
Cryptography glossary

A

(Cryptographic) Algorithm

A sequence of computational instructions that performs specific (cryptographic) tasks.

API (Application Programming Interface)

A set of functions that enable different software components to communicate and transfer data.

(AQtive Guard) API client

The AQtive Guard API Client (cs-api) is a CLI program you can use to interface with AQtive Guard using its API. Its two main purposes are uploading traces created using the AQtive Guard sensors and launching an analysis in AQtive Guard.

AQL (AQ Language)

The SandboxAQ domain-specific language (DSL) designed for querying AQtive Guard data. It’s interpreted as a KSQL table.

Asymmetric cryptography

Synonym: public key cryptography

Augmented trace

A trace file enhanced with additional details, such as cryptographic call sites.

Authenticity

A security property achieved through cryptographic methods that guarantees data is genuine, verifiable, and trustworthy. It provides confidence in the validity of a transmission, information, message, or its sender.

B

Block cipher

A cryptographic algorithm that maps blocks of fixed lengths to blocks of the same length such that for every output there is exactly one input.

Brute-force attack

An attack method of trying every possible value for a secret input, like a secret key or password, until the correct one is found.

C

CCPA (California Consumer Privacy Act)

A California law that gives residents rights over their personal data, including the right to know what information is collected, to have it deleted, and to opt out of its sale. It requires businesses to be transparent about their data practices and protect consumer privacy.

Certificate

A signed document linking a public key to an identity. Common examples of an identity are a domain name, an email address, or an X.500 common name. Certificates usually also contain additional management data, like a validity period, a serial number, issuer identity, and potential extensions providing more context data.

Certificate Authority (CA)

A trusted organization that issues certificates to verified entities, such as websites or individuals, linking their identity to public keys. This allows the user to authenticate a communication partner using public key cryptography.

CSR (Certificate Signing Request)

A message sent from an applicant to a certificate authority (CA) in order to apply for a certificate.

Collision

A scenario where two distinct inputs to a cryptographic hash function produce the same output.

Collision attack

An attack that attempts to find two inputs to a cryptographic hash function that produce the same output.

Computational infeasibility (Computationally infeasible)

A task or calculation is considered computationally infeasible if it would require an unrealistically long time or computing resources to complete, making it practically impossible to achieve within a practical timeframe.

Confidentiality

A security property that guarantees data is not disclosed to users, processes, or devices unless they are authorized to access the information.

Counter with CBC-MAC (CCM)

A block cipher mode of operation that provides both confidentiality and authentication.

CRL (Certificate Revocation List)

A list of certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date. Certificates listed in a CRL should no longer be trusted.

Cryptography Bill of Materials (CBOM)

A cryptography bill of materials (CBOM) is a cybersecurity asset that lists all software and hardware components within a system, including their dependencies, vulnerabilities, and security risks.

Cryptographic boundary

The clearly defined perimeter (physical or logical) that encloses all hardware, software, and firmware components of a cryptographic module. Everything inside this boundary is protected by the module’s cryptographic functions.

Cryptographic call site

A location in the code where cryptographic functions (such as encryption, decryption, or hashing) are invoked.

Cryptographic key

A typically short piece of data that most cryptographic algorithms use to perform their operations. The key type depends on the algorithm and determines its confidentiality requirements. For example, secret keys and private keys must remain confidential, while public keys are intended to be shared.

Cryptographically relevant quantum computer (CRQC)

A quantum computer capable of breaking cryptographic systems used in real-world applications, which are deemed infeasible to break with conventional computers.

CVE (Common Vulnerabilities and Exposures)

CVE, maintained by MITRE, is a system providing standardized identifiers for publicly known cybersecurity vulnerabilities. It catalogs and assigns unique IDs to vulnerabilities, facilitating information sharing and vulnerability management.

CWE (Common Weakness Enumeration)

CWE, maintained by MITRE, is a community-developed list of common software and hardware weakness types. It provides a standardized language for describing security flaws, aiding in software security analysis and development.

D

Decryption

The process of converting ciphertext back into plaintext, reverting encryption.

Deprecated (cryptography)

A cryptographic algorithm or key length that was previously approved for a specific application but is no longer recommended due to identified security weaknesses.

Digital signature

A value computed with a cryptographic process using a private key and appended to a data object to digitally sign it. The digital signature enables verification of the data object’s authenticity and integrity using the signer’s public key. A secure signature scheme guarantees the computational infeasibility of creating forgeries (refer to EUF-CMA).

E

Elliptic Curve Cryptography (ECC)

A type of public key cryptography.

Encryption

The process of transforming plaintext into ciphertext.

Entropy

A measure of randomness or unpredictability in data, often used in cryptography to ensure secure key generation and encryption.

Existential Unforgeability under Chosen Message Attack (EUF-CMA)

The standard security notion for a digital signature scheme. A scheme is EUF-CMA secure if it is computationally infeasible for an adversary to forge a valid signature, even when they can obtain valid signatures for messages they select or craft themselves.

F

Filesystem scanner

An AQtive Guard sensor that scans the filesystem for cryptographic artifacts, like cryptographic keys or certificates.

Forward secrecy

A property of cryptographic protocols that guarantees previously transmitted data remains secret, even if a private key is compromised.

G

Galois/Counter Mode (GCM)

A block cipher mode of operation that provides both encryption for confidentiality and authentication for data authenticity and integrity. It is widely used and recommended.

GDPR (General Data Protection Regulation)

A European Union regulation that sets strict guidelines on collecting, processing, and storing personal data, granting individuals more control over their data and requiring organizations to ensure privacy and security compliance.

H

(Cryptographic) Hash function

A core cryptographic building block that converts input data of arbitrary length into short, fixed-length outputs, known as a hash value or digest. A secure hash function ensures it is computationally infeasible to find two inputs that produce the same output (a collision), to determine an input from its output, or to distinguish the output from random values.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law designed to ensure the privacy and security of patients’ health information. It sets standards for how healthcare organizations and their business associates handle, share, and protect sensitive medical data.

Hardware Security Module (HSM)

A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing. An HSM is or contains a cryptographic module.

I

Integrity

A security property that guarantees that data or a system are not (maliciously) altered.

IV

A unique, unpredictable value used once (IV, Initialization Vector), typically as input to cryptographic operations to ensure different outputs for identical plaintexts. IVs help randomize encryption, preventing patterns and enhancing security. They are often generated randomly or sequentially, depending on the encryption mode.

J

Java tracer

An AQtive Guard sensor that records cryptographic operations in Java applications for analysis.

K

Key agreement

Synonym: key exchange.

Key derivation

The process of deriving a secret key in a non-reversible manner from shared information, at least some of which is secret.

Key Derivation Function (KDF)

A cryptographic algorithm that derives one or more secret keys from an input secret bit string of sufficient entropy, optionally incorporating additional context information.

Key Encapsulation Mechanism (KEM)

A set of three cryptographic algorithms (called key generation, encapsulation, and decapsulation) that can be used to establish shared secret keys over a public channel.

Key establishment

Synonym: key exchange.

Key exchange

A process that allows two parties to securely establish a shared secret key over a public channel in order to establish secure communications.

Key management

The process of creating, storing, distributing, and securely handling cryptographic keys throughout their lifecycle to protect sensitive data and ensure secure communications.

Key pair

Pair consisting of a private key and a public key. Used in public key cryptography.

Key transport

A procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party or device (the receiver). Contrast with key exchange.

Key wrapping

A method of protecting secret keying material (along with associated integrity information) that provides both confidentiality and integrity protection when using symmetric-key algorithms.

L

Legacy use

Approval to continue using an algorithm or key length only in scenarios where legacy applications cannot be updated or replaced without unreasonable effort.

M

Machine-In-The-Middle (MITM) Attack

A Machine-in-the-Middle attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating. Historically, this class of attacks was known as a man-in-the-middle (MITM) attack. The term attacker in the middle is more common, although some prefer Machine-in-the-Middle or Mallory-in-the-Middle to retain the well-known acronym MITM while still using gender-neutral language.

Message Authentication Code (MAC)

Cryptographic data, created with a symmetric key, that is attached to a message and can be used to verify its integrity and authenticity using the same key.

Mode of operation

An algorithm for the cryptographic transformation of data that uses a block cipher.

N

NHI (Non-Human Identity)

A digital identity used by automated systems such as applications, services, devices, or scripts to communicate with other machines and access resources. Managing NHIs involves securing their credentials (API keys, certificates, tokens, etc.) and controlling their access with policies.

NIST (National Institute of Standards and Technology)

The agency responsible for U.S. Federal standards in various technical fields, including cryptography. NIST cryptography standards and recommendations have included algorithms such as AES, SHA-2, SHA-3, ML-KEM, ML-DSA, SLH-DSA, block cipher modes, key management, randomness generation, and statistical tests.

Nonce

A unique number used once (nonce), typically as input to cryptographic operations to ensure different outputs for identical inputs. Since uniqueness can be challenging, nonces are often randomly generated. Authenticated ciphers use nonces to prevent attackers from detecting repeated messages.

O

OCSP (Online Certificate Status Protocol)

An interactive protocol used to verify the revocation status of a certificate.

P

PCI-DSS (Payment Card Industry Data Security Standard)

PCI DSS, the Payment Card Industry Data Security Standard, is a set of security requirements designed to ensure the safe processing, storage, and transmission of cardholder data. It applies to all businesses and organizations that accept, process, or store payment card information.

PKCS#11

A standard defining cryptographic tokens, often used for smart cards and hardware security modules (HSMs).

Post-quantum cryptography (PQC)

Cryptographic algorithms designed to resist attacks not only from classical but also quantum computers.

Private key

The secret part of a key pair that must be kept confidential. It’s used to perform operations in (public key) cryptographic algorithms such as decryption or signing.

Public key

The public part of a key pair that does not need to be kept confidential and can be shared openly. It’s used to perform operations in (public key) cryptographic algorithms such as encryption or signature verification.

Public key cryptography

Cryptography that uses a key pair consisting of a private key and a public key to secure communications. Also known as asymmetric cryptography.

Public Key Infrastructure (PKI)

A framework consisting of standards and services to enable secure communication.

Q

Quantum bit (Qubit)

A fundamental unit of quantum information used in quantum computing, leveraging principles of quantum physics. Unlike classical bits, which are strictly 0 or 1, qubits can exist in both states simultaneously. When measured, a qubit resolves to either 0 or 1, with the outcome determined probabilistically based on its quantum state. Qubits enable quantum computers to store, process, and transmit data in ways that differ fundamentally from classical systems.

R

Root certificate

Certificate for the highest public key in a certificate hierarchy. Root certificates are self-signed and serve as the foundation of trust in the hierarchy. Root certificates from major Certificate Authorities (CAs) are commonly preinstalled in the trust stores of web browsers and operating systems, enabling trust in the identity of a public key owner.

(Certificate) Revocation

Process of revoking a previously issued certificate, typically due to potential private key compromise or inaccuracies in the certificate’s data, such as a change in domain ownership.

S

Salt

A random value added to a password or input before hashing to ensure that identical inputs produce unique hashes. Salts protect against attacks like dictionary or rainbow table attacks by making hashed values harder to precompute and match.

Self-signed certificate

A certificate signed by the private key corresponding to its own public key, rather than being authenticated by a trusted third party. As a result, it does not provide any guarantee of authenticity.

Security strength

A number associated with the amount of resources (such as the number of operations, or amount of memory) required to break a cryptographic algorithm or system for a given key length.

Shared secret

A secret value known to two or more parties, often used as input to a key-derivation method to produce (shared) secret keys.

Secret key

A cryptographic key used in symmetric cryptography. It does not require additional key derivation. The secret key must be kept confidential.

Secret keying material

Synonym: Shared secret

Signing (digital signatures)

The act of creating a digital signature for a data object.

Software Bill of Materials (SBOM)

An SBOM (Software Bill of Materials) is a comprehensive list detailing all software components, their dependencies, and associated metadata within a software package or application, designed to aid vendors and developers in understanding and managing software dependencies. A Cryptography Bill of Materials (CBOM) is a security-focused extension of an SBOM, providing deeper visibility into cryptographic components.

SOX (Sarbanes-Oxley Act)

A U.S. federal law aimed at enhancing corporate governance and accountability. It requires public companies to ensure accurate financial reporting, conduct independent audits, and implement effective internal controls. These obligations include safeguarding the integrity of relevant financial and operational data.

Static analysis

A method of examining an application’s code without executing it to identify potential security vulnerabilities, such as hard-coded cryptographic values or weak algorithms.

Stream cipher

A type of symmetric encryption that generates a continuous keystream to encrypt data one bit or byte at a time, rather than in blocks (contrast with block cipher).

Strong Existential Unforgeability under Chosen Message Attack (SUF-CMA)

A security property for digital signature schemes. Beyond the guarantees of EUF-CMA, where adversaries cannot forge signatures even with access to valid signatures for chosen messages, SUF-CMA ensures that adversaries cannot modify or tweak an existing valid signature in any way such that it remains valid.

Symmetric cryptography

A type of cryptography where the same cryptographic key, called a secret key, is used for both encryption and decryption, or message authentication and verification. It is efficient for securing large amounts of data, but both parties must securely share the secret key in advance. For historical reasons, this term is often meant to also cover cryptographic hash functions, key derivation functions, and other similar key-less cryptographic algorithms.

T

TLS/SSL

Protocols used to secure data transmitted over a network by encrypting and authenticating the connection between a client and server. TLS (Transport Layer Security) is the modern, secure successor to the insecure SSL (Secure Sockets Layer) and is widely used to ensure data confidentiality, integrity, and authentication in web traffic.

U

V

Verification (digital signatures)

The act of confirming the validity of a digital signature for a data object.

VPN (Virtual Private Network)

A logical network that simulates the properties of a closed local area network, enabling secure communication between remote participants or network segments over public Internet connections. Traffic is protected using cryptographic protocols like IPSec, TLS, or WireGuard.

W

X

Y

Z