HP-UX Trusted Computing Services A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Trusted Computing Services (TCS) Software

100

Glossary

AES Advanced Encryption Standard. A symmetric key block encryption algorithm suitable for

encrypting large amounts of data.

API Application Programming Interface. The definition of a set of functions that a library supports.

asymmetric key

cryptography

See public key cryptography..

CA Certificate Authority. A trusted third party that authenticates users and issues security

certificates. In addition to establishing trust in the binding between a user’s public key and

other security-related information in a certificate, the CA digitally signs the certificate information

using its private key.

certificate A security certificate associates (or binds) a public key with a principal--a particular person,

system, device, or other entity. The security certificate is issued by an entity, in whom users

have put their trust, called a Certificate Authority (CA) that guarantees or confirms the identity

of the holder (person, device, or other entity) of the corresponding private key. The CA digitally

signs the certificate with the CA’s private key, so the certificate can be verified using the CA’s

public key. The most commonly used format for public-key certificates is the International

Organization for Standardization (ISO) X.509 standard, Version 3.

Certificate

Authority

See CA..

DLKM Dynamically Loadable Kernel Module. A kernel module that can be installed without requiring

a system reboot.

EVFS HP-UX Encrypted Volumes and File Systems. EVFS protects data by encrypting data volumes

to protect data at rest, that is, data on disks. EVFS can also be used to create encrypted backup

media. EVFS prevents anyone who gains unauthorized physical access to storage media from

reading or using the data.

key blob An opaque data object that contains a key and other data used by TCS to use the key. The key

is visible and usable only by TCS.

migratable key A key that can be migrated or moved and used on another TPM system. The Roaming Key and

all its descendants are migratable.

public key

cryptography

A cryptographic method using two mathematically related keys (k1 and k2) such that data

encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide

assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2.

One key must be private (known only to the owner), but the second key can be widely known

(public), which makes key distribution easy to manage. Public key encryption is computationally

expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is

usually used to authenticate data.

Also referred to as asymmetric key cryptography (the two keys are not the same) or

public-private key cryptography.

RK Roaming Key. A migratable encryption key that protects data. The SRK protects the RK, and

the RK protects TCS application keys.

RSA (Rivest, Shamir, and Adelman) Public key cryptosystem that can be used for privacy (encryption)

and authentication (signatures). For encryption, system A can send data encrypted with system

B's public key. Only system B's private key can decrypt the data. For authentication, system A

sends data with a signature - a digest or hash encrypted with system A's private key. To verify

the signature, system B uses system A's public key to decrypt the signature and compare the

decrypted hash or digest to the digest or hash that it computes for the message.

SK System Specific Storage Key. An encryption key that protects data. It can not be migrated to

another platform. TCS creates an SK but does not use it to protect any other keys.

SRK Storage Root Key. The top key in the TPM key hierarchy. The SRK private key component never

leaves the TPM. It protects the SK and RK.