Appendix B. Glossary

This glossary defines key terms used in RFC 5246.

Core Terms

Advanced Encryption Standard (AES)

  • AES is a widely used symmetric key encryption standard. TLS 1.2 supports AES-128 and AES-256.

Application layer

  • The highest protocol layer that typically provides services directly to users.

Application protocol

  • A protocol that uses TLS as its security sublayer.

Asymmetric cipher

  • Also known as public key cryptography. Uses a pair of different keys for encryption and decryption.

Authentication

  • The process of verifying the identity of an entity.

Block cipher

  • An encryption algorithm that transforms fixed-size plaintext blocks into ciphertext blocks of the same size.

Bulk cipher

  • A traditional symmetric algorithm used for encrypting large amounts of data, as opposed to public key algorithms.

Cipher Block Chaining (CBC)

  • A block cipher mode of operation where each plaintext block is XORed with the previous ciphertext block before encryption.

Certificate

  • An X.509 certificate containing a public key and subject identity information, signed by a certificate authority.

Certificate Authority (CA)

  • A trusted entity that issues digital certificates.

Client

  • The application entity that initiates a TLS connection.

Client hello

  • The first message sent by the client to the server to initiate a TLS session.

Client key exchange

  • A handshake message sent by the client containing information used to compute the pre-master secret.

Client write key

  • The bulk cipher key used by the client to encrypt data.

Client write MAC key

  • The key used by the client for MAC operations.

Connection

  • A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For TLS, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.

Data Encryption Standard (DES)

  • DES is a widely used symmetric key encryption method. DES is not recommended for use in TLS 1.2.

Digital Signature Standard (DSS)

  • A NIST standard based on the Digital Signature Algorithm (DSA).

Diffie-Hellman (DH)

  • A key agreement protocol that allows two parties to establish a shared secret over an insecure channel.

Ephemeral Diffie-Hellman (DHE)

  • Diffie-Hellman key exchange using ephemeral keys, providing forward secrecy.

Finished

  • A handshake protocol message that verifies successful completion of the key exchange and authentication process.

Handshake

  • The initial negotiation required to establish TLS session parameters.

Hash function

  • A function that converts an arbitrary-length input into a fixed-length output.

HMAC (Hash-based Message Authentication Code)

  • A message authentication code using a cryptographic hash function and a secret key.

Initialization Vector (IV)

  • A random value that provides initial state for a block cipher.

MAC (Message Authentication Code)

  • A short piece of information used to verify message integrity.

Master secret

  • A 48-byte secret derived from the pre-master secret, used to generate key material.

MD5 (Message Digest 5)

  • A cryptographic hash function that produces a 128-bit hash value. Use of MD5 alone is no longer recommended in TLS 1.2.

Pre-master secret

  • The secret negotiated or transmitted during key exchange, used to derive the master secret.

Public key cryptography

  • An encryption method using key pairs where one key can be made public.

Record

  • The basic data transmission unit of the TLS record layer protocol.

RSA (Rivest-Shamir-Adleman)

  • A widely used public key encryption algorithm.

Server

  • The application entity that responds to TLS connection requests.

Server hello

  • The message sent by the server in response to the client hello.

Session

  • A TLS session is an association between peers. Sessions are created by the handshake protocol. Sessions define a set of cryptographic security parameters that can be shared among multiple connections.

Session identifier

  • A value chosen by the server to identify an active or resumable session state.

SHA (Secure Hash Algorithm)

  • A family of cryptographic hash functions designed by NIST, including SHA-1, SHA-256, SHA-384, etc.

Stream cipher

  • An encryption algorithm that encrypts plaintext bit by bit or byte by byte.

Symmetric cipher

  • A cipher algorithm that uses the same key for both encryption and decryption.

Transport Layer Security (TLS)

  • This protocol; TLS 1.2 is its third major version. TLS 1.0, 1.1, and 1.2 are based on SSL 3.0.

Verify data

  • A 12-byte value included in the Finished message to verify handshake integrity.

Note: For complete term definitions and detailed explanations, please refer to the full text of Appendix B in RFC 5246.