Tectia

Glossary

This glossary contains definitions of special terms and abbreviations used in the Tectia user documentation. For more information on terms related to Internet security, see RFC 2828.

Advanced Encryption Standard (AES)

AES is the current U.S. government standard for a symmetric encryption algorithm. AES is based on the Rijndael block cipher. It has a block size of 128 bits and a variable key length of 128, 192, or 256 bits. AES is defined in FIPS 197.

Arcfour

Arcfour is a symmetric stream cipher with a variable key size. It has been tested to be equivalent of the RC4 cipher by RSA Security.

block cipher

A type of symmetric (secret-key) encryption algorithm that encrypts a fixed length block of plaintext (for example, 64 bits) at a time. With a block cipher, the same plaintext block will always encrypt to the same ciphertext block under the same key.

Blowfish

A symmetric block cipher, Blowfish uses a block size of 64 bits and a key length of 32 to 448 bits.

certificate

Certificates are digital documents that are used for verifying the identity of communicating parties. In this documentation, the term certificate is commonly used to refer to X.509 public-key certificates. A public-key certificate binds identity information about an entity to the entity's public key for a certain validity period.

Certificate Management Protocol (CMP)

CMP defines online interactions between the end entities, the registration authorities, and the certification authority in a PKI. It is defined in RFC 4210.

certificate revocation list (CRL)

CRL is a signed list containing the serial numbers of the certificates that have been revoked or suspended by the certificate issuer (the CA) before their expiration date. The CA usually issues new CRLs at frequent intervals. Current PKIX implementation of CRLs is the X.509 version 2 CRL. See RFC 3280 for more information.

certification authority (CA)

An entity in a PKI that issues digital certificates (especially X.509 public-key certificates) and vouches for the binding between the data items in a certificate.

Certificate users (end entities) depend on the validity of information provided by a certificate. Thus, a CA should be someone that the end entities trust, and who usually holds an official position created by and granted power by a government, a corporation, or some other organization.

Connection Broker

The Connection Broker is a component of Tectia Client, Tectia ConnectSecure, and Tectia MFT Events. It handles all cryptographic operations and authentication-related tasks.

CryptiCore

CryptiCore was introduced in 2005 by the Danish data security company Cryptico. It is a set of algorithms consisting of the Rabbit stream cipher, which uses a 128-bit key, and Badger data integrity algorithm. CryptiCore enables very fast encryption and integrity checking performance, for example, when used with Secure Shell.

Data Encryption Standard (DES)

DES is a U.S. government standard that defines the Data Encryption Algorithm (DEA).

The algorithm itself is a symmetric block cipher with a block size of 64 bits and a key length of 64 bits (of which 8 are parity bits). It was created in the 1970s by IBM, assisted by the U.S. National Security Agency (NSA).

DES is no longer considered secure, but its improved variant 3DES (also known as TDEA) is still in widespread use. DEA and TDEA are defined in FIPS 46-3.

Diffie-Hellman key exchange

A method for key exchange between two parties. This method can be used to generate an unbiased secret key over an unsecured medium. The method has many variants. A well known attack called the man-in-the-middle attack forces the use of digital signatures or other means of authentication with the Diffie-Hellman protocol.

Digital Signature Algorithm (DSA)

DSA is a digital signature algorithm, invented by the U.S. National Security Agency (NSA). It is defined in the Digital Signature Standard (DSS), FIPS 186-2, alongside with the SHA-1 hash algorithm.

encryption

A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext), to provide confidentiality. The inverse transformation process is called decryption.

event

A file transfer or a remote command operation to be run at a given time or under defined conditions. Used with Tectia MFT Events. In an event configuration, the user defines one or more actions to be started when an event trigger is activated, or when the defined constraints are met.

Federal Information Processing Standard (FIPS)

FIPS is a series of U.S. Government technical standards published by the National Institute of Standards and Technology (NIST).

Generic Security Service Application Programming Interface (GSSAPI)

GSSAPI is a function interface that provides security services for applications in a mechanism-independent way. This allows different security mechanisms to be used via one standardized API. GSSAPI is often linked with Kerberos, which is the most common mechanism of GSSAPI. GSSAPI provides support for Windows domain authentication with Active Directory on Windows and Unix. GSSAPI is described in RFC 2743.

hash function

An algorithm that computes a short digest of a longer message. The digest is usually of a fixed size. See also MD5 and SHA-1.

hashed message authentication code (HMAC)

A hashed message authentication code (HMAC) is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. As with any MAC, it can be used to verify both the data integrity and data origin authenticity.

Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC. The resulting MAC algorithms are termed HMAC-MD5 or HMAC-SHA-1, respectively. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function and on the size and quality of the key.

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing distributed directory services that support the X.500 directory model. The protocol is especially targeted at management applications and browser applications that provide interactive read/write access to directories. LDAPv3 is defined in RFC 4510.

MD5

A message-digest algorithm that computes an irreversible 128-bit hash value for a document. The algorithm is documented in RFC 1321.

MD5 is no longer considered secure. Other newer algorithms such as SHA-1 or SHA-256 are recommended instead.

MVS

MVS (Multiple Virtual Storage), first released in 1974, is an operating system used on the IBM mainframe computers. Although the original MVS was discontinued several years ago, the term MVS is still commonly used to refer to operating systems based on the same architecture, including OS/390 and the current z/OS.

Online Certificate Status Protocol (OCSP)

In some applications, such as banking and e-commerce, it may be necessary to obtain certificate revocation status that is more timely than is possible with CRLs. OCSP may be used to determine the current revocation status of a digital certificate, instead of or as a supplement to checking against a periodically published CRL. OCSP is described in RFC 2560.

passphrase

A passphrase is a string of characters. Whereas a password is used for authentication directly, a passphrase is only used to protect the actual information used for authentication, the private key.

password

A password is a string of characters such as numbers, letters and special characters, used for authenticating an entity against another. The strength of a password is measured by its "randomness", called entropy. If a password has a high level of entropy, it is difficult to guess using dictionary attacks.

public-key cryptography

In contrast to symmetric (secret-key) cryptography with just one cipher key, in public-key cryptography each person or host has two keys. One is the private key, which is used for signing outgoing messages and decrypting incoming messages, the other is the public key, which is used by others to confirm the authenticity of a signed message coming from that person and for encrypting messages addressed to that person. The private key must not be available to anyone but its owner, but the public key is spread via trusted channels to anyone.

Public-Key Cryptography Standards (PKCS)

The PKCS standards are a document series from RSA Laboratories. Some of the most important PKCS standards include:

  • PKCS #1 for RSA encryption and signature formats

  • PKCS #7 for cryptographic message encapsulation

  • PKCS #8 for private-key information syntax

  • PKCS #10 for certification requests

  • PKCS #11 for a cryptographic token interface commonly used with smart cards

  • PKCS #12 for storing or transporting a user's private keys, certificates, and miscellaneous secrets

public-key infrastructure (PKI)

PKI consists of end entities possessing key pairs, certification authorities, certificate repositories (directories), and all the other software, components, and entities required when utilizing public-key cryptography.

Request For Comments (RFC)

A document of the Internet Engineering Task Force (IETF) under standardization. RFCs can be located at the IETF web site at http://www.ietf.org/rfc.html.

RSA

RSA is a public-key encryption and digital signature algorithm, invented by Ron Rivest, Adi Shamir, and Leonard Adleman, and defined in PKCS #1. The RSA algorithm was patented by RSA Security, but the patent expired in September 2000.

Secure File Transfer Protocol (SFTP)

The Secure File Transfer Protocol (SFTP) is a de-facto industry standard for securing transfer of files over the network. SFTP is natively supported by the Tectia client/server solution.

SFTP is not technically related to the unsecured File Transfer Protocol (FTP), but the use of SFTP client programs is similar to that of FTP. The server side runs a Secure Shell version 2 server with the SFTP subsystem enabled.

Secure Shell (SecSh)

The Secure Shell (SecSh) protocol was originally developed in 1995 by Tatu Ylönen, the founder of Tectia (former SSH Communications Security). Secure Shell replaces other, unsecured terminal applications (such as Rlogin, Telnet, and FTP), and allows forwarding arbitrary TCP/IP ports over the secure channel, enabling secure connection, for example, to an e-mail service.

There are two versions of the Secure Shell protocol. The current version, Secure Shell version 2 (SecSh v2, SSH2) provides several security improvements as compared to the original Secure Shell version 1 (SecSh v1, SSH1). Tectia products are based on SSH2, and Tectia Corporation considers SSH1 deprecated and does not recommend nor support its use anymore. The SSH2 protocol is defined in RFCs 4250-4256.

SHA-1

SHA-1 is an improved version of the original Secure Hash Algorithm (SHA), designed by National Security Agency (NSA). The algorithm produces a 160-bit message digest. It is defined in FIPS 180-1 and it is also part of the Digital Signature Standard (DSS), FIPS 186-2.

stream cipher

A type of symmetric (secret-key) encryption algorithm that encrypts a single bit at a time. With a stream cipher, the same plaintext bit or byte will encrypt to a different bit or byte every time it is encrypted.

Tectia client/server solution

The Tectia client/server solution consists of Tectia Client, Tectia ConnectSecure, Tectia Server, Tectia Server for Linux on IBM System z and Tectia Server for IBM z/OS.

Tectia Client

Tectia Client provides secure interactive file transfer and terminal client functionality for remote users and system administrators to access and manage servers running Tectia Server or other applications using the Secure Shell protocol. It also supports (non-transparent) tunneling of TCP-based applications, and on Windows, transparent TCP tunneling.

Tectia ConnectSecure

Tectia ConnectSecure is designed for FTP replacement. It is a client-side product that provides FTP-SFTP Conversion, enhanced file transfer, and transparent FTP and TCP tunneling services for connecting to a Secure Shell server.

Tectia Manager

Tectia Manager is a central system for managing Tectia and OpenSSH security software, and for auditing Tectia and OpenSSH file transfers and commands in large environments. It offers tools for statistical analysis, monitoring, planning, and troubleshooting. Tectia Manager is designed for large multi-platform environments, where centralized management of security software reduces the total cost of ownership and enables administrators to enforce consistent security policy, and to more efficiently monitor the state of their Tectia security environment.

Tectia MFT Events

Tectia MFT Events is designed for automating file transfer and command events and for monitoring their performance. Tectia MFT Events is typically installed on a server host and it is capable of connecting to any standard Secure Shell server.

Tectia Server

Tectia Server is a server-side component where Secure Shell clients connect to. There are three versions of the product available: Tectia Server for Linux, Unix and Windows, Tectia Server for Linux on IBM System z, and Tectia Server for IBM z/OS.

Transport Layer Security (TLS)

Transport Layer Security is a protocol providing confidentiality, authentication, and integrity for stream-like connections. It is typically used to secure HTTP connections. TLS is defined in RFC 5246.

X.509

The ITU-T X.509 recommendation defines the formats for X.509 certificate and X.509 CRL. Different X.509 applications are further defined by the PKIX Working Group of the IETF. These include X.509 version 3 public-key certificates and X.509 version 2 CRLs.