- CA
- See Certification Authority.
- CA certificate
- Identifies the Certification Authority (CA) that issues server and/or client authentication certificates to the servers and clients that request these certificates. Because it contains a public key used in digital signatures, it is also referred to as a signature certificate. If the CA is a root authority, the CA certificate may be referred to as a root certificate. Also sometimes known as a site certificate.
- CA hierarchy
- A Certification Authority (CA) hierarchy contains multiple CAs. It is organized such that each CA is certified by another CA in a higher level of the hierarchy until the top of the hierarchy, also known as the root authority, is reached.
- CALG_DH_EPHEM
- The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of ephemeral keys.
See also Diffie-Hellman (ephemeral) key-exchange algorithm.
- CALG_DH_SF
- The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of store-and-forward keys.
See also Diffie-Hellman (store and forward) key-exchange algorithm.
- CALG_HMAC
- The CryptoAPI algorithm identifier for the Hash-Based Message Authentication Code algorithm.
See also HMAC.
- CALG_MAC
- The CryptoAPI algorithm identifier for the Message Authentication Code algorithm.
See also Message Authentication Code algorithm.
- CALG_MD2
- The CryptoAPI algorithm identifier for the MD2 hash algorithm.
See also MD2 algorithm.
- CALG_MD5
- The CryptoAPI algorithm identifier for the MD5 hash algorithm.
See also MD5 algorithm.
- CALG_RC2
- The CryptoAPI algorithm identifier for the RC2 block cipher algorithm.
See also RC2 block algorithm.
- CALG_RC4
- The CryptoAPI algorithm identifier for the RC4 stream cipher algorithm.
See also RC4 stream algorithm.
- CALG_RSA_KEYX
- The CryptoAPI algorithm identifier for the RSA public-key algorithm when used for key exchange.
See also RSA public-key algorithm.
- CALG_RSA_SIGN
- The CryptoAPI algorithm identifier for the RSA public-key algorithm when used to generate digital signatures.
See also RSA public-key algorithm.
- CALG_SHA
- The CryptoAPI algorithm identifier for the Secure Hash Algorithm (SHA-1).
See also Secure Hash Algorithm.
- CAST
- A family of DES-like symmetric block ciphers developed by C. M. Adams and S. E. Tavares.
PROV_MS_EXCHANGE provider types specify a particular CAST algorithm that uses a 64-bit block size.
- CBC
- See Cipher Block Chaining.
- certificate
- A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.
Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature.
- certificate BLOB
- A BLOB containing the certificate data.
A certificate BLOB is created by calls to CryptEncodeObject. The process is complete when the output of the call contains all the certificate data.
- certificate context
- A CERT_CONTEXT structure that contains a handle to a certificate store, a pointer to the original encoded certificate BLOB, a pointer to a CERT_INFO structure, and an encoding type member. It is the CERT_INFO structure that contains most of the certificate information.
- certificate encode/decode functions
- Functions that manage the translation of certificates and related material into standard, binary formats that can be used in different environments.
- certificate encoding type
- Defines how the certificate is encoded. The certificate encoding type is stored in the low-order word of the encoding type (DWORD) structure.
- certificate name BLOB
- An encoded representation of the name information that is included in certificates. Each name BLOB is mapped to a CERT_NAME_BOLB structure.
For example, the issuer and subject information referenced by a CERT_INFO structure is stored in two CERT_NAME_BLOB structures.
- certificate policy
- A named set of rules indicating the applicability of certificates for a specific class of applications with common security requirements. Such a policy might, for example, limit certain certificates to electronic data interchange transactions within given price limits.
- certificate request
- A specially formatted electronic message (sent to a CA) used to request a certificate. The request must contain the information required by the CA to authenticate the request, plus the public key of the entity requesting the certificate.
All the information necessary to create the request is mapped to a CERT_REQUEST_INFO structure.
- certificate revocation list (CRL)
- A document maintained and published by a certification authority (CA) that lists certificates issued by the CA that are no longer valid.
- certificate server
- A server that issues certificates for a particular CA. The certificate server software provides customizable services for issuing and managing certificates used in security systems employing public-key cryptography.
- Certificate Services
- A service in Microsoft® Windows NT®/Windows® 2000 that enables a certificate server to manage the process of issuing certificates across the Internet, corporate intranets, and other networks.
- certificate store
- Typically, a permanent storage where certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs) are stored. It is possible, however, to create and open a certificate store solely in memory when working with certificates that do not need to be put in permanent storage.
The certificate store is central to much of the certificate functionality in the CryptoAPI.
- certificate store functions
- Functions that manage the storage and retrieval data such as certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs).
These functions can be separated into common certificate functions, certificate revocation list functions, and certificate trust list functions.
- certificate trust list (CTL)
- A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.
- certification authority (CA)
- An entity entrusted to issue certificates asserting that the recipient individual, machine or organization requesting the certificate fulfills the conditions of an established policy.
- CFB
- See Cipher Feedback.
- chaining mode
- A block cipher mode that introduces feedback by combining ciphertext and plaintext.
See also Cipher Block Chaining.
- cipher
- A cryptographic algorithm used to encrypt data, to transform plaintext into ciphertext using a predefined key.
- Cipher Block Chaining
- (CBC) A method of operating a symmetric block cipher that uses feedback to combine previously generated ciphertext with new plaintext.
Each plaintext block is combined with the ciphertext of the previous block by a bitwise XOR before it is encrypted. Combining ciphertext and plaintext ensures that even if the plaintext contains many identical blocks, they will each encrypt to a different ciphertext block.
When the Microsoft Base Cryptographic Provider is used, CBC is the default cipher mode.
- Cipher Block Chaining (CBC) MAC
- A block cipher method that encrypts the base data with a block cipher and then uses the last encrypted block as the hash value. The encryption algorithm used to build the MAC is the one that was specified when the session key was created.
- Cipher Feedback
- (CFB) A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.
This mode uses a shift register that is one block size in length and divided into sections. For example, if the block size is 64 bits with eight bits processed at a time, then the shift register would be divided into eight sections.
- cipher mode
- A block cipher mode (each block is encrypted individually) that can be specified via the CryptSetKeyParam function. If the application does not explicitly specify one of these modes, then the cipher block chaining (CBC) cipher mode is used.
ECB: A block cipher mode that uses no feedback.
CBC: A block cipher mode that introduces feedback by combining ciphertext and plaintext.
CFB: A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.
OFB: A block cipher mode that uses feedback similar to CFB.
- ciphertext
- A message that has been encrypted.
- cleartext
- See plaintext.
- client
- The application, rather than the server application, that initiates a connection to a server.
Compare with server.
- client certificate
- Refers to a certificate used for client authentication, such as authenticating a Web browser on a Web server. When a Web browser client attempts to access a secured Web server, the client sends its certificate to the server to allow it to verify the client's identity.
- communication protocol
- The method in which data is serialized (converted to a string of ones and zeros) and deserialized. The protocol is controlled by both software and data-transmission hardware.
Typically discussed in terms of layers, a simplified communication protocol might consist of an application layer, encode/decode layer, and hardware layer.
- context
- The security data relevant to a connection. A context contains information such as a session key, duration of the session.
- context function
- Functions used to connect to a cryptographic service provider (CSP). These functions enable applications to choose a specific CSP by name, or get one with a needed class of functionality.
- countersignature
- A signature added to an existing signature in a message. A countersignature is used to sign an existing signature's encrypted hash or time stamp a message.
A countersignature is added by calling CryptMsgCountersign or CryptCountersignEncoded.
- credentials
- Data used by a principal to establish its own identity, such as a password, or a Kerberos protocol ticket.
- CRL
- See Certificate Revocation List.
- CRYPT_ASN_ENCODING
- Specifies certificate encoding. Certificate encoding types are stored in the low-order word of a DWORD (value is: 0x00000001).
Functionally the same as X509_ASN_ENCODING.
- cryptoanalysis
- Cryptoanalysis is the art and science of breaking ciphertext. In contrast, the art and science of keeping messages secure is cryptography.
- CryptoAPI
- Microsoft® Cryptographic API, an application programming interface that enables application developers to add authentication, encoding, and encryption to Win32®-based applications.
- cryptographic algorithm
- A mathematical function used for encryption and decryption. Most cryptographic algorithms are based on a substitution cipher, a transposition cipher, or a combination of both.
- Cryptographic API
- See CryptoAPI.
- Cryptographic Digest
- A one-way hash function that takes a variable-length input string and converts it to a fixed-length output string (called a cryptographic digest.) This fixed-length output string is probabilistically unique for every different input string and thus can act as a fingerprint of a file. When a file with a cryptographic digest is downloaded, the receiver recomputes the digest. If the output string matches the digest contained in the file, the receiver has proof that the received file was not tampered with and is identical to the file originally sent.
- cryptographic key
- The session (symmetric) key used during the encryption and decryption processes, and the public and private keys used during the authentication process. Of these three keys, the session key and private key must always remain secret.
- cryptographic service provider (CSP)
- An independent software module that actually performs cryptography algorithms for authentication, encoding, and encryption.
- cryptography
- The art and science of information security. It includes information confidentiality, data integrity, entity authentication, and data origin authentication.
- cryptology
- The branch of mathematics that encompasses both cryptography and cryptoanalysis.
- CryptoSPI
- The system program interface used with a cryptographic service provider (CSP).
- CSP
- See cryptographic service provider.
- CSP family
- A unique group of CSPs that use the same set of data formats and perform their function in the same way. Even when two CSP families use the same algorithm (for example, the RC2 block cipher), their different padding schemes, keys lengths, or default modes make each group distinct.
The CryptoAPI has been designed so that each CSP type represents a particular family.
- CSP name
- The textual name of the CSP. If the CSP has been signed by Microsoft, this name must exactly match the CSP name that was specified in the Export Compliance Certificate (ECC).
- CSP type
- Indicates the CSP family associated with a provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to that CSP type.
- CTL
- See certificate trust list.
- CYLINK_MEK
- An encryption algorithm that uses a 40-bit variant of a DES key where 16 bits of the 56-bit DES key are set to zero. This algorithm is implemented as specified in the IETF Draft specification for 40-bit DES. The draft specification, at the time of this writing can be found at ftp://ftp.ietf.org/internet-drafts/draft-hoffman-des40-02.txt. This algorithm is used with the ALG_ID value CALG_CYLINK_MEK