SDS E-Business Server® | EBS | Glossary of Cryptography

Here are explanations of many key terms essential to understanding computer cryptography.

Advanced Encryption Standard (AES): A symmetric-key encryption standard adopted by the U.S. government in 2002. The standard uses three, 128-bit, block ciphers with 128-, 192-, and 256-bit keys. Published by the U.S. National Institute of Standards and Technology (NIST): FIPS 197.

Authenticity: See Signature.

Certificate: A certificate provides evidence that a public key is authentic, genuine. A certificate is an electronic file that holds a public key, identifies the owner of the key, and provides a signature to assure that the key does indeed belong to the person identified. An X.509 certificate can hold just one identity and one signature. An OpenPGP certificate can identify the key owner in multiple ways (like a work address and a home address) and include multiple signatures, each one authenticating one or more of the identities.

Certificate Authority (CA): A trusted person or organization with the power to create and sign certificates. The X.509 standard relies heavily on a hierarchy of root CAs and their designated subordinate CAs. The OpenPGP standard, on the other hand, allows self-signing and relies on a web of trust.

Certificate Request: A message asking a certificate authority to create an X.509 certificate for a given public key and owner identity. Does not apply to OpenPGP certificates.

Certificate Server: See Key Server.

Cipher, Ciphertext: A cipher is a mathematical function that takes in a key and a body of plain text, then outputs encrypted ciphertext. The same algorithm processing the same plain text, but with different keys, yields different ciphertext.

Clear Text, Plain Text: Data that is not encrypted--whether it's ASCII, EBCDIC, binary, or anything else.

Compression: The process of describing patterns in a body of data and so reproducing the same data in a smaller-size file--common practice because it eases storage and transmission. For encryption it has an added advantage: Compressing a file before encrypting it further disguises the patterns in the original data, making it harder to decrypt without the right keys and tools.

Data Encryption Standard (DES): A symmetric-key encryption standard adopted by the U.S. government in 1976. DES uses 56-bit key.

Hash: A hash, also called a checksum, provides a way to judge the integrity of data. A hash algorithm processes a body of data and generates a value unique to that data. A truncated, tampered with, or otherwise damaged body of data will no longer yield the same hash value.

A hash value encrypted into a signature provides a way to test the integrity of the signed message.

A hash value for a certificate is its fingerprint. To evaluate the authenticity of a certificate, ask the owner to give you the fingerprint by some other route, then match it to the fingerprint of the certificate you have in hand.

Hierarchical Trust: X.509 certificates are signed by a hierarchy of certificate authorities. The root authority can designate subordinates, and they can designate further subordinates, and so on. Each is trusted because of the chain of trust going back to the root authority.

Regarding OpenPGP, see Web of Trust.

Integrity: A file with integrity is complete, undamaged, not tampered with. As files move from one machine to another it is important to ensure their integrity. That is typically accomplished by means of a hash.

Key Pairs, Public and Private: A key-pair has a public key for encrypting data; a private key for decrypting it. You can safely send your public key to your data source. The source can return an encrypted file that only you can read.

Key Server / Certificate Server: A server that allows clients to search for and retrieve public keys and certificates.

For example, an OpenPGP Global Directory or an LDAP system for X.509.

Also see Public Key Infrastructure.

Keyring: Keyring files on a computer store encrypted keys and certificates.

An OpenPGP system typically has two keyrings, one for private keys, one for public keys. The public key ring can include evaluation of a key's authenticity and evaluation of how much to trust the key's owner as a signer of other key certificates, i.e. as a certificate authority.

Non-repudiation: See Signature.

OpenPGP: A standard that describes how PGP encryption works so that encrypted messages can be handled by different software implementations. See RFC 4880, "OpenPGP Message Format," RFC 2440, "OpenPGP Message Format," and RFC 1991, "PGP Message Exchange Formats." Also see RFC 3156, "MIME Security with OpenPGP," and RFC 2015, "MIME Security with Pretty Good Privacy (PGP)."

PGP: PGP is a trademark belonging to Symantec Corp.

Private Key: See Key Pairs.

Public Key: See Key Pairs.

Public Key Infrastructure (PKI): A system that provides a key server as well as facilities for issuing and revoking keys and certificates.

For example, an OpenPGP Universal Server.

Revoke, Revocation: To revoke a key or certificate is to publish, via a public key infrastructure, notice that a given key or certificate cannot be trusted.

Self-Decrypting Archive (SDA): An encrypted file packaged with executable software for decrypting it, given the right decryption key. For use by recipients who do not have encryption software and a public key to encrypt to. Recognize that self-decryption cannot rely on public-private key pairs. They require sending a decription key to the recipient of the SDA.

Self-Signature: In a self-signed certificate, the signer and the owner of the key are the same person. OpenPGP allows self-signing. X.509 does not.

Session Key: A session key is a random number generated each time a body of data is encrypted.

The data is encrypted with the session key. Then the session key is encrypted with the recipient's public key. Then both are sent to the recipient.

The recipient uses his/her private key to decrypt the session key. Then the recipient uses the session key to decrypt the data.

That process is faster and more secure than encrypting the payload data with a public key.

Signature: An electronic signature assures that a message did indeed originate with the source it claims. A signature is data encrypted with the signer's private key. If the signer's public key can decrypt the signature, the signature is authentic.

Typically, signature data includes a hash of the message. If that hash value matches a new, locally generated hash of the message, the message is authentic and has integrity. In addition, the signature provides non-repudiation--the source cannot deny being the source.

Symmetric Key: A single key used for both encryption and decryption. The simpler, less-secure alternative to public-and-private key pairs.

Web of Trust: OpenPGP allows anyone to sign a certificate, and allows multiple signatures on any one certificate. Signers are trusted because, as certificates are used and signers accumulate, the certificates and the signers gain reputations as reliable, genuine, authentic, and safe.

See also Keyring. Regarding X.509, see Hierarchical Trust.

X.509: A standard that defines the creation, content, and use of certificates. An X.509 certificate describes a single identity for the owner of a single public key, and certifies them with a single third-party signature. See RFC 5280, "Internet X.509 Public Key Infrastructure...".