|
Apache |
Apache is the
most popular web server on the internet today. Its origins
stem back to early 1995 when a group of developers pooled
their patches to the NCSA/1.3 server, and created "a patchy"
server. |
Asymmetric
Cryptography |
A synonym for
public key cryptography |
|
Ben Laurie |
One of the
Apache developers and the person responsible for the
extensions to provide https capability for Apache. These
extensions use OpenSSL (then known as SSLeay) and are
distributed independently of the Apache server from sites
outside of North America and so fall outside of the US
Government's ITAR regulations, and the US RSA patent. |
|
Block Cipher |
An encryption
algorithm in which the data is processed in fixed size blocks,
usually 64 bits or 128 bits at a time. |
|
Certificate |
A certificate
(also known as a Digital ID), is equivalent to an ID card, but
making use of the public key cryptographic system. Digital
certificates are issued by trusted third parties known as
certificate authorities such as Verisign (www.verisign.com) or
Thawte (www.thawte.com). The certification process used varies
from one CA to the other and the level of certification
required. Corporate registration papers, signatures by signing
officers, and proof of domain registration are examples of
documents used to generate a certificate for a company owned
web site.
Two parts of
the electronic certification process allow certificates to be
used in a practical fashion: 1) the certificate is signed by
the CA's private key. 2) The CA's public key is usually widely
known (e.g. often located in the browser when it is shipped).
The CA's public key allows the browser to verify that the CA
actually signed this certificate, and that the information
contained in the certificate is genuine. |
|
Server
Side
Certificate |
Server side
certificates are most commonly employed on secure web sites.
They are required here to allow the browser to know, without
doubt, that the web site responding to the request is the
desired web site, and not an impostor. This is done by hecking
that the host component of the URL requested by the user
matches the host name located within the certificate.
SSLv2, SSLv3,
and TLSv1 all support server side certificates. |
|
Client
Side
Certificate |
Client side
certificates are no different than server side certificates,
other than in how they are used. For example, on the web, a
server side certificate allows the browser to verify the web
server's identity. A client side certificate, on the other
hand, would allow the web server to verify the identify of the
user of the browser. The terminology is usually applied in
circumstances where a server side certificate is already being
used.
Client side
certificates are as yet not as popular, primarily due to the
heavy cost of administering these certificates. For example, a
bank wishing to use this technology would need to issue and
maintain certificates for ALL of its clients.
SSLv3 and
TLSv1 support client side certificates (i.e. certificates on
both sides of a connection at the same time).
|
|
Certificate
Authority |
An organization
that issues certificates. The trustworthiness of the
certificate authority is the foundation of secure electronic
commerce on the web. The most popular certificate authorities
today are Verisign (www.verisign.com) and Thawte
(www.thawte.com). (Thawte still operates their own site, but
was acquired by Verisign.) |
|
Cipher |
Any encryption
algorithm. Ciphers can be classified according to whether they
are symmetric or public key algorithms, and by whether they
are stream ciphers or block ciphers.
SecuritySpace's survey reports on the different ciphers used
by web servers it polls. The following terms are used when
describing ciphers found:
|
EXP |
The cipher
is suitable for export from the U.S. under ITAR
regulations. |
|
RC4 |
A symmetric
key key stream cipher, developed by RSA Data Security Inc.
and now widely available. |
|
RC2 |
A symmetric
key block cipher, developed by RSA Data Security Inc. and
now widely available. |
|
DES |
A symmetric
key block cipher algorithm developed by IBM and adopted as
a standard in the US in 1975. |
|
IDEA |
A symmetric
key block cipher algorithm developed by Xuejia Lai and
James Massey in 1991. |
|
CBC |
Cipher block
chaining. Block ciphers operate on blocks of data rather
than a data stream. Cipher block chaining is a feedback
mode in which the results from encrypting/decrypting one
block will affect the way the next block of data is
encrypted/decrypted. |
|
MD5 |
An alogrithm
created in 1991 by Ronald Rivest that is used to create
digital signatures. It is safer than the MD4 algorithm,
which has been broken. MD5 is a one-way hash function,
which can be used to compare a calculated message digest
against the message digest that is decrypted with a public
key, providing a means to ensure that messages aren't
tampered with. |
|
EXP-RC4-MD5 |
Export grade
40 bit RC4 encryption using an MD5 Mac and and an RSA key
exchange algorithm. |
|
EXP-RC2-CBC-MD5 |
Export grade
40 bit RC2 encryption using an MD5 Mac and and an RSA key
exchange algorithm. |
|
RC4-MD5 |
128 bit RC4
encryption using an MD5 Mac and an RSA key exchange
algorithm. |
|
DES-CBC-MD5 |
56 bit DES
encryption using an MD5 Mac and an RSA key exchange
algorithm. |
|
DES-CBC3-MD5 |
168 bit DES
(Triple DES) encryption using an MD5 Mac and an RSA key
exchange algorithm. |
|
RC2-CBC-MD5 |
128 bit RC2
encryption using an MD5 Mac and an RSA key exchange
algorithm. |
|
RC4-64-MD5 |
64 bit RC4
encryption using an MD5 Mac and an RSA key exchange
algorithm. |
|
IDEA-CBC-MD5 |
128 bit IDEA
encryption using an MD5 Mac and an RSA key exchange
algorithm. |
|
DES
(Data
Encryption
Standard) |
A symmetric key
block cipher algorithm developed by IBM and adopted as a
standard in the US in 1975. |
|
Digital
Signature |
A use of public
key cryptography to authenticate a message. The private key is
used, showing that the signature must have been made by the
owner of that key. A secure hash of the entire document is
signed, so that any change to the document will invalidate the
signature. |
|
Eric Young |
Developer of
SSLeay (now known as OpenSSL). Eric is Australian and his work
is not encumbered by ITAR. |
|
http |
The Hyper Text
Transfer Protocol is the protocol used between a Web browser
and a server to request a document and transfer its contents.
The specification is maintained and developed by the World
Wide Web Consortium. |
|
https |
https is
ordinary http exchanged over an SSL encrypted session.
|
|
IDEA |
A symmetric key
block cipher algorithm developed by Xuejia Lai and James
Massey in 1991.
|
|
ITAR |
The
International Traffic in Arms Regulations under US export
legislation, which amongst other things restrict the export of
cryptographic systems. |
|
MD2 |
A secure hash,
or message digest, algorithm developed by Ron Rivest.
|
|
MD5 |
A secure hash,
or message digest, algorithm developed by Ron Rivest.
|
|
OpenSSL |
Formerly known
as SSLeay, and open source implementation of SSL, supporting
the SSLv2, SSLv3 and TLSv1 protocols. |
|
Private Key |
The part of the
key in a public key system which is kept secret and is used
only by its owner. This is the key used for decrypting
messages, and for making digital signatures. |
|
Protocol |
A protocol is an
algorithm, or step by step procedure, carried out by more than
one party. Examples are network protocols, in which the steps
are intended to ensure reliable transmission of information,
or cryptographic protocols, in which the aim is to maintain
some form of security relationship between the parties. In
terms of secure web transactions, SET, SSLv2, SSLv3, and TLSv1
are examples of protocols. |
|
Public Key |
The part of the
key in a public key system which is distributed widely, and is
not kept secure. This is the key used for encryption (as
opposed to decryption) or for verifying signatures. Compare
private key |
|
Public
Key
Cryptography |
An algorithm for
securing information that involves two keys, a private key and
a public key. Information encrypted with one key can usually
only be decrypted with the other key. Typically, a sender of
information encrypts the data with the recipient's public key.
The recipient is then the only one who can decrypt the
information using their private key. |
|
RC2 |
A symmetric key
block cipher, developed by RSA Data Security Inc, and now
widely available. |
|
RC4 |
A symmetric key
stream cipher, developed by RSA Data Security Inc, and now
widely available. |
|
RSA |
RSA is a public
key cipher which can be used both for encrypting messages
and making digital signatures The letters stand for the
names of the inventors: Rivest, Shamir and Adleman. The
company RSA Data Security Inc. takes its name from this
algorithm, and has acquired the rights to the patents which
cover it. |
|
Safe Passage |
A solution to
the problem that "export" versions of the Microsoft & Netscape
browsers are only capable of using 40-bit keys, and so cannot
negotiate full strength sessions when connecting to servers
capable of strong encryption. UK Web have made this
functionality available as an http proxy. |
|
Self-signed
Certificate |
It is possible
for the owner of a certificate to sign it themselves instead
of having a recognized certificate authority do so. This is
unlikely to be trusted by anyone wishing to use the
certificate as proof of ownership of the corresponding public
key. This is often useful in a development environment where
there is no benefit to paying a certificate authority to issue
a certificate that the public will never see. |
|
Secret Key |
Confusingly
sometimes used to mean the private key of a public key system,
and also sometimes used (in contrast to "public key") to refer
to a symmetric key system. |
|
Server Signature |
The string
usually returned as part of servicing each http request that
gives the name and version of the web server software being
used. |
|
SET |
SET is a secure
protocol designed by MasterCard and Visa to facilitate
financial transactions over the Internet. Compared with SSL,
it places more emphasis on validating both parties to the
transaction. SET is still in development, and is not yet
widely available. |
SHA
(Secure
Hash Algorithm) |
A secure hash,
or message digest algorithm adopted as a Federal Information
Processing Standard. |
SSL
(Secure
Socket Layer) |
A protocol
developed by Netscape for encrypted transmission over TCP/IP
networks. It sets up a secure end-to-end link over which http
or any other application protocol can operate. The most common
application of SSL is https for ssl-encrypted http. |
|
SSLeay |
A freely
available implementation of the SSL protocol and the
cryptographic algorithms used by SSL, developed by Eric Young
in Australia. SSLeay is now known as OpenSSL. |
|
Stream Cipher |
A stream cipher
encrypts in small units, often a bit or a byte at a time, but
unlike a basic block cipher the output corresponding to a
given input will depend on where in the message it occurs. The
simplest type of stream cipher uses a complicated function,
which retains state, to generate a psuedo-random sequence
which is then combined with the input using a simple operation
such as bytewise addition. |
Symmetric
Cryptography |
A symmetric
cipher is one in which the same key is used for encryption and
decryption. Therefore a secure method has to be found by which
the sender and recipient can agree on the key. DES, IDEA, RC2
and RC4 are symmetric ciphers.
|
|
Thawte |
The second most
popular Certificate Authority on the internet, until it was
bought by Verisign. Certificates are still issued by Thawte
separately from those issued by Verisign.
|
TLS
(Transport
Layer Security) |
An open
standards based protocol, based on (but not compatible with)
SSLv3, used to support encrypted communications over TCP/IP
networks.
|
|
Triple DES |
Each block is
encrypted three times using DES, using at least two different
keys. There are variants which differ in whether two or three
keys are used, and whether some of the steps are in decryption
mode. In SSL, three separate keys are used, and the middle
step is a decryption.
|
|
Verisign |
The most popular
Certificate Authority on the internet. Their lead is due
primarily to the fact that early versions of Microsoft and
Netscape browsers would only recognize certificates as valid
if they were issued by Verisign (signed as RSA Data Security).
Verisign's biggest competitor was Thawte, until Verisign
bought Thawte. |
|
X.509 |
An International
Telecommunication Union recommendation for the format of
certificates.
|
|
|
|
|
VPN Technology Glossary of
Terms |
Copyright © 2000 - 2005 MANBIZ ISP.