This glossary contains definitions of special terms and abbreviations used in the Tectia user documentation. For more information on terms related to Internet security, see RFC 2828.

Advanced Encryption Standard (AES)

AES is the current U.S. government standard for a symmetric encryption algorithm. AES is based on the Rijndael block cipher. It has a block size of 128 bits and a variable key length of 128, 192, or 256 bits. AES is defined in FIPS 197.

base-64 encoding

A method of representing six-bit strings of binary data (values 0-63) using 64 ASCII characters. Base-64 encoding was originally used with Privacy Enhanced Mail (PEM), thus it is sometimes referred to as PEM encoding.

block cipher

A type of symmetric (secret-key) encryption algorithm that encrypts a fixed length block of plaintext (for example, 64 bits) at a time. With a block cipher, the same plaintext block will always encrypt to the same ciphertext block under the same key.


Certificates are digital documents that are used for verifying the identity of communicating parties. In this documentation, the term certificate is commonly used to refer to X.509 public-key certificates. A public-key certificate binds identity information about an entity to the entity's public key for a certain validity period.

certificate enrollment

Certificate enrollment is an action in which a public key gets certified by a certification authority (CA). In this action a client provides the CA with a public key and some additional data in a certification request. The CA signs this key together with additional information with its own private key and returns the signed certificate to the client.

Certificate Management Protocol (CMP)

CMP defines online interactions between the end entities, the registration authorities, and the certification authority in a PKI. It is defined in RFC 4210.

certificate revocation list (CRL)

CRL is a signed list containing the serial numbers of the certificates that have been revoked or suspended by the certificate issuer (the CA) before their expiration date. The CA usually issues new CRLs at frequent intervals. Current PKIX implementation of CRLs is the X.509 version 2 CRL. See RFC 3280 for more information.

certification authority (CA)

An entity in a PKI that issues digital certificates (especially X.509 public-key certificates) and vouches for the binding between the data items in a certificate.

Certificate users (end entities) depend on the validity of information provided by a certificate. Thus, a CA should be someone that the end entities trust, and who usually holds an official position created by and granted power by a government, a corporation, or some other organization.

certification request

A certification request contains at least the public key and some identity information of the entity making the request, and it is signed with the private key of the entity. Certification requests are generated by end entities or RAs and sent to the CA. If allowed by the certificate policy of the CA, a certificate can be issued based on the request.

Connection Broker

The Connection Broker is a component of Tectia Client, Tectia ConnectSecure, and Tectia MFT Events. It handles all cryptographic operations and authentication-related tasks.

Data Encryption Standard (DES)

DES is a U.S. government standard that defines the Data Encryption Algorithm (DEA).

The algorithm itself is a symmetric block cipher with a block size of 64 bits and a key length of 64 bits (of which 8 are parity bits). It was created in the 1970s by IBM, assisted by the U.S. National Security Agency (NSA).

DES is no longer considered secure, but its improved variant 3DES (also known as TDEA) is still in widespread use. DEA and TDEA are defined in FIPS 46-3.

Diffie-Hellman key exchange

A method for key exchange between two parties. This method can be used to generate an unbiased secret key over an unsecured medium. The method has many variants. A well known attack called the man-in-the-middle attack forces the use of digital signatures or other means of authentication with the Diffie-Hellman protocol.

Digital Signature Algorithm (DSA)

DSA is a digital signature algorithm, invented by the U.S. National Security Agency (NSA). It is defined in the Digital Signature Standard (DSS), FIPS 186-2, alongside with the SHA-1 hash algorithm.


A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext), to provide confidentiality. The inverse transformation process is called decryption.

end entity

An entity in a PKI (other than a CA or an RA) to whom a certificate is issued. The end entity has also the private key counterpart of the public key in the certificate.

Federal Information Processing Standard (FIPS)

FIPS is a series of U.S. Government technical standards published by the National Institute of Standards and Technology (NIST).

Generic Security Service Application Programming Interface (GSSAPI)

GSSAPI is a function interface that provides security services for applications in a mechanism-independent way. This allows different security mechanisms to be used via one standardized API. GSSAPI is often linked with Kerberos, which is the most common mechanism of GSSAPI. GSSAPI provides support for Windows domain authentication with Active Directory on Windows and Unix. GSSAPI is described in RFC 2743.

hash function

An algorithm that computes a short digest of a longer message. The digest is usually of a fixed size. See also MD5 and SHA-1.

hashed message authentication code (HMAC)

A hashed message authentication code (HMAC) is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. As with any MAC, it can be used to verify both the data integrity and data origin authenticity.

Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC. The resulting MAC algorithms are termed HMAC-MD5 or HMAC-SHA-1, respectively. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function and on the size and quality of the key.

host key distribution

In Tectia Manager, host key distribution is a mechanism for automatic distribution of the server host public keys that are used for server authentication when a Secure Shell client connects to a Secure Shell server.

Initial Configuration Block (ICB)

To work, the Management Agent of Tectia Manager requires a data file called Initial Configuration Block (ICB). The ICB is created by the Management Server and it contains pre-configuration information that the Management Agent needs to operate, such as the address of the Management Server and the required authentication credentials.

International Data Encryption Algorithm (IDEA)

A symmetric block cipher with a block size of 64 bits and a key length of 128 bits.

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing distributed directory services that support the X.500 directory model. The protocol is especially targeted at management applications and browser applications that provide interactive read/write access to directories. LDAPv3 is defined in RFC 4510.

Management Agent

A software component which enables managing a host. Management Agent is responsible for communicating with the Management Server, installing, upgrading, monitoring, and controlling the Tectia software on the host according to the management commands from the Management Server.

Management Server

The Management Server runs the management logics, stores the configuration and environment information, and provides management communications to the managed hosts.


A message-digest algorithm that computes an irreversible 128-bit hash value for a document. The algorithm is documented in RFC 1321.

MD5 is no longer considered secure. Other newer algorithms such as SHA-1 or SHA-256 are recommended instead.

Online Certificate Status Protocol (OCSP)

In some applications, such as banking and e-commerce, it may be necessary to obtain certificate revocation status that is more timely than is possible with CRLs. OCSP may be used to determine the current revocation status of a digital certificate, instead of or as a supplement to checking against a periodically published CRL. OCSP is described in RFC 2560.


A passphrase is a string of characters. Whereas a password is used for authentication directly, a passphrase is only used to protect the actual information used for authentication, the private key.


A password is a string of characters such as numbers, letters and special characters, used for authenticating an entity against another. The strength of a password is measured by its "randomness", called entropy. If a password has a high level of entropy, it is difficult to guess using dictionary attacks.

public-key cryptography

In contrast to symmetric (secret-key) cryptography with just one cipher key, in public-key cryptography each person or host has two keys. One is the private key, which is used for signing outgoing messages and decrypting incoming messages, the other is the public key, which is used by others to confirm the authenticity of a signed message coming from that person and for encrypting messages addressed to that person. The private key must not be available to anyone but its owner, but the public key is spread via trusted channels to anyone.

Public-Key Cryptography Standards (PKCS)

The PKCS standards are a document series from RSA Laboratories. Some of the most important PKCS standards include:

  • PKCS #1 for RSA encryption and signature formats

  • PKCS #7 for cryptographic message encapsulation

  • PKCS #8 for private-key information syntax

  • PKCS #10 for certification requests

  • PKCS #11 for a cryptographic token interface commonly used with smart cards

  • PKCS #12 for storing or transporting a user's private keys, certificates, and miscellaneous secrets

public-key infrastructure (PKI)

PKI consists of end entities possessing key pairs, certification authorities, certificate repositories (directories), and all the other software, components, and entities required when utilizing public-key cryptography.


RC2 is a symmetric block cipher that uses a block size of 64 bits and a variable key length.


RC4 is a symmetric stream cipher with a variable key length. RC4 is based on the use of random permutation and its operations are byte-oriented.

registration authority (RA)

An optional entity in a PKI, separate from the CA(s). The functions that the RA performs will vary from case to case but may include identity authentication and name assignment, key generation, token distribution, and revocation reporting.

Request For Comments (RFC)

A document of the Internet Engineering Task Force (IETF) under standardization. RFCs can be located at the IETF web site at


RSA is a public-key encryption and digital signature algorithm, invented by Ron Rivest, Adi Shamir, and Leonard Adleman, and defined in PKCS #1. The RSA algorithm was patented by RSA Security, but the patent expired in September 2000.

Secure File Transfer Protocol (SFTP)

The Secure File Transfer Protocol (SFTP) is a de-facto industry standard for securing transfer of files over the network. SFTP is natively supported by the Tectia client/server solution.

SFTP is not technically related to the unsecured File Transfer Protocol (FTP), but the use of SFTP client programs is similar to that of FTP. The server side runs a Secure Shell version 2 server with the SFTP subsystem enabled.

Secure Shell (SecSh)

The Secure Shell (SecSh) protocol was originally developed in 1995 by Tatu Ylönen, the founder of Tectia (former SSH Communications Security). Secure Shell replaces other, unsecured terminal applications (such as Rlogin, Telnet, and FTP), and allows forwarding arbitrary TCP/IP ports over the secure channel, enabling secure connection, for example, to an e-mail service.

There are two versions of the Secure Shell protocol. The current version, Secure Shell version 2 (SecSh v2, SSH2) provides several security improvements as compared to the original Secure Shell version 1 (SecSh v1, SSH1). Tectia products are based on SSH2, and Tectia Corporation considers SSH1 deprecated and does not recommend nor support its use anymore. The SSH2 protocol is defined in RFCs 4250-4256.


SHA-1 is an improved version of the original Secure Hash Algorithm (SHA), designed by National Security Agency (NSA). The algorithm produces a 160-bit message digest. It is defined in FIPS 180-1 and it is also part of the Digital Signature Standard (DSS), FIPS 186-2.

shared secret

A shared secret, also known as pre-shared key (PSK) or simply shared key, is similar to a password in the sense that it is also used for authentication, but shared keys are often used to authenticate both entities at the same time. If both entities know the shared secret, they are assured of each others' identities.

stream cipher

A type of symmetric (secret-key) encryption algorithm that encrypts a single bit at a time. With a stream cipher, the same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.

Tectia client/server solution

The Tectia client/server solution consists of Tectia Client, Tectia ConnectSecure, Tectia Server, Tectia Server for Linux on IBM System z and Tectia Server for IBM z/OS.

Tectia Client

Tectia Client provides secure interactive file transfer and terminal client functionality for remote users and system administrators to access and manage servers running Tectia Server or other applications using the Secure Shell protocol. It also supports (non-transparent) tunneling of TCP-based applications, and on Windows, transparent TCP tunneling.

Tectia ConnectSecure

Tectia ConnectSecure is designed for FTP replacement. It is a client-side product that provides FTP-SFTP Conversion, enhanced file transfer, and transparent FTP and TCP tunneling services for connecting to a Secure Shell server.

Tectia Manager

Tectia Manager is a central system for managing Tectia and OpenSSH security software, and for auditing Tectia and OpenSSH file transfers and commands in large environments. It offers tools for statistical analysis, monitoring, planning, and troubleshooting. Tectia Manager is designed for large multi-platform environments, where centralized management of security software reduces the total cost of ownership and enables administrators to enforce consistent security policy, and to more efficiently monitor the state of their Tectia security environment.

Tectia MFT Events

Tectia MFT Events is designed for automating file transfer and command events and for monitoring their performance. Tectia MFT Events is typically installed on a server host and it is capable of connecting to any standard Secure Shell server.

Tectia Server

Tectia Server is a server-side component where Secure Shell clients connect to. There are three versions of the product available: Tectia Server for Linux, Unix and Windows, Tectia Server for Linux on IBM System z, and Tectia Server for IBM z/OS.

Transport Layer Security (TLS)

Transport Layer Security is a protocol providing confidentiality, authentication, and integrity for stream-like connections. It is typically used to secure HTTP connections. TLS is defined in RFC 5246.


The ITU-T X.509 recommendation defines the formats for X.509 certificate and X.509 CRL. Different X.509 applications are further defined by the PKIX Working Group of the IETF. These include X.509 version 3 public-key certificates and X.509 version 2 CRLs.