Asymmetric cryptography

Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys (public and private keys) is used to encrypt and decrypt a message so that it arrives securely.

Certification Authority (CA)

Authority which creates the link between a public key and a user in the form of a certificate, and authenticates it with its own digital signature.

Certificate Policy (CP)

Certificate Policies describe the different classes of certificates issued by the CA, the procedures governing their issuance and revocation, the terms of usage of such certificates and, among other things, the rules governing the different uses of these certificates.

Certificate Practice Statement (CPS)

A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates.

Certificate revocation

A process by which a certificate is recognized as invalid (online) when a signature is verified or validated, by means of the CA or replicated information services.
The revocation can be carried out by the participant or his representative. The card issuer, or the CA as certificate issuer, should have a representative function here. The revocation should contain the time and must not have retroactive effect.
SigG has further requirements for revocation management.

Chip card

A chip card, smart card or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Chip cards can provide identification, authentication, data storage and application processing. Chip cards may provide strong security authentication for single sign-on (SSO) within large organizations.

Cryptographic algorithm

Mathematical set of rules for recursively carrying out cryptographic operations (for example encryption, hashing) by means of keys and parameters, based on elementary mathematical functions (such as shift, multiply, create residual value).

Digital signature, now electronic signature

An electronic signature is a cryptographic conversion of data that protects the data against unnoticed falsification (integrity protection).
The process of digital signing is mostly associated with the digital signature, which can be subject to regionally applicable laws. The relevance of these laws is more broadly defined, i.e. it does not comply with the Signature Law.

Directory service

The Corporate Directory is the directory in which user information available throughout the company is recorded. This service aims to issue certificates and provide them throughout the company or to provide part of the information by means of suitable reflection mechanisms (such as name, first name, email and certificate).


Encryption

Encryption prevents unauthorized persons or third parties from utilizing electronic communication. In an encryption scheme, mathematical methods are used to turn data into a readable but unusable form (encrypt). The conversion to the original form (decryption) is reserved only to authorized persons, organizations, procedures or institutions.

Encryption certificate

A certificate is a document which confirms that a public key is bound to information which identifies persons, organizations, procedures or institutions as users of the related private key. In a certificate for a private key this information basically consists of identity data of the key owner. In a certificate for a key without identity link the information identifies for example a department, a function, a server, an IT system, a procedure which is entitled to use the related key.

Hash algorithm

Hashing a document forms a long number (for example 160 bits long) from the document (one-way function). It is highly improbable that different documents have the same hash value (collision-resistant). The hash value is subsequently signed with the private key.
To validate a document, the recipient independently generates a hash value over the document. It is then compared with the hash value found in the document and encrypted by means of the public key of the signer. If both values match, the document was not changed after the signature.
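The hash-then-sign check described in this entry, as an added example that is not part of the original glossary. It uses unpadded textbook RSA over a SHA-256 hash with a constructed key built from two publicly known Mersenne primes, so it shows the flow only; deployed signature schemes add a padding step and use secret primes.

```python
import hashlib

# Constructed demonstration key: two publicly known Mersenne primes as factors.
# Anyone can factor this modulus, so the key is for illustration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (kept by the key holder)


def hash_value(document: bytes) -> int:
    """One-way function: document -> fixed-length number (SHA-256, 256 bits)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer: hash the document, then apply the private key to the hash."""
    return pow(hash_value(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient: recompute the hash independently and compare it with the
    value obtained from the signature using the signer's public key."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == hash_value(document)


# Constructed sample documents: the second differs by a single character.
ORIGINAL = b"Transfer 100 EUR to account 12345"
TAMPERED = b"Transfer 900 EUR to account 12345"
SIGNATURE = sign(ORIGINAL)

if __name__ == "__main__":
    print("original verifies:", verify(ORIGINAL, SIGNATURE))
    print("tampered verifies:", verify(TAMPERED, SIGNATURE))
```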

Key backup

Key backup as an entity in the corporate PKI organization is responsible for the backup of private keys. This component of the PKI takes over, saves and grants access to private keys or enables the requirement for the replacement of original data (Data Recovery). Key backup is only within the company's control.

Key holder

The key holder is the end user who is authorized to hold the private key in the form of a Personal Security Environment (PSE) and is responsible for its correct use. The owner of a personal key pair is always the holder since it is prohibited to pass on the private key.

Key material

The summary of personal key material (Personal Security Environment) and the associated (public) key certificate.  

Key owner

The owner of a key pair is the end user who is responsible for the correct use and integrity of the private key. The owner or issuer (CA) is also responsible for the revocation of the key pair.

Key pair

A pair of a private and a public key which is needed to enable asymmetric cryptography.

Lightweight Directory Access Protocol (LDAP)

LDAP is a TCP/IP-based repository access protocol, which has caught on as a standard solution for secure repository services on the Internet and intranets.

Local Registration Authorities (LRA)

An LRA (Local Registration Authority) is an agent of the Certifying Authority who collects the application forms for Digital Signature Certificates and related documents, does the verification and approves or rejects the application based on the results of the verification process.

Personal key

An asymmetric key pair is a personal key pair if the owner and holder of the associated Personal Security Environment must be the same person and the name of this person has been authenticated in the certificate.


Personalization

The consolidation of personal data and card data.

Personal Security Environment (PSE)

Secure location where a user or component's public-key information is stored. The PSE for a user or component is typically located in a protected directory in the file system or on a smart card. It contains both the public information (public-key certificate and private address book) as well as the private information (private key) for its owner. Therefore, only the owner of the information should be able to access his or her PSE.

PIN, Personal Identity Number

A personal identification number (PIN) is a secret numeric password which an end user needs for authentication in order to gain access to the Personal Security Environment. The PIN aims to protect the confidentiality of the PSE, especially of private keys.

Policy Disclosure Statement (PDS)

Occasionally the so-called Policy Disclosure Statement (PDS) is derived from CPS, when the CPS is not issued.  

Private key

In a symmetrical method, we refer to a secret key which is in the possession of both communicating parties. In an asymmetric method, each participant has a public key and a private key. The private key is used to sign while the function of the public key is to validate the signature.

The relying party can use the private key to decrypt messages encrypted using the public key (see also "Public Key Cryptography").

Public key

The public key is the section of a key pair which is used in asymmetric cryptography and which is accessible to anyone.

Public Key Cryptography (PKC)

Encryption methods in which two different keys are used to encrypt and decrypt a message (hence the term "Asymmetric Cryptography"). In practical terms, one of these keys is published with the identification data of the holder (= public key) while the other is given to the holder in a secure manner, frequently on a smartcard or even generated by the smartcard. One important use of public key cryptography is the electronic signature, in which a document is signed with the private key and the receiver validates the signature by using the public key.

Public Key Infrastructure (PKI)

PKI is the sum of all authorities and procedures necessary for the use of public key cryptography. They are described in a policy.

Public Key Infrastructure (PKI)-Policy

A security concept consists of organizational and technical steps and is generally set out in a security policy. The Public Key Infrastructure is laid down in a PKI policy and describes the organizational regulations, the technical components, and how they interact. The PKI policy is the central document of a PKI and simply defines the level of security of the PKI.
This document describes the handling of key material, irrespective of how it was generated, certified or authenticated, and applies to all participants in the process.

Registration Authority, also Local Registration Authority (LRA)

Entity where the unambiguous determination of the identity of the end user and the issue of key material take place.


Registration

Ascertainment of identity in the personalization process at a (L)RA and the signed transmission of data over a secure channel to the Trust Centre. It must be preceded by an application. The participant in the process for digital signatures is assigned a suitable, unique name.

Relying party

People, organizations, processes and equipment who/which use the certificate and the public key it contains for encryption (before transmitting data) or verification (upon receiving signed data).


Revocation

Certificates can or must in certain cases be revoked by the owners, holders or third parties who do not belong to the company before their validity expires. Possible reasons for revocation are the disclosure of the PSE (Personal Security Environment), theft or loss of the PSE, and all cases in which the misuse of the PSE is suspected. Since revocation can never be rescinded, it permanently prevents the use of this certificate and the associated PSE.
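The revocation rules stated here and under "Certificate revocation" (the revocation carries a time, has no retroactive effect, and can never be rescinded), as an added example that is not part of the original glossary. The class and function names are hypothetical, the sample certificate is constructed, and the signing time is assumed to come from a trustworthy source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime


class RevocationList:
    """Hypothetical in-memory revocation record, keyed by certificate serial."""

    def __init__(self, clock):
        self._clock = clock   # callable returning the current time
        self._revoked = {}    # serial -> time from which the revocation applies

    def revoke(self, serial, effective=None):
        now = self._clock()
        effective = now if effective is None else effective
        if effective < now:
            raise ValueError("revocation must not have retroactive effect")
        # setdefault never overwrites: a revocation cannot be rescinded or re-dated.
        return self._revoked.setdefault(serial, effective)

    def revoked_at(self, serial):
        return self._revoked.get(serial)


def signature_status(cert, crl, signed_at):
    """Classify a signature by its signing time (assumed to be trustworthy)."""
    if not cert.not_before <= signed_at <= cert.not_after:
        return "outside-validity"
    revoked = crl.revoked_at(cert.serial)
    if revoked is not None and signed_at >= revoked:
        return "revoked"
    return "valid"  # signed before the revocation took effect


def demo():
    # Constructed sample data: one certificate, revoked on 2024-06-01.
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cert = Certificate("01", t0 - timedelta(days=100), t0 + timedelta(days=265))
    crl = RevocationList(clock=lambda: t0)
    crl.revoke(cert.serial)
    before = signature_status(cert, crl, t0 - timedelta(days=1))
    after = signature_status(cert, crl, t0 + timedelta(days=1))
    return before, after
```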

Secure Multipurpose Internet Mail Extensions (S/MIME)

Enables emails to be sent and received securely.

Security Policy

Binding document describing the security policy of a company. Possible commercial risks are assessed and measures are defined, if necessary. Risks include both unexpected negative events and unrealized business opportunities. IT security is part of the security policy; PKI policy is also part of the security policy. Accordingly, this document supplements the security policy of the individual enterprise.


Smart card

A plastic card about the size of a credit card, with an embedded microchip that contains a processor, a file system and an operating system. An essential aspect of the operating system is the integrated access protection of data in the file system. Only after a correct PIN has been entered or an authentication has taken place is the respective access status reached, so that the data contained in the corresponding file can be provided externally. The processor also carries out cryptographic arithmetic operations independently.


Trust Centre

Authority whose possible tasks include generating key pairs, the secure storage of key material, and the issue, publishing and revocation of public key certificates. See also "Certification Authority (CA)".

User authentication

Users authenticate themselves to an application in a certificate-based procedure with their PSE instead of an ID and password. A PSE is a personal, electronic security environment in which security-related data, such as a private key, is contained. A PSE is regularly to be found on a chip card, but can also be available as an encrypted file. The PSE is protected by a password, a PIN or by biometric methods (such as fingerprint).

User, cryptographic procedure in the PKI

  • Person (also: end-user): employers, working students, apprentices, consultants (respectively in a company or a business partner).
  • Organization: project groups (in or out of the company), offices, business partner companies etc.
  • Procedure: service, client, server, CA, LRA etc.
  • Installation: computer, router, firewall etc.

Such users are either users of a Personal Security Environment (PSE) or of a certificate, or are themselves the target of an application of certificates.

Verify, Verification, Validation

When a digital signature is verified, an assessment is carried out to see whether the data is unadulterated and was signed by the person, organization, procedure or facility which created the digital signature. See also "Hash Value".