Table of Contents
RFC 4949 Internet Security Glossary Definitions K
Return to RFC 4949 Internet Security Glossary Definitions, RFC 4949 Internet Security Glossary, RFC 4949 Internet Security Glossary Bibliography, Cybersecurity, Awesome Security
RFC 4949: #, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (navbar_rfc4949)
([[Fair Use]] [[Source]]: [[RFC 4949])
- KAK
(D) See: key-auto-key. (Compare: KEK.)
([[Fair Use]] [[Source]]: [[RFC 4949])
- KDC
(I) See: Key Distribution Center.
([[Fair Use]] [[Source]]: [[RFC 4949])
- KEA
(N) See: Key Exchange Algorithm.
([[Fair Use]] [[Source]]: [[RFC 4949])
- KEK
(I) See: key-encrypting key. (Compare: KAK.)
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. [R4120, Stei] (See: realm.)
Shirey Informational Page 170]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: Kerberos was originally developed by Project Athena and is named for the mythical three-headed dog that guards Hades. The system architecture includes authentication servers and ticket- granting servers that function as an ACC and a KDC.
RFC 4556 describes extensions to the Kerberos specification that modify the initial authentication exchange between a client and the KDC. The extensions employ public-key cryptography to enable the client and KDC to mutually authenticate and establish shared, symmetric keys that are used to complete the exchange. (See: PKINIT.)
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A small, trusted part of a system that provides services on which the other parts of the system depend. (See: security kernel.)
([[Fair Use]] [[Source]]: [[RFC 4949])
(O) An MLS computer operating system, designed to be a provably secure replacement for UNIX Version 6, and consisting of a security kernel, non-kernel security-related utility programs, and optional UNIX application development and support environments. [Perr]
Tutorial: KSOS-6 was the implementation on a SCOMP. KSOS-11 was the implementation by Ford Aerospace and Communications Corporation on the DEC PDP-11/45 and PDP-11/70 computers.
([[Fair Use]] [[Source]]: [[RFC 4949])
1a. (I) /cryptography/ An input parameter used to vary a transformation function performed by a cryptographic algorithm. (See: private key, public key, storage key, symmetric key, traffic key. Compare: initialization value.)
1b. (O) /cryptography/ Used in singular form as a collective noun referring to keys or keying material. Example: A fill device can be used transfer key between two cryptographic devices.
2. (I) /anti-jam/ An input parameter used to vary a process that determines patterns for an anti-jam measure. (See: frequency hopping, spread spectrum.)
Tutorial: A key is usually specified as a sequence of bits or other symbols. If a key value needs to be kept secret, the sequence of symbols that comprise it should be random, or at least pseudorandom, because that makes the key harder for an adversary to guess. (See: brute-force attack, cryptanalysis, strength.)
Shirey Informational Page 171]
RFC 4949 Internet Security Glossary, Version 2 August 2007
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each can generate the same key value. That is, the method does not send a secret from one entity to the other; instead, both entities, without prior arrangement except a public exchange of data, can compute the same secret value, but that value cannot be computed by other, unauthorized entities. (See: Diffie-Hellman- Merkle, key establishment, KEA, MQV. Compare: key transport.)
2. (O) “A method for negotiating a key value on line without transferring the key, even in an encrypted form, e.g., the Diffie- Hellman technique.” [X509] (See: Diffie-Hellman-Merkle.)
3. (O) “The procedure whereby two different parties generate shared symmetric keys such that any of the shared symmetric keys is a function of the information contributed by all legitimate participants, so that no party [alone] can predetermine the value of the key.” [A9042]
Example: A message originator and the intended recipient can each use their own private key and the other's public key with the Diffie-Hellman-Merkle algorithm to first compute a shared secret value and, from that value, derive a session key to encrypt the message.
([[Fair Use]] [[Source]]: [[RFC 4949])
(N) “The assurance of the legitimate participants in a key agreement [i.e., in a key-agreement protocol that no non- legitimate party possesses the shared symmetric key.” [A9042]
([[Fair Use]] [[Source]]: [[RFC 4949])
(D) “Cryptographic logic [i.e., a mode of operation using previous key to produce key.” [C4009, A1523] (See: CTAK, /cryptographic operation/ under “mode”.)
Deprecated Term: IDOCs SHOULD NOT use this term; it is neither well-known nor precisely defined. Instead, use terms associated with modes that are defined in standards, such as CBC, CFB, and OFB.
([[Fair Use]] [[Source]]: [[RFC 4949])
- key center
(I) A centralized, key-distribution process (used in symmetric cryptography), usually a separate computer system, that uses master keys (i.e., KEKs) to encrypt and distribute session keys needed by a community of users.
Shirey Informational Page 172]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: An ANSI standard [A9017] defines two types of key center: “key distribution center” and “key translation center”.
([[Fair Use]] [[Source]]: [[RFC 4949])
(N) “The assurance provided to] the legitimate participants in a key establishment protocol that the [parties that are intended to share the symmetric key actually possess the shared symmetric key.” [A9042]
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A process that delivers a cryptographic key from the location where it is generated to the locations where it is used in a cryptographic algorithm. (See: key establishment, key management.)
([[Fair Use]] [[Source]]: [[RFC 4949])
- key distribution center (KDC)
1. (I) A type of key center (used in symmetric cryptography) that implements a key-distribution protocol to provide keys (usually, session keys) to two (or more) entities that wish to communicate securely. (Compare: key translation center.)
2. (N) “COMSEC facility generating and distributing key in electrical form.” [C4009]
Tutorial: A KDC distributes keys to Alice and Bob, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the KDC, and © may not be able to generate or acquire keys by themselves. Alice requests the keys from the KDC. The KDC generates or acquires the keys and makes two identical sets. The KDC encrypts one set in the KEK it shares with Alice, and sends that encrypted set to Alice. The KDC encrypts the second set in the KEK it shares with Bob, and either (a) sends that encrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although the latter option is not supported in the ANSI standard [A9017]).
([[Fair Use]] [[Source]]: [[RFC 4949])
(N) A key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called “recovery agents” can perform the decryption operation to retrieve the stored key. Key encapsulation typically permits direct retrieval of a secret key used to provide data confidentiality. (Compare: key escrow.)
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A cryptographic key that (a) is used to encrypt other keys (either DEKs or other TEKs) for transmission or storage but (b) (usually) is not used to encrypt application data. Usage: Sometimes called “key-encryption key”.
Shirey Informational Page 173]
RFC 4949 Internet Security Glossary, Version 2 August 2007
([[Fair Use]] [[Source]]: [[RFC 4949])
- key escrow
(N) A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called “escrow agents”, so that the key can be recovered and used in specified circumstances. (Compare: key encapsulation.)
Tutorial: Key escrow is typically implemented with split knowledge techniques. For example, the Escrowed Encryption Standard [FP185] entrusts two components of a device-unique split key to separate escrow agents. The agents provide the components only to someone legally authorized to conduct electronic surveillance of telecommunications encrypted by that specific device. The components are used to reconstruct the device-unique key, and it is used to obtain the session key needed to decrypt communications.
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) A procedure that combines the key-generation and key- distribution steps needed to set up or install a secure communication association.
2. (I) A procedure that results in keying material being shared among two or more system entities. [A9042, SP56]
Tutorial: The two basic techniques for key establishment are “key agreement” and “key transport”.
([[Fair Use]] [[Source]]: [[RFC 4949])
- Key Exchange Algorithm (KEA)
(N) A key-agreement method [SKIP, R2773] that is based on the Diffie-Hellman-Merkle algorithm and uses 1024-bit asymmetric keys. (See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)
Tutorial: KEA was developed by NSA and formerly classified at the U.S. DoD “Secret” level. On 23 June 1998, the NSA announced that KEA had been declassified.
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A process that creates the sequence of symbols that comprise a cryptographic key. (See: key management.)
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) An algorithm that uses mathematical rules to deterministically produce a pseudorandom sequence of cryptographic key values.
2. (I) An encryption device that incorporates a key-generation mechanism and applies the key to plain text to produce cipher text
Shirey Informational Page 174]
RFC 4949 Internet Security Glossary, Version 2 August 2007
(e.g., by exclusive OR-ing (a) a bit-string representation of the key with (b) a bit-string representation of the plaintext).
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) The number of symbols (usually stated as a number of bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (D) Synonym for “cryptoperiod”.
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 1 because a key's cryptoperiod may be only a part of the key's lifetime. A key could be generated at some time prior to when its cryptoperiod begins and might not be destroyed (i.e., zeroized) until some time after its cryptoperiod ends.
2. (O) /MISSI/ An attribute of a MISSI key pair that specifies a time span that bounds the validity period of any MISSI X.509 public-key certificate that contains the public component of the pair. (See: cryptoperiod.)
([[Fair Use]] [[Source]]: [[RFC 4949])
(N) Synonym for “fill device”.
([[Fair Use]] [[Source]]: [[RFC 4949])
(N) A place where ECU hardware is activated after being fabricated. (Compare: CLEF.)
Tutorial: Before going to its KLIF, an ECU is not ready to be fielded, usually because it is not yet able to receive DEKs. The KLIF employs trusted processes to complete the ECU by installing needed data such as KEKs, seed values, and, in some cases, cryptographic software. After KLIF processing, the ECU is ready for deployment.
([[Fair Use]] [[Source]]: [[RFC 4949])
1a. (I) The process of handling keying material during its life cycle in a cryptographic system; and the supervision and control of that process. (See: key distribution, key escrow, keying material, public-key infrastructure.)
Usage: Usually understood to include ordering, generating, storing, archiving, escrowing, distributing, loading, destroying, auditing, and accounting for the material.
1b. (O) /NIST/ “The activities involving the handling of cryptographic keys and other related security parameters (e.g.,
Shirey Informational Page 175]
RFC 4949 Internet Security Glossary, Version 2 August 2007
IVs, counters) during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.” [FP140, SP57]
2. (O) /OSIRM/ “The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy.” [I7498-2]
([[Fair Use]] [[Source]]: [[RFC 4949])
- Key Management Protocol (KMP)
(N) A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.) Superseded by ISAKMP and IKE.
([[Fair Use]] [[Source]]: [[RFC 4949])
- key material
(D) Synonym for “keying material”.
Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for “keying material”.
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A set of mathematically related keys – a public key and a private key – that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key. (See: Diffie-Hellman-Merkle, RSA.)
Tutorial: A key pair's owner discloses the public key to other system entities so they can use the key to (a) encrypt data, (b) verify a digital signature, or © generate a key with a key- agreement algorithm. The matching private key is kept secret by the owner, who uses it to (a') decrypt data, (b') generate a digital signature, or (c') generate a key with a key-agreement algorithm.
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) /cryptanalysis/ A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis, recovery.)
2. (I) /backup/ Techniques that provide an intentional, alternate means to access the key used for data confidentiality service in an encrypted association. DoD4] (Compare: recovery.)
Tutorial: It is assumed that the cryptographic system includes a primary means of obtaining the key through a key-establishment algorithm or protocol. For the secondary means, there are two classes of key recovery techniques: key encapsulation and key escrow.
Shirey Informational Page 176]
RFC 4949 Internet Security Glossary, Version 2 August 2007
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)
([[Fair Use]] [[Source]]: [[RFC 4949])
- key translation center
(I) A type of key center that implements a key-distribution protocol (based on symmetric cryptography) to convey keys between two (or more) parties who wish to communicate securely. (Compare: key distribution center.)
Tutorial: A key translation center transfers keys for future communication between Bob and Alice, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the center, and © have the ability to generate or acquire keys by themselves. Alice generates or acquires a set of keys for communication with Bob. Alice encrypts the set in the KEK she shares with the center and sends the encrypted set to the center. The center decrypts the set, reencrypts the set in the KEK it shares with Bob, and either (a) sends that reencrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although direct distribution is not supported in the ANSI standard [A9017]).
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) A key establishment method by which a secret key is generated by a system entity in a communication association and securely sent to another entity in the association. (Compare: key agreement.)
Tutorial: Either (a) one entity generates a secret key and securely sends it to the other entity, or (b) each entity generates a secret value and securely sends it to the other entity, where the two values are combined to form a secret key. For example, a message originator can generate a random session key and then use the RSA algorithm to encrypt that key with the public key of the intended recipient.
2. (O) “The procedure to send a symmetric key from one party to other parties. As a result, all legitimate participants share a common symmetric key in such a way that the symmetric key is determined entirely by one party.” [A9042]
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) Derive a new key from an existing key. (Compare: rekey.)
2. (O) Irreversible cryptographic process that modifies a key to produce a new key. [C4009]
Shirey Informational Page 177]
RFC 4949 Internet Security Glossary, Version 2 August 2007
([[Fair Use]] [[Source]]: [[RFC 4949])
1. (I) “The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks.” [A9042] (See: weak key)
2. (D) Synonym for “certificate validation”.
Deprecated Usage: IDOCs SHOULD NOT use the term as a synonym for “certificate validation”; that would unnecessarily duplicate the meaning of the latter term and mix concepts in a potentially misleading way. In validating an X.509 public-key certificate, the public key contained in the certificate is normally treated as an opaque data object.
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A cryptographic hash (e.g., [R1828]) in which the mapping to a hash result is varied by a second input parameter that is a cryptographic key. (See: checksum.)
Tutorial: If the input data object is changed, a new, corresponding hash result cannot be correctly computed without knowledge of the secret key. Thus, the secret key protects the hash result so it can be used as a checksum even when there is a threat of an active attack on the data. There are two basic types of keyed hash: - A function based on a keyed encryption algorithm. Example: Data Authentication Code. - A function based on a keyless hash that is enhanced by combining (e.g., by concatenating) the input data object parameter with a key parameter before mapping to the hash result. Example: HMAC.
([[Fair Use]] [[Source]]: [[RFC 4949])
- keying material
1. (I) Data that is needed to establish and maintain a cryptographic security association, such as keys, key pairs, and IVs.
2. (O) “Key, code, or authentication information in physical or magnetic form.” [C4009] (Compare: COMSEC material.)
([[Fair Use]] [[Source]]: [[RFC 4949])
- keying material identifier (KMID)
1. (I) An identifier assigned to an item of keying material.
2. (O) /MISSI/ A 64-bit identifier that is assigned to a key pair when the public key is bound in a MISSI X.509 public-key certificate.
Shirey Informational Page 178]
RFC 4949 Internet Security Glossary, Version 2 August 2007
([[Fair Use]] [[Source]]: [[RFC 4949])
- Khafre
(N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]
Tutorial: Khafre was designed for efficient encryption of small amounts of data. However, because Khafre does not precompute tables used for encryption, it is slower than Khufu for large amounts of data.
([[Fair Use]] [[Source]]: [[RFC 4949])
- Khufu
(N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]
Tutorial: Khufu was designed for fast encryption of large amounts of data. However, because Khufu precomputes tables used in encryption, it is less efficient than Khafre for small amounts of data.
([[Fair Use]] [[Source]]: [[RFC 4949])
- KLIF
(N) See: key loading and initialization facility.
([[Fair Use]] [[Source]]: [[RFC 4949])
- KMID
(I) See: keying material identifier.
([[Fair Use]] [[Source]]: [[RFC 4949])
(I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as knowing the cryptographic algorithm).
([[Fair Use]] [[Source]]: [[RFC 4949])
- kracker
(O) Old spelling for “cracker”.
([[Fair Use]] [[Source]]: [[RFC 4949])
- KSOS, KSOS-6, KSOS-11
(O) See: Kernelized Secure Operating System.
Fair Use Sources
Cybersecurity: DevSecOps - Security Automation, Cloud Security - Cloud Native Security (AWS Security - Azure Security - GCP Security - IBM Cloud Security - Oracle Cloud Security, Container Security, Docker Security, Podman Security, Kubernetes Security, Google Anthos Security, Red Hat OpenShift Security); Identity and Access Management (IAM), OS Security, Java Security, Security, (Mobile Security: Android Security - Kotlin Security - Java Security, iOS Security - Swift Security; Windows Security - Windows Server Security, Linux Security (Ubuntu Security, Debian Security, RHEL Security, Fedora Security), UNIX Security (FreeBSD Security), IBM z Mainframe Security, Passwords, Linux Passwords, Windows Passwords), Passkeys, Hacking (Ethical Hacking, White Hat, Black Hat, Grey Hat), Pentesting (Red Team - Blue Team - Purple Team), Cybersecurity Certifications (CEH, GIAC, CISM, CompTIA Security Plus, CISSP), Mitre Framework, Common Vulnerabilities and Exposures (CVE), Cybersecurity Bibliography, Cybersecurity Courses, Firewalls, Cybersecurity CI/CD, Functional Programming and Cybersecurity, Cybersecurity and Concurrency, Cybersecurity and Data Science - Cybersecurity and Databases, Cybersecurity and Machine Learning, Cybersecurity Glossary (RFC 4949 Internet Security Glossary), Awesome Cybersecurity, Cybersecurity GitHub, Cybersecurity Topics (navbar_security - see also navbar_aws_security, navbar_azure_security, navbar_gcp_security, navbar_k8s_security, navbar_docker_security, navbar_podman_security, navbar_mainframe_security, navbar_ibm_cloud_security, navbar_oracle_cloud_security, navbar_database_security, navbar_windows_security, navbar_linux_security, navbar_macos_security, navbar_android_security, navbar_ios_security, navbar_os_security, navbar_firewalls, navbar_encryption, navbar_passwords, navbar_iam, navbar_pentesting, navbar_privacy)
Request for Comments (RFC): List of RFCs, GitHub RFCs, Awesome RFCs, (navbar_rfc)
© 1994 - 2024 Cloud Monk Losang Jinpa or Fair Use. Disclaimers
SYI LU SENG E MU CHYWE YE. NAN. WEI LA YE. WEI LA YE. SA WA HE.