Keyfactor Glossary
| Acronym | What Acronym Stands for | Keyfactor Platform | Definition |
|---|---|---|---|
| AD DS | Active Directory Domain Services | | Manages and stores information about users, computers, and other network resources in a Microsoft Active Directory environment. |
| AES | Advanced Encryption Standard | EJBCA | Symmetric algorithm used for encrypting electronic data. |
| AMI | Amazon Machine Image | EJBCA | A special type of virtual appliance used to create a virtual machine within the Amazon Elastic Compute Cloud (EC2). It serves as the basic unit of deployment for services delivered using EC2. |
| Asymmetric Cryptography | | | Also known as public-key cryptography; a process that uses a pair of related keys (one public key and one private key) to encrypt and decrypt a message and protect it from unauthorized access or use. |
| Authentication | | | The process or action of verifying the identity of a user or process. A digital signature provides proof of identity. |
| ACME | Automatic Certificate Management Environment | EJBCA | A protocol that a Certificate Authority (CA) and an applicant can use to automate the process of verification and certificate issuance. |
| BKSC | Backup Key Smart Card | | |
| CA | Certificate Authority | | A trusted entity that issues digital certificates, which are data files used to cryptographically link an entity with a public key. Certificate authorities are a critical part of the internet's public key infrastructure (PKI) because they issue the Secure Sockets Layer (SSL) certificates that web browsers use to authenticate content sent from web servers. |
| CDP | Certificate Distribution Point | | The purpose of the CRL is to list certificates that have not yet expired but have been revoked. The starting point for the CRL is the CRL Distribution Point (CDP), a field located in each certificate. The CDP is optional, but most well-run PKI installations include a CDP in each certificate. |
| XCEP | Certificate Enrollment Policy Protocol | | Enables users and computers to obtain certificate enrollment policy information. |
| CEP | Certificate Enrollment Policy Server | EJBCA | For MSAE: the Certificate Enrollment Policy Server (CEP) initially returns a set of Certificate Enrollment Policies that entitle the client to the corresponding certificates. The client then sends a request for those certificates, which is passed on to a server running Microsoft CA, which enrolls the client for the requested certificates. This process is fully transparent to the client, as are any subsequent certificate renewals. |
| CMP | Certificate Management Protocol | EJBCA | An Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC 4210 and is one of two protocols that use the Certificate Request Message Format (CRMF), described in RFC 4211. |
| CP | Certificate Policy | EJBCA | The purpose of the Certificate Policy document is to provide security guidance using a baseline set of security controls and practices to support the secure issuance of certificates. |
| CPS | Certificate Practice Statement | EJBCA | Works with the CP and answers the question: how are the policy statements in the CP enforced? For example, if the CP states "CA keys are stored in HW", the CPS should answer how they are stored in HW; the CPS would state specifics such as "The CA keys are stored in an HSM from manufacturer X to protect the CA keys". |
| CRL | Certificate Revocation List | | A list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. |
| CSR | Certificate Signing Request | | A data structure that contains information to be signed by a CA. Once the signing process has occurred, an X.509 certificate is returned. CSR files contain the public key along with further information that is used by the CA when a certificate is requested. |
| Cipher Text | | | Also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer. The original message has been encrypted, and without the "cipher" the text is unreadable. |
| CLI | Command Line Interface | | A text-based user interface (UI) used to view and manage computer files. |
| CN | Common Name | | An X.509 attribute that can be used to uniquely identify an end-entity (person, workstation, device, etc.). cn is one of many attributes that can be used standalone or in combination with other attributes such as C (country) and O (organization). |
| CDP | CRL Distribution Point | | A location on an LDAP directory server or web server where a CA publishes CRLs. The system downloads CRL information from the CDP at the interval specified in the CRL, at the interval that you specify during CRL configuration, and when you manually download the CRL. |
| COS | Custom Operating System | | |
| DES | Data Encryption Standard | | One of the first algorithms used in public key technology. It has now been superseded by more robust and secure algorithms. |
| Data Integrity | | | Ensures that data is intact and has not been tampered with, using a message digest or hash function. |
| Digital Signature | | | A type of electronic signature; a mathematical algorithm routinely used to validate the authenticity and integrity of a message (e.g., an email, a credit card transaction, or a digital document). Digital signatures create a virtual fingerprint that is unique to a person or entity and are used to identify users and protect information in digital messages or documents. |
| DSA | Digital Signature Algorithm | | A standard for digital signatures. It was introduced in 1991 by the National Institute of Standards and Technology (NIST) as a better method of creating digital signatures. Along with RSA, DSA is considered one of the most preferred digital signature algorithms used today. |
| DN Format | Distinguished Name Format | | A sequence of relative distinguished names (RDNs) connected by commas. For example, CN=Smith Bob, OU=Accounting, O=ABC, C=US or CN=Bob Smith, DC=Acme, DC=Com. |
| EC2 | Elastic Compute Cloud | | Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. Amazon EC2's simple web service interface allows you to obtain and configure capacity with minimal friction. It provides you with complete control of your computing resources and lets you run on Amazon's proven computing environment. Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change. Amazon EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use. Amazon EC2 provides developers the tools to build failure-resilient applications and isolate them from common failure scenarios. |
| eIDAS | Electronic IDentification, Authentication and trust Services | | A European Union regulation that establishes a framework for secure electronic transactions and digital identities across member states. |
| eMRTD | Electronic Machine Readable Travel Documents | | Advanced travel documents that include digital data as well as written data, for instance a passport. The digital data can be stored on a chip and may contain a photo as well as other information. |
| ECC | Elliptic-curve cryptography | EJBCA | An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. |
| EFS | Encrypted File System | | A feature of the Windows 2000 operating system that lets any file or folder be stored in encrypted form and decrypted only by an individual user and an authorized recovery agent. EFS is especially useful for mobile computer users, whose computer (and files) are subject to physical theft, and for storing highly sensitive data. |
| EEC | End Entity Certificate | | A digitally-signed statement issued by a Certificate Authority to a person or system. ... The term "end-entity" is used to distinguish it from a Certificate Authority certificate. The signer of the statement is the issuer, and the entity discussed in the certificate is the subject. |
| EST | Enrollment over Secure Transport | EJBCA | A standardized certificate enrollment protocol that describes an X.509 certificate management protocol. EJBCA supports the EST protocol as defined in RFC 7030. |
| EJBCA | Enterprise Java Beans Certificate Authority | | A free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company Keyfactor Solutions, which holds the copyright to most of the codebase. |
| EAL 4+ certified | Evaluation Assurance Level | | Indicates that a product has undergone independent, rigorous testing and evaluation to meet a specific level of security functionality and assurance. |
| EAC | Extended Access Control | EAC PKI | A security feature that enhances access control to sensitive data stored on electronic travel documents, like ePassports. |
| FIPS | Federal Information Processing Standard | | U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. |
| FQDN | Fully Qualified Domain Name | | A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). |
| gMSA | Group Managed Service Accounts | | A type of managed domain account in Active Directory designed to securely run services and applications, particularly in clustered or multi-server environments. |
| GPO | Group Policy Object | | A collection of settings that define how users and computers behave within a Windows network. GPOs are used to manage and configure various aspects of a system. |
| HSM | Hardware Security Module | SignServer, PKI Appliance | A physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. |
| IAM | Identity Access Management | | Process used in businesses and organizations to grant or deny employees and others authorization to secure systems. |
| JKS | Java Key Store | | A type of token: a server-side generated key pair, containing the public/private key pair and certificate, that is password protected. |
| JBoss | JavaBeans Open Source Software | | Java-based application web server developed by Red Hat. This is the paid version; WildFly is the open source version. |
| KDC | Key Distribution Center | | KDC, often associated with Kerberos, relies on a centralized, trusted authority to distribute session keys based on shared secrets. |
| Key Escrow | | | A method of storing important cryptographic keys. Each key stored in an escrow system is tied to the original user and subsequently encrypted for security purposes. Much like a valet or coat check, each key is stored in relation to the user that leverages it, and then returned once queried. By using key escrow, organizations can ensure that in the case of catastrophe, be it a security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe. |
| Key Usage | | | Defines the purpose of the public key contained in a certificate. You can use it to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing or verifying a signature, enable the digital signature and/or non-repudiation extensions. Other purposes include encryption, authentication, etc. |
| LDAP | Lightweight Directory Access Protocol | | A protocol used to query objects in a directory structure, such as those using the X.500 or LDAP standards. |
| MRTD | Machine-Readable Travel Document | SignServer | A machine-readable passport (MRP) is a machine-readable travel document (MRTD) with the data on the identity page encoded in optical character recognition format. Many countries began to issue machine-readable travel documents in the 1980s. |
| MSAE | Microsoft Auto-Enrollment | EJBCA | Auto-enrollment is the method with which Microsoft Windows servers and clients provision Active Directory (AD) certificates within a Microsoft domain. |
| MSCA | Microsoft Certificate Authority | | A Microsoft server role that acts as a trusted third party to issue and manage certificates. |
| MMC | Microsoft Management Console | | A GUI tool that allows management and configuration of various objects within the Microsoft environment. It has various "snap-ins" that allow the user to see objects in a graphical format. |
| NPKD | National Public Key Directory | | A secure database containing national and international digital certificates used for verifying the authenticity of electronic documents. It is a crucial component in systems such as e-passports. |
| NFS | Network File System | | A distributed file system protocol that allows a user on a client computer to access files over a computer network much like local storage is accessed. |
| NTP | Network Time Protocol | | A service that provides synchronization of the date/time collected from a reference point such as an atomic clock. |
| Non-Repudiation | | | Ensures that a participant in a transaction cannot deny having participated in the transaction, through the use of a digital signature. |
| OCSP | Online Certificate Status Protocol | EJBCA | An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. |
| OID | Object Identifier | | Defines one of many X.500 attributes that can be used within an X.509 certificate. An OID takes a form such as 1.2.3.4. OIDs are derived from the OID tree, managed by bodies such as ANSI and IANA. |
| OU | Organization Unit | | An X.509 attribute that can be used to uniquely identify an end-entity (person, workstation, device, etc.). ou is one of many attributes that can be used standalone or in combination with other attributes such as C (country) and O (organization). |
| PII | Personally Identifiable Information | | Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual. |
| IdAM | PrimeKey Identity Authority Manager | | A PKI Registration Authority that integrates directly into a smart manufacturing environment. IdAM enables you to establish and maintain an unbroken chain of trusted identities throughout the supply chain and the product lifecycle. |
| PEM | Privacy Enhanced Mail | | PEM is a Base64-encoded DER certificate. PEM certificates are frequently used for web servers, as they can easily be translated into readable data using a simple text editor. Generally, when a PEM-encoded file is opened in a text editor, it contains very distinct headers and footers. Below are some examples of different files in PEM format. |
| Private Key | | | Public and private keys form the basis for public key cryptography, also known as asymmetric cryptography. Together, they are used to encrypt and decrypt messages. ... If you encode a message using a person's public key, they can only decode it using their matching private key. The public and private key are generated at the same time, and will only work with one another. |
| Public Key | | | Public and private keys form the basis for public key cryptography, also known as asymmetric cryptography. Together, they are used to encrypt and decrypt messages. ... If you encode a message using a person's public key, they can only decode it using their matching private key. The public and private key are generated at the same time, and will only work with one another. If you encrypt a message with a public key, you need the corresponding private key to decrypt the message. |
| PKCS | Public Key Cryptography System | | A set of cryptographic standards developed by RSA Laboratories. These standards provide a framework for implementing and using public-key cryptography, a system that uses two keys (public and private) for secure communication. |
| PKI | Public Key Infrastructure | | A collection of systems that work together to create, manage, and revoke X.509 (and other types of) certificates. It utilizes public-key cryptography to distribute the digital certificates, which in turn can be used for different use cases such as securing communication between servers, authentication, and encryption. |
| REST API | Representational State Transfer Application Programming Interface | EJBCA | A REST API (also known as a RESTful API) is an application programming interface (API or web API) that conforms to the constraints of the REST architectural style and allows for interaction with RESTful web services. REST stands for representational state transfer and was created by computer scientist Roy Fielding. |
| Revoke | | | Certificate revocation is the act of invalidating a TLS/SSL certificate before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational. The reason for revocation (e.g. superseded, compromised) is recorded when the certificate is revoked. |
| RSA | Rivest–Shamir–Adleman | | One of the first public-key cryptosystems; widely used for secure data transmission. |
| RA | Registration Authority | EJBCA | A PKI service providing some certificate lifecycle management functions, most importantly enrollment and revocation. It receives certificate signing requests (CSR) or revocation requests, provides means to verify the requester and the party the certificate will be issued for, and after successful verification forwards the requests to a Certificate Authority (CA). RAs are usually separated from the CA for accessibility and security reasons. The EJBCA RA UI is the portal for all end-entity related operations, from enrolling certificates to administering access for other RA administrators. The RA can be configured to use certificate authentication or to allow public access. |
| SEE | Secure Execution Environment | Keyfactor SEE appliance | |
| SHA-256 Signature | Secure Hash Algorithm | | Cryptographic hash algorithm. A cryptographic hash (sometimes called a 'digest') is a kind of 'signature' for a text or a data file. SHA-256 generates an almost-unique 256-bit (32-byte) signature for a text. |
| SSL | Secure Sockets Layer | | An older protocol whose name is used interchangeably with TLS. It is used to secure communication by encrypting data transmitted between the browser and a web server. |
| SAML | Security Assertion Markup Language | SignServer | An open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). |
| SFP | Security Foundation Platform | | Virtualization layer used to bring up the appliance. |
| SPN | Service Principal Name | | A unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. |
| SCEP | Simple Certificate Enrollment Protocol | EJBCA | A protocol commonly used by network equipment to enroll for certificates. SCEP has in general use been supplanted by the similar Enrollment over Secure Transport (EST) protocol, which we recommend as an alternative. |
| SPOC | Single Point of Contact | | Single point of contact for cross-certification of inspection systems between countries. Used within the inspection infrastructure for eMRTD (Electronic Machine Readable Travel Documents). |
| SAN | Subject Alternative Names | | An X.509 attribute that can be used to reference an object with multiple different names. Typically used to secure a web server: instead of needing a separate certificate for each server name, the SAN attribute can contain all the names the certificate protects within the certificate itself. |
| Symmetric cryptography | | | A type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information. |
| TLS Certificate | Transport Layer Security | | Cryptographic protocols that provide communications security over a computer network. The TLS protocol is designed to provide three essential services to all applications running above it: encryption, authentication, and data integrity. |
| UKC | Unbound Key Control | EJBCA | EJBCA supports using Unbound's key management product Unbound Key Control (UKC) to provide enhanced key protection to EJBCA, acting as a virtual HSM (vHSM). |
| VA | Validation Authority | | A PKI service providing a validation function, i.e. the possibility to check whether a certificate issued by the related Certificate Authority (CA) is still trustworthy. This is achieved by exposing access to Certificate Revocation Lists (CRL), the Online Certificate Status Protocol (OCSP) and CA chain certificate downloads. Just as with Registration Authorities (RA), VAs are often separated from the CA for accessibility and security reasons. |
| VHSM | Virtual HSM | | The VHSM communicates with the HSM; it acts more as a proxy to the HSM. |
| VPC | Virtual Private Cloud | EJBCA & SignServer | A Virtual Private Cloud (VPC) is a logically isolated section of a public cloud environment that allows users to create their own virtual network, similar to a traditional private network, but hosted on shared public cloud infrastructure. |
| WSDL | Web Services Description Language | EJBCA | An XML-based language used to describe web services. |
| WebServices | | | Any piece of software that makes itself available over the internet and uses a standardized XML messaging system. XML is used to encode all communications to a web service. For example, a client invokes a web service by sending an XML message, then waits for a corresponding XML response. |
| WSTEP | WS-Trust Token Enrollment Extensions | | Enables users and computers to obtain certificate enrollment policy information. |
| X.509 Digital Certificate | | | An X.509 certificate is a digital certificate based on the widely accepted International Telecommunication Union (ITU) X.509 standard, which defines the format of public key infrastructure (PKI) certificates. They are used to manage identity and security in internet communications and computer networking. |