rfc2828.txt

   The paragraph marking "C" identifies text that is advisory or
   tutorial. This text MAY be reused in other Internet documents.  This
   text is not intended to be authoritative, but is provided to clarify
   the definitions and to enhance this Glossary so that Internet
   security novices can use it as a tutorial.

3. Definitions

   Note: Each acronym or other abbreviation (except items of common
   English usage, such as "e.g.", "etc.", "i.e.", "vol.", "pp.", "U.S.")
   that is used in this Glossary, either in a definition or as a subpart
   of a defined term, is also defined in this Glossary.

   $ 3DES
      See: triple DES.

   $ *-property
      (N) (Pronounced "star property".) See: "confinement property"
      under Bell-LaPadula Model.





Shirey                       Informational                      [Page 6]

RFC 2828               Internet Security Glossary               May 2000


   $ ABA Guidelines
      (N) "American Bar Association (ABA) Digital Signature Guidelines"
      [ABA], a framework of legal principles for using digital
      signatures and digital certificates in electronic commerce.

   $ Abstract Syntax Notation One (ASN.1)
      (N) A standard for describing data objects. [X680]

      (C) OSI standards use ASN.1 to specify data formats for protocols.
      OSI defines functionality in layers. Information objects at higher
      layers are abstractly defined to be implemented with objects at
      lower layers. A higher layer may define transfers of abstract
      objects between computers, and a lower layer may define transfers
      concretely as strings of bits. Syntax is needed to define abstract
      objects, and encoding rules are needed to transform between
      abstract objects and bit strings. (See: Basic Encoding Rules.)

      (C) In ASN.1, formal names are written without spaces, and
      separate words in a name are indicated by capitalizing the first
      letter of each word except the first word. For example, the name
      of a CRL is "certificateRevocationList".
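      The following is an added example, not text or code from RFC 2828 or
      from any ASN.1 library: a minimal encoder and decoder for the three
      most common ASN.1 types (INTEGER, OCTET STRING, SEQUENCE) using the
      Distinguished Encoding Rules (DER), the canonical subset of the Basic
      Encoding Rules mentioned above. It shows concretely what "encoding
      rules" transform between: an abstract value (a Python int, bytes or
      list) and a tag-length-value octet string. The decoder also rejects
      the BER freedoms DER forbids (indefinite length, non-minimal length
      and integer encodings), which is the check a certificate or CRL
      parser needs so that one abstract value has exactly one bit-string
      form. Type names and the sample value are constructed for the example.

```python
"""Minimal DER encoder/decoder for INTEGER, OCTET STRING and SEQUENCE.
Added example, not part of RFC 2828 or of any ASN.1 library. Abstract
values (Python int, bytes, list) map to tag-length-value octet strings
and back; non-canonical BER forms are rejected so each value has one encoding."""
from typing import List, Tuple, Union

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30  # universal tag 16 with the constructed bit (0x20) set
Value = Union[int, bytes, List["Value"]]


def _encode_length(n: int) -> bytes:
    """Definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_integer(v: int) -> bytes:
    """Two's-complement content octets using the fewest bytes DER allows."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= v < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return v.to_bytes(nbytes, "big", signed=True)


def encode(value: Value) -> bytes:
    """Encode one abstract value as a DER TLV."""
    if isinstance(value, int):
        tag, content = TAG_INTEGER, _encode_integer(value)
    elif isinstance(value, (bytes, bytearray)):
        tag, content = TAG_OCTET_STRING, bytes(value)
    elif isinstance(value, list):
        tag, content = TAG_SEQUENCE, b"".join(encode(v) for v in value)
    else:
        raise TypeError(f"unsupported type {type(value).__name__}")
    return bytes([tag]) + _encode_length(len(content)) + content


def _read_length(data: bytes, pos: int, limit: int) -> Tuple[int, int]:
    """Parse a DER length at data[pos]; return (length, position after it)."""
    if pos >= limit:
        raise ValueError("truncated: missing length octet")
    first, pos = data[pos], pos + 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is BER-only, not allowed in DER")
    nbytes = first & 0x7F
    if pos + nbytes > limit:
        raise ValueError("truncated: long-form length runs past the buffer")
    length = int.from_bytes(data[pos:pos + nbytes], "big")
    # DER: no leading zero length octets, no long form for values below 128.
    if data[pos] == 0x00 or length < 0x80:
        raise ValueError("non-minimal length encoding is not DER")
    return length, pos + nbytes


def _decode_at(data: bytes, pos: int, limit: int) -> Tuple[Value, int]:
    """Decode one TLV inside data[pos:limit]; return (value, position after it)."""
    if pos >= limit:
        raise ValueError("truncated: missing tag octet")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers not supported in this example")
    length, pos = _read_length(data, pos + 1, limit)
    end = pos + length
    if end > limit:
        raise ValueError("truncated: value runs past its enclosing length")
    content = data[pos:end]
    if tag == TAG_INTEGER:
        if not content:
            raise ValueError("INTEGER needs at least one content octet")
        if len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                                 or (content[0] == 0xFF and content[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER encoding is not DER")
        return int.from_bytes(content, "big", signed=True), end
    if tag == TAG_OCTET_STRING:
        return content, end
    if tag == TAG_SEQUENCE:
        items: List[Value] = []
        while pos < end:
            item, pos = _decode_at(data, pos, end)  # children bounded by the SEQUENCE
            items.append(item)
        return items, end
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def decode(data: bytes) -> Value:
    """Decode exactly one top-level TLV; trailing octets are an error."""
    value, end = _decode_at(data, 0, len(data))
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing octet(s) after the TLV")
    return value
```

      With the constructed value SEQUENCE { INTEGER 1, OCTET STRING "ab",
      INTEGER -128 }, encode([1, b"ab", -128]) yields the octets
      30 0a 02 01 01 04 02 61 62 02 01 80, and decode() returns the
      original list. The same bytes with a length written as 81 01 instead
      of 01, or with an INTEGER padded to 00 05, are valid BER but are
      refused here, which is what prevents two distinct bit strings from
      standing for one signed object.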

   $ ACC
      See: access control center.

   $ access
      (I) The ability and means to communicate with or otherwise
      interact with a system in order to use system resources to either
      handle information or gain knowledge of the information the system
      contains.

      (O) "A specific type of interaction between a subject and an
      object that results in the flow of information from one to the
      other." [NCS04]

      (C) In this Glossary, "access" is intended to cover any ability to
      communicate with a system, including one-way communication in
      either direction. In actual practice, however, entities outside a
      security perimeter that can receive output from the system but
      cannot provide input or otherwise directly interact with the
      system, might be treated as not having "access" and, therefore, be
      exempt from security policy requirements, such as the need for a
      security clearance.

   $ access control
      (I) Protection of system resources against unauthorized access; a
      process by which use of system resources is regulated according to
      a security policy and is permitted by only authorized entities
      (users, programs, processes, or other systems) according to that
      policy. (See: access, access control service.)

      (O) "The prevention of unauthorized use of a resource, including
      the prevention of use of a resource in an unauthorized manner."
      [I7498 Part 2]

   $ access control center (ACC)
      (I) A computer containing a database with entries that define a
      security policy for an access control service.

      (C) An ACC is sometimes used in conjunction with a key center to
      implement access control in a key distribution system for
      symmetric cryptography.

   $ access control list (ACL)
      (I) A mechanism that implements access control for a system
      resource by enumerating the identities of the system entities that
      are permitted to access the resource. (See: capability.)

   $ access control service
      (I) A security service that protects against a system entity using
      a system resource in a way not authorized by the system's security
      policy; in short, protection of system resources against
      unauthorized access. (See: access control, discretionary access
      control, identity-based security policy, mandatory access control,
      rule-based security policy.)

      (C) This service includes protecting against use of a resource in
      an unauthorized manner by an entity that is authorized to use the
      resource in some other manner. The two basic mechanisms for
      implementing this service are ACLs and tickets.

   $ access mode
      (I) A distinct type of data processing operation--e.g., read,
      write, append, or execute--that a subject can potentially perform
      on an object in a computer system.

   $ accountability
      (I) The property of a system (including all of its system
      resources) that ensures that the actions of a system entity may be
      traced uniquely to that entity, which can be held responsible for
      its actions. (See: audit service.)

      (C) Accountability permits detection and subsequent investigation
      of security breaches.
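      The following is an added example, not text or code from RFC 2828 or
      from any particular system: a small ACL-based access control service
      that ties together the four entries above. It enumerates, per
      resource, the subjects permitted and the access modes (read, write,
      append, execute) each may use; it denies by default any subject or
      resource not enumerated; it denies a subject that is authorized for
      the resource but requests a mode its entry lacks (the case the
      "access control service" entry singles out); and it records every
      decision so that each action can be traced to the requesting entity,
      which is the accountability property. Subject names, resource paths
      and grants are constructed for the example; tickets, the other
      mechanism named above, are not modelled.

```python
"""ACL-based access control service with an audit trail for accountability.
Added example, not part of RFC 2828. Subjects, resources and grants are
constructed for illustration. Decisions default to deny, and every decision
is recorded so that actions can be traced back to the requesting entity."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# The access modes named in the glossary; any other mode is refused.
ACCESS_MODES = frozenset({"read", "write", "append", "execute"})


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    resource: str
    mode: str
    permitted: bool
    reason: str


class AccessControlService:
    """Per-resource ACLs: resource -> subject -> set of permitted modes."""

    def __init__(self) -> None:
        self._acl: Dict[str, Dict[str, FrozenSet[str]]] = {}
        self.audit: List[AuditRecord] = []

    def grant(self, resource: str, subject: str, *modes: str) -> None:
        """Add an ACL entry; modes accumulate across calls for one subject."""
        bad = set(modes) - ACCESS_MODES
        if bad:
            raise ValueError(f"unknown access mode(s): {sorted(bad)}")
        entries = self._acl.setdefault(resource, {})
        entries[subject] = entries.get(subject, frozenset()) | frozenset(modes)

    def check(self, subject: str, resource: str, mode: str) -> bool:
        """Decide one access request and record the decision (default deny)."""
        if mode not in ACCESS_MODES:
            permitted, reason = False, "unknown access mode"
        elif resource not in self._acl:
            permitted, reason = False, "resource has no ACL"
        elif subject not in self._acl[resource]:
            permitted, reason = False, "subject not enumerated in ACL"
        elif mode not in self._acl[resource][subject]:
            # Authorized to use the resource, but not in this manner.
            permitted, reason = False, f"ACL entry lacks mode {mode!r}"
        else:
            permitted, reason = True, "ACL entry permits mode"
        self.audit.append(AuditRecord(subject, resource, mode, permitted, reason))
        return permitted

    def who_can(self, resource: str, mode: str) -> List[str]:
        """The question an ACL answers directly: who may access this object?"""
        return sorted(s for s, m in self._acl.get(resource, {}).items() if mode in m)

    def trace(self, subject: str) -> List[AuditRecord]:
        """Accountability: every recorded decision attributable to one subject."""
        return [r for r in self.audit if r.subject == subject]


if __name__ == "__main__":
    svc = AccessControlService()
    svc.grant("/srv/crl/current.crl", "publisher", "write")
    svc.grant("/srv/crl/current.crl", "relying-party", "read")
    print(svc.check("relying-party", "/srv/crl/current.crl", "read"))   # True
    print(svc.check("relying-party", "/srv/crl/current.crl", "write"))  # False
    print(svc.check("outsider", "/srv/crl/current.crl", "read"))        # False
    for record in svc.trace("relying-party"):
        print(record)
```

      The ACL is keyed by resource, so who_can() is cheap while the
      reverse question (everything one subject may touch) requires a scan
      of all lists; that asymmetry is the usual contrast with capabilities,
      which the "access control list" entry cross-references. The audit
      list is what makes a denied write attributable after the fact; in a
      real system it would be written to protected storage rather than
      kept in process memory.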

   $ accredit
   $ accreditation
      (I) An administrative declaration by a designated authority that
      an information system is approved to operate in a particular
      security configuration with a prescribed set of safeguards.
      [FP102] (See: certification.)

      (C) An accreditation is usually based on a technical certification
      of the system's security mechanisms. The terms "certification" and
      "accreditation" are used more in the U.S. Department of Defense
      and other government agencies than in commercial organizations.
      However, the concepts apply any place where managers are required
      to deal with and accept responsibility for security risks. The
      American Bar Association is developing accreditation criteria for
      CAs.

   $ ACL
      See: access control list.

   $ acquirer
      (N) SET usage: "The financial institution that establishes an
      account with a merchant and processes payment card authorizations
      and payments." [SET1]

      (O) "The institution (or its agent) that acquires from the card
      acceptor the financial data relating to the transaction and
      initiates that data into an interchange system." [SET2]

   $ active attack
      See: (secondary definition under) attack.

   $ active wiretapping
      See: (secondary definition under) wiretapping.

   $ add-on security
      (I) "The retrofitting of protection mechanisms, implemented by
      hardware or software, after the [automatic data processing] system
      has become operational." [FP039]

   $ administrative security
      (I) Management procedures and constraints to prevent unauthorized
      access to a system. (See: security architecture.)

      (O) "The management constraints, operational procedures,
      accountability procedures, and supplemental controls established
      to provide an acceptable level of protection for sensitive data."
      [FP039]

      (C) Examples include clear delineation and separation of duties,
      and configuration control.

   $ Advanced Encryption Standard (AES)
      (N) A future FIPS publication being developed by NIST to succeed
      DES. Intended to specify an unclassified, publicly-disclosed,
      symmetric encryption algorithm, available royalty-free worldwide.

   $ adversary
      (I) An entity that attacks, or is a threat to, a system.

   $ aggregation
      (I) A circumstance in which a collection of information items is
      required to be classified at a higher security level than any of
      the individual items that comprise it.

   $ AH
      See: Authentication Header.

   $ algorithm
      (I) A finite set of step-by-step instructions for a problem-
      solving or computation procedure, especially one that can be
      implemented by a computer. (See: cryptographic algorithm.)

   $ alias
      (I) A name that an entity uses in place of its real name, usually
      for the purpose of either anonymity or deception.

   $ American National Standards Institute (ANSI)
      (N) A private, not-for-profit association of users, manufacturers,
      and other organizations, that administers U.S. private sector
      voluntary standards.

      (C) ANSI is the sole U.S. representative to the two major non-
      treaty international standards organizations, ISO and, via the
      U.S. National Committee (USNC), the International Electrotechnical
      Commission (IEC).

   $ anonymous
      (I) The condition of having a name that is unknown or concealed.
      (See: anonymous login.)

      (C) An application may require security services that maintain
      anonymity of users or other system entities, perhaps to preserve
      their privacy or hide them from attack. To hide an entity's real
      name, an alias may be used. For example, a financial institution
      may assign an account number. Parties to a transaction can thus
      remain relatively anonymous, but can also accept the transaction
      as legitimate. Real names of the parties cannot be easily
      determined by observers of the transaction, but an authorized
      third party may be able to map an alias to a real name, such as by
      presenting the institution with a court order. In other
      applications, anonymous entities may be completely untraceable.

   $ anonymous login
      (I) An access control feature (or, rather, an access control
      weakness) in many Internet hosts that enables users to gain access
      to general-purpose or public services and resources on a host
      (such as allowing any user to transfer data using File Transfer
      Protocol) without having a pre-established, user-specific account
      (i.e., user name and secret password).

      (C) This feature exposes a system to more threats than when all
      the users are known, pre-registered entities that are individually
      accountable for their actions. A user logs in using a special,
      publicly known user name (e.g., "anonymous", "guest", or "ftp").
      To use the public login name, the user is not required to know a
      secret password and may not be required to input anything at all
      except the name. In other cases, to complete the normal sequence
      of steps in a login protocol, the system may require the user to
      input a matching, publicly known password (such as "anonymous") or
      may ask the user for an e-mail address or some other arbitrary
      character string.

   $ APOP
      See: POP3 APOP.

   $ archive
      (I) (1.) Noun: A collection of data that is stored for a
      relatively long period of time for historical and other purposes,
      such as to support audit service, availability service, or system
      integrity service. (See: backup.) (2.) Verb: To store data in such
      a way. (See: back up.)

      (C) A digital signature may need to be verified many years after
      the signing occurs. The CA--the one that issued the certificate
      containing the public key needed to verify that signature--may not
      stay in operation that long. So every CA needs to provide for
      long-term storage of the information needed to verify the
      signatures of those to whom it issues certificates.

   $ ARPANET
      (N) Advanced Research Projects Agency Network, a pioneer packet-
      switched network that was built in the early 1970s under contract
      to the U.S. Government, led to the development of today's
      Internet, and was decommissioned in June 1990.

   $ ASN.1
      See: Abstract Syntax Notation One.