This glossary contains definitions of special terms and abbreviations used in the SSH Tectia user documentation. For more information on terms related to Internet security, see RFC 2828.
- Advanced Encryption Standard (AES)
AES is the current U.S. government standard for a symmetric encryption algorithm. AES is based on the Rijndael block cipher. It has a block size of 128 bits and a variable key length of 128, 192, or 256 bits. AES is defined in FIPS 197.
ASCII (American Standard Code for Information Interchange) is an 8-bit character encoding (including a parity bit) commonly used by computers to represent characters of the keyboard.
Arcfour is a symmetric stream cipher with a variable key size. It has been tested to be equivalent of the RC4 cipher by RSA Security.
Authentication is the process of verifying that the remote entity is who it claims to be. Authentication includes, for example, verifying that the correct password for the given user account has been entered, but it does not include determining what file system permissions the user has (authorization).
- base-64 encoding
A method of representing six-bit strings of binary data (values 0-63) using 64 ASCII characters. Base-64 encoding was originally used with Privacy Enhanced Mail (PEM), thus it is sometimes referred to as PEM encoding.
- block cipher
A type of symmetric (secret-key) encryption algorithm that encrypts a fixed length block of plaintext (for example, 64 bits) at a time. With a block cipher, the same plaintext block will always encrypt to the same ciphertext block under the same key.
A symmetric block cipher, Blowfish uses a block size of 64 bits and a key length of 32 to 448 bits.
Certificates are digital documents that are used for verifying the identity of communicating parties. In this documentation, the term certificate is commonly used to refer to X.509 public-key certificates. A public-key certificate binds identity information about an entity to the entity's public key for a certain validity period.
- Certificate Management Protocol (CMP)
CMP defines online interactions between the end entities, the registration authorities, and the certification authority in a PKI. It is defined in RFC 4210.
- certificate revocation list (CRL)
CRL is a signed list containing the serial numbers of the certificates that have been revoked or suspended by the certificate issuer (the CA) before their expiration date. The CA usually issues new CRLs at frequent intervals. Current PKIX implementation of CRLs is the X.509 version 2 CRL. See RFC 3280 for more information.
- certification authority (CA)
An entity in a PKI that issues digital certificates (especially X.509 public-key certificates) and vouches for the binding between the data items in a certificate.
Certificate users (end entities) depend on the validity of information provided by a certificate. Thus, a CA should be someone that the end entities trust, and who usually holds an official position created by and granted power by a government, a corporation, or some other organization.
A security service that protects data from unauthorized disclosure. Usually, unauthorized disclosure of application level data is the primary concern, but the disclosure of the external characteristics of communication can also be a concern in some circumstances. The traffic flow confidentiality service addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication.
- Connection Broker
The Connection Broker is a component of SSH Tectia Client, SSH Tectia ConnectSecure, and SSH Tectia MFT Events. It handles all cryptographic operations and authentication-related tasks.
CryptiCore was introduced in 2005 by the Danish data security company Cryptico. It is a set of algorithms consisting of the Rabbit stream cipher, which uses a 128-bit key, and Badger data integrity algorithm. CryptiCore enables very fast encryption and integrity checking performance, for example, when used with Secure Shell.
- Data Encryption Standard (DES)
DES is a U.S. government standard that defines the Data Encryption Algorithm (DEA).
The algorithm itself is a symmetric block cipher with a block size of 64 bits and a key length of 64 bits (of which 8 are parity bits). It was created in the 1970s by IBM, assisted by the U.S. National Security Agency (NSA).
DES is no longer considered secure, but its improved variant 3DES (also known as TDEA) is still in widespread use. DEA and TDEA are defined in FIPS 46-3.
- Diffie-Hellman key exchange
A method for key exchange between two parties. This method can be used to generate an unbiased secret key over an unsecured medium. The method has many variants. A well known attack called the man-in-the-middle attack forces the use of digital signatures or other means of authentication with the Diffie-Hellman protocol.
- Digital Signature Algorithm (DSA)
DSA is a digital signature algorithm, invented by the U.S. National Security Agency (NSA). It is defined in the Digital Signature Standard (DSS), FIPS 186-2, alongside with the SHA-1 hash algorithm.
EBCDIC (Extended Binary Coded Decimal Interchange Code) is an 8-bit character encoding used by IBM mainframes and other platforms to represent text. EBCDIC was designed in 1964 by IBM and it was the predecessor to ASCII. All IBM mainframe operating systems still use EBCDIC.
A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext), to provide confidentiality. The inverse transformation process is called decryption.
- Federal Information Processing Standard (FIPS)
FIPS is a series of U.S. Government technical standards published by the National Institute of Standards and Technology (NIST).
- Generic Security Service Application Programming Interface (GSSAPI)
GSSAPI is a function interface that provides security services for applications in a mechanism-independent way. This allows different security mechanisms to be used via one standardized API. GSSAPI is often linked with Kerberos, which is the most common mechanism of GSSAPI. GSSAPI provides support for Windows domain authentication with Active Directory on Windows and Unix. GSSAPI is described in RFC 2743.
- hash function
- hashed message authentication code (HMAC)
A hashed message authentication code (HMAC) is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. As with any MAC, it can be used to verify both the data integrity and data origin authenticity.
Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC. The resulting MAC algorithms are termed HMAC-MD5 or HMAC-SHA-1, respectively. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function and on the size and quality of the key.
A security service that ensures that data modifications are detectable. Although authentication and integrity services are often cited separately, in practice they are intimately connected and almost always offered together.
Keyboard-Interactive is a generic authentication method in Secure Shell, used to implement different types of authentication mechanisms. Any authentication method that requires only the user's input can be performed with keyboard-interactive. In SSH Tectia, currently supported methods include password, PAM, RADIUS, and RSA SecurID.
- Lightweight Directory Access Protocol (LDAP)
LDAP is a protocol for accessing distributed directory services that support the X.500 directory model. The protocol is especially targeted at management applications and browser applications that provide interactive read/write access to directories. LDAPv3 is defined in RFC 4510.
A message-digest algorithm that computes an irreversible 128-bit hash value for a document. The algorithm is documented in RFC 1321.
MD5 is no longer considered secure. Other newer algorithms such as SHA-1 or SHA-256 are recommended instead.
MVS (Multiple Virtual Storage), first released in 1974, is an operating system used on the IBM mainframe computers. Although the original MVS was discontinued several years ago, the term MVS is still commonly used to refer to operating systems based on the same architecture, including OS/390 and the current z/OS.
MVS systems are traditionally accessed by 3270 terminals, or by PCs running TN3270 emulators.
- Online Certificate Status Protocol (OCSP)
In some applications, such as banking and e-commerce, it may be necessary to obtain certificate revocation status that is more timely than is possible with CRLs. OCSP may be used to determine the current revocation status of a digital certificate, instead of or as a supplement to checking against a periodically published CRL. OCSP is described in RFC 2560.
A passphrase is a string of characters. Whereas a password is used for authentication directly, a passphrase is only used to protect the actual information used for authentication, the private key.
A password is a string of characters such as numbers, letters and special characters, used for authenticating an entity against another. The strength of a password is measured by its "randomness", called entropy. If a password has a high level of entropy, it is difficult to guess using dictionary attacks.
- Pluggable Authentication Module (PAM)
Pluggable Authentication Module is an authentication framework used in Unix systems. PAM allows stacking authentication modules and can be used to integrate login with different authentication mechanisms.
- public-key cryptography
In contrast to symmetric (secret-key) cryptography with just one cipher key, in public-key cryptography each person or host has two keys. One is the private key, which is used for signing outgoing messages and decrypting incoming messages, the other is the public key, which is used by others to confirm the authenticity of a signed message coming from that person and for encrypting messages addressed to that person. The private key must not be available to anyone but its owner, but the public key is spread via trusted channels to anyone.
- Public-Key Cryptography Standards (PKCS)
The PKCS standards are a document series from RSA Laboratories. Some of the most important PKCS standards include:
PKCS #1 for RSA encryption and signature formats
PKCS #7 for cryptographic message encapsulation
PKCS #8 for private-key information syntax
PKCS #10 for certification requests
PKCS #11 for a cryptographic token interface commonly used with smart cards
PKCS #12 for storing or transporting a user's private keys, certificates, and miscellaneous secrets
- public-key infrastructure (PKI)
PKI consists of end entities possessing key pairs, certification authorities, certificate repositories (directories), and all the other software, components, and entities required when utilizing public-key cryptography.
- Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a protocol for checking a user's authentication and authorization information from a remote server. It is originally intended for authenticating dial-in users, but it is also suitable for use with Secure Shell. RADIUS is described in RFC 2865.
- Request For Comments (RFC)
A document of the Internet Engineering Task Force (IETF) under standardization. RFCs can be located at the IETF web site at http://www.ietf.org/rfc.html.
- Resource Access Control Facility (RACF)
Resource Access Control Facility (RACF) is a security system by IBM that provides access control and auditing functionality for the z/OS operating system.
RSA is a public-key encryption and digital signature algorithm, invented by Ron Rivest, Adi Shamir, and Leonard Adleman, and defined in PKCS #1. The RSA algorithm was patented by RSA Security, but the patent expired in September 2000.
- Secure File Transfer Protocol (SFTP)
The Secure File Transfer Protocol (SFTP) is a de-facto industry standard for securing transfer of files over the network. SFTP is natively supported by the SSH Tectia client/server solution.
SFTP is not technically related to the unsecured File Transfer Protocol (FTP), but the use of SFTP client programs is similar to that of FTP. The server side runs a Secure Shell version 2 server with the SFTP subsystem enabled.
- Secure Shell (SecSh)
The Secure Shell (SecSh) protocol was originally developed in 1995 by Tatu Ylönen, the founder of SSH Communications Security. Secure Shell replaces other, unsecured terminal applications (such as Rlogin, Telnet, and FTP), and allows forwarding arbitrary TCP/IP ports over the secure channel, enabling secure connection, for example, to an e-mail service.
There are two versions of the Secure Shell protocol. The current version, Secure Shell version 2 (SecSh v2, SSH2) provides several security improvements as compared to the original Secure Shell version 1 (SecSh v1, SSH1). SSH Tectia is based on SSH2, and SSH Communications Security considers SSH1 deprecated and does not recommend nor support its use anymore. The SSH2 protocol is defined in RFCs 4250-4256.
RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. The Authenticator token generates a random numerical code that the user needs to enter when connecting to a system. RSA ACE/Agent is used to verify the code. RSA ACE/Server acts as the management component handling the authentication requests and managing the authentication policies for enterprise networks.
A strong block cipher, SEED uses a block size of 128 bits and a key length of 128 bits. SEED is a national standard encryption algorithm in South Korea. It has also been adopted as an ISO/IEC standard (ISO/IEC 18033-3) and an IETF RFC (RFC 4269).
SHA-1 is an improved version of the original Secure Hash Algorithm (SHA), designed by National Security Agency (NSA). The algorithm produces a 160-bit message digest. It is defined in FIPS 180-1 and it is also part of the Digital Signature Standard (DSS), FIPS 186-2.
SOCKS is a protocol for traversing through application gateway firewalls. It allows an application inside the firewall to access resources on the global Internet. The protocol is defined in RFC 1928.
- SSH Tectia client/server solution
The SSH Tectia client/server solution consists of SSH Tectia Client, SSH Tectia ConnectSecure, SSH Tectia Server, SSH Tectia Server for Linux on IBM System z and SSH Tectia Server for IBM z/OS.
- SSH Tectia Client
SSH Tectia Client provides secure interactive file transfer and terminal client functionality for remote users and system administrators to access and manage servers running SSH Tectia Server or other applications using the Secure Shell protocol. It also supports (non-transparent) tunneling of TCP-based applications, and on Windows, transparent TCP tunneling.
- SSH Tectia ConnectSecure
SSH Tectia ConnectSecure is designed for FTP replacement. It is a client-side product that provides FTP-SFTP Conversion, enhanced file transfer, and transparent FTP and TCP tunneling services for connecting to a Secure Shell server.
- SSH Tectia MFT Auditor
SSH Tectia MFT Auditor is a central system for auditing SSH Tectia and OpenSSH file transfers and commands in large environments. It offers tools for statistical analysis, monitoring, planning, and troubleshooting.
- SSH Tectia MFT Events
SSH Tectia MFT Events is designed for automating file transfer and command events and for monitoring their performance. SSH Tectia MFT Events is typically installed on a server host and it is capable of connecting to any standard Secure Shell server.
- SSH Tectia Manager
SSH Tectia Manager is a security management platform designed to reduce the total cost of ownership of large multi-platform SSH Tectia environments. It enables administrators to enforce consistent security policy and to more efficiently monitor the state of their SSH Tectia security environments.
- SSH Tectia Server
SSH Tectia Server is a server-side component where Secure Shell clients connect to. There are three versions of the product available: SSH Tectia Server for Linux, Unix and Windows, SSH Tectia Server for Linux on IBM System z, and SSH Tectia Server for IBM z/OS.
- stream cipher
A type of symmetric (secret-key) encryption algorithm that encrypts a single bit at a time. With a stream cipher, the same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.
- Telnet 3270
TN3270 is a remote-login protocol used by IBM 3270 mainframe computer terminal emulators. Like standard Telnet, TN3270 is natively unsecured.
- Transport Layer Security (TLS)
Transport Layer Security is a protocol providing confidentiality, authentication, and integrity for stream-like connections. It is typically used to secure HTTP connections. TLS is defined in RFC 5246.
A strong and fast block cipher, Twofish was one of the five final candidates for the U.S. Advanced Encryption Standard. Twofish uses a block size of 128 bits and a key length of up to 256 bits.
- Unix System Services (USS)
Unix System Services (USS) is a component of the IBM z/OS operating system. It allows Unix applications from other platforms to run on IBM mainframes.
The ITU-T X.509 recommendation defines the formats for X.509 certificate and X.509 CRL. Different X.509 applications are further defined by the PKIX Working Group of the IETF. These include X.509 version 3 public-key certificates and X.509 version 2 CRLs.