Access Control
The process of ensuring that systems are accessed only by those authorized to do so, and only in the manner for which they have been authorized.

Algorithm
A set of rules that specifies a method of carrying out a task (for example, an encryption algorithm).

Archive
To store records and their associated journals for a given period of time for security, backup, or auditing purposes.

Audit Logs
Records of all significant transactions and operations performed on a system. Audit logs are valuable because they provide an account of who did what, and when; that account is only as trustworthy as the protection of the logs themselves against alteration by the parties whose actions they record.

Authentication
The process of assuring that data has come from its claimed source, or of corroborating the claimed identity of a communicating party. In a PKI, certificates identify the author of a message or an entity such as a Web server or client. A person or application that receives a certificate can verify the identity of the certificate's owner and the validity of the certificate; this process is known as authentication.

Authorization
Determining whether a subject is trusted for a given purpose. Authorization presupposes authentication but is distinct from it: knowing who a subject is does not by itself establish what the subject may do.
Backup
A copy of computer data that is used to recreate data that has been lost, mislaid, corrupted, or erased.

Browser
A client program used to view various kinds of Internet resources.
CA Certificate
A certificate that identifies a CA. When a CA issues a certificate to a client, a server, or other entity, the certificate is signed by the CA's private key. The signature can be verified using the public key in the CA's certificate.

Certificate
A digitally signed data structure that binds a public key to an entity, issued by a trusted third party (a CA) that has confirmed the entity's identity. It is used to verify the identity of an individual, organization, or Web server, and to support non-repudiation in business transactions. Three major kinds of certificates are used in a PKI: CA certificates, server certificates, and end-entity certificates.

Certificate Revocation List (CRL)
A list, signed by a particular CA, of the certificates that CA has revoked, identified by serial number. CRLs can be used to check the status of certificates offline. Because a CRL is a snapshot, it carries an issue time and a next-update time; a relying party should verify the CA's signature on the list and should not rely on a list that is past its next-update time.

Certificate Serial Number
A value, unique among the certificates issued by a given CA, that unambiguously identifies a certificate. CRLs refer to revoked certificates by serial number.

Certification Authority (CA)
A trusted entity that issues and manages certificates within a PKI, confirming the identity of, or given facts about, each certificate's subject before issuing.

Client
A machine or program that retrieves information from a server.

Compromise
A violation (or suspected violation) of a security policy, in which an unauthorized disclosure of, or loss of control over, sensitive information may have occurred (see Data Integrity). Of a key: its loss through noncryptanalytic means, such as theft or accidental disclosure of the private key.

Confidentiality
The process of ensuring that data is not disclosed to those not authorized to see it. Also known as secrecy.

Cryptography
The art or science of transforming clear, meaningful information into an enciphered, unintelligible form using an algorithm and a key.

Customer
Any person authorized by a data owner to read, enter, or update that owner's data.
Data Integrity
Measures to prevent, or at least detect, unauthorized alteration of data. (Protecting ciphertext against unauthorized decryption is a matter of confidentiality, not integrity.)

Database
A set of related information created, stored, or manipulated by a computerized management information system.

Decrypt
To decrypt a protected file is to restore it to its original, unprotected state.

Decryption
The process of transforming ciphertext back into plaintext. It is the reverse of encryption.

Digital Signature
A value computed over a message or transaction with the signer's private key. It allows any recipient holding the corresponding public key to verify both who signed the content and that the content has not been altered since it was signed.

Directory
A database that can be searched to retrieve attribute-value pairs. Directories can be configured to use (or support) authentication and access control protection. The schema of a directory describes the objects in the directory.

DST
Digital Signature Trust Co. Also refers to the computing resources and computer-related facilities that Digital Signature Trust Co. has specifically assigned to its operations and maintenance.
Encrypt
To encrypt a file is to transform it so that it cannot be read by anyone who does not hold the corresponding decryption key. Only the intended recipients can decrypt the file, and the sender controls who those recipients are by choosing the keys the file is encrypted to.

Encryption
A process of disguising information so that an unauthorized person cannot understand it.

End-entity Certificate
A certificate issued to an entity that cannot itself issue certificates (that is, an entity that is not a CA). Because the entity that requests such a certificate is sometimes referred to as the client, end-entity certificates are sometimes called client certificates.

Entity
A person, computer, organization, or piece of information. In a PKI, an entity may be thought of as anything to which a certificate may be issued.
Firewall
A combination of hardware and software that separates a network into two or more parts and controls which traffic may pass between them, for security purposes.

Frequently Asked Questions (FAQ)
Documents that list and answer the most common questions on a particular subject.
Generate a Key Pair
A trustworthy process of creating a private key whose corresponding public key is submitted to the applicable issuing authority (IA) during certificate application, in a manner that demonstrates the applicant's possession of the private key. In practice the applicant signs the certificate request with the new private key, and the IA verifies that signature against the public key contained in the request before acting on it.
Identification and Authentication (I&A)
A process that identifies and authenticates a person or a business that has applied to receive a digital certificate.

Identity Certificate
A certificate that links a public key value to a real-world entity such as a person, a computer, or a Web server. Server certificates, CA certificates, and most end-entity certificates are all examples of identity certificates.

Integrity
The element of data protection concerned with ensuring that data cannot be deleted, modified, duplicated, or forged without detection.

Internet
A global public network consisting of millions of interconnected computers, all linked together using the Internet protocol.

Issuing
The act of signing a certificate request with the private key of a CA to create a certificate.
Key
A series of numbers used by an encryption algorithm to transform plaintext data into encrypted (ciphertext) data, and vice versa. The security of the data rests on the secrecy of the key, not on the secrecy of the algorithm.

Key Lifetime
The length of time for which a key is valid. In the PKI described here, all keys have a specific lifetime except the decryption private key, which never expires, so that data encrypted under earlier keys remains recoverable (see Key Recovery). Default key lifetimes are defined by Security Officers as part of an organization's security policy.

Key Management
Administering keys securely so that they are provided to users where and when they are needed. The processes associated with the secure generation, transport, storage, and destruction of encryption keys.

Key Recovery
A key management process for retrieving a key lost by the keyholder, to ensure continued access to ciphertext created with the key in question.

Key Update
Replacing a key pair with a new key pair and creating new public key certificates for it. The new keys and certificates have no relation to the old keys and certificates.
Lightweight Directory Access Protocol (LDAP)
The standard Internet protocol for accessing directory systems over a network. LDAP is a "lightweight" (lower-overhead) version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network. It is also the Internet standard for the simple directories used in messaging and similar applications. Sentry's Secure Directory is an LDAP directory.
National Institute of Standards & Technology (NIST)
The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects.

Netscape Communicator
A widely used Web browser from Netscape Communications.
Order Number
A payment mechanism for certificate purchase. See the instructions for submitting a purchase order (PO) to request a DST Order Number.

Out-of-band
Not in the electronic pipeline; any communication that is not computer-to-computer. Distributing a root CA's public key by some means other than the network it will later be used to secure is the classic example.
Password
A sequence of characters that allows a user access to a system. Although passwords are supposed to be hard to guess, experience has shown that most people's choices are highly insecure: people tend to choose short words such as names, which are easy to guess.

Personal Identification Number (PIN)
A sequence of digits used to verify the identity of the holder of a token. It is a kind of password.

Policy
An informal, generally natural-language description of desired system behavior. Policies may be defined for particular requirements, such as confidentiality, integrity, availability, safety, and so on.

Portal
A Web site that serves as a starting point from which people reach other resources on the Web.

Private Key
The private part of a key pair. With Sentry CA and Sentry RA, private keys are generated on the client whenever a certificate request is made. Private keys must be securely stored to prevent unauthorized access and accidental deletion. In general, information encrypted with a public key can only be decrypted with the corresponding private key. A digital signature is computed over a message (in practice, over a hash of it) with the private key; anyone holding the corresponding public key can verify the signature and so be certain of who signed the message and that it has not been tampered with. Signing does not conceal the message: a signed message is still readable by anyone.

Protocol
A series of steps involving two or more parties, designed to accomplish a task.

Public Key
The public and widely distributed part of a key pair. A cryptographic key employed in public key cryptography to encrypt (usually small) amounts of data to the key's owner, or to verify the key owner's signature. A certificate contains information about the certificate subject, the certificate's signer, and a public key value. In general, information encrypted with a public key can only be decrypted with the corresponding private key. A public key can be published without revealing the owner's corresponding private key.

Public Key Algorithm
An asymmetric algorithm, designed so that the key used for encryption is different from the key used for decryption.

Public Key Cryptography
A form of asymmetric encryption in which each party possesses a pair of keys, one private and one public, for use in encryption and digital signing of data.

Public Key Cryptography Standard (PKCS)
A set of commonly applied cryptography standards developed by RSA Data Security Inc. to make secure information exchange possible. The standards include RSA encryption, password-based encryption, extended certificate syntax, and cryptographic message syntax for S/MIME, RSA's proposed standard for secure e-mail.

Public Key Infrastructure (PKI)
A system for publishing the public key values used in public key cryptography. Also a system used in verifying, enrolling, and certifying users of a security application. All PKIs involve issuing public key certificates to individuals, organizations, and other entities, and verifying that these certificates are indeed valid.
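The signing and verification relationship described under Digital Signature, Private Key and Public Key, as an added example (written for this page; not code from the original glossary or from DST): an ECDSA signature over the SHA-256 digest of a message is produced with the private key and checked with nothing but the public key, and a changed message, or a signature checked against some other party's public key, fails verification. The message text and the two parties are constructed for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sign hashes msg with SHA-256 and signs the digest with the private key.
// Only the key holder can produce the signature; the message itself is not
// hidden by it and travels in the clear alongside the signature.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify recomputes the digest and checks sig using the public key alone.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo reports three outcomes: the genuine message verifies under the
// signer's public key, an altered message does not, and neither does the
// genuine message under a different party's public key.
func demo() (genuine, tampered, wrongKey bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := sign(signer, msg)
	if err != nil {
		return
	}
	genuine = verify(&signer.PublicKey, msg, sig)
	tampered = verify(&signer.PublicKey, []byte("transfer 900 to account 42"), sig)
	wrongKey = verify(&other.PublicKey, msg, sig)
	return
}

func main() {
	genuine, tampered, wrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\ntampered verifies: %v\nwrong key verifies: %v\n",
		genuine, tampered, wrongKey)
}
```

Note what the verifier needs: the message, the signature, and a public key it already trusts to belong to the signer. Binding that public key to the signer's identity is exactly the job a certificate does; the signature alone proves only that whoever holds the matching private key signed these bytes.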
Recovering a User
Generating a new signing key pair and securely retrieving from the Certification Authority your current encryption public key certificate, decryption private key history, verification public key certificate, and CA verification public key certificate.

Registration Authority (RA)
The part of a PKI involved in verifying and enrolling users. RAs work with a particular CA to vet requests for certificates that will then be issued by the CA.

Repository
A database of certificates and other relevant information, accessible online.

Repudiation
The denial, or attempted denial, by an entity involved in a communication of having participated in all or part of the communication.

Revocation
Revoking a certificate makes the certificate invalid, effectively suspending all of the certificate user's privileges in the PKI. Revocation is necessary when the CA administrator wants to retract the certificate before it expires, for example because the private key has been compromised. Certificates are revoked by marking them as invalid in the Secure Directory. Users of the PKI learn of a certificate's revoked status during online validation or from CRLs; a relying party that does neither will continue to accept a revoked certificate until it expires.

Root
The IA that issues the first certificate in a certification chain. The root's public key must be known in advance by the party validating a certification chain. It is made trustworthy by some mechanism other than a certificate, such as secure physical distribution.

Root CA
The CA at the start of a certification path. Generally, the Root CA is a self-signed CA that is used to sign the certificates of other CAs. The Root CA may also be referred to as a top-level CA to reflect the CA's position in a hierarchical PKI.

RSA Keys
The keys employed in the RSA cryptosystem.
Schema
A description of an object and its attributes in LDAP.

Secure Sockets Layer (SSL)
A protocol devised by Netscape Communications for secure communication over the World Wide Web. SSL is a protocol layer that manages the security of message transmissions in a network. The "sockets" part of the term refers to the sockets method of passing data back and forth between client and server programs in a network, or between program layers in the same computer. SSL was supported by all Web browsers; it has since been superseded by TLS, an open standard developed by the IETF, and the SSL protocol versions themselves are now obsolete.

Secure/Multipurpose Internet Mail Extensions (S/MIME)
A specification for secure electronic mail, designed to add security to e-mail messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption).

Security
The quality or state of being protected from unauthorized access or uncontrolled losses or effects. Absolute security is impossible to achieve in practice, and the quality of a given security system is relative. Within a state-model security system, security is a specific "state" to be preserved under various operations.

Server
A machine running a service; more generally, a computer or a software package that provides a specific kind of service to client software running on other computers. A Web server provides a Web-based information service to a community of machines.

Server Certificate
A certificate issued to a server. Servers present their certificates to Web browsers so that the browsers can verify (authenticate) the identity of the server. Server certificates are sometimes called SSL certificates.

SHA-1
Secure Hash Algorithm, a hash function originated by the US National Security Agency and the National Institute of Standards and Technology. SHA-1 is no longer considered collision-resistant and should not be used for new digital signatures; its successors in the SHA-2 family (such as SHA-256) are used instead.

Signer
A person who creates a digital signature for a message or a signature for a document.

Smart Card
A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and that possesses some inherent resistance to tampering. A plastic card (it looks like a credit card) with an embedded computer chip, used most widely in Europe. Many countries use smart cards for pay telephones. There are also smart credit cards and smart cash cards.

SSL Server Authentication
The process whereby a client application authenticates a server by verifying the certificate chain presented by the server during SSL operations: that the chain leads to a root the client trusts, that each certificate is within its validity period and has not been revoked, and that the name in the server's certificate matches the server the client intended to reach.

Subscriber Agreement
The agreement executed between a subscriber and a CA for the provision of designated public certification services in accordance with this CPS.

Test Certificate
A certificate issued by a CA for the limited purpose of internal technical testing. Test certificates may be used by authorized persons only.
Time Stamp
A notation that indicates (at least) the correct date and time of an action, and the identity of the person or device that sent or received the time stamp.

Token
A physical object, often containing sophisticated electronics, that is required to gain access to a system. Some tokens contain a microprocessor and are called intelligent tokens, or smart cards.

Trust
A person or system in which confidence or faith is placed.

Trusted Third Party
Someone other than the principals involved in a transaction, in whom those principals place their trust.

Type of Certificate
The defining properties of a certificate, which limit its intended purpose to a class of applications uniquely associated with that type.
Uniform Resource Locator (URL)
A URL is used to specify the location and name of a World Wide Web document, for example, http://www.trustdst.com. Previously called Universal Resource Locator.

Universal Resource Locator (URL)
Same as Uniform Resource Locator.

User
Any person utilizing resources provided and maintained by Digital Signature Trust Co. (DST); an authorized entity that uses a certificate.

User Authentication
Determining that a user truly is who they claim to be.
Validation
The process of verifying that a certificate is still valid: that it is within its validity period, that its signature chains to a trusted root, and that it has not been revoked. Revocation status can be checked online or through the use of CRLs.
World Wide Web
The whole constellation of resources that can be accessed using Gopher, FTP, HTTP, telnet, USENET, WAIS, and some other tools. A hypertext-based, distributed information system in which users may create, edit, or browse hypertext documents; a graphical document publishing and retrieval medium; a collection of linked documents that reside on the Internet.
X.509
The ITU (International Telecommunications Union) standard for certificates. X.509 v3 refers to certificates containing, or capable of containing, extensions. Also an International Standards Organization (ISO) standard that describes a basic electronic format for digital certificates.

X.509 v3 Certificate Extension
The PKI suites used by DST support X.509 v3 certificate extensions, including extensions for PKIX, SET, and SSL. These extensions conform to the X.509 standard and specify additional constraints or capabilities for the certificate subject (for example, whether the subject may act as a CA, which uses its key is approved for, or which host names the certificate covers).
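The entries Certificate, Certification Authority, Certificate Revocation List, Certificate Serial Number, Issuing, Root CA, Revocation, SSL Server Authentication, Validation, and X.509 v3 Certificate Extension describe one life cycle. The following Go program, an added example that is not part of the glossary or of DST's software, walks through it end to end: a self-signed root is created with the basicConstraints and keyUsage extensions a CA needs, it issues a server certificate carrying subjectAltName and extendedKeyUsage, a relying party validates that certificate for a host name against its trust anchor, and a CRL signed by the CA is consulted so that, once the certificate's serial number is listed, validation fails. It uses only Go's standard library and assumes Go 1.19 or newer (for x509.ParseRevocationList); the CA and host names, serial numbers, validity periods, and the four checks in runChecks are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair for tmpl and has parent sign the certificate with
// parentKey; with parent == nil it is self-signed, which is how a root is made.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issueCRL publishes the CA's revoked entries, signed with the CA key and
// good until NextUpdate; a relying party must not trust it after that.
func issueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked []pkix.RevokedCertificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// validate is the relying party's side (SSL server authentication): chain to a
// trusted root, check validity period, usage and host name, then consult a CRL
// signed by the issuer found in the verified chain and not past NextUpdate.
func validate(leaf *x509.Certificate, roots *x509.CertPool, host string, crlDER []byte) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected (bad signature or past NextUpdate %s): %v", crl.NextUpdate, err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

// runChecks: a good chain must pass; wrong host, no trust anchor and a revoked serial must fail.
func runChecks() map[string]bool {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, // basicConstraints: subject is a CA
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // keyUsage: may sign certs and CRLs
	}, nil, nil)
	must(err)
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, // subjectAltName: the host this certificate covers
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	must(err)
	clean, err := issueCRL(ca, caKey, nil)
	must(err)
	revoking, err := issueCRL(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}})
	must(err)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return map[string]bool{
		"good chain accepted":      validate(leaf, trusted, "www.example.test", clean) == nil,
		"wrong host rejected":      validate(leaf, trusted, "evil.example.test", clean) != nil,
		"no trust anchor rejected": validate(leaf, x509.NewCertPool(), "www.example.test", clean) != nil,
		"revoked cert rejected":    validate(leaf, trusted, "www.example.test", revoking) != nil,
	}
}

func main() {
	fmt.Println(runChecks())
}
```

Two design points worth noting. validate takes the CRL issuer from the chain it has just verified rather than from an untrusted parameter, so a CRL signed by anyone other than the certificate's actual CA is rejected; and it refuses a list past its NextUpdate, which is what stops an attacker from replaying an old, clean CRL issued before the revocation. A real client would fetch the CRL from the distribution point named in the certificate and cache it only until that time.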