Information Security Glossary
This section explains commonly used information security and IT security terminology. The following web sites also provide explanations of common IT and data security terms:
This is a term that, throughout ArticSoft products, is used to mean that the user is able to make use of (read, alter, pass on to an application and so on) information that has been transferred to their computer (usually in a browser window, an instant messaging application or in a file). It is possible that users may be able to obtain information, but, because it is protected, and they have not been authorized to access it, they cannot access it even though it is on their computer.
AES (Advanced Encryption Standard) is a cryptographic algorithm. It is a symmetric algorithm (in other words it uses the same key for encryption and decryption). AES, originally called Rijndael, was selected through a public competition to be approved for protecting (encrypting) information for all industry and commerce by the US National Institute for Science and Technology (NIST). It has been subjected to considerable scrutiny by government scientists and academics to check that it has no obvious weaknesses, and is considered to be the strongest protection of its type currently available. The AES algorithm is used in all ArticSoft products. See also symmetric algorithm and algorithm.
A mathematical expression used to encrypt or decrypt information. When information is to be encrypted or decrypted by computer, a mathematical process is followed by which it is transformed into a form that is, for all practical intents and purposes, impossible for anyone to understand unless they have the key used in the transformation.
An algorithm that uses one key to encrypt information but requires a different (related) key to decrypt that information. This is also referred to as public key cryptography. Because the key used to encrypt information cannot decrypt it, something very useful can be done. You can make one of the two keys available to anyone - the public key. The other key you must keep to yourself. Provided people know your public key, anyone receiving information that decrypts with your public key knows that the information must have come from you. More than that, if you encrypt something with someone else's public key you can be certain that only they can access it, regardless of who else sees the encrypted information. These features have created the concepts of PKI and non-repudiation.
A piece of information has authenticity when it can be shown to come from the expected person or place, and when the content of the information appears, as far as is obvious, to be correct for the circumstances involved.
A certificate, in the PKI sense, is an electronic record that contains information about the person, organization or device that owns it and about the authority that issued it. Its main use is to certify the owner/controller of a public key. All public keys have certificate information attached to them. The sort of information a certificate can contain is an e-mail address, an identifier of the controller (maybe their name, home or work address), information about the cryptography being used, how long the certificate is valid for and the source of any information if the certificate is cancelled. Certificates may be issued by their owners (self-signed), the organization they belong to, or they may be issued by other organizations. See also trusted authorities.
The links between a certificate and the original source of its authenticity. This corresponds to the 'trust hierarchy' by which each link in the chain gains its authority to make statements about the identity to which a certificate refers. (The government says what are tax offices, the tax offices say who tax inspectors are, and so on.) As a result, it is possible to see the links between all the organizations involved in vouching for the authority of the final certificate holder. Usually a certificate chain links the certificate you have been presented with to a root certificate. See also root certificate, trusted authorities.
These are two different, but interlinked topics. Confidentiality is the ability to protect information such that only people authorized are able to use it. Privacy is the right to control (usually to limit or forbid) the use of information. Privacy may use confidentiality measures in order to achieve that control. Sometimes this is related to digital rights management when information is computerized. Digital rights management allows the provider of information to decide what the recipient can and cannot do with that information (usually for a price).
Literally, the word means the art of secret writing. It means the conversion of writing into a form that cannot be understood without specific knowledge. (Cryptography started long before computers, with the ancient Egyptians. Computers have simply helped to automate the processes.) Cryptography is not the only method you can use to communicate information secretly. Steganography is a technique for hiding information inside other information (a picture with a person wearing a hat has one meaning, and the same picture with the person not wearing a hat has a different meaning).
Unlike the handwritten signature, which does not change very much over time, the digital signature is unique to every document that is signed. The digital signature makes use of the fact that, using an algorithm, it is possible to calculate a unique numeric value for any given document. This value can be encrypted using an asymmetric algorithm presenting a private key, and adding a public key certificate. This collection of items is the 'digital signature', which is quite a bit more complicated than a handwritten one. However, unlike the handwritten signature, anyone can, using the public key and its associated certificate, decrypt the unique value. Also, they can calculate that value for themselves by using the same algorithm. If the two values are equal they can be certain of two things: that the owner/controller of the private key 'signed' the document, and that the document has not been altered or forged. In its way, then, the digital signature is much more powerful than the handwritten signature because it can prevent any change to a document after it has been digitally signed.
This is the reversing of encryption, where a piece of information that has been encrypted (ciphertext) is converted back into plaintext. See also encryption, cryptography.
The process of protecting information by making it impossible for anyone who is not authorized to read that information in a useable form. Encryption is done on a computer by transforming the information to be encrypted (plaintext) using a key and producing ciphertext. If a suitable algorithm and key have been used, the ciphertext is, for all practical purposes, impossible to use in any way at all unless it is first decrypted. See also decryption, algorithm, cryptography.
FIPS (Federal Information Processing Standard)
The National Institute for Science and Technology of the USA publish standards for Federal organizations. These are also generally used by US businesses. They are not standards in the same way as British Standards Institute (BSI) or American National Standards Institute (ANSI), but nevertheless have a considerable influence on industry and commerce as well as government. Many of the standards published deal with aspects of computer security, including the use of algorithms and cryptography.
Hashing / hash algorithm
This is a mathematical process, similar in many respects to encryption and sometimes referred to as one-way encryption. Information (some text, a web page, a file) can be processed by the algorithm. Some algorithms also require a key, just like encryption. The algorithm processes the information and calculates a number that is unique to the original information. According to the standards it should be 'collision free' - that is, that no two pieces of information should ever produce the same value. Hashing is useful, because once a value has been calculated it is impossible to alter the information without detection since hashing the altered file cannot produce the original calculated value.
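An added example (not from the original glossary or from ArticSoft's products) of the detection property described above, using SHA-256 and the keyed HMAC-SHA-256 from Python's standard library. The key and the document bytes are constructed sample values, and the function names are chosen for this illustration.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """Unkeyed hash: anyone holding the data can recompute this value."""
    return hashlib.sha256(data).hexdigest()


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_document(data: bytes, stored_hash: str, stored_mac: str, key: bytes) -> dict:
    """Recompute both values and compare them with the stored ones.

    hmac.compare_digest compares in constant time, so the comparison itself
    does not reveal how many leading characters matched.
    """
    return {
        "hash_ok": hmac.compare_digest(fingerprint(data), stored_hash),
        "mac_ok": hmac.compare_digest(keyed_fingerprint(key, data), stored_mac),
    }


def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    original = b"Pay supplier 100.00"      # constructed sample document
    altered = b"Pay supplier 900.00"       # same document after alteration

    stored_hash = fingerprint(original)
    stored_mac = keyed_fingerprint(key, original)

    results = {}
    # Case 1: nothing changed, both checks pass.
    results["unchanged"] = check_document(original, stored_hash, stored_mac, key)
    # Case 2: the document changed but the stored values did not.
    # Both checks fail, which is the detection the entry describes.
    results["altered"] = check_document(altered, stored_hash, stored_mac, key)
    # Case 3: the stored values travel with the document and were replaced
    # along with it. The unkeyed hash can be recomputed by anyone, so it
    # matches again; the keyed value cannot be reproduced without the key.
    replaced_hash = fingerprint(altered)
    replaced_mac = keyed_fingerprint(b"not-the-real-key", altered)
    results["altered_and_rehashed"] = check_document(altered, replaced_hash, replaced_mac, key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The third case is why an unkeyed hash only detects alteration when the recorded value is kept somewhere the person altering the data cannot also change.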
A piece of information has integrity when you can show that it has not been altered (either by accident or as a result of hacking) without you being aware of the fact.
Generally, the ability to understand the form and format of information received and to be able to respond to that information in the manner expected by the sender. For instance, devices that can plug into and use correctly the cigarette lighter socket in a car can be said to be interoperable with the cigarette lighter.
Key length / strength
The key length for an algorithm is the number of bits (binary digits) that the key value occupies. With computerised algorithms it is often considered to be a measure of the strength of the algorithm (the more bits the better). Generally speaking, for implementations of internationally recognized algorithms this is the case.
This is the file that ArticSoft products use to store keys and certificates used to protect and verify web sites, web site content, files and message content. It also contains user notes on any of the information stored in it. It must be backed up regularly to prevent its being lost. It is protected from attack by strong cryptography.
The USA National Institute for Science and Technology. This is the US body responsible for the development and maintenance of scientific standards, methods and techniques. They produce standards for a broad range of topics including measuring, structures and vessels and information technology. See www.nist.gov.
Literally, that a thing cannot be denied. In the case of computer systems and PKI it is understood to mean that when a message (or file) is signed by a digital signature, the owner/controller of the private key for that signature cannot deny that they signed it, and, by implication, cannot deny the contents of the information that was signed. This is similar to the idea that if you physically sign a document you cannot later deny either that you signed it or what the document contained. In paper systems it is normal for all those involved in signing documents to keep a copy each as reference to prevent disputes over the contents. Digital signatures do not remove this since, whilst you can detect the alteration of a document, if it has been altered you cannot prove what the original document was unless there is a signed copy available.
In computer systems this is a series of characters that are entered secretly (they are not displayed) in order to prove the identity of a specific user. Passwords are important because they are often used in cryptographic systems as a key that gives access to private keys. As a result, a password should never be shown or given to anyone else, even if they seem to have a reason to need the password.
Passwords are normally chosen by the user, and there may be rules about how passwords are chosen. These may include specification about the use of letters, numbers, 'special' characters such as ()+= and so on. They may also forbid re-use within a particular timeframe. Generally passwords are recommended to be longer than six characters, should not be common words or readily identifiable to their user, should contain special characters and should not contain repeating or consecutive characters. ArticSoft suggest users select passwords by taking two common words say 'rain' and 'gravel' and joining them using a special character, e.g. Rain*#gravel or rainGravel. Passwords formed in this way are not readily subject to 'dictionary attack', where the attacker uses a dictionary of common passwords, or a simple attack of all upper (or lower) case letters. More complex schemes do exist, but they tend to create passwords that are difficult to remember, which may not be that helpful. See also Passphrase and PIN.
An alternative to the password (and sometimes this term is used when password is meant), the passphrase is usually longer. So, whilst a password could be rain*#Gravel, a passphrase could be a quotation such as, "Can I compare thee to a Summer's day" or "Now is the Winter of our discontent made full Summer". The advantages of a passphrase over a password are that, because it is longer, it cannot be readily guessed by watching the user over their shoulder whilst they type, and dictionary attacks are of little use since the length and content of the passphrase is very hard to predict. As a result, passphrases do not have to be changed as often as passwords. The disadvantages are that they are long and take time to enter, few systems really cater for them, and the user must be a good typist or they will spend all day trying to get the passphrase right. See also Password and PIN.
PGP – Phil Zimmermann's Pretty Good Privacy, created in 1991, is the name of a computer program for generating and storing cryptographic keys, and for encrypting, decrypting, digitally signing and signature checking texts, files and folders. Its technical method of operation was standardized by the Internet Engineering Task Force in RFC 2440 (1998), since replaced by RFC 4880. Concepts of 'trusting the certificate' used to provide (prove) a sender's or recipient's identity were introduced in 1992 using either the PGP web of trust or the X.509 Public Key Infrastructure (PKI).
PIN (Personal Identity Number)
This is usually four digits for credit and debit cards. It replaces the password in situations where a full keyboard is not available to the user, or where the system security mechanism can invalidate the user's identity very quickly if the wrong values are entered. Commonly three attempts are allowed to enter a correct PIN, and if they all fail the PIN is revoked and the user (card holder) is informed that they must contact the issuer before they can do anything. Like the password and passphrase, a PIN should never be given to anyone else no matter what plausible reason they seem to have.
This is Public Key Cryptography Standard #12 developed by RSA and subsequently endorsed by general industry. It is a specific method for storing and holding a private key and a public key in a certificate. It is often used as a secure means for transferring keys to users, and is encrypted using a secret key or password. See also X.509. See www.rsa.com.
This is one of the two keys used in 'public key cryptography', also referred to as asymmetric cryptography. They are called public and private because for the system to work, one of the related keys must be kept private - it must not be disclosed to anyone other than its controller, whilst the other key must be made public - that is, it must be available to anyone that needs to contact the owner/controller of the matching private key or needs to check a digital signature that appears to come from them.
Throughout ArticSoft products, the term protected is used to mean that information cannot be accessed (used) if it has been protected, unless the user has the necessary authority. Protection is applied using cryptography. When information is protected it is encrypted. The cryptographic key needed to remove that protection is made available to authorized users. Once it is in their keystore, they will be able to access (view) that protected information. See also cryptography.
See private key.
Public Key Infrastructure (PKI)
This is a concept where it is theoretically possible to obtain the public key of any person that you wish to communicate securely with over a public communications network such as the Internet, and where it is possible to verify the accuracy of the information being presented by anyone offering a 'public key certificate' as a means of proving their identity. A number of problems wait to be resolved before such an infrastructure becomes generally available and generally respected. At the time of writing it is possible to verify the identity of a number of organizations, and it is expected that over time it will be possible to extend this to include people as well as organizations.
In a public key and certificate system, this is the certificate that identifies a trusted authority from which other trusted relationships are derived. In PKI theory, the ability to trust an identity is based upon the trust you have in the organization (authority) that vouches for the identity. You might accept a person's identity if your government has issued it, or a company's if the national company registration authority issues it. At the time of writing, nation states have not taken the step of issuing PKI identities, preferring to allow the commercial market to develop the infrastructure. As a result, root certificates contained in web browsers and ArticSoft keystores are currently those of commercial companies that are recognized in their own markets as competent to make statements about the certificates that they issue. That may not be the case in all countries in the future.
This is the name of the first published asymmetric or public key algorithm. It is named after its inventors, Rivest, Shamir and Adleman. RSA has been known about for over 20 years now, and has been subjected to considerable academic research to find out if it has any weaknesses, and, so far, none have been published. It has key lengths of 512, 1024 and 2048 bits (binary digits), so the maximum possible number of unique keys (and hence unique users) that could exist range from 2 raised to the power 512 to 2 raised to the power 2048. (For the non-mathematicians, 2 raised to the power of 100 is calculated by multiplying 2 by itself 100 times, giving a value 1,267,650,600,228,229,401,496,703,205,376, and that value doubles each time you raise it by multiplying by two. 2 to the power 2048 doesn't fit very readably on this page and is difficult to proofread.)
Unlike a handwritten signature, which is written onto, and thus becomes part of the document to which it relates, signing electronic information is rather different. To sign a piece of information, a hash of the information is created using a hashing algorithm. The hash is then encrypted using the private key for an asymmetric algorithm. The public key certificate for the private key is appended to the encrypted hash value. These correspond to the signature on the information. See digital signature, hash, Public Key Infrastructure.
This is an encryption algorithm where the same key is used for both encryption and decryption (unlike asymmetric where different keys are used). The key used in a symmetric algorithm is often called a secret key because it has to be kept secret by all users of the system, unlike a public key that has to be made available to everyone. See algorithm, cryptography.
Trusted Authorities are electronic identities (people, businesses, governments and so on) that you have decided (either by some positive action or by default) to trust. In this sense, the word trust means simply that you believe they are who they say they are. You may also believe that these identities can vouch for the identity of others. (You believe a man is from the Gas board if he has identification from the Gas board saying that he is.) When you load the ArticSoft system for the first time you are provided with a list of Trusted Authorities that have been generally accepted in the IT industry as being competent to register identities in a proper manner. These are not government backed, but they may accept some liability if they tell you something that is wrong. You may add your own list to that, either of web sites that you deal with (where they do not link back to a Trusted Authority already) or of individuals that you know and trust to give you accurate information when they register identities. See certificate, root certificate.
Throughout ArticSoft products, the term unprotected is used to mean that information can be accessed (used) providing the user has the necessary authority. When information is unprotected it is decrypted. The cryptographic key needed to remove the protection is made available to authorized users. Once it is in their keystore, they will be able to access (view) that protected information. See also cryptography.
This term refers to an information technology standard that was first developed by the International Telecommunications Union (ITU), and later modified by the Internet Engineering Task Force (IETF). The standard concerns the definition of a record in a database that is used to store public key certificates for access through a PKI. Although the format is a standard, it has been shown to be capable of many interpretations by different manufacturers. Some of the information in a certificate includes the owner's/controller's identity and the identity of the Trusted Authority that vouches for them (or their own identity if they are issuing certificates for themselves as a root authority).