GIST v0.7 ― D
“ d' ” to “dynamic signature verification (DSV)”

D

- d' n., d prime n.

iAfB-ICSA 1999

d prime

A statistical measure of how well a biometric system can discriminate between different individuals. The larger the d prime value, the better a biometric system is at discriminating between individuals.

“A measure of the sensitivity of an observer to some stimulus ‘event.’ The notion of an ‘event’ here is interpreted broadly. It may be the occurrence of a simple stimulus, the occurrence of some stimulus that differs in some fashion from another stimulus, a part on an assembly line that has a flaw, a shadow on a chest X-ray, etc. The measure d' is derived from signal-detection theory as an index of how sensitive an observer is to the stimulus independently of criteria for responding, payoffs for being right or wrong, the probabilities of the stimuli actually being presented and any instructional set that may be given to the subject. It is thus an index for the ‘ideal’ observer which can, of course, be read for any given subject in a signal-detection experiment. … Usually pronounced as ‘d-prime.’” [The Penguin Dictionary of Psychology, edited by Arthur S. Reber]

- DAA n.

See: designated approving authority.

- DAC n.

See: Data Authentication Code, discretionary access control.

- DASS n.

See: Distributed Authentication Security Service.

- data n.

RFC 2828 (2000)

(I) Information in a specific physical representation, usually a sequence of symbols that have meaning; especially a representation of information that can be processed or produced by a computer.

- data authentication n.

modonis^IDM (2005)

Definition: Data authentication is the corroboration that the origin and integrity of data is as claimed.

Data authentication is a technical process which (in an IDM context) serves to verify that any claimed attribute corresponds to the actual attribute held by an entity.

It is worth noting that data authentication verifies origin and integrity (i.e., the correspondence of a claimed attribute to an attribute that was issued to a specific entity), but not necessarily truth (i.e., the factual correctness of the claimed attribute). E.g., an authentication token containing incorrect data (e.g., an incorrect name) could be used to authenticate data which is factually wrong. Data authentication protects against manipulation (insertion, substitution or deletion) by unauthorised parties; not against e.g., incorrect issuance of credentials or tokens.

See: data integrity service, data origin authentication, data origin authentication service.

- Data Authentication Algorithm n.

RFC 2828 (2000)

(N) A keyed hash function equivalent to DES cipher block chaining with IV = 0. [A9009]

(D) ISDs SHOULD NOT use the uncapitalized form of this term as a synonym for other kinds of checksums.

- data authentication code n.

Compare with Data Authentication Code

RFC 2828 (2000)

(D) ISDs SHOULD NOT use data authentication code as a synonym for another kind of checksum, because this term mixes concepts in a potentially misleading way. (See: authentication code.) Instead, use checksum, error detection code, hash, keyed hash, Message Authentication Code, or protected checksum, depending on what is meant.

- Data Authentication Code (DAC) n.

Compare with data authentication code

RFC 2828 (2000)

(N) Data Authentication Code refers to a U.S. Government standard [FP113] for a checksum that is computed by the Data Authentication Algorithm. (Also known as the ANSI standard Message Authentication Code [A9009].)

- database n.

iAfB-ICSA 1999

Any storage of biometric templates and related end user information. Even if only one biometric template or record is stored, the database will simply be “a database of one”. Generally speaking, however, a database will contain a number of biometric records.

Clearly, this definition is specific to biometric systems! See: biometric enrollment database.

JTC 1/SC 37 (2008)

Collection of data organized according to a conceptual structure describing the characteristics of these data and the relationship among their corresponding entities, supporting one or more applications.

Note: Definition source: ISO 2382 Part 17, term 17.01.01.

- data compromise n.

See: compromise.

- data confidentiality n.

See: confidentiality.

- data confidentiality service n.

RFC 2828 (2000)

(I) A security service that protects data against unauthorized disclosure. (See: data confidentiality.)

(D) ISDs SHOULD NOT use this term as a synonym for privacy, which is a different concept.

- data corruption n.

ISO/IEC 2382-8:1998

An accidental or intentional violation of data integrity.

- data element n.

NIST IR 7298 (2006)

A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.

- Data Encryption Algorithm (DEA) n.

RFC 2828 (2000)

(N) A symmetric block cipher, defined as part of the U.S. Government’s Data Encryption Standard. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block. [FP046] (See: DES, symmetric cryptography.)

(C) This algorithm is usually referred to as DES. The algorithm has also been adopted in standards outside the Government (e.g., [A3092]).

NIST IR 7298 (2006)

SP 800-67

The cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).

- data encryption key (DEK) n.

RFC 2828 (2000)

(I) A cryptographic key that is used to encipher application data. (See: key-encrypting key.)

- Data Encryption Standard (DES) n.

RFC 2828 (2000)

(N) A U.S. Government standard [FP046] that specifies the Data Encryption Algorithm and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES, DEA.)

NIST IR 7298 (2006)

SP 800-46

A U.S. Government-approved, symmetric cipher, encryption algorithm used by business and civilian government agencies. [≡ DEA] The Advanced Encryption Standard (AES) is designed to replace DES. The original “single” DES algorithm is no longer secure because it is now possible to try every possible key with special purpose equipment or a high performance cluster. triple DES (see glossary entry below), however, is still considered to be secure.

SCA ISCTAG (2007)

A method for encrypting information. [≡ DEA] (See related term Triple DES.)

Strictly DES is the standard that specifies the algorithm, DEA, but in common parlance DES is used for the algorithm itself.

- data integrity n.

See also: encryption.

ISO/IEC 2382-8:1998

decryption, decipherment

The process of obtaining, from a ciphertext, the original corresponding data. Note: A ciphertext may be encrypted a second time, in which case a single decryption does not produce the original plaintext.

SC 27 SD 6 (2002)

ISO/IEC 9797-1: 1999, ISO/IEC 9798-1: 1997, ISO/IEC 11770-1: 1996, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)

decipherment

The reversal of a corresponding encipherment.

ISO/IEC WD 18033-1 (12/2001)

decipherment

Alternative term for decryption.

decryption

Reversal of a corresponding encipherment. (An odd counterposition of decryption and encipherment… hopefully corrected in the final document.)

NIST IR 7298 (2006)

SP 800-67

The process of transforming ciphertext into plaintext.

SP 800-21 [2ndEd]

The process of changing ciphertext into plaintext using a cryptographic algorithm and key.

FIPS 185

Conversion of ciphertext to plaintext through the use of a cryptographic algorithm.

JTC 1/SC 37 (2006⇒2008) – A.2.7

Reversal of a corresponding encryption.

Note: Definition Source: ISO 18033-1 (via SC27 SD6).

- dedicated security mode n.

RFC 2828 (2000)

(I) A mode of operation of an information system, wherein all users have the clearance or authorization, and the need-to-know, for all data handled by the system. In this mode, the system may handle either a single classification level or category of information or a range of levels and categories. [DOD2]

(C) This mode is defined formally in U.S. Department of Defense policy regarding system accreditation, but the term is also used outside the Defense Department and outside the Government.

- default account n.

RFC 2828 (2000)

(I) A system login account (usually accessed with a user name and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service.

(C) Sometimes, the default user name and password are the same in each copy of the system. In any case, when the system is put into service, the default password should immediately be changed or the default account should be disabled.

- degauss vb.

RFC 2828 (2000)

(N) Apply a magnetic field to permanently remove, erase, or clear data from a magnetic storage medium, such as a tape or disk [NCS25]. Reduce magnetic flux density to zero by applying a reversing magnetic field.

- degausser n.

RFC 2828 (2000)

(N) An electrical device that can degauss magnetic storage media.

- degrees of freedom n.

iAfB-ICSA 1999

The number of statistically independent features in biometric data.

- DEK n.

See: data encryption key.

- deleted file n.

NIST IR 7298 (2006)

SP 800-72

A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.

- delegation n.

modonis^IDM (2005)

Definition: Delegation is the process in which an identified entity issues a mandate to another identified entity.

From a legal perspective, the concept of delegation usually implies acceptance by the receiving identified entity. In a technical context, acceptance is usually unnecessary.

A mandate can be used to delegate authorizations of one identified entity to another.

- deliverable n.

SC 27 SD 6 (2002)

ISO/IEC WD 15443-1 (11/2001)

The object of an assurance assessment. An object may be a Protection Profile (PP) or Security Target (ST) as defined by ISO 15408 or a product, system, service, process, or environmental factor (i.e. personnel, organisation). Note: ISO 9000:2000 holds that a service is a type of product and “product and/or service" when used in the ISO 9000 family of standards.

- delivery authority n.

SC 27 SD 6 (2002)

ISO/IEC WD 13888-1 (11/2001)

An authority trusted by the sender to deliver the data from the sender to the receiver, and to provide the sender with evidence on the submission and transport of data upon request.

- delta CRL n.

RFC 2828 (2000)

(I) A partial CRL that only contains entries for X.509 certificates that have been revoked since the issuance of a prior, base CRL. This method can be used to partition CRLs that become too large and unwieldy.

- demilitarized zone (DMZ) n.

NIST IR 7298 (2006)

SP 800-41

A network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.

- denial of service (DoS, DOS) n.

ISO/IEC 2382-8:1998

The prevention of authorized access to resources or the delaying of time-critical operations.

RFC 2828 (2000)

(I) The prevention of authorized access to a system resource or the delaying of system operations and functions. (See: availability, critical (resource of a system), flooding.)

NIST IR 7298 (2006)

SP 800-27A

The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

- DES n.

See: Data Encryption Standard.

- designated accrediting authority, - designated approving authority (DAA) n.

NIST IR 7298 (2006)

SP 800-37

The individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

- dependency n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

A relationship between requirements such that the requirement that is depended upon must normally be satisfied for the other requirements to be able to meet their objectives.

- deterministic n.

SC 27 SD 6 (2002)

ISO/IEC 14888-1: 1998

Independent of a randomizer, not randomized.

- dial-back n.

ISO/IEC 2382-8:1998

A synonym for call-back.

- dictionary attack n.

RFC 2828 (2000)

(I) An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.

(C) For example, an attack on an authentication service by trying all possible passwords; or an attack on encryption by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup.

- differential power analysis (DPA) n.

NIST IR 7298 (2006)

FIPS 140-2

An analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.

- Diffie-Hellman n.

RFC 2828 (2000)

(N) A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].

(C) Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

(C) The difficulty of breaking Diffie-Hellman is considered to be equal to the difficulty of computing discrete logarithms modulo a large prime. The algorithm is described in [R2631] and [Schn]. In brief, Alice and Bob together pick large integers that satisfy certain mathematical conditions, and then use the integers to each separately compute a public-private key pair. They send each other their public key. Each person uses their own private key and the other person’s public key to compute a key, k, that, because of the mathematics of the algorithm, is the same for each of them. Passive wiretapping cannot learn the shared k, because k is not transmitted, and neither are the private keys needed to compute k. However, without additional mechanisms to authenticate each party to the other, a protocol based on the algorithm may be vulnerable to a man-in-the-middle attack.

- digest n.

See: message digest.

- digital certificate n.

RFC 2828 (2000)

(I) A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, capability, public-key certificate.)

(D) ISDs SHOULD NOT use this term to refer to a signed CRL or CKL. Although the recommended definition can be interpreted to include those items, the security community does not use the term with those meanings.

- digital certification n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term as a synonym for certification, unless the context is not sufficient to distinguish between digital certification and another kind of certification, in which case it would be better to use public-key certification or another phrase that indicates what is being certified.

- digital document n.

RFC 2828 (2000)

(I) An electronic data object that represents information originally written in a non-electronic, non-magnetic medium (usually ink on paper) or is an analogue of a document of that type.

- digital envelope n.

ISO/IEC 2382-8:1998

Data appended to a message, that allow the intended recipient to verify the content of the message.

RFC 2828 (2000)

(I) A digital envelope for a recipient is a combination of (a) encrypted content data (of any kind) and (b) the content encryption key in an encrypted form that has been prepared for the use of the recipient.

(C) In ISDs, this term should be defined at the point of first use because, although the term is defined in PKCS #7 and used in S/MIME, it is not yet widely established.

(C) Digital enveloping is not simply a synonym for implementing data confidentiality with encryption; digital enveloping is a hybrid encryption scheme to seal a message or other data, by encrypting the data and sending both it and a protected form of the key to the intended recipient, so that no one other than the intended recipient can open the message. In PCKS #7, it means first encrypting the data using a symmetric encryption algorithm and a secret key, and then encrypting the secret key using an asymmetric encryption algorithm and the public key of the intended recipient. In S/MIME, additional methods are defined for conveying the content encryption key.

- digital evidence n.

NIST IR 7298 (2006)

SP 800-72

Electronic information stored or transferred in digital form.

- Digital ID^SM

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term as a synonym for digital certificate because (a) it is the service mark of a commercial firm [VeriSign externalLink

], (b) it unnecessarily duplicates the meaning of other, well-established terms, and (c) a certificate is not always used as authentication information. In some contexts, however, it may be useful to explain that the key conveyed in a public-key certificate can be used to verify an identity and, therefore, that the certificate can be thought of as digital identification information. (See: identification .)

- digital identity n.

modonis^IDM (2005)

Definition: A digital identity is a partial identity in an electronic form.

For any given entity, there will typically exist many digital identities which may be unique or non-unique. A digital identity can be created on the fly when a particular identity transaction is desired.

A digital identity is, by definition, a subset of the identity, and can in effect be considered a manifestation of an entity’s presence in an electronic IDM system (i.e., it is the subset of attributes belonging to an entity that is accessible through a specific IDM system).

- digital key n.

RFC 2828 (2000)

(C) The adjective digital need not be used with key or cryptographic key, unless the context is insufficient to distinguish the digital key from another kind of key, such as a metal key for a door lock.

- digital notary n.

RFC 2828 (2000)

(I) Analogous to a notary public. Provides a trusted date-and-time stamp for a document, so that someone can later prove that the document existed at a point in time. May also verify the signature(s) on a signed document before applying the stamp. (See: notarization.)

- digital signature n.

ISO/IEC 2382-8:1998

Data appended to a message, that allow the recipient of the message to verify the source and integrity of the message.

RFC 2828 (2000)

(I) A value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity. (See: data origin authentication service, data integrity service, digitized signature, electronic signature, signer.)

(I) “Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient.” [I7498 Part 2]

(C) Typically, the data object is first input to a hash function, and then the hash result is cryptographically transformed using a private key of the signer. The final resulting value is called the digital signature of the data object. The signature value is a protected checksum, because the properties of a cryptographic hash ensure that if the data object is changed, the digital signature will no longer match it. The digital signature is unforgeable because one cannot be certain of correctly creating or changing the signature without knowing the private key of the supposed signer.

(C) Some digital signature schemes use a asymmetric encryption algorithm (e.g., see: RSA) to transform the hash result. Thus, when Alice needs to sign a message to send to Bob, she can use her private key to encrypt the hash result. Bob receives both the message and the digital signature. Bob can use Alice’s public key to decrypt the signature, and then compare the plaintext result to the hash result that he computes by hashing the message himself. If the values are equal, Bob accepts the message because he is certain that it is from Alice and has arrived unchanged. If the values are not equal, Bob rejects the message because either the message or the signature was altered in transit.

(C) Other digital signature schemes (e.g., see: DSS) transform the hash result with an algorithm (e.g., see: DSA, El Gamal algorithm ) that cannot be directly used to encrypt data. Such a scheme creates a signature value from the hash and provides a way to verify the signature value, but does not provide a way to recover the hash result from the signature value. In some countries, such a scheme may improve exportability and avoid other legal constraints on usage.

SC 27 SD 6 (2002)

ISO/IEC 11770-3: 1999

A data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the origin and integrity of the data unit and protect the sender and the recipient of the data unit against forgery by third parties, and the sender against forgery by the recipient.

ISO/IEC FDIS 15946-3 (02/2001)

Data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the origin and integrity of the data unit and protect against forgery, e.g. by the recipient.

ISO/IEC 15945: 2002

A cryptographic transformation of a data unit that allows a recipient of the data unit to prove the origin and integrity of the data unit and protect the sender and the recipient of the data unit against forgery by third parties, and the sender against forgery by the recipient. Note: Digital signatures may be used by end entities for the purposes of authentication, of data integrity, and of non-repudiation of creation of data. The usage for non-repudiation of creation of data is the most important one for legally binding digital signatures.

ISO/IEC 9798-1: 1997

signature

NIST IR 7298 (2006)

FIPS 196

A nonforgeable transformation of data that allows the proof of the source (with nonrepudiation) and the verification of the integrity of that data.

FIPS 140-2

The result of a cryptographic transformation of data which, when properly implemented, provides the services of:

origin authentication
data integrity, and
signer non-repudiation.

SCA ISCTAG (2007)

Digital information used for the purpose of identification of an electronic message or documents. Digital signatures provide a way of authenticating the identity of creators or producers of digital information.

NIST SP 800-63-1 DRAFT (2008)

An asymmetric key operation where the private key is used to digitally sign an electronic document and the public key is used to verify the signature. Digital signatures provide authentication and integrity protection.

- digital signature algorithm n.

NIST IR 7298 (2006)

SP 800-49

Asymmetric algorithms used for digitally signing data.

- Digital Signature Algorithm (DSA) n.

RFC 2828 (2000)

(N) An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: Digital Signature Standard.)

- Digital Signature Standard (DSS) n.

RFC 2828 (2000)

(N) The U.S. Government standard [FP186] that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.

- digital watermarking n.

RFC 2828 (2000)

(I) Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data – text, graphics, images, video, or audio – and for detecting or extracting the marks later.

(C) The set of embedded bits (the digital watermark) is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights. [ACM]

- digitized signature n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term because there is no current consensus on its definition. Although it appears to be used mainly to refer to various forms of digitized images of handwritten signatures, the term should be avoided because it might be confused with digital signature.

- directly trusted CA n.

SC 27 SD 6 (2002)

ISO/IEC 15945: 2002

A directly trusted CA is a CA whose public key has been obtained and is being stored by an end entity in a secure, trusted manner, and whose public key is accepted by that end entity in the context of one or more applications.

- directly trusted CA key n.

SC 27 SD 6 (2002)

ISO/IEC 15945: 2002

A directly trusted CA key is a public key of a directly trusted CA. It has been obtained and is being stored by an end entity in a secure, trusted manner. It is used to verify certificates without being itself verified by means of a certificate created by another CA. Note: If for example the CAs of several organizations cross-certify each other (see Annex A) the directly trusted CA for an entity may be the CA of the entity’s organization. Directly trusted CAs and directly trusted CA keys may vary from entity to entity. An entity may regard several CAs as directly trusted CAs.

- directory

Compare with Directory

RFC 2828 (2000)

(I) The term directory refers generically to a database server or other system that provides information – such as a digital certificate or CRL – about an entity whose name is known.

- Directory n.

Compare with directory

RFC 2828 (2000)

(I) Directory refers specifically to the X.500 Directory. (See: repository.)

- Directory Access Protocol (DAP) n.

RFC 2828 (2000)

(N) An OSI protocol [X519] for communication between a Directory User Agent (a client) and a Directory System Agent (a server). (See: Lightweight Directory Access Protocol.)

- directory service n.

SC 27 SD 6 (2002)

ISO/IEC 15945: 2002

A service to search and retrieve information from a catalogue of well defined objects, which may contain information about certificates, telephone numbers, access conditions, addresses etc. An example is provided by a directory service conforming to the ITU-T Recommendation X.500.

- disaster plan, - disaster recovery plan (DRP) n.

ISO/IEC 2382-8:1998

disaster recovery plan

A synonym for contingency plan.

RFC 2828 (2000)

disaster plan

(D) A synonym for contingency plan. In the interest of consistency, ISDs SHOULD use contingency plan instead of disaster plan.

NIST IR 7298 (2006)

SP 800-34

disaster recovery plan

A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

- disclosure n.

ISO/IEC 2382-8:1998

A violation of computer security whereby data have been made available to unauthorized entities.

RFC 2828 (2000)

In the sense of unauthorized disclosure: See: (secondary definition under) threat consequence.

- disconnection n.

NIST IR 7298 (2006)

SP 800-47

The termination of an interconnection between two or more IT systems. A disconnection may be planned (e.g., due to changed business needs) or unplanned (i.e., due to an attack or other contingency).

- discretionary access control (DAC) n.

RFC 2828 (2000)

(I) An access control service that enforces a security policy based on the identity of system entities and their authorizations to access system resources. (See: access control list, identity-based security policy, mandatory access control.)

(C) This service is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

(O) “A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.” [DOD1]

NIST IR 7298 (2006)

FIPS 191

The basis of this kind of security is that an individual user, or program operating on the user’s behalf is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control.

SCA ISCTAG (2007)

Access restriction based solely on an individual’s identity.

Way too simplistic a definition! See those above.

- discriminant training n.

iAfB-ICSA 1999

A means of refining the extraction algorithm so that biometric data from different individuals are as distinct as possible.

- disjunctive sequence n.

OASIS XACML 2.0 (2005)

A sequence of predicates combined using the logical OR operation.

- disruption n.

RFC 2828 (2000)

See: (secondary definition under) threat consequence.

NIST IR 7298 (2006)

SP 800-34

An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).

- dissimilarity score n.

See: distance score.

- distance score n.

JTC 1/SC 37 (2006⇒2008)

distance score
dissimilarity score

Comparison score that decreases with similarity.

- Distinguished Encoding Rules (DER) n.

RFC 2828 (2000)

(N) A subset of the Basic Encoding Rules, which gives exactly one way to represent any ASN.1 value as an octet string [X690].

(C) Since there is more than one way to encode ASN.1 in BER, DER is used in applications in which a unique encoding is needed, such as when a digital signature is computed on an ASN.1 value.

- distinguished name (DN) n.

RFC 2828 (2000)

(I) An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (See: domain name.)

(C) A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.

- distinguishing identifier n.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997, ISO/IEC 11770-2: 1996, ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)

Information which unambiguously distinguishes an entity.

ISO/IEC WD 13888-1 (11/2001)

Information which unambiguously distinguishes an entity in the non-repudiation process.

NIST IR 7298 (2006)

FIPS 196

Information which unambiguously distinguishes an entity in the authentication process.

- distributed denial of service (DDoS, DDOS) n.

NIST IR 7298 (2006)

SP 800-61

A denial of service technique that uses numerous hosts to perform the attack.

- Distributed Authentication Security Service (DASS) n.

RFC 2828 (2000)

(I) An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.

- distribution point n.

RFC 2828 (2000)

(I) An X.500 Directory entry or other information source that is named in a v3 X.509 public-key certificate extension as a location from which to obtain a CRL that might list the certificate.

(C) A v3 X.509 public-key certificate may have a cRLDistributionPoints extension that names places to get CRLs on which the certificate might be listed. A CRL obtained from a distribution point may (a) cover either all reasons for which a certificate might be revoked or only some of the reasons, (b) be issued by either the authority that signed the certificate or some other authority, and (c) contain revocation entries for only a subset of the full set of certificates issued by one CA or (c') contain revocation entries for multiple CAs.

- DMZ n.

See: demilitarized zone.

- DN n.

See: distinguished name.

- DNS n.

See: Domain Name System.

- DOI n.

See: domain of interpretation.

- domain n.

RFC 2828 (2000)

(I) security usage: An environment or context that is defined by a security policy, security model, or security architecture to include a set of system resources and the set of system entities that have the right to access the resources. (See: domain of interpretation, security perimeter.)

(I) Internet usage: That part of the Internet domain name space tree [R1034] that is at or below the name the specifies the domain. A domain is a subdomain of another domain if it is contained within that domain. For example, D.C.B.A is a subdomain of C.B.A. (See: Domain Name System.)

(O) MISSI usage: The domain of a MISSI CA is the set of MISSI users whose certificates are signed by the CA.

(O) OSI usage: An administrative partition of a complex distributed OSI system.

SC 27 SD 6 (2002)

ISO/IEC 15816: 2002

security domain

A collections of users and systems subject to a common security policy.

OASIS SAML 2.0 (2005)

security domain

An environment or context that is defined by security models and a security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. The traits defining a given security domain typically evolve over time. [Taxonomy]

NIST IR 7298 (2006)

SP 800-27A

domain, security domain

A set of subjects, their information objects, and a common security policy.

FIPS 188

security domain

A collection of entities to which applies a single security policy executed by a single authority.

- domain modulus n.

SC 27 SD 6 (2002)

ISO/IEC 14888-2: 1999

A domain parameter, which is a positive integer resulting from the product of two distinct primes which are known only to the trusted third party.

- domain name n.

RFC 2828 (2000)

(I) The style of identifier – a sequence of case-insensitive ASCII labels separated by dots (bbn.com) – defined for subtrees in the Internet Domain Name System [R1034] and used in other Internet identifiers, such as host names (e.g., rosslyn.bbn.com), mailbox names (e.g., rshirey@bbn.com), and URLs (e.g., http://www.rosslyn.bbn.com/foo). (See: distinguished name, domain.)

(C) The domain name space of the DNS is a tree structure in which each node and leaf holds records describing a resource. Each node has a label. The domain name of a node is the list of labels on the path from the node to the root of the tree. The labels in a domain name are printed or read left to right, from the most specific (lowest, farthest from the root) to the least specific (highest, closest to the root). The root’s label is the null string, so a complete domain name properly ends in a dot. The top-level domains, those immediately below the root, include COM, EDU, GOV, INT, MIL, NET, ORG, and two-letter country codes (such as US) from ISO-3166. [R1591] (See: country code.)

- Domain Name System (DNS) n.

RFC 2828 (2000)

(I) The main Internet operations database, which is distributed over a collection of servers and used by client software for purposes such as translating a domain name-style host name into an IP address (e.g., rosslyn.bbn.com is 192.1.7.10) and locating a host that accepts mail for some mailbox address. [R1034]

Domain name space and resource records: Specifications for the tree-structured domain name space, and data associated with the names.
Name servers: Programs that hold information about a subset of the tree’s structure and data holdings, and also hold pointers to other name servers that can provide information from any part of the tree.
Resolvers: Programs that extract information from name servers in response to client requests; typically, system routines directly accessible to user programs.

(C) Extensions to the DNS [R2065, R2137, R2536] support (a) key distribution for public keys needed for the DNS and for other protocols, (b) data origin authentication service and data integrity service for resource records, (c) data origin authentication service for transactions between resolvers and servers, and (d) access control of records.

- domain of interpretation (DOI) n.

RFC 2828 (2000)

(I) IPsec usage: An ISAKMP/IKE DOI defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes.

- domain parameter n.

SC 27 SD 6 (2002)

ISO/IEC 14888-1: 1998

A data item which is common to and known by or accessible to all entities within the domain.

ISO/IEC 9796-3: 2000, ISO/IEC WD 15946-4 (10/2001)

A data item which is common to and known by or accessible to all entities within the domain. Note: The set of domain parameters may contain data items such as hash-function identifier, length of the hash-token, length of the recoverable part of the message, finite field parameters, elliptic curve parameters, or other parameters specifying the security policy in the domain.

ISO/IEC FDIS 15946-2 (04/2001)

A data item which is common to and known by or accessible to all entities within the domain. Note: The set of domain parameters may contain data items such as hash-function identifier, elliptic curve parameters, or other parameters specifying the security policy in the domain.

- domain verification exponent n.

SC 27 SD 6 (2002)

ISO/IEC 14888-2: 1999

A domain parameter which is a positive integer.

- dominate n.

RFC 2828 (2000)

(I) Security level A is said to dominate security level B if the hierarchical classification level of A is greater (higher) than or equal to that of B and the nonhierarchical categories of A include all of those of B.

- dongle n.

RFC 2828 (2000)

(I) A portable, physical, electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)

(C) A dongle is essentially a physical key used for copy protection of software, because the program will not run unless the matching dongle is attached. When the software runs, it periodically queries the dongle and quits if the dongle does not reply with the proper authentication information. Dongles were originally constructed as an EPROM (erasable programmable read-only memory) to be connected to a serial input-output port of a personal computer.

- door reader n.

SCA ISCTAG (2007)

The device on each door that communicates with a card or credential and sends data from the card to the controller for decision on access rights.

- door strike n.

SCA ISCTAG (2007)

The electronic lock on each door that is connected to the controller.

- dots per inch (DPI) n.

iAfB-ICSA 1999

A measurement of resolution for finger image biometrics.

- downgrade n.

RFC 2828 (2000)

(I) Reduce the classification level of information in an authorized manner.

- DPI n.

See: dots per inch.

- draft RFC n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term, because the Request for Comment series is archival in nature and does not have a draft category. (Instead, see: Internet Draft, Draft Standard (in Internet Standard).)

- DSA n.

See: Digital Signature Algorithm.

- DSS n.

See: Digital Signature Standard.

- DSV n.

See: dynamic signature verification.

- dual control n.

RFC 2828 (2000)

(I) A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. (See: no-lone zone, separation of duties, split knowledge.)

- dual-interface card n.

SCA ISCTAG (2007)

A smart card that has a single smart card chip with two interfaces – a contact and a contactless interface – using shared memory and chip resources.

- dual signature n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term except when stated as SET™ dual signature with the following meaning:

(O) SET usage: A single digital signature that protects two separate messages by including the hash results for both sets in a single encrypted value. [SET2]

(C) Generated by hashing each message separately, concatenating the two hash results, and then hashing that value and encrypting the result with the signer’s private key. Done to reduce the number of encryption operations and to enable verification of data integrity without complete disclosure of the data.

- dual-use certificate n.

NIST IR 7298 (2006)

SP 800-32

A certificate that is intended for use with both digital signature and data encryption services.

- due care n.

NIST IR 7298 (2006)

SP 800-30

The responsibility that managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

- duplicate digital evidence n.

NIST IR 7298 (2006)

SP 800-72

A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.

- duplicate enrolment check n.

JTC 1/SC 37 (2006⇒2008)

Comparison of a recognition biometric sample / biometric feature / biometric model biometric probe to some or all of the biometric references in the biometric enrolment database to determine if any similar biometric reference exists.

- duration n.

NIST IR 7298 (2006)

SP 800-32

A field within a certificate that is composed of two subfields; “date of issue” and “date of next issue”.

- dynamic biometric characteristic n.

A synonym for behavioral biometric characteristic.

- dynamic host configuration protocol (DHCP) n.

NIST IR 7298 (2006)

SP 800-48

The protocol used to assign Internet Protocol (IP) addresses to all nodes on the network.

- dynamic signature verification (DSV) n.

iAfB-ICSA 1999

Synonym for signature verification (see: biometric characteristic). Compare: static signature verification.

The originals sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both ―
	The GNU Free Documentation License	A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
	http://homepage.mac.com/antallan/gistd.html	Last updated Wednesday 10 December 2008

Ant’s HomePage ⇧ Security Matters ⇧ GIST ⇧ D

GIST v0.7 ― D “ d' ” to “dynamic signature verification (DSV)”

D

Ant’s HomePage
⇧ Security Matters
⇧ GIST
⇧ D

GIST v0.7 ― D
“ d' ” to “dynamic signature verification (DSV)”