Recently updated
Published entries ordered by most recent updates.
Synonym for "certification authority".
- ACRONYM ACES
See: Access Certificate for Electronic Services.
The act or process by which the validity of the binding asserted by an existing public key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)
"Interoperable collection of systems developed by ... the U.S. Government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic keying material and the management of other types of COMSEC material." [C4009]
See: Tutorial under "Trusted Computer System Evaluation Criteria".
- TERM off-line attack
See: secondary definition under "attack".
- ACRONYM NSA
See: National Security Agency.
An Internet protocol [R1848] that applies end-to-end encryption and digital signature to MIME message content, using symmetric cryptography for encryption and asymmetric cryptography for key distribution and signature. MOSS is based on features and specifications of PEM. (See: S/MIME.)
- TERM cryptanalysis
The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without an initial knowledge of the key employed in providing the protection.
- ACRONYM CAW
See: certification authority workstation.
- TERM ephemeral
Refers to a cryptographic key or other cryptographic parameter or data object that is short-lived, temporary, or used one time. (See: session key. Compare: static.)
- ACRONYM CSIRT
See: computer security incident response team.
A security model [BN89] to enforce the Chinese wall policy. (Compare: Bell-LaPadula model, Clark-Wilson model.)
An access control service that (a) enforces a security policy based on the identity of system entities and the authorizations associated with the identities and (b) incorporates a concept of ownership in which access rights for a system resource may be granted and revoked by the entity that owns the resource. (See: access control list, DAC, identity-based security policy, mandatory access control.)
Refers to materiel that is authorized and available to combat, combat support, combat service support, and combat readiness training forces to accomplish their assigned missions. [JP1] (Compare: mission critical.)
- TERM cryptoperiod
The time span during which a particular key value is authorized to be used in a cryptographic system. (See: key management.)
System capabilities, or performance of system functions, that are needed either (a) to securely manage a system or (b) to manage security features of a system. (Compare: operations security (OPSEC).)
Information that is classified but is not required to be protected by an SAP. (See: /U.S. Government/ classified.)
The act or process by which an existing public key certificate has its key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)
- TERM authorized user
A system entity that accesses a system resource for which the entity has received an authorization. (Compare: insider, outsider, unauthorized user.)
An X.509-compliant CA that is the top CA of the Internet certification hierarchy operated under the auspices of the ISOC [R1422]. (See: /PEM/ under "certification hierarchy".)
- TERM Orange Book
Synonym for "Trusted Computer System Evaluation Criteria" [CSC1, DoD1].
- ACRONYM CKL
See: compromised key list.
- TERM OSI, OSIRM
See: Open Systems Interconnection Reference Model.
- TERM Authorization
Authorization is the process of determining what an authenticated principal is permitted to do.
- ACRONYM DEA
See: Data Encryption Algorithm.
- TERM Blowfish
A symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA. [Schn] (See: Twofish.)
- ACRONYM EUCI
See: endorsed for unclassified cryptographic item.
- TERM audit trail
See: security audit trail.
"Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product." [C4009]
- TERM capability token
A token (usually an unforgeable data object) that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource indicated by the token. (See: attribute certificate, capability list, credential, digital certificate, ticket, token.)
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
A standard for representing ASN.1 data types as strings of octets. [X690] (See: Distinguished Encoding Rules.)
- TERM bind
To inseparably associate by applying some security mechanism.
- TERM attack
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
- ACRONYM FEAL
A family of symmetric block ciphers that was developed in Japan; uses a 64-bit block, keys of either 64 or 128 bits, and a variable number of rounds; and has been successfully attacked by cryptanalysts. [Schn]
- ACRONYM EES
See: Escrowed Encryption Standard.
- TERM one-time pad
A manual encryption system in the form of a paper pad for one-time use.
- ACRONYM CRC
See: cyclic redundancy check.
"The assurance of the legitimate participants in a key agreement [i.e., in a key agreement protocol] that no non-legitimate party possesses the shared symmetric key." [A9042]
A certificate that is intended for use with both digital signature and data encryption services. [SP32]
- ACRONYM ACL
A list of entities, together with their access rights, that are authorized to have access to a resource.
The principle that a security mechanism should be designed to be as simple as possible, so that (a) the mechanism can be correctly implemented and (b) it can be verified that the operation of the mechanism enforces the system's security policy. (Compare: economy of alternatives, least privilege.)
- TERM archive
A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (Compare: backup, repository.)
- ACRONYM CAPI
See: cryptographic application programming interface.
A checksum designed to detect, but not correct, accidental (i.e., unintentional) changes in data.
A U.S. Government standard [FP046] that specifies the DEA and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES.)
UTC is derived from International Atomic Time (TAI) by adding a number of leap seconds. The International Bureau of Weights and Measures computes TAI once each month by averaging data from many laboratories. (See: GeneralizedTime, UTCTime.)
- TERM liveness
A property of a communication association or a feature of a communication protocol that provides assurance to the recipient of data that the data is being freshly transmitted by its originator, i.e., that the data is not being replayed, by either the originator or a third party, from a previous transmission. (See: fresh, nonce, replay attack.)
- TERM control zone
"The space, expressed in feet of radius, surrounding equipment processing sensitive information, that is under sufficient physical and technical control to preclude an unauthorized entry or compromise." [NCSSG] (Compare: inspectable space, TEMPEST zone.)