Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Authentication: Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
Authority Certificate: A public key certificate that contains the distinguished name of the CA in the SubjectName field and contains the value TRUE in the BasicConstraints CA field and in which the KeyUsage keyCertSign bit is set. The cRLSign bit should be set also.
Certificate Policy (CP): The CP is the administrative policy for certificate management. A CP addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a CP can also govern the transactions conducted using a communications system protected by a certificate-based system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provisions of the security services required by a particular application.
Certificate: A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. As used in this CP, the term "Certificate" refers to certificates that expressly reference the OID of this CP in the "Certificate Practices Statement" (CPS) referenced in the CPS URI field of an X.509 v.3 certificate.
Certification Authority (CA): A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate. See: SSL/TLS Encryption.
Certificate Practices Statement (CPS): A CPS is an internal statement of practices that a CA employs in issuing certificates. A CPS is expected to be a detailed and comprehensive technical and procedural document regarding the operation of the supporting infrastructure.
Certificate Signing Request (CSR): An unsigned certificate for submission to a Certification Authority, which signs it with the Private Key of their CA Certificate. Once the CSR is signed, it becomes a real certificate.
Cross Certification: The process undertaken by Certification Authorities to establish a trust relationship. When two Certification Authorities are cross-certified, they agree to trust and rely upon each other's public key certificates and keys as if they had issued them themselves. The two Certification Authorities exchange cross-certificates, enabling their respective users to interact securely.
Cryptographic Module: The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.
Distinguished Encoding Rules (DER): Rules for encoding ASN.1 objects which give a consistent encoding for each ASN.1 value using a binary format. Microsoft Internet Explorer understands certificates downloaded in this format.
Digital Certificate: A Digital Certificate is a digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.
Digital Signature: A digital signature is like a paper signature, but it is electronic. A digital signature cannot be forged. A digital signature provides verification to the recipient that the file came from the person who sent it, and it has not been altered since it was signed. The result of a transformation of a message by means of a cryptographic system using keys such that a Relying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer's digital certificate; and (2) whether the message has been altered since the transformation was made.
Digital Signature Standard (DSS): Standard proposed by NIST for all Federal departments and agencies for the protection of unclassified information. Uses a public key to verify to a recipient the integrity of data and the identity of the sender of the data.
Encryption: Any procedure used in cryptography to convert plaintext into ciphertext in order to prevent anyone except the intended recipient from reading that data. There are many types of data encryption, and they are the basis of network security. Common types include Data Encryption Standard and public-key encryption.
Encryption Certificate: A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.
Integrity: Protection against unauthorized modification or destruction of information. [NS4009]. A state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination.
Key Escrow: A deposit of the private key of a subscriber and other pertinent information pursuant to an escrow agreement or similar contract binding upon the subscriber, the terms of which require one or more agents to hold the subscriber's private key for the benefit of the subscriber, an employer, or other party, upon provisions set forth in the agreement [adapted from ABADSG, "Commercial key escrow service"].
Key Pair: Two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (2) even knowing one key, it is computationally infeasible to discover the other key.
Lightweight Directory Access Protocol (LDAP): It is a protocol for accessing information directories such as organizations, individuals, phone numbers, and addresses. It is based on the X.500 directory protocols, but it is simpler, and unlike X.500, it supports TCP/IP for Internet usage. The standards are specified in RFC 1777.
Non-Repudiation: Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data. Technical non-repudiation refers to the assurance a Relying Party has that if a public key is used to validate a digital signature, that signature had to have been made by the corresponding private signature key. Legal non-repudiation refers to how well possession or control of the private signature key can be established.
Object Identifier (OID): A unique specially formatted number that is composed of a most significant part assigned by an internationally recognized standards organization to a specific owner and a least significant part assigned by the owner of the most significant part. For example, the unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the Higher Education PKI they are used to uniquely identify policies and cryptographic algorithms and possibly other elements contained in a PKC.
PKCS #1: RSA public key cryptography standard which defines a method of encrypting and signing data using RSA's public key cryptosystem. Describes a syntax, identical to the syntax in X.509 and PEM, for RSA public and private keys, and three signature algorithms for signing certificates and the like.
PKCS #5: RSA public key cryptography standard which describes a method for encrypting messages with a secret key derived from a password. The method is intended primarily to encrypt private keys when transferring them between systems but can be used to encrypt messages.
PKCS #6: RSA public key cryptography standard which describes a standard syntax for public key certificates beyond the X.509 standard. The syntax is a superset of the X.509 certificate with additional attributes extending the certificate process beyond just the public key to include other information such as electronic mail address.
PKCS #7: RSA public key cryptography standard which describes a standard syntax for data, compatible with PEM, that may be encrypted or signed, such as digital envelopes or digital signatures. Allows other attributes, such as timestamp, to be authenticated along with the message content. The syntax is recursive so that envelopes can be nested, or someone can sign some previously encrypted data.
PKCS #8: RSA public key cryptography standard which describes syntax for private key information - including a private key and a set of attributes - and syntax for encrypted private keys. PKCS #5 can be used to encrypt the private key information.
PKCS #12: RSA "standard" that describes the syntax for storing in software a user's public keys, protected private keys, certificates, and other related cryptographic information. The goal is to standardize on a single key file for use among a variety of applications.
Private Key: A Private Key is (1) the key of a signature key pair used to create a digital signature or (2) the key of an encryption key pair used to decrypt confidential information. In both cases, this key must be kept secret.
Public Key: A Public Key is (1) the key of a signature key pair used to validate a digital signature or (2) the key of an encryption key pair used to encrypt confidential information. In both cases, this key is made publicly available.
Public Key Infrastructure (PKI): PKI is a set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
Relying Party: The Relying Party is a person or agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. The Relying Party relies on the validity of the binding of the Subscriber's name to a public key. The Relying Party is responsible for deciding whether or how to check the validity of the certificate by checking the appropriate certificate status information. The Relying Party can use the certificate to verify the integrity of a digitally-signed message, to identify the creator of the message, or to establish confidential communications with the holder of the certificate. A Relying Party may use information in the certificate to determine the suitability of the certificate for a particular use. The Relying Party is the owner of the application.
Smartcard: A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.
Secure Multi-purpose Internet Mail Extensions (S/MIME): A specification for secure electronic mail designed to add security to email messages in MIME format via authentication (using digital signatures) and privacy (using encryption). See S/MIME FAQ.
Subscriber: A Subscriber is a Person that (1) either (a) is the Subject named or identified in a certificate issued to that Person or (b) is the owner or operator of an entity that is the Subject named or identified in a certificate issued to that Person, and (2) holds a private key that corresponds to the public key listed in the certificate.
Secure Socket Layer (SSL): Secure Socket Layer protocol. A security protocol that prevents eavesdropping, tampering, or message forgery with HTTP transmissions based on server-side public/private key pairs and provides support for client-side public/private key usage. See SSL FAQ.
User Certificate: A user certificate is a user's Public Key, which has been signed by (encrypted using the private key of) a Certificate Authority. This allows the user to give out his Public Key to others, and allows those others to trust that it is, in fact, the user's correct Public Key. A popular format for certificates is X.509.
Virginia Tech Certification Authority (VTCA): The Virginia Tech Certification Authority is a service at Virginia Tech that is responsible for issuing and managing digital certificates and public keys for Virginia Tech affiliated entities. The VTCA is the core of the Virginia Tech Public Key Infrastructure (PKI). The VTCA guarantees the identity and the authenticity of the entities it issues digital certificates to by using approved policies and procedures outlined in the Virginia Tech Certification Policy (CP) document. VTCA is often used to refer to any one of the CAs that comprise the VTPKI.
Web Server Certificate: Web server certificates are digital credentials that reside on a server and set up a secure connection between that server and a client or another server. This secure connection is called a Secure Sockets Layer (SSL) session.
X.500: An overall model for distributed directory services. The model encompasses the overall namespace and the protocol for querying and updating it. The protocol is known as DAP (Directory Access Protocol).
X.509: The X.500 directory service standard relevant to public key infrastructures describing two authentication methods: simple authentication based on password usage and strong authentication based on public key cryptography. Version 3 added certificate extensions to the X.509 standard.
December 16, 2013