|
AES
|
AES (Advanced Encryption Standard) is a new encryption standard being developed by IBM to overcome the
limitations of DES. It uses variable length blocks of data, and keys of 128 to 256 bits. AES is expected to be available in 2000. (see DES)
|
|
AH
|
AH (the Authentication Header) is an IPSec protocol that provides authentication services at the IP layer on a
packet-by-packet basis. (see IPSec).
|
|
authentication
|
This is simply the process of identifying an individual: it ensures that the individual is who they
claim to be and, unlike authorisation, says nothing about their access rights.
|
|
authentication algorithms
|
Examples are MD2/MD5 and SHA1 (see Digital Certificates).
|
|
Axent
|
product suite includes Raptor Firewall
|
|
beTRUSTed
|
beTRUSTed is the name of a security device launched by PricewaterhouseCoopers to safeguard transactions and
communications over the Internet.
|
|
Biometrics
|
Biometrics is the science of using biological properties, such as fingerprints, retina scans and voice, to identify
individuals. With regard to security, biometrics applies to a broad range of techniques that employ human physical characteristics as a means of authentication. A number of such techniques have been developed for
use with computers and include fingerprint readers, iris scanners, voice readers, hand geometry readers and face imaging devices. They are often used in conjunction with other user authentication methods rather than
as a single, exclusive method.
|
|
CA’s
|
CA’s (Certificate Authorities) are trusted 3rd party organisations assuming responsibility for issuing &
managing digital certificates to a user and guaranteeing to some degree that the user granted the certificate is who they claim to be. Examples of CA’s include Baltimore, VeriSign, Thawte, CyberTrust, GTE &
Entrust.
|
|
CA/RA Configuration
|
Some CA’s have a Registration Authority (RA) as part of their implementation. RA’s are essentially
servers that act as a proxy for the CA so that CA functions can continue when the CA is offline.
|
|
CDSA
|
CDSA (Common Data Security Architecture) is a set of layered security services developed by the Open
Group to address Internet and Intranet security.
|
|
Challenge/Response
|
Challenge/Response is an authentication process that verifies an identity by requiring correct authentication
information to be provided in response to a challenge.
|
|
CHAP
|
CHAP (Challenge Handshake Authentication Protocol) is an access protocol that enables a user’s ID and password to be
transmitted in an encrypted form. It forms the basis of a popular authentication method for PPP that uses a randomly generated challenge. This challenge requires a matching response which is dependent upon the
cryptographic hash of the challenge and a secret key.
|
|
CMP
|
CMP (certificate management protocols) is a name applied to the Internet X.509 PKI certificate
protocols.
|
|
CRL
|
CRL (Certificate Revocation List) is a time-stamped list of certificates that have been revoked prior
to their scheduled expiration date and therefore should not be trusted. The CRL is signed by a CA and is made freely available in a public directory. Each revoked certificate is identified by its certificate serial
number. When a certificate is used, a check should be made on its signature and validity and a CRL should be checked to ensure that it does not contain the certificate’s serial number. Entries are added to CRL’s as
revocations occur and are removed once the certificate expiration date has been reached.
|
|
CyberTrust
|
GTE’s CyberTrust
|
|
DES
|
DES (Data Encryption Standard) is a symmetric-key encryption method. Developed by IBM & the US government in the
70’s, it is used mainly in North America. 3DES (aka Triple DES) is a variant of DES which iterates 3 times with 3 separate keys and thereby effectively doubles the strength of DES.
|
|
Digital Certificates (aka Digital ID’s)
|
Digital Certificates, issued and managed by CA’s, can address a number of security concerns. For example, they can
verify the identity & privileges of an individual or organisation on the Internet, provide non-repudiation & authorise transactions such as credit card payments.
|
|
Digital Signatures (aka authentication algorithms)
|
These are digital codes (algorithms) that can be attached to electronic messages to identify the sender and,
like written signatures, authenticate that the sender is who they claim to be. There are 3 major types of digital signature algorithms: the hash-based signature, DSS & RSA.
Digital signatures are electronically generated and can be used to ensure the integrity and authenticity of some
data such as an email message (TrustedMIME) and to provide non-repudiation (TrustedDOC). A digital signature is based on both the signer’s identity and the data being signed, with the signature tying the signer to the data
in such a way that it is infeasible to generate the same signature with a different signer, or with different data.
|
|
DirectoryAlert
|
DirectoryAlert is Netvision’s real-time solution for network security.
|
|
DSA
|
DSA is an acronym for Digital Signature Algorithm.
|
|
DSS Signatures
|
The US government’s DSS (Digital Signature Standard) signature algorithms are (as are RSA signatures) public-key
algorithms. Unlike RSA, DSS is a signature-only system providing only authentication.
|
|
ECC
|
see Elliptic Curve Cryptography
|
|
Elliptic Curve Cryptography
|
Elliptic Curve Cryptography (ECC) is an emerging public-key encryption technology that promises
to offer low-cost, high security connection, compared to RSA, and is expected to support cryptography even in PDA’s. It currently offers the greatest available encryption strength per bit of key-length. In the
future, the cost advantages of having smaller keys - and thus less drain on battery-powered devices - will become more important for sending small e-business messages such as structured financial transactions.
|
|
Encryption
|
Encryption is the translation of data into a secret code using one of two types of encryption: public-key encryption or symmetric
encryption.
|
|
ESP
|
ESP (encapsulating security payload) is an IPSec protocol that provides a number of security services including
confidentiality, traffic flow confidentiality and data origin authentication. (see IPSec).
|
|
Fingerprint Readers
|
Fingerprint readers promise to become a common form of biometric authentication during the present
decade. Users identify themselves to a server by placing a finger on a small reading device which measures various characteristics of the patterns associated with the user’s fingerprint. The server, having compared
these measurements against a registered set of the user’s measurements, is then able to authenticate the user if the two sets of measurements closely correspond to each other. (see Biometrics).
|
|
Firewalls
|
Firewalls are systems designed to prevent unauthorized access to or from a private network. Examples of
firewalls include CheckPoint Firewall-1, Raptor, PIX Firewall, Solstice, Sunscreen and TIS Toolkit.
|
|
GSSAPI (or GSS-API)
|
GSSAPI (the Generic Security Services API) is a standard developed by the IETF to provide a uniform, high-level
interface to security systems such as Kerberos V.
|
|
GTE
|
GTE is a leading CA.
|
|
Hash Signatures
|
Hash-based signatures use a cryptographically secure hash function such as MD-5 (Message Digest 5) or SHA (Secure Hash
Algorithm) to produce a hash value from a file. CyberCoin & Millicent are examples of systems using these less computationally intensive algorithms.
|
|
IBM Registry
|
IBM Registry, IBM’s certification software, uses certificates and public-key digital signatures as the basis for a
variety of service offerings including directory services, time stamping and business archives.
|
|
ICSA
|
the International Computer Security Association
|
|
IDEA
|
IDEA (International Data Encryption Algorithm) is a single-key encryption algorithm. It was
selected, in preference to other algorithms such as DES or RSA, for use in parts of PGP.
|
|
IKE
|
IKE (Internet Key Exchange) is a protocol that is used in conjunction with IPSec and is planned to establish
IPSec based VPNs on the Internet. IKE enhances IPSec by providing additional features and flexibility and by easing IPSec configuration.
|
|
iKP
|
iKP (Internet Key Payments protocol) is an architecture for secure payment over the Internet. It defines
transactions where buyer and seller involve the services of a third party, such as a credit card company, to authorise and administer the transaction.
|
|
Internet Security Protocols
|
Internet Security Protocols (which include SSL, S/MIME, & SET) must be adhered to in order to ensure the
interoperability of certificates in a wide range of applications.
|
|
IPSec
|
IPSec, short for IP Security, is a set of protocols developed to enable the secure exchange of IP packets over
unprotected networks such as the Internet. It is anticipated that IPSec will be widely used in the implementation of VPN’s which are categorised by intranets, extranets and remote dial access.
|
|
Kerberos
|
Developed at the Massachusetts Institute of Technology (MIT), Kerberos is an authentication system designed to
enable two parties to securely exchange private information across an otherwise open network. It works by assigning a unique key (‘ticket’) to each user logging on to the network which is then embedded in messages to
identify the sender of the message. The Kerberos server (a ‘trusted third-party server’) comprises two parts: an authentication server (which verifies identities) & a ticket-granting server (which grants
permission to access various servers and applications on the network).
|
|
Key
|
A key is a string of bits used widely in cryptography to enable the encryption & decryption of data.
|
|
management algorithms
|
RSA, DSA, Diffie-Hellman, IKE, etc.
|
|
Millicent
|
Millicent is DEC’s microcash payment system based on hash-signatures.
|
|
MIME
|
acronym for Multi-purpose Internet Mail Extension (see Internet security protocols).
|
|
non-repudiation
|
Non-repudiation is a legally binding proof of messages sent over the Internet and means that an individual cannot
easily deny involvement in a transaction. As such, it is a facility that is vital to companies conducting business electronically. A non-repudiation facility, such as that provided by TrustedDOC, goes beyond simply
providing integrity and authentication services by using digital signatures to provide additional evidence to counter any potential attempts at repudiation. (see digital signatures).
|
|
PCT
|
PCT (Private Telecommunication Technology) is a protocol developed by Microsoft and Visa for secure
communications over the Internet.
|
|
PGP
|
PGP (Pretty Good Privacy) is a public-key based authentication and encryption method that is well suited to e-mail,
EDI & EFT. It is becoming widely used in the USA as a means of protecting messages on the Internet.
|
|
PKCS
|
PKCS (Public-Key Cryptography Standards) are specifications which should be incorporated within a CA’s technology to
accelerate the deployment of public-key cryptography & ensure worldwide interoperability with leading Internet applications. They were developed by an informal consortium including Apple, DEC, Lotus, MIT,
RSA & Sun Microsystems.
|
|
PKI
|
PKI (Public Key Infrastructure) is a framework of methods that combines all aspects of network security (including
cryptographic methods, digital certificates, CA’s, and appropriate management facilities for issues such as non-repudiation of business transactions and revocation of misused certificates) into a single, easy
to manage system for exchanging information securely within a network. With the increasing exchange of information that relates to B2B transactions, a PKI is likely to be one of the most critical
security-related investments that enterprises will need to make in the next few years.
As enterprises may need to handle many thousands of digital certificates in order to authenticate the identity of
their suppliers and customers, a PKI system must have considerable capacity, including the use of a powerful directory function for storage and access to all the relevant information. A company’s PKI is
often used to complement its firewall, which unlike the PKI is unable to afford protection against the majority of security problems that arise inside the firewall.
|
|
PKIX
|
PKIX (PKI for X.509 certificates) is an X.509-based PKI; it is based on digital certificates conforming to the X.509
standard from the ITU. The PKIX initiative has been supported by major associations, vendors and security users including IBM, Intel, Sun Microsystems, Netscape, JP Morgan, DASCOM, General Motors and ICSA.
|
|
PKI World
|
PKI World (also known as the Baltimore Interoperability Program) is an initiative driven by Baltimore
Technologies to promote interoperability in PKI technology by bringing together companies who are building products based on open industry standards. (see PKI)
|
|
Private Key
|
The private key is one of the pair of keys that is used by public key encryption (or cryptography).
The private key is for the sole use of the owner and must be kept secret. The private key, which may be stored on a floppy disk, hard-drive or smartcard, is used to decrypt data and generate digital signatures. (see
Public-key encryption & digital signatures)
|
|
PSEs
|
PSEs (Personal Security Environments), which can be located on a hard disk, diskette or smart
card, contain a user’s private key and may also contain other personal security details such as their certificate or their CA’s certificate.
|
|
Public Key
|
The public key is one of the pair of keys that is used by public key encryption (or cryptography).
The public key can be made widely available to the public and can be distributed in the form of an X.509 public key certificate. It is used to encrypt data and verify digital signatures. (see Public-key encryption,
digital signatures and X.509)
|
|
Public-key encryption (aka Diffie-Hellman or Asymmetric encryption)
|
This is a cryptographic system that uses 2 keys: a public key known to everyone and a private key known only
to the recipient. Only the public key can be used to encrypt messages and only the corresponding private key can decrypt them. As a result of the security they provide, public-key systems are becoming a popular
means of transmitting information over the Internet. It is sometimes called Diffie-Hellman encryption after its inventors.
|
|
RADIUS
|
RADIUS (Remote Authentication Dial-In User Service) is an Internet security authentication protocol, based on the
challenge-response method, that was developed by the IETF and is used widely by many ISP’s. The RADIUS protocol carries a dial-in user’s authentication, authorisation & configuration information.
|
|
RSA Signatures
|
RSA is a public-key encryption technology or signature algorithm developed by and named after three professors at
MIT in 1977 (Rivest, Shamir & Adleman). It has since become the de facto industry standard for encryption, especially of Internet transmitted data. RSA has been built into a number of software products including
Netscape Navigator & Internet Explorer. The development of the RSA algorithm led to the formation of RSA Data Security which merged with Security Dynamics Technologies in September 1999 to create RSA Security
Inc., a market leader in e-Security.
|
|
RSA Keon
|
RSA Security’s family of PKI products which enable, facilitate & extend the use of digital certificates across
organisations and applications.
|
|
SDSI
|
SDSI (Simple Distributed Security Infrastructure) is a system that uses public key cryptology combined
with mechanisms for defining groups and group membership for certificates.
|
|
Secret Key Cryptography
|
Secret key (or symmetric) cryptography uses the same key for encryption and decryption of data. The
best-known secret key algorithm is DES which was developed by IBM in 1977. Although secret key (or DES) cryptography is very successful, it has posed a number of difficulties that have led to the use of the more
advanced public key cryptography. The issues include the frequent need to change the secret keys to avoid the risk of the keys being compromised and difficulties in securely generating and distributing the secret
keys and in easily providing support for strong authentication. (see DES)
|
|
Security oriented protocols
|
examples of these are IPSec, SSL, TLS, IKE
|
|
SEPP
|
SEPP (Secure Electronic Payments Protocol) is an open specification for secure bank card transactions
over the Internet that was jointly developed by IBM, Netscape, GTE, Cybercash and MasterCard. Building on the iKP protocol, SEPP messages are transmitted as Multi-purpose Internet Mail Extensions (MIME) attachments.
(see iKP and MIME).
|
|
SESAME
|
SESAME (Secure European System for Applications in a Multi-vendor Environment) is a security specification which
resulted from a European research and development project that extended Kerberos by adding authorisation and access services. SESAME is consequently similar to Kerberos albeit more comprehensive. (see
Kerberos).
|
|
SET
|
The SET (Secure Electronic Transaction) protocol, used by the credit card companies to ensure secure credit card
transactions over the Internet, represents one of the most sophisticated uses of digital signatures. It provides a mechanism for credit card numbers to be transferred directly to the credit
card issuer for verification and billing without allowing the vendor to see the number. Jointly developed & endorsed by Visa & MasterCard (with some help from industry), SET makes provisions for both
corporate certificate authorities and geopolitical certificate authorities.
|
|
S-HTTP
|
S-HTTP (Secure-HTTP) is a protocol for transmitting private data securely over the Internet. It differs from SSL in
that it is designed only to transmit individual messages securely.
|
|
SiteMinder
|
SiteMinder is Netegrity’s flagship product for managing and securing e-commerce portals (including B2B, B2C &
Intranet portals).
|
|
Smartcard
|
A smartcard is a card, not much bigger than a credit card, that contains a computer chip that can store or process
information. Smartcards are being increasingly used by companies in conjunction with the firewall and PKI to enable users, including remote salesmen and teleworkers, to identify themselves securely and
electronically.
|
|
S/MIME
|
S/MIME (Secure Multipurpose Internet Mail Extension) is an e-mail protocol, developed by RSA Data Security, to
provide a secure e-mail environment that ensures the privacy of message contents and attachments. (see Internet security protocols).
|
|
SonicWALL
|
SonicWALL Inc’s firewall of the same name that provides Internet security for broadband customers in
the SME market.
|
|
SSH
|
SSH (Secure Shell) is a protocol used for providing authentication and secure communications over insecure
channels.
|
|
SSL
|
SSL (Secure Sockets Layer) is a protocol developed by Netscape to transmit private data securely over the
Internet. SSL works by securing the connection between a client and a server thereby enabling any amount of data to be sent securely. SSL is supported by both Netscape Navigator & Internet Explorer and is
used by many Web-sites to authenticate confidential user information such as credit card details. (See S-HTTP).
|
|
SST
|
SST (Secure Transaction Technology) is a secure payment protocol developed by Microsoft and Visa to
work in conjunction with the PCT protocol (see PCT).
|
|
S/WAN
|
Secure Wide Area Network
|
|
TIP
|
In order to build trust, CA’s must have in place requisite TIP (i.e. technology, infrastructure & practices).
|
|
Triple DES (aka 3DES)
|
Triple DES is an encryption configuration in which the DES algorithm is used three times with three
different keys. (see DES)
|
|
TrustedDOC
|
TrustedDOC is SSE’s e-Business product that utilises leading digital signature technologies to produce
trustworthy digitally signed documents for use in e-Business environments. It allows identification of the signatory and the authentication of the data that was signed. In addition, it has a Trusted Timestamp
feature that pinpoints the time of signing and ensures validation of the document many years after signing. (see digital signatures)
|
|
TrustedMIME
|
TrustedMIME is SSE’s plug-in for existing mail systems that provides strong encryption, authentication
and smart card support. It thereby provides a highly cost-effective means of establishing a highly secure channel for internal and external business communications. It is regarded as an excellent solution for those
seeking to easily add S/MIME encryption to their messaging solutions. (see S/MIME)
|
|
TrustedWEB
|
TrustedWEB is SSE’s Internet security solution.
|
|
Tumbleweed Messaging Solutions
|
Tumbleweed Communications’ secure e-mail solutions which enable enterprises to connect safely to anyone on the
Internet.
|
|
UniCert
|
UniCert is Baltimore Technologies’ comprehensive, interoperable PKI security solution for e-business. It is
recognised by many as the world’s leading PKI technology. As a policy driven Certificate Management System, it enables companies to define all policies within their PKI. UniCert consists of a
highly secure Certificate Authority and a number of other modules which allow for comprehensive certificate registration, management of users and seamless integration with other secure software systems.
|
|
VeriSign
|
VeriSign is one of the leading CA’s and is recognised for its advanced technology for digital certificate management
which is based on its ECAS certificate management architecture.
|
|
VPN’s
|
VPN’s (Virtual Private Networks) physically enable private networks to be extended to encompass remote sites by
connecting them through the Internet; they manage this by enabling IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. In this way, VPN’s enable
customers, business partners & remote users to securely access enterprise computing resources.
They are called ‘virtual’ as it appears that there exists a separate, private network whereas the reality is that
the company’s VPN is part of a big mesh and is physically sharing lines with many other companies. The trend is expected to move away from companies having their own private enterprise network based on leased lines
towards outsourcing the running of them to Telcos and Service Providers.
|
|
X.509
|
X.509 is a standard which should be incorporated into a CA’s technology to ensure worldwide interoperability
with leading Internet applications. Although it is the most widely used standard for defining digital certificates, it has not yet been officially defined or approved resulting in different implementations by
companies including Netscape & Microsoft.
|