RFC 4949


Internet Security Glossary, Version 2

Part 13 of 13, p. 343 to 365
prevText      Top      Up      ToC       Page 343 
5. Security Considerations

   This document mainly defines security terms and recommends how to use
   them. It also provides limited tutorial information about security
   aspects of Internet protocols, but it does not describe in detail the
   vulnerabilities of, or threats to, specific protocols and does not
   definitively describe mechanisms that protect specific protocols.

6. Normative Reference

   [R2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.

7. Informative References

   This Glossary focuses on the Internet Standards Process. Therefore,
   this set of informative references emphasizes international,
   governmental, and industrial standards documents. Some RFCs that are
   especially relevant to Internet security are mentioned in Glossary
   entries in square brackets (e.g., "[R1457]" in the entry for
   "security label") and are listed here; some other RFCs are mentioned
   in parentheses (e.g., "(RFC 959)" in the entry for "File Transport
   Protocol") but are not listed here.

   [A1523]  American National Standards Institute, "American National
            Standard Telecom Glossary", ANSI T1.523-2001.

   [A3092]  ---, "American National Standard Data Encryption Algorithm",
            ANSI X3.92-1981, 30 December 1980.

   [A9009]  ---, "Financial Institution Message Authentication
            (Wholesale)", ANSI X9.9-1986, 15 August 1986.

   [A9017]  ---, "Financial Institution Key Management (Wholesale)",
            X9.17, 4 April 1985. (Defines procedures for manual and
            automated management of keying material and uses DES to
            provide key management for a variety of operational

   [A9042]  ---, "Public Key Cryptography for the Financial Service
            Industry: Agreement of Symmetric Keys Using Diffie-Hellman
            and MQV Algorithms", X9.42, 29 January 1999. (See: Diffie-

   [A9052]  ---, "Triple Data Encryption Algorithm Modes of Operation",
            X9.52-1998, ANSI approval 9 November 1998.

   [A9062]  ---, "Public Key Cryptography for the Financial Services
            Industry: The Elliptic Curve Digital Signature Algorithm
            (ECDSA)", X9.62-1998, ANSI approval 7 January 1999.

   [A9063]  ---, "Public Key Cryptography for the Financial Services
            Industry: Key Agreement and Key Transport Using Elliptic
            Curve Cryptography", X9.63-2001.

   [ACM]    Association for Computing Machinery, "Communications of the
            ACM", July 1998 issue with: M. Yeung, "Digital
            Watermarking"; N. Memon and P. Wong, "Protecting Digital
            Media Content"; and S. Craver, B.-L. Yeo, and M. Yeung,
            "Technical Trials and Legal Tribulations".

   [Ande]   Anderson, J., "Computer Security Technology Planning Study",
            ESD-TR-73-51, Vols. I and II, USAF Electronics Systems Div.,
            Bedford, MA, October 1972. (Available as AD-758206/772806,
            National Technical Information Service, Springfield, VA.)

   [ANSI]   American National Standards Institute, "Role Based Access
            Control", Secretariat, Information Technology Industry
            Council, BSR INCITS 359, DRAFT, 10 November 2003.

   [Army]   U.S. Army Corps of Engineers, "Electromagnetic Pulse (EMP)
            and Tempest Protection for Facilities", EP 1110-3-2, 31
            December 1990.

   [B1822]  Bolt Baranek and Newman Inc., "Appendix H: Interfacing a
            Host to a Private Line Interface", in "Specifications for
            the Interconnection of a Host and an IMP", BBN Report No.
            1822, revised, December 1983.

   [B4799]  ---, "A History of the Arpanet: The First Decade", BBN
            Report No. 4799, April 1981.

   [Bell]   Bell, D. and L. LaPadula, "Secure Computer Systems:
            Mathematical Foundations and Model", M74-244, The MITRE
            Corporation, Bedford, MA, May 1973. (Available as AD-771543,
            National Technical Information Service, Springfield, VA.)

   [Biba]   K. Biba, "Integrity Considerations for Secure Computer
            Systems", ESD-TR-76-372, USAF Electronic Systems Division,
            Bedford, MA, April 1977.

   [BN89]   Brewer, D. and M. Nash, "The Chinese wall security policy",
            in "Proceedings of IEEE Symposium on Security and Privacy",
            May 1989, pp. 205-214.

   [BS7799] British Standards Institution, "Information Security
            Management, Part 1: Code of Practice for Information
            Security Management", BS 7799-1:1999, 15 May 1999.

            ---, "Information Security Management, Part 2: Specification
            for Information Security Management Systems", BS 7799-
            2:1999, 15 May 1999.

   [C4009]  Committee on National Security Systems (U.S. Government),
            "National Information Assurance (IA) Glossary", CNSS
            Instruction No. 4009, revised June 2006.

   [CCIB]   Common Criteria Implementation Board, "Common Criteria for
            Information Technology Security Evaluation, Part 1:
            Introduction and General Model", version 2.0, CCIB-98-026,
            May 1998.

   [Chau]   D. Chaum, "Untraceable Electronic Mail, Return Addresses,
            and Digital Pseudonyms", in "Communications of the ACM",
            vol. 24, no. 2, February 1981, pp. 84-88.

   [Cheh]   Cheheyl, M., Gasser, M., Huff, G., and J. Millen, "Verifying
            Security", in "ACM Computing Surveys", vol. 13, no. 3,
            September 1981, pp. 279-339.

   [Chris]  Chrissis, M. et al, 1993. "SW-CMM [Capability Maturity Model
            for Software] Version", Release 3.0, Software Engineering
            Institute, Carnegie Mellon University, August 1996.

   [CIPSO]  Trusted Systems Interoperability Working Group, "Common IP
            Security Option", version 2.3, 9 March 1993.

   [Clark]  Clark, D. and D. Wilson, "A Comparison of Commercial and
            Military Computer Security Policies", in "Proceedings of the
            IEEE Symposium on Security and Privacy", April 1987, pp.

   [Cons]   NSA, "Consistency Instruction Manual for Development of U.S.
            Government Protection Profiles for Use in Basic Robustness
            Environments", Release 2.0, 1 March 2004.

   [CORBA]  Object Management Group, Inc., "CORBAservices: Common Object
            Service Specification", December 1998.

   [CSC1]   U.S. DoD Computer Security Center, "Department of Defense
            Trusted Computer System Evaluation Criteria", CSC-STD-001-
            83, 15 August 1983. (Superseded by [DoD1].)

   [CSC2]   ---, "Department of Defense Password Management Guideline",
            CSC-STD-002-85, 12 April 1985.

   [CSC3]   ---, "Computer Security Requirements: Guidance for Applying
            the Department of Defense Trusted Computer System Evaluation
            Criteria in Specific Environments", CSC-STD-003-85, 25 June

   [CSOR]   U.S. Department of Commerce, "General Procedures for
            Registering Computer Security Objects", National Institute
            of Standards Interagency Report 5308, December 1993.

   [Daem]   Daemen, J. and V. Rijmen, "Rijndael, the advanced encryption
            standard", in "Dr. Dobb's Journal", vol. 26, no. 3, March
            2001, pp. 137-139.

   [DC6/9]  Director of Central Intelligence, "Physical Security
            Standards for Sensitive Compartmented Information
            Facilities", DCI Directive 6/9, 18 November 2002.

   [Denn]   Denning, D., "A Lattice Model of Secure Information Flow",
            in "Communications of the ACM", vol. 19, no. 5, May 1976,
            pp. 236-243.

   [Denns]  Denning, D. and P. Denning, "Data Security", in "ACM
            Computing Surveys", vol. 11, no. 3, September 1979, pp. 227-

   [DH76]   Diffie, W. and M. Hellman, "New Directions in Cryptography",
            in "IEEE Transactions on Information Theory", vol. IT-22,
            no. 6, November 1976, pp. 644-654. (See: Diffie-Hellman-

   [DoD1]   U.S. DoD, "Department of Defense Trusted Computer System
            Evaluation Criteria", DoD 5200.28-STD, 26 December 1985.
            (Supersedes [CSC1].) (Superseded by DoD Directive 8500.1.)

   [DoD4]   ---, "NSA Key Recovery Assessment Criteria", 8 June 1998.

   [DoD5]   ---, Directive 5200.1, "DoD Information Security Program",
            13 December 1996.

   [DoD6]   ---, "Department of Defense Technical Architecture Framework
            for Information Management, Volume 6: Department of Defense
            (DoD) Goal Security Architecture", Defense Information
            Systems Agency, Center for Standards, version 3.0, 15 April

   [DoD7]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 7, 18 December 2002.
            (Superseded by [DoD9].)

   [DoD9]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 9, 9 February 2005.

   [DoD10]  ---, "DoD Architecture Framework, Version 1: Deskbook", 9
            February 2004.

   [DSG]    American Bar Association, "Digital Signature Guidelines:
            Legal Infrastructure for Certification Authorities and
            Secure Electronic Commerce", Chicago, IL, 1 August 1996.
            (See: [PAG].)

   [ElGa]   El Gamal, T., "A Public-Key Cryptosystem and a Signature
            Scheme Based on Discrete Logarithms", in "IEEE Transactions
            on Information Theory", vol. IT-31, no. 4, 1985, pp. 469-

   [EMV1]   Europay International S.A., MasterCard International
            Incorporated, and Visa International Service Association,
            "EMV '96 Integrated Circuit Card Specification for Payment
            Systems", version 3.1.1, 31 May 1998.

   [EMV2]   ---, "EMV '96 Integrated Circuit Card Terminal Specification
            for Payment Systems", version 3.1.1, 31 May 1998.

   [EMV3]   ---, "EMV '96 Integrated Circuit Card Application
            Specification for Payment Systems", version 3.1.1, 31 May

   [F1037]  U.S. General Services Administration, "Glossary of
            Telecommunications Terms", FED STD 1037C, 7 August 1996.

   [For94]  Ford, W., "Computer Communications Security: Principles,
            Standard Protocols and Techniques", ISBN 0-13-799453-2,

   [For97]  --- and M. Baum, "Secure Electronic Commerce: Building the
            Infrastructure for Digital Signatures and Encryption", ISBN
            0-13-476342-4, 1994.

   [FP001]  U.S. Department of Commerce, "Code for Information
            Interchange", Federal Information Processing Standards
            Publication (FIPS PUB) 1, 1 November 1968.

   [FP031]  ---, "Guidelines for Automatic Data Processing Physical
            Security and Risk Management", FIPS PUB 31, June 1974.

   [FP039]  ---, "Glossary for Computer Systems Security", FIPS PUB 39,
            15 February 1976.

   [FP041]  ---, "Computer Security Guidelines for Implementing the
            Privacy Act of 1974", FIPS PUB 41, 30 May 1975.

   [FP046]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.

   [FP074]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.

   [FP081]  ---, "DES Modes of Operation", FIPS PUB 81, 2 December 1980.

   [FP087]  ---, "Guidelines for ADP Contingency Planning", FIPS PUB 87,
            27 March 1981.

   [FP102]  ---, "Guideline for Computer Security Certification and
            Accreditation", FIPS PUB 102, 27 September 1983.

   [FP113]  ---, "Computer Data Authentication", FIPS PUB 113, 30 May

   [FP140]  ---, "Security Requirements for Cryptographic Modules", FIPS
            PUB 140-2, 25 May 2001; with change notice 4, 3 December

   [FP151]  ---, "Portable Operating System Interface (POSIX) -- System
            Application Program Interface [C Language]", FIPS PUB 151-2,
            12 May 1993.

   [FP180]  ---, "Secure Hash Standard", FIPS PUB 180-2, August 2000;
            with change notice 1, 25 February 2004.

   [FP185]  ---, "Escrowed Encryption Standard", FIPS PUB 185, 9
            February 1994.

   [FP186]  ---, "Digital Signature Standard (DSS)", FIPS PUB 186-2, 27
            June 2000; with change notice 1, 5 October 2001.

   [FP188]  ---, "Standard Security Label for Information Transfer",
            FIPS PUB 188, 6 September 1994.

   [FP191]  ---, "Guideline for the Analysis of Local Area Network
            Security", FIPS PUB 191, 9 November 1994.

   [FP197]  ---, "Advanced Encryption Standard", FIPS PUB 197, 26
            November 2001.

   [FP199]  ---, "Standards for Security Categorization of Federal
            Information and Information Systems", FIPS PUB 199,
            December 2003.

   [FPKI]   ---, "Public Key Infrastructure (PKI) Technical
            Specifications: Part A -- Technical Concept of Operations",
            NIST, 4 September 1998.

   [Gass]   Gasser, M., "Building a Secure Computer System", Van
            Nostrand Reinhold Company, New York, 1988, ISBN 0-442-

   [Gray]   Gray, J. and A. Reuter, "Transaction Processing: Concepts
            and Techniques", Morgan Kaufmann Publishers, Inc., 1993.

   [Hafn]   Hafner, K. and M. Lyon, "Where Wizards Stay Up Late: The
            Origins of the Internet", Simon & Schuster, New York, 1996.

   [Huff]   Huff, G., "Trusted Computer Systems -- Glossary", MTR 8201,
            The MITRE Corporation, March 1981.

   [I3166]  International Standards Organization, "Codes for the
            Representation of Names of Countries and Their Subdivisions,
            Part 1: Country Codes", ISO 3166-1:1997.

            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 2: Country Subdivision Codes",
            ISO/DIS 3166-2.

            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 3: Codes for Formerly Used Names of
            Countries", ISO/DIS 3166-3.

   [I7498-1] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, [Part 1:] Basic Reference
            Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation

   [I7498-2] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 2: Security
            Architecture", ISO/IEC 7498-2.

   [I7498-4] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 4: Management
            Framework", ISO/IEC 7498-4.

   [I7812]  ---, "Identification cards -- Identification of Issuers,
            Part 1: Numbering System", ISO/IEC 7812-1:1993.

            ---, "Identification cards -- Identification of Issuers,
            Part 2: Application and Registration Procedures", ISO/IEC

   [I8073]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Transport Protocol Specification", ISO IS

   [I8327]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Session Protocol Specification", ISO IS

   [I8473]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Protocol for Providing the Connectionless
            Network Service", ISO IS 8473.

   [I8802-2] ---, "Information Processing Systems -- Local Area
            Networks, Part 2: Logical Link Control", ISO IS 8802-2.
            (Equivalent to IEEE 802.2.)

   [I8802-3] ---, "Information Processing Systems -- Local Area
            Networks, Part 3: Carrier Sense Multiple Access with
            Collision Detection (CSMA/CD) Access Method and Physical
            Layer Specifications", ISO IS 8802-3. (Equivalent to IEEE

   [I8823]  ---, "Information Processing Systems -- Open Systems
            Interconnection -- Connection-Oriented Presentation Protocol
            Specification", ISO IS 8823.

   [I9945]  "Portable Operating System Interface for Computer
            Environments", ISO/IEC 9945-1: 1990.

   [IATF]   NSA, "Information Assurance Technical Framework", Release 3,
            NSA, September 2000. (See: IATF.)

   [IDSAN]  ---, "Intrusion Detection System Analyzer Protection
            Profile", version 1.1, NSA, 10 December 2001.

   [IDSSC]  ---, "Intrusion Detection System Scanner Protection
            Profile", version 1.1, NSA, 10 December 2001.

   [IDSSE]  ---, "Intrusion Detection System Sensor Protection Profile",
            version 1.1, NSA, 10 December 2001.

   [IDSSY]  ---, "Intrusion Detection System", version 1.4, NSA, 4
            February 2002.

   [Ioan]   Ioannidis, J. and M. Blaze, "The Architecture and
            Implementation of Network Layer Security in UNIX", in "UNIX
            Security IV Symposium", October 1993, pp. 29-39.

   [ITSEC]  "Information Technology Security Evaluation Criteria
            (ITSEC): Harmonised Criteria of France, Germany, the
            Netherlands, and the United Kingdom", version 1.2, U.K.
            Department of Trade and Industry, June 1991.

   [JP1]    U.S. DoD, "Department of Defense Dictionary of Military and
            Associated Terms", Joint Publication 1-02, as amended
            through 13 June 2007.

   [John]   Johnson, N. and S. Jajodia, "Exploring Steganography; Seeing
            the Unseen", in "IEEE Computer", February 1998, pp. 26-34.

   [Kahn]   Kahn, D., "The Codebreakers: The Story of Secret Writing",
            The Macmillan Company, New York, 1967.

   [Knut]   Knuth, D., Chapter 3 ("Random Numbers") of Volume 2
            ("Seminumerical Algorithms") of "The Art of Computer
            Programming", Addison-Wesley, Reading, MA, 1969.

   [Kuhn]   Kuhn, M. and R. Anderson, "Soft Tempest: Hidden Data
            Transmission Using Electromagnetic Emanations", in David
            Aucsmith, ed., "Information Hiding, Second International
            Workshop, IH'98", Portland, Oregon, USA, 15-17 April 1998,
            LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp. 124-142.

   [Land]   Landwehr, C., "Formal Models for Computer Security", in "ACM
            Computing Surveys", vol. 13, no. 3, September 1981, pp. 247-

   [Larm]   Larmouth, J., "ASN.1 Complete", Open System Solutions, 1999
            (a freeware book).

   [M0404]  U.S. Office of Management and Budget, "E-Authentication
            Guidance for Federal Agencies", Memorandum M-04-04, 16
            December 2003.

   [Mene]   Menezes, A. et al, "Some Key Agreement Protocols Providing
            Implicit Authentication", in "The 2nd Workshop on Selected
            Areas in Cryptography", 1995.

   [Moor]   Moore, A. et al, "Attack Modeling for Information Security
            and Survivability", Carnegie Mellon University / Software
            Engineering Institute, CMU/SEI-2001-TN-001, March 2001.

   [Murr]   Murray, W., "Courtney's Laws of Security", in "Infosecurity
            News", March/April 1993, p. 65.

   [N4001]  National Security Telecommunications and Information System
            Security Committee, "Controlled Cryptographic Items",
            NSTISSI No. 4001, 25 March 1985.

   [N4006]  ---, "Controlled Cryptographic Items", NSTISSI No. 4006, 2
            December 1991.

   [N7003]  ---, "Protective Distribution Systems", NSTISSI No. 7003, 13
            December 1996.

   [NCS01]  National Computer Security Center, "A Guide to Understanding
            Audit in Trusted Systems", NCSC-TG-001, 1 June 1988. (See:
            Rainbow Series.)

   [NCS03]  ---, "Information System Security Policy Guideline", I942-
            TR-003, version 1, July 1994. (See: Rainbow Series.)

   [NCS04]  ---, "Glossary of Computer Security Terms", NCSC-TG-004,
            version 1, 21 October 1988. (See: Rainbow Series.)

   [NCS05]  ---, "Trusted Network Interpretation of the Trusted Computer
            System Evaluation Criteria", NCSC-TG-005, version 1, 31 July
            1987. (See: Rainbow Series.)

   [NCS25]  ---, "A Guide to Understanding Data Remanence in Automated
            Information Systems", NCSC-TG-025, version 2, September
            1991. (See: Rainbow Series.)

   [NCSSG]  National Computer Security Center, "COMPUSECese: Computer
            Security Glossary", NCSC-WA-001-85, Edition 1, 1 October
            1985. (See: Rainbow Series.)

   [NRC91]  National Research Council, "Computers At Risk: Safe
            Computing in the Information Age", National Academy Press,

   [NRC98]  Schneider, F., ed., "Trust in Cyberspace", National Research
            Council, National Academy of Sciences, 1998.

   [Padl]   Padlipsky, M., "The Elements of Networking Style", 1985,
            ISBN 0-13-268111-0.

   [PAG]    American Bar Association, "PKI Assessment Guidelines",
            version 1.0, 10 May 2002. (See: [DSG].)

   [Park]   Parker, D., "Computer Security Management", ISBN 0-8359-
            0905-0, 1981.

   [Perr]   Perrine, T. et al, "An Overview of the Kernelized Secure
            Operating System (KSOS)", in "Proceedings of the 7th DoD/NBS
            Computer Security Conference", 24-26 September 1984.

   [PGP]    Garfinkel, S., "PGP: Pretty Good Privacy", O'Reilly &
            Associates, Inc., Sebastopol, CA, 1995.

   [PKCS]   Kaliski Jr., B., "An Overview of the PKCS Standards", RSA
            Data Security, Inc., 3 June 1991.

   [PKC05]  RSA Laboratories, "PKCS #5: Password-Based Encryption
            Standard ", version 1.5, 1 November 1993. (See: RFC 2898.)

   [PKC07]  ---, "PKCS #7: Cryptographic Message Syntax Standard",
            version 1.5, 1 November 1993. (See: RFC 2315.)

   [PKC10]  ---, "PKCS #10: Certification Request Syntax Standard",
            version 1.0, 1 November 1993.

   [PKC11]  ---, "PKCS #11: Cryptographic Token Interface Standard",
            version 1.0, 28 April 1995.

   [PKC12]  ---, "PKCS #12: Personal Information Exchange Syntax",
            version 1.0, 24 June 1995.

   [R1108]  Kent, S., "U.S. Department of Defense Security Options for
            the Internet Protocol", RFC 1108, November 1991.

   [R1135]  Reynolds, J., "The Helminthiasis of the Internet", RFC 1135,
            December 1989.

   [R1208]  Jacobsen, O. and D. Lynch, "A Glossary of Networking Terms",
            RFC 1208, March 1991.

   [R1281]  Pethia, R., Crocker, S., and B. Fraser, "Guidelines for
            Secure Operation of the Internet", RFC 1281, November 1991.

   [R1319]  Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319,
            April 1992.

   [R1320]  Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320,
            April 1992.

   [R1321]  ---, "The MD5 Message-Digest Algorithm", RFC 1321, April

   [R1334]  Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
            RFC 1334, October 1992.

   [R1413]  St. Johns, M., "Identification Protocol", RFC 1413, February

   [R1421]  Linn, J., "Privacy Enhancement for Internet Electronic Mail,
            Part I: Message Encryption and Authentication Procedures",
            RFC 1421, February 1993.

   [R1422]  Kent, S., "Privacy Enhancement for Internet Electronic Mail,
            Part II: Certificate-Based Key Management", RFC 1422,
            February 1993.

   [R1455]  Eastlake 3rd, D., "Physical Link Security Type of Service",
            RFC 1455, May 1993.

   [R1457]  Housley, R., "Security Label Framework for the Internet",
            RFC 1457, May 1993.

   [R1492]  Finseth, C., "An Access Control Protocol, Sometimes Called
            TACACS", RFC 1492, July 1993.

   [R1507]  Kaufman, C., "DASS: Distributed Authentication Security
            Service", RFC 1507, September 1993.

   [R1731]  Myers, J., "IMAP4 Authentication Mechanisms", RFC 1731,
            December 1994.

   [R1734]  ---, "POP3 AUTHentication Command", RFC 1734, December 1994.

   [R1760]  Haller, N., "The S/KEY One-Time Password System", RFC 1760,
            February 1995.

   [R1824]  Danisch, H., "The Exponential Security System TESS: An
            Identity-Based Cryptographic Protocol for Authenticated Key-
            Exchange (E.I.S.S.-Report 1995/4)", RFC 1824, August 1995.

   [R1828]  Metzger, P. and W. Simpson, "IP Authentication using Keyed
            MD5", RFC 1828, August 1995.

   [R1829]  Karn, P., Metzger, P., and W. Simpson, "The ESP DES-CBC
            Transform", RFC 1829, August 1995.

   [R1848]  Crocker, S., Freed, N., Galvin, J., and S. Murphy, "MIME
            Object Security Services", RFC 1848, October 1995.

   [R1851]  Karn, P., Metzger, P., and W. Simpson, "The ESP Triple DES
            Transform", RFC 1851, September 1995.

   [R1928]  Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and L.
            Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996.

   [R1958]  Carpenter, B., "Architectural Principles of the Internet",
            RFC 1958, June 1996.

   [R1983]  Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983,
            August 1996.

   [R1994]  Simpson, W., "PPP Challenge Handshake Authentication
            Protocol (CHAP)", RFC 1994, August 1996.

   [R2078]  Linn, J., "Generic Security Service Application Program
            Interface, Version 2", RFC 2078, January 1997. (Superseded
            by RFC 2743.)

   [R2084]  Bossert, G., Cooper, S., and W. Drummond, "Considerations
            for Web Transaction Security", RFC 2084, January 1997.

   [R2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
            Hashing for Message Authentication", RFC 2104, February

   [R2144]  Adams, C., "The CAST-128 Encryption Algorithm", RFC 2144,
            May 1997.

   [R2179]  Gwinn, A., "Network Security For Trade Shows", RFC 2179,
            July 1997.

   [R2195]  Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP
            AUTHorize Extension for Simple Challenge/Response", RFC
            2195, September 1997.

   [R2196]  Fraser, B., "Site Security Handbook", FYI 8, RFC 2196,
            September 1997.

   [R2202]  Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-
            SHA-1", RFC 2202, Sep. 1997.

   [R2222]  Myers, J., "Simple Authentication and Security Layer
            (SASL)", RFC 2222, October 1997.

   [R2289]  Haller, N., Metz, C., Nesser, P., and M. Straw, "A One-Time
            Password System", STD 61, RFC 2289, February 1998.

   [R2323]  Ramos, A., "IETF Identification and Security Guidelines",
            RFC 2323, 1 April 1998. (Intended for humorous entertainment
            -- "please laugh loud and hard" -- and does not contain
            serious security information.)

   [R2350]  Brownlee, N. and E. Guttman, "Expectations for Computer
            Security Incident Response", BCP 21, RFC 2350, June 1998.

   [R2356]  Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal
            for Mobile IP", RFC 2356, June 1998.

   [R2401]  Kent, S. and R. Atkinson, "Security Architecture for the
            Internet Protocol", RFC 2401, November 1998.

   [R2402]  ---, "IP Authentication Header", RFC 2402, November 1998.

   [R2403]  Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within ESP
            and AH", RFC 2403, November 1998.

   [R2404]  ---, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404,
            November 1998.

   [R2405]  Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher
            Algorithm With Explicit IV", RFC 2405, November 1998.

   [R2406]  Kent, S. and R. Atkinson, "IP Encapsulating Security Payload
            (ESP)", RFC 2406, November 1998.

   [R2407]  Piper, D., "The Internet IP Security Domain of Interpretation
            for ISAKMP", RFC 2407, November 1998.

   [R2408]  Maughan, D., Schertler, M., Schneider, M., and J. Turner,
            "Internet Security Association and Key Management Protocol
            (ISAKMP)", RFC 2408, November 1998.

   [R2410]  Glenn, R. and S. Kent, "The NULL Encryption Algorithm and
            Its Use With IPsec", RFC 2410, November 1998.

   [R2412]  Orman, H., "The OAKLEY Key Determination Protocol", RFC
            2412, November 1998.

   [R2451]  Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
            Algorithms", RFC 2451, November 1998.

   [R2504]  Guttman, E., Leong, L., and G. Malkin, "Users' Security
            Handbook", RFC 2504, February 1999.

   [R2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
            Adams, "X.509 Internet Public Key Infrastructure Online
            Certificate Status Protocol - OCSP", RFC 2560, June 1999.

   [R2612]  Adams, C. and J. Gilchrist, "The CAST-256 Encryption
            Algorithm", RFC 2612, June 1999.

   [R2628]  Smyslov, V., "Simple Cryptographic Program Interface (Crypto
            API)", RFC 2628, June 1999.

   [R2631]  Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC
            2631, June 1999. (See: Diffie-Hellman-Merkle.)

   [R2634]  Hoffman, P., "Enhanced Security Services for S/MIME", RFC
            2634, June 1999.

   [R2635]  Hambridge, S. and A. Lunde, "DON'T SPEW: A Set of Guidelines
            for Mass Unsolicited Mailings and Postings", RFC 2635, June

   [R2660]  Rescorla, E. and A. Schiffman, "The Secure HyperText
            Transfer Protocol", RFC 2660, August 1999.

   [R2743]  Linn, J., "Generic Security Service Application Program
            Interface Version 2, Update 1", RFC 2743, January 2000.

   [R2773]  Housley, R., Yee, P., and W. Nace, "Encryption using KEA and
            SKIPJACK", RFC 2773, February 2000.

   [R2801]  Burdett, D., "Internet Open Trading Protocol - IOTP, Version
            1.0", RFC 2801, April 2000.

   [R2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
            Defeating Denial of Service Attacks which employ IP Source
            Address Spoofing", BCP 38, RFC 2827, May 2000.

   [R2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
            Authentication Dial In User Service (RADIUS)", RFC 2865,
            June 2000.

   [R3060]  Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
            "Policy Core Information Model -- Version 1 Specification",
            RFC 3060, February 2001.

   [R3198]  Westerinen, A., Schnizlein, J., Strassner, J., Scherling,
            M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry,
            J., and S. Waldbusser, "Terminology for Policy-Based
            Management", RFC 3198, November 2001.

   [R3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
            X.509 Public Key Infrastructure Certificate and Certificate
            Revocation List (CRL) Profile", RFC 3280, April 2002.

   [R3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "Group
            Domain of Interpretation", RFC 3547, July 2003.

   [R3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text
            on Security Considerations", RFC 3552, July 2003.

   [R3647]  Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. Wu,
            "Internet X.509 Public Key Infrastructure Certificate Policy
            and Certification Practices Framework", RFC 3647, November

   [R3739]  Santesson, S., Nystrom, M., and T. Polk, "Internet X.509
            Public Key Infrastructure: Qualified Certificates Profile",
            RFC 3739, March 2004.

   [R3740]  Hardjono, T. and B. Weis, "The Multicast Group Security
            Architecture", RFC 3740, March 2004.

   [R3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
            Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
            3748, June 2004.

   [R3766]  Orman, H. and P. Hoffman, "Determining Strengths For Public
            Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
            April 2004.

   [R3820]  Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M.
            Thompson, "Internet X.509 Public Key Infrastructure (PKI)
            Proxy Certificate Profile", RFC 3820, June 2004.

   [R3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
            (S/MIME) Version 3.1 Message Specification", RFC 3851, July

   [R3871]  Jones, G., "Operational Security Requirements for Large
            Internet Service Provider (ISP) IP Network Infrastructure",
            RFC 3871, September 2004.

   [R4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
            Rose, "DNS Security Introduction and Requirements", RFC
            4033, March 2005.

   [R4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
            Rose, "Resource Records for the DNS Security Extensions",
            RFC 4034, March 2005.

   [R4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
            Rose, "Protocol Modifications for the DNS Security
            Extensions", RFC 4035, March 2005.

   [R4086]  Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness
            Requirements for Security", BCP 106, RFC 4086, June 2005.

   [R4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
            Kerberos Network Authentication Service (V5)", RFC 4120,
            July 2005.

   [R4158]  Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
            Nicholas, "Internet X.509 Public Key Infrastructure:
            Certification Path Building", RFC 4158, September 2005.

   [R4210]  Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet
            X.509 Public Key Infrastructure Certificate Management
            Protocol (CMP)", RFC 4210, September 2005.

   [R4301]  Kent, S. and K. Seo, "Security Architecture for the Internet
            Protocol", RFC 4301, December 2005.

   [R4302]  Kent, S., "IP Authentication Header", RFC 4302, December

   [R4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
            4303, December 2005.

   [R4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
            4306, December 2005.

   [R4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
            (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [R4422]  Melnikov, A. and K. Zeilenga, "Simple Authentication and
            Security Layer (SASL)", RFC 4422, June 2006.

   [Raym]   Raymond, E., ed., "The On-Line Hacker Jargon File", version
            4.0.0, 24 July 1996. (See:
            for the latest version. Also, "The New Hacker's Dictionary",
            3rd edition, MIT Press, September 1996, ISBN 0-262-68092-0.)

   [Roge]   Rogers, H., "An Overview of the CANEWARE Program", in
            "Proceedings of the 10th National Computer Security
            Conference", NIST and NCSC, September 1987.

   [RSA78]  Rivest, R., A. Shamir, and L. Adleman, "A Method for
            Obtaining Digital Signatures and Public-Key Cryptosystems",
            in "Communications of the ACM", vol. 21, no. 2, February
            1978, pp. 120-126.

   [RSCG]   NSA, "Router Security Configuration Guide: Principles and
            Guidance for Secure Configuration of IP Routers, with
            Detailed Instructions for Cisco Systems Routers", version
            1.1c, C4-040R-02, 15 December 2005, available at

   [Russ]   Russell, D. et al, Chapter 10 ("TEMPEST") of "Computer
            Security Basics", ISBN 0-937175-71-4, 1991.

   [SAML]   Organization for the Advancement of Structured Information
            Standards (OASIS), "Assertions and Protocol for the OASIS
            Security Assertion Markup Language (SAML)", version 1.1, 2
            September 2003.

   [Sand]   Sandhu, R. et al, "Role-Based Access Control Models", in
            "IEEE Computer", vol. 29, no. 2, February 1996, pp. 38-47.

   [Schn]   Schneier, B., "Applied Cryptography Second Edition", John
            Wiley & Sons, Inc., New York, 1996.

   [SDNS3]  U.S. DoD, NSA, "Secure Data Network Systems, Security
            Protocol 3 (SP3)", document SDN.301, Revision 1.5, 15 May

   [SDNS4]  ---, "Secure Data Network Systems, Security Protocol 4
            (SP4)", document SDN.401, Revision 1.2, 12 July 1988.

   [SDNS7]  ---, "Secure Data Network Systems, Message Security Protocol
            (MSP)", SDN.701, Revision 4.0, 7 June 1996, with
            "Corrections to Message Security Protocol, SDN.701, Rev 4.0,
            96-06-07", 30 August 1996.

   [SET1]   MasterCard and Visa, "SET Secure Electronic Transaction
            Specification, Book 1: Business Description", version 1.0,
            31 May 1997.

   [SET2]   ---, "SET Secure Electronic Transaction Specification, Book
            2: Programmer's Guide", version 1.0, 31 May 1997.

   [SKEME]  Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
            Mechanism for Internet", in "Proceedings of the 1996
            Symposium on Network and Distributed Systems Security".

   [SKIP]   "SKIPJACK and KEA Algorithm Specifications", version 2.0, 22
            May 1998, and "Clarification to the SKIPJACK Algorithm
            Specification", 9 May 2002 (available from NIST Computer
            Security Resource Center).

   [SP12]   NIST, "An Introduction to Computer Security: The NIST
            Handbook", Special Publication 800-12.

   [SP14]   Swanson, M. et al (NIST), "Generally Accepted Principles and
            Practices for Security Information Technology Systems",
            Special Publication 800-14, September 1996.

   [SP15]   Burr, W. et al (NIST), "Minimum Interoperability
            Specification for PKI Components (MISPC), Version 1",
            Special Publication 800-15, September 1997.

   [SP22]   Rukhin, A. et al (NIST), "A Statistical Test Suite for
            Random and Pseudorandom Number Generators for Cryptographic
            Applications", Special Publication 800-15, 15 May 2001.

   [SP27]   Stoneburner, G. et al (NIST), "Engineering Principles for
            Information Technology Security (A Baseline for Achieving
            Security)", Special Publication 800-27 Rev A, June 2004.

   [SP28]   Jansen, W. (NIST), "Guidelines on Active Content and Mobile
            Code", Special Publication 800-28, October 2001.

   [SP30]   Stoneburner, G. et al (NIST), "Risk Management Guide for
            Information Technology Systems", Special Publication 800-30,
            October 2001.

   [SP31]   Bace, R. et al (NIST), "Intrusion Detection Systems",
            Special Publication 800-31.

   [SP32]   Kuhn, D. (NIST), "Introduction to Public Key Technology and
            the Federal PKI Infrastructure", Special Publication
            800-32, 26 February 2001.

   [SP33]   Stoneburner, G. (NIST), "Underlying Technical Models for
            Information Technology Security", Special Publication
            800-33, December 2001.

   [SP37]   Ross, R. et al (NIST), "Guide for the Security Certification
            and Accreditation of Federal Information Systems", Special
            Publication 800-37, May 2004.

   [SP38A]  Dworkin, M. (NIST), "Recommendation for Block Cipher Modes
            of Operation: Methods and Techniques", Special Publication
            800-38A, 2001 Edition, December 2001.

   [SP38B]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CMAC Mode for Authentication", Special Publication
            800-38B, May 2005.

   [SP38C]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CCM Mode for Authentication and Confidentiality",
            Special Publication 800-38C, May 2004.

   [SP41]   Wack, J. et al (NIST), "Guidelines on Firewalls and Firewall
            Policy", Special Publication 800-41, January 2002.

   [SP42]   ---, "Guideline on Network Security Testing", Special
            Publication 800-42, October 2003.

   [SP56]   NIST, "Recommendations on Key Establishment Schemes", Draft
            2.0, Special Publication 800-63, January 2003.

   [SP57]   ---, "Recommendation for Key Management", Part 1 "General
            Guideline" and Part 2 "Best Practices for Key Management
            Organization", Special Publication 800-57, DRAFT, January

   [SP61]   Grance, T. et al (NIST), "Computer Security Incident
            Handling Guide", Special Publication 800-57, January 2003.

   [SP63]   Burr, W. et al (NIST), "Electronic Authentication
            Guideline", Special Publication 800-63, June 2004.

   [SP67]   Barker, W. (NIST), "Recommendation for the Triple Data
            Encryption Algorithm (TDEA) Block Cipher", Special
            Publication 800-67, May 2004.

   [Stal]   Stallings, W., "Local Networks", 1987, ISBN 0-02-415520-9.

   [Stei]   Steiner, J. et al, "Kerberos: An Authentication Service for
            Open Network Systems", in "Usenix Conference Proceedings",
            February 1988.

   [Weis]   Weissman, C., "Blacker: Security for the DDN: Examples of A1
            Security Engineering Trades", in "Symposium on Security and
            Privacy", IEEE Computer Society Press, May 1992, pp. 286-

   [X400]   International Telecommunications Union -- Telecommunication
            Standardization Sector (formerly "CCITT"), Recommendation
            X.400, "Message Handling Services: Message Handling System
            and Service Overview".

   [X419]   ---, "Message Handling Systems: Protocol Specifications",
            ITU-T Recommendation X.419. (Equivalent to ISO 10021-6).

   [X420]   ---, "Message Handling Systems: Interpersonal Messaging
            System", ITU-T Recommendation X.420. (Equivalent to ISO

   [X500]   ---, Recommendation X.500, "Information Technology -- Open
            Systems Interconnection -- The Directory: Overview of
            Concepts, Models, and Services". (Equivalent to ISO 9594-1.)

   [X501]   ---, Recommendation X.501, "Information Technology -- Open
            Systems Interconnection -- The Directory: Models".

   [X509]   ---, Recommendation X.509, "Information Technology -- Open
            Systems Interconnection -- The Directory: Authentication
            Framework", COM 7-250-E Revision 1, 23 February 2001.
            (Equivalent to ISO 9594-8.)

   [X519]   ---, Recommendation X.519, "Information Technology -- Open
            Systems Interconnection -- The Directory: Protocol

   [X520]   ---, Recommendation X.520, "Information Technology -- Open
            Systems Interconnection -- The Directory: Selected Attribute

   [X680]   ---, Recommendation X.680, "Information Technology --
            Abstract Syntax Notation One (ASN.1) -- Specification of
            Basic Notation", 15 November 1994. (Equivalent to ISO/IEC

   [X690]   ---, Recommendation X.690, "Information Technology -- ASN.1
            Encoding Rules -- Specification of Basic Encoding Rules
            (BER), Canonical Encoding Rules (CER) and Distinguished
            Encoding Rules (DER)", 15 November 1994. (Equivalent to
            ISO/IEC 8825-1.)

8. Acknowledgments

   George Huff had a good idea! [Huff]

Author's Address

   Dr. Robert W. Shirey
   3516 N. Kensington St.
   Arlington, Virginia  22207-1328


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78 and at, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at


   Funding for the RFC Editor function is currently provided by the
   Internet Society.