Mentalis.org Security Library documentation

Glossary

This is a glossary of technical terms that are frequently used in the documentation of the Security Library.

Term Description
AES Advanced Encryption Standard; a standard that specifies a cryptographic algorithm [Rijndael] to protect sensitive information. The AES will replace the Data Encryption Standard [DES].
ASN.1 Abstract Syntax Notation One; a method used to specify abstract objects that are intended for serial transmission.
BLOB Binary Large OBject; refers to any random large block of bits that shouldn't be interpreted by the SecureSocket itself.
BSD license The BSD license is a license that was originally used for software developed by the university of Berkeley. Many programmers have since used licenses based on the original BSD license for their software projects. Well-known examples include Apache, FreeBSD, and OpenSSL. The Mentalis.org Source Code license is also based on the original BSD license.
CA Certificate Authority; they typically verify credentials of entities seeking certificates, issue them, then make these certificates available in some common database. CAs must be trusted in order for their certificates to be meaningful.
Certificate Certificates are special documents that correlate a public key with a specific entity; this is most commonly a person--defined by a real name, a login name, or a pseudo-anonymous name--or a server. Certificates are used to authenticate persons in an SSL communication. Server-side authentication is required in SSL.
Certificate Chain When you present a certificate, it’s typically signed by a CA. That CA’s certificate may in turn be signed by another CA. A set of certificates such as this, each signed by a more reliable source than the last, is a certificate chain.
Certificate Store Typically, a permanent storage where certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs) are stored. It is possible, however, to create and open a certificate store solely in memory when working with certificates that do not need to be put in permanent storage.
CRL Certificate Revocation List; CRLs are regularly published by CAs in order to list certificates which have been compromised. Theoretically, a certificate should never be accepted unless the CA’s CRL is first checked.
CSP Crypto Service Provider; a class or a collection of classes that offers a cryptographic service to applications, such as encryption, decryption, hashing or signing.
DER Distinguished Encoding Rules; a set of rules for encoding ASN.1 defined data as a stream of bits for external storage or transmission. Every ASN.1 object has exactly one corresponding DER encoding. DER is defined in CCITT Recommendation X.509, Section 8.7.
Hash A fixed-size result obtained by applying a mathematical function (the hashing algorithm) to an arbitrary amount of data. Also known as "message digest".
IV Initialization Vector; a sequence of random bytes appended to the front of the plaintext before encryption by a block cipher. Adding the initialization vector to the beginning of the plaintext eliminates the possibility of having the initial cipher text block the same for any two messages.
Nonrepudiation The ability to identify users who performed certain actions, thus irrefutably countering any attempts by a user to deny responsibility. For example, a system may log the ID of a user whenever a file is deleted.
PCT Private Communication Technology; a security protocol, designed by Microsoft, that was meant to replace SSL version 2.
PFX, P12 Private Information Exchange or PKCS#12; it is a standard for storing private keys and certificates securely.
PKCS Public Key Cryptography Standards; the PKCS are a set of Public Key Cryptography Standards that have been suggested by RSA Security. Not all are really industry standards.
PKI Public Key Infrastructure; it’s what you get when you take a collection of certificates and put them together with a set of CAs, RAs, certificate repositories, and people who use these resources.
SCHANNEL A security package that provides authentication between clients and servers.
SSL Secure Socket Layer; a security protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
SSPI Security Support Provider Interface; a common interface between transport-level applications and security providers. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details.
TLS Transport Layer Security; a security protocol based on SSL.
X509 X.509 is an authentication scheme for the X.500 directory structure. X.500 is a distributed data structure which can contain information about objects and people. X.500 is largely irrelevant to PKI; it just so happens that X.509 was chosen as the certificate format that is now in general usage.