Information Security Glossary

This section commonly used information security and IT security terminology.

AES algorithm

AES (Advanced Encryption Standard) is a cryptographic algorithm. It is a symmetric algorithm (in other words it uses the same key for encryption and decryption). AES, originally called Rijndael, was selected through a public competition to be approved for protecting (encrypting) information for all industry and commerce by the US National Institute for Science and Technology (NIST). It has been subjected to considerable scrutiny by government scientists and academics to check that it has no obvious weaknesses, and is considered to be the strongest protection of its type currently available. Safe Soft Corporation software uses the AES in Cipher Block Chaining Mode with 128- and 256-bit key length.

Algorithm

A mathematical expression used to encrypt or decrypt information. When information is to be encrypted or decrypted by computer, a mathematical process is followed by which it is transformed into a form that is, for all practical intents and purposes, impossible for anyone to understand unless they have the key used in the transformation.

Asymmetric encryption

An algorithm that uses one key to encrypt information but requires a different (related) key to decrypt that information. This is also referred to as public key cryptography. Because the key used to encrypt information cannot decrypt it, something very useful can be done. You can make one of the two keys available to anyone - the public key. The other key you must keep to yourself. Provided people know your public key, anyone receiving information that decrypts with your public key knows that the information must have come from you. More than that, if you encrypt something with someone else's public key you can be certain that only they can access is, regardless of who else sees the encrypted information. These features have created the concepts of PKI and non-repudiation.

Authenticity

A piece of information has authenticity when it can be shown to come from the expected person or place, and when the content of the information appears, as far as is obvious, to be correct for the circumstances involved.

Blowfish

Blowfish is a fast encryption algorithm designed by Bruce Schneier. Bruce Schneier is well-know as a president of Counterpane Systems, a security consulting firm, and author of Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition (John Wiley & Sons, 1996).

The Blowfish encryption algorithm was specially designed to encrypt data on 32-bit microprocessor. It is significantly faster than DES and GOST when implemented on 32-bit microprocessors, such as the Pentium or Power PC.

The original Blowfish paper was presented at the First Fast Software Encryption workshop in Cambridge, UK (proceedings published by Springer-Verlag, Lecture Notes in Computer Science #809, 1994) and the April 1994 issue of Dr. Dobbs Journal. Blowfish--One Year Later appeared in the September 1995 issue of Dr. Dobb's Journal.

Safe Soft Corporation software uses the Blowfish in Cipher Block Chaining Mode with 128-, 256- and 448-bit key length.

Certificate

A certificate, in the PKI sense, is an electronic record that contains information about the person, organization or device that owns it and about the authority that issued it. Its main use is to certify the owner/controller of a public key. All public keys have certificate information attached to them. The sort of information a certificate can contain is an e-mail address, an identifier of the controller (maybe their name, home or work address), information about the cryptography being used, how long the certificate is valid for and the source of any information if the certificate is cancelled. Certificates may be issued by their owners (self-signed), the organization they belong to, or they may be issued by other organizations. See also trusted authorities.

Certificate chain

The links between a certificate and the original source of its authenticity. This corresponds to the 'trust hierarchy' by which each link in the chain gains its authority to make statements about the identity to which a certificate refers. (The government says what are tax offices, the tax offices say who tax inspectors are, and so on.) As a result, it is possible to see the links between all the organizations involved in vouching for the authority of the final certificate holder. Usually a certificate chain links the certificate you have been presented with to a root certificate. See also root certificate, trusted authorities.

Confidentiality/privacy

These are two different, but interlinked topics. Confidentiality is the ability to protect information such that only people authorized are able to use it. Privacy is the right to control (usually to limit or forbid) the use of information. Privacy may use confidentiality measures in order to achieve that control. Sometimes this is related to digital rights management when information is computerized. Digital rights management allows the provider of information do decide what the recipient can and cannot do with that information (usually for a price).

Cryptography

Literally, the word means the art of secret writing. It means the conversion of writing into a form that cannot be understood without specific knowledge. (Cryptography started long before computers, with the ancient Egyptians. Computers have simply helped to automate the processes.) Cryptography is not the only method you can use to communicate information secretly. Steganography is a technique for hiding information inside other information (a picture with a person wearing a hat has one meaning, and the same picture with the person not wearing a hat has a different meaning).

Digital signature

Unlike the handwritten signature, which does not change very much over time, the digital signature is unique to every document that is signed. The digital signature makes use of the fact that, using an algorithm, it is possible to calculate a unique numeric value for any given document. This value can be encrypted using an asymmetric algorithm presenting a private key, and adding a public key certificate. This collection of items is the 'digital signature'. Quite a bit more complicated that a handwritten one. However, unlike the handwritten signature, anyone can, using the public key and its associated certificate, decrypt the unique value. Also, they can calculate that value for themselves by using the same algorithm. If the two values are equal they can be certain of two things. That the owner/controller of the private key 'signed' the document and that the document has not been altered or forged. In its way, then, the digital signature is much more powerful than the handwritten signature because it can prevent any change to a document after it has been digitally signed.

DES, Triple DES (3DES)

USA Data Encryption standard (FIPS 46). Operates on 64-bit blocks by successively modifying half of the bits with a function of the other half.

• DES encrypts one block in 16 rounds.
• DES uses 56-bit keys.

Triple DES or 3DES is three - pass DES modification.

Safe Soft Corporation software uses the 3DES in Cipher Block Chaining Mode with 168-bit key length.

Decryption

This is the reversing of encryption, where a piece of information that has been encrypted (ciphertext) is converted back into plaintext. See also encryption, cryptography.

Encryption

The process of protecting information by making it impossible for anyone who is not authorized to read that information in a useable form. Encryption is done on a computer by transforming the information to be encrypted (plaintext) using a key and producing ciphertext. If a suitable algorithm and key have been used, the ciphertext is, for all practical purposes, impossible to use in any way at all unless it is first decrypted. See also decryption, algorithm, cryptography.

El Gamal Algorithm

A popular asymmetric encryption algorithm invented by Taher El Gamal in 1985. Named after its author and based on discrete logarithms, El Gamal is used for encryption and digital signatures.

Safe Soft Corporation software uses the El Gamal Algorithm with 2048- and 4096-bit key length.

FIPS (Federal Information Processing Standard)

The National Institute for Science and Technology of the USA publish standards for Federal organizations. These are also generally used by US businesses. They are not standards in the same way as British Standards Institute (BSI) or American National Standards Institute (ANSI), but nevertheless have a considerable influence on industry and commerce as well as government. Many of the standard published deal with aspects of computer security, including the use of algorithms and cryptography.

Hashing / hash algorithm

This is a mathematical process, similar in many respects to encryption and sometimes referred to as one-way encryption. Information (some text, a web page, a file) can be processed by the algorithm. Some algorithms also require a key, just like encryption. The algorithm processes the information and calculates a number that is unique to the original information. According to the standards it should be 'collision free' - that is that no two pieces of information should ever produce the same value. Hashing is useful, because once a value has been calculated it is impossible to alter the information without detection since hashing the altered file cannot produce the original calculated value.

Integrity

A piece of information has integrity when you can show that it has not been altered (either by accident or as a result of hacking) without you being aware of the fact.

Interoperability

Generally, the ability to understand the form and format of information received and to be able to respond to that information in the manner expected by the sender. For instance, devices that can plug into and use correctly the cigarette lighter socket in a car can be said to be interoperable with the cigarette lighter.

Key length / strength

The key length for an algorithm is the number of bits (binary digits) that the key value occupies. With computerised algorithms it is often considered to be a measure of the strength of the algorithm (the more bits the better). Generally speaking, for implementations of internationally recognized algorithms this is the case.

Password

In computer systems this is a series of characters that are entered secretly (they are not displayed) in order to prove the identity of a specific user. Passwords are important because they are often used in cryptographic systems as a key that gives access to private keys. As a result, a password should never be shown or given to anyone else, even if they seem to have a reason to need the password. Passwords are normally chosen by the user, and there may be rules about how passwords are chosen. These may include specification about the use of letters, numbers, 'special' characters such as ()+= and so on. They may also forbid re-use within a particular timeframe. Generally passwords are recommended to be longer than six characters, should not be common words or readily identifiable to their user, should contain special characters and should not contain repeating or consecutive characters.

Passphrase

An alternative to the password, the passphrase is usually longer. The advantages of a passphrase over a password are that, because it is longer, it cannot be readily guessed by watching the user over their shoulder whilst they type, and dictionary attacks are of little use since the length and content of the passphrase is very hard to predict. As a result, passphrases do not have to be changed as often as passwords. The disadvantages are that they are long and take time to enter, few systems really cater for them, and the user must be a good typist or they will spend all day trying to get the passphrase right.

Private key

This is one of the two keys used in 'public key cryptography', also referred to as asymmetric cryptography. They are called public and private because for the system to work, one of the related keys must be kept private - it must not be disclosed to anyone other than its controller, whilst the other key must be made public - that is must be available to anyone that needs to contact the owner/controller of the matching private key or needs to check a digital signature that appears to come from them.

Protected

Throughout ArticSoft products, the term protected is used to mean that information cannot be accessed (used) if it has been protected, unless the user has the necessary authority. Protection is applied using cryptography. When information is protected it is encrypted. The cryptographic key needed to remove that protection is made available to authorized users. Once it is in their keystore, they will be able to access (view) that protected information. See also cryptography.

Public key

See private key.

Public Key Infrastructure (PKI)

This is a concept where it is theoretically possible to obtain the public key of any person that you wish to communicate securely with over a public communications network such as the Internet, and where it is possible to verify the accuracy of the information being presented by anyone offering a 'public key certificate' as a means of proving their identity. A number of problems wait to be resolved before such an infrastructure becomes generally available and generally respected. At the time of writing it is possible to verify the identity of a number of organizations, and it is expected that over time it will be possible to extend this to include people as well as organizations.

Signing

Unlike a handwritten signature, which is written onto, and thus becomes part of the document to which it relates, signing electronic information is rather different. To sign a piece of information, a hash of the information is created using a hashing algorithm. The hash is then encrypted using the private key for an asymmetric algorithm. The public key certificate for the private key is appended to the encrypted hash value. These correspond to the signature on the information.

Symmetric algorithm

This is an encryption algorithm where the same key is used for both encryption and decryption (unlike asymmetric where different keys are used). The key used in a symmetric algorithm is often called a secret key because it has to be kept secret by all users of the system, unlike a public key that has to be made available to everyone.

Virtual drive

Virtual drive is a virtual device created and managed by the Able Disk driver. Virtual drives are used to access the encrypted data and files stored in containers.