PKI Glossary
AES
Advanced Encryption Standard. A symmetric-key encryption algorithm, e.g. AES 128, 256. Provides the same encryption strength as much larger RSA keys. Good for hardware with limited processing or storage.
API
Application Programming Interface. Provides interfaces for interacting with other software.
ASN.1
Abstract Syntax Notation One. Provides a cross-platform data structure representation for different kinds of data, e.g. certificates, CRLs, OCSP, timestamps etc.
Asymmetric Encryption
The concept of encrypting and decrypting with two related keys, called the private key and the public key. Each can decrypt data encrypted with the other key. Algorithms include DSA, RSA etc. There is no shared key involved.
Authentication
The process of proving identity. The subject could be a human or a machine (PC, router, switch, mobile, IoT etc.).
BER
Basic Encoding Rules. Rules defining how to encode ASN.1 data.
Block Cipher
A type of symmetric cipher which works on fixed-size blocks of bits, e.g. DES, Triple DES, AES.
Certification Authority (CA)
An entity (business, software etc.) which manages the life cycle of digital certificates. This includes creation, deletion, renewal, rekey and revocation of certificates. Can be a subordinate CA (issued by a Root CA) or a Root CA (self-signed).
Certificate / Digital Certificate
A digital file which identifies a user, signed by a CA. The digital file contains the public key of the entity it identifies (person/computer/company etc.). The certificate contains information about expiry, who issued the certificate and its purpose. The private key associated with the public key can be used for authentication or signing. See more here.
CRL
Certificate Revocation List. Issued by a Certification Authority, it contains the list of revoked or blacklisted certificates. See more here.
Cryptography
The study of techniques to perform secure communication. See more here.
Decryption
The process of recovering the original plain text from encrypted text.
DER
Distinguished Encoding Rules. Rules defining how to encode ASN.1 data.
DES
Data Encryption Standard. A symmetric encryption algorithm, deprecated because of the weak encryption key used. Developed in the 1970s and broken in 1999. See more here.
Digital Signature
A digital signature is cryptographically generated data that ensures authenticity, integrity and non-repudiation. Commonly confused with an electronic signature. The idea was conjectured in 1976 by Whitfield Diffie and Martin Hellman and later implemented by RSA. See more here.
ECC
Elliptic Curve Cryptography is a form of public key cryptography based on algebraic structures on elliptic curves over finite fields. Good for low-powered computing devices like mobile phones, IoT etc. Competes with the RSA standard, which is based on the difficulty of factoring large numbers.
Hash Function
A one-way, unique transformation of large data, e.g. strings, into a fixed, short value, e.g. MD5, SHA-1, SHA-256 etc. A key step in creating digital signatures, e.g. SHA256. The resultant value is called the hash value. The SHA-256 hash value of Codegic is b658b459663b78dfeecf473a136474f75f080933444a7aafae7300775ec4c309
HSM
Hardware Security Module. Able to process cryptographic keys (asymmetric and symmetric) in a secure fashion. Recommended for critical cryptographic operations. Keys generated cannot be exported in plain form. Can be hosted on-premise or in the cloud.
Key
A number which is a critical component for encrypting or decrypting data. In RSA it could be of length 2048 or above, and in the case of ECC 160 bits or more. Longer key lengths provide more security at the cost of slower encryption and decryption. The public key and private key together form the key pair.
Key Management
Covers the complete life cycle of cryptographic keys: generation, renewal, storage, security and deletion.
MD2, MD4, MD5
Message Digest. A set of weak and obsolete one-way hashing schemes with a hash value of less than 128 bits, subject to birthday attacks. More details here.
One-time Password (OTP)
A temporary, user-friendly, server-generated unique password or PIN. Protects users from hackers when they use weak passwords. Normally used for two-factor authentication. Has different variations such as TOTP (time-based OTP) and HOTP (counter-based OTP).
OCSP Server
Server software implementing the Online Certificate Status Protocol. Replaces the need to rely on CRL files, which can be large and hence slow the revocation checking process, as opposed to the lightweight (few KB) request and response of the OCSP server.
Phishing
A type of attack to acquire credentials or personal data from people by mimicking legitimate emails, phone calls or websites.
PKCS
Public Key Cryptography Standards. Devised by RSA Laboratories in 1991. Some of these are:
- PKCS#1 – Defines the format of RSA encryption.
- PKCS#5 – Password-based Encryption Standard
- PKCS#7 – Cryptographic Message Syntax Standard
- PKCS#8 – Private-Key Information Syntax Standard
- PKCS#9 – Attribute types for use in PKCS#6, PKCS#7, PKCS#8 and PKCS#10.
- PKCS#10 – Certificate Request Standard for requesting a certificate from a CA
- PKCS#11 – An interface to communicate with cryptographic devices such as HSMs, smart cards etc.
- PKCS#12 – Password-protected data for securely storing private keys and associated certificates.
- PKCS#15 – Defines a file system of objects to be stored on cryptographic devices
Rijndael
The symmetric algorithm selected by NIST for AES. Works with a minimum key length of 128 bits. Learn more here.
RIPEMD-160
A hashing algorithm providing more security than the MD set of hashing algorithms. The RIPEMD-160 hash of Codegic is: edd8a680830228aa67b80760c448549e05d431d6
RSA
A public key cryptographic algorithm developed in 1977. It competes with ECC-based public key algorithms.
Session Key
A symmetric key, e.g. AES 128, generated during a TLS handshake. 100x faster than an asymmetric algorithm.
SHA
Secure Hash Algorithm. Started with SHA-1 (obsolete, as it is subject to collision attacks), followed by the SHA-2 family (SHA-256, SHA-384, SHA-512).
Symmetric Encryption
An encryption mechanism where the same key is used to encrypt and decrypt data, e.g. DES, AES.
SSL
Secure Sockets Layer. A weak protocol that uses public key cryptography to generate symmetric keys for securing communication over the network. Now replaced by the TLS protocol.
Time Stamp
Digitally signed content attesting that the content existed prior to a particular time. The time can come from a system, HSM or GPS clock. Learn more here.
Time Stamping Authority
A server or business entity providing timestamp services. Can be software or hardware.
TLS
Transport Layer Security.
Two-factor Authentication
An authentication scheme ensuring that two pieces of information are present at authentication time, e.g. password and OTP, or password and biometric.
X.509v3
X.509 is a standard defining the format of public key certificates. v3 stands for version 3 of the X.509 digital certificate, prevalent as of 2021. See more here.