Recently updated

An active attack on the data integrity of cipher text, effected by replacing sections of cipher text with other cipher text, such that the result appears to decrypt correctly but actually decrypts to plain text that is forged to the satisfaction of the attacker.

A centralized, key distribution process (used in symmetric cryptography), usually a separate computer system, that uses master keys (i.e., KEKs) to encrypt and distribute session keys needed by a community of users.

A passive information system related entity containing or receiving information.

The total capacity of a link to carry information; usually expressed in bits per second. (RFC 3753) (Compare: bandwidth.)

A mechanism [R2195], intended for use with IMAP4 AUTHENTICATE, by which an IMAP4 client uses a keyed hash [R2104] to authenticate itself to an IMAP4 server. (See: POP3 APOP.)

A character string that (a) may be a part of the X.500 DN of a Directory object ("commonName" attribute), (b) is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization), and (c) conforms to the naming conventions of the country or culture with which it is associated. [X520] (See: "subject" and "issuer" under "X.509 public key certificate".)

Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. (See: ciphertext. Compare: clear text, plain text.)

A trusted online server that acts for a CA to provide authenticated certificate status information to certificate users [FPKI]. Offers an alternative to issuing a CR. (See: certificate revocation tree, OCSP.)

See: Information Assurance Technical Framework.

Synonym for "identifier".

A type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve, where the curve is defined by a quadratic equation in a finite field. [Schn]

See: Computer Security Objects Register.

A generic term encompassing decode and decipher.

A type of network based attack method that does not require the attacking entity to receive data traffic from the attacked entity; i.e., the attacker does not need to "see" data packets sent by the victim. Example: SYN flood.

Synonym for "guard".

An action, device, procedure, or technique used by an attacker to offset a defensive countermeasure.

See: Global Information Grid.

A process or subsystem, implemented in software or hardware, that automates the tasks of (a) monitoring events that occur in a computer network and (b) analyzing them for signs of security problems. [SP31] (See: intrusion detection.)

Protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other.

"A (mathematical) function, f, [that] is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult." [X509]

A PKI operated by the U.S. Government's General Services Administration in cooperation with industry partners. (See: CAM.)

"The property of a system that is guaranteed as the result of formal verification activities." [Huff] (See: correctness proof, verification.)

See: secondary definition under "stream integrity service".

Abbreviation of "Europay, MasterCard, Visa". Refers to a specification for smart cards that are used as payment cards, and for related terminals and applications. [EMV1, EMV2, EMV3]

An identifier that is defined for a nation by ISO. [I3166]

An organizational entity responsible for assigning DNs and for assuring that each DN is meaningful and unique within its domain. [DoD9]

A computer that implements all seven layers of the OSIRM and may attach to a subnetwork. Usage: In the IPS context, an end system is called a "host".

Refers to administrative security, personnel security, and physical security. (Compare: internal controls.)

See: "International Committee for Information Technology Standardization" under "ANSI".

A set of entities that operate under a common security policy. (Compare: domain.)

See: Internet Protocol Security Option.

A system of symbols used to represent information, which might originally have some other representation. Examples: ASCII, BER, country code, Morse code. (See: encode, object code, source code.)

See: Digital Signature Standard.

See: Internet Security Association and Key Management Protocol.

See: electronic data interchange.

A computer that maintains a database (possibly in the form of an access control matrix) defining the security policy for an access control service, and that acts as a server for clients requesting access control decisions.

A branching, hierarchical data structure that is used to represent events and to determine the various combinations of component failures and human acts that could result in a specified undesirable system event. (See: attack tree, flaw hypothesis methodology.)

A computation that is part of a mechanism to provide data integrity service or data origin authentication service. (Compare: checksum.)

A digital certificate that is issued to a cardholder upon approval of the cardholder's issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]

A threat to a system for which there is no corresponding vulnerability and, therefore, no implied risk.

Stepwise (link by link) protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnetwork relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (Compare: end to end encryption.)

The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin authentication.

See: Internet Message Access Protocol, version 4.

Storage media that, once written into, provide stable storage of information without an external power supply. (Compare: permanent storage, volatile media.)

A denial of service (DoS) attack attempts to make a system or network unavailable to legitimate users.

A cipher that is defined for an alphabet of N characters, A(1), A(2), ..., A(N), and creates cipher text by replacing each plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]

An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.

Refers to one of three types of IP security options, which are fields that may be added to an IP datagram for carrying security information about the datagram. (Compare: IPsec.)

An ISAKMP/IKE domain of interpretation for group key management; i.e., a phase 2 protocol in ISAKMP. [R3547] (See: secure multicast.)

See: POP3 AUTH.