$ output feedback (OFB)
(N) A block cipher mode [FP081] that modifies electronic codebook
mode to operate on plaintext segments of variable length less than
or equal to the block length.
(C) This mode operates by directly using the algorithm's
previously generated output block as the algorithm's next input
block (i.e., by "feeding back" the output block) and combining
(exclusive OR-ing) the output block with the next plaintext
segment (of block length or less) to form the next ciphertext
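The feedback structure described above, as an added example that is not part of this glossary: the block function is a keyed hash used as a stand-in for a real block cipher's encryption direction (OFB never needs the decryption direction), and the key and IV are constructed values. Besides the round trip, it shows two consequences of the mode that the definition implies: the keystream does not depend on the plaintext, so an IV reused under one key leaks the XOR of two plaintexts, and a flipped ciphertext bit flips exactly one plaintext bit, so OFB gives confidentiality only, not integrity.

```python
import hashlib

BLOCK_LEN = 16  # byte length of the stand-in block function's block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward direction of a block cipher, modeled by a keyed hash (a stand-in, not a cipher).

    OFB needs only E_k(), never D_k(), so any keyed pseudo-random function of one block
    is enough to show the mode's structure.
    """
    if len(block) != BLOCK_LEN:
        raise ValueError("block_encrypt takes exactly one block")
    return hashlib.sha256(key + block).digest()[:BLOCK_LEN]


def ofb_process(key: bytes, iv: bytes, data: bytes, seg_len: int = BLOCK_LEN) -> bytes:
    """Encrypt or decrypt (the same operation) in segments of seg_len <= BLOCK_LEN bytes.

    For each segment the previous output block is fed back through E_k() to produce the
    next output block, and the segment is XORed with the leftmost seg_len bytes of it.
    """
    if not 1 <= seg_len <= BLOCK_LEN:
        raise ValueError("segment length must be between 1 and the block length")
    if len(iv) != BLOCK_LEN:
        raise ValueError("IV must be exactly one block long")
    out = bytearray()
    fed_back = iv                                  # the first input block is the IV
    for start in range(0, len(data), seg_len):
        segment = data[start:start + seg_len]
        fed_back = block_encrypt(key, fed_back)    # output block; also next round's input
        out += bytes(p ^ o for p, o in zip(segment, fed_back))
    return bytes(out)


# Constructed sample values for the example (not a real key or IV).
KEY = b"example-key-16by"
IV = bytes(range(BLOCK_LEN))


def roundtrip(plaintext: bytes, seg_len: int = BLOCK_LEN) -> bytes:
    """Encrypt then decrypt with the same key, IV and segment length."""
    return ofb_process(KEY, IV, ofb_process(KEY, IV, plaintext, seg_len), seg_len)


def keystream_is_plaintext_independent() -> bool:
    """Same key and IV give the same keystream whatever the plaintext: C1 ^ C2 == P1 ^ P2.

    This is why an IV must never be reused under one key: two recorded ciphertexts
    reveal the XOR of the two plaintexts.
    """
    p1, p2 = b"first message", b"second msg!!!"   # constructed, same length
    c1 = ofb_process(KEY, IV, p1)
    c2 = ofb_process(KEY, IV, p2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))


def bit_flip_propagates() -> bool:
    """Flipping one ciphertext bit flips exactly that plaintext bit: OFB gives no integrity."""
    p = b"amount=0100"
    c = bytearray(ofb_process(KEY, IV, p))
    c[7] ^= 0x01                                   # byte 7 is the leading '0' of the amount
    return ofb_process(KEY, IV, bytes(c)) == b"amount=1100"
```

Because each segment consumes one full output block, the ciphertext for the same message differs between segment lengths (bytes 8 to 11 of a 12-byte message come from the second output block with 8-byte segments and from the first with 16-byte segments); the receiver must use the same segment length as the sender.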
$ outside attack
$ outsider attack
See: (secondary definition under) attack.
$ P1363
See: IEEE P1363.
$ PAA
See: policy approving authority.
$ packet filter
See: (secondary definition under) filtering router.
$ pagejacking
(I) A contraction of "Web page hijacking". A masquerade attack in
which the attacker copies (steals) a home page or other material
from the target server, rehosts the page on a server the attacker
controls, and causes the rehosted page to be indexed by the major
Web search services, thereby diverting browsers from the target
server to the attacker's server.
(D) ISDs SHOULD NOT use this term without including a definition,
because the term is not listed in most dictionaries and could
confuse international readers. (See: (usage note under) Green
$ PAN
See: primary account number.
$ PAP
See: Password Authentication Protocol.
$ partitioned security mode
(N) A mode of operation of an information system, wherein all
users have the clearance, but not necessarily formal access
authorization and need-to-know, for all information handled by the
system. This mode is defined in U.S. Department of Defense policy
regarding system accreditation. [DoD2]
$ passive attack
See: (secondary definition under) attack.
$ passive wiretapping
See: (secondary definition under) wiretapping.
$ password
(I) A secret data value, usually a character string, that is used
as authentication information. (See: challenge-response.)
(C) A password is usually matched with a user identifier that is
explicitly presented in the authentication process, but in some
cases the identity may be implicit.
(C) Using a password as authentication information assumes that
the password is known only by the system entity whose identity is
being authenticated. Therefore, in a network environment where
wiretapping is possible, simple authentication that relies on
transmission of static (i.e., repetitively used) passwords as
cleartext is inadequate. (See: one-time password, strong
$ Password Authentication Protocol (PAP)
(I) A simple authentication mechanism in PPP. In PAP, a user
identifier and password are transmitted in cleartext. [R1334]
$ password sniffing
(I) Passive wiretapping, usually on a local area network, to gain
knowledge of passwords. (See: (usage note under) sniffing.)
$ path discovery
(I) For a digital certificate, the process of finding a set of
public-key certificates that comprise a certification path from a
trusted key to that specific certificate.
$ path validation
(I) The process of validating (a) all of the digital certificates
in a certification path and (b) the required relationships between
those certificates, thus validating the contents of the last
certificate on the path. (See: certificate validation.)
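The two checks the definition names, (a) each certificate on the path and (b) the relationships between neighbours, as an added example that is not part of this glossary. The certificate model and the sample PKI are constructed, and the signature is a stand-in (a hash keyed by the issuer's key material) where a real validator verifies an asymmetric signature with the issuer's public key taken from the previous certificate; everything else, name chaining, validity period, revocation, the CA flag and the path length constraint, is the logic a validator actually applies.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    """Only the fields path validation needs; a real X.509 certificate carries far more."""
    subject: str
    issuer: str
    subject_key: bytes             # stands in for the subject's public key
    not_before: int
    not_after: int
    is_ca: bool
    path_len: Optional[int]        # max intermediate CAs allowed below this CA; None = no limit
    signature: bytes


def tbs_bytes(subject, issuer, subject_key, not_before, not_after, is_ca, path_len) -> bytes:
    """The 'to be signed' part, serialized from the certificate fields."""
    return f"{subject}|{issuer}|{subject_key.hex()}|{not_before}|{not_after}|{is_ca}|{path_len}".encode()


def stand_in_sign(issuer_key: bytes, tbs: bytes) -> bytes:
    """Stand-in for the issuer's signature (keyed hash); not an asymmetric signature."""
    return hashlib.sha256(issuer_key + tbs).digest()


def issue(issuer, issuer_key, subject, subject_key, not_before, not_after, is_ca, path_len=None):
    tbs = tbs_bytes(subject, issuer, subject_key, not_before, not_after, is_ca, path_len)
    return Cert(subject, issuer, subject_key, not_before, not_after, is_ca, path_len,
                stand_in_sign(issuer_key, tbs))


def validate_path(anchor_name, anchor_key, path, now, revoked):
    """Validate each certificate (the anchor's child first, the target last) and the
    relationships between neighbours. Returns (ok, reason)."""
    expected_issuer, signer_key = anchor_name, anchor_key
    remaining = None                           # intermediates still allowed; None = unlimited
    for depth, cert in enumerate(path):
        tbs = tbs_bytes(cert.subject, cert.issuer, cert.subject_key, cert.not_before,
                        cert.not_after, cert.is_ca, cert.path_len)
        if not hmac.compare_digest(stand_in_sign(signer_key, tbs), cert.signature):
            return False, f"{cert.subject}: signature does not verify under the issuer key"
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer name does not chain to {expected_issuer}"
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if cert.subject in revoked:
            return False, f"{cert.subject}: revoked"
        if depth < len(path) - 1:              # every certificate but the last must be a CA
            if not cert.is_ca:
                return False, f"{cert.subject}: not a CA, yet signs the next certificate"
            if remaining is not None:
                if remaining == 0:
                    return False, f"{cert.subject}: path length constraint exceeded"
                remaining -= 1
            if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
                remaining = cert.path_len
        expected_issuer, signer_key = cert.subject, cert.subject_key
    return True, "path valid"


# Constructed sample PKI; the "keys" are arbitrary bytes, not real key material.
NOW = 1_700_000_000
ROOT, ROOT_KEY = "CN=Example Root", b"root-key"
INTER, INTER_KEY = "CN=Example Intermediate", b"inter-key"
LEAF, LEAF_KEY = "CN=mail.example.test", b"leaf-key"
SUB, SUB_KEY = "CN=Unexpected Sub-CA", b"sub-key"

inter_cert = issue(ROOT, ROOT_KEY, INTER, INTER_KEY, NOW - 100, NOW + 100, True, path_len=0)
leaf_cert = issue(INTER, INTER_KEY, LEAF, LEAF_KEY, NOW - 10, NOW + 10, False)
expired_leaf = issue(INTER, INTER_KEY, LEAF, LEAF_KEY, NOW - 30, NOW - 20, False)
forged_leaf = issue(INTER, b"guessed-key", LEAF, LEAF_KEY, NOW - 10, NOW + 10, False)
misnamed_leaf = issue("CN=Other CA", INTER_KEY, LEAF, LEAF_KEY, NOW - 10, NOW + 10, False)
sub_ca = issue(INTER, INTER_KEY, SUB, SUB_KEY, NOW - 10, NOW + 10, True)
leaf_via_sub = issue(SUB, SUB_KEY, LEAF, LEAF_KEY, NOW - 10, NOW + 10, False)
signed_by_leaf = issue(LEAF, LEAF_KEY, "CN=other.example.test", b"o-key", NOW - 10, NOW + 10, False)


def sample_results() -> dict:
    """Outcome of path validation for one good path and several defective ones."""
    cases = {
        "good": [inter_cert, leaf_cert],
        "expired": [inter_cert, expired_leaf],
        "wrong_signer": [inter_cert, forged_leaf],
        "name_mismatch": [inter_cert, misnamed_leaf],
        "pathlen_exceeded": [inter_cert, sub_ca, leaf_via_sub],
        "end_entity_as_ca": [inter_cert, leaf_cert, signed_by_leaf],
    }
    out = {name: validate_path(ROOT, ROOT_KEY, path, NOW, set())[0] for name, path in cases.items()}
    out["revoked"] = validate_path(ROOT, ROOT_KEY, [inter_cert, leaf_cert], NOW, {LEAF})[0]
    return out
```

The name-mismatch case is the reason check (b) exists separately from the signature check: the certificate was signed by the intermediate's key, so the signature verifies, but its issuer name does not match the subject of the certificate before it, so the path is rejected anyway.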
$ payment card
(N) SET usage: Collectively refers "to credit cards, debit cards,
charge cards, and bank cards issued by a financial institution and
which reflects a relationship between the cardholder and the
financial institution." [SET2]
$ payment gateway
(O) SET usage: A system operated by an acquirer, or a third party
designated by an acquirer, for the purpose of providing electronic
commerce services to the merchants in support of the acquirer, and
which interfaces to the acquirer to support the authorization,
capture, and processing of merchant payment messages, including
payment instructions from cardholders. [SET1, SET2]
$ payment gateway certification authority (SET PCA)
(O) SET usage: A CA that issues digital certificates to payment
gateways and is operated on behalf of a payment card brand, an
acquirer, or another party according to brand rules. A SET PCA
issues a CRL for compromised payment gateway certificates. [SET2]
$ PC card
(N) A type of credit card-sized, plug-in peripheral device that
was originally developed to provide memory expansion for portable
computers, but is also used for other kinds of functional
expansion. (See: FORTEZZA, PCMCIA.)
(C) The international PC Card Standard defines a non-proprietary
form factor in three standard sizes--Types I, II and III--each of
which has a 68-pin interface between the card and the socket into
which it plugs. All three types have the same length and width,
roughly the size of a credit card, but differ in their thickness
from 3.3 to 10.5 mm. Examples include storage modules, modems,
device interface adapters, and cryptographic modules.
$ PCA
(D) ISDs SHOULD NOT use this acronym without a qualifying
adjective because that would be ambiguous. (See: Internet policy
certification authority, (MISSI) policy creation authority, (SET)
payment gateway certification authority.)
$ PCMCIA
(N) Personal Computer Memory Card International Association, a
group of manufacturers, developers, and vendors, founded in 1989
to standardize plug-in peripheral memory cards for personal
computers and now extended to deal with any technology that works
in the PC card form factor. (See: PC card.)
$ peer entity authentication
(I) "The corroboration that a peer entity in an association is the
one claimed." [I7498 Part 2] (See: authentication.)
$ peer entity authentication service
(I) A security service that verifies an identity claimed by or for
a system entity in an association. (See: authentication,
(C) This service is used at the establishment of, or at times
during, an association to confirm the identity of one entity to
another, thus protecting against a masquerade by the first entity.
However, unlike data origin authentication service, this service
requires an association to exist between the two entities, and the
corroboration provided by the service is valid only at the current
time that the service is provided.
(C) See: "relationship between data integrity service and
authentication services" under data integrity service.
$ PEM
See: Privacy Enhanced Mail.
$ penetration
(I) Successful, repeatable, unauthorized access to a protected
system resource. (See: attack, violation.)
$ penetration test
(I) A system test, often part of system certification, in which
evaluators attempt to circumvent the security features of the
(C) Penetration testing may be performed under various constraints
and conditions. However, for a TCSEC evaluation, testers are
assumed to have all system design and implementation
documentation, including source code, manuals, and circuit
diagrams, and to work under no greater constraints than those
applied to ordinary users.
$ perfect forward secrecy
See: (discussion under) public-key forward secrecy.
$ perimeter
See: security perimeter.
$ periods processing
(I) A mode of system operation in which information of different
sensitivities is processed at distinctly different times by the
same system, with the system being properly purged or sanitized
between periods. (See: color change.)
$ permission
(I) A synonym for "authorization", but "authorization" is
preferred in the PKI context. (See: privilege.)
$ personal identification number (PIN)
(I) A character string used as a password to gain access to a
system resource. (See: authentication information.)
(C) Despite the words "identification" and "number", a PIN seldom
serves as a user identifier, and a PIN's characters are not
necessarily all numeric. A better name for this concept would have
been "personal authentication system string (PASS)".
(C) Retail banking applications commonly use 4-digit PINs.
FORTEZZA PC cards use up to 12 characters for user or SSO PINs.
$ personality label
(O) MISSI usage: A set of MISSI X.509 public-key certificates that
have the same subject DN, together with their associated private
keys and usage specifications, that is stored on a FORTEZZA PC
card to support a role played by the card's user.
(C) When a card's user selects a personality to use in a FORTEZZA-
aware application, the data determines behavior traits (the
personality) of the application. A card's user may have multiple
personalities on the card. Each has a "personality label", a user-
friendly character string that applications can display to the
user for selecting or changing the personality to be used. For
example, a military user's card might contain three personalities:
GENERAL HALFTRACK, COMMANDER FORT SWAMPY, and NEW YEAR'S EVE PARTY
CHAIRMAN. Each personality includes one or more certificates of
different types (such as DSA versus RSA), for different purposes
(such as digital signature versus encryption), or with different
$ personnel security
(I) Procedures to ensure that persons who access a system have
proper clearance, authorization, and need-to-know as required by
the system's security policy.
$ PGP
See: Pretty Good Privacy.
$ Photuris
(I) A UDP-based key establishment protocol for session keys,
designed for use with the IPsec protocols AH and ESP. Superseded
$ phreaking
(I) A contraction of "telephone breaking". An attack on or
penetration of a telephone system or, by extension, any other
communication or information system. [Raym]
(D) ISDs SHOULD NOT use this term because it is not listed in most
dictionaries and could confuse international readers.
$ physical security
(I) Tangible means of preventing unauthorized physical access to a
system. E.g., fences, walls, and other barriers; locks, safes, and
vaults; dogs and armed guards; sensors and alarm bells. [FP031,
$ piggyback attack
(I) A form of active wiretapping in which the attacker gains
access to a system via intervals of inactivity in another user's
legitimate communication connection. Sometimes called a "between-
the-lines" attack. (See: hijack attack, man-in-the-middle attack.)
$ PIN
See: personal identification number.
$ ping of death
(I) An attack that sends an improperly large ICMP [R0792] echo
request packet (a "ping") with the intent of overflowing the input
buffers of the destination machine and causing it to crash.
$ ping sweep
(I) An attack that sends ICMP [R0792] echo requests ("pings") to a
range of IP addresses, with the goal of finding hosts that can be
probed for vulnerabilities.
$ PKCS
See: Public-Key Cryptography Standards.
$ PKCS #7
(N) A standard [PKC07, R2315] from the PKCS series; defines a
syntax for data that may have cryptography applied to it, such as
for digital signatures and digital envelopes.
$ PKCS #10
(N) A standard [PKC10] from the PKCS series; defines a syntax for
requests for public-key certificates. (See: certification
(C) A PKCS #10 request contains a DN and a public key, and may
contain other attributes, and is signed by the entity making the
request. The request is sent to a CA, who converts it to an X.509
public-key certificate (or some other form) and returns it,
possibly in PKCS #7 format.
$ PKCS #11
(N) A standard [PKC11] from the PKCS series; defines a software
CAPI called Cryptoki (pronounced "crypto-key"; short for
"cryptographic token interface") for devices that hold
cryptographic information and perform cryptographic functions.
$ PKI
See: public-key infrastructure.
$ PKIX
(I) (1.) A contraction of "Public-Key Infrastructure (X.509)", the
name of the IETF working group that is specifying an architecture
and set of protocols needed to support an X.509-based PKI for the
Internet. (2.) A collective name for that architecture and set of
(C) The goal of PKIX is to facilitate the use of X.509 public-key
certificates in multiple Internet applications and to promote
interoperability between different implementations that use those
certificates. The resulting PKI is intended to provide a framework
that supports a range of trust and hierarchy environments and a
range of usage environments. PKIX specifies (a) profiles of the v3
X.509 public-key certificate standards and the v2 X.509 CRL
standards for the Internet; (b) operational protocols used by
relying parties to obtain information such as certificates or
certificate status; (c) management protocols used by system
entities to exchange information needed for proper management of
the PKI; and (d) information about certificate policies and CPSs,
covering the areas of PKI security not directly addressed in the
rest of PKIX.
$ PKIX private extension
(I) PKIX defines a private extension to identify an on-line
verification service supporting the issuing CA.
$ plaintext
(I) Data that is input to and transformed by an encryption
process, or that is output by a decryption process.
(C) Usually, the plaintext input to an encryption operation is
cleartext. But in some cases, the input is ciphertext that was
output from another encryption operation. (See: superencryption.)
$ Point-to-Point Protocol (PPP)
(I) An Internet Standard protocol [R1661] for encapsulation and
full-duplex transportation of network layer (mainly OSI layer 3)
protocol data packets over a link between two peers, and for
multiplexing different network layer protocols over the same link.
Includes optional negotiation to select and use a peer entity
authentication protocol to authenticate the peers to each other
before they exchange network layer data. (See: CHAP, EAP, PAP.)
$ Point-to-Point Tunneling Protocol (PPTP)
(I) An Internet client-server protocol (originally developed by
Ascend and Microsoft) that enables a dial-up user to create a
virtual extension of the dial-up link across a network by
tunneling PPP over IP. (See: L2TP.)
(C) PPP can encapsulate any Internet Protocol Suite network layer
protocol (or OSI layer 3 protocol). Therefore, PPTP does not
specify security services; it depends on protocols above and below
it to provide any needed security. PPTP makes it possible to
divorce the location of the initial dial-up server (i.e., the PPTP
Access Concentrator, the client, which runs on a special-purpose
host) from the location at which the dial-up protocol (PPP)
connection is terminated and access to the network is provided
(i.e., the PPTP Network Server, which runs on a general-purpose
$ policy
(D) ISDs SHOULD NOT use this word as an abbreviation for either
"security policy" or "certificate policy". Instead, to avoid
misunderstanding, use the fully qualified term, at least at the
point of first usage.
$ policy approving authority (PAA)
(O) MISSI usage: The top-level signing authority of a MISSI
certification hierarchy. The term refers both to that
authoritative office or role and to the person who plays that
role. (See: root registry.)
(C) A PAA registers MISSI PCAs and signs their X.509 public-key
certificates. A PAA issues CRLs but does not issue a CKL. A PAA
may issue cross-certificates to other PAAs.
$ policy certification authority (Internet PCA)
(I) An X.509-compliant CA at the second level of the Internet
certification hierarchy, under the Internet Policy Registration
Authority (IPRA). Each PCA operates in accordance with its
published security policy (see: certification practice statement)
and within constraints established by the IPRA for all PCAs.
[R1422]. (See: policy creation authority.)
$ policy creation authority (MISSI PCA)
(O) MISSI usage: The second level of a MISSI certification
hierarchy; the administrative root of a security policy domain of
MISSI users and other, subsidiary authorities. The term refers
both to that authoritative office or role and to the person who
fills that office. (See: policy certification authority.)
(C) A MISSI PCA's certificate is issued by a policy approving
authority. The PCA registers the CAs in its domain, defines their
configurations, and issues their X.509 public-key certificates.
(The PCA may also issue certificates for SCAs, ORAs, and other end
entities, but a PCA does not usually do this.) The PCA
periodically issues CRLs and CKLs for its domain.
$ Policy Management Authority
(N) Canadian usage: An organization responsible for PKI oversight
and policy management in the Government of Canada.
$ policy mapping
(I) "Recognizing that, when a CA in one domain certifies a CA in
another domain, a particular certificate policy in the second
domain may be considered by the authority of the first domain to
be equivalent (but not necessarily identical in all respects) to a
particular certificate policy in the first domain." [X509]
$ POP3
See: Post Office Protocol, version 3.
$ POP3 APOP
(I) A POP3 "command" (better described as a transaction type, or a
protocol-within-a-protocol) by which a POP3 client optionally uses
a keyed hash (based on MD5) to authenticate itself to a POP3
server and, depending on the server implementation, to protect
against replay attacks. (See: CRAM, POP3 AUTH, IMAP4
(C) The server includes a unique timestamp in its greeting to the
client. The subsequent APOP command sent by the client to the
server contains the client's name and the hash result of applying
MD5 to a string formed from both the timestamp and a shared secret
that is known only to the client and the server. APOP was designed
to provide an alternative to using POP3's USER and PASS (i.e.,
password) command pair, in which the client sends a cleartext
password to the server.
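The APOP exchange just described, as an added example that is not part of this glossary; it also illustrates the point made under "password" and "PAP" that a static password sent in cleartext is inadequate where wiretapping is possible. The server model, host name and shared secret are constructed. The digest is MD5 over the greeting's timestamp banner followed by the shared secret, as the entry states; the replay protection shown is the server-implementation-dependent part, modeled here as a banner that is unique per connection and honoured at most once.

```python
import hashlib
import hmac
import itertools
import time


def apop_digest(banner: str, secret: str) -> str:
    """MD5 over the server's timestamp banner followed by the shared secret, as 32 hex digits."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()


def extract_banner(greeting: str) -> str:
    """Pull the <...> timestamp banner out of the server's greeting line."""
    return greeting[greeting.index("<"):greeting.index(">") + 1]


class ApopServer:
    """Server side of the APOP exchange (constructed model, not a mail server).

    Every connection gets its own banner, and a banner is honoured at most once: that is
    the server-side behaviour that turns a recorded APOP command into a useless replay.
    """

    def __init__(self, hostname: str, shared_secrets: dict) -> None:
        self.hostname = hostname
        self.shared_secrets = shared_secrets        # user name -> shared secret
        self._conn_ids = itertools.count(1)
        self._banners = {}                          # connection id -> banner not yet used

    def connect(self) -> tuple:
        conn = next(self._conn_ids)
        banner = f"<{conn}.{time.time_ns()}@{self.hostname}>"   # unique per connection
        self._banners[conn] = banner
        return conn, f"+OK POP3 server ready {banner}"

    def handle_apop(self, conn: int, name: str, digest: str) -> str:
        banner = self._banners.pop(conn, None)      # consumed even if the attempt fails
        secret = self.shared_secrets.get(name, "")  # unknown user: compare against a dummy
        expected = apop_digest(banner or "", secret)
        if banner is None or name not in self.shared_secrets or \
                not hmac.compare_digest(expected, digest):
            return "-ERR permission denied"
        return f"+OK maildrop for {name} unlocked"


def run_exchange() -> dict:
    """A legitimate login followed by two replays of the recorded APOP command."""
    server = ApopServer("pop.example.test", {"alice": "correct-horse"})   # constructed secret
    conn, greeting = server.connect()
    # What a wiretapper sees is the greeting and "APOP alice <digest>"; the secret itself
    # never crosses the wire, unlike the USER/PASS pair the entry contrasts APOP with.
    digest = apop_digest(extract_banner(greeting), "correct-horse")
    first = server.handle_apop(conn, "alice", digest)
    same_conn = server.handle_apop(conn, "alice", digest)     # banner already consumed
    conn2, _ = server.connect()                               # new banner, old digest
    new_conn = server.handle_apop(conn2, "alice", digest)
    return {"first": first, "replay_same_connection": same_conn, "replay_new_connection": new_conn}
```

Note that the server must hold the shared secret in a recoverable form to compute the expected digest, which is the usual trade-off of keyed-hash schemes of this kind: the password never travels in the clear, but the server's secret store becomes a high-value target.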
$ POP3 AUTH
(I) A "command" [R1734] (better described as a transaction type,
or a protocol-within-a-protocol) in POP3, by which a POP3 client
optionally proposes a mechanism to a POP3 server to authenticate
the client to the server and provide other security services.
(See: POP3 APOP, IMAP4 AUTHENTICATE.)
(C) If the server accepts the proposal, the command is followed by
performing a challenge-response authentication protocol and,
optionally, negotiating a protection mechanism for subsequent POP3
interactions. The security mechanisms used by POP3 AUTH are those
used by IMAP4.
$ port scan
(I) An attack that sends client requests to a range of server port
addresses on a host, with the goal of finding an active port and
exploiting a known vulnerability of that service.
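The two reconnaissance patterns defined under "ping sweep" and "port scan" leave a characteristic footprint in flow or firewall logs: one source touching many destinations with ICMP echo requests, or one source trying many ports on one host. The detection logic below is an added example, not part of this glossary; the log format, addresses (RFC 5737 documentation ranges) and thresholds are constructed, and a production detector would also bound the time window and whitelist monitoring hosts.

```python
from collections import defaultdict


def sample_lines() -> list:
    """Constructed flow records in a key=value format (not real traffic)."""
    lines = []
    # one host pinging twelve consecutive addresses within seconds (sweep pattern)
    for i in range(1, 13):
        lines.append(f"2024-05-01T10:00:{i:02d} proto=icmp type=8 src=198.51.100.7 dst=192.0.2.{i}")
    # one host sending SYNs to many ports of one server (scan pattern)
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)):
        lines.append(f"2024-05-01T10:01:{i:02d} proto=tcp flags=S src=203.0.113.9 dst=192.0.2.10 dport={port}")
    # ordinary traffic: one client reaching two services and checking reachability
    lines += [
        "2024-05-01T10:02:00 proto=tcp flags=S src=192.0.2.50 dst=192.0.2.10 dport=443",
        "2024-05-01T10:02:01 proto=tcp flags=S src=192.0.2.50 dst=192.0.2.10 dport=993",
        "2024-05-01T10:02:02 proto=icmp type=8 src=192.0.2.50 dst=192.0.2.10",
    ]
    return lines


def parse(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a record."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = ts
    return rec


def detect(lines, sweep_threshold: int = 8, scan_threshold: int = 6) -> dict:
    """Flag sources whose distinct-target counts exceed the thresholds."""
    echo_targets = defaultdict(set)     # src -> distinct dst addresses sent ICMP echo requests
    port_targets = defaultdict(set)     # (src, dst) -> distinct TCP ports tried
    for rec in map(parse, lines):
        if rec.get("proto") == "icmp" and rec.get("type") == "8":
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec.get("proto") == "tcp" and rec.get("flags") == "S":
            port_targets[(rec["src"], rec["dst"])].add(rec["dport"])
    return {
        "ping_sweep": sorted(src for src, dsts in echo_targets.items() if len(dsts) >= sweep_threshold),
        "port_scan": sorted(f"{src}->{dst}" for (src, dst), ports in port_targets.items()
                            if len(ports) >= scan_threshold),
    }
```

Counting distinct targets rather than raw packets is what separates a sweep from a chatty but legitimate host: the ordinary client in the sample touches one address and two ports and is not flagged at either threshold.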
$ POSIX
(N) Portable Operating System Interface for Computer Environments,
a standard [FP151, IS9945-1] (originally IEEE Standard P1003.1)
that defines an operating system interface and environment to
support application portability at the source code level. It is
intended to be used by both application developers and system
(C) P1003.1 supports security functionality like that on most
UNIX systems, including discretionary access control and
privilege. IEEE Draft Standard P1003.6.1 specifies additional
functionality not provided in the base standard, including (a)
discretionary access control, (b) audit trail mechanisms, (c)
privilege mechanisms, (d) mandatory access control, and (e)
information label mechanisms.
$ Post Office Protocol, version 3 (POP3)
(I) An Internet Standard protocol [R1939] by which a client
workstation can dynamically access a mailbox on a server host to
retrieve mail messages that the server has received and is holding
for the client. (See: IMAP4.)
(C) POP3 has mechanisms for optionally authenticating a client to
a server and providing other security services. (See: POP3 APOP,
$ PPP
See: Point-to-Point Protocol.
$ PPTP
See: Point-to-Point Tunneling Protocol.
$ preauthorization
(I) A capability of a CAW that enables certification requests to
be automatically validated against data provided in advance to the
CA by an authorizing entity.
$ Pretty Good Privacy(trademark) (PGP(trademark))
(O) Trademarks of Network Associates, Inc., referring to a
computer program (and related protocols) that uses cryptography to
provide data security for electronic mail and other applications
on the Internet. (See: MOSS, PEM, S/MIME.)
(C) PGP encrypts messages with IDEA in CFB mode, distributes the
IDEA keys by encrypting them with RSA, and creates digital
signatures on messages with MD5 and RSA. To establish ownership of
public keys, PGP depends on the web of trust. (See: Privacy
$ primary account number (PAN)
(O) SET usage: "The assigned number that identifies the card
issuer and cardholder. This account number is composed of an
issuer identification number, an individual account number
identification, and an accompanying check digit as defined by ISO
7812-1985." [SET2, IS7812] (See: bank identification number.)
(C) The PAN is embossed, encoded, or both on a magnetic-strip-
based credit card. The PAN identifies the issuer to which a
transaction is to be routed and the account to which it is to be
applied unless specific instructions indicate otherwise. The
authority that assigns the bank identification number part of the
PAN is the American Bankers Association.
$ privacy
(I) The right of an entity (normally a person), acting in its own
behalf, to determine the degree to which it will interact with its
environment, including the degree to which the entity is willing
to share information about itself with others. (See: anonymity.)
(O) "The right of individuals to control or influence what
information related to them may be collected and stored and by
whom and to whom that information may be disclosed." [I7498 Part
(D) ISDs SHOULD NOT use this term as a synonym for "data
confidentiality" or "data confidentiality service", which are
different concepts. Privacy is a reason for security rather than a
kind of security. For example, a system that stores personal data
needs to protect the data to prevent harm, embarrassment,
inconvenience, or unfairness to any person about whom data is
maintained, and to protect the person's privacy. For that reason,
the system may need to provide data confidentiality service.
$ Privacy Enhanced Mail (PEM)
(I) An Internet protocol to provide data confidentiality, data
integrity, and data origin authentication for electronic mail.
[R1421, R1422]. (See: MOSS, MSP, PGP, S/MIME.)
(C) PEM encrypts messages with DES in CBC mode, provides key
distribution of DES keys by encrypting them with RSA, and signs
messages with RSA over either MD2 or MD5. To establish ownership
of public keys, PEM uses a certification hierarchy, with X.509
public-key certificates and X.509 CRLs that are signed with RSA
and MD2. (See: Pretty Good Privacy.)
(C) PEM is designed to be compatible with a wide range of key
management methods, but is limited to specifying security services
only for text messages and, like MOSS, has not been widely
implemented in the Internet.
$ private component
(I) A synonym for "private key".
(D) In most cases, ISDs SHOULD NOT use this term; to avoid
confusing readers, use "private key" instead. However, the term
MAY be used when specifically discussing a key pair; e.g., "A key
pair has a public component and a private component."
$ private extension
See: (secondary definition under) extension.
$ private key
(I) The secret component of a pair of cryptographic keys used for
asymmetric cryptography. (See: key pair, public key.)
(O) "(In a public key cryptosystem) that key of a user's key pair
which is known only by that user." [X509]
$ privilege
(I) An authorization or set of authorizations to perform security-
relevant functions, especially in the context of a computer
$ privilege management infrastructure
(N) "The complete set of processes required to provide an
authorization service", i.e., processes concerned with attribute
certificates. [FPDAM] (See: PKI.)
(D) ISDs SHOULD NOT use this term and its definition because the
definition is vague, and there is no consensus on an alternate
$ privileged process
(I) A computer process that is authorized (and, therefore,
trusted) to perform some security-relevant functions that ordinary
processes are not. (See: privilege, trusted process.)
$ procedural security
(D) ISDs SHOULD NOT use this term as a synonym for "administrative
security". Any type of security may involve procedures; therefore,
the term may be misleading. Instead, use "administrative
security", "communication security", "computer security",
"emanations security", "personnel security", "physical security",
or whatever specific type is meant. (See: security architecture.)
$ proprietary
(I) Refers to information (or other property) that is owned by an
individual or organization and for which the use is restricted by
$ protected checksum
(I) A checksum that is computed for a data object by means that
protect against active attacks that would attempt to change the
checksum to make it match changes made to the data object. (See:
digital signature, keyed hash, (discussion under) checksum.
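The difference between a plain checksum and a protected one, as an added example that is not part of this glossary (the key and messages are constructed). The active attack the entry describes is modeled as a party in the middle changing a message and then trying to make the receiver's check pass: an unkeyed CRC-32 is simply recomputed over the altered data, while a keyed hash (HMAC-SHA-256) cannot be recomputed without the key, so the receiver rejects the change.

```python
import hashlib
import hmac
import zlib


def plain_checksum(data: bytes) -> int:
    """An unkeyed checksum (CRC-32): detects accidental corruption only."""
    return zlib.crc32(data)


def protected_checksum(key: bytes, data: bytes) -> bytes:
    """A keyed hash (HMAC-SHA-256): cannot be recomputed for altered data without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receiver_accepts_plain(data: bytes, checksum: int) -> bool:
    return plain_checksum(data) == checksum


def receiver_accepts_protected(key: bytes, data: bytes, tag: bytes) -> bool:
    # constant-time comparison so the check itself does not leak the tag byte by byte
    return hmac.compare_digest(protected_checksum(key, data), tag)


def tamper_outcome(key: bytes) -> dict:
    """Model an active attack on a message in transit: the payload is altered and the
    attacker tries to make the accompanying check value match the new data."""
    original = b"transfer amount=100 to=acct-1"      # constructed message
    altered = b"transfer amount=900 to=acct-1"       # constructed modification
    tag = protected_checksum(key, original)
    return {
        # the unkeyed checksum is recomputed over the altered data and the receiver accepts it
        "plain_checksum_fooled": receiver_accepts_plain(altered, plain_checksum(altered)),
        # without the key, the best that can be done is to forward the original tag
        "protected_checksum_fooled": receiver_accepts_protected(key, altered, tag),
        # the untouched message still verifies, so the keyed check has no false rejections here
        "untouched_still_accepted": receiver_accepts_protected(key, original, tag),
    }
```

A digital signature gives the same protection without a shared key, at the cost of asymmetric operations; the keyed hash is the usual choice when sender and receiver already share a secret.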
$ protected distribution system
(I) A wireline or fiber-optic system that includes sufficient
safeguards (acoustic, electric, electromagnetic, and physical) to
permit its use for unencrypted transmission of (cleartext) data.
$ protection authority
See: (secondary definition under) Internet Protocol Security
$ protection ring
(I) One of a hierarchy of privileged operation modes of a system
that gives certain access rights to processes authorized to
operate in that mode.
$ protocol
(I) A set of rules (i.e., formats and procedures) to implement and
control some type of association (e.g., communication) between
systems. (E.g., see: Internet Protocol.)
(C) In particular, a series of ordered steps involving computing
and communication that are performed by two or more system
entities to achieve a joint objective. [A9042]
$ protocol suite
(I) A complementary collection of communication protocols used in
a computer network. (See: Internet, OSI.)
$ proxy server
(I) A computer process--often used as, or as part of, a firewall--
that relays a protocol between client and server computer systems,
by appearing to the client to be the server and appearing to the
server to be the client. (See: SOCKS.)
(C) In a firewall, a proxy server usually runs on a bastion host,
which may support proxies for several protocols (e.g., FTP, HTTP,
and TELNET). Instead of a client in the protected enclave
connecting directly to an external server, the internal client
connects to the proxy server which in turn connects to the
external server. The proxy server waits for a request from inside
the firewall, forwards the request to the remote server outside
the firewall, gets the response, then sends the response back to
the client. The proxy may be transparent to the clients, or they
may need to connect first to the proxy server, and then use that
association to also initiate a connection to the real server.
(C) Proxies are generally preferred over SOCKS for their ability
to perform caching, high-level logging, and access control. A
proxy can provide security service beyond that which is normally
part of the relayed protocol, such as access control based on peer
entity authentication of clients, or peer entity authentication of
servers when clients do not have that capability. A proxy at OSI
layer 7 can also provide finer-grained security service than can a
filtering router at OSI layer 3. For example, an FTP proxy could
permit transfers out of, but not into, a protected network.
$ pseudo-random
(I) A sequence of values that appears to be random (i.e.,
unpredictable) but is actually generated by a deterministic
algorithm. (See: random.)
$ pseudo-random number generator
(I) A process used to deterministically generate a series of
numbers (usually integers) that appear to be random according to
certain statistical tests, but actually are pseudo-random.
(C) Pseudo-random number generators are usually implemented in
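A pseudo-random number generator of the kind the two entries describe, as an added example that is not part of this glossary: a linear congruential generator with constructed parameters. It shows the three properties that matter here: the sequence is fully determined by the seed, one observed output fixes every later one (the state is the output), and a crude statistical test on the mean passes while a test on the low bit exposes the generator. The last function shows the operating-system CSPRNG that security-relevant values (keys, session identifiers, nonces) should come from instead.

```python
import secrets
import statistics

# Constructed LCG parameters (the Numerical Recipes constants), modulus 2**32.
A, C, M = 1664525, 1013904223, 2 ** 32


def lcg_sequence(seed: int, count: int) -> list:
    """x_{n+1} = (A * x_n + C) mod M: deterministic, entirely fixed by the seed."""
    out, x = [], seed % M
    for _ in range(count):
        x = (A * x + C) % M
        out.append(x)
    return out


def predict_next(observed: int) -> int:
    """For an LCG the internal state is the last output, so one value predicts the rest."""
    return (A * observed + C) % M


def looks_uniform(seed: int, count: int = 10_000) -> bool:
    """A crude statistical test: the mean of the outputs sits near the middle of the range."""
    mean = statistics.fmean(lcg_sequence(seed, count)) / M
    return 0.45 < mean < 0.55


def low_bit_pattern(seed: int, count: int = 8) -> list:
    """With a power-of-two modulus and odd A and C the low bit simply alternates,
    so a test on that bit alone rejects the sequence as random."""
    return [x & 1 for x in lcg_sequence(seed, count)]


def unpredictable_token(nbytes: int = 16) -> bytes:
    """For keys, session IDs and nonces use the OS CSPRNG (Python's secrets module)."""
    return secrets.token_bytes(nbytes)
```

Passing "certain statistical tests", as the definition puts it, is a property of the output; predictability from a captured output is a property of the algorithm, and it is the second that decides whether a generator may be used for anything an adversary must not guess.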
$ public component
(I) A synonym for "public key".
(D) In most cases, ISDs SHOULD NOT use this term; to avoid
confusing readers, use "public key" instead. However, the term
MAY be used when specifically discussing a key pair; e.g., "A key
pair has a public component and a private component."
$ public key
(I) The publicly-disclosable component of a pair of cryptographic
keys used for asymmetric cryptography. (See: key pair, private
(O) "(In a public key cryptosystem) that key of a user's key pair
which is publicly known." [X509]
$ public-key certificate
(I) A digital certificate that binds a system entity's identity to
a public key value, and possibly to additional data items; a
digitally-signed data structure that attests to the ownership of a
public key. (See: X.509 public-key certificate.)
(C) The digital signature on a public-key certificate is
unforgeable. Thus, the certificate can be published, such as by
posting it in a directory, without the directory having to protect
the certificate's data integrity.
(O) "The public key of a user, together with some other
information, rendered unforgeable by encipherment with the private
key of the certification authority which issued it." [X509]
$ public-key cryptography
(I) The popular synonym for "asymmetric cryptography".
$ Public-Key Cryptography Standards (PKCS)
(I) A series of specifications published by RSA Laboratories for
data structures and algorithm usage for basic applications of
asymmetric cryptography. (See: PKCS #7, PKCS #10, PKCS #11.)
(C) The PKCS were begun in 1991 in cooperation with industry and
academia, originally including Apple, Digital, Lotus, Microsoft,
Northern Telecom, Sun, and MIT. Today, the specifications are
widely used, but they are not sanctioned by an official standards
organization, such as ANSI, ITU-T, or IETF. RSA Laboratories
retains sole decision-making authority over the PKCS.
$ public-key forward secrecy (PFS)
(I) For a key agreement protocol based on asymmetric cryptography,
the property that ensures that a session key derived from a set of
long-term public and private keys will not be compromised if one
of the private keys is compromised in the future.
(C) Some existing RFCs use the term "perfect forward secrecy" but
either do not define it or do not define it precisely. While
preparing this Glossary, we tried to find a good definition for
that term, but found this to be a muddled area. Experts did not
agree. For all practical purposes, the literature defines "perfect
forward secrecy" by stating the Diffie-Hellman algorithm. The term
"public-key forward secrecy" (suggested by Hilarie Orman) and the
"I" definition stated for it here were crafted to be compatible
with current Internet documents, yet be narrow and leave room for
(C) Challenge to the Internet security community: We need a
taxonomy--a family of mutually exclusive and collectively
exhaustive terms and definitions to cover the basic properties
discussed here--for the full range of cryptographic algorithms and
protocols used in Internet Standards:
(C) Involvement of session keys vs. long-term keys: Experts
disagree about the basic ideas involved.
- One concept of "forward secrecy" is that, given observations of
the operation of a key establishment protocol up to time t, and
given some of the session keys derived from those protocol runs,
you cannot derive unknown past session keys or future session
- A related property is that, given observations of the protocol
and knowledge of the derived session keys, you cannot derive one
or more of the long-term private keys.
- The "I" definition presented above involves a third concept of
"forward secrecy" that refers to the effect of the compromise of
- All three concepts involve the idea that a compromise of "this"
encryption key is not supposed to compromise the "next" one. There
also is the idea that compromise of a single key will compromise
only the data protected by the single key. In Internet literature,
the focus has been on protection against decryption of back
traffic in the event of a compromise of secret key material held
by one or both parties to a communication.
(C) Forward vs. backward: Experts are unhappy with the word
"forward", because compromise of "this" encryption key also is not
supposed to compromise the "previous" one, which is "backward"
rather than forward. In S/KEY, if the key used at time t is
compromised, then all keys used prior to that are compromised. If
the "long-term" key (i.e., the base of the hashing scheme) is
compromised, then all keys past and future are compromised; thus,
you could say that S/KEY has neither forward nor backward secrecy.
(C) Asymmetric cryptography vs. symmetric: Experts disagree about
forward secrecy in the context of symmetric cryptographic systems.
In the absence of asymmetric cryptography, compromise of any long-
term key seems to compromise any session key derived from the
long-term key. For example, Kerberos isn't forward secret, because
compromising a client's password (thus compromising the key shared
by the client and the authentication server) compromises future
session keys shared by the client and the ticket-granting server.
(C) Ordinary forward secrecy vs. "perfect" forward secrecy: Experts
disagree about the difference between these two. Some say there is
no difference, and some say that the initial naming was
unfortunate and suggest dropping the word "perfect". Some suggest
using "forward secrecy" for the case where one long-term private
key is compromised, and adding "perfect" for when both private
keys (or, when the protocol is multi-party, all private keys) are
(C) Acknowledgements: Bill Burr, Burt Kaliski, Steve Kent, Paul
Van Oorschot, Michael Wiener, and, especially, Hilarie Orman
contributed ideas to this discussion.
$ public-key infrastructure (PKI)
(I) A system of CAs (and, optionally, RAs and other supporting
servers and agents) that perform some set of certificate
management, archive management, key management, and token
management functions for a community of users in an application of
asymmetric cryptography. (See: hierarchical PKI, mesh PKI,
security management infrastructure, trust-file PKI.)
(O) PKIX usage: The set of hardware, software, people, policies,
and procedures needed to create, manage, store, distribute, and
revoke digital certificates based on asymmetric cryptography.
(C) The core PKI functions are (a) to register users and issue
their public-key certificates, (b) to revoke certificates when
required, and (c) to archive data needed to validate certificates
at a much later time. Key pairs for data confidentiality may be
generated (and perhaps escrowed) by CAs or RAs, but requiring a
PKI client to generate its own digital signature key pair helps
maintain system integrity of the cryptographic system, because
then only the client ever possesses the private key it uses. Also,
an authority may be established to approve or coordinate CPSs,
which are security policies under which components of a PKI
(C) A number of other servers and agents may support the core PKI,
and PKI clients may obtain services from them. The full range of
such services is not yet fully understood and is evolving, but
supporting roles may include archive agent, certified delivery
agent, confirmation agent, digital notary, directory, key escrow
agent, key generation agent, naming agent who ensures that issuers
and subjects have unique identifiers within the PKI, repository,
ticket-granting agent, and time stamp agent.
See: registration authority.
$ RA domains
(I) A capability of a CAW that allows a CA to divide the
responsibility for certification requests among multiple RAs.
(C) This capability might be used to restrict access to private
authorization data that is provided with a certification request,
and to distribute the responsibility to review and approve
certification requests in high volume environments. RA domains
might segregate certification requests according to an attribute
of the certificate subject, such as an organizational unit.
See: Remote Authentication Dial-In User Service.
$ Rainbow Series
(O) A set of more than 30 technical and policy documents with
colored covers, issued by the NCSC, that discuss in detail the
TCSEC and provide guidance for meeting and applying the criteria.
(See: Green Book, Orange Book, Red Book, Yellow Book.)
$ random
(I) General usage: In mathematics, random means "unpredictable". A
sequence of values is called random if each successive value is
obtained merely by chance and does not depend on the preceding
values of the sequence, and a selected individual value is called
random if each of the values in the total population of
possibilities has equal probability of being selected. [Knuth]
(See: cryptographic key, pseudo-random, random number generator.)
(I) Security usage: In cryptography and other security
applications, random means not only unpredictable, but also
"unguessable". When selecting data values to use for cryptographic
keys, "the requirement is for data that an adversary has a very
low probability of guessing or determining." It is not sufficient
to use data that "only meets traditional statistical tests for
randomness or which is based on limited range sources, such as
clocks. Frequently such random quantities are determinable [i.e.,
guessable] by an adversary searching through an embarrassingly
small space of possibilities." [R1750]
$ random number generator
(I) A process used to generate an unpredictable, uniformly
distributed series of numbers (usually integers). (See: pseudo-
(C) True random number generators are hardware-based devices that
depend on the output of a "noisy diode" or other physical
See: Role-Based Access Control.
See: Rivest Cipher #2, Rivest Cipher #4.
(O) Kerberos usage: The domain of authority of a Kerberos server
(consisting of an authentication server and a ticket-granting
server), including the Kerberized clients and the Kerberized
$ RED
(I) Designation for information system equipment or facilities
that handle (and for data that contains) only plaintext (or,
depending on the context, classified information), and for such
data itself. This term derives from U.S. Government COMSEC
terminology. (See: BLACK, RED/BLACK separation.)
$ Red Book
(D) ISDs SHOULD NOT use this term as a synonym for "Trusted
Network Interpretation of the Trusted Computer System Evaluation
Criteria" [NCS05]. Instead, use the full proper name of the
document or, in subsequent references, a more conventional
abbreviation. (See: TCSEC, Rainbow Series, (usage note under)
$ RED/BLACK separation
(I) An architectural concept for cryptographic systems that
strictly separates the parts of a system that handle plaintext
(i.e., RED information) from the parts that handle ciphertext
(i.e., BLACK information). This term derives from U.S. Government
COMSEC terminology. (See: BLACK, RED.)
$ reference monitor
(I) "An access control concept that refers to an abstract machine
that mediates all accesses to objects by subjects." [NCS04] (See:
(C) A reference monitor should be (a) complete (i.e., it mediates
every access), (b) isolated (i.e., it cannot be modified by other
system entities), and (c) verifiable (i.e., small enough to be
subjected to analysis and tests to ensure that it is correct).
$ reflection attack
(I) A type of replay attack in which transmitted data is sent back
to its originator.
$ registration
(I) An administrative act or process whereby an entity's name and
other attributes are established for the first time at a CA, prior
to the CA issuing a digital certificate that has the entity's name
as the subject. (See: registration authority.)
(C) Registration may be accomplished either directly, by the CA,
or indirectly, by a separate RA. An entity is presented to the CA
or RA, and the authority either records the name(s) claimed for
the entity or assigns the entity's name(s). The authority also
determines and records other attributes of the entity that are to
be bound in a certificate (such as a public key or authorizations)
or maintained in the authority's database (such as street address
and telephone number). The authority is responsible, possibly
assisted by an RA, for authenticating the entity's identity and
verifying the correctness of the other attributes, in accordance
with the CA's CPS.
(C) Among the registration issues that a CPS may address are the
- How a claimed identity and other attributes are verified.
- How organization affiliation or representation is verified.
- What forms of names are permitted, such as X.500 DN, domain
name, or IP address.
- Whether names are required to be meaningful or unique, and
within what domain.
- How naming disputes are resolved, including the role of
- Whether certificates are issued to entities that are not
- Whether a person is required to appear before the CA or RA, or
can instead be represented by an agent.
- Whether and how an entity proves possession of the private key
matching a public key.
$ registration authority (RA)
(I) An optional PKI entity (separate from the CAs) that does not
sign either digital certificates or CRLs but has responsibility
for recording or verifying some or all of the information
(particularly the identities of subjects) needed by a CA to issue
certificates and CRLs and to perform other certificate management
functions. (See: organizational registration authority,
(C) Sometimes, a CA may perform all certificate management
functions for all end users for which the CA signs certificates.
Other times, such as in a large or geographically dispersed
community, it may be necessary or desirable to offload secondary
CA functions and delegate them to an assistant, while the CA
retains the primary functions (signing certificates and CRLs). The
tasks that are delegated to an RA by a CA may include personal
authentication, name assignment, token distribution, revocation
reporting, key generation, and archiving. An RA is an optional PKI
component, separate from the CA, that is assigned secondary
functions. The duties assigned to RAs vary from case to case but
may include the following:
- Verifying a subject's identity, i.e., performing personal
- Assigning a name to a subject. (See: distinguished name.)
- Verifying that a subject is entitled to have the attributes
requested for a certificate.
- Verifying that a subject possesses the private key that matches
the public key requested for a certificate.
- Performing functions beyond mere registration, such as
generating key pairs, distributing tokens, and handling
revocation reports. (Such functions may be assigned to a PKI
element that is separate from both the CA and the RA.)
(I) PKIX usage: An optional PKI component, separate from the
CA(s). The functions that the RA performs will vary from case to
case but may include identity authentication and name assignment,
key generation and archiving of key pairs, token distribution, and
revocation reporting. [R2510]
(O) SET usage: "An independent third-party organization that
processes payment card applications for multiple payment card
brands and forwards applications to the appropriate financial
(I) Deliberately change the classification level of information in
an authorized manner.
$ rekey
(I) Change the value of a cryptographic key that is being used in
an application of a cryptographic system. (See: certificate
(C) For example, rekey is required at the end of a cryptoperiod or
(I) The ability of a system to perform a required function under
stated conditions for a specified period of time. (See:
$ relying party
(N) A synonym for "certificate user". Used in a legal context to
mean a recipient of a certificate who acts in reliance on that
certificate. (See: ABA Guidelines.)
$ Remote Authentication Dial-In User Service (RADIUS)
(I) An Internet protocol [R2138] for carrying dial-in users'
authentication information and configuration information between a
shared, centralized authentication server (the RADIUS server) and
a network access server (the RADIUS client) that needs to
authenticate the users of its network access ports. (See: TACACS.)
(C) A user of the RADIUS client presents authentication
information to the client, and the client passes that information
to the RADIUS server. The server authenticates the client using a
shared secret value, then checks the user's authentication
information, and finally returns to the client all authorization
and configuration information needed by the client to deliver
service to the user.
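The exchange just described can be made concrete by building the two RADIUS messages and the checks each side performs. The following is an added example written for this glossary entry, not code from RFC 2138 or from any RADIUS implementation; it covers only the User-Name, User-Password and Reply-Message attributes, and uses a fixed Request Authenticator and a constructed shared secret and user database for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types as numbered in RFC 2138.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH")   # code, identifier, length; then a 16-byte authenticator


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: type, length (counting these two bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2138: pad to 16-byte chunks and XOR each chunk
    with MD5(secret + previous chunk), the first chunk using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2138."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def client_access_request(user, password, secret, ident, request_auth=None):
    """RADIUS client (network access server) side: wrap the user's credentials."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable; fixed only for tests
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: the shared secret is needed both to recover the password
    and to produce a Response Authenticator the client will accept."""
    code, ident, length = HEADER.unpack(packet[:HEADER.size])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(ATTR_REPLY_MESSAGE, b"welcome" if ok else b"denied")
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_check_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes):
    """Client side: verify the Response Authenticator before trusting the reply.
    Returns None for a reply that does not match (forged, or wrong secret)."""
    code, reply_ident, length = HEADER.unpack(reply[:HEADER.size])
    attrs = reply[20:length]
    expected = response_authenticator(code, reply_ident, attrs, request_auth, secret)
    if reply_ident != ident or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code == ACCESS_ACCEPT, parse_attrs(attrs)
```

A reply whose authenticator does not verify is dropped rather than treated as a reject, since without the shared secret the client cannot tell who produced it.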
See: certificate renewal.
$ replay attack
(I) An attack in which a valid data transmission is maliciously or
fraudulently repeated, either by the originator or by an adversary
who intercepts the data and retransmits it, possibly as part of a
masquerade attack. (See: active wiretapping.)
$ repository
(I) A system for storing and distributing digital certificates and
related information (including CRLs, CPSs, and certificate
policies) to certificate users. (See: directory.)
(O) "A trustworthy system for storing and retrieving certificates
or other information relevant to certificates." [ABA]
(C) A certificate is published to those who might need it by
putting it in a repository. The repository usually is a publicly
accessible, on-line server. In the Federal Public-key
Infrastructure, for example, the expected repository is a
directory that uses LDAP, but also may be the X.500 Directory that
uses DAP, or an HTTP server, or an FTP server that permits
$ repudiation
(I) Denial by a system entity that was involved in an association
(especially an association that transfers information) of having
participated in the relationship. (See: accountability, non-
(O) "Denial by one of the entities involved in a communication of
having participated in all or part of the communication." [I7498
$ Request for Comment (RFC)
(I) One of the documents in the archival series that is the
official channel for ISDs and other publications of the Internet
Engineering Steering Group, the Internet Architecture Board, and
the Internet community in general. [R2026, R2223] (See: Internet
(C) This term is *not* a synonym for "Internet Standard".
$ residual risk
(I) The risk that remains after countermeasures have been applied.
See: card restore.
See: certificate revocation.
$ revocation date
(N) In an X.509 CRL entry, a date-time field that states when the
certificate revocation occurred, i.e., when the CA declared the
digital certificate to be invalid. (See: invalidity date.)
(C) The revocation date may not resolve some disputes because, in
the worst case, all signatures made during the validity period of
the certificate may have to be considered invalid. However, it may
be desirable to treat a digital signature as valid even though the
private key used to sign was compromised after the signing. If
more is known about when the compromise actually occurred, a
second date-time, an "invalidity date", can be included in an
extension of the CRL entry.
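The decision the paragraph describes, whether a signature made before the revocation can still be relied on, is easy to get wrong when the invalidity date is absent. The following is an added example, not text or code from this glossary or from any X.509 library: the CRL entry is a constructed stand-in for a decoded entry, and the rule that a missing invalidity date forces the conservative (worst-case) answer is the one the text gives.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class CrlEntry:
    """The two dates a CRL entry can carry (constructed stand-in for a decoded entry)."""
    revocation_date: datetime                    # when the CA declared the certificate invalid
    invalidity_date: Optional[datetime] = None   # when the key is known to have become invalid


def signature_trustworthy(signed_at: datetime, not_before: datetime, not_after: datetime,
                          entry: Optional[CrlEntry]) -> bool:
    """Can a signature made at signed_at be relied on, given the certificate's
    validity period and its CRL entry (None when the certificate is not revoked)?"""
    if not not_before <= signed_at <= not_after:
        return False                     # outside the validity period: never
    if entry is None:
        return True                      # not revoked
    if entry.invalidity_date is None:
        # Worst case from the text: nothing says when the compromise happened, so
        # every signature in the validity period has to be treated as suspect.
        return False
    # Never let an invalidity date later than the revocation itself extend trust.
    cutoff = min(entry.invalidity_date, entry.revocation_date)
    return signed_at < cutoff
```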
$ revocation list
See: certificate revocation list.
See: certificate revocation.
See: Request for Comment.
$ risk
(I) An expectation of loss expressed as the probability that a
particular threat will exploit a particular vulnerability with a
particular harmful result.
(O) SET usage: "The possibility of loss because of one or more
threats to information (not to be confused with financial or
business risk)." [SET2]
$ risk analysis
$ risk assessment
(I) A process that systematically identifies valuable system
resources and threats to those resources, quantifies loss
exposures (i.e., loss potential) based on estimated frequencies
and costs of occurrence, and (optionally) recommends how to
allocate resources to countermeasures so as to minimize total
(C) The analysis lists risks in order of cost and criticality,
thereby determining where countermeasures should be applied first.
It is usually financially and technically infeasible to counteract
all aspects of risk, and so some residual risk will remain, even
after all available countermeasures have been deployed. [FP031,
$ risk management
(I) The process of identifying, controlling, and eliminating or
minimizing uncertain events that may affect system resources.
(See: risk analysis.)
$ Rivest Cipher #2 (RC2)
(N) A proprietary, variable-key-length block cipher invented by
Ron Rivest for RSA Data Security, Inc. (now a wholly-owned
subsidiary of Security Dynamics, Inc.).
$ Rivest Cipher #4 (RC4)
(N) A proprietary, variable-key-length stream cipher invented by
Ron Rivest for RSA Data Security, Inc. (now a wholly-owned
subsidiary of Security Dynamics, Inc.).
$ Rivest-Shamir-Adleman (RSA)
(N) An algorithm for asymmetric cryptography, invented in 1977 by
Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78, Schn].
(C) RSA uses exponentiation modulo the product of two large prime
numbers. The difficulty of breaking RSA is believed to be
equivalent to the difficulty of factoring integers that are the
product of two large prime numbers of approximately equal size.
(C) To create an RSA key pair, randomly choose two large prime
numbers, p and q, and compute the modulus, n = pq. Randomly choose
a number e, the public exponent, that is less than n and
relatively prime to (p-1)(q-1). Choose another number d, the
private exponent, such that ed-1 is evenly divisible by (p-1)(q-1),
i.e., ed = 1 (mod (p-1)(q-1)). The
public key is the set of numbers (n,e), and the private key is the
(C) It is assumed to be difficult to compute the private key (n,d)
from the public key (n,e). However, if n can be factored into p
and q, then the private key d can be computed easily. Thus, RSA
security depends on the assumption that it is computationally
difficult to factor a number that is the product of two large
prime numbers. (Of course, p and q are treated as part of the
private key, or else destroyed after computing n.)
(C) For encryption of a message, m, to be sent to Bob, Alice uses
Bob's public key (n,e) to compute m**e (mod n) = c. She sends c to
Bob. Bob computes c**d (mod n) = m. Only Bob knows d, so only Bob
can compute c**d (mod n) = m to recover m.
(C) To provide data origin authentication of a message, m, to be
sent to Bob, Alice computes m**d (mod n) = s, where (d,n) is
Alice's private key. She sends m and s to Bob. To recover the
message that only Alice could have sent, Bob computes s**e (mod n)
= m, where (e,n) is Alice's public key.
(C) To ensure data integrity in addition to data origin
authentication requires extra computation steps in which Alice and
Bob use a cryptographic hash function h (as explained for digital
signature). Alice computes the hash value h(m) = v, and then
encrypts v with her private key to get s. She sends m and s. Bob
receives m' and s', either of which might have been changed from
the m and s that Alice sent. To test this, he decrypts s' with
Alice's public key to get v'. He then computes h(m') = v". If v'
equals v", Bob is assured that m' is the same m that Alice sent.
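The key generation, encryption, data origin authentication and hash-then-sign steps above can all be run on small numbers. The following is an added example written for this entry, not code from the RSA paper or from any cryptographic library: it is textbook RSA exactly as the glossary describes it (no padding), with two small constructed primes, SHA-256 standing in for h, and the hash reduced modulo n so that it is a valid message value. Unpadded RSA as shown here is suitable for seeing the arithmetic, not for protecting data; deployed systems use a padding scheme such as PKCS#1 on top of it.

```python
import hashlib
import math


def generate_keypair(p: int, q: int, e: int = 65537):
    """Key generation as the text describes it: n = pq, e less than n and coprime
    to (p-1)(q-1), d the inverse of e so that (p-1)(q-1) divides e*d - 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < n or math.gcd(e, phi) != 1:
        raise ValueError("e must be less than n and relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # e*d == 1 (mod (p-1)(q-1))
    assert (e * d - 1) % phi == 0       # the defining relation, written out
    # p and q now belong to the private key, or are destroyed (see text).
    return (n, e), (n, d)


def encrypt(m: int, public_key) -> int:
    """Alice: c = m**e (mod n) using Bob's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Bob: m = c**d (mod n); only the holder of d can do this."""
    n, d = private_key
    return pow(c, d, n)


def sign_raw(m: int, private_key) -> int:
    """Data origin authentication only: s = m**d (mod n)."""
    n, d = private_key
    return pow(m, d, n)


def verify_raw(m: int, s: int, public_key) -> bool:
    """Bob checks s**e (mod n) == m."""
    n, e = public_key
    return pow(s, e, n) == m


def hash_to_int(message: bytes, n: int) -> int:
    """h(m) as an integer below n (toy reduction; real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Integrity plus origin: sign v = h(m) rather than m itself."""
    n, d = private_key
    return pow(hash_to_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover v' from s' with the public key and compare with h(m')."""
    n, e = public_key
    return pow(signature, e, n) == hash_to_int(message, n)


def private_key_from_factors(public_key, p: int):
    """The text's point about factoring: anyone who learns p (hence q = n/p) gets d."""
    n, e = public_key
    q, r = divmod(n, p)
    if r != 0:
        raise ValueError("p does not divide n")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = generate_keypair(104729, 1299709)    # constructed small primes
    print("round trip ok:", decrypt(encrypt(123456789, pub), priv) == 123456789)
    print("signature ok:", verify(b"hello", sign(b"hello", priv), pub))
```

`verify` fails for a changed message because h(m') no longer equals the recovered v', and for a changed signature because s'**e (mod n) no longer equals h(m); `private_key_from_factors` is why p and q must never leak.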
$ role-based access control (RBAC)
(I) A form of identity-based access control where the system
entities that are identified and controlled are functional
positions in an organization or process.
$ root
(I) A CA that is directly trusted by an end entity. Acquiring the
value of a root CA's public key involves an out-of-band procedure.
(I) Hierarchical PKI usage: The CA that is the highest level (most
trusted) CA in a certification hierarchy; i.e., the authority upon
whose public key all certificate users base their trust. (See: top
(C) In a hierarchical PKI, a root issues public-key certificates
to one or more additional CAs that form the second highest level.
Each of these CAs may issue certificates to more CAs at the third
highest level, and so on. To initialize operation of a
hierarchical PKI, the root's initial public key is securely
distributed to all certificate users in a way that does not depend
on the PKI's certification relationships. The root's public key
may be distributed simply as a numerical value, but typically is
distributed in a self-signed certificate in which the root is the
subject. The root's certificate is signed by the root itself
because there is no higher authority in a certification hierarchy.
The root's certificate is then the first certificate in every
(O) MISSI usage: A name previously used for a MISSI policy
creation authority, which is not a root as defined above for
general usage, but is a CA at the second level of the MISSI
hierarchy, immediately subordinate to a MISSI policy approving
(O) UNIX usage: A user account (also called "superuser") that has
all privileges (including all security-related privileges) and
thus can manage the system and its other user accounts.
$ root certificate
(I) A certificate for which the subject is a root.
(I) Hierarchical PKI usage: The self-signed public-key certificate
at the top of a certification hierarchy.
$ root key
(I) A public key for which the matching private key is held by a
$ root registry
(O) MISSI usage: A name previously used for a MISSI policy
$ router
(I) A computer that is a gateway between two networks at OSI layer
3 and that relays and directs data packets through that
internetwork. The most common form of router operates on IP
packets. (See: bridge.)
(I) Internet usage: In the context of the Internet protocol suite,
a networked computer that forwards Internet Protocol packets that
are not addressed to the computer itself. (See: host.)
$ rule-based security policy
(I) "A security policy based on global rules imposed for all
users. These rules usually rely on comparison of the sensitivity
of the resource being accessed and the possession of corresponding
attributes of users, a group of users, or entities acting on
behalf of users." [I7498 Part 2] (See: identity-based security
(I) The property of a system being free from risk of causing harm
to system entities and outside entities.
See: security association identifier.
$ salt
(I) A random value that is concatenated with a password before
applying the one-way encryption function used to protect passwords
that are stored in the database of an access control system. (See:
(C) Salt protects a password-based access control system against a
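The salt definition above, together with the security usage of "random" earlier on this page (values must be unguessable, not merely statistically random), is illustrated by the following added example. It is not code from this glossary or from any access control product: it assumes PBKDF2-HMAC-SHA256 as the one-way function, a 16-byte salt drawn from the operating system's cryptographic generator via the `secrets` module, and a constructed record format `pbkdf2_sha256$iterations$salt_hex$digest_hex` for what the database stores.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to the verifying hardware


def make_salt(nbytes: int = 16) -> bytes:
    # secrets draws from the OS CSPRNG, which meets the "unguessable" requirement
    # quoted under "random"; random.random() or a clock-seeded generator does not.
    return secrets.token_bytes(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt is concatenated with the password inside the one-way function and then
    stored beside the result, since the verifier needs it again."""
    salt = make_salt() if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    alg, iters, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get different stored values, so one
    precomputed table cannot match both and equal passwords are not visible."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)
```

Without the salt, identical passwords would produce identical stored digests, and a single table of precomputed digests would serve against every record in the database at once.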
(I) Delete sensitive data from a file, a device, or a system; or
modify data so as to be able to downgrade its classification
See: Simple Authentication and Security Layer.
See: subordinate certification authority.
See: (secondary definition under) threat consequence.
$ screening router
(I) A synonym for "filtering router".
See: Secure Data Exchange.
See: Secure Data Network System.
(O) To use cryptography to provide data integrity service for a
data object. (See: sign, wrap.)
(D) ISDs SHOULD NOT use this definition; instead, use language
that is more specific with regard to the mechanism(s) used, such
as "sign" when the mechanism is digital signature.
$ secret
(I) (1.) Adjective: The condition of information being protected
from being known by any system entities except those who are
intended to know it. (2.) Noun: An item of information that is
(C) This term applies to symmetric keys, private keys, and
$ secret-key cryptography
(I) A synonym for "symmetric cryptography".
$ Secure Data Exchange (SDE)
(N) A local area network security protocol defined by the IEEE
$ Secure Data Network System (SDNS)
(N) An NSA program that developed security protocols for
electronic mail (Message Security Protocol), OSI layer 3 (SP3),
OSI layer 4 (SP4), and key management (KMP).
$ Secure Hash Standard (SHS)
(N) The U.S. Government standard [FP180] that specifies the Secure
Hash Algorithm (SHA-1), a cryptographic hash function that
produces a 160-bit output (hash result) for input data of any
length < 2**64 bits.
$ Secure Hypertext Transfer Protocol (Secure-HTTP, S-HTTP)
(I) An Internet protocol for providing client-server security
services for HTTP communications. (See: https.)
(C) S-HTTP was originally specified by CommerceNet, a coalition of
businesses interested in developing the Internet for commercial
uses. Several message formats may be incorporated into S-HTTP
clients and servers, particularly CMS and MOSS. S-HTTP supports
choice of security policies, key management mechanisms, and
cryptographic algorithms through option negotiation between
parties for each transaction. S-HTTP supports both asymmetric and
symmetric key operation modes. S-HTTP attempts to avoid presuming
a particular trust model, but it attempts to facilitate multiply-
rooted hierarchical trust and anticipates that principals may have
many public key certificates.
$ Secure/MIME (S/MIME)
(I) Secure/Multipurpose Internet Mail Extensions, an Internet
protocol [R2633] to provide encryption and digital signatures for
Internet mail messages.
$ Secure Sockets Layer (SSL)
(N) An Internet protocol (originally developed by Netscape
Communications, Inc.) that uses connection-oriented end-to-end
encryption to provide data confidentiality service and data
integrity service for traffic between a client (often a web
browser) and a server, and that can optionally provide peer entity
authentication between the client and the server. (See: Transport
(C) SSL is layered below HTTP and above a reliable transport
protocol (TCP). SSL is independent of the application it
encapsulates, and any higher level protocol can layer on top of
SSL transparently. However, many Internet applications might be
better served by IPsec.
(C) SSL has two layers: (a) SSL's lower layer, the SSL Record
Protocol, is layered on top of the transport protocol and
encapsulates higher level protocols. One such encapsulated
protocol is SSL Handshake Protocol. (b) SSL's upper layer provides
asymmetric cryptography for server authentication (verifying the
server's identity to the client) and optional client
authentication (verifying the client's identity to the server),
and also enables them to negotiate a symmetric encryption
algorithm and secret session key (to use for data confidentiality)
before the application protocol transmits or receives data. A
keyed hash provides data integrity service for encapsulated data.
$ secure state
(I) A system condition in which no subject can access any object
in an unauthorized manner. (See: (secondary definition under)
Bell-LaPadula Model, clean system.)
(I) (1.) Measures taken to protect a system. (2.) The condition of
a system that results from the establishment and maintenance of