P (Security Glossary)

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

padding

A string, typically added when the last plaintext block is short. For example, if the block length is 64 bits and the last block contains only 40 bits, then 24 bits of padding must be added to the last block. The padding string may contain zeros, alternating zeros and ones, or some other pattern. Applications that use CryptoAPI need not add padding to their plaintext before it is encrypted, nor do they have to remove it after decrypting. This is all handled automatically.

password filter

A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority.

persistent storage

Any storage medium that remains intact when the power to it is disconnected. Many certificate store databases are forms of persistent storage.

PKCS

See Public Key Cryptography Standards.

PKCS #1

The recommended standards for the implementation of public-key cryptography based on the RSA algorithm as defined in RFC 3447.

PKCS #12

The Personal Information Exchange Syntax Standard, developed and maintained by RSA Data Security, Inc. This syntax standard specifies a portable format for storing or transporting a user's private keys, certificates, and miscellaneous secrets.

See also certificate and Public Key Cryptography Standards.

PKCS #7 Signed Data

A data object that is signed with the Public Key Cryptography Standard #7 (PKCS #7) and that encapsulates the information used to sign a file. Typically, it includes the signer's certificate and the root certificate.

PKCS #7

The Cryptographic Message Syntax Standard. A general syntax for data to which cryptography may be applied, such as digital signatures and encryption. It also provides a syntax for disseminating certificates or certificate revocation lists and other message attributes, such as time stamps, to the message.

PKCS_7_ASN_ENCODING

A message encoding type. Message encoding types are stored in the high-order word of a DWORD (value is: 0x00010000).

plaintext

A message that is not encrypted. Plaintext messages are sometimes referred to as cleartext messages.

Portable Executable (PE) Image

The standard Windows executable format.

PRF

See Pseudo-Random Function.

primary credentials

The MsV1_0 authentication package defines a primary credential key string value: The primary credentials string holds the credentials provided at initial logon time. It includes the user name and both case-sensitive and case-insensitive forms of the user's password.

See also supplemental credentials.

primary service provider

The service provider that supplies the control interfaces to the card. Each smart card can register its primary service provider in the smart card database.

primary token

An access token that is typically created only by the Windows kernel. It may be assigned to a process to represent the default security information for that process.

See also access token and impersonation token.

principal

See security principal.

privacy

The condition of being isolated from view or secret. With respect to messages, private messages are encrypted messages whose text is hidden from view. With respect to keys, a private key is a secret key concealed from others.

private key

The secret half of a key pair used in a public key algorithm. Private keys are typically used to encrypt a symmetric session key, digitally sign a message, or decrypt a message that has been encrypted with the corresponding public key.

See also public key.

private key BLOB

A key BLOB that contains a complete public/private key pair. Private key BLOBs are used by administrative programs to transport key pairs. As the private key portion of the key pair is extremely confidential, these BLOBs are typically kept encrypted with a symmetric cipher. These key BLOBs can also be used by advanced applications where the key pairs are stored within the application, rather than relying on the CSP's storage mechanism. A key BLOB is created by calling the CryptExportKey function.

privilege

The right of a user to perform various system-related operations, such as shutting down the system, loading device drivers, or changing the system time. A user's access token contains a list of the privileges held by either the user or the user's groups.

process

The security context under which an application runs. Typically, the security context is associated with a user, so all applications running under a given process take on the permissions and privileges of the owning user.

PROV_DSS

See PROV_DSS provider type.

PROV_DSS Provider Type

Predefined provider type that only supports digital signatures and hashes. It specifies the DSA signature algorithm, and the MD5 and SHA-1 hashing algorithms.

PROV_DSS_DH

See PROV_DSS_DH provider type.

PROV_DSS_DH provider type

Predefined provider type that provides key exchange, digital signature, and hashing algorithms. It is similar to the PROV_DSS provider type.

PROV_FORTEZZA

See PROV_FORTEZZA provider type.

PROV_FORTEZZA provider type

Predefined provider type that provides key exchange, digital signature, encryption, and hashing algorithms. The cryptographic protocols and algorithms specified by this provider type are owned by the National Institute of Standards and Technology (NIST).

PROV_MS_EXCHANGE

See PROV_MS_EXCHANGE provider type.

PROV_MS_EXCHANGE provider type

Predefined provider type designed for the needs of Microsoft Exchange, as well as other applications that are compatible with Microsoft Mail. It provides key exchange, digital signature, encryption, and hashing algorithms.

PROV_RSA_FULL

See PROV_RSA_FULL provider type.

PROV_RSA_FULL provider type

Predefined provider type defined by Microsoft and RSA Data Security, Inc. This general purpose provider type provides key exchange, digital signature, encryption, and hashing algorithms. The key exchange, digital signature, and encryption algorithms are based on RSA public key cryptography.

PROV_RSA_SIG

See PROV_RSA_SIG provider type.

PROV_RSA_SIG provider type

Predefined provider type defined by Microsoft and RSA Data Security. This provider type is a subset of PROV_RSA_FULL that provides only digital signature and hashing algorithms. The digital signature algorithm is an RSA public key algorithm.

PROV_SSL

See PROV_SSL provider type.

PROV_SSL provider type

Predefined provider type that supports the Secure Sockets Layer (SSL) protocol. This type provides key encryption, digital signature, encryption, and hashing algorithms. A specification explaining SSL is available from Netscape Communications Corp.

provider

See Cryptographic Service Provider.

provider name

A name used to identify a CSP. For example, the Microsoft Base Cryptographic Provider version 1.0. The provider name is typically used when calling the CryptAcquireContext function to connect to a CSP.

provider type

A term used to identify a type of cryptographic service provider (CSP). CSPs are grouped into different provider types that represent a specific families of standard data formats and protocols. In contrast to a CSP's unique provider name, provider types are not unique for a given CSP. The provider type is typically used when calling the CryptAcquireContext function to connect to a CSP.

pseudo-random function

(PRF) A function that takes a key, label, and seed as input, then produces an output of arbitrary length.

public/private key pair

A set of cryptographic keys used for public key cryptography. For each user, a CSP usually maintains two public/private key pairs: an exchange key pair and a digital signature key pair. Both key pairs are maintained from session to session.

See exchange key pair and signature key pair.

public key

A cryptographic key typically used when decrypting a session key or a digital signature. The public key can also be used to encrypt a message, guaranteeing that only the person with the corresponding private key can decrypt the message.

See also private key.

public key algorithm

An asymmetric cipher that uses two keys, one for encryption, the public key, and the other for decryption, the private key. As implied by the key names, the public key used to encode plaintext can be made available to anyone. However, the private key must remain secret. Only the private key can decrypt the ciphertext. The public key algorithm used in this process is slow (on the order of 1,000 times slower than symmetric algorithms), and is typically used to encrypt session keys or digitally sign a message.

See also public key and private key.

public key BLOB

A BLOB used to store the public key portion of a public/private key pair. Public key BLOBs are not encrypted as the public key contained within is not secret. A public key BLOB is created by calling the CryptExportKey function.

Public Key Cryptography Standards

(PKCS) A set of syntax standards for public key cryptography covering security functions, including methods for signing data, exchanging keys, requesting certificates, public key encryption and decryption, and other security functions.

public key encryption

Encryption that uses a pair of keys, one key to encrypt data and the other key to decrypt data. In contrast, symmetric encryption algorithms that use the same key for both encryption and decryption. In practice, public key cryptography is typically used to protect the session key used by a symmetric encryption algorithm. In this case, the public key is used to encrypt the session key, which in turn was used to encrypt some data, and the private key is used for decryption. In addition to protecting session keys, public key cryptography may also be used to digitally sign a message (using the private key) and validate the signature (using the public key).

See also public key algorithm.