Apache
Apache is a freely available Unix based web server. It is currently the most commonly used server on Internet connected sites. Its genesis was in early 1995 when developers of some high visibility web sites decided to pool their patches and enhancements to the NCSA/1.3 server to create A patchy server. The project has since gained considerable momentum.
Asymmetric Cryptography
A synonym for public key cryptography
Ben Laurie
One of the Apache developers and the person responsible for the original extensions to provide https capability for Apache. These extensions use SSLeay and are distributed independently of the Apache server from sites outside of North America and so fall outside of the US Government's export regulations, and the US RSA patent.
Block Cipher
An encryption scheme in which the data is divided into fixed-size blocks (often 64 bits), each of which is encrypted independently of the others. Complete independence of blocks is cryptographically undesirable, so usually a block cipher will be used in a chaining or feedback mode in which the output from one block affects the way the next is encrypted.
CAST
CAST is a symmetric key block cipher.
Certificate
A token which underpins the principle of trust in SSL-encrypted transactions. The information within a certificate includes the issuer (the Certificate Authority that issued the certificate), the organisation that owns the certificate, public key, the validity period (usually one year) of the certificate, and the hostname that the certificate was issued in respect of. It is digitally signed by the certification authority so that none of the details can be changed without invalidating the signature.
Certification Authority
A third party organisation which is used to confirm the relationship between a party to the https transaction and that party's public key. Certification authorities may be widely known and trusted institutions for internet based transactions, though where https is used on companies' internal networks, an internal department within the company may fulfill this role.
Cipher
Any encryption algorithm. Ciphers can be classified according to whether they are symmetric or public key algorithms, and by whether they operate on their data as a stream or divided into blocks.
Client-side certificate
SSL has an optional feature which allows the client (for example the browser and its user) to authenticate itself to the server by means of a certificate. Some servers will disallow connections unless they are authenticated in this way.
Common Name
A field of an X.509 certificate used for matching against the domain name when validating the certificate.
C2Net
C2Net is the vendor of the Stronghold server. Stronghold is based on Apache and includes Eric Young's SSL implementation. Crucially, the vendors have obtained a commercial RSAREF licence, to enable use of the server in North America without patent infringement, and have had the server accredited by Verisign. The Stronghold server is able to provide strong encryption, including Triple DES and 128-bit key RC4, to companies worldwide because the relevant code was not developed in the US and is not constrained by US export regulations.
C2Net also markets Safe Passage to provide unencumbered 128-bit cryptographic capability for the Netscape and Microsoft browsers and were sponsors of the 1995 Hack Netscape competition, which, amongst other things, helped flesh out the misgivings people had about encryption using 40-bit key lengths.
DES (Data Encryption Standard)
A symmetric key block cipher algorithm developed by IBM and adopted as a standard in the US in 1975.
Digital signature
A use of public key cryptography to authenticate a message. The private key is used, showing that the signature must have been made by the owner of that key. A secure hash of the entire document is signed, so that any change to the document will invalidate the signature.
DSA
The Digital Signature Algorithm mandated by the Federal Information Processing Standard FIPS 186. This is a public key system, but unlike RSA it can only be used for making signatures.
Eric Young
The original developer of SSLeay. Eric is Australian and his work is not encumbered by US export regulations.
http
The Hyper Text Transfer Protocol is the protocol used between a Web browser and a server to request a document and transfer its contents. The specification is maintained and developed by the World Wide Web Consortium.
https
https is ordinary http exchanged over an SSL encrypted session.
IDEA
A symmetric key block cipher algorithm developed by Xuejia Lai and James Massey in 1991.
MD2
A secure hash, or message digest, algorithm developed by Ron Rivest.
MD5
A secure hash, or message digest, algorithm developed by Ron Rivest.
Microsoft
Netscape
See www.netscape.com
OpenSSL
OpenSSL is the name now used for the SSL library originally known as SSLeay.
Private Key
The part of the key in a public key system which is kept secret and is used only by its owner. This is the key used for decrypting messages, and for making digital signatures.
Protocol
A protocol is an algorithm, or step by step procedure, carried out by more than one party. Examples are network protocols, in which the steps are intended to ensure reliable transmission of information, or cryptographic protocols, in which the aim is to maintain some form of security relationship between the parties.
Public Key
The part of the key in a public key system which is distributed widely, and is not kept secure. This is the key used for encryption (as opposed to decryption) or for verifying signatures. Compare private key.
Public Key Cryptography
A public key cipher is one in which the key used for encryption is different from the one used for decryption. Although the keys are related, it is not possible to calculate the decryption key from only the encryption key in any reasonable amount of computation time. In most practical systems, the public key system is used for encoding a session key which is used with a symmetric system to encode the actual data. RSA is an example of a public key algorithm.
RC2
A symmetric key block cipher, developed by RSA Data Security Inc, and now widely available.
RC4
A symmetric key stream cipher, developed by RSA Data Security Inc, and now widely available.
RSA
RSA is a public key cipher which can be used both for encrypting messages and making digital signatures. The letters stand for the names of the inventors: Rivest, Shamir and Adleman. The company RSA Data Security Inc. takes its name from this algorithm, and has acquired the rights to the patents which cover it.
RSAREF
RSAREF is an implementation of the RSA public key system, and associated utilities, produced by RSA Data Security Inc. It is licensed without fee for non-commercial use.
Safe Passage
A recently announced solution to the problem that "export" versions of the Microsoft & Netscape browsers are only capable of using 40-bit keys, and so cannot negotiate full strength sessions when connecting to servers capable of strong encryption. c2.net have made this functionality available as an http proxy.
Self-signed Certificate
It is possible for the owner of a certificate to sign it themselves instead of having a recognised certification authority do so. This is unlikely to be trusted by anyone wishing to use the certificate as proof of ownership of the corresponding public key. However, a signature by the owner is still useful, especially when the owner is a certification authority which must be trusted for independent reasons, as it restricts the possibilities for malicious or accidental changes to the details contained in the certificate.
Secret Key
Confusingly sometimes used to mean the private key of a public key system, and also sometimes used (in contrast to "public key") to refer to a symmetric key system.
Secure Hash
A process which reduces a message of arbitrary length to a fixed length fingerprint which is very unlikely to be the same for any other message. The word "secure" indicates that the algorithm has been chosen so that it is not possible to forge a message to have a given hash value, nor to create two similar messages with the same hash value.
Session Key
A key used for just one message or set of messages. In a typical system, a random session key is generated for use with a symmetric algorithm to encode the bulk of the data, and only the session key itself is communicated using public key encryption.
Server Signature
The string usually returned as part of servicing each http request that gives the name and version of the web server software being used.
SET
SET is a secure protocol designed by MasterCard and Visa to facilitate financial transactions over the Internet. Compared with SSL, it places more emphasis on validating both parties to the transaction, and uses trusted servers so that a merchant holds only transaction identifiers, not actual credit card numbers.
SHA (Secure Hash Algorithm)
A secure hash, or message digest algorithm adopted as a Federal Information Processing Standard.
shttp
The Secure Hypertext Transfer Protocol provides security at the document level rather than at the connection level as provided by SSL. This protocol is not widely used.
S/MIME
S/MIME is a standard for end-to-end encryption of email messages. The current version (version 3) is defined in RFC2632, RFC2633 and RFC2634.
SSL (Secure Socket Layer)
A protocol developed by Netscape for encrypted transmission over TCP/IP networks. It sets up a secure end-to-end link over which http or any other application protocol can operate. The most common application of SSL is https for SSL-encrypted http.
SSLeay
A freely available implementation of the SSL protocol and the cryptographic algorithms used by SSL, developed by Eric Young in Australia. It is naturally available worldwide without breaching United States export legislation, and has become a cornerstone for cryptography application developers wishing to avoid the implications of US export regulations. Usage within the United States has not been legally tested but is likely to be controversial because of the US patent on RSA. Eric Young has now withdrawn from the project and further development is continued under the name OpenSSL by a team of developers.
Stream Cipher
A stream cipher encrypts in small units, often a bit or a byte at a time, but unlike a basic block cipher the output corresponding to a given input will depend on where in the message it occurs. The simplest type of stream cipher uses a complicated function, which retains state, to generate a pseudo-random sequence which is then combined with the input using a simple operation such as bytewise addition.
Symmetric Cryptography
A symmetric cipher is one in which the same key is used for encryption and decryption. Therefore a secure method has to be found by which the sender and recipient can agree on the key. CAST, DES, IDEA, RC2 and RC4 are symmetric ciphers.
TLS
TLS, standing for Transport Layer Security, is the latest version of SSL. It is an enhancement of SSL version 3.0, and is a proposed Internet Standard (see RFC2246).
Thawte
Thawte is a South African company which acts as a certificate authority. On December 20, 1999, it was acquired by Verisign.
Triple DES
Each block is encrypted three times using DES, using at least two different keys. There are variants which differ in whether two or three keys are used, and whether some of the steps are in decryption mode. In SSL, three separate keys are used, and the middle step is a decryption.
Verisign
Verisign is the dominant certificate authority on the internet at the present time, though many of its certificates are signed as RSA Data Security. Early versions of Microsoft and Netscape browsers had RSA Data Security configured as the only trusted certificate authority, and this more or less mandated that people wishing to use certificates on the internet need to obtain them from Verisign, and use server software that had been accredited by Verisign. Current versions of the Microsoft & Netscape browsers have the facility for users to add new certificate authorities, and, as older versions of the browsers have been replaced, there has been an opportunity for new certificate authorities such as Thawte to emerge.
X.509
An International Telecommunication Union recommendation for the format of certificates.