

This glossary contains important terms used in key and policy management, encryption, and quantum cybersecurity. It is regularly updated with the latest terminology and usage. Your participation and feedback are most welcome. Please contact us to submit comments, new entries, or suggestions.

asymmetric encryption

Also called public key cryptography (or asymmetric cryptography). Asymmetric cryptography uses two keys. One key is called a public key and the other is called a private key. Asymmetric cryptography solves the secret key transport problem encountered during initial attempts to communicate securely using symmetric encryption.

Common Criteria EAL2

An ISO/IEC 15408 standard also known as Common Criteria for Information Technology Security Evaluation Assurance Level 2.


encryption

Encryption is the process of converting data, also known as plaintext, to another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. It is commonly used to protect sensitive information – this includes files and storage devices, as well as data transferred over wireless networks and the Internet. The information is transformed from plaintext into ciphertext through encryption and then transformed back from ciphertext to plaintext via decryption.


see enterprise key management

encryption key management

The management of cryptographic keys used for encryption. This includes generating, exchanging, protecting, storing, using and replacing encryption keys throughout their full life cycle. Encryption key management is one of the most complex problems of encryption and is critical to the security of a cryptosystem.

encryption key manager

A solution delivering encryption key management. Also called a cryptographic key management system (CKMS). Encryption key managers include policies, procedures, components and devices that are used to protect, manage and distribute cryptographic keys and associated information.

enterprise key management

Refers to encryption key managers that provide encryption keys across a variety of operating systems and databases centrally managed and globally implemented throughout the enterprise.


entropy

A measure of the randomness of data. High entropy corresponds to higher levels of randomness. Many parameters used in security are based on random data. The security strength of such cryptographic parameters depends on the actual entropy delivered by the underlying random number generator.

FIPS 140-2 Level 3

Federal Information Processing Standards PUB 140-2 – Security Requirements for Cryptographic Modules, fully described in: FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to critical cryptographic material held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext critical security parameters when the removable covers/doors of the cryptographic module are opened.

Hardware Security Module

A hardware security module (HSM) is a security device that serves as the server's root of trust and provides encryption capabilities by storing and using keys. HSMs can be added to a system to manage, generate, and securely store cryptographic keys. HSMs are high performance and can be external devices connected to a network. HSMs can also come in smaller expansion card form factors making it possible to embed the HSM within the key and policy manager for ease of HSM management, operation, and deployment. Unlike TPMs, HSMs are removable or external devices. HSMs typically use a FIPS 140-2 Level 3 validated cryptographic module.


HSM

See Hardware Security Module


ISO

International Organization for Standardization


IEC

International Electrotechnical Commission


interoperability

Two or more systems are interoperable if they have the ability to communicate, exchange data, and use the information that has been exchanged. Product vendors who implement open standards such as KMIP or PKCS#11 facilitate interoperability between themselves and competitors, ultimately giving the customer choice, flexibility, and the ability to continue to leverage prior CAPEX.

key management

see encryption key management

key management interoperability protocol

The Key Management Interoperability Protocol, governed by the OASIS standards body, is a protocol for communication between encryption systems and enterprise applications.


KMIP

Key Management Interoperability Protocol.


NIST

National Institute of Standards and Technology

NIST SP800-57 Part 1

This overall standard provides the NIST Recommendations for Key Management. NIST SP800-57 Part 1 provides guidance on cryptographic key management. In particular, it includes details on key management lifecycle requirements that encryption key management solutions should implement.

NIST SP800-90A

Recommendation for Deterministic Random Bit Generator Validation System (DRBGVS).

NIST SP800-90B

Recommendation for the Entropy Sources Used for Random Bit Generation.

NIST SP800-90C

Recommendation for Random Bit Generator (RBG) Constructions.


OASIS

Organization for the Advancement of Structured Information Standards. OASIS is a nonprofit consortium that drives the development, convergence and adoption of open standards for the global information society. The OASIS KMIP Technical Committee works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. Additional KMIP goals include removing redundant, incompatible key management processes, providing better data security while at the same time reducing expenditures on multiple products.

one-time pad

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. Using the OTP technique, a plaintext is paired with a random secret key (also referred to as a one-time pad) that is truly random and at least as long as the plaintext. Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be mathematically impossible to decrypt or break.


OTP

one-time pad.


PKCS #11

Public Key Cryptography Standards #11 Application Program Interface. The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key" - but "PKCS #11" is often used to refer to the API as well as the standard that defines it). The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

policy manager

The policy manager allows the administrator to define and manage usage and object policies.

pseudo random numbers

PRNs are numbers generated from pseudo random number generators (PRNGs). PRNGs expand a short random seed using deterministic mathematical algorithms. Poorly constructed pseudo random numbers have resulted in security breaches.


QKD

quantum key distribution

quantum key distribution

Quantum Key Distribution allows the information-theoretically secure distribution of keys between two spatially separate parties. There are several approaches to QKD, including discrete variable quantum key distribution (DVQKD) which uses single-photons or weak coherent states and single photon detectors; and continuous variable quantum key distribution (CVQKD), which uses coherent or squeezed states of light and homodyne detectors. Both continuous and discrete approaches have been experimentally demonstrated; just as importantly, both have been proven to be information-theoretically secure. QuintessenceLabs' 2nd generation quantum key distribution technology (qOptica) uses a continuous variable bright laser beam for key distribution, while leveraging commercial off-the-shelf (COTS) telecommunications components and existing fiber optic cables to offer a very cost competitive solution.

quantum cryptography

This refers to cryptosystems whose security is guaranteed by the physical laws of quantum mechanics. It differs from classical public-key cryptography, whose security relies on the difficulty of solving certain mathematical problems.


QRNG

Quantum Random Number Generator

quantum random number generator

QRNGs are true random number generators using quantum physics. QRNGs can be truly random. Many quantum random number generators are based on the detection of single photons and have relatively limited throughput.

quantum random numbers

Quantum random numbers are numbers generated by QRNGs.


Virtual machines (VMs) do not have a hardware based HSM or TPM. Therefore (raw) memory is the storage location specified for RSA encryption keys.


QuintessenceLabs’ key and policy management solutions include encryption key replication - based on a multi-master protocol using sharding. Sharding allows for the distribution of data over multiple machines, provides greater redundancy, better load balancing, and more functionality available during network partition events.


SDK

Software Development Kit


shard

A shard is a database instance running on an appliance or VM which stores part of the key management data.

Software Development Kit


symmetric encryption

Also called secret key encryption. Both the sender and receiver share a common secret key.


TPM

trusted platform module

Trusted Platform Module

A TPM is a hardware chip typically included on the key management server’s motherboard used to encrypt the keys. Keys protected by a TPM chip cannot be directly used on another system – they must be decrypted by a key which is locked inside the TPM chip. To preserve the secrecy of the key when exported, the key is exported as a pair of files. The first file is an encrypted blob and contains the key protected by an asymmetric key pair and then further encrypted using an OTP. The second file contains the OTP itself. Security conscious administrators can assign privileges to ensure no single account can download both the OTP and the encrypted blob – two administrators are required to take custody of an exported key, and the two files can be stored separately.


TRNG

true random number generator

true random number generator

TRNGs use random physical processes to generate numbers instead of the deterministic computational algorithms used by pseudo random number generators. True random numbers based on classical deterministic systems can be predicted if enough is known about the system, or if they can be influenced by actions such as temperature changes. High speed true random numbers generated using quantum physics, also known as quantum random number generators (QRNGs), are truly random.

true random numbers

TRNs are numbers derived from true random number generators (TRNGs).

usage policy

Usage policies specify the client groups that are allowed to perform various operations on an object.