Asymmetric encryption uses different keys for encryption and decryption. Each participant is assigned a pair of keys, consisting of an encryption key and a corresponding decryption key.
It is impossible to derive (“hack”) the decryption key from a known encryption key (with reasonable computing power, time and money. Asymmetric encryption typically is used for public key encryption.
Authentication is the process of verifying a claim of identity, e.g. of a user name, or the correctness of data. This verification is often done by providing a user name together with a password. Better security can be achieved through the use of cryptographic methods (e.g. smartcards, authentication protocols) or biometric characteristics (e.g. fingerprint).
Authenticity typically means the integrity and trustworthiness of data or an entity. The authenticity can be secured and verified using cryptographic methods.
Certification Authority: Independent and trustworthy entity responsible for issuing and managing digital
certificates. By digitally signing the issued certificates, the CA guarantees the authenticity of the data held in them. Since all participants of a public key infrastructure trust the CA they can also
trust the issued certificates and the public keys of other participants.
An “electronic ID card” for a person / an IT system that is issued by a CA and certified by its digital signature. In particular, a certificate guarantees the correspondence between a public key and a person or an IT system.
Certificate Revocation List: The CA uses certificate revocation lists for publishing certificates that have been invalidated prior to the normal termination of validity. All certificates on a CRL are invalid from the time of publication.
The primary goal of cryptography is to conceal data to protect it against unauthorized third-party access by applying encryption. The more theoretical or mathematical effort is required for an unauthorized third party to recover data, the stronger is the encryption.
The origin of data can be proved by means of a digital signature. The term describes electronic signatures that are generated and verified using asymmetric encryption. An EU directive concerning electronic signatures as well as its national implementations, such as the German “Signaturgesetz” (SigG, Digital Signature Act), the corresponding “Signaturverordnung” (SigV, Digital Signature Ordinance) and the so-called “Formanpassungsgesetz” (a framework law modifying formal requirements) puts electronic signatures on a par with manual signatures except for a few special cases.
Digital Signature Act
“Signaturgesetz“, “SigG“: The Digital Signature Act, published in its current version on May 22nd. 2001 is part of the German “Multimediagesetz” (Multimedia Act) and provides the basis for the use of digital signatures. In combination with the “Signaturverordnung” (Digital Signature Ordinance) and the newly adopted “Formanpassungsgesetz” (a framework law modifying formal requirements) published on August 1st. 2001, the SigG provides the legal basis for putting electronic signatures on a par with manual signatures.
A data source according to ITU specification X.500 that holds data organized in a tree structure.
This data source can be queried using a suitable client. Directory services are used for example for address, e-mail and phone lists or yellow pages. All possible data sources have in common, that the information needed can be requested using various criteria. The data source can also be distributed over several different servers.
Encryption means encoding data for secure storage or transmission. During encryption the content of a document, a file or e-mail is transformed into an unreadable character sequence using an (encryption) key. Only the intended recipient is able to retransform the data by applying the corresponding decryption key.
There is a variety of commonly used encryption methods such as asymmetric, symmetric and hybrid encryption.
Public Key Cryptographic Standards: A set of specifications for cryptographic methods published by RSA Data Security Inc.
“Cryptographic Message Syntax Standard“: One of the specifications of the PKCS specification set. It describes a generic data format that is comparable to an “electronic envelope”. This envelope contains signed and/or encrypted data.
Public Key Infrastructure: This is the general term for the required technical equipment as well as the appropriate processes and concepts for using asymmetric encryption. This includes inter alia registration authorities (RA), certification authorities (CA) and directory services. Common alternatives today are PGP and increasingly X.509-based PKIs.
This is the key for use with asymmetric encryption that is accessible to the key holder only. A private key is used for generating digital signatures and for decrypting data.
Personal Security Environment. This is a private security area which contains personal security-related data such as the private key. Normally the PSE can be found on smartcards, but it also can be contained in an encrypted file. The PSE is secured by a password, a PIN or biometric methods (e.g. fingerprints, eyeball scanning).
This is the key for use with public key encryption methods that is publicly made available. It is published by the key holder or the issuing CA by using for instance the CA’s directory server of the or distributing it by disk, web download or e-mail. The public key can be certified using an electronic certificate issued and signed by a CA.
Public Key Encryption
This encryption method uses asymmetric encryption and a pair of keys consisting of a secret private key known only to the key holder and a public key that is made available to the public. The public key is used for encrypting confidential messages and for verifying digital signatures. The sender of an e-mail for example can encrypt the mail using the public key of the recipient. The message is then unreadable to unauthorized parties; only the recipient can decrypt the message using his private key. The recipient of a digitally signed e-mail can use the sender’s public key to verify the signature because the sender is the only person who has the corresponding private key for generating the present signature.
Registration Authority: An authority that is responsible for the registration of users applying for digital certificates.
The RA shall check in particular the identity of an applicant; the certificate is then issued by the CA.
Single Sign On Mechanism
Single Sign On means logging a user onto a system (such as a web site) only once for the duration of a session. SSO enables the user to access all of the resources, applications and systems he is authorized for requiring only one single authentication, e.g. by entering his username and password.
Credit card-sized chip card with an integrated microprocessor. This device possesses memory, a card operating system and optionally one or more co-processors which can execute programs (chip card applications) and complex arithmetic operations. A computer can access a smartcard using a smartcard reader (terminal). Private keys are often generated and saved on smartcards with crypto-processors (cryptographic coprocessors), as smartcards are the most secure storage media today. The smartcard application inhibits direct access to the private key.
Secure Multipurpose Internet Mail Extension: A de-facto standard that was developed by RSA Data
Security Inc. for encrypting and signing e-mails using digital certificates based on X.509v3.
Secure Sockets Layer: SSL is a protocol for secure data exchange between clients and servers on the Internet. Clients and servers can mutually authenticate using SSL certificates and encrypt the exchanged data. This protocol was developed by Netscape. SSL certificates are based on X.509.
A trust center is an entity that reliably operates especially the sensitive and security-critical components of a CA in a highly secure environment.
X.509 is a specification for digital certificates published by the ITU-T (International Telecommunications Union – Telecommunication). It specifies information and attributes required for the identification of a person or a computer system. Version 3 (X.509v3) defines the format for certificate extensions, used to store additional information about the certificate holder (e.g. academic degrees, position within a company, authorities to sign) or to define (resp. limit) the certificate usage (e.g. private use, official use, for signing, for encryption, etc.).