Glossary of Encryption Terminology
Welcome to the Encrypti0n.com glossary: your quick, concise reference to essential cryptographic and encryption terms, clearly explained for easy understanding.
Table of Contents
- AES-GCM (Galois/Counter Mode)
- AEAD (Authenticated Encryption with Associated Data)
- AAD (Associated Data)
- AuthTag (Authentication Tag)
- Tamper-proof
- Nonce
- IV (Initialization Vector)
- AES (Advanced Encryption Standard)
- Symmetric Encryption
- Encryption
- Decryption
- Plaintext
- Ciphertext
- Payload
- Key Material
- DEK (Data Encryption Key)
- KEK (Key Encryption Key)
- Key Wrapping
- Envelope Encryption
- HSM (Hardware Security Module)
- KMS (Key Management System)
- Master Key
- Key Rotation
- Master Password
- KDF (Key Derivation Function)
- Hash Function
- Argon2id
- Argon2 (Key Derivation)
- Memory-hardened
- Salt
- Password Entropy
- Brute-force Attack
- Base64
- Web Crypto API
AEAD (Authenticated Encryption with Associated Data)
An encryption approach (e.g., AES-GCM) that ensures confidentiality, integrity, and authenticity. It authenticates both the ciphertext and optional associated data (AAD), outputting an AuthTag.
IV (Initialization Vector)
A per-message value used to randomize encryption. In AES-GCM, the IV/nonce need not be secret, but it must be unique for every message encrypted under the same key to maintain security.
AES (Advanced Encryption Standard)
A widely used symmetric cipher that encrypts data with 128-, 192-, or 256-bit keys. Modes like GCM add authentication.
Symmetric Encryption
Encryption where the same secret key is used for both encryption and decryption, e.g., AES in GCM mode.
Encryption
The process of transforming plaintext into ciphertext using a key, to protect data from unauthorized access.
Decryption
The reverse of encryption, converting ciphertext back to plaintext using the correct key (and validating the AuthTag in AES-GCM).
Plaintext
Original, readable data before encryption—sometimes called cleartext.
Payload
The data being protected (e.g., a file’s contents). It usually refers to the plaintext before encryption or the protected ciphertext after encryption.
Key Material
Any secret bits used as cryptographic keys. In this glossary, it includes DEKs, KEKs, and higher-level keys such as a Master Key.
DEK (Data Encryption Key)
A symmetric key that encrypts the actual data (payload). A DEK is often wrapped by a KEK using key wrapping.
Key Wrapping
The process of encrypting one key (e.g., a DEK) with another (a KEK) for secure transport or storage—central to envelope encryption.
Envelope Encryption
A design where the data is encrypted with a DEK, and that DEK is wrapped with a KEK via key wrapping. The wrapped DEK is stored with the ciphertext; an HSM/KMS protects the KEK.
HSM (Hardware Security Module)
A dedicated hardware device for secure key generation, storage, and use. Often safeguards KEKs and a Master Key and enforces key rotation policies.
Key Rotation
The periodic replacement of cryptographic keys (DEKs, KEKs, Master Keys) to reduce exposure. Often orchestrated by a KMS or enforced by an HSM.
KDF (Key Derivation Function)
A function that derives strong cryptographic keys from secrets (e.g., a master password), using a salt and substantial work (time/memory). Many KDFs use a hash function or cipher primitives.
Hash Function
A one-way function that maps data to a fixed-size digest, with properties like preimage and collision resistance. Used for integrity checks and inside some KDFs.
Argon2id
The recommended variant of Argon2 for password-based key derivation. It blends data-independent and data-dependent memory access to resist side-channel and GPU/ASIC attacks.
Argon2 (Key Derivation)
A family of KDFs that are memory-hardened. With a salt and tunable time/memory/parallelism, Argon2 thwarts large-scale brute-force attempts.
Memory-hardened
Describes algorithms (e.g., Argon2) engineered to require significant memory, increasing cost for parallel cracking on GPUs/ASICs.
Salt
Random, per-password value added to KDF inputs to prevent precomputed and shared-work attacks, ensuring unique outputs even for identical passwords.
Password Entropy
A measure (in bits) of a password’s unpredictability based on length and character set. Higher entropy resists brute-force guessing.
Brute-force Attack
Systematically trying all possibilities to recover a password or key. Practicality is reduced by high entropy and KDF costs (e.g., Argon2id).
Base64
An encoding that represents binary data (ciphertexts, nonces, wrapped keys) as ASCII text. It is not encryption.
Web Crypto API
A browser API that provides primitives like AES-GCM, key wrapping, and KDF operations for building secure, in-browser cryptography.