|
Delegated Credential
Delegated credential is a short-lived Transport Layer Security, TLS Public key certificate, certificate used to improve security by faster recovery from private key leakage, without increasing the Network delay, latency of the TLS handshake. It is currently an Internet Engineering Task Force, IETF Internet Draft, and has been in use by Cloudflare and Facebook, with browser support by Firefox. Motivation Modern websites and other services use content delivery networks (CDNs), which are servers potentially distributed all over the world, in order to respond to a user's request as fast as possible, alongside other services that CDNs provide such as DDoS mitigation. However, in order to establish a Transport Layer Security, secure connection, the server is required to prove possession of a private key associated with a certificate, which serves as a chain of trust linking the public key and a trusted party. The trusted party is normally a certificate authority (CA). CAs issue these Pu ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible. The TLS protocol aims primarily to provide security, including privacy (confidentiality), integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications. It runs in the presentation layer and is itself composed of two layers: the TLS record and the TLS handshake protocols. The closely related Datagram Transport Layer Security (DTLS) is a communications protocol that provides security to datagram-based applications. In technical writing, references to "(D)TLS" are often seen when it applies to both versions. TLS is a proposed Internet Engineering Task Force (IETF) standard, fir ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Chain Of Trust
In computer security, a chain of trust is established by validating each component of hardware and software from the end entity up to the root certificate. It is intended to ensure that only trusted software and hardware can be used while still retaining flexibility. Introduction A chain of trust is designed to allow multiple users to create and use the software on the system, which would be more difficult if all the keys were stored directly in hardware. It starts with hardware that will only boot from software that is digitally signed ( bootloader). The signing authority will only sign boot programs that enforce security, such as only running programs that are themselves signed, or only allowing signed code to have access to certain features of the machine. This process may continue for several layers. This process results in a chain of trust. The final software can be trusted to have certain properties because if it had been illegally modified its signature would be inva ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Cryptographic Protocols
A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program. Cryptographic protocols are widely used for secure application-level data transport. A cryptographic protocol usually incorporates at least some of these aspects: * Key agreement or establishment * Entity authentication * Symmetric encryption and message authentication material construction * Secured application-level data transport * Non-repudiation methods * Secret sharing methods * Secure multi-party computation For example, Transport Layer Security (TLS) is a cryptographic protocol that is used to secure web (HTTPS) connections. It has an entity authentication mechanism, based on the ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Cryptographic Agility
In cryptographic protocol design, cryptographic agility or crypto-agility is the ability to switch between multiple cryptographic primitives. A cryptographically agile system implementing a particular standard can choose which combination of primitives to use. The primary goal of cryptographic agility is to enable rapid adaptations of new cryptographic primitives and algorithms without making disruptive changes to the system's infrastructure. Cryptographic agility acts as a safety measure or an incident response mechanism for when a cryptographic primitive of a system is discovered to be vulnerable. A security system is considered crypto-agile if its cryptographic algorithms or parameters can be replaced with ease and is at least partly automated. The impending arrival of a quantum computer that can break existing asymmetric cryptography is raising awareness of the importance of cryptographic agility. Example The X.509 public key certificate illustrates crypto-agility. A public k ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Ed25519
In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public-domain software. Summary The following is a simplified description of EdDSA, ignoring details of encoding integers and curve points as bit strings; the full details are in the papers and RFC. An EdDSA signature scheme is a choice: * of finite field \mathbb_q over odd prime power q; * of elliptic curve E over \mathbb_q whose group E(\mathbb_q) of \mathbb_q-rational points has order \#E(\mathbb_q) = 2^c \ell, where \ell is a large prime and 2^c is called the cofactor; * of base point B \in E(\mathbb_q) with order \ell; and * of cryptographic hash functi ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Hardware Security Module
A hardware security module (HSM) is a physical computing device that safeguards and manages secrets (most importantly digital keys), and performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips. Design HSMs may have features that provide tamper evidence such as visible signs of tampering or logging and alerting, or tamper resistance which makes tampering difficult without making the HSM inoperable, or tamper responsiveness such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing, or a combination of chips in a module that is protected by the tamper evident, tamper resistant, or tamper responsive packaging. A ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Key Signature (cryptography)
In cryptography, a key signature is the result of a third-party applying a cryptographic signature to a representation of a cryptographic key. This is usually done as a form of assurance or verification: If "Alice" has signed "Bob's" key, it can serve as an assurance to another party, say "Eve", that the key actually belongs to Bob, and that Alice has personally checked and attested to this. The representation of the key that is signed is usually shorter than the key itself, because most public-key signature schemes can only encrypt or sign short lengths of data. Some derivative of the public key fingerprint may be used, i.e. via hash functions. See also *Key (cryptography) *Public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes the public key and informati ... {{crypto-stub Key management [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Mirror Site
Mirror sites or mirrors are replicas of other websites. The concept of mirroring applies to network services accessible through any protocol, such as HTTP or FTP. Such sites have different URLs than the original site, but host identical or near-identical content. Mirror sites are often located in a different geographic region than the original, or upstream site. The purpose of mirrors is to reduce network traffic, improve access speed, ensure availability of the original site for technical or political reasons, or provide a real-time backup of the original site. Mirror sites are particularly important in developing countries, where internet access may be slower or less reliable. Mirror sites were heavily used on the early internet, when most users accessed through dialup and the Internet backbone had much lower bandwidth than today, making a geographically-localized mirror network a worthwhile benefit. Download archives such as Info-Mac, Tucows and CPAN maintained worldwide ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Certificate Revocation
In public key cryptography, a public key certificate, certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker could exploit such a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure. Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation. For distributing revocation information to clients, the timeliness of the discovery of revocation (and hence the window for an attacker to exploit a compromised certificate) trades off against resource usage in querying revocation statuses and privacy concerns. If revocation information is unavailable (either due to an accident or an attack), clients must decide whether to ''fail-hard'' and treat a certificate as if it is revoked (and so degrade availability) or to ''fail-soft'' and treat it as unrevoked (and allow attackers to sideste ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Man-in-the-middle Attack
In cryptography and computer security, a man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, where in actuality the attacker has inserted themselves between the two user parties. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. In this scenario, the attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within range of a Wi-Fi access point hosting a network without encryption could insert themselves as a man in the middle. ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Certificate Authority
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard. One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents. Overview Trusted certificates can be used to create secure connections to a server via the Internet. A certificate is ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
DDoS Mitigation
DDoS mitigation is a set of network management techniques and tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. DDoS attacks are a constant threat to businesses and organizations, delaying service performance or shutting down websites entirely. DDoS mitigation works by identifying baseline conditions for network traffic by analyzing "traffic patterns" to allow threat detection and alerting. DDoS mitigation also requires identifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. This process involves comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and browser fingerprints. After the attack is detected, the next process is filtering. Filtering can be done through anti-DDoS technology like connection tracking, IP reputation lists, deep ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
