:orphan:

Glossary
========

.. glossary::
    :sorted:

    3DES

        `Triple DES (3DES) <https://en.wikipedia.org/wiki/3DES>`_ is the common
        name for the Triple Data Encryption Algorithm (TDEA or Triple DEA)
        symmetric-key block cipher, which applies the Data Encryption Standard
        (DES) cipher algorithm three times to each data block. While in theory
        it has 168 bits of security, the practical security it provides is only
        112 bits. To make things worse, there are known attacks against it, so
        that it effectively offers only about 80 bits of security.
        **Do not use!**


    802.11
    IEEE 802.11

        `IEEE 802.11 <https://en.wikipedia.org/wiki/IEEE_802.11>`_ is a set of
        :term:`Media Access Control` (MAC) and physical layer (PHY) specifications for
        implementing wireless local area network (WLAN) computer communication in the
        900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands. They are the world's most
        widely used wireless computer networking standards, used in most home and
        office networks to allow laptops, printers, and smartphones to talk to each
        other and access the Internet without connecting wires. They are created and
        maintained by the :term:`Institute of Electrical and Electronics Engineers`
        (IEEE) LAN/MAN Standards Committee (IEEE 802). The base version of the
        standard was released in 1997, and has had subsequent amendments. The standard
        and amendments provide the basis for wireless network products using the Wi-Fi
        brand. While each amendment is officially revoked when it is incorporated in
        the latest version of the standard, the corporate world tends to market to the
        revisions because they concisely denote capabilities of their products. As a
        result, in the marketplace, each revision tends to become its own standard.

        See also :term:`802.11a`, :term:`802.11b`, :term:`802.11g`, :term:`802.11n`,
        :term:`802.11ac`, :term:`802.11ax`.

    802.11a
        TBD


    802.11ac
    IEEE 802.11ac

        `IEEE 802.11ac <https://en.wikipedia.org/wiki/IEEE_802.11ac>`_ is a wireless
        networking standard in the :term:`802.11` family (which is marketed under the
        brand name :term:`Wi-Fi`), developed in the :term:`IEEE` Standards
        Association, providing high-throughput wireless local area networks
        (:term:`WLAN`) on the 5 GHz band. The standard was developed from 2008
        through 2013 and published in December 2013.

        The specification has multi-station throughput of at least **1 Gbit/s** and
        single-link throughput of at least **500 Mbit/s**. This is accomplished by
        extending the air-interface concepts embraced by :term:`802.11n`: wider RF
        bandwidth (up to 160 MHz), more :term:`MIMO` spatial streams (up to eight),
        downlink multi-user MIMO (up to four clients), and high-density modulation (up
        to 256-:term:`QAM`).

        The first 802.11ac products from 2013 are referred to as **Wave 1**, and the
        newer higher bandwidth products introduced in 2016 are referred to as **Wave
        2**.


    802.11ax
    IEEE 802.11ax

        `IEEE 802.11ax <https://en.wikipedia.org/wiki/IEEE_802.11ax>`_ is a type of
        WLAN in the :term:`IEEE 802.11` set of types of :term:`WLAN`. IEEE 802.11ax is
        designed to operate in the already existing 2.4 GHz and 5 GHz spectrums. In
        addition to utilizing :term:`MIMO` and :term:`MU-MIMO`, the new amendment
        introduces :term:`OFDMA` to improve overall spectral efficiency, and higher
        order 1024 :term:`QAM` modulation support for increased throughput. Though the
        nominal data rate is just 37% higher than :term:`IEEE 802.11ac`, the new
        amendment is expected to achieve a 4x increase to user throughput—due to more
        efficient spectrum utilization.

        IEEE 802.11ax is due to be publicly released sometime in 2019. Devices were
        presented at CES 2018 that showed a top speed of **11 Gbps**.


    802.11b
    IEEE 802.11b

        `IEEE 802.11b-1999 <https://en.wikipedia.org/wiki/IEEE_802.11b-1999>`_ or
        802.11b, is an amendment to the :term:`IEEE 802.11` wireless networking
        specification that extends throughput up to **11 Mbit/s** using the same
        2.4 GHz band. A related amendment was incorporated into the IEEE 802.11-2007
        standard.


    802.11e
    IEEE 802.11e

        See also :term:`WMM`.

        `IEEE 802.11e-2005 <https://en.wikipedia.org/wiki/IEEE_802.11e-2005>`_
        or 802.11e is an approved amendment to the :term:`IEEE 802.11` standard
        that defines a set of :term:`Quality of Service` (QoS) enhancements for
        wireless LAN applications through modifications to the :term:`Media
        Access Control` (MAC) layer. The standard is considered of critical
        importance for delay-sensitive applications, such as :term:`Voice over
        Wireless LAN` and streaming multimedia. The amendment has been
        incorporated into the published IEEE 802.11-2007 standard.


    802.11g
    IEEE 802.11g

        `IEEE 802.11g-2003 <https://en.wikipedia.org/wiki/IEEE_802.11g-2003>`_ or
        802.11g is an amendment to the :term:`IEEE 802.11` specification that extended
        throughput to up to **54 Mbit/s** using the same 2.4 GHz band as
        :term:`802.11b`. This specification under the marketing name of :term:`Wi-Fi`
        has been implemented all over the world. The 802.11g protocol is now Clause 19
        of the published IEEE 802.11-2007 standard, and Clause 19 of the published
        IEEE 802.11-2012 standard.


    802.11n
    IEEE 802.11n

        `IEEE 802.11n-2009 <https://en.wikipedia.org/wiki/IEEE_802.11n-2009>`_,
        commonly shortened to 802.11n, is a wireless-networking standard that
        uses multiple antennas to increase data rates. Sometimes referred to
        as MIMO, which stands for "multiple input and multiple output", it is
        an amendment to the IEEE 802.11-2007 wireless-networking standard. Its
        purpose is to improve network throughput over the two previous
        standards — :term:`802.11a` and :term:`802.11g` — with a significant
        increase in the maximum net data rate from 54 Mbit/s to **600 Mbit/s**
        (slightly higher gross bit rate including for example error-correction
        codes, and slightly lower maximum throughput) with the use of four
        spatial streams at a channel width of 40 MHz. 802.11n standardized
        support for multiple-input multiple-output, frame aggregation, and
        security improvements, among other features. It can be used in the 2.4
        GHz or 5 GHz frequency bands.

        Development of 802.11n began in 2002, seven years before publication.
        The 802.11n protocol is now Clause 20 of the published IEEE
        :term:`802.11`-2012 standard.


    802.11w
    Management Frame Protection
    MFP

        `IEEE 802.11w-2009 <https://en.wikipedia.org/wiki/IEEE_802.11w-2009>`_ is an
        approved amendment to the :term:`IEEE 802.11` standard to increase the
        security of its management frames.


    802.3ad

        See :term:`LACP`.

    ACME
    Automated Certificate Management Environment
        The
        `Automated Certificate Management Environment <https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment#API_version_2>`_
        (ACME) protocol is a communications protocol for automating interactions
        between certificate authorities and their users' web servers, allowing
        the automated deployment of public key infrastructure at very low
        cost. It was designed by the Internet Security Research Group
        (ISRG) for their Let's Encrypt service.

        The protocol, based on passing JSON-formatted messages over HTTPS, has
        been published as an Internet Standard in :rfc:`8555` by its own
        chartered :term:`IETF` working group.


    AES
    Advanced Encryption Standard

        `The Advanced Encryption Standard (AES)
        <https://en.wikipedia.org/wiki/Advanced_Encryption_Standard>`_ is a
        symmetric-key algorithm for the encryption of electronic data
        established by a U.S. Government institution (:term:`NIST`) in 2001.
        AES has been adopted by the U.S. government for top secret information
        and is used worldwide today. It supersedes the
        :term:`Data Encryption Standard` (DES).


    AES-NI
    Advanced Encryption Standard Instruction Set

        `Advanced Encryption Standard Instruction Set (or AES-NI)
        <https://en.wikipedia.org/wiki/AES_instruction_set>`_ is an extension of
        the x86 CPU architecture from Intel and AMD. It accelerates data
        encryption and decryption if the :term:`Advanced Encryption Standard`
        (AES) is used by an application.


    AMD Platform Security Processor
    AMD PSP
    AMD Secure Technology
    PSP

        The `AMD Platform Security Processor <https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor>`_
        (PSP), officially known as AMD Secure Technology, is a trusted
        execution environment subsystem incorporated **since about 2013** into
        all AMD microprocessors. According to an AMD developer's guide, the
        subsystem is "responsible for creating, monitoring and maintaining the
        security environment" and "its functions include managing the boot
        process, initializing various security related mechanisms, and
        monitoring the system for any suspicious activity or events and
        implementing an appropriate response." Critics worry it can be used as
        a backdoor and is a security concern.

        AMD has denied requests to open source the code that runs on the PSP.

        The PSP is similar to the :term:`Intel Management Engine` for Intel
        processors.


    Authenticated Received Chain
    ARC

        `Authenticated Received Chain <https://en.wikipedia.org/wiki/Authenticated_Received_Chain>`_
        (ARC) is an email authentication system designed to allow an
        intermediate mail server like a mailing list or forwarding service to
        sign an email's original authentication results. This allows a receiving
        service to validate an email when the email's :term:`SPF` and
        :term:`DKIM` records are rendered invalid by an intermediate server's
        processing.

        ARC is currently an Internet Draft with the IETF.

        :term:`DMARC` allows a sender's domain to indicate that their emails are
        protected by SPF and/or DKIM, and tells a receiving service what to do
        if neither of those authentication methods passes - such as to reject
        the message. However, a strict DMARC policy may block legitimate emails
        sent through a mailing list or forwarder, as the SPF check will fail due
        to the unapproved sender, and the DKIM signature will be invalidated if
        the message is modified, such as by adding a subject tag or footer.

        ARC helps solve this problem by giving intermediate servers a way to
        sign the original message's validation results. Even if the SPF and DKIM
        validation fail, the receiving service can choose to validate the ARC.
        If the ARC indicates that the original message passed the SPF and DKIM
        checks, and the only modifications were made by intermediaries trusted
        by the receiving service, the receiving service may choose to accept the
        email.


    AXFR
    DNS zone transfer

        `DNS zone transfer <https://en.wikipedia.org/wiki/DNS_zone_transfer>`_,
        also sometimes known by the inducing DNS query type AXFR, is a type of
        DNS transaction. A zone transfer uses TCP for transport, and takes the
        form of a client–server transaction. The client requesting a zone
        transfer may be a slave server or secondary server, requesting data from
        a master server, sometimes called a primary server. The portion of the
        database that is replicated is a zone. Avoid if possible and use other
        more secure replication methods. See also `What are zone transfers?
        <https://cr.yp.to/djbdns/tcp.html#intro-axfr>`_ from Daniel Bernstein.


    Bayesian Filter
    Bayesian Filtering
    Bayesian Spam Filter

        A `Bayesian spam filter
        <https://en.wikipedia.org/wiki/Bayesian_spam_filtering>`_ (after Rev.
        Thomas Bayes) is a statistical technique of e-mail filtering. In its
        basic form, it makes use of a naive Bayes classifier on bag of words
        features to identify spam e-mail, an approach commonly used in text
        classification.


    Beacon Broadcast interval
    Beacon Interval
        Beacon Broadcast interval is the time lag between each of the beacons
        sent by your router or access points. By definition, the lower the
        value, the smaller the time lag, which means that the beacon is sent
        more frequently. The higher the value, the bigger the time lag, which
        means that the beacon is broadcast less frequently.

        The beacon is needed for your devices or clients to receive information
        about the particular router. In this case the beacon includes some main
        information such as SSID, Timestamp, and various parameters.

        See `Beacon Interval Best Optimal Setting <https://routerguide.net/beacon-interval-best-optimal-setting-improve-wireless-speed/>`_


    Blowfish
        `Blowfish <https://en.wikipedia.org/wiki/Blowfish_(cipher)>`_ is a
        symmetric-key block cipher, designed in 1993 by Bruce Schneier and
        included in a large number of cipher suites and encryption products.
        Blowfish provides a good encryption rate in software and no effective
        cryptanalysis of it has been found to date. However, the :term:`Advanced
        Encryption Standard` (:term:`AES`) now receives more attention. Blowfish
        users are encouraged by Bruce Schneier, Blowfish's creator, to use the
        more modern and computationally efficient alternative :term:`Twofish`.


    BSSID
    Basic Service Set Identifier
        An infrastructure mode wireless network consists of one or more
        redistribution points — typically access points — together with one or
        more "client" stations that are associated with (i.e. connected to) that
        redistribution point.

        Each access point has its own unique identifier, a BSSID, which is a
        unique 48-bit identifier that follows :term:`MAC Address` conventions
        and is usually non-configurable.


    CA
    Certificate Authority
        TBD


    CCM mode Protocol
    CCMP
    Counter Mode CBC-MAC Protocol
    Counter Mode Cipher Block Chaining Message Authentication Code Protocol
        `CCMP <https://en.wikipedia.org/wiki/CCMP_(cryptography)>`_ is an
        encryption protocol designed for Wireless LAN products that implements
        the standards of the :term:`IEEE 802.11i` amendment to the original
        :term:`IEEE 802.11` standard. CCMP is an enhanced data cryptographic
        encapsulation mechanism designed for data confidentiality and based upon
        the Counter Mode with CBC-MAC (CCM mode) of the :term:`Advanced
        Encryption Standard` (AES) standard. It was created to address the
        vulnerabilities presented by :term:`Wired Equivalent Privacy` (WEP), a
        dated, insecure protocol.

        CCMP is the standard encryption protocol for use with the :term:`Wi-Fi
        Protected Access II` (WPA2) standard and is much more secure than the
        Wired Equivalent Privacy (WEP) protocol and :term:`Temporal Key
        Integrity Protocol` (TKIP) of :term:`Wi-Fi Protected Access` (WPA).


    Chip card
    ICC
    Integrated Circuit Card
    Smart card
    Smartcard

        A pocket-sized plastic card with embedded integrated circuits. Smart
        cards can provide identification, authentication, data storage and
        application processing. See the `Wikipedia article
        <https://en.wikipedia.org/wiki/Smart_card>`_ for many possible usage
        scenarios.


    Cipher Suite
        A cipher suite is a standardized collection of key exchange algorithms,
        encryption algorithms (ciphers) and message authentication code
        (:term:`MAC`) algorithms that together provide authenticated encryption
        schemes. For more information see [KAea14b]_.


    Composer

        `Composer <https://getcomposer.org/>`_ is a tool for dependency management in
        PHP. It allows a developer to declare the dependent libraries a project needs
        and it will install them alongside the project.


    Cryptographic Hash Function

        A `cryptographic hash function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>`_
        is a :term:`Hash Function` which is considered practically impossible to
        invert, that is, to recreate the input data from its hash value alone.
        They are used for digital signatures, Message Authentication Codes
        (:term:`MAC`), and other forms of authentication. They can also be used
        as ordinary hash functions, to index data in hash tables, for
        fingerprinting, to detect duplicate data or uniquely identify files, and
        as checksums to detect accidental data corruption. Cryptographic hash
        values are sometimes called (digital) fingerprints, checksums, or just
        hash values. Some widely used ones are: :term:`MD5`, :term:`SHA-1`,
        :term:`SHA-256`.


    Curve25519

        In cryptography, `Curve25519 <https://en.wikipedia.org/wiki/Curve25519>`_ is
        an elliptic curve offering 128 bits of security and designed for use with the
        :term:`Elliptic Curve Diffie–Hellman` (:term:`ECDH`) key agreement scheme. It
        is one of the fastest :term:`ECC` curves and is not covered by any known
        patents. Curve25519 was first released by Daniel J. Bernstein in 2005, but
        interest increased considerably after 2013 when it was discovered that the NSA
        had implemented a backdoor into :term:`Dual EC DRBG`. While not directly
        related, suspicious aspects of the :term:`NIST P curves` led to concerns that
        the NSA had chosen values that gave them an advantage in factoring public
        keys.


    Daemon

        Long-running programs usually running in the background and providing
        services for other programs and/or clients on other systems connected by
        a network. Daemons typically are started automatically on system boot
        and run on their own, without any user interaction.


    DANE
    DNS-based Authentication of Named Entities

        `DNS-based Authentication of Named Entities <https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities>`_
        (DANE) is a protocol to allow :term:`X.509` certificates, commonly used for
        :term:`Transport Layer Security` (:term:`TLS`), to be bound to :term:`DNS`
        names using :term:`Domain Name System Security Extensions` (:term:`DNSSEC`).
        It is proposed in :rfc:`6698` as a way to authenticate TLS client and server
        entities without a :term:`Certificate Authority` (CA).


    Data deduplication

        In computing,
        `data deduplication <https://en.wikipedia.org/wiki/Data_deduplication>`_
        is a technique for eliminating duplicate copies of repeating data,
        thereby dramatically reducing the required storage space. It can also be
        applied to network data transfers to reduce the number of bytes that
        must be transferred.

        The deduplication process cuts the data to be stored into equal sized
        'chunks'. These chunks are then compared to other chunks already stored
        earlier. Whenever a match occurs, the new chunk is replaced with a small
        reference that points to the already stored chunk, instead of storing it
        again. Given that the same byte pattern may occur dozens, hundreds, or
        even thousands of times (depending on the used chunk size), the amount
        of data that must be stored or transferred can be greatly reduced.


    Delegation-Signing
        TBD


    DES
    Data Encryption Standard

        The Data Encryption Standard (DES) is a previously predominant symmetric-key
        algorithm for the encryption of electronic data. It is now considered to be
        insecure. This is chiefly due to the 56-bit key size being too small; in
        January, 1999, distributed.net and the :term:`Electronic Frontier Foundation`
        collaborated to publicly break a DES key in 22 hours and 15 minutes. The
        cipher has been superseded by the :term:`Advanced Encryption Standard` (AES)
        and has been withdrawn as a standard. DES was developed in the early 1970s at
        IBM. **Do not use!**


    DH
    Diffie-Hellman Key Exchange

        `Diffie–Hellman key exchange (DH) <https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange>`_
        is a specific method of exchanging cryptographic keys.
        The method allows two parties that have no prior knowledge of each other to
        jointly establish a shared secret key over an insecure communications channel.
        This key can then be used to encrypt subsequent communications using a
        symmetric key cipher. YouTube has a `great video
        <https://www.youtube.com/watch?v=3QnD2c4Xovk>`_ that explains it in 5 minutes.


    DH Parameters
        DH parameters are pre-generated large prime numbers, which accelerate
        the generation of session keys while using :term:`Diffie-Hellman Key
        Exchange`. Finding and evaluating such prime numbers takes a long time
        (up to several minutes). Using pre-generated values allows session keys
        to be established during the initial handshake and periodic renewals
        without any noticeable delay.

    Diceware
        `Diceware <https://en.wikipedia.org/wiki/Diceware>`_ is a method for
        creating passphrases, passwords, and other cryptographic variables using
        ordinary dice as a hardware random number generator. For each word in
        the passphrase, five rolls of the dice are required. The numbers from 1
        to 6 that come up in the rolls are assembled as a five-digit number,
        e.g. 43146. That number is then used to look up a word in a word list.
        In the English list 43146 corresponds to munch. By generating several
        words in sequence, a lengthy passphrase can be constructed.

        A Diceware word list is any list of 6^5 = 7,776 unique words, preferably
        ones the user will find easy to spell and to remember. The contents of
        the word list do not have to be protected or concealed in any way, as
        the security of a Diceware passphrase is in the number of words
        selected, and the number of words each selected word could be taken
        from. Lists have been compiled for several languages.

        See also the original
        `Diceware Passphrase Home Page <https://theworld.com/~reinhold/diceware.html>`_
        or the `urown.net Diceware <https://diceware.urown.net/#eff>`_
        installation.
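
The Diceware procedure described above, as an added example that is not part of the original glossary: it rolls five dice per word with a CSPRNG, validates that a word list really has 7,776 unique entries, and computes passphrase entropy. The placeholder word list is constructed for the example; the function names are this example's own.

```python
import itertools
import math
import secrets

LIST_SIZE = 6 ** 5  # 7,776 keys, from 11111 to 66666


def roll_key():
    """Five rolls of a six-sided die, assembled into a five-digit key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def parse_wordlist(text):
    """Parse 'KEY<whitespace>WORD' lines into a dict.

    Rejects lists that would silently weaken passphrases: malformed keys,
    duplicate keys or words, or fewer than 7,776 entries.
    """
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed line: {line!r}")
        key, word = parts
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"invalid dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate key: {key}")
        table[key] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("word list contains duplicate words")
    return table


def entropy_bits(n_words):
    """Entropy of a passphrase of n_words uniformly chosen words."""
    return n_words * math.log2(LIST_SIZE)


def words_needed(target_bits):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


def passphrase(table, n_words):
    """Pick n_words words, one fresh five-dice key per word."""
    return " ".join(table[roll_key()] for _ in range(n_words))


def constructed_wordlist():
    """Constructed placeholder list (not a real Diceware list)."""
    keys = ("".join(p) for p in itertools.product("123456", repeat=5))
    return "\n".join(f"{k}\tword{k}" for k in keys)


if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    print(passphrase(table, 6))
    print(f"{entropy_bits(6):.1f} bits; {words_needed(128)} words for 128 bits")
```
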

    Digital Fingerprint
        See :term:`Cryptographic Hash Function`.

    Distance Optimization
        A configuration option in wireless networks. The distance between the
        wireless access point and the furthest wireless client in meters.


    DKIM
    DomainKeys Identified Mail

        `DomainKeys Identified Mail <https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>`_
        (DKIM) is an email authentication method designed to detect forged sender
        addresses in emails (email spoofing), a technique often used in phishing
        and email spam.

        DKIM allows the receiver to check that an email claimed to have come
        from a specific domain was indeed authorized by the owner of that
        domain. It achieves this by affixing a digital signature, linked to a
        domain name, to each outgoing email message. The recipient system can
        verify this by looking up the sender's public key published in the DNS.
        A valid signature also guarantees that some parts of the email (possibly
        including attachments) have not been modified since the signature was
        affixed. Usually, DKIM signatures are not visible to end-users, and are
        affixed or verified by the infrastructure rather than the message's
        authors and recipients.

        DKIM is now an "Internet standard". It is defined in :rfc:`6376`, dated
        September 2011; with updates in :rfc:`8301` and :rfc:`8463`.


    DMARC
    Domain-based Message Authentication, Reporting and Conformance

        `DMARC <https://en.wikipedia.org/wiki/DMARC>`_ (Domain-based Message
        Authentication, Reporting and Conformance) is an email authentication
        protocol. It is designed to give email domain owners the ability to
        protect their domain from unauthorized use, commonly known as email
        spoofing. The purpose and primary outcome of implementing DMARC is to
        protect a domain from being used in business email compromise attacks,
        phishing emails, email scams and other cyber threat activities.

        Once the DMARC DNS entry is published, any receiving email server can
        authenticate the incoming email based on the instructions published by
        the domain owner within the DNS entry. If the email passes the
        authentication it will be delivered and can be trusted. If the email
        fails the check, depending on the instructions held within the DMARC
        record the email could be delivered, quarantined or rejected.

        DMARC extends two existing mechanisms, :term:`Sender Policy Framework`
        (SPF) and :term:`DomainKeys Identified Mail` (DKIM). It allows the
        administrative owner of a domain to publish a policy in their DNS
        records to specify which mechanism (DKIM, SPF or both) is employed when
        sending email from that domain; how to check the From: field presented
        to end users; how the receiver should deal with failures - and a
        reporting mechanism for actions performed under those policies.

        DMARC is defined in :rfc:`7489`, dated March 2015, as "Informational".
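
The DMARC decision described above, together with the mailing-list failure and the ARC override described under Authenticated Received Chain, as an added example that is not part of the original glossary. It takes SPF, DKIM and ARC results as inputs rather than verifying signatures, ignores the ``pct`` and ``sp`` tags, and uses a naive organizational-domain rule; the function names, the ``arc`` dictionary layout and all sample messages are constructed for the example.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= policy")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # ASSUMPTION: naive "last two labels" rule; a real receiver consults
    # the Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(from_domain, spf, dkim, policy):
    """spf is (result, envelope domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = any(
        res == "pass" and aligned(dom, from_domain, policy["adkim"])
        for res, dom in dkim
    )
    return spf_ok or dkim_ok


def disposition(from_domain, spf, dkim, policy, arc=None,
                trusted_sealers=frozenset()):
    """Return (action, reason) for one message."""
    if dmarc_pass(from_domain, spf, dkim, policy):
        return ("deliver", "dmarc-pass")
    if arc is not None:
        chain_ok = arc["cv"] == "pass"
        sealers_ok = bool(arc["sealers"]) and all(
            s in trusted_sealers for s in arc["sealers"])
        original = arc["original"]
        original_ok = (original.get("spf") == "pass"
                       and original.get("dkim") == "pass")
        if chain_ok and sealers_ok and original_ok:
            return ("deliver", "arc-override")
    action = {"none": "deliver", "quarantine": "quarantine",
              "reject": "reject"}[policy["p"]]
    return (action, "dmarc-fail")


# Constructed sample data: a strict policy and three views of one message.
POLICY = parse_dmarc(
    "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com")
DIRECT = {"spf": ("pass", "example.com"), "dkim": [("pass", "example.com")]}
# Forwarded by a list: SPF fails for the forwarder, the added footer
# invalidates the DKIM signature.
VIA_LIST = {"spf": ("fail", "example.com"), "dkim": [("fail", "example.com")]}
ARC_SET = {"cv": "pass", "sealers": ["lists.example.org"],
           "original": {"spf": "pass", "dkim": "pass"}}

if __name__ == "__main__":
    print(disposition("example.com", policy=POLICY, **DIRECT))
    print(disposition("example.com", policy=POLICY, **VIA_LIST))
    print(disposition("example.com", policy=POLICY, arc=ARC_SET,
                      trusted_sealers={"lists.example.org"}, **VIA_LIST))
```
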


    DNS
    Domain Name System
        TBD


    DNS Resolver

        The client side of the DNS is called a DNS resolver. A resolver is
        responsible for initiating and sequencing the queries that ultimately
        lead to a full resolution (translation) of the resource sought, e.g.,
        translation of a domain name into an IP address. DNS resolvers are
        classified by a variety of query methods, such as recursive,
        non-recursive, and iterative. A resolution process may use a combination
        of these methods.


    DNS-over-HTTPS
    DoH

        `DNS over HTTPS <https://en.wikipedia.org/wiki/DNS_over_HTTPS>`_ (DoH)
        is a protocol for performing remote Domain Name System (:term:`DNS`)
        resolution via the :term:`HTTPS` protocol. A goal of the method is to
        increase user privacy and security by preventing eavesdropping and
        manipulation of DNS data by man-in-the-middle attacks by using the
        HTTPS protocol to encrypt the data between the DoH client and the
        DoH-based DNS resolver. By March of 2018, Google and the Mozilla
        Foundation had started testing versions of DNS over HTTPS. In February
        2020, Firefox switched to DNS over HTTPS by default for users in the
        United States.

    DNS-over-TLS
    DoT

        `DNS over TLS <https://en.wikipedia.org/wiki/DNS_over_TLS>`_ (DoT) is a
        security protocol for encrypting and wrapping Domain Name System
        (:term:`DNS`) queries and answers via the
        :term:`Transport Layer Security` (:term:`TLS`) protocol. The goal of the
        method is to increase user privacy and security by preventing
        eavesdropping and manipulation of DNS data via man-in-the-middle
        attacks.

    DNSCrypt

        `DNSCrypt <https://en.wikipedia.org/wiki/DNSCrypt>`_ is a network
        protocol that authenticates and encrypts :term:`Domain Name
        System` (:term:`DNS`) traffic between the user's computer and recursive
        name servers. It was originally designed by Frank Denis and Yecheng Fu.
        Although multiple client and server implementations exist, the protocol
        was never proposed to the :term:`Internet Engineering Task Force`
        (:term:`IETF`) by the way of a :term:`Request for Comments`
        (:term:`RFC`). DNSCrypt wraps unmodified DNS traffic between a client
        and a DNS resolver in a cryptographic construction in order to detect
        forgery. Though it doesn't provide end-to-end security, it protects the
        local network against man-in-the-middle attacks. It also mitigates
        UDP-based amplification attacks by requiring a question to be at least
        as large as the corresponding response. Thus, DNSCrypt helps to prevent
        DNS amplification attacks.

    DNSSEC
    Domain Name System Security Extensions

        The `Domain Name System Security Extensions (DNSSEC)
        <https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions>`_ is a
        suite of :term:`Internet Engineering Task Force` (:term:`IETF`) specifications
        for securing certain kinds of information provided by the Domain Name System
        (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to
        DNS which provide to DNS clients (resolvers) origin authentication of DNS
        data, authenticated denial of existence, and data integrity, but not
        availability or confidentiality.


    DSA
    Digital Signature Algorithm

        `The Digital Signature Algorithm (DSA) <https://en.wikipedia.org/wiki/Digital_Signature_Algorithm>`_
        is a United States Federal Information Processing Standard for digital
        signatures. In August 1991 the :term:`National Institute of Standards
        and Technology` (NIST) proposed DSA for use in their
        :term:`Digital Signature Standard` (:term:`DSS`) and adopted it in 1994 in
        its :term:`FIPS` standards specification. Four revisions to the initial
        specification have been released in 1996, 2000, 2009 and in 2013.

        DSA is covered by a U.S. Patent and attributed to a former NSA
        employee. The patent was given to the United States, and NIST has made
        it available worldwide royalty-free. DSA is a variant of the ElGamal
        signature scheme.

    Digital Signature Standard
    DSS

        The
        `Digital Signature Standard (DSS) <https://en.wikipedia.org/wiki/Digital_Signature_Standard>`_
        is a United States Federal Information Processing Standard specifying a
        suite of algorithms that can be used to generate digital signatures
        established by the :term:`National Institute of Standards and Technology`
        (NIST) in 1994. Four revisions to the initial specification have been
        released: :term:`FIPS` 186-1 in 1996, FIPS 186-2 in 2000, FIPS 186-3 in
        2009, and FIPS 186-4 in 2013.

        It defines the :term:`Digital Signature Algorithm` (DSA), contains a
        definition of :term:`RSA` signatures based on the definitions contained
        within :term:`PKCS #1` version 2.1 and in American National Standard
        X9.31 with some additional requirements, and contains a definition of
        the :term:`Elliptic Curve Digital Signature Algorithm` based on the
        definition provided by American National Standard X9.62 with some
        additional requirements and some recommended elliptic curves. It also
        approves the use of all three algorithms.

    DSM
    DiskStation Manager
        Synology’s primary product is the Synology DiskStation Manager (DSM), a
        Linux-based software package that is the operating system for the
        DiskStation and RackStation products.


    DTIM Interval
    Delivery traffic indication map
    Delivery traffic indication message
        DTIM stands for Delivery traffic indication map or message. It is
        basically an additional message added after the normal beacon broadcast
        by your router or access point. See :term:`Beacon Interval`.

        Depending on the timing set for your router, the router “buffers”
        broadcast and multicast data and lets your mobile devices or clients know
        when to “wake up” to receive those data.

        The more often DTIM is transmitted, the more often your mobile
        devices wake up, and the more battery they use (due to the lack of
        “sleep”). By setting a low value of DTIM and beacon interval, you can
        effectively keep your devices awake indefinitely so they never go into
        sleep mode when idling. In some cases the “no sleep” setup can increase
        power consumption by up to 10~20%.

        See `DTIM Interval Best Setting <https://routerguide.net/dtim-interval-period-best-setting/>`_


    Dual EC DRBG
    Dual Elliptic Curve Deterministic Random Bit Generator

        Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is
        an algorithm that was presented as a cryptographically secure
        pseudorandom number generator (CSPRNG) using methods in :term:`Elliptic
        Curve Cryptography`. Despite wide public criticism, including a
        potential backdoor, for seven years it was one of the four (now three)
        CSPRNGs standardized in NIST SP 800-90A as originally published circa
        June 2006, until *withdrawn in 2014*.


    ECC
    Elliptic Curve Cryptography
    Elliptic-Curve Cryptography

        `Elliptic Curve Cryptography (ECC)
        <https://en.wikipedia.org/wiki/Elliptic-curve_cryptography>`_ is an
        approach to public-key cryptography based on the algebraic structure of
        elliptic curves over finite fields. ECC requires smaller keys compared
        to non-ECC cryptography (based on plain Galois fields) to provide
        equivalent security.


    ECDH
    Elliptic Curve Diffie–Hellman
    Elliptic-Curve Diffie–Hellman

        `Elliptic Curve Diffie–Hellman (ECDH)
        <https://en.wikipedia.org/wiki/Elliptic_curve_Diffie-Hellman>`_ is an
        anonymous key agreement protocol that allows two parties, each having an
        Elliptic Curve public–private key pair, to establish a shared secret
        over an insecure channel. This shared secret may be directly used as a
        key, or better yet, to derive another key which can then be used to
        encrypt subsequent communications using a symmetric key cipher. It is a
        variant of the :term:`Diffie-Hellman Key Exchange` using :term:`Elliptic
        Curve Cryptography`.


    ECDSA
    Elliptic Curve Digital Signature Algorithm

        In cryptography, the
        `Elliptic Curve Digital Signature Algorithm (ECDSA) <https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm>`_
        offers a variant of the Digital Signature Algorithm (:term:`DSA`)
        which uses :term:`Elliptic Curve Cryptography`.


    Ed25519
    EdDSA

        In public-key cryptography, `Edwards-curve Digital Signature Algorithm
        (EdDSA) <https://en.wikipedia.org/wiki/EdDSA>`_ is a digital signature
        scheme using a variant of Schnorr signature based on Twisted Edwards
        curves. It is designed to be faster than existing digital signature
        schemes without sacrificing security. It was developed by a team
        including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe,
        and Bo-Yin Yang. The reference implementation is public domain software.


    EEPROM
    Electrically Erasable Programmable Read-Only Memory
        `EEPROM <https://en.wikipedia.org/wiki/EEPROM>`_ (also E2PROM) stands
        for electrically erasable programmable read-only memory and is a type of
        non-volatile memory used in computers, integrated in microcontrollers
        for smart cards and remote keyless systems, and other electronic devices
        to store relatively small amounts of data but allowing individual bytes
        to be erased and reprogrammed.

    EFF
    Electronic Frontier Foundation
        `The Electronic Frontier Foundation <https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation>`_
        (EFF) is an international non-profit digital rights group based in San
        Francisco, California. The foundation was formed in July 1990 by John
        Gilmore, John Perry Barlow and Mitch Kapor to promote Internet civil
        liberties.

    EPROM
    Erasable Programmable Read-only Memory
        An `EPROM <https://en.wikipedia.org/wiki/EPROM>`_ (rarely EROM), or
        erasable programmable Read-Only Memory, is a type of programmable
        :term:`Read-Only Memory` (PROM) chip that retains its data when its
        power supply is switched off. Computer memory that can retrieve stored
        data after a power supply has been turned off and back on is called
        non-volatile. It is an array of floating-gate transistors individually
        programmed by an electronic device that supplies higher voltages than
        those normally used in digital circuits. Once programmed, an EPROM can
        be erased by exposing it to a strong ultraviolet light source (such as
        from a mercury-vapor lamp). EPROMs are easily recognizable by the
        transparent fused quartz window in the top of the package, through which
        the silicon chip is visible, and which permits exposure to ultraviolet
        light during erasing.


    ESMTP

        `Extended SMTP (ESMTP) <https://en.wikipedia.org/wiki/Extended_SMTP>`_
        includes additions made to :term:`SMTP` which were defined in 2008 in
        :rfc:`5321`. It is in widespread use today. Like SMTP, ESMTP uses TCP
        port 25.


    Filter Bubble
        A `filter bubble <https://en.wikipedia.org/wiki/Filter_bubble>`_ is a
        result of a personalized search in which a website algorithm selectively
        guesses what information a user would like to see based on information
        about the user (such as location, past click behavior and search
        history) and, as a result, users become separated from information that
        disagrees with their viewpoints, effectively isolating them in their own
        cultural or ideological bubbles. The term was coined by internet
        activist Eli Pariser in his book by the same name [ARNea]_. The bubble
        effect may have negative implications for civic discourse, according to
        Pariser, but there are contrasting views suggesting the effect is
        minimal and addressable.


    FIPS
        `Federal Information Processing Standards (FIPS) <https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards>`_
        are publicly announced standards developed by the US Government through
        its National Institute of Standards and Technology (:term:`NIST`) for
        use in computer systems by non-military government agencies and
        government contractors.

        FIPS standards are issued to establish requirements for various
        purposes such as ensuring computer security and interoperability, and
        are intended for cases in which suitable industry standards do not
        already exist. Many FIPS specifications are modified versions of
        standards used in the technical communities, such as the American
        National Standards Institute (ANSI), the Institute of Electrical and
        Electronics Engineers (IEEE), and the International Organization for
        Standardization (ISO).

        These include, amongst others, encryption standards, such as the
        Digital Signature Algorithm (:term:`DSA`), Data Encryption Standard
        (:term:`DES`) and the Advanced Encryption Standard (:term:`AES`).


    Firmware
        `Firmware <https://en.wikipedia.org/wiki/Firmware>`_ is essentially
        software that is very closely tied to specific hardware, and unlikely to
        need frequent updates. It is typically stored in non-volatile memory chips
        such as :term:`ROM`, EPROM, or flash memory. Since it can only be
        updated or replaced by special procedures designed by the hardware
        manufacturer, it is somewhat on the boundary between *hardware* and
        *software*; thus the name *"firmware"*.


    Forward Secrecy
    FS
    Perfect Forward Secrecy
    PFS

        In cryptography, forward secrecy is a property of key-agreement
        protocols ensuring that a session key derived from a set of long-term
        keys cannot be compromised if one of the long-term keys (like the
        server's private key) is compromised in the future. Usually either
        :term:`Diffie-Hellman Key Exchange` or :term:`Elliptic Curve
        Diffie–Hellman` is used to create and exchange session keys.


    Fragmentation Threshold
        In wireless networks this value is used to set the maximum size of a
        packet a client can send. Smaller packets improve reliability, but they
        will decrease performance. Unless you’re facing problems with an
        unreliable network, reducing the fragmentation threshold is not
        recommended. Make sure it is set to the default settings (usually 2346).


    FTP
    File Transfer Protocol
        TBD


    Hash
    Hash Function
    Hash Functions
        A `hash function <https://en.wikipedia.org/wiki/Hash_function>`_ is any
        function that can be used to map data of arbitrary size onto data of a
        fixed size. The values returned by a hash function are called hash
        values, hash codes, digests, or simply hashes. Hash functions are often
        used in combination with a hash table, a common data structure used in
        computer software for rapid data lookup. Hash functions accelerate table
        or database lookup by detecting duplicated records in a large file. One
        such application is finding similar stretches in DNA sequences. They are
        also useful in cryptography. A :term:`Cryptographic Hash Function`
        allows one to easily verify whether some input data map onto a given
        hash value, but if the input data is unknown it is deliberately
        difficult to reconstruct it (or any equivalent alternatives) by knowing
        the stored hash value. This is used for assuring integrity of
        transmitted data, and is the building block for an :term:`HMAC`, which
        provides message authentication.

        Hash functions are related to (and often confused with) checksums, check
        digits, fingerprints, lossy compression, randomization functions,
        error-correcting codes, and ciphers. Although the concepts overlap to some
        extent, each one has its own uses and requirements and is designed and
        optimized differently.


    HMAC

        In cryptography, an `HMAC <https://en.wikipedia.org/wiki/HMAC>`_
        (sometimes expanded as either keyed-hash message authentication code or
        hash-based message authentication code) is a specific type of
        :term:`Message Authentication Code` (:term:`MAC`) involving a
        :term:`Cryptographic Hash Function` and a secret cryptographic key. It
        may be used to simultaneously verify both the data integrity and the
        authentication of a message, as with any MAC. Any cryptographic hash
        function, such as :term:`SHA-256` or :term:`SHA-3`, may be used in the
        calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X,
        where X is the hash function used (e.g. HMAC-SHA256 or HMAC-SHA3). The
        cryptographic strength of the HMAC depends upon the cryptographic
        strength of the underlying hash function, the size of its hash output,
        and the size and quality of the key.


    HTTP
    Hypertext Transfer Protocol
        `The Hypertext Transfer Protocol <https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`_
        (HTTP) is an application layer protocol for distributed, collaborative,
        hypermedia information systems. HTTP is the foundation of data
        communication for the World Wide Web, where hypertext documents include
        hyperlinks to other resources that the user can easily access, for
        example by a mouse click or by tapping the screen in a web browser.

        Development of HTTP was initiated by Tim Berners-Lee at CERN in 1989.
        Development of early HTTP Requests for Comments (RFCs) was a coordinated
        effort by the Internet Engineering Task Force (IETF) and the World Wide
        Web Consortium (W3C), with work later moving to the IETF.

    HTTPS
    Hypertext Transfer Protocol Secure
        `Hypertext Transfer Protocol Secure <https://en.wikipedia.org/wiki/HTTPS>`_
        (HTTPS) is an extension of the :term:`Hypertext Transfer Protocol`
        (:term:`HTTP`). It is used for secure communication over a computer
        network, and is widely used on the Internet. In HTTPS, the communication
        protocol is encrypted using :term:`Transport Layer Security`
        (:term:`TLS`) or, formerly, :term:`Secure Sockets Layer` (:term:`SSL`).
        The protocol is therefore also referred to as HTTP over TLS, or HTTP
        over SSL.

    HPKP
    HTTP Public Key Pinning

        `HTTP Public Key Pinning (HPKP)
        <https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning>`_ is a security
        mechanism introduced in 2015 with :rfc:`7469`. Delivered via an HTTP
        header, it allows HTTPS websites to resist impersonation by attackers
        using mis-issued or otherwise fraudulent certificates. To do so,
        it delivers a set of public keys to the client (browser), which should
        be the only ones trusted for connections to this domain. In practice it
        was never widely adopted, as it is difficult and risky for website
        owners to maintain. Google therefore
        `announced <https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ?hn>`_
        in October 2017 that it would deprecate and later remove the HPKP
        feature from the Chrome browser.


    HSTS
    HTTP Strict Transport Security
        TBD.


    IANA
    Internet Assigned Numbers Authority

        The `Internet Assigned Numbers Authority <https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority>`_
        (IANA) is a function of :term:`ICANN`, a nonprofit private American
        corporation that oversees global IP address allocation, autonomous system
        number allocation, root zone management in the Domain Name System
        (:term:`DNS`), media types, and other Internet Protocol-related symbols
        and Internet numbers.
        Its website is `www.iana.org <https://www.iana.org/>`_.


    ICANN
    Internet Corporation for Assigned Names and Numbers

        The `Internet Corporation for Assigned Names and Numbers <https://en.wikipedia.org/wiki/ICANN>`_
        (ICANN) is a nonprofit organization responsible for coordinating the
        maintenance and procedures of several databases related to the namespaces
        and numerical spaces of the Internet, ensuring the network's stable and
        secure operation.

        Much of its work has concerned the Internet's global Domain Name System
        (:term:`DNS`), including policy development for internationalization of
        the DNS system, introduction of new generic top-level domains (TLDs), and
        the operation of root name servers.
        Its website is `www.icann.org <https://www.icann.org/>`_.


    IEEE
    Institute of Electrical and Electronics Engineers

        The
        `Institute of Electrical and Electronics Engineers <https://en.wikipedia.org/wiki/Institute_of_Electrical_and_Electronics_Engineers>`_
        (IEEE) is a professional association with its corporate office in New
        York City and its operations center in Piscataway, New Jersey. It was
        formed in 1963 from the amalgamation of the American Institute of
        Electrical Engineers and the Institute of Radio Engineers. As of 2018,
        it is the world's largest association of technical professionals with
        more than 423,000 members in over 160 countries around the world. Its
        objectives are the educational and technical advancement of electrical
        and electronic engineering, telecommunications, computer engineering
        and allied disciplines.


    IETF
    Internet Engineering Task Force

        The `IETF <https://ietf.org/about/>`_ is a large open international community
        of network designers, operators, vendors, and researchers concerned with the
        evolution of the Internet architecture and the smooth operation of the
        Internet. The technical work of the IETF is done in Working Groups, which are
        organized by topic into several Areas.

        These working groups develop and promote the voluntary Internet standards, in
        particular the standards that comprise the Internet protocol suite (TCP/IP).
        These are typically published as :term:`RFC`. It is an open standards
        organization, with no formal membership or membership requirements. All
        participants and managers are volunteers, though their work is usually funded
        by their employers or sponsors.

        The IETF started out as an activity supported by the U.S. federal government,
        but since 1993 it has operated as a standards development function under the
        auspices of the Internet Society, an international membership-based non-profit
        organization.


    Intel Active Management Technology
    AMT

        `Intel Active Management Technology <https://en.wikipedia.org/wiki/Intel_Active_Management_Technology>`_
        (AMT) is a hardware and firmware backdoor for remote out-of-band
        management of personal computers, running on the :term:`Intel
        Management Engine`, a separate microprocessor not exposed to the user,
        in order to monitor, maintain, update, upgrade, and repair them.

        Features include remote power up/down, boot from remote storage
        devices, console redirection, remote KVM access and other remote
        management and security features.

        Intel AMT is available on processors advertised under the umbrella
        marketing term **Intel vPro** technology, typically targeted at
        corporate customers since about 2007.

        Unlike the Intel Management Engine, AMT usually can be switched off by
        the computer's BIOS options.


    Intel Management Engine
    ME
    Manageability Engine

        The `Intel Management Engine <https://en.wikipedia.org/wiki/Intel_Management_Engine>`_
        (ME), also known as the Manageability Engine, is an autonomous
        subsystem that has been incorporated in virtually all of Intel's
        processor chipsets **since 2008**. It is located in the Platform
        Controller Hub of modern Intel motherboards. It is a part of
        :term:`Intel Active Management Technology`, which allows system
        administrators to perform tasks on the machine remotely. System
        administrators can use it to turn the computer on and off, and they can
        log in remotely to the computer regardless of whether or not an
        operating system is installed.

        The Intel Management Engine always runs as long as the motherboard is
        receiving power, even when the computer is turned off.

        The ME is an attractive target for hackers, since it has top-level
        access to all devices and completely bypasses the operating system.
        Intel has not released much information on the Intel Management
        Engine, prompting speculation that it may include a backdoor. The
        :term:`Electronic Frontier Foundation` has voiced concern about IME.

        AMD processors have a similar feature, called :term:`AMD Secure Technology`.


    IMAP
        `Internet Message Access Protocol (IMAP)
        <https://en.wikipedia.org/wiki/Imap>`_ is a protocol for email
        retrieval and storage by the :term:`MUA` from the :term:`MAS`. It was
        developed as an alternative to :term:`POP`. IMAP, unlike :term:`POP`,
        specifically allows multiple clients to be connected simultaneously to the
        same mailbox, and through flags stored on the server, different clients
        accessing the same mailbox at the same or different times can detect
        state changes made by other clients. The IMAP protocol uses TCP port 143
        and TCP port 993 for :term:`SSL` secured IMAPS connections.


    IRC
    Internet Relay Chat
        TBD

    Jabber
        See :term:`XMPP`.


    KSK
    Key-signing-key
    DNSKEY

        Key-signing-key (KSK) is the cryptographic key-pair used in :term:`DNSSEC` to
        sign :term:`Zone-Signing-Keys` (ZSK). The KSK public key is signed by the
        parent and published as a :term:`Delegation-Signing` (DS) record in the
        parent zone. The child zone publishes the public part of the KSK as a DNSKEY
        record in its own zone.


    LACP
    Link Aggregation Control Protocol
        `Link Aggregation Control Protocol <https://en.wikipedia.org/wiki/Link_aggregation#Link_Aggregation_Control_Protocol>`_


    LDA
    Local Delivery Agent
        The software program in charge of delivering mail messages to their final
        destination on the local system, usually a user's mailbox, after it
        receives them from the :term:`MTA`.

    LDAP
        TBD.

    LMTP
        The `Local Mail Transfer Protocol <https://en.wikipedia.org/wiki/LMTP>`_
        is a derivative of ESMTP, the extension of the Simple Mail Transfer
        Protocol. It is defined in :rfc:`2033`.


    LFU
        LFU means "Least Frequently Used"


    LRU

        LRU means "Least Recently Used"

    LUA

        `Lua <https://en.wikipedia.org/wiki/Lua_(programming_language)>`_ (from
        Portuguese meaning "moon") is a lightweight, multi-paradigm programming
        language designed primarily for embedded use in applications. Lua is
        cross-platform, since the interpreter of compiled bytecode is written in
        ANSI C, and Lua has a relatively simple C API to embed it into
        applications.

        Lua was originally designed in 1993 as a language for extending software
        applications to meet the increasing demand for customization at the
        time. It provided the basic facilities of most procedural programming
        languages, but more complicated or domain-specific features were not
        included; rather, it included mechanisms for extending the language,
        allowing programmers to implement such features. As Lua was intended to
        be a general embeddable extension language, the designers of Lua focused
        on improving its speed, portability, extensibility, and ease-of-use in
        development.



    MAC Address
    Media Access Control
    Media Access Control Address
        A `media access control address <https://en.wikipedia.org/wiki/MAC_address>`_
        (MAC address) of a device is a unique identifier assigned to a network
        interface controller (NIC). For communications within a network segment,
        it is used as a network address for most IEEE 802 network technologies,
        including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems
        Interconnection (OSI) model, MAC addresses are used in the medium access
        control protocol sublayer of the data link layer. As typically
        represented, MAC addresses are recognizable as six groups of two
        hexadecimal digits, separated by hyphens, colons, or no separator.

        A MAC address may be referred to as the burned-in address, and is also
        known as an **Ethernet hardware address**, **hardware address**, and
        **physical address**.

        A network node with multiple NICs must have a unique MAC address for
        each. Sophisticated network equipment such as a multilayer switch or
        router may require one or more permanently assigned MAC addresses.

        MAC addresses are most often assigned by the manufacturer of network
        interface cards. Each is stored in hardware, such as the card's
        read-only memory or by a firmware mechanism. A MAC address typically
        includes the manufacturer's organizationally unique identifier (OUI).


    MAC
    Message Authentication Code
        TBD

    MAS
    Mail Access Server
        TBD


    MD5
        TBD


    MDA
    Mail Delivery Agent
        Another name for :term:`LDA` or :term:`Local Delivery Agent`.


    Memcached
    Memcache

        `Memcached <https://en.wikipedia.org/wiki/Memcached>`_ is a
        general-purpose distributed memory caching system. It is often used to
        speed up dynamic database-driven websites by caching data and objects in
        RAM to reduce the number of times an external data source (such as a
        database or API) must be read. Memcached is free and open-source
        software, licensed under the Revised BSD license. Memcached runs on
        Unix-like operating systems and on Microsoft Windows.

        Memcached's APIs provide a very large hash table distributed across
        multiple machines. When the table is full, subsequent inserts cause
        older data to be purged in least recently used (LRU) order. Applications
        using Memcached typically layer requests and additions into RAM before
        falling back on a slower backing store, such as a database.


    Milter

        `Milter <https://en.wikipedia.org/wiki/Milter>`_ (portmanteau for mail
        filter) is an extension to the widely used open source mail transfer
        agents (:term:`MTA`) Sendmail and Postfix. It allows administrators to
        add mail filters for filtering spam or viruses in the mail-processing
        chain. In the language of the art, "milter" refers to the protocol and
        API implementing the service, while "a milter" has come to refer to a
        filter application that uses milter to provide service.


    MIMO
        TBD


    MSA
    Message Submission Agent
        The software program in charge of receiving mail messages from the
        :term:`MUA` using the :term:`Submission` protocol. The MSA runs as a
        :term:`Daemon`.


    MTA
    Mail Transfer Agent
        TBD


    MTA-STS
    SMTP MTA Strict Transport Security
        SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a
        mechanism enabling mail service providers to declare their ability to
        receive Transport Layer Security (:term:`TLS`) secure :term:`SMTP`
        connections, and to specify whether sending SMTP servers should refuse
        to deliver to MX hosts that do not offer TLS with a trusted server
        certificate. MTA-STS is described in :rfc:`8461`.


    MU-MIMO
        TBD


    MUA
    Message User Agent
        The software program in charge of retrieving messages from a user's
        mailbox on a :term:`MAS` or :term:`Mail Access Server`, usually using
        either :term:`IMAP` or :term:`POP3` protocols. The MUA might also submit
        mail messages to the :term:`MSA` or :term:`Message Submission Agent`
        using the :term:`Submission` protocol. MUAs are commonly known as mail
        clients. Known MUA software product examples are Microsoft Outlook or
        Mozilla Thunderbird.


    MX
        DNS record for "Mail Exchanger", informing the sending system which
        hosts are responsible for receiving mail for a domain over :term:`SMTP`.


    NIST
    National Institute of Standards and Technology
        The `National Institute of Standards and Technology (NIST) <https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology>`_
        is a measurement standards laboratory, and a non-regulatory agency of
        the United States Department of Commerce. Its mission is to promote
        innovation and industrial competitiveness. In 2013 the newspapers
        The Guardian and The New York Times reported that NIST allowed the
        :term:`National Security Agency` (:term:`NSA`) to insert a
        cryptographically secure pseudorandom number generator called
        :term:`Dual EC DRBG` into NIST standard SP 800-90 that had a
        kleptographic backdoor that the NSA can use to covertly predict the
        future outputs of this pseudorandom number generator, thereby allowing
        the surreptitious decryption of data.


    NIST P curves
    NIST P-224
    NIST P-256
    NIST P-384
    NIST-P-512

        According to Bernstein and Lange, many of the efficiency-related
        decisions in NIST FIPS 186-2 are sub-optimal. Other curves are more
        secure and run just as fast.

        In 2014 `Daniel J. Bernstein and Tanja Lange claimed <https://safecurves.cr.yp.to/>`_
        that most real-world implementations of :term:`Elliptic-Curve Cryptography`
        are not to be considered safe. Amongst many others they also criticize
        the NIST curves. **Use if no better alternatives are available**, such as
        :term:`Curve25519`.

    NNTP
        TBD.

    NSA
    National Security Agency
        TBD


    NTP
    Network Time Protocol

        `Network Time Protocol <https://en.wikipedia.org/wiki/Network_Time_Protocol>`_
        (NTP) is a networking protocol for clock synchronization between computer
        systems over packet-switched, variable-latency data networks. In operation
        since before 1985, NTP is one of the oldest Internet protocols in current use.

        NTP is intended to synchronize all participating computers to within a few
        milliseconds of Coordinated Universal Time (UTC). It is designed to mitigate
        the effects of variable network latency. NTP can usually maintain time to
        within tens of milliseconds over the public Internet, and can achieve better
        than one millisecond accuracy in local area networks under ideal conditions.
        Asymmetric routes and network congestion can cause errors of 100 ms or more.


    Null Modem

        `Null modem <https://en.wikipedia.org/wiki/Null_modem>`_ is a
        communication method to directly connect two DTEs (computer, terminal,
        printer, etc.) using an :term:`RS-232` serial cable. The name stems
        from the historical use of RS-232 cables to connect two teleprinter
        devices or two modems in order to communicate with one another; null
        modem communication refers to using a crossed-over RS-232 cable to
        connect the teleprinters directly to one another without the modems.
        It is also used to serially connect a computer to a printer, since
        both are DTE, and is known as a Printer Cable.


    OFDMA
        TBD


    OPDS
    Open Publication Distribution System
        The `Open Publication Distribution System (OPDS)
        <https://en.wikipedia.org/wiki/OPDS>`_ is a way for electronic book
        reading devices to access catalogs of books and download the books themselves
        from a web server. Its specification is prepared by an informal grouping
        of partners, combining Internet Archive, O'Reilly Media, Feedbooks, OLPC,
        and others.

    PDU
    Power Distribution Unit
        A `power distribution unit <https://en.wikipedia.org/wiki/Power_distribution_unit>`_
        (PDU) or mains distribution unit (MDU) is a device fitted with multiple
        outputs designed to distribute electric power, especially to racks of
        computers and networking equipment located within a data center. Data
        centers face challenges in power protection and management solutions.
        This is why many data centers rely on PDU monitoring to improve
        efficiency, uptime, and growth.

    PEM

        `Privacy Enhanced Mail (PEM)
        <https://en.wikipedia.org/wiki/Privacy_Enhanced_Mail>`_ is a 1993
        :term:`IETF` proposal for securing email using public-key
        cryptography. Although PEM became an IETF proposed standard it was
        never widely deployed or used.


    PEM Encoded
    PEM File Format
        Base64 encoded binary data, often used to store :term:`X.509`
        certificates and keys, usually enclosed between "-----BEGIN
        CERTIFICATE-----" and "-----END CERTIFICATE-----" strings.


    POP
    POP3
        The `Post Office Protocol (POP) <https://en.wikipedia.org/wiki/POP3>`_
        is an Internet protocol used by mail clients to retrieve mail from
        remote servers over a TCP/IP connection. POP has been developed through
        several versions, with version 3 (**POP3**) being the current standard.


    PKCS
    Public-Key Cryptography Standards

        `PKCS <https://en.wikipedia.org/wiki/PKCS>`_ stands for "Public Key
        Cryptography Standards". These are a group of public-key cryptography
        standards devised and published by RSA Security LLC, starting in the
        early 1990s. The company published the standards to promote the use of
        the cryptography techniques to which they had patents, such as the RSA
        algorithm, the Schnorr signature algorithm and several others. Though
        not industry standards (because the company retained control over them),
        some of the standards in recent years have begun to move into the
        "standards-track" processes of relevant standards organizations such as
        the IETF and the PKIX working-group.


    PKCS #1
    RSA Cryptography Standard

        See :rfc:`8017`. Defines the mathematical properties and format of
        RSA public and private keys (ASN.1-encoded in clear-text), and the
        basic algorithms and encoding/padding schemes for performing RSA
        encryption, decryption, and producing and verifying signatures.

    PKCS #11
    Cryptographic Token Interface
        Also known as "Cryptoki". An API defining a generic interface to
        cryptographic tokens (see also hardware security module). Often used in
        single sign-on, public-key cryptography and disk encryption systems. RSA
        Security has turned over further development of the PKCS #11 standard to
        the OASIS PKCS 11 Technical Committee. See also :term:`PKCS`.

    PKCS #15
    Cryptographic Token Information Format Standard
        Defines a standard allowing users of cryptographic tokens to identify
        themselves to applications, independent of the application's Cryptoki
        implementation (PKCS #11) or other API. RSA has relinquished
        IC-card-related parts of this standard to ISO/IEC 7816-15. See also
        :term:`PKCS`.

    QAM
        TBD


    Quality of Service
    QoS
        TBD


    Rainbow Table
        TBD


    RC4

        `RC4 <https://en.wikipedia.org/wiki/RC4>`_ is the most widely used
        software stream cipher and is used in popular protocols such as
        Transport Layer Security (TLS) and WEP (to secure wireless networks).
        While remarkable for its simplicity and speed in software, RC4 has
        weaknesses that argue against its use in new systems. As of 2013, there
        is speculation that some state cryptologic agencies may possess the
        capability to break RC4 even when used in the TLS protocol.
        **RC4 should be disabled and avoided wherever possible!**

    Regular Expression
    regex
    regexp
        A `regular expression <https://en.wikipedia.org/wiki/Regular_expression>`_,
        regex or regexp is a sequence of characters that defines a search
        pattern. Usually such patterns are used by string searching algorithms
        for "find" or "find and replace" operations on strings, or for input
        validation. It is a technique developed in theoretical computer science
        and formal language theory.

    RFC
    Request for Comments
        A `Request for Comments (RFC)
        <https://en.wikipedia.org/wiki/Request_for_Comments>`_ is a publication of the
        :term:`Internet Engineering Task Force` (:term:`IETF`) and the Internet
        Society, the principal technical development and standards-setting bodies for
        the Internet.


    ROM
    Read-Only Memory

        Read-only memory (ROM) is a class of storage medium used in computers
        and other electronic devices. Data stored in ROM can only be modified
        slowly, with difficulty, or not at all, so it is mainly used to
        distribute :term:`Firmware`.


    RSA
        `RSA <https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29>`_ is one of
        the first practicable public-key cryptosystems and is widely used for
        secure data transmission. In such a cryptosystem, the encryption key is
        public and differs from the decryption key which is kept secret. RSA
        stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first
        publicly described the algorithm in 1977. YouTube has `this video
        <https://www.youtube.com/watch?v=wXB-V_Keiu8>`_ that explains it in 16
        minutes.


    RTS/CTS Threshold
        RTS (Request to send) and CTS (Clear to Send) is the optional mechanism
        used by the :term:`802.11` wireless networking protocol to reduce frame
        collisions introduced by the "hidden node problem". Originally the
        protocol fixed the "exposed node problem" as well, but modern RTS/CTS
        includes ACKs and does not solve the exposed node problem.

        RTS (Request to send) is sent by the client to the access point; it
        essentially asks for permission to send the next data packet. The lower
        the threshold, the more stable your Wi-Fi network, since it essentially
        asks more often when sending packets. However, if you don't have
        problems with your Wi-Fi you should make sure that the RTS Threshold is
        set to the maximum allowed.

    RS-232

        In telecommunications, `RS-232
        <https://en.wikipedia.org/wiki/RS-232>`_, Recommended Standard 232
        refers to a standard originally introduced in 1960 for serial
        communication transmission of data. It formally defines signals
        connecting between a DTE (data terminal equipment) such as a computer
        terminal, and a DCE (data circuit-terminating equipment or data
        communication equipment), such as a modem. The standard defines the
        electrical characteristics and timing of signals, the meaning of
        signals, and the physical size and pinout of connectors.

        See also :term:`Serial Port`.

    Salt
        In cryptography, a `salt
        <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_ is random data
        that is used as an additional input to a :term:`Cryptographic Hash
        Function` on a password or passphrase. The primary function of salts is
        to defend against dictionary attacks against a list of password hashes
        and against pre-computed :term:`Rainbow Table` attacks. A new salt is
        randomly generated for each password. In a typical setting, the salt and
        the password are concatenated and processed with a :term:`Cryptographic
        Hash Function`, and the resulting output (but not the original password)
        is stored with the salt in a database. Hashing allows for later
        authentication while defending against compromise of the plaintext
        password in the event that the database is somehow compromised.
        Cryptographic salts are broadly used in many modern computer systems,
        from Unix system credentials to Internet security.


    Serial Port
    COM Port

        In computing, a serial port is a serial communication interface
        through which information transfers in or out one bit at a time (in
        contrast to a parallel port). Throughout most of the history of
        personal computers, data was transferred through serial ports to
        devices such as modems, terminals, and various peripherals.

        While such interfaces as Ethernet, FireWire, and USB all send data as
        a serial stream, the term serial port usually identifies hardware
        compliant to the :term:`RS-232` standard or similar and intended to
        interface with a modem or with a similar communication device.

        Modern computers without serial ports may require USB-to-serial
        converters to allow compatibility with RS-232 serial devices. Serial
        ports are still used in applications such as industrial automation
        systems, scientific instruments, point of sale systems and some
        industrial and consumer products. Server computers may use a serial
        port as a control console for diagnostics. Network equipment (such as
        routers and switches) often uses a serial console for configuration.
        Serial ports are still used in these areas as they are simple, cheap
        and their console functions are highly standardized and widespread. A
        serial port requires very little supporting software from the host
        system.

        On personal computers they are called **COM** ports and are numbered
        COM1, COM2, etc.


    Short Preamble
    Long Preamble
        Preamble Type is a simple router option that can slightly boost the
        performance of your wireless network. Most routers and firmware
        default to the long Preamble Type.

        The Preamble Type setting controls how much additional header data is
        added to help check for Wi-Fi data transmission errors. Short Preamble
        Type uses shorter data strings, so less data is transmitted for the
        error redundancy check, which makes it much faster. Long Preamble Type
        uses longer data strings, which allow for better error checking
        capability.

        See `Preamble Type Short or Long <https://routerguide.net/preamble-type-short-or-long/>`_


    SHA
    SHA1
    SHA-1

        `SHA-1 <https://en.wikipedia.org/wiki/SHA1>`_ is a :term:`Cryptographic
        Hash Function` designed by the NSA and is a U.S. Government Standard
        published by the United States NIST in 1995. SHA stands for "secure hash
        algorithm". In 2005, analysts found attacks on SHA-1 suggesting
        that the algorithm might not be secure enough for ongoing use. The U.S.,
        German and other governments are required to move to SHA-2 after
        2010 because of the weakness. Windows will stop accepting SHA-1
        certificates by 2017. However, a large part of today's commercial
        certificate authorities still only issue SHA-1 signed certificates.
        **Avoid where possible!**


    SHA2
    SHA-2
    SHA-224
    SHA-256
    SHA-384
    SHA-512
    SHA-512/224
    SHA-512/256

        `SHA-2 <https://en.wikipedia.org/wiki/SHA2>`_ is a :term:`Cryptographic
        Hash Function` published in 2001 by the US government (NSA & NIST) that
        is significantly different from :term:`SHA-1`. SHA-2 currently consists
        of a set of six :term:`Hash Functions` with digests that are 224, 256,
        384 or 512 bits.

    SHA-3
    Keccak

        SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash
        Algorithm family of standards, released by NIST on August 5, 2015.
        Although part of the same series of standards, SHA-3 is internally
        different from the MD5-like structure of :term:`SHA-1` and
        :term:`SHA-2`.

        SHA-3 is a subset of the broader cryptographic primitive family Keccak
        designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van
        Assche, building upon RadioGatún. Keccak's authors have proposed
        additional uses for the function, not (yet) standardized by NIST,
        including a stream cipher, an authenticated encryption system, a "tree"
        hashing scheme for faster hashing on certain architectures, and AEAD
        ciphers Keyak and Ketje.

        Keccak is based on a novel approach called sponge construction. Sponge
        construction is based on a wide random function or random permutation,
        and allows inputting ("absorbing" in sponge terminology) any amount of
        data, and outputting ("squeezing") any amount of data, while acting as a
        pseudorandom function with regard to all previous inputs. This leads to
        great flexibility.

        NIST does not currently plan to withdraw SHA-2 or remove it from the
        revised Secure Hash Standard. The purpose of SHA-3 is that it can be
        directly substituted for SHA-2 in current applications if necessary, and
        to significantly improve the robustness of NIST's overall hash algorithm
        toolkit.


    Sieve
        `Sieve <https://en.wikipedia.org/wiki/Sieve_%28mail_filtering_language%29>`_
        is a programming language that can be used to create filters for email.
        Sieve's base specification is outlined in :rfc:`5228`.




    SMTP
        The `Simple Mail Transfer Protocol (SMTP)
        <https://en.wikipedia.org/wiki/SMTP>`_ is the protocol used by an
        :term:`MTA` to transmit mail between Internet domains. First defined
        by :rfc:`821` in 1982, it was last updated in 2008 as :term:`ESMTP`.
        SMTP by default uses TCP port 25. SMTP connections secured by SSL, known
        as :term:`SMTPS`, default to TCP port 465.


    SMTPS
        `Simple Mail Transfer Protocol Secure
        <https://en.wikipedia.org/wiki/SMTPS>`_ was a way to provide
        :term:`SSL` secured :term:`SMTP` connections on TCP port 465. SMTPS
        was revoked in favor of :term:`Submission` in 1998 and today TCP
        port 465 is reserved for other purposes. Nonetheless, many mail service
        providers still provide this service on port 465 today.


    SPF
    Sender Policy Framework

        `Sender Policy Framework <https://en.wikipedia.org/wiki/Sender_Policy_Framework>`_
        (SPF) is an email authentication method designed to detect forged sender
        addresses during the delivery of the email. SPF alone, though, can only
        detect a forged sender claimed in the envelope of the mail, which is
        used when the mail gets bounced. Only in combination with
        :term:`DMARC` can it be used to detect forging of the visible sender in
        emails (email spoofing), a technique often used in phishing and email
        spam.

        SPF allows the receiving mail server to check during mail delivery that
        a mail claiming to come from a specific domain is submitted by an IP
        address authorized by that domain's administrators. The list of
        authorized sending hosts and IP addresses for a domain is published in
        the DNS records for that domain.

        Sender Policy Framework is defined in :rfc:`7208` dated April 2014 as a
        "proposed standard".

    SSH

        `Secure Shell (SSH) <https://en.wikipedia.org/wiki/Secure_Shell>`_ is a
        cryptographic network protocol for operating network services securely
        over an unsecured network. Typical applications include remote
        command-line login and remote command execution, but any network
        service can be secured with SSH.

    SSID
    Service Set Identifier
        In :term:`IEEE 802.11` wireless local area networking standards
        (including Wi-Fi), a
        `service set <https://en.wikipedia.org/wiki/Service_set_(802.11_network)>`_
        is a group of wireless network devices
        that are operating with the same networking parameters.

        The SSID or "Service Set Identifier" is a unique ID of up to 32
        characters that is used for naming wireless networks. When
        multiple wireless networks overlap in a certain location, SSIDs make
        sure that data gets sent to the correct destination.

        Each packet sent over a wireless network includes the SSID, which
        ensures that the data being sent over the air arrives at the correct
        location.

        See also :term:`BSSID`.


    SSL
    Secure Sockets Layer

        Secure Sockets Layer is the predecessor of :term:`Transport Layer
        Security` (:term:`TLS`).


    STARTTLS
    Opportunistic TLS
        `Opportunistic TLS <https://en.wikipedia.org/wiki/Opportunistic_TLS>`_
        (Transport Layer Security) refers to extensions in plain text
        communication protocols, which offer a way to upgrade a plain text
        connection to an encrypted (:term:`TLS` or SSL) connection instead of
        using a separate port for encrypted communication. Several protocols
        use a command named "STARTTLS" for this purpose. It is primarily
        intended as a countermeasure to passive monitoring.
        The STARTTLS command for :term:`IMAP` and :term:`POP3` is defined in
        :rfc:`2595`, for :term:`SMTP` in :rfc:`3207`, for :term:`XMPP` in
        :rfc:`6120` and for :term:`NNTP` in :rfc:`4642`. For :term:`IRC`, the
        IRCv3 Working Group has defined the STARTTLS extension. :term:`FTP`
        uses the command "AUTH TLS" defined in :rfc:`4217` and :term:`LDAP`
        defines a protocol extension OID in :rfc:`2830`. :term:`HTTP` uses an
        upgrade header.


    Stock ROM
        Original :term:`Firmware` of a device as supplied by the manufacturer on
        a programmable :term:`ROM`. The term is mostly used in the context where
        a third party provides alternative :term:`Firmware` which may enhance or
        otherwise change the functionality of a device, beyond the intentions of
        its original manufacturer.


    Submission
        Message Submission for Mail is a protocol defined in :rfc:`6409` and
        used by mail clients (:term:`MSA`, :term:`MUA`) to submit electronic
        mail for further delivery on the internet. It is essentially
        :term:`SMTP`, but with mandatory :term:`TLS`-encryption and user
        authentication added and running on TCP port 587.


    TKIP
    Temporal Key Integrity Protocol
        `Temporal Key Integrity Protocol
        <https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol>`_ is a
        security protocol used in the :term:`IEEE 802.11` wireless networking
        standard. TKIP was designed by the :term:`IEEE 802.11i` task group and
        the Wi-Fi Alliance as an interim solution to replace :term:`WEP` without
        requiring the replacement of legacy hardware. This was necessary because
        the breaking of WEP had left Wi-Fi networks without viable link-layer
        security, and a solution was required for already deployed hardware.
        However, TKIP itself is no longer considered secure, and was deprecated
        in the 2012 revision of the 802.11 standard.


    TLDR
    TL;DR
        "Too Long; Didn't Read".


    TLS
    Transport Layer Security

        Transport Layer Security (TLS) and its predecessor, :term:`Secure Sockets
        Layer` (SSL), are cryptographic protocols designed to provide communication
        security over the Internet. They use :term:`X.509` certificates and hence
        asymmetric cryptography to authenticate the counterparty with whom they are
        communicating, and to exchange a symmetric key. This session key is then used
        to encrypt data flowing between the parties. This allows for data/message
        confidentiality, and message authentication codes for message integrity and as
        a by-product, message authentication.


    TLSA
        A TLSA DNS record publishes information on certificates used by a
        :term:`TLS` secured server. Clients (e.g. web browsers) can verify the
        TLS certificate of a server by checking the TLSA DNS record instead of,
        or in addition to, checking whether the certificate is signed by a
        trusted certificate authority. TLSA is part of the :term:`DANE`
        specification. Domains publishing TLSA records must be secured by
        :term:`DNSSEC`.


    TOFU

        `Trust on first use (TOFU) <https://en.wikipedia.org/wiki/Trust_on_first_use>`_,
        or trust upon first use (TUFU), is a security model used by client
        software which needs to establish a trust relationship with an
        unknown or not-yet-trusted endpoint. In a TOFU model, the client will
        try to look up the identifier, usually some kind of public key, in
        its local trust database. If no identifier exists yet for the
        endpoint, the client software will either prompt the user to
        determine if the client should trust the identifier or it will simply
        trust the identifier which was given and record the trust
        relationship into its trust database. If a different identifier is
        received in subsequent connections to the endpoint the client
        software will consider it to be untrusted.

        The TOFU approach can be used when connecting to arbitrary or unknown
        endpoints which do not have a trusted third party such as a
        certificate authority. For example, the :term:`SSH` protocol is
        designed to issue a prompt the first time the client connects to an
        unknown or not-yet-trusted endpoint. Other implementations of TOFU can
        be found in :term:`HTTP Public Key Pinning` in which browsers will
        always accept the first public key returned by the server and with
        :term:`HTTP Strict Transport Security` in which browsers will obey the
        redirection rule for the duration of the 'age' directive.


    Twofish

        In cryptography, `Twofish <https://en.wikipedia.org/wiki/Twofish>`_ is a
        symmetric key block cipher with a block size of 128 bits and key sizes
        up to 256 bits. It was one of the five finalists of the Advanced
        Encryption Standard contest, but it was not selected for
        standardization. Twofish is related to the earlier block cipher
        :term:`Blowfish`.


    Voice over IP
    VoIP
        TBD


    Voice over Wireless LAN
    VoWLAN
        TBD

    WEP
    Wired Equivalent Privacy

        `Wired Equivalent Privacy <https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy>`_
        (WEP) is a security algorithm for :term:`IEEE 802.11` wireless networks.
        Introduced as part of the original 802.11 standard ratified in 1997, its
        intention was to provide data confidentiality comparable to that of a
        traditional wired network.

        WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104
        bits), was at one time widely in use and was often the first security
        choice presented to users by router configuration tools.

        In 2003 the Wi-Fi Alliance announced that WEP had been superseded by
        :term:`Wi-Fi Protected Access` (WPA). In 2004, with the ratification of
        the full 802.11i standard (i.e. :term:`WPA2`), the :term:`IEEE` declared
        that both WEP-40 and WEP-104 have been deprecated.

        WEP was the only encryption protocol available to :term:`802.11a` and
        :term:`802.11b` devices built before the WPA standard, which was
        available for :term:`802.11g` devices. However, some 802.11b devices
        were later provided with firmware or software updates to enable WPA, and
        newer devices had it built in.


    Wi-Fi
        TBD

    Wi-Fi Multimedia
    Wireless Multimedia Extensions
    WME
    WMM
        `Wireless Multimedia Extensions <https://en.wikipedia.org/wiki/Wireless_Multimedia_Extensions>`_
        (WME), also known as Wi-Fi Multimedia (WMM), is a Wi-Fi Alliance
        interoperability certification, based on the :term:`IEEE 802.11e` standard. It
        provides basic :term:`Quality of Service` (QoS) features to :term:`IEEE 802.11`
        networks. WMM prioritizes traffic according to four Access Categories
        (AC): voice (AC_VO), video (AC_VI), best effort (AC_BE), and background
        (AC_BK). However, it does not provide guaranteed throughput. It is
        suitable for well-defined applications that require QoS, such as :term:`Voice
        over IP` (VoIP) on Wi-Fi phones (:term:`VoWLAN`).

        WMM is mandatory for :term:`802.11n`. If you disable WMM you also
        disable 802.11n and your wireless network will automatically fall
        back to :term:`802.11g`.


    WLAN
        TBD


    WLAN Channel
    Wireless LAN Channel
    Wireless Local Area Network Channel

        Wireless local area network channels using :term:`IEEE 802.11`
        protocols are sold mostly under the trademark Wi-Fi.

        The 802.11 workgroup has documented use in five distinct frequency
        ranges: 2.4 GHz, 3.6 GHz, 4.9 GHz, 5 GHz, and 5.9 GHz bands. Each
        range is divided into a multitude of channels. Countries apply their
        own regulations to the allowable channels, allowed users and maximum
        power levels within these frequency ranges.

        A `List of WLAN Channels <https://en.wikipedia.org/wiki/List_of_WLAN_channels>`_
        is available at Wikipedia.

    WPA
    Wi-Fi Protected Access
    IEEE 802.11i
        `Wi-Fi Protected Access <https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>`_
        is a security certification program developed by the Wi-Fi Alliance to
        secure wireless computer networks. The Alliance defined it in
        response to serious weaknesses researchers had found in the previous
        system, Wired Equivalent Privacy (:term:`WEP`).

        WPA (sometimes referred to as the draft IEEE 802.11i standard) became
        available in 2003. The Wi-Fi Alliance intended it as an intermediate
        measure in anticipation of the availability of the more secure and
        complex :term:`WPA2`, which became available in 2004 and is a common
        shorthand for the full IEEE 802.11i (or :term:`IEEE 802.11i-2004`)
        standard.

        In January 2018, Wi-Fi Alliance announced the release of :term:`WPA3`
        with several security improvements over WPA2.


    WPA2
    Wi-Fi Protected Access II
    IEEE 802.11i-2004
        `IEEE 802.11i-2004 <https://en.wikipedia.org/wiki/IEEE_802.11i-2004>`_,
        or 802.11i for short, is an amendment to the original IEEE 802.11,
        implemented as Wi-Fi Protected Access II (WPA2). The draft standard was
        ratified on 24 June 2004. This standard specifies security mechanisms
        for wireless networks, replacing the short Authentication and privacy
        clause of the original standard with a detailed Security clause. In the
        process, the amendment deprecated broken Wired Equivalent Privacy (WEP),
        while it was later incorporated into the published IEEE 802.11-2007
        standard.

    WPA2-PSK
        A :term:`WPA2` wireless connection using a pre-shared key (aka a
        password) to carry out the initial authentication process.

    WPA3
        In January 2018, the Wi-Fi Alliance announced WPA3 as a replacement for
        :term:`WPA2`. The new standard uses 128-bit encryption in WPA3-Personal
        mode (192-bit in WPA3-Enterprise) and :term:`Forward Secrecy`. The WPA3
        standard also replaces the Pre-Shared Key exchange with Simultaneous
        Authentication of Equals as defined in IEEE 802.11-2016 resulting in a
        more secure initial key exchange in personal mode. The Wi-Fi Alliance
        also claims that WPA3 will mitigate security issues posed by weak
        passwords and simplify the process of setting up devices with no display
        interface.

    WPS
    Wi-Fi Protected Setup

        Originally called Wi-Fi Simple Config,
        `Wi-Fi Protected Setup <https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup>`_
        is a network security standard to create a secure wireless home network.

        Created by the Wi-Fi Alliance and introduced in 2006, the goal of the
        protocol is to allow home users who know little of wireless security
        and may be intimidated by the available security options to set up
        Wi-Fi Protected Access, as well as making it easy to add new devices to
        an existing network without entering long passphrases. Prior to the
        standard, several competing solutions were developed by different
        vendors to address the same need.

        A major security flaw was revealed in December 2011 that affects
        wireless routers with the WPS PIN feature, which most recent models
        have enabled by default. The flaw allows a remote attacker to recover
        the WPS PIN in a few hours with a brute-force attack and, with the WPS
        PIN, the network's WPA/WPA2 pre-shared key. Users have been urged
        to turn off the WPS PIN feature.

    X.509
        In cryptography, X.509 is an ITU-T standard for a public key
        infrastructure (PKI) and Privilege Management Infrastructure (PMI).
        X.509 specifies, amongst other things, standard formats for public key
        certificates, certificate revocation lists, attribute certificates, and
        a certification path validation algorithm.


    XML
        TBD


    XMPP
        `Extensible Messaging and Presence Protocol (XMPP)
        <https://en.wikipedia.org/wiki/Xmpp>`_ is a communications protocol for
        message-oriented middleware based on XML (Extensible Markup Language).
        The protocol was originally named Jabber and was developed by the Jabber
        open-source community in 1999 for near real-time, instant messaging (IM),
        presence information, and contact list maintenance.


    Zone-Signing-Keys
    ZSK
        TBD


    OMEMO
        TBD

    OpenPGP
        TBD

    WebRTC
        TBD


    BLAKE2b-256
        TBD