inputs are true, otherwise FALSE. (E.g., "the sky is blue OR the world is flat" is TRUE and "the sky is blue OR security is a process" is TRUE.)
    • XOR (Exclusive OR): The output is TRUE if exactly one of the inputs is TRUE, otherwise FALSE. (E.g., "the sky is blue XOR the world is flat" is TRUE while "the sky is blue XOR security is a process" is FALSE.)

    I'll only discuss XOR for now and demonstrate its function by the use of a so-called truth tables. In computers, Boolean logic is implemented in logic gates; for design purposes, XOR has two inputs (black) and a single output (red), and its logic diagram looks like this:

    XOR Input #1
    0 1
    Input #2 0 0 1
    1 1 0

    So, in an XOR operation, the output will be a 1 if one input is a 1; otherwise, the output is 0. The real significance of this is to look at the "identity properties" of XOR. In particular, any value XORed with itself is 0 and any value XORed with 0 is just itself. Why does this matter? Well, if I take my plaintext and XOR it with a key, I get a jumble of bits. If I then take that jumble and XOR it with the same key, I return to the original plaintext.

    NOTE: Boolean truth tables usually show the inputs and output as a single bit because they are based on single bit inputs, namely, TRUE and FALSE. In addition, we tend to apply Boolean operations bit-by-bit. For convenience, I have created Boolean logic tables when operating on bytes.

    A.2. The modulo Function

    The modulo function is, simply, the remainder function. It is commonly used in programming and is critical to the operation of any mathematical function using digital computers.

    To calculate X modulo Y (usually written X mod Y), you merely determine the remainder after removing all multiples of Y from X. Clearly, the value X mod Y will be in the range from 0 to Y-1.

    Some examples should clear up any remaining confusion:

    • 15 mod 7 = 1
    • 25 mod 5 = 0
    • 33 mod 12 = 9
    • 203 mod 256 = 203

    Modulo arithmetic is useful in crypto because it allows us to set the size of an operation and be sure that we will never get numbers that are too large. This is an important consideration when using digital computers.

    A.3. Information Theory and Entropy

    Information theory is the formal study of reliable transmission of information in the least amount of space or, in the vernacular of information theory, the fewest symbols. For purposes of digital communication, a symbol can be a byte (i.e., an eight-bit octet) or an even smaller unit of transmission.

    The father of information theory is Bell Labs scientist and MIT professor Claude E. Shannon. His seminal paper, "A Mathematical Theory of Communication" (The Bell System Technical Journal, Vol. 27, pp. 379-423, 623-656, July, October, 1948), defined a field that has laid the mathematical foundation for so many things that we take for granted today, from data compression, data storage and communication, and quantum computing to language processing, plagiarism detection and other linguistic analysis, and statistical modeling. And, of course, cryptography — although crypto pre-dates information theory by nearly 2000 years.

    There are many everyday computer and communications applications that have been enabled by the formalization of information theory, such as:

    • Lossless data compression, where the compressed data is an exact replication of the uncompressed source (e.g., PKZip, GIF, PNG, and WAV).
    • Lossy data compression, where the compressed data can be used to reproduce the original uncompressed source within a certain threshold of accuracy (e.g., JPG and MP3).
    • Coding theory, which describes the impact of bandwidth and noise on the capacity of data communication channels from modems to Digital Subscriber Line (DSL) services, why a CD or DVD with scratches on the surface can still be read, and codes used in error-correcting memory chips and forward error-correcting satellite communication systems.

    One of the key concepts of information theory is that of entropy. In physics, entropy is a quantification of the disorder in a system; in information theory, entropy describes the uncertainty of a random variable or the randomness of an information symbol. As an example, consider a file that has been compressed using PKZip. The original file and the compressed file have the same information content but the smaller (i.e., compressed) file has more entropy because the content is stored in a smaller space (i.e., with fewer symbols) and each data unit has more randomness than in the uncompressed version. In fact, a perfect compression algorithm would result in compressed files with the maximum possible entropy; i.e., the files would contain the same number of 0s and 1s, and they would be distributed within the file in a totally unpredictable, random fashion.

    As another example, consider the entropy of passwords (this text is taken from my paper, "Passwords — Strengths And Weaknesses," citing an example from Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick & Bellovin [1994]):

    Most Unix systems limit passwords to eight characters in length, or 64 bits. But Unix only uses the seven significant bits of each character as the encryption key, reducing the key size to 56 bits. But even this is not as good as it might appear because the 128 possible combinations of seven bits per character are not equally likely; users usually do not use control characters or non-alphanumeric characters in their passwords. In fact, most users only use lowercase letters in their passwords (and some password systems are case-insensitive, in any case). The bottom line is that ordinary English text of 8 letters has an information content of about 2.3 bits per letter, yielding an 18.4-bit key length for an 8-letter passwords composed of English words. Many people choose names as a password and this yields an even lower information content of about 7.8 bits for the entire 8-letter name. As phrases get longer, each letter only adds about 1.2 to 1.5 bits of information, meaning that a 16-letter password using words from an English phrase only yields a 19- to 24-bit key, not nearly what we might otherwise expect.

    Encrypted files tend to have a great deal of randomness. This is why a compressed file can be encrypted but an encrypted file cannot be compressed; compression algorithms rely on redundancy and repetitive patterns in the source file and such syndromes do not appear in encrypted files.

    Randomness is such an integral characteristic of encrypted files that an entropy test is often the basis for searching for encrypted files. Not all highly randomized files are encrypted, but the more random the contents of a file, the more likely that the file is encrypted. As an example, AccessData's Forensic Toolkit (FTK), software widely used in the computer forensics field, uses the following tests to detect encrypted files:

    • Arithmetic Mean: Calculated by summing all of the bytes in a file and dividing by the file length; if random, the value should be 1.75.
    • Χ2 Error Percent: This distribution is calculated for a byte stream in a file; the value indicates how frequently a truly random number would exceed the calculated value.
    • Entropy: Describes the information density (per Shannon) of a file in bits/character; as entropy approaches 8, there is more randomness.
    • MCPI Error Percent: The Monte Carlo algorithm uses statistical techniques to approximate the value of π; a high error rate implies more randomness.
    • Serial Correlation Coefficient: Indicates the amount to which each byte is an e-mail relies on the previous byte. A value close to 0 indicates randomness.

    SIDEBAR: An 8-bit byte has 256 possible values. The entropy of a binary file can be calculated using the following formula:


    where n=256 and P(xi) is the probability of a byte in this file having the value i. A small Perl program to compute the entropy of a file can be found at entropy.zip.

    Given this need for randomness, how do we ensure that crypto algorithms produce random numbers for high levels of entropy? Computers use random number generators (RNGs) for myriad purposes but computers cannot actually generate truly random sequences but, rather, sequences that have mostly random characteristics. To this end, computers use pseudorandom number generator (PRNG), aka deterministic random number generator, algorithms. NIST has a series of documents (SP 800-90: Random Bit Generators) that address this very issue:

    • SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
    • Draft SP 800-90 B: Recommendation for the Entropy Sources Used for Random Bit Generation
    • Draft SP 800-90 C: Recommendation for Random Bit Generator (RBG) Constructions

    SIDEBAR: While the purpose of this document is to be tutorial in nature, I cannot totally ignore the disclosures of Edward Snowden in 2013 about NSA activities related to cryptography. One interesting set of disclosures is around deliberate weaknesses in the NIST PRNG standards at the behest of the NSA. NIST denies any such purposeful flaws but this will be evolving news over time. Interested readers might want to review "NSA encryption backdoor proof of concept published" (M. Lee) or "Dual_EC_DRBG backdoor: a proof of concept" (A. Adamantiadis).

    Along these lines, another perspective of the Snowden disclosures relates to the impact on the world's most confidential data and critical infrastructures if governments are able to access encrypted communications. In July 2015, 14 esteemed cryptographers and computer scientists released a paper continuing the debate around cryptography and privacy. The paper, titled "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications," argues that government access to individual users' encrypted information will ultimately yield significant flaws in larger systems and infrastructures. Also check out the N.Y. Times article, "Security Experts Oppose Government Access to Encrypted Communication" (N. Perlroth).

    Do not underestimate the importance of good random number generation to secure cryptography — and do not forget that an algorithm might be excellent but the implementation poor. Read, for example, "Millions of high-security crypto keys crippled by newly discovered flaw" (D. Goodin), which reported on a weakness in an RSA software library. Because RSA prime factorization arithmetic can be very complex on smart cards and other energy and memory constrained devices, the code for generating keys employed coding shortcuts. The result was that an attacker could calculate the private key from a vulnerable key-pair by only knowing the public key, which is totally anathema to the whole concept of public-key cryptography (i.e., the public key is supposed to be widely known without compromise of the private key). The vulnerability was due to the fact that the weakness was in the RNG and, therefore, a reduced level of randomness in the relationship between the private and public keys. This flaw, exposed in November 2017, had been present since at least 2012.

    For readers interested in learning more about information theory, see the following sites:

    • Wikipedia entry for Information Theory
    • A Short Course in Information Theory (Eight lectures by David J.C. MacKay)
    • Entropy and Information Theory by Gray (Revised 1st ed., 1991). In 2011, the second edition was published.

    Finally, it is important to note that information theory is an continually evolving field. There is an area of research essentially questioning the "power" of entropy in determining the strength of a cryptosystem. An interesting paper about this is "Brute force searching, the typical set and Guesswork" by Christiansen, Duffy, du Pin Calmon, & Médard (2013 IEEE International Symposium on Information Theory); a relatively non-technical overview of that paper can be found at "Encryption Not Backed by Math Anymore" by Hardesty (DFI News, 8/15/2013).

    A.4. Cryptography in the Pre-Computer Era

    This paper purposely focuses on cryptography terms, concepts, and schemes in current use and is not a treatise of the whole field. No mention is made here about pre-computerized crypto schemes, the difference between a substitution and transposition cipher, cryptanalysis, or other history, nor is there a lot of theory presented here. That said, the history and evolution of cryptography is really interesting and readers should check out some of the books in the References and Further Reading section below or some of the links in my crypto URLs page.

    There are also several excellent Web sites that provide detailed information about the history of cryptographic methods, such as:

    • Crypto Lab is a series of blog-like posts describing various encryption methods. The entire set of pages for offline viewing can be found at GitHub.

    • Crypto Programs is an online collection of more than 50 classical substitution and transposition encryption schemes.

    • The CrypTool Portal is designed to raise awareness about cryptography and contains a collection of free software with which to experiment with a variety of ciphers.

    • The Learn Cryptography Encryption page has a lot of information about classical and historic encryption methods, as well as pages about cryptanalysis, cryptocurrency, hash functions, and more.

    • The MultiWingSpan Ciphers page discusses a dozen or so manual encryption schemes as a setup to a series of programming assignments.

    • The Practical Cryptography Ciphers page provides history, math, and sample implementations of a couple dozen manual encryption codes. Other pages discuss cryptanalysis and hash functions.

    Finally, my software page contains a Perl program that implements several manual crypto schemes.


    ABOUT THE AUTHOR

    Gary C. Kessler, Ph.D., CCE, CISSP, is the president and janitor of Gary Kessler Associates, an independent consulting and training firm specializing in computer and network security, computer forensics, and TCP/IP networking. He has written over 75 papers, articles, and book chapters for industry publications, is co-author of ISDN, 4th. edition (McGraw-Hill, 1998), and is a past editor-in-chief of the Journal of Digital Forensics, Security and Law. Gary is also a Professor of Cybersecurity and chair of the Security Studies & International Affairs Dept. at Embry-Riddle Aeronautical University in Daytona Beach, Florida. He is a former-member of the Vermont Internet Crimes Against Children (ICAC) Task Force and currently works with the Hawaii and North Florida ICAC Task Forces, and is an Adjunct Professor at Edith Cowan University in Perth, Western Australia. Gary was formerly an Associate Professor and Program Director of the M.S. in Information Assurance program at Norwich University in Northfield, Vermont, and he started the M.S. in Digital Investigation Management and undergraduate Computer & Digital Forensics programs at Champlain College in Burlington, Vermont. Gary's e-mail address is and his PGP public key can be found at http://www.garykessler.net/pubkey.html or on MIT's PGP keyserver (import the latest key!). Some of Gary's other crypto pointers of interest on the Web can be found at his Security-related URLs list. Gary is also a SCUBA instructor and U.S. Coast Guard licensed captain.


    ACKNOWLEDGEMENTS

    This section was introduced late in the life of this paper and so I apologize to all of you who have made helpful comments that remain unacknowledged. If you did make comments that I adopted — from catching typographical or factual errors to suggesting a new resource or topic — and I have failed to recognize you, please remind me!

    Thanks are offered to Steve Bellovin, Sitaram Chamarty, Bernhard Esslinger (and his students at the University of Siegen, Germany, contributors to the CrypTool project), William R. Godwin, Hugh Macdonald, and Douglas P. McNutt.


188
Sitemap