Argon2
Argon2 Key Derivation Function
The winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU cracking attacks.
Certificate Pinning
TLS Certificate Pinning
A technique that associates a host with its expected certificate, preventing man-in-the-middle attacks with forged certificates.
Checksum
Checksum (Data Integrity Verification)
A value computed from a block of data with a specific algorithm, serving as a fingerprint to verify that the data was not corrupted or tampered with during storage or transmission.
Clickjacking
UI Redress Attack
An attack that tricks users into clicking hidden elements by overlaying invisible frames on top of legitimate page content.
CSRF
Cross-Site Request Forgery
An attack tricking an authenticated user into submitting unintended requests to a web application.
CVE
Common Vulnerabilities and Exposures
A standardized catalog of publicly known security vulnerabilities, each assigned a unique CVE-YYYY-NNNNN identifier.
DDoS
Distributed Denial of Service
An attack that overwhelms a server or network with traffic from many distributed sources, making it unavailable to legitimate users.
Entropy
Password Entropy
A measure of randomness or unpredictability in a password, expressed in bits, indicating resistance to guessing.
PGP
PGP (Pretty Good Privacy)
An encryption system that combines symmetric and asymmetric encryption, built on a decentralized web-of-trust model, providing confidentiality, authentication, and integrity protection for email, files, and data.
TOTP
Time-based One-Time Password
A temporary passcode generated from a shared secret and the current time, used in two-factor authentication.
RSA
RSA (Rivest-Shamir-Adleman)
A widely used asymmetric encryption algorithm based on the mathematical difficulty of factoring large primes, enabling secure key exchange, digital signatures, and encrypted communication without a pre-shared key.
SSL/TLS
SSL/TLS (Secure Sockets Layer / Transport Layer Security)
Cryptographic protocols that secure Internet communication by encrypting data between a client (browser) and a server, authenticating the server, and ensuring the integrity of data in transit.
Steganography
Steganography (Hidden Data Embedding)
The technique of concealing a message or data inside a normal-looking file (such as an image, audio, or video) so that the existence of the hidden information is not apparent to a casual observer.
Password Hashing
Password Hashing (Secure Credential Storage)
The process of converting a plaintext password into a fixed-length, irreversible hash value for storage, so that the original passwords cannot easily be recovered even if the database is breached.
QR Code
QR Code (Quick Response Code)
A two-dimensional barcode made of black and white square modules arranged on a grid, encoding text, URLs, contact information, or other data, readable by smartphone cameras and dedicated scanners.
HMAC
HMAC (Hash-based Message Authentication Code)
A specific construction that combines a cryptographic hash function with a secret key to create a message authentication code, verifying both the integrity and the authenticity of a message.
Key Derivation
Key Derivation Function
A function that derives one or more secret keys from a password or passphrase using a pseudorandom function.
Salt
Cryptographic Salt
Random data added to a password before hashing to ensure identical passwords produce different hashes.
Public Key
Public Key Cryptography
A cryptographic system using paired keys where the public key encrypts and only the private key can decrypt.
XSS
Cross-Site Scripting
An attack injecting malicious scripts into web pages viewed by other users, stealing data or session tokens.
OWASP Top 10
OWASP Top Ten Web Risks
A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project.
SQL Injection
SQL Injection Attack
Inserting malicious SQL code into application queries to access, modify, or delete database data.
Command Injection
OS Command Injection
An attack passing arbitrary operating system commands through a vulnerable application to the host system.
Path Traversal
Directory Traversal Attack
Exploiting insufficient input validation to access files outside the intended directory using ../ sequences.
Penetration Testing
Penetration Testing (Pentest)
Simulating real-world attacks against a system to identify security vulnerabilities before malicious actors do.
Threat Modeling
Security Threat Modeling
A structured process for identifying potential threats, attack vectors, and mitigations during system design.
Defense in Depth
Defense in Depth Strategy
A security approach using multiple layers of protection so that if one layer fails, others still provide defense.
Insecure Deserialization
A vulnerability where untrusted data is deserialized without validation, potentially enabling remote code execution.
XXE
XML External Entity Attack
An attack exploiting XML parsers to access local files, perform SSRF, or cause denial of service via entity expansion.
SRI
Subresource Integrity
An HTML attribute providing a cryptographic hash to verify that fetched resources have not been tampered with.
CORS Misconfiguration
CORS Security Misconfiguration
Overly permissive CORS headers allowing unauthorized origins to read sensitive API responses in the browser.
Sensitive Data Exposure
A vulnerability where applications fail to adequately protect sensitive data like passwords, tokens, or PII in transit or at rest.
HSTS
HTTP Strict Transport Security
An HTTP header instructing browsers to only connect via HTTPS, preventing protocol downgrade attacks.
Zero-Day
Zero-Day Vulnerability
A software vulnerability unknown to the vendor and without a patch, actively exploited before a fix is available.
SSRF
Server-Side Request Forgery
An attack making the server send requests to unintended internal or external resources on behalf of the attacker.
RBAC
Role-Based Access Control
An authorization model that assigns permissions to roles rather than individual users, simplifying access management at scale.
PKI
Public Key Infrastructure
A framework of certificate authorities, digital certificates, and key pairs that enables secure encrypted communication and identity verification.
WAF
Web Application Firewall
A security layer that filters HTTP traffic between a web application and the internet, blocking common attacks like SQL injection and XSS.
Nonce
Number Used Once
A random or sequential value used exactly once in cryptographic operations to prevent replay attacks and ensure message freshness.
E2EE
End-to-End Encryption
A communication system where only the sender and recipient can read messages, with encryption keys never accessible to intermediary servers.
FIDO2
Fast Identity Online 2
An authentication standard enabling passwordless login through hardware security keys or biometrics using public key cryptography.
Sandbox
Security Sandbox
An isolated execution environment that restricts a program's access to system resources, limiting the impact of malicious code.
SHA-256
SHA-256 (Secure Hash Algorithm, 256-bit)
A cryptographic hash function that produces a fixed 256-bit (32-byte) digest from input of any length, widely used for data integrity verification, digital signatures, blockchains, and password storage.
AES
AES (Advanced Encryption Standard)
The most widely used symmetric encryption algorithm, adopted as a standard by the US government (NIST) in 2001. AES encrypts fixed 128-bit data blocks using 128-, 192-, or 256-bit keys.
2FA
Two-Factor Authentication
A security process requiring two distinct forms of identification — typically a password and a code from a separate device.