Network Working Group                                          R. Shirey
Request for Comments: 2828                        GTE / BBN Technologies
FYI: 36                                                         May 2000
Category: Informational
        
Network Working Group                                          R. Shirey
Request for Comments: 2828                        GTE / BBN Technologies
FYI: 36                                                         May 2000
Category: Informational
        

Internet Security Glossary

互联网安全词汇表

Status of this Memo

本备忘录的状况

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

Abstract

摘要

This Glossary (191 pages of definitions and 13 pages of references) provides abbreviations, explanations, and recommendations for use of information system security terminology. The intent is to improve the comprehensibility of writing that deals with Internet security, particularly Internet Standards documents (ISDs). To avoid confusion, ISDs should use the same term or definition whenever the same concept is mentioned. To improve international understanding, ISDs should use terms in their plainest, dictionary sense. ISDs should use terms established in standards documents and other well-founded publications and should avoid substituting private or newly made-up terms. ISDs should avoid terms that are proprietary or otherwise favor a particular vendor, or that create a bias toward a particular security technology or mechanism versus other, competing techniques that already exist or might be developed in the future.

本术语表(191页定义和13页参考文献)提供了信息系统安全术语的缩写、解释和使用建议。其目的是提高有关互联网安全,特别是互联网标准文件(ISDs)的写作的可理解性。为避免混淆,每当提及相同的概念时,ISDs应使用相同的术语或定义。为了增进国际间的理解,ISD应该使用最简单的词典意义上的术语。ISD应使用标准文件和其他有根据的出版物中确定的术语,并应避免替换私人或新编制的术语。ISD应避免使用专有术语或以其他方式有利于特定供应商的术语,或避免使用对特定安全技术或机制产生偏见的术语,而不是使用已经存在或将来可能开发的其他竞争性技术。

Table of Contents

目录

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2. Explanation of Paragraph Markings  . . . . . . . . . . . . . .   4
      2.1 Recommended Terms with an Internet Basis ("I") . . . . . .   4
      2.2 Recommended Terms with a Non-Internet Basis ("N")  . . . .   5
      2.3 Other Definitions ("O")  . . . . . . . . . . . . . . . . .   5
      2.4 Deprecated Terms, Definitions, and Uses ("D")  . . . . . .   6
      2.5 Commentary and Additional Guidance ("C") . . . . . . . . .   6
   3. Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 197
   5. Security Considerations  . . . . . . . . . . . . . . . . . . . 211
   6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 211
   7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 211
   8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 212
        
   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2. Explanation of Paragraph Markings  . . . . . . . . . . . . . .   4
      2.1 Recommended Terms with an Internet Basis ("I") . . . . . .   4
      2.2 Recommended Terms with a Non-Internet Basis ("N")  . . . .   5
      2.3 Other Definitions ("O")  . . . . . . . . . . . . . . . . .   5
      2.4 Deprecated Terms, Definitions, and Uses ("D")  . . . . . .   6
      2.5 Commentary and Additional Guidance ("C") . . . . . . . . .   6
   3. Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 197
   5. Security Considerations  . . . . . . . . . . . . . . . . . . . 211
   6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 211
   7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 211
   8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 212
        
1. Introduction
1. 介绍

This Glossary provides an internally consistent, complementary set of abbreviations, definitions, explanations, and recommendations for use of terminology related to information system security. The intent of this Glossary is to improve the comprehensibility of Internet Standards documents (ISDs)--i.e., RFCs, Internet-Drafts, and other material produced as part of the Internet Standards Process [R2026]-- and of all other Internet material, too. Some non-security terms are included to make the Glossary self-contained, but more complete lists of networking terms are available elsewhere [R1208, R1983].

本术语表提供了一套内部一致的、补充的缩写、定义、解释以及与信息系统安全相关的术语使用建议。本术语表旨在提高互联网标准文件(ISD)的可理解性,即RFC、互联网草案和作为互联网标准过程一部分制作的其他材料[R2026]——以及所有其他互联网材料的可理解性。包括一些非安全术语以使术语表自包含,但其他地方提供了更完整的网络术语列表[R1208、R1983]。

Some glossaries (e.g., [Raym]) list terms that are not listed here but could be applied to Internet security. However, those terms have not been included in this Glossary because they are not appropriate for ISDs.

一些词汇表(例如,[Raym])列出了此处未列出但可用于互联网安全的术语。但是,这些术语未包含在本词汇表中,因为它们不适用于ISDs。

This Glossary marks terms and definitions as being either endorsed or deprecated for use in ISDs, but this Glossary is not an Internet standard. The key words "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are intended to be interpreted the same way as in an Internet Standard [R2119], but this guidance represents only the recommendations of this author. However, this Glossary includes reasons for the recommendations--particularly for the SHOULD NOTs--so that readers can judge for themselves whether to follow the recommendations.

本术语表将在ISDs中使用的术语和定义标记为已认可或已弃用,但本术语表不是互联网标准。关键词“应该”、“不应该”、“建议”、“可能”和“可选”的解释与互联网标准[R2119]中的解释相同,但本指南仅代表作者的建议。然而,这个词汇表包含了这些建议的理由——特别是不应该这样做的理由——以便读者能够自己判断是否遵循这些建议。

This Glossary supports the goals of the Internet Standards Process:

本术语表支持互联网标准过程的目标:

o Clear, Concise, and Easily Understood Documentation

o 清晰、简洁且易于理解的文档

This Glossary seeks to improve comprehensibility of security-related content of ISDs. That requires wording to be clear and understandable, and requires the set of security-related terms and definitions to be consistent and self-supporting. Also, the terminology needs to be uniform across all ISDs; i.e., the same term or definition needs to be used whenever and wherever the same concept is mentioned. Harmonization of existing ISDs need not be done immediately, but it is desirable to correct and standardize the terminology when new versions are issued in the normal course of standards development and evolution.

本术语表旨在提高ISDs安全相关内容的可理解性。这要求措辞清晰易懂,并要求一套与安全相关的术语和定义保持一致和自我支持。此外,所有ISD的术语需要统一;i、 例如,无论何时何地提及相同的概念,都需要使用相同的术语或定义。现有ISD的协调无需立即进行,但在标准开发和演变的正常过程中发布新版本时,需要对术语进行纠正和标准化。

o Technical Excellence

o 技术卓越

Just as Internet Standard (STD) protocols should operate effectively, ISDs should use terminology accurately, precisely, and unambiguously to enable Internet Standards to be implemented correctly.

正如互联网标准(STD)协议应有效运行一样,ISDs应准确、准确、明确地使用术语,以确保正确实施互联网标准。

o Prior Implementation and Testing

o 预先实施和测试

Just as STD protocols require demonstrated experience and stability before adoption, ISDs need to use well-established language. Using terms in their plainest, dictionary sense (when appropriate) helps to ensure international understanding. ISDs need to avoid using private, made-up terms in place of generally-accepted terms from standards and other publications. ISDs need to avoid substituting new definitions that conflict with established ones. ISDs need to avoid using "cute" synonyms (e.g., see: Green Book); no matter how popular a nickname may be in one community, it is likely to cause confusion in another.

正如STD协议在采用前需要经过验证的经验和稳定性,ISDs需要使用成熟的语言。在适当的时候使用最简单、词典意义上的术语有助于确保国际理解。ISD需要避免使用私人的、虚构的术语来代替标准和其他出版物中普遍接受的术语。ISD需要避免替换与现有定义冲突的新定义。ISD需要避免使用“可爱”同义词(例如,参见:绿皮书);无论昵称在一个社区中多么流行,它都可能在另一个社区中引起混乱。

o Openness, Fairness, and Timeliness

o 公开、公平和及时性

ISDs need to avoid terms that are proprietary or otherwise favor a particular vendor, or that create a bias toward a particular security technology or mechanism over other, competing techniques that already exist or might be developed in the future. The set of terminology used across the set of ISDs needs to be flexible and adaptable as the state of Internet security art evolves.

ISD需要避免专有术语或以其他方式有利于特定供应商的术语,或避免对特定安全技术或机制产生偏见,而不是对已经存在或可能在未来开发的其他竞争技术产生偏见的术语。随着互联网安全技术的发展,ISDs中使用的术语集需要具有灵活性和适应性。

2. Explanation of Paragraph Markings
2. 对段落标记的解释

Section 3 marks terms and definitions as follows:

第3节标记术语和定义如下:

o Capitalization: Only terms that are proper nouns are capitalized.

o 大写:只有专有名词的术语才大写。

o Paragraph Marking: Definitions and explanations are stated in paragraphs that are marked as follows:

o 段落标记:定义和解释在标记如下的段落中说明:

- "I" identifies a RECOMMENDED Internet definition. - "N" identifies a RECOMMENDED non-Internet definition. - "O" identifies a definition that is not recommended as the first choice for Internet documents but is something that authors of Internet documents need to know. - "D" identifies a term or definition that SHOULD NOT be used in Internet documents. - "C" identifies commentary or additional usage guidance.

- “I”表示推荐的互联网定义。-“N”表示推荐的非互联网定义。-“O”表示不建议将其作为互联网文档的首选,但互联网文档的作者需要了解的定义。-“D”表示不应在互联网文档中使用的术语或定义。-“C”表示注释或附加使用指南。

The rest of Section 2 further explains these five markings.

第2节的其余部分进一步解释了这五个标记。

2.1 Recommended Terms with an Internet Basis ("I")
2.1 基于互联网的推荐条款(“I”)

The paragraph marking "I" (as opposed to "O") indicates a definition that SHOULD be the first choice for use in ISDs. Most terms and definitions of this type MAY be used in ISDs; however, some "I" definitions are accompanied by a "D" paragraph that recommends against using the term. Also, some "I" definitions are preceded by an indication of a contextual usage limitation (e.g., see: certification), and ISDs should not the term and definition outside that context

标有“I”的段落(与“O”相对)表示应作为ISDs首选的定义。大多数此类术语和定义可在ISDs中使用;然而,一些“I”定义附有一个“D”段,建议不要使用该术语。此外,一些“I”定义前面有上下文使用限制的指示(例如,见:认证),ISDs不应在该上下文之外使用该术语和定义

An "I" (as opposed to an "N") also indicates that the definition has an Internet basis. That is, either the Internet Standards Process is authoritative for the term, or the term is sufficiently generic that this Glossary can freely state a definition without contradicting a non-Internet authority (e.g., see: attack).

“I”(与“N”相对)也表示该定义具有互联网基础。也就是说,互联网标准流程对术语具有权威性,或者术语具有足够的通用性,因此本术语表可以自由陈述定义,而不会与非互联网权威相抵触(例如,参见:攻击)。

Many terms with "I" definitions are proper nouns (e.g., see: Internet Protocol). For such terms, the "I" definition is intended only to provide basic information; the authoritative definition is found elsewhere.

许多带有“I”定义的术语都是专有名词(例如,参见:互联网协议)。对于此类术语,“I”的定义仅用于提供基本信息;权威的定义可在别处找到。

For a proper noun identified as an "Internet protocol", please refer to the current edition of "Internet Official Protocol Standards" (STD 1) for the standardization state and status of the protocol.

对于被识别为“互联网协议”的专有名词,请参考当前版本的“互联网官方协议标准”(STD 1),了解协议的标准化状态和状态。

2.2 Recommended Terms with a Non-Internet Basis ("N")
2.2 非互联网基础的推荐条款(“N”)

The paragraph marking "N" (as opposed to "O") indicates a definition that SHOULD be the first choice for the term, if the term is used at all in Internet documents. Terms and definitions of this type MAY be used in Internet documents (e.g., see: X.509 public-key certificate).

标记为“N”(与“O”相对)的段落表明,如果在互联网文档中使用该术语,则应首先选择该术语的定义。此类术语和定义可用于互联网文档(例如,请参阅:X.509公钥证书)。

However, an "N" (as opposed to an "I") also indicates a definition that has a non-Internet basis or origin. Many such definitions are preceded by an indication of a contextual usage limitation, and this Glossary's endorsement does not apply outside that context. Also, some contexts are rarely if ever expected to occur in a Internet document (e.g., see: baggage). In those cases, the listing exists to make Internet authors aware of the non-Internet usage so that they can avoid conflicts with non-Internet documents.

然而,“N”(与“I”相对)也表示具有非互联网基础或来源的定义。许多这样的定义之前都有上下文使用限制的指示,本术语表的认可不适用于该上下文之外的情况。此外,一些上下文很少出现在互联网文档中(例如,请参阅:baggage)。在这些情况下,该清单的存在是为了让互联网作者了解非互联网使用情况,从而避免与非互联网文档发生冲突。

Many terms with "N" definitions are proper nouns (e.g., see: Computer Security Objects Register). For such terms, the "N" definition is intended only to provide basic information; the authoritative definition is found elsewhere.

许多定义为“N”的术语都是专有名词(例如,请参阅:计算机安全对象寄存器)。对于此类术语,“N”的定义仅用于提供基本信息;权威的定义可在别处找到。

2.3 Other Definitions ("O")
2.3 其他定义(“O”)

The paragraph marking "O" indicates a definition that has a non-Internet basis, but indicates that the definition SHOULD NOT be used in ISDs *except* in cases where the term is specifically identified as non-Internet.

标有“O”的段落表示具有非互联网基础的定义,但表明该定义不应在ISDs*中使用,除非该术语被明确标识为非互联网。

For example, an ISD might mention "BCA" (see: brand certification authority) or "baggage" as an example to illustrate some concept; in that case, the document should specifically say "SET(trademark) BCA" or "SET(trademark) baggage" and include the definition of the term.

例如,ISD可能会提到“BCA”(见:品牌认证机构)或“baggage”作为示例来说明某些概念;在这种情况下,文件应特别注明“SET(商标)BCA”或“SET(商标)行李”,并包括该术语的定义。

For some terms that have a definition published by a non-Internet authority--government (see: object reuse), industry (see: Secure Data Exchange), national (see: Data Encryption Standard), or international (see: data confidentiality)--this Glossary marks the definition "N", recommending its use in Internet documents. In other cases, the non-Internet definition of a term is inadequate or inappropriate for ISDs. For example, it may be narrow or outdated, or it may need clarification by substituting more careful or more explanatory wording using other terms that are defined in this Glossary. In those cases, this Glossary marks the tern "O" and provides an "I" definition (or sometimes a different "N" definition), which precedes and supersedes the definition marked "O".

对于一些定义由非互联网权威机构发布的术语——政府(请参阅:对象重用)、行业(请参阅:安全数据交换)、国家(请参阅:数据加密标准)或国际(请参阅:数据机密性)——本术语表将定义标记为“N”,建议在互联网文档中使用。在其他情况下,一个术语的非互联网定义不足以或不适合ISDs。例如,它可能是狭义的或过时的,或者可能需要通过使用本术语表中定义的其他术语替换更仔细或更具解释性的措辞来进行澄清。在这些情况下,本术语表将tern标记为“O”,并提供了一个“I”定义(有时是一个不同的“N”定义),该定义位于并取代标记为“O”的定义。

In most of the cases where this Glossary provides a definition to supersede one from a non-Internet standard, the substitute is intended to subsume the meaning of the superseded "O" definition and not conflict with it. For the term "security service", for example, the "O" definition deals narrowly with only communication services provided by layers in the OSI model and is inadequate for the full range of ISD usage; the "I" definition can be used in more situations and for more kinds of service. However, the "O" definition is also provided here so that ISD authors will be aware of the context in which the term is used more narrowly.

在大多数情况下,如果本术语表提供了一个定义来取代非互联网标准中的定义,则替换词旨在包含被取代的“O”定义的含义,而不是与之冲突。例如,就术语“安全服务”而言,“O”的定义仅狭隘地涉及OSI模型中各层提供的通信服务,不足以满足ISD的全部用途;“I”定义可用于更多情况和更多种类的服务。然而,此处还提供了“O”的定义,以便ISD作者了解该术语使用范围更窄的上下文。

When making substitutions, this Glossary attempts to use understandable English that does not contradict any non-Internet authority. Still, terminology differs between the standards of the American Bar Association, OSI, SET, the U.S. Department of Defense, and other authorities, and this Glossary probably is not exactly aligned with all of them.

在进行替换时,本词汇表试图使用不与任何非互联网权威相抵触的可理解英语。尽管如此,美国律师协会、OSI、SET、美国国防部和其他权威机构的标准之间的术语有所不同,而且这个术语表可能并不完全符合所有这些标准。

2.4 Deprecated Terms, Definitions, and Uses ("D")
2.4 不推荐使用的术语、定义和用法(“D”)

If this Glossary recommends that a term or definition SHOULD NOT be used in ISDs, then either the definition has the paragraph marking "D", or the restriction is stated in a "D" paragraph that immediately follows the term or definition.

如果本术语表建议不在ISDs中使用某个术语或定义,则该定义的段落标记为“D”,或者该限制在紧跟该术语或定义之后的“D”段落中说明。

2.5 Commentary and Additional Guidance ("C")
2.5 评注和补充指南(“C”)

The paragraph marking "C" identifies text that is advisory or tutorial. This text MAY be reused in other Internet documents. This text is not intended to be authoritative, but is provided to clarify the definitions and to enhance this Glossary so that Internet security novices can use it as a tutorial.

标有“C”的段落标识了建议性或教程性文本。此文本可在其他Internet文档中重复使用。本文并不具有权威性,但旨在澄清定义并增强本词汇表,以便互联网安全新手可以将其用作教程。

3. Definitions
3. 定义

Note: Each acronym or other abbreviation (except items of common English usage, such as "e.g.", "etc.", "i.e.", "vol.", "pp.", "U.S.") that is used in this Glossary, either in a definition or as a subpart of a defined term, is also defined in this Glossary.

注:本术语表中使用的每个首字母缩略词或其他缩写词(除常见英语用法项外,如“e.g.”、“etc.”、“i.e.”、“vol.”、“pp.”、“U.S.”)在定义中或定义术语的子部分中也在本术语表中定义。

$ 3DES See: triple DES.

$ 3DES见:三重DES。

$ *-property (N) (Pronounced "star property".) See: "confinement property" under Bell-LaPadula Model.

$ *-属性(N)(发音为“星属性”)参见Bell-LaPadula模型下的“限制属性”。

$ ABA Guidelines (N) "American Bar Association (ABA) Digital Signature Guidelines" [ABA], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.

$ 美国律师协会指南(N)“美国律师协会(ABA)数字签名指南”[ABA],在电子商务中使用数字签名和数字证书的法律原则框架。

$ Abstract Syntax Notation One (ASN.1) (N) A standard for describing data objects. [X680]

$ 抽象语法符号1(ASN.1)(N)描述数据对象的标准。[X680]

(C) OSI standards use ASN.1 to specify data formats for protocols. OSI defines functionality in layers. Information objects at higher layers are abstractly defined to be implemented with objects at lower layers. A higher layer may define transfers of abstract objects between computers, and a lower layer may define transfers concretely as strings of bits. Syntax is needed to define abstract objects, and encoding rules are needed to transform between abstract objects and bit strings. (See: Basic Encoding Rules.)

(C) OSI标准使用ASN.1为协议指定数据格式。OSI在层中定义功能。高层的信息对象被抽象地定义为与底层的对象一起实现。较高的一层可以定义计算机之间抽象对象的传输,较低的一层可以具体地定义为比特串的传输。定义抽象对象需要语法,在抽象对象和位字符串之间转换需要编码规则。(请参阅:基本编码规则。)

(C) In ASN.1, formal names are written without spaces, and separate words in a name are indicated by capitalizing the first letter of each word except the first word. For example, the name of a CRL is "certificateRevocationList".

(C) 在ASN.1中,正式名称是不带空格的,名称中的单独单词是通过大写每个单词的第一个字母来表示的,第一个单词除外。例如,CRL的名称是“CertificatereJournalist”。

$ ACC See: access control center.

$ ACC见:门禁中心。

$ access (I) The ability and means to communicate with or otherwise interact with a system in order to use system resources to either handle information or gain knowledge of the information the system contains.

$ 访问(I)与系统通信或以其他方式与系统交互的能力和方法,以便使用系统资源处理信息或获取系统包含信息的知识。

(O) "A specific type of interaction between a subject and an object that results in the flow of information from one to the other." [NCS04]

(O) “主体和客体之间的一种特定类型的交互,导致信息从一个流向另一个。”[NCS04]

(C) In this Glossary, "access" is intended to cover any ability to communicate with a system, including one-way communication in either direction. In actual practice, however, entities outside a security perimeter that can receive output from the system but cannot provide input or otherwise directly interact with the system, might be treated as not having "access" and, therefore, be exempt from security policy requirements, such as the need for a security clearance.

(C) 在本术语表中,“访问”旨在涵盖与系统通信的任何能力,包括单向通信。然而,在实际实践中,安全外围之外的实体可以从系统接收输出,但不能提供输入或以其他方式直接与系统交互,可能被视为没有“访问权”,因此可以免于安全政策要求,例如需要安全许可。

$ access control (I) Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities

$ 访问控制(I)保护系统资源免受未经授权的访问;一种过程,通过该过程,系统资源的使用根据安全策略进行管理,并且仅由授权实体允许

(users, programs, processes, or other systems) according to that policy. (See: access, access control service.)

(用户、程序、进程或其他系统)根据该策略。(请参阅:访问、访问控制服务。)

(O) "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner." [I7498 Part 2]

(O) “防止未经授权使用资源,包括防止以未经授权的方式使用资源。”[I7498第2部分]

$ access control center (ACC) (I) A computer containing a database with entries that define a security policy for an access control service.

$ 门禁中心(ACC)(I)包含数据库的计算机,数据库中的条目定义了门禁服务的安全策略。

(C) An ACC is sometimes used in conjunction with a key center to implement access control in a key distribution system for symmetric cryptography.

(C) ACC有时与密钥中心结合使用,以在对称加密的密钥分发系统中实现访问控制。

$ access control list (ACL) (I) A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource. (See: capability.)

$ 访问控制列表(ACL)(I)通过枚举允许访问资源的系统实体的标识来实现对系统资源的访问控制的机制。(请参阅:能力。)

$ access control service (I) A security service that protects against a system entity using a system resource in a way not authorized by the system's security policy; in short, protection of system resources against unauthorized access. (See: access control, discretionary access control, identity-based security policy, mandatory access control, rule-based security policy.)

$ 访问控制服务(I)防止系统实体以未经系统安全策略授权的方式使用系统资源的安全服务;简而言之,保护系统资源免受未经授权的访问。(请参阅:访问控制、自主访问控制、基于身份的安全策略、强制访问控制、基于规则的安全策略。)

(C) This service includes protecting against use of a resource in an unauthorized manner by an entity that is authorized to use the resource in some other manner. The two basic mechanisms for implementing this service are ACLs and tickets.

(C) 此服务包括防止被授权以某种其他方式使用资源的实体以未经授权的方式使用资源。实现此服务的两种基本机制是ACL和票证。

$ access mode (I) A distinct type of data processing operation--e.g., read, write, append, or execute--that a subject can potentially perform on an object in a computer system.

$ 访问模式(I)一种不同类型的数据处理操作——例如,读、写、附加或执行——主体可能对计算机系统中的对象执行这些操作。

$ accountability (I) The property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions. (See: audit service.)

$ 问责制(I)系统的属性(包括其所有系统资源),确保系统实体的行为可以唯一追溯到该实体,该实体可以对其行为负责。(请参阅:审计服务。)

(C) Accountability permits detection and subsequent investigation of security breaches.

(C) 问责制允许对安全漏洞进行检测和后续调查。

$ accredit $ accreditation (I) An administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. [FP102] (See: certification.)

$ 认证$认证(I)指定机构的行政声明,表明信息系统已获准在特定的安全配置下运行,并具有一套规定的安全措施。[FP102](参见:认证。)

(C) An accreditation is usually based on a technical certification of the system's security mechanisms. The terms "certification" and "accreditation" are used more in the U.S. Department of Defense and other government agencies than in commercial organizations. However, the concepts apply any place where managers are required to deal with and accept responsibility for security risks. The American Bar Association is developing accreditation criteria for CAs.

(C) 认证通常基于系统安全机制的技术认证。与商业组织相比,“认证”和“认可”这两个术语在美国国防部和其他政府机构中使用得更多。然而,这些概念适用于要求管理者应对安全风险并承担安全风险责任的任何地方。美国律师协会正在为CAs制定认证标准。

$ ACL See: access control list.

$ ACL请参阅:访问控制列表。

$ acquirer (N) SET usage: "The financial institution that establishes an account with a merchant and processes payment card authorizations and payments." [SET1]

$ 收单机构(N)设置用法:“与商户建立账户并处理支付卡授权和支付的金融机构。”[SET1]

(O) "The institution (or its agent) that acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system." [SET2]

(O) “从卡接受人处获取与交易有关的金融数据并将该数据导入交换系统的机构(或其代理人)。[SET2]

$ active attack See: (secondary definition under) attack.

$ 主动攻击请参见:(第二个定义下)攻击。

$ active wiretapping See: (secondary definition under) wiretapping.

$ 主动窃听请参见:(第二定义)窃听。

$ add-on security (I) "The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational." [FP039]

$ 附加安全(I)“在[自动数据处理]系统开始运行后,通过硬件或软件对保护机制进行改造。”[FP039]

$ administrative security (I) Management procedures and constraints to prevent unauthorized access to a system. (See: security architecture.)

$ 管理安全(I)防止未经授权访问系统的管理程序和限制。(请参阅:安全体系结构。)

(O) "The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data." [FP039]

(O) “为为敏感数据提供可接受的保护水平而建立的管理约束、操作程序、问责程序和补充控制。”[FP039]

(C) Examples include clear delineation and separation of duties, and configuration control.

(C) 示例包括职责的明确划分和分离,以及配置控制。

$ Advanced Encryption Standard (AES) (N) A future FIPS publication being developed by NIST to succeed DES. Intended to specify an unclassified, publicly-disclosed, symmetric encryption algorithm, available royalty-free worldwide.

$ 高级加密标准(AES)(N)NIST为接替DES而开发的未来FIPS出版物。旨在指定一种非保密、公开披露的对称加密算法,可在全球范围内免费使用。

$ adversary (I) An entity that attacks, or is a threat to, a system.

$ 对手(I)攻击或威胁系统的实体。

$ aggregation (I) A circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it.

$ 聚合(I)一种情况,在这种情况下,信息项集合需要在比组成它的任何单个项更高的安全级别上进行分类。

$ AH See: Authentication Header

$ 请参阅:身份验证标头

$ algorithm (I) A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. (See: cryptographic algorithm.)

$ 算法(I)用于解决问题或计算过程的一组有限的分步指令,特别是可以由计算机实现的指令。(请参阅:加密算法。)

$ alias (I) A name that an entity uses in place of its real name, usually for the purpose of either anonymity or deception.

$ 别名(I)实体用以代替真实姓名的名称,通常用于匿名或欺骗目的。

$ American National Standards Institute (ANSI) (N) A private, not-for-profit association of users, manufacturers, and other organizations, that administers U.S. private sector voluntary standards.

$ 美国国家标准协会(ANSI)(N):一个由用户、制造商和其他组织组成的非营利私人协会,负责管理美国私营部门的自愿性标准。

(C) ANSI is the sole U.S. representative to the two major non-treaty international standards organizations, ISO and, via the U.S. National Committee (USNC), the International Electrotechnical Commission (IEC).

(C) ANSI是两大非条约国际标准组织ISO和通过美国国家委员会(USNC)国际电工委员会(IEC)的唯一美国代表。

$ anonymous (I) The condition of having a name that is unknown or concealed. (See: anonymous login.)

$ 匿名(I)具有未知或隐藏的名称的情况。(请参阅:匿名登录。)

(C) An application may require security services that maintain anonymity of users or other system entities, perhaps to preserve their privacy or hide them from attack. To hide an entity's real name, an alias may be used. For example, a financial institution may assign an account number. Parties to a transaction can thus remain relatively anonymous, but can also accept the transaction

(C) 应用程序可能需要维护用户或其他系统实体匿名性的安全服务,可能是为了保护他们的隐私或使他们免受攻击。要隐藏实体的真实名称,可以使用别名。例如,金融机构可以指定一个帐号。因此,交易各方可以保持相对匿名,但也可以接受交易

as legitimate. Real names of the parties cannot be easily determined by observers of the transaction, but an authorized third party may be able to map an alias to a real name, such as by presenting the institution with a court order. In other applications, anonymous entities may be completely untraceable.

合法的。交易的观察者无法轻易确定当事人的真实姓名,但经授权的第三方可以将别名映射为真实姓名,例如向机构提交法院命令。在其他应用程序中,匿名实体可能完全不可追踪。

$ anonymous login (I) An access control feature (or, rather, an access control weakness) in many Internet hosts that enables users to gain access to general-purpose or public services and resources on a host (such as allowing any user to transfer data using File Transfer Protocol) without having a pre-established, user-specific account (i.e., user name and secret password).

$ 匿名登录(I)许多Internet主机中的一种访问控制功能(或者更确切地说,是访问控制的弱点),使用户能够访问主机上的通用或公共服务和资源(例如允许任何用户使用文件传输协议传输数据),而无需预先建立特定于用户的帐户(即用户名和密码)。

(C) This feature exposes a system to more threats than when all the users are known, pre-registered entities that are individually accountable for their actions. A user logs in using a special, publicly known user name (e.g., "anonymous", "guest", or "ftp"). To use the public login name, the user is not required to know a secret password and may not be required to input anything at all except the name. In other cases, to complete the normal sequence of steps in a login protocol, the system may require the user to input a matching, publicly known password (such as "anonymous") or may ask the user for an e-mail address or some other arbitrary character string.

(C) 与所有用户都是已知的、预先注册的、对其行为负责的实体相比,此功能使系统面临更多的威胁。用户使用特殊的、公开的用户名(例如,“匿名”、“来宾”或“ftp”)登录。要使用公共登录名,用户无需知道密码,也无需输入除名称以外的任何内容。在其他情况下,为了完成登录协议中的正常步骤序列,系统可能要求用户输入匹配的公开密码(例如“匿名”),或者可能要求用户输入电子邮件地址或其他任意字符串。

$ APOP See: POP3 APOP.

$ APOP见:POP3 APOP。

$ archive (I) (1.) Noun: A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (See: backup.) (2.) Verb: To store data in such a way. (See: back up.)

$ 归档(I)(1.)名词:为历史和其他目的(如支持审计服务、可用性服务或系统完整性服务)而存储相对较长时间的数据集合。动词:以这种方式存储数据。(请参阅:备份。)

(C) A digital signature may need to be verified many years after the signing occurs. The CA--the one that issued the certificate containing the public key needed to verify that signature--may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates.

(C) 数字签名可能需要在签名发生多年后进行验证。CA(颁发包含验证该签名所需公钥的证书的CA)可能不会保持那么长时间的运行。因此,每个CA都需要长期存储所需的信息,以验证向其颁发证书的人的签名。

$ ARPANET (N) Advanced Research Projects Agency Network, a pioneer packet-switched network that was built in the early 1970s under contract to the U.S. Government, led to the development of today's Internet, and was decommissioned in June 1990.

$ ARPANET(N)Advanced Research Projects Agency Network是一个先锋分组交换网络,根据与美国政府签订的合同于20世纪70年代初建成,引领了当今互联网的发展,并于1990年6月退役。

$ ASN.1 See: Abstract Syntax Notation One.

$ ASN.1参见:抽象语法符号1。

$ association (I) A cooperative relationship between system entities, usually for the purpose of transferring information between them. (See: security association.)

$ 关联(I)系统实体之间的合作关系,通常用于在它们之间传输信息。(见:安全协会。)

$ assurance (I) (1.) An attribute of an information system that provides grounds for having confidence that the system operates such that the system security policy is enforced. (2.) A procedure that ensures a system is developed and operated as intended by the system's security policy.

$ 保证(I)(1.)信息系统的一种属性,它为系统的运行提供了信心,从而使系统安全策略得以实施。(2.)确保系统按照系统安全政策的预期开发和运行的程序。

$ assurance level (I) Evaluation usage: A specific level on a hierarchical scale representing successively increased confidence that a target of evaluation adequately fulfills the requirements. (E.g., see: TCSEC.)

$ 保证级别(I)评估使用:在等级尺度上的特定级别,表示评估目标充分满足要求的信心不断增强。(例如,参见:TCSEC)

$ asymmetric cryptography (I) A modern branch of cryptography (popularly known as "public-key cryptography") in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm. (See: key pair.)

$ 非对称密码学(I)密码学的一个现代分支(通常称为“公钥密码学”),其中算法使用一对密钥(公钥和私钥),并在算法的不同步骤中使用该对密钥的不同组件。(请参阅:密钥对。)

(C) Asymmetric algorithms have key management advantages over equivalently strong symmetric ones. First, one key of the pair does not need to be known by anyone but its owner; so it can more easily be kept secret. Second, although the other key of the pair is shared by all entities that use the algorithm, that key does not need to be kept secret from other, non-using entities; so the key distribution part of key management can be done more easily.

(C) 与等价强对称算法相比,非对称算法具有密钥管理优势。首先,这对钥匙中的一把不需要任何人知道,只有它的主人知道;所以它更容易被保密。第二,尽管该对的另一个密钥由使用该算法的所有实体共享,但该密钥不需要对其他未使用的实体保密;因此,密钥管理的密钥分发部分可以更容易地完成。

(C) For encryption: In an asymmetric encryption algorithm (e.g., see: RSA), when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a public key provided by Bob. Only Bob has the matching private key that is needed to decrypt the data.

(C) 对于加密:在非对称加密算法(例如,请参阅:RSA)中,当Alice希望确保她发送给Bob的数据的机密性时,她使用Bob提供的公钥对数据进行加密。只有Bob具有解密数据所需的匹配私钥。

(C) For signature: In an asymmetric digital signature algorithm (e.g., see: DSA), when Alice wants to ensure data integrity or provide authentication for data she sends to Bob, she uses her private key to sign the data (i.e., create a digital signature based on the data). To verify the signature, Bob uses the matching public key that Alice has provided.

(C) 对于签名:在非对称数字签名算法(例如,请参阅:DSA)中,当Alice希望确保数据完整性或为她发送给Bob的数据提供身份验证时,她使用私钥对数据进行签名(即,基于数据创建数字签名)。为了验证签名,Bob使用Alice提供的匹配公钥。

(C) For key agreement: In an asymmetric key agreement algorithm (e.g., see: Diffie-Hellman), Alice and Bob each send their own public key to the other person. Then each uses their own private key and the other's public key to compute the new key value.

(C) 对于密钥协商:在非对称密钥协商算法中(例如,请参见:Diffie Hellman),Alice和Bob各自向另一个人发送自己的公钥。然后,每一方使用自己的私钥和另一方的公钥来计算新的密钥值。

$ attack (I) An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. (See: penetration, violation, vulnerability.)

$ 攻击(I)源自智能威胁的对系统安全的攻击,即蓄意企图(尤其是在方法或技术意义上)逃避安全服务并违反系统安全策略的智能行为。(请参阅:渗透、违规、漏洞。)

- Active vs. passive: An "active attack" attempts to alter system resources or affect their operation. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources. (E.g., see: wiretapping.)

- 主动与被动:“主动攻击”试图改变系统资源或影响其运行。“被动攻击”试图从系统中学习或利用信息,但不影响系统资源。(例如,参见:窃听。)

- Insider vs. outsider: An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider"), i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization. An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

- 内部人与外部人:“内部攻击”是指由安全边界内的实体(“内部人”)发起的攻击,即被授权访问系统资源但以未经授权者批准的方式使用这些资源的实体。“外部攻击”是由系统的未经授权或非法用户(“外部人员”)从外围发起的。在互联网上,潜在的外部攻击者包括业余恶作剧者、有组织犯罪分子、国际恐怖分子和敌对政府。

(C) The term "attack" relates to some other basic security terms as shown in the following diagram:

(C) 术语“攻击”涉及一些其他基本安全术语,如下图所示:

      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
        
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
        

$ attribute authority (I) A CA that issues attribute certificates.

$ 属性颁发机构(I)颁发属性证书的CA。

(O) "An authority, trusted by the verifier to delegate privilege, which issues attribute certificates." [FPDAM]

(O) “由验证器信任以授予特权的颁发机构,它颁发属性证书。”[FPDAM]

$ attribute certificate (I) A digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. [X509]

$ 属性证书(I)将一组描述性数据项(公钥除外)直接绑定到使用者名称或另一个公钥证书的标识符的数字证书。[X509]

(O) "A set of attributes of a user together with some other information, rendered unforgeable by the digital signature created using the private key of the CA which issued it." [X509]

(O) “用户的一组属性以及一些其他信息,通过使用颁发它的CA的私钥创建的数字签名而变得不可伪造。”[X509]

(O) "A data structure that includes some attribute values and identification information about the owner of the attribute certificate, all digitally signed by an Attribute Authority. This authority's signature serves as the guarantee of the binding between the attributes and their owner." [FPDAM]

(O) “一种数据结构,包括一些属性值和属性证书所有者的标识信息,所有这些信息都由属性授权机构进行数字签名。该授权机构的签名是属性与其所有者之间绑定的保证。”[FPDAM]

(C) A public-key certificate binds a subject name to a public key value, along with information needed to perform certain cryptographic functions. Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.

(C) 公钥证书将使用者名称与公钥值以及执行某些加密功能所需的信息绑定在一起。主体的其他属性,例如安全许可,可以在称为属性证书的单独类型的数字证书中进行认证。一个主题可以有多个属性证书与其名称或每个公钥证书相关联。

(C) An attribute certificate might be issued to a subject in the following situations:

(C) 在以下情况下,可以向主题颁发属性证书:

- Different lifetimes: When the lifetime of an attribute binding is shorter than that of the related public-key certificate, or when it is desirable not to need to revoke a subject's public key just to revoke an attribute.

- 不同的生存期:当属性绑定的生存期短于相关公钥证书的生存期时,或者当不需要仅仅为了撤销属性而撤销主体的公钥时。

- Different authorities: When the authority responsible for the attributes is different than the one that issues the public-key certificate for the subject. (There is no requirement that an attribute certificate be issued by the same CA that issued the associated public-key certificate.)

- 不同权限:当负责属性的权限不同于为主题颁发公钥证书的权限时。(不要求属性证书由颁发相关公钥证书的同一CA颁发。)

$ audit service (I) A security service that records information needed to establish accountability for system events and for the actions of system entities that cause them. (See: security audit.)

$ 审计服务(I)一种安全服务,记录建立系统事件责任和导致系统事件的系统实体行为责任所需的信息。(请参阅:安全审计。)

$ audit trail See: security audit trail.

$ 审计跟踪请参阅:安全审计跟踪。

$ AUTH See: POP3 AUTH.

$ 验证请参阅:POP3验证。

$ authentic signature (I) A signature (particularly a digital signature) that can be trusted because it can be verified. (See: validate vs. verify.)

$ 真实签名(I)由于可以验证而可以信任的签名(特别是数字签名)。(请参见:验证与验证。)

$ authenticate (I) Verify (i.e., establish the truth of) an identity claimed by or for a system entity. (See: authentication.)

$ 验证(I)验证(即,确定)系统实体声明的或为系统实体声明的身份。(请参阅:身份验证。)

(D) In general English usage, this term usually means "to prove genuine" (e.g., an art expert authenticates a Michelangelo painting). But the recommended definition carries a much narrower meaning. For example, to be precise, an ISD SHOULD NOT say "the host authenticates each received datagram". Instead, the ISD SHOULD say "the host authenticates the origin of each received datagram". In most cases, we also can say "and verifies the datagram's integrity", because that is usually implied. (See: ("relationship between data integrity service and authentication services" under) data integrity service.)

(D) 在一般的英语用法中,这个术语通常意味着“证明真实”(例如,艺术专家鉴定米开朗基罗的绘画)。但推荐的定义含义要狭窄得多。例如,准确地说,ISD不应该说“主机验证每个接收到的数据报”。相反,ISD应该说“主机验证每个接收到的数据报的来源”。在大多数情况下,我们也可以说“并验证数据报的完整性”,因为这通常是隐含的。(请参阅:(“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”)数据完整性服务。)

(D) ISDs SHOULD NOT talk about authenticating a digital signature or digital certificate. Instead, we "sign" and then "verify" digital signatures, and we "issue" and then "validate" digital certificates. (See: validate vs. verify.)

(D) ISDs不应谈论对数字签名或数字证书进行身份验证。相反,我们先“签名”然后“验证”数字签名,然后“颁发”然后“验证”数字证书。(请参见:验证与验证。)

$ authentication (I) The process of verifying an identity claimed by or for a system entity. (See: authenticate, authentication exchange, authentication information, credential, data origin authentication, peer entity authentication.)

$ 身份验证(I)验证系统实体声明的或为系统实体声明的身份的过程。(请参阅:身份验证、身份验证交换、身份验证信息、凭据、数据源身份验证、对等实体身份验证。)

(C) An authentication process consists of two steps:

(C) 身份验证过程包括两个步骤:

1. Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)

1. 识别步骤:向安全系统显示标识符。(应谨慎分配标识符,因为经过身份验证的标识是其他安全服务(如访问控制服务)的基础。)

2. Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier. (See: verification.)

2. 验证步骤:显示或生成验证实体和标识符之间绑定的身份验证信息。(见:核查。)

(C) See: ("relationship between data integrity service and authentication services" under) data integrity service.

(C) 请参阅:(“数据完整性服务和身份验证服务之间的关系”)数据完整性服务。

$ authentication code (D) ISDs SHOULD NOT use this term as a synonym for any form of checksum, whether cryptographic or not. The word "authentication" is misleading because the mechanism involved usually serves a data integrity function rather than an authentication function, and the word "code" is misleading because it implies that either encoding or encryption is involved or that the term refers to computer software. (See: message authentication code.)

$ 身份验证码(D)ISDs不应将此术语用作任何形式校验和的同义词,无论是否加密。“身份验证”一词具有误导性,因为所涉及的机制通常用于数据完整性功能而不是身份验证功能,“代码”一词具有误导性,因为它意味着涉及编码或加密,或者该术语指的是计算机软件。(请参阅:消息身份验证代码。)

$ authentication exchange (I) A mechanism to verify the identity of an entity by means of information exchange.

$ 身份验证交换(I)通过信息交换验证实体身份的机制。

(O) "A mechanism intended to ensure the identity of an entity by means of information exchange." [I7498 Part 2]

(O) “旨在通过信息交换确保实体身份的机制。”[I7498第2部分]

$ Authentication Header (AH) (I) An Internet IPsec protocol [R2402] designed to provide connectionless data integrity service and data origin authentication service for IP datagrams, and (optionally) to provide protection against replay attacks.

$ 认证头(AH)(I)互联网IPsec协议[R2402],旨在为IP数据报提供无连接数据完整性服务和数据源认证服务,以及(可选)提供防止重播攻击的保护。

(C) Replay protection may be selected by the receiver when a security association is established. AH authenticates upper-layer protocol data units and as much of the IP header as possible. However, some IP header fields may change in transit, and the value of these fields, when the packet arrives at the receiver, may not be predictable by the sender. Thus, the values of such fields cannot be protected end-to-end by AH; protection of the IP header by AH is only partial when such fields are present.

(C) 当建立安全关联时,接收器可以选择重播保护。AH对上层协议数据单元和尽可能多的IP报头进行身份验证。然而,一些IP报头字段可能在传输过程中发生变化,并且当数据包到达接收方时,发送方可能无法预测这些字段的值。因此,AH不能端到端地保护这些字段的值;仅当存在此类字段时,AH对IP报头的保护才是部分的。

(C) AH may be used alone, or in combination with the IPsec ESP protocol, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. ESP can provide the same security services as AH, and ESP can also provide data confidentiality service. The main difference between authentication services provided by ESP and AH is the extent of the coverage; ESP does not protect IP header fields unless they are encapsulated by AH.

(C) AH可以单独使用,也可以与IPsec ESP协议结合使用,或者以嵌套方式与隧道结合使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP可以提供与AH相同的安全服务,ESP还可以提供数据保密服务。ESP和AH提供的认证服务的主要区别在于覆盖范围;ESP不保护IP头字段,除非它们由AH封装。

$ authentication information (I) Information used to verify an identity claimed by or for an entity. (See: authentication, credential.)

$ 身份验证信息(I)用于验证实体声明的身份或为实体声明的身份的信息。(请参阅:身份验证、凭据。)

(C) Authentication information may exist as, or be derived from, one of the following:

(C) 身份验证信息可以作为以下信息之一存在,也可以源于以下信息之一:

- Something the entity knows. (See: password). - Something the entity possesses. (See: token.) - Something the entity is. (See: biometric authentication.)

- 实体知道的东西。(请参阅:密码)。-实体拥有的东西。(请参阅:token。)-实体是什么。(请参阅:生物特征认证。)

$ authentication service (I) A security service that verifies an identity claimed by or for an entity. (See: authentication.)

$ 身份验证服务(I)验证实体声明的身份或为实体声明的身份的安全服务。(请参阅:身份验证。)

(C) In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service.

(C) 在网络中,有两种常见的身份验证服务形式:数据源身份验证服务和对等实体身份验证服务。

$ authenticity (I) The property of being genuine and able to be verified and be trusted. (See: authenticate, authentication, validate vs. verify)

$ 真实性(I)真实、可验证和可信任的属性。(请参阅:身份验证、身份验证、验证与验证)

$ authority (D) "An entity, responsible for the issuance of certificates." [FPDAM]

$ 管理局(D)“负责签发证书的实体。”[FPDAM]

(C) ISDs SHOULD NOT use this term as a synonym for AA, CA, RA, ORA, or similar terms, because it may cause confusion. Instead, use the full term at the first instance of usage and then, if it is necessary to shorten text, use the style of abbreviation defined in this Glossary.

(C) ISDs不应将此术语用作AA、CA、RA、ORA或类似术语的同义词,因为它可能会引起混淆。相反,在第一次使用时使用完整术语,然后,如果需要缩短文本,则使用本词汇表中定义的缩写形式。

(C) ISDs SHOULD NOT use this definition for any PKI entity, because the definition is ambiguous with regard to whether the entity actually issues certificates (e.g., attribute authority or certification authority) or just has accountability for processes that precede or follow signing (e.g., registration authority). (See: issue.)

(C) ISDs不应将此定义用于任何PKI实体,因为该定义在实体是否实际颁发证书(如属性颁发机构或证书颁发机构)或仅对签名之前或之后的流程负责(如注册机构)方面不明确。(见:问题)

$ authority certificate (D) "A certificate issued to an authority (e.g. either to a certification authority or to an attribute authority)." [FPDAM] (See: authority.)

$ 颁发机构证书(D)“颁发给颁发机构的证书(例如,颁发给证书颁发机构或属性颁发机构)。”[FPDAM](参见:颁发机构。)

(C) ISDs SHOULD NOT use this term or definition because they are ambiguous with regard to which specific types of PKI entities they address.

(C) ISD不应使用这一术语或定义,因为它们对于所针对的特定类型的PKI实体不明确。

$ authority revocation list (ARL) (I) A data structure that enumerates digital certificates that were issued to CAs but have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, X.509 authority revocation list.)

$ 授权撤销列表(ARL)(I)一种数据结构,列举已颁发给CA但在其计划到期之前已由其颁发者失效的数字证书。(请参阅:证书到期,X.509权限撤销列表。)

(O) "A revocation list containing a list of public-key certificates issued to authorities, which are no longer considered valid by the certificate issuer." [FPDAM]

(O) “一个撤销列表,包含颁发给当局的公钥证书列表,证书颁发者不再认为这些证书有效。”[FPDAM]

$ authorization $ authorize (I) (1.) An "authorization" is a right or a permission that is granted to a system entity to access a system resource. (2.) An "authorization process" is a procedure for granting such rights. (3.) To "authorize" means to grant such a right or permission. (See: privilege.)

$ 授权$authorize(I)(1.“授权”是授予系统实体访问系统资源的权利或权限。(2.“授权程序”是授予此类权利的程序。(3.“授权”指授予此类权利或许可。(请参阅:特权。)

(O) SET usage: "The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed--provided, of course, that the merchant followed the rules associated with the authorization process.)" [SET2]

(O) 设置用法:“一个或多个适当任命的人员授权代表组织执行某些操作的过程。此过程评估交易风险,确认给定交易不会使账户持有人的债务超过账户的信用限额,并保留指定的信用额度。(当商户获得授权时,保证支付授权金额——当然,前提是商户遵守与授权流程相关的规则。)“[SET2]

$ automated information system (I) An organized assembly of resources and procedures--i.e., computing and communications equipment and services, with their supporting facilities and personnel--that collect, record, process, store, transport, retrieve, or display information to accomplish a specified set of functions.

$ 自动化信息系统(I)资源和程序的有组织的集合,即计算和通信设备和服务及其支持设施和人员,用于收集、记录、处理、存储、运输、检索或显示信息,以完成一组指定的功能。

$ availability (I) The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. (See: critical, denial of service, reliability, survivability.)

$ 可用性(I)根据系统性能规范,授权系统实体可根据要求访问和使用的系统或系统资源的属性;i、 例如,如果系统在用户请求时根据系统设计提供服务,则系统可用。(请参阅:关键、拒绝服务、可靠性、生存能力。)

(O) "The property of being accessible and usable upon demand by an authorized entity." [I7498 Part 2]

(O) “经授权实体要求可访问和使用的财产。”[I7498第2部分]

$ availability service (I) A security service that protects a system to ensure its availability.

$ 可用性服务(I)保护系统以确保其可用性的安全服务。

(C) This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources, and thus depends on access control service and other security services.

(C) 此服务解决拒绝服务攻击引起的安全问题。它依赖于对系统资源的适当管理和控制,因此依赖于访问控制服务和其他安全服务。

$ back door (I) A hardware or software mechanism that (a) provides access to a system and its resources by other than the usual procedure, (b) was deliberately left in place by the system's designers or maintainers, and (c) usually is not publicly known. (See: trap door.)

$ 后门(I)一种硬件或软件机制,其(A)通过非常规程序提供对系统及其资源的访问,(b)由系统的设计者或维护者故意留在原地,以及(c)通常不为公众所知。(请参阅:活板门。)

(C) For example, a way to access a computer other than through a normal login. Such access paths do not necessarily have malicious intent; e.g., operating systems sometimes are shipped by the manufacturer with privileged accounts intended for use by field service technicians or the vendor's maintenance programmers. (See: trap door.)

(C) 例如,通过正常登录以外的方式访问计算机。此类访问路径不一定具有恶意意图;e、 例如,操作系统有时由制造商以特权帐户发货,以供现场服务技术人员或供应商的维护程序员使用。(请参阅:活板门。)

$ back up vs. backup (I) Verb "back up": To store data for the purpose of creating a backup copy. (See: archive.)

$ 备份与备份(I)动词“备份”:为创建备份副本而存储数据。(请参阅:存档。)

(I) Noun/adjective "backup": (1.) A reserve copy of data that is stored separately from the original, for use if the original becomes lost or damaged. (See: archive.) (2.) Alternate means to permit performance of system functions despite a disaster to system resources. (See: contingency plan.)

(一) 名词/形容词“备份”:(1.)与原件分开存储的数据保留副本,用于原件丢失或损坏时使用。(请参阅:存档。)(2.)允许在系统资源发生灾难时执行系统功能的替代方法。(见:应急计划。)

$ baggage (D) ISDs SHOULD NOT use this term to describe a data element except when stated as "SET(trademark) baggage" with the following meaning:

$ 行李(D)ISDs不应使用此术语来描述数据元素,除非声明为具有以下含义的“成套(商标)行李”:

(O) SET usage: An "opaque encrypted tuple, which is included in a SET message but appended as external data to the PKCS encapsulated data. This avoids superencryption of the previously encrypted tuple, but guarantees linkage with the PKCS portion of the message." [SET2]

(O) SET用法:“一个不透明的加密元组,包含在SET消息中,但作为外部数据附加到PKCS封装的数据中。这避免了对先前加密的元组进行超级加密,但保证与消息的PKCS部分链接。”[SET2]

$ bandwidth (I) Commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time. Usually expressed in bits per second.

$ 带宽(I)通常用于表示通信信道在给定时间内通过信道传输数据的容量。通常以每秒比特数表示。

$ bank identification number (BIN) (N) The digits of a credit card number that identify the issuing bank. (See: primary account number.)

$ 银行识别号(BIN)(N)信用卡号的数字,用于识别发卡行。(请参阅:主帐号。)

(O) SET usage: The first six digits of a primary account number.

(O) 设置用途:主帐号的前六位数字。

$ Basic Encoding Rules (BER) (I) A standard for representing ASN.1 data types as strings of octets. [X690] (See: Distinguished Encoding Rules.)

$ 基本编码规则(BER)(I)将ASN.1数据类型表示为八位字节字符串的标准。[X690](请参阅:区分编码规则。)

$ bastion host (I) A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.

$ 堡垒主机(I)在受防火墙保护的网络中(或是防火墙的一部分),是网络中唯一可以从防火墙另一端的网络直接访问的主机(或少数主机中的一个)。

(C) Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

(C) 防火墙中的过滤路由器通常将来自外部网络的流量限制为仅到达一台主机,即堡垒主机,该主机通常是防火墙的一部分。由于只有这一台主机可以被直接攻击,因此只有这一台主机需要得到非常有力的保护,因此可以更轻松、更便宜地维护安全性。然而,为了允许合法的内部和外部用户通过防火墙访问应用程序资源,更高层的协议和服务需要由堡垒主机中继和转发。某些服务(如DNS和SMTP)内置了转发功能;其他服务(如TELNET和FTP)需要在bastion主机上安装代理服务器。

$ BCA See: brand certification authority.

$ BCA见:品牌认证机构。

$ BCI See: brand CRL identifier.

$ BCI见:品牌CRL标识符。

$ Bell-LaPadula Model (N) A formal, mathematical, state-transition model of security policy for multilevel-secure computer systems. [Bell]

$ Bell-LaPadula模型(N):多级安全计算机系统安全策略的形式化、数学、状态转移模型。[钟]

(C) The model separates computer system elements into a set of subjects and a set of objects. To determine whether or not a subject is authorized for a particular access mode on an object, the clearance of the subject is compared to the classification of the object. The model defines the notion of a "secure state", in which the only permitted access modes of subjects to objects are in accordance with a specified security policy. It is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system is secure.

(C) 该模型将计算机系统元素分为一组主题和一组对象。为了确定主体是否被授权使用对象上的特定访问模式,将主体的清除与对象的分类进行比较。该模型定义了“安全状态”的概念,其中主体对对象的唯一允许访问模式符合指定的安全策略。证明了每个状态转换都通过从一个安全状态转移到另一个安全状态来保持安全性,从而证明了系统是安全的。

(C) In this model, a multilevel-secure system satisfies several rules, including the following:

(C) 在此模型中,多级安全系统满足多个规则,包括以下规则:

- "Confinement property" (also called "*-property", pronounced "star property"): A subject has write access to an object only if classification of the object dominates the clearance of the subject.

- “限制属性”(也称为“*-属性”,发音为“星形属性”):仅当对象的分类支配对象的清除时,对象才具有对对象的写访问权限。

- "Simple security property": A subject has read access to an object only if the clearance of the subject dominates the classification of the object.

- “简单安全属性”:仅当主体的清除主导了对象的分类时,主体才具有对对象的读取权限。

- "Tranquillity property": The classification of an object does not change while the object is being processed by the system.

- “宁静属性”:当系统处理对象时,对象的分类不会改变。

$ BER See: Basic Encoding Rules.

$ 请参阅:基本编码规则。

$ beyond A1 (O) (1.) Formally, a level of security assurance that is beyond the highest level of criteria specified by the TCSEC. (2.) Informally, a level of trust so high that it cannot be provided or verified by currently available assurance methods, and particularly not by currently available formal methods.

$ A1(O)(1.)之外的安全保证级别,正式指超出TCSEC规定的最高标准级别的安全保证级别。(2.)非正式地说,是指一种高度信任,以至于当前可用的保证方法无法提供或验证,尤其是当前可用的正式方法无法提供或验证。

$ BIN See: bank identification number.

$ 银行标识代码见:银行标识号。

$ bind (I) To inseparably associate by applying some mechanism, such as when a CA uses a digital signature to bind together a subject and a public key in a public-key certificate.

$ 绑定(I)通过应用某种机制不可分离地关联,例如CA使用数字签名将公钥证书中的主体和公钥绑定在一起。

$ biometric authentication (I) A method of generating authentication information for a person by digitizing measurements of a physical characteristic, such as a fingerprint, a hand shape, a retina pattern, a speech pattern (voiceprint), or handwriting.

$ 生物特征认证(I)通过对物理特征(如指纹、手形、视网膜模式、语音模式(声纹)或笔迹)的测量进行数字化,为个人生成认证信息的方法。

$ bit (I) The smallest unit of information storage; a contraction of the term "binary digit"; one of two symbols--"0" (zero) and "1" (one) --that are used to represent binary numbers.

$ 位(I)信息存储的最小单位;术语“二进制数字”的缩写;表示二进制数的两个符号之一--“0”(零)和“1”(一)。

$ BLACK (I) Designation for information system equipment or facilities that handle (and for data that contains) only ciphertext (or, depending on the context, only unclassified information), and for such data itself. This term derives from U.S. Government COMSEC terminology. (See: RED, RED/BLACK separation.)

$ 黑色(I)仅处理(和包含)密文的信息系统设备或设施(或,根据上下文,仅包含非保密信息的数据),以及此类数据本身的名称。该术语源自美国政府通信安全术语。(请参见:红色、红色/黑色分隔。)

$ block cipher (I) An encryption algorithm that breaks plaintext into fixed-size segments and uses the same key to transform each plaintext segment into a fixed-size segment of ciphertext. (See: mode, stream cipher.)

$ 分组密码(I)一种加密算法,它将明文分成固定大小的段,并使用相同的密钥将每个明文段转换成固定大小的密文段。(请参阅:模式,流密码。)

(C) For example, Blowfish, DEA, IDEA, RC2, and SKIPJACK. However, a block cipher can be adapted to have a different external interface, such as that of a stream cipher, by using a mode of operation to "package" the basic algorithm.

(C) 例如,河豚、DEA、IDEA、RC2和SKIPJACK。然而,通过使用操作模式“打包”基本算法,分组密码可以被调整为具有不同的外部接口,例如流密码的外部接口。

$ Blowfish (N) A symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA. [Schn]

$ Blowfish(N):一种具有可变长度密钥(32至448位)的对称分组密码,由Bruce Schneier于1993年设计,作为DES或IDEA的无专利、无许可证、免版税的替代品。[施恩]

$ brand (I) A distinctive mark or name that identifies a product or business entity.

$ 品牌(I)标识产品或企业实体的独特标志或名称。

(O) SET usage: The name of a payment card. Financial institutions and other companies have founded payment card brands, protect and advertise the brands, establish and enforce rules for use and acceptance of their payment cards, and provide networks to interconnect the financial institutions. These brands combine the roles of issuer and acquirer in interactions with cardholders and merchants. [SET1]

(O) 设置用途:支付卡的名称。金融机构和其他公司已经建立了支付卡品牌,保护和宣传这些品牌,制定和执行使用和接受其支付卡的规则,并提供连接金融机构的网络。这些品牌结合了发卡机构和收单机构在与持卡人和商户互动中的角色。[SET1]

$ brand certification authority (BCA) (O) SET usage: A CA owned by a payment card brand, such as MasterCard, Visa, or American Express. [SET2] (See: certification hierarchy, SET.)

$ 品牌认证机构(BCA)(O)设置用途:支付卡品牌(如万事达卡、Visa卡或美国运通卡)拥有的CA。[SET2](请参阅:证书层次结构,集合。)

$ brand CRL identifier (BCI) (O) SET usage: A digitally signed list, issued by a BCA, of the names of CAs for which CRLs need to be processed when verifying signatures in SET messages. [SET2]

$ 品牌CRL标识符(BCI)(O)集合用法:由BCA发布的数字签名列表,在验证集合消息中的签名时,需要为其处理CRL的CA名称。[SET2]

$ break (I) Cryptographic usage: To successfully perform cryptanalysis and thus succeed in decrypting data or performing some other cryptographic function, without initially having knowledge of the key that the function requires. (This term applies to encrypted data or, more generally, to a cryptographic algorithm or cryptographic system.)

$ 破译(I)密码用法:成功执行密码分析,从而成功解密数据或执行某些其他密码功能,而最初不知道该功能所需的密钥。(该术语适用于加密数据,或更一般地适用于加密算法或加密系统。)

$ bridge (I) A computer that is a gateway between two networks (usually two LANs) at OSI layer 2. (See: router.)

$ 网桥(I)在OSI第2层的两个网络(通常是两个LAN)之间作为网关的计算机。(请参阅:路由器。)

$ British Standard 7799 (N) Part 1 is a standard code of practice and provides guidance on how to secure an information system. Part 2 specifies the management framework, objectives, and control requirements for information security management systems [B7799]. The certification scheme works like ISO 9000. It is in use in the UK, the Netherlands, Australia, and New Zealand and might be proposed as an ISO standard or adapted to be part of the Common Criteria.

$ 英国标准7799(N)第1部分是标准实践规范,提供了如何保护信息系统的指南。第2部分规定了信息安全管理系统的管理框架、目标和控制要求[B7799]。该认证体系的工作原理类似于ISO 9000。它在英国、荷兰、澳大利亚和新西兰都在使用,可能被提议作为ISO标准,或者被修改为通用标准的一部分。

$ browser (I) An client computer program that can retrieve and display information from servers on the World Wide Web.

$ 浏览器(I)一种客户端计算机程序,可从万维网上的服务器检索和显示信息。

(C) For example, Netscape's Navigator and Communicator, and Microsoft's Explorer.

(C) 例如,Netscape的Navigator和Communicator,以及Microsoft的Explorer。

$ brute force (I) A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.

$ 暴力(I)一种密码分析技术或其他类型的攻击方法,涉及一个详尽的过程,一个接一个地尝试所有可能性。

(C) For example, for ciphertext where the analyst already knows the decryption algorithm, a brute force technique to finding the original plaintext is to decrypt the message with every possible key.

(C) 例如,对于分析员已经知道解密算法的密文,查找原始明文的蛮力技术是使用每个可能的密钥解密消息。

$ BS7799 See: British Standard 7799.

$ BS7799见:英国标准7799。

$ byte (I) A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and, today, usually means eight bits. (See: octet.)

$ 字节(I)计算机存储的基本单位;计算机体系结构中最小的可寻址单元。通常包含一个字符的信息,今天通常表示八位。(见:八位组)

(C) Larger than a "bit", but smaller than a "word". Although "byte" almost always means "octet" today, bytes had other sizes (e.g., six bits, nine bits) in earlier computer architectures.

(C) 比“位”大,但比“字”小。尽管今天“字节”几乎总是指“八位字节”,但在早期的计算机体系结构中,字节有其他大小(例如,六位、九位)。

$ CA See: certification authority.

$ CA见:证书颁发机构。

$ CA certificate (I) "A [digital] certificate for one CA issued by another CA." [X509]

$ CA证书(I)“一个CA由另一个CA颁发的[数字]证书”[X509]

(C) That is, a digital certificate whose holder is able to issue digital certificates. A v3 X.509 public-key certificate may have a "basicConstraints" extension containing a "cA" value that specifically "indicates whether or not the public key may be used to verify certificate signatures."

(C) 即,其持有人能够颁发数字证书的数字证书。v3 X.509公钥证书可能有一个“basicConstraints”扩展名,其中包含一个“cA”值,该值专门“指示公钥是否可用于验证证书签名”

$ call back (I) An authentication technique for terminals that remotely access a computer via telephone lines. The host system disconnects the caller and then calls back on a telephone number that was previously authorized for that terminal.

$ 回拨(I)通过电话线远程访问计算机的终端的身份验证技术。主机系统断开呼叫者的连接,然后使用先前为该终端授权的电话号码回拨。

$ capability (I) A token, usually an unforgeable data value (sometimes called a "ticket") that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource named or indicated by the token. (See: access control list, credential, digital certificate.)

$ 能力(I)一种令牌,通常是一种不可伪造的数据值(有时称为“票据”),它赋予承载者或持有者访问系统资源的权利。系统接受对令牌的拥有,作为持有人已被授权访问令牌命名或指示的资源的证明。(请参阅:访问控制列表、凭证、数字证书。)

(C) This concept can be implemented as a digital certificate. (See: attribute certificate.)

(C) 这个概念可以实现为数字证书。(请参阅:属性证书。)

$ CAPI See: cryptographic application programming interface.

$ CAPI See:加密应用程序编程接口。

$ CAPSTONE chip (N) An integrated circuit (the Mykotronx, Inc. MYK-82) with a Type II cryptographic processor that implements SKIPJACK, KEA, DSA, SHA, and basic mathematical functions to support asymmetric cryptography, and includes the key escrow feature of the CLIPPER chip. (See: FORTEZZA card.)

$ CAPSTONE芯片(N):一种集成电路(Mykotronx,Inc.MYK-82),带有II型密码处理器,实现SKIPJACK、KEA、DSA、SHA和基本数学函数,以支持非对称密码,并包括CLIPPER芯片的密钥托管功能。(请参阅:FORTEZZA卡。)

$ card See: cryptographic card, FORTEZZA card, payment card, PC card, smart card, token.

$ 卡见:加密卡、FORTEZZA卡、支付卡、PC卡、智能卡、代币。

$ card backup See: token backup.

$ 卡备份请参阅:令牌备份。

$ card copy See: token copy.

$ 卡副本见:令牌副本。

$ card restore See: token restore.

$ 卡还原请参阅:令牌还原。

$ cardholder (I) An entity that has been issued a card.

$ 持卡人(I)已获发信用卡的实体。

(O) SET usage: "The holder of a valid payment card account and user of software supporting electronic commerce." [SET2] A cardholder is issued a payment card by an issuer. SET ensures that in the cardholder's interactions with merchants, the payment card account information remains confidential. [SET1]

(O) SET用法:“有效支付卡帐户的持有人和支持电子商务的软件的用户。”[SET2]发卡机构向持卡人发放支付卡。SET确保在持卡人与商户的互动中,支付卡账户信息保持机密。[SET1]

$ cardholder certificate (O) SET usage: A digital certificate that is issued to a cardholder upon approval of the cardholder's issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]

$ 持卡人证书(O)设置用途:经持卡人的发卡金融机构批准后向持卡人颁发的数字证书,并通过购买请求和加密支付指令传输给商户,保证账号已由发行金融机构验证,且第三方不得更改。[SET1]

$ cardholder certification authority (CCA) (O) SET usage: A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

$ 持卡人认证机构(CCA)(O)设置用途:负责向持卡人颁发数字证书的CA,并根据品牌规则代表支付卡品牌、发卡机构或另一方运营。CCA与发卡机构保持关系,以便对持卡人账户进行验证。CCA不发行CRL,但发行根CA、品牌CA、地缘政治CA和支付网关CA发行的CRL。[SET2]

$ CAST (N) A design procedure for symmetric encryption algorithms, and a resulting family of algorithms, invented by C.A. (Carlisle Adams) and S.T. (Stafford Tavares). [R2144, R2612]

$ CAST(N)由C.A.(Carlisle Adams)和S.T.(Stafford Tavares)发明的对称加密算法的设计过程,以及由此产生的算法系列。[R2144,R2612]

$ category (I) A grouping of sensitive information items to which a non-hierarchical restrictive security label is applied to increase protection of the data. (See: compartment.)

$ 类别(I)敏感信息项的分组,其中应用了非分层限制性安全标签,以加强对数据的保护。(见:隔间。)

$ CAW See: certification authority workstation.

$ CAW请参阅:证书颁发机构工作站。

$ CBC See: cipher block chaining.

$ CBC请参阅:密码块链接。

$ CCA See: cardholder certification authority.

$ CCA见:持卡人认证机构。

$ CCITT (N) Acronym for French translation of International Telephone and Telegraph Consultative Committee. Now renamed ITU-T.

$ CCITT(N)国际电话电报咨询委员会法语翻译的首字母缩写。现更名为ITU-T。

$ CERT See: computer emergency response team.

$ 证书见:计算机应急响应小组。

$ certificate (I) General English usage: A document that attests to the truth of something or the ownership of something.

$ 证书(一)一般英语用法:证明某物真实性或所有权的文件。

(C) Security usage: See: capability, digital certificate.

(C) 安全用途:请参阅:功能、数字证书。

(C) PKI usage: See: attribute certificate, public-key certificate.

(C) PKI用法:请参阅:属性证书、公钥证书。

$ certificate authority (D) ISDs SHOULD NOT use this term because it looks like sloppy use of "certification authority", which is the term standardized by X.509.

$ 证书颁发机构(D)ISDs不应使用此术语,因为它看起来像是对“证书颁发机构”的草率使用,这是X.509标准化的术语。

$ certificate chain (D) ISDs SHOULD NOT use this term because it duplicates the meaning of a standardized term. Instead, use "certification path".

$ 证书链(D)ISDs不应使用此术语,因为它重复了标准术语的含义。相反,请使用“认证路径”。

$ certificate chain validation (D) ISDs SHOULD NOT use this term because it duplicates the meaning of standardized terms and mixes concepts in a potentially misleading way. Instead, use "certificate validation" or "path validation", depending on what is meant. (See: validate vs. verify.)

$ 证书链验证(D)ISDs不应使用此术语,因为它重复了标准化术语的含义,并以潜在误导的方式混合了概念。相反,使用“证书验证”或“路径验证”,具体取决于其含义。(请参见:验证与验证。)

$ certificate creation (I) The act or process by which a CA sets the values of a digital certificate's data fields and signs it. (See: issue.)

$ 证书创建(I)CA设置数字证书数据字段的值并对其签名的行为或过程。(见:问题)

$ certificate expiration (I) The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, validity period.)

$ 证书过期(I)证书因其分配的生存期已超过而停止有效时发生的事件。(请参阅:证书撤销,有效期。)

$ certificate extension See: extension.

$ 证书扩展请参阅:扩展。

$ certificate holder (D) ISDs SHOULD NOT use this term as a synonym for the subject of a digital certificate because the term is potentially ambiguous. For example, the term could also refer to a system entity, such as a repository, that simply has possession of a copy of the certificate. (See: certificate owner.)

$ 证书持有人(D)ISD不应将该术语用作数字证书主题的同义词,因为该术语可能不明确。例如,该术语还可以指仅拥有证书副本的系统实体,如存储库。(请参阅:证书所有者。)

$ certificate management (I) The functions that a CA may perform during the life cycle of a digital certificate, including the following:

$ 证书管理(I)CA在数字证书的生命周期内可能执行的功能,包括:

- Acquire and verify data items to bind into the certificate. - Encode and sign the certificate. - Store the certificate in a directory or repository. - Renew, rekey, and update the certificate. - Revoke the certificate and issue a CRL.

- 获取并验证要绑定到证书中的数据项。-对证书进行编码和签名。-将证书存储在目录或存储库中。-续订、重新设置密钥并更新证书。-吊销证书并颁发CRL。

(See: archive management, certificate management, key management, security architecture, token management.)

(请参阅:归档管理、证书管理、密钥管理、安全体系结构、令牌管理。)

$ certificate owner (D) ISDs SHOULD NOT use this term as a synonym for the subject of a digital certificate because the term is potentially ambiguous. For example, the term could also refer to a system entity, such as a corporation, that has acquired a certificate to operate some other entity, such as a Web server. (See: certificate holder.)

$ 证书所有者(D)ISDs不应将该术语用作数字证书主题的同义词,因为该术语可能不明确。例如,该术语还可以指已获得证书以操作其他实体(如Web服务器)的系统实体(如公司)。(见:证书持有人。)

$ certificate policy (I) "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (See: certification practice statement.)

$ 证书策略(I)“一组命名规则,指示证书对具有通用安全要求的特定社区和/或应用程序类别的适用性。”[X509](请参阅:认证实践声明。)

(C) A certificate policy can help a certificate user decide whether a certificate should be trusted in a particular application. "For example, a particular certificate policy might indicate applicability of a type of certificate for the authentication of electronic data interchange transactions for the trading goods within a given price range." [R2527]

(C) 证书策略可以帮助证书用户决定在特定应用程序中是否应信任证书。“例如,特定的证书政策可能表明某种类型的证书适用于在给定价格范围内对交易商品的电子数据交换交易进行认证。”[R2527]

(C) A v3 X.509 public-key certificate may have a "certificatePolicies" extension that lists certificate policies, recognized by the issuing CA, that apply to the certificate and govern its use. Each policy is denoted by an object identifier and may optionally have certificate policy qualifiers.

(C) v3 X.509公钥证书可能具有“CertificatePolicys”扩展,该扩展列出了由颁发CA识别的证书策略,这些策略应用于证书并管理其使用。每个策略由对象标识符表示,并且可以选择具有证书策略限定符。

(C) SET usage: Every SET certificate specifies at least one certificate policy, that of the SET root CA. SET uses certificate policy qualifiers to point to the actual policy statement and to add qualifying policies to the root policy. (See: SET qualifier.)

(C) 集合用法:每个集合证书指定至少一个证书策略,即集合根CA的证书策略。集合使用证书策略限定符指向实际的策略语句,并将限定策略添加到根策略。(请参见:设置限定符。)

$ certificate policy qualifier (I) Information that pertains to a certificate policy and is included in a "certificatePolicies" extension in a v3 X.509 public-key certificate.

$ 证书策略限定符(I)与证书策略相关的信息,包含在v3 X.509公钥证书的“CertificatePolicys”扩展中。

$ certificate reactivation (I) The act or process by which a digital certificate, which a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.

$ 证书重新激活(I)CA已指定撤销但尚未在CRL上列出的数字证书返回到有效状态的行为或过程。

$ certificate rekey (I) The act or process by which an existing public-key certificate has its public key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)

$ 证书重设密钥(I)通过使用不同的(通常是新的)公钥颁发新证书来更改现有公钥证书的公钥值的行为或过程。(请参阅:证书续订、证书更新、重新密钥。)

(C) For an X.509 public-key certificate, the essence of rekey is that the subject stays the same and a new public key is bound to that subject. Other changes are made, and the old certificate is revoked, only as required by the PKI and CPS in support of the rekey. If changes go beyond that, the process is a "certificate update".

(C) 对于X.509公钥证书,重新密钥的本质是主体保持不变,并且新的公钥绑定到该主体。仅当PKI和CPS要求支持重新密钥时,才进行其他更改,并撤销旧证书。如果更改超出此范围,则该过程为“证书更新”。

(O) MISSI usage: To rekey a MISSI X.509 public-key certificate means that the issuing authority creates a new certificate that is identical to the old one, except the new one has a new, different KEA key; or a new, different DSS key; or new, different KEA and DSS keys. The new certificate also has a different serial number and may have a different validity period. A new key creation date and maximum key lifetime period are assigned to each newly generated key. If a new KEA key is generated, that key is assigned a new KMID. The old certificate remains valid until it expires, but may not be further renewed, rekeyed, or updated.

(O) MISSI用法:为MISSI X.509公钥证书重新设置密钥意味着颁发机构创建一个与旧证书相同的新证书,但新证书具有新的、不同的KEA密钥;或一个新的、不同的DSS密钥;或新的、不同的KEA和DSS密钥。新证书还具有不同的序列号,并且可能具有不同的有效期。为每个新生成的密钥分配一个新密钥创建日期和最大密钥生存期。如果生成了新的KEA密钥,则会为该密钥分配一个新的KMID。旧证书在到期前保持有效,但不能进一步续订、重新键入或更新。

$ certificate renewal (I) The act or process by which the validity of the data binding asserted by an existing public-key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)

$ 证书更新(I)通过颁发新证书来延长现有公钥证书所断言的数据绑定有效性的行为或过程。(请参阅:证书密钥更新、证书更新。)

(C) For an X.509 public-key certificate, this term means that the validity period is extended (and, of course, a new serial number is assigned) but the binding of the public key to the subject and

(C) 对于X.509公钥证书,该术语意味着有效期延长(当然,还分配了一个新的序列号),但公钥与主体的绑定和

to other data items stays the same. The other data items are changed, and the old certificate is revoked, only as required by the PKI and CPS to support the renewal. If changes go beyond that, the process is a "certificate rekey" or "certificate update".

到其他数据项保持不变。仅当PKI和CPS要求支持续订时,才会更改其他数据项,并吊销旧证书。如果更改超出此范围,则流程为“证书重新密钥”或“证书更新”。

$ certificate request (D) ISDs SHOULD NOT use this term because it looks like imprecise use of a term standardized by PKCS #10 and used in PKIX. Instead, use the standard term, "certification request".

$ 证书请求(D)ISDs不应使用此术语,因为它似乎不准确地使用了PKCS#10标准化的术语,并在PKIX中使用。相反,使用标准术语“认证请求”。

$ certificate revocation (I) The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with a revocation date.

$ 证书撤销(I)CA声明该CA颁发的以前有效的数字证书已失效时发生的事件;通常注明撤销日期。

(C) In X.509, a revocation is announced to potential certificate users by issuing a CRL that mentions the certificate. Revocation and listing on a CRL is only necessary before certificate expiration.

(C) 在X.509中,通过发布提及证书的CRL向潜在证书用户宣布撤销。只有在证书到期之前,才需要撤销并在CRL上列出。

$ certificate revocation list (CRL) (I) A data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, X.509 certificate revocation list.)

$ 证书撤销列表(CRL)(I)一种数据结构,列举在其预定到期之前已由发行人失效的数字证书。(请参阅:证书到期,X.509证书吊销列表。)

(O) "A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate's expiry. CRLs may be used to identify revoked public-key certificates or attribute certificates and may represent revocation of certificates issued to authorities or to users. The term CRL is also commonly used as a generic term applying to all the different types of revocation lists, including CRLs, ARLs, ACRLs, etc." [FPDAM]

(O)“一个签名列表,指示证书颁发者不再认为有效的一组证书。证书出现在CRL上后,将在证书到期后从后续CRL中删除该证书。CRL可用于标识已撤销的公钥证书或属性证书,并可表示对颁发给机构或用户的证书的撤销。术语CRL也常用作通用术语,适用于所有不同类型的撤销列表,包括CRL、ARL、ACRL等。”[FPDAM]

$ certificate revocation tree (I) A mechanism for distributing notice of certificate revocations; uses a tree of hash results that is signed by the tree's issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)

$ 证书撤销树(I)分发证书撤销通知的机制;使用由树的颁发者签名的哈希结果树。提供了发布CRL的替代方案,但在X.509中不受支持。(请参阅:证书状态响应程序。)

$ certificate serial number (I) An integer value that (a) is associated with, and may be carried in, a digital certificate; (b) is assigned to the certificate by the certificate's issuer; and (c) is unique among all the certificates produced by that issuer.

$ 证书序列号(I)(a)与数字证书关联并可携带在数字证书中的整数值;(b) 由证书的颁发者分配给证书;和(c)在该发行人生产的所有证书中是唯一的。

(O) "An integer value, unique within the issuing CA, which is unambiguously associated with a certificate issued by that CA." [X509]

(O) “一个整数值,在颁发CA中是唯一的,与该CA颁发的证书明确关联。”[X509]

$ certificate status responder (N) FPKI usage: A trusted on-line server that acts for a CA to provide authenticated certificate status information to certificate users. [FPKI] Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate revocation tree.)

$ 证书状态响应程序(N)FPKI用法:一个受信任的在线服务器,它代表CA向证书用户提供经过身份验证的证书状态信息。[FPKI]提供了发布CRL的替代方案,但在X.509中不受支持。(请参阅:证书吊销树。)

$ certificate update (I) The act or process by which non-key data items bound in an existing public-key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate. (See: certificate rekey, certificate renewal.)

$ 证书更新(I)通过颁发新证书来更改现有公钥证书中绑定的非密钥数据项(尤其是授予主体的授权)的行为或过程。(请参阅:证书重新注册、证书续订。)

(C) For an X.509 public-key certificate, the essence of this process is that fundamental changes are made in the data that is bound to the public key, such that it is necessary to revoke the old certificate. (Otherwise, the process is only a "certificate rekey" or "certificate renewal".)

(C) 对于X.509公钥证书,此过程的实质是对绑定到公钥的数据进行根本性更改,因此有必要撤销旧证书。(否则,该过程仅为“证书重新密钥”或“证书续订”。)

$ certificate user (I) A system entity that depends on the validity of information (such as another entity's public key value) provided by a digital certificate. (See: relying party.)

$ 证书用户(I)依赖于数字证书提供的信息(如另一实体的公钥值)的有效性的系统实体。(见:依赖方)

(O) "An entity that needs to know, with certainty, the public key of another entity." [X509]

(O) “需要确切了解另一实体公钥的实体。”[X509]

(C) The system entity may be a human being or an organization, or a device or process under the control of a human or an organization.

(C) 系统实体可以是人或组织,或在人或组织控制下的装置或过程。

(D) ISDs SHOULD NOT use this term as a synonym for the "subject" of a certificate.

(D) ISDs不应将此术语用作证书“主题”的同义词。

$ certificate validation (I) An act or process by which a certificate user establishes that the assertions made by a digital certificate can be trusted. (See: valid certificate, validate vs. verify.)

$ 证书验证(I)证书用户确定数字证书所做的断言可以被信任的行为或过程。(请参阅:有效证书、验证与验证。)

(O) "The process of ensuring that a certificate is valid including possibly the construction and processing of a certification path, and ensuring that all certificates in that path have not expired or been revoked." [FPDAM]

(O) “确保证书有效的过程,可能包括构建和处理证书路径,并确保该路径中的所有证书未过期或被撤销。”[FPDAM]

(C) To validate a certificate, a certificate user checks that the certificate is properly formed and signed and currently in force:

(C) 要验证证书,证书用户将检查证书的格式和签名是否正确以及当前是否有效:

- Checks the signature: Employs the issuer's public key to verify the digital signature of the CA who issued the certificate in question. If the verifier obtains the issuer's public key from the issuer's own public-key certificate, that certificate should be validated, too. That validation may lead to yet another certificate to be validated, and so on. Thus, in general, certificate validation involves discovering and validating a certification path.

- 检查签名:使用颁发者的公钥验证颁发证书的CA的数字签名。如果验证器从颁发者自己的公钥证书中获得颁发者的公钥,则该证书也应进行验证。该验证可能会导致另一个证书被验证,等等。因此,一般来说,证书验证涉及发现和验证证书路径。

- Checks the syntax and semantics: Parses the certificate's syntax and interprets its semantics, applying rules specified for and by its data fields, such as for critical extensions in an X.509 certificate.

- 检查语法和语义:解析证书的语法并解释其语义,应用由其数据字段指定的规则,例如X.509证书中的关键扩展。

- Checks currency and revocation: Verifies that the certificate is currently in force by checking that the current date and time are within the validity period (if that is specified in the certificate) and that the certificate is not listed on a CRL or otherwise announced as invalid. (CRLs themselves require a similar validation process.)

- 检查货币和吊销:通过检查当前日期和时间是否在有效期内(如果证书中指定)以及证书是否未列在CRL上或以其他方式宣布为无效,验证证书当前是否有效。(CRL本身需要类似的验证过程。)

$ certification (I) Information system usage: Technical evaluation (usually made in support of an accreditation action) of an information system's security features and other safeguards to establish the extent to which the system's design and implementation meet specified security requirements. [FP102] (See: accreditation.)

$ 认证(I)信息系统使用:对信息系统的安全功能和其他保障措施进行技术评估(通常是为了支持认证行动),以确定系统的设计和实施在多大程度上满足规定的安全要求。[FP102](见:认证)

(I) Digital certificate usage: The act or process of vouching for the truth and accuracy of the binding between data items in a certificate. (See: certify.)

(一) 数字证书使用:证明证书中数据项之间绑定的真实性和准确性的行为或过程。(见:证明)

(I) Public key usage: The act or process of vouching for the ownership of a public key by issuing a public-key certificate that binds the key to the name of the entity that possesses the matching private key. In addition to binding a key to a name, a public-key certificate may bind those items to other restrictive or explanatory data items. (See: X.509 public-key certificate.)

(一) 公钥使用:通过颁发公钥证书,将公钥绑定到拥有匹配私钥的实体的名称,从而证明公钥所有权的行为或过程。除了将密钥绑定到名称之外,公钥证书还可以将这些项绑定到其他限制性或解释性数据项。(请参阅:X.509公钥证书。)

(O) SET usage: "The process of ascertaining that a set of requirements or criteria has been fulfilled and attesting to that fact to others, usually with some written instrument. A system that has been inspected and evaluated as fully compliant with the SET protocol by duly authorized parties and process would be said to have been certified compliant." [SET2]

(O) 设置用法:“确定一套要求或标准已得到满足并向其他人证明这一事实的过程,通常使用一些书面文书。经正式授权的各方和程序检查和评估为完全符合SET协议的系统将被视为已认证符合要求。”[SET2]

$ certification authority (CA) (I) An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.

$ 证书颁发机构(CA)(I)颁发数字证书(尤其是X.509证书)并为证书中的数据项之间的绑定提供担保的实体。

(O) "An authority trusted by one or more users to create and assign certificates. Optionally, the certification authority may create the user's keys." [X509]

(O) “一个或多个用户信任的用于创建和分配证书的机构。证书颁发机构也可以创建用户的密钥。”[X509]

(C) Certificate users depend on the validity of information provided by a certificate. Thus, a CA should be someone that certificate users trust, and usually holds an official position created and granted power by a government, a corporation, or some other organization. A CA is responsible for managing the life cycle of certificates (see: certificate management) and, depending on the type of certificate and the CPS that applies, may be responsible for the life cycle of key pairs associated with the certificates (see: key management).

(C) 证书用户依赖于证书提供的信息的有效性。因此,CA应该是证书用户信任的人,并且通常拥有由政府、公司或其他组织创建和授予权力的官方职位。CA负责管理证书的生命周期(请参阅:证书管理),并根据证书的类型和适用的CP,负责与证书相关联的密钥对的生命周期(请参阅:密钥管理)。

$ certification authority workstation (CAW) (I) A computer system that enables a CA to issue digital certificates and supports other certificate management functions as required.

$ 证书颁发机构工作站(CAW)(I)使CA能够颁发数字证书并支持所需的其他证书管理功能的计算机系统。

$ certification hierarchy (I) A tree-structured (loop-free) topology of relationships among CAs and the entities to whom the CAs issue public-key certificates. (See: hierarchical PKI.)

$ 证书层次结构(I)CA和CA向其颁发公钥证书的实体之间关系的树结构(无循环)拓扑。(请参阅:分层PKI。)

(C) In this structure, one CA is the top CA, the highest level of the hierarchy. (See: root, top CA.) The top CA may issue public-key certificates to one or more additional CAs that form the second highest level. Each of these CAs may issue certificates to more CAs at the third highest level, and so on. The CAs at the second-lowest of the hierarchy issue certificates only to non-CA entities, called "end entities" that form the lowest level. (See: end entity.) Thus, all certification paths begin at the top CA and descend through zero or more levels of other CAs. All certificate users base path validations on the top CA's public key.

(C) 在此结构中,一个CA是顶层CA,即层次结构的最高级别。(请参阅:root,top CA。)顶级CA可以向构成第二高级别的一个或多个附加CA颁发公钥证书。这些CA中的每一个都可以向第三高级别的更多CA颁发证书,以此类推。位于层次结构第二低层的CA仅向构成最低层的非CA实体(称为“终端实体”)颁发证书。(请参阅:end entity。)因此,所有认证路径都从顶部CA开始,并向下通过零级或多级其他CA。所有证书用户都基于顶级CA的公钥进行路径验证。

(O) MISSI usage: A MISSI certification hierarchy has three or four levels of CAs:

(O) MSI使用:一个MSI认证层次结构有三个或四个CA级别:

- A CA at the highest level, the top CA, is a "policy approving authority". - A CA at the second-highest level is a "policy creation authority".

- 最高级别的CA(最高CA)是“政策批准机构”——第二高级别的CA是“策略创建机构”。

- A CA at the third-highest level is a local authority called a "certification authority". - A CA at the fourth-highest (optional) level is a "subordinate certification authority".

- 第三高级别的CA是一个称为“认证机构”的地方机构第四高级别(可选)的CA是“下级证书颁发机构”。

(O) PEM usage: A PEM certification hierarchy has three levels of CAs [R1422]:

(O) PEM使用:PEM认证层次结构有三个CA级别[R1422]:

- The highest level is the "Internet Policy Registration Authority". - A CA at the second-highest level is a "policy certification authority". - A CA at the third-highest level is a "certification authority".

- 最高级别为“互联网政策注册机构”。-第二高级别的CA是“策略证书颁发机构”——第三高级别的CA是“证书颁发机构”。

(O) SET usage: A SET certification hierarchy has three or four levels of CAs:

(O) 集合用法:集合证书层次结构有三个或四个级别的CA:

- The highest level is a "SET root CA". - A CA at the second-highest level is a "brand certification authority". - A CA at the third-highest (optional) level is a "geopolitical certification authority". - A CA at the fourth-highest level is a "cardholder CA", a "merchant CA", or a "payment gateway CA".

- 最高级别是“设置根CA”。-第二高级别的CA是“品牌认证机构”——第三高(可选)级别的CA是“地缘政治认证机构”——第四高级别的CA是“持卡人CA”、“商户CA”或“支付网关CA”。

$ certification path (I) An ordered sequence of public-key certificates (or a sequence of public-key certificates followed by one attribute certificate) that enables a certificate user to verify the signature on the last certificate in the path, and thus enables the user to obtain a certified public key (or certified attributes) of the entity that is the subject of that last certificate. (See: certificate validation, valid certificate.)

$ 认证路径(I)公钥证书的有序序列(或公钥证书序列后跟一个属性证书),它使证书用户能够验证路径中最后一个证书上的签名,从而使用户能够获得认证公钥(或认证属性)作为最后一个证书的主体的实体。(请参阅:证书验证,有效证书。)

(O) "An ordered sequence of certificates of objects in the [X.500 Directory Information Tree] which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path." [X509, R2527]

(O) [X.500目录信息树]中对象的有序证书序列,可与路径中初始对象的公钥一起处理,以获得路径中最终对象的公钥。“[X509,R2527]

(C) The path is the "list of certificates needed to allow a particular user to obtain the public key of another." [X509] The list is "linked" in the sense that the digital signature of each certificate (except the first) is verified by the public key contained in the preceding certificate; i.e., the private key used to sign a certificate and the public key contained in the preceding certificate form a key pair owned by the entity that signed.

(C) 路径是“允许特定用户获取另一个用户的公钥所需的证书列表”。[X509]该列表是“链接”的,即每个证书(第一个证书除外)的数字签名由前一个证书中包含的公钥进行验证;i、 例如,用于签名证书的私钥和前一证书中包含的公钥构成了签名实体拥有的密钥对。

(C) In the X.509 quotation in the previous "C" paragraph, the word "particular" points out that a certification path that can be validated by one certificate user might not be able to be validated by another. That is because either the first certificate should be a trusted certificate (it might be a root certificate) or the signature on the first certificate should be verified by a trusted key (it might be a root key), but such trust is defined relative to each user, not absolutely for all users.

(C) 在前面“C”段中的X.509引用中,“特定”一词指出,可以由一个证书用户验证的证书路径可能无法由另一个证书用户验证。这是因为第一个证书应该是受信任的证书(它可能是根证书),或者第一个证书上的签名应该由受信任的密钥(它可能是根密钥)验证,但是这种信任是相对于每个用户定义的,而不是绝对针对所有用户定义的。

$ certification policy (D) ISDs SHOULD NOT use this term. Instead, use either "certificate policy" or "certification practice statement", depending on what is meant.

$ 认证政策(D)ISDs不应使用此术语。相反,使用“证书政策”或“认证实践声明”,具体取决于其含义。

$ certification practice statement (CPS) (I) "A statement of the practices which a certification authority employs in issuing certificates." [ABA96, R2527] (See: certificate policy.)

$ 认证惯例声明(CPS)(I)“认证机构在颁发证书时采用的惯例声明”。[ABA96,R2527](见:证书政策。)

(C) A CPS is a published security policy that can help a certificate user to decide whether a certificate issued by a particular CA can be trusted enough to use in a particular application. A CPS may be (a) a declaration by a CA of the details of the system and practices it employs in its certificate management operations, (b) part of a contract between the CA and an entity to whom a certificate is issued, (c) a statute or regulation applicable to the CA, or (d) a combination of these types involving multiple documents. [ABA]

(C) CPS是一种已发布的安全策略,它可以帮助证书用户确定特定CA颁发的证书是否足够可信,以便在特定应用程序中使用。CPS可以是(A)CA对其证书管理操作中采用的系统和实践细节的声明,(b)CA与证书颁发实体之间合同的一部分,(c)适用于CA的法规或条例,或(d)涉及多个文件的这些类型的组合。[ABA]

(C) A CPS is usually more detailed and procedurally oriented than a certificate policy. A CPS applies to a particular CA or CA community, while a certificate policy applies across CAs or communities. A CA with a single CPS may support multiple certificate policies, which may be used for different application purposes or by different user communities. Multiple CAs, each with a different CPS, may support the same certificate policy. [R2527]

(C) CPS通常比证书策略更详细,更面向过程。CPS适用于特定CA或CA社区,而证书策略适用于整个CA或社区。具有单个CP的CA可能支持多个证书策略,这些策略可用于不同的应用程序目的或由不同的用户社区使用。多个CA(每个CA具有不同的CP)可能支持相同的证书策略。[R2527]

$ certification request (I) A algorithm-independent transaction format, defined by PCKS #10 and used in PKIX, that contains a DN, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification, and sent to a CA, which transforms the request to an X.509 public-key certificate or another type of certificate.

$ 认证请求(I)由PCKS#10定义并在PKIX中使用的独立于算法的事务格式,包含DN、公钥和可选的一组属性,由请求认证的实体共同签名并发送给CA,将请求转换为X.509公钥证书或其他类型的证书。

$ certify 1. (I) Issue a digital certificate and thus vouch for the truth, accuracy, and binding between data items in the certificate (e.g., see: X.509 public key certificate), such as the identity of the certificate's subject and the ownership of a public key. (See: certification.)

$ 证明1。(一) 颁发数字证书,从而保证证书中数据项之间的真实性、准确性和绑定(例如,请参阅:X.509公钥证书),例如证书主体的身份和公钥的所有权。(见:认证。)

(C) To "certify a public key" means to issue a public-key certificate that vouches for the binding between the certificate's subject and the key.

(C) “认证公钥”是指颁发公钥证书,以证明证书主体与密钥之间具有约束力。

2. (I) The act by which a CA employs measures to verify the truth, accuracy, and binding between data items in a digital certificate.

2. (一) CA采用措施验证数字证书中数据项之间的真实性、准确性和约束力的行为。

(C) A description of the measures used for verification should be included in the CA's CPS.

(C) CA的CPS中应包括用于验证的措施说明。

$ CFB See: cipher feedback.

$ 参见:密码反馈。

$ Challenge Handshake Authentication Protocol (CHAP) (I) A peer entity authentication method for PPP, using a randomly-generated challenge and requiring a matching response that depends on a cryptographic hash of the challenge and a secret key. [R1994] (See: challenge-response, PAP.)

$ 质询握手身份验证协议(CHAP)(I)PPP的对等实体身份验证方法,使用随机生成的质询并要求匹配响应,该响应取决于质询的加密散列和密钥。[R1994](参见:质询响应,PAP。)

$ challenge-response (I) An authentication process that verifies an identity by requiring correct authentication information to be provided in response to a challenge. In a computer system, the authentication information is usually a value that is required to be computed in response to an unpredictable challenge value.

$ 质询响应(I)通过要求提供正确的身份验证信息以响应质询来验证身份的身份验证过程。在计算机系统中,身份验证信息通常是响应不可预测的质询值而需要计算的值。

$ Challenge-Response Authentication Mechanism (CRAM) (I) IMAP4 usage: A mechanism [R2195], intended for use with IMAP4 AUTHENTICATE, by which an IMAP4 client uses a keyed hash [R2104] to authenticate itself to an IMAP4 server. (See: POP3 APOP.)

$ 质询-响应身份验证机制(CRAM)(I)IMAP4使用:一种机制[R2195],用于IMAP4身份验证,通过该机制,IMAP4客户端使用密钥哈希[R2104]向IMAP4服务器进行身份验证。(参见:POP3 APOP。)

(C) The server includes a unique timestamp in its ready response to the client. The client replies with the client's name and the hash result of applying MD5 to a string formed from concatenating the timestamp with a shared secret that is known only to the client and the server.

(C) 服务器在其对客户端的就绪响应中包含一个唯一的时间戳。客户机使用客户机的名称和将MD5应用于字符串的哈希结果进行回复,该字符串是通过将时间戳与只有客户机和服务器才知道的共享秘密连接而形成的。

$ channel (I) An information transfer path within a system. (See: covert channel.)

$ 通道(I)系统内的信息传输路径。(请参阅:隐蔽通道。)

$ CHAP See: Challenge Handshake Authentication Protocol.

$ 请参阅:质询握手身份验证协议。

$ checksum (I) A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for the purpose of detecting changes in the data. (See: cyclic redundancy check, data integrity service, error detection code, hash, keyed hash, protected checksum.)

$ 校验和(I)(A)由依赖于数据对象内容的函数计算的值,以及(b)与对象一起存储或传输的值,用于检测数据中的变化。(请参阅:循环冗余检查、数据完整性服务、错误检测代码、哈希、键控哈希、受保护校验和。)

(C) To gain confidence that a data object has not been changed, an entity that later uses the data can compute a checksum and compare it with the checksum that was stored or transmitted with the object.

(C) 为了获得数据对象未被更改的信心,以后使用数据的实体可以计算校验和,并将其与对象存储或传输的校验和进行比较。

(C) Computer systems and networks employ checksums (and other mechanisms) to detect accidental changes in data. However, active wiretapping that changes data could also change an accompanying checksum to match the changed data. Thus, some checksum functions by themselves are not good countermeasures for active attacks. To protect against active attacks, the checksum function needs to be well-chosen (see: cryptographic hash), and the checksum result needs to be cryptographically protected (see: digital signature, keyed hash).

(C) 计算机系统和网络使用校验和(和其他机制)来检测数据中的意外变化。但是,更改数据的主动窃听也可能会更改附带的校验和,以匹配更改的数据。因此,某些校验和函数本身并不是主动攻击的良好对策。为了防止主动攻击,需要正确选择校验和函数(请参阅:加密散列),并且校验和结果需要加密保护(请参阅:数字签名,密钥散列)。

$ chosen-ciphertext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of plaintext that corresponds to ciphertext selected (i.e., dictated) by the analyst.

$ 选择密文攻击(I)一种密码分析技术,分析员试图根据与分析员选择(即口述)的密文相对应的明文知识确定密钥。

$ chosen-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of ciphertext that corresponds to plaintext selected (i.e., dictated) by the analyst.

$ 选择明文攻击(I)一种密码分析技术,分析员试图根据与分析员选择(即口述)的明文相对应的密文知识来确定密钥。

$ CIAC See: Computer Incident Advisory Capability.

$ CIAC见:计算机事故咨询能力。

$ CIK See: cryptographic ignition key.

$ CIK见:加密点火钥匙。

$ cipher (I) A cryptographic algorithm for encryption and decryption.

$ 密码(I)用于加密和解密的加密算法。

$ cipher block chaining (CBC) (I) An block cipher mode that enhances electronic codebook mode by chaining together blocks of ciphertext it produces. [FP081] (See: [R1829], [R2451].)

$ 密码分组链接(CBC)(I)一种分组密码模式,通过将其产生的密文块链接在一起来增强电子码本模式。[FP081](参见:[R1829],[R2451]。)

(C) This mode operates by combining (exclusive OR-ing) the algorithm's ciphertext output block with the next plaintext block to form the next input block for the algorithm.

(C) 此模式通过将算法的密文输出块与下一个明文块组合(异或)来操作,以形成算法的下一个输入块。

$ cipher feedback (CFB) (I) An block cipher mode that enhances electronic code book mode by chaining together the blocks of ciphertext it produces and operating on plaintext segments of variable length less than or equal to the block length. [FP081]

$ 密码反馈(CFB)(I)一种分组密码模式,通过将其产生的密文块链接在一起,并在小于或等于块长度的可变长度的明文段上运行,从而增强电子码本模式。[FP081]

(C) This mode operates by using the previously generated ciphertext segment as the algorithm's input (i.e., by "feeding back" the ciphertext) to generate an output block, and then combining (exclusive OR-ing) that output block with the next plaintext segment (block length or less) to form the next ciphertext segment.

(C) 该模式通过使用先前生成的密文段作为算法的输入(即,通过“反馈”密文)来生成输出块,然后将该输出块与下一个明文段(块长度或更小)组合(异或或)来形成下一个密文段。

$ ciphertext (I) Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. (See: cleartext, plaintext.)

$ 密文(I)通过加密转换的数据,其语义信息内容(即其含义)不再可理解或直接可用。(请参阅:明文、纯文本。)

(O) "Data produced through the use of encipherment. The semantic content of the resulting data is not available." [I7498 Part 2]

(O) “通过使用加密产生的数据。结果数据的语义内容不可用。”[I7498第2部分]

$ ciphertext-only attack (I) A cryptanalysis technique in which the analyst tries to determine the key solely from knowledge of intercepted ciphertext (although the analyst may also know other clues, such as the cryptographic algorithm, the language in which the plaintext was written, the subject matter of the plaintext, and some probable plaintext words.)

$ 纯密文攻击(I)一种密码分析技术,分析人员试图仅根据截获密文的知识确定密钥(尽管分析员可能还知道其他线索,如加密算法、明文的编写语言、明文的主题以及一些可能的明文单词。)

$ CIPSO See: Common IP Security Option.

$ CIPSO请参阅:通用IP安全选项。

$ CKL See: compromised key list.

$ CKL见:泄露密钥列表。

$ class 2, 3, 4, or 5 (O) U.S. Department of Defense usage: Levels of PKI assurance based on risk and value of information to be protected [DOD3]:

$ 第2、3、4或5(O)类美国国防部使用:基于受保护信息的风险和价值的PKI保证级别[DOD3]:

- Class 2: For handling low-value information (unclassified, not mission-critical, or low monetary value) or protection of system-high information in low- to medium-risk environment.

- 第2类:用于处理低价值信息(非保密、非关键任务或低货币价值)或在低至中等风险环境中保护系统高信息。

- Class 3: For handling medium-value information in low- to medium-risk environment. Typically requires identification of a system entity as a legal person, rather than merely a member of an organization.

- 第3类:用于在中低风险环境中处理中等价值信息。通常需要将系统实体识别为法人,而不仅仅是组织的成员。

- Class 4: For handling medium- to high-value information in any environment. Typically requires identification of an entity as a legal person, rather than merely a member of an organization, and a cryptographic hardware token for protection of keying material.

- 类别4:用于在任何环境中处理中高价值信息。通常需要将实体识别为法人,而不仅仅是组织的成员,并需要加密硬件令牌来保护密钥材料。

- Class 5: For handling high-value information in a high-risk environment.

- 第5类:用于在高风险环境中处理高价值信息。

$ classification $ classification level (I) (1.) A grouping of classified information to which a hierarchical, restrictive security label is applied to increase protection of the data. (2.) The level of protection that is required to be applied to that information. (See: security level.)

$ 分类$classification level(I)(1.)一组分类信息,其中应用了分层的、限制性的安全标签,以加强对数据的保护。(2.)要求应用于该信息的保护级别。(请参阅:安全级别。)

$ classified (I) Refers to information (stored or conveyed, in any form) that is formally required by a security policy to be given data confidentiality service and to be marked with a security label (which in some cases might be implicit) to indicate its protected status. (See: unclassified.)

$ 机密(I)是指安全策略正式要求提供数据保密服务并用安全标签(在某些情况下可能是隐含的)标记以指示其受保护状态的信息(以任何形式存储或传输)。(请参阅:未分类。)

(C) The term is mainly used in government, especially in the military, although the concept underlying the term also applies outside government. In the U.S. Department of Defense, for example, it means information that has been determined pursuant to Executive Order 12958 ("Classified National Security Information", 20 April 1995) or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

(C) 该术语主要用于政府,尤其是军队,尽管该术语的基本概念也适用于政府以外的部门。例如,在美国国防部,它是指根据第12958号行政命令(“保密国家安全信息”,1995年4月20日)或任何先前命令确定的信息,要求防止未经授权的披露,并以文件形式标记以表明其保密状态。

$ clean system (I) A computer system in which the operating system and application system software and files have just been freshly installed from trusted software distribution media.

$ clean system(I)一种计算机系统,其中操作系统和应用系统软件及文件刚刚从受信任的软件分发介质中安装。

(C) A clean system is not necessarily in a secure state.

(C) 清洁的系统不一定处于安全状态。

$ clearance See: security clearance.

$ 许可见:安全许可。

$ clearance level (I) The security level of information to which a security clearance authorizes a person to have access.

$ 许可级别(I)安全许可授权人员访问的信息的安全级别。

$ cleartext (I) Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available. (See: plaintext.)

$ 明文(I)语义信息内容(即含义)可理解或直接可用的数据。(请参阅:纯文本。)

(O) "Intelligible data, the semantic content of which is available." [I7498 Part 2]

(O) “可理解的数据,其语义内容可用。”[I7498第2部分]

(D) ISDs SHOULD NOT use this term as a synonym for "plaintext", the input to an encryption operation, because the plaintext input to encryption may itself be ciphertext that was output from another operation. (See: superencryption.)

(D) ISDs不应将此术语用作“明文”的同义词,即加密操作的输入,因为加密的明文输入本身可能是另一操作输出的密文。(请参阅:超级加密。)

$ client (I) A system entity that requests and uses a service provided by another system entity, called a "server". (See: server.)

$ 客户端(I)请求并使用另一个系统实体(称为“服务器”)提供的服务的系统实体。(请参阅:服务器。)

(C) Usually, the requesting entity is a computer process, and it makes the request on behalf of a human user. In some cases, the server may itself be a client of some other server.

(C) 通常,请求实体是一个计算机进程,它代表人类用户发出请求。在某些情况下,服务器本身可能是其他服务器的客户端。

$ CLIPPER chip (N) The Mykotronx, Inc. MYK-82, an integrated microcircuit with a cryptographic processor that implements the SKIPJACK encryption algorithm and supports key escrow. (See: CAPSTONE, Escrowed Encryption Standard.)

$ CLIPPER芯片(N)Mykotronx,Inc.MYK-82,一种集成微电路,带有加密处理器,可实现SKIPJACK加密算法并支持密钥托管。(参见:顶点,托管加密标准。)

(C) The key escrow scheme for a chip involves a SKIPJACK key common to all chips that protects the unique serial number of the chip, and a second SKIPJACK key unique to the chip that protects all data encrypted by the chip. The second key is escrowed as split key components held by NIST and the U.S. Treasury Department.

(C) 芯片的密钥托管方案包括一个所有芯片共有的SKIPJACK密钥,用于保护芯片的唯一序列号,以及一个芯片独有的第二个SKIPJACK密钥,用于保护芯片加密的所有数据。第二个关键部分由NIST和美国财政部托管为拆分关键部分。

$ closed security environment (O) U.S. Department of Defense usage: A system environment that meets both of the following conditions: (a) Application developers (including maintainers) have sufficient clearances and authorizations to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control provides sufficient assurance that system applications and the equipment they run on are protected against the introduction of malicious logic prior to and during the operation of applications. [NCS04] (See: open security environment.)

$ 封闭安全环境(O)美国国防部使用:满足以下两个条件的系统环境:(A)应用程序开发人员(包括维护人员)有足够的许可和授权,以提供一个可接受的假设,即他们没有引入恶意逻辑。(b) 配置控制提供了充分的保证,系统应用程序及其运行的设备在应用程序运行之前和运行期间受到保护,防止引入恶意逻辑。[NCS04](请参阅:开放式安全环境。)

$ code (I) noun: A system of symbols used to represent information, which might originally have some other representation. (See: encode.)

$ 名词:用来表示信息的符号系统,最初可能有其他的表示形式。(请参见:编码。)

(D) ISDs SHOULD NOT use this term as synonym for the following: (a) "cipher", "hash", or other words that mean "a cryptographic algorithm"; (b) "ciphertext"; or (c) "encrypt", "hash", or other words that refer to applying a cryptographic algorithm.

(D) ISDs不应将该术语用作以下术语的同义词:(a)“密码”、“哈希”或其他表示“加密算法”的词语;(b) “密文”;或(c)“加密”、“哈希”或其他指应用加密算法的词语。

(D) ISDs SHOULD NOT this word as an abbreviation for the following terms: country code, cyclic redundancy code, Data Authentication Code, error detection code, Message Authentication Code, object code, or source code. To avoid misunderstanding, use the fully qualified term, at least at the point of first usage.

(D) ISDs不应将该词作为以下术语的缩写:国家代码、循环冗余代码、数据认证代码、错误检测代码、消息认证代码、目标代码或源代码。为避免误解,请使用完全限定的术语,至少在首次使用时使用。

$ color change (I) In a system that is being operated in periods processing mode, the act of purging all information from one processing period and then changing over to the next processing period.

$ 颜色变化(I)在周期处理模式下运行的系统中,清除一个处理周期中的所有信息,然后切换到下一个处理周期的行为。

$ Common Criteria $ Common Criteria for Information Technology Security (N) "The Common Criteria" is a standard for evaluating information technology products and systems, such as operating systems, computer networks, distributed systems, and applications. It states requirements for security functions and for assurance measures. [CCIB]

$ 通用标准$Common Criteria for Information Technology Security(N)“通用标准”是用于评估信息技术产品和系统(如操作系统、计算机网络、分布式系统和应用程序)的标准。它规定了安全功能和保证措施的要求。[CCIB]

(C) Canada, France, Germany, the Netherlands, the United Kingdom, and the United States (NIST and NSA) began developing this standard in 1993, based on the European ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), and the U.S. "Federal Criteria for Information Technology Security" (FC) and its precursor, the TCSEC. Work was done in cooperation with ISO/IEC Joint Technical Committee 1 (Information Technology), Subcommittee 27 (Security Techniques), Working Group 3 (Security Criteria). Version 2.1 of the Criteria is equivalent to ISO's International Standard 15408 [I15408]. The U.S. Government intends that this standard eventually will supersede both the TCSEC and FIPS PUB 140-1. (See: NIAP.)

(C) 加拿大、法国、德国、荷兰、英国和美国(NIST和NSA)于1993年开始根据欧洲ITSEC、加拿大可信计算机产品评估标准(CTCPEC)和美国“信息技术安全联邦标准”(FC)及其前身TCSEC制定本标准。这项工作是与ISO/IEC联合技术委员会1(信息技术)、第27小组委员会(安全技术)、第3工作组(安全标准)合作完成的。标准的2.1版等同于ISO的国际标准15408[I15408]。美国政府希望本标准最终将取代TCSEC和FIPS PUB 140-1。(见:NIAP)

(C) The standard addresses data confidentiality, data integrity, and availability and may apply to other aspects of security. It focuses on threats to information arising from human activities, malicious or otherwise, but may apply to non-human threats. It applies to security measures implemented in hardware, firmware, or software. It does not apply to (a) administrative security not related directly to technical security, (b) technical physical

(C) 该标准涉及数据保密性、数据完整性和可用性,并可能适用于安全的其他方面。它侧重于人类活动(恶意或其他)对信息造成的威胁,但可能适用于非人类威胁。它适用于在硬件、固件或软件中实施的安全措施。它不适用于(a)与技术安全不直接相关的行政安全,(b)技术物理安全

aspects of security such as electromagnetic emanation control, (c) evaluation methodology or administrative and legal framework under which the criteria may be applied, (d) procedures for use of evaluation results, or (e) assessment of inherent qualities of cryptographic algorithms.

安全方面,如电磁辐射控制,(c)评估方法或适用标准的行政和法律框架,(d)评估结果的使用程序,或(e)评估加密算法的固有质量。

$ Common IP Security Option (CIPSO) See: (secondary definition under) Internet Protocol Security Option.

$ 通用IP安全选项(CIPSO)请参阅:(第二个定义下)Internet协议安全选项。

$ common name (I) A character string that (a) may be a part of the X.500 DN of a Directory object ("commonName" attribute), (b) is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization), and (c) conforms to the naming conventions of the country or culture with which it is associated. [X520] (See: ("subject" and "issuer" under) X.509 public-key certificate.)

$ 公共名称(I)一个字符串,该字符串(A)可能是目录对象的X.500 DN的一部分(“公共名称”属性),(b)是一个(可能不明确的)名称,该对象在某些有限范围内(如组织)是众所周知的,(c)符合与其相关的国家或文化的命名约定。[X520](参见:(“主体”和“颁发者”)X.509公钥证书。)

(C) For example, "Dr. E. F. Moore", "The United Nations", or "12-th Floor Laser Printer".

(C) 例如,“E.F.摩尔博士”、“联合国”或“第12层激光打印机”。

$ communication security (COMSEC) (I) Measures that implement and assure security services in a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities.

$ 通信安全(COMSEC)(I)在通信系统中实施和确保安全服务的措施,特别是提供数据机密性和数据完整性以及认证通信实体的措施。

(C) Usually understood to include cryptographic algorithms and key management methods and processes, devices that implement them, and the life cycle management of keying material and devices.

(C) 通常理解为包括加密算法、密钥管理方法和过程、实现它们的设备以及密钥材料和设备的生命周期管理。

$ community string (I) A community name in the form of an octet string that serves as a cleartext password in SNMP version 1. [R1157]

$ 社区字符串(I)以八位字节字符串形式表示的社区名称,在SNMP版本1中用作明文密码。[R1157]

$ compartment (I) A grouping of sensitive information items that require special access controls beyond those normally provided for the basic classification level of the information. (See: category.)

$ (I)一组敏感信息项,除通常为信息的基本分类级别提供的访问控制外,还需要特殊的访问控制。(请参阅:类别。)

(C) The term is usually understood to include the special handling procedures to be used for the information.

(C) 该术语通常被理解为包括用于信息的特殊处理程序。

$ compromise See: data compromise, security compromise.

$ 危害见:数据危害,安全危害。

$ compromised key list (CKL) (O) MISSI usage: A list that identifies keys for which unauthorized disclosure or alteration may have occurred. (See: compromise.)

$ 泄露密钥列表(CKL)(O)MSI用法:识别可能发生未经授权泄露或更改的密钥的列表。(见:妥协。)

(C) A CKL is issued by an CA, like a CRL is issued. But a CKL lists only KMIDs, not subjects that hold the keys, and not certificates in which the keys are bound.

(C) CKL由CA发布,就像CRL被发布一样。但是CKL只列出KMID,不列出持有密钥的主题,也不列出绑定密钥的证书。

$ COMPUSEC See: computer security.

$ 计算机安全见:计算机安全。

$ computer emergency response team (CERT) (I) An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security. (See: CSIRT, security incident.)

$ 计算机应急响应团队(CERT)(I)一个研究计算机和网络信息安全的组织,旨在为攻击受害者提供事件响应服务,发布有关漏洞和威胁的警报,并提供其他信息以帮助提高计算机和网络安全性。(参见:CSIRT,安全事件)

(C) For example, the CERT Coordination Center at Carnegie-Mellon University (sometimes called "the" CERT) and the Computer Incident Advisory Capability.

(C) 例如,卡内基梅隆大学的CERT协调中心(有时称为“CERT”)和计算机事故咨询能力。

$ Computer Incident Advisory Capability (CIAC) (N) A computer emergency response team in the U.S. Department of Energy.

$ 计算机事故咨询能力(CIAC)(N)美国能源部的计算机应急响应团队。

$ computer network (I) A collection of host computers together with the subnetwork or internetwork through which they can exchange data.

$ 计算机网络(I)主机与子网或互联网络的集合,通过它们可以交换数据。

(C) This definition is intended to cover systems of all sizes and types, ranging from the complex Internet to a simple system composed of a personal computer dialing in as a remote terminal of another computer.

(C) 这一定义旨在涵盖各种规模和类型的系统,从复杂的互联网到由个人计算机作为另一台计算机的远程终端拨号组成的简单系统。

$ computer security (COMPUSEC) (I) Measures that implement and assure security services in a computer system, particularly those that assure access control service.

$ 计算机安全(COMPUSEC)(I)在计算机系统中实施和确保安全服务的措施,特别是确保访问控制服务的措施。

(C) Usually understood to include functions, features, and technical characteristics of computer hardware and software, especially operating systems.

(C) 通常理解为包括计算机硬件和软件的功能、特征和技术特征,尤其是操作系统。

$ computer security incident response team (CSIRT) (I) An organization "that coordinates and supports the response to security incidents that involve sites within a defined constituency." [R2350] (See: CERT, FIRST, security incident.)

$ 计算机安全事件响应团队(CSIRT)(I)“协调和支持对涉及指定选区内站点的安全事件的响应的组织。”[R2350](见:CERT,第一,安全事件。)

(C) To be considered a CSIRT, an organization must do as follows:

(C) 要被视为CSIRT,组织必须做到以下几点:

- Provide a (secure) channel for receiving reports about suspected security incidents. - Provide assistance to members of its constituency in handling the incidents. - Disseminate incident-related information to its constituency and other involved parties.

- 为接收可疑安全事件报告提供(安全)渠道。-协助其选区成员处理事件。-向其选区和其他相关方传播事件相关信息。

$ computer security object (I) The definition or representation of a resource, tool, or mechanism used to maintain a condition of security in computerized environments. Includes many elements referred to in standards that are either selected or defined by separate user communities. [CSOR] (See: object identifier, Computer Security Objects Register.)

$ 计算机安全对象(I)用于在计算机化环境中维护安全条件的资源、工具或机制的定义或表示。包括标准中提到的许多元素,这些元素由单独的用户社区选择或定义。[CSOR](请参阅:对象标识符,计算机安全对象寄存器。)

$ Computer Security Objects Register (CSOR) (N) A service operated by NIST is establishing a catalog for computer security objects to provide stable object definitions identified by unique names. The use of this register will enable the unambiguous specification of security parameters and algorithms to be used in secure data exchanges.

$ 计算机安全对象注册(CSOR)(N)NIST运营的一项服务正在为计算机安全对象建立目录,以提供由唯一名称标识的稳定对象定义。该寄存器的使用将使安全数据交换中使用的安全参数和算法的明确规范成为可能。

(C) The CSOR follows registration guidelines established by the international standards community and ANSI. Those guidelines establish minimum responsibilities for registration authorities and assign the top branches of an international registration hierarchy. Under that international registration hierarchy the CSOR is responsible for the allocation of unique identifiers under the branch {joint-iso-ccitt(2) country(16) us(840) gov(101) csor(3)}.

(C) CSOR遵循国际标准协会和ANSI制定的注册指南。这些准则规定了登记机关的最低责任,并指定了国际登记层级的最高分支机构。根据该国际注册层级,CSOR负责分配{联合iso ccitt(2)国家(16)美国(840)政府(101)CSOR(3)}分支下的唯一标识符。

$ COMSEC See: communication security.

$ 通信安全见:通信安全。

$ confidentiality See: data confidentiality.

$ 机密性见:数据机密性。

$ configuration control (I) The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system. (See: administrative security.)

$ 配置控制(I)在系统的整个开发和运行寿命期间,对硬件、固件、软件和文档的更改进行调节的过程。(请参阅:管理安全。)

(C) Configuration control helps protect against unauthorized or malicious alteration of a system and thus provides assurance of system integrity. (See: malicious logic.)

(C) 配置控制有助于防止未经授权或恶意更改系统,从而保证系统完整性。(请参阅:恶意逻辑。)

$ confinement property See: (secondary definition under) Bell-LaPadula Model.

$ 约束特性见:(次级定义下)Bell-LaPadula模型。

$ connectionless data integrity service (I) A security service that provides data integrity service for an individual IP datagram, by detecting modification of the datagram, without regard to the ordering of the datagram in a stream of datagrams.

$ 无连接数据完整性服务(I)通过检测数据报的修改,而不考虑数据报流中数据报的顺序,为单个IP数据报提供数据完整性服务的安全服务。

(C) A connection-oriented data integrity service would be able to detect lost or reordered datagrams within a stream of datagrams.

(C) 面向连接的数据完整性服务能够检测数据报流中丢失或重新排序的数据报。

$ contingency plan (I) A plan for emergency response, backup operations, and post-disaster recovery in a system as part of a security program to ensure availability of critical system resources and facilitate continuity of operations in a crisis. [NCS04] (See: availability.)

$ 应急计划(I)作为安全计划一部分的系统应急响应、备份操作和灾后恢复计划,以确保关键系统资源的可用性,并促进危机中操作的连续性。[NCS04](见:可用性)

$ controlled security mode (D) ISDs SHOULD NOT use this term. It was defined in an earlier version of the U.S. Department of Defense policy that regulates system accreditation, but was subsumed by "partitioned security mode" in the current version. [DOD2]

$ 受控安全模式(D)ISDs不应使用此术语。它在美国国防部管理系统认证的政策的早期版本中定义,但在当前版本中被“分区安全模式”所包含。[DOD2]

(C) The term refers to a mode of operation of an information system, wherein at least some users with access to the system have neither a security clearance nor a need-to-know for all classified material contained in the system. However, separation and control of users and classified material on the basis, respectively, of clearance and classification level are not essentially under operating system control like they are in "multilevel security mode".

(C) 该术语指的是信息系统的一种操作模式,其中至少有一些能够访问该系统的用户既没有安全许可,也不需要知道系统中包含的所有机密材料。然而,分别基于清除和分类级别的用户和分类材料的分离和控制本质上不像在“多级安全模式”中那样受操作系统控制。

(C) Controlled mode was intended to encourage ingenuity in meeting the security requirements of Defense policy in ways less restrictive than "dedicated security mode" and "system high security mode", but at a level of risk lower than that generally associated with the true "multilevel security mode". This was to be accomplished by implementation of explicit augmenting measures to reduce or remove a substantial measure of system software vulnerability together with specific limitation of the security clearance levels of users permitted concurrent access to the system.

(C) 受控模式旨在鼓励独创性,以比“专用安全模式”和“系统高安全模式”限制更少的方式满足国防政策的安全要求,但风险水平低于通常与真正的“多级安全模式”相关的风险水平。这将通过实施明确的增强措施来实现,以减少或消除系统软件漏洞的实质性措施,以及对允许并发访问系统的用户的安全许可级别的具体限制。

$ cookie (I) access control usage: A synonym for "capability" or "ticket" in an access control system.

$ cookie(I)访问控制用法:访问控制系统中“能力”或“票证”的同义词。

(I) IPsec usage: Data exchanged by ISAKMP to prevent certain denial-of-service attacks during the establishment of a security association.

(一) IPsec使用:ISAKMP交换的数据,用于在建立安全关联期间防止某些拒绝服务攻击。

(I) HTTP usage: Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.

(一) HTTP使用:HTTP服务器和浏览器(服务器的客户端)之间交换的数据,用于在客户端存储状态信息,并在以后检索以供服务器使用。

(C) An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections. A cookie may include a description of the range of URLs for which the state is valid. Future requests made by the client in that range will also send the current value of the cookie to the server. Cookies can be used to generate profiles of web usage habits, and thus may infringe on personal privacy.

(C) HTTP服务器在向客户端发送数据时,可能会发送一个cookie,该cookie在HTTP连接关闭后由客户端保留。服务器可以使用此机制为基于HTTP的应用程序维护持久的客户端状态信息,并在以后的连接中检索状态信息。cookie可能包括状态有效的URL范围的描述。客户端在该范围内发出的未来请求也会将cookie的当前值发送到服务器。Cookie可用于生成web使用习惯的配置文件,因此可能侵犯个人隐私。

$ Coordinated Universal Time (UTC) (N) UTC is derived from International Atomic Time (TAI) by adding a number of leap seconds. The International Bureau of Weights and Measures computes TAI once each month by averaging data from many laboratories. (See: GeneralizedTime, UTCTime.)

$ 协调世界时(UTC)(N)UTC是通过添加闰秒数从国际原子时(TAI)派生出来的。国际度量衡局每月通过对来自多个实验室的数据进行平均来计算TAI。(请参见:一般化时间,UTCTime。)

$ copy See: card copy.

$ 复印件见:卡片复印件。

$ correctness integrity (I) Accuracy and consistency of the information that data values represent, rather than of the data itself. Closely related to issues of accountability and error handling. (See: data integrity, source integrity.)

$ 正确性完整性(I)数据值所代表的信息的准确性和一致性,而不是数据本身的准确性和一致性。与责任和错误处理问题密切相关。(请参见:数据完整性、源完整性。)

$ correctness proof (I) A mathematical proof of consistency between a specification for system security and the implementation of that specification. (See: formal specification.)

$ 正确性证明(I)系统安全规范与该规范实施之间一致性的数学证明。(参见:正式规范。)

$ countermeasure (I) An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

$ 对策(I)通过消除或预防威胁、漏洞或攻击,通过最小化其可能造成的伤害,或通过发现和报告以采取纠正措施来减少威胁、漏洞或攻击的行动、装置、程序或技术。

(C) In an Internet protocol, a countermeasure may take the form of a protocol feature, an element function, or a usage constraint.

(C) 在因特网协议中,对策可以采取协议特征、元素功能或使用约束的形式。

$ country code (I) An identifier that is defined for a nation by ISO. [I3166]

$ 国家代码(I)ISO为国家定义的标识符。[I3166]

(C) For each nation, ISO Standard 3166 defines a unique two-character alphabetic code, a unique three-character alphabetic code, and a three-digit code. Among many uses of these codes, the two-character codes are used as top-level domain names.

(C) 对于每个国家,ISO标准3166定义了唯一的两字符字母代码、唯一的三字符字母代码和三位数代码。在这些代码的许多用途中,两个字符的代码被用作顶级域名。

$ covert channel (I) A intra-system channel that permits two cooperating entities, without exceeding their access authorizations, to transfer information in a way that violates the system's security policy. (See: channel, out of band.)

$ 隐蔽通道(I)允许两个合作实体在不超过其访问权限的情况下,以违反系统安全策略的方式传输信息的系统内通道。(请参见:通道,带外)

(O) "A communications channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy." [NCS04]

(O) “允许两个协作进程以违反系统安全策略的方式传输信息的通信通道。”[NCS04]

(C) The cooperating entities can be either two insiders or an insider and an outsider. Of course, an outsider has no access authorization at all. A covert channel is a system feature that the system architects neither designed nor intended for information transfer:

(C) 合作实体可以是两名内部人员,也可以是一名内部人员和一名外部人员。当然,局外人根本没有访问权限。隐蔽通道是系统架构师设计或设计用于信息传输的系统功能:

- "Timing channel": A system feature that enable one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity.

- “定时通道”:一种系统特性,使一个系统实体能够通过调节其自身对系统资源的使用来向另一个系统实体发送信息,从而影响第二个实体观察到的系统响应时间。

- "Storage channel": A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity.

- “存储通道”:一种系统功能,使一个系统实体能够通过直接或间接写入存储位置向另一个实体发送信息,该存储位置随后由第二个实体直接或间接读取。

$ CPS See: certification practice statement.

$ CPS见:认证实践声明。

$ cracker (I) Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so. (See: hacker and intruder.)

$ 破解者(I)在未被邀请的情况下,试图破坏他人系统的安全性并访问他人系统的人。(请参阅:黑客和入侵者。)

$ CRAM See: Challenge-Response Authentication Mechanism.

$ CRAM See:质询-响应身份验证机制。

$ CRC See: cyclic redundancy check.

$ CRC见:循环冗余校验。

$ credential(s) (I) Data that is transferred or presented to establish either a claimed identity or the authorizations of a system entity. (See: authentication information, capability, ticket.)

$ 凭证(I)传输或呈现以建立系统实体的声明身份或授权的数据。(请参阅:身份验证信息、功能、票据。)

(O) "Data that is transferred to establish the claimed identity of an entity." [I7498 Part 2]

(O) “为确定实体的声称身份而传输的数据。”[I7498第2部分]

$ critical 1. (I) "Critical" system resource: A condition of a service or other system resource such that denial of access to (i.e., lack of availability of) that resource would jeopardize a system user's ability to perform a primary function or would result in other serious consequences. (See: availability, sensitive.)

$ 关键1。(一) “关键”系统资源:服务或其他系统资源的一种状况,即拒绝访问(即缺乏可用性)该资源将危及系统用户执行主要功能的能力或导致其他严重后果。(请参阅:可用性,敏感。)

2. (N) "Critical" extension: Each extension of an X.509 certificate (or CRL) is marked as being either critical or non-critical. If an extension is critical and a certificate user (or CRL user) does not recognize the extension type or does not implement its semantics, then the user is required to treat the certificate (or CRL) as invalid. If an extension is non-critical, a user that does not recognize or implement that extension type is permitted to ignore the extension and process the rest of the certificate (or CRL).

2. (N) “关键”扩展:X.509证书(或CRL)的每个扩展都标记为关键或非关键。如果扩展是关键的,并且证书用户(或CRL用户)无法识别扩展类型或未实现其语义,则要求用户将证书(或CRL)视为无效。如果扩展是非关键的,则不识别或实现该扩展类型的用户可以忽略该扩展并处理证书(或CRL)的其余部分。

$ CRL See: certificate revocation list.

$ CRL请参阅:证书吊销列表。

$ CRL distribution point See: distribution point.

$ CRL分发点请参阅:分发点。

$ CRL extension See: extension.

$ CRL扩展请参阅:扩展。

$ cross-certificate See: cross-certification.

$ 交叉认证参见:交叉认证。

$ cross-certification (I) The act or process by which two CAs each certify a public key of the other, issuing a public-key certificate to that other CA.

$ 交叉认证(I)两个CA各自认证另一个CA的公钥,并向另一个CA颁发公钥证书的行为或过程。

(C) Cross-certification enables users to validate each other's certificate when the users are certified under different certification hierarchies.

(C) 交叉认证允许用户在不同的认证层次结构下认证时验证彼此的证书。

$ cryptanalysis (I) The mathematical science that deals with analysis of a cryptographic system in order to gain knowledge needed to break or circumvent the protection that the system is designed to provide. (See: cryptology.)

$ 密码分析(I)处理密码系统分析的数学科学,目的是获取破坏或规避系统设计提供的保护所需的知识。(见:密码学。)

(O) "The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext." [I7498 Part 2]

(O) “对密码系统和/或其输入和输出进行分析,以得出机密变量和/或敏感数据,包括明文。”[I7498第2部分]

(C) The "O" definition states the traditional goal of cryptanalysis--convert the ciphertext to plaintext (which usually is cleartext) without knowing the key--but that definition applies only to encryption systems. Today, the term is used with reference to all kinds of cryptographic algorithms and key management, and the "I" definition reflects that. In all cases, however, a cryptanalyst tries to uncover or reproduce someone else's sensitive data, such as cleartext, a key, or an algorithm. The basic cryptanalytic attacks on encryption systems are ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext; and these generalize to the other kinds of cryptography.

(C) “O”定义说明了密码分析的传统目标——在不知道密钥的情况下将密文转换为明文(通常是明文)——但该定义仅适用于加密系统。今天,这个术语被用来指代各种密码算法和密钥管理,“I”的定义反映了这一点。然而,在所有情况下,密码分析师都会试图发现或复制其他人的敏感数据,如明文、密钥或算法。对加密系统的基本密码分析攻击只有密文、已知明文、选择明文和选择密文;这也推广到了其他类型的密码学。

$ crypto (D) Except as part of certain long-established terms listed in this Glossary, ISDs SHOULD NOT use this abbreviated term because it may be misunderstood. Instead, use "cryptography" or "cryptographic".

$ 加密(D)除作为本词汇表中列出的某些长期术语的一部分外,ISDs不应使用此缩写术语,因为它可能会被误解。相反,请使用“加密”或“加密”。

$ cryptographic algorithm (I) An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.

$ 加密算法(I)采用密码学的算法,包括加密算法、加密哈希算法、数字签名算法和密钥协商算法。

$ cryptographic application programming interface (CAPI) (I) The source code formats and procedures through which an application program accesses cryptographic services, which are defined abstractly compared to their actual implementation. For example, see: PKCS #11, [R2628].

$ 加密应用程序编程接口(CAPI)(I)应用程序访问加密服务所通过的源代码格式和过程,这些服务是根据实际实现抽象定义的。例如,请参见:PKCS#11,[R2628]。

$ cryptographic card (I) A cryptographic token in the form of a smart card or a PC card.

$ 加密卡(I)智能卡或PC卡形式的加密令牌。

$ cryptographic component (I) A generic term for any system component that involves cryptography. (See: cryptographic module.)

$ 加密组件(I)涉及加密的任何系统组件的通用术语。(请参阅:加密模块。)

$ cryptographic hash See: (secondary definition under) hash function.

$ 加密散列请参阅:(第二个定义下)散列函数。

$ cryptographic ignition key (CIK) (I) A physical (usually electronic) token used to store, transport, and protect cryptographic keys. (Sometimes abbreviated as "crypto ignition key".)

$ 加密点火钥匙(CIK)(I)用于存储、传输和保护加密钥匙的物理(通常是电子)令牌。(有时缩写为“加密点火钥匙”。)

(C) A typical use is to divide a split key between a CIK and a cryptographic module, so that it is necessary to combine the two to regenerate a key-encrypting key and thus activate the module and other keys it contains.

(C) 典型的用途是在CIK和加密模块之间分割分割密钥,因此有必要将两者结合起来以重新生成密钥加密密钥,从而激活模块及其包含的其他密钥。

$ cryptographic key (I) Usually shortened to just "key". An input parameter that varies the transformation performed by a cryptographic algorithm.

$ 加密密钥(I)通常简称为“密钥”。一种输入参数,用于改变加密算法执行的转换。

(O) "A sequence of symbols that controls the operations of encipherment and decipherment." [I7498 Part 2]

(O) “控制加密和解密操作的一系列符号。”[I7498第2部分]

(C) If a key value needs to be kept secret, the sequence of symbols (usually bits) that comprise it should be random, or at least pseudo-random, because that makes the key hard for an adversary to guess. (See: cryptanalysis, brute force attack.)

(C) 如果一个密钥值需要保密,那么组成它的符号序列(通常是位)应该是随机的,或者至少是伪随机的,因为这使得对手很难猜出密钥。(参见:密码分析,暴力攻击。)

$ Cryptographic Message Syntax (CMS) (I) A encapsulation syntax for digital signatures, hashes, and encryption of arbitrary messages. [R2630]

$ 加密消息语法(CMS)(I)用于数字签名、哈希和任意消息加密的封装语法。[R2630]

(C) CMS was derived from PKCS #7. CMS values are specified with ASN.1 and use BER encoding. The syntax permits multiple encapsulation with nesting, permits arbitrary attributes to be signed along with message content, and supports a variety of architectures for digital certificate-based key management.

(C) CMS源于PKCS#7。CMS值由ASN.1指定,并使用BER编码。该语法允许使用嵌套进行多次封装,允许随消息内容一起签名任意属性,并支持各种基于数字证书的密钥管理体系结构。

$ cryptographic module (I) A set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the module's cryptographic boundary, which is an explicitly defined contiguous perimeter that establishes the physical bounds of the module. [FP140]

$ 加密模块(I)一组硬件、软件、固件或其组合,实现加密逻辑或过程,包括加密算法,并包含在模块的加密边界内,该边界是明确定义的连续边界,用于建立模块的物理边界。[FP140]

$ cryptographic system (I) A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.

$ 密码系统(I)一组密码算法和密钥管理过程,支持在某些应用环境中使用这些算法。

(C) This "I" definition covers a wider range of algorithms than the following "O" definition:

(C) 与以下“O”定义相比,“I”定义涵盖的算法范围更广:

(O) "A collection of transformations from plaintext into ciphertext and vice versa [which would exclude digital signature, cryptographic hash, and key agreement algorithms], the particular transformation(s) to be used being selected by keys. The transformations are normally defined by a mathematical algorithm." [X509]

(O) “从明文到密文的转换集合,反之亦然[不包括数字签名、加密散列和密钥协商算法],要使用的特定转换由密钥选择。这些转换通常由数学算法定义。”[X509]

$ cryptographic token (I) A portable, user-controlled, physical device used to store cryptographic information and possibly perform cryptographic functions. (See: cryptographic card, token.)

$ 加密令牌(I)一种便携式、用户控制的物理设备,用于存储加密信息并可能执行加密功能。(请参阅:加密卡、令牌。)

(C) A smart token may implement some set of cryptographic algorithms and may implement related algorithms and key management functions, such as a random number generator. A smart cryptographic token may contain a cryptographic module or may not be explicitly designed that way.

(C) 智能令牌可以实现一些密码算法集,并且可以实现相关算法和密钥管理功能,例如随机数生成器。智能加密令牌可以包含加密模块,也可以不以这种方式显式设计。

$ cryptography (I) The mathematical science that deals with transforming data to render its meaning unintelligible (i.e., to hide its semantic content), prevent its undetected alteration, or prevent its unauthorized use. If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form. (See: cryptology, steganography.)

$ 密码学(I)处理数据转换以使其含义无法理解(即隐藏其语义内容)、防止其未被检测到的更改或防止其未经授权的使用的数学科学。如果转换是可逆的,密码学还处理将加密数据恢复为可理解形式的问题。(参见:密码学、隐写术。)

      (O) "The discipline which embodies principles, means, and methods
      for the transformation of data in order to hide its information
      content, prevent its undetected modification and/or prevent its
      unauthorized use. . . . Cryptography determines the methods used
      in encipherment and decipherment." [I7498 Part 2]
        
      (O) "The discipline which embodies principles, means, and methods
      for the transformation of data in order to hide its information
      content, prevent its undetected modification and/or prevent its
      unauthorized use. . . . Cryptography determines the methods used
      in encipherment and decipherment." [I7498 Part 2]
        

$ Cryptoki See: (secondary definition under) PKCS #11.

$ Cryptoki见:(第二定义)PKCS#11。

$ cryptology (I) The science that includes both cryptography and cryptanalysis, and sometimes is said to include steganography.

$ 密码学(I)包括密码学和密码分析的科学,有时据说包括隐写术。

$ cryptonet (I) A group of system entities that share a secret cryptographic key for a symmetric algorithm.

$ cryptonet(I)为对称算法共享密钥的一组系统实体。

$ cryptoperiod (I) The time span during which a particular key is authorized to be used in a cryptographic system. (See: key management.)

$ 密码周期(I)特定密钥被授权在密码系统中使用的时间跨度。(请参阅:密钥管理。)

(C) A cryptoperiod is usually stated in terms of calendar or clock time, but sometimes is stated in terms of the maximum amount of data permitted to be processed by a cryptographic algorithm using the key. Specifying a cryptoperiod involves a tradeoff between the cost of rekeying and the risk of successful cryptanalysis.

(C) 加密周期通常以日历或时钟时间表示,但有时以使用密钥的加密算法允许处理的最大数据量表示。指定加密周期需要在密钥更新成本和成功密码分析风险之间进行权衡。

(C) Although we deprecate its prefix, this term is long-established in COMPUSEC usage. (See: crypto) In the context of certificates and public keys, "key lifetime" and "validity period" are often used instead.

(C) 虽然我们不赞成它的前缀,但这个术语在COMPUSEC的使用中由来已久。(参见:crypto)在证书和公钥的上下文中,通常使用“密钥生存期”和“有效期”。

$ cryptosystem (D) ISDs SHOULD NOT use this term as an abbreviation for cryptographic system. (For rationale, see: crypto.)

$ 密码系统(D)ISDs不应使用此术语作为密码系统的缩写。(有关基本原理,请参见:加密。)

$ CSIRT See: computer security incident response team.

$ CSIRT见:计算机安全事件响应团队。

$ CSOR See: Computer Security Objects Register.

$ CSOR请参阅:计算机安全对象注册表。

$ cut-and-paste attack (I) An active attack on the data integrity of ciphertext, effected by replacing sections of ciphertext with other ciphertext, such that the result appears to decrypt correctly but actually decrypts to plaintext that is forged to the satisfaction of the attacker.

$ 剪切粘贴攻击(I)对密文数据完整性的主动攻击,通过用其他密文替换密文部分来实现,从而使结果看起来正确解密,但实际上解密为伪造的明文,使攻击者满意。

$ cyclic redundancy check (CRC) (I) Sometimes called "cyclic redundancy code". A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected.

$ 循环冗余校验(CRC)(I)有时称为“循环冗余码”。一种校验和算法,它不是加密散列,但用于在预期数据会发生意外更改的情况下实现数据完整性服务。

$ DAC See: Data Authentication Code, discretionary access control.

$ DAC见:数据认证码,自主访问控制。

$ DASS See: Distributed Authentication Security Service.

$ DASS请参阅:分布式身份验证安全服务。

$ data (I) Information in a specific physical representation, usually a sequence of symbols that have meaning; especially a representation of information that can be processed or produced by a computer.

$ 数据(I)特定物理表示中的信息,通常是具有含义的符号序列;尤其是计算机可以处理或产生的信息的表示。

$ Data Authentication Algorithm (N) A keyed hash function equivalent to DES cipher block chaining with IV = 0. [A9009]

$ 数据认证算法(N)一个密钥哈希函数,相当于IV=0的DES密码块链。[A9009]

(D) ISDs SHOULD NOT use the uncapitalized form of this term as a synonym for other kinds of checksums.

(D) ISDs不应使用该术语的非大写形式作为其他类型校验和的同义词。

$ data authentication code vs. Data Authentication Code (DAC) 1. (N) Capitalized: "The Data Authentication Code" refers to a U.S. Government standard [FP113] for a checksum that is computed by the Data Authentication Algorithm. (Also known as the ANSI standard Message Authentication Code [A9009].)

$ 数据认证码与数据认证码(DAC)1。(N) 大写:“数据认证码”指由数据认证算法计算的校验和的美国政府标准[FP113]。(也称为ANSI标准消息验证码[A9009]。)

2. (D) Not capitalized: ISDs SHOULD NOT use "data authentication code" as a synonym for another kind of checksum, because this term mixes concepts in a potentially misleading way. (See: authentication code.) Instead, use "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum", depending on what is meant.

2. (D) 不大写:ISDs不应使用“数据认证码”作为另一种校验和的同义词,因为该术语以潜在误导的方式混合了概念。(请参阅:身份验证码。)根据其含义,使用“校验和”、“错误检测码”、“散列”、“密钥散列”、“消息身份验证码”或“受保护校验和”。

$ data compromise (I) A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information may have occurred. (See: compromise.)

$ 数据泄露(I)信息可能被未经授权的访问,从而可能发生未经授权的披露、更改或使用信息的安全事件。(见:妥协。)

$ data confidentiality (I) "The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]." [I7498 Part 2]. (See: data confidentiality service.)

$ 数据保密性(I)“信息不提供给未经授权的个人、实体或进程[即,任何未经授权的系统实体]或向其披露的财产”[I7498第2部分]。(请参阅:数据保密服务。)

(D) ISDs SHOULD NOT use this term as a synonym for "privacy", which is a different concept.

(D) ISDs不应将此术语用作“隐私”的同义词,这是一个不同的概念。

$ data confidentiality service (I) A security service that protects data against unauthorized disclosure. (See: data confidentiality.)

$ 数据保密服务(I)保护数据免受未经授权披露的安全服务。(见:数据保密。)

(D) ISDs SHOULD NOT use this term as a synonym for "privacy", which is a different concept.

(D) ISDs不应将此术语用作“隐私”的同义词,这是一个不同的概念。

$ Data Encryption Algorithm (DEA) (N) A symmetric block cipher, defined as part of the U.S. Government's Data Encryption Standard. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block. [FP046] (See: DES, symmetric cryptography.)

$ 数据加密算法(DEA)(N):一种对称分组密码,定义为美国政府数据加密标准的一部分。DEA使用一个64位密钥,其中56位是独立选择的,8位是奇偶校验位,并将一个64位块映射到另一个64位块。[FP046](参见:DES,对称加密。)

(C) This algorithm is usually referred to as "DES". The algorithm has also been adopted in standards outside the Government (e.g., [A3092]).

(C) 该算法通常称为“DES”。该算法也被政府以外的标准所采用(例如[A3092])。

$ data encryption key (DEK) (I) A cryptographic key that is used to encipher application data. (See: key-encrypting key.)

$ 数据加密密钥(DEK)(I)用于加密应用程序数据的加密密钥。(请参阅:密钥加密密钥。)

$ Data Encryption Standard (DES) (N) A U.S. Government standard [FP046] that specifies the Data Encryption Algorithm and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES, DEA.)

$ 数据加密标准(DES)(N)美国政府标准[FP046],规定了数据加密算法,并说明了使用该算法保护未分类敏感数据的政策。(见:AES,DEA)

$ data integrity (I) The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. (See: data integrity service.)

$ 数据完整性(I)数据未经授权或意外更改、销毁或丢失的属性。(请参阅:数据完整性服务。)

(O) "The property that information has not been modified or destroyed in an unauthorized manner." [I7498 Part 2]

(O) “未以未经授权的方式修改或销毁信息的财产。”[I7498第2部分]

(C) Deals with constancy of and confidence in data values, not with the information that the values represent (see: correctness integrity) or the trustworthiness of the source of the values (see: source integrity).

(C) 处理数据值的稳定性和可信度,而不是值所代表的信息(请参阅:正确性完整性)或值源的可信度(请参阅:源完整性)。

$ data integrity service (I) A security service that protects against unauthorized changes to data, including both intentional change or destruction and accidental change or loss, by ensuring that changes to data are detectable. (See: data integrity.)

$ 数据完整性服务(I)一种安全服务,通过确保可检测到数据更改,防止未经授权的数据更改,包括故意更改或破坏以及意外更改或丢失。(请参阅:数据完整性。)

(C) A data integrity service can only detect a change and report it to an appropriate system entity; changes cannot be prevented unless the system is perfect (error-free) and no malicious user has access. However, a system that offers data integrity service might also attempt to correct and recover from changes.

(C) 数据完整性服务只能检测更改并将其报告给适当的系统实体;除非系统完美(无错误)且没有恶意用户可以访问,否则无法阻止更改。但是,提供数据完整性服务的系统也可能尝试更正更改并从更改中恢复。

(C) Relationship between data integrity service and authentication services: Although data integrity service is defined separately from data origin authentication service and peer entity authentication service, it is closely related to them. Authentication services depend, by definition, on companion data integrity services. Data origin authentication service provides verification that the identity of the original source of a received data unit is as claimed; there can be no such verification if the data unit has been altered. Peer entity

(C) 数据完整性服务和身份验证服务之间的关系:虽然数据完整性服务与数据源身份验证服务和对等实体身份验证服务分开定义,但它与它们密切相关。根据定义,身份验证服务依赖于配套的数据完整性服务。数据源认证服务提供验证,以确认所接收数据单元的原始源的身份如所声称的那样;如果数据单元已更改,则无法进行此类验证。对等实体

authentication service provides verification that the identity of a peer entity in a current association is as claimed; there can be no such verification if the claimed identity has been altered.

身份验证服务验证当前关联中的对等实体的身份是否如声明的那样;如果声称的身份已被更改,则无法进行此类验证。

$ data origin authentication (I) "The corroboration that the source of data received is as claimed." [I7498 Part 2] (See: authentication.)

$ 数据来源认证(I)“对接收到的数据来源与所声称的一致的证实。”[I7498第2部分](见:认证。)

$ data origin authentication service (I) A security service that verifies the identity of a system entity that is claimed to be the original source of received data. (See: authentication, authentication service.)

$ 数据源身份验证服务(I)验证声称是接收数据原始源的系统实体身份的安全服务。(请参阅:身份验证、身份验证服务。)

(C) This service is provided to any system entity that receives or holds the data. Unlike peer entity authentication service, this service is independent of any association between the originator and the recipient, and the data in question may have originated at any time in the past.

(C) 此服务提供给接收或保存数据的任何系统实体。与对等实体身份验证服务不同,此服务独立于发端人和接收方之间的任何关联,并且所涉及的数据可能在过去的任何时间产生。

(C) A digital signature mechanism can be used to provide this service, because someone who does not know the private key cannot forge the correct signature. However, by using the signer's public key, anyone can verify the origin of correctly signed data.

(C) 数字签名机制可用于提供此服务,因为不知道私钥的人无法伪造正确的签名。但是,通过使用签名者的公钥,任何人都可以验证正确签名数据的来源。

(C) This service is usually bundled with connectionless data integrity service. (See: (relationship between data integrity service and authentication services under) data integrity service.

(C) 此服务通常与无连接数据完整性服务捆绑在一起。(请参阅:(数据完整性服务和身份验证服务之间的关系)数据完整性服务。

$ data privacy (D) ISDs SHOULD NOT use this term because it mix concepts in a potentially misleading way. Instead, use either "data confidentiality" or "privacy", depending on what is meant.

$ 数据隐私(D)ISDs不应使用此术语,因为它以潜在误导的方式混合了概念。取而代之的是使用“数据保密性”或“隐私”,具体取决于其含义。

$ data security (I) The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.

$ 数据安全(I)保护数据免受意外或故意但未经授权的披露、更改、破坏或丢失。

(C) Both data confidentiality service and data integrity service are needed to achieve data security.

(C) 为了实现数据安全,需要数据保密服务和数据完整性服务。

$ datagram (I) "A self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination." [R1983]

$ 数据报(I)“一个自包含、独立的数据实体,包含足够的信息,可以从源路由到目的地。”[R1983]

$ DEA See: Data Encryption Algorithm.

$ 数据加密算法。

$ deception See: (secondary definition under) threat consequence.

$ 欺骗见:(第二定义下)威胁后果。

$ decipher (D) ISDs SHOULD NOT use this term as a synonym for "decrypt", except in special circumstances. (See: (usage discussion under) encryption.)

$ 除特殊情况外,解密(D)ISDs不应将此术语用作“解密”的同义词。(请参阅:(加密下的用法讨论。)

$ decipherment (D) ISDs SHOULD NOT use this term as a synonym for "decryption", except in special circumstances. (See: (usage discussion under) encryption.)

$ 除特殊情况外,解密(D)ISDs不应将此术语用作“解密”的同义词。(请参阅:(加密下的用法讨论。)

$ decode (I) Convert encoded data back to its original form of representation. (See: decrypt.)

$ 解码(I)将编码数据转换回其原始表示形式。(请参阅:解密。)

(D) ISDs SHOULD NOT use this term as a synonym for "decrypt", because that would mix concepts in a potentially misleading way.

(D) ISDs不应使用该术语作为“解密”的同义词,因为这会以潜在误导的方式混淆概念。

$ decrypt (I) Cryptographically restore ciphertext to the plaintext form it had before encryption.

$ 解密(I)以加密方式将密文恢复为加密前的明文形式。

$ decryption See: (secondary definition under) encryption.

$ 解密请参阅:(第二个定义下)加密。

$ dedicated security mode (I) A mode of operation of an information system, wherein all users have the clearance or authorization, and the need-to-know, for all data handled by the system. In this mode, the system may handle either a single classification level or category of information or a range of levels and categories. [DOD2]

$ 专用安全模式(I)信息系统的一种运行模式,其中所有用户对系统处理的所有数据都有许可或授权,并且需要知道。在此模式下,系统可以处理单个分类级别或信息类别,也可以处理一系列级别和类别。[DOD2]

(C) This mode is defined formally in U.S. Department of Defense policy regarding system accreditation, but the term is also used outside the Defense Department and outside the Government.

(C) 该模式在美国国防部关于系统认证的政策中有正式定义,但该术语也在国防部和政府之外使用。

$ default account (I) A system login account (usually accessed with a user name and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service.

$ 默认帐户(I)系统登录帐户(通常使用用户名和密码访问),已在制造系统中预定义,以允许在系统首次投入使用时进行初始访问。

(C) Sometimes, the default user name and password are the same in each copy of the system. In any case, when the system is put into service, the default password should immediately be changed or the default account should be disabled.

(C) 有时,系统的每个副本中的默认用户名和密码都是相同的。在任何情况下,当系统投入使用时,应立即更改默认密码或禁用默认帐户。

$ degauss (N) Apply a magnetic field to permanently remove, erase, or clear data from a magnetic storage medium, such as a tape or disk [NCS25]. Reduce magnetic flux density to zero by applying a reversing magnetic field.

$ 消磁(N)施加磁场,以从磁带或磁盘等磁性存储介质中永久删除、擦除或清除数据[NCS25]。通过施加反向磁场将磁通密度降至零。

$ degausser (N) An electrical device that can degauss magnetic storage media.

$ 消磁器(N):一种可以对磁性存储介质进行消磁的电气设备。

$ DEK See: data encryption key.

$ 请参阅:数据加密密钥。

$ delta CRL (I) A partial CRL that only contains entries for X.509 certificates that have been revoked since the issuance of a prior, base CRL. This method can be used to partition CRLs that become too large and unwieldy.

$ delta CRL(I)仅包含X.509证书条目的部分CRL,该证书自先前的基本CRL发布以来已被撤销。此方法可用于对变得过大和不实用的CRL进行分区。

$ denial of service (I) The prevention of authorized access to a system resource or the delaying of system operations and functions. (See: availability, critical (resource of a system), flooding.)

$ 拒绝服务(I)阻止对系统资源的授权访问或延迟系统操作和功能。(请参阅:可用性、关键(系统资源)、泛洪。)

$ DES See: Data Encryption Standard.

$ DES见:数据加密标准。

$ dictionary attack (I) An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.

$ 字典攻击(I)一种使用蛮力技术的攻击,即连续尝试某个大型、详尽列表中的所有单词。

(C) For example, an attack on an authentication service by trying all possible passwords; or an attack on encryption by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup.

(C) 例如,通过尝试所有可能的密码对身份验证服务进行攻击;或者通过使用所有可能的密钥加密某些已知的明文短语,从而通过查找获得包含该短语的任何给定加密消息的密钥,从而对加密进行攻击。

$ Diffie-Hellman (N) A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].

$ Diffie-Hellman(N)一种密钥协商算法,由Whitfield Diffie和Martin Hellman于1976年发表[DH76,R2631]。

(C) Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

(C) Diffie Hellman负责密钥建立,而不是加密。但是,它生成的密钥可用于加密、进一步的密钥管理操作或任何其他加密。

(C) The difficulty of breaking Diffie-Hellman is considered to be equal to the difficulty of computing discrete logarithms modulo a large prime. The algorithm is described in [R2631] and [Schn]. In brief, Alice and Bob together pick large integers that satisfy

(C) 打破Diffie-Hellman的困难被认为等于计算大素数模的离散对数的困难。[R2631]和[Schn]中描述了该算法。简言之,Alice和Bob一起选择满足以下条件的大整数

certain mathematical conditions, and then use the integers to each separately compute a public-private key pair. They send each other their public key. Each person uses their own private key and the other person's public key to compute a key, k, that, because of the mathematics of the algorithm, is the same for each of them. Passive wiretapping cannot learn the shared k, because k is not transmitted, and neither are the private keys needed to compute k. However, without additional mechanisms to authenticate each party to the other, a protocol based on the algorithm may be vulnerable to a man-in-the-middle attack.

特定的数学条件,然后使用每个整数分别计算一个公钥-私钥对。他们互相发送公钥。每个人都使用自己的私钥和另一个人的公钥来计算一个密钥k,由于算法的数学性,该密钥对于他们每个人都是相同的。被动窃听无法学习共享k,因为k不被传输,计算k所需的私钥也不被传输。然而,如果没有额外的机制来向另一方验证每一方,基于该算法的协议可能容易受到中间人攻击。

$ digest See: message digest.

$ 摘要请参阅:消息摘要。

$ digital certificate (I) A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, capability, public-key certificate.)

$ 数字证书(I)数字数据对象(计算机使用的数据对象)形式的证书文档,其附加了依赖于该数据对象的计算数字签名值。(请参阅:属性证书、功能、公钥证书。)

(D) ISDs SHOULD NOT use this term to refer to a signed CRL or CKL. Although the recommended definition can be interpreted to include those items, the security community does not use the term with those meanings.

(D) ISDs不应使用此术语来指代签名的CRL或CKL。虽然建议的定义可以解释为包括这些项目,但安全界不使用具有这些含义的术语。

$ digital certification (D) ISDs SHOULD NOT use this term as a synonym for "certification", unless the context is not sufficient to distinguish between digital certification and another kind of certification, in which case it would be better to use "public-key certification" or another phrase that indicates what is being certified.

$ 数字认证(D)ISDs不应使用该术语作为“认证”的同义词,除非上下文不足以区分数字认证和另一种认证,在这种情况下,最好使用“公钥认证”或另一个表示认证内容的短语。

$ digital document (I) An electronic data object that represents information originally written in a non-electronic, non-magnetic medium (usually ink on paper) or is an analogue of a document of that type.

$ 数字文档(I)一种电子数据对象,表示最初在非电子、非磁性介质(通常为纸张上的墨水)中写入的信息,或类似于该类型文档的信息。

$ digital envelope (I) A digital envelope for a recipient is a combination of (a) encrypted content data (of any kind) and (b) the content encryption key in an encrypted form that has been prepared for the use of the recipient.

$ 数字信封(I)收件人的数字信封是(A)加密内容数据(任何类型)和(b)为收件人使用而准备的加密形式的内容加密密钥的组合。

(C) In ISDs, this term should be defined at the point of first use because, although the term is defined in PKCS #7 and used in S/MIME, it is not yet widely established.

(C) 在ISDs中,该术语应在首次使用时定义,因为尽管该术语在PKCS#7中定义并在S/MIME中使用,但尚未广泛确立。

(C) Digital enveloping is not simply a synonym for implementing data confidentiality with encryption; digital enveloping is a hybrid encryption scheme to "seal" a message or other data, by encrypting the data and sending both it and a protected form of the key to the intended recipient, so that no one other than the intended recipient can "open" the message. In PCKS #7, it means first encrypting the data using a symmetric encryption algorithm and a secret key, and then encrypting the secret key using an asymmetric encryption algorithm and the public key of the intended recipient. In S/MIME, additional methods are defined for conveying the content encryption key.

(C) 数字信封不仅仅是用加密实现数据保密的同义词;数字信封是一种混合加密方案,通过加密数据并将其和受保护的密钥形式发送给预期收件人,“密封”邮件或其他数据,以便除预期收件人以外的任何人都无法“打开”邮件。在PCKS#7中,这意味着首先使用对称加密算法和密钥对数据进行加密,然后使用非对称加密算法和预期收件人的公钥对密钥进行加密。在S/MIME中,定义了用于传输内容加密密钥的其他方法。

$ Digital ID(service mark) (D) ISDs SHOULD NOT use this term as a synonym for "digital certificate" because (a) it is the service mark of a commercial firm, (b) it unnecessarily duplicates the meaning of other, well-established terms, and (c) a certificate is not always used as authentication information. In some contexts, however, it may be useful to explain that the key conveyed in a public-key certificate can be used to verify an identity and, therefore, that the certificate can be thought of as digital identification information. (See: identification information.)

$ 数字标识(服务标志)(D)ISDs不应将此术语用作“数字证书”的同义词,因为(a)它是商业公司的服务标志,(b)它不必要地重复了其他公认术语的含义,以及(c)证书并非始终用作身份验证信息。然而,在一些上下文中,解释公钥证书中传送的密钥可用于验证身份,因此,证书可被视为数字标识信息可能是有用的。(请参阅:标识信息。)

$ digital key (C) The adjective "digital" need not be used with "key" or "cryptographic key", unless the context is insufficient to distinguish the digital key from another kind of key, such as a metal key for a door lock.

$ 数字钥匙(C)形容词“数字”无需与“钥匙”或“加密钥匙”一起使用,除非上下文不足以区分数字钥匙与其他钥匙,如门锁金属钥匙。

$ digital notary (I) Analogous to a notary public. Provides a trusted date-and-time stamp for a document, so that someone can later prove that the document existed at a point in time. May also verify the signature(s) on a signed document before applying the stamp. (See: notarization.)

$ 数字公证(I)类似于公证人。为文档提供受信任的日期和时间戳,以便稍后有人可以证明文档在某个时间点存在。也可在加盖印章前验证已签署文件上的签名。(见:公证)

$ digital signature (I) A value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity. (See: data origin authentication service, data integrity service, digitized signature, electronic signature, signer.)

$ 数字签名(I)通过加密算法计算并附加到数据对象上的值,其方式是数据的任何接收者都可以使用签名来验证数据的来源和完整性。(参见:数据来源认证服务、数据完整性服务、数字化签名、电子签名、签名人。)

(I) "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient." [I7498 Part 2]

(一) “附加到数据单元的数据或数据单元的加密转换,允许数据单元的接收者证明数据单元的来源和完整性,并防止伪造(例如由接收者伪造)。[I7498第2部分]

(C) Typically, the data object is first input to a hash function, and then the hash result is cryptographically transformed using a private key of the signer. The final resulting value is called the digital signature of the data object. The signature value is a protected checksum, because the properties of a cryptographic hash ensure that if the data object is changed, the digital signature will no longer match it. The digital signature is unforgeable because one cannot be certain of correctly creating or changing the signature without knowing the private key of the supposed signer.

(C) 通常,首先将数据对象输入到哈希函数,然后使用签名者的私钥对哈希结果进行加密转换。最终的结果值称为数据对象的数字签名。签名值是受保护的校验和,因为加密散列的属性确保如果数据对象发生更改,数字签名将不再匹配它。数字签名是不可伪造的,因为在不知道假定签名人的私钥的情况下,无法确定是否正确创建或更改签名。

(C) Some digital signature schemes use a asymmetric encryption algorithm (e.g., see: RSA) to transform the hash result. Thus, when Alice needs to sign a message to send to Bob, she can use her private key to encrypt the hash result. Bob receives both the message and the digital signature. Bob can use Alice's public key to decrypt the signature, and then compare the plaintext result to the hash result that he computes by hashing the message himself. If the values are equal, Bob accepts the message because he is certain that it is from Alice and has arrived unchanged. If the values are not equal, Bob rejects the message because either the message or the signature was altered in transit.

(C) 一些数字签名方案使用非对称加密算法(例如,请参阅:RSA)来转换哈希结果。因此,当Alice需要对发送给Bob的消息进行签名时,她可以使用私钥对哈希结果进行加密。Bob接收消息和数字签名。Bob可以使用Alice的公钥对签名进行解密,然后将明文结果与他自己对消息进行散列计算的散列结果进行比较。如果值相等,Bob接受该消息,因为他确定该消息来自Alice,并且没有更改。如果值不相等,Bob将拒绝该消息,因为消息或签名在传输过程中被更改。

(C) Other digital signature schemes (e.g., see: DSS) transform the hash result with an algorithm (e.g., see: DSA, El Gamal) that cannot be directly used to encrypt data. Such a scheme creates a signature value from the hash and provides a way to verify the signature value, but does not provide a way to recover the hash result from the signature value. In some countries, such a scheme may improve exportability and avoid other legal constraints on usage.

(C) 其他数字签名方案(例如,see:DSS)使用无法直接用于加密数据的算法(例如,see:DSA,El Gamal)转换哈希结果。这样的方案从散列创建签名值,并提供验证签名值的方法,但不提供从签名值恢复散列结果的方法。在一些国家,这样的计划可以提高出口能力,并避免对使用的其他法律限制。

$ Digital Signature Algorithm (DSA) (N) An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: Digital Signature Standard.)

$ 数字签名算法(DSA)(N):一种非对称密码算法,产生一对大数形式的数字签名。签名使用规则和参数进行计算,以便验证签名者的身份和签名数据的完整性。(请参阅:数字签名标准。)

$ Digital Signature Standard (DSS) (N) The U.S. Government standard [FP186] that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.

$ 数字签名标准(DSS)(N)规定数字签名算法(DSA)的美国政府标准[FP186],该算法涉及非对称加密。

$ digital watermarking (I) Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data--text, graphics, images, video, or audio--and for detecting or extracting the marks later.

$ 数字水印(I)在数字数据(文本、图形、图像、视频或音频)中以位的形式不可分割地嵌入不引人注目的标记或标签,并在以后检测或提取标记的计算技术。

(C) The set of embedded bits (the digital watermark) is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights. [ACM]

(C) 嵌入位的集合(数字水印)有时是隐藏的,通常是不可察觉的,并且总是不引人注目。根据所使用的特定技术,数字水印可以帮助证明所有权、控制复制、跟踪分发、确保数据完整性以及执行其他保护知识产权的功能。[ACM]

$ digitized signature (D) ISDs SHOULD NOT use this term because there is no current consensus on its definition. Although it appears to be used mainly to refer to various forms of digitized images of handwritten signatures, the term should be avoided because it might be confused with "digital signature".

$ 数字签名(D)ISDs不应使用此术语,因为目前对其定义尚无共识。虽然它似乎主要用于指手写签名的各种形式的数字化图像,但应避免使用该术语,因为它可能与“数字签名”混淆。

$ directory $ Directory See: directory vs. Directory.

$ 目录$directory请参阅:目录与目录。

$ Directory Access Protocol (DAP) (N) An OSI protocol [X519] for communication between a Directory User Agent (a client) and a Directory System Agent (a server). (See: Lightweight Directory Access Protocol.)

$ 目录访问协议(DAP)(N)用于目录用户代理(客户端)和目录系统代理(服务器)之间通信的OSI协议[X519]。(请参阅:轻型目录访问协议。)

$ directory vs. Directory 1. (I) Not capitalized: The term "directory" refers generically to a database server or other system that provides information--such as a digital certificate or CRL--about an entity whose name is known.

$ 目录与目录1。(一) 不大写:术语“目录”一般指数据库服务器或其他系统,提供有关已知名称实体的信息(如数字证书或CRL)。

2. (I) Capitalized: "Directory" refers specifically to the X.500 Directory. (See: repository.)

2. (一) 大写:“目录”特别指X.500目录。(请参阅:存储库。)

$ disaster plan (D) A synonym for "contingency plan". In the interest of consistency, ISDs SHOULD use "contingency plan" instead of "disaster plan".

$ 灾难计划(D)“应急计划”的同义词。为了保持一致性,政府新闻处应使用“应急计划”而不是“灾难计划”。

$ disclosure (i.e., unauthorized disclosure) See: (secondary definition under) threat consequence.

$ 披露(即未经授权的披露)见:(威胁后果下的二级定义)。

$ discretionary access control (DAC) (I) An access control service that enforces a security policy based on the identity of system entities and their authorizations to access system resources. (See: access control list, identity-based security policy, mandatory access control.)

$ 自主访问控制(DAC)(I)一种访问控制服务,根据系统实体的身份及其访问系统资源的授权来实施安全策略。(请参阅:访问控制列表、基于身份的安全策略、强制访问控制。)

(C) This service is termed "discretionary" because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

(C) 这项服务被称为“自由裁量”,因为一个实体可能拥有访问权限,允许该实体自愿允许另一个实体访问某些资源。

(O) "A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject." [DOD1]

(O) “基于对象和/或对象所属群体的身份限制对象访问的一种方式。控制是自由裁量的,即具有特定访问权限的对象能够将该权限(可能间接)传递给任何其他主体。”[DOD1]

$ disruption See: (secondary definition under) threat consequence.

$ 破坏见:(第二定义下)威胁后果。

$ Distinguished Encoding Rules (DER) (N) A subset of the Basic Encoding Rules, which gives exactly one way to represent any ASN.1 value as an octet string [X690].

$ 可分辨编码规则(DER)(N)基本编码规则的子集,它提供了一种将任何ASN.1值表示为八位字节字符串的方法[X690]。

(C) Since there is more than one way to encode ASN.1 in BER, DER is used in applications in which a unique encoding is needed, such as when a digital signature is computed on an ASN.1 value.

(C) 由于在BER中对ASN.1进行编码的方法不止一种,因此DER用于需要唯一编码的应用中,例如在ASN.1值上计算数字签名时。

$ distinguished name (DN) (I) An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (See: domain name.)

$ 可分辨名称(DN)(I)唯一表示X.500目录信息树(DIT)中对象的标识符[X501]。(请参阅:域名。)

(C) A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.

(C) DN是一组属性值,用于标识从DIT底部到命名对象的路径。X.509公钥证书或CRL包含标识其颁发者的DN,X.509属性证书包含标识其主题的DN或其他形式的名称。

$ Distributed Authentication Security Service (DASS) (I) An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.

$ 分布式身份验证安全服务(DASS)(I)一种实验性互联网协议[R1507],它使用加密机制在分布式环境中提供强大的相互身份验证服务。

$ distribution point (I) An X.500 Directory entry or other information source that is named in a v3 X.509 public-key certificate extension as a location from which to obtain a CRL that might list the certificate.

$ 分发点(I)在v3 X.509公钥证书扩展名中命名的X.500目录项或其他信息源,作为获取可能列出证书的CRL的位置。

(C) A v3 X.509 public-key certificate may have a "cRLDistributionPoints" extension that names places to get CRLs on which the certificate might be listed. A CRL obtained from a distribution point may (a) cover either all reasons for which a certificate might be revoked or only some of the reasons, (b) be issued by either the authority that signed the certificate or some

(C) v3 X.509公钥证书可能有一个“cRLDistributionPoints”扩展名,该扩展名指定了获取证书可能列出的CRL的位置。从分发点获得的CRL可能(A)涵盖证书可能被撤销的所有原因,或仅包括部分原因,(b)由签署证书的机构或其他机构颁发

other authority, and (c) contain revocation entries for only a subset of the full set of certificates issued by one CA or (c') contain revocation entries for multiple CAs.

其他授权,和(c)仅包含一个CA颁发的全套证书的子集的撤销条目,或(c')包含多个CA的撤销条目。

$ DN See: distinguished name.

$ 请参阅:可分辨名称。

$ DNS See: Domain Name System.

$ DNS请参阅:域名系统。

$ DOI See: Domain of Interpretation.

$ DOI See:解释领域。

$ domain (I) Security usage: An environment or context that is defined by a security policy, security model, or security architecture to include a set of system resources and the set of system entities that have the right to access the resources. (See: domain of interpretation, security perimeter.)

$ 域(I)安全使用:由安全策略、安全模型或安全体系结构定义的环境或上下文,包括一组系统资源和一组有权访问资源的系统实体。(见:解释领域,安全周界。)

(I) Internet usage: That part of the Internet domain name space tree [R1034] that is at or below the name the specifies the domain. A domain is a subdomain of another domain if it is contained within that domain. For example, D.C.B.A is a subdomain of C.B.A. (See: Domain Name System.)

(一) Internet使用情况:Internet域名空间树[R1034]中位于指定域名称处或下方的部分。如果一个域包含在另一个域中,则该域是该域的子域。例如,D.C.B.A是C.B.A的子域(请参阅:域名系统)

(O) MISSI usage: The domain of a MISSI CA is the set of MISSI users whose certificates are signed by the CA.

(O) MSI用法:MSI CA的域是其证书由CA签名的一组MSI用户。

(O) OSI usage: An administrative partition of a complex distributed OSI system.

(O) OSI使用:复杂分布式OSI系统的管理分区。

$ domain name (I) The style of identifier--a sequence of case-insensitive ASCII labels separated by dots ("bbn.com.")--defined for subtrees in the Internet Domain Name System [R1034] and used in other Internet identifiers, such as host names (e.g., "rosslyn.bbn.com."), mailbox names (e.g., "rshirey@bbn.com."), and URLs (e.g., "http://www.rosslyn.bbn.com/foo"). (See: distinguished name, domain.)

$ 域名(I)标识符的样式——由点分隔的一系列不区分大小写的ASCII标签(“bbn.com”)——为互联网域名系统[R1034]中的子树定义,并用于其他互联网标识符,如主机名(如“rosslyn.bbn.com”)、邮箱名(如rshirey@bbn.com.)和URL(例如。,"http://www.rosslyn.bbn.com/foo)(请参阅:可分辨名称、域。)

(C) The domain name space of the DNS is a tree structure in which each node and leaf holds records describing a resource. Each node has a label. The domain name of a node is the list of labels on the path from the node to the root of the tree. The labels in a domain name are printed or read left to right, from the most specific (lowest, farthest from the root) to the least specific (highest, closest to the root). The root's label is the null

(C) DNS的域名空间是一个树形结构,其中每个节点和叶都保存描述资源的记录。每个节点都有一个标签。节点的域名是从节点到树根的路径上的标签列表。域名中的标签从左到右打印或读取,从最特定的(最低的,离根最远的)到最不特定的(最高的,离根最近的)。根的标签为空

string, so a complete domain name properly ends in a dot. The top-level domains, those immediately below the root, include COM, EDU, GOV, INT, MIL, NET, ORG, and two-letter country codes (such as US) from ISO-3166. [R1591] (See: country code.)

字符串,因此完整的域名正确地以点结尾。顶级域,即根目录下的域,包括COM、EDU、GOV、INT、MIL、NET、ORG和ISO-3166中的两个字母的国家代码(如美国)。[R1591](参见:国家代码。)

$ Domain Name System (DNS) (I) The main Internet operations database, which is distributed over a collection of servers and used by client software for purposes such as translating a domain name-style host name into an IP address (e.g., "rosslyn.bbn.com" is "192.1.7.10") and locating a host that accepts mail for some mailbox address. [R1034]

$ 域名系统(DNS)(I)主要的互联网操作数据库,分布在一组服务器上,由客户端软件用于将域名样式的主机名转换为IP地址(例如,“rosslyn.bbn.com”是“192.1.7.10”),并定位接受某个邮箱地址邮件的主机。[R1034]

(C) The DNS has three major components:

(C) DNS有三个主要组件:

- Domain name space and resource records: Specifications for the tree-structured domain name space, and data associated with the names.

- 域名空间和资源记录:树状结构域名空间的规范,以及与名称关联的数据。

- Name servers: Programs that hold information about a subset of the tree's structure and data holdings, and also hold pointers to other name servers that can provide information from any part of the tree.

- 名称服务器:保存有关树的结构和数据的子集的信息的程序,还保存指向其他名称服务器的指针,这些名称服务器可以提供来自树的任何部分的信息。

- Resolvers: Programs that extract information from name servers in response to client requests; typically, system routines directly accessible to user programs.

- 解析程序:根据客户端请求从名称服务器提取信息的程序;通常,用户程序可以直接访问系统例程。

(C) Extensions to the DNS [R2065, R2137, R2536] support (a) key distribution for public keys needed for the DNS and for other protocols, (b) data origin authentication service and data integrity service for resource records, (c) data origin authentication service for transactions between resolvers and servers, and (d) access control of records.

(C) DNS[R2065、R2137、R2536]的扩展支持(a)DNS和其他协议所需公钥的密钥分发,(b)资源记录的数据源身份验证服务和数据完整性服务,(C)解析程序和服务器之间事务的数据源身份验证服务,以及(d)记录的访问控制。

$ domain of interpretation (DOI) (I) IPsec usage: An ISAKMP/IKE DOI defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes.

$ 解释域(DOI)(I)IPsec用法:ISAKMP/IKE DOI定义有效负载格式、交换类型和命名安全相关信息(如安全策略或加密算法和模式)的约定。

(C) For example, see [R2407]. The DOI concept is based on work by the TSIG's CIPSO Working Group.

(C) 例如,请参见[R2407]。内政部的概念基于TSIG的CIPSO工作组的工作。

$ dominate (I) Security level A is said to "dominate" security level B if the hierarchical classification level of A is greater (higher) than or equal to that of B and the nonhierarchical categories of A include all of those of B.

$ 主导(I)如果A的分级分类级别大于(高于)或等于B,且A的非分级类别包括B的所有类别,则称A的安全级别为“主导”安全级别B。

$ dongle (I) A portable, physical, electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)

$ 加密狗(I):一种便携式物理电子设备,需要连接到计算机上才能运行特定的软件程序。(请参阅:令牌。)

(C) A dongle is essentially a physical key used for copy protection of software, because the program will not run unless the matching dongle is attached. When the software runs, it periodically queries the dongle and quits if the dongle does not reply with the proper authentication information. Dongles were originally constructed as an EPROM (erasable programmable read-only memory) to be connected to a serial input-output port of a personal computer.

(C) 加密狗本质上是用于软件复制保护的物理密钥,因为除非连接匹配的加密狗,否则程序不会运行。当软件运行时,它会定期查询加密狗,如果加密狗没有使用正确的身份验证信息进行回复,它就会退出。加密狗最初被构造为一个EPROM(可擦除可编程只读存储器),连接到个人计算机的串行输入输出端口。

$ downgrade (I) Reduce the classification level of information in an authorized manner.

$ 降级(I)以授权的方式降低信息的分类级别。

$ draft RFC (D) ISDs SHOULD NOT use this term, because the Request for Comment series is archival in nature and does not have a "draft" category. (Instead, see: Internet Draft, Draft Standard (in Internet Standard).)

$ RFC(D)ISD草案不应使用这一术语,因为征求意见系列是存档性质的,没有“草案”类别。(请参见:互联网草案,标准草案(在互联网标准中)。)

$ DSA See: Digital Signature Algorithm.

$ DSA见:数字签名算法。

$ DSS See: Digital Signature Standard.

$ DSS见:数字签名标准。

$ dual control (I) A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. (See: no-lone zone, separation of duties, split knowledge.)

$ 双重控制(I)一种程序,使用两个或多个实体(通常是人员)协同工作来保护系统资源,这样,任何单独行动的实体都无法访问该资源。(参见:无单独区域、职责分离、知识分离。)

$ dual signature (D) ISDs SHOULD NOT use this term except when stated as "SET(trademark) dual signature" with the following meaning:

$ 双重签名(D)ISDs不应使用本术语,除非声明为具有以下含义的“SET(商标)双重签名”:

(O) SET usage: A single digital signature that protects two separate messages by including the hash results for both sets in a single encrypted value. [SET2]

(O) 集合用法:通过在单个加密值中包含两个集合的哈希结果来保护两个独立消息的单个数字签名。[SET2]

(C) Generated by hashing each message separately, concatenating the two hash results, and then hashing that value and encrypting the result with the signer's private key. Done to reduce the number of encryption operations and to enable verification of data integrity without complete disclosure of the data.

(C) 通过分别对每条消息进行散列、连接两个散列结果,然后对该值进行散列并使用签名者的私钥对结果进行加密来生成。这样做是为了减少加密操作的数量,并在不完全披露数据的情况下验证数据的完整性。

$ EAP See: Extensible Authentication Protocol

$ EAP请参阅:可扩展身份验证协议

$ eavesdropping (I) Passive wiretapping done secretly, i.e., without the knowledge of the originator or the intended recipients of the communication.

$ 窃听(I)秘密进行的被动窃听,即在通信发端人或预期接收人不知情的情况下进行。

$ ECB See: electronic codebook.

$ 欧洲央行见:电子码本。

$ ECDSA See: Elliptic Curve Digital Signature Algorithm.

$ ECDSA参见:椭圆曲线数字签名算法。

$ economy of mechanism (I) The principle that each security mechanism should be designed to be as simple as possible, so that the mechanism can be correctly implemented and so that it can be verified that the operation of the mechanism enforces the containing system's security policy. (See: least privilege.)

$ 机制的经济性(I)每个安全机制的设计原则应尽可能简单,以便正确实施该机制,并验证该机制的运行是否强制执行了包含系统的安全策略。(请参阅:最低特权。)

$ EDI See: electronic data interchange.

$ EDI见:电子数据交换。

$ EDIFACT See: (secondary definition under) electronic data interchange.

$ EDIFACT见:(第二定义)电子数据交换。

$ EE (D) ISDs SHOULD NOT use this abbreviation because of possible confusion among "end entity", "end-to-end encryption", "escrowed encryption standard", and other terms.

$ EE(D)ISDs不应使用此缩写,因为“终端实体”、“端到端加密”、“托管加密标准”和其他术语可能会混淆。

$ EES See: Escrowed Encryption Standard.

$ EES见:托管加密标准。

$ El Gamal algorithm (N) An algorithm for asymmetric cryptography, invented in 1985 by Taher El Gamal, that is based on the difficulty of calculating discrete logarithms and can be used for both encryption and digital signatures. [ElGa, Schn]

$ El-Gamal算法(N):Taher El-Gamal于1985年发明的一种非对称加密算法,该算法基于计算离散对数的困难,可用于加密和数字签名。[埃尔加,施恩]

$ electronic codebook (ECB) (I) An block cipher mode in which a plaintext block is used directly as input to the encryption algorithm and the resultant output block is used directly as ciphertext [FP081].

$ 电子码本(ECB)(I)一种分组密码模式,其中明文块直接用作加密算法的输入,生成的输出块直接用作密文[FP081]。

$ electronic commerce (I) General usage: Business conducted through paperless exchanges of information, using electronic data interchange, electronic funds transfer (EFT), electronic mail, computer bulletin boards, facsimile, and other paperless technologies.

$ 电子商务(I)一般用途:通过无纸信息交换、电子数据交换、电子资金转账(EFT)、电子邮件、计算机公告栏、传真和其他无纸技术进行的业务。

(O) SET usage: "The exchange of goods and services for payment between the cardholder and merchant when some or all of the transaction is performed via electronic communication." [SET2]

(O) SET用法:“当部分或全部交易通过电子通信进行时,持卡人和商户之间交换商品和服务进行支付。”[SET2]

$ electronic data interchange (EDI) (I) Computer-to-computer exchange, between trading partners, of business data in standardized document formats.

$ 电子数据交换(EDI)(I)贸易伙伴之间以标准文件格式进行的商业数据的计算机对计算机交换。

(C) EDI formats have been standardized primarily by ANSI X12 and by EDIFACT (EDI for Administration, Commerce, and Transportation), which is an international, UN-sponsored standard primarily used in Europe and Asia. X12 and EDIFACT are aligning to create a single, global EDI standard.

(C) EDI格式主要由ANSI X12和EDIFACT(用于行政、商业和运输的EDI)标准化,这是一种主要在欧洲和亚洲使用的联合国赞助的国际标准。X12和EDIFACT正在联合起来创建一个单一的全球EDI标准。

$ electronic signature (D) ISDs SHOULD NOT use this term because there is no current consensus on its definition. (Instead, see: digital signature.)

$ 电子签名(D)ISDs不应使用这一术语,因为目前尚未就其定义达成共识。(请参见:数字签名。)

$ elliptic curve cryptography (ECC) (I) A type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve.

$ 椭圆曲线密码术(ECC)(I)一种基于由曲线上的点定义的群的数学的非对称密码术。

(C) The most efficient implementation of ECC is claimed to be stronger per bit of key (against cryptanalysis that uses a brute force attack) than any other known form of asymmetric cryptography. ECC is based on mathematics different than the kinds originally used to define the Diffie-Hellman algorithm and the Digital Signature Algorithm. ECC is based on the mathematics of groups defined by the points on a curve, where the curve is defined by a quadratic equation in a finite field. ECC can be used to define both an algorithm for key agreement that is an analog of Diffie-Hellman and an algorithm for digital signature that is an analog of DSA. (See: ECDSA.)

(C) ECC最有效的实现据说比任何其他已知形式的非对称加密都更强大(针对使用蛮力攻击的密码分析)。ECC基于不同于最初用于定义Diffie-Hellman算法和数字签名算法的数学。ECC基于由曲线上的点定义的群的数学,其中曲线由有限域中的二次方程定义。ECC可用于定义类似Diffie-Hellman的密钥协商算法和类似DSA的数字签名算法。(见:ECDSA)

$ Elliptic Curve Digital Signature Algorithm (ECDSA) (N) A standard [A9062] that is the elliptic curve cryptography analog of the Digital Signature Algorithm.

$ 椭圆曲线数字签名算法(ECDSA)(N)一种标准[A9062],它是数字签名算法的椭圆曲线密码模拟。

$ emanation (I) An signal (electromagnetic, acoustic, or other medium) that is emitted by a system (through radiation or conductance) as a consequence (i.e., byproduct) of its operation, and that may contain information. (See: TEMPEST.)

$ 发射(I)系统(通过辐射或电导)因其运行(即副产品)而发射的信号(电磁、声学或其他介质),可能包含信息。(见《暴风雨》)

$ emanations security (EMSEC) (I) Physical constraints to prevent information compromise through signals emanated by a system, particular the application of TEMPEST technology to block electromagnetic radiation.

$ 发射安全(EMSEC)(I)物理约束,以防止通过系统发射的信号泄露信息,特别是应用TEMPEST技术阻止电磁辐射。

$ emergency plan (D) A synonym for "contingency plan". In the interest of consistency, ISDs SHOULD use "contingency plan" instead of "emergency plan".

$ 应急计划(D)“应急计划”的同义词。为了保持一致性,政府新闻处应使用“应急计划”而不是“应急计划”。

$ EMSEC See: emanations security.

$ EMSEC见:辐射安全。

$ EMV (I) An abbreviation of "Europay, MasterCard, Visa". Refers to a specification for smart cards that are used as payment cards, and for related terminals and applications. [EMV1, EMV2, EMV3]

$ EMV(I)“Europay、万事达卡、Visa”的缩写。指用作支付卡的智能卡以及相关终端和应用程序的规范。[EMV1、EMV2、EMV3]

$ Encapsulating Security Payload (ESP) (I) An Internet IPsec protocol [R2406] designed to provide a mix of security services--especially data confidentiality service--in the Internet Protocol. (See: Authentication Header.)

$ 封装安全有效载荷(ESP)(I)互联网IPsec协议[R2406],旨在在互联网协议中提供混合的安全服务,特别是数据保密服务。(请参阅:身份验证标头。)

(C) ESP may be used alone, or in combination with the IPsec AH protocol, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. The ESP header is encapsulated by the IP header, and the ESP header encapsulates either the upper layer protocol header (transport mode) or an IP header (tunnel mode). ESP can provide data confidentiality service, data origin authentication service, connectionless data integrity service, an anti-replay service, and limited traffic flow confidentiality. The set of services depends on the placement of the implementation and on options selected when the security association is established.

(C) ESP可以单独使用,也可以与IPsec AH协议结合使用,或者以嵌套方式与隧道结合使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP报头由IP报头封装,ESP报头封装上层协议报头(传输模式)或IP报头(隧道模式)。ESP可以提供数据保密服务、数据源身份验证服务、无连接数据完整性服务、防重放服务和有限流量保密性。服务集取决于实现的位置以及在建立安全关联时选择的选项。

$ encipher (D) ISDs SHOULD NOT use this term as a synonym for "encrypt". However, see the usage note under "encryption".

$ 加密(D)ISDs不应将此术语用作“加密”的同义词。但是,请参见“加密”下的用法说明。

$ encipherment (D) ISDs SHOULD NOT use this term as a synonym for "encryption", except in special circumstances that are explained in the usage discussion under "encryption".

$ 加密(D)ISDs不应将此术语用作“加密”的同义词,除非在“加密”下的用法讨论中解释的特殊情况下。

$ encode (I) Use a system of symbols to represent information, which might originally have some other representation. (See: decode.)

$ 编码(I)使用一个符号系统来表示信息,这可能最初有一些其他的表示。(请参阅:解码。)

(C) Examples include Morse code, ASCII, and BER.

(C) 示例包括摩尔斯电码、ASCII码和BER码。

(D) ISDs SHOULD NOT use this term as a synonym for "encrypt", because encoding is not usually intended to conceal meaning.

(D) ISDs不应将此术语用作“加密”的同义词,因为编码通常不是为了隐藏含义。

$ encrypt (I) Cryptographically transform data to produce ciphertext. (See: encryption.)

$ 加密(I)以加密方式转换数据以生成密文。(请参阅:加密。)

$ encryption (I) Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption", which is a transformation that restores encrypted data to its original state. (See: cryptography.)

$ 加密(I)将数据(称为“明文”)加密转换为一种形式(称为“密文”),隐藏数据的原始含义以防止其被知道或使用。如果转换是可逆的,则相应的反转过程称为“解密”,这是一种将加密数据恢复到原始状态的转换。(请参阅:密码学。)

(C) Usage note: For this concept, ISDs should use the verb "to encrypt" (and related variations: encryption, decrypt, and decryption). However, because of cultural biases, some international usage, particularly ISO and CCITT standards, avoids "to encrypt" and instead uses the verb "to encipher" (and related variations: encipherment, decipher, decipherment).

(C) 用法说明:对于这个概念,ISDs应该使用动词“to encrypt”(以及相关变体:encryption、decrypt和decryption)。然而,由于文化偏见,一些国际惯例,特别是ISO和CCITT标准,避免使用“加密”,而是使用动词“加密”(以及相关变体:加密、解密、解密)。

(O) "The cryptographic transformation of data (see: cryptography) to produce ciphertext." [I7498 Part 2]

(O) “数据的加密转换(见:密码学)以产生密文。”[I7498第2部分]

(C) Usually, the plaintext input to an encryption operation is cleartext. But in some cases, the plaintext may be ciphertext that was output from another encryption operation. (See: superencryption.)

(C) 通常,加密操作的明文输入是明文。但在某些情况下,明文可能是另一个加密操作输出的密文。(请参阅:超级加密。)

(C) Encryption and decryption involve a mathematical algorithm for transforming data. In addition to the data to be transformed, the algorithm has one or more inputs that are control parameters: (a) a key value that varies the transformation and, in some cases, (b) an initialization value that establishes the starting state of the algorithm.

(C) 加密和解密涉及转换数据的数学算法。除了要转换的数据外,算法还有一个或多个作为控制参数的输入:(a)改变转换的键值,在某些情况下,(b)建立算法启动状态的初始化值。

$ encryption certificate (I) A public-key certificate that contains a public key that is intended to be used for encrypting data, rather than for verifying digital signatures or performing other cryptographic functions.

$ 加密证书(I)包含公钥的公钥证书,用于加密数据,而不是验证数字签名或执行其他加密功能。

C) A v3 X.509 public-key certificate may have a "keyUsage" extension that indicates the purpose for which the certified public key is intended.

C) v3 X.509公钥证书可能具有“keyUsage”扩展名,该扩展名指示认证公钥的预期用途。

$ end entity (I) A system entity that is the subject of a public-key certificate and that is using, or is permitted and able to use, the matching private key only for a purpose or purposes other than signing a digital certificate; i.e., an entity that is not a CA.

$ 终端实体(I)作为公钥证书主体的系统实体,其仅为签署数字证书以外的目的使用或允许并能够使用匹配私钥;i、 例如,不是CA的实体。

(D) "A certificate subject which uses its public [sic] key for purposes other than signing certificates." [X509]

(D) “将其公钥[sic]用于证书签名以外目的的证书主体。”[X509]

(C) ISDs SHOULD NOT use the X.509 definition, because it is misleading and incomplete. First, the X.509 definition should say "private key" rather than "public key" because certificates are not usefully signed with a public key. Second, the X.509 definition is weak regarding whether an end entity may or may not use the private key to sign a certificate, i.e., whether the subject may be a CA. The intent of X.509's authors was that an end entity certificate is not valid for use in verifying a signature on an X.509 certificate or X.509 CRL. Thus, it would have been better for the X.509 definition to have said "only for purposes other than signing certificates".

(C) ISDs不应使用X.509定义,因为它具有误导性和不完整性。首先,X.509的定义应该是“私钥”而不是“公钥”,因为证书不是用公钥有效地签名的。其次,X.509的定义在最终实体是否可以使用私钥来签署证书(即主体是否是CA)方面很弱。X.509作者的意图是,最终实体证书不能用于验证X.509证书或X.509 CRL上的签名。因此,如果X.509定义中说“仅用于签署证书以外的目的”,则更好。

(C) Despite the problems in the X.509 definition, the term itself is useful in describing applications of asymmetric cryptography. The way the term is used in X.509 implies that it was meant to be defined, as we have done here, relative to roles that an entity (which is associated with an OSI end system) is playing or is permitted to play in applications of asymmetric cryptography other than the PKI that supports applications.

(C) 尽管X.509定义中存在问题,但该术语本身在描述非对称加密的应用时很有用。X.509中使用该术语的方式意味着,正如我们在这里所做的那样,该术语的定义与实体(与OSI终端系统关联)正在或允许在非对称加密应用程序中扮演的角色有关,而不是支持应用程序的PKI。

(C) Whether a subject can play both CA and non-CA roles, with either the same or different certificates, is a matter of policy. (See: certification practice statement.) A v3 X.509 public-key certificate may have a "basicConstraints" extension containing a "cA" value that specifically "indicates whether or not the public key may be used to verify certificate signatures".

(C) 主体是否可以使用相同或不同的证书同时扮演CA和非CA角色是一个政策问题。(请参阅:认证实践声明。)v3 X.509公钥证书可能有一个“basicConstraints”扩展,其中包含一个“cA”值,该值专门“指示公钥是否可用于验证证书签名”。

$ end system (I) An OSI term for a computer that implements all seven layers of the OSIRM and may attach to a subnetwork. (In the context of the Internet Protocol Suite, usually called a "host".)

$ 终端系统(I)OSI术语,指实现OSIRM所有七层并可连接到子网络的计算机。(在Internet协议套件的上下文中,通常称为“主机”。)

$ end-to-end encryption (I) Continuous protection of data that flows between two points in a network, provided by encrypting data when it leaves its source, leaving it encrypted while it passes through any intermediate computers (such as routers), and decrypting only when the data arrives at the intended destination. (See: link encryption, wiretapping.)

$ 端到端加密(I)对网络中两点之间流动的数据的连续保护,通过在数据离开源时对其进行加密、在数据通过任何中间计算机(如路由器)时对其进行加密以及仅在数据到达预定目的地时解密来提供。(请参阅:链接加密、窃听。)

(C) When two points are separated by multiple communication links that are connected by one or more intermediate relays, end-to-end encryption enables the source and destination systems to protect their communications without depending on the intermediate systems to provide the protection.

(C) 当两个点被一个或多个中间继电器连接的多个通信链路分隔时,端到端加密使源系统和目标系统能够保护其通信,而不依赖中间系统提供保护。

$ end user (I) General usage: A system entity, usually a human individual, that makes use of system resources, primarily for application purposes as opposed to system management purposes.

$ 最终用户(I)一般用途:一个系统实体,通常是个人,主要为应用目的而非系统管理目的使用系统资源。

(I) PKI usage: A synonym for "end entity"; but the term "end entity" is preferred.

(一) PKI用法:“终端实体”的同义词;但术语“最终实体”是首选。

$ entity See: system entity.

$ 实体请参见:系统实体。

$ entrapment (I) "The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit." [FP039] (See: honey pot.)

$ 诱捕(I)“故意在系统中植入明显的缺陷,以检测企图的渗透或混淆入侵者利用哪些缺陷。”[FP039](见:蜜罐)

$ ephemeral key (I) A public key or a private key that is relatively short-lived. (See: session key.)

$ 临时密钥(I)相对较短的公钥或私钥。(请参阅:会话密钥。)

$ error detection code (I) A checksum designed to detect, but not correct, accidental (i.e., unintentional) changes in data.

$ 错误检测代码(I)一种校验和,用于检测但不纠正数据中的意外(即无意)更改。

$ Escrowed Encryption Standard (EES) (N) A U.S. Government standard [FP185] that specifies use of a symmetric encryption algorithm (SKIPJACK) and a Law Enforcement

$ 托管加密标准(EES)(N)美国政府标准[FP185],规定使用对称加密算法(SKIPJACK)和执法

Access Field (LEAF) creation method to implement part of a key escrow system that provides for decryption of encrypted telecommunications when interception is lawfully authorized.

访问字段(LEAF)创建方法,用于实现密钥托管系统的一部分,该系统在合法授权拦截时提供加密电信的解密。

(C) Both SKIPJACK and the LEAF are to be implemented in equipment used to encrypt and decrypt unclassified, sensitive telecommunications data.

(C) SKIPJACK和LEAF都将在用于加密和解密非机密敏感电信数据的设备中实现。

$ ESP See: Encapsulating Security Payload.

$ ESP请参阅:封装安全有效负载。

$ Estelle (N) A language (ISO 9074-1989) for formal specification of computer network protocols.

$ Estelle(N):一种用于计算机网络协议形式规范的语言(ISO 9074-1989)。

$ evaluated products list (O) General usage: A list of information system equipment items that have been evaluated against, and found to be compliant with, a particular set of criteria.

$ 评估产品清单(O)一般用途:根据特定标准集进行评估并发现符合该标准的信息系统设备项目清单。

(O) U.S. Department of Defense usage: The Evaluated Products List (http://www.radium.ncsc.mil/tpep/epl/) contains items that have been evaluated against the TCSEC by the NCSC, or against the Common Criteria by the NCSC or one of its partner agencies in another county. The List forms Chapter 4 of NSA's "Information Systems Security Products and Services Catalogue".

(O) 美国国防部用途:评估产品清单(http://www.radium.ncsc.mil/tpep/epl/)包含NCSC根据TCSEC或NCSC或其在另一个县的合作机构的共同标准评估的项目。该清单构成了NSA“信息系统安全产品和服务目录”的第4章。

$ evaluated system (I) Refers to a system that has been evaluated against security criteria such as the TCSEC or the Common Criteria.

$ 评估系统(I)是指根据TCSEC或通用标准等安全标准进行评估的系统。

$ expire See: certificate expiration.

$ 过期请参阅:证书过期。

$ exposure See: (secondary definition under) threat consequence.

$ 暴露见:(第二定义下)威胁后果。

$ Extensible Authentication Protocol (I) A framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. [R2284]

$ 可扩展身份验证协议(I)支持PPP的多种可选身份验证机制的框架,包括明文密码、质询响应和任意对话序列。[R2284]

(C) This protocol is intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial-up lines.

(C) 该协议主要用于通过交换电路或拨号线路连接到PPP网络服务器的主机或路由器。

$ extension (I) A data item defined for optional inclusion in a v3 X.509 public-key certificate or a v2 X.509 CRL.

$ 扩展(I)定义的数据项,可选择包含在v3 X.509公钥证书或v2 X.509 CRL中。

(C) The formats defined in X.509 can be extended to provide methods for associating additional attributes with subjects and public keys and for managing a certification hierarchy:

(C) 可以扩展X.509中定义的格式,以提供将附加属性与主题和公钥关联以及管理证书层次结构的方法:

- "Certificate extension": X.509 defines standard extensions that may be included in v3 certificates to provide additional key and security policy information, subject and issuer attributes, and certification path constraints.

- “证书扩展”:X.509定义了可能包含在v3证书中的标准扩展,以提供额外的密钥和安全策略信息、主体和颁发者属性以及证书路径约束。

- "CRL extension": X.509 defines extensions that may be included in v2 CRLs to provide additional issuer key and name information, revocation reasons and constraints, and information about distribution points and delta CRLs.

- “CRL扩展”:X.509定义了可能包含在v2 CRL中的扩展,以提供额外的颁发者密钥和名称信息、撤销原因和约束,以及有关分发点和增量CRL的信息。

- "Private extension": Additional extensions, each named by an OID, can be locally defined as needed by applications or communities. (See: PKIX private extension, SET private extensions.)

- “私有扩展”:附加扩展,每个扩展都由OID命名,可以根据应用程序或社区的需要在本地定义。(请参见:PKIX专用扩展,设置专用扩展。)

$ extranet (I) A computer network that an organization uses to carry application data traffic between the organization and its business partners. (See: intranet.)

$ 外部网(I)一种计算机网络,组织使用它在组织与其业务伙伴之间传输应用程序数据通信。(见:内部网。)

(C) An extranet can be implemented securely, either on the Internet or using Internet technology, by constructing the extranet as a VPN.

(C) 通过将外联网构建为VPN,可以在Internet上或使用Internet技术安全地实现外联网。

$ fail safe (I) A mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system.

$ 故障安全(I)当系统发生故障或检测到故障时,自动使系统进程和组件处于安全状态的一种系统终止模式。

$ fail soft (I) Selective termination of affected non-essential system functions and processes when a failure occurs or is detected in the system.

$ 失效软(I)当系统发生或检测到故障时,选择性终止受影响的非基本系统功能和过程。

$ failure control (I) A methodology used to provide fail-safe or fail-soft termination and recovery of functions and processes when failures are detected or occur in a system. [FP039]

$ 故障控制(I)当系统中检测到或发生故障时,用于提供功能和过程的故障安全或故障软终止和恢复的方法。[FP039]

$ Federal Information Processing Standards (FIPS) (N) The Federal Information Processing Standards Publication (FIPS PUB) series issued by the U.S. National Institute of Standards and Technology as technical guidelines for U.S. Government procurements of information processing system equipment and services. [FP031, FP039, FP046, FP081, FP102, FP113, FP140, FP151, FP180, FP185, FP186, FP188]

$ 联邦信息处理标准(FIPS)(N)美国国家标准与技术研究所发布的联邦信息处理标准出版物(FIPS PUB)系列,作为美国政府采购信息处理系统设备和服务的技术指南。[FP031、FP039、FP046、FP081、FP102、FP113、FP140、FP151、FP180、FP185、FP186、FP188]

(C) Issued under the provisions of section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987, Public Law 100-235.

(C) 根据经1987年《计算机安全法》修订的1949年《联邦财产和行政服务法》第111(d)节的规定发布,公法100-235。

$ Federal Public-key Infrastructure (FPKI) (N) A PKI being planned to establish facilities, specifications, and policies needed by the U.S. Federal Government to use public-key certificates for INFOSEC, COMSEC, and electronic commerce involving unclassified but sensitive applications and interactions between Federal agencies as well as with entities of other branches of the Federal Government, state, and local governments, business, and the public. [FPKI]

$ 联邦公钥基础设施(FPKI)(N)计划建立美国联邦政府所需的设施、规范和政策的PKI,以便为信息安全、通信安全和通信安全使用公钥证书,以及涉及联邦机构之间以及联邦政府、州和地方政府、企业和公众的其他部门实体之间的非保密但敏感的应用程序和交互的电子商务。[FPKI]

$ Federal Standard 1027 (N) An U.S. Government document defining emanation, anti-tamper, security fault analysis, and manual key management criteria for DES encryption devices, primary for OSI layer 2. Was renamed "FIPS PUB 140" when responsibility for protecting unclassified, sensitive information was transferred from NSA to NIST, and then was superseded by FIPS PUB 140-1.

$ 联邦标准1027(N)美国政府文件,定义DES加密设备的发射、防篡改、安全故障分析和手动密钥管理标准,主要用于OSI第2层。当保护非机密敏感信息的责任从NSA转移到NIST时,更名为“FIPS PUB 140”,然后被FIPS PUB 140-1取代。

$ File Transfer Protocol (FTP) (I) A TCP-based, application-layer, Internet Standard protocol [R0959] for moving data files from one computer to another.

$ 文件传输协议(FTP)(I)基于TCP的应用层互联网标准协议[R0959],用于将数据文件从一台计算机移动到另一台计算机。

$ filtering router (I) An internetwork router that selectively prevents the passage of data packets according to a security policy.

$ 过滤路由器(I)根据安全策略有选择地防止数据包通过的网络间路由器。

(C) A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port numbers). [R2179]

(C) 过滤路由器可用作防火墙或防火墙的一部分。路由器通常从网络接收数据包,并决定在第二个网络上转发数据包的位置。过滤路由器也会这样做,但首先根据一些安全策略决定是否应该转发数据包。该策略由加载到路由器中的规则(包过滤器)实现。这些规则主要涉及数据包控制字段的值(尤其是IP源和目标地址以及TCP端口号)。[R2179]

$ financial institution (N) "An establishment responsible for facilitating customer-initiated transactions or transmission of funds for the extension of credit or the custody, loan, exchange, or issuance of money." [SET2]

$ 金融机构(N)“负责促进客户发起的交易或资金传输的机构,用于扩展信贷或保管、贷款、交换或发行货币。”[SET2]

$ fingerprint (I) A pattern of curves formed by the ridges on a fingertip. (See: biometric authentication, thumbprint.)

$ 指纹(I)指尖上的脊线形成的曲线图案。(请参阅:生物特征认证,指纹。)

(D) ISDs SHOULD NOT use this term as a synonym for "hash result" because it mixes concepts in a potentially misleading way.

(D) ISDs不应将此术语用作“哈希结果”的同义词,因为它以潜在误导的方式混合了概念。

(D) ISDs SHOULD NOT use this term with the following PGP definition, because the term and definition mix concepts in a potentially misleading way and duplicate the meaning of "hash result":

(D) ISDs不应在以下PGP定义中使用该术语,因为该术语和定义以潜在误导的方式混合概念,并重复“哈希结果”的含义:

(O) PGP usage: A hash result used to authenticate a public key (key fingerprint) or other data. [PGP]

(O) PGP用法:用于验证公钥(密钥指纹)或其他数据的哈希结果。[PGP]

$ FIPS See: Federal Information Processing Standards.

$ FIPS见:联邦信息处理标准。

$ FIPS PUB 140-1 (N) The U.S. Government standard [FP140] for security requirements to be met by a cryptographic module used to protect unclassified information in computer and communication systems. (See: Common Criteria, FIPS, Federal Standard 1027.)

$ FIPS PUB 140-1(N)美国政府标准[FP140],用于保护计算机和通信系统中未分类信息的加密模块应满足安全要求。(见:通用标准、FIPS、联邦标准1027。)

(C) The standard specifies four increasing levels (from "Level 1" to "Level 4") of requirements to cover a wide range of potential applications and environments. The requirements address basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference and electromagnetic compatibility (EMI/EMC), and self-testing. NIST and the Canadian Communication Security Establishment jointly certify modules.

(C) 该标准规定了四个不断增加的需求级别(从“级别1”到“级别4”),以涵盖广泛的潜在应用和环境。这些要求涉及基本设计和文档、模块接口、授权角色和服务、物理安全、软件安全、操作系统安全、密钥管理、加密算法、电磁干扰和电磁兼容性(EMI/EMC)以及自检。NIST和加拿大通信安全机构共同认证模块。

$ firewall (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)

$ 防火墙(I)一种网络间网关,用于限制与其中一个连接网络(称为“防火墙内”)之间的数据通信流量,从而保护该网络的系统资源免受来自另一个网络(称为“防火墙外”)的威胁。(请参阅:警卫,安全网关。)

(C) A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies security policy rules to control traffic that flows in and out of the protected network.

(C) 防火墙通常保护较小、安全的网络(如公司局域网,甚至一台主机)免受较大网络(如互联网)的攻击。防火墙安装在网络连接点,防火墙应用安全策略规则来控制进出受保护网络的流量。

(C) A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep intruders out, but usually also needs to let authorized users in and out.

(C) 防火墙并不总是一台计算机。例如,防火墙可能由一对过滤路由器和运行在一个或多个堡垒主机上的一个或多个代理服务器组成,所有这些都连接到两个路由器之间的小型专用LAN。外部路由器阻止使用IP破坏安全性的攻击(IP地址欺骗、源路由、数据包碎片),而代理服务器阻止利用更高层协议或服务中的漏洞进行攻击。内部路由器阻止流量离开受保护的网络,除非通过代理服务器。困难的部分是定义拒绝数据包通过防火墙的标准,因为防火墙不仅需要阻止入侵者,而且通常还需要允许授权用户进出。

$ firmware (I) Computer programs and data stored in hardware--typically in read-only memory (ROM) or programmable read-only memory (PROM)-- such that the programs and data cannot be dynamically written or modified during execution of the programs. (See: hardware, software.)

$ 固件(I)存储在硬件中的计算机程序和数据——通常存储在只读存储器(ROM)或可编程只读存储器(PROM)中——使得程序和数据在程序执行期间不能动态写入或修改。(请参阅:硬件、软件。)

$ FIRST See: Forum of Incident Response and Security Teams.

$ 初见:事件响应和安全团队论坛。

$ flaw hypothesis methodology (I) An evaluation or attack technique in which specifications and documentation for a system are analyzed to hypothesize flaws in the system. The list of hypothetical flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming it does, on the ease of exploiting it and the extent of control or compromise it would provide. The prioritized list is used to direct a penetration test or attack against the system. [NCS04]

$ 缺陷假设方法(I)一种评估或攻击技术,其中对系统的规范和文档进行分析,以假设系统中存在缺陷。假设缺陷列表根据缺陷存在的估计概率和(假设存在)利用缺陷的难易程度以及控制或妥协的程度进行优先排序。优先列表用于指导针对系统的渗透测试或攻击。[NCS04]

$ flooding (I) An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly. (See: denial of service.)

$ 泛洪攻击(I)试图通过提供超出实体正常处理范围的输入,导致计算机系统或其他数据处理实体出现故障(尤其是在安全性方面)的攻击。(请参阅:拒绝服务。)

$ flow analysis (I) An analysis performed on a nonprocedural formal system specification that locates potential flows of information between system variables. By assigning security levels to the variables, the analysis can find some types of covert channels.

$ 流程分析(I)对非过程正式系统规范进行的分析,确定系统变量之间的潜在信息流。通过为变量分配安全级别,分析可以发现某些类型的隐蔽通道。

$ flow control (I) A procedure or technique to ensure that information transfers within a system are not made from one security level to another security level, and especially not from a higher level to a lower level. (See: covert channel, simple security property, confinement property.)

$ 流量控制(I)一种程序或技术,用于确保系统内的信息传输不会从一个安全级别传输到另一个安全级别,特别是不会从较高级别传输到较低级别。(请参阅:隐蔽通道、简单安全属性、限制属性。)

$ formal specification (I) A specification of hardware or software functionality in a computer-readable language; usually a precise mathematical description of the behavior of the system with the aim of providing a correctness proof.

$ 形式规范(I)计算机可读语言的硬件或软件功能规范;通常是系统行为的精确数学描述,目的是提供正确性证明。

$ formulary (I) A technique for enabling a decision to grant or deny access to be made dynamically at the time the access is attempted, rather than earlier when an access control list or ticket is created.

$ 公式集(I)一种技术,用于在尝试访问时,而不是在创建访问控制列表或票证之前,动态做出授予或拒绝访问的决定。

$ FORTEZZA(trademark) (N) A registered trademark of NSA, used for a family of interoperable security products that implement a NIST/NSA-approved suite of cryptographic algorithms for digital signature, hash, encryption, and key exchange. The products include a PC card that contains a CAPSTONE chip, serial port modems, server boards, smart cards, and software implementations.

$ FORTEZZA(商标)(N)NSA的注册商标,用于一系列可互操作的安全产品,这些产品实现了NIST/NSA批准的一套用于数字签名、哈希、加密和密钥交换的加密算法。这些产品包括一个包含顶点芯片的PC卡、串行端口调制解调器、服务器板、智能卡和软件实现。

$ Forum of Incident Response and Security Teams (FIRST) (N) An international consortium of CSIRTs that work together to handle computer security incidents and promote preventive activities. (See: CSIRT, security incident.)

$ 事件响应和安全团队论坛(FIRST)(N)一个由CSIRT组成的国际联盟,共同处理计算机安全事件并促进预防活动。(参见:CSIRT,安全事件)

(C) FIRST was founded in 1990 and, as of September 1999, had nearly 70 members spanning the globe. Its mission includes:

(C) FIRST成立于1990年,截至1999年9月,全球有近70个成员。其任务包括:

- Provide members with technical information, tools, methods, assistance, and guidance. - Coordinate proactive liaison activities and analytical support. - Encourage development of quality products and services. - Improve national and international information security for government, private industry, academia, and the individual. - Enhance the image and status of the CSIRT community.

- 向成员提供技术信息、工具、方法、协助和指导。-协调主动联络活动和分析支持。-鼓励开发优质产品和服务。-改善政府、私营企业、学术界和个人的国家和国际信息安全。-提升CSIRT社区的形象和地位。

$ forward secrecy See: public-key forward secrecy.

$ 前向保密请参阅:公钥前向保密。

$ FPKI See: Federal Public-Key Infrastructure.

$ FPKI见:联邦公钥基础设施。

$ FTP See: File Transfer Protocol.

$ FTP请参阅:文件传输协议。

$ gateway (I) A relay mechanism that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables host computers on one network to communicate with hosts on the other; an intermediate system that is the interface between two computer networks. (See: bridge, firewall, guard, internetwork, proxy server, router, and subnetwork.)

$ 网关(I)一种中继机制,连接到两个(或多个)功能相似但实现方式不同的计算机网络,使一个网络上的主机能够与另一个网络上的主机通信;作为两个计算机网络之间接口的中间系统。(请参阅:网桥、防火墙、防护、互联网、代理服务器、路由器和子网络。)

(C) In theory, gateways are conceivable at any OSI layer. In practice, they operate at OSI layer 3 (see: bridge, router) or layer 7 (see: proxy server). When the two networks differ in the protocol by which they offer service to hosts, the gateway may translate one protocol into another or otherwise facilitate interoperation of hosts (see: Internet Protocol).

(C) 理论上,网关在任何OSI层都是可以想象的。实际上,它们在OSI第3层(请参阅网桥、路由器)或第7层(请参阅代理服务器)上运行。当两个网络向主机提供服务的协议不同时,网关可将一个协议转换为另一个协议,或以其他方式促进主机的互操作(请参阅:Internet协议)。

$ GCA See: geopolitical certificate authority.

$ GCA见:地缘政治证书管理局。

$ GeneralizedTime (N) The ASN.1 data type "GeneralizedTime" (specified in ISO 8601) contains a calendar date (YYYYMMDD) and a time of day, which is either (a) the local time, (b) the Coordinated Universal Time, or (c) both the local time and an offset allowing Coordinated Universal Time to be calculated. (See: Coordinated Universal Time, UTCTime.)

$ 泛化时间(N)ASN.1数据类型“泛化时间”(在ISO 8601中指定)包含日历日期(YYYYMMDD)和一天中的某个时间,即(a)本地时间,(b)协调世界时,或(c)本地时间和允许计算协调世界时的偏移量。(参见:协调世界时,UTCTime)

$ Generic Security Service Application Program Interface (GSS-API) (I) An Internet Standard protocol [R2078] that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies, thus allowing the application source code to be ported to different environments.

$ 通用安全服务应用程序接口(GSS-API)(I)一种互联网标准协议[R2078],规定了应用程序(通常是另一种通信协议)可通过其获得身份验证、完整性、,保密性和安全服务独立于底层安全机制和技术,因此允许将应用程序源代码移植到不同的环境。

(C) "A GSS-API caller accepts tokens provided to it by its local GSS-API implementation and transfers the tokens to a peer on a remote system; that peer passes the received tokens to its local

(C) “GSS-API调用方接受其本地GSS-API实现提供给它的令牌,并将令牌传输给远程系统上的对等方;该对等方将接收到的令牌传递给其本地系统

GSS-API implementation for processing. The security services available through GSS-API in this fashion are implementable (and have been implemented) over a range of underlying mechanisms based on [symmetric] and [asymmetric cryptography]." [R2078]

用于处理的GSS-API实现。通过GSS-API以这种方式提供的安全服务可在基于[对称]和[非对称加密]的一系列底层机制上实现(并且已经实现)。“[R2078]

$ geopolitical certificate authority (GCA) (O) SET usage: In a SET certification hierarchy, an optional level that is certified by a BCA and that may certify cardholder CAs, merchant CAs, and payment gateway CAs. Using GCAs enables a brand to distribute responsibility for managing certificates to geographic or political regions, so that brand policies can vary between regions as needed.

$ 地缘政治证书颁发机构(GCA)(O)集合用途:在集合认证层次结构中,由BCA认证的可选级别,可认证持卡人CA、商户CA和支付网关CA。使用GCAs使品牌能够将管理证书的责任分配给地理或政治区域,以便品牌策略可以根据需要在不同区域之间变化。

$ Green Book (D) Except as an explanatory appositive, ISDs SHOULD NOT use this term as a synonym for "Defense Password Management Guideline" [CSC2]. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: Rainbow Series.)

$ 绿皮书(D)除作为解释性同位语外,ISDs不应将该术语用作“国防密码管理指南”[CSC2]的同义词。取而代之的是,使用文件的全称,或者在后续参考文献中使用常规缩写。(请参阅:彩虹系列。)

(D) Usage note: To improve international comprehensibility of Internet Standards and the Internet Standards Process, ISDs SHOULD NOT use "cute" synonyms for document titles. No matter how popular and clearly understood a nickname may be in one community, it is likely to cause confusion in others. For example, several other information system standards also are called "the Green Book". The following are some examples:

(D) 用法说明:为提高互联网标准和互联网标准流程的国际可理解性,ISDs不应使用“cute”同义词作为文件标题。无论一个昵称在一个社区中有多么流行和清晰,它都可能在其他社区引起混乱。例如,其他一些信息系统标准也被称为“绿皮书”。以下是一些例子:

- Each volume of 1992 ITU-T (at that time, CCITT) standards. - "PostScript Language Program Design", Adobe Systems, Addison-Wesley, 1988. - IEEE 1003.1 POSIX Operating Systems Interface. - "Smalltalk-80: Bits of History, Words of Advice", Glenn Krasner, Addison-Wesley, 1983. - "X/Open Compatibility Guide". - A particular CD-ROM format developed by Phillips.

- 1992年ITU-T(当时为CCITT)标准的每卷。-“PostScript语言程序设计”,AdobeSystems,Addison-Wesley,1988年IEEE 1003.1 POSIX操作系统接口。-“Smalltalk-80:历史的点滴,忠告的话语”,格伦·克拉斯纳,艾迪生·韦斯利,1983年“X/Open兼容性指南”——菲利普斯开发的一种特殊的CD-ROM格式。

$ GRIP (I) A contraction of "Guidelines and Recommendations for Security Incident Processing", the name of the IETF working group that seeks to facilitate consistent handling of security incidents in the Internet community. (See: security incident.)

$ GRIP(I)“安全事件处理指南和建议”的缩写,IETF工作组的名称,旨在促进互联网社区中安全事件的一致处理。(见:安全事件)

(C) Guidelines to be produced by the WG will address technology vendors, network service providers, and response teams in their roles assisting organizations in resolving security incidents. These relationships are functional and can exist within and across organizational boundaries.

(C) 工作组制定的指导方针将针对技术供应商、网络服务提供商和响应团队在协助组织解决安全事件方面的作用。这些关系是功能性的,可以存在于组织内部或跨组织边界。

$ GSS-API See: Generic Security Service Application Program Interface.

$ GSS-API请参阅:通用安全服务应用程序接口。

$ guard (I) A gateway that is interposed between two networks (or computers, or other information systems) operating at different security levels (one level is usually higher than the other) and is trusted to mediate all information transfers between the two levels, either to ensure that no sensitive information from the first (higher) level is disclosed to the second (lower) level, or to protect the integrity of data on the first (higher) level. (See: firewall.)

$ guard(I)在两个网络(或计算机或其他信息系统)之间插入的网关,以不同的安全级别(一个级别通常高于另一个级别)运行,并被信任在两个级别之间调解所有信息传输,以确保没有来自第一个(更高)级别的敏感信息级别被披露到第二(更低)级别,或者保护第一(更高)级别上的数据完整性。(请参阅:防火墙。)

$ guest login See: anonymous login.

$ 来宾登录请参阅:匿名登录。

$ GULS (I) Generic Upper Layer Security service element (ISO 11586), a five-part standard for the exchange of security information and security-transformation functions that protect confidentiality and integrity of application data.

$ GULS(I)通用上层安全服务元素(ISO 11586),由五部分组成的标准,用于交换安全信息和安全转换功能,以保护应用程序数据的机密性和完整性。

$ hacker (I) Someone with a strong interest in computers, who enjoys learning about them and experimenting with them. (See: cracker.)

$ 黑客(I)对计算机有浓厚兴趣的人,喜欢学习计算机并进行实验。(请参阅:cracker。)

(C) The recommended definition is the original meaning of the term (circa 1960), which then had a neutral or positive connotation of "someone who figures things out and makes something cool happen". Today, the term is frequently misused, especially by journalists, to have the pejorative meaning of cracker.

(C) 推荐的定义是这个词的原意(大约1960年),它有一个中性或积极的含义,即“把事情弄明白并让一些很酷的事情发生的人”。今天,这个词经常被误用,特别是被记者误用,具有“饼干”的贬义。

$ handle (I) (1.) Verb: Perform processing operations on data, such as receive and transmit, collect and disseminate, create and delete, store and retrieve, read and write, and compare. (2.) Noun: An on-line pseudonym, particularly one used by a cracker; derived from citizens band radio culture.

$ 动词:对数据执行处理操作,如接收和发送、收集和分发、创建和删除、存储和检索、读和写以及比较。(2.)名词:网上的笔名,尤指黑客使用的;源于公民波段无线电文化。

$ hardware (I) The material physical components of a computer system. (See: firmware, software.)

$ 硬件(I)计算机系统的材料物理组件。(请参阅:固件、软件。)

$ hardware token See: token.

$ 硬件令牌请参阅:令牌。

$ hash code (D) ISDs SHOULD NOT use this term (especially not as a synonym for "hash result") because it mixes concepts in a potentially misleading way. A hash result is not a "code" in any sense defined by this glossary. (See: code, hash result, hash value, message digest.)

$ 哈希代码(D)ISDs不应使用该术语(尤其不应作为“哈希结果”的同义词),因为它以潜在误导的方式混合了概念。哈希结果不是本术语表定义的任何意义上的“代码”。(请参阅:代码、哈希结果、哈希值、消息摘要。)

$ hash function (I) An algorithm that computes a value based on a data object (such as a message or file; usually variable-length; possibly very large), thereby mapping the data object to a smaller data object (the "hash result") which is usually a fixed-size value. (See: checksum, keyed hash.)

$ 散列函数(I)基于数据对象(如消息或文件;通常长度可变;可能非常大)计算值的算法,从而将数据对象映射到较小的数据对象(“散列结果”),通常为固定大小的值。(请参阅:校验和、键控哈希。)

(O) "A (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. A 'good' hash function is such that the results of applying the function to a (large) set of values in the domain will be evenly distributed (and apparently at random) over the range." [X509]

(O) “将大(可能非常大)域中的值映射到较小范围的(数学)函数。“良好”哈希函数是指将函数应用于域中的(大)值集的结果将均匀分布(显然是随机分布)在该范围内。”[X509]

(C) The kind of hash function needed for security applications is called a "cryptographic hash function", an algorithm for which it is computationally infeasible (because no attack is significantly more efficient than brute force) to find either (a) a data object that maps to a pre-specified hash result (the "one-way" property) or (b) two data objects that map to the same hash result (the "collision-free" property). (See: MD2, MD4, MD5, SHA-1.)

(C) 安全应用程序所需的散列函数类型称为“加密散列函数”,该算法在计算上不可行(因为没有攻击比暴力更有效),无法找到(a)映射到预先指定的散列结果的数据对象(“单向”属性)或(b)映射到相同哈希结果的两个数据对象(“无冲突”属性)。(参见:MD2、MD4、MD5、SHA-1。)

(C) A cryptographic hash is "good" in the sense stated in the "O" definition for hash function. Any change to an input data object will, with high probability, result in a different hash result, so that the result of a cryptographic hash makes a good checksum for a data object.

(C) 加密散列在散列函数的“O”定义中所述的意义上是“好的”。对输入数据对象的任何更改都极有可能导致不同的哈希结果,因此加密哈希的结果对数据对象产生良好的校验和。

$ hash result (I) The output of a hash function. (See: hash code, hash value.)

$ 散列结果(I)散列函数的输出。(请参阅:哈希代码、哈希值。)

(O) "The output produced by a hash function upon processing a message" (where "message" is broadly defined as "a digital representation of data"). [ABA] (The recommended definition is compatible with this ABA definition, but we avoid the unusual definition of "message".)

(O) “哈希函数在处理消息时产生的输出”(其中“消息”广义上定义为“数据的数字表示”)。[ABA](建议的定义与此ABA定义兼容,但我们避免使用“消息”的异常定义。)

$ hash value (D) ISDs SHOULD NOT use this term (especially not as a synonym for "hash result", the output of a hash function) because it might be confused with "hashed value" (the input to a hash function). (See: hash code, hash result, message digest.)

$ 哈希值(D)ISDs不应使用该术语(尤其不能作为“哈希结果”(哈希函数的输出)的同义词),因为它可能与“哈希值”(哈希函数的输入)混淆。(请参阅:哈希代码、哈希结果、消息摘要。)

$ hierarchical PKI (I) A PKI architecture based on a certification hierarchy. (See: mesh PKI, trust-file PKI.)

$ 层次式PKI(I)基于证书层次结构的PKI体系结构。(请参见:mesh PKI、信任文件PKI。)

$ hierarchy management (I) The process of generating configuration data and issuing public-key certificates to build and operate a certification hierarchy.

$ 层次结构管理(I)生成配置数据和颁发公钥证书以建立和运行证书层次结构的过程。

$ hierarchy of trust (D) ISDs SHOULD NOT use this term with regard to PKI, especially not as a synonym for "certification hierarchy", because this term mixes concepts in a potentially misleading way. (See: certification hierarchy, trust, web of trust.)

$ 信任层次结构(D)ISDs不应在PKI方面使用该术语,尤其不应将其作为“认证层次结构”的同义词,因为该术语以潜在误导的方式混合了各种概念。(请参阅:证书层次结构、信任、信任网。)

$ hijack attack (I) A form of active wiretapping in which the attacker seizes control of a previously established communication association. (See: man-in-the-middle attack, pagejacking, piggyback attack.)

$ 劫持攻击(I)一种主动窃听形式,其中攻击者夺取了先前建立的通信关联的控制权。(参见:中间人攻击、页面劫持、背驮攻击。)

$ HMAC (I) A keyed hash [R2104] that can be based on any iterated cryptographic hash (e.g., MD5 or SHA-1), so that the cryptographic strength of HMAC depends on the properties of the selected cryptographic hash. (See: [R2202, R2403, R2404].)

$ HMAC(I)可基于任何迭代加密散列(例如,MD5或SHA-1)的键控散列[R2104],因此HMAC的加密强度取决于所选加密散列的属性。(参见:[R2202、R2403、R2404])

(C) Assume that H is a generic cryptographic hash in which a function is iterated on data blocks of length B bytes. L is the length of the of hash result of H. K is a secret key of length L <= K <= B. The values IPAD and OPAD are fixed strings used as inner and outer padding and defined as follows: IPAD = the byte 0x36 repeated B times, OPAD = the byte 0x5C repeated B times. HMAC is computed by H(K XOR OPAD, H(K XOR IPAD, inputdata)).

(C) 假设H是一个通用加密哈希,其中函数在长度为B字节的数据块上迭代。L是H的哈希结果的长度。K是长度为L<=K<=B的密钥。值IPAD和OPAD是用作内部和外部填充的固定字符串,定义如下:IPAD=字节0x36重复B次,OPAD=字节0x5C重复B次。HMAC由H(kxor OPAD,H(kxor IPAD,inputdata))计算。

(C) The goals of HMAC are as follows:

(C) HMAC的目标如下:

- To use available cryptographic hash functions without modification, particularly functions that perform well in software and for which software is freely and widely available. - To preserve the original performance of the selected hash without significant degradation. - To use and handle keys in a simple way. - To have a well-understood cryptographic analysis of the strength of the mechanism based on reasonable assumptions about the underlying hash function. - To enable easy replacement of the hash function in case a faster or stronger hash is found or required.

- 无需修改即可使用可用的加密哈希函数,尤其是在软件中性能良好且软件可自由广泛使用的函数。-以保持所选哈希的原始性能而不会显著降级。-以简单的方式使用和处理按键。-基于对底层哈希函数的合理假设,对机制的强度进行充分理解的密码分析。-在发现或需要更快或更强的散列时,可以轻松替换散列函数。

$ honey pot (I) A system (e.g., a web server) or a system resource (e.g., a file on a server), that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears. (See: entrapment.)

$ 蜜罐(I)系统(如web服务器)或系统资源(如服务器上的文件),旨在吸引潜在的黑客和入侵者,如蜂蜜吸引熊。(见:诱捕。)

(D) It is likely that other cultures have different metaphors for this concept. To ensure international understanding, ISDs should not use this term unless they also provide an explanation like this one. (See: (usage note under) Green Book.)

(D) 其他文化可能对此概念有不同的隐喻。为确保国际理解,ISD不应使用该术语,除非他们也提供类似的解释。(参见(绿皮书下的用法说明。)

$ host (I) General computer network usage: A computer that is attached to a communication subnetwork or internetwork and can use services provided by the network to exchange data with other attached systems. (See: end system.)

$ 主机(I)一般计算机网络用途:连接到通信子网或互联网的计算机,可以使用网络提供的服务与其他连接系统交换数据。(请参见:末端系统。)

(I) Specific Internet Protocol Suite usage: A networked computer that does not forward Internet Protocol packets that are not addressed to the computer itself. (See: router.)

(一) 特定Internet协议套件用法:不转发未寻址到计算机本身的Internet协议包的联网计算机。(请参阅:路由器。)

(C) Derivation: As viewed by its users, a host "entertains" guests, providing application layer services or access to other computers attached to the network. However, even though some traditional peripheral service devices, such as printers, can now be independently connected to networks, they are not usually called hosts.

(C) 派生:在用户看来,主机“招待”客人,提供应用层服务或访问连接到网络的其他计算机。然而,尽管一些传统的外围服务设备,如打印机,现在可以独立地连接到网络,但它们通常不被称为主机。

$ HTML See: Hypertext Markup Language.

$ HTML请参阅:超文本标记语言。

$ HTTP See: Hypertext Transfer Protocol.

$ HTTP请参阅:超文本传输协议。

$ https (I) When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL. (See: S-HTTP.)

$ https(I)当用于URL的第一部分(冒号之前的部分并指定访问方案或协议)时,该术语指定使用通过安全机制(通常为SSL)增强的HTTP。(请参阅:S-HTTP。)

$ hybrid encryption (I) An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption. (E.g., see: digital envelope.)

$ 混合加密(I)结合两种或两种以上加密算法的加密应用,尤其是对称和非对称加密的组合。(例如,参见:数字信封。)

(C) Asymmetric algorithms require more computation than equivalently strong symmetric ones. Thus, asymmetric encryption is not normally used for data confidentiality except in distributing

(C) 非对称算法比等效强对称算法需要更多的计算量。因此,非对称加密通常不用于数据机密性,除非用于分发

symmetric keys in applications where the key data is usually short (in terms of bits) compared to the data it protects. (E.g., see: MSP, PEM, PGP.)

对称密钥在密钥数据通常比其保护的数据短(以位为单位)的应用中。(例如,参见:MSP、PEM、PGP)

$ hyperlink (I) In hypertext or hypermedia, an information object (such as a word, a phrase, or an image; usually highlighted by color or underscoring) that points (indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link (e.g., by selecting the object with a mouse pointer and then clicking).

$ 超链接(I)在超文本或超媒体中,一种信息对象(如单词、短语或图像;通常以颜色或下划线突出显示),它指向(指示如何连接)位于其他位置的相关信息,并可通过激活链接检索(例如,用鼠标指针选择对象,然后单击)。

$ hypermedia (I) A generalization of hypertext; any media that contain hyperlinks that point to material in the same or another data object.

$ 超媒体(I)超文本的泛化;包含指向同一或另一数据对象中的材质的超链接的任何媒体。

$ hypertext (I) A computer document, or part of a document, that contains hyperlinks to other documents; i.e., text that contains active pointers to other text. Usually written in Hypertext Markup Language and accessed using a web browser. (See: hypermedia.)

$ 超文本(I)包含指向其他文件超链接的计算机文件或文件的一部分;i、 例如,包含指向其他文本的活动指针的文本。通常用超文本标记语言编写并使用web浏览器访问。(请参阅:超媒体。)

$ Hypertext Markup Language (HTML) (I) A platform-independent system of syntax and semantics for adding characters to data files (particularly text files) to represent the data's structure and to point to related data, thus creating hypertext for use in the World Wide Web and other applications. [R1866]

$ 超文本标记语言(HTML)(I)一种独立于平台的语法和语义系统,用于向数据文件(尤其是文本文件)添加字符,以表示数据结构并指向相关数据,从而创建用于万维网和其他应用程序的超文本。[R1866]

$ Hypertext Transfer Protocol (HTTP) (I) A TCP-based, application-layer, client-server, Internet protocol [R2616] used to carry data requests and responses in the World Wide Web. (See: hypertext.)

$ 超文本传输协议(HTTP)(I)基于TCP的应用层、客户机-服务器、互联网协议[R2616],用于在万维网中传输数据请求和响应。(请参阅:超文本。)

$ IAB See: Internet Architecture Board.

$ IAB见:互联网架构委员会。

$ IANA See: Internet Assigned Numbers Authority.

$ IANA见:互联网分配号码管理局。

$ ICANN See: Internet Corporation for Assigned Names and Numbers.

$ ICANN见:互联网名称和号码分配公司。

$ ICMP See: Internet Control Message Protocol.

$ ICMP请参阅:Internet控制消息协议。

$ ICMP flood (I) A denial of service attack that sends a host more ICMP echo request ("ping") packets than the protocol implementation can handle. (See: flooding, smurf.)

$ ICMP洪泛(I)一种拒绝服务攻击,它向主机发送的ICMP回显请求(“ping”)数据包超过协议实现所能处理的数量。(见:洪水,蓝精灵)

$ ICRL See: indirect certificate revocation list.

$ ICRL请参阅:间接证书吊销列表。

$ IDEA See: International Data Encryption Algorithm.

$ 想法见:国际数据加密算法。

$ identification (I) An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities. (See: authentication.)

$ 识别(I)向系统提供标识符的行为或过程,以便系统能够识别系统实体并将其与其他实体区分开来。(请参阅:身份验证。)

$ Identification Protocol (I) An client-server Internet protocol [R1413] for learning the identity of a user of a particular TCP connection.

$ 识别协议(I)用于了解特定TCP连接用户身份的客户机-服务器互联网协议[R1413]。

(C) Given a TCP port number pair, the server returns a character string that identifies the owner of that connection on the server's system. The protocol is not intended for authorization or access control. At best, it provides additional auditing information with respect to TCP.

(C) 给定TCP端口号对,服务器返回一个字符串,该字符串标识服务器系统上该连接的所有者。该协议不用于授权或访问控制。充其量,它提供了有关TCP的额外审计信息。

$ identity-based security policy (I) "A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed." [I7498 Part 2] (See: rule-based security policy.)

$ 基于身份的安全策略(I)“基于用户、一组用户或代表用户和被访问资源/对象的实体的身份和/或属性的安全策略。”[I7498第2部分](请参阅:基于规则的安全策略。)

$ IEEE See: Institute of Electrical and Electronics Engineers, Inc.

$ IEEE见:电气和电子工程师协会。

$ IEEE 802.10 (N) An IEEE committee developing security standards for local area networks. (See: SILS.)

$ IEEE 802.10(N)为局域网制定安全标准的IEEE委员会。(见:SILS)

$ IEEE P1363 (N) An IEEE working group, Standard for Public-Key Cryptography, developing a comprehensive reference standard for asymmetric cryptography. Covers discrete logarithm (e.g., DSA), elliptic curve, and integer factorization (e.g., RSA); and covers key agreement, digital signature, and encryption.

$ IEEE P1363(N)IEEE工作组,公钥密码标准,为非对称密码制定综合参考标准。包括离散对数(如DSA)、椭圆曲线和整数因式分解(如RSA);包括密钥协议、数字签名和加密。

$ IESG See: Internet Engineering Steering Group.

$ IESG见:互联网工程指导小组。

$ IETF See: Internet Engineering Task Force.

$ IETF见:互联网工程任务组。

$ IKE See: IPsec Key Exchange.

$ IKE请参阅:IPsec密钥交换。

$ IMAP4 See: Internet Message Access Protocol, version 4.

$ IMAP4请参阅:Internet消息访问协议,第4版。

$ IMAP4 AUTHENTICATE (I) A IMAP4 "command" (better described as a transaction type, or a protocol-within-a-protocol) by which an IMAP4 client optionally proposes a mechanism to an IMAP4 server to authenticate the client to the server and provide other security services. (See: POP3.)

$ IMAP4身份验证(I)IMAP4“命令”(更好地描述为事务类型或协议内协议),通过该命令,IMAP4客户机可以选择向IMAP4服务器提出机制,以向服务器验证客户机并提供其他安全服务。(见:POP3。)

(C) If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms that are used by IMAP4 AUTHENTICATE--including Kerberos, GSSAPI, and S/Key--are described in [R1731].

(C) 如果服务器接受该建议,则该命令之后将执行质询-响应身份验证协议,并(可选)协商后续POP3交互的保护机制。IMAP4身份验证使用的安全机制(包括Kerberos、GSSAPI和S/Key)在[R1731]中进行了描述。

$ in the clear (I) Not encrypted. (See: cleartext.)

$ 在clear(I)中,未加密。(请参阅:明文。)

$ indirect certificate revocation list (ICRL) (I) In X.509, a CRL that may contain certificate revocation notifications for certificates issued by CAs other than the issuer of the ICRL.

$ 间接证书撤销列表(ICRL)(I)在X.509中,一种CRL,其中可能包含由除ICRL颁发者以外的CA颁发的证书的证书撤销通知。

$ indistinguishability (I) An attribute of an encryption algorithm that is a formalization of the notion that the encryption of some string is indistinguishable from the encryption of an equal-length string of nonsense.

$ 不可区分性(I)加密算法的一个属性,它是某种字符串加密与等长无意义字符串加密不可区分这一概念的形式化。

(C) Under certain conditions, this notion is equivalent to "semantic security".

(C) 在一定条件下,这一概念相当于“语义安全”。

$ information (I) Facts and ideas, which can be represented (encoded) as various forms of data.

$ 信息(I)事实和想法,可以表示(编码)为各种形式的数据。

$ Information Technology Security Evaluation Criteria (ITSEC) (N) Standard developed for use in the European Union; accommodates a wider range of security assurance and functionality combinations than the TCSEC. Superseded by the Common Criteria. [ITSEC]

$ 为在欧盟使用而制定的信息技术安全评估标准(ITSEC)(N);与TCSEC相比,它提供了更广泛的安全保证和功能组合。被共同标准取代。[ITSEC]

$ INFOSEC (I) Abbreviation for "information security", referring to security measures that implement and assure security services in computer systems (i.e., COMPUSEC) and communication systems (i.e., COMSEC).

$ 信息安全(I)“信息安全”的缩写,指在计算机系统(即计算机安全)和通信系统(即通信安全)中实施和确保安全服务的安全措施。

$ initialization value (IV) (I) An input parameter that sets the starting state of a cryptographic algorithm or mode. (Sometimes called "initialization vector" or "message indicator".)

$ 初始化值(IV)(I)设置加密算法或模式的开始状态的输入参数。(有时称为“初始化向量”或“消息指示器”。)

(C) An IV can be used to introduce cryptographic variance in addition to that provided by a key (see: salt), and to synchronize one cryptographic process with another. For an example of the latter, cipher block chaining mode requires an IV. [R2405]

(C) 除了密钥提供的密码差异外,IV还可用于引入密码差异(参见:salt),并将一个密码过程与另一个密码过程同步。对于后者的示例,密码块链接模式需要IV。[R2405]

$ initialization vector (D) For consistency, ISDs SHOULD NOT use this term as a synonym for "initialization value".

$ 初始化向量(D)为保持一致性,ISDs不应将该术语用作“初始化值”的同义词。

$ insider attack See: (secondary definition under) attack.

$ 内幕攻击见:(第二定义下)攻击。

$ Institute of Electrical and Electronics Engineers, Inc. (IEEE) (N) The IEEE is a not-for-profit association of more than 330,000 individual members in 150 countries. The IEEE produces 30 percent of the world's published literature in electrical engineering, computers, and control technology; holds annually more than 300 major conferences; and has more than 800 active standards with 700 under development. (See: Standards for Interoperable LAN/MAN Security.)

$ 电气和电子工程师协会(IEEE)(N)IEEE是一个非营利协会,在150个国家拥有超过330000名个人会员。IEEE出版的电气工程、计算机和控制技术文献占世界出版文献的30%;每年举办300多场大型会议;拥有800多个现行标准,其中700个正在开发中。(请参阅:互操作LAN/MAN安全标准。)

$ integrity See: data integrity, correctness integrity, source integrity, system integrity.

$ 完整性请参阅:数据完整性、正确性完整性、源完整性、系统完整性。

$ integrity check (D) ISDs SHOULD NOT use this term as a synonym for "cryptographic hash" or "protected checksum", because this term unnecessarily duplicates the meaning of other, well-established terms.

$ 完整性检查(D)ISDs不应将此术语用作“加密哈希”或“受保护校验和”的同义词,因为此术语不必要地重复了其他公认术语的含义。

$ intelligent threat (I) A circumstance in which an adversary has the technical and operational capability to detect and exploit a vulnerability and also has the demonstrated, presumed, or inferred intent to do so. (See: threat.)

$ 智能威胁(I)对手具有检测和利用漏洞的技术和操作能力,并且具有已证明、推定或推断的意图的情况。(见:威胁。)

$ International Data Encryption Algorithm (IDEA) (N) A patented, symmetric block cipher that uses a 128-bit key and operates on 64-bit blocks. [Schn] (See: symmetric cryptography.)

$ 国际数据加密算法(IDEA)(N):一种获得专利的对称分组密码,使用128位密钥,在64位块上运行。[Schn](请参阅:对称加密。)

$ International Standard See: (secondary definition under) ISO.

$ 国际标准见:(ISO下的二级定义)。

$ International Traffic in Arms Regulations (ITAR) (N) Rules issued by the U.S. State Department, by authority of the Arms Export Control Act (22 U.S.C. 2778), to control export and import of defense articles and defense services, including information security systems, such as cryptographic systems, and TEMPEST suppression technology. (See: Wassenaar Arrangement.)

$ 美国国务院根据《武器出口管制法》(22 U.S.C.2778)的授权发布的《国际武器贸易条例》(ITAR)(N)规则,用于控制国防物品和国防服务的进出口,包括信息安全系统,如密码系统和风暴抑制技术。(见:瓦森纳安排。)

$ internet $ Internet See: internet vs. Internet.

$ 因特网$因特网见:因特网与因特网。

$ Internet Architecture Board (IAB) (I) A technical advisory group of the ISOC, chartered by the ISOC Trustees to provide oversight of Internet architecture and protocols and, in the context of Internet Standards, a body to which decisions of the IESG may be appealed. Responsible for approving appointments to the IESG from among nominees submitted by the IETF nominating committee. [R2026]

$ 互联网体系结构委员会(IAB)(I)互联网体系结构委员会的一个技术咨询小组,由互联网体系结构委员会受托人特许,负责监督互联网体系结构和协议,并在互联网标准的背景下,对互联网体系结构和协议进行监督。互联网体系结构委员会是一个可以对IESG的决定提出上诉的机构。负责从IETF提名委员会提交的提名人中批准IESG的任命。[R2026]

$ Internet Assigned Numbers Authority (IANA) (I) From the early days of the Internet, the IANA was chartered by the ISOC and the U.S. Government's Federal Network Council to be the central coordination, allocation, and registration body for parameters for Internet protocols. Superseded by ICANN.

$ 互联网分配号码管理局(IANA)(I)从互联网诞生之初,IANA就被ISOC和美国政府联邦网络委员会特许成为互联网协议参数的中央协调、分配和注册机构。被ICANN取代。

$ Internet Control Message Protocol (ICMP) (I) An Internet Standard protocol [R0792] that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.

$ 互联网控制消息协议(ICMP)(I)互联网标准协议[R0792],用于报告IP数据报处理期间的错误情况,并交换与IP网络状态有关的其他信息。

$ Internet Corporation for Assigned Names and Numbers (ICANN) (I) The non-profit, private corporation that has assumed responsibility for the IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions formerly performed under U.S. Government contract by IANA and other entities.

$ 互联网名称和号码分配公司(ICANN)(I)负责IP地址空间分配、协议参数分配、域名系统管理的非营利私营公司,以及以前由IANA和其他实体根据美国政府合同执行的根服务器系统管理功能。

(C) The Internet Protocol Suite, as defined by the IETF and the IESG, contains numerous parameters, such as internet addresses, domain names, autonomous system numbers, protocol numbers, port numbers, management information base object identifiers, including

(C) IETF和IESG定义的互联网协议套件包含许多参数,如互联网地址、域名、自治系统号、协议号、端口号、管理信息库对象标识符,包括

private enterprise numbers, and many others. The Internet community requires that the values used in these parameter fields be assigned uniquely. ICANN makes those assignments as requested and maintains a registry of the current values.

私营企业的数量,以及许多其他。Internet社区要求对这些参数字段中使用的值进行唯一分配。ICANN根据要求进行这些分配,并维护当前值的注册表。

(C) ICANN was formed in October 1998, by a coalition of the Internet's business, technical, and academic communities. The U.S. Government designated ICANN to serve as the global consensus entity with responsibility for coordinating four key functions for the Internet: the allocation of IP address space, the assignment of protocol parameters, the management of the DNS, and the management of the DNS root server system.

(C) ICANN成立于1998年10月,由互联网的商业、技术和学术团体组成。美国政府指定ICANN作为全球共识实体,负责协调互联网的四项关键功能:IP地址空间分配、协议参数分配、DNS管理和DNS根服务器系统管理。

$ Internet Draft (I) A working document of the IETF, its areas, and its working groups. (Other groups may also distribute working documents as Internet Drafts.) An Internet Draft is not an archival document like an RFC is. Instead, an Internet Draft is a preliminary or working document that is valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use an Internet Draft as reference material or to cite it other than as "work in progress."

$ 互联网草案(I)IETF及其领域和工作组的工作文件。(其他小组也可以将工作文件作为互联网草稿分发。)互联网草稿不像RFC那样是档案文件。相反,互联网草案是一份最长有效期为六个月的初步文件或工作文件,可随时由其他文件更新、替换或作废。使用互联网草稿作为参考资料或引用它而不是“正在进行的工作”是不合适的

$ Internet Engineering Steering Group (IESG) (I) The part of the ISOC responsible for technical management of IETF activities and administration of the Internet Standards Process according to procedures approved by the ISOC Trustees. Directly responsible for actions along the "standards track", including final approval of specifications as Internet Standards. Composed of IETF Area Directors and the IETF chairperson, who also chairs the IESG. [R2026]

$ 互联网工程指导小组(IESG)(I)ISOC的一部分,负责IETF活动的技术管理,并根据ISOC受托人批准的程序管理互联网标准过程。直接负责“标准轨道”上的行动,包括最终批准作为互联网标准的规范。由IETF区域总监和IETF主席组成,IETF主席也担任IESG主席。[R2026]

$ Internet Engineering Task Force (IETF) (I) A self-organized group of people who make contributions to the development of Internet technology. The principal body engaged in developing Internet Standards, although not itself a part of the ISOC. Composed of Working Groups, which are arranged into Areas (such as the Security Area), each coordinated by one or more Area Directors. Nominations to the IAB and the IESG are made by a committee selected at random from regular IETF meeting attendees who have volunteered. [R2026, R2323]

$ 互联网工程任务组(IETF)(I)为互联网技术的发展做出贡献的自组织团队。参与制定互联网标准的主体机构,尽管其本身不是ISOC的一部分。由工作组组成,工作组分为多个区域(如安全区域),每个区域由一名或多名区域主管协调。IAB和IESG的提名由一个委员会进行,该委员会从自愿参加IETF定期会议的与会者中随机选出。[R2026,R2323]

$ Internet Message Access Protocol, version 4 (IMAP4) (I) An Internet protocol [R2060] by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client. (See: POP3.)

$ Internet邮件访问协议,第4版(IMAP4)(I)一种Internet协议[R2060],通过该协议,客户端工作站可以动态访问服务器主机上的邮箱,以操作和检索服务器已接收并为客户端保留的邮件。(见:POP3。)

(C) IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: IMAP4 AUTHENTICATE.)

(C) IMAP4有一些机制,可以选择性地向服务器验证客户端并提供其他安全服务。(请参阅:IMAP4验证。)

$ Internet Policy Registration Authority (IPRA) (I) An X.509-compliant CA that is the top CA of the Internet certification hierarchy operated under the auspices of the ISOC [R1422]. (See: (PEM usage under) certification hierarchy.)

$ 互联网政策注册机构(IPRA)(I)一个符合X.509标准的CA,它是在ISOC[R1422]主持下运行的互联网认证体系的顶级CA。(请参阅:(PEM使用)认证层次结构。)

$ Internet Protocol (IP) (I) A Internet Standard protocol (version 4 [R0791] and version 6 [R2460]) that moves datagrams (discrete sets of bits) from one computer to another across an internetwork but does not provide reliable delivery, flow control, sequencing, or other end-to-end services that TCP provides. (See: IP address, TCP/IP.)

$ 互联网协议(IP)(I)互联网标准协议(版本4[R0791]和版本6[R2460]),通过互联网将数据报(离散比特集)从一台计算机移动到另一台计算机,但不提供可靠的传输、流控制、排序或TCP提供的其他端到端服务。(请参阅:IP地址,TCP/IP。)

(C) In the OSIRM, IP would be located at the top of layer 3.

(C) 在OSIRM中,IP将位于第3层的顶部。

$ Internet Protocol security (IPsec) (I) (1.) The name of the IETF working group that is specifying a security architecture [R2401] and protocols to provide security services for Internet Protocol traffic. (2.) A collective name for that architecture and set of protocols. (Implementation of IPsec protocols is optional for IP version 4, but mandatory for IP version 6.) (See: Internet Protocol Security Option.)

$ 互联网协议安全(IPsec)(I)(1.)IETF工作组的名称,该工作组指定了安全体系结构[R2401]和协议,以为互联网协议流量提供安全服务。(2.)该体系结构和协议集的集合名称。(IPsec协议的实现对于IP版本4是可选的,但是对于IP版本6是强制性的。)(请参阅:Internet协议安全选项。)

(C) Note that the letters "sec" are lower-case.

(C) 请注意,字母“sec”是小写。

(C) The IPsec architecture specifies (a) security protocols (AH and ESP), (b) security associations (what they are, how they work, how they are managed, and associated processing), (c) key management (IKE), and (d) algorithms for authentication and encryption. The set of security services include access control service, connectionless data integrity service, data origin authentication service, protection against replays (detection of the arrival of duplicate datagrams, within a constrained window), data confidentiality service, and limited traffic flow confidentiality.

(C) IPsec体系结构规定了(a)安全协议(AH和ESP),(b)安全关联(它们是什么、如何工作、如何管理和关联处理),(C)密钥管理(IKE),以及(d)身份验证和加密算法。这组安全服务包括访问控制服务、无连接数据完整性服务、数据源身份验证服务、防止重播(在受限窗口内检测重复数据报的到达)、数据机密性服务和有限的流量机密性。

$ Internet Protocol Security Option (IPSO) (I) Refers to one of three types of IP security options, which are fields that may be added to an IP datagram for the purpose of carrying security information about the datagram. (See: IPsec.)

$ 互联网协议安全选项(IPSO)(I)是指三种类型的IP安全选项之一,它们是可添加到IP数据报的字段,用于承载有关数据报的安全信息。(请参阅:IPsec。)

(D) ISDs SHOULD NOT use this term without a modifier to indicate which of the three types is meant.

(D) ISDs不应在没有修饰符的情况下使用该术语,以指示这三种类型中的哪一种。

1. "DoD Basic Security Option" (IP option type 130): Defined for use on U.S. Department of Defense common user data networks. Identifies the Defense classification level at which the datagram is to be protected and the protection authorities whose rules apply to the datagram. [R1108]

1. “国防部基本安全选项”(IP选项类型130):定义用于美国国防部公共用户数据网络。标识要保护数据报的防御分类级别,以及其规则适用于数据报的保护机构。[R1108]

A "protection authority" is a National Access Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of Energy) or Special Access Program that specifies protection rules for transmission and processing of the information contained in the datagram. [R1108]

“保护机构”是指国家访问计划(如GENSER、SIOP-ESI、SCI、NSA、能源部)或特殊访问计划,规定数据报中包含的信息传输和处理的保护规则。[R1108]

2. "DoD Extended Security Option" (IP option type 133): Permits additional security labeling information, beyond that present in the Basic Security Option, to be supplied in the datagram to meet the needs of registered authorities. [R1108]

2. “国防部扩展安全选项”(IP选项类型133):允许在数据报中提供基本安全选项之外的附加安全标签信息,以满足注册机构的需要。[R1108]

3. "Common IP Security Option" (CIPSO) (IP option type 134): Designed by TSIG to carry hierarchic and non-hierarchic security labels. (Formerly called "Commercial IP Security Option".) Was published as Internet-Draft [CIPSO]; not advanced to RFC.

3. “通用IP安全选项”(CIPSO)(IP选项类型134):由TSIG设计,带有分层和非分层安全标签。(以前称为“商业IP安全选项”)作为互联网草案[CIPSO]出版;未升级到RFC。

$ Internet Protocol Suite See: (secondary definition under) Internet.

$ 互联网协议套件请参见:(第二定义)互联网。

$ Internet Security Association and Key Management Protocol (ISAKMP) (I) An Internet IPsec protocol [R2408] to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

$ 互联网安全关联和密钥管理协议(ISAKMP)(I)互联网IPsec协议[R2408],用于协商、建立、修改和删除安全关联,以及交换密钥生成和认证数据,与任何特定密钥生成技术、密钥建立协议、加密算法的细节无关,或身份验证机制。

(C) ISAKMP supports negotiation of security associations for protocols at all TCP/IP layers. By centralizing management of security associations, ISAKMP reduces duplicated functionality within each protocol. ISAKMP can also reduce connection setup time, by negotiating a whole stack of services at once. Strong authentication is required on ISAKMP exchanges, and a digital signature algorithm based on asymmetric cryptography is used within ISAKMP's authentication component.

(C) ISAKMP支持所有TCP/IP层协议的安全关联协商。通过集中管理安全关联,ISAKMP减少了每个协议中重复的功能。ISAKMP还可以通过一次协商整个服务堆栈来减少连接设置时间。ISAKMP交换需要强身份验证,并且在ISAKMP的身份验证组件中使用了基于非对称加密的数字签名算法。

$ Internet Society (ISOC) (I) A professional society concerned with Internet development (including technical Internet Standards); with how the Internet is and can be used; and with social, political, and technical issues

$ 互联网协会(ISOC)(I)一个关注互联网发展(包括互联网技术标准)的专业协会;互联网是如何使用的;以及社会、政治和技术问题

that result. The ISOC Board of Trustees approves appointments to the IAB from among nominees submitted by the IETF nominating committee. [R2026]

这就是结果。ISOC董事会从IETF提名委员会提交的提名人中批准IAB的任命。[R2026]

$ Internet Standard (I) A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. [R2026] (See: RFC.)

$ 互联网标准(I)由IESG批准并作为RFC发布的规范,其稳定且易于理解,具有技术能力,具有多个独立且可互操作的实施方案,具有丰富的运营经验,得到了公众的大力支持,并且在互联网的部分或所有部分都非常有用。[R2026](参见:RFC。)

(C) The Internet Standards Process is an activity of the ISOC and is organized and managed by the IAB and the IESG. The process is concerned with all protocols, procedures, and conventions used in or by the Internet, whether or not they are part of the Internet Protocol Suite. The "Internet Standards Track" has three levels of increasing maturity: Proposed Standard, Draft Standard, and Standard. (See: (standards levels under) ISO.)

(C) 互联网标准流程是ISOC的一项活动,由IAB和IESG组织和管理。该过程涉及互联网中使用或由互联网使用的所有协议、过程和约定,无论它们是否属于互联网协议套件的一部分。“互联网标准轨道”有三个日益成熟的层次:建议标准、草案标准和标准。(见:(ISO下的标准等级)

$ Internet Standards document (ISD) (C) In this Glossary, this term refers to an RFC, Internet-Draft, or other item that is produced as part of the Internet Standards Process [R2026]. However, neither the term nor the abbreviation is widely accepted and, therefore, SHOULD NOT be used in an ISD unless it is accompanied by an explanation like this. (See: Internet Standard.)

$ 互联网标准文件(ISD)(C)在本术语表中,该术语指RFC、互联网草案或作为互联网标准过程一部分产生的其他项目[R2026]。然而,该术语或缩写均未被广泛接受,因此不应在ISD中使用,除非附有类似的解释。(请参阅:互联网标准。)

$ internet vs. Internet 1. (I) Not capitalized: A popular abbreviation for "internetwork".

$ 互联网vs.互联网1。(一) 不大写:一个流行的“互联网”缩写。

2. (I) Capitalized: "The Internet" is the single, interconnected, worldwide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the IAB [R2026] and the name and address spaces managed by the ICANN.

2. (一) 大写:“互联网”是由商业、政府、教育和其他计算机网络组成的单一、相互连接的全球系统,共享IAB[R2026]规定的协议集以及ICANN管理的名称和地址空间。

(C) The protocol set is named the "Internet Protocol Suite". It also is popularly known as "TCP/IP", because TCP and IP are two of its fundamental components. These protocols enable a user of any one of the networks in the Internet to communicate with, or use services located on, any of the other networks.

(C) 该协议集被命名为“Internet协议套件”。它也被普遍称为“TCP/IP”,因为TCP和IP是它的两个基本组件。这些协议使互联网中任何一个网络的用户能够与任何其他网络通信或使用位于任何其他网络上的服务。

(C) Although the Internet does have architectural principles [R1958], no Internet Standard formally defines a layered reference model for the IPS that is similar to the OSIRM. However, Internet community documents do refer (inconsistently) to layers: application, socket, transport, internetwork, network, data link,

(C) 尽管互联网确实有体系结构原则[R1958],但没有任何互联网标准正式定义类似于OSIRM的IP分层参考模型。但是,Internet社区文档确实(不一致地)引用了层:应用程序、套接字、传输、互联网、网络、数据链路、,

and physical. In this Glossary, Internet layers are referred to by name to avoid confusing them with OSIRM layers, which are referred to by number.

和身体。在本词汇表中,Internet层按名称引用,以避免将它们与按编号引用的OSIRM层混淆。

$ internetwork (I) A system of interconnected networks; a network of networks. Usually shortened to "internet". (See: internet vs. Internet.)

$ 互联网络(I)互联网络系统;网络的网络。通常简称为“互联网”。(请参阅:互联网与互联网。)

(C) An internet is usually built using OSI layer 3 gateways to connect a set of subnetworks. When the subnetworks differ in the OSI layer 3 protocol service they provide, the gateways sometimes implement a uniform internetwork protocol (e.g., IP) that operates at the top of layer 3 and hides the underlying heterogeneity from hosts that use communication services provided by the internet. (See: router.)

(C) internet通常使用OSI第3层网关来连接一组子网。当子网在其提供的OSI第3层协议服务中不同时,网关有时会实现一个统一的互联网协议(如IP),该协议在第3层的顶部运行,并对使用互联网提供的通信服务的主机隐藏底层异构性。(请参阅:路由器。)

$ intranet (I) A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders. (See: extranet, virtual private network.)

$ 内联网(I)一种计算机网络,特别是基于互联网技术的网络,一个组织为了自己的内部(通常是私有)目的使用该网络,并且对外部开放。(请参阅:外部网,虚拟专用网络。)

$ intruder (I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (See: cracker.)

$ 入侵者(I)未经授权而获取或试图获取对系统或系统资源访问权限的实体。(请参阅:cracker。)

$ intrusion See: security intrusion.

$ 入侵见:安全入侵。

$ intrusion detection (I) A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

$ 入侵检测(I)一种安全服务,监控和分析系统事件,以发现以未经授权的方式访问系统资源的企图,并提供实时或近实时警告。

$ invalidity date (N) An X.509 CRL entry extension that "indicates the date at which it is known or suspected that the [revoked certificate's private key] was compromised or that the certificate should otherwise be considered invalid" [X509].

$ 无效日期(N)X.509 CRL条目扩展,“表示已知或怀疑[已撤销证书的私钥]被泄露的日期,或该证书应被视为无效的日期”[X509]。

(C) This date may be earlier than the revocation date in the CRL entry, and may even be earlier than the date of issue of earlier CRLs. However, the invalidity date is not, by itself, sufficient for purposes of non-repudiation service. For example, to

(C) 该日期可能早于CRL条目中的撤销日期,甚至可能早于早期CRL的发布日期。然而,失效日期本身并不足以提供不可抵赖服务。比如说

fraudulently repudiate a validly-generated signature, a private key holder may falsely claim that the key was compromised at some time in the past.

通过欺诈性地拒绝有效生成的签名,私钥持有人可能会错误地声称密钥在过去某个时间被泄露。

$ IP See: Internet Protocol.

$ 参见:互联网协议。

$ IP address (I) A computer's internetwork address that is assigned for use by the Internet Protocol and other protocols.

$ IP地址(I)计算机的互联网地址,由互联网协议和其他协议分配使用。

(C) An IP version 4 [R0791] address is written as a series of four 8-bit numbers separated by periods. For example, the address of the host named "rosslyn.bbn.com" is 192.1.7.10.

(C) IP版本4[R0791]地址被写入由四个8位数字组成的一系列,以句点分隔。例如,名为“rosslyn.bbn.com”的主机的地址是192.1.7.10。

(C) An IP version 6 [R2373] address is written as x:x:x:x:x:x:x:x, where each "x" is the hexadecimal value of one of the eight 16-bit parts of the address. For example, 1080:0:0:0:8:800:200C:417A and FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

(C) IP版本6[R2373]地址写为x:x:x:x:x:x:x:x,其中每个“x”是地址八个16位部分之一的十六进制值。例如,1080:0:0:0:8:800:200C:417A和FEDC:BA98:7654:3210:FEDC:BA98:7654:3210。

$ IP Security Option See: Internet Protocol Security Option.

$ IP安全选项请参阅:Internet协议安全选项。

$ IPRA See: Internet Policy Registration Authority.

$ IPRA见:互联网政策注册机构。

$ IPsec See: Internet Protocol security.

$ IPsec请参阅:Internet协议安全。

$ IPsec Key Exchange (IKE) (I) An Internet, IPsec, key-establishment protocol [R2409] (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.

$ IPsec密钥交换(IKE)(I)一种互联网、IPsec、密钥建立协议[R2409](部分基于OAKLEY),用于放置经过身份验证的密钥材料,用于ISAKMP和其他安全关联,如AH和ESP。

$ IPSO See: Internet Protocol Security Option.

$ IPSO见:互联网协议安全选项。

$ ISAKMP See: Internet Security Association and Key Management Protocol.

$ ISAKMP请参阅:Internet安全关联和密钥管理协议。

$ ISD See: Internet Standards document.

$ ISD见:互联网标准文件。

$ ISO (I) International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of

$ ISO(I)国际标准化组织,一个自愿、非条约、非政府组织,成立于1947年,其有投票权的成员为指定的标准机构

participating nations and non-voting observer organizations. (See: ANSI, ITU-T.)

参加国和无表决权的观察员组织。(见:ANSI,ITU-T)

(C) Legally, ISO is a Swiss, non-profit, private organization. ISO and the IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in developing international standards through ISO and IEC technical committees that deal with particular fields of activity. Other international governmental and non-governmental organizations, in liaison with ISO and IEC, also take part. (ANSI is the U.S. voting member of ISO. ISO is a class D member of ITU-T.)

(C) 从法律上讲,ISO是一个瑞士的非营利私人组织。ISO和IEC(国际电工委员会)形成了全球标准化的专门体系。作为ISO或IEC成员的国家机构通过处理特定活动领域的ISO和IEC技术委员会参与制定国际标准。与ISO和IEC联络的其他国际政府和非政府组织也参加了会议。(ANSI是ISO的美国投票成员。ISO是ITU-T的D级成员。)

(C) The ISO standards development process has four levels of increasing maturity: Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), and International Standard (IS). (See: (standards track levels under) Internet Standard.) In information technology, ISO and IEC have a joint technical committee, ISO/IEC JTC 1. DISs adopted by JTC 1 are circulated to national bodies for voting, and publication as an IS requires approval by at least 75% of the national bodies casting a vote.

(C) ISO标准开发过程有四个日益成熟的层次:工作草案(WD)、委员会草案(CD)、国际标准草案(DIS)和国际标准(IS)。(参见:(互联网标准下的标准跟踪级别)在信息技术领域,ISO和IEC有一个联合技术委员会,即ISO/IEC JTC 1。JTC 1采用的DIS将分发给国家机构进行投票,作为IS发布需要至少75%的投票国家机构的批准。

$ ISOC See: Internet Society.

$ ISOC见:互联网协会。

$ issue (a digital certificate or CRL) (I) Generate and sign a digital certificate (or CRL) and, usually, distribute it and make it available to potential certificate users (or CRL users). (See: certificate creation.)

$ 发布(数字证书或CRL)(I)生成和签署数字证书(或CRL),通常将其分发给潜在的证书用户(或CRL用户)。(请参阅:证书创建。)

(C) The ABA Guidelines [ABA] explicitly limit this term to certificate creation, and exclude the act of publishing. In general usage, however, "issuing" a digital certificate (or CRL) includes not only certificate creation but also making it available to potential users, such as by storing it in a repository or other directory or otherwise publishing it.

(C) ABA指南[ABA]明确将该术语限制为证书创建,并排除发布行为。但是,在一般情况下,“颁发”数字证书(或CRL)不仅包括创建证书,还包括向潜在用户提供证书,例如将其存储在存储库或其他目录中或以其他方式发布。

$ issuer 1. (I) "Issuer" of a certificate or CRL: The CA that signs the digital certificate or CRL.

$ 发行人1。(一) 证书或CRL的“颁发者”:签署数字证书或CRL的CA。

(C) An X.509 certificate always includes the issuer's name. The name may include a common name value.

(C) X.509证书始终包含颁发者的名称。该名称可能包括通用名称值。

2. (N) "Issuer" of a payment card: SET usage: "The financial institution or its agent that issues the unique primary account number to the cardholder for the payment card brand." [SET2]

2. (N) 支付卡的“发卡机构”:设置用法:“为支付卡品牌向持卡人发放唯一主账号的金融机构或其代理机构。”[SET2]

(C) The institution that establishes the account for a cardholder and issues the payment card also guarantees payment for authorized transactions that use the card in accordance with card brand regulations and local legislation. [SET1]

(C) 为持卡人建立账户并发行支付卡的机构还保证根据卡品牌法规和当地法律对使用该卡的授权交易进行支付。[SET1]

$ ITAR See: International Traffic in Arms Regulations.

$ ITAR见:国际武器贩运条例。

$ ITSEC See: Information Technology System Evaluation Criteria.

$ ITSEC见:信息技术系统评估标准。

$ ITU-T (N) International Telecommunications Union, Telecommunication Standardization Sector (formerly "CCITT"), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called "Recommendations". (See: X.400, X.500.)

$ ITU-T(N)国际电信联盟,电信标准化部门(前身为“CCITT”),一个联合国条约组织,主要由成员国的邮政、电话和电报部门组成,发布称为“建议”的标准。(见:X.400、X.500)

(C) The Department of State represents the United States. ITU-T works on many kinds of communication systems. ITU-T cooperates with ISO on communication protocol standards, and many Recommendations in that area are also published as an ISO standard with an ISO name and number.

(C) 国务院代表美国。ITU-T适用于多种通信系统。ITU-T在通信协议标准方面与ISO合作,该领域的许多建议也以ISO名称和编号的ISO标准发布。

$ IV See: initialization value.

$ IV见:初始化值。

$ KDC See: Key Distribution Center.

$ KDC见:钥匙配送中心。

$ KEA See: Key Exchange Algorithm.

$ KEA-See:密钥交换算法。

$ KEK See: key-encrypting key.

$ KEK请参阅:密钥加密密钥。

$ Kerberos (N) A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. [R1510, Stei]

$ Kerberos(N):麻省理工学院开发的一种系统,依靠密码和对称加密(DES)实现分布在客户机-服务器网络环境中的基于票据的对等实体身份验证服务和访问控制服务。[R1510,Stei]

(C) Kerberos was developed by Project Athena and is named for the three-headed dog guarding Hades.

(C) Kerberos由雅典娜项目开发,以守护冥府的三头狗命名。

$ key See: cryptographic key.

$ 密钥请参阅:加密密钥。

$ key agreement (algorithm or protocol) (I) A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each computes the same key value. I.e., each can independently generate the same key value, but that key cannot be computed by other entities. (See: Diffie-Hellman, key establishment, Key Exchange Algorithm, key transport.)

$ 密钥协商(算法或协议)(I)一种密钥建立方法(特别是涉及非对称加密的方法),通过该方法,两个或多个实体在没有事先安排的情况下(除了公共数据交换(如公钥))计算相同的密钥值。即,每一个都可以独立地生成相同的键值,但该键值不能由其他实体计算。(参见:Diffie Hellman,密钥建立,密钥交换算法,密钥传输。)

(O) "A method for negotiating a key value on line without transferring the key, even in an encrypted form, e.g., the Diffie-Hellman technique." [X509]

(O) “一种在不传输密钥的情况下在线协商密钥值的方法,即使采用加密形式,例如Diffie-Hellman技术。”[X509]

(O) "The procedure whereby two different parties generate shared symmetric keys such that any of the shared symmetric keys is a function of the information contributed by all legitimate participants, so that no party [alone] can predetermine the value of the key." [A9042]

(O) “两个不同方生成共享对称密钥的过程,使得任何共享对称密钥都是所有合法参与者提供的信息的函数,因此任何一方[单独]都不能预先确定密钥的值。”[A9042]

(C) For example, a message originator and the intended recipient can each use their own private key and the other's public key with the Diffie-Hellman algorithm to first compute a shared secret value and, from that value, derive a session key to encrypt the message.

(C) 例如,消息发起者和预期接收者可以各自使用自己的私钥和另一方的公钥以及Diffie-Hellman算法来首先计算共享秘密值,并从该值派生会话密钥来加密消息。

$ key authentication (N) "The assurance of the legitimate participants in a key agreement that no non-legitimate party possesses the shared symmetric key." [A9042]

$ 密钥认证(N)“密钥协议的合法参与者保证非合法方不拥有共享对称密钥。”[A9042]

$ key center (I) A centralized key distribution process (used in symmetric cryptography), usually a separate computer system, that uses key-encrypting keys (master keys) to encrypt and distribute session keys needed in a community of users.

$ 密钥中心(I)一个集中的密钥分发过程(用于对称加密),通常是一个单独的计算机系统,它使用密钥加密密钥(主密钥)来加密和分发用户社区所需的会话密钥。

(C) An ANSI standard [A9017] defines two types of key center: key distribution center and key translation center.

(C) ANSI标准[A9017]定义了两种类型的密钥中心:密钥分发中心和密钥翻译中心。

$ key confirmation (N) "The assurance of the legitimate participants in a key establishment protocol that the intended parties sharing the symmetric key actually possess the shared symmetric key." [A9042]

$ 密钥确认(N)“密钥建立协议的合法参与者保证共享对称密钥的预期各方实际拥有共享对称密钥。”[A9042]

$ key distribution (I) A process that delivers a cryptographic key from the location where it is generated to the locations where it is used in a cryptographic algorithm. (See: key management.)

$ 密钥分发(I)将加密密钥从生成位置传递到加密算法中使用的位置的过程。(请参阅:密钥管理。)

$ key distribution center (KDC) (I) A type of key center (used in symmetric cryptography) that implements a key distribution protocol to provide keys (usually, session keys) to two (or more) entities that wish to communicate securely. (See: key translation center.)

$ 密钥分发中心(KDC)(I)一种密钥中心(用于对称加密),它实现密钥分发协议,为希望安全通信的两个(或更多)实体提供密钥(通常为会话密钥)。(请参阅:密钥翻译中心。)

(C) A KDC distributes keys to Alice and Bob, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the KDC, and (c) may not be able to generate or acquire keys by themselves. Alice requests the keys from the KDC. The KDC generates or acquires the keys and makes two identical sets. The KDC encrypts one set in the KEK it shares with Alice, and sends that encrypted set to Alice. The KDC encrypts the second set in the KEK it shares with Bob, and either sends that encrypted set to Alice for her to forward to Bob, or sends it directly to Bob (although the latter option is not supported in the ANSI standard [A9017]).

(C) KDC将密钥分发给Alice和Bob,他们(A)希望彼此通信,但当前不共享密钥,(b)各自与KDC共享KEK,以及(C)可能无法自行生成或获取密钥。Alice向KDC请求密钥。KDC生成或获取密钥,并生成两个相同的集合。KDC加密它与Alice共享的KEK中的一个集,并将该加密集发送给Alice。KDC对与Bob共享的KEK中的第二个集进行加密,并将该加密集发送给Alice供她转发给Bob,或直接发送给Bob(尽管ANSI标准[A9017]不支持后一个选项)。

$ key encapsulation See: (secondary definition under) key recovery.

$ 密钥封装请参见:(第二定义)密钥恢复。

$ key-encrypting key (KEK) (I) A cryptographic key that is used to encrypt other keys, either DEKs or other KEKs, but usually is not used to encrypt application data.

$ 密钥加密密钥(KEK)(I)用于加密其他密钥(DEK或其他KEK),但通常不用于加密应用程序数据的加密密钥。

$ key escrow See: (secondary definition under) key recovery.

$ 密钥托管参见:(第二个定义下)密钥恢复。

$ key establishment (algorithm or protocol) (I) A process that combines the key generation and key distribution steps needed to set up or install a secure communication association. (See: key agreement, key transport.)

$ 密钥建立(算法或协议)(I)结合密钥生成和密钥分发步骤的过程,需要建立或安装安全通信关联。(请参阅:密钥协议、密钥传输。)

(O) "The procedure to share a symmetric key among different parties by either key agreement or key transport." [A9042]

(O) “通过密钥协议或密钥传输在不同方之间共享对称密钥的过程。”[A9042]

(C) Key establishment involves either key agreement or key transport:

(C) 密钥建立涉及密钥协议或密钥传输:

- Key transport: One entity generates a secret key and securely sends it to the other entity. (Or each entity generates a secret value and securely sends it to the other entity, where the two values are combined to form a secret key.)

- 密钥传输:一个实体生成一个密钥并安全地发送给另一个实体。(或者每个实体生成一个秘密值并安全地将其发送给另一个实体,在该实体中,两个值组合形成一个秘密密钥。)

- Key agreement: No secret is sent from one entity to another. Instead, both entities, without prior arrangement except a public exchange of data, compute the same secret value. I.e.,

- 密钥协议:没有秘密从一个实体发送到另一个实体。相反,这两个实体在没有事先安排的情况下(除了公开数据交换),计算相同的秘密值。即。,

each can independently generate the same value, but that value cannot be computed by other entities.

每个实体都可以独立生成相同的值,但其他实体无法计算该值。

$ Key Exchange Algorithm (KEA) (N) A key agreement algorithm [NIST] that is similar to the Diffie-Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the "Secret" level by NSA. (See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)

$ 密钥交换算法(KEA)(N)一种密钥协商算法[NIST],类似于Diffie-Hellman算法,使用1024位非对称密钥,由NSA开发并以前在“机密”级别进行分类。(见:顶石、克利伯、福特扎、SKIPJACK)

(C) On 23 June 1998, the NSA announced that KEA had been declassified.

(C) 1998年6月23日,国家安全局宣布KEA已解密。

$ key generation (I) A process that creates the sequence of symbols that comprise a cryptographic key. (See: key management.)

$ 密钥生成(I)创建包含加密密钥的符号序列的过程。(请参阅:密钥管理。)

$ key generator 1. (I) An algorithm that uses mathematical rules to deterministically produce a pseudo-random sequence of cryptographic key values.

$ 钥匙生成器1。(一) 一种算法,它使用数学规则来确定地产生密码键值的伪随机序列。

2. (I) An encryption device that incorporates a key generation mechanism and applies the key to plaintext (e.g., by exclusive OR-ing the key bit string with the plaintext bit string) to produce ciphertext.

2. (一) 一种加密设备,包括密钥生成机制,并将密钥应用于明文(例如,通过将密钥位串与明文位串互斥或互锁),以生成密文。

$ key length (I) The number of symbols (usually bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)

$ 密钥长度(I)能够表示加密密钥的任何可能值所需的符号数(通常为位)。(请参见:键空间。)

$ key lifetime (N) MISSI usage: An attribute of a MISSI key pair that specifies a time span that bounds the validity period of any MISSI X.509 public-key certificate that contains the public component of the pair. (See: cryptoperiod.)

$ 密钥生存期(N)MSI使用:MSI密钥对的一个属性,指定一个时间跨度,该时间跨度限制包含该密钥对的公共组件的任何MSI X.509公钥证书的有效期。(请参阅:加密周期。)

$ key management (I) The process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the material. (See: key distribution, key escrow, keying material, public-key infrastructure.)

$ 密钥管理(I)在密码系统的生命周期内处理和控制密码密钥和相关材料(如初始化值)的过程,包括订购、生成、分发、存储、加载、托管、归档、审核和销毁材料。(请参阅:密钥分发、密钥托管、密钥材料、公钥基础设施。)

(O) "The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy." [I7498 Part 2]

(O) “根据安全策略生成、存储、分发、删除、存档和应用密钥。”[I7498第2部分]

(O) "The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs, counters) during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving." [FP140]

(O) “涉及在密钥的整个生命周期内处理加密密钥和其他相关安全参数(如IVs、计数器)的活动,包括密钥的生成、存储、分发、输入和使用、删除或销毁以及存档。”[FP140]

$ Key Management Protocol (KMP) (N) A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.)

$ 密钥管理协议(KMP)(N)在一对(或一组)用户之间建立共享对称密钥的协议。(一个版本的KMP由SDNS开发,另一个由SILS开发。)

$ key material identifier (KMID) (N) MISSI usage: A 64-bit identifier that is assigned to a key pair when the public key is bound in a MISSI X.509 public-key certificate.

$ 密钥材料标识符(KMID)(N)MSI用法:当公钥绑定在MSI X.509公钥证书中时,分配给密钥对的64位标识符。

$ key pair (I) A set of mathematically related keys--a public key and a private key--that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key (e.g., see: Diffie-Hellman, Rivest-Shamir-Adleman).

$ 密钥对(I)一组数学上相关的密钥——公钥和私钥——用于非对称加密,其生成方式使得从公钥的知识中导出私钥在计算上不可行(例如,参见:Diffie Hellman,Rivest Shamir Adleman)。

(C) A key pair's owner discloses the public key to other system entities so they can use the key to encrypt data, verify a digital signature, compute a protected checksum, or generate a key in a key agreement algorithm. The matching private key is kept secret by the owner, who uses it to decrypt data, generate a digital signature, verify a protected checksum, or generate a key in a key agreement algorithm.

(C) 密钥对的所有者将公钥公开给其他系统实体,以便它们可以使用该密钥加密数据、验证数字签名、计算受保护校验和或在密钥协商算法中生成密钥。匹配的私钥由所有者保密,所有者使用私钥解密数据、生成数字签名、验证受保护的校验和或在密钥协商算法中生成密钥。

$ key recovery 1. (I) A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis.)

$ 密钥恢复1。(一) 用于学习以前用于执行某些加密操作的加密密钥的值的过程。(参见:密码分析。)

2. (I) Techniques that provide an intentional, alternate (i.e., secondary) means to access the key used for data confidentiality service in an encrypted association. [DOD4]

2. (一) 提供有意的替代(即,次要)手段以访问加密关联中用于数据保密服务的密钥的技术。[DOD4]

(C) We assume that the encryption mechanism has a primary means of obtaining the key through a key establishment algorithm or protocol. For the secondary means, there are two classes of key recovery techniques--key escrow and key encapsulation:

(C) 我们假设加密机制具有通过密钥建立算法或协议获取密钥的主要手段。对于第二种方法,有两类密钥恢复技术——密钥托管和密钥封装:

- "Key escrow": A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances.

- “密钥托管”:一种密钥恢复技术,用于在一个或多个称为“托管代理”的第三方托管下存储加密密钥或其部分的知识,以便在特定情况下恢复和使用密钥。

Key escrow is typically implemented with split knowledge techniques. For example, the Escrowed Encryption Standard [FP185] entrusts two components of a device-unique split key to separate escrow agents. The agents provide the components only to someone legally authorized to conduct electronic surveillance of telecommunications encrypted by that specific device. The components are used to reconstruct the device-unique key, and it is used to obtain the session key needed to decrypt communications.

密钥托管通常使用分割知识技术实现。例如,托管加密标准[FP185]将设备唯一分割密钥的两个组件委托给单独的托管代理。代理商仅向合法授权的人员提供组件,以便对由该特定设备加密的电信进行电子监控。这些组件用于重建设备唯一密钥,并用于获取解密通信所需的会话密钥。

- "Key encapsulation": A key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key.

- “密钥封装”:一种密钥恢复技术,通过使用另一个密钥对加密密钥进行加密,并确保只有某些称为“恢复代理”的第三方可以执行解密操作来检索存储的密钥,从而存储加密密钥的知识。

Key encapsulation typically allows direct retrieval of the secret key used to provide data confidentiality.

密钥封装通常允许直接检索用于提供数据机密性的密钥。

$ key space (I) The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)

$ 密钥空间(I)加密密钥的可能值的范围;或者特定加密算法支持的不同转换的数量。(请参见:键长度。)

$ key translation center (I) A type of key center (used in a symmetric cryptography) that implements a key distribution protocol to convey keys between two (or more) parties who wish to communicate securely. (See: key distribution center.)

$ 密钥转换中心(I)一种密钥中心(用于对称加密),实现密钥分发协议,以便在希望安全通信的两(或更多)方之间传输密钥。(请参阅:密钥分发中心。)

(C) A key translation center translates keys for future communication between Bob and Alice, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the center, and (c) have the ability to generate or acquire keys by themselves. Alice generates or acquires a set of keys for communication with Bob. Alice encrypts the set in the KEK she shares with the center and sends the encrypted set to the center. The center decrypts the set, reencrypts the set in the KEK it shares with Bob, and either sends that encrypted set to Alice for her to forward to Bob, or sends it directly to Bob (although direct distribution is not supported in the ANSI standard [A9017]).

(C) 钥匙翻译中心为Bob和Alice之间的未来通信翻译钥匙,他们(A)希望彼此通信,但目前不共享钥匙,(b)每个人都与中心共享一个KEK,以及(C)能够自己生成或获取钥匙。Alice生成或获取一组用于与Bob通信的密钥。Alice对她与中心共享的桶中的集进行加密,并将加密集发送到中心。中心解密该集,在与Bob共享的KEK中重新加密该集,然后将该加密集发送给Alice,让她转发给Bob,或者直接发送给Bob(尽管ANSI标准[A9017]不支持直接分发)。

$ key transport (algorithm or protocol) (I) A key establishment method by which a secret key is generated by one entity in a communication association and securely sent to another entity in the association. (See: key agreement.)

$ 密钥传输(算法或协议)(I)一种密钥建立方法,通过该方法,通信关联中的一个实体生成密钥,并安全地发送给该关联中的另一个实体。(请参阅:关键协议。)

(O) "The procedure to send a symmetric key from one party to other parties. As a result, all legitimate participants share a common symmetric key in such a way that the symmetric key is determined entirely by one party." [A9042]

(O) “从一方向另一方发送对称密钥的过程。因此,所有合法参与者共享一个公共对称密钥,使得对称密钥完全由一方确定。”[A9042]

(C) For example, a message originator can generate a random session key and then use the Rivest-Shamir-Adleman algorithm to encrypt that key with the public key of the intended recipient.

(C) 例如,消息发起人可以生成一个随机会话密钥,然后使用Rivest-Shamir-Adleman算法使用预期收件人的公钥加密该密钥。

$ key update (I) Derive a new key from an existing key. (See: certificate rekey.)

$ 密钥更新(I)从现有密钥派生新密钥。(请参阅:证书重新密钥。)

$ key validation (N) "The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks." [A9042]

$ 密钥验证(N)“公钥接收者检查密钥是否符合该密钥的算术要求,以阻止某些类型的攻击的过程。”[A9042]

$ keyed hash (I) A cryptographic hash (e.g., [R1828]) in which the mapping to a hash result is varied by a second input parameter that is a cryptographic key. (See: checksum.)

$ 键控散列(I)加密散列(例如,[R1828]),其中到散列结果的映射由作为加密密钥的第二输入参数改变。(请参阅:校验和。)

(C) If the input data object is changed, a new hash result cannot be correctly computed without knowledge of the secret key. Thus, the secret key protects the hash result so it can be used as a checksum even when there is a threat of an active attack on the data. There are least two forms of keyed hash:

(C) 如果更改了输入数据对象,则在不知道密钥的情况下无法正确计算新的哈希结果。因此,密钥保护散列结果,因此即使在数据受到主动攻击的威胁时,也可以将其用作校验和。键控哈希至少有两种形式:

- A function based on a keyed encryption algorithm. (E.g., see: Data Authentication Code.)

- 基于密钥加密算法的函数。(例如,请参阅:数据认证代码。)

- A function based on a keyless hash that is enhanced by combining (e.g., by concatenating) the input data object parameter with a key parameter before mapping to the hash result. (E.g., see: HMAC.)

- 一种基于无键散列的函数,在映射到散列结果之前,通过将输入数据对象参数与键参数组合(例如,通过连接)来增强该函数。(例如,见:HMAC)

$ keying material (I) Data (such as keys, key pairs, and initialization values) needed to establish and maintain a cryptographic security association.

$ 密钥材料(I)建立和维护加密安全关联所需的数据(如密钥、密钥对和初始化值)。

$ KMID See: key material identifier.

$ KMID见:关键材料标识符。

$ known-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as the knowing the cryptographic algorithm).

$ 已知明文攻击(I)一种密码分析技术,分析员试图通过对一些明文密文对的了解来确定密钥(尽管分析员也可能有其他线索,例如知道密码算法)。

$ L2F See: Layer 2 Forwarding Protocol.

$ L2F参见:第2层转发协议。

$ L2TP See: Layer 2 Tunneling Protocol.

$ L2TP参见:第2层隧道协议。

$ label See: security label.

$ 标签见:安全标签。

$ Language of Temporal Ordering Specification (LOTOS) (N) A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.

$ 时间顺序规范语言(LOTOS)(N)计算机网络协议形式规范的语言(ISO 8807-1990);描述事件发生的顺序。

$ lattice model (I) A security model for flow control in a system, based on the lattice that is formed by the finite security levels in a system and their partial ordering. [Denn] (See: flow control, security level, security model.)

$ 格模型(I)系统中流量控制的安全模型,基于系统中有限安全级别及其偏序形成的格。[Denn](请参阅:流控制、安全级别、安全模型。)

(C) The model describes the semantic structure formed by a finite set of security levels, such as those used in military organizations.

(C) 该模型描述由一组有限的安全级别(如军事组织中使用的安全级别)形成的语义结构。

(C) A lattice is a finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound. For example, a lattice is formed by a finite set S of security levels -- i.e., a set S of all ordered pairs (x, c), where x is one of a finite set X of hierarchically ordered classification levels (X1, ..., Xm), and c is a (possibly empty) subset of a finite set C of non-hierarchical categories (C1, ..., Cn) -- together with the "dominate" relation. (See: dominate.)

(C) 格是一个有限集,其元素上有偏序,使得每对元素都有一个最小上界和一个最大下界。例如,晶格由安全级别的有限集S(即,所有有序对(x,c)的集S)和“支配”一起形成,其中x是分层有序分类级别(X1,…,Xm)的有限集x之一,c是非分层类别(C1,…,Cn)的有限集c的子集(可能为空)关系(见:支配)

$ Law Enforcement Access Field (LEAF) (N) A data item that is automatically embedded in data encrypted by devices (e.g., see: CLIPPER chip) that implement the Escrowed Encryption Standard.

$ 执法访问字段(LEAF)(N)自动嵌入由实施托管加密标准的设备(如:CLIPPER芯片)加密的数据中的数据项。

$ Layer 2 Forwarding Protocol (L2F) (N) An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)

$ 第2层转发协议(L2F)(N):一种互联网协议(最初由Cisco公司开发),它使用IP上PPP的隧道来创建网络上拨号链路的虚拟扩展,由拨号服务器发起,对拨号用户透明。(请参阅:L2TP。)

$ Layer 2 Tunneling Protocol (L2TP) (N) An Internet client-server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: virtual private network.)

$ 第二层隧道协议(L2TP)(N)一种互联网客户机-服务器协议,它结合了PPTP和L2F的各个方面,并支持通过IP网络或帧中继或其他交换网络对PPP进行隧道传输。(请参阅:虚拟专用网络。)

(C) PPP can in turn encapsulate any OSI layer 3 protocol. Thus, L2TP does not specify security services; it depends on protocols layered above and below it to provide any needed security.

(C) PPP反过来可以封装任何OSI第3层协议。因此,L2TP没有指定安全服务;它依赖于上下分层的协议来提供所需的安全性。

$ LDAP See: Lightweight Directory Access Protocol.

$ LDAP请参阅:轻量级目录访问协议。

$ least privilege (I) The principle that a security architecture should be designed so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. (See: economy of mechanism.)

$ 最低特权(I)安全体系结构的设计原则,即应向每个系统实体授予该实体执行其工作所需的最低系统资源和授权。(见:机制经济。)

(C) This principle tends to limit damage that can be caused by an accident, error, or unauthorized act.

(C) 这一原则倾向于限制事故、错误或未经授权的行为可能造成的损害。

$ Lightweight Directory Access Protocol (LDAP) (N) A client-server protocol that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP). [R1777]

$ 轻量级目录访问协议(LDAP)(N)一种客户端-服务器协议,支持X.500目录(或其他目录服务器)的基本使用,而无需满足完整目录访问协议(DAP)的资源需求。[R1777]

(C) Designed for simple management and browser applications that provide simple read/write interactive directory service. Supports both simple authentication and strong authentication of the client to the directory server.

(C) 专为提供简单读/写交互式目录服务的简单管理和浏览器应用程序而设计。支持客户端到目录服务器的简单身份验证和强身份验证。

$ link (I) World Wide Web usage: See: hyperlink.

$ 链接(I)万维网用法:见:超链接。

(I) Subnetwork usage: A point-to-point communication channel connecting two subnetwork relays (especially one between two packet switches) that is implemented at OSI layer 2. (See: link encryption.)

(一) 子网用途:连接两个子网中继(特别是两个分组交换机之间的一个子网中继)的点对点通信信道,在OSI第2层实现。(请参阅:链接加密。)

(C) The relay computers assume that links are logically passive. If a computer at one end of a link sends a sequence of bits, the sequence simply arrives at the other end after a finite time, although some bits may have been changed either accidentally (errors) or by active wiretapping.

(C) 中继计算机假定链路在逻辑上是被动的。如果链路一端的计算机发送一个位序列,则该序列在有限时间后到达另一端,尽管某些位可能是意外(错误)或通过主动窃听而改变的。

$ link-by-link encryption $ link encryption (I) Stepwise protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnetwork relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (See: end-to-end encryption.)

$ 逐链路加密$链路加密(I)通过对每个网络链路上的数据分别加密,即在数据离开主机或子网络中继时加密数据,并在数据到达下一个主机或中继时解密,对网络中两点之间流动的数据进行逐步保护。每个链接可能使用不同的密钥,甚至使用不同的算法。[R1455](请参阅:端到端加密。)

$ logic bomb (I) Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. (See: Trojan horse, virus, worm.)

$ 逻辑炸弹(I)当满足指定条件时激活的恶意逻辑。通常旨在导致拒绝服务或以其他方式损坏系统资源。(请参阅:特洛伊木马、病毒、蠕虫。)

$ login (I) The act of a system entity gaining access to a session in which the entity can use system resources; usually accomplished by providing a user name and password to an access control system that authenticates the user.

$ 登录(I)系统实体访问会话的行为,在该会话中,该实体可以使用系统资源;通常通过向认证用户的访问控制系统提供用户名和密码来完成。

(C) Derives from "log" file", a security audit trail that records security events, such as the beginning of sessions, and who initiates them.

(C) 派生自“日志”文件,这是一个安全审计跟踪,记录安全事件,例如会话的开始以及谁发起这些事件。

$ LOTOS See: Language of Temporal Ordering Specification.

$ LOTOS见:时态排序规范语言。

$ MAC See: mandatory access control, Message Authentication Code.

$ MAC请参阅:强制访问控制、消息身份验证代码。

$ malicious logic (I) Hardware, software, or firmware that is intentionally included or inserted in a system for a harmful purpose. (See: logic bomb, Trojan horse, virus, worm.)

$ 恶意逻辑(I)出于有害目的故意包含或插入系统的硬件、软件或固件。(请参阅:逻辑炸弹、特洛伊木马、病毒、蠕虫。)

$ malware (I) A contraction of "malicious software". (See: malicious logic.)

$ 恶意软件(I)“恶意软件”的缩写。(请参阅:恶意逻辑。)

(D) ISDs SHOULD NOT use this term because it is not listed in most dictionaries and could confuse international readers.

(D) ISDs不应该使用这个术语,因为大多数词典都没有列出这个术语,可能会使国际读者感到困惑。

$ man-in-the-middle (I) A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data in order to masquerade as one or more of the entities involved in a communication association. (See: hijack attack, piggyback attack.)

$ 中间人(I)一种主动窃听攻击形式,攻击者拦截并有选择地修改通信数据,以伪装成通信关联中涉及的一个或多个实体。(参见:劫持攻击、背驮攻击。)

(C) For example, suppose Alice and Bob try to establish a session key by using the Diffie-Hellman algorithm without data origin authentication service. A "man in the middle" could (a) block direct communication between Alice and Bob and then (b) masquerade as Alice sending data to Bob, (c) masquerade as Bob sending data to Alice, (d) establish separate session keys with each of them, and (e) function as a clandestine proxy server between them in order to capture or modify sensitive information that Alice and Bob think they are sending only to each other.

(C) 例如,假设Alice和Bob尝试使用Diffie-Hellman算法建立会话密钥,而不使用数据源身份验证服务。“中间人”可以(A)阻止Alice和Bob之间的直接通信,然后(b)伪装成Alice向Bob发送数据,(c)伪装成Bob向Alice发送数据,(d)与他们每个人建立单独的会话密钥,以及(e)充当他们之间的秘密代理服务器,以便捕获或修改Alice和Bob认为他们只向对方发送的敏感信息。

$ mandatory access control (MAC) (I) An access control service that enforces a security policy based on comparing (a) security labels (which indicate how sensitive or critical system resources are) with (b) security clearances (which indicate system entities are eligible to access certain resources). (See: discretionary access control, rule-based security policy.)

$ 强制访问控制(MAC)(I)一种访问控制服务,通过比较(a)安全标签(指示系统资源的敏感程度或关键程度)和(b)安全许可(指示系统实体有资格访问某些资源),强制执行安全策略。(请参阅:自主访问控制、基于规则的安全策略。)

(C) This kind of access control is called "mandatory" because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

(C) 这种访问控制称为“强制”,因为拥有访问资源权限的实体可能不会仅凭自身意愿允许另一实体访问该资源。

(O) "A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity." [DOD1]

(O) “一种基于对象中所含信息的敏感性(如标签所示)以及受试者访问此类敏感性信息的正式授权(即许可)来限制访问对象的方法。”[DOD1]

$ manipulation detection code (D) ISDs SHOULD NOT use this term as a synonym for "checksum" because the word "manipulation" implies protection against active attacks, which an ordinary checksum might not provide. Instead, if such protection is intended, use "protected checksum" or some particular type thereof, depending on which is meant. If such protection is not intended, use "error detection code" or some specific type of checksum that is not protected.

$ 操纵检测代码(D)ISDs不应将此术语用作“校验和”的同义词,因为“操纵”一词意味着对主动攻击的保护,而普通校验和可能无法提供这种保护。相反,如果打算进行此类保护,则使用“受保护校验和”或某种特定类型的校验和,具体取决于其含义。如果不打算进行此类保护,请使用“错误检测代码”或未受保护的某些特定类型的校验和。

$ masquerade attack (I) A type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity. (See: spoofing attack.)

$ 伪装攻击(I)一种攻击类型,其中一个系统实体非法冒充(假定)另一个实体。(请参阅:欺骗攻击。)

$ MCA See: merchant certificate authority.

$ MCA请参阅:商户证书颁发机构。

$ MD2 (N) A cryptographic hash [R1319] that produces a 128-bit hash result, was designed by Ron Rivest, and is similar to MD4 and MD5 but slower. (See: message digest.)

$ MD2(N)一种产生128位哈希结果的加密哈希[R1319],由Ron Rivest设计,与MD4和MD5类似,但速度较慢。(请参阅:消息摘要。)

$ MD4 (N) A cryptographic hash [R1320] that produces a 128-bit hash result and was designed by Ron Rivest. (See: message digest and SHA-1.)

$ MD4(N)一种加密散列[R1320],产生128位散列结果,由Ron Rivest设计。(请参阅:信息摘要和SHA-1。)

$ MD5 (N) A cryptographic hash [R1321] that produces a 128-bit hash result and was designed by Ron Rivest to be an improved version of MD4.

$ MD5(N)一种产生128位哈希结果的加密哈希[R1321],由Ron Rivest设计为MD4的改进版本。

$ merchant (O) SET usage: "A seller of goods, services, and/or other information who accepts payment for these items electronically." [SET2] A merchant may also provide electronic selling services and/or electronic delivery of items for sale. With SET, the merchant can offer its cardholders secure electronic interactions, but a merchant that accepts payment cards is required to have a relationship with an acquirer. [SET1, SET2]

$ 商户(O)设定用法:“接受电子支付的商品、服务和/或其他信息的卖家。”[SET2]商户还可以提供电子销售服务和/或电子交付销售物品。通过SET,商户可以向其持卡人提供安全的电子交互,但接受支付卡的商户需要与收单机构建立关系。[SET1,SET2]

$ merchant certificate (O) SET usage: A public-key certificate issued to a merchant. Sometimes used to refer to a pair of such certificates where one is for digital signature use and the other is for encryption.

$ 商户证书(O)集合用法:颁发给商户的公钥证书。有时用于指一对这样的证书,其中一个用于数字签名,另一个用于加密。

$ merchant certification authority (MCA) (O) SET usage: A CA that issues digital certificates to merchants and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. Acquirers verify and approve requests for merchant certificates prior to issuance by the MCA. An MCA does not issue a CRL, but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

$ 商户认证机构(MCA)(O)设置用途:向商户颁发数字证书的CA,根据品牌规则代表支付卡品牌、收单机构或另一方运营。收单机构在MCA签发商户证书之前验证并批准商户证书申请。MCA不会发布CRL,但会分发根CA、品牌CA、地缘政治CA和支付网关CA发布的CRL。[SET2]

$ mesh PKI (I) A non-hierarchical PKI architecture in which there are several trusted CAs rather than a single root. Each certificate user bases path validations on the public key of one of the trusted CAs, usually the one that issued that user's own public-key certificate. Rather than having superior-to-subordinate

$ 网状PKI(I)一种非分层PKI体系结构,其中存在多个受信任的CA,而不是单个根。每个证书用户基于其中一个受信任CA的公钥进行路径验证,通常是颁发该用户自己的公钥证书的CA。而不是有上有下

relationships between CAs, the relationships are peer-to-peer, and CAs issue cross-certificates to each other. (See: hierarchical PKI, trust-file PKI.)

CA之间的关系,这些关系是对等的,CA相互颁发交叉证书。(请参见:分层PKI、信任文件PKI。)

$ message authentication code vs. Message Authentication Code (MAC) 1. (N) Capitalized: "(The) Message Authentication Code" refers to an ANSI standard for a checksum that is computed with a keyed hash that is based on DES. [A9009] (Also known as the U.S. Government standard Data Authentication Code. [FP113])

$ 消息身份验证码与消息身份验证码(MAC)1。(N) 大写:“(消息)身份验证代码”是指使用基于DES的键控哈希计算的校验和的ANSI标准。[A9009](也称为美国政府标准数据认证码。[FP113])

(C) The ANSI standard MAC algorithm is equivalent to cipher block chaining with IV = 0.

(C) ANSI标准MAC算法相当于IV=0的密码块链接。

2. (D) Not capitalized: ISDs SHOULD NOT use the uncapitalized form "message authentication code", because this term mixes concepts in a potentially misleading way. Instead, use "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum", depending on what is meant. (See: authentication code.)

2. (D) 不大写:ISDs不应使用非大写形式的“消息身份验证代码”,因为该术语以潜在误导的方式混合了概念。相反,使用“校验和”、“错误检测代码”、“哈希”、“密钥哈希”、“消息身份验证代码”或“受保护校验和”,具体取决于其含义。(请参阅:身份验证代码。)

(C) In the uncapitalized form, the word "message" is misleading because it implies that the mechanism is particularly suitable for or limited to electronic mail (see: Message Handling Systems), the word "authentication" is misleading because the mechanism primarily serves a data integrity function rather than an authentication function, and the word "code" is misleading because it implies that either encoding or encryption is involved or that the term refers to computer software.

(C) 在非大写形式中,“消息”一词具有误导性,因为它意味着该机制特别适用于或仅限于电子邮件(见:消息处理系统),“身份验证”一词具有误导性,因为该机制主要用于数据完整性功能而非身份验证功能,“代码”一词具有误导性,因为它意味着涉及编码或加密,或者该术语指的是计算机软件。

$ message digest (D) ISDs SHOULD NOT use this term as a synonym for "hash result" because it unnecessarily duplicates the meaning of the other, more general term and mixes concepts in a potentially misleading way. (See: cryptographic hash, Message Handling System.)

$ 信息摘要(D)ISDs不应将此术语用作“哈希结果”的同义词,因为它不必要地重复了另一个更一般术语的含义,并以潜在误导的方式混合了概念。(请参阅:加密哈希,消息处理系统。)

$ Message Handling Systems (I) A ITU-T/ISO system concept, which encompasses the notion of electronic mail but defines more comprehensive OSI systems and services that enable users to exchange messages on a store-and-forward basis. (The ISO equivalent is "Message Oriented Text Interchange System".) (See: X.400.)

$ 信息处理系统(I)ITU-T/ISO系统概念,包括电子邮件的概念,但定义了更全面的OSI系统和服务,使用户能够在存储转发的基础上交换信息。(ISO等效物是“面向消息的文本交换系统”。(参见:X.400。)

$ message indicator (D) ISDs SHOULD NOT use this term as a synonym for "initialization value" because it mixes concepts in a potentially misleading way.

$ 消息指示符(D)ISDs不应将此术语用作“初始化值”的同义词,因为它以潜在误导的方式混合了概念。

$ message integrity check $ message integrity code (D) ISDs SHOULD NOT use these terms because they mix concepts in a potentially misleading way. (The word "message" is misleading because it suggests that the mechanism is particularly suitable for or limited to electronic mail. The word "code" is misleading because it suggests that either encoding or encryption is involved, or that the term refers to computer software.) Instead, use "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum", depending on what is meant.

$ 消息完整性检查$消息完整性代码(D)ISD不应使用这些术语,因为它们以潜在误导的方式混合了概念。(单词“message”具有误导性,因为它表明该机制特别适用于或仅限于电子邮件。“code”具有误导性,因为它表明涉及编码或加密,或者该术语指的是计算机软件。)相反,使用“checksum”、“error detection code”、“hash”、“keyed hash”,“消息身份验证码”或“受保护校验和”,取决于其含义。

$ Message Security Protocol (MSP) (N) A secure message handling protocol [SDNS7] for use with X.400 and Internet mail protocols. Developed by NSA's SDNS program and used in the U.S. Defense Message System.

$ 消息安全协议(MSP)(N)用于X.400和Internet邮件协议的安全消息处理协议[SDNS7]。由美国国家安全局的SDNS计划开发,用于美国国防信息系统。

$ MHS See: message handling system.

$ MHS见:信息处理系统。

$ MIME See: Multipurpose Internet Mail Extensions.

$ MIME请参阅:多用途Internet邮件扩展。

$ MIME Object Security Services (MOSS) (I) An Internet protocol [R1848] that applies end-to-end encryption and digital signature to MIME message content, using symmetric cryptography for encryption and asymmetric cryptography for key distribution and signature. MOSS is based on features and specifications of PEM. (See: S/MIME.)

$ MIME对象安全服务(MOSS)(I)一种互联网协议[R1848],对MIME消息内容应用端到端加密和数字签名,使用对称加密进行加密,使用非对称加密进行密钥分发和签名。MOSS基于PEM的特性和规格。(见:S/MIME)

$ Minimum Interoperability Specification for PKI Components (MISPC) (N) A technical description to provide a basis for interoperation between PKI components from different vendors; consists primarily of a profile of certificate and CRL extensions and a set of transactions for PKI operation. [MISPC]

$ PKI组件最低互操作性规范(MISPC)(N)为不同供应商的PKI组件之间的互操作提供基础的技术说明;主要由证书和CRL扩展的配置文件以及用于PKI操作的一组事务组成。[MISC]

$ MISPC See: Minimum Interoperability Specification for PKI Components.

$ 请参阅:PKI组件的最低互操作性规范。

$ MISSI (N) Multilevel Information System Security Initiative, an NSA program to encourage development of interoperable, modular products for constructing secure network information systems in support of a wide variety of Government missions. (See: MSP.)

$ MSI(N)多级信息系统安全倡议,一项NSA计划,旨在鼓励开发可互操作的模块化产品,用于构建安全的网络信息系统,以支持各种政府任务。(见:MSP)

$ MISSI user (O) MISSI usage: A system entity that is the subject of one or more MISSI X.509 public-key certificates issued under a MISSI certification hierarchy. (See: personality.)

$ MSI用户(O)MSI使用:一个系统实体,是根据MSI证书层次结构颁发的一个或多个MSI X.509公钥证书的主体。(见:个性。)

(C) MISSI users include both end users and the authorities that issue certificates. A MISSI user is usually a person but may be a machine or other automated process. Some machines are required to operate non-stop. To avoid downtime needed to exchange the FORTEZZA cards of machine operators at shift changes, the machines may be issued their own cards, as if they were persons.

(C) MSI用户包括最终用户和颁发证书的机构。MSI用户通常是个人,但也可能是机器或其他自动化流程。有些机器需要不停地运转。为了避免换班时更换机器操作员的FORTEZZA卡所需的停机时间,机器可以像个人一样发放自己的卡。

$ mode $ mode of operation (I) Encryption usage: A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream. (See: electronic codebook, cipher block chaining, cipher feedback, output feedback.)

$ 模式$操作模式(I)加密使用:用于增强加密算法效果或使算法适应应用程序的技术,例如对数据块序列或数据流应用分组密码。(参见:电子码本、密码块链接、密码反馈、输出反馈。)

(I) System operation usage: A type of security policy that states the range of classification levels of information that a system is permitted to handle and the range of clearances and authorizations of users who are permitted to access the system. (See: dedicated security mode, multilevel security mode, partitioned security mode, system high security mode.)

(一) 系统操作使用:一种安全策略,说明系统允许处理的信息分类级别范围,以及允许访问系统的用户的许可和授权范围。(请参阅:专用安全模式、多级安全模式、分区安全模式、系统高安全模式。)

$ modulus (I) The defining constant in modular arithmetic, and usually a part of the public key in asymmetric cryptography that is based on modular arithmetic. (See: Diffie-Hellman, Rivest-Shamir-Adleman.)

$ 模(I)模运算中的定义常数,通常是基于模运算的非对称密码中公钥的一部分。(见:Diffie Hellman,Rivest Shamir Adleman)

$ Morris Worm (I) A worm program written by Robert T. Morris, Jr. that flooded the ARPANET in November, 1988, causing problems for thousands of hosts. (See: worm.)

$ Morris Worm(I)一个由Robert T.Morris,Jr.编写的蠕虫程序,1988年11月,它淹没了ARPANET,给成千上万的主机造成了问题。(请参阅:worm。)

$ MOSS See: MIME Object Security Services.

$ MOSS请参阅:MIME对象安全服务。

$ MSP See: Message Security Protocol.

$ MSP请参阅:消息安全协议。

$ multilevel secure (MLS) (I) A class of system that has system resources (particularly stored information) at more than one security level (i.e., has different types of sensitive resources) and that permits

$ 多级安全(MLS)(I)一类系统,具有多个安全级别的系统资源(尤其是存储的信息)(即,具有不同类型的敏感资源),并且允许

concurrent access by users who differ in security clearance and need-to-know, but is able to prevent each user from accessing resources for which the user lacks authorization.

安全许可不同且需要知道的用户的并发访问,但能够阻止每个用户访问用户缺乏授权的资源。

$ multilevel security mode (I) A mode of operation of an information system, that allows two or more classification levels of information to be processed concurrently within the same system when not all users have a clearance or formal access authorization for all data handled by the system.

$ 多级安全模式(I):信息系统的一种操作模式,当并非所有用户都拥有系统处理的所有数据的许可或正式访问授权时,允许在同一系统内同时处理两个或多个分类级别的信息。

(C) This mode is defined formally in U.S. Department of Defense policy regarding system accreditation [DOD2], but the term is also used outside the Defense Department and outside the Government.

(C) 该模式在美国国防部关于系统认证的政策[DOD2]中有正式定义,但该术语也在国防部和政府之外使用。

$ Multipurpose Internet Mail Extensions (MIME) (I) An Internet protocol [R2045] that enhances the basic format of Internet electronic mail messages [R0822] to be able to use character sets other than US-ASCII for textual headers and text content, and to carry non-textual and multi-part content. (See: S/MIME.)

$ 多用途互联网邮件扩展(MIME)(I)一种互联网协议[R2045],它增强了互联网电子邮件的基本格式[R0822],能够将US-ASCII以外的字符集用于文本标题和文本内容,并承载非文本和多部分内容。(见:S/MIME)

$ mutual suspicion (I) The state that exists between two interacting system entities in which neither entity can trust the other to function correctly with regard to some security requirement.

$ 相互怀疑(I)存在于两个相互作用的系统实体之间的状态,其中任何一个实体都不能信任另一个实体在某些安全需求方面正常工作。

$ National Computer Security Center (NCSC) (N) A U.S. Department of Defense organization, housed in NSA, that has responsibility for encouraging widespread availability of trusted computer systems throughout the Federal Government. It has established criteria for, and performs evaluations of, computer and network systems that have a trusted computing base. (See: Evaluated Products List, Rainbow Series, TCSEC.)

$ 国家计算机安全中心(NCSC)(N):美国国防部的一个组织,位于美国国家安全局,负责鼓励联邦政府广泛使用可信计算机系统。它为具有可信计算基础的计算机和网络系统建立了标准,并对其进行了评估。(参见:TCSEC彩虹系列评估产品列表。)

$ National Information Assurance Partnership (NIAP) (N) An organization created by NIST and NSA to enhance the quality of commercial products for information security and increase consumer confidence in those products through objective evaluation and testing methods.

$ 国家信息保障合作伙伴关系(NIAP)(N):由NIST和NSA创建的一个组织,旨在通过客观的评估和测试方法提高信息安全商业产品的质量,并提高消费者对这些产品的信心。

(C) NIAP is registered, through the U.S. Department of Defense, as a National Performance Review Reinvention Laboratory. NIAP functions include the following:

(C) NIAP通过美国国防部注册为国家绩效评估再创新实验室。NIAP功能包括以下内容:

- Developing tests, test methods, and other tools that developers and testing laboratories may use to improve and evaluate security products.

- 开发开发人员和测试实验室可用于改进和评估安全产品的测试、测试方法和其他工具。

- Collaborating with industry and others on research and testing programs. - Using the Common Criteria to develop protection profiles and associated test sets for security products and systems. - Cooperating with the NIST National Voluntary Laboratory Accreditation Program to develop a program to accredit private-sector laboratories for the testing of information security products using the Common Criteria. - Working to establish a formal, international mutual recognition scheme for a Common Criteria-based evaluation.

- 在研究和测试项目上与行业和其他方面合作。-使用通用标准为安全产品和系统开发保护配置文件和相关测试集。-与NIST国家自愿实验室认证计划合作,制定一项计划,对私营部门实验室进行认证,以使用通用标准测试信息安全产品。-致力于为基于共同标准的评估建立正式的国际互认方案。

$ National Institute of Standards and Technology (NIST) (N) A U.S. Department of Commerce agency that promotes U.S. economic growth by working with industry to develop and apply technology, measurements, and standards. Has primary Government responsibility for INFOSEC standards for unclassified but sensitive information. (See: ANSI, DES, DSA, DSS, FIPS, NIAP, NSA.)

$ 国家标准与技术研究所(NIST)(N):美国商务部的一个机构,通过与行业合作开发和应用技术、测量和标准,促进美国经济增长。政府主要负责非机密但敏感信息的信息安全标准。(参见:ANSI、DES、DSA、DSS、FIPS、NIAP、NSA。)

$ National Security Agency (NSA) (N) A U.S. Department of Defense intelligence agency that has primary Government responsibility for INFOSEC for classified information and for unclassified but sensitive information handled by national security systems. (See: FORTEZZA, KEA, MISSI, NIAP, NIST, SKIPJACK.)

$ 国家安全局(NSA)(N):美国国防部情报机构,主要负责机密信息和国家安全系统处理的非机密但敏感信息的信息安全。(见:FORTEZZA、KEA、MISI、NIAP、NIST、SKIPJACK)

$ need-to-know (I) The necessity for access to, knowledge of, or possession of specific information required to carry out official duties.

$ 需要了解(I)访问、了解或拥有执行公务所需特定信息的必要性。

(C) This criterion is used in security procedures that require a custodian of sensitive information, prior to disclosing the information to someone else, to establish that the intended recipient has proper authorization to access the information.

(C) 该标准用于安全程序,要求敏感信息的保管人在将信息披露给其他人之前,确定预期接收人拥有访问该信息的适当授权。

$ network See: computer network.

$ 网络见:计算机网络。

$ NIAP See: National Information Assurance Partnership.

$ NIAP见:国家信息保障伙伴关系。

$ NIST See: National Institute of Standards and Technology.

$ NIST见:国家标准与技术研究所。

$ NLSP Network Layer Security Protocol. An OSI protocol (IS0 11577) for end-to-end encryption services at the top of OSI layer 3. NLSP is derived from an SDNS protocol, SP3, but is much more complex.

$ NLSP网络层安全协议。OSI协议(IS0 11577),用于OSI第3层顶部的端到端加密服务。NLSP源于SDNS协议SP3,但要复杂得多。

$ no-lone zone (I) A room or other space to which no person may have unaccompanied access and that, when occupied, is required to be occupied by two or more appropriately authorized persons. (See: dual control.)

$ 无单独区域(I)任何人不得单独进入的房间或其他空间,且当被占用时,需要由两名或两名以上经适当授权的人员占用。(请参阅:双重控制。)

$ nonce (I) A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing liveness and thus detecting and protecting against replay attacks.

$ nonce(I)包含在协议交换的数据中的随机或非重复值,通常用于保证活动性,从而检测和防止重放攻击。

$ non-critical See: critical (extension of certificate).

$ 非关键请参阅:关键(证书扩展)。

$ non-repudiation service (I) A security service that provide protection against false denial of involvement in a communication. (See: repudiation.)

$ 不可否认服务(I)一种安全服务,可防止通信中的虚假拒绝参与。(见:否认。)

(C) Non-repudiation service does not and cannot prevent an entity from repudiating a communication. Instead, the service provides evidence that can be stored and later presented to a third party to resolve disputes that arise if and when a communication is repudiated by one of the entities involved. There are two basic kinds of non-repudiation service:

(C) 不可否认服务不会也不能阻止实体拒绝通信。相反,该服务提供的证据可以存储并随后提交给第三方,以解决在通信被其中一个相关实体拒绝时出现的争议。有两种基本的不可否认性服务:

- "Non-repudiation with proof of origin" provides the recipient of data with evidence that proves the origin of the data, and thus protects the recipient against an attempt by the originator to falsely deny sending the data. This service can be viewed as a stronger version of an data origin authentication service, in that it proves authenticity to a third party.

- “来源证明不可抵赖性”为数据接收方提供了证明数据来源的证据,从而保护接收方免受发端人错误拒绝发送数据的企图。此服务可以被视为数据源身份验证服务的更强大版本,因为它向第三方证明了真实性。

- "Non-repudiation with proof of receipt" provides the originator of data with evidence that proves the data was received as addressed, and thus protects the originator against an attempt by the recipient to falsely deny receiving the data.

- “具有接收证明的不可抵赖性”为数据的发端人提供证据,证明数据是按地址接收的,从而保护发端人不受接收方试图错误拒绝接收数据的影响。

(C) Phases of a Non-Repudiation Service: Ford [For94, For97] uses the term "critical action" to refer to the act of communication that is the subject of the service:

(C) 不可否认服务的阶段:福特[Ford[For94,For97]使用术语“关键行动”来指作为服务主题的沟通行为:

      --------   --------   --------   --------   --------   . --------
      Phase 1:   Phase 2:   Phase 3:   Phase 4:   Phase 5:   . Phase 6:
      Request    Generate   Transfer   Verify     Retain     . Resolve
      Service    Evidence   Evidence   Evidence   Evidence   . Dispute
      --------   --------   --------   --------   --------   . --------
        
      --------   --------   --------   --------   --------   . --------
      Phase 1:   Phase 2:   Phase 3:   Phase 4:   Phase 5:   . Phase 6:
      Request    Generate   Transfer   Verify     Retain     . Resolve
      Service    Evidence   Evidence   Evidence   Evidence   . Dispute
      --------   --------   --------   --------   --------   . --------
        
      Service    Critical   Evidence   Evidence   Archive    . Evidence
      Request => Action  => Stored  => Is      => Evidence   . Is
      Is Made    Occurs     For Later  Tested     In Case    . Verified
                 and        Use |          ^      Critical   .     ^
                 Evidence       v          |      Action Is  .     |
                 Is         +-------------------+ Repudiated .     |
                 Generated  |Verifiable Evidence|------> ... . ----+
                            +-------------------+
        
      Service    Critical   Evidence   Evidence   Archive    . Evidence
      Request => Action  => Stored  => Is      => Evidence   . Is
      Is Made    Occurs     For Later  Tested     In Case    . Verified
                 and        Use |          ^      Critical   .     ^
                 Evidence       v          |      Action Is  .     |
                 Is         +-------------------+ Repudiated .     |
                 Generated  |Verifiable Evidence|------> ... . ----+
                            +-------------------+
        
      Phase / Explanation
      -------------------
      1. Before the critical action, the service requester asks, either
         implicitly or explicitly, to have evidence of the action be
         generated.
      2. When the critical action occurs, evidence is generated by a
         process involving the potential repudiator and possibly also a
         trusted third party.
      3. The evidence is transferred to the requester, or stored by a
         third party, for later use if needed.
      4. The entity that holds the evidence tests to be sure that it
         will suffice if a dispute arises.
      5. The evidence is retained for possible future retrieval and use.
      6. In this phase, which occurs only if the critical action is
         repudiated, the evidence is retrieved from storage, presented,
         and verified to resolve the dispute.
        
      Phase / Explanation
      -------------------
      1. Before the critical action, the service requester asks, either
         implicitly or explicitly, to have evidence of the action be
         generated.
      2. When the critical action occurs, evidence is generated by a
         process involving the potential repudiator and possibly also a
         trusted third party.
      3. The evidence is transferred to the requester, or stored by a
         third party, for later use if needed.
      4. The entity that holds the evidence tests to be sure that it
         will suffice if a dispute arises.
      5. The evidence is retained for possible future retrieval and use.
      6. In this phase, which occurs only if the critical action is
         repudiated, the evidence is retrieved from storage, presented,
         and verified to resolve the dispute.
        

$ no-PIN ORA (NORA) (O) MISSI usage: An organizational RA that operates in a mode in which the ORA performs no card management functions and, therefore, does not require knowledge of either the SSO PIN or user PIN for an end user's FORTEZZA PC card.

$ 无PIN ORA(NORA)(O)MSI使用:在ORA不执行卡管理功能的模式下运行的组织RA,因此不需要了解最终用户FORTEZZA PC卡的SSO PIN或用户PIN。

$ NORA See: no-PIN ORA.

$ 诺拉·西:没有别针。

$ notarization (I) Registration of data under the authority or in the care of a trusted third party, thus making it possible to provide subsequent assurance of the accuracy of characteristics claimed for the data, such as content, origin, time, and delivery. [I7498 Part 2] (See: digital notary.)

$ 公证(I)在管理局或受信任的第三方的照管下对数据进行登记,从而能够对数据的内容、来源、时间和交付等特征的准确性提供后续保证。[I7498第2部分](见:数字公证)

$ NULL encryption algorithm (I) An algorithm [R2410] that does nothing to transform plaintext data; i.e., a no-op. It originated because of IPsec ESP, which always specifies the use of an encryption algorithm to provide confidentiality. The NULL encryption algorithm is a convenient way to represent the option of not applying encryption in ESP (or in any other context where this is needed).

$ 空加密算法(I)一种算法[R2410],它不转换明文数据;i、 它起源于IPsec ESP,它总是指定使用加密算法来提供机密性。空加密算法是表示不在ESP(或任何其他需要加密的上下文)中应用加密选项的一种方便方法。

$ OAKLEY (I) A key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP. [R2412]

$ OAKLEY(I)一种基于Diffie-Hellman算法的密钥建立协议(为IPsec提出,但被IKE取代),设计为ISAKMP的兼容组件。[R2412]

(C) OAKLEY establishes a shared key with an assigned identifier and associated authenticated identities for parties. I.e., OAKLEY provides authentication service to ensure the entities of each other's identity, even if the Diffie-Hellman exchange is threatened by active wiretapping. Also, provides public-key forward secrecy for the shared key and supports key updates, incorporation of keys distributed by out-of-band mechanisms, and user-defined abstract group structures for use with Diffie-Hellman.

(C) OAKLEY使用分配的标识符和相关的认证身份为各方建立共享密钥。即,即使Diffie-Hellman交换受到主动窃听的威胁,OAKLEY也提供身份验证服务,以确保彼此的身份实体。此外,还为共享密钥提供公钥前向保密,并支持密钥更新、合并由带外机制分发的密钥,以及用户定义的抽象组结构,以供Diffie Hellman使用。

$ object (I) Trusted computer system modeling usage: A system element that contains or receives information. (See: Bell-LaPadula Model, trusted computer system.)

$ 对象(I)可信计算机系统建模用法:包含或接收信息的系统元素。(参见:Bell-LaPadula模型,可信计算机系统。)

$ object identifier (OID) (I) An official, globally unique name for a thing, written as a sequence of integers (which are formed and assigned as defined in the ASN.1 standard) and used to reference the thing in abstract specifications and during negotiation of security services in a protocol.

$ 对象标识符(OID)(I)事物的官方、全局唯一名称,以整数序列(按照ASN.1标准中的定义形成和分配)的形式编写,用于在抽象规范中以及在协议中的安全服务协商期间引用该事物。

(O) "A value (distinguishable from all other such values) which is associated with an object." [X680]

(O) “与对象关联的值(可与所有其他此类值区分)。[X680]

(C) Objects named by OIDs are leaves of the object identifier tree (which is similar to but different from the X.500 Directory Information Tree). Each arc (i.e., each branch of the tree) is labeled with a non-negative integer. An OID is the sequence of integers on the path leading from the root of the tree to a named object.

(C) 由OID命名的对象是对象标识符树的叶子(与X.500目录信息树类似但不同)。每个弧(即树的每个分支)都标有一个非负整数。OID是从树的根指向命名对象的路径上的整数序列。

      (C) The OID tree has three arcs immediately below the root: {0}
      for use by ITU-T, {1} for use by ISO, and {2} for use by both
      jointly. Below ITU-T are four arcs, where {0 0} is for ITU-T
        
      (C) The OID tree has three arcs immediately below the root: {0}
      for use by ITU-T, {1} for use by ISO, and {2} for use by both
      jointly. Below ITU-T are four arcs, where {0 0} is for ITU-T
        

recommendations. Below {0 0} are 26 arcs, one for each series of recommendations starting with the letters A to Z, and below these are arcs for each recommendation. Thus, the OID for ITU-T Recommendation X.509 is {0 0 24 509}. Below ISO are four arcs, where {1 0 }is for ISO standards, and below these are arcs for each ISO standard. Thus, the OID for ISO/IEC 9594-8 (the ISO number for X.509) is {1 0 9594 8}.

建议。在{0}下面是26个弧,每一个弧代表以字母A到Z开头的一系列建议,在这些弧下面是每一个建议的弧。因此,ITU-T建议X.509的OID为{0 24 509}。ISO下面是四个弧,其中{10}表示ISO标准,这些弧下面是每个ISO标准的弧。因此,ISO/IEC 9594-8(X.509的ISO编号)的OID为{1 0 9594 8}。

(C) The following are additional examples: ANSI registers organization names below the branch {joint-iso-ccitt(2) country(16) US(840) organization(1)}. The NIST CSOR records PKI objects below the branch {joint-iso-ccitt(2) country(16) us(840) gov(101) csor(3) pki(4)}. The U.S. Department of Defense registers INFOSEC objects below the branch {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1)}. The OID for the PKIX private extension is defined in an arc below the arc for the PKIX name space, as {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 1}.

(C) 以下是其他示例:ANSI在分支机构{联合iso ccitt(2)国家(16)美国(840)组织(1)}下注册组织名称。NIST CSOR在分支机构{联合iso ccitt(2)国家(16)美国(840)政府(101)CSOR(3)PKI(4)}下记录PKI对象。美国国防部在分支机构{联合iso ccitt(2)国家(16)美国(840)组织(1)政府(101)国防部(2)信息安全(1)}下登记信息安全对象。PKIX专用扩展的OID在PKIX名称空间弧下方的弧中定义为{iso(1)标识的组织(3)国防部(6)互联网(1)安全(5)机制(5)PKIX(7)1}。

$ object reuse (N) "The reassignment and reuse of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more [information] objects. To be securely reused and assigned to a new subject, storage media must contain no residual data (magnetic remanence) from the object(s) previously contained in the media." [NCS04]

$ 对象重用(N)“重新分配和重用曾经包含一个或多个[信息]对象的存储介质(如页框、磁盘扇区、磁带)。要安全地重用和分配给新对象,存储介质必须不包含来自先前包含在介质中的对象的剩余数据(剩磁)。[NCS04]

$ OCSP See: On-line Certificate Status Protocol.

$ OCSP请参阅:在线证书状态协议。

$ octet (I) A data unit of eight bits. (See: byte.)

$ 八位字节(I)八位的数据单元。(请参阅:字节。)

(c) This term is used in networking (especially in OSI standards) in preference to "byte", because some systems use "byte" for data storage units of a size other than eight.

(c) 这个术语在网络中使用(特别是在OSI标准中),优先于“字节”,因为有些系统使用“字节”作为大小不是8的数据存储单元。

$ OFB See: output feedback.

$ OFB见:输出反馈。

$ ohnosecond (C) That minuscule fraction of time in which you realize that your private key has been compromised.

$ ohnosecond(C)您意识到您的私钥已被泄露的时间的极小部分。

$ OID See: object identifier.

$ OID请参阅:对象标识符。

$ On-line Certificate Status Protocol (OCSP) (I) An Internet protocol used by a client to obtain from a server the validity status and other information concerning a digital certificate.

$ 在线证书状态协议(OCSP)(I)客户端用于从服务器获取数字证书的有效状态和其他信息的互联网协议。

(C) In some applications, such as those involving high-value commercial transactions, it may be necessary to obtain certificate revocation status that is more timely than is possible with CRLs or to obtain other kinds of status information. OCSP may be used to determine the current revocation status of a digital certificate, in lieu of or as a supplement to checking against a periodic CRL. An OCSP client issues a status request to an OCSP server and suspends acceptance of the certificate in question until the server provides a response.

(C) 在某些应用程序中,例如涉及高价值商业交易的应用程序,可能需要获取比CRL更及时的证书吊销状态,或者获取其他类型的状态信息。OCSP可用于确定数字证书的当前吊销状态,以代替或作为定期CRL检查的补充。OCSP客户端向OCSP服务器发出状态请求,并暂停接受相关证书,直到服务器提供响应。

$ one-time pad (I) An encryption algorithm in which the key is a random sequence of symbols and each symbol is used for encryption only one time-- to encrypt only one plaintext symbol to produce only one ciphertext symbol--and a copy of the key is used similarly for decryption.

$ 一次性pad(I)一种加密算法,其中密钥是符号的随机序列,每个符号只用于加密一次——只加密一个明文符号,只生成一个密文符号——密钥副本同样用于解密。

(C) To ensure one-time use, the copy of the key used for encryption is destroyed after use, as is the copy used for decryption. This is the only encryption algorithm that is truly unbreakable, even given unlimited resources for cryptanalysis [Schn], but key management costs and synchronization problems make it impractical except in special situations.

(C) 为了确保一次性使用,用于加密的密钥副本在使用后会被销毁,用于解密的密钥副本也是如此。这是唯一一种真正牢不可破的加密算法,即使密码分析[Schn]资源无限,但密钥管理成本和同步问题使其无法实现,除非在特殊情况下。

$ one-time password $ One-Time Password (OTP) 1. Not capitalized: A "one-time password" is a simple authentication technique in which each password is used only once as authentication information that verifies an identity. This technique counters the threat of a replay attack that uses passwords captured by wiretapping.

$ 一次性密码$一次性密码(OTP)1。不大写:“一次性密码”是一种简单的身份验证技术,其中每个密码仅作为验证身份的身份验证信息使用一次。这项技术可以对抗重放攻击的威胁,重放攻击使用通过窃听捕获的密码。

2. Capitalized: "One-Time Password" is an Internet protocol [R1938] that is based on S/KEY and uses a cryptographic hash function to generate one-time passwords for use as authentication information in system login and in other processes that need protection against replay attacks.

2. 大写:“一次性密码”是一种基于S/KEY的互联网协议[R1938],使用加密哈希函数生成一次性密码,作为系统登录和其他需要防止重播攻击的过程中的身份验证信息。

$ one-way encryption (I) Irreversible transformation of plaintext to ciphertext, such that the plaintext cannot be recovered from the ciphertext by other than exhaustive procedures even if the cryptographic key is known. (See: encryption.)

$ 单向加密(I)明文到密文的不可逆转换,这样即使密码密钥已知,也无法通过非穷举程序从密文中恢复明文。(请参阅:加密。)

$ one-way function (I) "A (mathematical) function, f, which is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult." [X509]

$ 单向函数(I)“一个(数学)函数,f,很容易计算,但对于范围内的一般值y,很难在域中找到一个值x,使得f(x)=y。可能有一些y的值在计算上不难找到x。”[X509]

(D) ISDs SHOULD NOT use this term as a synonym for "cryptographic hash".

(D) ISDs不应将此术语用作“加密哈希”的同义词。

$ open security environment (O) U.S. Department of Defense usage: A system environment that meets at least one of the following conditions: (a) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control does not provide sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications. [NCS04] (See: closed security environment.)

$ 开放安全环境(O)美国国防部使用:至少满足以下条件之一的系统环境:(A)应用程序开发人员(包括维护人员)没有足够的许可或授权,无法提供可接受的假设,即他们没有引入恶意逻辑。(b) 配置控制不能充分保证应用程序和设备在系统应用程序运行之前和运行期间不被引入恶意逻辑。[NCS04](请参阅:封闭式安全环境。)

$ Open Systems Interconnection (OSI) Reference Model (OSIRM) (N) A joint ISO/ITU-T standard [I7498 Part 1] for a seven-layer, architectural communication framework for interconnection of computers in networks.

$ 开放系统互连(OSI)参考模型(OSIRM)(N)一种用于网络中计算机互连的七层体系结构通信框架的ISO/ITU-T联合标准[I7498第1部分]。

(C) OSI-based standards include communication protocols that are mostly incompatible with the Internet Protocol Suite, but also include security models, such as X.509, that are used in the Internet.

(C) 基于OSI的标准包括大多数与Internet协议套件不兼容的通信协议,但也包括Internet中使用的安全模型,如X.509。

(C) The OSIRM layers, from highest to lowest, are (7) Application, (6) Presentation, (5) Session, (4) Transport, (3) Network, (2) Data Link, and (1) Physical. In this Glossary, these layers are referred to by number to avoid confusing them with Internet Protocol Suite layers, which are referred to by name.

(C) OSIRM层从高到低依次为(7)应用程序层、(6)表示层、(5)会话层、(4)传输层、(3)网络层、(2)数据链路层和(1)物理层。在本术语表中,这些层按编号引用,以避免将它们与按名称引用的Internet协议套件层混淆。

(C) Some unknown person described how the OSI layers correspond to the seven deadly sins:

(C) 一些不知名人士描述了OSI层如何对应七宗罪:

7. Wrath: Application is always angry at the mess it sees below itself. (Hey! Who is it to be pointing fingers?) 6. Sloth: Presentation is too lazy to do anything productive by itself. 5. Lust: Session is always craving and demanding what truly belongs to Application's functionality. 4. Avarice: Transport wants all of the end-to-end functionality. (Of course, it deserves it, but life isn't fair.)

7. 愤怒:应用程序总是对自己下面的混乱感到愤怒。(嘿!是谁在指指点点?)。懒散:演讲太懒散了,不能自己做任何有成效的事情。5.欲望:会话总是渴望和要求真正属于应用程序功能的东西。4.贪婪:传输需要所有的端到端功能。(当然,这是值得的,但生活是不公平的。)

3. Gluttony: (Connection-Oriented) Network is overweight and overbearing after trying too often to eat Transport's lunch. 2. Envy: Poor Data Link is always starved for attention. (With Asynchronous Transfer Mode, maybe now it is feeling less neglected.) 1. Pride: Physical has managed to avoid much of the controversy, and nearly all of the embarrassment, suffered by the others.

3. 贪食:(以连接为导向)在尝试过多地吃运输公司的午餐后,网络超重且专横。2.嫉妒:糟糕的数据链接总是渴望得到关注。(对于异步传输模式,现在可能感觉不那么被忽视了。)1。骄傲:Physical成功地避免了其他人所遭受的大部分争议和几乎所有的尴尬。

(C) John G. Fletcher described how the OSI layers also correspond to Snow White's dwarf friends:

(C) John G.Fletcher描述了OSI层如何与白雪公主的矮人朋友对应:

7. Doc: Application acts as if it is in charge, but sometimes muddles its syntax. 6. Sleepy: Presentation is indolent, being guilty of the sin of Sloth. 5. Dopey: Session is confused because its charter is not very clear. 4. Grumpy: Transport is irritated because Network has encroached on Transport's turf. 3. Happy: Network smiles for the same reason that Transport is irritated. 2. Sneezy: Data Link makes loud noises in the hope of attracting attention. 1. Bashful: Physical quietly does its work, unnoticed by the others.

7. Doc:应用程序的行为就像是由它负责,但有时会弄乱它的语法。6.昏昏欲睡:表现懒惰,犯了懒惰的罪。5.多皮:会议很混乱,因为它的章程不是很清楚。4.脾气暴躁:交通部很恼火,因为网络侵占了交通部的地盘。3.快乐:网络微笑的原因与交通部恼怒的原因相同。2.喷嚏:数据链发出很大的噪音,希望引起注意。1.害羞:身体安静地做它的工作,没有被其他人注意到。

$ operational integrity (I) A synonym for "system integrity"; emphasizes the actual performance of system functions rather than just the ability to perform them.

$ 操作完整性(I)“系统完整性”的同义词;强调系统功能的实际性能,而不仅仅是执行功能的能力。

$ operations security (OPSEC) (I) A process to identify, control, and protect evidence of the planning and execution of sensitive activities and operations, and thereby prevent potential adversaries from gaining knowledge of capabilities and intentions.

$ 作战安全(OPSEC)(I)识别、控制和保护敏感活动和作战的规划和执行证据的过程,从而防止潜在对手了解能力和意图。

$ OPSEC See: operations security.

$ OPSEC见:运营安全。

$ ORA See: organizational registration authority.

$ ORA见:组织注册机构。

$ Orange Book (D) ISDs SHOULD NOT use this term as a synonym for "Trusted Computer System Evaluation Criteria" [CSC001, DOD1]. Instead, use

$ 橙皮书(D)ISDs不应将此术语用作“可信计算机系统评估标准”的同义词[CSC001,DOD1]。相反,使用

the full, proper name of the document or, in subsequent references, the abbreviation "TCSEC". (See: (usage note under) Green Book.)

文件的全称,或在后续参考文件中,简称“TCSEC”。(参见(绿皮书下的用法说明。)

$ organizational certificate (O) MISSI usage: A type of MISSI X.509 public-key certificate that is issued to support organizational message handling for the U.S. Government's Defense Message System.

$ 组织证书(O)MSI用途:一种MSI X.509公钥证书,用于支持美国政府国防消息系统的组织消息处理。

$ organizational registration authority (ORA) (I) General usage: An RA for an organization.

$ 组织注册机构(ORA)(I)一般用法:组织的RA。

(O) MISSI usage: The MISSI implementation of RA. A MISSI end entity that (a) assists a PCA, CA, or SCA to register other end entities, by gathering, verifying, and entering data and forwarding it to the signing authority and (b) may also assist with card management functions. An ORA is a local administrative authority, and the term refers both to the office or role, and to the person who fills that office. An ORA does not sign certificates, CRLs, or CKLs. (See: no-PIN ORA, SSO-PIN ORA, user-PIN ORA.)

(O) misi用法:RA的misi实现。通过收集、验证和输入数据并将其转发给签名机构来协助PCA、CA或SCA注册其他终端实体的MSI终端实体,以及(b)还可以协助卡管理功能。ORA是一个地方行政机构,该术语既指办公室或角色,也指填补该办公室的人员。ORA不签署证书、CRL或CKL。(请参阅:无PIN ORA、SSO-PIN ORA、用户PIN ORA。)

$ origin authentication $ origin authenticity (D) ISDs SHOULD NOT use these terms because they look like careless use of an internationally standardized term. Instead, use "data origin authentication" or "peer entity authentication", depending which is meant.

$ 原产地认证$原产地真实性(D)ISD不应使用这些术语,因为它们看起来像是对国际标准术语的粗心使用。相反,使用“数据源身份验证”或“对等实体身份验证”,具体取决于其含义。

$ OSI $ OSIRM See: Open Systems Interconnection Reference Model.

$ OSI$OSIRM见:开放系统互连参考模型。

$ OTP See: One-Time Password.

$ OTP见:一次性密码。

$ out of band (I) Transfer of information using a channel that is outside (i.e., separate from) the channel that is normally used. (See: covert channel.)

$ 带外(I)使用通常使用的信道之外(即,与之分离)的信道传输信息。(请参阅:隐蔽通道。)

(C) Out-of-band mechanisms are often used to distribute shared secrets (e.g., a symmetric key) or other sensitive information items (e.g., a root key) that are needed to initialize or otherwise enable the operation of cryptography or other security mechanisms. (See: key distribution.)

(C) 带外机制通常用于分发初始化或启用加密或其他安全机制操作所需的共享机密(例如,对称密钥)或其他敏感信息项(例如,根密钥)。(请参阅:密钥分发。)

$ output feedback (OFB) (N) A block cipher mode [FP081] that modifies electronic codebook mode to operate on plaintext segments of variable length less than or equal to the block length.

$ 输出反馈(OFB)(N)一种分组密码模式[FP081],它修改了电子码本模式,使其在可变长度小于或等于分组长度的明文段上运行。

(C) This mode operates by directly using the algorithm's previously generated output block as the algorithm's next input block (i.e., by "feeding back" the output block) and combining (exclusive OR-ing) the output block with the next plaintext segment (of block length or less) to form the next ciphertext segment.

(C) 此模式通过直接使用算法先前生成的输出块作为算法的下一个输入块(即,通过“反馈”输出块)并将输出块与下一个明文段(块长度或更短)组合(异或)来操作,以形成下一个密文段。

$ outside attack $ outsider attack See: (secondary definition under) attack.

$ 外部攻击$外部攻击请参阅:(第二个定义下)攻击。

$ P1363 See: IEEE P1363.

$ P1363参见:IEEE P1363。

$ PAA See: policy approving authority.

$ PAA见:政策批准机构。

$ packet filter See: (secondary definition under) filtering router.

$ 包过滤器请参阅:(第二个定义下)过滤路由器。

$ pagejacking (I) A contraction of "Web page hijacking". A masquerade attack in which the attacker copies (steals) a home page or other material from the target server, rehosts the page on a server the attacker controls, and causes the rehosted page to be indexed by the major Web search services, thereby diverting browsers from the target server to the attacker's server.

$ 网页劫持(I)“网页劫持”的缩写。一种伪装攻击,在这种攻击中,攻击者从目标服务器复制(窃取)主页或其他材料,在攻击者控制的服务器上重新定位页面,并使重新定位的页面被主要Web搜索服务索引,从而将浏览器从目标服务器转移到攻击者的服务器。

(D) ISDs SHOULD NOT use this term without including a definition, because the term is not listed in most dictionaries and could confuse international readers. (See: (usage note under) Green Book.)

(D) ISDs不应在未包含定义的情况下使用该术语,因为该术语未在大多数词典中列出,可能会使国际读者感到困惑。(参见(绿皮书下的用法说明。)

$ PAN See: primary account number.

$ 请参阅:主帐号。

$ PAP See: Password Authentication Protocol.

$ PAP见:密码认证协议。

$ partitioned security mode (N) A mode of operation of an information system, wherein all users have the clearance, but not necessarily formal access authorization and need-to-know, for all information handled by the system. This mode is defined in U.S. Department of Defense policy regarding system accreditation. [DoD2]

$ 分区安全模式(N):信息系统的一种操作模式,其中所有用户都有权限,但不一定是正式的访问授权,并且需要知道系统处理的所有信息。该模式在美国国防部关于系统认证的政策中定义。[DoD2]

$ passive attack See: (secondary definition under) attack.

$ 被动攻击见:(第二定义下)攻击。

$ passive wiretapping See: (secondary definition under) wiretapping.

$ 被动窃听参见:(第二定义)窃听。

$ password (I) A secret data value, usually a character string, that is used as authentication information. (See: challenge-response.)

$ 密码(I)用作身份验证信息的秘密数据值,通常为字符串。(请参阅:挑战响应。)

(C) A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases the identity may be implicit.

(C) 密码通常与身份验证过程中显式显示的用户标识符相匹配,但在某些情况下,该标识可能是隐式的。

(C) Using a password as authentication information assumes that the password is known only by the system entity whose identity is being authenticated. Therefore, in a network environment where wiretapping is possible, simple authentication that relies on transmission of static (i.e., repetitively used) passwords as cleartext is inadequate. (See: one-time password, strong authentication.)

(C) 使用密码作为身份验证信息假定密码仅由身份验证的系统实体知道。因此,在可以进行窃听的网络环境中,依赖于以明文形式传输静态(即重复使用)密码的简单身份验证是不够的。(请参阅:一次性密码、强身份验证。)

$ Password Authentication Protocol (PAP) (I) A simple authentication mechanism in PPP. In PAP, a user identifier and password are transmitted in cleartext. [R1334] (See: CHAP.)

$ 密码认证协议(PAP)(I)PPP中的一种简单认证机制。在PAP中,用户标识符和密码以明文形式传输。[R1334](见:第章)

$ password sniffing (I) Passive wiretapping, usually on a local area network, to gain knowledge of passwords. (See: (usage note under) sniffing.)

$ 密码嗅探(I)被动窃听,通常在局域网上,以获取密码信息。(请参阅:(使用说明下)嗅探。)

$ path discovery (I) For a digital certificate, the process of finding a set of public-key certificates that comprise a certification path from a trusted key to that specific certificate.

$ 路径发现(I)对于数字证书,查找一组公钥证书的过程,这些公钥证书包括从受信任密钥到该特定证书的认证路径。

$ path validation (I) The process of validating (a) all of the digital certificates in a certification path and (b) the required relationships between those certificates, thus validating the contents of the last certificate on the path. (See: certificate validation.)

$ 路径验证(I)验证(a)认证路径中的所有数字证书和(b)这些证书之间所需关系的过程,从而验证路径上最后一个证书的内容。(请参阅:证书验证。)

$ payment card (N) SET usage: Collectively refers "to credit cards, debit cards, charge cards, and bank cards issued by a financial institution and which reflects a relationship between the cardholder and the financial institution." [SET2]

$ 支付卡(N)集合用法:统称为“由金融机构发行的反映持卡人与金融机构之间关系的信用卡、借记卡、借记卡和银行卡。”

$ payment gateway (O) SET usage: A system operated by an acquirer, or a third party designated by an acquirer, for the purpose of providing electronic commerce services to the merchants in support of the acquirer, and which interfaces to the acquirer to support the authorization, capture, and processing of merchant payment messages, including payment instructions from cardholders. [SET1, SET2]

$ 支付网关(O)设置用途:由收单机构或收单机构指定的第三方操作的系统,用于向商户提供电子商务服务以支持收单机构,并与收单机构接口以支持商户支付消息的授权、捕获和处理,包括持卡人的付款指示。[SET1,SET2]

$ payment gateway certification authority (SET PCA) (O) SET usage: A CA that issues digital certificates to payment gateways and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. A SET PCA issues a CRL for compromised payment gateway certificates. [SET2] (See: PCA.)

$ 支付网关认证机构(SET PCA)(O)SET用法:向支付网关颁发数字证书的CA,根据品牌规则代表支付卡品牌、收单机构或另一方运营。一组PCA为受损的支付网关证书颁发CRL。[SET2](参见:PCA。)

$ PC card (N) A type of credit card-sized, plug-in peripheral device that was originally developed to provide memory expansion for portable computers, but is also used for other kinds of functional expansion. (See: FORTEZZA, PCMCIA.)

$ PC卡(N):一种信用卡大小的插入式外围设备,最初开发用于为便携式计算机提供内存扩展,但也用于其他类型的功能扩展。(见:FORTEZZA,PCMCIA)

(C) The international PC Card Standard defines a non-proprietary form factor in three standard sizes--Types I, II and III--each of which have a 68-pin interface between the card and the socket into which it plugs. All three types have the same length and width, roughly the size of a credit card, but differ in their thickness from 3.3 to 10.5 mm. Examples include storage modules, modems, device interface adapters, and cryptographic modules.

(C) 国际PC卡标准定义了三种标准尺寸的非专有形状系数——I、II和III型——每种类型的卡与插口之间都有68针接口。这三种类型都有相同的长度和宽度,大致相当于一张信用卡的大小,但厚度不同,从3.3毫米到10.5毫米不等。示例包括存储模块、调制解调器、设备接口适配器和加密模块。

$ PCA (D) ISDs SHOULD NOT use this acronym without a qualifying adjective because that would be ambiguous. (See: Internet policy certification authority, (MISSI) policy creation authority, (SET) payment gateway certification authority.)

$ PCA(D)ISDs不应在没有限定形容词的情况下使用该首字母缩略词,因为这会造成歧义。(请参阅:Internet策略证书颁发机构,(MSI)策略创建机构,(SET)支付网关证书颁发机构。)

$ PCMCIA (N) Personal Computer Memory Card International Association, a group of manufacturers, developers, and vendors, founded in 1989 to standardize plug-in peripheral memory cards for personal computers and now extended to deal with any technology that works in the PC card form factor. (See: PC card.)

$ PCMCIA(N)个人计算机存储卡国际协会,一个由制造商、开发人员和供应商组成的团体,成立于1989年,旨在标准化个人计算机的插入式外围存储卡,现在扩展到处理任何适用于PC卡外形的技术。(请参阅:PC卡。)

$ peer entity authentication (I) "The corroboration that a peer entity in an association is the one claimed." [I7498 Part 2] (See: authentication.)

$ 对等实体认证(I)“证明关联中的对等实体是所声称的实体的证据。”[I7498第2部分](见:认证。)

$ peer entity authentication service (I) A security service that verifies an identity claimed by or for a system entity in an association. (See: authentication, authentication service.)

$ 对等实体身份验证服务(I)一种安全服务,用于验证由关联中的系统实体声明或为其声明的身份。(请参阅:身份验证、身份验证服务。)

(C) This service is used at the establishment of, or at times during, an association to confirm the identity of one entity to another, thus protecting against a masquerade by the first entity. However, unlike data origin authentication service, this service requires an association to exist between the two entities, and the corroboration provided by the service is valid only at the current time that the service is provided.

(C) 该服务在建立关联时或关联期间用于确认一个实体对另一个实体的身份,从而防止第一个实体伪装。但是,与数据源身份验证服务不同,该服务要求两个实体之间存在关联,并且该服务提供的佐证仅在提供该服务的当前时间有效。

(C) See: "relationship between data integrity service and authentication services" under data integrity service.

(C) 请参阅数据完整性服务下的“数据完整性服务和身份验证服务之间的关系”。

$ PEM See: Privacy Enhanced Mail.

$ PEM见:隐私增强邮件。

$ penetration (I) Successful, repeatable, unauthorized access to a protected system resource. (See: attack, violation.)

$ 渗透(I)成功、可重复、未经授权访问受保护的系统资源。(参见:攻击、违规。)

$ penetration test (I) A system test, often part of system certification, in which evaluators attempt to circumvent the security features of the system. [NCS04]

$ 渗透测试(I)一种系统测试,通常是系统认证的一部分,在这种测试中,评估人员试图规避系统的安全特性。[NCS04]

(C) Penetration testing may be performed under various constraints and conditions. However, for a TCSEC evaluation, testers are assumed to have all system design and implementation documentation, including source code, manuals, and circuit diagrams, and to work under no greater constraints than those applied to ordinary users.

(C) 渗透测试可在各种约束和条件下进行。然而,对于TCSEC评估,假定测试人员拥有所有系统设计和实现文档,包括源代码、手册和电路图,并且在不比适用于普通用户的约束更大的条件下工作。

$ perfect forward secrecy See: (discussion under) public-key forward secrecy.

$ 完美的前向保密请参阅:(在下讨论)公钥前向保密。

$ perimeter See: security perimeter.

$ 周界见:安全周界。

$ periods processing (I) A mode of system operation in which information of different sensitivities is processed at distinctly different times by the same system, with the system being properly purged or sanitized between periods. (See: color change.)

$ 周期处理(I)系统运行的一种模式,在这种模式下,同一系统在明显不同的时间处理不同敏感度的信息,并在周期之间对系统进行适当的清洗或消毒。(请参见:颜色更改。)

$ permission (I) A synonym for "authorization", but "authorization" is preferred in the PKI context. (See: privilege.)

$ 许可(I)是“授权”的同义词,但在PKI上下文中,“授权”是首选。(请参阅:特权。)

$ personal identification number (PIN) (I) A character string used as a password to gain access to a system resource. (See: authentication information.)

$ 个人识别码(PIN)(I)用作访问系统资源的密码的字符串。(请参阅:身份验证信息。)

(C) Despite the words "identification" and "number", a PIN seldom serves as a user identifier, and a PIN's characters are not necessarily all numeric. A better name for this concept would have been "personal authentication system string (PASS)".

(C) 尽管有“标识”和“编号”两个词,PIN很少用作用户标识符,PIN的字符也不一定都是数字。这个概念的更好名称应该是“个人身份验证系统字符串(PASS)”。

(C) Retail banking applications commonly use 4-digit PINs. FORTEZZA PC card's use up to 12 characters for user or SSO PINs.

(C) 零售银行应用程序通常使用4位PIN。FORTEZZA PC卡的用户或SSO引脚最多使用12个字符。

$ personality $ personality label (O) MISSI usage: A set of MISSI X.509 public-key certificates that have the same subject DN, together with their associated private keys and usage specifications, that is stored on a FORTEZZA PC card to support a role played by the card's user.

$ personality$personality label(O)MSI用法:一组具有相同主题DN的MSI X.509公钥证书及其相关私钥和用法规范,存储在FORTEZZA PC卡上,以支持卡用户扮演的角色。

(C) When a card's user selects a personality to use in a FORTEZZA-aware application, the data determines behavior traits (the personality) of the application. A card's user may have multiple personalities on the card. Each has a "personality label", a user-friendly character string that applications can display to the user for selecting or changing the personality to be used. For example, a military user's card might contain three personalities: GENERAL HALFTRACK, COMMANDER FORT SWAMPY, and NEW YEAR'S EVE PARTY CHAIRMAN. Each personality includes one or more certificates of different types (such as DSA versus RSA), for different purposes (such as digital signature versus encryption), or with different authorizations.

(C) 当卡的用户选择在FORTEZZA感知应用程序中使用的个性时,数据决定应用程序的行为特征(个性)。一张卡片上的用户可能有多个个性。每个都有一个“个性标签”,一个用户友好的字符串,应用程序可以向用户显示该字符串,以选择或更改要使用的个性。例如,军事用户的卡片可能包含三个人物:半身人将军、沼泽堡指挥官和除夕党主席。每个个性包括一个或多个不同类型的证书(如DSA与RSA),用于不同的目的(如数字签名与加密),或具有不同的授权。

$ personnel security (I) Procedures to ensure that persons who access a system have proper clearance, authorization, and need-to-know as required by the system's security policy.

$ 人员安全(I)确保访问系统的人员获得适当的许可、授权,并需要按照系统安全政策的要求了解情况的程序。

$ PGP(trademark) See: Pretty Good Privacy.

$ PGP(商标)见:相当好的隐私。

$ Photuris (I) A UDP-based, key establishment protocol for session keys, designed for use with the IPsec protocols AH and ESP. Superseded by IKE.

$ Photuris(I)一种基于UDP的会话密钥密钥建立协议,设计用于IPsec协议AH和ESP,并被IKE取代。

$ phreaking (I) A contraction of "telephone breaking". An attack on or penetration of a telephone system or, by extension, any other communication or information system. [Raym]

$ (I)“电话中断”的缩写。对电话系统或任何其他通信或信息系统的攻击或渗透。[雷姆]

(D) ISDs SHOULD NOT use this term because it is not listed in most dictionaries and could confuse international readers.

(D) ISDs不应该使用这个术语,因为大多数词典都没有列出这个术语,可能会使国际读者感到困惑。

$ physical security (I) Tangible means of preventing unauthorized physical access to a system. E.g., fences, walls, and other barriers; locks, safes, and vaults; dogs and armed guards; sensors and alarm bells. [FP031, R1455]

$ 物理安全(I)防止未经授权的物理访问系统的有形手段。例如,围栏、墙壁和其他障碍物;锁、保险箱和保险库;狗和武装警卫;传感器和警铃。[FP031,R1455]

$ piggyback attack (I) A form of active wiretapping in which the attacker gains access to a system via intervals of inactivity in another user's legitimate communication connection. Sometimes called a "between-the-lines" attack. (See: hijack attack, man-in-the-middle attack.)

$ 背驮攻击(I)一种主动窃听形式,攻击者通过另一用户合法通信连接中的不活动间隔获得对系统的访问权。有时被称为“线间”攻击。(见:劫持袭击,中间人袭击。)

$ PIN See: personal identification number.

$ PIN见:个人识别号。

$ ping of death (I) An attack that sends an improperly large ICMP [R0792] echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash.

$ ping of death(I)发送不适当大的ICMP[R0792]回显请求数据包(“ping”)的攻击,目的是溢出目标计算机的输入缓冲区并导致其崩溃。

$ ping sweep (I) An attack that sends ICMP [R0792] echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.

$ ping扫描(I)向一系列IP地址发送ICMP[R0792]回显请求(“ping”)的攻击,目的是查找可探测漏洞的主机。

$ PKCS See: Public-Key Cryptography Standards.

$ PKCS见:公钥加密标准。

$ PKCS #7 (N) A standard [PKC07, R2315] from the PKCS series; defines a syntax for data that may have cryptography applied to it, such as for digital signatures and digital envelopes.

$ PKCS#7(N)来自PKCS系列的标准[PKC07,R2315];定义可能应用了加密技术的数据的语法,例如数字签名和数字信封。

$ PKCS #10 (N) A standard [PKC10] from the PKCS series; defines a syntax for requests for public-key certificates. (See: certification request.)

$ PKCS#10(N)PKCS系列中的标准[PKC10];定义公钥证书请求的语法。(请参阅:认证申请。)

(C) A PKCS #10 request contains a DN and a public key, and may contain other attributes, and is signed by the entity making the request. The request is sent to a CA, who converts it to an X.509 public-key certificate (or some other form) and returns it, possibly in PKCS #7 format.

(C) PKCS#10请求包含DN和公钥,还可能包含其他属性,并由发出请求的实体签名。请求被发送到CA,CA将其转换为X.509公钥证书(或其他形式)并返回,可能是PKCS#7格式。

$ PKCS #11 (N) A standard [PKC11] from the PKCS series; defines a software CAPI called Cryptoki (pronounced "crypto-key"; short for "cryptographic token interface") for devices that hold cryptographic information and perform cryptographic functions.

$ PKCS#11(N)PKCS系列中的标准[PKC11];为保存加密信息并执行加密功能的设备定义一个名为Cryptoki(发音为“CryptoKey”;缩写为“加密令牌接口”)的软件CAPI。

$ PKI See: public-key infrastructure.

$ PKI见:公钥基础设施。

$ PKIX (I) (1.) A contraction of "Public-Key Infrastructure (X.509)", the name of the IETF working group that is specifying an architecture and set of protocols needed to support an X.509-based PKI for the Internet. (2.) A collective name for that architecture and set of protocols.

$ PKIX(I)(1.)是“公钥基础设施(X.509)”的缩写,IETF工作组的名称,该工作组指定了支持基于X.509的互联网PKI所需的体系结构和协议集。(2.)该体系结构和协议集的集合名称。

(C) The goal of PKIX is to facilitate the use of X.509 public-key certificates in multiple Internet applications and to promote interoperability between different implementations that use those certificates. The resulting PKI is intended to provide a framework that supports a range of trust and hierarchy environments and a range of usage environments. PKIX specifies (a) profiles of the v3 X.509 public-key certificate standards and the v2 X.509 CRL standards for the Internet; (b) operational protocols used by relying parties to obtain information such as certificates or certificate status; (c) management protocols used by system entities to exchange information needed for proper management of the PKI; and (d) information about certificate policies and CPSs, covering the areas of PKI security not directly addressed in the rest of PKIX.

(C) PKIX的目标是促进在多个Internet应用程序中使用X.509公钥证书,并促进使用这些证书的不同实现之间的互操作性。由此产生的PKI旨在提供一个支持一系列信任和层次结构环境以及一系列使用环境的框架。PKIX规定了(a)互联网v3 X.509公钥证书标准和v2 X.509 CRL标准的配置文件;(b) 依赖方用于获取证书或证书状态等信息的操作协议;(c) 系统实体用于交换适当管理PKI所需信息的管理协议;以及(d)关于证书政策和CP的信息,涵盖PKI安全领域,这些领域在PKIX的其余部分中没有直接涉及。

$ PKIX private extension (I) PKIX defines a private extension to identify an on-line verification service supporting the issuing CA.

$ PKIX私有扩展(I)PKIX定义了一个私有扩展,用于标识支持颁发CA的在线验证服务。

$ plaintext (I) Data that is input to and transformed by an encryption process, or that is output by a decryption process.

$ 明文(I)通过加密过程输入和转换的数据,或通过解密过程输出的数据。

(C) Usually, the plaintext input to an encryption operation is cleartext. But in some cases, the input is ciphertext that was output from another encryption operation. (See: superencryption.)

(C) 通常,加密操作的明文输入是明文。但在某些情况下,输入是另一个加密操作输出的密文。(请参阅:超级加密。)

$ Point-to-Point Protocol (PPP) (I) An Internet Standard protocol [R1661] for encapsulation and full-duplex transportation of network layer (mainly OSI layer 3) protocol data packets over a link between two peers, and for multiplexing different network layer protocols over the same link. Includes optional negotiation to select and use a peer entity authentication protocol to authenticate the peers to each other before they exchange network layer data. (See: CHAP, EAP, PAP.)

$ 点对点协议(PPP)(I)一种互联网标准协议[R1661],用于在两个对等点之间的链路上封装和全双工传输网络层(主要是OSI第3层)协议数据包,以及在同一链路上复用不同的网络层协议。包括可选协商,以选择并使用对等实体身份验证协议,在对等实体交换网络层数据之前相互验证对等实体。(见:第章,EAP,PAP)

$ Point-to-Point Tunneling Protocol (PPTP) (I) An Internet client-server protocol (originally developed by Ascend and Microsoft) that enables a dial-up user to create a virtual extension of the dial-up link across a network by tunneling PPP over IP. (See: L2TP.)

$ 点对点隧道协议(PPTP)(I)互联网客户端-服务器协议(最初由Ascend和Microsoft开发),允许拨号用户通过IP隧道PPP在网络上创建拨号链路的虚拟扩展。(请参阅:L2TP。)

(C) PPP can encapsulate any Internet Protocol Suite network layer protocol (or OSI layer 3 protocol). Therefore, PPTP does not specify security services; it depends on protocols above and below it to provide any needed security. PPTP makes it possible to divorce the location of the initial dial-up server (i.e., the PPTP Access Concentrator, the client, which runs on a special-purpose host) from the location at which the dial-up protocol (PPP) connection is terminated and access to the network is provided (i.e., the PPTP Network Server, which runs on a general-purpose host).

(C) PPP可以封装任何Internet协议套件网络层协议(或OSI第3层协议)。因此,PPTP没有指定安全服务;它依赖于上面和下面的协议来提供所需的安全性。PPTP使初始拨号服务器(即PPTP访问集中器、运行在专用主机上的客户端)的位置与拨号协议(PPP)连接终止和提供网络访问的位置(即运行在通用主机上的PPTP网络服务器)分离成为可能.

$ policy (D) ISDs SHOULD NOT use this word as an abbreviation for either "security policy" or "certificate policy". Instead, to avoid misunderstanding, use the fully qualified term, at least at the point of first usage.

$ 策略(D)ISDs不应将此词用作“安全策略”或“证书策略”的缩写。相反,为了避免误解,至少在第一次使用时使用完全限定的术语。

$ policy approving authority (PAA) (O) MISSI usage: The top-level signing authority of a MISSI certification hierarchy. The term refers both to that authoritative office or role and to the person who plays that role. (See: root registry.)

$ 策略批准机构(PAA)(O)MSI用法:MSI证书层次结构的顶级签名机构。该术语既指该权威机构或角色,也指扮演该角色的人。(请参阅:根注册表。)

(C) A PAA registers MISSI PCAs and signs their X.509 public-key certificates. A PAA issues CRLs but does not issue a CKL. A PAA may issue cross-certificates to other PAAs.

(C) PAA注册MSI PCA并签署其X.509公钥证书。PAA发布CRL,但不发布CKL。PAA可向其他PAA颁发交叉证书。

$ policy certification authority (Internet PCA) (I) An X.509-compliant CA at the second level of the Internet certification hierarchy, under the Internet Policy Registration Authority (IPRA). Each PCA operates in accordance with its published security policy (see: certification practice statement) and within constraints established by the IPRA for all PCAs. [R1422]. (See: policy creation authority.)

$ 政策认证机构(互联网PCA)(I)互联网政策注册机构(IPRA)下互联网认证体系第二级的X.509兼容CA。各PCA根据其发布的安全政策(见:认证实践声明)并在IPRA为所有PCA制定的约束范围内运行。[R1422]。(请参阅:策略创建权限。)

$ policy creation authority (MISSI PCA) (O) MISSI usage: The second level of a MISSI certification hierarchy; the administrative root of a security policy domain of MISSI users and other, subsidiary authorities. The term refers both to that authoritative office or role and to the person who fills that office. (See: policy certification authority.)

$ 策略创建机构(MSI PCA)(O)MSI使用:MSI认证层次结构的第二级;MSI用户和其他附属机构的安全策略域的管理根。该术语既指该权威职位或角色,也指填补该职位的人员。(请参阅:策略证书颁发机构。)

(C) A MISSI PCA's certificate is issued by a policy approving authority. The PCA registers the CAs in its domain, defines their configurations, and issues their X.509 public-key certificates. (The PCA may also issue certificates for SCAs, ORAs, and other end entities, but a PCA does not usually do this.) The PCA periodically issues CRLs and CKLs for its domain.

(C) MISI PCA的证书由政策批准机构颁发。PCA在其域中注册CA,定义其配置,并颁发X.509公钥证书。(PCA也可以为SCA、ORA和其他终端实体颁发证书,但PCA通常不会这样做。)PCA定期为其域颁发CRL和CKL。

$ Policy Management Authority (N) Canadian usage: An organization responsible for PKI oversight and policy management in the Government of Canada.

$ 政策管理局(N)加拿大用法:加拿大政府负责PKI监督和政策管理的组织。

$ policy mapping (I) "Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain." [X509]

$ 策略映射(I)“认识到,当一个域中的CA认证另一个域中的CA时,第一个域的机构可能会认为第二个域中的特定证书策略与第一个域中的特定证书策略等效(但不一定在所有方面完全相同)。[X509]

$ POP3 See: Post Office Protocol, version 3.

$ POP3见:邮局协议,第3版。

$ POP3 APOP (I) A POP3 "command" (better described as a transaction type, or a protocol-within-a-protocol) by which a POP3 client optionally uses a keyed hash (based on MD5) to authenticate itself to a POP3 server and, depending on the server implementation, to protect against replay attacks. (See: CRAM, POP3 AUTH, IMAP4 AUTHENTICATE.)

$ POP3 APOP(I)一个POP3“命令”(更好地描述为事务类型或协议内协议),通过该命令,POP3客户端可以选择使用密钥散列(基于MD5)向POP3服务器进行身份验证,并根据服务器的实现,防止重播攻击。(请参阅:CRAM、POP3身份验证、IMAP4身份验证。)

(C) The server includes a unique timestamp in its greeting to the client. The subsequent APOP command sent by the client to the server contains the client's name and the hash result of applying MD5 to a string formed from both the timestamp and a shared secret that is known only to the client and the server. APOP was designed to provide as an alternative to using POP3's USER and PASS (i.e., password) command pair, in which the client sends a cleartext password to the server.

(C) 服务器在对客户端的问候语中包含一个唯一的时间戳。客户机发送到服务器的后续APOP命令包含客户机的名称以及将MD5应用于由时间戳和共享密钥形成的字符串的哈希结果,该字符串仅为客户机和服务器所知。APOP的设计目的是提供一种替代使用POP3的用户和密码(即密码)命令对的方法,在该命令对中,客户端向服务器发送明文密码。

$ POP3 AUTH (I) A "command" [R1734] (better described as a transaction type, or a protocol-within-a-protocol) in POP3, by which a POP3 client optionally proposes a mechanism to a POP3 server to authenticate the client to the server and provide other security services. (See: POP3 APOP, IMAP4 AUTHENTICATE.)

$ POP3身份验证(I)POP3中的“命令”[R1734](更好地描述为事务类型或协议内协议),通过该命令,POP3客户端可选地向POP3服务器提出机制,以向服务器验证客户端并提供其他安全服务。(请参阅:POP3 APOP、IMAP4。)

(C) If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms used by POP3 AUTH are those used by IMAP4.

(C) 如果服务器接受该建议,则该命令之后将执行质询-响应身份验证协议,并(可选)协商后续POP3交互的保护机制。POP3 AUTH使用的安全机制是IMAP4使用的安全机制。

$ port scan (I) An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.

$ 端口扫描(I)将客户端请求发送到主机上一系列服务器端口地址的攻击,目的是查找活动端口并利用该服务的已知漏洞。

$ POSIX (N) Portable Operating System Interface for Computer Environments, a standard [FP151, IS9945-1] (originally IEEE Standard P1003.1) that defines an operating system interface and environment to support application portability at the source code level. It is intended to be used by both application developers and system implementers.

$ POSIX(N)用于计算机环境的便携式操作系统接口,一种标准[FP151,IS9945-1](最初为IEEE标准P1003.1),定义了操作系统接口和环境,以支持源代码级别的应用程序可移植性。它旨在供应用程序开发人员和系统实现人员使用。

(C) P1003.1 supports security functionality like those on most UNIX systems, including discretionary access control and privilege. IEEE Draft Standard P1003.6.1 specifies additional functionality not provided in the base standard, including (a) discretionary access control, (b) audit trail mechanisms, (c) privilege mechanisms, (d) mandatory access control, and (e) information label mechanisms.

(C) P1003.1支持与大多数UNIX系统类似的安全功能,包括自主访问控制和权限。IEEE标准草案P1003.6.1规定了基础标准中未提供的附加功能,包括(a)自主访问控制,(b)审计跟踪机制,(c)特权机制,(d)强制访问控制,以及(e)信息标签机制。

$ Post Office Protocol, version 3 (POP3) (I) An Internet Standard protocol [R1939] by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client. (See: IMAP4.)

$ 邮局协议,第3版(POP3)(I)互联网标准协议[R1939],通过该协议,客户端工作站可以动态访问服务器主机上的邮箱,以检索服务器已接收并为客户端保留的邮件消息。(请参阅:IMAP4。)

(C) POP3 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: POP3 APOP, POP3 AUTH.)

(C) POP3有一些机制,可以选择向服务器验证客户端,并提供其他安全服务。(请参见:POP3 APOP,POP3 AUTH。)

$ PPP See: Point-to-Point Protocol.

$ PPP见:点对点协议。

$ PPTP See: Point-to-Point Tunneling Protocol.

$ PPTP请参阅:点对点隧道协议。

$ pre-authorization (I) A capability of a CAW that enables certification requests to be automatically validated against data provided in advance to the CA by an authorizing entity.

$ 预授权(I)CAW的一种能力,使认证请求能够根据授权实体提前向CA提供的数据进行自动验证。

$ Pretty Good Privacy(trademark) (PGP(trademark)) (O) Trademarks of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet. (See: MOSS, PEM, S/MIME.)

$ Network Associates,Inc.的相当好的隐私(商标)(PGP(商标))(O)商标,指的是一种计算机程序(和相关协议),它使用加密技术为电子邮件和互联网上的其他应用程序提供数据安全。(见:莫斯、佩姆、S/MIME)

(C) PGP encrypts messages with IDEA in CFB mode, distributes the IDEA keys by encrypting them with RSA, and creates digital signatures on messages with MD5 and RSA. To establish ownership of public keys, PGP depends on the web of trust. (See: Privacy Enhanced Mail.)

(C) PGP在CFB模式下使用IDEA加密消息,通过使用RSA加密分发IDEA密钥,并使用MD5和RSA在消息上创建数字签名。为了建立公钥的所有权,PGP依赖于信任网。(请参阅:隐私增强邮件。)

$ primary account number (PAN) (O) SET usage: "The assigned number that identifies the card issuer and cardholder. This account number is composed of an issuer identification number, an individual account number identification, and an accompanying check digit as defined by ISO 7812-1985." [SET2, IS7812] (See: bank identification number.)

$ 主账号(PAN)(O)设置用法:“识别卡发卡机构和持卡人的指定号码。该账号由发卡机构标识号、个人账号标识和ISO 7812-1985定义的附带支票数字组成。”[SET2,IS7812](见:银行标识号。)

(C) The PAN is embossed, encoded, or both on a magnetic-strip-based credit card. The PAN identifies the issuer to which a transaction is to be routed and the account to which it is to be applied unless specific instructions indicate otherwise. The authority that assigns the bank identification number part of the PAN is the American Bankers Association.

(C) PAN在基于磁条的信用卡上进行压印、编码或两者兼有。PAN识别交易将被路由到的发卡机构以及交易将被应用到的账户,除非特定指示另有说明。分配PAN中银行识别号部分的机构是美国银行家协会。

$ privacy (I) The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others. (See: anonymity.)

$ 隐私(I)实体(通常是个人)代表自己决定其与环境互动程度的权利,包括实体愿意与他人分享自身信息的程度。(见:匿名。)

(O) "The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed." [I7498 Part 2]

(O) “个人有权控制或影响与他们相关的信息的收集和存储,以及由谁和向谁披露这些信息。”[I7498第2部分]

(D) ISDs SHOULD NOT use this term as a synonym for "data confidentiality" or "data confidentiality service", which are different concepts. Privacy is a reason for security rather than a kind of security. For example, a system that stores personal data needs to protect the data to prevent harm, embarrassment, inconvenience, or unfairness to any person about whom data is maintained, and to protect the person's privacy. For that reason, the system may need to provide data confidentiality service.

(D) ISDs不应将此术语用作“数据机密性”或“数据机密性服务”的同义词,这是两个不同的概念。隐私是安全的理由,而不是一种安全。例如,存储个人数据的系统需要保护数据,以防止对维护数据的任何人造成伤害、尴尬、不便或不公平,并保护该人的隐私。因此,系统可能需要提供数据保密服务。

$ Privacy Enhanced Mail (PEM) (I) An Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail. [R1421, R1422]. (See: MOSS, MSP, PGP, S/MIME.)

$ 隐私增强邮件(PEM)(I)为电子邮件提供数据保密性、数据完整性和数据来源认证的互联网协议。[R1421,R1422]。(见:莫斯、MSP、PGP、S/MIME)

(C) PEM encrypts messages with DES in CBC mode, provides key distribution of DES keys by encrypting them with RSA, and signs messages with RSA over either MD2 or MD5. To establish ownership of public keys, PEM uses a certification hierarchy, with X.509 public-key certificates and X.509 CRLs that are signed with RSA and MD2. (See: Pretty Good Privacy.)

(C) PEM在CBC模式下使用DES加密消息,通过使用RSA加密DES密钥来提供密钥分发,并通过MD2或MD5使用RSA对消息进行签名。为了建立公钥的所有权,PEM使用了一个证书层次结构,其中包含使用RSA和MD2签名的X.509公钥证书和X.509 CRL。(见:相当好的隐私。)

(C) PEM is designed to be compatible with a wide range of key management methods, but is limited to specifying security services only for text messages and, like MOSS, has not been widely implemented in the Internet.

(C) PEM旨在与多种密钥管理方法兼容,但仅限于为文本消息指定安全服务,并且与MOSS一样,尚未在Internet上广泛实施。

$ private component (I) A synonym for "private key".

$ 私有组件(I)“私钥”的同义词。

(D) In most cases, ISDs SHOULD NOT use this term; to avoid confusing readers, use "private key" instead. However, the term MAY be used when specifically discussing a key pair; e.g., "A key pair has a public component and a private component."

(D) 在大多数情况下,ISDs不应使用该术语;为避免混淆读者,请改用“私钥”。然而,该术语可在具体讨论密钥对时使用;e、 例如,“密钥对有一个公共组件和一个私有组件。”

$ private extension See: (secondary definition under) extension.

$ 专用扩展请参见:(第二个定义下)扩展。

$ private key (I) The secret component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, public key.)

$ 私钥(I)用于非对称加密的一对加密密钥的秘密部分。(请参阅:密钥对,公钥。)

(O) "(In a public key cryptosystem) that key of a user's key pair which is known only by that user." [X509]

(O) “(在公钥密码系统中)只有该用户知道的用户密钥对的密钥。”[X509]

$ privilege (I) An authorization or set of authorizations to perform security-relevant functions, especially in the context of a computer operating system.

$ 特权(I)执行安全相关功能的授权或授权集,尤其是在计算机操作系统的上下文中。

$ privilege management infrastructure (N) "The complete set of processes required to provide an authorization service", i.e., processes concerned with attribute certificates. [FPDAM] (See: PKI.)

$ 特权管理基础设施(N)“提供授权服务所需的一整套流程”,即与属性证书相关的流程。[FPDAM](见:PKI)

(D) ISDs SHOULD NOT use this term and its definition because the definition is vague, and there is no consensus on an alternate definition.

(D) ISDs不应使用该术语及其定义,因为该定义含糊不清,并且没有就替代定义达成共识。

$ privileged process (I) An computer process that is authorized (and, therefore, trusted) to perform some security-relevant functions that ordinary processes are not. (See: privilege, trusted process.)

$ 特权进程(I)一种计算机进程,它被授权(并因此被信任)执行一些与安全相关的功能,而普通进程则不具备这些功能。(请参阅:权限,受信任进程。)

$ procedural security (D) ISDs SHOULD NOT use this term as a synonym for "administrative security". Any type of security may involve procedures; therefore, the term may be misleading. Instead, use "administrative security", "communication security", "computer security", "emanations security", "personnel security", "physical security", or whatever specific type is meant. (See: security architecture.)

$ 程序安全(D)ISDs不应将此术语用作“行政安全”的同义词。任何类型的担保都可能涉及程序;因此,该术语可能具有误导性。相反,请使用“管理安全”、“通信安全”、“计算机安全”、“辐射安全”、“人员安全”、“物理安全”或任何特定类型。(请参阅:安全体系结构。)

$ proprietary (I) Refers to information (or other property) that is owned by an individual or organization and for which the use is restricted by that entity.

$ 专有(I)是指个人或组织拥有的信息(或其他财产),其使用受到该实体的限制。

$ protected checksum (I) A checksum that is computed for a data object by means that protect against active attacks that would attempt to change the checksum to make it match changes made to the data object. (See: digital signature, keyed hash, (discussion under) checksum.

$ 受保护校验和(I)为数据对象计算的校验和,其方法是防止试图更改校验和以使其与对数据对象所做的更改相匹配的主动攻击。(参见:数字签名,密钥散列,(下讨论)校验和。

$ protected distribution system (I) A wireline or fiber-optic system that includes sufficient safeguards (acoustic, electric, electromagnetic, and physical) to permit its use for unencrypted transmission of (cleartext) data.

$ 受保护的分发系统(I)有线或光纤系统,包括足够的保护(声音、电气、电磁和物理),以允许其用于(明文)数据的未加密传输。

$ protection authority See: (secondary definition under) Internet Protocol Security Option.

$ 保护机构请参见:(第二定义)Internet协议安全选项。

$ protection ring (I) One of a hierarchy of privileged operation modes of a system that gives certain access rights to processes authorized to operate in that mode.

$ 保护环(I)系统特权操作模式层次结构中的一种,它向授权在该模式下操作的进程授予某些访问权限。

$ protocol (I) A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. (E.g., see: Internet Protocol.)

$ 协议(I)一组规则(即格式和程序),用于实现和控制系统之间的某种类型的关联(例如通信)。(例如,参见:互联网协议。)

(C) In particular, a series of ordered steps involving computing and communication that are performed by two or more system entities to achieve a joint objective. [A9042]

(C) 具体而言,由两个或多个系统实体执行的涉及计算和通信的一系列有序步骤,以实现联合目标。[A9042]

$ protocol suite (I) A complementary collection of communication protocols used in a computer network. (See: Internet, OSI.)

$ 协议套件(I)计算机网络中使用的通信协议的补充集合。(见:互联网,OSI)

$ proxy server (I) A computer process--often used as, or as part of, a firewall-- that relays a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. (See: SOCKS.)

$ 代理服务器(I):一种计算机进程,通常用作防火墙或防火墙的一部分,通过在客户端看来是服务器,在服务器上看起来是客户端,在客户端和服务器计算机系统之间中继协议。(见:袜子。)

(C) In a firewall, a proxy server usually runs on a bastion host, which may support proxies for several protocols (e.g., FTP, HTTP, and TELNET). Instead of a client in the protected enclave connecting directly to an external server, the internal client connects to the proxy server which in turn connects to the external server. The proxy server waits for a request from inside the firewall, forwards the request to the remote server outside the firewall, gets the response, then sends the response back to the client. The proxy may be transparent to the clients, or they may need to connect first to the proxy server, and then use that association to also initiate a connection to the real server.

(C) 在防火墙中,代理服务器通常运行在堡垒主机上,该主机可能支持多种协议(例如FTP、HTTP和TELNET)的代理。与受保护的enclave中直接连接到外部服务器的客户端不同,内部客户端连接到代理服务器,而代理服务器又连接到外部服务器。代理服务器等待来自防火墙内部的请求,将请求转发到防火墙外部的远程服务器,获取响应,然后将响应发送回客户端。代理可能对客户端是透明的,或者客户端可能需要首先连接到代理服务器,然后使用该关联来启动到真实服务器的连接。

(C) Proxies are generally preferred over SOCKS for their ability to perform caching, high-level logging, and access control. A proxy can provide security service beyond that which is normally part of the relayed protocol, such as access control based on peer entity authentication of clients, or peer entity authentication of servers when clients do not have that capability. A proxy at OSI layer 7 can also provide finer-grained security service than can a filtering router at OSI layer 3. For example, an FTP proxy could permit transfers out of, but not into, a protected network.

(C) 代理通常优于SOCKS,因为它们能够执行缓存、高级日志记录和访问控制。代理可以提供超出中继协议正常部分的安全服务,例如基于客户端的对等实体身份验证的访问控制,或者当客户端不具备该功能时服务器的对等实体身份验证。OSI第7层的代理也可以提供比OSI第3层的过滤路由器更细粒度的安全服务。例如,FTP代理可以允许从受保护的网络进行传输,但不允许传输到受保护的网络。

$ pseudo-random (I) A sequence of values that appears to be random (i.e., unpredictable) but is actually generated by a deterministic algorithm. (See: random.)

$ 伪随机(I)看似随机(即不可预测)但实际上由确定性算法生成的值序列。(请参阅:随机。)

$ pseudo-random number generator (I) A process used to deterministically generate a series of numbers (usually integers) that appear to be random according to certain statistical tests, but actually are pseudo-random.

$ 伪随机数生成器(I)用于确定生成一系列数字(通常为整数)的过程,根据某些统计测试,这些数字看起来是随机的,但实际上是伪随机的。

(C) Pseudo-random number generators are usually implemented in software.

(C) 伪随机数生成器通常在软件中实现。

$ public component (I) A synonym for "public key".

$ 公共部分(I)“公钥”的同义词。

(D) In most cases, ISDs SHOULD NOT use this term; to avoid confusing readers, use "private key" instead. However, the term MAY be used when specifically discussing a key pair; e.g., "A key pair has a public component and a private component."

(D) 在大多数情况下,ISDs不应使用该术语;为避免混淆读者,请改用“私钥”。然而,该术语可在具体讨论密钥对时使用;e、 例如,“密钥对有一个公共组件和一个私有组件。”

$ public key (I) The publicly-disclosable component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, private key.)

$ 公钥(I)用于非对称加密的一对加密密钥中可公开披露的部分。(请参阅:密钥对、私钥。)

(O) "(In a public key cryptosystem) that key of a user's key pair which is publicly known." [X509]

(O) “(在公钥密码系统中)用户密钥对中公开的密钥。”[X509]

$ public-key certificate (I) A digital certificate that binds a system entity's identity to a public key value, and possibly to additional data items; a digitally-signed data structure that attests to the ownership of a public key. (See: X.509 public-key certificate.)

$ 公钥证书(I)将系统实体的身份绑定到公钥值,并可能绑定到附加数据项的数字证书;证明公钥所有权的数字签名数据结构。(请参阅:X.509公钥证书。)

(C) The digital signature on a public-key certificate is unforgeable. Thus, the certificate can be published, such as by posting it in a directory, without the directory having to protect the certificate's data integrity.

(C) 公钥证书上的数字签名是不可伪造的。因此,可以发布证书,例如将其发布到目录中,而目录不必保护证书的数据完整性。

(O) "The public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it." [X509]

(O) “用户的公钥以及一些其他信息,通过使用颁发它的证书颁发机构的私钥进行加密而变得不可伪造。”[X509]

$ public-key cryptography (I) The popular synonym for "asymmetric cryptography".

$ 公钥密码术(I)“非对称密码术”的流行同义词。

$ Public-Key Cryptography Standards (PKCS) (I) A series of specifications published by RSA Laboratories for data structures and algorithm usage for basic applications of asymmetric cryptography. (See: PKCS #7, PKCS #10, PKCS #11.)

$ 公钥密码标准(PKCS)(I)RSA实验室发布的一系列规范,用于非对称密码基本应用的数据结构和算法使用。(见:PKCS 7、PKCS 10、PKCS 11。)

(C) The PKCS were begun in 1991 in cooperation with industry and academia, originally including Apple, Digital, Lotus, Microsoft, Northern Telecom, Sun, and MIT. Today, the specifications are widely used, but they are not sanctioned by an official standards organization, such as ANSI, ITU-T, or IETF. RSA Laboratories retains sole decision-making authority over the PKCS.

(C) PKCS于1991年开始与工业界和学术界合作,最初包括苹果、数字、莲花、微软、北方电信、Sun和麻省理工学院。今天,规范被广泛使用,但它们没有得到官方标准组织的认可,如ANSI、ITU-T或IETF。RSA Laboratories保留对PKCS的唯一决策权。

$ public-key forward secrecy (PFS) (I) For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.

$ 公钥前向保密(PFS)(I)对于基于非对称加密的密钥协商协议,确保从一组长期公钥和私钥派生的会话密钥在将来其中一个私钥被泄露时不会被泄露的属性。

(C) Some existing RFCs use the term "perfect forward secrecy" but either do not define it or do not define it precisely. While preparing this Glossary, we tried to find a good definition for that term, but found this to be a muddled area. Experts did not agree. For all practical purposes, the literature defines "perfect forward secrecy" by stating the Diffie-Hellman algorithm. The term "public-key forward secrecy" (suggested by Hilarie Orman) and the "I" definition stated for it here were crafted to be compatible with current Internet documents, yet be narrow and leave room for improved terminology.

(C) 一些现有的RFC使用术语“完美前向保密”,但要么没有对其进行定义,要么没有对其进行精确定义。在编写本词汇表时,我们试图为该术语找到一个好的定义,但发现这是一个混乱的领域。专家们并不同意。出于所有实际目的,文献通过说明Diffie-Hellman算法来定义“完美前向保密”。术语“公钥前向保密”(Hilarie Orman建议)和此处所述的“I”定义是为了与当前的互联网文档兼容而精心设计的,但其范围很窄,并为改进术语留下了空间。

(C) Challenge to the Internet security community: We need a taxonomy--a family of mutually exclusive and collectively exhaustive terms and definitions to cover the basic properties discussed here--for the full range of cryptographic algorithms and protocols used in Internet Standards:

(C) 对互联网安全社区的挑战:我们需要一个分类法——一系列相互排斥且共同详尽的术语和定义,以涵盖此处讨论的基本属性——用于互联网标准中使用的所有加密算法和协议:

(C) Involvement of session keys vs. long-term keys: Experts disagree about the basic ideas involved.

(C) 会话密钥与长期密钥的参与:专家们对涉及的基本思想存在分歧。

- One concept of "forward secrecy" is that, given observations of the operation of a key establishment protocol up to time t, and given some of the session keys derived from those protocol runs, you cannot derive unknown past session keys or future session keys.

-“前向保密”的一个概念是,给定到时间t为止密钥建立协议的操作观察结果,并且给定从这些协议运行中派生的一些会话密钥,您无法派生未知的过去会话密钥或未来会话密钥。

- A related property is that, given observations of the protocol and knowledge of the derived session keys, you cannot derive one or more of the long-term private keys.

-一个相关的属性是,给定对协议的观察和派生会话密钥的知识,您不能派生一个或多个长期私钥。

- The "I" definition presented above involves a third concept of "forward secrecy" that refers to the effect of the compromise of long-term keys.

-上述“I”定义涉及“前向保密”的第三个概念,即长期密钥泄露的影响。

- All three concepts involve the idea that a compromise of "this" encryption key is not supposed to compromise the "next" one. There also is the idea that compromise of a single key will compromise only the data protected by the single key. In Internet literature, the focus has been on protection against decryption of back traffic in the event of a compromise of secret key material held by one or both parties to a communication.

-所有这三个概念都包含这样一个想法,即“此”加密密钥的折衷不应折衷“下一个”加密密钥。还有一种想法是,单个密钥的泄露只会泄露受单个密钥保护的数据。在互联网文献中,重点一直是在通信的一方或双方持有的密钥材料泄露的情况下防止反向通信解密。

(C) Forward vs. backward: Experts are unhappy with the word "forward", because compromise of "this" encryption key also is not supposed to compromise the "previous" one, which is "backward" rather than forward. In S/KEY, if the key used at time t is compromised, then all keys used prior to that are compromised. If the "long-term" key (i.e., the base of the hashing scheme) is compromised, then all keys past and future are compromised; thus, you could say that S/KEY has neither forward nor backward secrecy.

(C) 前向与后向:专家们对“前向”这个词不满意,因为“此”加密密钥的泄露也不应该泄露“前向”加密密钥,即“后向”而不是“前向”。在S/KEY中,如果在时间t使用的密钥被泄露,则在此之前使用的所有密钥都被泄露。如果“长期”密钥(即散列方案的基础)被泄露,则过去和将来的所有密钥都被泄露;因此,您可以说S/KEY既不具有前向保密性,也不具有后向保密性。

(C) Asymmetric cryptography vs. symmetric: Experts disagree about forward secrecy in the context of symmetric cryptographic systems. In the absence of asymmetric cryptography, compromise of any long-term key seems to compromise any session key derived from the long-term key. For example, Kerberos isn't forward secret, because compromising a client's password (thus compromising the key shared by the client and the authentication server) compromises future session keys shared by the client and the ticket-granting server.

(C) 非对称密码与对称密码:在对称密码系统的背景下,专家们对前向保密存在分歧。在没有非对称加密的情况下,任何长期密钥的泄露似乎都会泄露从长期密钥派生的任何会话密钥。例如,Kerberos不是前向机密,因为泄露客户端密码(从而泄露客户端和身份验证服务器共享的密钥)会泄露客户端和票证授予服务器共享的未来会话密钥。

(C) Ordinary forward secrecy vs. "perfect" forward secret: Experts disagree about the difference between these two. Some say there is no difference, and some say that the initial naming was unfortunate and suggest dropping the word "perfect". Some suggest using "forward secrecy" for the case where one long-term private key is compromised, and adding "perfect" for when both private keys (or, when the protocol is multi-party, all private keys) are compromised.

(C) 普通前向保密与“完美”前向保密:专家们不同意这两者之间的区别。有人说没有区别,有人说最初的命名是不幸的,建议去掉“完美”这个词。一些人建议在一个长期私钥被泄露的情况下使用“前向保密”,并在两个私钥(或者,当协议为多方协议时,所有私钥)被泄露的情况下添加“完美”。

(C) Acknowledgements: Bill Burr, Burt Kaliski, Steve Kent, Paul Van Oorschot, Michael Wiener, and, especially, Hilarie Orman contributed ideas to this discussion.

(C) 致谢:比尔·伯尔、伯特·卡利斯基、史蒂夫·肯特、保罗·范·奥斯肖特、迈克尔·维纳,尤其是希拉里·奥曼为本次讨论提供了一些想法。

$ public-key infrastructure (PKI) (I) A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token

$ 公钥基础设施(PKI)(I)CA系统(以及可选的RAs和其他支持服务器和代理),执行一组证书管理、归档管理、密钥管理和令牌

management functions for a community of users in an application of asymmetric cryptography. (See: hierarchical PKI, mesh PKI, security management infrastructure, trust-file PKI.)

非对称加密应用程序中用户社区的管理功能。(请参阅:分层PKI、网状PKI、安全管理基础架构、信任文件PKI。)

(O) PKIX usage: The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

(O) PKIX使用:基于非对称加密技术创建、管理、存储、分发和撤销数字证书所需的一组硬件、软件、人员、策略和过程。

(C) The core PKI functions are (a) to register users and issue their public-key certificates, (b) to revoke certificates when required, and (c) to archive data needed to validate certificates at a much later time. Key pairs for data confidentiality may be generated (and perhaps escrowed) by CAs or RAs, but requiring a PKI client to generate its own digital signature key pair helps maintain system integrity of the cryptographic system, because then only the client ever possesses the private key it uses. Also, an authority may be established to approve or coordinate CPSs, which are security policies under which components of a PKI operate.

(C) PKI的核心功能是(a)注册用户并颁发他们的公钥证书,(b)在需要时撤销证书,以及(C)在很晚的时间存档验证证书所需的数据。用于数据保密的密钥对可以由CAs或RAs生成(或者托管),但要求PKI客户端生成其自己的数字签名密钥对有助于维护加密系统的系统完整性,因为只有客户端才拥有其使用的私钥。此外,还可以建立一个机构来批准或协调CPS,CPS是PKI组件运行所依据的安全策略。

(C) A number of other servers and agents may support the core PKI, and PKI clients may obtain services from them. The full range of such services is not yet fully understood and is evolving, but supporting roles may include archive agent, certified delivery agent, confirmation agent, digital notary, directory, key escrow agent, key generation agent, naming agent who ensures that issuers and subjects have unique identifiers within the PKI, repository, ticket-granting agent, and time stamp agent.

(C) 许多其他服务器和代理可以支持核心PKI,PKI客户端可以从它们那里获得服务。此类服务的全部范围尚未完全了解,并且正在发展,但支持角色可能包括存档代理、认证交付代理、确认代理、数字公证人、目录、密钥托管代理、密钥生成代理、命名代理,以确保发行人和主体在PKI、存储库和,机票授予代理和时间戳代理。

$ RA See: registration authority.

$ 见:登记机关。

$ RA domains (I) A capability of a CAW that allows a CA to divide the responsibility for certification requests among multiple RAs.

$ RA域(I)CAW的一种能力,允许CA在多个RA之间分配认证请求的责任。

(C) This capability might be used to restrict access to private authorization data that is provided with a certification request, and to distribute the responsibility to review and approve certification requests in high volume environments. RA domains might segregate certification requests according to an attribute of the certificate subject, such as an organizational unit.

(C) 此功能可用于限制对随认证请求提供的私有授权数据的访问,并在大容量环境中分配审核和批准认证请求的责任。RA域可能会根据证书主题的属性(如组织单位)隔离证书请求。

$ RADIUS See: Remote Authentication Dial-In User Service.

$ RADIUS请参阅:远程身份验证拨入用户服务。

$ Rainbow Series (O) A set of more than 30 technical and policy documents with colored covers, issued by the NCSC, that discuss in detail the TCSEC and provide guidance for meeting and applying the criteria. (See: Green Book, Orange Book, Red Book, Yellow Book.)

$ 彩虹系列(O)由NCSC发布的一套30多个彩色封面的技术和政策文件,详细讨论了TCSEC,并为满足和应用标准提供了指导。(参见:绿皮书、橙皮书、红皮书、黄皮书。)

$ random (I) General usage: In mathematics, random means "unpredictable". A sequence of values is called random if each successive value is obtained merely by chance and does not depend on the preceding values of the sequence, and a selected individual value is called random if each of the values in the total population of possibilities has equal probability of being selected. [Knuth] (See: cryptographic key, pseudo-random, random number generator.)

$ 一般用法:在数学中,随机的意思是“不可预测的”。如果每个连续值仅仅是偶然获得的,并且不依赖于序列的先前值,则一个值序列称为随机值;如果所有可能性中的每个值都具有相同的被选择概率,则选定的单个值称为随机值。[Knuth](请参阅:加密密钥、伪随机、随机数生成器。)

(I) Security usage: In cryptography and other security applications, random means not only unpredictable, but also "unguessable". When selecting data values to use for cryptographic keys, "the requirement is for data that an adversary has a very low probability of guessing or determining." It is not sufficient to use data that "only meets traditional statistical tests for randomness or which is based on limited range sources, such as clocks. Frequently such random quantities are determinable [i.e., guessable] by an adversary searching through an embarrassingly small space of possibilities." [R1750]

(一) 安全用途:在密码学和其他安全应用程序中,随机意味着不仅不可预测,而且“不可用”。选择用于加密密钥的数据值时,“要求对手猜测或确定的概率非常低。”仅使用以下数据是不够的:“仅满足随机性的传统统计测试或基于有限范围源(如时钟)的测试。通常情况下,这样的随机数量是可以通过对手在一个令人尴尬的小空间中搜索来确定的

$ random number generator (I) A process used to generate an unpredictable, uniformly distributed series of numbers (usually integers). (See: pseudo-random, random.)

$ 随机数生成器(I)用于生成不可预测、均匀分布的数字序列(通常为整数)的过程。(请参见:伪随机、随机。)

(C) True random number generators are hardware-based devices that depend on the output of a "noisy diode" or other physical phenomena. [R1750]

(C) 真随机数发生器是基于硬件的设备,依赖于“噪声二极管”或其他物理现象的输出。[R1750]

$ RBAC See: Role-Based Access Control.

$ RBAC请参阅:基于角色的访问控制。

$ RC2 $ RC4 See: Rivest Cipher #2, Rivest Cipher #4.

$ RC2$RC4见:Rivest密码#2,Rivest密码#4。

$ realm (O) Kerberos usage: The domain of authority of a Kerberos server (consisting of an authentication server and a ticket-granting server), including the Kerberized clients and the Kerberized application servers

$ 领域(O)Kerberos用法:Kerberos服务器(由身份验证服务器和票据授予服务器组成)的权限域,包括Kerberized客户端和Kerberized应用服务器

$ RED (I) Designation for information system equipment or facilities that handle (and for data that contains) only plaintext (or, depending on the context, classified information), and for such data itself. This term derives from U.S. Government COMSEC terminology. (See: BLACK, RED/BLACK separation.)

$ 红色(I)仅处理(和包含)纯文本(或,根据上下文,机密信息)的信息系统设备或设施的名称,以及此类数据本身的名称。该术语源自美国政府通信安全术语。(请参见:黑色、红色/黑色分隔。)

$ Red Book (D) ISDs SHOULD NOT use this term as a synonym for "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria" [NCS05]. Instead, use the full proper name of the document or, in subsequent references, a more conventional abbreviation. (See: TCSEC, Rainbow Series, (usage note under) Green Book.)

$ 红皮书(D)ISDs不应将此术语用作“可信计算机系统评估标准的可信网络解释”[NCS05]的同义词。取而代之的是,使用文件的全称,或者在后续参考文献中使用更为传统的缩写。(参见:TCSEC,彩虹系列,(绿皮书下的使用说明。)

$ RED/BLACK separation (I) An architectural concept for cryptographic systems that strictly separates the parts of a system that handle plaintext (i.e., RED information) from the parts that handle ciphertext (i.e., BLACK information). This term derives from U.S. Government COMSEC terminology. (See: BLACK, RED.)

$ 红/黑分离(I)密码系统的体系结构概念,它将处理明文(即红色信息)的系统部分与处理密文(即黑色信息)的系统部分严格分开。该术语源自美国政府通信安全术语。(参见:黑色、红色。)

$ reference monitor (I) "An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects." [NCS04] (See: security kernel.)

$ reference monitor(I)“一种访问控制概念,指的是一台抽象机器,它协调主体对对象的所有访问。”[NCS04](请参阅:安全内核。)

(C) A reference monitor should be (a) complete (i.e., it mediates every access), (b) isolated (i.e., it cannot be modified by other system entities), and (c) verifiable (i.e., small enough to be subjected to analysis and tests to ensure that it is correct).

(C) 参考监视器应(A)完整(即,它调解每次访问),(b)隔离(即,它不能被其他系统实体修改),(C)可验证(即,足够小,可以进行分析和测试,以确保其正确性)。

$ reflection attack (I) A type of replay attack in which transmitted data is sent back to its originator.

$ 反射攻击(I)一种重放攻击,其中传输的数据被发送回其发起者。

$ register $ registration (I) An administrative act or process whereby an entity's name and other attributes are established for the first time at a CA, prior to the CA issuing a digital certificate that has the entity's name as the subject. (See: registration authority.)

$ register$registration(I)一种行政行为或程序,在CA颁发以实体名称为主体的数字证书之前,该实体的名称和其他属性在CA首次建立。(见:登记机关。)

(C) Registration may be accomplished either directly, by the CA, or indirectly, by a separate RA. An entity is presented to the CA or RA, and the authority either records the name(s) claimed for the entity or assigns the entity's name(s). The authority also determines and records other attributes of the entity that are to

(C) 注册可以由CA直接完成,也可以由单独的RA间接完成。实体提交给CA或RA,管理局记录为该实体申请的名称或指定该实体的名称。管理局还确定并记录实体的其他属性

be bound in a certificate (such as a public key or authorizations) or maintained in the authority's database (such as street address and telephone number). The authority is responsible, possibly assisted by an RA, for authenticating the entity's identity and verifying the correctness of the other attributes, in accordance with the CA's CPS.

绑定在证书(如公钥或授权)中或保存在管理局的数据库中(如街道地址和电话号码)。管理局负责(可能由RA协助)根据CA的CPS认证实体的身份并验证其他属性的正确性。

(C) Among the registration issues that a CPS may address are the following [R2527]:

(C) CPS可能解决的注册问题包括以下[R2527]:

- How a claimed identity and other attributes are verified. - How organization affiliation or representation is verified. - What forms of names are permitted, such as X.500 DN, domain name, or IP address. - Whether names are required to be meaningful or unique, and within what domain. - How naming disputes are resolved, including the role of trademarks. - Whether certificates are issued to entities that are not persons. - Whether a person is required to appear before the CA or RA, or can instead be represented by an agent. - Whether and how an entity proves possession of the private key matching a public key.

- 如何验证声明的身份和其他属性。-如何验证组织隶属关系或代表性。-允许使用何种形式的名称,如X.500 DN、域名或IP地址。-名称是否需要有意义或唯一,以及在哪个域内。-如何解决命名争议,包括商标的作用。-是否向非法人实体颁发证书。-一个人是否需要在CA或RA前出庭,或者可以由代理人代为出庭。-实体是否以及如何证明拥有与公钥匹配的私钥。

$ registration authority (RA) (I) An optional PKI entity (separate from the CAs) that does not sign either digital certificates or CRLs but has responsibility for recording or verifying some or all of the information (particularly the identities of subjects) needed by a CA to issue certificates and CRLs and to perform other certificate management functions. (See: organizational registration authority, registration.)

$ 注册机构(RA)(I)一个可选的PKI实体(独立于CAs),不签署数字证书或CRL,但负责记录或验证部分或全部信息(特别是受试者的身份)CA需要它来颁发证书和CRL以及执行其他证书管理功能。(参见:组织登记机关,登记。)

(C) Sometimes, a CA may perform all certificate management functions for all end users for which the CA signs certificates. Other times, such as in a large or geographically dispersed community, it may be necessary or desirable to offload secondary CA functions and delegate them to an assistant, while the CA retains the primary functions (signing certificates and CRLs). The tasks that are delegated to an RA by a CA may include personal authentication, name assignment, token distribution, revocation reporting, key generation, and archiving. An RA is an optional PKI component, separate from the CA, that is assigned secondary functions. The duties assigned to RAs vary from case to case but may include the following:

(C) 有时,CA可以为其签署证书的所有最终用户执行所有证书管理功能。在其他情况下,例如在大型或地理位置分散的社区中,可能需要卸载辅助CA功能并将其委托给助手,而CA保留主要功能(签名证书和CRL)。CA委托给RA的任务可能包括个人身份验证、名称分配、令牌分发、撤销报告、密钥生成和存档。RA是一个可选的PKI组件,独立于CA,分配辅助功能。分配给RAs的职责因情况而异,但可能包括以下内容:

- Verifying a subject's identity, i.e., performing personal authentication functions. - Assigning a name to a subject. (See: distinguished name.) - Verifying that a subject is entitled to have the attributes requested for a certificate. - Verifying that a subject possesses the private key that matches the public key requested for a certificate. - Performing functions beyond mere registration, such as generating key pairs, distributing tokens, and handling revocation reports. (Such functions may be assigned to a PKI element that is separate from both the CA and the RA.)

- 验证受试者身份,即执行个人身份验证功能。-为主题指定名称。(请参阅:可分辨名称)-验证受试者是否有权拥有证书所需的属性。-验证主体是否拥有与证书请求的公钥匹配的私钥。-执行注册以外的功能,例如生成密钥对、分发令牌和处理撤销报告。(此类功能可分配给独立于CA和RA的PKI元素。)

(I) PKIX usage: An optional PKI component, separate from the CA(s). The functions that the RA performs will vary from case to case but may include identity authentication and name assignment, key generation and archiving of key pairs, token distribution, and revocation reporting. [R2510]

(一) PKIX用法:可选的PKI组件,与CA分离。RA执行的功能因情况而异,但可能包括身份验证和名称分配、密钥生成和密钥对存档、令牌分发和撤销报告。[R2510]

(O) SET usage: "An independent third-party organization that processes payment card applications for multiple payment card brands and forwards applications to the appropriate financial institutions." [SET2]

(O) SET用法:“一个独立的第三方组织,处理多个支付卡品牌的支付卡应用程序,并将应用程序转发给相应的金融机构。”[SET2]

$ regrade (I) Deliberately change the classification level of information in an authorized manner.

$ 重新评级(I)以授权方式故意更改信息的分类级别。

$ rekey (I) Change the value of a cryptographic key that is being used in an application of a cryptographic system. (See: certificate rekey.)

$ rekey(I)更改加密系统应用程序中使用的加密密钥的值。(请参阅:证书重新密钥。)

(C) For example, rekey is required at the end of a cryptoperiod or key lifetime.

(C) 例如,在加密周期或密钥生命周期结束时需要重新密钥。

$ reliability (I) The ability of a system to perform a required function under stated conditions for a specified period of time. (See: availability, survivability.)

$ 可靠性(I)系统在规定条件下在规定时间内执行所需功能的能力。(请参阅:可用性、生存能力。)

$ relying party (N) A synonym for "certificate user". Used in a legal context to mean a recipient of a certificate who acts in reliance on that certificate. (See: ABA Guidelines.)

$ 依赖方(N)“证书用户”的同义词。在法律上下文中,指依据证书行事的证书接收人。(参见:ABA指南。)

$ Remote Authentication Dial-In User Service (RADIUS) (I) An Internet protocol [R2138] for carrying dial-in users' authentication information and configuration information between a

$ 远程认证拨入用户服务(RADIUS)(I)一种互联网协议[R2138],用于在网络之间传输拨入用户的认证信息和配置信息

shared, centralized authentication server (the RADIUS server) and a network access server (the RADIUS client) that needs to authenticate the users of its network access ports. (See: TACACS.)

共享的集中式身份验证服务器(RADIUS服务器)和需要对其网络访问端口的用户进行身份验证的网络访问服务器(RADIUS客户端)。(见:TACACS)

(C) A user of the RADIUS client presents authentication information to the client, and the client passes that information to the RADIUS server. The server authenticates the client using a shared secret value, then checks the user's authentication information, and finally returns to the client all authorization and configuration information needed by the client to deliver service to the user.

(C) RADIUS客户端的用户向客户端提供身份验证信息,客户端将该信息传递给RADIUS服务器。服务器使用共享秘密值对客户端进行身份验证,然后检查用户的身份验证信息,最后将客户端向用户提供服务所需的所有授权和配置信息返回给客户端。

$ renew See: certificate renewal.

$ 续订请参阅:证书续订。

$ replay attack (I) An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack. (See: active wiretapping.)

$ 重播攻击(I)发起人或截获数据并重新传输数据的对手恶意或欺诈性地重复有效数据传输的攻击,可能是伪装攻击的一部分。(请参见:主动窃听。)

$ repository (I) A system for storing and distributing digital certificates and related information (including CRLs, CPSs, and certificate policies) to certificate users. (See: directory.)

$ 存储库(I)向证书用户存储和分发数字证书及相关信息(包括CRL、CPS和证书策略)的系统。(请参阅:目录。)

(O) "A trustworthy system for storing and retrieving certificates or other information relevant to certificates." [ABA]

(O) “用于存储和检索证书或与证书相关的其他信息的可靠系统。”[ABA]

(C) A certificate is published to those who might need it by putting it in a repository. The repository usually is a publicly accessible, on-line server. In the Federal Public-key Infrastructure, for example, the expected repository is a directory that uses LDAP, but also may be the X.500 Directory that uses DAP, or an HTTP server, or an FTP server that permits anonymous login.

(C) 通过将证书放入存储库,将证书发布给可能需要它的人。存储库通常是一个可公开访问的在线服务器。例如,在联邦公钥基础设施中,预期的存储库是使用LDAP的目录,但也可能是使用DAP的X.500目录、HTTP服务器或允许匿名登录的FTP服务器。

$ repudiation (I) Denial by a system entity that was involved in an association (especially an association that transfers information) of having participated in the relationship. (See: accountability, non-repudiation service.)

$ 否认(I)参与关联(尤其是传输信息的关联)的系统实体拒绝参与关系。(参见:责任制、不可否认服务。)

(O) "Denial by one of the entities involved in a communication of having participated in all or part of the communication." [I7498 Part 2]

(O) “参与通信的一个实体否认参与了全部或部分通信。”[I7498第2部分]

$ Request for Comment (RFC) (I) One of the documents in the archival series that is the official channel for ISDs and other publications of the Internet Engineering Steering Group, the Internet Architecture Board, and the Internet community in general. [R2026, R2223] (See: Internet Standard.)

$ 征求意见(RFC)(I)档案系列文件之一,是互联网工程指导小组、互联网体系结构委员会和整个互联网社区的ISDs和其他出版物的官方渠道。[R2026,R2223](参见:互联网标准。)

(C) This term is *not* a synonym for "Internet Standard".

(C) 这个术语不是“互联网标准”的同义词。

$ residual risk (I) The risk that remains after countermeasures have been applied.

$ 剩余风险(I)在采取应对措施后仍然存在的风险。

$ restore See: card restore.

$ 恢复请参阅:卡恢复。

$ revocation See: certificate revocation.

$ 撤销请参阅:证书撤销。

$ revocation date (N) In an X.509 CRL entry, a date-time field that states when the certificate revocation occurred, i.e., when the CA declared the digital certificate to be invalid. (See: invalidity date.)

$ 撤销日期(N)在X.509 CRL条目中,一个日期时间字段,说明证书撤销发生的时间,即CA宣布数字证书无效的时间。(参见:失效日期。)

(C) The revocation date may not resolve some disputes because, in the worst case, all signatures made during the validity period of the certificate may have to be considered invalid. However, it may be desirable to treat a digital signature as valid even though the private key used to sign was compromised after the signing. If more is known about when the compromise actually occurred, a second date-time, an "invalidity date", can be included in an extension of the CRL entry.

(C) 撤销日期可能无法解决某些争议,因为在最坏的情况下,证书有效期内的所有签名都可能被视为无效。然而,可能希望将数字签名视为有效,即使用于签名的私钥在签名后被泄露。如果对折衷实际发生的时间有更多了解,可以在CRL条目的扩展中包括第二个日期时间,即“无效日期”。

$ revocation list See: certificate revocation list.

$ 吊销列表请参阅:证书吊销列表。

$ revoke See: certificate revocation.

$ 撤销请参阅:证书撤销。

$ RFC See: Request for Comment.

$ RFC见:征求意见。

$ risk (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

$ 风险(I)损失预期,表示为特定威胁利用特定漏洞造成特定有害结果的概率。

(O) SET usage: "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]

(O) 集合用法:“由于一个或多个信息威胁而导致损失的可能性(不要与财务或业务风险混淆)。”[SET2]

$ risk analysis $ risk assessment (I) A process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

$ 风险分析$风险评估(I)一个过程,系统地识别有价值的系统资源和对这些资源的威胁,根据估计的发生频率和成本量化损失风险(即损失可能性),并(可选)建议如何将资源分配给应对措施,以尽量减少总风险。

(C) The analysis lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first. It is usually financially and technically infeasible to counteract all aspects of risk, and so some residual risk will remain, even after all available countermeasures have been deployed. [FP031, R2196]

(C) 该分析按成本和关键性顺序列出风险,从而确定应首先在何处应用对策。通常在财务和技术上都不可能抵消所有方面的风险,因此即使在部署了所有可用的应对措施之后,仍会存在一些剩余风险。[FP031,R2196]

$ risk management (I) The process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. (See: risk analysis.)

$ 风险管理(I)识别、控制、消除或最小化可能影响系统资源的不确定事件的过程。(参见:风险分析。)

$ Rivest Cipher #2 (RC2) (N) A proprietary, variable-key-length block cipher invented by Ron Rivest for RSA Data Security, Inc. (now a wholly-owned subsidiary of Security Dynamics, Inc.).

$ Rivest Cipher#2(RC2)(N)Ron Rivest为RSA Data Security,Inc.(现在是Security Dynamics,Inc.的全资子公司)发明的专有可变密钥长度分组密码。

$ Rivest Cipher #4 (RC4) (N) A proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc. (now a wholly-owned subsidiary of Security Dynamics, Inc.).

$ Rivest Cipher#4(RC4)(N):Ron Rivest为RSA Data Security,Inc.(现在是Security Dynamics,Inc.的全资子公司)发明的专有可变密钥长度流密码。

$ Rivest-Shamir-Adleman (RSA) (N) An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78, Schn].

$ Rivest-Shamir-Adleman(RSA)(N)一种非对称密码算法,由Ron Rivest、Adi-Shamir和Leonard Adleman于1977年发明[RSA78,Schn]。

(C) RSA uses exponentiation modulo the product of two large prime numbers. The difficulty of breaking RSA is believed to be equivalent to the difficulty of factoring integers that are the product of two large prime numbers of approximately equal size.

(C) RSA使用两个大素数乘积的幂运算。打破RSA的困难被认为相当于分解两个大小近似相等的大素数的乘积的整数的困难。

(C) To create an RSA key pair, randomly choose two large prime numbers, p and q, and compute the modulus, n = pq. Randomly choose a number e, the public exponent, that is less than n and relatively prime to (p-1)(q-1). Choose another number d, the

(C) 要创建RSA密钥对,请随机选择两个大素数p和q,并计算模n=pq。随机选择一个数字e,即公共指数,它小于n,且相对素数为(p-1)(q-1)。选择另一个数字d,即

private exponent, such that ed-1 evenly divides (p-1)(q-1). The public key is the set of numbers (n,e), and the private key is the set (n,d).

私有指数,使得ed-1平均除以(p-1)(q-1)。公钥是数字的集合(n,e),私钥是集合(n,d)。

(C) It is assumed to be difficult to compute the private key (n,d) from the public key (n,e). However, if n can be factored into p and q, then the private key d can be computed easily. Thus, RSA security depends on the assumption that it is computationally difficult to factor a number that is the product of two large prime numbers. (Of course, p and q are treated as part of the private key, or else destroyed after computing n.)

(C) 假设难以从公钥(n,e)计算私钥(n,d)。然而,如果n可以分解为p和q,那么私钥d可以容易地计算。因此,RSA安全性取决于这样一种假设:计算上很难将两个大素数的乘积作为一个数的因子。(当然,p和q被视为私钥的一部分,或者在计算n后被销毁。)

(C) For encryption of a message, m, to be sent to Bob, Alice uses Bob's public key (n,e) to compute m**e (mod n) = c. She sends c to Bob. Bob computes c**d (mod n) = m. Only Bob knows d, so only Bob can compute c**d (mod n) = m to recover m.

(C) 对于要发送给Bob的消息m的加密,Alice使用Bob的公钥(n,e)来计算m**e(mod n)=C。她把c寄给鲍勃。Bob计算c**d(模n)=m。只有Bob知道d,因此只有Bob可以计算c**d(mod n)=m来恢复m。

(C) To provide data origin authentication of a message, m, to be sent to Bob, Alice computes m**d (mod n) = s, where (d,n) is Alice's private key. She sends m and s to Bob. To recover the message that only Alice could have sent, Bob computes s**e (mod n) = m, where (e,n) is Alice's public key.

(C) 为了提供发送给Bob的消息m的数据源身份验证,Alice计算m**d(mod n)=s,其中(d,n)是Alice的私钥。她把m和s寄给鲍勃。为了恢复只有Alice才能发送的消息,Bob计算s**e(mod n)=m,其中(e,n)是Alice的公钥。

(C) To ensure data integrity in addition to data origin authentication requires extra computation steps in which Alice and Bob use a cryptographic hash function h (as explained for digital signature). Alice computes the hash value h(m) = v, and then encrypts v with her private key to get s. She sends m and s. Bob receives m' and s', either of which might have been changed from the m and s that Alice sent. To test this, he decrypts s' with Alice's public key to get v'. He then computes h(m') = v". If v' equals v", Bob is assured that m' is the same m that Alice sent.

(C) 为了确保数据完整性,除了数据源身份验证外,还需要额外的计算步骤,Alice和Bob在这些步骤中使用加密哈希函数h(如数字签名所述)。Alice计算散列值h(m)=v,然后用她的私钥加密v以得到s。她送m和s。Bob接收到m'和s',其中任何一个可能已从Alice发送的m和s中更改。为了测试这一点,他解密“用Alice的公钥获得v”。然后,他计算h(m')=v。如果v'等于v,鲍勃确信m'与爱丽丝发送的m相同。

$ role-based access control (RBAC) (I) A form of identity-based access control where the system entities that are identified and controlled are functional positions in an organization or process.

$ 基于角色的访问控制(RBAC)(I)一种基于身份的访问控制形式,其中识别和控制的系统实体是组织或流程中的功能位置。

$ root (I) A CA that is directly trusted by an end entity. Acquiring the value of a root CA's public key involves an out-of-band procedure.

$ root(I)终端实体直接信任的CA。获取根CA公钥的值涉及带外过程。

(I) Hierarchical PKI usage: The CA that is the highest level (most trusted) CA in a certification hierarchy; i.e., the authority upon whose public key all certificate users base their trust. (See: top CA.)

(一) 层次化PKI使用:证书层次结构中最高级别(最受信任)的CA;i、 例如,所有证书用户信任其公钥的机构。(见:顶部CA)

(C) In a hierarchical PKI, a root issues public-key certificates to one or more additional CAs that form the second highest level. Each of these CAs may issue certificates to more CAs at the third highest level, and so on. To initialize operation of a hierarchical PKI, the root's initial public key is securely distributed to all certificate users in a way that does not depend on the PKI's certification relationships. The root's public key may be distributed simply as a numerical value, but typically is distributed in a self-signed certificate in which the root is the subject. The root's certificate is signed by the root itself because there is no higher authority in a certification hierarchy. The root's certificate is then the first certificate in every certification path.

(C) 在分层PKI中,根用户向一个或多个附加CA颁发公钥证书,这些CA构成第二高级别。这些CA中的每一个都可以向第三高级别的更多CA颁发证书,以此类推。要初始化分层PKI的操作,根用户的初始公钥将以不依赖于PKI的证书关系的方式安全地分发给所有证书用户。根的公钥可以简单地作为数字值分发,但通常在以根为主体的自签名证书中分发。根目录的证书由根目录本身签名,因为在证书层次结构中没有更高的权限。根目录的证书是每个证书路径中的第一个证书。

(O) MISSI usage: A name previously used for a MISSI policy creation authority, which is not a root as defined above for general usage, but is a CA at the second level of the MISSI hierarchy, immediately subordinate to a MISSI policy approving authority.

(O) MISSI usage:以前用于MISSI策略创建机构的名称,它不是上文定义的一般用途的根,而是位于MISSI层次结构第二级的CA,直接从属于MISSI策略批准机构。

(O) UNIX usage: A user account (also called "superuser") that has all privileges (including all security-related privileges) and thus can manage the system and its other user accounts.

(O) UNIX使用:一个用户帐户(也称为“超级用户”),它具有所有权限(包括所有与安全相关的权限),因此可以管理系统及其其他用户帐户。

$ root certificate (I) A certificate for which the subject is a root.

$ 根证书(I)主题为根的证书。

(I) Hierarchical PKI usage: The self-signed public-key certificate at the top of a certification hierarchy.

(一) 分层PKI用法:证书层次结构顶部的自签名公钥证书。

$ root key (I) A public key for which the matching private key is held by a root.

$ 根密钥(I)根持有匹配私钥的公钥。

$ root registry (O) MISSI usage: A name previously used for a MISSI policy approving authority.

$ 根注册表(O)MSI用法:以前用于MSI策略审批机构的名称。

$ router (I) A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that internetwork. The most common form of router operates on IP packets. (See: bridge.)

$ 路由器(I)作为OSI第3层两个网络之间的网关的计算机,通过该互联网络中继和引导数据包。最常见的路由器形式是在IP数据包上运行的。(见:桥梁)

(I) Internet usage: In the context of the Internet protocol suite, a networked computer that forwards Internet Protocol packets that are not addressed to the computer itself. (See: host.)

(一) Internet使用:在Internet协议套件的上下文中,一种网络计算机,它转发未发送到计算机本身的Internet协议包。(请参阅:主机。)

$ RSA See: Rivest-Shamir-Adleman.

$ RSA见:Rivest Shamir Adleman。

$ rule-based security policy (I) "A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users." [I7498 Part 2] (See: identity-based security policy.)

$ 基于规则的安全策略(I)“基于对所有用户强制实施的全局规则的安全策略。这些规则通常依赖于对所访问资源的敏感性和对用户、一组用户或代表用户行事的实体的相应属性的占有情况的比较。”[I7498第2部分](请参阅:基于身份的安全策略。)

$ safety (I) The property of a system being free from risk of causing harm to system entities and outside entities.

$ 安全(I)系统的财产不存在对系统实体和外部实体造成损害的风险。

$ SAID See: security association identifier.

$ 请参阅:安全关联标识符。

$ salt (I) A random value that is concatenated with a password before applying the one-way encryption function used to protect passwords that are stored in the database of an access control system. (See: initialization value.)

$ salt(I)在应用单向加密功能(用于保护存储在访问控制系统数据库中的密码)之前与密码连接的随机值。(请参见:初始化值。)

(C) Salt protects a password-based access control system against a dictionary attack.

(C) Salt保护基于密码的访问控制系统免受字典攻击。

$ sanitize (I) Delete sensitive data from a file, a device, or a system; or modify data so as to be able to downgrade its classification level.

$ 清理(I)从文件、设备或系统中删除敏感数据;或者修改数据,以便能够降低其分类级别。

$ SASL See: Simple Authentication and Security Layer.

$ SASL请参阅:简单身份验证和安全层。

$ SCA See: subordinate certification authority.

$ SCA请参阅:从属证书颁发机构。

$ scavenging See: (secondary definition under) threat consequence.

$ 清除见:(第二定义下)威胁后果。

$ screening router (I) A synonym for "filtering router".

$ 屏蔽路由器(I)“过滤路由器”的同义词。

$ SDE See: Secure Data Exchange.

$ SDE见:安全数据交换。

$ SDNS See: Secure Data Network System.

$ SDN请参阅:安全数据网络系统。

$ seal (O) To use cryptography to provide data integrity service for a data object. (See: sign, wrap.)

$ seal(O)使用加密技术为数据对象提供数据完整性服务。(请参见:签名、换行。)

(D) ISDs SHOULD NOT use this definition; instead, use language that is more specific with regard to the mechanism(s) used, such as "sign" when the mechanism is digital signature.

(D) ISDs不应使用此定义;相反,请使用更具体的语言来描述所使用的机制,例如当机制是数字签名时的“签名”。

$ secret (I) (1.) Adjective: The condition of information being protected from being known by any system entities except those who are intended to know it. (2.) Noun: An item of information that is protected thusly.

$ 秘密(I)(1.)形容词:保护信息不被任何系统实体所知的状态,但有意知道它的人除外。(2.)名词:受保护的信息项。

(C) This term applies to symmetric keys, private keys, and passwords.

(C) 该术语适用于对称密钥、私钥和密码。

$ secret-key cryptography (I) A synonym for "symmetric cryptography".

$ 密钥加密(I)“对称加密”的同义词。

$ Secure Data Exchange (SDE) (N) A local area network security protocol defined by the IEEE 802.10 standard.

$ 安全数据交换(SDE)(N)由IEEE 802.10标准定义的局域网安全协议。

$ Secure Data Network System (SDNS) (N) An NSA program that developed security protocols for electronic mail (Message Security Protocol), OSI layer 3 (SP3), OSI layer 4 (SP4), and key management (KMP).

$ 安全数据网络系统(SDNS)(N):一个NSA计划,为电子邮件(消息安全协议)、OSI第3层(SP3)、OSI第4层(SP4)和密钥管理(KMP)开发安全协议。

$ Secure Hash Standard (SHS) (N) The U.S. Government standard [FP180] that specifies the Secure Hash Algorithm (SHA-1), a cryptographic hash function that produces a 160-bit output (hash result) for input data of any length < 2**64 bits.

$ 安全散列标准(SHS)(N)美国政府标准[FP180],指定安全散列算法(SHA-1),一种加密散列函数,可为任何长度<2**64位的输入数据生成160位输出(散列结果)。

$ Secure Hypertext Transfer Protocol (Secure-HTTP, S-HTTP) (I) A Internet protocol for providing client-server security services for HTTP communications. (See: https.)

$ 安全超文本传输协议(安全HTTP,S-HTTP)(I)为HTTP通信提供客户端-服务器安全服务的互联网协议。(请参阅:https。)

(C) S-HTTP was originally specified by CommerceNet, a coalition of businesses interested in developing the Internet for commercial uses. Several message formats may be incorporated into S-HTTP clients and servers, particularly CMS and MOSS. S-HTTP supports choice of security policies, key management mechanisms, and cryptographic algorithms through option negotiation between

(C) S-HTTP最初由CommerceNet指定,CommerceNet是一个致力于开发商业用途互联网的企业联盟。可以将多种消息格式合并到S-HTTP客户端和服务器中,特别是CMS和MOSS。S-HTTP支持安全策略、密钥管理机制和加密算法的选择,通过在

parties for each transaction. S-HTTP supports both asymmetric and symmetric key operation modes. S-HTTP attempts to avoid presuming a particular trust model, but it attempts to facilitate multiply-rooted hierarchical trust and anticipates that principals may have many public key certificates.

每项交易的当事人。S-HTTP支持非对称和对称密钥操作模式。S-HTTP试图避免假定特定的信任模型,但它试图促进多根层次信任,并预期主体可能具有许多公钥证书。

$ Secure/MIME (S/MIME) (I) Secure/Multipurpose Internet Mail Extensions, an Internet protocol [R2633] to provide encryption and digital signatures for Internet mail messages.

$ 安全/MIME(S/MIME)(I)安全/多用途互联网邮件扩展,一种互联网协议[R2633],用于为互联网邮件消息提供加密和数字签名。

$ Secure Sockets Layer (SSL) (N) An Internet protocol (originally developed by Netscape Communications, Inc.) that uses connection-oriented end-to-end encryption to provide data confidentiality service and data integrity service for traffic between a client (often a web browser) and a server, and that can optionally provide peer entity authentication between the client and the server. (See: Transport Layer Security.)

$ 安全套接字层(SSL)(N)一种互联网协议(最初由Netscape Communications,Inc.开发),它使用面向连接的端到端加密为客户端(通常是web浏览器)和服务器之间的通信提供数据保密服务和数据完整性服务,并且可以选择在客户端和服务器之间提供对等实体身份验证。(请参阅:传输层安全。)

(C) SSL is layered below HTTP and above a reliable transport protocol (TCP). SSL is independent of the application it encapsulates, and any higher level protocol can layer on top of SSL transparently. However, many Internet applications might be better served by IPsec.

(C) SSL分层在HTTP之下和可靠传输协议(TCP)之上。SSL独立于它封装的应用程序,任何更高级别的协议都可以透明地在SSL之上分层。但是,IPsec可能更好地服务于许多Internet应用程序。

(C) SSL has two layers: (a) SSL's lower layer, the SSL Record Protocol, is layered on top of the transport protocol and encapsulates higher level protocols. One such encapsulated protocol is SSL Handshake Protocol. (b) SSL's upper layer provides asymmetric cryptography for server authentication (verifying the server's identity to the client) and optional client authentication (verifying the client's identity to the server), and also enables them to negotiate a symmetric encryption algorithm and secret session key (to use for data confidentiality) before the application protocol transmits or receives data. A keyed hash provides data integrity service for encapsulated data.

(C) SSL有两层:(a)SSL的底层,即SSL记录协议,是在传输协议之上分层的,并封装了更高级别的协议。一个这样的封装协议是SSL握手协议。(b) SSL的上层为服务器身份验证(向客户机验证服务器的身份)和可选的客户机身份验证(向服务器验证客户机的身份)提供了非对称加密,还使它们能够协商对称加密算法和秘密会话密钥(用于数据保密)在应用程序协议传输或接收数据之前。键控哈希为封装的数据提供数据完整性服务。

$ secure state (I) A system condition in which no subject can access any object in an unauthorized manner. (See: (secondary definition under) Bell-LaPadula Model, clean system.)

$ 安全状态(I)任何主体都不能以未经授权的方式访问任何对象的系统状态。(见:(下二级定义)贝尔-拉帕杜拉模型,清洁系统。)

$ security (I) (1.) Measures taken to protect a system. (2.) The condition of a system that results from the establishment and maintenance of

$ 安全(I)(1.)为保护系统而采取的措施。(2.)由于系统的建立和维护而导致的系统状态

measures to protect the system. (3.) The condition of system resources being free from unauthorized access and from unauthorized or accidental change, destruction, or loss.

保护系统的措施。(3.)系统资源没有未经授权的访问和未经授权或意外的更改、破坏或丢失的情况。

$ security architecture (I) A plan and set of principles that describe (a) the security services that a system is required to provide to meet the needs of its users, (b) the system elements required to implement the services, and (c) the performance levels required in the elements to deal with the threat environment. (See: (discussion under) security policy.)

$ 安全体系结构(I)一个计划和一组原则,描述(A)系统需要提供的安全服务以满足其用户的需求,(b)实现服务所需的系统要素,以及(c)应对威胁环境所需的要素性能水平。(请参阅:(在)安全策略下的讨论。)

(C) A security architecture is the result of applying the system engineering process. A complete system security architecture includes administrative security, communication security, computer security, emanations security, personnel security, and physical security (e.g., see: [R2179]). A complete security architecture needs to deal with both intentional, intelligent threats and accidental kinds of threats.

(C) 安全体系结构是应用系统工程过程的结果。完整的系统安全体系结构包括管理安全、通信安全、计算机安全、发射安全、人员安全和物理安全(例如,请参阅:[R2179])。一个完整的安全体系结构需要处理有意的、智能的威胁和意外的威胁。

$ security association (I) A relationship established between two or more entities to enable them to protect data they exchange. The relationship is used to negotiate characteristics of protection mechanisms, but does not include the mechanisms themselves. (See: association.)

$ 安全关联(I)两个或多个实体之间建立的关系,使它们能够保护它们交换的数据。该关系用于协商保护机制的特征,但不包括机制本身。(见:协会)

(C) A security association describes how entities will use security services. The relationship is represented by a set of information that is shared between the entities and is agreed upon and considered a contract between them.

(C) 安全关联描述实体将如何使用安全服务。这种关系由一组信息表示,这些信息在实体之间共享,并在实体之间达成协议并被视为合同。

(O) IPsec usage: A simplex (uni-directional) logical connection created for security purposes and implemented with either AH or ESP (but not both). The security services offered by a security association depend on the protocol selected, the IPsec mode (transport or tunnel), the endpoints, and the election of optional services within the protocol. A security association is identified by a triple consisting of (a) a destination IP address, (b) a protocol (AH or ESP) identifier, and (c) a Security Parameter Index.

(O) IPsec用途:为安全目的创建的单工(单向)逻辑连接,可使用AH或ESP(但不能同时使用两者)实现。安全关联提供的安全服务取决于所选协议、IPsec模式(传输或隧道)、端点以及协议内可选服务的选择。安全关联由三元组标识,三元组由(A)目标IP地址、(b)协议(AH或ESP)标识符和(c)安全参数索引组成。

$ security association identifier (SAID) (I) A data field in a security protocol (such as NLSP or SDE), used to identify the security association to which a protocol data unit is bound. The SAID value is usually used to select a key for decryption or authentication at the destination. (See: Security Parameter Index.)

$ 安全关联标识符(所述)(I)安全协议(如NLSP或SDE)中的数据字段,用于标识协议数据单元绑定到的安全关联。所述值通常用于在目的地选择用于解密或认证的密钥。(请参阅:安全参数索引。)

$ security audit (I) An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. [I7498 Part 2, NCS01]

$ 安全审计(I)对系统的记录和活动进行独立审查和检查,以确定系统控制的充分性,确保符合既定的安全政策和程序,检测安全服务中的违规行为,并建议针对应对措施的任何变更。[I7498第2部分,NCS01]

(C) The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises.

(C) 基本审计目标是为发起或参与安全相关事件和行动的系统实体建立问责制。因此,需要采取措施来生成和记录安全审计跟踪,并审查和分析审计跟踪,以发现和调查攻击和安全危害。

$ security audit trail (I) A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results. [NCS04] (See: security audit.)

$ 安全审计跟踪(I)系统活动的时间顺序记录,足以重建和检查从开始到最终结果的安全相关交易中围绕或导致操作、程序或事件的环境和活动序列。[NCS04](参见:安全审计。)

$ security class (D) A synonym for "security level". For consistency, ISDs SHOULD use "security level" instead of "security class".

$ 安全等级(D)是“安全等级”的同义词。为保持一致性,ISDs应使用“安全级别”而不是“安全级别”。

$ security clearance (I) A determination that a person is eligible, under the standards of a specific security policy, for authorization to access sensitive information or other system resources. (See: clearance level.)

$ 安全许可(I)根据特定安全策略的标准,确定某人有资格获得访问敏感信息或其他系统资源的授权。(请参见:间隙水平。)

$ security compromise (I) A security violation in which a system resource is exposed, or is potentially exposed, to unauthorized access. (See: data compromise, violation.)

$ 安全隐患(I)系统资源暴露或可能暴露于未经授权的访问的安全违规行为。(请参阅:数据泄露、违规。)

$ security domain See: domain.

$ 安全域请参阅:域。

$ security environment (I) The set of external entities, procedures, and conditions that affect secure development, operation, and maintenance of a system.

$ 安全环境(I)影响系统安全开发、操作和维护的一组外部实体、程序和条件。

$ security event (I) A occurrence in a system that is relevant to the security of the system. (See: security incident.)

$ 安全事件(I)系统中与系统安全相关的事件。(见:安全事件)

(C) The term includes both events that are security incidents and those that are not. In a CA workstation, for example, a list of security events might include the following:

(C) 该术语包括安全事件和非安全事件。例如,在CA工作站中,安全事件列表可能包括以下内容:

- Performing a cryptographic operation, e.g., signing a digital certificate or CRL. - Performing a cryptographic card operation: creation, insertion, removal, or backup. - Performing a digital certificate lifecycle operation: rekey, renewal, revocation, or update. - Posting information to an X.500 Directory. - Receiving a key compromise notification. - Receiving an improper certification request. - Detecting an alarm condition reported by a cryptographic module. - Logging the operator in or out. - Failing a built-in hardware self-test or a software system integrity check.

- 执行加密操作,例如签署数字证书或CRL。-执行加密卡操作:创建、插入、删除或备份。-执行数字证书生命周期操作:重新设置密钥、续订、吊销或更新。-正在将信息发布到X.500目录。-收到密钥泄露通知。-收到不正确的认证请求。-检测加密模块报告的报警条件。-正在登录或注销操作员。-未通过内置硬件自检或软件系统完整性检查。

$ security fault analysis (I) A security analysis, usually performed on hardware at a logic gate level, gate-by-gate, to determine the security properties of a device when a hardware fault is encountered.

$ 安全故障分析(I)一种安全分析,通常在逻辑门级逐门对硬件执行,以在遇到硬件故障时确定设备的安全属性。

$ security gateway (I) A gateway that separates trusted (or relatively more trusted) hosts on the internal network side from untrusted (or less trusted) hosts on the external network side. (See: firewall and guard.)

$ 安全网关(I)将内部网络侧的受信任(或相对更受信任)主机与外部网络侧的不受信任(或不太受信任)主机分离的网关。(请参阅:防火墙和防护。)

(O) IPsec usage: "An intermediate system that implements IPsec protocols." [R2401] Normally, AH or ESP is implemented to serve a set of internal hosts, providing security services for the hosts when they communicate with other, external hosts or gateways that also implement IPsec.

(O) IPsec用法:“实现IPsec协议的中间系统。”[R2401]通常,AH或ESP用于为一组内部主机提供服务,当主机与其他也实现IPsec的外部主机或网关通信时,为主机提供安全服务。

$ security incident (I) A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.)

$ 安全事件(I)涉及安全违规的安全事件。(请参阅:证书、抓地力、安全事件、安全入侵、安全违规。)

(C) In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.

(C) 换句话说,与安全相关的系统事件,其中系统的安全策略被违反或以其他方式被违反。

(O) "Any adverse event which compromises some aspect of computer or network security." [R2350]

(O) “任何危害计算机或网络安全的不利事件。”[R2350]

(D) ISDs SHOULD NOT use this "O" definition because (a) a security incident may occur without actually being harmful (i.e., adverse) and (b) this Glossary defines "compromise" more narrowly in relation to unauthorized access.

(D) ISDs不应使用此“O”定义,因为(a)安全事件可能发生,但实际上没有危害性(即不利),以及(b)本术语表对未经授权访问的“危害”定义更为狭义。

$ security intrusion (I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

$ 安全入侵(I)构成安全事件的安全事件或多个安全事件的组合,其中入侵者未经授权获取或试图获取对系统(或系统资源)的访问权。

$ security kernel (I) "The hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct." [NCS04] (See: reference monitor.)

$ 安全内核(I)“实现参考监视器概念的可信计算基础的硬件、固件和软件元素。它必须调解所有访问,防止修改,并可验证为正确。”[NCS04](请参阅:参考监视器。)

(C) That is, a security kernel is an implementation of a reference monitor for a given hardware base.

(C) 也就是说,安全内核是给定硬件基础的参考监视器的实现。

$ security label (I) A marking that is bound to a system resource and that names or designates the security-relevant attributes of that resource. [I7498 Part 2, R1457]

$ 安全标签(I)绑定到系统资源并命名或指定该资源的安全相关属性的标记。[I7498第2部分,R1457]

(C) The recommended definition is usefully broad, but usually the term is understood more narrowly as a marking that represents the security level of an information object, i.e., a marking that indicates how sensitive an information object is. [NCS04]

(C) 建议的定义非常宽泛,但通常将该术语更狭义地理解为表示信息对象安全级别的标记,即指示信息对象敏感程度的标记。[NCS04]

(C) System security mechanisms interpret security labels according to applicable security policy to determine how to control access to the associated information, otherwise constrain its handling, and affix appropriate security markings to visible (printed and displayed) images thereof. [FP188]

(C) 系统安全机制根据适用的安全策略解释安全标签,以确定如何控制对相关信息的访问,否则将限制其处理,并在其可见(打印和显示)图像上粘贴适当的安全标记。[FP188]

$ security level (I) The combination of a hierarchical classification level and a set of non-hierarchical category designations that represents how sensitive information is. (See: (usage note under) classification level, dominate, lattice model.)

$ 安全级别(I)分级分类级别和一组表示信息敏感程度的非分级类别名称的组合。(请参阅:(使用说明下)分类级别、支配、晶格模型。)

$ security management infrastructure (SMI) (I) System elements and activities that support security policy by monitoring and controlling security services and mechanisms, distributing security information, and reporting security events. The associated functions are as follows [I7498-4]:

$ 安全管理基础设施(SMI)(I)通过监视和控制安全服务和机制、分发安全信息和报告安全事件来支持安全策略的系统元素和活动。相关功能如下[I7498-4]:

- Controlling (granting or restricting) access to system resources: This includes verifying authorizations and identities, controlling access to sensitive security data, and modifying access priorities and procedures in the event of attacks.

-控制(授予或限制)对系统资源的访问:这包括验证授权和身份,控制对敏感安全数据的访问,以及在发生攻击时修改访问优先级和过程。

- Retrieving (gathering) and archiving (storing) security information: This includes logging security events and analyzing the log, monitoring and profiling usage, and reporting security violations.

-检索(收集)和归档(存储)安全信息:这包括记录安全事件和分析日志、监视和分析使用情况以及报告安全违规行为。

- Managing and controlling the encryption process: This includes performing the functions of key management and reporting on key management problems. (See: public-key infrastructure.)

-管理和控制加密过程:这包括执行密钥管理功能和报告密钥管理问题。(请参阅:公钥基础设施。)

$ security mechanism (I) A process (or a device incorporating such a process) that can be used in a system to implement a security service that is provided by or within the system. (See: (discussion under) security policy.)

$ 安全机制(I)可在系统中用于实现由系统提供或在系统内提供的安全服务的过程(或包含该过程的设备)。(请参阅:(在)安全策略下的讨论。)

(C) Some examples of security mechanisms are authentication exchange, checksum, digital signature, encryption, and traffic padding.

(C) 安全机制的一些示例包括身份验证交换、校验和、数字签名、加密和流量填充。

$ security model (I) A schematic description of a set of entities and relationships by which a specified set of security services are provided by or within a system. (See: (discussion under) security policy.)

$ 安全模型(I)一组实体和关系的示意图描述,通过这些实体和关系,指定的一组安全服务由系统提供或在系统内提供。(请参阅:(在)安全策略下的讨论。)

(C) An example is the Bell-LaPadula Model.

(C) 贝尔-拉帕杜拉模型就是一个例子。

$ security parameters index (SPI) (I) IPsec usage: The type of security association identifier used in IPsec protocols. A 32-bit value used to distinguish among different security associations terminating at the same destination (IP address) and using the same IPsec security protocol (AH or ESP). Carried in AH and ESP to enable the receiving system to determine under which security association to process a received packet.

$ 安全参数索引(SPI)(I)IPsec用法:IPsec协议中使用的安全关联标识符的类型。一个32位值,用于区分终止于同一目标(IP地址)并使用相同IPsec安全协议(AH或ESP)的不同安全关联。在AH和ESP中携带,使接收系统能够确定在哪个安全关联下处理接收到的数据包。

$ security perimeter (I) The boundary of the domain in which a security policy or security architecture applies; i.e., the boundary of the space in which security services protect system resources.

$ 安全边界(I)应用安全策略或安全架构的域的边界;i、 安全服务保护系统资源的空间边界。

$ security policy (I) A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources. (See: identity-based security policy, rule-based security policy, security architecture, security mechanism, security model.)

$ 安全策略(I)一组规则和实践,指定或规范系统或组织如何提供安全服务以保护敏感和关键系统资源。(请参阅:基于身份的安全策略、基于规则的安全策略、安全体系结构、安全机制、安全模型。)

(O) "The set of rules laid down by the security authority governing the use and provision of security services and facilities." [X509]

(O) “安全管理局制定的一套规则,用于管理安全服务和设施的使用和提供。”[X509]

(C) Ravi Sandhu notes that security policy is one of four layers of the security engineering process (as shown in the following diagram). Each layer provides a different view of security, ranging from what services are needed to how services are implemented.

(C) Ravi Sandhu指出,安全策略是安全工程过程的四个层次之一(如下图所示)。每一层都提供了不同的安全视图,范围从需要什么服务到如何实现服务。

         What Security Services Should Be Provided?
          ^
          | + - - - - - - - - - - - +
          | | Security Policy       |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Model        |    | A "top-level specification" |
          | + - - - - - - - - - - - + <- | is at a level below "model" |
          | | Security Architecture |    | but above "architecture".   |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Mechanism    |
          | + - - - - - - - - - - - +
          v
         How Are Security Services Implemented?
        
         What Security Services Should Be Provided?
          ^
          | + - - - - - - - - - - - +
          | | Security Policy       |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Model        |    | A "top-level specification" |
          | + - - - - - - - - - - - + <- | is at a level below "model" |
          | | Security Architecture |    | but above "architecture".   |
          | + - - - - - - - - - - - +    + - - - - - - - - - - - - - - +
          | | Security Mechanism    |
          | + - - - - - - - - - - - +
          v
         How Are Security Services Implemented?
        

$ Security Protocol 3 (SP3) (O) A protocol [SDNS3] developed by SDNS to provide connectionless data security at the top of OSI layer 3. (See: NLSP.)

$ 安全协议3(SP3)(O)由SDN开发的协议[SDNS3],用于在OSI第3层的顶部提供无连接数据安全。(见:NLSP)

$ Security Protocol 4 (SP4) (O) A protocol [SDNS4] developed by SDNS to provide either connectionless or end-to-end connection-oriented data security at the bottom of OSI layer 4. (See: TLSP.)

$ 安全协议4(SP4)(O)由SDN开发的协议[SDNS4],用于在OSI第4层的底部提供无连接或面向端到端连接的数据安全。(见:TLSP)

$ security-relevant event See: security event.

$ 安全相关事件请参阅:安全事件。

$ security service (I) A processing or communication service that is provided by a system to give a specific kind of protection to system resources. (See: access control service, audit service, availability service,

$ 安全服务(I)由系统提供的处理或通信服务,为系统资源提供特定类型的保护。(参见:访问控制服务、审核服务、可用性服务、,

data confidentiality service, data integrity service, data origin authentication service, non-repudiation service, peer entity authentication service, system integrity service.)

数据机密性服务、数据完整性服务、数据源身份验证服务、不可否认性服务、对等实体身份验证服务、系统完整性服务。)

(O) "A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or the data transfers." [I7498 Part 2]

(O) “由通信开放系统层提供的一种服务,可确保系统或数据传输的充分安全。”[I7498第2部分]

(C) Security services implement security policies, and are implemented by security mechanisms.

(C) 安全服务实现安全策略,并由安全机制实现。

$ security situation (I) ISAKMP usage: The set of all security-relevant information-- e.g., network addresses, security classifications, manner of operation (normal or emergency)--that is needed to decide the security services that are required to protect the association that is being negotiated.

$ 安全情况(I)ISAKMP用法:确定保护正在协商的关联所需的安全服务所需的所有安全相关信息的集合,例如网络地址、安全分类、操作方式(正常或紧急)。

$ security token See: token.

$ 安全令牌请参阅:令牌。

$ security violation (I) An act or event that disobeys or otherwise breaches security policy. (See: compromise, penetration, security incident.)

$ 安全违规(I)违反或以其他方式违反安全政策的行为或事件。(见:妥协、渗透、安全事件)

$ self-signed certificate (I) A public-key certificate for which the public key bound by the certificate and the private key used to sign the certificate are components of the same key pair, which belongs to the signer. (See: root certificate.)

$ 自签名证书(I)一种公钥证书,证书绑定的公钥和用于签名证书的私钥是属于签名者的同一密钥对的组成部分。(请参阅:根证书。)

(C) In a self-signed X.509 public-key certificate, the issuer's DN is the same as the subject's DN.

(C) 在自签名X.509公钥证书中,颁发者的DN与主体的DN相同。

$ semantic security (I) An attribute of a encryption algorithm that is a formalization of the notion that the algorithm not only hides the plaintext but also reveals no partial information about the plaintext. Whatever is efficiently computable about the plaintext when given the ciphertext, is also efficiently computable without the ciphertext. (See: indistinguishability.)

$ 语义安全性(I)加密算法的一个属性,它是算法不仅隐藏明文,而且不显示明文的部分信息这一概念的形式化。当给定密文时,关于明文的任何可有效计算的内容,在没有密文的情况下也是可有效计算的。(请参阅:不可区分性。)

$ sensitive (information) (I) Information is sensitive if disclosure, alteration, destruction, or loss of the information would adversely affect the interests or business of its owner or user. (See: critical.)

$ 敏感(信息)(I)如果信息的披露、更改、销毁或丢失会对其所有者或用户的利益或业务产生不利影响,则该信息为敏感信息。(请参阅:关键。)

$ separation of duties (I) The practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process. (See: dual control, administrative security.)

$ 职责分离(I)在不同的个人之间划分系统功能中的步骤,以防止单个个人破坏过程的做法。(请参阅:双重控制、管理安全。)

$ serial number See: certificate serial number.

$ 序列号请参阅:证书序列号。

$ server (I) A system entity that provides a service in response to requests from other system entities called clients.

$ 服务器(I)一个系统实体,它提供服务以响应来自称为客户端的其他系统实体的请求。

$ session key (I) In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. (See: ephemeral key, key distribution center, master key.)

$ 会话密钥(I)在对称加密环境中,是一种临时密钥或使用时间相对较短的密钥。(请参阅:临时钥匙、钥匙配送中心、主钥匙。)

(C) Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be rekeyed frequently.

(C) 通常,会话密钥用于两台计算机之间定义的通信周期,例如单个连接或事务集的持续时间,或者在保护相对大量数据的应用程序中使用该密钥,因此需要频繁地重新设置密钥。

$ SET See: SET Secure Electronic Transaction(trademark).

$ 设置请参见:设置安全电子交易(商标)。

$ SET private extension (O) One of the private extensions defined by SET for X.509 certificates. Carries information about hashed root key, certificate type, merchant data, cardholder certificate requirements, encryption support for tunneling, or message support for payment instructions.

$ SET private extension(O)SET为X.509证书定义的私有扩展之一。包含有关哈希根密钥、证书类型、商户数据、持卡人证书要求、隧道加密支持或支付指令消息支持的信息。

$ SET qualifier (O) A certificate policy qualifier that provides information about the location and content of a SET certificate policy.

$ SET qualifier(O)一种证书策略限定符,提供有关设置证书策略的位置和内容的信息。

(C) In addition to the policies and qualifiers inherited from its own certificate, each CA in the SET certification hierarchy may add one qualifying statement to the root policy when the CA issues a certificate. The additional qualifier is a certificate policy for that CA. Each policy in a SET certificate may have these qualifiers:

(C) 除了从自己的证书继承的策略和限定符之外,当CA颁发证书时,集合证书层次结构中的每个CA都可以向根策略添加一条限定语句。附加限定符是该CA的证书策略。一组证书中的每个策略都可能具有以下限定符:

- A URL where a copy of the policy statement may be found. - An electronic mail address where a copy of the policy statement may be found.

- 可在其中找到策略声明副本的URL。-可在其中找到保单副本的电子邮件地址。

- A hash result of the policy statement, computed using the indicated algorithm. - A statement declaring any disclaimers associated with the issuing of the certificate.

- 策略语句的哈希结果,使用指定的算法计算。-声明与证书颁发相关的任何免责声明的声明。

$ SET Secure Electronic Transaction(trademark) or SET(trademark) (N) A protocol developed jointly by MasterCard International and Visa International and published as an open standard to provide confidentiality of transaction information, payment integrity, and authentication of transaction participants for payment card transactions over unsecured networks, such as the Internet. [SET1] (See: acquirer, brand, cardholder, dual signature, electronic commerce, issuer, merchant, payment gateway, third party.)

$ SET安全电子交易(商标)或SET(商标)(N)由万事达卡国际和Visa国际共同开发的协议,作为公开标准发布,以提供交易信息保密性、支付完整性,以及通过不安全网络(如互联网)进行支付卡交易的交易参与者身份验证。[SET1](参见:收单机构、品牌、持卡人、双重签名、电子商务、发卡机构、商户、支付网关、第三方。)

(C) This term and acronym are trademarks of SETCo. MasterCard and Visa announced the SET standard on 1 February 1996. On 19 December 1997, MasterCard and Visa formed SET Secure Electronic Transaction LLC (commonly referred to as "SETCo") to implement the SET 1.0 specification. A memorandum of understanding adds American Express and JCB Credit Card Company as co-owners of SETCo.

(C) 本术语和首字母缩略词是SETCo的商标。万事达卡和Visa于1996年2月1日宣布了这一既定标准。1997年12月19日,万事达卡和Visa国际组织成立了SET安全电子交易有限责任公司(通常称为“SETCo”),以实施SET 1.0规范。一份谅解备忘录将美国运通和JCB信用卡公司添加为SETCo的共同所有者。

$ SETCo See: (secondary definition under) SET Secure Electronic Transaction.

$ SETCo见:(第二定义下)设置安全电子交易。

$ SHA-1 See: Secure Hash Standard.

$ SHA-1参见:安全散列标准。

$ shared secret (I) A synonym for "keying material" or "cryptographic key".

$ 共享秘密(I)“密钥材料”或“加密密钥”的同义词。

$ S-HTTP See: Secure HTTP.

$ S-HTTP请参阅:安全HTTP。

$ sign (I) Create a digital signature for a data object.

$ 签名(I)为数据对象创建数字签名。

$ signature See: digital signature, electronic signature.

$ 签名见:数字签名、电子签名。

$ signature certificate (I) A public-key certificate that contains a public key that is intended to be used for verifying digital signatures, rather than for encrypting data or performing other cryptographic functions.

$ 签名证书(I)包含公钥的公钥证书,用于验证数字签名,而不是用于加密数据或执行其他加密功能。

(C) A v3 X.509 public-key certificate may have a "keyUsage" extension which indicates the purpose for which the certified public key is intended.

(C) v3 X.509公钥证书可能具有“keyUsage”扩展名,该扩展名指示认证公钥的预期用途。

$ signer (N) A human being or an organization entity that uses its private key to create a digital signature for a data object. [ABA]

$ 签名者(N)使用其私钥为数据对象创建数字签名的人或组织实体。[ABA]

$ SILS See: Standards for Interoperable LAN/MAN Security.

$ SILS参见:互操作LAN/MAN安全标准。

$ simple authentication (I) An authentication process that uses a password as the information needed to verify an identity claimed for an entity. (See: strong authentication.)

$ 简单身份验证(I)一种身份验证过程,它使用密码作为验证为实体声明的身份所需的信息。(请参阅:强身份验证。)

(O) "Authentication by means of simple password arrangements." [X509]

(O) “通过简单的密码安排进行身份验证。”[X509]

$ Simple Authentication and Security Layer (SASL) (I) An Internet specification [R2222] for adding authentication service to connection-based protocols. To use SASL, a protocol includes a command for authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. The command names a registered security mechanism. SASL mechanisms include Kerberos, GSSAPI, S/KEY, and others. Some protocols that use SASL are IMAP4 and POP3.

$ 简单身份验证和安全层(SASL)(I)用于向基于连接的协议添加身份验证服务的互联网规范[R2222]。为了使用SASL,协议包括一个命令,用于向服务器验证用户,并可选地协商后续协议交互的保护。该命令命名已注册的安全机制。SASL机制包括Kerberos、GSSAPI、S/KEY等。使用SASL的一些协议是IMAP4和POP3。

$ Simple Key-management for Internet Protocols (SKIP) (I) A key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets. [R2356] (See: IKE, IPsec.)

$ Internet协议的简单密钥管理(SKIP)(I)一种密钥分发协议,它使用混合加密来传输用于加密IP数据包中数据的会话密钥。[R2356](参见:IKE,IPsec。)

(C) SKIP uses the Diffie-Hellman algorithm (or could use another key agreement algorithm) to generate a key-encrypting key for use between two entities. A session key is used with a symmetric algorithm to encrypt data in one or more IP packets that are to be sent from one of the entities to the other. The KEK is used with a symmetric algorithm to encrypt the session key, and the encrypted session key is placed in a SKIP header that is added to each IP packet that is encrypted with that session key.

(C) SKIP使用Diffie-Hellman算法(或者可以使用另一种密钥协商算法)生成密钥加密密钥,供两个实体之间使用。会话密钥与对称算法一起用于加密一个或多个IP数据包中的数据,这些数据包将从一个实体发送到另一个实体。KEK与对称算法一起用于加密会话密钥,加密的会话密钥放在一个跳过报头中,该报头添加到使用该会话密钥加密的每个IP数据包中。

$ Simple Mail Transfer Protocol (SMTP) (I) A TCP-based, application-layer, Internet Standard protocol [R0821] for moving electronic mail messages from one computer to another.

$ 简单邮件传输协议(SMTP)(I)基于TCP的应用层互联网标准协议[R0821],用于将电子邮件从一台计算机移动到另一台计算机。

$ Simple Network Management Protocol (SNMP) (I) A UDP-based, application-layer, Internet Standard protocol [R2570, R2574] for conveying management information between managers and agents.

$ 简单网络管理协议(SNMP)(I)基于UDP的应用层互联网标准协议[R2570,R2574],用于在管理者和代理之间传输管理信息。

(C) SNMP version 1 uses cleartext passwords for authentication and access control. (See: community string.) Version 2 adds cryptographic mechanisms based on DES and MD5. Version 3 provides enhanced, integrated support for security services, including data confidentiality, data integrity, data origin authentication, and message timeliness and limited replay protection.

(C) SNMP版本1使用明文密码进行身份验证和访问控制。(请参阅:community string。)版本2添加了基于DES和MD5的加密机制。版本3为安全服务提供了增强的集成支持,包括数据机密性、数据完整性、数据源身份验证、消息及时性和有限的重播保护。

$ simple security property See: (secondary definition under) Bell-LaPadula Model.

$ 简单安全属性请参见:(第二个定义下)Bell-LaPadula模型。

$ single sign-on (I) A system that enables a user to access multiple computer platforms (usually a set of hosts on the same network) or application systems after being authenticated just one time. (See: Kerberos.)

$ 单点登录(I)一种系统,允许用户在经过一次身份验证后访问多个计算机平台(通常是同一网络上的一组主机)或应用程序系统。(请参阅:Kerberos。)

(C) Typically, a user logs in just once, and then is transparently granted access to a variety of permitted resources with no further login being required until after the user logs out. Such a system has the advantages of being user friendly and enabling authentication to be managed consistently across an entire enterprise, and has the disadvantage of requiring all hosts and applications to trust the same authentication mechanism.

(C) 通常,用户只登录一次,然后被透明地授予对各种允许资源的访问权限,在用户注销之前不需要进一步登录。这种系统的优点是用户友好,能够在整个企业中一致地管理身份验证,缺点是要求所有主机和应用程序信任相同的身份验证机制。

$ situation See: security situation.

$ 情况见:安全局势。

$ S/Key (I) A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. [R1760]

$ S/Key(I)一种安全机制,它使用加密哈希函数为远程用户登录生成64位一次性密码序列。[R1760]

(C) The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one. (Thus, an intruder using wiretapping cannot compute a valid password from knowledge of one previously used.) The server verifies a password by hashing the currently presented password (or initialization value) one time and comparing the hash result with the previously presented password.

(C) 客户端通过对用户的密钥多次应用MD4加密哈希函数来生成一次性密码。对于用户的每个连续身份验证,哈希应用程序的数量减少一个。(因此,使用窃听的入侵者无法根据之前使用的密码计算有效密码。)服务器通过将当前显示的密码(或初始化值)散列一次并将散列结果与之前显示的密码进行比较来验证密码。

$ SKIP See: Simple Key-management for IP.

$ 请参阅:IP的简单密钥管理。

$ SKIPJACK (N) A Type II block cipher [NIST] with a block size of 64 bits and a key size of 80 bits, that was developed by NSA and formerly classified at the U.S. Department of Defense "Secret" level. (See: CAPSTONE, CLIPPER, FORTEZZA, Key Exchange Algorithm.)

$ SKIPJACK(N):一种II型分组密码[NIST],其块大小为64位,密钥大小为80位,由NSA开发,以前被美国国防部列为“机密”级别。(请参阅:CAPSTONE、CLIPPER、FORTEZZA、密钥交换算法。)

(C) On 23 June 1998, NSA announced that SKIPJACK had been declassified.

(C) 1998年6月23日,国家安全局宣布SKIPJACK已经解密。

$ slot (O) MISSI usage: One of the FORTEZZA PC card storage areas that are each able to hold an X.509 certificate and additional data that is associated with the certificate, such as the matching private key.

$ 插槽(O)MSI使用:FORTEZZA PC卡存储区之一,每个存储区都能够保存X.509证书和与证书相关的附加数据,如匹配的私钥。

$ smart card (I) A credit-card sized device containing one or more integrated circuit chips, which perform the functions of a computer's central processor, memory, and input/output interface. (See: PC card.)

$ 智能卡(I)信用卡大小的设备,包含一个或多个集成电路芯片,执行计算机中央处理器、存储器和输入/输出接口的功能。(请参阅:PC卡。)

(C) Sometimes this term is used rather strictly to mean a card that closely conforms to the dimensions and appearance of the kind of plastic credit card issued by banks and merchants. At other times, the term is used loosely to include cards that are larger than credit cards, especially cards that are thicker, such as PC cards.

(C) 有时,这一术语被严格地用来指与银行和商家发行的塑料信用卡的尺寸和外观完全一致的卡。在其他时候,这个术语被松散地用于包括比信用卡大的卡,特别是厚的卡,如PC卡。

(C) A "smart token" is a device that conforms to the definition of smart card except that rather than having standard credit card dimensions, the token is packaged in some other form, such as a dog tag or door key shape.

(C) “智能代币”是一种符合智能卡定义的设备,除了代币没有标准的信用卡尺寸外,代币是以其他形式包装的,如狗标签或门钥匙形状。

$ smart token See: (secondary definition under) smart card.

$ 智能令牌请参见:(第二个定义)智能卡。

$ SMI See: security management infrastructure.

$ SMI请参阅:安全管理基础架构。

$ S/MIME See: Secure/MIME.

$ S/MIME请参阅:Secure/MIME。

$ SMTP See: Simple Mail Transfer Protocol.

$ SMTP请参阅:简单邮件传输协议。

$ smurf (I) Software that mounts a denial-of-service attack ("smurfing") by exploiting IP broadcast addressing and ICMP ping packets to cause flooding. (See: flood, ICMP flood.)

$ smurf(I)软件,通过利用IP广播寻址和ICMP ping数据包造成洪水,安装拒绝服务攻击(“smurfing”)。(请参阅:洪水,ICMP洪水。)

(D) ISDs SHOULD NOT use this term because it is not listed in most dictionaries and could confuse international readers.

(D) ISDs不应该使用这个术语,因为大多数词典都没有列出这个术语,可能会使国际读者感到困惑。

(C) A smurf program builds a network packet that appears to originate from another address, that of the "victim", either a host or an IP router. The packet contains an ICMP ping message that is addressed to an IP broadcast address, i.e., to all IP addresses in a given network. The echo responses to the ping message return to the victim's address. The goal of smurfing may be either to deny service at a particular host or to flood all or part of an IP network.

(C) smurf程序构建的网络数据包似乎来自另一个地址,即“受害者”的地址,即主机或IP路由器。该数据包包含一条ICMP ping消息,该消息发往IP广播地址,即发往给定网络中的所有IP地址。对ping消息的回显响应返回到受害者的地址。smurfing的目标可能是拒绝特定主机上的服务,也可能是淹没整个或部分IP网络。

$ sniffing (C) A synonym for "passive wiretapping". (See: password sniffing.)

$ 嗅探是“被动窃听”的同义词。(请参阅:密码嗅探。)

(D) ISDs SHOULD NOT use this term because it unnecessarily duplicates the meaning of a term that is better established. (See: (usage note under) Green Book.

(D) ISDs不应使用该术语,因为它不必要地重复了一个更为明确的术语的含义。(见:(使用说明下)绿皮书。

$ SNMP See: Simple Network Management Protocol.

$ SNMP请参阅:简单网络管理协议。

$ social engineering (I) A euphemism for non-technical or low-technology means--such as lies, impersonation, tricks, bribes, blackmail, and threats--used to attack information systems. (See: masquerade attack.)

$ 社会工程(I)用于攻击信息系统的非技术或低技术手段的委婉说法,如谎言、模仿、诡计、贿赂、勒索和威胁。(请参阅:伪装攻击。)

(D) ISDs SHOULD NOT use this term because it is vague; instead, use a term that is specific with regard to the means of attack.

(D) ISDs不应该使用这个术语,因为它是模糊的;相反,使用一个与攻击手段相关的术语。

$ SOCKS (I) An Internet protocol [R1928] that provides a generalized proxy server that enables client-server applications--such as TELNET, FTP, and HTTP; running over either TCP or UDP--to use the services of a firewall.

$ SOCKS(I)一个互联网协议[R1928],它提供了一个通用的代理服务器,支持客户端服务器应用程序,如TELNET、FTP和HTTP;通过TCP或UDP运行--使用防火墙的服务。

(C) SOCKS is layered under the application layer and above the transport layer. When a client inside a firewall wishes to establish a connection to an object that is reachable only through the firewall, it uses TCP to connect to the SOCKS server, negotiates with the server for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request, typically based on source and destination addresses, and either establishes the appropriate connection or denies it.

(C) SOCKS是在应用层之下和传输层之上分层的。当防火墙内的客户端希望建立到只能通过防火墙访问的对象的连接时,它使用TCP连接到SOCKS服务器,与服务器协商要使用的身份验证方法,使用所选方法进行身份验证,然后发送中继请求。SOCKS服务器通常根据源地址和目标地址评估请求,并建立适当的连接或拒绝连接。

$ soft TEMPEST (O) The use of software techniques to reduce the radio frequency information leakage from computer displays and keyboards. [Kuhn] (See: TEMPEST.)

$ 软TEMPEST(O)使用软件技术减少计算机显示器和键盘的射频信息泄漏。[Kuhn](参见:《暴风雨》)

$ software (I) Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution. (See: firmware, hardware.)

$ 软件(I)可在执行期间动态写入或修改的计算机程序(存储在计算机硬件中并由计算机硬件执行)和相关数据(也存储在硬件中)。(请参阅:固件、硬件。)

$ SORA See: SSO-PIN ORA.

$ 索拉见:SSO-PIN ORA。

$ source authentication (D) ISDs SHOULD NOT use this term because it is ambiguous. If the intent is to authenticate the original creator or packager of data received, then say "data origin authentication". If the intent is to authenticate the identity of the sender of data, then say "peer entity authentication". (See: data origin authentication, peer entity authentication).

$ 源身份验证(D)ISDs不应使用此术语,因为它不明确。如果目的是对接收到的数据的原始创建者或包装者进行身份验证,则称为“数据源身份验证”。如果目的是验证数据发送者的身份,则称为“对等实体验证”。(请参阅:数据源身份验证、对等实体身份验证)。

$ source integrity (I) The degree of confidence that can be placed in information based on the trustworthiness of its sources. (See: integrity.)

$ 来源完整性(I)基于信息来源的可信度,可以对信息进行信任的程度。(见:诚信。)

$ SP3 See: Security Protocol 3.

$ 参见:安全协议3。

$ SP4 See: Security Protocol 4.

$ 参见:安全协议4。

$ spam (I) (1.) Verb: To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. (2.) Noun: electronic "junk mail". [R2635]

$ 垃圾邮件动词:不加区别地发送未经请求的、不需要的、无关的或不适当的信息,尤指大量的商业广告。名词:电子“垃圾邮件”。[R2635]

(D) This term SHOULD NOT be written in upper-case letters, because SPAM(trademark) is a trademark of Hormel Foods Corporation. Hormel says, "We do not object to use of this slang term [spam] to describe [unsolicited commercial email (UCE)], although we do object to the use of our product image in association with that term. Also, if the term is to be used, it should be used in all lower-case letters to distinguish it from our trademark SPAM, which should be used with all uppercase letters."

(D) 本术语不应使用大写字母书写,因为SPAM(商标)是霍梅尔食品公司的商标。霍梅尔说:“我们不反对使用这个俚语术语[垃圾邮件]来描述[未经请求的商业电子邮件(UCE)],尽管我们反对将我们的产品图像与该术语关联使用。此外,如果要使用该术语,则应在所有小写字母中使用该术语,以区别于我们的商标垃圾邮件(应与所有大写字母一起使用)。”

(C) In sufficient volume, spam can cause denial of service. (See: flooding.) According to the SPAM Web site, the term was adopted as a result of the Monty Python skit in which a group of Vikings sang a chorus of 'SPAM, SPAM, SPAM . . .' in an increasing crescendo, drowning out other conversation. Hence, the analogy applied because UCE was drowning out normal discourse on the Internet.

(C) 如果数量足够大,垃圾邮件会导致拒绝服务。(见:洪水。)据垃圾邮件网站称,这个词是在《巨蟒》短剧中被采用的,在该短剧中,一群维京人合唱了“垃圾邮件,垃圾邮件,垃圾邮件…”越来越强的声音淹没了其他的谈话。因此,这一类比之所以适用,是因为UCE正在淹没互联网上的正常话语。

$ SPC See: software publisher certificate.

$ SPC请参阅:软件发布者证书。

$ SPI See: Security Parameters Index.

$ 请参阅:安全参数索引。

$ split key (I) A cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items. (See: dual control, split knowledge.)

$ 分割密钥(I)被分割为两个或多个单独数据项的加密密钥,这些数据项各自不传递组合这些数据项所产生的整个密钥的知识。(请参阅:双重控制、分割知识。)

$ split knowledge (I) A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items. (See: dual control, split key.)

$ 分割知识(I)一种安全技术,其中两个或多个实体分别持有数据项,这些数据项单独不传递组合这些数据项所产生的信息的知识。(请参阅:双控、拆分键。)

(O) "A condition under which two or more entities separately have key components which individually convey no knowledge of the plaintext key which will be produced when the key components are combined in the cryptographic module." [FP140]

(O) “两个或多个实体分别拥有密钥组件的一种情况,当密钥组件组合在加密模块中时,这些密钥组件单独不传递有关明文密钥的知识。”[FP140]

$ spoofing attack (I) A synonym for "masquerade attack".

$ 欺骗攻击(I)“伪装攻击”的同义词。

$ SSH (I) A protocol for secure remote login and other secure network services over an insecure network.

$ SSH(I)通过不安全网络进行安全远程登录和其他安全网络服务的协议。

(C) Consists of three major components:

(C) 由三个主要部分组成:

- Transport layer protocol: Provides server authentication, confidentiality, and integrity. It may optionally also provide compression. The transport layer will typically be run over a TCP/IP connection, but might also be used on top of any other reliable data stream.

- 传输层协议:提供服务器身份验证、机密性和完整性。它还可以选择性地提供压缩。传输层通常通过TCP/IP连接运行,但也可以在任何其他可靠数据流之上使用。

- User authentication protocol: Authenticates the client-side user to the server. It runs over the transport layer protocol.

- 用户身份验证协议:向服务器验证客户端用户。它通过传输层协议运行。

- Connection protocol: Multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.

- 连接协议:将加密隧道多路复用到多个逻辑通道中。它通过用户身份验证协议运行。

$ SSL See: Secure Sockets Layer, Standard Security Label.

$ SSL请参阅:安全套接字层,标准安全标签。

$ SSO See: system security officer.

$ SSO见:系统安全官员。

$ SSO PIN (O) MISSI usage: One of two personal identification numbers that control access to the functions and stored data of a FORTEZZA PC card. Knowledge of the SSO PIN enables the card user to perform the FORTEZZA functions intended for use by an end user and also the functions intended for use by a MISSI certification authority. (See: user PIN.)

$ SSO PIN(O)MSI使用:控制访问FORTEZZA PC卡功能和存储数据的两个个人识别号之一。了解SSO PIN后,卡用户可以执行最终用户使用的FORTEZZA功能以及MSI认证机构使用的功能。(请参阅:用户PIN。)

$ SSO-PIN ORA (SORA) (O) MISSI usage: A MISSI organizational RA that operates in a mode in which the ORA performs all card management functions and, therefore, requires knowledge of the SSO PIN for an end user's FORTEZZA PC card.

$ SSO-PIN ORA(SORA)(O)MSI使用:在ORA执行所有卡管理功能的模式下运行的MSI组织RA,因此需要了解最终用户FORTEZZA PC卡的SSO PIN。

$ Standards for Interoperable LAN/MAN Security (SILS) (N) (1.) The IEEE 802.10 standards committee. (2.) A developing set of IEEE standards, which has eight parts: (a) Model, including security management, (b) Secure Data Exchange protocol, (c) Key Management, (d) [has been incorporated in (a)], (e) SDE Over Ethernet 2.0, (f) SDE Sublayer Management, (g) SDE Security Labels, and (h) SDE PICS Conformance. Parts b, e, f, g, and h are incorporated in IEEE Standard 802.10-1998.

$ 可互操作局域网/城域网安全标准(SILS)(N)(1.)IEEE 802.10标准委员会。(2.)一套正在开发的IEEE标准,包括八个部分:(A)模型,包括安全管理,(b)安全数据交换协议,(c)密钥管理,(d)[已纳入(A)],(e)以太网SDE 2.0,(f)SDE子层管理,(g)SDE安全标签,以及(h)SDE PICS一致性。第b、e、f、g和h部分包含在IEEE标准802.10-1998中。

$ star property (I) (Written "*-property".) See: "confinement property" under Bell-LaPadula Model.

$ 星属性(I)(写为“*-属性”。)见贝尔-拉帕杜拉模型下的“限制属性”。

$ Star Trek attack (C) An attack that penetrates your system where no attack has ever gone before.

$ 星际迷航攻击(C):一种渗透到你的系统的攻击,这种攻击以前从未发生过。

$ steganography (I) Methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. (See: cryptology.)

$ 隐写术(I)隐藏消息或其他数据存在的方法。这与加密不同,加密隐藏消息的含义,但不隐藏消息本身。(见:密码学。)

(C) An example of a steganographic method is "invisible" ink. (See: digital watermark.)

(C) 隐写术方法的一个例子是“隐形”墨水。(请参阅:数字水印。)

$ storage channel See: (secondary definition under) covert channel.

$ 存储通道请参阅:(第二个定义下)隐蔽通道。

$ stream cipher (I) An encryption algorithm that breaks plaintext into a stream of successive bits (or characters) and encrypts the n-th plaintext bit with the n-th element of a parallel key stream, thus converting the plaintext bit stream into a ciphertext bit stream. [Schn] (See: block cipher.)

$ 流密码(I)一种加密算法,它将明文分解为连续位(或字符)流,并使用并行密钥流的第n个元素对第n个明文位进行加密,从而将明文位流转换为密文位流。[Schn](参见:分组密码。)

$ strong authentication (I) An authentication process that uses cryptography--particularly public-key certificates--to verify the identity claimed for an entity. (See: X.509.)

$ 强身份验证(I)使用加密技术(特别是公钥证书)来验证为实体声明的身份的身份验证过程。(见:X.509)

(O) "Authentication by means of cryptographically derived credentials." [X509]

(O) “通过加密派生凭据进行身份验证。”[X509]

$ subject 1. (I) In a computer system: A system entity that causes information to flow among objects or changes the system state; technically, a process-domain pair. (See: Bell-LaPadula Model.)

$ 主题1。(一) 在计算机系统中:使信息在对象之间流动或改变系统状态的系统实体;从技术上讲,是一个进程域对。(见:贝尔-拉帕杜拉模型。)

2. (I) Of a certificate: The entity name that is bound to the data items in a digital certificate, and particularly a name that is bound to a key value in a public-key certificate.

2. (一) 证书的名称:绑定到数字证书中的数据项的实体名称,尤其是绑定到公钥证书中的键值的名称。

$ subnetwork (N) An OSI term for a system of packet relays and connecting links that implement the lower three protocol layers of the OSIRM to provide a communication service that interconnects attached end systems. Usually the relays operate at OSI layer 3 and are all of the same type (e.g., all X.25 packet switches, or all interface units in an IEEE 802.3 LAN). (See: gateway, internet, router.)

$ 子网(N):OSI术语,指包中继和连接链路系统,实现OSIRM较低的三个协议层,以提供连接终端系统的通信服务。通常,继电器在OSI第3层运行,且均为同一类型(例如,所有X.25分组交换机或IEEE 802.3 LAN中的所有接口单元)。(请参阅:网关、互联网、路由器。)

$ subordinate certification authority (SCA) (I) A CA whose public-key certificate is issued by another (superior) CA. (See: certification hierarchy.)

$ 下级证书颁发机构(SCA)(I)其公钥证书由另一个(上级)CA颁发的CA。(请参阅:证书层次结构。)

(O) MISSI usage: The fourth-highest (bottom) level of a MISSI certification hierarchy; a MISSI CA whose public-key certificate is signed by a MISSI CA rather than by a MISSI PCA. A MISSI SCA is the administrative authority for a subunit of an organization, established when it is desirable to organizationally distribute or decentralize the CA service. The term refers both to that authoritative office or role, and to the person who fills that

(O) MSI使用:MSI认证层次结构的第四高(底部)级别;其公钥证书由MSI CA而不是由MSI PCA签名的一种MSI CA。MSI SCA是一个组织的子单元的管理权限,当需要在组织上分发或分散CA服务时建立。该术语既指该权威职位或角色,也指填补该职位或角色的人员

office. A MISSI SCA registers end users and issues their certificates and may also register ORAs, but may not register other CAs. An SCA periodically issues a CRL.

办公室MSI SCA注册最终用户并颁发其证书,还可以注册ORA,但不能注册其他CA。SCA定期发布CRL。

$ subordinate distinguished name (I) An X.500 DN is subordinate to another X.500 DN if it begins with a set of attributes that is the same as the entire second DN except for the terminal attribute of the second DN (which is usually the name of a CA). For example, the DN <C=FooLand, O=Gov, OU=Treasurer, CN=DukePinchpenny> is subordinate to the DN <C=FooLand, O=Gov, CN=KingFooCA>.

$ 从属可分辨名称(I)如果某个X.500 DN以一组属性开始,而这些属性与整个第二个DN相同,但第二个DN的terminal属性除外(通常是CA的名称),则该X.500 DN从属于另一个X.500 DN。例如,DN<C=傻瓜,O=Gov,OU=司库,CN=DukePinchpenny>从属于DN<C=傻瓜,O=Gov,CN=KingFooCA>。

$ superencryption (I) An encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.

$ 超级加密(I)将要转换的明文输入作为先前加密操作的密文输出的加密操作。

$ survivability (I) The ability of a system to remain in operation or existence despite adverse conditions, including both natural occurrences, accidental actions, and attacks on the system. (See: availability, reliability.)

$ 生存能力(I)系统在不利条件下保持运行或存在的能力,包括自然发生、意外动作和对系统的攻击。(请参阅:可用性、可靠性。)

$ symmetric cryptography (I) A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). (See: asymmetric cryptography.)

$ 对称密码学(I)密码学的一个分支,涉及在算法的两个不同步骤(如加密和解密,或签名创建和签名验证)中使用相同密钥的算法。(请参阅:非对称加密。)

(C) Symmetric cryptography has been used for thousands of years [Kahn]. A modern example of a symmetric encryption algorithm is the U.S. Government's Data Encryption Algorithm. (See: DEA, DES.)

(C) 对称密码术已经使用了数千年[Kahn]。对称加密算法的一个现代例子是美国政府的数据加密算法。(见:DEA,DES)

(C) Symmetric cryptography is sometimes called "secret-key cryptography" (versus public-key cryptography) because the entities that share the key, such as the originator and the recipient of a message, need to keep the key secret. For example, when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a secret key, and Bob uses the same key to decrypt. Keeping the shared key secret entails both cost and risk when the key is distributed to both Alice and Bob. Thus, symmetric cryptography has a key management disadvantage compared to asymmetric cryptography.

(C) 对称加密有时被称为“密钥加密”(相对于公钥加密),因为共享密钥的实体,例如消息的发起者和接收者,需要将密钥保密。例如,当Alice希望确保发送给Bob的数据的机密性时,她会使用密钥对数据进行加密,Bob使用相同的密钥进行解密。当密钥同时分发给Alice和Bob时,保持共享密钥的机密性会带来成本和风险。因此,与非对称加密相比,对称加密具有密钥管理缺点。

$ symmetric key (I) A cryptographic key that is used in a symmetric cryptographic algorithm.

$ 对称密钥(I)在对称加密算法中使用的加密密钥。

$ SYN flood (I) A denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle. (See: flooding.)

$ SYN flood(I)一种拒绝服务攻击,它向主机发送的TCP SYN数据包(请求同步序列号,在打开连接时使用)超过协议实现所能处理的数量。(见:洪水)

$ system (C) In this Glossary, the term is mainly used as an abbreviation for "automated information system".

$ 系统(C)在本术语表中,该术语主要用作“自动化信息系统”的缩写。

$ system entity (I) An active element of a system--e.g., an automated process, a subsystem, a person or group of persons--that incorporates a specific set of capabilities.

$ 系统实体(I)一个系统的活动元素,例如,一个自动化流程、一个子系统、一个人或一群人,包含一组特定的功能。

$ system high (I) The highest security level supported by a system at a particular time or in a particular environment. (See: system high security mode.)

$ system high(系统高)(I)系统在特定时间或特定环境中支持的最高安全级别。(请参阅:系统高安全模式。)

$ system high security mode (I) A mode of operation of an information system, wherein all users having access to the system possess a security clearance or authorization, but not necessarily a need-to-know, for all data handled by the system. (See: mode of operation.)

$ 系统高安全模式(I)信息系统的一种操作模式,其中所有访问系统的用户都拥有系统处理的所有数据的安全许可或授权,但不一定需要知道。(请参阅:操作模式。)

(C) This mode is defined formally in U.S. Department of Defense policy regarding system accreditation [DOD2], but the term is widely used outside the Defense Department and outside the Government.

(C) 该模式在美国国防部系统认证政策[DOD2]中有正式定义,但该术语在国防部和政府之外广泛使用。

$ system integrity (I) "The quality that a system has when it can perform its intended function in a unimpaired manner, free from deliberate or inadvertent unauthorized manipulation." [NCS04] (See: system integrity service.)

$ 系统完整性(I)“当系统能够以不受损害的方式执行其预期功能,不受故意或无意的未经授权的操纵时,系统所具有的质量。”[NCS04](见:系统完整性服务。)

$ system integrity service (I) A security service that protects system resources in a verifiable manner against unauthorized or accidental change, loss, or destruction. (See: system integrity.)

$ 系统完整性服务(I)以可验证的方式保护系统资源免受未经授权或意外更改、丢失或破坏的安全服务。(请参阅:系统完整性。)

$ system low (I) The lowest security level supported by a system at a particular time or in a particular environment. (See: system high.)

$ 系统低(I)系统在特定时间或特定环境中支持的最低安全级别。(请参阅:系统高。)

$ system resource (I) Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (i.e., a system component--hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.

$ 系统资源(I)信息系统中包含的数据;或系统提供的服务;或系统能力,例如处理能力或通信带宽;或一项系统设备(即系统组件——硬件、固件、软件或文档);或容纳系统操作和设备的设施。

$ system security officer (SSO) (I) A person responsible for enforcement or administration of the security policy that applies to the system.

$ 系统安全官员(SSO)(I)负责执行或管理适用于系统的安全策略的人员。

$ system verification See: (secondary definition under) verification.

$ 系统验证见:(第二定义下)验证。

$ TACACS $ TACACS+ See: Terminal Access Controller (TAC) Access Control System.

$ TACACS$TACACS+参见:终端访问控制器(TAC)访问控制系统。

$ tamper (I) Make an unauthorized modification in a system that alters the system's functioning in a way that degrades the security services that the system was intended to provide.

$ 篡改(I)对系统进行未经授权的修改,以降低系统预期提供的安全服务的方式改变系统的功能。

$ TCB See: trusted computing base.

$ TCB见:可信计算基础。

$ TCP See: Transmission Control Protocol.

$ TCP请参阅:传输控制协议。

$ TCP/IP (I) A synonym for "Internet Protocol Suite", in which the Transmission Control Protocol (TCP) and the Internet Protocol (IP) are important parts.

$ TCP/IP(I)是“互联网协议套件”的同义词,其中传输控制协议(TCP)和互联网协议(IP)是重要组成部分。

$ TCSEC See: Trusted Computer System Evaluation Criteria.

$ TCSEC请参阅:可信计算机系统评估标准。

$ TELNET (I) A TCP-based, application-layer, Internet Standard protocol [R0854] for remote login from one host to another.

$ TELNET(I)基于TCP的应用层互联网标准协议[R0854],用于从一台主机远程登录到另一台主机。

$ TEMPEST (O) A nickname for specifications and standards for limiting the strength of electromagnetic emanations from electrical and electronic equipment and thus reducing vulnerability to eavesdropping. This term originated in the U.S. Department of Defense. [Army, Kuhn, Russ] (See: emanation security, soft tempest.)

$ TEMPEST(O):规范和标准的昵称,用于限制电气和电子设备的电磁辐射强度,从而降低窃听的脆弱性。这个术语起源于美国国防部。[陆军,库恩,俄罗斯](见:发射安全,软风暴。)

(D) ISDs SHOULD NOT use this term as a synonym for "electromagnetic emanations security".

(D) ISDs不应将此术语用作“电磁辐射安全”的同义词。

$ Terminal Access Controller (TAC) Access Control System (TACACS) (I) A UDP-based authentication and access control protocol [R1492] in which a network access server receives an identifier and password from a remote terminal and passes them to a separate authentication server for verification.

$ 终端访问控制器(TAC)访问控制系统(TACACS)(I)基于UDP的身份验证和访问控制协议[R1492],其中网络访问服务器从远程终端接收标识符和密码,并将其传递给单独的身份验证服务器进行验证。

(C) TACACS was developed for ARPANET and has evolved for use in commercial equipment. TACs were a type of network access server computer used to connect terminals to the early Internet, usually using dial-up modem connections. TACACS used centralized authentication servers and served not only network access servers like TACs but also routers and other networked computing devices. TACs are no longer in use, but TACACS+ is. [R1983]

(C) TACACS是为ARPANET开发的,并已发展为用于商业设备。TAC是一种网络访问服务器计算机,用于将终端连接到早期的Internet,通常使用拨号调制解调器连接。TACACS使用集中式身份验证服务器,不仅服务于网络访问服务器(如TAC),还服务于路由器和其他网络计算设备。TAC不再使用,但TACACS+正在使用。[R1983]

- "XTACACS": The name of Cisco Corporation's implementation, which enhances and extends the original TACACS.

- “XTACACS”:思科公司实施的名称,它增强并扩展了原有的TACACS。

- "TACACS+": A TCP-based protocol that improves on TACACS and XTACACS by separating the functions of authentication, authorization, and accounting and by encrypting all traffic between the network access server and authentication server. It is extensible to allow any authentication mechanism to be used with TACACS+ clients.

- “TACACS+”:一种基于TCP的协议,通过分离身份验证、授权和记帐功能,并通过加密网络访问服务器和身份验证服务器之间的所有通信量,对TACACS和XTACCS进行改进。它是可扩展的,允许任何身份验证机制与TACACS+客户端一起使用。

$ TESS See: The Exponential Encryption System.

$ 苔丝:指数加密系统。

$ The Exponential Encryption System (TESS) (I) A system of separate but cooperating cryptographic mechanisms and functions for the secure authenticated exchange of cryptographic keys, the generation of digital signatures, and the distribution of public keys. TESS employs asymmetric cryptography, based on discrete exponentiation, and a structure of self-certified public keys. [R1824]

$ 指数加密系统(TESS)(I)一个由单独但相互协作的加密机制和功能组成的系统,用于加密密钥的安全认证交换、数字签名的生成和公钥的分发。TESS采用基于离散幂运算的非对称加密技术和自认证公钥结构。[R1824]

$ threat (I) A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. (See: attack, threat action, threat consequence.)

$ 威胁(I)当存在可能破坏安全并造成伤害的情况、能力、行动或事件时,存在违反安全的可能性。(参见:攻击、威胁行动、威胁后果。)

(C) That is, a threat is a possible danger that might exploit a vulnerability. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal

(C) 也就是说,威胁是一种可能利用漏洞的危险。威胁可以是“故意的”(即,智能的;例如,个人的破坏者或罪犯)

organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado).

组织)或“意外”(例如,计算机故障的可能性,或“天灾”的可能性,如地震、火灾或龙卷风)。

(C) In some contexts, such as the following, the term is used narrowly to refer only to intelligent threats:

(C) 在某些情况下,如以下情况,该术语仅狭义地用于指智能威胁:

(N) U. S. Government usage: The technical and operational capability of a hostile entity to detect, exploit, or subvert friendly information systems and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.

(N) 美国政府使用:敌对实体检测、利用或颠覆友好信息系统的技术和操作能力,以及该实体进行此类活动的已证明、推定或推断意图。

$ threat action (I) An assault on system security. (See: attack, threat, threat consequence.)

$ 威胁行动(I)攻击系统安全。(参见:攻击、威胁、威胁后果。)

(C) A complete security architecture deals with both intentional acts (i.e. attacks) and accidental events [FIPS31]. Various kinds of threat actions are defined as subentries under "threat consequence".

(C) 一个完整的安全体系结构同时处理故意行为(即攻击)和意外事件[FIPS31]。各种威胁行为被定义为“威胁后果”下的子项。

$ threat analysis (I) An analysis of the probability of occurrences and consequences of damaging actions to a system.

$ 威胁分析(I)对系统破坏行为发生概率和后果的分析。

$ threat consequence (I) A security violation that results from a threat action. Includes disclosure, deception, disruption, and usurpation. (See: attack, threat, threat action.)

$ 威胁后果(I)威胁行为导致的安全违规。包括披露、欺骗、破坏和篡夺。(参见:攻击、威胁、威胁行动。)

(C) The following subentries describe four kinds of threat consequences, and also list and describe the kinds of threat actions that cause each consequence. Threat actions that are accidental events are marked by "*".

(C) 以下子条目描述了四种威胁后果,并列出和描述了导致每种后果的威胁行为。意外事件的威胁行动以“*”标记。

1. "(Unauthorized) Disclosure" (a threat consequence): A circumstance or event whereby an entity gains access to data for which the entity is not authorized. (See: data confidentiality.) The following threat actions can cause unauthorized disclosure:

1. “(未经授权的)披露”(威胁后果):实体获取未经授权的数据访问权的情况或事件。(请参阅:数据机密性。)以下威胁行为可能导致未经授权的披露:

A. "Exposure": A threat action whereby sensitive data is directly released to an unauthorized entity. This includes:

A.“暴露”:将敏感数据直接发布给未经授权实体的威胁行为。这包括:

a. "Deliberate Exposure": Intentional release of sensitive data to an unauthorized entity.

a. “故意泄露”:故意将敏感数据泄露给未经授权的实体。

b. "Scavenging": Searching through data residue in a system to gain unauthorized knowledge of sensitive data.

b. “清除”:搜索系统中的数据残留,以获得敏感数据的未经授权的知识。

c* "Human error": Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data.

c*“人为错误”:人为行为或不作为,无意中导致实体获得未经授权的敏感数据知识。

d* "Hardware/software error". System failure that results in an entity gaining unauthorized knowledge of sensitive data.

d*“硬件/软件错误”。导致实体未经授权获取敏感数据的系统故障。

B. "Interception": A threat action whereby an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations. This includes:

B.“拦截”:未经授权的实体直接访问在授权来源和目的地之间传输的敏感数据的威胁行为。这包括:

a. "Theft": Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data.

a. “盗窃”:通过盗窃存储数据的物理介质(如磁带或磁盘)来获取敏感数据。

b. "Wiretapping (passive)": Monitoring and recording data that is flowing between two points in a communication system. (See: wiretapping.)

b. “窃听(被动)”:监控和记录通信系统中两点之间的数据流。(请参阅:窃听。)

c. "Emanations analysis": Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data. (See: emanation.)

c. “放射分析”:通过监测和解析系统发出的信号,获取对已传输数据的直接了解,该信号包含数据,但不用于传输数据。(见:放射。)

C. "Inference": A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications. This includes:

C.“推断”:未经授权的实体通过根据通信的特征或副产品进行推理间接访问敏感数据(但不一定是通信中包含的数据)的威胁行为。这包括:

a. Traffic analysis: Gaining knowledge of data by observing the characteristics of communications that carry the data. (See: (main Glossary entry for) traffic analysis.)

a. 流量分析:通过观察传输数据的通信特性来获取数据知识。(请参阅:(主要词汇表条目)流量分析。)

b. "Signals analysis": Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data. (See: emanation.)

b. “信号分析”:通过监测和分析系统发出的、包含数据但不用于传输数据的信号,获取传输数据的间接信息。(见:放射。)

D. "Intrusion": A threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's security protections. This includes:

D.“入侵”:一种威胁行为,未经授权的实体通过绕过系统的安全保护获得对敏感数据的访问。这包括:

a. "Trespass": Gaining unauthorized physical access to sensitive data by circumventing a system's protections.

a. “侵入”:通过绕过系统保护,获得对敏感数据的未经授权的物理访问。

b. "Penetration": Gaining unauthorized logical access to sensitive data by circumventing a system's protections.

b. “渗透”:通过绕过系统保护,获得对敏感数据的未经授权的逻辑访问。

c. "Reverse engineering": Acquiring sensitive data by disassembling and analyzing the design of a system component.

c. “逆向工程”:通过分解和分析系统组件的设计来获取敏感数据。

d. Cryptanalysis: Transforming encrypted data into plaintext without having prior knowledge of encryption parameters or processes. (See: (main Glossary entry for) cryptanalysis.)

d. 密码分析:在事先不知道加密参数或过程的情况下,将加密数据转换为明文。(请参阅:(密码分析的主要词汇表条目。)

2. "Deception" (a threat consequence): A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. The following threat actions can cause deception:

2. “欺骗”(威胁后果):可能导致授权实体接收虚假数据并相信其真实性的情况或事件。以下威胁行为可能导致欺骗:

A. "Masquerade": A threat action whereby an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity. (See: (main Glossary entry for) masquerade attack.)

A.“伪装”:未经授权的实体冒充授权实体获取系统访问权或实施恶意行为的威胁行为。(请参阅:(伪装攻击的主要词汇表条目。)

a. "Spoof": Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.

a. “欺骗”:未经授权的实体冒充授权用户试图访问系统。

b. "Malicious logic": In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. (See: (main Glossary entry for) malicious logic.)

b. “恶意逻辑”:在伪装的情况下,任何硬件、固件或软件(如特洛伊木马)看似执行有用或需要的功能,但实际上未经授权访问系统资源或欺骗用户执行其他恶意逻辑。(请参阅:(恶意逻辑的主要术语表条目。)

B. "Falsification": A threat action whereby false data deceives an authorized entity. (See: active wiretapping.)

B.“伪造”:虚假数据欺骗授权实体的威胁行为。(请参见:主动窃听。)

a. "Substitution": Altering or replacing valid data with false data that serves to deceive an authorized entity.

a. “替换”:用虚假数据更改或替换有效数据,以欺骗授权实体。

b. "Insertion": Introducing false data that serves to deceive an authorized entity.

b. “插入”:引入虚假数据以欺骗授权实体。

C. "Repudiation": A threat action whereby an entity deceives another by falsely denying responsibility for an act. (See: non-repudiation service, (main Glossary entry for) repudiation.)

C.“否认”:一个实体通过虚假否认对某一行为的责任来欺骗另一实体的威胁行为。(参见:不可抵赖服务,(主要术语表条目)抵赖。)

a. "False denial of origin": Action whereby the originator of data denies responsibility for its generation.

a. “虚假来源否认”:数据的原始人否认对其产生负责的行为。

b. "False denial of receipt": Action whereby the recipient of data denies receiving and possessing the data.

b. “虚假拒绝接收”:数据接收方拒绝接收和拥有数据的行为。

3. "Disruption" (a threat consequence): A circumstance or event that interrupts or prevents the correct operation of system services and functions. (See: denial of service.) The following threat actions can cause disruption:

3. “中断”(威胁后果):中断或阻止系统服务和功能正确运行的情况或事件。(请参阅:拒绝服务。)以下威胁操作可能导致中断:

A. "Incapacitation": A threat action that prevents or interrupts system operation by disabling a system component.

A.“失效”:通过禁用系统组件来阻止或中断系统运行的威胁动作。

a. "Malicious logic": In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally introduced into a system to destroy system functions or resources. (See: (main Glossary entry for) malicious logic.)

a. “恶意逻辑”:在丧失能力的情况下,故意引入系统以破坏系统功能或资源的任何硬件、固件或软件(如逻辑炸弹)。(请参阅:(恶意逻辑的主要术语表条目。)

b. "Physical destruction": Deliberate destruction of a system component to interrupt or prevent system operation.

b. “物理破坏”:故意破坏系统组件以中断或阻止系统运行。

c* "Human error": Action or inaction that unintentionally disables a system component.

c*“人为错误”:无意中禁用系统组件的操作或不操作。

d* "Hardware or software error": Error that causes failure of a system component and leads to disruption of system operation.

d*“硬件或软件错误”:导致系统组件故障并导致系统操作中断的错误。

e* "Natural disaster": Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component. [FP031 section 2]

e*“自然灾害”:使系统组件失效的任何“天灾”(如火灾、洪水、地震、闪电或风)。[FP031第2节]

B. "Corruption": A threat action that undesirably alters system operation by adversely modifying system functions or data.

B.“损坏”:通过对系统功能或数据进行不利修改而不希望改变系统运行的威胁行为。

a. "Tamper": In context of corruption, deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.

a. “篡改”:在损坏的情况下,故意改变系统的逻辑、数据或控制信息,以中断或阻止系统功能的正确运行。

b. "Malicious logic": In context of corruption, any hardware, firmware, or software (e.g., a computer virus) intentionally introduced into a system to modify system functions or data. (See: (main Glossary entry for) malicious logic.)

b. “恶意逻辑”:在损坏的情况下,故意引入系统以修改系统功能或数据的任何硬件、固件或软件(如计算机病毒)。(请参阅:(恶意逻辑的主要术语表条目。)

c* "Human error": Human action or inaction that unintentionally results in the alteration of system functions or data.

c*“人为错误”:无意中导致系统功能或数据更改的人为行为或不作为。

d* "Hardware or software error": Error that results in the alteration of system functions or data.

d*“硬件或软件错误”:导致系统功能或数据改变的错误。

e* "Natural disaster": Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data. [FP031 section 2]

e*“自然灾害”:任何改变系统功能或数据的“天灾”(如闪电引起的电涌)。[FP031第2节]

C. "Obstruction": A threat action that interrupts delivery of system services by hindering system operations.

C.“阻碍”:通过阻碍系统运行而中断系统服务交付的威胁行为。

a. "Interference": Disruption of system operations by blocking communications or user data or control information.

a. “干扰”:通过阻断通信或用户数据或控制信息而中断系统运行。

b. "Overload": Hindrance of system operation by placing excess burden on the performance capabilities of a system component. (See: flooding.)

b. “过载”:通过给系统组件的性能能力增加额外负担而阻碍系统运行。(见:洪水)

4. "Usurpation" (a threat consequence): A circumstance or event that results in control of system services or functions by an unauthorized entity. The following threat actions can cause usurpation:

4. “篡夺”(威胁后果):导致未经授权实体控制系统服务或功能的情况或事件。以下威胁行为可能导致篡夺:

A. "Misappropriation": A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.

A.“挪用”:实体对系统资源进行未经授权的逻辑或物理控制的威胁行为。

a. "Theft of service": Unauthorized use of service by an entity.

a. “服务盗窃”:实体未经授权使用服务。

b. "Theft of functionality": Unauthorized acquisition of actual hardware, software, or firmware of a system component.

b. “功能盗窃”:未经授权获取系统组件的实际硬件、软件或固件。

c. "Theft of data": Unauthorized acquisition and use of data.

c. “数据盗窃”:未经授权获取和使用数据。

B. "Misuse": A threat action that causes a system component to perform a function or service that is detrimental to system security.

B.“误用”:导致系统组件执行对系统安全有害的功能或服务的威胁行为。

a. "Tamper": In context of misuse, deliberate alteration of a system's logic, data, or control information to cause the system to perform unauthorized functions or services.

a. “篡改”:在误用的情况下,故意改变系统的逻辑、数据或控制信息,导致系统执行未经授权的功能或服务。

b. "Malicious logic": In context of misuse, any hardware, software, or firmware intentionally introduced into a system to perform or control execution of an unauthorized function or service.

b. “恶意逻辑”:在误用情况下,故意引入系统以执行或控制未经授权的功能或服务的任何硬件、软件或固件。

c. "Violation of permissions": Action by an entity that exceeds the entity's system privileges by executing an unauthorized function.

c. “违反权限”:实体通过执行未经授权的功能而超出其系统权限的操作。

$ thumbprint (I) A pattern of curves formed by the ridges on the tip of a thumb. (See: biometric authentication, fingerprint.)

$ 指纹(I)由拇指尖上的脊线形成的曲线图案。(请参阅:生物特征认证、指纹。)

(D) ISDs SHOULD NOT use this term as a synonym for "hash result" because that meaning mixes concepts in a potentially misleading way.

(D) ISDs不应使用该术语作为“哈希结果”的同义词,因为该含义以潜在误导的方式混合了概念。

$ ticket (I) A synonym for "capability". (See: Kerberos.)

$ 票证(I)“能力”的同义词。(请参阅:Kerberos。)

(C) A ticket is usually granted by a centralized access control server (ticket-granting agent) to authorize access to a system resource for a limited time. Tickets have been implemented with symmetric cryptography, but can also be implemented as attribute certificates using asymmetric cryptography.

(C) 票证通常由集中式访问控制服务器(票证授予代理)授予,以在有限的时间内授权对系统资源的访问。票证已使用对称加密实现,但也可以使用非对称加密实现为属性证书。

$ timing channel See: (secondary definition under) covert channel.

$ 定时通道请参见:(第二个定义下)隐蔽通道。

$ TLS See: Transport Layer Security. (See: TLSP.)

$ TLS请参阅:传输层安全。(见:TLSP)

$ TLSP See: Transport Layer Security Protocol. (See: TLS.)

$ TLSP请参阅:传输层安全协议。(见:TLS)

$ token 1. (I) General usage: An object that is used to control access and is passed between cooperating entities in a protocol that synchronizes use of a shared resource. Usually, the entity that currently holds the token has exclusive access to the resource.

$ 令牌1。(一) 一般用法:用于控制访问的对象,在同步使用共享资源的协议中在协作实体之间传递。通常,当前持有令牌的实体具有对资源的独占访问权。

2. (I) Authentication usage: A data object or a portable, user-controlled, physical device used to verify an identity in an authentication process. (See: authentication information, dongle.)

2. (一) 身份验证用途:用于在身份验证过程中验证身份的数据对象或便携式、用户控制的物理设备。(请参阅:身份验证信息,加密狗。)

3. (I) Cryptographic usage: See: cryptographic token.

3. (一) 加密用法:请参阅:加密令牌。

4. (O) SET usage: "A portable device [e.g., smart card or PCMCIA card] specifically designed to store cryptographic information and possibly perform cryptographic functions in a secure manner." [SET2]

4. (O) 设置用法:“专门设计用于存储加密信息并可能以安全方式执行加密功能的便携式设备[如智能卡或PCMCIA卡]。[SET2]

$ token backup (I) A token management operation that stores sufficient information in a database (e.g., in a CAW) to recreate or restore a security token (e.g., a smart card) if it is lost or damaged.

$ 令牌备份(I)一种令牌管理操作,在数据库(如CAW)中存储足够的信息,以便在安全令牌(如智能卡)丢失或损坏时重新创建或恢复安全令牌。

$ token copy (I) A token management operation that copies all the personality information from one security token to another. However, unlike in a token restore operation, the second token is initialized with its own, different local security values such as PINs and storage keys.

$ 令牌复制(I)一种令牌管理操作,将所有个性信息从一个安全令牌复制到另一个安全令牌。但是,与令牌还原操作不同,第二个令牌使用其自己的、不同的本地安全值(如PIN和存储密钥)进行初始化。

$ token management (I) The process of initializing security tokens (e.g., see: smart card), loading data into the tokens, and controlling the tokens during their life cycle. May include performing key management and certificate management functions; generating and installing PINs; loading user personality data; performing card backup, card copy, and card restore operations; and updating firmware.

$ 令牌管理(I)初始化安全令牌(例如,请参阅:智能卡)、将数据加载到令牌以及在其生命周期内控制令牌的过程。可能包括执行密钥管理和证书管理功能;生成和安装销钉;加载用户个性数据;执行卡备份、卡复制和卡还原操作;以及更新固件。

$ token restore (I) A token management operation that loads a security token with data for the purpose of recreating (duplicating) the contents previously held by that or another token.

$ 令牌还原(I)一种令牌管理操作,它使用数据加载安全令牌,以便重新创建(复制)该令牌或另一令牌先前持有的内容。

$ token storage key (I) A cryptography key used to protect data that is stored on a security token.

$ 令牌存储密钥(I)用于保护存储在安全令牌上的数据的加密密钥。

$ top CA (I) A CA that is the highest level (i.e., is the most trusted CA) in a certification hierarchy. (See: root.)

$ 顶级CA(I)是证书层次结构中最高级别(即,最受信任的CA)的CA。(请参阅:root。)

$ top-level specification (I) "A non-procedural description of system behavior at the most abstract level; typically a functional specification that omits all implementation details." [NCS04] (See: (discussion under) security policy.)

$ 顶层规范(I)“在最抽象的层次上对系统行为的非过程性描述;通常是省略所有实现细节的功能规范。”[NCS04](请参阅:(在)安全策略下的讨论。)

(C) A top-level specification may be descriptive or formal:

(C) 顶级规范可以是描述性的,也可以是正式的:

- "Descriptive top-level specification": One that is written in a natural language like English or an informal design notation.

-“描述性顶层规范”:用自然语言(如英语或非正式设计符号)编写的规范。

- "Formal top-level specification": One that is written in a formal mathematical language to enable theorems to be proven that show that the specification correctly implements a set of formal requirements or a formal security model. (See: correctness proof.)

-“正式顶层规范”:用正式数学语言编写的规范,用于证明定理,证明规范正确实现了一组正式需求或正式安全模型。(请参阅:正确性证明。)

$ traffic analysis (I) Inference of information from observable characteristics of data flow(s), even when the data is encrypted or otherwise not directly available. Such characteristics include the identities and locations of the source(s) and destination(s), and the presence, amount, frequency, and duration of occurrence. (See: wiretapping.)

$ 流量分析(I)从数据流的可观察特征推断信息,即使数据加密或不直接可用。此类特征包括来源和目的地的身份和位置,以及发生的存在、数量、频率和持续时间。(请参阅:窃听。)

(O) "The inference of information from observation of traffic flows (presence, absence, amount, direction, and frequency)." [I7498 Part 2]

(O) “通过观察交通流(存在、不存在、数量、方向和频率)推断信息。”[I7498第2部分]

$ traffic flow confidentiality (I) A data confidentiality service to protect against traffic analysis.

$ 流量机密性(I)数据机密性服务,用于防止流量分析。

(O) "A confidentiality service to protect against traffic analysis." [I7498 Part 2]

(O) “防止流量分析的保密服务。”[I7498第2部分]

$ traffic padding (I) "The generation of spurious instances of communication, spurious data units, and/or spurious data within data units." [I7498 Part 2]

$ 流量填充(I)“通信、虚假数据单元和/或数据单元内虚假数据的虚假实例的生成。”[I7498第2部分]

$ tranquillity property See: (secondary definition under) Bell-LaPadula Model.

$ 宁静属性见:(次级定义下)贝尔-拉帕杜拉模型。

$ Transmission Control Protocol (TCP) (I) An Internet Standard protocol [R0793] that reliably delivers a sequence of datagrams (discrete sets of bits) from one computer to another in a computer network. (See: TCP/IP.)

$ 传输控制协议(TCP)(I)一种互联网标准协议[R0793],在计算机网络中可靠地从一台计算机向另一台计算机传输数据报序列(离散的比特集)。(请参阅:TCP/IP。)

(C) TCP is designed to fit into a layered hierarchy of protocols that support internetwork applications. TCP assumes it can obtain a simple, potentially unreliable datagram service (such as the Internet Protocol) from the lower-layer protocols.

(C) TCP被设计成一个支持互联网应用的分层协议层次结构。TCP假定它可以从较低层协议获得简单的、可能不可靠的数据报服务(如Internet协议)。

$ Transport Layer Security (TLS) (I) TLS Version 1.0 is an Internet protocol [R2246] based-on and very similar to SSL Version 3.0. (See: TLSP.)

$ 传输层安全性(TLS)(I)TLS 1.0版是一种基于SSL 3.0版的互联网协议[R2246]。(见:TLSP)

(C) The TLS protocol is misnamed, because it operates well above the transport layer (OSI layer 4).

(C) TLS协议命名错误,因为它在传输层(OSI第4层)之上运行。

$ Transport Layer Security Protocol (TLSP) (I) An end-to-end encryption protocol(ISO Standard 10736) that provides security services at the bottom of OSI layer 4, i.e., directly above layer 3. (See: TLS.)

$ 传输层安全协议(TLSP)(I)一种端到端加密协议(ISO标准10736),在OSI第4层的底部,即第3层的正上方提供安全服务。(见:TLS)

(C) TLSP evolved directly from the SP4 protocol of SDNS.

(C) TLSP直接从SDN的SP4协议演变而来。

$ transport mode vs. tunnel mode (I) IPsec usage: Two ways to apply IPsec protocols (AH and ESP) to protect communications:

$ 传输模式与隧道模式(I)IPsec使用:应用IPsec协议(AH和ESP)保护通信的两种方法:

- "Transport mode": The protection applies to (i.e., the IPsec protocol encapsulates) the packets of upper-layer protocols, the ones that are carried above IP.

- “传输模式”:保护适用于(即,IPsec协议封装)上层协议的数据包,即IP上承载的数据包。

- "Tunnel mode": The protection applies to (i.e., the IPsec protocol encapsulates) IP packets.

- “隧道模式”:保护适用于(即,IPsec协议封装)IP数据包。

(C) A transport mode security association is always between two hosts. In a tunnel mode security association, each end may be either a host or a gateway. Whenever either end of an IPsec security association is a security gateway, the association is required to be in tunnel mode.

(C) 传输模式安全关联始终位于两台主机之间。在隧道模式安全关联中,每一端可以是主机或网关。每当IPsec安全关联的任意一端是安全网关时,该关联都需要处于隧道模式。

$ trap door (I) A hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trap door to gain access to the computer without being blocked by security services or mechanisms. (See: back door, Trojan horse.)

$ 陷阱门(I)入侵者已知的隐藏计算机缺陷,或入侵者安装的隐藏计算机机制(通常为软件),入侵者可以激活陷阱门以访问计算机,而不会被安全服务或机制阻止。(请参阅:后门、特洛伊木马。)

$ triple DES (I) A block cipher, based on DES, that transforms each 64-bit plaintext block by applying the Data Encryption Algorithm three successive times, using either two or three different keys, for an effective key length of 112 or 168 bits. [A9052] (See: DES.)

$ 三重DES(I)一种基于DES的分组密码,通过连续三次应用数据加密算法,使用两个或三个不同的密钥,对每个64位明文块进行转换,有效密钥长度为112或168位。[A9052](见:DES)

(C) IPsec usage: The algorithm variation proposed for ESP uses a 168-bit key, consisting of three independent 56-bit quantities used by the Data Encryption Algorithm, and a 64-bit initialization value. Each datagram contains an IV to ensure that each received datagram can be decrypted even when other datagrams are dropped or a sequence of datagrams is reordered in transit. [R1851]

(C) IPsec用法:为ESP提出的算法变体使用168位密钥,由数据加密算法使用的三个独立的56位量和一个64位初始化值组成。每个数据报都包含一个IV,以确保即使在传输过程中丢弃其他数据报或对数据报序列重新排序时,每个接收到的数据报也可以解密。[R1851]

$ triple-wrapped (I) S/MIME usage: Data that has been signed with a digital signature, and then encrypted, and then signed again. [R2634]

$ 三重包装(I)S/MIME用法:使用数字签名签名,然后加密,然后再次签名的数据。[R2634]

$ Trojan horse (I) A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

$ 特洛伊木马(I)一种计算机程序,它似乎具有有用的功能,但也具有隐藏的和潜在的恶意功能,可以逃避安全机制,有时可以利用调用该程序的系统实体的合法授权。

$ trust 1. (I) Information system usage: The extent to which someone who relies on a system can have confidence that the system meets its specifications, i.e., that the system does what it claims to do and does not perform unwanted functions. (See: trust level.)

$ 信任1。(一) 信息系统使用情况:依赖系统的人对系统满足其规格的信心程度,即系统执行其声称的功能,不执行不需要的功能。(请参阅:信任级别。)

(C) "trusted vs. trustworthy": In discussing a system or system process or object, this Glossary (and industry usage) prefers the term "trusted" to describe a system that operates as expected, according to design and policy. When the trust can also be guaranteed in some convincing way, such as through formal analysis or code review, the system is termed "trustworthy"; this differs from the ABA Guidelines definition (see: trustworthy system).

(C) “可信与可信”:在讨论系统或系统过程或对象时,本术语表(和行业用法)更倾向于使用“可信”一词来描述根据设计和策略按预期运行的系统。当信任也能以某种令人信服的方式得到保证时,例如通过正式分析或代码审查,系统被称为“可信的”;这与ABA指南的定义不同(参见:可信系统)。

2. (I) PKI usage: A relationship between a certificate user and a CA in which the user acts according to the assumption that the CA creates only valid digital certificates.

2. (一) PKI使用:证书用户和CA之间的关系,其中用户根据CA仅创建有效数字证书的假设进行操作。

(O) "Generally, an entity can be said to 'trust' a second entity when it (the first entity) makes the assumption that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. The key role of trust in [X.509] is to describe the relationship between an entity and a [certification] authority; an entity shall be certain that it can trust the certification authority to create only valid and reliable certificates." [X509]

(O) “通常,当一个实体(第一个实体)假设第二个实体的行为与第一个实体的预期完全一致时,可以说该实体“信任”了第二个实体。这种信任可能只适用于某些特定功能。[X.509]中信任的关键作用是描述实体与[认证]之间的关系认证机构;实体应确保其可以信任认证机构仅创建有效和可靠的证书。”[X509]

$ trust chain (D) ISDs SHOULD NOT use this term as a synonym for "certification path" because it mixes concepts in a potentially misleading way. (See: trust.)

$ 信任链(D)ISDs不应使用该术语作为“认证路径”的同义词,因为它以潜在误导的方式混合了概念。(见:信托。)

$ trust-file PKI (I) A non-hierarchical PKI in which each certificate user has a local file (which is used by application software) of public-key certificates that the user trusts as starting points (i.e., roots) for certification paths. (See: hierarchical PKI, mesh PKI, root, web of trust.)

$ 信任文件PKI(I)一种非分层PKI,其中每个证书用户都有一个公钥证书的本地文件(由应用软件使用),用户信任该文件作为证书路径的起点(即根)。(请参阅:分层PKI、网状PKI、根、信任网。)

(C) For example, popular browsers are distributed with an initial file of trusted certificates, which often are self-signed certificates. Users can add certificates to the file or delete from it. The file may be directly managed by the user, or the user's organization may manage it from a centralized server.

(C) 例如,流行的浏览器分发有可信证书的初始文件,这些文件通常是自签名证书。用户可以向文件中添加证书或从中删除证书。该文件可以由用户直接管理,或者用户的组织可以从集中式服务器进行管理。

$ trust hierarchy (D) ISDs SHOULD NOT use this term as a synonym for "certification hierarchy" because this term mixes concepts (see: trust) in a potentially misleading way and duplicates the meaning of another, standardized term. (See: trust, web of trust.)

$ 信任层次结构(D)ISDs不应使用该术语作为“认证层次结构”的同义词,因为该术语以潜在误导的方式混合了概念(参见:信任),并重复了另一个标准术语的含义。(请参见:信任,信任之网。)

$ trust level (I) A characterization of a standard of security protection to be met by a computer system.

$ 信任级别(I)计算机系统要满足的安全保护标准的特征。

(C) The TCSEC defines eight trust levels. From the lowest to the highest, they are D, C1, C2, B1, B2, B3, and A1. A trust level is based not only on the presence of security mechanisms but also on the use of systems engineering discipline to properly structure the system and implementation analysis to ensure that the system provides an appropriate degree of trust.

(C) TCSEC定义了八个信任级别。从最低到最高,它们是D、C1、C2、B1、B2、B3和A1。信任级别不仅基于安全机制的存在,还基于使用系统工程规程来正确构建系统和实施分析,以确保系统提供适当程度的信任。

$ trusted See: (discussion under) trust.

$ 受信任请参见:(讨论内容)信任。

$ trusted certificate (I) A certificate upon which a certificate user relies as being valid without the need for validation testing; especially a public-key certificate that is used to provide the first public key in a certification path. (See: certification path, root certificate, validation.)

$ 可信证书(I)证书用户无需验证测试即可依赖的有效证书;特别是一种公钥证书,用于提供证书路径中的第一个公钥。(请参阅:证书路径、根证书、验证。)

(C) A trusted public-key certificate might be (a) the root certificate in a hierarchical PKI, (b) the certificate of the CA that issued the user's own certificate in a mesh PKI, or (c) any certificate accepted by the user in a trust-file PKI.

(C) 受信任的公钥证书可以是(A)分层PKI中的根证书,(b)在网状PKI中颁发用户自己证书的CA的证书,或者(C)用户在信任文件PKI中接受的任何证书。

$ trusted computer system (I) Multilevel security usage: "A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information." [NCS04] (See: (discussion under) trust.)

$ 可信计算机系统(I)多级安全使用:“采用足够的硬件和软件保证措施,允许同时处理一系列敏感或机密信息的系统。”[NCS04](见:(在)信任下讨论。)

$ Trusted Computer System Evaluation Criteria (TCSEC) (N) A standard for evaluating the security provided by operating systems [CSC001, DOD1]. Informally called the "Orange Book"

$ 可信计算机系统评估标准(TCSEC)(N)用于评估操作系统提供的安全性的标准[CSC001,DOD1]。非正式地称为“橘子书”

because of the color of its cover; first document in the Rainbow Series. (See: Common Criteria, (usage note under) Green Book, Orange Book, trust level.)

因为它的封面颜色;彩虹系列的第一个文档。(请参阅:通用标准,(使用说明下)绿皮书、橙皮书、信任级别。)

$ trusted computing base (TCB) (I) "The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy." [NCS04] (See: (discussion of "trusted" under) trust.)

$ 可信计算基础(TCB)(I)“计算机系统内的所有保护机制,包括硬件、固件和软件,它们的组合负责实施安全策略。”[NCS04](参见:(信任下的“可信”讨论)

$ trusted distribution (I) "A trusted method for distributing the TCB hardware, software, and firmware components, both originals and updates, that provides methods for protecting the TCB from modification during distribution and for detection of any changes to the TCB that may occur." [NCS04]

$ 可信分发(I)“分发TCB硬件、软件和固件组件(原件和更新件)的可信方法,该方法提供了在分发过程中保护TCB不受修改以及检测可能发生的TCB更改的方法。”[NCS04]

$ trusted key (I) A public key upon which a user relies; especially a public key that can be used as the first public key in a certification path. (See: certification path, root key, validation.)

$ 可信密钥(I)用户依赖的公钥;特别是一种公钥,可以用作证书路径中的第一个公钥。(请参阅:证书路径、根密钥、验证。)

(C) A trusted public key might be (a) the root key in a hierarchical PKI, (b) the key of the CA that issued the user's own certificate in a mesh PKI, or (c) any key accepted by the user in a trust-file PKI.

(C) 可信公钥可以是(A)分层PKI中的根密钥,(b)在网状PKI中颁发用户自己证书的CA的密钥,或者(C)用户在信任文件PKI中接受的任何密钥。

$ trusted path (I) COMPUSEC usage: A mechanism by which a computer system user can communicate directly and reliably with the trusted computing base (TCB) and that can only be activated by the user or the TCB and cannot be imitated by untrusted software within the computer. [NCS04]

$ 可信路径(I)计算机安全使用:计算机系统用户可以直接可靠地与可信计算基础(TCB)通信的一种机制,该机制只能由用户或TCB激活,并且不能被计算机内不受信任的软件模仿。[NCS04]

(I) COMSEC usage: A mechanism by which a person or process can communicate directly with a cryptographic module and that can only be activated by the person, process, or module, and cannot be imitated by untrusted software within the module. [FP140]

(一) 通信安全使用:一种机制,通过该机制,个人或进程可以直接与加密模块通信,并且只能由个人、进程或模块激活,并且不能被模块内不受信任的软件模仿。[FP140]

$ trusted process (I) A system process that has privileges that enable it to affect the state of system security and that can, therefore, through incorrect or malicious execution, violate the system's security policy. (See: privileged process, (discussion of "trusted" under) trust.)

$ 受信任进程(I)具有特权的系统进程,使其能够影响系统安全状态,因此,通过错误或恶意执行,可能会违反系统的安全策略。(请参阅:特权流程(在“信任”下讨论“受信任”)

$ trusted subnetwork (I) A subnetwork containing hosts and routers that trust each other not to engage in active or passive attacks. (There also is an assumption that the underlying communication channels--e.g., telephone lines, or a LAN--are protected from attack by some means.)

$ 可信子网(I)包含主机和路由器的子网,主机和路由器相互信任,不会进行主动或被动攻击。(还有一种假设,即基础通信信道(例如电话线或LAN)通过某种方式受到保护,免受攻击。)

$ trusted system See: (discussion under) trust, trusted computer system, trustworthy system.

$ 可信系统请参阅:(在下讨论)信任,可信计算机系统,可信系统。

$ Trusted Systems Interoperability Group (TSIG) (N) A forum of computer vendors, system integrators, and users devoted to promoting interoperability of trusted computer systems. TSIG meetings are open to all persons who are working in the INFOSEC area.

$ 可信系统互操作性小组(TSIG)(N):由计算机供应商、系统集成商和用户组成的论坛,致力于促进可信计算机系统的互操作性。TSIG会议对在信息安全领域工作的所有人员开放。

$ trustworthy system (O) ABA usage: "Computer hardware, software, and procedures that: (a) are reasonably secure from intrusion and misuse; (b) provide a reasonably reliable level of availability, reliability, and correct operation; (c) are reasonably suited to performing their intended functions; and (d) adhere to generally accepted security principles." [ABA] This differs somewhat from other industry usage. (See: (discussion of "trusted vs. trustworthy" under) trust.)

$ 可信系统(O)ABA用法:“计算机硬件、软件和程序:(a)合理地防止入侵和误用;(b)提供合理可靠的可用性、可靠性和正确操作水平;(c)合理地适合于执行其预期功能;以及(d)遵守普遍接受的安全原则。”[ABA]这与其他行业用途有所不同。(请参阅:(在“信任”下讨论“信任与可信任”。)

$ TSIG See: Trusted System Interoperability Group.

$ TSIG请参阅:受信任的系统互操作性组。

$ tunnel (I) A communication channel created in a computer network by encapsulating (carrying, layering) a communication protocol's data packets in (on top of) a second protocol that normally would be carried above, or at the same layer as, the first one. (See: L2TP, VPN.)

$ 隧道(I)在计算机网络中通过将通信协议的数据包封装(携带、分层)在第二协议中(在其之上)而创建的通信信道,该第二协议通常会携带在第一协议之上或与第一协议在同一层上。(请参阅:L2TP,VPN。)

(C) Tunneling can involve almost any OSI or TCP/IP protocol layers; for example, a TCP connection between two hosts could conceivably be tunneled through email messages across the Internet. Most often, a tunnel is a logical point-to-point link-- i.e., an OSI layer 2 connection--created by encapsulating the layer 2 protocol in a transport protocol (such as TCP), in a network or internetwork layer protocol (such as IP), or in another link layer protocol. Often, encapsulation is accomplished with an extra, intermediate protocol, i.e., a tunneling protocol (such as L2TP) that is layered between the tunneled layer 2 protocol and the encapsulating protocol.

(C) 隧道可以涉及几乎任何OSI或TCP/IP协议层;例如,两台主机之间的TCP连接可以通过互联网上的电子邮件进行隧道传输。通常,隧道是一种逻辑点到点链路(即OSI第2层连接),通过将第2层协议封装在传输协议(如TCP)、网络或网络间层协议(如IP)或另一链路层协议中而创建。通常,封装是通过额外的中间协议来完成的,即隧道协议(例如L2TP),它分层在隧道层2协议和封装协议之间。

(C) Tunneling can move data between computers that use a protocol not supported by the network connecting them. Tunneling also can enable a computer network to use the services of a second network as though the second network were a set of point-to-point links between the first network's nodes. (See: virtual private network.)

(C) 隧道可以在使用连接它们的网络不支持的协议的计算机之间移动数据。隧道还可以使计算机网络能够使用第二网络的服务,就像第二网络是第一网络节点之间的一组点对点链路一样。(请参阅:虚拟专用网络。)

(O) SET usage: The name of a SET private extension that indicates whether the CA or the payment gateway supports passing encrypted messages to the cardholder through the merchant. If so, the extension lists OIDs of symmetric encryption algorithms that are supported.

(O) SET usage:SET private extension的名称,指示CA或支付网关是否支持通过商户向持卡人传递加密消息。如果是,扩展将列出受支持的对称加密算法的OID。

$ tunnel mode (I) IPsec usage: See: transport mode vs. tunnel mode.

$ 隧道模式(I)IPsec使用:请参阅:传输模式与隧道模式。

$ two-person control (I) The close surveillance and control of a system, process, or materials (especially with regard to cryptography) at all times by a minimum of two appropriately authorized persons, each capable of detecting incorrect and unauthorized procedures with respect to the tasks to be performed and each familiar with established security requirements. (See: dual control, no-lone zone.)

$ 双人控制(I)由至少两名经适当授权的人员在任何时候对系统、过程或材料(尤其是密码)进行密切监视和控制,每个人都能够检测到与要执行的任务有关的错误和未经授权的程序,并且都熟悉既定的安全要求。(请参阅:双控,无单独区域。)

$ Type I cryptography (O) A cryptographic algorithm or device approved by NSA for protecting classified information.

$ I类加密(O):经国家安全局批准用于保护机密信息的加密算法或装置。

$ Type II cryptography (O) A cryptographic algorithm or device approved by NSA for protecting sensitive unclassified information (as specified in section 2315 of Title 10 United States Code, or section 3502(2) of Title 44, United States Code.)

$ II类加密(O)经NSA批准用于保护敏感非保密信息的加密算法或装置(如《美国法典》第10编第2315节或《美国法典》第44编第3502(2)节所述)

$ Type III cryptography (O) A cryptographic algorithm or device approved as a Federal Information Processing Standard.

$ III类加密(O)一种被批准为联邦信息处理标准的加密算法或装置。

$ UDP See: User Datagram Protocol.

$ UDP请参阅:用户数据报协议。

$ unclassified (I) Not classified.

$ 未分类(I)未分类。

$ unencrypted (I) Not encrypted.

$ 未加密(I)未加密。

$ unforgeable (I) Cryptographic usage: The property of a cryptographic data structure (i.e., a data structure that is defined using one or more cryptographic functions) that makes it computationally infeasible to construct (i.e., compute) an unauthorized but correct value of the structure without having knowledge of one of more keys. (E.g., see: digital certificate.)

$ 不可伪造(I)加密使用:加密数据结构(即,使用一个或多个加密函数定义的数据结构)的属性,使得在不知道一个或多个密钥的情况下构造(即,计算)未经授权但正确的结构值在计算上不可行。(例如,请参阅:数字证书。)

(C) This definition is narrower than general English usage, where "unforgeable" means unable to be fraudulently created or duplicated. In that broader sense, anyone can forge a digital certificate containing any set of data items whatsoever by generating the to-be-signed certificate and signing it with any private key whatsoever. But for PKI purposes, the forged data structure is invalid if it is not signed with the true private key of the claimed issuer; thus, the forgery will be detected when a certificate user uses the true public key of the claimed issuer to verify the signature.

(C) 这个定义比一般的英语用法要窄,其中“不可伪造”的意思是不能被欺诈地创建或复制。从更广泛的意义上讲,任何人都可以通过生成待签名证书并使用任何私钥对其进行签名来伪造包含任何数据项集的数字证书。但出于PKI目的,如果伪造的数据结构未使用声称的发行人的真实私钥签名,则该数据结构无效;因此,当证书用户使用声称的颁发者的真实公钥来验证签名时,将检测到伪造。

$ uniform resource identifier (URI) (I) A type of formatted identifier that encapsulates the name of an Internet object, and labels it with an identification of the name space, thus producing a member of the universal set of names in registered name spaces and of addresses referring to registered protocols or name spaces. [R1630]

$ 统一资源标识符(URI)(I)一种格式化标识符,它封装了Internet对象的名称,并用名称空间的标识对其进行标记,从而在注册名称空间中生成通用名称集的成员,以及引用注册协议或名称空间的地址。[R1630]

(C) URIs are used in HTML to identify the target of hyperlinks. In common practice, URIs include uniform resource locators [R2368] and relative URLs, and may be URNs. [R1808]

(C) URI在HTML中用于标识超链接的目标。在一般实践中,URI包括统一资源定位器[R2368]和相对URL,可能是URN。[R1808]

$ uniform resource locator (URL) (I) A type of formatted identifier that describes the access method and location of an information resource object on the Internet. [R1738]

$ 统一资源定位器(URL)(I)一种格式化标识符,描述互联网上信息资源对象的访问方法和位置。[R1738]

(C) A URL is a URI that provides explicit instructions on how to access the named object. For example, "ftp://bbnarchive.bbn.com/foo/bar/picture/cambridge.zip" is a URL. The part before the colon specifies the access scheme or protocol, and the part after the colon is interpreted according to that access method. Usually, two slashes after the colon indicate the host name of a server (written as a domain name). In an FTP or HTTP URL, the host name is followed by the path name of a file on the server. The last (optional) part of a URL may be either a fragment identifier that indicates a position in the file, or a query string.

(C) URL是一个URI,提供有关如何访问命名对象的明确说明。例如,”ftp://bbnarchive.bbn.com/foo/bar/picture/cambridge.zip“是一个URL。冒号前面的部分指定访问方案或协议,冒号后面的部分根据该访问方法进行解释。通常,冒号后的两个斜杠表示服务器的主机名(写为域名)。在FTP或HTTP URL中,主机名后跟服务器上文件的路径名。URL的最后(可选)部分可以是指示文件中位置的片段标识符,也可以是查询字符串。

$ uniform resource name (URN) (I) A URI that has an institutional commitment to persistence and availability.

$ 统一资源名称(URN)(I)对持久性和可用性具有机构承诺的URI。

$ untrusted process (I) A system process that is not able to affect the state of system security through incorrect or malicious operation, usually because its operation is confined by a security kernel. (See: trusted process.)

$ 不受信任进程(I)一个系统进程,它不能通过不正确或恶意的操作影响系统安全状态,通常是因为其操作受到安全内核的限制。(请参阅:受信任的进程。)

$ UORA See: user-PIN ORA.

$ UORA见:用户PIN ORA。

$ update See: certificate update and key update.

$ 更新请参阅:证书更新和密钥更新。

$ URI See: uniform resource identifier.

$ URI请参阅:统一资源标识符。

$ URL See: uniform resource locator.

$ URL请参阅:统一资源定位器。

$ URN See: uniform resource name.

$ URN请参阅:统一资源名称。

$ user (I) A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. (See: [R2504].)

$ 用户(I)访问系统的个人、组织实体或自动化流程,无论是否授权。(见:[R2504])

(C) Any ISD that uses this term SHOULD provide an explicit definition, because this term is used in many ways and can easily be misunderstood.

(C) 任何使用该术语的ISD都应提供明确的定义,因为该术语有多种用途,很容易被误解。

$ User Datagram Protocol (UDP) (I) An Internet Standard protocol [R0768] that provides a datagram mode of packet-switched computer communication in an internetwork.

$ 用户数据报协议(UDP)(I)一种互联网标准协议[R0768],在互联网中提供分组交换计算机通信的数据报模式。

(C) UDP is a transport layer protocol, and it assumes that IP is the underlying protocol. UDP enables application programs to send transaction-oriented data to other programs with minimal protocol mechanism. UDP does not provide reliable delivery, flow control, sequencing, or other end-to-end services that TCP provides.

(C) UDP是一种传输层协议,它假定IP是底层协议。UDP允许应用程序使用最小的协议机制将面向事务的数据发送到其他程序。UDP不提供可靠的传递、流控制、排序或TCP提供的其他端到端服务。

$ user identifier (I) A character string or symbol that is used in a system to uniquely name a specific user or group of users.

$ 用户标识符(I)在系统中用于唯一命名特定用户或用户组的字符串或符号。

(C) Often verified by a password in an authentication process.

(C) 通常在身份验证过程中通过密码验证。

$ user PIN (O) MISSI usage: One of two personal identification numbers that control access to the functions and stored data of a FORTEZZA PC card. Knowledge of the user PIN enables the card user to perform the FORTEZZA functions that are intended for use by an end user. (See: SSO PIN.)

$ 用户PIN(O)MSI使用:控制访问FORTEZZA PC卡功能和存储数据的两个个人识别号之一。了解用户PIN后,卡用户可以执行供最终用户使用的FORTEZZA功能。(请参阅:SSO PIN。)

$ user-PIN ORA (UORA) (O) A MISSI organizational RA that operates in a mode in which the ORA performs only the subset of card management functions that are possible with knowledge of the user PIN for a FORTEZZA PC card. (See: no-PIN ORA, SSO-PIN ORA.)

$ 用户PIN ORA(UORA)(O)在ORA仅执行卡管理功能子集的模式下运行的一种MSI组织RA,在了解FORTEZZA PC卡的用户PIN的情况下,该功能子集是可能的。(请参阅:无PIN ORA,SSO-PIN ORA。)

$ usurpation See: (secondary definition under) threat consequence.

$ 篡夺见:(第二定义下)威胁后果。

$ UTCTime (N) The ASN.1 data type "UTCTime" contains a calendar date (YYMMDD) and a time to a precision of either one minute (HHMM) or one second (HHMMSS), where the time is either (a) Coordinated Universal Time or (b) the local time followed by an offset that enables Coordinated Universal Time to be calculated. Note: UTCTime has the Year 2000 problem. (See: Coordinated Universal Time, GeneralizedTime.)

$ UTCTime(N)ASN.1数据类型“UTCTime”包含一个日历日期(YYMMDD)和一个精度为一分钟(HHMM)或一秒(hhmms)的时间,其中时间是(a)协调世界时或(b)本地时间,后跟一个允许计算协调世界时的偏移量。注意:UTCTime有2000年问题。(请参阅:协调世界时,通用时间。)

$ v1 certificate (C) Ambiguously refers to either an X.509 public-key certificate in its version 1 format, or an X.509 attribute certificate in its version 1 format. However, many people who use this term are not aware that X.509 specifies attribute certificates that do not contain a public key. Therefore, ISDs MAY use this term as an abbreviation for "version 1 X.509 public-key certificate", but only after using the full term at the first instance.

$ v1证书(C)含糊不清地表示版本1格式的X.509公钥证书或版本1格式的X.509属性证书。但是,许多使用此术语的人并不知道X.509指定的属性证书不包含公钥。因此,ISDs可以使用该术语作为“版本1 X.509公钥证书”的缩写,但必须首先使用完整术语。

(D) ISDs SHOULD NOT use this term as an abbreviation for "version 1 X.509 attribute certificate".

(D) ISDs不应使用该术语作为“版本1 X.509属性证书”的缩写。

$ v1 CRL (I) An abbreviation for "X.509 CRL in version 1 format".

$ v1 CRL(I)“版本1格式的X.509 CRL”的缩写。

(C) ISDs should use this abbreviation only after using the full term at its first occurrence and defining the abbreviation.

(C) ISDs只有在第一次使用完整术语并定义缩写后才应使用此缩写。

$ v2 certificate (I) An abbreviation for "X.509 public-key certificate in version 2 format".

$ v2证书(I)“版本2格式的X.509公钥证书”的缩写。

(C) ISDs should use this abbreviation only after using the full term at its first occurrence and defining the abbreviation.

(C) ISDs只有在第一次使用完整术语并定义缩写后才应使用此缩写。

$ v2 CRL (I) An abbreviation for "X.509 CRL in version 2 format".

$ v2 CRL(I)“版本2格式的X.509 CRL”的缩写。

(C) ISDs should use this abbreviation only after using the full term at its first occurrence and defining the abbreviation.

(C) ISDs只有在第一次使用完整术语并定义缩写后才应使用此缩写。

$ v3 certificate (I) An abbreviation for "X.509 public-key certificate in version 3 format".

$ v3证书(I)“版本3格式的X.509公钥证书”的缩写。

(C) ISDs should use this abbreviation only after using the full term at its first occurrence and defining the abbreviation.

(C) ISDs只有在第一次使用完整术语并定义缩写后才应使用此缩写。

$ valid certificate (I) A digital certificate for which the binding of the data items can be trusted; one that can be validated successfully. (See: validate vs. verify.)

$ 有效证书(I)可信任数据项绑定的数字证书;一个可以被成功验证的程序。(请参见:验证与验证。)

$ valid signature (D) ISDs SHOULD NOT use this term; instead, use "authentic signature". This Glossary recommends saying "validate the certificate" and "verify the signature"; therefore, it would be inconsistent to say that a signature is "valid". (See: validate vs. verify.)

$ 有效签名(D)ISDs不应使用该术语;相反,使用“真实签名”。本术语表建议说“验证证书”和“验证签名”;因此,说签字“有效”是不一致的。(请参见:验证与验证。)

$ validate vs. verify (C) The PKI community uses words inconsistently when describing what a certificate user does to make certain that a digital certificate can be trusted. Usually, we say "verify the signature" but say "validate the certificate"; i.e., we "verify" atomic truths but "validate" data structures, relationships, and systems that are composed of or depend on verified items. Too often, however, verify and validate are used interchangeably.

$ 验证与验证(C)PKI社区在描述证书用户如何确保数字证书可信任时使用的词语不一致。通常,我们说“验证签名”,但说“验证证书”;i、 例如,我们“验证”原子真理,但“验证”由验证项组成或依赖于验证项的数据结构、关系和系统。然而,验证和验证经常交替使用。

ISDs SHOULD comply with the following two rules to ensure consistency and to align Internet security terminology with ordinary English:

ISD应遵守以下两条规则,以确保一致性,并使互联网安全术语与普通英语保持一致:

- Rule 1: Use "validate" when referring to a process intended to establish the soundness or correctness of a construct. (E.g., see: certificate validation.)

- 规则1:当提及旨在确定结构的可靠性或正确性的过程时,使用“验证”。(例如,请参见:证书验证。)

- Rule 2: Use "verify" when referring to a process intended to test or prove the truth or accuracy of a fact or value. (E.g., see: authenticate.)

- 规则2:当提及旨在测试或证明事实或价值的真实性或准确性的过程时,使用“验证”。(例如,请参阅:验证。)

The rationale for Rule 1 is that "valid" derives from a word that means "strong" in Latin. Thus, to validate means to make sure that a construction is sound. A certificate user validates a public-key certificate to establish trust in the binding that the certificate asserts between an identity and a key. (To validate can also mean to officially approve something; e.g., NIST validates cryptographic modules for conformance with FIPS PUB 140-1.)

规则1的基本原理是“有效”源自拉丁语中“强”的意思。因此,验证意味着确保结构是可靠的。证书用户验证公钥证书,以在证书在标识和密钥之间断言的绑定中建立信任。(验证也可能意味着正式批准某事;例如,NIST验证加密模块是否符合FIPS PUB 140-1。)

The rationale for Rule 2 is that "verify" derives from a word that means "true" in Latin. Thus, to verify means to prove the truth of an assertion by examining evidence or performing tests. To verify an identity, an authentication process examines identification information that is presented or generated. To validate a certificate, a certificate user verifies the digital signature on the certificate by performing calculations; verifies that the current time is within the certificate's validity period; and may need to validate a certification path involving additional certificates.

规则2的基本原理是,“验证”一词源自拉丁语中“真实”的意思。因此,验证意味着通过检查证据或进行测试来证明断言的真实性。为了验证身份,身份验证过程检查呈现或生成的身份信息。为了验证证书,证书用户通过执行计算来验证证书上的数字签名;验证当前时间是否在证书的有效期内;并且可能需要验证涉及其他证书的证书路径。

$ validation See: validate vs. verify.

$ 验证请参见:验证与验证。

$ validity period (I) A data item in a digital certificate that specifies the time period for which the binding between data items (especially between the subject name and the public key value in a public-key certificate) is valid, except if the certificate appears on a CRL or the key appears on a CKL.

$ 有效期(I)数字证书中的数据项,指定数据项之间的绑定(尤其是公钥证书中的使用者名称和公钥值之间的绑定)有效的时间段,除非证书出现在CRL上或密钥出现在CKL上。

$ value-added network (VAN) (I) A computer network or subnetwork (which is usually a commercial enterprise) that transmits, receives, and stores EDI transactions on behalf of its customers.

$ 增值网络(VAN)(I)代表客户传输、接收和存储EDI交易的计算机网络或子网络(通常为商业企业)。

(C) A VAN may also provide additional services, ranging from EDI format translation, to EDI-to-FAX conversion, to integrated business systems.

(C) VAN还可以提供其他服务,从EDI格式转换到EDI到传真转换,再到集成业务系统。

$ VAN See: value-added network.

$ VAN See:增值网络。

$ verification 1. System verification: The process of comparing two levels of system specification for proper correspondence, such as comparing a security policy with a top-level specification, a top-level specification with source code, or source code with object code. [NCS04]

$ 核查1。系统验证:比较两个级别的系统规范是否正确对应的过程,例如将安全策略与顶级规范、顶级规范与源代码或源代码与目标代码进行比较。[NCS04]

2. Identification verification: Presenting information to establish the truth of a claimed identity.

2. 身份验证:提供信息以确定所声称身份的真实性。

$ verify See: validate vs. verify.

$ 验证请参见:验证与验证。

$ violation See: security violation.

$ 违规请参阅:安全违规。

$ virtual private network (VPN) (I) A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.

$ 虚拟专用网(VPN)(I)一种限制使用的逻辑(即人工或模拟)计算机网络,由相对公开的物理(即真实)网络(如互联网)的系统资源构成,通常使用加密(位于主机或网关上),通常通过隧道连接虚拟网络和真实网络。

(C) For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.

(C) 例如,如果一家公司在几个不同的站点上有局域网,每个站点都通过防火墙连接到Internet,那么该公司可以通过以下方式创建VPN:(a)使用加密隧道跨Internet从防火墙连接到防火墙;(b)不允许任何其他流量通过防火墙。VPN的构建和运行成本通常低于专用真实网络,因为虚拟网络与真实网络的其他用户共享系统资源成本。

$ virus (I) A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting--i.e., inserting a copy of itself into and becoming part of--another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

$ 病毒(I)计算机软件的一个隐藏的、自我复制的部分,通常是恶意逻辑,通过感染(即,将自身的一个副本插入另一个程序并成为其一部分)进行传播。病毒不能自行运行;它要求运行主机程序以激活病毒。

$ VPN See: virtual private network.

$ VPN请参阅:虚拟专用网络。

$ vulnerability (I) A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

$ 漏洞(I)系统设计、实施或操作和管理中的缺陷或弱点,可被利用来违反系统的安全策略。

(C) Most systems have vulnerabilities of some sort, but this does not mean that the systems are too flawed to use. Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of attacks, and the effectiveness of any countermeasures in use. If the attacks needed to exploit a vulnerability are very difficult to carry out, then the vulnerability may be tolerable. If the

(C) 大多数系统都有某种类型的漏洞,但这并不意味着系统有太多缺陷而无法使用。并非所有威胁都会导致攻击,也并非所有攻击都会成功。成功与否取决于脆弱性的程度、攻击的强度以及所使用的任何对策的有效性。如果利用漏洞所需的攻击很难实施,那么该漏洞可能是可以容忍的。如果

perceived benefit to an attacker is small, then even an easily exploited vulnerability may be tolerable. However, if the attacks are well understood and easily made, and if the vulnerable system is employed by a wide range of users, then it is likely that there will be enough benefit for someone to make an attack.

攻击者感知到的好处很小,那么即使是容易被攻击的漏洞也可以容忍。然而,如果攻击被很好地理解并且容易进行,并且如果易受攻击的系统被广泛的用户使用,那么很可能有足够的好处让某人进行攻击。

$ W3 See: World Wide Web.

$ W3见:万维网。

$ war dialer (I) A computer program that automatically dials a series of telephone numbers to find lines connected to computer systems, and catalogs those numbers so that a cracker can try to break into the systems.

$ 战争拨号器(I)一种计算机程序,它自动拨打一系列电话号码,以查找与计算机系统相连的线路,并对这些号码进行编目,以便黑客可以尝试闯入这些系统。

$ Wassenaar Arrangement (N) The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a global, multilateral agreement approved by 33 countries in July 1996 to contribute to regional and international security and stability, by promoting information exchange concerning, and greater responsibility in, transfers of arms and dual-use items, thus preventing destabilizing accumulations. (See: International Traffic in Arms Regulations.)

$ 瓦塞纳尔安排(N)《关于常规武器及两用货物和技术出口管制的瓦塞纳尔安排》是一项全球多边协定,于1996年7月获得33个国家的批准,目的是通过促进有关下列方面的信息交流和更大的责任,促进区域和国际安全与稳定:,武器和两用物品的转让,从而防止破坏稳定的积累。(见:国际武器贩运条例。)

(C) The Arrangement began operations in September 1996. The participating countries are Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, and United States. Participants meet on a regular basis in Vienna, where the Arrangement has its headquarters.

(C) 该安排于1996年9月开始运作。参与国为阿根廷、澳大利亚、奥地利、比利时、保加利亚、加拿大、捷克共和国、丹麦、芬兰、法国、德国、希腊、匈牙利、爱尔兰、意大利、日本、卢森堡、荷兰、新西兰、挪威、波兰、葡萄牙、大韩民国、罗马尼亚、俄罗斯联邦、斯洛伐克共和国、西班牙、瑞典、瑞士、土耳其、,乌克兰、英国和美国。与会者定期在维也纳举行会议,该安排在那里设有总部。

Participating countries seek through their national policies to ensure that transfers do not contribute to the development or enhancement of military capabilities that undermine the goals of the arrangement, and are not diverted to support such capabilities. The countries maintain effective export controls for items on the agreed lists, which are reviewed periodically to account for technological developments and experience gained. Through transparency and exchange of views and information, suppliers of arms and dual-use items can develop common understandings of the risks associated with their transfer and assess the scope for coordinating national control policies to combat these risks. Members provide semi-annual notification of arms transfers, covering seven categories derived from the UN

参与国通过其国家政策寻求确保转让不会有助于发展或增强破坏《安排》目标的军事能力,也不会被转用于支持这种能力。这些国家对商定清单上的物品保持有效的出口管制,并定期审查这些物品,以说明技术发展和取得的经验。通过透明度和交换意见和信息,武器和两用物品的供应商可以就与武器和两用物品转让有关的风险达成共识,并评估协调国家管制政策以应对这些风险的范围。成员国每半年提供一次武器转让通知,涵盖来自联合国的七类武器

Register of Conventional Arms. Members also report transfers or denials of transfers of certain controlled dual-use items. However, the decision to transfer or deny transfer of any item is the sole responsibility of each participating country. All measures undertaken with respect to the arrangement are in accordance with national legislation and policies and are implemented on the basis of national discretion.

常规武器登记册。成员国还报告转让或拒绝转让某些受管制的两用物品。然而,转让或拒绝转让任何物品的决定是每个参与国的唯一责任。与该安排有关的所有措施均符合国家立法和政策,并在国家自由裁量权的基础上实施。

$ watermarking See: digital watermarking.

$ 水印参见:数字水印。

$ web of trust (O) PGP usage: A trust-file PKI technique used in PGP for building a file of validated public keys by making personal judgments about being able to trust certain people to be holding properly certified keys of other people. (See: certification hierarchy, mesh PKI.)

$ 信任网(O)PGP用法:PGP中使用的一种信任文件PKI技术,用于通过个人判断是否能够信任某些人持有其他人正确认证的密钥,从而构建一个有效公钥文件。(请参阅:证书层次结构,mesh PKI。)

$ web server (I) A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers.

$ web服务器(I)在连接到Internet的主机上运行的软件进程,用于响应客户端web浏览器对文档的HTTP请求。

$ web vs. Web 1. (I) Capitalized: ISDs SHOULD capitalize "Web" when using the term (as either a noun or an adjective) to refer specifically to the World Wide Web. (Similarly, see: internet vs. Internet.)

$ 网络对网络1。(一) 大写:ISDs在使用术语(作为名词或形容词)专门指代万维网时,应将“Web”大写。(类似地,请参见:互联网与互联网。)

2. (C) Not capitalized: ISDs SHOULD NOT capitalize "web" when using the term (usually as an adjective) to refer generically to technology--such as web browsers, web servers, HTTP, and HTML-- that is used in the Web or similar networks.

2. (C) 不大写:ISDs在使用术语(通常作为形容词)泛指web或类似网络中使用的技术(如web浏览器、web服务器、HTTP和HTML)时,不应将“web”大写。

(C) IETF documents SHOULD spell out "World Wide Web" fully at the first instance of usage and SHOULD Use "Web" and "web" especially carefully where confusion with the PGP "web of trust" is possible.

(C) IETF文件应在第一次使用时就充分说明“万维网”,并在可能与PGP“信任网”混淆的情况下特别小心地使用“网络”和“网络”。

$ wiretapping (I) An attack that intercepts and accesses data and other information contained in a flow in a communication system.

$ 窃听(I)截获和访问通信系统中包含在流中的数据和其他信息的攻击。

(C) Although the term originally referred to making a mechanical connection to an electrical conductor that links two nodes, it is now used to refer to reading information from any sort of medium used for a link or even directly from a node, such as gateway or subnetwork switch.

(C) 虽然该术语最初指的是与连接两个节点的电导体进行机械连接,但现在用于指从用于链接的任何类型的介质中读取信息,甚至直接从节点(如网关或子网络交换机)读取信息。

(C) "Active wiretapping" attempts to alter the data or otherwise affect the flow; "passive wiretapping" only attempts to observe the flow and gain knowledge of information it contains. (See: active attack, end-to-end encryption, passive attack.)

(C) “主动窃听”试图改变数据或以其他方式影响流量;“被动窃听”只是试图观察信息流并获取其所包含信息的知识。(请参阅:主动攻击、端到端加密、被动攻击。)

$ work factor (I) General security usage: The estimated amount of effort or time that can be expected to be expended by a potential intruder to penetrate a system, or defeat a particular countermeasure, when using specified amounts of expertise and resources.

$ 工作因素(I)一般安全使用:当使用指定数量的专业知识和资源时,潜在入侵者为穿透系统或击败特定对策而预计花费的工作量或时间。

(I) Cryptography usage: The estimated amount of computing time and power needed to break a cryptographic system.

(一) 密码使用:破解密码系统所需的估计计算时间和功率。

$ World Wide Web ("the Web", WWW, W3) (N) The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms. (See: web vs. Web, [R2084].)

$ 万维网(“万维网”,WWW,W3)(N)基于超媒体的全球性信息和服务集合,可在互联网服务器上使用,并可通过浏览器使用超文本传输协议和其他信息检索机制进行访问。(参见:网络vs.网络[R2084]。)

$ worm (I) A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. (See: Morris Worm, virus.)

$ worm(I)可以独立运行的计算机程序,可以将自身的完整工作版本传播到网络上的其他主机上,并可能以破坏性方式消耗计算机资源。(见:莫里斯蠕虫病毒)

$ wrap (O) To use cryptography to provide data confidentiality service for a data object. (See: encrypt, seal.)

$ wrap(O)使用加密技术为数据对象提供数据机密性服务。(请参见:加密、密封。)

(D) ISDs SHOULD NOT use this term with this definition because it duplicates the meaning of other, standard terms. Instead, use "encrypt" or use a term that is specific with regard to the mechanism used.

(D) ISDs不应将此术语与此定义一起使用,因为它与其他标准术语的含义重复。相反,使用“加密”或使用特定于所用机制的术语。

$ WWW See: World Wide Web.

$ WWW见:万维网。

$ X.400 (N) An ITU-T Recommendation [X400] that is one part of a joint ITU-T/ISO multi-part standard (X.400-X.421) that defines the Message Handling Systems. (The ISO equivalent is IS 10021, parts 1-7.) (See: Message Handling Systems.)

$ X.400(N)ITU-T建议[X400],是定义信息处理系统的ITU-T/ISO多部分联合标准(X.400-X.421)的一部分。(ISO等效标准为10021,第1-7部分)(参见:信息处理系统。)

$ X.500 $ X.500 Directory (N) An ITU-T Recommendation [X500] that is one part of a joint ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500

$ X.500$X.500目录(N)ITU-T建议[X500],是定义X.500的ITU-T/ISO多部分联合标准(X.500-X.525)的一部分

Directory, a conceptual collection of systems that provide distributed directory capabilities for OSI entities, processes, applications, and services. (The ISO equivalent is IS 9594-1 and related standards, IS 9594-x.) (See: directory vs. Directory, X.509.)

目录,为OSI实体、进程、应用程序和服务提供分布式目录功能的系统的概念集合。(ISO等效标准为9594-1,相关标准为9594-x)(参见:目录与目录,x.509。)

(C) The X.500 Directory is structured as a tree (the Directory Information Tree), and information is stored in directory entries. Each entry is a collection of information about one object, and each object has a DN. A directory entry is composed of attributes, each with a type and one or more values. For example, if a PKI uses the Directory to distribute certificates, then the X.509 public-key certificate of an end user is normally stored as a value of an attribute of type "userCertificate" in the Directory entry that has the DN that is the subject of the certificate.

(C) X.500目录结构为一棵树(目录信息树),信息存储在目录条目中。每个条目都是关于一个对象的信息集合,每个对象都有一个DN。目录项由属性组成,每个属性都有一个类型和一个或多个值。例如,如果PKI使用目录分发证书,则最终用户的X.509公钥证书通常作为“userCertificate”类型属性的值存储在具有作为证书主题的DN的目录条目中。

$ X.509 (N) An ITU-T Recommendation [X509] that defines a framework to provide and support data origin authentication and peer entity authentication services, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs. (The ISO equivalent is IS 9498-4.) (See: X.500.)

$ X.509(N)ITU-T建议[X509],该建议定义了一个框架,以提供和支持数据源身份验证和对等实体身份验证服务,包括X.509公钥证书、X.509属性证书和X.509 CRL的格式。(ISO等效标准为9498-4)(参见:X.500。)

(C) X.509 describes two levels of authentication: simple authentication based on a password, and strong authentication based on a public-key certificate.

(C) X.509描述了两个级别的身份验证:基于密码的简单身份验证和基于公钥证书的强身份验证。

$ X.509 attribute certificate (N) An attribute certificate in the version 1 (v1) format defined by X.509. (The v1 designation for an X.509 attribute certificate is disjoint from the v1 designation for an X.509 public-key certificate, and from the v1 designation for an X.509 CRL.)

$ X.509属性证书(N)X.509定义的版本1(v1)格式的属性证书。(X.509属性证书的v1指定与X.509公钥证书的v1指定和X.509 CRL的v1指定不相交。)

(C) An X.509 attribute certificate has a subject field, but the attribute certificate is a separate data structure from that subject's public-key certificate. A subject may have multiple attribute certificates associated with each of its public-key certificates, and an attribute certificate may be issued by a different CA than the one that issued the associated public-key certificate.

(C) X.509属性证书有一个subject字段,但属性证书是一个独立于该subject的公钥证书的数据结构。一个主体可以有多个属性证书与其每个公钥证书相关联,并且属性证书可以由不同于颁发相关公钥证书的CA颁发。

(C) An X.509 attribute certificate contains a sequence of data items and has a digital signature that is computed from that sequence. In addition to the signature, an attribute certificate contains items 1 through 9 listed below:

(C) X.509属性证书包含一系列数据项,并具有根据该序列计算的数字签名。除签名外,属性证书还包含下列第1项至第9项:

1. version Identifies v1. 2. subject Is one of the following: 2a. baseCertificateID - Issuer and serial number of an X.509 public-key certificate. 2b. subjectName - DN of the subject. 3. issuer DN of the issuer (the CA who signed). 4. signature OID of algorithm that signed the cert.

1. 版本标识v1。2.主题是以下内容之一:2a。baseCertificateID—X.509公钥证书的颁发者和序列号。2b。subjectName—主题的DN。3.发行人(签名的CA)的发行人DN。4.签名证书的算法的签名OID。

5. serialNumber Certificate serial number; an integer assigned by the issuer. 6. attCertValidityPeriod Validity period; a pair of UTCTime values: "not before" and "not after". 7. attributes Sequence of attributes describing the subject. 8. issuerUniqueId Optional, when a DN is not sufficient. 9. extensions Optional.

5. 序列号证书序列号;由颁发者分配的整数。6.attCertValidityPeriod有效期;一对UTCTime值:“不在之前”和“不在之后”。7.属性描述主题的属性序列。8.当DN不足时,issuerUniqueId可选。9扩展是可选的。

$ X.509 authority revocation list (N) An ARL in one of the formats defined by X.509--version 1 (v1) or version 2 (v2). A specialized kind of certificate revocation list.

$ X.509权限撤销列表(N)采用X.509版本1(v1)或版本2(v2)定义的格式之一的ARL。一种特殊类型的证书吊销列表。

$ X.509 certificate (N) Either an X.509 public-key certificate or an X.509 attribute certificate.

$ X.509证书(N)X.509公钥证书或X.509属性证书。

(C) This Glossary uses the term with the precise meaning recommended here. However, some who use the term may not be aware that X.509 specifies attribute certificates that do not contain a public key. Even among those who are aware, this term is commonly used as an abbreviation to mean "X.509 public-key certificate". ISDs MAY use the term as an abbreviation for "X.509 public-key certificate", but only after using the full term at the first instance.

(C) 本词汇表使用的术语具有此处推荐的确切含义。但是,一些使用该术语的人可能不知道X.509指定的属性证书不包含公钥。即使在那些知道的人中,这个术语也常用作“X.509公钥证书”的缩写。ISDs可使用该术语作为“X.509公钥证书”的缩写,但仅在首次使用完整术语后使用。

(D) ISDs SHOULD NOT use this term as an abbreviation to mean "X.509 attribute certificate".

(D) ISDs不应将此术语用作“X.509属性证书”的缩写。

$ X.509 certificate revocation list (CRL) (N) A CRL in one of the formats defined by X.509--version 1 (v1) or version 2 (v2). (The v1 and v2 designations for an X.509 CRL are disjoint from the v1 and v2 designations for an X.509 public-key certificate, and from the v1 designation for an X.509 attribute certificate.) (See: certificate revocation.)

$ X.509证书撤销列表(CRL)(N)采用X.509版本1(v1)或版本2(v2)定义的格式之一的CRL。(X.509 CRL的v1和v2指定与X.509公钥证书的v1和v2指定以及X.509属性证书的v1指定不相交。)(请参阅:证书吊销。)

(C) ISDs SHOULD NOT refer to an X.509 CRL as a digital certificate, but note that an X.509 CRL does meet this Glossary's definition of "digital certificate". Like a digital certificate,

(C) ISDs不应将X.509 CRL称为数字证书,但请注意,X.509 CRL确实符合本术语表中“数字证书”的定义。就像数字证书一样,

an X.509 CRL makes an assertion and is signed by a CA. But instead of binding a key or other attributes to a subject, an X.509 CRL asserts that certain previously-issued X.509 certificates have been revoked.

X.509 CRL进行断言并由CA签名。但X.509 CRL不是将密钥或其他属性绑定到主题,而是断言某些以前颁发的X.509证书已被吊销。

(C) An X.509 CRL contains a sequence of data items and has a digital signature computed on that sequence. In addition to the signature, both v1 and v2 contain items 2 through 6b listed below. Version 2 contains item 1 and may optionally contain 6c and 7.

(C) X.509 CRL包含一个数据项序列,并根据该序列计算数字签名。除签名外,v1和v2均包含下列第2项至第6b项。版本2包含第1项,并且可以选择包含6c和7项。

1. version Optional. If present, identifies v2. 2. signature OID of the algorithm that signed CRL. 3. issuer DN of the issuer (the CA who signed). 4. thisUpdate A UTCTime value. 5. nextUpdate A UTCTime value. 6. revokedCertificates 3-tuples of 6a, 6b, and (optional) 6c: 6a. userCertificate A certificate's serial number. 6b. revocationDate UTCTime value for the revocation date. 6c. crlEntryExtensions Optional. 7. crlExtensions Optional.

1. 版本可选。如果存在,则标识v2。2.签名CRL的算法的签名OID。3.发行人(签名的CA)的发行人DN。4.这将更新UTCTime值。5.nextUpdate一个UTCTime值。6.撤销6a、6b和(可选)6c:6a的3元组证书。userCertificate证书的序列号。6b。吊销日期的revocationDate UTCTime值。6c。crlEntryExtensions可选。7.CRL是可选的。

$ X.509 public-key certificate (N) A public-key certificate in one of the formats defined by X.509--version 1 (v1), version 2 (v2), or version 3 (v3). (The v1 and v2 designations for an X.509 public-key certificate are disjoint from the v1 and v2 designations for an X.509 CRL, and from the v1 designation for an X.509 attribute certificate.)

$ X.509公钥证书(N)采用X.509版本1(v1)、版本2(v2)或版本3(v3)定义的格式之一的公钥证书。(X.509公钥证书的v1和v2指定与X.509 CRL的v1和v2指定以及X.509属性证书的v1指定不相交。)

(C) An X.509 public-key certificate contains a sequence of data items and has a digital signature computed on that sequence. In addition to the signature, all three versions contain items 1 through 7 listed below. Only v2 and v3 certificates may also contain items 8 and 9, and only v3 may contain item 10.

(C) X.509公钥证书包含一系列数据项,并具有根据该序列计算的数字签名。除签名外,所有三个版本均包含下列第1项至第7项。只有v2和v3证书可以包含第8项和第9项,只有v3可以包含第10项。

1. version Identifies v1, v2, or v3. 2. serialNumber Certificate serial number; an integer assigned by the issuer. 3. signature OID of algorithm that was used to sign the certificate. 4. issuer DN of the issuer (the CA who signed). 5. validity Validity period; a pair of UTCTime values: "not before" and "not after". 6. subject DN of entity who owns the public key. 7. subjectPublicKeyInfo Public key value and algorithm OID. 8. issuerUniqueIdentifier Defined for v2, v3; optional. 9. subjectUniqueIdentifier Defined for v2, v2; optional. 10. extensions Defined only for v3; optional.

1. 版本标识v1、v2或v3。2.序列号证书序列号;由颁发者分配的整数。3.用于对证书进行签名的算法的签名OID。4.发行人(签名的CA)的发行人DN。5.有效期;一对UTCTime值:“不在之前”和“不在之后”。6.拥有公钥的实体的主题DN。7.subjectPublicKeyInfo公钥值和算法OID。8.为v2、v3定义的issuerUniqueIdentifier;可选择的9为v2定义的subjectionIdentifier,v2;可选择的10仅为v3定义的扩展;可选择的

$ XTACACS See: (secondary definition under) Terminal Access Controller (TAC) Access Control System.

$ XTACACS请参见:(第二定义)终端访问控制器(TAC)访问控制系统。

$ Yellow Book (D) ISDs SHOULD NOT use this term as a synonym for "Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments" [CSC3]. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: (usage note under) Green Book, Rainbow Series.)

$ 黄皮书(D)ISDs不应将此术语用作“计算机安全要求:在特定环境中应用国防部可信计算机系统评估标准指南”的同义词[CSC3]。取而代之的是,使用文件的全称,或者在后续参考文献中使用常规缩写。(见:(使用说明下)绿皮书,彩虹系列。)

$ zeroize (I) Use erasure or other means to render stored data unusable and unrecoverable, particularly a key stored in a cryptographic module or other device.

$ zeroize(I)使用擦除或其他方式使存储的数据不可用和不可恢复,尤其是存储在加密模块或其他设备中的密钥。

(O) Erase electronically stored data by altering the contents of the data storage so as to prevent the recovery of the data. [FP140]

(O) 通过改变数据存储器的内容来擦除以电子方式存储的数据,以防止数据恢复。[FP140]

4. References
4. 工具书类

This Glossary focuses on the Internet Standards Process. Therefore, this set of references emphasizes international, governmental, and industry standards documents; only a few other texts are listed. RFCs are listed, but not Internet-Drafts, because the latter are not an archival document series and should not be cited or quoted in an RFC.

本术语表重点介绍互联网标准过程。因此,这组参考文件强调国际、政府和行业标准文件;只列出了少数其他文本。列出了RFC,但未列出互联网草稿,因为后者不是档案文件系列,不应在RFC中引用。

[A3092] American National Standards Institute, "American National Standard Data Encryption Algorithm", ANSI X3.92-1981, 30 Dec 1980.

[A3092]美国国家标准协会,“美国国家标准数据加密算法”,ANSI X3.92-1981,1980年12月30日。

   [A9009]  ---, "Financial Institution Message Authentication
            (Wholesale)", ANSI X9.9-1986, 15 Aug 1986.
        
   [A9009]  ---, "Financial Institution Message Authentication
            (Wholesale)", ANSI X9.9-1986, 15 Aug 1986.
        
   [A9017]  ---, "Financial Institution Key Management (Wholesale)",
            X9.17, 4 Apr 1985. [Defines procedures for the manual and
            automated management of keying material and uses DES to
            provide key management for a variety of operational
            environments.]
        
   [A9017]  ---, "Financial Institution Key Management (Wholesale)",
            X9.17, 4 Apr 1985. [Defines procedures for the manual and
            automated management of keying material and uses DES to
            provide key management for a variety of operational
            environments.]
        
   [A9042]  ---, "Public key Cryptography for the Financial Service
            Industry: Agreement of Symmetric Keys Using Diffie-Hellman
            and MQV Algorithms", X9.42, 29 Jan 1999.
        
   [A9042]  ---, "Public key Cryptography for the Financial Service
            Industry: Agreement of Symmetric Keys Using Diffie-Hellman
            and MQV Algorithms", X9.42, 29 Jan 1999.
        
   [A9052]  ---, "Triple Data Encryption Algorithm Modes of Operation",
            X9.52-1998, ANSI approval 9 Nov 1998.
        
   [A9052]  ---, "Triple Data Encryption Algorithm Modes of Operation",
            X9.52-1998, ANSI approval 9 Nov 1998.
        
   [A9062]  ---, "Public Key Cryptography for the Financial Services
            Industry: The Elliptic Curve Digital Signature Algorithm
            (ECDSA)", X9.62-1998, ANSI approval 7 Jan 1999.
        
   [A9062]  ---, "Public Key Cryptography for the Financial Services
            Industry: The Elliptic Curve Digital Signature Algorithm
            (ECDSA)", X9.62-1998, ANSI approval 7 Jan 1999.
        

[ABA] American Bar Association, "Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce", Chicago, IL, 1 Aug 1996.

[ABA]美国律师协会,“数字签名指南:认证机构和安全电子商务的法律基础设施”,伊利诺伊州芝加哥,1996年8月1日。

[ACM] Association for Computing Machinery, "Communications of the ACM", Jul 1998 issue with: Minerva M. Yeung, "Digital Watermarking"; Nasir Memom and Ping Wah Wong, "Protecting Digital Media Content"; and Scott Craver, Boon-Lock Yeo, and Minerva Yeung, "Technical Trials and Legal Tribulations".

[ACM]计算机械协会,“ACM的通信”,1998年7月号,作者:Minerva M.Yang,“数字水印”;Nasir回忆录和王平华,“保护数字媒体内容”;Scott Craver、Boon Lock Yeo和Minerva Yeung,“技术审判和法律磨难”。

[Army] U.S. Army Corps of Engineers, "Electromagnetic Pulse (EMP) and Tempest Protection for Facilities", EP 1110-3-2, 31 Dec 1990.

[陆军]美国陆军工程兵团,“设施的电磁脉冲(EMP)和暴风雨防护”,EP 1110-3-2,1990年12月31日。

[B7799] British Standards Institution, "Information Security Management, Part 1: Code of Practice for Information Security Management", BS 7799-1:1999, effective 15 May 1999.

[B7799]英国标准协会,“信息安全管理,第1部分:信息安全管理实施规程”,BS 7799-1:1999,1999年5月15日生效。

            ---, ---, "Part 2: Specification for Information Security
            Management Systems", BS 7799-2:1999, effective 15 May 1999.
        
            ---, ---, "Part 2: Specification for Information Security
            Management Systems", BS 7799-2:1999, effective 15 May 1999.
        

[Bell] D. E. Bell and L. J. LaPadula, "Secure Computer Systems: Mathematical Foundations and Model", M74-244, The MITRE Corporation, Bedford, MA, May 1973. (Available as AD-771543, National Technical Information Service, Springfield, VA.)

[Bell]D.E.Bell和L.J.LaPadula,“安全计算机系统:数学基础和模型”,M74-244,麻省贝德福德米特尔公司,1973年5月。(可作为AD-771543,弗吉尼亚州斯普林菲尔德国家技术信息服务局提供。)

[CCIB] Common Criteria Implementation Board, "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model", ver. 2.1, CCIB-99-01, Aug 1999.

[CCIB]通用标准实施委员会,“信息技术安全评估通用标准,第1部分:简介和通用模型”,第。2.1,CCIB-99-01,1999年8月。

[CIPSO] Trusted Systems Interoperability Working Group, "Common IP Security Option", ver. 2.3, 9 Mar 1993. [A "work in progress" that is probably defunct.]

[CIPSO]可信系统互操作性工作组,“通用IP安全选项”,版本:。2.3,1993年3月9日。[可能已经失效的“正在进行的工作”。]

[CSC1] U.S. Department of Defense Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", CSC-STD-001-83, 15 Aug 1983. (Superseded by [DOD1].)

[CSC1]美国国防部计算机安全中心,“国防部可信计算机系统评估标准”,CSC-STD-001-831983年8月15日。(被[DOD1]取代)

   [CSC2]   ---, "Department of Defense Password Management Guideline",
            CSC-STD-002-85, 12 Apr 1985.
        
   [CSC2]   ---, "Department of Defense Password Management Guideline",
            CSC-STD-002-85, 12 Apr 1985.
        
   [CSC3]   ---, "Computer Security Requirements: Guidance for Applying
            the Department of Defense Trusted Computer System Evaluation
            Criteria in Specific Environments", CSC-STD-003-85, 25 Jun
            1985.
        
   [CSC3]   ---, "Computer Security Requirements: Guidance for Applying
            the Department of Defense Trusted Computer System Evaluation
            Criteria in Specific Environments", CSC-STD-003-85, 25 Jun
            1985.
        

[CSOR] U.S. Department of Commerce, "General Procedures for Registering Computer Security Objects", National Institute of Standards Interagency Report 5308, Dec 1993.

[CSOR]美国商务部,“注册计算机安全对象的一般程序”,国家标准协会机构间报告5308,1993年12月。

[Denn] D. E. Denning, "A Lattice Model of Secure Information Flow", in "Communications of the ACM", vol. 19, no. 5, May 1976, pp. 236-243.

[Denn]D.E.Denning,“安全信息流的晶格模型”,载于“ACM的通信”,第19卷,第5期,1976年5月,第236-243页。

[DH76] W. Diffie and M. H. Hellman, "New Directions in Cryptography" in "IEEE Transactions on Information Theory", vol. IT-22, no. 6, Nov 1976, pp. 644-654.

[DH76]W.Diffie和M.H.Hellman,“密码学的新方向”,摘自《IEEE信息论交易》,第IT-22卷,第6期,1976年11月,第644-654页。

[DOD1] U.S. Department of Defense, "Department of Defense Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, 26 Dec 1985. (Supersedes [CSC1].)

[DOD1]美国国防部,“国防部可信计算机系统评估标准”,国防部5200.28-STD,1985年12月26日。(取代[CSC1]。)

   [DOD2]   ---, Directive 5200.28, "Security Requirements for Automated
            Information Systems (AISs)", 21 Mar 1988.
        
   [DOD2]   ---, Directive 5200.28, "Security Requirements for Automated
            Information Systems (AISs)", 21 Mar 1988.
        
   [DOD3]   ---, "X.509 Certificate Policy", ver. 2, Mar 1999.
        
   [DOD3]   ---, "X.509 Certificate Policy", ver. 2, Mar 1999.
        
   [DOD4]   ---, "NSA Key Recovery Assessment Criteria", 8 Jun 1998.
        
   [DOD4]   ---, "NSA Key Recovery Assessment Criteria", 8 Jun 1998.
        

[ElGa] T. El Gamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" in "IEEE Transactions on Information Theory", vol. IT-31, no. 4, 1985, pp. 469- 472.

[ElGa]T.El Gamal,“基于离散对数的公钥密码系统和签名方案”,载于“IEEE信息论交易”,第IT-31卷,第4期,1985年,第469-472页。

[EMV1] Europay International S.A., MasterCard International Incorporated, and Visa International Service Association, "EMV '96 Integrated Circuit Card Specification for Payment Systems", ver. 3.1.1, 31 May 1998.

[EMV1]Europay International S.A.,MasterCard International Incorporated和Visa国际服务协会,“支付系统用EMV'96集成电路卡规范”,版本。3.1.1,1998年5月31日。

   [EMV2]   ---, "EMV '96 Integrated Circuit Card Terminal Specification
            for Payment Systems", ver. 3.1.1, 31 May 1998.
        
   [EMV2]   ---, "EMV '96 Integrated Circuit Card Terminal Specification
            for Payment Systems", ver. 3.1.1, 31 May 1998.
        
   [EMV3]   ---, EMV '96 Integrated Circuit Card Application
            Specification for Payment Systems", ver. 3.1.1, 31 May 1998.
        
   [EMV3]   ---, EMV '96 Integrated Circuit Card Application
            Specification for Payment Systems", ver. 3.1.1, 31 May 1998.
        

[For94] W. Ford, "Computer Communications Security: Principles, Standard Protocols and Techniques", ISBN 0-13-799453-2, 1994.

[For 94]W.Ford,“计算机通信安全:原理、标准协议和技术”,ISBN 0-13-799453-21994。

[For97] W. Ford and M. Baum, "Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption", ISBN 0-13-476342-4, 1994.

[97]W.Ford和M.Baum,“安全电子商务:构建数字签名和加密基础设施”,ISBN 0-13-476342-41994。

[FP031] U.S. Department of Commerce, "Guidelines for Automatic Data Processing Physical Security and Risk Management", Federal Information Processing Standards Publication (FIPS PUB) 31, Jun 1974.

[FP031]美国商务部,“自动数据处理物理安全和风险管理指南”,联邦信息处理标准出版物(FIPS PUB)311974年6月。

   [FP039]  ---, "Glossary for Computer Systems Security", FIPS PUB 39,
            15 Feb 1976.
        
   [FP039]  ---, "Glossary for Computer Systems Security", FIPS PUB 39,
            15 Feb 1976.
        
   [FP046]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-2, 30 Dec
            1993.
        
   [FP046]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-2, 30 Dec
            1993.
        
   [FP081]  ---, "DES Modes of Operation", FIPS PUB 81, 2 Dec 1980.
        
   [FP081]  ---, "DES Modes of Operation", FIPS PUB 81, 2 Dec 1980.
        
   [FP102]  ---, "Guideline for Computer Security Certification and
            Accreditation", FIPS PUB 102, 27 Sep 1983.
        
   [FP102]  ---, "Guideline for Computer Security Certification and
            Accreditation", FIPS PUB 102, 27 Sep 1983.
        
   [FP113]  ---, "Computer Data Authentication", FIPS PUB 113, 30 May
            1985.
        
   [FP113]  ---, "Computer Data Authentication", FIPS PUB 113, 30 May
            1985.
        
   [FP140]  ---, "Security Requirements for Cryptographic Modules", FIPS
            PUB 140-1, 11 Jan 1994.
        
   [FP140]  ---, "Security Requirements for Cryptographic Modules", FIPS
            PUB 140-1, 11 Jan 1994.
        
   [FP151]  ---, "Portable Operating System Interface (POSIX)--System
            Application Program Interface [C Language]", FIPS PUB 151-2,
            12 May 1993
        
   [FP151]  ---, "Portable Operating System Interface (POSIX)--System
            Application Program Interface [C Language]", FIPS PUB 151-2,
            12 May 1993
        
   [FP180]  ---, "Secure Hash Standard", FIPS PUB 180-1, 17 Apr 1995.
        
   [FP180]  ---, "Secure Hash Standard", FIPS PUB 180-1, 17 Apr 1995.
        
   [FP185]  ---, "Escrowed Encryption Standard", FIPS PUB 185, 9 Feb
            1994.
        
   [FP185]  ---, "Escrowed Encryption Standard", FIPS PUB 185, 9 Feb
            1994.
        
   [FP186]  ---, "Digital Signature Standard (DSS)", FIPS PUB 186, 19
            May 1994.
        
   [FP186]  ---, "Digital Signature Standard (DSS)", FIPS PUB 186, 19
            May 1994.
        
   [FP188]  ---, "Standard Security Label for Information Transfer",
            FIPS PUB 188, 6 Sep 1994.
        
   [FP188]  ---, "Standard Security Label for Information Transfer",
            FIPS PUB 188, 6 Sep 1994.
        

[FPDAM] Collaborative ITU and ISO/IEC meeting on the Directory, "Final Proposed Draft Amendment on Certificate Extensions", April 1999. (This draft proposes changes to [X.509].)

[FPDAM]国际电联和国际标准化组织/国际电工委员会关于目录的合作会议,“关于证书延期的最终拟议修正草案”,1999年4月。(本草案建议对[X.509]进行修改。)

[FPKI] U.S. Department of Commerce, "Public Key Infrastructure (PKI) Technical Specifications: Part A--Technical Concept of Operations", National Institute of Standards, 4 Sep 1998.

[FPKI]美国商务部,“公钥基础设施(PKI)技术规范:A部分——操作的技术概念”,国家标准协会,1998年9月4日。

[I3166] International Standards Organization, "Codes for the Representation of Names of countries and Their Subdivisions --Part 1: Country Codes", ISO 3166-1:1997.

[I3166]国际标准组织,“国家及其分支机构名称表示代码——第1部分:国家代码”,ISO 3166-1:1997。

            ---, --- "Part 2: Country Subdivision Codes", ISO/DIS 3166-
            2.
        
            ---, --- "Part 2: Country Subdivision Codes", ISO/DIS 3166-
            2.
        
            ---, --- "Part 3: Codes for Formerly Used Names of
            Countries", ISO/DIS 3166-3.
        
            ---, --- "Part 3: Codes for Formerly Used Names of
            Countries", ISO/DIS 3166-3.
        
   [I7498]  ---, "Information Processing Systems--Open Systems
            Interconnection Reference Model--[Part 1:] Basic Reference
            Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation
            X.200.)
        
   [I7498]  ---, "Information Processing Systems--Open Systems
            Interconnection Reference Model--[Part 1:] Basic Reference
            Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation
            X.200.)
        
            ---, --- "Part 2: Security Architecture", ISO/IEC 7499-2.
        
            ---, --- "Part 2: Security Architecture", ISO/IEC 7499-2.
        
            ---, --- "Part 4: Management Framework", ISO/IEC 7498-4.
        
            ---, --- "Part 4: Management Framework", ISO/IEC 7498-4.
        
   [I7812]  ---, "Identification cards--Identification of Issuers--Part
            1: Numbering System", ISO/IEC 7812-1:1993
        
   [I7812]  ---, "Identification cards--Identification of Issuers--Part
            1: Numbering System", ISO/IEC 7812-1:1993
        
            ---, --- "Part 2: Application and Registration Procedures",
            ISO/IEC 7812-2:1993.
        
            ---, --- "Part 2: Application and Registration Procedures",
            ISO/IEC 7812-2:1993.
        
   [I9945]  ---, "Portable Operating System Interface for Computer
            Environments", ISO/IEC 9945-1:1990.
        
   [I9945]  ---, "Portable Operating System Interface for Computer
            Environments", ISO/IEC 9945-1:1990.
        
   [I15408] ---, "Information Technology--Security Techniques--
            Evaluation criteria for IT Security--Part 1: Introduction
            and General Model", ISO/IEC 15408-1:1999.
        
   [I15408] ---, "Information Technology--Security Techniques--
            Evaluation criteria for IT Security--Part 1: Introduction
            and General Model", ISO/IEC 15408-1:1999.
        

[ITSEC] "Information Technology Security Evaluation Criteria (ITSEC): Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom", ver. 1.2, U.K. Department of Trade and Industry, Jun 1991.

[ITSEC]“信息技术安全评估标准(ITSEC):法国、德国、荷兰和英国的统一标准”,第。1.2,英国贸易和工业部,1991。

[Kahn] David Kahn, "The Codebreakers: The Story of Secret Writing", The Macmillan Company, New York, 1967.

大卫·卡恩,“密码破坏者:秘密写作的故事”,麦克米伦公司,纽约,1967年。

[Knuth] D. E. Knuth, Chapter 3 ("Random Numbers") in Volume 2 ("Seminumerical Algorithms") of "The Art of Computer Programming", Addison-Wesley, Reading, MA, 1969.

[Knuth]D.E.Knuth,《计算机编程艺术》第二卷(“半数值算法”)第三章(“随机数”),艾迪生·韦斯利,马萨诸塞州雷丁市,1969年。

[Kuhn] Markus G. Kuhn and Ross J. Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in David Aucsmith, ed., "Information Hiding, Second International Workshop, IH'98", Portland, Oregon, USA, 15-17 Apr 1998, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp. 124-142.

[Kuhn]Markus G.Kuhn和Ross J.Anderson,“软风暴:利用电磁辐射的隐藏数据传输”,David Aucsmith主编,“信息隐藏,第二届国际研讨会,IH'98”,美国俄勒冈州波特兰,1998年4月15日至17日,LNCS 1525,斯普林格·维拉格,ISBN 3-540-65386-4,第124-142页。

[MISPC] U.S. Department of Commerce, "Minimum Interoperability Specification for PKI Components (MISPC), Version 1", National Institute of Standards Special Publication 800-15, Sep 1997.

[MISPC]美国商务部,“PKI组件最低互操作性规范(MISPC),第1版”,国家标准协会特别出版物800-15,1997年9月。

[NCS01] National Computer Security Center, "A Guide to Understanding Audit in Trusted Systems", NCSC-TG-001, 1 Jun 1988. (Part of the Rainbow Series.)

[NCS01]国家计算机安全中心,“可信系统审计理解指南”,NCSC-TG-001,1988年6月1日。(彩虹系列的一部分。)

   [NCS04]  ---, "Glossary of Computer Security Terms", NCSC-TG-004,
            ver. 1, 21 Oct 1988. (Part of the Rainbow Series.)
        
   [NCS04]  ---, "Glossary of Computer Security Terms", NCSC-TG-004,
            ver. 1, 21 Oct 1988. (Part of the Rainbow Series.)
        
   [NCS05]  ---, "Trusted Network Interpretation of the Trusted Computer
            System Evaluation Criteria", NCSC-TG-005, ver. 1, 31 Jul
            1987. (Part of the Rainbow Series.)
        
   [NCS05]  ---, "Trusted Network Interpretation of the Trusted Computer
            System Evaluation Criteria", NCSC-TG-005, ver. 1, 31 Jul
            1987. (Part of the Rainbow Series.)
        
   [NCS25]  ---, "A Guide to Understanding Data Remanence in Automated
            Information Systems", NCSC-TG-025, ver. 2, Sep 1991. (Part
            of the Rainbow Series.)
        
   [NCS25]  ---, "A Guide to Understanding Data Remanence in Automated
            Information Systems", NCSC-TG-025, ver. 2, Sep 1991. (Part
            of the Rainbow Series.)
        
   [NIST]   National Institute of Standards and Technology, "SKIPJACK
            and KEA Algorithm Specifications", ver. 2, 29 May 1998.
            (http://csrc.nist.gov/encryption/skipjack-kea.htm)
        
   [NIST]   National Institute of Standards and Technology, "SKIPJACK
            and KEA Algorithm Specifications", ver. 2, 29 May 1998.
            (http://csrc.nist.gov/encryption/skipjack-kea.htm)
        

[PGP] Simson Garfinkel, "PGP: Pretty Good Privacy", O'Reilly & Associates, Inc., Sebastopol, CA, 1995.

[PGP]Simson Garfinkel,“PGP:相当好的隐私”,O'Reilly&Associates,Inc.,加利福尼亚州塞巴斯托波尔,1995年。

[PKCS] Burton S. Kaliski, Jr., "An Overview of the PKCS Standards", RSA Data Security, Inc., 3 Jun 1991.

[PKCS]Burton S.Kaliski,Jr.,“PKCS标准概述”,RSA数据安全公司,1991年6月3日。

[PKC07] RSA Laboratories, "PKCS #7: Cryptographic Message Syntax Standard", ver. 1.5, RSA Laboratories Technical Note, 1 Nov 1993.

[PKC07]RSA实验室,“PKCS#7:加密消息语法标准”,版本。1.5,RSA实验室技术说明,1993年11月1日。

   [PKC10]  ---, "PKCS #10: Certification Request Syntax Standard", ver.
            1.0, RSA Laboratories Technical Note, 1 Nov 1993.
        
   [PKC10]  ---, "PKCS #10: Certification Request Syntax Standard", ver.
            1.0, RSA Laboratories Technical Note, 1 Nov 1993.
        
   [PKC11]  ---, "PKCS #11: Cryptographic Token Interface Standard",
            ver. 1.0, 28 Apr 1995.
        
   [PKC11]  ---, "PKCS #11: Cryptographic Token Interface Standard",
            ver. 1.0, 28 Apr 1995.
        

[R0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.

[R0768]Postel,J.,“用户数据报协议”,STD 6,RFC 768,1980年8月。

[R0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

[R0791]Postel,J.,“互联网协议”,STD 5,RFC 7911981年9月。

[R0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, September 1981. [See: RFC 1885.]

[R0792]Postel,J.,“互联网控制消息协议”,STD 5,RFC 792,1981年9月。[见:RFC 1885。]

[R0793] Postel, J., ed., "Transmission Control Protocol", STD 7, RFC 793, September 1981.

[R0793]Postel,J.,编辑,“传输控制协议”,标准7,RFC 793,1981年9月。

[R0821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1982.

[R0821]Postel,J.,“简单邮件传输协议”,STD 10,RFC 821,1982年8月。

[R0822] Crocker, D., "Standard for the Format of ARPA Internet Text Messages", STD 11, RFC 822, August 1982.

[R0822]Crocker,D.,“ARPA互联网文本信息格式标准”,STD 11,RFC 822,1982年8月。

[R0854] Postel, J. and J. Reynolds, "TELNET Protocol Specification", STD 8, RFC 854, May 1983.

[R0854]Postel,J.和J.Reynolds,“TELNET协议规范”,STD 8,RFC 854,1983年5月。

[R0959] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)", STD 9, RFC 959, October 1985.

[R0959]Postel,J.和J.Reynolds,“文件传输协议(FTP)”,标准9,RFC 959,1985年10月。

[R1034] Mockapetris, P., "Domain Names--Concepts and Facilities", STD 13, RFC 1034, November 1987.

[R1034]Mockapetris,P.,“域名——概念和设施”,STD 13,RFC 1034,1987年11月。

[R1157] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple Network Management Protocol (SNMP)" [version 1], STD 15, RFC 1157, May 1990.

[R1157]Case,J.,Fedor,M.,Schoffstall,M.和J.Davin,“简单网络管理协议(SNMP)”[version 1],STD 15,RFC 1157,1990年5月。

[R1208] Jacobsen O. and D. Lynch, "A Glossary of Networking Terms", RFC 1208, March 1991.

[R1208]Jacobsen O.和D.Lynch,“网络术语表”,RFC 12081991年3月。

[R1319] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.

[R1319]Kaliski,B.,“MD2消息摘要算法”,RFC1319,1992年4月。

[R1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.

[R1320]Rivest,R.,“MD4消息摘要算法”,RFC1320,1992年4月。

[R1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[R1321]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。

[R1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.

[R1334]Lloyd,B.和W.Simpson,“PPP认证协议”,RFC 13341992年10月。

[R1413] St. Johns, M., "Identification Protocol", RFC 1413, February 1993.

[R1413]圣约翰,M.,“识别协议”,RFC 1413,1993年2月。

[R1421] Linn, J., "Privacy Enhancement for Internet Electronic Mail, Part I: Message Encryption and Authentication Procedures", RFC 1421, February 1993.

[R1421]Linn,J.,“互联网电子邮件的隐私增强,第一部分:信息加密和认证程序”,RFC 1421,1993年2月。

[R1422] Kent, S., "Privacy Enhancement for Internet Electronic Mail, Part II: Certificate-Based Key Management", RFC 1422, February 1993.

[R1422]Kent,S.,“互联网电子邮件的隐私增强,第二部分:基于证书的密钥管理”,RFC 1422,1993年2月。

[R1455] Eastlake, D., "Physical Link Security Type of Service", RFC 1455, May 1993.

[R1455]Eastlake,D.,“物理链路安全服务类型”,RFC 1455,1993年5月。

[R1457] Housley, R., "Security Label Framework for the Internet", RFC 1457, May 1993.

[R1457]Housley,R.,“互联网安全标签框架”,RFC 1457,1993年5月。

[R1492] Finseth, C., "An Access Control Protocol, Sometimes Called TACACS", RFC 1492, July 1993.

[R1492]Finseth,C.,“访问控制协议,有时称为TACACS”,RFC 1492,1993年7月。

[R1507] Kaufman, C., "DASS: Distributed Authentication Security Service", RFC 1507, September 1993.

[R1507]Kaufman,C.,“DASS:分布式认证安全服务”,RFC1507,1993年9月。

[R1510] Kohl, J. and C. Neuman, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.

[R1510]Kohl,J.和C.Neuman,“Kerberos网络身份验证服务(V5)”,RFC 1510,1993年9月。

[R1591] Kohl, J. and C. Neuman, "Domain Name System Structure and Delegation", March 1994.

[R1591]Kohl,J.和C.Neuman,“域名系统结构和授权”,1994年3月。

[R1630] Berners-Lee, T., "Universal Resource Identifiers in WWW", RFC 1630, June 1994.

[R1630]Berners Lee,T.,“WWW中的通用资源标识符”,RFC 1630,1994年6月。

[R1661] Simpson, W., ed., " The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[R1661]辛普森,W.,编辑,“点对点协议(PPP)”,STD 51,RFC 1661994年7月。

[R1731] Myers, J., "IMAP4 Authentication Mechanisms", RFC 1731, December 1994.

[R1731]迈尔斯,J.,“IMAP4认证机制”,RFC 17311994年12月。

[R1734] Myers, J., "POP3 AUTHentication Command", RFC 1734, December 1994.

[R1734]迈尔斯,J.,“POP3认证命令”,RFC 17341994年12月。

[R1738] Myers, J., Masinter, L. and M. McCahill, ed's., "Uniform Resource Locators (URL)", RFC 1738, December 1994.

[R1738]Myers,J.,Masinter,L.和M.McCahill,教育版,“统一资源定位器(URL)”,RFC 17381994年12月。

[R1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

[R1750]Eastlake,D.,Crocker,S.和J.Schiller,“安全性的随机性建议”,RFC 1750,1994年12月。

[R1777] Yeong, W., Howes, T. and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.

[R1777]Yeong,W.,Howes,T.和S.Kille,“轻量级目录访问协议”,RFC 1777,1995年3月。

[R1808] Fielding, R., "Relative Uniform Resource Locators", RFC 1808, June 1995.

[R1808]菲尔丁,R.,“相对统一资源定位器”,RFC 18081995年6月。

[R1824] Danisch, H., "The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)", RFC 1824, August 1995.

[R1824]Danisch,H.,“指数安全系统TESS:用于认证密钥交换的基于身份的加密协议(E.I.S.S.-报告1995/4)”,RFC 1824,1995年8月。

[R1828] Metzger, P. and W. Simpson, "IP Authentication using Keyed MD5", RFC 1828, August 1995.

[R1828]Metzger,P.和W.Simpson,“使用密钥MD5的IP认证”,RFC 1828,1995年8月。

[R1829] Karn, P., Metzger, P. and W. Simpson, "The ESP DES-CBC Transform", RFC 1829, August 1995.

[R1829]Karn,P.,Metzger,P.和W.Simpson,“ESP DES-CBC转换”,RFC 1829,1995年8月。

[R1848] Crocker, S., Freed, N., Galvin, J. and S. Murphy, "MIME Object Security Services", RFC 1848, October 1995.

[R1848]Crocker,S.,Freed,N.,Galvin,J.和S.Murphy,“MIME对象安全服务”,RFC 18481995年10月。

[R1851] Karn, P., Metzger, P. and W. Simpson, "The ESP Triple DES Transform", RFC 1851, September 1995.

[R1851]Karn,P.,Metzger,P.和W.Simpson,“ESP三重DES变换”,RFC 18511995年9月。

[R1866] Berners-Lee, T., "Hypertext Markup Language--2.0", RFC 1866, November 1995.

[R1866]Berners Lee,T.,“超文本标记语言——2.0”,RFC 18661995年11月。

[R1885] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 1885, December 1995.

[R1885]Conta,A.和S.Deering,“互联网协议版本6(IPv6)规范的互联网控制消息协议(ICMPv6)”,RFC 18851995年12月。

[R1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D. and L. Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996.

[R1928]Leech,M.,Ganis,M.,Lee,Y.,Kuris,R.,Koblas,D.和L.Jones,“SOCKS协议版本5”,RFC 19281996年3月。

[R1938] Haller, N. and C. Metzion, "A One-Time Password System", RFC 1938, May 1996.

[R1938]Haller,N.和C.Metzion,“一次性密码系统”,RFC 19381996年5月。

[R1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, May 1996.

[R1939]迈尔斯,J.和M.罗斯,“邮局协议-第3版”,STD 53,RFC 1939,1996年5月。

[R1958] Carpenter, B., ed., "Architectural Principles of the Internet", RFC 1958, June 1996.

[R1958]Carpenter,B.,ed.“互联网的架构原则”,RFC 19581996年6月。

[R1983] Malkin, G., ed., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.

[R1983]Malkin,G.,ed.,“互联网用户词汇表”,第18期参考资料,RFC 1983,1996年8月。

[R1994] Simpson, W. "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[R1994]辛普森,W.“PPP挑战握手认证协议(CHAP)”,RFC 1994,1996年8月。

[R2023] Postel, J. and J. Reynolds, "Instructions to RFC Authors", RFC 2023, October 1997.

[R2023]Postel,J.和J.Reynolds,“RFC作者须知”,RFC 2023,1997年10月。

[R2026] Bradner, S., "The Internet Standards Process--Revision 3", BCP 9, RFC 2026, March 1994.

[R2026]Bradner,S.,“互联网标准过程——第3版”,BCP 9,RFC 2026,1994年3月。

[R2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, November 1996.

[R2045]Freed,N.和N.Borenstein,“多用途Internet邮件扩展(MIME)第一部分:Internet邮件正文格式”,RFC 20451996年11月。

[R2060] Crispin, M., "Internet Message Access Protocol--Version 4 Revision 1", RFC 2060, December 1996.

[R2060]Crispin,M.,“互联网消息访问协议——第4版第1版”,RFC 20601996年12月。

[R2065] Eastlake, D., 3rd, "Domain Name System Security Extensions", RFC 2065, January 1997.

[R2065]Eastlake,D.,第3期,“域名系统安全扩展”,RFC 2065,1997年1月。

[R2078] Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2078, January 1997.

[R2078]林恩,J.,“通用安全服务应用程序接口,第2版”,RFC 2078,1997年1月。

[R2084] Bossert, G., Cooper, S. and W. Drummond, "Considerations for Web Transaction Security", RFC 2084, January 1997.

[R2084]Bossert,G.,Cooper,S.和W.Drummond,“Web事务安全的注意事项”,RFC 2084,1997年1月。

[R2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[R2104]Krawczyk,H.,Bellare,M.和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。

[R2119] Bradner, S., "Key Words for Use in RFCs To Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[R2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[R2138] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

[R2138]Rigney,C.,Rubens,A.,Simpson,W.和S.Willens,“远程认证拨入用户服务(RADIUS)”,RFC 21381997年4月。

[R2137] Eastlake, D., "Secure Domain Name System Dynamic Update", RFC 2137, April 1997.

[R2137]Eastlake,D.,“安全域名系统动态更新”,RFC 2137,1997年4月。

[R2179] Gwinn, A., "Network Security For Trade Shows", RFC 2179, July 1997.

[R2179]Gwinn,A.,“贸易展览会的网络安全”,RFC 2179,1997年7月。

[R2195] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, Sepember 1997.

[R2195]Klensin,J.,Catoe,R.和P.Krumviede,“简单质询/响应的IMAP/POP授权扩展”,RFC 2195,1997年12月。

[R2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, Sepember 1997.

[R2196]弗雷泽,B.,《现场安全手册》,第8期,RFC 2196,1997年11月。

[R2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, Sepember 1997.

[R2202]Cheng,P.和R.Glenn,“HMAC-MD5和HMAC-SHA-1的测试案例”,RFC 2202,1997年12月。

[R2222] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997.

[R2222]迈尔斯,J.,“简单认证和安全层(SASL)”,RFC22221997年10月。

[R2223] Postel, J., "Instructions to RFC Authors", RFC 2223, October 1997.

[R2223]Postel,J.,“RFC作者须知”,RFC2223,1997年10月。

[R2246] Dierks, T. and C. Allen, "The TLS Protocol, Version 1.0", RFC 2246, January 1999.

[R2246]Dierks,T.和C.Allen,“TLS协议,版本1.0”,RFC 2246,1999年1月。

[R2284] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

[R2284]Blunk,L.和J.Vollbrecht,“PPP可扩展认证协议(EAP)”,RFC 2284,1998年3月。

[R2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax, Version 1.5", RFC 2315, March 1998.

[R2315]Kaliski,B.,“PKCS#7:加密消息语法,1.5版”,RFC 2315,1998年3月。

[R2323] Ramos, A., "IETF Identification and Security Guidelines", RFC 2323, 1 April 1998. [Intended for humorous entertainment ("please laugh loud and hard"); does not contain serious security information.]

[R2323]Ramos,A.,“IETF识别和安全指南”,RFC 23231998年4月1日。[用于幽默娱乐(“请大声大笑”);不包含严重的安全信息。]

[R2350] Brownlee, N. and E. Guttman, "Expectations for Computer Security Incident Response", RFC 2350, June 1998.

[R2350]Brownlee,N.和E.Guttman,“对计算机安全事件响应的期望”,RFC 23501998年6月。

[R2356] Montenegro, C. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.

[R2356]黑山,C.和V.Gupta,“Sun的移动IP跳过防火墙穿越”,RFC 2356,1998年6月。

[R2373] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 2998.

[R2373]Hinden,R.和S.Deering,“IP版本6寻址体系结构”,RFC 23732998年7月。

[R2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[R2401]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。

[R2402] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

[R2402]Kent,S.和R.Atkinson,“IP认证头”,RFC 2402,1998年11月。

[R2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH", RFC 2403, November 1998.

[R2403]Madson,C.和R.Glenn,“HMAC-MD5-96在ESP和AH中的使用”,RFC 2403,1998年11月。

[R2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November 1998.

[R2404]Madson,C.和R.Glenn,“在ESP和AH中使用HMAC-SHA-1-96”,RFC 2404,1998年11月。

[R2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm With Explicit IV", RFC 2405, November 1998.

[R2405]Madson,C.和N.Doraswamy,“带显式IV的ESP DES-CBC密码算法”,RFC 2405,1998年11月。

[R2406] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[R2406]Kent,S.和R.Atkinson,“IP封装安全有效载荷(ESP)”,RFC 2406,1998年11月。

[R2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[R2407]Piper,D.,“ISAKMP解释的互联网IP安全域”,RFC 2407,1998年11月。

[R2408] Maughan, D., Schertler, M., Schneider, M. and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.

[R2408]Maughan,D.,Schertler,M.,Schneider,M.和J.Turner,“互联网安全协会和密钥管理协议(ISAKMP)”,RFC 2408,1998年11月。

[R2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[R2409]Harkins,D.和D.Carrel,“互联网密钥交换(IKE)”,RFC 2409,1998年11月。

[R2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec", RFC 2410, November 1998.

[R2410]Glenn,R.和S.Kent,“空加密算法及其在IPsec中的使用”,RFC 2410,1998年11月。

[R2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998.

[R2412]Orman,H.,“奥克利密钥确定协议”,RFC 2412,1998年11月。

[R2451] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher Algorithms", RFC 2451, November 1998.

[R2451]Pereira,R.和R.Adams,“ESP CBC模式密码算法”,RFC 2451,1998年11月。

[R2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[R2460]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,1998年12月。

[R2504] Guttman, E., Leong, L. and G. Malkin, "Users' Security Handbook", RFC 2504, February 1999.

[R2504] Guttman, E., Leong, L. and G. Malkin, "Users' Security Handbook", RFC 2504, February 1999.translate error, please retry

[R2510] Adams, C. and S. Farrell, "Internet X.509 Public Key Infrastructure Certificate Management Protocols", RFC 2510, March 1999.

[R2510]Adams,C.和S.Farrell,“互联网X.509公钥基础设施证书管理协议”,RFC2510,1999年3月。

[R2527] Chokhani, S. and W. Ford, "Internet X.509 Public Key Infrastructure, Certificate Policy and Certification Practices Framework", RFC 2527, March 1999.

[R2527]Chokhani,S.和W.Ford,“Internet X.509公钥基础设施、证书政策和认证实践框架”,RFC 2527,1999年3月。

[R2536] EastLake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999.

[R2536]EastLake,D.,“域名系统(DNS)中的DSA密钥和SIG”,RFC 25361999年3月。

[R2570] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction to Version 3 of the Internet-Standard Network Management Framework", RFC 2570, April 1999.

[R2570]Case,J.,Mundy,R.,Partain,D.和B.Stewart,“互联网标准网络管理框架第3版简介”,RFC 25701999年4月。

[R2574] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999.

[R2574]Blumenthal,U.和B.Wijnen,“简单网络管理协议(SNMPv3)第3版基于用户的安全模型(USM)”,RFC 2574,1999年4月。

[R2612] Adams, C. and J. Gilchrist, "The CAST-256 Encryption Algorithm", RFC 2612, June 1999.

[R2612]Adams,C.和J.Gilchrist,“CAST-256加密算法”,RFC2612,1999年6月。

[R2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol-- HTTP/1.1", RFC 2616, June 1999.

[R2616]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC2616,1999年6月。

[R2628] Smyslov, V., "Simple Cryptographic Program Interface", RFC 2628, June 1999.

[R2628]Smyslov,V.,“简单密码程序接口”,RFC 26281999年6月。

[R2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999.

[R2630]Housley,R.,“加密消息语法”,RFC2630,1999年6月。

[R2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.

[R2631]Rescorla,E.,“Diffie-Hellman密钥协商方法”,RFC 26311999年6月。

[R2633] Ramsdell, B., ed., "S/MIME Version 3 Message Specification", RFC 2633, June 1999.

[R2633]拉姆斯代尔,B.,编辑,“S/MIME版本3消息规范”,RFC2633,1999年6月。

[R2634] Hoffman, P., ed., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.

[R2634]Hoffman,P.,ed.“S/MIME的增强安全服务”,RFC 2634,1999年6月。

[R2635] Hambridge, S. and A. Lunde, "Don't Spew: A Set of Guidelines for Mass Unsolicited Mailings and Postings", RFC 2635, June 1999.

[R2635]Hambridge,S.和A.Lunde,“不要吐:大量未经请求的邮件和帖子的一套指南”,RFC 26351999年6月。

[Raym] E. S. Raymond, ed., "The On-Line Hacker Jargon File", ver. 4.0.0, 24 Jul 1996. (Also available as "The New Hacker's Dictionary", 2nd edition, MIT Press, Sep 1993, ISBN 0-262- 18154-1. See: http://www.tuxedo.org/jargon/ for the latest version.)

[Raym]E.S.Raymond,ed.,“在线黑客行话文件”,第。1996年7月24日,4.0.0。(另见《新黑客词典》,第二版,麻省理工学院出版社,1993年9月,ISBN 0-262-18154-1。见:http://www.tuxedo.org/jargon/ 以获取最新版本。)

[Russ] D. Russell and G. T. Gangemi Sr., Chapter 10 ("TEMPEST") in "Computer Security Basics", ISBN 0-937175-71-4, 1991.

[Russ]D.Russell和G.T.Gangemi Sr.,《计算机安全基础》第10章(“暴风雨”),ISBN 0-937175-71-41991。

[Schn] B. Schneier, "Applied Cryptography", John Wiley & Sons, Inc., New York, 1994.

[Schn]B.Schneier,“应用密码学”,约翰·威利父子公司,纽约,1994年。

[SDNS3] U.S. Department of Defense, National Security Agency, "Secure Data Network Systems, Security Protocol 3 (SP3)", document SDN.301, Revision 1.5, 15 May 1989.

[SDNS3]美国国防部,国家安全局,“安全数据网络系统,安全协议3(SP3)”,文件SDN.301,修订版1.5,1989年5月15日。

   [SDNS4]  ---, ---, "Security Protocol 4 (SP4)", document SDN.401,
            Revision 1.2, 12 Jul 1988.
        
   [SDNS4]  ---, ---, "Security Protocol 4 (SP4)", document SDN.401,
            Revision 1.2, 12 Jul 1988.
        
   [SDNS7]  ---, ---, "Secure data Network System, Message Security
            Protocol (MSP)", document SDN.701, Revision 4.0, 7 Jun 1996,
            with Corrections to Message Security Protocol, SDN.701, Rev
            4.0", 96-06-07, 30 Aug, 1996.
        
   [SDNS7]  ---, ---, "Secure data Network System, Message Security
            Protocol (MSP)", document SDN.701, Revision 4.0, 7 Jun 1996,
            with Corrections to Message Security Protocol, SDN.701, Rev
            4.0", 96-06-07, 30 Aug, 1996.
        

[SET1] MasterCard and Visa, "SET Secure Electronic Transaction Specification, Book 1: Business Description", ver. 1.0, 31 May 1997.

[SET1]万事达卡和Visa,“设置安全电子交易规范,第1册:业务描述”,版本。1.0,1997年5月31日。

   [SET2]   ---, "SET Secure Electronic Transaction Specification, Book
            2: Programmer's Guide", ver. 1.0, 31 May 1997.
        
   [SET2]   ---, "SET Secure Electronic Transaction Specification, Book
            2: Programmer's Guide", ver. 1.0, 31 May 1997.
        

[Stei] J. Steiner, C. Neuman, and J. Schiller, "Kerberos: An Authentication Service for Open Network Systems" in "Usenix Conference Proceedings", Feb 1988.

[Stei]J.Steiner、C.Neuman和J.Schiller,“Kerberos:开放网络系统的身份验证服务”,发表于《Usenix会议记录》,1988年2月。

[X400] International Telecommunications Union--Telecommunication Standardization Sector (formerly "CCITT"), Recommendation X.400, "Message Handling Services: Message Handling System and Service Overview".

[X400]国际电信联盟——电信标准化部门(原“CCITT”),建议X.400,“信息处理服务:信息处理系统和服务概述”。

   [X500]   ---, Recommendation X.500, "Information Technology--Open
            Systems Interconnection--The Directory: Overview of
            Concepts, Models, and Services". (Equivalent to ISO 9594-1.)
        
   [X500]   ---, Recommendation X.500, "Information Technology--Open
            Systems Interconnection--The Directory: Overview of
            Concepts, Models, and Services". (Equivalent to ISO 9594-1.)
        
   [X501]   ---, Recommendation X.501, "Information Technology--Open
            Systems Interconnection--The Directory: Models".
        
   [X501]   ---, Recommendation X.501, "Information Technology--Open
            Systems Interconnection--The Directory: Models".
        
   [X509]   ---, Recommendation X.509, "Information Technology--Open
            Systems Interconnection--The Directory: Authentication
            Framework". (Equivalent to ISO 9594-8.)
        
   [X509]   ---, Recommendation X.509, "Information Technology--Open
            Systems Interconnection--The Directory: Authentication
            Framework". (Equivalent to ISO 9594-8.)
        
   [X519]   ---, Recommendation X.519, "Information Technology--Open
            Systems Interconnection--The Directory: Protocol
            Specifications".
        
   [X519]   ---, Recommendation X.519, "Information Technology--Open
            Systems Interconnection--The Directory: Protocol
            Specifications".
        
   [X520]   ---, Recommendation X.520, "Information Technology--Open
            Systems Interconnection--The Directory: Selected Attribute
            Types".
        
   [X520]   ---, Recommendation X.520, "Information Technology--Open
            Systems Interconnection--The Directory: Selected Attribute
            Types".
        
   [X680]   ---, Recommendation X.680, "Information Technology--Abstract
            Syntax Notation One (ASN.1)--Specification of Basic
            Notation", 15 Nov 1994. (Equivalent to ISO/IEC 8824-1.)
        
   [X680]   ---, Recommendation X.680, "Information Technology--Abstract
            Syntax Notation One (ASN.1)--Specification of Basic
            Notation", 15 Nov 1994. (Equivalent to ISO/IEC 8824-1.)
        
   [X690]   ---, Recommendation X.690, "Information Technology--ASN.1
            Encoding Rules--Specification of Basic Encoding Rules (BER),
            Canonical Encoding Rules (CER) and Distinguished Encoding
            Rules (DER)", 15 Nov 1994. (Equivalent to ISO/IEC 8825-1.)
        
   [X690]   ---, Recommendation X.690, "Information Technology--ASN.1
            Encoding Rules--Specification of Basic Encoding Rules (BER),
            Canonical Encoding Rules (CER) and Distinguished Encoding
            Rules (DER)", 15 Nov 1994. (Equivalent to ISO/IEC 8825-1.)
        
5. Security Considerations
5. 安全考虑

This document only defines security terms and recommends how to use them. It does not describe in detail the vulnerabilities of, threats to, or mechanisms that protect specific Internet protocols.

本文档仅定义安全术语并建议如何使用它们。它没有详细描述保护特定互联网协议的漏洞、威胁或机制。

6. Acknowledgments
6. 致谢

Pat Cain, Mike Kong, and Charles Lynn provided meticulous comments on an early draft.

Pat Cain、Mike Kong和Charles Lynn对早期草案进行了细致的评论。

7. Author's Address
7. 作者地址

Please address all comments to:

请将所有意见发送至:

   Robert W. Shirey                   GTE / BBN Technologies
   EMail: rshirey@bbn.com             Suite 1200, Mail Stop 30/12B2
   Phone: +1 (703) 284-4641           1300 Seventeenth Street North
   Fax:   +1 (703) 284-2766           Arlington, VA  22209-3801 USA
        
   Robert W. Shirey                   GTE / BBN Technologies
   EMail: rshirey@bbn.com             Suite 1200, Mail Stop 30/12B2
   Phone: +1 (703) 284-4641           1300 Seventeenth Street North
   Fax:   +1 (703) 284-2766           Arlington, VA  22209-3801 USA
        
8. Full Copyright Statement
8. 完整版权声明

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。