GIST v0.7 ― A
“AA” to “awareness and training program”

A

- AA n.

- ABA Guidelines n.

RFC 2828 (2000)

(N) American Bar Association (ABA) Digital Signature Guidelines [ABA], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.

- aborted connection n.

ISO/IEC 2382-8:1998

A disconnection that does not follow established procedures. Note: An aborted connection may enable other entities to gain unauthorized access.

- Abstract Syntax Notation One (ASN.1) n.

RFC 2828 (2000)

(N) A standard for describing data objects. [X680]

(C) OSI standards use ASN.1 to specify data formats for protocols. OSI defines functionality in layers. Information objects at higher layers are abstractly defined to be implemented with objects at lower layers. A higher layer may define transfers of abstract objects between computers, and a lower layer may define transfers concretely as strings of bits. Syntax is needed to define abstract objects, and encoding rules are needed to transform between abstract objects and bit strings. (See: Basic Encoding Rules.)

(C) In ASN.1, formal names are written without spaces, and separate words in a name are indicated by capitalizing the first letter of each word except the first word. For example, the name of a CRL is certificateRevocationList.

- ACC n.

See: access control center.

- access n. & vb.

1. n.

RFC 2828 (2000)

(I) The ability and means to communicate with or otherwise interact with a system in order to use system resources to either handle information or gain knowledge of the information the system contains.

(O) “A specific type of interaction between a subject and an object that results in the flow of information from one to the other.” [NCS04]

(C) In this Glossary, access is intended to cover any ability to communicate with a system, including one-way communication in either direction. In actual practice, however, entities outside a security perimeter that can receive output from the system but cannot provide input or otherwise directly interact with the system, might be treated as not having access and, therefore, be exempt from security policy requirements, such as the need for a security clearance.

OASIS XACML 2.0 (2005)

Performing an action.

NIST IR 7298 (2006)

SP 800-32

Ability to make use of any information system (IS) resource.

2. vb.

OASIS SAML 2.0 (2005)

To interact with a system entity in order to manipulate, use, gain knowledge of, and/or obtain a representation of some or all of a system entity’s resources. [RFC2828]

OASIS cites RFC 2828 for its definition, but heavily rewords the (I) paragraph, above. A verbatim definition of action as a verb would, of course, be…

To communicate with or otherwise interact with a system in order to use system resources to either handle information or gain knowledge of the information the system contains.

- access authority n.

NIST IR 7298 (2006)

SP 800-57

An entity responsible for monitoring and granting access privileges for other authorized entities.

In some access control services, e.g., RACF, broadly synonymous with access permission.

- access category n.

ISO/IEC 2382-8:1998

A category to which entities may be assigned, based on the resources that the entity is authorized to use.

- access control n.

ISO/IEC 2382-8:1998

A means of ensuring that the resources of a data processing system can be accessed only by authorized entities in authorized ways.

RFC 2828 (2000)

(I) Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy. (See: access, access control service.)

(O) “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.” [I7498 Part 2]

OASIS XACML 2.0 (2005)

Controlling access in accordance with a policy.

OASIS SAML 2.0 (2005)

Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy. [RFC2828]

SAML cites RFC 2828 for its definition, but slightly rewords the (I) paragraph, above.

modonis^IDM (2005)

Definition: Access control is the protection of resources with technical, regulatory and organizational measures against access or use by unauthorized entities.

NIST IR 7298 (2006)

FIPS 201

The process of granting or denying specific requests:

for obtaining and using information and related information processing services; and
to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

SCA ISCTAG (2007)

The process of granting or denying specific requests to:

obtain and use information and related to information processing services; and
enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

See also: logical access control, physical access control.

- access control center (ACC) n.

RFC 2828 (2000)

(I) A computer containing a database with entries that define a security policy for [i.e., that is implemented by] an access control service.

(C) An ACC is sometimes used in conjunction with a key center to implement access control in a key distribution system for symmetric cryptography.

- access control information (ACI) n.

OASIS SAML 2.0 (2005)

Any information used for access control purposes, including contextual information. [X.812] Contextual information might include source IP address, encryption strength, the type of operation being requested, time of day, etc. Portions of ACI may be specific to the request itself, others may be associated with the connection via which the request is transmitted, others (e.g. time of day) may be “environmental”. [RFC2829]

- access control list (ACL) n.

ISO/IEC 2382-8:1998

access control list, access list

A list of entities, together with their access rights, that are authorized to access a resource.

RFC 2828 (2000)

(I) A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource. (See: capability.)

NIST IR 7298 (2006)

SP 800-12

access control lists (ACLs)

A register of:

users (including groups, machines, processes) who have been given permission to use a particular system resource, and
the types of access they have been permitted.

Definition: A data structure associated with a system resource that enumerates the identities of system entities that are permitted access to the resource and the access permission for each entity. An ACL may be an attribute of the resource itself or of another object (e.g., a dataset profile in RACF, an authorization list in OS/400) that is associated with one or more resources.

- access control service n.

RFC 2828 (2000)

(I) A security service that protects against a system entity using a system resource in a way not authorized by the system’s security policy; in short, protection of system resources against unauthorized access. (See: access control, discretionary access control, identity-based security policy, mandatory access control, role-based access control, rule-based security policy.)

(C) This service includes protecting against use of a resource in an unauthorized manner by an entity that is authorized to use the resource in some other manner. The two basic mechanisms for implementing this service are ACLs and tickets.

A system can have a native access control service – i.e., one that is an integral component of the operating system, application, etc. A system can also have a guest access control service.

A guest access control service is standard in IBM mainframe operating systems, such as z/OS and z/VM. The service is called either:

an external security manager (ESM);
a resident security system (RSS).

Three proprietary software products fulfil this role in z/OS, one from IBM: RACF (a component of the SecureWay Security Server); and two from Computer Associates International, Inc. (CA): eTrust CA-ACF2 and eTrust CA-Top Secret.

(See: External Security Managers for z/OS.)

- access control system format n.

SCA ISCTAG (2007)

The algorithm that specifies how data transmitted by the system is to be interpreted. The format specifies how many bits make up the data stream and which bits represent different types of information. For example, the first few bits might transmit the facility code, the next few the unique ID number, the next few parity, and so on.

- access level n.

ISO/IEC 2382-8:1998

The level of authority required from an entity to access a protected system resource. Example: The authority to access information at a particular security level.

In some systems, e.g., RACF, access level (or level of access) is used as a synonym for access permission.

- access management n.

SCA ISCTAG (2007)

The processes and technologies for controlling and monitoring access privileges to resources, consistent with governing policies. Access management includes authentication, authorization, trust, and security auditing.

See: identity and access management.

- access mode n.

UNIX2:1997

A particular form of access permitted to a file.

ISO/IEC 2382-8:1998

access type

A type of operation specified by an access right. Examples: read, write, execute, append, modify, delete, create.

RFC 2828 (2000)

(I) A distinct type of data processing operation – e.g., read, write, append, or execute – that a subject can potentially perform on an object in a computer system.

- access period n.

ISO/IEC 2382-8:1998

A period of time during which specified access rights prevail.

- access permission n.

ISO/IEC 2382-8:1998

All of a subject’s access rights with respect to some object.

See: (discussion under) access right.

- access right n.

ISO/IEC 2382-8:1998

Permission for a subject to access a particular object for a specific type of operation. Example: Permission for a process to read a file but not write to it.

08.04.20 read access: An access right that gives permission to read data.
08.04.21 write access: An access right that gives permission to write data. Note: Write access may grant permission to append, modify, delete or create data.

OASIS SAML 2.0 (2005)

access rights

A description of the type of authorized interactions a subject can have with a resource. Examples include read, write, execute, add, modify, and delete.

SCA ISCTAG (2007)

The privilege or permission for an individual to access a controlled resource or entity (physical or logical).

An access control service might permit a subject to access a particular object for either a discrete access mode, as in Unix operating systems, or for a hierarchical set of access modes, as in IBM’s RACF. How do the ISO/IEC 2382-8:1998 (and similar) definitions of access permission and access right apply in each case?

In a Unix OS, each permitted access mode – e.g., read, write, execute – is an access right, and the combination of modes – e.g., r-x, rwx, -w- – is the access permission.

In RACF, a user might be permitted the UPDATE access authority to a data set; this is an access permission that combines the write, read, and execute access rights.

- access type n.

See: access mode.

- accessor identifier (ACID) n.

See: (secondary definition under) userid.

- account n.

See: user account under profile.

OASIS SAML 2.0 (2005)

Typically a formal business agreement for providing regular dealings and services between a principal and business service providers.

- account linkage n.

OASIS SAML 2.0 (2005)

A method of relating accounts at two different providers that represent the same principal so that the providers can communicate about the principal. Account linkage can be established through the sharing of attributes or through identity federation.

- account management, user n.

See: user account management.

- accountability n.

ISO/IEC 2382-8:1998

The property that ensures that the actions of a entity may be traced uniquely to that entity.

RFC 2828 (2000)

(I) The property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions. (See: audit service.)

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The property that ensures that the actions of an entity may be traced uniquely to the entity.

NIST IR 7298 (2006)

SP 800-27A

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

- accredit vb.

See: accreditation.

- accreditation n.

RFC 2828 (2000)

(I) An administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. [FP102] (See: certification.)

(C) An accreditation is usually based on a technical certification of the system’s security mechanisms. The terms certification and accreditation are used more in the U.S. Department of Defense and other government agencies than in commercial organizations. However, the concepts apply any place where managers are required to deal with and accept responsibility for security risks. The American Bar Association is developing accreditation criteria for CAs.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

Formal declaration by the responsible management approving the operation of an automated system in a particular security mode using a particular set of safeguards. Accreditation is the official authorization by management for the operation of the system, and acceptance by that management of the associated residual risks. Accreditation is based on the certification process as well as other management considerations.

NIST IR 7298 (2006)

SP 800-37 – authorization, security authorization

SP 800-53 – accreditation, authorize processing

FIPS 200 – accreditation

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

IAEG LIAF (2008)

The process used to achieve formal recognition that an organization has agreed to the IAEG operating rules and is competent to perform assessments using the service assessment criteria.

- accreditation authority n.

SC 27 SD 6 (2002)

ISO/IEC 9798-5: 1999

Entity trusted by all members of a group of entities for the purposes of the generation of private accreditation information.

NIST IR 7298 (2006)

SP 800-53; FIPS 200

accrediting authority, authorizing official

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

SP 800-37

authorizing official designated representative

Individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

- accreditation boundary n.

See: security perimeter.

- accreditation multiplicity parameter n.

SC 27 SD 6 (2002)

ISO/IEC 9798-5: 1999

Positive integer equal to the number of items of secret accreditation information provided to an entity by the accreditation authority.

- accreditation package n.

NIST IR 7298 (2006)

SP 800-37

The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to:

the system security plan;
the assessment results from the security certification; and
the plan of action and milestones.

- ACI n.

See: access control information.

- accrediting authority n.

See: accreditation authority.

- ACID n.

See: accessor identifier under userid.

- ACL n.

See: access control list.

- acoustic emission n.

iAfB-ICSA 1999

A proprietary technique used in signature verification (see (signature under) biometric characteristic). As a user writes on a paper surface, the movement of the pen tip over the paper fibres generates acoustic emissions that are transmitted in the form of stress waves within the material of a writing block beneath the document being signed. The structure-borne elastic waves behave in materials in a similar way to sound waves in air and can be detected by a sensor attached to the writing block.

- acquire vb.

JTC 1/SC 37 (2008)

[1.] Successfully complete an acquisition.

[2.] Come to possess; learn or develop. Note: Definition source: Oxford dictionary.

- acquirer n.

RFC 2828 (2000)

(N) SET usage: “The financial institution that establishes an account with a merchant and processes payment card authorizations and payments.” [SET1]

(O) “The institution (or its agent) that acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system.” [SET2]

- acquisition n.

JTC 1/SC 37 (2008)

Process of capturing a biometric sample(s) and creating a biometric sample/biometric feature/biometric model with the intent of comparison or enrolment.

Note: In addition to capture, acquisition may include segmentation, biometric feature extraction, quality control and other pre-processing steps.

- acquisition device n.

See: biometric capture device.

- action n.

OASIS XACML 2.0 (2005)

An operation on a resource.

- activation data n.

NIST IR 7298 (2006)

SP 800-32

Private data, other than keys, that are required to access cryptographic modules.

- active attack n.

See: (secondary definition under) attack.

- active content n.

SP 800-46

NIST IR 7298 (2006)

Active content refers to electronic documents that are able to automatically carry out or trigger actions on a computer platform without the intervention of a user.

- active impostor acceptance n.

iAfB-ICSA 1999

When an impostor submits a modified, simulated or reproduced biometric sample, intentionally attempting to relate it to another person who is an enrollee, and he/she is incorrectly identified or verified by a biometric system as being that enrolee. Compare: passive impostor acceptance.

Note: An impostor can sumbit a fraudulent biometric – e.g., a gelatin fingerprint – but not a fraudulent sample (see: discussion under impostor). The definition might be better worded…

The instance of a biometric system incorrectly accepting an impostor as an enrollee when the impostor submits a modified, simulated, or reproduced biometric characteristic in an intentional attempt to relate it to another person who is an enrollee.

- active role n.

OASIS SAML 2.0 (2005)

A role that a system entity has donned when performing some operation, for example accessing a resource.

- active threat n.

See: (secondary definition under) threat.

- active wiretapping n.

See: (secondary definition under) wiretapping.

- add-on security n.

RFC 2828 (2000)

(I) “The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational.” [FP039]

- address of record n.

NIST SP 800-63-1 DRAFT (2008)

The official location where an individual can be found. The address of record always includes the residential street address of an individual and may also include the mailing address of the individual. In very limited circumstances, an Army Post Office box number, Fleet Post Office box number or the street address of next of kin or of another contact individual can be used when a residential street address for the individual is not available.

- adequate security n.

NIST IR 7298 (2006)

SP 800-53; FIPS 200; OMB Circular A-130, App. III

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

- administrative domain n.

OASIS SAML 2.0 (2005)

An environment or context that is defined by some combination of one or more administrative policies, Internet Domain Name registrations, civil legal entities (for example, individuals, corporations, or other formally organized entities), plus a collection of hosts, network devices and the interconnecting networks (and possibly other traits), plus (often various) network services and applications running upon them. An administrative domain may contain or define one or more security domains. An administrative domain may encompass a single site or multiple sites. The traits defining an administrative domain may, and in many cases will, evolve over time. Administrative domains may interact and enter into agreements for providing and/or consuming services across administrative domain boundaries.

- administrative safeguards n.

See: administrative security.

- administrative security n.

ISO/IEC 2382-8:1998

administrative security, procedural security

Administrative measures for computer security. Note: These measures may be operational and accountability procedures, procedures of investigating breaches in security, and reviewing audit trails.

! RFC 2828 deprecates the term procedural security.

RFC 2828 (2000)

(I) Management procedures and constraints to prevent unauthorized access to a system. (See: security architecture.)

(O) “The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data.” [FP039]

NIST IR 7298 (2006)

administrative safeguards

SP 800-66

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity’s workforce in relation to protecting that information.

- administrator n.

OASIS SAML 2.0 (2005)

A person who installs or maintains a system (e.g. a SAML-based security system) or who uses it to manage system entities, users, and/or content (as opposed to application purposes. See also end user). An administrator is typically affiliated with a particular administrative domain and may be affiliated with more than one administrative domain.

- Advanced Encryption Standard (AES) n.

RFC 2828 (2000)

(N) A future FIPS publication being developed by NIST to succeed DES. Intended to specify an unclassified, publicly-disclosed, symmetric encryption algorithm, available royalty-free worldwide.

NIST IR 7298 (2006)

SP 800-46

The Advanced Encryption Standard specifies a U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.

FIPS 197

This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

SCA ISCTAG (2007)

Advanced Encryption Standard (AES), also known as Rijndael. A block cipher adopted as an encryption standard by the U.S. government.

On 2 October 2000, U.S. Secretary of Commerce Norman Y. Mineta announced that the winner of the three-year AES competition involving some of the world’s leading cryptographers was… Rijndael. NIST’s press release externalLink

FIPS 197 Advanced Encryption Standard (AES) [PDF] externalLink

was published 26 November 2001 and became effective on 26 May 2002.

The other canditates that made it to the final round of the competition were:

See: AES Home Page (archived) externalLink

- adversary n.

RFC 2828 (2000)

(I) An entity that attacks, or is a threat to, a system.

- AES n.

See: Advanced Encryption Standard.

- affiliation n., - affiliation group n.

OASIS SAML 2.0 (2005)

A set of system entities that share a single namespace (in the federated sense) of identifiers for principals.

- AFIS n.

See: Automated Fingerprint Identification System.

- agency n.

NIST IR 7298 (2006)

FIPS 200; 44 U.S.C., Sec. 3502

Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include:

the General Accounting Office;
the Federal Election Commission;
the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.

See also: biometric applicant.

- application n.

NIST IR 7298 (2006)

SP 800-37

The use of information resources (information and information technology) to satisfy a specific set of user requirements.

JTC 1/SC 37 (2006⇒2008)

Program or piece of software designed to fulfil a particular purpose.

Note 1: Definition source: Oxford dictionary.

Note2: This dictionary definition does not preclude other natural language use of the term “application” in the context of biometrics. For example, biometric samples might be collected from an individual biometric capture subject during an application for a passport or visa.

SCA ISCTAG (2007)

A hardware/software system implemented to satisfy a particular set of requirements. In the context of FIPS 201, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.

- application authority n.

SCA ISCTAG (2007)

The entity that defines the rules of the application and attribute disclosure required from a subject to be disclosed in order to provide the service which may be delegated to a service provider.

- application content filtering n.

NIST IR 7298 (2006)

SP 800-41

Application content filtering is performed by a software proxy agent to remove or quarantine viruses that may be contained in email attachments, to block specific Multipurpose Internet Mail Extensions (MIME) types, or to filter other active content such as Java, JavaScript, and ActiveX® Controls.

- application developer n.

iAfB-ICSA 1999

An individual entrusted with developing and implementing a biometric application [or, indeed, any application].

- application program interface n.

iAfB-ICSA 1999

A set of services or instructions used to standardise an application. An API is computer code used by an application developer. Any biometric system [or, indeed, any application] that is compatible with the API can be added or interchanged by the application developer. APIs are often described by the degree to which they are high level or low level. High level means that the interface is close to the application and low level means that the interface is close to the device.

SCA ISCTAG (2007)

A source code interface that a computer system or program library provides in order to support requests for services to be made of it by other computer programs, and/or to allow data to be exchanged.

- application-specific integrated circuit (ASIC) n.

iAfB-ICSA 1999

An integrated circuit (silicon chip) that is specially produced for a biometric system [or, indeed, any application] to improve performance.

- Application Vulnerability Description Language (AVDL) n.

The Application Vulnerability Description Language (AVDL) is a new security interoperability standard. AVDL version 1.0 was approved as an OASIS standard on 23 June 2004.

AVDL provides a uniform way of describing application security vulnerabilities; that is, an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks between any of the various security entities that address HTTP application-level protocol security. Such security entities include vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, and so on.

AVDL can describe vulnerability information such as:

Discreet, previously known vulnerabilities against the application’s software stack or any of its components; e.g., OS type/version, app server type, web server type, database type, etc.
Information on an application’s known legitimate usage schemes, e.g., directory structures, HTML structures, legal entry points, legal interaction parameters, etc.

AVDL is intended to be entirely complimentary to CVE and VulnXML/WAS-XML. AVDL is not intended to communicate network layer vulnerability information such as network topology, TCP related attacks or other network layer issues. Nor is AVDL intended to carry any information about authentication or access control, covered by SAML and XACML.

AVDL was proposed by five product vendors, representing various aspects of the full application security lifecycle. In alphabetical order, these companies are:

Citadel , security remediation
GuardedNet , security event management
Netc.ntinuum , application attack prevention and secure application access (co-chair, AVDL TC)
SPI Dynamics , application vulnerability assessment (co-chair, AVDL TC)
Teros , application attack prevention

See:

- approach n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

The method used or steps taken in setting about a task, problem, etc.

- approval n.

IAEG LIAF (2008)

The process by which the IAEG Board accepts the compliance of a certified service and the CSP responsible for that service commits to upholding the IAEG Rules.

- approved adj.

NIST IR 7298 (2006)

FIPS 201

Federal Information Processing Standard (FIPS) approved or National Institute of Standards and Technology (NIST) recommended. An algorithm or technique that is either:

specified in a FIPS or NIST Recommendation, or
adopted in a FIPS or NIST Recommendation.

FIPS 140-2

FIPS-approved and/or NIST-recommended.

NIST SP 800-63-1 DRAFT (2008)

FIPS approved or NIST recommended. An algorithm or technique that is either:

specified in a FIPS or NIST Recommendation, or
adopted in a FIPS or NIST Recommendation.

- approved encryption n.

IAEG LIAF (2008)

Any cryptographic algorithm or method specified in a FIPS or a NIST recommendation or equivalent, as established by a recognized national technical authority

Refer to http://csrc.nist.gov/cryptval/

- approved mode of operation n.

NIST IR 7298 (2006)

FIPS 140-2

A mode of the cryptographic module that employs only approved security functions (not to be confused with a specific mode of an approved security function, e.g., Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode).

- approved security function n.

NIST IR 7298 (2006)

FIPS 140-2

A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either:

specified in an approved standard,
adopted in an Approved standard and specified either in an appendix of the approved standard or in a document referenced by the approved standard, or
specified in the list of approved security functions.

- approved service n.

IAEG LIAF (2008)

A certified service which has been granted an approval by the IAEG Board.

- archive n. & vb.

ISO/IEC 2382-8:1998

archive

To store backup files and any associated journals, usually for a given period of time.

archive file: A file set aside for later research or verification, for security, or for any other purpose.
archived file: A file for which an archive file exists.

RFC 2828 (2000)

(I) 1. n.: A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (See: backup.) 2. vb.: To store data in such a way. (See: back up.)

(C) A digital signature may need to be verified many years after the signing occurs. The CA – the one that issued the certificate containing the public key needed to verify that signature – may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates.

- ARPANET n.

RFC 2828 (2000)

(N) Advanced Research Projects Agency Network, a pioneer packet-switched network that was built in the early 1970s under contract to the U.S. Government, led to the development of today’s Internet, and was decommissioned in June 1990.

- ASIC

See: application-specific integrated circuit.

- artifact

See: SAML artifact.

- ASN.1

See: Abstract Syntax Notation One.

- assertion n.

OASIS SAML 2.0 (2005)

A piece of data produced by a SAML authority regarding either an act of authentication performed on a subject, attribute information about the subject, or authorization data applying to the subject with respect to a specified resource.

modonis^IDM (2005)

Definition: An assertion is synonymous with a credential.

This may be so only when “credential” has the sense of authentication information – a SAML authentication assertion might be regarded as such. See discussion under credential.

IAEG LIAF (2008)

A statement from a verifier to a relying party that contains identity or other information about a subscriber.

NIST SP 800-63-1 DRAFT (2008)

A statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may also contain verified attributes.

- asserting party n.

OASIS SAML 2.0 (2005)

Formally, the administrative domain that hosts one or more SAML authorities. Informally, an instance of a SAML authority.

- assessment n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

Verification of a deliverable against a standard using the corresponding method to establish compliance and determine the assurance.

IAEG LIAF (2008)

A process used to evaluate an electronic trust service and the service provider using the requirements specified by one or more service assessment criteria for compliance with all applicable requirements.

- assessment method n.

NIST IR 7298 (2006)

SP 800-53

A focused activity or action employed by an assessor for evaluating a particular attribute of a security control.

- assessment procedure n.

NIST IR 7298 (2006)

SP 800-53

A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

- assessor n.

IAEG LIAF (2008)

A person or corporate entity who performs an assessment.

- asset n.

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

Anything that has value to the organization.

ISO/IEC 17799: 2000

Anything that has value to the organization, its business operations and theoir continuity.

ISO/IEC 15408-1: 1999

assets – Information or resources to be protected by the countermeasures of a TOE.

NIST IR 7298 (2006)

SP 800-26

A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

- assignment n.

SC 27 SD 6 (2002)

ISO/IEC 14888-1: 1998, ISO/IEC 9796-3: 2000

A data item which is a function of the witness and possibly of a part of the message, and forms part of the input to the signature function.

ISO/IEC 15408-1: 1999

The specification of an identified parameter in a component.

- association n.

RFC 2828 (2000)

(I) A cooperative relationship between system entities, usually for the purpose of transferring information between them. (See: security association.)

- assurance n.

RFC 2828 (2000)

(I) 1. An attribute of an information system that provides grounds for having confidence that the system operates such that the system security policy is enforced. 2. A procedure that ensures a system is developed and operated as intended by the system’s security policy.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

Grounds for confidence that an entity meets its security objectives.

ISO/IEC WD 15443-1 (11/2001)

Performance of appropriate activities or processes to instil confidence that a deliverable meets its security objectives.

NIST IR 7298 (2006)

SP 800-27A

One of the five security goals. It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes:

functionality that performs correctly,
sufficient protection against unintentional errors (by users or software), and
sufficient resistance to intentional penetration or by-pass.

NIST SP 800-63-1 DRAFT (2008)

In the context of OMB 04-04 and NIST SP 800-63, assurance is defined as:

the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and
the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

- assurance approach n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

A grouping of assurance methods according to the aspect examined.

- assurance authority n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

A person or body responsible (accountable) for the selection, implementation and acceptance of assurance. Note: In specific schemes or organisations, the term for assurance authority may be different such as evaluation authority.

- assurance element n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

A process or activity of an assurance method, in itself recognised to provide reproducible assurance results.

- assurance level n.

RFC 2828 (2000)

(I) evaluation usage: A specific level on a hierarchical scale representing successively increased confidence that a target of evaluation adequately fulfills the requirements. (e.g., see: TCSEC.)

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

The amount of assurance obtained according to the specific scale used by the assurance method. The amount of assurance obtained generally is related to the effort expended on the activities performed. Note: The assurance level may not be measurable in quantitative terms.

SCA ISCTAG (2007)

The degree of certainty that the user has presented an identifier (e.g., a credential) that refers to his or her identity. In the context of FIPS 201, assurance is defined as:

the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and
the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

IAEG LIAF (2008)

assurance level (AL)

A degree of certainty that a claimant has presented a credential that refers to the claimant’s identity.

Each assurance level expresses a degree of confidence in the process used to establish the identity of the individual to whom the credential was issued and a degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

The four assurance levels are:

Level 1: Little or no confidence in the asserted identity’s validity.
Level 2: Some confidence in the asserted identity’s validity.
Level 3: High confidence in the asserted identity’s validity.
Level 4: Very high confidence in the asserted identity’s validity

See: (usage note under) validate – thus “validity” is not quite the right word here. In any case, it’s not the identity that’s being “validated” (~ verified), but the assertion or claim of identity. See also: identity assurance.

- assurance method n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

Documented set of assurance elements recognised to obtain reproducible assurance results.

- assurance results n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

Documented numerical or qualitative assurance statement obtained by applying an assurance method.

- assurance scheme n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

The administrative and regulatory framework under which an assurance method is applied by an assurance authority within a specific community or organisation.

- assurance stage n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

The deliverable life cycle stage on which a given assurance method is focused. The overall deliverable assurance takes into account the results of the assurance methods applied throughout the deliverable life cycle.

- asymmetric cipher n.

SC 27 SD 6 (2002)

ISO/IEC WD 18033-1 (12/2001)

Alternative term for asymmetric encipherment system.

- asymmetric cryptographic technique, - asymmetric cryptography n.

ISO/IEC 2382-8:1998

public-key cryptography, asymmetric cryptography

Cryptography in which a public key and a corresponding private key are used for encryption and decryption. Note: If a public key is used for encryption, the corresponding private key must be used for decryption, and vice versa.

RFC 2828 (2000)

asymmetric cryptography

(I) A modern branch of cryptography (popularly known as public-key cryptography) in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm. (See: key pair.)

(C) Asymmetric algorithms have key management advantages over equivalently strong symmetric ones. First, one key of the pair does not need to be known by anyone but its owner; so it can more easily be kept secret. Second, although the other key of the pair is shared by all entities that use the algorithm, that key does not need to be kept secret from other, non-using entities; so the key distribution part of key management can be done more easily.

(C) For encryption: In an asymmetric encryption algorithm (e.g., see: RSA), when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a public key provided by Bob. Only Bob has the matching private key that is needed to decrypt the data.

(C) For signature: In an asymmetric digital signature algorithm (e.g., see: DSA), when Alice wants to ensure data integrity or provide authentication for data she sends to Bob, she uses her private key to sign the data (i.e., create a digital signature based on the data). To verify the signature, Bob uses the matching public key that Alice has provided.

(C) For key agreement: In an asymmetric key agreement algorithm (e.g., see: Diffie-Hellman), Alice and Bob each send their own public key to the other person. Then each uses their own private key and the other’s public key to compute the new key value.

SC 27 SD 6 (2002)

asymmetric cryptographic technique

ISO/IEC 9798-1: 1997

A cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation. Note: A system based on asymmetric cryptographic techniques can either be an encipherment system, a signature system, a combined encipherment and signature system, or a key agreement system. With asymmetric cryptographic techniques there are four elementary transformations: sign and verify for signature systems, encipher and decipher for encipherment systems. The signature and decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformation are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, since this is not the general case, throughout ISO/IEC 9798 the four elementary transformations and the corresponding keys are kept separate.

ISO/IEC 11770-1: 1996, ISO/IEC FDIS 15946-3 (02/2001)

ISO/IEC 11770-3: 1999

A cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation. Note: A system based on asymmetric cryptographic techniques can either be an encipherment system, a signature system, a combined encipherment and signature system, or a key agreement system. With asymmetric cryptographic techniques there are four elementary transformations: sign and verify for signature systems, encipher and decipher for encipherment systems. The signature and the decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformation are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, since this does not conform to the principle of key separation, throughout this part of ISO/IEC 11770 the four elementary transformations and the corresponding keys are kept separate.

ISO/IEC WD 18033-1 (12/2001)

Cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation.

SCA ISCTAG (2007)

asymmetric cryptographic technique

A cryptographic technique that uses two related operations: a public operation defined by public numbers or by a public key and a private operation defined by private numbers or by a private key. (The two operations have the property that, given the public operation, it is computationally infeasible to derive the private operation.)

public (asymmetric) key cryptography

A type of cryptography that uses a pair of mathematically related cryptographic keys. The public key can be made available to anyone and can encrypt information or verify a digital signature. The private key is kept secret by its holder and can decrypt information or generate a digital signature.

- asymmetric encipherment system n.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)

A system based on asymmetric cryptographic techniques whose public transformation is used for encipherment and whose private transformation is used for decipherment.

ISO/IEC WD 18033-1 (12/2001)

System based on asymmetric cryptographic techniques whose public transformation is used for encipherment and whose private transformation is used for decipherment. Note: An asymmetric encipherment system is an asymmetric cryptographic technique that is also an encryption algorithm.

- asymmetric encryption algorithm n.

SC 27 SD 6 (2002)

ISO/IEC WD 18033-1 (12/2001)

Alternative term for asymmetric encipherment system.

- asymmetric key, - asymmetric keys n.

See: asymmetric key pair.

- asymmetric key pair n.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)

A pair of related keys where the private key defines the private transformation and the public key defines the public transformation.

ISO/IEC WD 18033-1 (12/2001)

Pair of related keys where the private key defines the private transformation and the public key defines the public transformation.

NIST IR 7298 (2006)

FIPS 201

asymmetric keys

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

SCA ISCTAG (2007)

asymmetric keys

Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

NIST SP 800-63-1 DRAFT (2008)

asymmetric keys

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

- asymmetric signature system n.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997

A system based on asymmetric cryptographic techniques whose private transformation is used for signing and whose public transformation is used for verification.

- asynchronous multimodal adj.

See (secondary definition under): multimodal.

- attack n.

ISO/IEC 2382-8:1998

An attempt to violate computer security. Examples: Malicious logic, wiretapping.

RFC 2828 (2000)

(I) An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. (See: penetration, violation, vulnerability.)

active vs. passive: An active attack attempts to alter system resources or affect their operation. A passive attack attempts to learn or make use of information from the system but does not affect system resources. (e.g., see: wiretapping.)
insider vs. outsider: An inside attack is an attack initiated by an entity inside the security perimeter (an insider), i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization. An outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an outsider). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

SC 27 SD 6 (2002)

ISO/IEC DTR 15947 (10/2001)

An attempt to exploit an IT system vulnerability.

IAEG LIAF (2008)

An attempt to obtain a subscriber’s token or to fool a verifier into believing that an unauthorized individual possesses a claimant’s token.

NIST SP 800-63-1 DRAFT (2008)

attack

An attempt to obtain a subscriber’s token or to fool a verifier into believing that an unauthorized individual possess a claimant’s token.

active attack

An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle, impersonation, and session hijacking.

passive attack

An attack against an authentication protocol where the attacker intercepts data traveling along the network between the claimant and verifier, but does not alter the data (i.e. eavesdropping).

- attack potential n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

The perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker’s expertise, resources and motivation.

- attack signature n.

NIST IR 7298 (2006)

SP 800-12

A specific sequence of events indicative of an unauthorized access attempt.

- attacker n.

NIST SP 800-63-1 DRAFT (2008)

A party who acts with malicious intent to assault an information system.

- attempt n., vb.

iAfB-ICSA 1999 and BEM 2002

The submission of a biometric sample to a biometric system for identification or verification. A biometric system may allow more than one attempt to identify or verify.

JTC 1/SC 37 (2006⇒2008)

[n.] The act of attempting.

[vb.] Make an effort to achieve or complete.

Note: Definition source: Oxford dictionary.

- attendant n.

JTC 1/SC 37 (2006⇒2008)

Agent of the biometric system operator who directly interacts with the biometric capture subject.

Example: An immigration officer supervising biometric capture process and taking action on the comparison decision.

- attribute n.

OASIS XACML 2.0 (2005)

Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target. (See also: named attribute.)

(1.1.2 Related terms) In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification. For instance, the term attribute is used in place of the terms: group and role. …

OASIS SAML 2.0 (2005)

A distinct characteristic of an object (in SAML, of a subject). An object’s attributes are said to describe it. Attributes are often specified in terms of physical traits, such as size, shape, weight, and color, etc., for real-world objects. Objects in cyberspace might have attributes describing size, type of encoding, network address, and so on. Which attributes of an object are salient is decided by the beholder. Attributes are often represented as pairs of attribute name and attribute value(s), e.g. “foo” has the value ‘bar’, “count” has the value 1, “gizmo” has the values “frob” and “2”, etc. Often, these are referred to as attribute value pairs. Note that identifiers are essentially distinguished attributes. See also identifier and XML attribute.

modonis^IDM (2005)

Definition: An attribute is a distinct, measurable, physical or abstract named property belonging to an entity.

An attribute has a type and a value. It is any piece of information about an entity, which does not necessarily uniquely distinguish the entity from any other entity in a given context. Attributes include the characteristics of an entity.

An entity has a finite, but unlimited number of attributes.

SCA ISCTAG (2007)

A quality, characteristic or entity that defines properties of a subject (e.g., person), object or element.

IAEG LIAF (2008)

A property associated with an individual.

- attribute assertion n.

OASIS SAML 2.0 (2005)

An assertion that conveys information about attributes of a subject.

- attribute authority n.

RFC 2828 (2000)

(I) A CA that issues attribute certificates.

(O) “An authority, trusted by the verifier to delegate privilege, which issues attribute certificates.” [FPDAM]

SC 27 SD 6 (2002)

ISO/IEC TR 14516: 2000

An entity trusted by one or more entities to create and sign attribute certificates. Note that a CA may also be an AA.

OASIS SAML 2.0 (2005)

A system entity that produces attribute assertions.

NIST IR 7298 (2006)

SP 800-32

An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.

- attribute certificate n.

RFC 2828 (2000)

(I) A digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. [X509]

(O) “A set of attributes of a user together with some other information, rendered unforgeable by the digital signature created using the private key of the CA which issued it.” [X509]

(O) “A data structure that includes some attribute values and identification information about the owner of the attribute certificate, all digitally signed by an Attribute Authority. This authority’s signature serves as the guarantee of the binding between the attributes and their owner.” [FPDAM]

(C) A public-key certificate binds a subject name to a public key value, along with information needed to perform certain cryptographic functions. Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.

Different lifetimes: When the lifetime of an attribute binding is shorter than that of the related public-key certificate, or when it is desirable not to need to revoke a subject’s public key just to revoke an attribute.
Different authorities: When the authority responsible for the attributes is different than the one that issues the public-key certificate for the subject. (There is no requirement that an attribute certificate be issued by the same CA that issued the associated public-key certificate.)

- audit n.

See: computer-system audit, security audit.

- audit data n.

See: security audit trail.

- audit reduction tools n.

NIST IR 7298 (2006)

SP 800-12

Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.

- audit service n.

RFC 2828 (2000)

(I) A security service that records information needed to establish accountability for system events and for the actions of system entities that cause them. (See: security audit.)

- audit trail n.

See: security audit trail.

- augmentation n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

The addition of one or more assurance component(s) from Part 3 (ISO/IEC 15408-3: 1999} to an EAL or assurance package.

- AUTH n.

See: POP3 AUTH.

- authentic signature n.

RFC 2828 (2000)

(I) A signature (particularly a digital signature) that can be trusted because it can be verified. (See: verify.)

- authenticate vb.

RFC 2828 (2000)

(I) Verify (i.e., establish the truth of) an identity claimed by or for a system entity. (See: authentication.)

(D) In general English usage, this term usually means to prove genuine (e.g., an art expert authenticates a Michelangelo painting). But the recommended definition carries a much narrower meaning. For example, to be precise, an ISD SHOULD NOT say “the host authenticates each received datagram”. Instead, the ISD SHOULD say “the host authenticates the origin of each received datagram”. In most cases, we also can say “and verifies the datagram’s integrity”, because that is usually implied. (See: (relationship between data integrity service and authentication services under) data integrity service.)

(D) ISDs SHOULD NOT talk about authenticating a digital signature or digital certificate. Instead, we sign and then verify digital signatures, and we issue and then validate digital certificates. (See: (usage note under) verify.)

NIST IR 7298 (2006)

SP 800-32

To confirm the identity of an entity when that identity is presented.

SCA ISCTAG (2007)

To verify (guarantee) the identity of a person or entity. To ensure that the individual or organization is really who it says it is.

JTC 1/SC 37 (2008)

To prove or show to be of undisputed origin or veracity; genuine.

Note: Definition source: Oxford dictionary.

Explicitly, a word to be used with respect to its natural language definition.

- authentication n.

“Authentication” is generally used with the specific sense of “user authentication”, but does have a more general sense of “establishing confidence of authenticity” reflected in some of the definitions below. See also: data integrity service (“data authentication”), data origin authentication, identity verification.

See also: biometric authentication.

ISO/IEC 2382-8:1998 & 08.01.12

authentication

The act of verifying the claimed identity of a entity.

identity authentication, identity validation [!]

The performance of tests to enable a data processing system to recognize entities. Example: The checking of a password or of an identity token.

! Note that the use of “validation” is incorect in this context! See (discussion under) validate.

RFC 2828 (2000)

(I) The process of verifying an identity claimed by or for a system entity. (See: authenticate, authentication exchange, authentication information, credential, data origin authentication, peer entity authentication.)

? (C) An authentication process consists of two steps [see my remarks below]:

Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)
Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier. (See: verification.)

The “(I)” and first “(C)” paragraphs seem inconsistent. The two-step “authentication process” in the “(C)” paragraph is really an identification and authentication (I&A) process and authentication is strictly just the verification step.

Sometimes the distinction between the two steps is blurred or disappears altogether; i.e., the user’s identity is partially or wholly implicit in the authentication information. See: biometric identification.

SC 27 SD 6 (2002)

ISO/IEC TR 13335-4: 1999

The provision of assurance of the claimed identity of an entity.

ISO/IEC 9798-1: 1997, ISO/IEC 11770-2: 1996, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)

entity authentication

The corroboration that an entity is the one claimed.

OASIS SAML 2.0 (2005)

To confirm a system entity’s asserted principal identity with a specified, or understood, level of confidence.

modonis^IDM (2005)

authentication – 4.5

Definition: Authentication is the corroboration of a claimed set of attributes or facts with a specified, or understood, level of confidence.

Authentication may be used during any IDM process. Authentication serves to demonstrate the integrity (i.e., equivalence to a corresponding reality) and origin (i.e., the source) of what is being pretended (the claimed information). [“pretend” here has the sense of “(to) lay claim to”] The security and reliability of authentication mechanisms may vary dependant on the desired authentication level. The stronger the authentication, the higher the confidence that an entity corresponds with the claimed set of attributes.

Authentication is typically subdivided into two separate classes: data authentication and entity authentication. For this reason, autonomous use of the term “authentication” (without specifying the type of authentication) should be avoided, as it is subject to (mis)interpretation.

Nonetheless, authentication sans specification is generally taken to refer to entity (or user) authentication, as several other definitions attest. Data authentication is possibly better decomposed into data integrity [verification] and data origin authentication.

Authentication can be unilateral or mutual. Unilateral authentication provides assurance of the identity of only one entity, where mutual authentication provides assurance of the identities of both entities. [This comment is clearly about entity authentication! See below.]

entity authentication – 4.5.2

Definition: Entity authentication is the corroboration of the claimed identity of an entity and a set of its observed attributes.

As a part of entity authentication, entities can be identified by factors: knowledge (e.g., password), possession (e.g., token), a personal characteristic (biometrics), location (e.g., network address or phone number), etc., or by a combination of these factors. [Location is not strictly an authentication factor, at least not one that’s on the same footing as the other three; see discussion below. In any case, a phone (number) is more like a token (identifier)!] A typical example of a two-factor authentication mechanism consists of the combination of password and fingerprint authentication.

The specific case of biometrics can be considered a variation of possession (e.g., fingerprint authentication demonstrates the possession of the required fingertip). As the only difference between biometry and other forms of possession is the decreased likelihood of accidental loss of the identifying element, it does not necessitate specific attention at this point.

Entity authentication can be unilateral or mutual. Unilateral authentication provides assurance of the identity of only one entity. Mutual authentication provides assurance of the identities of both entities.

NIST IR 7298 (2006)

SP 800-53; FIPS 200

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

FIPS 201

The process of establishing confidence of authenticity.

FIPS 190

Encompasses identity verification, message origin authentication, and message content authentication.

SP 800-21 [2ndEd]

A process that establishes the origin of information or determines an entity’s identity.

That is, either data origin authentication or user authentication.

SCA ISCTAG (2007)

authentication

The process of validating the identity of a person or other entity.

This should read “verifiying”! See (discussion under) validate.

authentication factors

Pieces of information used to verify a person’s identity for security purposes. The three most commonly recognized factors are:

Something you know, such as a password or personal identification number (PIN)
Something you have, such as a credential, card or token
Something you are, such as a fingerprint or other biometric.

IAEG LIAF (2008)

authentication

Authentication simply establishes identity, not what that identity is authorized to do or what access privileges he or she has.

identity authentication

Process of establishing an understood level of confidence that an identifier refers to an identity.

It may or may not be possible to link the authenticated identity to an individual. [See: identity proofing.]

NIST SP 800-63-1 DRAFT (2008)

authentication

The process of establishing confidence in the identity of users or information systems.

electronic authentication, e-authentication

The process of establishing confidence in user identities electronically presented to an information system.

Three types of authentication are described by NCSC-TG-017 A Guide to Understanding Identification and Authentication in Trusted Systems

(also known as the Light Blue Book). In each type, authentication information may exist as, or be derived from, an authentication factor (or login factor).

NCSC-TG-017 Classification	Factor	Examples
Type 1 Authentication by Knowledge	Something the entity knows.	a password, a PIN
Type 2 Authentication by Ownership	Something the entity owns , possesses, or holds. Sometimes described as authentication by possession.	a token
Type 3 Authentication by Characteristic	Something the entity is or does – i.e., a characteristic or property of the entity. Sometimes also called authentication by property, but this term might be confused with Type 2 authentication, if property is understood in the sense of “something owned”.	a biometric characteristic

Using any one authentication factor alone provides single-factor authentication. Any two authentication factors can be combined to provide two-factor authentication; NCSC-TG-017 calls these combinations Type 12 (say “one-two”, rather than “twelve”), Type 13, and Type 23. Combining all three factors provides three-factor authentication (Type 123).

Are there other authentication factors? Location, say? I’d say not.

(See: authentication method; authentication service.)

- authentication assertion n.

OASIS SAML 2.0 (2005)

An assertion that conveys information about a successful act of authentication that took place for a subject.

NIST SP 800-63-1 DRAFT (2008)

SAML authentication assertion

A SAML assertion that conveys information about a successful act of authentication that took place for a subject.

- authentication authority n.

OASIS SAML 2.0 (2005)

A system entity that produces authentication assertions. [SAMLAgree]

- authentication code n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term as a synonym for any form of checksum, whether cryptographic or not. The word authentication is misleading because the mechanism involved usually serves a data integrity function rather than an authentication function, and the word code is misleading because it implies that either encoding or encryption is involved or that the term refers to computer software. (See: message authentication code.)

NIST IR 7298 (2006)

FIPS 140-2

A cryptographic checksum based on an approved security function (also known as a Message Authentication Code (MAC)).

- authentication data n.

See: authentication information.

- authentication, electronic n.

See: (secondary definition under) authentication.

- authentication exchange n.

ISO/IEC 2382-8:1998

A mechanism intended to ensure the identity of a entity by means of an information exchange.

RFC 2828 (2000)

(I) A mechanism to verify the identity of an entity by means of information exchange.

(O) “A mechanism intended to ensure the identity of an entity by means of information exchange.” [I7498 Part 2]

- authentication factor n.

See: (secondary definition under) authentication.

- Authentication Header (AH) n.

RFC 2828 (2000)

(I) An Internet IPsec protocol [R2402] designed to provide connectionless data integrity service and data origin authentication service for IP datagrams, and (optionally) to provide protection against replay attacks.

(C) Replay protection may be selected by the receiver when a security association is established. AH authenticates upper-layer protocol data units and as much of the IP header as possible. However, some IP header fields may change in transit, and the value of these fields, when the packet arrives at the receiver, may not be predictable by the sender. Thus, the values of such fields cannot be protected end-to-end by AH; protection of the IP header by AH is only partial when such fields are present.

(C) AH may be used alone, or in combination with the IPsec ESP protocol, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. ESP can provide the same security services as AH, and ESP can also provide data confidentiality service. The main difference between authentication services provided by ESP and AH is the extent of the coverage; ESP does not protect IP header fields unless they are encapsulated by AH.

- authentication information n.

ISO/IEC 2382-8:1998

Information used to establish the validity of the claimed identity of an entity.

RFC 2828 (2000)

(I) Information used to verify an identity claimed by or for an entity. (See: authentication, credential.)

Something the entity knows. (See: password.)
Something the entity possesses. (See: token.)
Something the entity is. (See: biometric authentication.)

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

authentication data

Information used to verify the claimed identity of a user.

NIST IR 7298 (2006)

FIPS 196

authentication token

Authentication information conveyed during an authentication exchange.

See: (discussion under) authentication. See also: credential, token.

- authentication management infrastructure (AMI) n.

A name used by some vendors to describe a class of products that provide a single authentication service for multiple target systems within a heterogenous environment, which supports the use of multiple authentication methods and granular authentication policies.

An AMI product may provide native single sign-on (SSO) functionality or be used in conjunction with a SSO product.

- authentication mechanism n.

NIST IR 7298 (2006)

SP 800-72

Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.

- authentication method n.

An authentication method is a specific implementation of an authentication factor, or of a combination of factors, that yields discrete authentication information.

- authentication mode n.

NIST IR 7298 (2006)

SP 800-38B

A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

- authentication protocol n.

IAEG LIAF (2008)

A well-specified message exchange process that verifies possession of a token to remotely authenticate a claimant.

Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected.

NIST SP 800-63-1 DRAFT (2008)

A well-specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected. A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has control of a valid token to establish his/her identity, and optionally, demonstrates to the claimant that he or she is communicating with the intended verifier.

- authentication service n.

RFC 2828 (2000)

(I) A security service that verifies an identity claimed by or for an entity. (See: authentication.)

(C) In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service.

An authentication service yields an authentication decision using ―

one or more authentication methods AND
zero or more “child” authentication services AND
zero or more pieces of contextual and environmental information

Some vendors call combinations of authentication methods within an authentication service authentication chains or login sequences.

(Note that a combination of authentication methods does not necessarily imply a combination of types of authentication factors. For example, an authentication service might combine face and voice – both Type 3.)

- authentication tag n.

NIST IR 7298 (2006)

SP 800-38B

A pair of bit strings associated to data to provide assurance of its authenticity.

- authentication token n.

See: authentication information.

- authenticity n.

RFC 2828 (2000)

(I) The property of being genuine and able to be verified and be trusted. (See: authenticate, authentication, verify)

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems and information.

NIST IR 7298 (2006)

SP 800-53

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.

NIST SP 800-63-1 DRAFT (2008)

The property that data originated from its purported source.

- authentification n.

! A surprisingly common misspelling of authentication, perhaps an unconscious blend of authentication and verification… or maybe influenced by identification, even among native English speakers. Non-native English-speakers will likely be influenced by French authentification, Spanish autentificación, and Dutch authentificatie.

- authN n.

An abbreviation of authentication; compare with: authZ.

- authorisation n., - authorise vb.

Variant (UK) spellings of authorization, authorize.

- authority n.

RFC 2828 (2000)

(D) “An entity, responsible for the issuance of certificates.” [FPDAM]

(C) ISDs SHOULD NOT use this term as a synonym for AA, CA, RA, ORA, or similar terms, because it may cause confusion. Instead, use the full term at the first instance of usage and then, if it is necessary to shorten text, use the style of abbreviation defined in this Glossary.

(C) ISDs SHOULD NOT use this definition for any PKI entity, because the definition is ambiguous with regard to whether the entity actually issues certificates (e.g., attribute authority or certification authority) or just has accountability for processes that precede or follow signing (e.g., registration authority). (See: issue.)

- authority certificate n.

RFC 2828 (2000)

(D) “A certificate issued to an authority (e.g. either to a certification authority or to an attribute authority).” [FPDAM] (See: authority.)

(C) ISDs SHOULD NOT use this term or definition because they are ambiguous with regard to which specific types of PKI entities they address.

- authority revocation list (ARL) n.

RFC 2828 (2000)

(I) A data structure that enumerates digital certificates that were issued to CAs but have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, X.509 authority revocation list.)

(O) “A revocation list containing a list of public-key certificates issued to authorities, which are no longer considered valid by the certificate issuer.” [FPDAM]

- authorization n.

1. (a property) ◆ See also: access right, entitlement, permission, privilege.

RFC 2828 (2000)

? (I) A right or a permission that is granted to a system entity to access a system resource. (See: privilege.)

2. (a process) ◆ See also: authorize.

ISO/IEC 2382-8:1998

? The granting of rights, which includes the granting of access based on access rights.

RFC 2828 (2000)

? (I) authorization process

A procedure for granting a system entity rights or permissions to access a system resource.

(O) SET usage

authorization: “The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder’s debt above the account’s credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed – provided, of course, that the merchant followed the rules associated with the authorization process.)” [SET2]

OASIS SAML 2.0 (2005)

The process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access. [Taxonomy]

modonis^IDM (2005)

Definition: Authorisation refers to

the permission of an authenticated entity to perform a defined action or to use a defined service/resource; [that is, a property; see above]
the process of determining, by evaluation of applicable permissions, whether an authenticated entity is allowed to have access to a particular resource.

Usually, authorisation is in the context of authentication. Permission is granted or denied based on the result of data or entity authentication, and on the allowed activities, as defined within the system. Once an entity is authenticated, it may be authorized to perform different types of access, each of which is referred to as a role.

SCA ISCTAG (2007)

The assignment of a privilege or privileges (e.g., access to a building or network) verifying that a known person or entity has the authority to perform a specific operation. Authorization is provided after authentication.

IAEG LIAF (2008)

Process of deciding what an individual ought to be allowed to do.

! It is difficult to disambiguate these different senses of authorization (and authorize) – it is a real can of worms!

Not only is the authorization applied to a property – for which usage (access) right or (access) permission might better be used – but it is also applied to both management, administration, and systems-level processes.

A time-ordered view might be helpful – each step might be called authorization:

A manager authorizes (gives approval for) a user to be permitted certain access rights to certain resources.
An administrator authorizes (grants those access rights to) the user.
The user attempts to access a resource and the system authorizes (checks the user’s access rights to determine that it can allow) access.

My feeling is that the first two senses should be deprecated as only the last is on the same footing as authentication. A definition for this sense along the lines of that for authentication might be useful —

The process of verifying access rights claimed by or for a system entity.

3. (a declaration of approval) ◆ See: accreditation.

- authorization decision n.

OASIS XACML 2.0 (2005)

The result of evaluating applicable policy, returned by the PDP to the PEP. A function that evaluates to Permit, Deny, Indeterminate or NotApplicable, and (optionally) a set of obligations.

OASIS SAML 2.0 (2005)

The result of an act of authorization. The result may be negative, that is, it may indicate that the subject is not allowed any access to the resource.

- authorization decision assertion n.

OASIS SAML 2.0 (2005)

An assertion that conveys information about an authorization decision.

- authorization process n.

See: (secondary definition under) authorization.

- authorize vb.

RFC 2828 (2000)

? (I) To grant a system entity rights or permissions to access a system resource. (See: authorization.)

- authorized user n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

A user who may, in accordance with the TSP, perform an operation.

- authorizing official n.

See: accreditation authority.

- authorizing official designated representative n.

See: accreditation authority.

- authZ n.

An abbreviation of authorization; compare with: authN.

- auto-correlation n.

iAfB-ICSA 1999

A proprietary fingerscanning technique. Two identical finger images are overlaid in the auto-correlation process, so that light and dark areas, known as Moiré fringes, are created.

- Automated Fingerprint Identification System (AFIS) n.

iAfB-ICSA 1999

A highly specialised biometric system that compares a single finger image with a database of finger images. AFIS is predominantly used for law enforcement, but is also being put to use in civil applications. For law enforcement, finger images are collected from crime scenes, known as latents, or are taken from criminal suspects when they are arrested. In civilian applications, finger images may be captured by placing a finger on a scanner or by electronically scanning inked impressions on paper.

- automated information system n.

See: information system.

- automated key transport n.

NIST IR 7298 (2006)

FIPS 140-2

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

- automated password generator n.

NIST IR 7298 (2006)

FIPS 181

An algorithm which creates random passwords that have no association with a particular user.

- automatic ID, - auto ID n.

iAfB-ICSA 1999

An umbrella term for any biometric system or other security technology that uses automatic means to check identity. This applies to both one-to-one verification and one-to-many identification.

- availability n.

ISO/IEC 2382-8:1998

The property of data or of resources being accessible and usable on demand by an authorized entity.

RFC 2828 (2000)

(I) The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. (See: critical, denial of service, reliability, survivability.)

(O) “The property of being accessible and usable upon demand by an authorized entity.” [I7498 Part 2]

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The property of being accessible and usable upon demand by an authorized entity.

NIST IR 7298 (2006)

SP 800-53; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542

Ensuring timely and reliable access to and use of information.

- availability service n.

RFC 2828 (2000)

(I) A security service that protects a system to ensure its availability.

(C) This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources, and thus depends on access control service and other security services.

- AVDL n.

See: Application Vulnerability Description Language.

- awareness n.

See also: awareness and training program, education, needs assessment, and training.

NIST IR 7298 (2006)

SP 800-50

awareness (information security)

Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.

SP 800-50

IT security awareness

The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

- awareness and training program n.

See also: awareness, education, needs assessment, and training.

NIST IR 7298 (2006)

SP 800-50

IT security awareness and training program

Explains proper rules of behavior for the use of agency IT systems and information. The program communicates IT security policies and procedures that need to be followed.

The originals sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both ―
	The GNU Free Documentation License	A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
	http://homepage.mac.com/antallan/gista.html	Last updated Friday 12 December 2008

Ant’s HomePage ⇧ Security Matters ⇧ GIST ⇧ A

GIST v0.7 ― A “AA” to “awareness and training program”

A

Ant’s HomePage
⇧ Security Matters
⇧ GIST
⇧ A

GIST v0.7 ― A
“AA” to “awareness and training program”