SynAc
Discovery

Recently updated

Published entries ordered by most recent updates.

  1. NCSC (Jan 06, 2026)

    See: National Computer Security Center.

  2. credential (Jan 06, 2026)

    "identifier credential": A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system. Example: X.509 public key certificate. (See: anonymous credential.)

  3. key management (Jan 06, 2026)

    The process of handling keying material during its life cycle in a cryptographic system; and the supervision and control of that process. (See: key distribution, key escrow, keying material, public key infrastructure.)

  4. Proprietary variants of "meta data". (See: SPAM(trademark).)

  5. A mode of system operation wherein (a) two or more security levels of information are allowed to be handled concurrently within the same system when some users having access to the system have neither a security clearance nor need to know for some of the data handled by the system and (b) separation of the users and the classified material on the basis, respectively, of clearance and classification level is dependent on operating system control. (See: /system operation/ under "mode", need to know, protection level, security clearance. Compare: controlled mode.)

  6. Hash Function (Jan 06, 2026)

    A hash function maps input data to a fixed-size output (digest) and is commonly used for integrity checks.

  7. Anderson report (Jan 06, 2026)

    A 1972 study of computer security that was written by James P. Anderson for the U.S. Air Force [Ande].

  8. A credential that (a) can be used to authenticate a person as having a specific attribute or being a member of a specific group (e.g., military veterans or U.S. citizens) but (b) does not reveal the individual identity of the person that presents the credential. [M0404] (See: anonymity.)

  9. A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].

  10. host (Jan 06, 2026)

    A computer that is attached to a communication subnetwork or internetwork and can use services provided by the network to exchange data with other attached systems. (See: end system. Compare: server.)

  11. out-of-band (Jan 06, 2026)

    Information transfer using a channel or method that is outside (i.e., separate from or different from) the main channel or normal method.

  12. HMAC (Jan 06, 2026)

    A keyed hash [R2104] that can be based on any iterated cryptographic hash (e.g., MD5 or SHA-1), so that the cryptographic strength of HMAC depends on the properties of the selected cryptographic hash. (See: [R2202, R2403, R2404].)

  13. An Internet Standard protocol [R2743] that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies, thus enabling the application source code to be ported to different environments. (Compare: EAP, SASL.)

  14. BLACK/Crypto/RED (Jan 06, 2026)

    An experimental, end-to-end, network packet encryption system developed in a working prototype form by BBN and the Collins Radio division of Rockwell Corporation in the 1975-1980 time frame for the U.S. DoD. BCR was the first network security system to support TCP/IP traffic, and it incorporated the first DES chips that were validated by the U.S. National Bureau of Standards (now called NIST). BCR also was the first to use a KDC and an ACC to manage connections.

  15. community risk (Jan 06, 2026)

    Probability that a particular vulnerability will be exploited within an interacting population and adversely affect some members of that population. [C4009] (See: Morris worm, risk.)

  16. Ability of cryptographic equipment to resist efforts to extract keying material directly from the equipment (as opposed to gaining knowledge of keying material by cryptanalysis). [C4009]

  17. A mechanism to verify the identity of an entity by means of information exchange.

  18. CMA (Jan 06, 2026)

    See: certificate management authority.

  19. CIAC (Jan 06, 2026)

    See: Computer Incident Advisory Capability.

  20. MIC (Jan 06, 2026)

    See: message integrity code.

  21. A predefined package of assurance components that represents a point on the Common Criteria's scale for rating confidence in the security of information technology products and systems.

  22. certificate update (Jan 06, 2026)

    The act or process by which non-key data items bound in an existing public key certificate, especially authorizations granted

  23. duty (Jan 06, 2026)

    An attribute of a role that obligates an entity playing the role to perform one or more tasks, which usually are essential for the functioning of the system. [Sand] (Compare: authorization, privilege. See: role, billet.)

  24. no-lone zone (Jan 06, 2026)

    A room or other space or area to which no person may have unaccompanied access and that, when occupied, is required to be occupied by two or more appropriately authorized persons. [C4009] (See: dual control.)

  25. The digits of a credit card number that identify the issuing bank. (See: primary account number.)

  26. CAST (Jan 06, 2026)

    A design procedure for symmetric encryption algorithms, and a resulting family of algorithms, invented by Carlisle Adams (C.A.) and Stafford Tavares (S.T.). [R2144, R2612]

  27. hacker (Jan 06, 2026)

    An unauthorized user who attempts to or gains access to an information system.

  28. content filter (Jan 06, 2026)

    Application software used to prevent access to certain Web servers, such as by parents who do not want their children to access pornography. (See: filter, guard.)

  29. frequency hopping (Jan 06, 2026)

    Repeated switching of frequencies during radio transmission according to a specified algorithm. [C4009] (See: spread spectrum.)

  30. keying material (Jan 06, 2026)

    Data that is needed to establish and maintain a cryptographic security association, such as keys, key pairs, and IVs.

  31. A security label that tells the degree of harm that will result from unauthorized disclosure of the labeled data, and may also tell what countermeasures are required to be applied to protect the data from unauthorized disclosure. Example: IPSO. (See: classified, data confidentiality service. Compare: integrity label.)

  32. computer network (Jan 06, 2026)

    A collection of host computers together with the subnetwork or internetwork through which they can exchange data.

  33. An algorithm [R2410] that is specified as doing nothing to transform plaintext data; i.e., a no-op. It originated because ESP always specifies the use of an encryption algorithm for confidentiality. The NULL encryption algorithm is a convenient way to represent the option of not applying encryption in ESP (or in any other context where a no-op is needed). (Compare: null.)

  34. nonce (Jan 06, 2026)

    A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing liveness and thus detecting and protecting against replay attacks. (See: fresh.)

  35. The existence of a covert storage channel in a communications channel may release information which can be of significant use to attackers.

  36. declassify (Jan 06, 2026)

    To officially remove the security level designation of a classified information item or information type, such that the information is no longer classified (i.e., becomes unclassified). (See: classified, classify, security level. Compare: downgrade.)

  37. FTP (Jan 06, 2026)

    See: File Transfer Protocol.

  38. Ina Jo (Jan 06, 2026)

    A methodology, language, and integrated set of software tools developed at the System Development Corporation for specifying, coding, and verifying software to produce correct and reliable programs. Usage: a.k.a. the Formal Development Methodology. [Cheh]

  39. An independent, non-profit organization, based in France, that is officially recognized by the European Commission and responsible for standardization of information and communication technologies within Europe.

  40. constraint (Jan 06, 2026)

    A limitation on the function of an identity, role, or privilege. (See: rule-based access control.)

  41. cryptosystem (Jan 06, 2026)

    Contraction of "cryptographic system".

  42. A cryptanalysis technique in which the analyst tries to determine the key from knowledge of cipher text that corresponds to plain text selected (i.e., dictated) by the analyst.

  43. default account (Jan 06, 2026)

    A system login account (usually accessed with a user identifier and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service. (See: harden.)

  44. baggage (Jan 06, 2026)

    An "opaque encrypted tuple, which is included in a SET message but appended as external data to the PKCS-encapsulated data. This avoids superencryption of the previously encrypted tuple, but guarantees linkage with the PKCS portion of the message." [SET2]

  45. A security service that provides protection against false denial of involvement in an association (especially a communication association that transfers data). (See: repudiation, time stamp.)

  46. The U.S. Government standard [FP186] that specifies the DSA.

  47. A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

  48. DKIM (Jan 06, 2026)

    See: Domain Keys Identified Mail.

  49. encipherment (Jan 06, 2026)

    Synonym for "encryption".

  50. See: Tutorial under "Trusted Computer System Evaluation Criteria".