GIST v0.7 ― R
“RA” to “rule-combining algorithm”

R

- RA n.

- RA domains n.

RFC 2828 (2000)

(I) A capability of a CAW that allows a CA to divide the responsibility for certification requests among multiple RAs.

(C) This capability might be used to restrict access to private authorization data that is provided with a certification request, and to distribute the responsibility to review and approve certification requests in high volume environments. RA domains might segregate certification requests according to an attribute of the certificate subject, such as an organizational unit.

- radio frequency (RF) n.

SCA ISCTAG (2007)

Any frequency within the electromagnetic spectrum associated with radio wave propagation. Many wireless communications technologies are based on RF, including radio, television, mobile phones, wireless networks and contactless payment cards and devices.

See: high frequency, low frequency, ultra-high frequency.

- radio frequency identification (RFID) n.

SCA ISCTAG (2007)

Technology that is used to transmit information about objects wirelessly, using radio waves. RFID technology is composed of two main pieces: the device that contains the data and the reader that captures such data. The device has a silicon chip and an antenna and the reader also has an antenna. The device is activated when put within range of the reader. The term RFID has been most commonly associated with tags used in supply chain applications in the manufacturing and retail industries.

- RADIUS n.

See: Remote Authentication Dial-In User Service.

- radix n.

SC 27 SD 6 (2002)

ISO/IEC FCD 7064 (09/2000)

Base of a geometric progression.

- Rainbow Series n.

RFC 2828 (2000)

(O) A set of more than 30 technical and policy documents with colored covers, issued by the NCSC, that discuss in detail the TCSEC and provide guidance for meeting and applying the criteria. (See: Green Book, Orange Book, Red Book, Yellow Book.)

- random n.

RFC 2828 (2000)

(I) general usage: In mathematics, random means unpredictable. A sequence of values is called random if each successive value is obtained merely by chance and does not depend on the preceding values of the sequence, and a selected individual value is called random if each of the values in the total population of possibilities has equal probability of being selected. [Knuth] (See: cryptographic key, pseudo-random, random number generator.)

(I) security usage: In cryptography and other security applications, random means not only unpredictable, but also unguessable. When selecting data values to use for cryptographic keys, “the requirement is for data that an adversary has a very low probability of guessing or determining.” It is not sufficient to use data that “only meets traditional statistical tests for randomness or which is based on limited range sources, such as clocks. Frequently such random quantities are determinable [i.e., guessable] by an adversary searching through an embarrassingly small space of possibilities.” [R1750]

- random number n.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997, ISO/IEC 11770-1: 1996, ISO/IEC 11770-2: 1996

A time variant parameter whose value is unpredictable.

- random number generator n.

RFC 2828 (2000)

(I) A process used to generate an unpredictable, uniformly distributed series of numbers (usually integers). (See: pseudo-random, random.)

(C) True random number generators are hardware-based devices that depend on the output of a noisy diode or other physical phenomena. [R1750]

NIST IR 7298 (2006)

SP 800-57

A process used to generate an unpredictable series of numbers. Each individual value is called random if each of the values in the total population of values has an equal probability of being selected.

FIPS 140-2

Random number generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers. There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed. A nondeterministic RNG produces output that is dependent on some unpredictable physical source that is outside human control.

- randomized adj.

SC 27 SD 6 (2002)

ISO/IEC 9796-3: 2000, ISO/IEC 14888-1: 1998, ISO/IEC WD 15946-4 (10/2001)

Dependent on a randomizer.

- randomizer n.

SC 27 SD 6 (2002)

ISO/IEC 9796-3: 2000, ISO/IEC 14888-1: 1998, ISO/IEC FDIS 15946-2 (04/2001), ISO/IEC WD 15946-4 (10/2001)

A secret data item produced by the signing entity in the pre-signature production process, and not predictable by other entities.

- raw biometric sample n.

See: captured biometric sample.

- RBAC n.

See: role-based access control.

- RC2 n., - RC4 n., - RC6 n.

See: Rivest Cipher #2, Rivest Cipher #4, Rivest Cipher #6.

- read access n.

See: (secondary definition under) access mode.

- reader n.

SCA ISCTAG (2007)

Any device that communicates information or assists in communications from a card, token or other identity document and transmits the information to a host system, such as a control panel/processor or database for further action.

- REAL ID Act n.

SCA ISCTAG (2007)

The U.S. REAL ID Act of 2005. Legislation intended to deter terrorism by establishing national standards for state-issued driver’s licenses and non-driver’s identification cards in addition to other key executables.

- realm n.

RFC 2828 (2000)

(O) Kerberos usage: The domain of authority of a Kerberos server (consisting of an authentication server and a ticket-granting server), including the Kerberized clients and the Kerberized application servers

- receiver operating characteristics/curves (ROCs) n.

iAfB-ICSA 1999

receiver operating curves

A graph showing how the false rejection rate and false acceptance rate vary according to the threshold.

BEM 2002

receiver operating characteristics

A method of showing the performance of the biometric system over a range of decision criteria – usually shown as a graph that relates FAR to FRR as the decision threshold varies.

- recipient n.

SC 27 SD 6 (2002)

ISO/IEC WD 13888-1 (11/2001)

The entity that gets (receives or fetc.es) a message for which non-repudiation services are to be provided.

- recipient usage period n.

NIST IR 7298 (2006)

SP 800-57

The period of time during the cryptoperiod of a symmetric key when protected information is processed. The recipient usage period of the key is usually identical to the cryptoperiod of that key.

- recognition n.

iAfB-ICSA 1999

The preferred term is identification.

JTC 1/SC 37 (2008)

Identify as already known; to know again; acknowledge the existence, validity, or legality of.

Note: Definition source: Oxford dictionary.

- recognition biometric sample n.

See probe biometric sample.

- record n.

NIST IR 7298 (2006)

SP 800-53; FIPS 200

records

The recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results) which serve as the basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

JTC 1/SC 37 (2006⇒2008)

record (in databases)

Data object that is an instance of a record type.

Note: Definition Source: ISO 2382-17, term 17.05.12

Also a synonym for (user) profile.

- recoverable part n.

SC 27 SD 6 (2002)

ISO/IEC FDIS 9796-2 (12/2001)

Part of the message conveyed in the signature.

- RED n.

RFC 2828 (2000)

(I) Designation for information system equipment or facilities that handle (and for data that contains) only plaintext (or, depending on the context, classified information), and for such data itself. This term derives from U.S. Government COMSEC terminology. (See: BLACK, RED/BLACK separation.)

- Red Book n.

RFC 2828 (2000)

(D) ISDs SHOULD NOT use this term as a synonym for Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria [NCS05]. Instead, use the full proper name of the document or, in subsequent references, a more conventional abbreviation. (See: TCSEC, Rainbow Series, (usage note under) Green Book.)

- RED/BLACK separation n.

RFC 2828 (2000)

(I) An architectural concept for cryptographic systems that strictly separates the parts of a system that handle plaintext (i.e., RED information) from the parts that handle ciphertext (i.e., BLACK information). This term derives from U.S. Government COMSEC terminology. (See: BLACK, RED.)

- reduction-function n.

SC 27 SD 6 (2002)

ISO/IEC 10118-4: 1998

A function RED that is applied to the block H_q of length L_ɸ to generate the hash-code H of length L_p.

- redundancy n.

SC 27 SD 6 (2002)

ISO/IEC 11770-2: 1996, ISO/IEC WD 13888-1 (11/2001)

Any information that is known and can be checked.

- redundant identity n.

SC 27 SD 6 (2002)

ISO/IEC 9798-5: 1999

Sequence of data items obtained from an entity’s identification data by adding redundancy using techniques specified in ISO/IEC 9796.

- re-enrollment, - re-enrolment n.

JTC 1/SC 37 (2006⇒2008)

re-enrolment

Process of establishing a new biometric reference for an individual biometric data subjectalready enrolled in the database.

Note 1: Re-enrolment requires new captured biometric sample(s).

Note 2: For example, re-enrolment may be required as a result of performance degradation due to major changes in the system or biometric characteristics.

- reference monitor n.

RFC 2828 (2000)

(I) “An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.” [NCS04] (See: security kernel.)

(C) A reference monitor should be (a) complete (i.e., it mediates every access), (b) isolated (i.e., it cannot be modified by other system entities), and (c) verifiable (i.e., small enough to be subjected to analysis and tests to ensure that it is correct).

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

The concept of an abstract machine that enforces TOE access control policies.

NIST IR 7298 (2006)

SP 800-33

The security engineering term for IT functionality that –

controls all access,
cannot be by-passed,
is tamper-resistant, and
provides confidence that the other three items are true.

- reference validation mechanism n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

An implementation of the reference monitor concept that possesses the following properties: it is tamperproof, always invoked, and simple enough to be subjected to thorough analysis and testing.

- refinement n.

SC 27 SD 6 (2002)

ISO/IEC 15408-1: 1999

The addition of details to a component.

- reflection attack n.

RFC 2828 (2000)

(I) A type of replay attack in which transmitted data is sent back to its originator.

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997

A masquerade which involves sending a previously transmitted message back to its originator.

- register n.

SC 27 SD 6 (2002)

ISO/IEC 15292: 2001

A set of files (electronic, or a combination of electronic and paper) containing entry labels and their associated definitions and related information.

See also: registration.

- register entry n.

SC 27 SD 6 (2002)

ISO/IEC 15292: 2001

The information within a register relating to a specific PP or package.

- registration n.

RFC 2828 (2000)

(I) An administrative act or process whereby an entity’s name and other attributes are established for the first time at a CA, prior to the CA issuing a digital certificate that has the entity’s name as the subject. (See: registration authority.)

(C) Registration may be accomplished either directly, by the CA, or indirectly, by a separate RA. An entity is presented to the CA or RA, and the authority either records the name(s) claimed for the entity or assigns the entity’s name(s). The authority also determines and records other attributes of the entity that are to be bound in a certificate (such as a public key or authorizations) or maintained in the authority’s database (such as street address and telephone number). The authority is responsible, possibly assisted by an RA, for authenticating the entity’s identity and verifying the correctness of the other attributes, in accordance with the CA’s CPS.

How a claimed identity and other attributes are verified.
How organization affiliation or representation is verified.
What forms of names are permitted, such as X.500 DN, domain name, or IP address.
Whether names are required to be meaningful or unique, and within what domain.
How naming disputes are resolved, including the role of trademarks.
Whether certificates are issued to entities that are not persons.
Whether a person is required to appear before the CA or RA, or can instead be represented by an agent.
Whether and how an entity proves possession of the private key matching a public key.

SC 27 SD 6 (2002)

ISO/IEC 15292: 2001

The process of assigning a register entry.

modonis^IDM (2005)

Definition: The registration of an entity is the process in which the entity is identified and/or other attributes are corroborated. As a result of the registration, a partial identity is assigned to the entity for a certain context.

In other words, the registration of an entity is the process of linking a (partial) identity to the identity of an entity, by corroborating a specific set of attributes, which do not necessarily need to include identifiers.

Successful completion of the registration procedures results in the granting of a means (e.g., a credential) by which the entity can be authenticated in the future.

Quality assurance criteria (with various degrees of liability attached) can be imposed on the registration process.

NIST IR 7298 (2006)

FIPS 201

identity registration

The process of making a person’s identity known to the personal identity verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.

SP 800-57

user registration

A stage in the lifecycle of keying material; a process whereby an entity becomes a member of a security domain.

SCA ISCTAG (2007)

identity registration

The process of making a person’s identity known to a system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.

JTC 1/SC 37 (2008) – A.2.11

The action or process of registering or of being registered; exact correspondence of the position of printed matter on the two sides of a leaf.

Note 1: Register (vb.): enter in or place on a register.

Note 2: Register (n.): an official list of record.

Note 3: Definition source for registration and register (verb and noun): Oxford dictionary.

Inclusion of the printing sense seems eccentric!

IAEG LIAF (2008)

An entry in a register, or somebody or something whose name or designation is entered in a register.

NIST SP 800-63-1 DRAFT (2008)

The process through which a party applies to become a subscriber of a CSP and an RA validates the identity of that party on behalf of the CSP.

- registration authority (RA) n.

RFC 2828 (2000)

(I) An optional PKI entity (separate from the CAs) that does not sign either digital certificates or CRLs but has responsibility for recording or verifying some or all of the information (particularly the identities of subjects) needed by a CA to issue certificates and CRLs and to perform other certificate management functions. (See: organizational registration authority, registration.)

(C) Sometimes, a CA may perform all certificate management functions for all end users for which the CA signs certificates. Other times, such as in a large or geographically dispersed community, it may be necessary or desirable to offload secondary CA functions and delegate them to an assistant, while the CA retains the primary functions (signing certificates and CRLs). The tasks that are delegated to an RA by a CA may include personal authentication, name assignment, token distribution, revocation reporting, key generation, and archiving. An RA is an optional PKI component, separate from the CA, that is assigned secondary functions. The duties assigned to RAs vary from case to case but may include the following:

Verifying a subject’s identity, i.e., performing personal authentication functions.
Assigning a name to a subject. (See: distinguished name.)
Verifying that a subject is entitled to have the attributes requested for a certificate.
Verifying that a subject possesses the private key that matches the public key requested for a certificate.
Performing functions beyond mere registration, such as generating key pairs, distributing tokens, and handling revocation reports. (Such functions may be assigned to a PKI element that is separate from both the CA and the RA.)

(I) PKIX usage: An optional PKI component, separate from the CA(s). The functions that the RA performs will vary from case to case but may include identity authentication and name assignment, key generation and archiving of key pairs, token distribution, and revocation reporting. [R2510]

(O) SET usage: “An independent third-party organization that processes payment card applications for multiple payment card brands and forwards applications to the appropriate financial institutions.” [SET2]

SC 27 SD 6 (2002)

ISO/IEC TR 14516: 2000

An entity who is responsible for identification and authentication of subjects of certificates, but is not a CA or an AA, and hence does not sign or issue certificates. An RA may assist in the certificate application process, revocation process, or both.

ISO/IEC 15945: 2002

Authority entitled and trusted to perform the registration service as described below.

NIST IR 7298 (2006)

FIPS 188

Organization responsible for assignment of unique identifiers to registered objects.

SCA ISCTAG (2007)

A body given the responsibility of maintaining lists of codes under international standards and issuing new codes to those wishing to register them.

Note that this definition is quite different from the others, which focus on identity registration within a PKI and similar identity-management contexts.

NIST SP 800-63-1 DRAFT (2008)

A trusted entity that establishes and vouches for the identity of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).

- registration service n.

SC 27 SD 6 (2002)

ISO/IEC 15945: 2002

The service of identifying entities and registering them in a way that allows the secure assignment of certificates to these entities.

- regrade n.

RFC 2828 (2000)

(I) Deliberately change the classification level of information in an authorized manner.

- rekey n.

RFC 2828 (2000)

(I) Change the value of a cryptographic key that is being used in an application of a cryptographic system. (See: certificate rekey.)

NIST IR 7298 (2006)

SP 800-32

re-key (a certificate)

To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key.

- reliability n.

RFC 2828 (2000)

(I) The ability of a system to perform a required function under stated conditions for a specified period of time. (See: availability, survivability.)

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The property of consistent intended behaviour and results.

- relying party n.

RFC 2828 (2000)

(N) A synonym for certificate user. Used in a legal context to mean a recipient of a certificate who acts in reliance on that certificate. (See: ABA Guidelines.)

OASIS SAML 2.0 (2005)

A system entity that decides to take an action based on information from another system entity. For example, a SAML relying party depends on receiving assertions from an asserting party (a SAML authority) about a subject.

IAEG LIAF (2008)

An entity that relies upon a subscriber’s credentials, typically to process a transaction or grant access to information or a system.

NIST SP 800-63-1 DRAFT (2008)

An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system.

- remediation n.

NIST IR 7298 (2006)

SP 800-40 Ver 2

The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.

- remediation plan n.

NIST IR 7298 (2006)

SP 800-40 Ver 2

A plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.

- remote access n.

NIST IR 7298 (2006)

SP 800-18 Rev 1

Access by users (or information systems) communicating external to an information system security perimeter.

- Remote Authentication Dial-In User Service (RADIUS) n.

RFC 2828 (2000)

(I) An Internet protocol [R2138] for carrying dial-in users' authentication information and configuration information between a shared, centralized authentication server (the RADIUS server) and a network access server (the RADIUS client) that needs to authenticate the users of its network access ports. (See: TACACS.)

(C) A user of the RADIUS client presents authentication information to the client, and the client passes that information to the RADIUS server. The server authenticates the client using a shared secret value, then checks the user’s authentication information, and finally returns to the client all authorization and configuration information needed by the client to deliver service to the user.

- remote maintenance n.

NIST IR 7298 (2006)

SP 800-18 Rev 1

Maintenance activities conducted by individuals communicating external to an information system security perimeter.

- renew n.

See: certificate renewal.

- replay attack n.

RFC 2828 (2000)

(I) An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack. (See: active wiretapping.)

SC 27 SD 6 (2002)

ISO/IEC 9798-1: 1997

A masquerade which involves use of previously transmitted messages.

NIST SP 800-63-1 DRAFT (2008)

An attack in which the attacker is able to replay previously captured messages (between a legitimate claimant and a verifier) to masquerade as that claimant to the verifier or vice versa.

- repository n.

RFC 2828 (2000)

(I) A system for storing and distributing digital certificates and related information (including CRLs, CPSs, and certificate policies) to certificate users. (See: directory.)

(O) “A trustworthy system for storing and retrieving certificates or other information relevant to certificates.” [ABA]

(C) A certificate is published to those who might need it by putting it in a repository. The repository usually is a publicly accessible, on-line server. In the Federal Public-key Infrastructure, for example, the expected repository is a directory that uses LDAP, but also may be the X.500 Directory that uses DAP, or an HTTP server, or an FTP server that permits anonymous login.

NIST IR 7298 (2006)

SP 800-32

A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.

- repudiation n.

ISO/IEC 2382-8:1998

The denial by one of the entities involved in a communication of having participated in all or part of the communication. Note: In the description of techniques and mechanisms the term "non-repudiation" is often used to mean that none of the entities involved in a communication can deny its participation in the communication.

RFC 2828 (2000)

(I) Denial by a system entity that was involved in an association (especially an association that transfers information) of having participated in the relationship. (See: accountability, non-repudiation service.)

(O) “Denial by one of the entities involved in a communication of having participated in all or part of the communication.” [I7498 Part 2]

- Request for Comment (RFC) n.

RFC 2828 (2000)

(I) One of the documents in the archival series that is the official channel for ISDs and other publications of the Internet Engineering Steering Group, the Internet Architecture Board, and the Internet community in general. [R2026, R2223] (See: Internet Standard.)

- requester n., - requestor n.

See also: subject.

OASIS SAML 2.0 (2005)

requester, SAML requester

A system entity that utilizes the SAML protocol to request services from another system entity (a SAML authority, a responder). The term “client” for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML requester is architecturally distinct from the initial SOAP sender.

- resident security system (RSS) n.

A generic term for a guest access control service for IBM operating systems, such as CA eTrust CA-ACF2 for z/OS.

- residual data n.

ISO/IEC 2382-8:1998

Data left in a data medium after deletion of a file or a portion of a file. Note: Residual data remain recoverable until clearing of the data medium has taken place.

- residual risk n.

RFC 2828 (2000)

(I) The risk that remains after countermeasures have been applied.

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The risk that remains after implementation of the IT security plan.

ISO/IEC 17799: 2000

Any combination of the risk that have been accepted by the organization, the risks that remain after all identified controls have been implemented because further action could not be identified.

NIST IR 7298 (2006)

SP 800-33

The remaining, potential risk after all IT security measures are applied. There is a residual risk associated with each threat.

- resource n.

OASIS XACML 2.0 (2005)

Data, service or system component.

(1.1.2 Related terms) In the field of access control and authorization there are several closely related terms in common use. For purposes of precision and clarity, certain of these terms are not used in this specification. … The term object is in common use, but we use the term resource in this specification. …

OASIS SAML 2.0 (2005)

Data contained in an information system (for example, in the form of files, information in memory, etc., as well as:

A service provided by a system.
An item of system equipment (in other words, a system component such as hardware, firmware, software, or documentation).
A facility that houses system operations and equipment. [RFC2828]

SAML uses resource in the first two senses, and refers to resources by means of URI references.

modonis^IDM (2005)

Definition: A resource is either data related to some identity or identifiers, or a service acting on behalf of some identity or group of identities.

The set of technical, regulatory and organizational measures intended to protect system resources against access by unauthorized entities.

The second paragraph seems to relate to something else… resource access control?

- responder n.

OASIS SAML 2.0 (2005)

responder, SAML responder

A system entity (a SAML authority) that utilizes the SAML protocol to respond to a request for services from another system entity (a requester). The term “server” for this notion is not used because many system entities simultaneously or serially act as both clients and servers. In cases where the SOAP binding for SAML is being used, the SAML responder is architecturally distinct from the ultimate SOAP receiver.

NIST IR 7298 (2006)

FIPS 196

The entity that responds to the initiator of the authentication exchange.

- response n.

SC 27 SD 6 (2002)

ISO/IEC 9798-5: 1999

Data item sent by the claimant to the verifier, and which the verifier can process to help check the identity of the claimant.

SCA ISCTAG (2007)

A message returned by the integrated circuit chip to the terminal after the processing of a command message received by the chip.

- response time n.

iAfB-ICSA 1999

The time period required by a biometric system to return a decision on identification or verification of a biometric sample.

- responsible individual n.

NIST IR 7298 (2006)

SP 800-32

A trustworthy person designated by a sponsoring organization to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor.

- restore n.

See: card restore.

- revocation n.

See: certificate revocation.

- revocation date n.

RFC 2828 (2000)

(N) In an X.509 CRL entry, a date-time field that states when the certificate revocation occurred, i.e., when the CA declared the digital certificate to be invalid. (See: invalidity date.)

(C) The revocation date may not resolve some disputes because, in the worst case, all signatures made during the validity period of the certificate may have to be considered invalid. However, it may be desirable to treat a digital signature as valid even though the private key used to sign was compromised after the signing. If more is known about when the compromise actually occurred, a second date-time, an invalidity date, can be included in an extension of the CRL entry.

- revocation list n.

See: certificate revocation list.

- revoke n.

See: certificate revocation.

- RF n.

See: radio frequency.

- RFC n.

See: Request for Comment.

- RFID n.

See: radio frequency identification.

- RFID tag n.

SCA ISCTAG (2007)

RFID tags (labels)

Simple, low-cost and disposable electronic devices that are used to identify animals, track goods logistically and replace printed bar codes at retailers. RFID tags include an integrated circuit that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader’s RF field and transmits its ID to the reader. There is little to no security on the RFID tag or during communication with the reader. Typical RFID tags can be easily read from distances of several inches (centimeters) to several yards (meters) to allow easy tracking of goods.

- rich session n.

See: session.

- ridge n.

iAfB-ICSA 1999

The raised markings found across the fingertip. See also valley.

- ridge ending n.

iAfB-ICSA 1999

The point at which a finger image ridge ends.

- Rijndael n.

NIST IR 7298 (2006)

FIPS 197

Cryptographic algorithm specified in the Advanced Encryption Standard (AES).

- risk n.

ISO/IEC 2382-8:1998

The possibility that a particular threat will exploit a particular vulnerability of a data processing system.

RFC 2828 (2000)

(I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

(O) SET usage: “The possibility of loss because of one or more threats to information (not to be confused with financial or business risk).” [SET2]

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

NIST IR 7298 (2006)

SP 800-53; FIPS 200

The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

- risk acceptance n.

ISO/IEC 2382-8:1998

A managerial decision to accept a certain degree of risk, usually for technical or cost reasons.

- risk analysis n., - risk assessment n.

The terms risk analysis and risk assessment are generally held to be synonymous, but ISO/IEC PDTR 13335-1 (11/2001) makes a nice distinction:

risk assessment =	⎧		⎫
	⎪	risk identification	⎪
	⎪	+	⎪
	⎪	risk analysis	⎪
	⎪	+	⎪
	⎪	risk evaluation	⎪
	⎩		⎭

ISO/IEC 2382-8:1998

A systematic method of identifying the assets of a data processing system, the threats to those assets, and the vulnerability of the system to those threats.

RFC 2828 (2000)

(I) A process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

(C) The analysis lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first. It is usually financially and technically infeasible to counteract all aspects of risk, and so some residual risk will remain, even after all available countermeasures have been deployed. [FP031, R2196]

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

risk analysis

The systematic process of estimating the magnitude of risks.

ISO/IEC PDTR 13335-1 (11/2001)

risk assessment

The process of combining risk identification, risk analysis and risk evaluation.

ISO/IEC 17799: 2000

risk assessment

The assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.

NIST IR 7298 (2006)

SP 800-27A

risk analysis

The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.

SP 800-53

risk assessment

The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.

- risk evaluation n.

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The process of comparing analysed levels of risk against pre-established criteria and identifying areas needing risk treatment.

See: risk analysis.

- risk identification n.

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The process of identifying risks considering business objectives, threats and vulnerabilities as the basis for further analysis.

See: risk analysis.

- risk treatment n.

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The process of defining an IT security management plan based on risk evaluation.

- risk management n.

RFC 2828 (2000)

(I) The process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. (See: risk analysis.)

SC 27 SD 6 (2002)

ISO/IEC PDTR 13335-1 (11/2001)

The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.

ISO/IEC 17799: 2000

The process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.

NIST IR 7298 (2006)

SP 800-53

The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.

FIPS 200

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes:

the conduct of a risk assessment;
the implementation of a risk mitigation strategy; and
employment of techniques and procedures for the continuous monitoring of the security state of the information system.

FIPS 191

The process of –

estimating potential losses due to the use of or dependence upon automated information system technology,
analyzing potential threats and system vulnerabilities that contribute to loss estimates, and
selecting cost effective safeguards that reduce risk to an acceptable level.

- risk mitigation n.

NIST IR 7298 (2006)

SP 800-30

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

- risk tolerance n.

NIST IR 7298 (2006)

SP 800-32

The level of risk an entity is willing to assume in order to achieve a potential desired result.

- Rivest Cipher #2 (RC2) n.

RFC 2828 (2000)

(N) A proprietary, variable-key-length block cipher invented by Ron Rivest for RSA Data Security, Inc. (now a wholly-owned subsidiary of Security Dynamics, Inc. [now RSA, The Security Division of EMC]).

- Rivest Cipher #4 (RC4) n.

RFC 2828 (2000)

(N) A proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc. (now a wholly-owned subsidiary of Security Dynamics, Inc. [now RSA, The Security Division of EMC]).

- Rivest Cipher #6 (RC6) n.

An AES finalist.

- Rivest-Shamir-Adleman (RSA) n.

RFC 2828 (2000)

(N) An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78, Schn].

(C) RSA uses exponentiation modulo the product of two large prime numbers. The difficulty of breaking RSA is believed to be equivalent to the difficulty of factoring integers that are the product of two large prime numbers of approximately equal size.

(C) To create an RSA key pair, randomly choose two large prime numbers, p and q, and compute the modulus, n = pq. Randomly choose a number e, the public exponent, that is less than n and relatively prime to (p-1)(q-1). Choose another number d, the private exponent, such that ed-1 evenly divides (p-1)(q-1). The public key is the set of numbers (n,e), and the private key is the set (n,d).

(C) It is assumed to be difficult to compute the private key (n,d) from the public key (n,e). However, if n can be factored into p and q, then the private key d can be computed easily. Thus, RSA security depends on the assumption that it is computationally difficult to factor a number that is the product of two large prime numbers. (Of course, p and q are treated as part of the private key, or else destroyed after computing n.)

(C) For encryption of a message, m, to be sent to Bob, Alice uses Bob’s public key (n,e) to compute m**e (mod n) = c. She sends c to Bob. Bob computes c**d (mod n) = m. Only Bob knows d, so only Bob can compute c**d (mod n) = m to recover m.

(C) To provide data origin authentication of a message, m, to be sent to Bob, Alice computes m**d (mod n) = s, where (d,n) is Alice’s private key. She sends m and s to Bob. To recover the message that only Alice could have sent, Bob computes s**e (mod n) = m, where (e,n) is Alice’s public key.

(C) To ensure data integrity in addition to data origin authentication requires extra computation steps in which Alice and Bob use a cryptographic hash function h (as explained for digital signature). Alice computes the hash value h(m) = v, and then encrypts v with her private key to get s. She sends m and s. Bob receives m' and s', either of which might have been changed from the m and s that Alice sent. To test this, he decrypts s' with Alice’s public key to get v'. He then computes h(m') = v";. If v' equals v", Bob is assured that m' is the same m that Alice sent.

SCA ISCTAG (2007)

Refers to public/private key encryption technology that uses an algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman and that is owned and licensed by RSA Security [now RSA, The Security Division of EMC].

- ROC n.

See: receiver operating characteristics/curves.

- role n.

The originals sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both ―
	The GNU Free Documentation License	A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
	http://homepage.mac.com/antallan/gistr.html	Last updated Wednesday 10 December 2008

Ant’s HomePage ⇧ Security Matters ⇧ GIST ⇧ R

GIST v0.7 ― R “RA” to “rule-combining algorithm”

R

Ant’s HomePage
⇧ Security Matters
⇧ GIST
⇧ R

GIST v0.7 ― R
“RA” to “rule-combining algorithm”