Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. While in theory it has 168 bits of security, the practical security it provides is only 112 bits. To make things worse, there are known attacks against it, so that effectively it compares to about 80 bits of security. Do not use!
Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a symmetric-key algorithm for the encryption of electronic data established by a U.S. Government institution (NIST) in 2001. AES has been adopted by the U.S. government for top secret information and is used worldwide today. It supersedes the Data Encryption Standard (DES).
Advanced Encryption Standard Instruction Set
Advanced Encryption Standard Instruction Set (or AES-NI) is an extension of the x86 CPU architecture from Intel and AMD. It accelerates data encryption and decryption if the Advanced Encryption Standard (AES) is used by an application.
DNS zone transfer
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. A zone transfer uses TCP for transport, and takes the form of a client–server transaction. The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. The portion of the database that is replicated is a zone. Avoid if possible and use other more secure replication methods. See also What are zone transfers? from Daniel Bernstein.
Bayesian Filter
Bayesian Filtering
Bayesian Spam Filter
A Bayesian spam filter (after Rev. Thomas Bayes) is a statistical technique of e-mail filtering. In its basic form, it makes use of a naive Bayes classifier on bag of words features to identify spam e-mail, an approach commonly used in text classification.
Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention. Blowfish users are encouraged by Bruce Schneier, Blowfish’s creator, to use the more modern and computationally efficient alternative Twofish.
Cipher Suite
A cipher suite is a standardized collection of key exchange algorithms, encryption algorithms (ciphers) and message authentication code (MAC) algorithms that provide authenticated encryption schemes. For more information see [KAea14b].
Composer is a tool for dependency management in PHP. It allows a developer to declare the dependent libraries a project needs and it will install them alongside the project.
Cryptographic Hash Function
A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. Such functions are used for digital signatures, message authentication codes (MAC), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values. Some widely used ones are MD5, SHA-1 and SHA-256.
In cryptography, Curve25519 is an elliptic curve offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest ECC curves and is not covered by any known patents. Curve25519 was first released by Daniel J. Bernstein in 2005, but interest increased considerably after 2013 when it was discovered that the NSA had implemented a backdoor into Dual EC DRBG. While not directly related, suspicious aspects of the NIST P curves led to concerns that the NSA had chosen values that gave them an advantage in factoring public keys.
Long-running programs, usually running in the background and providing services for other programs and/or clients on other systems connected by a network. Daemons are typically started automatically on system boot and run on their own, without any user interaction.
DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC). It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA).
Data Encryption Standard
The Data Encryption Standard (DES) is a previously predominant symmetric-key algorithm for the encryption of electronic data. It is now considered to be insecure. This is chiefly due to the 56-bit key size being too small; in January, 1999, and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes. The cipher has been superseded by the Advanced Encryption Standard (AES) and has been withdrawn as a standard. DES was developed in the early 1970s at IBM. Do not use!
Diffie-Hellman key exchange
Diffie–Hellman key exchange (DH) is a specific method of exchanging cryptographic keys. The method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. YouTube has a great video that explains it in 5 minutes.
DH Parameters
DH parameters are pre-generated large prime numbers, which accelerate the generation of session keys while using Diffie-Hellman key exchange. Finding and evaluating such prime numbers takes a long time (up to several minutes). Using pre-generated values allows session keys to be established during the initial handshake and periodic renewals without any noticeable delay.
Digital Fingerprint
See Cryptographic Hash Function.
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Digital Signature Algorithm

The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. In August 1991 the National Institute of Standards and Technology (NIST) proposed DSA for use in their Digital Signature Standard (DSS) and adopted it in 1994 in its FIPS standards specification. Four revisions to the initial specification have been released in 1996, 2000, 2009 and in 2013.

DSA is covered by a U.S. Patent and attributed to a former NSA employee. The patent was given to the United States, and NIST has made it available worldwide royalty-free. DSA is a variant of the ElGamal signature scheme.

Dual Elliptic Curve Deterministic Random Bit Generator
Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is an algorithm that was presented as a cryptographically secure pseudorandom number generator (CSPRNG) using methods in elliptic curve cryptography. Despite wide public criticism, including a potential backdoor, for seven years it was one of the four (now three) CSPRNGs standardized in NIST SP 800-90A as originally published circa June 2006, until withdrawn in 2014.
Elliptic-Curve Cryptography
Elliptic Curve Cryptography
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.[1]
Elliptic curve Diffie–Hellman
Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or better yet, to derive another key which can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie-Hellman key exchange using elliptic curve cryptography.
Elliptic Curve Digital Signature Algorithm
In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography.
In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public domain software.
Extended SMTP (ESMTP) includes additions made to SMTP which were defined in 2008 in RFC 5321. It is in widespread use today. Like SMTP, ESMTP uses TCP port 25.
Filter Bubble
A filter bubble is a result of a personalized search in which a website algorithm selectively guesses what information a user would like to see based on information about the user (such as location, past click behavior and search history) and, as a result, users become separated from information that disagrees with their viewpoints, effectively isolating them in their own cultural or ideological bubbles. The term was coined by internet activist Eli Pariser in his book by the same name [ARNea]. The bubble effect may have negative implications for civic discourse, according to Pariser, but there are contrasting views suggesting the effect is minimal and addressable.

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the US Government through its National Institute of Standards and Technology (NIST) for use in computer systems by non-military government agencies and government contractors.

FIPS standards are issued to establish requirements for various purposes such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).

These include amongst others, encryption standards, such as the Digital Signature Algorithm (DSA), Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).

Firmware is essentially software that is very closely tied to specific hardware, and unlikely to need frequent updates. It is typically stored in non-volatile memory chips such as ROM, EPROM, or flash memory. Since it can only be updated or replaced by special procedures designed by the hardware manufacturer, it is somewhat on the boundary between hardware and software; thus the name “firmware”.
Forward Secrecy
Perfect Forward Secrecy
In cryptography, forward secrecy is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys (like the server's private key) is compromised in the future. Usually either Diffie-Hellman key exchange or Elliptic curve Diffie–Hellman is used to create and exchange session keys.
Hash Function
HTTP Public Key Pinning
HTTP Public Key Pinning (HPKP) is a security mechanism introduced in 2015 with RFC 7469 and delivered via an HTTP header, which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. In order to do so, it delivers a set of public keys to the client (browser), which should be the only ones trusted for connections to this domain. In practice it was never widely adopted. For website owners it is difficult and risky to maintain. Therefore Google announced in October 2017 that it would deprecate and later remove the HPKP feature from the Chrome browser.
Internet Engineering Task Force
Internet Message Access Protocol (IMAP) is a protocol for email retrieval and storage by the MUA from the MAS. It was developed as an alternative to POP. IMAP, unlike POP, specifically allows multiple clients to be simultaneously connected to the same mailbox, and through flags stored on the server, different clients accessing the same mailbox at the same or different times can detect state changes made by other clients. The IMAP protocol uses TCP port 143 and TCP port 993 for SSL secured IMAPS connections.
The key-signing key (KSK) is the cryptographic key pair used in DNSSEC to sign zone-signing keys (ZSK). The KSK public key is signed by the parent and published as a delegation-signing (DS) record in the parent zone. The child zone publishes the public part of the KSK as DNSKEY in its own zone.
Link Aggregation Control Protocol
Local Delivery Agent
The software program in charge of delivering mail messages to their final destination on the local system, usually a user's mailbox, after it receives a message from the MTA.
The Local Mail Transfer Protocol is a derivative of ESMTP, the extension of the Simple Mail Transfer Protocol. It is defined in RFC 2033.
Mail Access Server
Mail Delivery Agent
Another name for LDA or Local Delivery Agent.
Message Submission Agent
The software program in charge of receiving mail messages from the MUA using the Submission protocol. The MSA runs as a daemon.
Mail Transfer Agent
SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
Message User Agent
The software program in charge of retrieving messages from a user's mailbox on a MAS or Mail Access Server, usually using either IMAP or POP3 protocols. The MUA might also submit mail messages to the MSA or Message Submission Agent using the Submission protocol. MUAs are commonly known as mail clients. Known MUA software product examples are Microsoft Outlook or Mozilla Thunderbird.
DNS record for “Mail Exchanger”, informing the sending system which hosts are responsible for receiving mail for a domain over SMTP.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. In 2013 the newspapers Guardian and New York Times reported that NIST allowed the National Security Agency (NSA) to insert a cryptographically secure pseudorandom number generator called Dual EC DRBG into NIST standard SP 800-90 that had a kleptographic backdoor that the NSA can use to covertly predict the future outputs of this pseudorandom number generator thereby allowing the surreptitious decryption of data.
NIST P curves
NIST P-224
NIST P-256
NIST P-384

According to Bernstein and Lange, many of the efficiency-related decisions in NIST FIPS 186-2 are sub-optimal. Other curves are more secure and run just as fast.

In 2014 Daniel J. Bernstein and Tanja Lange claimed that most real-world implementations of elliptic-curve cryptography are not to be considered safe. Amongst many others they also criticize the NIST curves. Use only if no better alternative, such as Curve25519, is available.

National Security Agency
Open Publication Distribution System
The Open Publication Distribution System (OPDS) is a way for electronic book reading devices to access catalogs of books and download the books themselves from a web server. Its specification is prepared by an informal grouping of partners, combining Internet Archive, O’Reilly Media, Feedbooks, OLPC, and others.
Privacy Enhanced Mail (PEM) is a 1993 IETF proposal for securing email using public-key cryptography. Although PEM became an IETF proposed standard it was never widely deployed or used.
PEM Encoded
PEM File Format
Base64 encoded binary data, often used to store X.509 certificates and keys, usually enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” strings.
The Post Office Protocol (POP) is an Internet protocol used by mail clients to retrieve mail from remote servers over a TCP/IP connection. POP has been developed through several versions, with version 3 (POP3) being the current standard.
Rainbow Table
RC4 is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. As of 2013, there is speculation that some state cryptologic agencies may possess the capability to break RC4 even when used in the TLS protocol. RC4 should be disabled and avoided wherever possible!
A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet.
Read-Only Memory
Read-only memory (ROM) is a class of storage medium used in computers and other electronic devices. Data stored in ROM can only be modified slowly, with difficulty, or not at all, so it is mainly used to distribute firmware.
RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. YouTube has this video that explains it in 16 minutes.
In cryptography, a salt is random data that is used as an additional input to a cryptographic hash function on a password or passphrase. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication while defending against compromise of the plaintext password in the event that the database is somehow compromised. Cryptographic salts are broadly used in many modern computer systems, from Unix system credentials to Internet security.
SHA-1 is a cryptographic hash function designed by the NSA and is a U.S. Government Standard published by the United States NIST in 1995. SHA stands for “secure hash algorithm”. In 2005, analysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use. The U.S., German and other governments are required to move to SHA-2 after 2010 because of the weakness. Windows will stop accepting SHA-1 certificates by 2017. However, a large part of today's commercial certificate authorities still only issue SHA-1 signed certificates. Avoid where possible!
SHA-2 is a cryptographic hash function published in 2001 by the US government (NSA & NIST) that is significantly different from SHA-1. SHA-2 currently consists of a set of six hash functions with digests that are 224, 256, 384 or 512 bits.
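The store-and-verify cycle described in the salt entry, as an added example that is not part of the original glossary. It swaps the plain "concatenate and hash" step for PBKDF2-HMAC-SHA256 from the Python standard library, which takes the salt as a separate input; the iteration count, the sample passwords and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000   # assumed work factor for this example
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for each new password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def precompute(wordlist: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """Model of a pre-computed table: digest -> candidate, valid for ONE salt only."""
    return {hash_password(word, salt)[1]: word for word in wordlist}


if __name__ == "__main__":
    # Constructed sample data: two accounts that happen to share a password.
    alice_salt, alice_digest = hash_password("hunter2")
    bob_salt, bob_digest = hash_password("hunter2")

    # Same password, different salts, so the stored values differ.
    print("digests equal:", alice_digest == bob_digest)

    # Authentication only needs the stored salt and digest, never the plaintext.
    print("correct password:", verify_password("hunter2", alice_salt, alice_digest))
    print("wrong password:  ", verify_password("hunter3", alice_salt, alice_digest))

    # A table computed for one salt does not match an entry that uses another,
    # so pre-computation has to be repeated for every stored password.
    table = precompute(["123456", "hunter2"], alice_salt)
    print("hit on alice:", table.get(alice_digest))
    print("hit on bob:  ", table.get(bob_digest))
```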
Sieve is a programming language that can be used to create filters for email. Sieve’s base specification is outlined in RFC 5228.
Smart card
Chip card
Integrated Circuit Card
A pocket-sized plastic card with embedded integrated circuits. Smart cards can provide identification, authentication, data storage and application processing. See the Wikipedia article for many possible usage scenarios.
The Simple Mail Transfer Protocol (SMTP) is the protocol used by an MTA to transmit mail between Internet domains. First defined by RFC 821 in 1982, it was last updated in 2008 as ESMTP. SMTP by default uses TCP port 25. SMTP connections secured by SSL, known as SMTPS, default to TCP port 465.
Simple Mail Transfer Protocol Secure was a way to provide SSL secured SMTP connections on TCP port 465. SMTPS has been revoked in favor of Submission in 1998 and today TCP port 465 is reserved for other purposes. Nonetheless many mail service providers still provide this service on port 465 today.
Opportunistic TLS
Opportunistic TLS (Transport Layer Security) refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Several protocols use a command named “STARTTLS” for this purpose. It is primarily intended as a countermeasure to passive monitoring. The STARTTLS command for IMAP and POP3 is defined in RFC 2595, for SMTP in RFC 3207, for XMPP in RFC 6120 and for NNTP in RFC 4642. For IRC, the IRCv3 Working Group has defined the STARTTLS extension. FTP uses the command “AUTH TLS” defined in RFC 4217 and LDAP defines a protocol extension OID in RFC 2830. HTTP uses the Upgrade header.
Stock ROM
Original firmware of a device as supplied by the manufacturer on a programmable ROM. The term is mostly used in the context where a third party provides alternative firmware which may enhance or otherwise change the functionality of a device, beyond the intentions of its original manufacturer.
Message Submission for Mail is a protocol defined in RFC 6409 and used by mail clients (MSA, MUA) to submit electronic mail for further delivery on the internet. It is essentially SMTP, but with mandatory TLS encryption and user authentication added and running on TCP port 587.
“Too Long; Didn’t Read”.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication.
A TLSA DNS record publishes information on certificates used by a TLS-secured server. Clients (e.g. web browsers) can verify the TLS certificate of a server by checking the TLSA DNS record instead of, or in addition to, checking whether the certificate is signed by a trusted certificate authority. TLSA is part of the DANE specification. Domains publishing TLSA records must be secured by DNSSEC.

Trust on first use (TOFU), or trust upon first use (TUFU), is a security model used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look up the identifier, usually some kind of public key, in its local trust database. If no identifier exists yet for the endpoint, the client software will either prompt the user to determine if the client should trust the identifier or it will simply trust the identifier which was given and record the trust relationship into its trust database. If a different identifier is received in subsequent connections to the endpoint the client software will consider it to be untrusted.

The TOFU approach can be used when connecting to arbitrary or unknown endpoints which do not have a trusted third party such as a certificate authority. For example, the SSH protocol is designed to issue a prompt the first time the client connects to an unknown or not-yet-trusted endpoint. Other implementations of TOFU can be found in HTTP Public Key Pinning, in which browsers will always accept the first public key returned by the server, and in HTTP Strict Transport Security, in which browsers will obey the redirection rule for the duration of the ‘age’ directive.
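The lookup, record and compare logic of the TOFU model described above, as an added example that is not part of the original glossary. The class and function names, the SHA-256 fingerprint as the stored identifier, and the sample endpoint and key bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum
from typing import Callable, Dict, Optional


class Verdict(Enum):
    FIRST_USE = "first_use"   # no pin existed; identifier recorded
    MATCH = "match"           # identifier equals the recorded pin
    MISMATCH = "mismatch"     # identifier differs from the pin: untrusted
    REJECTED = "rejected"     # user declined to trust on first contact


def fingerprint(public_key: bytes) -> str:
    """Identifier stored in the trust database (SHA-256 of the key bytes)."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """In-memory trust database mapping endpoint -> pinned fingerprint."""

    def __init__(self, confirm: Optional[Callable[[str, str], bool]] = None):
        # confirm(endpoint, fingerprint) models the user prompt; None means
        # "simply trust the identifier which was given".
        self._pins: Dict[str, str] = {}
        self._confirm = confirm

    def check(self, endpoint: str, public_key: bytes) -> Verdict:
        seen = fingerprint(public_key)
        pinned = self._pins.get(endpoint)
        if pinned is None:
            if self._confirm is not None and not self._confirm(endpoint, seen):
                return Verdict.REJECTED          # nothing is recorded
            self._pins[endpoint] = seen
            return Verdict.FIRST_USE
        if hmac.compare_digest(pinned, seen):
            return Verdict.MATCH
        # A changed identifier is never silently accepted and the pin is kept.
        return Verdict.MISMATCH


# Constructed sample identifiers standing in for real public keys.
KEY_A = b"constructed-sample-public-key-A"
KEY_B = b"constructed-sample-public-key-B"

if __name__ == "__main__":
    store = TofuStore()
    for key in (KEY_A, KEY_A, KEY_B, KEY_A):
        print(store.check("host.example:22", key).value)
```

The weak point of the model is visible in the first call: whatever identifier arrives first is the one that gets pinned, so the first connection has to happen over a path the user trusts or be confirmed out of band.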

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
Extensible Messaging and Presence Protocol (XMPP) is a communications protocol for message-oriented middleware based on XML (Extensible Markup Language). The protocol was originally named Jabber and was developed by the Jabber open-source community in 1999 for near real-time, instant messaging (IM), presence information, and contact list maintenance.