
GIST v0.7 ― O
“OAKLEY” to “outside threat”

O

- OAKLEY n. 
RFC 2828 (2000)
(I) A key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP. [R2412]
(C) OAKLEY establishes a shared key with an assigned identifier and associated authenticated identities for parties. i.e., OAKLEY provides authentication service to ensure the entities of each other’s identity, even if the Diffie-Hellman exchange is threatened by active wiretapping. Also, provides public-key forward secrecy for the shared key and supports key updates, incorporation of keys distributed by out-of-band mechanisms, and user-defined abstract group structures for use with Diffie-Hellman.
- object n. 
ISO/IEC 2382-8:1998
An entity to which access is controlled. Examples: A file, a program, an area of main storage; data collected and maintained about a person.
RFC 2828 (2000)
(I) trusted computer system modeling usage: A system element that contains or receives information. (See: Bell-LaPadula Model, trusted computer system.)
SC 27 SD 6 (2002)
ISO/IEC 15408-1: 1999
An entity within the TSC that contains or receives information and upon which subjects perform operations.
NIST IR 7298 (2006)
SP 800-27A; CNSSI-4009 Adapted
A passive entity that contains or receives information.
- object identifier (OID) n. 
RFC 2828 (2000)
(I) An official, globally unique name for a thing, written as a sequence of integers (which are formed and assigned as defined in the ASN.1 standard) and used to reference the thing in abstract specifications and during negotiation of security services in a protocol.
(O) “A value (distinguishable from all other such values) which is associated with an object.” [X680]
(C) Objects named by OIDs are leaves of the object identifier tree (which is similar to but different from the X.500 Directory Information Tree). Each arc (i.e., each branch of the tree) is labeled with a non-negative integer. An OID is the sequence of integers on the path leading from the root of the tree to a named object.
(C) The OID tree has three arcs immediately below the root: {0} for use by ITU-T, {1} for use by ISO, and {2} for use by both jointly. Below ITU-T are four arcs, where {0 0} is for ITU-T recommendations. Below {0 0} are 26 arcs, one for each series of recommendations starting with the letters A to Z, and below these are arcs for each recommendation. Thus, the OID for ITU-T Recommendation X.509 is {0 0 24 509}. Below ISO are four arcs, where {1 0} is for ISO standards, and below these are arcs for each ISO standard. Thus, the OID for ISO/IEC 9594-8 (the ISO number for X.509) is {1 0 9594 8}.
(C) The following are additional examples: ANSI registers organization names below the branch {joint-iso-ccitt(2) country(16) US(840) organization(1)}. The NIST CSOR records PKI objects below the branch {joint-iso-ccitt(2) country(16) us(840) gov(101) csor(3) pki(4)}. The U.S. Department of Defense registers INFOSEC objects below the branch {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1)}. The OID for the PKIX private extension is defined in an arc below the arc for the PKIX name space, as {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 1}.
NIST IR 7298 (2006)
SP 800-32
A specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI they are used to uniquely identify each of the four policies and cryptographic algorithms supported.
- object reuse n. 
RFC 2828 (2000)
(N) “The reassignment and reuse of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more [information] objects. To be securely reused and assigned to a new subject, storage media must contain no residual data (magnetic remanence) from the object(s) previously contained in the media.” [NCS04]
- obligation n. 
OASIS XACML 2.0 (2005)
An operation specified in a policy or policy set that should be performed by the PEP in conjunction with the enforcement of an authorization decision.
- OCSP n. 
See: On-line Certificate Status Protocol.
- octet n. 
RFC 2828 (2000)
(I) A data unit of eight bits. (See: byte.)
(C) This term is used in networking (especially in OSI standards) in preference to byte, because some systems use byte for data storage units of a size other than eight.
SC 27 SD 6 (2002)
ISO/IEC FDIS 9796-2 (12/2001)
String of eight bits.
- OEM n. 
See: original equipment manufacturer, original equipment module.
- OFB n. 
See: output feedback.
- off-card adj. 
Compare with on-card.
NIST IR 7298 (2006)
FIPS 201
Refers to data that is not stored within the PIV card or computation that is not done by the integrated circuit chip (ICC) of the PIV card.
SCA ISCTAG (2007)
Refers to data that is not stored on the ID card or to a computation that is not performed by the integrated circuit on the ID card.
- off-line attack n. 
NIST SP 800-63-1 DRAFT (2008)
An attack where the attacker obtains some data (typically by eavesdropping on an authentication protocol run, or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing.
- off-line processing n. 
BEM 2002
Use of temporarily stored data fed into the comparison process to simulate live processing for test purposes.
- offset track n. 
ISO/IEC 2382-8:1998
A track written at a nonstandard position on a disk, as part of a method of copy protection.
- ohnosecond n. 
RFC 2828 (2000)
(C) That minuscule fraction of time in which you realize that your private key has been compromised.
- OID n. 
See: object identifier.
- on-card adj. 
Compare with off-card.
NIST IR 7298 (2006)
FIPS 201
Refers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.
SCA ISCTAG (2007)
Refers to data that is stored on the ID card or to a computation that is performed by the integrated circuit chip on the ID card.
- on-line attack n. 
NIST SP 800-63-1 DRAFT (2008)
An attack against an authentication protocol where the attacker either assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.
- On-line Certificate Status Protocol (OCSP)
RFC 2828 (2000)
(I) An Internet protocol used by a client to obtain from a server the validity status and other information concerning a digital certificate.
(C) In some applications, such as those involving high-value commercial transactions, it may be necessary to obtain certificate revocation status that is more timely than is possible with CRLs or to obtain other kinds of status information. OCSP may be used to determine the current revocation status of a digital certificate, in lieu of or as a supplement to checking against a periodic CRL. An OCSP client issues a status request to an OCSP server and suspends acceptance of the certificate in question until the server provides a response.
NIST IR 7298 (2006)
SP 800-63
An on-line protocol used to determine the status of a public key certificate.
FIPS 201
Online Certificate Status Protocol
An on-line protocol used to determine the status of a public key certificate.
SCA ISCTAG (2007)
An online protocol used to determine the status of a public key certificate.
- on-line guessing attack n.
NIST SP 800-63-1 DRAFT (2008)
online guessing attack
An attack in which an attacker performs repeated logon trials by guessing possible values of the token authenticator.
- on-line processing n. 
See: live processing.
- one-time pad n. 
RFC 2828 (2000)
(I) An encryption algorithm in which the key is a random sequence of symbols and each symbol is used for encryption only one time – to encrypt only one plaintext symbol to produce only one ciphertext symbol – and a copy of the key is used similarly for decryption.
(C) To ensure one-time use, the copy of the key used for encryption is destroyed after use, as is the copy used for decryption. This is the only encryption algorithm that is truly unbreakable, even given unlimited resources for cryptanalysis [Schn], but key management costs and synchronization problems make it impractical except in special situations.
- one-time password (OTP) n. 
Although ambiguous, the abbreviation OTP is firmly established for one-time password; see also: One-Time Password.
RFC 2828 (2000)
(O) A one-time password is a simple authentication technique in which each password is used only once as authentication information that verifies an identity. This technique counters the threat of a replay attack that uses passwords captured by wiretapping.
SCA ISCTAG (2007)
Passwords that are used once and then discarded. Each time the user authenticates to a system, a different password is used, after which that password is no longer valid. The password is computed either by software on the logon computer or by OTP hardware tokens in the user’s possession that are coordinated through a trusted system.
- One-Time Password (OTP) n. 
Compare with one-time password.
RFC 2828 (2000)
(I) One-Time Password is an Internet protocol [R1938] that is based on S/Key and uses a cryptographic hash function to generate one-time passwords for use as authentication information in system login and in other processes that need protection against replay attacks.
- one-to-a-few, - one-to-few adj. 
iAfB-ICSA 1999
one-to-a-few
A hybrid of one-to-many identification and one-to-one verification. Typically the one-to-a-few process involves comparing a submitted biometric sample [sic] against a small number of biometric reference templates on file.
IBG
There is a middle ground between identification and verification referred to as one-to-few (1:few). This type of application involves identification of a user from a very small database of enrollees. While there is no exact number that differentiates a 1:N from a 1:few system, any system involving a search of more than 500 records is likely to be classified as 1:N. A typical use of a 1:few system would be access control to sensitive rooms at a 50-employee company, where users place their finger on a device and are located from a small database.
JTC 1/SC 37 (2006⇒2008)
one-to-few (deprecated)
Note: One-to-few has previously been used to describe the processes of (a) a one-to-many search comparison of part of the biometric enrolment database, for example, searching a binning partition; (b) a set of one-to-one comparisons against a set of biometric references for one individual biometric data subject, or for one claimed biometric reference identifier.
- one-to-many comparison n.
JTC 1/SC 37 (2008)
one-to-many comparison
one-to-few (deprecated)
Process in which a probe biometric sample set of one biometric data subject is compared against the biometric references of more than one biometric data subject to return a set of comparison scores.
Note: The term “compared” refers to comparison in the biometric sense.
- one-to-many search n. 
iAfB-ICSA 1999
one-to-many
Synonym for identification.
JTC 1/SC 37 (2006⇒2008)
one-to-many search
Comparison Process in which a reference probe biometric sample / biometric feature / biometric model set of one individual biometric data subject is compared searched against the biometric references of more than one individual biometric data subject to return a set of comparisons candidate list or a comparison decision.
Note 1: A biometric identification function performs a one-to-many search.
Note 2: In the case of a multimodal biometric system, the recognition biometric / biometric feature / biometric model and the biometric reference in the above definition comprise individual biometric samples / biometric feature / biometric model and biometric references of the component modalities.
Note 3: A universal background model is not an individual, therefore a comparison of a single individual’s sample to a claimed reference and a universal background model is not inherently one-to-many.
Note 4: Use of a universal background model can still be one-to-one.
Note 1: The term “searched”, in the above definition, refers to biometric search.
Note 2: Output of a candidate list or the comparison decision implies implementation of a policy.
There is no agreed designation biometric search in JTC 1/SC 37 (2008)!
- one-to-one comparison n. 
JTC 1/SC 37 (2006⇒2008)
Process in which a reference probe biometric sample / biometric feature / biometric model set from one individual biometric data subject is compared to biometric reference(s) from one biometric data subject to produce a comparison score with respect to one individual, perhaps using additional data from the biometric enrolment database.
Note 1: A biometric verification function performs a one-to-one comparison.
Note 2 1 : In the case of a multimodal biometric system, the reference probe biometric sample / biometric feature / biometric model, and the biometric reference and possibly the comparison score in the above definition comprise components for each biometric modality. may contain multiple biometric modalities.
Note 3 2 : In the case of likelihood-ratios, calculation will involve comparisons determining the consistency Some one-to-one comparison algorithms, i.e. those using score normalization, cohort models or likelihood-ratios, may require comparisons of the reference probe biometric sample / biometric feature / biometric model set of one individual with the from one biometric data subject to biometric references of many individuals from multiple biometric data subjects. Nevertheless the comparison score generated refers to the similarity between a reference probe biometric sample / biometric feature / biometric model set of one individual biometric data subject and a biometric reference of one individual, biometric data subject; therefore the process is considered a one-to-one comparison.
Note 4: A comparison can still be considered one-to-one even if a universal background model or cohort models are used.
- one-way encryption n. 
ISO/IEC 2382-8:1998
irreversible encryption, irreversible encipherment, one-way encryption
Encryption that produces ciphertext from which the original data cannot be reproduced. Note: Irreversible encryption is useful in authentication. For example, a password might be irreversibly encrypted and the resulting ciphertext stored. A password presented later would be irreversibly encrypted identically and the two strings of ciphertext compared. If they are identical, the presented password is correct.
RFC 2828 (2000)
(I) Irreversible transformation of plaintext to ciphertext, such that the plaintext cannot be recovered from the ciphertext by other than exhaustive procedures even if the cryptographic key is known. (See: encryption.)
- one-way function n. 
RFC 2828 (2000)
(I) “A (mathematical) function, f, which is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult.” [X509]
(D) ISDs SHOULD NOT use this term as a synonym for cryptographic hash.
SC 27 SD 6 (2002)
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
A function with the property that it is easy to compute the output for a given input but it is computationally infeasible to find for a given output an input which maps to this output.
- one-way hash algorithm n. 
See: hash function.
- OpenID n.
SCA ISCTAG (2007)
A decentralized digital identity system, in which any user’s online identity is given by, for example, a URL (such as for a blog or a home page) and can be verified by any server running the protocol. Users are able to clearly control what pieces of information can be shared such as their name, address, or phone number.
- open security environment n. 
ISO/IEC 2382-8:1998
open-security environment
An environment in which protection of data and resources from accidental or malicious acts is achieved through normal operational procedures.
RFC 2828 (2000)
(O) U.S. Department of Defense usage: A system environment that meets at least one of the following conditions: (a) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control does not provide sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications. [NCS04] (See: closed security environment.)
- open-set identification n. 
iAfB-ICSA 1999
Identification, when it is possible that the individual is not enrolled in the biometric system.
out of set
In open-set identification, when the individual is not enrolled in the biometric system.
JTC 1/SC 37 (2006⇒2008)
open-set identification (biometric application)
Application that determines a possibly empty candidate list by collecting one or more biometric samples from an individual biometric capture subject and searching the biometric enrolment database for similar biometric references.
Note: Biometric references may be judged to be similar on the basis of comparison score.
- Open Systems Interconnection (OSI) Reference Model (OSIRM) n. 
RFC 2828 (2000)
(N) A joint ISO/ITU-T standard [I7498 Part 1] for a seven-layer, architectural communication framework for interconnection of computers in networks.
(C) OSI-based standards include communication protocols that are mostly incompatible with the Internet Protocol Suite, but also include security models, such as X.509, that are used in the Internet.
(C) The OSIRM layers, from highest to lowest, are:
  • (7) Application,
  • (6) Presentation,
  • (5) Session,
  • (4) Transport,
  • (3) Network,
  • (2) Data Link, and
  • (1) Physical.
In this Glossary, these layers are referred to by number to avoid confusing them with Internet Protocol Suite layers, which are referred to by name.
(C) Some unknown person described how the OSI layers correspond to the seven deadly sins:
  • 7. Wrath: Application is always angry at the mess it sees below itself. (Hey! Who is it to be pointing fingers?)
  • 6. Sloth: Presentation is too lazy to do anything productive by itself.
  • 5. Lust: Session is always craving and demanding what truly belongs to Application’s functionality.
  • 4. Avarice: Transport wants all of the end-to-end functionality. (Of course, it deserves it, but life isn't fair.)
  • 3. Gluttony: (Connection-Oriented) Network is overweight and overbearing after trying too often to eat Transport’s lunch.
  • 2. Envy: Poor Data Link is always starved for attention. (With Asynchronous Transfer Mode, maybe now it is feeling less neglected.)
  • 1. Pride: Physical has managed to avoid much of the controversy, and nearly all of the embarrassment, suffered by the others.
(C) John G. Fletcher described how the OSI layers also correspond to Snow White’s dwarf friends:
  • 7. Doc: Application acts as if it is in charge, but sometimes muddles its syntax.
  • 6. Sleepy: Presentation is indolent, being guilty of the sin of Sloth.
  • 5. Dopey: Session is confused because its charter is not very clear.
  • 4. Grumpy: Transport is irritated because Network has encroached on Transport’s turf.
  • 3. Happy: Network smiles for the same reason that Transport is irritated.
  • 2. Sneezy: Data Link makes loud noises in the hope of attracting attention.
  • 1. Bashful: Physical quietly does its work, unnoticed by the others.
- operational controls n. 
NIST IR 7298 (2006)
SP 800-53; FIPS 200
The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
- operational integrity n. 
RFC 2828 (2000)
(I) A synonym for system integrity; emphasizes the actual performance of system functions rather than just the ability to perform them.
- operational range n.
SCA ISCTAG (2007)
The maximum distance between a contactless smart card reader and a contactless smart card.
- operational testing n. 
BEM 2002
Testing a biometric system to measure its statistical properties (e.g. FAR and FRR) in a specified operational environment, with a specific target population. (Compare scenario testing; technology testing.)
- operations security (OPSEC) n. 
RFC 2828 (2000)
(I) A process to identify, control, and protect evidence of the planning and execution of sensitive activities and operations, and thereby prevent potential adversaries from gaining knowledge of capabilities and intentions.
- OPSEC n. 
See: operations security.
- optional topography n. 
NIST IR 7298 (2006)
FIPS 201
A personal identity verification (PIV) card having both the standard topography (mandatory topography) features and the optional features as defined in FIPS 201 sections 4.1.4.3 and 4.1.4.4.
Clearly optional topography isn’t a PIV card per se, but a characteristic of such a card as described.
Also referred to in FIPS PUB 201 as enhanced topography.
- optical adj. 
iAfB-ICSA 1999
A finger image capture technique that uses a light source, a prism and a platen to capture finger images.
- ORA n. 
See: organizational registration authority.
- Orange Book n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term as a synonym for Trusted Computer System Evaluation Criteria [CSC001, DOD1]. Instead, use the full, proper name of the document or, in subsequent references, the abbreviation TCSEC. (See: (usage note under) Green Book.)
- order of an element in a finite commutative group n.
SC 27 SD 6 (2002)
ISO/IEC 14888-3: 1998
If $a^0 = e$, and $a^{n+1} = a * a^n$ (for $n \geq 0$), is defined recursively, the order of $a \in J$ is the least positive integer $n$ such that $a^n = e$.
- organizational security policy n. 
See: security policy.
- organizational certificate n. 
RFC 2828 (2000)
(O) MISSI usage: A type of MISSI X.509 public-key certificate that is issued to support organizational message handling for the U.S. Government’s Defense Message System.
- organizational registration authority (ORA) n. 
RFC 2828 (2000)
(I) general usage: An RA for an organization.
(O) MISSI usage: The MISSI implementation of RA. A MISSI end entity that (a) assists a PCA, CA, or SCA to register other end entities, by gathering, verifying, and entering data and forwarding it to the signing authority and (b) may also assist with card management functions. An ORA is a local administrative authority, and the term refers both to the office or role, and to the person who fills that office. An ORA does not sign certificates, CRLs, or CKLs. (See: no-PIN ORA, SSO-PIN ORA, user-PIN ORA.)
- origin authentication n., - origin authenticity n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use these terms because they look like careless use of an internationally standardized term. Instead, use data origin authentication or peer entity authentication, depending which is meant.
- original equipment manufacturer (OEM) n. 
iAfB-ICSA 1999
A biometric organisation (manufacturer) which assembles a complete biometric system from parts.
Clearly, this definition is specific to biometric systems!
- original equipment module (OEM) n. 
iAfB-ICSA 1999
A biometric module for integration into a complete biometric system.
Clearly, this definition is specific to biometric systems!
- originator n.
SC 27 SD 6 (2002)
ISO/IEC WD 13888-1 (11/2001)
The entity that sends a message to the recipient or makes available a message for which non-repudiation services are to be provided.
- OSI n., - OSIRM n. 
See: Open Systems Interconnection Reference Model.
- OTP n. 
See: one-time password, One-Time Password.
- out of band n. 
RFC 2828 (2000)
(I) Transfer of information using a channel that is outside (i.e., separate from) the channel that is normally used. (See: covert channel.)
(C) Out-of-band mechanisms are often used to distribute shared secrets (e.g., a symmetric key) or other sensitive information items (e.g., a root key) that are needed to initialize or otherwise enable the operation of cryptography or other security mechanisms. (See: key distribution.)
- out of set n. 
See: (secondary definition under) open-set identification.
- output feedback (OFB) n. 
RFC 2828 (2000)
(N) A block cipher mode [FP081] that modifies electronic codebook mode to operate on plaintext segments of variable length less than or equal to the block length.
(C) This mode operates by directly using the algorithm’s previously generated output block as the algorithm’s next input block (i.e., by feeding back the output block) and combining (exclusive OR-ing) the output block with the next plaintext segment (of block length or less) to form the next ciphertext segment.
- output transformation n.
SC 27 SD 6 (2002)
ISO/IEC 9797-1: 1999
A function that is applied at the end of the MAC algorithm, before the truncation operation.
ISO/IEC 10118-1: 2000
A transformation or mapping of the output of the iteration stage to obtain the hash-code.
- outside attack n., - outsider attack n. 
See: (secondary definition under) attack.
- outside threat n. 
NIST IR 7298 (2006)
SP 800-32
An unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service.
The original sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both the GNU Free Documentation License and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
URL http://homepage.mac.com/antallan/gisto.html History Last updated Wednesday 10 December 2008
