Information Security Glossary - Technical Terms

This glossary has been put together from various sources, with many definitions rewritten to clarify them. It includes general computing terms frequently used in Information Security. If you require explanation, want to challenge a definition, or wish to suggest an addition, please contact info@janainformation.com

General Glossary


Access Control List (ACL)

A sequential list of permit and deny conditions that define the connections allowed to pass through a device, usually a router.

ActiveX

A programming environment developed by Microsoft Corporation which competes directly with Sun Microsystems’ Java. ActiveX presents a security risk because its executable ActiveX control files run on the client and can be used to gain illicit access to its files.

ActiveX Stripping

The ability to prevent ActiveX programs from being executed on the client by removing all ActiveX programs from HTML pages as they are downloaded.

Address Resolution Protocol (ARP)

The protocol used inside networks to bind high-level IP addresses to low-level physical hardware addresses.

ANSI

American National Standards Institute - The organisation which issues standards in the USA.

Anti-Spoofing

A method used to protect a network against IP spoofing attacks by verifying that a packet’s source and destination IP addresses are appropriate to the interface through which the packet passes. One method to avoid IP spoofing attacks is to hide internal IP addresses so that external users cannot determine what they are.

APACS

Association of Payment And Clearance Services: UK national clearing system.

API

Application program interface.

Application Layer

The seventh layer of the ISO Reference Model which provides communication between applications.

Application Security

The provision of security services within user applications running above the Application Layer of the ISO Reference Model.

ASCII

American Standard Code for Information Interchange - the standard system for representing letters and symbols. Each letter or symbol is assigned a unique number between 0 and 127.

Asynchronous Transfer Mode

ATM protocols are designed to handle isochronous (time critical) data such as telephony (audio) and video, in addition to more conventional inter-computer data communications.


Bell-La Padula Security Model

Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorisations.

Biba Integrity Model

A formal security model for the integrity of subjects and objects in a system.

Binary Digit

The smallest unit of information stored electronically. It can only have the value 0 or 1. The term is always abbreviated to Bit.

Bit 

See Binary Digit

Block Cipher

A cipher that provides encryption and decryption by operating on a specified size of data block, e.g. 64 bits.

Byte

A unit of computer data consisting of 8 Bits.


CBAC (Context-based Access Control)

A per-application control mechanism for IP traffic, which tracks the state and context of network connections to secure traffic flow.

CHAP (Challenge-Handshake Authentication Protocol)

A protocol supported on Point-to-Point Protocol (PPP) links used to authenticate network peers using a 3-way handshake in which a random challenge is sent to a peer and must be responded to correctly. Defined in RFC 1334.

Checksum

A value calculated from item(s) of data that can be used by a recipient of the data to verify that the received data has not been altered. Usually 32 or 64 bits long.

Cipher

Alternative term for an encryption Algorithm

Ciphertext

A term used to describe text (or data) that has previously been encrypted; see Encryption.

CRL

Certificate Revocation List – a database of Certificates no longer valid within a given security infrastructure.

CVV

Card Verification Value. A cryptographic checksum used to protect the data on the magnetic stripe of debit and credit cards.


Daemon (Disk And Execution MONitor)

A software program that is not invoked explicitly, but lies dormant waiting for some condition or conditions to occur. The idea is that the perpetrator of the condition need not be aware that a daemon is lurking in the computer system (though often a program will commit an action only because it knows that it will implicitly invoke a daemon). Daemons are not necessarily malicious, for example in Unix a request to print invokes a spooling daemon, which will then print the file. However, daemons are often installed surreptitiously by hackers and used to carry out actions unwanted by the system owner.

DES (Data Encryption Standard)

A secret key encryption Algorithm that was first developed by IBM and submitted to the US government as part of the Fed-Std-1027 program. Now approved for use on all US government sensitive, unclassified information and heavily adopted by the network security industry.

DHCP (Dynamic Host Configuration Protocol)

A protocol used to enable hosts (DHCP Clients) on an IP network to obtain their configurations from a server (DHCP Server). The most significant configuration option the client receives from the server is its IP address. The overall purpose is to reduce the work necessary to administer a large IP network. Defined in RFC 2131.

Diffie-Hellman

A public-key-based key management system developed by Whitfield Diffie and Martin Hellman at Stanford University in 1976 that allows two users or network devices to exchange public keys over an unsecured medium and calculate a shared secret key that is only known by them.

Directory Service

A standard database which typically stores user definitions, user profiles, and network resource definitions.

DNS (Domain Name Server)

A system that maps names of objects (most usually host names) into IP numbers or other resource record values.

DNS Spoofing

Assuming the DNS name of another system by either corrupting the name service cache of a victim system or by compromising a domain name server for a valid domain.

DSA

Digital Signature Algorithm – the algorithm used in creating the digital signature for a given message or transaction.

DSP

Digital Signal Processor. A microprocessor specifically designed to perform high-speed mathematical operations.

DSS (Digital Signature Standard)

A digital signature standard established in 1994 by the National Institute of Standards and Technology. Based on work done by El Gamal at Stanford University that makes use of Diffie-Hellman public key cryptography. A digital signature is created with a user's private key and can be verified by anyone possessing the user's public key.

DUKPT

Derived Unique Key Per Transaction - An American transaction key scheme standard. See Transaction Key.


EEPROM

Electronically Erasable Programmable Read Only Memory. See PROM.

EFT

Electronic Funds Transfer - A method used by banks to automate payments. Instead of writing and sending cheques, payment instructions are transmitted and processed electronically.

EFTPOS

Electronic Funds Transfer at the Point Of Sale - A method used by banks to process EFT instructions generated in a retail environment.

ESP (Encapsulating Security Payload)

A standard that specifies how to append an encrypted IP packet with a new source and destination address. Defined in RFC 1827.

Ethernet

A standard for Local Area Network communications.


File Transfer Protocol (FTP)

A client-server protocol that allows a user on one computer to transfer files to and from another computer over a TCP/IP network. Also the client program the user executes to transfer files.

FIPS

Federal Information Processing Standard (USA) - see http://www.itl.nist.gov/fipspubs/index.htm

Firmware

A combination of hardware and software, i.e. a computer program or set of functions (the software) that is held in a PROM (the hardware).

Fix

Correction for a software resource providing resolution for an error within this resource. A fix is usually an emergency solution, which will be formally incorporated into an operating system upgrade or Service Pack release at a future date.

Frame

The packet transmitted by the data link layer in the OSI model.

FTP

See File Transfer Protocol


GSS-API

General Security Service Application Program Interface


Hash

A hash or hash value is the result of processing data using a Hash Function.

Hash Function

A function that maps a set of variable size data into objects of a single size

Hashing

The process of calculating a hash value.

HDLC

High level Data Link Control - A link level bit-oriented protocol that operates at level 2 of the ISO 7 layer communications stack.

HSM

Host Security Module. The HSM is a tamper resistant, hardware security module that connects as a peripheral to a host computer. The HSM provides the host with a secure environment in which to perform its cryptographic processing.

Hyper Text Transfer Protocol (HTTP)

The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web (WWW). Relative to the TCP-IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol, which works on top of them. The primary concept that makes HTTP so useful is that files can contain references to other files whose selection will elicit additional transfer requests (hypertext), i.e. pages are linked to one another so that the user can browse from page to page looking for information.


IBM Channel

A byte-wide IBM copper communications link defined by FIPS 60.

IDUP-GSS-API

Independent Data Unit Protection GSS-API

IETF

Internet Engineering Task Force – a body associated with the establishment and maintenance of technical standards and protocols for the Internet

Internet Protocol (IP)

The network layer for the TCP-IP protocol suite widely used on Ethernet networks and the Internet, defined in STD 5, RFC 791. IP is a connection-less, best-effort packet-switching protocol. It provides packet routing, fragmentation and re-assembly through the data link layer.

Internet Protocol Security Standard (IPSEC)

An encryption and authentication scheme supporting multiple encryption and authentication Algorithms.

I/O Buffers

Input and Output buffers - used to store input and output data before and after processing the data.

IP

Internet Protocol - see TCP/IP

IP Splicing/Hijacking

An attack whereby an active, established session is intercepted and co-opted by the attacker. IP Splicing attacks occur after an authentication has been made, permitting the attacker to assume the role of an already authorised user. Primary protections against IP Splicing rely on encryption at the session or network layer.

IP Spoofing

An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.

IPKI

Internet Public Key Infrastructure – see PKIX

IPSEC Working Group

An IETF working group tasked with developing standards for security protocols to provide IP security services that will support combinations of authentication, integrity, access control, and confidentiality.

IPV6

IPV6 is the new Internet Protocol that will be replacing the current IPV4 Protocol within the next couple of years. See http://www.ipv6.com/

ISAKMP/Oakley (Internet Security Architecture Key Management Protocol/Oakley)

A combination of security protocols used to establish security contexts and encrypting keys between a pair of hosts on the Internet. A mandatory standard in IPV6.

ISO

International Organisation for Standardisation - The worldwide federation of international standards bodies.

ISOCOR

An independent software vendor specialising in messaging products and associated directory servers


Java

A platform independent programming environment developed by Sun Microsystems and supported by numerous vendors, including Microsoft. Java applets can run on the client and can be used to gain illicit access to its files.

Javascript

A scripting language conforming to the standards of Sun Microsystems’ Java programming language

Java Stripping

The ability to prevent Java code from being executed on the client by removing all Java tags from HTML pages as they are downloaded.


Kerberos

An authentication service developed at MIT that uses secret-key techniques for encryption and authentication to authenticate network resources (rather than network users as with other authentication services). Defined in RFC 1510.


LAN

Local Area Network

L2F (Layer Two Forwarding)

Cisco's VPDN protocol for forwarding the authentication and authorisation process from an Internet service provider to a corporate firewall or router.

L2TP (Layer Two Tunnelling Protocol)

An IETF standard that combines aspects of Cisco's Layer Two Forwarding (L2F) protocol and Microsoft's Point-to-Point Tunnelling Protocol (PPTP) for implementing a VPDN.

LDAP

Lightweight Directory Applications Protocol – the Internet standard for simple directories for use in messaging and similar applications. A simplification of the X.500 DAP, it allows Internet clients to access and manage a database of directory services over a TCP/IP connection.

LMK

Local Master Key - The top level master key used by a hardware security module to protect all other keys stored on the local data base. The LMK is usually a double length DES key.


MAC

Message Authentication Code – a unique message parameter allowing confirmation that the given message has not been tampered with during storage or transport

MD5 (Message Digest 5)

The latest in a line of Algorithms used to create a digital signature for a message to prove authorship. After the message is compressed with the algorithm (also known as hashing), the result is signed with the author's private key using Public Key cryptography. MD5 is a SNMPv2 requirement as specified in RFC 1446.

Message Digest

Same as Hash Value.

MTBF

Mean Time Between Failures - A measure of a piece of equipment’s reliability.


NAS (Network Access Server)

A server providing remote access services to multiple dial-up users.

NAT (Network Address Translation)

A feature of firewalls and routers that prevents internal addresses from appearing to users outside the network. It also helps conserve IP addresses.

Network Operating System

Operating system for network support, as for example Novell Netware or Windows 2000 Server.


OS

Operating System, e.g. IBM AS/400, Microsoft Windows, Unix, Linux, etc.

OSI

Open Systems Interconnection - a standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.

Operating System Resources

The data objects which make up the operating system, namely the system control program and its access control mechanisms, and those subsystems and program products which enable application program operation. Most of these come from the system's supplier, e.g. IBM AS/400, Microsoft Windows, Sun Solaris etc.


PAP (Password Authentication Protocol)

A protocol supported on Point-to-Point Protocol (PPP) links that is used to authenticate network peers by means of unencrypted user ids and passwords. Defined in RFC 1334.

PAS 56

A Code of Practice in the UK for Business Continuity Management that will eventually be replaced by BS 25999.

PKCS

Public Key Cryptography Standard – a set of commonly applied data cryptography standards developed by RSA Data Security Inc., e.g.

PKIX

Extended Public Key Infrastructure – an industry standard endorsed by the IETF for the application of a public key infrastructure

Portable Storage Media

Interchangeable recording media such as tapes, diskettes or CDs.

PROM

Programmable Read Only Memory: a safe way of storing software in a hardware chip.

PVK

PIN Verification Key - A DES key that controls the generation of PINs and PIN offsets.

PVV

PIN Verification Value - A value that is derived from an account number and PIN using a pair of PIN Verification Keys. Used to verify cardholder PINs on the Visa ATM network.


 


RADIUS (Remote Authentication Dial-In User Service)

A protocol used to build a trusted third-party authentication server for positively identifying network users and granting access privileges. This protocol aims to centralise authentication, configuration, and accounting of dial-in services to an independent server. Defined in RFC 2138.

RAM

Random Access Memory - Used by microprocessors to store programs and data.

RAMBUTAN

A UK government-defined cryptographic Algorithm

RC4

An Encryption Algorithm developed for RSA Data Security Inc., now in the public domain

RFC

Request For Comment - a misleading name for what is effectively a de facto Internet standard. RFCs are published by the IETF

ROM

Read Only Memory - An area of memory used in computers to store programs and data that cannot be changed.

Router

Connection unit (hardware and associated software) between LAN/WAN segments.


SDLC

Synchronous Data Link Control - Bit-oriented protocol, a subset of HDLC.

Security Resource Manager

Racal owned host application software used to manage the interface between multiple applications and multiple HSMs attached to: IBM MVS systems, Tandem Guardian systems or UNIX systems.

SHA-1

Secure Hash Algorithm – a hash function first originated by the US National Security Agency (NSA) and National Institute of Standards and Technology (NIST).

S-HTTP (Secure Hypertext Transfer Protocol)

Extension to HTTP that provides confidentiality, authentication, integrity, and non-repudiation while supporting multiple key management techniques and cryptographic Algorithms via option negotiation between the parties involved in each transaction.

SKIP (Secure Key management for the Internet Protocol)

A security protocol based on public-key cryptography that is used to establish security contexts and encrypting keys between a pair of hosts on the Internet. An elective standard in IPV6.

S/MIME (Secure Multipurpose Internet Mail Extensions)

A standard that adds digital signatures and encryption to Internet MIME messages using X.509 public-key certificates. Defined in RFC 1521.

SNA

Systems Network Architecture - An IBM communications protocol.

SNA/SDLC

SNA protocol running over an SDLC link.

SSL

Secure Sockets Layer – an encryption standard devised by Netscape Communications for secure communication over the World Wide Web. Now in widespread use in all web browsers using Internet protocols such as HTTP, File Transfer Protocol (FTP), and Telnet. It is about to be superseded by TLS, an open standard developed by the IETF.


TACACS

See Terminal Access Controller Access Control System

TCP/IP

See Transmission Control Protocol/Internet Protocol

Telnet

The Internet standard protocol for remote login - it runs on top of TCP-IP.

Terminal Access Controller Access Control System (TACACS)

A protocol derived from the U.S. Department of Defence used to build a trusted third-party authentication server for positively identifying network users and granting access privileges. Defined in RFC 1492.

TMK

Terminal Master Key - A terminal resident DES master key used for encrypting any data keys used by the terminal.

TPK

Terminal PIN Key - A terminal resident DES key used for encrypting PINs in outgoing messages.

Transmission Control Protocol over Internet Protocol (TCP/IP)

The de facto standard suite of communication protocols used for Ethernet networks and the Internet. TCP is built on top of Internet Protocol (IP) and is nearly always seen in the combination TCP/IP (TCP over IP). It adds reliable communication, flow control, multiplexing and connection-oriented communication. It provides full-duplex, process-to-process connections. While TCP and IP specify two protocols at specific protocol layers, TCP-IP is used to refer to the entire protocol suite based upon these, including Telnet, FTP and UDP.

Triple-DES (Data Encryption Standard)

The process of running the DES Encryption Algorithm three times with two keys. Triple-DES is 112-Bit and 168-Bit.


UDP

Universal Datagram Packets - Connectionless Internet protocol with no guarantee of delivery.


VBScript

Scripting language based on the Visual Basic programming language

Virtual Private Dial-Up Network (VPDN)

A special case of Virtual Private Network, for connection of dial-up users to a private network over a public network, such as the Internet.


WAN

Wide Area Network


X.509

An International Telecommunications Union (ITU) standard that specifies the authentication service for X.500 directories and a syntax for Public Key Certificates.


 


ZMK

Zone Master Key - The master DES key used in a network to encrypt data keys exchanged between two secure entities.

