Recently updated
Published entries ordered by most recent updates.
A block cipher mode [SP38C] that provides both data confidentiality and data origin authentication, by combining the techniques of CTR and a CBC-based message authentication code. (See: block cipher.)
- ACRONYM: L2F
See: Layer 2 Forwarding Protocol.
A security service that protects data against unauthorized disclosure. (See: access control, data confidentiality, datagram confidentiality service, flow control, inference control.)
See: Tutorial under "Trusted Computer System Evaluation Criteria".
See: secondary definition under "IPSO".
- TERM: BLACK key
A key that is protected with a key-encrypting key and that must be decrypted before use. (See: BLACK. Compare: RED key.)
- TERM: mesh PKI
A non-hierarchical PKI architecture in which there are several trusted CAs rather than a single root. Each certificate user bases path validations on the public key of one of the trusted CAs, usually the one that issued that user's own public-key certificate. Rather than having superior-to-subordinate relationships between CAs, the relationships are peer-to-peer, and CAs issue cross-certificates to each other. (Compare: hierarchical PKI, trust-file PKI.)
- TERM: filtering router
An internetwork router that selectively prevents the passage of data packets according to a security policy. (See: guard.)
- TERM: emergency plan
Synonym for "contingency plan".
- TERM: accreditation
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
A registered trademark of NSA, used for a family of interoperable security products that implement a NIST/NSA-approved suite of cryptographic algorithms for digital signature, hash, encryption, and key exchange. The products include a PC card (which contains a CAPSTONE chip), and compatible serial port modems, server boards, and software implementations.
A methodology, language, and integrated set of software tools developed at the University of Texas for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]
A comprehensive defense posture and response based on the status of information systems, military operations, and intelligence assessments of adversary capabilities and intent. (See: threat)
A U.S. DoD organization, housed in NSA, that has responsibility for encouraging widespread availability of trusted systems throughout the U.S. Federal Government. It has established criteria for, and performed evaluations of, computer and network systems that have a TCB. (See: Rainbow Series, TCSEC.)
- ACRONYM: IV
See: initialization value.
- ACRONYM: DAC
See: Data Authentication Code, discretionary access control.
- TERM: fail-secure
A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). (See: failure control. Compare: fail-safe.)
Final destination device into which a key is loaded for operational use.
- TERM: filter
Synonym for "guard". (Compare: content filter, filtering router.)
- TERM: cryptovariable
Synonym for "key".
- TERM: Draft Standard
See: secondary definition under "Internet Standard".
Monitoring for unauthorized transfers of sensitive information and other communications that originate inside a system's security perimeter and are directed toward the outside; i.e., roughly the opposite of "intrusion detection".
- TERM: key length
The number of symbols (usually stated as a number of bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)
- TERM: authenticate
Verify (i.e., establish the truth of) an attribute value claimed by or for a system entity or system resource. (See: authentication, validate vs. verify, "relationship between data integrity service and authentication services" under "data integrity service".)
- TERM: fresh
Recently generated; not replayed from some earlier interaction of the protocol.
A list that identifies keys for which unauthorized disclosure or alteration may have occurred. (See: compromise.)
The necessity for access to, knowledge of, or possession of specific information required to carry out official duties.
- TERM: key recovery
A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis, recovery.)
- TERM: code book
Document containing a systematically arranged list of plaintext units and their ciphertext equivalents. [C4009]
- TERM: key validation
"The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks." [A9042] (See: weak key)
- ACRONYM: CHAP
See: Challenge Handshake Authentication Protocol.
- TERM: handle
Perform processing operations on data, such as receive and transmit, collect and disseminate, create and delete, store and retrieve, read and write, and compare. (See: access.)
- TERM: certificate path
Synonym for "certification path".
- TERM: digital notary
An electronic functionary analogous to a notary public. Provides a trusted timestamp for a digital document, so that someone can later prove that the document existed at that point in time; verifies the signature(s) on a signed document before applying the stamp. (See: notarization.)
- TERM: aggregation
A circumstance in which a collection of information items is required to be classified at a higher security level than any of the items is classified individually. (See: classification.)
- TERM: certificate
A document that attests to the truth of something or the ownership of something.
- TERM: accountability
The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
An Internet client-server protocol (RFC 3377) that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP).
- TERM: extension
A data item or a mechanism that is defined in a protocol to extend the protocol's basic or original functionality.
- TERM: CA domain
A security policy domain that "consists of a CA and its subjects [i.e., the entities named in the certificates issued by the CA]. Sometimes referred to as a PKI domain." [PAG] (See: domain.)
A data confidentiality service that preserves the confidentiality of data in a single, independent, packet; i.e., the service applies to datagrams one at a time. Example: ESP. (See: data confidentiality.)
- ACRONYM: ISOC
See: Internet Society.
A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.
Synonym for the "subject" of a digital certificate. (Compare: certificate holder, certificate user.)
A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity. (See: covert channel.)
A key agreement method [SKIP, R2773] that is based on the Diffie-Hellman-Merkle algorithm and uses 1024-bit asymmetric keys. (See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)
A technique that disperses a single, logically related set of tasks among a group of geographically separate yet cooperating computers. (See: distributed attack.)
- TERM: billet
"A personnel position or assignment that may be filled by one person." [JCP1] (Compare: principal, role, user.)
- TERM: certificate user
A system entity that depends on the validity of information (such as another entity's public key value) provided by a digital certificate. (See: relying party. Compare: /digital certificate/ subject.)
The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system. (See: administrative security, harden, trusted distribution.)