
GIST v0.7 ― C
“CA” to “cyclic[al] redundancy check (CRC)”

C

- CA n. 
See: certification authority.
- CA certificate n. 
RFC 2828 (2000)
(I) “A [digital] certificate for one CA issued by another CA.” [X509]
(C) That is, a digital certificate whose holder is able to issue digital certificates. A v3 X.509 public-key certificate may have a basicConstraints extension containing a cA value that specifically “indicates whether or not the public key may be used to verify certificate signatures.”
- call back n. 
ISO/IEC 2382-8:1998
call-back, dial-back
A procedure in which a data processing system identifies a calling terminal, disconnects the call, and dials the calling terminal to authenticate the calling terminal.
RFC 2828 (2000)
(I) An authentication technique for terminals that remotely access a computer via telephone lines. The host system disconnects the caller and then calls back on a telephone number that was previously authorized for that terminal.
- candidate n. 
JTC 1/SC 37 (2006⇒2008)
Biometric reference identifier of a biometric reference in the [biometric] enrolment database determined to be similar to the probe biometric sample.
Note: Determination may be on the basis of comparison score and/or rank.
- candidate list n. 
JTC 1/SC 37 (2006⇒2008)
Set of zero, one or more candidates that may be intermediate or final.
Note: Intermediate candidate lists may be produced by systems that use multi-pass biometric identification.
- candidate score n. 
JTC 1/SC 37 (2006⇒2008)
Comparison score for a candidate.
- CAP n.
See: Credential Assessment Profile.
- capability n. 
ISO/IEC 2382-8:1998
A representation of the identifications of an object, or of a class of objects, and of a set of authorized access types for these objects. Note: A capability can be implemented in the form of a ticket.
RFC 2828 (2000)
(I) A token, usually an unforgeable data value (sometimes called a ticket) that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource named or indicated by the token. (See: access control list, credential, digital certificate.)
(C) This concept can be implemented as a digital certificate. (See: attribute certificate.)
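As an added example, not part of the glossary or of any of the standards it cites, the Go program below implements a capability in the RFC 2828 sense: a bearer token that names an object and the access types granted on it, made unforgeable with an HMAC under a key that only the issuing system holds. Possession of a token that verifies is then accepted as proof of authorization; nobody without the key can mint a token or change its rights field. The token layout, the "|" field separator, the key value and the resource names are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Capability is the token of the RFC 2828 definition: an object and the access types
// granted on it. Mint binds these fields to a MAC so the holder cannot alter them.
type Capability struct {
	Object string // resource name; must not contain the '|' field separator
	Rights string // access types, e.g. "r" or "rw"
	Expiry int64  // Unix seconds; 0 means no expiry
}

// issuerKey stands in for the issuing system's secret (constructed for this example).
var issuerKey = []byte("example-issuer-key-not-for-production")

func tag(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// Mint issues a bearer token of the form base64url(payload).base64url(HMAC-SHA256).
func Mint(key []byte, c Capability) string {
	if strings.ContainsAny(c.Object+c.Rights, "|") {
		panic("capability fields must not contain the separator")
	}
	p := c.Object + "|" + c.Rights + "|" + strconv.FormatInt(c.Expiry, 10)
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(p)) + "." + enc.EncodeToString(tag(key, p))
}

// Check verifies a presented token and returns the capability it carries, or an error
// if the token is malformed, forged or altered (MAC mismatch), or expired at now.
func Check(key []byte, token string, now time.Time) (Capability, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Capability{}, errors.New("malformed token")
	}
	p, err := enc.DecodeString(parts[0])
	if err != nil {
		return Capability{}, err
	}
	mac, err := enc.DecodeString(parts[1])
	if err != nil {
		return Capability{}, err
	}
	// Verify the MAC before interpreting any field, in constant time so the comparison
	// does not leak how many leading bytes of a guessed tag were right.
	if subtle.ConstantTimeCompare(mac, tag(key, string(p))) != 1 {
		return Capability{}, errors.New("bad MAC: token forged or altered")
	}
	f := strings.Split(string(p), "|")
	if len(f) != 3 {
		return Capability{}, errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return Capability{}, err
	}
	if exp != 0 && !now.Before(time.Unix(exp, 0)) {
		return Capability{}, errors.New("token expired")
	}
	return Capability{Object: f[0], Rights: f[1], Expiry: exp}, nil
}

// Authorize is the access decision: the token must verify and must grant the
// requested access type on the requested object.
func Authorize(key []byte, token, object, right string, now time.Time) error {
	c, err := Check(key, token, now)
	if err != nil {
		return err
	}
	if c.Object != object || !strings.Contains(c.Rights, right) {
		return fmt.Errorf("token grants %q on %q, not %q on %q", c.Rights, c.Object, right, object)
	}
	return nil
}

func main() {
	now := time.Now()
	tok := Mint(issuerKey, Capability{Object: "/reports/q3.pdf", Rights: "r", Expiry: now.Add(time.Hour).Unix()})
	fmt.Println("read:  ", Authorize(issuerKey, tok, "/reports/q3.pdf", "r", now))
	fmt.Println("write: ", Authorize(issuerKey, tok, "/reports/q3.pdf", "w", now))
	// Tampering attempt: rewrite the payload to claim "rw" while keeping the original MAC.
	exp := strconv.FormatInt(now.Add(time.Hour).Unix(), 10)
	forged := base64.RawURLEncoding.EncodeToString([]byte("/reports/q3.pdf|rw|"+exp)) + "." + strings.Split(tok, ".")[1]
	fmt.Println("forged:", Authorize(issuerKey, forged, "/reports/q3.pdf", "w", now))
}
```

The MAC is checked before any field is parsed, and the comparison is constant-time; the altered "rw" payload in main fails at that step, so the rights it claims are never consulted. Because the token is a bearer credential, anyone who obtains a copy can use it, which is why the example carries an expiry and why such tokens are normally delivered only over an authenticated, confidential channel.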
- capability list n. 
ISO/IEC 2382-8:1998
A list associated with a subject that identifies all of the subject’s access types for all objects. Example: A list associated with a process that identifies all of its access types for all files and other protected resources.
- capacitance n. 
iAfB-ICSA 1999
A finger image capture technique that senses an electrical charge, from the contact of ridges, when a finger is placed on the surface of a sensor. (See: biometric characteristic.)
! Note: More generally, capacitance is the property of a system that enables it to store electric charge, or a measure of this.
- capacity n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 9796-2 (12/2001)
Positive integer indicating the number of bits available within the signature for the recoverable part of the message.
- CAPI n. 
See: cryptographic application programming interface.
- CAPSTONE chip n. 
RFC 2828 (2000)
(N) An integrated circuit (the Mykotronx, Inc. MYK-82) with a Type II cryptographic processor that implements SKIPJACK, KEA, DSA, SHA, and basic mathematical functions to support asymmetric cryptography, and includes the key escrow feature of the CLIPPER chip. (See: FORTEZZA.)
- capture n. 
JTC 1/SC 37 (2008)
Record or express accurately in words or pictures; cause data to be stored in a computer.
Note: Definition source: Oxford dictionary.
See: biometric capture process.
- capture attempt n. 
JTC 1/SC 37 (2008)
Predetermined number/type/length of presentations with the intent of producing a captured biometric sample.
Note 1: A capture attempt involves only biometric samples and not the acquisition of metadata.
- captured biometric sample n. 
JTC 1/SC 37 (2006⇒2008)
captured biometric sample; raw biometric sample (deprecated)
Biometric sample that is the output of the biometric capture process and the input to intermediate biometric sample processing.
- capture transaction n.
JTC 1/SC 37 (2008)
One or more capture attempts with the intent of acquiring all of the biometric data from a biometric capture subject necessary to produce either a biometric reference or a probe biometric sample set.
It seems unlikely that a capture transaction captures all of the biometric data, as that also designates feature sets, templates, and so on that are the outputs of later processes…
- card n. 
SCA ISCTAG (2007)
  1. A type of physical form factor designed to carry electronic information and/or human readable data.
  2. Under FIPS 201, a dual interface smart card-based ID badge for both physical and logical access that contains within it an integrated circuit chip.
See: cryptographic card, FORTEZZA, payment card, PC card, smart card, token.
- card backup n. 
See: token backup.
- card copy n. 
See: token copy.
- card issuer n.
SCA ISCTAG (2007)
The organization or entity that issues cards.
- card management system (CMS) n.
SCA ISCTAG (2007)
A smart card/token and digital credential management solution that is used to issue, manage, personalize and support cryptographic smart cards and PKI certificates for identity-based applications throughout an organization.
- card reader n.
SCA ISCTAG (2007)
Any device that reads encoded information from a card, token, or other identity device and communicates to a host such as a control panel/processor or database for further action.
See: smart-card interface device.
- card restore n. 
See: token restore.
- card serial number n.
SCA ISCTAG (2007)
An identifier which is guaranteed to be unique among all identifiers used for a specific purpose. (See: unique identifier.)
- cardholder n. 
RFC 2828 (2000)
(I) An entity that has been issued a card.
(O) SET usage: “The holder of a valid payment card account and user of software supporting electronic commerce.” [SET2] A cardholder is issued a payment card by an issuer. SET ensures that in the cardholder’s interactions with merchants, the payment card account information remains confidential. [SET1]
NIST IR 7298 (2006)
FIPS 201
An individual possessing an issued personal identity verification (PIV) card.
SCA ISCTAG (2007)
An individual to whom an ID card is issued or assigned.
- cardholder certificate n. 
RFC 2828 (2000)
(O) SET usage: A digital certificate that is issued to a cardholder upon approval of the cardholder’s issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]
- cardholder certification authority (CCA) n. 
RFC 2828 (2000)
(O) SET usage: A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]
- Cardholder Unique Identifier (CHUID) n.
SCA ISCTAG (2007)
Part of the standardized data model for cardholder identification data for FIPS 201.
- CAS n. 
See: controlled access system.
- CAST n. 
RFC 2828 (2000)
(N) A design procedure for symmetric encryption algorithms, and a resulting family of algorithms, invented by C.A. (Carlisle Adams) and S.T. (Stafford Tavares). [R2144, R2612]
- casual impostor n. 
JTC 1/SC 37 (2006⇒2008)
Opportunistic biometric impostor that acts without use of artifacts, knowledge or cunning.
- category n. 
ISO/IEC 2382-8:1998
security category
A nonhierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone.
RFC 2828 (2000)
(I) A grouping of sensitive information items to which a non-hierarchical restrictive security label is applied to increase protection of the data. (See: compartment.)
NIST IR 7298 (2006)
SP 800-53; FIPS 200; FIPS 199
security category
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
- CAW n. 
See: certification authority workstation.
- CBC n. 
See: cipher block chaining.
- CBC/MAC n. 
See: cipher block chaining-message authentication code.
- CBEFF n. 
See: Common Biometric Exchange File Format.
- CCA n. 
See: cardholder certification authority.
- CCD n. 
See: charge-coupled device.
- CCITT n. 
RFC 2828 (2000)
(N) Acronym for French translation of International Telephone and Telegraph Consultative Committee. Now renamed ITU-T.
- CCM n. 
See: counter with cipher block chaining-message authentication code.
- CERT n. 
See: computer emergency response team.
- certificate n. 
RFC 2828 (2000)
(I) general English usage: A document that attests to the truth of something or the ownership of something.
(C) security usage: See: capability, digital certificate.
(C) PKI usage: See: attribute certificate, public-key certificate.
SC 27 SD 6 (2002)
ISO/IEC WD 13888-1 (11/2001)
An entity’s data rendered unforgeable with the private or secret key of a certification authority. [≡ digital certificate.]
ISO/IEC 15292: 2001
A declaration by an independent authority operating in accordance with ISO Guide 58, Calibration and testing laboratory accreditation systems - General requirements for operation and recognition, confirming that an evaluation pass statement is valid. (See certification, sense 1.)
NIST IR 7298 (2006)
SP 800-32
A digital representation of information which at least
  1. identifies the certification authority issuing it,
  2. names or identifies its subscriber,
  3. contains the subscriber’s public key,
  4. identifies its operational period, and
  5. is digitally signed by the certification authority issuing it.
[public-key certificate.]
SP 800-21 [2ndEd]
A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod. [public-key certificate.]
- certificate authority n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term because it looks like sloppy use of certification authority, which is the term standardized by X.509.
- certificate chain n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term because it duplicates the meaning of a standardized term. Instead, use certification path.
- certificate chain validation n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term because it duplicates the meaning of standardized terms and mixes concepts in a potentially misleading way. Instead, use certificate validation or path validation, depending on what is meant. (See: validate.)
- certificate creation n. 
RFC 2828 (2000)
(I) The act or process by which a CA sets the values of a digital certificate’s data fields and signs it. (See: issue.)
- certificate directory n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 15945 (10/2000)
A directory containing a well defined (sub)set of public key certificates. This directory can contain certificates from different Certification Authorities.
- certificate domain n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 9796-2 (12/2001)
Collection of entities using public key certificates created by a single certification authority (CA) or a collection of CAs operating under a single security policy.
- certificate domain parameters n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 9796-2 (12/2001)
Cryptographic parameters specific to a certificate domain and which are known and agreed by all members of the certificate domain.
- certificate expiration n. 
RFC 2828 (2000)
(I) The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, validity period.)
- certificate extension n. 
See: extension.
- certificate holder n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term as a synonym for the subject of a digital certificate because the term is potentially ambiguous. For example, the term could also refer to a system entity, such as a repository, that simply has possession of a copy of the certificate. (See: certificate owner.)
- certificate management n. 
RFC 2828 (2000)
(I) The functions that a CA may perform during the life cycle of a digital certificate, including the following:
  • Acquire and verify data items to bind into the certificate.
  • Encode and sign the certificate.
  • Store the certificate in a directory or repository.
  • Renew, rekey, and update the certificate.
  • Revoke the certificate and issue a CRL.
(See: archive, key management, security architecture, token management.)
- certificate management authority (CMA) n. 
NIST IR 7298 (2006)
SP 800-32
A certification authority (CA) or a registration authority (RA).
- certificate management services n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 15945 (10/2000)
All services needed for the maintenance of the lifecycle of certificates, including registration, certification, distribution, and revocation of certificates.
- certificate owner n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term as a synonym for the subject of a digital certificate because the term is potentially ambiguous. For example, the term could also refer to a system entity, such as a corporation, that has acquired a certificate to operate some other entity, such as a Web server. (See: certificate holder.)
- certificate policy n. 
RFC 2828 (2000)
(I) “A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” [X509] (See: certification practice statement.)
(C) A certificate policy can help a certificate user decide whether a certificate should be trusted in a particular application. “For example, a particular certificate policy might indicate applicability of a type of certificate for the authentication of electronic data interchange transactions for the trading goods within a given price range.” [R2527]
(C) A v3 X.509 public-key certificate may have a certificatePolicies extension that lists certificate policies, recognized by the issuing CA, that apply to the certificate and govern its use. Each policy is denoted by an object identifier and may optionally have certificate policy qualifiers.
(C) SET usage: Every SET certificate specifies at least one certificate policy, that of the SET root CA. SET uses certificate policy qualifiers to point to the actual policy statement and to add qualifying policies to the root policy. (See: SET qualifier.)
NIST IR 7298 (2006)
SP 800-32
A certificate policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A certificate policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.
This definition seems to span both certificate policy (as in the other definitions, above) and certification practice statement.
- certificate policy qualifier n. 
RFC 2828 (2000)
(I) Information that pertains to a certificate policy and is included in a certificatePolicies extension in a v3 X.509 public-key certificate.
- certificate reactivation n. 
RFC 2828 (2000)
(I) The act or process by which a digital certificate, which a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.
- certificate rekey n. 
RFC 2828 (2000)
(I) The act or process by which an existing public-key certificate has its public key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)
(C) For an X.509 public-key certificate, the essence of rekey is that the subject stays the same and a new public key is bound to that subject. Other changes are made, and the old certificate is revoked, only as required by the PKI and CPS in support of the rekey. If changes go beyond that, the process is a certificate update.
(O) MISSI usage: To rekey a MISSI X.509 public-key certificate means that the issuing authority creates a new certificate that is identical to the old one, except the new one has a new, different KEA key; or a new, different DSS key; or new, different KEA and DSS keys. The new certificate also has a different serial number and may have a different validity period. A new key creation date and maximum key lifetime period are assigned to each newly generated key. If a new KEA key is generated, that key is assigned a new KMID. The old certificate remains valid until it expires, but may not be further renewed, rekeyed, or updated.
- certificate-related information n. 
NIST IR 7298 (2006)
SP 800-32
Information, such as a subscriber’s postal address, that is not included in a certificate. May be used by a certification authority (CA) managing certificates.
- certificate renewal n. 
RFC 2828 (2000)
(I) The act or process by which the validity of the data binding asserted by an existing public-key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)
(C) For an X.509 public-key certificate, this term means that the validity period is extended (and, of course, a new serial number is assigned) but the binding of the public key to the subject and to other data items stays the same. The other data items are changed, and the old certificate is revoked, only as required by the PKI and CPS to support the renewal. If changes go beyond that, the process is a certificate rekey or certificate update.
NIST IR 7298 (2006)
SP 800-32
renew (a certificate)
The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate.
- certificate request n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term because it looks like imprecise use of a term standardized by PKCS #10 and used in PKIX. Instead, use the standard term, certification request.
- certificate revocation n. 
RFC 2828 (2000)
(I) The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with a revocation date.
(C) In X.509, a revocation is announced to potential certificate users by issuing a CRL that mentions the certificate. Revocation and listing on a CRL is only necessary before certificate expiration.
NIST IR 7298 (2006)
SP 800-32
revoke a certificate
To prematurely end the operational period of a certificate effective at a specific date and time.
- certificate revocation list (CRL) n. 
RFC 2828 (2000)
(I) A data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, X.509 certificate revocation list.)
(O) “A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate’s expiry. CRLs may be used to identify revoked public-key certificates or attribute certificates and may represent revocation of certificates issued to authorities or to users. The term CRL is also commonly used as a generic term applying to all the different types of revocation lists, including CRLs, ARLs, ACRLs, etc.” [FPDAM]
NIST IR 7298 (2006)
SP 800-21 [2ndEd]
A list of revoked but un-expired certificates issued by a CA.
SCA ISCTAG (2007)
A list of certificates that have been revoked before their expiration by a certificate authority.
NIST SP 800-63-1 DRAFT (2008)
A list of revoked public key certificates created and digitally signed by a certification authority. See [RFC 3280]
- certificate revocation tree n. 
RFC 2828 (2000)
(I) A mechanism for distributing notice of certificate revocations; uses a tree of hash results that is signed by the tree’s issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)
- certificate serial number n. 
RFC 2828 (2000)
(I) An integer value that (a) is associated with, and may be carried in, a digital certificate; (b) is assigned to the certificate by the certificate’s issuer; and (c) is unique among all the certificates produced by that issuer.
(O) “An integer value, unique within the issuing CA, which is unambiguously associated with a certificate issued by that CA.” [X509]
- certificate status authority n. 
NIST IR 7298 (2006)
SP 800-32
A trusted entity that provides on-line verification to a relying party of a subject certificate’s trustworthiness, and may also provide additional attribute information for the subject certificate.
- certificate status responder n. 
RFC 2828 (2000)
(N) FPKI usage: A trusted on-line server that acts for a CA to provide authenticated certificate status information to certificate users. [FPKI] Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate revocation tree.)
- certificate update n. 
RFC 2828 (2000)
(I) The act or process by which non-key data items bound in an existing public-key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate. (See: certificate rekey, certificate renewal.)
(C) For an X.509 public-key certificate, the essence of this process is that fundamental changes are made in the data that is bound to the public key, such that it is necessary to revoke the old certificate. (Otherwise, the process is only a certificate rekey or certificate renewal.)
NIST IR 7298 (2006)
SP 800-32
update (a certificate)
The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate.
- certificate user n. 
RFC 2828 (2000)
(I) A system entity that depends on the validity of information (such as another entity’s public key value) provided by a digital certificate. (See: relying party.)
(O) “An entity that needs to know, with certainty, the public key of another entity.” [X509]
(C) The system entity may be a human being or an organization, or a device or process under the control of a human or an organization.
(D) ISDs SHOULD NOT use this term as a synonym for the subject of a certificate.
- certificate validation n. 
RFC 2828 (2000)
(I) An act or process by which a certificate user establishes that the assertions made by a digital certificate can be trusted. (See: valid certificate, validate.)
(O) “The process of ensuring that a certificate is valid including possibly the construction and processing of a certification path, and ensuring that all certificates in that path have not expired or been revoked.” [FPDAM]
(C) To validate a certificate, a certificate user checks that the certificate is properly formed and signed and currently in force:
  • Checks the signature: Employs the issuer’s public key to verify the digital signature of the CA who issued the certificate in question. If the verifier obtains the issuer’s public key from the issuer’s own public-key certificate, that certificate should be validated, too. That validation may lead to yet another certificate to be validated, and so on. Thus, in general, certificate validation involves discovering and validating a certification path.
  • Checks the syntax and semantics: Parses the certificate’s syntax and interprets its semantics, applying rules specified for and by its data fields, such as for critical extensions in an X.509 certificate.
  • Checks currency and revocation: Verifies that the certificate is currently in force by checking that the current date and time are within the validity period (if that is specified in the certificate) and that the certificate is not listed on a CRL or otherwise announced as invalid. (CRLs themselves require a similar validation process.)
- certification n. 
1. (accreditation) ◆ See also: certification and accreditation.
ISO/IEC 2382-8:1998
Procedure by which a third party gives assurance that all or part of a data processing system conforms to security requirements.
iAfB-ICSA 1999
The process of testing a biometric system to ensure that it meets certain performance criteria. Systems that meet the testing criteria are said to have passed and are certified by the testing organisation.
RFC 2828 (2000)
(I) information system usage: Technical evaluation (usually made in support of an accreditation action) of an information system’s security features and other safeguards to establish the extent to which the system’s design and implementation meet specified security requirements. [FP102] (See: accreditation.)
(O) SET usage: “The process of ascertaining that a set of requirements or criteria has been fulfilled and attesting to that fact to others, usually with some written instrument. A system that has been inspected and evaluated as fully compliant with the SET protocol by duly authorized parties and process would be said to have been certified compliant.” [SET2]
SC 27 SD 6 (2002)
ISO/IEC WD 15443-1 (11/2001)
Procedure by which a third party gives written assurance that a deliverable (product, system or service) conforms to specified requirements.
NIST IR 7298 (2006)
SP 800-53; FIPS 200
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
FIPS 201
The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
SCA ISCTAG (2007)
The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
IAEG LIAF (2008)
The IAEG’s affirmation that a particular credential service provider can provide a particular credential service at a particular assurance level.
2. (PKI usage)
RFC 2828 (2000)
(I) digital certificate usage: The act or process of vouching for the truth and accuracy of the binding between data items in a certificate. (See: certify.)
(I) public key usage: The act or process of vouching for the ownership of a public key by issuing a public-key certificate that binds the key to the name of the entity that possesses the matching private key. In addition to binding a key to a name, a public-key certificate may bind those items to other restrictive or explanatory data items. (See: X.509 public-key certificate.)
- certification agent n. 
NIST IR 7298 (2006)
SP 800-53
The individual, group, or organization responsible for conducting a security certification.
- certification and accreditation (C&A) n. 
NIST IR 7298 (2006)
SP 800-37
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
- certification authority (CA) n. 
RFC 2828 (2000)
(I) An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
(O) “An authority trusted by one or more users to create and assign certificates. Optionally, the certification authority may create the user’s keys.” [X509]
(C) Certificate users depend on the validity of information provided by a certificate. Thus, a CA should be someone that certificate users trust, and usually holds an official position created and granted power by a government, a corporation, or some other organization. A CA is responsible for managing the life cycle of certificates (see: certificate management) and, depending on the type of certificate and the CPS that applies, may be responsible for the life cycle of key pairs associated with the certificates (see: key management).
SC 27 SD 6 (2002)
ISO/IEC 9796-3: 2000, ISO/IEC 11770-1: 1996, ISO/IEC 11770-3: 1999
A centre trusted to create and assign public key certificates. Optionally, the certification authority may create and assign keys to the entities.
NIST IR 7298 (2006)
FIPS 201
A trusted entity that issues and revokes public key certificates.
SP 800-21 [2ndEd]
The entity in a public key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance to a PKI policy.
SCA ISCTAG (2007)
certificate authority (CA)
A trusted third party that is responsible for issuing and revoking digital certificates within the public key infrastructure.
Note that while RFC 2828 deprecates certificate authority, it does have wider currency than certification authority.
NIST SP 800-63-1 DRAFT (2008)
A trusted entity that issues and revokes public key certificates.
- certification authority facility n. 
NIST IR 7298 (2006)
SP 800-32
The collection of equipment, personnel, procedures and structures that are used by a certification authority to perform certificate issuance and revocation.
- certification authority workstation (CAW) n. 
RFC 2828 (2000)
(I) A computer system that enables a CA to issue digital certificates and supports other certificate management functions as required.
- certification body n.
IAEG LIAF (2008)
An organization which has been deemed competent to perform assessments of a particular type.
Such assessments may be formal evaluations or testing and be based upon some defined set of standards or other criteria.
- certification hierarchy n. 
RFC 2828 (2000)
(I) A tree-structured (loop-free) topology of relationships among CAs and the entities to whom the CAs issue public-key certificates. (See: hierarchical PKI.)
(C) In this structure, one CA is the top CA, the highest level of the hierarchy. (See: root, top CA.) The top CA may issue public-key certificates to one or more additional CAs that form the second highest level. Each of these CAs may issue certificates to more CAs at the third highest level, and so on. The CAs at the second-lowest level of the hierarchy issue certificates only to non-CA entities, called end entities, that form the lowest level. (See: end entity.) Thus, all certification paths begin at the top CA and descend through zero or more levels of other CAs. All certificate users base path validations on the top CA’s public key.
(O) MISSI usage: A MISSI certification hierarchy has three or four levels of CAs:
(O) PEM usage: A PEM certification hierarchy has three levels of CAs [R1422]:
(O) SET usage: A SET certification hierarchy has three or four levels of CAs:
- certification path n. 
RFC 2828 (2000)
(I) An ordered sequence of public-key certificates (or a sequence of public-key certificates followed by one attribute certificate) that enables a certificate user to verify the signature on the last certificate in the path, and thus enables the user to obtain a certified public key (or certified attributes) of the entity that is the subject of that last certificate. (See: certificate validation, valid certificate.)
(O) “An ordered sequence of certificates of objects in the [X.500 Directory Information Tree] which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.” [X509, R2527]
(C) The path is the “list of certificates needed to allow a particular user to obtain the public key of another.” [X509] The list is “linked” in the sense that the digital signature of each certificate (except the first) is verified by the public key contained in the preceding certificate; i.e., the private key used to sign a certificate and the public key contained in the preceding certificate form a key pair owned by the entity that signed.
(C) In the X.509 quotation in the previous “C” paragraph, the word “particular” points out that a certification path that can be validated by one certificate user might not be able to be validated by another. That is because either the first certificate should be a trusted certificate (it might be a root certificate) or the signature on the first certificate should be verified by a trusted key (it might be a root key), but such trust is defined relative to each user, not absolutely for all users.
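The path validation described in the paragraphs above, as an added example written for this page rather than taken from RFC 2828 or X.509; it uses Go's crypto/x509, which implements the X.509 path-validation rules. It builds a three-level hierarchy (top CA, subordinate CA, end entity) with freshly generated P-256 keys, validates the end entity's path with the top CA as trust anchor, and then shows the "particular user" point by validating the same certificates with no anchor and with an unrelated anchor. The subject names (Example Top CA, server.example.test) and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Holder pairs a certificate with the private key that signs under it.
type Holder struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue generates a P-256 key pair and a certificate for cn signed by issuer.
// With issuer == nil the certificate is self-signed (a candidate top CA).
// The basicConstraints cA flag (IsCA) is what lets a holder act as a CA.
func Issue(cn string, isCA bool, issuer *Holder, serial int64) (*Holder, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Holder{Cert: cert, Key: key}, nil
}

// DemoPKI is a three-level hierarchy: top CA, one subordinate CA, one end entity.
type DemoPKI struct {
	Root, Sub, EE *Holder
}

func NewDemoPKI() (*DemoPKI, error) {
	root, err := Issue("Example Top CA", true, nil, 1)
	if err != nil {
		return nil, err
	}
	sub, err := Issue("Example Subordinate CA", true, root, 2)
	if err != nil {
		return nil, err
	}
	ee, err := Issue("server.example.test", false, sub, 3)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Sub: sub, EE: ee}, nil
}

// PathLength validates the end-entity certificate relative to the given trust
// anchors and returns the number of certificates in the path found (leaf first,
// anchor last). With no matching anchor no path exists, however well-formed the
// certificates are: trust is defined relative to the certificate user.
func PathLength(p *DemoPKI, anchors ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool() // empty pool, so the system store is NOT consulted
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inter := x509.NewCertPool()
	inter.AddCert(p.Sub.Cert)
	chains, err := p.EE.Cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	p, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	n, err := PathLength(p, p.Root.Cert)
	fmt.Println("top CA as anchor:   ", n, err)
	other, _ := Issue("Unrelated Top CA", true, nil, 9)
	n, err = PathLength(p, other.Cert)
	fmt.Println("unrelated anchor:   ", n, err)
	n, err = PathLength(p)
	fmt.Println("no anchor at all:   ", n, err)
}
```

The first call returns a path of three certificates (end entity, subordinate CA, top CA); the other two fail with an unknown-authority error even though every signature in the chain is valid, which is exactly why the X.509 text says "a particular user".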
- certification policy n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term. Instead, use either certificate policy or certification practice statement, depending on what is meant.
- certification practice statement (CPS) n. 
RFC 2828 (2000)
(I) “A statement of the practices which a certification authority employs in issuing certificates.” [ABA96, R2527] (See: certificate policy.)
(C) A CPS is a published security policy that can help a certificate user to decide whether a certificate issued by a particular CA can be trusted enough to use in a particular application. A CPS may be (a) a declaration by a CA of the details of the system and practices it employs in its certificate management operations, (b) part of a contract between the CA and an entity to whom a certificate is issued, (c) a statute or regulation applicable to the CA, or (d) a combination of these types involving multiple documents. [ABA]
(C) A CPS is usually more detailed and procedurally oriented than a certificate policy. A CPS applies to a particular CA or CA community, while a certificate policy applies across CAs or communities. A CA with a single CPS may support multiple certificate policies, which may be used for different application purposes or by different user communities. Multiple CAs, each with a different CPS, may support the same certificate policy. [R2527]
NIST IR 7298 (2006)
SP 800-32
A statement of the practices that a certification authority employs in issuing, suspending, revoking and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this certificate policy, or requirements specified in a contract for services).
This definition appears to use certificate policy where it should say CPS.
- certification request n. 
RFC 2828 (2000)
(I) An algorithm-independent transaction format, defined by PKCS #10 and used in PKIX, that contains a DN, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification, and sent to a CA, which transforms the request to an X.509 public-key certificate or another type of certificate.
- certification service n. 
SC 27 SD 6 (2002)
ISO/IEC FDIS 15945 (10/2000)
The service of creating and assigning certificates performed by a CA and described in ISO/IEC 9594-8: 1995.
- certified service n.
IAEG LIAF (2008)
An electronic trust service which has been assessed by an IAEG-recognized certification body and found to be compliant with the applicable SACs.
- certify vb. 
RFC 2828 (2000)
1. (I) Issue a digital certificate and thus vouch for the truth, accuracy, and binding between data items in the certificate (e.g., see: X.509 public key certificate), such as the identity of the certificate’s subject and the ownership of a public key. (See: certification.)
(C) To certify a public key means to issue a public-key certificate that vouches for the binding between the certificate’s subject and the key.
2. (I) The act by which a CA employs measures to verify the truth, accuracy, and binding between data items in a digital certificate.
(C) A description of the measures used for verification should be included in the CA’s CPS.
- CFB n. 
See: cipher feedback.
- chain letter n. 
ISO/IEC 2382-8:1998
A synonym for bacterium.
- chain of custody n. 
NIST IR 7298 (2006)
SP 800-72
A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
- chain of trust n.
SCA ISCTAG (2007)
An attribute of a secure ID system that encompasses all of the system’s components and processes and assures that the system as a whole is worthy of trust. A chain of trust should guarantee the authenticity of the people, issuing organizations, devices, equipment, networks, and other components of a secure ID system. The chain of trust must also ensure that information within the system is verified, authenticated, protected, and used appropriately.
- challenge n. 
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
A data item chosen at random and sent by the verifier to the claimant, which is used by the claimant, in conjunction with secret information held by the claimant, to generate a response which is sent to the verifier.
SCA ISCTAG (2007)
The demand for disclosure of one or more attributes related to a subject made by a service authority.
- Challenge Handshake Authentication Protocol (CHAP) n. 
RFC 2828 (2000)
(I) A peer entity authentication method for PPP, using a randomly-generated challenge and requiring a matching response that depends on a cryptographic hash of the challenge and a secret key. [R1994] (See: challenge-response, PAP.)
- challenge-response n. 
RFC 2828 (2000)
(I) An authentication process that verifies an identity by requiring correct authentication information to be provided in response to a challenge. In a computer system, the authentication information is usually a value that is required to be computed in response to an unpredictable challenge value.
SCA ISCTAG (2007)
challenge/response
A family of protocols in which one party (e.g., a reader) presents a question (“challenge”) and another party (e.g., a credential) must provide a valid answer (“response”) in order to be authenticated.
NIST SP 800-63-1 DRAFT (2008)
challenge-response protocol
An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a shared secret (often such as by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier knows the shared secret and can independently compute or verify the response and compare it with the response generated by the claimant (such as by re-computing the hash of the challenge and the shared secret and comparing it to the response, or by performing a public key operation on the response), and so establish that the claimant possesses and controls the secret. If the two are the same, the claimant is considered to have successfully authenticated himself. When the shared secret is a cryptographic key, such protocols are generally secure against eavesdroppers. When the shared secret is a password, an eavesdropper does not directly intercept the password itself, but the eavesdropper may be able to find the password with an off-line password guessing attack.
- Challenge-Response Authentication Mechanism (CRAM) n. 
RFC 2828 (2000)
(I) IMAP4 usage: A mechanism [R2195], intended for use with IMAP4 AUTHENTICATE, by which an IMAP4 client uses a keyed hash [R2104] to authenticate itself to an IMAP4 server. (See: POP3 APOP.)
(C) The server includes a unique timestamp in its ready response to the client. The client replies with the client’s name and the hash result of applying MD5 to a string formed from concatenating the timestamp with a shared secret that is known only to the client and the server.
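The CRAM-MD5 exchange, as an added example written for this page (it is not code from RFC 2828 or RFC 2195) that covers both the challenge-response definitions above and this CRAM entry: the server issues a unique challenge, the client answers with a keyed hash, the verifier recomputes and compares it, and an eavesdropper who captured both messages runs the off-line guessing attack that the SP 800-63-1 text warns about. One caveat on the (C) paragraph: RFC 2195 specifies HMAC-MD5, the RFC 2104 keyed hash, with the shared secret as key and the challenge as message, which is what the code computes; it is not a plain MD5 of the timestamp concatenated with the secret. The user name and password follow RFC 2195's own example; the host name and the candidate password list are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// NewChallenge builds the server's "ready" challenge. RFC 2195 requires it to
// be unique per exchange; embedding a counter and the clock makes it so.
func NewChallenge(counter int, host string) string {
	return fmt.Sprintf("<%d.%d@%s>", counter, time.Now().UnixNano(), host)
}

// cramDigest is the keyed hash at the core of CRAM-MD5: HMAC-MD5 (RFC 2104)
// keyed with the shared secret, over the challenge.
func cramDigest(secret, challenge string) string {
	m := hmac.New(md5.New, []byte(secret))
	m.Write([]byte(challenge))
	return hex.EncodeToString(m.Sum(nil))
}

// ClientResponse is what the claimant returns: base64("user" SP digest).
func ClientResponse(user, secret, challenge string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + " " + cramDigest(secret, challenge)))
}

// ServerVerify is the verifier side: decode, look up the user's secret,
// recompute the digest for the challenge it issued, and compare.
func ServerVerify(response, challenge string, secrets map[string]string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(response)
	if err != nil {
		return "", false
	}
	parts := strings.SplitN(string(raw), " ", 2)
	if len(parts) != 2 {
		return "", false
	}
	secret, known := secrets[parts[0]]
	if !known {
		return parts[0], false
	}
	want := cramDigest(secret, challenge)
	return parts[0], subtle.ConstantTimeCompare([]byte(want), []byte(parts[1])) == 1
}

// OfflineGuess is the eavesdropper's view: having captured the challenge and
// the response, it tests candidate passwords without ever touching the server.
func OfflineGuess(challenge, response string, candidates []string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(response)
	if err != nil {
		return "", false
	}
	parts := strings.SplitN(string(raw), " ", 2)
	if len(parts) != 2 {
		return "", false
	}
	for _, c := range candidates {
		if cramDigest(c, challenge) == parts[1] {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed credential store; the name and password follow RFC 2195's example.
	secrets := map[string]string{"tim": "tanstaaftanstaaf"}
	ch := NewChallenge(1896, "postoffice.example.test")
	fmt.Println("S: +", base64.StdEncoding.EncodeToString([]byte(ch)))
	resp := ClientResponse("tim", secrets["tim"], ch)
	fmt.Println("C:", resp)
	user, ok := ServerVerify(resp, ch, secrets)
	fmt.Println("verifier accepts", user, ok)
	guess, found := OfflineGuess(ch, resp, []string{"password", "letmein", "tanstaaftanstaaf"})
	fmt.Println("eavesdropper's guess:", guess, found)
}
```

A replayed response fails because the server never issues the same challenge twice, but the captured pair is enough for the off-line attack to succeed whenever the password is in the guess list; the keyed hash protects a random key, not a weak password.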
- challenge-response protocol n. 
See: challenge-response.
- channel n. 
RFC 2828 (2000)
(I) An information transfer path within a system. (See: covert channel.)
- CHAP n. 
See: Challenge Handshake Authentication Protocol.
- characteristic n.
modonisIDM (2005)
Definition: A characteristic of an entity is an attribute specific to a particular context.
A characteristic does not need to uniquely identify an entity. Characteristics indicate an entity’s capacity, function, and qualification, etc.
Examples:
  • the prime minister of a particular country or a prime minister in a group of prime ministers;
  • the Belgian national registry number of a citizen in Belgium or the same number determining a part of a computer device.
While a characteristic is a single attribute, in practice it often implies a set of other attributes, which may or may not be included in the system. E.g., the characteristic of being a doctor implies adulthood and the completion of a certain education.
- charge-coupled device (CCD) n. 
iAfB-ICSA 1999
A semiconductor device that records images electronically.
- check character n. 
SC 27 SD 6
ISO/IEC FCD 7064 (09/2000)
Added character which may be used to verify the accuracy of a string by a mathematical relationship to that string.
- check character system n. 
SC 27 SD 6
ISO/IEC FCD 7064 (09/2000)
Set of rules for generating check characters and checking strings incorporating check characters.
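An added example of one check character system, written for this page and not taken from ISO/IEC 7064: the pure system MOD 97-10, whose two check characters make the whole numeric string congruent to 1 modulo 97. It shows generation, the receiving-side check, and an exhaustive test that every single-digit substitution and every adjacent transposition of the protected string is detected. The sample string 794 is constructed.

```go
package main

import "fmt"

// mod97 reduces a decimal digit string modulo 97 one digit at a time, so
// strings longer than a machine word are handled without big integers.
func mod97(digits string) (int, error) {
	r := 0
	for _, c := range digits {
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("non-digit %q in %q", c, digits)
		}
		r = (r*10 + int(c-'0')) % 97
	}
	return r, nil
}

// Generate appends the two check characters of MOD 97-10: the two-digit
// value that makes (digits || check) congruent to 1 modulo 97.
func Generate(digits string) (string, error) {
	r, err := mod97(digits + "00")
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s%02d", digits, 98-r), nil
}

// Check is the receiving side: the whole string, check characters included,
// must reduce to 1 modulo 97.
func Check(protected string) bool {
	if len(protected) < 3 {
		return false
	}
	r, err := mod97(protected)
	return err == nil && r == 1
}

// UndetectedErrors counts the single-digit substitutions and adjacent
// transpositions of protected that Check wrongly accepts. Because 97 is prime
// and divides neither 10 nor any non-zero digit difference, the count is 0.
func UndetectedErrors(protected string) int {
	n := 0
	b := []byte(protected)
	for i := range b {
		for d := byte('0'); d <= '9'; d++ {
			if d == b[i] {
				continue
			}
			m := append([]byte(nil), b...)
			m[i] = d
			if Check(string(m)) {
				n++
			}
		}
	}
	for i := 0; i+1 < len(b); i++ {
		if b[i] == b[i+1] {
			continue
		}
		m := append([]byte(nil), b...)
		m[i], m[i+1] = m[i+1], m[i]
		if Check(string(m)) {
			n++
		}
	}
	return n
}

func main() {
	p, err := Generate("794") // constructed sample string
	fmt.Println(p, err, "check:", Check(p), "undetected errors:", UndetectedErrors(p))
}
```

Check characters guard against clerical and transmission errors only; as with any unkeyed value, anyone who alters the string can regenerate them (compare checksum, protected checksum).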
- checking code n. 
ISO/IEC 2382-8:1998
Machine instructions that read part of a disk to determine whether it is an unauthorized copy.
- checksum n. 
RFC 2828 (2000)
(I) A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for the purpose of detecting changes in the data. (See: cyclic redundancy check, data integrity service, error detection code, hash function , keyed hash, protected checksum.)
(C) To gain confidence that a data object has not been changed, an entity that later uses the data can compute a checksum and compare it with the checksum that was stored or transmitted with the object.
(C) Computer systems and networks employ checksums (and other mechanisms) to detect accidental changes in data. However, active wiretapping that changes data could also change an accompanying checksum to match the changed data. Thus, some checksum functions by themselves are not good countermeasures for active attacks. To protect against active attacks, the checksum function needs to be well-chosen (see: cryptographic hash), and the checksum result needs to be cryptographically protected (see: digital signature, keyed hash).
SCA ISCTAG (2007)
A computed value that depends on the contents of a message. The checksum is transmitted with the message. The receiving party can then recompute the checksum to verify that the message was not corrupted during transmission.
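An added example, written for this page rather than drawn from RFC 2828 or the SCA glossary, of the distinction the (C) paragraphs draw: a CRC-32 checksum catches a flipped bit but is trivially recomputed by an active wiretapper, whereas a protected checksum (a keyed hash, here HMAC-SHA256) catches both because the wiretapper lacks the key. The key and the two messages are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Frame is a data object carried together with its checksum, as in the definition.
type Frame struct {
	Payload []byte
	Tag     []byte
}

// SealCRC attaches a CRC-32 (IEEE) checksum: an unkeyed function of the contents.
func SealCRC(payload []byte) Frame {
	tag := make([]byte, 4)
	binary.BigEndian.PutUint32(tag, crc32.ChecksumIEEE(payload))
	return Frame{Payload: payload, Tag: tag}
}

// VerifyCRC recomputes the checksum and compares, as the (C) paragraph describes.
func VerifyCRC(f Frame) bool {
	return len(f.Tag) == 4 && binary.BigEndian.Uint32(f.Tag) == crc32.ChecksumIEEE(f.Payload)
}

// SealHMAC attaches a protected checksum: HMAC-SHA256 under a key that the
// wiretapper does not hold (the "keyed hash" of the definition).
func SealHMAC(key, payload []byte) Frame {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return Frame{Payload: payload, Tag: m.Sum(nil)}
}

// VerifyHMAC recomputes the tag and compares in constant time.
func VerifyHMAC(key []byte, f Frame) bool {
	m := hmac.New(sha256.New, key)
	m.Write(f.Payload)
	return hmac.Equal(m.Sum(nil), f.Tag)
}

// Outcome records whether each mechanism caught each kind of change.
type Outcome struct {
	CRCDetectsNoise, HMACDetectsNoise     bool // accidental single-bit corruption
	CRCDetectsForgery, HMACDetectsForgery bool // active wiretapper rewrites the payload
}

// RunScenario exercises both mechanisms against both kinds of change.
func RunScenario(key, payload, forged []byte) Outcome {
	crc := SealCRC(payload)
	mac := SealHMAC(key, payload)

	// Line noise: one bit of the payload flips, the tag travels unchanged.
	noisy := func(f Frame) Frame {
		p := append([]byte(nil), f.Payload...)
		p[0] ^= 0x80
		return Frame{Payload: p, Tag: f.Tag}
	}

	return Outcome{
		CRCDetectsNoise:  !VerifyCRC(noisy(crc)),
		HMACDetectsNoise: !VerifyHMAC(key, noisy(mac)),
		// The wiretapper can recompute an unkeyed checksum over the forged
		// payload, so the CRC frame still verifies at the receiver...
		CRCDetectsForgery: !VerifyCRC(SealCRC(forged)),
		// ...but without the key the best it can do is reuse the old tag.
		HMACDetectsForgery: !VerifyHMAC(key, Frame{Payload: forged, Tag: mac.Tag}),
	}
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // constructed for the example
	payload := []byte("TRANSFER 100 TO ACCT 4711")       // constructed sample message
	forged := []byte("TRANSFER 900 TO ACCT 6666")        // what the wiretapper substitutes
	fmt.Printf("%+v\n", RunScenario(key, payload, forged))
}
```

The key must be shared out of band and kept from the attacker; a keyed hash with a guessable key is no better than the CRC.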
- chief information officer (CIO) n. 
NIST IR 7298 (2006)
SP 800-53; FIPS 200; Public Law 104-106, Sec. 5125(b)
Agency official responsible for:
  1. Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, executive orders, directives, policies, regulations, and priorities established by the head of the agency;
  2. Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
  3. Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- chief information security officer (CISO) n. 
NIST IR 7298 (2006)
SP 800-53; FIPS 200; 44 U.S.C., Sec. 3544
senior agency information security officer
Official responsible for carrying out the chief information officer (CIO) responsibilities under the Federal Information Security Management Act (FISMA) and serving as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
- chip n.
SCA ISCTAG (2007)
Electronic component that performs logic, processing and/or memory functions.
- chosen-ciphertext attack n. 
RFC 2828 (2000)
(I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of plaintext that corresponds to ciphertext selected (i.e., dictated) by the analyst.
- chosen-plaintext attack n. 
ISO/IEC 2382-8:1998
An analytical attack in which a cryptanalyst can submit an unlimited number of plaintext messages and examine the corresponding ciphertext.
RFC 2828 (2000)
(I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of ciphertext that corresponds to plaintext selected (i.e., dictated) by the analyst.
- CHUID n.
See: Cardholder Unique Identifier.
- CIAC n. 
See: Computer Incident Advisory Capability.
- CIK n. 
See: cryptographic ignition key.
- cipher n. 
RFC 2828 (2000)
(I) A cryptographic algorithm for encryption and decryption.
SC 27 SD 6 (2002)
ISO/IEC WD 18033-1 (12/2001)
Alternative term for encryption algorithm.
ISO/IEC WD 18033-1 (12/2001)
encryption algorithm
Cryptographic technique used to protect the confidentiality of data. An encryption algorithm consists of two processes: encryption (or encipherment) which transforms plaintext into ciphertext, and decryption (or decipherment) which transforms ciphertext to plaintext.
NIST IR 7298 (2006)
FIPS 197
Series of transformations that converts plaintext to ciphertext using the cipher key.
- cipher block chaining (CBC) n. 
RFC 2828 (2000)
(I) A block cipher mode that enhances electronic codebook mode by chaining together blocks of ciphertext it produces. [FP081] (See: [R1829], [R2451].)
(C) This mode operates by combining (exclusive OR-ing) the algorithm’s ciphertext output block with the next plaintext block to form the next input block for the algorithm.
- cipher block chaining-message authentication code (CBC-MAC) n. 
NIST IR 7298 (2006)
SP 800-38C
A secret-key block-cipher algorithm used to encrypt data and to generate a message authentication code (MAC) to provide assurance that the payload and the associated data are authentic.
This wording describes CCM (counter with CBC-MAC), the combined mode that SP 800-38C specifies, rather than CBC-MAC on its own; CBC-MAC produces only a MAC (the final CBC ciphertext block under a secret key) and does not encrypt the data.
- cipher feedback (CFB) n. 
RFC 2828 (2000)
(I) A block cipher mode that enhances electronic code book mode by chaining together the blocks of ciphertext it produces and operating on plaintext segments of variable length less than or equal to the block length. [FP081]
(C) This mode operates by using the previously generated ciphertext segment as the algorithm’s input (i.e., by “feeding back” the ciphertext) to generate an output block, and then combining (exclusive OR-ing) that output block with the next plaintext segment (block length or less) to form the next ciphertext segment.
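Both chaining rules, as an added example written for this page and not taken from RFC 2828 or FIPS 81: CBC and full-block CFB are implemented directly from the two (C) descriptions above with AES as the block cipher, checked against Go's crypto/cipher, and then a single bit of one ciphertext block is flipped so the different error-propagation behaviour of the two modes becomes visible. The key and IV are constructed for the demonstration; in practice the IV must be unique per message and unpredictable for both modes, and neither mode detects tampering by itself (see: checksum, keyed hash).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CBCEncrypt follows the CBC definition literally: the input to the cipher is
// the plaintext block XORed with the previous ciphertext block, the IV
// standing in for the "previous" block at the start.
func CBCEncrypt(b cipher.Block, iv, pt []byte) []byte {
	n := b.BlockSize()
	ct := make([]byte, 0, len(pt))
	prev := iv
	for i := 0; i < len(pt); i += n {
		out := make([]byte, n)
		b.Encrypt(out, xorBlocks(pt[i:i+n], prev))
		ct = append(ct, out...)
		prev = out
	}
	return ct
}

// CFBEncrypt (full-block segments) follows the CFB definition: the previous
// ciphertext block is fed back through the forward cipher and the output is
// XORed with the next plaintext block. The cipher never runs in decrypt direction.
func CFBEncrypt(b cipher.Block, iv, pt []byte) []byte {
	n := b.BlockSize()
	ct := make([]byte, 0, len(pt))
	prev := iv
	for i := 0; i < len(pt); i += n {
		ks := make([]byte, n)
		b.Encrypt(ks, prev)
		out := xorBlocks(pt[i:i+n], ks)
		ct = append(ct, out...)
		prev = out
	}
	return ct
}

// library runs crypto/cipher's own encryptor over pt and decryptor over ct.
func library(mode string, b cipher.Block, iv, pt, ct []byte) (libCT, dec []byte) {
	libCT = make([]byte, len(pt))
	dec = make([]byte, len(ct))
	switch mode {
	case "CBC":
		cipher.NewCBCEncrypter(b, iv).CryptBlocks(libCT, pt)
		cipher.NewCBCDecrypter(b, iv).CryptBlocks(dec, ct)
	case "CFB":
		cipher.NewCFBEncrypter(b, iv).XORKeyStream(libCT, pt)
		cipher.NewCFBDecrypter(b, iv).XORKeyStream(dec, ct)
	}
	return
}

// Propagation encrypts four blocks, flips the low bit of byte 0 of ciphertext
// block 1, decrypts with the library and classifies each recovered block as
// "same", "bitflip" (exactly that one bit differs) or "garbled". It also reports
// whether the manual encryptor above matched the library byte for byte.
func Propagation(mode string) ([]string, bool, error) {
	key := []byte("0123456789abcdef") // constructed demo key; never use a fixed key in practice
	iv := []byte("fedcba9876543210")  // constructed demo IV; real IVs are unique and unpredictable
	pt := bytes.Repeat([]byte("sixteen-byte-blk"), 4)
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, false, err
	}
	var ct []byte
	switch mode {
	case "CBC":
		ct = CBCEncrypt(b, iv, pt)
	case "CFB":
		ct = CFBEncrypt(b, iv, pt)
	default:
		return nil, false, fmt.Errorf("unknown mode %q", mode)
	}
	libCT, _ := library(mode, b, iv, pt, ct)
	manualMatchesLibrary := bytes.Equal(ct, libCT)

	tampered := append([]byte(nil), ct...)
	tampered[16] ^= 0x01 // one bit in ciphertext block 1
	_, dec := library(mode, b, iv, pt, tampered)

	zero := make([]byte, 16)
	var res []string
	for i := 0; i < 4; i++ {
		d := xorBlocks(pt[i*16:(i+1)*16], dec[i*16:(i+1)*16])
		switch {
		case bytes.Equal(d, zero):
			res = append(res, "same")
		case d[0] == 0x01 && bytes.Equal(d[1:], zero[1:]):
			res = append(res, "bitflip")
		default:
			res = append(res, "garbled")
		}
	}
	return res, manualMatchesLibrary, nil
}

func main() {
	for _, m := range []string{"CBC", "CFB"} {
		res, ok, err := Propagation(m)
		fmt.Println(m, res, "manual matches library:", ok, err)
	}
}
```

CBC garbles the block whose ciphertext was altered and flips the same bit in the next block; CFB flips the bit in the altered block itself and garbles the next one. In both modes the damage stops after two blocks (self-synchronising), and in both the attacker can make controlled bit changes in one plaintext block, which is why an integrity mechanism is needed alongside either mode.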
- cipher key n. 
NIST IR 7298 (2006)
FIPS 197
Secret, cryptographic key that is used by the key expansion routine to generate a set of round keys; can be pictured as a rectangular array of bytes, having four rows and Nk columns.
- cipher suite n. 
NIST IR 7298 (2006)
SP 800-52
Negotiated algorithm identifiers. Cipher suites are identified in human readable form using a mnemonic code.
- cipher text n. 
See: ciphertext.
- ciphersystem n. 
ISO/IEC 2382-8:1998
A synonym for cryptographic system.
- ciphertext n. 
ISO/IEC 2382-8:1998
Data produced through the use of encryption, the semantic content of which is not available without the use of cryptographic techniques.
RFC 2828 (2000)
(I) Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. (See: cleartext, plaintext.)
(O) “Data produced through the use of encipherment. The semantic content of the resulting data is not available.” [I7498 Part 2]
SC 27 SD 6 (2002)
ISO/IEC 9797-1: 1999, ISO/IEC 9798-1: 1997, ISO/IEC CD 10116 (12/2001), ISO/IEC WD 18033-1 (12/2001)
Data which has been transformed to hide its information content.
ISO 8372: 1987
cipher text
Enciphered information.
NIST IR 7298 (2006)
FIPS 197
Data output from the cipher or input to the inverse cipher.
SP 800-21 [2ndEd]
Data in its encrypted form.
- ciphertext-only attack n. 
ISO/IEC 2382-8:1998
An analytical attack in which a cryptanalyst possesses only ciphertext.
RFC 2828 (2000)
(I) A cryptanalysis technique in which the analyst tries to determine the key solely from knowledge of intercepted ciphertext (although the analyst may also know other clues, such as the cryptographic algorithm, the language in which the plaintext was written, the subject matter of the plaintext, and some probable plaintext words).
- CIPSO n. 
See: Common IP Security Option.
- civil identity n. 
“… the identity attributed to an individual by a State (e.g. represented by the social security number [or other SIN] or the combination of name, date of birth, and location of birth etc.).” – Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology 
- CKL n. 
See: compromised key list.
- claim n., vb.
SCA ISCTAG (2007)
An assertion by a subject about the value of an attribute.
JTC 1/SC 37 (2008)
An assertion of the truth of something.
Note: Definition source: Oxford dictionary.
Explicitly, a word to be used with respect to its natural language definition.
As a verb, to make such an assertion.
- claim of identity n. 
See: biometric claim.
- claimant n. 
iAfB-ICSA 1999
A person submitting a biometric sample for verification or identification whilst claiming a legitimate or false identity.
A claim of identity is made before biometric verification, but not at all for biometric identification. (See: biometric authentication.)
Note also that use of this term is not restricted to biometric authentication alone.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
An entity which is or represents a principal for the purposes of authentication. A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal.
NIST IR 7298 (2006)
FIPS 201
A party whose identity is to be verified using an authentication protocol.
FIPS 196
An entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard (claimant) can act on behalf of a human user (principal))
JTC 1/SC 37 (2008) – 3.4.1.6
Individual making a claim that can be verified biometrically.
Note: The claimant need not be the biometric data subject.
Note also that use of this term is not restricted to biometric verification alone.
NIST SP 800-63-1 DRAFT (2008)
A party whose identity is to be verified using an authentication protocol.
- claimed identity n.
JTC 1/SC 37 (2008) – 3.2.2.3.3.3
Biometric reference in a biometric enrolment database to which an assertion is made that a biometric capture subject is the source.
Note: Usually made in the first person.
Rather than the biometric reference as such, a claimed identity is surely the identity of the biometric data subject associated with the biometric reference…
- class n. 
SC 27 SD 6 (2002)
ISO/IEC 15408-1: 1999
A grouping of families that share a common focus.
- class 2, class 3, class 4, and class 5 n. 
RFC 2828 (2000)
(O) U.S. Department of Defense usage: Levels of PKI assurance based on risk and value of information to be protected [DOD3]:
  • Class 2: For handling low-value information (unclassified, not mission-critical, or low monetary value) or protection of system-high information in low-to medium-risk environment.
  • Class 3: For handling medium-value information in low-to medium-risk environment. Typically requires identification of a system entity as a legal person, rather than merely a member of an organization.
  • Class 4: For handling medium-to high-value information in any environment. Typically requires identification of an entity as a legal person, rather than merely a member of an organization, and a cryptographic hardware token for protection of keying material.
  • Class 5: For handling high-value information in a high-risk environment.
- classification, classification level n.  
1. (a property)
ISO/IEC 2382-8:1998
security classification
The determination of which specific degree of protection against access the data or information requires, together with a designation of that degree of protection. Examples: Top Secret, Secret, Confidential.
RFC 2828 (2000)
classification, classification level
(I) 1. A grouping of classified information to which a hierarchical, restrictive security label is applied to increase protection of the data. 2. The level of protection that is required to be applied to that information. (See: security level.)
2. (a process)
The systematic identification of the classification (or classification level) of data or information. (See: classified, classify.)
- classified adj. 
RFC 2828 (2000)
(I) Refers to information (stored or conveyed, in any form) that is formally required by a security policy to be given data confidentiality service and to be marked with a security label (which in some cases might be implicit) to indicate its protected status. (See: unclassified.)
(C) The term is mainly used in government, especially in the military, although the concept underlying the term also applies outside government. In the U.S. Department of Defense, for example, it means information that has been determined pursuant to Executive Order 12958 (Classified National Security Information, 20 April 1995) or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
The general English usage of classified is “arranged according to some system of classification” [CED3e], so any data or information that has been assigned a classification (or classification level) can be said to be classified, even if the assigned classification is, say, Public.
- classified information n. 
NIST IR 7298 (2006)
SP 800-60; E.O. 13292
Information that has been determined pursuant to Executive Order (E.O.) 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- classify vb.  
To systematically identify the classification (or classification level) of data or information.
- clean system n. 
RFC 2828 (2000)
(I) A computer system in which the operating system and application system software and files have just been freshly installed from trusted software distribution media.
(C) A clean system is not necessarily in a secure state.
- clearance n. 
See: security clearance.
- clearance level n. 
RFC 2828 (2000)
(I) The security level of information to which a security clearance authorizes a person to have access.
- clearing n. 
ISO/IEC 2382-8:1998
Overwriting classified data on a data medium that has a particular security classification and security category, so that this data medium may be reused for writing at the same security classification and security category.
- cleartext n. 
ISO/IEC 2382-8:1998
plaintext, cleartext
Data, the semantic content of which is available without using cryptographic techniques.
RFC 2828 (2000)
(I) Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available. (See: plaintext.)
(O) “Intelligible data, the semantic content of which is available.” [I7498 Part 2]
(D) ISDs SHOULD NOT use this term as a synonym for plaintext, the input to an encryption operation, because the plaintext input to encryption may itself be ciphertext that was output from another operation. (See: superencryption.)
SC 27 SD 6 (2002)
Alternative term for plaintext. [ISO/IEC WD 18033-1 (12/2001)] (But see comment in RFC 2828, above.)
- client n. 
RFC 2828 (2000)
(I) A system entity that requests and uses a service provided by another system entity, called a server.
(C) Usually, the requesting entity is a computer process, and it makes the request on behalf of a human user. In some cases, the server may itself be a client of some other server.
NIST IR 7298 (2006)
SP 800-32
client (application)
A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.
- Clinger-Cohen Act of 1996 n. 
NIST IR 7298 (2006)
SP 800-64
Also known as Information Technology Management Reform Act. A statute that substantially revised the way that IT resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments.
- CLIPPER chip n. 
RFC 2828 (2000)
(N) The Mykotronx, Inc. MYK-82, an integrated microcircuit with a cryptographic processor that implements the SKIPJACK encryption algorithm and supports key escrow. (See: CAPSTONE chip , Escrowed Encryption Standard.)
(C) The key escrow scheme for a chip involves a SKIPJACK key common to all chips that protects the unique serial number of the chip, and a second SKIPJACK key unique to the chip that protects all data encrypted by the chip. The second key is escrowed as split key components held by NIST and the U.S. Treasury Department.
- cloning n.
SCA ISCTAG (2007)
The process of creating an identical copy of something.
- closed security environment n. 
ISO/IEC 2382-8:1998
closed-security environment
An environment in which special attention is paid (in the form of authorizations, security clearances, configuration controls, etc.) to protect data and resources from accidental or malicious acts.
RFC 2828 (2000)
(O) U.S. Department of Defense usage: A system environment that meets both of the following conditions:
  • (a) Application developers (including maintainers) have sufficient clearances and authorizations to provide an acceptable presumption that they have not introduced malicious logic.
  • (b) Configuration control provides sufficient assurance that system applications and the equipment they run on are protected against the introduction of malicious logic prior to and during the operation of applications. [NCS04]
(See: open security environment.)
- closed-set identification n. 
iAfB-ICSA 1999
When an unidentified end-user is known to be enrolled in the biometric system.
This definition is inconsistent with the following.
JTC 1/SC 37 (2006⇒2008)
closed-set identification (biometric application)
Application that ranks the biometric references in the biometric enrolment database in order of decreasing similarity against a probe biometric sample.
Note 1: Closed-set identification always returns a non-empty candidate list.
Note 2: Closed-set identification is rarely used within practical systems, but is often used experimentally.
- CMOS n. 
See: complementary metal oxide semiconductor.
- code n. 
RFC 2828 (2000)
(I) A system of symbols used to represent information, which might originally have some other representation. (See: encode.)
(D) ISDs SHOULD NOT use this term as a synonym for the following:
(D) ISDs SHOULD NOT use this word as an abbreviation for the following terms: country code, cyclic redundancy code, Data Authentication Code, error detection code, Message Authentication Code, object code, or source code. To avoid misunderstanding, use the fully qualified term, at least at the point of first usage.
- cold site n. 
ISO/IEC 2382-8:1998
cold site, shell site
A facility with at least the equipment necessary to support the installation and operation of an alternative data processing system.
NIST IR 7298 (2006)
SP 800-34
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.
- collision n. 
NIST IR 7298 (2006)
SP 800-57
Two or more distinct inputs produce the same output.
- collision-resistant hash-function n. 
SC 27 SD 6 (2002)
ISO/IEC 10118-1: 2000, ISO/IEC 9796-3: 2000, ISO/IEC 14888-1: 1998, ISO/IEC WD 15946-4 (10/2001)
A hash function satisfying the following property:
  • it is computationally infeasible to find any two distinct inputs which map to the same output.
Note: Computational feasibility depends on the specific security requirements and environment.
ISO/IEC FDIS 9796-2 (12/2001), ISO/IEC FDIS 9797-2 (09/2000)
Hash-function satisfying the following property.
  • It is computationally infeasible to find any two distinct inputs which map to the same output.
- color change n. 
RFC 2828 (2000)
(I) In a system that is being operated in periods processing mode, the act of purging all information from one processing period and then changing over to the next processing period.
- Common Biometric Exchange File Format n. 
“CBEFF describes a set of data elements necessary to support biometric technologies in a common way.
“CBEFF features:
  1. Facilitates biometric data interchange between different system components or between systems
  2. Promotes interoperability of biometric-based application programs and systems
  3. Provides forward compatibility for technology improvements
  4. Simplifies the software and hardware integration process
“The data described by CBEFF includes:
  1. Security (Digital Signatures and Data Encryption)
  2. Processing information (identification of Biometric Type and information about the Biometric Sample)
  3. Biometric data
“These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. CBEFF provides forward compatibility accommodating for technology improvements and allows for new formats to be created. CBEFF implementations simplify integration of software and hardware provided by different vendors.”
See: Common Biometric Exchange File Format
- Common Criteria for Information Technology Security (Common Criteria) n. 
RFC 2828 (2000)
(N) The Common Criteria is a standard for evaluating information technology products and systems, such as operating systems, computer networks, distributed systems, and applications. It states requirements for security functions and for assurance measures. [CCIB]
(C) Canada, France, Germany, the Netherlands, the United Kingdom, and the United States (NIST and NSA) began developing this standard in 1993, based on the European ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), and the U.S. Federal Criteria for Information Technology Security (FC) and its precursor, the TCSEC. Work was done in cooperation with ISO/IEC Joint Technical Committee 1 (Information Technology), Subcommittee 27 (Security Techniques), Working Group 3 (Security Criteria). Version 2.1 of the Criteria is equivalent to ISO’s International Standard 15408 [I15408]. The U.S. Government intends that this standard eventually will supersede both the TCSEC and FIPS PUB 140-1. (See: NIAP.)
(C) The standard addresses data confidentiality, data integrity, and availability and may apply to other aspects of security. It focuses on threats to information arising from human activities, malicious or otherwise, but may apply to non-human threats. It applies to security measures implemented in hardware, firmware, or software. It does not apply to (a) administrative security not related directly to technical security, (b) technical physical aspects of security such as electromagnetic emanation control, (c) evaluation methodology or administrative and legal framework under which the criteria may be applied, (d) procedures for use of evaluation results, or (e) assessment of inherent qualities of cryptographic algorithms.
- Common IP Security Option (CIPSO) n. 
See: (secondary definition under) Internet Protocol Security Option.
- common name n. 
RFC 2828 (2000)
(I) A character string that (a) may be a part of the X.500 DN of a Directory object (commonName attribute), (b) is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization), and (c) conforms to the naming conventions of the country or culture with which it is associated. [X520] (See: (subject and issuer under) X.509 public-key certificate.)
(C) For example, Dr. E. F. Moore, The United Nations, or 12th Floor Laser Printer.
- common security control n. 
NIST IR 7298 (2006)
SP 800-53; FIPS 200
Security control that can be applied to one or more agency information systems and has the following properties:
  1. the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and
  2. the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.
- Common Vulnerabilities and Exposures (CVE) n. 
NIST IR 7298 (2006)
SP 800-51
A dictionary of common names for publicly known IT system vulnerabilities.
CVE is a list of standardized names for vulnerabilities and other information security exposures.
The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools by standardizing the names for all publicly known vulnerabilities and security exposures. But while CVE may make it easier to search for information in other databases, CVE is not itself a vulnerability database.
The content of CVE is a result of a collaborative effort of the CVE Editorial Board, which includes representatives from many security-related organizations. The MITRE Corporation maintains CVE and moderates Editorial Board discussions.
See: Common Vulnerabilities and Exposures
- communication security, communications security, COMSEC n. 
ISO/IEC 2382-8:1998
Computer security applied to data communication.
RFC 2828 (2000)
(I) Measures that implement and assure security services in a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities.
(C) Usually understood to include cryptographic algorithms and key management methods and processes, devices that implement them, and the life cycle management of keying material and devices.
- community string n. 
RFC 2828 (2000)
(I) A community name in the form of an octet string that serves as a cleartext password in SNMP version 1. [R1157]
- compare vb., - comparison n. 
While match (vb.) and matching (n.) are commonly used as synonyms for compare and comparison, JTC 1/SC 37 (2006⇒2008) deprecates this usage; match (n.) is used for a comparison decision that probe data and reference data are from the same source.
iAfB-ICSA 1999
comparison
The process of comparing a biometric sample with a previously stored reference template or templates. See also one-to-many and one-to-one under biometric authentication.
match/matching
The process of comparing a biometric sample against a previously stored template and scoring the level of similarity. An accept or reject decision is then based upon whether this score exceeds the given threshold.
Note: It is the biometric features derived from the sample, not the sample itself, that is directly compared with the biometric template.
BEM 2002
comparison
The process of comparing biometric data with a previously stored reference template (or templates).
NIST IR 7298 (2006)
FIPS 201
comparison
The process of comparing a biometric with a previously stored reference template or templates.
FIPS 201
match/matching
The process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.
JTC 1/SC 37 (2006⇒2008)
comparison
match / matching (n.) (deprecated as a synonym for comparison)
Estimation, calculation or measurement of similarity or dissimilarity between recognition biometric sample(s) / biometric features / biometric models biometric probes and biometric reference(s).
Note 1: Compare (vb.) – estimate, measure or note the similarity or dissimilarity between.
Note 2: Match (vb.) is deprecated as a synonym to compare (vb.).
SCA ISCTAG (2007)
match/matching (n.)
The process of comparing biometric information against previously stored biometric data and scoring the level of similarity.
- comparison decision n. 
JTC 1/SC 37 (2006⇒2008)
Determination of whether the recognition probe biometric sample(s) and biometric reference(s) have the same biometric source, based on a comparison score(s), a decision policy(ies) including a threshold, and possibly other inputs.
Note 1: A match is a positive comparison decision.
Note 2: A non-match is a negative comparison decision.
Note 3: A decision of "undetermined" may sometimes be given.
- comparison score n. 
iAfB-ICSA 1999
score
The level of similarity from comparing a biometric sample against a previously stored template.
It is the biometric data derived from the sample, not the sample itself, that is directly compared with the (reference) template.
BEM 2002
matching score
A measure of similarity or dissimilarity between the biometric data and a stored template, used in the comparison process.
JTC 1/SC 37 (2006⇒2008)
comparison score; matching score (deprecated)
Numerical value (or set of values) resulting from a comparison.
Note: Higher is not meant to mean more similar.
See: distance score (higher means less similar), similarity score (higher does mean more similar).
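The two entries above (comparison decision, comparison score) describe a decision policy that turns a numeric score into match / non-match / undetermined, with the caveat that a higher score need not mean more similar. The following added example, written for this glossary and not taken from any of the cited standards, encodes such a policy: a threshold, a flag saying whether the score is a similarity or a distance score, and an optional margin around the threshold that yields the "undetermined" outcome. The policies, reference identifiers and scores are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """Outcomes listed under 'comparison decision' above."""
    MATCH = "match"                # positive comparison decision
    NON_MATCH = "non-match"        # negative comparison decision
    UNDETERMINED = "undetermined"  # score too close to the threshold to decide


@dataclass(frozen=True)
class DecisionPolicy:
    """A minimal decision policy: a threshold plus the meaning of the score.

    higher_is_more_similar=True  -> the score is a similarity score
    higher_is_more_similar=False -> the score is a distance score
    margin: half-width of an 'undetermined' band around the threshold
            (0.0 means every comparison yields match or non-match).
    """
    threshold: float
    higher_is_more_similar: bool
    margin: float = 0.0

    def decide(self, score: float) -> Decision:
        # Flip distance scores so that, internally, larger always means more similar.
        sign = 1.0 if self.higher_is_more_similar else -1.0
        s = sign * score
        t = sign * self.threshold
        if s >= t + self.margin:
            return Decision.MATCH
        if s < t - self.margin:
            return Decision.NON_MATCH
        return Decision.UNDETERMINED


def decide_candidates(policy: DecisionPolicy, candidate_scores: dict) -> list:
    """Apply the policy to a candidate list ({reference_id: comparison score})
    and return (reference_id, score, decision) tuples ranked most-similar first."""
    ranked = sorted(candidate_scores.items(),
                    key=lambda kv: kv[1],
                    reverse=policy.higher_is_more_similar)
    return [(ref_id, score, policy.decide(score)) for ref_id, score in ranked]


# Constructed sample data: one similarity-score system and one distance-score system.
SIMILARITY_POLICY = DecisionPolicy(threshold=0.80, higher_is_more_similar=True, margin=0.05)
DISTANCE_POLICY = DecisionPolicy(threshold=10.0, higher_is_more_similar=False, margin=1.0)
SIMILARITY_CANDIDATES = {"ref-17": 0.91, "ref-42": 0.82, "ref-03": 0.40}
DISTANCE_CANDIDATES = {"ref-17": 4.0, "ref-42": 9.5, "ref-03": 25.0}

if __name__ == "__main__":
    for policy, cands in ((SIMILARITY_POLICY, SIMILARITY_CANDIDATES),
                          (DISTANCE_POLICY, DISTANCE_CANDIDATES)):
        for ref_id, score, decision in decide_candidates(policy, cands):
            print(f"{ref_id}: score={score} -> {decision.value}")
```

Because the policy normalises distance scores internally, the same decision logic serves both kinds of score; a system that stored only the raw number without recording which kind it is could not make a correct decision, which is the point of the note above.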
- compartment n. 
RFC 2828 (2000)
(I) A grouping of sensitive information items that require special access controls beyond those normally provided for the basic classification level of the information. (See: category.)
(C) The term is usually understood to include the special handling procedures to be used for the information.
- compartmentalization n. 
ISO/IEC 2382-8:1998
A division of data into isolated blocks with separate security controls for the purpose of reducing risk. Example: The division of data relative to a major project into blocks corresponding to subprojects, each with its own security protection, in order to limit exposure of the overall project.
- compensating controls, - compensating security controls n. 
NIST IR 7298 (2006)
FIPS 200
compensating controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security control baselines, that provide equivalent or comparable protection for an information system.
SP 800-53
compensating security controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.
- complementary metal oxide semiconductor (CMOS) n. 
iAfB-ICSA 1999
A type of integrated circuit used by some biometric systems because of its low power consumption.
- component n. 
SC 27 SD 6 (2002)
ISO/IEC 15408-1: 1999
The smallest selectable set of elements that may be included in a PP, an ST, or a package.
SCA ISCTAG (2007)
An element of a larger system. In the FIPS 201 context, a component can be an identity card, PIV issuer, PIV registrar, card reader, or identity verification support, within the PIV system.
- compromise n. 
ISO/IEC 2382-8:1998
A violation of computer security whereby programs or data may have been modified, destroyed, or made available to unauthorized entities.
RFC 2828 (2000)
data compromise
(I) A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information may have occurred. (See: system compromise.)
security compromise
(I) A security violation in which a system resource is exposed, or is potentially exposed, to unauthorized access. (See: data compromise, violation.)
NIST IR 7298 (2006)
SP 800-32
Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
FIPS 140-2
The unauthorized disclosure, modification, substitution or use of sensitive data (including plaintext cryptographic keys and other critical security parameters).
- compromising emanation n. 
See: emanation.
- compromised key list (CKL) n. 
RFC 2828 (2000)
(O) MISSI usage: A list that identifies keys for which unauthorized disclosure or alteration may have occurred. (See: compromise.)
(C) A CKL is issued by a CA, like a CRL is issued. But a CKL lists only KMIDs, not subjects that hold the keys, and not certificates in which the keys are bound.
- COMPUSEC n. 
See: computer security.
- computer abuse n. 
ISO/IEC 2382-8:1998
A willful or negligent unauthorized activity that affects the computer security of a data processing system.
- computer crime n. 
ISO/IEC 2382-8:1998
A crime committed with the aid of, or directly involving, a data processing system or computer network. Note: This is a revised version of the definition in ISO/IEC 2382-1:1993.
- computer emergency response team (CERT) n. 
RFC 2828 (2000)
(I) An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security. (See: CSIRT, security incident.)
(C) For example, the CERT Coordination Center at Carnegie-Mellon University (sometimes called the CERT) and the Computer Incident Advisory Capability.
- computer forensics n. 
NIST IR 7298 (2006)
SP 800-61
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
- computer fraud n. 
ISO/IEC 2382-8:1998
A fraud committed with the aid of, or directly involving, a data processing system or computer network.
- Computer Incident Advisory Capability (CIAC) n. 
RFC 2828 (2000)
(N) A computer emergency response team in the U.S. Department of Energy.
- computer network n. 
RFC 2828 (2000)
(I) A collection of host computers together with the subnetwork or internetwork through which they can exchange data.
(C) This definition is intended to cover systems of all sizes and types, ranging from the complex Internet to a simple system composed of a personal computer dialing in as a remote terminal of another computer.
IAEG LIAF (2008)
network
An open communications medium, typically, the Internet, that is used to transport messages between the claimant and other parties.
NIST SP 800-63-1 DRAFT (2008)
network
An open communications medium, typically the Internet, that is used to transport messages between the claimant and other parties. Unless otherwise stated no assumptions are made about the security of the network; it is assumed to be open and subject to active attack (e.g., impersonation, man-in-the-middle, session hijacking…) and passive attack (e.g., eavesdropping) at any point between the parties (claimant, verifier, CSP or relying party).
- computer security, COMPUSEC n. 
ISO/IEC 2382-8:1998
The protection of data and resources from accidental or malicious acts, usually by taking appropriate actions. Note: Those acts may be modification, destruction, access, disclosure, or acquisition, if not authorized.
RFC 2828 (2000)
(I) Measures that implement and assure security services in a computer system, particularly those that assure access control service.
(C) Usually understood to include functions, features, and technical characteristics of computer hardware and software, especially operating systems.
- computer security incident n. 
NIST IR 7298 (2006)
SP 800-61
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
- computer security incident response team (CSIRT) n. 
RFC 2828 (2000)
(I) An organization “that coordinates and supports the response to security incidents that involve sites within a defined constituency.” [R2350] (See: CERT, FIRST, security incident.)
(C) To be considered a CSIRT, an organization must do as follows:
  • Provide a (secure) channel for receiving reports about suspected security incidents.
  • Provide assistance to members of its constituency in handling the incidents.
  • Disseminate incident-related information to its constituency and other involved parties.
NIST IR 7298 (2006)
SP 800-61
A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a computer incident response team (CIRT) or a CIRC (computer incident response center, computer incident response capability).
- computer security object n. 
RFC 2828 (2000)
(I) The definition or representation of a resource, tool, or mechanism used to maintain a condition of security in computerized environments. Includes many elements referred to in standards that are either selected or defined by separate user communities. [CSOR] (See: object identifier, Computer Security Objects Register.)
NIST IR 7298 (2006)
FIPS 188
A resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.
- computer security objects register n. 
NIST IR 7298 (2006)
FIPS 188
A collection of computer security object names and definitions kept by a registration authority [such as NIST’s CSOR, below].
- Computer Security Objects Register (CSOR) n. 
RFC 2828 (2000)
(N) A service operated by NIST is establishing a catalog for computer security objects to provide stable object definitions identified by unique names. The use of this register will enable the unambiguous specification of security parameters and algorithms to be used in secure data exchanges.
(C) The CSOR follows registration guidelines established by the international standards community and ANSI. Those guidelines establish minimum responsibilities for registration authorities and assign the top branches of an international registration hierarchy. Under that international registration hierarchy the CSOR is responsible for the allocation of unique identifiers under the branch {joint-iso-ccitt(2) country(16) us(840) gov(101) csor(3)}.
- computer-system audit n. 
ISO/IEC 2382-8:1998
An examination of the procedures used in a data processing system to evaluate their effectiveness and correctness, and to recommend improvements.
- computer virus n. 
See: virus.
- COMSEC n. 
See: communication security.
- condition n. 
OASIS XACML 2.0 (2005)
An expression of predicates. A function that evaluates to True, False or Indeterminate.
- confidence n. 
SC 27 SD 6 (2002)
ISO/IEC WD 15443-1 (11/2001)
A belief that a deliverable will perform in the way expected or claimed (i.e. properly, trustworthy, enforce security policy, reliably, effectively).
- confidence level n.
SCA ISCTAG (2007)
The degree of likelihood that an identifier refers to a specific individual.
- confidentiality n. 
ISO/IEC 2382-8:1998
The property of data that indicates the extent to which these data have not been made available or disclosed to unauthorized individuals, processes, or other entities.
RFC 2828 (2000)
data confidentiality
(I) “The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity].” [I7498 Part 2]. (See: data confidentiality service.)
(D) ISDs SHOULD NOT use this term as a synonym for privacy, which is a different concept.
SC 27 SD 6 (2002)
ISO/IEC PDTR 13335-1 (11/2001)
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
modonisIDM (2005)
Definition: Confidentiality refers to the state of keeping the content of information secret from all entities but those authorised to have access to it.
NIST IR 7298 (2006)
SP 800-53; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
FIPS 140-2
The property that sensitive information is not disclosed to unauthorized individuals, entities or processes.
- configuration control n. 
RFC 2828 (2000)
(I) The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system. (See: administrative security.)
(C) Configuration control helps protect against unauthorized or malicious alteration of a system and thus provides assurance of system integrity. (See: malicious logic.)
NIST IR 7298 (2006)
SP 800-53; CNSSI-4009
Process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications prior to, during, and after system implementation.
- confinement property n. 
See: (secondary definition under) Bell-LaPadula Model.
- congruence n. 
SC 27 SD 6 (2002)
ISO/IEC FCD 7064 (09/2000)
Property of a set of integers which differ from each other by a multiple of the modulus. Congruence is indicated by the symbol ≡. For example, 39 ≡ 6 (mod 11) indicates that 39 and 6 are congruent with respect to the modulus 11, i.e., 39 - 6 = 33, which is a multiple of 11.
- conjunctive sequence n. 
OASIS XACML 2.0 (2005)
A sequence of predicates combined using the logical AND operation.
- connectionless data integrity service n. 
RFC 2828 (2000)
(I) A security service that provides data integrity service for an individual IP datagram, by detecting modification of the datagram, without regard to the ordering of the datagram in a stream of datagrams.
(C) A connection-oriented data integrity service would be able to detect lost or reordered datagrams within a stream of datagrams.
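To make the distinction in this entry concrete, here is an added example (written for this glossary, not taken from RFC 2828) in Python. The connectionless service is a per-datagram HMAC-SHA256 tag: each datagram is verified on its own, so modification is detected but a lost or reordered datagram is not. The connection-oriented variant binds a sequence number under the same tag so the receiver can also report gaps and late or repeated datagrams. The key and the datagram contents are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by sender and receiver (not a real key).
DEMO_KEY = b"constructed-demo-key-00"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect_datagram(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Connectionless integrity: append an HMAC-SHA256 tag over this datagram only."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_datagram(datagram: bytes, key: bytes = DEMO_KEY):
    """Return the payload if the tag checks out, else None.
    Each datagram is judged on its own; ordering and gaps are invisible here."""
    if len(datagram) < TAG_LEN:
        return None
    payload, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


class SequencedSender:
    """Connection-oriented integrity: a 32-bit sequence number is bound under the tag."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.next_seq = 0

    def send(self, payload: bytes) -> bytes:
        header = struct.pack(">I", self.next_seq)
        self.next_seq += 1
        return protect_datagram(header + payload, self.key)


class SequencedReceiver:
    """Classifies each datagram as 'ok', 'modified', 'gap' (earlier datagrams
    lost or still in flight) or 'stale' (late reordered datagram or a repeat)."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.expected_seq = 0

    def receive(self, datagram: bytes):
        inner = verify_datagram(datagram, self.key)
        if inner is None or len(inner) < 4:
            return "modified", None
        seq = struct.unpack(">I", inner[:4])[0]
        payload = inner[4:]
        if seq == self.expected_seq:
            self.expected_seq += 1
            return "ok", payload
        if seq > self.expected_seq:
            self.expected_seq = seq + 1
            return "gap", payload
        return "stale", payload


def tamper(datagram: bytes) -> bytes:
    """Flip one bit of the first byte to simulate in-transit modification."""
    b = bytearray(datagram)
    b[0] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    sender, receiver = SequencedSender(), SequencedReceiver()
    d0, d1, d2 = sender.send(b"a"), sender.send(b"b"), sender.send(b"c")
    for d in (d0, d2, d1, tamper(d1)):      # deliver out of order, then a modified copy
        print(receiver.receive(d))
```

Note that the sequence number must sit under the tag: if it were appended outside the HMAC, an in-transit modification of the number would go undetected and the receiver's gap and stale reports would become meaningless.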
- connectivity n. 
SC 27 SD 6 (2002)
ISO/IEC 15408-1: 1999
The property of the TOE which allows interaction with IT entities external to the TOE. This includes exchange of data by wire or by wireless means, over any distance in any environment or configuration.
- contact smart card n.
SCA ISCTAG (2007)
A smart card that connects to the reading device through direct physical contact between the smart card chip and the smart card reader. (See ISO/IEC 7816.)
- contactless smart card n.
SCA ISCTAG (2007)
A smart card that communicates with a reader through a radio frequency interface.
- contamination n. 
ISO/IEC 2382-8:1998
contamination
The introduction of data of one security classification or security category into data of a lower security classification or different security category.
- context n. 
OASIS XACML 2.0 (2005)
The canonical representation of a decision request and an authorization decision.
modonisIDM (2005)
Definition: A context is a sphere of activity, a geographic region, a communication platform, an application, a logical or physical domain.
Practically, a context is only relevant in an interaction.
- context handler n. 
OASIS XACML 2.0 (2005)
The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
- contingency plan n. 
See also: disaster (recovery) plan.
ISO/IEC 2382-8:1998
contingency plan, disaster recovery plan
A plan for backup procedures, emergency response, and post-disaster recovery.
RFC 2828 (2000)
(I) A plan for emergency response, backup operations, and post-disaster recovery in a system as part of a security program to ensure availability of critical system resources and facilitate continuity of operations in a crisis. [NCS04] (See: availability.)
NIST IR 7298 (2006)
SP 800-34
Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.
- contingency procedure n. 
ISO/IEC 2382-8:1998
A procedure that is an alternative to the normal path of a process if an unusual but anticipated situation occurs.
- continuity of operations plan (COOP) n. 
NIST IR 7298 (2006)
SP 800-34
A predetermined set of instructions or procedures that describe how an organization’s essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.
See also: business continuity plan.
- continuity of support plan n. 
NIST IR 7298 (2006)
SP 800-34
The documentation of a predetermined set of instructions or procedures mandated by Office of Management and Budget (OMB) A-130 that describe how to sustain major applications and general support systems in the event of a significant disruption.
See also: business continuity plan.
- control n. 
SC 27 SD 6 (2002)
ISO/IEC PDTR 13335-1 (11/2001)
In the context of information technology security, the term control is normally considered to be synonymous with safeguard. [See security control.]
- control information n. 
NIST IR 7298 (2006)
FIPS 140-2
Information that is entered into a cryptographic module for the purposes of directing the operation of the module.
- control panel n.
SCA ISCTAG (2007)
The physical access control system component that connects to all door readers, door locks and the access control server. The control panel validates the reader and accepts data. Depending on the overall system design, the control panel may next send the data to the access control server or may have enough local intelligence to determine the user’s rights and make the final access authorization. The control panel can be called the controller or panel.
- control point n.
SCA ISCTAG (2007)
Any device which is controlled by a physical access control system (for example, doors, turnstiles, gates, lights, cameras, elevators). There may be multiple control points for a single access requirement.
- controlled access system (CAS) n. 
See: physical access control system.
- controlled interface n. 
NIST IR 7298 (2006)
SP 800-53; FIPS 200; CNSSI-4009
Mechanism that facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system).
- controlled security mode n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term. It was defined in an earlier version of the U.S. Department of Defense policy that regulates system accreditation, but was subsumed by partitioned security mode in the current version. [DOD2]
(C) The term refers to a mode of operation of an information system, wherein at least some users with access to the system have neither a security clearance nor a need-to-know for all classified material contained in the system. However, separation and control of users and classified material on the basis, respectively, of clearance and classification level are not essentially under operating system control like they are in multilevel security mode.
(C) Controlled mode was intended to encourage ingenuity in meeting the security requirements of Defense policy in ways less restrictive than dedicated security mode and system high security mode, but at a level of risk lower than that generally associated with the true multilevel security mode. This was to be accomplished by implementation of explicit augmenting measures to reduce or remove a substantial measure of system software vulnerability together with specific limitation of the security clearance levels of users permitted concurrent access to the system.
- cookie n. 
RFC 2828 (2000)
(I) access control usage: A synonym for capability or ticket in an access control system.
(I) IPsec usage: Data exchanged by ISAKMP to prevent certain denial-of-service attacks during the establishment of a security association.
(I) HTTP usage: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.
(C) An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections. A cookie may include a description of the range of URLs for which the state is valid. Future requests made by the client in that range will also send the current value of the cookie to the server. Cookies can be used to generate profiles of web usage habits, and thus may infringe on personal privacy.
NIST IR 7298 (2006)
SP 800-46
A piece of information supplied by a web server to a browser, along with requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests.
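The RFC 2828 comment above says a cookie "may include a description of the range of URLs for which the state is valid" and that later requests in that range send it back. The following added example (written for this glossary; not from RFC 2828 or any browser's code) is a minimal client-side cookie store that applies that scoping: the domain-match and path-match rules of RFC 6265, simplified to omit expiry, public-suffix checks and the HttpOnly/SameSite attributes, plus the Secure attribute that restricts a cookie to https. Cookie names, values and hostnames are constructed sample data.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Minimal client-side store deciding which cookies accompany a request.
    Scope rules follow RFC 6265 domain-match and path-match, simplified:
    no expiry, no public-suffix check, no HttpOnly/SameSite handling."""

    def __init__(self):
        self._cookies = []

    def set_cookie(self, name, value, domain, path="/", secure=False):
        self._cookies.append({"name": name, "value": value,
                              "domain": domain.lower().lstrip("."),
                              "path": path, "secure": secure})

    @staticmethod
    def domain_matches(host: str, cookie_domain: str) -> bool:
        # Host equals the cookie domain or is a subdomain of it.
        host = host.lower()
        return host == cookie_domain or host.endswith("." + cookie_domain)

    @staticmethod
    def path_matches(request_path: str, cookie_path: str) -> bool:
        if request_path == cookie_path:
            return True
        if not request_path.startswith(cookie_path):
            return False
        # A prefix match counts only on a path-segment boundary, so a cookie
        # scoped to /app is not sent for /application.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

    def cookies_for(self, url: str) -> dict:
        """Return {name: value} for the cookies that would be sent with a request to url."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        path = parts.path or "/"
        is_https = parts.scheme == "https"
        result = {}
        for c in self._cookies:
            if c["secure"] and not is_https:
                continue
            if not self.domain_matches(host, c["domain"]):
                continue
            if not self.path_matches(path, c["path"]):
                continue
            result[c["name"]] = c["value"]
        return result


def demo_jar() -> CookieJar:
    """Constructed sample: a Secure session cookie scoped to /app and a site-wide preference."""
    jar = CookieJar()
    jar.set_cookie("session", "s3cr3t-demo", domain="example.com", path="/app", secure=True)
    jar.set_cookie("prefs", "dark", domain="example.com", path="/")
    return jar


if __name__ == "__main__":
    jar = demo_jar()
    for url in ("https://example.com/app/page", "https://example.com/application",
                "http://example.com/app/page", "https://sub.example.com/app",
                "https://example.com.evil.test/app"):
        print(url, "->", jar.cookies_for(url))
```

The last two sample URLs show why the scope rules matter for the privacy concern the entry raises: a cookie set for example.com travels to its subdomains, but the suffix rule requires a dot boundary, so an unrelated host whose name merely starts with the same string receives nothing.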
- Coordinated Universal Time (UTC) n. 
RFC 2828 (2000)
(N) UTC is derived from International Atomic Time (TAI) by adding a number of leap seconds. The International Bureau of Weights and Measures computes TAI once each month by averaging data from many laboratories. (See: GeneralizedTime, UTCTime.)
- copy n. 
See: token copy.
- copy protection n. 
ISO/IEC 2382-8:1998
The use of special techniques to detect or prevent the unauthorized copying of data, software, or firmware.
- correctness integrity n. 
RFC 2828 (2000)
(I) Accuracy and consistency of the information that data values represent, rather than of the data itself. Closely related to issues of accountability and error handling. (See: data integrity, source integrity.)
- correctness proof n. 
RFC 2828 (2000)
(I) A mathematical proof of consistency between a specification for system security and the implementation of that specification. (See: formal specification.)
- corroboration n.
modonisIDM (2005)
Definition: Corroboration is the confirmation by provision of sufficient evidence and examination thereof that specified requirements have been fulfilled.
The term “verification” is often used as a synonym of corroboration. However, this term is somewhat more dubious, as it is also occasionally used as a synonym of authentication (either entity authentication or data authentication). For this reason, “corroboration” should be preferred over “verification”.
“Sufficient evidence” is determined by the identity management system. It is possible that the amount of evidence required is (virtually) non-existent or holds (virtually) no legal value, e.g., a simple set of claims (e.g., claiming to have a certain name or address).
- counter n. 
SC 27 SD 6 (2002)
ISO/IEC CD 10116 (12/2001)
A bit array of length n bits which is used in the Counter Mode; its value when considered as the binary representation of an integer increases by one (modulo 2^n) after each block of plaintext is processed.
- counter with cipher block chaining-message authentication code (CCM) n. 
NIST IR 7298 (2006)
SP 800-38C
A mode of operation for a symmetric key block cipher algorithm. It combines the techniques of the counter (CTR) mode and the cipher block chaining-message authentication code (CBC-MAC) algorithm to provide assurance of the confidentiality and the authenticity of computer data.
- countermeasure n. 
See: security control.
- country code n. 
RFC 2828 (2000)
(I) An identifier that is defined for a nation by ISO. [I3166]
(C) For each nation, ISO Standard 3166 defines a unique two-character alphabetic code, a unique three-character alphabetic code, and a three-digit code. Among many uses of these codes, the two-character codes are used as top-level domain names.
- covert channel n. 
ISO/IEC 2382-8:1998
A transmission channel that may be used to transfer data in a manner that violates security policy.
RFC 2828 (2000)
(I) An intra-system channel that permits two cooperating entities, without exceeding their access authorizations, to transfer information in a way that violates the system’s security policy. (See: channel, out of band.)
(O) “A communications channel that allows two cooperating processes to transfer information in a manner that violates the system’s security policy.” [NCS04]
(C) The cooperating entities can be either two insiders or an insider and an outsider. Of course, an outsider has no access authorization at all. A covert channel is a system feature that the system architects neither designed nor intended for information transfer:
  • timing channel: A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity.
  • storage channel: A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity.
- CPS n. 
See: certification practice statement.
- cracker n. 
RFC 2828 (2000)
(I) Someone who tries to break the security of, and gain access to, someone else’s system without being invited to do so. (See: hacker and intruder.)
- CRAM n. 
See: Challenge-Response Authentication Mechanism.
- CRC n. 
See: cyclic redundancy check.
- credential, - credentials n. 
ISO/IEC 2382-8:1998
Data that are transferred to establish the claimed identity of an entity.
RFC 2828 (2000)
(I) Data that is transferred or presented to establish either a claimed identity or the authorizations of a system entity. (See: authentication information, capability, ticket.)
(O) “Data that is transferred to establish the claimed identity of an entity.” [I7498 Part 2]
OASIS SAML 2.0 (2005)
Data that is transferred to establish a claimed principal identity. [X.800] [SAMLAgree]
modonisIDM (2005)
Definition: A credential is a piece of information attesting to the integrity of certain stated facts.
Credentials are primarily used in the process of entity authentication, and are then often incorporated in an authentication token, e.g., a smart card, bank card, mobile phone, etc.
Note that credentials are not always integrated into a token: in certain systems, a password might function as a credential, despite the lack of a medium carrying the information. Certificates are a common type of credential in a PKI system, where they often take the form of so-called attribute certificates: a credential attesting to the integrity of one or more attribute values with identification information about the corresponding entity.
Credentials are typically revocable.
The examples here seem at odds with the Modonis-IBM definition of an assertion being synonymous with a credential… See discussion below.
NIST IR 7298 (2006)
FIPS 201
Evidence attesting to one’s right to credit or authority.
SCA ISCTAG (2007)
  1. Evidence attesting to one’s rights, privileges or evidence of authority.
  2. In FIPS 201, the PIV card and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual. A smart card can store multiple digital credentials.
IAEG LIAF (2008)
An object to be verified when presented in an authentication transaction.
A credential can be bound in some way to the individual to whom it was issued, or it can be a bearer credential.
Electronic credentials are digital documents that bind an identity or an attribute to a subscriber’s token.
electronic credentials
Digital documents used in authentication that bind an identity or an attribute to a subscriber’s token.
NIST SP 800-63-1 DRAFT (2008)
credential
An object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.
electronic credentials
Digital documents used in authentication that bind an identity or an attribute to a subscriber’s token.
Note that this document distinguishes between credentials and tokens (see below), while other documents may interchange these terms.
The older definitions that state that credentials are “data that are transferred to establish the claimed identity” make credentials almost synonymous with authentication information: “information used to verify an identity claimed by or for an entity”. This is consistent with real-world experience, where a person presents the credentials they have been issued with as evidence of their identity, trustworthiness, competence and so on.
But such a credential is incompatible with the modonisIDM comment that credentials “are … often incorporated in an authentication token”. In all but simple knowledge-based authentication methods, what’s known to or held by the user is different from what is transferred as evidence of the claimed identity. This is a design goal of a good user authentication method: to prove the user’s possession (in a very broad sense) of such evidence without revealing the evidence itself, thus making it harder for the evidence to be discovered, copied and later used by a potential attacker.
For example: The unique, personal seed value in an RSA SecurID token is different from the OTP that RSA Authentication Manager (formerly ACE/Server) bases its authentication decision on. The OTP is derived from the seed value, and thus demonstrates possession of the token, without revealing the seed value. (Essentially each OTP is a clock-based message authentication code, so it is computationally infeasible to derive the seed value from an analysis of successive OTPs.)
Thus, my preference is to use credential in the narrow sense of the thing known to, held by or inherent to the user from which the authentication information is derived. A credential is what is issued to, registered by or otherwise associated with the user as evidence of his or her (claimed) identity.
This still leaves some ambiguity. In X.509 authentication, the “seed” is the private key… but it is still natural to talk about the public key and the public-key certificate, which are not necessarily held by only the user, as credentials.
An unambiguous term for my narrow sense of credential seems preferable, but a natural alternative remains elusive…
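The SecurID example above, worked through in code: an added illustration (not from the glossary or from RSA) of a clock-based OTP in which the seed stays inside the token and only a truncated MAC of the clock step is transferred; the step length, digit count, token identifiers and seed value are constructed assumptions.

```python
"""Added example: credential (seed) vs. authentication information (OTP).

The seed is the credential in the narrow sense: issued to the user, held in the
token, never transmitted. The OTP is the authentication information: derived from
the seed and the clock, transmitted, and useless for recovering the seed.
"""
import hashlib
import hmac
import secrets
import struct

OTP_DIGITS = 8            # assumption: 8-digit codes
TIME_STEP_SECONDS = 60    # assumption: one-minute clock step


def new_seed() -> bytes:
    """Per-token seed, generated at issuance and shared only with the verifier."""
    return secrets.token_bytes(32)


def step_for_time(unix_time: float) -> int:
    """Map wall-clock time to the clock step the OTP is bound to."""
    return int(unix_time // TIME_STEP_SECONDS)


def otp_for_step(seed: bytes, step: int) -> str:
    """OTP = truncated HMAC-SHA-256(seed, step): a clock-based message
    authentication code. Inverting it to obtain the seed is infeasible."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226: low nibble picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class Verifier:
    """Server side: holds a copy of each token's seed, tolerates a small clock
    drift window, and never accepts a step at or before the last one used
    (so a captured OTP cannot be replayed)."""

    def __init__(self, window: int = 1):
        self.seeds: dict[str, bytes] = {}
        self.last_step: dict[str, int] = {}
        self.window = window

    def register(self, token_id: str, seed: bytes) -> None:
        self.seeds[token_id] = seed
        self.last_step[token_id] = -1

    def verify(self, token_id: str, code: str, unix_time: float) -> bool:
        seed = self.seeds.get(token_id)
        if seed is None:
            return False
        now = step_for_time(unix_time)
        for step in range(now - self.window, now + self.window + 1):
            if step <= self.last_step[token_id]:
                continue  # replay or stale step: refuse
            if hmac.compare_digest(otp_for_step(seed, step), code):
                self.last_step[token_id] = step
                return True
        return False


if __name__ == "__main__":
    seed = new_seed()
    v = Verifier()
    v.register("token-1", seed)
    t = 1_700_000_000
    code = otp_for_step(seed, step_for_time(t))   # only this crosses the wire
    print(code, v.verify("token-1", code, t), v.verify("token-1", code, t))
```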
- credential management n.
IAEG LIAF (2008)
A service that supports the lifecycle of identity credentials from issuance to revocation, including renewal, status checks and authentication services.
- credential service n.
IAEG LIAF (2008)
A type of electronic trust service that supports the verification of identities (identity proofing), the issuance of identity-related assertions/credentials/tokens, and the subsequent management of those credentials (for example, renewal, revocation and the provision of related status and authentication services).
- credential service provider (CSP) n. 
IAEG LIAF (2008)
An electronic trust service provider that operates one or more credential services.
A CSP can include a registration authority.
NIST SP 800-63-1 DRAFT (2008)
A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass registration authorities and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
- critical adj. 
RFC 2828 (2000)
(I) of a system resource: A condition of a service or other system resource such that denial of access to (i.e., lack of availability of) that resource would jeopardize a system user’s ability to perform a primary function or would result in other serious consequences. (See: availability, sensitive.)
(N) of an X.509 certificate extension: Each extension of an X.509 certificate (or CRL) is marked as being either critical or non-critical. If an extension is critical and a certificate user (or CRL user) does not recognize the extension type or does not implement its semantics, then the user is required to treat the certificate (or CRL) as invalid. If an extension is non-critical, a user that does not recognize or implement that extension type is permitted to ignore the extension and process the rest of the certificate (or CRL).
- critical security parameter n. 
NIST IR 7298 (2006)
FIPS 140-2
Security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and personal identification numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module.
- criticality level n. 
NIST IR 7298 (2006)
SP 800-60
Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.
- CRL n. 
See: certificate revocation list.
- CRL distribution point n. 
See: distribution point.
- CRL extension n. 
See: extension.
- cross-certificate n. 
See: cross-certification.
- cross-certification n. 
RFC 2828 (2000)
(I) The act or process by which two CAs each certify a public key of the other, issuing a public-key certificate to that other CA.
(C) Cross-certification enables users to validate each other’s certificate when the users are certified under different certification hierarchies.
NIST IR 7298 (2006)
SP 800-32
A certificate used to establish a trust relationship between two certification authorities.
- crossover error rate n. 
iAfB-ICSA 1999
Synonym for equal error rate.
- cryptanalysis n. 
ISO/IEC 2382-8:1998
The analysis of a cryptographic system, its inputs or outputs, or both, to derive sensitive information, such as plaintext.
analytical attack, cryptanalytical attack
An attempt to break a code [sic] or to find a cryptographic key using analytical methods. Examples: A statistical analysis of patterns; a search for flaws in an encryption algorithm. Note: Contrast with exhaustive attack.
RFC 2828 (2000)
(I) The mathematical science that deals with analysis of a cryptographic system in order to gain knowledge needed to break or circumvent the protection that the system is designed to provide. (See: cryptology.)
(O) “The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext.” [I7498 Part 2]
(C) The “O” definition states the traditional goal of cryptanalysis – convert the ciphertext to plaintext (which usually is cleartext) without knowing the key – but that definition applies only to encryption systems. Today, the term is used with reference to all kinds of cryptographic algorithms and key management, and the “I” definition reflects that. In all cases, however, a cryptanalyst tries to uncover or reproduce someone else’s sensitive data, such as cleartext, a key, or an algorithm. The basic cryptanalytic attacks on encryption systems are ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext; and these generalize to the other kinds of cryptography.
NIST IR 7298 (2006)
SP 800-57
  1. Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection.
  2. The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
- cryptanalytical attack n. 
See: (secondary definition under) cryptanalysis.
- crypto n., adj. 
RFC 2828 (2000)
(D) Except as part of certain long-established terms listed in this Glossary, ISDs SHOULD NOT use this abbreviated term because it may be misunderstood. Instead, use cryptography or cryptographic.
- crypto officer n. 
NIST IR 7298 (2006)
FIPS 140-2
An operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions.
- cryptographic adj. 
Of or pertaining to cryptography.
- cryptographic algorithm n. 
RFC 2828 (2000)
(I) An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.
NIST IR 7298 (2006)
SP 800-21 [2ndEd]
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
- cryptographic algorithm for confidentiality n. 
SC 27 SD 6 (2002)
ISO/IEC 9979: 1999
A cryptographic algorithm for confidentiality is defined as an algorithm which transforms data in order to hide or reveal its information content and which uses at least one secret parameter. This definition includes both symmetric algorithms (e.g. DES and FEAL) and asymmetric algorithms (e.g. RSA and Rabin). In the case of a symmetric algorithm the data is hidden and revealed using a secret parameter. In the case of an asymmetric algorithm the data is hidden using a public parameter and revealed using a secret parameter.
- cryptographic application programming interface (CAPI) n. 
RFC 2828 (2000)
(I) The source code formats and procedures through which an application program accesses cryptographic services, which are defined abstractly compared to their actual implementation. For example, see: PKCS #11, [R2628].
- cryptographic boundary n. 
NIST IR 7298 (2006)
FIPS 140-2
An explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.
- cryptographic card n. 
RFC 2828 (2000)
(I) A cryptographic token in the form of a smart card or a PC card.
- cryptographic check function n. 
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
A cryptographic transformation which takes as input a secret key and an arbitrary string, and which gives a cryptographic check value as output. The computation of a correct check value without knowledge of the secret key shall be infeasible.
Compare: hash function.
- cryptographic check value n. 
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997, ISO/IEC 11770-3: 1999
Information which is derived by performing a cryptographic transformation on the data unit.
ISO/IEC FDIS 15946-3 (02/2001)
Information which is derived by performing a cryptographic transformation on the data unit. Note: The cryptographic check value is the output of the cryptographic check function.
Compare: hash result.
- cryptographic component n. 
RFC 2828 (2000)
(I) A generic term for any system component that involves cryptography. (See: cryptographic module.)
- cryptographic hash, - cryptographic hash function n. 
See: (secondary definition under) hash function.
- cryptographic ignition key (CIK) n. 
RFC 2828 (2000)
(I) A physical (usually electronic) token used to store, transport, and protect cryptographic keys. (Sometimes abbreviated as crypto ignition key.)
(C) A typical use is to divide a split key between a CIK and a cryptographic module, so that it is necessary to combine the two to regenerate a key-encrypting key and thus activate the module and other keys it contains.
- cryptographic key n. 
ISO/IEC 2382-8:1998
key
A bit string that controls the operations of encryption or decryption.
RFC 2828 (2000)
(I) Usually shortened to just key. An input parameter that varies the transformation performed by a cryptographic algorithm.
(O) “A sequence of symbols that controls the operations of encipherment and decipherment.” [I7498 Part 2]
(C) If a key value needs to be kept secret, the sequence of symbols (usually bits) that comprise it should be random, or at least pseudo-random, because that makes the key hard for an adversary to guess. (See: cryptanalysis, brute force.)
SC 27 SD 6 (2002)
ISO/IEC 9797-1: 1999, ISO/IEC 9798-1: 1997, ISO/IEC 11770-1: 1996
key
A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature generation, or signature verification).
ISO/IEC 11770-3: 1999
A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature calculation, or signature verification).
ISO/IEC CD 10116 (12/2001)
A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment).
ISO/IEC FDIS 15946-3 (02/2001)
A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature generation, signature verification, or key agreement).
ISO/IEC WD 18033-1 (12/2001)
Sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment).
NIST IR 7298 (2006)
FIPS 201; FIPS 198
A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
FIPS 140-2
A parameter used in conjunction with a cryptographic algorithm that determines
  1. the transformation of plaintext data into ciphertext data,
  2. the transformation of ciphertext data into plaintext data,
  3. a digital signature computed from data,
  4. the verification of a digital signature computed from data,
  5. an authentication code computed from data, or
  6. an exchange agreement of a shared secret.
SCA ISCTAG (2007)
key
In encryption and digital signatures, a value used in combination with a cryptographic algorithm to encrypt or decrypt data.
NIST SP 800-63-1 DRAFT (2008)
A value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification. For the purposes of this document, key requirements shall coincide with the minimum requirements stated in table 2 of NIST SP [800-57] part 1. See also asymmetric keys, symmetric key.
- Cryptographic Message Syntax (CMS) n. 
RFC 2828 (2000)
(I) An encapsulation syntax for digital signatures, hashes, and encryption of arbitrary messages. [R2630]
(C) CMS was derived from PKCS #7. CMS values are specified with ASN.1 and use BER encoding. The syntax permits multiple encapsulation with nesting, permits arbitrary attributes to be signed along with message content, and supports a variety of architectures for digital certificate-based key management.
- cryptographic module n. 
RFC 2828 (2000)
(I) A set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the module’s cryptographic boundary, which is an explicitly defined contiguous perimeter that establishes the physical bounds of the module. [FP140]
NIST IR 7298 (2006)
SP 800-32; FIPS 196
The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.
FIPS 140-2
The set of hardware, software, and/or firmware that implements Approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
- cryptographic module security policy n. 
NIST IR 7298 (2006)
FIPS 140-2
A precise specification of the security rules under which a cryptographic module will operate, including the rules derived from the requirements of this standard (FIPS 140-2) and additional rules imposed by the vendor.
- cryptographic module validation program (CMVP) n. 
NIST IR 7298 (2006)
FIPS 140-2
Validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.
- cryptographic smart card n.
SCA ISCTAG (2007)
cryptographic smart cards
Advanced smart cards that are equipped with specialized cryptographic hardware that lets algorithms such as RSA be used on the card. Today’s cryptographic smart cards are also able to generate key pairs on the card, to avoid the risk of having more than one copy of the key (since by design (usually) there isn’t a way to extract the keys from a smart card). Cryptographic smart cards are often used for digital signatures and secure identification.
- cryptographic strength n. 
NIST IR 7298 (2006)
SP 800-63
A measure of the expected number of operations required to defeat a cryptographic mechanism.
- cryptographic synchronization n. 
SC 27 SD 6 (2002)
ISO 8372: 1987, ISO/IEC CD 10116 (12/2001)
The co-ordination of the encipherment and decipherment processes.
- cryptographic system n. 
ISO/IEC 2382-8:1998
cryptographic system, ciphersystem, cryptosystem
The documents, devices, equipment, and associated techniques that are used together to provide a means of encryption or decryption.
RFC 2828 (2000)
(I) A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.
(C) This “I” definition covers a wider range of algorithms than the following “O” definition:
(O) “A collection of transformations from plaintext into ciphertext and vice versa [which would exclude digital signature, cryptographic hash, and key agreement algorithms], the particular transformation(s) to be used being selected by keys. The transformations are normally defined by a mathematical algorithm.” [X509]
- cryptographic token n. 
RFC 2828 (2000)
(I) A portable, user-controlled, physical device used to store cryptographic information and possibly perform cryptographic functions. (See: cryptographic card, token.)
(C) A smart token may implement some set of cryptographic algorithms and may implement related algorithms and key management functions, such as a random number generator. A smart cryptographic token may contain a cryptographic module or may not be explicitly designed that way.
NIST IR 7298 (2006)
IAEG LIAF (2008)
A token for which the secret is a cryptographic key.
NIST SP 800-63-1 DRAFT (2008)
A token where the secret is a cryptographic key.
- cryptography n. 
ISO/IEC 2382-8:1998
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
RFC 2828 (2000)
(I) The mathematical science that deals with transforming data to render its meaning unintelligible (i.e., to hide its semantic content), prevent its undetected alteration, or prevent its unauthorized use. If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form. (See: cryptology, steganography.)
(O) “The discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use. … Cryptography determines the methods used in encipherment and decipherment.” [I7498 Part 2]
NIST IR 7298 (2006)
SP 800-59; ANSDIT
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
SP 800-21 [2ndEd]
The discipline that embodies principles, means and methods for providing information security, including confidentiality, data integrity, non-repudiation, and authenticity.
FIPS 191
Is categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret.
- Cryptoki n. 
See: (secondary definition under) PKCS #11.
- cryptology n. 
RFC 2828 (2000)
(I) The science that includes both cryptography and cryptanalysis, and sometimes is said to include steganography.
NIST IR 7298 (2006)
SP 800-60
The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.
- cryptonet n. 
RFC 2828 (2000)
(I) A group of system entities that share a secret cryptographic key for a symmetric algorithm.
- cryptoperiod n. 
RFC 2828 (2000)
(I) The time span during which a particular key is authorized to be used in a cryptographic system. (See: key management.)
(C) A cryptoperiod is usually stated in terms of calendar or clock time, but sometimes is stated in terms of the maximum amount of data permitted to be processed by a cryptographic algorithm using the key. Specifying a cryptoperiod involves a tradeoff between the cost of rekeying and the risk of successful cryptanalysis.
(C) Although we deprecate its prefix, this term is long-established in COMPUSEC usage. (See: crypto) In the context of certificates and public keys, key lifetime and validity period are often used instead.
NIST IR 7298 (2006)
SP 800-32
Time span during which each key setting remains in effect.
- cryptosystem n. 
ISO/IEC 2382-8:1998
A synonym for cryptographic system.
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term as an abbreviation for cryptographic system. (For rationale, see: crypto.)
- CSIRT n. 
See: computer security incident response team.
- CSOR n. 
See: Computer Security Objects Register.
- CSP n. 
See: credential service provider.
- cull n. 
See: thresholding.
- cut-and-paste attack n. 
RFC 2828 (2000)
(I) An active attack on the data integrity of ciphertext, effected by replacing sections of ciphertext with other ciphertext, such that the result appears to decrypt correctly but actually decrypts to plaintext that is forged to the satisfaction of the attacker.
- CVE n. 
See: Common Vulnerabilities and Exposures.
- cyclic redundancy check, - cyclical redundancy check (CRC) n. 
RFC 2828 (2000)
cyclic redundancy check
(I) Sometimes called cyclic redundancy code. A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected.
NIST IR 7298 (2006)
SP 800-72
cyclical redundancy check
A method to ensure data has not been altered after being sent through a communication channel.
The original sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both ―
GFDL The GNU Free Documentation License   Creative Commons License A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
URL http://homepage.mac.com/antallan/gistc.html History Last updated Wednesday 10 December 2008