Too Cool for Internet Explorer

GIST v0.7 ― K
“KDC” to “KTC”

K

- KDC n. 
See: key distribution center.
- KEA n. 
See: Key Exchange Algorithm.
- KEK n. 
See: key-encrypting key.
- Kerberos n. 
RFC 2828 (2000)
(N) A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. [R1510, Stei]
(C) Kerberos was developed by Project Athena and is named for the three-headed dog guarding Hades.

NIST SP 800-63-1 DRAFT (2008)
A widely used authentication protocol developed at MIT. In “classic” Kerberos, users share a secret password with a Key Distribution Center (KDC). The user, Alice, who wishes to communicate with another user, Bob, authenticates to the KDC and is furnished a “ticket” by the KDC to use to authenticate with Bob. When Kerberos authentication is based on passwords, the protocol is known to be vulnerable to off-line dictionary attacks by eavesdroppers who capture the initial user-to-KDC exchange.
- key n. 
See: cryptographic key.
- key agreement n. 
RFC 2828 (2000)
… algorithm or protocol
(I) A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each computes the same key value. i.e., each can independently generate the same key value, but that key cannot be computed by other entities. (See: Diffie-Hellman, key establishment, Key Exchange Algorithm, key transport.)
(O) “A method for negotiating a key value on line without transferring the key, even in an encrypted form, e.g., the Diffie-Hellman technique.” [X509]
(O) “The procedure whereby two different parties generate shared symmetric keys such that any of the shared symmetric keys is a function of the information contributed by all legitimate participants, so that no party [alone] can predetermine the value of the key.” [A9042]
(C) For example, a message originator and the intended recipient can each use their own private key and the other’s public key with the Diffie-Hellman algorithm to first compute a shared secret value and, from that value, derive a session key to encrypt the message.
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
The process of establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key.
- key authentication n. 
RFC 2828 (2000)
(N) “The assurance of the legitimate participants in a key agreement that no non-legitimate party possesses the shared symmetric key.” [A9042]
- key bundle n. 
NIST IR 7298 (2006)
SP 800-67
The three cryptographic keys (Key1, Key2, Key3) that are used with a Triple Data Encryption Algorithm mode.
- key center n. 
RFC 2828 (2000)
(I) A centralized key distribution process (used in symmetric cryptography), usually a separate computer system, that uses key-encrypting keys (master keys) to encrypt and distribute session keys needed in a community of users.
(C) An ANSI standard [A9017] defines two types of key center: key distribution center and key translation center.
- key confirmation n. 
RFC 2828 (2000)
(N) “The assurance of the legitimate participants in a key establishment protocol that the intended parties sharing the symmetric key actually possess the shared symmetric key.” [A9042]
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996, ISO/IEC 11770-2: 1996
The assurance for one entity that another identified entity is in possession of the correct key.
- key confirmation from A to B n.
SC 27 SD 6 (2002)
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
The assurance for entity B that entity A is in possession of the correct key.
- key control n.
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996, ISO/IEC 11770-2: 1996, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
The ability to choose the key, or the parameters used in the key computation.
- key derivation function n.
SC 27 SD 6 (2002)
ISO/IEC FDIS 15946-3 (02/2001)
A key derivation function outputs one or more shared secrets, used as keys, given shared secrets and other mutually known parameters as input.
- key distribution n. 
RFC 2828 (2000)
(I) A process that delivers a cryptographic key from the location where it is generated to the locations where it is used in a cryptographic algorithm. (See: key management.)
- key distribution center (KDC) n. 
RFC 2828 (2000)
(I) A type of key center (used in symmetric cryptography) that implements a key distribution protocol to provide keys (usually, session keys) to two (or more) entities that wish to communicate securely. (See: key translation center.)
(C) A KDC distributes keys to Alice and Bob, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the KDC, and (c) may not be able to generate or acquire keys by themselves. Alice requests the keys from the KDC. The KDC generates or acquires the keys and makes two identical sets. The KDC encrypts one set in the KEK it shares with Alice, and sends that encrypted set to Alice. The KDC encrypts the second set in the KEK it shares with Bob, and either sends that encrypted set to Alice for her to forward to Bob, or sends it directly to Bob (although the latter option is not supported in the ANSI standard [A9017]).
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996
An entity trusted to generate or acquire, and distribute keys to entities that each share a key with the KDC.
- key distribution service n.
SC 27 SD 6 (2002)
ISO/IEC FDIS 15945 (10/2000)
The service of distributing keys securely to authorized entities performed by a Key Distribution Center and described in ISO/IEC 11770-1.
- key encapsulation n. 
See: (secondary definition under) key recovery.
- key-encrypting key (KEK) n. 
RFC 2828 (2000)
(I) A cryptographic key that is used to encrypt other keys, either DEKs or other KEKs, but usually is not used to encrypt application data.
- key escrow, - key escrow system n. 
See: (secondary definition under) key recovery.
- key establishment n. 
RFC 2828 (2000)
… algorithm or protocol
(I) A process that combines the key generation and key distribution steps needed to set up or install a secure communication association. (See: key agreement, key transport.)
(O) “The procedure to share a symmetric key among different parties by either key agreement or key transport.” [A9042]
(C) Key establishment involves either key agreement or key transport:
  • Key transport: One entity generates a secret key and securely sends it to the other entity. (Or each entity generates a secret value and securely sends it to the other entity, where the two values are combined to form a secret key.)
  • Key agreement: No secret is sent from one entity to another. Instead, both entities, without prior arrangement except a public exchange of data, compute the same secret value. i.e., each can independently generate the same value, but that value cannot be computed by other entities.
SC 27 SD 6 (2002)
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
The process of making available a shared secret key to one or more entities. Key establishment includes key agreement and key transport.
NIST IR 7298 (2006)
FIPS 140-2
The process by which cryptographic keys are securely distributed among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).
- key exchange n. 
NIST IR 7298 (2006)
SP 800-32; CNSSI-4009 Adapted
The process of exchanging public keys in order to establish secure communications.
- Key Exchange Algorithm (KEA) n. 
RFC 2828 (2000)
(N) A key agreement algorithm [NIST] that is similar to the Diffie-Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the “Secret” level by NSA. (See: CAPSTONE chip, CLIPPER chip, FORTEZZA, SKIPJACK.)
(C) On 23 June 1998, the NSA announced that KEA had been declassified.
- key expansion n. 
NIST IR 7298 (2006)
FIPS 197
Routine used to generate a series of round keys from the cipher key.
- key generation n. 
RFC 2828 (2000)
(I) A process that creates the sequence of symbols that comprise a cryptographic key. (See: key management.)
- key generating function n.
SC 27 SD 6 (2002)
ISO/IEC 11770-2: 1996
A function which takes as input a number of parameters, at least one of which shall be secret, and which gives as output keys appropriate for the intended algorithm and application. The function shall have the property that it shall be computationally infeasible to deduce the output without prior knowledge of the secret input.
- key generation exponent n.
SC 27 SD 6 (2002)
ISO/IEC 14888-2: 1999
A positive integer known only to the trusted third party.
- key generation material n. 
NIST IR 7298 (2006)
SP 800-32
Random numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.
- key generator n. 
RFC 2828 (2000)
1. (I) An algorithm that uses mathematical rules to deterministically produce a pseudo-random sequence of cryptographic key values.
2. (I) An encryption device that incorporates a key generation mechanism and applies the key to plaintext (e.g., by exclusive OR-ing the key bit string with the plaintext bit string) to produce ciphertext.
- key loader n. 
NIST IR 7298 (2006)
FIPS 140-2
A self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module.
- key length n. 
RFC 2828 (2000)
(I) The number of symbols (usually bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)
- key lifetime n. 
RFC 2828 (2000)
(N) MISSI usage: An attribute of a MISSI key pair that specifies a time span that bounds the validity period of any MISSI X.509 public-key certificate that contains the public component of the pair. (See: cryptoperiod.)
- key management n. 
RFC 2828 (2000)
(I) The process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the material. (See: key distribution, key escrow, keying material, public-key infrastructure.)
(O) “The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy.” [I7498 Part 2]
(O) “The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs, counters) during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.” [FP140]
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996
The administration and use of the generation, registration, certification, deregistration, distribution, installation, storage, archiving, revocation, derivation and destruction of keying material in accordance with a security policy.
NIST IR 7298 (2006)
FIPS 140-2
The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.
- Key Management Protocol (KMP) n. 
RFC 2828 (2000)
(N) A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.)
- key material identifier (KMID) n. 
RFC 2828 (2000)
(N) MISSI usage: A 64-bit identifier that is assigned to a key pair when the public key is bound in a MISSI X.509 public-key certificate.
- key pair n. 
RFC 2828 (2000)
(I) A set of mathematically related keys – a public key and a private key – that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key (e.g., see: Diffie-Hellman, Rivest-Shamir-Adleman).
(C) A key pair’s owner discloses the public key to other system entities so they can use the key to encrypt data, verify a digital signature, compute a protected checksum, or generate a key in a key agreement algorithm. The matching private key is kept secret by the owner, who uses it to decrypt data, generate a digital signature, verify a protected checksum, or generate a key in a key agreement algorithm.
NIST IR 7298 (2006)
SP 800-32
Two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and 2) even knowing one key, it is computationally infeasible to discover the other key.
SP 800-21 [2ndEd]; CNSSI-4009 Adapted
A public key and its corresponding private key; a key pair is used with a public key algorithm.
- key recovery n. 
1. (in a cryptanalytical attack)
RFC 2828 (2000)
(I) A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis.)
2. (in information security management)
RFC 2828 (2000)
(I) Techniques that provide an intentional, alternate (i.e., secondary) means to access the key used for data confidentiality service in an encrypted association. [DOD4]
(C) We assume that the encryption mechanism has a primary means of obtaining the key through a key establishment algorithm or protocol. For the secondary means, there are two classes of key recovery techniques – key escrow and key encapsulation:
  • key escrow: A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called escrow agents, so that the key can be recovered and used in specified circumstances. Key escrow is typically implemented with split knowledge techniques. For example, the Escrowed Encryption Standard [FP185] entrusts two components of a device-unique split key to separate escrow agents. The agents provide the components only to someone legally authorized to conduct electronic surveillance of telecommunications encrypted by that specific device. The components are used to reconstruct the device-unique key, and it is used to obtain the session key needed to decrypt communications.
  • key encapsulation: A key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that that only certain third parties called recovery agents can perform the decryption operation to retrieve the stored key. Key encapsulation typically allows direct retrieval of the secret key used to provide data confidentiality.
NIST IR 7298 (2006)
SP 800-32
key escrow
A deposit of the private key of a subscriber and other pertinent information pursuant to an escrow agreement or similar contract binding upon the subscriber, the terms of which require one or more agents to hold the subscriber’s private key for the benefit of the subscriber, an employer, or other party, upon provisions set forth in the agreement.
FIPS 185
key escrow
The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders.
FIPS 185
key escrow system
A system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").
- key space n. 
RFC 2828 (2000)
(I) The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)
- key token n.
SC 27 SD 6 (2002)
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
Key management message sent from one entity to another entity during the execution of a key management mechanism.
- key translation center (KTC) n. 
RFC 2828 (2000)
(I) A type of key center (used in a symmetric cryptography) that implements a key distribution protocol to convey keys between two (or more) parties who wish to communicate securely. (See: key distribution center.)
(C) A key translation center translates keys for future communication between Bob and Alice, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the center, and (c) have the ability to generate or acquire keys by themselves. Alice generates or acquires a set of keys for communication with Bob. Alice encrypts the set in the KEK she shares with the center and sends the encrypted set to the center. The center decrypts the set, reencrypts the set in the KEK it shares with Bob, and either sends that encrypted set to Alice for her to forward to Bob, or sends it directly to Bob (although direct distribution is not supported in the ANSI standard [A9017]).
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996
An entity trusted to translate keys between entities that each share a key with the KTC.
- key transport n. 
RFC 2828 (2000)
key transport (algorithm or protocol)
(I) A key establishment method by which a secret key is generated by one entity in a communication association and securely sent to another entity in the association. (See: key agreement.)
(O) “The procedure to send a symmetric key from one party to other parties. As a result, all legitimate participants share a common symmetric key in such a way that the symmetric key is determined entirely by one party.” [A9042]
(C) For example, a message originator can generate a random session key and then use the Rivest-Shamir-Adleman algorithm to encrypt that key with the public key of the intended recipient.
SC 27 SD 6 (2002)
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
The process of transferring a key from one entity to another entity, suitably protected.
NIST IR 7298 (2006)
FIPS 140-2
The secure transport of cryptographic keys from one cryptographic module to another module.
- key update n. 
RFC 2828 (2000)
(I) Derive a new key from an existing key. (See: certificate rekey.)
- key validation n. 
RFC 2828 (2000)
(N) “The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks.” [A9042]
- key wrap n. 
NIST IR 7298 (2006)
SP 800-56
A method of encrypting keys (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.
- keyed hash n. 
RFC 2828 (2000)
(I) A cryptographic hash (e.g., [R1828]) in which the mapping to a hash result is varied by a second input parameter that is a cryptographic key. (See: checksum.)
(C) If the input data object is changed, a new hash result cannot be correctly computed without knowledge of the secret key. Thus, the secret key protects the hash result so it can be used as a checksum even when there is a threat of an active attack on the data. There are least two forms of keyed hash:
  • A function based on a keyed encryption algorithm. (e.g., see: Data Authentication Code.)
  • A function based on a keyless hash that is enhanced by combining (e.g., by concatenating) the input data object parameter with a key parameter before mapping to the hash result. (e.g., see: HMAC.)
- keyed-hash-based message authentication code (HMAC) n. 
See: hash-based message authentication code.
- keying material n. 
RFC 2828 (2000)
(I) Data (such as keys, key pairs, and initialization values) needed to establish and maintain a cryptographic security association.
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996
The data (e.g. keys, initialisation values) necessary to establish and maintain cryptographic keying relationships.
- keystroke monitoring n. 
NIST IR 7298 (2006)
SP 800-12
The process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
- keystroke verification n. 
ISO/IEC 2382-8:1998
The determination of the accuracy of data entry by the re-entry of the same data through a keyboard.
- KMID n. 
See: key material identifier.
- known-plaintext attack n. 
ISO/IEC 2382-8:1998
An analytical attack in which a cryptanalyst possesses a substantial quantity of corresponding plaintext and ciphertext.
RFC 2828 (2000)
(I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as the knowing the cryptographic algorithm).
- KTC n. 
See: key translation center.
The originals sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both ―
GFDL The GNU Free Documentation License   Creative Commons License A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
URL http://homepage.mac.com/antallan/gistk.html History Last updated Friday 12 December 2008

Made on a MacBuilt with BBEdit In Association with Amazon.co.uk Valid XHTML 1.0! Valid CSS!