مصطلحات امن المعلومات (1)

A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass Registration Authorities and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.

Security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module.

Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.

A certificate used to establish a trust relationship between two Certification Authorities.

1) Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection.

2) The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.

An operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions.

A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.

An explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.

A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties:

1) (One-way) It is computationally infeasible to find any input which maps to any pre-specified output, and

2) (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.

A value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification. A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm. A parameter used in conjunction with a cryptographic algorithm that determines . the transformation of plaintext data into ciphertext data, . the transformation of ciphertext data into plaintext data, . a digital signature computed from data, . the verification of a digital signature computed from data, . an authentication code computed from data, or . an exchange agreement of a shared secret.

The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module. The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.

A precise specification of the security rules under which a cryptographic module will operate, including the rules derived from the requirements of this standard (FIPS 140-2) and additional rules imposed by the vendor.

Validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.

A measure of the expected number of operations required to defeat a cryptographic mechanism.

A token where the secret is a cryptographic key.

The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. The discipline that embodies principles, means and methods for providing information security, including confidentiality, data integrity, non-repudiation, and authenticity. It is categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties . The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography which make use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret.

The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.

Time span during which each key setting remains in effect.

A method to ensure data has not been altered after being sent through a communication channel.

A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.

The cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).

A U.S. Government-approved, symmetric cipher, encryption algorithm used by business and civilian government agencies. The Advanced Encryption Standard (AES) is designed to replace DES. The original “single” DES algorithm is no longer secure because it is now possible to try every possible key with special purpose equipment or a high performance cluster. Triple DES, however, is still considered to be secure.

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.

The process of transforming ciphertext into plaintext. The process of changing ciphertext into plaintext using a cryptographic algorithm and key. Conversion of ciphertext to plaintext through the use of a cryptographic algorithm.

A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.

A network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.

The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

The individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

The protocol used to assign Internet Protocol (IP) addresses to all nodes on the network.

An analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.

Electronic information stored or transferred in digital form. An asymmetric key operation where the private key is used to digitally sign an electronic document and the public key is used to verify the signature. Digital signatures provide authentication and integrity protection. A nonforgeable transformation of data that allows the proof of the source (with nonrepudiation) and the verification of the integrity of that data. The result of a cryptographic transformation of data which, when properly implemented, provides the services of:

1. origin authentication

2. data integrity, and

3. signer non-repudiation.

Asymmetric algorithms used for digitally signing data.

A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

The termination of an interconnection between two or more IT systems. A disconnection may be planned (e.g., due to changed business needs) or unplanned (i.e., due to an attack or other contingency).

The basis of this kind of security is that an individual user, or program operating on the user’s behalf is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control.

An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).

Information which unambiguously distinguishes an entity in the authentication process.

A Denial of Service technique that uses numerous hosts to perform the attack.

A set of subjects, their information objects, and a common security policy.

A certificate that is intended for use with both digital signature and data encryption services.

The responsibility that managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.

A field within a certificate that is composed of two subfields; “date of issue” and “date of next issue”.

Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be non-threatening.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.

The process of blocking outgoing packets that use obviously false Internet Protocol (IP) addresses, such as source addresses from internal networks.

The process of establishing confidence in user identities electronically presented to an information system.

Digital documents used in authentication that bind an identity or an attribute to a subscriber's token.

Information and data of investigative value that is stored on or transmitted by an electronic device.

The entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.)

A cryptographic key that has been encrypted using an approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.

A network on which messages are encrypted (e.g. using DES, AES, or other appropriate algorithms) to prevent reading by unauthorized parties.

Encryption is the conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized people. Conversion of plaintext to ciphertext through the use of a cryptographic algorithm. The process of changing plaintext into ciphertext for the purpose of security or privacy.

A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.

Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible.

Either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information). An active element in an open system. Any participant in an authentication exchange; such a participant may be human or nonhuman, and may take the role of a claimant and/or verifier.

A measure of the amount of uncertainty that an attacker faces to determine the value of a secret.

Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.

Short-lived cryptographic keys that are statistically unique to each execution of a key establishment process and meets other requirements of the key type (e.g., unique to each message or session).

A code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data.

Something (e.g., a document, an encryption key) that is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition."

Any observable occurrence in a network or system.

A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.

Evidence that tends to decrease the likelihood of fault or guilt.

An executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.

A program that allows attackers to automatically break into a system.

When a biometric system incorrectly identifies an individual or incorrectly verifies an impostor against a claimed identity

The probability that a biometric system will incorrectly identify an individual or will fail to reject an impostor. The rate given normally assumes passive impostor attempts.

Alternative to ‘False Acceptance Rate’. Used to avoid confusion in applications that reject the claimant if their biometric data matches that of an applicant.

Alternative to ‘False Rejection Rate’. Used to avoid confusion in applications that reject the claimant if their biometric data matches that of an applicant.

An alert that incorrectly indicates that malicious activity is occurring.

When a biometric system fails to identify an applicant or fails to verify the legitimate claimed identity of an applicant.

The probability that a biometric system will fail to identify an applicant, or verify the legitimate claimed identity of an applicant.

The Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.

The Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc.

The Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority.

A standard for adoption and use by Federal agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

An organization whose members come from federal agencies, industry, and academic institutions devoted to improving the IT security awareness and knowledge within the federal government and its related external workforce.

The Federal PKI Policy Authority is a federal government body responsible for setting, implementing, and administering policy decisions regarding interagency PKI interoperability that uses the FBCA.

A virus that attaches itself to a program file, such as a word processor, spreadsheet application, or game.

Software that generates, stores, and compares message digests for files to detect changes to the files.

1) A mismatch between the internal file header and its external extension;

2) A file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphical extension.

A security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.

An acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce.

A gateway that limits access between networks in accordance with local security policy.

The component that controls a firewall’s handling of a call. The firewall control proxy can instruct the firewall to open specific ports that are needed by a call, and direct the firewall to close these ports at call termination.

A firewall environment is a collection of systems at a point on a network that together constitute a firewall implementation. A firewall environment could consist of one device or many devices such as several firewalls, intrusion detection systems, and proxy servers.

A firewall platform is the system device upon which a firewall is implemented. An example of a firewall platform is a commercial operating system running on a personal computer.

A firewall ruleset is a table of instructions that the firewall uses for determining how packets should be routed between its interfaces. In routers, the ruleset can be a file that the router examines from top to bottom when making routing decisions.

The programs and data components of a cryptographic module that are stored in hardware within the cryptographic boundary and cannot be dynamically written or modified during execution.

Federal Information Security Management Act - requires agencies to integrate IT security into their capital planning and enterprise architecture processes at the agency, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the Office of Management and Budget (OMB).

An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.

A professional who locates, identifies, collects, analyzes and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.

The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

The function that transforms the payload, associated data, and nonce into a sequence of complete blocks.

One of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key.

An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.

A security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.

A mechanism limiting the exchange of information between information systems or subsystems.