Glossary of Terms

Authentication Proving your identity. To be able to access a website or resource, you must provide authentication via a password or some combination of tokens, biometrics, and passwords.
Authorization The act of granting approval. Authorization to resources or information within an application can be based on simple or complex access control methods.
Basic Internet Security Typically employed in low value, low sensitivity applications using Secure Sockets Layer (SSL) for confidentiality, with the possible addition of User ID and Passwords for user authentication.
CA See “Certification Authority”
CA Policy Management Control over CA properties such as whether the CA key is stored on hardware, the algorithm used to encrypt the CA signing key, and how often the CA updates its list of users whose certificates have been revoked.
CA Signing Key Pair This consists of the private key that the CA uses to sign digital certificates (the signing private key) and the matching public key. When accessing encrypted or signed information, the trustworthiness of this information is validated, in part, by using the CA’s public key to verify the CA’s signature.
Certificate A digital “passport”. A certificate is a secure electronic identity conforming to the X.509 standard. Certificates typically contain a user’s name and public key. A CA authorizes certificates by signing the contents using its CA signing private key.
Certificate Expiry The date after which a user’s certificate should no longer be trusted. The certificate expiry date is contained within the certificate.
Certificate Renewal The process of issuing a new certificate using the same public key from the previous certificate. Certificate renewal is used by some vendors who issue short lifetime certificates so that they can charge for each additional certificate issued. This offers no security value and is equivalent to buying a new safe while using the old combination. By contrast, Entrust offers automatic key update to update both the key and certificate before key expiry. Automatic key update provides strong security since it allows keys to only be used for a specific time period.
Certificate Revocation The act of identifying certificates that are no longer trusted. Revoked certificates are identified on Certificate Revocation Lists (CRLs). With enhanced security management, applications automatically check the revocation status of certificates before trusting them.
Certificate Revocation List (CRL) A list containing the serial numbers of public key certificates that have been revoked. CRLs are placed in directories so that applications can check the revocation status of certificates before trusting them.
Certificate Validation The process of checking the trustworthiness of a certificate. Certificate validation involves checking that the certificate has not been tampered with, has not expired, is not revoked, and was issued by a CA you trust.
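The four checks just listed, worked through with Go’s standard crypto/x509 package. This is an added example rather than Entrust code: it builds a throwaway root CA, a user certificate and a CRL in memory (the CA name “Sample Root CA”, the subject “alice” and serial 42 are made up for the sample) and then validates the user certificate against them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on error so the constructed sample PKI below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert has parent sign tpl with signer and returns the parsed certificate (parent == tpl self-signs).
func makeCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer))))
}

// BuildPKI constructs a sample root CA, a one-day user certificate it issued (serial 42, subject
// "alice"), and a CRL signed by the CA listing whatever serials are passed in revoked.
func BuildPKI(now time.Time, revoked ...int64) (ca, user *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = makeCert(caTpl, caTpl, &caKey.PublicKey, caKey)
	user = makeCert(&x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}, ca, &userKey.PublicKey, caKey)
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}, ca, caKey))
	return ca, user, must(x509.ParseRevocationList(crlDER))
}

// Validate applies the glossary's checks: not tampered with, not expired, issued by a trusted CA, not revoked.
func Validate(cert, trusted *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	// Verify chains the certificate to a root in our trust store, checking every signature and
	// validity period at time at; a tampered, expired, or unknown-CA certificate is rejected here.
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	// Only act on revocation data that the CA itself signed and that has not gone stale.
	if err := crl.CheckSignatureFrom(trusted); err != nil || at.After(crl.NextUpdate) {
		return errors.New("CRL is not signed by the trusted CA or is past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

// Tamper changes one byte of the subject name inside the signed DER, so the contents no longer match the CA's signature.
func Tamper(cert *x509.Certificate) *x509.Certificate {
	raw := append([]byte(nil), cert.Raw...)
	raw[bytes.Index(raw, []byte("alice"))] = 'm' // "alice" becomes "mlice"
	return must(x509.ParseCertificate(raw))
}
```

Running Validate against the tampered copy, at a time after NotAfter, with a different root in the trust store, or with serial 42 on the CRL makes each of the four checks fail in turn.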
Certification Authority (CA) The system responsible for issuing secure electronic identities to users in the form of certificates. The Entrust Authority™ Security Manager product acts as the CA.
Common Criteria Evaluation Certifies the overall security of the product solution. Entrust/PKI 4.0 for Windows® NT Service Pack 3 is certified to Evaluation Level 3 (EAL-3) of the Common Criteria for Information Technology Security Evaluation (CC) by the UK IT Security Evaluation and Certification Scheme (UKITSEC). This represents an alignment of North American and European certification policies.
CRL Distribution Points Entrust maintains multiple certificate revocation lists (CRLs). Entrust stores the CRLs at unique distribution points in the Directory. Each user certificate contains a pointer to an appropriate CRL distribution point so that its revocation status can be checked.
Cross-certification The process by which two CAs certify each others’ trustworthiness. Cross-certification initiates PKI networking. With PKI networking, users from both CAs can securely communicate with each other.
Decrypt To decrypt a protected file is to restore it to its original, unprotected state.
Digital ID An encrypted file containing your personal security data, including your private keys. Access to your digital ID requires authentication via some combination of tokens, biometrics and/or passwords.
Directory Networking Support for any LDAP-compliant directory provides the ability to network directories, which allows the retrieval of user certificates, cross-certificates and revocation information.
Digital Signature A digital signature is like a paper signature, except that it is fully electronic. A digital signature is impossible to forge, making it more secure than a paper signature. A digital signature provides verification to a recipient that the signed file came from the person who sent it, and that it was not altered since it was signed.
Directory A directory is a software program that stores information (much like a database). In Entrust, a directory serves as a repository for the certificates of all users. The directory also keeps lists of certificates that have been revoked because they are no longer trusted (CRLs). Access to the directory is via the Lightweight Directory Access Protocol (LDAP).
Dual Key Pairs A combination of the user’s encryption and signing key pairs. Two key pairs are required to satisfy the requirements for non-repudiation and key backup and recovery.
Encryption To encrypt a file is to apply a mathematical function that transforms every character in the file into some other character. Encryption renders the file unreadable. This means no one, including you, can read the file until it is decrypted. Only you and the authorized recipients can decrypt the file.
Encryption Key Pair This consists of the encryption public key and decryption private key. The public key portion of an encryption key pair is used to encrypt data which can be decrypted by the matching decryption private key.
Enhanced Internet Security This is the required level of security needed for applications that deal with higher value and higher sensitivity transactions and information. This consists of enhanced levels of identification, entitlements, verification, privacy, and security management.
Entitlements These are your rights and privileges, from an application perspective, based on who you are. Based on your identity and role, you may be granted or denied access to various types of applications or data.
Entitlements Service The purpose of the Entrust Entitlements Service (a Foundation Security Service of the Secure Transaction Platform) is to confirm that the entity trying to access a Web service (and other types of resources, also) has the right to do so. Like the Identification Service, the Entitlements Service makes it possible for Web services applications to focus on business logic and rely on fundamental security operations occurring centrally in the Foundation Security Services by “outsourcing” the entitlements decision.
Extended Validation SSL Certificates (EV) Extended Validation SSL Certificates — commonly referred to as “EV” certificates — allow valid Web sites to trigger the browser address bar to turn green, and information about the company operating the site and the certification authority (CA) that issued the certificate is displayed. Extended Validation refers to rigorous, industry-standard validation methods now used by CAs before issuing an SSL certificate.
Foundation Security Services Foundation Security Services are the building blocks for integrating identification, entitlements, verification, and privacy into transactions. Open and standards-compliant, Foundation Security Services deliver enhanced security capabilities broadly applicable across Web services and other server-based applications. Initially, the Entrust Secure Transaction Platform’s Foundation Security Services will include:
  • Identification Service
  • Entitlements Service
  • Verification Service
  • Privacy Service
FIPS 140-1 A federal government standard by which security products are measured. Entrust was the first company to receive certification to FIPS PUB 140-1 level 1 and has been awarded 6 different FIPS certifications to date. Entrust also supports FIPS PUB 140-1 level 3 security hardware devices from various partner companies.
Fraud Detection Fraud detection refers to security solutions that analyze patterns of behavior. Specific high-risk transactions can be identified according to predefined business procedures and flagged for closer evaluation, and advanced fraud detection solutions can evaluate patterns of transactions as well.
Hash Function A function that produces a unique value, or fingerprint, for every unique input message. Hash functions are used when digitally signing and time stamping.
Hierarchical Cross-certification The process of adding a subordinate CA to a hierarchy of CAs. Ideal within organizations where multiple CAs are needed and where one root CA must control all other CAs.
Identification This is the concept of knowing exactly who you are dealing with in the electronic world.
Identification Service The Entrust Identification Service is a Foundation Security Service of the Entrust Secure Transaction Platform that enables organizations to centrally control which identities are trusted for automated Web services transactions so that each Web services application does not have to manage these issues independently.
Key and Certificate Management Refers to generating keys for encryption and signing, storing the keys in certificates, and administering keys securely and transparently, so that they are provided to users where and when they are needed. Included in key and certificate management is key update. Keys should have limited lifetimes and be updated regularly in a secure, transparent manner.
Key Backup and Recovery Key backup is the process of maintaining the user’s decryption keys. Key recovery is the process of restoring the decryption keys. All organizations require decryption key backup and recovery capabilities to prevent data loss when users forget their password or lose their digital ID.
Key History The collection of decryption keys belonging to a user. As old keys are replaced with new keys, the Entrust Key and Certificate Manager backs all of these keys up centrally. If the user’s keys need to be recovered, Entrust seamlessly manages the key history so that the user doesn’t need to know which key is required to decrypt which data.
Key Lifetime The length of time a key is valid. All keys have a specific lifetime except the decryption private key, which never expires. An organization needs a policy regarding key lifetimes. This policy should consider when keys will no longer be needed as well as the risks and threats of private key disclosure due to brute force attacks.
Key Update Key update involves creating a new key pair and generating a corresponding public key certificate. Entrust updates all keys, including the CA key, automatically and seamlessly before the keys expire.
Lightweight Directory Access Protocol (LDAP) A Directory Access Protocol (DAP) specified by IETF RFC 1487. Entrust communicates with the directory using LDAP.
Managed Digital ID A repository of your keys and certificates that benefit from the full key and certificate management capabilities of Entrust. With managed digital IDs, users don’t need to know anything about security.
Multifactor Authentication A term used to define security solutions that leverage two or more authenticators to verify the identity of users or machines. Employing this method, organizations can often “step up” authentication when the sensitivity of the information being accessed increases. Sometimes referred to as two-factor authentication. Examples of authenticators include grid cards, one-time-passcode hardware tokens, IP-geolocation, machine authentication, biometrics, questions and answers and out-of-band one-time passwords, among others.
Non-repudiation The inability to deny having signed a transaction or file. Notarization makes transactions non-repudiable.
Notarization Evidence that a user actually signed a binding business transaction at a specific time, which supports the validity of that transaction. Entrust offers seamless creation and verification of notarized transactions.
Off-line Logon Allows users to function normally while not connected to the network, thereby maintaining user productivity and security.
Peer-to-Peer Cross-certification The process of certifying the trustworthiness of another organization’s CA so that users can successfully validate the users from the cross-certified CA. Peer-to-peer cross-certification is ideal between organizations where each firm has secure control over its own organization and maximum flexibility to form relationships as business requirements dictate.
Privacy Privacy entails keeping data confidential while in transit and in storage from end to end of the transaction lifecycle or information exchange. It also constitutes the policy surrounding the use and disclosure of this information within the enterprise.
Privacy Service The Privacy Service is a Foundation Security Service of the Entrust Secure Transaction Platform responsible for encrypting information so that only designated entities can access that information. Rather than each Web services application having to understand how to encrypt information, the Entrust Privacy Service takes care of the complexity of using cryptographic keys to provide data encryption in a centralized service.
PKI Networking Enables users in one Certification Authority (CA) to communicate securely with users from another, trusted, CA domain.
Policy Networking Establishes a trusted relationship between or within organizations for a limited amount of time.
Private Key The portion of a key pair that is kept secret by the owner of the key pair. Private keys sign or decrypt data.
Public Key The portion of a key pair that is available publicly.
Public Key Infrastructure (PKI) A system that provides the basis for establishing and maintaining a trustworthy networking environment through the generation and distribution of keys and certificates. This is also the foundation technology for providing enhanced Internet security.
RA Policy Management Flexible control over RA operator permissions such as what operations may be performed and which users may perform them on a per-RA administrator basis.
Registration Authority (RA) Refers to the people, processes, and tools used to support the registration and ongoing administration of users.
Revocation System Networking Certificates can be revoked, and applications can automatically check the revocation status of certificates.
Risk Based Authentication Risk Based Authentication is the ability to identify risk using transaction monitoring and react in real time using open multifactor authentication. This common-sense approach to consumer authentication can allow an organization to apply the appropriate level of authentication based on the transaction risk assessment identified by the fraud detection solution.
Roaming A method of allowing users to access security services via their Digital ID without being constrained to a specific PC, device, or location.
S/MIME S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It is an email-system independent, Internet standards-based protocol that uses public key cryptography (PKI) to provide writer-to-reader security features such as authentication, message integrity and confidentiality. S/MIME offers an additional layer of security between the sender and recipient of an email message using advanced encryption and digital signatures.
SAML SAML (Security Assertion Markup Language) is an industry standard ratified by OASIS (Organization for Advancement Structured Information Sciences). This XML-based framework provides a standard way to define user authentication, entitlements and attribute information in XML documents.
Secure Sockets Layer (SSL) A secure session protocol used to maintain data confidentiality only between Web browsers and Web servers. This is a fundamental component of basic Internet security.
Security Management The act of effectively and efficiently managing identification, entitlements, verification, and privacy such that there is less burden of administration for end users and administrators regardless of application or platform.
Security Policy An organization’s security policy governs the use of Entrust in the organization to achieve security objectives.
Signing Key Pair Consists of a privately held key for signing data and a key distributed publicly so others can verify the signature.
Simple Public Key Mechanism (SPKM) A secure session protocol specified by IETF RFC 2025.
Single Login Entrust minimizes the proliferation of passwords and successive logins to ease user frustration and minimize the risk that passwords will be written down.
SOAP (Simple Object Access Protocol) is a lightweight XML protocol that governs the exchange of information in a distributed environment. SOAP provides a standardized XML envelope for carrying other application specific XML payloads, a set of encoding rules for expressing instances of application-defined data types, and a convention for representing remote procedure calls and responses.
SOAP Firewall SOAP firewalls reflect the concept of application-level firewalls. These firewalls sit in the flow of information on a network and look for specific application-level messages and act upon those messages. In the case of SOAP firewalls, these products watch for SOAP messages and “transform” those messages as they pass through the firewall.
Symmetric Key One key that can be used to encrypt and decrypt the same data. Symmetric key encryption is different from public key encryption, which relies on one key held privately (for signing or decryption) and a second key distributed to the public (for signature verification or encryption).
Transaction Monitoring See “Fraud Detection
Two-factor Authentication See “Multifactor Authentication
UDDI (Universal Description, Discovery, and Integration) is a specification for registries of distributed Web-based business information. Companies publish descriptions of the services they offer, along with instructions on how the services are invoked, to the UDDI registry such that other companies can discover, and ultimately, use them. Entrust is a UDDI Advisor.
Unified Communication Certificate (UCC) Unified Communications Certificates are suited for environments that typically need to encrypt communications across a wide range of protocols and domains, both internally and externally. This technology enables organizations to secure communications with large numbers of specific hosts and domains with a single certificate. Unified Communications refers to an industry trend of bringing multiple communication methods together into a unified management and usage context. The technology serves as a versatile management system that affords users the ability to track and respond to a range of communication options (e.g., e-mail, voicemail, instant message, fax, etc.).
Unmanaged Digital ID A repository of your keys and certificates that do not benefit from the full key and certificate management capabilities of Entrust. Unmanaged digital IDs require users to manually generate keys, manually renew keys, and understand how certificates work.
User Mobility A method of accommodating users who login from different workstations or devices.
User Policy Management Flexible control over user settings such as algorithms used to encrypt and sign user data.
Verification The act of providing an auditable record of a transaction. This can be in the form of a digital signature. This binds each party to a transaction such that they cannot repudiate participating in it.
Verification Service The Entrust Verification Service is a Foundation Security Service of the Entrust Secure Transaction Platform designed to deliver integrity and accountability capabilities for Web services transactions through centralized digital signatures and time-stamping.
Web Portal A Web portal is a single doorway for employees, customers and partners to access an organization’s content, data and services online. Also known as Enterprise portals, Web portals make it possible to establish online relationships by providing personalized content to different individuals and entities. Organizations are building portals not only to increase loyalty, but also to create competitive advantage, strengthen relationships, speed access to services and satisfy regulatory requirements. Portals also make it possible to increase revenue, efficiencies and cost savings by moving business processes online.
Web Services Web services are self-contained, modular applications that can be described, published, located and invoked over the Internet. They perform well-defined functions both for applications and other Web services. These functions can be anything from simple calculations to complicated business processes. Through their loose-coupling and dynamic real-time discovery and binding, Web Services insulate applications from the complexity and details of other components, creating systems that are more flexible and adaptable. Security is recognized as a major impediment to wide-spread adoption of Web services.
WS-Security WS-Security is a proposal for adding message-layer security to SOAP messages, defining standardized locations and syntax by which security tokens (such as X.509 certificates and Kerberos tickets) can be carried within SOAP Headers in order to secure the contents of the SOAP messages (some business message). It leverages the existing XML Signature and XML Encryption specifications for capturing the results of, respectively, signing and encryption operations in XML syntax. In essence, WS-Security will standardize where the XML Signature and XML Encryption data blocks are carried within a SOAP message.
WSDL (Web Services Description Language) is an XML format for describing network services as a set of endpoints operating on messages. WSDL service definitions provide the technical details for describing Web Services that would be required for someone to actually invoke the service, e.g. input parameters, output format etc.
X.509 A digital certificate standard used within public key infrastructure (PKI) that enables a certification authority (CA) to confirm the identities of all parties involved, and ensure the secure encryption of any information that is shared between them.
XKMS (XML Key Management Service) is a proposed standard for the enrollment and subsequent management of keys. Rather than integrating complicated PKI key management functionality into applications through ‘toolkits’, XKMS enables the outsourcing of this PKI functionality to remote services. The application developer need only know how to create/process the appropriate XML messages with which the remote services are invoked.
XML XML (eXtensible Markup Language) is the standard messaging format for business communication, allowing companies to connect their business systems with those of customers and partners using the existing Internet infrastructure. Web Services are built on a model of request/response messages that use XML syntax. Similar to HTML, XML uses tags (words bracketed by '<' and '>') and attributes (of the form name="value") to help place structured data into text files. XML is different from HTML in that it is a meta-language (a language for describing languages) and, therefore, does not define specific tags and attributes; it just tells you how to define those tags and attributes.
XML Digital Signature The XML Signature proposal, of which Entrust is a co-author, specifies how to digitally sign XML documents at levels of granularity down to individual elements. The resultant signature is captured in XML syntax. XML Signature has advanced to W3C/IETF Candidate Recommendation stage.
XML Encryption XML Encryption specifies a process for encrypting digital content (including but not exclusive to XML) and an XML syntax for the encrypted content and appropriate required information that enables an intended recipient to decrypt it. Entrust co-authored the XML Encryption Proposal that has since been submitted to a W3C Working group.
XACML XML Access Control Markup Language is a proposal for an XML syntax for specifying authorization and entitlements policies. XACML is expected to address fine grained control of authorized activities, characteristics of the access requester, and the protocol over which the request is made.
Zero-footprint This term describes software that does not require any client software to be installed or configured on a users’ systems. For example, Entrust TruePass™ is zero-footprint software that: