1-Factor vs. 2-Factor Authentication
1-Factor authentication simply refers to a memorized password, which
can be copied with relative ease. 2-Factor authentication is the
memorized password of an external token used in conjunction with the
physical token. Access can only be granted when the two are used
together.
Thus, 2-factor authentication is something you know, used together
with something you physically have.
Access Control
The process of preventing unauthorized access to the resources of an
IT product, programs, processes, systems, or other IT products. Some
suppliers consider preventing unauthorized users from logging on to
the system to be access control. In reality, access control should
also stop logged-on users accessing objects (files, devices, etc.) for
which they have no authorization.
Access Control List
An access control list (ACL) is a table that tells a computer's
operating system which access rights each user has to a particular
system object, such as a file directory or individual file. Each
object has a security attribute that identifies its access control
list. The list has an entry for each system user with access
privileges. The most common privileges include the ability to read a
file (or all the files in a directory), to write to the file or files,
and to execute the file (if it is an executable file, or program). The
list is implemented differently by each operating system.
AES
The "Advanced Encryption Standard", which will replace DES (Data
Encryption System) in the near future.
Alice
The name traditionally used for the first user of cryptography in a
system; Bob's friend.
Algorithm
A mathematical procedure that can manipulate data. Cryptographic
algorithms are used to encrypt sensitive data files, to encrypt and
decrypt messages, and to digitally sign documents.
APDU
The APDU (Application Protocol Data Unit) is a set of native commands
that enable software to communicate with the eToken directly, rather
than through a higher level API like CAPI or PKCS#11.
Asymmetric Cryptography
See Public Key Cryptography.
Authentication
Authentication is the action of verifying information such as identity,
ownership or authorization. In private and public computer networks (including
the Internet), authentication is commonly done through the use of
logon passwords. Knowledge of the password is assumed to guarantee
that the user is authentic. Each user registers initially (or is
registered by someone else), using an assigned or self-declared
password. On each subsequent use, the user must know and use the
previously declared password. The weakness in this system for
transactions that are significant (such as the exchange of money) is
that passwords can often be stolen, accidentally revealed, or
forgotten.
For this reason, Internet business and many other transactions require
a more stringent authentication process. The use of digital
certificates issued and verified by a Certificate Authority (CA) as
part of a Public Key Infrastructure (PKI) is considered likely to
become the standard way to perform authentication on the Internet.
Logically, authentication precedes authorization (although they may
often seem to be combined).
Block Cipher
A symmetric cipher, which encrypts a message by breaking it down into
blocks and encrypting each block.
Bob
The name traditionally used for the second user of cryptography in a
system; Alice's friend.
Brute Force Attack
This attack requires trying all (or a large fraction of all) possible
values till the right value is found; also called an exhaustive
search.
CA (Certification Authority)
A certification authority is a trusted third party who confirms the
identity of an organization. The CA will first satisfy itself that an
organization is exactly who or what it claims to be, and will then
issue that organization with a 'certificate'. The certificate is
likely to be in the form of an electronic key or value. A trading
partner can present it electronically to the CA for verification and
confirmation at any time.
In some ways the certificate is analogous to a credit card. Both the
certificate and the credit card allow two parties to trade with some
degree of security without any further proof of identity.
Certificate
In cryptography, an electronic document binding some pieces of
information together, such as a user's identity and public-key.
Certifying Authorities (CAs) provide certificates.
Certificate Revocation List (CRL)
A list of certificates that have been revoked before their expiration
date.
CertStore
In Windows, public-key objects such as certificates, CRLs (Certificate
Revocation Lists), and CTLs (Certificate Trust Lists) are stored in
certificate stores for use by users, services, and computers. The
Windows certificate stores include physical stores and logical stores.
The physical certificate stores are where public-key objects such as
certificates, CRLs, and CTLs are physically stored either locally in
the system registry of the computer, or on an eToken, or remotely in
Active Directory. Many of the public-key objects in the physical
stores are shared among users, services, and computers through the use
of logical certificate stores.
Logical certificate stores group certificates together in logical,
functional categories for users, computers, and services. Logical
certificate stores contain pointers to the physical certificate stores.
Changes to the logical certificate stores are made to the appropriate
physical stores that are located in the system registry or on an
eToken or in Active Directory. Because you use only the logical
certificate store for a user, service, or computer, you neither have
to keep track of where the certificates are actually stored, nor do
you have to edit the system registry to manage the certificate stores.
CHAP
Challenge Handshake Authentication Protocol. Security feature
supported on lines using PPP encapsulation that prevents unauthorized
access. CHAP does not itself prevent unauthorized access; it merely
identifies the remote end. The router or access server then determines
whether that user is allowed access. Compare to PAP.
Ciphertext
Data that has been scrambled by encryption.
Computer Fraud
The deliberate misrepresentation, or unauthorized disclosure or
alteration of data; usually for personal and monetary gain.
CryptoAPI (CAPI)
Microsoft® Cryptographic Application Programming Interface (CryptoAPI
or CAPI) provides services that enable application developers to add
security based on cryptography to applications. CryptoAPI includes
functionality for encoding to and decoding from ASN.1, hashing,
encrypting and decrypting data, for authentication using digital
certificates, and for managing certificates in certificate stores.
Encryption and decryption are provided both using session keys and
with public/private key pairs.
Cryptanalysis
The science of revealing information that has been concealed by
difficult problems; i.e. cryptanalysis reveals the secrets hidden by
cryptography.
Cryptography
RSA calls it the science of using difficult problems to conceal
information. It is the study and use of methods designed to render
information unintelligible. Cryptography does not seek to hide the
message, only the meaning of the message.
CRYPTOKI - RSA
Cryptoki ("Crypto-Key") is a member of RSA's Public Key Cryptography
Standards (PKCS) family, specifically PKCS #11, which provides guidance
to the commercial cryptography community. Cryptoki is standardized and
distributed without charge by RSA Labs, the research arm of RSA Data
Security, Inc. Cryptoki provides a standard lower level CAPI,
primarily for access to personal cryptographic tokens. RSA realized
that their existing commercial libraries were not flexible or general
enough to support the needs of applications working with such devices,
and therefore developed Cryptoki. Additional goals in the Cryptoki
design include portability, extensibility, generality, support for
resource sharing, and algorithm independence.
Cryptology
The study of techniques that can be used to conceal information, or
reveal information that has been previously concealed; that is, the
combination of cryptanalysis, cryptography and steganography.
Decryption
The process of unscrambling ciphertext and returning it to plaintext.
Default Password
A password contained in a system when first delivered and installed.
If you accept delivery of any product containing a default password,
hardware or software, you should change the password as soon as
possible.
DES Encryption
Data Encryption Standard (DES) is a widely used method of data
encryption using a private (secret) key that was judged so difficult
to break by the U.S. government that it was restricted for exportation
to other countries. There are 72,000,000,000,000,000 (72 quadrillion)
or more possible encryption keys that can be used. For each given
message, the key is chosen at random from among this enormous number
of keys. Like other private key cryptographic methods, both the sender
and the receiver must know and use the same private key.
DESX 128-bit Encryption
DESX (DES eXtended) is an encryption algorithm that extends the famous
DES (Data Encryption Standard) algorithm to a key size of 128 bits, by
adding two complex operations that further strengthen its efficiency
and security. Deciphering a message encrypted with DESX requires
finding the right random information out of a total of 2^118 operations,
which has been mathematically proven to be impractical.
Digest
Commonly used to refer to the output of a hash function, e.g. message
digest refers to the hash of a message.
Digital Signature
A digital signature is an electronic rather than a written signature
that can be used by someone to authenticate the identity of the sender
of a message or of the signer of a document. It can also be used to
ensure that the original content of the message or document that has
been conveyed is unchanged. Additional benefits to the use of a
digital signature are that it is easily transportable, cannot be
easily repudiated, cannot be imitated by someone else, and can be
automatically time-stamped.
A digital signature can be used with any kind of message, whether it
is encrypted or not, simply so that the receiver can be sure of the
sender's identity and that the message arrived intact. A digital
certificate contains the digital signature of the certificate-issuing
authority so that anyone can verify that the certificate is real.
Digital Certificates
A digital certificate is an electronic "credit card" that establishes
your credentials when doing business or other transactions on the Web.
It is issued by a certification authority (CA), containing your name,
a serial number, expiration dates, a copy of the certificate holder's
public key (used for encrypting and decrypting messages and digital
signatures), and the digital signature of the certificate-issuing
authority so that a recipient can verify that the certificate is real.
Some digital certificates conform to a standard, X.509. Digital
certificates can be kept in registries so that authenticated users can
look up other users' public keys.
eCommerce
Business transactions conducted over the Internet or an intranet in
digital form.
Encryption
The transformation of plaintext into an apparently less readable form
(called ciphertext) through a mathematical process. The ciphertext may
be read by anyone who has the key that decrypts (undoes the encryption)
the ciphertext.
The key is fundamental to the strength of the encryption. You need the
one correct key before you can decrypt the ciphertext. It follows,
then, that the longer the key, the greater the range of possible
values it could have. The range of possible values is called the key
space. The greater the key space, the more difficult it is for an
unauthorized person to discover the correct key.
Encryption cannot make unauthorized decryption impossible; it can
merely make it improbable. With unlimited processing capacity and
unlimited time available, all cryptosystems could be broken. The
purpose of encryption is to make it as unlikely as possible that a
ciphertext could be broken within the period of time during which the
contents should remain secret.
There is an arbitrary and subjective distinction between weak and
strong encryption. Strong encryption implies that it would effectively
be impossible to find the key within the effective lifetime of the
secret. Any key length above 56 bits is generally considered to be
'strong' encryption.
FIPS
Federal Information Processing Standards.
See NIST.
Hash Function
A function that takes a variable sized input and has a fixed size
output.
Hashing
An iterative process that computes a value (i.e., the 'hash word' or 'message
digest') from data. Hashing is a one-way process. It is simple to
produce a hash value from a string of data, but it is effectively
impossible to compute the original string from the hash value.
Integrity
One of the four fundamental requirements of information security,
integrity measures are meant to protect data and/or resources from
unauthorized modification. Data whose integrity has failed is said to
be corrupted.
IPSec/IKE
IPSec (Internet Protocol Security) is a developing standard for
security at the network or packet-processing layer of network
communication. Earlier security approaches have inserted security at
the application layer of the communications model. IPSec will be
especially useful for implementing virtual private networks and for
remote user access through dial-up connection to private networks. A
big advantage of IPSec is that security arrangements can be handled
without requiring changes to individual user computers. Cisco has been
a leader in proposing IPSec as a standard (or combination of standards
and technologies) and has included support for it in its network
routers.
IPSec provides two choices of security service: Authentication Header
(AH), which essentially allows authentication of the sender of data,
and Encapsulating Security Payload (ESP), which supports both
authentication of the sender and encryption of data as well. The
specific information associated with each of these services is
inserted into the packet in a header that follows the IP packet header.
Separate key protocols can be selected, such as the ISAKMP/Oakley
protocol.
Key
A string of bits used widely in cryptography, allowing people to
encrypt and decrypt data; a key can be used to perform other
mathematical operations as well. Given a cipher, a key determines the
mapping of the plaintext to the ciphertext. See also distributed key,
private key, public key, secret key, session key, shared key, sub key,
symmetric key, weak key.
Key Escrow
Key escrow involves lodging the decryption key with a Trusted Third
Party (TTP). It is an emotive subject because of governments' repeated
attempts and known desire to enforce a general requirement not merely
for key escrow, but also for the mandatory release of that key to Law
Enforcement agencies. Nevertheless, key escrow is a concept that will
need to be considered by many organizations. If strong encryption is
used, and the relevant key is lost either through accident or
misadventure, theft or employee disaffection, then the organization
concerned will lose its data. Lodging the key with a TTP means that it
can be recovered in extremis.
The security issues center around the security of the TTP. In general,
any addition to the chain of trust is the addition of a weak link in
the chain. Use of a TTP introduces new threats that would not
otherwise exist: TTP staff could be duped, bribed or threatened; TTP
systems could be hacked.
Key File
Some encryption programs store your encryption keys in a file where
they can be conveniently accessed. Usually, the keys are themselves
strongly encrypted -- this means that you need to enter a pass phrase
to begin using the key file, but you do not then need to enter each
key as it is used. This helps ensure that if your key file is stolen,
it will be of limited use to the attacker. Even so, you are advised
not to store key files on your hard disk because of the risk of
compromise.
Key Management
Key management is the administrative side of cryptography, and is one
of the biggest problems faced by any crypto system. It involves the
generation, certification, distribution and revocation of keys - all
of which must be done in a secure manner. It can be undertaken
manually, by software, or by outsourcing to a third party such as a
Certification Authority. It is the difficulties of key management that
make the one unbreakable crypto system, the One Time Pad, unrealistic
for the commercial market.
Key Pair
The full key information in a public-key cryptosystem, consisting of
the public key and private key.
Key Space
The name given to the range of possible values for a cryptographic key.
Normally described in terms of bits, as in the number of bits needed
to count every distinct key. The longer the key length (in bits), the
greater the key space (the range of possible key values doubles for
every 'bit' added).
A brute force attack will on average require 50% of all possible keys
to be guessed before the correct key is found. The key space is
consequently used as a simple measure to describe the strength of the
cryptosystem. A 64-bit key space is no longer considered sufficient to
defeat a brute force attack. A 120-bit key space is often considered
to be the requirement.
MD5
A Message Digest algorithm, frequently used alongside encryption and
authentication software. MD5 produces a short (typically 16 bytes)
checksum of a file. Any change to the original file will result in a
change to the checksum and thus allow tampering to be detected without
having to compare the full-length files.
NIST
National Institute of Standards and Technology, a United States agency
that produces security and cryptography related standards (as well as
others); these standards are published as FIPS documents.
Non-repudiation
The process by which the sender of data is provided with proof of
delivery, and the receiver is assured of the sender's identity. This
is non-repudiation, so that neither party can deny either sending or
receiving the data in question. It provides a sound framework, and is
considered vital, for the future development of electronic commerce.
Unfortunately, genuine non-repudiation would seem to be beyond our
current capabilities. It can only be achieved by protecting the key
holder's private key from theft, and protecting the computer that uses
that private key from infiltration or subversion. Most experts agree
that neither of these is, or is likely to become in the foreseeable
future, realizable.
PAP
Password Authentication Protocol. Authentication protocol that allows
PPP peers to authenticate one another. The remote router attempting to
connect to the local router is required to send an authentication
request. Unlike CHAP, PAP passes the password and host name or
username in the clear (unencrypted). PAP does not itself prevent
unauthorized access, but merely identifies the remote end. The router
or access server then determines if that user is allowed access. PAP
is supported only on PPP lines. Compare with CHAP.
Pass Phrase
A password constructed of more than one word.
Password
A security device consisting of a protected/private string of
characters known only to the authorized user/s and the system. It is
used to authenticate the authorized user of a computer or data file.
Password Sniffing
The use of a sniffer to capture passwords as they pass across a
network. The network could be a local area network, or the Internet
itself. The sniffer could be hardware (if the attacker has physical
access to the network) or software (in which case all that is required
is the ability to compromise a server). A favorite method for
'installing' a password sniffer onto a local area network would be
through the use of a "Trojan horse" virus application.
Once a LAN has been compromised, it is very difficult to detect the
sniffer. The LAN is likely to be Ethernet - in which case the attacker
ensures that the compromised server is placed into 'promiscuous' mode
(that is, able to receive all the packets on the network rather than
those specifically addressed to it). When the sniffer sees a packet
that fits certain criteria, it logs it to a file. The most common
criterion for an interesting packet is that it contains words like
"login" or "password".
But the sniffer itself is passive. It doesn't change anything: it just
listens and logs, allowing the attacker to analyze the logs later.
Since it doesn't change anything, it is difficult to detect. But the
log itself could grow very large - so the detection of such logs could
demonstrate the existence of a sniffer.
The only safe defense against sniffers is constantly changing your
passwords.
PC/SC
The PC/SC standard (PC/Smartcard) was developed by Microsoft - in
conjunction with other IT companies - to ensure compatibility between
smart cards, card reader/writers and computers produced by different
manufacturers. This initiative requires manufacturers of smart card
readers and smart card manufacturers to develop the relevant drivers
and service programs for their hardware. Thus PC/SC became established
as the standard for the chip card industry.
The PC/SC standard development was based on the current ISO 7816
standard for smart card communications, and supports business-specific
application standards such as EMV (Europay, MasterCard, Visa) and GSM
(Global Standard for Mobile Communication).
PGP
Pretty Good Privacy. An encryption program for encrypting data files
and/or e-mail messages on PCs and Macs. Considered to be among the
strongest encryption utilities available.
PGP also has facilities for authentication, so that you can be sure a
message was really sent by the person who it appears to be from, and
non-repudiation to prevent someone from denying that they ever sent a
message.
PKI (Public Key Infrastructure)
PKI is the term given to the overall system required to provide public
key encryption and digital signature services. The purpose of the PKI
is thus to manage keys and certificates, and thereby establish and
maintain a trustworthy networking environment.
PKCS#11
PKCS (Public-Key Cryptography System) is a set of informal
inter-vendor standard protocols developed by RSA for making possible
secure information exchange on the Internet. The standards include RSA
encryption, password-based encryption, extended certificate syntax,
and cryptographic message syntax for S/MIME, RSA's proposed standard
for secure e-mail.
This standard specifies an API, called Cryptoki, to devices, which
hold cryptographic information and perform cryptographic functions.
Cryptoki, pronounced crypto-key and short for cryptographic token
interface, follows a simple object-based approach, addressing the
goals of technology independence (any kind of device) and resource
sharing (multiple applications accessing multiple devices), presenting
to applications a common, logical view of the device called a
cryptographic token.
Plaintext
Data that has not been encrypted, or ciphertext that has been
decrypted.
Private Key
The undisclosed key in a matched key pair (that is, the private key and
the public key) that each party safeguards for public key
cryptography.
Private Key Cryptography
Synonymous with Symmetric Cryptography. Encryption where the same key
is used to both encrypt and decrypt data. This can cause problems
unless a secure method can be found for transferring the key along
with the encrypted data.
Public Key
A public key is a value provided by some designated authority as a key
that, combined with a private key, can be used to effectively encrypt
and decrypt messages and digital signatures. The use of combined
public and private keys is known as asymmetric cryptography. A system
for using public keys is called a public key infrastructure (PKI).
Public Key Cryptography
Synonymous with Asymmetric Cryptography. An encryption system
developed by Whitfield Diffie and Martin Hellman that uses two keys;
one public and one private. Anyone can know a person's public key; no
one should ever know a person's private key. Encrypted messages may be
sent to a recipient by using that person's public key. However, the
message can only be decrypted by the associated private key. In this
way, decryption keys need never be published nor transmitted.
Radius (Remote Authentication Dial-In User Service)
The Remote Authentication Dial-In User Service (RADIUS) is a
client/server security protocol created by Lucent InterNetworking
Systems. RADIUS is an Internet draft standard protocol. User profiles
are stored in a central location, known as the RADIUS server. RADIUS
clients communicate with the RADIUS server to authenticate users. The
server specifies back to the client what the authenticated user is
authorized to do. Although the term RADIUS refers to the network
protocol that the client and server use to communicate, it is often
used to refer to the entire client/server system.
RAS (Remote Access System)
Remote access is the ability to get access to a computer or a network
from a remote distance. In corporations, people at branch offices,
telecommuters, and people who are traveling may need access to the
corporation's network. Home users get access to the Internet through
remote access to an Internet service provider (ISP). Dial-up
connection through desk, notebook, or handheld computer modems over
regular telephone lines is a common method of remote access. Remote
access is also possible using a dedicated line between a computer or a
remote local area network and the "central" or main corporate local
area network.
Risk Management
The total process of identifying, controlling, and eliminating or
minimizing uncertain events that may affect system resources. It
includes risk analysis, cost-risk analysis, selection, implementation
and test, security evaluation of safeguards, and overall security
review.
RSA
A public key encryption algorithm invented by Messrs Rivest, Shamir
and Adleman of IBM. "RSA is a public-key cryptosystem for both
encryption and authentication; it was invented in 1977 by Ron Rivest,
Adi Shamir, and Leonard Adleman. It works as follows: take two large
primes, p and q, and find their product n = pq; n is called the
modulus. Choose a number, e, less than n and relatively prime to
(p-1)(q-1), which means that e and (p-1)(q-1) have no common factors
except 1. Find another number d such that (ed - 1) is divisible by
(p-1)(q-1). The values e and d are called the public and private
exponents, respectively. The public key is the pair (n,e); the private
key is (n,d). The factors p and q may be kept with the private key, or
destroyed.
"It is difficult (presumably) to obtain the private key d
from the public key (n,e). If one could factor n into p and q,
however, then one could obtain the private key d. Thus the security of
RSA is related to the assumption that factoring is difficult."
S/MIME
S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure
method of sending e-mail that uses the RSA encryption system. S/MIME
is included in the latest versions of the Web browsers from Microsoft
and Netscape and has also been endorsed by other vendors that make
messaging products. RSA has proposed S/MIME as a standard to the
Internet Engineering Task Force (IETF). An alternative to S/MIME is
PGP/MIME, which has also been proposed as a standard.
MIME itself, described in the IETF standard called RFC 1521, spells
out how an electronic message will be organized. S/MIME describes how
encryption information and a digital certificate can be included as
part of the message body. S/MIME follows the syntax provided in the
Public-Key Cryptography Standard (PKCS) format #7.
SDK
Short for software development kit, the SDK is a programming package
that enables a programmer to develop applications for a specific
platform. Typically an SDK includes one or more APIs, programming
tools, and documentation.
The eToken Software Developer's Kit (SDK) v1.25 allows developers to
create customized security applications and integrate a web-based
method for eToken driver deployment across the enterprise. The SDK
includes eToken development information and APIs to establish
interfaces with applications or services designed to support Aladdin's
R2 eToken.
The eToken SDK uses standard security interfaces (including PC/SC,
PKCS#11 and CAPI), ties the eToken to access control and VPN
solutions, and gives full support for Public Key Infrastructure (PKI).
It also includes drivers and support for: Windows 98, NT4.0, and
Windows 2000.
Security Clearance
Assuming that a system's objects (let us say, 'files') are all given
a hierarchical label defining their sensitivity (Security
Classification), a subject's (let us say, user's) security clearance
is the corresponding label that defines the degree of sensitivity that
can be accessed. Clearance level labels could, and for administrative
ease possibly should, be given the same names as classification level
labels. Under such circumstances, a user with a clearance level up to
'secret' would be able to access files with a classification level up
to, but not higher than, 'secret'.
Session Key
A key for symmetric-key cryptosystems, which is used for the duration
of one message or communication session.
Single Sign-on
The ability to log in to multiple computers or servers with a single
action and the entry of a single password. Especially useful where,
for example, a user on a LAN or WAN requires access to a number of
different servers. Although single sign-on makes the login process
more convenient for the user, it does mean that the password becomes
more valuable to a hacker because of the large number of systems it
can access. For this reason some consultants discourage the use of
single sign-on systems, and, where there is no other realistic option,
recommend that passwords are guarded safely and changed regularly.
Users must also be made fully aware of their responsibility for
safeguarding their password.
SSL
SSL (Secure Sockets Layer) is a program layer created ??? for managing
the security of message transmissions in a network. The idea is that
the programming for keeping your messages confidential ought to be
contained in a program layer between an application (such as your Web
browser or HTTP) and the Internet's TCP/IP layers. The "sockets" part
of the term refers to the sockets method of passing data back and
forth between a client and a server program in a network or between
program layers in the same computer. SSL uses the public-and-private
key encryption system from RSA, which also includes the use of a
digital certificate.
Strong Encryption
A term given to describe a cryptosystem that uses a key of sufficient
length that it becomes effectively impossible to 'break' the cipher
within a meaningful time frame.
Symmetric Cryptography
See Private Key Cryptography.
Triple DES (3-DES) Encryption
Triple DES is a method of data encryption that uses the same block
size and can use the same hardware as DES; it just uses three keys and
runs DES three times (encrypting each block with the first key,
decrypting it with the second, then encrypting it with the third).
Triple DES is substantially stronger than DES.
Tamper Evident
A feature providing assurance that can identify if something has
changed or been tampered with.
Tamper Resistant
In cryptographic terms, this usually refers to a hardware device that
is either impossible or extremely difficult to reverse engineer or
extract information from.
Trusted Third Party (TTP)
A trustworthy organization such as a bank, or specialist consultancy,
which provides security-related services that enable transactions such
as encryption, and authentication to be conducted securely. Under
various schemes being implemented or proposed by a number of
governments throughout Europe and the world, companies who use strong
encryption will be required to lodge copies of their encryption keys
with a trusted third party in order that the keys can be divulged to
law enforcement groups such as those investigating organized crime,
drugs or terrorism.
Username / User ID
A unique "name" by which each user is known to the system. This name
is assigned to each user whenever they register to use the system.
Verification
The act of recognizing that a person or entity is who or what it
claims to be.
VPN
A virtual private network (VPN) is a private data network that makes
use of the public telecommunication infrastructure, maintaining
privacy through the use of a tunneling protocol and security
procedures. A virtual private network can be contrasted with a system
of owned or leased lines that can only be used by one company. The
idea of the VPN is to give the company the same capabilities at much
lower cost by using the shared public infrastructure rather than a
private one. Phone companies have provided secure shared resources for
voice messages. A virtual private network makes it possible to have
the same secure sharing of public resources for data. Companies today
are looking at using a virtual private network for both extranets and
wide-area intranets.
Using a virtual private network involves encrypting data before
sending it through the public network and decrypting it at the
receiving end. An additional level of security involves encrypting not
only the data but also the originating and receiving network
addresses. Microsoft, 3Com, and several other companies have developed
the Point-to-Point Tunneling Protocol (PPTP) and Microsoft has
extended Windows NT to support it. VPN software is typically installed
as part of a company's firewall server.
X.509 Certificate Version 3
Application of public key technology requires the user of a public key
to be confident that the public key belongs to the correct remote
subject (person or system) with which an encryption or digital
signature mechanism will be used. This confidence is obtained through
the use of public key certificates, which are data structures that
bind public key values to subject identities. The binding is achieved
by having a trusted certification authority (CA) digitally sign each
certificate. A certificate has a limited valid lifetime, which is
indicated in its signed contents. Because a certificate-using client
can independently check a certificate's signature and timeliness,
certificates can be distributed via non-trusted communications and
server systems, and can be cached in unsecured storage in
certificate-using systems.
The standard known as ITU-T X.509 (formerly CCITT X.509) or ISO/IEC
9594-8, which was first published in 1988 as part of the X.500
Directory recommendations, defines a standard certificate format.
The main reason for the structural restrictions imposed by RFC 1422
was the restricted certificate format provided with X.509 v1. With
X.509 v3, most of the requirements addressed by RFC 1422 can be
addressed using certificate extensions, without a need to restrict the
CA structures used. In particular, the certificate extensions relating
to certificate policies obviate the need for PCAs and the constraint
extensions obviate the need for the name subordination rule.
In response to these new requirements, ISO/IEC and ANSI X9 developed
the X.509 version 3 (v3) certificate format. The v3 format extends the
v2 format by adding provision for additional extension fields.
Particular extension field types may be specified in standards or may
be defined and registered by any organization or community. In June
1996, standardization of the basic v3 format was completed [X.509-AM].
ISO/IEC and ANSI X9 have also developed a set of standard extensions
for use in the v3 extensions field [X.509-AM]. These extensions can
convey such data as additional subject identification information, key
attribute information, policy information, and certification path
constraints.
However, the ISO/IEC and ANSI standard extensions are very broad in
their applicability. In order to develop interoperable implementations
of X.509 v3 systems for Internet use, it is necessary to specify a
profile for use of the X.509 v3 extensions tailored for the Internet.
For example the Internet Public Key Infrastructure (IETF-PKIX) working
group [PKIX] has specified a profile for Internet WWW, electronic
mail, and IPSEC applications. Environments with additional
requirements may build on this profile or may replace it.