GIST v0.7 ― P
“P1363” to “push”

P

- P1363 n. 
See: IEEE P1363.
- PAA n. 
See: policy approving authority.
- package n.
SC 27 SD 6 (2002)
ISO/IEC 15292: 2001
A reusable set of either functional or assurance components combined together to satisfy a set of identified security objectives.
ISO/IEC 15408-1: 1999
A reusable set of either functional or assurance components (e.g. an EAL), combined together to satisfy a set of identified security objectives.
- packet filter n. 
See: (secondary definition under) filtering router.
- packet sniffer n. 
NIST IR 7298 (2006)
SP 800-61
Software that observes and records network traffic.
- padding n.
SC 27 SD 6 (2002)
ISO/IEC FDIS 9797-2 (09/2000), ISO/IEC 10118-1: 2000
Appending extra bits to a data string.
- padlocking n. 
ISO/IEC 2382-8:1998
The use of special techniques to protect data or software against unauthorized copying.
- pagejacking n. 
RFC 2828 (2000)
(I) A contraction of Web page hijacking. A masquerade attack in which the attacker copies (steals) a home page or other material from the target server, rehosts the page on a server the attacker controls, and causes the rehosted page to be indexed by the major Web search services, thereby diverting browsers from the target server to the attacker’s server.
(D) ISDs SHOULD NOT use this term without including a definition, because the term is not listed in most dictionaries and could confuse international readers. (See: (usage note under) Green Book.)
- PAIIWG n.
See: Physical Access Interagency Interoperability Working Group.
- PAN n. 
See: primary account number.
- PAP n. 
See: Password Authentication Protocol (PPP); policy administration point (XACML).
- parent organization n. 
NIST IR 7298 (2006)
FIPS 201
The organization that is applying for the personal identity verification card on behalf of an applicant. Typically this is an organization for whom the applicant is working.
- partial identity n.
modonisIDM (2005)
Definition: A partial identity is a certain subset of one or more attributes that does not necessarily uniquely identify the entity.
While an entity has only one identity, it may have many partial identities. Partial identities are often simply referred to as “identities”, which may lead to confusion when they refer to a single entity. For this reason, the term “partial identity” should be preferred.
- partitioned security mode n. 
RFC 2828 (2000)
(N) A mode of operation of an information system, wherein all users have the clearance, but not necessarily formal access authorization and need-to-know, for all information handled by the system. This mode is defined in U.S. Department of Defense policy regarding system accreditation. [DoD2]
- party n. 
OASIS SAML 2.0 (2005)
Informally, one or more principals participating in some process or communication, such as receiving an assertion or accessing a resource.
- passive attack n. 
See: (secondary definition under) attack.
- passive impostor acceptance n. 
iAfB-ICSA 1999
When an impostor submits his/her own biometric sample and claiming the identity of another person (either intentionally or inadvertently) he/she is incorrectly identified or verified by a biometric system. Compare with active impostor acceptance.
Along the same lines as active impostor acceptance, this definition might be better worded…
The instance of a biometric system incorrectly accepting an impostor as an enrollee when the impostor submits his or her own biometric characteristic (whether intentionally attempting to relate it to another person who is an enrollee or inadvertently).
- passive threat n. 
See: (secondary definition under) threat.
- passive wiretapping n. 
See: (secondary definition under) wiretapping.
- password n. 
ISO/IEC 2382-8:1998
A character string that is used as authentication information.
RFC 2828 (2000)
(I) A secret data value, usually a character string, that is used as authentication information. (See: challenge-response.)
(C) A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases the identity may be implicit.
(C) Using a password as authentication information assumes that the password is known only by the system entity whose identity is being authenticated. Therefore, in a network environment where wiretapping is possible, simple authentication that relies on transmission of static (i.e., repetitively used) passwords as cleartext is inadequate. (See: one-time password, strong authentication.)
NIST IR 7298 (2006)
FIPS 181
A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.
FIPS 140-2
A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
SCA ISCTAG (2007)
A form of secret authentication data that is used to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly. Typically referred to as “something you know” for single-factor authentication.
IAEG LIAF (2008)
A shared secret character string used in authentication protocols. In many cases the claimant is expected to memorize the password.
NIST SP 800-63-1 DRAFT (2008)
A secret that a claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings.
- Password Authentication Protocol (PAP) n. 
RFC 2828 (2000)
(I) A simple authentication mechanism in PPP. In PAP, a user identifier and password are transmitted in cleartext. [R1334] (See: CHAP.)
- password-protected adj. 
NIST IR 7298 (2006)
SP 800-72
The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.
This ability should be called something like password protection; password-protected is an adjective describing such a file.
- password sniffing n. 
RFC 2828 (2000)
(I) Passive wiretapping, usually on a local area network, to gain knowledge of passwords. (See: (usage note under) sniffing.)
- path discovery n. 
RFC 2828 (2000)
(I) For a digital certificate, the process of finding a set of public-key certificates that comprise a certification path from a trusted key to that specific certificate.
- path history n. 
NIST IR 7298 (2006)
SP 800-19
path histories
Maintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply.
Path history should refer to the authenticatable record itself rather than the act or process of maintaining it!
- path validation n. 
RFC 2828 (2000)
(I) The process of validating (a) all of the digital certificates in a certification path and (b) the required relationships between those certificates, thus validating the contents of the last certificate on the path. (See: certificate validation.)
- payload n. 
NIST IR 7298 (2006)
SP 800-38C
The input data to the CCM generation-encryption process that is both authenticated and encrypted.
- payment card n. 
RFC 2828 (2000)
(N) SET usage: Collectively refers “to credit cards, debit cards, charge cards, and bank cards issued by a financial institution and which reflects a relationship between the cardholder and the financial institution.” [SET2]
- payment gateway n. 
RFC 2828 (2000)
(O) SET usage: A system operated by an acquirer, or a third party designated by an acquirer, for the purpose of providing electronic commerce services to the merchants in support of the acquirer, and which interfaces to the acquirer to support the authorization, capture, and processing of merchant payment messages, including payment instructions from cardholders. [SET1, SET2]
- payment gateway certification authority (SET PCA)
RFC 2828 (2000)
(O) SET usage: A CA that issues digital certificates to payment gateways and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. A SET PCA issues a CRL for compromised payment gateway certificates. [SET2] (See: PCA.)
- PC card n. 
RFC 2828 (2000)
(N) A type of credit card-sized, plug-in peripheral device that was originally developed to provide memory expansion for portable computers, but is also used for other kinds of functional expansion. (See: FORTEZZA, PCMCIA.)
(C) The international PC Card Standard defines a non-proprietary form factor in three standard sizes – Types I, II and III – each of which have a 68-pin interface between the card and the socket into which it plugs. All three types have the same length and width, roughly the size of a credit card, but differ in their thickness from 3.3 to 10.5 mm. Examples include storage modules, modems, device interface adapters, and cryptographic modules.
- PC/SC n.
See: Personal Computer/Smart Card.
- PC/SC Lite n.
See: Personal Computer/Smart Card Lite.
- PCA n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this acronym without a qualifying adjective because that would be ambiguous. (See: Internet policy certification authority, (MISSI) policy creation authority, (SET) payment gateway certification authority.)
- PCMCIA n. 
RFC 2828 (2000)
(N) Personal Computer Memory Card International Association, a group of manufacturers, developers, and vendors, founded in 1989 to standardize plug-in peripheral memory cards for personal computers and now extended to deal with any technology that works in the PC card form factor. (See: PC card.)
- PDP n. 
See: policy decision point.
- peer entity authentication n. 
RFC 2828 (2000)
(I) “The corroboration that a peer entity in an association is the one claimed.” [I7498 Part 2] (See: authentication.)
- peer entity authentication service n. 
RFC 2828 (2000)
(I) A security service that verifies an identity claimed by or for a system entity in an association. (See: authentication, authentication service.)
(C) This service is used at the establishment of, or at times during, an association to confirm the identity of one entity to another, thus protecting against a masquerade by the first entity. However, unlike data origin authentication service, this service requires an association to exist between the two entities, and the corroboration provided by the service is valid only at the current time that the service is provided.
(C) See: relationship between data integrity service and authentication services under data integrity service.
- PEM n. 
See: Privacy Enhanced Mail.
- penetration n. 
ISO/IEC 2382-8:1998
Unauthorized access to a data processing system.
RFC 2828 (2000)
(I) Successful, repeatable, unauthorized access to a protected system resource. (See: attack, violation.)
- penetration test n. 
ISO/IEC 2382-8:1998
penetration testing
Examining the functions of a data processing system to find a means of circumventing computer security.
RFC 2828 (2000)
(I) A system test, often part of system certification, in which evaluators attempt to circumvent the security features of the system. [NCS04]
(C) Penetration testing may be performed under various constraints and conditions. However, for a TCSEC evaluation, testers are assumed to have all system design and implementation documentation, including source code, manuals, and circuit diagrams, and to work under no greater constraints than those applied to ordinary users.
- PEP n. 
See: policy enforcement point.
- perfect forward secrecy n. 
See: (discussion under) public-key forward secrecy.
- performance criteria n. 
iAfB-ICSA 1999
Pre-determined criteria established to evaluate the performance of the biometric system under test.
Clearly, this definition is specific to biometric systems!
- perimeter n. 
See: security perimeter.
- periods processing n. 
RFC 2828 (2000)
(I) A mode of system operation in which information of different sensitivities is processed at distinctly different times by the same system, with the system being properly purged or sanitized between periods. (See: color change.)
- permission n. 
UNIX2:1997
See file access permissions.
RFC 2828 (2000)
(I) A synonym for authorization, but authorization is preferred in the PKI context. (See: privilege.)
modonisIDM (2005)
Definition: Permission describes the privileges granted to an authenticated entity with respect to low-level operations that may be performed on some resource (e.g., read, write, delete, execute, create…).
Permissions are also referred to as “access rights”.
- persistent pseudonym n. 
OASIS SAML 2.0 (2005)
A privacy-preserving name identifier assigned by a provider to identify a principal to a given relying party for an extended period of time that spans multiple sessions; can be used to represent an identity federation.
- person n.
JTC 1/SC 37 (2008)
Person
An entity, i.e. natural or legal person, recognized by law as having legal rights and duties, able to make commitment(s), assume and fulfill resulting obligation(s), and able of being held legally accountable for its action(s).
Note 1: Synonyms for legal person include artificial person, body corporate, etc. depending on the terminology used in the competent jurisdictional domain.
Note 2: Person is capitalized to indicate that it is being used as formally defined in the standards and to differentiate it from day-to-day use.
Note 3: Minimum and common external constraints applicable to a business transaction often require one to differentiate among three common subtypes of Person, namely, individual, organization and public administration.
Note 4: Definition and notes (1-3) source: [ISO/IEC 15944-1:2002 (3.47)]. See 15944-1:2002 for additional definitions of entity and commitment.
- persona n.
modonisIDM (2005)
Definition: A persona is a pre-existing digital identity that an entity can select and use to represent itself in a given context.
A persona is something put forward by an entity, but how it is perceived, recognized, accepted, rejected, trusted, used, etc. by another entity cannot be specified or in any way implied. It is often used when the set of credentials of the entity represents a role or has a virtual character animated by the entity.
- Personal Computer/Smart Card (PC/SC) n.
SCA ISCTAG (2007)
The PC/SC specification defines how to integrate smart card readers and smart cards with the computing environment and how to allow multiple applications to share smart card devices.
- Personal Computer/Smart Card Lite (PCSC Lite) n.
SCA ISCTAG (2007)
PCSC Lite is open source software that implements the PC/SC specification for Linux.
- personal identification number (PIN) n. 
iAfB-ICSA 1999
A security method whereby a (usually) four-digit number is entered by an individual to gain access to a particular system or area.
RFC 2828 (2000)
(I) A character string used as a password to gain access to a system resource. (See: authentication information.)
(C) Despite the words identification and number, a PIN seldom serves as a user identifier, and a PIN’s characters are not necessarily all numeric. A better name for this concept would have been personal authentication system string (PASS).
(C) Retail banking applications commonly use 4-digit PINs. FORTEZZA PC cards use up to 12 characters for user or SSO PINs.
NIST IR 7298 (2006)
FIPS 201
A secret that a claimant memorizes and uses to authenticate his or her identity. PINS are generally only decimal digits.
FIPS 140-2
An alphanumeric code or password used to authenticate an identity.
SCA ISCTAG (2007)
personal identification number (PIN)
A secret that an individual memorizes and uses to authenticate his or her identity or to unlock certain information stored on an ID card (e.g., the biometric information). PINs are generally only decimal digits.
PIN
A numeric code that is associated with an ID card and that adds a second factor of authentication to the identity verification process.
Yes, SCA ISCTAG (2007) really does provide two different definitions under these separate headings!
NIST SP 800-63-1 DRAFT (2008)
A password consisting only of decimal digits.
PIN number is ugly and redundant and SHOULD NOT be used.
- personal identity verification (PIV) n. 
A formal term for user authentication used in the context of Homeland Security Presidential Directive 12 (HSPD 12) and FIPS PUB 201.
- personal identity verification authorizing official n. 
NIST IR 7298 (2006)
FIPS 201
An individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.
- personal identity verification card (PIV card) n. 
NIST IR 7298 (2006)
FIPS 201
Physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).
SCA ISCTAG (2007)
The physical artifact (e.g., identity card, smart card) issued to an individual that contains printed and stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).
- personal identity verification issuance authority n. 
NIST IR 7298 (2006)
FIPS 201
An authorized identity card creator that procures FIPS approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the card with the identity credentials of the authorized subject, and delivers the personalized card to the authorized subject along with appropriate instructions for protection and use.
- personal identity verification registration authority (PIV RA) n. 
NIST IR 7298 (2006)
FIPS 201
An entity that establishes and vouches for the identity of an applicant to a PIV issuing authority. The PIV RA authenticates the applicant’s identity by checking identity source documents and identity proofing and ensures a proper background check has been completed before the credential is issued.
- personal identity verification requesting official n. 
NIST IR 7298 (2006)
FIPS 201
An individual who can act on behalf of an agency to request a credential for an applicant.
- personally identifiable information (PII) n.
modonisIDM (2005)
Definition: Personally identifiable information is any data that identifies or refers to a particular natural or legal person.
SCA ISCTAG (2007)
In information security and privacy, any piece of information which can potentially be used to uniquely identify, locate, or contact a person or steal the identity of a person.
This is the most common expansion of PII; less common, but perhaps more grammatical and meaningful, expansions include: personal identification information, personal identifying information, personal identity information, personally identifying information.
See: USA Services Intergovernmental Newsletter: Protecting Personally Identifiable Information [PDF], INFORMATION SECURITY: Protecting Personally Identifiable Information [PDF].
- personal security environment (PSE) n.
SC 27 SD 6 (2002)
ISO/IEC 15945: 2002
Secure local storage for an entity’s private key, the directly trusted CA key and possibly other data. Depending on the security policy of the entity or the system requirements this may be e.g. a cryptographically protected file or a tamper resistant hardware token.
- personality n., - personality label n. 
RFC 2828 (2000)
(O) MISSI usage: A set of MISSI X.509 public-key certificates that have the same subject DN, together with their associated private keys and usage specifications, that is stored on a FORTEZZA PC card to support a role played by the card’s user.
(C) When a card’s user selects a personality to use in a FORTEZZA-aware application, the data determines behavior traits (the personality) of the application. A card’s user may have multiple personalities on the card. Each has a personality label, a user-friendly character string that applications can display to the user for selecting or changing the personality to be used. For example, a military user’s card might contain three personalities: GENERAL HALFTRACK, COMMANDER FORT SWAMPY, and NEW YEAR’s EVE PARTY CHAIRMAN. Each personality includes one or more certificates of different types (such as DSA versus RSA), for different purposes (such as digital signature versus encryption), or with different authorizations.
- personalization service n.
SC 27 SD 6 (2002)
ISO/IEC 15945: 2002
The service of storing cryptographic information (especially private keys) to a PSE. Note: The organizational and physical security measures for a service like this are not in the scope of this document. For organizational measures refer to ITU-T Rec. X.842 | ISO/IEC TR 14516 Guidelines for the use and management of Trusted Third Parties.
- personnel security n. 
RFC 2828 (2000)
(I) Procedures to ensure that persons who access a system have proper clearance, authorization, and need-to-know as required by the system’s security policy.
- PGP™ n. 
See: Pretty Good Privacy.
- pharming n.
SCA ISCTAG (2007)
A cyber attack that directs people to a fraudulent website by poisoning the domain name system server.
NIST SP 800-63-1 DRAFT (2008)
An attack in which an attacker corrupts an infrastructure service such as DNS (Domain Name Service) causing the subscriber to be misdirected to a forged verifier/relying party, and revealing sensitive information, downloading harmful software or contributing to a fraudulent act.
- phishing n. 
NIST IR 7298 (2006)
SP 800-83
Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.
SCA ISCTAG (2007)
A cyber attack that directs people to a fraudulent website to collect personal information for identity theft.
NIST SP 800-63-1 DRAFT (2008)
An attack in which the subscriber is lured (usually through an email) to interact with a counterfeit verifier, and tricked into revealing information that can be used to masquerade as that subscriber to the real verifier.
- Photuris n. 
RFC 2828 (2000)
(I) A UDP-based, key establishment protocol for session keys, designed for use with the IPsec protocols AH and ESP. Superseded by IKE.
- phreaking n. 
RFC 2828 (2000)
(I) A contraction of telephone breaking. An attack on or penetration of a telephone system or, by extension, any other communication or information system. [Raym]
(D) ISDs SHOULD NOT use this term because it is not listed in most dictionaries and could confuse international readers.
- physical access n.
SCA ISCTAG (2007)
Access to facilities (e.g., buildings, rooms, airports, warehouses).
Compare: logical access.
- physical access control n. 
ISO/IEC 2382-8:1998
The use of physical mechanisms to provide access control. Example: Keeping a computer in a locked room.
SCA ISCTAG (2007)
A system composed of hardware and software components that controls access to physical facilities (e.g., buildings, rooms, airports, warehouses).
Compare: logical access control.
Note that the meaning of access control has forked; it can mean either of —
  1. The physical elements of access control, i.e., the control of access to information systems, etc. (which is the sense in the ISO/IEC definition above).
  2. (Automated) control of access to physical resources, typically buildings (which is the sense used in physical access control system).
However, note that these two senses can overlap!
- physical access control system (PACS) n. 
ISO/IEC 2382-8:1998
controlled access system
A means of automating physical security.
Examples: The use of magnetic striped badges, smart cards, biometric readers.
Note: The term physical access control system is now far more common than controlled access system. See: (discussion under) physical access control.
“A physical access control system (PACS) solution integrates software components with various hardware systems, and may have extensible features that integrate other physical plant and security devices such as cameras. The key components in a PACS solution support the ability to associate an access point with a card, which is associated with a specific individual, and may incorporate temporal controls such as time periods where access may be approved or restricted.” — Interagency Advisory Board (IAB) Draft SP 800-73 Version 1.2 (21 January 2005)
- Physical Access Interagency Interoperability Working Group (PAIIWG) n.
A workgroup of the Government Smart Card Interagency Advisory Board (IAB).
- physical biometric characteristic n. 
See: (secondary definition under) biometric characteristic.
- physical security n. 
RFC 2828 (2000)
(I) Tangible means of preventing unauthorized physical access to a system. E.g., fences, walls, and other barriers; locks, safes, and vaults; dogs and armed guards; sensors and alarm bells. [FP031, R1455]
See also: physical access control.
- physically isolated network n. 
NIST IR 7298 (2006)
SP 800-32
A network that is not connected to entities or systems outside a physically controlled space.
- physiological biometric characteristic n. 
See: (secondary definition under) biometric characteristic.
- piggyback attack n. 
ISO/IEC 2382-8:1998
piggyback entry
Unauthorized access to a data processing system via an authorized user’s legitimate connection.
RFC 2828 (2000)
(I) A form of active wiretapping in which the attacker gains access to a system via intervals of inactivity in another user’s legitimate communication connection. Sometimes called a between-the-lines attack. (See: hijack attack, man-in-the-middle attack.)
- PII n. 
See: personally identifiable information.
- PIN n. 
See: personal identification number.
- ping of death n. 
RFC 2828 (2000)
(I) An attack that sends an improperly large ICMP [R0792] echo request packet (a ping) with the intent of overflowing the input buffers of the destination machine and causing it to crash.
- ping sweep n. 
RFC 2828 (2000)
(I) An attack that sends ICMP [R0792] echo requests (pings) to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.
- PIP n. 
See: policy information point.
- PIV n. 
See: personal identity verification.
- PKCS n. 
See: Public-Key Cryptography Standards.
- PKCS #7 n. 
RFC 2828 (2000)
(N) A standard [PKC07, R2315] from the PKCS series; defines a syntax for data that may have cryptography applied to it, such as for digital signatures and digital envelopes.
- PKCS #10 n. 
RFC 2828 (2000)
(N) A standard [PKC10] from the PKCS series; defines a syntax for requests for public-key certificates. (See: certification request.)
(C) A PKCS #10 request contains a DN and a public key, and may contain other attributes, and is signed by the entity making the request. The request is sent to a CA, who converts it to an X.509 public-key certificate (or some other form) and returns it, possibly in PKCS #7 format.
- PKCS #11 n. 
RFC 2828 (2000)
(N) A standard [PKC11] from the PKCS series; defines a software CAPI called Cryptoki (pronounced crypto-key; short for cryptographic token interface) for devices that hold cryptographic information and perform cryptographic functions.
SCA ISCTAG (2007)
Public Key Cryptography Standard #11. This standard defines the interface for cryptography operations with hardware tokens.
- PKI n. 
See: public-key infrastructure.
- PKIX n. 
RFC 2828 (2000)
(I) 1. A contraction of Public-Key Infrastructure (X.509), the name of the IETF working group that is specifying an architecture and set of protocols needed to support an X.509-based PKI for the Internet. 2. A collective name for that architecture and set of protocols.
(C) The goal of PKIX is to facilitate the use of X.509 public-key certificates in multiple Internet applications and to promote interoperability between different implementations that use those certificates. The resulting PKI is intended to provide a framework that supports a range of trust and hierarchy environments and a range of usage environments. PKIX specifies (a) profiles of the v3 X.509 public-key certificate standards and the v2 X.509 CRL standards for the Internet; (b) operational protocols used by relying parties to obtain information such as certificates or certificate status; (c) management protocols used by system entities to exchange information needed for proper management of the PKI; and (d) information about certificate policies and CPSs, covering the areas of PKI security not directly addressed in the rest of PKIX.
- PKIX private extension n. 
RFC 2828 (2000)
(I) PKIX defines a private extension to identify an on-line verification service supporting the issuing CA.
- plaintext n. 
ISO/IEC 2382-8:1998
A synonym for cleartext.
RFC 2828 (2000)
(I) Data that is input to and transformed by an encryption process, or that is output by a decryption process.
(C) Usually, the plaintext input to an encryption operation is cleartext. But in some cases, the input is ciphertext that was output from another encryption operation. (See: superencryption.)
SC 27 SD 6 (2002)
ISO 8372: 1987, ISO/IEC 9797-1: 1999, ISO/IEC 9798-1: 1997, ISO/IEC CD 10116 (12/2001), ISO/IEC WD 18033-1 (12/2001)
Unenciphered information.
NIST IR 7298 (2006)
FIPS 197
Data input to the cipher or output from the inverse cipher.
SP 800-21 [2ndEd]
Intelligible data that has meaning and can be understood without the application of decryption.
- plaintext key n. 
NIST IR 7298 (2006)
FIPS 140-2
An unencrypted cryptographic key.
- plan of action and milestones (POA&M) n. 
NIST IR 7298 (2006)
SP 800-53; OMB Memorandum 02-01
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
- platen n. 
iAfB-ICSA 1999
The surface on which a finger is placed during optical finger image capture.
- point-to-point key establishment n.
SC 27 SD 6 (2002)
ISO/IEC 11770-2: 1996
The direct establishment of keys between entities, without involving a third party.
- Point-to-Point Protocol (PPP) n. 
RFC 2828 (2000)
(I) An Internet Standard protocol [R1661] for encapsulation and full-duplex transportation of network layer (mainly OSI layer 3) protocol data packets over a link between two peers, and for multiplexing different network layer protocols over the same link. Includes optional negotiation to select and use a peer entity authentication protocol to authenticate the peers to each other before they exchange network layer data. (See: CHAP, EAP, PAP.)
- Point-to-Point Tunneling Protocol (PPTP) n. 
RFC 2828 (2000)
(I) An Internet client-server protocol (originally developed by Ascend and Microsoft) that enables a dial-up user to create a virtual extension of the dial-up link across a network by tunneling PPP over IP. (See: L2TP.)
(C) PPP can encapsulate any Internet Protocol Suite network layer protocol (or OSI layer 3 protocol). Therefore, PPTP does not specify security services; it depends on protocols above and below it to provide any needed security. PPTP makes it possible to divorce the location of the initial dial-up server (i.e., the PPTP Access Concentrator, the client, which runs on a special-purpose host) from the location at which the dial-up protocol (PPP) connection is terminated and access to the network is provided (i.e., the PPTP Network Server, which runs on a general-purpose host).
- policy n. 
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this word as an abbreviation for either security policy or certificate policy. Instead, to avoid misunderstanding, use the fully qualified term, at least at the point of first usage.
OASIS XACML 2.0 (2005)
A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set.
NIST IR 7298 (2006)
SP 800-26
A document that delineates the security management structure and clearly assigns security responsibilities and lays the foundation necessary to reliably measure progress and compliance.
Also see security policy.
JTC 1/SC 37 (2008)
Course or principle of action adopted or proposed by an organisation or individual.
Note: Definition source: Oxford dictionary.
- policy administration n. 
Creation and modification of a policy or policy set.
(Back formation from the following XACML definition.)
- policy administration point (PAP) n. 
OASIS XACML 2.0 (2005)
The system entity that creates a policy or policy set.
- policy approving authority (PAA) n. 
RFC 2828 (2000)
(O) MISSI usage: The top-level signing authority of a MISSI certification hierarchy. The term refers both to that authoritative office or role and to the person who plays that role. (See: root registry.)
(C) A PAA registers MISSI PCAs and signs their X.509 public-key certificates. A PAA issues CRLs but does not issue a CKL. A PAA may issue cross-certificates to other PAAs.
- policy certification authority (Internet PCA) n. 
RFC 2828 (2000)
(I) An X.509-compliant CA at the second level of the Internet certification hierarchy, under the Internet Policy Registration Authority (IPRA). Each PCA operates in accordance with its published security policy (see: certification practice statement) and within constraints established by the IPRA for all PCAs. [R1422]. (See: policy creation authority.)
- policy-combining algorithm n. 
OASIS XACML 2.0 (2005)
The procedure for combining the decision and obligations from multiple policies.
- policy creation authority (MISSI PCA) n. 
RFC 2828 (2000)
(O) MISSI usage: The second level of a MISSI certification hierarchy; the administrative root of a security policy domain of MISSI users and other, subsidiary authorities. The term refers both to that authoritative office or role and to the person who fills that office. (See: policy certification authority.)
(C) A MISSI PCA’s certificate is issued by a policy approving authority. The PCA registers the CAs in its domain, defines their configurations, and issues their X.509 public-key certificates. (The PCA may also issue certificates for SCAs, ORAs, and other end entities, but a PCA does not usually do this.) The PCA periodically issues CRLs and CKLs for its domain.
- policy decision point (PDP) n. 
OASIS XACML 2.0 (2005)
The system entity that evaluates applicable policy and renders an authorization decision. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in RFC 3198 Terminology for Policy-Based Management (November 2001). This term corresponds to access decision function (ADF) in ISO/IEC 10181-3:1996 Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
OASIS SAML 2.0 (2005)
A system entity that makes authorization decisions for itself or for other system entities that request such decisions. [PolicyTerm] For example, a SAML PDP consumes authorization decision requests, and produces authorization decision assertions in response. A PDP is an “authorization decision authority”.
- policy enforcement point (PEP) n. 
OASIS XACML 2.0 (2005)
The system entity that performs access control, by making decision requests and enforcing authorization decisions. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in RFC 3198 Terminology for Policy-Based Management (November 2001). This term corresponds to access enforcement function (AEF) in ISO/IEC 10181-3:1996 Information technology – Open Systems Interconnection – Security frameworks for open systems: Access control framework.
OASIS SAML 2.0 (2005)
A system entity that requests and subsequently enforces authorization decisions. [PolicyTerm] For example, a SAML PEP sends authorization decision requests to a PDP, and consumes the authorization decision assertions sent in response.
- policy information point (PIP) n. 
OASIS XACML 2.0 (2005)
The system entity that acts as a source of attribute values.
- policy management authority (PMA) n. 
NIST IR 7298 (2006)
SP 800-32
Body established to oversee the creation and update of certificate policies, review certification practice statements, review the results of CA audits for policy compliance, evaluate non-domain policies for acceptance within the domain, and generally oversee and manage the PKI certificate policies. For the FBCA, the PMA is the Federal PKI Policy Authority.
- Policy Management Authority n. 
RFC 2828 (2000)
(N) Canadian usage: An organization responsible for PKI oversight and policy management in the Government of Canada.
- policy mapping n. 
RFC 2828 (2000)
(I) “Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.” [X509]
NIST IR 7298 (2006)
SP 800-15
Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.
- policy set n. 
OASIS XACML 2.0 (2005)
A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set.
- POP3 n. 
See: Post Office Protocol, version 3.
- POP3 APOP n. 
RFC 2828 (2000)
(I) A POP3 “command” (better described as a transaction type, or a protocol-within-a-protocol) by which a POP3 client optionally uses a keyed hash (based on MD5) to authenticate itself to a POP3 server and, depending on the server implementation, to protect against replay attacks. (See: CRAM, POP3 AUTH, IMAP4 AUTHENTICATE.)
(C) The server includes a unique timestamp in its greeting to the client. The subsequent APOP command sent by the client to the server contains the client’s name and the hash result of applying MD5 to a string formed from both the timestamp and a shared secret that is known only to the client and the server. APOP was designed to provide an alternative to using POP3’s USER and PASS (i.e., password) command pair, in which the client sends a cleartext password to the server.
- POP3 AUTH n. 
RFC 2828 (2000)
(I) A “command” [R1734] (better described as a transaction type, or a protocol-within-a-protocol) in POP3, by which a POP3 client optionally proposes a mechanism to a POP3 server to authenticate the client to the server and provide other security services. (See: POP3 APOP, IMAP4 AUTHENTICATE.)
(C) If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms used by POP3 AUTH are those used by IMAP4.
- population n. 
iAfB-ICSA 1999
The set of end-users for the application.
SCA ISCTAG (2007)
The set of users for an application.
- port n. 
NIST IR 7298 (2006)
FIPS 140-2
A physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).
- port scan n., - port scanning n. 
RFC 2828 (2000)
port scan
(I) An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.
NIST IR 7298 (2006)
SP 800-61
port scanning
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
- portal n. 
BEM 2002
The physical or logical point beyond which information or assets are protected by a biometric system.
- positive claim n. 
BEM 2002
A claim by a user to be enrolled in the biometric system. An explicit claim is often accompanied by a user identification, and may also be associated with a password or PIN. Compare: negative claim.
- positive identification n. 
JTC 1/SC 37 (2006⇒2008)
positive identification (deprecated)
Note 1: Use of this term is deprecated to avoid confusion between biometric verification and biometric identification.
Note 2: This term has been used in biometrics to mean biometric verification of a positive claim as to the source of a biometric reference template in the database.
Note 3: Preferred expression would be a positive identity claim.
- POSIX n. 
RFC 2828 (2000)
(N) Portable Operating System Interface for Computer Environments, a standard [FP151, IS9945-1] (originally IEEE Standard P1003.1) that defines an operating system interface and environment to support application portability at the source code level. It is intended to be used by both application developers and system implementers.
(C) P1003.1 supports security functionality like those on most UNIX systems, including discretionary access control and privilege. IEEE Draft Standard P1003.6.1 specifies additional functionality not provided in the base standard, including (a) discretionary access control, (b) audit trail mechanisms, (c) privilege mechanisms, (d) mandatory access control, and (e) information label mechanisms.
- possession and control of a token n.
NIST SP 800-63-1 DRAFT (2008)
The ability to activate and use the token in an authentication protocol.
- Post Office Protocol, version 3 (POP3) n. 
RFC 2828 (2000)
(I) An Internet Standard protocol [R1939] by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client. (See: IMAP4.)
(C) POP3 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: POP3 APOP, POP3 AUTH.)
- potential impact n. 
NIST IR 7298 (2006)
SP 800-53
The loss of confidentiality, integrity, or availability could be expected to have:
  1. a limited adverse effect (FIPS 199 low);
  2. a serious adverse effect (FIPS 199 moderate); or
  3. a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.
FIPS 200
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect; a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- PP n. 
See: Protection Profile.
- PPP n. 
See: Point-to-Point Protocol.
- PPTP n. 
See: Point-to-Point Tunneling Protocol.
- practice statement n. 
IAEG LIAF (2008)
A formal statement of the practices followed by an authentication entity (e.g., RA, CSP, or verifier) that typically defines the specific steps taken to register and verify identities, issue credentials and authenticate claimants.
NIST SP 800-63-1 DRAFT (2008)
A formal statement of the practices followed by an authentication entity (e.g., RA, CSP, or verifier) that typically defines the specific steps taken to register and verify identities, issue credentials and authenticate claimants.
- pre-authorization n. 
RFC 2828 (2000)
(I) A capability of a CAW that enables certification requests to be automatically validated against data provided in advance to the CA by an authorizing entity.
- precursor n. 
NIST IR 7298 (2006)
SP 800-61
A sign that an attacker may be preparing to cause an incident.
- pre-signature n.
SC 27 SD 6 (2002)
ISO/IEC 9796-3: 2000
A value computed in the signature process which is a function of the randomizer but is independent of the message.
ISO/IEC 14888-1: 1998, ISO/IEC WD 15946-4 (10/2001)
A value computed in the signature process which is a function of the randomizer but which is independent of the message.
- predicate n. 
OASIS XACML 2.0 (2005)
A statement about attributes whose truth can be evaluated.
- prefix free representation n.
SC 27 SD 6 (2002)
ISO/IEC FDIS 15946-3 (02/2001)
A representation of a data element for which concatenation with any other data does not produce a valid representation.
- presentation n.
JTC 1/SC 37 (2008) – 3.3.6
Interaction of the data capture subject and the biometric capture subsystem to obtain a signal from a biometric characteristic.
Note: The biometric capture subject may not be aware that a signal from a biometric characteristic is being captured.
??? Should data capture subject be biometric capture subject? ???
- Pretty Good Privacy™ (PGP™) n. 
RFC 2828 (2000)
(O) Trademarks of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet. (See: MOSS, PEM, S/MIME.)
(C) PGP encrypts messages with IDEA in CFB mode, distributes the IDEA keys by encrypting them with RSA, and creates digital signatures on messages with MD5 and RSA. To establish ownership of public keys, PGP depends on the web of trust. (See: Privacy Enhanced Mail.)
- primary account number (PAN) n. 
RFC 2828 (2000)
(O) SET usage: “The assigned number that identifies the card issuer and cardholder. This account number is composed of an issuer identification number, an individual account number identification, and an accompanying check digit as defined by ISO 7812-1985.” [SET2, IS7812] (See: bank identification number.)
(C) The PAN is embossed, encoded, or both on a magnetic-strip-based credit card. The PAN identifies the issuer to which a transaction is to be routed and the account to which it is to be applied unless specific instructions indicate otherwise. The authority that assigns the bank identification number part of the PAN is the American Bankers Association.
- principal n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
An entity whose identity can be authenticated.
OASIS SAML 2.0 (2005)
A system entity whose identity can be authenticated. [X.811]
modonisIDM (2005)
principal – 4.32
Definition: A principal is synonymous with an identifiable entity.
identifiable entity – 4.17
Definition: An identifiable entity is an entity whose identity can be established.
NIST IR 7298 (2006)
FIPS 196
An entity whose identity can be authenticated.
- principal certification authority n. 
NIST IR 7298 (2006)
SP 800-32
The principal certification authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple principal CAs to interoperate with the FBCA.
- principal identity n.
OASIS SAML 2.0 (2005)
A representation of a principal’s identity, typically an identifier.
This definition seems to ignore the distinction between identifier and identity; see annotation under identity.
- privacy n. 
ISO/IEC 2382-8:1998
Freedom from intrusion into the private life or affairs of an individual, when that intrusion results from undue or illegal gathering and use of data about that individual.
RFC 2828 (2000)
(I) The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others. (See: anonymous.)
(O) “The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.” [I7498 Part 2]
(D) ISDs SHOULD NOT use this term as a synonym for data confidentiality or data confidentiality service, which are different concepts. Privacy is a reason for security rather than a kind of security. For example, a system that stores personal data needs to protect the data to prevent harm, embarrassment, inconvenience, or unfairness to any person about whom data is maintained, and to protect the person’s privacy. For that reason, the system may need to provide data confidentiality service.
modonisIDM (2005)
Definition: Privacy is the right of an entity – in this context usually a natural person – to decide for itself when and on what terms its attributes should be revealed.
Privacy can alternatively be described as the freedom of a natural person to sustain a “personal space”, free from interference by other entities.
In an IDM context, privacy is mostly used as a synonym of “informational privacy”, i.e., the interest of a natural person to control, or at least significantly influence the handling of data about themselves, also taking into account the nature of the applicable attributes and the entity in charge of data management.
NIST IR 7298 (2006)
SP 800-32
Restricting access to subscriber or relying party information in accordance with Federal law and agency policy.
SCA ISCTAG (2007)
The ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves.
- Privacy Enhanced Mail (PEM) n. 
RFC 2828 (2000)
(I) An Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail. [R1421, R1422]. (See: MOSS, MSP, PGP, S/MIME.)
(C) PEM encrypts messages with DES in CBC mode, provides key distribution of DES keys by encrypting them with RSA, and signs messages with RSA over either MD2 or MD5. To establish ownership of public keys, PEM uses a certification hierarchy, with X.509 public-key certificates and X.509 CRLs that are signed with RSA and MD2. (See: Pretty Good Privacy.)
(C) PEM is designed to be compatible with a wide range of key management methods, but is limited to specifying security services only for text messages and, like MOSS, has not been widely implemented in the Internet.
- privacy enhancing technology (PET) n.
modonisIDM (2005)
Definition: A privacy enhancing technology is hardware or software which increases the ability of a natural person to actively influence the availability of information about and exposure of itself.
- privacy impact assessment n. 
NIST IR 7298 (2006)
SP 800-53; OMB Memorandum 03-22
An analysis of how information is handled:
  1. to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
  2. to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and
  3. to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
- privacy protection n. 
ISO/IEC 2382-8:1998
privacy protection
The measures taken to ensure privacy. Note: The measures include data protection and limitations on the gathering, combining and processing of data about individuals.
- private component n. 
RFC 2828 (2000)
(I) A synonym for private key.
(D) In most cases, ISDs SHOULD NOT use this term; to avoid confusing readers, use private key instead. However, the term MAY be used when specifically discussing a key pair; e.g., “A key pair has a public component and a private component.”
- private accreditation exponent n.
SC 27 SD 6 (2002)
ISO/IEC 9798-5: 1999
Value known only to the accreditation authority, and which is used in the production of claimants' private accreditation information. This value shall be kept secret. This value is related to the public accreditation verification exponent.
- private accreditation information n.
SC 27 SD 6 (2002)
ISO/IEC 9798-5: 1999
Private information provided to a claimant by an accreditation authority, and of which a claimant proves knowledge, thereby establishing the claimant’s identity.
- private decipherment key n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
Private key which defines the private decipherment transformation.
- private decipherment transformation n.
SC 27 SD 6 (2002)
ISO/IEC 9798-5: 1999
Decipherment transformation determined by an asymmetric encipherment system and the private key of an asymmetric key pair.
- private extension n. 
See: (secondary definition under) extension.
- private key n. 
ISO/IEC 2382-8:1998
A cryptographic key that is intended for decryption (see (secondary definition under) encryption) for the exclusive use by its owner.
RFC 2828 (2000)
(I) The secret component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, public key.)
(O) “(In a public key cryptosystem) that key of a user’s key pair which is known only by that user.” [X509]
SC 27 SD 6 (2002)
ISO/IEC 11770-1: 1996, ISO/IEC WD 18033-1 (12/2001)
That key of an entity’s asymmetric key pair which should only be used by that entity. Note: A private key shall not normally be disclosed.
ISO/IEC 9798-1: 1997, ISO/IEC FDIS 15946-3 (02/2001)
That key of an entity’s asymmetric key pair which should only be used by that entity. Note: In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric encipherment system the private key defines the decipherment transformation.
ISO/IEC 11770-3: 1999, ISO/IEC WD 13888-1 (11/2001)
That key of an entity’s asymmetric key pair which can only be used by that entity. Note: In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric encipherment system the private key defines the decipherment transformation.
ISO/IEC FDIS 9796-2 (12/2001)
That key of an entity’s asymmetric key pair which should only be used by that entity.
NIST IR 7298 (2006)
SP 800-57
A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used to –
  1. Compute the corresponding public key,
  2. Compute a digital signature that may be verified by the corresponding public key,
  3. Decrypt data that was encrypted by the corresponding public key, or
  4. Compute a piece of common shared data, together with other information.
FIPS 196
A cryptographic key used with a public key cryptographic algorithm, which is uniquely associated with an entity, and not made public; it is used to generate a digital signature; this key is mathematically linked with a corresponding public key.
FIPS 140-2
A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public.
SCA ISCTAG (2007)
The secret part of an asymmetric key pair that is used to create digital signatures and, depending upon the algorithm, to decrypt messages, files or other information encrypted (for confidentiality) with the corresponding public key.
NIST SP 800-63-1 DRAFT (2008)
The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.
- private signature key n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
Private key which defines the private signature transformation. Note: This is sometimes referred to as a secret signature key.
ISO/IEC FDIS 9796-2 (12/2001)
Private key which defines the private signature transformation.
- privilege n. 
RFC 2828 (2000)
(I) An authorization or set of authorizations to perform security-relevant functions, especially in the context of a computer operating system.
SCA ISCTAG (2007)
An authorization or right granted by an application authority for an individual or group to perform an action.
- privilege management infrastructure n. 
RFC 2828 (2000)
(N) “The complete set of processes required to provide an authorization service”, i.e., processes concerned with attribute certificates. [FPDAM] (See: PKI.)
(D) ISDs SHOULD NOT use this term and its definition because the definition is vague, and there is no consensus on an alternate definition.
- privileged accounts n. 
NIST IR 7298 (2006)
SP 800-12
Individuals who have access to set “access rights” for users on a given system. Sometimes referred to as system or network administrative accounts.
This is a narrow definition of privileged accounts; compare the RFC 2828 definition of privilege, above.
- privileged process n. 
RFC 2828 (2000)
(I) A computer process that is authorized (and, therefore, trusted) to perform some security-relevant functions that ordinary processes are not. (See: privilege, trusted process.)
- probe biometric sample n. 
JTC 1/SC 37 (2008)
recognition probe biometric sample
Referenced but not defined in JTC 1/SC 37 (2008). An instance of a captured biometric sample used to generate a biometric probe.
- procedural security n. 
ISO/IEC 2382-8:1998
A synonym for administrative security.
RFC 2828 (2000)
(D) ISDs SHOULD NOT use this term as a synonym for administrative security. Any type of security may involve procedures; therefore, the term may be misleading. Instead, use administrative security, communication security, computer security, emanations security, personnel security, physical security, or whatever specific type is meant. (See: security architecture.)
- process n.
SC 27 SD 6 (2002)
ISO/IEC WD 15443-1 (11/2001)
An organised set of activities which uses resources to transform inputs to outputs.
- process assurance n.
SC 27 SD 6 (2002)
ISO/IEC WD 15443-1 (11/2001)
Assurance derived from an assessment of activities of a process.
- product n.
SC 27 SD 6 (2002)
ISO/IEC 15408-1: 1999
A package of IT software, firmware and/or hardware, providing functionality designed for use or incorporation within a multiplicity of systems.
- profile n.
1. (descriptive profile)
ISO/IEC 2382-8:1998
user profile
A description of a user, typically used for access control. Note: A user profile may include data such as user ID, user’s name, password, access rights, and other attributes.
iAfB-ICSA 1999
record
The template and other information about the end-user (e.g. access permissions).
modonisIDM (2005)
Definition: A profile of an entity or a group of entities is an organized set of attributes that characterizes the specific properties of that entity or entities within a given context for a specific purpose.
Also user account, user profile, user record. See also: user ID.
user profile: “A record that consists of all the information that defines a user to Windows 2000. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources.” [MSFT]
2. (behavioral profile)
ISO/IEC 2382-8:1998
user profile
A pattern of a user’s activity that can be used to detect changes in the activity.
3. (SAML profile)
OASIS SAML 2.0 (2005)
A set of rules for one of several purposes; each set is given a name in the pattern “xxx profile of SAML” or “xxx SAML profile”.
  • Rules for how to embed assertions into and extract them from a protocol or other context of use.
  • Rules for using SAML protocol messages in a particular context of use.
  • Rules for mapping attributes expressed in SAML to another attribute representation system. Such a set of rules is known as an “attribute profile”.
- profiling n. 
modonisIDM (2005)
Definition: Profiling is the practice of collecting and analysing data related to an entity with the aim of creating its profile.
NIST IR 7298 (2006)
SP 800-61
Measuring the characteristics of expected activity so that changes to it can be more easily identified.
- program manager n. 
See: information system owner.
- proof n.
SC 27 SD 6 (2002)
ISO/IEC WD 13888-1 (11/2001)
The corroboration that evidence is valid in accordance with the non-repudiation policy in force. Note: Proof is evidence that serves to prove truth or existence of something.
- proof of possession protocol n., - POP protocol n. 
NIST SP 800-63-1 DRAFT (2008)
A protocol where a claimant proves to a verifier that he/she possesses and controls a token (e.g., a key or password).
- proprietary n. 
RFC 2828 (2000)
(I) Refers to information (or other property) that is owned by an individual or organization and for which the use is restricted by that entity.
- protected channel n.
NIST SP 800-63-1 DRAFT (2008)
A session wherein messages between two participants are encrypted and integrity is protected using a set of shared secrets; a participant is said to be authenticated if the other participant can link possession of the session keys by the first participant to a long term cryptographic token and verify the identity associated with that token.
- protected checksum n. 
RFC 2828 (2000)
(I) A checksum that is computed for a data object by means that protect against active attacks that would attempt to change the checksum to make it match changes made to the data object. (See: digital signature, keyed hash, (discussion under) checksum.)
- protected distribution system n. 
RFC 2828 (2000)
(I) A wireline or fiber-optic system that includes sufficient safeguards (acoustic, electric, electromagnetic, and physical) to permit its use for unencrypted transmission of (cleartext) data.
- protection authority n. 
See: (secondary definition under) Internet Protocol Security Option.
- Protection Profile (PP) n.
SC 27 SD 6 (2002)
ISO/IEC 15292: 2001
An implementation-independent set of security requirements for a category of IT products or systems that meet specific consumer needs.
ISO/IEC 15408-1: 1999
An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
- protection ring n. 
RFC 2828 (2000)
(I) One of a hierarchy of privileged operation modes of a system that gives certain access rights to processes authorized to operate in that mode.
- protective distribution system n. 
NIST IR 7298 (2006)
SP 800-53
Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.
- protocol n. 
RFC 2828 (2000)
(I) A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. (e.g., see: Internet Protocol.)
(C) In particular, a series of ordered steps involving computing and communication that are performed by two or more system entities to achieve a joint objective. [A9042]
- protocol binding n. 
See: binding.
- protocol data unit n. 
NIST IR 7298 (2006)
FIPS 188
A unit of data specified in a protocol and consisting of protocol information and, possibly, user data.
- protocol droid n. 
Protocol droids are vital in smoothing differences encountered by the many far-flung cultures interacting on a regular basis throughout the galaxy. Programmed in etiquette and equipped with formidable language skills, protocol droids assist diplomats and politicians and also serve as administrative aides and companions for high-ranking officials. They come in many shapes and sizes, but most are humanoid, like the company they keep. C-3PO and TC-14 are examples of protocol droids.
See: Star Wars: Databank | protocol droid.
- protocol entity n. 
NIST IR 7298 (2006)
FIPS 188
Entity that follows a set of rules and formats (semantic and syntactic) that determines the communication behavior of other entities.
- protocol run n. 
NIST IR 7298 (2006)
SP 800-63
An instance of the exchange of messages between a claimant and a verifier in a defined authentication protocol that results in the authentication (or authentication failure) of the claimant.
- protocol suite n. 
RFC 2828 (2000)
(I) A complementary collection of communication protocols used in a computer network. (See: Internet, OSI.)
- provider n. 
OASIS SAML 2.0 (2005)
A generic way to refer to both identity providers and service providers.
- proximity card n.
SCA ISCTAG (2007)
proximity cards
A generic name for contactless integrated circuit devices typically used for security access or payment systems. It can refer to 125 kHz RFID devices or 13.56 MHz contactless smart cards. (See ISO/IEC 14443.)
- proxy n. 
OASIS SAML 2.0 (2005)
An entity authorized to act for another.
  • Authority or power to act for another.
  • A document giving such authority. [Merriam]
modonisIDM (2005)
Definition: A proxy is synonymous with a mandate.
NIST IR 7298 (2006)
SP 800-44
A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks, making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for e-mail.
- proxy agent n. 
NIST IR 7298 (2006)
SP 800-41
A proxy agent is a software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.
- proxy server n. 
RFC 2828 (2000)
(I) A computer process – often used as, or as part of, a firewall – that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. (See: SOCKS.)
(C) In a firewall, a proxy server usually runs on a bastion host, which may support proxies for several protocols (e.g., FTP, HTTP, and TELNET). Instead of a client in the protected enclave connecting directly to an external server, the internal client connects to the proxy server which in turn connects to the external server. The proxy server waits for a request from inside the firewall, forwards the request to the remote server outside the firewall, gets the response, then sends the response back to the client. The proxy may be transparent to the clients, or they may need to connect first to the proxy server, and then use that association to also initiate a connection to the real server.
(C) Proxies are generally preferred over SOCKS for their ability to perform caching, high-level logging, and access control. A proxy can provide security service beyond that which is normally part of the relayed protocol, such as access control based on peer entity authentication of clients, or peer entity authentication of servers when clients do not have that capability. A proxy at OSI layer 7 can also provide finer-grained security service than can a filtering router at OSI layer 3. For example, an FTP proxy could permit transfers out of, but not into, a protected network.
OASIS SAML 2.0 (2005)
A computer process that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. [RFC2828]
NIST IR 7298 (2006)
SP 800-46
A server that sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
- PSE n. 
See: personal security environment.
- pseudo-random n. 
RFC 2828 (2000)
(I) Describing a sequence of values that appears to be random (i.e., unpredictable) but is actually generated by a deterministic algorithm. (See: random.)
- pseudo-random number generator n. 
RFC 2828 (2000)
(I) A process used to deterministically generate a series of numbers (usually integers) that appear to be random according to certain statistical tests, but actually are pseudo-random.
(C) Pseudo-random number generators are usually implemented in software.
NIST IR 7298 (2006)
SP 800-57
An algorithm that produces a sequence of bits that are uniquely determined from an initial value called a seed. The output of the PRNG “appears” to be random, i.e., the output is statistically indistinguishable from random values. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.
- pseudonym n. 
modonisIDM (2005)
Definition: A pseudonym (synonym: nym) is an arbitrary identifier of an identifiable entity, by which a certain action can be linked to this specific entity. The entity that may be identified by the pseudonym is the holder of the pseudonym.
A pseudonym is typically a fictitious name that can refer to an entity without using any of the entity’s identifiers. In effect, the pseudonym is an additional attribute of a given entity’s identity, which allows it to form a set of partial identities which can not necessarily be easily traced to the originating entity.
As identifiers, pseudonyms are context-bound, and one pseudonym is not necessarily valid across multiple identity management systems.
An entity is pseudonymous if it relies on a pseudonym as identifier.
NIST SP 800-63-1 DRAFT (2008)
A subscriber name that has been chosen by the subscriber that is not verified as meaningful by identity proofing.
- public accreditation verification exponent n.
SC 27 SD 6 (2002)
ISO/IEC 9798-5: 1999
Value agreed by all members of a group of entities, and which, in conjunction with the modulus, determines the value of the private accreditation exponent.
- public component n. 
RFC 2828 (2000)
(I) A synonym for public key.
(D) In most cases, ISDs SHOULD NOT use this term; to avoid confusing readers, use private key instead. However, the term MAY be used when specifically discussing a key pair; e.g., “A key pair has a public component and a private component.”
- public encipherment key n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
Public key which defines the public encipherment transformation.
- public encipherment transformation n.
SC 27 SD 6 (2002)
ISO/IEC 9798-5: 1999
Encipherment transformation determined by an asymmetric encipherment system and the public key of an asymmetric key pair.
- public key n. 
ISO/IEC 2382-8:1998
A cryptographic key that is intended for use by any entity for encrypted communication with the owner of the corresponding private key.
RFC 2828 (2000)
(I) The publicly-disclosable component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, private key.)
(O) “(In a public key cryptosystem) that key of a user’s key pair which is publicly known.” [X509]
SC 27 SD 6 (2002)
That key of an entity’s asymmetric key pair which can be made public. [ISO/IEC FDIS 9796-2 (12/2001), ISO/IEC 11770-1: 1996, ISO/IEC WD 18033-1 (12/2001)]
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997, ISO/IEC 11770-3: 1999, ISO/IEC WD 13888-1 (11/2001), ISO/IEC FDIS 15946-3 (02/2001)
That key of an entity’s asymmetric key pair which can be made public. Note: In the case of an asymmetric signature system the public key defines the verification transformation. In the case of an asymmetric encipherment system the public key defines the encipherment transformation. A key that is 'publicly known' is not necessarily globally available. The key may only be available to all members of a pre-specified group.
NIST IR 7298 (2006)
SP 800-57
A cryptographic key that is used with a public key cryptographic algorithm. The public key is uniquely associated with an entity and may be made public. In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to –
  1. Verify a digital signature that is signed by the corresponding private key,
  2. Encrypt data that can be decrypted by the corresponding private key, or
  3. Compute a piece of shared data.
FIPS 196
A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and which may be made public; it is used to verify a digital signature; this key is mathematically linked with a corresponding private key.
FIPS 140-2
A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public.
SCA ISCTAG (2007)
The public part of an asymmetric key pair that is used to verify signatures created with its corresponding private key. Depending on the algorithm, public keys are also used to encrypt messages, files, or other information that can then be decrypted with the corresponding private key. The user releases this key to the public who can use it to encrypt messages to be sent to the user and to verify the user’s digital signature. Compare with private key.
IAEG LIAF (2008)
The public part of the asymmetric key pair that is typically used to verify signatures or encrypt data.
NIST SP 800-63-1 DRAFT (2008)
The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.
- public-key certificate n. 
RFC 2828 (2000)
(I) A digital certificate that binds a system entity’s identity to a public key value, and possibly to additional data items; a digitally-signed data structure that attests to the ownership of a public key. (See: X.509 public-key certificate.)
(C) The digital signature on a public-key certificate is unforgeable. Thus, the certificate can be published, such as by posting it in a directory, without the directory having to protect the certificate’s data integrity.
(O) “The public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it.” [X509]
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997, ISO/IEC 11770-1: 1996, ISO/IEC 11770-3: 1999, ISO/IEC WD 13888-1 (11/2001)
The public key information of an entity signed by the certification authority and thereby rendered unforgeable.
ISO/IEC 9796-3: 2000
The public key information of an entity signed by the certification authority and thereby rendered unforgeable. Note: In the context of this part of ISO/IEC 9796 the public key information contains the information about the verification key and the domain parameters.
NIST IR 7298 (2006)
FIPS 196
A set of data that unambiguously identifies an entity, contains the entity’s public key, and is digitally signed by a trusted third party (certification authority).
FIPS 140-2
A set of data that uniquely identifies an entity, contains the entity’s public key, and is digitally signed by a trusted party, thereby binding the public key to the entity.
SCA ISCTAG (2007)
digital certificate (or public key certificate)
Digital documents (e.g., information such as the name of the person or an organization and their address) attesting to the binding of a public key to an individual or other entity. Digital certificates allow verification of the claim that a specific public key does in fact belong to a specific individual.
Note that digital certificate has a broader definition that includes other kinds of certificate.
public key certificate
A digital document that is issued and digitally signed by the private key of a certificate authority (CA) and that binds an attribute of a subject to a public key.
NIST SP 800-63-1 DRAFT (2008)
A digital document issued and digitally signed by the private key of a certification authority that binds the name of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the private key. See also [RFC 3280]
- public-key cryptographic algorithm n. 
NIST IR 7298 (2006)
FIPS 140-2
public key (asymmetric) cryptographic algorithm
A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that deriving the private key from the public key is computationally infeasible.
See also: asymmetric cryptography.
- public-key cryptography n. 
RFC 2828 (2000)
(I) The popular synonym for asymmetric cryptography.
- Public-Key Cryptography Standards (PKCS) n. 
RFC 2828 (2000)
(I) A series of specifications published by RSA Laboratories for data structures and algorithm usage for basic applications of asymmetric cryptography. (See: PKCS #7, PKCS #10, PKCS #11.)
(C) The PKCS were begun in 1991 in cooperation with industry and academia, originally including Apple, Digital, Lotus, Microsoft, Northern Telecom, Sun, and MIT. Today, the specifications are widely used, but they are not sanctioned by an official standards organization, such as ANSI, ITU-T, or IETF. RSA Laboratories retains sole decision-making authority over the PKCS.
- public key derivation function n.
SC 27 SD 6 (2002)
A domain parameter, whose function is to map strings of bits into positive integers.
SC 27 SD 6 (2002)
ISO/IEC 14888-2: 1999
Notes: (1) - This function is used to transform an entity’s identification data into the entity’s verification key, and satisfies the following two properties.
  • It is computationally infeasible to find any two distinct inputs which map to the same output.
  • Either the probability that a randomly chosen value Y is in the range of the function is negligibly small, or for a given output it is computationally infeasible to find an input which maps to this output.
(2) Negligibility and computational infeasibility depend on the specific security requirements and environment.
- public-key encryption n. 
NIST IR 7298 (2006)
SP 800-46
public (asymmetric) key encryption
Public key cryptography uses “key pairs”, a public key and a mathematically related private key. Given the public key, it is infeasible to find the private key. The private key is kept secret while the public key may be shared with others. A message encrypted with the public key can only be decrypted with the private key. A message can be digitally signed with the private key, and anyone can verify the signature with the public key.
See also: asymmetric encipherment system.
- public-key forward secrecy (PFS) n. 
RFC 2828 (2000)
(I) For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.
(C) Some existing RFCs use the term perfect forward secrecy but either do not define it or do not define it precisely. While preparing this Glossary, we tried to find a good definition for that term, but found this to be a muddled area. Experts did not agree. For all practical purposes, the literature defines perfect forward secrecy by stating the Diffie-Hellman algorithm. The term public-key forward secrecy (suggested by Hilarie Orman) and the “I” definition stated for it here were crafted to be compatible with current Internet documents, yet be narrow and leave room for improved terminology.
(C) Challenge to the Internet security community: We need a taxonomy – a family of mutually exclusive and collectively exhaustive terms and definitions to cover the basic properties discussed here – for the full range of cryptographic algorithms and protocols used in Internet Standards:
(C) Involvement of session keys vs. long-term keys: Experts disagree about the basic ideas involved.
  • One concept of forward secrecy is that, given observations of the operation of a key establishment protocol up to time t, and given some of the session keys derived from those protocol runs, you cannot derive unknown past session keys or future session keys.
  • A related property is that, given observations of the protocol and knowledge of the derived session keys, you cannot derive one or more of the long-term private keys.
  • The “I” definition presented above involves a third concept of forward secrecy that refers to the effect of the compromise of long-term keys.
  • All three concepts involve the idea that a compromise of this encryption key is not supposed to compromise the next one. There also is the idea that compromise of a single key will compromise only the data protected by the single key. In Internet literature, the focus has been on protection against decryption of back traffic in the event of a compromise of secret key material held by one or both parties to a communication.
(C) forward vs. backward: Experts are unhappy with the word forward, because compromise of this encryption key also is not supposed to compromise the previous one, which is backward rather than forward. In S/Key, if the key used at time t is compromised, then all keys used prior to that are compromised. If the long-term key (i.e., the base of the hashing scheme) is compromised, then all keys past and future are compromised; thus, you could say that S/Key has neither forward nor backward secrecy.
(C) asymmetric cryptography vs. symmetric cryptography: Experts disagree about forward secrecy in the context of symmetric cryptographic systems. In the absence of asymmetric cryptography, compromise of any long-term key seems to compromise any session key derived from the long-term key. For example, Kerberos isn't forward secret, because compromising a client’s password (thus compromising the key shared by the client and the authentication server) compromises future session keys shared by the client and the ticket-granting server.
(C) ordinary forward secrecy vs. perfect forward secrecy: Experts disagree about the difference between these two. Some say there is no difference, and some say that the initial naming was unfortunate and suggest dropping the word perfect. Some suggest using forward secrecy for the case where one long-term private key is compromised, and adding perfect for when both private keys (or, when the protocol is multi-party, all private keys) are compromised.
(C) Acknowledgements: Bill Burr, Burt Kaliski, Steve Kent, Paul Van Oorschot, Michael Wiener, and, especially, Hilarie Orman contributed ideas to this discussion.
SC 27 SD 6 (2002)
  • forward secrecy with respect to A – The property that knowledge of A’s long-term private key subsequent to a key agreement operation does not enable an opponent to recompute previously derived keys. [ISO/IEC FDIS 15946-3 (02/2001)]
  • forward secrecy with respect to both A and B individually – The property that knowledge of A’s long-term private key or knowledge of B’s long term private key subsequent to a key agreement operation does not enable an opponent to recompute previously derived keys. Note: This differs from mutual forward secrecy in which knowledge of both A’s and B’s long term private keys does not enable recomputation of previously derived keys. [ISO/IEC FDIS 15946-3 (02/2001)]
- public key information n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997
Information specific to a single entity and which contains at least the entity’s distinguishing identifier and at least one public key for this entity. There may be other information regarding the certification authority, the entity, and the public key included in the public key information, such as the validity period of the public key, the validity period of the associated private key, or the identifier of the involved algorithms.
ISO/IEC 11770-1: 1996
Information specific to a single entity which contains at least the entity’s distinguishing identifier and at least one public key for this entity. There may be other information regarding the certification authority, the entity, and the public key included in the public key information, such as the validity period of the public key, the validity period of the associated private key, or the identifier of the involved algorithms.
ISO/IEC 11770-3: 1999
Information containing at least the entity’s distinguishing identifier and public key. The public key information is limited to data regarding one entity, and one public key for this entity. There may be other static information regarding the certification authority, the entity, the public key, restrictions on key usage, the validity period, or the involved algorithms, included in the public key information.
- public-key infrastructure (PKI) n. 
RFC 2828 (2000)
(I) A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography. (See: hierarchical PKI, mesh PKI, security management infrastructure, trust-file PKI.)
(O) PKIX usage: The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
(C) The core PKI functions are (a) to register users and issue their public-key certificates, (b) to revoke certificates when required, and (c) to archive data needed to validate certificates at a much later time. Key pairs for data confidentiality may be generated (and perhaps escrowed) by CAs or RAs, but requiring a PKI client to generate its own digital signature key pair helps maintain system integrity of the cryptographic system, because then only the client ever possesses the private key it uses. Also, an authority may be established to approve or coordinate CPSs, which are security policies under which components of a PKI operate.
(C) A number of other servers and agents may support the core PKI, and PKI clients may obtain services from them. The full range of such services is not yet fully understood and is evolving, but supporting roles may include archive agent, certified delivery agent, confirmation agent, digital notary, directory, key escrow agent, key generation agent, naming agent who ensures that issuers and subjects have unique identifiers within the PKI, repository, ticket-granting agent, and time stamp agent.
SC 27 SD 6 (2002)
ISO/IEC 15945: 2002
The system consisting of TTPs, together with the services they make available to support the application (including generation and validation) of digital signatures, and of the persons or technical components, who use these services. Note: Sometimes the persons and the technical components participating in a PKI by using the services of TTPs, but not being TTPs themselves, are referred to as end entities. An example of a technical equipment used by an end entity is a smart card which may be used as a storage and/or processing device.
NIST IR 7298 (2006)
SP 800-32
A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
FIPS 196
An architecture which is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys.
SCA ISCTAG (2007)
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. There are four basic components to the PKI: the certificate authority (CA) responsible for issuing and verifying digital certificates, the registration authority (RA) which provides verification to the CA prior to issuance of digital certificates, one or multiple directories to hold certificates (with public keys), and a system for managing the certificates. Also included in a PKI are the certificate policies and agreements among parties that document the operating rules, procedural policies, and liabilities of the parties operating within the PKI.
IAEG LIAF (2008)
A set of technical and procedural measures used to manage public keys embedded in digital certificates.
The keys in such certificates can be used to safeguard communication and data exchange over potentially unsecure networks.
- public key system (for digital signature) n.
SC 27 SD 6 (2002)
Cryptographic scheme consisting of three functions:
  • Key production, a method for generating a key pair made up of a private signature key and a public verification key,
  • Signature production, a method for generating a signature Σ from a message representative F and a private signature key, and
  • Signature opening, a method for obtaining the recovered message representative F* from a signature Σ and a public verification key. The output of this function also contains an indication as to whether the signature opening procedure succeeded or failed.
- public seed n. 
NIST IR 7298 (2006)
SP 800-56
A starting value for a pseudorandom number generator. The value produced by the random number generator may be made public. The public seed is often called a “salt”.
- public verification key n.
SC 27 SD 6 (2002)
ISO/IEC 9798-1: 1997, ISO/IEC FDIS 9796-2 (12/2001)
Public key which defines the public verification transformation.
- pull vb.
OASIS SAML 2.0 (2005)
To actively request information from a system entity.
- purge vb. 
NIST IR 7298 (2006)
SP 800-88
Rendering sanitized data unrecoverable by laboratory attack methods.
- push vb.
OASIS SAML 2.0 (2005)
To provide information to a system entity that did not actively request it.
The original sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both the GNU Free Documentation License (GFDL) and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
URL: http://homepage.mac.com/antallan/gistp.html
Last updated: Thursday 11 December 2008
