World Library  
Flag as Inappropriate
Email this Article

Opportunistic encryption

Article Id: WHEBN0004299490
Reproduction Date:

Title: Opportunistic encryption  
Author: World Heritage Encyclopedia
Language: English
Subject: Obfuscated TCP, ZRTP, Tcpcrypt, Virtual private network, IPsec
Publisher: World Heritage Encyclopedia

Opportunistic encryption

Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

Opportunistic encryption can be used to combat passive wiretapping.[1] (An active wiretapper, on the other hand, can disrupt encryption negotiation to force an unencrypted channel.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most Internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.


The FreeS/WAN project was one of the early proponents of OE. Openswan has also been ported to the OpenWrt project.[2] Openswan uses DNS records to facilitate the key exchange between the systems.[1]

It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similar to OE for specific domains.[3]

Unix and unix-like systems

The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs which can also operate in OE mode using IPsec based technology. Obfuscated TCP is another method of implementing OE.

Windows OS

Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "IP Security Policies on Local Computer" and then editing the properties to assign the "(Request Security)" policy. This will turn on optional IPsec in a Kerberos environment.

In a non-Kerberos environment, a certificate from a Certificate Authority (CA) which is common to any system with which you communicate securely is required.

Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT Traversal (NAT-T) and is accomplished by adding a DWORD of 2 to the registry: HKLM\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule [4] Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit traffic to various domains and protocols to use encryption.


Opportunistic encryption can also be used for specific traffic like e-mail using the SMTP STARTTLS extension for relaying messages across the Internet, or the Internet Message Access Protocol (IMAP) STARTTLS extension for reading e-mail. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.

  • RFC 2595 Using TLS with IMAP, POP3 and ACAP
  • RFC 3207 SMTP Service Extension for Secure SMTP over TLS
  • STARTTLS and postfix
  • STARTTLS and Exchange

Many systems employ a variant with third-party add-ons to traditional email packages by first attempting to obtain an encryption key and if unsuccessful, then sending the email in the clear. PGP, Hushmail, and Ciphire, among others can all be set up to work in this mode.


Some Voice over IP (VoIP) solutions provide for painless encryption of voice traffic when possible. Some versions of the Sipura and Linksys lines of analog telephony adapters (ATA) include a hardware implementation of SRTP with the installation of a certificate from Voxilla, a VoIP information site. When the call is placed an attempt is made to use SRTP, if successful a series of tones are played into the handset, if not the call proceeds without using encryption. Skype and Amicima use only secure connections and Gizmo5 attempts a secure connection between its clients. Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP.[5] They have an implementation of it called Zfone whose source and compiled binaries are available.


For encrypting WWW/HTTP connections, typically HTTPS is used. This can also be used for opportunistic website encryption. Most browsers verify the webserver's identity to make sure that an SSL certificate is signed by a trusted certificate authority. The easiest way to enable opportunistic website encryption is by using self-signed certificates, but this causes browsers to display a warning each time the website is visited unless the user imports the website's certificate into their browser.

Browser extensions like HTTPS Everywhere and HTTPSfinder are available which find and automatically switch the connection to HTTPS when possible.

See also


  1. ^  
  2. ^ "IPSec Howto". OpenWrt Community wiki. Retrieved 2007-10-24. 
  3. ^ "Creating a Dynamic VPN". Archived from the original on 2007-09-28. Retrieved 2007-10-24. 
  4. ^ "L2TP/IPsec NAT-T update for Windows XP and Windows 2000".  
  5. ^ ZRTP: Extensions to RTP for Diffie-Hellman Key Agreement for SRTP

External links

  • Enabling Email Confidentiality through the use of Opportunistic Encryption by Simson Garfinkel of the MIT Laboratory for Computer Science, May 2003
  • Windows OE HOWTO
  • Windows KB article on NAT-T and DH2048
  • RFC 4322 - Opportunistic Encryption using the Internet Key Exchange (IKE)
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.