Glossary: Terms from A-Z
Active Directory (AD)
Microsoft directory service
Advanced Encryption Standard (AES)
Symmetric-key encryption algorithm used, for example, in SSH and IPsec.
Access Point Name (APN)
Name of a gateway between a GSM, GPRS, 3G or 4G mobile network and another computer network, e.g. the public Internet.
Application Programming Interface (API)
A computer interface for a software component or system.
Authentication
Authentication is the act of proving the identity of a system, a user, a client or a server.
Basic Input/Output System (BIOS)
Firmware stored in a ROM chip on the motherboard that starts up a computer system and provides access to its basic setup.
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) is a concept allowing employees of a company or organization to use their private devices for work. Of course, this is subject to compliance with the relevant guidelines and requirements.
Bundesamt für Sicherheit in der Informationstechnik (BSI)
The Bonn-based German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is a German higher federal authority affiliated with the Federal Ministry of the Interior.
The BSI is responsible for protecting the German Federation's networks as well as detecting and defending against attacks on government networks. Its areas of responsibility include computer application security, critical infrastructure protection, Internet security, cryptography, counter eavesdropping, accreditation of security test laboratories and approval of security products.
Central Processing Unit (CPU)
The electronic circuitry of a computer executing all instructions it receives from hardware and software running on a computer.
Certificate Authority (CA)
An entity in cryptography that issues digital certificates confirming the ownership of a public key by the named subject of the certificate.
Certificate Management over CMS (CMC)
IETF-published Internet standard defining transport mechanisms for cryptographic message syntax (CMS).
Certificate Revocation List (CRL)
List of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their validity expires and should no longer be trusted.
Critical Infrastructures (KRITIS)
Short term for critical infrastructures, i.e. facilities or organizations of great importance to the community whose failure would have serious consequences for society and the state order.
Domain Name System (DNS)
Hierarchical naming system that resolves Internet domain names into Internet Protocol (IP) addresses.
Dynamic Host Configuration Protocol (DHCP)
Communication protocol used by servers to assign the network configuration to clients.
Elliptic Curve Cryptography (ECC)
ECC is an asymmetric cryptographic method that generates key pairs using mathematical operations on points of elliptic curves. Key generation and cryptographic operations are faster, and keys are shorter, than with the RSA method. ECC is mainly used in X.509 certificates and in encryption procedures.
Enrollment over Secure Transport (EST)
A cryptographic X.509 certificate management protocol targeting PKI clients that need to acquire client certificates and associated CA certificates (defined in RFC 7030; successor to SCEP).
EU RESTRICTED
Protection level for EU classified information (EUCI) marked "RESTREINT UE/EU RESTRICTED": the unauthorised disclosure of this information could be disadvantageous to the interests of the EU or one or more of the member states.
Fat Client
A fully equipped, powerful desktop computer with local software and its own resources such as computing power, memory and network connectivity. This contrasts with the thin client, a simply built computer without mass storage of its own that uses the computing power of a server connected via the network.
Hardware Security Module (HSM)
Internal or external peripheral device for the efficient and secure execution of cryptographic operations or applications.
HMAC-based One-Time Password Algorithm (HOTP)
Method for generating counter-based one-time passwords using the Keyed-Hash Message Authentication Code (HMAC).
Internet of Things (IoT)
Collective term for a network of physical objects (things) equipped with sensors, software and other technologies to connect and exchange data with other devices and systems via the Internet.
Internet Protocol (IP)
Network layer communication protocol of the Internet protocol suite for routing data packets from the source host to the destination host based on the IP addresses in the packet headers. IP is the implementation of the Internet layer of the TCP/IP model.
Internet Protocol Security (IPsec)
IPsec is a suite of protocols, standards and protocol extensions for the Internet Protocol used for secure communication in IP networks.
IPsec allows data to be transmitted securely over potentially insecure IP networks such as the Internet by encrypting data packets and authenticating clients or servers. IPsec is used to implement different Virtual Private Network (VPN) architectures such as host-to-host, host-to-gateway or LAN-to-LAN VPNs. IPsec reliably prevents attacks such as IP spoofing and replay attacks.
Key Management
Management of symmetric or asymmetric cryptographic keys in a cryptosystem. The security of encrypted communication or data depends directly on key management: it ensures the confidentiality of the keys and verifies their authenticity. A key management system can generate, store, provide, exchange and protect large numbers of keys.
Local Area Network (LAN)
A network connecting computers in a restricted area such as a home, school, or office building.
Master Boot Record (MBR)
A special type of boot sector located in the first sector of a partitionable storage medium and containing a startup program for BIOS-based computers (IBM PC-compatible computers) and a partition table.
Multi-Factor Authentication (MFA)
Multi-factor Authentication (MFA) is an authentication method that requires a client to provide two or more pieces of evidence (factors) to an authentication mechanism to gain access to a resource such as an application, a website, or a VPN.
MFA is a key component of strong identity and access management (IAM) and combines two or more of the following authentication factors:
- something only the user knows (knowledge)
- something only the user has (possession)
- something only the user is (inherence)
NATO RESTRICTED (NR)
Protection of NATO classified information (treated as VS-NfD in Germany).
Network Address Translation (NAT)
A method by which a traffic-routing device such as a firewall assigns a public IP address to a computer or group of computers located in a private network. NAT is mainly used to limit the number of public IP addresses needed in the face of IPv4 address exhaustion.
Network Time Protocol (NTP)
Network protocol for synchronizing clocks in computer systems over packet-based communication networks.
Object identifier (OID)
A worldwide unique identifier for naming an information object.
One-Time Password (OTP)
A dynamic password that is valid for only one authentication operation for network access. Consequently, any new authentication requires a new one-time password.
Common OTP approaches are either based on time synchronization between the authentication server and the client, such as TOTP, or use mathematical algorithms to generate a new password based on the previous one, such as HOTP.
Online Certificate Status Protocol (OCSP)
A network protocol used by clients to query the revocation status of X.509 certificates. An OCSP responder can be used to query in real time whether certificates (or certificate chains) used for signature verification, client/server identification, or encryption have been revoked before the end of their regular validity period or have expired. OCSP has largely replaced the CRL for checking certificate status.
PC over IP (PCoIP)
PCoIP is a UDP-based, host-rendered multi-codec protocol developed by Teradici and licensed by VMware to deliver desktops in VMware's VDI product VMware View. Images rendered on the server are captured as pixels, compressed, encoded and then sent to the client for decoding and decompression. The protocol also dynamically adapts its encoding to the available bandwidth.
Privacy Enhanced Mail (PEM)
A base64-encoded file format for storing cryptographic keys, certificates, certificate chains, and other data.
Public Key Infrastructure (PKI)
A combination of roles, policies, hardware, software, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and to manage public key encryption. The purpose of a PKI is to enable the secure electronic transmission of information, e.g. for e-commerce, Internet banking, and confidential email. It is required wherever simple passwords are an insufficient authentication method and more rigorous proof is needed to confirm the identity of the parties involved in the communication and to validate the information being transmitted.
Remote Authentication Dial-in User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management. RADIUS runs at the application layer and can use either TCP or UDP. A RADIUS server is a centralized authentication server to which services turn for client authentication.
RADIUS is often the backend of choice for the central authentication of connections via VPN, WLAN (according to IEEE 802.1X) or DSL.
Remote Desktop Protocol (RDP)
The Remote Desktop Protocol (RDP) is a proprietary network protocol developed by Microsoft for remote access to computers. It transmits the screen content of a remote computer system and provides functions for peripheral devices (keyboard, mouse, headset, printer) as well as data exchange (clipboard). The user employs RDP client software for this purpose, which Microsoft calls Remote Desktop Connection, while the other computer must run RDP server software such as RDS.
Remote Desktop Services (RDS)
A feature of Microsoft Windows Server, known as Terminal Services in Windows Server 2008 and earlier. RDS is Microsoft's implementation of a thin client architecture, in which Windows software and the entire desktop of the computer running RDS are made accessible to any remote client machine that supports RDP. A connection broker manages the virtual machines and distributes the user session load by directing each user connection to the appropriate virtual machine.
Remote Desktop Session Host (RDSH)
A role within RDS. RDSH servers provide applications or desktops that users can access. RDSH servers can be grouped to provide remote apps or session-based desktops.
Rivest Shamir Adleman (RSA)
Asymmetric cryptographic method that generates a key pair from large prime numbers and performs its operations using modular exponentiation. It is named after the mathematicians Ronald L. Rivest, Adi Shamir and Leonard Adleman. The RSA method is mainly used in X.509 certificates and in hybrid encryption methods for the secure exchange of symmetric keys.
Secure Shell (SSH)
Secure Shell (SSH) is a cryptographic network protocol for secure operation of network services over unsecured networks.
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are encryption protocols for secure data transmission on the Internet. The SSL protocol was originally developed by Netscape Communications Corporation for its browser. The IETF standards organization continued its development and renamed it Transport Layer Security (TLS). The protocol is therefore referred to as SSL, TLS or SSL/TLS.
SSL/TLS operates in a client-server mode and allows the following security objectives to be met:
- server authentication
- confidentiality of the exchanged data
- integrity of the exchanged data
- optionally, client authentication
Thin Client
A thin client is a simple computer, usually without mass storage such as a local hard disk, that has been optimized for working in a remote, server-based computing environment and uses the applications and computing power of the network-connected server. Thin clients are most often used in conjunction with a terminal server.
This contrasts with the fat client, a traditional personal computer that has considerable local computing power.
Time-based One-Time Password Algorithm (TOTP)
Method for generating one-time passwords that uses the current time as the source of uniqueness, based on the Keyed-Hash Message Authentication Code (HMAC).
Transmission Control Protocol (TCP)
TCP is a connection-oriented transport protocol that defines how data is exchanged between network components. "Connection-oriented" means that a connection must be established between sender and receiver before data can be transmitted.
TCP runs on top of the Internet Protocol, which is why the model is often referred to as TCP/IP. Application programs first hand messages or data streams to the transport layer protocol. TCP divides the data into smaller packets and forwards them to the next layer down, the network layer with the Internet Protocol; on the receiving side the packets are reassembled in the correct order.
TCP contains mechanisms for solving many problems that occur in packet-based data transmission, e.g. for lost packets, packets in wrong order, duplicate packets or damaged packets. TCP thus guarantees the integrity of data sent over the network, regardless of the amount of data.
Two-factor Authentication (2FA)
2FA is an authentication method that requires a client to provide two pieces of evidence (factors) to an authentication mechanism to gain access to a resource such as an application, a website, or a VPN.
2FA adds an extra layer of security and includes two of the following authentication factors:
- something only the user knows (knowledge)
- something only the user has (possession)
- something only the user is (inherence)
Unified Extensible Firmware Interface (UEFI)
Specification for a software interface between a computer's firmware and operating system (OS). On some motherboards, UEFI replaces BIOS which was originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for old BIOS services (legacy boot).
UEFI offers many advantages over BIOS: standard networking features, a high-resolution graphical user interface, integrated management of multiple OS installations, a secure boot mechanism, and the ability to use large disk partitions of more than 2 TB.
Uniform Resource Identifier (URI)
A unique sequence of characters used by web technologies to identify a specific resource (web pages, other files, web service calls, email recipients, etc.).
Uniform Resource Locator (URL)
A URL, commonly referred to as a web address, is a uniform string of characters that identifies a resource on the World Wide Web by its location and specifies the Internet protocol for retrieving the resource (for example, http or https).
Universal Mobile Telecommunications System (UMTS)
Third-generation (3G) mobile cellular network standard.
Universal Serial Bus (USB)
An industry standard for a bit-serial data transmission system for interconnection, communication, and power supply (interfaces) between computers, peripherals, and other devices.
User Datagram Protocol (UDP)
UDP is a connectionless transport protocol that defines how data is exchanged between network components. "Connectionless" means that no connection has to be established between sender and receiver before data is transmitted.
UDP runs on top of the Internet Protocol. As with TCP, application programs hand data to the transport layer protocol, which UDP forwards in smaller packets (datagrams) to the Internet Protocol. Unlike TCP, UDP has no mechanisms for handling lost packets or the like, and it cannot reassemble data packets in the correct order. It is therefore mainly used for DNS requests, VPN connections or audio and video streaming, where its simplified operation makes it faster and occasional data loss is acceptable.
Virtual Desktop Infrastructure (VDI)
A virtual desktop infrastructure (VDI) is a data center infrastructure that hosts virtual machines for provisioning and managing virtual desktops on a central server. The clients can be PCs, tablets or thin clients.
Virtual Private Network (VPN)
A virtual private network (VPN) extends a private network over a public network and allows users to send and receive data over shared or public networks as if their computing devices were directly connected to the private network. A VPN is established by setting up a virtual point-to-point connection using tunneling protocols and/or software such as IPsec or OpenVPN over existing networks. Tunnel endpoints must be authenticated before secure VPN tunnels can be established; network-to-network tunnels often use passwords and/or digital certificates. The encrypted connection allows the secure transmission of sensitive data, prevents unauthorized persons from snooping on data traffic, and enables remote working.
VS-NfD
VS-NfD stands for „Verschlusssachen – nur für den Dienstgebrauch“ (classified information, for official use only) and is the lowest of the four classification levels for public authorities and federal agencies in Germany. Information marked VS-NfD may only be viewed by authorized persons.
Wireless Local Area Network (WLAN)
A computer network connecting two or more devices wirelessly to form a local area network (LAN) within a limited area such as a home, school, or office building.