The main idea of opportunistic encryption is to deploy security gateways that will sit between the border of intranets (private networks) and the Internet. A gateway intercepts an outgoing packet aimed at a remote host, and attempts to negotiate an IPsec tunnel to that host's security gateway. If the attempt succeeds, traffic can then be secured transparently (without changes to the end-host software). If the attempt fails, packets are sent through in the clear or dropped, according to the local policy. Opportunistic encryption allows secure (encrypted, authenticated) communication via IPsec without connection-by-connection pair-wise pre-arrangement.
Our Opportunistic Encryption scheme for IPv6 relies on IPv6 Anycast, Authorization certificates and Crypto-Based Identifiers (CBID) to provide secure and easily deployable Opportunistic Encryption in IPv6.
Unlike existing schemes (e.g. FreeS/WAN), our proposal does not rely on any global Trusted Third Party (such as DNSSEC or a PKI). Hence, we claim it is more secure, easier to deploy and more robust.
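The gateway decision described above (intercept, try to negotiate a tunnel to the remote host's security gateway, otherwise apply the local clear-or-drop policy), as an added Python model that is not part of the OE-SPKI library or the original page. The `negotiate` callback standing in for the IKE exchange, the longest-prefix policy table and the drop-by-default rule for unmatched destinations are assumptions of this example.

```python
import ipaddress
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Fallback(Enum):
    CLEAR = "clear"  # forward the packet unprotected
    DROP = "drop"    # discard the packet


class OEGateway:
    """Forwarding decision of an opportunistic-encryption security gateway."""

    def __init__(self, policy: List[Tuple[str, Fallback]],
                 negotiate: Callable[[ipaddress.IPv6Address], Optional[str]]):
        # policy: (IPv6 prefix, fallback) pairs; the longest matching prefix wins.
        self.policy = [(ipaddress.ip_network(p), fb) for p, fb in policy]
        # negotiate(dst) stands in for the IPsec/IKE exchange with the remote
        # host's security gateway: returns that gateway's address, or None on failure.
        self.negotiate = negotiate
        self.tunnels: Dict[ipaddress.IPv6Address, str] = {}  # dst host -> remote gateway

    def fallback_for(self, dst: ipaddress.IPv6Address) -> Fallback:
        best = None
        for net, fb in self.policy:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, fb)
        # Assumption (not stated on the page): no matching policy entry means DROP.
        return best[1] if best else Fallback.DROP

    def handle(self, dst_str: str) -> Tuple[str, Optional[str]]:
        dst = ipaddress.ip_address(dst_str)
        if dst in self.tunnels:                 # tunnel already established: reuse it
            return ("ipsec", self.tunnels[dst])
        gw = self.negotiate(dst)
        if gw is not None:                      # negotiation succeeded: protect transparently
            self.tunnels[dst] = gw
            return ("ipsec", gw)
        return (self.fallback_for(dst).value, None)  # failed: local policy decides


def demo() -> Tuple[List[Tuple[str, Optional[str]]], int]:
    # Constructed scenario: only hosts under 2001:db8:1::/48 sit behind an OE gateway.
    calls = []

    def negotiate(dst):
        calls.append(dst)
        return "2001:db8:1::1" if dst in ipaddress.ip_network("2001:db8:1::/48") else None

    gw = OEGateway([("2001:db8::/32", Fallback.DROP), ("2001:db8:2::/48", Fallback.CLEAR)],
                   negotiate)
    dsts = ("2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10", "2001:db8:1::10")
    return [gw.handle(d) for d in dsts], len(calls)
```

The second packet to 2001:db8:1::10 reuses the tunnel, so only three negotiations are attempted.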
More information about our Opportunistic Encryption proposal is available in the following publications:
Source Code: OE-SPKI library
This library offers basic functionalities to handle SPKI certificates in the context of Opportunistic Encryption (OE).
Local Contact and Feedback
Claude Castelluccia, (claude_DOT_castelluccia_AT_inria_DOT_fr).
Gabriel Montenegro, (gab_AT_sun_DOT_com).
Julien Laganier, (julien_DOT_laganier_AT_sun_DOT_com).
Christoph Neumann, (christoph_DOT_neumann_AT_inria_DOT_fr).
Last Updated: 09-02-2005.
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
INRIA Rhône-Alpes Research Unit: Zirst - 655 avenue de l'Europe - 38330 Montbonnot Saint Martin - France
Phone: +33 (0)4 76 61 52 00 - Fax: +33 (0)4 76 61 52 52