SSL/TLS Terms and Acronyms (Including Some General Cryptography Definitions)

3

3DES
Triple-DES (Triple-Data Encryption Standard--DES repeated three times).
3DES-EDE
Triple-DES Encrypt-Decrypt-Encrypt. The most popular version of 3DES.

a

ACL
Access Control List
AES
Advanced Encryption Standard
AH
Authentication Header
ANSI
American National Standards Institute
API
Application Program Interface
ASN.1
Abstract Syntax Notation 1. Designed as part of the International Telecommunications Union's Open Standards Interconnect (OSI) effort as a description language for the OSI protocols. See also BER and DER.
AVA
Attribute-Value Assertion. An attribute-value pair.

b

BER
Basic Encoding Rules. A set of ASN.1 encoding rules that allows several ways of encoding any given piece of data.
BIO
Basic Input/Output. Used by OpenSSL "to provide a layer of abstraction for I/O. As long as your object meets the BIO interface, it doesn't matter what the underlying I/O device is." --Rescorla, p. 261
Blowfish
Block cipher designed by Bruce Schneier, "intended for implementation on large microprocessors."
BXA
Bureau of Export Administration

c

CA
Certificate Authority. Certification Authority
Caesar Cipher
A rotation cipher where each letter is replaced by the character three to the right modulo 26.
CAST5
Carlisle Adams and Stafford Tavares 5. Block cipher named after its creators.
CBC
Cipher Block Chaining. A symmetric encryption technique used with block ciphers in which the encryption of each plaintext block depends on the ciphertext of the previous block.
CBC-MAC
Cipher Block Chaining Message Authentication Code
CDMF
Commercial Data Masking Facility
CEK
Content Encryption Key
Cert
Certificate
Certificate
Someone's public key, signed by a trusted third party. An X.509 certificate object
CESG
Communications-Electronics Security Group
Cipher
The type of encryption used (for a connection)
CMS
Cryptographic Messaging Syntax
CN
Common Name. Typically the most specific (?) component of a Distinguished Name (DN). In certificates for specific hosts, the CN is generally the fully qualified host name.
CRAM-MD5
Challenge Response Authentication Mechanism-Message Digest 5
CRC
Cyclic Redundancy Check
CRL
Certificate Revocation List. (Pronounced "krill")
CSR
Certificate Signing Request

d

DER
Distinguished Encoding Rules. A process for unambiguously converting an object specified in ASN.1 into binary values for storage or transmission on a network. Format is similar to C structs, except that type definitions are "backwards": the name is first, followed by the data type. See also BER.
DES
Data Encryption Standard. A symmetric encryption algorithm designed by IBM in the 1970s and published as a U.S. standard by the National Institutes of Sciences and Technology. A block cipher operating on 56-bit blocks.
DH
Diffie-Hellman. A key exchange algorithm published in 1976 by Whitfield Diffie and Martin Hellman.
DHCP
Dynamic Host Configuration Protocol.
DN
Distinguished Name (X.500). A hierarchically structured name capable of providing a unique name for every entity in a network. Some common components of a DN are Country (C=), Organization (O=), Organizational Unit (OU=) and Common Name (CN=).
DNS
Domain Name System
dNSName
One form of subjectAltName extension (in X.509 version 3) that is used to represent a domain name.
DNSSEC
DNS Security
DSA
Digital Signature Algorithm. A public-key (asymmetric) algorithm that can be used for digital signatures (but not for encryption). Published as a U.S. standard by the National Institutes of Sciences and Technology.
DSL
Digital Subscriber Line
DSS
Digital Signature Standard
DSS1
Digital Signature Standard 1. OpenSSL treats DSS1 as a synonym of SHA1. As an option for OpenSSL's dgst command, you must refer to SHA1 as -dss1; elsewhere in OpenSSL, use sha1.

e

EC
Elliptic Curve. "EC ciphers replace the prime integer field of DH and DSS with a field composed of points on an elliptic curve." --E. Rescorla, p. 103.
ECB
Electronic Code Book
EDE
Encrypt-Decrypt-Encrypt
EDH
Ephemeral Diffie-Hellman. A Diffie-Hellman key exchange in which the parameters are created for a single session.
Explicit Diffie-Hellman. A DH key exchange in which some of the parameters are established in advance.
EEE
Encrypt-Encrypt-Encrypt
EGADS
Entropy Gathering and Distribution System
EGD
Entropy Gathering Daemon
ephemeral
Lasting for a brief time.
ERSA
Ephemeral RSA. A variant of RSA that allows communication between an exportable client and a domestic server with a permanent strong key.
ESP
Encapsulating Security Payload
EVP API
Envelope Application Program Interface. OpenSSL's EVP API is an interface to every symmetric encryption algorithm supported by OpenSSL.

f

FIPS
Federal Information Processing Standard
Fortezza
A PC card (with PCMCIA form factor) designed by the U.S. government. Originally designed to provide strong cryptography while allowing the NSA to intercept communications.
FTP
File Transfer Protocol.
FTPS
FTP over SSL; Secure FTP.

g

GMT
Greenwich Mean Time. The prime meridian goes through Greenwich, England. The world's time zones are described as negative or positive offsets from GMT. The same as (the more current) UTC.

h

HMAC
Hashed Message Authentication Code. (Hashed MAC.) A standardized approach to using hash algorithms to create message authentication codes. HMAC is generally a pair of nested digests: the first is a digest of the key and the data; the second is a digest of the key and the output of the first digest.
HTML
Hypertext Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
HTTP Secure. The first public implementation of HTTP over SSL, released in version 2 of Netscape Navigator in 1995. Finally documented in RFC 2818. Different from SHTTP.

i

IANA
Internet Assigned Numbers Authority
ICMP
Internet Control Message Protocol
IDEA
International Data Encryption Algorithm. Symmetric block cipher with 128-bit keys and 64-bit blocks.
IE
Internet Explorer
IESG
Internet Engineering Steering Group. Authorizes documents to become RFCs.
IETF
Internet Engineering Task Force.
IIS
Internet Information Server
IKE
Internet Key Exchange
IMAP
Internet Mail Access Protocol
IP
Internet Protocol
IPsec
Internet Protocol Security
ISAKMP
Internet Security Association and Key Management Protocol
ISO
Internet Standards Organization
ISP
Internet Service Provider
ITU
International Telecommunications Union
IV
Initialization Vector. A block of random data used as the initial chaining value for the first iteration of Cipher Block Chaining (CBC).

j

JCA
Java Cryptography Architecture.
JDK
Java Development Kit
JNI
Java Native Interface

k

KDF
Key Derivation Function
KEA
Key Exchange Algorithm. A variant of DH used by Fortezza cards.
KEK
Key Encryption Key
Key
The private key. (Often refers to the private part of the whole certificate.)
KRB5
Kerberos version 5. A symmetric-key based authentication system developed at MIT.

l

LDAP
Lightweight Directory Access Protocol
LEAF
Law Enforcement Access Field

m

MAC
Message Authentication Code. A key-dependent one-way hash function. (Only someone with knowledge of the secret key can verify the hash value.)
MD4
Message Digest 4. A one-way hash function designed by Ron Rivest.
MD5
Message Digest 5. A one-way hash function designed by Ron Rivest. A stronger version of MD4.
MDC2
Message Digest Cipher 2, sometimes called Meyer-Schilling. Developed at IBM.
Message Digest
A function that outputs a fixed-length string from input of arbitrary length. Synonym: hash function.
MITM
Man in the Middle. An attack in which the attacker sits between two hosts that are trying to communicate and intercepts all of the messages.
MOSS
MIME Object Security Services
MSS
Maximum Segment Size (Ethernet)

n

Nagle Algorithm
A TCP algorithm designed to reduce tinygrams by delaying the sending of new data (and continuing to accumulate additional data in the write buffer) until previously sent data has been acknowledged. The algorithm also delays sending ACKs (acknowledgements), trying to piggyback them on a data segment that it will (soon) send out. Nagle's algorithm can cause SSL to perform badly.
NAT
Network Address Translation
NIST
National Institute of Standards and Technology. (Previously known as the National Bureau of Standards [NBS].)
NNTP
Network News Transfer Protocol.
NNTPS
NNTP over SSL.
Nonce
A random number sometimes sent with a certificate during a handshake to discourage replay attacks.
NSA
National Security Agency

o

OCSP
Online Certificate Status Protocol
OID
Object Identifier
OpenSSL
An Open Source library that implements the SSL and TLS protocols.
OSI
Open Standards Interconnect. An effort of the International Telecommunications Union.

p

PCMCIA
Personal Computer Memory Card International Association. Also called PC Card.
PCT
Private Communications Technology. Microsoft's enhancement of SSLv2, published in October 1995.
PEM
Privacy Enhanced Mail
PFS
Perfect Forward Secrecy. Used to describe a condition where, even if a server's private authentication key is known by an attacker, the attacker cannot attack any session already established and shut down.
PFX
A key storage standard designed by Microsoft. Now known as PKCS #12.
PGP
Pretty Good Privacy
PIN
Personal Identification Number
PKC
Public Key Cryptography. The same as asymmetric cryptography, where encryption and decryption use different keys--one of them public, the other private.
PKCS
Public-Key Cryptography Standards. RSA Data Security, Inc.'s attempt to provide an industry standard interface for public-key cryptography.
PKCS7
Public-Key Cryptography Standard #7
PKCS10
Public-Key Cryptography Standard #10
PKI
Public Key Infrastructure
PKIX
Public Key Infrastructure. Part of the name of the IETF Public Key Infrastructure working group.
PPP
Point-to-Point Protocol
Pre-Master Secret
A value computed by the client during the ClientKeyExchange. It is a random value (generated on the client), encrypted under the server's public key, then transmitted to the server.
PRF
Pseudo-Random Function
PRNG
Pseudo-Random Number Generator

q

QOP
Quality of Protection

r

RA
Registration Authority
RC2
Ron's Code 2, or (officially) Rivest Cipher 2. A popular variable-key-size encryption algorithm designed by Ron Rivest for RSA Data Security, Inc.
RC4
Ron's Code 4, Rivest Cipher 4. A symmetric stream cipher (popular because it is very fast).
RC5
Ron's Code 5, Rivest Cipher 5
RDN
Relative Distinguished Name. A sequence of RDNs makes up a DN (distinguished name). Each RDN is an attribute value assertion (AVA).
Realm
In the DIGEST-MD5 authentication mechanism, "the name of a collection of accounts that might include the user's account. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be 'registered_users@gotham.news.example.com'." --RFC 2831
relatively prime
Two numbers are relatively prime if they share no factors other than one. (The two numbers themselves may or may not actually be prime.)
RFC
Request for Comment
RIPEMD-160
RACE Integrity Primitives Evaluation Message Digest 160-bit hash. (RACE = The Research and Development in Advanced Communication Technologies in Europe program.) A 160-bit hash (message digest), not nearly as common as SHA1 (also 160 bits). OpenSSL refers to this algorithm as rmd160.
RMD160
Same as RIPEMD-160
RNG
Random Number Generator
ROT13
Substitution cipher that rotates each letter 13 places.
RSA
Rivest, Shamir and Adleman. The most popular public-key algorithm, invented in 1977 and named after its creators: Ron Rivest, Adi Shamir and Leonard M. Adleman.
RSADSI
RSA Data Security, Inc.

s

SA
Security Association (IPSec)
safe prime
A prime number p with the quality that (p-1)/2 is also prime. Diffie-Hellman's p parameter must be a safe prime. Also known as strong prime.
salt
A public random value included as part of the input to a key derivation function.
SBU
Sensitive But Unclassified
SGC
Server Gated Cryptography. Technique of having servers determine key length (used in the days before cryptographic export deregulation).
SHA
Secure Hash Algorithm. A U.S. standard published by the National Institutes of Sciences and Technology.
SHA-1
Secure Hash Algorithm 1. A U.S. standard published by the National Institutes of Sciences and Technology. A stronger hash algorithm derived from MD4. Has 160-bit output.
S-HTTP
Secure Hypertext Transfer Protocol
SKEME
Secure Key Exchange Mechanism for Internet
Skipjack
Block cipher encryption algorithm developed by the National Security Agency for use with the Clipper and Capstone chips. It is classified "Secret."
S/MIME
Secure/Multipurpose Internet Mail Extensions. Secure Multipurpose Internet Mail Exchange
SMTP
Simple Mail Transfer Protocol
SNEWS
NNTP over SSL
SPI
Security Parameter Index.
SSL
Secure Socket Layer
SSLeay
Secure Socket Layer Eric A. Young (Eric A. Young's Secure Socket Layer). OpenSSL is based on Eric's original SSLeay implementation. The Perl implementation of OpenSSL is Net::SSLeay.
Step-Up
Netscape's implementation of negotiating a strong cipher suite. (Required by the U.S. government before export restrictions were removed.)
STLP
Secure Transport Layer Protocol. Microsoft's modification of SSLv3 (1996). Intended to work over a datagram transport such as UDP.
strong prime
Same as safe prime.
STS
Station-to-Station Protocol
subjectAltName
An X.509 version 3 certificate extension that contains alternate name forms for the subject of the certificate.

t

TCP/IP
Transmission Control Protocol/Internet Protocol
TEK
Total Encryption Key
TEMPEST
Transient Electromagnetic Pulse Emanation Standard
TGS
Ticket Granting Server. A Kerberos server--trusted by every entity on a network--that grants "tickets."
tinygrams
Very small packets
TLS
Transport Layer Security

u

UDP
User Datagram Protocol
UMAC
Message Authentication Code using Universal Hashing. See http://www.cs.ucdavis.edu/~rogaway/umac/.
URI
Uniform Resource Identifier. (Superset of URL)
URL
Uniform Resource Locator. (Subset of URI)
UTC
Universal Time, Coordinated; Coordinated Universal Time. Formerly known as GMT.

v

VPN
Virtual Private Network

w

WTLS
Wireless Transport Layer Security. The Wireless Application Forum's TLS variant (1998) that works over a datagram transport such as UDP.

x

X.509
The most widely accepted format for certificates, first introduced in 1988.
X.509v3
Version 3 of X.509, introduced in 1996. Included support for extensions.
XCBC-MAC
Exclusive OR Cipher Block Chaining Message Authentication Code. Variant of CBC-MAC developed by Black and Rogaway.
XOR-MAC
Exclusive OR Message Authentication Code. A highly parallelizable block cipher "suitable for authenticating traffic on a gigabit network."

Compiled by Weldon Whipple <weldon@whipple.org>. Sources include: