J <- 4. Definitions -> L
K
$ KAK
(D) See: key-auto-key. (Compare: KEK.)
$ KDC
(I) See: Key Distribution Center.
$ KEA
(N) See: Key Exchange Algorithm.
$ KEK
(I) See: key-encrypting key. (Compare: KAK.)
$ Kerberos
(I) A system developed at the Massachusetts Institute of
Technology that depends on passwords and symmetric cryptography
(DES) to implement ticket-based, peer entity authentication
service and access control service distributed in a client-server
network environment. [R4120, Stei] (See: realm.)
Shirey Informational [Page 170]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: Kerberos was originally developed by Project Athena and
is named for the mythical three-headed dog that guards Hades. The
system architecture includes authentication servers and ticket-
granting servers that function as an ACC and a KDC.
RFC 4556 describes extensions to the Kerberos specification that
modify the initial authentication exchange between a client and
the KDC. The extensions employ public-key cryptography to enable
the client and KDC to mutually authenticate and establish shared,
symmetric keys that are used to complete the exchange. (See:
PKINIT.)
$ kernel
(I) A small, trusted part of a system that provides services on
which the other parts of the system depend. (See: security
kernel.)
$ Kernelized Secure Operating System (KSOS)
(O) An MLS computer operating system, designed to be a provably
secure replacement for UNIX Version 6, and consisting of a
security kernel, non-kernel security-related utility programs, and
optional UNIX application development and support environments.
[Perr]
Tutorial: KSOS-6 was the implementation on a SCOMP. KSOS-11 was
the implementation by Ford Aerospace and Communications
Corporation on the DEC PDP-11/45 and PDP-11/70 computers.
$ key
1a. (I) /cryptography/ An input parameter used to vary a
transformation function performed by a cryptographic algorithm.
(See: private key, public key, storage key, symmetric key, traffic
key. Compare: initialization value.)
1b. (O) /cryptography/ Used in singular form as a collective noun
referring to keys or keying material. Example: A fill device can
be used transfer key between two cryptographic devices.
2. (I) /anti-jam/ An input parameter used to vary a process that
determines patterns for an anti-jam measure. (See: frequency
hopping, spread spectrum.)
Tutorial: A key is usually specified as a sequence of bits or
other symbols. If a key value needs to be kept secret, the
sequence of symbols that comprise it should be random, or at least
pseudorandom, because that makes the key harder for an adversary
to guess. (See: brute-force attack, cryptanalysis, strength.)
Shirey Informational [Page 171]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ key agreement (algorithm or protocol)
1. (I) A key establishment method (especially one involving
asymmetric cryptography) by which two or more entities, without
prior arrangement except a public exchange of data (such as public
keys), each can generate the same key value. That is, the method
does not send a secret from one entity to the other; instead, both
entities, without prior arrangement except a public exchange of
data, can compute the same secret value, but that value cannot be
computed by other, unauthorized entities. (See: Diffie-Hellman-
Merkle, key establishment, KEA, MQV. Compare: key transport.)
2. (O) "A method for negotiating a key value on line without
transferring the key, even in an encrypted form, e.g., the Diffie-
Hellman technique." [X509] (See: Diffie-Hellman-Merkle.)
3. (O) "The procedure whereby two different parties generate
shared symmetric keys such that any of the shared symmetric keys
is a function of the information contributed by all legitimate
participants, so that no party [alone] can predetermine the value
of the key." [A9042]
Example: A message originator and the intended recipient can each
use their own private key and the other's public key with the
Diffie-Hellman-Merkle algorithm to first compute a shared secret
value and, from that value, derive a session key to encrypt the
message.
$ key authentication
(N) "The assurance of the legitimate participants in a key
agreement [i.e., in a key-agreement protocol] that no non-
legitimate party possesses the shared symmetric key." [A9042]
$ key-auto-key (KAK)
(D) "Cryptographic logic [i.e., a mode of operation] using
previous key to produce key." [C4009, A1523] (See: CTAK,
/cryptographic operation/ under "mode".)
Deprecated Term: IDOCs SHOULD NOT use this term; it is neither
well-known nor precisely defined. Instead, use terms associated
with modes that are defined in standards, such as CBC, CFB, and
OFB.
$ key center
(I) A centralized, key-distribution process (used in symmetric
cryptography), usually a separate computer system, that uses
master keys (i.e., KEKs) to encrypt and distribute session keys
needed by a community of users.
Shirey Informational [Page 172]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: An ANSI standard [A9017] defines two types of key
center: "key distribution center" and "key translation center".
$ key confirmation
(N) "The assurance [provided to] the legitimate participants in a
key establishment protocol that the [parties that are intended to
share] the symmetric key actually possess the shared symmetric
key." [A9042]
$ key distribution
(I) A process that delivers a cryptographic key from the location
where it is generated to the locations where it is used in a
cryptographic algorithm. (See: key establishment, key management.)
$ key distribution center (KDC)
1. (I) A type of key center (used in symmetric cryptography) that
implements a key-distribution protocol to provide keys (usually,
session keys) to two (or more) entities that wish to communicate
securely. (Compare: key translation center.)
2. (N) "COMSEC facility generating and distributing key in
electrical form." [C4009]
Tutorial: A KDC distributes keys to Alice and Bob, who (a) wish to
communicate with each other but do not currently share keys, (b)
each share a KEK with the KDC, and (c) may not be able to generate
or acquire keys by themselves. Alice requests the keys from the
KDC. The KDC generates or acquires the keys and makes two
identical sets. The KDC encrypts one set in the KEK it shares with
Alice, and sends that encrypted set to Alice. The KDC encrypts the
second set in the KEK it shares with Bob, and either (a) sends
that encrypted set to Alice for her to forward to Bob or (b) sends
it directly to Bob (although the latter option is not supported in
the ANSI standard [A9017]).
$ key encapsulation
(N) A key recovery technique for storing knowledge of a
cryptographic key by encrypting it with another key and ensuring
that only certain third parties called "recovery agents" can
perform the decryption operation to retrieve the stored key. Key
encapsulation typically permits direct retrieval of a secret key
used to provide data confidentiality. (Compare: key escrow.)
$ key-encrypting key (KEK)
(I) A cryptographic key that (a) is used to encrypt other keys
(either DEKs or other TEKs) for transmission or storage but (b)
(usually) is not used to encrypt application data. Usage:
Sometimes called "key-encryption key".
Shirey Informational [Page 173]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ key escrow
(N) A key recovery technique for storing knowledge of a
cryptographic key or parts thereof in the custody of one or more
third parties called "escrow agents", so that the key can be
recovered and used in specified circumstances. (Compare: key
encapsulation.)
Tutorial: Key escrow is typically implemented with split knowledge
techniques. For example, the Escrowed Encryption Standard [FP185]
entrusts two components of a device-unique split key to separate
escrow agents. The agents provide the components only to someone
legally authorized to conduct electronic surveillance of
telecommunications encrypted by that specific device. The
components are used to reconstruct the device-unique key, and it
is used to obtain the session key needed to decrypt
communications.
$ key establishment (algorithm or protocol)
1. (I) A procedure that combines the key-generation and key-
distribution steps needed to set up or install a secure
communication association.
2. (I) A procedure that results in keying material being shared
among two or more system entities. [A9042, SP56]
Tutorial: The two basic techniques for key establishment are "key
agreement" and "key transport".
$ Key Exchange Algorithm (KEA)
(N) A key-agreement method [SKIP, R2773] that is based on the
Diffie-Hellman-Merkle algorithm and uses 1024-bit asymmetric keys.
(See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)
Tutorial: KEA was developed by NSA and formerly classified at the
U.S. DoD "Secret" level. On 23 June 1998, the NSA announced that
KEA had been declassified.
$ key generation
(I) A process that creates the sequence of symbols that comprise a
cryptographic key. (See: key management.)
$ key generator
1. (I) An algorithm that uses mathematical rules to
deterministically produce a pseudorandom sequence of cryptographic
key values.
2. (I) An encryption device that incorporates a key-generation
mechanism and applies the key to plain text to produce cipher text
Shirey Informational [Page 174]
RFC 4949 Internet Security Glossary, Version 2 August 2007
(e.g., by exclusive OR-ing (a) a bit-string representation of the
key with (b) a bit-string representation of the plaintext).
$ key length
(I) The number of symbols (usually stated as a number of bits)
needed to be able to represent any of the possible values of a
cryptographic key. (See: key space.)
$ key lifetime
1. (D) Synonym for "cryptoperiod".
Deprecated Definition: IDOCs SHOULD NOT use this term with
definition 1 because a key's cryptoperiod may be only a part of
the key's lifetime. A key could be generated at some time prior to
when its cryptoperiod begins and might not be destroyed (i.e.,
zeroized) until some time after its cryptoperiod ends.
2. (O) /MISSI/ An attribute of a MISSI key pair that specifies a
time span that bounds the validity period of any MISSI X.509
public-key certificate that contains the public component of the
pair. (See: cryptoperiod.)
$ key loader
(N) Synonym for "fill device".
$ key loading and initialization facility (KLIF)
(N) A place where ECU hardware is activated after being
fabricated. (Compare: CLEF.)
Tutorial: Before going to its KLIF, an ECU is not ready to be
fielded, usually because it is not yet able to receive DEKs. The
KLIF employs trusted processes to complete the ECU by installing
needed data such as KEKs, seed values, and, in some cases,
cryptographic software. After KLIF processing, the ECU is ready
for deployment.
$ key management
1a. (I) The process of handling keying material during its life
cycle in a cryptographic system; and the supervision and control
of that process. (See: key distribution, key escrow, keying
material, public-key infrastructure.)
Usage: Usually understood to include ordering, generating,
storing, archiving, escrowing, distributing, loading, destroying,
auditing, and accounting for the material.
1b. (O) /NIST/ "The activities involving the handling of
cryptographic keys and other related security parameters (e.g.,
Shirey Informational [Page 175]
RFC 4949 Internet Security Glossary, Version 2 August 2007
IVs, counters) during the entire life cycle of the keys, including
their generation, storage, distribution, entry and use, deletion
or destruction, and archiving." [FP140, SP57]
2. (O) /OSIRM/ "The generation, storage, distribution, deletion,
archiving and application of keys in accordance with a security
policy." [I7498-2]
$ Key Management Protocol (KMP)
(N) A protocol to establish a shared symmetric key between a pair
(or a group) of users. (One version of KMP was developed by SDNS,
and another by SILS.) Superseded by ISAKMP and IKE.
$ key material
(D) Synonym for "keying material".
Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for
"keying material".
$ key pair
(I) A set of mathematically related keys -- a public key and a
private key -- that are used for asymmetric cryptography and are
generated in a way that makes it computationally infeasible to
derive the private key from knowledge of the public key. (See:
Diffie-Hellman-Merkle, RSA.)
Tutorial: A key pair's owner discloses the public key to other
system entities so they can use the key to (a) encrypt data, (b)
verify a digital signature, or (c) generate a key with a key-
agreement algorithm. The matching private key is kept secret by
the owner, who uses it to (a') decrypt data, (b') generate a
digital signature, or (c') generate a key with a key-agreement
algorithm.
$ key recovery
1. (I) /cryptanalysis/ A process for learning the value of a
cryptographic key that was previously used to perform some
cryptographic operation. (See: cryptanalysis, recovery.)
2. (I) /backup/ Techniques that provide an intentional, alternate
means to access the key used for data confidentiality service in
an encrypted association. [DoD4] (Compare: recovery.)
Tutorial: It is assumed that the cryptographic system includes a
primary means of obtaining the key through a key-establishment
algorithm or protocol. For the secondary means, there are two
classes of key recovery techniques: key encapsulation and key
escrow.
Shirey Informational [Page 176]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ key space
(I) The range of possible values of a cryptographic key; or the
number of distinct transformations supported by a particular
cryptographic algorithm. (See: key length.)
$ key translation center
(I) A type of key center that implements a key-distribution
protocol (based on symmetric cryptography) to convey keys between
two (or more) parties who wish to communicate securely. (Compare:
key distribution center.)
Tutorial: A key translation center transfers keys for future
communication between Bob and Alice, who (a) wish to communicate
with each other but do not currently share keys, (b) each share a
KEK with the center, and (c) have the ability to generate or
acquire keys by themselves. Alice generates or acquires a set of
keys for communication with Bob. Alice encrypts the set in the KEK
she shares with the center and sends the encrypted set to the
center. The center decrypts the set, reencrypts the set in the KEK
it shares with Bob, and either (a) sends that reencrypted set to
Alice for her to forward to Bob or (b) sends it directly to Bob
(although direct distribution is not supported in the ANSI
standard [A9017]).
$ key transport (algorithm or protocol)
1. (I) A key establishment method by which a secret key is
generated by a system entity in a communication association and
securely sent to another entity in the association. (Compare: key
agreement.)
Tutorial: Either (a) one entity generates a secret key and
securely sends it to the other entity, or (b) each entity
generates a secret value and securely sends it to the other
entity, where the two values are combined to form a secret key.
For example, a message originator can generate a random session
key and then use the RSA algorithm to encrypt that key with the
public key of the intended recipient.
2. (O) "The procedure to send a symmetric key from one party to
other parties. As a result, all legitimate participants share a
common symmetric key in such a way that the symmetric key is
determined entirely by one party." [A9042]
$ key update
1. (I) Derive a new key from an existing key. (Compare: rekey.)
2. (O) Irreversible cryptographic process that modifies a key to
produce a new key. [C4009]
Shirey Informational [Page 177]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ key validation
1. (I) "The procedure for the receiver of a public key to check
that the key conforms to the arithmetic requirements for such a
key in order to thwart certain types of attacks." [A9042] (See:
weak key)
2. (D) Synonym for "certificate validation".
Deprecated Usage: IDOCs SHOULD NOT use the term as a synonym for
"certificate validation"; that would unnecessarily duplicate the
meaning of the latter term and mix concepts in a potentially
misleading way. In validating an X.509 public-key certificate, the
public key contained in the certificate is normally treated as an
opaque data object.
$ keyed hash
(I) A cryptographic hash (e.g., [R1828]) in which the mapping to a
hash result is varied by a second input parameter that is a
cryptographic key. (See: checksum.)
Tutorial: If the input data object is changed, a new,
corresponding hash result cannot be correctly computed without
knowledge of the secret key. Thus, the secret key protects the
hash result so it can be used as a checksum even when there is a
threat of an active attack on the data. There are two basic types
of keyed hash:
- A function based on a keyed encryption algorithm. Example: Data
Authentication Code.
- A function based on a keyless hash that is enhanced by
combining (e.g., by concatenating) the input data object
parameter with a key parameter before mapping to the hash
result. Example: HMAC.
$ keying material
1. (I) Data that is needed to establish and maintain a
cryptographic security association, such as keys, key pairs, and
IVs.
2. (O) "Key, code, or authentication information in physical or
magnetic form." [C4009] (Compare: COMSEC material.)
$ keying material identifier (KMID)
1. (I) An identifier assigned to an item of keying material.
2. (O) /MISSI/ A 64-bit identifier that is assigned to a key pair
when the public key is bound in a MISSI X.509 public-key
certificate.
Shirey Informational [Page 178]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ Khafre
(N) A patented, symmetric block cipher designed by Ralph C. Merkle
as a plug-in replacement for DES. [Schn]
Tutorial: Khafre was designed for efficient encryption of small
amounts of data. However, because Khafre does not precompute
tables used for encryption, it is slower than Khufu for large
amounts of data.
$ Khufu
(N) A patented, symmetric block cipher designed by Ralph C. Merkle
as a plug-in replacement for DES. [Schn]
Tutorial: Khufu was designed for fast encryption of large amounts
of data. However, because Khufu precomputes tables used in
encryption, it is less efficient than Khafre for small amounts of
data.
$ KLIF
(N) See: key loading and initialization facility.
$ KMID
(I) See: keying material identifier.
$ known-plaintext attack
(I) A cryptanalysis technique in which the analyst tries to
determine the key from knowledge of some plaintext-ciphertext
pairs (although the analyst may also have other clues, such as
knowing the cryptographic algorithm).
$ kracker
(O) Old spelling for "cracker".
$ KSOS, KSOS-6, KSOS-11
(O) See: Kernelized Secure Operating System.
J <- 4. Definitions -> L