Recently updated
Published entries ordered by most recent updates.
- data security (Jan 06, 2026)
The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.
- certification (Jan 06, 2026)
Comprehensive evaluation (usually made in support of an accreditation action) of an information system's technical security features and other safeguards to establish the extent to which the system's design and implementation meet a set of specified security requirements. [C4009, FP102, SP37] (See: accreditation. Compare: evaluation.)
- domain (Jan 06, 2026)
An environment or context that (a) includes a set of system resources and a set of system entities that have the right to access the resources and (b) usually is defined by a security policy, security model, or security architecture. (See: CA domain, domain of interpretation, security perimeter. Compare: COI, enclave.)
- Audio Capture (Jan 06, 2026)
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. (Citation: ESET Attor Oct 2019)
- MD2 (Jan 06, 2026)
A cryptographic hash [R1319] that produces a 128-bit hash result, was designed by Ron Rivest, and is similar to MD4 and MD5 but slower.
- KDC (Jan 06, 2026)
See: Key Distribution Center.
- data compromise (Jan 06, 2026)
A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information might have occurred. (Compare: security compromise, security incident.)
- NRIC (Jan 06, 2026)
See: Network Reliability and Interoperability Council.
- brute force (Jan 06, 2026)
A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries a large number of possible solutions to the problem. (See: impossible, strength, work factor.)
- ALC (Jan 06, 2026)
See: accounting legend code.
- bump-in-the-wire (Jan 06, 2026)
An implementation approach that places a network security mechanism outside of the system that is to be protected. (Compare: bump in the stack.)
- GeneralizedTime (Jan 06, 2026)
The ASN.1 data type "GeneralizedTime" (ISO 8601) contains a calendar date (YYYYMMDD) and a time of day, which is either (a) the local time, (b) the Coordinated Universal Time, or (c) both the local time and an offset that enables Coordinated Universal Time to be calculated. (See: Coordinated Universal Time. Compare: UTCTime.)
- domain of interpretation (Jan 06, 2026)
A DOI for ISAKMP or IKE defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. Example: See [R2407].
- cryptographic (Jan 06, 2026)
An adjective that refers to cryptography.
- Point & Tag Identification (Jan 06, 2026)
Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience.
- certificate profile (Jan 06, 2026)
A specification (e.g., [DoD7, R3280]) of the format and semantics of public-key certificates or attribute certificates, constructed for use in a specific application context by selecting from among options offered by a broader standard. (Compare: protection profile.)
- entropy (Jan 06, 2026)
An information-theoretic measure (usually stated as a number of bits) of the amount of uncertainty that an attacker faces to determine the value of a secret. [SP63] (See: strength.)
- CIK (Jan 06, 2026)
See: cryptographic ignition key.
- authorization credential (Jan 06, 2026)
See: /access control/ under "credential".
- lattice (Jan 06, 2026)
A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.
- key space (Jan 06, 2026)
The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)
- certificate holder (Jan 06, 2026)
Synonym for the "subject" of a digital certificate. (Compare: certificate owner, certificate user.)
- Defense Information Systems Network (Jan 06, 2026)
The U.S. DoD's consolidated, worldwide, enterprise-level telecommunications infrastructure that provides end-to-end information transfer for supporting military operations; a part of the DII. (Compare: GIG.)
- DMZ (Jan 06, 2026)
See: demilitarized zone.
- mobile code (Jan 06, 2026)
Software that originates from a remote server, is transmitted across a network, and is loaded onto and executed on a local client system without explicit initiation by the client's user and, in some cases, without that user's knowledge. (Compare: active content.)
- IP Security Protocol (Jan 06, 2026)
The name of the IETF working group that is specifying an architecture [R2401, R4301] and set of protocols to provide security services for IP traffic. (See: AH, ESP, IKE, SAD, SPD. Compare: IPSO.)
- direct attack (Jan 06, 2026)
See: secondary definition under "attack". (Compare: indirect attack.)
- Escrowed Encryption Standard (Jan 06, 2026)
A U.S. Government standard [FP185] that specifies how to use a symmetric encryption algorithm (SKIPJACK) and create a Law Enforcement Access Field (LEAF) for implementing part of a key escrow system that enables decryption of telecommunications when interception is lawfully authorized.
- ASN.1 (Jan 06, 2026)
See: Abstract Syntax Notation One.
- ISO (Jan 06, 2026)
International Organization for Standardization, a voluntary, non-treaty, non-governmental organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. (Compare: ANSI, IETF, ITU-T, W3C.)
- controlled access protection (Jan 06, 2026)
The level of evaluation criteria for a C2 computer system.
- ABA Guidelines (Jan 06, 2026)
"American Bar Association (ABA) Digital Signature Guidelines" [DSG], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.
- financial institution (Jan 06, 2026)
"An establishment responsible for facilitating customer-initiated transactions or transmission of funds for the extension of credit or the custody, loan, exchange, or issuance of money." [SET2]
- internetwork (Jan 06, 2026)
A system of interconnected networks; a network of networks. Usually shortened to "internet". (See: internet, Internet.)
- authority certificate (Jan 06, 2026)
"A certificate issued to an authority (e.g. either to a certification authority or to an attribute authority)." [X509] (See: authority.)
- certificate reactivation (Jan 06, 2026)
The act or process by which a digital certificate, that a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.
- Encryption (Jan 06, 2026)
Encryption is the process of transforming information so it is unintelligible without the appropriate key.
- NIPRNET (Jan 06, 2026)
The U.S. DoD's common-use Non-Classified Internet Protocol Router Network; the part of the Internet that is wholly controlled by the U.S. DoD and is used for official DoD business.
- User Evasion (Jan 06, 2026)
Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.
- exposure (Jan 06, 2026)
The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.
- Contact List (Jan 06, 2026)
Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the framework.
- MQV (Jan 06, 2026)
A key agreement protocol [Mene] that was proposed by A.J. Menezes, M. Qu, and S.A. Vanstone in 1995 and is based on the Diffie-Hellman-Merkle algorithm.
- OTP (Jan 06, 2026)
See: One-Time Password.
- certificate revocation tree (Jan 06, 2026)
A mechanism for distributing notices of certificate revocations; uses a tree of hash results that is signed by the tree's issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)
- access profile (Jan 06, 2026)
Association of a user with a list of protected objects the user may access.
- open storage (Jan 06, 2026)
"Storage of classified information within an accredited facility, but not in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel." [C4009]
- Key Management Protocol (Jan 06, 2026)
A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.) Superseded by ISAKMP and IKE.
- cryptographic algorithm (Jan 06, 2026)
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
- key lifetime (Jan 06, 2026)
Synonym for "cryptoperiod".
- Denial of Control (Jan 06, 2026)
Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)