Key Encryption and Security Related Terms and Concepts

Often, those new to Encryption and Security have a hard time understanding the language.  Here is a glossary of some key terms to get started on.

  • Advanced Encryption Standard (AES): Current NIST approved encryption algorithm. Documented in FIPS 197.
  • Authorization: Capabilities designed to determine if a user (or other computer) is authorized to access a resource. This field is closely related to identity management.
  • Card management Systems (CMS): Digital credential management solution based on card/tokens.
  • Digital Rights Management (DRM): Concept associated with application of access control technologies which can impose limitations on the use of digital content and devices, primarily for the use of content publishers and copyright holders. In practice, all DRM systems eventually become breakable.
  • Federated Single Sign On (FSSO): The extension of Single Sign On constructs across multiple enterprises, generally through the use of formal Internet standards such as the OASIS Security Assertion Markup Language (SAML).
  • FIPS 140-2: Certification standards for card/token cryptographic strength.
  • FIPS 197: Documents implementation of the Advanced Encryption Standard (AES)
  • FIPS 200: Minimum security requirements for federal systems
  • FIPS 201: Personal Identity Verification (PIV) of federal employees and contractors. An addendum includes an evaluation approved products list.
  • FIPS: Federal Information Processing Standards are NIST coordinated standards for IT including series on security. Designed for government agencies and government contractors. Many FIPS standards are modified versions of standards used by the wider community (ANSI, IEEE, ISO etc).
  • Firewall: Almost every enterprise guards access from the outside with devices that are meant to block some bad traffic. This device is never enough.
  • Hardware Security Module (HSM): A type of secure cryptoprocessor targeted at managing digital keys, accelerating cryptoprocesses in terms of digital signings, and for providing strong authentication to access critical keys for server applications. Can be installed directly to the server or in some cases plug-in cards. HSM solutions are critically important in managing large keylength keystores in ways that do not overload processors.
  • Identity and Access Management (IAM): Capabilities that serve to identify users and grant access to resources.
  • Internet Protocol Security (IPsec): Widely used protocol enabling VPNs and other security capabilities over the Internet.
  • Intrusion Detection and Prevention (IDP): Security devices that seek to detect when authorized accesses have occurred (detection) or block them (prevention).
  • NSA Suite A Cryptography: Systems that contain classified algorithms that will not be released.
  • NSA Suite B Cryptography: Systems established with cryptographic algorithms promulgated by NSA to provide an interoperable cryptographic base for systems. Built on Advanced Encryption Standard (AES), Elliptic Curve Cryptography, and secure has algorithms.
  • One Time Password (OTP): A password only valid for a single log-in. They cannot be memorized so they require additional technology to work. Generally use one of three standards. The proprietary RSA algorithm (not really a standard but is very widely deployed in SecureID tokens), the Open ANSI OTP standards, which most use, and the new open-standard OTP algorithm, designed to enable increased interoperability.
  • Personal Portable Security Devices (PPSD): The category that includes hardware tokens and usb devices as well as security smart cards.
  • Policy Management: Systems which help enforce enterprise policy generally by connecting to enterprise identity management and authorization systems and further adding ability for enterprise leadership to determine which resources can be accessed by which individuals or groups.
  • Public-Key Credentials (PKC): Certificate keys used as part of a PKI solution.
  • Public-Key Infrastructure (PKI): Describes the end to end implication of an asymmetric encryption capability where combinations of public and private keys are employed to enhance security.
  • Rule and Regulatory Compliance Management: Broad term meant to cover actions and policies and devices that help organizations comply with regulations (big examples are PCI, GLBA, SOX and HIPAA).
  • Secure Sockets Layer (SSL): Cryptographic protocol for use in web systems. SSL enabled the ecommerce revolution. It has been replaced by Transport Layer Security (TLS).
  • Security Assertion Markup Language (SAML): An XML-based standard for exchanging authentication and authorization data between security domains. Important in solving Single Sign On and Federated Single Sign On challenges.
  • Security Information Event Management (SIEM): Systems designed to turn raw security information into actionable presentations enabling further action. Involves correlation, visualization and usually command and control capabilities. SIEM is a category reported on by Gartner.
  • Single Sign On (SSO): Makes access to enterprise resources much easier for users.
  • Smartcards: At times referred to as a chip card or integrated circuit card (ICC). Pocket-sized cards which can hold data. Memory cards contain only data. Microprocessor cards contain volatile memory and microprocessor components.
  • Software Licensing and Authentication Tokens (SLAT): These are tokens that plug into a computer port (USB or serial) or are USB keys that authorize the use of software on a particular device.
  • Tokens: This is a broad category of devices used to ease authentication. eToken from Aladdin and SecureID from RSA are examples.
  • Transport Layer Security (TLS): Crytographic protocol that provides securityfrom webservers to webbrowsers. In use in web browsing, email, Instant Messaging and VOIP. TLS is an IETF standard.
  • Trusted Platform Module (TPM): Secure cryptoprocessor that can create and store cryptographic keys on hardware. The trusted computing group manages the requirements and standards for the trusted platform module used for encrypting data on many PCs, laptops and other devices (including games and set top boxes).
  • Two factor authentication: (2FA): A system where two different factors are used in conjunction with each other in order to authenticate to the enterprise. Might include password and a smartcard or password and a token or password and a fingerprint.
  • Type 1 Product: Device certified by the NSA for use in cryptographically securing classified government information.
  • Type 2 Product: Device certified by the NSA for use in cryptographically securing unclassified government information. Type 2 devices are subject to export control.
  • Type 3 Product: Device certified by the NSA for use in cryptographically securing unclassified information that is non-national security related. Algorithms include DES, Triple DES, AES.
  • Type 4 Product: Device which has been registered with NIST but is not a FIPS standard. It is not to be used to protect classified or sensitive unclassified information. Exportable.
  • Unified Threat Management (UTM): Includes multiple functions in one platform including including firewalls. They are growing in the small business market and soon will be in larger enterprises. They provide network, management and advanced security features.
  • User Provisioning: The end to end process and technology supporting the creation of user accounts and establishing their accesses.
  • Virtual Private Network (VPN): A communications system that leverages encryption to create a private encrypted tunnel where user authentication is assured.
  • Web Single Sign On (WSSO): Implementation of single sign on through a web page.

Extended Security Dictionary