Glossary
Asymmetric Cryptography A mathematical procedure of data encryption during which two different keys, belonging together mathematically, are used for the encryption and decryption of data.
User authentication On the basis of the certificate, the user authenticates himself towards an application with his Personal Security Environment (PSE) instead of identification and password.
Key holder The holder of a key is the end-user who is authorized to own the private key (in the form of a Personal Security Environment, PSE) and responsible for the proper usage. The holder of a personal key pair is always also the key owner because it is prohibited to pass on the personal key.
Certification Authority (CA) Certification Authority is an entity, which establishes the link between a public key and a user in the form of a certificate, and certifies it with its digital signature.
Chip card Card in check card format with an embedded microchip, accessed externally according to the ISO 7816 standard. If this microchip has a programmable controller (CPU), it is called a SmartCard.
Directory The Corporate Directory is a repository where available information about the employees is registered company-wide. It is also useful for the publication and company-wide provision of certificates, as well as for the external provision of only parts of the information (e.g. surname, name, e-mail, and certificate) via special reflection mechanisms.
Digital signature An electronic signature is a cryptographic transformation of data in order to protect it from unnoticed forgery (protection of integrity). Often, the digital signature is associated with the procedure of digital signing, which is subject to local regulations. Its meaning is wider and so it does not conform with the signature law.
Key owner The owner of a key pair is the end-user who is responsible for the proper usage and sound condition of the private key. The owner or issuer (CA) also carries out the revocation of the key pair.
Hash algorithm When a document is hashed, a number that is, for example, 160 bits long is first computed from the document (one-way operation). It is very unlikely that different documents yield the same hash value (collision-resistant). Subsequently, the hash value is signed with the private signature key. When the document is received and validated, the hash value of the document is first computed automatically. It is then compared to the hash value that was sent with the document and was decrypted with the help of the public signature key of the person who signed it. If both numbers match, the document was not altered after the signature.
Cryptographic algorithm Mathematical set of rules with the help of which cryptographic operations (e.g. encryption, hash algorithm), based on elementary mathematical calculations (e.g. shifting, multiplication, forming of residual value), are carried out recursively with the help of keys and parameters.
Lightweight Directory Access Protocol (LDAP) LDAP is a TCP/IP-based directory access protocol which has established itself as the standard solution to secure directory services in the internet and intranets.
Local Registration Authorities (LRA) Authorized authority close to the users which ensures the users' identification and authentication, issues key material to the users and administers it.
Public key The public key is the part of a key pair that is easily accessible by everyone and that is used in asymmetrical cryptography.
Personal Security Environment (PSE) Total key material (especially private keys), certificates, and other information of a user for checking purposes. The PSE mainly consists of the private key and other information which belong to the user who has exclusive access to the private key. Therefore, the PSE must be protected from access by others. SmartCards, chip cards and disks are media where the PSE can be stored.
Personalization Development of personal data into card data.
Personal key An asymmetrical key pair is a personal one, if the key holder and owner of the corresponding Personal Security Environment must only be one and the same person and the person’s name is certified in the certificate.
Private key A private key is the secret part of a key pair (of a personal key, operational key) that is used in asymmetrical cryptography.
PIN, Personal Identity Number The PIN is a password with which an end-user authenticates himself when accessing the Personal Security Environment. The PIN is used for the protection of the PSE's confidential character and especially that of the private key that it contains.
Public Key Infrastructure (PKI)-Policy A security concept consists of organizational and technical controls and is usually stipulated in a security policy. The Public Key Infrastructure is stipulated in a PKI policy and explains organizational regulations, technical components and their interaction. The PKI policy is the pivotal document of a PKI and defines the PKI’s security level. This document describes the handling of key material, irrespective of how it was generated or certified, and applies to all participants.
Private key In the symmetrical procedure, one talks of a secret key held by both communication parties. In the asymmetrical procedure, each participant has a public and a private key. The private key is used for signing purposes, and with the public key the signature is validated. With the help of the private key, the recipient is able to decode the message that was previously encoded with the public key of the recipient. See also Public Key Cryptography.
Public Key Infrastructure (PKI) PKI is the sum of all authorities and procedures necessary for the application of Public Key Cryptography. They are usually described in a policy.
Public Key Cryptography Encryption procedure in which two different keys are used for the encoding and decoding of a message (asymmetrical cryptography). In practical application, one key is published with the key holder’s identification data (= public key), and the other one is handed over securely to the key holder (often on a SmartCard) or is generated in a SmartCard right away. An important application of Public Key Cryptography is the electronic signature, during which a document is signed with the private key and the signature is validated by the recipient with the public key.
Registration Authority Also Local Registration Authority (LRA). Place where the end-user’s identity is validated and key material is issued.
Registration Identity assessment in the personalization procedure of the (L)RA and signed data transfer to the trust center via a secure channel. Precondition is an application. The participant is assigned an unambiguous and suitable name in the procedure for digital signatures.
Secure Multipurpose Internet Mail Extensions (S/MIME) Enables secure sending and secure receiving of e-mails.
Key pair A pair that consists of a private and a public key and is necessary for asymmetrical cryptography procedures is called a key pair.
Key material The sum of personal key material (Personal Security Environment) and the corresponding key certificate.
Key Backup The key backup is an entity in the business PKI organization that is responsible for the backup of private keys which are intended to be used for the decryption of data whose unencrypted original is not available. This component of the PKI takes over, saves and gives access to private keys and makes it possible to request data recovery. Only the business has an influence on, and the responsibility for, a key backup.
Encryption certificate A certificate is an attestation verifying that a public key is linked to the information that identifies a person, organization, procedure or institution as the user of the corresponding private key. The information of a certificate for a personal key primarily consists of facts concerning the key owner's identity. The information of a certificate for a key that is not linked to a person identifies, for example, an authority, an operation, a server, an IT system, or a procedure that is authorized to use the corresponding key. (No object of elaboration.)
Security Policy Binding document describing the security policy of a business. Possible risks are evaluated and measures are determined if necessary. Risks are unexpected negative events as well as unrealized business opportunities. IT security is part of the safety policy; the PKI policy is part of the security policy. Thus, this document supplements the security policy of the individual enterprise.
SmartCard Microcomputer in check card format. It has a chip (applied on a module) that is comprised of a processor, a file system and an operating system. One fundamental aspect of the operating system is the integrated protection of access to the information in the file system. Only after the entry of the correct PIN or an authentication can, for instance, the respective access status be achieved so that the information contained in the respective file is made available to the outside world. The processor also carries out cryptographic arithmetic operations independently.
Trustcenter Authority with tasks like: generation of key pairs, secure storage of key material, issuance, publication, and revocation of Public Key certificates, see also Certification Authority, CA.
Verification, validation When verifying a digital signature, it is determined whether the signed data is unaltered and originates from the person, organization, procedure, or institution that established this digital signature. See also hash algorithm.
Encryption Encryption prevents the exploitation of electronic communication material by unauthorized persons or a third party. For this purpose, mathematical procedures that transform the information into a legible but unusable form (encryption) are applied. The decryption is only permitted to authorized persons, organizations, procedures, or institutions.
Revocation Certificates can or must, in certain situations, be revoked by the certificate owner, holder or third parties that are not members of the business, before the certificate’s validity expires. Possible reasons for revocation are disclosure of the Personal Security Environment (PSE), theft or loss of the PSE, as well as all cases in which misuse of the PSE is suspected. The revocation prohibits the application of the certificate and the associated PSE permanently since the subsequent cancellation of the revocation is impossible.
Relying party These are persons, organizations, procedures, or institutions using the certificate and the associated public key for encryption purposes (previous to data transfer) or verification purposes (after the reception of signed data).
Certificate revocation Procedure that serves the purpose of identifying the certificate as invalid (online) during the verification/validation of the signature by the CA or similar information services. Revocation can be coordinated by the participant or his representative. The authority issuing cards, as well as the CA as the authority issuing certificates, must have representative functions. Revocation must show date and time and must not be effected retroactively. There is an obligation to inform the respective authorities. SigG makes further stipulations on revocation management.
Users of cryptographic procedures in the PKI
- Person (also: End-User): employee, student trainee, apprentice, consultant (in the corporation or the corporation of a business partner).
- Organization: project group (internally or externally), Department, corporation of a business partner etc.
- Experience: Service, Client, Server, Certification Authority, LRA etc.
- Facilities: Computer, Router, Firewall etc.
- Such a user is either operator of a Personal Security Environment (PSE) or user of a certificate, or he himself is object of the application of a certificate.
