Copyright (c) 2000-2007 V. Alex Brennen (VAB).
This document is hereby placed in the public domain.
This document lives at http://cryptnet.net/fdp/crypto/crypto-dict/en/crypto-dict.html (DocBook XML)
This document is currently only available in the following languages:
[en] English (DocBook XML)
If you know of a translation or would like to translate it to another language please let me know so that I can distribute or link to the translated versions.
V. Alex Brennen (Principal Author)
An attack in which the attacker has access to the cryptographic system they are attacking and is providing input or responses to the system in an attempt to defeat it.
A cryptographic algorithm which was chosen to replace DES.
See Andrew File System.
A step-by-step procedure for performing a process or carrying out a set of actions.
A file system which relies upon the Kerberos authentication system for security.
1. Having the quality of an unknown source or author.
2. An author or source which is unknown.
Anonymous Digital Currency.
A program developed to allow the sending of anonymous or pseudonymous email. Remailers were designed to be resistant to traffic analysis.
A mechanism used to prevent unauthorized parties from re-presenting intercepted or expired authorization or authentication tokens and thereby gaining access which they should not have. Nonces, sequence numbers, and timestamps bound to the token are the usual mechanisms.
Abstract Syntax Notation One. ASN.1 is a notation used to describe messages. It describes them as a sequence of components, and the described components may themselves be sequences. ASN.1 is used to describe the internals of Kerberos messages and of X.509 certificates. Unless you are a software developer, you do not need to gain an understanding of ASN.1.
A cryptographic algorithm which uses two different keys for encryption and decryption. See Public Key Algorithm.
[Undefined]
A comprehensive review of an algorithm, software implementation, cryptosystem, or computer system possibly including log data in an effort to uncover flaws or wrongdoing.
An Authority Revocation List: a revocation list restricted to CA certificates, that is, a listing of subordinate CA certificates which have been revoked. Most often this is a superior CA withdrawing a lower-tier CA's authorization to issue or sign certificates; a relying party walking a certificate chain must check the ARL as well as the end-entity CRL.
The verification that a claimed identity is valid, in effect that a person, system, or piece of software is who they say they are.
The quality of actually having come from the source which is claimed.
Software which automatically generates keys.
A feature, most often of cryptographic communications systems, which allows the system to automatically cycle through a set of keys or to generate new keys at a given interval, in order to increase the resistance of the system to key compromise and to limit the effects of a key compromise should one occur.
1. The act of determining if a client may have access to a system or service and what level of access that client may have. 2. Stating that a client may have access to a system or service at a specified level.
The property of a cipher or hash function that a small change in the input, such as flipping a single bit of the plaintext or key, produces a large and unpredictable change in the output, ideally flipping about half of the output bits. In chaining modes the effect also propagates across blocks because each encryption round is seeded with data from previous rounds: if the content of the first block of plaintext differs, all resulting ciphertext for subsequent blocks will differ even if they contain the same plaintext data.
A program execution path, alternative access mechanism, or alternative decryption mechanism which allows a party to easily bypass the security of a system. Back doors are often included surreptitiously, without the knowledge of some or all of the parties participating in a system.
[Undefined]
[Undefined]
In computer science, a type of notation used to denote a theoretical measure of the rate at which the resources needed by a problem will grow as a function of the problem size.
Cryptosystems which make use of the hard problem of factoring large semiprime numbers for their security.
[Undefined]
Security and authentication measures which rely on biological characteristics thought to be sufficiently unique. For example, physical characteristics such as fingerprints, retina structure, voice, or facial geometry.
A subclass of brute force attacks against hash algorithms which takes advantage of the birthday paradox over the size of the hash value produced by the algorithm rather than over the days of the year. For an n-bit hash a collision is expected after about 2^(n/2) trials, so an algorithm's collision resistance is only half its output length.
A term given to the fact that given a group of 23 people, the odds are greater than 50% that at least two of the people in the group will have the same birthday. It is termed a paradox because the size of the group of people strikes most people as unreasonably small.
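The two entries above in working code, as an added example that is not part of the original dictionary: the exact birthday probability for 23 people, and a birthday attack on a deliberately short hash. SHA-256 truncated to 32 bits stands in for a weak hash; the input strings are constructed here.

```python
"""Birthday attack on a truncated hash, and the birthday bound itself.

Truncating SHA-256 to `bits` bits stands in for a weak hash with a small
output: a collision is expected after about 2**(bits/2) trials, not 2**bits.
"""
import hashlib
import math


def trunc_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data) as an integer (toy short hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, max_trials: int = 1 << 24):
    """Return (trials, m1, m2) with m1 != m2 and equal truncated hashes.

    Inputs are the byte strings b"msg-0", b"msg-1", ... (constructed);
    a dictionary of hashes seen so far makes each trial O(1).
    """
    seen = {}
    for i in range(max_trials):
        msg = b"msg-%d" % i
        h = trunc_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    raise RuntimeError("no collision within max_trials")


def birthday_probability(n_items: int, space: int) -> float:
    """P(at least one shared value) for n_items drawn uniformly from `space`.

    space=365 gives the classic 23-people result; space=2**bits gives the
    probability that n_items random hashes contain a collision.
    """
    p_no_collision = 1.0
    for i in range(n_items):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


if __name__ == "__main__":
    print("23 people, 365 days: %.3f" % birthday_probability(23, 365))
    bits = 32
    trials, a, b = find_collision(bits)
    print("%d-bit hash: collision after %d trials (2^%.1f), ~2^%d expected"
          % (bits, trials, math.log2(trials), bits // 2))
    print(" %r and %r both hash to %08x" % (a, b, trunc_hash(a, bits)))
```

The attack needs memory proportional to the number of trials; in practice Floyd or distinguished-point cycle finding trades that memory for a small constant factor in time.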
A digital signature which the signer produces without seeing the content being signed. The requester blinds the message (in RSA, by multiplying its hash by a random factor r^e), the signer signs the blinded value, and the requester removes the blinding factor, leaving a valid signature on the original message; the signer can later neither learn the content nor link the signature to the signing session. Blind signatures underlie anonymous digital cash. Signing only a hash of a document, as Time Stamping Services commonly do, also keeps the data from the signer but is not a blind signature in this sense.
The smallest unit of data which is encrypted or decrypted by a block cipher.
A cryptosystem which works on plaintext in blocks of a given size. If the data does not fill a whole number of blocks, the final block is padded, most often with a self-describing scheme such as PKCS#7; older systems padded with nulls, which cannot be removed unambiguously from binary data. See Padding.
The number of bits in a block operated upon by a block cipher.
A pseudorandom number generator.
[Undefined]
[Undefined]
[Undefined]
A CA dedicated to the role of establishing and maintaining cross certifications with other certificate authorities. Also known as a Bridge CA.
An attack against a cryptosystem or security system in which all possible values for the key, password, or passphrase are tried. On average the correct value is found after half the keyspace has been searched.
[Undefined]
[Undefined]
The agency responsible for executing and administering export restrictions on cryptographic technologies. It is now known as the Bureau of Industry and Security.
A substitution cipher in which substitutions are made by rotating the alphabet a set number of spaces. Today, these ciphers are most commonly found in toys such as children's decoder rings and casually protected data on internet messages such as joke punch lines.
see Digital Certificate.
A repository, either digital or physical, of previously used digital certificates. Such an archive may or may not contain the private keys associated with the certificates.
Also known as a Certification Authority. An entity which is authorized and recognized to have the authority to sign digital certificates in order to validate or authorize them for specific purposes.
The certificates which are traversed when verifying signatures which prove authenticity. Most often, the path of certificates which must be walked to reach the root certificate authority when verifying a presented client certificate.
A written or electronic history of all certificates used by an entity both expired and current.
A protocol defined by PKIX in RFC2510 (later revised as RFC4210) for the management of X.509 digital certificates.
A signature or digitally signed statement which invalidates an issued certificate. In X.509 PKI standards, such invalidation is communicated through a Certificate Revocation List [CRL].
A list of certificates which have been revoked. Certificate Revocation Lists can be distributed and cached locally on a system which uses PKI for authentication or authorization. When a certificate is presented which is listed in the CRL, that client can be rejected.
A binary format for certificate revocation data which takes the form of a compressed hash tree data structure. CRTs are used to represent large CRLs efficiently and allow a short proof that a given certificate is, or is not, revoked.
[Undefined]
[Undefined]
A type of authentication in which a challenge is issued by the server to a client which wishes to authenticate. In order to authenticate, the client then replies with a response that proves the client is in possession of a shared secret without sending the secret itself. The shared secret may be a cryptographic key or other type of data.
[Undefined]
[Undefined]
A value produced by performing a CRC on data in order to allow validation of its integrity. A checksum detects accidental corruption only; because a CRC is linear and unkeyed, an attacker can modify data and recompute or preserve the checksum, so it is no substitute for a Message Authentication Code.
An attack in which the attacker has access to an implementation of the cryptosystem and may decrypt arbitrarily chosen ciphertext.
An attack in which the attacker has access to an implementation of the cryptosystem and can encrypt or decrypt messages with arbitrarily chosen key material.
An attack in which the attacker has access to an implementation of the cryptosystem and may encrypt arbitrarily chosen plaintext.
See Cypher.
In a block cipher, a mode of operation in which each plaintext block is XORed with the previous ciphertext block (an initialization vector for the first block) before being encrypted. Because every block's input depends on all earlier ciphertext, a difference in one plaintext block changes every subsequent ciphertext block, realizing the avalanche effect across the message, and identical plaintext blocks no longer produce identical ciphertext blocks.
A mode of operation defined for the Data Encryption Standard, one of the four in FIPS 81.
Encrypted data.
[Undefined]
[Undefined]
A comprehensive and detailed review of the source code of a piece of software. Such a review is often performed to uncover any flaws in implementation, security vulnerabilities, or other weaknesses.
An occurrence in hash algorithms where different data, or inputs, result in the generation of the same hash, or output. Collisions allow the potential for modification of a hashed document without invalidating the hash.
A subset of computational theory which deals with the determination of how much time it will take to computationally solve a given problem.
[Undefined]
The quality of having been communicated in trust to a limited number of people or systems and entrusted to them.
[Undefined]
Vector super computers designed by Seymour Cray and Cray Computers, Inc.
In Kerberos, a ticket for the server and a session key which is used to authenticate the principal.
1. Certification between two parties in which both parties have certified the other. 2. In PKI, the certification of a given CA by another CA establishing a trust relationship between the CAs.
In Kerberos, the ability for a KDC in one realm to authenticate a principal in another realm if a secret is shared between the KDCs of both realms. This inter-realm authentication is called cross-realm authentication.
see Cyclic Redundancy Check.
see Certificate Revocation List.
see Certificate Revocation Tree.
The study of cryptographic algorithms or resulting ciphertext in order to determine their strengths and potential weaknesses. Often such analysis is performed in order to attempt to break an encryption algorithm or in order to perform key recovery.
A theorized social state in which the ubiquitous availability of strong cryptography results in an inability for any government to dominate individuals, most specifically through an erosion of the tax base by secret and potentially anonymous financial transactions which cannot be taxed.
A scientist, researcher, or programmer, who works in the science of cryptography.
The science of encoding and decoding secret messages.
A daughter card with a microprocessor, often specialized, which is dedicated to performing cryptographic operations so that they may be offloaded from the system's main processing resources.
A class of pseudo-random number generators whose output cannot be predicted even by an attacker who knows the algorithm and methods being used and has seen earlier output; equally, earlier output cannot be recovered from later output or from a compromised internal state.
1. A protocol or method of performing encryption. 2. A system of securing data or system through cryptography.
see Cryptography.
A dictionary which was created specifically for a password or passphrase guessing attack against a known entity. Most often, such dictionaries are used by law enforcement after an individual's computers and electronic data have been seized. The dictionary is then created from that electronic data as well as data on the individual's computers, such as web pages that the browser cache identifies as visited or that have been bookmarked.
A cryptographic algorithm.
A group of techno-libertarians which formed around a mailing list on the internet. The cypherpunks believe in privacy, security, and autonomy. They actively work toward realizing these goals through cryptographic technological developments.
[Undefined]
A block cipher which was the official encryption standard of the United States Government (FIPS 46). It was developed by IBM with assistance from the NSA. The algorithm is a sixteen-round Feistel block cypher which uses a 64-bit block and a 56-bit key; the key is now far too short to resist brute force.
To decode encrypted information. The act of transforming ciphertext into the original source plaintext.
See Data Encryption Standard.
The Diffie-Hellman cryptosystem. DH is based on the difficulty of computing discrete logarithms in modular arithmetic. It gained popularity due to patent restrictions surrounding other methods of public key cryptography. On its own DH does not authenticate the exchanged values; see Man in the Middle Attack.
A collection of words or phrases used in password guessing.
A brute force attempt to decrypt encrypted data by guessing passwords or pass phrases sequentially from a store of possible solutions.
A battery of statistical tests used to evaluate random number generators, written by George Marsaglia.
A type of chosen plaintext attack in which the attacker studies how differences between pairs of plaintexts propagate through the cipher to differences in the resulting ciphertext, and uses the statistical bias of those output differences to recover key material.
[Undefined]
A protocol of key exchange which uses public key cryptography. The protocol is defined in RFC2631.
See Electronic Currency.
A formatted electronic container for an encrypted communication.
see Fingerprint.
An identity created in the digital world, i.e., on the internet. The identity may or may not have a meatspace identity strongly associated with it through the use of cryptographic keys and digital signatures.
The use of a cryptosystem to allow only controlled access to content perceived to be of value.
An electronic signature which validates the data contents of a signed message and can be used to validate the identity of the signer. Most often electronic messages are digitally signed to prove authorship and content integrity. Digital signatures are most often done with public key cryptography systems, for example under the OpenPGP standard. To sign a message, a hash value is computed over the message contents, and that hash value is signed (in textbook RSA, encrypted) with the signer's private key. Since only the signer's public key will verify the signature against an accurate hash of the message, authentication is performed in this way.
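Hash-then-sign as described in the entry above, together with the blind signature entry earlier in this dictionary, as an added example that is not part of the original page. The RSA parameters are a hand-picked toy pair (the primes are far too small for real use) and the scheme is unpadded textbook RSA, chosen only to make the arithmetic visible; a real implementation needs a full-size key, a signature padding scheme such as PSS, and a reviewed library.

```python
"""Hash-then-sign and blind signatures with textbook RSA (toy parameters)."""
import hashlib
import math
import secrets

# Toy RSA key pair (constructed): n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(message: bytes) -> int:
    """Hash the message and reduce it into Z_N (the reduction is toy-only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash-then-sign: the private exponent is applied to the digest only."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key recovers the digest and compares it."""
    return pow(signature, e, n) == digest_int(message)


def blind(message: bytes, e: int = E, n: int = N):
    """Requester side: hide the digest behind a random factor r^e mod n."""
    m = digest_int(message)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (m * pow(r, e, n)) % n, r


def blind_sign(blinded: int, d: int = D, n: int = N) -> int:
    """Signer side: signs a value it cannot relate to any message."""
    return pow(blinded, d, n)


def unblind(blinded_sig: int, r: int, n: int = N) -> int:
    """Requester side: (m * r^e)^d = m^d * r, so dividing out r leaves
    an ordinary signature on m."""
    return (blinded_sig * pow(r, -1, n)) % n


if __name__ == "__main__":
    msg = b"pay 10 units to carol"            # constructed sample message
    s = sign(msg)
    print("direct signature verifies:", verify(msg, s))
    print("tampered message verifies:", verify(msg + b"0", s))

    blinded, r = blind(msg)
    s_blind = blind_sign(blinded)
    s2 = unblind(s_blind, r)
    print("blind signature verifies:", verify(msg, s2))
    print("signer saw the real digest:", blinded == digest_int(msg))
```

The unblinded signature is bit-for-bit the one the signer would have produced on the digest directly, which is what lets the requester present it later without the signer being able to recognise it.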
[Undefined]
[Undefined]
[Undefined]
The computational difficulty of recovering the exponent x given g and g^x in a finite group, that is, of reversing modular exponentiation. This problem is the basis of Diffie-Hellman and Elliptic Curve Cryptography, as the factoring problem is the basis of RSA Cryptography.
[Undefined]
A key which has been split into several pieces of key material and shared among multiple individuals or which is stored in multiple locations.
[Undefined]
[Undefined]
[Undefined]
[Undefined]
[Undefined]
A mode of operation defined for the Data Encryption Standard, one of the four in FIPS 81.
Digital tokens which have real world monetary value associated with them.
See Secure Electronic Voting.
A digital and internet rights defense lobbying and support group.
An ECC based encryption algorithm.
A class of cryptosystems whose security rests on the difficulty of the discrete logarithm problem in the group of points on an elliptic curve over a finite field. Equivalent security is obtained with much shorter keys than RSA or classical Diffie-Hellman; a 256-bit curve is comparable to a 3072-bit RSA modulus. Elliptic-curve analogues of factoring-based schemes exist but are rarely used.
[Undefined]
[Undefined]
The transformation of data in order to make it private.
A connection between two systems through which all data that passes is encrypted before transmission.
A measure of the amount of randomness or disorder in a system, dataset, or in the data read from a data source or device.
[Undefined]
[Undefined]
A temporary, short-lived keypair which is generated as part of a larger handshake operation and is most often intended for only one use. The use of such short-lived keypairs can increase the security of the primary key pair by reducing its use, and increase the security of the communication since several ephemeral keypairs may be used and each is used on only a small amount of data; compromise of the long-term key then does not reveal past sessions.
The holding of a key which can decrypt communications by a given third party. Most often, the holding of private keys in public key cryptography by a corporation or government.
A date which is encoded in a certificate or public key at the time of creation and which specifies when the key or certificate will no longer be valid. Expiration dates limit the window in which a key which has been compromised or brute forced remains usable.
Laws put in place to keep foreign nationals and foreign governments from acquiring and using strong encryption technology to protect their communications.
A number which can divide a given quantity with out leaving a remainder.
[Undefined]
[Undefined]
A generalization of number domains in which the basic mathematical properties and rules apply. Examples of fields are the reals, the rationals, and the complex numbers.
A class of iterated block ciphers in which the block is split into two halves and, in each round, one half is combined with the output of a round function applied to the other half under a round subkey. Running the same structure with the subkeys in reverse order decrypts, so the round function itself need not be invertible. DES is a Feistel cipher.
A computer chip whose gates can be reprogrammed by electrical impulses. A skilled cryptographer can use such a chip to create a hardware implementation of an attack against a cryptosystem. Attacks performed in this way can be significantly faster than software-only attacks.
[Undefined]
A one way hash value calculated over a digital certificate or pgp key which serves as a unique id.
A field which contains only a given number of elements.
A message or communication which has been made to appear as though it came from a source other than its actual origin.
A cross certification in which another entity has signed the key of a given entity.
In Kerberos, A ticket granted by the KDC which allows the user to request additional tickets with different IP addresses. In effect, a TGT which allows the authenticated principal to request tickets valid on other additional machines.
The quality of a web of trust to be fully peered.
A state in a web of trust in which each entity has a digital signature establishing trust from every other entity. This term may be used to refer to the PGP web of trust or to a web of trust between certificate authorities.
A finite field, named after the mathematician Évariste Galois. See Finite Field.
A set of C language bindings which provide security services to its callers. The API may be implemented on top of various cryptographic systems. Kerberos is one example of such a system.
The fastest known way to factor a large semiprime number.
A computer chip specifically designed for the processing of graphics routines. These chips often include some level of Vector Computing functionality allowing them to be used to significantly speed the process of encryption or to attack a cryptosystem.
A set of protocols that allow a large number of systems to pool processing power, memory, and storage space. A Grid can be used to perform a large scale distributed attack against an encryption system.
The use of a Grid in the completion of computing tasks.
[Undefined]
Group Signature.
see One Way Hash.
A token which consists of previously agreed upon content (such as the recipient address and the date) and a counter value, which when hashed together yield a hash value with a required number of leading zero bits. Finding the counter costs the sender about 2^bits hash computations; checking it costs the recipient one. Hashcash was proposed as a proof-of-work cost on sending email to make spam uneconomic.
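Minting and checking a hashcash-style token, as an added example that is not part of the original dictionary. The header layout here is a simplification (`resource:counter`) rather than the real hashcash stamp format, and the difficulty is kept low so that minting finishes in well under a second.

```python
"""Hashcash-style proof of work: find a counter so that SHA-256(header:counter)
starts with `bits` zero bits. Minting is ~2**bits hashes; checking is one."""
import hashlib


def _leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits before the first 1 bit of a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def _stamp_hash(header: bytes, counter: int) -> bytes:
    return hashlib.sha256(header + b":" + str(counter).encode()).digest()


def mint(header: bytes, bits: int) -> int:
    """Sender side: try counters from 0 upward until the target is met.
    Returns the first counter that works (the cheapest valid stamp)."""
    counter = 0
    while _leading_zero_bits(_stamp_hash(header, counter)) < bits:
        counter += 1
    return counter


def check(header: bytes, counter: int, bits: int) -> bool:
    """Recipient side: a single hash decides whether the work was done.
    A real recipient would also check the date and that the counter has
    not been seen before, so a stamp cannot be replayed."""
    return _leading_zero_bits(_stamp_hash(header, counter)) >= bits


if __name__ == "__main__":
    header = b"alice@example.com:2007-01-01"      # constructed resource/date
    bits = 16
    counter = mint(header, bits)
    print("counter", counter, "valid:", check(header, counter, bits))
    print("same stamp at 20 bits:", check(header, counter, 20))
```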
see Session Hijacking.
[Undefined]
A cryptosystem in which nyms, typically email or other electronic addresses, are used rather than key ids or certificate ids to send a secure message. The purpose of such a system is to make the system transparent. However, no such system has been demonstrated to be secure.
[Undefined]
A value used as a seed in the performance of key expansion in a cryptographic algorithm in order to strengthen the resulting ciphertext against cryptanalysis.
[Undefined]
The quality of a system or information to be authentic and free from tampering or malicious intent.
Interleaving is the use of multiple offset avalanche effect chains in encryption protocols to allow the parallelization of those processes. Cryptosystems can be made much more secure by basing the encryption of any given part of a message upon the preceding data, because this prevents attackers from performing cryptanalysis against small parts of the message in isolation. However, it also prevents the encryption of subsequent parts of the message from being done before the preceding parts have been encrypted. By starting a chaining mechanism such as DES's CBC at multiple points in the message, some of the strength of CBC can be retained while still allowing the message to be encrypted on more than a single processor.
[Undefined]
[Undefined]
Internet Protocol Security. A method of securing traffic transmitted by the Internet Protocol (IP).
A group of United States laws known as the International Traffic in Arms Regulations which at one time prevented computer programs and electronic devices using more than 40 bit key lengths from being exported.
An authentication protocol in which a trusted third party, an arbitrator, is relied upon to perform the authentication of clients on a TCP/IP network. The protocol was designed in a way that encrypted tickets are transmitted over the network rather than traditional plaintext passwords providing for secure network authentication.
The first publicly released version of the Kerberos protocol. This version was shown to have weaknesses in implementation and should no longer be used.
See Also Kerberos 5.
The second public release of the Kerberos protocol. Kerberos 5 is widely used and fixed a number of security flaws in version 4 of the protocol.
(v.) The act of modifying a system, service, or piece of software to make use of the Kerberos protocol to perform authentication. (adj. -d) A system, service, or piece of software which supports authentication through Kerberos.
A unit of data out of many which can be used to transform other data such as plain text or cyphertext. The set of possible units is defined as the key space.
In cryptographic protocols, the mechanism by which two or more parties that wish to communicate securely jointly determine a shared key (or keys) to be used in the communication, each contributing to the result as in Diffie-Hellman. This contrasts with key exchange or key transport, in which one party generates the key and sends it to the other, typically encrypted under a key encrypting key.
A long term repository of key data.
[Undefined]
The acquisition of a key or key pair by a party that should not have access to the key or key pair.
In Kerberos the machine and software which perform the role of the trusted arbitrator in the Kerberos protocol.
A key used to encrypt keys. Most often a key encrypting key is a key which is a member of a key pair and is used to encrypt a symmetric key during key exchange.
A process in which a larger body of key material, typically the set of per-round subkeys (the key schedule), is derived from an initial key.
The storage of secret keys by a third party, usually a government, who desires the ability to break the security of a cryptosystem at any given time.
The process of transmitting a key between two parties that wish to communicate securely.
In PGP, a value used to identify a key which is generated by performing a hash of key material.
The act of creating a new key or key pair. Often, this involves the acquisition of pseudorandom data from the host operating system and the user.
A record, most often including the keys themselves, of all of the keys an entity, or group of entities, has made use of. The record may be complete covering all keys ever used, or it may only be kept for a given time period or a given number of keys.
In PGP, an identifier generated from key material which can be used to identify a key. The Key ID is often used by the user to specify a recipient, a key to be used when performing an operation, or to select a key in a keyring of keyserver.
The number of bits which a comprise a key.
1. The storage, generation, use, lifetime, securing, and disposal of cryptographic keys. 2. The specification of policies related to the storage, generation, use, lifetime and disposal of cryptographic keys.
One or more of the bits that comprise a secret or public key.
In public key cryptography, a pair of keys consisting of a public and private, or secret, key which interrelate.
The determination of a key needed for decryption when that key is not available. Key Recovery may be performed through cryptanalysis or through the use of a key escrow system.
A policy which defines when keys are generated and for how long they are used.
A system which stores key material in a database. These servers may be queried by users who wish to acquire the public key of a recipient they have not had prior contact with.
The total number of possible keys which can be used for a given key length.
A continuous feed of key material used in the encryption process. Most commonly, this term is used when describing stream cyphers.
A collection of keys. Most often this term is used in relation to PGP, where a keyring consists of a collection of one or more key packets.
A get-together of people who use the PGP encryption system with the purpose of allowing those people to sign each others public keys. Keysigning parties serve to extend the web of trust.
A list of predetermined requirements that must be met before the owner of a key is willing to use it to create a signature endorsing the content of a message or the validity of a key pair. Keysigning policies are often limited to requirements for signing others' public PGP keys and are posted publicly on an individual's personal webpage.
[Undefined]
An attack against a cryptosystem in which both the plaintext of a message and the resulting cyphertext are known.
See Kerberos.
See Kerberos 4.
See Kerberos 5.
A delay in data transmission which can affect the strength of a cryptosystem against network sniffing attacks.
[Undefined]
A protocol for accessing an on-line directory service. In cryptography directories accessed in this manner usually contain digital certificates or cryptographic keys. The LDAP protocol was developed to provide simple universal access to the content of the directories with less overhead and complexity than would be required to access a relational database.
[Undefined]
In cryptanalysis, a statistical analysis of the occurrence of the letters of the alphabet in ciphertext. This calculation can be used to determine if an algorithm produces sufficiently random ciphertext, or it can be performed on ciphertext after a decryption attempt has been made in order to estimate whether the attempt was successful and produced plaintext. Against substitution ciphers it is usually decisive, since the letter distribution of the plaintext language survives the substitution.
Synonymous with Full Keyid. In PGP, a 64-bit value (16 hexadecimal digits, the low-order 64 bits of the key fingerprint) which identifies a key. Even the long key id is not collision resistant; the full fingerprint should be compared when identity matters.
A method of attacking cryptographic protocols in which the attacker intercepts the messages of both the client and the server. The attacker, also known as the man in the middle, pretends to be the server to the client and the client to the server, allowing him to decrypt data from both parties. Any key exchange in which the public values are not authenticated is vulnerable to this attack.
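Diffie-Hellman key agreement followed by the man-in-the-middle attack against an unauthenticated exchange, as an added example that is not part of the original dictionary; it also illustrates the Diffie-Hellman, Discrete Logarithm Problem and Key Agreement entries above. The modulus is a freshly generated small safe prime so that the group structure is honest (generator 4 has prime order q); the size is chosen for readability only. Real deployments use a standard 2048-bit or larger group or an elliptic curve, and authenticate the public values, which is exactly the step whose absence the attack exploits.

```python
"""Diffie-Hellman with a small safe prime, and Mallory in the middle."""
import hashlib
import secrets

G = 4   # a quadratic residue, hence a generator of the order-q subgroup of p = 2q+1


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Party:
    """One side of the exchange: secret exponent x, public value g^x mod p."""

    def __init__(self, p: int, g: int = G):
        self.p = p
        self.priv = secrets.randbelow(p - 3) + 2        # x in [2, p-2]
        self.pub = pow(g, self.priv, p)

    def shared_key(self, peer_pub: int) -> bytes:
        """K = (g^y)^x mod p, hashed down to a fixed-length symmetric key."""
        secret = pow(peer_pub, self.priv, self.p)
        width = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def honest_exchange(p: int):
    """Alice and Bob swap public values directly; both derive the same key."""
    alice, bob = Party(p), Party(p)
    return alice.shared_key(bob.pub), bob.shared_key(alice.pub)


def mitm_exchange(p: int):
    """Mallory replaces each public value in transit with her own and ends up
    sharing one key with Alice and another with Bob. Neither notices, because
    nothing ties a public value to an identity."""
    alice, bob = Party(p), Party(p)
    mallory_to_alice, mallory_to_bob = Party(p), Party(p)
    k_alice = alice.shared_key(mallory_to_alice.pub)   # Alice believes this is Bob's
    k_bob = bob.shared_key(mallory_to_bob.pub)         # Bob believes this is Alice's
    k_m_alice = mallory_to_alice.shared_key(alice.pub)
    k_m_bob = mallory_to_bob.shared_key(bob.pub)
    return k_alice, k_bob, k_m_alice, k_m_bob


if __name__ == "__main__":
    p = safe_prime(40)
    k1, k2 = honest_exchange(p)
    print("honest exchange agrees:", k1 == k2)
    ka, kb, kma, kmb = mitm_exchange(p)
    print("Mallory holds Alice's key:", ka == kma, "| Bob's key:", kb == kmb,
          "| Alice and Bob share a key:", ka == kb)
```

The fix is not a bigger prime but authentication: sign the public values (as in TLS and SSH) or derive them from long-term keys the peers already trust.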
To pretend to be another entity, be it an individual, a system, or a server.
See Maurer's Universal Statistical Test.
A statistical test of randomness used in the evaluation of random number generators. This test is also sometimes referred to as Maurer's Universal Test.
A hash algorithm producing a 128-bit digest. It was shown to be susceptible to collisions, but is still used because some believe it has sufficient strength. It should not be used where collision resistance matters, such as in digital signatures or certificates.
An attack on double encryption in which some known plaintext is double encrypted by the system under attack. The same plaintext is then encrypted with all possible keys in a 2^n keyspace and the results stored in a table. The cyphertext which the attacker wishes to compromise is then decrypted with all possible keys in the 2^n keyspace and each result compared against the table. A match reveals a candidate pair of keys, which is confirmed against further known plaintext/ciphertext pairs. The attack costs about 2^(n+1) operations and 2^n storage rather than the 2^(2n) operations a brute force of both keys would need, which is why double DES offers little more strength than single DES.
A hash which is computed in such a way that the final value depends upon a key. Only an individual in possession of the correct key can produce a valid hash of the message content, thereby validating that whoever created a message with a valid hash attached was in possession of the key when the hash was created.
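The meet-in-the-middle attack two entries above, carried out in full against double encryption, as an added example that is not part of the original dictionary. The cipher is a deliberately tiny 16-bit-block, 16-bit-key toy constructed here (not a real algorithm) so the whole keyspace fits in a dictionary; the known plaintexts are constructed. Double encryption has a 32-bit keyspace, yet both keys are recovered with roughly 2 * 2^16 cipher operations and a 2^16-entry table.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit cipher."""
MASK = 0xFFFF
ROUNDS = 4


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Four xor/rotate/add rounds; each step is invertible."""
    x = block
    for r in range(ROUNDS):
        x ^= (key + r * 0x9E37) & MASK
        x = _rotl(x, 5)
        x = (x + key) & MASK
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block
    for r in reversed(range(ROUNDS)):
        x = (x - key) & MASK
        x = _rotr(x, 5)
        x ^= (key + r * 0x9E37) & MASK
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) tuples under one (k1, k2).

    Table every E_k1(p0); then for every k2 look up D_k2(c0) in it. Because
    the block is only 16 bits, a single pair leaves ~2**16 false matches,
    so the remaining pairs are used to confirm a candidate.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << 16):
        middle = toy_decrypt(k2, c0)
        for k1 in table.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None


if __name__ == "__main__":
    import os
    k1 = int.from_bytes(os.urandom(2), "big")
    k2 = int.from_bytes(os.urandom(2), "big")
    plaintexts = [0x4142, 0x4344, 0x4546, 0x4748]          # constructed
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    print("true keys:", hex(k1), hex(k2))
    print("recovered:", tuple(map(hex, meet_in_the_middle(pairs))))
```

Scaling the toy up, the same attack against double DES needs 2^57 operations and a 2^56-entry table, which is the reason Triple DES uses three operations yet is credited with only about 112 bits of strength.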
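Why the Checksum entry earlier in this dictionary warns that a CRC is no substitute for the Message Authentication Code defined above, as an added example that is not part of the original page. CRC-32 is linear over XOR, so for equal-length messages crc(a XOR b) = crc(a) XOR crc(b) XOR crc(zeros); an attacker who flips bits in a message can therefore compute the new checksum with no secret at all. The record and the bit flip below are constructed; the MAC is HMAC-SHA256 from the standard library.

```python
"""CRC linearity lets an attacker forge checksums; a keyed MAC does not."""
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> int:
    """Unkeyed checksum (zlib's CRC-32, init and xorout 0xFFFFFFFF)."""
    return zlib.crc32(data)


def crc_of_xor(msg_a: bytes, msg_b: bytes) -> int:
    """Predict crc32(msg_a XOR msg_b) from the two CRCs alone (linearity)."""
    assert len(msg_a) == len(msg_b)
    zero_crc = crc32(bytes(len(msg_a)))
    return crc32(msg_a) ^ crc32(msg_b) ^ zero_crc


def forge_with_crc(original: bytes, original_crc: int, delta: bytes):
    """Attacker side: apply `delta` (bit flips) to a message whose CRC is
    known and compute the matching CRC. No key is needed: there is none.
    Returns (forged_message, forged_crc)."""
    forged = xor_bytes(original, delta)
    zero_crc = crc32(bytes(len(original)))
    return forged, original_crc ^ crc32(delta) ^ zero_crc


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed integrity tag: producing one for a new message needs the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_valid(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(mac(key, message), tag)


if __name__ == "__main__":
    # Constructed sample: a transfer record protected only by a CRC.
    record = b"transfer amount=0100 to=bob  "
    crc = crc32(record)
    # Flip the leading '0' of the amount to '9' (0x30 ^ 0x39 = 0x09).
    delta = bytearray(len(record))
    delta[16] = 0x30 ^ 0x39
    forged, forged_crc = forge_with_crc(record, crc, bytes(delta))
    print(forged, "checksum matches:", forged_crc == crc32(forged))

    key = os.urandom(32)
    tag = mac(key, record)
    print("MAC still valid on forged record:", mac_valid(key, forged, tag))
```

The attacker never saw the original plaintext's checksum computation, only its value; with an encrypted message under a stream cipher or CTR mode the same bit flips work through the ciphertext, which is why unauthenticated encryption plus CRC (as in WEP) is broken.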
[Undefined]
[Undefined]
A term used to describe encryption technology which is believed to be sufficiently strong for military usage.
Million Instructions Per Second. A computer term which is used to quantify the number of machine instructions per second a processor is capable of performing.
A MIPS year is the number of instructions a processor which runs at 1 MIPS would complete in 1 year's time. Since a year is about 3.1536 * 10^7 seconds, 1 MIPS year equates to roughly 3.1536 * 10^13 instructions.
The practice of encrypting data with one cryptographic algorithm more than once, or with several different encryption algorithms in turn. Note that multiple encryption does not always multiply strength: see Meet in the Middle Attack.
A protocol used to synchronize the clocks of hosts and routers on the Internet. The network time protocol was originally defined in RFC958; later versions are defined in RFC1305 and RFC5905. Accurate time matters to cryptographic protocols such as Kerberos and to certificate expiration checks.
National Institute of Standards and Technology. A United States government organization tasked with the definition and establishment of standards, including the cryptographic FIPS standards such as DES and AES.
[Undefined]
A quality of a cryptosystem or protocol which prevents an individual that sent a message from later denying that he sent the message.
In complexity theory, Non-Deterministic Polynomial Time. The set of all decision problems (problems with a yes/no answer) which can be solved in polynomial time by a non-deterministic Turing machine, equivalently those whose yes answers can be verified in polynomial time given a suitable certificate.
In complexity theory, the class of problems which are in NP and to which every other NP problem can be reduced in polynomial time. Whether they can be solved in polynomial time is the open P versus NP question. NP-Complete is the intersection of NP and NP-Hard.
In complexity theory, the class of problems which are at least as hard as the hardest problems in NP, that is, to which every NP problem can be reduced in polynomial time. NP-Hard problems need not be in NP and need not yield a binary result.
The National Security Agency, a United States governmental organization responsible for signals intelligence and for the protection of U.S. government communications.
The Number Field Sieve, asymptotically the fastest known general-purpose algorithm for factoring large integers.
[Undefined]
Pseudonymous remailers. A class of remailer which allows users to send emails and make usenet posts under a pseudonym. The software keeps a database of those pseudonyms to real email addresses so that replies can be sent directly to the authors of messages.
[Undefined]
Truly random data, as long as the plaintext, which is used as a cryptographic key exactly once. One Time Pads are provably unbreakable since the key material, and therefore the resulting ciphertext, is truly random and reveals nothing about the plaintext. However, one time pads are usually impractical due to the need to securely transmit a pad as long as the message to the recipient, and they fail completely if a pad is ever reused.
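The one-time pad and its failure mode, reuse, as an added example that is not part of the original dictionary. Pads come from the operating system's random source; the two messages and the crib are constructed.

```python
"""One-time pad: XOR with a pad as long as the message, used once."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp(pad: bytes, data: bytes) -> bytes:
    """XOR with the pad; the same call decrypts. A pad shorter than the
    data is refused: repeating or stretching it is no longer a one-time pad."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; never reuse or repeat a pad")
    return xor_bytes(pad[:len(data)], data)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad protected both messages, c1 XOR c2 = p1 XOR p2: the pad
    cancels and the attacker holds the XOR of the two plaintexts without
    ever learning the key."""
    return xor_bytes(c1, c2)


def recover_with_crib(leak: bytes, crib: bytes, offset: int) -> bytes:
    """Knowing or guessing a fragment of one plaintext at `offset` exposes
    the other plaintext at the same position (crib dragging)."""
    return xor_bytes(leak[offset:offset + len(crib)], crib)


if __name__ == "__main__":
    p1 = b"meet at the old mill at dawn"       # constructed
    p2 = b"the shipment leaves on friday"      # constructed
    pad = os.urandom(max(len(p1), len(p2)))
    c1, c2 = otp(pad, p1), otp(pad, p2)        # the mistake: one pad, two messages
    print("round trip ok:", otp(pad, c1) == p1)
    leak = two_time_pad_leak(c1, c2)
    print(recover_with_crib(leak, b"meet at the", 0))   # -> b"the shipmen"
```

Once one plaintext is partly known, the attacker extends the crib word by word; this is how reused pads were broken in practice.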
One way functions are mathematical functions which are easy to compute but difficult to reverse. Modern cryptography is based upon one way functions. For example, it is easy to multiply two large prime numbers together to produce a large composite number, however it is very difficult to factor that large composite number back into the two primes of which it is the product.
A hash algorithm which has the quality of making it very difficult to determine any information about the hashed data from the hash value, or to find any input which hashes to a given value.
A protocol for querying revocation information related to a given certificate or certificate authority in real time, as an alternative to downloading a full CRL. The OCSP protocol is defined in RFC2560 (later revised as RFC6960).
A type of message passing in which multiple layers of encryption and multiple intermediate message passers protect the identities of the source and destination of a message.
An open standard (RFC2440, later RFC4880) which defines the message and key formats of the PGP security system so that independent implementations can interoperate.
See One Time Pad.
Communications which take place over a different, usually more secure, medium or mechanism. For example, key material may be exchanged in a face to face meeting and then used to encrypt internet communications. The face to face meeting is termed to be "out of band" since it did not take place over the internet.
In networking, a datagram. In PGP, a unit of data of a defined type which comprises a PGP key.
In block cyphers, additional data added to plain text in order to make it divisible by the cipher's block size.
[Undefined]
[Undefined]
[Undefined]
[Undefined]
An attack against an encrypted message, or cryptosystem, when some of the plain text from an encrypted message is already known.
[Undefined]
An attack performed on a cryptosystem in which the attacker is not a participant in the communications and protocol of the system. Most often this refers to the transparent interception of cryptographic keys or cipher text without the knowledge of the protocol participants.
A collection of text used as a secret key. Often, a phrase or sentence consisting of several words and special characters.
A secret value which is used to prove the identity of a client in order to allow authentication of that individual. Passwords are usually text values; often they are transformed into cryptographic keys.
see Dictionary Attack.
The act of performing network traffic analysis in order to record any passwords sent over the network.
1. In a pseudo-random number generator, the amount of time before the generator will produce duplicated output. 2. In cryptography, the amount of plain text which can be encrypted with a given key before key material is reused.
Permutation Cypher.
See Pretty Good Privacy.
Public Key Cryptography Standards.
Cross Certification among two or more CAs allowing for trust between their respective userbases.
Most often used to refer to the IETF Public Key Infrastructure X.509 Standardization Working Group. The group's Charter contains additional information about the group and the standards they have generated.
Data, usually text, which is unencrypted and readable.
A class of computer problems for which the run time of a computation is not more than a polynomial of the problem size. In Big-O notation: f(n) = O(n^s).
In Kerberos 5, a ticket which is initially invalid and which becomes valid at some time in the future. Normal Kerberos tickets are only valid from the time they are requested until the time that they expire.
In Kerberos, additional authentication which takes place before a KDC grants a TGT to a principal.
Privacy software developed by Phil Zimmermann, which includes public key cryptography, a standard packet and key format, and symmetric encryption as well.
Polyalphabetic Cypher.
[Undefined]
[Undefined]
The quality of having only two factors.
A number which has only two factors, one and the number itself.
A heuristic, and possibly statistical, test used to check if a number is likely prime.
A basic human right. In the United States it is guaranteed by the U.S. Constitution.
An internet standard defined in RFC1421, RFC1422, RFC1423 and RFC1424 which involves the use of PKI for securing internet email.
A method, or set way, of performing a single task or group of tasks, or defined procedure of communication between multiple entities.
The cryptographic algorithms a piece of software is capable of supporting.
A cryptographic algorithm which can be demonstrated to be secure through the use of a mathematical proof.
[Undefined]
[Undefined]
Data which is not truly random, but which is sufficiently random for most cryptographic applications.
A random number generator which has not been proven to produce truly random output. Most random number generators used today fall into this category. The most common way of generating random input for key generation involves sampling hardware interrupts from a personal computer or server.
In public key cryptography, the key of a key pair which is shared.
A type of cryptography in which two keys are used, a public key and a private key. The two keys are termed a key pair. The private key must be kept secret; however, the public key may be posted and shared without significantly reducing the strength of the key pair. This ability to post the public key is tremendously valuable because it solves the problem of secure key exchange.
A class of standards which provide a workable infrastructure for sharing and certifying public keys in the form of standardized certificates while securely identifying real world identities as the owners of those certificates.
see Keyserver.
A keyring consisting of Public Keys. This term is most often used in relation to PGP.
A sieving method which can be used to factor large numbers, such as the composites used in RSA cryptography.
Communication performed with a single particle in a known state. With current technology, the particle is a photon with a known spin. Communication performed in this way is theoretically impossible to eavesdrop on due to the Heisenberg Uncertainty Principle.
A computer which makes use of quantum phenomena to perform computation.
A type of cryptography in which the laws of physics are relied upon to prevent eavesdropping. Specifically, the Heisenberg uncertainty principle theoretically prevents data from being observed in transit by anyone other than the intended final receiver.
[Undefined]
[Undefined]
A quantum bit. The basic unit of value in a quantum computer.
A method of encoding data so that it may be transmitted over a channel which only supports 8 bit characters. For example, such a channel could be email or the Usenet.
The quality of being without order and unpredictable.
A number which was selected with no bias or predictability.
Random Walk.
A device which produces a stream of random numbers. On Unix based operating systems this is most often a software device which gathers randomness by monitoring system interrupt signals, but such a device may also be a system which gathers data from a naturally random source such as radioactive decay.
[Undefined]
A method of attacking a server which is performing cryptographic operations in which the attacker forces the server to perform operations which deplete the amount of entropy available to it. If entropy is sufficiently depleted, cryptographic operations may become predictable and therefore weak enough to reveal secret data.
A cryptographic algorithm.
A cryptographic algorithm.
An implementation of authentication and authorization technologies such as Kerberos and LDAP which allows a single username and password to be used across most of the enterprise.
see Anonymous Remailer.
The re-presentation of credentials or network traffic in order to attempt to defeat a cryptosystem or authentication system.
The fraudulent representation of credentials or network traffic in order to attempt to defeat a cryptosystem or an authentication system.
Repudiate.
A publicly held valuation of a known history of previous actions or of possessed skill and ability.
A software system designed to track the amount of trust and perceived reputations of its participants. The Advogato web community is one instance of an implementation of such a system.
The certification of an entity by a given entity in a web of trust.
A statement that a given certificate of key pair binding is no longer valid.
A certificate which is a digitally signed statement that a given key pair or certificate is no longer valid.
The amount of time which passes between the revocation of a key or key pair and the receipt or realization, by other parties involved in or initiating communication, that the key has been revoked. Revocation Delays may be used in attempts to compromise or exploit cryptographic protocols.
A signature that specifies that the user id or key is no longer to be used. Revocation signatures may be circulated as part of a PGP public key, or in a detached form.
An internet standards document published by the IETF.
see Request For Comments.
Ring Signature.
An encryption standard which was chosen to be the Advanced Encryption Standard (AES). Therefore, Rijndael is also known as AES.
An area of mathematics which plays a role in the General Number Field Sieve.
[Undefined]
See Root Certificate Authority.
A trusted certificate authority at the top of the trust hierarchy which signs the certificates of other certificate authorities, allowing those certificates and authorities to be trusted.
A Caesar cipher which rotates the English alphabet 13 spaces. It gained popularity on the Usenet as a way to scramble non-sensitive data from casual readers. The ROT13 cipher was not intended to be secure; its goal was just to add an extra step in the reading of messages.
One iteration of a cryptographic algorithm.
Reusable Proof of Work.
A cryptographic protocol named for the initials of its inventors, Rivest, Shamir and Adleman. The algorithm's strength is based on the hard problem of determining the prime factors of a large composite number. The RSA algorithm can be used to perform encryption or digital signatures.
Cryptanalysis which is performed by persuading an individual to reveal a secret key through torture or duress.
A Substitution Box, or Substitution Array. These arrays of numbers are used to add additional variance into the cyphertext output of block encryption algorithms in order to protect the output and cryptosystem from differential and linear cryptanalysis.
A seed value used in the encryption of a plaintext password to expand the number of possible resulting ciphertexts from a given plaintext. The use of a salt value is a defensive measure against dictionary attacks against encrypted passwords.
[Undefined]
[Undefined]
1. In public key cryptography, the key of a key pair which is kept secure. 2. In symmetric key cryptography, the key which is used to secure a message.
A collection of secret keys. Most often this term is used in relation to PGP where it defines a collection of secret key packets.
Secret Sharing Scheme.
A login shell tunneled over SSL.
A protocol which establishes a secure, persistent connection to another host over a specific port. SSL is most widely known for its use in the HTTPS protocol.
1. A value used to initialize a cryptographic operation. 2. A value used as a starting point for a cryptographic protocol or operation. Most often this term refers to a value used to initialize a pseudorandom number generator.
A signature made on a public key and user id packet with the secret key associated with the public key being signed. The signature generated is used to validate the association of the user id with the public key material. The need to sign user ids with the secret key prevents anyone who does not possess the secret key from modifying existing user ids (by changing the listed email address, for example) or from adding new user ids.
A method of attack which involves a third party intercepting communications in a session, or series of communications, and pretending to be one of the parties involved in the session.
A key which is generated and used only for one communications session after which it is discarded.
A Secret Key, or other piece of information which is held by two parties who wish to communicate securely. The information may be used to perform identity verification, key exchange, or encryption and decryption.
Shor's Algorithm.
A slang term referring to the observation of an individual entering their password without their knowledge. Historically, this involved looking over the individual's shoulder while they were sitting at a terminal. Contemporary use of this term can include any visual observation which reveals secret information.
A method of classification of a group of numbers which allows the determination or estimation of which numbers are prime. Such methods are used in factoring to speed the process by eliminating the need to test numbers for primality which are clearly divisible by another number.
An attack against a cryptosystem which uses observations other than just the data inputs and outputs of the encryption device. Some examples of such attacks include attacks which enable an attacker to gain an edge in the determination of the encryption key by the observation of power consumption, compute time, and heat radiation.
[Undefined]
[Undefined]
[Undefined]
Internet PKI standards developed by an IETF working group which were designed to be easier to use and implement than existing PKI standards in order to allow and encourage wider adoption. The current SPKI standards are defined in RFC2692 and RFC2693.
A system of authentication which allows a user name and password to be used across the enterprise.
A card which includes a computer chip which is capable of performing a role in a cryptosystem. Smart Cards are used primarily for authentication.
[Undefined]
The secured version of the MIME internet email standard. S/MIME is defined in RFC2633 and RFC2632.
Encryption which is weak due to theoretical or implementation flaws.
The performance of traffic analysis on a network.
Simple Public Key Infrastructure.
In Kerberos, a disk store of secret keys.
A keypair which is long lived or does not change. For example, such a key pair may be used to establish an initial session and negotiate a session keypair or a series of session key pairs.
The science of hiding secret data in public data. An example of this would be the hiding of encrypted data in a publicly posted and distributed digital image.
A cryptosystem which operates upon data as a stream of bits rather than divided into blocks.
Cryptography which is of military grade strength. Cryptography which is thought to be unbreakable in a small amount of time.
In PGP, a key which is part of a key pair which is attached to a primary key pair. The primary keypair is used for the creation and verification of digital signatures while the subkey pair is used for the encryption of secret messages.
In PGP, a signature by a private key which binds a public subkey to the keypair that the signing private key is a part of.
A communications channel which is hidden in another visible communication channel. The subliminal channel relies upon its concealment to provide security although information communicated in a subliminal channel may be encrypted.
A cipher in which one plaintext symbol is substituted for a ciphertext symbol.
An attack in which a message is intercepted and suppressed, then later presented to the original recipient by the attacker.
See Secure Shell.
See Secure Sockets Layer.
[Undefined]
[Undefined]
[Undefined]
A cypher which makes use of symmetric key cryptography.
A type of cryptography in which only one key is used to both encrypt and decrypt data.
A quality of a cryptosystem which attempts to prevent tampering activities such as cryptanalysis, modification, or key recovery.
An acronym for Transient Electromagnetic Pulse Emanation Surveillance Technology. A system developed by the US Government which allows an attacker to analyze the electromagnetic radiation emitted from the hardware used in a cryptosystem in order to determine secret information including cryptographic keys.
An estimation of the capabilities and methods of attack which must be resisted when selecting or designing a cryptosystem.
In Kerberos, a data message consisting of the client's identity, a session key, a timestamp, and other information, all encrypted with the server's secret key. It is used to perform authentication.
In Kerberos, a service which is capable of and authorized for issuing tickets to clients after they have acquired a Ticket Granting Ticket (TGT).
In Kerberos, a ticket which contains a session key to be used in communication between the client and the KDC.
[Undefined]
A digital signature which includes a time and date, thereby certifying that the content was signed at a given time. Time Stamps may be made on the data being certified itself or on a sufficiently strong hash value of that data.
A trusted time stamping service.
The attack of a cryptosystem by monitoring the amount of processing time which is needed to perform operations.
A break in a cryptographic protocol which reduces the effort required to compromise the protocol to easily tractable levels.
see Transport Layer Security.
An Onion Routing network.
A class of ciphers that make use of the discrete logarithm problem for their security like elliptic curve cryptosystems, but compute the discrete logs over a torus.
[Undefined]
The study of network data in order to defeat a cryptosystem or determine secret information.
In Kerberos 5, the ability to chain trust together between realms, building in effect a trust path, so that a principal in realm X that wishes to authenticate a principal in realm Z does not need the KDC for realm X to share a secret with realm Z, provided both realm X and realm Z share a secret with realm Y. Realm Y can be used as a "hop" in a trust path.
An IETF standard for a secure internet communications protocol which performs key exchange and encryption at the transport level so that an application developer does not need to perform these tasks separately for each protocol used by his application. The TLS standard is defined in RFC2246.
A cipher which encodes information by reordering the plaintext.
A system or component of a system that allows those who know of it to easily avoid the security features of the system. Most often, a weakness intentionally built into a cryptographic system to allow data to be intercepted or modified without the knowledge of the data source.
[Undefined]
A variant of DES in which data is encrypted three times with standard DES using two different keys.
A computer program or piece of computer code which is said to do something but actually performs something different when run. Most often, the unsuspected execution includes a compromise of a cryptosystem or of system security.
Data which is perfectly random. This term is often used to describe theoretical ideal situations. Truly Random data is believed to exist in nature in nuclear decay.
Belief in the authenticity of a claim or the validity of data.
In a reputation system, a node which has been identified as worthy of an inherent weight or amount of trustworthiness.
A route by which trust is extended from one entity to another. In PGP, this is a link of trust between two public keys.
A trusted arbitrator in cryptographic protocols.
see Time Stamp Authority.
see Time Stamping Service.
A virtual connection formed between two systems over an untrusted network which uses software or a hardware device to encrypt all communications sent through it.
[Undefined]
[Undefined]
A challenge response system in which the client is shown a secret which only they and the service that they wish to authenticate to are believed to know when they are prompted to authenticate with the server.
The point at which a plain text message and the key it is to be encrypted with can only result in one valid decrypted message. Ciphertext messages which are below the unicity distance, when subjected to cryptanalysis, can reveal multiple valid "decryptions" to meaningful plaintext messages.
A signature which cannot be repudiated.
[Undefined]
A decentralized model of key material authentication where users of the system are depended upon to validate identity. The most prominent example of the deployment of such a system in the real world is the web of trust used by PGP.
A type of Block Cipher which does not have a block size fixed within the cipher definition.
A computer which operates on vectors of bits rather than single words. Vector registers allow such computers to hold an entire block of a block cipher in a single register and then perform an operation on the entire block in a single CPU operation.
A computer register which can hold more than a single word.
The act of validating presented data and statements either by checking with an authoritative source or by recomputing the presented data and statements.
A virtual network connection between two points of presence over which all traffic is encrypted. Such encrypted virtual circuits are often used to allow remote users or offices to communicate securely with a home office even while using insecure applications (applications which do not have the capacity to encrypt their network traffic).
[Undefined]
A weakness or flaw in a system. Often, a flaw in a software implementation or standard.
The use of steganography to hide an identifying mark within digital information. Water Marks are often used to identify the owner of digital content.
An international treaty which restricts the export of encryption technology by participating countries.
The collection of signatures upon keys and resultant trust paths in a user centric trust model which provide for authentication. Collectively, the trust relationships between a group of keys.
In a cryptosystem, a key which when used makes cryptanalysis of the resulting ciphertext easier. The implementations of most cryptosystems known to have weak keys test for weak keys during key generation and reject any such keys that occur before they are used.
[Undefined]
[Undefined]
[Undefined]
The analysis of the frequency of words occurring in plain text in order to use the data to attempt to determine the identity of an anonymous author. The frequency of word usage can be combined with other characteristics of individual writing such as the occurrence and frequency of misspellings and grammatical errors.
A standardized format for digital certificates.
A computation with two bits of data where A or B may be true but not both. It is sometimes used as an elementary form of data hiding or as a component of cryptosystems. XOR is short for Exclusive OR.
XOR Truth Table
0 ^ 0 = 0
0 ^ 1 = 1
1 ^ 0 = 1
1 ^ 1 = 0
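As an added example, not part of the original dictionary, the following Python ties this XOR entry to the One Time Pad and Unicity Distance entries above: it builds the truth table, encrypts with a pad, shows that the same ciphertext is consistent with any equal-length plaintext (which is why a pad-protected message never reaches the unicity distance), and shows what reusing a pad leaks. The pad and messages are constructed sample values.

```python
# Added example, not from the crypto dictionary: XOR, the one-time pad built on
# it, and what the unicity-distance entry means for a pad-protected message.
# SAMPLE_PAD, MESSAGE_A and MESSAGE_B are constructed sample values.
import secrets


def xor_bit(a: int, b: int) -> int:
    """Exclusive OR of two bits: 1 when exactly one input is 1, else 0."""
    return a ^ b


def xor_truth_table():
    """The four rows of the XOR truth table as (a, b, a ^ b)."""
    return [(a, b, xor_bit(a, b)) for a in (0, 1) for b in (0, 1)]


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """XOR two equal-length byte strings; a pad is never stretched or truncated."""
    if len(x) != len(y):
        raise ValueError("pad and data must be the same length")
    return bytes(a ^ b for a, b in zip(x, y))


def new_pad(length: int) -> bytes:
    """Fresh pad bytes from the OS CSPRNG; a true pad needs truly random bits."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation as encryption.
    return xor_bytes(ciphertext, pad)


def pad_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """For every candidate plaintext of the right length some pad yields it.

    Every meaningful "decryption" is equally consistent with the ciphertext,
    so cryptanalysis alone cannot single out the real message.
    """
    return xor_bytes(ciphertext, candidate)


def pad_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """If one pad encrypts two messages, XORing the ciphertexts cancels the pad
    and exposes plaintext1 XOR plaintext2; this is why the pad is used once."""
    return xor_bytes(ciphertext1, ciphertext2)


# Constructed sample values for a stand-alone run.
SAMPLE_PAD = bytes.fromhex("4a1fc3a07e92")
MESSAGE_A = b"ATTACK"
MESSAGE_B = b"RETIRE"

if __name__ == "__main__":
    ct = otp_encrypt(MESSAGE_A, SAMPLE_PAD)
    print(xor_truth_table())                       # [(0,0,0),(0,1,1),(1,0,1),(1,1,0)]
    print(otp_decrypt(ct, SAMPLE_PAD))             # b'ATTACK'
    alt = pad_that_decrypts_to(ct, MESSAGE_B)
    print(otp_decrypt(ct, alt))                    # b'RETIRE': same ciphertext, other pad
    leak = pad_reuse_leak(ct, otp_encrypt(MESSAGE_B, SAMPLE_PAD))
    print(leak == xor_bytes(MESSAGE_A, MESSAGE_B)) # True: the pad cancelled out
```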
A proof by which a secondary party can show a primary party that it is in possession of some information without revealing anything about the information the secondary party holds.