Virginia Tech Certification Authority


ASN.1: Abstract Syntax Notation. An abstract notation for structuring complex data objects.

Activation Data: Private data, other than keys, that are required to access cryptographic modules (i.e., unlock private keys for signing or decryption events).

Algorithm: An algorithm is a mathematical function that is used to encrypt and decrypt information.

Applicant: The subscriber is sometimes also called an "applicant" after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.

Arc: An arc is an individual subtree of an Object Identifier (OID) tree.

Archive: Long-term, physically separate storage.

Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Data: Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

Authenticate: To confirm the identity of an entity when that identity is presented.

Authentication: Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Authorization: The granting of rights, including the ability to access specific information or resources.

Authority Certificate: A public key certificate that contains the distinguished name of the CA in the SubjectName field and contains the value TRUE in the BasicConstraints CA field and in which the KeyUsage keyCertSign bit is set. The cRLSign bit should also be set.
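The check implied by this definition, written out as an added Go example (not code from the VTCA or this glossary): it builds two constructed, self-signed test certificates in memory and reports whether each meets the authority-certificate criteria above (BasicConstraints CA=TRUE plus keyCertSign, with cRLSign reported separately since it is only recommended). The certificate names and the helper function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IsAuthorityCertificate applies the glossary definition: BasicConstraints
// present with CA=TRUE and the keyCertSign KeyUsage bit set. cRLSign is
// returned separately because the definition only says it "should" be set.
func IsAuthorityCertificate(cert *x509.Certificate) (isAuthority bool, crlSign bool) {
	isAuthority = cert.BasicConstraintsValid && cert.IsCA && cert.KeyUsage&x509.KeyUsageCertSign != 0
	crlSign = cert.KeyUsage&x509.KeyUsageCRLSign != 0
	return isAuthority, crlSign
}

// makeSelfSigned builds a constructed, in-memory, self-signed test
// certificate (not a real VTCA certificate) with the given CA flag and
// key usage, then parses it back so the extensions are read from DER.
func makeSelfSigned(cn string, isCA bool, usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the BasicConstraints extension
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, _ := makeSelfSigned("Example CA", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	leaf, _ := makeSelfSigned("www.example.invalid", false, x509.KeyUsageDigitalSignature)
	for _, c := range []*x509.Certificate{ca, leaf} {
		isAuth, crl := IsAuthorityCertificate(c)
		fmt.Printf("%-20s authority=%v cRLSign=%v\n", c.Subject.CommonName, isAuth, crl)
	}
}
```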

Authorized CA: A CA for which another CA signs an authority certificate in accordance with a certificate policy.

Backup: Copy of files and programs made to facilitate recovery if necessary.

Binding: Process of associating two related elements of information.

Certificate Policy (CP): The CP is the administrative policy for certificate management. A CP addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a CP can also govern the transactions conducted using a communications system protected by a certificate-based system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provisions of the security services required by a particular application.

Certificate: A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. As used in this CP, the term "Certificate" refers to certificates that expressly reference the OID of this CP in the "Certificate Practices Statement" (CPS) referenced in the CPS URI field of an X.509 v.3 certificate.

Certification Authority (CA): A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate. See: SSL/TLS Encryption.

Certificate Practices Statement (CPS): A CPS is an internal statement of practices that a CA employs in issuing certificates. A CPS is expected to be a detailed and comprehensive technical and procedural document regarding the operation of the supporting infrastructure.

Certificate Revocation List (CRL): The CRL is the CA's listing of invalid certificates. Revocation can occur due to time lapse, employment change, theft of a private key, or other reasons.

Certificate Signing Request (CSR): An unsigned certificate for submission to a Certification Authority, which signs it with the Private Key of their CA Certificate. Once the CSR is signed, it becomes a real certificate.

Ciphertext: Ciphertext is information that has been encrypted into seemingly meaningless code.

Cross Certification: The process undertaken by Certification Authorities to establish a trust relationship. When two Certification Authorities are cross-certified, they agree to trust and rely upon each other's public key certificates and keys as if they had issued them themselves. The two Certification Authorities exchange cross-certificates, enabling their respective users to interact securely.

Cryptographic Module: The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.

CRL Distribution Point: An online and publicly accessible point where Certificate Revocation Lists are kept. It could house the entire list or only a subset of the revoked certificates.

Cryptoperiod: Time span during which each key setting remains in effect. [NS4009]

Data Integrity: Assurance that the data are unchanged from creation to reception.

Distinguished Encoding Rules (DER): Rules for encoding ASN.1 objects which give a consistent encoding for each ASN.1 value using a binary format. Microsoft Internet Explorer understands certificates downloaded in this format.

Data Encryption Standard (DES): Government standard using a single (symmetric) key.

Digital Certificate: A Digital Certificate is a digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.

Digital Signature: A digital signature is like a paper signature, but it is electronic. A digital signature cannot be forged. A digital signature provides verification to the recipient that the file came from the person who sent it, and it has not been altered since it was signed. The result of a transformation of a message by means of a cryptographic system using keys such that a Relying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer's digital certificate; and (2) whether the message has been altered since the transformation was made.

Digital Signature Algorithm (DSA): Encryption algorithm proposed by NIST employed in the Digital Signature Standard (DSS). Uses SHA-1 hashing algorithm.

Digital Signature Standard (DSS): Standard proposed by NIST for all Federal departments and agencies for the protection of unclassified information. Uses a public-key to verify to a recipient the integrity of data and identity of the sender of the data.

Dual Use Certificate: A certificate that is intended for use with both digital signature and data encryption services.

Encryption: Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended recipient from reading that data. There are many types of data encryption, and they are the basis of network security. Common types include Data Encryption Standard and public-key encryption.

Encryption Certificate: A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.

Firewall: Gateway that limits access between networks in accordance with local security policy. [NS4009]

Integrity: Protection against unauthorized modification or destruction of information. [NS4009]. A state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination.

Key Escrow: A deposit of the private key of a subscriber and other pertinent information pursuant to an escrow agreement or similar contract binding upon the subscriber, the terms of which require one or more agents to hold the subscriber's private key for the benefit of the subscriber, an employer, or other party, upon provisions set forth in the agreement [adapted from ABADSG, "Commercial key escrow service"].

Key Exchange: The process of exchanging public keys in order to establish secure communications.

Key Generation Material: Random numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.

Key Pair: Two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (2) even knowing one key, it is computationally infeasible to discover the other key.

Lightweight Directory Access Protocol (LDAP): It is a protocol for accessing information directories such as organizations, individuals, phone numbers, and addresses. It is based on the X.500 directory protocols, but it is simpler, and unlike X.500, it supports TCP/IP for Internet usage. The standards are specified in RFC 1777.

Message Digest 5 (MD5): Hashing technique that creates 128-bit message digest.

Non-Repudiation: Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data. Technical non-repudiation refers to the assurance a Relying Party has that if a public key is used to validate a digital signature, that signature had to have been made by the corresponding private signature key. Legal non-repudiation refers to how well possession or control of the private signature key can be established.

Object Identifier (OID): A unique specially formatted number that is composed of a most significant part assigned by an internationally recognized standards organization to a specific owner and a least significant part assigned by the owner of the most significant part. For example, the unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the Higher Education PKI they are used to uniquely identify policies and cryptographic algorithms and possibly other elements contained in a PKC.

Public-Key Cryptography Standards (PKCS): A series of cryptographic standards dealing with public-key issues, published by RSA Laboratories.

PKCS #1: RSA public key cryptography standard which defines a method of encrypting and signing data using RSA's public key cryptosystem. Describes a syntax identical to the syntax in X.509 and PEM for RSA public and private keys, and three signature algorithms for signing certificates and the like.

PKCS #3: RSA public key cryptography standard which describes a method for implementing Diffie-Hellman key exchange.

PKCS #5: RSA public key cryptography standard which describes a method for encrypting messages with a secret key derived from a password. The method is intended primarily to encrypt private keys when transferring them between systems but can be used to encrypt messages.

PKCS #6: RSA public key cryptography standard which describes a standard syntax for public key certificates beyond the X.509 standard. The syntax is a superset of the X.509 certificate with additional attributes extending the certificate process beyond just the public key to include other information such as electronic mail address.

PKCS #7: RSA public key cryptography standard which describes a standard syntax for data, compatible with PEM, that may be encrypted or signed, such as digital envelopes or digital signatures. Allows other attributes, such as timestamp, to be authenticated along with the message content. The syntax is recursive so that envelopes can be nested, or someone can sign some previously encrypted data.

PKCS #8: RSA public key cryptography standard which describes syntax for private key information (including a private key and a set of attributes) and syntax for encrypted private keys. PKCS #5 can be used to encrypt the private key information.

PKCS #9: RSA public key cryptography standard which defines selected attribute types for PKCS #6 extended certificates, PKCS #7 digitally signed messages, and PKCS #8 private-key information.

PKCS #10: Public key standard which defines syntax for issuing server certificate requests.

PKCS #11: Public key standard which defines communication methods with cryptographic devices such as smart cards.

PKCS #12: RSA "standard" that describes the syntax for storing in software a user's public keys, protected private keys, certificates, and other related cryptographic information. The goal is to standardize on a single key file for use among a variety of applications.

Private Key: A Private Key is (1) the key of a signature key pair used to create a digital signature or (2) the key of an encryption key pair used to decrypt confidential information. In both cases, this key must be kept secret.

Public Key: A Public Key is (1) the key of a signature key pair used to validate a digital signature or (2) the key of an encryption key pair used to encrypt confidential information. In both cases, this key is made publicly available.

Public Key Infrastructure (PKI): PKI is a set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Registration Authority (RA): The RA is responsible for the identification and authentication of certificate Subscribers before issuing certificates, but does not sign or issue the certificates.

Relying Party: The Relying Party is a person or agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. The Relying Party relies on the validity of the binding of the Subscriber's name to a public key. The Relying Party is responsible for deciding whether or how to check the validity of the certificate by checking the appropriate certificate status information. The Relying Party can use the certificate to verify the integrity of a digitally-signed message to identify the creator of the message, or to establish confidential communications with the holder of the certificate. A Relying Party may use information in the certificate to determine the suitability of the certificate for a particular use. The Relying Party is the owner of the application.

Smartcard: A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.

Secure Multi-purpose Internet Mail Extensions (S/MIME): A specification for secure electronic mail designed to add security to email messages in MIME format via authentication (using digital signatures) and privacy (using encryption). See S/MIME FAQ.

Subordinate CA: In a hierarchical PKI, a CA whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA. (See superior CA).

Subscriber: A Subscriber is a Person that (1) either (a) is the Subject named or identified in a certificate issued to that Person or (b) is the owner or operator of an entity that is the Subject named or identified in a certificate issued to that Person, and (2) holds a private key that corresponds to the public key listed in the certificate.

Superior CA: In a hierarchical PKI, a CA who has certified the certificate signature key of another CA, and who constrains the activities of that CA. (See subordinate CA).

Secure Socket Layer (SSL): A security protocol that prevents eavesdropping, tampering, or message forgery with HTTP transmissions, based on server-side public/private key pairs, and provides support for client-side public/private key usage. See SSL FAQ.

Trust List: Collection of trusted certificates used by Relying Parties to authenticate other certificates.

User Certificate: A user certificate is a user's Public Key, which has been signed by (encrypted using the private key of) a Certificate Authority. This allows the user to give out his Public Key to others, and allows those others to trust that it is, in fact, the user's correct Public Key. A popular format for certificates is X.509.

Virginia Tech Certification Authority (VTCA): The Virginia Tech Certification Authority is a service at Virginia Tech that is responsible for issuing and managing digital certificates and public keys for Virginia Tech affiliated entities. The VTCA is the core of the Virginia Tech Public Key Infrastructure (PKI). The VTCA guarantees the identity and the authenticity of the entities it issues digital certificates to by using approved policies and procedures outlined in the Virginia Tech Certification Policy (CP) document. VTCA is often used to refer to any one of the CAs that comprise the VTPKI.

Virginia Tech Public Key Infrastructure (VTPKI): VTPKI refers to the Virginia Tech Root CA and all of the Subordinate CAs within the PKI hierarchy.

Web Server Certificate: Web server certificates are digital credentials that reside on a server and set up a secure connection between that server and a client or another server. This secure connection is called a Secure Sockets Layer (SSL) session.

X.500: An overall model for distributed directory services. The model encompasses the overall namespace and the protocol for querying and updating it. The protocol is known as DAP (Directory Access Protocol).

X.509: The X.500 directory service standard relevant to public key infrastructures describing two authentication methods: simple authentication based on password usage and strong authentication based on public key cryptography. Version 3 added certificate extensions to the X.509 standard.

RSA Labs FAQs on Cryptography


Last updated December 16, 2013