The Glossary

The Glossary describes common security jargon, phrases, abbreviations, and concepts succinctly and in a way that makes sense to you. You can find these items below in alphabetical order. If you would like to learn about the origins and purpose of this page, please read its introduction post.

A

ABAC - Attribute Based Access Control. In this access-control model, access is granted based on policies. Policies use various attributes when evaluated. These attributes may include user, object, environment, etc. The use of these policies allows fine-grained access control. Amazon IAM supports ABAC.

Access Control - The materialization of authorization, i.e. it is used to enforce the authorization policies. There are various models used across the industry: DAC, MAC, RBAC, ABAC, etc.

Access Token - Generally it refers to a piece of information which grants access to a resource. In OAuth these tokens are short-lived and used as a bearer token when making requests to the resource server.

Adware - A malicious application which shows unwanted advertisements to the victim.

AES - Advanced Encryption Standard. AES is a symmetric block cipher with a 128 bit block size. It can be used with 3 different key lengths: 128, 192, 256 bits. 128 bits is considered enough for today. If you want to be future proof opt for 256 bits.

Argon2 - A key derivation function used for password hashing. It was selected as the winner of the Password Hashing Competition in July 2015.

Asymmetric Cryptography - Also called public key cryptography. In contrast to symmetric cryptography, this type of crypto deals with key-pairs. Different operations require different keys. The classic example is RSA.

Audit Trail - Also called audit log. A set of records providing evidence that something happened at a given time. A single audit entry must answer at least the following questions: when did it happen? What happened? Who did it? Where did it happen?

Authentication - Usually happens after identification. Authentication is the act of providing proof of identity. For instance, knowing a password for an account is the proof of being the owner of it.

Authenticity - Assurance of identity. For instance, a TLS certificate provides domain authenticity. If it’s valid, you can be confident the website is who it claims to be. Authenticity is verified via authentication.

Authorization - Deals with privileges. Whether an entity is allowed to carry out a certain action. It is possible to be identified and authenticated but not have any rights in a system. The implementation of authorization is referred to as access-control.

Availability - A component of the CIA triad. It ensures authorized parties are able to access the information in a timely manner.

B

Bcrypt - An adaptive password hashing function based on Blowfish. This algorithm stood the test of time. A modern version is safe to use today with correct parameters.

Bearer Token - A token which, when presented, grants access to a resource. Usually sent in an HTTP request’s Authorization header.

Block Cipher - Refers to a cipher which works with blocks of data rather than individual bits. Typically, if the data length is not a multiple of the block size, it is padded.

Blowfish - A symmetric-key block cipher using 64 bit block size.

Brute Force Attack - This attack involves trying all combinations of possible inputs to defeat a system. For instance, one might try to brute force a five-character alpha password on a website by continuously trying everything from “aaaaa” to “zzzzz”. Brute force guarantees success since the whole keyspace is tried. A huge caveat though is its speed. In a well-designed system brute force attacks should be infeasible.

C

CA - Certificate Authority. An entity issuing digital certificates. In the web PKI, certificate authorities are a trusted third party. Their root certificates are stored in the trust stores of browsers and operating systems. As the security of the web is greatly influenced by CAs, they have to obey strict rules defined in their baseline requirements.

CAA - Certificate Authority Authorization. It is a special DNS record you can set to only allow certain CAs to publish certificates for your domain.

Certificate - A piece of information signed by a trusted third-party attesting something about an entity. Most commonly used to prove domain ownership. A CA, after doing a domain ownership validation, will sign a certificate so others can rely on this information. Certificates also contain a public key that is used in the TLS protocol and to establish a trusted certificate-chain.

Certificate Chain - Certificates can be signed to form a chain. Signature works by signing the certificate’s hash with the private key corresponding to the public key in the signer’s certificate. This chain usually ends with a root-certificate.

Checksum - A small piece of data ensuring integrity against random errors. Naive example: you need to transfer ten one-digit integers to another party. You add an 11th, which holds the last digit of the sum of all integers. The receiving party calculates the same sum and checks if its last digit matches the one you sent. If not, there has been an error in the transfer.

CIA Triad - Confidentiality, Integrity and Availability of information. These are the fundamental properties security systems strive to achieve. This is one of the most widely used security models in the industry.

Cipher - An algorithm designed to be used for encrypting data, providing confidentiality. Modern ciphers may also provide integrity.

Cipher Text - Refers to encrypted data. The output of an encryption algorithm is ciphertext.

Client Credentials - In OAuth, the credentials the client uses to authenticate to the OAuth server, a.k.a. the identity provider. Usually an id-secret pair.

Collision Resistance - A property of a hash function, guaranteeing that it is very hard to find two distinct input messages which generate the same hash.

Confidentiality - A component of the CIA triad. It deals with keeping information inaccessible to unauthorized parties.

CRL - Certificate Revocation List. A list of revoked certificates signed by the CA.

Cross-signed Root Certificate - When a new CA enters the scene, its root certificate is not yet distributed to the clients’ trust stores, therefore it cannot yet issue valid certificates. A cross-signed root certificate is essentially an intermediate certificate signed by an already established CA.

Cryptoanalysis - A study of crypto systems to find vulnerabilities in their design or implementation (side-channel attack).

Cryptographic Security - Something is said to be cryptographically secure if it can be used in a cryptosystem without weakening its properties. Basically, it refers to a high-level of security.

Cryptography - The study that deals with securing messages from third-parties. Modern cryptography deals with confidentiality, integrity, authentication, non-repudiation.

CSP - Content Security Policy. A set of rules a server can send to the client’s browser in the form of a header. Browsers supporting CSP will enforce these rules, providing more security.

CSRF / XSRF - Cross-Site Request Forgery. Also called session riding. An attack where the victim visits a webpage, which instructs the browser to send a request to another site. The browser happily executes and attaches the required credentials (cookies, basic/digest auth) if available. Using this technique, the attacker can impersonate the victim towards vulnerable websites where he is logged in. Most commonly a CSRF-token is used to protect against this behavior.

CT - Certificate Transparency. An open framework aiming to fix the current flaws of our PKI ecosystem. It provides ways for anyone to detect misbehaving CAs and rogue certificates.

D

3DES - Triple DES. 3DES is a symmetric block cipher with a 64 bit block size. Available key sizes are 56, 112, 168 bits. The 168 bit version is vulnerable to a meet-in-the-middle attack and is considered to provide only 112 bits of security. This is still considered okay, but if you can, opt for AES.

DAC - Discretionary Access Control. In this access-control model, access is granted based on the identity or the group membership of the user. A user with certain permissions is capable of passing these on to any other subject. A good example of this model is the Unix file mode or Facebook’s content visibility.

DANE - DNS-based Authentication of Named Entities. A protocol to bind certificates to domains by using DNSSEC. Using this would remove the need for CAs.

DDoS - Distributed Denial of Service. A DoS attack, which originates from multiple sources, hence making it distributed. Commonly used to exhaust the target’s network resources.

Decryption - A cryptographic concept, where an encrypted message, a.k.a ciphertext, is transformed back into its original form, a.k.a plaintext, by someone who possesses the correct key.

DES - Data Encryption Standard. DES is a symmetric block cipher with a 64 bit block size and 56 bit key size. It takes a 64 bit key, but only 56 bits are used during encryption/decryption. DES is insecure today. Use AES (or 3DES for legacy systems).

DH - Diffie-Hellman. A key exchange algorithm used to agree on a secret key over a public network. The algorithm’s strength builds on the discrete logarithm problem.

Dictionary Attack - An attack where a predetermined number of possible solutions is tried. It can be more effective than brute-force as the number of likely solutions is a lot smaller. Commonly used to crack password hashes.

Digital Signature - A cryptographic operation used to provide authenticity, integrity and non-repudiation to messages.

DKIM - DomainKeys Identified Mail. A standard used to provide extra security for emails originating from your domain. If you configure DKIM correctly for your domain, every message you send from that domain will include a cryptographic signature to ensure its integrity and authenticity. Receivers may verify this signature by fetching your public keys from DNS.

DMARC - Domain-based Message Authentication, Reporting and Conformance. Builds on SPF and DKIM. Using DMARC, domain owners are capable of deploying policies instructing recipients to require DKIM and SPF for emails originating from their domain. The framework also provides the ability for recipients to report malicious messages back to the domain owner.

DNSSEC - DNS Security Extensions. Adds digital signatures to DNS responses.

DoS - Denial of Service. An attack which aims to make the service unavailable to users. A common way to achieve this is by exhausting the resources (network, memory, CPU, etc.) of a server. It can also be done by crashing the target.

E

ECC - Elliptic Curve Cryptography. Refers to cryptographic algorithms based on the discrete logarithm problem defined over elliptic curves. Read this for a gentle introduction to ECC.

ECDH - Elliptic Curve Diffie-Hellman. A key exchange similar to DH, but based on the elliptic curve discrete logarithm problem.

ECDHE - Ephemeral Elliptic Curve Diffie-Hellman. This is ECDH combined with EDH.

EDH / DHE - Ephemeral Diffie-Hellman. A variation of Diffie-Hellman, where each party generates a new private key for every key exchange, thus enabling forward secrecy.

Encryption - A cryptographic concept, where a message, a.k.a plaintext, is transformed in such a way, that it can only be transformed back to its original form, a.k.a decrypted, by someone who possesses the correct key, making the resulting message, a.k.a. ciphertext, completely unusable by anyone else.

Exploit - A piece of code or data, which is utilized to take advantage of a vulnerability.

F

Forward Secrecy - A crypto system is said to support forward secrecy if breaking the key for one connection has no impact on future connections. For instance, TLS connections relying on RSA for key exchange are not forward secure, while those utilizing DHE and ECDHE are.

G

H

Hash - A one way function used to map data to a fixed size. It is considered cryptographic if it satisfies the following properties: collision resistance, preimage resistance, and second preimage resistance.

HMAC - Hash-based Message Authentication Code. A MAC algorithm based on hashes.

HOTP - HMAC-based One-time Password. An OTP algorithm based on HMAC.

HPKP - HTTP Public Key Pinning. A standard which allows websites to instruct browsers to only accept specific certificates for the site, i.e. pin it. This is being deprecated.

HSTS - HTTP Strict Transport Security. A standard which allows websites to instruct browsers to only connect via TLS.

HTTPS - HTTP over TLS.

I

Identification - The act of stating who you claim to be. The classic example is entering a username on a website.

Integrity - A component of the CIA triad. It deals with protecting information from being modified by unauthorized parties.

Intermediate Certificate - Any certificate in the certificate chain which is not the root or the leaf certificate.

IV - Initialization Vector. Some cryptographic operations require an initial input before they can do meaningful work. This is where IV comes in. Usually, the IV needs to be random and unpredictable, but it depends heavily on the use-case. An IV is not considered secret.

J

JWT - JSON Web Token. A self-contained, integrity-protected token which carries JSON data. Read more about it at jwt.io.

K

KDF - Key Derivation Function. A one-way function used to derive pseudo-random keys from a secret value that may only be statistically random (having a normal distribution).

Key - The key in cryptography refers to a secret bit series which is required to perform the operation. The security of all cryptographic constructions depends on the secrecy of the key.

Key Exchange - Refers to the protocol or algorithm utilized by two parties to agree upon a key for further use. Secure key exchange algorithms are resistant to passive network attacks. The agreed key cannot be easily calculated by seeing the traffic.

Key-pair - Used in asymmetric cryptography. Refers to public-private pair of keys, which are bound together with mathematical properties.

Key Pinning - The practice of explicitly associating a given public key or certificate with a domain. Key pinning protects against active network attacks, where the attacker tries to inject a trusted certificate during the TLS handshake, to compromise the channel’s confidentiality and integrity. HPKP can be used to achieve this over HTTP.

Key space - All possible permutations from which the key is chosen. The larger the keyspace, the harder it is to brute-force the key. For instance, the key space of an eight character lower alphanumeric password has, assuming the English alphabet, 36^8 or about 2.8 trillion permutations.

L

Leaf Certificate - The last certificate in the chain, which is not used to sign any other certificates. This certificate is used to link the trust chain to the actual entity (domain, email, etc.)

M

MAC - Message Authentication Code. A small piece of information used to provide authenticity and integrity to a message. It is usually attached alongside the message.

Malware - A malicious application.

MAC - Mandatory Access Control. In this access-control model, access is granted based on centrally enforced policies. The policies are defined by the administrator and users do not have the ability to override them. A great example is SELinux.

Mask Attack - A special kind of brute-force attack where the attacker tries specific patterns, reducing the key space. For instance, if the attacker saw the first 3 letters of a 7-character password and knows the last character is a digit, he can create the following pattern: ^Ast[a-z]{3}[0-9]$.

MD5 - A deprecated hash algorithm using a 128 bit block size. MD5 is considered insecure today. Opt for stronger algorithms like SHA256 or SHA512.

Meet In The Middle Attack - The idea is to split the problem into two (or more) parts and attack them individually. If the crypto system is vulnerable, the time required to brute-force a key is greatly reduced. The classic example is double-DES.

MITM - Man In The Middle. A network attack where the attacker can position himself between two parties, gaining access to the information exchange between them. In a passive MITM the attacker can only read information, while in an active MITM, he is also able to modify it on the fly.

Mixed Content - A vulnerability which happens when a secure site (loaded over HTTPS) loads content over an insecure channel. Active mixed content (JavaScript, CSS, etc.) is blocked by modern browsers, while passive is allowed, but generates a warning. The server can enforce mixed content blocking via CSP.

N

Non-repudiation - A security property, which cryptographically binds an object, action, etc. to a user. For instance, by digitally signing a message with his private key, the user explicitly states this came from him. Later, he cannot deny signing the message as no other party is capable of producing that exact signature.

Nonce - Number used only once. In cryptography, it refers to a number or piece of data that is only used a single time. Nonce reuse can completely break security.

O

OAuth - An authorization protocol now superseded by OAuth 2. For more information visit oauth.net.

OAuth 2 - An authorization framework that enables third-party applications to obtain limited access to a web service. For more information visit oauth.net.

OCSP - Online Certificate Status Protocol. A protocol which allows browsers to query for a certificate’s revocation status online from its issuer. This protocol was created to solve the problem of huge CRL lists.

OCSP Stapling - A technique which allows website operators to prefetch OCSP information and staple it to the certificate during a TLS handshake.

Opaque Token - A token, which is meaningless to an outside observer. I.e. it does not have anything encoded within it. The opposite of a self-describing token.

OpenId Connect - A protocol built on top of OAuth 2 to provide single-sign-on. For more information visit the official website.

Open Redirect - A web-based vulnerability where a website takes a user-controlled URL and redirects the browser there without any validation. This increases the likelihood of a successful phishing attack, as the attacker can construct links which point to the original site but redirect to a fake phishing site.

OTP - One-time Password. As its name suggests, a password which is only usable once. Commonly used during two-factor authentication.

OWASP - Open Web Application Security Project. An open source project dedicated to improving web application security. Find out more on the OWASP website.

OWASP Top 10 - The list of top 10 vulnerabilities compiled by the OWASP team. Find out more on their website.

P

Padding - Used to ensure that data is of a certain size, by adding extra bits/bytes to it. Can be used to hide the exact length of the plaintext and make cryptoanalysis harder.

Passphrase - A piece of information used by the user to authenticate himself to a system. Sometimes used interchangeably with password. Usually passphrases are longer and may contain multiple words and spaces. In practice their effectiveness is questionable.

Password - A piece of information used by the user to authenticate himself to a system. Sometimes used interchangeably with passphrase.

PBKDF - Password-based key derivation function. It is used to create a cryptographic key from a password.

PBKDF2 - Password-based key derivation function 2. A standard PBKDF still in use today. With a high iteration count it is still considered secure.

Permission - Used interchangeably with privilege. In authorization, if a user has a given permission, he is allowed to perform a certain action.

PGP - Pretty Good Privacy. An encryption program designed to provide privacy and authentication to a digital communication (like email). The most widely used standard is OpenPGP.

Phishing Attack - An attack against people, which aims to obtain sensitive information from the targets by using legitimate-looking websites, messages, email, etc. This type of attack is commonly used together with social engineering.

PKI - Public Key Infrastructure. A system describing roles and processes when managing digital certificates. For instance, the web PKI defines the following: the role of the CA and the browser, the concept of a trust-store, the process of obtaining, using, validating and revoking certificates.

Plaintext - Refers to data not encrypted. The output of a decryption algorithm is plaintext. Sometimes it is also referred to as cleartext.

Preimage Resistance - A property of a hash function, which guarantees that given a hash value h, it is difficult to find a message m, such that hash(m) = h.

Private key - The part of the key pair, which must be kept secret. Used to decrypt or sign messages in asymmetric cryptography.

Privilege - Used interchangeably with permissions. In authorization, if a user has a given privilege, he is allowed to perform a certain action.

Privilege Escalation - The act of gaining higher privileges, than the user would normally have, by exploiting a bug, design flaw or misconfiguration in a system.

Public Key - The part of the key pair which should be published. Used to encrypt or check the signature of messages in asymmetric cryptography.

Q

R

Rainbow Table - An attack against hash functions aimed at reversing the hash to a plaintext. It uses precomputed hash tables, making it a space-time tradeoff. It takes less time than brute-force and uses less space than a lookup table of every hash in the key space.

Ransomware - A type of malicious application, which encrypts files on the victim’s computer and demands a ransom for the key, which can be used to decrypt them.

RBAC - Role Based Access Control. In this access-control model, access is granted based on roles. Roles are assigned privileges, and users are assigned to one or multiple roles. The user is allowed access if any of their roles grants the required permission.

RC4 - A well known stream cipher, now deprecated because of known weaknesses. Opt for ChaCha20 or block ciphers instead.

RCE - Remote Code Execution. A vulnerability which, when exploited, lets the attacker run arbitrary code on the victim machine.

Refresh Token - A concept used in OAuth, to make it more secure. A refresh token, along with the client credentials, is used to obtain new access tokens. These tokens are generally long-lived.

Replay attack - This attack aims to replay a genuine request at a later point in time. An attacker may record HTTP requests and reissue them unmodified.

Revoked certificate - A certificate that should no longer be trusted even if its scheduled expiration date is yet to come. CAs publish a list of these certificates in a CRL. They also provide a protocol to query for a certificate’s status called OCSP.

Rogue certificate - These are valid certificates, which were either issued by a malicious CA or were obtained by compromising a CA’s systems by exploiting a vulnerability.

Root certificate - A self-signed certificate issued by a CA. These certificates are placed in the client’s trust store to allow for certificate chain validation.

RSA - Rivest-Shamir-Adleman cryptosystem. A well known asymmetric cryptography system, which is still considered secure today. It is built on the hardness of the integer factorization problem. If you can, use 4096 bit keys and never go below 2048 bits.

S

Salt - Extra random data added to the input of the hash function. Its primary purpose is to defend against dictionary and rainbow table attacks.

Scrypt - An adaptive password-based key derivation function designed to require large amounts of memory. It is safe to use today with correct parameters.

Second Preimage Resistance - A property of a hash function, which guarantees that given a message m1, it should be difficult to find a different message m2, such that hash(m1) = hash(m2).

Self-describing Token - Also known as self-contained token. A piece of data which carries information in itself. The opposite of an opaque token. A great example is JWT.

Self-signed Certificate - A certificate signed by the private-key corresponding to the public-key in the certificate itself.

SHA - Secure Hash Algorithm. A standard hashing algorithm. If you need cryptographic security, use SHA256 or above.

Shellcode - A piece of code used as the payload of an exploit. Typically this code opens a shell on the target computer, hence the name.

Side-channel attack - A form of cryptoanalysis that focuses on the implementation of the cryptosystem. The idea is that just by looking at the system (listening to it, measuring timing, measuring power consumption, etc.) an attacker may gain enough information to break the system.

Social Engineering - The act of manipulating other people to behave in a certain way. A successful attack often results in the victim divulging confidential information or installing malicious programs onto their systems. Read more about it on Wikipedia.

SPF - Sender Policy Framework. A type of DNS record which specifies what mail servers are allowed to send emails for your domain. This is used to prevent spammers from abusing your domain and sending out an email which appears to originate from you. SPF is enforced client side; non-compatible clients/email providers are still exposed.

Spyware - A malicious application used to spy on the victim.

SQL injection - An attack which exploits a vulnerability in query composition. Incorrectly composed SQL queries can be manipulated to alter their behavior. The results can be devastating, anywhere from complete database compromise to data loss. Protections include prepared statements, correct escaping, and data segregation.

SRI - Subresource Integrity. A technology that enables browsers to verify the integrity of the resources it loads. Read more about it on MDN.

SSL - Secure Socket Layer. This protocol is the predecessor of TLS. Today it is considered insecure and should not be used.

SSRF - Server Side Request Forgery. A technique where the attacker manipulates the server into issuing requests. This allows the attacker to reach into the internal network using the vulnerable server as a proxy.

Stream cipher - Refers to a cipher which works with bits of data rather than blocks. Stream ciphers require no padding, therefore produce no size overhead.

Symmetric Key Algorithm - Also known as symmetric (key) cryptography. Refers to an algorithm/construction which requires the same key for all of its operations (encryption-decryption or signature-validation).

T

TFA / 2FA - Two Factor Authentication. An authentication mode, which requires multiple proofs of identity. Typical proof types are something you know (password), something you have (smart-card), and something you are (fingerprint).

TLS - Transport Layer Security. It is a protocol used under HTTPS to provide authenticity, confidentiality, and integrity.

TLS Handshake - Before a TLS connection is established, the involved parties exchange certificates, connection parameters, and agree on a cipher. This process is called a handshake.

TOTP - Time-based One-time Password. An OTP algorithm based on HOTP using the current time instead of a counter.

Trust store - All the trusted CA root certificates are placed in the system’s trust store. If a certificate chain ends with a trusted root certificate, the whole chain is considered trusted.

U

V

Vulnerability - A security defect in software. These defects are used by attackers during exploitation.

W

WAF - Web Application Firewall. A piece of software installed in front of the web application. Its main purpose is to defend the application from malicious requests by detecting and blocking them. Apache’s ModSecurity is a good example of a WAF.

Web of Trust - A decentralized trust model, which relies on its users to validate identity. In PGP, users sign the public key of those who they trust. For instance, user A signs user B’s public key, claiming it really belongs to B. Now, if user C trusts user A, then C may also trust B, forming a web.

X

X.509 - The standard describing digital certificates and the PKI.

XSS - Cross Site Scripting. An attack which lets the attacker run scripts in the victim’s web browser. For a 360 view of this vulnerability read this post.

XSSI - Cross Site Script Include. An attack where the attacker website may obtain confidential information by including a script from a different origin.

XXE - XML External Entity. An attack which lets the attacker “run code” when a vulnerable XML parser processes a specially crafted XML document.

Y

Z