
TLS and Crypto Terminology

Jens Alfke edited this page Jul 7, 2020 · 1 revision

Here's a quick rundown of the alphabet soup involved in secure connections, certificates, and public-key crypto.

  • ASN.1: A rather nasty old structured data format. You can think of it as being like JSON or XML. It has multiple possible encodings, but everyone uses DER. ("Abstract Syntax Notation One".)
  • BER: A binary encoding of ASN.1 data. ("Basic Encoding Rules".)
  • Certificate or Cert: A small structured document that publicly associates an identity (like a DNS name, email address, username...) with a public key. The cert contains the public key and enough metadata to identify the holder (its subject), and is signed by an issuer. The interpretation of a cert is "I [issuer] assert that [subject] is known to me and has the public key [key]."
  • Certificate Authority (CA): A trusted service that signs other certs (acting as their issuer), extending its trust to them. A CA has its own cert or certs that have been signed by a higher CA (unless it's a root!); these certs are used only for signing, not for connecting.
  • Certificate Chain: A list of certificates that establishes trust. The first ("leaf") cert is the one being verified; the last is a root cert that the recipient already trusts. Each cert's issuer is the next cert's subject, i.e. each cert is signed by the owner of the next one in the chain, so if you trust cert n+1 you can also trust cert n. This transitively extends trust back to the leaf.
  • Certificate Verification: The process of determining whether a cert you've received can be trusted. Involves schema validation, looking at the expiration date, making sure it hasn't been revoked, and finally constructing a cert chain back to a trusted root cert.
  • Client Certificate: A cert presented by the client (initiating) side of a TLS connection to identify itself to the server (listener). This is optional, and basically never used by web browsers, but it's a very secure login mechanism.
  • CSR: A Certificate Signing Request: a document containing a public key and identifying data like a name/address, which a Subject sends to an Issuer. The Issuer makes sure the data is correct and then signs the CSR with its CA cert's private key, producing the actual certificate.
  • DER: A canonical binary encoding of ASN.1 data. It's BER plus some rules that resolve ambiguity, so that the same data always results in the exact same bytes, which is crucial for signing. ("Distinguished Encoding Rules".)
  • Issuer: The entity that signs a certificate, thereby vouching for its Subject. Usually a Certificate Authority.
  • Key-Pair: The combination of a matching public and private key. Generated as a unit.
  • PEM: A data format for encoding certs and keys in ASCII. Looks like hard-wrapped base64 with header/footer lines. ("Privacy-Enhanced Mail".)
  • PKI: Public-Key Infrastructure. A blanket term for all the systems that make certificates and public-key crypto usable, like root certs and CAs.
  • Private Key: The half of a key-pair that must be kept secret. It's used to sign data, and to decrypt data encrypted by the public key.
  • Public Key: The half of a key-pair that can be shared publicly. It's used to verify signatures made by the private key, and to encrypt data that can be decrypted with the private key.
  • Root Certificate: A globally-known certificate that everyone implicitly trusts. There are a small number of these, owned by big security vendors like Verisign, and their private keys are (literally) locked in safes. Every browser and operating system has a set of these certs, because they're needed to verify all the other certs.
  • RSA: The most common public-key encryption algorithm. (Named for its inventors: Rivest, Shamir and Adleman.) Dates from the late '70s. It's slow and its keys are awkwardly large; newer Elliptic-Curve algorithms are better.
  • Self-Signed Certificate: A cert whose issuer is the same as its subject, i.e. it's signed by its own key. It can only form the end of a cert chain; you have to decide on your own whether to trust it. The advantage of these is that they can be created instantly without requiring anyone else to sign them. (Root certificates are a special type of self-signed cert.)
  • Signature: A small data blob generated from a piece of data by a private key. Like a digest, in that it's essentially unique to that specific source data, but better in that it can only be created by that specific key. The matching public key can be used to verify the signature, proving that it was generated from exactly that source data by that exact private key.
  • Subject: The entity that a certificate is about; its owner, the one who knows its private key.
  • TLS: The protocol that encrypts data over a TCP socket and authenticates the server (and optionally the client). Formerly known as SSL. ("Transport Layer Security".)
  • X.509: A standardized type of certificate, defined as an ASN.1 schema, used in TLS.
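The BER/DER and PEM entries above describe formats rather than show them, so here is an added example (not code from this wiki) that wraps and unwraps PEM and parses DER tag-length-value records with the strictness DER demands: it rejects the indefinite-length and non-minimal encodings that BER permits. It uses only the Python standard library; the sample bytes are constructed for the example and are not a real certificate.

```python
"""Strict DER parsing plus PEM wrapping, using only the Python standard library.
Added example for this glossary, not code from the wiki; all sample bytes are constructed."""
import base64
import re

# Constructed sample: DER for SEQUENCE { INTEGER 65537, UTF8String "leaf" }
SAMPLE_DER = bytes.fromhex("300b02030100010c046c656166")
# The same data in two BER-only encodings that a strict DER parser must reject:
BER_INDEFINITE_LENGTH = bytes.fromhex("308002030100010c046c6561660000")  # length 0x80 + end-of-contents
BER_LONG_FORM_LENGTH = bytes.fromhex("30810b02030100010c046c656166")     # 0x81 0x0b where 0x0b alone suffices


class DERError(ValueError):
    """Raised when bytes are not valid, canonical DER."""


def pem_encode(label, der):
    """Wrap DER bytes as PEM: base64, hard-wrapped at 64 columns, between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_decode(text):
    """Return (label, der_bytes) for the first PEM block found in text."""
    match = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if not match:
        raise ValueError("no PEM block found")
    return match.group(1), base64.b64decode("".join(match.group(2).split()), validate=True)


def _read_length(buf, pos):
    """Decode a DER length field; reject the BER forms that DER forbids."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    if first == 0x80:
        raise DERError("indefinite length is BER, not DER")
    count = first & 0x7F
    if count > 4 or pos + count > len(buf):
        raise DERError("length field too long or truncated")
    length_bytes = buf[pos:pos + count]
    if length_bytes[0] == 0:
        raise DERError("length has a leading zero byte (non-minimal)")
    length = int.from_bytes(length_bytes, "big")
    if length < 0x80:
        raise DERError("long-form length used where the short form fits (non-minimal)")
    return length, pos + count


def _decode_primitive(tag, value):
    if tag == 0x02:                       # INTEGER: two's complement, minimal number of bytes
        if not value or (len(value) > 1 and (
                (value[0] == 0x00 and not value[1] & 0x80) or
                (value[0] == 0xFF and value[1] & 0x80))):
            raise DERError("non-minimal or empty INTEGER")
        return int.from_bytes(value, "big", signed=True)
    if tag == 0x01:                       # BOOLEAN: DER allows only 0x00 and 0xFF
        if value not in (b"\x00", b"\xff"):
            raise DERError("non-canonical BOOLEAN")
        return value == b"\xff"
    if tag == 0x0C:                       # UTF8String
        return value.decode("utf-8")
    if tag in (0x13, 0x16):               # PrintableString, IA5String
        return value.decode("ascii")
    return value                          # other primitives (OIDs, OCTET STRING, ...) stay raw


def parse_der(buf, pos=0, end=None):
    """Parse a run of DER TLVs into [(tag, value)], recursing into constructed types."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise DERError("multi-byte tags are not supported in this example")
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise DERError("value runs past the end of its container")
        value = buf[pos:pos + length]
        if tag & 0x20:                    # constructed bit set: SEQUENCE, SET, ...
            items.append((tag, parse_der(buf, pos, pos + length)))
        else:
            items.append((tag, _decode_primitive(tag, value)))
        pos += length
    return items


def is_strict_der(buf):
    """True only if buf is a single, complete, canonical DER encoding."""
    try:
        return len(parse_der(buf)) == 1
    except DERError:
        return False


def parse_pem(text):
    """PEM text -> (label, parsed ASN.1 structure)."""
    label, der = pem_decode(text)
    return label, parse_der(der)
```

The reason a verifier insists on DER rather than BER is visible in `_read_length`: several BER byte strings decode to the same value, so a signature computed over one of them would not match the others. Running `parse_der` on a real certificate's DER bytes will walk the whole X.509 structure, but it returns untyped tags; mapping those onto the X.509 schema is what a full library does on top of this.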
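The Key-Pair, Private/Public Key, Signature, Self-Signed Certificate, Certificate Chain and Certificate Verification entries all describe one mechanism, so here is a single added example (not code from this wiki) that ties them together: it generates key-pairs, signs and verifies with the private and public halves, issues certificates, and walks a chain from a leaf back to a trusted root while checking expiry, revocation and each link's signature. It uses textbook (unpadded) RSA over a SHA-256 digest with toy 160-bit primes and a JSON certificate body in place of X.509/DER; all of that is constructed to keep the trust logic visible and is not usable as real cryptography.

```python
"""Key pairs, signatures and certificate-chain verification with textbook RSA. Added example,
not wiki code; everything is constructed: toy 160-bit primes, unpadded RSA over a SHA-256 digest,
and a JSON certificate body standing in for X.509/DER. Illustrates the trust logic, not real crypto."""
import hashlib
import json
import math
import random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (candidates are already odd)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(rng, bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(rng, bits=160):
    """Key-pair: the public (n, e) and private (n, d) halves are generated as a unit."""
    e = 65537
    while True:
        p, q = _random_prime(rng, bits), _random_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def sign(private_key, data):
    """Only the private key can produce this value, and it is bound to exactly this data.
    The 256-bit digest is always below n (~320 bits), so textbook RSA round-trips it."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, private_key["d"], private_key["n"])

def verify(public_key, data, signature):
    """The matching public key confirms the signature came from that key over that data."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public_key["e"], public_key["n"]) == digest

def canonical(body):
    """Deterministic bytes for signing, the job DER does for real certificates."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv, not_after, serial):
    """The issuer asserts 'subject holds this public key' by signing the body with its private key."""
    body = {"subject": subject, "issuer": issuer, "public_key": subject_pub, "not_after": not_after, "serial": serial}
    return {"body": body, "signature": sign(issuer_priv, canonical(body))}

def verify_chain(leaf, pool, trust_store, revoked, now, max_depth=8):
    """Follow issuer links from the leaf until a key in trust_store (root subject -> public key)
    verifies the last link. pool maps subject -> cert; revoked is a set of serials; years are ints."""
    cert, chain = leaf, []
    for _ in range(max_depth):
        body = cert["body"]
        chain.append(body["subject"])
        if now > body["not_after"] or body["serial"] in revoked:
            return False, f"{body['subject']}: expired or revoked"
        if body["issuer"] in trust_store:                          # reached a trusted root
            if verify(trust_store[body["issuer"]], canonical(body), cert["signature"]):
                return True, chain + [body["issuer"]]
            return False, f"{body['subject']}: bad signature"
        if body["issuer"] == body["subject"]:
            return False, f"{body['subject']}: self-signed and not in the trust store"
        issuer = pool.get(body["issuer"])
        if issuer is None or not verify(issuer["body"]["public_key"], canonical(body), cert["signature"]):
            return False, f"{body['subject']}: unknown issuer or bad signature"
        cert = issuer                                              # climb one link up the chain
    return False, "chain too long"

def demo():
    """Constructed PKI: Example Root -> Example CA -> www.example.com, plus an untrusted rogue root."""
    rng = random.Random(2020)                                      # fixed seed so keys are repeatable
    root_pub, root_priv = generate_keypair(rng)
    ca_pub, ca_priv = generate_keypair(rng)
    leaf_pub, _ = generate_keypair(rng)
    rogue_pub, rogue_priv = generate_keypair(rng)
    root = issue_cert("Example Root", root_pub, "Example Root", root_priv, 2040, 1)      # self-signed, trusted
    ca = issue_cert("Example CA", ca_pub, "Example Root", root_priv, 2035, 2)
    leaf = issue_cert("www.example.com", leaf_pub, "Example CA", ca_priv, 2025, 3)
    rogue_root = issue_cert("Rogue Root", rogue_pub, "Rogue Root", rogue_priv, 2040, 4)   # self-signed, untrusted
    rogue_leaf = issue_cert("www.example.com", leaf_pub, "Rogue Root", rogue_priv, 2025, 5)
    pool, trust = {c["body"]["subject"]: c for c in (root, ca, rogue_root)}, {"Example Root": root_pub}
    return {
        "valid": verify_chain(leaf, pool, trust, set(), 2023)[0],
        "expired": verify_chain(leaf, pool, trust, set(), 2026)[0],
        "revoked_intermediate": verify_chain(leaf, pool, trust, {2}, 2023)[0],
        "rogue_root": verify_chain(rogue_leaf, pool, trust, set(), 2023)[0],
        "signature_roundtrip": verify(ca_pub, b"hello", sign(ca_priv, b"hello")),
        "signature_wrong_data": verify(ca_pub, b"hellO", sign(ca_priv, b"hello")),
    }
```

`demo()` exercises the glossary's points: the chain leaf -> Example CA -> Example Root verifies because the walk ends at a key in the trust store; the same leaf fails once it has expired or once its intermediate is revoked; and a leaf for the same name issued under "Rogue Root" fails because that root is self-signed but nobody chose to trust it, which is exactly the decision the Self-Signed Certificate entry says you have to make yourself.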