Glossary

Access Control
The process of ensuring that systems are accessed only by those authorized to do so, and only in a manner for which they have been authorized.

Algorithm
An algorithm is a set of rules that specifies a method of carrying out a task (e.g., encryption algorithm).

Archive
To store records and associated journals for a given period of time for security, backup, or auditing purposes.

Audit Logs
Logs in which all significant transactions are recorded. Audit logs are valuable because they record all significant operations.

Authentication
The process of assuring that data has come from its claimed source, or of corroborating the claimed identity of a communicating party. Certificates are used to identify the author of a message or entity, such as a Web server or client. People or applications who receive a certificate can verify the identity of the certificate's owner and the validity of the certificate. This process is known as authentication.

Authorization
Determining whether a subject is trusted for a given purpose.
 
 
Backup
A copy of computer data that is used to recreate data that has been lost, mislaid, corrupted, or erased.

Browser
A client program that is used to look at various kinds of Internet resources.
 
 
Certification Authority (CA)
An entity that issues and manages certificates within a PKI.

CA certificate
A certificate that identifies a CA. When a CA issues a certificate to a client, a server, or other entity, the certificate is signed by the CA's private key. The signature can be verified using the public key in the CA's certificate.

Certificate
A digital identifier linking an entity and a trusted third party able to confirm the entity's identity. It is used to verify the identity of an individual, organization, or Web server, and to ensure non-repudiation in business transactions. Three major kinds of certificates are used in a PKI: CA certificates, server certificates, and end-entity certificates.

Certificate Revocation List (CRL)
An enumeration of certificates that have been revoked by a particular CA. CRLs can be used to check the status of certificates offline.

Certificate Serial Number
A value that unambiguously identifies a certificate generated by a CA.

Certification Authority (CA)
A trusted entity issuing certificates and confirming the identity of, or given facts about, the certificate's subject.

Client (servers)
A machine that retrieves information from a server.

Compromise
A violation (or suspected violation) of a security policy, in which an unauthorized disclosure of, or loss of control over, sensitive information may have occurred (see Data Integrity). The loss of a key through noncryptanalytic means.

Confidentiality
The process of ensuring that data is not disclosed to those not authorized to see it. Also known as secrecy.

Cryptography
The art or science of transforming clear, meaningful information into an enciphered, unintelligible form using an algorithm and a key.

Customer
The customer is any person authorized by a data owner to read, enter, or update that person's data.
 
 
Data Integrity
Measures to prevent unauthorized alteration of data, deciphering, or conversion of ciphertext back into plaintext.

Database
A set of related information created, stored, or manipulated by a computerized management information system.

Decrypt
To decrypt a protected file is to restore it to its original, unprotected state.

Decryption
Decryption is the process of transforming ciphertext back into plaintext. It is the reverse of encryption.

Digital Signature
A data element allowing the recipient of a message or transaction to verify the content and sender.

Directory
Databases that can be used to search for and retrieve attribute-value pairs. Directories can be configured to use (or support) authentication and access control protection. The schema of a directory describes the objects in the directory.

DST
Digital Signature Trust Co. Also refers to computing resources and computer-related facilities specifically assigned by Digital Signature Trust Co. to DST for operations and maintenance.
 
 
Encrypt
To encrypt a file is to render the file completely unreadable. No one can read the file until it is decrypted. Only authorized recipients can decrypt the file. You (the key owner) have full control in determining authorized recipients.

Encryption
A process of disguising information so that an unauthorized person cannot understand it.

End-entity Certificate
A certificate issued to an entity that cannot itself issue certificates (in essence, it is not a CA). Because the entity that requests such a certificate is sometimes referred to as the client, end-entity certificates are sometimes called client certificates.

Entity
A person, computer, organization, or piece of information. In a PKI, an entity may be thought of as anything to which a certificate may be issued.
 
 
Firewall
A combination of hardware and software that separates a LAN into two or more parts for security purposes.

Frequently Asked Questions (FAQ)
FAQs are documents that list and answer the most common questions on a particular subject.
 
 
Generate a Key Pair
A trustworthy process of creating private keys whose corresponding public keys are submitted to the applicable IA during certificate application in a manner that demonstrates the applicant's capacity to use the private key.
 
 
Identification and Authentication (I&A)
A process that identifies and authenticates a person or a business that applied to receive a digital certificate.

Identity Certificate
A certificate that links a public key value to a real world entity such as a person, a computer, or a Web server. Server certificates, CA certificates, and most end-entity certificates are all examples of identity certificates.

Integrity
The element of data protection concerned with ensuring that data cannot be deleted, modified, duplicated, or forged without detection.

Internet
A global public network consisting of millions of interconnected computers all linked together using the Internet protocol.

Issuing
The act of signing a certificate request with the private key of a CA to create a certificate.
 
 
Key
A special number that an encryption algorithm uses to change data, making that data secure.

Key Lifetime
The length of time for which a key is valid. All keys have a specific lifetime except the decryption private key, which never expires. Default key lifetimes are defined by Security Officers as part of an organization's security policy.

Key Management
Administering keys securely so that they are provided to users where and when they are needed. Processes associated with the secure generation, transport, storage, and destruction of encryption keys.

Key Recovery
A key management process associated with the retrieval of a key lost by the keyholder to ensure access to ciphertext created with the key in question.

Key Update
When key pairs are updated, they are replaced with the new key pairs, and new public key certificates are created. The new keys and certificates have no relation to the old keys and certificates.

Key
When used in the context of encryption, a series of numbers which are used by an encryption algorithm to transform plaintext data into encrypted (ciphertext) data, and vice versa.
 
 
Lightweight Directory Access Protocol (LDAP)
The standard Internet protocol for accessing directory systems over a network. LDAP is a "lightweight" (smaller amount of overhead) version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network. Sentry's Secure Directory is an LDAP directory.

Lightweight Directory Applications Protocol
The Internet standard for simple directories for use in messaging and similar applications.
 
 
National Institute of Standards & Technology (NIST)
The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects.

Netscape Communicator
A Web browser, widely recognized and popular.
 
 
Out-of-band
Not in the electronic pipeline; any communication which is not computer-to-computer.

Order Number
A payment mechanism for certificate purchase. See instructions for submitting a purchase order (PO) to request a DST Order Number.
 
 
Password
A sequence of characters which allows users access to a system. Although they are supposed to be unique, experience has shown that most people's choices are highly insecure. People tend to choose short words such as names, which are easy to guess.

Personal Identification Number (PIN)
A sequence of digits used to verify the identity of the holder of a token. It is a kind of password.

Policy
An informal, generally natural language description of desired system behavior. Policies may be defined for particular requirements, such as confidentiality, integrity, availability, safety, etc.

Portal
The place people see when using the Web.

Private Key
The private part of a key pair. With Sentry CA and Sentry RA, private keys are generated on the client whenever a certificate request is made. Private keys must be securely stored to prevent unauthorized access and accidental deletion. In general, information encrypted with a private key can only be decrypted with the corresponding public key. A digital signature involves encrypting messages with a private key and allows anyone with a corresponding public key to decrypt the message to be certain of who sent the message and that it has not been tampered with.

Protocol
A series of steps involving two or more parties designed to accomplish a task.

Public Key
The public and widely distributed part of a key pair. A cryptographic key employed in public key cryptography to encrypt (usually small) amounts of data to the key's owner, or to verify the key owner's signature. A certificate contains information about the certificate subject, the certificate's signer, and a public key value. In general, information encrypted with a public key can only be decrypted with the corresponding private key. It can be published without revealing the owner's corresponding private key.

Public Key Algorithm
An asymmetric algorithm, so designed that the key used for encryption is different from the key used for decryption.

Public Key Cryptography
A form of asymmetric encryption where all parties possess a pair of keys, one private and one public, for use in encryption and digital signing of data.

Public Key Cryptography Standard (PKCS)
A set of commonly applied data cryptography standards developed by RSA Data Security Inc. for making secure information exchange possible. The standards include RSA encryption, password-based encryption, extended certificate syntax, and cryptographic message syntax for S/MIME, RSA's proposed standard for secure e-mail.

Public Key Infrastructure (PKI)
A system for publishing the public key values used in public key cryptography. Also a system used in verifying, enrolling, and certifying users of a security application. All PKIs involve issuing public key certificates to individuals, organizations, and other entities and verifying that these certificates are indeed valid.
 
 
Recovering a User
Recovering means generating a new signing key pair and securely retrieving from the Certification Authority your current encryption public key certificate, decryption private key history, verification public key certificate, and CA verification public key certificate.

Registration Authority (RA)
The part of a PKI involved in verifying and enrolling users. RAs work with a particular CA to vet requests for certificates that will then be issued by the CA.

Repository
A database of certificates and other relevant information accessible online.

Repudiation
The denial or attempted denial by an entity involved in a communication of having participated in all or part of the communication.

Revocation
Revoking a certificate makes the certificate invalid, effectively suspending all of the certificate user's privileges in the PKI. Revocation is necessary if the CA administrator wants to retract the certificate before it expires. Certificates are revoked by marking them as invalid in the Secure Directory. Users of the PKI are notified of a certificate's revoked status during online validation or with CRLs.

Root
The IA that issues the first certificate in a certification chain. The root's public key must be known in advance by a certificate issuer in order to validate a certification chain. The root's public key is made trustworthy by some mechanism other than a certificate, such as by secure physical distribution.

Root CA
The source CA in a certification path. Generally, the Root CA is a self-signed CA that is used to sign the certificates of other CAs. The Root CA may also be referred to as a top-level CA to reflect the CA's position in a hierarchical PKI.

RSA Keys
The encryption keys employed in the RSA cryptography system.
 
 
Schema
A schema describes an object and its attributes in LDAP.

Secure Sockets Layer (SSL)
An encryption standard devised by Netscape Communications for secure communication over the World Wide Web. SSL is a protocol layer created by Netscape to manage the security of message transmissions in a network. The "sockets" part of the term refers to the sockets method of passing data back and forth between client and server programs in a network or between program layers in the same computer. SSL is now in widespread use in all Web browsers. It is about to be superseded by TLS, an open standard developed by the IETF.

Secure/Multipurpose Internet Mail Extensions (S/MIME)
S/MIME is a specification for secure electronic mail and was designed to add security to e-mail messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption).

Security
The quality or state of being protected from unauthorized access or uncontrolled losses or effects. Absolute security is impossible to achieve in practice and the quality of a given security system is relative. Within a state-model security system, security is a specific "state" to be preserved under various operations.

Server
A machine running a service. A Web server provides a Web-based information service to a community of machines. A computer, or a software package, that provides a specific kind of service to client software running on other computers.

Server Certificate
A certificate issued to a server. Servers present their certificates to Web browsers so they can verify (authenticate) the identity of the server. Server certificates are sometimes called SSL certificates.

SHA-1
Secure Hash Algorithm, a hash function originated by the US National Security Agency and National Institute of Standards and Technology.

Signer
A person who creates a digital signature for a message or a signature for a document.

Smart Card
A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and that possesses some inherent resistance to tampering. A plastic card (looks like a credit card) with an embedded computer chip, used most widely in Europe. Many countries use the smart card for pay telephones. There are also smart credit cards and smart cash cards.

SSL Server Authentication
The process whereby a client application authenticates a server by verifying the certificate chain presented by the server during SSL operations.

Subscriber Agreement
The agreement executed between a subscriber and a CA for the provision of designated public certification services in accordance with this CPS.

Test Certificate
A certificate issued by a CA for the limited purpose of internal technical testing. Test certificates may be used by authorized persons only.
 
 
Time Stamp
A notation that indicates (at least) the correct date and time of an action and the identity of the person or device that sent or received the time stamp.

Token
A physical object, often containing sophisticated electronics, which is required to gain access to a system. Some tokens contain a microprocessor, and are called intelligent tokens, or smart cards.

Trust
A person or system in which confidence or faith is placed.

Trusted Third Party
Someone other than the principals who are involved in a transaction.

Type of Certificate
The defining properties of a certificate, which limit its intended purpose to a class of applications uniquely associated with that type.
 
 
Uniform Resource Locator (URL)
A URL is used to specify the location and name of a World Wide Web document, for example, http://www.trustdst.com. Previously called Universal Resource Locator.

Universal Resource Locator (URL)
Same as Uniform Resource Locator.

User
Any person utilizing resources provided and maintained by Digital Signature Trust Co. (DST). An authorized entity that uses a certificate.

User Authentication
Determining that a user truly is authentic.
 
 
Validation
The process of verifying that a certificate is still valid. Validation can occur online or through the use of CRLs.
 
 
World Wide Web
The whole constellation of resources that can be accessed using Gopher, FTP, HTTP, telnet, USENET, WAIS and some other tools. A hypertext-based, distributed information system in which users may create, edit, or browse hypertext documents. A graphical document publishing and retrieval medium. A collection of linked documents that reside on the Internet.
 
 
X.509
The ITU (International Telecommunications Union) standard for certificates. X.509 v3 refers to certificates containing or capable of containing extensions. Also an International Standards Organization (ISO) standard that describes a basic electronic format for digital certificates.

X.509 v3 Certificate Extension
The PKI suites used by DST support X.509 v3 certificate extensions including extensions for PKIX, SET, and SSL. These extensions conform to the X.509 standard and specify additional constraints or capabilities on the certificate subject.