IT security glossary


A selection of the most important vocabulary from the world of encryption

Please use the alphabet given in the grey box on the right side. If you are missing a specific word you are looking for, don't hesitate to contact us. For additional information, please also check the history of cryptography on http://www.wikipedia.org, and the charismathics listing in Wikipedia. A similar IT security glossary in French may be found here...

123

3-DES
See » triple-DES


A

AES
The AES (Advanced Encryption Standard) is the FIPS-approved symmetric block cipher (FIPS 197, published 2001) for protecting electronic data; it encrypts and decrypts with the same key. NIST published a formal call for a DES successor in 1997; the requirements included a symmetric block cipher with a block length of 128 bits and key lengths of 128, 192 and 256 bits. Of the 15 candidates submitted, five reached the final round: MARS, RC6, Rijndael, Serpent and Twofish. In October 2000 Rijndael was selected. AES fixes the block size at 128 bits, whereas the original Rijndael also allowed other block sizes.
Alice and Bob
Probably the two most popular cryptography users. While end points are often labelled A and B in technical descriptions, it has become customary in cryptography to use these names. Other frequently encountered characters are Eve ("E", eavesdropper), the passive listener, and Mallory ("M", malicious) or Oscar ("O", opponent), the active attackers. Charlie ("C") usually denotes a generic third party in the protocol.
Algorithm
An algorithm is a procedure (a finite set of well-defined instructions) for accomplishing some task which, given an initial state, terminates in a defined end state. In cryptography, an encryption algorithm's purpose is to hide the meaning of a message, not its existence (hiding the existence of a message is the domain of steganography).
ANSI
Short for American National Standards Institute (http://www.ansi.org).
API
An application programming interface (API) is the interface that a computer system, library or application provides in order to allow requests for services to be made of it by other computer programs, and/or to allow data to be exchanged between them.
ASN.1
Abbreviation for Abstract Syntax Notation One. ASN.1 is a widely used standard for describing abstract data objects, e.g. the structure of X.509 certificates and PKCS#1 signatures. Separate encoding rules define how such objects are serialised into bytes as tag-length-value triples: the Basic Encoding Rules (BER) allow several encodings of the same value, whereas the Distinguished Encoding Rules (DER), a subset of BER, permit exactly one. Signed structures therefore use DER, so that every verifier hashes the same bytes, and a DER decoder should reject BER-only constructs such as indefinite lengths or non-minimal length octets.
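The tag-length-value encoding described above, as an added example that is not part of the original glossary: a minimal DER encoder and decoder for INTEGER and SEQUENCE in Python, with the length and integer checks that separate DER from BER. The function names and the sample structure (the shape of an ECDSA signature) are this example's own choices.

```python
# Added example (not from the original page): a minimal DER encoder and
# decoder for INTEGER (tag 0x02) and SEQUENCE (tag 0x30), including the
# checks that separate DER from the more permissive BER. Function names and
# the sample structure are this example's own choices.

def der_length(n):
    """Encode a content length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """Non-negative INTEGER in minimal two's-complement form."""
    if value < 0:
        raise ValueError("negative integers are not handled in this example")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                 # high bit set would read as negative,
        body = b"\x00" + body          # so DER requires one leading zero octet
    return b"\x02" + der_length(len(body)) + body

def der_sequence(*encoded_elements):
    """Constructed SEQUENCE whose content is the concatenated elements."""
    body = b"".join(encoded_elements)
    return b"\x30" + der_length(len(body)) + body

def _read_length(buf, pos):
    """Parse a length at buf[pos]; reject forms that BER allows but DER forbids."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is BER only")
    count = first & 0x7F
    body = buf[pos:pos + count]
    if len(body) != count:
        raise ValueError("truncated length field")
    if body[0] == 0x00:
        raise ValueError("non-minimal length: leading zero octet")
    n = int.from_bytes(body, "big")
    if n < 0x80:
        raise ValueError("non-minimal length: long form for a value below 128")
    return n, pos + count

def der_decode(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (value, position after it).
    INTEGER -> int, SEQUENCE -> list of decoded children."""
    tag = buf[pos]
    length, pos = _read_length(buf, pos + 1)
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated content")
    end = pos + length
    if tag == 0x02:
        if not content:
            raise ValueError("empty INTEGER")
        # DER forbids a redundant leading octet (0x00 before a byte < 0x80,
        # or 0xFF before a byte >= 0x80)
        if len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                                 or (content[0] == 0xFF and content[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER")
        return int.from_bytes(content, "big", signed=True), end
    if tag == 0x30:
        items, p = [], pos
        while p < end:
            item, p = der_decode(buf, p)
            items.append(item)
        return items, end
    raise ValueError("unsupported tag 0x%02x" % tag)

def is_valid_der(buf):
    """True if buf is exactly one well-formed DER value with no trailing bytes."""
    try:
        _, end = der_decode(buf)
    except (ValueError, IndexError):
        return False
    return end == len(buf)

# Constructed sample: the shape of an ECDSA signature, SEQUENCE { INTEGER r, INTEGER s }
SAMPLE = der_sequence(der_integer(0x8F), der_integer(5))

if __name__ == "__main__":
    print(SAMPLE.hex())        # 30070202008f020105
    print(der_decode(SAMPLE))  # ([143, 5], 9)
```

The strictness matters in practice: a verifier that accepts a BER re-encoding of a signed structure hashes different bytes than the signer did, and a lenient decoder that tolerates trailing bytes or non-minimal lengths gives an attacker several byte strings that all "mean" the same certificate.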
Asymmetric Cipher
Encryption algorithms employing two different keys (in contrast to a symmetric cipher): a publicly known key, the public key, for encryption, and a key known only to the receiver, the private key, for decryption. For » digital signatures the roles are reversed: the private key signs and the public key verifies.
Asymmetric Encryption
See » Asymmetric Cipher
Authentication
By authentication an entity, e.g. a user, proves its identity. Authentication factors are knowledge (password), possession (cryptographic token) and inherent characteristics (biometrics such as a fingerprint). Cryptographically strong authentication uses » digital signatures or MACs in a » challenge response protocol, so that the secret itself is never transmitted.
Authorization
Authorization (in computer systems) is the decision whether an authenticated entity may access a given resource, and the granting of that access. It is the step that follows successful authentication; the two must not be confused, since a correctly authenticated user may still be unauthorized for a particular resource.
Avalanche Effect
The avalanche effect describes the property of a good cipher that a small change in the plaintext (or the key) spreads quickly through the enciphering function and changes a large part of the ciphertext. It is a form of strong diffusion in a block cipher and a countermeasure against differential cryptanalysis. The strict avalanche criterion requires that whenever a single input bit is flipped, each output bit changes with probability one half, so that on average half of the output bits change.
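The criterion can be measured directly. The following is an added example, not part of the original glossary: it flips every input bit of a sample message in turn and counts how many output bits of SHA-256 change, and does the same for a plain byte-sum checksum to show what missing diffusion looks like. The sample input and the function names are this example's own.

```python
# Added example (not from the original page): measuring the avalanche effect
# with Python's standard library. Flipping a single input bit of SHA-256 should
# change each output bit with probability 1/2; the additive checksum included
# for contrast has almost no diffusion. The sample input is constructed.
import hashlib

def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data, index):
    """Copy of data with bit `index` (0 = least significant bit of byte 0) inverted."""
    buf = bytearray(data)
    buf[index // 8] ^= 1 << (index % 8)
    return bytes(buf)

def sha256_digest(data):
    return hashlib.sha256(data).digest()

def weak_digest(data):
    """Byte sum modulo 2**32: a checksum with no diffusion worth the name."""
    return (sum(data) % 2**32).to_bytes(4, "big")

def avalanche_stats(digest, data):
    """Flip every input bit in turn and record how much of the output changes.
    Returns (mean fraction of output bits changed, min count, max count)."""
    base = digest(data)
    out_bits = len(base) * 8
    diffs = [hamming_distance(base, digest(flip_bit(data, i)))
             for i in range(len(data) * 8)]
    return sum(diffs) / len(diffs) / out_bits, min(diffs), max(diffs)

SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed input

if __name__ == "__main__":
    for name, fn in (("sha256", sha256_digest), ("bytesum", weak_digest)):
        frac, lo, hi = avalanche_stats(fn, SAMPLE)
        print(f"{name}: {frac:.2%} of output bits change on average (min {lo}, max {hi})")
```

For SHA-256 the mean lands at about 50 % of the 256 output bits, with individual flips spread around 128 changed bits; for the byte sum only a handful of the 32 output bits ever move, which is exactly the kind of regularity differential cryptanalysis exploits.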


B

Biometry (Biometrics)
Uses individual physical and behavioural features (fingerprint, iris, voice, typing rhythm) to identify a person. Biometric procedures are therefore authentication by inherence (something one is), as opposed to authentication by knowledge or by possession. Unlike a password, a biometric feature cannot be changed once it has been compromised.
Block Cipher
An algorithm which processes the plaintext in fixed-size groups of bits, called blocks, is called a block algorithm or block cipher. The alternative is a stream cipher, which combines the plaintext with a key stream bit by bit or byte by byte. Examples of block ciphers are Blowfish, CAST, IDEA, MARS, Rijndael (AES), RC5, RC6, SAFER, Skipjack, Serpent and Twofish. A block cipher on its own only encrypts a single block; longer messages require a » cryptographic mode of operation.
Brute Force Attack
An attack on a cryptographic algorithm in which the entire key space is searched systematically. On average half of the keys must be tried before the right one is found, and each additional key bit doubles the effort; 56-bit » DES keys can be found this way with special hardware within hours, whereas 128-bit keys are out of reach.
BSI
The BSI (Bundesamt für Sicherheit in der Informationstechnik, English: Federal Office for Information Security, http://www.bsi.de) was founded in 1991. The BSI promotes IT security in different areas and provides pertinent support. Product certifications issued by the BSI are recognized by » DCSSI and vice versa.


C

CA
See » Certification Authority
Card Operating System

A card operating system is the software located in the » smart card IC itself. It provides the basic functions of the smart card and defines the purpose of the token. A C.O.S. is subject to » certification through regulation authorities to guarantee a minimum security and/or privacy level to the holder of the token. A C.O.S. is not just stand-alone code: it usually implements a file system, comparable to that of a hard disk or flash drive, but with logical and physical access restrictions (access conditions enforced per file, e.g. PIN verification before a private key may be used, and a private key that can be used but never read out).

Card Reader
» Card readers are devices used to communicate with smart cards; in USB tokens the reader is built in. In spite of their name, most of them can also be used to write data onto the card.
CCITT
Standardization committee, whose abbreviation is derived from Comité Consultatif International Téléphonique et Télégraphique; since 1993 it has been known as ITU-T.
Certificate
A » digital certificate is an electronic document which binds a public key to the identity of its holder. A trustworthy authority (the CA) checks that the key belongs to the named person or system and then signs the certificate; the signature allows anyone to detect later modification. The advantage of this procedure is that only the public key of the so-called root instance of the PKI (and not that of every participant) has to be known in advance for complete verification.
Certification Authority (CA)
A CA is a trustworthy agency whose task is to certify cryptographic keys (see Certificate). It is an important part of a PKI. A CA issues certificates; the data contain the name of the key holder, a set of identifying attributes, the public key, the period of validity and the name of the CA. The CA must maintain a CRL in which it publishes revoked certificates, e.g. those containing data that are no longer valid or whose private key has been compromised.
Certificate Practice Statement
A Certificate Practice Statement (CPS) documents the practices a CA follows when issuing, managing, renewing and revoking certificates, and how it protects its private and public keys.
Certificate Revocation List
A list of certificates which are no longer valid, signed by the issuing CA. CRLs are defined in the » X.509 standard. A relying party must check a fresh CRL (or an online status service such as OCSP) before trusting a certificate, since a certificate with a valid signature may nevertheless have been revoked.
Certification
The end of a pre-defined » evaluation process, in which an officially assigned security level is reached for a » small device. The two most common certifications are » FIPS 140 and » Common Criteria; they are assigned by national regulation authorities such as » NIST, » DCSSI or » BSI.
Challenge Response Protocol
A protocol used to check the authenticity of communication partners. One partner sends a random value (the challenge) which the other must answer correctly (the response). Typically the response is a digital signature or MAC over the challenge computed with the prover's secret key, so the secret itself is never transmitted, and because each challenge is fresh a recorded response cannot be replayed.
Charismathics
A cryptography start-up founded in 2003 by Sven Gossel and Xiangdong Wang, industry experts in smart card technology. The company delivers » PKI software and » hardware with the stated goal of gaining on user convenience and price, based on the belief that demand for identity management will grow strongly also among small companies and consumers. Charismathics pioneered PKI middleware and specifically serves the computer and software industry.
Chosen Plaintext Attack
Describes the situation in which an attacker can freely choose texts and obtain their encryption. With public key algorithms this is always possible, since anyone can encrypt with the public key, so such algorithms must resist chosen plaintext attacks by design (e.g. through randomised padding). See also known plaintext.
Cipher
A cipher is the procedure or algorithm for encryption and decryption of data. Furthermore, one distinguishes between asymmetric and symmetric ciphers. Symmetric ciphers are, in turn, divided into block and stream ciphers.
Classical Cipher
A classical cipher is a type of cipher used historically which has now, for the most part, fallen into disuse. In general, classical ciphers operate on an alphabet of letters (such as A-Z) and are implemented by hand or with simple mechanical devices. Sometimes classed with classical ciphers are more advanced mechanical or electro-mechanical cipher machines, such as the Enigma machine.
Closed User Group, Closed Network
All users are known in a closed user group. Only these users have access to the network and its resources. Only a few operators manage such a network. Thus any violation can be traced back to the corresponding operator or user.
Collision
Occurs in a hash function if two different messages lead to one and the same hash value. Since the input space is larger than the output space, collisions always exist; if it is computationally infeasible to find one, the hash function is called collision-resistant. By the birthday paradox a collision for an n-bit hash can be found with about 2^(n/2) evaluations, which is why hash outputs must be at least twice as long as the intended security level.
Common Criteria
A pre-defined certification process, that has been implemented by the international IT industry community. It is meant to replace national certification schemes and provides transparency on security levels towards the user of the product (http://www.commoncriteriaportal.org).
Composite Certification
The pre-defined end of a certification process under the rules of the » Common Criteria, in which an already certified small device (such as a » smart card IC) is used as carrier for new software (such as a » card operating system) that is evaluated within the same process the hardware has already been certified with. A composite certification is usually required as a minimum security level for smart cards used for » digital signatures.
Confidentiality
is the objective of data encryption. It refers to keeping information secret from all except those who are authorized to see it or access it.
Confusion
Confusion disguises the relationship between plain text and the cipher text. Confusion and diffusion are basic principles in the design of encryption algorithms. The objective of confusion is that the statistics of the plain text should influence the statistics of the cipher text in such a complicated manner that a potential cryptanalyst can not gain any advantage.
Contact-Less Smart Card
Contact-less smart cards are able to transmit data contactlessly over small distances (often in the centimeter range) by electromagnetic fields. This prevents wear and simplifies usage.
COS (Card Operating System)
See » card operating system
Cross-Certification
This is the establishment of a trusted path between 2 CAs. When two Certification Authorities are cross-certified, they agree to trust and rely upon each other's public key certificates and keys as if they had issued them themselves. The two Certification Authorities exchange cross-certificates, enabling their respective users to interact securely. Thus, partners from different CAs can conveniently communicate with one another.
CRL
Short for » Certificate Revocation List
crypt´n´trust family

» crypt´n´trust combines the benefits of the » plug´n´crypt product range with the use of digital signatures. It is our high-end product that allows you to sign all your electronic communication and financial transactions and to identify yourself securely on the web. It is a complete solution for the age of digital communication.

Cryptanalysis
Cryptanalysis describes that part of cryptology dealing with attacks on cryptographic algorithms.
Cryptanalyst
Cryptanalysts try to crack cryptographic codes or algorithms in general.
Cryptographic Mode of Operation
This is the mode in which a block cipher is operated to encrypt messages longer than one block. It defines how consecutive blocks are chained to each other. In ECB (electronic codebook) each block is encrypted independently, so identical plaintext blocks yield identical ciphertext blocks and patterns remain visible; CBC, CFB and OFB chain the blocks and require an initialisation vector (IV), which for CBC must be unpredictable. Modern designs prefer authenticated modes such as GCM, which also protect the integrity of the ciphertext.
Cryptographic Token
Cryptographic tokens are personal security devices such as smart cards, SIM cards, USB tokens or HSMs. They can be compared with a conventional key: the token holds the secret, and a separate unit provides the requested "authorized" service or resource once the token has proved possession of it.
Cryptographic Service Provider (CSP)
A CSP is a software module, implemented as a DLL for 32-bit Windows (such as charismathics' » smart security interface©), that provides an API for cryptographic services to applications on » Microsoft Windows 2000 and later (see http://msdn.microsoft.com/library). As many popular applications require a broader interface than the MS CAPI offers, » PKI client software usually provides both a CSP and a » PKCS#11 interface.
Cryptography
In the classical sense, the science of encrypting messages. Today, this notion comprises a larger field and also includes problems like authentication or digital signatures.


D

DCSSI
The DCSSI (Direction centrale de la sécurité des systèmes d'information, English: Central Directorate for Information Systems Security, http://www.ssi.gouv.fr/en/dcssi) was founded in 2001 and was succeeded by ANSSI in 2009. The DCSSI is the French counterpart of the » BSI: it promotes IT security in different areas and provides pertinent support. Product certifications issued by the DCSSI are recognized by the BSI and vice versa.
Decryption
see » Encryption
Denial of Service (DoS) Attack
One of the dangers on the Internet are so-called Denial of Service attacks, which put certain services out of operation by exhausting their resources rather than by breaking into them. One method is mail bombing, where a large number of mails is sent so that the receiving computers overload and can no longer fulfil their role as a server; distributed variants (DDoS) use many compromised machines at once.
DES
The DES algorithm (Data Encryption Standard, also Data Encryption Algorithm, DEA) is a symmetric block cipher with 64-bit blocks, developed by IBM (first under the name Lucifer) and standardised in 1977. The key is 64 bits long, of which 8 bits serve as parity bits, so the effective key length is 56 bits. This classic among encryption algorithms is no longer secure because of its insufficient key length: an exhaustive search of the 2^56 keys has been practical since the late 1990s. Alternatives are Triple-DES or the successor AES.
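The parity layout just described is something a key-loading routine actually has to deal with. The following is an added example, not from the original glossary: it sets and checks the odd-parity bit of each key byte, strips the parity bits to expose the 56 bits DES really uses, and rejects the four well-known DES weak keys. The function names and the sample key handling are this example's own.

```python
# Added example (not from the original page): the parity layout of a DES key
# and the checks a key-loading routine would apply. The weak-key list holds the
# four well-known DES weak keys; everything else here is illustrative code.

DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}

def has_odd_parity(byte):
    return bin(byte).count("1") % 2 == 1

def set_odd_parity(key):
    """Return the key with each byte's low bit set so that the byte has odd
    parity; the other 7 bits of each byte (56 in total) are the real key."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    out = bytearray()
    for b in key:
        b &= 0xFE                      # drop whatever parity bit was there
        if not has_odd_parity(b):      # the 7 key bits have even parity,
            b |= 0x01                  # so the parity bit must be 1
        out.append(b)
    return bytes(out)

def des_key_problem(key):
    """None if the key is acceptable, otherwise the reason a careful loader
    rejects it (wrong length, parity error, weak key)."""
    if len(key) != 8:
        return "wrong length"
    if not all(has_odd_parity(b) for b in key):
        return "parity error"
    if key in DES_WEAK_KEYS:
        return "weak key"
    return None

def key_bits_that_matter(key):
    """The 56 bits DES actually uses, as an int (parity bits stripped)."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

if __name__ == "__main__":
    k = set_odd_parity(bytes.fromhex("133457799BBCDFF0"))
    print(k.hex(), des_key_problem(k))      # 133457799bbcdff1 None
```

Note that the all-zero key and the all-ones key both become weak keys after parity correction, which is why a loader should check parity first and weak keys second rather than silently "fixing" whatever it is handed.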
DFA (Differential Fault Analysis)
During cryptographic computations one can obtain information about the secret key by deliberately inducing faults (see » Fault Attack) and comparing the faulty result with a correct one. A classic target is RSA implemented with the Chinese remainder theorem, where a single faulty signature reveals the factorisation of the modulus; verifying a signature before releasing it is the usual countermeasure.
Die, Dice
A die (plural: dice) is a wafer of silicon containing one single integrated circuit (e.g. a micro controller or smart card IC).
Differential Cryptanalysis
The basic idea of Differential Cryptanalysis is to first cipher some plaintext, then make particular changes in that plaintext and cipher it again. Particular cipher text differences occur more frequently with some key values than others, so when those differences occur, particular keys are (weakly) indicated. With huge numbers of tests, false indications will be distributed randomly, but true indications always point at the same key values and so will eventually rise above the noise to indicate some part of the key.
Differential Fault Analysis
See » DFA
Differential Power Analysis
See » DPA
Diffie-Hellman (DH) Protocol
Name of probably the most popular cryptographic protocol. Its objective is to agree on a key over an insecure channel. The presentation of this idea in 1976 marked the beginning of public key cryptography. The protocol's security rests on the difficulty of the discrete logarithm problem. On its own, Diffie-Hellman authenticates nobody: an active attacker can run one exchange with each side (man in the middle), so in practice the exchanged values are signed or otherwise authenticated.
Digital payment
Also known as electronic cash, electronic currency, digital currency, digital money or digital cash refers to money which is exchanged only electronically.
Digital Signature
The counterpart of a handwritten signature. A signature should provide the following services:
• Authentication,
• Data integrity,
• Non repudiation.
These features are achieved with asymmetric algorithms. The signature is generated with the private key of the key pair over a hash of the document; anyone who knows the corresponding public key can verify it. Popular public key procedures such as » RSA or » ECC are used according to standardised protocols. Compared with » encryption and decryption the roles of the two keys are reversed: signing uses the private key, verification the public key. Well-known applications using these functions are » PGP and S/MIME clients such as Microsoft Outlook.
Directory Services
In public key cryptography a directory is required where certificates and CRLs can be published and retrieved. This is a component of the PKI, but a new directory does not have to be created; a branch can be added to an existing directory (e.g. » LDAP).
Discrete Logarithm (DL) Problem
Exponentiation is an arithmetic operation known from school mathematics: to calculate X^n, the number X is multiplied by itself n times. The corresponding inverse problem is the determination of the logarithm: for given X and Y, a number n has to be found so that Y = X^n. What is a simple problem for real numbers proves to be very difficult in certain finite groups. Although there is always an efficient algorithm for exponentiation (square and multiply), the reverse operation, computing the logarithm of a given element, is hard under certain conditions. This problem is used as the basis for key exchange protocols (e.g. Diffie-Hellman), data encryption and digital signatures. DSA and the algorithms based on elliptic curves rest on this problem.
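The exchange described in the » Diffie-Hellman entry and the logarithm problem above, as an added example that is not part of the original glossary: both sides of the protocol, and the brute-force logarithm an eavesdropper has to solve. The prime p = 23, the generator g = 5 and the private exponents are toy values chosen so that the search finishes instantly; all function names are this example's own.

```python
# Added example (not from the original page): Diffie-Hellman over a toy prime
# field and a brute-force discrete logarithm against it. p = 23 and g = 5 are
# chosen for readability only; real parameters use a 2048-bit (or larger) safe
# prime or an elliptic curve, where the brute-force loop below is hopeless.

P = 23   # toy prime modulus
G = 5    # primitive root mod 23 (order 22)

def element_order(g, p):
    """Smallest k > 0 with g**k == 1 (mod p); a good generator has large order."""
    if g % p == 0:
        raise ValueError("g must not be a multiple of p")
    value, k = g % p, 1
    while value != 1:
        value = (value * g) % p
        k += 1
    return k

def dh_public(private, p=P, g=G):
    return pow(g, private, p)

def dh_shared(private, peer_public, p=P):
    return pow(peer_public, private, p)

def run_exchange(alice_priv, bob_priv, p=P, g=G):
    """Both sides of the protocol. Only A and B travel over the channel."""
    A = dh_public(alice_priv, p, g)
    B = dh_public(bob_priv, p, g)
    k_alice = dh_shared(alice_priv, B, p)
    k_bob = dh_shared(bob_priv, A, p)
    assert k_alice == k_bob, "the two sides must derive the same key"
    return A, B, k_alice

def discrete_log(target, p=P, g=G):
    """Brute force x with g**x == target (mod p): O(p) steps, i.e. exponential
    in the bit length of p. This is what the eavesdropper has to solve."""
    value = 1
    for x in range(element_order(g, p)):
        if value == target:
            return x
        value = (value * g) % p
    return None

def eavesdropper_recovers(A, B, p=P, g=G):
    """Eve sees only A and B; with a toy p she recovers the key anyway."""
    a = discrete_log(A, p, g)
    return None if a is None else pow(B, a, p)

if __name__ == "__main__":
    A, B, key = run_exchange(6, 15)
    print("A =", A, "B =", B, "shared key =", key)      # A = 8, B = 19, key = 2
    print("Eve recovers", eavesdropper_recovers(A, B))  # 2
```

With p = 23 the logarithm loop runs at most 22 times; with a 2048-bit prime the same loop would need on the order of 2^2048 steps, and even the best known algorithms remain far out of reach. Note also that nothing in the exchange tells Alice that B really came from Bob, which is why the Diffie-Hellman values are signed in real protocols.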
DL Problem
See » Discrete Logarithm Problem
Document management
(DM) is a computer system (or set of computer programs) used to track and store electronic documents and/or images of paper documents. Document management commonly provides storage, versioning, metadata, security, as well as indexing and retrieval capabilities.
DPA (Differential Power Analysis)
DPA belongs to the class of side channel attacks. One measures the electric power consumption while the encryption (or signature) takes place, usually over many runs, and analyses the traces statistically to extract partial information about the key. Countermeasures include masking of intermediate values and constant-time, data-independent code paths.
DSA
The DSA algorithm (Digital Signature Algorithm) is used to generate digital signatures. It is based on the DL problem in finite fields. Moduli of 1024 bits were long customary; today 2048 bits or more are required (as for the RSA algorithm). Each signature needs a fresh, unpredictable random value; reusing or leaking it reveals the private key.
Dual Interface Card
Dual interface cards are smart cards with both contact and contact-less interfaces for data transmission in both directions.


E

ECC (Elliptic Curve Cryptography)
The use of elliptic curves in cryptography is called ECC (Elliptic Curve Cryptography). This class of algorithms provides an attractive alternative to the probably most popular asymmetric algorithm, RSA. The underlying mathematical problem is the discrete logarithm in a finite group; here the group consists of the points which solve a certain equation, that is, the points of an elliptic curve. The decisive advantage is that the fast (subexponential) algorithms known for the DL problem in finite fields and for factoring do not apply to well-chosen curves. Since only generic algorithms exist for the group of points on such a curve, significantly shorter keys and parameters suffice for the same security: a 256-bit curve is considered comparable to 3072-bit RSA. This is especially useful where storage or computing capacity is limited, e.g. in smart cards and other small devices. Examples of ECC algorithms are EC-DH, EC-DSA, EC-IES, EC-MQV and EC-NR, the elliptic curve versions of known protocols.
E-Commerce
Electronic commerce comprises all business transactions which are carried out electronically. This includes payment via PC (» Online Banking) or via mobile phone (» see M-Commerce). Therefore, authenticity and integrity must be ensured.
EEPROM
The EEPROM (electrically erasable programmable read-only memory) is a non-volatile memory used on chip cards. The EEPROM is divided into memory pages which can be written and erased. Its quality is characterised by the number of write/erase cycles a page endures.
Elliptic Curves
A mathematical construction, which has been employed successfully in cryptography since 1985.
If the ground field is GF(p) (p prime), a point of an elliptic curve with parameters A, B is a pair (x, y) which solves an equation of the form
y^2 = x^3 + Ax + B  (mod p), with 4A^3 + 27B^2 ≠ 0 (mod p).
If the finite field has characteristic 2, the equation has the form
y^2 + xy = x^3 + Ax^2 + B.
Together with a point at infinity serving as the neutral element, the points form a group under a geometrically motivated addition law (chord and tangent). Elliptic curves can be defined over any field, but only curves over finite fields are used in cryptography. If the curve and the underlying field meet certain conditions, the discrete logarithm problem in this group cannot be solved efficiently.
E-Mail Worm
A computer program which is sent by email and copies itself to many computers. In May 2000 the "I LOVE YOU" worm caused a break-down of a large number of computers in several countries, because this email worm was unknown to virus scanners at that time. Strictly speaking it was not a virus (it did not infect other programs) but a self-replicating worm; the mass of mails it sent also had the effect of a DoS attack on mail servers.
Embedded Systems
In order to protect control units and information systems against misuse, efficient and secure cryptographic algorithms are increasingly employed in the automotive and other industries. Here small keys and short computing times are often of particular importance (see » ECC).
Encryption and Decryption
Encryption is the process of obscuring information using » cryptography so that it cannot be read without special knowledge (the key). Decryption converts the encrypted text back into its plaintext. With » asymmetric ciphers encryption uses the public key and decryption the private key, the reverse of the key roles in a » digital signature. Well-known applications using these functions are » PGP and S/MIME clients such as Microsoft Outlook.
E-Provisioning
eProvisioning is the process of arranging all the necessary digital resources. For example, a new employee needs access from his computer to the network, certain directories, databases or programs, and needs to be able to send email, make telephone calls and much more; deprovisioning, revoking all of this when the employee leaves, is the security-relevant counterpart.
Evaluation
The process in a product certification in which the software and hardware architecture of a » small device is reviewed to establish a defined security level, e.g. according to the » Common Criteria rules. Evaluations are conducted by accredited laboratories acting on behalf of the dedicated national authorities, such as » NIST in the United States, » BSI in Germany or » DCSSI in France.


F

Factoring
Factoring is the problem of determining the prime factors of a given number. In the case n = pq (n is the product of two primes p and q) this is known as the IF (Integer Factoring) problem, the basis of the RSA algorithm: whoever factors n can compute the private key from the public one. The difficulty grows with the size of p and q. Moduli of 1024 bits (two 512-bit factors, more than 300 decimal digits) were long customary; today 2048 bits or more are the minimum recommendation.
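An added example, not from the original glossary, that ties the » Digital Signature entry to the factoring problem: textbook RSA signing and verification with two constructed small primes, followed by trial-division factoring of n that recovers the private exponent. The function names, primes and messages are assumptions of this example; the padding step of real RSA is replaced by a bare hash here and must not be copied into production code.

```python
# Added example (not from the original page): textbook RSA signing and
# verification with toy primes, then trial-division factoring of the modulus
# to show that the private exponent falls out as soon as n = p*q is factored.
# Real RSA uses 2048-bit or larger moduli and a padding scheme (PKCS#1 v1.5 or
# PSS) instead of the bare hash used here; nothing in this file is production code.
import hashlib
from math import gcd, isqrt

def rsa_keygen(p, q, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (n, e), (n, d)              # public key, private key

def message_representative(message, n):
    """Hash the message and reduce into [0, n): stands in for the padding step."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n

def sign(private_key, message):
    n, d = private_key
    return pow(message_representative(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == message_representative(message, n)

def factor_by_trial_division(n):
    """Exponential in the bit length of n: fine for a 27-bit n, useless for 2048."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None

def recover_private_key(public_key):
    """What an attacker does once n is factored: recompute d from (p, q, e)."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

# Constructed toy parameters: two 14-bit primes give a 27-bit modulus.
TOY_P, TOY_Q = 10007, 10009

if __name__ == "__main__":
    public, private = rsa_keygen(TOY_P, TOY_Q)
    sig = sign(private, b"transfer 100 EUR to Bob")
    print("valid:", verify(public, b"transfer 100 EUR to Bob", sig))     # True
    print("tampered:", verify(public, b"transfer 900 EUR to Bob", sig))  # False
    print("recovered key matches:", recover_private_key(public) == private)  # True
```

The attacker's work is entirely in `factor_by_trial_division`; everything after that is the same arithmetic the legitimate key owner performed. That is the whole security argument of RSA in one file: the signature scheme is only as strong as the difficulty of factoring n.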
Fault Attack
During normal operation the cryptanalyst deliberately provokes errors, e.g. by electromagnetic radiation, laser pulses, or glitches on the clock or supply voltage. From the changed program sequence or the faulty result he tries to deduce information about the secret data. Countermeasures include redundant computation and checking a result before it leaves the device.
Feistel cipher
An important requirement on a block cipher is that the encryption function be invertible so that texts can be decrypted. Feistel ciphers meet this requirement by construction: the block is split into two halves, and in each round one half is XORed with a function of the other half and a round key, after which the halves are swapped. The round function itself need not be invertible, and decryption uses the same structure with the round keys in reverse order. The most popular representative with such a structure is DES.
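A toy implementation of the Feistel structure just described, used to drive the ECB and CBC modes from the » Cryptographic Mode of Operation entry. This is an added example, not code from the original glossary: the round function, key schedule, key, IV and plaintext are constructed for the demonstration, and the cipher is deliberately small and insecure.

```python
# Added example (not from the original page): a toy 32-bit Feistel cipher and
# the ECB and CBC modes built on top of it. The round function, key schedule
# and parameters are constructed for illustration; the cipher is NOT secure
# and exists only to show the structure and the difference between the modes.
import hashlib

BLOCK = 4      # block size in bytes (two 16-bit halves)
ROUNDS = 8

def round_function(half, subkey):
    """F(R, K): maps 16 bits to 16 bits; it does not need to be invertible."""
    x = (half ^ subkey) & 0xFFFF
    x = ((x * 0x9E37) ^ (x >> 5)) & 0xFFFF      # arbitrary mixing, toy only
    return x

def expand_key(key):
    """Toy key schedule: ROUNDS 16-bit subkeys sliced from SHA-256(key)."""
    digest = hashlib.sha256(key).digest()
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") for i in range(ROUNDS)]

def feistel_block(block, subkeys):
    """Run the rounds; feeding the subkeys in reverse order inverts the map,
    because each round only XORs into one half and the XOR cancels."""
    left = int.from_bytes(block[:2], "big")
    right = int.from_bytes(block[2:], "big")
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # undo the last swap so that encryption and decryption share this code
    return right.to_bytes(2, "big") + left.to_bytes(2, "big")

def encrypt_block(block, key):
    return feistel_block(block, expand_key(key))

def decrypt_block(block, key):
    return feistel_block(block, expand_key(key)[::-1])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data):                      # PKCS#7-style padding to a multiple of BLOCK
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(b, key) for b in blocks(pad(data)))

def ecb_decrypt(data, key):
    return unpad(b"".join(decrypt_block(b, key) for b in blocks(data)))

def cbc_encrypt(data, key, iv):
    """Each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = encrypt_block(xor_bytes(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for b in blocks(data):
        out.append(xor_bytes(decrypt_block(b, key), prev))
        prev = b
    return unpad(b"".join(out))

def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one (pattern leakage)."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))

KEY = b"toy-key"                       # constructed
IV = bytes.fromhex("00010203")         # constructed; CBC needs an unpredictable IV
PLAINTEXT = b"ABCD" * 8                # eight identical blocks

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(PLAINTEXT, KEY)))       # 7
    print("CBC repeats:", repeated_blocks(cbc_encrypt(PLAINTEXT, KEY, IV)))   # 0
```

Because a Feistel network is a permutation for any round function, the eight identical plaintext blocks come out of ECB as eight identical ciphertext blocks (seven repeats plus one distinct padding block), while CBC chains each block into the next and shows no repeats. Neither mode protects integrity: flipping a ciphertext bit in CBC flips the same bit in the next plaintext block, which is why authenticated modes are preferred today.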
Firefox
Firefox is a free, open source web browser, for Windows, Linux and Mac OS X computer clients. It is based originally on the Mozilla project of » Netscape.
Finite Field
A mathematical structure with a finite number of elements in which one can add, subtract, multiply and divide. A common notation is GF (for Galois Field). In cryptography GF(p), where the number of elements is a prime p, and GF(2^m), where the number of elements is a power of 2, are used in particular.
Fingerprint
A short checksum which makes it possible to check the correctness of a key easily without comparing the entire key, usually by comparing the hash values of the key after application of a hash function. Two parties can read such a fingerprint to each other, e.g. over the telephone, to confirm that they hold the same public key. The term is unrelated to biometric fingerprints.
Fingerprint Sensors
FIPS
Federal Information Processing Standards, standards issued by » NIST for use by government agencies in the United States. The ones most relevant here are FIPS 140 (security requirements for cryptographic modules, the basis of the » certification of HSMs and smart cards) and FIPS 197 (AES).

Firewall
This term was adopted from architecture and refers to a computer or appliance whose purpose is to protect a network from others by means of access controls on the traffic passing through it. This ensures that private, sensitive data remain within the home network and that unauthorized users are kept outside. Firewalls filter and log network access to protect a local area network (LAN) from outside attacks; a firewall does not protect against attacks carried in traffic it has been configured to allow.

Flash Memory
Flash memory is a form of non-volatile computer memory that can be electrically erased and reprogrammed.


G

GF (Galois Field)
See » finite field


H

Hackers
Hackers are people who try to break into systems and gain access to data they are not authorized to obtain. Historically the hackers' motivation has often been to draw attention to security gaps rather than to cause damage (which, however, can give other people criminal ideas).

Hard disk encryption
This process is used to protect confidentiality of the data stored on a computer hard disk.

Hash function
A function which computes a fixed-size value (the hash value) from an arbitrary amount of input data. Hash functions are used to generate the electronic equivalent of a fingerprint. It must be computationally infeasible to find two inputs with the same hash value (a collision) or to find an input matching a given hash value (a preimage). Common hash functions today are the SHA-2 family (e.g. SHA-256, 256-bit output) and SHA-3; RIPEMD-160 and SHA-1 (160-bit outputs) and MD5 (128-bit output) are still encountered, but MD5 and SHA-1 are broken with respect to collision resistance and must not be used for signatures or certificates.
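A birthday search for a collision, as an added example for the » Collision and Hash function entries (not part of the original glossary). SHA-256 is truncated to 32 bits to make the search finish in well under a second; the messages are constructed counters and the function names are this example's own.

```python
# Added example (not from the original page): a birthday search for a
# collision on a truncated hash, to show how the output length sets the
# collision-finding cost. Messages are constructed counters; the truncation
# to 32 bits is the toy part, the method is the real one.
import hashlib
import math

def truncated_hash(data, bits):
    """The first `bits` bits of SHA-256(data) as an integer (a toy short hash)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def expected_tries(bits):
    """Birthday bound: about sqrt(pi/2 * 2**bits) hashes until a collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(bits, prefix=b"msg-"):
    """Hash distinct messages until a truncated value repeats.
    Returns (m1, m2, tries) with m1 != m2 and equal truncated hashes."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1

if __name__ == "__main__":
    m1, m2, tries = find_collision(32)
    print(f"collision after {tries} tries (expected about {expected_tries(32):.0f}):")
    print(m1, m2, hex(truncated_hash(m1, 32)))
    print(f"a full 256-bit hash would need about 2^{math.log2(expected_tries(256)):.0f} tries")
```

The search needs roughly 2^16 hashes for a 32-bit output, 2^64 for a 128-bit output (the reason MD5's length alone was never enough once its structure was attacked) and 2^128 for SHA-256. The full SHA-256 values of the two colliding messages still differ; only their 32-bit prefixes agree.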
HBCI
HBCI (Home Banking Computer Interface) is the specification of a » standardized interface between customer products and (German) financial institutions.
HSM (Hardware Security Module)
Hardware Security Modules (HSMs, also expanded as High Security Modules) are tamper-resistant devices that store and process sensitive data and cryptographic keys; keys are generated and used inside the module and never leave it in plain form. Some commercial use of the term refers to a specific form factor, e.g. a PCI card or a network-attached appliance.


IJ


Identity Based Web Services
Ventures that go about the task of providing secure management of individual data over the world wide web.
Identity Management
Identity Management gains relevance in today’s times where there are users from many locations, inside and outside a firm that require access to central data. Open networks emerge from various external sites that must provide access to confidential data. This means a large challenge for the design of a security structure (Public Key Infrastructure).
IEEE
The abbreviation for Institute of Electrical and Electronics Engineers (http://www.ieee.org). For several years, the working group P1363 has been dealing with the standardization of algorithms for public key cryptography.
IETF
The Internet Engineering Task Force (http://www.ietf.org/overview.html) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution and standardization of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.
IF (Integer Factoring)
See » factoring.
Integrated Public Key Infrastructure
Classic security measures in corporations reach their limits as soon as open networks emerge. Passwords no longer suffice, and the need for stronger authentication comes into focus. A solution is therefore in demand which uses the existing corporate infrastructure, preferably extends it, and integrates the Identity Management functions unobtrusively without having to redefine the processes. By running PKI services directly on the existing directory services, the user data already stored there are retained and redundant data management is avoided.
Integrity
The test on the integrity of data is carried out by checking messages for changes during the transmission by the receiver. Common test procedures employ hash functions, MACs (Message Authentication Codes) or - with additional functionality - » digital signatures.
IPSec
IP Security (IPSec) is a protocol suite developed by the IETF to support secure exchange of packets at the IP layer.
ISIS MTT
ISIS MTT specifications deal with signatures and security functionalities. The main subject are Secure email, various levels of security, and compatibility according to international standards and consistent with existing laws.
ISO
International Organization for Standardization, (http://www.iso.ch); deals with algorithms of all cryptography areas in various working groups.
ISO 7816
The ISO/IEC standard family defining contact » smart cards: physical characteristics and contact positions, the transmission protocols T=0 and T=1, and the interindustry commands (APDUs) and file structures of part 4. Due to the success of the standard and the large demand for interoperability, it is used well beyond banking cards, especially for identification purposes. Contactless cards are covered by the separate ISO/IEC 14443 standard, which is also the basis of most » RFID based identification cards.
Javacard
Unlike a plain » ISO 7816 compliant » smart card IC, a Java Card compliant smart card runs an interface layer, a so-called virtual machine (just as in computer systems), that allows applets to be loaded and updated after the token has been deployed in the field. Whereas regular smart card ICs are mostly built for pre-specified applications or customers, a Java Card is designed to serve several demands. The main reason for this second smart card standard, introduced by » Sun Microsystems, was interoperability between different vendors in banking and mobile phone applications. Within » public key infrastructures compatibility is provided by the PC client software (such as charismathics' » smart security interface), and the card platform is of much less importance.


K

Kerberos
Kerberos is an authentication protocol developed at MIT. It uses symmetric cryptography and a trusted third party, the Key Distribution Center, which issues time-limited tickets, to provide strong authentication for client/server applications across an otherwise open network.

Kerckhoffs' Principle
An important principle in the evaluation of cryptographic algorithms: the security of a procedure must not depend on keeping the algorithm secret, but only on keeping the key secret. A system that relies on a secret design ("security by obscurity") cannot be publicly reviewed and is compromised for good once the design leaks.

Key Escrow
Key escrow means depositing the private key with a superior authority, which can then gain access to the private key of a user. For keys used only to protect communication this is rarely needed (data can be resent), but for stored data there is a clear risk that loss or damage of the key renders critical data inaccessible, so encryption keys are often escrowed. Signature keys should never be escrowed, since a copy held by a third party destroys non-repudiation.

Key Exchange
The use of symmetric cipher algorithms requires that two communication partners decide on one joint key only known to themselves. The difficulty is that for the exchange of such information usually only partially secure channels exist. Additionally, protocols for key exchange must be prepared in such a way that only those pieces of information are exchanged which do not lead to knowledge of the real secret (the key). The most popular protocol of that type is Diffie-Hellman, whose presentation in 1976 can be regarded as the birth of public-key cryptography.

Key Management
Key management comprises all functions for the generation, distribution, storage, destruction and updating of keys.

Knapsack Problem
The so-called knapsack problem was one of the first problems used for public key procedures. The description is simple: you have a knapsack capable of carrying a certain weight, and a large number of items of different masses. The problem is to select what to put in the knapsack to fill it optimally. For a large number of items this is a really difficult problem, yet the algorithms based on it have all been proved insecure in the meantime.
Known Plaintext Attack
Expression for the situation in which an attacker, when attacking the cipher, knows the plaintext corresponding to a cipher text. This is a serious problem since many messages are characterized by a certain format.


L

LDAP
LDAP (Lightweight Directory Access Protocol) has been developed as an open standard for directory information services for global or local directories. The concept is intended to support a high volume of requests, but assumes that the data does not change too often.
Liberty Alliance
A venture providing secure management of individual data over the world wide web.
Linear cryptanalysis
A method of attack on a cipher that belongs to the class of known plaintext attacks. It tries to discover and exploit simple ("linear") dependencies between the bits of the plaintext and the cipher text in order to obtain information about the key.


M

MAC
A Message Authentication Code (MAC) expands a message, by means of a secret key, with special redundant pieces of information which are stored or transmitted together with the message. The attached redundancy must itself be protected in a suitable way, otherwise an attacker could deliberately modify it along with the message.
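Why the redundancy has to be keyed, as an added example that is not part of the glossary: the block computes an HMAC-SHA256 tag, verifies it with a constant-time compare, and contrasts it with an unkeyed digest, which any attacker can recompute after altering the message. Key and message are constructed sample values.

```python
"""Message authentication with HMAC-SHA256 (added example)."""
import hashlib
import hmac

# Constructed sample values: a real key comes from a CSPRNG or a key exchange.
KEY = b"constructed-32-byte-demo-key-0123"
MESSAGE = b"transfer 100 EUR to account 42"


def make_tag(key: bytes, message: bytes) -> bytes:
    """The redundancy that travels with the message: 32 bytes for SHA-256."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (see » Timing Attack)."""
    return hmac.compare_digest(make_tag(key, message), tag)


def plain_hash_receiver(message: bytes, digest: bytes) -> bool:
    """A receiver that only checks an unkeyed hash of the message."""
    return hashlib.sha256(message).digest() == digest


def tampering_survives_plain_hash() -> bool:
    """Changing the amount and recomputing the unkeyed digest is accepted:
    the redundancy was not protected, so it protects nothing."""
    tampered = MESSAGE.replace(b"100", b"900")
    return plain_hash_receiver(tampered, hashlib.sha256(tampered).digest())


def tampering_survives_mac() -> bool:
    """The same change against an HMAC receiver. Without KEY the best an
    attacker can do is reuse the old tag or send a plain hash; both fail."""
    tampered = MESSAGE.replace(b"100", b"900")
    old_tag = make_tag(KEY, MESSAGE)
    return (verify(KEY, tampered, old_tag)
            or verify(KEY, tampered, hashlib.sha256(tampered).digest()))


if __name__ == "__main__":
    print("genuine message accepted:", verify(KEY, MESSAGE, make_tag(KEY, MESSAGE)))
    print("tampering accepted with plain hash:", tampering_survives_plain_hash())
    print("tampering accepted with HMAC:", tampering_survives_mac())
```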
Magnetic Stripe Card
The magnetic stripe card has a magnetic stripe on which data can be written and read. It is widely used in conjunction with online authorization systems, especially with credit cards. As the data is easily read and copied, magnetic stripe cards are very insecure if not aligned with expensive online tracking processes. PKI tokens in » smart cards or » USB sticks avoid this kind of security issue.
Man-in-the-middle-attack
The attacker C ("Charly" or "Eve") intervenes secretly between A ("Alice") and B ("Bob"), intercepts their transmitted keys and impersonates » Alice to Bob and vice versa.
M-Commerce
The possibility of mobile execution of business processes. In particular, this denotes the connection of » E-Commerce with a mobile phone or another small device e.g. for the creation of digital signatures.
Message Recovery
The possibility of recovering a message without the original encryption key, e.g. if the encryption key is lost.
Message Digest
See » hash value under hash function.

Middleware
» Middleware is computer software that connects software components or applications. It is most often used to support complex, distributed applications.

Microsoft
Microsoft was founded by Bill Gates in 1975 in Albuquerque, New Mexico. With the issuing of the Windows 2000 platform in 1999, Microsoft started its design of software security mechanisms, defining its own cryptographic layer called crypto API. It has been designed for the Microsoft platform only and defines a standard interface for the » cryptographic service provider (CSP), provided to support » smart card ICs.

MIFARE
MIFARE is an interface for contact-less » smart cards and » smart card readers. It has been developed by Philips and has influenced the ISO 14443 standard.

MMC & SD device
The MultiMediaCard (MMC) is a flash memory standard. Typically, an » MMC card is used as storage medium for a portable device. Secure Digital (SD) is a flash memory card format used in portable devices.
Mobile Data Security
Mobile Data Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled, including on mobile devices. Thus data security helps to ensure privacy. It also helps in protecting personal data.
Multi API support
Our » middleware can support all standard PKI smart cards or USB sticks, e.g. JCOP, CardOS, TCOS, StarCOS, SecCOS and Cryptoflex, as well as the interfaces PKCS#11, MS-CAPI, APDU, PC/SC and CTAPI.
Multi card profile support
Our middleware can support the following profiles: PKCS#15, SigG, EPP, CNS, CAC, etc. Examples:
SigG (Signaturgesetz): the German law ruling all profile applications on a smart card.
CAC: the Common Access Card is a smart card issued as the standard identification for active duty military personnel, selected reserve personnel, civilian employees, and eligible contractor personnel.
Multi client OS platform support
Our middleware can support the following OS platforms:
Windows NT4, 2000, XP, 2003, Vista, Linux Redhat, SuSe, Solaris, MacOS
Multi smart card chip platform support
Our middleware can support different » smart card chips.


N

NIST
The National Institute for Standards and Technology - formerly NBS (National Bureau of Standards) - is a division of the US Ministry of Trade, which, among other tasks, defines cryptographic standards (http://www.nist.gov).
Netscape
The internet software pioneer company that introduced a cheap software application for internet browsing to PC clients in 1994. The company was acquired by AOL in 1999. Competing with Microsoft´s Internet Explorer, Netscape decided to open the source code of the "Navigator" into an open source project called "Mozilla", today known as "Firefox".
Non Repudiation
One of the objectives in the employment of digital signatures. It describes the fact that the sender of a message is prevented from denying the dispatch of the message.
NSA
National Security Agency (http://www.nsa.gov), a federal US security bureau, responsible e.g. for IT security, export control regulations and illegal use of the internet.


O

One Time Pad
The only method proven to be unconditionally secure for encrypting data. But there is a big disadvantage: the key used must have the same length as the text to be encrypted, and may only be used once. On the other hand, the basic encryption is very simple: the bits of the plaintext are XORed with the corresponding bits of the key to obtain the cipher text; a second XOR with the same key reverses this process and yields the plaintext again.
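The XOR encryption and decryption described above, as an added example that is not part of the glossary. The class enforces the two rules the entry states (pad as long as the message, pad used once), and `reuse_leak` shows what the single-use rule prevents: two cipher texts made with the same pad XOR to the XOR of the two plaintexts, with the pad cancelled out. All messages are constructed.

```python
"""One-time pad: XOR with a key as long as the message, used once (added example)."""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-by-bit XOR of two equal-length byte strings (see » XOR)."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad: random bytes from the OS CSPRNG, exactly as long as the message."""
    return secrets.token_bytes(length)


class OneTimePad:
    """XOR encryption that refuses short pads and pads that were already used."""

    def __init__(self) -> None:
        # Remember pads by a hash of their value so the pads themselves are not kept.
        self._used: set[bytes] = set()

    def encrypt(self, plaintext: bytes, pad: bytes) -> bytes:
        if len(pad) != len(plaintext):
            raise ValueError("pad must be exactly as long as the plaintext")
        pad_id = hashlib.sha256(pad).digest()
        if pad_id in self._used:
            raise ValueError("pad already used: reuse leaks plaintext")
        self._used.add(pad_id)
        return xor_bytes(plaintext, pad)

    @staticmethod
    def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
        # XOR is its own inverse: (p ^ k) ^ k == p
        return xor_bytes(ciphertext, pad)


def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Two messages under one pad (bypassing the class on purpose): c1 ^ c2 == p1 ^ p2,
    a value that no longer depends on the pad at all."""
    c1 = xor_bytes(p1, pad)
    c2 = xor_bytes(p2, pad)
    return xor_bytes(c1, c2)


def check_rules() -> tuple[bool, bool]:
    """(length rule enforced, single-use rule enforced) on constructed inputs."""
    otp = OneTimePad()
    pad = new_pad(5)
    otp.encrypt(b"hello", pad)
    try:
        otp.encrypt(b"hello", pad)          # same pad a second time
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    try:
        otp.encrypt(b"hi", new_pad(3))      # pad length does not match
        length_rejected = False
    except ValueError:
        length_rejected = True
    return length_rejected, reuse_rejected
```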
One Time Password (OTP)
The purpose of a one-time password is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. There are three basic types of one-time passwords: the first type uses a mathematical algorithm to generate a new password based on the previous one; the second type is based on time synchronization between the authentication server and the client providing the password; the third type again uses a mathematical algorithm, but the new password is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) and a counter instead of on the previous password. » charismathics supplies OTP tokens as an optional extension to the » plug´n´crypt product series.
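A counter-based OTP of the third type, as an added example that is not part of the glossary: HOTP as specified in RFC 4226, together with a server-side verifier that consumes each code once, resynchronizes within a small look-ahead window, and refuses codes older than its counter. The shared secret is the RFC 4226 test-vector secret, used only so the output can be checked against published values.

```python
"""HOTP (RFC 4226) with a replay-safe server counter (added example)."""
import hashlib
import hmac

SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret, for checking only


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble of last byte
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Holds the per-token counter; each code is accepted once and only moving forward."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0            # next counter value we expect from the token
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for i in range(self.look_ahead):
            candidate = hotp(self.secret, self.counter + i)
            if hmac.compare_digest(candidate, code):
                self.counter += i + 1   # burn this code and any the token skipped
                return True
        return False


def demo() -> tuple[bool, bool, bool, bool]:
    """Expected code, replay of it, a skipped-ahead code, and a stale code."""
    server = OtpServer(SECRET)
    first = server.verify(hotp(SECRET, 0))      # True: the expected code
    replay = server.verify(hotp(SECRET, 0))     # False: already consumed
    skipped = server.verify(hotp(SECRET, 3))    # True: within the look-ahead window
    stale = server.verify(hotp(SECRET, 1))      # False: counter has moved past 1
    return first, replay, skipped, stale


if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])
    print(demo())
```

The time-synchronized (second) type is the same construction with the counter replaced by the number of elapsed time steps; the server then needs a clock-drift window instead of a counter window.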
One-way function
Mathematical function whose inverse function cannot, or only with great effort, be calculated.
Open Network
In an open network (e.g. the internet) not all participants and operators know each other. Since everybody has access to an open network, no single operator can be responsible for security issues. Hence, groups with common interests have to integrate security measures into their communication by themselves.
OCSP
OCSP (Online Certificate Status Protocol) is a protocol for online verification of the validity of a single certificate (RFC 2560). This protocol enables a user to query the validity in real time from a so-called OCSP responder.


P

Padding
Most messages cannot be divided into blocks of a fixed length of e.g. 64 bit. There can remain an incomplete block which will then be completed with the method of padding. Such procedures exist for all block-orientated algorithms.
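One common padding procedure, PKCS#7 (the one PKCS#5 specifies for 8-byte blocks), as an added example that is not part of the glossary: `pkcs7_pad` completes the last block with n bytes of value n, adding a whole block when the data is already aligned so that unpadding is unambiguous, and `pkcs7_unpad` validates strictly before stripping. Sample inputs are constructed.

```python
"""PKCS#7 block padding with strict validation (added example)."""


def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Append n bytes of value n so the length becomes a multiple of block_size."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255")
    n = block_size - (len(data) % block_size)     # n is in [1, block_size]
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip and validate padding. One generic error for every failure, so a
    caller cannot tell a bad length from bad padding bytes."""
    if not data or len(data) % block_size != 0:
        raise ValueError("invalid padding")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def roundtrip(data: bytes, block_size: int = 16) -> bool:
    """Padded length is block-aligned and unpadding restores the input."""
    padded = pkcs7_pad(data, block_size)
    return len(padded) % block_size == 0 and pkcs7_unpad(padded, block_size) == data


def unpad_rejects(data: bytes, block_size: int = 16) -> bool:
    """True if the validator refuses this (constructed) malformed input."""
    try:
        pkcs7_unpad(data, block_size)
    except ValueError:
        return True
    return False
```

In a protocol, the padding check belongs after the integrity check (see » MAC): if the receiver reports padding errors on data whose tag has not been verified, the distinguishable error becomes a side channel.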

Pass Phrase
A long, but memorable character sequence (e.g. short sentences with punctuation) which should replace passwords as they offer more security.

Password
A secret character sequence whose knowledge serves to authenticate a participant. A password should be long enough to ensure that an attacker cannot guess it by trial and error.

PGP
PGP ("Pretty Good Privacy") is a software application developed by P. Zimmermann for email encryption and email signatures. One of the major outcomes of the availability of the software was the popularity of public key procedures since 1994. Another one was the reaction of the US government: Mr. Zimmermann refused to withdraw his free software from the market. As of 2006, he still belongs to the board of directors of PGP corporation in Mountain View, CA.

PKCS
Abbreviation for "Public Key Cryptography Standard". Issued and supported by RSA Laboratories (http://www.rsasecurity.com/rsalabs), it is an inter company standard, meant to solve the difficult problem of product compatibility. The expression comprises a range of different documents, examples are PKCS#1 (for the RSA algorithm), PKCS#7 (for the formats used within cryptography) or » PKCS#11.

PKCS#11
The widely used inter-company standard for a generic interface between software applications and cryptographic tokens (e.g. » smart card ICs or » soft tokens), defined by RSA Laboratories. Comparable to Microsoft´s CAPI, it defines a much broader range of commands and allows a much more convenient interfacing between the user and the token. Therefore, most of the popular software applications are using security mechanisms based on the PKCS#11 standard. Most » PKI clients (such as charismathics´ » smart security interface©) support both interfaces, and consist of a DLL supporting PKCS#11 and another one supporting the Microsoft CAPI, by using a » CSP software module.

PKI
See » Public Key Infrastructure

plug´n´crypt family
» plug´n´crypt is an all-in-one USB device. It combines the functionality of a smart card and a smart card reader with the convenience of a USB flash memory stick, creating a unique new product: your easy-to-use companion for mobile security and secure data storage. ID, RFID and certgate are different variants of our token.
plugs into all standard software applications
Applications such as MS Explorer, Firefox, Outlook Express, MS Outlook, Netscape, etc. are considered standard applications, and our product line works perfectly together with all applications referred to.

Power Attacks
A power attack measures the electric power consumption during a calculation to find out partial information about the secret data. SPA and DPA are power attacks.

Prime Number
A number (greater than 1) whose only divisors are 1 and itself. Prime numbers have special importance in cryptography e.g. due to the problem of factoring.
Profile Diversity PKCS#15
The cryptographic token information format standard. It describes a standard for the format of cryptographic credentials stored on cryptographic tokens. Profile diversity means, in our case, that our token can support different profiles on the same token.
Protection Profile
A Protection Profile (PP) is a document, typically created by a user or user community, that gives an implementation-independent specification of information assurance security requirements. A PP is a complete combination of security objectives, security-related functional requirements, information assurance requirements, assumptions, and rationale. A PP is part of the evaluation process for the Common Criteria (CC) standard, and CC certification is sometimes required for IT procurement.

Pseudo Prime Number
A number which has not been proved to be a prime number, but which nonetheless has been shown, by means of special procedures (e.g. the so-called Miller-Rabin test), to have a low probability of being a composite number. The numbers used e.g. in the RSA algorithm are usually pseudo prime numbers. A humorous description of this expression is "prime number of industrial quality".
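The Miller-Rabin test mentioned above, as an added example that is not part of the glossary: each round picks a random base and either proves the candidate composite or lets it survive, so after `rounds` survivals the candidate is a pseudo prime with error probability at most 4^-rounds. The second function produces such "industrial quality" primes of a requested size; test inputs (including the Carmichael number 252601, which fools the plain Fermat test) are constructed.

```python
"""Miller-Rabin probable-prime test and pseudo prime generation (added example)."""
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """False if n is certainly composite; True if it survives `rounds` random bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # trial division settles small n and cheap composites
        if n % p == 0:
            return n == p
    # write n - 1 = 2**r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)     # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                         # a says nothing this round
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                     # a is a witness: n is composite
    return True


def generate_probable_prime(bits: int, rounds: int = 40) -> int:
    """Draw random odd candidates of exactly `bits` bits until one passes the test."""
    if bits < 8:
        raise ValueError("use at least 8 bits")
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(candidate, rounds):
            return candidate


if __name__ == "__main__":
    print(is_probable_prime(252601), is_probable_prime(2**61 - 1))
    print(generate_probable_prime(64))
```

Random bases matter: a fixed set of bases can be fooled by specially constructed composites, which is a concern whenever the candidate comes from an untrusted party (e.g. a supplied public modulus).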

Pseudo Random Number
Many cryptographic mechanisms require random numbers (e.g. in key generation). The problem, however, is that it is difficult to generate true random numbers in software. Therefore, so called pseudo-random number generators are used, which should be initialized with a real random element (the so called seed).

Public Key
This is the publicly known key in an asymmetric cipher which is used for encryption and verification of digital signatures.

Public Key Algorithms
Describes the class of algorithms in which the required key is divided into a publicly known part (the public key) and a part to be kept secret (the private key). Due to this division, these algorithms are also called asymmetric ciphers; examples are the RSA algorithm and most ECC algorithms.

Public Key Infrastructure (PKI)
A Public Key Infrastructure represents an infrastructure to manage public key certificates. A PKI does not create security by itself; instead it is a combination of hardware and software components, policies and various procedures. It is primarily based on certificates, which in turn authenticate the keys of the communication partner through digital signatures from a trusted instance.


Q

Quantum Cryptography
Quantum cryptography is a young field of cryptography that exploits quantum-mechanical effects. For example, single photons with a certain polarization are used for secure data transmission. Even eavesdropping can be detected, because if somebody listened to the transmitted data, he made measurements, and these measurements disturbed the physical data. A commercial implementation is not yet possible, because in scientific field experiments only short transmission ranges (less than 20 km) could be achieved.


R

Random Number
Many cryptographic algorithms or protocols require a random element, mostly in the form of a random number which is newly generated in each case. In these cases, the security of the procedure depends in part on the suitability of these random numbers. As the generation of real random numbers within computers still poses a problem (a source of real random events can in fact only be obtained by exact observation of physical events, which is not easy to realize in software), so-called pseudo random numbers are used instead.
Registration Authority (RA)
The function of a Registration Authority (RA) is the unambiguous establishment of the identity of a person for which a certificate can be generated. This data is then relayed to the CA. In an integrated PKI it is possible to use existing services and qualified data: user data already stored in the directory services is not discarded, which avoids a redundant registration process.
RFC
The procedures used in the internet are presented and stored in documents called "Request For Comments". Everybody can send a proposal to the » IETF, which decides whether the proposal becomes an RFC or even an internet standard.
RSA
This algorithm, named after its inventors Rivest, Shamir and Adleman and presented in 1978, is based on the experience that the factoring of large numbers (in real applications above 300 decimal digits) poses a problem which cannot be practically solved. It is the best known and most widely used algorithm of the class of asymmetric ciphers. The algorithm can also be used to generate digital signatures by exchanging the roles of the secret and the public key.


S

S.S.C.
The » smart security component is an integrated platform made up of a PKI smart card chip and the charismathics CSP and PKCS#11 middleware. This unique solution provides complete independence when choosing smart card chip and operating system supplier for a maximum amount of flexibility when integrating identity management applications.

S.S.I.
The » smart security interface is a smart card independent middleware which allows integration directly with any PKI and at the same time interfaces seamlessly with PKCS#11 applications.

S.S.L.
This charismathics » smart security language is an additional product in the form of a tool-set, which allows developers to rapidly create and integrate the smart security interface components into their existing infrastructure.

S/MIME
Extension of MIME (Multipurpose Internet Mail Extensions) by the functionalities of encryption and message signing, mainly by using PKCS specifications.
Secret Sharing
A cryptographic protocol aiming at the distribution of confidential information to a number of participants in such a way that only a sufficiently large subset of the participants is capable of reconstructing the original secret.
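Shamir's threshold scheme, as an added example that is not part of the glossary: the secret is the constant term of a random polynomial over a prime field, each participant receives one point on it, and any `threshold` points interpolate the constant term while fewer leave it uniformly undetermined. The secret, field prime and 3-of-5 parameters are constructed for the demonstration.

```python
"""Shamir secret sharing over GF(p): k of n shares reconstruct (added example)."""
import secrets

PRIME = 2**127 - 1   # Mersenne prime; a 16-byte key is always below it


def _eval_poly(coeffs: list[int], x: int, p: int) -> int:
    """Horner evaluation of c0 + c1*x + ... at x, mod p."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def split_secret(secret: int, threshold: int, shares: int,
                 p: int = PRIME) -> list[tuple[int, int]]:
    """Hide `secret` as the constant term of a random degree-(threshold-1)
    polynomial and hand out its values at x = 1..shares."""
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(shares: list[tuple[int, int]], p: int = PRIME) -> int:
    """Lagrange interpolation at x = 0. With at least `threshold` distinct shares
    this is the secret; with fewer it is a uniformly random field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def demo(secret: int = 0x2B7E151628AED2A6ABF7158809CF4F3C) -> tuple[bool, bool, bool]:
    """3-of-5 sharing of a constructed 128-bit key: two different triples
    recover it, a pair does not (except with probability 1/p)."""
    shares = split_secret(secret, threshold=3, shares=5)
    first_three = recover_secret(shares[:3]) == secret
    other_three = recover_secret([shares[0], shares[2], shares[4]]) == secret
    only_two = recover_secret(shares[:2]) == secret
    return first_three, other_three, only_two


if __name__ == "__main__":
    print(demo())
```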

Secure application access
Secure Application Access is the piece of software/hardware that provides a secure connection to computing resources.

Secure internet transactions
When you communicate with a transaction server, an encrypted digital ID and the address of the server are sent. Then, when you send any data from your device, a program checks that encrypted digital ID against a certificate and verifies a secure connection between your device and the server.

Secure login
A login (also log in, log on, sign-on, sign on, sign in) is the process of gaining access to a computer system by identifying the user in order to obtain credentials that permit access. Secure login is an integral part of the computer security procedure that verifies the user's credentials before granting access to specific information storage.
Seed
The value by which a pseudo random number generator must be initialized so that the resulting sequence cannot be predicted by an attacker.
SCEP
The Simple Certificate Enrollment Protocol (SCEP) specifies the secure distribution of certificates over a network. The goal is the automatic issuance and distribution of certificates for Cisco Routers operating over VPNs.
SHA
Short for "Secure Hash Algorithm", a family of related cryptographic hash functions. The most commonly used function in the family, SHA-1, is employed in a large variety of popular security applications and protocols, including » TLS, » SSL, » PGP, » SSH, » S/MIME and » IPSec. SHA-1 is considered to be the successor to MD5, an earlier, widely used hash function. Both are reportedly compromised. In some circles, it is suggested that SHA-256 or greater be used for critical technology. The SHA algorithms were designed by the » NSA and published as a US government standard. Four more variants have since been issued with increased output lengths and a slightly different design: SHA-224, SHA-256, SHA-384 and SHA-512, collectively referred to as SHA-2.

Side Channel Attacks
This type of attack on a smart card is based on the measurement of indirect information, e.g. the current consumption (Power Attack), the temporal duration (Timing Attack) or electromagnetic radiation.
SigG/SigV
Abbreviation for the notions "Signaturgesetz" and "Signaturverordnung" (German Digital Signature Act/Signature Regulation); these have been regulating the use of digital signatures in Germany since 1997.
Small Devices
These are small portable devices which contain a micro-controller or similar devices, such as smart cards, palmtops, organizers or mobile phones, i.e. devices for individual data communications.
Smart Card Operating System
see » Card Operating System
Smart Card IC
A smart card IC (such as charismathics´ » smart security component©) typically is built into an » ISO 7816 formatted plastic card, containing a micro controller IC (with CPU, volatile (RAM) and non-volatile (ROM, EEPROM) memory). This special » die is able to carry out its own calculations in contrast to a simple memory IC. Sometimes a smart card IC has a numerical coprocessor (NPU) to execute public key algorithms efficiently (see » smart security component©). Smart card ICs have all of their functionality comprised on a single chip. Therefore, a smart card IC is ideal for use in cryptography as it is almost impossible to manipulate its internal processes.

Smart security appliance
The » smart security appliance is an easy to use, flexible and inexpensive product to fit your demands for all identity management purposes, such as certificate management and user authentication for various demands and applications.
SPA (Simple Power Analysis)
An SPA (simple power analysis) attack belongs to the class of side channel attacks. The power consumption is measured during the usage of the private key, e.g. during calculation of the digital signature, to deduce partial information about the key itself. If for instance the program sequence branches according to the key, this will influence the power consumption and give certain feedback about the key. This can be overcome by providing a continuous power consumption, fewer branches and randomized operations when using the private key.
SPHINX
A project of the » BSI, testing products of different manufacturers realizing email security by encryption and interoperability of digital signatures.
Steganography
Steganography (or Data Hiding) comprises all techniques that hide information. Digital data can be hidden in pictures, videos, music, text, or source code. If the emphasis is on hiding copyright information that can be verified later, it is called digital watermarking.
Stream Cipher
A symmetric encryption algorithm which processes the plaintext bit-by-bit or byte-by-byte, is called stream cipher. Examples are A5 or RC4. The other usually employed class of algorithms comprises so called block ciphers.
SSL
Short for "Secure Socket Layer", an internet software protocol developed by » Netscape, based on a digital certificate of the host and the client computer. SSL uses asymmetric keys to sign and encrypt data. SSL based websites can be recognized by the abbreviation "https://..." in the URL line and by a key lock symbol displayed in the internet browser. They are proven to be authentic. Lately, one-directional SSL sessions are being replaced by bi-directional SSL sessions, allowing the secure identification of the client computer. SSL is meant to replace user name and PIN as authentication means.

Sun Microsystems
Founded as a vendor of computer server systems in the Silicon Valley, Sun Microsystems has grown more and more into a role competing with » Microsoft. Supporting open and non-proprietary architectures against them and inspired by the development of the internet, Sun invented, developed and standardized the "Java" programming language, enabling engineers to develop hardware-independent software by using an abstraction layer, the so-called "virtual machine". A derivative of this programming language was the specification of the » javacard.

Supported Pre-Boot Environments
The charismathics product suite is guaranteed to integrate with network and device encryption technology at the pre-boot level (i.e. when a protected PC is started and before Windows loads its operating system).
Symmetric Cipher
Encryption algorithm using the same key for enciphering and deciphering (or, in which these two keys can simply be derived from each other). One distinguishes between block ciphers processing plaintext in blocks of fixed length (mostly 64 or 128 bit) and stream ciphers working on the basis of single bits.
Symmetric Encryption
See » Symmetric Cipher.


T

Time stamp
For some applications in cryptography (e.g. legally binding digital signatures) it is important to know the exact point in time at which certain data existed. This is why a time stamp is attached (and of course signed) to the messages concerned.
Timing Attack
Timing attacks try to gain information about the private key by simple time measurements. E.g. the time for a digital signature could depend on the number of one-bits in the private key.
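Why running time carries key information, and how to remove the dependency, as an added example that is not part of the glossary. Wall-clock timing is noisy on a shared machine, so each comparison function here reports the number of byte operations it performed, which is exactly the quantity a timing measurement reveals. The tag and the series of guesses are constructed; the last function shows the standard-library call production code should use instead.

```python
"""Early-exit versus constant-time comparison, measured in operations (added example)."""
import hmac


def early_exit_compare(expected: bytes, given: bytes) -> tuple[bool, int]:
    """The naive memcmp-style check: stops at the first mismatch, so its
    running time grows with the length of the matching prefix."""
    steps = 0
    if len(expected) != len(given):
        return False, steps
    for x, y in zip(expected, given):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, given: bytes) -> tuple[bool, int]:
    """Folds every byte into one accumulator; the work is the same for every
    input of the given length, regardless of where the difference sits."""
    if len(expected) != len(given):
        return False, 0
    diff, steps = 0, 0
    for x, y in zip(expected, given):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def work_profile(expected: bytes, attempts: list[bytes], compare) -> list[int]:
    """Operation count of `compare` for each constructed attempt."""
    return [compare(expected, a)[1] for a in attempts]


def library_check(expected: bytes, given: bytes) -> bool:
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    tag = b"a1b2c3"                                   # constructed secret value
    attempts = [b"zzzzzz", b"azzzzz", b"a1zzzz", b"a1b2c3"]
    print("early exit  :", work_profile(tag, attempts, early_exit_compare))
    print("constant    :", work_profile(tag, attempts, constant_time_compare))
```

The early-exit profile is the leak: an observer who can measure it learns how much of the value is already right, which is what the entry's "number of one-bits" example amounts to for a private-key operation. The fix is the same in both cases, make the work independent of the secret.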
TLS
The TLS (transport layer security) protocol permits client/server applications confidential and tamper-proof communication. TLS is application protocol-independent; higher-level protocols can layer on top of the TLS protocol transparently. Based on SSL 3.0, TLS supersedes and is an extension of » SSL. TLS and SSL are not interoperable.
Token
see » cryptographic token

Token management system
A management system is the framework of processes and procedures used to ensure that a token can fulfil all tasks required to achieve its objectives.
Trapdoor Function
A trapdoor function is a function f which can be calculated easily, but for which it is not possible without the secret key to calculate an argument x with f(x)=y. Trapdoor functions are potential candidates for asymmetric cryptographic systems.
Triple-DES (3-DES)
The DES algorithm is employed three times in a row with different keys. There are different versions, which differ e.g. in the number of keys employed. The most common method (also standardized by ANSI) is the EDE procedure. In this procedure, the 1st key is used for encryption, the 2nd for decryption, and then the 1st key is used again for encryption. The effective key length in this case is therefore 112 bit. But versions with 3 different keys also exist, i.e. with a 168-bit key length.
Trojan Horse
This is the name of a program which, in addition to its basic function, comprises another unknown function, e.g. to send passwords via email to the internet. In contrast to a virus such a program is not self-replicating.
Trust Center
A trust center is a commercial establishment that issues certificates, such as Verisign, Geotrust or Thawte. Additional services can include directory, revocation and time-stamp services. In many countries, T.C. combine the functions of certificate distribution and a » certificate authority.

Two-factor authentication
Two-factor authentication (T-FA) is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one factor (knowledge of a password) in order to gain access to a system.


U

USB-Token
A USB-token is a » small device with a USB-port. Most of them have the form of a key fob and provide similar functionality to a smart card. Since most equipment today has a USB-port, they can save the cost of a card reader.


V

Virus
This is a program which usually attaches itself unnoticed to or into other files and which can carry out destructive activities. In this case (in contrast to a » Trojan horse) virus infected files are capable of infecting other files.
VPN
Short for "Virtual Private Network", a VPN is the simulation of a private network by utilizing a public network. In this network, all computer links are encrypted so that every communication is carried out confidentially (privately).


W

Weak Cryptography
The quality of a cryptographic algorithm depends on the effort, that a potential attacker has to invest to crack a message without knowing the key. This effort is composed of the necessary computing time and the necessary memory. Weak cryptographic algorithms can be cracked with little effort (and thus little cost).


XY

X.509
Standard for certificates, CRLs and authentication services. It is part of the X.500 standard of the ITU-T for realization of a worldwide distributed directory service.
XOR
XOR (exclusive or) is a Boolean operator. (True resp. False correspond to 1 resp. 0). Bit-by-bit XOR is an important function for cryptography. It equals an addition without overflow bit in the binary number system, i.e. 0+0=0, 1+0=1, 0+1=1 and 1+1=0. Such bit-by-bit orientated functions are interesting as they can be implemented in hardware very quickly.


Z

Zero Knowledge Proof
A protocol with the aim of convincing the recipient that the sender has a certain piece of information while keeping all of the secret (therefore "zero knowledge"). If the sender has the information, he can always send the correct bit. Otherwise he can send the correct bit only with a 50% chance. By iterating this call-and-response game the recipient can make the error probability as small as he wants. (This simplified explanation is not the general mathematical definition of a Zero Knowledge Proof.) Zero-knowledge protocols allow identification, key exchange and other basic cryptographic operations to be implemented without leaking any secret information during the conversation. Thus zero-knowledge protocols can provide the functionalities of public-key protocols.
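The call-and-response game above, as an added example that is not part of the glossary, in the form of a Schnorr-style identification protocol with one-bit challenges. The prover who knows the secret exponent x answers every challenge; a prover who knows only the public value y must guess the challenge before committing and so passes each round with probability exactly 1/2, which iteration drives down as the entry says. The group (p = 23, q = 11, g = 2 of order 11) is a constructed toy; a real protocol uses a large group and, usually, a many-bit challenge per round.

```python
"""Interactive zero-knowledge identification with one-bit challenges (added example)."""
import random

P, Q, G = 23, 11, 2     # constructed toy group: g = 2 has prime order q = 11 mod 23


def keygen(rng: random.Random) -> tuple[int, int]:
    """Secret x and public y = g^x mod p; the prover will show it knows x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


class HonestProver:
    """Knows x, so it can answer either challenge correctly in every round."""

    def __init__(self, x: int, rng: random.Random) -> None:
        self.x, self.rng, self.r = x, rng, 0

    def commit(self) -> int:
        self.r = self.rng.randrange(1, Q)       # fresh randomness hides x
        return pow(G, self.r, P)                # t = g^r

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q        # s = r + c*x


class CheatingProver:
    """Knows only y. It must guess the challenge bit before committing, so each
    round succeeds with probability exactly 1/2: the 50% of the glossary text."""

    def __init__(self, y: int, rng: random.Random) -> None:
        self.y, self.rng, self.guess, self.s = y, rng, 0, 0

    def commit(self) -> int:
        self.guess = self.rng.randrange(2)
        self.s = self.rng.randrange(1, Q)
        # choose t so that g^s == t * y^guess holds for the guessed challenge only
        return pow(G, self.s, P) * pow(self.y, -self.guess, P) % P

    def respond(self, c: int) -> int:
        return self.s                           # valid only if c == self.guess


def run_protocol(prover, y: int, rounds: int, rng: random.Random) -> bool:
    """Verifier side: challenge with a random bit and check g^s == t * y^c."""
    for _ in range(rounds):
        t = prover.commit()
        c = rng.randrange(2)
        s = prover.respond(c)
        if pow(G, s, P) != t * pow(y, c, P) % P:
            return False
    return True


def honest_accepted(rounds: int = 20, seed: int = 1) -> bool:
    rng = random.Random(seed)                   # seeded only for reproducibility
    x, y = keygen(rng)
    return run_protocol(HonestProver(x, rng), y, rounds, rng)


def cheater_accepted(rounds: int = 32, seed: int = 1) -> bool:
    rng = random.Random(seed)
    _, y = keygen(rng)
    return run_protocol(CheatingProver(y, rng), y, rounds, rng)


if __name__ == "__main__":
    print("honest prover accepted:", honest_accepted())
    print("cheating prover accepted:", cheater_accepted())
```

The transcript (t, c, s) reveals nothing about x because a verifier could have produced an identically distributed transcript alone, exactly as the cheating prover does for the challenge it guessed; what the cheater cannot do is answer both challenges for one commitment.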

 

© Copyright Charismathics GmbH, 2004-2010

contact charismathics

fon +49 (89) 3090 6700
fax +49 (89) 3090 6729

info

on this page

123   A  B  C  D  E  F  G  H  IJ  K  L  M  N  O
 
P  Q  R  S  T  U  V  W  XY  Z   >top  >down

related links

www.ansi.org
www.ieee.org
www.ietf.org/overview.html
www.iso.ch
www.nist.gov
www.commoncriteriaportal.org
www.nsa.gov
www.rsasecurity.com/rsalabs
msdn.microsoft.com/library
java.sun.com/products/javacard
www.kurvenfabrik.de
www.bsi.de
www.ssi.gouv.fr/en/dcssi

 Print
 Bookmark
 Tell a Friend