      (D) "A certificate issued to an authority (e.g. either to a
      certification authority or to an attribute authority)." [FPDAM]
      (See: authority.)

      (C) ISDs SHOULD NOT use this term or definition because they are
      ambiguous with regard to which specific types of PKI entities they
      address.

   $ authority revocation list (ARL)
      (I) A data structure that enumerates digital certificates that
      were issued to CAs but have been invalidated by their issuer prior
      to when they were scheduled to expire. (See: certificate
      expiration, X.509 authority revocation list.)




Shirey                       Informational                     [Page 17]

RFC 2828               Internet Security Glossary               May 2000


      (O) "A revocation list containing a list of public-key
      certificates issued to authorities, which are no longer considered
      valid by the certificate issuer." [FPDAM]

   $ authorization
   $ authorize
      (I) (1.) An "authorization" is a right or a permission that is
      granted to a system entity to access a system resource. (2.) An
      "authorization process" is a procedure for granting such rights.
      (3.) To "authorize" means to grant such a right or permission.
      (See: privilege.)

      (O) SET usage: "The process by which a properly appointed person
      or persons grants permission to perform some action on behalf of
      an organization. This process assesses transaction risk, confirms
      that a given transaction does not raise the account holder's debt
      above the account's credit limit, and reserves the specified
      amount of credit. (When a merchant obtains authorization, payment
      for the authorized amount is guaranteed--provided, of course, that
      the merchant followed the rules associated with the authorization
      process.)" [SET2]

   $ automated information system
      (I) An organized assembly of resources and procedures--i.e.,
      computing and communications equipment and services, with their
      supporting facilities and personnel--that collect, record,
      process, store, transport, retrieve, or display information to
      accomplish a specified set of functions.

   $ availability
      (I) The property of a system or a system resource being accessible
      and usable upon demand by an authorized system entity, according
      to performance specifications for the system; i.e., a system is
      available if it provides services according to the system design
      whenever users request them. (See: critical, denial of service,
      reliability, survivability.)

      (O) "The property of being accessible and usable upon demand by an
      authorized entity." [I7498 Part 2]

   $ availability service
      (I) A security service that protects a system to ensure its
      availability.

      (C) This service addresses the security concerns raised by denial-
      of-service attacks. It depends on proper management and control of
      system resources, and thus depends on access control service and
      other security services.




   $ back door
      (I) A hardware or software mechanism that (a) provides access to a
      system and its resources by other than the usual procedure, (b)
      was deliberately left in place by the system's designers or
      maintainers, and (c) usually is not publicly known. (See: trap
      door.)

      (C) For example, a way to access a computer other than through a
      normal login. Such access paths do not necessarily have malicious
      intent; e.g., operating systems sometimes are shipped by the
      manufacturer with privileged accounts intended for use by field
      service technicians or the vendor's maintenance programmers. (See:
      trap door.)

   $ back up vs. backup
      (I) Verb "back up": To store data for the purpose of creating a
      backup copy. (See: archive.)

      (I) Noun/adjective "backup": (1.) A reserve copy of data that is
      stored separately from the original, for use if the original
      becomes lost or damaged. (See: archive.) (2.) Alternate means to
      permit performance of system functions despite a disaster to
      system resources. (See: contingency plan.)

   $ baggage
      (D) ISDs SHOULD NOT use this term to describe a data element
      except when stated as "SET(trademark) baggage" with the following
      meaning:

      (O) SET usage: An "opaque encrypted tuple, which is included in a
      SET message but appended as external data to the PKCS encapsulated
      data. This avoids superencryption of the previously encrypted
      tuple, but guarantees linkage with the PKCS portion of the
      message." [SET2]

   $ bandwidth
      (I) Commonly used to mean the capacity of a communication channel
      to pass data through the channel in a given amount of time.
      Usually expressed in bits per second.

   $ bank identification number (BIN)
      (N) The digits of a credit card number that identify the issuing
      bank. (See: primary account number.)

      (O) SET usage: The first six digits of a primary account number.







   $ Basic Encoding Rules (BER)
      (I) A standard for representing ASN.1 data types as strings of
      octets. [X690] (See: Distinguished Encoding Rules.)
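      The following Python is an added example (not text or code from RFC
      2828 or from X.690) showing what the BER/DER distinction means in
      practice: a small TLV decoder that accepts any BER length encoding
      by default and, with strict_der=True, rejects the non-minimal
      long-form and indefinite-length encodings that DER forbids. Tag
      handling is limited to single-octet tags, the INTEGER helpers cover
      non-negative values only, and the three sample encodings of the
      integer 5 are constructed for the demonstration. The security point
      is uniqueness: DER exists so that one value has exactly one
      encoding, which is what lets a hash or signature over a certificate
      be compared byte for byte.

```python
"""BER TLV decoding with an optional DER strictness switch.

Added example, not text from RFC 2828 or from X.690. It handles only
single-octet (low) tag numbers; the length octets follow the X.690 rules.
"""


def encode_length(n: int) -> bytes:
    """Encode a content length in the DER (minimal) definite form."""
    if n < 0x80:
        return bytes([n])                          # short form: one octet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: count, then big-endian length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Build a DER-style TLV (tag, length, value)."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(n: int) -> bytes:
    """DER INTEGER (tag 0x02) for a non-negative value: minimal two's-complement octets."""
    if n < 0:
        raise ValueError("negative integers not handled in this example")
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # the extra octet keeps the sign bit clear
    return encode_tlv(0x02, body)


def decode_tlv(data: bytes, offset: int = 0, strict_der: bool = False):
    """Decode one TLV starting at offset; return (tag, value, next_offset).

    With strict_der=True the length must be the unique minimal definite-form
    encoding DER requires; plain BER also accepts non-minimal long-form
    lengths and the indefinite form.
    """
    if offset >= len(data):
        raise ValueError("truncated: missing tag")
    tag = data[offset]
    offset += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not handled in this example")
    if offset >= len(data):
        raise ValueError("truncated: missing length")
    first = data[offset]
    offset += 1

    if first < 0x80:                               # short form
        length = first
    elif first == 0x80:                            # indefinite form: contents end with 00 00
        if strict_der:
            raise ValueError("DER forbids the indefinite length form")
        start = offset
        while data[offset:offset + 2] != b"\x00\x00":
            _, _, offset = decode_tlv(data, offset, strict_der)   # step over nested TLVs
        return tag, data[start:offset], offset + 2
    else:                                          # long form
        count = first & 0x7F
        if count == 0x7F:
            raise ValueError("reserved length octet 0xFF")
        length_octets = data[offset:offset + count]
        if len(length_octets) != count:
            raise ValueError("truncated: missing length octets")
        offset += count
        length = int.from_bytes(length_octets, "big")
        if strict_der and (length < 0x80 or length_octets[0] == 0):
            raise ValueError("DER requires the minimal length encoding")

    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated: value shorter than declared length")
    return tag, value, offset + length


def decode_integer(data: bytes, strict_der: bool = False) -> int:
    """Decode a non-negative INTEGER TLV."""
    tag, value, _ = decode_tlv(data, 0, strict_der)
    if tag != 0x02 or not value:
        raise ValueError("not an INTEGER")
    if strict_der and len(value) > 1 and value[0] == 0 and value[1] < 0x80:
        raise ValueError("DER forbids redundant leading zero octets")
    return int.from_bytes(value, "big")


def accepts(data: bytes, strict_der: bool) -> bool:
    """True if the bytes decode as exactly one well-formed TLV under the chosen rules."""
    try:
        _, _, end = decode_tlv(data, 0, strict_der)
        return end == len(data)
    except ValueError:
        return False


# Three constructed encodings of the same INTEGER 5. Only the first is DER:
# the second uses a needless long-form length, the third wraps the value in
# a SEQUENCE with an indefinite length. BER accepts all three.
DER_INT = bytes.fromhex("020105")
BER_LONG_LENGTH = bytes.fromhex("02810105")
BER_INDEFINITE_SEQ = bytes.fromhex("3080020105" "0000")

if __name__ == "__main__":
    for blob in (DER_INT, BER_LONG_LENGTH, BER_INDEFINITE_SEQ):
        print(blob.hex(), "BER:", accepts(blob, False), "DER:", accepts(blob, True))
    print(encode_integer(256).hex(), decode_integer(encode_integer(256)))
```

      Running the module prints True/True for the first encoding and
      True/False for the other two; a verifier that parses with BER rules
      but hashes the raw bytes will treat three byte strings as the same
      value, which is the ambiguity DER removes.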

   $ bastion host
      (I) A strongly protected computer that is in a network protected
      by a firewall (or is part of a firewall) and is the only host (or
      one of only a few hosts) in the network that can be directly
      accessed from networks on the other side of the firewall.

      (C) Filtering routers in a firewall typically restrict traffic
      from the outside network to reaching just one host, the bastion
      host, which usually is part of the firewall. Since only this one
      host can be directly attacked, only this one host needs to be very
      strongly protected, so security can be maintained more easily and
      less expensively. However, to allow legitimate internal and
      external users to access application resources through the
      firewall, higher layer protocols and services need to be relayed
      and forwarded by the bastion host. Some services (e.g., DNS and
      SMTP) have forwarding built in; other services (e.g., TELNET and
      FTP) require a proxy server on the bastion host.

   $ BCA
      See: brand certification authority.

   $ BCI
      See: brand CRL identifier.

   $ Bell-LaPadula Model
      (N) A formal, mathematical, state-transition model of security
      policy for multilevel-secure computer systems. [Bell]

      (C) The model separates computer system elements into a set of
      subjects and a set of objects. To determine whether or not a
      subject is authorized for a particular access mode on an object,
      the clearance of the subject is compared to the classification of
      the object. The model defines the notion of a "secure state", in
      which the only permitted access modes of subjects to objects are
      in accordance with a specified security policy. It is proven that
      each state transition preserves security by moving from secure
      state to secure state, thereby proving that the system is secure.

      (C) In this model, a multilevel-secure system satisfies several
      rules, including the following:








       - "Confinement property" (also called "*-property", pronounced
         "star property"): A subject has write access to an object only
         if classification of the object dominates the clearance of the
         subject.

       - "Simple security property": A subject has read access to an
         object only if the clearance of the subject dominates the
         classification of the object.

       - "Tranquillity property": The classification of an object does
         not change while the object is being processed by the system.
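      As an added example (not from the RFC or from [Bell]), the Python
      below implements the three rules just listed over a constructed
      lattice of four hierarchical levels plus compartments. Dominance is
      "level at least as high and compartments a superset"; read requests
      are checked with the simple security property, write requests with
      the *-property, and labels are immutable dataclasses so that an
      object's classification cannot be altered once it is in the system
      (the tranquillity property). The SecureState class admits only
      transitions that keep every current access compliant, which is the
      state-to-state argument the text describes. Subject and object names
      and labels are constructed for the demonstration.

```python
"""Bell-LaPadula access checks: simple security property, *-property, tranquillity.

Added example; the level lattice and the subject/object labels are
constructed for illustration and are not from RFC 2828 or from [Bell].
"""
from dataclasses import FrozenInstanceError, dataclass

# Hierarchical levels, lowest to highest. Dominance also requires the
# compartment (category) set of the higher label to include the lower one's.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label. frozen=True makes it immutable, which is how this
    example enforces tranquillity: a classification cannot be changed in place."""
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: a's level is at least b's and a's compartments include b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property: the subject's clearance must dominate the object."""
    return dominates(clearance, classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property: the object's classification must dominate the subject's clearance."""
    return dominates(classification, clearance)


class SecureState:
    """Current set of (subject, object, mode) accesses. Every transition goes
    through request(), so the system only ever moves from secure state to secure state."""

    def __init__(self, subjects: dict, objects: dict):
        self.subjects = subjects    # name -> clearance Label
        self.objects = objects      # name -> classification Label
        self.accesses = set()

    def request(self, subject: str, obj: str, mode: str) -> bool:
        clearance = self.subjects[subject]
        classification = self.objects[obj]
        if mode == "read":
            allowed = can_read(clearance, classification)
        elif mode == "write":
            allowed = can_write(clearance, classification)
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        if allowed:
            self.accesses.add((subject, obj, mode))
        return allowed

    def is_secure(self) -> bool:
        """Re-check every current access against the two properties."""
        return all(
            (can_read if mode == "read" else can_write)(self.subjects[s], self.objects[o])
            for s, o, mode in self.accesses
        )


def try_reclassify(label: Label, new_level: str) -> bool:
    """Attempt to change a label in place; returns False because labels are frozen."""
    try:
        label.level = new_level
        return True
    except FrozenInstanceError:
        return False


# Constructed example population.
SUBJECTS = {
    "analyst": Label("SECRET", frozenset({"NUCLEAR"})),
    "clerk": Label("CONFIDENTIAL"),
}
OBJECTS = {
    "bulletin": Label("UNCLASSIFIED"),
    "reactor-report": Label("SECRET", frozenset({"NUCLEAR"})),
    "war-plan": Label("TOP SECRET"),
}


def demo() -> dict:
    """Run a few requests and return the decisions keyed by (subject, object, mode)."""
    state = SecureState(SUBJECTS, OBJECTS)
    requests = [
        ("analyst", "bulletin", "read"),          # read down: allowed
        ("analyst", "bulletin", "write"),         # write down: denied by the *-property
        ("analyst", "reactor-report", "write"),   # equal labels: allowed
        ("analyst", "war-plan", "read"),          # read up: denied
        ("analyst", "war-plan", "write"),         # higher level but lacks NUCLEAR: denied
        ("clerk", "war-plan", "write"),           # write up ("blind write"): allowed
        ("clerk", "reactor-report", "read"),      # read up: denied
    ]
    results = {r: state.request(*r) for r in requests}
    assert state.is_secure()
    return results


if __name__ == "__main__":
    for (s, o, m), ok in demo().items():
        print(f"{s:8} {m:5} {o:15} -> {'allowed' if ok else 'denied'}")
```

      The "write up" case is worth noticing: the *-property permits a
      CONFIDENTIAL clerk to write into a TOP SECRET object without being
      able to read it, which is why real systems layer integrity controls
      on top of this confidentiality model.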

   $ BER
      See: Basic Encoding Rules.

   $ beyond A1
      (O) (1.) Formally, a level of security assurance that is beyond
      the highest level of criteria specified by the TCSEC. (2.)
      Informally, a level of trust so high that it cannot be provided or
      verified by currently available assurance methods, and
      particularly not by currently available formal methods.

   $ BIN
      See: bank identification number.

   $ bind
      (I) To inseparably associate by applying some mechanism, such as
      when a CA uses a digital signature to bind together a subject and
      a public key in a public-key certificate.

   $ biometric authentication
      (I) A method of generating authentication information for a person
      by digitizing measurements of a physical characteristic, such as a
      fingerprint, a hand shape, a retina pattern, a speech pattern
      (voiceprint), or handwriting.

   $ bit
      (I) The smallest unit of information storage; a contraction of the
      term "binary digit"; one of two symbols--"0" (zero) and "1" (one)
      --that are used to represent binary numbers.

   $ BLACK
      (I) Designation for information system equipment or facilities
      that handle (and for data that contains) only ciphertext (or,
      depending on the context, only unclassified information), and for
      such data itself. This term derives from U.S. Government COMSEC
      terminology. (See: RED, RED/BLACK separation.)





   $ block cipher
      (I) An encryption algorithm that breaks plaintext into fixed-size
      segments and uses the same key to transform each plaintext segment
      into a fixed-size segment of ciphertext. (See: mode, stream
      cipher.)

      (C) For example, Blowfish, DEA, IDEA, RC2, and SKIPJACK. However,
      a block cipher can be adapted to have a different external
      interface, such as that of a stream cipher, by using a mode of
      operation to "package" the basic algorithm.
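      To make the "package the basic algorithm" idea concrete, here is an
      added Python example (not code from the RFC or from any of the
      ciphers it names). The 64-bit Feistel cipher in it is a constructed
      stand-in with no security claim; what the example shows is the
      interface change: ECB keeps the block-cipher shape (whole fixed-size
      segments, padding required, and identical plaintext blocks encrypt
      to identical ciphertext blocks), while CTR packages the same
      primitive as a stream cipher (any length, no padding, encryption and
      decryption are the same operation). The key and nonce values are
      constructed sample inputs.

```python
"""A toy 64-bit block cipher wrapped in two modes of operation.

Added example, not code from RFC 2828 or from any cipher it names. The
Feistel cipher is a constructed stand-in with no security claim.
"""
import hashlib

BLOCK = 8      # block size in bytes
ROUNDS = 8


def _subkeys(key: bytes) -> list:
    """Constructed key schedule: one 8-byte subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _f(half: bytes, subkey: bytes) -> bytes:
    """Round function: 4-byte half block plus subkey -> 4 bytes."""
    return hashlib.sha256(subkey + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for k in _subkeys(key):
        left, right = right, _xor(left, _f(right, k))
    return right + left   # undo the last swap so decryption can reuse the same loop


def decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for k in reversed(_subkeys(key)):
        left, right = right, _xor(left, _f(right, k))
    return right + left


# --- ECB: the block-cipher interface, fixed-size segments, padding required ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded = pad(plaintext)
    return b"".join(encrypt_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    padded = b"".join(decrypt_block(key, ciphertext[i:i + BLOCK])
                      for i in range(0, len(ciphertext), BLOCK))
    return unpad(padded)


# --- CTR: the same block cipher packaged as a stream cipher ---
def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse). The 4-byte nonce must
    never be reused under one key: reused keystream reveals the XOR of two plaintexts."""
    assert len(nonce) == 4
    out = bytearray()
    for i, start in enumerate(range(0, len(data), BLOCK)):
        keystream = encrypt_block(key, nonce + i.to_bytes(4, "big"))
        chunk = data[start:start + BLOCK]
        out += _xor(chunk, keystream[:len(chunk)])   # a short final chunk needs no padding
    return bytes(out)


KEY = b"constructed-demo-key"      # constructed sample key
NONCE = b"\x00\x00\x00\x01"        # constructed sample nonce

if __name__ == "__main__":
    msg = b"ATTACK AT DAWN! ATTACK AT DAWN! "
    ecb = ecb_encrypt(KEY, msg)
    print("ECB blocks:", [ecb[i:i + 8].hex() for i in range(0, len(ecb), 8)])
    ct = ctr_crypt(KEY, NONCE, b"short")
    print("CTR ciphertext length:", len(ct))
```

      The printed ECB block list shows blocks 1 and 3 identical to blocks
      3 and 4 of the repeated message, which is the structure leak that
      makes raw ECB unsuitable for anything but single random blocks; the
      CTR output is exactly as long as its input, with the caveat in the
      docstring that nonce reuse is the mode's characteristic failure.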

   $ Blowfish
      (N) A symmetric block cipher with variable-length key (32 to 448
      bits) designed in 1993 by Bruce Schneier as an unpatented,
      license-free, royalty-free replacement for DES or IDEA. [Schn]

   $ brand
      (I) A distinctive mark or name that identifies a product or
      business entity.

      (O) SET usage: The name of a payment card. Financial institutions
      and other companies have founded payment card brands, protect and
      advertise the brands, establish and enforce rules for use and
      acceptance of their payment cards, and provide networks to
      interconnect the financial institutions. These brands combine the
      roles of issuer and acquirer in interactions with cardholders and
      merchants. [SET1]

   $ brand certification authority (BCA)
      (O) SET usage: A CA owned by a payment card brand, such as
      MasterCard, Visa, or American Express. [SET2] (See: certification
      hierarchy, SET.)

   $ brand CRL identifier (BCI)
      (O) SET usage: A digitally signed list, issued by a BCA, of the
      names of CAs for which CRLs need to be processed when verifying
      signatures in SET messages. [SET2]

   $ break
      (I) Cryptographic usage: To successfully perform cryptanalysis and
      thus succeed in decrypting data or performing some other
      cryptographic function, without initially having knowledge of the
      key that the function requires. (This term applies to encrypted
      data or, more generally, to a cryptographic algorithm or
      cryptographic system.)







   $ bridge
      (I) A computer that is a gateway between two networks (usually two
      LANs) at OSI layer 2. (See: router.)

   $ British Standard 7799
      (N) Part 1 is a standard code of practice and provides guidance on
      how to secure an information system. Part 2 specifies the
      management framework, objectives, and control requirements for
      information security management systems [B7799]. The certification
      scheme works like ISO 9000. It is in use in the UK, the
