SSL/TLS Terms and Acronyms (Including Some General Cryptography Definitions)
- Triple-DES (Triple-Data Encryption Standard--DES repeated three times).
- Triple-DES Encrypt-Decrypt-Encrypt. The most popular version of 3DES
- Access Control List
- Advanced Encryption Standard
- Authentication Header
- American National Standards Institute
- Application Program Interface
- Abstract Syntax Notation 1. Designed as part of the International
Telecommunications Union's Open Standards Interconnect (OSI)
effort as a description language for the OSI protocols. See also BER and
- Attribute-Value Assertion. An attribute-value pair.
- Basic Encoding Rules. A set of ASN.1 encoding
rules that allows several ways of encoding any given piece of
- Basic Input/Output. Used by OpenSSL "to
provide a layer of abstraction for I/O. As long as your object meets
the BIO interface, it doesn't matter what the underlying I/O device
is." --Rescorla, p. 261
- Block cipher designed by Bruce Schneier, "intended for
implementation on large microprocessors>"
- Bureau of Export Administration
- Certificate Authority. Certification Authority
- Caesar Cipher
- A rotation cipher where each letter is replaced by the character three
to the right modulo 26.
- Carlisle Adams and Stafford Tavares 5. Block cipher named after its
- Cipher Block Chaining. A symmetric encryption technique used with
block ciphers in which the encryption of each plaintext block depends
on the ciphertext of the previous block.
- Cipher Block Chaining Message Authentication Code
- Commercial Data Masking Facility
- Content Encryption Key
- Someone's public key, signed by a trusted third party. An X.509 certificate object
- Communications-Electronics Security Group
- The type of encryption used (for a connection)
- Cryptographic Messaging Syntax
- Common Name. Typically the most specific (?) component of a
Distinguished Name (DN). In certificates for
specific hosts, the CN is generally the fully qualified host
- Challenge Response Authentication Mechanism-Message Digest 5
- Cyclic Redundancy Check
- Certificate Revocation List. (Pronounced "krill")
- Certificate Signing Request
- Distinguished Encoding Rules. A process for unambiguously
converting an object specified in ASN.1 into
binary values for storage or transmission on a network. Format is
similar to C structs, except that type definitions are "backwards":
the name is first, followed by the data type. See also BER.
- Data Encryption Standard. A symmetric encryption algorithm
designed by IBM in the 1970s and published as a U.S. standard by the
National Institutes of Sciences and Technology. A block cipher
operating on 56-bit blocks.
- Diffie-Hellman. A key exchange algorithm published in 1976 by
Whitfield Diffie and Martin Hellman.
- Dynamic Host Configuration Protocol.
- Distinguished Name (X.500). A hierarchically structured name
capable of providing a unique name for every entity in a network. Some
common components of a DN are Country (C=), Organization (O=),
Organizational Unit (OU=) and Common Name (CN=).
- Domain Name System
- One form of subjectAltName extension (in X.509 version 3) that is used to represent a domain
- DNS Security
- Digital Signature Algorithm. A public-key (assymetric) algorithm
that can be used for digital signatures (but not for
encryption). Published as a U.S. standard by the National Institutes
of Sciences and Technology.
- Digital Subscriber Line
- Digital Signature Standard
- Digital Signature Standard 1. OpenSSL treats DSS1 as a synonym of
SHA1. As an option fo OpenSSL's dgst command, you must refer to SHA1
as -dss1; elsewhere in OpenSSL, use sha1.
- Elliptic Curve. "EC ciphers replace the prime integer field of DH
and DSS with a field composed of points on an elliptic curve."
--E. Rescorla, p. 103.
- Electronic Code Book
- Ephemeral Diffie-Hellman. A Diffie-Hellman key exchange in which
the parameters are created for a single session.
- Explicit Diffie-Hellman. A DH key exchange in which some of the
parameters are establisned in advance.
- Entropy Gathering and Distribution System
- Entropy Gathering Daemon
- Lasting for a brief time.
- Ephemeral RSA. A variant of RSA that allows communication between
an exportable client and a domestic server with a permanent strong key.
- Encapsulating Security Payload
- EVP API
- Envelope Application Program Interface. OpenSSL's EVP API is an
interface to every symmetric encryption algorithm supported by
- Federal Information Processing Standard
- A PC card (with PCM-CIA form factor) designed by the
U.S. government. Originally designed to provide strong cryptography
while allowing the NSA to intercept communications.
- File Transfer Protocol.
- FTP over SSL; Secure FTP.
- Greenwich Mean Time. The prime meridian goes through Greenwich,
England. The world's time zones are described as negative or positive
offsets from GMT. The same as (the more current) UTC.
- Hashed Message Authentication Code. (Hashed MAC.) A standardized
approach to using hash algorithms to create message authentication
codes. HMAC is generally a pair of nested digests: the first is a
digest the key and the data; the second is a digest of the key and the
output of the first digest.
- Hypertext Markup Language
- Hypertext Transfer Protocol
- HTTP Secure. The first public implementation of HTTP over SSL, released in version 2 of Netscape Navigator in 1995. Finally documented in RFC 2818. Different from SHTTP.
- Internet Assigned Numbers Authority
- Internet Control Message Protocol
- International Data Encryption Algorithm. Symmetric block cipher
with 128-bit keys and 64-bit blocks.
- Internet Explorer
- Internet Engineering Steering Group. Authorizes documents to
- Internet Engineering Task Force.
- Internet Information Server
- Internet Key Exchange
- Internet Mail Access Protocol
- Internet Protocol
- Internet Protocol Security
- Internet Security Association and Key Management Protocol
- Internet Standards Organization
- Internet Service Provider
- International Telecommunications Union
- Initialization Vector. A block of random data used as the initial
chaining value for the first iteration of Cypher Block Chaining
- Java Cryptography Architecture.
- Java Development Kit
- Java Native Interface
- Key Derivation Function
- Key Exchange Algorithm. A variant of DH used by Fortezza cards.
- Key Encryption Key
- The private key. (Often refers to the private part of the whole
- Kerberos version 5. A symmetric-key based authentication system
developed at MIT.
- Lightweight Directory Access Protocol
- Law Enforcement Access Field
- Message Authentication Code. A key-dependent one-way hash
function. (Only someone with knowledge of the secret key can verify
the hash value.)
- Message Digest 4. A one-way hash function designed by Ron
- Message Digest 5. A one-way hash function designed by Ron
Rivest. A stronger version of MD4.
- Message Digest Cipher 2, sometimes called Meyer-Schilling. Developed at IBM
- Message Digest
- A function that outputs a fixed-length string from input of
arbitrary length. Synonym: hash function.
- Man in the Middle. An attack in which the attacker sits between
two hosts that are trying to communicate and
intercepts all of the messages.
- MIME Object Security Services
- Maximum Segment Size (Ethernet)
- Nagle Algorithm
- A TCP algorithm designed to reduce tinygrams by delaying
the sending of new data (and continuing to accumulate additional data
in the write buffer) until previously send data has been
acknowledged. The algorithm also delays sending ACKs
(acknowledgements) trying to piggyback it on a data segment that it
will (soon) send out. Nagle's algorithm can cause SSL to perform
- Network Address Translation
- National Institute of Standards and Technology. (Previously known
as the National Bureau of Standards [NBS].)
- Network News Transfer Protocol.
- NNTP over SSL.
- A random number sometimes sent with a certificate during a
handshake to discourage replay attacks.
- National Security Agency
- Online Certificate Status Protocol
- Object Identifier
- An Open Source library that implements the SSL and TLS protocols.
- Open Standards Interconnect. An effort of the International
- Personal Computer Memory Card International Association. Also
called PC Card.
- Private Communications Technology. Microsoft's enhancement of
SSLv2, published in October 1995.
- Privacy Enhanced Mail
- Perfect Forward Secrecy. Used to describe a condition where, even
if a server's private authentication key is known by an attacker, the
attacker cannot attack any session already established and shut down.
- A key storage standard designed by Microsoft. Now known as PKCS #12.
- Pretty Good Privacy
- Personal Identification Number
- Public Key Cryptography. The same as asymetric cryptography,
where encryption and decryption use different keys--one of them
public, the other private.
- Public-Key Cryptography Standards. RSA Data Security, Inc.'s
attempt to provide an industry standard interface for public-key
- Public-Key Cryptography Standard #7
- Public-Key Cryptography Standard #10
- Public Key Infrastructure
- Public Key Infrastructure. Part of the name of the IETF Public Key
Infrastructure working group
- Point-to-Point Protocol
- Pre-Master Secret
- A value computed by the client during the ClientKeyExchange. It is
a random value (generated on the client), encrypted under the server's
public key, then transmitted to the server.
- Pseudo-Random Function
- Pseudo-Random Number Generator
- Quality of Protection
- Registration Authority
- Ron's Code 2, or (officially) Rivest Cipher 2. A popular
variable-key-size encryption algorithm designed by Ron Rivest for RSA
Data Security, Inc.
- Ron's Code 4, Rivest Cipher 4. A symmetric
stream cipher (popular because it is very fast).
- Ron's Code 5, Rivest Cipher 5
- Relative Distinguished Name. A sequence of RDN's make up a DN
(distinguished name). Each RDN is an attribute value assertion (AVA).
- In the DIGEST-MD5 authentication mechanism, "the name of a
collection of accounts that might include the user's account. This
string should contain at least the name of the host performing the
authentication and might additionally indicate the collection of users
who might have access. An example might be
'email@example.com'." --RFC 2831
- relatively prime
- Two numbers are relatively prime if they share no factors other
than one. (The two numbers themselves may or may not actually be prime.)
- Request for Comment
- RACE Integrity Primitives Evaluation Message Digest 160-bit
hash. (RACE = The Research and Development in Advanced Communication
Technologies in Europe program.) A 160-bit hash (message digest), not
nearly as common as SHA1 (also 160 bits). OpenSSL refers to this
algorithm as rmd160
- Same as RIPEMD-160
- Random Number Generator
- Substitution cipher that rotates each letter 13 places.
- Rivest, Shamir and Adleman. The most popular public-key algorithm,
invented in 1977 and named after its creators: Ron Rivest, Adi Shamir
and Leonard M. Adleman.
- RSA Data Security, Inc.
- Security Association (IPSec)
- safe prime
- A prime number p with the quality that (p-1)/2
is also prime. Diffie-Hellman's p parameter must be a safe
prime. Also known as strong prime.
- A public random value included as part of the input to a key
- Sensitive But Unclassified
- Server Gated Cryptography. Technique of having servers determine
key length (used in the days before cryptographic export
- Secure Hash Algorithm. A U.S. standard published by the National
Institutes of Sciences and Technology.
- Secure Hash Algorithm 1. A U.S. standard published by the National
Institutes of Sciences and Technology. A stronger hash algorithm
derived from MD4. Has 160-bit out.
- Secure Hypertext Transfer Protocol
- Secure Key Eschange Mechanism for Internet
- Block cipher encryption algorithm developed by the National
Security Agency for use with the Clipper and Capstone chips. It is
- Secure/Multipurpose Internet Mail Extensions. Secure MUltipurpose Internet Mail Exchange
- Simple Mail Transfer Protocol
- NNTP over SSL
- Security Parameter Index.
- Secure Socket Layer
- Secure Socket Layer Eric A. Young (Eric A. Young's Secure Socket
Layer). OpenSSL is based on Eric's original SSLeay
implementation. The perl implementation of OpenSSL is Net::SSLeay.
- Netscape's implementation of negotiating a strong cipher
suite. (Required by the U.S. government before export restrictions
- Secure Transport Layer Protocol. Microsoft's modification of SSLv3
(1996). Intended to work over a datagram transport such as UDP.
- strong prime
- Same as safe prime.
- Station-to-Station Protocol
- An X.509 version certificate extension that contains alternate
name forms for the subject of the certificate.
- Transmission Control Protocol/Internet Protocol
- Total Encryption Key
- Transient Electromagnetic Pulse Emanation Standard
- Ticket Granting Server. A Kerberos server--trusted by every entity
on a network--that grants "tickets."
- Very small packets
- Transport Layer Security
- User Datagram Protocol
- Message Authentication Code using Universal Hashing. See http://www.cs.ucdavis.edu/~rogaway/umac/.
- Uniform Resource Identifier. (Superset of URL)
- Uniform Resource Locator. (Subset of URI)
- Universal Time, Coordinated; Coordinated Universal Time. Formerly known as GMT.
- Virtual Private Network
- Wireless Transport Layer Security. The Wireless Application
Forum's TLS variant (1998) that works over a datagram transport such
- The most widely accepted format for certificates, first introduced
- Version 3 of X.509, introduced in 1996. Included support for
- Exclusive OR Cipher Block Chaining Message Authentication
Code. Variant of CBC-MAC developed by Black and Rogaway.
- Exclusive OR Message Authentication Code. A highly parallelizable
block cipher "suitable for authenticating traffic on a gigabit
Compiled by Weldon Whipple <firstname.lastname@example.org>. Sources
- Eric Rescorla, SSL and TLS: Designing and Building Secure
Systems (Addison-Wesley, c2001).
- John Viega, Matt Messsier, Pravir Chandra,
Network Security with OpenSSL (O'Reilly, 2002).
- Stephen A. Thomas, SSL & TLS Essentials: Securing the Web
- Bruce Schneier, Applied Cryptography, Second Edition:
Protocols, Algorithms, and Source Code in C (Wiley, 1996).