Module 7: Public Key Infrastructure and Cryptographic Protocols

counter (CTR)

A block cipher mode of operation in which both the message sender and receiver access a counter, which computes a new value each time a ciphertext block is exchanged.

online CA

A certificate authority that is directly connected to a network.

offline CA

A certificate authority that is not directly connected to a network.

email digital certificate

A certificate that allows a user to digitally sign and encrypt mail messages.

root digital certificate

A certificate that is created and verified by a CA.

Certificate Revocation List (CRL)

A list of certificate serial numbers that have been revoked.

cipher suite

A named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with TLS and SSL.

stapling

A process for verifying the status of a certificate by sending queries at regular intervals to receive a signed time-stamped response.

key escrow

A process in which keys are managed by a third party, such as a trusted CA.

Online Certificate Status Protocol (OCSP)

A process that performs a real-time lookup of a certificate's status.

Secure Real-time Transport Protocol (SRTP)

A protocol for providing protection for Voice over IP (VoIP) communications.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A protocol for securing email messages.

Internet Protocol Security (IPsec)

A protocol suite for securing Internet Protocol (IP) communications.

self-signed

A signed digital certificate that does not depend upon any higher-level authority for authentication.

digital certificate

A technology used to associate a user's identity to a public key and that has been "digitally signed" by a trusted third party.

Certificate Signing Request (CSR)

A user request for a digital certificate.

Transport Layer Security (TLS)

A widespread cryptographic transport algorithm that replaces SSL.

Subject Alternative Name (SAN)

Also known as a Unified Communications Certificate (UCC), a certificate primarily used for Microsoft Exchange servers or unified communications.

tunnel mode

An IPsec mode that encrypts both the header and the data portion.

transport mode

An IPsec mode that encrypts only the data portion (payload) of each packet yet leaves the header unencrypted.

Authentication Header (AH)

An IPsec protocol that authenticates that packets received were sent from the source.

Encapsulating Security Payload (ESP)

An IPsec protocol that encrypts packets.

Canonical Encoding Rules (CER)

An X.509 encoding format.

Distinguished Encoding Rules (DER)

An X.509 encoding format.

Personal Information Exchange (PFX)

An X.509 file format that is the preferred file format for creating certificates to authenticate applications or websites.

Privacy Enhancement Mail (PEM)

An X.509 file format that uses DER encoding and can have multiple certificates.

SSL stripping

An attack that manipulates SSL functions by intercepting an HTTP connection.

Secure Sockets Layer (SSL)

An early and widespread cryptographic transport algorithm that is now considered obsolete.

Secure Shell (SSH)

An encrypted alternative to the Telnet protocol that is used to access remote computers.

registration authority

An entity that is responsible for verifying the credentials of the applicant for a digital certificate.

intermediate certificate authority (CA)

An entity that processes the CSR and verifies the authenticity of the user on behalf of a certificate authority (CA).

unauthentication mode of operation

An information service that provides a non-credentializing service such as confidentiality by a block cipher mode of operation.

authentication mode of operation

An information service that provides credentialing by a block cipher mode of operation.

Extended Validation (EV) certificate

Certificate that requires more extensive verification of the legitimacy of the business than does a domain validation digital certificate.

domain validation digital certificate

Certificate that verifies the identity of the entity that has control over the domain name.

code signing digital certificate

Certificate used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and that no unauthorized third party has altered it.

wildcard digital certificate

Certificate used to validate a main domain along with all subdomains.

machine/computer digital certificate

Certificate used to verify the identity of a device in a network transaction.

certificate attributes

Fields in an X.509 digital certificate that are used when parties negotiate a secure connection.

Hypertext Transport Protocol Secure (HTTPS)

HTTP sent over TLS (Transport Layer Security) or SSL (Secure Sockets Layer).

pinning

Hard-coding a digital certificate within a program that is using the certificate.

block cipher mode of operation

How block ciphers handle blocks of ciphertext by using a symmetric key block cipher algorithm to provide an information service.

certificate chaining

Linking several certificates together to establish trust between all the certificates involved.

key management

The administration by PKI of all the elements involved in digital certificates for digital certificate management of public keys and digital certificates.

expiration

The date of a digital certificate when it ceases to function.

user digital certificate

The endpoint of the certificate chain.

certificate authority (CA)

The entity that is responsible for digital certificates.

.P7B

The file extension for a Cryptographic Message Syntax Standard based on PKCS#7 that defines a generic syntax for defining digital signature and encryption.

.P12

The file extension for a Personal Information Exchange Syntax Standard based on PKCS#12 that defines the file format for storing and transporting a user's private keys with a public key certificate.

.cer

The file extension for an X.509 certificate that is stored in a binary file.

common name (CN)

The name of the device protected by the digital certificate.

trust model

The type of trust relationship that can exist between individuals or entities.

public key infrastructure (PKI)

The underlying infrastructure for the management of public keys used in digital certificates.

