K (Security Glossary)



See key certification authority.


See Key Distribution Center.


See key exchange algorithm.

Kerberos protocol

A protocol that defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

key BLOB

A BLOB containing an encrypted private key. Key BLOBs provide a way to store keys outside the CSP. Key BLOBs are created by exporting an existing key from the CSP by calling the CryptExportKey function. Later, the key BLOB can be imported into a provider (often a different CSP on a different computer) by calling the CryptImportKey function. This creates a key in the CSP that is a duplicate of the one that was exported.

See also simple key BLOB, public key BLOB, and private key BLOB.

key BLOB format

The format of the key BLOB when a public or session key is exported from a CSP. The format is specified by the provider type of the exporting CSP. A key BLOB is created by calling CryptExportKey.

See also public key BLOB and simple key BLOB.

key certification authority

(KCA) A trusted entity that typically keeps a secure database of compound messages signed with the KCA's private key. In practical implementations, the compound messages consist of the user's name, the user's public key, and any other important information about the user. When the receiving application gets a signed message from a user, the application can then verify the public key received with the message by comparing it to the public key stored in the KCA database.

key container

A part of the key database that contains all the key pairs (exchange and signature key pairs) belonging to a specific user. Each container has a unique name that is used when calling the CryptAcquireContext function to get a handle to the container.

key database

A database that contains the persistent cryptographic keys for a specific CSP. The database contains one or more key containers, which individually store all the cryptographic key pairs for a specific user.

See also key container.

Key Distribution Center

(KDC) A network service that supplies session tickets and temporary session keys used in the Kerberos V5 authentication protocol. The KDC runs as a privileged process on all domain controllers.

See also Kerberos protocol.

key exchange algorithm

An algorithm used to encrypt and decrypt exchange keys (symmetric session keys). Some common key exchange algorithms include Diffie-Hellman and KEA, the key exchange algorithm specified by a PROV_FORTEZZA provider type. The KEA algorithm is an improved version of the Diffie-Hellman algorithm. Each provider type can specify only one key exchange algorithm.

Key Exchange Algorithm

(KEA) The key exchange algorithm specified by a PROV_FORTEZZA provider type. This algorithm is an improved version of the Diffie-Hellman algorithm.

key exchange certificate

A certificate used to encrypt information sent to another party. The certification authority (CA) key exchange certificate can be used by a client to encrypt information sent to the CA.

key exchange functions

A set of functions used to exchange or transmit keys. Key exchange functions can also be used to implement fully authenticated three-phase key exchanges.

key-exchange key pair

See exchange key pair.

key exchange private key

The private key of an exchange key pair.

See also exchange key pair.

key exchange protocol

A protocol by which two parties exchange information to establish a shared secret. The shared secret is then typically used as a symmetric encryption key.

key exchange public key

The public key of an exchange key pair.

See also exchange key pair.

key generation functions

A set of functions used by applications to generate and customize cryptographic keys. These functions include full support for changing chaining modes, initialization vectors, and other encryption features.

key length

Values specified by some providers that indicate the length of the public/private key pairs and session keys used with that provider.

key pair

A private key and its related public key.

key storage provider

(KSP) An independent software module that implements functionality to create, manage, store, and retrieve private keys.


See key storage provider.