Term
Product (systemigram-like sentence) |
|
Definition
A product implements features by performing certain behaviors that operate on resources. |
|
|
Term
|
Definition
A software package, protocol design, architecture, etc. |
|
|
Term
|
Definition
A main capability offered by a product.
Note: A feature is not a technical capability. |
|
|
Term
|
Definition
An entity that is used, modified, or provided by the product, such as memory, CPU, file, cookie, news article, or network connection. |
|
|
Term
|
Definition
An action that the product takes to provide a feature, or an action that a user performs. |
|
|
Term
Security Feature (definition) |
|
Definition
A security feature is a system capability that contributes to its security, and can be reused for systems with similar goals.
Note: A security feature combines people, process, and technology capabilities into a prevent, detect, recover cycle. |
|
|
Term
Difference between security feature and technology |
|
Definition
A security feature describes WHAT security will be implemented.
A security technology is used to determine HOW it will be implemented. |
|
|
Term
Three Big Ideas of Crypto |
|
Definition
1) Confusion
2) Diffusion
3) Secrecy Only in the Key |
|
|
Term
Crypto Big Idea 1: Confusion |
|
Definition
Refers to making the relationship between the key and the ciphertext as complex and involved as possible. |
|
|
Term
Crypto Big Idea 2: Diffusion |
|
Definition
Refers to the property that the redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext, i.e., the message is spread out.
Example (message written in rows, then read out column by column):
ATTA
CKAT
DAWN
ACD TKA TAW ATN |
|
|
Term
Crypto Big Idea 3: Secrecy Only in the Key |
|
Definition
After thousands of years, we learned that it's a bad idea to assume that no one knows how your method works. Someone will eventually find that out, i.e., you can only decode the message with the key, not by knowing the method of encryption (assuming there isn't a flaw in the key or some other crypto breakthrough). |
|
|
Term
Symmetric Encryption Authentication |
|
Definition
Encryption and decryption keys are the same; authentication is only for community, not individual; it requires confidentiality and guarantees of not sharing keys beyond the community. |
|
|
Term
Asymmetric Encryption-based Authentication |
|
Definition
Public encryption key and private decryption key; requires complete integrity of public key and complete confidentiality of private key. |
|
|
Term
Message Integrity Authentication via Digital Signature (process) |
|
Definition
Sign (Sender):
1) Hash data
2) Encrypt hash with private signature key (i.e., the digital signature)
3) Combine with certificate
4) Attach to data
Verify (Recipient):
5) Separate digital signature from data
6) Decrypt using public signature key
7) Re-hash data
8) Compare new hash of data to decrypted hash
9) If hashes are equal then signature is valid. |
|
|
Term
Message Integrity Authentication via Digital Signature combined with Confidentiality via Asymmetric Key Encryption (process) |
|
Definition
Sender:
1) Hash data
2) Encrypt data with recipient public key
3) Encrypt everything with sender private signature key
Recipient:
4) Decrypt with sender public signature key
5) Decrypt message with recipient private key
6) Re-hash data
7) Compare new hash and original hash
8) If hashes match, then data is authentic. |
|
|
Term
|
Definition
An automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins. It follows the physical establishment of the channel and precedes normal information transfer. |
|
|
Term
Federated Identity (definition) |
|
Definition
The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems |
|
|
Term
|
Definition
A property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. |
|
|
Term
Handshakes using tokens (process) |
|
Definition
1) Username + PIN + Token
2) Auth Server: username is associated with PIN; simple lookup.
3) "Seed" key on server recalculates token using current time to perform auth. Token = algorithm(time, key).
4) "Child" key resides on hand-held device and recalculates token every X seconds according to algorithm. Battery keeps device in sync. |
|
|
Term
Least Privilege (definition) |
|
Definition
Principle that everyone should have exactly the permissions they need to perform their role in systems operation, and no more.
Note: Not the same as need-to-know, which refers to minimum spread of information for its expected utility – much more difficult |
|
|
Term
|
Definition
- A service that provides proof of the integrity and origin of data.
- An authentication that with high assurance can be asserted to be genuine.
- Usually requires a combination of physical and logical controls.
|
|
|
Term
|
Definition
Network configuration to ensure traffic is subject to controls. |
|
|
Term
Segregation of Duties (definition) |
|
Definition
Provides distinction between at least two roles, and corresponding mechanisms to ensure that a single system function must require collaboration from at least two distinct subjects in order for the function to be successfully accomplished.
Examples:
• Two physical keys required to turn on switch to launch nuclear missiles
• Two accounting system logins required to process a payment, one to enter details, another to release payment.
|
|
|
Term
|
Definition
Communications that occur outside of a previously established communication method or channel. |
|
|
Term
|
Definition
The adaptive capacity of systems to meet and achieve priorities and goals in order to absorb or limit disruptions while retaining service continuity. |
|
|