Glossary of Terms Used in Cryptography, IPSec Interoperability and PKI

A5 - a secret algorithm used in European cellular telephones.

ACA - the American Cryptogram Association is an amateur (not professional), nonprofit, volunteer organization devoted to disseminating cryptographic information.

Access control - the control of who or what applications have access to a network, server, PC.

Access Router - A router that connects your network to another network or networks. An access router enforces your ACL, effectively providing a level of protection for all of the hosts "behind" that router.

ACL (Access Control List) - A listing of users and their associated access rights. Rules for packet filters (typically routers, servers or security gateways) that determine which packets to pass and which to block.

Accidental Repetition - a repetition caused by chance, and not by the encipherment of identical plaintext characters by identical keying elements.

Active attack - an attack in which the attacker must create or modify information.

Additional Servers - Name servers, other than the primary and secondary name servers, that are available to identify a particular domain name with its corresponding Internet Protocol (IP) address(es).

Additive - a single digit or numerical group, or series of digits which for the purpose of encipherment, is added to a numerical cipher unit, code group, or plaintext, usually by cryptographic arithmetic.

Additive method - the method of encipherment wherein the cryptographic equations are P + K = C, and P + K - C.

Additive system - a cryptosystem in which encipherment is accomplished through the application of additives.

ADFGVX system - a German High-Command cipher system used in World War I. Essentially, it is a bilateral substitution system that employs a 6 x 6 or 5 x 5 square to which columnar transposition is subsequently applied.

Advanced Research Projects Agency (ARPA) - an agency of the U.S. Department of Defense that promotes exploratory research in areas that carry long-term promise for military applications. ARPA funded the major packet switching experiments in the United States that led to the Internet.

AES - (advanced encryption standard) - to be approved by NIST for next 20 - 30 years use.

AFT - Authenticated Firewall Traversal - SOCKS V5 - a protocol that provides for authenticated firewall traversal for client-server applications [RFC 1928].

Agent - In network management: that component of a system that responds to management requests and/or preprogrammed traps. In the client/server model: the system component that prepares information and exchanges it for a client or server application.

AH - The IP Authentication Header - provides authentication services at the IP layer on a packet-by-packet basis [RFC 2402].

AKEP - Authentication Key Exchange Protocol - Key transport based on symmetric encryption allowing two parties to end up with a shared secret key, secure against passive adversaries.

Algorithm - (encryption algorithm, encryption engine) A set of mathematical rules (logic) used in the processes of encryption and decryption.

Alias - an assumed name (dummy) mail address that routes the message to all real addresses associated with the assumed name.

American National Standards Institute (ANSI) - an organization that endorses and publishes standards for various industries.

American Registry for Internet Numbers (ARIN) - Non-profit organization that manages the allocation of Internet Protocol (IP) addresses in the Americas, the Caribbean, and sub-Saharan Africa. The National Science Foundation (NSF) approved the establishment of ARIN on June 24, 1997.

Anagram - plain language reconstructed from a transposition cipher by restoring the letters of the cipher text to their original order.

Annual Solar Limit - the total amount of energy produced by the sun in a year. It is possible to calculate a worst case upper limit for the number of keys that can be tested with that amount of energy: 2^192 keys. This suggests that a secret key containing 192 bits is impractical to crack using brute force methods.

Anonymity - of unknown or undeclared origin or authorship, concealing an entity's identification.

ANSI - American National Standards Institute - represents the U.S. in the ISO. A private standards body that develops industry standards through various Accredited Standards Committees (ASC). The X9 committee focuses on security standards for the financial services industry.

Anti-replay integrity (protection) - detects arrival of duplicate IP datagrams within a constrained window.

Aperiodic - characterized by absence of cyclic attributes or usage.

Aperiodic system - a system in which the method of keying does not bring about cyclic phenomena in the cryptographic text

API - application program interface - provides means to take advantage of software features.

Application - information processing according to a set of instructions to accomplish a given end. Application examples: electronic mail, credit card verification, electronic data interchange, database search, LAN/WAN connections, remote computing services, distributed data processing, information gateways, international access services, frame-relay services, ATM networks, electronic publishing, electronic trading, authentication, database SQL, ...

Archie - A search utility program used to find files on the Internet.

Arcnet - A 2.5 Mbps network (twisted pair or coaxial cable) most often implemented in a physical star configuration using token-passing to control access.

ARP - Address Resolution Protocol.

ARPANET - a pioneering wide area, packet-switched computer network developed by ARPA. The ARPANET was the original backbone for the modern Internet, and many of its protocols were adapted to work on the Internet, including those for e-mail, FTP, and remote terminal connections.

AS - autonomous system - an autonomous network of interconnected hosts, clients, etc.

ASCII - American Standard Code for Information Interchange - The standard code, using a coded character set consisting of 7-bit coded characters (8 bits including parity check), used for information.

Asia-Pacific Network Information Center (APNIC) - A collaborative effort of national Network Information Centers (NICs) and Internet Service Providers within the Asian-Pacific region. The APNIC manages the allocation of Internet Protocol (IP) addresses in the Asia-Pacific region.

ASC - Accredited Standards Committee

ASN.1 - Abstract Syntax Notation One - ISO/IEC standard for encoding rules, DER (Distinguished Encoding Rules), BER (Basic Encoding Rules).

Asymmetric - do not need the same key on each end of a communication link.

Asymmetric key encryption - a separate but integrated user key pair comprised of one public key and one private key. Each key is one-way, meaning that the key used to encrypt information cannot be used to decrypt information.

Asynchronous - character-by-character or cell-by-cell or data unit-by-data unit transfer. Data units from any one source need not be periodically spaced within the overall data unit stream.

ATM - asynchronous transfer mode

Audit - The process of examining the history of a transaction to find out what happened. An operational audit can be an examination of ongoing activities to determine what is happening.

Authentication - The process of ensuring the identity of the connecting user or participants exchanging electronic data. Makes sure the person or server at either end of a connection is who they/it claim to be and not an impostor.

Authorization - to convey official sanction, access or legal power to an entity.

Autoencipherment - encipherment by means of an autokey system.

Autokey - the block cipher mode in which the cipher is used to generate the key stream. Also called output feedback (OFB) mode.

Autokey system - an aperiodic substitution system in which the key, following the application of a previously arranged initial key, is generated from elements of the plain or cipher text of the message.

Availability - requires that computer-system assets be available to authorized parties

Backbone - A high-performance network of thick wire or fiber optic cables that enables data transmission within networks that are connected to it.

BATAP - Type B Application to Application Protocol, secures TYPE B traffic. It was specified by SITA and published by IATA.

BER - Basic Encoding Rules provide a platform independent means to encode objects for transmission. BER are a universal representation of the data values whose abstract syntax is described in ASN.1. BER is the encoding language of Connection-Oriented message transport [ITU-T Rec X.680]. BER-encoded means that the values would typically be represented as octet strings

BGP - border gateway protocol - an Internet protocol that enables routers to share routing information. [RFC 1771]

Binary digit - one of the two symbols (0 & 1) commonly used to represent numerical entries in the binary number system.

B-ISDN - A high-speed communications standard for wide area networks that supports wide-bandwidth applications including voice, data and graphics.

Bit - a single digit in a binary numbering system (e.g., 1 or 0). A contraction of the term "binary digit."

BITS - Bump-in-the-Stack - IP Security is implemented underneath an existing implementation of an IP protocol stack.

BITW - Bump-in-the-Wire - the use of an outboard crypto processor to achieve security [cf. RFC 2401, p 8].

Blind signature - the ability to sign documents without the knowledge of content; notary public.

Block - a string or group of bits that a block algorithm operates on; typical values are 40, 50, 64, 128, 512, 1024, ...

Block cipher - block algorithms - algorithms that operate on plain text in blocks (strings or groups) of bits.

Blowfish - a symmetric block cipher system that can be used as a replacement for the DES or IDEA encryption algorithms. It takes a variable-length key, from 32 to 512 bits, making it ideal for both domestic and exportable use. It was designed in 1993 by Bruce Schneier as a fast alternative to the existing encryption algorithms.

Bridge - an inter-networking switch usually operating at OSI Level 2, the Data Link Layer. A bridge expands a LAN or connects two LANs.

Broadcast - In network terms, to send a datagram to an entire subnetwork.

Browser - client application software for accessing data on the World Wide Web.

Brute Force Cracking - the process of trying to recover a crypto key by trying all reasonable possibilities.

Bucket Brigade - an attack against public key exchange in which attackers substitute their own public key for their requested public key, also called a Man-in-the-Middle attack.

Bus - a single data path to which all workstations directly attach, and on which all transmissions are available to every workstation. However, only the workstation to which a transmission is addressed can actually read it.

Bypass - a flaw in a security device that allows messages to go around the security mechanisms. Crypto bypass refers to flaws that allow plaintext to leak out.

Byte - a string of binary digits (usually 8, 16, 32, or 64 bits long) operated on as a basic unit by a digital computer.

CA (Certification Authority, certificate authority) - a trusted third party that creates certificates that essentially notarize the association of an identified entity with a public key and other attributes.

CAC - connection admission control - actions performed by a network to enforce network admissions policies.

CAP - competitive access providers

CAPI - Microsoft's crypto API for Windows-based operating systems and applications.

Capstone - The U.S. Government's long-term project to develop a set of standards for publicly available cryptography. NIST and NSA are the responsible agencies. Capstone specifies Skipjack as the encryption algorithm which is implemented on the Clipper chip. It uses the DSA digital signature algorithm and the SHA hash function.

Cascading - connecting in series.

CAST - Northern Telecom algorithm developed by Carlisle Adams and Stafford Tavares. A 64-bit block cipher with 8-bit input and 32-bit output.

Causal repetition - a repetition produced by encipherment of identical plaintext characters by identical keying elements.

CBC (Cipher Block Chaining) - the plain text is XORed with the previous cipher text block then encrypted.

CBR - constant bit rate

CCITT - Consultative Committee for International Telegraphy and Telephony

CDK - Crypto Developer Kit - a documented environment, including an API for third parties to write secure applications using a specific vendor's cryptographic library.

CDMF - IBM's 40 bit DES. A mandatory part of the SET protocol

CDSA - Common Data Security Architecture - a set of layered security services developed by The Open Group to address communications and data security in the Internet and intranet application space.

Cell - fixed sized packets (the ATM standard is 53 octets, but proprietary lengths e.g. of 16 and 24 octets have been used). Cells are identified and switched by means of a five byte header.

Cell relay - (cell switching) is used for high-speed transmission of multiple types of traffic, including voice, data and video.

CERT - Computer Emergency Response Team - Security clearinghouse that promotes security awareness. CERT provides 24-hour technical assistance for computer and network security incidents. CERT is located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, PA.

Certificate - (digital certificate) - An electronic document attached to a public key by a trusted third party which provides proof that the public key belongs to a legitimate owner and has not been compromised.

Certificate authority - a trusted third party who issues, revokes, and manages certificates, validating that public keys are not compromised and that they belong to the correct owners.

Certificate Revocation List (CRL) - a list of certificates that have been revoked before their scheduled expiration date.

Certification - The administrative act of approving a computer system, component, product, etc., for use in a particular application; endorsement of information by a trusted entity.

CFM - Cipher Feedback Mode - a block cipher that has been implemented as a self-synchronizing stream cipher.

Chain - a series of letters or other textual symbols following one another according to some rule or law.

Chaining - chaining adds feedback to a cipher block. The results of the encryption of a previous block(s) are fed back into the encryption of the current block.

CHAP - Challenge Authentication Protocol - session-based, two way password authentication scheme.

Checksum - a numeric value used to verify the integrity of a block of data. The value is computed using a checksum procedure. A crypto checksum incorporates secret information in the checksum procedure so that it can't be reproduced by third parties that don't know the secret information.

Chi-square test - a statistical test used for determining the likelihood that two distributions derive from the same source.

Chi-test - a test applied to the distributions of the elements of two cipher texts either to determine whether the distribution results from the encipherment by identical cipher alphabets, or to determine whether there is a relationship between the underlying cipher alphabets.

CIPE - Crypto IP Encapsulation is an ongoing project to build encrypting IP routers. The protocol used is as lightweight as possible. It is designed for passing encrypted packets between prearranged routers in the form of UDP packets. CIPE is not as flexible as IPSec but is enough for the original intended purpose: securely connecting subnets over an insecure transit network.

Cipher - (cipher text) encrypted plain text.

Cipher alphabet - an ordered arrangement of the letters of a written language and the characters to replace them in a cryptographic process of substitution.

Cipher Block Chaining (CBC) - a block cipher mode that combines the previous block of ciphertext with the current block of plaintext before encrypting it; very widely used.

Cipher feedback - a block cipher mode that feeds previously encrypted ciphertext through the block cipher to generate the key that encrypts the next block of ciphertext; also called CTAK.

Cipher system - (cryptosystem) the hardware and/or software making up the means to encrypt and decrypt plaintext. Encryption and decryption can be implemented in software on the host computer or in hardware devices placed on the links between computers.

Ciphertext - data that has been encrypted with a cipher, as opposed to plaintext.

Circuit switching - A method of handling traffic through a switching center, either from local users or from other switching centers, whereby a connection is established between the calling and called parties.

Cleartext - characters in a human readable form or bits in a machine readable form.

Client - A device or application that makes use of the services provided by a server in a client/server architecture.

Clipper - An encryption chip developed and sponsored by the U.S. Government that contains the Skipjack encryption algorithm.

CMC - Certificate Management of Messages over CMS

CMIP - Common Management Information Protocol - The OSI layer 7 protocol for network management covering manager-to-agent and manager-to-manager communication.

CMIS - Common Management Information Services [see CMOT]

CMOT - The Common Management Information Services and Protocol over TCP - CMOT is a network management architecture that uses the International Organization for Standardization's (ISO) Common Management Information Services/Common Management Information Protocol (CMIS/CMIP) in a TCP/IP environment. CMOT provides a means by which control and monitoring information can be exchanged between a manager and a remote network element [RFC 1095].

CMP - Certificate Management Protocols - The Internet X.509 PKI Certificate Management Protocols [RFC 2510].

CMS - Cryptographic Messaging Syntax - a general syntax for data that may have cryptography applied to it, such as digital signatures and digital envelopes [RFC 2315].

CORBA - Common Object Request Broker Architecture - OMG's model for using and managing distributed objects in a network.

Code - a system of instructions making up software. A system of symbols making up cipher text.

Code group - a group of symbols assigned to represent a plain-text element.

Coincidence - a recurrence of textual elements occurring within a message, or between messages.

Coincidence test - the Kappa test, applied to two cipher-text messages to determine whether or not they both involve ciphering by the same sequence or cipher alphabets.

Compatibility - capable of working together harmoniously.

COMSEC - Communications Security - Protection of all measures designed to deny to unauthorized persons information of value that might be derived from a study of communications.

Confidentiality - assurance that data is not read or accessed by unauthorized persons.

Connection mode - a logical connection is set up between end systems prior to the data exchange. After data transfer the connection is terminated.

Connection integrity - assurance that the connection is not modified by unauthorized entities.

Connectionless integrity - detecting modification to an individual IP datagram regardless of the sequence or order of the datagram in a stream of traffic.

Connectionless mode - each data unit (packet) is independently routed to the destination; no connection establishment activities are required.

Control vector - a string of bits of arbitrary length attached to a key that specifies the uses and restrictions for that key in the IBM Secret Key Management Protocol.

Cookie - Persistent Client State HTTP Cookie - a file or token of sorts, that is passed from the web server to the web client (your browser) that is used to identify you and could record personal information such as id & password, mailing address, credit card number, etc.

COS - Corporation for Open Systems

CPC - Cryptography Products Consortium

CRAB - a 1024 byte block cipher similar to MD5, using techniques from a one-way hash function, developed by Burt Kaliski and Matt Robshaw at RSA Laboratories.

Cracking - the process of overcoming a security measure. Cracking a key means an attempt to recover the key's value; cracking some ciphertext means an attempt to recover the corresponding plaintext.

CRC - Cyclic Redundancy Check - an algorithm used to detect data transmission errors.

CRMF - Certificate Request Message Format - used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA) for the purposes of X.509 certificate production [RFC 2511].

Credentials - something that provides a basis for credit or confidence.

Critical application - a computing application in which an attacker could cause incredibly serious damage, including loss of life.

CRL - Certificate Revocation List - a list of certificates that have been revoked before their scheduled expiration date.

Cross-certification - two or more organizations or Certificate Authorities that share some level of trust.

Crypt, crypto - means secret; pertaining to secret.

Cryptanalysis - The art or science of transferring ciphertext into plaintext without initial knowledge of the key used to encrypt the plaintext.

CRYPTOKI - also known as PKCS #11

Cryptogram - an encrypted message, file, etc.; a simple word/character substitution cipher.

Cryptography - the branch of cryptographic science which deals with the means, methods, and apparatus of converting plain text messages into secret messages and vice versa.

Cryptolinguistics - study of characteristics of languages which have some application in cryptology, i.e. frequency data, letter combinations, universal patterns, etc.

Cryptologic - pertaining to cryptology

Cryptology - cryptography and cryptanalysis.

Cryptoperiod - the amount of time a particular key has been used; sometimes refers to the amount of data encrypted with it.

Cryptosystem - (cipher system) - the hardware and software making up the means to encrypt and decrypt plaintext. Encryption and decryption can be implemented in software on computers or in hardware devices placed on the links between computers.

Cyclic phenomena - periodic ciphertext repetitions in a cryptogram enciphered with a repeating key.

Data - digital information or just information, depending on the context.

Database - an electronic filing system for data - a collection of data organized by fields, records, and files such that a computer program can select desired pieces of the collection.

Datagram - packets individually routed through a network and reassembled at the receiving end.

Data Integrity - ensuring information has not been altered by unauthorized or unknown means.

Data key - a crypto key that encrypts data as opposed to a key that encrypts other keys.

Data link - the portion of a system of computers that transfers data between them, including wiring, hardware, interfaces, and device driver software.

DBS - direct broadcast satellite.

Deactivation - The process of removing a domain name from the zone files for the top level domains. When a domain name is deactivated, the Domain Name System (DNS) no longer has the information needed to match the domain name with its corresponding Internet Protocol (IP) address(es).

Decimation - the process of selecting members of a series by counting off at an arbitrary interval; the original series being treated as cyclic.

Decode - that section of a code book in which the code groups are in alphabetical order, or other systematic order. To convert by codebook, not cryptanalysis.

Decrypt - to convert cipher text into the original plain text using a cryptosystem. Decryption (and encryption) can be implemented in software on computers or in hardware devices placed on the links between computers.

Deletion - The process of removing a domain name and its corresponding record from the Domain Name System (DNS). A deleted domain name cannot be used to locate computers on the Internet and is available for other parties.

DER - Distinguished Encoding Rules

DES - Data Encryption Standard - U.S. data encryption standard adopted in 1976 as FIPS 46.

Device driver - a software component that controls a peripheral device. For data link devices, it manages the process of sending and receiving data across the data link.

DHCP - dynamic host configuration protocol - ISPs use the DHCP to assign mobile clients an IP address that is good only for the duration of a dial-in phone call.

Dial-up-access - the connection of a computer to a network through the use of a modem and a public telephone network.

Dictionary attack - a calculated, brute-force attack to reveal a password by trying obvious combinations.

Diffie-Hellman - the first public-key algorithm, using discrete logarithms in a finite field, invented in 1976.

Digital Cash - electronic money that is stored and transferred through a variety of complex protocols.

Digital certificate - a signed electronic document (digital ID) that notarizes and binds the connection between a public key and its legitimate owner. Similar to how a driver's license or passport proves the owner's identity. Its purpose is to prevent unauthorized impersonation and provide confidence in public keys.

Digital signature - an electronic identification of a person or thing created by using a public-key algorithm, intended to verify to a recipient the integrity of the data and the identity of the sender of the data.

Direct trust - an establishment of peer-to-peer confidence.

Discrete logarithm - the underlying mathematical problem used in asymmetric algorithms like Diffie-Hellman and Elliptic Curve, the inverse problem of modular exponentiation, which is a one-way function.

DLL - Dynamic Link Library - a library of executable functions that can be used by a Windows application.

DMS - Defense Messaging System - standards designed by the U.S. Department of Defense to provide a secure and reliable enterprise-wide messaging infrastructure for government and military agencies.

DN - (1) domain name indicates the general domain of the activity or user and could represent many IP addresses whereas the FQDN corresponds to one IP address. (2) Distinguished Name

DNS - Domain Name Server, Domain Name Space, Domain Name System

DNSSEC - Domain Name System Security - an IETF Working Group proposed draft that will specify enhancements to the DNS protocol to protect the DNS against unauthorized modification of data and against masquerading of data origin; adds data integrity and authentication capabilities to the DNS via digital signatures.

Domain - a domain represents a level of the hierarchy in the Domain Name Space and is represented by a domain name. For example, the domain name "" represents the second level domain "icsa" which is a subset, or sub-domain, of the top level domain "net," which is in turn a larger subset of the total Domain Name Space.

Domain Name - the textual name assigned to a host on the Internet. The Domain Name Service (DNS) protocol translates between domain names and numerical IP addresses.

Domain Name Server - see Name Server

Domain Name Space - all the domain names that currently represent the networks, computers, and other network devices that can be described and represented by the Domain Name System (DNS).

Domain Name System (DNS) - a distributed database of information used to translate domain names into Internet Protocol (IP) addresses.

DSA - Digital Signature Algorithm - a public-key digital signature algorithm proposed by NIST for use in DSS.

DSS - Digital Signature Standard - a NIST proposed standard (FIPS) for digital signatures using DSA.

Due Diligence - Such a measure of prudence, activity, or assiduity, as is properly to be expected from, and ordinarily exercised by, a reasonable and prudent person under the particular circumstances; not measured by any absolute standard, but depending on the relative facts of the special case.

EAP - Extensible Authentication Protocol - protocol for PPP authentication [RFC 2284].

EBCDIC - Extended Binary Coded Decimal Interchange Code

eCash - electronically transferred money.

EC - electronic commerce or elliptic curve

ECC - Elliptic Curve Cryptography - elliptic curve cryptosystem - uses the algebraic system defined by the points of an elliptic curve to provide public-key cryptographic algorithms.

ECMA - European Computer Manufacturers Association

ECN - Explicit Congestion Notification - a method for indicating congestion to end-nodes as a means for congestion control and avoidance. [RFC 2481]

ECP - extended capability port - a parallel-port standard to support bi-directional communications between a PC and attached devices.

EDI - Electronic Data Interchange - is the direct, standardized computer-to-computer exchange of business documents (purchase orders, invoices, payments, inventory analyses, and others) between an organization and its suppliers and customers.

EEMA - European electronic messaging association

EES - Escrowed Encryption Standard - a U.S. Government proposed standard for escrowing private keys.

EGP - exterior gateway protocol - a protocol used by gateways to interconnect autonomous systems or networks.

EIA - Electronic Industries Association

Encryption algorithm - used for both digital signatures and encryption based on discrete logarithms in a finite field, can be used with the DSA function.

Electronic Codebook (ECB) - a block cipher mode that consists of simply applying the cipher to blocks of data in sequence.

ElGamal Scheme - used for both digital signatures and encryption based on discrete logarithms in a finite field, can be used with the DSA function.

EMA - Electronic Messaging Association - an inter industry forum dedicated to the promotion, development and use of email, voice mail, fax, EDI and other messaging technologies for secure global electronic commerce.

E-mail - electronic mail.

Encipher - to convert a plaintext into unintelligible language or signals by means of a cipher system.

Encrypt - (encode, encipher) to convert plain text into unintelligible forms by means of a cipher system (crypto system). Encryption (and decryption) can be implemented in software on computers or in hardware - the set of mathematical logic that actually converts (encrypts/decrypts) data.

End-to-end (hardware) encryption - the data is disguised throughout its path, the encoding and decoding devices are synchronized, the data is encrypted at its source and decrypted at its destination, the data link header is in clear text, the source and destination need not be kept secret, not transparent to the hardware which must detect start/stop instructions and/or be sensitive to data communications procedures.

Entering wedge - a weakness in a crypto system or other security system that gives an attacker a way to break down some of the system's protections.

Enterprise - The collection of systems, computers, networks, etc., that society depends upon for information transfer, processing and management.

Entropy - a mathematical measurement of the amount of uncertainty or randomness.

ERM - electronic records management

ERP - enterprise resource planning - activities supported by multi-module application software that help a manufacturer or other business manage product planning, finance planning, parts purchasing, maintaining inventories, interacting with suppliers, providing customer service, and tracking orders.

ESP - encapsulating security payload - The IPSec protocol that provides the security services of confidentiality, traffic flow confidentiality, connectionless integrity, data origin authentication, and an anti-replay service. [RFC 2406]

Ethernet - Ethernet is an approach for local area networks using basic copper wire or cable connections. Ethernets have been developed for 10 Mbytes/sec, 100 Mbytes/sec and higher speed applications. Ethernets use a protocol called CSMA/CD, which stands for "Carrier Sense, Multiple Access, Collision Detect". "Multiple Access" means that every station is connected to a single copper wire (or a set of wires that are connected together to form a single data path). "Carrier Sense" means that before transmitting data, a station checks the wire to see if any other station is already sending something. If the LAN appears to be idle, then the station can begin to send data. For the "Collision Detect" part, two stations can begin to send data at the same time, and their signals will "collide" nanoseconds later. When such a collision occurs, the two stations stop transmitting, "back off", and try again later after a randomly chosen delay period.

EWOS - an open European organization working to provide high quality contributions to the worldwide efforts to build an effective Global Information Infrastructure, whilst ensuring proactive support of solutions meeting specific European needs, in areas such as Electronic Commerce.

Executable contents - data with contents that represent an executable computer program that is capable of modifying persistent data on a host computer.

Export - The U.S. Government regulates the strength of cryptography products exported outside of the U.S. and Canada.

FDDI - fiber distributed data interface - An ANSI standard specifying a packet-switched LAN-to-LAN backbone for transporting data at high throughput rates over a variety of multimode fibers. FDDI addresses the bottom two layers of the OSI model.

FEAL - a block cipher using a 64-bit block and 64-bit key, designed by A. Shimizu and S.Miyaguchi at NTT Japan.

Field - In database terms, a field is a name or tag given to a set of similar data inputs. For example a field might be "name," while Bob and Alice are two inputs to the field.

File - In database terms, a collection of records stored and handled as a single unit. For example, an executive telephone book may be a file consisting of the names, titles and telephone numbers of the executives listed in the company's human resources database.

File transfer - the electrical transfer of a file from one storage or processing unit to another.

FIPS - Federal Information Processing Standards - U.S. government standards published by NIST.

Firewall - a device, installed at the point where network connections enter a site, that applies rules to control the type of networking traffic that flows in and out. Most commercial firewalls are built to handle Internet protocols.

Flow ID Traffic - Flow identifier used in host-to-host traffic to differentiate traffic flow types.

Forgery - a data item with contents that mislead the recipient to believe the item and its contents were produced by someone other than the actual author.

Fortezza - formerly known as Tessera. A PCMCIA card used by the Capstone project (US Government).

FPGA - field programmable gate arrays

FQDN - fully qualified domain name, corresponds or maps to one IP address. A FQDN is registered with one of the international NICs or the InterNIC - a registered, identified user site.

FR - Frame Relay - packet-mode switching interface for handling high-speed data and interconnecting LANs and WANs in low error-rate environments. A streamlined version of X.25, uses variable packets (frames) as the transfer format with less overhead and sequence checking. Error checks occur only at the destination point.

Frequency - the number of actual occurrences of a textual element within a given text.

Frequency distribution - a tabulation of the frequency of occurrence of plain or cipher text; a frequency count.

FTP - file transfer protocol

Function - In programming terms, a section of a program that performs a specific task.

GAK - Government Access to Keys - a method for the government to escrow an individual's private keys

Gateway - a major relay station that receives, switches, relays, and transmits ILC traffic. A gateway converts one protocol suite to another, when necessary, to allow different computer systems to communicate. A gateway can operate at any OSI layer above OSI Level 3, the Network Layer.

General solution - a solution dependent on exploiting the inherent weaknesses of the cryptographic system arising from its own mechanics, without the presence of any specialized circumstances.

GOSIP - Government OSI Protocol - U.S. Government standards for inter-operable data communications based on the ISO's OSI Reference Model.

GOST - an algorithm from the former Soviet Union

GSS - generic security services - Generic Security Service Application Program Interface (GSS-API) provides security services, supportable with a range of underlying mechanisms and technologies, allowing source-level portability of applications to different environments [RFC 1508].

Hardware encryption - plain text is encrypted by hardware devices on-line between the host computers. There are two approaches to hardware encryption: end-to-end and link (see end-to-end and link).

Hash code - also known as message digest. A unique snapshot image of data that can be used for later comparison.

Hash function - one-way hash function - a function that produces a message digest that cannot be reversed to produce the original.

Headers - formatted information attached to the front of data sent through a computer network; headers contain information used to deliver and correctly process the data being sent.

Henry the Forger - an attacker who generates completely forged network messages to try to fool victims.

Hierarchical Trust - a graded series of entities that distribute trust in an organized fashion, commonly used in X.509 issuing certifying authorities.

High risk application - a computer application in which the enterprise operating it can suffer a significant loss through a computer incident.

Hijacking - an attack in which the attacker takes over a live connection between two entities so that he can masquerade as one of the entities.

HLD - High Level Designator: Indicates the entry or exit point of a block in the network.

HMAC - a mechanism for message authentication that combines an iterative cryptographic hash function such as MD5 or SHA-1 with a secret shared key.

Host - a computer system that resides on a network and is capable of independently communicating with other systems on the network. A host is accessed by a user working at a remote location. The computer that contains the data is the host and the computer at which the user is working is the terminal.

Host address - the address used by others on the network to communicate with a particular host

HTH - Host To Host (traffic)

HTML - hypertext markup language

HTTP - Hypertext Transfer Protocol - The protocol used by WWW servers and clients to exchange hypertext data.

Hypertext - associated with information on the World Wide Web. Any text that contains "links" to other documents. Specifically, words or phrases in one document that are user selectable and which cause another document to be retrieved and displayed. These "links" usually appear in a different color than the main text and are underlined.

IATA - International Air Transport Association

IBM SKMP - IBM secure-key management protocol

ICE - integrated cryptographic engine

ICMP (Internet Control Message Protocol) - An IP protocol used for monitoring and control of an IP network. [RFC 792]

ICSA - International Computer Security Association

ICV - Integrity Check Value

IDEA - International Data Encryption Algorithm - An algorithm designed by Lai and Massey in 1991. Patented internationally, offered by Ascom, a Swiss company. IDEA uses a 128-bit key and is considered strong.

Identification - determination of the plaintext value of a cipher element or code group.

Identity Certificate - a signed statement which binds a key to the name of an individual and has the intended meaning of delegating authority from that named individual to the public key.

IEEE - Institute of Electrical and Electronics Engineers

IEC - International Electrotechnical Commission

IGMP - Internet Group Management Protocol - The standard for IP multicasting used to establish host memberships in multicast groups on a single network. IGMP provides for a host to inform its local router that it wishes to receive transmissions addressed to a specific multicast group. The router then is able to determine which multicast traffic should be forwarded to each of its hosts. [RFC 1112]

IGP - interior gateway protocol - a protocol used to interconnect the members (hosts, clients, etc.) of an autonomous system or network.

IKE - the Internet Key Exchange protocol is planned to establish IPSec based virtual private networks on the Internet. When used together in the IKE hybrid protocol, a subset of the Oakley key exchange modes are used in the ISAKMP framework to negotiate and provide authenticated keying material for security associations in a protected manner [RFC 2409].

ILC - international commercial communications.

IMAP - Internet Message Access Protocol - protocol for retrieving e-mail messages from a mail server.

Index of Coincidence (IC) - the ratio of observed number of coincidences in a given body of text to the number of coincidences expected in a sample of random text of the same size.

Indicator - an element inserted within the text or heading of the message to serve as a guide to the selection of derivation and application of the correct system and key for the prompt decryption of the message.

In-line encryptor - a product that applies encryption automatically to all data passing along a data link.

Integrity - Knowing or having assurance that data is transmitted from source to destination without undetected alteration.

Internet Architecture Board (IAB) - oversees the development of Internet standards and protocols and acts as a liaison between the Internet Society (ISOC) and other standards bodies.

Internet Assigned Numbers Authority (IANA) - Located at the Information Sciences Institute at the University of Southern California in Marina del Rey, CA, the IANA oversees registration for various Internet Protocol parameters, such as port numbers, protocol and enterprise numbers, options, codes, and types.

Internet Engineering Steering Group (IESG) - operational management arm of the Internet Engineering Task Force (IETF)

Internet Engineering Task Force (IETF) - formed by the Internet Architecture Board, the IETF is an international, voluntary body of network designers, engineers, researchers, vendors, etc., who work together to resolve technical and operational problems on the Internet and develop Internet standards and protocols. The IETF meets three times a year; however, the bulk of the collaboration and work takes place on the various mailing lists maintained by its participants.

Internet Society (ISOC) - an international organization, founded in 1992, dedicated to the expansion, development and availability of the Internet.

InterNIC - Internet Network Information Center - under a cooperative agreement with the National Science Foundation (NSF), certain companies (called interNICs) administer second level domain name registration services in the top-level domains, e.g., com, net, mil, org. Some also provide information and education services. AT&T provides directory and database services.

Internet Stack Layers - Physical (copper wire, fiber optic cable), Network Access (ethernet, ATM), Internet Protocol (IP), Transport (TCP, UDP) and Application (HTTP, NNTP, POP, IMAP)

Information security - technical security measures that involve communications security, cryptography, and computer security.

Integrity - assurance that data is not modified (by unauthorized persons) during storage or transmittal.

Internet - The global set of networks interconnected using TCP/IP.

Internetwork switches - switches that connect multiple data networks; classified according to the OSI protocol level at which they operate. Bridges are internetworking devices operating at Level 2, the Data Link level. Routers operate at OSI level 3, the Network Level and gateways operate at any level above Level 3.

Interoperability - The condition achieved among communications-electronics systems or equipment when information or services can be exchanged directly and satisfactorily between them and their users.

Interval - a distance between two points or occurrences, especially between recurrent conditions or states. The number of units between a letter, digraph, code group, and the recurrence of the same letter, digraph, counting either the first or second occurrence of both.

Internet - The globally connected computer network using the Internet Protocol [RFC 760].

Intranet - a private network, usually within an organization, that uses the Internet protocols but is not directly connected to the global Internet.

IP - Internet Protocol - moves packets of data from node to node. Works above layer 3 (network) of the OSI reference model like an OSI layer 3 ½ [RFC 760].

IP address (numbers) - The standard way to identify a computer connected to the Internet. Each IP address consists of eight octets expressed as four numbers between 0 and 255, separated by periods, for example:

IPARS - International Program Airline Reservation System: IPARS code is used in airline communications.

IPPCP - Internet Protocol Payload Compression Protocol - a protocol to reduce the size of IP datagrams [RFC 2393]

IPSec - IP Security Protocols - The IPSec protocols provide for security of Internet Protocol (IP) communications where routing and relaying of data between network nodes are managed. Two protocols are described, AH and ESP. [RFC 2401]

IPX - Internet Packet Exchange - Novell's network-layer protocol for managing the routing and relaying of data between nodes.

IS - information systems

ISAKMP - The Internet Security Association and Key Management Protocol defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. ISAKMP is designed to support many different key exchange protocols, but does not establish session keys itself.

ISDN - Integrated Services Digital Network - supports transmission of voice, data, and image-based communications in an integrated form.

ISEC - Information Security Exploratory Committee - formed by the NSTAC

ISO - International Organization for Standardization - created the seven layer OSI structure for telecommunications

ISP - internet service provider - provides points of presence to give users dial-up access to the Internet

ISSB - Information Systems Security Board proposed by the NSTAC

IT - information technology

ITAR - International Traffic in Arms Regulations

JEIDA - Japan Electronic Industry Development Association

Kappa I.C. - in comparing two superimposed sequences of text, the ratio of the observed number of coincidences to that expected for random.

Kerberos - a trusted-third-party authentication protocol developed at MIT. [RFC 1510]

Key, keyword, key sequence - a sequence of symbols that, used with a cryptographic algorithm, enables encryption and decryption. The security of the cryptosystem is dependent on the security of the key.

Key distribution center (KDC) - a device that provides secret keys to allow pairs of hosts to encrypt traffic directly between themselves.

Key encrypting key (KEK) - a crypto key used to encrypt session or data keys, and never used to encrypt the data itself.

Key escrow - a mechanism for storing copies of crypto keys so that third parties can recover them if necessary to read information encrypted by others.

Key exchange - the process for getting session keys into the hands of the conversants.

Key length - the number of bits representing the key size. The longer the key, the stronger it is.

Key management - the overall process of generating and distributing cryptographic keys to authorized recipients in a secure manner.

Key Management Proxy - A node implementing a key management protocol on behalf of some other node

Key recovery - a mechanism for determining the key used to encrypt some data.

Key splitting - a process for dividing portions of a single key between multiple parties, none having the ability to reconstruct the whole key.

Keysize - number of bits in a key

Khufu - an algorithm from Xerox

Knapsack algorithm - the first generalized public-key encryption algorithm, developed by Ralph Merkle and Martin Hellman

L2TP - Layer Two Tunneling Protocol - facilitates the tunneling of PPP packets across an intervening network in a way that is as transparent as possible to both end-users and applications [draft-ietf-pppext-l2tp-15.txt].

LAN - local area network

LATA - Local access and transport area.

Label set - the combination of Roles-Based Label values associated with specific data that is used to describe authorized roles with access to the data.

Layer - usually referring to one of the OSI basic reference model levels.

LDAP - Lightweight Directory Access Protocol - a protocol targeted at simple management applications and browser applications that provide read/write interactive access to the X.500 Directory [RFC 1487].

Least privilege - a feature of a system in which operations are granted the fewest permissions possible in order to perform their tasks.

LEC - local exchange carriers

LFSR - linear feedback shift register.

Lightweight crypto - a set of crypto capabilities that is as strong as possible but still sufficiently weak to qualify for favorable treatment under U.S. export regulations.

Link - the existence of communications facilities between two points.

Link (hardware) encryption - performed through a series of switches (nodes) before the data reaches its destination, an encryption device is needed at each node, the source and destination are kept secret, the header need not be in clear text, the encryption devices are transparent to the data on the line and the data does not affect the processors at each end.

Local Area Network (LAN) - a network that consists of a single type of data link and can reside entirely within a physically protected area.

Low risk application - computer applications that, if penetrated or disrupted, would not cause a serious loss for an enterprise.

LSB - Least Significant Bit

Lucifer - an IBM developed, private key encryption system

MAA - Message Authenticator Algorithm - an ISO standard that produces a 32-bit hash, designed for IBM mainframes.

MAC - Media Access Control - The lower sub-layer of Layer 2 of the OSI model, the data link layer. MAC enables forwarding of packets or switching based on MAC addresses of the nodes connected to a shared network.

MAC - Message Authentication Code - key-dependent one-way hash function, requiring the use of the identical key to verify the hash.

MD2 - Message Digest 2

MD4 - Message Digest 4

MD5 - Message Digest 5 [RFC 1321].

Man-in-the-Middle (MIM) - an attack against a public key exchange in which the attacker substitutes his own public key for the requested public key; also called a bucket brigade attack.

Mandatory protection - a security mechanism in a computer that unconditionally blocks particular types of activities. For example, most multi-user systems have a "user mode" that unconditionally blocks users from directly accessing shared peripherals. In networking applications, some vendors use mandatory protection to prevent attacks on Internet servers from penetrating other portions of the host system.

Masquerade - an attack in which an entity takes on the identity of a different entity without authorization

MATIP - Mapping of Airline Traffic over Internet Protocol or Mapping of airline reservation, ticketing and message traffic over IP.

MBONE - The Internet Multicast Backbone - an interconnected set of subnetworks and routers that support the delivery of IP multicast traffic

Medium-risk application - a computer application in which a disruption or other security problems could cause losses to the enterprise, some of which are an acceptable cost of doing business.

Message - information sent from one entity to another on the network. A single message may be divided into several packets for delivery to the destination and then reassembled by the receiving host.

Message digest - A number that is derived from a message. Change a single character in the message and the message will have a different message digest.

Message Security Protocol (MSP) - an e-mail crypto protocol developed as part of the Secure Data Network System and used in the Defense Message System.

MIB - Management Information Base - a database of objects that a network management system can monitor [RFC 1156]

MIC - Message Integrity Code - originally defined in PEM for authentication using MD2 or MD5. Micalc (message integrity calculation) is used in secure MIME implementations.

Middleware - software that connects applications that are ordinarily separate, for example from client to server, desktop to mainframe, or web server to database, etc.

MIME - multipurpose Internet mail extensions - lets one transfer non-textual data, e.g. graphics, etc.

MLS - multi-level security

MMB - Modular Multiplication-based Block - based on IDEA, Joan Daemen developed this 128-bit key/128-bit block size symmetric algorithm, not used because of its susceptibility to linear cryptanalysis.

Mode - one of several ways to apply a block cipher to a data stream; includes CBC, CFB, and OFB.

Modulus - in public key crypto, part of the public key.

Monoalphabeticity - a characteristic of encrypted text which indicates that it has been produced by means of a single cipher alphabet. The frequency distribution is characterized by troughs and peaks which are pronounced.

MOSS - MIME Object Security Service - defined in RFC 1848; facilitates encryption and signature services for MIME, including key management based on asymmetric techniques

MSB - Most Significant Bit

MSP - Message Security Protocol - the military equivalent of PEM; an X.400-compatible application level protocol for securing e-mail, developed by NSA in late 1980.

MTU - Message Transfer Unit

Multicast - In network terms, the transmission of IP datagrams to host members of a multicast group in various scattered subnetworks. The host members are identified by a single IP destination address. [RFC 1112]

Munition - anything that is useful in warfare. Cryptography systems are munitions according to U.S. law. This is the rationale behind export controls on crypto systems.

Name Server - a computer that has both the software and the data (zone files) needed to match domain names to IP addresses

Name Service - A service that provides individuals or organizations with domain name-to-IP address matching by maintaining and making available the hardware, software, and data needed to perform this function.

Nanoteq - an algorithm from South Africa

NAT - Network Address Translator - a router connecting two networks together; one network, designated as inside, is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside) [RFC 1631].

National Computer Security Center (NCSC) - a U.S. government organization that evaluates computing equipment for high-security applications.

National Institute of Standards and Technology (NIST) - an agency of the U.S. government that establishes national standards.

National Science Foundation (NSF) - An independent U.S. government agency that sponsors, funds, and fosters research and development in science and engineering. The NSF became involved in wide area networking in the mid 1980s and founded NSFNET, which connected academic and research institutions. NSFNET was later connected to the Advanced Research Projects Agency Network (ARPANET), and eventually developed into the network that we now refer to as the Internet. The NSF has gradually transitioned its role and responsibility in the Internet to the private sector, however it continues to be involved in a number of experimental networking efforts.

National Security Agency (NSA) - an agency of the U.S. government responsible for intercepting foreign communications for intelligence reasons and for developing crypto systems to protect U.S. government communications.

NetBEUI - NetBIOS extended user interface protocol introduced by IBM in 1985.

NetBIOS (Network Basic Input/Output) - Network programming interface allowing applications to communicate across a network.

Network - an organization of stations capable of intercommunication; a combination of circuits and terminals serviced by a single switching or processing center.

Network encryption - crypto services applied to information above the data link level but below the application software level. This allows crypto protections to use existing networking services and existing application software transparently.

Network protocol stack - a software package that provides general-purpose networking services to application software, independent of the particular type of data link being used.

NII - National Information Infrastructure

NIC (Network Information Center) - The organizational authority that administers the registration of domain names on the Internet. Also known as InterNIC in the USA.

NIST - National Institute for Standards and Technology (Dept. of Commerce)

NLSP - network layer security protocol

NNTP - Network News Transfer Protocol

Node - a point of concentrated communications; a central point of communications. Switching devices are often called nodes because they form the junctions between routes or trunks in a data network.

Nonce - a random value sent in a communications protocol exchange; often used to detect replay attacks.

Non-repudiation - A receiver knowing or having assurance that the sender of some data did in fact send the data even though the sender later may desire to deny ever having sent the data.

Normal frequency - the standard frequency of a textual unit or letter, as disclosed by a statistical study of a large volume of homogeneous text.

NSA - National Security Agency

NSP - network service provider

NSTAC - The President's National Security Telecommunications Advisory Committee

Oakley - a protocol by which two authenticated parties can agree on secure and secret keying material. The basic mechanism is the Diffie-Hellman key exchange algorithm. The OAKLEY protocol supports Perfect Forward Secrecy, compatibility with the ISAKMP protocol for managing security associations, user-defined abstract group structures for use with the Diffie-Hellman algorithm, key updates, and incorporation of keys distributed via out-of-band mechanisms.

Object - In programming, an item that can be identified, selected and moved or manipulated. An object can be a program, a picture, a chart, a shape or a software entity containing data and/or executables.

OC - Open Confirm (MATIP command)

OCSP - Online Certificate Status Protocol - a protocol useful in determining the current status of a digital certificate without requiring CRLs [RFC 2560]

ODN - Open Data Network

OEM - original equipment manufacturer.

OMG - Object Management Group - A global group of about 800 companies formed in 1989 to establish industry guidelines and detailed object management specifications to provide a common framework for application development.

One time pad - a Vernam cipher in which one bit of a new, purely random key is used for every bit of data being used.

One time password - a password that can only be used once; usually produced by special password-generating software or by a hardware token.

One way hash - a hash function for which it is extremely difficult to construct two blocks of data that yield exactly the same hash result. Ideally it should require a brute force search to find two data blocks that yield the same result.

Opaque - inaccessible because of encryption or fragmentation

Open Group - an international group of companies and organizations promoting open and accessible technology for the Internet and the enterprise.

Open System Interconnection (OSI) - a system capable of transparently operating in telecommunications environments of dissimilar computers.

Orange Book - the National Computer Security Center book entitled "Department of Defense Trusted Computer Systems Evaluation Criteria" that defines security requirements

OSI - open systems interconnection (interface). Usually refers to the International Standard Organization (ISO) seven layered protocol model for the exchange of information between open systems - a model for the connection of generalized data systems through communications networks. The seven layers are physical, data link, network, transport, session, presentation and application.

Output feedback - a block cipher mode in which the cipher is used to generate the key stream; also called autokey mode.

OWF - One Way Function - see one way hash

P1024B - SITA implementation of the ALC, the IBM airlines specific protocol. It uses 6-bit padded characters (IPARS) and IA/TA for physical addressing.

P1024C - SITA implementation of the UTS, the UNISYS terminal protocol. It uses 7-bit (ASCII) characters and RID/SID for physical addressing.

Packet - a sequence of data and control characters (binary digits) in a specified format that is switched/transferred as a whole.

Packet-Switching - the process of routing and transferring data by means of addressed packets so that a channel is occupied only during the transmission of the packet. No physical connection is necessary. The packets are routed throughout the network towards their destination where the entire message is reconstructed. Upon completion of the transmission, the channel is made available for the transmission of other traffic.

PAD - packet assembler/disassembler - a device that assembles character strings into packets that include routing information and later disassembles the packets.

PAP - Password Authentication Protocol - an authentication protocol that allows PPP peers to authenticate one another; it does not prevent unauthorized access but merely identifies the remote end.

Parse - collecting and organizing into components; for example, compilers parse source code so it can be translated into object code. Parsing consists of two activities, lexical analysis and semantic parsing. Lexical analysis divides strings into components and semantic parsing determines the meaning of the strings.

Passive attack - an attack in which data is observed but not modified. This is the type of attack performed by Peeping Tom.

Password, pass code - a sequence of characters or words that a subject submits to a system for purposes of authentication, validation, or verification.

Password sniffing - an attack in which someone examines data traffic that includes secret passwords in order to recover the passwords, presumably to use them later in masquerades.

PAX - PAX PDL - PAX Pattern Description Language (PDL) - a special purpose language for describing pattern matching criteria in policy-based networking devices such as QoS routers, switches, packet filters, traffic shapers, etc. PAX encourages modular and object-oriented design [draft-nossik-pax-pdl-00.txt].

PC - personal computer

PCMCIA card - a credit card size memory or PC card that meets the PC Card Standard developed jointly by the Personal Computer Memory Card International Association (PCMCIA) and the Japan Electronic Industry Development Association (JEIDA).

PCT - Private Communication Technology - Protocol developed by Microsoft and Visa for secure communications on the Internet.

PDL - Pattern Description Language - see PAX

Peeping Tom - an attacker whose attacks are based on examining network data traffic; such as password sniffing.

PEM - Privacy Enhanced Mail - a protocol to provide secure Internet mail [RFC 1421-1424], including services for encryption, authentication, message integrity, and key management; PEM uses X.509 certificates.

Pentagraph - a set of five letters.

Perimeter - the physical boundary between the inside and the outside. Security measures rely on being able to trust individuals within a perimeter, at least to some degree.

Periodic - characterized by cyclic attributes or usage.

PFS (Perfect Forward Secrecy) - Compromise of a single key will permit access only to data protected by that key. For PFS to exist the key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, that material must not be used to derive any more keys.

Phi test - a test applied to cipher text to determine whether it is monoalphabetic or not.

Physical Level - OSI Level 1 - functions to send the bit stream over a transmission medium.

Physical network address - a host address on a data link.

Physical star - (logical ring) - a ring in a star configuration with a multi-station access unit or media access unit (MAU) at the center of the star. Eliminates the single point failure feature of a ring because when a line breaks the internal circuitry of the MAU can loop the ring back on itself to bypass the break.

PKCS - Public-Key Cryptography Standards - set of standards for public key cryptography developed in cooperation with an informal consortium (Apple, DEC, Lotus, Microsoft, MIT, RSA and Sun) that includes algorithm specific and algorithm independent implementation standards [cf. RFC 2315]

Plain text - (clear text) the readable data or message before it is encrypted.

PMTU - Path Message Transfer Unit.

Point-of-presence - a telephone number that provides dial-up-access

Polyalphabetic Substitution - substitution cipher systems using multiple alphabets for cipher components.

Polygraph - two or more letters.

POP - Point Of Presence; Post Office Protocol

Port number - a number carried in internet transport protocols to identify which service or program is supposed to receive an incoming packet. Certain port numbers are permanently assigned to particular protocols by the IANA. For example, e-mail generally uses port 25 and Web services traditionally use port 80.

Post Office Protocol (POP) - an Internet protocol for retrieving e-mail from a server host.

PPP - Point-to-Point Protocol - A protocol that provides router-to-router and host-to-network connections over synchronous and asynchronous communications links [draft-ietf-pppext-pptp-10.txt].

Pretty Good Privacy (PGP) - an e-mail crypto protocol that used RSA and IDEA, implemented in a software package widely distributed on the Internet.

PRF - pseudo random function

Privacy enhanced mail - an e-mail crypto protocol published by the IETF and provided in some commercial products.

Private key - the privately held "secret" component of an integrated asymmetric key pair.

Probable word - a word assumed or known to be present in the underlying plain text of a cryptogram.

Protocol - the procedures that are used by two or more computer systems so they can communicate with each other.

Proxy - a facility that indirectly provides some service. Proxy crypto applies crypto services to network traffic without individual hosts having to support the services themselves. Firewall proxies provide access to Internet services that are on the other side of the firewall while controlling access to services in either direction.

Pseudorandom number generator (PRNG) - a procedure that generates a sequence of numerical values that appear random. Cryptographic PRNGs strive to generate sequences that are almost impossible to predict. Most PRNGs in commercial software are statistical PRNGs that strive to produce randomly distributed data with a sequence that may in fact be somewhat predictable.

Public key - a key used in public key crypto that belongs to an individual entity and is distributed publicly. Others can use the public key to encrypt data that only the key's owner can decrypt.

Public key algorithm - a cipher that uses a pair of keys, a public key and private key, for encryption and decryption; also called an asymmetric algorithm.

QoS - Quality of Service - term indicating the quality of a network; indicates a guaranteed throughput.

RA - Registration Authority - supports the functions of Certification Authorities. Some of the functions an RA may perform may include personal authentication, token distribution, certificate revocation reporting, etc.

RACE - Research and Development in Advanced Communication Technologies in Europe

RADIUS - Remote Authentication Dial-In User Service - an authenticating and authorizing [RFC 2138] system used by many ISPs. To gain access to the services of the ISP you must dial in to the ISP and enter your username and password. The ISP passes your information to a RADIUS server, which checks the username and password and then tells the network access server to grant or deny you access to the ISP system. A RADIUS server also can be used as an accounting server [RFC 2139]. Accounting information is passed between the network access server and the RADIUS server.

Random - in mathematics, pertaining to the chance variations from an expected norm.

Random number - a number with a value that cannot be predicted. Truly random numbers are often generated by physical events that are believed to occur randomly.

RARP - Reverse Address Resolution Protocol.

RC2 - Rivest Cipher 2

RC4 - Rivest Cipher 4, once a proprietary algorithm of RSA Data Security, Inc.

RC5 - Rivest Cipher 5

Record - In database terms, a record is one set of inputs to a set of fields. For example: Bob, Analyst, 555-5555 may be one record from the set of records consisting of all inputs to the database fields: first name, title, phone number. See file.

Red/black separation - a design concept for crypto systems that keeps the portions of the system that handle plaintext rigidly separate from portions that handle ciphertext. Portions that handle both are vigorously minimized and then very carefully implemented.

Registry - A registry delegates IP addresses and domain names and keeps a record of those addresses and the information associated with their delegation. Examples of regional IP registries include Reseaux IP Europeens (RIPE), Asian-Pacific Network Information Center (APNIC), and the American Registry for Internet Numbers (ARIN).

Repeating key - a key used cyclically.

Replay - an attack that attempts to trick the system by retransmitting a legitimate message.

Request For Comments (RFCs) - The official document series of the Internet Engineering Task Force (IETF) that discusses computing, computer communication, networking, Internet protocols, procedures, programs, and concepts.

Reseaux IP Europeens Network Coordination Center (RIPE NCC) - a collaborative group of approximately 400 organizations such as European Internet service providers. The RIPE NCC acts as a regional Internet Registry, providing the allocation of IP addresses to the European region.

Reusable password - a password that can be used over and over, as opposed to a one-time password. Most passwords used today are reusable passwords.

Rewrite - an attack that modifies an encrypted message's contents without decrypting it first.

RFC - Each Internet standards-related specification is published as part of the "Request for Comments" (RFC) document series, the official publication channel for Internet standards documents and other publications of the IESG, IAB, and Internet community. RFCs can be obtained from a number of Internet hosts using anonymous FTP, gopher, World Wide Web, and other Internet document-retrieval systems. See for example: Any RFC can be seen by replacing the number "2026" in this URL with the RFC number desired.

RFU - Reserved for Future Use

RID - Remote Identifier: ASCU identifier in P1024C protocol.

Ring - a networking configuration in which each workstation is connected to another adjacent workstation in a closed loop. It has the disadvantage of a single point of failure unless implemented as a physical star/logical ring.

RIP - routing information protocol - evolving dynamic routing protocol, c.f.

RIPE - RACE Integrity Primitives Evaluation - European Community program to support work in communications standards and technologies to support integrated broadband communication

RIPE-MD - an algorithm developed for the European Community's RIPE project, designed to resist known cryptanalytic attacks and produce a 128-bit hash value.

Risk - the likelihood that a vulnerability may be exploited or that a threat may become harmful.

Rivest - Ron Rivest.

RMON - remote monitoring - a computer network management protocol that allows a single workstation to gather distributed network information.

Role - the set of transactions a user is authorized to perform.

Root - The top of the Domain Name System (DNS) hierarchy. Examples: .com, .net, .mil

Root server - name servers that contain authoritative data for the very top of the Domain Name System (DNS) hierarchy. Technical specifications currently limit the number of root servers to 13, located in the U.S., the U.K., Sweden, and Japan.

Router - an internetworking switch operating at the OSI Level 3, the Network Layer.

Routing host - a host that routes IP packets between networks as well as provides other services.

RPK - Raike Public Key

RSA - RSA Data Security, Inc. - or referring to the principals: Ron Rivest, Adi Shamir, and Len Adleman; or to the algorithm they invented. The RSA algorithm is used in public-key cryptography and is based on the fact that it is easy to multiply two large prime numbers together, but hard to factor them out of the product.

RSADSI - RSA Data Security, Inc.

SA - security association

SAD - security association database - contains parameters that are associated with each active security association in an IPSec implementation. [sec 4.4.3, RFC 2401]

SAFE - Security and Freedom through Encryption - a congressional act to ease export controls on encryption products.

SAFER - a Cylink algorithm - Secure And Fast Encryption Routine - Non-proprietary block cipher 64-bit key encryption algorithm. Not patented, available license free. Developed by Massey, who developed IDEA.

SALT - a random string that is concatenated with passwords before being operated on by a one-way function; it helps prevent successful dictionary attacks.

SAP - Service Advertising Protocol - works at the network layer, OSI Layer 3, to accomplish internetwork routing.

SAP - Systems, Applications and Products in data processing.

SC - Session Close (MATIP command)

SCR - System and Communication Reference. (IATA document)

SCSI - Small Computer System Interface - a set of parallel interface standards developed by ANSI; used for attaching peripheral devices such as printers and drives to computers. SCSI interfaces provide for faster data transmission rates (up to 80 Mbytes per second) than standard serial and parallel ports. Because you can attach many devices to a single SCSI port, SCSI really is an input/output bus rather than a simple interface. Because there are many variants of SCSI, two SCSI interfaces may not be compatible.

SDMI - secure digital music initiative - development of tools to enable delivery of music while downloading as well as after downloading.

SDSI - Simple Distributed Security Infrastructure - a new PKI proposal from Ronald L. Rivest (MIT), and Butler Lampson (Microsoft). A means of defining groups and issuing group-membership, access-control lists and security policies. SDSI's design emphasizes linked local name spaces rather than a hierarchical global name space.

SEAL - Software-optimized Encryption Algorithm - A fast stream cipher for 32-bit machines designed by Rogaway and Coppersmith.

Second Level Domain - In the Domain Name System (DNS), the level of the hierarchy immediately underneath the top level domains. In a domain name, that portion of the domain name that appears immediately to the left of the top level domain. For example, the icsa in

Secret key - a crypto key that is used in a secret key (symmetric) algorithm. The secrecy of encrypted data depends solely on the secrecy of the secret key.

Secret key algorithm - a crypto algorithm that uses the same key to encrypt data and to decrypt data; also called a symmetric algorithm.

Secure - safe, protected, free from attack or damage.

Secure channel - a means of conveying information from one entity to another such that an adversary does not have the ability to reorder, delete, insert or read (SSL, IPSEC, whispering in someone's ear).

Security Association - The set of security information relating to a given network connection or set of connections. SAs contain all the information required for execution of various network security services such as the IP layer services of header authentication, payload encapsulation and transport or application layer services such as self-protection of negotiation traffic. [RFC 2401]

Security Association Bundle - SA Bundle - a sequence of SAs through which traffic must be processed to satisfy a security policy that is not achievable with a single SA.

Security services - authentication, privacy, confidentiality, integrity, non-repudiation, authorization, administration, audit, ...

Seed, random - a random data value used when generating a random sequence of data values with a PRNG.

SEPP - Secure Electronic Payment Protocol - Open specification for secure bank card transactions over the Internet. Developed by IBM, Netscape, GTE, Cybercash and MasterCard.

Sequence - an ordered arrangement of symbols (letters, digits, etc.) having continuity. The members of a component of a cipher alphabet; the symbols in a row, column, or diagonal of the cipher square in order; key letters or key figures in order.

Server - Computer, devices or processes that provide service to clients in a client/server architecture.

Sesame - Secure European System for Applications in a Multi-vendor environment - European research and development project that extended Kerberos by adding authorization and access services.

Session - a single communication transaction.

Session key - The secret (symmetric) key used to encrypt each set of data on a transaction basis. A different session key or set of session keys is used for each communication session.

SET - Secure Electronic Transaction - provides for secure credit card transactions over the Internet. Through the use of digital signatures, SET enables merchants to verify source authentication. SET provides a mechanism for credit card numbers to be transferred directly to the credit card issuer for verification and billing without allowing the merchant to see the number.

SGML - Standard Generalized Markup Language - a set of rules developed by the ISO in 1986 for organizing and tagging elements of a document. The tags can be interpreted to format document elements in different ways. HTML interprets tags according to SGML rules.

SGMP - Simple Gateway Monitoring Protocol - a simple application-layer protocol by which management information for a gateway may be inspected or altered by logically remote users [RFC 1028].

SHA - secure hash algorithm specified in the Secure Hash Standard, developed by the National Institute of Standards and Technology (NIST).

SHA-1 - 1994 revision to SHA which is considered more secure.

Shim - a software component inserted at a well-known interface between two other software components. For example, shim versions of IPSec are often implemented at the device driver interface, below the host's TCP/IP network protocol stack.

SID - station identifier - terminal identifier in P1024C protocol.

Simple Key Interchange Protocol (SKIP) - a protocol that establishes session keys to use with IPSec protocol headers. SKIP data is carried in packet headers and travels in every IPSec-protected packet.

Simple Mail Transfer Protocol (SMTP) - an Internet protocol for transmitting e-mail between e-mail servers [RFC 821].

SITA - Societe International de Telecommunications Aeronautiques

SKIP - simple key-management for Internet protocols, developed by Sun Microsystems, Inc.

Skipjack - The 80-bit key encryption algorithm contained in NSA's Clipper chip. The algorithm is classified; NSA will not release information on how it works.

Smart card - tamper-resistant hardware devices that store private keys & other sensitive information

SMDS - Switched Multi-megabit Data Service - a high-speed (1.544 Mbps and 45 Mbps), connectionless, packet-switched service.

SMI - Structure and Identification of Management Information for TCP/IP-based Internets - the common structures and identification scheme for the definition of management information used in managing TCP/IP-based Internets [RFC 1155].

S/MIME - a standard email protocol developed by RSA Data Security. It enables a secure email environment which authenticates the identity of the sender and receiver, verifies message integrity, and ensures privacy of the message contents and all attachments.

SMG - semantic message gateway

SMTP - Simple Mail Transfer Protocol - used to communicate management information between the network management stations and the agents in the network elements [RFC 1157].

SNA - System Network Architecture (IBM)

Snake oil - a derogatory term applied to a product whose developers describe it with misleading, inconsistent, or incorrect technical statements.

Sniffing - an attack that collects information from network messages by making copies of their contents. Password sniffing is the most widely publicized example.

SNF - sequence number field

SNMP - simple network management protocol

SO - Session Open (MATIP command)

SOCKS - a protocol that provides for firewall traversal for client-server applications [RFC 1928].

Sockets - the package of subroutines that provide access to TCP/IP on most systems

Software encryption - encryption accomplished by software operations.

Solution - (1) the process or result of solving a cryptogram or cryptosystems by cryptanalysis. A.k.a. Cracking. (2) The approach to solving a network connection or security problem.

SONET - synchronous optical network

SPD - Security Policy Database - specifies what services are to be offered to what datagrams in an IPSec implementation. [sec 4.4.1, RFC 2401]

SPI - Security Parameter Index - a field used to distinguish one security association from another terminating at the same destination and using the same IPSec protocol. The combination of a destination address, a security protocol, and an SPI uniquely identifies a security association (SA). [pp 21 and 47, RFC 2401]

Splitting - the process of dividing a crypto key into two separate keys so that an attacker cannot reconstruct the actual crypto key even if one of the split keys is intercepted.

SPSL - Security Policy Specification Language - a language designed to express security policies, security domains and the entities that manage the policies and domains. SPSL supports policies for packet filtering, IP Security (IPSec) and ISAKMP exchanges. [draft-ietf-ipsec-spsl-01.txt]

SQL - Structured Query Language - set of commands used to create, access, query, modify, and otherwise manage relational databases.

SSH - Site Security Handbook - A working group of the IETF has been working since 1994 to produce a pair of documents designed to educate the Internet community on security. The first document is a complete reworking of RFC 1244 targeted at system and network administrators and decision makers.

SSL - Secure Sockets Layer - Developed by Netscape to provide security and privacy over the Internet. Supports server and client authentication and maintains the security and integrity of the transmission channel.

SSO - Single Sign On - one log-on provides access to all resources of the network, LAN, WAN, etc.

SSSO - secure single sign on

SSPI - security support programming interface

SST - Secure Transaction Technology - a secure payment protocol developed by Microsoft and Visa as a companion to the PCT protocol.

Stream cipher - a cipher that operates on a continuous data stream instead of processing a block of data at a time.

String - A series of characters that do not mean anything in particular and that are manipulated as a group.

Strong crypto - crypto facilities that exceed the standards for lightweight or medium-strength crypto and therefore face significant restrictions under U.S. export rules.

STU-III - Secure Telephone Unit - NSA designed phone for secure voice and low-speed data communications for use by the U.S. Department of Defense and its contractors.

Sub-key splits - the multiple, separate components used in the generation of CONNECT: Conceal symmetric session keys.

Subroutines - a set of instructions, appearing within a computer program, for performing a specific task.

Substitution cipher - the characters of the plain text are substituted with other characters to form the cipher text.

Superencryption - a further encryption of the text of a cryptogram for increased security.

Symmetric algorithm - a crypto algorithm that uses the same crypto key for encrypting and decrypting; also called a secret key algorithm.

Symmetric key - same key used to encrypt and decrypt data.

Symmetric key encryption - process using one and only one key to perform both the encryption and decryption processes.

Synchronous transmission - the entire message is sent with control information surrounding the text portion of the transmission.

TA - Terminal Address: Terminal identifier in P1024B protocol.

T1 - a digital communications line which has a capacity of 1.544 megabits per second (Mbps)

T3 - a digital communications line having a capacity of 44.736 Mbps.

TCP - Transmission Control Protocol - verifies correct delivery of data from client to server; uses virtual circuit routing. Occupies layer 4 (transport) of the OSI reference model. Electronic mail uses TCP as its transmission control.

TCP/IP - transmission control protocol/Internet protocol

TDM - time division multiplexing

TDMA - time division multiple access

TELNET - virtual terminal protocol that enables remote log-ons to computers across a network.

Text - part of the message containing the basic information which the originator desires to be communicated.

Throughput - data transfer rate in bps, Kbps, Mbps, ...

Timestamping - recording the time of creation or existence of information.

TLS - Transport Layer Security, a software based security protocol based on minor changes to Netscape's secure sockets layer version 3.0. Provides data source authentication, data integrity and confidentiality. Submitted to the IETF for change control in 1996. [RFC 2246]

TLSP - transport layer security protocol (ISO 10736, draft international standard)

Token - a single element of a programming language, as used in parsing. A password as used in token authentication. A data item as used in token e-mail. A data structure as used in token rings.

Token, authentication - a hardware device that generates a one-time password to authenticate its owner; also sometimes applied to software programs that generate one-time passwords.

Token, e-mail - a data item in the header of an encrypted e-mail message that holds an encrypted copy of the secret key used to encrypt the message; usually encrypted with the recipient's public key so that only the recipient can decrypt it.

Token ring - networking using token-passing on a ring configuration.

Token-passing - a deterministic access method that allows only one station at a time the right to access the network. A special data structure, called a token, passes from station to station in sequence. A station that has data to transmit grabs the token and changes a bit, making the token into a packet header. When the data is received, the altered token is placed back on the ring as an acknowledgment from the intended recipient that the data was received without error. The transmitting station then generates a new token and passes it to the next station on the network.

Top Level Domain (TLD) - In the Domain Name System (DNS), the highest level of the hierarchy after the root. For example, the com in

Traffic, traffic analysis - branch of cryptology which deals with the external characteristics of signal communications and related materials for the purpose of obtaining information concerning the organization and operation of a communication system.

Traffic flow confidentiality - concealing the existence of the traffic flowing through a connection.

Transmission Control Protocol (TCP) - the Internet protocol that provides a reliable connection between a server and a client.

Transparency - allowing an application to perform on a circuit/connection without impacting on the usual operations or the operators of the circuit.

Transport - to carry from one place to another, especially over long distances.

Transport Mode - In IPSec protocols, transport mode generally refers to security associations between hosts. Security protection is extended to only selected portions of the association. [p9, RFC 2401]

Transposition cipher - the plain text remains the same but the order of the characters is transposed.

Triple DES (3DES) - an encryption configuration in which the DES algorithm is used three times with three different keys.

Trojan horse - a program with secret functions that surreptitiously access information without the operator's knowledge, usually to circumvent security protections.

Trust - a firm belief or confidence in the honesty, integrity, justice, reliability, etc., of a person, company, etc.

TTL - Time To Live; e.g., lifetime in seconds or number of transmissions of a packet.

TTP (Trusted Third Party) - a responsible party which all participants involved agree upon in advance, to provide a service or function, such as certification by binding a public key to an entity, time-stamping, or key-escrow.

Tunnel - a secure virtual connection through the Internet or an intranet.

Tunnel Mode - In IPSec, tunnel mode generally refers to a security association in which an "outer" IP header specifies the IPSec processing destination while an "inner" IP header specifies the ultimate destination of the packet. In IPSec protocols, tunnel mode is required for gateway to gateway security associations unless one gateway is acting as a host, then transport mode is allowed. [p 9, RFC 2401]

TYPE A Traffic - Interactive traffic or host to host

TYPE B Traffic - Messaging traffic in IATA compliant format with high level of reliability

UDP - User Datagram Protocol - defined to make available a datagram mode of packet-switched computer communication in the environment of an interconnected set of computer networks [RFC 768]. This protocol assumes that the Internet Protocol (IP) [RFC 760] is used as the underlying protocol.

Unicast - to transmit a packet to a single destination

UTS - Universal Terminal System by Unisys: (see P1024C)

Validation - a means to provide timeliness of authorization to use or manipulate information or resources.

VAN - value added network

Variant, variant system - a substitution system in which some or all of the plaintext letters may be represented by more than one cipher equivalent.

VC - Virtual Circuit - a network generated, end-to-end link sending packets in order.

VENONA - a U.S. military project to cryptanalyze Soviet one time pad ciphertext from the 1940s.

Verification - to authenticate, confirm or to establish accuracy.

Vernam cipher - a cipher developed for encrypting teletype traffic by computing the exclusive or of the data bits and the key bits.

Vigenere system, Vigenere square - cipher system attributed to Blaise de Vigenere (1523-1596) having the normal sequence at the top and regular permutations of the normal in successive rows for all 26 alphabets (in English).

Virtual Private Network (VPN) - a private network built atop a public network. Hosts within the private network use encryption to talk to other hosts. The encryption excludes hosts from outside the private network even if they are on the public network.

Virus - a small program that attaches itself to a legitimate program. When the legitimate program runs, the virus copies itself onto other legitimate programs in a form of reproduction.

VLSI - very large scale integration (circuits/chips)

VN - virtual network

W3C - World Wide Web Consortium - International consortium formed to develop open standards for the world wide web. The principal standards body for HTTP, HTML and XML.

WAKE - Word Auto Key Encryption - produces a stream of 32-bit words which can be XORed with a plain text stream to produce cipher text, invented by David Wheeler.

WAN - wide area network

Web of Trust - a distributed trust model used by PGP to validate the ownership of a public key where the level of trust is cumulative based on the individual's knowledge of the ‘introducers’.

Weight - a value assigned to units of text or key, used to evaluate results of certain cryptanalytic operations.

Wide area network (WAN) - a network that connects host computers and sites across a wide geographical area.

Word pattern - the characteristic arrangement of repeated letters in a word which tends to make it readily identifiable when enciphered monoalphabetically.

Word separator - a unit of one or more characters employed to indicate the space between words. It may be enciphered or in plain.

Work factor - the amount of work an attacker must perform to overcome security measures.

WWW - World Wide Web - an international information network using HTTP and HTML residing on Internet host computers.

Worm - a computer program that copies itself into other host computers across a network. In 1988 the Internet Worm infected several thousand hosts.

XML - eXtensible Markup Language - being developed by the W3C. XML supports links that point to multiple documents.

X.25 - recommendation of the CCITT (now ITU-T) that outlines procedures for switching data through a packet-switched network.

X.400 - ITU-T recommendation known as Message Handling System, one of two standard architectures used for providing email services and interconnecting proprietary email systems. The other is Simple Mail Transfer Protocol (SMTP).

X.500 - a specification of the directory services required to support X.400 e-mail.

X.509v3 - ITU-T digital certificate. The internationally recognized electronic document used to prove identity and public key ownership over a communication network. It contains the issuer's name, user's identifying information, and issuer's digital signature.

Xenocrypts, Xeno's - pertaining to language ciphers or cipher systems other than English.

xDSL - Digital subscriber line.

XOR - Exclusive-Or Operation - a mathematical bit operation to represent differences additive states.

Zone - The portion of the total domain name space stored on a particular name server.

Zone File - Zone files contain the information needed to match domain names to Internet Protocol (IP) addresses.

Various recognized sources (Menezes, Schneier, Smith, Stallings, Kahn, and the Internet) were used to obtain the definitions given here. ICSA Cryptography Product Consortium members contributed terms and explanations. Charles Breed of Pretty Good Privacy, Inc., now part of Network Associates, Inc., and Randy Nichols of COMSEC Solutions provided substantial input to the process. All sources available on the Internet are used liberally.