tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 2828


Internet Security Glossary

Part 6 of 8, p. 150 to 179
Prev RFC Part       Next RFC Part


prevText      Top      Up      ToC       Page 150 
      measures to protect the system. (3.) The condition of system
      resources being free from unauthorized access and from
      unauthorized or accidental change, destruction, or loss.

   $ security architecture
      (I) A plan and set of principles that describe (a) the security
      services that a system is required to provide to meet the needs of
      its users, (b) the system elements required to implement the
      services, and (c) the performance levels required in the elements
      to deal with the threat environment. (See: (discussion under)
      security policy.)

      (C) A security architecture is the result of applying the system
      engineering process. A complete system security architecture
      includes administrative security, communication security, computer
      security, emanations security, personnel security, and physical
      security (e.g., see: [R2179]). A complete security architecture
      needs to deal with both intentional, intelligent threats and
      accidental kinds of threats.

   $ security association
      (I) A relationship established between two or more entities to
      enable them to protect data they exchange. The relationship is
      used to negotiate characteristics of protection mechanisms, but
      does not include the mechanisms themselves. (See: association.)

      (C) A security association describes how entities will use
      security services. The relationship is represented by a set of
      information that is shared between the entities and is agreed upon
      and considered a contract between them.

      (O) IPsec usage: A simplex (uni-directional) logical connection
      created for security purposes and implemented with either AH or
      ESP (but not both). The security services offered by a security
      association depend on the protocol selected, the IPsec mode
      (transport or tunnel), the endpoints, and the election of optional
      services within the protocol. A security association is identified
      by a triple consisting of (a) a destination IP address, (b) a
      protocol (AH or ESP) identifier, and (c) a Security Parameter

   $ security association identifier (SAID)
      (I) A data field in a security protocol (such as NLSP or SDE),
      used to identify the security association to which a protocol data
      unit is bound. The SAID value is usually used to select a key for
      decryption or authentication at the destination. (See: Security
      Parameter Index.)

Top      Up      ToC       Page 151 
   $ security audit
      (I) An independent review and examination of a system's records
      and activities to determine the adequacy of system controls,
      ensure compliance with established security policy and procedures,
      detect breaches in security services, and recommend any changes
      that are indicated for countermeasures. [I7498 Part 2, NCS01]

      (C) The basic audit objective is to establish accountability for
      system entities that initiate or participate in security-relevant
      events and actions. Thus, means are needed to generate and record
      a security audit trail and to review and analyze the audit trail
      to discover and investigate attacks and security compromises.

   $ security audit trail
      (I) A chronological record of system activities that is sufficient
      to enable the reconstruction and examination of the sequence of
      environments and activities surrounding or leading to an
      operation, procedure, or event in a security-relevant transaction
      from inception to final results. [NCS04] (See: security audit.)

   $ security class
      (D) A synonym for "security level". For consistency, ISDs SHOULD
      use "security level" instead of "security class".

   $ security clearance
      (I) A determination that a person is eligible, under the standards
      of a specific security policy, for authorization to access
      sensitive information or other system resources. (See: clearance

   $ security compromise
      (I) A security violation in which a system resource is exposed, or
      is potentially exposed, to unauthorized access. (See: data
      compromise, violation.)

   $ security domain
      See: domain.

   $ security environment
      (I) The set of external entities, procedures, and conditions that
      affect secure development, operation, and maintenance of a system.

   $ security event
      (I) A occurrence in a system that is relevant to the security of
      the system. (See: security incident.)

Top      Up      ToC       Page 152 
      (C) The term includes both events that are security incidents and
      those that are not. In a CA workstation, for example, a list of
      security events might include the following:

       - Performing a cryptographic operation, e.g., signing a digital
         certificate or CRL.
       - Performing a cryptographic card operation: creation, insertion,
         removal, or backup.
       - Performing a digital certificate lifecycle operation: rekey,
         renewal, revocation, or update.
       - Posting information to an X.500 Directory.
       - Receiving a key compromise notification.
       - Receiving an improper certification request.
       - Detecting an alarm condition reported by a cryptographic
       - Logging the operator in or out.
       - Failing a built-in hardware self-test or a software system
         integrity check.

   $ security fault analysis
      (I) A security analysis, usually performed on hardware at a logic
      gate level, gate-by-gate, to determine the security properties of
      a device when a hardware fault is encountered.

   $ security gateway
      (I) A gateway that separates trusted (or relatively more trusted)
      hosts on the internal network side from untrusted (or less
      trusted) hosts on the external network side. (See: firewall and

      (O) IPsec usage: "An intermediate system that implements IPsec
      protocols." [R2401] Normally, AH or ESP is implemented to serve a
      set of internal hosts, providing security services for the hosts
      when they communicate with other, external hosts or gateways that
      also implement IPsec.

   $ security incident
      (I) A security event that involves a security violation. (See:
      CERT, GRIP, security event, security intrusion, security

      (C) In other words, a security-relevant system event in which the
      system's security policy is disobeyed or otherwise breached.

      (O) "Any adverse event which compromises some aspect of computer
      or network security." [R2350]

Top      Up      ToC       Page 153 
      (D) ISDs SHOULD NOT use this "O" definition because (a) a security
      incident may occur without actually being harmful (i.e., adverse)
      and (b) this Glossary defines "compromise" more narrowly in
      relation to unauthorized access.

   $ security intrusion
      (I) A security event, or a combination of multiple security
      events, that constitutes a security incident in which an intruder
      gains, or attempts to gain, access to a system (or system
      resource) without having authorization to do so.

   $ security kernel
      (I) "The hardware, firmware, and software elements of a trusted
      computing base that implement the reference monitor concept. It
      must mediate all accesses, be protected from modification, and be
      verifiable as correct." [NCS04] (See: reference monitor.)

      (C) That is, a security kernel is an implementation of a reference
      monitor for a given hardware base.

   $ security label
      (I) A marking that is bound to a system resource and that names or
      designates the security-relevant attributes of that resource.
      [I7498 Part 2, R1457]

      (C) The recommended definition is usefully broad, but usually the
      term is understood more narrowly as a marking that represents the
      security level of an information object, i.e., a marking that
      indicates how sensitive an information object is. [NCS04]

      (C) System security mechanisms interpret security labels according
      to applicable security policy to determine how to control access
      to the associated information, otherwise constrain its handling,
      and affix appropriate security markings to visible (printed and
      displayed) images thereof. [FP188]

   $ security level
      (I) The combination of a hierarchical classification level and a
      set of non-hierarchical category designations that represents how
      sensitive information is. (See: (usage note under) classification
      level, dominate, lattice model.)

   $ security management infrastructure (SMI)
      (I) System elements and activities that support security policy by
      monitoring and controlling security services and mechanisms,
      distributing security information, and reporting security events.
      The associated functions are as follows [I7498-4]:

Top      Up      ToC       Page 154 
       - Controlling (granting or restricting) access to system
      resources: This includes verifying authorizations and
      identities, controlling access to sensitive security data, and
      modifying access priorities and procedures in the event of

       - Retrieving (gathering) and archiving (storing) security
      information: This includes logging security events and
      analyzing the log, monitoring and profiling usage, and
      reporting security violations.

       - Managing and controlling the encryption process: This includes
      performing the functions of key management and reporting on key
      management problems. (See: public-key infrastructure.)

   $ security mechanism
      (I) A process (or a device incorporating such a process) that can
      be used in a system to implement a security service that is
      provided by or within the system. (See: (discussion under)
      security policy.)

      (C) Some examples of security mechanisms are authentication
      exchange, checksum, digital signature, encryption, and traffic

   $ security model
      (I) A schematic description of a set of entities and relationships
      by which a specified set of security services are provided by or
      within a system. (See: (discussion under) security policy.)

      (C) An example is the Bell-LaPadula Model.

   $ security parameters index (SPI)
      (I) IPsec usage: The type of security association identifier used
      in IPsec protocols. A 32-bit value used to distinguish among
      different security associations terminating at the same
      destination (IP address) and using the same IPsec security
      protocol (AH or ESP). Carried in AH and ESP to enable the
      receiving system to determine under which security association to
      process a received packet.

   $ security perimeter
      (I) The boundary of the domain in which a security policy or
      security architecture applies; i.e., the boundary of the space in
      which security services protect system resources.

Top      Up      ToC       Page 155 
   $ security policy
      (I) A set of rules and practices that specify or regulate how a
      system or organization provides security services to protect
      sensitive and critical system resources. (See: identity-based
      security policy, rule-based security policy, security
      architecture, security mechanism, security model.)

      (O) "The set of rules laid down by the security authority
      governing the use and provision of security services and
      facilities." [X509]

      (C) Ravi Sandhu notes that security policy is one of four layers
      of the security engineering process (as shown in the following
      diagram). Each layer provides a different view of security,
      ranging from what services are needed to how services are

         What Security Services Should Be Provided?
          | + - - - - - - - - - - - +
          | | Security Policy       |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Model        |    | A "top-level specification" |
          | + - - - - - - - - - - - + <- | is at a level below "model" |
          | | Security Architecture |    | but above "architecture".   |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Mechanism    |
          | + - - - - - - - - - - - +
         How Are Security Services Implemented?

   $ Security Protocol 3 (SP3)
      (O) A protocol [SDNS3] developed by SDNS to provide connectionless
      data security at the top of OSI layer 3. (See: NLSP.)

   $ Security Protocol 4 (SP4)
      (O) A protocol [SDNS4] developed by SDNS to provide either
      connectionless or end-to-end connection-oriented data security at
      the bottom of OSI layer 4. (See: TLSP.)

   $ security-relevant event
      See: security event.

   $ security service
      (I) A processing or communication service that is provided by a
      system to give a specific kind of protection to system resources.
      (See: access control service, audit service, availability service,

Top      Up      ToC       Page 156 
      data confidentiality service, data integrity service, data origin
      authentication service, non-repudiation service, peer entity
      authentication service, system integrity service.)

      (O) "A service, provided by a layer of communicating open systems,
      which ensures adequate security of the systems or the data
      transfers." [I7498 Part 2]

      (C) Security services implement security policies, and are
      implemented by security mechanisms.

   $ security situation
      (I) ISAKMP usage: The set of all security-relevant information--
      e.g., network addresses, security classifications, manner of
      operation (normal or emergency)--that is needed to decide the
      security services that are required to protect the association
      that is being negotiated.

   $ security token
      See: token.

   $ security violation
      (I) An act or event that disobeys or otherwise breaches security
      policy. (See: compromise, penetration, security incident.)

   $ self-signed certificate
      (I) A public-key certificate for which the public key bound by the
      certificate and the private key used to sign the certificate are
      components of the same key pair, which belongs to the signer.
      (See: root certificate.)

      (C) In a self-signed X.509 public-key certificate, the issuer's DN
      is the same as the subject's DN.

   $ semantic security
      (I) An attribute of a encryption algorithm that is a formalization
      of the notion that the algorithm not only hides the plaintext but
      also reveals no partial information about the plaintext. Whatever
      is efficiently computable about the plaintext when given the
      ciphertext, is also efficiently computable without the ciphertext.
      (See: indistinguishability.)

   $ sensitive (information)
      (I) Information is sensitive if disclosure, alteration,
      destruction, or loss of the information would adversely affect the
      interests or business of its owner or user. (See: critical.)

Top      Up      ToC       Page 157 
   $ separation of duties
      (I) The practice of dividing the steps in a system function among
      different individuals, so as to keep a single individual from
      subverting the process. (See: dual control, administrative

   $ serial number
      See: certificate serial number.

   $ server
      (I) A system entity that provides a service in response to
      requests from other system entities called clients.

   $ session key
      (I) In the context of symmetric encryption, a key that is
      temporary or is used for a relatively short period of time. (See:
      ephemeral key, key distribution center, master key.)

      (C) Usually, a session key is used for a defined period of
      communication between two computers, such as for the duration of a
      single connection or transaction set, or the key is used in an
      application that protects relatively large amounts of data and,
      therefore, needs to be rekeyed frequently.

   $ SET
      See: SET Secure Electronic Transaction(trademark).

   $ SET private extension
      (O) One of the private extensions defined by SET for X.509
      certificates. Carries information about hashed root key,
      certificate type, merchant data, cardholder certificate
      requirements, encryption support for tunneling, or message support
      for payment instructions.

   $ SET qualifier
      (O) A certificate policy qualifier that provides information about
      the location and content of a SET certificate policy.

      (C) In addition to the policies and qualifiers inherited from its
      own certificate, each CA in the SET certification hierarchy may
      add one qualifying statement to the root policy when the CA issues
      a certificate. The additional qualifier is a certificate policy
      for that CA. Each policy in a SET certificate may have these

       - A URL where a copy of the policy statement may be found.
       - An electronic mail address where a copy of the policy statement
         may be found.

Top      Up      ToC       Page 158 
       - A hash result of the policy statement, computed using the
         indicated algorithm.
       - A statement declaring any disclaimers associated with the
         issuing of the certificate.

   $ SET Secure Electronic Transaction(trademark) or SET(trademark)
      (N) A protocol developed jointly by MasterCard International and
      Visa International and published as an open standard to provide
      confidentiality of transaction information, payment integrity, and
      authentication of transaction participants for payment card
      transactions over unsecured networks, such as the Internet. [SET1]
      (See: acquirer, brand, cardholder, dual signature, electronic
      commerce, issuer, merchant, payment gateway, third party.)

      (C) This term and acronym are trademarks of SETCo. MasterCard and
      Visa announced the SET standard on 1 February 1996. On 19 December
      1997, MasterCard and Visa formed SET Secure Electronic Transaction
      LLC (commonly referred to as "SETCo") to implement the SET 1.0
      specification. A memorandum of understanding adds American Express
      and JCB Credit Card Company as co-owners of SETCo.

   $ SETCo
      See: (secondary definition under) SET Secure Electronic

   $ SHA-1
      See: Secure Hash Standard.

   $ shared secret
      (I) A synonym for "keying material" or "cryptographic key".

   $ S-HTTP
      See: Secure HTTP.

   $ sign
      (I) Create a digital signature for a data object.

   $ signature
      See: digital signature, electronic signature.

   $ signature certificate
      (I) A public-key certificate that contains a public key that is
      intended to be used for verifying digital signatures, rather than
      for encrypting data or performing other cryptographic functions.

      (C) A v3 X.509 public-key certificate may have a "keyUsage"
      extension which indicates the purpose for which the certified
      public key is intended.

Top      Up      ToC       Page 159 
   $ signer
      (N) A human being or an organization entity that uses its private
      key to create a digital signature for a data object. [ABA]

   $ SILS
      See: Standards for Interoperable LAN/MAN Security.

   $ simple authentication
      (I) An authentication process that uses a password as the
      information needed to verify an identity claimed for an entity.
      (See: strong authentication.)

      (O) "Authentication by means of simple password arrangements."

   $ Simple Authentication and Security Layer (SASL)
      (I) An Internet specification [R2222] for adding authentication
      service to connection-based protocols. To use SASL, a protocol
      includes a command for authenticating a user to a server and for
      optionally negotiating protection of subsequent protocol
      interactions. The command names a registered security mechanism.
      SASL mechanisms include Kerberos, GSSAPI, S/KEY, and others. Some
      protocols that use SASL are IMAP4 and POP3.

   $ Simple Key-management for Internet Protocols (SKIP)
      (I) A key distribution protocol that uses hybrid encryption to
      convey session keys that are used to encrypt data in IP packets.
      [R2356] (See: IKE, IPsec.)

      (C) SKIP uses the Diffie-Hellman algorithm (or could use another
      key agreement algorithm) to generate a key-encrypting key for use
      between two entities. A session key is used with a symmetric
      algorithm to encrypt data in one or more IP packets that are to be
      sent from one of the entities to the other. The KEK is used with a
      symmetric algorithm to encrypt the session key, and the encrypted
      session key is placed in a SKIP header that is added to each IP
      packet that is encrypted with that session key.

   $ Simple Mail Transfer Protocol (SMTP)
      (I) A TCP-based, application-layer, Internet Standard protocol
      [R0821] for moving electronic mail messages from one computer to

   $ Simple Network Management Protocol (SNMP)
      (I) A UDP-based, application-layer, Internet Standard protocol
      [R2570, R2574] for conveying management information between
      managers and agents.

Top      Up      ToC       Page 160 
      (C) SNMP version 1 uses cleartext passwords for authentication and
      access control. (See: community string.) Version 2 adds
      cryptographic mechanisms based on DES and MD5. Version 3 provides
      enhanced, integrated support for security services, including data
      confidentiality, data integrity, data origin authentication, and
      message timeliness and limited replay protection.

   $ simple security property
      See: (secondary definition under) Bell-LaPadula Model.

   $ single sign-on
      (I) A system that enables a user to access multiple computer
      platforms (usually a set of hosts on the same network) or
      application systems after being authenticated just one time. (See:

      (C) Typically, a user logs in just once, and then is transparently
      granted access to a variety of permitted resources with no further
      login being required until after the user logs out. Such a system
      has the advantages of being user friendly and enabling
      authentication to be managed consistently across an entire
      enterprise, and has the disadvantage of requiring all hosts and
      applications to trust the same authentication mechanism.

   $ situation
      See: security situation.

   $ S/Key
      (I) A security mechanism that uses a cryptographic hash function
      to generate a sequence of 64-bit, one-time passwords for remote
      user login. [R1760]

      (C) The client generates a one-time password by applying the MD4
      cryptographic hash function multiple times to the user's secret
      key. For each successive authentication of the user, the number of
      hash applications is reduced by one. (Thus, an intruder using
      wiretapping cannot compute a valid password from knowledge of one
      previously used.) The server verifies a password by hashing the
      currently presented password (or initialization value) one time
      and comparing the hash result with the previously presented

   $ SKIP
      See: Simple Key-management for IP.

Top      Up      ToC       Page 161 
      (N) A Type II block cipher [NIST] with a block size of 64 bits and
      a key size of 80 bits, that was developed by NSA and formerly
      classified at the U.S. Department of Defense "Secret" level. (See:
      CAPSTONE, CLIPPER, FORTEZZA, Key Exchange Algorithm.)

      (C) On 23 June 1998, NSA announced that SKIPJACK had been

   $ slot
      (O) MISSI usage: One of the FORTEZZA PC card storage areas that
      are each able to hold an X.509 certificate and additional data
      that is associated with the certificate, such as the matching
      private key.

   $ smart card
      (I) A credit-card sized device containing one or more integrated
      circuit chips, which perform the functions of a computer's central
      processor, memory, and input/output interface. (See: PC card.)

      (C) Sometimes this term is used rather strictly to mean a card
      that closely conforms to the dimensions and appearance of the kind
      of plastic credit card issued by banks and merchants. At other
      times, the term is used loosely to include cards that are larger
      than credit cards, especially cards that are thicker, such as PC

      (C) A "smart token" is a device that conforms to the definition of
      smart card except that rather than having standard credit card
      dimensions, the token is packaged in some other form, such as a
      dog tag or door key shape.

   $ smart token
      See: (secondary definition under) smart card.

   $ SMI
      See: security management infrastructure.

   $ S/MIME
      See: Secure/MIME.

   $ SMTP
      See: Simple Mail Transfer Protocol.

   $ smurf
      (I) Software that mounts a denial-of-service attack ("smurfing")
      by exploiting IP broadcast addressing and ICMP ping packets to
      cause flooding. (See: flood, ICMP flood.)

Top      Up      ToC       Page 162 
      (D) ISDs SHOULD NOT use this term because it is not listed in most
      dictionaries and could confuse international readers.

      (C) A smurf program builds a network packet that appears to
      originate from another address, that of the "victim", either a
      host or an IP router. The packet contains an ICMP ping message
      that is addressed to an IP broadcast address, i.e., to all IP
      addresses in a given network. The echo responses to the ping
      message return to the victim's address. The goal of smurfing may
      be either to deny service at a particular host or to flood all or
      part of an IP network.

   $ sniffing
      (C) A synonym for "passive wiretapping". (See: password sniffing.)

      (D) ISDs SHOULD NOT use this term because it unnecessarily
      duplicates the meaning of a term that is better established. (See:
      (usage note under) Green Book.

   $ SNMP
      See: Simple Network Management Protocol.

   $ social engineering
      (I) A euphemism for non-technical or low-technology means--such as
      lies, impersonation, tricks, bribes, blackmail, and threats--used
      to attack information systems. (See: masquerade attack.)

      (D) ISDs SHOULD NOT use this term because it is vague; instead,
      use a term that is specific with regard to the means of attack.

   $ SOCKS
      (I) An Internet protocol [R1928] that provides a generalized proxy
      server that enables client-server applications--such as TELNET,
      FTP, and HTTP; running over either TCP or UDP--to use the services
      of a firewall.

      (C) SOCKS is layered under the application layer and above the
      transport layer. When a client inside a firewall wishes to
      establish a connection to an object that is reachable only through
      the firewall, it uses TCP to connect to the SOCKS server,
      negotiates with the server for the authentication method to be
      used, authenticates with the chosen method, and then sends a relay
      request. The SOCKS server evaluates the request, typically based
      on source and destination addresses, and either establishes the
      appropriate connection or denies it.

Top      Up      ToC       Page 163 
   $ soft TEMPEST
      (O) The use of software techniques to reduce the radio frequency
      information leakage from computer displays and keyboards. [Kuhn]
      (See: TEMPEST.)

   $ software
      (I) Computer programs (which are stored in and executed by
      computer hardware) and associated data (which also is stored in
      the hardware) that may be dynamically written or modified during
      execution. (See: firmware, hardware.)

   $ SORA
      See: SSO-PIN ORA.

   $ source authentication
      (D) ISDs SHOULD NOT use this term because it is ambiguous. If the
      intent is to authenticate the original creator or packager of data
      received, then say "data origin authentication". If the intent is
      to authenticate the identity of the sender of data, then say "peer
      entity authentication". (See: data origin authentication, peer
      entity authentication).

   $ source integrity
      (I) The degree of confidence that can be placed in information
      based on the trustworthiness of its sources. (See: integrity.)

   $ SP3
      See: Security Protocol 3.

   $ SP4
      See: Security Protocol 4.

   $ spam
      (I) (1.) Verb: To indiscriminately send unsolicited, unwanted,
      irrelevant, or inappropriate messages, especially commercial
      advertising in mass quantities. (2.) Noun: electronic "junk mail".

      (D) This term SHOULD NOT be written in upper-case letters, because
      SPAM(trademark) is a trademark of Hormel Foods Corporation. Hormel
      says, "We do not object to use of this slang term [spam] to
      describe [unsolicited commercial email (UCE)], although we do
      object to the use of our product image in association with that
      term. Also, if the term is to be used, it should be used in all
      lower-case letters to distinguish it from our trademark SPAM,
      which should be used with all uppercase letters."

Top      Up      ToC       Page 164 
      (C) In sufficient volume, spam can cause denial of service. (See:
      flooding.) According to the SPAM Web site, the term was adopted as
      a result of the Monty Python skit in which a group of Vikings sang
      a chorus of 'SPAM, SPAM, SPAM . . .' in an increasing crescendo,
      drowning out other conversation. Hence, the analogy applied
      because UCE was drowning out normal discourse on the Internet.

   $ SPC
      See: software publisher certificate.

   $ SPI
      See: Security Parameters Index.

   $ split key
      (I) A cryptographic key that is divided into two or more separate
      data items that individually convey no knowledge of the whole key
      that results from combining the items. (See: dual control, split

   $ split knowledge
      (I) A security technique in which two or more entities separately
      hold data items that individually convey no knowledge of the
      information that results from combining the items. (See: dual
      control, split key.)

      (O) "A condition under which two or more entities separately have
      key components which individually convey no knowledge of the
      plaintext key which will be produced when the key components are
      combined in the cryptographic module." [FP140]

   $ spoofing attack
      (I) A synonym for "masquerade attack".

   $ SSH
      (I) A protocol for secure remote login and other secure network
      services over an insecure network.

      (C) Consists of three major components:

       - Transport layer protocol: Provides server authentication,
         confidentiality, and integrity. It may optionally also provide
         compression. The transport layer will typically be run over a
         TCP/IP connection, but might also be used on top of any other
         reliable data stream.

       - User authentication protocol: Authenticates the client-side
         user to the server. It runs over the transport layer protocol.

Top      Up      ToC       Page 165 
       - Connection protocol: Multiplexes the encrypted tunnel into
         several logical channels. It runs over the user authentication

   $ SSL
      See: Secure Sockets Layer, Standard Security Label.

   $ SSO
      See: system security officer.

   $ SSO PIN
      (O) MISSI usage: One of two personal identification numbers that
      control access to the functions and stored data of a FORTEZZA PC
      card. Knowledge of the SSO PIN enables the card user to perform
      the FORTEZZA functions intended for use by an end user and also
      the functions intended for use by a MISSI certification authority.
      (See: user PIN.)

      (O) MISSI usage: A MISSI organizational RA that operates in a mode
      in which the ORA performs all card management functions and,
      therefore, requires knowledge of the SSO PIN for an end user's
      FORTEZZA PC card.

   $ Standards for Interoperable LAN/MAN Security (SILS)
      (N) (1.) The IEEE 802.10 standards committee. (2.) A developing
      set of IEEE standards, which has eight parts: (a) Model, including
      security management, (b) Secure Data Exchange protocol, (c) Key
      Management, (d) [has been incorporated in (a)], (e) SDE Over
      Ethernet 2.0, (f) SDE Sublayer Management, (g) SDE Security
      Labels, and (h) SDE PICS Conformance. Parts b, e, f, g, and h are
      incorporated in IEEE Standard 802.10-1998.

   $ star property
      (I) (Written "*-property".) See: "confinement property" under
      Bell-LaPadula Model.

   $ Star Trek attack
      (C) An attack that penetrates your system where no attack has ever
      gone before.

   $ steganography
      (I) Methods of hiding the existence of a message or other data.
      This is different than cryptography, which hides the meaning of a
      message but does not hide the message itself. (See: cryptology.)

      (C) An example of a steganographic method is "invisible" ink.
      (See: digital watermark.)

Top      Up      ToC       Page 166 
   $ storage channel
      See: (secondary definition under) covert channel.

   $ stream cipher
      (I) An encryption algorithm that breaks plaintext into a stream of
      successive bits (or characters) and encrypts the n-th plaintext
      bit with the n-th element of a parallel key stream, thus
      converting the plaintext bit stream into a ciphertext bit stream.
      [Schn] (See: block cipher.)

   $ strong authentication
      (I) An authentication process that uses cryptography--particularly
      public-key certificates--to verify the identity claimed for an
      entity. (See: X.509.)

      (O) "Authentication by means of cryptographically derived
      credentials." [X509]

   $ subject
      1. (I) In a computer system: A system entity that causes
      information to flow among objects or changes the system state;
      technically, a process-domain pair. (See: Bell-LaPadula Model.)

      2. (I) Of a certificate: The entity name that is bound to the data
      items in a digital certificate, and particularly a name that is
      bound to a key value in a public-key certificate.

   $ subnetwork
      (N) An OSI term for a system of packet relays and connecting links
      that implement the lower three protocol layers of the OSIRM to
      provide a communication service that interconnects attached end
      systems. Usually the relays operate at OSI layer 3 and are all of
      the same type (e.g., all X.25 packet switches, or all interface
      units in an IEEE 802.3 LAN). (See: gateway, internet, router.)

   $ subordinate certification authority (SCA)
      (I) A CA whose public-key certificate is issued by another
      (superior) CA. (See: certification hierarchy.)

      (O) MISSI usage: The fourth-highest (bottom) level of a MISSI
      certification hierarchy; a MISSI CA whose public-key certificate
      is signed by a MISSI CA rather than by a MISSI PCA. A MISSI SCA is
      the administrative authority for a subunit of an organization,
      established when it is desirable to organizationally distribute or
      decentralize the CA service. The term refers both to that
      authoritative office or role, and to the person who fills that

Top      Up      ToC       Page 167 
      office. A MISSI SCA registers end users and issues their
      certificates and may also register ORAs, but may not register
      other CAs. An SCA periodically issues a CRL.

   $ subordinate distinguished name
      (I) An X.500 DN is subordinate to another X.500 DN if it begins
      with a set of attributes that is the same as the entire second DN
      except for the terminal attribute of the second DN (which is
      usually the name of a CA). For example, the DN <C=FooLand, O=Gov,
      OU=Treasurer, CN=DukePinchpenny> is subordinate to the DN
      <C=FooLand, O=Gov, CN=KingFooCA>.

   $ superencryption
      (I) An encryption operation for which the plaintext input to be
      transformed is the ciphertext output of a previous encryption

   $ survivability
      (I) The ability of a system to remain in operation or existence
      despite adverse conditions, including both natural occurrences,
      accidental actions, and attacks on the system. (See: availability,

   $ symmetric cryptography
      (I) A branch of cryptography involving algorithms that use the
      same key for two different steps of the algorithm (such as
      encryption and decryption, or signature creation and signature
      verification). (See: asymmetric cryptography.)

      (C) Symmetric cryptography has been used for thousands of years
      [Kahn]. A modern example of a symmetric encryption algorithm is
      the U.S. Government's Data Encryption Algorithm. (See: DEA, DES.)

      (C) Symmetric cryptography is sometimes called "secret-key
      cryptography" (versus public-key cryptography) because the
      entities that share the key, such as the originator and the
      recipient of a message, need to keep the key secret. For example,
      when Alice wants to ensure confidentiality for data she sends to
      Bob, she encrypts the data with a secret key, and Bob uses the
      same key to decrypt. Keeping the shared key secret entails both
      cost and risk when the key is distributed to both Alice and Bob.
      Thus, symmetric cryptography has a key management disadvantage
      compared to asymmetric cryptography.

   $ symmetric key
      (I) A cryptographic key that is used in a symmetric cryptographic

Top      Up      ToC       Page 168 
   $ SYN flood
      (I) A denial of service attack that sends a host more TCP SYN
      packets (request to synchronize sequence numbers, used when
      opening a connection) than the protocol implementation can handle.
      (See: flooding.)

   $ system
      (C) In this Glossary, the term is mainly used as an abbreviation
      for "automated information system".

   $ system entity
      (I) An active element of a system--e.g., an automated process, a
      subsystem, a person or group of persons--that incorporates a
      specific set of capabilities.

   $ system high
      (I) The highest security level supported by a system at a
      particular time or in a particular environment. (See: system high
      security mode.)

   $ system high security mode
      (I) A mode of operation of an information system, wherein all
      users having access to the system possess a security clearance or
      authorization, but not necessarily a need-to-know, for all data
      handled by the system. (See: mode of operation.)

      (C) This mode is defined formally in U.S. Department of Defense
      policy regarding system accreditation [DOD2], but the term is
      widely used outside the Defense Department and outside the

   $ system integrity
      (I) "The quality that a system has when it can perform its
      intended function in a unimpaired manner, free from deliberate or
      inadvertent unauthorized manipulation." [NCS04] (See: system
      integrity service.)

   $ system integrity service
      (I) A security service that protects system resources in a
      verifiable manner against unauthorized or accidental change, loss,
      or destruction. (See: system integrity.)

   $ system low
      (I) The lowest security level supported by a system at a
      particular time or in a particular environment. (See: system

Top      Up      ToC       Page 169 
   $ system resource
      (I) Data contained in an information system; or a service provided
      by a system; or a system capability, such as processing power or
      communication bandwidth; or an item of system equipment (i.e., a
      system component--hardware, firmware, software, or documentation);
      or a facility that houses system operations and equipment.

   $ system security officer (SSO)
      (I) A person responsible for enforcement or administration of the
      security policy that applies to the system.

   $ system verification
      See: (secondary definition under) verification.

   $ TACACS+
      See: Terminal Access Controller (TAC) Access Control System.

   $ tamper
      (I) Make an unauthorized modification in a system that alters the
      system's functioning in a way that degrades the security services
      that the system was intended to provide.

   $ TCB
      See: trusted computing base.

   $ TCP
      See: Transmission Control Protocol.

   $ TCP/IP
      (I) A synonym for "Internet Protocol Suite", in which the
      Transmission Control Protocol (TCP) and the Internet Protocol (IP)
      are important parts.

   $ TCSEC
      See: Trusted Computer System Evaluation Criteria.

      (I) A TCP-based, application-layer, Internet Standard protocol
      [R0854] for remote login from one host to another.

      (O) A nickname for specifications and standards for limiting the
      strength of electromagnetic emanations from electrical and
      electronic equipment and thus reducing vulnerability to
      eavesdropping. This term originated in the U.S. Department of
      Defense. [Army, Kuhn, Russ] (See: emanation security, soft

Top      Up      ToC       Page 170 
      (D) ISDs SHOULD NOT use this term as a synonym for
      "electromagnetic emanations security".

   $ Terminal Access Controller (TAC) Access Control System (TACACS)
      (I) A UDP-based authentication and access control protocol [R1492]
      in which a network access server receives an identifier and
      password from a remote terminal and passes them to a separate
      authentication server for verification.

      (C) TACACS was developed for ARPANET and has evolved for use in
      commercial equipment. TACs were a type of network access server
      computer used to connect terminals to the early Internet, usually
      using dial-up modem connections. TACACS used centralized
      authentication servers and served not only network access servers
      like TACs but also routers and other networked computing devices.
      TACs are no longer in use, but TACACS+ is. [R1983]

       - "XTACACS": The name of Cisco Corporation's implementation,
         which enhances and extends the original TACACS.

       - "TACACS+": A TCP-based protocol that improves on TACACS and
         XTACACS by separating the functions of authentication,
         authorization, and accounting and by encrypting all traffic
         between the network access server and authentication server. It
         is extensible to allow any authentication mechanism to be used
         with TACACS+ clients.

   $ TESS
      See: The Exponential Encryption System.

   $ The Exponential Encryption System (TESS)
      (I) A system of separate but cooperating cryptographic mechanisms
      and functions for the secure authenticated exchange of
      cryptographic keys, the generation of digital signatures, and the
      distribution of public keys. TESS employs asymmetric cryptography,
      based on discrete exponentiation, and a structure of self-
      certified public keys. [R1824]

   $ threat
      (I) A potential for violation of security, which exists when there
      is a circumstance, capability, action, or event that could breach
      security and cause harm. (See: attack, threat action, threat

      (C) That is, a threat is a possible danger that might exploit a
      vulnerability. A threat can be either "intentional" (i.e.,
      intelligent; e.g., an individual cracker or a criminal

Top      Up      ToC       Page 171 
      organization) or "accidental" (e.g., the possibility of a computer
      malfunctioning, or the possibility of an "act of God" such as an
      earthquake, a fire, or a tornado).

      (C) In some contexts, such as the following, the term is used
      narrowly to refer only to intelligent threats:

      (N) U. S. Government usage: The technical and operational
      capability of a hostile entity to detect, exploit, or subvert
      friendly information systems and the demonstrated, presumed, or
      inferred intent of that entity to conduct such activity.

   $ threat action
      (I) An assault on system security. (See: attack, threat, threat

      (C) A complete security architecture deals with both intentional
      acts (i.e. attacks) and accidental events [FIPS31]. Various kinds
      of threat actions are defined as subentries under "threat

   $ threat analysis
      (I) An analysis of the probability of occurrences and consequences
      of damaging actions to a system.

   $ threat consequence
      (I) A security violation that results from a threat action.
      Includes disclosure, deception, disruption, and usurpation. (See:
      attack, threat, threat action.)

      (C) The following subentries describe four kinds of threat
      consequences, and also list and describe the kinds of threat
      actions that cause each consequence. Threat actions that are
      accidental events are marked by "*".

      1. "(Unauthorized) Disclosure" (a threat consequence): A
         circumstance or event whereby an entity gains access to data
         for which the entity is not authorized. (See: data
         confidentiality.) The following threat actions can cause
         unauthorized disclosure:

         A. "Exposure": A threat action whereby sensitive data is
            directly released to an unauthorized entity. This includes:

            a. "Deliberate Exposure": Intentional release of sensitive
               data to an unauthorized entity.

Top      Up      ToC       Page 172 
            b. "Scavenging": Searching through data residue in a system
               to gain unauthorized knowledge of sensitive data.

            c* "Human error": Human action or inaction that
               unintentionally results in an entity gaining unauthorized
               knowledge of sensitive data.

            d* "Hardware/software error". System failure that results in
               an entity gaining unauthorized knowledge of sensitive

         B. "Interception": A threat action whereby an unauthorized
            entity directly accesses sensitive data traveling between
            authorized sources and destinations. This includes:

            a. "Theft": Gaining access to sensitive data by stealing a
               shipment of a physical medium, such as a magnetic tape or
               disk, that holds the data.

            b. "Wiretapping (passive)": Monitoring and recording data
               that is flowing between two points in a communication
               system. (See: wiretapping.)

            c. "Emanations analysis": Gaining direct knowledge of
               communicated data by monitoring and resolving a signal
               that is emitted by a system and that contains the data
               but is not intended to communicate the data. (See:

         C. "Inference": A threat action whereby an unauthorized entity
            indirectly accesses sensitive data (but not necessarily the
            data contained in the communication) by reasoning from
            characteristics or byproducts of communications. This

            a. Traffic analysis: Gaining knowledge of data by observing
               the characteristics of communications that carry the
               data. (See: (main Glossary entry for) traffic analysis.)

            b. "Signals analysis": Gaining indirect knowledge of
               communicated data by monitoring and analyzing a signal
               that is emitted by a system and that contains the data
               but is not intended to communicate the data. (See:

         D. "Intrusion": A threat action whereby an unauthorized entity
            gains access to sensitive data by circumventing a system's
            security protections. This includes:

Top      Up      ToC       Page 173 
            a. "Trespass": Gaining unauthorized physical access to
               sensitive data by circumventing a system's protections.

            b. "Penetration": Gaining unauthorized logical access to
               sensitive data by circumventing a system's protections.

            c. "Reverse engineering": Acquiring sensitive data by
               disassembling and analyzing the design of a system

            d. Cryptanalysis: Transforming encrypted data into plaintext
               without having prior knowledge of encryption parameters
               or processes. (See: (main Glossary entry for)

      2. "Deception" (a threat consequence): A circumstance or event
         that may result in an authorized entity receiving false data
         and believing it to be true. The following threat actions can
         cause deception:

         A. "Masquerade": A threat action whereby an unauthorized entity
            gains access to a system or performs a malicious act by
            posing as an authorized entity. (See: (main Glossary entry
            for) masquerade attack.)

            a. "Spoof": Attempt by an unauthorized entity to gain access
               to a system by posing as an authorized user.

            b. "Malicious logic": In context of masquerade, any
               hardware, firmware, or software (e.g., Trojan horse) that
               appears to perform a useful or desirable function, but
               actually gains unauthorized access to system resources or
               tricks a user into executing other malicious logic. (See:
               (main Glossary entry for) malicious logic.)

         B. "Falsification": A threat action whereby false data deceives
            an authorized entity. (See: active wiretapping.)

            a. "Substitution": Altering or replacing valid data with
               false data that serves to deceive an authorized entity.

            b. "Insertion": Introducing false data that serves to
               deceive an authorized entity.

         C. "Repudiation": A threat action whereby an entity deceives
            another by falsely denying responsibility for an act. (See:
            non-repudiation service, (main Glossary entry for)

Top      Up      ToC       Page 174 
            a. "False denial of origin": Action whereby the originator
               of data denies responsibility for its generation.

            b. "False denial of receipt": Action whereby the recipient
               of data denies receiving and possessing the data.

      3. "Disruption" (a threat consequence): A circumstance or event
         that interrupts or prevents the correct operation of system
         services and functions. (See: denial of service.) The following
         threat actions can cause disruption:

         A. "Incapacitation": A threat action that prevents or
            interrupts system operation by disabling a system component.

            a. "Malicious logic": In context of incapacitation, any
               hardware, firmware, or software (e.g., logic bomb)
               intentionally introduced into a system to destroy system
               functions or resources. (See: (main Glossary entry for)
               malicious logic.)

            b. "Physical destruction": Deliberate destruction of a
               system component to interrupt or prevent system

            c* "Human error": Action or inaction that unintentionally
               disables a system component.

            d* "Hardware or software error": Error that causes failure
               of a system component and leads to disruption of system

            e* "Natural disaster": Any "act of God" (e.g., fire, flood,
               earthquake, lightning, or wind) that disables a system
               component. [FP031 section 2]

         B. "Corruption": A threat action that undesirably alters system
            operation by adversely modifying system functions or data.

            a. "Tamper": In context of corruption, deliberate alteration
               of a system's logic, data, or control information to
               interrupt or prevent correct operation of system

            b. "Malicious logic": In context of corruption, any
               hardware, firmware, or software (e.g., a computer virus)
               intentionally introduced into a system to modify system
               functions or data. (See: (main Glossary entry for)
               malicious logic.)

Top      Up      ToC       Page 175 
            c* "Human error": Human action or inaction that
               unintentionally results in the alteration of system
               functions or data.

            d* "Hardware or software error": Error that results in the
               alteration of system functions or data.

            e* "Natural disaster": Any "act of God" (e.g., power surge
               caused by lightning) that alters system functions or
               data. [FP031 section 2]

         C. "Obstruction": A threat action that interrupts delivery of
            system services by hindering system operations.

            a. "Interference": Disruption of system operations by
               blocking communications or user data or control

            b. "Overload": Hindrance of system operation by placing
               excess burden on the performance capabilities of a system
               component. (See: flooding.)

      4. "Usurpation" (a threat consequence): A circumstance or event
         that results in control of system services or functions by an
         unauthorized entity. The following threat actions can cause

         A. "Misappropriation": A threat action whereby an entity
            assumes unauthorized logical or physical control of a system

            a. "Theft of service": Unauthorized use of service by an

            b. "Theft of functionality": Unauthorized acquisition of
               actual hardware, software, or firmware of a system

            c. "Theft of data": Unauthorized acquisition and use of

         B. "Misuse": A threat action that causes a system component to
            perform a function or service that is detrimental to system

            a. "Tamper": In context of misuse, deliberate alteration of
               a system's logic, data, or control information to cause
               the system to perform unauthorized functions or services.

Top      Up      ToC       Page 176 
            b. "Malicious logic": In context of misuse, any hardware,
               software, or firmware intentionally introduced into a
               system to perform or control execution of an unauthorized
               function or service.

            c. "Violation of permissions": Action by an entity that
               exceeds the entity's system privileges by executing an
               unauthorized function.

   $ thumbprint
      (I) A pattern of curves formed by the ridges on the tip of a
      thumb. (See: biometric authentication, fingerprint.)

      (D) ISDs SHOULD NOT use this term as a synonym for "hash result"
      because that meaning mixes concepts in a potentially misleading

   $ ticket
      (I) A synonym for "capability". (See: Kerberos.)

      (C) A ticket is usually granted by a centralized access control
      server (ticket-granting agent) to authorize access to a system
      resource for a limited time. Tickets have been implemented with
      symmetric cryptography, but can also be implemented as attribute
      certificates using asymmetric cryptography.

   $ timing channel
      See: (secondary definition under) covert channel.

   $ TLS
      See: Transport Layer Security. (See: TLSP.)

   $ TLSP
      See: Transport Layer Security Protocol. (See: TLS.)

   $ token
      1. (I) General usage: An object that is used to control access and
      is passed between cooperating entities in a protocol that
      synchronizes use of a shared resource. Usually, the entity that
      currently holds the token has exclusive access to the resource.

      2. (I) Authentication usage: A data object or a portable, user-
      controlled, physical device used to verify an identity in an
      authentication process. (See: authentication information, dongle.)

      3. (I) Cryptographic usage: See: cryptographic token.

Top      Up      ToC       Page 177 
      4. (O) SET usage: "A portable device [e.g., smart card or PCMCIA
      card] specifically designed to store cryptographic information and
      possibly perform cryptographic functions in a secure manner."

   $ token backup
      (I) A token management operation that stores sufficient
      information in a database (e.g., in a CAW) to recreate or restore
      a security token (e.g., a smart card) if it is lost or damaged.

   $ token copy
      (I) A token management operation that copies all the personality
      information from one security token to another. However, unlike in
      a token restore operation, the second token is initialized with
      its own, different local security values such as PINs and storage

   $ token management
      (I) The process of initializing security tokens (e.g., see: smart
      card), loading data into the tokens, and controlling the tokens
      during their life cycle. May include performing key management and
      certificate management functions; generating and installing PINs;
      loading user personality data; performing card backup, card copy,
      and card restore operations; and updating firmware.

   $ token restore
      (I) A token management operation that loads a security token with
      data for the purpose of recreating (duplicating) the contents
      previously held by that or another token.

   $ token storage key
      (I) A cryptography key used to protect data that is stored on a
      security token.

   $ top CA
      (I) A CA that is the highest level (i.e., is the most trusted CA)
      in a certification hierarchy. (See: root.)

   $ top-level specification
      (I) "A non-procedural description of system behavior at the most
      abstract level; typically a functional specification that omits
      all implementation details." [NCS04] (See: (discussion under)
      security policy.)

      (C) A top-level specification may be descriptive or formal:

Top      Up      ToC       Page 178 
       - "Descriptive top-level specification": One that is written in a
      natural language like English or an informal design notation.

       - "Formal top-level specification": One that is written in a
      formal mathematical language to enable theorems to be proven that
      show that the specification correctly implements a set of formal
      requirements or a formal security model. (See: correctness proof.)

   $ traffic analysis
      (I) Inference of information from observable characteristics of
      data flow(s), even when the data is encrypted or otherwise not
      directly available. Such characteristics include the identities
      and locations of the source(s) and destination(s), and the
      presence, amount, frequency, and duration of occurrence. (See:

      (O) "The inference of information from observation of traffic
      flows (presence, absence, amount, direction, and frequency)."
      [I7498 Part 2]

   $ traffic flow confidentiality
      (I) A data confidentiality service to protect against traffic

      (O) "A confidentiality service to protect against traffic
      analysis." [I7498 Part 2]

   $ traffic padding
      (I) "The generation of spurious instances of communication,
      spurious data units, and/or spurious data within data units."
      [I7498 Part 2]

   $ tranquillity property
      See: (secondary definition under) Bell-LaPadula Model.

   $ Transmission Control Protocol (TCP)
      (I) An Internet Standard protocol [R0793] that reliably delivers a
      sequence of datagrams (discrete sets of bits) from one computer to
      another in a computer network. (See: TCP/IP.)

      (C) TCP is designed to fit into a layered hierarchy of protocols
      that support internetwork applications. TCP assumes it can obtain
      a simple, potentially unreliable datagram service (such as the
      Internet Protocol) from the lower-layer protocols.

   $ Transport Layer Security (TLS)
      (I) TLS Version 1.0 is an Internet protocol [R2246] based-on and
      very similar to SSL Version 3.0. (See: TLSP.)

Top      Up      ToC       Page 179 
      (C) The TLS protocol is misnamed, because it operates well above
      the transport layer (OSI layer 4).

   $ Transport Layer Security Protocol (TLSP)
      (I) An end-to-end encryption protocol(ISO Standard 10736) that
      provides security services at the bottom of OSI layer 4, i.e.,
      directly above layer 3. (See: TLS.)

      (C) TLSP evolved directly from the SP4 protocol of SDNS.

   $ transport mode vs. tunnel mode
      (I) IPsec usage: Two ways to apply IPsec protocols (AH and ESP) to
      protect communications:

       - "Transport mode": The protection applies to (i.e., the IPsec
         protocol encapsulates) the packets of upper-layer protocols,
         the ones that are carried above IP.

       - "Tunnel mode": The protection applies to (i.e., the IPsec
         protocol encapsulates) IP packets.

      (C) A transport mode security association is always between two
      hosts. In a tunnel mode security association, each end may be
      either a host or a gateway. Whenever either end of an IPsec
      security association is a security gateway, the association is
      required to be in tunnel mode.

   $ trap door
      (I) A hidden computer flaw known to an intruder, or a hidden
      computer mechanism (usually software) installed by an intruder,
      who can activate the trap door to gain access to the computer
      without being blocked by security services or mechanisms. (See:
      back door, Trojan horse.)

   $ triple DES
      (I) A block cipher, based on DES, that transforms each 64-bit
      plaintext block by applying the Data Encryption Algorithm three
      successive times, using either two or three different keys, for an
      effective key length of 112 or 168 bits. [A9052] (See: DES.)

      (C) IPsec usage: The algorithm variation proposed for ESP uses a
      168-bit key, consisting of three independent 56-bit quantities
      used by the Data Encryption Algorithm, and a 64-bit initialization
      value. Each datagram contains an IV to ensure that each received
      datagram can be decrypted even when other datagrams are dropped or
      a sequence of datagrams is reordered in transit. [R1851]

Next RFC Part