Category: Key management

Pre-shared key
In cryptography, a pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.
KAME project
The KAME project, a sub-project of the WIDE Project, was a joint effort of six organizations in Japan which aimed to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementatio
Secure key issuing cryptography
Secure key issuing is a variant of ID-based cryptography that reduces the level of trust that needs to be placed in a trusted third party by spreading the trust across multiple third parties. In additio
Trust anchor
In cryptographic systems with hierarchical structure, a trust anchor is an authoritative entity for which trust is assumed and not derived. In the X.509 architecture, a root certificate would be the t
Certificate server
No description available.
SSHFP record
A Secure Shell fingerprint record (abbreviated as SSHFP record) is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisi
In cryptography, zeroisation (also spelled zeroization) is the practice of erasing sensitive parameters (electronically stored data, cryptographic keys, and critical security parameters) from a crypto
CCMP (cryptography)
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol) or CCM mode Protocol (CCMP) is an encryption protocol designed for Wireless LAN products that im
Key signature (cryptography)
In cryptography, a key signature is the result of a third-party applying a cryptographic signature to a representation of a cryptographic key. This is usually done as a form of assurance or verificati
CA/Browser Forum
The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating
Key checksum value
In cryptography, a Key Checksum Value (KCV) is the checksum of a cryptographic key. It is used to validate the key integrity or compare keys without knowing their actual values. The KCV is computed by
Key distribution center
In cryptography, a key distribution center (KDC) is part of a cryptosystem intended to reduce the risks inherent in exchanging keys. KDCs often operate in systems within which some users may have perm
Temporal Key Integrity Protocol
Temporal Key Integrity Protocol (TKIP /tiːˈkɪp/) is a security protocol used in the IEEE 802.11 wireless networking standard. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as
Forward secrecy
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised eve
The KIK-30 "Really Simple Key loader" (RASKL) is a fill device made by and approved by the US National Security Agency for the distribution of NSA Type 1 cryptographic keys. It can also store and tran
Simple public-key infrastructure
Simple public key infrastructure (SPKI, pronounced spoo-key) was an attempt to overcome the complexity of traditional X.509 public key infrastructure. It was specified in two Internet Engineering Task
Keybase is a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner. Additionally it offers an end-to-end encrypted
The KSD-64[A] Crypto Ignition Key (CIK) is an NSA-developed EEPROM chip packed in a plastic case that looks like a toy key. The model number is due to its storage capacity — 64 kibibits (65,536 bits,
Public key infrastructure
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key
Internet Security Association and Key Management Protocol
Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing Security association (SA) and cryptographic keys in an Internet environment. ISAKM
Key derivation function
In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudor
Ephemeral key
A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process. In some cases ephemeral keys are used more than once, within a single session (e.g., in br
Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys. This requires that the data have been encrypted. Data may be considered to exist in thr
Key management
Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys.
Key stretching
In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and poss
The open-source Kmc-Subset137 Project implements the protocol described in "ERTMS/ETCS; On-line Key Management FFFIS" UNISIG SUBSET-137 ver1.0.0. It covers the on-line distribution of cryptographic ke
Key authentication
Key/Config-authentication is used to solve the problem of authenticating the keys of the person (say "person B") that some other person ("person A") is talking to or trying to talk to. In other words, i
The AN/PYQ-10 Simple Key Loader (SKL) is a ruggedized, portable, hand-held fill device, for securely receiving, storing, and transferring data between compatible cryptographic and communications equip
The Accredited Standards Committee X9 (ASC X9, Inc.) is an ANSI (American National Standards Institute) accredited standards developing organization, responsible for developing voluntary open consensu
In cryptography, CDMF (Commercial Data Masking Facility) is an algorithm developed at IBM in 1992 to reduce the security strength of the 56-bit DES cipher to that of 40-bit encryption, at the time a r
Dynamic secrets
Dynamic Secrets is a novel key management scheme for secure communications. It was proposed by Sheng Xiao, Weibo Gong, and Don Towsley. The first academic publication had been nominated for INFOCOM 20
Quantum digital signature
A Quantum Digital Signature (QDS) refers to the quantum mechanical equivalent of either a classical digital signature or, more generally, a handwritten signature on a paper document. Like a handwritte
Static key
A cryptographic key is called static if it is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key establishment scheme. Con
Certificate policy
A certificate policy (CP) is a document which aims to state what the different entities of a public key infrastructure (PKI) are, along with their roles and their duties. This document is published in the PKI pe
Key ceremony
In cryptography, a key ceremony is a ceremony held to generate or use a cryptographic key. A public example is the signing of the DNS root zone for DNSSEC.
Key escrow
Key escrow (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party
Derived unique key per transaction
In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived k
Simple Key-Management for Internet Protocol
Simple Key-Management for Internet Protocol or SKIP was a protocol developed circa 1995 by the IETF for the sharing of encryption keys. SKIP and Photuris were evaluated as key exchange mechanisms for
Computational trust
In information security, computational trust is the generation of trusted authorities or user trust through cryptography. In centralised systems, security is typically based on the authenticated ident
Fill device
A fill device or key loader is a module used to load cryptographic keys into electronic encryption machines. Fill devices are usually hand held and electronic ones are battery operated. Older mechanic
AACS encryption key controversy
A controversy surrounding the AACS cryptographic key arose in April 2007 when the Motion Picture Association of America and the Advanced Access Content System Licensing Administrator, LLC (AACS LA) be
Key clustering
A key or hash function should avoid clustering, the mapping of two or more keys to consecutive slots. Such clustering may cause the lookup cost to skyrocket, even if the load factor is low and collision
Keysigning is the process of digitally signing someone else's public key using one's own. A more correct term would be certificate signing, since the actual key material is not changed by the process o
Key signing party
In public-key cryptography, a key signing party is an event at which people present their public keys to others in person, who, if they are confident the key actually belongs to the person who claims
Key size
In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher). Key length defines the upper-bound on an algorithm's secu
Broadcast encryption
Broadcast encryption is the cryptographic problem of delivering encrypted content (e.g. TV programs or data on DVDs) over a broadcast channel in such a way that only qualified users (e.g. subscribers
Cryptographic key types
A cryptographic key is a string of data that is used to lock or unlock cryptographic functions, including authentication, authorization and encryption. Cryptographic keys are grouped into cryptographi
Validation authority
In public key infrastructure, a validation authority (VA) is an entity that provides a service used to verify the validity of a digital certificate per the mechanisms described in the X.509 standard a
Session key
A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is content encryption key (CEK), traffic encryption key (TEK), or mult
Key server (cryptographic)
In computer security, a key server is a computer that receives and then serves existing cryptographic keys to users or other programs. The users' programs can be running on the same network as the key
Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This fac
Shared secret
In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be
Key distribution in wireless sensor networks
Key distribution is an important issue in wireless sensor network (WSN) design [1]. WSNs are networks of small, battery-powered, memory-constrained devices named sensor nodes, which have the capability
Key generator
A key generator is a protocol or algorithm that is used in many cryptographic protocols to generate a sequence with many pseudo-random characteristics. This sequence is used as an encryption key at on
Key encapsulation mechanism
In cryptographic protocols, a key encapsulation mechanism (KEM) is used to secure symmetric key material for transmission using asymmetric (public-key) algorithms. It is commonly used in hybrid crypto
Media Key Block
The Media Key Block (MKB) is one of the keys included inside the copying protection system (DRM) AACS. This system is used to prevent Blu-ray and HD DVD formats from being copied. The system was devel
Public key certificate
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes i
DNS-based Authentication of Named Entities
DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names us
Secure Shell (SSH) is a protocol allowing secure remote login to a computer on a network using public-key cryptography. SSH client programs (such as ssh from OpenSSH) typically run for the duration of
Key whitening
In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key.
The AN/CYZ-9 is a hardware random number generator fielded by the US National Security Agency in the 1990s. It was used in initial phases of the US military's Electronic Key Management System (EKMS) T
The KSV-21 Enhanced Crypto Card is a US National Security Agency-approved PC card that provides Type 1 encryption functions and key storage to the STE secure telephones and other devices. The KSV-21 w
Self-signed certificate
In cryptography and computer security, self-signed certificates are public key certificates that are not issued by a certificate authority (CA). These self-signed certificates are easy to make and do
Ticket Granting Ticket
In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encrypted identification file with a limited validity period. After authentication, this file is
A keyfile (or key-file) is a file on a computer which contains encryption or license keys. A common use is web server software running secure socket layer (SSL) protocols. Server-specific keys issued
Domain-validated certificate
A domain validated certificate (DV) is an X.509 public key certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant is validated by proving some control ove
Weak key
In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, wh
Certificate authority
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key
Key distribution
In symmetric key cryptography, both parties must possess a secret key which they must exchange prior to using any encryption. Distribution of secret keys has been problematic until recently, because i
Signal operating instructions
Signal operating instructions (SOI) or Communications-Electronics Operation Instructions (CEOI) are U.S. military terms for a type of combat order issued for the technical control and coordination of
The KYK-13 Electronic Transfer Device is a common fill device designed by the United States National Security Agency for the transfer and loading of cryptographic keys with their corresponding check w
Authenticated Key Exchange
Authenticated Key Exchange (AKE) or Authenticated Key Agreement is the exchange of a session key in a key exchange protocol which also authenticates the identities of the parties involved in the key exchange. T
Web of trust
In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized
Qualified website authentication certificate
A qualified website authentication certificate (QWAC certificate) is a qualified digital certificate under the trust services defined in the European Union eIDAS Regulation. A 2016 European Union Agen
Blom's scheme
Blom's scheme is a symmetric threshold key exchange protocol in cryptography. The scheme was proposed by the Swedish cryptographer Rolf Blom in a series of articles in the early 1980s. A trusted party
Offline root certificate authority
An offline root certificate authority is a certificate authority (as defined in the X.509 standard and RFC 5280) which has been isolated from network access, and is often kept in a powered-down state.
Wildcard certificate
In computer networking, a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain. The principal use is for securing web sites with HTTPS, but there ar
GateKeeper (access control device)
GateKeeper is a wireless proximity-based access control and authentication device that allows a user to automatically lock their computer by walking away and unlock it by walking back. The GateKeeper
Key generation
Key generation is the process of generating keys in cryptography. A key is used to encrypt and decrypt whatever data is being encrypted/decrypted. A device or program used to generate keys is called a
Certification Practice Statement
A Certification Practice Statement (CPS) is a document from a certificate authority or a member of a web of trust which describes their practice for issuing and managing public key certificates. Some
Glossary of cryptographic keys
This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA). For classification
gnoMint is a free software tool for managing X.509 certification authorities (CAs). Its purpose is to offer an easy to use interface for creating certification authorities and all related elements inc
Key (cryptography)
A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptog
strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates o
AES key schedule
AES uses a key schedule to expand a short key into a number of separate round keys. The three AES variants have a different number of rounds. Each variant requires a separate 128-bit round key for eac
A cryptoperiod is the time span during which a specific cryptographic key is authorized for use. Common government guidelines range from 1 to 3 years for asymmetric cryptography, and 1 day to 7 days f
Domain Name System Security Extensions
The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in
Paper key
A paper key is a machine-readable print of a cryptographic key. The printed key can be used to decrypt data, e.g. archives or backup data. A paper key can be the result of an offline private key proto
Client certificate
In cryptography, a client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server. Client certificates play a key role in many mut
The xor–encrypt–xor (XEX) is a (tweakable) mode of operation of a block cipher. In tweaked-codebook mode with ciphertext stealing (XTS mode), it is one of the more popular modes of operation for whole
Extended Validation Certificate
An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV c
Texas Instruments signing key controversy
The Texas Instruments signing key controversy resulted from Texas Instruments' (TI) response to a project to factorize the 512-bit RSA cryptographic keys needed to write custom firmware to TI devices.
OpenIKED is a free, permissively licensed Internet Key Exchange (IKEv2) daemon developed as part of the OpenBSD project.
Certificate revocation list
In cryptography, a certificate revocation list (or CRL) is "a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and s