The implementation of device security is growing at an exponential rate, and it's easy to be faced with new security terminology on a regular basis.
Understanding the basics is a core element in achieving successful secure deployments. To help you stay on top of the evolving device security industry, we offer you the list of commonly used security terms below.
Term | Definition |
Advanced Encryption Standard (AES): | A symmetric key algorithm with a 128-bit block and key lengths 128, 192 and 256 bits |
Anti-Rollback Prevention: | A Silicon Labs technology to stop old firmware with potential security flaws being reloaded into a device. |
ARM® TrustZone: | An ARM architecture that allows the physical separation of software on a device into a trusted zone and a normal zone |
Asymmetric Key Algorithm: | A cryptographic algorithm that uses both private and public keys for encryption and decryption operations |
Asymmetric Key Cryptography: | Cryptography that uses one key to sign or encrypt and a different key to verify or decrypt |
Attack: | The attempt to break cryptographic methods employed in a security service. This may include brute force, man-in-the-middle or simple plaintext attacks |
Attack Surface: | A potentially exploitable vulnerability of a system |
Authentication: | Designed to assure that something is what it claims to be. |
Authenticity: | Assurance that code is from the source it claims to be. |
Block Cipher: | An asymmetric key algorithm that encrypts messages by breaking them down to fixed-size encrypted blocks |
Brute Force Attack: | A method that methodically tries to guess each key and then uses those keys to decipher ciphertext. Attacks become increasingly time- and power-consuming as key sizes increase. |
Certificate Authority (CA): | An official entity that issues digital certificates and provides a 'trust anchor' or 'root of trust' as part of a 'trust chain'. |
Checksum: | A value assigned to a file that is tested later to confirm that no changes were made to the original file. |
Cipher: | An encryption-decryption algorithm. |
Ciphertext: | Plaintext passed through the cipher becomes ciphertext |
Confidentiality: | Assurance that data is protected from being accessed by unapproved parties. |
Countermeasures: | Processes or implementations that can prevent or mitigate the actions of a threat or an attack. |
Data Encryption Standard (DES): | A symmetric encryption algorithm with a 56-bit key. The more secure Triple DES (3DES) uses 3 different keys and applies DES to each block three times. |
Decryption: | The conversion of ciphertext back into its original data (plaintext) |
Differential Power Analysis (DPA): | A form of Side-Channel Attack (SCA) based on analyzing power consumption variations of an electronic circuit performing crypto operations involving confidential keys. |
Diffie-Hellman: | An asymmetric key algorithm in which two entities exchange some public information, then combine it with their own private key(s) using a secure mathematical algorithm to generate a shared session key. |
Digital Certificate: | An electronic 'certificate' that binds pieces of information together. These informational elements may include a user's identity, a public key, and/or a digital signature. |
Digital Signature: | An asymmetric key algorithm that associates a calculated number to both a message and its signer. |
Digital Signature Algorithm (DSA): | An asymmetric key algorithm that creates a digital signature using the private key of a public/private key pair. The signature is verified by the associated public key. |
Digital Signature: | The mathematical technique used to validate the authenticity and integrity of the content. |
Elliptic Curve: | Mathematical construct |
Elliptic Curve Cryptography (ECC): | An asymmetric key algorithm based upon elliptical curve constraints. (Often combined with Diffie-Hellman (ECDH) and DSA (ECDSA)) |
Elliptical Curve Diffie-Hellman (ECDH): | Combination of Elliptical curve cryptography and Diffie-Hellman key exchanges to generate a shared secret. |
Elliptical Curve Diffie-Hellman Ephemeral (ECDHE): | ECDH done with temporary (ephemeral) keys. After the secret is used, it is destroyed, along with the temporary key pairs. This type of temporal secret is fundamental to achieving Perfect Forward Secrecy |
Elliptical Curve Digital Signature Algorithm (ECDSA): | Combination of ECC and DSA. |
Encryption: | The use of an algorithm to convert original data (plaintext) into incomprehensible data (ciphertext). |
Entropy: | Random numbers used in cryptography, designed to provide a lack of order and reason. The greater the entropy, the more complex it is to find patterns, therefore creating better encryption. |
FIPS - Federal Information Processing Standards: | Standards set by the US government for data protection. |
Hacker: | A person who tries to overcome data security measures. Hackers may do so for malicious or non-malicious intent. |
Hands-On Attack: | Attackers have physical access to a device/product and use that to their advantage to gain access to product interfaces where they can extract secret(s) or inject alternate code. |
Hash Function: | An algorithm that produces message digests (MDM - Message Digest Algorithm). Familiar hash functions include MD2, MD4, and SHA. |
Identification: | The process through which one user or service identifies another. |
Integrity: | Assurance that code has not been altered, modified, or replaced. |
NIST Curves: | NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A. In FIPS 186-4, NIST recommends fifteen elliptic curves of varying security levels for use in these elliptic curve cryptographic standards. Visit the National Institute of Standards and Technology (NIST) for more information. |
Key: | A parameter, such as a private key, public key, secret key or session key that is used in cryptographic functions. |
Key Pair: | Corresponding public and private keys. Always present in Asymmetric Key Cryptography. |
Key Schedule: | An algorithm that creates subkeys in cipher blocks within a given keyspace. |
Key Space: | Collection of all possible keys in a cryptosystem. |
MAC - Message Authentication Code: | Not to be confused with 'Media Access Controller', which is often used in other sections of this site. A Message Authentication Code is the conversion of plaintext using an algorithm and symmetric key that provides both authentication and data integrity. |
MAC Algorithm: | Common algorithms are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-512. |
Man-in-the-Middle Attack: | An attack where a hacker sits in the middle of the communicating parties and collects all the data. |
National Institute of Standards and Technology (NIST): | Division of the US Government that produces safety standards for cryptography. |
Nonce: | A number used once. A nonce is used to assure the uniqueness of an operation. This uniqueness thwarts replay attacks and makes backward calculation of keys infeasible. |
Perfect Forward Secrecy: | Protects past sessions against future compromises of secret keys or passwords. |
Plaintext: | Data transferred without any cryptographic protection. Also called cleartext. |
Private Key: | In symmetric cryptography, the private key is synonymous with the secret key (shared key). In asymmetric cryptography, the private key is the secret half of the public/private key pair. |
Pseudo-Random Number (PRN): | Numbers that seem random but are actually determined by specific function and seed value. PRNs are created by a PRNG (PRN Generator). |
Public Key: | Universal key in asymmetric cryptography. |
Public Key Infrastructure (PKI): | A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. |
PUF: | Physically Unclonable Function, a unique and random digital fingerprint associated with a single device |
Root of Trust: | Secure foundation (hardware, software, firmware) of a system that cannot be tampered with by malware. |
RSA: | Asymmetric Key Algorithm that can encrypt data and create and confirm digital signatures. |
Secret Key: | A shared key used for encryption and decryption in symmetric cryptography. |
Secret Sharing: | The act of splitting a secret key into many pieces so that the user needs all pieces to utilize the secret key. |
Secure Boot: | The process where the initial boot phase is executed from an immutable memory (i.e. ROM) and where code is authenticated before being authorized to be executed. |
Secure Element: | A tamper-resistant component used to securely store sensitive data, keys, and to execute cryptographic functions and secure services. |
Secure Hash Algorithm (SHA): | A message-digest algorithm that creates a unique hash value for each input. |
Secure Key Management: | Cryptographic storage of device keys |
Seed: | A random sequence of numbers used to derive more random numbers. |
Session Key: | A key used only for the duration of communication between users. |
SHA-1: | An old type of SHA that is no longer considered strong enough by the security community to protect against modern hackers. The hash function uses a 160-bit hash value. |
SHA-2: | Originally introduced to supersede SHA-1. This hash algorithm works in the same way but produces a longer and stronger hash. There are four main variants: SHA-224, SHA-256, SHA-384 and SHA-512. The numbers at the end of the acronym are the bit size of the resulting hash. |
SHA-3: | The most recent version of SHA. Unlike SHA-1 and SHA-2, it uses a new structure called the 'sponge construction', in which data is “absorbed” into the sponge, and then the result is “squeezed” out. The result is a permutation-based hash. |
Shared Key: | The secret key users share in symmetric key cryptography. |
Shared Secret: | A piece of data known only to two of the parties communicating. |
Side-Channel Attack: | Any attack based on the information gathered from the physical implementation of the cryptosystem. Information that could be used against a system includes timing information, power consumption and electromagnetic leaks. |
Side-Channel Attacks (SCA): | A form of security exploit that takes advantage of information leakage from an electronic circuit in order to extract confidential keys or secret information. The most common forms of attack are conducted by monitoring power consumption and electromagnetic emission during cryptographic operations. |
Sign/Verify: | See Digital Signature |
Symmetric Key Algorithm: | A cryptographic algorithm that uses a secret key which is shared between entities in the system |
Symmetric Key Cryptography: | Cryptography using symmetric key algorithms. |
Tamper Resistant: | Hardware devices that are impossible or almost impossible to extract information from. |
Transport Layer Security (TLS): | Standard security technology creating an encrypted link between a web server and a browser. Its predecessor is known as Secure Sockets Layer (SSL). |
True Random Number (TRN): | A hardware device that generates random numbers from a physical process as opposed to an algorithm. TRNs are created by a TRNG (TRN Generator) |
Trust Anchor: | A trust anchor is an authoritative entity for which trust is assumed and not derived. (see Root of Trust) |
Trust Chain (Also known as 'Chain of Trust'): | A layered structure of certificates/signatures that creates a “trust anchor” assuring the trustworthiness of other elements within the structure. Each layer is guaranteed by the previous layer to create a chain. |
Verification: | A sub-process of authentication where a user verifies that the other user is who it claims to be. |
Have you Discovered a Vulnerability?
Our Product Security Incident Response Team (PSIRT) is responsible for ensuring the vulnerabilities discovered in our products are mitigated and communicated responsibly. If you detect a security threat, let us know.