D (Security Glossary)

DAC

See dynamic access control.

DACL

See discretionary access control list.

data content type

A base content type defined by PKCS #7. Data content is simply an octet (byte) string.

data encryption

See encryption.

data encryption function

See encryption and decryption functions.

Data Encryption Standard

(DES) A block cipher that encrypts data in 64-bit blocks. DES is a symmetric algorithm that uses the same algorithm and key for encryption and decryption.

Developed in the early 1970s, DES is also known as the DEA (Data Encryption Algorithm) by ANSI and the DEA-1 by ISO.

datagram

A communication channel that uses information routed through a packet-switching network. This information includes separate packets of information and the delivery information associated with those packets, such as the destination address. In a packet-switching network, data packets are routed independently of one another and may follow different routes. They may also arrive in a different order from the one in which they were sent.

decoding

The process of translating an encoded object (such as a certificate) or data back to its original format.

In general terms, data is decoded by the Encoding/Decoding layer of the communication protocol. Certificates are decoded by a call to the CryptDecodeObject function.

decryption

The process of converting ciphertext to plaintext. Decryption is the opposite of encryption.

default mode

Default settings, such as the block encryption cipher mode or the block encryption padding method.

DER

See Distinguished Encoding Rules.

derived key

A cryptographic key created by a call to the CryptDeriveKey function. A derived key can be created from a password, or any other user data. Derived keys allow applications to create session keys as needed, eliminating the need to store a particular key.
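The entry above describes a key that is regenerated from user data whenever it is needed rather than stored. The following added example (not CryptoAPI's CryptDeriveKey, and not code from the glossary) shows the same idea with the Python standard library: a session key is derived from a password with PBKDF2-HMAC-SHA256, and the application persists only a random salt, the iteration count and a verifier, never the key. The iteration count and the `"verifier"` label are assumptions chosen for the example.

```python
"""Password-derived session key: store a salt and a verifier, never the key.

Added example; it does not use CryptoAPI.  The key is recomputed from the
password on demand, which is what makes storing it unnecessary.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: illustrative work factor, tune for your threat model
KEY_LEN = 32           # 256-bit session key
SALT_LEN = 16


def derive_key(password: str, salt: bytes,
               iterations: int = ITERATIONS, length: int = KEY_LEN) -> bytes:
    """Derive a symmetric key from a password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, length)


def _verifier(key: bytes) -> bytes:
    # A MAC over a fixed label lets us check the password later without
    # keeping the key itself; the label is a constructed example value.
    return hmac.new(key, b"verifier", "sha256").digest()


def new_enrollment(password: str) -> dict:
    """What the application stores: salt, cost parameter and verifier only."""
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_key(password, salt)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": _verifier(key)}


def unlock(record: dict, password: str):
    """Re-derive the session key; return None if the password is wrong."""
    key = derive_key(password, record["salt"], record["iterations"])
    # constant-time comparison so the check does not leak the verifier byte by byte
    if not hmac.compare_digest(_verifier(key), record["verifier"]):
        return None
    return key


if __name__ == "__main__":
    record = new_enrollment("correct horse battery staple")   # constructed password
    print("stored record fields:", sorted(record))
    print("unlock ok:", unlock(record, "correct horse battery staple") is not None)
    print("wrong password ok:", unlock(record, "wrong") is not None)
```

Because the key is a deterministic function of password, salt and iteration count, the same session key comes back on every successful unlock, while a different salt (another user, or a re-enrollment) yields an unrelated key.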

DES

See Data Encryption Standard.

DH

See Diffie-Hellman algorithm.


The CryptoAPI algorithm name for the Diffie-Hellman key-exchange algorithm.

See also Diffie-Hellman algorithm.

Diffie-Hellman algorithm

(DH) A public key algorithm used for secure key exchange. Diffie-Hellman cannot be used for data encryption. This algorithm is specified as the key exchange algorithm for PROV_DSS_DH provider types.

See also Diffie-Hellman (store and forward) key-exchange algorithm and Diffie-Hellman (ephemeral) key-exchange algorithm.

Diffie-Hellman (store and forward) key-exchange algorithm

A Diffie-Hellman algorithm where the exchange key values are retained (in the CSP) after the key handle has been destroyed.

See also Diffie-Hellman (ephemeral) key-exchange algorithm.

Diffie-Hellman (ephemeral) key-exchange algorithm

A Diffie-Hellman algorithm where the exchange key value is deleted from the CSP when the key handle is destroyed.

See also Diffie-Hellman (store and forward) key-exchange algorithm.
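The three Diffie-Hellman entries above make two points: the algorithm agrees on a secret but does not itself encrypt data, and the CSP either keeps the exchange key value after the handle is destroyed (store and forward) or deletes it (ephemeral). The added example below (not CryptoAPI or CSP code; the `DHParty` class, the toy group and the key-derivation step are assumptions) models both sides of the exchange and both retention behaviours. It uses the small prime 2^127 - 1 only to keep the numbers readable; real deployments use standardized groups of at least 2048 bits.

```python
"""Diffie-Hellman exchange with ephemeral and store-and-forward key handling.

Added example, not CryptoAPI code.  Both parties compute the same secret
from their own private value and the peer's public value; a symmetric key is
then derived from that secret because DH does not encrypt data itself.
"""
import hashlib
import secrets

# Constructed toy group: p = 2**127 - 1 (a Mersenne prime), generator 2.
# Assumption for readability only; use a standardized >= 2048-bit group in practice.
P = (1 << 127) - 1
G = 2
SECRET_BYTES = (P.bit_length() + 7) // 8


class DHParty:
    """One side of the exchange, holding the 'exchange key' like a CSP would."""

    def __init__(self, name: str, ephemeral: bool):
        self.name = name
        self.ephemeral = ephemeral
        self._private = secrets.randbelow(P - 3) + 2       # x in [2, p-2]
        self.public = pow(G, self._private, P)             # g^x mod p, sent to peer

    def compute_shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1: they would force the secret into a tiny set.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        if self._private is None:
            raise RuntimeError(f"{self.name}: exchange key deleted with its handle")
        return pow(peer_public, self._private, P)          # (g^y)^x mod p

    def destroy_handle(self) -> None:
        """Model destroying the key handle: ephemeral forgets, store-and-forward keeps."""
        if self.ephemeral:
            self._private = None


def session_key(shared_secret: int, context: bytes = b"glossary-demo") -> bytes:
    """Derive a 256-bit symmetric key from the agreed secret (DH itself encrypts nothing)."""
    return hashlib.sha256(context + shared_secret.to_bytes(SECRET_BYTES, "big")).digest()


def run_exchange(ephemeral: bool):
    """Both messages of the protocol: A -> B: g^a, B -> A: g^b; then destroy handles."""
    alice = DHParty("alice", ephemeral)
    bob = DHParty("bob", ephemeral)
    key_alice = session_key(alice.compute_shared_secret(bob.public))   # uses msg 2
    key_bob = session_key(bob.compute_shared_secret(alice.public))     # uses msg 1
    alice.destroy_handle()
    bob.destroy_handle()
    return alice, bob, key_alice, key_bob


def can_recompute(party: DHParty, peer_public: int) -> bool:
    """True if the party can still derive the secret after its handle was destroyed."""
    try:
        party.compute_shared_secret(peer_public)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    for mode in (True, False):
        a, b, ka, kb = run_exchange(ephemeral=mode)
        print("ephemeral" if mode else "store-and-forward",
              "keys match:", ka == kb, "recompute after destroy:", can_recompute(a, b.public))
```

The ephemeral variant is the one that gives forward secrecy: once the handles are gone, neither side can recompute the secret, so a later compromise of stored key material does not expose past sessions. The store-and-forward variant keeps that ability on purpose, which is what allows a message to be decrypted later by a recipient who was not online during the exchange.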

digested data

A data content type defined by PKCS #7 that consists of any type of data plus a message hash (digest) of the content.

digital certificate

See certificate.

digital envelope

Private messages encrypted using the recipient's public key. Enveloped messages can only be decrypted by using the recipient's private key, allowing only the recipient to understand the message.

digital signature

Data that binds a sender's identity to the information being sent. A digital signature may be bundled with any message, file, or other digitally encoded information, or transmitted separately. Digital signatures are used in public key environments and provide authentication and integrity services.

Digital Signature Algorithm

(DSA) A public key algorithm specified by Digital Signature Standard (DSS). DSA is only used to generate digital signatures. It cannot be used for data encryption.

digital signature key pair

See signature key pair.

Digital Signature Standard

(DSS) A standard that specifies the Digital Signature Algorithm (DSA) for its signature algorithm and SHA-1 as its message hash algorithm. DSA is a public key cipher that is only used to generate digital signatures and cannot be used for data encryption. DSS is specified by PROV_DSS, PROV_DSS_DH, and PROV_FORTEZZA provider types.

discretionary access control list

(DACL) An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

See also access control list and system access control list.

Distinguished Encoding Rules

(DER) A set of rules for encoding ASN.1-defined data as a stream of bits for external storage or transmission. Every ASN.1 object has exactly one corresponding DER encoding. DER is defined in CCITT Recommendation X.509, Section 8.7. This is one of two encoding methods currently used by CryptoAPI.
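The property that matters in the entry above is that each ASN.1 value has exactly one DER encoding. The added example below (written for this page, not CryptoAPI's CryptEncodeObject or CryptDecodeObject) encodes INTEGER, OCTET STRING and SEQUENCE the way DER requires, lengths in shortest definite form and integers in shortest two's-complement form, and its decoder rejects encodings that break those rules. Rejecting non-canonical input is the defensive point: a "BER-but-not-DER" encoding of the same value is what lets two parsers disagree about one piece of data, which matters when the bytes are later hashed or signed.

```python
"""Minimal DER encoder and strict decoder (added example, not CryptoAPI code).

Covers INTEGER (0x02), OCTET STRING (0x04) and SEQUENCE (0x30).  The decoder
raises DERError for any encoding that is valid BER but not the single DER form.
"""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30   # constructed bit set


class DERError(ValueError):
    """Raised for truncated or non-canonical input."""


def der_length(n: int) -> bytes:
    """Definite length in shortest form: one byte below 128, else 0x80|N + N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # no leading zero bytes
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """INTEGER content is the shortest two's-complement byte string for the value."""
    size = 1
    while True:
        try:
            return der_tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))
        except OverflowError:      # does not fit yet; try one more byte
            size += 1


def der_octet_string(data: bytes) -> bytes:
    return der_tlv(TAG_OCTET_STRING, data)


def der_sequence(*elements: bytes) -> bytes:
    return der_tlv(TAG_SEQUENCE, b"".join(elements))


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos:], enforcing the shortest-length rule."""
    if pos + 2 > len(buf):
        raise DERError("truncated: tag or length missing")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DERError("indefinite or oversized length is not DER")
        if pos + n > len(buf):
            raise DERError("truncated: length bytes missing")
        length_bytes = buf[pos:pos + n]
        pos += n
        if length_bytes[0] == 0:
            raise DERError("length has a leading zero byte (not shortest form)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise DERError("long-form length used where the short form fits")
    if pos + length > len(buf):
        raise DERError("truncated: content missing")
    return tag, buf[pos:pos + length], pos + length


def _decode_value(tag: int, content: bytes):
    if tag == TAG_INTEGER:
        if not content:
            raise DERError("empty INTEGER")
        if len(content) >= 2 and (
            (content[0] == 0x00 and not content[1] & 0x80)
            or (content[0] == 0xFF and content[1] & 0x80)
        ):
            raise DERError("INTEGER not in shortest two's-complement form")
        return int.from_bytes(content, "big", signed=True)
    if tag == TAG_OCTET_STRING:
        return content
    if tag == TAG_SEQUENCE:
        items, pos = [], 0
        while pos < len(content):
            inner_tag, inner, pos = _read_tlv(content, pos)
            items.append(_decode_value(inner_tag, inner))
        return items
    raise DERError(f"unsupported tag 0x{tag:02x}")


def der_decode(buf: bytes):
    """Decode exactly one DER value; trailing bytes are an error."""
    tag, content, end = _read_tlv(buf, 0)
    if end != len(buf):
        raise DERError("trailing bytes after value")
    return _decode_value(tag, content)
```

Round-tripping `der_sequence(der_integer(65537), der_octet_string(b"\x01\x02"))` gives the 11-byte string `30 09 02 03 01 00 01 04 02 01 02`, and feeding the decoder `02 02 00 7f` (the value 127 padded with a needless zero) raises DERError instead of silently returning 127.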

DLL

See dynamic-link library.

DSA

See Digital Signature Algorithm.

DSS

See Digital Signature Standard.

Dynamic Access Control

(DAC) The ability to specify access control policies based on user, device, and resource claims. This makes for more flexible authentication for applications while maintaining security and compliance requirements.

dynamic-link library

(DLL) A file that contains executable routines that can be called from other applications.