CRYPTOGLOSSARY

The practice of securely generating, distributing, storing, rotating, and retiring cryptographic keys. It ensures confidentiality, integrity, and compliance across systems. 

An encryption method where the same secret key is used for both encrypting and decrypting data. It’s fast and efficient but requires secure key sharing. 

A framework of policies, technologies, and certificates that uses public/private key pairs to enable authentication, encryption, and digital trust. 

A centralized solution that automates key lifecycle tasks, enforces security policies, integrates with applications, and helps organizations stay compliant. 

A scalable enterprise platform that connects with HSMs, automates manual key operations, manages multiple formats and apps, and provides audit-ready logging. 

A management layer that standardizes access to heterogeneous HSMs, giving organizations one unified interface for cryptographic operations. 

Cryptomathic’s advanced key management product that delivers compliance, crypto-agility, role-based access, and significant cost savings for enterprises. 

Centralized management unifies key control, visibility, and auditing, while distributed management increases complexity and risk of errors. 

MASC is Cryptomathic’s SDK for iOS and Android that embeds layered security directly inside mobile apps. It provides code hardening, runtime protection (RASP), app-level encryption, API protection, and monitoring to defend against threats like rooting, jailbreaking, hooking, phishing, and tampering—all without relying solely on the device’s operating system. 

Symmetric encryption uses one shared key for both encryption and decryption—fast and efficient for large data. 

Asymmetric encryption uses a public/private key pair—slower but ideal for key exchange, authentication, and securing sessions. 

Encryption applied directly within the app to secure sensitive data such as credentials, tokens, or business logic, even if the device itself is compromised. 

A technique that transforms source or binary code into a harder-to-read format, protecting sensitive logic from reverse engineering. 

Adding multiple layers of protection to an app (encryption, obfuscation, anti-tampering, RASP) to make attacks significantly harder and more time-consuming. 

A security feature embedded inside the app that monitors its behavior at runtime, detects malicious activity (e.g., tampering, hooking), and can block or shut down attacks in real time. 

Safeguarding mobile APIs from misuse through authentication, encryption, token management, and anomaly detection, preventing fraud or unauthorized access. 

Application Programming Interfaces allow mobile apps to communicate with backend services, enabling secure data exchange and functionality. 

A development approach that integrates security into every stage of the DevOps pipeline, ensuring mobile apps are tested, hardened, and compliant from the start. 

An Android device where the user has gained privileged access (root), bypassing built-in security controls—making the device more vulnerable to malware. 

The iOS equivalent of rooting, where restrictions are removed to gain elevated privileges, exposing apps to greater security risks. 

A social engineering attack where users are tricked into giving up sensitive information (e.g., passwords, banking details) via fake apps, pop-ups, or messages. 

An attack technique where malicious software intercepts and alters app behavior at runtime, often used to steal data or bypass security checks. 

Protections that prevent attackers from decompiling, analyzing, or modifying mobile apps—such as code obfuscation, integrity checks, and secure packaging. 

A technique that scrambles code to make it unreadable to attackers while preserving functionality—commonly used to protect algorithms and IP. 

A defense mechanism that detects if an app is running inside an emulator, often used by attackers to analyze or manipulate apps in a controlled environment. 

A digital credential used to authenticate a user, device, or session—commonly short-lived and tied to API protection. 

Monitoring device and app behavior to detect suspicious conditions (e.g., rooted devices, unusual API traffic) and flag anomalies that may indicate fraud or compromise. 

Quantum computing uses quantum bits (qubits) that can exist in multiple states simultaneously, allowing certain calculations to be performed exponentially faster than with classical computers.

Classical computers use binary bits (0 or 1), while quantum computers use qubits, which can represent 0 and 1 at the same time through superposition. Quantum entanglement and interference enable new problem-solving capabilities. 

Quantum cryptography leverages quantum mechanics to secure communications, such as Quantum Key Distribution (QKD), which detects any eavesdropping attempts. 

A sufficiently powerful quantum computer could use Shor’s algorithm to factor large prime numbers quickly, breaking RSA and other public-key cryptosystems. 

Estimates vary, but experts suggest large-scale quantum computers capable of breaking RSA and ECC may appear within the next 10–20 years, making preparation essential now. 

PQC refers to new cryptographic algorithms designed to resist attacks from quantum computers while still being secure against classical attacks. 

The ability of a system to quickly switch algorithms, key lengths, or cryptographic protocols without major redesign. It future-proofs security against new threats and regulations. 

Organizations should adopt crypto-agility – designing systems that can switch algorithms easily, testing PQC standards, updating key management processes, and planning phased migrations to quantum-safe cryptography 

Centralized management unifies key control, visibility, and auditing, while distributed management increases complexity and risk of errors. 

An IdP is a trusted service that authenticates users and issues identity assertions (like tokens or certificates) so apps and services can verify them. 

Credentials (like passwords, certificates, or tokens) prove a person or entity’s claimed identity and are required to access digital services securely.

A digital wallet stores electronic credentials, certificates, and signatures, allowing users to authenticate and sign securely through mobile or online apps. 

Signer is Cryptomathic’s solution for creating secure digital signatures, binding an identity to content while meeting compliance requirements such as eIDAS.

A TSP issues and manages digital certificates for signatures, authentication, and encryption in compliance with legal and regulatory standards.

A QTSP is a TSP certified under eIDAS to issue qualified certificates, providing the highest legal assurance across the EU. 

A QSCD is a secure device (hardware or software) that ensures only the rightful signatory can use their private key to generate a qualified electronic signature.

eIDAS is the EU regulation that standardizes electronic identification, trust services, and digital signatures across member states, giving them legal recognition. 

A basic form of electronic signature such as a scanned image, typed name, or a click-to-sign action—suitable in contexts where high assurance isn’t required.  

An AdES uniquely links to the signatory, is under their sole control, and detects tampering—providing stronger assurance than a basic electronic signature. 

A QES is an AdES created using a QSCD and a qualified certificate issued by a QTSP. It has the same legal value as a handwritten signature in the EU. 

Non-repudiation means a signer cannot later deny having signed a document, as the cryptographic evidence makes the action legally binding. 

A digital certificate is an electronic credential that binds a public key to an identity, enabling authentication and secure communication. 

Short for What You See Is What You Sign, this principle ensures the content displayed on-screen is exactly what is digitally signed—preventing manipulation. 

An electronic seal is applied by a legal entity (like a company) rather than an individual, guaranteeing the authenticity and integrity of a document. 

A qualified electronic seal is created with a qualified certificate and QSCD, offering the highest assurance of document authenticity under eIDAS. 

KYC is the process of verifying the identity of individuals or organizations before granting access to digital services, often used in banking and compliance. 

PKI underpins digital identity by providing the framework for issuing, validating, and managing certificates, enabling secure authentication and trusted digital signatures. 

A global standard (Europay, Mastercard, Visa) for chip-based payment cards and secure transactions. 

A chip card payment that uses dynamic cryptograms and authentication to verify the cardholder and prevent fraud. 

The cryptographic and application information stored on an EMV chip—such as keys, certificates, and issuer parameters—that enables secure transactions. 

Commands sent by issuers to update card parameters (like PIN or risk rules) after issuance, without replacing the card. 

Replacing sensitive card numbers with unique tokens used for transactions, protecting the underlying account data. 

The process of generating and securing the cryptographic data required for EMV-compliant cards, including keys, certificates, and application profiles. 

Cardink is Cryptomathic’s EMV data preparation solution. It generates secure card data, manages cryptographic keys, and delivers personalization files to card bureaus. 

• Data preparation: Creation of cryptographic data and card profiles before card production. 

• Card personalization: Writing this data onto the card chip and printing visual elements. 

All EMV chip-based payment cards—credit, debit, prepaid, and contactless—require secure data preparation. 

It ensures global interoperability, protects against fraud, maintains compliance with card schemes, and secures the issuance process end-to-end. 

Keys authenticate issuers, generate card certificates, create ARQCs, and secure sensitive data throughout issuance and transactions. 

The controlled process of loading cryptographic keys into personalization equipment or directly onto cards, always under strict security. 

HSMs generate and protect keys, perform encryption/decryption, and enforce security controls during issuance and transaction processing. 

A software toolkit for provisioning secure payment credentials to mobile wallets and apps instead of issuing physical cards. 

A modular Cryptomathic platform supporting end-to-end EMV and mobile credential issuance, from certification and PIN to personalization and transactions.

The module for preparing, securing, and delivering EMV data and profiles to personalization bureaus. 

The certification authority module that issues and manages keys and certificates for EMV ecosystems. 

A secure system for PIN generation, encryption, delivery, and management during card issuance. 

A solution for managing EMV transaction security, including cryptogram validation, key lifecycle management, and post-issuance card scripting. 

A cryptographic key is a string of bits used in algorithms to encrypt, decrypt, sign, or verify data. It determines the output of a cryptographic process.

A public key is openly shared and used to encrypt data or verify signatures. A private key is kept secret and used to decrypt data or create signatures. 

A key feeds into a cryptographic algorithm to transform data—either scrambling it (encryption), restoring it (decryption), or proving authenticity (signatures). 

Key length is the size (in bits) of the key. Longer keys are harder to brute force, making them more secure but also potentially slower in performance. 

A key pair is the combination of a public key and a private key used in asymmetric encryption and digital signatures. The two keys are mathematically linked.

Keys are essential for both symmetric and asymmetric encryption—determining how plaintext is transformed into ciphertext and back again. 

Private keys create digital signatures, while public keys verify them—ensuring authenticity, integrity, and non-repudiation of data. 

Keys prove identity by signing challenges, establishing secure sessions, or encrypting authentication exchanges between a user and a system. 

• At rest: Keys encrypt stored files, databases, or devices so only authorized parties can read them. 

• In transit: Keys secure communications (e.g., TLS) so data remains confidential and tamper-proof while moving over networks.