Abbreviation for "two-factor authentication".
Pronounced "triple DES". Application of DES in which each block is processed three times (encrypt, decrypt, encrypt) under two or three independent keys, giving an effective strength of about 112 bits for three keys rather than the nominal 168. Retained for legacy systems; new designs should use AES.
Access control list. A method for limiting the use of a specific resource to authorized users.
Advanced Encryption Standard. A symmetric key encryption technique that provides strong encryption in various environments: standard software platforms, limited space environments, and hardware implementations.
The name given to 'person A' when describing a conversation.
Application Programming Interface
Abstract Syntax Notation One. An ITU-T notation for defining the syntax of data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be used to define the abstract syntax of information independent of how the information is encoded for transmission (the encoding is governed by separate rules such as BER and DER).
In an asymmetric encryption system different keys are used for encrypting and decrypting a message or a document, which means that the communicating parties need not "share a secret". Instead, the asymmetric system uses a key pair, a public key and a private key, which lets parties who have never met exchange session keys, sign messages and authenticate each other.
The process of establishing that an entity - whether human or machine - is who or what they say they are.
Basic Encoding Rules. A set of rules for encoding data units described in ASN.1. BER permits several encodings of the same value (for example indefinite-length and non-minimal length forms); DER is the canonical subset used where a unique encoding matters, such as for certificates and signatures.
Short for binary digit: a digit in the binary (base 2) numeral system, with the value 0 or 1.
A fixed-length group of bits.
A symmetric key cipher which operates on fixed length groups of bits.
The name given to 'person B' when describing a conversation.
Abbreviation of Certification Authority.
See Certification Authority below.
Certification Authority (CA)
A Certification Authority (CA) is an enabling service that issues, manages and revokes certificates of users, service providers, applications and appliances. A certificate is signed by the CA, which vouches for the binding between the certificate owner's identity and the public key it contains.
The server component in a public key infrastructure which handles, stores and issues digital certificates.
A digital certificate is an electronic document which links a public key to a person or a company in a public key infrastructure enabling the user(s) to send encrypted and digitally signed electronic messages. The certificate identifies the user and is required to verify his digital signature. The certificate contains information about the identity and public key of the person/company as well as the certificate's expiry date. The certificate may also contain information about its usage.
An algorithm for performing encryption and decryption.
Certificate Revocation List. A list of certificates that have been revoked by the Certification Authority. The CRL can be compared to a blacklist containing the certificates which are no longer valid.
Or 'code breaking' is the study of methods for obtaining the meaning of encrypted information. It is also used to refer to any attempt to get around the security of other types of cryptographic algorithms and protocols in general.
The study of techniques for secure communication: keeping messages confidential and protecting their integrity and authenticity.
An umbrella term for cryptography and cryptanalysis.
A suite of algorithms, typically three - one for key generation, one for encryption and one for decryption.
Dynamic Data Authentication
The process of converting an encrypted text back to a plain and meaningful text.
Distinguished Encoding Rules. A set of encoding rules which are part of ASN.1.
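Added worked example, not part of the original glossary: a minimal strict DER encoder and decoder in Python for the two types a PKCS#1 RSAPublicKey needs (INTEGER and SEQUENCE). It illustrates the ASN.1, BER and DER entries above: the tag/length/value layout and the rules that make DER canonical (minimal length encoding, no indefinite length, minimal two's-complement INTEGER). Tag values and rules are those of X.690; the function names are this example's own.

```python
from typing import Any, Tuple

INTEGER, SEQUENCE = 0x02, 0x30   # universal ASN.1 tags used by this example


def der_length(n: int) -> bytes:
    """Length octets: short form below 128, otherwise 0x80|k followed by k minimal bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """INTEGER is two's complement and minimal: a leading 0x00 keeps the top bit clear."""
    if value < 0:
        raise ValueError("negative INTEGERs are not needed for this example")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return bytes([INTEGER]) + der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return bytes([SEQUENCE]) + der_length(len(body)) + body


def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Parse the length at buf[i]; reject the BER forms that DER forbids."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    nbytes = first & 0x7F
    if nbytes == 0:
        raise ValueError("indefinite length is BER, not DER")
    if nbytes > 4 or i + nbytes > len(buf):
        raise ValueError("length too large or truncated")
    if buf[i] == 0:
        raise ValueError("non-minimal length (leading zero byte)")
    n = int.from_bytes(buf[i:i + nbytes], "big")
    if n < 0x80:
        raise ValueError("non-minimal length (short form required)")
    return n, i + nbytes


def der_decode(buf: bytes, i: int = 0) -> Tuple[Any, int]:
    """Decode one TLV at buf[i]; return (value, index after it). Strict DER only."""
    if i >= len(buf):
        raise ValueError("truncated")
    tag = buf[i]
    length, i = _read_length(buf, i + 1)
    body = buf[i:i + length]
    if len(body) != length:
        raise ValueError("truncated value")
    end = i + length
    if tag == INTEGER:
        if length == 0:
            raise ValueError("empty INTEGER")
        if length > 1 and body[0] == 0 and not body[1] & 0x80:
            raise ValueError("non-minimal INTEGER (redundant leading zero)")
        if body[0] & 0x80:
            raise ValueError("negative INTEGER not expected here")
        return int.from_bytes(body, "big"), end
    if tag == SEQUENCE:
        items, j = [], 0
        while j < length:
            item, j = der_decode(body, j)   # j is relative to body
            items.append(item)
        return tuple(items), end
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_sequence(der_integer(n), der_integer(e))


def decode_rsa_public_key(der: bytes) -> Tuple[int, int]:
    (n, e), end = der_decode(der)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    return n, e
```

The rejections in `_read_length` and the INTEGER branch are the practical difference between a BER and a DER parser: a signature over a structure is only meaningful if that structure has exactly one encoding, so a verifier that silently accepts alternative BER forms can be fed two different byte strings for the same logical value.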
Data Encryption Standard. A block cipher developed by IBM and adopted as a US federal standard in 1977. It applies a 56-bit key to each 64-bit block of data and is symmetric, i.e. both the sender and receiver must know the same secret key, which is used for both encryption and decryption. A 56-bit key can be found by brute force with modest hardware, so single DES is no longer considered secure; it survives mainly as "triple DES" (3DES), which uses two or three keys. DES was superseded by the Advanced Encryption Standard (AES), selected by NIST in 2000 and published as FIPS 197 in 2001.
A digital signature is the electronic equivalent of a person's handwritten signature: a value computed over a message with the signer's private key that anyone holding the public key can verify. It fulfills three security needs: authenticity (the signer holds the private key), integrity (the message has not been altered) and non-repudiation (the signer cannot later deny signing). Many jurisdictions give qualified digital signatures the same legal standing as a physical signature.
Digital Time Stamp
A time code that can form part of a digital signature which proves the existence of the signed document or content at a given time.
Digital Rights Management
Digital Signature Algorithm. A public key algorithm that is used as part of the Digital Signature Standard (DSS). DSA was developed by the U.S. National Security Agency to generate digital signatures for the authentication of electronic documents. It cannot be used for encryption, only for digital signatures. A signature is a pair of values (r, s) computed from the hash of the message and the signer's private key; the verifier checks the pair against the signer's public key, which establishes who signed and, consequently, the integrity of the signed data. The security of every DSA signature depends on the per-signature random value k being unpredictable and never reused.
Digital Signature Standard. Recommended as a standard in 1994 by NIST and has become the United States government standard for authentication of electronic documents, specified in Federal Information Processing Standard (FIPS) 186. It uses the Digital Signature Algorithm (DSA) to create digital signatures for the authentication of electronic documents.
Elliptic Curve Cryptography. A technique that uses elliptic curves for cryptography. The advantage of using elliptic curves is that they are particularly well-suited for applications involving chip cards with limited computational power, for example, mobile communication.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the DSA standard. The advantages of ECDSA compared to RSA-like schemes are shorter keys and faster key generation and signing (verification is typically slower than RSA). For example, a 160-bit ECC key is expected to give roughly the same security as a 1024-bit RSA key and a 210-bit ECC key roughly that of a 2048-bit RSA key, and the advantage increases as the level of security is raised.
In mathematics: an algebraic curve defined by an equation of the form y^2 = x^3 + ax + b. In cryptography the curve is taken over a finite field, and its points (with a point at infinity) form a group in which the discrete logarithm problem is believed to be hard.
A standard for interoperation of chip cards for authenticating credit and debit card payments. The name comes from Europay, MasterCard and Visa - the three companies who cooperated to develop the standard.
A method used in authentication.
Federal Information Processing Standards is a set of standards that describe the handling and processing of information within governmental agencies.
An algorithm that maps input of any length to a (usually) shorter value of fixed length, a 'fingerprint' that represents the original value. A cryptographic hash function is additionally one-way (it is infeasible to find an input with a given output) and collision-resistant (it is infeasible to find two inputs with the same output).
The value calculated by a hash function, e.g. the message digest that is created as part of a digital signature.
Hardware security module. A tamper-resistant device that generates, stores and uses cryptographic keys so that the private keys never leave the device in clear form; typically used to protect CA signing keys and other high-value keys.
Hypertext transfer protocol.
The Institute of Electrical and Electronics Engineers
International Organization for Standardization
The International Telecommunication Union, formerly known as CCITT. The organization, which includes governments and the private sector, handles the coordination of telecommunication technology and is a leading publisher of standards and regulatory information.
Java Cryptography Extension. A framework for the implementation of encryption, key generation, key agreement and message authentication code algorithms in the Java language.
A key specifies the particular transformation of plain text into cipher text during encryption and vice-versa during decryption.
The process of generating keys.
The key length sets an upper bound on the strength of an encryption system: an attacker can always try every key, so the key must be long enough to make that infeasible. The real strength also depends on the algorithm the system employs, since a weak algorithm can be broken faster than brute force regardless of key length. For public key algorithms a longer key noticeably increases encryption and decryption time; for symmetric ciphers such as AES the cost difference between key sizes is small.
Key management includes all of the provisions made in a cryptosystem design, including cryptographic protocols, user procedures, etc, which are related to generation, exchange, storage, safeguarding, use, vetting, and replacement of keys.
A corresponding public and private key.
Local Registration Authority. The LRA is responsible for registering and managing the users' identities in a Public Key Infrastructure (PKI). Based on this information the CA issues the digital certificates.
Message Authentication Code. A short tag computed over a message with a secret key shared by the two parties. The receiver recomputes the tag to check both integrity and origin of the message. Unlike a plain hash, a MAC cannot be recomputed by an attacker who does not hold the key.
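Added worked example, not part of the original glossary: Python code illustrating the hash function, hash value and MAC entries together. The first half shows the fixed-length, incremental and avalanche properties of a hash and why a bare digest shipped with a message detects corruption but not tampering (anyone, including the attacker, can recompute it). The second half adds the shared key: an HMAC-SHA256 tag that cannot be recomputed without the key. Only the Python standard library is used; the message strings are constructed for the example, and the HMAC known-answer value is RFC 4231 test case 2.

```python
import hashlib
import hmac
import io
from typing import Tuple


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-length fingerprint: 64 hex chars for SHA-256 whatever the input size."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_chunked(data: bytes, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Incremental hashing (large files, sockets) gives the same digest as one call."""
    h = hashlib.new(algorithm)
    stream = io.BytesIO(data)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Avalanche effect: a one-character change in the input flips about half the output bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- integrity with a bare hash: detects accidental corruption, not tampering -------

def package(message: bytes) -> Tuple[bytes, str]:
    """Sender ships (message, digest). Anyone can compute the digest, including an attacker
    who rewrites the message and simply recomputes it."""
    return message, digest_hex(message)


def check_package(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(digest_hex(message), digest)


# --- integrity with a MAC: the shared key is what the attacker lacks ----------------

TAG_LEN = hashlib.sha256().digest_size


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """message || HMAC-SHA256(key, message)"""
    return message + mac_tag(key, message)


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Return the message if its tag verifies, else raise. compare_digest is constant-time,
    so the comparison does not leak how many tag bytes matched."""
    if len(blob) < TAG_LEN:
        raise ValueError("too short to carry a tag")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(mac_tag(key, message), tag):
        raise ValueError("MAC verification failed: message or tag modified")
    return message
```

Note that HMAC is used rather than the naive H(key || message): with Merkle-Damgard hashes such as MD5, SHA-1 and SHA-256 the naive construction is open to length-extension forgery, which HMAC's nested keyed hashing prevents.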
An attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.
A message-digest hash function optimized for 8-bit machines.
A message-digest hash function that is several times faster than MD2 and optimized for 32-bit machines.
A one-way message-digest hash function with a 128-bit hash value. The algorithm processes input text and creates a 128-bit message digest that was intended to be unique to the message and to allow verification of data integrity. MD5 was developed by Ron Rivest in 1991 to replace MD4. Practical collisions (two different inputs with the same digest) have been known since 2004, so MD5 must not be used where collision resistance matters, such as for digital signatures and certificates.
Modification Detection Code. A hash function that produces a 128-bit output from block ciphers. IBM has named their hash functions: MDC-1, MDC-2 and MDC-4.
The fixed-length output from a hash function, e.g. the MD5 algorithm.
Multipurpose Internet Mail Extensions. A set of specifications for the interchange of text in languages with different character sets. MIME is also used to attach multimedia and rich text elements to e-mail that may be transmitted among different computer systems using Internet mail standards. The specifications define Content-Types and other conventions for the formatting of e-mail messages. S/MIME is a later standard that adds security to e-mail communication by allowing signing and encryption of messages.
National Institute of Standards and Technology, formerly known as the National Bureau of Standards. A unit of the US Commerce Department which promotes open standards and interoperability in computer-based industries.
One-time Password (OTP)
A password that is used only once, often abbreviated to OTP. One-time passwords are used to make it more difficult to gain unauthorized access to, for example, an online bank account. A static password that is captured (by phishing, malware or a network sniffer) can be replayed by the attacker indefinitely; a one-time password that changes constantly is worthless once used, which greatly reduces the risk of unauthorized access. There are three types of one-time password:
- the first uses a mathematical algorithm to generate a new password based on the previous password (a hash chain)
- the second is time-based: the authentication server and the client providing the password are synchronized clocks, so both derive the same password for the current time interval
- the third is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) or on a counter shared by server and client, rather than on the previous password.
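Added worked example, not part of the original glossary: the three OTP types above in Python, using only the standard library. Type one is a hash chain in the style of Lamport/S/KEY, where the server stores only the current verifier and every accepted password is the preimage of the previous one. Types two and three are HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based), including the server-side look-ahead and drift windows that make desynchronisation and clock skew workable without allowing replay. The seed, secret and counter values in the tests are the RFC test vectors or constructed for the example; class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


# 1. Hash chain: each password is the preimage of the previous one.

def chain_value(seed: bytes, n: int) -> bytes:
    """H^n(seed). The client keeps the seed; the server keeps only the current verifier."""
    v = seed
    for _ in range(n):
        v = hashlib.sha256(v).digest()
    return v


class ChainServer:
    def __init__(self, verifier: bytes) -> None:
        self.verifier = verifier      # H^n(seed); the seed itself never reaches the server

    def login(self, otp: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.verifier):
            self.verifier = otp       # the accepted value becomes the new verifier: replay fails
            return True
        return False


# 2./3. HMAC-based OTP (RFC 4226) and its time-based variant (RFC 6238).

def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F           # dynamic truncation, RFC 4226 section 5.3
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    t = time.time() if for_time is None else for_time
    return hotp(secret, int(t // step), digits, digestmod)


def verify_hotp(secret: bytes, code: str, server_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Counter-based check with resynchronisation: the user may have generated codes that
    never reached the server, so accept any of the next look_ahead counters and return the
    counter the server must store next. Counters at or below one already used are refused."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Accept the current step and +/- window steps to tolerate clock drift. Returns the
    matched step so the caller can refuse any step <= the last one accepted (anti-replay)."""
    t = time.time() if for_time is None else for_time
    current = int(t // step)
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + k, digits), code):
            return current + k
    return None
```

The simple hash chain above rejects a login that skips a step; S/KEY-style servers tolerate that by hashing the presented value repeatedly up to a limit. For TOTP, the server must persist the last accepted step per user: the drift window alone would otherwise let a captured code be replayed within about a minute.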
An attempt to fraudulently acquire sensitive information such as usernames and passwords by impersonating a trusted party, typically via an email that appears to come from the recipient's bank or another service the recipient uses. It contains a link that leads the recipient to a convincing copy of the real web page, where the recipient is tricked into entering his details.
An attack that redirects traffic intended for a legitimate website to a bogus website, usually by corrupting name resolution (DNS cache poisoning or a modified hosts file) so that the victim reaches the attacker's site even when typing the correct address.
Personal Identification Number.
A set of Public Key Cryptography Standards devised by RSA Laboratories in 1991 which are widely used in public key cryptography systems.
PKCS#1 - RSA Cryptography Standard
Defines the RSA encryption and signature primitives, their padding schemes (PKCS#1 v1.5 and the newer OAEP and PSS) and the ASN.1 syntax of RSA keys.
Withdrawn. Has been incorporated into PKCS#1.
PKCS#3 - Diffie-Hellman Key Agreement Standard
A protocol that allows two parties unknown to each other to jointly establish a shared secret key over an insecure communications channel.
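Added worked example, not part of the original glossary: a finite-field Diffie-Hellman exchange in Python with both sides' messages, followed by the man-in-the-middle attack described in the MITM entry, which is what an unauthenticated exchange is exposed to. The group is the 1024-bit MODP group of RFC 2409 (section 6.2) with generator 2, reproduced here from the RFC; 1024-bit groups are below current minimums and a real deployment should use the 2048-bit or larger groups of RFC 3526, or ECDH. The party names and function names are this example's own.

```python
import hashlib
import secrets

# 1024-bit MODP group ("Second Oakley Group", RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x in [2, p-2]; the public value g^x mod p is what goes over the wire."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(private: int, peer_public: int, p: int = P) -> int:
    """Reject 0, 1 and p-1: those public values force the shared secret into a trivial subgroup."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int) -> bytes:
    """Never use the raw group element as a key; hash it (a KDF) to obtain uniform key bytes."""
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def honest_exchange():
    """Alice -> Bob: A = g^a.  Bob -> Alice: B = g^b.  Both compute g^(ab)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return derive_key(dh_shared(a, B)), derive_key(dh_shared(b, A))


def mitm_exchange():
    """Unauthenticated DH: Mallory replaces the public values in transit and ends up sharing
    one key with Alice and a different key with Bob. Neither notices, because nothing ties
    a public value to an identity. Returns (k_alice, k_bob, k_mallory_alice, k_mallory_bob)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()          # delivered to Bob in place of A
    m2, M2 = dh_keypair()          # delivered to Alice in place of B
    k_alice = derive_key(dh_shared(a, M2))
    k_mallory_alice = derive_key(dh_shared(m2, A))
    k_bob = derive_key(dh_shared(b, M1))
    k_mallory_bob = derive_key(dh_shared(m1, B))
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob
```

The fix for the second function is authentication of the public values, which is why TLS signs the ephemeral DH share with the server's certificate key and why the certificate and CA entries on this page matter for key agreement.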
Withdrawn. Has been incorporated into PKCS#1.
PKCS#5 - Password-based Encryption Standard
PKCS#6 - Extended-Certificate Syntax Standard
Defines extensions to the old v1 X.509 certificate specification.
PKCS#7 - Cryptographic Message Syntax Standard
Used to sign and/or encrypt messages under a PKI.
PKCS#8 - Private-Key Information Syntax Standard
PKCS#9 - Selected Attribute Types
Defines selected attribute types for use in PKCS#6, PKCS#7, PKCS#8 and PKCS#10.
PKCS#10 - Certificate Request Standard
Specifies a standard syntax for requesting certification of a public key from a certification authority.
PKCS#11 - Cryptographic Token Interface
A technology-independent programming interface for cryptographic devices such as smart cards.
PKCS#12 - Personal Information Exchange Syntax Standard
Specifies a portable format for storing or transporting a user's private keys and certificates, protected with a password-based symmetric key.
PKCS#13 - Elliptic Curve Cryptography Standard
PKCS#14 - Pseudo-random Number Generation
PKCS#15 - Cryptographic Token Information Format Standard
Defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application's Cryptoki implementation (PKCS#11) or other API.
An integer greater than 1 that is divisible only by itself and 1.
The key of an asymmetric key pair that is kept secret. It decrypts data encrypted with the corresponding public key and creates digital signatures that the public key verifies. Anyone who obtains it can impersonate its owner.
The key of an asymmetric key pair that can be widely distributed. It encrypts data for the holder of the corresponding private key and verifies that holder's digital signatures; a certificate binds it to an identity.
The algorithm that was chosen by NIST to become the Advanced Encryption Standard (AES). It was developed by Vincent Rijmen and Joan Daemen. Rijndael supports block and key sizes of 128, 192 or 256 bits; AES fixes the block size at 128 bits and allows keys of 128, 192 or 256 bits.
A 160-bit hash function that offers a higher degree of security than 128-bit hash functions such as MD4 and MD5.
A public key cryptographic algorithm named after its inventors (Rivest, Shamir and Adleman). It is used for encryption and digital signatures. RSA was developed in 1977 and is today the most commonly used public key encryption and authentication algorithm. Its security rests on the difficulty of factoring the modulus; keys of at least 2048 bits are required today, and the raw operation must always be combined with a padding scheme (see PKCS#1).
Static Data Authentication.
A session key is a key used for encrypting one message or a group of messages in a communication session.
SHA Hash Functions
The SHA (Secure Hash Algorithm) hash functions are the FIPS-approved algorithms SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512, designed by the National Security Agency (NSA) and published by NIST as a US government standard in FIPS 180. The latter four are collectively referred to as SHA-2. The separately designed SHA-3 family (Keccak, FIPS 202, 2015) was added later.
SHA-1 was employed in many widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME and IPsec, as the successor to MD5, an earlier, widely used hash function.
SHA-1 is broken with respect to collision resistance: a practical collision was published in 2017 and it is no longer acceptable for digital signatures or certificates. The SHA-2 algorithms are not subject to the same attacks and SHA-256 is the usual replacement.
A standard that extends the MIME (Multipurpose Internet Mail Extensions) specifications to support the signing and encryption of e-mail transmitted across the Internet.
In a symmetric encryption system, a message or a document is encrypted and decrypted with the same key. The message is encrypted with the sender's key and the recipient decrypts the message by use of the same key.
Secure Sockets Layer. A protocol originally used on the Internet to secure web pages and transactions: public key cryptography authenticates the server and establishes a session key, which then encrypts the traffic with a symmetric cipher. All SSL versions are deprecated (SSL 3.0 formally since 2015) and have been replaced by TLS.
A stream cipher (also known as a state cipher) is a symmetric cipher in which the plaintext digits are encrypted one at a time, and in which the transformation of successive digits varies during the encryption. In practice, the digits are typically single bits or bytes.
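Added worked example, not part of the original glossary: a stream cipher in Python showing the properties the entry above implies but does not spell out. The keystream generator is a demonstration construction (HMAC-SHA256 over nonce and block counter, not a standardised cipher; real systems use ChaCha20 or AES in CTR mode), chosen so the example runs with the standard library alone; the two failure modes it demonstrates apply to every stream cipher: reusing a key and nonce leaks the XOR of the two plaintexts (the "two-time pad"), and without a MAC an attacker can flip chosen plaintext bits by flipping the same ciphertext bits. The plaintext strings are constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Same key and nonce used twice: c1 XOR c2 == p1 XOR p2, the keystream cancels out."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing (or guessing) a prefix of p1 reveals the corresponding prefix of p2."""
    return xor_bytes(two_time_pad_leak(c1, c2)[:len(known_p1)], known_p1)


def bit_flip(ciphertext: bytes, index: int, mask: int) -> bytes:
    """No integrity: flipping ciphertext bits flips exactly those plaintext bits (malleability)."""
    c = bytearray(ciphertext)
    c[index] ^= mask
    return bytes(c)
```

Both failure modes are why a stream cipher is deployed with a fresh nonce per message and a MAC over the ciphertext (or as an AEAD construction such as ChaCha20-Poly1305).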
A time stamp can refer to a time code or to a digitally signed timestamp whose signer vouches for the existence of the signed document or content at the time given as part of the digital signature. Time stamps are used, for example, on contracts or medical records.
Time Stamping Authority
A trusted third party who issues a time stamp to prove the existence of certain data before a certain point in time without the possibility that the owner can backdate the timestamps.
Transport Layer Security. A protocol intended to secure and authenticate communications across public networks by using data encryption. TLS is the successor to SSL, built on the same design but supporting more and stronger cryptographic algorithms; TLS 1.2 and 1.3 are the versions in current use.
Trusted Platform Module. A hardware chip that stores keys and platform measurements and can attest to the software state of a machine.
Malicious computer software that looks harmless or useful to the user but performs hidden malicious actions once run, such as installing spyware or opening a backdoor. Named after the Trojan Horse in Greek mythology.
Virtual Private Network (VPN)
A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data (e.g., voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.
X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the International Telecommunication Union (ITU). ISO was a partner in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO identification. The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup.
Public key certificate standard. Defines the format of public key certificates and certificate revocation lists, and the attributes they carry; used by TLS, S/MIME and most public key infrastructures.
Version 3 of the X.509 certificate standard adds extensions: data structures for storing information on certificate usage (key usage, extended key usage), certificate distribution, certificate revocation (CRL distribution points), certificate policies and the issuing CA's signature. X.509v3 also defines the format of time-stamped CRLs, which a CA publishes so that applications can check whether a certificate has been revoked.