One of the first things that comes to mind when talking about security is encryption. Encryption can be used to provide confidentiality and integrity, which are two of the three main tenets behind security. To be sure that you are familiar with the concepts we will be covering in upcoming articles, here is a primer on encryption terminology.
A certificate is a binary file that can be used for encrypting files or email, signing data, establishing secure communications over the Internet, and also authentication. Certificates include, at a minimum, details about the subject, and the public key that can be used for encryption purposes. Certificates can be generated by anyone, or issued by a certificate authority. We will get into much more detail on certificates in an upcoming post.
A certificate authority (CA) is any infrastructure that issues certificates. Companies can setup certificate authorities for their own internal purposes, or commercial certificate authorities can issue certificates to customers for a fee. For internal only purposes, like authentication, companies may choose to deploy their own CA, but the biggest benefit of using a commercial CA is the ideal that the commercial CA is a trusted third party. Presumably, before a commercial CA will issue a certificate, it goes through a process to vet the recipient and confirm their identity. When you trust a CA, you rely on them to confirm that the recipient of one of their certificates is legit.
Data that has been encrypted is referred to as ciphertext.
Data that is not encrypted is said to be in the clear, or is cleartext. It is readable by anyone.
The study of cryptographic algorithms or encrypted data in an effort to decrypt it, circumventing the protections afforded by the encryption.
The study of techniques for secure communications. Sometimes called cryptology.
Data Loss Prevention (DLP) is technology designed to prevent confidential data from being released to unauthorized users. DLP is frequently used with email systems to detect and prevent confidential data from being sent out through email. It can scan for keywords, or check the hash or fingerprint of sensitive files.
Digital Rights Management (DRM) is a technology that is used to help protect copyright and ensure that only authorized users have access to data. It uses encryption/decryption to validate authorized access, and frequently restricts what authorized users can do (play but not copy, view but not print, etc.)
The process of encoding data in such a way that only authorized users or intended recipients can access the data.
A one-way mathematical function that creates a unique, fixed length value from data of an arbitrary length. 128 bit hashes are 128 bit values that can be computed on data that is much smaller, say a 64 bit password, or data that is much larger, such as a 4.7 GB ISO file. Hashes can be computed by anyone, but cannot be reversed to determine any property of the data used to create the hash. Hashes are used to verify data integrity, but not to secure the data.
A mathematical value used in encryption and decryption. A key can be a simple password, or a complex derivative of complex mathematical computations. The key is not the lock; that is the algorithm used for encryption.
A one-time password (OTP) is a key that can be used only once. In theory, using OTPs means that an encryption scheme is practically unbreakable, but the logistics behind creating a workable OTP system and securely distributing it to the other party in a data exchange scheme makes OTPs very difficult to manage.
A personal identification number (PIN) can be used to seed encryption or to unlock encryption keys for use.
A private key is one half of a key pair, and can be used to digitally sign communications to prove authenticity, or to decrypt data that was encrypted using the corresponding public key. As the name implies, you keep your private key private, and may further protect it by assigning a PIN that must be used to access the private key.
A public key is one half of a key pair, and can used to verify a digital signature, or to encrypt data destined for the owner of the public key. As the name implies, your public key can be shared with others, and is often published in online directories or in certificates. The more widespread your public key, the more useful it is.
A salt is a unique numeric value used to make an encryption scheme even more difficult to break as it makes the values that go into encryption even more unique than they might be on their own. Weak encryption systems can be made stronger by salting hashes.
Secure Sockets Layer (SSL) is a part of the transport layer of the TCP/IP suite that provides encryption of data in motion. Whenever you use HTTPS in a web browser, you are using HTTP over an SSL connection to ensure that no one can intercept your data on the wire and decrypt it.
A newer form of SSL, Transport Layer Security (TLS) provides stronger encryption than SSL can by using stronger algorithms. Often the two are analogous and used interchangeably.
In upcoming posts, we will go over many aspects of security and encryption, and these terms will be used throughout. When appropriate, we will go into more detail, but the above should enable you to follow along.