Network Working Group                                          R. Shirey
Request for Comments: 4949                                   August 2007
FYI: 36
Obsoletes: 2828
Category: Informational
        
Network Working Group                                          R. Shirey
Request for Comments: 4949                                   August 2007
FYI: 36
Obsoletes: 2828
Category: Informational
        

Internet Security Glossary, Version 2

互联网安全词汇表,第2版

Status of This Memo

关于下段备忘

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The IETF Trust (2007).

版权所有(C)IETF信托基金(2007年)。

RFC Editor Note

RFC编辑说明

This document is both a major revision and a major expansion of the Security Glossary in RFC 2828. This revised Glossary is an extensive reference that should help the Internet community to improve the clarity of documentation and discussion in an important area of Internet technology. However, readers should be aware of the following:

本文档是RFC 2828中安全术语表的主要修订和主要扩展。本修订词汇表是一份广泛的参考资料,应有助于互联网社区提高互联网技术一个重要领域的文档和讨论的清晰度。但是,读者应注意以下几点:

(1) The recommendations and some particular interpretations in definitions are those of the author, not an official IETF position. The IETF has not taken a formal position either for or against recommendations made by this Glossary, and the use of RFC 2119 language (e.g., SHOULD NOT) in the Glossary must be understood as unofficial. In other words, the usage rules, wording interpretations, and other recommendations that the Glossary offers are personal opinions of the Glossary's author. Readers must judge for themselves whether or not to follow his recommendations, based on their own knowledge combined with the reasoning presented in the Glossary.

(1) 定义中的建议和某些特定解释是作者的建议和解释,而不是IETF的官方立场。IETF尚未采取正式立场支持或反对本术语表提出的建议,术语表中使用RFC 2119语言(如不应)必须理解为非官方。换句话说,术语表提供的使用规则、措辞解释和其他建议是术语表作者的个人意见。读者必须根据自己的知识,结合词汇表中的推理,自行判断是否遵循他的建议。

(2) The glossary is rich in the history of early network security work, but it may be somewhat incomplete in describing recent security work, which has been developing rapidly.

(2) 该词汇表丰富了早期网络安全工作的历史,但在描述最近迅速发展的安全工作时可能有些不完整。

Abstract

摘要

This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.

本术语表提供信息系统安全术语的定义、缩写和解释。334页的条目为提高互联网标准过程(RFC 2026)中产生的书面材料的可理解性提供了建议。这些建议遵循的原则是,此类文字应(a)在提及相同概念时使用相同的术语或定义;(b) 使用最简单的词典意义上的术语;(c) 使用公开出版物中已经确立的术语;和(d)避免使用有利于特定供应商或有利于特定技术或机制的条款,而不是使用已经存在或可以开发的其他竞争技术。

Table of Contents

目录

   1. Introduction ....................................................3
   2. Format of Entries ...............................................4
      2.1. Order of Entries ...........................................4
      2.2. Capitalization and Abbreviations ...........................5
      2.3. Support for Automated Searching ............................5
      2.4. Definition Type and Context ................................5
      2.5. Explanatory Notes ..........................................6
      2.6. Cross-References ...........................................6
      2.7. Trademarks .................................................6
      2.8. The New Punctuation ........................................6
   3. Types of Entries ................................................7
      3.1. Type "I": Recommended Definitions of Internet Origin .......7
      3.2. Type "N": Recommended Definitions of Non-Internet Origin ...8
      3.3. Type "O": Other Terms and Definitions To Be Noted ..........8
      3.4. Type "D": Deprecated Terms and Definitions .................8
      3.5. Definition Substitutions ...................................8
   4. Definitions .....................................................9
   5. Security Considerations .......................................343
   6. Normative Reference ...........................................343
   7. Informative References ........................................343
   8. Acknowledgments ...............................................364
        
   1. Introduction ....................................................3
   2. Format of Entries ...............................................4
      2.1. Order of Entries ...........................................4
      2.2. Capitalization and Abbreviations ...........................5
      2.3. Support for Automated Searching ............................5
      2.4. Definition Type and Context ................................5
      2.5. Explanatory Notes ..........................................6
      2.6. Cross-References ...........................................6
      2.7. Trademarks .................................................6
      2.8. The New Punctuation ........................................6
   3. Types of Entries ................................................7
      3.1. Type "I": Recommended Definitions of Internet Origin .......7
      3.2. Type "N": Recommended Definitions of Non-Internet Origin ...8
      3.3. Type "O": Other Terms and Definitions To Be Noted ..........8
      3.4. Type "D": Deprecated Terms and Definitions .................8
      3.5. Definition Substitutions ...................................8
   4. Definitions .....................................................9
   5. Security Considerations .......................................343
   6. Normative Reference ...........................................343
   7. Informative References ........................................343
   8. Acknowledgments ...............................................364
        
1. Introduction
1. 介绍

This Glossary is *not* an Internet Standard, and its recommendations represent only the opinions of its author. However, this Glossary gives reasons for its recommendations -- especially for the SHOULD NOTs -- so that readers can judge for themselves what to do.

本术语表*不是*互联网标准,其建议仅代表其作者的意见。然而,这个词汇表给出了建议的理由——特别是不应该这样做的理由——以便读者能够自己判断该做什么。

This Glossary provides an internally consistent and self-contained set of terms, abbreviations, and definitions -- supported by explanations, recommendations, and references -- for terminology that concerns information system security. The intent of this Glossary is to improve the comprehensibility of written materials that are generated in the Internet Standards Process (RFC 2026) -- i.e., RFCs, Internet-Drafts, and other items of discourse -- which are referred to here as IDOCs. A few non-security, networking terms are included to make the Glossary self-contained, but more complete glossaries of such terms are available elsewhere [A1523, F1037, R1208, R1983].

本术语表提供了一组内部一致且自包含的术语、缩写和定义,并提供了与信息系统安全相关的术语的解释、建议和参考。本词汇表旨在提高互联网标准过程(RFC 2026)中产生的书面材料的可理解性,即RFC、互联网草案和其他话语项目,此处称为IDOC。为了使术语表更加完整,还包括了一些非安全性的网络术语,但在其他地方可以找到更完整的此类术语表[A1523、F1037、R1208、R1983]。

This Glossary supports the goals of the Internet Standards Process:

本术语表支持互联网标准过程的目标:

o Clear, Concise, Easily Understood Documentation

o 清晰、简洁、易于理解的文档

This Glossary seeks to improve comprehensibility of security-related content of IDOCs. That requires wording to be clear and understandable, and requires the set of security-related terms and definitions to be consistent and self-supporting. Also, terminology needs to be uniform across all IDOCs; i.e., the same term or definition needs to be used whenever and wherever the same concept is mentioned. Harmonization of existing IDOCs need not be done immediately, but it is desirable to correct and standardize terminology when new versions are issued in the normal course of standards development and evolution.

本词汇表旨在提高IDOCs安全相关内容的可理解性。这要求措辞清晰易懂,并要求一套与安全相关的术语和定义保持一致和自我支持。此外,所有IDOC的术语都需要统一;i、 例如,无论何时何地提及相同的概念,都需要使用相同的术语或定义。不需要立即对现有的IDOC进行协调,但在标准开发和演变的正常过程中发布新版本时,需要纠正和标准化术语。

o Technical Excellence

o 技术卓越

Just as Internet Standard (STD) protocols should operate effectively, IDOCs should use terminology accurately, precisely, and unambiguously to enable standards to be implemented correctly.

正如互联网标准(STD)协议应该有效运行一样,IDOC应该准确、准确、明确地使用术语,以使标准能够正确实施。

o Prior Implementation and Testing

o 预先实施和测试

Just as STD protocols require demonstrated experience and stability before adoption, IDOCs need to use well-established language; and the robustness principle for protocols -- "be liberal in what you accept, and conservative in what you send" -- is also applicable to the language used in IDOCs that describe protocols. Using terms in their plainest, dictionary sense (when appropriate) helps to make them more easily understood by

正如STD协议在采用前需要证明经验和稳定性,IDOC需要使用成熟的语言;协议的健壮性原则——“接受的内容要自由,发送的内容要保守”——也适用于描述协议的IDoc中使用的语言。使用最简单的、词典意义上的术语(在适当的时候)有助于让读者更容易理解

international readers. IDOCs need to avoid using private, newly invented terms in place of generally accepted terms from open publications. IDOCs need to avoid substituting new definitions that conflict with established ones. IDOCs need to avoid using "cute" synonyms (e.g., "Green Book"), because no matter how popular a nickname may be in one community, it is likely to cause confusion in another.

国际读者。IDoc需要避免使用私人的、新发明的术语来代替公开出版物中普遍接受的术语。IDoc需要避免替换与现有定义冲突的新定义。idoc需要避免使用“可爱”的同义词(例如,“绿皮书”),因为无论一个昵称在一个社区中多么流行,它都可能在另一个社区中引起混淆。

However, although this Glossary strives for plain, internationally understood English language, its terms and definitions are biased toward English as used in the United States of America (U.S.). Also, with regard to terminology used by national governments and in national defense areas, the glossary addresses only U.S. usage.

然而,尽管本词汇表力求使用通俗易懂的国际英语,但其术语和定义偏向于美国(U.S.)使用的英语。此外,关于国家政府和国防领域使用的术语,术语表仅涉及美国的用法。

o Openness, Fairness, and Timeliness

o 公开、公平和及时性

IDOCs need to avoid using proprietary and trademarked terms for purposes other than referring to those particular systems. IDOCs also need to avoid terms that either favor a particular vendor or favor a particular security technology or mechanism over other, competing techniques that already exist or might be developed in the future. The set of terminology used across the set of IDOCs needs to be flexible and adaptable as the state of Internet security art evolves.

IDoc需要避免将专有和商标术语用于特定系统以外的目的。idoc还需要避免使用有利于特定供应商或特定安全技术或机制的术语,而不是使用已经存在或将来可能开发的其他竞争性技术。随着互联网安全技术的发展,IDOC中使用的术语集需要具有灵活性和适应性。

In support of those goals, this Glossary offers guidance by marking terms and definitions as being either endorsed or deprecated for use in IDOCs. The key words "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are intended to be interpreted the same way as in an Internet Standard (i.e., as specified in RFC 2119 [R2119]). Other glossaries (e.g., [Raym]) list additional terms that deal with Internet security but have not been included in this Glossary because they are not appropriate for IDOCs.

为了支持这些目标,本术语表通过将术语和定义标记为已认可或已弃用以在IDOCs中使用来提供指导。关键词“应该”、“不应该”、“建议”、“可能”和“可选”的解释方式与互联网标准中的解释方式相同(即,如RFC 2119[R2119]中的规定)。其他词汇表(例如,[Raym])列出了涉及互联网安全的其他术语,但由于这些术语不适用于IDOC,因此未包含在本词汇表中。

2. Format of Entries
2. 条目格式

Section 4 presents Glossary entries in the following manner:

第4节以以下方式介绍术语表条目:

2.1. Order of Entries
2.1. 条目顺序

Entries are sorted in lexicographic order, without regard to capitalization. Numeric digits are treated as preceding alphabetic characters, and special characters are treated as preceding digits. Blanks are treated as preceding non-blank characters, except that a hyphen or slash between the parts of a multiword entry (e.g., "RED/BLACK separation") is treated like a blank.

条目按字典顺序排序,不考虑大小写。数字被视为前面的字母字符,特殊字符被视为前面的数字。空白字符被视为前面的非空白字符,但多字条目各部分之间的连字符或斜杠(例如,“红/黑分隔”)被视为空白字符。

If an entry has multiple definitions (e.g., "domain"), they are numbered beginning with "1", and any of those multiple definitions that are RECOMMENDED for use in IDOCs are presented before other definitions for that entry. If definitions are closely related (e.g., "threat"), they are denoted by adding letters to a number, such as "1a" and "1b".

如果一个条目有多个定义(例如,“域”),则它们以“1”开头编号,并且建议在IDoc中使用的任何多个定义都会在该条目的其他定义之前显示。如果定义密切相关(例如,“威胁”),则通过在数字上添加字母来表示,如“1a”和“1b”。

2.2. Capitalization and Abbreviations
2.2. 大写和缩写

Entries that are proper nouns are capitalized (e.g., "Data Encryption Algorithm"), as are other words derived from proper nouns (e.g., "Caesar cipher"). All other entries are not capitalized (e.g., "certification authority"). Each acronym or other abbreviation that appears in this Glossary, either as an entry or in a definition or explanation, is defined in this Glossary, except items of common English usage, such as "a.k.a.", "e.g.", "etc.", "i.e.", "vol.", "pp.", and "U.S.".

专有名词条目大写(例如,“数据加密算法”),从专有名词派生的其他单词大写(例如,“凯撒密码”)。所有其他条目均不大写(例如,“认证机构”)。本词汇表中出现的每个首字母缩略词或其他缩写词,无论是作为词条还是定义或解释,均在本词汇表中定义,但常见英语用法的项目除外,如“a.k.a.”、“e.g.”、“等”、“i.e.”、“vol.”、“pp.”和“U.S.”。

2.3. Support for Automated Searching
2.3. 支持自动搜索

Each entry is preceded by a dollar sign ($) and a space. This makes it possible to find the defining entry for an item "X" by searching for the character string "$ X", without stopping at other entries in which "X" is used in explanations.

每个条目前面都有一个美元符号($)和一个空格。这使得可以通过搜索字符串“$X”来查找项目“X”的定义条目,而无需在解释中使用“X”的其他条目处停止。

2.4. Definition Type and Context
2.4. 定义类型和上下文

Each entry is preceded by a character -- I, N, O, or D -- enclosed in parentheses, to indicate the type of definition (as is explained further in Section 3): - "I" for a RECOMMENDED term or definition of Internet origin. - "N" if RECOMMENDED but not of Internet origin. - "O" for a term or definition that is NOT recommended for use in IDOCs but is something that authors of Internet documents should know about. - "D" for a term or definition that is deprecated and SHOULD NOT be used in Internet documents.

每个条目前面都有一个字符——I、N、O或D——用括号括起来,以表示定义的类型(如第3节中进一步解释的):“I”表示推荐的术语或互联网来源的定义。-“N”如果推荐,但不是来自互联网。-“O”表示一个术语或定义,该术语或定义不建议在IDOC中使用,但互联网文档的作者应该知道。-“D”表示已弃用且不应在Internet文档中使用的术语或定义。

If a definition is valid only in a specific context (e.g., "baggage"), that context is shown immediately following the definition type and is enclosed by a pair of slash symbols (/). If the definition is valid only for specific parts of speech, that is shown in the same way (e.g., "archive").

如果定义仅在特定上下文(例如“baggage”)中有效,则该上下文将紧跟在定义类型之后显示,并由一对斜杠符号(/)括起。如果定义仅对特定词类有效,则以相同方式显示(例如,“存档”)。

2.5. Explanatory Notes
2.5. 注释

Some entries have explanatory text that is introduced by one or more of the following keywords: - Deprecated Abbreviation (e.g., "AA") - Deprecated Definition (e.g., "digital certification") - Deprecated Usage (e.g., "authenticate") - Deprecated Term (e.g., "certificate authority") - Pronunciation (e.g., "*-property") - Derivation (e.g., "discretionary access control") - Tutorial (e.g., "accreditation") - Example (e.g., "back door") - Usage (e.g., "access")

一些条目具有解释性文本,由以下一个或多个关键字引入:-不推荐的缩写(例如,“AA”)-不推荐的定义(例如,“数字认证”)-不推荐的用法(例如,“认证”)-不推荐的术语(例如,“证书颁发机构”)-发音(例如“*-属性”)-派生(例如。,“自主访问控制”)-教程(如“认证”)-示例(如“后门”)-用法(如“访问”)

Explanatory text in this Glossary MAY be reused in IDOCs. However, this text is not intended to authoritatively supersede text of an IDOC in which the Glossary entry is already used.

本术语表中的解释性文本可在IDOCs中重复使用。但是,本文本并不打算权威性地取代已经使用词汇表条目的IDOC文本。

2.6. Cross-References
2.6. 交叉引用

Some entries contain a parenthetical remark of the form "(See: X.)", where X is a list of other, related terms. Some entries contain a remark of the form "(Compare: X)", where X is a list of terms that either are antonyms of the entry or differ in some other manner worth noting.

有些条目包含形式为“(见:X.)”的附加注释,其中X是其他相关术语的列表。有些条目包含形式为“(比较:X)”的备注,其中X是条目的反义词或以其他值得注意的方式不同的术语列表。

2.7. Trademarks
2.7. 商标

All servicemarks and trademarks that appear in this Glossary are used in an editorial fashion and to the benefit of the mark owner, without any intention of infringement.

本术语表中出现的所有服务商标和商标均以编辑方式使用,并符合商标所有者的利益,无任何侵权意图。

2.8. The New Punctuation
2.8. 新标点符号

This Glossary uses the "new" or "logical" punctuation style favored by computer programmers, as described by Raymond [Raym]: Programmers use pairs of quotation marks the same way they use pairs of parentheses, i.e., as balanced delimiters. For example, if "Alice sends" is a phrase, and so are "Bill receives" and "Eve listens", then a programmer would write the following sentence:

本术语表使用计算机程序员喜欢的“新”或“逻辑”标点符号样式,如Raymond[Raym]所述:程序员使用引号对的方式与使用括号对的方式相同,即作为平衡分隔符。例如,如果“Alice sends”是一个短语,“Bill receives”和“Eve listens”也是一个短语,那么程序员将编写以下句子:

"Alice sends", "Bill receives", and "Eve listens".

“爱丽丝发送”、“比尔接收”和“伊芙倾听”。

According to standard American usage, the punctuation in that sentence is incorrect; the continuation commas and the final period should go inside the string quotes, like this:

根据美国的标准用法,那个句子中的标点符号不正确;连续逗号和最后一个句点应位于字符串引号内,如下所示:

"Alice sends," "Bill receives," and "Eve listens."

“爱丽丝发送”、“比尔接收”和“伊芙倾听。”

However, a programmer would not include a character in a literal string if the character did not belong there, because that could cause an error. For example, suppose a sentence in a draft of a tutorial on the vi editing language looked like this:

但是,如果某个字符不属于文本字符串,程序员将不会在该字符串中包含该字符,因为这可能会导致错误。例如,假设vi编辑语言教程草稿中的一句话如下所示:

Then delete one line from the file by typing "dd".

然后通过键入“dd”从文件中删除一行。

A book editor following standard usage might change the sentence to look like this:

遵循标准用法的图书编辑可能会将句子更改为:

Then delete one line from the file by typing "dd."

然后通过键入“dd”从文件中删除一行

However, in the vi language, the dot character repeats the last command accepted. So, if a reader entered "dd.", two lines would be deleted instead of one.

但是,在vi语言中,点字符重复接受的最后一个命令。因此,如果读卡器输入“dd.”,将删除两行而不是一行。

Similarly, use of standard American punctuation might cause misunderstanding in entries in this Glossary. Thus, the new punctuation is used here, and we recommend it for IDOCs.

同样,使用标准的美国标点符号可能会导致本词汇表中条目的误解。因此,这里使用了新的标点符号,我们建议IDOCs使用它。

3. Types of Entries
3. 条目类型

Each entry in this Glossary is marked as type I, N, O, or D:

本术语表中的每个条目都标记为I、N、O或D类:

3.1. Type "I": Recommended Definitions of Internet Origin
3.1. “I”类:互联网来源的建议定义

The marking "I" indicates two things: - Origin: "I" (as opposed to "N") means either that the Internet Standards Process or Internet community is authoritative for the definition *or* that the term is sufficiently generic that this Glossary can freely state a definition without contradicting a non-Internet authority (e.g., "attack"). - Recommendation: "I" (as opposed to "O") means that the term and definition are RECOMMENDED for use in IDOCs. However, some "I" entries may be accompanied by a "Usage" note that states a limitation (e.g., "certification"), and IDOCs SHOULD NOT use the defined term outside that limited context.

标记“I”表示两件事:-来源:“I”(与“N”相对)表示互联网标准流程或互联网社区对定义具有权威性*或*该术语具有足够的通用性,因此本术语表可以自由陈述定义,而不会与非互联网权威相抵触(例如,“攻击”)。-建议:“I”(与“O”相对)表示建议在IDOC中使用该术语和定义。但是,一些“I”条目可能会附带一个“用法”注释,说明限制(例如,“认证”),IDOC不应在该限制上下文之外使用定义的术语。

Many "I" entries are proper nouns (e.g., "Internet Protocol") for which the definition is intended only to provide basic information; i.e., the authoritative definition of such terms is found elsewhere. For a proper noun described as an "Internet protocol", please refer to the current edition of "Internet Official Protocol Standards" (Standard 1) for the standardization status of the protocol.

许多“I”条目是专有名词(例如,“互联网协议”),其定义仅用于提供基本信息;i、 例如,此类术语的权威定义可在其他地方找到。对于被描述为“互联网协议”的专有名词,请参考当前版本的“互联网官方协议标准”(标准1),了解协议的标准化状态。

3.2. Type "N": Recommended Definitions of Non-Internet Origin
3.2. 类型“N”:非互联网来源的建议定义

The marking "N" indicates two things: - Origin: "N" (as opposed to "I") means that the entry has a non-Internet basis or origin. - Recommendation: "N" (as opposed to "O") means that the term and definition are RECOMMENDED for use in IDOCs, if they are needed at all in IDOCs. Many of these entries are accompanied by a label that states a context (e.g., "package") or a note that states a limitation (e.g., "data integrity"), and IDOCs SHOULD NOT use the defined term outside that context or limit. Some of the contexts are rarely if ever expected to occur in an IDOC (e.g., "baggage"). In those cases, the listing exists to make Internet authors aware of the non-Internet usage so that they can avoid conflicts with non-Internet documents.

标记“N”表示两件事:-来源:“N”(与“I”相对)表示条目具有非互联网基础或来源。-建议:“N”(与“O”相对)是指建议在IDOC中使用该术语和定义,前提是IDOC中需要这些术语和定义。其中许多条目都附有一个说明上下文的标签(例如,“包”)或一个说明限制的注释(例如,“数据完整性”),IDOC不应在该上下文或限制之外使用定义的术语。有些上下文很少出现在IDOC中(如“baggage”)。在这些情况下,该清单的存在是为了让互联网作者了解非互联网使用情况,从而避免与非互联网文档发生冲突。

3.3. Type "O": Other Terms and Definitions To Be Noted
3.3. 类型“O”:需注明的其他术语和定义

The marking "O" means that the definition is of non-Internet origin and SHOULD NOT be used in IDOCs *except* in cases where the term is specifically identified as non-Internet.

标记“O”表示该定义来源于非互联网,不应在IDOCs*中使用,除非该术语被明确标识为非互联网。

For example, an IDOC might mention "BCA" (see: brand certification authority) or "baggage" as an example of some concept; in that case, the document should specifically say "SET(trademark) BCA" or "SET(trademark) baggage" and include the definition of the term.

例如,IDOC可能会提到“BCA”(参见:品牌认证机构)或“baggage”作为某些概念的示例;在这种情况下,文件应特别注明“SET(商标)BCA”或“SET(商标)行李”,并包括该术语的定义。

3.4. Type "D": Deprecated Terms and Definitions
3.4. 类型“D”:不推荐使用的术语和定义

If this Glossary recommends that a term or definition SHOULD NOT be used in IDOCs, then the entry is marked as type "D", and an explanatory note -- "Deprecated Term", "Deprecated Abbreviation", "Deprecated Definition", or "Deprecated Usage" -- is provided.

如果本术语表建议在IDOCs中不使用术语或定义,则条目将标记为类型“D”,并提供解释性说明——“不推荐使用的术语”、“不推荐使用的缩写”、“不推荐使用的定义”或“不推荐使用的用法”。

3.5. Definition Substitutions
3.5. 定义替换

Some terms have a definition published by a non-Internet authority -- a government (e.g., "object reuse"), an industry (e.g., "Secure Data Exchange"), a national authority (e.g., "Data Encryption Standard"), or an international body (e.g., "data confidentiality") -- that is suitable for use in IDOCs. In those cases, this Glossary marks the definition "N", recommending its use in Internet documents.

一些术语的定义由非互联网机构发布——政府(如“对象重用”)、行业(如“安全数据交换”)、国家机构(如“数据加密标准”)或国际机构(如“数据保密”)——适合在IDOC中使用。在这些情况下,本术语表将定义标记为“N”,建议在互联网文档中使用。

Other such terms have definitions that are inadequate or inappropriate for IDOCs. For example, a definition might be outdated or too narrow, or it might need clarification by substituting more careful wording (e.g., "authentication exchange") or explanations, using other terms that are defined in this Glossary. In those cases,

其他此类术语的定义不适用于IDOC。例如,一个定义可能已经过时或过于狭窄,或者可能需要通过使用本术语表中定义的其他术语替换更仔细的措辞(例如,“身份验证交换”)或解释来进行澄清。在这些情况下,

this Glossary marks the entry "O", and provides an "I" or "N" entry that precedes, and is intended to supersede, the "O" entry.

本术语表对条目“O”进行了标记,并在“O”条目之前提供了一个“I”或“N”条目,旨在取代“O”条目。

In some cases where this Glossary provides a definition to supersede an "O" definition, the substitute is intended to subsume the meaning of the "O" entry and not conflict with it. For the term "security service", for example, the "O" definition deals narrowly with only communication services provided by layers in the OSIRM and is inadequate for the full range of IDOC usage, while the new "I" definition provided by this Glossary can be used in more situations and for more kinds of service. However, the "O" definition is also listed so that IDOC authors will be aware of the context in which the term is used more narrowly.

在某些情况下,如果本术语表提供了一个取代“O”定义的定义,则替换词旨在包含“O”条目的含义,而不是与之冲突。例如,就术语“安全服务”而言,“O”定义仅狭隘地涉及OSIRM中各层提供的通信服务,不适合IDOC的全部使用,而本术语表提供的新“I”定义可用于更多情况和更多种类的服务。然而,也列出了“O”的定义,以便IDOC的作者了解该术语使用范围更窄的上下文。

When making substitutions, this Glossary attempts to avoid contradicting any non-Internet authority. Still, terminology differs between authorities such as the American Bar Association, OSI, SET, the U.S. DoD, and other authorities; and this Glossary probably is not exactly aligned with any of them.

在进行替换时,本术语表试图避免与任何非互联网权威相矛盾。尽管如此,美国律师协会、OSI、SET、美国国防部等机构和其他机构的术语仍有所不同;这个术语表可能与它们中的任何一个都不完全一致。

4. Definitions
4. 定义

$ *-property (N) Synonym for "confinement property" in the context of the Bell-LaPadula model. Pronunciation: star property.

$ *-属性(N)是贝尔-拉帕杜拉模型中“限制属性”的同义词。发音:星级酒店。

$ 3DES (N) See: Triple Data Encryption Algorithm.

$ 3DES(N)参见:三重数据加密算法。

$ A1 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria". (Compare: beyond A1.)

$ A1计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。(比较:超出A1。)

$ AA (D) See: Deprecated Usage under "attribute authority".

$ AA(D)参见“属性权限”下的不推荐用法。

$ ABA Guidelines (N) "American Bar Association (ABA) Digital Signature Guidelines" [DSG], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.

$ 美国律师协会指南(N)“美国律师协会(ABA)数字签名指南”[DSG],在电子商务中使用数字签名和数字证书的法律原则框架。

$ Abstract Syntax Notation One (ASN.1) (N) A standard for describing data objects. [Larm, X680] (See: CMS.)

$ 抽象语法符号1(ASN.1)(N)描述数据对象的标准。[Larm,X680](参见:CMS)

Usage: IDOCs SHOULD use the term "ASN.1" narrowly to describe the notation or language called "Abstract Syntax Notation One". IDOCs MAY use the term more broadly to encompass the notation, its

用法:IDOCs应该狭义地使用术语“ASN.1”来描述称为“抽象语法符号1”的符号或语言。IDOCs可能会更广泛地使用该术语来包含符号,即

associated encoding rules (see: BER), and software tools that assist in its use, when the context makes this meaning clear.

相关的编码规则(请参阅:BER)和软件工具,当上下文明确了这一含义时,可帮助使用。

Tutorial: OSIRM defines computer network functionality in layers. Protocols and data objects at higher layers are abstractly defined to be implemented using protocols and data objects from lower layers. A higher layer may define transfers of abstract objects between computers, and a lower layer may define those transfers concretely as strings of bits. Syntax is needed to specify data formats of abstract objects, and encoding rules are needed to transform abstract objects into bit strings at lower layers. OSI standards use ASN.1 for those specifications and use various encoding rules for those transformations. (See: BER.)

教程:OSIRM在层中定义计算机网络功能。高层的协议和数据对象被抽象定义为使用下层的协议和数据对象来实现。上层可以定义计算机之间抽象对象的传输,下层可以将这些传输具体定义为位串。语法需要指定抽象对象的数据格式,编码规则需要在较低层将抽象对象转换为位字符串。OSI标准对这些规范使用ASN.1,并对这些转换使用各种编码规则。(见:BER)

In ASN.1, formal names are written without spaces, and separate words in a name are indicated by capitalizing the first letter of each word except the first word. For example, the name of a CRL is "certificateRevocationList".

在ASN.1中,正式名称是不带空格的,名称中的单独单词是通过大写每个单词的第一个字母来表示的,第一个单词除外。例如,CRL的名称是“CertificatereJournalist”。

$ ACC (I) See: access control center.

$ ACC(一)见:门禁中心。

$ acceptable risk (I) A risk that is understood and tolerated by a system's user, operator, owner, or accreditor, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. (See: adequate security, risk, "second law" under "Courtney's laws".)

$ 可接受风险(I)系统用户、运营商、所有者或认证机构理解和容忍的风险,通常是因为针对相关漏洞实施有效对策的成本或难度超过了损失预期。(参见:充分的安全、风险、“考特尼定律”下的“第二定律”。)

$ access 1a. (I) The ability and means to communicate with or otherwise interact with a system to use system resources either to handle information or to gain knowledge of the information the system contains. (Compare: handle.)

$ 通道1a。(一) 与系统通信或以其他方式与系统交互以使用系统资源来处理信息或获取系统包含的信息的能力和方法。(比较:句柄。)

Usage: The definition is intended to include all types of communication with a system, including one-way communication in either direction. In actual practice, however, passive users might be treated as not having "access" and, therefore, be exempt from most requirements of the system's security policy. (See: "passive user" under "user".)

用法:该定义旨在包括与系统的所有类型的通信,包括任一方向的单向通信。然而,在实际操作中,被动用户可能被视为没有“访问权”,因此可以免除系统安全策略的大多数要求。(请参阅“用户”下的“被动用户”。)

1b. (O) "Opportunity to make use of an information system (IS) resource." [C4009]

1b。(O) “利用信息系统(IS)资源的机会。”[C4009]

2. (O) /formal model/ "A specific type of interaction between a subject and an object that results in the flow of information from one to the other." [NCS04]

2. (O) /formal model/“主体和客体之间的一种特定类型的交互,导致信息从一个流向另一个。”[NCS04]

$ Access Certificate for Electronic Services (ACES) (O) A PKI operated by the U.S. Government's General Services Administration in cooperation with industry partners. (See: CAM.)

$ 电子服务访问证书(ACES)(O)由美国政府总务管理局与行业合作伙伴合作运营的PKI。(请参阅:CAM。)

$ access control 1. (I) Protection of system resources against unauthorized access.

$ 访问控制1。(一) 保护系统资源,防止未经授权的访问。

2. (I) A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. (See: access, access control service, computer security, discretionary access control, mandatory access control, role-based access control.)

2. (一) 一种过程,通过该过程,系统资源的使用根据安全策略进行管理,并且根据该策略,只有授权实体(用户、程序、进程或其他系统)才允许使用系统资源。(请参阅:访问、访问控制服务、计算机安全、自主访问控制、强制访问控制、基于角色的访问控制。)

3. (I) /formal model/ Limitations on interactions between subjects and objects in an information system.

3. (一) /形式模型/信息系统中主体和对象之间交互的限制。

4. (O) "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner." [I7498-2]

4. (O) “防止未经授权使用资源,包括防止以未经授权的方式使用资源。”[I7498-2]

5. (O) /U.S. Government/ A system using physical, electronic, or human controls to identify or admit personnel with properly authorized access to a SCIF.

5. (O) /美国政府/A使用物理、电子或人工控制来识别或接纳有权访问SCIF的人员的系统。

$ access control center (ACC) (I) A computer that maintains a database (possibly in the form of an access control matrix) defining the security policy for an access control service, and that acts as a server for clients requesting access control decisions.

$ 访问控制中心(ACC)(I)维护数据库(可能以访问控制矩阵的形式)的计算机,该数据库定义访问控制服务的安全策略,并充当请求访问控制决策的客户端的服务器。

Tutorial: An ACC is sometimes used in conjunction with a key center to implement access control in a key-distribution system for symmetric cryptography. (See: BLACKER, Kerberos.)

教程:ACC有时与密钥中心结合使用,以实现对称加密密钥分发系统中的访问控制。(请参阅:BLACKER,Kerberos。)

$ access control list (ACL) (I) /information system/ A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity. (Compare: access control matrix, access list, access profile, capability list.)

$ 访问控制列表(ACL)(I)/信息系统/通过列举允许访问资源的系统实体并隐式或显式说明授予每个实体的访问模式,实现系统资源访问控制的机制。(比较:访问控制矩阵、访问列表、访问配置文件、能力列表。)

$ access control matrix (I) A rectangular array of cells, with one row per subject and one column per object. The entry in a cell -- that is, the entry for a particular subject-object pair -- indicates the access mode that the subject is permitted to exercise on the object. Each column is

$ 访问控制矩阵(I)单元格的矩形阵列,每个主题一行,每个对象一列。单元格中的条目(即特定的subject-object对的条目)表示允许主体在对象上执行的访问模式。每列都是

equivalent to an "access control list" for the object; and each row is equivalent to an "access profile" for the subject.

相当于对象的“访问控制列表”;每一行相当于主题的“访问配置文件”。

$ access control service (I) A security service that protects against a system entity using a system resource in a way not authorized by the system's security policy. (See: access control, discretionary access control, identity-based security policy, mandatory access control, rule-based security policy.)

$ 访问控制服务(I)防止系统实体以未经系统安全策略授权的方式使用系统资源的安全服务。(请参阅:访问控制、自主访问控制、基于身份的安全策略、强制访问控制、基于规则的安全策略。)

Tutorial: This service includes protecting against use of a resource in an unauthorized manner by an entity (i.e., a principal) that is authorized to use the resource in some other manner. (See: insider.) The two basic mechanisms for implementing this service are ACLs and tickets.

教程:此服务包括防止被授权以其他方式使用资源的实体(即主体)以未经授权的方式使用资源。(请参阅:insider。)实现此服务的两种基本机制是ACL和票证。

$ access level 1. (D) Synonym for the hierarchical "classification level" in a security level. [C4009] (See: security level.)

$ 访问级别1。(D) 安全级别中分层“分类级别”的同义词。[C4009](请参阅:安全级别。)

2. (D) Synonym for "clearance level".

2. (D) “清除水平”的同义词。

Deprecated Definitions: IDOCs SHOULD NOT use this term with these definitions because they duplicate the meaning of more specific terms. Any IDOC that uses this term SHOULD provide a specific definition for it because access control may be based on many attributes other than classification level and clearance level.

不推荐使用的定义:IDoc不应将此术语与这些定义一起使用,因为它们重复了更具体术语的含义。任何使用该术语的IDOC都应该为其提供一个特定的定义,因为访问控制可能基于除分类级别和清除级别之外的许多属性。

$ access list (I) /physical security/ Roster of persons who are authorized to enter a controlled area. (Compare: access control list.)

$ 有权进入控制区的人员名单(I)/人身安全/名册。(比较:访问控制列表。)

$ access mode (I) A distinct type of data processing operation (e.g., read, write, append, or execute, or a combination of operations) that a subject can potentially perform on an object in an information system. [Huff] (See: read, write.)

$ 访问模式(I)主体可能对信息系统中的对象执行的不同类型的数据处理操作(例如,读取、写入、附加或执行,或操作组合)。[Huff](参见:读、写)

$ access policy (I) A kind of "security policy". (See: access, access control.)

$ 访问策略(I)一种“安全策略”。(请参见:访问,访问控制。)

$ access profile (O) Synonym for "capability list".

$ 访问配置文件(O)是“能力列表”的同义词。

Usage: IDOCs that use this term SHOULD state a definition for it because the definition is not widely known.

用法:使用这个术语的IDoc应该为它声明一个定义,因为这个定义并不广为人知。

$ access right (I) Synonym for "authorization"; emphasizes the possession of the authorization by a system entity.

$ 访问权(I)“授权”的同义词;强调系统实体拥有授权。

$ accountability (I) The property of a system or system resource that ensures that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions. [Huff] (See: audit service.)

$ 责任(I)系统或系统资源的属性,确保系统实体的行为可以唯一地追溯到该实体,然后该实体可以对其行为负责。[Huff](请参阅:审计服务。)

Tutorial: Accountability (a.k.a. individual accountability) typically requires a system ability to positively associate the identity of a user with the time, method, and mode of the user's access to the system. This ability supports detection and subsequent investigation of security breaches. Individual persons who are system users are held accountable for their actions after being notified of the rules of behavior for using the system and the penalties associated with violating those rules.

教程:责任制(也称为个人责任制)通常要求系统能够将用户身份与用户访问系统的时间、方法和模式积极关联。此功能支持对安全漏洞的检测和后续调查。作为系统用户的个人在被告知使用系统的行为规则以及与违反这些规则相关的处罚后,应对其行为负责。

$ accounting See: COMSEC accounting.

$ 会计见:通信安全会计。

$ accounting legend code (ALC) (O) /U.S. Government/ Numeric system used to indicate the minimum accounting controls required for items of COMSEC material within the CMCS. [C4009] (See: COMSEC accounting.)

$ 会计图例代码(ALC)(O)/美国政府/数字系统,用于指示CMCS内通信安全材料项目所需的最低会计控制。[C4009](参见:通信安全会计)

$ accreditation (N) An administrative action by which a designated authority declares that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. [FP102, SP37] (See: certification.)

$ 认证(N):一种行政行为,指定机构通过该行为宣布信息系统已获准在特定的安全配置下运行,并具有一套规定的安全措施。[FP102,SP37](参见:认证。)

Tutorial: An accreditation is usually based on a technical certification of the system's security mechanisms. To accredit a system, the approving authority must determine that any residual risk is an acceptable risk. Although the terms "certification" and "accreditation" are used more in the U.S. DoD and other U.S. Government agencies than in commercial organizations, the concepts apply any place where managers are required to deal with and accept responsibility for security risks. For example, the American Bar Association is developing accreditation criteria for CAs.

教程:认证通常基于系统安全机制的技术认证。要认证系统,审批机构必须确定任何剩余风险都是可接受的风险。虽然“认证”和“认可”这两个术语在美国国防部和其他美国政府机构中的使用比在商业组织中的使用要多,但这些概念适用于要求管理人员处理和承担安全风险责任的任何地方。例如,美国律师协会正在为CAs制定认证标准。

$ accreditation boundary (O) Synonym for "security perimeter". [C4009]

$ 认证边界(O)是“安全边界”的同义词。[C4009]

$ accreditor (N) A management official who has been designated to have the formal authority to "accredit" an information system, i.e., to authorize the operation of, and the processing of sensitive data in, the system and to accept the residual risk associated with the system. (See: accreditation, residual risk.)

$ 授权人(N):被指定具有正式授权对信息系统进行“授权”的管理人员,即授权对系统中的敏感数据进行操作和处理,并接受与系统相关的剩余风险。(参见:认证,剩余风险。)

$ ACES (O) See: Access Certificate for Electronic Services.

$ ACES(O)见:电子服务准入证书。

$ ACL (I) See: access control list.

$ ACL(I)见:访问控制列表。

$ acquirer 1. (O) /SET/ "The financial institution that establishes an account with a merchant and processes payment card authorizations and payments." [SET1]

$ 收单机构1。(O) /SET/“与商户建立账户并处理支付卡授权和支付的金融机构。”[SET1]

2. (O) /SET/ "The institution (or its agent) that acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system." [SET2]

2. (O) /SET/“从卡接受人处获取与交易有关的财务数据并将该数据导入交换系统的机构(或其代理人)。[SET2]

$ activation data (N) Secret data, other than keys, that is required to access a cryptographic module. (See: CIK. Compare: initialization value.)

$ 激活数据(N)访问加密模块所需的除密钥以外的机密数据。(请参见:CIK.Compare:初始化值。)

$ active attack (I) See: secondary definition under "attack".

$ 主动攻击(I)见“攻击”下的二级定义。

$ active content 1a. (I) Executable software that is bound to a document or other data file and that executes automatically when a user accesses the file, without explicit initiation by the user. (Compare: mobile code.)

$ 活性成分1a。(一) 绑定到文档或其他数据文件并在用户访问该文件时自动执行的可执行软件,无需用户明确启动。(比较:移动代码。)

Tutorial: Active content can be mobile code when its associated file is transferred across a network.

教程:通过网络传输相关文件时,活动内容可以是移动代码。

1b. (O) "Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. [This technology enables] mobile code associated with a document to execute as the document is rendered." [SP28]

1b。(O) “无需用户干预即可在计算机平台上自动执行或触发操作的电子文档。[该技术使]与文档相关联的移动代码能够在呈现文档时执行。”[SP28]

$ active user (I) See: secondary definition under "system user".

$ 活动用户(I)参见“系统用户”下的二级定义。

$ active wiretapping (I) A wiretapping attack that attempts to alter data being communicated or otherwise affect data flow. (See: wiretapping. Compare: active attack, passive wiretapping.)

$ 主动窃听(I)试图改变正在通信的数据或以其他方式影响数据流的窃听攻击。(请参阅:窃听。比较:主动攻击和被动窃听。)

$ add-on security (N) The retrofitting of protection mechanisms, implemented by hardware or software, in an information system after the system has become operational. [FP039] (Compare: baked-in security.)

$ 附加安全性(N):在信息系统开始运行后,通过硬件或软件对保护机制进行改造。[FP039](比较:安全烘焙。)

$ adequate security (O) /U.S. DoD/ "Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." (See: acceptable risk, residual risk.)

$ 充分安全(O)/美国国防部/“与信息丢失、误用或未经授权访问或修改造成的危害风险和程度相称的安全。”(参见:可接受风险,剩余风险。)

$ administrative security 1. (I) Management procedures and constraints to prevent unauthorized access to a system. (See: "third law" under "Courtney's laws", manager, operational security, procedural security, security architecture. Compare: technical security.)

$ 行政安全1。(一) 防止未经授权访问系统的管理程序和限制。(参见“科特尼定律”下的“第三定律”,运营安全、程序安全、安全架构经理。比较:技术安全。)

Examples: Clear delineation and separation of duties; configuration control.

例如:职责的明确划分和分离;配置控制。

Usage: Administrative security is usually understood to consist of methods and mechanisms that are implemented and executed primarily by people, rather than by automated systems.

用法:管理安全性通常被理解为由主要由人而不是由自动化系统实现和执行的方法和机制组成。

2. (O) "The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data." [FP039]

2. (O) “为为敏感数据提供可接受的保护水平而建立的管理约束、操作程序、问责程序和补充控制。”[FP039]

$ administrator 1. (O) /Common Criteria/ A person that is responsible for configuring, maintaining, and administering the TOE in a correct manner for maximum security. (See: administrative security.)

$ 管理员1。(O) /Common Criteria/负责以正确的方式配置、维护和管理TOE以实现最大安全性的人员。(请参阅:管理安全。)

2. (O) /ITSEC/ A person in contact with the TOE, who is responsible for maintaining its operational capability.

2. (O) /ITSEC/与TOE接触的人员,负责维持其操作能力。

$ Advanced Encryption Standard (AES) (N) A U.S. Government standard [FP197] (the successor to DES) that (a) specifies "the AES algorithm", which is a symmetric block cipher that is based on Rijndael and uses key sizes of 128, 192, or 256 bits to operate on a 128-bit block, and (b) states policy for using that algorithm to protect unclassified, sensitive data.

$ 高级加密标准(AES)(N)美国政府标准[FP197](DES的继承者),其中(A)规定了“AES算法”,这是一种基于Rijndael的对称分组密码,使用128、192或256位密钥大小对128位块进行操作,并且(b)规定了使用该算法保护未分类数据的策略,敏感数据。

Tutorial: Rijndael was designed to handle additional block sizes and key lengths that were not adopted in the AES. Rijndael was selected by NIST through a public competition that was held to find a successor to the DEA; the other finalists were MARS, RC6, Serpent, and Twofish.

教程:Rijndael设计用于处理AES中未采用的额外块大小和键长度。Rijndael是NIST通过公开竞争选出的,该竞争旨在寻找DEA的继任者;其他入围者是MARS、RC6、Serpent和Twofish。

$ adversary 1. (I) An entity that attacks a system. (Compare: cracker, intruder, hacker.)

$ 对手1。(一) 攻击系统的实体。(比较:黑客、入侵者、黑客。)

2. (I) An entity that is a threat to a system.

2. (一) 对系统构成威胁的实体。

$ AES (N) See: Advanced Encryption Standard.

$ AES(N)参见:高级加密标准。

$ Affirm (O) A formal methodology, language, and integrated set of software tools developed at the University of Southern California's Information Sciences Institute for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]

$ 肯定(o)在南加州大学信息科学研究所开发的用于指定、编码和验证软件以产生正确和可靠程序的正式方法、语言和成套软件工具。[车]

$ aggregation (I) A circumstance in which a collection of information items is required to be classified at a higher security level than any of the items is classified individually. (See: classification.)

$ 聚合(I)一种情况,在这种情况下,信息项集合需要在比单独分类的任何信息项更高的安全级别上进行分类。(见:分类。)

$ AH (I) See: Authentication Header

$ AH(I)参见:认证头

$ air gap (I) An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control). (See: sneaker net. Compare: gateway.)

$ 气隙(I)两个系统之间的接口,其中(a)它们没有物理连接,(b)任何逻辑连接都不是自动的(即,数据仅在人工控制下通过接口传输)。(参见:运动鞋网。比较:网关。)

Example: Computer A and computer B are on opposite sides of a room. To move data from A to B, a person carries a disk across the room. If A and B operate in different security domains, then moving data across the air gap may involve an upgrade or downgrade operation.

示例:计算机A和计算机B位于房间的两侧。要将数据从A移动到B,一个人携带一张磁盘穿过房间。如果A和B在不同的安全域中运行,那么跨气隙移动数据可能涉及升级或降级操作。

$ ALC (O) See: accounting legend code.

$ ALC(O)参见:会计图例代码。

$ algorithm (I) A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. (See: cryptographic algorithm.)

$ 算法(I)用于解决问题或计算过程的一组有限的分步指令,特别是可以由计算机实现的指令。(请参阅:加密算法。)

$ alias (I) A name that an entity uses in place of its real name, usually for the purpose of either anonymity or masquerade.

$ 别名(I)实体用以代替真实姓名的名称,通常用于匿名或伪装。

$ Alice and Bob (I) The parties that are most often called upon to illustrate the operation of bipartite security protocols. These and other dramatis personae are listed by Schneier [Schn].

$ Alice和Bob(I)最常被要求说明双边安全协议操作的各方。Schneier[Schn]列出了这些和其他戏剧人物。

$ American National Standards Institute (ANSI) (N) A private, not-for-profit association that administers U.S. private-sector voluntary standards.

$ 美国国家标准协会(ANSI)(N):一个管理美国私营部门自愿性标准的非营利私人协会。

Tutorial: ANSI has approximately 1,000 member organizations, including equipment users, manufacturers, and others. These include commercial firms, governmental agencies, and other institutions and international entities.

教程:ANSI有大约1000个成员组织,包括设备用户、制造商和其他组织。其中包括商业公司、政府机构以及其他机构和国际实体。

ANSI is the sole U.S. representative to (a) ISO and (b) (via the U.S. National Committee) the International Electrotechnical Commission (IEC), which are the two major, non-treaty, international standards organizations.

ANSI是(a)ISO和(b)(通过美国国家委员会)国际电工委员会(IEC)的唯一美国代表,这两个主要的非条约国际标准组织。

ANSI provides a forum for ANSI-accredited standards development groups. Among those groups, the following are especially relevant to Internet security: - International Committee for Information Technology Standardization (INCITS) (formerly X3): Primary U.S. focus of standardization in information and communications technologies, encompassing storage, processing, transfer, display, management, organization, and retrieval of information. Example: [A3092]. - Accredited Standards Committee X9: Develops, establishes, maintains, and promotes standards for the financial services industry. Example: [A9009]. - Alliance for Telecommunications Industry Solutions (ATIS): Develops standards, specifications, guidelines, requirements, technical reports, industry processes, and verification tests for interoperability and reliability of telecommunications networks, equipment, and software. Example: [A1523].

ANSI为ANSI认证的标准开发小组提供了一个论坛。在这些群体中,以下群体与互联网安全特别相关:-国际信息技术标准化委员会(INCITS)(前身为X3):美国信息和通信技术标准化的主要重点,包括存储、处理、传输、显示、管理、组织,和信息检索。示例:[A3092]。-认可标准委员会X9:为金融服务行业制定、建立、维护和推广标准。示例:[A9009]。-电信行业解决方案联盟(ATIS):为电信网络、设备和软件的互操作性和可靠性制定标准、规范、指南、要求、技术报告、行业流程和验证测试。示例:[A1523]。

$ American Standard Code for Information Interchange (ASCII) (N) A scheme that encodes 128 specified characters -- the numbers 0-9, the letters a-z and A-Z, some basic punctuation symbols, some control codes that originated with Teletype machines, and a blank space -- into the 7-bit binary integers. Forms the basis of the character set representations used in most computers and many Internet standards. [FP001] (See: code.)

$ 美国信息交换标准代码(ASCII)(N)一种将128个指定字符(数字0-9、字母A-z和A-z、一些基本标点符号、一些源自电传打字机的控制代码和一个空格)编码为7位二进制整数的方案。构成大多数计算机和许多Internet标准中使用的字符集表示的基础。[FP001](见:代码)

$ Anderson report (O) A 1972 study of computer security that was written by James P. Anderson for the U.S. Air Force [Ande].

$ 安德森报告(O):一份1972年的计算机安全研究报告,由詹姆斯·安德森为美国空军[Ande]撰写。

Tutorial: Anderson collaborated with a panel of experts to study Air Force requirements for multilevel security. The study recommended research and development that was urgently needed to provide secure information processing for command and control systems and support systems. The report introduced the reference monitor concept and provided development impetus for computer and network security technology. However, many of the security problems that the 1972 report called "current" still plague information systems today.

教程:安德森与专家小组合作,研究空军对多级安全的要求。这项研究建议进行迫切需要的研究和开发,以便为指挥和控制系统及支助系统提供安全的信息处理。该报告介绍了参考监视器的概念,并为计算机和网络安全技术提供了发展动力。然而,1972年报告称之为“当前”的许多安全问题至今仍困扰着信息系统。

$ anomaly detection (I) An intrusion detection method that searches for activity that is different from the normal behavior of system entities and system resources. (See: IDS. Compare: misuse detection.)

$ 异常检测(I)一种入侵检测方法,用于搜索与系统实体和系统资源的正常行为不同的活动。(请参阅:IDS.Compare:误用检测。)

$ anonymity (I) The condition of an identity being unknown or concealed. (See: alias, anonymizer, anonymous credential, anonymous login, identity, onion routing, persona certificate. Compare: privacy.)

$ 匿名性(I)身份未知或隐藏的情况。(请参阅:别名、匿名者、匿名凭据、匿名登录、身份、洋葱路由、角色证书。比较:隐私。)

Tutorial: An application may require security services that maintain anonymity of users or other system entities, perhaps to preserve their privacy or hide them from attack. To hide an entity's real name, an alias may be used; for example, a financial institution may assign account numbers. Parties to transactions can thus remain relatively anonymous, but can also accept the transactions as legitimate. Real names of the parties cannot be easily determined by observers of the transactions, but an authorized third party may be able to map an alias to a real name, such as by presenting the institution with a court order. In other applications, anonymous entities may be completely untraceable.

教程:应用程序可能需要维护用户或其他系统实体匿名性的安全服务,可能是为了保护他们的隐私或隐藏他们免受攻击。为了隐藏实体的真实名称,可以使用别名;例如,金融机构可能会分配账号。因此,交易各方可以保持相对匿名,但也可以将交易视为合法。交易观察员无法轻易确定当事人的真实姓名,但经授权的第三方可以将别名映射为真实姓名,例如向机构提交法院命令。在其他应用程序中,匿名实体可能完全不可追踪。

$ anonymizer (I) An internetwork service, usually provided via a proxy server, that provides anonymity and privacy for clients. That is, the service enables a client to access servers (a) without allowing

$ 匿名者(I)通常通过代理服务器提供的互联网服务,为客户提供匿名性和隐私。也就是说,该服务允许客户端访问服务器(a),而不允许

anyone to gather information about which servers the client accesses and (b) without allowing the accessed servers to gather information about the client, such as its IP address.

任何人都可以收集有关客户端访问哪些服务器的信息,并且(b)不允许被访问的服务器收集有关客户端的信息,例如其IP地址。

$ anonymous credential (D) /U.S. Government/ A credential that (a) can be used to authenticate a person as having a specific attribute or being a member of a specific group (e.g., military veterans or U.S. citizens) but (b) does not reveal the individual identity of the person that presents the credential. [M0404] (See: anonymity.)

$ 匿名凭证(D)/美国政府/一种凭证,该凭证(A)可用于认证具有特定属性的人员或特定群体的成员(如退伍军人或美国公民),但(b)不显示出示凭证人员的个人身份。[M0404](参见:匿名。)

Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. For example, when the credential is an X.509 certificate, the term could be misunderstood to mean that the certificate was signed by a CA that has a persona certificate. Instead, use "attribute certificate", "organizational certificate", or "persona certificate" depending on what is meant, and provide additional explanations as needed.

不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。例如,当凭证是X.509证书时,该术语可能会被误解为该证书是由具有角色证书的CA签署的。相反,使用“属性证书”、“组织证书”或“角色证书”取决于其含义,并根据需要提供其他解释。

$ anonymous login (I) An access control feature (actually, an access control vulnerability) in many Internet hosts that enables users to gain access to general-purpose or public services and resources of a host (such as allowing any user to transfer data using FTP) without having a pre-established, identity-specific account (i.e., user name and password). (See: anonymity.)

$ 匿名登录(I)许多Internet主机中的一种访问控制功能(实际上是一种访问控制漏洞),使用户能够访问主机的通用或公共服务和资源(例如,允许任何用户使用FTP传输数据),而无需预设特定于身份的帐户(即用户名和密码)。(请参阅:匿名。)

Tutorial: This feature exposes a system to more threats than when all the users are known, pre-registered entities that are individually accountable for their actions. A user logs in using a special, publicly known user name (e.g., "anonymous", "guest", or "ftp"). To use the public login name, the user is not required to know a secret password and may not be required to input anything at all except the name. In other cases, to complete the normal sequence of steps in a login protocol, the system may require the user to input a matching, publicly known password (such as "anonymous") or may ask the user for an e-mail address or some other arbitrary character string.

教程:与所有用户都是已知的、预先注册的、对其行为负责的实体相比,此功能使系统面临更多的威胁。用户使用特殊的、公开的用户名(例如,“匿名”、“来宾”或“ftp”)登录。要使用公共登录名,用户无需知道密码,也无需输入除名称以外的任何内容。在其他情况下,为了完成登录协议中的正常步骤序列,系统可能要求用户输入匹配的公开密码(例如“匿名”),或者可能要求用户输入电子邮件地址或其他任意字符串。

$ ANSI (N) See: American National Standards Institute.

$ ANSI(N)见:美国国家标准协会。

$ anti-jam (N) "Measures ensuring that transmitted information can be received despite deliberate jamming attempts." [C4009] (See: electronic security, frequency hopping, jam, spread spectrum.)

$ 抗干扰(N)“确保在故意干扰的情况下仍能接收传输信息的措施。”[C4009](见:电子安全、跳频、干扰、扩频。)

$ apex trust anchor (N) The trust anchor that is superior to all other trust anchors in a particular system or context. (See: trust anchor, top CA.)

$ 顶点信任锚(N)在特定系统或上下文中优于所有其他信任锚的信任锚。(请参阅:信任锚,顶部CA)

$ API (I) See: application programming interface.

$ API(I)见:应用程序编程接口。

$ APOP (I) See: POP3 APOP.

$ APOP(I)见:POP3 APOP。

$ Application Layer See: Internet Protocol Suite, OSIRM.

$ 应用层请参阅:互联网协议套件,OSIRM。

$ application program (I) A computer program that performs a specific function directly for a user (as opposed to a program that is part of a computer operating system and exists to perform functions in support of application programs).

$ 应用程序(I)直接为用户执行特定功能的计算机程序(与作为计算机操作系统的一部分并用于执行支持应用程序的功能的程序相反)。

$ architecture (I) See: security architecture, system architecture.

$ 架构(I)参见:安全架构、系统架构。

$ archive 1a. (I) /noun/ A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (Compare: backup, repository.)

$ 档案1a。(一) /noon/A出于历史和其他目的(如支持审核服务、可用性服务或系统完整性服务)而存储相对较长时间的数据集合。(比较:备份、存储库。)

1b. (I) /verb/ To store data in such a way as to create an archive. (Compare: back up.)

1b。(一) /verb/以创建存档的方式存储数据。(比较:备份。)

Tutorial: A digital signature may need to be verified many years after the signing occurs. The CA -- the one that issued the certificate containing the public key needed to verify that signature -- may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates.

教程:数字签名可能需要在签名发生多年后进行验证。CA(颁发包含验证该签名所需公钥的证书的CA)可能不会保持那么长时间的运行。因此,每个CA都需要长期存储所需的信息,以验证向其颁发证书的人的签名。

$ ARPANET (I) Advanced Research Projects Agency (ARPA) Network, a pioneer packet-switched network that (a) was designed, implemented, operated, and maintained by BBN from January 1969 until July 1975 under contract to the U.S. Government; (b) led to the development of today's Internet; and (c) was decommissioned in June 1990. [B4799, Hafn]

$ ARPANET(I)高级研究计划署(ARPA)网络,一个先锋分组交换网络,根据与美国政府签订的合同,BBN于1969年1月至1975年7月设计、实施、运营和维护;(b) 导致了当今互联网的发展;(c)于1990年6月退役。[B4799,哈芬]

$ ASCII (N) See: American Standard Code for Information Interchange.

$ ASCII(N)参见:美国信息交换标准代码。

$ ASN.1 (N) See: Abstract Syntax Notation One.

$ ASN.1(N)见:抽象语法符号一。

$ asset (I) A system resource that is (a) required to be protected by an information system's security policy, (b) intended to be protected by a countermeasure, or (c) required for a system's mission.

$ 资产(I)(A)需要由信息系统安全策略保护的系统资源,(b)打算由对策保护的系统资源,或(c)系统任务所需的系统资源。

$ association (I) A cooperative relationship between system entities, usually for the purpose of transferring information between them. (See: security association.)

$ 关联(I)系统实体之间的合作关系,通常用于在它们之间传输信息。(见:安全协会。)

$ assurance See: security assurance.

$ 保证见:安全保证。

$ assurance level (N) A rank on a hierarchical scale that judges the confidence someone can have that a TOE adequately fulfills stated security requirements. (See: assurance, certificate policy, EAL, TCSEC.)

$ 保证水平(N):等级等级评定中的一个等级,用于判断某人对某个脚趾能够充分满足规定的安全要求的信心。(参见:保证、证书政策、EAL、TCSEC。)

Example: U.S. Government guidance [M0404] describes four assurance levels for identity authentication, where each level "describes the [U.S. Federal Government] agency's degree of certainty that the user has presented [a credential] that refers to [the user's] identity." In that guidance, assurance is defined as (a) "the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued" and (b) "the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued."

示例:美国政府指南[M0404]描述了身份验证的四个保证级别,其中每个级别“描述了[美国联邦政府]机构对用户已提交[用户]身份的[凭证]的确定程度。”在该指南中,保证定义为(a)“用于确定证书颁发给的个人身份的审查过程的置信度”和(b)“使用证书的个人是证书颁发给的个人的置信度。”

The four levels are described as follows: - Level 1: Little or no confidence in the asserted identity. - Level 2: Some confidence in the asserted identity. - Level 3: High confidence in the asserted identity. - Level 4: Very high confidence in the asserted identity.

四个级别的描述如下:-级别1:对断言的身份几乎没有信心或没有信心。-第2级:对断言的身份有一定的信心。-第3级:对断言的身份高度信任。-第4级:对所声称的身份非常信任。

Standards for determining these levels are provided in a NIST publication [SP12]. However, as noted there, an assurance level is "a degree of confidence, not a true measure of how secure the system actually is. This distinction is necessary because it is extremely difficult -- and in many cases, virtually impossible -- to know exactly how secure a system is."

NIST出版物[SP12]中提供了确定这些水平的标准。然而,正如文中所指出的,保证水平是“一种置信度,而不是系统实际安全程度的真实衡量标准。这种区分是必要的,因为准确地知道系统的安全程度是极其困难的,在许多情况下,几乎是不可能的。”

$ asymmetric cryptography (I) A modern branch of cryptography (popularly known as "public-key cryptography") in which the algorithms use a pair of keys (a public key and a private key) and use a different component of the pair for each of two counterpart cryptographic operations (e.g.,

$ 非对称密码学(I)密码学的一个现代分支(通常称为“公钥密码学”),其中算法使用一对密钥(公钥和私钥),并为两个对应的加密操作(例如。,

encryption and decryption, or signature creation and signature verification). (See: key pair, symmetric cryptography.)

加密和解密,或签名创建和签名验证)。(请参阅:密钥对,对称加密。)

Tutorial: Asymmetric algorithms have key management advantages over equivalently strong symmetric ones. First, one key of the pair need not be known by anyone but its owner; so it can more easily be kept secret. Second, although the other key is shared by all entities that use the algorithm, that key need not be kept secret from other, non-using entities; thus, the key-distribution part of key management can be done more easily.

教程:非对称算法比等价的强对称算法具有密钥管理优势。首先,这对钥匙中的一把不需要任何人知道,只有它的主人知道;所以它更容易被保密。第二,尽管其他密钥由使用该算法的所有实体共享,但该密钥不需要对其他非使用实体保密;因此,可以更容易地完成密钥管理的密钥分发部分。

Asymmetric cryptography can be used to create algorithms for encryption, digital signature, and key agreement: - In an asymmetric encryption algorithm (e.g., "RSA"), when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a public key provided by Bob. Only Bob has the matching private key that is needed to decrypt the data. (Compare: seal.) - In an asymmetric digital signature algorithm (e.g., "DSA"), when Alice wants to ensure data integrity or provide authentication for data she sends to Bob, she uses her private key to sign the data (i.e., create a digital signature based on the data). To verify the signature, Bob uses the matching public key that Alice has provided. - In an asymmetric key-agreement algorithm (e.g., "Diffie-Hellman-Merkle"), Alice and Bob each send their own public key to the other party. Then each uses their own private key and the other's public key to compute the new key value.

非对称加密可用于创建加密、数字签名和密钥协商的算法:-在非对称加密算法(如“RSA”)中,当Alice希望确保发送给Bob的数据的机密性时,她使用Bob提供的公钥对数据进行加密。只有Bob具有解密数据所需的匹配私钥。(比较:seal.)-在非对称数字签名算法(例如,“DSA”)中,当Alice希望确保数据完整性或为发送给Bob的数据提供身份验证时,她使用私钥对数据进行签名(即,基于数据创建数字签名)。为了验证签名,Bob使用Alice提供的匹配公钥。-在非对称密钥协商算法(例如,“Diffie-Hellman-Merkle”)中,Alice和Bob各自向另一方发送自己的公钥。然后,每一方使用自己的私钥和另一方的公钥来计算新的密钥值。

$ asymmetric key (I) A cryptographic key that is used in an asymmetric cryptographic algorithm. (See: asymmetric cryptography, private key, public key.)

$ 非对称密钥(I)非对称加密算法中使用的加密密钥。(请参阅:非对称加密、私钥、公钥。)

$ ATIS (N) See: "Alliance for Telecommunications Industry Solutions" under "ANSI".

$ ATI(N)参见“ANSI”下的“电信行业解决方案联盟”。

$ attack 1. (I) An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.)

$ 攻击1。(一) 实体试图逃避安全服务并违反系统安全策略的故意行为。也就是说,对系统安全的实际攻击源自智能威胁。(请参阅:渗透、违规、漏洞。)

2. (I) A method or technique used in an assault (e.g., masquerade). (See: blind attack, distributed attack.)

2. (一) 在攻击中使用的方法或技巧(如伪装)。(请参阅:盲攻击、分布式攻击。)

Tutorial: Attacks can be characterized according to intent: - An "active attack" attempts to alter system resources or affect their operation. - A "passive attack" attempts to learn or make use of information from a system but does not affect system resources of that system. (See: wiretapping.)

教程:攻击可以根据意图来描述:-“主动攻击”试图改变系统资源或影响其操作。-“被动攻击”试图从系统中学习或利用信息,但不影响该系统的系统资源。(请参阅:窃听。)

The object of a passive attack might be to obtain data that is needed for an off-line attack. - An "off-line attack" is one in which the attacker obtains data from the target system and then analyzes the data on a different system of the attacker's own choosing, possibly in preparation for a second stage of attack on the target.

被动攻击的目标可能是获取离线攻击所需的数据。-“离线攻击”是指攻击者从目标系统获取数据,然后在攻击者自己选择的不同系统上分析数据,可能是为了准备对目标进行第二阶段攻击。

Attacks can be characterized according to point of initiation: - An "inside attack" is one that is initiated by an entity inside the security perimeter (an "insider"), i.e., an entity that is authorized to access system resources but uses them in a way not approved by the party that granted the authorization. - An "outside attack" is initiated from outside the security perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments. Attacks can be characterized according to method of delivery: - In a "direct attack", the attacker addresses attacking packets to the intended victim(s). - In an "indirect attack", the attacker addresses packets to a third party, and the packets either have the address(es) of the intended victim(s) as their source address(es) or indicate the intended victim(s) in some other way. The third party responds by sending one or more attacking packets to the intended victims. The attacker can use third parties as attack amplifiers by providing a broadcast address as the victim address (e.g., "smurf attack"). (See: reflector attack. Compare: reflection attack, replay attack.)

攻击可以根据发起点进行描述:-“内部攻击”是指由安全边界内的实体(“内部人”)发起的攻击,即被授权访问系统资源但以未经授权方批准的方式使用这些资源的实体。-“外部攻击”是由系统的未经授权或非法用户(“外部人员”)从安全外围发起的。在互联网上,潜在的外部攻击者包括业余恶作剧者、有组织犯罪分子、国际恐怖分子和敌对政府。攻击可以根据传递方法进行描述:-在“直接攻击”中,攻击者将攻击数据包发送给目标受害者在“间接攻击”中,攻击者向第三方发送数据包地址,数据包的源地址为目标受害者的地址,或者以其他方式指示目标受害者。第三方通过向目标受害者发送一个或多个攻击包进行响应。攻击者可以通过提供广播地址作为受害者地址(例如,“蓝精灵攻击”)将第三方用作攻击放大器。(请参阅:反射攻击。比较:反射攻击、重放攻击。)

The term "attack" relates to some other basic security terms as shown in the following diagram:

术语“攻击”涉及一些其他基本安全术语,如下图所示:

      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
        
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
        

$ attack potential (I) The perceived likelihood of success should an attack be launched, expressed in terms of the attacker's ability (i.e., expertise and resources) and motivation. (Compare: threat, risk.)

$ 攻击可能性(I)攻击成功的感知可能性,以攻击者的能力(即专业知识和资源)和动机表示。(比较:威胁、风险。)

$ attack sensing, warning, and response (I) A set of security services that cooperate with audit service to detect and react to indications of threat actions, including both inside and outside attacks. (See: indicator.)

$ 攻击感知、警告和响应(I)一组安全服务,与审计服务合作,以检测和响应威胁行动的迹象,包括内部和外部攻击。(见:指标。)

$ attack tree (I) A branching, hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specified way. [Moor]

$ 攻击树(I)一种分支、分层的数据结构,表示一组潜在的方法,以实现以特定方式渗透或破坏系统安全的事件。[摩尔]

Tutorial: Attack trees are special cases of fault trees. The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree. Each subnode defines a subgoal, and each subgoal may have its own set of further subgoals, etc. The final nodes on the paths outward from the root, i.e., the leaf nodes, represent different ways to initiate an attack. Each node other than a leaf is either an AND-node or an OR-node. To achieve the goal represented by an AND-node, the subgoals represented by all of that node's subnodes must be achieved; and for an OR-node, at least one of the subgoals must be achieved. Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that alternative attacks can be compared.

教程:攻击树是故障树的特例。作为攻击目标的安全事件表示为树的根节点,攻击者达到该目标的方式以迭代和增量的方式表示为树的分支和子节点。每个子节点定义一个子目标,每个子目标可能有自己的一组其他子目标等。从根向外的路径上的最终节点,即叶节点,表示发起攻击的不同方式。除叶以外的每个节点都是AND节点或or节点。要实现由AND节点表示的目标,必须实现由该节点的所有子节点表示的子目标;对于OR节点,必须至少实现一个子目标。分支可以用表示难度、成本或其他攻击属性的值进行标记,以便比较备选攻击。

$ attribute (N) Information of a particular type concerning an identifiable system entity or object. An "attribute type" is the component of an attribute that indicates the class of information given by the attribute; and an "attribute value" is a particular instance of the class of information indicated by an attribute type. (See: attribute certificate.)

$ 属性(N)与可识别系统实体或对象有关的特定类型的信息。“属性类型”是一个属性的组成部分,表示该属性给出的信息类别;“属性值”是由属性类型指示的信息类的特定实例。(请参阅:属性证书。)

$ attribute authority (AA) 1. (N) A CA that issues attribute certificates.

$ 属性权限(AA)1。(N) 颁发属性证书的CA。

2. (O) "An authority [that] assigns privileges by issuing attribute certificates." [X509]

2. (O) “通过颁发属性证书来分配权限的机构。”[X509]

Deprecated Usage: The abbreviation "AA" SHOULD NOT be used in an IDOC unless it is first defined in the IDOC.

不推荐使用:除非IDOC中首先定义了缩写“AA”,否则不应在IDOC中使用缩写“AA”。

$ attribute certificate 1. (I) A digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. (See: capability token.)

$ 属性证书1。(一) 一种数字证书,它将一组描述性数据项(公钥除外)直接绑定到使用者名称或另一证书(公钥证书)的标识符上。(请参阅:功能令牌。)

2. (O) "A data structure, digitally signed by an [a]ttribute [a]uthority, that binds some attribute values with identification information about its holder." [X509]

2. (O) “一种数据结构,由[A]属性[A]权限进行数字签名,将某些属性值与其持有者的标识信息绑定在一起。”[X509]

Tutorial: A public-key certificate binds a subject name to a public key value, along with information needed to perform certain cryptographic functions using that key. Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.

教程:公钥证书将使用者名称绑定到公钥值,以及使用该密钥执行某些加密功能所需的信息。主体的其他属性,例如安全许可,可以在称为属性证书的单独类型的数字证书中进行认证。一个主题可以有多个属性证书与其名称或每个公钥证书相关联。

An attribute certificate might be issued to a subject in the following situations: - Different lifetimes: When the lifetime of an attribute binding is shorter than that of the related public-key certificate, or when it is desirable not to need to revoke a subject's public key just to revoke an attribute. - Different authorities: When the authority responsible for the attributes is different than the one that issues the public-key certificate for the subject. (There is no requirement that an attribute certificate be issued by the same CA that issued the associated public-key certificate.)

属性证书可能在以下情况下颁发给主题:-不同的生存期:当属性绑定的生存期短于相关公钥证书的生存期时,或者不需要仅为了撤销属性而撤销主题的公钥时。-不同权限:当负责属性的权限不同于为主题颁发公钥证书的权限时。(不要求属性证书由颁发相关公钥证书的同一CA颁发。)

$ audit See: security audit.

$ 审计参见:安全审计。

$ audit log (I) Synonym for "security audit trail".

$ 审核日志(I)“安全审核跟踪”的同义词。

$ audit service (I) A security service that records information needed to establish accountability for system events and for the actions of system entities that cause them. (See: security audit.)

$ 审计服务(I)一种安全服务,记录建立系统事件责任和导致系统事件的系统实体行为责任所需的信息。(请参阅:安全审计。)

$ audit trail (I) See: security audit trail.

$ 审计跟踪(I)参见:安全审计跟踪。

$ AUTH (I) See: POP3 AUTH.

$ AUTH(I)参见:POP3 AUTH。

$ authenticate (I) Verify (i.e., establish the truth of) an attribute value claimed by or for a system entity or system resource. (See: authentication, validate vs. verify, "relationship between data integrity service and authentication services" under "data integrity service".)

$ 验证(I)验证(即,确定)系统实体或系统资源声明的属性值。(请参阅“数据完整性服务”下的“身份验证、验证与验证”、“数据完整性服务与身份验证服务之间的关系”。)

Deprecated Usage: In general English usage, this term is used with the meaning "to prove genuine" (e.g., an art expert authenticates a Michelangelo painting); but IDOCs should restrict usage as follows: - IDOCs SHOULD NOT use this term to refer to proving or checking that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. Instead, use "verify". - IDOCs SHOULD NOT use this term to refer to proving the truth or accuracy of a fact or value such as a digital signature. Instead, use "verify". - IDOCs SHOULD NOT use this term to refer to establishing the soundness or correctness of a construct, such as a digital certificate. Instead, use "validate".

不推荐的用法:在一般英语用法中,该术语的含义是“证明真实”(例如,艺术专家鉴定米开朗基罗的绘画);但IDOCs应按以下方式限制使用:-IDOCs不应使用此术语来证明或检查数据未被更改、销毁或以未经授权或意外的方式丢失。相反,请使用“验证”。-IDOCs不应使用此术语来指证明事实或价值(如数字签名)的真实性或准确性。相反,请使用“验证”。-IDOCs不应使用此术语来指建立结构(如数字证书)的可靠性或正确性。相反,使用“验证”。

$ authentication (I) The process of verifying a claim that a system entity or system resource has a certain attribute value. (See: attribute, authenticate, authentication exchange, authentication information, credential, data origin authentication, peer entity authentication, "relationship between data integrity service and authentication services" under "data integrity service", simple authentication, strong authentication, verification, X.509.)

$ 认证(I)验证系统实体或系统资源具有特定属性值的声明的过程。(请参阅:属性、身份验证、身份验证交换、身份验证信息、凭证、数据源身份验证、对等实体身份验证、“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”、简单身份验证、强身份验证、验证,X.509。)

Tutorial: Security services frequently depend on authentication of the identity of users, but authentication may involve any type of attribute that is recognized by a system. A claim may be made by a subject about itself (e.g., at login, a user typically asserts its identity) or a claim may be made on behalf of a subject or object by some other system entity (e.g., a user may claim that a data object originates from a specific source, or that a data object is classified at a specific security level).

教程:安全服务通常依赖于用户身份的身份验证,但身份验证可能涉及系统识别的任何类型的属性。主体可以就其自身提出声明(例如,在登录时,用户通常声明其身份),或者其他系统实体可以代表主体或对象提出声明(例如,用户可以声明数据对象源自特定源,或者数据对象在特定安全级别上被分类)。

An authentication process consists of two basic steps: - Identification step: Presenting the claimed attribute value (e.g., a user identifier) to the authentication subsystem. - Verification step: Presenting or generating authentication information (e.g., a value signed with a private key) that acts as evidence to prove the binding between the attribute and that for which it is claimed. (See: verification.)

身份验证过程包括两个基本步骤:-标识步骤:向身份验证子系统呈现声明的属性值(例如,用户标识符)。-验证步骤:显示或生成身份验证信息(例如,使用私钥签名的值),该信息用作证明属性与声明属性之间绑定的证据。(见:核查。)

$ authentication code (D) Synonym for a checksum based on cryptography. (Compare: Data Authentication Code, Message Authentication Code.)

$ 身份验证码(D)是基于密码学的校验和的同义词。(比较:数据身份验证代码、消息身份验证代码。)

Deprecated Term: IDOCs SHOULD NOT use this uncapitalized term as a synonym for any kind of checksum, regardless of whether or not the checksum is cryptographic. Instead, use "checksum", "Data Authentication Code", "error detection code", "hash", "keyed hash", "Message Authentication Code", "protected checksum", or some other recommended term, depending on what is meant.

不推荐使用的术语:IDOCs不应将此未大写术语用作任何类型校验和的同义词,无论校验和是否为加密的。相反,使用“校验和”、“数据验证码”、“错误检测码”、“散列”、“密钥散列”、“消息验证码”、“受保护校验和”或其他一些推荐术语,具体取决于其含义。

The term mixes concepts in a potentially misleading way. The word "authentication" is misleading because the checksum may be used to perform a data integrity function rather than a data origin authentication function.

该术语以一种潜在误导的方式混合了各种概念。“身份验证”一词具有误导性,因为校验和可用于执行数据完整性功能,而不是数据源身份验证功能。

$ authentication exchange 1. (I) A mechanism to verify the identity of an entity by means of information exchange.

$ 身份验证exchange 1。(一) 通过信息交换验证实体身份的机制。

2. (O) "A mechanism intended to ensure the identity of an entity by means of information exchange." [I7498-2]

2. (O) “旨在通过信息交换确保实体身份的机制。”[I7498-2]

$ Authentication Header (AH) (I) An Internet protocol [R2402, R4302] designed to provide connectionless data integrity service and connectionless data origin authentication service for IP datagrams, and (optionally) to provide partial sequence integrity and protection against replay attacks. (See: IPsec. Compare: ESP.)

$ 认证头(AH)(I)互联网协议[R2402,R4302],旨在为IP数据报提供无连接数据完整性服务和无连接数据源认证服务,以及(可选)提供部分序列完整性和防止重放攻击。(请参阅:IPsec。比较:ESP)

Tutorial: Replay protection may be selected by the receiver when a security association is established. AH authenticates the upper-layer PDU that is carried as an IP SDU, and also authenticates as much of the IP PCI (i.e., the IP header) as possible. However, some IP header fields may change in transit, and the value of these fields, when the packet arrives at the receiver, may not be predictable by the sender. Thus, the values of such fields cannot be protected end-to-end by AH; protection of the IP header by AH is only partial when such fields are present.

教程:当建立安全关联时,接收方可以选择重播保护。AH认证作为IP SDU携带的上层PDU,并且还认证尽可能多的IP PCI(即,IP报头)。然而,一些IP报头字段可能在传输过程中发生变化,并且当数据包到达接收方时,发送方可能无法预测这些字段的值。因此,AH不能端到端地保护这些字段的值;仅当存在此类字段时,AH对IP报头的保护才是部分的。

AH may be used alone, or in combination with the ESP, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. ESP can provide nearly the same security services as AH, and ESP can also provide data confidentiality service. The main difference between authentication services provided by ESP and AH is the extent of the coverage; ESP does not protect IP header fields unless they are encapsulated by AH.

AH可单独使用,或与ESP结合使用,或与隧道嵌套使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP可以提供与AH几乎相同的安全服务,ESP还可以提供数据保密服务。ESP和AH提供的认证服务的主要区别在于覆盖范围;ESP不保护IP头字段,除非它们由AH封装。

$ authentication information (I) Information used to verify an identity claimed by or for an entity. (See: authentication, credential, user. Compare: identification information.)

$ 身份验证信息(I)用于验证实体声明的身份或为实体声明的身份的信息。(请参阅:身份验证、凭据、用户。比较:标识信息。)

Tutorial: Authentication information may exist as, or be derived from, one of the following: (a) Something the entity knows (see: password); (b) something the entity possesses (see: token); (c) something the entity is (see: biometric authentication).

教程:身份验证信息可能作为以下信息之一存在,或来源于以下信息之一:(a)实体知道的信息(请参阅:密码);(b) 实体拥有的东西(参见:令牌);(c) 实体是什么(参见:生物特征认证)。

$ authentication service (I) A security service that verifies an identity claimed by or for an entity. (See: authentication.)

$ 身份验证服务(I)验证实体声明的身份或为实体声明的身份的安全服务。(请参阅:身份验证。)

Tutorial: In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service.

教程:在网络中,有两种常见的身份验证服务形式:数据源身份验证服务和对等实体身份验证服务。

$ authenticity (I) The property of being genuine and able to be verified and be trusted. (See: authenticate, authentication, validate vs. verify.)

$ 真实性(I)真实、可验证和可信任的属性。(请参阅:身份验证、身份验证、验证与验证。)

$ authority (D) /PKI/ "An entity [that is] responsible for the issuance of certificates." [X509]

$ 管理局(D)/PKI/“负责颁发证书的实体。”[X509]

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for attribute authority, certification authority, registration authority, or similar terms; the shortened form may cause confusion. Instead, use the full term at the first instance of usage and then, if it is necessary to shorten text, use AA, CA, RA, and other abbreviations defined in this Glossary.

不推荐使用:IDOCs不应将此术语用作属性颁发机构、证书颁发机构、注册机构或类似术语的同义词;缩写形式可能会引起混淆。相反,在第一次使用时使用完整术语,如果需要缩短文本,则使用AA、CA、RA和本词汇表中定义的其他缩写。

$ authority certificate (D) "A certificate issued to an authority (e.g. either to a certification authority or to an attribute authority)." [X509] (See: authority.)

$ 颁发机构证书(D)“颁发给颁发机构的证书(例如,颁发给证书颁发机构或属性颁发机构)。”[X509](请参阅:颁发机构。)

Deprecated Term: IDOCs SHOULD NOT use this term because it is ambiguous. Instead, use the full term "certification authority certificate", "attribute authority certificate", "registration authority certificate", etc. at the first instance of usage and then, if it is necessary to shorten text, use AA, CA, RA, and other abbreviations defined in this Glossary.

不推荐使用的术语:IDOCs不应使用此术语,因为它不明确。相反,在第一次使用时应使用完整术语“认证机构证书”、“属性机构证书”、“注册机构证书”等,如果需要缩短文本,则使用AA、CA、RA和本词汇表中定义的其他缩写。

$ Authority Information Access extension (I) The private extension defined by PKIX for X.509 certificates to indicate "how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data." [R3280] (See: private extension.)

$ 权限信息访问扩展(I)PKIX为X.509证书定义的专用扩展,用于指示“如何访问证书颁发者的CA信息和服务(扩展出现在其中)。信息和服务可能包括在线验证服务和CA策略数据。”[R3280](请参阅:专用扩展。)

$ authorization 1a. (I) An approval that is granted to a system entity to access a system resource. (Compare: permission, privilege.)

$ 授权1a。(一) 授予系统实体访问系统资源的批准。(比较:权限、特权。)

Usage: Some synonyms are "permission" and "privilege". Specific terms are preferred in certain contexts: - /PKI/ "Authorization" SHOULD be used, to align with "certification authority" in the standard [X509]. - /role-based access control/ "Permission" SHOULD be used, to align with the standard [ANSI]. - /computer operating systems/ "Privilege" SHOULD be used, to align with the literature. (See: privileged process, privileged user.)

用法:有些同义词是“权限”和“特权”。特定上下文中首选特定术语:-/PKI/“授权”应使用,以与标准[X509]中的“认证机构”保持一致/应使用基于角色的访问控制/权限,以符合标准[ANSI]。-/应使用计算机操作系统/特权,以与文献保持一致。(请参阅:特权进程,特权用户。)

Tutorial: The semantics and granularity of authorizations depend on the application and implementation (see: "first law" under "Courtney's laws"). An authorization may specify a particular access mode -- such as read, write, or execute -- for one or more system resources.

教程:授权的语义和粒度取决于应用程序和实现(请参阅“考特尼定律”下的“第一定律”)。授权可以为一个或多个系统资源指定特定的访问模式,如读、写或执行。

1b. (I) A process for granting approval to a system entity to access a system resource.

1b。(一) 一种批准系统实体访问系统资源的过程。

2. (O) /SET/ "The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed -- provided, of course, that the merchant followed the rules associated with the authorization process.)" [SET2]

2. (O) /SET/“一个或多个适当任命的人员授权代表组织执行某些操作的过程。此过程评估交易风险,确认给定交易不会使账户持有人的债务超过账户的信用限额,并保留指定的信用额度。(当商户获得授权时,保证支付授权金额——当然,前提是商户遵守与授权流程相关的规则。)“[SET2]

$ authorization credential (I) See: /access control/ under "credential".

$ 授权凭证(I)请参见“凭证”下的:/access control/。

$ authorize (I) Grant an authorization to a system entity.

$ 授权(I)向系统实体授予授权。

$ authorized user (I) /access control/ A system entity that accesses a system resource for which the entity has received an authorization. (Compare: insider, outsider, unauthorized user.)

$ 授权用户(I)/访问控制/访问实体已收到授权的系统资源的系统实体。(比较:内部人、外部人、未授权用户。)

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

不推荐的用法:使用此术语的IDoc应说明其定义,因为该术语有多种用途,很容易被误解。

$ automated information system See: information system.

$ 自动化信息系统见:信息系统。

$ availability 1. (I) The property of a system or a system resource being accessible, or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. (See: critical, denial of service. Compare: precedence, reliability, survivability.)

$ 可用性1。(一) 根据系统性能规范,授权系统实体可访问、可用或按需操作的系统或系统资源的属性;i、 例如,如果系统在用户请求时根据系统设计提供服务,则系统可用。(请参阅:关键,拒绝服务。比较:优先级,可靠性,生存能力。)

2. (O) "The property of being accessible and usable upon demand by an authorized entity." [I7498-2]

2. (O) “经授权实体要求可访问和使用的财产。”[I7498-2]

3. (D) "Timely, reliable access to data and information services for authorized users." [C4009]

3. (D) “授权用户及时、可靠地访问数据和信息服务。”[C4009]

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3; the definition mixes "availability" with "reliability", which is a different property. (See: reliability.)

不推荐使用的定义:IDOC不应使用定义为3的术语;该定义将“可用性”与“可靠性”混为一谈,后者是一种不同的属性。(见:可靠性。)

Tutorial: Availability requirements can be specified by quantitative metrics, but sometimes are stated qualitatively, such as in the following: - "Flexible tolerance for delay" may mean that brief system outages do not endanger mission accomplishment, but extended outages may endanger the mission. - "Minimum tolerance for delay" may mean that mission accomplishment requires the system to provide requested services in a short time.

教程:可用性要求可以通过定量指标来规定,但有时是定性的,如以下内容:-“灵活的延迟容忍度”可能意味着短暂的系统中断不会危及任务完成,但延长的中断可能危及任务。-“最小延迟容忍度”可能意味着完成任务需要系统在短时间内提供所需服务。

$ availability service (I) A security service that protects a system to ensure its availability.

$ 可用性服务(I)保护系统以确保其可用性的安全服务。

Tutorial: This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources, and thus depends on access control service and other security services.

教程:此服务解决拒绝服务攻击引起的安全问题。它依赖于对系统资源的适当管理和控制,因此依赖于访问控制服务和其他安全服务。

$ avoidance (I) See: secondary definition under "security".

$ 避免(I)见“担保”下的第二定义。

$ B1, B2, or B3 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".

$ B1、B2或B3计算机系统(O)/TCSEC/请参阅“可信计算机系统评估标准”下的教程。

$ back door 1. (I) /COMPUSEC/ A computer system feature -- which may be (a) an unintentional flaw, (b) a mechanism deliberately installed by the system's creator, or (c) a mechanism surreptitiously installed by an intruder -- that provides access to a system resource by other than the usual procedure and usually is hidden or otherwise not well-known. (See: maintenance hook. Compare: Trojan Horse.)

$ 后门1。(一) /COMPUSEC/一种计算机系统功能,它可能是(A)无意中的缺陷,(b)系统创建者故意安装的机制,或(c)入侵者秘密安装的机制,提供对系统资源的访问,而不是通常的过程,通常是隐藏的或不为人所知的。(请参阅:维护挂钩。比较:特洛伊木马。)

Example: A way to access a computer other than through a normal login. Such an access path is not necessarily designed with malicious intent; operating systems sometimes are shipped by the manufacturer with hidden accounts intended for use by field service technicians or the vendor's maintenance programmers.

示例:通过普通登录以外的方式访问计算机。这种访问路径不一定是恶意设计的;操作系统有时由制造商提供,带有隐藏帐户,供现场服务技术人员或供应商的维护程序员使用。

2. (I) /cryptography/ A feature of a cryptographic system that makes it easily possible to break or circumvent the protection that the system is designed to provide.

2. (一) /cryptography/cryptography(密码术)/密码系统的一种功能,可轻易破坏或绕过系统设计提供的保护。

Example: A feature that makes it possible to decrypt cipher text much more quickly than by brute-force cryptanalysis, without having prior knowledge of the decryption key.

示例:这项功能使解密密文的速度比暴力密码分析快得多,而无需事先了解解密密钥。

$ back up (I) /verb/ Create a reserve copy of data or, more generally, provide alternate means to perform system functions despite loss of system resources. (See: contingency plan. Compare: archive.)

$ 备份(I)/动词/创建数据的保留副本,或者更一般地说,提供替代方法,以在系统资源丢失的情况下执行系统功能。(参见:应急计划。比较:存档。)

$ backup (I) /noun or adjective/ Refers to alternate means of performing system functions despite loss of system resources. (See: contingency plan).

$ 备份(I)/名词或形容词/指在系统资源丢失的情况下执行系统功能的替代方法。(见:应急计划)。

Example: A reserve copy of data, preferably one that is stored separately from the original, for use if the original becomes lost or damaged. (Compare: archive.)

示例:数据的保留副本,最好与原件分开存储,以便在原件丢失或损坏时使用。(比较:存档。)

$ bagbiter (D) /slang/ "An entity, such as a program or a computer, that fails to work or that works in a remarkably clumsy manner. A person who has caused some trouble, inadvertently or otherwise, typically by failing to program the computer properly." [NCSSG] (See: flaw.)

$ bagbiter(D)/俚语/“一种实体,如程序或计算机,无法工作或工作异常笨拙。通常由于未能正确编程而在无意中或其他方面造成一些麻烦的人。”[NCSSG](见:缺陷。)

Deprecated Term: It is likely that other cultures use different metaphors for these concepts. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对这些概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ baggage (O) /SET/ An "opaque encrypted tuple, which is included in a SET message but appended as external data to the PKCS encapsulated data. This avoids superencryption of the previously encrypted tuple, but guarantees linkage with the PKCS portion of the message." [SET2]

$ baggage(O)/SET/一个“不透明的加密元组,包含在SET消息中,但作为外部数据附加到PKCS封装的数据中。这避免了对先前加密的元组进行超级加密,但保证了与消息的PKCS部分的链接。”[SET2]

Deprecated Usage: IDOCs SHOULD NOT use this term to describe a data element, except in the form "SET(trademark) baggage" with the meaning given above.

不推荐使用:IDOCs不应使用此术语来描述数据元素,除非以具有上述含义的“SET(商标)baggage”形式出现。

$ baked-in security (D) The inclusion of security mechanisms in an information system beginning at an early point in the system's lifecycle, i.e., during the design phase, or at least early in the implementation phase. (Compare: add-on security.)

$ 烘焙式安全(D)从系统生命周期的早期开始,即在设计阶段,或至少在实施阶段的早期,在信息系统中包含安全机制。(比较:附加安全性。)

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term (unless they also provide a definition like this one). (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际误解,IDOC不应该使用这个术语(除非他们也提供了这样的定义)。(请参阅“绿皮书”下不推荐的用法。)

$ bandwidth (I) The total width of the frequency band that is available to or used by a communication channel; usually expressed in Hertz (Hz). (RFC 3753) (Compare: channel capacity.)

$ 带宽(I)通信信道可用或使用的频带总宽度;通常以赫兹(Hz)表示。(RFC 3753)(比较:信道容量)

$ bank identification number (BIN) 1. (O) The digits of a credit card number that identify the issuing bank. (See: primary account number.)

$ 银行识别号(BIN)1。(O) 识别发卡行的信用卡号的数字。(请参阅:主帐号。)

2. (O) /SET/ The first six digits of a primary account number.

2. (O) /SET/主帐号的前六位数字。

$ Basic Encoding Rules (BER) (I) A standard for representing ASN.1 data types as strings of octets. [X690] (See: Distinguished Encoding Rules.)

$ 基本编码规则(BER)(I)将ASN.1数据类型表示为八位字节字符串的标准。[X690](请参阅:区分编码规则。)

Deprecated Usage: Sometimes incorrectly treated as part of ASN.1. However, ASN.1 properly refers only to a syntax description language, and not to the encoding rules for the language.

不推荐使用:有时被错误地视为ASN.1的一部分。但是,ASN.1只正确地引用语法描述语言,而不是该语言的编码规则。

$ Basic Security Option (I) See: secondary definition under "IPSO".

$ 基本安全备选办法(I)见“国际公共部门会计准则”下的二级定义。

$ bastion host (I) A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few) in the network that can be directly accessed from networks on the other side of the firewall. (See: firewall.)

$ 堡垒主机(I)在受防火墙保护的网络中(或是防火墙的一部分),是网络中唯一可以从防火墙另一端的网络直接访问的主机(或少数主机中的一个)。(请参阅:防火墙。)

Tutorial: Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher-layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

教程:防火墙中的过滤路由器通常将来自外部网络的流量限制为仅到达一台主机,即堡垒主机,该主机通常是防火墙的一部分。由于只有这一台主机可以被直接攻击,因此只有这一台主机需要得到非常有力的保护,因此可以更轻松、更便宜地维护安全性。然而,为了允许合法的内部和外部用户通过防火墙访问应用程序资源,更高层的协议和服务需要由堡垒主机中继和转发。某些服务(如DNS和SMTP)内置了转发功能;其他服务(如TELNET和FTP)需要在bastion主机上安装代理服务器。

$ BBN Technologies Corp. (BBN) (O) The research-and-development company (originally called Bolt Baranek and Newman, Inc.) that built the ARPANET.

$ BBN Technologies Corp.(BBN)(O)建造ARPANET的研发公司(原名为Bolt Baranek and Newman,Inc.)。

$ BCA (O) See: brand certification authority.

$ BCA(O)见:品牌认证机构。

$ BCR (O) See: BLACK/Crypto/RED.

$ BCR(O)见:黑色/加密/红色。

$ BCI (O) See: brand CRL identifier.

$ BCI(O)见:品牌CRL标识符。

$ Bell-LaPadula model (N) A formal, mathematical, state-transition model of confidentiality policy for multilevel-secure computer systems [Bell]. (Compare: Biba model, Brewer-Nash model.)

$ Bell-LaPadula模型(N)多级安全计算机系统保密策略的形式化、数学、状态转移模型[Bell]。(比较:Biba模型、Brewer-Nash模型。)

Tutorial: The model, devised by David Bell and Leonard LaPadula at The MITRE Corporation in 1973, characterizes computer system elements as subjects and objects. To determine whether or not a subject is authorized for a particular access mode on an object, the clearance of the subject is compared to the classification of the object. The model defines the notion of a "secure state", in which the only permitted access modes of subjects to objects are in accordance with a specified security policy. It is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system is secure. In this model, a multilevel-secure system satisfies several rules, including the "confinement property" (a.k.a. the "*-property"), the "simple security property", and the "tranquility property".

教程:该模型由米特公司的大卫·贝尔和莱纳德·拉帕杜拉于1973年设计,将计算机系统元素描述为主体和客体。为了确定主体是否被授权使用对象上的特定访问模式,将主体的清除与对象的分类进行比较。该模型定义了“安全状态”的概念,其中主体对对象的唯一允许访问模式符合指定的安全策略。证明了每个状态转换都通过从一个安全状态转移到另一个安全状态来保持安全性,从而证明了系统是安全的。在该模型中,多级安全系统满足多个规则,包括“限制属性”(也称“*”属性)、“简单安全属性”和“宁静属性”。

$ benign 1. (N) /COMSEC/ "Condition of cryptographic data [such] that [the data] cannot be compromised by human access [to the data]." [C4009]

$ 良性1。(N) /COMSEC/“加密数据的状态[使[数据]不会被[数据]的人工访问所破坏]。”[C4009]

2. (O) /COMPUSEC/ See: secondary definition under "trust".

2. (O) /COMPUSEC/请参阅“信任”下的辅助定义。

$ benign fill (N) Process by which keying material is generated, distributed, and placed into an ECU without exposure to any human or other system entity, except the cryptographic module that consumes and uses the material. (See: benign.)

$ 良性填充(N)过程,通过该过程生成、分发密钥材料,并将其放入ECU中,而不暴露于任何人类或其他系统实体,消费和使用该材料的加密模块除外。(见:良性)

$ BER (I) See: Basic Encoding Rules.

$ BER(I)参见:基本编码规则。

$ beyond A1 1. (O) /formal/ A level of security assurance that is beyond the highest level (level A1) of criteria specified by the TCSEC. (See: Tutorial under "Trusted Computer System Evaluation Criteria".)

$ 超越A1 1。(O) /正式/超出TCSEC规定的最高标准(A1级)的安全保证级别。(请参阅“受信任的计算机系统评估标准”下的教程。)

2. (O) /informal/ A level of trust so high that it is beyond state-of-the-art technology; i.e., it cannot be provided or verified by currently available assurance methods, and especially not by currently available formal methods.

2. (O) /非正式/高度信任,超越最先进的技术;i、 例如,目前可用的保证方法无法提供或验证,尤其是目前可用的正式方法无法提供或验证。

$ Biba integrity (N) Synonym for "source integrity".

$ Biba integrity(N)是“源完整性”的同义词。

$ Biba model (N) A formal, mathematical, state-transition model of integrity policy for multilevel-secure computer systems [Biba]. (See: source integrity. Compare: Bell-LaPadula model.)

$ Biba模型(N):多级安全计算机系统完整性策略的形式化、数学、状态转移模型[Biba]。(参见:源完整性。比较:Bell-LaPadula模型。)

Tutorial: This model for integrity control is analogous to the Bell-LaPadula model for confidentiality control. Each subject and object is assigned an integrity level and, to determine whether or not a subject is authorized for a particular access mode on an object, the integrity level of the subject is compared to that of the object. The model prohibits the changing of information in an object by a subject with a lesser or incomparable level. The rules of the Biba model are duals of the corresponding rules in the Bell-LaPadula model.

教程:此完整性控制模型类似于贝尔-拉帕杜拉保密性控制模型。每个主体和对象都被分配一个完整性级别,为了确定主体是否被授权使用对象上的特定访问模式,将主体的完整性级别与对象的完整性级别进行比较。该模型禁止具有较低或不可比级别的主体更改对象中的信息。Biba模型的规则是Bell-LaPadula模型中相应规则的对偶。

$ billet (N) "A personnel position or assignment that may be filled by one person." [JCP1] (Compare: principal, role, user.)

$ (N)“可由一人担任的人员职位或任务。”[JCP1](比较:负责人、角色、用户。)

Tutorial: In an organization, a "billet" is a populational position, of which there is exactly one instance; but a "role" is functional position, of which there can be multiple instances. System entities are in one-to-one relationships with their billets, but may be in many-to-one and one-to-many relationships with their roles.

教程:在一个组织中,“方坯”是一个人口位置,其中只有一个实例;但“角色”是功能位置,可以有多个实例。系统实体与其坯料处于一对一关系中,但可能与其角色处于多对一和一对多关系中。

$ BIN (O) See: bank identification number.

$ 银行标识代码(O)见:银行标识代码。

$ bind (I) To inseparably associate by applying some security mechanism.

$ 绑定(I)通过应用某种安全机制进行不可分割的关联。

Example: A CA creates a public-key certificate by using a digital signature to bind together (a) a subject name, (b) a public key, and usually (c) some additional data items (e.g., "X.509 public-key certificate").

示例:CA通过使用数字签名将(A)使用者名称、(b)公钥和通常(c)一些附加数据项(例如,“X.509公钥证书”)绑定在一起,从而创建公钥证书。

$ biometric authentication (I) A method of generating authentication information for a person by digitizing measurements of a physical or behavioral

$ 生物特征认证(I)通过数字化物理或行为特征的测量值,为个人生成认证信息的方法

characteristic, such as a fingerprint, hand shape, retina pattern, voiceprint, handwriting style, or face.

特征,如指纹、手形、视网膜图案、声纹、笔迹或脸。

$ birthday attack (I) A class of attacks against cryptographic functions, including both encryption functions and hash functions. The attacks take advantage of a statistical property: Given a cryptographic function having an N-bit output, the probability is greater than 1/2 that for 2**(N/2) randomly chosen inputs, the function will produce at least two outputs that are identical. (See: Tutorial under "hash function".)

$ 生日攻击(I)针对加密函数的一类攻击,包括加密函数和哈希函数。这些攻击利用了统计特性:给定一个具有N位输出的加密函数,其概率大于1/2,即对于2**(N/2)个随机选择的输入,该函数将产生至少两个相同的输出。(请参阅“哈希函数”下的教程。)

Derivation: From the somewhat surprising fact (often called the "birthday paradox") that although there are 365 days in a year, the probability is greater than 1/2 that two of more people share the same birthday in any randomly chosen group of 23 people.

推导:从一个有些令人惊讶的事实(通常被称为“生日悖论”)得出,尽管一年中有365天,但在随机选择的23人组中,多人中有两人共享同一个生日的概率大于1/2。

Birthday attacks enable an adversary to find two inputs for which a cryptographic function produces the same cipher text (or find two inputs for which a hash functions produces the same hash result) much faster than a brute-force attack can; and a clever adversary can use such a capability to create considerable mischief. However, no birthday attack can enable an adversary to decrypt a given cipher text (or find a hash input that results in a given hash result) any faster than a brute-force attack can.

生日攻击使对手能够比暴力攻击更快地找到加密函数产生相同密文的两个输入(或找到哈希函数产生相同哈希结果的两个输入);聪明的对手可以利用这种能力制造相当大的伤害。但是,任何生日攻击都不能使对手比暴力攻击更快地解密给定的密文(或找到导致给定哈希结果的哈希输入)。

$ bit (I) A contraction of the term "binary digit"; the smallest unit of information storage, which has two possible states or values. The values usually are represented by the symbols "0" (zero) and "1" (one). (See: block, byte, nibble, word.)

$ 位(I)术语“二进制数字”的缩写;信息存储的最小单位,有两种可能的状态或值。值通常由符号“0”(零)和“1”(一)表示。(请参阅:块、字节、半字节、字。)

$ bit string (I) A sequence of bits, each of which is either "0" or "1".

$ 位串(I)一个位序列,每个位都是“0”或“1”。

$ BLACK 1. (N) Designation for data that consists only of cipher text, and for information system equipment items or facilities that handle only cipher text. Example: "BLACK key". (See: BCR, color change, RED/BLACK separation. Compare: RED.)

$ 黑色1。(N) 仅由密文组成的数据以及仅处理密文的信息系统设备项或设施的名称。示例:“黑键”。(参见:BCR、颜色变化、红/黑分离。比较:红色。)

2. (O) /U.S. Government/ "Designation applied to information systems, and to associated areas, circuits, components, and equipment, in which national security information is encrypted or is not processed." [C4009]

2. (O) /U.S.Government/“适用于国家安全信息加密或未处理的信息系统以及相关区域、电路、组件和设备的名称。”[C4009]

3. (D) Any data that can be disclosed without harm.

3. (D) 任何可以在不造成损害的情况下披露的数据。

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3 because the definition is ambiguous with regard to whether or not the data is protected.

不推荐使用的定义:IDOCs不应使用定义为3的术语,因为该定义在数据是否受保护方面不明确。

$ BLACK/Crypto/RED (BCR) (N) An experimental, end-to-end, network packet encryption system developed in a working prototype form by BBN and the Collins Radio division of Rockwell Corporation in the 1975-1980 time frame for the U.S. DoD. BCR was the first network security system to support TCP/IP traffic, and it incorporated the first DES chips that were validated by the U.S. National Bureau of Standards (now called NIST). BCR also was the first to use a KDC and an ACC to manage connections.

$ BLACK/Crypto/RED(BCR)(N)一种实验性的端到端网络数据包加密系统,由BBN和罗克韦尔公司柯林斯无线电部门在1975-1980年的时间框架内为美国国防部以工作原型形式开发。BCR是第一个支持TCP/IP通信的网络安全系统,它包含了第一个经美国国家标准局(现称NIST)验证的DES芯片。BCR也是第一个使用KDC和ACC来管理连接的公司。

$ BLACK key (N) A key that is protected with a key-encrypting key and that must be decrypted before use. (See: BLACK. Compare: RED key.)

$ 黑密钥(N):受密钥加密密钥保护且在使用前必须解密的密钥。(请参见:黑色。比较:红色键。)

$ BLACKER (O) An end-to-end encryption system for computer data networks that was developed by the U.S. DoD in the 1980s to provide host-to-host data confidentiality service for datagrams at OSIRM Layer 3. [Weis] (Compare: CANEWARE, IPsec.)

$ BLACKER(O):一种用于计算机数据网络的端到端加密系统,由美国国防部在20世纪80年代开发,为OSIRM第3层的数据报提供主机到主机的数据保密服务。[Weis](比较:CANEWARE、IPsec)

Tutorial: Each user host connects to its own bump-in-the-wire encryption device called a BLACKER Front End (BFE, TSEC/KI-111), through which the host connects to the subnetwork. The system also includes two types of centralized devices: one or more KDCs connect to the subnetwork and communicate with assigned sets of BFEs, and one or more ACCs connect to the subnetwork and communicate with assigned KDCs. BLACKER uses only symmetric encryption. A KDC distributes session keys to BFE pairs as authorized by an ACC. Each ACC maintains a database for a set of BFEs, and the database determines which pairs from that set (i.e., which pairs of user hosts behind the BFEs) are authorized to communicate and at what security levels.

教程:每个用户主机都连接到称为BLACKER Front End(BFE,TSEC/KI-111)的有线加密设备中自己的凸起,主机通过该凸起连接到子网。该系统还包括两种类型的集中式设备:一个或多个KDC连接到子网并与指定的BFE集通信,以及一个或多个ACC连接到子网并与指定的KDC通信。BLACKER只使用对称加密。KDC将会话密钥分发给ACC授权的BFE对。每个ACC为一组BFE维护一个数据库,该数据库确定该组中的哪些对(即BFE后面的哪些用户主机对)被授权通信以及处于何种安全级别。

The BLACKER system is MLS in three ways: (a) The BFEs form a security perimeter around a subnetwork, separating user hosts from the subnetwork, so that the subnetwork can operate at a different security level (possibly a lower, less expensive level) than the hosts. (b) The BLACKER components are trusted to separate datagrams of different security levels, so that each datagram of a given security level can be received only by a host that is authorized for that security level; and thus BLACKER can separate host communities that operate at different security levels. (c) The host side of a BFE is itself MLS and can recognize a security label on each packet, so that an MLS user host can be authorized

较黑的系统在三个方面是MLS:(a)BFE围绕子网形成安全周界,将用户主机与子网分开,以便子网可以在不同于主机的安全级别(可能更低、更便宜的级别)下运行。(b) 更黑的组件被信任来分离不同安全级别的数据报,以便给定安全级别的每个数据报只能由授权该安全级别的主机接收;因此BLACKER可以分离以不同安全级别运行的主机社区。(c) BFE的主机端本身就是MLS,可以识别每个数据包上的安全标签,因此可以授权MLS用户主机

to successively transmit datagrams that are labeled with different security levels.

连续传输标有不同安全级别的数据报。

$ blind attack (I) A type of network-based attack method that does not require the attacking entity to receive data traffic from the attacked entity; i.e., the attacker does not need to "see" data packets sent by the victim. Example: SYN flood.

$ 盲攻击(I)一种基于网络的攻击方法,不要求攻击实体从被攻击实体接收数据流量;i、 例如,攻击者不需要“查看”受害者发送的数据包。示例:synflood。

Tutorial: If an attack method is blind, the attacker's packets can carry (a) a false IP source address (making it difficult for the victim to find the attacker) and (b) a different address on every packet (making it difficult for the victim to block the attack). If the attacker needs to receive traffic from the victim, the attacker must either (c) reveal its own IP address to the victim (which enables the victim to find the attacker or block the attack by filtering) or (d) provide a false address and also subvert network routing mechanisms to divert the returning packets to the attacker (which makes the attack more complex, more difficult, or more expensive). [R3552]

教程:如果攻击方法是盲的,攻击者的数据包可能携带(a)错误的IP源地址(使受害者难以找到攻击者)和(b)每个数据包上的不同地址(使受害者难以阻止攻击)。如果攻击者需要接收来自受害者的流量,则攻击者必须(c)向受害者透露自己的IP地址(这使受害者能够找到攻击者或通过过滤阻止攻击)或(d)提供虚假地址,并破坏网络路由机制,以将返回的数据包转移给攻击者(这使得攻击更复杂、更困难或更昂贵)。[R3552]

$ block (I) A bit string or bit vector of finite length. (See: bit, block cipher. Compare: byte, word.)

$ 块(I)有限长度的位字符串或位向量。(请参阅:位,分组密码。比较:字节,字。)

Usage: An "N-bit block" contains N bits, which usually are numbered from left to right as 1, 2, 3, ..., N.

用法:“N位块”包含N位,通常从左到右编号为1、2、3、…、N。

$ block cipher (I) An encryption algorithm that breaks plain text into fixed-size segments and uses the same key to transform each plaintext segment into a fixed-size segment of cipher text. Examples: AES, Blowfish, DEA, IDEA, RC2, and SKIPJACK. (See: block, mode. Compare: stream cipher.)

$ 分组密码(I)一种加密算法,它将明文分成固定大小的段,并使用相同的密钥将每个明文段转换成固定大小的密文段。示例:AES、河豚、DEA、IDEA、RC2和SKIPJACK。(请参阅:块,模式。比较:流密码。)

Tutorial: A block cipher can be adapted to have a different external interface, such as that of a stream cipher, by using a mode of cryptographic operation to package the basic algorithm. (See: CBC, CCM, CFB, CMAC, CTR, DEA, ECB, OFB.)

教程:通过使用加密操作模式打包基本算法,可以调整分组密码以具有不同的外部接口,例如流密码的外部接口。(参见:CBC、CCM、CFB、CMAC、CTR、DEA、ECB、OFB。)

$ Blowfish (N) A symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA. [Schn] (See: Twofish.)

$ Blowfish(N):一种具有可变长度密钥(32至448位)的对称分组密码,由Bruce Schneier于1993年设计,作为DES或IDEA的无专利、无许可证、免版税的替代品。[Schn](见:双鱼)

$ brain-damaged (D) /slang/ "Obviously wrong: extremely poorly designed. Calling something brain-damaged is very extreme. The word implies that the thing is completely unusable, and that its failure to work is due to poor design, not accident." [NCSSG] (See: flaw.)

$ 脑损伤(D)/俚语/“显然是错误的:设计极为糟糕。将某事物称为脑损伤是非常极端的。该词暗示该事物完全无法使用,其失效是由于设计不当,而非意外。”[NCSSG](见:缺陷。)

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ brand 1. (I) A distinctive mark or name that identifies a product or business entity.

$ 品牌1。(一) 标识产品或商业实体的独特标记或名称。

2. (O) /SET/ The name of a payment card. (See: BCA.)

2. (O) /SET/支付卡的名称。(见:BCA)

Tutorial: Financial institutions and other companies have founded payment card brands, protect and advertise the brands, establish and enforce rules for use and acceptance of their payment cards, and provide networks to interconnect the financial institutions. These brands combine the roles of issuer and acquirer in interactions with cardholders and merchants. [SET1]

教程:金融机构和其他公司已经建立了支付卡品牌,保护和宣传了这些品牌,制定并实施了使用和接受其支付卡的规则,并提供了连接金融机构的网络。这些品牌结合了发卡机构和收单机构在与持卡人和商户互动中的角色。[SET1]

$ brand certification authority (BCA) (O) /SET/ A CA owned by a payment card brand, such as MasterCard, Visa, or American Express. [SET2] (See: certification hierarchy, SET.)

$ 品牌认证机构(BCA)(O)/SET/A支付卡品牌(如万事达卡、Visa卡或美国运通卡)拥有的CA。[SET2](请参阅:证书层次结构,集合。)

$ brand CRL identifier (BCI) (O) /SET/ A digitally signed list, issued by a BCA, of the names of CAs for which CRLs need to be processed when verifying signatures in SET messages. [SET2]

$ 品牌CRL标识符(BCI)(O)/SET/BCA发布的数字签名列表,在验证SET消息中的签名时,需要为其处理CRL的CA名称。[SET2]

$ break (I) /cryptography/ To successfully perform cryptanalysis and thus succeed in decrypting data or performing some other cryptographic function, without initially having knowledge of the key that the function requires. (See: penetrate, strength, work factor.)

$ break(I)/cryptography/成功执行密码分析,从而成功解密数据或执行其他加密功能,而最初不知道该功能所需的密钥。(参见:穿透力、强度、功系数。)

Usage: This term applies to encrypted data or, more generally, to a cryptographic algorithm or cryptographic system. Also, while the most common use is to refer to completely breaking an algorithm, the term is also used when a method is found that substantially reduces the work factor.

用法:该术语适用于加密数据,或者更一般地,适用于加密算法或加密系统。此外,虽然最常见的用法是指完全破坏一个算法,但当发现一种方法可以大大降低工作系数时,也会使用该术语。

$ Brewer-Nash model (N) A security model [BN89] to enforce the Chinese wall policy. (Compare: Bell-LaPadula model, Clark-Wilson model.)

$ Brewer-Nash模型(N)一种安全模型[BN89],用于实施中国墙政策。(比较:贝尔-拉帕杜拉模型、克拉克-威尔逊模型。)

Tutorial: All proprietary information in the set of commercial firms F(1), F(2), ..., F(N) is categorized into mutually exclusive conflict-of-interest classes I(1), I(2), ..., I(M) that apply across all firms. Each firm belongs to exactly one class. The Brewer-Nash model has the following mandatory rules: - Brewer-Nash Read Rule: Subject S can read information object O from firm F(i) only if either (a) O is from the same firm as some object previously read by S *or* (b) O belongs to a class I(i) from which S has not previously read any object. (See: object, subject.) - Brewer-Nash Write Rule: Subject S can write information object O to firm F(i) only if (a) S can read O by the Brewer-Nash Read Rule *and* (b) no object can be read by S from a different firm F(j), no matter whether F(j) belongs to the same class as F(i) or to a different class.

教程:商业公司F(1),F(2),…,F(N)集合中的所有专有信息被归类为相互排斥的利益冲突类别I(1),I(2),…,I(M),适用于所有公司。每家公司只属于一个类别。Brewer-Nash模型具有以下强制性规则:-Brewer-Nash读取规则:主体S可以从公司F(i)读取信息对象O,前提是(a)O与S*以前读取的某个对象来自同一公司,或者*(b)O属于S以前没有从中读取任何对象的类i(i)。(参见:对象,主体。)-布鲁尔-纳什写入规则:主体S可以将信息对象O写入公司F(i),前提是(a)S可以通过布鲁尔-纳什读取规则*读取O,并且*(b)S不能从不同的公司F(j)读取对象,无论F(j)属于与F(i)相同的类别还是属于不同的类别。

$ bridge (I) A gateway for traffic flowing at OSIRM Layer 2 between two networks (usually two LANs). (Compare: bridge CA, router.)

$ 网桥(I)两个网络(通常是两个局域网)之间OSIRM第2层流量的网关。(比较:网桥CA、路由器。)

$ bridge CA (I) A PKI consisting of only a CA that cross-certifies with CAs of some other PKIs. (See: cross-certification. Compare: bridge.)

$ 桥接CA(I)仅由一个CA组成的PKI,该CA与一些其他PKI的CA交叉认证。(请参阅:交叉认证。比较:桥接。)

Tutorial: A bridge CA functions as a hub that enables a certificate user in any of the PKIs that attach to the bridge, to validate certificates issued in the other attached PKIs.

教程:网桥CA起到集线器的作用,使连接到网桥的任何PKI中的证书用户能够验证在其他连接的PKI中颁发的证书。

      For example, a bridge CA (BCA)                 CA1
      could cross-certify with four                   ^
      PKIs that have the roots CA1,                   |
      CA2, CA3, and CA4. The cross-                   v
      certificates that the roots            CA2 <-> BCA <-> CA3
      exchange with the BCA enable an                 ^
      end entity EE1 certified under                  |
      under CA1 in PK1 to construct                   v
      a certification path needed to                 CA4
      validate the certificate of
      end entity EE2 under CA2,           CA1 -> BCA -> CA2 -> EE2
      or vice versa.                     CA2 -> BCA -> CA1 -> EE1
        
      For example, a bridge CA (BCA)                 CA1
      could cross-certify with four                   ^
      PKIs that have the roots CA1,                   |
      CA2, CA3, and CA4. The cross-                   v
      certificates that the roots            CA2 <-> BCA <-> CA3
      exchange with the BCA enable an                 ^
      end entity EE1 certified under                  |
      under CA1 in PK1 to construct                   v
      a certification path needed to                 CA4
      validate the certificate of
      end entity EE2 under CA2,           CA1 -> BCA -> CA2 -> EE2
      or vice versa.                     CA2 -> BCA -> CA1 -> EE1
        

$ British Standard 7799 (N) Part 1 of the standard is a code of practice for how to secure an information system. Part 2 specifies the management framework, objectives, and control requirements for information security management systems. [BS7799] (See: ISO 17799.)

$ 英国标准7799(N)本标准的第1部分是关于如何保护信息系统的实施规程。第2部分规定了信息安全管理系统的管理框架、目标和控制要求。[BS7799](见:ISO 17799)

$ browser (I) A client computer program that can retrieve and display information from servers on the World Wide Web. Examples: Netscape Navigator and Microsoft Internet Explorer.

$ 浏览器(I)一种客户端计算机程序,可从万维网上的服务器检索和显示信息。示例:Netscape Navigator和Microsoft Internet Explorer。

$ brute force (I) A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries a large number of possible solutions to the problem. (See: impossible, strength, work factor.)

$ 暴力(I)一种密码分析技术或其他类型的攻击方法,涉及一个穷举过程,尝试大量可能的问题解决方案。(参见:不可能、强度、工作系数。)

Tutorial: In some cases, brute force involves trying all of the possibilities. For example, for cipher text where the analyst already knows the decryption algorithm, a brute-force technique for finding matching plain text is to decrypt the message with every possible key. In other cases, brute force involves trying a large number of possibilities but substantially fewer than all of them. For example, given a hash function that produces an N-bit hash result, the probability is greater than 1/2 that the analyst will find two inputs that have the same hash result after trying only 2**(N/2) randomly chosen inputs. (See: birthday attack.)

教程:在某些情况下,暴力包括尝试所有的可能性。例如,对于分析人员已经知道解密算法的密文,查找匹配纯文本的蛮力技术是使用每个可能的密钥解密消息。在其他情况下,暴力包括尝试大量的可能性,但比所有可能性都少。例如,给定一个产生N位散列结果的散列函数,分析员在仅尝试2**(N/2)个随机选择的输入后,找到具有相同散列结果的两个输入的概率大于1/2。(见:生日攻击。)

$ BS7799 (N) See: British Standard 7799.

$ BS7799(N)参见:英国标准7799。

$ buffer overflow (I) Any attack technique that exploits a vulnerability resulting from computer software or hardware that does not check for exceeding the bounds of a storage area when data is written into a sequence of storage locations beginning in that area.

$ 缓冲区溢出(I)利用计算机软件或硬件产生的漏洞进行攻击的任何攻击技术,当数据写入从该区域开始的存储位置序列时,该漏洞未检查是否超出存储区域的边界。

Tutorial: By causing a normal system operation to write data beyond the bounds of a storage area, the attacker seeks to either disrupt system operation or cause the system to execute malicious software inserted by the attacker.

教程:通过使正常系统操作将数据写入存储区域边界之外,攻击者试图中断系统操作或使系统执行攻击者插入的恶意软件。

$ buffer zone (I) A neutral internetwork segment used to connect other segments that each operate under a different security policy.

$ 缓冲区(I)一个中立的网络网段,用于连接在不同安全策略下运行的其他网段。

Tutorial: To connect a private network to the Internet or some other relatively public network, one could construct a small, separate, isolated LAN and connect it to both the private network and the public network; one or both of the connections would implement a firewall to limit the traffic that could pass through the buffer zone.

教程:要将专用网络连接到Internet或其他相对公用的网络,可以构建一个小型、独立、隔离的LAN,并将其连接到专用网络和公用网络;一个或两个连接将实现防火墙,以限制可能通过缓冲区的流量。

$ bulk encryption 1. (I) Encryption of multiple channels by aggregating them into a single transfer path and then encrypting that path. (See: channel.)

$ 批量加密1。(一) 通过将多个通道聚合到单个传输路径中,然后对该路径进行加密,对多个通道进行加密。(请参阅:频道。)

2. (O) "Simultaneous encryption of all channels of a multichannel telecommunications link." [C4009] (Compare: bulk keying material.)

2. (O) “同时加密多信道电信链路的所有信道。”[C4009](比较:批量密钥材料。)

Usage: The use of "simultaneous" in definition 2 could be interpreted to mean that multiple channels are encrypted separately but at the same time. However, the common meaning of the term is that multiple data flows are combined into a single stream and then that stream is encrypted as a whole.

用法:定义2中“同时”的使用可以解释为多个通道分别加密,但同时加密。然而,该术语的共同含义是将多个数据流组合成单个流,然后将该流作为一个整体进行加密。

$ bulk key (D) In a few published descriptions of hybrid encryption for SSH, Windows 2000, and other applications, this term refers to a symmetric key that (a) is used to encrypt a relatively large amount of data and (b) is itself encrypted with a public key. (Compare: bulk keying material, session key.)

$ 大容量密钥(D)在为SSH、Windows 2000和其他应用程序发布的一些混合加密描述中,该术语指(a)用于加密相对大量数据的对称密钥,以及(b)本身使用公钥加密的对称密钥。(比较:批量关键点材质、会话关键点。)

Example: To send a large file to Bob, Alice (a) generates a symmetric key and uses it to encrypt the file (i.e., encrypt the bulk of the information that is to be sent) and then (b) encrypts that symmetric key (the "bulk key") with Bob's public key.

示例:要向Bob发送一个大文件,Alice(a)生成一个对称密钥并使用它加密文件(即加密要发送的大部分信息),然后(b)使用Bob的公钥加密该对称密钥(“批量密钥”)。

Deprecated Term: IDOCs SHOULD NOT use this term or definition; the term is not well-established and could be confused with the established term "bulk keying material". Instead, use "symmetric key" and carefully explain how the key is applied.

不推荐使用的术语:IDOC不应使用此术语或定义;该术语的定义不明确,可能与已确定的术语“批量键控材料”混淆。相反,请使用“对称密钥”,并仔细解释如何应用该密钥。

$ bulk keying material (N) Refers to handling keying material in large quantities, e.g., as a dataset that contains many items of keying material. (See: type 0. Compare: bulk key, bulk encryption.)

$ 批量键控材料(N)是指大量处理键控材料,例如,作为包含许多键控材料项的数据集。(请参见:键入0。比较:批量密钥、批量加密。)

$ bump-in-the-stack (I) An implementation approach that places a network security mechanism inside the system that is to be protected. (Compare: bump-in-the-wire.)

$ 堆栈中的bump(I)一种将网络安全机制置于要保护的系统内的实现方法。(比较:导线中的凹凸。)

Example: IPsec can be implemented inboard, in the protocol stack of an existing system or existing system design, by placing a new layer between the existing IP layer and the OSIRM Layer 3 drivers. Source code access for the existing stack is not required, but the system that contains the stack does need to be modified [R4301].

示例:通过在现有IP层和OSIRM第3层驱动程序之间放置一个新层,IPsec可以在现有系统或现有系统设计的协议栈中内置实现。不需要对现有堆栈进行源代码访问,但需要修改包含该堆栈的系统[R4301]。

$ bump-in-the-wire (I) An implementation approach that places a network security mechanism outside of the system that is to be protected. (Compare: bump-in-the-stack.)

$ 线路中断(I)将网络安全机制置于受保护系统之外的一种实现方法。(比较:堆栈中的凹凸。)

Example: IPsec can be implemented outboard, in a physically separate device, so that the system that receives the IPsec protection does not need to be modified at all [R4301]. Military-grade link encryption has mainly been implemented as bump-in-the-wire devices.

示例:IPsec可以在物理上独立的设备中实现,因此接收IPsec保护的系统根本不需要修改[R4301]。军用级链路加密主要作为有线设备中的bump实现。

$ business-case analysis (N) An extended form of cost-benefit analysis that considers factors beyond financial metrics, including security factors such as the requirement for security services, their technical and programmatic feasibility, their qualitative benefits, and associated risks. (See: risk analysis.)

$ 业务案例分析(N):成本效益分析的一种扩展形式,它考虑财务指标以外的因素,包括安全因素,如安全服务的要求、其技术和规划可行性、其质量效益和相关风险。(参见:风险分析。)

$ byte (I) A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and, today, usually means eight bits. (Compare: octet.)

$ 字节(I)计算机存储的基本单位;计算机体系结构中最小的可寻址单元。通常包含一个字符的信息,今天通常表示八位。(比较:八位组。)

Usage: Understood to be larger than a "bit", but smaller than a "word". Although "byte" almost always means "octet" today, some computer architectures have had bytes in other sizes (e.g., six bits, nine bits). Therefore, an STD SHOULD state the number of bits in a byte where the term is first used in the STD.

用法:理解为大于一个“位”,但小于一个“字”。虽然“字节”在今天几乎总是意味着“八位字节”,但一些计算机架构有其他大小的字节(例如,六位、九位)。因此,STD应说明STD中首次使用术语的字节中的位数。

$ C field (D) See: Compartments field.

$ C字段(D)参见:隔间字段。

$ C1 or C2 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".

$ C1或C2计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。

$ CA (I) See: certification authority.

$ CA(I)见:认证机构。

$ CA certificate (D) "A [digital] certificate for one CA issued by another CA." [X509]

$ CA证书(D)“一个CA由另一个CA颁发的[数字]证书”[X509]

Deprecated Definition: IDOCs SHOULD NOT use the term with this definition; the definition is ambiguous with regard to how the certificate is constructed and how it is intended to be used. IDOCs that use this term SHOULD provide a technical definition for it. (See: certificate profile.)

不推荐使用的定义:IDoc不应使用此定义的术语;该定义在如何构造证书以及如何使用证书方面模棱两可。使用该术语的IDoc应提供该术语的技术定义。(请参阅:证书配置文件。)

Tutorial: There is no single, obvious choice for a technical definition of this term. Different PKIs can use different certificate profiles, and X.509 provides several choices of how to issue certificates to CAs. For example, one possible definition is the following: A v3 X.509 public-key certificate that has a "basicConstraints" extension containing a "cA" value of "TRUE". That would specifically indicate that "the certified public key may be used to verify certificate signatures", i.e., that the private key may be used by a CA.

教程:对于这个术语的技术定义,没有单一的、明显的选择。不同的PKI可以使用不同的证书配置文件,X.509提供了几种向CA颁发证书的方法。例如,一个可能的定义如下:v3 X.509公钥证书,其“basicConstraints”扩展名包含“cA”值“TRUE”。这将明确表示“经认证的公钥可用于验证证书签名”,即,私钥可由CA使用。

However, there also are other ways to indicate such usage. The certificate may have a "key Usage" extension that indicates the purposes for which the public key may be used, and one of the values that X.509 defines for that extension is "keyCertSign", to indicate that the certificate may be used for verifying a CA's signature on certificates. If "keyCertSign" is present in a certificate that also has a "basicConstraints" extension, then "cA" is set to "TRUE" in that extension. Alternatively, a CA could be issued a certificate in which "keyCertSign" is asserted without "basicConstraints" being present; and an entity that acts as a CA could be issued a certificate with "keyUsage" set to other values, either with or without "keyCertSign".

然而,也有其他方式表明这种用法。证书可能有一个“密钥使用”扩展,该扩展指示公钥可用于的目的,X.509为该扩展定义的值之一是“keyCertSign”,以指示证书可用于验证证书上CA的签名。如果“keyCertSign”出现在同时具有“basicConstraints”扩展名的证书中,则该扩展名中的“cA”设置为“TRUE”。或者,CA可以被颁发一个证书,其中“keyCertSign”被断言,而“basicConstraints”不存在;作为CA的实体可以被颁发一个证书,该证书的“keyUsage”设置为其他值,无论是否带有“keyCertSign”。

$ CA domain (N) /PKI/ A security policy domain that "consists of a CA and its subjects [i.e., the entities named in the certificates issued by the CA]. Sometimes referred to as a PKI domain." [PAG] (See: domain.)

$ CA域(N)/PKI/一种安全策略域,“由CA及其主题[即CA颁发的证书中命名的实体]组成”。有时称为PKI域。“[PAG](请参阅:域。)

   $ Caesar cipher
      (I) A cipher that is defined for an alphabet of N characters,
      A(1), A(2), ..., A(N), and creates cipher text by replacing each
      plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]
        
   $ Caesar cipher
      (I) A cipher that is defined for an alphabet of N characters,
      A(1), A(2), ..., A(N), and creates cipher text by replacing each
      plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]
        

Examples: (a) During the Gallic wars, Julius Caesar used a cipher with K=3. In a Caesar cipher with K=3 for the English alphabet, A is replaced by D, B by E, C by F, ..., W by Z, X by A, Y by B, Z

例子:(a)在高卢战争期间,朱利叶斯·凯撒使用了一个K=3的密码。在英语字母表中K=3的凯撒密码中,a被D替换,B被E替换,C被F替换,…,W被Z替换,X被a替换,Y被B替换,Z替换

by C. (b) UNIX systems sometimes include "ROT13" software that implements a Caesar cipher with K=13 (i.e., ROTate by 13).

C.(b)UNIX系统有时包括“ROT13”软件,该软件实现了K=13的凯撒密码(即,按13旋转)。

$ call back (I) An authentication technique for terminals that remotely access a computer via telephone lines; the host system disconnects the caller and then reconnects on a telephone number that was previously authorized for that terminal.

$ 回拨(I)用于通过电话线远程访问计算机的终端的认证技术;主机系统断开呼叫者的连接,然后重新连接先前为该终端授权的电话号码。

$ CAM (O) See: Certificate Arbitrator Module.

$ CAM(O)请参阅:证书仲裁器模块。

$ CANEWARE (O) An end-to-end encryption system for computer data networks that was developed by the U.S. DoD in the 1980s to provide host-to-host data confidentiality service for datagrams in OSIRM Layer 3. [Roge] (Compare: BLACKER, IPsec.)

$ CANEWARE(O):一种用于计算机数据网络的端到端加密系统,由美国国防部在20世纪80年代开发,用于为OSIRM第3层中的数据报提供主机到主机的数据保密服务。[Roge](比较:BLACKER,IPsec)

Tutorial: Each user host connects to its own bump-in-the-wire encryption device called a CANEWARE Front End (CFE), through which the host connects to the subnetwork. CANEWARE uses symmetric encryption for CFE-to-CFE traffic, but also uses FIREFLY to establish those session keys. The public-key certificates issued by the FIREFLY system include credentials for mandatory access control. For discretionary access control, the system also includes one or more centralized CANEWARE Control Processors (CCPs) that connect to the subnetwork, maintain a database for discretionary access control authorizations, and communicate those authorizations to assigned sets of CFEs.

教程:每个用户主机都连接到称为CANEWARE前端(CFE)的有线加密设备中自己的凸点,主机通过该凸点连接到子网络。CANEWARE对CFE-to-CFE通信使用对称加密,但也使用FIREFLY建立这些会话密钥。FIREFLY系统颁发的公钥证书包括用于强制访问控制的凭据。对于自主访问控制,系统还包括一个或多个集中式CANEWARE控制处理器(CCP),这些处理器连接到子网,维护自主访问控制授权数据库,并将这些授权传递给指定的CFE集。

The CANEWARE system is MLS in only two of the three ways that BLACKER is MLS: (a) Like BLACKER BFEs, CFEs form a security perimeter around a subnetwork, separating user hosts from the subnetwork, so that the subnetwork can operate at a different security level than the hosts. (b) Like BLACKER, the CANEWARE components are trusted to separate datagrams of different security levels, so that each datagram of a given security level can be received only by a host that is authorized for that security level; and thus CANEWARE can separate host communities that operate at different security levels. (c) Unlike a BFE, the host side of a CFE is not MLS, and treats all packets received from a user host as being at the same mandatory security level.

CANEWARE系统在三种方式中只有两种是MLS,BLACKER是MLS:(a)与BLACKER BFE一样,CFE在子网周围形成一个安全周界,将用户主机与子网分开,因此子网可以在不同于主机的安全级别上运行。(b) 与BLACKER一样,CANEWARE组件被信任来分离不同安全级别的数据报,因此给定安全级别的每个数据报只能由授权该安全级别的主机接收;因此,CANEWARE可以分离以不同安全级别运行的主机社区。(c) 与BFE不同,CFE的主机端不是MLS,并且将从用户主机接收的所有数据包视为处于相同的强制安全级别。

$ capability list (I) /information system/ A mechanism that implements access control for a system entity by enumerating the system resources that the entity is permitted to access and, either implicitly or explicitly, the access modes granted for each resource. (Compare:

$ 能力列表(I)/信息系统/通过枚举允许实体访问的系统资源以及隐式或显式为每个资源授予的访问模式,实现系统实体访问控制的机制。(比较:

access control list, access control matrix, access profile, capability token.)

访问控制列表、访问控制矩阵、访问配置文件、功能令牌。)

$ capability token (I) A token (usually an unforgeable data object) that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource indicated by the token. (See: attribute certificate, capability list, credential, digital certificate, ticket, token.)

$ 能力令牌(I)一种令牌(通常是不可伪造的数据对象),赋予承载者或持有者访问系统资源的权利。系统接受对令牌的拥有作为持有者已被授权访问令牌指示的资源的证据。(请参阅:属性证书、能力列表、凭证、数字证书、票证、令牌。)

$ Capability Maturity Model (CMM) (N) Method for judging the maturity of software processes in an organization and for identifying crucial practices needed to increase process maturity. [Chris] (Compare: Common Criteria.)

$ 能力成熟度模型(CMM)(N)用于判断组织中软件过程的成熟度并识别提高过程成熟度所需的关键实践的方法。[Chris](比较:通用标准。)

Tutorial: The CMM does not specify security evaluation criteria (see: assurance level), but its use may improve security assurance. The CMM describes principles and practices that can improve software processes in terms of evolving from ad hoc processes to disciplined processes. The CMM has five levels: - Initial: Software processes are ad hoc or chaotic, and few are well-defined. Success depends on individual effort and heroics. - Repeatable: Basic project management processes are established to track cost, schedule, and functionality. Necessary process discipline is in place to repeat earlier successes on projects with similar applications. - Defined: Software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Each project uses an approved, tailored version of the organization's standard process for developing and maintaining software. - Managed: Detailed measures of software process and product quality are collected. Both software process and products are quantitatively understood and controlled. - Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

教程:CMM没有指定安全评估标准(请参阅:保证级别),但它的使用可能会改进安全保证。CMM描述了可以改进软件过程的原则和实践,这些原则和实践从即席过程演变为规范过程。CMM有五个级别:-初始:软件过程是临时的或混乱的,很少有定义良好的。成功取决于个人的努力和英雄气概可重复:建立基本项目管理流程以跟踪成本、进度和功能。必要的工艺规程已到位,以在具有类似应用的项目上重复先前的成功。-定义:对管理和工程活动的软件过程进行记录、标准化,并将其集成到组织的标准软件过程中。每个项目都使用经批准、定制的组织标准流程版本来开发和维护软件。-管理:收集软件过程和产品质量的详细度量。软件过程和产品都是定量理解和控制的。-优化:持续的流程改进是通过流程的定量反馈以及创新理念和技术的试验实现的。

$ CAPI (I) See: cryptographic application programming interface.

$ CAPI(I)见:加密应用程序编程接口。

$ CAPSTONE (N) An integrated microcircuit (in MYK-8x series manufactured by Mykotronx, Inc.) that implements SKIPJACK, KEA, DSA, SHA, and basic mathematical functions needed to support asymmetric cryptography; has a non-deterministic random number generator; and supports key escrow. (See: FORTEZZA. Compare: CLIPPER.)

$ CAPSTONE(N)集成微电路(Mykotronx,Inc.制造的MYK-8x系列),实现SKIPJACK、KEA、DSA、SHA以及支持非对称加密所需的基本数学函数;具有非确定性随机数生成器;并支持密钥托管。(参见:FORTEZZA。比较:CLIPPER。)

$ card See: cryptographic card, FORTEZZA, payment card, PC card, smart card, token.

$ 卡片见:加密卡,FORTEZZA,支付卡,PC卡,智能卡,代币。

$ card backup See: token backup.

$ 卡备份请参阅:令牌备份。

$ card copy See: token copy.

$ 卡副本见:令牌副本。

$ card restore See: token restore.

$ 卡还原请参阅:令牌还原。

$ cardholder 1. (I) An entity to whom or to which a card has been issued.

$ 持卡人1。(一) 向其或向其发放信用卡的实体。

Usage: Usually refers to a living human being, but might refer (a) to a position (see: billet, role) in an organization or (b) to an automated process. (Compare: user.)

用法:通常指一个活着的人,但可能指(a)一个组织中的职位(参见:角色),或(b)一个自动化流程。(比较:用户。)

2. (O) /SET/ "The holder of a valid payment card account and user of software supporting electronic commerce." [SET2] A cardholder is issued a payment card by an issuer. SET ensures that in the cardholder's interactions with merchants, the payment card account information remains confidential. [SET1]

2. (O) /SET/“有效支付卡账户的持有人和支持电子商务的软件的用户。”[SET2]发卡机构向持卡人发放支付卡。SET确保在持卡人与商户的互动中,支付卡账户信息保持机密。[SET1]

$ cardholder certificate (O) /SET/ A digital certificate that is issued to a cardholder upon approval of the cardholder's issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]

$ 持卡人证书(O)/SET/经持卡人的发卡金融机构批准后向持卡人颁发的数字证书,通过购买请求和加密支付指令传输给商户,保证账号已由发行金融机构验证,且第三方不得更改。[SET1]

$ cardholder certification authority (CCA) (O) /SET/ A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

$ 持卡人认证机构(CCA)(O)/SET/A CA负责向持卡人颁发数字证书,并根据品牌规则代表支付卡品牌、发卡机构或另一方运营。CCA与发卡机构保持关系,以便对持卡人账户进行验证。CCA不发行CRL,但发行根CA、品牌CA、地缘政治CA和支付网关CA发行的CRL。[SET2]

$ CAST (N) A design procedure for symmetric encryption algorithms, and a resulting family of algorithms, invented by Carlisle Adams (C.A.) and Stafford Tavares (S.T.). [R2144, R2612]

$ CAST(N)对称加密算法的设计过程,以及由此产生的算法系列,由Carlisle Adams(C.A.)和Stafford Tavares(S.T.)发明。[R2144,R2612]

$ category (I) A grouping of sensitive information items to which a non-hierarchical restrictive security label is applied to increase protection of the data. (See: formal access approval. Compare: compartment, classification.)

$ 类别(I)敏感信息项的分组,其中应用了非分层限制性安全标签,以加强对数据的保护。(参见:正式访问批准。比较:隔间,分类。)

$ CAW (N) See: certification authority workstation.

$ CAW(N)参见:证书颁发机构工作站。

$ CBC (N) See: cipher block chaining.

$ CBC(N)参见:密码块链接。

$ CCA (O) See: cardholder certification authority.

$ CCA(O)见:持卡人认证机构。

$ CCEP (O) See: Commercial COMSEC Endorsement Program.

$ CCEP(O)见:商业通信安全认可计划。

$ CCI (O) See: Controlled Cryptographic Item.

$ CCI(O)参见:受控加密项。

$ CCITT (N) Acronym for French translation of International Telephone and Telegraph Consultative Committee. Now renamed ITU-T.

$ CCITT(N)国际电话电报咨询委员会法语翻译的首字母缩写。现更名为ITU-T。

$ CCM (N) See: Counter with Cipher Block Chaining-Message Authentication Code.

$ CCM(N)请参阅:带有密码块链接消息认证码的计数器。

$ CERIAS (O) Purdue University's Center for Education and Research in Information Assurance and Security, which includes faculty from multiple schools and departments and takes a multidisciplinary approach to security problems ranging from technical to ethical, legal, educational, communicational, linguistic, and economic.

$ CERIAS(O)普渡大学信息保障和安全教育与研究中心,包括来自多个学校和部门的教员,对安全问题采取多学科方法,从技术到道德、法律、教育、通信、语言和经济。

$ CERT (I) See: computer emergency response team.

$ 证书(I)见:计算机应急响应小组。

$ certificate 1. (I) /general English/ A document that attests to the truth of something or the ownership of something.

$ 证书1。(一) /通用英语/证明某物真实性或所有权的文件。

2. (I) /general security/ See: capability token, digital certificate.

2. (一) /general security/请参阅:功能令牌、数字证书。

3. (I) /PKI/ See: attribute certificate, public-key certificate.

3. (一) /PKI/请参阅:属性证书、公钥证书。

$ Certificate Arbitrator Module (CAM) (O) An open-source software module that is designed to be integrated with an application for routing, replying to, and otherwise managing and meditating certificate validation requests between that application and the CAs in the ACES PKI.

$ 证书仲裁模块(CAM)(O):一种开源软件模块,设计用于与应用程序集成,用于路由、回复、管理和考虑该应用程序与ACES PKI中的CAs之间的证书验证请求。

$ certificate authority (D) Synonym for "certification authority".

$ 证书颁发机构(D)“证书颁发机构”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the term "certification authority", which is preferred in PKI standards (e.g., [X509, R3280]).

不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用术语“证书颁发机构”,这在PKI标准中是首选(例如,[X509,R3280])。

$ certificate chain (D) Synonym for "certification path". (See: trust chain.)

$ 证书链(D)是“证书路径”的同义词。(请参阅:信任链。)

Deprecated Term: IDOCs SHOULD NOT use this term; it duplicates the meaning of a standardized term. Instead, use "certification path".

不推荐使用的术语:IDoc不应使用此术语;它重复了标准化术语的含义。相反,请使用“认证路径”。

$ certificate chain validation (D) Synonym for "certificate validation" or "path validation".

$ 证书链验证(D)“证书验证”或“路径验证”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it duplicates the meaning of standardized terms and mixes concepts in a potentially misleading way. Instead, use "certificate validation" or "path validation", depending on what is meant. (See: validate vs. verify.)

不推荐使用的术语:IDoc不应使用此术语;它复制了标准化术语的含义,并以潜在误导的方式混合了概念。相反,使用“证书验证”或“路径验证”,具体取决于其含义。(请参见:验证与验证。)

$ certificate creation (I) The act or process by which a CA sets the values of a digital certificate's data fields and signs it. (See: issue.)

$ 证书创建(I)CA设置数字证书数据字段的值并对其签名的行为或过程。(见:问题)

$ certificate expiration (I) The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, expire.)

$ 证书过期(I)证书因其分配的生存期已超过而停止有效时发生的事件。(请参阅:证书吊销,过期。)

Tutorial: The assigned lifetime of an X.509 certificate is stated in the certificate itself. (See: validity period.)

教程:X.509证书的指定生存期在证书本身中说明。(见:有效期。)

$ certificate extension (I) See: extension.

$ 证书扩展(I)参见:扩展。

$ certificate holder (D) Synonym for the "subject" of a digital certificate. (Compare: certificate owner, certificate user.)

$ 证书持有人(D)数字证书“主体”的同义词。(比较:证书所有者、证书用户。)

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for the subject of a digital certificate; the term is potentially ambiguous. For example, the term could be misunderstood as referring to a system entity or component, such as a repository, that simply has possession of a copy of the certificate.

不推荐使用的定义:IDOCs不应将此术语用作数字证书主题的同义词;这一术语可能模棱两可。例如,该术语可能被误解为指仅拥有证书副本的系统实体或组件,如存储库。

$ certificate management (I) The functions that a CA may perform during the lifecycle of a digital certificate, including the following: - Acquire and verify data items to bind into the certificate. - Encode and sign the certificate. - Store the certificate in a directory or repository. - Renew, rekey, and update the certificate. - Revoke the certificate and issue a CRL. (See: archive management, certificate management, key management, security architecture, token management.)

$ 证书管理(I)CA在数字证书生命周期内可能执行的功能,包括:-获取和验证要绑定到证书中的数据项。-对证书进行编码和签名。-将证书存储在目录或存储库中。-续订、重新设置密钥并更新证书。-吊销证书并颁发CRL。(请参阅:归档管理、证书管理、密钥管理、安全体系结构、令牌管理。)

$ certificate management authority (CMA) (D) /U.S. DoD/ Used to mean either a CA or an RA. [DoD7, SP32]

$ 证书管理机构(CMA)(D)/美国国防部/用于指CA或RA。[DoD7,SP32]

Deprecated Term: IDOCs SHOULD NOT use this term because it is potentially ambiguous, such as in a context involving ICRLs. Instead, use CA, RA, or both, depending on what is meant.

不推荐使用的术语:IDOCs不应使用此术语,因为它可能不明确,例如在涉及ICRL的上下文中。相反,使用CA、RA或两者,具体取决于其含义。

$ certificate owner (D) Synonym for the "subject" of a digital certificate. (Compare: certificate holder, certificate user.)

$ 证书所有者(D)是数字证书“主体”的同义词。(比较:证书持有人、证书用户。)

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for the subject of a digital certificate; the term is potentially ambiguous. For example, the term could refer to a system entity, such as a corporation, that has purchased a certificate to operate equipment, such as a Web server.

不推荐使用的定义:IDOCs不应将此术语用作数字证书主题的同义词;这一术语可能模棱两可。例如,该术语可指已购买证书以操作设备(如Web服务器)的系统实体(如公司)。

$ certificate path (D) Synonym for "certification path".

$ 证书路径(D)是“证书路径”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of "certification path", which is preferred in PKI standards (e.g., [X509, R3280]).

不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用“认证路径”,这是PKI标准(例如[X509,R3280])中的首选。

$ certificate policy (I) "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (Compare: CPS, security policy.)

$ 证书策略(I)“一组命名规则,指示证书对具有通用安全要求的特定社区和/或应用程序类别的适用性。”[X509](比较:CPS,安全策略。)

Example: U.S. DoD's certificate policy [DoD7] defined four classes (i.e., assurance levels) for X.509 public-key certificates and defines the applicability of those classes. (See: class 2.)

示例:美国国防部的证书政策[DoD7]为X.509公钥证书定义了四个类别(即保证级别),并定义了这些类别的适用性。(见第2类)

Tutorial: A certificate policy can help a certificate user to decide whether a certificate should be trusted in a particular application. "For example, a particular certificate policy might indicate applicability of a type of certificate for the authentication of electronic data interchange transactions for the trading of goods within a given price range." [R3647]

教程:证书策略可以帮助证书用户决定在特定应用程序中是否应信任证书。“例如,特定的证书政策可能表明一种证书类型适用于在给定价格范围内进行商品交易的电子数据交换交易的认证。”[R3647]

A v3 X.509 public-key certificate may have a "certificatePolicies" extension that lists certificate policies, recognized by the issuing CA, that apply to the certificate and govern its use. Each policy is denoted by an object identifier and may optionally have certificate policy qualifiers. (See: certificate profile.)

v3 X.509公钥证书可能具有“CertificatePolicys”扩展,该扩展列出了由颁发CA识别的证书策略,这些策略应用于证书并管理其使用。每个策略由对象标识符表示,并且可以选择具有证书策略限定符。(请参阅:证书配置文件。)

Each SET certificate specifies at least one certificate policy, that of the SET root CA. SET uses certificate policy qualifiers to point to the actual policy statement and to add qualifying policies to the root policy. (See: SET qualifier.)

每个集合证书指定至少一个证书策略,即集合根CA的证书策略。集合使用证书策略限定符指向实际的策略语句,并将限定策略添加到根策略。(请参见:设置限定符。)

$ certificate policy qualifier (I) Information that pertains to a certificate policy and is included in a "certificatePolicies" extension in a v3 X.509 public-key certificate.

$ 证书策略限定符(I)与证书策略相关的信息,包含在v3 X.509公钥证书的“CertificatePolicys”扩展中。

$ certificate profile (I) A specification (e.g., [DoD7, R3280]) of the format and semantics of public-key certificates or attribute certificates, constructed for use in a specific application context by selecting from among options offered by a broader standard. (Compare: protection profile.)

$ 证书配置文件(I)公钥证书或属性证书的格式和语义规范(如[DoD7,R3280]),通过从更广泛的标准提供的选项中进行选择,构建用于特定应用程序上下文。(比较:保护配置文件。)

$ certificate reactivation (I) The act or process by which a digital certificate, that a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.

$ 证书重新激活(I)CA指定要撤销但尚未在CRL上列出的数字证书返回到有效状态的行为或过程。

$ certificate rekey 1. (I) The act or process by which an existing public-key certificate has its key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)

$ 证书密钥1。(一) 通过使用不同(通常是新的)公钥颁发新证书来更改现有公钥证书的密钥值的行为或过程。(请参阅:证书续订、证书更新、重新密钥。)

Tutorial: For an X.509 public-key certificate, the essence of rekey is that the subject stays the same and a new public key is bound to that subject. Other changes are made, and the old

教程:对于X.509公钥证书,重新密钥的本质是主体保持不变,并且新的公钥绑定到该主体。进行了其他更改,旧的

certificate is revoked, only as required by the PKI and CPS in support of the rekey. If changes go beyond that, the process is a "certificate update".

只有在PKI和CPS要求支持重新密钥时,证书才会被吊销。如果更改超出此范围,则该过程为“证书更新”。

2. (O) /MISSI/ The act or process by which a MISSI CA creates a new X.509 public-key certificate that is identical to the old one, except the new one has (a) a new, different KEA key or (b) a new, different DSS key or (c) new, different KEA and DSS keys. The new certificate also has a different serial number and may have a different validity period. A new key creation date and maximum key lifetime period are assigned to each newly generated key. If a new KEA key is generated, that key is assigned a new KMID. The old certificate remains valid until it expires, but may not be further renewed, rekeyed, or updated.

2. (O) /MISSI/MISSI CA创建与旧X.509公钥证书相同的新X.509公钥证书的行为或过程,但新证书具有(a)新的不同KEA密钥或(b)新的不同DSS密钥或(c)新的不同KEA和DSS密钥除外。新证书还具有不同的序列号,并且可能具有不同的有效期。为每个新生成的密钥分配一个新密钥创建日期和最大密钥生存期。如果生成了新的KEA密钥,则会为该密钥分配一个新的KMID。旧证书在到期前保持有效,但不能进一步续订、重新键入或更新。

$ certificate renewal (I) The act or process by which the validity of the binding asserted by an existing public-key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)

$ 证书续期(I)通过颁发新证书来及时延长现有公钥证书声明的绑定有效性的行为或过程。(请参阅:证书密钥更新、证书更新。)

Tutorial: For an X.509 public-key certificate, this term means that the validity period is extended (and, of course, a new serial number is assigned) but the binding of the public key to the subject and to other data items stays the same. The other data items are changed, and the old certificate is revoked, only as required by the PKI and CPS to support the renewal. If changes go beyond that, the process is a "certificate rekey" or "certificate update".

教程:对于X.509公钥证书,该术语表示有效期延长(当然,还指定了新的序列号),但公钥与主题和其他数据项的绑定保持不变。仅当PKI和CPS要求支持续订时,才会更改其他数据项,并吊销旧证书。如果更改超出此范围,则流程为“证书重新密钥”或“证书更新”。

$ certificate request (D) Synonym for "certification request".

$ 证书申请(D)“证书申请”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the term "certification request", which is preferred in PKI standards (e.g., see PKCS #10).

不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用术语“认证请求”,这是PKI标准中的首选(例如,见PKCS#10)。

$ certificate revocation (I) The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with an effective date.

$ 证书撤销(I)CA声明该CA颁发的以前有效的数字证书已失效时发生的事件;通常注明生效日期。

Tutorial: In X.509, a revocation is announced to potential certificate users by issuing a CRL that mentions the certificate. Revocation and listing on a CRL is only necessary prior to the certificate's scheduled expiration.

教程:在X.509中,通过发布提及证书的CRL向潜在证书用户宣布撤销。只有在证书计划到期之前,才需要撤销并在CRL上列出。

$ certificate revocation list (CRL) 1. (I) A data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, delta CRL, X.509 certificate revocation list.)

$ 证书吊销列表(CRL)1。(一) 一种数据结构,枚举在计划到期之前已由其颁发者失效的数字证书。(请参阅:证书到期、delta CRL、X.509证书吊销列表。)

2. (O) "A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. In addition to the generic term CRL, some specific CRL types are defined for CRLs that cover particular scopes." [X509]

2. (O) “一个签名列表,指示证书颁发者不再认为有效的一组证书。除了通用术语CRL外,还为覆盖特定范围的CRL定义了一些特定的CRL类型。”[X509]

$ certificate revocation tree (N) A mechanism for distributing notices of certificate revocations; uses a tree of hash results that is signed by the tree's issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)

$ 证书撤销树(N)分发证书撤销通知的机制;使用由树的颁发者签名的哈希结果树。提供了发布CRL的替代方案,但在X.509中不受支持。(请参阅:证书状态响应程序。)

$ certificate serial number 1. (I) An integer value that (a) is associated with, and may be carried in, a digital certificate; (b) is assigned to the certificate by the certificate's issuer; and (c) is unique among all the certificates produced by that issuer.

$ 证书序列号1。(一) (a)与数字证书相关联并且可以携带在数字证书中的整数值;(b) 由证书的颁发者分配给证书;和(c)在该发行人生产的所有证书中是唯一的。

2. (O) "An integer value, unique within the issuing CA, [that] is unambiguously associated with a certificate issued by that CA." [X509]

2. (O) “一个整数值,在颁发CA内唯一,[该值]与该CA颁发的证书明确关联。”[X509]

$ certificate status authority (D) /U.S. DoD/ "A trusted entity that provides on-line verification to a Relying Party of a subject certificate's trustworthiness [should instead say 'validity'], and may also provide additional attribute information for the subject certificate." [DoD7]

$ 证书状态管理局(D)/美国国防部/“向依赖方提供主体证书可信度在线验证的受信任实体[应改为说‘有效性’],还可以提供主体证书的附加属性信息。”[DoD7]

Deprecated Term: IDOCs SHOULD NOT use this term because it is not widely accepted; instead, use "certificate status responder" or "OCSP server", or otherwise explain what is meant.

不推荐使用的术语:IDOCs不应使用此术语,因为它未被广泛接受;相反,请使用“证书状态响应器”或“OCSP服务器”,或解释其含义。

$ certificate status responder (N) /FPKI/ A trusted online server that acts for a CA to provide authenticated certificate status information to certificate users [FPKI]. Offers an alternative to issuing a CR. (See: certificate revocation tree, OCSP.)

$ 证书状态响应程序(N)/FPKI/一个受信任的在线服务器,它代表CA向证书用户提供经过身份验证的证书状态信息[FPKI]。提供了颁发CR的替代方案。(请参阅:证书吊销树,OCSP。)

$ certificate update (I) The act or process by which non-key data items bound in an existing public-key certificate, especially authorizations granted

$ 证书更新(I)将非密钥数据项绑定到现有公钥证书中的行为或过程,尤其是授予的授权

to the subject, are changed by issuing a new certificate. (See: certificate rekey, certificate renewal.)

对于主题,通过颁发新证书进行更改。(请参阅:证书重新注册、证书续订。)

Usage: For an X.509 public-key certificate, the essence of this process is that fundamental changes are made in the data that is bound to the public key, such that it is necessary to revoke the old certificate. (Otherwise, the process is only a "certificate rekey" or "certificate renewal".)

用法:对于X.509公钥证书,此过程的实质是对绑定到公钥的数据进行根本性更改,因此有必要撤销旧证书。(否则,该过程仅为“证书重新密钥”或“证书续订”。)

$ certificate user 1. (I) A system entity that depends on the validity of information (such as another entity's public key value) provided by a digital certificate. (See: relying party. Compare: /digital certificate/ subject.)

$ 证书用户1。(一) 依赖于数字证书提供的信息(如另一实体的公钥值)的有效性的系统实体。(请参阅:依赖方。比较:/digital certificate/主题。)

Usage: The depending entity may be a human being or an organization, or a device or process controlled by a human or organization. (See: user.)

用法:依赖实体可以是人或组织,也可以是由人或组织控制的设备或过程。(请参阅:用户。)

2. (O) "An entity that needs to know, with certainty, the public key of another entity." [X509]

2. (O) “需要确切了解另一实体公钥的实体。”[X509]

3. (D) Synonym for "subject" of a digital certificate.

3. (D) 数字证书“主题”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3; the term could be confused with one of the other two definitions given above.

不推荐使用的定义:IDOC不应将此术语与定义3一起使用;该术语可能与上面给出的另外两个定义之一混淆。

$ certificate validation 1. (I) An act or process by which a certificate user establishes that the assertions made by a digital certificate can be trusted. (See: valid certificate, validate vs. verify.)

$ 证书验证1。(一) 一种行为或过程,证书用户通过该行为或过程确定数字证书所作的断言是可信的。(请参阅:有效证书、验证与验证。)

2. (O) "The process of ensuring that a certificate was valid at a given time, including possibly the construction and processing of a certification path [R4158], and ensuring that all certificates in that path were valid (i.e. were not expired or revoked) at that given time." [X509]

2. (O) “确保证书在给定时间有效的过程,可能包括构建和处理证书路径[R4158],并确保该路径中的所有证书在给定时间有效(即未过期或吊销)。[X509]

Tutorial: To validate a certificate, a certificate user checks that the certificate is properly formed and signed and is currently in force: - Checks the syntax and semantics: Parses the certificate's syntax and interprets its semantics, applying rules specified for and by its data fields, such as for critical extensions in an X.509 certificate.

教程:要验证证书,证书用户将检查证书的格式和签名是否正确以及当前是否有效:-检查语法和语义:解析证书的语法并解释其语义,应用其数据字段指定的规则,例如X.509证书中的关键扩展。

- Checks the signature: Uses the issuer's public key to verify the digital signature of the CA who issued the certificate in question. If the verifier obtains the issuer's public key from the issuer's own public-key certificate, that certificate should be validated, too. That validation may lead to yet another certificate to be validated, and so on. Thus, in general, certificate validation involves discovering and validating a certification path. - Checks currency and revocation: Verifies that the certificate is currently in force by checking that the current date and time are within the validity period (if that is specified in the certificate) and that the certificate is not listed on a CRL or otherwise announced as invalid. (The CRLs also must be checked by a similar validation process.)

- 检查签名:使用颁发者的公钥验证颁发证书的CA的数字签名。如果验证器从颁发者自己的公钥证书中获得颁发者的公钥,则该证书也应进行验证。该验证可能会导致另一个证书被验证,等等。因此,一般来说,证书验证涉及发现和验证证书路径检查货币和吊销:通过检查当前日期和时间是否在有效期内(如果证书中指定)以及证书是否未列在CRL上或以其他方式宣布为无效,验证证书当前是否有效。(CRL还必须通过类似的验证过程进行检查。)

$ certification 1. (I) /information system/ Comprehensive evaluation (usually made in support of an accreditation action) of an information system's technical security features and other safeguards to establish the extent to which the system's design and implementation meet a set of specified security requirements. [C4009, FP102, SP37] (See: accreditation. Compare: evaluation.)

$ 证书1。(一) /信息系统/对信息系统的技术安全功能和其他保障措施进行综合评估(通常是为了支持认证行动),以确定系统的设计和实施在多大程度上满足一系列特定的安全要求。[C4009、FP102、SP37](参见:认证。比较:评估。)

2. (I) /digital certificate/ The act or process of vouching for the truth and accuracy of the binding between data items in a certificate. (See: certify.)

2. (一) /数字证书/证明证书中数据项之间绑定的真实性和准确性的行为或过程。(见:证明)

3. (I) /PKI/ The act or process of vouching for the ownership of a public key by issuing a public-key certificate that binds the key to the name of the entity that possesses the matching private key. Besides binding a key with a name, a public-key certificate may bind those items with other restrictive or explanatory data items. (See: X.509 public-key certificate.)

3. (一) /PKI/通过颁发公钥证书,将公钥绑定到拥有匹配私钥的实体的名称,从而证明公钥所有权的行为或过程。除了使用名称绑定密钥外,公钥证书还可以将这些项与其他限制性或解释性数据项绑定。(请参阅:X.509公钥证书。)

4. (O) /SET/ "The process of ascertaining that a set of requirements or criteria has been fulfilled and attesting to that fact to others, usually with some written instrument. A system that has been inspected and evaluated as fully compliant with the SET protocol by duly authorized parties and process would be said to have been certified compliant." [SET2]

4. (O) /SET/“确定一套要求或标准已得到满足并向其他人证明该事实的过程,通常使用一些书面文书。经正式授权方检查和评估为完全符合SET协议的系统和过程将被视为已被证明符合要求。”[SET2]

$ certification authority (CA) 1. (I) An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.

$ 核证机关(CA)1。(一) 颁发数字证书(特别是X.509证书)并为证书中的数据项之间的绑定提供担保的实体。

2. (O) "An authority trusted by one or more users to create and assign certificates. Optionally the certification authority may create the user's keys." [X509]

2. (O) “一个或多个用户信任的用于创建和分配证书的机构。证书颁发机构也可以创建用户的密钥。”[X509]

Tutorial: Certificate users depend on the validity of information provided by a certificate. Thus, a CA should be someone that certificate users trust and that usually holds an official position created and granted power by a government, a corporation, or some other organization. A CA is responsible for managing the life cycle of certificates (see: certificate management) and, depending on the type of certificate and the CPS that applies, may be responsible for the lifecycle of key pairs associated with the certificates (see: key management).

教程:证书用户取决于证书提供的信息的有效性。因此,CA应该是证书用户信任的人,通常担任由政府、公司或其他组织创建和授予权力的官方职位。CA负责管理证书的生命周期(请参阅:证书管理),并根据证书的类型和适用的CP,负责与证书相关联的密钥对的生命周期(请参阅:密钥管理)。

$ certification authority workstation (CAW) (N) A computer system that enables a CA to issue digital certificates and supports other certificate management functions as required.

$ 证书颁发机构工作站(CAW)(N)一种计算机系统,使CA能够颁发数字证书,并根据需要支持其他证书管理功能。

$ certification hierarchy 1. (I) A tree-structured (loop-free) topology of relationships between CAs and the entities to whom the CAs issue public-key certificates. (See: hierarchical PKI, hierarchy management.)

$ 认证层次结构1。(一) CA与CA向其颁发公钥证书的实体之间关系的树结构(无循环)拓扑。(请参阅:分层PKI,分层管理。)

Tutorial: In this structure, one CA is the top CA, the highest level of the hierarchy. (See: root, top CA.) The top CA may issue public-key certificates to one or more additional CAs that form the second-highest level. Each of these CAs may issue certificates to more CAs at the third-highest level, and so on. The CAs at the second-lowest level issue certificates only to non-CA entities that form the lowest level (see: end entity). Thus, all certification paths begin at the top CA and descend through zero or more levels of other CAs. All certificate users base path validations on the top CA's public key.

教程:在此结构中,一个CA是顶级CA,即层次结构的最高级别。(请参阅:root,top CA。)顶级CA可以向构成第二高级别的一个或多个附加CA颁发公钥证书。这些CA中的每一个都可以向第三高级别的更多CA颁发证书,以此类推。处于第二最低级别的CA仅向构成最低级别的非CA实体颁发证书(请参阅:end entity)。因此,所有认证路径都从顶部CA开始,然后下降到其他CA的零个或多个级别。所有证书用户都基于顶级CA的公钥进行路径验证。

2. (I) /PEM/ A certification hierarchy for PEM has three levels of CAs [R1422]: - The highest level is the "Internet Policy Registration Authority". - A CA at the second-highest level is a "policy certification authority". - A CA at the third-highest level is a "certification authority".

2. (一) /PEM/PEM的认证层次结构有三个级别的CA[R1422]:-最高级别是“Internet策略注册机构”。-第二高级别的CA是“策略证书颁发机构”——第三高级别的CA是“证书颁发机构”。

3. (O) /MISSI/ A certification hierarchy for MISSI has three or four levels of CAs: - A CA at the highest level, the top CA, is a "policy approving authority".

3. (O) /MISSI/A MISSI的认证层次结构有三到四个CA级别:-最高级别的CA,即顶级CA,是“策略批准机构”。

- A CA at the second-highest level is a "policy creation authority". - A CA at the third-highest level is a local authority called a "certification authority". - A CA at the fourth-highest (optional) level is a "subordinate certification authority".

- 第二高级别的CA是“策略创建机构”。-第三高级别的CA是一个称为“认证机构”的地方机构第四高级别(可选)的CA是“下级证书颁发机构”。

4. (O) /SET/ A certification hierarchy for SET has three or four levels of CAs: - The highest level is a "SET root CA". - A CA at the second-highest level is a "brand certification authority". - A CA at the third-highest (optional) level is a "geopolitical certification authority". - A CA at the fourth-highest level is a "cardholder CA", a "merchant CA", or a "payment gateway CA".

4. (O) /SET/SET的证书层次结构有三个或四个CA级别:-最高级别是“集合根CA”。-第二高级别的CA是“品牌认证机构”——第三高(可选)级别的CA是“地缘政治认证机构”——第四高级别的CA是“持卡人CA”、“商户CA”或“支付网关CA”。

$ certification path 1. (I) A linked sequence of one or more public-key certificates, or one or more public-key certificates and one attribute certificate, that enables a certificate user to verify the signature on the last certificate in the path, and thus enables the user to obtain (from that last certificate) a certified public key, or certified attributes, of the system entity that is the subject of that last certificate. (See: trust anchor, certificate validation, valid certificate.)

$ 认证路径1。(一) 一个或多个公钥证书或一个或多个公钥证书和一个属性证书的链接序列,使证书用户能够验证路径中最后一个证书上的签名,从而使用户能够(从该最后一个证书)获得经认证的公钥或经认证的属性,作为最后一个证书主题的系统实体的。(请参阅:信任锚、证书验证、有效证书。)

2. (O) "An ordered sequence of certificates of objects in the [X.500 Directory Information Tree] which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path." [R3647, X509]

2. (O) [X.500目录信息树]中对象的有序证书序列,可与路径中初始对象的公钥一起处理,以获得路径中最终对象的公钥。“[R3647,X509]

Tutorial: The list is "linked" in the sense that the digital signature of each certificate (except possibly the first) is verified by the public key contained in the preceding certificate; i.e., the private key used to sign a certificate and the public key contained in the preceding certificate form a key pair that has previously been bound to the authority that signed.

教程:列表是“链接”的,因为每个证书(第一个证书除外)的数字签名都是由前一个证书中包含的公钥验证的;i、 例如,用于签署证书的私钥和前一证书中包含的公钥形成了一对密钥,该密钥先前已绑定到签署证书的机构。

The path is the "list of certificates needed to [enable] a particular user to obtain the public key [or attributes] of another [user]." [X509] Here, the word "particular" points out that a certification path that can be validated by one certificate user might not be able to be validated by another. That is because either the first certificate needs to be a trusted certificate or the signature on the first certificate needs to be verifiable by a trusted key (e.g., a root key), but such trust is established only

路径是“特定用户获得另一[用户]的公钥[或属性]所需的证书列表”。[X509]这里,“特定”一词指出,可以由一个证书用户验证的证书路径可能无法由另一个证书用户验证。这是因为第一个证书需要是受信任的证书,或者第一个证书上的签名需要可由受信任的密钥(例如,根密钥)验证,但是这种信任仅建立

relative to a "particular" (i.e., specific) user, not absolutely for all users.

相对于“特定”(即特定)用户,并非绝对适用于所有用户。

$ certification policy (D) Synonym for either "certificate policy" or "certification practice statement".

$ 认证政策(D)“认证政策”或“认证实践声明”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; that would be duplicative and would mix concepts in a potentially misleading way. Instead, use either "certificate policy" or "certification practice statement", depending on what is meant.

不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这将是重复的,并将以一种潜在误导的方式混合概念。相反,使用“证书政策”或“认证实践声明”,具体取决于其含义。

$ certification practice statement (CPS) (I) "A statement of the practices which a certification authority employs in issuing certificates." [DSG, R3647] (See: certificate policy.)

$ 认证惯例声明(CPS)(I)“认证机构在颁发证书时采用的惯例声明。”[DSG,R3647](见:证书政策。)

Tutorial: A CPS is a published security policy that can help a certificate user to decide whether a certificate issued by a particular CA can be trusted enough to use in a particular application. A CPS may be (a) a declaration by a CA of the details of the system and practices it uses in its certificate management operations, (b) part of a contract between the CA and an entity to whom a certificate is issued, (c) a statute or regulation applicable to the CA, or (d) a combination of these types involving multiple documents. [DSG]

教程:CPS是一种已发布的安全策略,它可以帮助证书用户确定特定CA颁发的证书是否足够可信,以便在特定应用程序中使用。CPS可以是(A)CA对其证书管理操作中使用的系统和实践细节的声明,(b)CA与证书颁发给的实体之间的合同的一部分,(c)适用于CA的法规或条例,或(d)涉及多个文件的这些类型的组合。[DSG]

A CPS is usually more detailed and procedurally oriented than a certificate policy. A CPS applies to a particular CA or CA community, while a certificate policy applies across CAs or communities. A CA with its single CPS may support multiple certificate policies, which may be used for different application purposes or by different user communities. On the other hand, multiple CAs, each with a different CPS, may support the same certificate policy. [R3647]

CPS通常比证书策略更详细,更面向过程。CPS适用于特定CA或CA社区,而证书策略适用于整个CA或社区。具有单个CP的CA可能支持多个证书策略,这些策略可用于不同的应用程序目的或由不同的用户社区使用。另一方面,多个CA(每个CA具有不同的CP)可能支持相同的证书策略。[R3647]

$ certification request (I) An algorithm-independent transaction format (e.g., PKCS #10, RFC 4211) that contains a DN, and a public key or, optionally, a set of attributes, collectively signed by the entity requesting certification, and sent to a CA, which transforms the request to an X.509 public-key certificate or another type of certificate.

$ 认证请求(I)一种独立于算法的事务格式(如PKCS#10、RFC 4211),其中包含一个DN、一个公钥或一组属性,由请求认证的实体共同签名,并发送给CA,CA将请求转换为X.509公钥证书或其他类型的证书。

$ certify 1. (I) Issue a digital certificate and thus vouch for the truth, accuracy, and binding between data items in the certificate (e.g., "X.509 public-key certificate"), such as the identity of the

$ 证明1。(一) 颁发数字证书,从而保证证书中数据项(例如,“X.509公钥证书”)之间的真实性、准确性和绑定性,例如

certificate's subject and the ownership of a public key. (See: certification.)

证书的主题和公钥的所有权。(见:认证。)

Usage: To "certify a public key" means to issue a public-key certificate that vouches for the binding between the certificate's subject and the key.

用法:“认证公钥”是指颁发公钥证书,以证明证书主题与密钥之间的绑定。

2. (I) The act by which a CA uses measures to verify the truth, accuracy, and binding between data items in a digital certificate.

2. (一) CA使用措施验证数字证书中数据项之间的真实性、准确性和绑定的行为。

Tutorial: A description of the measures used for verification should be included in the CA's CPS.

教程:CA的CPS中应包含用于验证的措施说明。

$ CFB (N) See: cipher feedback.

$ CFB(N)参见:密码反馈。

$ chain (D) See: trust chain.

$ 链(D)参见:信任链。

$ Challenge Handshake Authentication Protocol (CHAP) (I) A peer entity authentication method (employed by PPP and other protocols, e.g., RFC 3720) that uses a randomly generated challenge and requires a matching response that depends on a cryptographic hash of some combination of the challenge and a secret key. [R1994] (See: challenge-response, PAP.)

$ 质询握手认证协议(CHAP)(I)对等实体认证方法(由PPP和其他协议使用,例如RFC 3720),该方法使用随机生成的质询,并需要取决于质询和密钥的某种组合的密码散列的匹配响应。[R1994](参见:质询响应,PAP。)

$ challenge-response (I) An authentication process that verifies an identity by requiring correct authentication information to be provided in response to a challenge. In a computer system, the authentication information is usually a value that is required to be computed in response to an unpredictable challenge value, but it might be just a password.

$ 质询响应(I)通过要求提供正确的身份验证信息以响应质询来验证身份的身份验证过程。在计算机系统中,身份验证信息通常是响应不可预测的质询值而需要计算的值,但它可能只是一个密码。

$ Challenge-Response Authentication Mechanism (CRAM) (I) /IMAP4/ A mechanism [R2195], intended for use with IMAP4 AUTHENTICATE, by which an IMAP4 client uses a keyed hash [R2104] to authenticate itself to an IMAP4 server. (See: POP3 APOP.)

$ 质询-响应身份验证机制(CRAM)(I)/IMAP4/A机制[R2195],用于IMAP4身份验证,通过该机制,IMAP4客户端使用密钥哈希[R2104]向IMAP4服务器进行身份验证。(参见:POP3 APOP。)

Tutorial: The server includes a unique time stamp in its ready response to the client. The client replies with the client's name and the hash result of applying MD5 to a string formed from concatenating the time stamp with a shared secret that is known only to the client and the server.

教程:服务器在其对客户端的就绪响应中包含一个唯一的时间戳。客户机使用客户机的名称和将MD5应用于字符串的哈希结果进行回复,该字符串是通过将时间戳与只有客户机和服务器才知道的共享秘密连接而形成的。

$ channel 1. (I) An information transfer path within a system. (See: covert channel.)

$ 第一频道。(一) 系统内的信息传输路径。(请参阅:隐蔽通道。)

2. (O) "A subdivision of the physical medium allowing possibly shared independent uses of the medium." (RFC 3753)

2. (O) “物理介质的一个细分,允许可能共享的独立介质使用。”(RFC 3753)

$ channel capacity (I) The total capacity of a link to carry information; usually expressed in bits per second. (RFC 3753) (Compare: bandwidth.)

$ 信道容量(I)链路承载信息的总容量;通常以每秒比特数表示。(RFC 3753)(比较:带宽)

Tutorial: Within a given bandwidth, the theoretical maximum channel capacity is given by Shannon's Law. The actual channel capacity is determined by the bandwidth, the coding system used, and the signal-to-noise ratio.

教程:在给定带宽内,理论最大信道容量由香农定律给出。实际信道容量由带宽、使用的编码系统和信噪比决定。

$ CHAP (I) See: Challenge Handshake Authentication Protocol.

$ 第(I)章见:质询握手认证协议。

$ checksum (I) A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data. (See: cyclic redundancy check, data integrity service, error detection code, hash, keyed hash, parity bit, protected checksum.)

$ 校验和(I)(A)由依赖于数据对象内容的函数计算的值,以及(b)与对象一起存储或传输的值,用于检测数据中的变化。(请参阅:循环冗余校验、数据完整性服务、错误检测代码、哈希、键控哈希、奇偶校验位、受保护校验和。)

Tutorial: To gain confidence that a data object has not been changed, an entity that later uses the data can independently recompute the checksum value and compare the result with the value that was stored or transmitted with the object.

教程:为了确保数据对象未被更改,以后使用数据的实体可以独立地重新计算校验和值,并将结果与对象存储或传输的值进行比较。

Computer systems and networks use checksums (and other mechanisms) to detect accidental changes in data. However, active wiretapping that changes data could also change an accompanying checksum to match the changed data. Thus, some checksum functions by themselves are not good countermeasures for active attacks. To protect against active attacks, the checksum function needs to be well-chosen (see: cryptographic hash), and the checksum result needs to be cryptographically protected (see: digital signature, keyed hash).

计算机系统和网络使用校验和(和其他机制)来检测数据中的意外变化。但是,更改数据的主动窃听也可能会更改附带的校验和,以匹配更改的数据。因此,某些校验和函数本身并不是主动攻击的良好对策。为了防止主动攻击,需要正确选择校验和函数(请参阅:加密散列),并且校验和结果需要加密保护(请参阅:数字签名,密钥散列)。

$ Chinese wall policy (I) A security policy to prevent conflict of interest caused by an entity (e.g., a consultant) interacting with competing firms. (See: Brewer-Nash model.)

$ 中国墙政策(I)防止实体(如顾问)与竞争公司互动造成利益冲突的安全政策。(参见:布鲁尔-纳什模型。)

      Tutorial: All information is categorized into mutually exclusive
      conflict-of-interest classes I(1), I(2), ..., I(M), and each firm
      F(1), F(2), ..., F(N) belongs to exactly one class. The policy
      states that if a consultant has access to class I(i) information
      from a firm in that class, then the consultant may not access
      information from another firm in that same class, but may access
        
      Tutorial: All information is categorized into mutually exclusive
      conflict-of-interest classes I(1), I(2), ..., I(M), and each firm
      F(1), F(2), ..., F(N) belongs to exactly one class. The policy
      states that if a consultant has access to class I(i) information
      from a firm in that class, then the consultant may not access
      information from another firm in that same class, but may access
        

information from another firm that is in a different class. Thus, the policy creates a barrier to communication between firms that are in the same conflict-of-interest class. Brewer and Nash modeled enforcement of this policy [BN89], including dealing with policy violations that could occur because two or more consultants work for the same firm.

来自不同类别的另一家公司的信息。因此,该政策对处于同一利益冲突类别的公司之间的沟通造成了障碍。Brewer和Nash对该政策的执行进行了建模[BN89],包括处理由于两名或多名顾问为同一家公司工作而可能发生的违反政策行为。

$ chosen-ciphertext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of plain text that corresponds to cipher text selected (i.e., dictated) by the analyst.

$ 选择密文攻击(I)一种密码分析技术,分析员试图根据与分析员选择(即口述)的密文相对应的纯文本知识确定密钥。

$ chosen-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of cipher text that corresponds to plain text selected (i.e., dictated) by the analyst.

$ 选择明文攻击(I)一种密码分析技术,分析员试图根据密码文本的知识确定密钥,密码文本对应于分析员选择(即口述)的明文。

$ CIAC (O) See: Computer Incident Advisory Capability.

$ CIAC(O)见:计算机事故咨询能力。

$ CIK (N) See: cryptographic ignition key.

$ CIK(N)参见:加密点火钥匙。

$ cipher (I) A cryptographic algorithm for encryption and decryption.

$ 密码(I)用于加密和解密的加密算法。

$ cipher block chaining (CBC) (N) A block cipher mode that enhances ECB mode by chaining together blocks of cipher text it produces. [FP081] (See: block cipher, [R1829], [R2405], [R2451], [SP38A].)

$ 密码分组链接(CBC)(N)一种分组密码模式,它通过将产生的密文块链接在一起来增强ECB模式。[FP081](参见:分组密码[R1829]、[R2405]、[R2451]、[SP38A]。)

Tutorial: This mode operates by combining (exclusive OR-ing) the algorithm's ciphertext output block with the next plaintext block to form the next input block for the algorithm.

教程:此模式通过将算法的密文输出块与下一个明文块组合(异或)来操作,以形成算法的下一个输入块。

$ cipher feedback (CFB) (N) A block cipher mode that enhances ECB mode by chaining together the blocks of cipher text it produces and operating on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)

$ 密码反馈(CFB)(N)一种分组密码模式,通过将其产生的密文块链接在一起,并对长度小于或等于块长度的明文段进行操作,从而增强ECB模式。[FP081](参见:分组密码[SP38A]。)

Tutorial: This mode operates by using the previously generated ciphertext segment as the algorithm's input (i.e., by "feeding back" the cipher text) to generate an output block, and then combining (exclusive OR-ing) that output block with the next plaintext segment (block length or less) to form the next ciphertext segment.

教程:此模式通过使用先前生成的密文段作为算法的输入(即,通过“反馈”密文)生成输出块,然后将该输出块与下一个明文段(块长度或更短)组合(异或)形成下一个密文段。

$ cipher text 1. (I) /noun/ Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. (See: ciphertext. Compare: clear text, plain text.)

$ 密文1。(一) /noon/通过加密转换的数据,其语义信息内容(即其含义)不再可理解或直接可用。(请参阅:密文。比较:明文和纯文本。)

2. (O) "Data produced through the use of encipherment. The semantic content of the resulting data is not available." [I7498-2]

2. (O) “通过使用加密产生的数据。结果数据的语义内容不可用。”[I7498-2]

$ ciphertext 1. (O) /noun/ Synonym for "cipher text" [I7498-2].

$ 密文1。(O) /名词/同义词“密文”[I7498-2]。

2. (I) /adjective/ Referring to cipher text. Usage: Commonly used instead of "cipher-text". (Compare: cleartext, plaintext.)

2. (一) /形容词/指密文。用法:常用代替“密文”。(比较:明文、明文。)

$ ciphertext auto-key (CTAK) (D) "Cryptographic logic that uses previous cipher text to generate a key stream." [C4009, A1523] (See: KAK.)

$ 密文自动密钥(CTAK)(D)“使用以前的密文生成密钥流的加密逻辑。”[C4009,A1523](参见:KAK.)

Deprecated Term: IDOCs SHOULD NOT use this term; it is neither well-known nor precisely defined. Instead, use terms associated with modes that are defined in standards, such as CBC, CFB, and OFB.

不推荐使用的术语:IDoc不应使用此术语;它既不是众所周知的,也不是精确定义的。相反,使用与标准中定义的模式相关的术语,如CBC、CFB和OFB。

$ ciphertext-only attack (I) A cryptanalysis technique in which the analyst tries to determine the key solely from knowledge of intercepted cipher text (although the analyst may also know other clues, such as the cryptographic algorithm, the language in which the plain text was written, the subject matter of the plain text, and some probable plaintext words.)

$ 纯密文攻击(I)一种密码分析技术,分析人员试图仅从截获密文的知识中确定密钥(尽管分析员可能还知道其他线索,例如加密算法、明文的编写语言、明文的主题以及一些可能的明文单词。)

$ ciphony (O) The process of encrypting audio information.

$ 加密(O)对音频信息进行加密的过程。

$ CIPSO (I) See: Common IP Security Option.

$ CIPSO(I)见:通用IP安全选项。

$ CKL (I) See: compromised key list.

$ CKL(I)见:泄露密钥列表。

$ Clark-Wilson model (N) A security model [Clark] to maintain data integrity in the commercial world. (Compare: Bell-LaPadula model.)

$ Clark Wilson模型(N)一种在商业领域维护数据完整性的安全模型[Clark]。(比较:Bell-LaPadula模型。)

$ class 2, 3, 4, 5 (O) /U.S. DoD/ Assurance levels for PKIs, and for X.509 public-key certificates issued by a PKI. [DoD7] (See: "first law" under "Courtney's laws".) - "Class 2": Intended for applications handling unclassified, low-value data in minimally or moderately protected environments. - "Class 3": Intended for applications handling unclassified, medium-value data in moderately protected environments, or handling unclassified or high-value data in highly protected environments, and for discretionary access control of classified data in highly protected environments. - "Class 4": Intended for applications handling unclassified, high-value data in minimally protected environments. - "Class 5": Intended for applications handling classified data in minimally protected environments, and for authentication of material that would affect the security of classified systems.

$ PKI和PKI颁发的X.509公钥证书的第2、3、4、5(O)类/美国国防部/保证级别。[DoD7](参见“考特尼定律”下的“第一定律”)-“第2类”:适用于在最低或适度保护的环境中处理非机密、低价值数据的应用程序。-“3级”:适用于在中度保护环境中处理非机密、中等价值数据的应用程序,或在高度保护环境中处理非机密或高价值数据的应用程序,以及在高度保护环境中对机密数据进行自主访问控制的应用程序。-“4级”:适用于在最低保护环境中处理非机密、高价值数据的应用程序。-“5级”:用于在最低保护环境中处理机密数据的应用程序,以及用于对可能影响机密系统安全性的材料进行认证。

      The environments are defined as follows:
      -  "Highly protected environment": Networks that are protected
         either with encryption devices approved by NSA for protection
         of classified data or via physical isolation, and that are
         certified for processing system-high classified data, where
         exposure of unencrypted data is limited to U.S. citizens
         holding appropriate security clearances.
      -  "Moderately protected environment":
         -- Physically isolated unclassified, unencrypted networks in
            which access is restricted based on legitimate need.
         -- Networks protected by NSA-approved, type 1 encryption,
            accessible by U.S.-authorized foreign nationals.
      -  "Minimally protected environments": Unencrypted networks
         connected to either the Internet or NIPRNET, either directly or
         via a firewall.
        
      The environments are defined as follows:
      -  "Highly protected environment": Networks that are protected
         either with encryption devices approved by NSA for protection
         of classified data or via physical isolation, and that are
         certified for processing system-high classified data, where
         exposure of unencrypted data is limited to U.S. citizens
         holding appropriate security clearances.
      -  "Moderately protected environment":
         -- Physically isolated unclassified, unencrypted networks in
            which access is restricted based on legitimate need.
         -- Networks protected by NSA-approved, type 1 encryption,
            accessible by U.S.-authorized foreign nationals.
      -  "Minimally protected environments": Unencrypted networks
         connected to either the Internet or NIPRNET, either directly or
         via a firewall.
        

$ Class A1, B3, B2, B1, C2, or C1 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".

$ A1类、B3类、B2类、B1类、C2类或C1类计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。

$ classification 1. (I) A grouping of classified information to which a hierarchical, restrictive security label is applied to increase protection of the data from unauthorized disclosure. (See: aggregation, classified, data confidentiality service. Compare: category, compartment.)

$ 第1类。(一) 一组机密信息,对其应用分层的、限制性的安全标签,以加强对数据的保护,防止未经授权的泄露。(请参阅:聚合、分类、数据保密服务。比较:类别、隔间。)

2. (I) An authorized process by which information is determined to be classified and assigned to a security level. (Compare: declassification.)

2. (一) 一种经过授权的过程,通过该过程,信息被确定为机密信息并分配给安全级别。(比较:解密。)

Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)

用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)

$ classification label (I) A security label that tells the degree of harm that will result from unauthorized disclosure of the labeled data, and may also tell what countermeasures are required to be applied to protect the data from unauthorized disclosure. Example: IPSO. (See: classified, data confidentiality service. Compare: integrity label.)

$ 分类标签(I)一种安全标签,说明未经授权披露标签数据将造成的危害程度,还可能说明需要采取哪些对策来保护数据不被未经授权披露。例如:IPSO。(请参阅:机密数据保密服务。比较:完整性标签。)

Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)

用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)

$ classification level (I) A hierarchical level of protection (against unauthorized disclosure) that is required to be applied to certain classified data. (See: classified. Compare: security level.)

$ 分类级别(I)要求应用于某些机密数据的分层保护级别(防止未经授权的披露)。(请参阅:已分类。比较:安全级别。)

Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)

用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)

$ classified 1. (I) Refers to information (stored or conveyed, in any form) that is formally required by a security policy to receive data confidentiality service and to be marked with a security label (which, in some cases, might be implicit) to indicate its protected status. (See: classify, collateral information, SAP, security level. Compare: unclassified.)

$ 第1类。(一) 指安全策略正式要求的信息(以任何形式存储或传输),以接收数据保密服务,并用安全标签(在某些情况下可能是隐式的)标记以指示其受保护状态。(请参阅:分类、辅助信息、SAP、安全级别。比较:未分类。)

Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)

用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)

Mainly used by national governments, especially by the military, but the underlying concept also applies outside of governments.

主要用于国家政府,特别是军队,但基本概念也适用于政府以外的部门。

2. (O) /U.S. Government/ "Information that has been determined pursuant to Executive Order 12958 or any predecessor Order, or by the Atomic Energy Act of 1954, as amended, to require protection

2. (O) /U.S.Government/“根据12958号行政命令或任何先前命令或经修订的1954年《原子能法》确定需要保护的信息

against unauthorized disclosure and is marked to indicate its classified status." [C4009]

防止未经授权的披露,并标记以表明其保密状态。”[C4009]

$ classify (I) To officially designate an information item or type of information as being classified and assigned to a specific security level. (See: classified, declassify, security level.)

$ 分类(I)将信息项或信息类型正式指定为已分类并分配给特定安全级别。(请参阅:机密、解密、安全级别。)

$ clean system (I) A computer system in which the operating system and application system software and files have been freshly installed from trusted software distribution media. (Compare: secure state.)

$ clean system(I)一种计算机系统,其中操作系统和应用系统软件及文件是从受信任的软件分发介质新安装的。(比较:安全状态。)

$ clear (D) /verb/ Synonym for "erase". [C4009]

$ 清除(D)/动词/同义词“擦除”。[C4009]

Deprecated Definition: IDOCs SHOULD NOT use the term with this definition; that could be confused with "clear text" in which information is directly recoverable.

不推荐使用的定义:IDoc不应使用此定义的术语;这可能与“明文”相混淆,在“明文”中,信息可以直接恢复。

$ clear text 1. (I) /noun/ Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available, i.e., not encrypted. (See: cleartext, in the clear. Compare: cipher text, plain text.)

$ 明文1。(一) /名词/语义信息内容(即含义)可理解或直接可用(即未加密)的数据。(请参见:明文,在明文中。比较:密文,纯文本。)

2. (O) /noun/ "Intelligible data, the semantic content of which is available." [I7498-2]

2. (O) /noun/“可理解的数据,其语义内容可用。”[I7498-2]

3. (D) /noun/ Synonym for "plain text".

3. (D) /noun/纯文本的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "plain text", because the plain text that is input to an encryption operation may itself be cipher text that was output from a previous encryption operation. (See: superencryption.)

不推荐使用的定义:IDOCs不应将此术语用作“纯文本”的同义词,因为输入到加密操作的纯文本本身可能是先前加密操作输出的密码文本。(请参阅:超级加密。)

$ clearance See: security clearance.

$ 许可见:安全许可。

$ clearance level (I) The security level of information to which a security clearance authorizes a person to have access.

$ 许可级别(I)安全许可授权人员访问的信息的安全级别。

$ cleartext 1. (O) /noun/ Synonym for "clear text" [I7498-2].

$ 明文1。(O) /名词/同义词“明文”[I7498-2]。

2. (I) /adjective/ Referring to clear text. Usage: Commonly used instead of "clear-text". (Compare: ciphertext, plaintext.)

2. (一) /形容词/指明文。用法:常用而非“明文”。(比较:密文、明文。)

3. (D) /adjective/ Synonym for "plaintext".

3. (D) /形容词/同义词“明文”。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "plaintext", because the plaintext data that is input to an encryption operation may itself be ciphertext data that was output from a previous encryption operation. (See: superencryption.)

不推荐使用的定义:IDOC不应将此术语用作“明文”的同义词,因为输入到加密操作的明文数据本身可能是先前加密操作输出的密文数据。(请参阅:超级加密。)

$ CLEF (N) See: commercially licensed evaluation facility.

$ CLEF(N)见:商业许可评估机构。

$ client (I) A system entity that requests and uses a service provided by another system entity, called a "server". (See: server.)

$ 客户端(I)请求并使用另一个系统实体(称为“服务器”)提供的服务的系统实体。(请参阅:服务器。)

Tutorial: Usually, it is understood that the client and server are automated components of the system, and the client makes the request on behalf of a human user. In some cases, the server may itself be a client of some other server.

教程:通常情况下,客户机和服务器是系统的自动化组件,客户机代表人类用户发出请求。在某些情况下,服务器本身可能是其他服务器的客户端。

$ client-server system (I) A distributed system in which one or more entities, called clients, request a specific service from one or more other entities, called servers, that provide the service to the clients.

$ 客户机-服务器系统(I)一个分布式系统,其中一个或多个实体(称为客户机)向向客户机提供服务的一个或多个其他实体(称为服务器)请求特定服务。

Example: The Word Wide Web, in which component servers provide information that is requested by component clients called "browsers".

示例:WordWideWeb,其中组件服务器提供组件客户端(称为“浏览器”)请求的信息。

$ CLIPPER (N) An integrated microcircuit (in MYK-7x series manufactured by Mykotronx, Inc.) that implements SKIPJACK, has a non-deterministic random number generator, and supports key escrow. (See: Escrowed Encryption Standard. Compare: CLIPPER.)

$ CLIPPER(N)一种集成微电路(MYK-7x系列,由Mykotronx,Inc.制造),实现SKIPJACK,具有非确定性随机数生成器,并支持密钥托管。(请参阅:托管加密标准。比较:CLIPPER。)

Tutorial: The chip was mainly intended for protecting telecommunications over the public switched network. The key escrow scheme for the chip involves a SKIPJACK key that is common to all chips and that protects the unique serial number of the chip, and a second SKIPJACK key unique to the chip that protects all data encrypted by the chip. The second key is escrowed as split key components held by NIST and the U.S. Treasury Department.

教程:该芯片主要用于保护公共交换网络上的电信。芯片的密钥托管方案包括一个对所有芯片通用且保护芯片唯一序列号的SKIPJACK密钥,以及一个对芯片唯一且保护芯片加密的所有数据的SKIPJACK密钥。第二个关键部分由NIST和美国财政部托管为拆分关键部分。

$ closed security environment (O) /U.S. DoD/ A system environment that meets both of the following conditions: (a) Application developers (including maintainers) have sufficient clearances and authorizations to provide an acceptable presumption that they have not introduced

$ 满足以下两个条件的封闭安全环境(O)/美国国防部/A系统环境:(A)应用程序开发人员(包括维护人员)有足够的许可和授权,以提供一个可接受的假设,即他们没有引入

malicious logic. (b) Configuration control provides sufficient assurance that system applications and the equipment they run on are protected against the introduction of malicious logic prior to and during the operation of applications. [NCS04] (See: "first law" under "Courtney's laws". Compare: open security environment.)

恶意逻辑。(b) 配置控制提供了充分的保证,系统应用程序及其运行的设备在应用程序运行之前和运行期间受到保护,防止引入恶意逻辑。[NCS04](参见“考特尼定律”下的“第一定律”。比较:开放安全环境。)

$ CMA (D) See: certificate management authority.

$ CMA(D)参见:证书管理机构。

$ CMAC (N) A message authentication code [SP38B] that is based on a symmetric block cipher. (See: block cipher.)

$ CMAC(N)基于对称分组密码的消息身份验证码[SP38B]。(请参阅:分组密码。)

Derivation: Cipher-based MAC. (Compare: HMAC.)

派生:基于密码的MAC。(比较:HMAC)

Tutorial: Because CMAC is based on approved, symmetric-key block ciphers, such as AES, CMAC can be considered a mode of operation for those block ciphers. (See: mode of operation.)

教程:因为CMAC是基于认可的对称密钥分组密码,例如AES,CMAC可以被认为是这些分组密码的一种操作模式。(请参阅:操作模式。)

$ CMCS (O) See: COMSEC Material Control System.

$ CMCS(O)见:通信安全材料控制系统。

$ CMM (N) See: Capability Maturity Model.

$ CMM(N)参见:能力成熟度模型。

$ CMS (I) See: Cryptographic Message Syntax.

$ CMS(I)见:加密消息语法。

$ code 1. (I) A system of symbols used to represent information, which might originally have some other representation. Examples: ASCII, BER, country code, Morse code. (See: encode, object code, source code.)

$ 代码1。(一) 一种用于表示信息的符号系统,最初可能有其他表示形式。示例:ASCII、BER、国家代码、摩尔斯电码。(请参见:编码、目标代码、源代码。)

Deprecated Abbreviation: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as an abbreviation of "country code", "cyclic redundancy code", "Data Authentication Code", "error detection code", or "Message Authentication Code". To avoid misunderstanding, use the fully qualified term in these other cases, at least at the point of first usage.

不推荐使用的缩写:为避免与定义1混淆,IDOC不应使用“代码”作为“国家代码”、“循环冗余代码”、“数据身份验证代码”、“错误检测代码”或“消息身份验证代码”的缩写。为避免误解,在其他情况下,至少在首次使用时,使用完全限定术语。

2. (I) /cryptography/ An encryption algorithm based on substitution; i.e., a system for providing data confidentiality by using arbitrary groups (called "code groups") of letters, numbers, or symbols to represent units of plain text of varying length. (See: codebook, cryptography.)

2. (一) /加密/基于替换的加密算法;i、 例如,通过使用字母、数字或符号的任意组(称为“代码组”)来表示不同长度的纯文本单位,从而提供数据保密性的系统。(请参阅:代码本,密码学。)

Deprecated Usage: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as a synonym for any of the following terms: (a) "cipher", "hash", or other words that mean "a cryptographic algorithm"; (b) "cipher text"; or (c) "encrypt", "hash", or other words that refer to applying a cryptographic algorithm.

不推荐使用:为避免与定义1混淆,IDOC不应将“code”用作以下任何术语的同义词:(a)“cipher”、“hash”或其他表示“加密算法”的词语;(b) “密文”;或(c)“加密”、“哈希”或其他指应用加密算法的词语。

3. (I) An algorithm based on substitution, but used to shorten messages rather than to conceal their content.

3. (一) 一种基于替换的算法,但用于缩短消息而不是隐藏其内容。

4. (I) /computer programming/ To write computer software. (See: object code, source code.)

4. (一) /计算机编程/编写计算机软件。(请参见:目标代码,源代码。)

Deprecated Abbreviation: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as an abbreviation of "object code" or "source code". To avoid misunderstanding, use the fully qualified term in these other cases, at least at the point of first usage.

不推荐使用的缩写:为避免与定义1混淆,IDOC不应使用“代码”作为“目标代码”或“源代码”的缩写。为避免误解,在其他情况下,至少在首次使用时,使用完全限定术语。

$ code book 1. (I) Document containing a systematically arranged list of plaintext units and their ciphertext equivalents. [C4009]

$ 代码手册1。(一) 包含系统排列的明文单元及其密文等价物列表的文件。[C4009]

2. (I) An encryption algorithm that uses a word substitution technique. [C4009] (See: code, ECB.)

2. (一) 一种使用字替换技术的加密算法。[C4009](见:欧洲中央银行代码)

$ code signing (I) A security mechanism that uses a digital signature to provide data integrity and data origin authentication for software that is being distributed for use. (See: mobile code, trusted distribution.)

$ 代码签名(I)一种安全机制,使用数字签名为正在分发使用的软件提供数据完整性和数据源身份验证。(请参阅:移动代码,可信分发。)

Tutorial: In some cases, the signature on a software module may imply some assertion that the signer makes about the software. For example, a signature may imply that the software has been designed, developed, or tested according to some criterion.

教程:在某些情况下,软件模块上的签名可能意味着签名者对软件的某些断言。例如,签名可能意味着软件是根据某种标准设计、开发或测试的。

$ code word (O) /U.S. Government/ A single word that is used as a security label (usually applied to classified information) but which itself has a classified meaning. (See: classified, /U.S. Government/ security label.)

$ 代码词(O)/美国政府/用作安全标签的单个词(通常用于机密信息),但其本身具有机密含义。(请参阅:分类/美国政府/安全标签。)

$ COI (I) See: community of interest.

$ COI(I)见:利益共同体。

$ cold start (N) /cryptographic module/ A procedure for initially keying cryptographic equipment. [C4009]

$ 冷启动(N)/加密模块/用于初始键入加密设备的程序。[C4009]

$ collateral information (O) /U.S. Government/ Information that is classified but is not required to be protected by an SAP. (See: /U.S. Government/ classified.)

$ 附属信息(O)/美国政府/已分类但不需要SAP保护的信息。(见:/美国政府/机密文件)

$ color change (I) In a system being operated in periods-processing mode, the act of purging all information from one processing period and then changing over to the next processing period. (See: BLACK, RED.)

$ 颜色变化(I)在周期处理模式下运行的系统中,清除一个处理周期中的所有信息,然后切换到下一个处理周期的行为。(参见:黑色、红色。)

$ Commercial COMSEC Evaluation Program (CCEP) (O) "Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product." [C4009]

$ 商业通信安全评估计划(CCEP)(O)“NSA与行业之间的关系,其中NSA提供通信安全专业知识(即标准、算法、评估和指导),行业提供设计、开发和生产能力,以生产1类或2类产品。”[C4009]

$ commercially licensed evaluation facility (CLEF) (N) An organization that has official approval to evaluate the security of products and systems under the Common Criteria, ITSEC, or some other standard. (Compare: KLIF.)

$ 商业许可评估机构(CLEF)(N):获得官方批准,根据通用标准、ITSEC或其他标准评估产品和系统安全性的组织。(比较:KLIF。)

$ Committee on National Security Systems (CNSS) (O) /U.S. Government/ A Government, interagency, standing committee of the President's Critical Infrastructure Protection Board. The CNSS is chaired by the Secretary of Defense and provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems. The Secretary of Defense and the Director of Central Intelligence are responsible for developing and overseeing the implementation of Government-wide policies, principles, standards, and guidelines for the security of systems that handle national security information.

$ 国家安全系统委员会(CNSS)(O)/美国政府/A政府、跨机构、总统关键基础设施保护委员会常务委员会。CNSS由国防部长担任主席,为讨论政策问题提供论坛,制定国家政策,并发布国家安全系统安全的方向、操作程序和指南。国防部长和中央情报局局长负责制定和监督政府范围内有关处理国家安全信息系统安全的政策、原则、标准和指南的实施。

$ Common Criteria for Information Technology Security (N) A standard for evaluating information technology (IT) products and systems. It states requirements for security functions and for assurance measures. [CCIB] (See: CLEF, EAL, packages, protection profile, security target, TOE. Compare: CMM.)

$ 信息技术安全通用标准(N)评估信息技术(IT)产品和系统的标准。它规定了安全功能和保证措施的要求。[CCIB](参见:CLEF、EAL、包、保护配置文件、安全目标、TOE。比较:CMM。)

Tutorial: Canada, France, Germany, the Netherlands, the United Kingdom, and the United States (NIST and NSA) began developing this standard in 1993, based on the European ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), and the U.S. "Federal Criteria for Information Technology Security" and its precursor, the TCSEC. Work was done in cooperation with ISO/IEC Joint Technical Committee 1 (Information Technology),

教程:加拿大、法国、德国、荷兰、英国和美国(NIST和NSA)于1993年开始根据欧洲ITSEC、加拿大可信计算机产品评估标准(CTCPEC)和美国“信息技术安全联邦标准”及其前身TCSEC制定本标准。工作是与ISO/IEC联合技术委员会1(信息技术)合作完成的,

Subcommittee 27 (Security Techniques), Working Group 3 (Security Criteria). Version 2.0 of the Criteria has been issued as ISO's International Standard 15408. The U.S. Government intends this standard to supersede both the TCSEC and FIPS PUB 140. (See: NIAP.)

第27小组委员会(安全技术),第3工作组(安全标准)。标准的2.0版已作为ISO的国际标准15408发布。美国政府打算用本标准取代TCSEC和FIPS PUB 140。(见:NIAP)

The standard addresses data confidentiality, data integrity, and availability and may apply to other aspects of security. It focuses on threats to information arising from human activities, malicious or otherwise, but may apply to non-human threats. It applies to security measures implemented in hardware, firmware, or software. It does not apply to (a) administrative security not related directly to technical security, (b) technical physical aspects of security such as electromagnetic emanation control, (c) evaluation methodology or administrative and legal framework under which the criteria may be applied, (d) procedures for use of evaluation results, or (e) assessment of inherent qualities of cryptographic algorithms.

该标准涉及数据保密性、数据完整性和可用性,并可能适用于安全的其他方面。它侧重于人类活动(恶意或其他)对信息造成的威胁,但可能适用于非人类威胁。它适用于在硬件、固件或软件中实施的安全措施。它不适用于(a)与技术安全不直接相关的行政安全,(b)安全的技术物理方面,如电磁辐射控制,(c)适用标准的评估方法或行政和法律框架,(d)评估结果的使用程序,或(e)密码算法固有质量的评估。

Part 1, Introduction and General Model, defines general concepts and principles of IT security evaluation; presents a general model of evaluation; and defines constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems.

第一部分,引言和一般模型,定义了IT安全评估的一般概念和原则;提出了评价的一般模型;并定义用于表达IT安全目标、选择和定义IT安全需求以及为产品和系统编写高级规范的结构。

Part 2, Security Functional Requirements, contains a catalog of well-defined and well-understood functional requirement statements that are intended to be used as a standard way of expressing the security requirements for IT products and systems.

第2部分“安全功能需求”包含一系列定义明确且易于理解的功能需求声明,这些功能需求声明旨在用作表示IT产品和系统安全需求的标准方式。

Part 3, Security Assurance Requirements, contains a catalog of assurance components for use as a standard way of expressing such requirements for IT products and systems, and defines evaluation criteria for protection profiles and security targets.

第3部分“安全保证要求”包含一个保证组件目录,用作表示IT产品和系统此类要求的标准方式,并定义了保护配置文件和安全目标的评估标准。

$ Common IP Security Option (CIPSO) (I) See: secondary definition under "IPSO".

$ 通用IP安全选项(CIPSO)(I)见“IPSO”下的二级定义。

$ common name (N) A character string that (a) may be a part of the X.500 DN of a Directory object ("commonName" attribute), (b) is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization), and (c) conforms to the naming conventions of the country or culture with which it is associated. [X520] (See: "subject" and "issuer" under "X.509 public-key certificate".)

$ common name(N)(A)可能是目录对象的X.500 DN的一部分(“commonName”属性),(b)是一个(可能不明确的)名称,通过该名称,对象在某些有限范围内(如组织)是众所周知的,(c)符合与其关联的国家或文化的命名约定。[X520](参见“X.509公钥证书”下的“主体”和“颁发者”。)

Examples: "Dr. Albert Einstein", "The United Nations", and "12-th Floor Laser Printer".

例如:“阿尔伯特·爱因斯坦博士”、“联合国”和“第12层激光打印机”。

$ communications cover (N) "Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary." [C4009] (See: operations security, traffic-flow confidentiality, TRANSEC.)

$ 通信内容包括(N)“隐藏或改变特征通信模式,以隐藏可能对敌方有价值的信息。”[C4009](参见:作战安全、交通流保密、TRANSEC。)

$ communication security (COMSEC) (I) Measures that implement and assure security services in a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities.

$ 通信安全(COMSEC)(I)在通信系统中实施和确保安全服务的措施,特别是提供数据机密性和数据完整性以及认证通信实体的措施。

Usage: COMSEC is usually understood to include (a) cryptography and its related algorithms and key management methods and processes, devices that implement those algorithms and processes, and the lifecycle management of the devices and keying material. Also, COMSEC is sometimes more broadly understood as further including (b) traffic-flow confidentiality, (c) TRANSEC, and (d) steganography [Kahn]. (See: cryptology, signal security.)

用法:通信安全通常被理解为包括(a)加密及其相关算法和密钥管理方法和流程、实施这些算法和流程的设备以及设备和密钥材料的生命周期管理。此外,通信安全有时被更广泛地理解为进一步包括(b)交通流机密性,(c)TRANSEC和(d)隐写术[Kahn]。(参见:密码学,信号安全。)

$ community of interest (COI) 1. (I) A set of entities that operate under a common security policy. (Compare: domain.)

$ 利益共同体(COI)1。(一) 在通用安全策略下运行的一组实体。(比较:域。)

2. (I) A set of entities that exchange information collaboratively for some purpose.

2. (一) 为某种目的协同交换信息的一组实体。

$ community risk (N) Probability that a particular vulnerability will be exploited within an interacting population and adversely affect some members of that population. [C4009] (See: Morris worm, risk.)

$ 社区风险(N):特定脆弱性在相互作用的人群中被利用并对该人群中的某些成员产生不利影响的概率。[C4009](参见:莫里斯蠕虫,风险)

$ community string (I) A community name in the form of an octet string that serves as a cleartext password in SNMP version 1 (RFC 1157) and version 2 (RFC 1901). (See: password, Simple Network Management Protocol.)

$ 社区字符串(I)以八位字节字符串形式表示的社区名称,在SNMP版本1(RFC 1157)和版本2(RFC 1901)中用作明文密码。(请参阅:密码,简单网络管理协议。)

Tutorial: The SNMPv1 and SNMPv2 protocols have been declared "historic" and have been replaced by the more secure SNMPv3 standard (RFCs 3410-3418), which does not use cleartext passwords.

教程:SNMPv1和SNMPv2协议已被宣布为“历史”协议,并被更安全的SNMPv3标准(RFCs 3410-3418)所取代,该标准不使用明文密码。

$ compartment 1. (I) A grouping of sensitive information items that require special access controls beyond those normally provided for the basic classification level of the information. (See: compartmented security mode. Compare: category, classification.)

$ 1舱。(一) 需要特殊访问控制的一组敏感信息项,超出了通常为信息基本分类级别提供的访问控制。(请参阅:分隔安全模式。比较:类别、分类。)

Usage: The term is usually understood to include the special handling procedures to be used for the information.

用法:该术语通常被理解为包括用于信息的特殊处理程序。

2. (I) Synonym for "category".

2. (一) “类别”的同义词。

Deprecated Usage: This Glossary defines "category" with a slightly narrower meaning than "compartment". That is, a security label is assigned to a category because the data owner needs to handle the data as a compartment. However, a compartment could receive special protection in a system without being assigned a category label.

不推荐使用的用法:本术语表对“类别”的定义比“隔间”的含义略窄。也就是说,安全标签被分配给一个类别,因为数据所有者需要将数据作为一个分区来处理。但是,隔室可以在系统中接受特殊保护,而无需指定类别标签。

$ compartmented security mode (N) A mode of system operation wherein all users having access to the system have the necessary security clearance for the single, hierarchical classification level of all data handled by the system, but some users do not have the clearance for a non-hierarchical category of some data handled by the system. (See: category, /system operation/ under "mode", protection level, security clearance.)

$ 分区安全模式(N):一种系统操作模式,其中所有访问系统的用户都对系统处理的所有数据的单一层次分类级别具有必要的安全许可,但一些用户对系统处理的某些数据的非层次分类没有许可。(请参阅:类别/系统操作/在“模式”下、保护级别、安全许可。)

Usage: Usually abbreviated as "compartmented mode". This term was defined in U.S. Government policy on system accreditation. In this mode, a system may handle (a) a single hierarchical classification level and (b) multiple non-hierarchical categories within that level.

用法:通常缩写为“分隔模式”。该术语的定义见美国政府系统认证政策。在此模式下,系统可以处理(a)单个层次分类级别和(b)该级别内的多个非层次分类。

$ Compartments field (I) A 16-bit field (the "C field") that specifies compartment values in the security option (option type 130) of version 4 IP's datagram header format. The valid field values are assigned by the U.S. Government, as specified in RFC 791.

$ 隔间字段(I)一个16位字段(“C字段”),用于指定版本4 IP数据报报头格式的安全选项(选项类型130)中的隔间值。根据RFC 791的规定,有效字段值由美国政府指定。

Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "C field"; the abbreviation is potentially ambiguous. Instead, use "Compartments field".

不推荐使用的缩写:IDOC不应使用缩写“C字段”;缩写可能有歧义。相反,使用“隔间字段”。

$ component See: system component.

$ 组件请参见:系统组件。

$ compression (I) A process that encodes information in a way that minimizes the number of resulting code symbols and thus reduces storage space or transmission time.

$ 压缩(I)一种编码信息的过程,其编码方式可使产生的代码符号数量最小化,从而减少存储空间或传输时间。

Tutorial: A data compression algorithm may be "lossless", i.e., retain all information that was encoded in the data, so that decompression can recover all the information; or an algorithm may be "lossy". Text usually needs to be compressed losslessly, but images are often compressed with lossy schemes.

教程:数据压缩算法可能是“无损的”,即保留数据中编码的所有信息,以便解压缩可以恢复所有信息;或者算法可能是“有损的”。文本通常需要进行无损压缩,但图像通常使用有损压缩方案进行压缩。

Not all schemes that encode information losslessly for machine processing are efficient in terms of minimizing the number of output bits. For example, ASCII encoding is lossless, but ASCII data can often be losslessly reencoded in fewer bits with other schemes. These more efficient schemes take advantage of some sort of inherent imbalance, redundancy, or repetition in the data, such as by replacing a character string in which all characters are the same by a shorter string consisting of only the single character and a character count.

并非所有为机器处理而无损编码信息的方案在最小化输出比特数方面都是有效的。例如,ASCII编码是无损的,但使用其他方案,ASCII数据通常可以以较少的位无损地重新编码。这些更有效的方案利用了数据中某种固有的不平衡、冗余或重复,例如,将所有字符都相同的字符串替换为仅由单个字符和字符计数组成的较短字符串。

Lossless compression schemes cannot effectively reduce the number of bits in cipher text produced by a strong encryption algorithm, because the cipher text is essentially a pseudorandom bit string that does not contain patterns susceptible to reencoding. Therefore, protocols that offer both encryption and compression services (e.g., SSL) need to perform the compression operation before the encryption operation.

无损压缩方案无法有效减少强加密算法产生的密文中的位数,因为密文本质上是一个伪随机位字符串,不包含易重新编码的模式。因此,同时提供加密和压缩服务(例如SSL)的协议需要在加密操作之前执行压缩操作。

$ compromise See: data compromise, security compromise.

$ 危害见:数据危害,安全危害。

$ compromise recovery (I) The process of regaining a secure state for a system after detecting that the system has experienced a security compromise.

$ 折衷恢复(I)在检测到系统发生安全折衷后,恢复系统安全状态的过程。

$ compromised key list (CKL) (N) /MISSI/ A list that identifies keys for which unauthorized disclosure or alteration may have occurred. (See: compromise.)

$ 泄露密钥列表(CKL)(N)/MSI/A识别可能发生未经授权泄露或更改的密钥的列表。(见:妥协。)

Tutorial: A CKL is issued by a CA, like a CRL is issued. But a CKL lists only KMIDs, not subjects that hold the keys, and not certificates in which the keys are bound.

教程:CKL由CA发布,就像CRL被发布一样。但是CKL只列出KMID,不列出持有密钥的主题,也不列出绑定密钥的证书。

$ COMPUSEC (I) See: computer security.

$ 计算机安全(I)见:计算机安全。

$ computer emergency response team (CERT) (I) An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security. (See: CSIRT, security incident.)

$ 计算机应急响应团队(CERT)(I)一个研究计算机和网络信息安全的组织,旨在为攻击受害者提供事件响应服务,发布有关漏洞和威胁的警报,并提供其他信息以帮助提高计算机和网络安全性。(参见:CSIRT,安全事件)

Examples: CERT Coordination Center at Carnegie Mellon University (sometimes called "the" CERT); CIAC.

例如:卡内基梅隆大学CERT协调中心(有时称为“CERT”);中情局。

$ Computer Incident Advisory Capability (CIAC) (O) The centralized CSIRT of the U.S. Department of Energy; a member of FIRST.

$ 计算机事故咨询能力(CIAC)(O)美国能源部的中央CSIRT;第一委员会的成员。

$ computer network (I) A collection of host computers together with the subnetwork or internetwork through which they can exchange data.

$ 计算机网络(I)主机与子网或互联网络的集合,通过它们可以交换数据。

Usage: This definition is intended to cover systems of all sizes and types, ranging from the complex Internet to a simple system composed of a personal computer dialing in as a remote terminal of another computer.

用法:此定义旨在涵盖所有大小和类型的系统,从复杂的Internet到由个人计算机作为另一台计算机的远程终端拨号组成的简单系统。

$ computer platform (I) A combination of computer hardware and an operating system (which may consist of software, firmware, or both) for that hardware. (Compare: computer system.)

$ 计算机平台(I)计算机硬件和用于该硬件的操作系统(可能包括软件、固件或两者)的组合。(比较:计算机系统。)

$ computer security (COMPUSEC) 1. (I) Measures to implement and assure security services in a computer system, particularly those that assure access control service.

$ 计算机安全(计算机安全)1。(一) 在计算机系统中实施和保证安全服务的措施,特别是保证访问控制服务的措施。

Usage: Usually refers to internal controls (functions, features, and technical characteristics) that are implemented in software (especially in operating systems); sometimes refers to internal controls implemented in hardware; rarely used to refer to external controls.

用法:通常指在软件(尤其是操作系统)中实现的内部控制(功能、特性和技术特性);有时指在硬件中实施的内部控制;很少用于指外部控制。

2. (O) "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)." [SP12]

2. (O) “为实现保护信息系统资源(包括硬件、软件、固件、信息/数据和电信)的完整性、可用性和机密性的适用目标而对自动化信息系统提供的保护。”[SP12]

$ computer security incident response team (CSIRT) (I) An organization "that coordinates and supports the response to security incidents that involve sites within a defined constituency." [R2350] (See: CERT, FIRST, security incident.)

$ 计算机安全事件响应团队(CSIRT)(I)“协调和支持对涉及指定选区内站点的安全事件的响应的组织。”[R2350](见:CERT,第一,安全事件。)

Tutorial: To be considered a CSIRT, an organization must do as follows: (a) Provide a (secure) channel for receiving reports about suspected security incidents. (b) Provide assistance to members of its constituency in handling the incidents. (c) Disseminate incident-related information to its constituency and other involved parties.

教程:要被视为CSIRT,组织必须做到以下几点:(a)提供一个(安全的)渠道来接收可疑安全事件的报告。(b) 协助其选区成员处理事件。(c) 向其选区和其他相关方传播事件相关信息。

$ computer security object (I) The definition or representation of a resource, tool, or mechanism used to maintain a condition of security in computerized environments. Includes many items referred to in standards that are either selected or defined by separate user communities. [CSOR] (See: object identifier, Computer Security Objects Register.)

$ 计算机安全对象(I)用于在计算机化环境中维护安全条件的资源、工具或机制的定义或表示。包括标准中提及的许多项目,这些项目由单独的用户社区选择或定义。[CSOR](请参阅:对象标识符,计算机安全对象寄存器。)

$ Computer Security Objects Register (CSOR) (N) A service operated by NIST is establishing a catalog for computer security objects to provide stable object definitions identified by unique names. The use of this register will enable the unambiguous specification of security parameters and algorithms to be used in secure data exchanges. (See: object identifier.)

$ 计算机安全对象注册(CSOR)(N)NIST运营的一项服务正在为计算机安全对象建立目录,以提供由唯一名称标识的稳定对象定义。该寄存器的使用将使安全数据交换中使用的安全参数和算法的明确规范成为可能。(请参见:对象标识符。)

Tutorial: The CSOR follows registration guidelines established by the international standards community and ANSI. Those guidelines establish minimum responsibilities for registration authorities and assign the top branches of an international registration hierarchy. Under that international registration hierarchy, the CSOR is responsible for the allocation of unique identifiers under the branch: {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3)}.

教程:CSOR遵循国际标准协会和ANSI制定的注册指南。这些准则规定了登记机关的最低责任,并指定了国际登记层级的最高分支机构。根据这一国际注册层级,CSOR负责分配分支机构下的唯一标识符:{联合iso ccitt(2)国家(16)美国(840)组织(1)政府(101)CSOR(3)}。

$ computer system (I) Synonym for "information system", or a component thereof. (Compare: computer platform.)

$ 计算机系统(I)“信息系统”或其组成部分的同义词。(比较:计算机平台。)

$ Computers At Risk (O) The 1991 report [NRC91] of the System Security Study Committee, sponsored by the U.S. National Academy of Sciences and supported by the Defense Advanced Research Projects Agency of the U.S. DoD. It made many recommendations for industry and governments to improve computer security and trustworthiness. Some of the most important recommendations (e.g., establishing an

$ 风险计算机(O)系统安全研究委员会1991年的报告[NRC91],由美国国家科学院赞助,美国国防部国防高级研究计划局支持。它为业界和政府提出了许多建议,以提高计算机的安全性和可靠性。一些最重要的建议(例如,建立

Information Security Foundation chartered by the U.S. Government) have not been implemented at all, and others (e.g., codifying Generally Accepted System Security Principles similar to accounting principles) have been implemented but not widely adopted [SP14, SP27].

美国政府特许的信息安全基金会根本没有实施,而其他(例如,编纂普遍接受的类似于会计原则的系统安全原则)已经实施,但未被广泛采用[SP14,SP27 ]。

$ COMSEC (I) See: communication security.

$ 通信安全(I)见:通信安全。

$ COMSEC account (O) /U.S. Government/ "Administrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material." [C4009] (See: COMSEC custodian.)

$ 通信安全账户(O)/美国政府/“由账号标识的行政实体,用于维护通信安全材料的责任、保管和控制。”[C4009](见:通信安全保管人。)

$ COMSEC accounting (O) /U.S. Government/ The process of creating, collecting, and maintaining data records that describe the status and custody of designated items of COMSEC material. (See: accounting legend code.)

$ 通信安全会计(O)/美国政府/创建、收集和维护描述通信安全材料指定项目状态和保管的数据记录的过程。(请参阅:会计图例代码。)

Tutorial: Almost any secure information system needs to record a security audit trail, but a system that manages COMSEC material needs to record additional data about the status and custody of COMSEC items. - COMSEC tracking: The process of automatically collecting, recording, and managing information that describes the status of designated items of COMSEC material at all times during each product's lifecycle. - COMSEC controlling: The process of supplementing tracking data with custody data, which consists of explicit acknowledgements of system entities that they (a) have received specific COMSEC items and (b) are responsible for preventing exposure of those items.

教程:几乎任何安全信息系统都需要记录安全审计跟踪,但管理通信安全材料的系统需要记录有关通信安全项目状态和保管的附加数据。-通信安全跟踪:自动收集、记录和管理信息的过程,这些信息描述了在每个产品的生命周期中,通信安全材料指定项目的状态。-通信安全控制:用保管数据补充跟踪数据的过程,包括明确确认系统实体(a)已收到特定通信安全项目,以及(b)负责防止这些项目暴露。

For example, a key management system that serves a large customer base needs to record tracking data for the same reasons that a national parcel delivery system does, i.e., to answer the question "Where is that thing now?". If keys are encrypted immediately upon generation and handled only in BLACK form between the point of generation and the point of use, then tracking may be all that is needed. However, in cases where keys are handled at least partly in RED form and are potentially subject to exposure, then tracking needs to be supplemented by controlling.

例如,为大型客户群提供服务的关键管理系统需要记录跟踪数据,原因与国家包裹递送系统相同,即回答“该东西现在在哪里?”。如果密钥在生成时立即加密,并且在生成点和使用点之间仅以黑色形式进行处理,则可能只需要跟踪。但是,如果钥匙至少部分以红色形式处理,并且可能会暴露,则需要通过控制来补充跟踪。

Data that is used purely for tracking need be retained only temporarily, until an item's status changes. Data that is used for controlling is retained indefinitely to ensure accountability and support compromise recovery.

纯粹用于跟踪的数据只需暂时保留,直到项目状态发生变化。用于控制的数据将无限期保留,以确保问责制并支持恢复。

$ COMSEC boundary (N) "Definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage." [C4009] (Compare: cryptographic boundary.)

$ 通信安全边界(N)“可定义的边界,包括执行关键通信安全功能的所有硬件、固件和软件组件,如密钥生成、密钥处理和存储。”[C4009](比较:加密边界。)

$ COMSEC custodian (O) /U.S. Government/ "Individual designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding, and destruction of COMSEC material assigned to a COMSEC account." [C4009]

$ 通信安全托管人(O)/美国政府/“经适当授权指定负责接收、转移、核算、保护和销毁分配给通信安全账户的通信安全材料的个人。”[C4009]

$ COMSEC material (N) /U.S. Government/ Items designed to secure or authenticate communications or information in general; these items include (but are not limited to) keys; equipment, devices, documents, firmware, and software that embodies or describes cryptographic logic; and other items that perform COMSEC functions. [C4009] (Compare: keying material.)

$ 通信安全材料(N)/美国政府/设计用于保护或认证通信或信息的物品;这些项目包括(但不限于)钥匙;包含或描述加密逻辑的设备、装置、文件、固件和软件;以及执行通信安全功能的其他项目。[C4009](比较:键控材质。)

$ COMSEC Material Control System (CMCS) (O) /U.S. Government/ "Logistics and accounting system through which COMSEC material marked 'CRYPTO' is distributed, controlled, and safeguarded." [C4009] (See: COMSEC account, COMSEC custodian.)

$ 通信安全物资控制系统(CMCS)(O)/美国政府/“分配、控制和保护标有“加密”的通信安全物资的物流和会计系统。”[C4009](见:通信安全账户,通信安全保管人。)

$ confidentiality See: data confidentiality.

$ 机密性见:数据机密性。

$ concealment system (O) "A method of achieving confidentiality in which sensitive information is hidden by embedding it in irrelevant data." [NCS04] (Compare: steganography.)

$ 隐藏系统(O)“一种实现机密性的方法,通过将敏感信息嵌入无关数据中来隐藏它。”[NCS04](比较:隐写术。)

$ configuration control (I) The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system. (See: administrative security, harden, trusted distribution.)

$ 配置控制(I)在系统的整个开发和运行寿命期间,对硬件、固件、软件和文档的更改进行调节的过程。(请参阅:管理安全、强化、可信分发。)

Tutorial: Configuration control helps protect against unauthorized or malicious alteration of a system and thus provides assurance of system integrity. (See: malicious logic.)

教程:配置控制有助于防止未经授权或恶意更改系统,从而保证系统完整性。(请参阅:恶意逻辑。)

$ confinement property (N) /formal model/ Property of a system whereby a subject has write access to an object only if the classification of the object dominates the clearance of the subject. (See: *-property, Bell-LaPadula model.)

$ 限制属性(N)/系统的正式模型/属性,根据该系统,仅当对象的分类支配对象的清除时,对象才具有对对象的写访问权限。(见:*-物业,贝尔-拉帕杜拉模型)

$ constraint (I) /access control/ A limitation on the function of an identity, role, or privilege. (See: rule-based access control.)

$ 约束(I)/访问控制/对身份、角色或权限功能的限制。(请参阅:基于规则的访问控制。)

Tutorial: In effect, a constraint is a form of security policy and may be either static or dynamic: - "Static constraint": A constraint that must be satisfied at the time the policy is defined, and then continues to be satisfied until the constraint is removed. - "Dynamic constraint": A constraint that may be defined to apply at various times that the identity, role, or other object of the constraint is active in the system.

教程:实际上,约束是安全策略的一种形式,可以是静态的,也可以是动态的:-“静态约束”:定义策略时必须满足的约束,然后继续满足,直到约束被删除。-“动态约束”:可定义为在约束的标识、角色或其他对象在系统中处于活动状态时应用的约束。

$ content filter (I) /World Wide Web/ Application software used to prevent access to certain Web servers, such as by parents who do not want their children to access pornography. (See: filter, guard.)

$ 内容过滤器(I)/万维网/用于阻止访问某些Web服务器的应用程序软件,例如不希望孩子访问色情内容的家长。(请参阅:过滤器、防护装置。)

Tutorial: The filter is usually browser-based, but could be part of an intermediate cache server. The two basic content filtering techniques are (a) to block a specified list of URLs and (b) to block material that contains specified words and phrases.

教程:过滤器通常基于浏览器,但也可以是中间缓存服务器的一部分。两种基本的内容过滤技术是(a)阻止指定的URL列表和(b)阻止包含指定单词和短语的材料。

$ contingency plan (I) A plan for emergency response, backup operations, and post-disaster recovery in a system as part of a security program to ensure availability of critical system resources and facilitate continuity of operations in a crisis. [NCS04] (See: availability.)

$ 应急计划(I)作为安全计划一部分的系统应急响应、备份操作和灾后恢复计划,以确保关键系统资源的可用性,并促进危机中操作的连续性。[NCS04](见:可用性)

$ control zone (O) "The space, expressed in feet of radius, surrounding equipment processing sensitive information, that is under sufficient physical and technical control to preclude an unauthorized entry or compromise." [NCSSG] (Compare: inspectable space, TEMPEST zone.)

$ 控制区(O)“周围处理敏感信息的设备受到充分的物理和技术控制,以防止未经授权的进入或破坏的空间,以英尺半径表示。”[NCSSG](比较:可检查空间,风暴区。)

$ controlled access protection (O) /TCSEC/ The level of evaluation criteria for a C2 computer system.

$ 受控访问保护(O)/TCSEC/指挥与控制计算机系统的评估标准等级。

Tutorial: The major features of the C2 level are individual accountability, audit, access control, and object reuse.

教程:C2级别的主要功能是个人责任、审计、访问控制和对象重用。

$ controlled cryptographic item (CCI) (O) /U.S. Government/ "Secure telecommunications or information handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements." [C4009] (Compare: EUCI.)

$ 受控密码项目(CCI)(O)/美国政府/“未分类但受特殊控制要求约束的安全电信或信息处理设备或相关密码组件。”[C4009](比较:EUCI.)

Tutorial: This category of equipment was established in 1985 to promote broad use of secure equipment for protecting both classified and unclassified information in the national interest. CCI equipment uses a classified cryptographic logic, but the hardware or firmware embodiment of that logic is unclassified. Drawings, software implementations, and other descriptions of that logic remain classified. [N4001]

教程:这类设备成立于1985年,旨在促进安全设备的广泛使用,以保护国家利益中的机密和非机密信息。CCI设备使用分类密码逻辑,但该逻辑的硬件或固件实施例未分类。图纸、软件实现和该逻辑的其他描述仍然是保密的。[N4001]

$ controlled interface (I) A mechanism that facilitates the adjudication of the different security policies of interconnected systems. (See: domain, guard.)

$ 受控接口(I)一种有助于判定互联系统不同安全策略的机制。(请参阅:域、保护。)

$ controlled security mode (D) /U.S. DoD/ A mode of system operation wherein (a) two or more security levels of information are allowed to be handled concurrently within the same system when some users having access to the system have neither a security clearance nor need-to-know for some of the data handled by the system, but (b) separation of the users and the classified material on the basis, respectively, of clearance and classification level are not dependent only on operating system control (like they are in multilevel security mode). (See: /system operation/ under "mode", protection level.)

$ 受控安全模式(D)/U.S.DoD/A系统运行模式,其中(A)允许在同一系统内同时处理两个或两个以上的安全级别的信息,当一些访问系统的用户既没有安全许可,也不需要知道系统处理的某些数据时,但是(b)分别基于清除和分类级别的用户和分类材料的分离不仅仅取决于操作系统控制(就像在多级安全模式下一样)。(请参阅:/系统操作/在“模式”下,保护级别。)

Deprecated Term: IDOCs SHOULD NOT use this term. It was defined in a U.S. Government policy regarding system accreditation and was subsumed by "partitioned security mode" in a later policy. Both terms were dropped in still later policies.

不推荐使用的术语:IDOCs不应使用此术语。它在美国政府关于系统认证的政策中定义,并在后来的政策中被“分区安全模式”所包含。这两个术语在后来的政策中都被删除了。

Tutorial: Controlled mode was intended to encourage ingenuity in meeting data confidentiality requirements in ways less restrictive than "dedicated security mode" and "system-high security mode", but at a level of risk lower than that generally associated with true "multilevel security mode". This was intended to be accomplished by implementation of explicit augmenting measures to reduce or remove a substantial measure of system software vulnerability together with specific limitation of the security clearance levels of users having concurrent access to the system.

教程:受控模式旨在鼓励以比“专用安全模式”和“系统高安全模式”限制性更小的方式满足数据保密要求的独创性,但风险水平低于通常与真正的“多级安全模式”相关的风险水平。这是通过实施明确的增强措施来实现的,以减少或消除系统软件漏洞的实质性措施,以及对同时访问系统的用户的安全许可级别的具体限制。

$ controlling authority (O) /U.S. Government/ "Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet." [C4009, N4006]

$ 控制机构(O)/美国政府/“负责指导加密网操作以及管理分配给加密网的密钥材料的操作使用和控制的官员。”[C4009,N4006]

$ cookie 1. (I) /HTTP/ Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.

$ 曲奇1。(一) /HTTP/HTTP服务器和浏览器(服务器的客户端)之间交换的数据,用于在客户端存储状态信息,并在以后检索以供服务器使用。

Tutorial: An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections. A cookie may include a description of the range of URLs for which the state is valid. Future requests made by the client in that range will also send the current value of the cookie to the server. Cookies can be used to generate profiles of web usage habits, and thus may infringe on personal privacy.

教程:HTTP服务器在向客户端发送数据时,可能会发送一个cookie,该cookie在HTTP连接关闭后由客户端保留。服务器可以使用此机制为基于HTTP的应用程序维护持久的客户端状态信息,并在以后的连接中检索状态信息。cookie可能包括状态有效的URL范围的描述。客户端在该范围内发出的未来请求也会将cookie的当前值发送到服务器。Cookie可用于生成web使用习惯的配置文件,因此可能侵犯个人隐私。

2. (I) /IPsec/ Data objects exchanged by ISAKMP to prevent certain denial-of-service attacks during the establishment of a security association.

2. (一) /IPsec/由ISAKMP交换的数据对象,用于在建立安全关联期间防止某些拒绝服务攻击。

3. (D) /access control/ Synonym for "capability token" or "ticket".

3. (D) /访问控制/同义词“能力令牌”或“票证”。

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3; that would duplicate the meaning of better-established terms and mix concepts in a potentially misleading way.

不推荐使用的定义:IDOC不应将此术语与定义3一起使用;这将重复更好的术语的含义,并以潜在误导的方式混合概念。

$ Coordinated Universal Time (UTC) (N) UTC is derived from International Atomic Time (TAI) by adding a number of leap seconds. The International Bureau of Weights and Measures computes TAI once each month by averaging data from many laboratories. (See: GeneralizedTime, UTCTime.)

$ 协调世界时(UTC)(N)UTC是通过添加闰秒数从国际原子时(TAI)派生出来的。国际度量衡局每月通过对来自多个实验室的数据进行平均来计算TAI。(请参见:一般化时间,UTCTime。)

$ correction (I) /security/ A system change made to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence. (See: secondary definition under "security".)

$ 纠正(I)/安全性/为消除或降低安全违规或威胁后果再次发生的风险而进行的系统变更。(见“安全”下的第二个定义)

$ correctness (I) "The property of a system that is guaranteed as the result of formal verification activities." [Huff] (See: correctness proof, verification.)

$ 正确性(I)“作为正式验证活动的结果而得到保证的系统属性。”[Huff](参见:正确性证明,验证。)

$ correctness integrity (I) The property that the information represented by data is accurate and consistent. (Compare: data integrity, source integrity.)

$ 正确性和完整性(I)数据所代表的信息是准确和一致的。(比较:数据完整性、源完整性。)

Tutorial: IDOCs SHOULD NOT use this term without providing a definition; the term is neither well-known nor precisely defined. Data integrity refers to the constancy of data values, and source integrity refers to confidence in data values. However,

教程:IDOCs不应该在没有定义的情况下使用这个术语;这个术语既不广为人知,也没有精确的定义。数据完整性指数据值的恒定性,源完整性指数据值的可信度。然而

correctness integrity refers to confidence in the underlying information that data values represent, and this property is closely related to issues of accountability and error handling.

正确性完整性是指对数据值所表示的底层信息的信心,该属性与责任和错误处理问题密切相关。

$ correctness proof (I) A mathematical proof of consistency between a specification for system security and the implementation of that specification. (See: correctness, formal specification.)

$ 正确性证明(I)系统安全规范与该规范实施之间一致性的数学证明。(参见:正确性,正式规范。)

$ corruption (I) A type of threat action that undesirably alters system operation by adversely modifying system functions or data. (See: disruption.)

$ 腐败(I)一种威胁行为,通过对系统功能或数据进行不利修改,不希望改变系统运行。(见:中断。)

Usage: This type of threat action includes the following subtypes: - "Tampering": /corruption/ Deliberately altering a system's logic, data, or control information to interrupt or prevent correct operation of system functions. (See: misuse, main entry for "tampering".) - "Malicious logic": /corruption/ Any hardware, firmware, or software (e.g., a computer virus) intentionally introduced into a system to modify system functions or data. (See: incapacitation, main entry for "malicious logic", masquerade, misuse.) - "Human error": /corruption/ Human action or inaction that unintentionally results in the alteration of system functions or data. - "Hardware or software error": /corruption/ Error that results in the alteration of system functions or data. - "Natural disaster": /corruption/ Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data. [FP031 Section 2]

用法:此类威胁操作包括以下子类型:-“篡改”:/损坏/故意更改系统的逻辑、数据或控制信息,以中断或阻止系统功能的正确运行。(请参阅:误用,“篡改”的主要条目)-“恶意逻辑”:/损坏/故意引入系统以修改系统功能或数据的任何硬件、固件或软件(如计算机病毒)。(参见:丧失能力,主要条目为“恶意逻辑”、伪装、误用。)-“人为错误”:/腐败/人为行为或不行为无意中导致系统功能或数据的更改。-“硬件或软件错误”:/损坏/导致系统功能或数据更改的错误。-“自然灾害”:/腐败/任何改变系统功能或数据的“天灾”(如闪电引起的电涌)。[FP031第2节]

$ counter 1. (N) /noun/ See: counter mode.

$ 柜台1。(N) /名词/参见:计数器模式。

2. (I) /verb/ See: countermeasure.

2. (一) /动词/见:对策。

$ counter-countermeasure (I) An action, device, procedure, or technique used by an attacker to offset a defensive countermeasure.

$ 反对策(I)攻击者用来抵消防御对策的行动、设备、程序或技术。

Tutorial: For every countermeasure devised to protect computers and networks, some cracker probably will be able to devise a counter-countermeasure. Thus, systems must use "defense in depth".

教程:对于每一个为保护计算机和网络而设计的对策,一些破解者可能会设计出一个反对策。因此,系统必须使用“纵深防御”。

$ counter mode (CTR) (N) A block cipher mode that enhances ECB mode by ensuring that each encrypted block is different from every other block encrypted under the same key. [SP38A] (See: block cipher.)

$ 计数器模式(CTR)(N)一种分组密码模式,通过确保每个加密块与在同一密钥下加密的每个其他块不同,从而增强ECB模式。[SP38A](参见:分组密码。)

Tutorial: This mode operates by first encrypting a generated sequence of blocks, called "counters", that are separate from the input sequence of plaintext blocks which the mode is intended to protect. The resulting sequence of encrypted counters is exclusive-ORed with the sequence of plaintext blocks to produce the final ciphertext output blocks. The sequence of counters must have the property that each counter is different from every other counter for all of the plain text that is encrypted under the same key.

教程:该模式首先对生成的块序列(称为“计数器”)进行加密,这些块与模式要保护的明文块的输入序列分开。生成的加密计数器序列与明文块序列进行异或运算,以生成最终的密文输出块。计数器序列必须具有以下属性:对于在同一密钥下加密的所有纯文本,每个计数器都不同于其他计数器。

$ Counter with Cipher Block Chaining-Message Authentication Code (CCM) (N) A block cipher mode [SP38C] that provides both data confidentiality and data origin authentication, by combining the techniques of CTR and a CBC-based message authentication code. (See: block cipher.)

$ 带有密码分组链接消息认证码(CCM)的计数器(N)通过结合CTR技术和基于CBC的消息认证码,提供数据机密性和数据源认证的分组密码模式[SP38C]。(请参阅:分组密码。)

$ countermeasure (I) An action, device, procedure, or technique that meets or opposes (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

$ 对策(I)通过消除或防止威胁、漏洞或攻击,通过最小化其可能造成的伤害,或通过发现和报告以采取纠正措施,满足或对抗(即反击)威胁、漏洞或攻击的行动、装置、程序或技术。

Tutorial: In an Internet protocol, a countermeasure may take the form of a protocol feature, a component function, or a usage constraint.

教程:在Internet协议中,对策可能采用协议功能、组件功能或使用限制的形式。

$ country code (I) An identifier that is defined for a nation by ISO. [I3166]

$ 国家代码(I)ISO为国家定义的标识符。[I3166]

Tutorial: For each nation, ISO Standard 3166 defines a unique two-character alphabetic code, a unique three-character alphabetic code, and a three-digit code. Among many uses of these codes, the two-character codes are used as top-level domain names.

教程:对于每个国家,ISO标准3166定义了唯一的两字符字母代码、唯一的三字符字母代码和三位数代码。在这些代码的许多用途中,两个字符的代码被用作顶级域名。

$ Courtney's laws (N) Principles for managing system security that were stated by Robert H. Courtney, Jr.

$ 小罗伯特·H·考特尼(Robert H.Courtney,Jr。

      Tutorial: Bill Murray codified Courtney's laws as follows: [Murr]
      -  Courtney's first law: You cannot say anything interesting
         (i.e., significant) about the security of a system except in
         the context of a particular application and environment.
      -  Courtney's second law: Never spend more money eliminating a
         security exposure than tolerating it will cost you. (See:
         acceptable risk, risk analysis.)
         -- First corollary: Perfect security has infinite cost.
         -- Second corollary: There is no such thing as zero risk.
      -  Courtney's third law: There are no technical solutions to
         management problems, but there are management solutions to
         technical problems.
        
      Tutorial: Bill Murray codified Courtney's laws as follows: [Murr]
      -  Courtney's first law: You cannot say anything interesting
         (i.e., significant) about the security of a system except in
         the context of a particular application and environment.
      -  Courtney's second law: Never spend more money eliminating a
         security exposure than tolerating it will cost you. (See:
         acceptable risk, risk analysis.)
         -- First corollary: Perfect security has infinite cost.
         -- Second corollary: There is no such thing as zero risk.
      -  Courtney's third law: There are no technical solutions to
         management problems, but there are management solutions to
         technical problems.
        

$ covert action (I) An operation that is planned and executed in a way that conceals the identity of the operator.

$ 隐蔽行动(I)以隐藏操作员身份的方式计划和执行的操作。

$ covert channel 1. (I) An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations. (See: covert storage channel, covert timing channel, out-of-band, tunnel.)

$ 隐蔽通道1。(一) 一种非故意或未经授权的系统内通道,使两个合作实体能够以违反系统安全策略但不超过实体访问权限的方式传输信息。(请参阅:隐蔽存储通道、隐蔽定时通道、带外通道、通道。)

2. (O) "A communications channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy." [NCS04]

2. (O) “允许两个协作进程以违反系统安全策略的方式传输信息的通信通道。”[NCS04]

Tutorial: The cooperating entities can be either two insiders or an insider and an outsider. Of course, an outsider has no access authorization at all. A covert channel is a system feature that the system architects neither designed nor intended for information transfer.

教程:合作实体可以是两个内部人,也可以是一个内部人和一个外部人。当然,局外人根本没有访问权限。隐蔽通道是系统架构师既没有设计也没有打算用于信息传输的系统功能。

$ covert storage channel (I) A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity. (See: covert channel.)

$ 隐蔽存储通道(I)一种系统功能,使一个系统实体能够通过直接或间接写入存储位置向另一个实体发送信息,该存储位置随后由第二个实体直接或间接读取。(请参阅:隐蔽通道。)

$ covert timing channel (I) A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity. (See: covert channel.)

$ 隐蔽定时信道(I)一种系统特性,使一个系统实体能够通过调制其自身对系统资源的使用来向另一个系统实体发送信息,从而影响第二实体观察到的系统响应时间。(请参阅:隐蔽通道。)

$ CPS (I) See: certification practice statement.

$ CPS(I)见:认证实践声明。

$ cracker (I) Someone who tries to break the security of, and gain unauthorized access to, someone else's system, often with malicious intent. (See: adversary, intruder, packet monkey, script kiddy. Compare: hacker.)

$ 破解者(I)试图破坏他人系统的安全性并获得未经授权的访问权限的人,通常带有恶意意图。(参见:敌手、入侵者、包猴、脚本小子。比较:黑客。)

Usage: Was sometimes spelled "kracker". [NCSSG]

用法:有时拼写为“kracker”。[NCSSG]

$ CRAM (I) See: Challenge-Response Authentication Mechanism.

$ CRAM(I)See:质询-响应认证机制。

$ CRC (I) See: cyclic redundancy check.

$ CRC(I)见:循环冗余校验。

$ credential 1. (I) /authentication/ "identifier credential": A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system. Example: X.509 public-key certificate. (See: anonymous credential.)

$ 凭证1。(一) /authentication/“identifier credential”:一种数据对象,是标识符和身份验证信息单元之间关联的可移植表示,可用于验证试图访问系统的实体声明的身份。示例:X.509公钥证书。(请参阅:匿名凭据。)

2. (I) /access control/ "authorization credential": A data object that is a portable representation of the association between an identifier and one or more access authorizations, and that can be presented for use in verifying those authorizations for an entity that attempts such access. Example: X.509 attribute certificate. (See: capability token, ticket.)

2. (一) /access control/“authorization credential”:一种数据对象,它是标识符与一个或多个访问授权之间关联的可移植表示,可用于验证尝试访问的实体的这些授权。示例:X.509属性证书。(请参阅:功能令牌、票据。)

3. (D) /OSIRM/ "Data that is transferred to establish the claimed identity of an entity." [I7498-2]

3. (D) /OSIRM/“为确定实体的声明身份而传输的数据。”[I7498-2]

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3. As explained in the tutorial below, an authentication process can involve the transfer of multiple data objects, and not all of those are credentials.

不推荐使用的定义:IDOCs不应使用定义为3的术语。正如下面的教程中所解释的,身份验证过程可能涉及多个数据对象的传输,而不是所有这些都是凭据。

4. (D) /U.S. Government/ "An object that is verified when presented to the verifier in an authentication transaction." [M0404]

4. (D) /U.S.Government/“在身份验证事务中提交给验证者时被验证的对象。”[M0404]

Deprecated Definition: IDOCs SHOULD NOT use the term with definition 4; it mixes concepts in a potentially misleading way. For example, in an authentication process, it is the identity that is "verified", not the credential; the credential is "validated". (See: validate vs. verify.)

不推荐使用的定义:IDOC不应使用定义为4的术语;它以一种潜在误导的方式混合概念。例如,在认证过程中,“验证”的是身份,而不是凭证;凭证已“验证”。(请参见:验证与验证。)

Tutorial: In general English, "credentials" are evidence or testimonials that (a) support a claim of identity or authorization and (b) usually are intended to be used more than once (i.e., a credential's life is long compared to the time needed for one use). Some examples are a policeman's badge, an automobile driver's license, and a national passport. An authentication or access control process that uses a badge, license, or passport is outwardly simple: the holder just shows the thing.

教程:在普通英语中,“凭证”是指(a)支持身份或授权声明的证据或证明,(b)通常用于多次使用(即,凭证的使用寿命比一次使用所需的时间长)。例如警察徽章、汽车驾驶执照和国家护照。使用徽章、许可证或护照的身份验证或访问控制过程表面上很简单:持有者只需出示物品。

The problem with adopting this term in Internet security is that an automated process for authentication or access control usually requires multiple steps using multiple data objects, and it might not be immediately obvious which of those objects should get the name "credential".

在Internet安全中采用此术语的问题在于,身份验证或访问控制的自动化过程通常需要使用多个数据对象执行多个步骤,并且可能无法立即确定哪些对象应获得名称“凭据”。

For example, if the verification step in a user authentication process employs public-key technology, then the process involves at least three data items: (a) the user's private key, (b) a signed value -- signed with that private key and passed to the system, perhaps in response to a challenge from the system -- and (c) the user's public-key certificate, which is validated by the system and provides the public key needed to verify the signature. - Private key: The private key is *not* a credential, because it is never transferred or presented. Instead, the private key is "authentication information", which is associated with the user's identifier for a specified period of time and can be used in multiple authentications during that time. - Signed value: The signed value is *not* a credential; the signed value is only ephemeral, not long lasting. The OSIRM definition could be interpreted to call the signed value a credential, but that would conflict with general English. - Certificate: The user's certificate *is* a credential. It can be "transferred" or "presented" to any person or process that needs it at any time. A public-key certificate may be used as an "identity credential", and an attribute certificate may be used as an "authorization credential".

例如,如果用户身份验证过程中的验证步骤采用公钥技术,那么该过程至少涉及三个数据项:(a)用户的私钥,(b)签名值——用该私钥签名并传递给系统,可能是为了响应系统的质询——和(c)用户的公钥证书,由系统验证,并提供验证签名所需的公钥。-私钥:私钥*不是*凭证,因为它从未被传输或呈现。相反,私钥是“身份验证信息”,它在指定的时间段内与用户的标识符相关联,并可在该时间段内用于多次身份验证。-签名值:签名值*不是*凭证;符号值只是短暂的,而不是持久的。OSIRM定义可以解释为将签名值称为凭证,但这与通用英语冲突。-证书:用户的证书*是*凭证。它可以在任何时候“转移”或“呈现”给任何需要它的人或流程。公钥证书可用作“身份凭证”,属性证书可用作“授权凭证”。

$ critical 1. (I) /system resource/ A condition of a system resource such that denial of access to, or lack of availability of, that resource would jeopardize a system user's ability to perform a primary function or would result in other serious consequences, such as human injury or loss of life. (See: availability, precedence. Compare: sensitive.)

$ 关键1。(一) /系统资源/系统资源的一种状况,即拒绝访问或缺少该资源将危及系统用户执行主要功能的能力,或导致其他严重后果,如人身伤害或生命损失。(请参阅:可用性,优先级。比较:敏感。)

2. (N) /extension/ An indication that an application is not permitted to ignore an extension. [X509]

2. (N) /extension/表示不允许应用程序忽略扩展。[X509]

Tutorial: Each extension of an X.509 certificate or CRL is flagged as either "critical" or "non-critical". In a certificate, if a computer program does not recognize an extension's type (i.e., does not implement its semantics), then if the extension is critical, the program is required to treat the certificate as invalid; but if the extension is non-critical, the program is permitted to ignore the extension.

教程:X.509证书或CRL的每个扩展都标记为“关键”或“非关键”。在证书中,如果计算机程序不识别扩展的类型(即,不实现其语义),则如果扩展是关键的,则程序需要将证书视为无效;但如果扩展是非关键的,则允许程序忽略扩展。

In a CRL, if a program does not recognize a critical extension that is associated with a specific certificate, the program is required to assume that the listed certificate has been revoked and is no longer valid, and then take whatever action is required by local policy.

在CRL中,如果程序不识别与特定证书关联的关键扩展,则程序需要假定列出的证书已被吊销且不再有效,然后采取本地策略要求的任何操作。

When a program does not recognize a critical extension that is associated with the CRL as a whole, the program is required to assume that all listed certificates have been revoked and are no longer valid. However, since failing to process the extension may mean that the list has not been completed, the program cannot assume that other certificates are valid, and the program needs to take whatever action is therefore required by local policy.

当程序无法识别与CRL整体关联的关键扩展时,程序需要假定所有列出的证书已被吊销且不再有效。但是,由于未能处理扩展可能意味着列表尚未完成,因此程序不能假定其他证书有效,因此程序需要采取本地政策要求的任何措施。

$ critical information infrastructure (I) Those systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety.

$ 关键信息基础设施(I)对一个国家至关重要的系统,这些系统的失效或破坏将对国家安全、经济或公共卫生和安全产生不利影响。

$ CRL (I) See: certificate revocation list.

$ CRL(I)见:证书撤销清单。

$ CRL distribution point (I) See: distribution point.

$ CRL配送点(I)见:配送点。

$ CRL extension (I) See: extension.

$ CRL分机(I)见:分机。

$ cross-certificate (I) A public-key certificate issued by a CA in one PKI to a CA in another PKI. (See: cross-certification.)

$ 交叉证书(I)由一个PKI中的CA向另一个PKI中的CA颁发的公钥证书。(请参阅:交叉认证。)

$ cross-certification (I) The act or process by which a CA in one PKI issues a public-key certificate to a CA in another PKI. [X509] (See: bridge CA.)

$ 交叉认证(I)一个PKI中的CA向另一个PKI中的CA颁发公钥证书的行为或过程。[X509](见:桥梁CA)

Tutorial: X.509 says that a CA (say, CA1) may issue a "cross-certificate" in which the subject is another CA (say, CA2). X.509 calls CA2 the "subject CA" and calls CA1 an "intermediate CA", but

教程:X.509说CA(比如,CA1)可以颁发一个“交叉证书”,其中主体是另一个CA(比如,CA2)。X.509将CA2称为“主体CA”,将CA1称为“中间CA”,但

this Glossary deprecates those terms. (See: intermediate CA, subject CA).

本术语表不支持这些术语。(参见:中级CA,受试者CA)。

Cross-certification of CA2 by CA1 appears similar to certification of a subordinate CA by a superior CA, but cross-certification involves a different concept. The "subordinate CA" concept applies when both CAs are in the same PKI, i.e., when either (a) CA1 and CA2 are under the same root or (b) CA1 is itself a root. The "cross-certification" concept applies in other cases:

CA1对CA2的交叉认证似乎类似于上级CA对下级CA的认证,但交叉认证涉及不同的概念。当两个CA位于同一个PKI中时,即(a)CA1和CA2在同一根下或(b)CA1本身是根时,“从属CA”概念适用。“交叉认证”概念适用于其他情况:

First, cross-certification applies when two CAs are in different PKIs, i.e., when CA1 and CA2 are under different roots, or perhaps are both roots themselves. Issuing the cross-certificate enables end entities certified under CA1 in PK1 to construct the certification paths needed to validate the certificates of end entities certified under CA2 in PKI2. Sometimes, a pair of cross-certificates is issued -- by CA1 to CA2, and by CA2 to CA1 -- so that an end entity in either PKI can validate certificates issued in the other PKI.

首先,当两个CA位于不同的PKI中时,即当CA1和CA2位于不同的根下,或者可能都是根本身时,交叉认证适用。颁发交叉证书使根据PK1中的CA1认证的终端实体能够构造验证根据PK2中的CA2认证的终端实体的证书所需的认证路径。有时,通过CA1到CA2和CA2到CA1颁发一对交叉证书,以便任何一个PKI中的最终实体都可以验证在另一个PKI中颁发的证书。

Second, X.509 says that two CAs in some complex, multi-CA PKI can cross-certify one another to shorten the certification paths constructed by end entities. Whether or not a CA may perform this or any other form of cross-certification, and how such certificates may be used by end entities, should be addressed by the local certificate policy and CPS.

其次,X.509指出,在一些复杂的多CA PKI中,两个CA可以相互交叉认证,以缩短由终端实体构建的认证路径。CA是否可以执行此交叉认证或任何其他形式的交叉认证,以及最终实体如何使用此类证书,应由本地证书政策和CP解决。

$ cross-domain solution 1. (D) Synonym for "guard".

$ 跨域解决方案1。(D) “守卫”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "guard"; this term unnecessarily (and verbosely) duplicates the meaning of the long-established "guard".

不推荐使用的术语:IDOCs不应将此术语用作“guard”的同义词;这一术语不必要地(和详细地)重复了由来已久的“警卫”的含义。

2. (O) /U.S. Government/ A process or subsystem that provides a capability (which could be either manual or automated) to access two or more differing security domains in a system, or to transfer information between such domains. (See: domain, guard.)

2. (O) /U.S.Government/提供访问系统中两个或多个不同安全域或在这些域之间传输信息能力(可手动或自动)的过程或子系统。(请参阅:域、保护。)

$ cryptanalysis 1. (I) The mathematical science that deals with analysis of a cryptographic system to gain knowledge needed to break or circumvent the protection that the system is designed to provide. (See: cryptology, secondary definition under "intrusion".)

$ 密码分析1。(一) 一门数学科学,处理对密码系统的分析,以获得打破或绕过该系统设计提供的保护所需的知识。(参见:密码学,“入侵”下的二级定义。)

2. (O) "The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext." [I7498-2]

2. (O) “对密码系统和/或其输入和输出进行分析,以得出机密变量和/或敏感数据,包括明文。”[I7498-2]

Tutorial: Definition 2 states the traditional goal of cryptanalysis, i.e., convert cipher text to plain text (which usually is clear text) without knowing the key; but that definition applies only to encryption systems. Today, the term is used with reference to all kinds of cryptographic algorithms and key management, and definition 1 reflects that. In all cases, however, a cryptanalyst tries to uncover or reproduce someone else's sensitive data, such as clear text, a key, or an algorithm. The basic cryptanalytic attacks on encryption systems are ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext; and these generalize to the other kinds of cryptography.

教程:定义2说明了密码分析的传统目标,即在不知道密钥的情况下将密文转换为纯文本(通常是明文);但该定义仅适用于加密系统。今天,这个术语被用来指代各种密码算法和密钥管理,定义1反映了这一点。然而,在所有情况下,密码分析师都会试图发现或复制其他人的敏感数据,如明文、密钥或算法。对加密系统的基本密码分析攻击只有密文、已知明文、选择明文和选择密文;这也推广到了其他类型的密码学。

$ crypto, CRYPTO 1. (N) A prefix ("crypto-") that means "cryptographic".

$ 加密,加密1。(N) 表示“加密”的前缀(“加密-”)。

Usage: IDOCs MAY use this prefix when it is part of a term listed in this Glossary. Otherwise, IDOCs SHOULD NOT use this prefix; instead, use the unabbreviated adjective, "cryptographic".

用法:当此前缀是本词汇表中所列术语的一部分时,IDOCs可以使用此前缀。否则,IDOC不应使用此前缀;相反,使用未加修饰的形容词“加密”。

2. (D) In lower case, "crypto" is an abbreviation for the adjective "cryptographic", or for the nouns "cryptography" or "cryptographic component".

2. (D) 在小写字母中,“crypto”是形容词“cryptographic”或名词“cryptographic”或“cryptocomponent”的缩写。

Deprecated Abbreviation: IDOCs SHOULD NOT use this abbreviation because it could easily be misunderstood in some technical sense.

不推荐使用的缩写:IDOCs不应该使用这个缩写,因为它很容易在某种技术意义上被误解。

3. (O) /U.S. Government/ In upper case, "CRYPTO" is a marking or designator that identifies "COMSEC keying material used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government-derived information." [C4009] (See: security label, security marking.)

3. (O) /U.S.Government/大写,“CRYPTO”是一个标记或指示符,用于标识“用于保护或认证携带机密或敏感美国政府或美国政府衍生信息的电信的通信安全密钥材料”。[C4009](参见:安全标签,安全标记。)

$ cryptographic (I) An adjective that refers to cryptography.

$ 密码学(I)指密码学的形容词。

$ cryptographic algorithm (I) An algorithm that uses the science of cryptography, including (a) encryption algorithms, (b) cryptographic hash algorithms, (c) digital signature algorithms, and (d) key-agreement algorithms.

$ 加密算法(I)使用密码学的算法,包括(a)加密算法,(b)加密哈希算法,(c)数字签名算法和(d)密钥协商算法。

$ cryptographic application programming interface (CAPI) (I) The source code formats and procedures through which an application program accesses cryptographic services, which are defined abstractly compared to their actual implementation. Example, see: PKCS #11, [R2628].

$ 加密应用程序编程接口(CAPI)(I)应用程序访问加密服务所通过的源代码格式和过程,这些服务是根据实际实现抽象定义的。例如,见:PKCS#11,[R2628]。

$ cryptographic association (I) A security association that involves the use of cryptography to provide security services for data exchanged by the associated entities. (See: ISAKMP.)

$ 加密关联(I)涉及使用加密技术为关联实体交换的数据提供安全服务的安全关联。(见:ISAKMP)

$ cryptographic boundary (I) See: secondary definition under "cryptographic module".

$ 加密边界(I)参见“加密模块”下的二级定义。

$ cryptographic card (I) A cryptographic token in the form of a smart card or a PC card.

$ 加密卡(I)智能卡或PC卡形式的加密令牌。

$ cryptographic component (I) A generic term for any system component that involves cryptography. (See: cryptographic module.)

$ 加密组件(I)涉及加密的任何系统组件的通用术语。(请参阅:加密模块。)

$ cryptographic hash (I) See: secondary definition under "hash function".

$ 加密散列(I)参见“散列函数”下的二级定义。

$ cryptographic ignition key (CIK) 1. (N) A physical (usually electronic) token used to store, transport, and protect cryptographic keys and activation data. (Compare: dongle, fill device.)

$ cryptographic ignition key (CIK) 1. (N) A physical (usually electronic) token used to store, transport, and protect cryptographic keys and activation data. (Compare: dongle, fill device.)translate error, please retry

Tutorial: A key-encrypting key could be divided (see: split key) between a CIK and a cryptographic module, so that it would be necessary to combine the two to regenerate the key, use it to decrypt other keys and data contained in the module, and thus activate the module.

教程:密钥加密密钥可以在CIK和加密模块之间分割(请参见:分割密钥),因此有必要将两者结合起来重新生成密钥,使用它解密模块中包含的其他密钥和数据,从而激活模块。

2. (O) "Device or electronic key used to unlock the secure mode of cryptographic equipment." [C4009] Usage: Abbreviated as "crypto-ignition key".

2. (O) “用于解锁加密设备安全模式的设备或电子钥匙。”[C4009]用法:缩写为“加密点火钥匙”。

$ cryptographic key (I) See: key. Usage: Usually shortened to just "key".

$ 加密密钥(I)参见:密钥。用法:通常缩写为“key”。

$ Cryptographic Message Syntax (CMS) (I) An encapsulation syntax (RFC 3852) for digital signatures, hashes, and encryption of arbitrary messages.

$ 加密消息语法(CMS)(I)用于数字签名、哈希和任意消息加密的封装语法(RFC 3852)。

Tutorial: CMS derives from PKCS #7. CMS values are specified with ASN.1 and use BER encoding. The syntax permits multiple encapsulation with nesting, permits arbitrary attributes to be signed along with message content, and supports a variety of architectures for digital certificate-based key management.

教程:CMS源于PKCS#7。CMS值由ASN.1指定,并使用BER编码。该语法允许使用嵌套进行多次封装,允许随消息内容一起签名任意属性,并支持各种基于数字证书的密钥管理体系结构。

$ cryptographic module (I) A set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the module's "cryptographic boundary", which is an explicitly defined contiguous perimeter that establishes the physical bounds of the module. [FP140]

$ 加密模块(I)一组硬件、软件、固件或其组合,实现加密逻辑或过程,包括加密算法,并包含在模块的“加密边界”内,该边界是明确定义的连续边界,用于建立模块的物理边界。[FP140]

$ cryptographic system 1. (I) A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.

$ 密码系统1。(一) 一组密码算法和密钥管理过程,支持在某些应用程序上下文中使用这些算法。

Usage: IDOCs SHOULD use definition 1 because it covers a wider range of algorithms than definition 2.

用法:IDOCs应该使用定义1,因为它比定义2涵盖更广泛的算法范围。

2. (O) "A collection of transformations from plain text into cipher text and vice versa [which would exclude digital signature, cryptographic hash, and key-agreement algorithms], the particular transformation(s) to be used being selected by keys. The transformations are normally defined by a mathematical algorithm." [X509]

2. (O) “从纯文本到密文的转换集合,反之亦然[不包括数字签名、加密哈希和密钥协商算法],要使用的特定转换由密钥选择。这些转换通常由数学算法定义。”[X509]

$ cryptographic token 1. (I) A portable, user-controlled, physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions. (See: cryptographic card, token.)

$ 加密令牌1。(一) 一种便携式、用户控制的物理设备(如智能卡或PCMCIA卡),用于存储加密信息,并可能执行加密功能。(请参阅:加密卡、令牌。)

Tutorial: A smart token might implement some set of cryptographic algorithms and might incorporate related key management functions, such as a random number generator. A smart cryptographic token may contain a cryptographic module or may not be explicitly designed that way.

教程:智能令牌可能实现一些加密算法集,并可能包含相关的密钥管理功能,如随机数生成器。智能加密令牌可以包含加密模块,也可以不以这种方式显式设计。

$ cryptography 1. (I) The mathematical science that deals with transforming data to render its meaning unintelligible (i.e., to hide its semantic content), prevent its undetected alteration, or prevent its unauthorized use. If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form. (See: cryptology, steganography.)

$ 密码学1。(一) 处理转换数据以使其含义无法理解(即隐藏其语义内容)、防止其未被检测到的更改或防止其未经授权的使用的数学科学。如果转换是可逆的,密码学还处理将加密数据恢复为可理解形式的问题。(参见:密码学、隐写术。)

      2. (O) "The discipline which embodies principles, means, and
      methods for the transformation of data in order to hide its
      information content, prevent its undetected modification and/or
      prevent its unauthorized use.... Cryptography determines the
      methods used in encipherment and decipherment." [I7498-2]
        
      2. (O) "The discipline which embodies principles, means, and
      methods for the transformation of data in order to hide its
      information content, prevent its undetected modification and/or
      prevent its unauthorized use.... Cryptography determines the
      methods used in encipherment and decipherment." [I7498-2]
        

Tutorial: Comprehensive coverage of applied cryptographic protocols and algorithms is provided by Schneier [Schn]. Businesses and governments use cryptography to make data incomprehensible to outsiders; to make data incomprehensible to both outsiders and insiders, the data is sent to lawyers for a rewrite.

教程:Schneier[Schn]全面介绍了应用的加密协议和算法。企业和政府使用加密技术使外部人士无法理解数据;为了让外部人士和内部人士都无法理解数据,数据被发送给律师进行重写。

$ Cryptoki (N) A CAPI defined in PKCS #11. Pronunciation: "CRYPTO-key". Derivation: Abbreviation of "cryptographic token interface".

$ Cryptoki(N)PKCS#11中定义的CAPI。发音:“加密密钥”。派生词:“加密令牌接口”的缩写。

$ cryptology (I) The science of secret communication, which includes both cryptography and cryptanalysis.

$ 密码学(I)保密通信科学,包括密码学和密码分析。

Tutorial: Sometimes the term is used more broadly to denote activity that includes both rendering signals secure (see: signal security) and extracting information from signals (see: signal intelligence) [Kahn].

教程:有时该术语更广泛地用于表示活动,包括呈现安全信号(参见:信号安全)和从信号中提取信息(参见:信号智能)[Kahn]。

$ cryptonet (I) A network (i.e., a communicating set) of system entities that share a secret cryptographic key for a symmetric algorithm. (See: controlling authority.)

$ cryptonet(I)系统实体的网络(即通信集),共享对称算法的密钥。(见:控制机构。)

(O) "Stations holding a common key." [C4009]

(O) “持有公用钥匙的电台。”[C4009]

$ cryptoperiod (I) The time span during which a particular key value is authorized to be used in a cryptographic system. (See: key management.)

$ 密码周期(I)特定密钥值被授权在密码系统中使用的时间跨度。(请参阅:密钥管理。)

Usage: This term is long-established in COMPUSEC usage. In the context of certificates and public keys, "key lifetime" and "validity period" are often used instead.

用法:这个术语在COMPUSEC的用法中由来已久。在证书和公钥的上下文中,通常使用“密钥生存期”和“有效期”。

Tutorial: A cryptoperiod is usually stated in terms of calendar or clock time, but sometimes is stated in terms of the maximum amount of data permitted to be processed by a cryptographic algorithm using the key. Specifying a cryptoperiod involves a tradeoff between the cost of rekeying and the risk of successful cryptoanalysis.

教程:加密周期通常以日历或时钟时间表示,但有时以使用密钥的加密算法允许处理的最大数据量表示。指定加密周期需要在密钥更新成本和成功密码分析风险之间进行权衡。

$ cryptosystem (I) Contraction of "cryptographic system".

$ 密码系统(I)“密码系统”的缩写。

$ cryptovariable (D) Synonym for "key".

$ 加密变量(D)是“密钥”的同义词。

Deprecated Usage: In contemporary COMSEC usage, the term "key" has replaced the term "cryptovariable".

不推荐使用:在当代通信安全使用中,术语“密钥”已取代术语“加密变量”。

$ CSIRT (I) See: computer security incident response team.

$ CSIRT(I)见:计算机安全事件响应小组。

$ CSOR (N) See: Computer Security Objects Register.

$ CSOR(N)参见:计算机安全对象寄存器。

$ CTAK (D) See: ciphertext auto-key.

$ CTAK(D)参见:密文自动密钥。

$ CTR (N) See: counter mode.

$ CTR(N)参见:计数器模式。

$ cut-and-paste attack (I) An active attack on the data integrity of cipher text, effected by replacing sections of cipher text with other cipher text, such that the result appears to decrypt correctly but actually decrypts to plain text that is forged to the satisfaction of the attacker.

$ 剪切粘贴攻击(I)对密文数据完整性的主动攻击,通过将密文部分替换为其他密文来实现,从而使结果看起来正确解密,但实际上解密为伪造的纯文本,使攻击者满意。

$ cyclic redundancy check (CRC) (I) A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected. Sometimes called "cyclic redundancy code".

$ 循环冗余校验(CRC)(I)一种校验和算法,它不是加密散列,但用于实现数据完整性服务,其中预期会对数据进行意外更改。有时称为“循环冗余码”。

$ DAC (N) See: Data Authentication Code, discretionary access control.

$ DAC(N)参见:数据认证码,自主访问控制。

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because this abbreviation is ambiguous.

不推荐使用:使用此术语的IDoc应说明其定义,因为此缩写不明确。

$ daemon (I) A computer program that is not invoked explicitly but waits until a specified condition occurs, and then runs with no associated user (principal), usually for an administrative purpose. (See: zombie.)

$ daemon(I)一种计算机程序,通常出于管理目的,它不被显式调用,而是等待指定的条件发生,然后在没有相关用户(主体)的情况下运行。(见:僵尸。)

$ dangling threat (O) A threat to a system for which there is no corresponding vulnerability and, therefore, no implied risk.

$ 悬空威胁(O)对系统的威胁,该系统没有相应的漏洞,因此没有隐含风险。

$ dangling vulnerability (O) A vulnerability of a system for which there is no corresponding threat and, therefore, no implied risk.

$ 悬空漏洞(O)系统中没有相应威胁,因此没有隐含风险的漏洞。

$ DASS (I) See: Distributed Authentication Security Service.

$ DASS(I)见:分布式身份验证安全服务。

$ data (I) Information in a specific representation, usually as a sequence of symbols that have meaning.

$ 数据(I)特定表示形式的信息,通常作为具有意义的符号序列。

Usage: Refers to both (a) representations that can be recognized, processed, or produced by a computer or other type of machine, and (b) representations that can be handled by a human.

用法:指(a)可由计算机或其他类型机器识别、处理或生成的表示,以及(b)可由人类处理的表示。

$ Data Authentication Algorithm, data authentication algorithm 1. (N) /capitalized/ The ANSI standard for a keyed hash function that is equivalent to DES cipher block chaining with IV = 0. [A9009]

$ 数据认证算法,数据认证算法1。(N) /capitalized/键控哈希函数的ANSI标准,相当于IV=0的DES密码块链接。[A9009]

2. (D) /not capitalized/ Synonym for some kind of "checksum".

2. (D) /未大写/某种“校验和”的同义词。

Deprecated Term: IDOCs SHOULD NOT use the uncapitalized form "data authentication algorithm" as a synonym for any kind of checksum, regardless of whether or not the checksum is based on a hash. Instead, use "checksum", "Data Authentication Code", "error detection code", "hash", "keyed hash", "Message Authentication Code", "protected checksum", or some other specific term, depending on what is meant.

不推荐使用的术语:IDOCs不应使用非资本主义形式的“数据认证算法”作为任何类型校验和的同义词,无论校验和是否基于散列。相反,使用“校验和”、“数据验证码”、“错误检测码”、“散列”、“密钥散列”、“消息验证码”、“受保护校验和”或其他特定术语,具体取决于其含义。

The uncapitalized term can be confused with the Data Authentication Code and also mixes concepts in a potentially misleading way. The word "authentication" is misleading because the checksum may be used to perform a data integrity function rather than a data origin authentication function.

未资本化的术语可能与数据认证代码混淆,也可能以潜在误导的方式混淆概念。“身份验证”一词具有误导性,因为校验和可用于执行数据完整性功能,而不是数据源身份验证功能。

$ Data Authentication Code, data authentication code 1. (N) /capitalized/ A specific U.S. Government standard [FP113] for a checksum that is computed by the Data Authentication Algorithm. Usage: a.k.a. Message Authentication Code [A9009].) (See: DAC.)

$ 数据认证码,数据认证码1。(N) /capitalized/由数据认证算法计算的校验和的特定美国政府标准[FP113]。用法:a.k.a.消息身份验证代码[A9009]。(请参阅:DAC。)

2. (D) /not capitalized/ Synonym for some kind of "checksum".

2. (D) /未大写/某种“校验和”的同义词。

Deprecated Term: IDOCs SHOULD NOT use the uncapitalized form "data authentication code" as a synonym for any kind of checksum, regardless of whether or not the checksum is based on the Data Authentication Algorithm. The uncapitalized term can be confused with the Data Authentication Code and also mixes concepts in a potentially misleading way (see: authentication code).

不推荐使用的术语:IDOCs不应使用未大写形式的“数据身份验证代码”作为任何类型校验和的同义词,无论校验和是否基于数据身份验证算法。未资本化的术语可能与数据身份验证代码混淆,也可能以潜在误导的方式混淆概念(请参阅:身份验证代码)。

$ data compromise 1. (I) A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information might have occurred. (Compare: security compromise, security incident.)

$ 数据泄露1。(一) 一种安全事件,其中信息可能会被未经授权的访问,从而可能会发生未经授权的信息披露、更改或使用。(比较:安全隐患、安全事故。)

2. (O) /U.S. DoD/ A "compromise" is a "communication or physical transfer of information to an unauthorized recipient." [DoD5]

2. (O) /U.S.DoD/A“妥协”是指“向未经授权的接收者通信或物理传输信息。”[DoD5]

3. (O) /U.S. Government/ "Type of [security] incident where information is disclosed to unauthorized individuals or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred." [C4009]

3. (O) /U.S.Government/“向未经授权的个人披露信息或违反系统安全政策的[安全]事件类型,其中可能发生未经授权的故意或无意披露、修改、破坏或丢失对象的事件。”[C4009]

$ data confidentiality 1. (I) The property that data is not disclosed to system entities unless they have been authorized to know the data. (See: Bell-LaPadula model, classification, data confidentiality service, secret. Compare: privacy.)

$ 数据保密1。(一) 不向系统实体披露数据的属性,除非系统实体被授权了解数据。(参见:贝尔-拉帕杜拉模型、分类、数据保密服务、机密。比较:隐私。)

2. (D) "The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]." [I7498-2].

2. (D) “未向未经授权的个人、实体或进程[即任何未经授权的系统实体]提供或披露信息的财产。”[I7498-2]。

Deprecated Definition: The phrase "made available" might be interpreted to mean that the data could be altered, and that would confuse this term with the concept of "data integrity".

不推荐使用的定义:“可用”一词可能被解释为意味着数据可能会被更改,这将使该术语与“数据完整性”概念混淆。

$ data confidentiality service (I) A security service that protects data against unauthorized disclosure. (See: access control, data confidentiality, datagram confidentiality service, flow control, inference control.)

$ 数据保密服务(I)保护数据免受未经授权披露的安全服务。(请参阅:访问控制、数据保密、数据报保密服务、流控制、推理控制。)

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "privacy", which is a different concept.

不推荐使用:IDOCs不应将此术语用作“隐私”的同义词,这是一个不同的概念。

$ Data Encryption Algorithm (DEA) (N) A symmetric block cipher, defined in the U.S. Government's DES. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block. [FP046] (See: AES, symmetric cryptography.)

$ 数据加密算法(DEA)(N):美国政府DES中定义的对称分组密码。DEA使用一个64位密钥,其中56位是独立选择的,8位是奇偶校验位,并将一个64位块映射到另一个64位块。[FP046](参见:AES,对称加密。)

Usage: This algorithm is usually referred to as "DES". The algorithm has also been adopted in standards outside the Government (e.g., [A3092]).

用法:此算法通常称为“DES”。该算法也被政府以外的标准所采用(例如[A3092])。

$ data encryption key (DEK) (I) A cryptographic key that is used to encipher application data. (Compare: key-encrypting key.)

$ 数据加密密钥(DEK)(I)用于加密应用程序数据的加密密钥。(比较:密钥加密密钥。)

$ Data Encryption Standard (DES) (N) A U.S. Government standard [FP046] that specifies the DEA and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES.)

$ 数据加密标准(DES)(N)美国政府标准[FP046],规定了DEA和使用算法保护未分类敏感数据的州政策。(见:AES)

$ data integrity 1. (I) The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. (See: data integrity service. Compare: correctness integrity, source integrity.)

$ 数据完整性1。(一) 未经授权或意外地更改、销毁或丢失数据的属性。(请参阅:数据完整性服务。比较:正确性完整性、源完整性。)

2. (O) "The property that information has not been modified or destroyed in an unauthorized manner." [I7498-2]

2. (O) “未以未经授权的方式修改或销毁信息的财产。”[I7498-2]

Usage: Deals with (a) constancy of and confidence in data values, and not with either (b) information that the values represent (see: correctness integrity) or (c) the trustworthiness of the source of the values (see: source integrity).

用法:处理(a)数据值的恒定性和可信度,而不是(b)值所代表的信息(参见:正确性完整性)或(c)值源的可信度(参见:源完整性)。

$ data integrity service (I) A security service that protects against unauthorized changes to data, including both intentional change or destruction and accidental change or loss, by ensuring that changes to data are detectable. (See: data integrity, checksum, datagram integrity service.)

$ 数据完整性服务(I)一种安全服务,通过确保可检测到数据更改,防止未经授权的数据更改,包括故意更改或破坏以及意外更改或丢失。(请参阅:数据完整性、校验和、数据报完整性服务。)

Tutorial: A data integrity service can only detect a change and report it to an appropriate system entity; changes cannot be prevented unless the system is perfect (error-free) and no malicious user has access. However, a system that offers data integrity service might also attempt to correct and recover from changes.

教程:数据完整性服务只能检测更改并将其报告给适当的系统实体;除非系统完美(无错误)且没有恶意用户可以访问,否则无法阻止更改。但是,提供数据完整性服务的系统也可能尝试更正更改并从更改中恢复。

The ability of this service to detect changes is limited by the technology of the mechanisms used to implement the service. For example, if the mechanism were a one-bit parity check across each entire SDU, then changes to an odd number of bits in an SDU would be detected, but changes to an even number of bits would not.

此服务检测更改的能力受到用于实现该服务的机制技术的限制。例如,如果该机制是跨整个SDU的一位奇偶校验,则将检测到SDU中奇数位数的更改,但不会检测到偶数位数的更改。

Relationship between data integrity service and authentication services: Although data integrity service is defined separately from data origin authentication service and peer entity authentication service, it is closely related to them. Authentication services depend, by definition, on companion data integrity services. Data origin authentication service provides

数据完整性服务和身份验证服务之间的关系:虽然数据完整性服务与数据源身份验证服务和对等实体身份验证服务分开定义,但它与它们密切相关。根据定义,身份验证服务依赖于配套的数据完整性服务。数据源身份验证服务提供

verification that the identity of the original source of a received data unit is as claimed; there can be no such verification if the data unit has been altered. Peer entity authentication service provides verification that the identity of a peer entity in a current association is as claimed; there can be no such verification if the claimed identity has been altered.

验证所接收数据单元的原始源的身份是否如所声称的那样;如果数据单元已更改,则无法进行此类验证。对等实体认证服务验证当前关联中的对等实体的身份是否如声明的那样;如果声称的身份已被更改,则无法进行此类验证。

$ data origin authentication (I) "The corroboration that the source of data received is as claimed." [I7498-2] (See: authentication.)

$ 数据来源认证(I)“所接收数据来源与所声称的一致的确证。”[I7498-2](见:认证。)

$ data origin authentication service (I) A security service that verifies the identity of a system entity that is claimed to be the original source of received data. (See: authentication, authentication service.)

$ 数据源身份验证服务(I)验证声称是接收数据原始源的系统实体身份的安全服务。(请参阅:身份验证、身份验证服务。)

Tutorial: This service is provided to any system entity that receives or holds the data. Unlike peer entity authentication service, this service is independent of any association between the originator and the recipient, and the data in question may have originated at any time in the past.

教程:此服务提供给接收或保存数据的任何系统实体。与对等实体身份验证服务不同,此服务独立于发端人和接收方之间的任何关联,并且所涉及的数据可能在过去的任何时间产生。

A digital signature mechanism can be used to provide this service, because someone who does not know the private key cannot forge the correct signature. However, by using the signer's public key, anyone can verify the origin of correctly signed data.

数字签名机制可用于提供此服务,因为不知道私钥的人无法伪造正确的签名。但是,通过使用签名者的公钥,任何人都可以验证正确签名数据的来源。

This service is usually bundled with connectionless data integrity service. (See: "relationship between data integrity service and authentication services" under "data integrity service".

此服务通常与无连接数据完整性服务捆绑在一起。(请参阅“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”。

$ data owner (N) The organization that has the final statutory and operational authority for specified information.

$ 数据所有者(N):对特定信息拥有最终法定和操作权限的组织。

$ data privacy (D) Synonym for "data confidentiality".

$ 数据隐私(D)“数据机密性”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. Instead, use either "data confidentiality" or "privacy" or both, depending on what is meant.

不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。取而代之的是,使用“数据机密性”或“隐私性”或两者兼用,具体取决于其含义。

$ data recovery 1. (I) /cryptanalysis/ A process for learning, from some cipher text, the plain text that was previously encrypted to produce the cipher text. (See: recovery.)

$ 数据恢复1。(一) /Cryptoanalysis/Cryptoanalysis从某些密文中学习先前加密以生成密文的纯文本的过程。(见:恢复。)

2. (I) /system integrity/ The process of restoring information following damage or destruction.

2. (一) /系统完整性/损坏或破坏后恢复信息的过程。

$ data security (I) The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.

$ 数据安全(I)保护数据免受意外或故意但未经授权的披露、更改、破坏或丢失。

Tutorial: Both data confidentiality service and data integrity service are needed to achieve data security.

教程:实现数据安全性需要数据机密性服务和数据完整性服务。

$ datagram (I) "A self-contained, independent entity of data [i.e., a packet] carrying sufficient information to be routed from the source [computer] to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." [R1983] Example: A PDU of IP.

$ 数据报(I)“一种自包含、独立的数据实体[即,数据包],承载足够的信息,可从源[计算机]路由到目标计算机,而不依赖该源和目标计算机以及传输网络之间的早期交换。”[R1983]示例:IP的PDU。

$ datagram confidentiality service (I) A data confidentiality service that preserves the confidentiality of data in a single, independent, packet; i.e., the service applies to datagrams one-at-a-time. Example: ESP. (See: data confidentiality.)

$ 数据报保密服务(I)一种数据保密服务,在单个独立数据包中保护数据的机密性;i、 例如,该服务一次一个地应用于数据报。示例:ESP(请参阅:数据机密性)

Usage: When a protocol is said to provide data confidentiality service, this is usually understood to mean that only the SDU is protected in each packet. IDOCs that use the term to mean that the entire PDU is protected should include a highlighted definition.

用法:当一个协议被称为提供数据保密服务时,这通常被理解为在每个数据包中只有SDU受到保护。使用该术语表示整个PDU受保护的IDoc应包括突出显示的定义。

Tutorial: This basic form of network confidentiality service suffices for protecting the data in a stream of packets in both connectionless and connection-oriented protocols. Except perhaps for traffic flow confidentiality, nothing further is needed to protect the confidentiality of data carried by a packet stream. The OSIRM distinguishes between connection confidentiality and connectionless confidentiality. The IPS need not make that distinction, because those services are just instances of the same service (i.e., datagram confidentiality) being offered in two different protocol contexts. (For data integrity service, however, additional effort is needed to protect a stream, and the IPS does need to distinguish between "datagram integrity service" and "stream integrity service".)

教程:这种基本形式的网络保密服务足以在无连接和面向连接的协议中保护数据包流中的数据。也许除了业务流机密性之外,不需要进一步保护分组流所携带的数据的机密性。OSIRM区分连接机密性和无连接机密性。IP不需要做出这种区分,因为这些服务只是在两个不同协议上下文中提供的相同服务(即数据报机密性)的实例。(然而,对于数据完整性服务,需要额外的努力来保护流,IPS确实需要区分“数据报完整性服务”和“流完整性服务”。)

$ datagram integrity service (I) A data integrity service that preserves the integrity of data in a single, independent, packet; i.e., the service applies to datagrams one-at-a-time. (See: data integrity. Compare: stream integrity service.)

$ 数据报完整性服务(I)在单个独立数据包中保持数据完整性的数据完整性服务;i、 例如,该服务一次一个地应用于数据报。(请参阅:数据完整性。比较:流完整性服务。)

Tutorial: The ability to provide appropriate data integrity is important in many Internet security situations, and so there are different kinds of data integrity services suited to different applications. This service is the simplest kind; it is suitable for connectionless data transfers.

教程:在许多互联网安全情况下,提供适当的数据完整性的能力非常重要,因此有适合不同应用程序的不同类型的数据完整性服务。这种服务是最简单的;它适用于无连接的数据传输。

Datagram integrity service usually is designed only to attempt to detect changes to the SDU in each packet, but it might also attempt to detect changes to some or all of the PCI in each packet (see: selective field integrity). In contrast to this simple, one-at-a-time service, some security situations demand a more complex service that also attempts to detect deleted, inserted, or reordered datagrams within a stream of datagrams (see: stream integrity service).

数据报完整性服务通常设计为仅尝试检测每个数据包中SDU的更改,但也可能尝试检测每个数据包中部分或全部PCI的更改(请参阅:选择性字段完整性)。与此简单的一次一个服务不同,某些安全情况需要更复杂的服务,该服务还尝试检测数据报流中已删除、插入或重新排序的数据报(请参阅:流完整性服务)。

$ DEA (N) See: Data Encryption Algorithm.

$ DEA(N)参见:数据加密算法。

$ deception (I) A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. (See: authentication.)

$ 欺诈(I)可能导致授权实体接收虚假数据并相信其真实性的情况或事件。(请参阅:身份验证。)

Tutorial: This is a type of threat consequence, and it can be caused by the following types of threat actions: masquerade, falsification, and repudiation.

教程:这是一种威胁后果,可能由以下类型的威胁行为引起:伪装、伪造和否认。

$ decipher (D) Synonym for "decrypt".

$ 解密(D)“解密”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "decrypt". However, see usage note under "encryption".

不推荐使用的定义:IDOCs不应将此术语用作“解密”的同义词。但是,请参见“加密”下的用法说明。

$ decipherment (D) Synonym for "decryption".

$ 解密(D)“解密”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "decryption". However, see the Usage note under "encryption".

不推荐使用的定义:IDOCs不应将此术语用作“解密”的同义词。但是,请参见“加密”下的用法说明。

$ declassification (I) An authorized process by which information is declassified. (Compare: classification.)

$ 解密(I)信息解密的授权过程。(比较:分类。)

$ declassify (I) To officially remove the security level designation of a classified information item or information type, such that the information is no longer classified (i.e., becomes unclassified). (See: classified, classify, security level. Compare: downgrade.)

$ 解密(I)正式删除保密信息项或信息类型的安全级别指定,使信息不再保密(即变得不保密)。(请参阅:分类、分类、安全级别。比较:降级。)

$ decode 1. (I) Convert encoded data back to its original form of representation. (Compare: decrypt.)

$ 解码1。(一) 将编码数据转换回其原始表示形式。(比较:解密。)

2. (D) Synonym for "decrypt".

2. (D) “解密”的同义词。

Deprecated Definition: Encoding is not usually meant to conceal meaning. Therefore, IDOCs SHOULD NOT use this term as a synonym for "decrypt", because that would mix concepts in a potentially misleading way.

不推荐使用的定义:编码通常不是为了隐藏含义。因此,IDOCs不应该使用这个术语作为“decrypt”的同义词,因为这会以潜在误导的方式混合概念。

$ decrypt (I) Cryptographically restore cipher text to the plaintext form it had before encryption.

$ 解密(I)以加密方式将密文恢复为加密前的明文形式。

$ decryption (I) See: secondary definition under "encryption".

$ 解密(I)见“加密”下的第二定义。

$ dedicated security mode (I) A mode of system operation wherein all users having access to the system possess, for all data handled by the system, both (a) all necessary authorizations (i.e., security clearance and formal access approval) and (b) a need-to-know. (See: /system operation/ under "mode", formal access approval, need to know, protection level, security clearance.)

$ 专用安全模式(I)一种系统操作模式,其中所有访问系统的用户都拥有系统处理的所有数据(A)所有必要的授权(即安全许可和正式访问批准)和(b)需要知道。(参见:/系统操作/在“模式”下,正式访问批准,需要知道,保护级别,安全许可。)

Usage: Usually abbreviated as "dedicated mode". This mode was defined in U.S. Government policy on system accreditation, but the term is also used outside the Government. In this mode, the system may handle either (a) a single classification level or category of information or (b) a range of levels and categories.

用法:通常缩写为“专用模式”。这种模式在美国政府的系统认证政策中有定义,但该术语也在政府之外使用。在此模式下,系统可以处理(a)单个分类级别或信息类别,或(b)一系列级别和类别。

$ default account (I) A system login account (usually accessed with a user identifier and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service. (See: harden.)

$ 默认帐户(I)在制造系统中预定义的系统登录帐户(通常使用用户标识符和密码访问),以便在系统首次投入使用时允许初始访问。(请参见:硬化。)

Tutorial: A default account becomes a serious vulnerability if not properly administered. Sometimes, the default identifier and password are well-known because they are the same in each copy of the system. In any case, when a system is put into service, any default password should immediately be changed or the default account should be disabled.

教程:如果管理不当,默认帐户将成为严重漏洞。有时,默认标识符和密码是众所周知的,因为它们在系统的每个副本中都是相同的。在任何情况下,当系统投入使用时,应立即更改任何默认密码或禁用默认帐户。

$ defense in depth (N) "The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial

$ 纵深防御(N)“相互支持的防御阵地的选址,旨在吸收并逐渐削弱攻击,防止初始攻击

observations of the whole position by the enemy, and [enable] the commander to maneuver the reserve." [JP1]

敌方对整个阵地的观察,并[使]指挥官能够操纵预备队。”[JP1]

Tutorial: In information systems, defense in depth means constructing a system's security architecture with layered and complementary security mechanisms and countermeasures, so that if one security mechanism is defeated, one or more other mechanisms (which are "behind" or "beneath" the first mechanism) still provide protection.

教程:在信息系统中,纵深防御意味着构建具有分层和互补安全机制和对策的系统安全架构,以便在一个安全机制失败时,一个或多个其他机制(在第一个机制的“后面”或“下面”)仍能提供保护。

This architectural concept is appealing because it aligns with traditional warfare doctrine, which applies defense in depth to physical, geospatial structures; but applying the concept to logical, cyberspace structures of computer networks is more difficult. The concept assumes that networks have a spatial or topological representation. It also assumes that there can be implemented -- from the "outer perimeter" of a network, through its various "layers" of components, to its "center" (i.e., to the subscriber application systems supported by the network) -- a varied series of countermeasures that together provide adequate protection. However, it is more difficult to map the topology of networks and make certain that no path exists by which an attacker could bypass all defensive layers.

这一建筑概念之所以吸引人,是因为它与传统战争理论相一致,传统战争理论将纵深防御应用于物理、地理空间结构;但将这一概念应用于计算机网络的逻辑、网络空间结构则更为困难。该概念假设网络具有空间或拓扑表示。它还假设可以实施一系列不同的对策,从网络的“外围”,通过其不同的“层”组件,到其“中心”(即,到网络支持的用户应用系统),共同提供充分的保护。然而,更难的是映射网络拓扑并确保不存在攻击者可以绕过所有防御层的路径。

$ Defense Information Infrastructure (DII) (O) /U.S. DoD/ The U.S. DoD's shared, interconnected system of computers, communications, data, applications, security, people, training, and support structures, serving information needs worldwide. (See: DISN.) Usage: Has evolved to be called the GIG.

$ 国防信息基础设施(DII)(O)/美国国防部/美国国防部的共享互联系统,包括计算机、通信、数据、应用、安全、人员、培训和支持结构,服务于全球信息需求。用法:已演变为GIG。

Tutorial: The DII connects mission support, command and control, and intelligence computers and users through voice, data, imagery, video, and multimedia services, and provides information processing and value-added services to subscribers over the DISN. Users' own data and application software are not considered part of the DII.

教程:DII通过语音、数据、图像、视频和多媒体服务连接任务支持、指挥和控制以及情报计算机和用户,并通过DISN向用户提供信息处理和增值服务。用户自己的数据和应用软件不被视为DII的一部分。

$ Defense Information Systems Network (DISN) (O) /U.S. DoD/ The U.S. DoD's consolidated, worldwide, enterprise level telecommunications infrastructure that provides end-to-end information transfer for supporting military operations; a part of the DII. (Compare: GIG.)

$ 国防信息系统网络(DISN)(O)/美国国防部/美国国防部的综合全球企业级电信基础设施,为支持军事行动提供端到端信息传输;DII的一部分。(比较:GIG)

$ degauss 1a. (N) Apply a magnetic field to permanently remove data from a magnetic storage medium, such as a tape or disk [NCS25]. (Compare: erase, purge, sanitize.)

$ 消磁1a。(N) 施加磁场以从磁带或磁盘等磁性存储介质中永久删除数据[NCS25]。(比较:擦除、清除、消毒。)

1b. (N) Reduce magnetic flux density to zero by applying a reversing magnetic field. (See: magnetic remanence.)

1b。(N) 通过施加反向磁场将磁通密度降至零。(参见:剩磁。)

$ degausser (N) An electrical device that can degauss magnetic storage media.

$ 消磁器(N):一种可以对磁性存储介质进行消磁的电气设备。

$ DEK (I) See: data encryption key.

$ DEK(I)见:数据加密密钥。

$ delay (I) /packet/ See: secondary definition under "stream integrity service".

$ 延迟(I)/数据包/见“流完整性服务”下的二级定义。

$ deletion (I) /packet/ See: secondary definition under "stream integrity service".

$ 删除(I)/数据包/见“流完整性服务”下的二级定义。

$ deliberate exposure (I) /threat action/ See: secondary definition under "exposure".

$ 故意暴露(I)/威胁行动/见“暴露”下的二级定义。

$ delta CRL (I) A partial CRL that only contains entries for certificates that have been revoked since the issuance of a prior, base CRL [X509]. This method can be used to partition CRLs that become too large and unwieldy. (Compare: CRL distribution point.)

$ 增量CRL(I)部分CRL,仅包含自发布以前的基本CRL[X509]以来已撤销的证书的条目。此方法可用于对变得过大和不实用的CRL进行分区。(比较:CRL分布点。)

$ demilitarized zone (DMZ) (D) Synonym for "buffer zone".

$ 非军事区(DMZ)(D)是“缓冲区”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term because it mixes concepts in a potentially misleading way. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:IDOCs不应该使用这个术语,因为它以一种潜在误导的方式混合了概念。(请参阅“绿皮书”下不推荐的用法。)

$ denial of service (I) The prevention of authorized access to a system resource or the delaying of system operations and functions. (See: availability, critical, flooding.)

$ 拒绝服务(I)阻止对系统资源的授权访问或延迟系统操作和功能。(请参阅:可用性、关键性、泛洪。)

Tutorial: A denial-of-service attack can prevent the normal conduct of business on the Internet. There are four types of solutions to this security problem: - Awareness: Maintaining cognizance of security threats and vulnerabilities. (See: CERT.) - Detection: Finding attacks on end systems and subnetworks. (See: intrusion detection.) - Prevention: Following defensive practices on network-connected systems. (See: [R2827].)

Tutorial: A denial-of-service attack can prevent the normal conduct of business on the Internet. There are four types of solutions to this security problem: - Awareness: Maintaining cognizance of security threats and vulnerabilities. (See: CERT.) - Detection: Finding attacks on end systems and subnetworks. (See: intrusion detection.) - Prevention: Following defensive practices on network-connected systems. (See: [R2827].)translate error, please retry

- Response: Reacting effectively when attacks occur. (See: CSIRT, contingency plan.)

- 响应:在发生攻击时有效地作出反应。(参见:CSIRT,应急计划。)

$ DES (N) See: Data Encryption Standard.

$ DES(N)见:数据加密标准。

$ designated approving authority (DAA) (O) /U.S. Government/ Synonym for "accreditor".

$ 指定审批机构(DAA)(O)/美国政府/同义词“认证人”。

$ detection (I) See: secondary definition under "security".

$ 检测(I)见“安全”下的二级定义。

$ deterrence (I) See: secondary definition under "security".

$ 威慑(一)见“安全”下的第二个定义。

$ dictionary attack (I) An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.

$ 字典攻击(I)一种使用蛮力技术的攻击,即连续尝试某个大型、详尽列表中的所有单词。

Examples: Attack an authentication service by trying all possible passwords. Attack an encryption service by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup.

示例:通过尝试所有可能的密码来攻击身份验证服务。通过使用所有可能的密钥加密某些已知的明文短语来攻击加密服务,以便通过查找获得包含该短语的任何给定加密消息的密钥。

$ Diffie-Hellman $ Diffie-Hellman-Merkle (N) A key-agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].

$ Diffie-Hellman$Diffie-Hellman-Merkle(N)一种密钥协商算法,由Whitfield Diffie和Martin Hellman于1976年发布[DH76,R2631]。

Usage: The algorithm is most often called "Diffie-Hellman". However, in the November 1978 issue of "IEEE Communications Magazine", Hellman wrote that the algorithm "is a public key distribution system, a concept developed by [Ralph C.] Merkle, and hence should be called 'Diffie-Hellman-Merkle' ... to recognize Merkle's equal contribution to the invention of public key cryptography."

用法:该算法通常被称为“Diffie-Hellman”。然而,在1978年11月发行的《IEEE通信杂志》中,Hellman写道,该算法“是一个公钥分发系统,是由[Ralph C.]Merkle提出的一个概念,因此应称为“Diffie Hellman Merkle”……以承认Merkle对公钥密码术的发明做出了同等贡献。”

Tutorial: Diffie-Hellman-Merkle does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.

教程:Diffie Hellman Merkle负责密钥建立,而不是加密。但是,它生成的密钥可用于加密、进一步的密钥管理操作或任何其他加密。

The algorithm is described in [R2631] and [Schn]. In brief, Alice and Bob together pick large integers that satisfy certain mathematical conditions, and then use the integers to each separately compute a public-private key pair. They send each other their public key. Each person uses their own private key and the

[R2631]和[Schn]中描述了该算法。简言之,Alice和Bob一起选择满足特定数学条件的大整数,然后使用这些整数分别计算一个公私密钥对。他们互相发送公钥。每个人都使用自己的私钥和

other person's public key to compute a key, k, that, because of the mathematics of the algorithm, is the same for each of them. Passive wiretapping cannot learn the shared k, because k is not transmitted, and neither are the private keys needed to compute k.

另一个人的公钥,用于计算一个密钥k,由于算法的数学性,该密钥对于每个人都是相同的。被动窃听无法学习共享k,因为k不被传输,计算k所需的私钥也不被传输。

The difficulty of breaking Diffie-Hellman-Merkle is considered to be equal to the difficulty of computing discrete logarithms modulo a large prime. However, without additional mechanisms to authenticate each party to the other, a protocol based on the algorithm may be vulnerable to a man-in-the-middle attack.

打破Diffie-Hellman-Merkle的困难被认为等于计算大素数模的离散对数的困难。然而,如果没有额外的机制来向另一方验证每一方,基于该算法的协议可能容易受到中间人攻击。

$ digest See: message digest.

$ 摘要请参阅:消息摘要。

$ digital certificate (I) A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, public-key certificate.)

$ 数字证书(I)数字数据对象(计算机使用的数据对象)形式的证书文档,其附加了依赖于该数据对象的计算数字签名值。(请参阅:属性证书、公钥证书。)

Deprecated Usage: IDOCs SHOULD NOT use this term to refer to a signed CRL or CKL. Although the recommended definition can be interpreted to include other signed items, the security community does not use the term with those meanings.

不推荐使用:IDOCs不应使用此术语来指代已签名的CRL或CKL。虽然建议的定义可以解释为包括其他签名项,但安全社区不使用具有这些含义的术语。

$ digital certification (D) Synonym for "certification".

$ 数字认证(D)“认证”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this definition unless the context is not sufficient to distinguish between digital certification and another kind of certification, in which case it would be better to use "public-key certification" or another phrase that indicates what is being certified.

不推荐使用的定义:IDOC不应使用此定义,除非上下文不足以区分数字认证和其他类型的认证,在这种情况下,最好使用“公钥认证”或指示认证内容的其他短语。

$ digital document (I) An electronic data object that represents information originally written in a non-electronic, non-magnetic medium (usually ink on paper) or is an analogue of a document of that type.

$ 数字文档(I)一种电子数据对象,表示最初在非电子、非磁性介质(通常为纸张上的墨水)中写入的信息,或类似于该类型文档的信息。

$ digital envelope (I) A combination of (a) encrypted content data (of any kind) intended for a recipient and (b) the content encryption key in an encrypted form that has been prepared for the use of the recipient.

$ 数字信封(I)(A)为收件人准备的加密内容数据(任何类型)和(b)为收件人准备的加密形式的内容加密密钥的组合。

Usage: In IDOCs, the term SHOULD be defined at the point of first use because, although the term is defined in PKCS #7 and used in S/MIME, it is not widely known.

用法:在IDOCs中,应在首次使用时定义该术语,因为尽管该术语在PKCS#7中定义并在S/MIME中使用,但并不广为人知。

Tutorial: Digital enveloping is not simply a synonym for implementing data confidentiality with encryption; digital enveloping is a hybrid encryption scheme to "seal" a message or other data, by encrypting the data and sending both it and a protected form of the key to the intended recipient, so that no one other than the intended recipient can "open" the message. In PKCS #7, it means first encrypting the data using a symmetric encryption algorithm and a secret key, and then encrypting the secret key using an asymmetric encryption algorithm and the public key of the intended recipient. In S/MIME, additional methods are defined for encrypting the content encryption key.

教程:数字信封不仅仅是用加密实现数据机密性的同义词;数字信封是一种混合加密方案,通过加密数据并将其和受保护的密钥形式发送给预期收件人,“密封”邮件或其他数据,以便除预期收件人以外的任何人都无法“打开”邮件。在PKCS#7中,这意味着首先使用对称加密算法和密钥对数据进行加密,然后使用非对称加密算法和预期收件人的公钥对密钥进行加密。在S/MIME中,定义了用于加密内容加密密钥的其他方法。

$ Digital ID(service mark) (D) Synonym for "digital certificate".

$ 数字标识(服务标志)(D)“数字证书”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term. It is a service mark of a commercial firm, and it unnecessarily duplicates the meaning of a better-established term. (See: credential.)

不推荐使用的术语:IDOCs不应使用此术语。它是一个商业公司的服务标志,不必要地重复了一个更好的术语的含义。(请参阅:凭证。)

$ digital key (D) Synonym for an input parameter of a cryptographic algorithm or other process. (See: key.)

$ 数字密钥(D)是密码算法或其他过程的输入参数的同义词。(请参阅:键。)

Deprecated Usage: The adjective "digital" need not be used with "key" or "cryptographic key", unless the context is insufficient to distinguish the digital key from another kind of key, such as a metal key for a door lock.

不推荐使用:形容词“digital”不必与“key”或“cryptographic key”一起使用,除非上下文不足以区分数字钥匙和其他钥匙,例如门锁的金属钥匙。

$ digital notary (I) An electronic functionary analogous to a notary public. Provides a trusted timestamp for a digital document, so that someone can later prove that the document existed at that point in time; verifies the signature(s) on a signed document before applying the stamp. (See: notarization.)

$ 数字公证人(I)类似于公证人的电子工作人员。为数字文档提供可信的时间戳,以便稍后有人可以证明该文档在该时间点存在;在加盖印章之前,验证已签名文档上的签名。(见:公证)

$ digital signature 1. (I) A value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity. (See: data origin authentication service, data integrity service, signer. Compare: digitized signature, electronic signature.)

$ 数字签名1。(一) 用加密算法计算的一种值,它与数据对象相关联,数据的任何接收者都可以使用签名来验证数据的来源和完整性。(请参阅:数据源身份验证服务、数据完整性服务、签名者。比较:数字签名、电子签名。)

2. (O) "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient." [I7498-2]

2. (O) “附加到数据单元的数据或数据单元的加密转换,允许数据单元的接收者证明数据单元的来源和完整性,并防止伪造(例如由接收者伪造)。[I7498-2]

Tutorial: A digital signature should have these properties: - Be capable of being verified. (See: validate vs. verify.) - Be bound to the signed data object in such a way that if the data is changed, then when an attempt is made to verify the signature, it will be seen as not authentic. (In some schemes, the signature is appended to the signed object as stated by definition 2, but in other it, schemes is not.) - Uniquely identify a system entity as being the signer. - Be under the signer's sole control, so that it cannot be created by any other entity.

教程:数字签名应该具有以下属性:-能够被验证。(请参阅:验证vs.验证)-绑定到已签名的数据对象时,如果数据发生更改,则在尝试验证签名时,签名将被视为不真实。(在某些方案中,如定义2所述,签名被附加到签名对象,但在另一些方案中,签名不是。)-唯一地将系统实体标识为签名者。-由签字人单独控制,因此不能由任何其他实体创建。

To achieve these properties, the data object is first input to a hash function, and then the hash result is cryptographically transformed using a private key of the signer. The final resulting value is called the digital signature of the data object. The signature value is a protected checksum, because the properties of a cryptographic hash ensure that if the data object is changed, the digital signature will no longer match it. The digital signature is unforgeable because one cannot be certain of correctly creating or changing the signature without knowing the private key of the supposed signer.

为了实现这些属性,首先将数据对象输入到哈希函数,然后使用签名者的私钥对哈希结果进行加密转换。最终的结果值称为数据对象的数字签名。签名值是受保护的校验和,因为加密散列的属性确保如果数据对象发生更改,数字签名将不再匹配它。数字签名是不可伪造的,因为在不知道假定签名人的私钥的情况下,无法确定是否正确创建或更改签名。

Some digital signature schemes use an asymmetric encryption algorithm (e.g., "RSA") to transform the hash result. Thus, when Alice needs to sign a message to send to Bob, she can use her private key to encrypt the hash result. Bob receives both the message and the digital signature. Bob can use Alice's public key to decrypt the signature, and then compare the plaintext result to the hash result that he computes by hashing the message himself. If the values are equal, Bob accepts the message because he is certain that it is from Alice and has arrived unchanged. If the values are not equal, Bob rejects the message because either the message or the signature was altered in transit.

一些数字签名方案使用非对称加密算法(例如,“RSA”)来转换哈希结果。因此,当Alice需要对发送给Bob的消息进行签名时,她可以使用私钥对哈希结果进行加密。Bob接收消息和数字签名。Bob可以使用Alice的公钥对签名进行解密,然后将明文结果与他自己对消息进行散列计算的散列结果进行比较。如果值相等,Bob接受该消息,因为他确定该消息来自Alice,并且没有更改。如果值不相等,Bob将拒绝该消息,因为消息或签名在传输过程中被更改。

Other digital signature schemes (e.g., "DSS") transform the hash result with an algorithm (e.g., "DSA", "El Gamal") that cannot be directly used to encrypt data. Such a scheme creates a signature value from the hash and provides a way to verify the signature value, but does not provide a way to recover the hash result from the signature value. In some countries, such a scheme may improve exportability and avoid other legal constraints on usage. Alice sends the signature value to Bob along with both the message and its hash result. The algorithm enables Bob to use Alice's public

其他数字签名方案(例如,“DSS”)使用无法直接用于加密数据的算法(例如,“DSA”、“El Gamal”)转换哈希结果。这样的方案从散列创建签名值,并提供验证签名值的方法,但不提供从签名值恢复散列结果的方法。在一些国家,这样的计划可以提高出口能力,并避免对使用的其他法律限制。Alice将签名值连同消息及其哈希结果一起发送给Bob。该算法使Bob能够使用Alice的公共

signature key and the signature value to verify the hash result he receives. Then, as before, he compares that hash result she sent to the one that he computes by hashing the message himself.

签名密钥和签名值,以验证他收到的哈希结果。然后,像以前一样,他将她发送的散列结果与他自己对消息进行散列计算的结果进行比较。

$ Digital Signature Algorithm (DSA) (N) An asymmetric cryptographic algorithm for a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: DSS.)

$ 数字签名算法(DSA)(N)以一对大数字的形式对数字签名进行非对称加密的算法。签名使用规则和参数进行计算,以便验证签名者的身份和签名数据的完整性。(见:DSS)

$ Digital Signature Standard (DSS) (N) The U.S. Government standard [FP186] that specifies the DSA.

$ 数字签名标准(DSS)(N)规定数字签名的美国政府标准[FP186]。

$ digital watermarking (I) Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data -- text, graphics, images, video, or audio -- and for detecting or extracting the marks later.

$ 数字水印(I)在数字数据(文本、图形、图像、视频或音频)中以位的形式不可分割地嵌入不引人注目的标记或标签,并在以后检测或提取标记的计算技术。

Tutorial: A "digital watermark", i.e., the set of embedded bits, is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights. [ACM]

教程:“数字水印”,即嵌入位的集合,有时是隐藏的,通常是不可察觉的,并且总是为了不引人注目。根据所使用的特定技术,数字水印可以帮助证明所有权、控制复制、跟踪分发、确保数据完整性以及执行其他保护知识产权的功能。[ACM]

$ digitized signature (D) Denotes various forms of digitized images of handwritten signatures. (Compare: digital signature).

$ 数字签名(D)表示手写签名的各种形式的数字化图像。(比较:数字签名)。

Deprecated Term: IDOCs SHOULD NOT use this term without including this definition. This term suggests careless use of "digital signature", which is the term standardized by [I7498-2]. (See: electronic signature.)

不推荐使用的术语:IDOCs不应在不包含此定义的情况下使用此术语。这一术语表示不小心使用了“数字签名”,这是[I7498-2]标准化的术语。(见:电子签名。)

$ DII (O) See: Defense Information Infrastructure.

$ DII(O)见:国防信息基础设施。

$ direct attack (I) See: secondary definition under "attack". (Compare: indirect attack.)

$ 直接攻击(I)见“攻击”下的二级定义。(比较:间接攻击。)

$ directory, Directory 1. (I) /not capitalized/ Refers generically to a database server or other system that stores and provides access to values of descriptive or operational data items that are associated with the components of a system. (Compare: repository.)

$ 目录,目录1。(一) /未大写/泛指存储并提供对与系统组件相关的描述性或操作性数据项值的访问的数据库服务器或其他系统。(比较:存储库。)

2. (N) /capitalized/ Refers specifically to the X.500 Directory. (See: DN, X.500.)

2. (N) /capitalized/专门指X.500目录。(见:DN,X.500)

$ Directory Access Protocol (DAP) (N) An OSI protocol [X519] for communication between a Directory User Agent (a type of X.500 client) and a Directory System Agent (a type of X.500 server). (See: LDAP.)

$ 目录访问协议(DAP)(N)用于目录用户代理(一种X.500客户端)和目录系统代理(一种X.500服务器)之间通信的OSI协议[X519]。(请参阅:LDAP。)

$ disaster plan (O) Synonym for "contingency plan".

$ 灾难计划(O)是“应急计划”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; instead, for consistency and neutrality of language, IDOCs SHOULD use "contingency plan".

不推荐使用的术语:IDoc不应使用此术语;相反,为了语言的一致性和中立性,IDOC应该使用“应急计划”。

$ disclosure See: unauthorized disclosure. Compare: exposure.

$ 披露见:未经授权的披露。比较:曝光。

$ discretionary access control 1a. (I) An access control service that (a) enforces a security policy based on the identity of system entities and the authorizations associated with the identities and (b) incorporates a concept of ownership in which access rights for a system resource may be granted and revoked by the entity that owns the resource. (See: access control list, DAC, identity-based security policy, mandatory access control.)

$ 自主访问控制1a。(一) 一种访问控制服务,其(a)基于系统实体的身份和与该身份相关联的授权强制执行安全策略,以及(b)包含所有权概念,其中系统资源的访问权可由拥有该资源的实体授予和撤销。(请参阅:访问控制列表、DAC、基于身份的安全策略、强制访问控制。)

Derivation: This service is termed "discretionary" because an entity can be granted access rights to a resource such that the entity can by its own volition enable other entities to access the resource.

派生:这项服务被称为“自主”服务,因为一个实体可以被授予对资源的访问权,这样该实体就可以根据自己的意愿使其他实体访问该资源。

1b. (O) /formal model/ "A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject." [DoD1]

1b。(O) /formal model/“一种基于对象和/或对象所属群体的身份限制对象访问的方法。控制是自由裁量的,即具有特定访问权限的对象能够将该权限(可能间接)传递给任何其他主体。”[DoD1]

$ DISN (O) See: Defense Information Systems Network (DISN).

$ 国防信息系统网络(DISN)见:国防信息系统网络(DISN)。

$ disruption (I) A circumstance or event that interrupts or prevents the correct operation of system services and functions. (See: availability, critical, system integrity, threat consequence.)

$ 中断(I)中断或阻止系统服务和功能正确运行的情况或事件。(请参阅:可用性、关键性、系统完整性、威胁后果。)

Tutorial: Disruption is a type of threat consequence; it can be caused by the following types of threat actions: incapacitation, corruption, and obstruction.

教程:中断是一种威胁后果;它可能由以下类型的威胁行为引起:丧失能力、腐败和阻碍。

$ Distinguished Encoding Rules (DER) (N) A subset of the Basic Encoding Rules that always provides only one way to encode any data structure defined by ASN.1. [X690].

$ 可分辨编码规则(DER)(N)基本编码规则的子集,它始终只提供一种方法来编码ASN.1定义的任何数据结构。[X690]。

Tutorial: For a data structure defined abstractly in ASN.1, BER often provides for encoding the structure into an octet string in more than one way, so that two separate BER implementations can legitimately produce different octet strings for the same ASN.1 definition. However, some applications require all encodings of a structure to be the same, so that encodings can be compared for equality. Therefore, DER is used in applications in which unique encoding is needed, such as when a digital signature is computed on a structure defined by ASN.1.

教程:对于ASN.1中抽象定义的数据结构,BER通常以多种方式将结构编码为八位字符串,因此两个单独的BER实现可以合法地为同一ASN.1定义生成不同的八位字符串。然而,有些应用程序要求一个结构的所有编码都相同,这样就可以比较编码是否相等。因此,DER用于需要唯一编码的应用中,例如在ASN.1定义的结构上计算数字签名时。

$ distinguished name (DN) (N) An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (Compare: domain name, identity, naming authority.)

$ 可分辨名称(DN)(N)唯一表示X.500目录信息树(DIT)中对象的标识符[X501]。(比较:域名、身份、命名机构。)

Tutorial: A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.

教程:DN是一组属性值,用于标识从DIT底部到命名对象的路径。X.509公钥证书或CRL包含标识其颁发者的DN,X.509属性证书包含标识其主题的DN或其他形式的名称。

$ distributed attack 1a. (I) An attack that is implemented with distributed computing. (See: zombie.)

$ 分布式攻击1a。(一) 一种通过分布式计算实现的攻击。(见:僵尸。)

1b. (I) An attack that deploys multiple threat agents.

1b。(一) 部署多个威胁代理的攻击。

$ Distributed Authentication Security Service (DASS) (I) An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.

$ 分布式身份验证安全服务(DASS)(I)一种实验性互联网协议[R1507],它使用加密机制在分布式环境中提供强大的相互身份验证服务。

$ distributed computing (I) A technique that disperses a single, logically related set of tasks among a group of geographically separate yet cooperating computers. (See: distributed attack.)

$ 分布式计算(I)一种技术,它将一组逻辑上相关的任务分散在一组地理上独立但相互协作的计算机中。(请参阅:分布式攻击。)

$ distribution point (I) An X.500 Directory entry or other information source that is named in a v3 X.509 public-key certificate extension as a location from which to obtain a CRL that may list the certificate.

$ 分发点(I)v3 X.509公钥证书扩展名中指定的X.500目录项或其他信息源,作为获取可能列出证书的CRL的位置。

Tutorial: A v3 X.509 public-key certificate may have a "cRLDistributionPoints" extension that names places to get CRLs on which the certificate might be listed. (See: certificate profile.) A CRL obtained from a distribution point may (a) cover either all reasons for which a certificate might be revoked or only some of the reasons, (b) be issued by either the authority that signed the certificate or some other authority, and (c) contain revocation entries for only a subset of the full set of certificates issued by one CA or (d) contain revocation entries for multiple CAs.

教程:v3 X.509公钥证书可能有一个“cRLDistributionPoints”扩展名,该扩展名指定了获取证书可能列出的CRL的位置。(参见:证书简介。)从分发点获得的CRL可能(A)涵盖证书可能被撤销的所有原因,或仅包括部分原因,(b)由签署证书的机构或其他机构颁发,以及(c)仅包含一个CA颁发的全套证书的子集的吊销条目,或(d)包含多个CA的吊销条目。

$ DKIM (I) See: Domain Keys Identified Mail.

$ DKIM(I)见:域密钥识别邮件。

$ DMZ (D) See: demilitarized zone.

$ 非军事区(D)见:非军事区。

$ DN (N) See: distinguished name.

$ DN(N)参见:可分辨名称。

$ DNS (I) See: Domain Name System.

$ DNS(一)见:域名系统。

$ doctrine See: security doctrine.

$ 原则见:安全原则。

$ DoD (N) Department of Defense.

$ 国防部(N)国防部。

Usage: To avoid international misunderstanding, IDOCs SHOULD use this abbreviation only with a national qualifier (e.g., U.S. DoD).

用法:为避免国际误解,IDOC应仅在国家限定词(如美国国防部)中使用此缩写。

$ DOI (I) See: Domain of Interpretation.

$ 内政部(一)见:解释领域。

$ domain 1a. (I) /general security/ An environment or context that (a) includes a set of system resources and a set of system entities that have the right to access the resources and (b) usually is defined by a security policy, security model, or security architecture. (See: CA domain, domain of interpretation, security perimeter. Compare: COI, enclave.)

$ 域1a。(一) /通用安全性/一种环境或上下文(a)包括一组系统资源和一组有权访问资源的系统实体,以及(b)通常由安全策略、安全模型或安全体系结构定义。(参见:CA域、解释域、安全周界。比较:COI、enclave。)

Tutorial: A "controlled interface" or "guard" is required to transfer information between network domains that operate under different security policies.

教程:在不同安全策略下运行的网络域之间传输信息需要“受控接口”或“防护”。

1b. (O) /security policy/ A set of users, their information objects, and a common security policy. [DoD6, SP33]

1b。(O) /security policy/一组用户、他们的信息对象和通用安全策略。[DoD6,SP33]

1c. (O) /security policy/ A system or collection of systems that (a) belongs to a community of interest that implements a consistent security policy and (b) is administered by a single authority.

1c。(O) /security policy/A系统或系统集合,其(A)属于实施一致安全策略的利益团体,且(b)由单一机构管理。

2. (O) /COMPUSEC/ An operating state or mode of a set of computer hardware.

2. (O) /COMPUSEC/一组计算机硬件的操作状态或模式。

Tutorial: Most computers have at least two hardware operating modes [Gass]: - "Privileged" mode: a.k.a. "executive", "master", "system", "kernel", or "supervisor" mode. In this mode, software can execute all machine instructions and access all storage locations. - "Unprivileged" mode: a.k.a. "user", "application", or "problem" mode. In this mode, software is restricted to a subset of the instructions and a subset of the storage locations.

教程:大多数计算机至少有两种硬件操作模式[Gass]:-“特权”模式:也称为“执行”、“主控”、“系统”、“内核”或“监控”模式。在此模式下,软件可以执行所有机器指令并访问所有存储位置。-“非特权”模式:又称“用户”、“应用程序”或“问题”模式。在此模式下,软件仅限于指令子集和存储位置子集。

3. (O) "A distinct scope within which certain common characteristics are exhibited and common rules are observed." [CORBA]

3. (O) “展示某些共同特征和遵守共同规则的独特范围。”[CORBA]

4. (O) /MISSI/ The domain of a MISSI CA is the set of MISSI users whose certificates are signed by the CA.

4. (O) /MISSI/MISSI CA的域是其证书由CA签名的一组MISSI用户。

5. (I) /Internet/ That part of the tree-structured name space of the DNS that is at or below the name that specifies the domain. A domain is a subdomain of another domain if it is contained within that domain. For example, D.C.B.A is a subdomain of C.B.A

5. (一) /Internet/DNS的树状结构名称空间中位于或低于指定域的名称的部分。如果一个域包含在另一个域中,则该域是该域的子域。例如,D.C.B.A是C.B.A的子域

6. (O) /OSI/ An administrative partition of a complex distributed OSI system.

6. (O) /OSI/复杂分布式OSI系统的管理分区。

$ Domain Keys Identified Mail (DKIM) (I) A protocol, which is being specified by the IETF working group of the same name, to provide data integrity and domain-level (see: DNS, domain name) data origin authentication for Internet mail messages. (Compare: PEM.)

$ 域密钥识别邮件(DKIM)(I)IETF同名工作组指定的一种协议,用于为Internet邮件消息提供数据完整性和域级(请参阅:DNS,域名)数据源身份验证。(比较:PEM)

Tutorial: DKIM employs asymmetric cryptography to create a digital signature for an Internet email message's body and selected

教程:DKIM使用非对称加密技术为Internet电子邮件正文和选定内容创建数字签名

headers (see RFC 1822), and the signature is then carried in a header of the message. A recipient of the message can verify the signature and, thereby, authenticate the identity of the originating domain and the integrity of the signed content, by using a public key belonging to the domain. The key can be obtained from the DNS.

消息头(参见RFC1822),然后签名被携带在消息头中。消息的接收者可以通过使用属于该域的公钥来验证签名,从而认证发起域的身份和签名内容的完整性。可以从DNS获取密钥。

$ domain name (I) The style of identifier that is defined for subtrees in the Internet DNS -- i.e., a sequence of case-insensitive ASCII labels separated by dots (e.g., "bbn.com") -- and also is used in other types of Internet identifiers, such as host names (e.g., "rosslyn.bbn.com"), mailbox names (e.g., "rshirey@bbn.com") and URLs (e.g., "http://www.rosslyn.bbn.com/foo"). (See: domain. Compare: DN.)

$ 域名(I)为Internet DNS中的子树定义的标识符样式——即,由点分隔的不区分大小写的ASCII标签序列(例如,“bbn.com”)——也用于其他类型的Internet标识符,如主机名(例如,“rosslyn.bbn.com”)、邮箱名(例如rshirey@bbn.com)和URL(例如。,"http://www.rosslyn.bbn.com/foo)(请参阅:域。比较:DN。)

Tutorial: The name space of the DNS is a tree structure in which each node and leaf holds records describing a resource. Each node has a label. The domain name of a node is the list of labels on the path from the node to the root of the tree. The labels in a domain name are printed or read left to right, from the most specific (lowest, farthest from the root) to the least specific (highest, closest to the root), but the root's label is the null string. (See: country code.)

教程:DNS的名称空间是一个树结构,其中每个节点和叶都保存描述资源的记录。每个节点都有一个标签。节点的域名是从节点到树根的路径上的标签列表。域名中的标签从左到右打印或读取,从最特定的(最低,离根最远)到最不特定的(最高,离根最近),但根的标签是空字符串。(请参阅:国家代码。)

$ Domain Name System (DNS) (I) The main Internet operations database, which is distributed over a collection of servers and used by client software for purposes such as (a) translating a domain name-style host name into an IP address (e.g., "rosslyn.bbn.com" translates to "192.1.7.10") and (b) locating a host that accepts mail for a given mailbox address. (RFC 1034) (See: domain name.)

$ 域名系统(DNS)(I)主要的互联网操作数据库,分布在一组服务器上,由客户端软件用于(a)将域名样式的主机名转换为IP地址(例如,“rosslyn.bbn.com”转换为“192.1.7.10”)和(b)查找接受给定邮箱地址邮件的主机。(RFC1034)(见:域名)

Tutorial: The DNS has three major components: - Domain name space and resource records: Specifications for the tree-structured domain name space, and data associated with the names. - Name servers: Programs that hold information about a subset of the tree's structure and data holdings, and also hold pointers to other name servers that can provide information from any part of the tree. - Resolvers: Programs that extract information from name servers in response to client requests; typically, system routines directly accessible to user programs.

教程:DNS有三个主要组件:-域名空间和资源记录:树状结构域名空间的规范,以及与名称相关的数据。-名称服务器:保存有关树的结构和数据的子集信息的程序,还保存指向其他名称服务器的指针,这些名称服务器可以提供来自树的任何部分的信息。-解析程序:根据客户端请求从名称服务器提取信息的程序;通常,用户程序可以直接访问系统例程。

Extensions to the DNS [R4033, R4034, R4035] support (a) key distribution for public keys needed for the DNS and for other protocols, (b) data origin authentication service and data

DNS的扩展[R4033、R4034、R4035]支持(a)DNS和其他协议所需公钥的密钥分发,(b)数据源身份验证服务和数据

integrity service for resource records, (c) data origin authentication service for transactions between resolvers and servers, and (d) access control of records.

资源记录的完整性服务,(c)解析程序和服务器之间事务的数据源身份验证服务,以及(d)记录的访问控制。

$ domain of interpretation (DOI) (I) /IPsec/ A DOI for ISAKMP or IKE defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. Example: See [R2407].

$ ISAKMP或IKE的解释域(DOI)(I)/IPsec/A DOI定义了有效负载格式、交换类型和命名安全相关信息(如安全策略或加密算法和模式)的约定。示例:请参见[R2407]。

Derivation: The DOI concept is based on work by the TSIG's CIPSO Working Group.

推导:内政部概念基于TSIG的CIPSO工作组的工作。

$ dominate (I) Security level A is said to "dominate" security level B if the (hierarchical) classification level of A is greater (higher) than or equal to that of B, and A's (nonhierarchical) categories include (as a subset) all of B's categories. (See: lattice, lattice model.)

$ 主导(I)如果A的(分层)分类级别大于(高于)或等于B的分类级别,且A的(非分层)类别包括(作为子集)B的所有类别,则称A的安全级别为“主导”安全级别B。(请参见:晶格,晶格模型。)

$ dongle (I) A portable, physical, usually electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)

$ 加密狗(I):一种便携式物理设备,通常是电子设备,需要连接到计算机上才能运行特定的软件程序。(请参阅:令牌。)

Tutorial: A dongle is essentially a physical key used for copy protection of software; that is, the program will not run unless the matching dongle is attached. When the software runs, it periodically queries the dongle and quits if the dongle does not reply with the proper authentication information. Dongles were originally constructed as an EPROM (erasable programmable read-only memory) to be connected to a serial input-output port of a personal computer.

教程:加密狗本质上是用于软件拷贝保护的物理密钥;也就是说,除非连接了匹配的加密狗,否则程序不会运行。当软件运行时,它会定期查询加密狗,如果加密狗没有使用正确的身份验证信息进行回复,它就会退出。加密狗最初被构造为一个EPROM(可擦除可编程只读存储器),连接到个人计算机的串行输入输出端口。

$ downgrade (I) /data security/ Reduce the security level of data (especially the classification level) without changing the information content of the data. (Compare: downgrade.)

$ 降级(I)/数据安全性/在不改变数据信息内容的情况下降低数据的安全级别(尤其是分类级别)。(比较:降级。)

$ downgrade attack (I) A type of man-in-the-middle attack in which the attacker can cause two parties, at the time they negotiate a security association, to agree on a lower level of protection than the highest level that could have been supported by both of them. (Compare: downgrade.)

$ 降级攻击(I)一种中间人攻击类型,在这种攻击中,攻击者可以使双方在协商安全关联时,就低于双方可能支持的最高级别的保护级别达成一致。(比较:降级。)

$ draft RFC (D) A preliminary, temporary version of a document that is intended to become an RFC. (Compare: Internet-Draft.)

$ RFC草案(D):旨在成为RFC的文件的初步、临时版本。(比较:互联网草稿。)

Deprecated Term: IDOCs SHOULD NOT use this term. The RFC series is archival in nature and consists only of documents in permanent form. A document that is intended to become an RFC usually needs to be published first as an Internet-Draft (RFC 2026). (See: "Draft Standard" under "Internet Standard".)

不推荐使用的术语:IDOCs不应使用此术语。RFC系列本质上是存档的,只包含永久形式的文档。打算成为RFC的文件通常需要首先作为互联网草案(RFC 2026)发布。(参见“互联网标准”下的“标准草案”。)

$ Draft Standard (I) See: secondary definition under "Internet Standard".

$ 标准草案(I)见“互联网标准”下的二级定义。

$ DSA (N) See: Digital Signature Algorithm.

$ DSA(N)参见:数字签名算法。

$ DSS (N) See: Digital Signature Standard.

$ DSS(N)参见:数字签名标准。

$ dual control (I) A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. (See: no-lone zone, separation of duties, split knowledge.)

$ 双重控制(I)一种程序,使用两个或多个实体(通常是人员)协同工作来保护系统资源,这样,任何单独行动的实体都无法访问该资源。(参见:无单独区域、职责分离、知识分离。)

$ dual signature (O) /SET/ A single digital signature that protects two separate messages by including the hash results for both sets in a single encrypted value. [SET2]

$ 双重签名(O)/SET/一种单一数字签名,通过在单个加密值中包含两个集合的哈希结果来保护两个单独的消息。[SET2]

Deprecated Usage: IDOCs SHOULD NOT use this term except when qualified as "SET(trademark) dual signature" with this definition.

不推荐使用:IDOCs不应使用此术语,除非符合此定义的“集(商标)双重签名”。

Tutorial: Generated by hashing each message separately, concatenating the two hash results, and then hashing that value and encrypting the result with the signer's private key. Done to reduce the number of encryption operations and to enable verification of data integrity without complete disclosure of the data.

教程:分别对每条消息进行散列,连接两个散列结果,然后对该值进行散列,并使用签名者的私钥对结果进行加密。这样做是为了减少加密操作的数量,并在不完全披露数据的情况下验证数据的完整性。

$ dual-use certificate (O) A certificate that is intended for use with both digital signature and data encryption services. [SP32]

$ 两用证书(O)用于数字签名和数据加密服务的证书。[SP32]

Usage: IDOCs that use this term SHOULD state a definition for it by identifying the intended uses of the certificate, because there are more than just these two uses mentioned in the NIST publication. A v3 X.509 public-key certificate may have a "key

用法:使用该术语的IDOC应通过确定证书的预期用途来说明其定义,因为NIST出版物中提到的不仅仅是这两种用途。v3 X.509公钥证书可能具有“密钥”

Usage" extension, which indicates the purposes for which the public key may be used. (See: certificate profile.)

“用法”扩展名,指示公钥可用于的目的。(请参阅:证书配置文件。)

$ duty (I) An attribute of a role that obligates an entity playing the role to perform one or more tasks, which usually are essential for the functioning of the system. [Sand] (Compare authorization, privilege. See: role, billet.)

$ 职责(I)角色的一种属性,该属性要求扮演角色的实体执行一项或多项任务,这些任务通常对系统的运行至关重要。[Sand](比较授权和特权。请参阅:角色和权限。)

$ e-cash (O) Electronic cash; money that is in the form of data and can be used as a payment mechanism on the Internet. (See: IOTP.)

$ 电子现金(O)电子现金;以数据形式存在并可在互联网上用作支付机制的货币。(见:IOTP)

Usage: IDOCs that use this term SHOULD state a definition for it because many different types of electronic cash have been devised with a variety of security mechanisms.

用法:使用此术语的IDoc应说明其定义,因为许多不同类型的电子现金都设计了各种安全机制。

$ EAP (I) See: Extensible Authentication Protocol.

$ EAP(I)见:可扩展认证协议。

$ EAL (O) See: evaluation assurance level.

$ EAL(O)见:评估保证水平。

$ Easter egg (O) "Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and [are] intended to be non-threatening" [SP28], but Easter eggs have the potential to contain malicious code.

$ 复活节彩蛋(O)“应用程序中的隐藏功能,当输入一组未记录且通常复杂的命令和击键时,该功能将被激活。复活节彩蛋通常用于显示开发团队的积分,[被]设计为非威胁性”[SP28],但是复活节彩蛋有可能包含恶意代码。

Deprecated Usage: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐的用法:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ eavesdropping (I) Passive wiretapping done secretly, i.e., without the knowledge of the originator or the intended recipients of the communication.

$ 窃听(I)秘密进行的被动窃听,即在通信发端人或预期接收人不知情的情况下进行。

$ ECB (N) See: electronic codebook.

$ 欧洲央行(N)见:电子码本。

$ ECDSA (N) See: Elliptic Curve Digital Signature Algorithm.

$ ECDSA(N)参见:椭圆曲线数字签名算法。

$ economy of alternatives (I) The principle that a security mechanism should be designed to minimize the number of alternative ways of achieving a service. (Compare: economy of mechanism.)

$ 替代方案的经济性(I)安全机制的设计原则应尽量减少实现服务的替代方法的数量。(比较:机制的经济性。)

$ economy of mechanism (I) The principle that a security mechanism should be designed to be as simple as possible, so that (a) the mechanism can be correctly implemented and (b) it can be verified that the operation of the mechanism enforces the system's security policy. (Compare: economy of alternatives, least privilege.)

$ 机制的经济性(I)安全机制应设计为尽可能简单的原则,以便(a)机制能够正确实施,以及(b)能够验证机制的运行是否强制执行系统的安全策略。(比较:替代方案的经济性,最低特权。)

$ ECU (N) See: end cryptographic unit.

$ ECU(N)参见:结束加密单元。

$ EDI (I) See: electronic data interchange.

$ 电子数据交换(一)见:电子数据交换。

$ EDIFACT (N) See: secondary definition under "electronic data interchange".

$ EDIFACT(N)见“电子数据交换”下的二级定义。

$ EE (D) Abbreviation of "end entity" and other terms.

$ EE(D)“最终实体”和其他术语的缩写。

Deprecated Abbreviation: IDOCs SHOULD NOT use this abbreviation; there could be confusion among "end entity", "end-to-end encryption", "escrowed encryption standard", and other terms.

不推荐使用的缩写:IDOCs不应使用此缩写;“端实体”、“端到端加密”、“托管加密标准”和其他术语之间可能存在混淆。

$ EES (O) See: Escrowed Encryption Standard.

$ EES(O)参见:托管加密标准。

$ effective key length (O) "A measure of strength of a cryptographic algorithm, regardless of actual key length." [IATF] (See: work factor.)

$ 有效密钥长度(O)“密码算法强度的度量,与实际密钥长度无关。”[IATF](参见:工作系数。)

$ effectiveness (O) /ITSEC/ A property of a TOE representing how well it provides security in the context of its actual or proposed operational use.

$ 有效性(O)/ITSEC/TOE的一种属性,表示TOE在实际或拟议的操作使用中提供安全性的程度。

$ El Gamal algorithm (N) An algorithm for asymmetric cryptography, invented in 1985 by Taher El Gamal, that is based on the difficulty of calculating discrete logarithms and can be used for both encryption and digital signatures. [ElGa]

$ El-Gamal算法(N):Taher El-Gamal于1985年发明的一种非对称加密算法,该算法基于计算离散对数的困难,可用于加密和数字签名。[ElGa]

$ electronic codebook (ECB) (N) A block cipher mode in which a plaintext block is used directly as input to the encryption algorithm and the resultant output block is used directly as cipher text [FP081]. (See: block cipher, [SP38A].)

$ 电子码本(ECB)(N)一种分组密码模式,其中明文块直接用作加密算法的输入,而生成的输出块直接用作密文[FP081]。(参见:分组密码[SP38A]。)

$ electronic commerce 1. (I) Business conducted through paperless exchanges of information, using electronic data interchange, electronic funds transfer (EFT), electronic mail, computer bulletin boards, facsimile, and other paperless technologies.

$ 电子商务1。(一) 通过无纸信息交换、电子数据交换、电子资金转账(EFT)、电子邮件、计算机公告板、传真和其他无纸技术开展的业务。

2. (O) /SET/ "The exchange of goods and services for payment between the cardholder and merchant when some or all of the transaction is performed via electronic communication." [SET2]

2. (O) /SET/“当部分或全部交易通过电子通信进行时,持卡人和商户之间为支付而交换商品和服务。”[SET2]

$ electronic data interchange (EDI) (I) Computer-to-computer exchange, between trading partners, of business data in standardized document formats.

$ 电子数据交换(EDI)(I)贸易伙伴之间以标准文件格式进行的商业数据的计算机对计算机交换。

Tutorial: EDI formats have been standardized primarily by ANSI X12 and by EDIFACT (EDI for Administration, Commerce, and Transportation), which is an international, UN-sponsored standard primarily used in Europe and Asia. X12 and EDIFACT are aligning to create a single, global EDI standard.

教程:EDI格式主要由ANSI X12和EDIFACT(用于行政、商业和运输的EDI)标准化,这是一种主要在欧洲和亚洲使用的联合国赞助的国际标准。X12和EDIFACT正在联合起来创建一个单一的全球EDI标准。

$ Electronic Key Management System (EKMS) (O) "Interoperable collection of systems developed by ... the U.S. Government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic keying material and the management of other types of COMSEC material." [C4009]

$ 电子钥匙管理系统(EKMS)(O)“……美国政府开发的可互操作的系统集合,用于自动规划、订购、生成、分发、存储、填充、使用和销毁电子钥匙材料以及管理其他类型的通信安全材料。”[C4009]

$ electronic signature (D) Synonym for "digital signature" or "digitized signature".

$ 电子签名(D)“数字签名”或“数字签名”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; there is no current consensus on its definition. Instead, use "digital signature", if that is what was intended

不推荐使用的术语:IDoc不应使用此术语;目前还没有就其定义达成共识。相反,如果打算使用“数字签名”,请使用“数字签名”

$ electronic wallet (D) A secure container to hold, in digitized form, some sensitive data objects that belong to the owner, such as electronic money, authentication material, and various types of personal information. (See: IOTP.)

$ 电子钱包(D):一种安全的容器,以数字化形式存放属于所有者的一些敏感数据对象,如电子货币、身份验证材料和各种类型的个人信息。(见:IOTP)

Deprecated Term: IDOCs SHOULD NOT use this term. There is no current consensus on its definition; and some uses and definitions

不推荐使用的术语:IDOCs不应使用此术语。目前还没有就其定义达成共识;以及一些用法和定义

may be proprietary. Meanings range from virtual wallets implemented by data structures to physical wallets implemented by cryptographic tokens. (See: Deprecated Usage under "Green Book".)

可能是专有的。含义从数据结构实现的虚拟钱包到加密令牌实现的物理钱包。(请参阅“绿皮书”下不推荐的用法。)

$ elliptic curve cryptography (ECC) (I) A type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve, where the curve is defined by a quadratic equation in a finite field. [Schn]

$ 椭圆曲线密码术(ECC)(I)一种基于由曲线上的点定义的群的数学的非对称密码术,其中曲线由有限域中的二次方程定义。[施恩]

Tutorial: ECC is based on mathematics different than that originally used to define the Diffie-Hellman-Merkle algorithm and the DSA, but ECC can be used to define an algorithm for key agreement that is an analog of Diffie-Hellman-Merkle [A9063] and an algorithm for digital signature that is an analog of DSA [A9062]. The mathematical problem upon which ECC is based is believed to be more difficult than the problem upon which Diffie-Hellman-Merkle is based and, therefore, that keys for ECC can be shorter for a comparable level of security. (See: ECDSA.)

教程:ECC基于不同于最初用于定义Diffie-Hellman-Merkle算法和DSA的数学,但ECC可用于定义类似Diffie-Hellman-Merkle[A9063]的密钥协商算法和类似DSA[A9062]的数字签名算法。ECC所基于的数学问题被认为比Diffie-Hellman-Merkle所基于的问题更难,因此,ECC的密钥可以更短,以达到相当的安全级别。(见:ECDSA)

$ Elliptic Curve Digital Signature Algorithm (ECDSA) (N) A standard [A9062] that is the analog, in elliptic curve cryptography, of the Digital Signature Algorithm.

$ 椭圆曲线数字签名算法(ECDSA)(N)标准[A9062],在椭圆曲线密码学中模拟数字签名算法。

$ emanation (I) A signal (e.g., electromagnetic or acoustic) that is emitted by a system (e.g., through radiation or conductance) as a consequence (i.e., byproduct) of the system's operation, and that may contain information. (See: emanations security.)

$ 发射(I)系统(例如通过辐射或电导)作为系统运行的结果(即副产品)发射的信号(例如电磁或声学),可能包含信息。(见:放射安全。)

$ emanations analysis (I) /threat action/ See: secondary definition under "interception".

$ 辐射分析(I)/威胁行动/见“拦截”下的二级定义。

$ emanations security (EMSEC) (I) Physical security measures to protect against data compromise that could occur because of emanations that might be received and read by an unauthorized party. (See: emanation, TEMPEST.)

$ 放射安全(EMSEC)(I)物理安全措施,以防止因未经授权方接收和读取放射而可能发生的数据泄露。(见:放射,暴风雨。)

Usage: Refers either to preventing or limiting emanations from a system and to preventing or limiting the ability of unauthorized parties to receive the emissions.

用途:指防止或限制系统排放,以及防止或限制未经授权方接收排放的能力。

$ embedded cryptography (N) "Cryptography engineered into an equipment or system whose basic function is not cryptographic." [C4009]

$ 嵌入式加密技术(N)“设计成基本功能不是加密的设备或系统的加密技术。”[C4009]

$ emergency plan (D) Synonym for "contingency plan".

$ 应急计划(D)“应急计划”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term. Instead, for neutrality and consistency of language, use "contingency plan".

不推荐使用的术语:IDOCs不应使用此术语。相反,为了语言的中立性和一致性,使用“应急计划”。

$ emergency response (O) An urgent response to a fire, flood, civil commotion, natural disaster, bomb threat, or other serious situation, with the intent of protecting lives, limiting damage to property, and minimizing disruption of system operations. [FP087] (See: availability, CERT, emergency plan.)

$ 应急响应(O)对火灾、洪水、内乱、自然灾害、炸弹威胁或其他严重情况的紧急响应,旨在保护生命、限制财产损失并最大限度地减少系统运行中断。[FP087](见:可用性、证书、应急计划)

$ EMSEC (I) See: emanations security.

$ EMSEC(I)见:辐射安全。

$ EMV (N) Abbreviation of "Europay, MasterCard, Visa". Refers to a specification for smart cards that are used as payment cards, and for related terminals and applications. [EMV1, EMV2, EMV3]

$ EMV(N)“Europay、万事达卡、Visa”的缩写。指用作支付卡的智能卡以及相关终端和应用程序的规范。[EMV1、EMV2、EMV3]

$ Encapsulating Security Payload (ESP) (I) An Internet protocol [R2406, R4303] designed to provide data confidentiality service and other security services for IP datagrams. (See: IPsec. Compare: AH.)

$ 封装安全有效载荷(ESP)(I)互联网协议[R2406,R4303],旨在为IP数据报提供数据保密服务和其他安全服务。(请参阅:IPsec。比较:AH)

Tutorial: ESP may be used alone, or in combination with AH, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. The ESP header is encapsulated by the IP header, and the ESP header encapsulates either the upper-layer protocol header (transport mode) or an IP header (tunnel mode). ESP can provide data confidentiality service, data origin authentication service, connectionless data integrity service, an anti-replay service, and limited traffic-flow confidentiality. The set of services depends on the placement of the implementation and on options selected when the security association is established.

教程:ESP可以单独使用,也可以与AH结合使用,或者以嵌套方式与隧道结合使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP报头由IP报头封装,ESP报头封装上层协议报头(传输模式)或IP报头(隧道模式)。ESP可以提供数据保密服务、数据源身份验证服务、无连接数据完整性服务、防重放服务和有限流量保密性。服务集取决于实现的位置以及在建立安全关联时选择的选项。

$ encipher (D) Synonym for "encrypt".

$ Encrypher(D)“encrypt”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encrypt". However, see Usage note under "encryption".

不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词。但是,请参见“加密”下的用法说明。

$ encipherment (D) Synonym for "encryption".

$ 加密(D)“加密”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encryption". However, see Usage note under "encryption".

不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词。但是,请参见“加密”下的用法说明。

$ enclave 1. (I) A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. (Compare: domain.)

$ 飞地1。(一) 在同一安全域中运行的一组系统资源,它们共享单个、公共、连续安全外围的保护。(比较:域。)

2. (D) /U.S. Government/ "Collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security." [C4009]

2. (D) /U.S.Government/“由一个或多个内部网络连接的计算环境的集合,在单一机构和安全政策的控制下,包括人员和物理安全。”[C4009]

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2 because the definition applies to what is usually called a "security domain". That is, a security domain is a set of one or more security enclaves.

不推荐使用的定义:IDOCs不应将此术语与定义2一起使用,因为该定义适用于通常称为“安全域”的内容。也就是说,安全域是一个或多个安全飞地的集合。

$ encode 1. (I) Use a system of symbols to represent information, which might originally have some other representation. Example: Morse code. (See: ASCII, BER.) (See: code, decode.)

$ 编码1。(一) 使用符号系统来表示信息,这些信息最初可能具有其他表示形式。例子:摩尔斯电码。(参见:ASCII,BER。)(参见:编码,解码。)

2. (D) Synonym for "encrypt".

2. (D) “加密”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encrypt"; encoding is not always meant to conceal meaning.

不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词;编码并不总是为了隐藏意义。

$ encrypt (I) Cryptographically transform data to produce cipher text. (See: encryption. Compare: seal.)

$ 加密(I)以加密方式转换数据以生成密文。(请参见:加密。比较:密封。)

$ encryption 1. (I) Cryptographic transformation of data (called "plain text") into a different form (called "cipher text") that conceals the data's original meaning and prevents the original form from being used. The corresponding reverse process is "decryption", a transformation that restores encrypted data to its original form. (See: cryptography.)

$ 加密1。(一) 将数据(称为“纯文本”)加密转换为另一种形式(称为“密文”),以隐藏数据的原始含义并防止原始形式被使用。相应的反向过程是“解密”,一种将加密数据恢复为原始形式的转换。(请参阅:密码学。)

2. (O) "The cryptographic transformation of data to produce ciphertext." [I7498-2]

2. (O) “对数据进行加密转换以产生密文。”[I7498-2]

Usage: For this concept, IDOCs SHOULD use the verb "to encrypt" (and related variations: encryption, decrypt, and decryption). However, because of cultural biases involving human burial, some international documents (particularly ISO and CCITT standards) avoid "to encrypt" and instead use the verb "to encipher" (and related variations: encipherment, decipher, decipherment).

用法:对于这个概念,idoc应该使用动词“to encrypt”(以及相关变体:encrypt、decrypt和decryption)。然而,由于涉及人类埋葬的文化偏见,一些国际文件(特别是ISO和CCITT标准)避免使用“加密”,而是使用动词“加密”(以及相关变体:加密、解密、解密)。

Tutorial: Usually, the plaintext input to an encryption operation is clear text. But in some cases, the plain text may be cipher text that was output from another encryption operation. (See: superencryption.)

教程:通常,加密操作的明文输入是明文。但在某些情况下,纯文本可能是另一个加密操作输出的密文。(请参阅:超级加密。)

Encryption and decryption involve a mathematical algorithm for transforming data. Besides the data to be transformed, the algorithm has one or more inputs that are control parameters: (a) a key that varies the transformation and, in some cases, (b) an IV that establishes the starting state of the algorithm.

加密和解密涉及转换数据的数学算法。除了要转换的数据外,算法还有一个或多个作为控制参数的输入:(a)改变转换的键,在某些情况下,(b)建立算法启动状态的IV。

$ encryption certificate (I) A public-key certificate that contains a public key that is intended to be used for encrypting data, rather than for verifying digital signatures or performing other cryptographic functions.

$ 加密证书(I)包含公钥的公钥证书,用于加密数据,而不是验证数字签名或执行其他加密功能。

Tutorial: A v3 X.509 public-key certificate may have a "keyUsage" extension that indicates the purpose for which the certified public key is intended. (See: certificate profile.)

教程:v3 X.509公钥证书可能有一个“keyUsage”扩展名,用于指示认证公钥的用途。(请参阅:证书配置文件。)

$ end cryptographic unit (ECU) 1. (N) Final destination device into which a key is loaded for operational use.

$ 结束加密单元(ECU)1。(N) 将密钥加载到其中以供操作使用的最终目标设备。

2. (N) A device that (a) performs cryptographic functions, (b) typically is part of a larger system for which the device provides security services, and (c), from the viewpoint of a supporting security infrastructure such as a key management system, is the lowest level of identifiable component with which a management transaction can be conducted

2. (N) 设备(A)执行加密功能,(b)通常是设备提供安全服务的较大系统的一部分,并且(c)从诸如密钥管理系统之类的支持安全基础设施的观点来看,是可用于执行管理事务的最低级别的可识别组件

$ end entity 1. (I) A system entity that is the subject of a public-key certificate and that is using, or is permitted and able to use, the matching private key only for purposes other than signing a digital certificate; i.e., an entity that is not a CA.

$ 结束实体1。(一) 作为公钥证书主体的系统实体,且仅出于签署数字证书以外的目的使用或允许并能够使用匹配私钥;i、 例如,不是CA的实体。

2. (O) "A certificate subject [that] uses its public [sic] key for purposes other than signing certificates." [X509]

2. (O) “将其公钥[sic]用于证书签名以外的目的的证书主体。”[X509]

Deprecated Definition: IDOCs SHOULD NOT use definition 2, which is misleading and incomplete. First, that definition should have said "private key" rather than "public key" because certificates are not usefully signed with a public key. Second, the X.509 definition is ambiguous regarding whether an end entity may or may not use the private key to sign a certificate, i.e., whether the subject may be a CA. The intent of X.509's authors was that an end entity certificate is not valid for use in verifying a signature

不推荐使用的定义:IDOCs不应使用定义2,因为它具有误导性且不完整。首先,该定义应该说是“私钥”而不是“公钥”,因为证书不是用公钥有效地签名的。其次,X.509的定义对于终端实体是否可以使用私钥签署证书(即,主体是否是CA)是不明确的。X.509作者的意图是终端实体证书在验证签名时无效

on an X.509 certificate or X.509 CRL. Thus, it would have been better for the X.509 definition to have said "only for purposes other than signing certificates".

在X.509证书或X.509 CRL上。因此,如果X.509定义中说“仅用于签署证书以外的目的”,则更好。

Usage: Despite the problems in the X.509 definition, the term itself is useful in describing applications of asymmetric cryptography. The way the term is used in X.509 implies that it was meant to be defined, as we have done here, relative to roles that an entity (which is associated with an OSI end system) is playing or is permitted to play in applications of asymmetric cryptography other than the PKI that supports applications.

用法:尽管X.509定义中存在问题,但该术语本身在描述非对称加密的应用时很有用。X.509中使用该术语的方式意味着,正如我们在这里所做的那样,该术语的定义与实体(与OSI终端系统关联)正在或允许在非对称加密应用程序中扮演的角色有关,而不是支持应用程序的PKI。

Tutorial: Whether a subject can play both CA and non-CA roles, with either the same or different certificates, is a matter of policy. (See: CPS.) A v3 X.509 public-key certificate may have a "basicConstraints" extension containing a "cA" value that specifically "indicates whether or not the public key may be used to verify certificate signatures". (See: certificate profile.)

教程:主题是否可以使用相同或不同的证书同时扮演CA和非CA角色是一个政策问题。(请参阅:CPS。)v3 X.509公钥证书可能有一个“basicConstraints”扩展,其中包含一个“cA”值,该值专门“指示公钥是否可用于验证证书签名”。(请参阅:证书配置文件。)

$ end system (N) /OSIRM/ A computer that implements all seven layers of the OSIRM and may attach to a subnetwork. Usage: In the IPS context, an end system is called a "host".

$ 终端系统(N)/OSIRM/实现所有七层OSIRM并可连接到子网络的计算机。用法:在IPS上下文中,终端系统称为“主机”。

$ end-to-end encryption (I) Continuous protection of data that flows between two points in a network, effected by encrypting data when it leaves its source, keeping it encrypted while it passes through any intermediate computers (such as routers), and decrypting it only when it arrives at the intended final destination. (See: wiretapping. Compare: link encryption.)

$ 端到端加密(I)对网络中两点之间流动的数据的连续保护,通过在数据离开源时加密数据、在数据通过任何中间计算机(如路由器)时保持加密以及仅在数据到达预定最终目的地时解密来实现。(请参见:窃听。比较:链接加密。)

Examples: A few are BLACKER, CANEWARE, IPLI, IPsec, PLI, SDNS, SILS, SSH, SSL, TLS.

示例:一些是Black、CANEWARE、IPLI、IPsec、PLI、SDN、SILS、SSH、SSL、TLS。

Tutorial: When two points are separated by multiple communication links that are connected by one or more intermediate relays, end-to-end encryption enables the source and destination systems to protect their communications without depending on the intermediate systems to provide the protection.

教程:当两个点被由一个或多个中间继电器连接的多个通信链路分隔时,端到端加密使源系统和目标系统能够保护其通信,而无需依赖中间系统来提供保护。

$ end user 1. (I) /information system/ A system entity, usually a human individual, that makes use of system resources, primarily for application purposes as opposed to system management purposes.

$ 最终用户1。(一) /信息系统/利用系统资源的系统实体,通常是个人,主要用于应用目的而非系统管理目的。

2. (D) /PKI/ Synonym for "end entity".

2. (D) /PKI/是“最终实体”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use "end user" as a synonym for "end entity", because that would mix concepts in a potentially misleading way.

不推荐使用的定义:IDOCs不应使用“最终用户”作为“最终实体”的同义词,因为这会以潜在误导的方式混合概念。

$ endorsed-for-unclassified cryptographic item (EUCI) (O) /U.S. Government/ "Unclassified cryptographic equipment that embodies a U.S. Government classified cryptographic logic and is endorsed by NSA for the protection of national security information." [C4009] (Compare: CCI, type 2 product.)

$ 为非保密密码项目(EUCI)(O)/美国政府/背书“包含美国政府保密密码逻辑并由NSA背书用于保护国家安全信息的非保密密码设备”。[C4009](比较:CCI,2类产品。)

$ entity See: system entity.

$ 实体请参见:系统实体。

$ entrapment (I) "The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit." [FP039] (See: honey pot.)

$ 诱捕(I)“故意在系统中植入明显的缺陷,以检测企图的渗透或混淆入侵者利用哪些缺陷。”[FP039](见:蜜罐)

$ entropy 1. (I) An information-theoretic measure (usually stated as a number of bits) of the amount of uncertainty that an attacker faces to determine the value of a secret. [SP63] (See: strength.)

$ 熵1。(一) 攻击者在确定秘密价值时所面临的不确定性量的信息论度量(通常以位数表示)。[SP63](见:强度)

Example: If a password is said to contain at least 20 bits of entropy, that means that it must be as hard to find the password as to guess a 20-bit random number.

例如:如果一个密码至少包含20位的熵,这意味着找到密码一定和猜测一个20位的随机数一样困难。

2. (I) An information-theoretic measure (usually stated as a number of bits) of the amount of information in a message; i.e., the minimum number of bits needed to encode all possible meanings of that message. [Schn] (See: uncertainty.)

2. (一) 消息中信息量的信息论度量(通常表示为位数);i、 例如,对该消息的所有可能含义进行编码所需的最小位数。[Schn](见:不确定性)

$ ephemeral (I) /adjective/ Refers to a cryptographic key or other cryptographic parameter or data object that is short-lived, temporary, or used one time. (See: session key. Compare: static.)

$ 短暂的(I)/形容词/指的是一个密码密钥或其他密码参数或数据对象,它是短暂的、临时的或一次性使用的。(请参阅:会话密钥。比较:静态。)

$ erase 1. (I) Delete stored data. (See: sanitize, zeroize.)

$ 删除1。(一) 删除存储的数据。(请参见:消毒、归零。)

2. (O) /U.S. Government/ Delete magnetically stored data in such a way that the data cannot be recovered by ordinary means, but might be recoverable by laboratory methods. [C4009] (Compare: /U.S. Government/ purge.)

2. (O) /U.S.Government/删除磁存储数据时,应确保数据无法通过普通方式恢复,但可以通过实验室方法恢复。[C4009](比较:/U.S.政府/清除)

$ error detection code (I) A checksum designed to detect, but not correct, accidental (i.e., unintentional) changes in data.

$ 错误检测代码(I)一种校验和,用于检测但不纠正数据中的意外(即无意)更改。

$ Escrowed Encryption Standard (EES) (N) A U.S. Government standard [FP185] that specifies how to use a symmetric encryption algorithm (SKIPJACK) and create a Law Enforcement Access Field (LEAF) for implementing part of a key escrow system that enables decryption of telecommunications when interception is lawfully authorized.

$ 托管加密标准(EES)(N)美国政府标准[FP185],规定如何使用对称加密算法(SKIPJACK)并创建执法访问字段(LEAF),以实现密钥托管系统的一部分,该系统在合法授权拦截时能够对电信进行解密。

Tutorial: Both SKIPJACK and the LEAF are intended for use in equipment used to encrypt and decrypt sensitive, unclassified, telecommunications data.

教程:SKIPJACK和LEAF都适用于加密和解密敏感、非机密电信数据的设备。

$ ESP (I) See: Encapsulating Security Payload.

$ ESP(I)见:封装安全有效负载。

$ Estelle (N) A language (ISO 9074-1989) for formal specification of computer network protocols.

$ Estelle(N):一种用于计算机网络协议形式规范的语言(ISO 9074-1989)。

$ ETSI (N) See: European Telecommunication Standards Institute.

$ ETSI(N)见:欧洲电信标准协会。

$ EUCI (O) See: endorsed-for-unclassified cryptographic item.

$ EUCI(O)见:未分类密码项目背书。

$ European Telecommunication Standards Institute (ETSI) (N) An independent, non-profit organization, based in France, that is officially recognized by the European Commission and responsible for standardization of information and communication technologies within Europe.

$ 欧洲电信标准协会(ETSI)(N):一个独立的非营利组织,总部设在法国,经欧盟委员会正式认可,负责欧洲内部信息和通信技术的标准化。

Tutorial: ETSI maintains the standards for a number of security algorithms, including encryption algorithms for mobile telephone systems in Europe.

教程:ETSI维护许多安全算法的标准,包括欧洲移动电话系统的加密算法。

$ evaluated system (I) A system that has been evaluated against security criteria (for example, against the TCSEC or against a profile based on the Common Criteria).

$ 评估系统(I)根据安全标准(例如,根据TCSEC或基于通用标准的概要文件)进行评估的系统。

$ evaluation (I) Assessment of an information system against defined security criteria (for example, against the TCSEC or against a profile based on the Common Criteria). (Compare: certification.)

$ 评估(I)根据定义的安全标准(例如,根据TCSEC或基于通用标准的概要文件)对信息系统进行评估。(比较:认证。)

$ evaluation assurance level (EAL) (N) A predefined package of assurance components that represents a point on the Common Criteria's scale for rating confidence in the security of information technology products and systems.

$ 评估保证级别(EAL)(N)一个预定义的保证组件包,代表信息技术产品和系统安全性的通用标准等级上的一个点。

Tutorial: The Common Criteria defines a scale of seven, hierarchically ordered EALs for rating a TOE. From highest to lowest, they are as follows: - EAL7. Formally verified design and tested. - EAL6. Semiformally verified design and tested. - EAL5. Semiformally designed and tested. - EAL4. Methodically designed, tested, and reviewed. - EAL3. Methodically tested and checked. - EAL2. Structurally tested. - EAL1. Functionally tested.

教程:通用标准定义了七个等级的EAL,用于对脚趾进行评级。从最高到最低,它们如下:-EAL7。正式验证设计和测试。-EAL6。半正式验证设计和测试。-EAL5。半正式设计和测试。-EAL4。系统地设计、测试和审查。-EAL3。系统地测试和检查。-EAL2。结构测试。-EAL1。功能测试。

An EAL is a consistent, baseline set of requirements. The increase in assurance from EAL to EAL is accomplished by substituting higher assurance components (i.e., criteria of increasing rigor, scope, or depth) from seven assurance classes: (a) configuration management, (b) delivery and operation, (c) development, (d) guidance documents, (e) lifecycle support, (f) tests, and (g) vulnerability assessment.

EAL是一组一致的基线需求。从EAL到EAL的保证增加是通过从七个保证级别(a)配置管理,(b)交付和运行,(c)开发,(d)指导文件,(e)生命周期支持,(f)测试和(g)中替换更高的保证组件(即,增加严格性、范围或深度的标准)来实现的脆弱性评估。

The EALs were developed with the goal of preserving concepts of assurance that were adopted from earlier criteria, so that results of previous evaluations would remain relevant. For example, EALs levels 2-7 are generally equivalent to the assurance portions of the TCSEC C2-A1 scale. However, this equivalency should be used with caution. The levels do not derive assurance in the same manner, and exact mappings do not exist.

制定EAL的目的是保留从早期标准中采用的保证概念,以便先前评估的结果保持相关性。例如,EALs等级2-7通常相当于TCSEC C2-A1等级的保证部分。但是,应谨慎使用这种等效性。级别不以相同的方式派生保证,并且不存在精确的映射。

$ expire (I) /credential/ Cease to be valid (i.e., change from being valid to being invalid) because its assigned lifetime has been exceeded. (See: certificate expiration.)

$ 过期(I)/凭证/不再有效(即从有效更改为无效),因为已超过其分配的生存期。(请参阅:证书到期。)

$ exposure (I) A type of threat action whereby sensitive data is directly released to an unauthorized entity. (See: unauthorized disclosure.)

$ 暴露(I)一种威胁行为,即敏感数据直接发布给未经授权的实体。(请参阅:未经授权的披露。)

Usage: This type of threat action includes the following subtypes: - "Deliberate Exposure": Intentional release of sensitive data to an unauthorized entity. - "Scavenging": Searching through data residue in a system to gain unauthorized knowledge of sensitive data. - "Human error": /exposure/ Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.) - "Hardware or software error": /exposure/ System failure that unintentionally results in an entity gaining unauthorized

用法:这种类型的威胁行为包括以下子类型:-“故意暴露”:故意向未经授权的实体发布敏感数据。-“清除”:搜索系统中的数据残留,以获得未经授权的敏感数据信息。-“人为错误”:/暴露/人为行为或不作为,无意中导致实体获得未经授权的敏感数据知识。(比较:腐败、丧失能力):“硬件或软件错误”:/暴露/系统故障,无意中导致实体获得未经授权的许可

knowledge of sensitive data. (Compare: corruption, incapacitation.)

敏感数据知识。(比较:腐败、无能。)

$ Extended Security Option (I) See: secondary definition under "IPSO".

$ 扩展安全选项(I)见“IPSO”下的二级定义。

$ Extensible Authentication Protocol (EAP) (I) An extension framework for PPP that supports multiple, optional authentication mechanisms, including cleartext passwords, challenge-response, and arbitrary dialog sequences. [R3748] (Compare: GSS-API, SASL.)

$ 可扩展身份验证协议(EAP)(I)PPP的扩展框架,支持多种可选身份验证机制,包括明文密码、质询响应和任意对话序列。[R3748](比较:GSS-API和SASL。)

Tutorial: EAP typically runs directly over IPS data link protocols or OSIRM Layer 2 protocols, i.e., without requiring IP. Originally, EAP was developed for use in PPP, by a host or router that connects to a network server via switched circuits or dial-up lines. Today, EAP's domain of applicability includes other areas of network access control; it is used in wired and wireless LANs with IEEE 802.1X, and in IPsec with IKEv2. EAP is conceptually related to other authentication mechanism frameworks, such as SASL and GSS-API.

教程:EAP通常直接在IPS数据链路协议或OSIRM第2层协议上运行,即不需要IP。最初,EAP是为PPP开发的,由主机或路由器通过交换电路或拨号线路连接到网络服务器。今天,EAP的适用范围包括网络访问控制的其他领域;它用于具有IEEE 802.1X的有线和无线局域网,以及具有IKEv2的IPsec。EAP在概念上与其他身份验证机制框架相关,如SASL和GSS-API。

$ Extensible Markup Language (XML) (N) A version of Standard Generalized Markup Language (ISO 8879) that separately represents a document's content and its structure. XML was designed by W3C for use on the World Wide Web.

$ 可扩展标记语言(XML)(N):标准通用标记语言(ISO 8879)的一个版本,分别表示文档的内容及其结构。XML由W3C设计用于万维网。

$ extension (I) /protocol/ A data item or a mechanism that is defined in a protocol to extend the protocol's basic or original functionality.

$ 扩展(I)/协议/协议中定义的数据项或机制,用于扩展协议的基本或原始功能。

Tutorial: Many protocols have extension mechanisms, and the use of these extension is usually optional. IP and X.509 are two examples of protocols that have optional extensions. In IP version 4, extensions are called "options", and some of the options have security purposes (see: IPSO).

教程:许多协议都有扩展机制,这些扩展的使用通常是可选的。IP和X.509是具有可选扩展的协议的两个示例。在IP版本4中,扩展称为“选项”,其中一些选项具有安全性目的(请参阅:IPSO)。

In X.509, certificate and CRL formats can be extended to provide methods for associating additional attributes with subjects and public keys and for managing a certification hierarchy: - A "certificate extension": X.509 defines standard extensions that may be included in v3 certificates to provide additional key and security policy information, subject and issuer attributes, and certification path constraints. - A "CRL extension": X.509 defines extensions that may be included in v2 CRLs to provide additional issuer key and name information, revocation reasons and constraints, and information about distribution points and delta CRLs.

在X.509中,可以扩展证书和CRL格式,以提供将附加属性与主题和公钥关联以及管理证书层次结构的方法:-“证书扩展”:X.509定义了v3证书中可能包含的标准扩展,以提供附加密钥和安全策略信息,主题和颁发者属性,以及认证路径约束。-“CRL扩展”:X.509定义了可能包含在v2 CRL中的扩展,以提供额外的颁发者密钥和名称信息、撤销原因和约束,以及有关分发点和增量CRL的信息。

- A "private extension": Additional extensions, each named by an OID, can be locally defined as needed by applications or communities. (See: Authority Information Access extension, SET private extensions.)

- “私有扩展”:附加扩展,每个扩展由OID命名,可以根据应用程序或社区的需要在本地定义。(请参见:权限信息访问扩展,设置专用扩展。)

$ external controls (I) /COMPUSEC/ Refers to administrative security, personnel security, and physical security. (Compare: internal controls.)

$ 外部控制(I)/COMPUSEC/指管理安全、人员安全和物理安全。(比较:内部控制。)

$ extranet (I) A computer network that an organization uses for application data traffic between the organization and its business partners. (Compare: intranet.)

$ 外部网(I)一个组织用于组织与其业务伙伴之间的应用程序数据通信的计算机网络。(比较:内部网。)

Tutorial: An extranet can be implemented securely, either on the Internet or using Internet technology, by constructing the extranet as a VPN.

教程:通过将外联网构建为VPN,可以在Internet上或使用Internet技术安全地实现外联网。

$ extraction resistance (O) Ability of cryptographic equipment to resist efforts to extract keying material directly from the equipment (as opposed to gaining knowledge of keying material by cryptanalysis). [C4009]

$ 抗提取能力(O):加密设备抵抗直接从设备中提取密钥材料的能力(与通过密码分析获取密钥材料的知识相反)。[C4009]

$ extrusion detection (I) Monitoring for unauthorized transfers of sensitive information and other communications that originate inside a system's security perimeter and are directed toward the outside; i.e., roughly the opposite of "intrusion detection".

$ 挤出检测(I)监控敏感信息和其他通信的未经授权传输,这些信息和通信源自系统的安全周界内部,并指向外部;i、 与“入侵检测”大致相反。

$ fail-safe 1. (I) Synonym for "fail-secure".

$ 故障安全1。(一) “故障保护”的同义词。

2. (I) A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise). (See: failure control.)

2. (一) 系统功能的一种终止模式,当系统发生故障或检测到故障(但故障仍可能导致安全隐患)时,可防止对指定的系统资源和系统实体(即指定的数据、属性和寿命)造成损坏。(请参阅:故障控制。)

Tutorial: Definitions 1 and 2 are opposing design alternatives. Therefore, IDOCs SHOULD NOT use this term without providing a definition for it. If definition 1 is intended, IDOCs can avoid ambiguity by using "fail-secure" instead.

教程:定义1和定义2是相反的设计方案。因此,IDOCs不应该在没有定义的情况下使用这个术语。如果打算使用定义1,IDOCs可以通过使用“故障保护”来避免歧义。

$ fail-secure (I) A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). (See: failure control. Compare: fail-safe.)

$ 故障保护(I)当系统发生故障或检测到故障时(但故障仍可能导致某些系统资源或系统实体损坏),系统功能终止的一种模式,可防止失去安全状态。(请参阅:故障控制。比较:故障安全。)

$ fail-soft (I) Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system. (See: failure control.)

$ 故障软(I)当系统发生故障或检测到故障时,选择性终止受影响的非必要系统功能。(请参阅:故障控制。)

$ failure control (I) A methodology used to provide fail-safe, fail-secure or fail-soft termination and recovery of system functions. [FP039]

$ 故障控制(I)用于提供系统功能的故障安全、故障安全或故障软终止和恢复的方法。[FP039]

$ fairness (I) A property of an access protocol for a system resource whereby the resource is made equitably or impartially available to all eligible users. (RFC 3753)

$ 公平性(I)系统资源访问协议的一种属性,通过该属性,所有合格用户都可以公平或公正地使用该资源。(RFC 3753)

Tutorial: Fairness can be used to defend against some types of denial-of-service attacks on a system connected to a network. However, this technique assumes that the system can properly receive and process inputs from the network. Therefore, the technique can mitigate flooding but is ineffective against jamming.

教程:公平性可用于防御连接到网络的系统上的某些类型的拒绝服务攻击。然而,这种技术假设系统能够正确地接收和处理来自网络的输入。因此,该技术可以缓解洪水,但对干扰无效。

$ falsification (I) A type of threat action whereby false data deceives an authorized entity. (See: active wiretapping, deception.)

$ 伪造(I)虚假数据欺骗授权实体的一种威胁行为。(参见:主动窃听、欺骗。)

Usage: This type of threat action includes the following subtypes: - "Substitution": Altering or replacing valid data with false data that serves to deceive an authorized entity. - "Insertion": Introducing false data that serves to deceive an authorized entity.

用法:此类威胁行为包括以下子类型:-“替换”:用虚假数据更改或替换有效数据,以欺骗授权实体。-“插入”:引入虚假数据以欺骗授权实体。

$ fault tree (I) A branching, hierarchical data structure that is used to represent events and to determine the various combinations of component failures and human acts that could result in a specified undesirable system event. (See: attack tree, flaw hypothesis methodology.)

$ 故障树(I)一种分支、分层数据结构,用于表示事件,并确定可能导致特定不良系统事件的组件故障和人为行为的各种组合。(参见:攻击树,缺陷假设方法。)

Tutorial: "Fault-tree analysis" is a technique in which an undesired state of a system is specified and the system is studied in the context of its environment and operation to find all credible ways in which the event could occur. The specified fault event is represented as the root of the tree. The remainder of the tree represents AND or OR combinations of subevents, and sequential combinations of subevents, that could cause the root event to occur. The main purpose of a fault-tree analysis is to calculate the probability of the root event, using statistics or other analytical methods and incorporating actual or predicted

教程:“故障树分析”是一种技术,其中规定了系统的非期望状态,并在其环境和运行的背景下对系统进行研究,以找到事件可能发生的所有可信方式。指定的故障事件表示为树的根。树的其余部分表示可能导致根事件发生的子事件和/或子事件组合,以及子事件的顺序组合。故障树分析的主要目的是使用统计或其他分析方法,结合实际或预测的故障,计算根事件的概率

quantitative reliability and maintainability data. When the root event is a security violation, and some of the subevents are deliberate acts intended to achieve the root event, then the fault tree is an attack tree.

定量可靠性和可维护性数据。如果根事件是安全违规,并且某些子事件是有意实现根事件的故意行为,那么故障树就是攻击树。

$ FEAL (O) A family of symmetric block ciphers that was developed in Japan; uses a 64-bit block, keys of either 64 or 128 bits, and a variable number of rounds; and has been successfully attacked by cryptanalysts. [Schn]

$ FEAL(O)一个在日本发展起来的对称分组密码家族;使用64位块、64位或128位密钥以及可变轮数;并且被密码分析人员成功攻击。[施恩]

$ Federal Information Processing Standards (FIPS) (N) The Federal Information Processing Standards Publication (FIPS PUB) series issued by NIST under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987 (Public Law 100-235) as technical guidelines for U.S. Government procurements of information processing system equipment and services. (See: "[FPxxx]" items in Section 7, Informative References.)

$ 联邦信息处理标准(FIPS)(N)NIST根据《1949年联邦财产和行政服务法》第111(d)节的规定发布的联邦信息处理标准出版物(FIPS PUB)系列,经1987年《计算机安全法》(公法100-235)修订作为美国政府采购信息处理系统设备和服务的技术指南。(见第7节“参考资料”中的“[FPxxx]”项。)

$ Federal Public-key Infrastructure (FPKI) (O) A PKI being planned to establish facilities, specifications, and policies needed by the U.S. Government to use public-key certificates in systems involving unclassified but sensitive applications and interactions between Federal agencies as well as with entities of state and local governments, the business community, and the public. [FPKI]

$ 联邦公钥基础设施(FPKI)(O)计划建立美国政府所需的设施、规范和政策的PKI,以在涉及非保密但敏感应用程序的系统中使用公钥证书,以及联邦机构之间以及与州和地方政府实体之间的交互,商界和公众。[FPKI]

$ Federal Standard 1027 (N) An U.S. Government document defining emanation, anti-tamper, security fault analysis, and manual key management criteria for DES encryption devices, primary for OSIRM Layer 2. Was renamed "FIPS PUB 140" when responsibility for protecting unclassified, sensitive information was transferred from NSA to NIST, and has since been superseded by newer versions of that standard [FP140].

$ 联邦标准1027(N)美国政府文件,定义DES加密设备的发射、防篡改、安全故障分析和手动密钥管理标准,主要用于OSIRM第2层。当保护非机密敏感信息的责任从NSA转移到NIST时,更名为“FIPS PUB 140”,此后被该标准的更新版本取代[FP140]。

$ File Transfer Protocol (FTP) (I) A TCP-based, Application-Layer, Internet Standard protocol (RFC 959) for moving data files from one computer to another.

$ 文件传输协议(FTP)(I)基于TCP的应用层互联网标准协议(RFC 959),用于将数据文件从一台计算机移动到另一台计算机。

$ fill device (N) /COMSEC/ A device used to transfer or store keying material in electronic form or to insert keying material into cryptographic equipment.

$ 填充装置(N)/COMSEC/用于以电子形式传输或存储密钥材料或将密钥材料插入加密设备的装置。

$ filter 1. (I) /noun/ Synonym for "guard". (Compare: content filter, filtering router.)

$ 过滤器1。(一) /名词/同义词“警卫”。(比较:内容过滤器、过滤路由器。)

2. (I) /verb/ To process a flow of data and selectively block passage or permit passage of individual data items according to a security policy.

2. (一) /verb/处理数据流,并根据安全策略有选择地阻止或允许单个数据项的通过。

$ filtering router (I) An internetwork router that selectively prevents the passage of data packets according to a security policy. (See: guard.)

$ 过滤路由器(I)根据安全策略有选择地防止数据包通过的网络间路由器。(请参阅:防护罩。)

Tutorial: A router usually has two or more physical connections to networks or other systems; and when the router receives a packet on one of those connections, it forwards the packet on a second connection. A filtering router does the same; but it first decides, according to some security policy, whether the packet should be forwarded at all. The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port numbers) [R2179]. A filtering router may be used alone as a simple firewall or be used as a component of a more complex firewall.

教程:路由器通常与网络或其他系统有两个或多个物理连接;当路由器在其中一个连接上接收到数据包时,它会在第二个连接上转发该数据包。过滤路由器也这样做;但它首先根据一些安全策略决定是否应该转发数据包。该策略由加载到路由器中的规则(包过滤器)实现。这些规则主要涉及数据包控制字段的值(尤其是IP源和目标地址以及TCP端口号)[R2179]。过滤路由器可以单独用作简单防火墙,也可以用作更复杂防火墙的组件。

$ financial institution (N) "An establishment responsible for facilitating customer-initiated transactions or transmission of funds for the extension of credit or the custody, loan, exchange, or issuance of money." [SET2]

$ 金融机构(N)“负责促进客户发起的交易或资金传输的机构,用于扩展信贷或保管、贷款、交换或发行货币。”[SET2]

$ fingerprint 1. (I) A pattern of curves formed by the ridges on a fingertip. (See: biometric authentication. Compare: thumbprint.)

$ 指纹1。(一) 由指尖上的脊线形成的曲线图案。(请参阅:生物特征认证。比较:指纹。)

2. (D) /PGP/ A hash result ("key fingerprint") used to authenticate a public key or other data. [PGP]

2. (D) /PGP/用于验证公钥或其他数据的哈希结果(“密钥指纹”)。[PGP]

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2, and SHOULD NOT use this term as a synonym for "hash result" of *any* kind. Either use would mix concepts in a potentially misleading way.

不推荐使用的定义:IDOCs不应将此术语与定义2一起使用,也不应将此术语用作*任何*类型的“哈希结果”的同义词。这两种用法都会以潜在误导的方式混淆概念。

$ FIPS (N) See: Federal Information Processing Standards.

$ FIPS(N)参见:联邦信息处理标准。

$ FIPS PUB 140 (N) The U.S. Government standard [FP140] for security requirements to be met by a cryptographic module when the module is used to protect unclassified information in computer and communication systems. (See: Common Criteria, FIPS, Federal Standard 1027.)

$ FIPS PUB 140(N)美国政府标准[FP140],当密码模块用于保护计算机和通信系统中的非保密信息时,密码模块应满足安全要求。(见:通用标准、FIPS、联邦标准1027。)

Tutorial: The standard specifies four increasing levels (from "Level 1" to "Level 4") of requirements to cover a wide range of potential applications and environments. The requirements address basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference and electromagnetic compatibility (EMI/EMC), and self-testing. NIST and the Canadian Communication Security Establishment jointly certify modules.

教程:该标准规定了四个不断增加的需求级别(从“级别1”到“级别4”),以涵盖广泛的潜在应用和环境。这些要求涉及基本设计和文档、模块接口、授权角色和服务、物理安全、软件安全、操作系统安全、密钥管理、加密算法、电磁干扰和电磁兼容性(EMI/EMC)以及自检。NIST和加拿大通信安全机构共同认证模块。

$ FIREFLY (O) /U.S. Government/ "Key management protocol based on public-key cryptography." [C4009]

$ FIREFLY(O)/美国政府/“基于公钥加密的密钥管理协议。”[C4009]

$ firewall 1. (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)

$ 防火墙1。(一) 一种网络间网关,用于限制与一个已连接网络(称为“防火墙内”的网络)之间的数据通信流量,从而保护该网络的系统资源免受来自另一个网络(称为“防火墙外”的网络)的威胁。(请参阅:警卫,安全网关。)

2. (O) A device or system that controls the flow of traffic between networks using differing security postures. [SP41]

2. (O) 一种设备或系统,使用不同的安全姿态控制网络之间的流量。[SP41]

Tutorial: A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies policy rules to control traffic that flows in and out of the protected network.

教程:防火墙通常保护较小、安全的网络(如公司局域网,甚至仅一台主机)免受较大网络(如Internet)的攻击。防火墙安装在网络连接点,防火墙应用策略规则来控制进出受保护网络的流量。

A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN (see: buffer zone) between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher-layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep unauthorized traffic (i.e., intruders) out, but usually also needs to let authorized traffic pass both in and out.

防火墙并不总是一台计算机。例如,防火墙可能由一对过滤路由器和一台或多台运行在一台或多台堡垒主机上的一台或多台代理服务器组成,所有这些都连接到两台路由器之间的小型专用LAN(请参阅:缓冲区)。外部路由器阻止使用IP破坏安全性的攻击(IP地址欺骗、源路由、数据包碎片),而代理服务器阻止利用更高层协议或服务中的漏洞进行攻击。内部路由器阻止流量离开受保护的网络,除非通过代理服务器。困难的部分是定义拒绝数据包通过防火墙的标准,因为防火墙不仅需要阻止未经授权的流量(即入侵者),而且通常还需要允许授权的流量进出。

$ firmware (I) Computer programs and data stored in hardware -- typically in read-only memory (ROM) or programmable read-only memory (PROM) -- such that the programs and data cannot be dynamically written or modified during execution of the programs. (See: hardware, software.)

$ 固件(I)存储在硬件中的计算机程序和数据——通常存储在只读存储器(ROM)或可编程只读存储器(PROM)中——使得程序和数据在程序执行期间不能动态写入或修改。(请参阅:硬件、软件。)

$ FIRST (N) See: Forum of Incident Response and Security Teams.

$ 第一(N)见:事件响应和安全团队论坛。

$ flaw 1. (I) An error in the design, implementation, or operation of an information system. A flaw may result in a vulnerability. (Compare: vulnerability.)

$ 缺陷1。(一) 信息系统设计、实施或操作中的错误。缺陷可能会导致漏洞。(比较:漏洞。)

2. (D) "An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed." [NCSSG] (Compare: vulnerability. See: brain-damaged.)

2. (D) “在允许绕过保护机制的系统中,由于疏忽、疏忽或疏忽造成的错误。”[NCSSG](比较:脆弱性。参见:大脑受损。)

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2; not every flaw is a vulnerability.

不推荐使用的定义:IDOC不应将此术语与定义2一起使用;并非每个缺陷都是漏洞。

$ flaw hypothesis methodology (I) An evaluation or attack technique in which specifications and documentation for a system are analyzed to hypothesize flaws in the system. The list of hypothetical flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming it does, on the ease of exploiting it and the extent of control or compromise it would provide. The prioritized list is used to direct a penetration test or attack against the system. [NCS04] (See: fault tree, flaw.)

$ 缺陷假设方法(I)一种评估或攻击技术,其中对系统的规范和文档进行分析,以假设系统中存在缺陷。假设缺陷列表根据缺陷存在的估计概率和(假设存在)利用缺陷的难易程度以及控制或妥协的程度进行优先排序。优先列表用于指导针对系统的渗透测试或攻击。[NCS04](参见:故障树、缺陷)

$ flooding 1. (I) An attack that attempts to cause a failure in a system by providing more input than the system can process properly. (See: denial of service, fairness. Compare: jamming.)

$ 洪水1。(一) 试图通过提供超出系统正常处理范围的输入而导致系统故障的一种攻击。(请参阅:拒绝服务,公平性。比较:干扰。)

Tutorial: Flooding uses "overload" as a type of "obstruction" intended to cause "disruption".

教程:洪水使用“过载”作为一种“障碍物”,旨在造成“破坏”。

2. (I) The process of delivering data or control messages to every node of a network. (RFC 3753)

2. (一) 向网络的每个节点传送数据或控制信息的过程。(RFC 3753)

$ flow analysis (I) An analysis performed on a nonprocedural, formal, system specification that locates potential flows of information between system variables. By assigning security levels to the variables, the analysis can find some types of covert channels. [Huff]

$ 流程分析(I)对非程序、正式的系统规范进行的分析,确定系统变量之间的潜在信息流。通过为变量分配安全级别,分析可以发现某些类型的隐蔽通道。[怒火]

$ flow control 1. (I) /data security/ A procedure or technique to ensure that information transfers within a system are not made from one security level to another security level, and especially not from a higher level to a lower level. [Denns] (See: covert channel, confinement property, information flow policy, simple security property.)

$ 流量控制1。(一) /数据安全性/确保系统内的信息传输不会从一个安全级别传输到另一个安全级别,特别是不会从较高级别传输到较低级别的程序或技术。[Denns](请参阅:隐蔽通道、限制属性、信息流策略、简单安全属性。)

2. (O) /data security/ "A concept requiring that information transfers within a system be controlled so that information in certain types of objects cannot, via any channel within the system, flow to certain other types of objects." [NCSSG]

2. (O) /data security/“一种概念,要求控制系统内的信息传输,使某些类型对象中的信息不能通过系统内的任何通道流向某些其他类型的对象。”[NCSSG]

$ For Official Use Only (FOUO) (O) /U.S. DoD/ A U.S. Government designation for information that has not been given a security classification pursuant to the criteria of an Executive Order dealing with national security, but which may be withheld from the public because disclosure would cause a foreseeable harm to an interest protected by one of the exemptions stated in the Freedom of Information Act (Section 552 of title 5, United States Code). (See: security label, security marking. Compare: classified.)

$ 仅供官方使用(FOUO)(O)/美国国防部/美国政府指定,用于未根据涉及国家安全的行政命令标准进行安全分类的信息,但由于披露会对受《信息自由法》(美国法典第5编第552节)所述豁免之一保护的利益造成可预见的损害,因此可能会对公众隐瞒。(参见:安全标签、安全标记。比较:分类。)

$ formal (I) Expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts. [CCIB] (Compare: informal, semiformal.)

$ 形式(I)用受限语法语言表示,语义定义基于成熟的数学概念。[CCIB](比较:非正式、半正式。)

$ formal access approval (O) /U.S. Government/ Documented approval by a data owner to allow access to a particular category of information in a system. (See: category.)

$ 正式访问批准(O)/美国政府/数据所有者书面批准,允许访问系统中特定类别的信息。(请参阅:类别。)

$ Formal Development Methodology (O) See: Ina Jo.

$ 正式开发方法(O)见:Ina Jo。

$ formal model (I) A security model that is formal. Example: Bell-LaPadula model. [Land] (See: formal, security model.)

$ 形式模型(I)形式化的安全模型。示例:贝尔-拉帕杜拉模型。[土地](见:正式的安全模型。)

$ formal proof (I) "A complete and convincing mathematical argument, presenting the full logical justification for each step in the proof, for the truth of a theorem or set of theorems." [NCSSG]

$ 形式证明(I)“一个完整且令人信服的数学论证,为证明中的每一步提供完整的逻辑证明,证明一个定理或一组定理的真理。”[NCSSG]

$ formal specification (I) A precise description of the (intended) behavior of a system, usually written in a mathematical language, sometimes for the

$ 形式规范(I)系统(预期)行为的精确描述,通常用数学语言编写,有时用于

purpose of supporting formal verification through a correctness proof. [Huff] (See: Affirm, Gypsy, HDM, Ina Jo.) (See: formal.)

通过正确性证明支持形式验证的目的。[Huff](参见:确认、吉普赛、HDM、Ina Jo)(参见:正式)

Tutorial: A formal specification can be written at any level of detail but is usually a top-level specification.

教程:正式规范可以在任何详细级别编写,但通常是顶级规范。

$ formal top-level specification (I) "A top-level specification that is written in a formal mathematical language to allow theorems showing the correspondence of the system specification to its formal requirements to be hypothesized and formally proven." [NCS04] (See: formal specification.)

$ 正式顶层规范(I)“以正式数学语言编写的顶层规范,允许假设和正式证明表明系统规范与其正式需求对应关系的定理。”[NCS04](见:正式规范。)

$ formulary (I) A technique for enabling a decision to grant or deny access to be made dynamically at the time the access is attempted, rather than earlier when an access control list or ticket is created.

$ 公式集(I)一种技术,用于在尝试访问时,而不是在创建访问控制列表或票证之前,动态做出授予或拒绝访问的决定。

$ FORTEZZA(trademark) (O) A registered trademark of NSA, used for a family of interoperable security products that implement a NIST/NSA-approved suite of cryptographic algorithms for digital signature, hash, encryption, and key exchange. The products include a PC card (which contains a CAPSTONE chip), and compatible serial port modems, server boards, and software implementations.

$ FORTEZZA(商标)(O)NSA的注册商标,用于实现NIST/NSA批准的用于数字签名、哈希、加密和密钥交换的加密算法套件的可互操作安全产品系列。这些产品包括一个PC卡(包含一个CAPSTONE芯片)、兼容的串行端口调制解调器、服务器板和软件实现。

$ Forum of Incident Response and Security Teams (FIRST) (N) An international consortium of CSIRTs (e.g., CIAC) that work together to handle computer security incidents and promote preventive activities. (See: CSIRT, security incident.)

$ 事件响应和安全团队论坛(第一)(N)CSIRT的国际联盟(如CIAC),共同处理计算机安全事件并促进预防活动。(参见:CSIRT,安全事件)

Tutorial: FIRST was founded in 1990 and, as of July 2004, had more than 100 members spanning the globe. Its mission includes: - Provide members with technical information, tools, methods, assistance, and guidance. - Coordinate proactive liaison activities and analytical support. - Encourage development of quality products and services. - Improve national and international information security for governments, private industry, academia, and the individual. - Enhance the image and status of the CSIRT community.

教程:FIRST成立于1990年,截至2004年7月,在全球拥有100多名会员。其任务包括:-为成员提供技术信息、工具、方法、协助和指导。-协调主动联络活动和分析支持。-鼓励开发优质产品和服务。-改善政府、私营企业、学术界和个人的国家和国际信息安全。-提升CSIRT社区的形象和地位。

$ forward secrecy (I) See: perfect forward secrecy.

$ 前向保密(I)见:完美前向保密。

$ FOUO (O) See: For Official Use Only.

$ FOUO(O)见:仅供官方使用。

$ FPKI (O) See: Federal Public-Key Infrastructure.

$ FPKI(O)见:联邦公钥基础设施。

$ fraggle attack (D) /slang/ A synonym for "smurf attack".

$ 脆弱攻击(D)/俚语/蓝精灵攻击的同义词。

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term.

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。

Derivation: The Fraggles are a fictional race of small humanoids (represented as hand puppets in a children's television series, "Fraggle Rock") that live underground.

起源:Fraggles是一个虚构的小型人形种族(在儿童电视剧《Fraggle Rock》中表现为手木偶),生活在地下。

$ frequency hopping (N) Repeated switching of frequencies during radio transmission according to a specified algorithm. [C4009] (See: spread spectrum.)

$ 跳频(N):根据指定的算法在无线电传输过程中重复切换频率。[C4009](参见:扩频。)

Tutorial: Frequency hopping is a TRANSEC technique to minimize the potential for unauthorized interception or jamming.

教程:跳频是一种TRANSEC技术,可以最大限度地降低未经授权的拦截或干扰的可能性。

$ fresh (I) Recently generated; not replayed from some earlier interaction of the protocol.

$ 新的(I)最近产生的;未从协议的某些早期交互中重播。

Usage: Describes data contained in a PDU that is received and processed for the first time. (See: liveness, nonce, replay attack.)

用法:描述首次接收和处理的PDU中包含的数据。(请参阅:活跃度、暂时性、重放攻击。)

$ FTP (I) See: File Transfer Protocol.

$ FTP(I)见:文件传输协议。

$ gateway (I) An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks. (See: bridge, firewall, guard, internetwork, proxy server, router, and subnetwork.)

$ 网关(I)连接到两个(或多个)功能相似但实现方式不同的计算机网络的中间系统(接口、中继),可实现网络之间的单向或双向通信。(请参阅:网桥、防火墙、防护、互联网、代理服务器、路由器和子网络。)

Tutorial: The networks may differ in any of several aspects, including protocols and security mechanisms. When two computer networks differ in the protocol by which they offer service to hosts, a gateway may translate one protocol into the other or otherwise facilitate interoperation of hosts (see: Internet Protocol). In theory, gateways between computer networks are conceivable at any OSIRM layer. In practice, they usually operate

教程:网络可能在几个方面有所不同,包括协议和安全机制。当两个计算机网络向主机提供服务的协议不同时,网关可将一个协议转换为另一个协议,或以其他方式促进主机的互操作(请参阅:Internet协议)。理论上,计算机网络之间的网关在任何OSIRM层都是可以想象的。在实践中,它们通常会运行

at OSIRM Layer 2 (see: bridge), 3 (see: router), or 7 (see: proxy server).

在OSIRM第2层(请参阅:网桥)、第3层(请参阅:路由器)或第7层(请参阅:代理服务器)。

$ GCA (O) See: geopolitical certificate authority.

$ GCA(O)见:地缘政治证书管理局。

$ GDOI (O) See: Group Domain of Interpretation.

$ GDOI(O)见:集团解释领域。

$ GeldKarte (O) A smartcard-based, electronic money system that is maintained by the German banking industry, incorporates cryptography, and can be used to make payments via the Internet. (See: IOTP.)

$ Geldkart(O)是一种基于智能卡的电子货币系统,由德国银行业维护,采用加密技术,可用于通过互联网进行支付。(见:IOTP)

$ GeneralizedTime (N) The ASN.1 data type "GeneralizedTime" (ISO 8601) contains a calendar date (YYYYMMDD) and a time of day, which is either (a) the local time, (b) the Coordinated Universal Time, or (c) both the local time and an offset that enables Coordinated Universal Time to be calculated. (See: Coordinated Universal Time. Compare: UTCTime.)

$ 泛化时间(N)ASN.1数据类型“泛化时间”(ISO 8601)包含日历日期(YYYYMMDD)和一天中的某个时间,即(a)本地时间,(b)协调世界时间,或(c)本地时间和允许计算协调世界时间的偏移量。(参见:协调世界时。比较:UTCTime。)

$ Generic Security Service Application Program Interface (GSS-API) (I) An Internet Standard protocol [R2743] that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies, thus enabling the application source code to be ported to different environments. (Compare: EAP, SASL.)

$ 通用安全服务应用程序接口(GSS-API)(I)一种互联网标准协议[R2743],规定了应用程序(通常是另一种通信协议)可通过其获得身份验证、完整性、,保密性和安全性服务独立于底层安全机制和技术,从而使应用程序源代码能够移植到不同的环境。(比较:EAP、SASL)

Tutorial: "A GSS-API caller accepts tokens provided to it by its local GSS-API implementation and transfers the tokens to a peer on a remote system; that peer passes the received tokens to its local GSS-API implementation for processing. The security services available through GSS-API in this fashion are implementable (and have been implemented) over a range of underlying mechanisms based on [symmetric] and [asymmetric cryptography]." [R2743]

教程:“GSS-API调用方接受其本地GSS-API实现提供给它的令牌,并将令牌传输给远程系统上的对等方;该对等方将接收到的令牌传递给其本地GSS-API实现进行处理。通过GSS-API以这种方式提供的安全服务是可实现的(并且已经实现)基于[对称]和[非对称加密]的一系列底层机制

$ geopolitical certificate authority (GCA) (O) /SET/ In a SET certification hierarchy, an optional level that is certified by a BCA and that may certify cardholder CAs, merchant CAs, and payment gateway CAs. Using GCAs enables a brand to distribute responsibility for managing certificates to geographic or political regions, so that brand policies can vary between regions as needed.

$ 地缘政治证书颁发机构(GCA)(O)/SET/在SET认证层次结构中,由BCA认证的可选级别,可认证持卡人CA、商户CA和支付网关CA。使用GCAs使品牌能够将管理证书的责任分配给地理或政治区域,以便品牌策略可以根据需要在不同区域之间变化。

$ GIG (O) See: Global Information Grid.

$ 全球信息栅格(GIG)见:全球信息栅格。

$ Global Information Grid (GIG) (O) /U.S. DoD/ The GIG is "a globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel." [IATF] Usage: Formerly referred to as the DII.

$ 全球信息网格(GIG)(O)/美国国防部/全球信息网格是“一组全球互联、端到端的信息能力、相关流程和人员,用于收集、处理、存储、传播和管理作战人员、决策者和支持人员所需的信息。”[IATF]用法:以前称为DII。

$ good engineering practice(s) (N) A term used to specify or characterize design, implementation, installation, or operating practices for an information system, when a more explicit specification is not possible. Generally understood to refer to the state of the engineering art for commercial systems that have problems and solutions equivalent to the system in question.

$ 良好工程实践(N):当无法制定更明确的规范时,用于指定或描述信息系统的设计、实施、安装或操作实践的术语。一般理解为指商业系统的工程技术水平,其问题和解决方案相当于所讨论的系统。

$ granularity 1. (N) /access control/ Relative fineness to which an access control mechanism can be adjusted.

$ 粒度1。(N) /访问控制/访问控制机制可调整的相对精细度。

2. (N) /data security/ "The size of the smallest protectable unit of information" in a trusted system. [Huff]

2. (N) /data security/“受信任系统中可保护的最小信息单元的大小”。[怒火]

$ Green Book (D) /slang/ Synonym for "Defense Password Management Guideline" [CSC2].

$ 绿皮书(D)/俚语/同义词“国防密码管理指南”[CSC2]。

Deprecated Term: Except as an explanatory appositive, IDOCs SHOULD NOT use this term, regardless of the associated definition. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: Rainbow Series.)

不推荐使用的术语:除了作为解释性同位语外,IDOCs不应使用该术语,无论相关定义如何。取而代之的是,使用文件的全称,或者在后续参考文献中使用常规缩写。(请参阅:彩虹系列。)

Deprecated Usage: To improve international comprehensibility of Internet Standards and the Internet Standards Process, IDOCs SHOULD NOT use "cute" synonyms. No matter how clearly understood or popular a nickname may be in one community, it is likely to cause confusion or offense in others. For example, several other information system standards also are called "the Green Book"; the following are some examples: - Each volume of 1992 ITU-T (known at that time as CCITT) standards. - "PostScript Language Program Design", Adobe Systems, Addison-Wesley, 1988. - IEEE 1003.1 POSIX Operating Systems Interface.

不推荐使用:为了提高互联网标准和互联网标准过程的国际可理解性,IDOC不应使用“可爱”同义词。无论一个昵称在一个社区中被理解得多么清楚或多么流行,它都有可能在其他社区引起混乱或冒犯。例如,其他一些信息系统标准也被称为“绿皮书”;以下是一些示例:-1992年ITU-T(当时称为CCITT)标准的每一卷。-“PostScript语言程序设计”,AdobeSystems,Addison-Wesley,1988年IEEE 1003.1 POSIX操作系统接口。

- "Smalltalk-80: Bits of History, Words of Advice", Glenn Krasner, Addison-Wesley, 1983. - "X/Open Compatibility Guide". - A particular CD-ROM format developed by Phillips.

- “Smalltalk-80:历史的点滴,忠告的话语”,格伦·克拉斯纳,艾迪生·韦斯利,1983年“X/Open兼容性指南”——菲利普斯开发的一种特殊的CD-ROM格式。

$ Group Domain of Interpretation (GDOI) (I) An ISAKMP/IKE domain of interpretation for group key management; i.e., a phase 2 protocol in ISAKMP. [R3547] (See: secure multicast.)

$ 集团解释域(GDOI)(I)用于集团密钥管理的ISAKMP/IKE解释域;i、 例如,ISAKMP中的第2阶段协议。[R3547](请参阅:安全多播。)

Tutorial: In this group key management model that extends the ISAKMP standard, the protocol is run between a group member and a "group controller/key server", which establishes security associations [R4301] among authorized group members. The GDOI protocol is itself protected by an ISAKMP phase 1 association.

教程:在此扩展ISAKMP标准的组密钥管理模型中,协议在组成员和“组控制器/密钥服务器”之间运行,该服务器在授权组成员之间建立安全关联[R4301]。GDOI协议本身受ISAKMP第1阶段关联的保护。

For example, multicast applications may use ESP to protect their data traffic. GDOI carries the needed security association parameters for ESP. In this way, GDOI supports multicast ESP with group authentication of ESP packets using a shared, group key.

例如,多播应用程序可以使用ESP来保护其数据流量。GDOI携带ESP所需的安全关联参数。通过这种方式,GDOI支持使用共享组密钥对ESP数据包进行组身份验证的多播ESP。

$ group identity (I) See: secondary definition under "identity".

$ 集团标识(I)见“标识”下的二级定义。

$ group security association (I) "A bundling of [security associations] (SAs) that together define how a group communicates securely. The [group SA] may include a registration protocol SA, a rekey protocol SA, and one or more data security protocol SAs." [R3740]

$ 组安全关联(I)“[安全关联](SA)的捆绑,共同定义组如何安全通信。[组SA]可能包括注册协议SA、密钥更新协议SA和一个或多个数据安全协议SA。”[R3740]

$ GSS-API (I) See: Generic Security Service Application Program Interface.

$ GSS-API(I)见:通用安全服务应用程序接口。

$ guard (I) A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two. (See: controlled interface, cross-domain solution, domain, filter. Compare: firewall.)

$ guard(I)一种计算机系统,它(A)充当两个在不同安全策略下运行的信息系统之间的网关,并且(b)受信任在两个系统之间进行信息数据传输。(请参阅:受控接口、跨域解决方案、域、筛选器。比较:防火墙。)

Usage: Frequently understood to mean that one system is operating at a higher security level than the other, and that the gateway's purpose is to prevent unauthorized disclosure of data from the higher system to the lower. However, the purpose might also be to protect the data integrity, availability, or general system integrity of one system from threats posed by connecting to the other system. The mediation may be entirely automated or may involve "reliable human review".

用法:通常理解为一个系统的安全级别高于另一个系统,网关的目的是防止未经授权将数据从较高的系统泄露给较低的系统。但是,其目的也可能是保护一个系统的数据完整性、可用性或一般系统完整性,使其免受连接到另一个系统所造成的威胁。调解可能完全自动化,也可能涉及“可靠的人工审查”。

$ guest login (I) See: anonymous login.

$ 来宾登录(I)见:匿名登录。

$ GULS (I) Generic Upper Layer Security service element (ISO 11586), a five-part standard for the exchange of security information and security-transformation functions that protect confidentiality and integrity of application data.

$ GULS(I)通用上层安全服务元素(ISO 11586),由五部分组成的标准,用于交换安全信息和安全转换功能,以保护应用程序数据的机密性和完整性。

$ Gypsy verification environment (O) A methodology, language, and integrated set of software tools developed at the University of Texas for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]

$ 吉普赛验证环境(O)一种在德克萨斯大学开发的方法、语言和成套软件工具,用于指定、编码和验证软件以产生正确和可靠的程序。[车]

$ H field (D) See: Deprecated Usage under "Handling Restrictions field".

$ H字段(D)请参阅“处理限制字段”下的不推荐使用。

$ hack 1a. (I) /verb/ To work on something, especially to program a computer. (See: hacker.)

$ 黑客1a。(一) /动词/做某事,尤指为计算机编程。(见:黑客)

1b. (I) /verb/ To do some kind of mischief, especially to play a prank on, or penetrate, a system. (See: hacker, cracker.)

1b。(一) 做某种恶作剧,尤指恶作剧或渗透系统。(请参阅:黑客、黑客。)

2. (I) /noun/ An item of completed work, or a solution for a problem, that is non-generalizable, i.e., is very specific to the application area or problem being solved.

2. (一) /noon/完成的工作项目或问题的解决方案,不可概括,即非常特定于所解决的应用领域或问题。

Tutorial: Often, the application area or problem involves computer programming or other use of a computer. Characterizing something as a hack can be a compliment, such as when the solution is minimal and elegant; or it can be derogatory, such as when the solution fixes the problem but leaves the system in an unmaintainable state.

教程:通常,应用领域或问题涉及计算机编程或计算机的其他使用。将某物描述为黑客可以是一种恭维,例如当解决方案是最小且优雅的;或者它可能是贬义的,例如当解决方案修复了问题,但使系统处于无法维护的状态时。

See [Raym] for several other meanings of this term and also definitions of several derivative terms.

有关该术语的其他含义以及几个衍生术语的定义,请参见[Raym]。

$ hacker 1. (I) Someone with a strong interest in computers, who enjoys learning about them, programming them, and experimenting and otherwise working with them. (See: hack. Compare: adversary, cracker, intruder.)

$ 黑客1。(一) 对计算机有浓厚兴趣的人,他们喜欢学习计算机、编程、实验和使用计算机。(参见:黑客。比较:敌手、黑客、入侵者。)

Usage: This first definition is the original meaning of the term (circa 1960); it then had a neutral or positive connotation of "someone who figures things out and makes something cool happen".

用法:第一个定义是该术语的原始含义(约1960年);然后,它有一个中性或积极的内涵,即“一个能把事情弄明白并让一些很酷的事情发生的人”。

2. (O) "An individual who spends an inordinate amount of time working on computer systems for other than professional purposes." [NCSSG]

2. (O) “在计算机系统上花费过多时间而非出于专业目的的个人。”[NCSSG]

3. (D) Synonym for "cracker".

3. (D) “饼干”的同义词。

Deprecated Usage: Today, the term is frequently (mis)used (especially by journalists) with definition 3.

不推荐的用法:今天,这个词经常(误用)(尤其是记者)在定义3中使用。

$ handle 1. (I) /verb/ Perform processing operations on data, such as receive and transmit, collect and disseminate, create and delete, store and retrieve, read and write, and compare. (See: access.)

$ 处理1。(一) /verb/对数据执行处理操作,如接收和发送、收集和分发、创建和删除、存储和检索、读和写以及比较。(请参阅:访问。)

2. (I) /noun/ An online pseudonym, particularly one used by a cracker; derived from citizens' band radio culture.

2. (一) /名词/网上的笔名,尤指黑客使用的;源自市民的波段无线电文化。

$ handling restriction (I) A type of access control other than (a) the rule-based protections of mandatory access control and (b) the identity-based protections of discretionary access control; usually involves administrative security.

$ 处理限制(I)除(A)基于规则的强制访问控制保护和(b)基于身份的自主访问控制保护以外的一种访问控制;通常涉及管理安全。

$ Handling Restrictions field (I) A 16-bit field that specifies a control and release marking in the security option (option type 130) of IP's datagram header format. The valid field values are alphanumeric digraphs assigned by the U.S. Government, as specified in RFC 791.

$ 处理限制字段(I)一个16位字段,指定IP数据报报头格式的安全选项(选项类型130)中的控制和释放标记。根据RFC 791的规定,有效字段值为美国政府指定的字母数字有向图。

Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "H field" because it is potentially ambiguous. Instead, use "Handling Restrictions field".

不推荐使用的缩写:IDOCs不应使用缩写“H字段”,因为它可能不明确。相反,请使用“处理限制字段”。

$ handshake (I) Protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other.

$ 握手(I)两个系统之间的协议对话,用于相互识别和验证自身,或用于使其操作同步。

$ Handshake Protocol (I) /TLS/ The TLS Handshake Protocol consists of three parts (i.e., subprotocols) that enable peer entities to agree upon security parameters for the record layer, authenticate themselves to each other, instantiate negotiated security parameters, and report error conditions to each other. [R4346]

$ 握手协议(I)/TLS/TLS握手协议由三个部分(即子协议)组成,使对等实体能够就记录层的安全参数达成一致,彼此进行身份验证,实例化协商的安全参数,并相互报告错误情况。[R4346]

$ harden (I) To protect a system by configuring it to operate in a way that eliminates or mitigates known vulnerabilities. Example: [RSCG]. (See: default account.)

$ 强化(I)通过配置系统以消除或缓解已知漏洞的方式运行来保护系统。示例:[RSCG]。(请参阅:默认帐户。)

$ hardware (I) The material physical components of an information system. (See: firmware, software.)

$ 硬件(I)信息系统的重要物理组件。(请参阅:固件、软件。)

$ hardware error (I) /threat action/ See: secondary definitions under "corruption", "exposure", and "incapacitation".

$ 硬件错误(I)/威胁行动/见“腐败”、“暴露”和“丧失能力”下的二级定义。

$ hardware token See: token.

$ 硬件令牌请参阅:令牌。

$ hash code (D) Synonym for "hash result" or "hash function".

$ 哈希代码(D)“哈希结果”或“哈希函数”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. A hash result is not a "code", and a hash function does not "encode" in any sense defined by this glossary. (See: hash value, message digest.)

不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。散列结果不是“代码”,散列函数也不是本术语表定义的任何意义上的“编码”。(请参阅:哈希值,消息摘要。)

$ hash function 1. (I) A function H that maps an arbitrary, variable-length bit string, s, into a fixed-length string, h = H(s) (called the "hash result"). For most computing applications, it is desirable that given a string s with H(s) = h, any change to s that creates a different string s' will result in an unpredictable hash result H(s') that is, with high probability, not equal to H(s).

$ 散列函数1。(一) 一种函数H,它将任意可变长度的位字符串s映射为固定长度的字符串H=H(s)(称为“哈希结果”)。对于大多数计算应用程序,理想的情况是给定一个H(s)=H的字符串s,对s的任何更改都会产生一个不可预测的散列结果H(s'),即高概率不等于H(s)。

2. (O) "A (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. A 'good' hash function is such that the results of applying the function to a (large) set of values in the domain will be evenly distributed (and apparently at random) over the range." [X509]

2. (O) “将大(可能非常大)域中的值映射到较小范围的(数学)函数。“良好”哈希函数是指将函数应用于域中的(大)值集的结果将均匀分布(显然是随机分布)在该范围内。”[X509]

Tutorial: A hash function operates on variable-length input (e.g., a message or a file) and outputs a fixed-length output, which typically is much shorter than most input values. If the algorithm is "good" as described in the "O" definition, then the hash function may be a candidate for use in a security mechanism to detect accidental changes in data, but not necessarily for a mechanism to detect changes made by active wiretapping. (See: Tutorial under "checksum".)

教程:哈希函数对可变长度输入(例如,消息或文件)进行操作,并输出固定长度的输出,通常比大多数输入值短得多。如果如“O”定义中所描述的算法是“好的”,则散列函数可以是在安全机制中用于检测数据中的意外变化的候选函数,但不一定是用于检测由活动窃听进行的变化的机制的候选函数。(请参阅“校验和”下的教程。)

Security mechanisms require a "cryptographic hash function" (e.g., MD2, MD4, MD5, SHA-1, Snefru), i.e., a good hash function that also has the one-way property and one of the two collision-free properties: - "One-way property": Given H and a hash result h = H(s), it is hard (i.e., computationally infeasible, "impossible") to find s. (Of course, given H and an input s, it must be relatively easy to compute the hash result H(s).) - "Weakly collision-free property": Given H and an input s, it is hard (i.e., computationally infeasible, "impossible") to find a different input, s', such that H(s) = H(s'). - "Strongly collision-free property": Given H, it is hard to find any pair of inputs s and s' such that H(s) = H(s').

安全机制需要一个“加密散列函数”(例如,MD2、MD4、MD5、SHA-1、Snefru),即一个好的散列函数,它也具有单向属性和两个无冲突属性中的一个:-“单向属性”:给定H和散列结果H=H(s),很难(即,计算上不可行,“不可能”)找到s。(当然,给定H和输入s,计算散列结果H(s)必须相对容易。”—“弱无冲突属性”:给定H和输入s,很难(即,计算上不可行,“不可能”)找到不同的输入s',使得H(s)=H(s')。-“强无碰撞特性”:给定H,很难找到任何一对输入s和s',使得H(s)=H(s')。

If H produces a hash result N bits long, then to find an s' where H(s') = H(s) for a specific given s, the amount of computation required is O(2**n); i.e., it is necessary to try on the order of 2 to the power n values of s' before finding a collision. However, to simply find any pair of values s and s' that collide, the amount of computation required is only O(2**(n/2)); i.e., after computing H(s) for 2 to the power n/2 randomly chosen values of s, the probability is greater than 1/2 that two of those values have the same hash result. (See: birthday attack.)

如果H产生一个N比特长的散列结果,那么为了找到一个s',其中H(s')=H(s),对于特定的给定s,所需的计算量是O(2**N);i、 例如,在发现碰撞之前,有必要尝试s'的幂n值的2阶。然而,为了简单地找到碰撞的任何一对值s和s’,所需的计算量仅为O(2**(n/2));i、 例如,在将2的H(s)计算为随机选择的s的n/2的幂之后,这些值中的两个具有相同散列结果的概率大于1/2。(见:生日攻击。)

$ hash result 1. (I) The output of a hash function. (See: hash code, hash value. Compare: hash value.)

$ 散列结果1。(一) 散列函数的输出。(请参阅:哈希代码、哈希值。比较:哈希值。)

2. (O) "The output produced by a hash function upon processing a message" (where "message" is broadly defined as "a digital representation of data"). [DSG]

2. (O) “哈希函数在处理消息时产生的输出”(其中“消息”广义上定义为“数据的数字表示”)。[DSG]

Usage: IDOCs SHOULD avoid the unusual usage of "message" that is seen in the "O" definition.

用法:idoc应该避免在“O”定义中看到的“message”的异常用法。

$ hash value (D) Synonym for "hash result".

$ 哈希值(D)是“哈希结果”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term for the output of a hash function; the term could easily be confused with "hashed value", which means the input to a hash function. (See: hash code, hash result, message digest.)

不推荐使用的术语:IDOCs不应将此术语用于哈希函数的输出;这个术语很容易与“散列值”混淆,即散列函数的输入。(请参阅:哈希代码、哈希结果、消息摘要。)

$ HDM (O) See: Hierarchical Development Methodology.

$ HDM(O)参见:分层开发方法。

$ Hierarchical Development Methodology (HDM) (O) A methodology, language, and integrated set of software tools developed at SRI International for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]

$ 分层开发方法(HDM)(O)SRI International开发的一套方法、语言和综合软件工具,用于指定、编码和验证软件,以生成正确可靠的程序。[车]

$ hierarchical PKI (I) A PKI architecture based on a certification hierarchy. (Compare: mesh PKI, trust-file PKI.)

$ 层次式PKI(I)基于证书层次结构的PKI体系结构。(比较:网状PKI、信任文件PKI。)

$ hierarchy management (I) The process of generating configuration data and issuing public-key certificates to build and operate a certification hierarchy. (See: certificate management.)

$ 层次结构管理(I)生成配置数据和颁发公钥证书以建立和运行证书层次结构的过程。(请参阅:证书管理。)

$ hierarchy of trust (D) Synonym for "certification hierarchy".

$ 信任层次结构(D)“认证层次结构”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. (See: certification hierarchy, trust, web of trust.)

不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。(请参阅:证书层次结构、信任、信任网。)

$ high-assurance guard (O) "An oxymoron," said Lt. Gen. William H. Campbell, former U.S. Army chief information officer, speaking at an Armed Forces Communications and Electronics Association conference.

$ 前美国陆军首席信息官威廉·H·坎贝尔中将在美国武装部队通信和电子协会的一次会议上说:“这是一个自相矛盾的说法。”。

Usage: IDOCs that use this term SHOULD state a definition for it because the term mixes concepts and could easily be misunderstood.

用法:使用这个术语的IDoc应该为它声明一个定义,因为这个术语混合了概念,很容易被误解。

$ hijack attack (I) A form of active wiretapping in which the attacker seizes control of a previously established communication association. (See: man-in-the-middle attack, pagejacking, piggyback attack.)

$ 劫持攻击(I)一种主动窃听形式,其中攻击者夺取了先前建立的通信关联的控制权。(参见:中间人攻击、页面劫持、背驮攻击。)

$ HIPAA (N) Health Information Portability and Accountability Act of 1996, a U.S. law (Public Law 104-191) that is intended to protect the privacy of patients' medical records and other health information in all forms, and mandates security for that information, including for its electronic storage and transmission.

$ 《1996年HIPAA(N)健康信息可移植性和责任法案》,一项美国法律(公法104-191),旨在保护患者医疗记录和其他各种形式健康信息的隐私,并要求对该信息进行安全保护,包括其电子存储和传输。

$ HMAC (I) A keyed hash [R2104] that can be based on any iterated cryptographic hash (e.g., MD5 or SHA-1), so that the cryptographic strength of HMAC depends on the properties of the selected cryptographic hash. (See: [R2202, R2403, R2404].)

$ HMAC(I)可基于任何迭代加密散列(例如,MD5或SHA-1)的键控散列[R2104],因此HMAC的加密强度取决于所选加密散列的属性。(参见:[R2202、R2403、R2404])

Derivation: Hash-based MAC. (Compare: CMAC.)

派生:基于哈希的MAC。(比较:CMAC。)

Tutorial: Assume that H is a generic cryptographic hash in which a function is iterated on data blocks of length B bytes. L is the length of the of hash result of H. K is a secret key of length L <= K <= B. The values IPAD and OPAD are fixed strings used as inner and outer padding and defined as follows: IPAD = the byte 0x36 repeated B times, and OPAD = the byte 0x5C repeated B times. HMAC is computed by H(K XOR OPAD, H(K XOR IPAD, inputdata)).

教程:假设H是一个通用加密哈希,其中函数在长度为B字节的数据块上迭代。L是H的散列结果的长度。K是长度为L<=K<=B的密钥。值IPAD和OPAD是用作内部和外部填充的固定字符串,定义如下:IPAD=字节0x36重复B次,OPAD=字节0x5C重复B次。HMAC由H(kxor OPAD,H(kxor IPAD,inputdata))计算。

HMAC has the following goals: - To use available cryptographic hash functions without modification, particularly functions that perform well in software and for which software is freely and widely available. - To preserve the original performance of the selected hash without significant degradation. - To use and handle keys in a simple way. - To have a well-understood cryptographic analysis of the strength of the mechanism based on reasonable assumptions about the underlying hash function. - To enable easy replacement of the hash function in case a faster or stronger hash is found or required.

HMAC有以下目标:-不经修改地使用可用的加密哈希函数,特别是在软件中性能良好且软件可自由广泛使用的函数。-以保持所选哈希的原始性能而不会显著降级。-以简单的方式使用和处理按键。-基于对底层哈希函数的合理假设,对机制的强度进行充分理解的密码分析。-在发现或需要更快或更强的散列时,可以轻松替换散列函数。

$ honey pot (N) A system (e.g., a web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears. (See: entrapment.)

$ 蜜罐(honey pot)(N)一种系统(如web服务器)或系统资源(如服务器上的文件),旨在吸引潜在的黑客和入侵者,如蜂蜜吸引熊。(见:诱捕。)

Usage: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, an IDOC SHOULD NOT use this term without providing a definition for it. (See: Deprecated Usage under "Green Book".)

用法:其他文化可能对此概念使用不同的隐喻。因此,为避免国际误解,IDOC不应在未提供定义的情况下使用该术语。(请参阅“绿皮书”下不推荐的用法。)

$ host 1. (I) /general/ A computer that is attached to a communication subnetwork or internetwork and can use services provided by the network to exchange data with other attached systems. (See: end system. Compare: server.)

$ 主持人1。(一) /general/连接到通信子网或互联网络的计算机,可以使用网络提供的服务与其他连接的系统交换数据。(请参见:结束系统。比较:服务器。)

2. (I) /IPS/ A networked computer that does not forward IP packets that are not addressed to the computer itself. (Compare: router.)

2. (一) /IPS/不转发未寻址到计算机本身的IP数据包的网络计算机。(比较:路由器。)

Derivation: As viewed by its users, a host "entertains" them, providing Application-Layer services or access to other computers attached to the network. However, even though some traditional peripheral service devices, such as printers, can now be

派生:在用户看来,主机“招待”他们,提供应用层服务或访问连接到网络的其他计算机。然而,即使一些传统的外围服务设备,如打印机,现在可以

independently connected to networks, they are not usually called hosts.

它们独立连接到网络,通常不称为主机。

$ HTML (I) See: Hypertext Markup Language.

$ HTML(I)见:超文本标记语言。

$ HTTP (I) See: Hypertext Transfer Protocol.

$ HTTP(I)参见:超文本传输协议。

$ https (I) When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL. (Compare: S-HTTP.)

$ https(I)当用于URL的第一部分(冒号之前的部分并指定访问方案或协议)时,该术语指定使用通过安全机制(通常为SSL)增强的HTTP。(比较:S-HTTP。)

$ human error (I) /threat action/ See: secondary definitions under "corruption", "exposure", and "incapacitation".

$ 人为错误(I)/威胁行动/见“腐败”、“暴露”和“丧失行为能力”下的二级定义。

$ hybrid encryption (I) An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption. Examples: digital envelope, MSP, PEM, PGP. (Compare: superencryption.)

$ 混合加密(I)结合两种或两种以上加密算法的加密应用,尤其是对称和非对称加密的组合。示例:数字信封、MSP、PEM、PGP。(比较:超级加密。)

Tutorial: Asymmetric algorithms require more computation than equivalently strong symmetric ones. Thus, asymmetric encryption is not normally used for data confidentiality except to distribute a symmetric key in a hybrid encryption scheme, where the symmetric key is usually very short (in terms of bits) compared to the data file it protects. (See: bulk key.)

教程:非对称算法比等价的强对称算法需要更多的计算。因此,非对称加密通常不用于数据保密,除非在混合加密方案中分发对称密钥,其中对称密钥通常比其保护的数据文件短(以位计)。(请参阅:批量密钥。)

$ hyperlink (I) In hypertext or hypermedia, an information object (such as a word, a phrase, or an image, which usually is highlighted by color or underscoring) that points (i.e., indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link (e.g., by selecting the object with a mouse pointer and then clicking).

$ 超链接(I)在超文本或超媒体中,一种信息对象(如单词、短语或图像,通常以颜色或下划线突出显示),它指向(即指示如何连接)位于别处的相关信息,并可通过激活链接检索(例如,用鼠标指针选择对象,然后单击)。

$ hypermedia (I) A generalization of hypertext; any media that contain hyperlinks that point to material in the same or another data object.

$ 超媒体(I)超文本的泛化;包含指向同一或另一数据对象中的材质的超链接的任何媒体。

$ hypertext (I) A computer document, or part of a document, that contains hyperlinks to other documents; i.e., text that contains active pointers to other text. Usually written in HTML and accessed using a web browser. (See: hypermedia.)

$ 超文本(I)包含指向其他文件超链接的计算机文件或文件的一部分;i、 例如,包含指向其他文本的活动指针的文本。通常用HTML编写并使用web浏览器访问。(请参阅:超媒体。)

$ Hypertext Markup Language (HTML) (I) A platform-independent system of syntax and semantics (RFC 1866) for adding characters to data files (particularly text files) to represent the data's structure and to point to related data, thus creating hypertext for use in the World Wide Web and other applications. (Compare: XML.)

$ 超文本标记语言(HTML)(I)一种独立于平台的语法和语义系统(RFC 1866),用于向数据文件(尤其是文本文件)添加字符,以表示数据的结构并指向相关数据,从而创建超文本,供万维网和其他应用程序使用。(比较:XML。)

$ Hypertext Transfer Protocol (HTTP) (I) A TCP-based, Application-Layer, client-server, Internet protocol (RFC 2616) that is used to carry data requests and responses in the World Wide Web. (See: hypertext.)

$ 超文本传输协议(HTTP)(I)基于TCP的应用层、客户机-服务器、互联网协议(RFC 2616),用于在万维网中传输数据请求和响应。(请参阅:超文本。)

$ IAB (I) See: Internet Architecture Board.

$ IAB(I)见:互联网架构委员会。

$ IANA (I) See: Internet Assigned Numbers Authority.

$ IANA(I)见:互联网分配号码管理局。

$ IATF (O) See: Information Assurance Technical Framework.

$ IATF(O)见:信息保障技术框架。

$ ICANN (I) See: Internet Corporation for Assigned Names and Numbers.

$ ICANN(I)见:互联网名称和号码分配公司。

$ ICMP (I) See: Internet Control Message Protocol.

$ ICMP(I)见:互联网控制消息协议。

$ ICMP flood (I) A denial-of-service attack that sends a host more ICMP echo request ("ping") packets than the protocol implementation can handle. (See: flooding, smurf.)

$ ICMP洪泛(I)一种拒绝服务攻击,它向主机发送的ICMP回显请求(“ping”)数据包超过协议实现所能处理的数量。(见:洪水,蓝精灵)

$ ICRL (N) See: indirect certificate revocation list.

$ ICRL(N)参见:间接证书撤销列表。

$ IDEA (N) See: International Data Encryption Algorithm.

$ IDEA(N)见:国际数据加密算法。

$ identification (I) An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities. (See: authentication.)

$ 识别(I)向系统提供标识符的行为或过程,以便系统能够识别系统实体并将其与其他实体区分开来。(请参阅:身份验证。)

$ identification information (D) Synonym for "identifier"; synonym for "authentication information". (See: authentication, identifying information.)

$ 识别信息(D)“标识符”的同义词;“身份验证信息”的同义词。(请参阅:身份验证,识别信息。)

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; this term (a) is not as precise as they are and (b) mixes concepts in a potentially misleading way. Instead, use "identifier" or "authentication information", depending on what is meant.

不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这个术语(a)并不像它们那样精确,(b)以一种潜在的误导方式混合了概念。相反,使用“标识符”或“身份验证信息”,具体取决于其含义。

$ Identification Protocol (I) A client-server Internet protocol [R1413] for learning the identity of a user of a particular TCP connection.

$ 识别协议(I)用于了解特定TCP连接用户身份的客户机-服务器互联网协议[R1413]。

Tutorial: Given a TCP port number pair, the server returns a character string that identifies the owner of that connection on the server's system. The protocol does not provide an authentication service and is not intended for authorization or access control. At best, it provides additional auditing information with respect to TCP.

教程:给定TCP端口号对,服务器返回一个字符串,该字符串标识服务器系统上该连接的所有者。该协议不提供身份验证服务,也不用于授权或访问控制。充其量,它提供了有关TCP的额外审计信息。

$ identifier (I) A data object -- often, a printable, non-blank character string -- that definitively represents a specific identity of a system entity, distinguishing that identity from all others. (Compare: identity.)

$ 标识符(I)一个数据对象——通常是一个可打印的非空字符串——它最终表示系统实体的特定标识,将该标识与所有其他标识区分开来。(比较:标识。)

Tutorial: Identifiers for system entities must be assigned very carefully, because authenticated identities are the basis for other security services, such as access control service.

教程:必须非常小心地分配系统实体的标识符,因为经过身份验证的标识是其他安全服务(如访问控制服务)的基础。

$ identifier credential 1. (I) See: /authentication/ under "credential".

$ 标识符凭据1。(一) 请参阅“凭证”下的:/authentication/。

2. (D) Synonym for "signature certificate".

2. (D) “签名证书”的同义词。

Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

用法:使用此术语的IDoc应说明其定义,因为该术语的使用方式多种多样,很容易被误解。

$ identifying information (D) Synonym for "identifier"; synonym for "authentication information". (See: authentication, identification information.)

$ 识别信息(D)“标识符”的同义词;“身份验证信息”的同义词。(请参阅:身份验证、标识信息。)

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; this term (a) is not as precise as they are and (b) mixes concepts in a potentially misleading way. Instead,

不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这个术语(a)并不像它们那样精确,(b)以一种潜在的误导方式混合了概念。相反

use "identifier" or "authentication information", depending on what is meant.

根据含义使用“标识符”或“身份验证信息”。

$ identity (I) The collective aspect of a set of attribute values (i.e., a set of characteristics) by which a system user or other system entity is recognizable or known. (See: authenticate, registration. Compare: identifier.)

$ 标识(I)一组属性值(即一组特征)的集合方面,通过该集合,系统用户或其他系统实体是可识别或已知的。(请参阅:验证、注册。比较:标识符。)

Usage: An IDOC MAY apply this term to either a single entity or a set of entities. If an IDOC involves both meanings, the IDOC SHOULD use the following terms and definitions to avoid ambiguity: - "Singular identity": An identity that is registered for an entity that is one person or one process. - "Shared identity": An identity that is registered for an entity that is a set of singular entities (1) in which each member is authorized to assume the identity individually and (2) for which the registering system maintains a record of the singular entities that comprise the set. In this case, we would expect each member entity to be registered with a singular identity before becoming associated with the shared identity. - "Group identity": An identity that is registered for an entity (1) that is a set of entities (2) for which the registering system does not maintain a record of singular entities that comprise the set.

用法:IDOC可以将此术语应用于单个实体或一组实体。如果IDOC同时包含两种含义,IDOC应使用以下术语和定义以避免歧义:-“单一身份”:为一个人或一个过程的实体注册的身份。-“共享身份”:为一个实体注册的身份,该实体是一组单一实体(1),其中每个成员都有权单独使用该身份,以及(2)注册系统维护组成该集合的单一实体的记录。在这种情况下,我们希望每个成员实体在与共享身份关联之前都以单一身份注册。-“集团身份”:为一个实体(1)注册的身份,该实体(1)是一组实体(2),注册系统不维护组成该组实体的单一实体的记录。

Tutorial: When security services are based on identities, two properties are desirable for the set of attributes used to define identities: - The set should be sufficient to distinguish each entity from all other entities, i.e., to represent each entity uniquely. - The set should be sufficient to distinguish each identity from any other identities of the same entity.

教程:当安全服务基于标识时,用于定义标识的属性集需要两个属性:-该属性集应足以将每个实体与所有其他实体区分开来,即唯一地表示每个实体。-该集合应足以将每个标识与同一实体的任何其他标识区分开来。

The second property is needed if a system permits an entity to register two or more concurrent identities. Having two or more identities for the same entity implies that the entity has two separate justifications for registration. In that case, the set of attributes used for identities must be sufficient to represent multiple identities for a single entity.

如果系统允许实体注册两个或多个并发身份,则需要第二个属性。同一实体拥有两个或多个身份意味着该实体有两个单独的注册理由。在这种情况下,用于标识的属性集必须足以表示单个实体的多个标识。

Having two or more identities registered for the same entity is different from concurrently associating two different identifiers with the same identity, and also is different from a single identity concurrently accessing the system in two different roles. (See: principal, role-based access control.)

为同一实体注册两个或多个标识不同于将两个不同标识符与同一标识同时关联,也不同于以两个不同角色同时访问系统的单个标识。(请参阅:主体,基于角色的访问控制。)

When an identity of a user is being registered in a system, the system may require presentation of evidence that proves the identity's authenticity (i.e., that the user has the right to claim or use the identity) and its eligibility (i.e., that the identity is qualified to be registered and needs to be registered).

当用户的身份正在系统中注册时,系统可能要求出示证明该身份的真实性(即,用户有权要求或使用该身份)及其资格(即,该身份有资格注册且需要注册)的证据。

The following diagram illustrates how this term relates to some other terms in a PKI system: authentication information, identifier, identifier credential, registration, registered user, subscriber, and user.

下图说明了该术语与PKI系统中的其他一些术语的关系:身份验证信息、标识符、标识符凭证、注册、注册用户、订户和用户。

      Relationships:  === one-to-one, ==> one-to-many, <=> many-to-many.
                  +- - - - - - - - - - - - - - - - - - - - - - - - - - +
                  |                      PKI System                    |
      + - - - - + | +------------------+   +-------------------------+ |
      |  User,  | | |Subscriber, i.e., |   | Identity of Subscriber  | |
      |i.e., one| | | Registered User, |   |    is system-unique     | |
      | of the  | | | is system-unique |   | +---------------------+ | |
      |following| | | +--------------+ |   | |     Subscriber      | | |
      |         | | | | User's core  | |   | |     Identity's      | | |
      | +-----+ |===| | Registration | |==>| |  Registration data  | | |
      | |human| | | | | data, i.e.,  | |   | |+-------------------+| | |
      | |being| | | | | an entity's  | |   | ||  same core data   || | |
      | +-----+ | | | |distinguishing|========|for all Identities || | |
      |   or    | | | |  attribute   | |   | || of the same User  || | |
      | +-----+ | | | |   values     | | +===|+-------------------+| | |
      | |auto-| | | | +--------------+ | | | +---------------------+ | |
      | |mated| | | +------------------+ | +------------|------------+ |
      | |pro- | | |         |    +=======+              |              |
      | |cess | | | +-------v----|----------------------|------------+ |
      | +-----+ | | | +----------v---+     +------------v----------+ | |
      |   or    | | | |Authentication|<===>|Identifier of Identity | | |
      |+-------+| | | | Information  |     |    is system-unique   | | |
      || a set || | | +--------------+     +-----------------------+ | |
      ||  of   || | | Identifier Credential that associates unit of  | |
      || either|| | | Authentication Information with the Identifier | |
      |+-------+| | +------------------------------------------------+ |
      + - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - -+
        
      Relationships:  === one-to-one, ==> one-to-many, <=> many-to-many.
                  +- - - - - - - - - - - - - - - - - - - - - - - - - - +
                  |                      PKI System                    |
      + - - - - + | +------------------+   +-------------------------+ |
      |  User,  | | |Subscriber, i.e., |   | Identity of Subscriber  | |
      |i.e., one| | | Registered User, |   |    is system-unique     | |
      | of the  | | | is system-unique |   | +---------------------+ | |
      |following| | | +--------------+ |   | |     Subscriber      | | |
      |         | | | | User's core  | |   | |     Identity's      | | |
      | +-----+ |===| | Registration | |==>| |  Registration data  | | |
      | |human| | | | | data, i.e.,  | |   | |+-------------------+| | |
      | |being| | | | | an entity's  | |   | ||  same core data   || | |
      | +-----+ | | | |distinguishing|========|for all Identities || | |
      |   or    | | | |  attribute   | |   | || of the same User  || | |
      | +-----+ | | | |   values     | | +===|+-------------------+| | |
      | |auto-| | | | +--------------+ | | | +---------------------+ | |
      | |mated| | | +------------------+ | +------------|------------+ |
      | |pro- | | |         |    +=======+              |              |
      | |cess | | | +-------v----|----------------------|------------+ |
      | +-----+ | | | +----------v---+     +------------v----------+ | |
      |   or    | | | |Authentication|<===>|Identifier of Identity | | |
      |+-------+| | | | Information  |     |    is system-unique   | | |
      || a set || | | +--------------+     +-----------------------+ | |
      ||  of   || | | Identifier Credential that associates unit of  | |
      || either|| | | Authentication Information with the Identifier | |
      |+-------+| | +------------------------------------------------+ |
      + - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - -+
        

$ identity-based security policy (I) "A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed." [I7498-2] (See: rule-based security policy.)

$ 基于身份的安全策略(I)“基于用户、一组用户或代表用户和被访问资源/对象的实体的身份和/或属性的安全策略。”[I7498-2](请参阅:基于规则的安全策略。)

$ identity proofing (I) A process that vets and verifies the information that is used to establish the identity of a system entity. (See: registration.)

$ 身份验证(I)审查和验证用于确定系统实体身份的信息的过程。(见:注册。)

$ IDOC (I) An abbreviation used in this Glossary to refer to a document or other item of written material that is generated in the Internet Standards Process (RFC 2026), i.e., an RFC, an Internet-Draft, or some other item of discourse.

$ IDOC(I)本词汇表中使用的缩写词,指在互联网标准过程(RFC 2026)中生成的文件或其他书面材料,即RFC、互联网草案或其他一些论述项目。

Deprecated Usage: This abbreviation SHOULD NOT be used in an IDOC unless it is first defined in the IDOC because the abbreviation was invented for this Glossary and is not widely known.

不推荐使用:除非IDOC中首先定义了该缩写,否则不应在IDOC中使用该缩写,因为该缩写是为本词汇表而发明的,并不广为人知。

$ IDS (I) See: intrusion detection system.

$ IDS(一)见:入侵检测系统。

$ IEEE (N) See: Institute of Electrical and Electronics Engineers, Inc.

$ IEEE(N)见:电气和电子工程师协会。

$ IEEE 802.10 (N) An IEEE committee developing security standards for LANs. (See: SILS.)

$ IEEE 802.10(N)IEEE为局域网制定安全标准的委员会。(见:SILS)

$ IEEE P1363 (N) An IEEE working group, Standard for Public-Key Cryptography, engaged in developing a comprehensive reference standard for asymmetric cryptography. Covers discrete logarithm (e.g., DSA), elliptic curve, and integer factorization (e.g., RSA); and covers key agreement, digital signature, and encryption.

$ IEEE P1363(N)IEEE公开密钥加密标准工作组,致力于开发非对称加密的综合参考标准。包括离散对数(如DSA)、椭圆曲线和整数因式分解(如RSA);包括密钥协议、数字签名和加密。

$ IESG (I) See: Internet Engineering Steering Group.

$ IESG(I)见:互联网工程指导小组。

$ IETF (I) See: Internet Engineering Task Force.

$ IETF(I)见:互联网工程任务组。

$ IKE (I) See: IPsec Key Exchange.

$ IKE(I)参见:IPsec密钥交换。

$ IMAP4 (I) See: Internet Message Access Protocol, version 4.

$ IMAP4(I)见:互联网信息访问协议,第4版。

$ IMAP4 AUTHENTICATE (I) An IMAP4 command (better described as a transaction type, or subprotocol) by which an IMAP4 client optionally proposes a mechanism to an IMAP4 server to authenticate the client to the server and provide other security services. (See: POP3.)

$ IMAP4 AUTHENTICATE(I)IMAP4命令(更好地描述为事务类型或子程序),通过该命令,IMAP4客户端可选地向IMAP4服务器提出一种机制,以向服务器验证客户端并提供其他安全服务。(见:POP3。)

Tutorial: If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms that are used by IMAP4 AUTHENTICATE -- including Kerberos, GSS-API, and S/Key -- are described in [R1731].

教程:如果服务器接受该建议,则该命令后面将执行质询-响应身份验证协议,并(可选)协商后续POP3交互的保护机制。IMAP4身份验证使用的安全机制(包括Kerberos、GSS-API和S/Key)在[R1731]中进行了描述。

$ impossible (O) Cannot be done in any reasonable amount of time. (See: break, brute force, strength, work factor.)

$ 不可能(O)不能在任何合理的时间内完成。(参见:断裂、强力、强度、功系数。)

$ in the clear (I) Not encrypted. (See: clear text.)

$ 在clear(I)中,未加密。(请参阅:明文。)

$ Ina Jo (O) A methodology, language, and integrated set of software tools developed at the System Development Corporation for specifying, coding, and verifying software to produce correct and reliable programs. Usage: a.k.a. the Formal Development Methodology. [Cheh]

$ Ina Jo(O):由系统开发公司开发的一套方法、语言和集成的软件工具,用于指定、编码和验证软件,以生成正确可靠的程序。用法:又称正式开发方法。[车]

$ incapacitation (I) A type of threat action that prevents or interrupts system operation by disabling a system component. (See: disruption.)

$ 失效(I)一种通过禁用系统组件来阻止或中断系统运行的威胁行为。(见:中断。)

Usage: This type of threat action includes the following subtypes: - "Malicious logic": In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally introduced into a system to destroy system functions or resources. (See: corruption, main entry for "malicious logic", masquerade, misuse.) - "Physical destruction": Deliberate destruction of a system component to interrupt or prevent system operation. - "Human error": /incapacitation/ Action or inaction that unintentionally disables a system component. (See: corruption, exposure.) - "Hardware or software error": /incapacitation/ Error that unintentionally causes failure of a system component and leads to disruption of system operation. (See: corruption, exposure.) - "Natural disaster": /incapacitation/ Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component. [FP031 Section 2]

用法:这种类型的威胁行为包括以下子类型:-“恶意逻辑”:在丧失能力的情况下,故意引入系统以破坏系统功能或资源的任何硬件、固件或软件(如逻辑炸弹)。(请参阅:损坏、“恶意逻辑”、伪装、误用的主要条目。)-“物理破坏”:故意破坏系统组件以中断或阻止系统运行。-“人为错误”:/无能力/无意中禁用系统组件的操作或不操作。(请参阅:损坏、暴露)-“硬件或软件错误”:/失效/无意中导致系统组件故障并导致系统操作中断的错误。(参见:腐败、暴露)-“自然灾害”:/丧失能力/任何导致系统组件失效的“天灾”(如火灾、洪水、地震、闪电或风)。[FP031第2节]

$ incident See: security incident.

$ 事件见:安全事件。

$ INCITS (N) See: "International Committee for Information Technology Standardization" under "ANSI".

$ INCITS(N)见“ANSI”下的“国际信息技术标准化委员会”。

$ indicator (N) An action -- either specific, generalized, or theoretical -- that an adversary might be expected to take in preparation for an attack. [C4009] (See: "attack sensing, warning, and response". Compare: message indicator.)

$ 指标(N)一种行动——具体的、概括的或理论上的——对手为准备攻击而可能采取的行动。[C4009](请参阅:“攻击感知、警告和响应”。比较:消息指示器。)

$ indirect attack (I) See: secondary definition under "attack". Compare: direct attack.

$ 间接攻击(I)见“攻击”下的第二定义。比较:直接攻击。

$ indirect certificate revocation list (ICRL) (N) In X.509, a CRL that may contain certificate revocation notifications for certificates issued by CAs other than the issuer (i.e., signer) of the ICRL.

$ 间接证书撤销列表(ICRL)(N)X.509中的一种CRL,其中可能包含由CA(而非ICRL的颁发者(即签名者))颁发的证书的证书撤销通知。

$ indistinguishability (I) An attribute of an encryption algorithm that is a formalization of the notion that the encryption of some string is indistinguishable from the encryption of an equal-length string of nonsense. (Compare: semantic security.)

$ 不可区分性(I)加密算法的一个属性,它是某种字符串加密与等长无意义字符串加密不可区分这一概念的形式化。(比较:语义安全性。)

$ inference 1. (I) A type of threat action that reasons from characteristics or byproducts of communication and thereby indirectly accesses sensitive data, but not necessarily the data contained in the communication. (See: traffic analysis, signal analysis.)

$ 推论1。(一) 一种威胁行为,由通信的特征或副产品引起,从而间接访问敏感数据,但不一定访问通信中包含的数据。(参见:交通分析、信号分析。)

2. (I) A type of threat action that indirectly gains unauthorized access to sensitive information in a database management system by correlating query responses with information that is already known.

2. (一) 一种威胁行为,通过将查询响应与已知信息关联起来,间接获得对数据库管理系统中敏感信息的未经授权访问。

$ inference control (I) Protection of data confidentiality against inference attack. (See: traffic-flow confidentiality.)

$ 推理控制(I)针对推理攻击保护数据机密性。(请参阅:交通流保密。)

Tutorial: A database management system containing N records about individuals may be required to provide statistical summaries about subsets of the population, while not revealing sensitive information about a single individual. An attacker may try to obtain sensitive information about an individual by isolating a desired record at the intersection of a set of overlapping queries. A system can attempt to prevent this by restricting the size and overlap of query sets, distorting responses by rounding or otherwise perturbing database values, and limiting queries to random samples. However, these techniques may be impractical to implement or use, and no technique is totally effective. For example, restricting the minimum size of a query set -- that is,

教程:可能需要一个包含N条个人记录的数据库管理系统,以提供关于人口子集的统计摘要,同时不披露关于单个个人的敏感信息。攻击者可能试图通过在一组重叠查询的交叉点隔离所需记录来获取有关个人的敏感信息。系统可以通过限制查询集的大小和重叠,通过舍入或以其他方式干扰数据库值来扭曲响应,以及将查询限制为随机样本来尝试防止这种情况。然而,这些技术可能无法实现或使用,并且没有一种技术是完全有效的。例如,限制查询集的最小大小--即,

not responding to queries for which there are fewer than K or more than N-K records that satisfy the query -- usually cannot prevent unauthorized disclosure. An attacker can pad small query sets with extra records, and then remove the effect of the extra records. The formula for identifying the extra records is called the "tracker". [Denns]

不响应满足查询的记录少于K条或多于N-K条的查询通常无法防止未经授权的泄露。攻击者可以用额外记录填充小查询集,然后删除额外记录的影响。识别额外记录的公式称为“跟踪器”。[丹尼斯]

$ INFOCON (O) See: information operations condition

$ 信息大会(O)见:信息操作条件

$ informal (N) Expressed in natural language. [CCIB] (Compare: formal, semiformal.)

$ 非正式的(N)用自然语言表达。[CCIB](比较:正式、半正式。)

$ information 1. (I) Facts and ideas, which can be represented (encoded) as various forms of data.

$ 信息1。(一) 事实和想法,可以表示(编码)为各种形式的数据。

2. (I) Knowledge -- e.g., data, instructions -- in any medium or form that can be communicated between system entities.

2. (一) 系统实体之间可以交流的任何媒介或形式的知识,例如数据、指令。

Tutorial: Internet security could be defined simply as protecting information in the Internet. However, the perceived need to use different protective measures for different types of information (e.g., authentication information, classified information, collateral information, national security information, personal information, protocol control information, sensitive compartmented information, sensitive information) has led to the diversity of terminology listed in this Glossary.

教程:Internet安全可以简单地定义为保护Internet中的信息。然而,对于不同类型的信息(例如,认证信息、机密信息、辅助信息、国家安全信息、个人信息、协议控制信息、敏感分隔信息、敏感信息)使用不同保护措施的感知需求这导致了本词汇表中所列术语的多样性。

$ information assurance (N) /U.S. Government/ "Measures that protect and defend information and information systems by ensuring their availability integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." [C4009]

$ 信息保证(N)/美国政府/“通过确保信息和信息系统的可用性、完整性、身份验证、机密性和不可否认性来保护和保护信息和信息系统的措施。这些措施包括通过整合保护、检测和反应能力来恢复信息系统。”[C4009]

$ Information Assurance Technical Framework (IATF) (O) A publicly available document [IATF], developed through a collaborative effort by organizations in the U.S. Government and industry, and issued by NSA. Intended for security managers and system security engineers as a tutorial and reference document about security problems in information systems and networks, to improve awareness of tradeoffs among available technology solutions and of desired characteristics of security approaches for particular problems. (See: ISO 17799, [SP14].)

$ 信息保障技术框架(IATF)(O):一份公开的文件[IATF],由美国政府和行业组织合作开发,由NSA发布。面向安全管理人员和系统安全工程师,作为信息系统和网络安全问题的教程和参考文件,以提高对可用技术解决方案之间的权衡以及对特定问题的安全方法所需特性的认识。(见:ISO 17799[SP14]。)

$ information domain (O) See: secondary definition under "domain".

$ 信息领域(O)见“领域”下的二级定义。

$ information domain security policy (O) See: secondary definition under "domain".

$ 信息域安全策略(O)请参阅“域”下的二级定义。

$ information flow policy (N) /formal model/ A triple consisting of a set of security levels (or their equivalent security labels), a binary operator that maps each pair of security levels into a security level, and a binary relation on the set that selects a set of pairs of levels such that information is permitted to flow from an object of the first level to an object of the second level. (See: flow control, lattice model.)

$ 信息流策略(N)/正式模型/由一组安全级别(或其等效安全标签)组成的三元组,一个将每对安全级别映射到一个安全级别的二进制运算符,以及所述集合上的二元关系,所述二元关系选择一组成对的层级,从而允许信息从第一层级的对象流向第二层级的对象。(请参见:流控制,晶格模型。)

$ information operations condition (INFOCON) (O) /U.S. DoD/ A comprehensive defense posture and response based on the status of information systems, military operations, and intelligence assessments of adversary capabilities and intent. (See: threat)

$ 信息作战条件(INFOCON)(O)/美国国防部/基于信息系统状态、军事行动和敌方能力和意图的情报评估的综合防御态势和反应。(见:威胁)

Derivation: From DEFCON, i.e., defense condition.

推导:来自DEFCON,即防御条件。

Tutorial: The U.S. DoD defines five INFOCON levels: NORMAL (normal activity), ALPHA (increased risk of attack), BRAVO (specific risk of attack), CHARLIE (limited attack), and DELTA (general attack).

教程:美国国防部定义了五个信息控制级别:正常(正常活动)、ALPHA(增加攻击风险)、BRAVO(特定攻击风险)、CHARLIE(有限攻击)和DELTA(一般攻击)。

$ information security (INFOSEC) (N) Measures that implement and assure security services in information systems, including in computer systems (see: COMPUSEC) and in communication systems (see: COMSEC).

$ 信息安全(INFOSEC)(N)在信息系统中实施和确保安全服务的措施,包括在计算机系统(见:COMPUSEC)和通信系统(见:COMSEC)中。

$ information system (I) An organized assembly of computing and communication resources and procedures -- i.e., equipment and services, together with their supporting infrastructure, facilities, and personnel -- that create, collect, record, process, store, transport, retrieve, display, disseminate, control, or dispose of information to accomplish a specified set of functions. (See: system entity, system resource. Compare: computer platform.)

$ 信息系统(I)计算和通信资源和程序的有组织的集合,即设备和服务及其支持基础设施、设施和人员,用于创建、收集、记录、处理、存储、运输、检索、显示、传播、控制、,或处理信息以完成指定的一组功能。(请参阅:系统实体、系统资源。比较:计算机平台。)

$ Information Technology Security Evaluation Criteria (ITSEC) (N) A Standard [ITSEC] jointly developed by France, Germany, the Netherlands, and the United Kingdom for use in the European Union; accommodates a wider range of security assurance and functionality combinations than the TCSEC. Superseded by the Common Criteria.

$ 信息技术安全评估标准(ITSEC)(N)由法国、德国、荷兰和英国联合制定的供欧盟使用的标准[ITSEC];与TCSEC相比,它提供了更广泛的安全保证和功能组合。被共同标准取代。

$ INFOSEC (I) See: information security.

$ 信息安全(一)见:信息安全。

$ ingress filtering (I) A method [R2827] for countering attacks that use packets with false IP source addresses, by blocking such packets at the boundary between connected networks.

$ 入口过滤(I)一种方法[R2827],用于通过在连接的网络之间的边界处阻止使用具有虚假IP源地址的数据包的攻击。

Tutorial: Suppose network A of an internet service provider (ISP) includes a filtering router that is connected to customer network B, and an attacker in B at IP source address "foo" attempts to send packets with false source address "bar" into A. The false address may be either fixed or randomly changing, and it may either be unreachable or be a forged address that legitimately exists within either B or some other network C. In ingress filtering, the ISP's router blocks all inbound packet that arrive from B with a source address that is not within the range of legitimately advertised addresses for B. This method does not prevent all attacks that can originate from B, but the actual source of such attacks can be more easily traced because the originating network is known.

教程:假设internet服务提供商(ISP)的网络A包含一个连接到客户网络B的过滤路由器,B中IP源地址为“foo”的攻击者试图将假源地址为“bar”的数据包发送到A。假地址可能是固定的,也可能是随机变化的,它可能是不可访问的,或者是合法存在于B或其他网络C中的伪造地址。在入口过滤中,ISP的路由器阻止从B到达的所有入站数据包,这些数据包的源地址不在合法公布的B地址范围内。这种方法不能阻止所有可能源于B的攻击,但由于源网络已知,因此可以更容易地追踪此类攻击的实际源。

$ initialization value (IV) (I) /cryptography/ An input parameter that sets the starting state of a cryptographic algorithm or mode. (Compare: activation data.)

$ 初始化值(IV)(I)/加密/设置加密算法或模式的启动状态的输入参数。(比较:激活数据。)

Tutorial: An IV can be used to synchronize one cryptographic process with another; e.g., CBC, CFB, and OFB use IVs. An IV also can be used to introduce cryptographic variance (see: salt) besides that provided by a key.

教程:IV可用于同步一个加密进程与另一个加密进程;e、 g、CBC、CFB和OFB使用IVs。除了密钥提供的密码差异外,IV还可以用于引入密码差异(参见:salt)。

$ initialization vector (D) /cryptography/ Synonym for "initialization value".

$ 初始化向量(D)/密码学/同义词“初始化值”。

Deprecated Term: To avoid international misunderstanding, IDOCs SHOULD NOT use this term in the context of cryptography because most dictionary definitions of "vector" includes a concept of direction or magnitude, which are irrelevant to cryptographic use.

不推荐使用的术语:为避免国际误解,IDOC不应在加密上下文中使用此术语,因为大多数字典中对“向量”的定义都包含方向或大小的概念,这与加密使用无关。

$ insertion 1. (I) /packet/ See: secondary definition under "stream integrity service".

$ 插入1。(一) /packet/请参阅“流完整性服务”下的二级定义。

2. (I) /threat action/ See: secondary definition under "falsification".

2. (一) /威胁行动/见“伪造”下的二级定义。

$ inside attack (I) See: secondary definition under "attack". Compare: insider.

$ 内部攻击(I)见“攻击”下的二级定义。比较:内幕人士。

$ insider 1. (I) A user (usually a person) that accesses a system from a position that is inside the system's security perimeter. (Compare: authorized user, outsider, unauthorized user.)

$ 内幕人士1。(一) 从系统安全边界内的位置访问系统的用户(通常是个人)。(比较:授权用户、外部用户、未授权用户。)

Tutorial: An insider has been assigned a role that has more privileges to access system resources than do some other types of users, or can access those resources without being constrained by some access controls that are applied to outside users. For example, a salesclerk is an insider who has access to the cash register, but a store customer is an outsider.

教程:已为内部人员分配了一个角色,该角色具有比其他类型用户更多的访问系统资源的权限,或者可以访问这些资源,而不受应用于外部用户的某些访问控制的约束。例如,售货员是可以使用收银机的内部人员,而商店客户是外部人员。

The actions performed by an insider in accessing the system may be either authorized or unauthorized; i.e., an insider may act either as an authorized user or as an unauthorized user.

内幕人士在访问系统时所采取的行动可能是授权的,也可能是未经授权的;i、 例如,内幕人士可以作为授权用户或未授权用户。

2. (O) A person with authorized physical access to the system. Example: In this sense, an office janitor is an insider, but a burglar or casual visitor is not. [NRC98]

2. (O) 有权实际访问系统的人员。从这个意义上讲,办公室清洁工是内幕人士,而窃贼或临时访客则不是。[NRC98]

3. (O) A person with an organizational status that causes the system or members of the organization to view access requests as being authorized. Example: In this sense, a purchasing agent is an insider but a vendor is not. [NRC98]

3. (O) 具有组织状态的人员,使系统或组织成员将访问请求视为已授权。从这个意义上讲,采购代理是内部人,而供应商不是。[NRC98]

$ inspectable space (O) /EMSEC/ "Three-dimensional space surrounding equipment that process classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists." [C4009] (Compare: control zone, TEMPEST zone.)

$ 可检查空间(O)/EMSEC/“处理机密和/或敏感信息的设备周围的三维空间,在这些信息中,TEMPEST利用被认为是不可行的,或者存在识别和/或消除潜在TEMPEST利用的法律授权。”[C4009](比较:控制区、TEMPEST区。)

$ Institute of Electrical and Electronics Engineers, Inc. (IEEE) (N) The IEEE is a not-for-profit association of approximately 300,000 individual members in 150 countries. The IEEE produces nearly one third of the world's published literature in electrical engineering, computers, and control technology; holds hundreds of major, annual conferences; and maintains more than 800 active standards, with many more under development. (See: SILS.)

$ 电气和电子工程师协会(IEEE)(N)IEEE是一个非营利协会,在150个国家拥有约300000名个人会员。IEEE出版的电气工程、计算机和控制技术文献占世界出版文献的近三分之一;举办数百场大型年会;并保持800多个现行标准,还有更多标准正在开发中。(见:SILS)

$ integrity See: data integrity, datagram integrity service, correctness integrity, source integrity, stream integrity service, system integrity.

$ 完整性请参阅:数据完整性、数据报完整性服务、正确性完整性、源完整性、流完整性服务、系统完整性。

$ integrity check (D) A computation that is part of a mechanism to provide data integrity service or data origin authentication service. (Compare: checksum.)

$ 完整性检查(D)作为提供数据完整性服务或数据源身份验证服务的机制的一部分的计算。(比较:校验和。)

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "cryptographic hash" or "protected checksum". This term unnecessarily duplicates the meaning of other, well-established terms; this term only mentions integrity, even though the intended service may be data origin authentication; and not every checksum is cryptographically protected.

不推荐使用的术语:IDOCs不应将此术语用作“加密哈希”或“受保护校验和”的同义词。该术语不必要地重复了其他公认术语的含义;该术语仅提及完整性,即使预期服务可能是数据源身份验证;并不是每个校验和都受到加密保护。

$ integrity label (I) A security label that tells the degree of confidence that may be placed in the data, and may also tell what countermeasures are required to be applied to protect the data from alteration and destruction. (See: integrity. Compare: classification label.)

$ 完整性标签(I)一种安全标签,说明数据中可能存在的置信度,还可以说明需要采取哪些措施来保护数据不受更改和破坏。(请参阅:完整性。比较:分类标签。)

$ intelligent threat (I) A circumstance in which an adversary has the technical and operational ability to detect and exploit a vulnerability and also has the demonstrated, presumed, or inferred intent to do so. (See: threat.)

$ 智能威胁(I)对手具有检测和利用漏洞的技术和操作能力,并且具有已证明、假定或推断的意图的情况。(见:威胁。)

$ interception (I) A type of threat action whereby an unauthorized entity directly accesses sensitive data while the data is traveling between authorized sources and destinations. (See: unauthorized disclosure.)

$ 拦截(I)一种威胁行为,未经授权的实体在数据在授权源和目标之间传输时直接访问敏感数据。(请参阅:未经授权的披露。)

Usage: This type of threat action includes the following subtypes: - "Theft": Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data. - "Wiretapping (passive)": Monitoring and recording data that is flowing between two points in a communication system. (See: wiretapping.) - "Emanations analysis": Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but was not intended to communicate the data. (See: emanation.)

用法:这种类型的威胁行为包括以下子类型:-“盗窃”:通过窃取存储数据的物理介质(如磁带或磁盘)来访问敏感数据。-“窃听(被动)”:监控和记录通信系统中两点之间的数据流。(见:窃听)-“辐射分析”:通过监测和解析系统发出的信号,获取有关传输数据的直接信息,该信号包含数据,但并非用于传输数据。(见:放射。)

$ interference (I) /threat action/ See: secondary definition under "obstruction".

$ 干扰(I)/威胁行动/见“障碍”下的二级定义。

$ intermediate CA (D) The CA that issues a cross-certificate to another CA. [X509] (See: cross-certification.)

$ 中间CA(D)向另一CA颁发交叉证书的CA。[X509](请参阅:交叉证书。)

Deprecated Term: IDOCs SHOULD NOT use this term because it is not widely known and mixes concepts in a potentially misleading way. For example, suppose that end entity 1 ("EE1) is in one PKI ("PKI1"), end entity 2 ("EE2) is in another PKI ("PKI2"), and the root in PKI1 ("CA1") cross-certifies the root CA in PKI2 ("CA2"). Then, if EE1 constructs the certification path CA1-to-CA2-to-EE2 to validate a certificate of EE2, conventional English usage would describe CA2 as being in the "intermediate" position in that path, not CA1.

不推荐使用的术语:IDOCs不应该使用这个术语,因为它并不广为人知,并且以潜在误导的方式混合了概念。例如,假设终端实体1(“EE1”)在一个PKI(“PKI1”)中,终端实体2(“EE2”)在另一个PKI(“PKI2”)中,并且PKI1(“CA1”)中的根交叉认证PKI2(“CA2”)中的根CA。然后,如果EE1构建了认证路径CA1-to-CA2-to-EE2来验证EE2的证书,传统的英语用法会将CA2描述为在该路径中处于“中间”位置,而不是CA1。

$ internal controls (I) /COMPUSEC/ Functions, features, and technical characteristics of computer hardware and software, especially of operating systems. Includes mechanisms to regulate the operation of a computer system with regard to access control, flow control, and inference control. (Compare: external controls.)

$ 内部控制(I)/COMPUSEC/计算机硬件和软件的功能、特征和技术特征,尤其是操作系统。包括在访问控制、流控制和推理控制方面调节计算机系统操作的机制。(比较:外部控件。)

$ International Data Encryption Algorithm (IDEA) (N) A patented, symmetric block cipher that uses a 128-bit key and operates on 64-bit blocks. [Schn] (See: symmetric cryptography.)

$ 国际数据加密算法(IDEA)(N):一种获得专利的对称分组密码,使用128位密钥,在64位块上运行。[Schn](请参阅:对称加密。)

$ International Standard (N) See: secondary definition under "ISO".

$ 国际标准(N)见“ISO”下的二级定义。

$ International Traffic in Arms Regulations (ITAR) (O) Rules issued by the U.S. State Department, by authority of the Arms Export Control Act (22 U.S.C. 2778), to control export and import of defense articles and defense services, including information security systems, such as cryptographic systems, and TEMPEST suppression technology. (See: type 1 product, Wassenaar Arrangement.)

$ 美国国务院根据《武器出口管制法》(22 U.S.C.2778)的授权发布的《国际武器贸易条例》(ITAR)(O)规则,用于控制国防用品和国防服务的进出口,包括信息安全系统,如密码系统和风暴抑制技术。(见:1类产品,瓦森纳安排)

$ internet, Internet 1. (I) /not capitalized/ Abbreviation of "internetwork".

$ 互联网,互联网1。(一) /未大写/是“internetwork”的缩写。

2. (I) /capitalized/ The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB (RFC 2026) and (b) the name and address spaces managed by the ICANN. (See: Internet Layer, Internet Protocol Suite.)

2. (一) /capitalized/互联网是由商业、政府、教育和其他计算机网络组成的单一、互联的全球系统,共享(a)IAB(RFC 2026)指定的协议套件和(b)ICANN管理的名称和地址空间。(请参阅:Internet层,Internet协议套件。)

Usage: Use with definite article ("the") when using as a noun. For example, say "My LAN is small, but the Internet is large." Don't say "My LAN is small, but Internet is large."

用法:用作名词时与定冠词(“the”)连用。例如,说“我的局域网很小,但互联网很大。”不要说“我的局域网很小,但互联网很大。”

$ Internet Architecture Board (IAB) (I) A technical advisory group of the ISOC, chartered by the ISOC Trustees to provide oversight of Internet architecture and protocols and, in the context of Internet Standards, a body to which decisions of the IESG may be appealed. Responsible for approving appointments to the IESG from among nominees submitted by the IETF nominating committee. (RFC 2026)

$ 互联网体系结构委员会(IAB)(I)互联网体系结构委员会的一个技术咨询小组,由互联网体系结构委员会受托人特许,负责监督互联网体系结构和协议,并在互联网标准的背景下,对互联网体系结构和协议进行监督。互联网体系结构委员会是一个可以对IESG的决定提出上诉的机构。负责从IETF提名委员会提交的提名人中批准IESG的任命。(RFC 2026)

$ Internet Assigned Numbers Authority (IANA) (I) From the early days of the Internet, the IANA was chartered by the ISOC and the U.S. Government's Federal Network Council to be the central coordination, allocation, and registration body for parameters for Internet protocols. Superseded by ICANN.

$ 互联网分配号码管理局(IANA)(I)从互联网诞生之初,IANA就被ISOC和美国政府联邦网络委员会特许成为互联网协议参数的中央协调、分配和注册机构。被ICANN取代。

$ Internet Control Message Protocol (ICMP) (I) An Internet Standard protocol (RFC 792) that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.

$ Internet控制消息协议(ICMP)(I)一种Internet标准协议(RFC 792),用于报告IP数据报处理期间的错误情况,并交换有关IP网络状态的其他信息。

$ Internet Corporation for Assigned Names and Numbers (ICANN) (I) The non-profit, private corporation that has assumed responsibility for the IP address space allocation, protocol parameter assignment, DNS management, and root server system management functions formerly performed under U.S. Government contract by IANA and other entities.

$ 互联网名称和号码分配公司(ICANN)(I)负责IP地址空间分配、协议参数分配、DNS管理和根服务器系统管理功能的非营利私人公司,以前由IANA和其他实体根据美国政府合同执行。

Tutorial: The IPS, as defined by the IETF and the IESG, contains numerous parameters, such as Internet addresses, domain names, autonomous system numbers, protocol numbers, port numbers, management information base OIDs, including private enterprise numbers, and many others. The Internet community requires that the values used in these parameter fields be assigned uniquely. ICANN makes those assignments as requested and maintains a registry of the current values.

教程:IETF和IESG定义的IPS包含许多参数,如互联网地址、域名、自治系统号、协议号、端口号、管理信息库OID(包括私有企业号)和许多其他参数。Internet社区要求对这些参数字段中使用的值进行唯一分配。ICANN根据要求进行这些分配,并维护当前值的注册表。

ICANN was formed in October 1998, by a coalition of the Internet's business, technical, and academic communities. The U.S. Government designated ICANN to serve as the global consensus entity with responsibility for coordinating four key functions for the Internet: allocation of IP address space, assignment of protocol parameters, management of the DNS, and management of the DNS root server system.

ICANN成立于1998年10月,由互联网的商业、技术和学术团体组成。美国政府指定ICANN作为全球共识实体,负责协调互联网的四项关键功能:IP地址空间分配、协议参数分配、DNS管理和DNS根服务器系统管理。

$ Internet-Draft (I) A working document of the IETF, its areas, and its working groups. (RFC 2026) (Compare: RFC.)

$ 互联网草案(I)IETF及其领域和工作组的工作文件。(RFC 2026)(比较:RFC.)

Usage: The term is customarily hyphenated when used either as a adjective or a noun, even though the latter is not standard English punctuation.

用法:当用作形容词或名词时,该术语通常使用连字符,即使后者不是标准的英语标点符号。

Tutorial: An Internet-Draft is not an archival document like an RFC is. Instead, an Internet-Draft is a preliminary or working document that is valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use an Internet-Draft as reference material or to cite it other than as a "work in progress". Although most of the Internet-Drafts are produced by the IETF, any interested organization may request to have its working documents published as Internet-Drafts.

教程:互联网草稿不像RFC那样是存档文档。相反,互联网草案是一份最长有效期为六个月的初步文件或工作文件,可随时由其他文件更新、替换或作废。使用互联网草案作为参考材料或引用它而不是作为“正在进行的工作”是不合适的。尽管大多数互联网草稿由IETF制作,但任何感兴趣的组织都可以要求将其工作文件作为互联网草稿发布。

$ Internet Engineering Steering Group (IESG) (I) The part of the ISOC responsible for technical management of IETF activities and administration of the Internet Standards Process according to procedures approved by the ISOC Trustees. Directly responsible for actions along the "standards track", including final approval of specifications as Internet Standards. Composed of IETF Area Directors and the IETF chairperson, who also chairs the IESG. (RFC 2026)

$ 互联网工程指导小组(IESG)(I)ISOC的一部分,负责IETF活动的技术管理,并根据ISOC受托人批准的程序管理互联网标准过程。直接负责“标准轨道”上的行动,包括最终批准作为互联网标准的规范。由IETF区域总监和IETF主席组成,IETF主席也担任IESG主席。(RFC 2026)

$ Internet Engineering Task Force (IETF) (I) A self-organized group of people who make contributions to the development of Internet technology. The principal body engaged in developing Internet Standards, although not itself a part of the ISOC. Composed of Working Groups, which are arranged into Areas (such as the Security Area), each coordinated by one or more Area Directors. Nominations to the IAB and the IESG are made by a committee selected at random from regular IETF meeting attendees who have volunteered. (RFCs 2026, 3935) [R2323]

$ 互联网工程任务组(IETF)(I)为互联网技术的发展做出贡献的自组织团队。参与制定互联网标准的主体机构,尽管其本身不是ISOC的一部分。由工作组组成,工作组分为多个区域(如安全区域),每个区域由一名或多名区域主管协调。IAB和IESG的提名由一个委员会进行,该委员会从自愿参加IETF定期会议的与会者中随机选出。(RFCs 20263935)[R2323]

$ Internet Key Exchange (IKE) (I) An Internet, IPsec, key-establishment protocol [R4306] for putting in place authenticated keying material (a) for use with ISAKMP and (b) for other security associations, such as in AH and ESP.

$ 互联网密钥交换(IKE)(I)互联网、IPsec、密钥建立协议[R4306],用于放置经过身份验证的密钥材料(a)用于ISAKMP,以及(b)用于其他安全关联,如AH和ESP。

Tutorial: IKE is based on three earlier protocol designs: ISAKMP, OAKLEY, and SKEME.

教程:IKE基于三种早期的协议设计:ISAKMP、OAKLEY和SKEME。

$ Internet Layer (I) See: Internet Protocol Suite.

$ 互联网层(I)见:互联网协议套件。

$ Internet Message Access Protocol, version 4 (IMAP4) (I) An Internet protocol (RFC 2060) by which a client workstation can dynamically access a mailbox on a server host to manipulate

$ Internet消息访问协议,版本4(IMAP4)(I)一种Internet协议(RFC 2060),通过该协议,客户端工作站可以动态访问服务器主机上的邮箱以进行操作

and retrieve mail messages that the server has received and is holding for the client. (See: POP3.)

和检索服务器已接收并为客户端保留的邮件消息。(见:POP3。)

Tutorial: IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: IMAP4 AUTHENTICATE.)

教程:IMAP4提供了一些机制,可以选择向服务器验证客户端,并提供其他安全服务。(请参阅:IMAP4验证。)

$ Internet Open Trading Protocol (IOTP) (I) An Internet protocol [R2801] proposed as a general framework for Internet commerce, able to encapsulate transactions of various proprietary payment systems (e.g., GeldKarte, Mondex, SET, Visa Cash). Provides optional security services by incorporating various Internet security mechanisms (e.g., MD5) and protocols (e.g., TLS).

$ 互联网开放交易协议(IOTP)(I)互联网协议[R2801]被提议作为互联网商务的通用框架,能够封装各种专有支付系统(如Geldkart、Mondex、SET、Visa Cash)的交易。通过整合各种互联网安全机制(如MD5)和协议(如TLS),提供可选的安全服务。

$ Internet Policy Registration Authority (IPRA) (I) An X.509-compliant CA that is the top CA of the Internet certification hierarchy operated under the auspices of the ISOC [R1422]. (See: /PEM/ under "certification hierarchy".)

$ 互联网政策注册机构(IPRA)(I)一个符合X.509标准的CA,它是在ISOC[R1422]主持下运行的互联网认证体系的顶级CA。(请参阅“认证层次结构”下的:/PEM/。)

$ Internet Private Line Interface (IPLI) (O) A successor to the PLI, updated to use TCP/IP and newer military-grade COMSEC equipment (TSEC/KG-84). The IPLI was a portable, modular system that was developed for use in tactical, packet-radio networks. (See: end-to-end encryption.)

$ 互联网专用线路接口(IPLI)(O)是PLI的继任者,更新为使用TCP/IP和更新的军用级通信安全设备(TSEC/KG-84)。IPLI是一种便携式模块化系统,开发用于战术分组无线电网络。(请参阅:端到端加密。)

$ Internet Protocol (IP) (I) An Internet Standard, Internet-Layer protocol that moves datagrams (discrete sets of bits) from one computer to another across an internetwork but does not provide reliable delivery, flow control, sequencing, or other end-to-end services that TCP provides. IP version 4 (IPv4) is specified in RFC 791, and IP version 6 (IPv6) is specified in RFC 2460. (See: IP address, TCP/IP.)

$ 互联网协议(IP)(I)一种互联网标准、互联网层协议,通过互联网将数据报(离散的比特集)从一台计算机移动到另一台计算机,但不提供可靠的传输、流量控制、排序或TCP提供的其他端到端服务。RFC 791中指定了IP版本4(IPv4),RFC 2460中指定了IP版本6(IPv6)。(请参阅:IP地址,TCP/IP。)

Tutorial: If IP were used in an OSIRM stack, IP would be placed at the top of Layer 3, above other Layer 3 protocols in the stack.

教程:如果在OSIRM堆栈中使用IP,IP将位于第3层的顶部,位于堆栈中其他第3层协议的上方。

In any IPS stack, IP is always present in the Internet Layer and is always placed at the top of that layer, on top of any other protocols that are used in that layer. In some sense, IP is the only protocol specified for the IPS Internet Layer; other protocols used there, such as AH and ESP, are just IP variations.

在任何IP协议栈中,IP始终存在于Internet层中,并且始终位于该层的顶部,位于该层中使用的任何其他协议的顶部。在某种意义上,IP是为IPS Internet层指定的唯一协议;那里使用的其他协议,如AH和ESP,只是IP的变体。

$ Internet Protocol security See: IP Security Protocol.

$ Internet协议安全请参阅:IP安全协议。

$ Internet Protocol Security Option (IPSO) (I) Refers to one of three types of IP security options, which are fields that may be added to an IP datagram for carrying security information about the datagram. (Compare: IPsec.)

$ 互联网协议安全选项(IPSO)(I)是指三种类型的IP安全选项之一,它们是可添加到IP数据报的字段,用于承载关于数据报的安全信息。(比较:IPsec。)

      Deprecated Usage: IDOCs SHOULD NOT use this term without a
      modifier to indicate which of the following three types is meant:
      -  "DoD Basic Security Option" (IP option type 130): Defined for
         use on U.S. DoD common-use data networks. Identifies the DoD
         classification level at which the datagram is to be protected
         and the protection authorities whose rules apply to the
         datagram. (A "protection authority" is a National Access
         Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of
         Energy) or Special Access Program that specifies protection
         rules for transmission and processing of the information
         contained in the datagram.) [R1108]
      -  "DoD Extended Security Option" (IP option type 133): Permits
         additional security labeling information, beyond that present
         in the Basic Security Option, to be supplied in the datagram to
         meet the needs of registered authorities. [R1108]
      -  "Common IP Security Option" (CIPSO) (IP option type 134):
         Designed by TSIG to carry hierarchic and non-hierarchic
         security labels. (Formerly called "Commercial IP Security
         Option"; a version 2.3 draft was published 9 March 1993 as an
         Internet-Draft but did not advance to RFC form.) [CIPSO]
        
      Deprecated Usage: IDOCs SHOULD NOT use this term without a
      modifier to indicate which of the following three types is meant:
      -  "DoD Basic Security Option" (IP option type 130): Defined for
         use on U.S. DoD common-use data networks. Identifies the DoD
         classification level at which the datagram is to be protected
         and the protection authorities whose rules apply to the
         datagram. (A "protection authority" is a National Access
         Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of
         Energy) or Special Access Program that specifies protection
         rules for transmission and processing of the information
         contained in the datagram.) [R1108]
      -  "DoD Extended Security Option" (IP option type 133): Permits
         additional security labeling information, beyond that present
         in the Basic Security Option, to be supplied in the datagram to
         meet the needs of registered authorities. [R1108]
      -  "Common IP Security Option" (CIPSO) (IP option type 134):
         Designed by TSIG to carry hierarchic and non-hierarchic
         security labels. (Formerly called "Commercial IP Security
         Option"; a version 2.3 draft was published 9 March 1993 as an
         Internet-Draft but did not advance to RFC form.) [CIPSO]
        

$ Internet Protocol Suite (IPS) (I) The set of network communication protocols that are specified by the IETF, and approved as Internet Standards by the IESG, within the oversight of the IAB. (See: OSIRM Security Architecture. Compare: OSIRM.)

$ 互联网协议套件(IPS)(I)由IETF指定并由IESG批准为互联网标准的一组网络通信协议,由IAB监督。(请参阅:OSIRM安全体系结构。比较:OSIRM。)

Usage: This set of protocols is popularly known as "TCP/IP" because TCP and IP are its most basic and important components.

用法:这组协议通常被称为“TCP/IP”,因为TCP和IP是其最基本和最重要的组件。

For clarity, this Glossary refers to IPS protocol layers by name and capitalizes those names, and refers to OSIRM protocol layers by number.

为清楚起见,本术语表按名称引用IPS协议层并将这些名称大写,并按编号引用OSIRM协议层。

Tutorial: The IPS does have architectural principles [R1958], but there is no Internet Standard that defines a layered IPS reference model like the OSIRM. Still, Internet community literature has referred (inconsistently) to IPS layers since early in the Internet's development [Padl].

教程:IPS确实有体系结构原则[R1958],但没有像OSIRM那样定义分层IPS参考模型的互联网标准。尽管如此,自互联网发展早期[Padl]起,互联网社区文献就(不一致地)提到了IPS层。

This Glossary treats the IPS as having five protocol layers -- Application, Transport, Internet, Network Interface, and Network Hardware (or Network Substrate) -- which are illustrated in the following diagram:

本术语表将IP视为具有五个协议层——应用程序、传输、Internet、网络接口和网络硬件(或网络基板)——如下图所示:

      OSIRM Layers       Examples          IPS Layers     Examples
      ------------------ ---------------  --------------- --------------
      Message Format:    P2   [X420]      Message Format: ARPA (RFC 822)
      +----------------+                  +-------------+
      |7.Application   | P1   [X419]      | Application | SMTP (RFC 821)
      +----------------+ -  -  -  -  -  - |             |
      |6.Presentation  |      [I8823]     |             |
      +----------------+ -  -  -  -  -  - |             |
      |5.Session       |      [I8327]     +-------------+
      +----------------+ -  -  -  -  -  - |  Transport  | TCP  (RFC 793)
      |4.Transport     | TP4  [I8073]     |             |
      +----------------+ -  -  -  -  -  - +-------------+
      |3.Network       | CLNP [I8473]     |  Internet   | IP   (RFC 791)
      |                |                  +-------------+
      |                |                  |   Network   | IP over IEEE
      +----------------+ -  -  -  -  -  - |  Interface  | 802 (RFC 1042)
      |2.Data Link     |                  +-------------+
      |                | LLC  [I8802-2]   -   Network   - The IPS does
      |                | MAC  [I8802-3]   -  Hardware   - not include
      +----------------+                  - (or Network - standards for
      |1.Physical      | Baseband         -  Substrate) - this layer.
      +----------------+ Signaling [Stal] + - - - - - - +
        
      OSIRM Layers       Examples          IPS Layers     Examples
      ------------------ ---------------  --------------- --------------
      Message Format:    P2   [X420]      Message Format: ARPA (RFC 822)
      +----------------+                  +-------------+
      |7.Application   | P1   [X419]      | Application | SMTP (RFC 821)
      +----------------+ -  -  -  -  -  - |             |
      |6.Presentation  |      [I8823]     |             |
      +----------------+ -  -  -  -  -  - |             |
      |5.Session       |      [I8327]     +-------------+
      +----------------+ -  -  -  -  -  - |  Transport  | TCP  (RFC 793)
      |4.Transport     | TP4  [I8073]     |             |
      +----------------+ -  -  -  -  -  - +-------------+
      |3.Network       | CLNP [I8473]     |  Internet   | IP   (RFC 791)
      |                |                  +-------------+
      |                |                  |   Network   | IP over IEEE
      +----------------+ -  -  -  -  -  - |  Interface  | 802 (RFC 1042)
      |2.Data Link     |                  +-------------+
      |                | LLC  [I8802-2]   -   Network   - The IPS does
      |                | MAC  [I8802-3]   -  Hardware   - not include
      +----------------+                  - (or Network - standards for
      |1.Physical      | Baseband         -  Substrate) - this layer.
      +----------------+ Signaling [Stal] + - - - - - - +
        

The diagram approximates how the five IPS layers align with the seven OSIRM layers, and it offers examples of protocol stacks that provide roughly equivalent electronic mail service over a private LAN that uses baseband signaling.

该图大致描述了五个IPS层如何与七个OSIRM层对齐,并提供了协议栈的示例,这些协议栈通过使用基带信令的专用LAN提供大致等效的电子邮件服务。

- IPS Application Layer: The user runs an application program. The program selects the data transport service it needs -- either a sequence of data messages or a continuous stream of data -- and hands application data to the Transport Layer for delivery.

- IPS应用层:用户运行应用程序。程序选择它需要的数据传输服务——一系列数据消息或连续的数据流——并将应用程序数据交给传输层进行传输。

- IPS Transport Layer: This layer divides application data into packets, adds a destination address to each, and communicates them end-to-end -- from one application program to another -- optionally regulating the flow and ensuring reliable (error-free and sequenced) delivery.

- IPS传输层:该层将应用程序数据分为多个数据包,为每个数据包添加一个目的地地址,并端到端地进行通信(从一个应用程序到另一个应用程序),可以选择调节流量并确保可靠(无错误且有序)交付。

- IPS Internet Layer: This layer carries transport packets in IP datagrams. It moves each datagram independently, from its source computer to its addressed destination computer, routing

- IPS互联网层:该层承载IP数据报中的传输包。它独立地将每个数据报从其源计算机移动到其寻址的目标计算机(路由)

the datagram through a sequence of networks and relays and selecting appropriate network interfaces en route.

数据报通过一系列网络和中继,并在途中选择适当的网络接口。

- IPS Network Interface Layer: This layer accepts datagrams for transmission over a specific network. This layer specifies interface conventions for carrying IP over OSIRM Layer 3 protocols and over Media Access Control sublayer protocols of OSIRM Layer 2. An example is IP over IEEE 802 (RFD 1042).

- IPS网络接口层:该层接受通过特定网络传输的数据报。该层指定通过OSIRM第3层协议和OSIRM第2层的媒体访问控制子层协议承载IP的接口约定。一个例子是IEEE802上的IP(RFD1042)。

- IPS Network Hardware Layer: This layer consists of specific, physical communication media. However, the IPS does not specify its own peer-to-peer protocols in this layer. Instead, the layering conventions specified by the Network Interface Layer use Layer 2 and Layer 3 protocols that are specified by bodies other than the IETF. That is, the IPS addresses *inter*-network functions and does not address *intra*-network functions.

- IPS网络硬件层:该层由特定的物理通信媒体组成。但是,IPS在此层中没有指定自己的对等协议。相反,网络接口层指定的分层约定使用IETF以外的机构指定的第2层和第3层协议。也就是说,IP地址*内部*网络功能,而不地址*内部*网络功能。

The two models are most dissimilar in the upper layers, where the IPS model does not include Session and Presentation layers. However, this omission causes fewer functional differences between the models than might be imagined, and the differences have relatively few security implications:

这两个模型在上层最为不同,IPS模型不包括会话层和表示层。然而,这种省略导致模型之间的功能差异比想象的要小,并且这些差异对安全的影响相对较小:

- Formal separation of OSIRM Layers 5, 6, and 7 is not needed in implementations; the functions of these layers sometimes are mixed in a single software unit, even in protocols in the OSI suite.

- 实现中不需要OSIRM第5、6和7层的正式分离;这些层的功能有时混合在单个软件单元中,甚至在OSI套件中的协议中也是如此。

- Some OSIRM Layer 5 services -- for example, connection termination -- are built into TCP, and the remaining Layer 5 and 6 functions are built into IPS Application-Layer protocols where needed.

- 一些OSIRM第5层服务(例如,连接终止)内置于TCP中,其余第5层和第6层功能在需要时内置于IPS应用层协议中。

- The OSIRM does not place any security services in Layer 5 (see: OSIRM Security Architecture).

- OSIRM没有在第5层中放置任何安全服务(请参阅:OSIRM安全体系结构)。

- The lack of an explicit Presentation Layer in the IPS sometimes makes it simpler to implement security in IPS applications. For example, a primary function of Layer 6 is to convert data between internal and external forms, using a transfer syntax to unambiguously encode data for transmission. If an OSIRM application encrypts data to protect against disclosure during transmission, the transfer encoding must be done before the encryption. If an application does encryption, as is done in OSI message handling and directory service protocols, then Layer 6 functions must be replicated in Layer 7. [X400, X500].

- IPS中缺乏明确的表示层,这使得在IPS应用程序中实现安全性变得更加简单。例如,第6层的主要功能是在内部和外部表单之间转换数据,使用传输语法对数据进行明确编码以进行传输。如果OSIRM应用程序对数据进行加密以防止传输过程中的泄露,则必须在加密之前进行传输编码。如果应用程序进行加密,就像OSI消息处理和目录服务协议中所做的那样,那么第6层功能必须在第7层中复制。[X400,X500]。

The two models are most alike at the top of OSIRM Layer 3, where the OSI Connectionless Network Layer Protocol (CLNP) and the IPS IP are quite similar. Connection-oriented security services offered in OSIRM Layer 3 are inapplicable in the IPS, because the IPS Internet Layer lacks the explicit, connection-oriented service offered in the OSIRM.

这两个模型在OSIRM第3层的顶部最为相似,OSI无连接网络层协议(CLNP)和IPS IP非常相似。OSIRM第3层中提供的面向连接的安全服务不适用于IPS,因为IPS Internet层缺少OSIRM中提供的明确的、面向连接的服务。

$ Internet Security Association and Key Management Protocol (ISAKMP) (I) An Internet IPsec protocol [R2408] to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

$ 互联网安全关联和密钥管理协议(ISAKMP)(I)互联网IPsec协议[R2408],用于协商、建立、修改和删除安全关联,以及交换密钥生成和认证数据,与任何特定密钥生成技术、密钥建立协议、加密算法的细节无关,或身份验证机制。

Tutorial: ISAKMP supports negotiation of security associations for protocols at all IPS layers. By centralizing management of security associations, ISAKMP reduces duplicated functionality within each protocol. ISAKMP can also reduce connection setup time, by negotiating a whole stack of services at once. Strong authentication is required on ISAKMP exchanges, and a digital signature algorithm based on asymmetric cryptography is used within ISAKMP's authentication component.

教程:ISAKMP支持所有IPS层协议的安全关联协商。通过集中管理安全关联,ISAKMP减少了每个协议中重复的功能。ISAKMP还可以通过一次协商整个服务堆栈来减少连接设置时间。ISAKMP交换需要强身份验证,并且在ISAKMP的身份验证组件中使用了基于非对称加密的数字签名算法。

ISAKMP negotiations are conducted in two "phases": - "Phase 1 negotiation". A phase 1 negotiation establishes a security association to be used by ISAKMP to protect its own protocol operations. - "Phase 2 negotiation". A phase 2 negotiation (which is protected by a security association that was established by a phase 1 negotiation) establishes a security association to be used to protect the operations of a protocol other than ISAKMP, such as ESP.

ISAKMP谈判分为两个“阶段”:“第一阶段谈判”。第1阶段协商建立一个安全关联,由ISAKMP用于保护其自身的协议操作。-“第二阶段谈判”。第2阶段协商(由第1阶段协商建立的安全关联保护)建立安全关联,用于保护除ISAKMP以外的协议(如ESP)的操作。

$ Internet Society (ISOC) (I) A professional society concerned with Internet development (including technical Internet Standards); with how the Internet is and can be used; and with social, political, and technical issues that result. The ISOC Board of Trustees approves appointments to the IAB from among nominees submitted by the IETF nominating committee. (RFC 2026)

$ 互联网协会(ISOC)(I)一个关注互联网发展(包括互联网技术标准)的专业协会;互联网是如何使用的;以及由此产生的社会、政治和技术问题。ISOC董事会从IETF提名委员会提交的提名人中批准IAB的任命。(RFC 2026)

$ Internet Standard (I) A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. (RFC 2026) (Compare: RFC.)

$ 互联网标准(I)由IESG批准并作为RFC发布的规范,其稳定且易于理解,具有技术能力,具有多个独立且可互操作的实施方案,具有丰富的运营经验,得到了公众的大力支持,并且在互联网的部分或所有部分都非常有用。(RFC 2026)(比较:RFC.)

Tutorial: The "Internet Standards Process" is an activity of the ISOC and is organized and managed by the IAB and the IESG. The process is concerned with all protocols, procedures, and conventions used in or by the Internet, whether or not they are part of the IPS. The "Internet Standards Track" has three levels of increasing maturity: Proposed Standard, Draft Standard, and Standard. (Compare: ISO, W3C.)

教程:“互联网标准流程”是ISOC的一项活动,由IAB和IESG组织和管理。该过程涉及互联网中使用或由互联网使用的所有协议、程序和约定,无论它们是否是IP的一部分。“互联网标准轨道”有三个日益成熟的层次:建议标准、草案标准和标准。(比较:ISO、W3C。)

$ internetwork (I) A system of interconnected networks; a network of networks. Usually shortened to "internet". (See: internet, Internet.)

$ 互联网络(I)互联网络系统;网络的网络。通常简称为“互联网”。(请参阅:internet,internet。)

Tutorial: An internet can be built using OSIRM Layer 3 gateways to implement connections between a set of similar subnetworks. With dissimilar subnetworks, i.e., subnetworks that differ in the Layer 3 protocol service they offer, an internet can be built by implementing a uniform internetwork protocol (e.g., IP) that operates at the top of Layer 3 and hides the underlying subnetworks' heterogeneity from hosts that use communication services provided by the internet. (See: router.)

教程:可以使用OSIRM第3层网关构建internet,以实现一组类似子网之间的连接。对于不同的子网,即它们提供的第3层协议服务不同的子网,可以通过实现在第3层顶部运行的统一互联网协议(如IP)来构建互联网,并对使用互联网提供的通信服务的主机隐藏底层子网的异构性。(请参阅:路由器。)

$ intranet (I) A computer network, especially one based on Internet technology, that an organization uses for its own internal (and usually private) purposes and that is closed to outsiders. (See: extranet, VPN.)

$ 内联网(I)一种计算机网络,特别是基于互联网技术的网络,一个组织为了自己的内部(通常是私人)目的而使用,并且对外部开放。(请参阅:外部网、VPN。)

$ intruder (I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (See: intrusion. Compare: adversary, cracker, hacker.)

$ 入侵者(I)未经授权而获取或试图获取对系统或系统资源访问权限的实体。(请参阅:入侵。比较:敌手、黑客、黑客。)

$ intrusion 1. (I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so. (See: IDS.)

$ 入侵1。(一) 构成安全事件的一种安全事件或多个安全事件的组合,其中入侵者未经授权获取或试图获取对系统或系统资源的访问权。(请参阅:IDS。)

2. (I) A type of threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's security protections. (See: unauthorized disclosure.)

2. (一) 一种威胁行为,未经授权的实体通过绕过系统的安全保护来访问敏感数据。(请参阅:未经授权的披露。)

Usage: This type of threat action includes the following subtypes: - "Trespass": Gaining physical access to sensitive data by circumventing a system's protections. - "Penetration": Gaining logical access to sensitive data by circumventing a system's protections.

用法:这种类型的威胁操作包括以下子类型:-“主动变更”:通过绕过系统保护获得对敏感数据的物理访问。-“渗透”:通过绕过系统保护,获得对敏感数据的逻辑访问。

- "Reverse engineering": Acquiring sensitive data by disassembling and analyzing the design of a system component. - "Cryptanalysis": Transforming encrypted data into plain text without having prior knowledge of encryption parameters or processes. (See: main entry for "cryptanalysis".)

- “逆向工程”:通过分解和分析系统组件的设计来获取敏感数据。-“密码分析”:将加密数据转换为纯文本,而无需事先了解加密参数或过程。(请参阅“密码分析”的主条目。)

$ intrusion detection (I) Sensing and analyzing system events for the purpose of noticing (i.e., becoming aware of) attempts to access system resources in an unauthorized manner. (See: anomaly detection, IDS, misuse detection. Compare: extrusion detection.) [IDSAN, IDSSC, IDSSE, IDSSY]

$ 入侵检测(I)感应和分析系统事件,以发现(即意识到)以未经授权的方式访问系统资源的企图。(请参阅:异常检测、IDS、误用检测。比较:挤出检测。)[IDSAN、IDSSC、IDSSE、IDSSY]

Usage: This includes the following subtypes: - "Active detection": Real-time or near-real-time analysis of system event data to detect current intrusions, which result in an immediate protective response. - "Passive detection": Off-line analysis of audit data to detect past intrusions, which are reported to the system security officer for corrective action. (Compare: security audit.)

用法:包括以下子类型:-“主动检测”:实时或近实时分析系统事件数据,以检测当前入侵,从而产生即时保护响应。-“被动检测”:对审计数据进行离线分析,以检测过去的入侵,并将其报告给系统安全官员以采取纠正措施。(比较:安全审计。)

$ intrusion detection system (IDS) 1. (N) A process or subsystem, implemented in software or hardware, that automates the tasks of (a) monitoring events that occur in a computer network and (b) analyzing them for signs of security problems. [SP31] (See: intrusion detection.)

$ 入侵检测系统(IDS)1。(N) 一种用软件或硬件实现的过程或子系统,它自动执行以下任务:(A)监视计算机网络中发生的事件,以及(b)分析这些事件是否有安全问题的迹象。[SP31](请参阅:入侵检测。)

2. (N) A security alarm system to detect unauthorized entry. [DC6/9].

2. (N) 用于检测未经授权进入的安全报警系统。[DC6/9]。

Tutorial: Active intrusion detection processes can be either host-based or network-based: - "Host-based": Intrusion detection components -- traffic sensors and analyzers -- run directly on the hosts that they are intended to protect. - "Network-based": Sensors are placed on subnetwork components, and analysis components run either on subnetwork components or hosts.

教程:主动入侵检测过程可以是基于主机的,也可以是基于网络的:-“基于主机的”:入侵检测组件--流量传感器和分析仪--直接在它们要保护的主机上运行。-“基于网络”:传感器放置在子网络组件上,分析组件在子网络组件或主机上运行。

$ invalidity date (N) An X.509 CRL entry extension that "indicates the date at which it is known or suspected that the [revoked certificate's private key] was compromised or that the certificate should otherwise be considered invalid." [X509].

$ 无效日期(N)X.509 CRL条目扩展,“表示已知或怀疑[已撤销证书的私钥]被泄露的日期,或该证书应被视为无效的日期。”[X509]。

Tutorial: This date may be earlier than the revocation date in the CRL entry, and may even be earlier than the date of issue of earlier CRLs. However, the invalidity date is not, by itself,

教程:此日期可能早于CRL条目中的撤销日期,甚至可能早于早期CRL的发布日期。然而,失效日期本身并不是,

sufficient for purposes of non-repudiation service. For example, to fraudulently repudiate a validly generated signature, a private key holder may falsely claim that the key was compromised at some time in the past.

足以提供不可抵赖服务。例如,为了欺诈性地拒绝有效生成的签名,私钥持有人可能会错误地声称密钥在过去某个时间被泄露。

$ IOTP (I) See: Internet Open Trading Protocol.

$ IOTP(I)见:互联网开放交易协议。

$ IP (I) See: Internet Protocol.

$ IP(I)见:互联网协议。

$ IP address (I) A computer's internetwork address that is assigned for use by IP and other protocols.

$ IP地址(I)分配给IP和其他协议使用的计算机网络间地址。

Tutorial: An IP version 4 address (RFC 791) has four 8-bit parts and is written as a series of four decimal numbers separated by periods. Example: The address of the host named "rosslyn.bbn.com" is 192.1.7.10.

教程:IP版本4地址(RFC 791)有四个8位部分,由四个小数点组成,以句点分隔。示例:名为“rosslyn.bbn.com”的主机的地址是192.1.7.10。

An IP version 6 address (RFC 2373) has eight 16-bit parts and is written as eight hexadecimal numbers separated by colons. Examples: 1080:0:0:0:8:800:200C:417A and FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

IP版本6地址(RFC 2373)有八个16位部分,由八个十六进制数字组成,用冒号分隔。示例:1080:0:0:0:8:800:200C:417A和FEDC:BA98:7654:3210:FEDC:BA98:7654:3210。

$ IP Security Option (I) See: Internet Protocol Security Option.

$ IP安全选项(I)请参阅:Internet协议安全选项。

$ IP Security Protocol (IPsec) 1a. (I) The name of the IETF working group that is specifying an architecture [R2401, R4301] and set of protocols to provide security services for IP traffic. (See: AH, ESP, IKE, SAD, SPD. Compare: IPSO.)

$ IP安全协议(IPsec)1a。(一) 指定体系结构[R2401,R4301]和协议集以提供IP通信安全服务的IETF工作组的名称。(参见:啊,ESP,IKE,SAD,SPD。比较:IPSO。)

1b. (I) A collective name for the IP security architecture [R4301] and associated set of protocols (primarily AH, ESP, and IKE).

1b。(一) IP安全体系结构[R4301]和相关协议集(主要是AH、ESP和IKE)的统称。

Usage: In IDOCs that use the abbreviation "IPsec", the letters "IP" SHOULD be in uppercase, and the letters "sec" SHOULD NOT.

用法:在使用缩写“IPsec”的IDOC中,字母“IP”应为大写,字母“sec”不应为大写。

Tutorial: The security services provided by IPsec include access control service, connectionless data integrity service, data origin authentication service, protection against replays (detection of the arrival of duplicate datagrams, within a constrained window), data confidentiality service, and limited traffic-flow confidentiality. IPsec specifies (a) security protocols (AH and ESP), (b) security associations (what they are, how they work, how they are managed, and associated processing),

教程:IPsec提供的安全服务包括访问控制服务、无连接数据完整性服务、数据源身份验证服务、防止重播(在受约束的窗口内检测重复数据报的到达)、数据保密服务和有限的流量保密性。IPsec指定(a)安全协议(AH和ESP),(b)安全关联(它们是什么、如何工作、如何管理以及相关处理),

(c) key management (IKE), and (d) algorithms for authentication and encryption. Implementation of IPsec is optional for IP version 4, but mandatory for IP version 6. (See: transport mode, tunnel mode.)

(c) 密钥管理(IKE)和(d)认证和加密算法。IPsec的实现对于IP版本4是可选的,但是对于IP版本6是强制性的。(请参见:传输模式、隧道模式。)

$ IPLI (I) See: Internet Private Line Interface.

$ IPLI(I)见:互联网专线接口。

$ IPRA (I) See: Internet Policy Registration Authority.

$ IPRA(I)见:互联网政策注册机构。

$ IPS (I) See: Internet Protocol Suite.

$ IPS(I)见:互联网协议套件。

$ IPsec (I) See: IP Security Protocol.

$ IPsec(I)见:IP安全协议。

$ IPSO (I) See: Internet Protocol Security Option.

$ IPSO(I)见:互联网协议安全选项。

$ ISAKMP (I) See: Internet Security Association and Key Management Protocol.

$ ISAKMP(I)参见:互联网安全关联和密钥管理协议。

$ ISO (I) International Organization for Standardization, a voluntary, non-treaty, non-governmental organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. (Compare: ANSI, IETF, ITU-T, W3C.)

$ ISO(I)国际标准化组织,一个自愿、非条约、非政府组织,成立于1947年,有投票权的成员是参与国的指定标准机构和无投票权的观察员组织。(比较:ANSI、IETF、ITU-T、W3C。)

Tutorial: Legally, ISO is a Swiss, non-profit, private organization. ISO and the IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in developing international standards through ISO and IEC technical committees that deal with particular fields of activity. Other international governmental and non-governmental organizations, in liaison with ISO and IEC, also take part. (ANSI is the U.S. voting member of ISO. ISO is a class D member of ITU-T.)

教程:从法律上讲,ISO是一个瑞士的非营利私人组织。ISO和IEC(国际电工委员会)形成了全球标准化的专门体系。作为ISO或IEC成员的国家机构通过处理特定活动领域的ISO和IEC技术委员会参与制定国际标准。与ISO和IEC联络的其他国际政府和非政府组织也参加了会议。(ANSI是ISO的美国投票成员。ISO是ITU-T的D级成员。)

The ISO standards development process has four levels of increasing maturity: Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), and International Standard (IS). (Compare: "Internet Standards Track" under "Internet Standard".) In information technology, ISO and IEC have a joint technical committee, ISO/IEC JTC 1. DISs adopted by JTC 1 are

ISO标准开发过程有四个日益成熟的层次:工作草案(WD)、委员会草案(CD)、国际标准草案(DIS)和国际标准(IS)。(比较“互联网标准”下的“互联网标准轨道”。)在信息技术领域,ISO和IEC有一个联合技术委员会,即ISO/IEC JTC 1。JTC 1采用的DIS为

circulated to national bodies for voting, and publication as an IS requires approval by at least 75% of the national bodies casting a vote.

分发给国家机构进行投票,并作为IS发布需要至少75%的投票国家机构的批准。

$ ISO 17799 (N) An International Standard that is a code of practice, derived from Part 1 of British Standard 7799, for managing the security of information systems in an organization. This standard does not provide definitive or specific material on any security topic. It provides general guidance on a wide variety of topics, but typically does not go into depth. (See: IATF, [SP14].)

$ ISO 17799(N)源自英国标准7799第1部分的一种国际标准,是一种实践规范,用于管理组织中信息系统的安全性。本标准不提供任何安全主题的最终或特定材料。它提供了广泛主题的一般指导,但通常不深入。(参见:IATF,[SP14]。)

$ ISOC (I) See: Internet Society.

$ ISOC(I)见:互联网协会。

$ issue (I) /PKI/ Generate and sign a digital certificate (or a CRL) and, usually, distribute it and make it available to potential certificate users (or CRL users). (See: certificate creation.)

$ 颁发(I)/PKI/生成并签署数字证书(或CRL),通常分发该证书并将其提供给潜在的证书用户(或CRL用户)。(请参阅:证书创建。)

Usage: The term "issuing" is usually understood to refer not only to creating a digital certificate (or a CRL) but also to making it available to potential users, such as by storing it in a repository or other directory or otherwise publishing it. However, the ABA [DSG] explicitly limits this term to the creation process and excludes any related publishing or distribution process.

用法:术语“颁发”通常理解为不仅指创建数字证书(或CRL),还指使其可供潜在用户使用,例如将其存储在存储库或其他目录中或以其他方式发布。然而,ABA[DSG]明确将该术语限制在创建过程中,并排除任何相关的发布或分发过程。

$ issuer 1. (I) /certificate, CRL/ The CA that signs a digital certificate or CRL.

$ 发行人1。(一) /certificate,CRL/签署数字证书或CRL的CA。

Tutorial: An X.509 certificate always includes the issuer's name. The name may include a common name value.

教程:X.509证书始终包含颁发者的名称。该名称可能包括通用名称值。

2. (O) /payment card, SET/ "The financial institution or its agent that issues the unique primary account number to the cardholder for the payment card brand." [SET2]

2. (O) /支付卡,SET/“为支付卡品牌向持卡人发放唯一主账号的金融机构或其代理机构。”[SET2]

Tutorial: The institution that establishes the account for a cardholder and issues the payment card also guarantees payment for authorized transactions that use the card in accordance with card brand regulations and local legislation. [SET1]

教程:为持卡人建立账户并发行支付卡的机构还保证根据卡品牌法规和当地法律对使用该卡的授权交易进行支付。[SET1]

$ ITAR (O) See: International Traffic in Arms Regulations.

$ ITAR(O)见:国际武器贩运条例。

$ ITSEC (N) See: Information Technology System Evaluation Criteria.

$ ITSEC(N)见:信息技术系统评估标准。

$ ITU-T (N) International Telecommunications Union, Telecommunication Standardization Sector (formerly "CCITT"), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called "Recommendations". (See: X.400, X.500.)

$ ITU-T(N)国际电信联盟,电信标准化部门(前身为“CCITT”),一个联合国条约组织,主要由成员国的邮政、电话和电报部门组成,发布称为“建议”的标准。(见:X.400、X.500)

Tutorial: The Department of State represents the United States. ITU-T works on many kinds of communication systems. ITU-T cooperates with ISO on communication protocol standards, and many Recommendations in that area are also published as an ISO standard with an ISO name and number.

教程:国务院代表美国。ITU-T适用于多种通信系统。ITU-T在通信协议标准方面与ISO合作,该领域的许多建议也以ISO名称和编号的ISO标准发布。

$ IV (I) See: initialization value.

$ IV(I)见:初始化值。

$ jamming (N) An attack that attempts to interfere with the reception of broadcast communications. (See: anti-jam, denial of service. Compare: flooding.)

$ 干扰(N)试图干扰广播通信接收的攻击。(请参阅:抗干扰、拒绝服务。比较:泛洪。)

Tutorial: Jamming uses "interference" as a type of "obstruction" intended to cause "disruption". Jamming a broadcast signal is typically done by broadcasting a second signal that receivers cannot separate from the first one. Jamming is mainly thought of in the context of wireless communication, but also can be done in some wired technologies, such as LANs that use contention techniques to share a broadcast medium.

教程:干扰使用“干扰”作为一种“障碍物”,旨在造成“干扰”。干扰广播信号通常是通过广播接收机无法与第一个信号分离的第二个信号来实现的。干扰主要是在无线通信环境中考虑的,但也可以在一些有线技术中进行,例如使用争用技术共享广播媒体的局域网。

$ KAK (D) See: key-auto-key. (Compare: KEK.)

$ KAK(D)参见:钥匙自动钥匙。(比较:KEK)

$ KDC (I) See: Key Distribution Center.

$ KDC(一)见:钥匙配送中心。

$ KEA (N) See: Key Exchange Algorithm.

$ KEA(N)参见:密钥交换算法。

$ KEK (I) See: key-encrypting key. (Compare: KAK.)

$ KEK(I)参见:密钥加密密钥。(比较:KAK。)

$ Kerberos (I) A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. [R4120, Stei] (See: realm.)

$ Kerberos(I)麻省理工学院开发的一种系统,依靠密码和对称加密(DES)实现分布在客户机-服务器网络环境中的基于票据的对等实体身份验证服务和访问控制服务。[R4120,Stei](参见:领域)

Tutorial: Kerberos was originally developed by Project Athena and is named for the mythical three-headed dog that guards Hades. The system architecture includes authentication servers and ticket-granting servers that function as an ACC and a KDC.

教程:Kerberos最初是由雅典娜项目开发的,以守护地狱的神秘三头狗命名。系统架构包括身份验证服务器和票据授予服务器,它们作为ACC和KDC运行。

RFC 4556 describes extensions to the Kerberos specification that modify the initial authentication exchange between a client and the KDC. The extensions employ public-key cryptography to enable the client and KDC to mutually authenticate and establish shared, symmetric keys that are used to complete the exchange. (See: PKINIT.)

RFC4556描述了对Kerberos规范的扩展,这些扩展修改了客户端和KDC之间的初始身份验证交换。这些扩展采用公钥加密技术,使客户机和KDC能够相互验证并建立用于完成交换的共享对称密钥。(见:PKINIT)

$ kernel (I) A small, trusted part of a system that provides services on which the other parts of the system depend. (See: security kernel.)

$ 内核(I)系统的一个小的、可信任的部分,它提供系统其他部分所依赖的服务。(请参阅:安全内核。)

$ Kernelized Secure Operating System (KSOS) (O) An MLS computer operating system, designed to be a provably secure replacement for UNIX Version 6, and consisting of a security kernel, non-kernel security-related utility programs, and optional UNIX application development and support environments. [Perr]

$ 内核化安全操作系统(KSOS)(O):一种MLS计算机操作系统,旨在作为UNIX版本6的可证明安全的替代品,由安全内核、非内核安全相关实用程序以及可选的UNIX应用程序开发和支持环境组成。[佩尔]

Tutorial: KSOS-6 was the implementation on a SCOMP. KSOS-11 was the implementation by Ford Aerospace and Communications Corporation on the DEC PDP-11/45 and PDP-11/70 computers.

教程:KSOS-6是SCOMP上的实现。KSOS-11是福特航空航天通信公司在DEC PDP-11/45和PDP-11/70计算机上实施的。

$ key 1a. (I) /cryptography/ An input parameter used to vary a transformation function performed by a cryptographic algorithm. (See: private key, public key, storage key, symmetric key, traffic key. Compare: initialization value.)

$ 图例1a。(一) /cryptography/用于改变加密算法执行的转换函数的输入参数。(请参阅:私钥、公钥、存储密钥、对称密钥、流量密钥。比较:初始化值。)

1b. (O) /cryptography/ Used in singular form as a collective noun referring to keys or keying material. Example: A fill device can be used transfer key between two cryptographic devices.

1b。(O) /cryptography/以单数形式用作一个集合名词,指密钥或密钥材料。示例:可以使用填充设备在两个加密设备之间传输密钥。

2. (I) /anti-jam/ An input parameter used to vary a process that determines patterns for an anti-jam measure. (See: frequency hopping, spread spectrum.)

2. (一) /anti-jam/一个输入参数,用于改变确定防干扰措施模式的流程。(参见:跳频、扩频。)

Tutorial: A key is usually specified as a sequence of bits or other symbols. If a key value needs to be kept secret, the sequence of symbols that comprise it should be random, or at least pseudorandom, because that makes the key harder for an adversary to guess. (See: brute-force attack, cryptanalysis, strength.)

教程:键通常指定为位序列或其他符号。如果一个密钥值需要保密,那么组成它的符号序列应该是随机的,或者至少是伪随机的,因为这使得密钥更难被对手猜到。(参见:暴力攻击、密码分析、力量。)

$ key agreement (algorithm or protocol) 1. (I) A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each can generate the same key value. That is, the method does not send a secret from one entity to the other; instead, both entities, without prior arrangement except a public exchange of data, can compute the same secret value, but that value cannot be computed by other, unauthorized entities. (See: Diffie-Hellman-Merkle, key establishment, KEA, MQV. Compare: key transport.)

$ 密钥协议(算法或协议)1。(一) 一种密钥建立方法(特别是涉及非对称加密的方法),通过这种方法,两个或多个实体,除公开数据交换(如公钥)外,无需事先安排,都可以生成相同的密钥值。即,该方法不将秘密从一个实体发送到另一个实体;相反,两个实体在没有事先安排的情况下(除了公开数据交换),都可以计算相同的秘密值,但该值不能由其他未经授权的实体计算。(参见:Diffie Hellman Merkle,密钥建立,KEA,MQV。比较:密钥传输。)

2. (O) "A method for negotiating a key value on line without transferring the key, even in an encrypted form, e.g., the Diffie-Hellman technique." [X509] (See: Diffie-Hellman-Merkle.)

2. (O) “一种在线协商密钥值而不传输密钥的方法,即使是加密形式,例如Diffie-Hellman技术。”[X509](参见:Diffie-Hellman-Merkle。)

3. (O) "The procedure whereby two different parties generate shared symmetric keys such that any of the shared symmetric keys is a function of the information contributed by all legitimate participants, so that no party [alone] can predetermine the value of the key." [A9042]

3. (O) “两个不同方生成共享对称密钥的过程,使得任何共享对称密钥都是所有合法参与者提供的信息的函数,因此任何一方[单独]都不能预先确定密钥的值。”[A9042]

Example: A message originator and the intended recipient can each use their own private key and the other's public key with the Diffie-Hellman-Merkle algorithm to first compute a shared secret value and, from that value, derive a session key to encrypt the message.

示例:消息发起人和预期收件人可以各自使用自己的私钥和另一方的公钥以及Diffie-Hellman-Merkle算法,首先计算共享密钥值,并从该值派生会话密钥以加密消息。

$ key authentication (N) "The assurance of the legitimate participants in a key agreement [i.e., in a key-agreement protocol] that no non-legitimate party possesses the shared symmetric key." [A9042]

$ 密钥认证(N)“密钥协议[即密钥协议协议]的合法参与者保证非合法方不拥有共享对称密钥。”[A9042]

$ key-auto-key (KAK) (D) "Cryptographic logic [i.e., a mode of operation] using previous key to produce key." [C4009, A1523] (See: CTAK, /cryptographic operation/ under "mode".)

$ 密钥自动密钥(KAK)(D)“使用先前密钥生成密钥的加密逻辑[即操作模式]”[C4009,A1523](参见:CTAK,/Cryptographic operation/在“模式”下)

Deprecated Term: IDOCs SHOULD NOT use this term; it is neither well-known nor precisely defined. Instead, use terms associated with modes that are defined in standards, such as CBC, CFB, and OFB.

不推荐使用的术语:IDoc不应使用此术语;它既不是众所周知的,也不是精确定义的。相反,使用与标准中定义的模式相关的术语,如CBC、CFB和OFB。

$ key center (I) A centralized, key-distribution process (used in symmetric cryptography), usually a separate computer system, that uses master keys (i.e., KEKs) to encrypt and distribute session keys needed by a community of users.

$ 密钥中心(I):一个集中的密钥分发过程(用于对称加密),通常是一个独立的计算机系统,使用主密钥(即KEK)加密和分发用户社区所需的会话密钥。

Tutorial: An ANSI standard [A9017] defines two types of key center: "key distribution center" and "key translation center".

教程:ANSI标准[A9017]定义了两种类型的密钥中心:“密钥分发中心”和“密钥翻译中心”。

$ key confirmation (N) "The assurance [provided to] the legitimate participants in a key establishment protocol that the [parties that are intended to share] the symmetric key actually possess the shared symmetric key." [A9042]

$ 密钥确认(N)“向密钥建立协议的合法参与者提供的保证,即[打算共享]对称密钥的各方实际拥有共享对称密钥。”[A9042]

$ key distribution (I) A process that delivers a cryptographic key from the location where it is generated to the locations where it is used in a cryptographic algorithm. (See: key establishment, key management.)

$ 密钥分发(I)将加密密钥从生成位置传递到加密算法中使用的位置的过程。(参见:密钥建立、密钥管理。)

$ key distribution center (KDC) 1. (I) A type of key center (used in symmetric cryptography) that implements a key-distribution protocol to provide keys (usually, session keys) to two (or more) entities that wish to communicate securely. (Compare: key translation center.)

$ 密钥分发中心(KDC)1。(一) 一种密钥中心(用于对称加密),它实现密钥分发协议,为两个(或更多)希望安全通信的实体提供密钥(通常是会话密钥)。(比较:关键翻译中心。)

2. (N) "COMSEC facility generating and distributing key in electrical form." [C4009]

2. (N) “通信安全设施以电子形式生成和分配密钥。”[C4009]

Tutorial: A KDC distributes keys to Alice and Bob, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the KDC, and (c) may not be able to generate or acquire keys by themselves. Alice requests the keys from the KDC. The KDC generates or acquires the keys and makes two identical sets. The KDC encrypts one set in the KEK it shares with Alice, and sends that encrypted set to Alice. The KDC encrypts the second set in the KEK it shares with Bob, and either (a) sends that encrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although the latter option is not supported in the ANSI standard [A9017]).

教程:KDC将密钥分发给Alice和Bob,他们(A)希望彼此通信但当前不共享密钥,(b)每个人都与KDC共享一个KEK,以及(c)可能无法自行生成或获取密钥。Alice向KDC请求密钥。KDC生成或获取密钥,并生成两个相同的集合。KDC加密它与Alice共享的KEK中的一个集,并将该加密集发送给Alice。KDC加密与Bob共享的KEK中的第二个集,并且(a)将该加密集发送给Alice,让她转发给Bob,或者(b)直接发送给Bob(尽管ANSI标准[A9017]不支持后一个选项)。

$ key encapsulation (N) A key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation typically permits direct retrieval of a secret key used to provide data confidentiality. (Compare: key escrow.)

$ 密钥封装(N)一种密钥恢复技术,用于通过使用另一密钥对加密密钥进行加密并确保只有称为“恢复代理”的特定第三方可以执行解密操作以检索存储的密钥来存储加密密钥的知识。密钥封装通常允许直接检索用于提供数据机密性的密钥。(比较:密钥托管。)

$ key-encrypting key (KEK) (I) A cryptographic key that (a) is used to encrypt other keys (either DEKs or other TEKs) for transmission or storage but (b) (usually) is not used to encrypt application data. Usage: Sometimes called "key-encryption key".

$ 密钥加密密钥(KEK)(I)(A)用于加密用于传输或存储的其他密钥(DEK或其他TEK),但(b)(通常)不用于加密应用程序数据的加密密钥。用法:有时称为“密钥加密密钥”。

$ key escrow (N) A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances. (Compare: key encapsulation.)

$ 密钥托管(N)一种密钥恢复技术,用于将加密密钥或其部分的知识存储在一个或多个第三方(称为“托管代理”)的托管下,以便在特定情况下恢复和使用密钥。(比较:键封装。)

Tutorial: Key escrow is typically implemented with split knowledge techniques. For example, the Escrowed Encryption Standard [FP185] entrusts two components of a device-unique split key to separate escrow agents. The agents provide the components only to someone legally authorized to conduct electronic surveillance of telecommunications encrypted by that specific device. The components are used to reconstruct the device-unique key, and it is used to obtain the session key needed to decrypt communications.

教程:密钥托管通常使用分割知识技术实现。例如,托管加密标准[FP185]将设备唯一分割密钥的两个组件委托给单独的托管代理。代理商仅向合法授权的人员提供组件,以便对由该特定设备加密的电信进行电子监控。这些组件用于重建设备唯一密钥,并用于获取解密通信所需的会话密钥。

$ key establishment (algorithm or protocol) 1. (I) A procedure that combines the key-generation and key-distribution steps needed to set up or install a secure communication association.

$ 密钥建立(算法或协议)1。(一) 一种结合密钥生成和密钥分发步骤的过程,用于建立或安装安全通信关联。

2. (I) A procedure that results in keying material being shared among two or more system entities. [A9042, SP56]

2. (一) 导致在两个或多个系统实体之间共享关键帧材质的过程。[A9042,SP56]

Tutorial: The two basic techniques for key establishment are "key agreement" and "key transport".

教程:密钥建立的两个基本技术是“密钥协议”和“密钥传输”。

$ Key Exchange Algorithm (KEA) (N) A key-agreement method [SKIP, R2773] that is based on the Diffie-Hellman-Merkle algorithm and uses 1024-bit asymmetric keys. (See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)

$ 密钥交换算法(KEA)(N)一种基于Diffie-Hellman-Merkle算法并使用1024位非对称密钥的密钥协商方法[SKIP,R2773]。(见:顶石、克利伯、福特扎、SKIPJACK)

Tutorial: KEA was developed by NSA and formerly classified at the U.S. DoD "Secret" level. On 23 June 1998, the NSA announced that KEA had been declassified.

教程:KEA是由NSA开发的,以前是美国国防部的“机密”级别。1998年6月23日,国家安全局宣布KEA已解密。

$ key generation (I) A process that creates the sequence of symbols that comprise a cryptographic key. (See: key management.)

$ 密钥生成(I)创建包含加密密钥的符号序列的过程。(请参阅:密钥管理。)

$ key generator 1. (I) An algorithm that uses mathematical rules to deterministically produce a pseudorandom sequence of cryptographic key values.

$ 钥匙生成器1。(一) 一种算法,它使用数学规则来确定地产生密码键值的伪随机序列。

2. (I) An encryption device that incorporates a key-generation mechanism and applies the key to plain text to produce cipher text

2. (一) 一种加密装置,包含密钥生成机制,并将密钥应用于纯文本以生成密文

(e.g., by exclusive OR-ing (a) a bit-string representation of the key with (b) a bit-string representation of the plaintext).

(例如,通过将(a)密钥的位字符串表示与(b)明文的位字符串表示进行异或运算)。

$ key length (I) The number of symbols (usually stated as a number of bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)

$ 密钥长度(I)能够表示加密密钥的任何可能值所需的符号数(通常表示为比特数)。(请参见:键空间。)

$ key lifetime 1. (D) Synonym for "cryptoperiod".

$ 密钥生命周期1。(D) “加密周期”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 1 because a key's cryptoperiod may be only a part of the key's lifetime. A key could be generated at some time prior to when its cryptoperiod begins and might not be destroyed (i.e., zeroized) until some time after its cryptoperiod ends.

不推荐使用的定义:IDOCs不应在定义1中使用此术语,因为密钥的加密周期可能只是密钥生命周期的一部分。密钥可以在其密码周期开始之前的某个时间生成,并且在其密码周期结束后的某个时间之前可能不会被销毁(即,归零)。

2. (O) /MISSI/ An attribute of a MISSI key pair that specifies a time span that bounds the validity period of any MISSI X.509 public-key certificate that contains the public component of the pair. (See: cryptoperiod.)

2. (O) /misi/misi密钥对的一种属性,指定一个时间跨度,该时间跨度限定了包含该密钥对的公共组件的任何misi X.509公钥证书的有效期。(请参阅:加密周期。)

$ key loader (N) Synonym for "fill device".

$ 钥匙加载器(N)是“加注装置”的同义词。

$ key loading and initialization facility (KLIF) (N) A place where ECU hardware is activated after being fabricated. (Compare: CLEF.)

$ 钥匙加载和初始化设施(KLIF)(N)制造后激活ECU硬件的地方。(比较:谱号。)

Tutorial: Before going to its KLIF, an ECU is not ready to be fielded, usually because it is not yet able to receive DEKs. The KLIF employs trusted processes to complete the ECU by installing needed data such as KEKs, seed values, and, in some cases, cryptographic software. After KLIF processing, the ECU is ready for deployment.

教程:在去KLIF之前,ECU还没有准备好部署,通常是因为它还不能接收DEK。KLIF通过安装所需的数据(如KEK、种子值,在某些情况下还包括加密软件),采用可信的过程来完成ECU。KLIF处理后,ECU准备展开。

$ key management 1a. (I) The process of handling keying material during its life cycle in a cryptographic system; and the supervision and control of that process. (See: key distribution, key escrow, keying material, public-key infrastructure.)

$ 密钥管理1a。(一) 在密码系统的生命周期内处理密钥材料的过程;以及对该过程的监督和控制。(请参阅:密钥分发、密钥托管、密钥材料、公钥基础设施。)

Usage: Usually understood to include ordering, generating, storing, archiving, escrowing, distributing, loading, destroying, auditing, and accounting for the material.

用法:通常理解为包括材料的订购、生成、存储、归档、托管、分发、加载、销毁、审核和核算。

1b. (O) /NIST/ "The activities involving the handling of cryptographic keys and other related security parameters (e.g.,

1b。(O) /NIST/“涉及处理加密密钥和其他相关安全参数的活动(例如。,

IVs, counters) during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving." [FP140, SP57]

在密钥的整个生命周期内,包括密钥的生成、存储、分发、输入和使用、删除或销毁以及存档。”[FP140,SP57]

2. (O) /OSIRM/ "The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy." [I7498-2]

2. (O) /OSIRM/“根据安全策略生成、存储、分发、删除、存档和应用密钥。”[I7498-2]

$ Key Management Protocol (KMP) (N) A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.) Superseded by ISAKMP and IKE.

$ 密钥管理协议(KMP)(N)在一对(或一组)用户之间建立共享对称密钥的协议。(一个版本的KMP由SDNS开发,另一个由SILS开发)被ISAKMP和IKE取代。

$ key material (D) Synonym for "keying material".

$ 关键材料(D)“关键材料”的同义词。

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "keying material".

不推荐使用:IDOCs不应将此术语用作“键控材料”的同义词。

$ key pair (I) A set of mathematically related keys -- a public key and a private key -- that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key. (See: Diffie-Hellman-Merkle, RSA.)

$ 密钥对(I)一组数学上相关的密钥——公钥和私钥——用于非对称加密,其生成方式使得从公钥知识中导出私钥在计算上不可行。(见:Diffie Hellman Merkle,RSA)

Tutorial: A key pair's owner discloses the public key to other system entities so they can use the key to (a) encrypt data, (b) verify a digital signature, or (c) generate a key with a key-agreement algorithm. The matching private key is kept secret by the owner, who uses it to (a') decrypt data, (b') generate a digital signature, or (c') generate a key with a key-agreement algorithm.

教程:密钥对的所有者向其他系统实体公开公钥,以便他们可以使用该密钥(A)加密数据,(b)验证数字签名,或(c)使用密钥协商算法生成密钥。匹配的私钥由所有者保密,所有者使用私钥(a')解密数据,(b')生成数字签名,或(c')使用密钥协商算法生成密钥。

$ key recovery 1. (I) /cryptanalysis/ A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis, recovery.)

$ 密钥恢复1。(一) /CryptoAnalysis/CryptoAnalysis用于学习以前用于执行某些加密操作的加密密钥的值的过程。(请参阅:密码分析,恢复。)

2. (I) /backup/ Techniques that provide an intentional, alternate means to access the key used for data confidentiality service in an encrypted association. [DoD4] (Compare: recovery.)

2. (一) /backup/提供一种有意的替代方法来访问加密关联中用于数据保密服务的密钥的技术。[DoD4](比较:恢复。)

Tutorial: It is assumed that the cryptographic system includes a primary means of obtaining the key through a key-establishment algorithm or protocol. For the secondary means, there are two classes of key recovery techniques: key encapsulation and key escrow.

教程:假设加密系统包括通过密钥建立算法或协议获取密钥的主要方法。对于第二种方法,有两类密钥恢复技术:密钥封装和密钥托管。

$ key space (I) The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)

$ 密钥空间(I)加密密钥的可能值的范围;或者特定加密算法支持的不同转换的数量。(请参见:键长度。)

$ key translation center (I) A type of key center that implements a key-distribution protocol (based on symmetric cryptography) to convey keys between two (or more) parties who wish to communicate securely. (Compare: key distribution center.)

$ 密钥转换中心(I)一种密钥中心,它实现密钥分发协议(基于对称密码),以便在希望安全通信的两(或更多)方之间传输密钥。(比较:关键配送中心。)

Tutorial: A key translation center transfers keys for future communication between Bob and Alice, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the center, and (c) have the ability to generate or acquire keys by themselves. Alice generates or acquires a set of keys for communication with Bob. Alice encrypts the set in the KEK she shares with the center and sends the encrypted set to the center. The center decrypts the set, reencrypts the set in the KEK it shares with Bob, and either (a) sends that reencrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although direct distribution is not supported in the ANSI standard [A9017]).

教程:钥匙翻译中心为Bob和Alice之间的未来通信传输钥匙,他们(A)希望彼此通信,但目前不共享钥匙,(b)每个人与中心共享一个KEK,以及(c)能够自行生成或获取钥匙。Alice生成或获取一组用于与Bob通信的密钥。Alice对她与中心共享的桶中的集进行加密,并将加密集发送到中心。中心解密该集,在与Bob共享的KEK中重新加密该集,然后(a)将重新加密的集发送给Alice,让她转发给Bob,或者(b)直接发送给Bob(尽管ANSI标准[A9017]不支持直接分发)。

$ key transport (algorithm or protocol) 1. (I) A key establishment method by which a secret key is generated by a system entity in a communication association and securely sent to another entity in the association. (Compare: key agreement.)

$ 密钥传输(算法或协议)1。(一) 一种密钥建立方法,通过该方法,保密密钥由通信关联中的系统实体生成,并安全地发送给该关联中的另一实体。(比较:关键协议。)

Tutorial: Either (a) one entity generates a secret key and securely sends it to the other entity, or (b) each entity generates a secret value and securely sends it to the other entity, where the two values are combined to form a secret key. For example, a message originator can generate a random session key and then use the RSA algorithm to encrypt that key with the public key of the intended recipient.

教程:要么(a)一个实体生成一个密钥并安全地发送给另一个实体,要么(b)每个实体生成一个秘密值并安全地发送给另一个实体,其中两个值组合在一起形成一个密钥。例如,消息发起人可以生成一个随机会话密钥,然后使用RSA算法使用预期收件人的公钥加密该密钥。

2. (O) "The procedure to send a symmetric key from one party to other parties. As a result, all legitimate participants share a common symmetric key in such a way that the symmetric key is determined entirely by one party." [A9042]

2. (O) “从一方向另一方发送对称密钥的过程。因此,所有合法参与者共享一个公共对称密钥,使得对称密钥完全由一方确定。”[A9042]

$ key update 1. (I) Derive a new key from an existing key. (Compare: rekey.)

$ 密钥更新1。(一) 从现有密钥派生新密钥。(比较:重新设置。)

2. (O) Irreversible cryptographic process that modifies a key to produce a new key. [C4009]

2. (O) 修改密钥以产生新密钥的不可逆加密过程。[C4009]

$ key validation 1. (I) "The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks." [A9042] (See: weak key)

$ 关键验证1。(一) “公钥接收者检查密钥是否符合该密钥的算术要求,以阻止某些类型的攻击的过程。”[A9042](参见:弱密钥)

2. (D) Synonym for "certificate validation".

2. (D) “证书验证”的同义词。

Deprecated Usage: IDOCs SHOULD NOT use the term as a synonym for "certificate validation"; that would unnecessarily duplicate the meaning of the latter term and mix concepts in a potentially misleading way. In validating an X.509 public-key certificate, the public key contained in the certificate is normally treated as an opaque data object.

不推荐使用:IDOCs不应将该术语用作“证书验证”的同义词;这将不必要地重复后一术语的含义,并以潜在误导的方式混淆概念。在验证X.509公钥证书时,证书中包含的公钥通常被视为不透明数据对象。

$ keyed hash (I) A cryptographic hash (e.g., [R1828]) in which the mapping to a hash result is varied by a second input parameter that is a cryptographic key. (See: checksum.)

$ 键控散列(I)加密散列(例如,[R1828]),其中到散列结果的映射由作为加密密钥的第二输入参数改变。(请参阅:校验和。)

Tutorial: If the input data object is changed, a new, corresponding hash result cannot be correctly computed without knowledge of the secret key. Thus, the secret key protects the hash result so it can be used as a checksum even when there is a threat of an active attack on the data. There are two basic types of keyed hash: - A function based on a keyed encryption algorithm. Example: Data Authentication Code. - A function based on a keyless hash that is enhanced by combining (e.g., by concatenating) the input data object parameter with a key parameter before mapping to the hash result. Example: HMAC.

教程:如果更改了输入数据对象,则在不知道密钥的情况下,无法正确计算新的相应哈希结果。因此,密钥保护散列结果,因此即使在数据受到主动攻击的威胁时,也可以将其用作校验和。密钥散列有两种基本类型:-基于密钥加密算法的函数。示例:数据身份验证代码。-一种基于无键散列的函数,在映射到散列结果之前,通过将输入数据对象参数与键参数组合(例如,通过连接)来增强该函数。例如:HMAC。

$ keying material 1. (I) Data that is needed to establish and maintain a cryptographic security association, such as keys, key pairs, and IVs.

$ 键控材料1。(一) 建立和维护加密安全关联所需的数据,如密钥、密钥对和IVs。

2. (O) "Key, code, or authentication information in physical or magnetic form." [C4009] (Compare: COMSEC material.)

2. (O) “物理或磁性形式的密钥、代码或身份验证信息。”[C4009](比较:通信安全资料。)

$ keying material identifier (KMID) 1. (I) An identifier assigned to an item of keying material.

$ 键入物料标识符(KMID)1。(一) 分配给键控材料项的标识符。

2. (O) /MISSI/ A 64-bit identifier that is assigned to a key pair when the public key is bound in a MISSI X.509 public-key certificate.

2. (O) /misi/当公钥绑定到misi X.509公钥证书中时分配给密钥对的64位标识符。

$ Khafre (N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]

$ Khafre(N):一种获得专利的对称分组密码,由Ralph C.Merkle设计,作为DES的插件替代。[施恩]

Tutorial: Khafre was designed for efficient encryption of small amounts of data. However, because Khafre does not precompute tables used for encryption, it is slower than Khufu for large amounts of data.

教程:Khafre是为有效加密少量数据而设计的。但是,由于Khafre不预计算用于加密的表,因此对于大量数据,它比Khufu慢。

$ Khufu (N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]

$ Khufu(N):一种获得专利的对称分组密码,由Ralph C.Merkle设计,作为DES的插件替代。[施恩]

Tutorial: Khufu was designed for fast encryption of large amounts of data. However, because Khufu precomputes tables used in encryption, it is less efficient than Khafre for small amounts of data.

教程:胡夫是为快速加密大量数据而设计的。然而,由于Khufu预先计算加密中使用的表,因此对于少量数据,它的效率不如Khafre。

$ KLIF (N) See: key loading and initialization facility.

$ KLIF(N)参见:密钥加载和初始化设施。

$ KMID (I) See: keying material identifier.

$ KMID(I)见:键入材料标识符。

$ known-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as knowing the cryptographic algorithm).

$ 已知明文攻击(I)一种密码分析技术,分析员试图根据一些明文-密文对的知识确定密钥(尽管分析员也可能有其他线索,例如知道密码算法)。

$ kracker (O) Old spelling for "cracker".

$ 克拉克(O)是“饼干”的老拼法。

$ KSOS, KSOS-6, KSOS-11 (O) See: Kernelized Secure Operating System.

$ KSOS,KSOS-6,KSOS-11(O)参见:内核化安全操作系统。

$ L2F (N) See: Layer 2 Forwarding Protocol.

$ L2F(N)参见:第2层转发协议。

$ L2TP (N) See: Layer 2 Tunneling Protocol.

$ L2TP(N)参见:第2层隧道协议。

$ label See: time stamp, security label.

$ 标签见:时间戳、安全标签。

$ laboratory attack (O) "Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media." [C4009]

$ 实验室攻击(O)“在实验室环境中使用复杂的信号恢复设备从数据存储介质中恢复信息。”[C4009]

$ LAN (I) Abbreviation for "local area network" [R1983]. (See: [FP191].)

$ LAN(I)“局域网”的缩写[R1983]。(见:[FP191])

$ land attack (I) A denial-of-service attack that sends an IP packet that (a) has the same address in both the Source Address and Destination Address fields and (b) contains a TCP SYN packet that has the same port number in both the Source Port and Destination Port fields.

$ 陆地攻击(I)一种拒绝服务攻击,它发送一个IP数据包,该IP数据包(A)在源地址和目标地址字段中具有相同的地址,并且(b)包含一个在源端口和目标端口字段中具有相同端口号的TCP SYN数据包。

Derivation: This single-packet attack was named for "land", the program originally published by the cracker who invented this exploit. Perhaps that name was chosen because the inventor thought of multi-packet (i.e., flooding) attacks as arriving by sea.

派生:这一单包攻击以“land”命名,该程序最初由发明此漏洞的破解者发布。选择这个名称可能是因为发明家认为多包(即洪水)攻击是通过海上到达的。

$ Language of Temporal Ordering Specification (LOTOS) (N) A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.

$ 时间顺序规范语言(LOTOS)(N)计算机网络协议形式规范的语言(ISO 8807-1990);描述事件发生的顺序。

$ lattice (I) A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.

$ 格(I)有限集及其元素上的偏序,使得每对元素都有一个最小上界和一个最大下界。

Example: A lattice is formed by a finite set S of security levels -- i.e., a set S of all ordered pairs (x,c), where x is one of a finite set X of hierarchically ordered classification levels X(1), non-hierarchical categories C(1), ..., C(M) -- together with the "dominate" relation. Security level (x,c) is said to "dominate" (x',c') if and only if (a) x is greater (higher) than or equal to x' and (b) c includes at least all of the elements of c'. (See: dominate, lattice model.)

示例:晶格由安全级别的有限集合S(即,所有有序对(x,c)的集合S)以及“支配”关系构成,其中x是分层有序分类级别x(1)、非分层类别c(1),…,c(M)的有限集合x之一。当且仅当(a)x大于(高于)或等于x’且(b)c至少包括c’的所有元素时,安全级别(x,c)称为“支配”(x',c’)。(请参见:控制,晶格模型。)

Tutorial: Lattices are used in some branches of cryptography, both as a basis for hard computational problems upon which cryptographic algorithms can be defined, and also as a basis for attacks on cryptographic algorithms.

教程:格在密码学的一些分支中使用,既可以作为定义密码算法的硬计算问题的基础,也可以作为攻击密码算法的基础。

$ lattice model 1. (I) A description of the semantic structure formed by a finite set of security levels, such as those used in military organizations. (See: dominate, lattice, security model.)

$ 晶格模型1。(一) 由一组有限的安全级别(如军事组织中使用的安全级别)形成的语义结构的描述。(请参见:支配、晶格、安全模型。)

2. (I) /formal model/ A model for flow control in a system, based on the lattice that is formed by the finite security levels in a system and their partial ordering. [Denn]

2. (一) /形式模型/系统中的流量控制模型,基于由系统中的有限安全级别及其偏序形成的晶格。[丹尼]

$ Law Enforcement Access Field (LEAF) (N) A data item that is automatically embedded in data encrypted by devices (e.g., CLIPPER chip) that implement the Escrowed Encryption Standard.

$ 执法访问字段(LEAF)(N)自动嵌入由实施托管加密标准的设备(如CLIPPER芯片)加密的数据中的数据项。

$ Layer 1, 2, 3, 4, 5, 6, 7 (N) See: OSIRM.

$ 第1、2、3、4、5、6、7(N)层见:OSIRM。

$ Layer 2 Forwarding Protocol (L2F) (N) An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)

$ 第2层转发协议(L2F)(N):一种互联网协议(最初由Cisco公司开发),它使用IP上PPP的隧道来创建网络上拨号链路的虚拟扩展,由拨号服务器发起,对拨号用户透明。(请参阅:L2TP。)

$ Layer 2 Tunneling Protocol (L2TP) (N) An Internet client-server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: VPN.)

$ 第二层隧道协议(L2TP)(N)一种互联网客户机-服务器协议,它结合了PPTP和L2F的各个方面,并支持通过IP网络或帧中继或其他交换网络对PPP进行隧道传输。(请参阅:VPN。)

Tutorial: PPP can in turn encapsulate any OSIRM Layer 3 protocol. Thus, L2TP does not specify security services; it depends on protocols layered above and below it to provide any needed security.

教程:PPP可以反过来封装任何OSIRM第3层协议。因此,L2TP没有指定安全服务;它依赖于上下分层的协议来提供所需的安全性。

$ LDAP (I) See: Lightweight Directory Access Protocol.

$ LDAP(I)参见:轻量级目录访问协议。

$ least common mechanism (I) The principle that a security architecture should minimize reliance on mechanisms that are shared by many users.

$ 最不常见的机制(I)安全体系结构应尽量减少对多个用户共享的机制的依赖的原则。

Tutorial: Shared mechanisms may include cross-talk paths that permit a breach of data security, and it is difficult to make a single mechanism operate in a correct and trusted manner to the satisfaction of a wide range of users.

教程:共享机制可能包括允许破坏数据安全的串扰路径,并且很难使单个机制以正确和可信的方式运行,以满足广大用户的需求。

$ least privilege (I) The principle that a security architecture should be designed so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. (Compare: economy of mechanism, least trust.)

$ 最低特权(I)安全体系结构的设计原则,即应向每个系统实体授予该实体执行其工作所需的最低系统资源和授权。(比较:机制经济,信任最少。)

Tutorial: This principle tends to limit damage that can be caused by an accident, error, or unauthorized act. This principle also tends to reduce complexity and promote modularity, which can make certification easier and more effective. This principle is similar to the principle of protocol layering, wherein each layer provides specific, limited communication services, and the functions in one layer are independent of those in other layers.

教程:这一原则倾向于限制事故、错误或未经授权的行为可能造成的损害。这一原则还倾向于降低复杂性和促进模块化,从而使认证更容易、更有效。该原则类似于协议分层的原则,其中每一层提供特定的、有限的通信服务,并且一层中的功能独立于其他层中的功能。

$ least trust (I) The principle that a security architecture should be designed in a way that minimizes (a) the number of components that require trust and (b) the extent to which each component is trusted. (Compare: least privilege, trust level.)

$ 最少信任(I)安全体系结构的设计原则应尽量减少(a)需要信任的组件数量和(b)每个组件的信任程度。(比较:最低权限、信任级别。)

$ legacy system (I) A system that is in operation but will not be improved or expanded while a new system is being developed to supersede it.

$ 遗留系统(I)正在运行但在开发新系统以取代其时不会改进或扩展的系统。

$ legal non-repudiation (I) See: secondary definition under "non-repudiation".

$ 法律不可抵赖性(I)见“不可抵赖性”下的二级定义。

$ leap of faith 1. (I) /general security/ Operating a system as though it began operation in a secure state, even though it cannot be proven that such a state was established (i.e., even though a security compromise might have occurred at or before the time when operation began).

$ 信仰的飞跃1。(一) /一般安全性/将系统当作在安全状态下开始运行,即使无法证明这种状态已建立(即,即使在操作开始时或之前可能发生安全危害)。

2. (I) /COMSEC/ The initial part, i.e., the first communication step, or steps, of a protocol that is vulnerable to attack (especially a man-in-the-middle attack) during that part but, if that part is completed without being attacked, is subsequently not vulnerable in later steps (i.e., results in a secure communication association for which no man-in-the-middle attack is possible).

2. (一) /COMSEC/协议的初始部分,即第一个或多个通信步骤,在该部分期间易受攻击(尤其是中间人攻击),但如果该部分在未受攻击的情况下完成,则随后在后续步骤中不易受攻击(即,导致不可能进行中间人攻击的安全通信关联)。

Usage: This term is listed in English dictionaries, but their definitions are broad and can be interpreted in many ways in Internet contexts. Similarly, the definition stated here can be interpreted in several ways. Therefore, IDOCs that use this term (especially IDOCs that are protocol specifications) SHOULD state a more specific definition for it.

用法:这一术语在英语词典中有列出,但它们的定义很广泛,在互联网环境中可以用多种方式进行解释。同样,这里所述的定义可以用几种方式来解释。因此,使用该术语的IDOC(特别是作为协议规范的IDOC)应该对其进行更具体的定义。

Tutorial: In a protocol, a leap of faith typically consists of accepting a claim of peer identity, data origin, or data integrity without authenticating that claim. When a protocol includes such a step, the protocol might also be designed so that if a man-in-the-middle attack succeeds during the vulnerable first part, then the attacker must remain in the middle for all subsequent

教程:在协议中,信任的飞跃通常包括接受对等身份、数据来源或数据完整性的声明,而不验证该声明。当协议包括这样的步骤时,该协议也可以被设计为如果中间人攻击在脆弱的第一部分成功,那么攻击者必须保持在所有后续的中间。

exchanges or else one of the legitimate parties will be able to detect the attack.

交换或其他合法方之一将能够检测到攻击。

$ level of concern (N) /U.S. DoD/ A rating assigned to an information system that indicates the extent to which protective measures, techniques, and procedures must be applied. (See: critical, sensitive, level of robustness.)

$ 指定给信息系统的关注级别(N)/美国国防部/A评级,表明必须应用保护措施、技术和程序的程度。(请参阅:关键、敏感、鲁棒性级别。)

$ level of robustness (N) /U.S. DoD/ A characterization of (a) the strength of a security function, mechanism, service, or solution and (b) the assurance (or confidence) that it is implemented and functioning. [Cons, IATF] (See: level of concern.)

$ 鲁棒性等级(N)/美国国防部/A(A)安全功能、机制、服务或解决方案的强度和(b)其实施和运行的保证(或信心)的特征。[Cons,IATF](参见:关注程度。)

$ Liberty Alliance (O) An international consortium of more than 150 commercial, nonprofit, and governmental organizations that was created in 2001 to address technical, business, and policy problems of identity and identity-based Web services and develop a standard for federated network identity that supports current and emerging network devices.

$ Liberty Alliance(O):由150多个商业、非营利和政府组织组成的国际联盟,成立于2001年,旨在解决身份和基于身份的Web服务的技术、商业和政策问题,并开发支持当前和新兴网络设备的联合网络身份标准。

$ Lightweight Directory Access Protocol (LDAP) (I) An Internet client-server protocol (RFC 3377) that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP).

$ 轻量级目录访问协议(LDAP)(I)一种Internet客户机-服务器协议(RFC 3377),支持基本使用X.500目录(或其他目录服务器),而不产生完整目录访问协议(DAP)的资源需求。

Tutorial: Designed for simple management and browser applications that provide simple read/write interactive directory service. Supports both simple authentication and strong authentication of the client to the directory server.

教程:专为提供简单读/写交互式目录服务的简单管理和浏览器应用程序而设计。支持客户端到目录服务器的简单身份验证和强身份验证。

$ link 1a. (I) A communication facility or physical medium that can sustain data communications between multiple network nodes, in the protocol layer immediately below IP. (RFC 3753)

$ 链接1a。(一) 一种通信设施或物理介质,可在IP正下方的协议层中维持多个网络节点之间的数据通信。(RFC 3753)

1b. (I) /subnetwork/ A communication channel connecting subnetwork relays (especially one between two packet switches) that is implemented at OSIRM Layer 2. (See: link encryption.)

1b。(一) /subnetwork/OSIRM第2层实现的连接子网中继(尤其是两个分组交换机之间的中继)的通信信道。(请参阅:链接加密。)

Tutorial: The relay computers assume that links are logically passive. If a computer at one end of a link sends a sequence of bits, the sequence simply arrives at the other end after a finite time, although some bits may have been changed either accidentally (errors) or by active wiretapping.

教程:中继计算机假定链路在逻辑上是被动的。如果链路一端的计算机发送一个位序列,则该序列在有限时间后到达另一端,尽管某些位可能是意外(错误)或通过主动窃听而改变的。

2. (I) /World Wide Web/ See: hyperlink.

2. (一) /万维网/请参阅:超级链接。

$ link encryption (I) Stepwise (link-by-link) protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnetwork relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (Compare: end-to-end encryption.)

$ 链路加密(I)逐步(逐链路)保护网络中两点之间流动的数据,通过在每个网络链路上分别加密数据提供,即在数据离开主机或子网络中继时加密数据,并在数据到达下一个主机或中继时解密。每个链接可能使用不同的密钥,甚至使用不同的算法。[R1455](比较:端到端加密。)

$ liveness (I) A property of a communication association or a feature of a communication protocol that provides assurance to the recipient of data that the data is being freshly transmitted by its originator, i.e., that the data is not being replayed, by either the originator or a third party, from a previous transmission. (See: fresh, nonce, replay attack.)

$ 活跃度(I)通信关联的一种属性或通信协议的一种特征,它向数据接收者保证数据是由其发端人新传输的,即数据不是由发端人或第三方从以前的传输中重放的。(请参阅:新鲜、暂时、重放攻击。)

$ logic bomb (I) Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. (See: Trojan horse, virus, worm.)

$ 逻辑炸弹(I)当满足指定条件时激活的恶意逻辑。通常旨在导致拒绝服务或以其他方式损坏系统资源。(请参阅:特洛伊木马、病毒、蠕虫。)

$ login 1a. (I) An act by which a system entity establishes a session in which the entity can use system resources. (See: principal, session.)

$ 登录1a。(一) 系统实体建立会话的一种行为,在此会话中该实体可以使用系统资源。(见:校长,会议。)

1b. (I) An act by which a system user has its identity authenticated by the system. (See: principal, session.)

1b。(一) 一种行为,通过这种行为,系统用户的身份得到系统的认证。(见:校长,会议。)

Usage: Usually understood to be accomplished by providing an identifier and matching authentication information (e.g., a password) to a security mechanism that authenticates the user's identity; but sometimes refers to establishing a connection with a server when no authentication or specific authorization is involved.

用法:通常理解为通过向认证用户身份的安全机制提供标识符和匹配的认证信息(例如,密码)来实现;但有时指的是在不涉及身份验证或特定授权的情况下与服务器建立连接。

Derivation: Refers to "log" file, a security audit trail that records (a) security events, such as the beginning of a session, and (b) the names of the system entities that initiate events.

派生:指“日志”文件,这是一个安全审计跟踪,记录(a)安全事件,例如会话的开始,以及(b)启动事件的系统实体的名称。

$ long title (O) /U.S. Government/ "Descriptive title of [an item of COMSEC material]." [C4009] (Compare: short title.)

$ 长标题(O)/美国政府/“通信安全材料的描述标题”[C4009](比较:短标题)

$ low probability of detection (I) Result of TRANSEC measures used to hide or disguise a communication.

$ 低检测概率(I)用于隐藏或伪装通信的TRANSEC测量结果。

$ low probability of intercept (I) Result of TRANSEC measures used to prevent interception of a communication.

$ 低截获概率(I)用于防止截获通信的TRANSEC措施的结果。

$ LOTOS (N) See: Language of Temporal Ordering Specification.

$ LOTOS(N)参见:时态排序规范语言。

$ MAC (N) See: mandatory access control, Message Authentication Code.

$ MAC(N)请参阅:强制访问控制、消息身份验证代码。

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because this abbreviation is ambiguous.

不推荐使用:使用此术语的IDoc应说明其定义,因为此缩写不明确。

$ magnetic remanence (N) Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. [NCS25] (See: clear, degauss, purge.)

$ 剩磁(N):清除磁性介质后,磁性介质上剩余信息的磁性表示。[NCS25](参见:清除、消磁、净化。)

$ main mode (I) See: /IKE/ under "mode".

$ 主模式(I)见“模式”下的:/IKE/项。

$ maintenance hook (N) "Special instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation." [C4009] (See: back door.)

$ 维护挂钩(N)“软件中的特殊指令(活板门),允许轻松维护和附加功能开发。由于维护挂钩经常允许在不进行常规检查的情况下进入代码,如果在实时实施之前不将其移除,则会造成严重的安全风险。”[C4009](请参阅:后门。)

$ malicious logic (I) Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. (See: logic bomb, Trojan horse, spyware, virus, worm. Compare: secondary definitions under "corruption", "incapacitation", "masquerade", and "misuse".)

$ 恶意逻辑(I)出于有害目的故意包含或插入系统的硬件、固件或软件。(参见:逻辑炸弹、特洛伊木马、间谍软件、病毒、蠕虫。比较:“腐败”、“丧失能力”、“伪装”和“滥用”下的二级定义。)

$ malware (D) A contraction of "malicious software". (See: malicious logic.)

$ 恶意软件(D)“恶意软件”的缩写。(请参阅:恶意逻辑。)

Deprecated Term: IDOCs SHOULD NOT use this term; it is not listed in most dictionaries and could confuse international readers.

不推荐使用的术语:IDoc不应使用此术语;大多数词典都没有列出它,这可能会使国际读者感到困惑。

$ MAN (I) metropolitan area network.

$ 城域网。

$ man-in-the-middle attack (I) A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association. (See: hijack attack, piggyback attack.)

$ 中间人攻击(I)一种主动窃听攻击形式,攻击者截获并有选择地修改通信数据,伪装成通信关联中涉及的一个或多个实体。(参见:劫持攻击、背驮攻击。)

Tutorial: For example, suppose Alice and Bob try to establish a session key by using the Diffie-Hellman-Merkle algorithm without data origin authentication service. A "man in the middle" could (a) block direct communication between Alice and Bob and then (b) masquerade as Alice sending data to Bob, (c) masquerade as Bob sending data to Alice, (d) establish separate session keys with each of them, and (e) function as a clandestine proxy server between them to capture or modify sensitive information that Alice and Bob think they are sending only to each other.

教程:例如,假设Alice和Bob尝试使用Diffie-Hellman-Merkle算法建立会话密钥,而不使用数据源身份验证服务。“中间人”可以(A)阻止Alice和Bob之间的直接通信,然后(b)伪装成Alice向Bob发送数据,(c)伪装成Bob向Alice发送数据,(d)与他们每个人建立单独的会话密钥,以及(e)充当他们之间的秘密代理服务器,以捕获或修改Alice和Bob认为他们只向对方发送的敏感信息。

$ manager (I) A person who controls the service configuration of a system or the functional privileges of operators and other users. (See: administrative security. Compare: operator, SSO, user.)

$ 管理者(I)控制系统服务配置或操作员和其他用户功能特权的人。(请参阅:管理安全性。比较:操作员、SSO、用户。)

$ mandatory access control 1. (I) An access control service that enforces a security policy based on comparing (a) security labels, which indicate how sensitive or critical system resources are, with (b) security clearances, which indicate that system entities are eligible to access certain resources. (See: discretionary access control, MAC, rule-based security policy.)

$ 强制访问控制1。(一) 一种访问控制服务,它通过比较(a)安全标签(表示系统资源的敏感程度或关键程度)和(b)安全许可(表示系统实体有资格访问某些资源)来实施安全策略。(请参阅:自主访问控制、MAC、基于规则的安全策略。)

Derivation: This kind of access control is called "mandatory" because an entity that has clearance to access a resource is not permitted, just by its own volition, to enable another entity to access that resource.

派生:这种访问控制被称为“强制”,因为拥有访问资源权限的实体仅凭自身意愿不允许允许另一实体访问该资源。

2. (O) "A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity." [DoD1]

2. (O) “一种基于对象中所含信息的敏感性(如标签所示)以及受试者访问此类敏感性信息的正式授权(即许可)来限制访问对象的方法。”[DoD1]

$ manipulation detection code (D) Synonym for "checksum".

$ 操作检测代码(D)是“校验和”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "checksum"; the word "manipulation" implies protection against active attacks, which an ordinary checksum might not provide. Instead, if such protection is intended, use "protected checksum" or some particular type thereof, depending on which is meant. If

不推荐使用的术语:IDOCs不应将此术语用作“校验和”的同义词;“操纵”一词意味着防止主动攻击,而普通校验和可能无法提供这种保护。相反,如果打算进行此类保护,则使用“受保护校验和”或某种特定类型的校验和,具体取决于其含义。如果

such protection is not intended, use "error detection code" or some specific type of checksum that is not protected.

此类保护不是有意的,请使用“错误检测代码”或未受保护的某些特定类型的校验和。

$ marking See: time stamp, security marking.

$ 标记见:时间戳、安全标记。

$ MARS (O) A symmetric, 128-bit block cipher with variable key length (128 to 448 bits), developed by IBM as a candidate for the AES.

$ MARS(O):一种对称的128位分组密码,密钥长度可变(128到448位),由IBM开发,作为AES的候选。

$ Martian (D) /slang/ A packet that arrives unexpectedly at the wrong address or on the wrong network because of incorrect routing or because it has a non-registered or ill-formed IP address. [R1208]

$ 火星语(D)/俚语/由于路由错误或IP地址未注册或格式错误而意外到达错误地址或错误网络的数据包。[R1208]

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ masquerade (I) A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity. (See: deception.)

$ 伪装(I)一种威胁行为,未经授权的实体通过非法伪装为授权实体获得对系统的访问权或实施恶意行为。(见:欺骗。)

Usage: This type of threat action includes the following subtypes: - "Spoof": Attempt by an unauthorized entity to gain access to a system by posing as an authorized user. - "Malicious logic": In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. (See: corruption, incapacitation, main entry for "malicious logic", misuse.)

用法:这种类型的威胁操作包括以下子类型:-“欺骗”:未经授权的实体冒充授权用户试图访问系统。-“恶意逻辑”:在伪装的情况下,任何硬件、固件或软件(如特洛伊木马)看似执行有用或需要的功能,但实际上未经授权访问系统资源或欺骗用户执行其他恶意逻辑。(参见:腐败、丧失能力、“恶意逻辑”的主要条目、滥用。)

$ MCA (O) See: merchant certification authority.

$ MCA(O)见:商户认证机构。

$ MD2 (N) A cryptographic hash [R1319] that produces a 128-bit hash result, was designed by Ron Rivest, and is similar to MD4 and MD5 but slower.

$ MD2(N)一种产生128位哈希结果的加密哈希[R1319],由Ron Rivest设计,与MD4和MD5类似,但速度较慢。

Derivation: Apparently, an abbreviation of "message digest", but that term is deprecated by this Glossary.

派生词:显然是“消息摘要”的缩写,但该术语在本术语表中已被弃用。

$ MD4 (N) A cryptographic hash [R1320] that produces a 128-bit hash result and was designed by Ron Rivest. (See: Derivation under "MD2", SHA-1.)

$ MD4(N)一种加密散列[R1320],产生128位散列结果,由Ron Rivest设计。(见“MD2”项下的推导,SHA-1。)

$ MD5 (N) A cryptographic hash [R1321] that produces a 128-bit hash result and was designed by Ron Rivest to be an improved version of MD4. (See: Derivation under "MD2".)

$ MD5(N)一种产生128位哈希结果的加密哈希[R1321],由Ron Rivest设计为MD4的改进版本。(见“MD2”项下的推导)

$ merchant (O) /SET/ "A seller of goods, services, and/or other information who accepts payment for these items electronically." [SET2] A merchant may also provide electronic selling services and/or electronic delivery of items for sale. With SET, the merchant can offer its cardholders secure electronic interactions, but a merchant that accepts payment cards is required to have a relationship with an acquirer. [SET1, SET2]

$ 商户(O)/SET/“以电子方式接受这些物品付款的商品、服务和/或其他信息的卖家。”[SET2]商户还可以提供电子销售服务和/或以电子方式交付待售物品。通过SET,商户可以向其持卡人提供安全的电子交互,但接受支付卡的商户需要与收单机构建立关系。[SET1,SET2]

$ merchant certificate (O) /SET/ A public-key certificate issued to a merchant. Sometimes used to refer to a pair of such certificates where one is for digital signature use and the other is for encryption.

$ 商户证书(O)/SET/颁发给商户的公钥证书。有时用于指一对这样的证书,其中一个用于数字签名,另一个用于加密。

$ merchant certification authority (MCA) (O) /SET/ A CA that issues digital certificates to merchants and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. Acquirers verify and approve requests for merchant certificates prior to issuance by the MCA. An MCA does not issue a CRL, but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]

$ 商户认证机构(MCA)(O)/SET/A一种CA,向商户颁发数字证书,并根据品牌规则代表支付卡品牌、收单机构或另一方运营。收单机构在MCA签发商户证书之前验证并批准商户证书申请。MCA不会发布CRL,但会分发根CA、品牌CA、地缘政治CA和支付网关CA发布的CRL。[SET2]

$ mesh PKI (I) A non-hierarchical PKI architecture in which there are several trusted CAs rather than a single root. Each certificate user bases path validations on the public key of one of the trusted CAs, usually the one that issued that user's own public-key certificate. Rather than having superior-to-subordinate relationships between CAs, the relationships are peer-to-peer, and CAs issue cross-certificates to each other. (Compare: hierarchical PKI, trust-file PKI.)

$ 网状PKI(I)一种非分层PKI体系结构,其中存在多个受信任的CA,而不是单个根。每个证书用户基于其中一个受信任CA的公钥进行路径验证,通常是颁发该用户自己的公钥证书的CA。CA之间没有上下级关系,而是对等关系,CA相互颁发交叉证书。(比较:分层PKI、信任文件PKI。)

$ Message Authentication Code (MAC), message authentication code 1. (N) /capitalized/ A specific ANSI standard for a checksum that is computed with a keyed hash that is based on DES. [A9009] Usage: a.k.a. Data Authentication Code, which is a U.S. Government standard. [FP113] (See: MAC.)

$ 消息身份验证码(MAC),消息身份验证码1。(N) /capitalized/使用基于DES的键控哈希计算校验和的特定ANSI标准。[A9009]用法:又称数据认证码,是美国政府标准。[FP113](见:MAC.)

2. (D) /not capitalized/ Synonym for "error detection code".

2. (D) /未大写/是“错误检测代码”的同义词。

Deprecated Term: IDOCs SHOULD NOT use the uncapitalized form "message authentication code". Instead, use "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum", depending on what is meant. (See: authentication code.)

不推荐使用的术语:IDOCs不应使用未资本化的形式“消息身份验证代码”。相反,使用“校验和”、“错误检测代码”、“哈希”、“密钥哈希”、“消息身份验证代码”或“受保护校验和”,具体取决于其含义。(请参阅:身份验证代码。)

The uncapitalized form mixes concepts in a potentially misleading way. The word "message" is misleading because it implies that the mechanism is particularly suitable for or limited to electronic mail (see: Message Handling Systems). The word "authentication" is misleading because the mechanism primarily serves a data integrity function rather than an authentication function. The word "code" is misleading because it implies that either encoding or encryption is involved or that the term refers to computer software.

非资本主义形式以一种潜在误导的方式混合了概念。“消息”一词具有误导性,因为它意味着该机制特别适用于或仅限于电子邮件(见:消息处理系统)。“身份验证”一词具有误导性,因为该机制主要用于数据完整性功能,而不是身份验证功能。“代码”一词具有误导性,因为它意味着涉及编码或加密,或者该术语指的是计算机软件。

$ message digest (D) Synonym for "hash result". (See: cryptographic hash.)

$ 消息摘要(D)“哈希结果”的同义词。(请参阅:加密哈希。)

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "hash result"; this term unnecessarily duplicates the meaning of the other, more general term and mixes concepts in a potentially misleading way. The word "message" is misleading because it implies that the mechanism is particularly suitable for or limited to electronic mail (see: Message Handling Systems).

不推荐使用的术语:IDOCs不应将此术语用作“哈希结果”的同义词;这个术语不必要地重复了另一个更一般的术语的含义,并以潜在误导的方式混合了概念。“消息”一词具有误导性,因为它意味着该机制特别适用于或仅限于电子邮件(见:消息处理系统)。

$ message handling system (D) Synonym for the Internet electronic mail system.

$ 信息处理系统(D)是Internet电子邮件系统的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term, because it could be confused with Message Handling System. Instead, use "Internet electronic mail" or some other, more specific term.

不推荐使用的术语:IDOCs不应使用此术语,因为它可能与消息处理系统混淆。相反,使用“互联网电子邮件”或其他更具体的术语。

$ Message Handling System (O) An ITU-T system concept that encompasses the notion of electronic mail but defines more comprehensive OSI systems and services that enable users to exchange messages on a store-and-forward basis. (The ISO equivalent is "Message Oriented Text Interchange System".) (See: X.400.)

$ 信息处理系统(O)ITU-T系统概念,包括电子邮件的概念,但定义了更全面的OSI系统和服务,使用户能够在存储转发的基础上交换信息。(ISO等效物是“面向消息的文本交换系统”。(参见:X.400。)

$ message indicator 1. (D) /cryptographic function/ Synonym for "initialization value". (Compare: indicator.)

$ 信息指示器1。(D) /cryptographic function/是“初始化值”的同义词。(比较:指示器。)

2. (D) "Sequence of bits transmitted over a communications system for synchronizing cryptographic equipment." [C4009]

2. (D) “通过通信系统传输的用于同步加密设备的位序列。”[C4009]

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "initialization value"; the term mixes concepts in a potentially misleading way. The word "message" is misleading because it suggests that the mechanism is specific to electronic mail. (See: Message Handling System.)

不推荐使用的术语:IDOCs不应将此术语用作“初始化值”的同义词;该术语以一种潜在误导的方式混合了各种概念。“消息”一词具有误导性,因为它表明该机制是针对电子邮件的。(请参阅:消息处理系统。)

$ message integrity check $ message integrity code (MIC) (D) Synonyms for some form of "checksum".

$ 消息完整性检查$消息完整性代码(MIC)(D)是某种形式的“校验和”的同义词。

Deprecated Term: IDOCs SHOULD NOT use these terms for any form of checksum. Instead, use "checksum", "error detection code", "hash", "keyed hash", "Message Authentication Code", or "protected checksum", depending on what is meant.

不推荐使用的术语:IDOCs不应将这些术语用于任何形式的校验和。相反,使用“校验和”、“错误检测代码”、“哈希”、“密钥哈希”、“消息身份验证代码”或“受保护校验和”,具体取决于其含义。

These two terms mix concepts in potentially misleading ways. The word "message" is misleading because it suggests that the mechanism is particularly suitable for or limited to electronic mail. The word "integrity" is misleading because the checksum may be used to perform a data origin authentication function rather than an integrity function. The word "code" is misleading because it suggests either that encoding or encryption is involved or that the term refers to computer software.

这两个术语以潜在误导的方式混合了概念。“信息”一词具有误导性,因为它表明该机制特别适用于或仅限于电子邮件。“完整性”一词具有误导性,因为校验和可用于执行数据源身份验证功能,而不是完整性功能。“代码”一词具有误导性,因为它暗示可能涉及编码或加密,或者该术语指的是计算机软件。

$ Message Security Protocol (MSP) (N) A secure message handling protocol [SDNS7] for use with X.400 and Internet mail protocols. Developed by NSA's SDNS program and used in the U.S. DoD's Defense Message System.

$ 消息安全协议(MSP)(N)用于X.400和Internet邮件协议的安全消息处理协议[SDNS7]。由NSA的SDNS计划开发,并用于美国国防部的国防信息系统。

$ meta-data (I) Descriptive information about a data object; i.e., data about data, or data labels that describe other data. (See: security label. Compare: metadata)

$ 元数据(I)关于数据对象的描述性信息;i、 例如,关于数据的数据,或描述其他数据的数据标签。(请参阅:安全标签。比较:元数据)

Tutorial: Meta-data can serve various management purposes: - System management: File name, type, size, creation date. - Application management: Document title, version, author. - Usage management: Data categories, keywords, classifications.

教程:元数据可以用于各种管理目的:-系统管理:文件名、类型、大小、创建日期。-应用程序管理:文档标题、版本、作者。-使用管理:数据类别、关键字、分类。

Meta-data can be associated with a data object in two basic ways: - Explicitly: Be part of the data object (e.g., a header field of a data file or packet) or be linked to the object. - Implicitly: Be associated with the data object because of some other, explicit attribute of the object.

元数据可以通过两种基本方式与数据对象关联:-明确:成为数据对象的一部分(例如,数据文件或数据包的头字段)或链接到对象。-隐式:由于对象的某些其他显式属性而与数据对象关联。

$ metadata, Metadata(trademark), METADATA(trademark) (D) Proprietary variants of "meta-data". (See: SPAM(trademark).)

$ 元数据、元数据(商标)、元数据(商标)(D)“元数据”的专有变体。(请参阅:垃圾邮件(商标)。)

Deprecated Usage: IDOCs SHOULD NOT use these unhypenated forms; IDOCs SHOULD use only the uncapitalized, hyphenated "meta-data". The terms "Metadata" and "METADATA" are claimed as registered trademarks (numbers 1,409,260 and 2,185,504) owned by The Metadata Company, originally known as Metadata Information Partners, a company founded by Jack Myers. The status of "metadata" is unclear.

不推荐使用:idoc不应使用这些未键入的表单;IDOCs应该只使用未大写、连字符的“元数据”。术语“Metadata”和“Metadata”被称为元数据公司拥有的注册商标(编号1409260和2185504),该公司最初被称为Metadata Information Partners,是由Jack Myers创建的一家公司。“元数据”的状态不清楚。

$ MHS (N) See: message handling system.

$ MHS(N)见:信息处理系统。

$ MIC (D) See: message integrity code.

$ 话筒(D)见:信息完整性代码。

$ MIME (I) See: Multipurpose Internet Mail Extensions.

$ MIME(I)见:多用途互联网邮件扩展。

$ MIME Object Security Services (MOSS) (I) An Internet protocol [R1848] that applies end-to-end encryption and digital signature to MIME message content, using symmetric cryptography for encryption and asymmetric cryptography for key distribution and signature. MOSS is based on features and specifications of PEM. (See: S/MIME.)

$ MIME对象安全服务(MOSS)(I)一种互联网协议[R1848],对MIME消息内容应用端到端加密和数字签名,使用对称加密进行加密,使用非对称加密进行密钥分发和签名。MOSS基于PEM的特性和规格。(见:S/MIME)

$ Minimum Interoperability Specification for PKI Components (MISPC) (N) A technical description to provide a basis for interoperation between PKI components from different vendors; consists primarily of a profile of certificate and CRL extensions and a set of transactions for PKI operation. [SP15]

$ PKI组件最低互操作性规范(MISPC)(N)为不同供应商的PKI组件之间的互操作提供基础的技术说明;主要由证书和CRL扩展的配置文件以及用于PKI操作的一组事务组成。[SP15]

$ misappropriation (I) A type of threat action whereby an entity assumes unauthorized logical or physical control of a system resource. (See: usurpation.)

$ 盗用(I)一种威胁行为,实体借此对系统资源进行未经授权的逻辑或物理控制。(见:篡夺)

Usage: This type of threat action includes the following subtypes: - Theft of data: Unauthorized acquisition and use of data contained in a system. - Theft of service: Unauthorized use of a system service. - Theft of functionality: Unauthorized acquisition of actual hardware, firmware, or software of a system component.

用途:此类威胁行为包括以下子类型:-数据盗窃:未经授权获取和使用系统中包含的数据。-服务盗窃:未经授权使用系统服务。-功能盗窃:未经授权获取系统组件的实际硬件、固件或软件。

$ MISPC (N) See: Minimum Interoperability Specification for PKI Components.

$ MISPC(N)参见:PKI组件的最低互操作性规范。

$ MISSI (O) Multilevel Information System Security Initiative, an NSA program to encourage development of interoperable, modular products for constructing secure network information systems in support of a wide variety of U.S. Government missions. (See: MSP, SP3, SP4.)

$ MSI(O)多级信息系统安全倡议,是一项NSA计划,旨在鼓励开发可互操作的模块化产品,用于构建安全的网络信息系统,以支持各种美国政府任务。(见:MSP、SP3、SP4)

$ MISSI user (O) /MISSI/ A system entity that is the subject of one or more MISSI X.509 public-key certificates issued under a MISSI certification hierarchy. (See: personality.)

$ MSI用户(O)/MSI/一个系统实体,是根据MSI证书体系颁发的一个或多个MSI X.509公钥证书的主体。(见:个性。)

Tutorial: MISSI users include both end users and the authorities that issue certificates. A MISSI user is usually a person but may be a machine or other automated process. Machines that are required to operate nonstop may be issued their own certificates to avoid downtime needed to exchange the FORTEZZA cards of machine operators at shift changes.

教程:MSI用户包括最终用户和颁发证书的机构。MSI用户通常是个人,但也可能是机器或其他自动化流程。要求不间断运行的机器可以获得自己的证书,以避免换班时更换机器操作员的FORTEZZA卡所需的停机时间。

$ mission (I) A statement of a (relatively long-term) duty or (relatively short-term) task that is assigned to an organization or system, indicates the purpose and objectives of the duty or task, and may indicate the actions to be taken to achieve it.

$ 任务(I)分配给组织或系统的(相对长期的)职责或(相对短期的)任务的说明,表明职责或任务的目的和目标,并可能表明为实现该职责或任务而采取的行动。

$ mission critical (I) A condition of a system service or other system resource such that denial of access to, or lack of availability of, the resource would jeopardize a system user's ability to perform a primary mission function or would result in other serious consequences. (See: Critical. Compare: mission essential.)

$ 任务关键型(I)系统服务或其他系统资源的一种状况,即拒绝访问或缺乏资源的可用性将危及系统用户执行主要任务功能的能力或导致其他严重后果。(参见:关键。比较:任务关键。)

$ mission essential (O) /U.S. DoD/ Refers to materiel that is authorized and available to combat, combat support, combat service support, and combat readiness training forces to accomplish their assigned missions. [JP1] (Compare: mission critical.)

$ 任务基本要素(O)/美国国防部/指经授权并可用于作战、作战支援、作战勤务支援和战备训练部队完成其分配任务的装备。[JP1](比较:任务关键型。)

$ misuse 1. (I) The intentional use (by authorized users) of system resources for other than authorized purposes. Example: An authorized system administrator creates an unauthorized account for a friend. (See: misuse detection.)

$ 误用1。(一) (授权用户)出于授权目的以外的目的故意使用系统资源。示例:授权系统管理员为朋友创建未经授权的帐户。(请参阅:误用检测。)

2. (I) A type of threat action that causes a system component to perform a function or service that is detrimental to system security. (See: usurpation.)

2. (一) 导致系统组件执行对系统安全有害的功能或服务的一种威胁行为。(见:篡夺)

Usage: This type of threat action includes the following subtypes: - "Tampering": /misuse/ Deliberately altering a system's logic, data, or control information to cause the system to perform unauthorized functions or services. (See: corruption, main entry for "tampering".) - "Malicious logic": /misuse/ Any hardware, firmware, or software intentionally introduced into a system to perform or control execution of an unauthorized function or service. (See: corruption, incapacitation, main entry for "malicious logic", masquerade.) - "Violation of authorizations": Action by an entity that exceeds the entity's system privileges by executing an unauthorized function. (See: authorization.)

用法:此类威胁操作包括以下子类型:-“篡改”:/误用/故意更改系统的逻辑、数据或控制信息,以导致系统执行未经授权的功能或服务。(请参阅:损坏,“篡改”的主要条目)-“恶意逻辑”:/误用/故意引入系统以执行或控制未经授权的功能或服务的任何硬件、固件或软件。(请参阅:腐败、丧失能力、“恶意逻辑”的主要条目、伪装。)-“违反授权”:实体通过执行未经授权的功能而超出其系统权限的行为。(请参阅:授权。)

$ misuse detection (I) An intrusion detection method that is based on rules that specify system events, sequences of events, or observable properties of a system that are believed to be symptomatic of security incidents. (See: IDS, misuse. Compare: anomaly detection.)

$ 误用检测(I)一种基于规则的入侵检测方法,该规则指定系统事件、事件序列或被认为是安全事件征兆的系统的可观察属性。(请参阅:IDS,误用。比较:异常检测。)

$ MLS (I) See: multilevel secure

$ MLS(I)见:多级安全

$ mobile code 1a. (I) Software that originates from a remote server, is transmitted across a network, and is loaded onto and executed on a local client system without explicit initiation by the client's user and, in some cases, without that user's knowledge. (Compare: active content.)

$ 手机代码1a。(一) 源于远程服务器、通过网络传输、加载到本地客户端系统并在本地客户端系统上执行的软件,无需客户端用户明确启动,在某些情况下,用户不知道。(比较:活动内容。)

Tutorial: One form of mobile code is active content in a file that is transferred across a network.

教程:移动代码的一种形式是通过网络传输的文件中的活动内容。

1b. (O) /U.S. DoD/ "Software modules obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient." [JP1]

1b。(O) /U.S.DoD/“从远程系统获得的软件模块,通过网络传输,然后下载并在本地系统上执行,而无需接收方明确安装或执行。”[JP1]

2a. (O) /U.S. DoD/ Technology that enables the creation of executable information that can be delivered to an information system and directly executed on any hardware/software architecture that has an appropriate host execution environment.

2a。(O) /U.S.DoD/能够创建可执行信息的技术,这些信息可以传送到信息系统,并直接在具有适当主机执行环境的任何硬件/软件体系结构上执行。

2b. (O) "Programs (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics" [SP28]. (See: active content.)

2b。(O) “程序(如脚本、宏或其他可移植指令),可以原封不动地发送到异构平台集合,并以相同的语义执行”[SP28]。(请参见:活动内容。)

Tutorial: Mobile code might be malicious. Using techniques such as "code signing" and a "sandbox" can reduce the risks of receiving and executing mobile code.

教程:移动代码可能是恶意的。使用诸如“代码签名”和“沙箱”之类的技术可以降低接收和执行移动代码的风险。

$ mode $ mode of operation 1. (I) /cryptographic operation/ A technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream. (See: CBC, CCM, CMAC, CFB, CTR, ECB, OFB.)

$ 模式$操作模式1。(一) /cryptographic operation/一种用于增强加密算法效果或使算法适应应用的技术,例如对数据块序列或数据流应用分组密码。(参见:CBC、CCM、CMAC、CFB、CTR、ECB、OFB。)

2. (I) /system operation/ A type of security policy that states the range of classification levels of information that a system is permitted to handle and the range of clearances and authorizations of users who are permitted to access the system. (See: compartmented security mode, controlled security mode, dedicated security mode, multilevel security mode, partitioned security mode, system-high security mode. Compare: protection level.)

2. (一) /系统操作/一种安全策略,说明允许系统处理的信息分类级别范围以及允许访问系统的用户的许可和授权范围。(请参阅:分区安全模式、受控安全模式、专用安全模式、多级安全模式、分区安全模式、系统高安全模式。比较:保护级别。)

3. (I) /IKE/ IKE refers to its various types of ISAKMP-scripted exchanges of messages as "modes". Among these are the following: - "Main mode": One of IKE's two phase 1 modes. (See: ISAKMP.) - "Quick mode": IKE's only phase 2 mode. (See: ISAKMP.)

3. (一) /IKE/IKE将其各种类型的ISAKMP脚本消息交换称为“模式”。其中包括以下内容:-“主模式”:IKE的两种第一阶段模式之一。(参见:ISAKMP.-“快速模式”:IKE唯一的第二阶段模式。(见:ISAKMP)

$ model See: formal model, security model.

$ 模型见:形式模型、安全模型。

$ modulus (I) The defining constant in modular arithmetic, and usually a part of the public key in asymmetric cryptography that is based on modular arithmetic. (See: Diffie-Hellman-Merkle, RSA.)

$ 模(I)模运算中的定义常数,通常是基于模运算的非对称密码中公钥的一部分。(见:Diffie Hellman Merkle,RSA)

$ Mondex (O) A smartcard-based electronic money system that incorporates cryptography and can be used to make payments via the Internet. (See: IOTP.)

$ Mondex(O):一种基于智能卡的电子货币系统,采用加密技术,可用于通过互联网进行支付。(见:IOTP)

$ Morris Worm (I) A worm program that flooded the ARPANET in November 1988, causing problems for thousands of hosts. [R1135] (See: community risk, worm)

$ Morris Worm(I)1988年11月,一个蠕虫程序淹没了ARPANET,给成千上万的主机造成了问题。[R1135](参见:社区风险,worm)

$ MOSS (I) See: MIME Object Security Services.

$ MOSS(I)见:MIME对象安全服务。

$ MQV (N) A key-agreement protocol [Mene] that was proposed by A.J. Menezes, M. Qu, and S.A. Vanstone in 1995 and is based on the Diffie-Hellman-Merkle algorithm.

$ MQV(N)一种密钥协商协议[Mene],由A.J.Menezes、M.Qu和S.A.Vanstone于1995年提出,基于Diffie-Hellman-Merkle算法。

$ MSP (N) See: Message Security Protocol.

$ MSP(N)请参阅:消息安全协议。

$ multicast security See: secure multicast

$ 多播安全请参阅:安全多播

$ Multics (N) MULTiplexed Information and Computing Service, an MLS computer timesharing system designed and implemented during 1965-69 by a consortium including Massachusetts Institute of Technology, General Electric, and Bell Laboratories, and later offered commercially by Honeywell.

$ Multics(N)多路复用信息和计算服务,一种MLS计算机分时系统,由包括麻省理工学院、通用电气和贝尔实验室在内的一个财团在1965-69年间设计和实施,后来由霍尼韦尔商业提供。

Tutorial: Multics was one of the first large, general-purpose, operating systems to include security as a primary goal from the inception of the design and development and was rated in TCSEC Class B2. Its many innovative hardware and software security mechanisms (e.g., protection ring) were adopted by later systems.

教程:Multics是从设计和开发之初就将安全性作为首要目标的第一个大型通用操作系统之一,被评为TCSEC B2级。其许多创新的硬件和软件安全机制(如保护环)被后来的系统采用。

$ multilevel secure (MLS) (I) Describes an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security levels. (Examples: BLACKER, CANEWARE, KSOS, Multics, SCOMP.)

$ 多级安全(MLS)(I)描述了一种信息系统,该信息系统被信任包含不同安全级别的资源(尤其是存储的数据),并在这些资源之间保持分离。(示例:BLACKER、CANEWARE、KSO、Multics、SCOMP。)

Usage: Usually understood to mean that the system permits concurrent access by users who differ in their access authorizations, while denying users access to resources for which they lack authorization.

用法:通常理解为系统允许不同访问权限的用户并发访问,同时拒绝用户访问他们缺乏授权的资源。

$ multilevel security mode 1. (N) A mode of system operation wherein (a) two or more security levels of information are allowed to be to be handled concurrently within the same system when some users having access to the system have neither a security clearance nor need-to-know for some of the data handled by the system and (b) separation of the users and the classified material on the basis, respectively, of clearance and classification level are dependent on operating system control. (See: /system operation/ under "mode", need to know, protection level, security clearance. Compare: controlled mode.)

$ 多级安全模式1。(N) 一种系统操作模式,其中(A)当一些访问系统的用户既没有安全许可证,也不需要知道系统处理的某些数据时,允许在同一系统内同时处理两个或两个以上安全级别的信息,以及(b)用户和分类材料的分离分别基于清除和分类级别,取决于操作系统控制。(请参阅:/系统操作/在“模式”下,需要知道、保护级别、安全许可。比较:受控模式。)

Usage: Usually abbreviated as "multilevel mode". This term was defined in U.S. Government policy regarding system accreditation, but the term is also used outside the Government.

用法:通常缩写为“多级模式”。该术语在美国政府关于系统认证的政策中有定义,但该术语也在政府之外使用。

2. (O) A mode of system operation in which all three of the following statements are true: (a) Some authorized users do not have a security clearance for all the information handled in the system. (b) All authorized users have the proper security clearance and appropriate specific access approval for the information to which they have access. (c) All authorized users have a need-to-know only for information to which they have access. [C4009] (See: formal access approval, protection level.)

2. (O) 一种系统操作模式,其中以下三种陈述均为真:(A)某些授权用户没有系统中处理的所有信息的安全许可。(b) 所有授权用户都有适当的安全许可,并对其访问的信息有适当的特定访问批准。(c) 所有授权用户只需要知道他们可以访问的信息。[C4009](参见:正式访问批准,保护级别。)

$ Multipurpose Internet Mail Extensions (MIME) (I) An Internet protocol (RFC 2045) that enhances the basic format of Internet electronic mail messages (RFC 822) (a) to enable character sets other than U.S. ASCII to be used for textual headers and content and (b) to carry non-textual and multi-part content. (See: S/MIME.)

$ 多用途互联网邮件扩展(MIME)(I)一种互联网协议(RFC 2045),它增强了互联网电子邮件的基本格式(RFC 822)(a)以使除美国ASCII以外的字符集能够用于文本标题和内容,以及(b)承载非文本和多部分内容。(见:S/MIME)

$ mutual suspicion (I) The state that exists between two interacting system entities in which neither entity can trust the other to function correctly with regard to some security requirement.

$ 相互怀疑(I)存在于两个相互作用的系统实体之间的状态,其中任何一个实体都不能信任另一个实体在某些安全需求方面正常工作。

$ name (I) Synonym for "identifier".

$ 名称(I)“标识符”的同义词。

$ naming authority (O) /U.S. DoD/ An organizational entity responsible for assigning DNs and for assuring that each DN is meaningful and unique within its domain. [DoD9]

$ 命名机构(O)/美国国防部/负责分配域名并确保每个域名在其域内有意义且唯一的组织实体。[DoD9]

$ National Computer Security Center (NCSC) (O) A U.S. DoD organization, housed in NSA, that has responsibility for encouraging widespread availability of trusted systems throughout the U.S. Federal Government. It has established criteria for, and performed evaluations of, computer and network systems that have a TCB. (See: Rainbow Series, TCSEC.)

$ 国家计算机安全中心(NCSC)(O):美国国防部的一个组织,位于NSA内,负责鼓励在整个美国联邦政府中广泛使用受信任的系统。它为具有TCB的计算机和网络系统建立了标准,并对其进行了评估。(见:彩虹系列,TCSEC)

$ National Information Assurance Partnership (NIAP) (N) A joint initiative of NIST and NSA to enhance the quality of commercial products for information security and increase consumer confidence in those products through objective evaluation and testing methods.

$ 国家信息保障合作伙伴关系(NIAP)(N)NIST和NSA的一项联合倡议,旨在通过客观的评估和测试方法,提高信息安全商业产品的质量,并增强消费者对这些产品的信心。

Tutorial: NIAP is registered, through the U.S. DoD, as a National Performance Review Reinvention Laboratory. NIAP functions include the following: - Developing tests, test methods, and other tools that developers and testing laboratories may use to improve and evaluate security products. - Collaborating with industry and others on research and testing programs. - Using the Common Criteria to develop protection profiles and associated test sets for security products and systems. - Cooperating with the NIST National Voluntary Laboratory Accreditation Program to develop a program to accredit private-sector laboratories for the testing of information security products using the Common Criteria. - Working to establish a formal, international mutual recognition scheme for a Common Criteria-based evaluation.

教程:NIAP通过美国国防部注册为国家绩效评估再创新实验室。NIAP功能包括:-开发测试、测试方法以及开发人员和测试实验室可用于改进和评估安全产品的其他工具。-在研究和测试项目上与行业和其他方面合作。-使用通用标准为安全产品和系统开发保护配置文件和相关测试集。-与NIST国家自愿实验室认证计划合作,制定一项计划,对私营部门实验室进行认证,以使用通用标准测试信息安全产品。-致力于为基于共同标准的评估建立正式的国际互认方案。

$ National Institute of Standards and Technology (NIST) (N) A U.S. Department of Commerce organization that promotes U.S. economic growth by working with industry to develop and apply technology, measurements, and standards. Has primary U.S. Government responsibility for INFOSEC standards for sensitive unclassified information. (See: ANSI, DES, DSA, DSS, FIPS, NIAP, NSA.)

$ 国家标准与技术研究所(NIST)(N):美国商务部的一个组织,通过与行业合作开发和应用技术、测量和标准,促进美国经济增长。美国政府主要负责敏感非保密信息的信息安全标准。(参见:ANSI、DES、DSA、DSS、FIPS、NIAP、NSA。)

$ National Reliability and Interoperability Council (NRIC) (N) An advisory committee chartered by the U.S. Federal Communications Commission (FCC), with participation by network service providers and vendors, to provide recommendations to the FCC for assuring reliability, interoperability, robustness, and security of wireless, wireline, satellite, cable, and public data communication networks.

$ 国家可靠性和互操作性委员会(NRIC)(N):美国联邦通信委员会(FCC)特许成立的咨询委员会,由网络服务提供商和供应商参与,为FCC提供建议,以确保无线、有线、卫星的可靠性、互操作性、健壮性和安全性,电缆和公共数据通信网络。

$ national security (O) /U.S. Government/ The national defense or foreign relations of the United States of America.

$ 国家安全(O)/美国政府/美利坚合众国的国防或外交关系。

$ National Security Agency (NSA) (N) A U.S. DoD organization that has primary U.S. Government responsibility for INFOSEC standards for classified information and for sensitive unclassified information handled by national security systems. (See: FORTEZZA, KEA, MISSI, national security system, NIAP, NIST, SKIPJACK.)

$ 国家安全局(NSA)(N):美国国防部的一个组织,主要负责保密信息和国家安全系统处理的敏感非保密信息的信息安全标准。(见:FORTEZZA、KEA、MSI、国家安全系统、NIAP、NIST、SKIPJACK。)

$ national security information (O) /U.S. Government/ Information that has been determined, pursuant to Executive Order 12958 or any predecessor order, to require protection against unauthorized disclosure. [C4009]

$ 国家安全信息(O)/美国政府/根据12958号行政命令或任何先前命令确定需要保护以防止未经授权披露的信息。[C4009]

$ national security system (O) /U.S. Government/ Any Government-operated information system for which the function, operation, or use (a) involves intelligence activities; (b) involves cryptologic activities related to national security; (c) involves command and control of military forces; (d) involves equipment that is an integral part of a weapon or weapon system; or (e) is critical to the direct fulfillment of military or intelligence missions and does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). [Title 40 U.S.C. Section 1552, Information Technology Management Reform Act of 1996.] (See: type 2 product.)

$ 国家安全系统(O)/美国政府/功能、操作或使用(a)涉及情报活动的任何政府操作的信息系统;(b) 涉及涉及国家安全的密码学活动;(c) 涉及军事力量的指挥和控制;(d) 涉及作为武器或武器系统组成部分的设备;或(e)对于直接完成军事或情报任务至关重要,不包括用于日常行政和业务应用(包括工资、财务、后勤和人事管理应用)的系统。[标题40 U.S.C.第1552节,1996年信息技术管理改革法案](见:第2类产品。)

$ natural disaster (I) /threat action/ See: secondary definitions under "corruption" and "incapacitation".

$ 自然灾害(I)/威胁行动/见“腐败”和“丧失能力”下的二级定义。

$ NCSC (O) See: National Computer Security Center.

$ NCSC(O)见:国家计算机安全中心。

$ need to know, need-to-know (I) The necessity for access to, knowledge of, or possession of specific information required to carry out official duties.

$ 需要知道,需要知道(I)访问、了解或拥有执行公务所需的特定信息的必要性。

Usage: The compound "need-to-know" is commonly used as either an adjective or a noun.

用法:复合词“需要知道”通常用作形容词或名词。

Tutorial: The need-to-know criterion is used in security procedures that require a custodian of sensitive information, prior to disclosing the information to someone else, to establish that the intended recipient has proper authorization to access the information.

教程:需要知道标准用于安全程序中,该程序要求敏感信息的保管人在将信息披露给其他人之前,确定预期接收人拥有访问该信息的适当授权。

$ network (I) An information system comprised of a collection of interconnected nodes. (See: computer network.)

$ 网络(I)由互连节点集合组成的信息系统。(请参阅:计算机网络。)

$ Network Hardware Layer (I) See: Internet Protocol Suite.

$ 网络硬件层(I)见:互联网协议套件。

$ Network Interface Layer (I) See: Internet Protocol Suite.

$ 网络接口层(I)见:互联网协议套件。

$ Network Layer Security Protocol (NLSP). (N) An OSI protocol (IS0 11577) for end-to-end encryption services at the top of OSIRM Layer 3. NLSP is derived from SP3 but is more complex. (Compare: IPsec.)

$ 网络层安全协议(NLSP)。(N) OSIRM第3层顶部用于端到端加密服务的OSI协议(IS0 11577)。NLSP源于SP3,但更为复杂。(比较:IPsec。)

$ Network Substrate Layer (I) Synonym for "Network Hardware Layer".

$ 网络基板层(I)是“网络硬件层”的同义词。

$ network weaving (I) A penetration technique in which an intruder avoids detection and traceback by using multiple, linked, communication networks to access and attack a system. [C4009]

$ 网络编织(I)一种渗透技术,入侵者通过使用多个链接的通信网络访问和攻击系统来避免检测和回溯。[C4009]

$ NIAP (N) See: National Information Assurance Partnership.

$ NIAP(N)见:国家信息保障伙伴关系。

$ nibble (D) Half of a byte (i.e., usually, 4 bits).

$ 半字节(D)半字节(即,通常为4位)。

Deprecated Term: To avoid international misunderstanding, IDOCs SHOULD NOT use this term; instead, state the size of the block explicitly (e.g., "4-bit block"). (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:为避免国际误解,IDOC不应使用该术语;相反,请明确说明块的大小(例如,“4位块”)。(请参阅“绿皮书”下不推荐的用法。)

$ NIPRNET (O) The U.S. DoD's common-use Non-Classified Internet Protocol Router Network; the part of the Internet that is wholly controlled by the U.S. DoD and is used for official DoD business.

$ NIPRNET(O)美国国防部常用的非机密互联网协议路由器网络;互联网的一部分,完全由美国国防部控制,用于国防部的官方业务。

$ NIST (N) See: National Institute of Standards and Technology.

$ NIST(N)见:国家标准与技术研究所。

$ NLSP (N) See: Network Layer Security Protocol

$ NLSP(N)请参阅:网络层安全协议

$ no-lone zone (I) A room or other space or area to which no person may have unaccompanied access and that, when occupied, is required to be occupied by two or more appropriately authorized persons. [C4009] (See: dual control.)

$ 无单独区域(I)任何人不得单独进入的房间或其他空间或区域,且在被占用时,需要由两名或两名以上经适当授权的人员占用。[C4009](参见:双控。)

$ no-PIN ORA (NORA) (O) /MISSI/ An organizational RA that operates in a mode in which the ORA performs no card management functions and, therefore, does not require knowledge of either the SSO PIN or user PIN for an end user's FORTEZZA PC card.

$ 无PIN ORA(NORA)(O)/MSI/在ORA不执行卡管理功能的模式下运行的组织RA,因此不需要了解最终用户FORTEZZA PC卡的SSO PIN或用户PIN。

$ node (I) A collection of related subsystems located on one or more computer platforms at a single site. (See: site.)

$ 节点(I)位于单个站点的一个或多个计算机平台上的相关子系统的集合。(请参阅:网站。)

$ nonce (I) A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing liveness and thus detecting and protecting against replay attacks. (See: fresh.)

$ nonce(I)包含在协议交换的数据中的随机或非重复值,通常用于保证活动性,从而检测和防止重放攻击。(见:新鲜)

$ non-critical See: critical.

$ 非关键请参阅:关键。

$ non-repudiation service 1. (I) A security service that provide protection against false denial of involvement in an association (especially a communication association that transfers data). (See: repudiation, time stamp.)

$ 不可抵赖服务1。(一) 一种安全服务,用于防止关联(尤其是传输数据的通信关联)中的虚假拒绝。(请参阅:否认,时间戳。)

Tutorial: Two separate types of denial are possible -- an entity can deny that it sent a data object, or it can deny that it received a data object -- and, therefore, two separate types of non-repudiation service are possible. (See: non-repudiation with proof of origin, non-repudiation with proof of receipt.)

教程:两种不同类型的拒绝是可能的——实体可以拒绝发送数据对象,也可以拒绝接收数据对象——因此,两种不同类型的不可否认服务是可能的。(见:不可抵赖原产地证明、不可抵赖收据证明。)

2. (D) "Assurance [that] the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data." [C4009]

2. (D) “保证[确保]向数据发送方提供了交付证明,并向接收方提供了发送方身份证明,因此双方都不能否认已处理数据。”[C4009]

Deprecated Definition: IDOCs SHOULD NOT use definition 2 because it bundles two security services -- non-repudiation with proof of origin, and non-repudiation with proof of receipt -- that can be provided independently of each other.

不推荐使用的定义:IDOCs不应该使用定义2,因为它捆绑了两个安全服务——不可否认性和原产地证明,以及不可否认性和收据证明——它们可以彼此独立提供。

Usage: IDOCs SHOULD distinguish between the technical aspects and the legal aspects of a non-repudiation service: - "Technical non-repudiation": Refers to the assurance a relying party has that if a public key is used to validate a digital signature, then that signature had to have been made by the corresponding private signature key. [SP32] - "Legal non-repudiation": Refers to how well possession or control of the private signature key can be established. [SP32]

用法:IDOC应区分不可否认服务的技术方面和法律方面:-“技术不可否认”:指依赖方保证,如果使用公钥验证数字签名,则该签名必须由相应的私人签名密钥进行。[SP32]-“法律不可否认”:指私人签名密钥的拥有或控制程度。[SP32]

Tutorial: Non-repudiation service does not prevent an entity from repudiating a communication. Instead, the service provides evidence that can be stored and later presented to a third party to resolve disputes that arise if and when a communication is repudiated by one of the entities involved.

教程:不可否认服务不会阻止实体拒绝通信。相反,该服务提供的证据可以存储并随后提交给第三方,以解决在通信被其中一个相关实体拒绝时出现的争议。

Ford describes the six phases of a complete non-repudiation service and uses "critical action" to refer to the act of communication that is the subject of the service [For94, For97]:

福特描述了完整的不可否认服务的六个阶段,并使用“关键行动”来指作为服务主题的沟通行为[For94,For97]:

      --------   --------   --------   --------   --------   . --------
      Phase 1:   Phase 2:   Phase 3:   Phase 4:   Phase 5:   . Phase 6:
      Request    Generate   Transfer   Verify     Retain     . Resolve
      Service    Evidence   Evidence   Evidence   Evidence   . Dispute
      --------   --------   --------   --------   --------   . --------
        
      --------   --------   --------   --------   --------   . --------
      Phase 1:   Phase 2:   Phase 3:   Phase 4:   Phase 5:   . Phase 6:
      Request    Generate   Transfer   Verify     Retain     . Resolve
      Service    Evidence   Evidence   Evidence   Evidence   . Dispute
      --------   --------   --------   --------   --------   . --------
        
      Service    Critical   Evidence   Evidence   Archive    . Evidence
      Request => Action  => Stored  => Is      => Evidence   . Is
      Is Made    Occurs     For Later  Tested     In Case    . Verified
                 and        Use |          ^      Critical   .    ^
                 Evidence       v          |      Action Is  .    |
                 Is         +-------------------+ Repudiated .    |
                 Generated  |Verifiable Evidence|------> ... . ----+
                            +-------------------+
        
      Service    Critical   Evidence   Evidence   Archive    . Evidence
      Request => Action  => Stored  => Is      => Evidence   . Is
      Is Made    Occurs     For Later  Tested     In Case    . Verified
                 and        Use |          ^      Critical   .    ^
                 Evidence       v          |      Action Is  .    |
                 Is         +-------------------+ Repudiated .    |
                 Generated  |Verifiable Evidence|------> ... . ----+
                            +-------------------+
        
      Phase / Explanation
      -------------------
      1. Request service: Before the critical action, the service
         requester asks, either implicitly or explicitly, to have
         evidence of the action be generated.
      2. Generate evidence: When the critical action occurs, evidence is
         generated by a process involving the potential repudiator and
         possibly also a trusted third party.
      3. Transfer evidence: The evidence is transferred to the requester
         or stored by a third party, for later use (if needed).
      4. Verify evidence: The entity that holds the evidence tests it to
         be sure that it will suffice if a dispute arises.
      5. Retain evidence: The evidence is retained for possible future
         retrieval and use.
      6. Resolve dispute: In this phase, which occurs only if the
         critical action is repudiated, the evidence is retrieved from
         storage, presented, and verified to resolve the dispute.
        
      Phase / Explanation
      -------------------
      1. Request service: Before the critical action, the service
         requester asks, either implicitly or explicitly, to have
         evidence of the action be generated.
      2. Generate evidence: When the critical action occurs, evidence is
         generated by a process involving the potential repudiator and
         possibly also a trusted third party.
      3. Transfer evidence: The evidence is transferred to the requester
         or stored by a third party, for later use (if needed).
      4. Verify evidence: The entity that holds the evidence tests it to
         be sure that it will suffice if a dispute arises.
      5. Retain evidence: The evidence is retained for possible future
         retrieval and use.
      6. Resolve dispute: In this phase, which occurs only if the
         critical action is repudiated, the evidence is retrieved from
         storage, presented, and verified to resolve the dispute.
        

$ non-repudiation with proof of origin (I) A security service that provides the recipient of data with evidence that proves the origin of the data, and thus protects the recipient against an attempt by the originator to falsely deny sending the data. (See: non-repudiation service.)

$ 来源证明不可抵赖性(I)向数据接收方提供证据证明数据来源的安全服务,从而保护接收方免受发端人错误拒绝发送数据的企图。(请参阅:不可抵赖服务。)

Tutorial: This service is a strong version of data origin authentication service. This service can not only verify the identity of a system entity that is the original source of received data; it can also provide proof of that identity to a third party.

教程:此服务是数据源身份验证服务的强大版本。该服务不仅可以验证作为接收数据原始源的系统实体的身份;它还可以向第三方提供身份证明。

$ non-repudiation with proof of receipt (I) A security service that provides the originator of data with evidence that proves the data was received as addressed, and thus protects the originator against an attempt by the recipient to falsely deny receiving the data. (See: non-repudiation service.)

$ 具有接收证明的不可否认性(I)向数据发端人提供证据证明数据已按地址接收的安全服务,从而保护发端人免受接收人错误拒绝接收数据的企图。(请参阅:不可抵赖服务。)

$ non-volatile media (I) Storage media that, once written into, provide stable storage of information without an external power supply. (Compare: permanent storage, volatile media.)

$ 非易失性介质(I)一种存储介质,一旦写入,无需外部电源即可提供稳定的信息存储。(比较:永久存储、易失性介质。)

$ NORA (O) See: no-PIN ORA.

$ 诺拉(O)见:没有针。

$ notarization (I) Registration of data under the authority or in the care of a trusted third party, thus making it possible to provide subsequent assurance of the accuracy of characteristics claimed for the data, such as content, origin, time of existence, and delivery. [I7498-2] (See: digital notary.)

$ 公证(I)在管理局或受信任的第三方的照管下对数据进行登记,从而能够对数据的内容、来源、存在时间和交付等特征的准确性提供后续保证。[I7498-2](见:数字公证)

$ NRIC (N) See: Network Reliability and Interoperability Council.

$ NRIC(N)见:网络可靠性和互操作性委员会。

$ NSA (N) See: National Security Agency

$ NSA(N)见:国家安全局

$ null (N) /encryption/ "Dummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes." [C4009]

$ null(N)/encryption/“插入加密消息中的虚拟字母、字母符号或代码组,用于延迟或阻止其解密,或出于传输或传输安全目的完成加密组。”[C4009]

$ NULL encryption algorithm (I) An algorithm [R2410] that is specified as doing nothing to transform plaintext data; i.e., a no-op. It originated because ESP always specifies the use of an encryption algorithm for confidentiality. The NULL encryption algorithm is a convenient way to represent the option of not applying encryption in ESP (or in any other context where a no-op is needed). (Compare: null.)

$ 空加密算法(I)指定为不转换明文数据的算法[R2410];i、 例如,一个no-op。它起源于ESP,因为ESP总是指定使用加密算法来保密。空加密算法是表示不在ESP(或需要no op的任何其他上下文)中应用加密选项的一种方便方法。(比较:空。)

$ OAKLEY (I) A key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman-Merkle algorithm and designed to be a compatible component of ISAKMP. [R2412]

$ OAKLEY(I)一种基于Diffie-Hellman-Merkle算法的密钥建立协议(为IPsec提出,但被IKE取代),设计为ISAKMP的兼容组件。[R2412]

Tutorial: OAKLEY establishes a shared key with an assigned identifier and associated authenticated identities for parties;

教程:OAKLEY为各方建立一个带有指定标识符和相关认证标识的共享密钥;

i.e., OAKLEY provides authentication service to ensure the entities of each other's identity, even if the Diffie-Hellman-Merkle exchange is threatened by active wiretapping. Also, it provides public-key forward secrecy for the shared key and supports key updates, incorporation of keys distributed by out-of-band mechanisms, and user-defined abstract group structures for use with Diffie-Hellman-Merkle.

i、 例如,即使Diffie-Hellman-Merkle交换受到主动窃听的威胁,OAKLEY也提供身份验证服务,以确保实体之间相互的身份。此外,它还为共享密钥提供公钥前向保密,并支持密钥更新、通过带外机制分发的密钥合并,以及用于Diffie-Hellman-Merkle的用户定义的抽象组结构。

$ object (I) /formal model/ Trusted-system modeling usage: A system component that contains or receives information. (See: Bell-LaPadula model, object reuse, trusted system.)

$ 对象(I)/正式模型/可信系统建模用法:包含或接收信息的系统组件。(请参阅:Bell-LaPadula模型、对象重用、可信系统。)

$ object identifier (OID) 1. (N) An official, globally unique name for a thing, written as a sequence of integers (which are formed and assigned as defined in the ASN.1 standard) and used to reference the thing in abstract specifications and during negotiation of security services in a protocol.

$ 对象标识符(OID)1。(N) 事物的官方、全局唯一的名称,以整数序列(按照ASN.1标准的定义形成和分配)的形式编写,用于在抽象规范和协议中的安全服务协商期间引用该事物。

2. (O) "A value (distinguishable from all other such values) [that] is associated with an object." [X680]

2. (O) “与对象相关联的值(可与所有其他此类值区分)。[X680]

Tutorial: Objects named by OIDs are leaves of the object identifier tree (which is similar to but different from the X.500 Directory Information Tree). Each arc (i.e., each branch of the tree) is labeled with a non-negative integer. An OID is the sequence of integers on the path leading from the root of the tree to a named object.

教程:由OID命名的对象是对象标识符树的叶子(与X.500目录信息树类似但不同)。每个弧(即树的每个分支)都标有一个非负整数。OID是从树的根指向命名对象的路径上的整数序列。

The OID tree has three arcs immediately below the root: {0} for use by ITU-T, {1} for use by ISO, and {2} for use by both jointly. Below ITU-T are four arcs, where {0 0} is for ITU-T recommendations. Below {0 0} are 26 arcs, one for each series of recommendations starting with the letters A to Z, and below these are arcs for each recommendation. Thus, the OID for ITU-T Recommendation X.509 is {0 0 24 509}. Below ISO are four arcs, where {1 0 }is for ISO standards, and below these are arcs for each ISO standard. Thus, the OID for ISO/IEC 9594-8 (the ISO number for X.509) is {1 0 9594 8}.

OID树在根的正下方有三个弧:{0}供ITU-T使用,{1}供ISO使用,{2}供两者联合使用。ITU-T下面是四个ARC,其中{0}表示ITU-T建议。在{0}下面是26个弧,每一个弧代表以字母A到Z开头的一系列建议,在这些弧下面是每一个建议的弧。因此,ITU-T建议X.509的OID为{0 24 509}。ISO下面是四个弧,其中{10}表示ISO标准,这些弧下面是每个ISO标准的弧。因此,ISO/IEC 9594-8(X.509的ISO编号)的OID为{1 0 9594 8}。

ANSI registers organization names below the branch {joint-iso-ccitt(2) country(16) US(840) organization(1) gov(101) csor(3)}. The NIST CSOR records PKI objects below the branch {joint-iso-itu-t(2) country(16) us(840) organization (1) gov(101) csor(3)}. The U.S. DoD registers INFOSEC objects below the branch {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1)}.

ANSI在分支机构{联合iso ccitt(2)国家(16)美国(840)组织(1)政府(101)csor(3)}下登记组织名称。NIST CSOR在分支机构{joint-iso-itu-t(2)国家(16)美国(840)组织(1)政府(101)CSOR(3)下方记录PKI对象。美国国防部在分支机构{joint-iso-itu-t(2)country(16)us(840)organization(1)gov(101)DoD(2)INFOSEC(1)}下注册INFOSEC对象。

      The IETF's Public-Key Infrastructure (pkix) Working Group
      registers PKI objects below the branch {iso(1) identified-
      organization(3) dod(6) internet(1) security(5) mechanisms(5)
      pkix(7)}. [R3280]
        
      The IETF's Public-Key Infrastructure (pkix) Working Group
      registers PKI objects below the branch {iso(1) identified-
      organization(3) dod(6) internet(1) security(5) mechanisms(5)
      pkix(7)}. [R3280]
        

$ object reuse (N) /COMPUSEC/ Reassignment and reuse of an area of a storage medium (e.g., random-access memory, floppy disk, magnetic tape) that once contained sensitive data objects. Before being reassigned for use by a new subject, the area needs to be erased or, in some cases, purged. [NCS04] (See: object.)

$ 对象重用(N)/COMPUSEC/重新分配和重用存储介质中曾经包含敏感数据对象的区域(例如,随机存取存储器、软盘、磁带)。在重新分配给新主题使用之前,需要擦除该区域,或者在某些情况下清除该区域。[NCS04](请参见:对象。)

$ obstruction (I) A type of threat action that interrupts delivery of system services by hindering system operations. (See: disruption.)

$ 阻碍(I)通过阻碍系统运行而中断系统服务交付的一种威胁行为。(见:中断。)

Tutorial: This type of threat action includes the following subtypes: - "Interference": Disruption of system operations by blocking communication of user data or control information. (See: jamming.) - "Overload": Hindrance of system operation by placing excess burden on the performance capabilities of a system component. (See: flooding.)

教程:此类威胁操作包括以下子类型:-“干扰”:通过阻止用户数据或控制信息的通信而中断系统操作。(参见:干扰)-“过载”:通过给系统组件的性能能力增加额外负担而阻碍系统运行。(见:洪水)

$ OCSP (I) See: Online Certificate Status Protocol.

$ OCSP(I)参见:在线证书状态协议。

$ octet (I) A data unit of eight bits. (Compare: byte.)

$ 八位字节(I)八位的数据单元。(比较:字节。)

Usage: This term is used in networking (especially in OSI standards) in preference to "byte", because some systems use "byte" for data storage units of a size other than eight bits.

用法:在网络中(特别是在OSI标准中)优先使用“字节”,因为有些系统使用“字节”作为大小不同于8位的数据存储单元。

$ OFB (N) See: output feedback.

$ OFB(N)参见:输出反馈。

$ off-line attack (I) See: secondary definition under "attack".

$ 离线攻击(I)见“攻击”下的二级定义。

$ ohnosecond (D) That minuscule fraction of time in which you realize that your private key has been compromised.

$ ohnosecond(D)您意识到您的私钥已被泄露的时间的极小部分。

Deprecated Usage: IDOCs SHOULD NOT use this term; it is a joke for English speakers. (See: Deprecated Usage under "Green Book".)

不推荐使用:IDOCs不应使用此术语;这对说英语的人来说是个笑话。(请参阅“绿皮书”下不推荐的用法。)

$ OID (N) See: object identifier.

$ OID(N)请参阅:对象标识符。

$ Online Certificate Status Protocol (OCSP) (I) An Internet protocol [R2560] used by a client to obtain from a server the validity status and other information about a digital certificate. (Mentioned in [X509] but not specified there.)

$ 在线证书状态协议(OCSP)(I)一种互联网协议[R2560],客户端使用该协议从服务器获取数字证书的有效性状态和其他信息。(在[X509]中提到,但未在此处指定。)

Tutorial: In some applications, such as those involving high-value commercial transactions, it may be necessary either (a) to obtain certificate revocation status that is timelier than is possible with CRLs or (b) to obtain other kinds of status information. OCSP may be used to determine the current revocation status of a digital certificate, in lieu of or as a supplement to checking against a periodic CRL. An OCSP client issues a status request to an OCSP server and suspends acceptance of the certificate in question until the server provides a response.

教程:在某些应用程序中,例如涉及高价值商业交易的应用程序中,可能需要(a)获取比CRL更及时的证书吊销状态,或者(b)获取其他类型的状态信息。OCSP可用于确定数字证书的当前吊销状态,以代替或作为定期CRL检查的补充。OCSP客户端向OCSP服务器发出状态请求,并暂停接受相关证书,直到服务器提供响应。

$ one-time pad 1. (N) A manual encryption system in the form of a paper pad for one-time use.

$ 一次性垫1。(N) 一种一次性使用的纸垫形式的手动加密系统。

2. (I) An encryption algorithm in which the key is a random sequence of symbols and each symbol is used for encryption only one time -- i.e., used to encrypt only one plaintext symbol and thus produce only one ciphertext symbol -- and a copy of the key is used similarly for decryption.

2. (一) 一种加密算法,其中密钥是一个随机符号序列,每个符号只用于加密一次,即只用于加密一个明文符号,因此只产生一个密文符号,密钥副本同样用于解密。

Tutorial: To ensure one-time use, the copy of the key used for encryption is destroyed after use, as is the copy used for decryption. This is the only encryption algorithm that is truly unbreakable, even given unlimited resources for cryptanalysis [Schn], but key management costs and synchronization problems make it impractical except in special situations.

教程:为了确保一次性使用,用于加密的密钥副本在使用后会被销毁,用于解密的密钥副本也是如此。这是唯一一种真正牢不可破的加密算法,即使密码分析[Schn]资源无限,但密钥管理成本和同步问题使其无法实现,除非在特殊情况下。

$ one-time password, One-Time Password (OTP) 1. (I) /not capitalized/ A "one-time password" is a simple authentication technique in which each password is used only once as authentication information that verifies an identity. This technique counters the threat of a replay attack that uses passwords captured by wiretapping.

$ 一次性密码,一次性密码(OTP)1。(一) /not capitalized/A“一次性密码”是一种简单的身份验证技术,其中每个密码仅作为验证身份的身份验证信息使用一次。这项技术可以对抗重放攻击的威胁,重放攻击使用通过窃听捕获的密码。

2. (I) /capitalized/ "One-Time Password" is an Internet protocol [R2289] that is based on S/KEY and uses a cryptographic hash function to generate one-time passwords for use as authentication information in system login and in other processes that need protection against replay attacks.

2. (一) /capitaled/“一次性密码”是一种基于S/KEY的互联网协议[R2289],使用加密哈希函数生成一次性密码,作为系统登录和其他需要防止重播攻击的过程中的身份验证信息。

$ one-way encryption (I) Irreversible transformation of plain text to cipher text, such that the plain text cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known. (See: brute force, encryption.)

$ 单向加密(I)将纯文本不可逆地转换为密码文本,这样,即使密码密钥已知,也无法通过非穷举过程从密码文本中恢复纯文本。(请参阅:暴力、加密。)

$ one-way function (I) "A (mathematical) function, f, [that] is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult." [X509]

$ 单向函数(I)“一个(数学)函数,f,[它]易于计算,但对于范围内的一般值y,在计算上很难在域中找到值x,使得f(x)=y。可能有一些y值在计算上不难找到x。”[X509]

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "cryptographic hash".

不推荐使用:IDOCs不应将此术语用作“加密哈希”的同义词。

$ onion routing (I) A system that can be used to provide both (a) data confidentiality and (b) traffic-flow confidentiality for network packets, and also provide (c) anonymity for the source of the packets.

$ 洋葱路由(I)一种系统,可用于为网络数据包提供(A)数据机密性和(b)流量机密性,并为数据包源提供(c)匿名性。

Tutorial: The source, instead of sending a packet directly to the intended destination, sends it to an "onion routing proxy" that builds an anonymous connection through several other "onion routers" to the destination. The proxy defines a route through the "onion routing network" by encapsulating the original payload in a layered data packet called an "onion", in which each layer defines the next hop in the route and each layer is also encrypted. Along the route, each onion router that receives the onion peels off one layer; decrypts that layer and reads from it the address of the next onion router on the route; pads the remaining onion to some constant size; and sends the padded onion to that next router.

教程:源不是直接将数据包发送到目标,而是将其发送到“洋葱路由代理”,该代理通过其他几个“洋葱路由器”建立匿名连接到目标。代理通过将原始有效负载封装在称为“洋葱”的分层数据包中来定义通过“洋葱路由网络”的路由,其中每一层定义路由中的下一跳,并且每一层也被加密。沿着这条路线,每个接收洋葱的洋葱路由器都会剥离一层;解密该层并从中读取路由上下一个洋葱路由器的地址;把剩下的洋葱垫成一定的大小;然后把填好的洋葱送到下一个路由器。

$ open security environment (O) /U.S. DoD/ A system environment that meets at least one of the following two conditions: (a) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control does not provide sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications. [NCS04] (See: "first law" under "Courtney's laws". Compare: closed security environment.)

$ 开放式安全环境(O)/美国国防部/A系统环境至少满足以下两个条件之一:(A)应用程序开发人员(包括维护人员)没有足够的许可或授权,无法提供一个可接受的假设,即他们没有引入恶意逻辑。(b) 配置控制不能充分保证应用程序和设备在系统应用程序运行之前和运行期间不被引入恶意逻辑。[NCS04](参见“考特尼定律”下的“第一定律”。比较:封闭安全环境。)

$ open storage (N) /U.S. Government/ "Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel." [C4009]

$ 开放式存储(N)/美国政府/“当授权人员未占用设施时,在经认证的设施内存储机密信息,但不在总务管理局批准的安全容器内。”[C4009]

$ Open Systems Interconnection (OSI) Reference Model (OSIRM) (N) A joint ISO/ITU-T standard [I7498-1] for a seven-layer, architectural communication framework for interconnection of computers in networks. (See: OSIRM Security Architecture. Compare: Internet Protocol Suite.)

$ 开放系统互连(OSI)参考模型(OSIRM)(N)一种用于网络中计算机互连的七层体系结构通信框架的联合ISO/ITU-T标准[I7498-1]。(请参阅:OSIRM安全体系结构。比较:Internet协议套件。)

Tutorial: OSIRM-based standards include communication protocols that are mostly incompatible with the IPS, but also include security models, such as X.509, that are used in the Internet.

教程:基于OSIRM的标准包括大多数与IPS不兼容的通信协议,但也包括Internet中使用的安全模型,如X.509。

The OSIRM layers, from highest to lowest, are (7) Application, (6) Presentation, (5) Session, (4) Transport, (3) Network, (2) Data Link, and (1) Physical.

OSIRM层从高到低依次为(7)应用程序层、(6)表示层、(5)会话层、(4)传输层、(3)网络层、(2)数据链路层和(1)物理层。

Usage: This Glossary refers to OSIRM layers by number to avoid confusing them with IPS layers, which are referred to by name.

用法:本术语表按编号引用OSIRM层,以避免将它们与按名称引用的IPS层混淆。

Some unknown person described how the OSIRM layers correspond to the seven deadly sins:

一些不知名人士描述了OSIRM层如何对应七宗罪:

7. Wrath: Application is always angry with the mess it sees below itself. (Hey! Who is it to be pointing fingers?) 6. Sloth: Presentation is too lazy to do anything productive by itself. 5. Lust: Session is always craving and demanding what truly belongs to Application's functionality. 4. Avarice: Transport wants all of the end-to-end functionality. (Of course, it deserves it, but life isn't fair.) 3. Gluttony: (Connection-Oriented) Network is overweight and overbearing after trying too often to eat Transport's lunch. 2. Envy: Poor Data Link is always starved for attention. (With Asynchronous Transfer Mode, maybe now it is feeling less neglected.) 1. Pride: Physical has managed to avoid much of the controversy, and nearly all of the embarrassment, suffered by the others.

7. 愤怒:应用程序总是对自己下面的混乱感到愤怒。(嘿!是谁在指指点点?)。懒散:演讲太懒散了,不能自己做任何有成效的事情。5.欲望:会话总是渴望和要求真正属于应用程序功能的东西。4.贪婪:传输需要所有的端到端功能。(当然,这是值得的,但生活是不公平的。)。贪食:(以连接为导向)在尝试过多地吃运输公司的午餐后,网络超重且专横。2.嫉妒:糟糕的数据链接总是渴望得到关注。(对于异步传输模式,现在可能感觉不那么被忽视了。)1。骄傲:Physical成功地避免了其他人所遭受的大部分争议和几乎所有的尴尬。

John G. Fletcher described how the OSIRM layers correspond to Snow White's dwarf friends:

约翰·G·弗莱彻描述了OSIRM层如何与白雪公主的矮人朋友对应:

7. Doc: Application acts as if it is in charge, but sometimes muddles its syntax.

7. Doc:应用程序的行为就像是由它负责,但有时会弄乱它的语法。

6. Sleepy: Presentation is indolent, being guilty of the sin of Sloth. 5. Dopey: Session is confused because its charter is not very clear. 4. Grumpy: Transport is irritated because Network has encroached on Transport's turf. 3. Happy: Network smiles for the same reason that Transport is irritated. 2. Sneezy: Data Link makes loud noises in the hope of attracting attention. 1. Bashful: Physical quietly does its work, unnoticed by the others.

6. 昏昏欲睡:表现懒惰,犯了懒惰的罪。5.多皮:会议很混乱,因为它的章程不是很清楚。4.脾气暴躁:交通部很恼火,因为网络侵占了交通部的地盘。3.快乐:网络微笑的原因与交通部恼怒的原因相同。2.喷嚏:数据链发出很大的噪音,希望引起注意。1.害羞:身体安静地做它的工作,没有被其他人注意到。

$ operational integrity (I) Synonym for "system integrity"; this synonym emphasizes the actual performance of system functions rather than just the ability to perform them.

$ 操作完整性(I)“系统完整性”的同义词;这个同义词强调系统功能的实际性能,而不仅仅是执行它们的能力。

$ operational security 1. (I) System capabilities, or performance of system functions, that are needed either (a) to securely manage a system or (b) to manage security features of a system. (Compare: operations security (OPSEC).)

$ 业务安全1。(一) (a)安全管理系统或(b)管理系统安全功能所需的系统功能或系统功能性能。(比较:操作安全性(OPSEC)。)

Usage: IDOCs that use this term SHOULD state a definition because (a) the definition provided here is general and vague and (b) the term could easily be confused with "operations security", which is a different concept.

用法:使用该术语的IDOC应说明定义,因为(a)此处提供的定义是一般性的和模糊的,(b)该术语很容易与“操作安全性”混淆,后者是一个不同的概念。

Tutorial: For example, in the context of an Internet service provider, the term could refer to capabilities to manage network devices in the event of attacks, simplify troubleshooting, keep track of events that affect system integrity, help analyze sources of attacks, and provide administrators with control over network addresses and protocols to help mitigate the most common attacks and exploits. [R3871]

教程:例如,在互联网服务提供商的上下文中,该术语可以指在发生攻击时管理网络设备、简化故障排除、跟踪影响系统完整性的事件、帮助分析攻击源、以及,并为管理员提供对网络地址和协议的控制,以帮助减轻最常见的攻击和利用。[R3871]

2. (D) Synonym for "administrative security".

2. (D) “管理安全”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "administrative security". Any type of security may affect system operations; therefore, the term may be misleading. Instead, use "administrative security", "communication security", "computer security", "emanations security", "personnel security", "physical security", or whatever specific type is meant. (See: security architecture. Compare: operational integrity, OPSEC.)

不推荐使用的定义:IDOCs不应将此术语用作“管理安全性”的同义词。任何类型的安全都可能影响系统运行;因此,该术语可能具有误导性。相反,请使用“管理安全”、“通信安全”、“计算机安全”、“辐射安全”、“人员安全”、“物理安全”或任何特定类型。(请参阅:安全体系结构。比较:操作完整性,OPSEC。)

$ operations security (OPSEC) (I) A process to identify, control, and protect evidence of the planning and execution of sensitive activities and operations, and thereby prevent potential adversaries from gaining knowledge of capabilities and intentions. (See: communications cover. Compare: operational security.)

$ 作战安全(OPSEC)(I)识别、控制和保护敏感活动和作战的规划和执行证据的过程,从而防止潜在对手了解能力和意图。(参见:通信覆盖。比较:运营安全。)

$ operator (I) A person who has been authorized to direct selected functions of a system. (Compare: manager, user.)

$ 操作员(I)被授权指导系统选定功能的人员。(比较:经理、用户。)

Usage: IDOCs that use this term SHOULD state a definition for it because a system operator may or may not be treated as a "user".

用法:使用此术语的IDoc应说明其定义,因为系统操作员可能被视为也可能不被视为“用户”。

$ OPSEC 1. (I) Abbreviation for "operations security".

$ 执行部分第1节。(一) “操作安全”的缩写。

2. (D) Abbreviation for "operational security".

2. (D) “操作安全”的缩写。

Deprecated Usage: IDOCs SHOULD NOT use this abbreviation for "operational security" (as defined in this Glossary), because its use for "operations security" has been well established for many years, particular in the military community.

不推荐使用:IDOCs不应使用“作战安全”的缩写(定义见本术语表),因为其用于“作战安全”已有多年的历史,特别是在军事领域。

$ ORA See: organizational registration authority.

$ ORA见:组织注册机构。

$ Orange Book (D) /slang/ Synonym for "Trusted Computer System Evaluation Criteria" [CSC1, DoD1].

$ 橙皮书(D)/俚语/同义词“可信计算机系统评估标准”[CSC1,DoD1]。

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "Trusted Computer System Evaluation Criteria" [CSC1, DoD1]. Instead, use the full, proper name of the document or, in subsequent references, the abbreviation "TCSEC". (See: Deprecated Usage under "Green Book".)

不推荐使用:IDOCs不应将此术语用作“可信计算机系统评估标准”的同义词[CSC1,DoD1]。取而代之的是,使用文件的全称或在后续参考文献中使用缩写“TCSEC”。(请参阅“绿皮书”下不推荐的用法。)

$ organizational certificate 1. (I) An X.509 public-key certificate in which the "subject" field contains the name of an institution or set (e.g., a business, government, school, labor union, club, ethnic group, nationality, system, or group of individuals playing the same role), rather than the name of an individual person or device. (Compare: persona certificate, role certificate.)

$ 组织证书1。(一) 一种X.509公钥证书,其中“主题”字段包含机构或集合的名称(例如,企业、政府、学校、工会、俱乐部、民族、国籍、系统或扮演相同角色的个人团体),而不是个人或装置的名称。(比较:角色证书、角色证书。)

Tutorial: Such a certificate might be issued for one of the following purposes:

教程:颁发此类证书可能出于以下目的之一:

- To enable an individual to prove membership in the organization. - To enable an individual to represent the organization, i.e., to act in its name and with its powers or permissions.

- 使个人能够证明其为组织成员。-使个人能够代表组织,即以其名义并以其权力或许可行事。

2. (O) /MISSI/ A type of MISSI X.509 public-key certificate that is issued to support organizational message handling for the U.S. DoD's Defense Message System.

2. (O) /misi/misi X.509公钥证书的一种,用于支持美国国防部国防信息系统的组织信息处理。

$ organizational registration authority (ORA) 1. (I) /PKI/ An RA for an organization.

$ 组织登记机关(ORA)1。(一) /PKI/组织的RA。

2. (O) /MISSI/ An end entity that (a) assists a PCA, CA, or SCA to register other end entities, by gathering, verifying, and entering data and forwarding it to the signing authority and (b) may also assist with card management functions. An ORA is a local administrative authority, and the term refers both to the role and to the person who plays that role. An ORA does not sign certificates, CRLs, or CKLs. (See: no-PIN ORA, SSO-PIN ORA, user-PIN ORA.)

2. (O) /misi/一种终端实体,其(a)通过收集、验证和输入数据并将其转发给签名机构,协助PCA、CA或SCA注册其他终端实体,以及(b)还可协助卡管理功能。ORA是一个地方行政当局,该术语既指角色,也指扮演该角色的人。ORA不签署证书、CRL或CKL。(请参阅:无PIN ORA、SSO-PIN ORA、用户PIN ORA。)

$ origin authentication (D) Synonym for "data origin authentication". (See: authentication, data origin authentication.)

$ 来源认证(D)“数据来源认证”的同义词。(请参阅:身份验证、数据源身份验证。)

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the internationally standardized term "data origin authentication" and also could be confused with "peer entity authentication."

不推荐使用的术语:IDoc不应使用此术语;这意味着不小心使用了国际标准化术语“数据源身份验证”,也可能与“对等实体身份验证”混淆

$ origin authenticity (D) Synonym for "data origin authentication". (See: authenticity, data origin authentication.)

$ 来源真实性(D)“数据来源认证”的同义词。(请参阅:真实性、数据源身份验证。)

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the internationally standardized term "data origin authentication" and mixes concepts in a potentially misleading way.

不推荐使用的术语:IDoc不应使用此术语;它暗示了对国际标准化术语“数据来源认证”的粗心使用,并以潜在误导的方式混淆了概念。

$ OSI, OSIRM (N) See: Open Systems Interconnection Reference Model.

$ OSI,OSIRM(N)参见:开放系统互连参考模型。

$ OSIRM Security Architecture (N) The part of the OSIRM [I7498-2] that specifies the security services and security mechanisms that can be applied to protect communications between two systems. (See: security architecture.)

$ OSIRM安全体系结构(N)OSIRM[I7498-2]的一部分,指定可用于保护两个系统之间通信的安全服务和安全机制。(请参阅:安全体系结构。)

Tutorial: This part of the OSIRM includes an allocation of security services to protocol layers. The following table shows which security services (see definitions in this Glossary) are permitted by the OSIRM in each of its layers. (Also, an application process that operates above the Application Layer may itself provide security services.) Similarly, the table suggests which services are suitable for each IPS layer. However, explaining and justifying these allocations is beyond the scope of this Glossary.

教程:OSIRM的这一部分包括将安全服务分配给协议层。下表显示了OSIRM在其每个层中允许哪些安全服务(请参见本术语表中的定义)。(同样,在应用层之上运行的应用程序进程本身也可以提供安全服务。)同样,该表建议了适用于每个IPS层的服务。然而,解释和证明这些分配超出了本词汇表的范围。

Legend for Table Entries: O = Yes, [I7498-2] permits the service in this OSIRM layer. I = Yes, the service can be incorporated in this IPS layer. * = This layer subsumed by Application Layer in IPS.

表条目的图例:O=Yes,[I7498-2]允许此OSIRM层中的服务。I=是,该服务可并入该IPS层。*=该层包含在IPS中的应用程序层中。

      IPS Protocol Layers    +-----------------------------------------+
                             |Network| Net |In-| Trans |  Application  |
                             |  H/W  |Inter|ter| -port |               |
                             |       |-face|net|       |               |
      OSIRM Protocol Layers  +-----------------------------------------+
                             |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
      Confidentiality        +-----------------------------------------+
      -  Datagram            | O I | O I | O I | O I |     | O * | O I |
      -  Selective Field     |     |     |   I |     |     | O * | O I |
      -  Traffic Flow        | O   |     | O   |     |     |     | O   |
         -- Full             |   I |     |     |     |     |     |     |
         -- Partial          |     |   I |   I |     |     |     |   I |
      Integrity              +-----------------------------------------+
      -  Datagram            |   I |   I | O I | O I |     |     | O I |
      -  Selective Field     |     |     |   I |     |     |     | O I |
      -  Stream              |     |     | O I | O I |     |     | O I |
      Authentication         +-----------------------------------------+
      -  Peer Entity         |     |   I | O I | O I |     |     | O I |
      -  Data Origin         |     |   I | O I | O I |     |     | O I |
      Access Control         +-----------------------------------------+
      -  type as appropriate |     |   I | O I | O I |     |     | O I |
      Non-Repudiation        +-----------------------------------------+
      -  of Origin           |     |     |     |     |     |     | O I |
      -  of Receipt          |     |     |     |     |     |     | O I |
                             +-----------------------------------------+
        
      IPS Protocol Layers    +-----------------------------------------+
                             |Network| Net |In-| Trans |  Application  |
                             |  H/W  |Inter|ter| -port |               |
                             |       |-face|net|       |               |
      OSIRM Protocol Layers  +-----------------------------------------+
                             |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
      Confidentiality        +-----------------------------------------+
      -  Datagram            | O I | O I | O I | O I |     | O * | O I |
      -  Selective Field     |     |     |   I |     |     | O * | O I |
      -  Traffic Flow        | O   |     | O   |     |     |     | O   |
         -- Full             |   I |     |     |     |     |     |     |
         -- Partial          |     |   I |   I |     |     |     |   I |
      Integrity              +-----------------------------------------+
      -  Datagram            |   I |   I | O I | O I |     |     | O I |
      -  Selective Field     |     |     |   I |     |     |     | O I |
      -  Stream              |     |     | O I | O I |     |     | O I |
      Authentication         +-----------------------------------------+
      -  Peer Entity         |     |   I | O I | O I |     |     | O I |
      -  Data Origin         |     |   I | O I | O I |     |     | O I |
      Access Control         +-----------------------------------------+
      -  type as appropriate |     |   I | O I | O I |     |     | O I |
      Non-Repudiation        +-----------------------------------------+
      -  of Origin           |     |     |     |     |     |     | O I |
      -  of Receipt          |     |     |     |     |     |     | O I |
                             +-----------------------------------------+
        

$ OTAR (N) See: over-the-air rekeying.

$ OTAR(N)请参阅:空中重新键入。

$ OTP (I) See: One-Time Password.

$ OTP(一)见:一次性密码。

$ out-of-band (I) /adjective, adverb/ Information transfer using a channel or method that is outside (i.e., separate from or different from) the main channel or normal method.

$ 带外(I)/形容词、副词/使用主通道或正常方法之外(即独立于或不同于主通道或正常方法)的通道或方法进行的信息传递。

Tutorial: Out-of-band mechanisms are often used to distribute shared secrets (e.g., a symmetric key) or other sensitive information items (e.g., a root key) that are needed to initialize or otherwise enable the operation of cryptography or other security mechanisms. Example: Using postal mail to distribute printed or magnetic media containing symmetric cryptographic keys for use in Internet encryption devices. (See: key distribution.)

教程:带外机制通常用于分发初始化或启用加密或其他安全机制操作所需的共享机密(例如,对称密钥)或其他敏感信息项(例如,根密钥)。示例:使用邮政邮件分发包含对称加密密钥的打印或磁性介质,以便在Internet加密设备中使用。(请参阅:密钥分发。)

$ output feedback (OFB) (N) A block cipher mode that modifies ECB mode to operate on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)

$ 输出反馈(OFB)(N)一种分组密码模式,它修改ECB模式,使其在可变长度小于或等于分组长度的明文段上运行。[FP081](参见:分组密码[SP38A]。)

Tutorial: This mode operates by directly using the algorithm's previously generated output block as the algorithm's next input block (i.e., by "feeding back" the output block) and combining (exclusive OR-ing) the output block with the next plaintext segment (of block length or less) to form the next ciphertext segment.

教程:此模式通过直接使用算法先前生成的输出块作为算法的下一个输入块(即,通过“反馈”输出块)并将输出块与下一个明文段(块长度或更短)组合(异或)形成下一个密文段来操作。

$ outside attack (I) See: secondary definition under "attack". Compare: outsider.)

$ 外部攻击(I)见“攻击”下的第二定义。比较:局外人。)

$ outsider (I) A user (usually a person) that accesses a system from a position that is outside the system's security perimeter. (Compare: authorized user, insider, unauthorized user.)

$ 局外人(I)从系统安全边界之外的位置访问系统的用户(通常是个人)。(比较:授权用户、内部人员、未授权用户。)

Tutorial: The actions performed by an outsider in accessing the system may be either authorized or unauthorized; i.e., an outsider may act either as an authorized user or as an unauthorized user.

教程:外部人员在访问系统时执行的操作可能是授权的,也可能是未经授权的;i、 例如,外部人员可以作为授权用户或未授权用户。

$ over-the-air rekeying (OTAR) (N) Changing a key in a remote cryptographic device by sending a new key directly to the device via a channel that the device is protecting. [C4009]

$ 空中密钥更新(OTAR)(N)通过设备保护的通道直接向设备发送新密钥,从而更改远程加密设备中的密钥。[C4009]

$ overload (I) /threat action/ See: secondary definition under "obstruction".

$ 超载(I)/威胁行动/见“障碍物”下的二级定义。

$ P1363 (N) See: IEEE P1363.

$ P1363(N)参见:IEEE P1363。

$ PAA (O) See: policy approving authority.

$ PAA(O)参见:政策审批机构。

$ package (N) /Common Criteria/ A reusable set of either functional or assurance components, combined in a single unit to satisfy a set of identified security objectives. (Compare: protection profile.)

$ 包(N)/通用标准/一组可重复使用的功能或保证组件,组合在一个单元中,以满足一组确定的安全目标。(比较:保护配置文件。)

Example: The seven EALs defined in Part 3 of the Common Criteria are predefined assurance packages.

示例:通用标准第3部分中定义的七个EAL是预定义的保证包。

Tutorial: A package is a combination of security requirement components and is intended to be reusable in the construction of either more complex packages or protection profiles and security targets. A package expresses a set of either functional or assurance requirements that meet some particular need, expressed as a set of security objectives.

教程:包是安全需求组件的组合,旨在在构建更复杂的包或保护配置文件和安全目标时可重用。包表示满足某些特定需求的一组功能或保证需求,表示为一组安全目标。

$ packet (I) A block of data that is carried from a source to a destination through a communication channel or, more generally, across a network. (Compare: datagram, PDU.)

$ 数据包(I)通过通信信道或更一般地通过网络从源传送到目的地的数据块。(比较:数据报、PDU)

$ packet filter (I) See: secondary definition under "filtering router".

$ 包过滤器(I)参见“过滤路由器”下的二级定义。

$ packet monkey (D) /slang/ Someone who floods a system with packets, creating a denial-of-service condition for the system's users. (See: cracker.)

$ packetmonkey(D)/俚语/向系统发送大量数据包,为系统用户造成拒绝服务条件的人。(请参阅:cracker。)

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ pagejacking (D) /slang/ A contraction of "Web page hijacking". A masquerade attack in which the attacker copies (steals) a home page or other material from the target server, rehosts the page on a server the attacker controls, and causes the rehosted page to be indexed by the major Web search services, thereby diverting browsers from the target server to the attacker's server.

$ 网页劫持(D)/俚语/是“网页劫持”的缩写。一种伪装攻击,在这种攻击中,攻击者从目标服务器复制(窃取)主页或其他材料,在攻击者控制的服务器上重新定位页面,并使重新定位的页面被主要Web搜索服务索引,从而将浏览器从目标服务器转移到攻击者的服务器。

Deprecated Term: IDOCs SHOULD NOT use this contraction. The term is not listed in most dictionaries and could confuse international readers. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:idoc不应使用此收缩。大多数词典都没有列出这个词,可能会使国际读者感到困惑。(请参阅“绿皮书”下不推荐的用法。)

$ PAN (O) See: primary account number.

$ PAN(O)参见:主账号。

$ PAP (I) See: Password Authentication Protocol.

$ PAP(I)参见:密码认证协议。

$ parity bit (I) A checksum that is computed on a block of bits by computing the binary sum of the individual bits in the block and then discarding all but the low-order bit of the sum. (See: checksum.)

$ 奇偶校验位(I)通过计算块中各个位的二进制和,然后丢弃除低阶位以外的所有位,在一个位块上计算的校验和。(请参阅:校验和。)

$ partitioned security mode (N) A mode of system operation wherein all users having access to the system have the necessary security clearances for all data handled by the system, but some users might not have either formal access approval or need-to-know for all the data. (See: /system operation/ under "mode", formal access approval, need to know, protection level, security clearance.)

$ 分区安全模式(N):一种系统操作模式,其中所有访问系统的用户都拥有系统处理的所有数据的必要安全许可,但一些用户可能没有正式的访问批准或不需要了解所有数据。(参见:/系统操作/在“模式”下,正式访问批准,需要知道,保护级别,安全许可。)

Usage: Usually abbreviated as "partitioned mode". This term was defined in U.S. Government policy on system accreditation.

用法:通常缩写为“分区模式”。该术语的定义见美国政府系统认证政策。

$ PASS (N) See: personnel authentication system string.

$ 通过(N)请参阅:人员身份验证系统字符串。

$ passive attack (I) See: secondary definition under "attack".

$ 被动攻击(I)见“攻击”下的第二个定义。

$ passive user (I) See: secondary definition under "system user".

$ 被动用户(I)参见“系统用户”下的二级定义。

$ passive wiretapping (I) A wiretapping attack that attempts only to observe a communication flow and gain knowledge of the data it contains, but does not alter or otherwise affect that flow. (See: wiretapping. Compare: passive attack, active wiretapping.)

$ 被动窃听(I)一种窃听攻击,它仅试图观察通信流并了解其包含的数据,但不会改变或以其他方式影响该通信流。(请参阅:窃听。比较:被动攻击和主动窃听。)

$ password 1a. (I) A secret data value, usually a character string, that is presented to a system by a user to authenticate the user's identity. (See: authentication information, challenge-response, PIN, simple authentication.)

$ 密码1a。(一) 一种秘密数据值,通常是字符串,由用户提供给系统以验证用户身份。(请参阅:身份验证信息、质询响应、PIN、简单身份验证。)

1b. (O) "A character string used to authenticate an identity." [CSC2]

1b。(O) “用于身份验证的字符串。”[CSC2]

1c. (O) "A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization." [FP140]

1c。(O) “用于验证身份或验证访问授权的字符串(字母、数字和其他符号)。[FP140]

1d. (O) "A secret that a claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings." [SP63]

1d。(O) “索赔人记忆并用于验证其身份的秘密。密码通常是字符串。”[SP63]

Tutorial: A password is usually paired with a user identifier that is explicit in the authentication process, although in some cases the identifier may be implicit. A password is usually verified by matching it to a stored value held by the access control system for that identifier.

教程:密码通常与身份验证过程中显式的用户标识符配对,尽管在某些情况下标识符可能是隐式的。密码通常通过与访问控制系统为该标识符保存的存储值进行匹配来验证。

Using a password as authentication information is based on assuming that the password is known only by the system entity for which the identity is being authenticated. Therefore, in a network environment where wiretapping is possible, simple authentication that relies on transmission of static (i.e., repetitively used) passwords in cleartext form is inadequate. (See: one-time password, strong authentication.)

使用密码作为身份验证信息是基于假设密码仅由身份验证的系统实体知道。因此,在可以进行窃听的网络环境中,依赖明文形式的静态(即重复使用)密码传输的简单身份验证是不够的。(请参阅:一次性密码、强身份验证。)

$ Password Authentication Protocol (PAP) (I) A simple authentication mechanism in PPP. In PAP, a user identifier and password are transmitted in cleartext form. [R1334] (See: CHAP.)

$ 密码认证协议(PAP)(I)PPP中的一种简单认证机制。在PAP中,用户标识符和密码以明文形式传输。[R1334](见:第章)

$ password sniffing (D) /slang/ Passive wiretapping to gain knowledge of passwords. (See: Deprecated Usage under "sniffing".)

$ 密码嗅探(D)/俚语/被动窃听以了解密码。(请参阅“嗅探”下不推荐的用法。)

$ path discovery (I) For a digital certificate, the process of finding a set of public-key certificates that comprise a certification path from a trusted key to that specific certificate.

$ 路径发现(I)对于数字证书,查找一组公钥证书的过程,这些公钥证书包括从受信任密钥到该特定证书的认证路径。

$ path validation (I) The process of validating (a) all of the digital certificates in a certification path and (b) the required relationships between those certificates, thus validating the contents of the last certificate on the path. (See: certificate validation.)

$ 路径验证(I)验证(a)认证路径中的所有数字证书和(b)这些证书之间所需关系的过程,从而验证路径上最后一个证书的内容。(请参阅:证书验证。)

Tutorial: To promote interoperable PKI applications in the Internet, RFC 3280 specifies a detailed algorithm for validation of a certification path.

教程:为了在Internet上推广可互操作的PKI应用程序,RFC3280指定了验证证书路径的详细算法。

$ payment card (N) /SET/ Collectively refers "to credit cards, debit cards, charge cards, and bank cards issued by a financial institution and which reflects a relationship between the cardholder and the financial institution." [SET2]

$ 支付卡(N)/SET/统称为“由金融机构发行的反映持卡人与金融机构之间关系的信用卡、借记卡、借记卡和银行卡。”[SET2]

$ payment gateway (O) /SET/ A system operated by an acquirer, or a third party designated by an acquirer, to provide electronic commerce services to the merchants in support of the acquirer, and which interfaces to the acquirer to support the authorization, capture, and processing of merchant payment messages, including payment instructions from cardholders. [SET1, SET2]

$ 支付网关(O)/SET/A由收单机构或收单机构指定的第三方操作的系统,用于向商户提供电子商务服务以支持收单机构,并与收单机构接口以支持商户支付消息的授权、捕获和处理,包括持卡人的付款指示。[SET1,SET2]

$ payment gateway certification authority (SET PCA) (O) /SET/ A CA that issues digital certificates to payment gateways and is operated on behalf of a payment card brand, an acquirer, or another party according to brand rules. A SET PCA issues a CRL for compromised payment gateway certificates. [SET2] (See: PCA.)

$ 支付网关认证机构(SET PCA)(O)/SET/A向支付网关颁发数字证书的CA,并根据品牌规则代表支付卡品牌、收单机构或另一方运营。一组PCA为受损的支付网关证书颁发CRL。[SET2](参见:PCA。)

$ PC card (N) A type of credit card-sized, plug-in peripheral device that was originally developed to provide memory expansion for portable computers, but is also used for other kinds of functional expansion. (See: FORTEZZA, PCMCIA.)

$ PC卡(N):一种信用卡大小的插入式外围设备,最初开发用于为便携式计算机提供内存扩展,但也用于其他类型的功能扩展。(见:FORTEZZA,PCMCIA)

Tutorial: The international PC Card Standard defines a non-proprietary form factor in three sizes -- Types I, II, and III -- each of which have a 68-pin interface between the card and the socket into which it plugs. All three types have the same length and width, roughly the size of a credit card, but differ in their thickness from 3.3 to 10.5 mm. Examples include storage modules, modems, device interface adapters, and cryptographic modules.

教程:国际PC卡标准定义了三种尺寸的非专有外形系数——I、II和III型——每种尺寸在卡和插口之间都有68针接口。这三种类型都有相同的长度和宽度,大致相当于一张信用卡的大小,但厚度不同,从3.3毫米到10.5毫米不等。示例包括存储模块、调制解调器、设备接口适配器和加密模块。

$ PCA (D) Abbreviation of various kinds of "certification authority". (See: Internet policy certification authority, (MISSI) policy creation authority, (SET) payment gateway certification authority.)

$ PCA(D)各种“认证机构”的缩写。(请参阅:Internet策略证书颁发机构,(MSI)策略创建机构,(SET)支付网关证书颁发机构。)

Deprecated Usage: An IDOC that uses this abbreviation SHOULD define it at the point of first use.

不推荐使用:使用此缩写的IDOC应该在首次使用时定义它。

$ PCI (N) See: "protocol control information" under "protocol data unit".

$ PCI(N)参见“协议数据单元”下的“协议控制信息”。

$ PCMCIA (N) Personal Computer Memory Card International Association, a group of manufacturers, developers, and vendors, founded in 1989 to standardize plug-in peripheral memory cards for personal computers and now extended to deal with any technology that works in the PC Card form factor. (See: PC card.)

$ PCMCIA(N)个人计算机存储卡国际协会,一个由制造商、开发人员和供应商组成的团体,成立于1989年,旨在标准化个人计算机的插入式外围存储卡,现在扩展到处理任何适用于PC卡外形的技术。(请参阅:PC卡。)

$ PDS (N) See: protective distribution system.

$ PDS(N)见:保护配电系统。

$ PDU (N) See: protocol data unit.

$ PDU(N)参见:协议数据单元。

$ peer entity authentication (I) "The corroboration that a peer entity in an association is the one claimed." [I7498-2] (See: authentication.)

$ 对等实体认证(I)“证明关联中的对等实体是所声称的实体。”[I7498-2](见:认证。)

$ peer entity authentication service (I) A security service that verifies an identity claimed by or for a system entity in an association. (See: authentication, authentication service.)

$ 对等实体身份验证服务(I)一种安全服务,用于验证由关联中的系统实体声明或为其声明的身份。(请参阅:身份验证、身份验证服务。)

Tutorial: This service is used at the establishment of, or at times during, an association to confirm the identity of one entity to another, thus protecting against a masquerade by the first entity. However, unlike data origin authentication service, this service requires an association to exist between the two entities, and the corroboration provided by the service is valid only at the current time that the service is provided. (See: "relationship between data integrity service and authentication services" under "data integrity service").

教程:此服务用于建立关联时或关联期间,以确认一个实体对另一个实体的身份,从而防止第一个实体伪装。但是,与数据源身份验证服务不同,该服务要求两个实体之间存在关联,并且该服务提供的佐证仅在提供该服务的当前时间有效。(请参阅“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”)。

$ PEM (I) See: Privacy Enhanced Mail.

$ PEM(I)见:隐私增强邮件。

$ penetrate 1a. (I) Circumvent a system's security protections. (See: attack, break, violation.)

$ 穿透1a。(一) 规避系统的安全保护。(参见:攻击、中断、违规。)

1b. (I) Successfully and repeatedly gain unauthorized access to a protected system resource. [Huff]

1b。(一) 成功并反复获得对受保护系统资源的未经授权访问。[怒火]

$ penetration (I) /threat action/ See: secondary definition under "intrusion".

$ 渗透(I)/威胁行动/见“入侵”下的二级定义。

$ penetration test (I) A system test, often part of system certification, in which evaluators attempt to circumvent the security features of a system. [NCS04, SP42] (See: tiger team.)

$ 渗透测试(I)一种系统测试,通常是系统认证的一部分,在这种测试中,评估人员试图规避系统的安全特性。[NCS04,SP42](见:老虎队)

Tutorial: Penetration testing evaluates the relative vulnerability of a system to attacks and identifies methods of gaining access to a system by using tools and techniques that are available to adversaries. Testing may be performed under various constraints and conditions, including a specified level of knowledge of the system design and implementation. For a TCSEC evaluation, testers are assumed to have all system design and implementation documentation, including source code, manuals, and circuit diagrams, and to work under no greater constraints than those applied to ordinary users.

教程:渗透测试评估系统对攻击的相对脆弱性,并确定通过使用对手可用的工具和技术访问系统的方法。测试可以在各种约束和条件下进行,包括系统设计和实施的特定知识水平。对于TCSEC评估,假设测试人员拥有所有系统设计和实现文档,包括源代码、手册和电路图,并且在不比适用于普通用户的约束更大的约束下工作。

$ perfect forward secrecy (I) For a key agreement protocol, the property that compromises long-term keying material does not compromise session keys that were previously derived from the long-term material. (Compare: public-key forward secrecy.)

$ 完美前向保密(I)对于密钥协商协议,泄露长期密钥材料的属性不会泄露以前从长期材料中派生的会话密钥。(比较:公钥前向保密。)

Usage: Some existing RFCs use this term but either do not define it or do not define it precisely. While preparing this Glossary, we found this to be a muddled area. Experts did not agree. For all practical purposes, the literature defines "perfect forward secrecy" by stating the Diffie-Hellman-Merkle algorithm. The term "public-key forward secrecy" (suggested by Hilarie Orman) and the definition stated for it in this Glossary were crafted to be compatible with current Internet documents, yet be narrow and leave room for improved terminology.

用法:一些现有的RFC使用此术语,但未对其进行定义或未对其进行精确定义。在编写本词汇表时,我们发现这是一个混乱的领域。专家们并不同意。出于所有实际目的,文献通过说明Diffie-Hellman-Merkle算法来定义“完美前向保密”。术语“公钥前向保密”(由Hilarie Orman提出)和本术语表中的定义是为了与当前的互联网文档兼容而精心设计的,但其范围很窄,并为改进术语留下了空间。

Challenge to the Internet security community: We need a taxonomy of terms and definitions to cover the basic properties discussed here for the full range of cryptographic algorithms and protocols used in Internet Standards:

互联网安全社区面临的挑战:我们需要一个术语和定义分类法,以涵盖此处讨论的互联网标准中使用的各种加密算法和协议的基本属性:

Involvement of session keys vs. long-term keys: Experts disagree about the basic ideas involved: - One concept of "forward secrecy" is that, given observations of the operation of a key establishment protocol up to time t, and given some of the session keys derived from those protocol runs, you cannot derive unknown past session keys or future session keys. - A related property is that, given observations of the protocol and knowledge of the derived session keys, you cannot derive one or more of the long-term private keys.

会话密钥与长期密钥的关系:专家们对所涉及的基本思想持不同意见:-“前向保密”的一个概念是,鉴于对时间t之前密钥建立协议操作的观察,以及从这些协议运行中获得的一些会话密钥,无法派生未知的过去会话密钥或未来会话密钥。-一个相关的属性是,给定对协议的观察和派生会话密钥的知识,您不能派生一个或多个长期私钥。

- The "I" definition presented above involves a third concept of "forward secrecy" that refers to the effect of the compromise of long-term keys. - All three concepts involve the idea that a compromise of "this" encryption key is not supposed to compromise the "next" one. There also is the idea that compromise of a single key will compromise only the data protected by the single key. In Internet literature, the focus has been on protection against decryption of back traffic in the event of a compromise of secret key material held by one or both parties to a communication.

- 上述“I”定义涉及第三个“前向保密”概念,指长期密钥泄露的影响。-所有这三个概念都包含这样一个想法,即“此”加密密钥的折衷不应折衷“下一个”加密密钥。还有一种想法是,单个密钥的泄露只会泄露受单个密钥保护的数据。在互联网文献中,重点一直是在通信的一方或双方持有的密钥材料泄露的情况下防止反向通信解密。

Forward vs. backward: Experts are unhappy with the word "forward", because compromise of "this" encryption key also is not supposed to compromise the "previous" one, which is "backward" rather than forward. In S/KEY, if the key used at time t is compromised, then all keys used prior to that are compromised. If the "long-term" key (i.e., the base of the hashing scheme) is compromised, then all keys past and future are compromised; thus, you could say that S/KEY has neither forward nor backward secrecy.

前向与后向:专家们对“前向”这个词不满意,因为“此”加密密钥的泄露也不应该泄露“前向”加密密钥,即“后向”而不是“前向”。在S/KEY中,如果在时间t使用的密钥被泄露,则在此之前使用的所有密钥都被泄露。如果“长期”密钥(即散列方案的基础)被泄露,则过去和将来的所有密钥都被泄露;因此,您可以说S/KEY既不具有前向保密性,也不具有后向保密性。

Asymmetric cryptography vs. symmetric: Experts disagree about forward secrecy in the context of symmetric cryptographic systems. In the absence of asymmetric cryptography, compromise of any long-term key seems to compromise any session key derived from the long-term key. For example, Kerberos isn't forward secret, because compromising a client's password (thus compromising the key shared by the client and the authentication server) compromises future session keys shared by the client and the ticket-granting server.

非对称密码与对称密码:在对称密码系统的背景下,专家们对前向保密存在分歧。在没有非对称加密的情况下,任何长期密钥的泄露似乎都会泄露从长期密钥派生的任何会话密钥。例如,Kerberos不是前向机密,因为泄露客户端密码(从而泄露客户端和身份验证服务器共享的密钥)会泄露客户端和票证授予服务器共享的未来会话密钥。

Ordinary forward secrecy vs. "perfect" forward secret: Experts disagree about the difference between these two. Some say there is no difference, and some say that the initial naming was unfortunate and suggest dropping the word "perfect". Some suggest using "forward secrecy" for the case where one long-term private key is compromised, and adding "perfect" for when both private keys (or, when the protocol is multi-party, all private keys) are compromised.

普通前向保密与“完美”前向保密:专家们不同意这两者之间的区别。有人说没有区别,有人说最初的命名是不幸的,建议去掉“完美”这个词。一些人建议在一个长期私钥被泄露的情况下使用“前向保密”,并在两个私钥(或者,当协议为多方协议时,所有私钥)被泄露的情况下添加“完美”。

Acknowledgements: Bill Burr, Burt Kaliski, Steve Kent, Paul Van Oorschot, Jonathan Trostle, Michael Wiener, and, especially, Hilarie Orman contributed ideas to this discussion.

致谢:比尔·伯尔、伯特·卡利斯基、史蒂夫·肯特、保罗·范·奥斯肖特、乔纳森·特罗斯特勒、迈克尔·维纳,尤其是希拉里·奥曼为本次讨论提供了意见。

$ perimeter See: security perimeter.

$ 周界见:安全周界。

$ periods processing (I) A mode of system operation in which information of different sensitivities is processed at distinctly different times by the same system, with the system being properly purged or sanitized between periods. (See: color change.)

$ 周期处理(I)系统运行的一种模式,在这种模式下,同一系统在明显不同的时间处理不同敏感度的信息,并在周期之间对系统进行适当的清洗或消毒。(请参见:颜色更改。)

Tutorial: The security mode of operation and maximum classification of data handled by the system is established for an interval of time and then is changed for the following interval of time. A period extends from the secure initialization of the system to the completion of any purging of sensitive data handled by the system during the period.

教程:在一段时间内建立系统处理的数据的安全操作模式和最大分类,然后在接下来的时间间隔内更改。从系统的安全初始化到在此期间完成系统处理的敏感数据的任何清除,都有一段时间。

$ permanent storage (I) Non-volatile media that, once written into, can never be completely erased.

$ 永久存储器(I)非易失性介质,一旦写入,永远无法完全擦除。

$ permission 1a. (I) Synonym for "authorization". (Compare: privilege.)

$ 许可证1a。(一) “授权”的同义词。(比较:特权。)

1b. (N) An authorization or set of authorizations to perform security-relevant functions in the context of role-based access control. [ANSI]

1b。(N) 在基于角色的访问控制上下文中执行安全相关功能的一种或一组授权。[美国国家标准协会]

Tutorial: A permission is a positively stated authorization for access that (a) can be associated with one or more roles and (b) enables a user in a role to access a specified set of system resources by causing a specific set of system actions to be performed on the resources.

教程:权限是一种明确声明的访问授权,它(A)可以与一个或多个角色关联,并且(b)通过对资源执行特定的系统操作集,使角色中的用户能够访问指定的系统资源集。

$ persona certificate (I) An X.509 certificate issued to a system entity that wishes to use a persona to conceal its true identity when using PEM or other Internet services that depend on PKI support. (See: anonymity.) [R1422]

$ 角色证书(I)颁发给系统实体的X.509证书,该系统实体希望在使用PEM或依赖PKI支持的其他互联网服务时使用角色隐藏其真实身份。(见:匿名)。[R1422]

Tutorial: PEM designers intended that (a) a CA issuing persona certificates would explicitly not be vouching for the identity of the system entity to whom the certificate is issued, (b) such certificates would be issued only by CAs subordinate to a policy CA having a policy stating that purpose (i.e., that would warn relying parties that the "subject" field DN represented only a persona and not a true, vetted user identity), and (c) the CA would not need to maintain records binding the true identity of the subject to the certificate.

教程:PEM设计人员打算(a)颁发角色证书的CA不会明确证明证书颁发给的系统实体的身份,(b)此类证书将仅由从属于具有声明该目的的策略CA的CA颁发(即警告依赖方“主体”字段DN仅代表一个角色,而不是真实的、经过审查的用户身份),并且(c)CA不需要维护将主体的真实身份绑定到证书的记录。

However, the PEM designers also intended that a CA issuing persona certificates would establish procedures (d) to enable "the holder of a PERSONA certificate to request that his certificate be revoked" and (e) to ensure that it did not issue the same subject DN to multiple users. The latter condition implies that a persona certificate is not an organizational certificate unless the organization has just one member or representative.

然而,PEM设计者还打算,颁发角色证书的CA将建立程序(d)以允许“角色证书持有人请求撤销其证书”,以及(e)确保其不会向多个用户颁发相同的主题DN。后一个条件意味着角色证书不是组织证书,除非组织只有一个成员或代表。

$ personal identification number (PIN) 1a. (I) A character string used as a password to gain access to a system resource. (See: authentication information.)

$ 个人识别号(PIN)1a。(一) 用作访问系统资源的密码的字符串。(请参阅:身份验证信息。)

Example: A cryptographic token typically requires its user to enter a PIN in order to access information stored in the token and invoke the token's cryptographic functions.

示例:加密令牌通常要求其用户输入PIN以访问令牌中存储的信息并调用令牌的加密功能。

1b. (O) An alphanumeric code or password used to authenticate an identity.

1b。(O) 用于验证身份的字母数字代码或密码。

Tutorial: Despite the words "identification" and "number", a PIN seldom serves as a user identifier, and a PIN's characters are not necessarily all numeric. Retail banking applications use 4-digit numeric user PINs, but the FORTEZZA PC card uses 12-character alphanumeric SSO PINs. (See: SSO PIN, user PIN.)

教程:尽管有“标识”和“编号”两个词,PIN很少用作用户标识符,PIN的字符也不一定都是数字。零售银行应用程序使用4位数字用户PIN,但FORTEZZA PC卡使用12个字符的字母数字SSO PIN。(请参见:SSO PIN、用户PIN。)

A better name for this concept would have been "personnel authentication system string" (PASS), in which case, an alphanumeric character string for this purpose would have been called, obviously, a "PASSword".

这个概念的更好名称是“人员身份验证系统字符串”(PASS),在这种情况下,用于此目的的字母数字字符串显然被称为“密码”。

$ personal information (I) Information about a particular person, especially information of an intimate or critical nature, that could cause harm or pain to that person if disclosed to unauthorized parties. Examples: medical record, arrest record, credit report, academic transcript, training report, job application, credit card number, Social Security number. (See: privacy.)

$ 个人信息(I)关于特定人员的信息,特别是亲密或关键性质的信息,如果披露给未经授权的方,可能会对该人员造成伤害或痛苦。例如:病历、逮捕记录、信用报告、成绩单、培训报告、工作申请、信用卡号、社会保险号。(见:隐私。)

$ personality 1. (I) Synonym for "principal".

$ 个性1。(一) “校长”的同义词。

2. (O) /MISSI/ A set of MISSI X.509 public-key certificates that have the same subject DN, together with their associated private keys and usage specifications, that is stored on a FORTEZZA PC card to support a role played by the card's user.

2. (O) /MISSI/一组具有相同主题DN的MISSI X.509公钥证书及其相关私钥和使用规范,存储在FORTEZZA PC卡上,以支持卡用户扮演的角色。

Tutorial: When a card's user selects a personality to use in a FORTEZZA-aware application, the data determines behavior traits

教程:当一张卡片的用户选择一个用于FORTEZZA感知应用程序的个性时,数据决定了行为特征

(the personality) of the application. A card's user may have multiple personalities on the card. Each has a "personality label", a user-friendly character string that applications can display to the user for selecting or changing the personality to be used. For example, a military user's card might contain three personalities: GENERAL HALFTRACK, COMMANDER FORT SWAMPY, and NEW YEAR'S EVE PARTY CHAIRMAN. Each personality includes one or more certificates of different types (such as DSA versus RSA), for different purposes (such as digital signature versus encryption), or with different authorizations.

(人格)的申请。一张卡片上的用户可能有多个个性。每个都有一个“个性标签”,一个用户友好的字符串,应用程序可以向用户显示该字符串,以选择或更改要使用的个性。例如,军事用户的卡片可能包含三个人物:半身人将军、沼泽堡指挥官和除夕党主席。每个个性包括一个或多个不同类型的证书(如DSA与RSA),用于不同的目的(如数字签名与加密),或具有不同的授权。

$ personnel authentication system string (PASS) (N) See: Tutorial under "personal identification number".

$ 人员身份验证系统字符串(PASS)(N)请参阅“个人身份号码”下的教程。

$ personnel security (I) Procedures to ensure that persons who access a system have proper clearance, authorization, and need-to-know as required by the system's security policy. (See: security architecture.)

$ 人员安全(I)确保访问系统的人员获得适当的许可、授权,并需要按照系统安全政策的要求了解情况的程序。(请参阅:安全体系结构。)

$ PGP(trademark) (O) See: Pretty Good Privacy(trademark).

$ PGP(商标)(O)见:相当好的隐私(商标)。

$ phase 1 negotiation $ phase 2 negotiation (I) /ISAKMP/ See: secondary definition under "Internet Security Association and Key Management Protocol".

$ 第一阶段协商$第二阶段协商(I)/ISAKMP/See:“互联网安全关联和密钥管理协议”下的二级定义。

$ phishing (D) /slang/ A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a Web site, in which the perpetrator masquerades as a legitimate business or reputable person. (See: social engineering.)

$ 网络钓鱼(D)/俚语/一种试图通过电子邮件或网站上的欺诈性招揽获取敏感数据(如银行账号)的技术,在这种技术中,犯罪者伪装成合法企业或信誉良好的人。(见:社会工程)

Derivation: Possibly from "phony fishing"; the solicitation usually involves some kind of lure or bait to hook unwary recipients. (Compare: phreaking.)

来源:可能来自“假钓鱼”;招徕通常包括某种诱饵或诱饵,以吸引不小心的接受者。(比较:phreaking。)

Deprecated Term: IDOCs SHOULD NOT use this term; it is not listed in most dictionaries and could confuse international readers. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:IDoc不应使用此术语;大多数词典都没有列出它,这可能会使国际读者感到困惑。(请参阅“绿皮书”下不推荐的用法。)

$ Photuris (I) A UDP-based, key establishment protocol for session keys, designed for use with the IPsec protocols AH and ESP. Superseded by IKE.

$ Photuris(I)一种基于UDP的会话密钥密钥建立协议,设计用于IPsec协议AH和ESP,并被IKE取代。

$ phreaking (D) A contraction of "telephone breaking". An attack on or penetration of a telephone system or, by extension, any other communication or information system. [Raym]

$ (D)“电话中断”的缩写。对电话系统或任何其他通信或信息系统的攻击或渗透。[雷姆]

Deprecated Term: IDOCs SHOULD NOT use this contraction; it is not listed in most dictionaries and could confuse international readers. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:idoc不应使用此收缩;大多数词典都没有列出它,这可能会使国际读者感到困惑。(请参阅“绿皮书”下不推荐的用法。)

$ physical destruction (I) /threat action/ See: secondary definition under "incapacitation".

$ 物理破坏(I)/威胁行动/见“丧失行为能力”下的第二个定义。

$ physical security (I) Tangible means of preventing unauthorized physical access to a system. Examples: Fences, walls, and other barriers; locks, safes, and vaults; dogs and armed guards; sensors and alarm bells. [FP031, R1455] (See: security architecture.)

$ 物理安全(I)防止未经授权的物理访问系统的有形手段。示例:围栏、墙壁和其他屏障;锁、保险箱和保险库;狗和武装警卫;传感器和警铃。[FP031,R1455](请参阅:安全体系结构。)

$ piggyback attack (I) A form of active wiretapping in which the attacker gains access to a system via intervals of inactivity in another user's legitimate communication connection. Sometimes called a "between-the-lines" attack. (See: hijack attack, man-in-the-middle attack.)

$ 背驮攻击(I)一种主动窃听形式,攻击者通过另一用户合法通信连接中的不活动间隔获得对系统的访问权。有时被称为“线间”攻击。(见:劫持袭击,中间人袭击。)

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term could confuse international readers.

不推荐使用:使用此术语的IDoc应该为其说明定义,因为此术语可能会使国际读者感到困惑。

$ PIN (I) See: personal identification number.

$ PIN(I)见:个人识别号。

$ ping of death (D) A denial-of-service attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of causing the destination system to fail. (See: ping sweep, teardrop.)

$ ping of death(D)一种拒绝服务攻击,它发送一个不适当的大ICMP回显请求数据包(“ping”),目的是导致目标系统失败。(请参见:平扫、泪滴。)

Deprecated Term: IDOCs SHOULD NOT use this term; instead, use "ping packet overflow attack" or some other term that is specific with regard to the attack mechanism.

不推荐使用的术语:IDoc不应使用此术语;相反,请使用“ping数据包溢出攻击”或其他特定于攻击机制的术语。

Tutorial: This attack seeks to exploit an implementation vulnerability. The IP specification requires hosts to be prepared to accept datagrams of up to 576 octets, but also permits IP datagrams to be up to 65,535 octets long. If an IP implementation does not properly handle very long IP packets, the ping packet may overflow the input buffer and cause a fatal system error.

教程:此攻击试图利用实现漏洞进行攻击。IP规范要求主机准备接受多达576个八位字节的数据报,但也允许IP数据报的长度达到65535个八位字节。如果IP实现不能正确处理很长的IP数据包,ping数据包可能会溢出输入缓冲区并导致致命的系统错误。

$ ping sweep (I) An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities. (See: ping of death. Compare: port scan.)

$ ping扫描(I)将ICMP回显请求(“ping”)发送到一系列IP地址的攻击,目的是查找可探测漏洞的主机。(请参阅:ping of death。比较:端口扫描。)

$ PKCS (N) See: Public-Key Cryptography Standards.

$ PKCS(N)参见:公钥加密标准。

$ PKCS #5 (N) A standard [PKC05] (see: RFC 2898) from the PKCS series; defines a method for encrypting an octet string with a secret key derived from a password.

$ PKCS#5(N)PKCS系列中的标准[PKC05](参见:RFC 2898);定义一种使用从密码派生的密钥加密八位字节字符串的方法。

Tutorial: Although the method can be used for arbitrary octet strings, its intended primary application in public-key cryptography is for encrypting private keys when transferring them from one computer system to another, as described in PKCS #8.

教程:尽管该方法可用于任意八位字节字符串,但其在公钥加密中的主要应用是在将私钥从一个计算机系统传输到另一个计算机系统时加密私钥,如PKCS#8所述。

$ PKCS #7 (N) A standard [PKC07] (see: RFC 2315) from the PKCS series; defines a syntax for data that may have cryptography applied to it, such as for digital signatures and digital envelopes. (See: CMS.)

$ PKCS#7(N)PKCS系列中的标准[PKC07](见:RFC 2315);定义可能应用了加密技术的数据的语法,例如数字签名和数字信封。(见:CMS)

$ PKCS #10 (N) A standard [PKC10] (see: RFC 2986) from the PKCS series; defines a syntax for certification requests. (See: certification request.)

$ PKCS#10(N)PKCS系列中的标准[PKC10](参见:RFC 2986);定义证书请求的语法。(请参阅:认证申请。)

Tutorial: A PKCS #10 request contains a DN and a public key, and may contain other attributes, and is signed by the entity making the request. The request is sent to a CA, who converts it to an X.509 public-key certificate (or some other form), and returns it, possibly in PKCS #7 format.

教程:PKCS#10请求包含DN和公钥,还可能包含其他属性,并由发出请求的实体签名。请求被发送到CA,CA将其转换为X.509公钥证书(或其他形式),并返回它,可能是PKCS#7格式。

$ PKCS #11 (N) A standard [PKC11] from the PKCS series; defines CAPI called "Cryptoki" for devices that hold cryptographic information and perform cryptographic functions.

$ PKCS#11(N)PKCS系列中的标准[PKC11];为保存加密信息并执行加密功能的设备定义称为“Cryptoki”的CAPI。

$ PKI (I) See: public-key infrastructure.

$ PKI(I)见:公钥基础设施。

$ PKINIT (I) Abbreviation for "Public Key Cryptography for Initial Authentication in Kerberos" (RFC 4556). (See: Tutorial under "Kerberos".)

$ PKINIT(I)“Kerberos中用于初始身份验证的公钥密码术”(RFC 4556)的缩写。(请参阅“Kerberos”下的教程。)

$ PKIX 1a. (I) A contraction of "Public-Key Infrastructure (X.509)", the name of the IETF working group that is specifying an architecture [R3280] and set of protocols [R4210] to provide X.509-based PKI services for the Internet.

$ PKIX 1a。(一) “公钥基础设施(X.509)”的缩写,IETF工作组的名称,该工作组指定了一个体系结构[R3280]和一组协议[R4210],为互联网提供基于X.509的PKI服务。

1b. (I) A collective name for that Internet PKI architecture and associated set of protocols.

1b。(一) Internet PKI体系结构和相关协议集的集合名称。

Tutorial: The goal of PKIX is to facilitate the use of X.509 public-key certificates in multiple Internet applications and to promote interoperability between different implementations that use those certificates. The resulting PKI is intended to provide a framework that supports a range of trust and hierarchy environments and a range of usage environments. PKIX specifies (a) profiles of the v3 X.509 public-key certificate standards and the v2 X.509 CRL standards for the Internet, (b) operational protocols used by relying parties to obtain information such as certificates or certificate status, (c) management protocols used by system entities to exchange information needed for proper management of the PKI, and (d) information about certificate policies and CPSs, covering the areas of PKI security not directly addressed in the rest of PKIX.

教程:PKIX的目标是促进在多个Internet应用程序中使用X.509公钥证书,并促进使用这些证书的不同实现之间的互操作性。由此产生的PKI旨在提供一个支持一系列信任和层次结构环境以及一系列使用环境的框架。PKIX规定了(a)用于互联网的v3 X.509公钥证书标准和v2 X.509 CRL标准的配置文件,(b)依赖方用于获取证书或证书状态等信息的操作协议,(c)系统实体用于交换正确管理PKI所需信息的管理协议,以及(d)关于证书策略和CP的信息,涵盖PKI安全领域,PKIX的其余部分未直接涉及。

$ plain text 1. (I) /noun/ Data that is input to an encryption process. (See: plaintext. Compare: cipher text, clear text.)

$ 纯文本1。(一) /noon/输入到加密过程的数据。(请参阅:明文。比较:密文和明文。)

2. (D) /noun/ Synonym for "clear text".

2. (D) /noun/是“明文”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "clear text". Sometimes plain text that is input to an encryption operation is clear text, but other times plain text is cipher text that was output from a previous encryption operation. (See: superencryption.)

不推荐使用的定义:IDOCs不应将此术语用作“明文”的同义词。有时,输入到加密操作的纯文本是明文,但有时,纯文本是从以前的加密操作输出的密文。(请参阅:超级加密。)

$ plaintext 1. (O) /noun/ Synonym for "plain text".

$ 纯文本1。(O) /noun/纯文本的同义词。

2. (I) /adjective/ Referring to plain text. Usage: Commonly used instead of "plain-text". (Compare: ciphertext, cleartext.)

2. (一) /形容词/指纯文本。用法:常用而非“纯文本”。(比较:密文、明文。)

3. (D) /noun/ Synonym for "cleartext".

3. (D) /noun/是“明文”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "cleartext". Cleartext data is, by definition, not encrypted; but plaintext data that is input to an encryption operation may be

不推荐使用的定义:IDOCs不应将此术语用作“明文”的同义词。根据定义,明文数据是不加密的;但输入到加密操作的明文数据可能是

cleartext data or may be ciphertext data that was output from a previous encryption operation. (See: superencryption.)

明文数据或可能是先前加密操作输出的密文数据。(请参阅:超级加密。)

$ PLI (I) See: Private Line Interface.

$ PLI(I)见:专用线路接口。

$ PMA (N) See: policy management authority.

$ PMA(N)请参阅:策略管理权限。

$ Point-to-Point Protocol (PPP) (I) An Internet Standard protocol (RFC 1661) for encapsulation and full-duplex transportation of protocol data packets in OSIRM Layer 3 over an OSIRM Layer 2 link between two peers, and for multiplexing different Layer 3 protocols over the same link. Includes optional negotiation to select and use a peer entity authentication protocol to authenticate the peers to each other before they exchange Layer 3 data. (See: CHAP, EAP, PAP.)

$ 点对点协议(PPP)(I)一种互联网标准协议(RFC 1661),用于通过两个对等方之间的OSIRM第2层链路封装和全双工传输OSIRM第3层中的协议数据包,以及在同一链路上复用不同的第3层协议。包括可选协商,以选择并使用对等实体身份验证协议,在对等实体交换第3层数据之前相互验证对等实体。(见:第章,EAP,PAP)

$ Point-to-Point Tunneling Protocol (PPTP) (I) An Internet client-server protocol (RFC 2637) (originally developed by Ascend and Microsoft) that enables a dial-up user to create a virtual extension of the dial-up link across a network by tunneling PPP over IP. (See: L2TP.)

$ 点对点隧道协议(PPTP)(I)互联网客户端-服务器协议(RFC 2637)(最初由Ascend和Microsoft开发),允许拨号用户通过IP隧道PPP在网络上创建拨号链路的虚拟扩展。(请参阅:L2TP。)

Tutorial: PPP can encapsulate any IPS Network Interface Layer protocol or OSIRM Layer 3 protocol. Therefore, PPTP does not specify security services; it depends on protocols above and below it to provide any needed security. PPTP makes it possible to divorce the location of the initial dial-up server (i.e., the PPTP Access Concentrator, the client, which runs on a special-purpose host) from the location at which the dial-up protocol (PPP) connection is terminated and access to the network is provided (i.e., at the PPTP Network Server, which runs on a general-purpose host).

教程:PPP可以封装任何IPS网络接口层协议或OSIRM第3层协议。因此,PPTP没有指定安全服务;它依赖于上面和下面的协议来提供所需的安全性。PPTP使初始拨号服务器(即PPTP访问集中器、运行在专用主机上的客户端)的位置与拨号协议(PPP)连接终止和提供网络访问的位置分离成为可能(即,在通用主机上运行的PPTP网络服务器上)。

$ policy 1a. (I) A plan or course of action that is stated for a system or organization and is intended to affect and direct the decisions and deeds of that entity's components or members. (See: security policy.)

$ 政策1a。(一) 为一个系统或组织制定的计划或行动方针,旨在影响和指导该实体组成部分或成员的决策和行为。(请参阅:安全策略。)

1b. (O) A definite goal, course, or method of action to guide and determine present and future decisions, that is implemented or executed within a particular context, such as within a business unit. [R3198]

1b。(O) 指导和确定当前和未来决策的明确目标、过程或行动方法,在特定环境中实施或执行,如在业务单元内。[R3198]

Deprecated Abbreviation: IDOCs SHOULD NOT use "policy" as an abbreviation of either "security policy" or "certificate policy".

不推荐使用的缩写:IDOC不应使用“策略”作为“安全策略”或“证书策略”的缩写。

Instead, to avoid misunderstanding, use a fully qualified term, at least at the point of first usage.

相反,为了避免误解,使用完全限定的术语,至少在第一次使用时。

Tutorial: The introduction of new technology to replace traditional systems can result in new systems being deployed without adequate policy definition and before the implications of the new technology are fully understand. In some cases, it can be difficult to establish policies for new technology before the technology has been operationally tested and evaluated. Thus, policy changes tend to lag behind technological changes, such that either old policies impede the technical innovation, or the new technology is deployed without adequate policies to govern its use.

教程:引入新技术来取代传统系统可能会导致在没有充分的策略定义和充分理解新技术的含义之前部署新系统。在某些情况下,在对新技术进行操作测试和评估之前,很难制定新技术政策。因此,政策变化往往滞后于技术变化,要么旧政策阻碍了技术创新,要么新技术的部署没有足够的政策来管理其使用。

When new technology changes the ways that things are done, new "procedures" must be defined to establish operational guidelines for using the technology and achieving satisfactory results, and new "practices" must be established for managing new systems and monitoring results. Practices and procedures are more directly coupled to actual systems and business operations than are polices, which tend to be more abstract. - "Practices" define how a system is to be managed and what controls are in place to monitor the system and detect abnormal behavior or quality problems. Practices are established to ensure that a system is managed in compliance with stated policies. System audits are primarily concerned with whether or not practices are being followed. Auditors evaluate the controls to make sure they conform to accepted industry standards, and then confirm that controls are in place and that control measurements are being gathered. Audit trails are examples of control measurements that are recorded as part of system operations. - "Procedures" define how a system is operated, and relate closely to issues of what technology is used, who the operators are, and how the system is deployed physically. Procedures define both normal and abnormal operating circumstances. - For every control defined by a practice statement, there should be corresponding procedures to implement the control and provide ongoing measurement of the control parameters. Conversely, procedures require management practices to insure consistent and correct operational behavior.

当新技术改变了工作方式时,必须定义新的“程序”,以建立使用该技术和取得令人满意结果的操作指南,并且必须建立新的“实践”,以管理新系统和监测结果。与政策相比,实践和程序更直接地耦合到实际系统和业务操作,而政策往往更抽象。-“实践”定义了系统的管理方式,以及监控系统和检测异常行为或质量问题的控制措施。建立实践以确保系统按照规定的政策进行管理。系统审核主要关注是否遵循实践。审核员对控制措施进行评估,以确保其符合公认的行业标准,然后确认控制措施已到位,并且正在收集控制措施。审计跟踪是作为系统操作一部分记录的控制测量示例。-“程序”定义了系统的操作方式,并与使用什么技术、操作员是谁以及系统的物理部署方式等问题密切相关。程序定义了正常和异常操作情况。-对于实践声明中定义的每个控制,应具有相应的程序来实施控制,并提供控制参数的持续测量。相反,程序需要管理实践来确保一致和正确的操作行为。

$ policy approval authority (D) /PKI/ Synonym for "policy management authority". [PAG]

$ 政策审批机构(D)/PKI/同义词“政策管理机构”。[页码]

Deprecated Term: IDOCs SHOULD NOT use this term as synonym for "policy management authority". The term suggests a limited, passive role that is not typical of PMAs.

不推荐使用的术语:IDOC不应将此术语用作“策略管理机构”的同义词。这一术语暗示了一种有限的、被动的角色,而这种角色在PMA中并不常见。

$ policy approving authority (PAA) (O) /MISSI/ The top-level signing authority of a MISSI certification hierarchy. The term refers both to that authoritative office or role and to the person who plays that role. (See: policy management authority, root registry.)

$ 政策批准机构(PAA)(O)/MSI/MSI认证体系的顶级签署机构。该术语既指该权威机构或角色,也指扮演该角色的人。(请参阅:策略管理机构,根注册表。)

Tutorial: A MISSI PAA (a) registers MISSI PCAs and signs their X.509 public-key certificates, (b) issues CRLs but does not issue a CKL, and (c) may issue cross-certificates to other PAAs.

教程:MSI PAA(A)注册MSI PCA并签署其X.509公钥证书,(b)颁发CRL但不颁发CKL,以及(c)可以向其他PAA颁发交叉证书。

$ policy authority (D) /PKI/ Synonym for "policy management authority". [PAG]

$ 政策授权(D)/PKI/同义词“政策管理授权”。[页码]

Deprecated Term: IDOCs SHOULD NOT use this term as synonym for "policy management authority". The term is unnecessarily vague and thus may be confused with other PKI entities, such as CAs and RAs, that enforce of apply various aspects of PKI policy.

不推荐使用的术语:IDOC不应将此术语用作“策略管理机构”的同义词。该术语不必要地含糊不清,因此可能与强制实施或应用PKI策略各个方面的其他PKI实体(如CA和RAs)混淆。

$ policy certification authority (Internet PCA) (I) An X.509-compliant CA at the second level of the Internet certification hierarchy, under the IPRA. Each PCA operates under its published security policy (see: certificate policy, CPS) and within constraints established by the IPRA for all PCAs. [R1422]. (See: policy creation authority.)

$ 政策认证机构(互联网PCA)(I)在IPRA下的互联网认证层次结构的第二级上的符合X.509的CA。每个PCA在其发布的安全策略(见:证书策略,CPS)下运行,并在IPRA为所有PCA建立的约束范围内运行。[R1422]。(请参阅:策略创建权限。)

$ policy creation authority (MISSI PCA) (O) /MISSI/ The second level of a MISSI certification hierarchy; the administrative root of a security policy domain of MISSI users and other, subsidiary authorities. The term refers both to that authoritative office or role and to the person who fills that office. (See: policy certification authority.)

$ 策略创建机构(MSI PCA)(O)/MSI/MSI认证体系的第二级;MSI用户和其他附属机构的安全策略域的管理根。该术语既指该权威职位或角色,也指填补该职位的人员。(请参阅:策略证书颁发机构。)

Tutorial: A MISSI PCA's certificate is issued by a PAA. The PCA registers the CAs in its domain, defines their configurations, and issues their X.509 public-key certificates. (The PCA may also issue certificates for SCAs, ORAs, and other end entities, but a PCA does not usually do this.) The PCA periodically issues CRLs and CKLs for its domain.

教程:MSI PCA的证书由PAA颁发。PCA在其域中注册CA,定义其配置,并颁发X.509公钥证书。(PCA也可以为SCA、ORA和其他终端实体颁发证书,但PCA通常不会这样做。)PCA定期为其域颁发CRL和CKL。

$ policy management authority (PMA) (I) /PKI/ A person, role, or organization within a PKI that is responsible for (a) creating or approving the content of the certificate policies and CPSs that are used in the PKI; (b) ensuring the administration of those policies; and (c) approving any cross-certification or interoperability agreements with CAs external to the PKI and any related policy mappings. The PMA may also be the accreditor for the PKI as a whole or for some of its

$ 策略管理机构(PMA)(I)/PKI/PKI中负责(A)创建或批准PKI中使用的证书策略和CP内容的个人、角色或组织;(b) 确保这些政策的执行;以及(c)批准与PKI之外的CA签订的任何交叉认证或互操作性协议以及任何相关的策略映射。PMA也可以是PKI整体或部分PKI的认证机构

components or applications. [DoD9, PAG] (See: policy approving authority.)

组件或应用程序。[DoD9,PAG](参见:政策审批机构。)

Example: In the U.S. Department of Defense, an organization called the Policy Management Authority is responsible for DoD PKI [DoD9].

示例:在美国国防部,一个名为策略管理局的组织负责DoD PKI[DoD9]。

$ policy mapping (I) "Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain." [X509]

$ 策略映射(I)“认识到,当一个域中的CA认证另一个域中的CA时,第一个域的机构可能会认为第二个域中的特定证书策略与第一个域中的特定证书策略等效(但不一定在所有方面完全相同)。[X509]

$ policy rule (I) A building block of a security policy; it (a) defines a set of system conditions and (b) specifies a set of system actions that are to be performed if those conditions occur. [R3198]

$ 策略规则(I)安全策略的构建块;它(a)定义了一组系统条件,并且(b)指定了在这些条件发生时要执行的一组系统动作。[R3198]

$ POP3 (I) See: Post Office Protocol, version 3.

$ POP3(I)见:邮局协议,第3版。

$ POP3 APOP (I) A POP3 command (better described as a transaction type, or subprotocol) by which a POP3 client optionally uses a keyed hash (based on MD5) to authenticate itself to a POP3 server and, depending on the server implementation, to protect against replay attacks. (See: CRAM, POP3 AUTH, IMAP4 AUTHENTICATE.)

$ POP3 APOP(I)一个POP3命令(更好地描述为事务类型或子策略),POP3客户机可通过该命令选择使用密钥散列(基于MD5)向POP3服务器进行身份验证,并根据服务器的实现防止重播攻击。(请参阅:CRAM、POP3身份验证、IMAP4身份验证。)

Tutorial: The server includes a unique time stamp in its greeting to the client. The subsequent APOP command sent by the client to the server contains the client's name and the hash result of applying MD5 to a string formed from both the time stamp and a shared secret value that is known only to the client and the server. APOP was designed to provide an alternative to using POP3's USER and PASS (i.e., password) command pair, in which the client sends a cleartext password to the server.

教程:服务器在向客户端致意时包含一个唯一的时间戳。客户机发送到服务器的后续APOP命令包含客户机的名称以及将MD5应用于由时间戳和共享秘密值组成的字符串的哈希结果,该字符串仅为客户机和服务器所知。APOP旨在提供一种替代使用POP3的用户和密码(即密码)命令对的方法,在该命令对中,客户端向服务器发送明文密码。

$ POP3 AUTH (I) A POP3 command [R1734] (better described as a transaction type, or subprotocol) by which a POP3 client optionally proposes a mechanism to a POP3 server to authenticate the client to the server and provide other security services. (See: POP3 APOP, IMAP4 AUTHENTICATE.)

$ POP3 AUTH(I)POP3命令[R1734](更好地描述为事务类型或子策略),通过该命令,POP3客户端可以选择向POP3服务器提出一种机制,以向服务器验证客户端并提供其他安全服务。(请参阅:POP3 APOP、IMAP4。)

Tutorial: If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for

教程:如果服务器接受该建议,则该命令后面将执行质询-响应身份验证协议,并(可选)协商一个请求的保护机制

subsequent POP3 interactions. The security mechanisms used by POP3 AUTH are those used by IMAP4.

随后的POP3相互作用。POP3 AUTH使用的安全机制是IMAP4使用的安全机制。

$ port scan (I) A technique that sends client requests to a range of service port addresses on a host. (See: probe. Compare: ping sweep.)

$ 端口扫描(I)将客户端请求发送到主机上一系列服务端口地址的技术。(请参见:探测。比较:ping扫描。)

Tutorial: A port scan can be used for pre-attack surveillance, with the goal of finding an active port and subsequently exploiting a known vulnerability of that port's service. A port scan can also be used as a flooding attack.

教程:端口扫描可用于攻击前监视,目标是找到活动端口,然后利用该端口服务的已知漏洞。端口扫描也可以用作泛洪攻击。

$ positive authorization (I) The principle that a security architecture should be designed so that access to system resources is permitted only when explicitly granted; i.e., in the absence of an explicit authorization that grants access, the default action shall be to refuse access. (See: authorization, access.)

$ 积极授权(I)安全体系结构的设计原则,即只有在明确授权时才允许访问系统资源;i、 例如,在没有授予访问权限的明确授权的情况下,默认操作应为拒绝访问。(请参阅:授权、访问。)

$ POSIX (N) Portable Operating System Interface for Computer Environments, a standard [FP151, I9945] (originally IEEE Standard P1003.1) that defines an operating system interface and environment to support application portability at the source code level. It is intended to be used by both application developers and system implementers.

$ POSIX(N)用于计算机环境的便携式操作系统接口,一种标准[FP151,I9945](最初为IEEE标准P1003.1),定义了操作系统接口和环境,以支持源代码级别的应用程序可移植性。它旨在供应用程序开发人员和系统实现人员使用。

Tutorial: P1003.1 supports security functionality like that on most UNIX systems, including discretionary access control and privileges. IEEE Draft Standard P1003.6 specifies additional functionality not provided in the base standard, including (a) discretionary access control, (b) audit trail mechanisms, (c) privilege mechanisms, (d) mandatory access control, and (e) information label mechanisms.

教程:P1003.1支持与大多数UNIX系统类似的安全功能,包括自主访问控制和权限。IEEE标准草案P1003.6规定了基础标准中未提供的附加功能,包括(a)自主访问控制,(b)审计跟踪机制,(c)特权机制,(d)强制访问控制,以及(e)信息标签机制。

$ Post Office Protocol, version 3 (POP3) (I) An Internet Standard protocol (RFC 1939) by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client. (See: IMAP4.)

$ 邮局协议,第3版(POP3)(I)互联网标准协议(RFC 1939),通过该协议,客户端工作站可以动态访问服务器主机上的邮箱,以检索服务器已接收并为客户端保留的邮件。(请参阅:IMAP4。)

Tutorial: POP3 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: POP3 APOP, POP3 AUTH.)

教程:POP3有一些机制,可以选择性地向服务器验证客户端,并提供其他安全服务。(请参见:POP3 APOP,POP3 AUTH。)

$ PPP (I) See: Point-to-Point Protocol.

$ PPP(I)见:点对点协议。

$ PPTP (I) See: Point-to-Point Tunneling Protocol.

$ PPTP(I)见:点对点隧道协议。

$ preauthorization (N) /PKI/ A CAW feature that enables certification requests to be automatically validated against data provided in advance to the CA by an authorizing entity.

$ 预授权(N)/PKI/A CAW功能,允许根据授权实体提前向CA提供的数据自动验证认证请求。

$ precedence 1. (I) /information system/ A ranking assigned to events or data objects that determines the relative order in which they are processed.

$ 优先权1。(一) /信息系统/分配给事件或数据对象的一种排名,确定处理事件或数据对象的相对顺序。

2. (N) /communication system/ A designation assigned to a communication (i.e., packet, message, data stream, connection, etc.) by the originator to state the importance or urgency of that communication versus other communications, and thus indicate to the transmission system the relative order of handling, and indicate to the receiver the order in which the communication is to be noted. [F1037] (See: availability, critical, preemption.)

2. (N) /通信系统/由发起者分配给通信(即,数据包、消息、数据流、连接等)的名称,用于说明该通信相对于其他通信的重要性或紧迫性,从而向传输系统指示处理的相对顺序,并向接收器指示通信的记录顺序。[F1037](参见:可用性、关键性、抢占)

Example: The "Precedence" subfield of the "Type of Service" field of the IPv4 header supports the following designations (in descending order of importance): 111 Network Control, 110 Internetwork Control, 101 CRITIC/ECP (Critical Intelligence Communication/Emergency Command Precedence), 100 Flash Override, 011 Flash, 010 Immediate, 001 Priority, and 000 Routine. These designations were adopted from U.S. DoD systems that existed before ARPANET.

示例:IPv4报头的“服务类型”字段的“优先级”子字段支持以下指定(按重要性降序排列):111网络控制、110网络间控制、101批评家/ECP(关键情报通信/紧急命令优先级)、100闪存覆盖、011闪存、010立即、001优先级,和000例行程序。这些名称取自ARPANET之前存在的美国国防部系统。

$ preemption (N) The seizure, usually automatic, of system resources that are being used to serve a lower-precedence communication, in order to serve immediately a higher-precedence communication. [F1037]

$ 抢占(preemption,N):通常自动占用用于服务低优先级通信的系统资源,以便立即服务于高优先级通信。[F1037]

$ Pretty Good Privacy(trademark) (PGP(trademark)) (O) Trademarks of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet. (Compare: DKIM, MOSS, MSP, PEM, S/MIME.)

$ Network Associates,Inc.的相当好的隐私(商标)(PGP(商标))(O)商标,指的是一种计算机程序(和相关协议),它使用加密技术为电子邮件和互联网上的其他应用程序提供数据安全。(比较:DKIM、MOSS、MSP、PEM、S/MIME。)

Tutorial: PGP encrypts messages with a symmetric algorithm (originally, IDEA in CFB mode), distributes the symmetric keys by encrypting them with an asymmetric algorithm (originally, RSA), and creates digital signatures on messages with a cryptographic hash and an asymmetric encryption algorithm (originally, MD5 and RSA). To establish ownership of public keys, PGP depends on the "web of trust".

教程:PGP使用对称算法(最初,CFB模式下的IDEA)加密消息,通过使用非对称算法(最初,RSA)加密对称密钥来分发对称密钥,并使用加密哈希和非对称加密算法(最初,MD5和RSA)在消息上创建数字签名。为了建立公钥的所有权,PGP依赖于“信任网”。

$ prevention (I) See: secondary definition under "security".

$ 预防(一)见“安全”下的第二个定义。

$ primary account number (PAN) (O) /SET/ "The assigned number that identifies the card issuer and cardholder. This account number is composed of an issuer identification number, an individual account number identification, and an accompanying check digit as defined by ISO 7812-1985." [SET2, I7812] (See: bank identification number.)

$ 主账号(PAN)(O)/SET/“识别卡发卡机构和持卡人的指定号码。该账号由发卡机构识别号、个人账号识别号和ISO 7812-1985定义的附带支票数字组成。”[SET2,I7812](见:银行识别号。)

Tutorial: The PAN is embossed, encoded, or both on a magnetic-strip-based credit card. The PAN identifies the issuer to which a transaction is to be routed and the account to which it is to be applied unless specific instructions indicate otherwise. The authority that assigns the BIN part of the PAN is the American Bankers Association.

教程:PAN在基于磁条的信用卡上压印、编码或两者兼有。PAN识别交易将被路由到的发卡机构以及交易将被应用到的账户,除非特定指示另有说明。分配PAN银行标识代码部分的机构是美国银行家协会。

$ principal (I) A specific identity claimed by a user when accessing a system.

$ 主体(I)用户在访问系统时声明的特定身份。

Usage: Usually understood to be an identity that is registered in and authenticated by the system; equivalent to the notion of login account identifier. Each principal is normally assigned to a single user, but a single user may be assigned (or attempt to use) more than one principal. Each principal can spawn one or more subjects, but each subject is associated with only one principal. (Compare: role, subject, user.)

用法:通常理解为在系统中注册并由系统验证的身份;相当于登录帐户标识符的概念。每个主体通常分配给单个用户,但单个用户可能被分配(或尝试使用)多个主体。每个主体可以生成一个或多个主体,但每个主体仅与一个主体关联。(比较:角色、主题、用户。)

(I) /Kerberos/ A uniquely identified (i.e., uniquely named) client or server instance that participates in a network communication.

(一) /Kerberos/参与网络通信的唯一标识(即唯一命名)的客户端或服务器实例。

$ priority (I) /information system/ Precedence for processing an event or data object, determined by security importance or other factors. (See: precedence.)

$ 优先级(I)/信息系统/处理事件或数据对象的优先级,由安全重要性或其他因素决定。(请参阅:优先级。)

$ privacy 1. (I) The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share its personal information with others. (See: HIPAA, personal information, Privacy Act of 1974. Compare: anonymity, data confidentiality.) [FP041]

$ 隐私1。(一) 实体(通常是个人)代表自己决定其与环境互动程度的权利,包括实体愿意与他人分享其个人信息的程度。(参见:HIPAA,个人信息,1974年隐私法。比较:匿名性,数据保密性。)[FP041]

2. (O) "The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed." [I7498-2]

2. (O) “个人有权控制或影响与他们相关的信息的收集和存储,以及由谁和向谁披露这些信息。”[I7498-2]

3. (D) Synonym for "data confidentiality".

3. (D) “数据机密性”的同义词。

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "data confidentiality" or "data confidentiality service", which are different concepts. Privacy is a reason for security rather than a kind of security. For example, a system that stores personal data needs to protect the data to prevent harm, embarrassment, inconvenience, or unfairness to any person about whom data is maintained, and to protect the person's privacy. For that reason, the system may need to provide data confidentiality service.

不推荐使用的定义:IDOCs不应将此术语用作“数据机密性”或“数据机密性服务”的同义词,这是不同的概念。隐私是安全的理由,而不是一种安全。例如,存储个人数据的系统需要保护数据,以防止对维护数据的任何人造成伤害、尴尬、不便或不公平,并保护该人的隐私。因此,系统可能需要提供数据保密服务。

Tutorial: The term "privacy" is used for various separate but related concepts, including bodily privacy, territorial privacy, personal information privacy, and communication privacy. IDOCs are expected to address only communication privacy, which in this Glossary is defined primarily by "data confidentiality" and secondarily by "data integrity".

教程:“隐私”一词用于各种独立但相关的概念,包括身体隐私、领土隐私、个人信息隐私和通信隐私。IDOC仅涉及通信隐私,在本术语表中,通信隐私主要由“数据机密性”定义,其次是“数据完整性”。

IDOCs are not expected to address information privacy, but this Glossary provides definition 1 for that concept because personal information privacy is often confused with communication privacy. IDOCs are not expected to address bodily privacy or territorial privacy, and this Glossary does not define those concepts because they are not easily confused with communication privacy.

IDOC不应涉及信息隐私,但本术语表为该概念提供了定义1,因为个人信息隐私通常与通信隐私相混淆。IDOC不应涉及身体隐私或领土隐私,本术语表不定义这些概念,因为它们不容易与通信隐私混淆。

$ Privacy Act of 1974 (O) A U.S. Federal law (Section 552a of Title 5, United States Code) that seeks to balance the U.S. Government's need to maintain data about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal data. (See: privacy.)

$ 1974年《隐私法》(O)美国联邦法律(《美国法典》第5编第552a节),旨在平衡美国政府维护个人数据的需要与保护个人隐私免受联邦机构收集、维护、使用和处置不当侵犯的权利,以及披露个人资料。(见:隐私。)

Tutorial: In 1974, the U.S. Congress was concerned with the potential for abuses that could arise from the Government's increasing use of computers to store and retrieve personal data. Therefore, the Act has four basic policy objectives: - To restrict disclosure of personally identifiable records maintained by Federal agencies. - To grant individuals increased rights of access to Federal agency records maintained on themselves. - To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete. - To establish a code of "fair information practices" that requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.

教程:1974年,美国国会担心由于政府越来越多地使用计算机存储和检索个人数据而可能出现的滥用行为。因此,该法案有四个基本政策目标:-限制联邦机构保存的个人身份记录的披露。-授予个人更多的访问自己保存的联邦机构记录的权利。-授予个人权利,在证明记录不准确、不相关、不及时或不完整时,要求修改保存在自己身上的机构记录。-建立“公平信息实践”准则,要求机构遵守记录收集、维护和传播的法定规范。

$ Privacy Enhanced Mail (PEM) (I) An Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail. [R1421, R1422]. (Compare: DKIM, MOSS, MSP, PGP, S/MIME.)

$ 隐私增强邮件(PEM)(I)为电子邮件提供数据保密性、数据完整性和数据来源认证的互联网协议。[R1421,R1422]。(比较:DKIM、MOSS、MSP、PGP、S/MIME。)

Tutorial: PEM encrypts messages with a symmetric algorithm (originally, DES in CBC mode), provides distribution for the symmetric keys by encrypting them with an asymmetric algorithm (originally, RSA), and signs messages with an asymmetric encryption algorithm over a cryptographic hash (originally, RSA over either MD2 or MD5). To establish ownership of public keys, PEM uses a certification hierarchy, with X.509 public-key certificates and X.509 CRLs that are signed with an asymmetric encryption algorithm over a cryptographic hash (originally, RSA over MD2).

教程:PEM使用对称算法(最初,CBC模式下的DES)对消息进行加密,通过使用非对称算法(最初,RSA)对对称密钥进行加密来分发对称密钥,并通过加密哈希(最初,MD2或MD5上的RSA)使用非对称加密算法对消息进行签名。为了建立公钥的所有权,PEM使用证书层次结构,X.509公钥证书和X.509 CRL通过加密散列(最初是RSA over MD2)通过非对称加密算法签名。

PEM is designed to be compatible with a wide range of key management methods, but is limited to specifying security services only for text messages and, like MOSS, has not been widely implemented in the Internet.

PEM旨在与多种密钥管理方法兼容,但仅限于为文本消息指定安全服务,并且与MOSS一样,尚未在Internet上广泛实施。

$ private component (I) Synonym for "private key".

$ 专用组件(I)“私钥”的同义词。

Deprecated Usage: In most cases, IDOCs SHOULD NOT use this term; instead, to avoid confusing readers, use "private key". However, the term MAY be used when discussing a key pair; e.g., "A key pair has a public component and a private component."

不推荐使用:在大多数情况下,IDOCs不应该使用这个术语;相反,为了避免混淆读者,请使用“私钥”。然而,在讨论密钥对时可以使用该术语;e、 例如,“密钥对有一个公共组件和一个私有组件。”

$ private extension (I) See: secondary definition under "extension".

$ 私人扩展(I)见“扩展”下的第二个定义。

$ private key 1. (I) The secret component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, public key, secret key.)

$ 私钥1。(一) 用于非对称加密的一对加密密钥的秘密部分。(请参阅:密钥对、公钥、私钥。)

2. (O) In a public key cryptosystem, "that key of a user's key pair which is known only by that user." [X509]

2. (O) 在公钥密码系统中,“只有该用户知道的用户密钥对的密钥。”[X509]

$ Private Line Interface (PLI) (I) The first end-to-end packet encryption system for a computer network, developed by BBN starting in 1975 for the U.S. DoD, incorporating U.S. Government-furnished, military-grade COMSEC equipment (TSEC/KG-34). [B1822] (Compare: IPLI.)

$ 专用线路接口(PLI)(I)第一个用于计算机网络的端到端数据包加密系统,由BBN从1975年开始为美国国防部开发,包括美国政府提供的军用级通信安全设备(TSEC/KG-34)。[B1822](比较:IPLI。)

$ privilege 1a. (I) /access control/ A synonym for "authorization". (See authorization. Compare: permission.)

$ 特权1a。(一) /access control/A“授权”的同义词。(请参阅授权。比较:权限。)

1b. (I) /computer platform/ An authorization to perform a security-relevant function in the context of a computer's operating system.

1b。(一) /计算机平台/在计算机操作系统上下文中执行安全相关功能的授权。

$ privilege management infrastructure (O) "The infrastructure able to support the management of privileges in support of a comprehensive authorization service and in relationship with a" PKI; i.e., processes concerned with attribute certificates. [X509]

$ 特权管理基础设施(O)“能够支持特权管理的基础设施,以支持综合授权服务,并与“PKI”相关;i、 例如,与属性证书有关的进程。[X509]

Deprecated Usage: IDOCs SHOULD NOT use this term with this definition. This definition is vague, and there is no consensus on a more specific one.

不推荐使用:IDOCs不应将此术语与此定义一起使用。这一定义是模糊的,没有就更具体的定义达成共识。

$ privileged process (I) A computer process that is authorized (and, therefore, trusted) to perform some security-relevant functions that ordinary processes are not. (See: privilege, trusted process.)

$ 特权进程(I)一种计算机进程,它被授权(并因此被信任)执行一些与安全相关的功能,而普通进程则不具备这些功能。(请参阅:权限,受信任进程。)

$ privileged user (I) An user that has access to system control, monitoring, or administration functions. (See: privilege, /UNIX/ under "root", superuser, user.)

$ 特权用户(I)可以访问系统控制、监视或管理功能的用户。(请参阅:特权,/UNIX/在“根”下,超级用户,用户。)

Tutorial: Privileged users include the following types: - Users with near or complete control of a system, who are authorized to set up and administer user accounts, identifiers, and authentication information, or are authorized to assign or change other users' access to system resources. - Users that are authorized to change control parameters (e.g., network addresses, routing tables, processing priorities) on routers, multiplexers, and other important equipment. - Users that are authorized to monitor or perform troubleshooting for a system's security functions, typically using special tools and features that are not available to ordinary users.

教程:特权用户包括以下类型:-几乎或完全控制系统的用户,他们有权设置和管理用户帐户、标识符和身份验证信息,或有权分配或更改其他用户对系统资源的访问权限。-有权更改路由器、多路复用器和其他重要设备上的控制参数(例如,网络地址、路由表、处理优先级)的用户。-有权监视或执行系统安全功能故障排除的用户,通常使用普通用户无法使用的特殊工具和功能。

$ probe (I) /verb/ A technique that attempts to access a system to learn something about the system. (See: port scan.)

$ 探测(I)/动词/一种试图访问系统以了解该系统的技术。(请参阅:端口扫描。)

Tutorial: The purpose of a probe may be offensive, e.g., an attempt to gather information for circumventing the system's protections; or the purpose may be defensive, e.g., to verify that the system is working properly.

教程:探测的目的可能具有攻击性,例如,试图收集信息以规避系统保护;或者目的可能是防御性的,例如,验证系统是否正常工作。

$ procedural security (D) Synonym for "administrative security".

$ 程序安全(D)“行政安全”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "administrative security". The term may be misleading because any type of security may involve procedures, and procedures may be either external to the system or internal. Instead, use "administrative security", "communication security", "computer security", "emanations security", "personnel security", "physical security", or whatever specific type is meant. (See: security architecture.)

不推荐使用的术语:IDOCs不应将此术语用作“管理安全性”的同义词。该术语可能具有误导性,因为任何类型的担保都可能涉及程序,程序可能是系统外部的,也可能是内部的。相反,请使用“管理安全”、“通信安全”、“计算机安全”、“辐射安全”、“人员安全”、“物理安全”或任何特定类型。(请参阅:安全体系结构。)

$ profile See: certificate profile, protection profile.

$ 配置文件请参阅:证书配置文件、保护配置文件。

$ proof-of-possession protocol (I) A protocol whereby a system entity proves to another that it possesses and controls a cryptographic key or other secret information. (See: zero-knowledge proof.)

$ 占有证明协议(I)系统实体向另一实体证明其拥有并控制加密密钥或其他秘密信息的协议。(请参阅:零知识证明。)

$ proprietary (I) Refers to information (or other property) that is owned by an individual or organization and for which the use is restricted by that entity.

$ 专有(I)是指个人或组织拥有的信息(或其他财产),其使用受到该实体的限制。

$ protected checksum (I) A checksum that is computed for a data object by means that protect against active attacks that would attempt to change the checksum to make it match changes made to the data object. (See: digital signature, keyed hash, Tutorial under "checksum".)

$ 受保护校验和(I)为数据对象计算的校验和,其方法是防止试图更改校验和以使其与对数据对象所做的更改相匹配的主动攻击。(请参阅:数字签名、密钥散列、“校验和”下的教程。)

$ protective packaging (N) "Packaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use." [C4009] (See: tamper-evident, tamper-resistant. Compare: QUADRANT.)

$ 保护性包装(N)“通信安全材料的包装技术,用于阻止渗透,显示渗透已经发生或尝试过,或在键控材料暴露使用之前禁止查看或复制键控材料。”[C4009](参见:防篡改、防篡改。比较:象限。)

$ protection authority (I) See: secondary definition under "Internet Protocol Security Option".

$ 保护机构(I)见“互联网协议安全选项”下的二级定义。

$ protection level (N) /U.S. Government/ An indication of the trust that is needed in a system's technical ability to enforce security policy for confidentiality. (Compare: /system operation/ under "mode of operation".)

$ 保护级别(N)/美国政府/表示系统执行保密安全策略的技术能力所需的信任度。(比较:/系统操作/在“操作模式”下。)

Tutorial: An organization's security policy could define protection levels that are based on comparing (a) the sensitivity of information handled by a system to (b) the authorizations of users that receive information from the system without manual intervention and reliable human review. For each level, the policy could specify security features and assurances that must be included in any system that was intended to operate at that level.

教程:组织的安全策略可以定义保护级别,其基础是比较(a)系统处理的信息的敏感度和(b)无需手动干预和可靠的人工审查即可从系统接收信息的用户的授权。对于每一个级别,该政策都可以规定在该级别运行的任何系统中必须包含的安全特性和保证。

Example: Given some set of data objects that are classified at one or more hierarchical levels and in one or more non-hierarchical categories, the following table defines five protection levels for systems that would handle that data. Beginning with PL1 and evolving to PL5, each successive level would require stronger features and assurances to handle the dataset. (See: clearance, formal access approval, and need-to-know.)

示例:给定按一个或多个分层级别和一个或多个非分层级别分类的一组数据对象,下表为处理该数据的系统定义了五个保护级别。从PL1开始,发展到PL5,每个后续级别都需要更强大的功能和保证来处理数据集。(请参阅:许可、正式访问批准和需要知道。)

             Lowest Clearance      Formal Access       Need-To-Know
              Among All Users    Approval of Users      of Users
           +-------------------+-------------------+-------------------+
      PL5  | Some user has no  | [Does not matter.]| [Does not matter.]|
      High | clearance at all. |                   |                   |
           +-------------------+-------------------+-------------------+
      PL4  | All are cleared   | [Does not matter.]| [Does not matter.]|
           | for some data.    |                   |                   |
           +-------------------+-------------------+-------------------+
      PL3  | All are cleared   | Some not approved | [Does not matter.]|
           | for all data.     | for all data.     |                   |
           +-------------------+-------------------+-------------------+
      PL2  | All are cleared   | All are approved  | Some don't need to|
           | for all data.     | for all data.     | to know all data. |
           +-------------------+-------------------+-------------------+
      PL1  | All are cleared   | All are approved  | All have a need   |
      Low  | for all data.     | for all data.     | to know all data. |
           +-------------------+-------------------+-------------------+
        
             Lowest Clearance      Formal Access       Need-To-Know
              Among All Users    Approval of Users      of Users
           +-------------------+-------------------+-------------------+
      PL5  | Some user has no  | [Does not matter.]| [Does not matter.]|
      High | clearance at all. |                   |                   |
           +-------------------+-------------------+-------------------+
      PL4  | All are cleared   | [Does not matter.]| [Does not matter.]|
           | for some data.    |                   |                   |
           +-------------------+-------------------+-------------------+
      PL3  | All are cleared   | Some not approved | [Does not matter.]|
           | for all data.     | for all data.     |                   |
           +-------------------+-------------------+-------------------+
      PL2  | All are cleared   | All are approved  | Some don't need to|
           | for all data.     | for all data.     | to know all data. |
           +-------------------+-------------------+-------------------+
      PL1  | All are cleared   | All are approved  | All have a need   |
      Low  | for all data.     | for all data.     | to know all data. |
           +-------------------+-------------------+-------------------+
        

Each of these protection levels can be viewed as being equivalent to one or more modes of system operation defined in this Glossary: - PL5 is equivalent to multilevel security mode. - PL4 is equivalent to either multilevel or compartmented security mode, depending on the details of users' clearances. - PL3 is equivalent to partitioned security mode. - PL2 is equivalent to system-high security mode. - PL1 is equivalent to dedicated security mode.

这些保护级别中的每一个都可以被视为等同于本术语表中定义的一个或多个系统运行模式:-PL5相当于多级安全模式。-PL4相当于多级或分区安全模式,具体取决于用户许可的详细信息。-PL3相当于分区安全模式。-PL2相当于系统高安全模式。-PL1相当于专用安全模式。

$ protection profile (N) /Common Criteria/ An implementation-independent set of security requirements for a category of targets of evaluation that

$ 保护配置文件(N)/通用标准/针对一类评估目标的独立于实施的一套安全要求

meet specific consumer needs. [CCIB] Example: [IDSAN]. (See: target of evaluation. Compare: certificate profile, package.)

满足特定的消费者需求。[CCIB]示例:[IDSAN]。(请参阅:评估目标。比较:证书配置文件,包。)

Tutorial: A protection profile (PP) is the kind of document used by consumers to specify functional requirements they want in a product, and a security target (ST) is the kind of document used by vendors to make functional claims about a product.

教程:保护配置文件(PP)是消费者用来指定他们想要的产品功能需求的文档,而安全目标(ST)是供应商用来对产品进行功能声明的文档。

A PP is intended to be a reusable statement of product security needs, which are known to be useful and effective, for a set of information technology security products that could be built. A PP contains a set of security requirements, preferably taken from the catalogs in Parts 2 and 3 of the Common Criteria, and should include an EAL. A PP could be developed by user communities, product developers, or any other parties interested in defining a common set of requirements.

PP是一种可重用的产品安全需求声明,对于可以构建的一组信息技术安全产品来说,它是有用且有效的。PP包含一组安全要求,最好取自通用标准第2部分和第3部分的目录,并应包括EAL。PP可以由用户社区、产品开发人员或对定义公共需求集感兴趣的任何其他方开发。

$ protection ring (I) One of a hierarchy of privileged operation modes of a system that gives certain access rights to processes authorized to operate in that mode. (See: Multics.)

$ 保护环(I)系统特权操作模式层次结构中的一种,它向授权在该模式下操作的进程授予某些访问权限。(请参阅:Multics。)

$ protective distribution system (PDS) (N) A wireline or fiber-optic communication system used to transmit cleartext classified information through an area of lesser classification or control. [N7003]

$ 保护性分配系统(PDS)(N):一种有线或光纤通信系统,用于通过较低分类或控制的区域传输明文分类信息。[N7003]

$ protocol 1a. (I) A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. Example: Internet Protocol.

$ 第1a号议定书。(一) 用于实现和控制系统之间某种类型的关联(如通信)的一组规则(即格式和程序)。例如:因特网协议。

1b. (I) A series of ordered computing and communication steps that are performed by two or more system entities to achieve a joint objective. [A9042]

1b。(一) 由两个或多个系统实体为实现联合目标而执行的一系列有序计算和通信步骤。[A9042]

$ protocol control information (PCI) (N) See: secondary definition under "protocol data unit".

$ 协议控制信息(PCI)(N)参见“协议数据单元”下的二级定义。

$ protocol data unit (PDU) (N) A data packet that is defined for peer-to-peer transfers in a protocol layer.

$ 协议数据单元(PDU)(N)为协议层中的对等传输定义的数据包。

Tutorial: A PDU consists of two disjoint subsets of data: the SDU and the PCI. (Although these terms -- PDU, SDU, and PCI -- originated in the OSIRM, they are also useful and permissible in an IPS context.)

教程:PDU由两个不相交的数据子集组成:SDU和PCI。(尽管这些术语——PDU、SDU和PCI——起源于OSIRM,但它们在IPS上下文中也是有用且允许的。)

- The "service data unit" (SDU) in a packet is data that the protocol transfers between peer protocol entities on behalf of the users of that layer's services. For Layers 1 through 6, the layer's users are peer protocol entities at a higher layer; for Layer 7, the users are application entities outside the scope of the OSIRM. - The "protocol control information" (PCI) in a packet is data that peer protocol entities exchange between themselves to control their joint operation of the layer.

- 数据包中的“服务数据单元”(SDU)是协议代表该层服务的用户在对等协议实体之间传输的数据。对于第1层到第6层,该层的用户是更高层的对等协议实体;对于第7层,用户是OSIRM范围之外的应用程序实体。-数据包中的“协议控制信息”(PCI)是对等协议实体之间交换的数据,以控制其层的联合操作。

$ protocol suite (I) A complementary collection of communication protocols used in a computer network. (See: IPS, OSI.)

$ 协议套件(I)计算机网络中使用的通信协议的补充集合。(见:IPS,OSI)

$ proxy 1. (I) A computer process that acts on behalf of a user or client.

$ 代理1。(一) 代表用户或客户机的计算机进程。

2. (I) A computer process -- often used as, or as part of, a firewall -- that relays application transactions or a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. (See: SOCKS.)

2. (一) 一种计算机进程,通常用作防火墙或防火墙的一部分,通过在客户端看来是服务器,在服务器上看起来是客户端,在客户端和服务器计算机系统之间传递应用程序事务或协议。(见:袜子。)

Tutorial: In a firewall, a proxy server usually runs on a bastion host, which may support proxies for several applications and protocols (e.g., FTP, HTTP, and TELNET). Instead of a client in the protected enclave connecting directly to an external server, the internal client connects to the proxy server, which in turn connects to the external server. The proxy server waits for a request from inside the firewall, forwards the request to the server outside the firewall, gets the response, then sends the response back to the client. The proxy may be transparent to the clients, or they may need to connect first to the proxy server, and then use that association to also initiate a connection to the real server.

教程:在防火墙中,代理服务器通常运行在bastion主机上,该主机可能支持多个应用程序和协议(例如FTP、HTTP和TELNET)的代理。内部客户端连接到代理服务器,代理服务器又连接到外部服务器,而不是受保护的enclave中的客户端直接连接到外部服务器。代理服务器等待来自防火墙内部的请求,将请求转发到防火墙外部的服务器,获取响应,然后将响应发送回客户端。代理可能对客户端是透明的,或者客户端可能需要首先连接到代理服务器,然后使用该关联来启动到真实服务器的连接。

Proxies are generally preferred over SOCKS for their ability to perform caching, high-level logging, and access control. A proxy can provide security service beyond that which is normally part of the relayed protocol, such as access control based on peer entity authentication of clients, or peer entity authentication of servers when clients do not have that ability. A proxy at OSIRM Layer 7 can also provide finer-grained security service than can a filtering router at Layer 3. For example, an FTP proxy could permit transfers out of, but not into, a protected network.

代理通常优于SOCKS,因为它们能够执行缓存、高级日志记录和访问控制。代理可以提供超出中继协议正常部分的安全服务,例如基于客户端的对等实体身份验证的访问控制,或者当客户端不具备该能力时服务器的对等实体身份验证。OSIRM第7层的代理也可以提供比第3层的过滤路由器更细粒度的安全服务。例如,FTP代理可以允许从受保护的网络进行传输,但不允许传输到受保护的网络。

$ proxy certificate (I) An X.509 public-key certificate derived from an end-entity certificate, or from another proxy certificate, for the purpose of establishing proxies and delegating authorizations in the context of a PKI-based authentication system. [R3820]

$ 代理证书(I)从终端实体证书或另一个代理证书派生的X.509公钥证书,用于在基于PKI的认证系统中建立代理和授权。[R3820]

Tutorial: A proxy certificate has the following properties: - It contains a critical extension that (a) identifies it as a proxy certificate and (b) may contain a certification path length constraint and policy constraints. - It contains the public component of a key pair that is distinct from that associated with any other certificate. - It is signed by the private component of a key pair that is associated with an end-entity certificate or another proxy certificate. - Its associated private key can be used to sign only other proxy certificates (not end-entity certificates). - Its "subject" DN is derived from its "issuer" DN and is unique. - Its "issuer" DN is the "subject" DN of an end-entity certificate or another proxy certificate.

教程:代理证书具有以下属性:-它包含一个关键扩展,该扩展(A)将其标识为代理证书,(b)可能包含证书路径长度约束和策略约束。-它包含与任何其他证书关联的密钥对不同的公钥组件。-它由与终端实体证书或其他代理证书关联的密钥对的私有组件签名。-其关联私钥只能用于签署其他代理证书(而不是最终实体证书)。-其“主体”DN源自其“发行人”DN,并且是唯一的。-其“颁发者”DN是最终实体证书或其他代理证书的“主体”DN。

$ pseudorandom (I) A sequence of values that appears to be random (i.e., unpredictable) but is actually generated by a deterministic algorithm. (See: compression, random, random number generator.)

$ 伪随机(I)看似随机(即不可预测)但实际上由确定性算法生成的值序列。(请参见:压缩、随机、随机数生成器。)

$ pseudorandom number generator (I) See: secondary definition under "random number generator".

$ 伪随机数发生器(I)见“随机数发生器”下的二级定义。

$ public component (I) Synonym for "public key".

$ 公共部分(I)“公钥”的同义词。

Deprecated Usage: In most cases, IDOCs SHOULD NOT use this term; to avoid confusing readers, use "private key" instead. However, the term MAY be used when discussing a key pair; e.g., "A key pair has a public component and a private component."

不推荐使用:在大多数情况下,IDOCs不应该使用这个术语;为避免混淆读者,请改用“私钥”。然而,在讨论密钥对时可以使用该术语;e、 例如,“密钥对有一个公共组件和一个私有组件。”

$ public key 1. (I) The publicly disclosable component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair. Compare: private key.)

$ 公钥1。(一) 用于非对称加密的一对加密密钥中可公开披露的部分。(请参见:密钥对。比较:私钥。)

2. (O) In a public key cryptosystem, "that key of a user's key pair which is publicly known." [X509]

2. (O) 在公钥密码系统中,“用户密钥对中公开的密钥。”[X509]

$ public-key certificate 1. (I) A digital certificate that binds a system entity's identifier to a public key value, and possibly to additional, secondary data items; i.e., a digitally signed data structure that attests to the ownership of a public key. (See: X.509 public-key certificate.)

$ 公钥证书1。(一) 一种数字证书,将系统实体的标识符绑定到公钥值,并可能绑定到附加的辅助数据项;i、 例如,一种数字签名的数据结构,证明公钥的所有权。(请参阅:X.509公钥证书。)

2. (O) "The public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it." [X509]

2. (O) “用户的公钥以及一些其他信息,通过使用颁发它的证书颁发机构的私钥进行加密而变得不可伪造。”[X509]

Tutorial: The digital signature on a public-key certificate is unforgeable. Thus, the certificate can be published, such as by posting it in a directory, without the directory having to protect the certificate's data integrity.

教程:公钥证书上的数字签名是不可伪造的。因此,可以发布证书,例如将其发布到目录中,而目录不必保护证书的数据完整性。

$ public-key cryptography (I) Synonym for "asymmetric cryptography".

$ 公钥密码术(I)“非对称密码术”的同义词。

$ Public-Key Cryptography Standards (PKCS) (N) A series of specifications published by RSA Laboratories for data structures and algorithms used in basic applications of asymmetric cryptography. [PKCS] (See: PKCS #5 through PKCS #11.)

$ 公钥密码标准(PKCS)(N)RSA实验室发布的一系列规范,用于非对称密码基本应用中的数据结构和算法。[PKCS](见:PKCS#5至PKCS#11)

Tutorial: The PKCS were begun in 1991 in cooperation with industry and academia, originally including Apple, Digital, Lotus, Microsoft, Northern Telecom, Sun, and MIT. Today, the specifications are widely used, but they are not sanctioned by an official standards organization, such as ANSI, ITU-T, or IETF. RSA Laboratories retains sole decision-making authority over the PKCS.

教程:PKC于1991年开始与业界和学术界合作,最初包括苹果、数字、莲花、微软、北方电信、Sun和麻省理工学院。今天,规范被广泛使用,但它们没有得到官方标准组织的认可,如ANSI、ITU-T或IETF。RSA Laboratories保留对PKCS的唯一决策权。

$ public-key forward secrecy (PFS) (I) For a key-agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. (See: Usage note and other discussion under "perfect forward secrecy".)

$ 公钥前向保密(PFS)(I)对于基于非对称加密的密钥协商协议,确保从一组长期公钥和私钥派生的会话密钥在将来其中一个私钥被泄露时不会被泄露的属性。(请参阅“完美正向保密”下的使用说明和其他讨论。)

$ public-key Kerberos (I) See: Tutorial under "Kerberos", PKINIT.

$ 公钥Kerberos(I)参见“Kerberos”下的教程,PKINIT。

$ public-key infrastructure (PKI) 1. (I) A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography. (See: hierarchical PKI, mesh PKI, security management infrastructure, trust-file PKI.)

$ 公钥基础设施(PKI)1。(一) 在非对称加密应用程序中,为用户社区执行一组证书管理、归档管理、密钥管理和令牌管理功能的CA系统(以及可选的RAs和其他支持服务器和代理)。(请参阅:分层PKI、网状PKI、安全管理基础架构、信任文件PKI。)

2. (I) /PKIX/ The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

2. (一) /PKIX/基于非对称加密技术创建、管理、存储、分发和吊销数字证书所需的一组硬件、软件、人员、策略和过程。

Tutorial: The core PKI functions are (a) to register users and issue their public-key certificates, (b) to revoke certificates when required, and (c) to archive data needed to validate certificates at a much later time. Key pairs for data confidentiality may be generated (and perhaps escrowed) by CAs or RAs, but requiring a PKI client to generate its own digital signature key pair helps maintain system integrity of the cryptographic system, because then only the client ever possesses the private key it uses. Also, an authority may be established to approve or coordinate CPSs, which are security policies under which components of a PKI operate.

教程:PKI的核心功能是(a)注册用户并颁发他们的公钥证书,(b)在需要时撤销证书,以及(c)在以后很长时间内归档验证证书所需的数据。用于数据保密的密钥对可以由CAs或RAs生成(或者托管),但要求PKI客户端生成其自己的数字签名密钥对有助于维护加密系统的系统完整性,因为只有客户端才拥有其使用的私钥。此外,还可以建立一个机构来批准或协调CPS,CPS是PKI组件运行所依据的安全策略。

A number of other servers and agents may support the core PKI, and PKI clients may obtain services from them, such as certificate validation services. The full range of such services is not yet fully understood and is evolving, but supporting roles may include archive agent, certified delivery agent, confirmation agent, digital notary, directory, key escrow agent, key generation agent, naming agent who ensures that issuers and subjects have unique identifiers within the PKI, repository, ticket-granting agent, time-stamp agent, and validation agent.

许多其他服务器和代理可以支持核心PKI,PKI客户端可以从它们那里获得服务,例如证书验证服务。此类服务的全部范围尚未完全了解,并且正在发展,但支持角色可能包括存档代理、认证交付代理、确认代理、数字公证人、目录、密钥托管代理、密钥生成代理、命名代理,以确保发行人和主体在PKI、存储库和,票证授予代理、时间戳代理和验证代理。

$ purge 1. (I) Synonym for "erase".

$ 吹扫1。(一) “擦除”的同义词。

2. (O) /U.S. Government/ Use degaussing or other methods to render magnetically stored data unusable and irrecoverable by any means, including laboratory methods. [C4009] (Compare: /U.S. Government/ erase.)

2. (O) /美国政府/使用消磁或其他方法,以任何方式(包括实验室方法)使磁存储数据不可用和不可恢复。[C4009](比较:/U.S.政府/删除)

$ QUADRANT (O) /U.S. Government/ Short name for technology and methods that protect cryptographic equipment by making the equipment tamper-resistant. [C4009] (Compare: protective packaging, TEMPEST.)

$ 象限(O)/美国政府/通过使设备抗篡改来保护加密设备的技术和方法的简称。[C4009](比较:保护性包装,TEMPEST。)

Tutorial: Equipment cannot be made completely tamper-proof, but it can be made tamper-resistant or tamper-evident.

教程:设备不能完全防篡改,但可以防篡改或防篡改。

$ qualified certificate (I) A public-key certificate that has the primary purpose of identifying a person with a high level of assurance, where the certificate meets some qualification requirements defined by an applicable legal framework, such as the European Directive on Electronic Signature. [R3739]

$ 合格证书(I)一种公钥证书,其主要目的是识别具有高度保证的人员,该证书符合适用法律框架(如《欧洲电子签名指令》)规定的某些资格要求。[R3739]

$ quick mode (I) See: /IKE/ under "mode".

$ 快速模式(I)见“模式”下的:/IKE/项。

$ RA (I) See: registration authority.

$ RA(I)见:登记机关。

$ RA domains (I) A feature of a CAW that allows a CA to divide the responsibility for certificate requests among multiple RAs.

$ RA域(I)CAW的一种功能,允许CA在多个RA之间分配证书请求的责任。

Tutorial: This ability might be used to restrict access to private authorization data that is provided with a certificate request, and to distribute the responsibility to review and approve certificate requests in high-volume environments. RA domains might segregate certificate requests according to an attribute of the certificate's subject, such as an organizational unit.

教程:此功能可用于限制对随证书请求提供的私有授权数据的访问,并在高容量环境中分配审阅和批准证书请求的职责。RA域可能根据证书主题的属性(如组织单位)隔离证书请求。

$ RADIUS (I) See: Remote Authentication Dial-In User Service.

$ RADIUS(I)见:远程身份验证拨入用户服务。

$ Rainbow Series (O) /COMPUSEC/ A set of more than 30 technical and policy documents with colored covers, issued by the NCSC, that discuss in detail the TCSEC and provide guidance for meeting and applying the criteria. (See: Green Book, Orange Book, Red Book, Yellow Book.)

$ 彩虹系列(O)/COMPUSEC/NCSC发布的一套30多个彩色封面的技术和政策文件,详细讨论了TCSEC,并为满足和应用标准提供指导。(参见:绿皮书、橙皮书、红皮书、黄皮书。)

$ random (I) In essence, "random" means "unpredictable". [SP22, Knut, R4086] (See: cryptographic key, pseudorandom.) - "Random sequence": A sequence in which each successive value is obtained merely by chance and does not depend on the preceding values of the sequence. In a random sequence of bits, each bit is unpredictable; i.e., (a) the probability of each bit being a "0" or "1" is 1/2, and (b) the value of each bit is independent of any other bit in the sequence. - "Random value": An individual value that is unpredictable; i.e., each value in the total population of possibilities has equal probability of being selected.

$ 随机(I)本质上,“随机”意味着“不可预测”。[SP22,Knut,R4086](参见:密码密钥,伪随机)-“随机序列”:一种序列,其中每个连续值仅是偶然获得的,不依赖于序列的先前值。在随机比特序列中,每个比特都是不可预测的;i、 e.,(a)每个位为“0”或“1”的概率为1/2,并且(b)每个位的值独立于序列中的任何其他位。-“随机值”:不可预测的单个值;i、 例如,所有可能性中的每个值都具有相同的被选择概率。

$ random number generator (I) A process that is invoked to generate a random sequence of values (usually a sequence of bits) or an individual random value.

$ 随机数生成器(I)调用以生成随机值序列(通常为位序列)或单个随机值的过程。

Tutorial: There are two basic types of generators. [SP22] - "(True) random number generator": It uses one or more non-deterministic bit sources (e.g., electrical circuit noise, timing of human processes such as key strokes or mouse movements, semiconductor quantum effects, and other physical

教程:有两种基本类型的生成器。[SP22]-“(真)随机数生成器”:它使用一个或多个非确定性位源(例如电路噪声、人类过程的计时,如按键或鼠标移动、半导体量子效应和其他物理特性)

phenomena) and a processing function that formats the bits, and it outputs a sequence of values that is unpredictable and uniformly distributed. - "Pseudorandom number generator": It uses a deterministic computational process (usually implemented by software) that has one or more inputs called "seeds", and it outputs a sequence of values that appears to be random according to specified statistical tests.

现象)和格式化位的处理函数,并输出不可预测且均匀分布的值序列。-“伪随机数生成器”:它使用确定性计算过程(通常由软件实现),具有一个或多个称为“种子”的输入,并根据指定的统计测试输出一系列看似随机的值。

$ RBAC (N) See: role-based access control, rule-based access control.

$ RBAC(N)参见:基于角色的访问控制,基于规则的访问控制。

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the abbreviation is ambiguous.

不推荐使用:使用此术语的IDoc应说明其定义,因为缩写不明确。

$ RC2, RC4, RC6 (N) See: Rivest Cipher #2, #4, #6.

$ RC2,RC4,RC6(N)参见:Rivest密码#2,#4,#6。

$ read (I) /security model/ A system operation that causes a flow of information from an object to a subject. (See: access mode. Compare: write.)

$ 读取(I)/安全模型/导致信息从对象流向主题的系统操作。(请参见:访问模式。比较:写入。)

$ realm (I) /Kerberos/ A domain consisting of a set of Kerberized clients, Kerberized application servers, and one or more Kerberos authentication servers and ticket-granting servers that support the clients and applications, all operating under the same security policy. (See: domain.)

$ 领域(I)/Kerberos/由一组Kerberized客户端、Kerberized应用程序服务器、一个或多个支持客户端和应用程序的Kerberos身份验证服务器和票证授予服务器组成的域,所有这些服务器均在相同的安全策略下运行。(请参阅:域。)

$ recovery 1. (I) /cryptography/ The process of learning or obtaining cryptographic data or plain text through cryptanalysis. (See: key recovery, data recovery.)

$ 恢复1。(一) /密码术/通过密码分析学习或获取密码数据或纯文本的过程。(请参阅:密钥恢复、数据恢复。)

2a. (I) /system integrity/ The process of restoring a secure state in a system after there has been an accidental failure or a successful attack. (See: secondary definition under "security", system integrity.)

2a。(一) /系统完整性/发生意外故障或成功攻击后,在系统中恢复安全状态的过程。(参见“安全性”下的二级定义,系统完整性。)

2b. (I) /system integrity/ The process of restoring an information system's assets and operation following damage or destruction. (See: contingency plan.)

2b。(一) /系统完整性/在信息系统损坏或破坏后恢复其资产和操作的过程。(见:应急计划。)

$ RED 1. (N) Designation for data that consists only of clear text, and for information system equipment items and facilities that handle

$ 红色1。(N) 仅由明文组成的数据的名称,以及用于处理

clear text. Example: "RED key". (See: BCR, color change, RED/BLACK separation. Compare: BLACK.)

明文。例如:“红色钥匙”。(参见:BCR、颜色变化、红/黑分离。比较:黑色。)

Derivation: From the practice of marking equipment with colors to prevent operational errors.

衍生:使用颜色标记设备以防止操作错误的实践。

2. (O) /U.S. Government/ Designation applied to information systems, and to associated areas, circuits, components, and equipment, "in which unencrypted national security information is being processed." [C4009]

2. (O) /美国政府/适用于信息系统和相关区域、电路、组件和设备的名称,“其中正在处理未加密的国家安全信息。”[C4009]

$ RED/BLACK separation (N) An architectural concept for cryptographic systems that strictly separates the parts of a system that handle plain text (i.e., RED information) from the parts that handle cipher text (i.e., BLACK information). (See: BLACK, RED.)

$ 红/黑分离(RED/BLACK separation,N):密码系统的一种体系结构概念,它将处理纯文本(即红色信息)的系统部分与处理密文(即黑色信息)的系统部分严格分开。(参见:黑色、红色。)

$ Red Book (D) /slang/ Synonym for "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria" [NCS05].

$ 红皮书(D)/俚语/同义词“可信网络对可信计算机系统评估标准的解释”[NCS05]。

Deprecated Term: IDOCs SHOULD NOT use this term. Instead, use the full proper name of the document or, in subsequent references, a more conventional abbreviation, e.g., TNI-TCSEC. (See: TCSEC, Rainbow Series, Deprecated Usage under "Green Book".)

不推荐使用的术语:IDOCs不应使用此术语。相反,应使用文件的全称,或在后续参考文献中使用更为传统的缩写,如TNI-TCSEC。(参见:TCSEC,Rainbow系列,“绿皮书”下的弃用用法。)

$ RED key (N) A cleartext key, which is usable in its present form (i.e., it does not need to be decrypted before being used). (See: RED. Compare: BLACK key.)

$ 红色密钥(N)一种明文密钥,可用其当前形式(即,在使用前不需要解密)。(请参见:红色。比较:黑色键。)

$ reference monitor (I) "An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects." [NCS04] (See: security kernel.)

$ reference monitor(I)“一种访问控制概念,指的是一台抽象机器,它协调主体对对象的所有访问。”[NCS04](请参阅:安全内核。)

Tutorial: This concept was described in the Anderson report. A reference monitor should be (a) complete (i.e., it mediates every access), (b) isolated (i.e., it cannot be modified by other system entities), and (c) verifiable (i.e., small enough to be subjected to analysis and tests to ensure that it is correct).

教程:安德森报告中描述了这一概念。参考监视器应(A)完整(即,它调解每次访问),(b)隔离(即,它不能被其他系统实体修改),(c)可验证(即,足够小,可以进行分析和测试,以确保其正确性)。

$ reflection attack (I) An attack in which a valid data transmission is replayed to the originator by an attacker who intercepts the original transmission. (Compare: indirect attack, replay attack.)

$ 反射攻击(I)截获原始传输的攻击者将有效数据传输重播给发起人的攻击。(比较:间接攻击、重放攻击。)

$ reflector attack (D) Synonym for "indirect attack".

$ 反射器攻击(D)“间接攻击”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it could be confused with "reflection attack", which is a different concept.

不推荐使用的术语:IDoc不应使用此术语;它可能与“反射攻击”混淆,后者是一个不同的概念。

$ registered user (I) A system entity that is authorized to receive a system's products and services or otherwise access system resources. (See: registration, user.)

$ 注册用户(I)被授权接收系统产品和服务或以其他方式访问系统资源的系统实体。(请参阅:注册,用户。)

$ registration 1. (I) /information system/ A system process that (a) initializes an identity (of a system entity) in the system, (b) establishes an identifier for that identity, (c) may associate authentication information with that identifier, and (d) may issue an identifier credential (depending on the type of authentication mechanism being used). (See: authentication information, credential, identifier, identity, identity proofing.)

$ 注册1。(一) /信息系统/一种系统过程,其(A)初始化系统中的(系统实体的)标识,(b)为该标识建立标识符,(c)可将认证信息与该标识符相关联,以及(d)可颁发标识符凭证(取决于所使用的认证机制的类型)。(请参阅:身份验证信息、凭据、标识符、身份、身份验证。)

2. (I) /PKI/ An administrative act or process whereby an entity's name and other attributes are established for the first time at a CA, prior to the CA issuing a digital certificate that has the entity's name as the subject. (See: registration authority.)

2. (一) /PKI/在CA颁发以实体名称为主体的数字证书之前,在CA首次建立实体名称和其他属性的行政行为或过程。(见:登记机关。)

Tutorial: Registration may be accomplished either directly, by the CA, or indirectly, by a separate RA. An entity is presented to the CA or RA, and the authority either records the name(s) claimed for the entity or assigns the entity's name(s). The authority also determines and records other attributes of the entity that are to be bound in a certificate (such as a public key or authorizations) or maintained in the authority's database (such as street address and telephone number). The authority is responsible, possibly assisted by an RA, for verifying the entity's identity and vetting the other attributes, in accordance with the CA's CPS.

教程:注册可以由CA直接完成,也可以由单独的RA间接完成。实体提交给CA或RA,管理局记录为该实体申请的名称或指定该实体的名称。管理局还确定并记录实体的其他属性,这些属性将绑定在证书中(如公钥或授权),或保存在管理局的数据库中(如街道地址和电话号码)。管理局负责(可能由RA协助)根据CA的CPS验证实体的身份并审查其他属性。

Among the registration issues that a CPS may address are the following [R3647]: - How a claimed identity and other attributes are verified. - How organization affiliation or representation is verified. - What forms of names are permitted, such as X.500 DN, domain name, or IP address. - Whether names are required to be meaningful or unique, and within what domain. - How naming disputes are resolved, including the role of trademarks. - Whether certificates are issued to entities that are not persons.

CPS可能解决的注册问题包括以下[R3647]:-如何验证声明的身份和其他属性。-如何验证组织隶属关系或代表性。-允许使用何种形式的名称,如X.500 DN、域名或IP地址。-名称是否需要有意义或唯一,以及在哪个域内。-如何解决命名争议,包括商标的作用。-是否向非法人实体颁发证书。

- Whether a person is required to appear before the CA or RA, or can instead be represented by an agent. - Whether and how an entity proves possession of the private key matching a public key.

- 一个人是否需要在CA或RA前出庭,或者可以由代理人代为出庭。-实体是否以及如何证明拥有与公钥匹配的私钥。

$ registration authority (RA) 1. (I) An optional PKI entity (separate from the CAs) that does not sign either digital certificates or CRLs but has responsibility for recording or verifying some or all of the information (particularly the identities of subjects) needed by a CA to issue certificates and CRLs and to perform other certificate management functions. (See: ORA, registration.)

$ 登记机关(RA)1。(一) 一种可选的PKI实体(独立于CA),不签署数字证书或CRL,但负责记录或验证CA颁发证书和CRL以及执行其他证书管理功能所需的部分或全部信息(尤其是主体身份)。(见:ORA,注册。)

2. (I) /PKIX/ An optional PKI component, separate from the CA(s). The functions that the RA performs will vary from case to case but may include identity authentication and name assignment, key generation and archiving of key pairs, token distribution, and revocation reporting. [R4210]

2. (一) /PKIX/可选的PKI组件,独立于CA。RA执行的功能因情况而异,但可能包括身份验证和名称分配、密钥生成和密钥对存档、令牌分发和撤销报告。[R4210]

Tutorial: Sometimes, a CA may perform all certificate management functions for all end users for which the CA signs certificates. Other times, such as in a large or geographically dispersed community, it may be necessary or desirable to offload secondary CA functions and delegate them to an assistant, while the CA retains the primary functions (signing certificates and CRLs). The tasks that are delegated to an RA by a CA may include personal authentication, name assignment, token distribution, revocation reporting, key generation, and archiving.

教程:有时,CA可能会为其签署证书的所有最终用户执行所有证书管理功能。在其他情况下,例如在大型或地理位置分散的社区中,可能需要卸载辅助CA功能并将其委托给助手,而CA保留主要功能(签名证书和CRL)。CA委托给RA的任务可能包括个人身份验证、名称分配、令牌分发、撤销报告、密钥生成和存档。

An RA is an optional PKI entity, separate from the CA, that is assigned secondary functions. The duties assigned to RAs vary from case to case but may include the following: - Verifying a subject's identity, i.e., performing personal authentication functions. - Assigning a name to a subject. (See: distinguished name.) - Verifying that a subject is entitled to have the attributes requested for a certificate. - Verifying that a subject possesses the private key that matches the public key requested for a certificate. - Performing functions beyond mere registration, such as generating key pairs, distributing tokens, handling revocation reports, and archiving data. (Such functions may be assigned to a PKI component that is separate from both the CA and the RA.)

RA是一个可选的PKI实体,独立于CA,分配辅助功能。分配给RAs的职责因情况而异,但可能包括以下内容:-验证受试者的身份,即执行个人身份验证功能。-为主题指定名称。(请参阅:可分辨名称)-验证受试者是否有权拥有证书所需的属性。-验证主体是否拥有与证书请求的公钥匹配的私钥。-执行注册以外的功能,例如生成密钥对、分发令牌、处理撤销报告和归档数据。(此类功能可分配给独立于CA和RA的PKI组件。)

3. (O) /SET/ "An independent third-party organization that processes payment card applications for multiple payment card brands and forwards applications to the appropriate financial institutions." [SET2]

3. (O) /SET/“一个独立的第三方组织,负责处理多个支付卡品牌的支付卡应用程序,并将应用程序转发给相应的金融机构。”[SET2]

$ regrade (I) Deliberately change the security level (especially the hierarchical classification level) of information in an authorized manner. (See: downgrade, upgrade.)

$ 重新分级(I)以授权的方式故意更改信息的安全级别(特别是分层分类级别)。(请参阅:降级、升级。)

$ rekey (I) Change the value of a cryptographic key that is being used in an application of a cryptographic system. (See: certificate rekey.)

$ rekey(I)更改加密系统应用程序中使用的加密密钥的值。(请参阅:证书重新密钥。)

Tutorial: Rekey is required at the end of a cryptoperiod or key lifetime.

教程:加密周期或密钥生命周期结束时需要重新密钥。

$ reliability (I) The ability of a system to perform a required function under stated conditions for a specified period of time. (Compare: availability, survivability.)

$ 可靠性(I)系统在规定条件下在规定时间内执行所需功能的能力。(比较:可用性、生存能力。)

$ reliable human review (I) Any manual, automated, or hybrid process or procedure that ensures that a human examines a digital object, such as text or an image, to determine whether the object may be permitted, according to some security policy, to be transferred across a controlled interface. (See: guard.)

$ 可靠的人工审查(I)任何手动、自动或混合过程或程序,确保人员检查数字对象,如文本或图像,以确定根据某些安全策略,是否允许对象通过受控接口传输。(请参阅:防护罩。)

$ relying party (I) Synonym for "certificate user".

$ 依赖方(I)“证书用户”的同义词。

Usage: Used in a legal context to mean a recipient of a certificate who acts in reliance on that certificate. (See: ABA Guidelines.)

用法:在法律上下文中用于指依赖证书行事的证书接收人。(参见:ABA指南。)

$ remanence (I) Residual information that can be recovered from a storage medium after clearing. (See: clear, magnetic remanence, purge.)

$ 剩磁(I)清除后可从存储介质中恢复的剩余信息。(请参阅:清除、剩磁、清除。)

$ Remote Authentication Dial-In User Service (RADIUS) (I) An Internet protocol [R2865] for carrying dial-in users' authentication information and configuration information between a shared, centralized authentication server (the RADIUS server) and a network access server (the RADIUS client) that needs to authenticate the users of its network access ports. (See: TACACS.)

$ 远程认证拨入用户服务(RADIUS)(I)一种互联网协议[R2865],用于在共享的集中式认证服务器(RADIUS服务器)和网络访问服务器(RADIUS客户端)之间承载拨入用户的认证信息和配置信息需要对其网络访问端口的用户进行身份验证。(见:TACACS)

User presents authentication and possibly other information to the RADIUS client (e.g., health information regarding the user device).

用户向RADIUS客户端提供身份验证和可能的其他信息(例如,有关用户设备的健康信息)。

Tutorial: A user presents authentication information and possibly other information to the RADIUS client, and the client passes that information to the RADIUS server. The server authenticates the client using a shared secret value and checks the presented information, and then returns to the client all authorization and configuration information needed by the client to serve the user.

教程:用户向RADIUS客户机提供身份验证信息和其他信息,客户机将这些信息传递给RADIUS服务器。服务器使用共享秘密值对客户端进行身份验证,并检查提供的信息,然后将客户端为用户服务所需的所有授权和配置信息返回给客户端。

$ renew See: certificate renewal.

$ 续订请参阅:证书续订。

$ reordering (I) /packet/ See: secondary definition under "stream integrity service".

$ 重新排序(I)/数据包/参见“流完整性服务”下的二级定义。

$ replay attack (I) An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by a third party who intercepts the data and retransmits it, possibly as part of a masquerade attack. (See: active wiretapping, fresh, liveness, nonce. Compare: indirect attack, reflection attack.)

$ 重播攻击(I)发起人或截获数据并重新传输数据的第三方恶意或欺诈性地重复有效数据传输的攻击,可能是伪装攻击的一部分。(请参阅:主动窃听、新鲜、活跃、暂时。比较:间接攻击、反射攻击。)

$ repository 1. (I) A system for storing and distributing digital certificates and related information (including CRLs, CPSs, and certificate policies) to certificate users. (Compare: archive, directory.)

$ 储存库1。(一) 向证书用户存储和分发数字证书及相关信息(包括CRL、CPS和证书策略)的系统。(比较:存档,目录。)

2. (O) "A trustworthy system for storing and retrieving certificates or other information relevant to certificates." [DSG]

2. (O) “用于存储和检索证书或与证书相关的其他信息的可靠系统。”[DSG]

Tutorial: A certificate is published to those who might need it by putting it in a repository. The repository usually is a publicly accessible, on-line server. In the FPKI, for example, the expected repository is a directory that uses LDAP, but also may be an X.500 Directory that uses DAP, or an HTTP server, or an FTP server that permits anonymous login.

教程:通过将证书放入存储库,将证书发布给可能需要它的人。存储库通常是一个可公开访问的在线服务器。例如,在FPKI中,预期的存储库是一个使用LDAP的目录,但也可能是一个使用DAP的X.500目录,或HTTP服务器,或允许匿名登录的FTP服务器。

$ repudiation 1. (I) Denial by a system entity that was involved in an association (especially a communication association that transfers data) of having participated in the relationship. (See: accountability, non-repudiation service.)

$ 否认1。(一) 参与关联(尤其是传输数据的通信关联)的系统实体拒绝参与关系。(参见:责任制、不可否认服务。)

2. (I) A type of threat action whereby an entity deceives another by falsely denying responsibility for an act. (See: deception.)

2. (一) 一种威胁行为,一个实体通过错误地否认对某一行为的责任来欺骗另一个实体。(见:欺骗。)

Usage: This type of threat action includes the following subtypes: - False denial of origin: Action whereby an originator denies responsibility for sending data. - False denial of receipt: Action whereby a recipient denies receiving and possessing data.

用法:这种类型的威胁行为包括以下子类型:-错误拒绝来源:发起人拒绝发送数据的行为。-虚假拒绝接收:接收人拒绝接收和拥有数据的行为。

3. (O) /OSIRM/ "Denial by one of the entities involved in a communication of having participated in all or part of the communication." [I7498-2]

3. (O) /OSIRM/“参与通信的实体之一拒绝参与全部或部分通信。”[I7498-2]

$ Request for Comment (RFC) 1. (I) One of the documents in the archival series that is the official channel for IDOCs and other publications of the Internet Engineering Steering Group, the Internet Architecture Board, and the Internet community in general. (RFC 2026, 2223) (See: Internet Standard.)

$ 征求意见(RFC)1。(一) 档案系列中的文件之一,是互联网工程指导小组、互联网体系结构委员会和整个互联网社区的IDOC和其他出版物的官方渠道。(RFC 2026223)(参见:互联网标准。)

2. (D) A popularly misused synonym for a document on the Internet Standards Track, i.e., an Internet Standard, Draft Standard, or Proposed Standard. (See: Internet Standard.)

2. (D) 互联网标准轨道上文档的一个普遍被误用的同义词,即互联网标准、草案标准或提议的标准。(请参阅:互联网标准。)

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2 because many other types of documents also are published as RFCs.

不推荐使用的定义:IDOC不应将此术语与定义2一起使用,因为许多其他类型的文档也作为RFC发布。

$ residual risk (I) The portion of an original risk or set of risks that remains after countermeasures have been applied. (Compare: acceptable risk, risk analysis.)

$ 剩余风险(I)在采取应对措施后,原始风险或一组风险的剩余部分。(比较:可接受风险、风险分析)

$ restore See: card restore.

$ 恢复请参阅:卡恢复。

$ reverse engineering (I) /threat action/ See: secondary definition under "intrusion".

$ 逆向工程(I)/威胁行动/见“入侵”下的二级定义。

$ revocation See: certificate revocation.

$ 撤销请参阅:证书撤销。

$ revocation date (N) /X.509/ In a CRL entry, a date-time field that states when the certificate revocation occurred, i.e., when the CA declared the digital certificate to be invalid. (See: invalidity date.)

$ 撤销日期(N)/X.509/在CRL条目中,一个日期时间字段,说明证书撤销发生的时间,即CA宣布数字证书无效的时间。(参见:失效日期。)

Tutorial: The revocation date may not resolve some disputes because, in the worst case, all signatures made during the validity period of the certificate may have to be considered invalid. However, it may be desirable to treat a digital signature

指南:撤销日期可能无法解决某些争议,因为在最坏的情况下,证书有效期内的所有签名都可能被视为无效。然而,可能希望处理数字签名

as valid even though the private key used to sign was compromised after the signing. If more is known about when the compromise actually occurred, a second date-time, an "invalidity date", can be included in an extension of the CRL entry.

即使用于签名的私钥在签名后被泄露,仍然有效。如果对折衷实际发生的时间有更多了解,可以在CRL条目的扩展中包括第二个日期时间,即“无效日期”。

$ revocation list See: certificate revocation list.

$ 吊销列表请参阅:证书吊销列表。

$ revoke (I) See: certificate revocation.

$ 撤销(I)参见:证书撤销。

$ RFC (I) See: Request for Comment.

$ RFC(一)见:征求意见。

$ Rijndael (N) A symmetric, block cipher that was designed by Joan Daemen and Vincent Rijmen as a candidate for the AES, and that won that competition. [Daem] (See: Advanced Encryption Standard.)

$ Rijndael(N):一种对称分组密码,由Joan Daemen和Vincent Rijmen设计,作为AES的候选,并赢得了该竞赛。[Daem](请参阅:高级加密标准。)

$ risk 1. (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (See: residual risk.)

$ 风险1。(一) 损失预期,表示为特定威胁利用特定漏洞造成特定有害结果的概率。(参见:剩余风险。)

2. (O) /SET/ "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]

2. (O) /SET/“由于对信息的一种或多种威胁而造成损失的可能性(不要与财务或业务风险混淆)。”[SET2]

Tutorial: There are four basic ways to deal with a risk [SP30]: - "Risk avoidance": Eliminate the risk by either countering the threat or removing the vulnerability. (Compare: "avoidance" under "security".) - "Risk transference": Shift the risk to another system or entity; e.g., buy insurance to compensate for potential loss. - "Risk limitation": Limit the risk by implementing controls that minimize resulting loss. - "Risk assumption": Accept the potential for loss and continue operating the system.

教程:有四种处理风险的基本方法[SP30]:-“风险规避”:通过对抗威胁或消除漏洞来消除风险。(比较“安全”下的“规避”)-“风险转移”:将风险转移到另一个系统或实体;e、 例如,购买保险以补偿潜在损失“风险限制”:通过实施最小化由此造成的损失的控制措施来限制风险。-“风险假设”:接受潜在的损失并继续运行系统。

$ risk analysis (I) An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.)

$ 风险分析(I)一个评估过程,该过程系统地(a)识别有价值的系统资源和对这些资源的威胁,(b)根据估计的发生频率和成本量化损失风险(即损失可能性),以及(c)(可选)建议如何为应对措施分配可用资源,以尽量减少总风险。(参见:风险管理,商业案例分析。比较:威胁分析。)

Tutorial: Usually, it is financially and technically infeasible to avoid or transfer all risks (see: "first corollary" of "second law" under "Courtney's laws"), and some residual risks will remain, even after all available countermeasures have been deployed (see: "second corollary" of "second law" under "Courtney's laws"). Thus, a risk analysis typically lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first. [FP031, R2196]

教程:通常情况下,避免或转移所有风险在财务和技术上都是不可行的(参见“科特尼定律”下“第二定律”的“第一推论”),即使在部署了所有可用的应对措施之后,一些剩余风险仍将存在(参见“科特尼定律”下“第二定律”的“第二推论”)。因此,风险分析通常按照成本和关键性的顺序列出风险,从而确定应首先在哪里应用对策。[FP031,R2196]

In some contexts, it is infeasible or inadvisable to attempt a complete or quantitative risk analysis because needed data, time, and expertise are not available. Instead, basic answers to questions about threats and risks may be already built into institutional security policies. For example, U.S. DoD policies for data confidentiality "do not explicitly itemize the range of expected threats" but instead "reflect an operational approach ... by stating the particular management controls that must be used to achieve [confidentiality] ... Thus, they avoid listing threats, which would represent a severe risk in itself, and avoid the risk of poor security design implicit in taking a fresh approach to each new problem". [NRC91]

在某些情况下,尝试进行完整或定量的风险分析是不可行或不可取的,因为没有必要的数据、时间和专业知识。相反,关于威胁和风险问题的基本答案可能已经纳入机构安全政策。例如,美国国防部的数据保密政策“没有明确列出预期威胁的范围”,而是“通过说明实现[保密性]必须使用的特定管理控制措施,反映了一种作战方法”…因此,他们避免列出威胁,这本身就是一种严重的风险,并避免对每一个新问题采取新方法所隐含的安全设计差的风险。”。[NRC91]

$ risk assumption (I) See: secondary definition under "risk".

$ 风险假设(I)见“风险”下的二级定义。

$ risk avoidance (I) See: secondary definition under "risk".

$ 风险规避(I)见“风险”下的二级定义。

$ risk limitation (I) See: secondary definition under "risk".

$ 风险限制(I)见“风险”下的二级定义。

$ risk management 1. (I) The process of identifying, measuring, and controlling (i.e., mitigating) risks in information systems so as to reduce the risks to a level commensurate with the value of the assets protected. (See: risk analysis.)

$ 风险管理1。(一) 识别、测量和控制(即减轻)信息系统中的风险的过程,以便将风险降低到与受保护资产的价值相称的水平。(参见:风险分析。)

2. (I) The process of controlling uncertain events that may affect information system resources.

2. (一) 控制可能影响信息系统资源的不确定事件的过程。

3. (O) "The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws." [SP30]

3. (O)“识别、控制和缓解信息系统相关风险的整个过程。它包括风险评估;成本效益分析;以及保障措施的选择、实施、测试和安全评估。该总体系统安全审查考虑了有效性和效率,包括对任务的影响以及政策、法规和法律造成的限制。”[SP30]

$ risk transference (I) See: secondary definition under "risk".

$ 风险转移(I)见“风险”下的二级定义。

$ Rivest Cipher #2 (RC2) (N) A proprietary, variable-key-length block cipher invented by Ron Rivest for RSA Data Security, Inc.

$ Rivest Cipher#2(RC2)(N)Ron Rivest为RSA Data Security,Inc.发明的专有可变密钥长度分组密码。

$ Rivest Cipher #4 (RC4) (N) A proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc.

$ Rivest Cipher#4(RC4)(N)Ron Rivest为RSA Data Security,Inc.发明的专有可变密钥长度流密码。

$ Rivest Cipher #6 (RC6) (N) A symmetric, block cipher with 128-bit or longer key length, developed by Ron Rivest for RSA Data Security, Inc. as a candidate for the AES.

$ Rivest Cipher#6(RC6)(N):一种具有128位或更长密钥长度的对称分组密码,由Ron Rivest为RSA Data Security,Inc.开发,作为AES的候选。

$ Rivest-Shamir-Adleman (RSA) (N) An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78].

$ Rivest-Shamir-Adleman(RSA)(N)一种非对称密码算法,由Ron Rivest、Adi-Shamir和Leonard Adleman于1977年发明[RSA78]。

Tutorial: RSA uses exponentiation modulo the product of two large prime numbers. The difficulty of breaking RSA is believed to be equivalent to the difficulty of factoring integers that are the product of two large prime numbers of approximately equal size.

教程:RSA使用两个大素数乘积的幂运算。打破RSA的困难被认为相当于分解两个大小近似相等的大素数的乘积的整数的困难。

To create an RSA key pair, randomly choose two large prime numbers, p and q, and compute the modulus, n = pq. Randomly choose a number e, the public exponent, that is less than n and relatively prime to (p-1)(q-1). Choose another number d, the private exponent, such that ed-1 evenly divides (p-1)(q-1). The public key is the set of numbers (n,e), and the private key is the set (n,d).

要创建RSA密钥对,请随机选择两个大素数p和q,并计算模n=pq。随机选择一个数字e,即公共指数,它小于n,且相对素数为(p-1)(q-1)。选择另一个数字d,即私有指数,使ed-1平均除以(p-1)(q-1)。公钥是数字的集合(n,e),私钥是集合(n,d)。

It is assumed to be difficult to compute the private key (n,d) from the public key (n,e). However, if n can be factored into p and q, then the private key d can be computed easily. Thus, RSA security depends on the assumption that it is computationally difficult to factor a number that is the product of two large prime numbers. (Of course, p and q are treated as part of the private key, or else are destroyed after computing n.)

假设难以从公钥(n,e)计算私钥(n,d)。然而,如果n可以分解为p和q,那么私钥d可以容易地计算。因此,RSA安全性取决于这样一种假设:计算上很难将两个大素数的乘积作为一个数的因子。(当然,p和q被视为私钥的一部分,或者在计算n后被销毁。)

For encryption of a message, m, to be sent to Bob, Alice uses Bob's public key (n,e) to compute m**e (mod n) = c. She sends c to Bob. Bob computes c**d (mod n) = m. Only Bob knows d, so only Bob can compute c**d (mod n) to recover m.

对于要发送给Bob的消息m的加密,Alice使用Bob的公钥(n,e)来计算m**e(mod n)=c。她把c寄给鲍勃。Bob计算c**d(模n)=m。只有Bob知道d,因此只有Bob可以计算c**d(mod n)来恢复m。

To provide data origin authentication of a message, m, to be sent to Bob, Alice computes m**d (mod n) = s, where (d,n) is Alice's

为了提供要发送给Bob的消息m的数据源身份验证,Alice计算m**d(mod n)=s,其中(d,n)是Alice的

private key. She sends m and s to Bob. To recover the message that only Alice could have sent, Bob computes s**e (mod n) = m, where (e,n) is Alice's public key.

私钥。她把m和s寄给鲍勃。为了恢复只有Alice才能发送的消息,Bob计算s**e(mod n)=m,其中(e,n)是Alice的公钥。

To ensure data integrity in addition to data origin authentication requires extra computation steps in which Alice and Bob use a cryptographic hash function h (see: digital signature). Alice computes the hash value h(m) = v, and then encrypts v with her private key to get s. She sends m and s. Bob receives m' and s', either of which might have been changed from the m and s that Alice sent. To test this, he decrypts s' with Alice's public key to get v'. He then computes h(m') = v". If v' equals v", Bob is assured that m' is the same m that Alice sent.

为了确保数据完整性,除了数据源身份验证外,还需要额外的计算步骤,Alice和Bob在这些步骤中使用加密哈希函数h(请参阅:数字签名)。Alice计算散列值h(m)=v,然后用她的私钥加密v以得到s。她送m和s。Bob接收到m'和s',其中任何一个可能已从Alice发送的m和s中更改。为了测试这一点,他解密“用Alice的公钥获得v”。然后,他计算h(m')=v。如果v'等于v,鲍勃确信m'与爱丽丝发送的m相同。

$ robustness (N) See: level of robustness.

$ 稳健性(N)参见:稳健性水平。

$ role 1. (I) A job function or employment position to which people or other system entities may be assigned in a system. (See: role-based access control. Compare: duty, billet, principal, user.)

$ 角色1。(一) 在一个系统中,人员或其他系统实体可以分配到的一种工作职能或工作岗位。(请参阅:基于角色的访问控制。比较:职责、权限、负责人、用户。)

2. (O) /Common Criteria/ A pre-defined set of rules establishing the allowed interactions between a user and the TOE.

2. (O) /Common Criteria/一组预定义的规则,用于建立用户和TOE之间允许的交互。

$ role-based access control (I) A form of identity-based access control wherein the system entities that are identified and controlled are functional positions in an organization or process. [Sand] (See: authorization, constraint, identity, principal, role.)

$ 基于角色的访问控制(I)一种基于身份的访问控制形式,其中识别和控制的系统实体是组织或流程中的功能位置。[Sand](请参阅:授权、约束、身份、主体、角色。)

Tutorial: Administrators assign permissions to roles as needed to perform functions in the system. Administrators separately assign user identities to roles. When a user accesses the system in an identity (for which the user has been registered) and initiates a session using a role (to which the user has been assigned), then the permissions that have been assigned to the role are available to be exercised by the user.

教程:管理员根据需要为角色分配权限,以在系统中执行功能。管理员分别为角色分配用户标识。当用户以身份(已注册用户)访问系统并使用角色(已分配用户)启动会话时,则已分配给角色的权限可供用户行使。

The following diagram shows that role-based access control involves five different relationships: (a) administrators assign identities to roles, (b) administrators assign permissions to roles, (c) administrators assign roles to roles, (d) users select identities in sessions, and (e) users select roles in sessions. Security policies may define constraints on these assignments and selections.

下图显示了基于角色的访问控制涉及五种不同的关系:(a)管理员将身份分配给角色,(b)管理员将权限分配给角色,(c)管理员将角色分配给角色,(d)用户在会话中选择身份,以及(e)用户在会话中选择角色。安全策略可以定义这些分配和选择的约束。

         (c) Permission Inheritance Assignments (i.e., Role Hierarchy)
                               [Constraints]
                                  +=====+
                                  |     |
                   (a) Identity   v     v  (b) Permission
      +----------+  Assignments  +-------+  Assignments  +----------+
      |Identities|<=============>| Roles |<=============>|Permissions|
      +----------+ [Constraints] +-------+ [Constraints] +----------+
           |   |                   ^   ^
           |   |   +-----------+   |   |       +---------------------+
           |   |   | +-------+ |   |   |       |       Legend        |
           |   +====>|Session|=====+   |       |                     |
           |       | +-------+ |       |       |     One-to-One      |
           |       |    ...   |       |       | =================== |
           |       | +-------+ |       |       |                     |
           +========>|Session|=========+       |     One-to-Many     |
      (d) Identity | +-------+ |  (e) Role     | ==================> |
       Selections  |           | Selections    |                     |
      [Constraints]|  Access   |[Constraints]  |    Many-to-Many     |
                   | Sessions  |               | <=================> |
                   +-----------+               +---------------------+
        
         (c) Permission Inheritance Assignments (i.e., Role Hierarchy)
                               [Constraints]
                                  +=====+
                                  |     |
                   (a) Identity   v     v  (b) Permission
      +----------+  Assignments  +-------+  Assignments  +----------+
      |Identities|<=============>| Roles |<=============>|Permissions|
      +----------+ [Constraints] +-------+ [Constraints] +----------+
           |   |                   ^   ^
           |   |   +-----------+   |   |       +---------------------+
           |   |   | +-------+ |   |   |       |       Legend        |
           |   +====>|Session|=====+   |       |                     |
           |       | +-------+ |       |       |     One-to-One      |
           |       |    ...   |       |       | =================== |
           |       | +-------+ |       |       |                     |
           +========>|Session|=========+       |     One-to-Many     |
      (d) Identity | +-------+ |  (e) Role     | ==================> |
       Selections  |           | Selections    |                     |
      [Constraints]|  Access   |[Constraints]  |    Many-to-Many     |
                   | Sessions  |               | <=================> |
                   +-----------+               +---------------------+
        

$ role certificate (I) An organizational certificate that is issued to a system entity that is a member of the set of users that have identities that are assigned to the same role. (See: role-based access control.)

$ 角色证书(I)颁发给系统实体的组织证书,该系统实体是具有分配给相同角色的标识的用户集的成员。(请参阅:基于角色的访问控制。)

$ root, root CA 1. (I) /PKI/ A CA that is directly trusted by an end entity. (See: trust anchor, trusted CA.)

$ 根,根约1。(一) /PKI/终端实体直接信任的CA。(请参阅:信任锚,受信任CA)

2. (I) /hierarchical PKI/ The CA that is the highest level (most trusted) CA in a certification hierarchy; i.e., the authority upon whose public key all certificate users base their validation of certificates, CRLs, certification paths, and other constructs. (See: top CA.)

2. (一) /hierarchy PKI/证书层次结构中最高级别(最受信任)的CA;i、 例如,所有证书用户对证书、CRL、证书路径和其他构造的验证都基于其公钥的机构。(见:顶部CA)

Tutorial: The root CA in a certification hierarchy issues public-key certificates to one or more additional CAs that form the second-highest level. Each of these CAs may issue certificates to more CAs at the third-highest level, and so on. To initialize operation of a hierarchical PKI, the root's initial public key is securely distributed to all certificate users in a way that does not depend on the PKI's certification relationships, i.e., by an out-of-band procedure. The root's public key may be distributed simply as a numerical value, but typically is distributed in a self-signed certificate in which the root is the subject. The

教程:证书层次结构中的根CA将公钥证书颁发给构成第二高级别的一个或多个附加CA。这些CA中的每一个都可以向第三高级别的更多CA颁发证书,以此类推。为了初始化分级PKI的操作,根用户的初始公钥以不依赖于PKI的证书关系的方式(即通过带外过程)安全地分发给所有证书用户。根的公钥可以简单地作为数字值分发,但通常在以根为主体的自签名证书中分发。这个

root's certificate is signed by the root itself because there is no higher authority in a certification hierarchy. The root's certificate is then the first certificate in every certification path.

根的证书由根本身签名,因为在证书层次结构中没有更高的权限。根目录的证书是每个证书路径中的第一个证书。

3. (I) /DNS/ The base of the tree structure that defines the name space for the Internet DNS. (See: domain name.)

3. (一) /DNS/定义Internet DNS名称空间的树结构的基础。(请参阅:域名。)

4. (O) /MISSI/ A name previously used for a MISSI policy creation authority, which is not a root as defined above for general usage, but is a CA at the second level of the MISSI hierarchy, immediately subordinate to a MISSI policy approving authority.

4. (O) /MISSI/以前用于MISSI策略创建机构的名称,它不是上文定义的一般用途的根,而是位于MISSI层次结构第二级的CA,直接从属于MISSI策略批准机构。

5. (O) /UNIX/ A user account (a.k.a. "superuser") that has all privileges (including all security-related privileges) and thus can manage the system and its other user accounts.

5. (O) /UNIX/具有所有权限(包括所有安全相关权限)的用户帐户(也称为“超级用户”),因此可以管理系统及其其他用户帐户。

$ root certificate 1. (I) /PKI/ A certificate for which the subject is a root. (See: trust anchor certificate, trusted certificate.)

$ 根证书1。(一) /PKI/主题为根的证书。(请参阅:信任锚证书、受信任证书。)

2. (I) /hierarchical PKI/ The self-signed public-key certificate at the top of a certification hierarchy.

2. (一) /hierarchy PKI/证书层次结构顶部的自签名公钥证书。

$ root key (I) /PKI/ A public key for which the matching private key is held by a root. (See: trust anchor key, trusted key.)

$ 根密钥(I)/PKI/根持有匹配私钥的公钥。(请参阅:信任锚定密钥,受信任密钥。)

$ root registry (O) /MISSI/ A name previously used for a MISSI PAA.

$ 根注册表(O)/misi/以前用于misi PAA的名称。

$ ROT13 (I) See: secondary definition under "Caesar cipher".

$ ROT13(I)见“凯撒密码”下的二级定义。

$ router 1a. (I) /IP/ A networked computer that forwards IP packets that are not addressed to the computer itself. (Compare: host.)

$ 路由器1a。(一) /IP/一种网络计算机,用于转发未寻址到计算机本身的IP数据包。(比较:主机。)

1b. (I) /IPS/ A gateway that operates in the IPS Internet Layer to connect two or more subnetworks.

1b。(一) /IPS/在IPS Internet层中运行以连接两个或多个子网的网关。

1c. (N) /OSIRM/ A computer that is a gateway between two networks at OSIRM Layer 3 and that relays and directs data packets through that internetwork. (Compare: bridge, proxy.)

1c。(N) /OSIRM/作为OSIRM第3层两个网络之间的网关的计算机,通过该互联网络中继和引导数据包。(比较:桥、代理。)

$ RSA (N) See: Rivest-Shamir-Adleman.

$ RSA(N)见:Rivest Shamir Adleman。

$ rule See: policy rule.

$ 规则请参阅:策略规则。

$ rule-based security policy (I) "A security policy based on global rules [i.e., policy rules] imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users." [I7498-2] (Compare: identity-based security policy, policy rule, RBAC.)

$ 基于规则的安全策略(I)“基于对所有用户强制实施的全局规则[即策略规则]的安全策略。这些规则通常依赖于对所访问资源的敏感性和对用户、一组用户或代表用户的实体的相应属性的拥有情况的比较。”[I7498-2](比较:基于身份的安全策略、策略规则、RBAC。)

$ rules of behavior (I) A body of security policy that has been established and implemented concerning the responsibilities and expected behavior of entities that have access to a system. (Compare: [R1281].)

$ 行为规则(I)已建立和实施的安全策略主体,涉及有权访问系统的实体的责任和预期行为。(比较:[R1281]。)

Tutorial: For persons employed by a corporation or government, the rules might cover such matters as working at home, remote access, use of the Internet, use of copyrighted works, use of system resources for unofficial purpose, assignment and limitation of system privileges, and individual accountability.

教程:对于受雇于公司或政府的人员,规则可能涵盖以下事项:在家工作、远程访问、使用互联网、使用受版权保护的作品、为非官方目的使用系统资源、分配和限制系统特权以及个人问责。

$ S field (D) See: Security Level field.

$ S字段(D)请参阅:安全级别字段。

$ S-BGP (I) See: Secure BGP.

$ S-BGP(一)见:安全BGP。

$ S-HTTP (I) See: Secure Hypertext Transfer Protocol.

$ S-HTTP(I)见:安全超文本传输协议。

$ S/Key (I) A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. [R1760]

$ S/Key(I)一种安全机制,它使用加密哈希函数为远程用户登录生成64位一次性密码序列。[R1760]

Tutorial: The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one. (Thus, an intruder using wiretapping cannot compute a valid password from knowledge of one previously used.) The server verifies a password by hashing the currently presented password (or initialization value) one time and comparing the hash result with the previously presented password.

教程:客户端通过对用户的密钥多次应用MD4加密哈希函数来生成一次性密码。对于用户的每个连续身份验证,哈希应用程序的数量减少一个。(因此,使用窃听的入侵者无法根据之前使用的密码计算有效密码。)服务器通过将当前显示的密码(或初始化值)散列一次并将散列结果与之前显示的密码进行比较来验证密码。

$ S/MIME (I) See: Secure/MIME.

$ S/MIME(I)参见:Secure/MIME。

$ SAD (I) See: Security Association Database.

$ SAD(I)见:安全关联数据库。

$ safety (I) The property of a system being free from risk of causing harm (especially physical harm) to its system entities. (Compare: security.)

$ 安全性(I)系统的财产不存在对其系统实体造成伤害(尤其是物理伤害)的风险。(比较:安全性。)

$ SAID (I) See: security association identifier.

$ 所述(I)见:安全协会标识符。

$ salami swindle (D) /slang/ "Slicing off a small amount from each transaction. This kind of theft was made worthwhile by automation. Given a high transaction flow, even rounding down to the nearest cent and putting the 'extra' in a bogus account can be very profitable." [NCSSG]

$ 意大利腊肠诈骗(D)/俚语/“从每笔交易中切掉一小部分。这种盗窃行为通过自动化变得值得。在高交易流量下,即使舍入到最接近的一分钱,并将“额外”存入伪造账户也会非常有利可图。”[NCSSG]

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ salt (I) A data value used to vary the results of a computation in a security mechanism, so that an exposed computational result from one instance of applying the mechanism cannot be reused by an attacker in another instance. (Compare: initialization value.)

$ salt(I)用于改变安全机制中计算结果的数据值,以便攻击者无法在另一个实例中重用应用该机制的一个实例中暴露的计算结果。(比较:初始化值。)

Example: A password-based access control mechanism might protect against capture or accidental disclosure of its password file by applying a one-way encryption algorithm to passwords before storing them in the file. To increase the difficulty of off-line, dictionary attacks that match encrypted values of potential passwords against a copy of the password file, the mechanism can concatenate each password with its own random salt value before applying the one-way function.

示例:基于密码的访问控制机制可以通过在将密码存储在文件中之前对密码应用单向加密算法来防止其密码文件被捕获或意外泄露。为了增加离线字典攻击的难度,该攻击将潜在密码的加密值与密码文件的副本相匹配,该机制可以在应用单向函数之前将每个密码与其自身的随机salt值连接起来。

$ SAML (N) See: Security Assertion Markup Language (SAML).

$ SAML(N)请参阅:安全断言标记语言(SAML)。

$ sandbox (I) A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.

$ 沙盒(I)一种受限制、受控的执行环境,可防止潜在的恶意软件(如移动代码)访问任何系统资源,软件授权的系统资源除外。

$ sanitize 1. (I) Delete sensitive data from a file, device, or system. (See: erase, zeroize.)

$ 消毒1。(一) 从文件、设备或系统中删除敏感数据。(请参见:擦除、归零。)

2. (I) Modify data so as to be able either (a) to completely declassify it or (b) to downgrade it to a lower security level.

2. (一) 修改数据,以便能够(a)完全解密,或(b)将其降级到较低的安全级别。

$ SAP (O) See: special access program.

$ SAP(O)见:特殊访问计划。

$ SASL (I) See: Simple Authentication and Security Layer.

$ SASL(I)见:简单身份验证和安全层。

$ SCA (I) See: subordinate certification authority.

$ SCA(I)参见:下级证书颁发机构。

$ scavenging (I) /threat action/ See: secondary definition under "exposure".

$ 清除(I)/威胁行动/见“暴露”下的二级定义。

$ SCI (O) See: sensitive compartmented information.

$ SCI(O)见:敏感分隔信息。

$ SCIF (O) See: sensitive compartmented information facility.

$ SCIF(O)见:敏感隔离信息设施。

$ SCOMP (N) Secure COMmunications Processor; an enhanced, MLS version of the Honeywell Level 6 minicomputer. It was the first system to be rated in TCSEC Class A1. (See: KSOS.)

$ SCOMP(N)安全通信处理器;霍尼韦尔6级微型计算机的增强型MLS版本。这是第一个被评为TCSEC A1级的系统。(见:KSOS)

$ screen room (D) /slang/ Synonym for "shielded enclosure" in the context of electromagnetic emanations. (See: EMSEC, TEMPEST.)

$ 屏蔽室(D)/俚语/电磁辐射背景下“屏蔽外壳”的同义词。(见:EMSEC,TEMPEST)

Deprecated Term: To avoid international misunderstanding, IDOCs SHOULD NOT use this term.

不推荐使用的术语:为避免国际误解,IDOC不应使用此术语。

$ screening router (I) Synonym for "filtering router".

$ 屏蔽路由器(I)“过滤路由器”的同义词。

$ script kiddy (D) /slang/ A cracker who is able to use existing attack techniques (i.e., to read scripts) and execute existing attack software, but is unable to invent new exploits or manufacture the tools to perform them; pejoratively, an immature or novice cracker.

$ script kiddy(D)/俚语/能够使用现有攻击技术(即读取脚本)和执行现有攻击软件,但无法发明新的漏洞或制造工具来执行这些攻击的黑客;轻蔑地说,一个不成熟或新手。

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ SDE (N) See: Secure Data Exchange.

$ SDE(N)参见:安全数据交换。

$ SDNS (O) See: Secure Data Network System.

$ SDN(O)参见:安全数据网络系统。

$ SDU (N) See: "service data unit" under "protocol data unit".

$ SDU(N)参见“协议数据单元”下的“服务数据单元”。

$ seal 1. (I) To use asymmetric cryptography to encrypt plain text with a public key in such a way that only the holder of the matching private key can learn what was the plain text. [Chau] (Compare: shroud, wrap.)

$ 封条1。(一) 使用非对称加密技术用公钥加密纯文本,只有匹配私钥的持有者才能知道什么是纯文本。[周](比较:裹尸布、包裹)

Deprecated Usage: An IDOC SHOULD NOT use this term with definition 1 unless the IDOC includes the definition, because the definition is not widely known and the concept can be expressed by using other, standard terms. Instead, use "salt and encrypt" or other terminology that is specific with regard to the mechanism being used.

不推荐使用:除非IDOC包含该定义,否则IDOC不应将该术语与定义1一起使用,因为该定义并不广为人知,并且该概念可以通过使用其他标准术语来表达。相反,使用“salt和encrypt”或其他特定于所用机制的术语。

Tutorial: The definition does *not* say "only the holder of the matching private key can decrypt the ciphertext to learn what was the plaintext"; sealing is stronger than that. If Alice simply encrypts a plaintext P with a public key K to produce ciphertext C = K(P), then if Bob guesses that P = X, Bob could verify the guess by checking whether K(P) = K(X). To "seal" P and block Bob's guessing attack, Alice could attach a long string R of random bits to P before encrypting to produce C = K(P,R); if Bob guesses that P = X, Bob can only test the guess by also guessing R. (See: salt.)

教程:定义没有说“只有匹配私钥的持有者才能解密密文来了解什么是明文”;密封性比这强。如果Alice简单地用公钥K加密明文P以生成密文C=K(P),那么如果Bob猜测P=X,Bob可以通过检查K(P)=K(X)来验证猜测。为了“密封”P并阻止Bob的猜测攻击,Alice可以在加密产生C=K(P,R)之前将一个随机位的长字符串R附加到P上;如果Bob猜测P=X,Bob只能通过猜测R来测试猜测。(参见:salt。)

2. (D) To use cryptography to provide data integrity service for a data object. (See: sign.)

2. (D) 使用加密技术为数据对象提供数据完整性服务。(见:标志)

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2. Instead, use a term that is more specific with regard to the mechanism used to provide the data integrity service; e.g., use "sign" when the mechanism is digital signature.

不推荐使用的定义:IDOCs不应将此术语与定义2一起使用。相反,使用更具体的术语来描述用于提供数据完整性服务的机制;e、 例如,当机制是数字签名时,使用“签名”。

$ secret 1a. (I) /adjective/ The condition of information being protected from being known by any system entities except those that are intended to know it. (See: data confidentiality.)

$ 秘密1a。(一) /形容词/保护信息不被任何系统实体所知的状态,但打算知道它的系统实体除外。(见:数据保密。)

1b. (I) /noun/ An item of information that is protected thusly.

1b。(一) /noon/受保护的信息项。

Usage: This term applies to symmetric keys, private keys, and passwords.

用法:该术语适用于对称密钥、私钥和密码。

$ secret key (D) A key that is kept secret or needs to be kept secret.

$ 秘钥(D)被保密或需要保密的密钥。

Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. In the context of asymmetric cryptography, IDOCs SHOULD use "private key". In the context of symmetric cryptography, the adjective "secret" is unnecessary because all keys must be kept secret.

不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。在非对称加密的上下文中,idoc应该使用“私钥”。在对称密码的上下文中,形容词“secret”是不必要的,因为所有密钥都必须保密。

$ secret-key cryptography (D) Synonym for "symmetric cryptography".

$ 密钥加密(D)“对称加密”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it could be confused with "asymmetric cryptography", in which the private key is kept secret.

不推荐使用的术语:IDoc不应使用此术语;它可能与“非对称加密”相混淆,即私钥是保密的。

Derivation: Symmetric cryptography is sometimes called "secret-key cryptography" because entities that share the key, such as the originator and the recipient of a message, need to keep the key secret from other entities.

派生:对称加密有时被称为“密钥加密”,因为共享密钥的实体,如消息的发起者和接收者,需要对其他实体保密。

$ Secure BGP (S-BGP) (I) A project of BBN Technologies, sponsored by the U.S. DoD's Defense Advanced Research Projects Agency, to design and demonstrate an architecture to secure the Border Gateway Protocol (RFC 1771) and to promote deployment of that architecture in the Internet.

$ 安全BGP(S-BGP)(I)BBN Technologies的一个项目,由美国国防部国防高级研究项目局赞助,旨在设计和演示一种保护边界网关协议(RFC 1771)的体系结构,并促进该体系结构在互联网上的部署。

Tutorial: S-BGP incorporates three security mechanisms: - A PKI supports authentication of ownership of IP address blocks, autonomous system (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS. This PKI parallels and takes advantage of the Internet's existing IP address and AS number assignment system. - A new, optional, BGP transitive path attribute carries digital signatures (in "attestations") covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to

教程:S-BGP包含三种安全机制:-PKI支持IP地址块、自治系统(AS)编号、AS标识、BGP路由器标识及其代表AS的授权的所有权验证。此PKI与Internet现有的IP地址和AS号码分配系统并行并利用了它们。-新的可选BGP传递路径属性携带数字签名(在“证明”中),覆盖BGP更新中的路由信息。这些签名以及来自S-BGP PKI的证书使BGP路由更新的接收方能够

validate the attribute and gain trust in the address prefixes and path information that it contains. - IPsec provides data and partial sequence integrity, and enables BGP routers to authenticate each other for exchanges of BGP control traffic.

验证该属性并获得其包含的地址前缀和路径信息的信任。-IPsec提供数据和部分序列完整性,并使BGP路由器能够相互验证以交换BGP控制流量。

$ Secure Data Exchange (SDE) (N) A LAN security protocol defined by the IEEE 802.10 standard.

$ 安全数据交换(SDE)(N)由IEEE 802.10标准定义的局域网安全协议。

$ Secure Data Network System (SDNS) (O) An NSA program that developed security protocols for electronic mail (see: MSP), OSIRM Layer 3 (see: SP3), OSIRM Layer 4 (see: SP4), and key establishment (see: KMP).

$ 安全数据网络系统(SDNS)(O)一个NSA计划,为电子邮件(请参阅:MSP)、OSIRM第3层(请参阅:SP3)、OSIRM第4层(请参阅:SP4)和密钥建立(请参阅:KMP)开发安全协议。

$ secure distribution (I) See: trusted distribution.

$ 安全分发(I)请参阅:可信分发。

$ Secure Hash Algorithm (SHA) (N) A cryptographic hash function (specified in SHS) that produces an output (see: "hash result") -- of selectable length of either 160, 224, 256, 384, or 512 bits -- for input data of any length < 2**64 bits.

$ 安全散列算法(SHA)(N):一种加密散列函数(在SHS中指定),它为任何长度小于2**64位的输入数据生成输出(请参阅:“散列结果”)——可选择长度为160、224、256、384或512位。

$ Secure Hash Standard (SHS) (N) The U.S. Government standard [FP180] that specifies SHA.

$ 安全哈希标准(SHS)(N)指定SHA的美国政府标准[FP180]。

$ Secure Hypertext Transfer Protocol (S-HTTP) (I) An Internet protocol [R2660] for providing client-server security services for HTTP communications. (Compare: https.)

$ 安全超文本传输协议(S-HTTP)(I)为HTTP通信提供客户机-服务器安全服务的互联网协议[R2660]。(比较:https。)

Tutorial: S-HTTP was originally specified by CommerceNet, a coalition of businesses interested in developing the Internet for commercial uses. Several message formats may be incorporated into S-HTTP clients and servers, particularly CMS and MOSS. S-HTTP supports choice of security policies, key management mechanisms, and cryptographic algorithms through option negotiation between parties for each transaction. S-HTTP supports modes of operation for both asymmetric and symmetric cryptography. S-HTTP attempts to avoid presuming a particular trust model, but it attempts to facilitate multiply rooted, hierarchical trust and anticipates that principals may have many public-key certificates.

教程:S-HTTP最初由CommerceNet指定,CommerceNet是一个致力于开发商业用途互联网的企业联盟。可以将多种消息格式合并到S-HTTP客户端和服务器中,特别是CMS和MOSS。S-HTTP支持安全策略、密钥管理机制和加密算法的选择,通过各方之间为每个事务进行选项协商。S-HTTP支持非对称和对称加密的操作模式。S-HTTP试图避免假定特定的信任模型,但它试图促进多根、分层信任,并预期主体可能具有许多公钥证书。

$ Secure/MIME (S/MIME) (I) Secure/Multipurpose Internet Mail Extensions, an Internet protocol [R3851] to provide encryption and digital signatures for Internet mail messages.

$ 安全/MIME(S/MIME)(I)安全/多用途互联网邮件扩展,一种互联网协议[R3851],用于为互联网邮件消息提供加密和数字签名。

$ secure multicast (I) Refers generally to providing security services for multicast groups of various types (e.g., 1-to-N and M-to-N) and to classes of protocols used to protect multicast packets.

$ 安全多播(I)通常指为各种类型的多播组(例如,1-to-N和M-to-N)和用于保护多播分组的协议类别提供安全服务。

Tutorial: Multicast applications include video broadcast and multicast file transfer, and many of these applications require network security services. The Multicast Security Reference Framework [R3740] covers three functional areas: - Multicast data handling: Security-related treatment of multicast data by the sender and the receiver. - Group key management: Secure distribution and refreshment of keying material. (See: Group Domain of Interpretation.) - Multicast security policy: Policy translation and interpretation across the multiple administrative domains that typically are spanned by a multicast application.

教程:多播应用程序包括视频广播和多播文件传输,其中许多应用程序需要网络安全服务。多播安全参考框架[R3740]涵盖三个功能领域:-多播数据处理:发送方和接收方对多播数据的安全相关处理。-组密钥管理:密钥材料的安全分发和更新。(请参阅:组解释域。)-多播安全策略:多播应用程序通常跨越多个管理域的策略转换和解释。

$ Secure Shell(trademark) (SSH(trademark)) (N) Refers to a protocol for secure remote login and other secure network services.

$ Secure Shell(商标)(SSH(商标))(N)指用于安全远程登录和其他安全网络服务的协议。

Usage: On the Web site of SSH Communication Security Corporation, at http://www.ssh.com/legal_notice.html, it says, "SSH [and] the SSH logo ... are either trademarks or registered trademarks of SSH." This Glossary seeks to make readers aware of this trademark claim but takes no position on its validity.

用法:在SSH通信安全公司的网站上http://www.ssh.com/legal_notice.html,它说,“SSH[和]SSH徽标…要么是SSH的商标,要么是SSH的注册商标。”本词汇表旨在让读者了解这一商标声明,但对其有效性不持任何立场。

Tutorial: SSH has three main parts: - Transport layer protocol: Provides server authentication, confidentiality, and integrity; and can optionally provide compression. This layer typically runs over a TCP connection, but might also run on top of any other reliable data stream. - User authentication protocol: Authenticates the client-side user to the server. It runs over the transport layer protocol. - Connection protocol: Multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.

教程:SSH有三个主要部分:-传输层协议:提供服务器身份验证、机密性和完整性;并且可以选择性地提供压缩。该层通常通过TCP连接运行,但也可能在任何其他可靠数据流上运行。-用户身份验证协议:向服务器验证客户端用户。它通过传输层协议运行连接协议:将加密隧道多路复用到多个逻辑通道中。它通过用户身份验证协议运行。

$ Secure Sockets Layer (SSL) (N) An Internet protocol (originally developed by Netscape Communications, Inc.) that uses connection-oriented end-to-end encryption to provide data confidentiality service and data integrity service for traffic between a client (often a web browser) and a server, and that can optionally provide peer entity authentication between the client and the server. (See: Transport Layer Security.)

$ 安全套接字层(SSL)(N)一种互联网协议(最初由Netscape Communications,Inc.开发),它使用面向连接的端到端加密为客户端(通常是web浏览器)和服务器之间的通信提供数据保密服务和数据完整性服务,并且可以选择在客户端和服务器之间提供对等实体身份验证。(请参阅:传输层安全。)

Tutorial: SSL has two layers; SSL's lower layer, the SSL Record Protocol, is layered on top of an IPS Transport-Layer protocol and encapsulates protocols that run in the upper layer. The upper-layer protocols are the three SSL management protocols -- SSL Handshake Protocol, SSL Change Cipher Spec Protocol, or SSL Alert Protocol -- and some Application-Layer protocol (e.g., HTTP).

教程:SSL有两层;SSL的底层,即SSL记录协议,是在IPS传输层协议之上分层的,它封装了在上层运行的协议。上层协议是三个SSL管理协议——SSL握手协议、SSL更改密码规范协议或SSL警报协议——以及一些应用层协议(例如HTTP)。

The SSL management protocols provide asymmetric cryptography for server authentication (verifying the server's identity to the client) and optional client authentication (verifying the client's identity to the server), and also enable them, before the application protocol transmits or receives data, to negotiate a symmetric encryption algorithm and secret session key (to use for data confidentiality service) and a keyed hash (to use for data integrity service).

SSL管理协议为服务器身份验证(向客户端验证服务器的身份)和可选客户端身份验证(向服务器验证客户端的身份)提供非对称加密,并在应用协议传输或接收数据之前启用它们,协商对称加密算法和秘密会话密钥(用于数据保密服务)以及密钥散列(用于数据完整性服务)。

SSL is independent of the application it encapsulates, and any application can layer on top of SSL transparently. However, many Internet applications might be better served by IPsec.

SSL独立于它封装的应用程序,任何应用程序都可以透明地在SSL之上分层。但是,IPsec可能更好地服务于许多Internet应用程序。

$ secure state 1a. (I) A system condition in which the system is in conformance with the applicable security policy. (Compare: clean system, transaction.)

$ 安全状态1a。(一) 系统符合适用安全策略的一种系统状态。(比较:清洁系统、事务。)

1b. (I) /formal model/ A system condition in which no subject can access any object in an unauthorized manner. (See: secondary definition under "Bell-LaPadula model".)

1b。(一) /正式模型/主体不能以未经授权的方式访问任何对象的系统条件。(见“Bell-LaPadula模型”下的二级定义。)

$ security 1a. (I) A system condition that results from the establishment and maintenance of measures to protect the system.

$ 安全1a。(一) 由于建立和维护保护系统的措施而导致的系统状态。

1b. (I) A system condition in which system resources are free from unauthorized access and from unauthorized or accidental change, destruction, or loss. (Compare: safety.)

1b。(一) 一种系统状态,在此状态下,系统资源不受未经授权的访问,也不受未经授权或意外的更改、破坏或丢失。(比较:安全性。)

2. (I) Measures taken to protect a system.

2. (一) 为保护系统而采取的措施。

Tutorial: Parker [Park] suggests that providing a condition of system security may involve the following six basic functions, which overlap to some extent: - "Deterrence": Reducing an intelligent threat by discouraging action, such as by fear or doubt. (See: attack, threat action.) - "Avoidance": Reducing a risk by either reducing the value of the potential loss or reducing the probability that the loss will occur. (See: risk analysis. Compare: "risk avoidance" under "risk".)

教程:Park[Park]建议,提供系统安全条件可能涉及以下六个基本功能,这些功能在某种程度上重叠:-“威慑”:通过阻止行动(如恐惧或怀疑)来减少智能威胁。(参见:攻击、威胁行动)-“规避”:通过降低潜在损失的价值或降低损失发生的概率来降低风险。(参见:风险分析。比较“风险”下的“风险规避”。)

- "Prevention": Impeding or thwarting a potential security violation by deploying a countermeasure. - "Detection": Determining that a security violation is impending, is in progress, or has recently occurred, and thus make it possible to reduce the potential loss. (See: intrusion detection.) - "Recovery": Restoring a normal state of system operation by compensating for a security violation, possibly by eliminating or repairing its effects. (See: contingency plan, main entry for "recovery".) - "Correction": Changing a security architecture to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence, such as by eliminating a vulnerability.

- “预防”:通过部署对策来阻止或挫败潜在的安全违规行为。-“检测”:确定安全违规即将发生、正在发生或最近发生,从而有可能减少潜在损失。(请参阅:入侵检测)-“恢复”:通过补偿安全违规,可能通过消除或修复其影响,恢复系统运行的正常状态。(请参阅:应急计划,“恢复”的主要条目)-“纠正”:更改安全体系结构以消除或减少安全违规或威胁后果再次发生的风险,例如通过消除漏洞。

$ security architecture (I) A plan and set of principles that describe (a) the security services that a system is required to provide to meet the needs of its users, (b) the system components required to implement the services, and (c) the performance levels required in the components to deal with the threat environment (e.g., [R2179]). (See: defense in depth, IATF, OSIRM Security Architecture, security controls, Tutorial under "security policy".)

$ 安全架构(I)一个计划和一组原则,描述(A)系统需要提供的安全服务以满足其用户的需求,(b)实现服务所需的系统组件,以及(c)组件处理威胁环境所需的性能级别(例如,[R2179])。(请参阅:纵深防御、IATF、OSIRM安全体系结构、安全控制、“安全策略”下的教程。)

Tutorial: A security architecture is the result of applying the system engineering process. A complete system security architecture includes administrative security, communication security, computer security, emanations security, personnel security, and physical security. A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats.

教程:安全体系结构是应用系统工程过程的结果。完整的系统安全架构包括管理安全、通信安全、计算机安全、发射安全、人员安全和物理安全。一个完整的安全体系结构需要同时处理有意的、智能的威胁和意外的威胁。

$ Security Assertion Markup Language (SAML) (N) A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between on-line business partners. [SAML]

$ 安全断言标记语言(SAML)(N):一种协议,由基于XML的请求和响应消息格式组成,用于在在线业务合作伙伴之间交换安全信息,以主题断言的形式表示。[SAML]

$ security association 1. (I) A relationship established between two or more entities to enable them to protect data they exchange. (See: association, ISAKMP, SAD. Compare: session.)

$ 安全协会1。(一) 两个或多个实体之间建立的关系,使它们能够保护它们交换的数据。(请参阅:关联、ISAKMP、SAD。比较:会话。)

Tutorial: The relationship is represented by a set of data that is shared between the entities and is agreed upon and considered a contract between them. The data describes how the associated entities jointly use security services. The relationship is used to negotiate characteristics of security mechanisms, but the

教程:关系由一组数据表示,这些数据在实体之间共享,并在实体之间达成一致并被视为一个契约。数据描述了关联实体如何联合使用安全服务。该关系用于协商安全机制的特征,但

relationship is usually understood to exclude the mechanisms themselves.

关系通常被理解为排除机制本身。

2. (I) /IPsec/ A simplex (uni-directional) logical connection created for security purposes and implemented with either AH or ESP (but not both). The security services offered by a security association depend on the protocol (AH or ESP), the IPsec mode (transport or tunnel), the endpoints, and the election of optional services within the protocol. A security association is identified by a triple consisting of (a) a destination IP address, (b) a protocol (AH or ESP) identifier, and (c) a Security Parameter Index.

2. (一) /IPsec/为安全目的创建的单工(单向)逻辑连接,可使用AH或ESP(但不能同时使用两者)实现。安全关联提供的安全服务取决于协议(AH或ESP)、IPsec模式(传输或隧道)、端点以及协议中可选服务的选择。安全关联由三元组标识,三元组由(A)目标IP地址、(b)协议(AH或ESP)标识符和(c)安全参数索引组成。

3. (O) "A set of policy and cryptographic keys that provide security services to network traffic that matches that policy". [R3740] (See: cryptographic association, group security association.)

3. (O) “为符合该策略的网络流量提供安全服务的一组策略和加密密钥”。[R3740](请参阅:加密关联、组安全关联。)

4. (O) "The totality of communications and security mechanisms and functions (e.g., communications protocols, security protocols, security mechanisms and functions) that securely binds together two security contexts in different end systems or relay systems supporting the same information domain." [DoD6]

4. (O) “将支持同一信息域的不同终端系统或中继系统中的两个安全上下文安全地绑定在一起的通信和安全机制及功能(如通信协议、安全协议、安全机制和功能)的总和。”[DoD6]

$ Security Association Database (SAD) (I) /IPsec/ In an IPsec implementation that operates in a network node, a database that contains parameters to describe the status and operation of each of the active security associations that the node has established with other nodes. Separate inbound and outbound SADs are needed because of the directionality of IPsec security associations. [R4301] (Compare: SPD.)

$ 安全关联数据库(SAD)(I)/IPsec/在网络节点中运行的IPsec实现中,包含参数的数据库,用于描述节点与其他节点建立的每个活动安全关联的状态和操作。由于IPsec安全关联的方向性,需要单独的入站和出站SAD。[R4301](比较:SPD)

$ security association identifier (SAID) (I) A data field in a security protocol (such as NLSP or SDE), used to identify the security association to which a PDU is bound. The SAID value is usually used to select a key for decryption or authentication at the destination. (See: Security Parameter Index.)

$ 安全关联标识符(所述)(I)安全协议(如NLSP或SDE)中的数据字段,用于标识PDU绑定到的安全关联。所述值通常用于在目的地选择用于解密或认证的密钥。(请参阅:安全参数索引。)

$ security assurance 1. (I) An attribute of an information system that provides grounds for having confidence that the system operates such that the system's security policy is enforced. (Compare: trust.)

$ 安全保证1。(一) 信息系统的一种属性,它使人们有理由相信该系统的运行能够执行系统的安全策略。(比较:信任。)

2. (I) A procedure that ensures a system is developed and operated as intended by the system's security policy.

2. (一) 确保系统按照系统安全策略的预期开发和运行的程序。

3. (D) "The degree of confidence one has that the security controls operate correctly and protect the system as intended." [SP12]

3. (D) “安全控制正确运行并按预期保护系统的信心程度。”[SP12]

Deprecated Definition: IDOCs SHOULD NOT use definition 3; it is a definition for "assurance level" rather than for "assurance".

不推荐使用的定义:IDoc不应使用定义3;它是对“保证水平”的定义,而不是对“保证”的定义。

4. (D) /U.S. Government, identity authentication/ The (a) "degree of confidence in the vetting process used to establish the identity of the individual to whom the [identity] credential was issued" and the (b) "degree of confidence that the individual who uses the credential is the individual to whom the credential was issued". [M0404]

4. (D) /美国政府,身份认证/a“用于确定[身份]凭证颁发给的个人身份的审查过程的信任度”和b“使用凭证的个人是凭证颁发给的个人的信任度”。[M0404]

Deprecated Definition: IDOCs SHOULD NOT use definition 4; it mixes concepts in a potentially misleading way. Part "a" is a definition for "assurance level" (rather than "security assurance") of an identity registration process; and part "b" is a definition for "assurance level" (rather than "security assurance") of an identity authentication process. Also, the processes of registration and authentication should be defined and designed separately to ensure clarity in certification.

不推荐使用的定义:IDoc不应使用定义4;它以一种潜在误导的方式混合概念。“a”部分是对身份登记过程的“保证级别”(而非“安全保证”)的定义;“b”部分是身份验证过程的“保证级别”(而不是“安全保证”)的定义。此外,登记和认证过程应单独定义和设计,以确保认证的清晰性。

$ security audit (I) An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. [I7498-2, NCS01] (Compare: accounting, intrusion detection.)

$ 安全审计(I)对系统的记录和活动进行独立审查和检查,以确定系统控制的充分性,确保符合既定的安全政策和程序,检测安全服务中的违规行为,并建议针对应对措施的任何变更。[I7498-2,NCS01](比较:记帐、入侵检测。)

Tutorial: The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions. Thus, means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate security violations.

教程:基本审计目标是为发起或参与安全相关事件和行动的系统实体建立问责制。因此,需要采取措施来生成和记录安全审计跟踪,并审查和分析审计跟踪,以发现和调查安全违规行为。

$ security audit trail (I) A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results. [NCS04] (See: security audit.)

$ 安全审计跟踪(I)系统活动的时间顺序记录,足以重建和检查从开始到最终结果的安全相关交易中围绕或导致操作、程序或事件的环境和活动序列。[NCS04](参见:安全审计。)

$ security by obscurity (O) Attempting to maintain or increase security of a system by keeping secret the design or construction of a security mechanism.

$ 隐蔽性安全(O)试图通过保密安全机制的设计或构造来维护或提高系统的安全性。

Tutorial: This approach has long been discredited in cryptography, where the phrase refers to trying to keep an algorithm secret, rather than just concealing the keys [Schn]. One must assume that mass-produced or widely fielded cryptographic devices eventually will be lost or stolen and, therefore, that the algorithms will be reverse engineered and become known to the adversary. Thus, one should rely on only those algorithms and protocols that are strong enough to have been published widely, and have been peer reviewed for long enough that their flaws have been found and removed. For example, NIST used a long, public process to select AES to replace DES.

教程:这种方法长期以来在密码学中受到质疑,这个短语指的是试图对算法保密,而不仅仅是隐藏密钥[Schn]。我们必须假设大规模生产或广泛部署的加密设备最终将丢失或被盗,因此,算法将被反向工程并为对手所知。因此,我们应该只依赖那些足够强大的算法和协议,这些算法和协议已经被广泛发布,并且已经被同行评审了足够长的时间,从而发现并消除了它们的缺陷。例如,NIST使用了一个漫长的公共过程来选择AES来取代DES。

In computer and network security, the principle of "no security by obscurity" also applies to security mechanisms other than cryptography. For example, if the design and implementation of a protocol for access control are strong, then reading the protocol's source code should not enable you to find a way to evade the protection and penetrate the system.

在计算机和网络安全中,“隐蔽不安全”原则也适用于加密以外的安全机制。例如,如果访问控制协议的设计和实现非常强大,那么阅读该协议的源代码不应使您能够找到逃避保护和渗透系统的方法。

$ security class (D) Synonym for "security level".

$ 安全等级(D)是“安全等级”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term. Instead, use "security level", which is more widely established and understood.

不推荐使用的术语:IDOCs不应使用此术语。取而代之的是,使用“安全级别”,这是一个更广泛建立和理解的级别。

$ security clearance (I) A determination that a person is eligible, under the standards of a specific security policy, for authorization to access sensitive information or other system resources. (See: clearance level.)

$ 安全许可(I)根据特定安全策略的标准,确定某人有资格获得访问敏感信息或其他系统资源的授权。(请参见:间隙水平。)

$ security compromise (I) A security violation in which a system resource is exposed, or is potentially exposed, to unauthorized access. (Compare: data compromise, exposure, violation.)

$ 安全隐患(I)系统资源暴露或可能暴露于未经授权的访问的安全违规行为。(比较:数据泄露、暴露、违规。)

$ security controls (N) The management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system which, taken together, satisfy the specified security requirements and adequately protect the confidentiality, integrity, and availability of the system and its information. [FP199] (See: security architecture.)

$ 安全控制(N)为信息系统规定的管理、操作和技术控制(保障措施或对策),这些控制措施合在一起满足规定的安全要求,并充分保护系统及其信息的机密性、完整性和可用性。[FP199](参见:安全体系结构。)

$ security doctrine (I) A specified set of procedures or practices that direct or provide guidance for how to comply with security policy. (Compare: security mechanism, security policy.)

$ 安全原则(I)指导或指导如何遵守安全政策的一套特定程序或实践。(比较:安全机制、安全策略。)

Tutorial: Security policy and security doctrine are closely related. However, policy deals mainly with strategy, and doctrine deals with tactics.

教程:安全策略和安全原则密切相关。然而,政策主要涉及战略,理论则涉及战术。

Security doctrine is often understood to refer mainly to administrative security, personnel security, and physical security. For example, security mechanisms and devices that implement them are normally designed to operate in a limited range of environmental and administrative conditions, and these conditions must be met to complement and ensure the technical protection afforded by the hardware, firmware, and software in the devices. Security doctrine specifies how to achieve those conditions. (See: "first law" under "Courtney's laws".)

安全原则通常被理解为主要指行政安全、人员安全和人身安全。例如,安全机制和实现它们的设备通常设计为在有限的环境和管理条件下运行,必须满足这些条件,以补充和确保设备中的硬件、固件和软件提供的技术保护。安全原则规定了如何实现这些条件。(见“考特尼定律”下的“第一定律”。)

$ security domain (I) See: domain.

$ 安全域(I)请参阅:域。

$ security environment (I) The set of external entities, procedures, and conditions that affect secure development, operation, and maintenance of a system. (See: "first law" under "Courtney's laws".)

$ 安全环境(I)影响系统安全开发、操作和维护的一组外部实体、程序和条件。(见“考特尼定律”下的“第一定律”。)

$ security event (I) An occurrence in a system that is relevant to the security of the system. (See: security incident.)

$ 安全事件(I)系统中与系统安全相关的事件。(见:安全事件)

Tutorial: The term covers both events that are security incidents and those that are not. In a CA workstation, for example, a list of security events might include the following: - Logging an operator into or out of the system. - Performing a cryptographic operation, e.g., signing a digital certificate or CRL. - Performing a cryptographic card operation: creation, insertion, removal, or backup. - Performing a digital certificate lifecycle operation: rekey, renewal, revocation, or update. - Posting a digital certificate to an X.500 Directory. - Receiving a key compromise notification. - Receiving an improper certification request. - Detecting an alarm condition reported by a cryptographic module. - Failing a built-in hardware self-test or a software system integrity check.

教程:该术语包括安全事件和非安全事件。例如,在CA工作站中,安全事件列表可能包括以下内容:-将操作员登录或注销系统。-执行加密操作,例如签署数字证书或CRL。-执行加密卡操作:创建、插入、删除或备份。-执行数字证书生命周期操作:重新设置密钥、续订、吊销或更新。-将数字证书发布到X.500目录。-收到密钥泄露通知。-收到不正确的认证请求。-检测加密模块报告的报警条件。-未通过内置硬件自检或软件系统完整性检查。

$ security fault analysis (I) A security analysis, usually performed on hardware at the level of gate logic, gate-by-gate, to determine the security properties of a device when a hardware fault is encountered.

$ 安全故障分析(I)一种安全分析,通常在门逻辑级别对硬件执行,逐门分析,以确定遇到硬件故障时设备的安全属性。

$ security function (I) A function in a system that is relevant to the security of the system; i.e., a system function that must operate correctly to ensure adherence to the system's security policy.

$ 安全功能(I)系统中与系统安全相关的功能;i、 例如,必须正确运行的系统功能,以确保遵守系统的安全策略。

$ security gateway 1. (I) An internetwork gateway that separates trusted (or relatively more trusted) hosts on one side from untrusted (or less trusted) hosts on the other side. (See: firewall and guard.)

$ 安全网关1。(一) 一种互联网网关,用于将一端受信任(或相对更受信任)的主机与另一端不受信任(或不太受信任)的主机分开。(请参阅:防火墙和防护。)

2. (O) /IPsec/ "An intermediate system that implements IPsec protocols." [R4301]

2. (O) /IPsec/“实现IPsec协议的中间系统。”[R4301]

Tutorial: IPsec's AH or ESP can be implemented on a gateway between a protected network and an unprotected network, to provide security services to the protected network's hosts when they communicate across the unprotected network to other hosts and gateways.

教程:IPsec的AH或ESP可以在受保护网络和未受保护网络之间的网关上实现,以便在受保护网络的主机通过未受保护的网络与其他主机和网关通信时为其提供安全服务。

$ security incident 1. (I) A security event that involves a security violation. (See: CERT, security event, security intrusion, security violation.)

$ 安全事件1。(一) 涉及安全违规的安全事件。(请参阅:证书、安全事件、安全入侵、安全违规。)

Tutorial: In other words, a security event in which the system's security policy is disobeyed or otherwise breached.

教程:换句话说,一种安全事件,在这种事件中,系统的安全策略被违反或以其他方式被破坏。

2. (D) "Any adverse event [that] compromises some aspect of computer or network security." [R2350]

2. (D) “任何危害计算机或网络安全的不利事件。”[R2350]

Deprecated Definition: IDOCs SHOULD NOT use definition 2 because (a) a security incident may occur without actually being harmful (i.e., adverse) and because (b) this Glossary defines "compromise" more narrowly in relation to unauthorized access.

不推荐使用的定义:IDOCs不应使用定义2,因为(a)安全事件可能发生,但实际上并不有害(即不利),并且(b)本术语表对未经授权访问的“危害”定义更为狭义。

3. (D) "A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices." [SP61]

3. (D) “违反或即将威胁违反计算机安全策略、可接受的使用策略或标准计算机安全实践。”[SP61]

Deprecated Definition: IDOCs SHOULD NOT use definition 3 because it mixes concepts in way that does not agree with common usage; a security incident is commonly thought of as involving a realization of a threat (see: threat action), not just a threat.

不推荐使用的定义:IDOCs不应该使用定义3,因为它以与常用用法不一致的方式混合概念;安全事件通常被认为涉及威胁的实现(参见:威胁行动),而不仅仅是威胁。

$ security intrusion (I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.

$ 安全入侵(I)构成安全事件的安全事件或多个安全事件的组合,其中入侵者未经授权获取或试图获取对系统或系统资源的访问权。

$ security kernel (I) "The hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct." [NCS04] (See: kernel, TCB.)

$ 安全内核(I)“实现参考监视器概念的可信计算基础的硬件、固件和软件元素。它必须调解所有访问,防止修改,并可验证为正确。”[NCS04](参见:内核,TCB。)

Tutorial: A security kernel is an implementation of a reference monitor for a given hardware base. [Huff]

教程:安全内核是给定硬件基础的参考监视器的实现。[怒火]

$ security label (I) An item of meta-data that designates the value of one or more security-relevant attributes (e.g., security level) of a system resource. (See: [R1457]. Compare: security marking.)

$ 安全标签(I)元数据项,用于指定系统资源的一个或多个安全相关属性(例如,安全级别)的值。(请参见:[R1457]。比较:安全标记。)

Deprecated usage: To avoid confusion, IDOCs SHOULD NOT use "security label" for "security marking", or vice versa, even though that is commonly done (including in some national and international standards that should know better).

不推荐的用法:为避免混淆,IDOC不应将“安全标签”用于“安全标记”,反之亦然,即使通常这样做(包括在一些应该更清楚的国家和国际标准中)。

Tutorial: Humans and automated security mechanisms use a security label of a system resource to determine, according to applicable security policy, how to control access to the resource (and they affix appropriate, matching security markings to physical instances of the resource). Security labels are most often used to support data confidentiality policy, and sometimes used to support data integrity policy.

教程:人工和自动安全机制使用系统资源的安全标签,根据适用的安全策略确定如何控制对资源的访问(并将适当的匹配安全标记粘贴到资源的物理实例)。安全标签通常用于支持数据机密性策略,有时用于支持数据完整性策略。

As explained in [R1457], the form that is taken by security labels of a protocol's packets varies depending on the OSIRM layer in which the protocol operates. Like meta-data generally, a security label of a data packet may be either explicit (e.g., IPSO) or implicit (e.g., Alice treats all messages received from Bob as being labeled "Not For Public Release"). In a connectionless protocol, every packet might have an explicit label; but in a connection-oriented protocol, all packets might have the same implicit label that is determined at the time the connection is established.

如[R1457]所述,协议数据包的安全标签所采用的形式因协议运行所在的OSIRM层而异。与一般元数据一样,数据包的安全标签可以是显式的(例如IPSO)或隐式的(例如,Alice将从Bob收到的所有消息都标记为“不公开发布”)。在无连接协议中,每个数据包可能有一个明确的标签;但在面向连接的协议中,所有数据包都可能具有在建立连接时确定的相同隐式标签。

Both classified and unclassified system resources may require a security label. (See: FOUO.)

机密和非机密系统资源都可能需要安全标签。(见:FOUO)

$ security level (I) The combination of a hierarchical classification level and a set of non-hierarchical category designations that represents how sensitive a specified type or item of information is. (See: dominate, lattice model. Compare: classification level.)

$ 安全级别(I)分级分类级别和一组非分级类别名称的组合,表示指定类型或信息项的敏感程度。(请参见:支配,晶格模型。比较:分类级别。)

Usage: IDOCs that use this term SHOULD state a definition for it. The term is usually understood to involve sensitivity to disclosure, but it also is used in many other ways and could easily be misunderstood.

用法:使用此术语的IDoc应说明其定义。该术语通常被理解为涉及对披露的敏感性,但它也被用于许多其他方式,很容易被误解。

$ Security Level field (I) A 16-bit field that specifies a security level value in the security option (option type 130) of version 4 IP's datagram header format.

$ 安全级别字段(I)一个16位字段,指定版本4 IP数据报报头格式的安全选项(选项类型130)中的安全级别值。

Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "S field", which is potentially ambiguous.

不推荐使用的缩写:IDOCs不应使用缩写“S”字段,这可能会造成歧义。

$ security management infrastructure (SMI) (I) System components and activities that support security policy by monitoring and controlling security services and mechanisms, distributing security information, and reporting security events.

$ 安全管理基础设施(SMI)(I)通过监视和控制安全服务和机制、分发安全信息和报告安全事件来支持安全策略的系统组件和活动。

Tutorial: The associated functions are as follows [I7498-4]: - Controlling (granting or restricting) access to system resources: This includes verifying authorizations and identities, controlling access to sensitive security data, and modifying access priorities and procedures in the event of attacks. - Retrieving (gathering) and archiving (storing) security information: This includes logging security events and analyzing the log, monitoring and profiling usage, and reporting security violations. - Managing and controlling the encryption process: This includes performing the functions of key management and reporting on key management problems. (See: PKI.)

教程:相关功能如下[I7498-4]:-控制(授予或限制)对系统资源的访问:这包括验证授权和身份,控制对敏感安全数据的访问,以及在发生攻击时修改访问优先级和过程。-检索(收集)和归档(存储)安全信息:这包括记录安全事件和分析日志、监视和分析使用情况以及报告安全违规行为。-管理和控制加密过程:这包括执行密钥管理功能和报告密钥管理问题。(见:PKI)

$ security marking (I) A physical marking that is bound to an instance of a system resource and that represents a security label of the resource, i.e., that names or designates the value of one or more security-relevant attributes of the resource. (Compare: security label.)

$ 安全标记(I)绑定到系统资源实例的物理标记,表示资源的安全标签,即命名或指定资源的一个或多个安全相关属性的值。(比较:安全标签。)

Tutorial: A security label may be represented by various equivalent markings depending on the physical form taken by the labeled resource. For example, a document could have a marking composed of a bit pattern [FP188] when the document is stored electronically as a file in a computer, and also a marking of printed alphabetic characters when the document is in paper form.

教程:安全标签可以由各种等效标记表示,具体取决于标记资源所采用的物理形式。例如,当文档以电子方式作为文件存储在计算机中时,文档可以具有由位模式[FP188]组成的标记,并且当文档以纸质形式存储时,还可以具有打印字母字符的标记。

$ security mechanism (I) A method or process (or a device incorporating it) that can be used in a system to implement a security service that is provided by or within the system. (See: Tutorial under "security policy". Compare: security doctrine.)

$ 安全机制(I)可在系统中用于实现由系统提供或在系统内提供的安全服务的方法或过程(或包含它的设备)。(请参阅“安全策略”下的教程。比较:安全原则。)

Usage: Usually understood to refer primarily to components of communication security, computer security, and emanation security.

用法:通常理解为主要指通信安全、计算机安全和发射安全的组件。

Examples: Authentication exchange, checksum, digital signature, encryption, and traffic padding.

示例:身份验证交换、校验和、数字签名、加密和流量填充。

$ security model (I) A schematic description of a set of entities and relationships by which a specified set of security services are provided by or within a system. Example: Bell-LaPadula model, OSIRM. (See: Tutorial under "security policy".)

$ 安全模型(I)一组实体和关系的示意图描述,通过这些实体和关系,指定的一组安全服务由系统提供或在系统内提供。示例:贝尔-拉帕杜拉模型,OSIRM。(请参阅“安全策略”下的教程。)

$ security parameters index (SPI) 1. (I) /IPsec/ A 32-bit identifier used to distinguish among security associations that terminate at the same destination (IP address) and use the same security protocol (AH or ESP). Carried in AH and ESP to enable the receiving system to determine under which security association to process a received packet.

$ 安全参数索引(SPI)1。(一) /IPsec/一个32位标识符,用于区分终止于同一目标(IP地址)并使用相同安全协议(AH或ESP)的安全关联。在AH和ESP中携带,使接收系统能够确定在哪个安全关联下处理接收到的数据包。

2. (I) /mobile IP/ A 32-bit index identifying a security association from among the collection of associations that are available between a pair of nodes, for application to mobile IP protocol messages that the nodes exchange.

2. (一) /mobile IP/32位索引,从一对节点之间可用的关联集合中识别安全关联,用于节点交换的应用程序到移动IP协议消息。

$ security perimeter (I) A physical or logical boundary that is defined for a domain or enclave and within which a particular security policy or security architecture applies. (See: insider, outsider.)

$ 安全边界(I)为域或飞地定义的物理或逻辑边界,特定安全策略或安全架构适用于该边界。(参见:内部人、外部人。)

$ security policy 1. (I) A definite goal, course, or method of action to guide and determine present and future decisions concerning security in a system. [NCS03, R3198] (Compare: certificate policy.)

$ 安全政策1。(一) 一种明确的目标、过程或行动方法,用于指导和确定当前和未来有关系统安全性的决策。[NCS03,R3198](比较:证书策略。)

2a. (I) A set of policy rules (or principles) that direct how a system (or an organization) provides security services to protect sensitive and critical system resources. (See: identity-based security policy, policy rule, rule-based security policy, rules of behavior. Compare: security architecture, security doctrine, security mechanism, security model, [R1281].)

2a。(一) 指导系统(或组织)如何提供安全服务以保护敏感和关键系统资源的一组策略规则(或原则)。(请参阅:基于身份的安全策略、策略规则、基于规则的安全策略、行为规则。比较:安全体系结构、安全原则、安全机制、安全模型,[R1281]。)

2b. (O) A set of rules to administer, manage, and control access to network resources. [R3060, R3198]

2b。(O) 用于管理、管理和控制对网络资源的访问的一组规则。[R3060,R3198]

2c. (O) /X.509/ A set of rules laid down by an authority to govern the use and provision of security services and facilities.

2c。(O) /X.509/由当局制定的一套规则,用于管理安全服务和设施的使用和提供。

2d. (O) /Common Criteria/ A set of rules that regulate how assets are managed, protected, and distributed within a TOE.

2d。(O) /Common Criteria/TOE中管理、保护和分配资产的一组规则。

Tutorial: Ravi Sandhu suggests that security policy is one of four layers of the security engineering process (as shown in the following diagram). Each layer provides a different view of security, ranging from what services are needed to how services are implemented.

教程:Ravi Sandhu建议安全策略是安全工程过程的四层之一(如下图所示)。每一层都提供了不同的安全视图,范围从需要什么服务到如何实现服务。

         What Security Services
         Should Be Provided?        +- - - - - - - - - - - - -+
         ^  +- - - - - - - - - - - -| Mission Functions View  |
         |  | Security Policy       |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Domain Practices View   |
         |  | Security Model        |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Enclave Services View   |
         |  | Security Architecture |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Agent Mechanisms View   |
         |  | Security Mechanism    |- - - - - - - - - - - - -+
         v  +- - - - - - - - - - - -| Platform Devices View   |
         How Are Security           +- - - - - - - - - - - - -+
         Services Implemented?
        
         What Security Services
         Should Be Provided?        +- - - - - - - - - - - - -+
         ^  +- - - - - - - - - - - -| Mission Functions View  |
         |  | Security Policy       |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Domain Practices View   |
         |  | Security Model        |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Enclave Services View   |
         |  | Security Architecture |- - - - - - - - - - - - -+
         |  +- - - - - - - - - - - -| Agent Mechanisms View   |
         |  | Security Mechanism    |- - - - - - - - - - - - -+
         v  +- - - - - - - - - - - -| Platform Devices View   |
         How Are Security           +- - - - - - - - - - - - -+
         Services Implemented?
        

We suggest that each of Sandhu's four layers is a mapping between two points of view that differ in their degree of abstraction, according to the perspectives of various participants in system design, development, and operation activities, as follows:. - Mission functions view: The perspective of a user of system resources. States time-phased protection needs for resources and identifies sensitive and critical resources -- networks, hosts, applications, and databases. Independent of rules and practices used to achieve protection. - Domain practices view: The perspective of an enterprise manager who sets protection standards for resources. States rules and practices for protection. Identifies domain members; i.e., entities (users/providers) and resources (including data objects). Independent of system topology. Not required to be hierarchical. - Enclave services view: The perspective of a system designer who allocates security functions to major components. Assigns security services to system topology structures and their

根据系统设计、开发和运营活动的不同参与者的观点,我们认为Sandhu的四个层中的每一层都是两个抽象程度不同的观点之间的映射,如下所示:任务功能视图:系统资源用户的视角。说明资源的分阶段保护需求,并确定敏感和关键资源—网络、主机、应用程序和数据库。独立于用于实现保护的规则和实践。-域实践视图:为资源设置保护标准的企业经理的视角。国家保护的规则和惯例。识别域成员;i、 实体(用户/提供者)和资源(包括数据对象)。独立于系统拓扑。不要求具有层次结构。-Enclave服务视图:将安全功能分配给主要组件的系统设计师的视角。将安全服务分配给系统拓扑结构及其

contents. Independent of security mechanisms. Hierarchical across all domains. - Agent mechanisms view: The perspective of a system engineer who specifies security mechanisms to implement security services. Specifies mechanisms to be used by protocol, database, and application engines. Independent of type and manufacture of platforms and other physical devices. - Platform devices view: The perspective of an as-built description of the system in operation. Specifies exactly how to build or assemble the system, and also specifies procedures for operating the system.

目录独立于安全机制。跨所有域的层次结构。-代理机制视图:指定安全机制以实现安全服务的系统工程师的视角。指定协议、数据库和应用程序引擎要使用的机制。独立于平台和其他物理设备的类型和制造。-平台设备视图:运行中系统的竣工描述透视图。精确指定如何构建或组装系统,还指定操作系统的过程。

$ Security Policy Database (SPD) (I) /IPsec/ In an IPsec implementation operating in a network node, a database that contains parameters that specify policies set by a user or administrator to determine what IPsec services, if any, are to be provided to IP datagrams sent or received by the node, and in what fashion they are provided. For each datagram, the SPD specifies one of three choices: discard the datagram, apply IPsec services (e.g., AH or ESP), or bypass IPsec. Separate inbound and outbound SPDs are needed because of the directionality of IPsec security associations. [R4301] (Compare: SAD.)

$ 安全策略数据库(SPD)(I)/IPsec/在网络节点中运行的IPsec实现中,包含参数的数据库,这些参数指定用户或管理员设置的策略,以确定将向节点发送或接收的IP数据报提供哪些IPsec服务(如果有),以及以何种方式提供这些服务。对于每个数据报,SPD指定三种选择之一:丢弃数据报、应用IPsec服务(例如AH或ESP)或绕过IPsec。由于IPsec安全关联的方向性,需要单独的入站和出站SPD。[R4301](比较:悲伤)

$ Security Protocol 3 (SP3) (O) A protocol [SDNS3] developed by SDNS to provide connectionless data security at the top of OSIRM Layer 3. (Compare: IPsec, NLSP.)

$ 安全协议3(SP3)(O)由SDN开发的协议[SDNS3],用于在OSIRM第3层的顶部提供无连接数据安全。(比较:IPsec和NLSP。)

$ Security Protocol 4 (SP4) (O) A protocol [SDNS4] developed by SDNS to provide either connectionless or end-to-end connection-oriented data security at the bottom of OSIRM Layer 4. (See: TLSP.)

$ 安全协议4(SP4)(O)由SDN开发的协议[SDNS4],用于在OSIRM第4层底部提供无连接或面向端到端连接的数据安全。(见:TLSP)

$ security-relevant event (D) Synonym for "security event".

$ 安全相关事件(D)“安全事件”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it is wordy.

不推荐使用的术语:IDoc不应使用此术语;太罗嗦了。

$ security-sensitive function (D) Synonym for "security function".

$ 安全敏感功能(D)“安全功能”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this term; it is wordy.

不推荐使用的术语:IDoc不应使用此术语;太罗嗦了。

$ security service 1. (I) A processing or communication service that is provided by a system to give a specific kind of protection to system resources. (See: access control service, audit service, availability service, data confidentiality service, data integrity service, data origin

$ 保安服务1。(一) 由系统提供的一种处理或通信服务,为系统资源提供某种特定的保护。(请参阅:访问控制服务、审核服务、可用性服务、数据保密服务、数据完整性服务、数据来源)

authentication service, non-repudiation service, peer entity authentication service, system integrity service.)

认证服务、不可否认性服务、对等实体认证服务、系统完整性服务。)

Tutorial: Security services implement security policies, and are implemented by security mechanisms.

教程:安全服务实现安全策略,并通过安全机制实现。

2. (O) "A service, provided by a layer of communicating open systems, [that] ensures adequate security of the systems or the data transfers." [I7498-2]

2. (O) “由通信开放系统层提供的一种服务,[确保]系统或数据传输的充分安全。”[I7498-2]

$ security situation (I) /ISAKMP/ The set of all security-relevant information (e.g., network addresses, security classifications, manner of operation such as normal or emergency) that is needed to decide the security services that are required to protect the association that is being negotiated.

$ 安全状况(I)/ISAKMP/确定保护正在协商的关联所需的安全服务所需的所有安全相关信息(例如,网络地址、安全分类、正常或紧急操作方式)的集合。

$ security target (N) /Common Criteria/ A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

$ 安全目标(N)/通用标准/一套安全要求和规范,用作评估已识别TOE的基础。

Tutorial: A security target (ST) is a statement of security claims for a particular information technology security product or system, and is the basis for agreement among all parties as to what security the product or system offers. An ST parallels the structure of a protection profile, but has additional elements that include product-specific detailed information. An ST contains a summary specification, which defines the specific measures taken in the product or system to meet the security requirements.

教程:安全目标(ST)是特定信息技术安全产品或系统的安全声明,是各方就产品或系统提供的安全性达成一致的基础。ST与保护配置文件的结构相似,但具有包含特定于产品的详细信息的附加元素。ST包含一个摘要规范,该规范定义了产品或系统中为满足安全要求而采取的具体措施。

$ security token (I) See: token.

$ 安全令牌(I)见:令牌。

$ security violation (I) An act or event that disobeys or otherwise breaches security policy. (See: compromise, penetration, security incident.)

$ 安全违规(I)违反或以其他方式违反安全政策的行为或事件。(见:妥协、渗透、安全事件)

$ seed (I) A value that is an input to a pseudorandom number generator.

$ 种子(I)作为伪随机数生成器输入的值。

$ selective-field confidentiality (I) A data confidentiality service that preserves confidentiality for one or more parts (i.e., fields) of each packet. (See: selective-field integrity.)

$ 选择性字段保密(I)为每个数据包的一个或多个部分(即字段)保密的数据保密服务。(请参阅:选择性字段完整性。)

Tutorial: Data confidentiality service usually is applied to entire SDUs, but some situations might require protection of only

教程:数据保密服务通常应用于整个SDU,但在某些情况下可能只需要对数据进行保护

part of each packet. For example, when Alice uses a debit card at an automated teller machine (ATM), perhaps only her PIN is enciphered for confidentiality when her transaction request is transmitted from the ATM to her bank's computer.

每个包的一部分。例如,当Alice在自动柜员机(ATM)上使用借记卡时,当她的交易请求从ATM传输到银行的计算机时,可能只有她的PIN被加密以保密。

In any given operational situation, there could be many different reasons for using selective field confidentiality. In the ATM example, there are at least four possibilities: The service may provide a fail-safe mode of operation, ensuring that the bank can still process transactions (although with some risk) even when the encryption system fails. It may make messages easier to work with when doing system fault isolation. It may avoid problems with laws that prevent shipping enciphered data across international borders. It may improve efficiency by reducing processing load at a central computer site.

在任何给定的操作情况下,使用选择性现场保密可能有许多不同的原因。在ATM示例中,至少有四种可能性:该服务可提供故障安全操作模式,确保即使加密系统出现故障,银行仍能处理交易(尽管存在一定风险)。在进行系统故障隔离时,它可以使消息更易于处理。它可以避免法律上的问题,这些法律禁止将加密数据跨境运输。它可以通过减少中央计算机站点的处理负载来提高效率。

$ selective-field integrity (I) A data integrity service that preserves integrity for one or more parts (i.e., fields) of each packet. (See: selective-field confidentiality.)

$ 选择性字段完整性(I)为每个数据包的一个或多个部分(即字段)保留完整性的数据完整性服务。(请参阅:选择性字段保密。)

Tutorial: Data integrity service may be implemented in a protocol to protect the SDU part of packets, the PCI part, or both. - SDU protection: When service is provided for SDUs, it usually is applied to entire SDUs, but it might be applied only to parts of SDUs in some situations. For example, an IPS Application-Layer protocol might need protection of only part of each packet, and this might enable faster processing. - PCI protection: To prevent active wiretapping, it might be desirable to apply data integrity service to the entire PCI, but some PCI fields in some protocols need to be mutable in transit. For example, the "Time to Live" field in IPv4 is changed each time a packet passes through a router in the Internet Layer. Thus, the value that the field will have when the packet arrives at its destination is not predictable by the sender and cannot be included in a checksum computed by the sender. (See: Authentication Header.)

教程:数据完整性服务可以在协议中实现,以保护数据包的SDU部分、PCI部分或两者。-SDU保护:当为SDU提供服务时,通常应用于整个SDU,但在某些情况下可能仅应用于SDU的一部分。例如,IPS应用层协议可能只需要保护每个数据包的一部分,这可能会加快处理速度。-PCI保护:为了防止主动窃听,可能需要对整个PCI应用数据完整性服务,但某些协议中的某些PCI字段在传输过程中需要可变。例如,每当数据包通过互联网层的路由器时,IPv4中的“生存时间”字段就会发生更改。因此,当数据包到达其目的地时,字段将具有的值是发送方无法预测的,并且不能包含在发送方计算的校验和中。(请参阅:身份验证标头。)

$ self-signed certificate (I) A public-key certificate for which the public key bound by the certificate and the private key used to sign the certificate are components of the same key pair, which belongs to the signer. (Compare: root certificate.)

$ 自签名证书(I)一种公钥证书,证书绑定的公钥和用于签名证书的私钥是属于签名者的同一密钥对的组成部分。(比较:根证书。)

Tutorial: In a self-signed X.509 public-key certificate, the issuer's DN is the same as the subject's DN.

教程:在自签名的X.509公钥证书中,颁发者的DN与主体的DN相同。

$ semantic security (I) An attribute of an encryption algorithm that is a formalization of the notion that the algorithm not only hides the plain text but also reveals no partial information about the plain text; i.e., whatever is computable about the plain text when given the cipher text, is also computable without the cipher text. (Compare: indistinguishability.)

$ 语义安全性(I)加密算法的一个属性,它是算法不仅隐藏纯文本,而且不显示纯文本的部分信息这一概念的形式化;i、 例如,当给定密文时,关于纯文本的任何可计算内容,在没有密文的情况下也是可计算的。(比较:不可区分。)

$ semiformal (I) Expressed in a restricted syntax language with defined semantics. [CCIB] (Compare: formal, informal.)

$ 半形式的(I)用限定的语法语言表达,具有定义的语义。[CCIB](比较:正式、非正式)

$ sensitive (I) A condition of a system resource such that the loss of some specified property of that resource, such as confidentiality or integrity, would adversely affect the interests or business of its owner or user. (See: sensitive information. Compare: critical.)

$ 敏感(I)系统资源的一种状况,即该资源的某些特定财产(如机密性或完整性)的损失将对其所有者或用户的利益或业务产生不利影响。(请参阅:敏感信息。比较:关键。)

$ sensitive compartmented information (SCI) (O) /U.S. Government/ Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal control systems established by the Director of Central Intelligence. [C4009] (See: compartment, SAP, SCIF. Compare: collateral information.)

$ 敏感隔离信息(SCI)(O)/美国政府/涉及或源自情报来源、方法或分析过程的机密信息,需要在中央情报局局长建立的正式控制系统内处理。[C4009](参见:隔间、SAP、SCIF。比较:附属信息。)

$ sensitive compartmented information facility (SCIF) (O) /U.S. Government/ "An accredited area, room, group of rooms, building, or installation where SCI may be stored, used, discussed, and/or processed." [C4009] (See: SCI. Compare: shielded enclosure.)

$ 敏感分隔信息设施(SCIF)(O)/美国政府/“SCI可存储、使用、讨论和/或处理的经认可区域、房间、房间组、建筑物或装置。”[C4009](见:SCI.比较:屏蔽外壳。)

$ sensitive information 1. (I) Information for which (a) disclosure, (b) alteration, or (c) destruction or loss could adversely affect the interests or business of its owner or user. (See: data confidentiality, data integrity, sensitive. Compare: classified, critical.)

$ 敏感信息1。(一) (a)披露、(b)变更或(c)销毁或丢失可能对其所有者或用户的利益或业务产生不利影响的信息。(请参阅:数据机密性、数据完整性、敏感。比较:机密性、关键性。)

2. (O) /U.S. Government/ Information for which (a) loss, (b) misuse, (c) unauthorized access, or (d) unauthorized modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act of 1974, but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

2. (O) /美国政府/信息(a)丢失,(b)滥用,(c)未经授权的访问,或(d)未经授权的修改可能对国家利益或联邦计划的实施产生不利影响,或个人根据1974年《隐私法》有权享有的隐私权,但根据行政命令或国会法案规定的标准,为了国防或外交政策的利益,这并没有得到明确授权。

Tutorial: Systems that are not U.S. national security systems, but contain sensitive U.S. Federal Government information, must be

教程:非美国国家安全系统,但包含敏感美国联邦政府信息的系统必须

protected according to the Computer Security Act of 1987 (Public Law 100-235). (See: national security.)

受1987年《计算机安全法》(公法100-235)保护。(见:国家安全。)

$ sensitivity label (D) Synonym for "classification label".

$ 灵敏度标签(D)“分类标签”的同义词。

Deprecated term: IDOCs SHOULD NOT use this term because the definition of "sensitive" involves not only data confidentiality, but also data integrity.

不推荐使用的术语:idoc不应使用此术语,因为“敏感”的定义不仅涉及数据机密性,还涉及数据完整性。

$ sensitivity level (D) Synonym for "classification level".

$ 敏感度等级(D)是“分类等级”的同义词。

Deprecated term: IDOCs SHOULD NOT use this term because the definition of "sensitive" involves not only data confidentiality, but also data integrity.

不推荐使用的术语:idoc不应使用此术语,因为“敏感”的定义不仅涉及数据机密性,还涉及数据完整性。

$ separation of duties (I) The practice of dividing the steps in a system process among different individual entities (i.e., different users or different roles) so as to prevent a single entity acting alone from being able to subvert the process. Usage: a.k.a. "separation of privilege". (See: administrative security, dual control.)

$ 职责分离(I)在不同实体(即不同用户或不同角色)之间划分系统流程步骤的做法,以防止单独行动的单个实体能够破坏流程。用法:又称“特权分离”。(请参阅:管理安全、双重控制。)

$ serial number See: certificate serial number.

$ 序列号请参阅:证书序列号。

$ Serpent (O) A symmetric, 128-bit block cipher designed by Ross Anderson, Eli Biham, and Lars Knudsen as a candidate for the AES.

$ 蛇(O):一种对称的128位分组密码,由Ross Anderson、Eli Biham和Lars Knudsen设计,作为AES的候选密码。

$ server (I) A system entity that provides a service in response to requests from other system entities called clients.

$ 服务器(I)一个系统实体,它提供服务以响应来自称为客户端的其他系统实体的请求。

$ service data unit (SDU) (N) See: secondary definition under "protocol data unit".

$ 服务数据单元(SDU)(N)参见“协议数据单元”下的二级定义。

$ session 1a. (I) /computer usage/ A continuous period of time, usually initiated by a login, during which a user accesses a computer system.

$ 会议1a。(一) /计算机使用情况/用户访问计算机系统的连续时间段,通常由登录启动。

1b. (I) /computer activity/ The set of transactions or other computer activities that are performed by or for a user during a period of computer usage.

1b。(一) /计算机活动/在计算机使用期间由用户执行或为用户执行的一组事务或其他计算机活动。

2. (I) /access control/ A temporary mapping of a principal to one or more roles. (See: role-based access control.)

2. (一) /访问控制/主体到一个或多个角色的临时映射。(请参阅:基于角色的访问控制。)

Tutorial: A user establishes a session as a principal and activates some subset of roles to which the principal has been assigned. The authorizations available to the principal in the session are the union of the permissions of all the roles activated in the session. Each session is associated with a single principal and, therefore, with a single user. A principal may have multiple, concurrent sessions and may activate a different set of roles in each session.

教程:用户将会话建立为主体,并激活主体已分配到的角色子集。会话中主体可用的授权是会话中激活的所有角色的权限的联合。每个会话与单个主体关联,因此与单个用户关联。主体可以有多个并发会话,并且可以在每个会话中激活一组不同的角色。

3. (I) /computer network/ A persistent but (normally) temporary association between a user agent (typically a client) and a second process (typically a server). The association may persist across multiple exchanges of data, including multiple connections. (Compare: security association.)

3. (一) /computer network/用户代理(通常是客户端)和第二个进程(通常是服务器)之间的持久但(通常)临时关联。该关联可以在多个数据交换(包括多个连接)中保持。(比较:安全协会。)

$ session key (I) In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. (See: ephemeral, KDC, session. Compare: master key.)

$ 会话密钥(I)在对称加密环境中,是一种临时密钥或使用时间相对较短的密钥。(请参阅:转瞬即逝、KDC、会话。比较:主密钥。)

Tutorial: A session key is used for a defined period of communication between two system entities or components, such as for the duration of a single connection or transaction set; or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be rekeyed frequently.

教程:会话密钥用于两个系统实体或组件之间定义的通信周期,例如单个连接或事务集的持续时间;或者,密钥用于保护相对大量数据的应用程序中,因此需要频繁地重新设置密钥。

$ SET(trademark) (O) See: SET Secure Electronic Transaction(trademark).

$ SET(商标)(O)参见:SET安全电子交易(商标)。

$ SET private extension (O) One of the private extensions defined by SET for X.509 certificates. Carries information about hashed root key, certificate type, merchant data, cardholder certificate requirements, encryption support for tunneling, or message support for payment instructions.

$ SET private extension(O)SET为X.509证书定义的私有扩展之一。包含有关哈希根密钥、证书类型、商户数据、持卡人证书要求、隧道加密支持或支付指令消息支持的信息。

$ SET qualifier (O) A certificate policy qualifier that provides information about the location and content of a SET certificate policy.

$ SET qualifier(O)一种证书策略限定符,提供有关设置证书策略的位置和内容的信息。

Tutorial: Besides the policies and qualifiers inherited from its own certificate, each CA in the SET certification hierarchy may add one qualifying statement to the root policy when the CA issues a certificate. The additional qualifier is a certificate policy for that CA. Each policy in a SET certificate may have these

教程:除了从自己的证书继承的策略和限定符之外,当CA颁发证书时,集合证书层次结构中的每个CA都可以向根策略添加一条限定语句。附加的限定符是该CA的证书策略。一组证书中的每个策略都可能有以下内容

qualifiers: (a) a URL where a copy of the policy statement may be found; (b) an electronic mail address where a copy of the policy statement may be found; (c) a hash result of the policy statement, computed using the indicated algorithm; and (d) a statement declaring any disclaimers associated with the issuing of the certificate.

限定词:(a)可以找到策略声明副本的URL;(b) 可找到保单副本的电子邮件地址;(c) 使用所指示的算法计算的策略语句的散列结果;以及(d)声明与证书颁发相关的任何免责声明的声明。

$ SET Secure Electronic Transaction(trademark) or SET(trademark) (N) A protocol developed jointly by MasterCard International and Visa International and published as an open standard to provide confidentiality of transaction information, payment integrity, and authentication of transaction participants for payment card transactions over unsecured networks, such as the Internet. [SET1] (See: acquirer, brand, cardholder, dual signature, electronic commerce, IOTP, issuer, merchant, payment gateway, third party.)

$ SET安全电子交易(商标)或SET(商标)(N)由万事达卡国际和Visa国际共同开发的协议,作为公开标准发布,以提供交易信息保密性、支付完整性,以及通过不安全网络(如互联网)进行支付卡交易的交易参与者身份验证。[SET1](参见:收单机构、品牌、持卡人、双重签名、电子商务、物联网、发卡机构、商户、支付网关、第三方。)

Tutorial: This term and acronym are trademarks of SETCo. MasterCard and Visa announced the SET standard on 1 February 1996.

教程:此术语和首字母缩略词是SETCo的商标。万事达卡和Visa于1996年2月1日宣布了这一既定标准。

$ SETCo (O) Abbreviation of "SET Secure Electronic Transaction LLC", formed on 19 December 1997 by MasterCard and Visa for implementing the SET Secure Electronic Transaction(trademark) standard. A later memorandum of understanding added American Express and JCB Credit Card Company as co-owners of SETCo.

$ SETCo(O)“SET Secure Electronic Transaction LLC”的缩写,由万事达卡和Visa于1997年12月19日为实施SET Secure Electronic Transaction(商标)标准而成立。后来的一份谅解备忘录将美国运通和JCB信用卡公司添加为SETCo的共同所有者。

$ SHA, SHA-1, SHA-2 (N) See: Secure Hash Algorithm.

$ SHA,SHA-1,SHA-2(N)参见:安全散列算法。

$ shared identity (I) See: secondary definition under "identity".

$ 共享身份(I)见“身份”下的第二个定义。

$ shared secret (D) Synonym for "cryptographic key" or "password".

$ 共享密钥(D)“加密密钥”或“密码”的同义词。

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

不推荐的用法:使用此术语的IDoc应说明其定义,因为该术语有多种用途,很容易被误解。

$ shielded enclosure (O) "Room or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations." [C4009] (See: emanation. Compare: SCIF.)

$ 屏蔽外壳(O)“设计用于衰减电磁辐射、声信号或辐射的房间或容器。”[C4009](参见:辐射。比较:SCIF。)

$ short title (O) "Identifying combination of letters and numbers assigned to certain items of COMSEC material to facilitate handling, accounting, and controlling." [C4009] (Compare: KMID, long title.)

$ 短标题(O)“识别分配给通信安全材料某些项目的字母和数字组合,以便于处理、核算和控制。”[C4009](比较:KMID,长标题。)

$ shroud (D) /verb/ To encrypt a private key, possibly in concert with a policy that prevents the key from ever being available in cleartext form beyond a certain, well-defined security perimeter. [PKC12] (See: encrypt. Compare: seal, wrap.)

$ 裹尸布(D)/verb/加密私钥,可能与防止密钥以明文形式在特定的、定义良好的安全边界之外可用的策略相一致。[PKC12](请参见:加密。比较:密封、包裹。)

Deprecated Term: IDOCs SHOULD NOT use this term as defined here; the definition duplicates the meaning of other, standard terms. Instead, use "encrypt" or other terminology that is specific with regard to the mechanism being used.

不推荐使用的术语:IDOC不应使用此处定义的术语;该定义与其他标准术语的含义重复。相反,使用“加密”或其他特定于所用机制的术语。

$ SHS (N) See: Secure Hash Standard.

$ SHS(N)参见:安全哈希标准。

$ sign (I) Create a digital signature for a data object. (See: signer.)

$ 签名(I)为数据对象创建数字签名。(见签名人)

$ signal analysis (I) Gaining indirect knowledge (inference) of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data. (See: emanation. Compare: traffic analysis.)

$ 信号分析(I)通过监测和分析系统发出的、包含数据但不用于传输数据的信号,获取传输数据的间接知识(推理)。(参见:放射。比较:流量分析。)

$ signal intelligence (I) The science and practice of extracting information from signals. (See: signal security.)

$ 信号智能(I)从信号中提取信息的科学和实践。(见:信号安全。)

$ signal security (N) (I) The science and practice of protecting signals. (See: cryptology, security.)

$ 信号安全(N)(I)保护信号的科学和实践。(参见:密码学、安全。)

Tutorial: The term "signal" denotes (a) communication in almost any form and also (b) emanations for other purposes, such as radar. Signal security is opposed by signal intelligence, and each discipline includes opposed sub-disciplines as follows [Kahn]:

教程:术语“信号”表示(a)几乎任何形式的通信,以及(b)其他用途的发射,如雷达。信号安全与信号情报相对,每个学科都包含如下对立的子学科[Kahn]:

      Signal Security                 Signal Intelligence
      ------------------------------  ---------------------------------
      1. Communication Security       1. Communication Intelligence
         1a. Cryptography                1a. Cryptanalysis
         1b. Traffic Security            1b. Traffic Analysis
         1c. Steganography               1c. Detection and Interception
      2. Electronic Security          2. Electronic Intelligence
         2a. Emission Security           2a. Electronic Reconnaissance
         2b. Counter-Countermeasures     2b. Countermeasures
      ------------------------------  ---------------------------------
        
      Signal Security                 Signal Intelligence
      ------------------------------  ---------------------------------
      1. Communication Security       1. Communication Intelligence
         1a. Cryptography                1a. Cryptanalysis
         1b. Traffic Security            1b. Traffic Analysis
         1c. Steganography               1c. Detection and Interception
      2. Electronic Security          2. Electronic Intelligence
         2a. Emission Security           2a. Electronic Reconnaissance
         2b. Counter-Countermeasures     2b. Countermeasures
      ------------------------------  ---------------------------------
        

$ signature (O) A symbol or process adopted or executed by a system entity with present intention to declare that a data object is genuine. (See: digital signature, electronic signature.)

$ 签名(O)系统实体采用或执行的一种符号或过程,旨在声明数据对象是真实的。(见:数字签名、电子签名)

$ signature certificate (I) A public-key certificate that contains a public key that is intended to be used for verifying digital signatures, rather than for encrypting data or performing other cryptographic functions.

$ 签名证书(I)包含公钥的公钥证书,用于验证数字签名,而不是用于加密数据或执行其他加密功能。

Tutorial: A v3 X.509 public-key certificate may have a "keyUsage" extension that indicates the purpose for which the certified public key is intended. (See: certificate profile.)

教程:v3 X.509公钥证书可能有一个“keyUsage”扩展名,用于指示认证公钥的用途。(请参阅:证书配置文件。)

$ signed receipt (I) An S/MIME service [R2634] that (a) provides, to the originator of a message, proof of delivery of the message and (b) enables the originator to demonstrate to a third party that the recipient was able to verify the signature of the original message.

$ 签名回执(I)S/MIME服务[R2634],该服务(a)向消息的发起人提供消息传递的证明,以及(b)使发起人能够向第三方证明收件人能够验证原始消息的签名。

Tutorial: The receipt is bound to the original message by a signature; consequently, the service may be requested only for a message that is signed. The receipt sender may optionally also encrypt the receipt to provide confidentiality between the receipt sender and the receipt recipient.

教程:收据通过签名绑定到原始邮件;因此,可能仅针对已签名的消息请求服务。收据发送方还可以选择性地加密收据,以在收据发送方和收据接收方之间提供机密性。

$ signer (N) A human being or organization entity that uses a private key to sign (i.e., create a digital signature on) a data object. [DSG]

$ 签名者(N)使用私钥对数据对象进行签名(即创建数字签名)的人或组织实体。[DSG]

$ SILS (N) See: Standards for Interoperable LAN/MAN Security.

$ SILS(N)参见:互操作LAN/MAN安全标准。

$ simple authentication 1. (I) An authentication process that uses a password as the information needed to verify an identity claimed for an entity. (Compare: strong authentication.)

$ 简单身份验证1。(一) 一种身份验证过程,使用密码作为验证为实体声明的身份所需的信息。(比较:强身份验证。)

2. (O) "Authentication by means of simple password arrangements." [X509]

2. (O) “通过简单的密码安排进行身份验证。”[X509]

$ Simple Authentication and Security Layer (SASL) (I) An Internet specification [R2222, R4422] for adding authentication service to connection-based protocols. (Compare: EAP, GSS-API.)

$ 简单认证和安全层(SASL)(I)互联网规范[R2222,R4422],用于向基于连接的协议添加认证服务。(比较:EAP、GSS-API)

Tutorial: To use SASL, a protocol includes a command for authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. The command names a registered security mechanism. SASL mechanisms include Kerberos, GSS-API, S/KEY, and others. Some protocols that use SASL are IMAP4 and POP3.

教程:要使用SASL,协议包含一个命令,用于向服务器验证用户,并可选地协商后续协议交互的保护。该命令命名已注册的安全机制。SASL机制包括Kerberos、GSS-API、S/KEY等。使用SASL的一些协议是IMAP4和POP3。

$ Simple Key Management for Internet Protocols (SKIP) (I) A key-distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets. (See: SKIP reference in [R2356].)

$ Internet协议的简单密钥管理(SKIP)(I)一种密钥分发协议,它使用混合加密来传输用于加密IP数据包中数据的会话密钥。(请参阅:跳过[R2356]中的引用。)

Tutorial: SKIP was designed by Ashar Aziz and Whitfield Diffie at Sun Microsystems and proposed as the standard key management protocol for IPsec, but IKE was chosen instead. Although IKE is mandatory for an IPsec implementation, the use of SKIP is not excluded.

教程:SKIP由Sun Microsystems的Ashar Aziz和Whitfield Diffie设计,并被提议作为IPsec的标准密钥管理协议,但选择了IKE。虽然IKE对于IPsec实现是强制性的,但不排除使用SKIP。

SKIP uses the Diffie-Hellman-Merkle algorithm (or could use another key-agreement algorithm) to generate a key-encrypting key for use between two entities. A session key is used with a symmetric algorithm to encrypt data in one or more IP packets that are to be sent from one entity to the other. A symmetric KEK is established and used to encrypt the session key, and the encrypted session key is placed in a SKIP header that is added to each IP packet that is encrypted with that session key.

SKIP使用Diffie-Hellman-Merkle算法(或者可以使用另一种密钥协商算法)生成密钥加密密钥,供两个实体之间使用。会话密钥与对称算法一起用于加密一个或多个IP数据包中的数据,这些数据包将从一个实体发送到另一个实体。建立对称KEK并用于加密会话密钥,加密的会话密钥被放置在一个跳过报头中,该报头被添加到使用该会话密钥加密的每个IP数据包中。

$ Simple Mail Transfer Protocol (SMTP) (I) A TCP-based, Application-Layer, Internet Standard protocol (RFC 821) for moving electronic mail messages from one computer to another.

$ 简单邮件传输协议(SMTP)(I)基于TCP的应用层互联网标准协议(RFC 821),用于将电子邮件从一台计算机移动到另一台计算机。

$ Simple Network Management Protocol (SNMP) (I) A (usually) UDP-based, Application-Layer, Internet Standard protocol (RFCs 3410-3418) for conveying management information between system components that act as managers and agents.

$ 简单网络管理协议(SNMP)(I)一种(通常)基于UDP的应用层互联网标准协议(RFCs 3410-3418),用于在充当管理器和代理的系统组件之间传输管理信息。

$ Simple Public Key Infrastructure (SPKI) (I) A set of experimental concepts (RFCs 2692, 2693) that were proposed as alternatives to the concepts standardized in PKIX.

$ 简单公钥基础设施(SPKI)(I)作为PKIX标准化概念的替代方案而提出的一组实验性概念(RFCs 2692693)。

$ simple security property (N) /formal model/ Property of a system whereby a subject has read access to an object only if the clearance of the subject dominates the classification of the object. See: Bell-LaPadula model.

$ 简单安全属性(N)/系统的正式模型/属性,根据该系统,仅当主体的清除控制了对象的分类时,主体才具有对对象的读取权限。见:贝尔-拉帕杜拉模型。

$ single sign-on 1. (I) An authentication subsystem that enables a user to access multiple, connected system components (such as separate hosts on a network) after a single login at only one of the components. (See: Kerberos.)

$ 单点登录1。(一) 一种身份验证子系统,用户只需在其中一个组件上登录一次,即可访问多个连接的系统组件(如网络上的独立主机)。(请参阅:Kerberos。)

2. (O) /Liberty Alliance/ A security subsystem that enables a user identity to be authenticated at an identity provider -- i.e., at a service that authenticates and asserts the user's identity -- and then have that authentication be honored by other service providers.

2. (O) /Liberty Alliance/一种安全子系统,它允许用户身份在身份提供商处进行身份验证,即在对用户身份进行身份验证和断言的服务处进行身份验证,然后让其他服务提供商遵守该身份验证。

Tutorial: A single sign-on subsystem typically requires a user to log in once at the beginning of a session, and then during the session transparently grants access by the user to multiple, separately protected hosts, applications, or other system resources, without further login action by the user (unless, of course, the user logs out). Such a subsystem has the advantages of being user friendly and enabling authentication to be managed consistently across an entire enterprise. Such a subsystem also has the disadvantage of requiring all the accessed components to depend on the security of the same authentication information.

教程:单点登录子系统通常要求用户在会话开始时登录一次,然后在会话期间透明地授予用户对多个单独保护的主机、应用程序或其他系统资源的访问权限,而无需用户进行进一步的登录操作(当然,除非用户注销)。这样的子系统的优点是用户友好,并且能够在整个企业中一致地管理身份验证。这样的子系统还有一个缺点,即要求所有被访问的组件依赖于相同身份验证信息的安全性。

$ singular identity (I) See: secondary definition under "identity".

$ 单一同一性(I)见“同一性”下的第二个定义。

$ site (I) A facility -- i.e., a physical space, room, or building together with its physical, personnel, administrative, and other safeguards -- in which system functions are performed. (See: node.)

$ 现场(I)执行系统功能的设施,即物理空间、房间或建筑物及其物理、人员、管理和其他安全设施。(请参见:节点。)

$ situation (I) See: security situation.

$ 情况(一)见:安全局势。

$ SKEME (I) A key-distribution protocol from which features were adapted for IKE. [SKEME]

$ SKEME(I)一种密钥分发协议,其特征适用于IKE。[斯凯姆]

$ SKIP (I) See: Simple Key Management for Internet Protocols.

$ 跳过(I)参见:Internet协议的简单密钥管理。

$ SKIPJACK (N) A type 2, 64-bit block cipher [SKIP, R2773] with a key size of 80 bits. (See: CAPSTONE, CLIPPER, FORTEZZA, Key Exchange Algorithm.)

$ SKIPJACK(N)一种2型64位分组密码[SKIP,R2773],密钥大小为80位。(请参阅:CAPSTONE、CLIPPER、FORTEZZA、密钥交换算法。)

Tutorial: SKIPJACK was developed by NSA and formerly classified at the U.S. DoD "Secret" level. On 23 June 1998, NSA announced that SKIPJACK had been declassified.

教程:SKIPJACK由美国国家安全局开发,以前被美国国防部列为“机密”级别。1998年6月23日,国家安全局宣布SKIPJACK已经解密。

$ slot (O) /MISSI/ One of the FORTEZZA PC card storage areas that are each able to hold an X.509 certificate plus other data, including the private key that is associated with a public-key certificate.

$ 插槽(O)/MSI/FORTEZZA PC卡存储区之一,每个存储区都能够保存X.509证书和其他数据,包括与公钥证书关联的私钥。

$ smart card (I) A credit-card sized device containing one or more integrated circuit chips that perform the functions of a computer's central processor, memory, and input/output interface. (See: PC card, smart token.)

$ 智能卡(I)信用卡大小的设备,包含一个或多个集成电路芯片,执行计算机中央处理器、存储器和输入/输出接口的功能。(请参阅:PC卡、智能令牌。)

Usage: Sometimes this term is used rather strictly to mean a card that closely conforms to the dimensions and appearance of the kind of plastic credit card issued by banks and merchants. At other times, the term is used loosely to include cards that are larger than credit cards, especially cards that are thicker, such as PC cards.

用法:有时这一术语被严格地用来指与银行和商家发行的塑料信用卡的尺寸和外观完全一致的卡。在其他时候,这个术语被松散地用于包括比信用卡大的卡,特别是厚的卡,如PC卡。

$ smart token (I) A device that conforms to the definition of "smart card" except that rather than having the standard dimensions of a credit card, the token is packaged in some other form, such as a military dog tag or a door key. (See: smart card, cryptographic token.)

$ 智能代币(I)符合“智能卡”定义的设备,但代币不具有信用卡的标准尺寸,而是以其他形式包装,如军犬标签或门钥匙。(请参阅:智能卡、加密令牌。)

$ SMI (I) See: security management infrastructure.

$ SMI(I)见:安全管理基础设施。

$ SMTP (I) See: Simple Mail Transfer Protocol.

$ SMTP(I)见:简单邮件传输协议。

$ smurf attack (D) /slang/ A denial-of-service attack that uses IP broadcast addressing to send ICMP ping packets with the intent of flooding a system. (See: fraggle attack, ICMP flood.)

$ smurf攻击(D)/俚语/一种拒绝服务攻击,使用IP广播寻址发送ICMP ping数据包,意图淹没系统。(请参阅:脆弱攻击,ICMP洪水。)

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term.

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。

Derivation: The Smurfs are a fictional race of small, blue creatures that were created by a cartoonist. Perhaps the inventor of this attack thought that a swarm of ping packets resembled a gang of smurfs. (See: Deprecated Usage under "Green Book".)

来源:《蓝精灵》是一个虚构的蓝色小生物种族,由漫画家创作。也许这一攻击的发明者认为一群ping数据包就像一群蓝精灵。(请参阅“绿皮书”下不推荐的用法。)

Tutorial: The attacker sends ICMP echo request ("ping") packets that appear to originate not from the attacker's own IP address, but from the address of the host or router that is the target of the attack. Each packet is addressed to an IP broadcast address, e.g., to all IP addresses in a given network. Thus, each echo request that is sent by the attacker results in many echo responses being sent to the target address. This attack can disrupt service at a particular host, at the hosts that depend on a particular router, or in an entire network.

教程:攻击者发送ICMP回显请求(“ping”)数据包,这些数据包似乎不是来自攻击者自己的IP地址,而是来自作为攻击目标的主机或路由器的地址。每个数据包被寻址到IP广播地址,例如,给定网络中的所有IP地址。因此,攻击者发送的每个回显请求都会导致许多回显响应被发送到目标地址。此攻击可中断特定主机、依赖特定路由器的主机或整个网络中的服务。

$ sneaker net (D) /slang/ A process that transfers data between systems only manually, under human control; i.e., a data transfer process that involves an air gap.

$ sneaker net(D)/俚语/仅在人工控制下在系统之间传输数据的过程;i、 例如,涉及气隙的数据传输过程。

Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term.

不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。

$ Snefru (N) A public-domain, cryptographic hash function (a.k.a. "The Xerox Secure Hash Function") designed by Ralph C. Merkle at Xerox Corporation. Snefru can produce either a 128-bit or 256-bit output (i.e., hash result). [Schn] (See: Khafre, Khufu.)

$ Snefru(N)一种公共域加密哈希函数(又称“施乐安全哈希函数”),由施乐公司的拉尔夫·C·梅克尔设计。Snefru可以产生128位或256位输出(即散列结果)。[Schn](见:哈夫雷,胡夫)

$ sniffing (D) /slang/ Synonym for "passive wiretapping"; most often refers to capturing and examining the data packets carried on a LAN. (See: password sniffing.)

$ 嗅探(D)/俚语/被动窃听的同义词;通常指捕获和检查局域网上携带的数据包。(请参阅:密码嗅探。)

Deprecated Term: IDOCs SHOULD NOT use this term; it unnecessarily duplicates the meaning of a term that is better established. (See: Deprecated Usage under "Green Book".

不推荐使用的术语:IDoc不应使用此术语;它不必要地重复了一个更为明确的术语的含义。(请参阅“绿皮书”下不推荐的用法。)。

$ SNMP (I) See: Simple Network Management Protocol.

$ SNMP(I)参见:简单网络管理协议。

$ social engineering (D) Euphemism for non-technical or low-technology methods, often involving trickery or fraud, that are used to attack information systems. Example: phishing.

$ 社会工程(social engineering,D):用于攻击信息系统的非技术或低技术方法的委婉说法,通常涉及欺骗或欺诈。例如:网络钓鱼。

Deprecated Term: IDOCs SHOULD NOT use this term; it is too vague. Instead, use a term that is specific with regard to the means of attack, e.g., blackmail, bribery, coercion, impersonation, intimidation, lying, or theft.

不推荐使用的术语:IDoc不应使用此术语;太模糊了。相反,使用一个与攻击手段相关的术语,例如勒索、贿赂、胁迫、冒充、恐吓、撒谎或盗窃。

$ SOCKS (I) An Internet protocol [R1928] that provides a generalized proxy server that enables client-server applications (e.g., TELNET, FTP, or HTTP; running over either TCP or UDP) to use the services of a firewall.

$ SOCKS(I)一种互联网协议[R1928],提供通用代理服务器,使客户机服务器应用程序(如TELNET、FTP或HTTP;通过TCP或UDP运行)能够使用防火墙的服务。

Tutorial: SOCKS is layered under the IPS Application Layer and above the Transport Layer. When a client inside a firewall wishes to establish a connection to an object that is reachable only through the firewall, it uses TCP to connect to the SOCKS server, negotiates with the server for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request, typically based on source and destination addresses, and either establishes the appropriate connection or denies it.

教程:SOCKS是在IPS应用层之下和传输层之上分层的。当防火墙内的客户端希望建立到只能通过防火墙访问的对象的连接时,它使用TCP连接到SOCKS服务器,与服务器协商要使用的身份验证方法,使用所选方法进行身份验证,然后发送中继请求。SOCKS服务器通常根据源地址和目标地址评估请求,并建立适当的连接或拒绝连接。

$ soft TEMPEST (O) The use of software techniques to reduce the radio frequency information leakage from computer displays and keyboards. [Kuhn] (See: TEMPEST.)

$ 软TEMPEST(O)使用软件技术减少计算机显示器和键盘的射频信息泄漏。[Kuhn](参见:《暴风雨》)

$ soft token (D) A data object that is used to control access or authenticate authorization. (See: token.)

$ 软令牌(D)用于控制访问或验证授权的数据对象。(请参阅:令牌。)

Deprecated Term: IDOCs SHOULD NOT use this term as defined here; the definition duplicates the meaning of other, standard terms. Instead, use "attribute certificate" or another term that is specific with regard to the mechanism being used.

不推荐使用的术语:IDOC不应使用此处定义的术语;该定义与其他标准术语的含义重复。相反,请使用“属性证书”或其他特定于所用机制的术语。

$ software (I) Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution. (Compare: firmware.)

$ 软件(I)可在执行期间动态写入或修改的计算机程序(存储在计算机硬件中并由计算机硬件执行)和相关数据(也存储在硬件中)。(比较:固件。)

$ software error (I) /threat action/ See: secondary definitions under "corruption", "exposure", and "incapacitation".

$ 软件错误(I)/威胁行动/见“腐败”、“暴露”和“丧失能力”下的二级定义。

$ SORA (O) See: SSO-PIN ORA.

$ 索拉(O)见:SSO-PIN ORA。

$ source authentication (D) Synonym for "data origin authentication" or "peer entity authentication". (See: data origin authentication, peer entity authentication).

$ 源身份验证(D)“数据源身份验证”或“对等实体身份验证”的同义词。(请参阅:数据源身份验证、对等实体身份验证)。

Deprecated Term: IDOCs SHOULD NOT use this term because it is ambiguous and, in either meaning, duplicates the meaning of internationally standardized terms. If the intent is to authenticate the original creator or packager of data received, then use "data origin authentication". If the intent is to authenticate the identity of the sender of data in the current instance, then use "peer entity authentication".

不推荐使用的术语:IDOCs不应使用此术语,因为它不明确,并且在任何一种意义上都与国际标准术语的含义重复。如果目的是验证接收数据的原始创建者或包装者,则使用“数据源验证”。如果目的是验证当前实例中数据发送者的身份,则使用“对等实体验证”。

$ source integrity (I) The property that data is trustworthy (i.e., worthy of reliance or trust), based on the trustworthiness of its sources and the trustworthiness of any procedures used for handling data in the system. Usage: a.k.a. Biba integrity. (See: integrity. Compare: correctness integrity, data integrity.)

$ 源完整性(I)基于数据源的可信度和系统中用于处理数据的任何过程的可信度,数据是可信的(即值得信赖或信任的)属性。用法:又称毕巴完整性。(请参阅:完整性。比较:正确性完整性、数据完整性。)

Tutorial: For this kind of integrity, there are formal models of unauthorized modification (see: Biba model) that logically complement the more familiar models of unauthorized disclosure (see: Bell-LaPadula model). In these models, objects are labeled to indicate the credibility of the data they contain, and there are rules for access control that depend on the labels.

教程:对于这种完整性,有未经授权修改的正式模型(参见:Biba模型),在逻辑上补充了更熟悉的未经授权披露模型(参见:Bell-LaPadula模型)。在这些模型中,对象被标记以表明其包含的数据的可信度,并且存在依赖于标签的访问控制规则。

$ SP3 (O) See: Security Protocol 3.

$ SP3(O)见:安全协议3。

$ SP4 (O) See: Security Protocol 4.

$ SP4(O)见:安全协议4。

$ spam 1a. (I) /slang verb/ To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities.

$ 垃圾邮件1a。(一) /俚语动词/不加区别地发送未经请求的、不需要的、无关的或不适当的信息,尤指大量的商业广告。

1b. (I) /slang noun/ Electronic "junk mail". [R2635]

1b。(一) /俚语名词/电子“垃圾邮件”。[R2635]

Deprecated Usage: IDOCs SHOULD NOT use this term in uppercase letters, because SPAM(trademark) is a trademark of Hormel Foods Corporation. Hormel says, "We do not object to use of this slang term [spam] to describe [unsolicited advertising email], although we do object to the use of our product image in association with that term. Also, if the term is to be used, it SHOULD be used in all lower-case letters to distinguish it from our trademark SPAM, which SHOULD be used with all uppercase letters." (See: metadata.)

不推荐使用:IDOCs不应使用大写字母,因为SPAM(商标)是霍梅尔食品公司的商标。霍梅尔说:“我们不反对用这个俚语术语[垃圾邮件]来描述[未经请求的广告电子邮件],尽管我们反对将我们的产品图像与该术语关联使用。此外,如果要使用该术语,则应在所有小写字母中使用该术语,以区别于我们的商标垃圾邮件,该商标垃圾邮件应与所有大写字母一起使用。”(请参阅:元数据)

Tutorial: In sufficient volume, spam can cause denial of service. (See: flooding.) According to Hormel, the term was adopted as a result of a Monty Python skit in which a group of Vikings sang a chorus of 'SPAM, SPAM, SPAM ...' in an increasing crescendo,

教程:如果数量足够大,垃圾邮件可能会导致拒绝服务。(见:洪水。)据霍梅尔说,这个词是在一部巨蟒短剧中被采用的,在这部短剧中,一群维京人合唱“垃圾邮件,垃圾邮件,垃圾邮件…”的节奏越来越快,

drowning out other conversation. This lyric became a metaphor for the unsolicited advertising messages that threaten to overwhelm other discourse on the Internet.

淹没了其他的谈话。这首抒情诗成了一个暗喻,暗喻那些不请自来的广告信息可能会压倒互联网上的其他话语。

$ SPD (I) See: Security Policy Database.

$ SPD(I)见:安全策略数据库。

$ special access program (SAP) (O) /U.S. Government/ "Sensitive program, [that is] approved in writing by a head of agency with [i.e., who has] original top secret classification authority, [and] that imposes need-to-know and access controls beyond those normally provided for access to Confidential, Secret, or Top Secret information. The level of controls is based on the criticality of the program and the assessed hostile intelligence threat. The program may be an acquisition program, an intelligence program, or an operations and support program." [C4009] (See: formal access approval, SCI. Compare: collateral information.)

$ 特别访问计划(SAP)(O)/美国政府/“敏感计划,[由]具有[即]原始绝密保密机构的机构负责人书面批准,[和]这就要求了解和访问控制超出了通常为访问机密、机密或绝密信息而提供的控制。控制级别取决于计划的关键性和评估的敌对情报威胁。该计划可能是采办计划、情报计划或作战与支援计划计划“[C4009](参见:正式访问批准,SCI.比较:附属信息。)

$ SPI (I) See: Security Parameters Index.

$ SPI(I)见:安全参数索引。

$ SPKI (I) See: Simple Public Key Infrastructure.

$ SPKI(I)见:简单公钥基础设施。

$ split key (I) A cryptographic key that is generated and distributed as two or more separate data items that individually convey no knowledge of the whole key that results from combining the items. (See: dual control, split knowledge.)

$ 分割密钥(I)作为两个或多个单独的数据项生成和分发的加密密钥,这些数据项不单独传递组合这些数据项所产生的整个密钥的知识。(请参阅:双重控制、分割知识。)

$ split knowledge 1. (I) A security technique in which two or more entities separately hold data items that individually do not convey knowledge of the information that results from combining the items. (See: dual control, split key.)

$ 分割知识1。(一) 一种安全技术,其中两个或多个实体分别保存数据项,这些数据项单独不传递由组合这些数据项而产生的信息的知识。(请参阅:双控、拆分键。)

2. (O) "A condition under which two or more entities separately have key components [that] individually convey no knowledge of the plaintext key [that] will be produced when the key components are combined in the cryptographic module." [FP140]

2. (O) “两个或多个实体分别拥有密钥组件的一种情况,当密钥组件组合在加密模块中时,这些密钥组件单独不传递关于将产生的明文密钥的知识。”[FP140]

$ spoof (I) /threat action/ See: secondary definition under "masquerade".

$ 欺骗(I)/威胁行动/见“伪装”下的二级定义。

$ spoofing attack (I) Synonym for "masquerade attack".

$ 欺骗攻击(I)“伪装攻击”的同义词。

$ spread spectrum (N) A TRANSEC technique that transmits a signal in a bandwidth much greater than the transmitted information needs. [F1037] Example: frequency hopping.

$ 扩频(N):一种以远大于传输信息所需的带宽传输信号的传输技术。[F1037]示例:跳频。

Tutorial: Usually uses a sequential, noise-like signal structure to spread the normally narrowband information signal over a relatively wide band of frequencies. The receiver correlates the signals to retrieve the original information signal. This technique decreases potential interference to other receivers, while achieving data confidentiality and increasing immunity of spread spectrum receivers to noise and interference.

教程:通常使用连续的、类似噪声的信号结构将通常窄带的信息信号传播到相对较宽的频带上。接收器将这些信号关联起来以检索原始信息信号。该技术降低了对其他接收机的潜在干扰,同时实现了数据保密性,并提高了扩频接收机对噪声和干扰的免疫力。

$ spyware (D) /slang/ Software that an intruder has installed surreptitiously on a networked computer to gather data from that computer and send it through the network to the intruder or some other interested party. (See: malicious logic, Trojan horse.)

$ 间谍软件(D)/俚语/入侵者秘密安装在联网计算机上的软件,用于从该计算机收集数据并通过网络发送给入侵者或其他相关方。(请参阅:恶意逻辑、特洛伊木马。)

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

不推荐的用法:使用此术语的IDoc应说明其定义,因为该术语有多种用途,很容易被误解。

Tutorial: Some examples of the types of data that might be gathered by spyware are application files, passwords, email addresses, usage histories, and keystrokes. Some examples of motivations for gathering the data are blackmail, financial fraud, identity theft, industrial espionage, market research, and voyeurism.

教程:间谍软件可能收集的数据类型的一些示例包括应用程序文件、密码、电子邮件地址、使用历史记录和击键。收集数据的动机包括勒索、金融欺诈、身份盗窃、工业间谍、市场调查和偷窥。

$ SSH(trademark) (N) See: Secure Shell(trademark).

$ SSH(商标)(N)请参阅:安全外壳(商标)。

$ SSL (I) See: Secure Sockets Layer.

$ SSL(I)参见:安全套接字层。

$ SSO (I) See: system security officer.

$ SSO(I)见:系统安全官员。

$ SSO PIN (O) /MISSI/ One of two PINs that control access to the functions and stored data of a FORTEZZA PC card. Knowledge of the SSO PIN enables a card user to perform the FORTEZZA functions intended for use by an end user and also the functions intended for use by a MISSI CA. (See: user PIN.)

$ SSO引脚(O)/MSI/控制访问FORTEZZA PC卡功能和存储数据的两个引脚之一。了解SSO PIN后,卡用户可以执行最终用户使用的FORTEZZA功能以及MSI CA使用的功能。(请参阅:用户PIN。)

$ SSO-PIN ORA (SORA) (O) /MISSI/ A MISSI organizational RA that operates in a mode in which the ORA performs all card management functions and, therefore, requires knowledge of the SSO PIN for FORTEZZA PC cards issued to end users.

$ SSO-PIN ORA(SORA)(O)/MSI/A在ORA执行所有卡管理功能的模式下运行的MSI组织RA,因此需要了解发给最终用户的FORTEZZA PC卡的SSO PIN。

$ Standards for Interoperable LAN/MAN Security (SILS) 1. (N) The IEEE 802.10 standards committee. (See: [FP191].)

$ 互操作局域网/城域网安全标准(SILS)1。(N) IEEE 802.10标准委员会。(见:[FP191])

2. (N) A set of IEEE standards, which has eight parts: (a) Model, including security management, (b) Secure Data Exchange protocol, (c) Key Management, (d) [has been incorporated in (a)], (e) SDE Over Ethernet 2.0, (f) SDE Sublayer Management, (g) SDE Security Labels, and (h) SDE PICS Conformance. Parts b, e, f, g, and h are incorporated in IEEE Standard 802.10-1998.

2. (N) 一套IEEE标准,包括八个部分:(A)模型,包括安全管理,(b)安全数据交换协议,(c)密钥管理,(d)[已纳入(A)],(e)以太网SDE 2.0,(f)SDE子层管理,(g)SDE安全标签,以及(h)SDE PICS一致性。第b、e、f、g和h部分包含在IEEE标准802.10-1998中。

$ star property (N) See: *-property.

$ 星型物业(N)见:*-物业。

$ Star Trek attack (D) /slang/ An attack that penetrates your system where no attack has ever gone before.

$ 《星际迷航》攻击(D)/俚语/一种侵入你系统的攻击,以前从未发生过这种攻击。

Deprecated Usage: IDOCs SHOULD NOT use this term; it is a joke for Trekkies. (See: Deprecated Usage under "Green Book".)

不推荐使用:IDOCs不应使用此术语;这对徒步旅行者来说是个笑话。(请参阅“绿皮书”下不推荐的用法。)

$ static (I) /adjective/ Refers to a cryptographic key or other parameter that is relatively long-lived. (Compare: ephemeral.)

$ 静态(I)/形容词/指的是密码密钥或其他相对长寿命的参数。(比较:短暂的。)

$ steganography (I) Methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. Examples: For classic, physical methods, see [Kahn]; for modern, digital methods, see [John]. (See: cryptology. Compare: concealment system, digital watermarking.)

$ 隐写术(I)隐藏消息或其他数据存在的方法。这与加密不同,加密隐藏消息的含义,但不隐藏消息本身。示例:有关经典物理方法,请参见[Kahn];有关现代数字方法,请参见[John]。(参见:密码学。比较:隐藏系统,数字水印。)

$ storage channel (I) See: covert storage channel.

$ 存储通道(I)参见:隐蔽存储通道。

$ storage key (I) A cryptographic key used by a device for protecting information that is being maintained in the device, as opposed to protecting information that is being transmitted between devices. (See: cryptographic token, token copy. Compare: traffic key.)

$ 存储密钥(I)设备使用的加密密钥,用于保护设备中维护的信息,而不是保护设备之间传输的信息。(请参阅:加密令牌,令牌副本。比较:流量密钥。)

$ stream cipher (I) An encryption algorithm that breaks plain text into a stream of successive elements (usually, bits) and encrypts the n-th plaintext element with the n-th element of a parallel key stream, thus converting the plaintext stream into a ciphertext stream. [Schn] (See: block cipher.)

$ 流密码(I)一种加密算法,它将明文分解为连续元素流(通常为位),并用并行密钥流的第n个元素对第n个明文元素进行加密,从而将明文流转换为密文流。[Schn](参见:分组密码。)

$ stream integrity service (I) A data integrity service that preserves integrity for a sequence of data packets, including both (a) bit-by-bit datagram integrity of each individual packet in the set and (b) packet-by-packet sequential integrity of the set as a whole. (See: data integrity. Compare: datagram integrity service.)

$ 流完整性服务(I)保持数据包序列完整性的数据完整性服务,包括(A)集合中每个单独包的逐位数据报完整性和(b)集合作为整体的逐包序列完整性。(请参阅:数据完整性。比较:数据报完整性服务。)

Tutorial: Some internetwork applications need only datagram integrity, but others require that an entire stream of packets be protected against insertion, reordering, deletion, and delay: - "Insertion": The destination receives an additional packet that was not sent by the source. - "Reordering": The destination receives packets in a different order than that in which they were sent by the source. - "Deletion": A packet sent by the source is not ever delivered to the intended destination. - "Delay": A packet is detained for some period of time at a relay, thus hampering and postponing the packet's normal timely delivery from source to destination.

教程:一些网络间应用程序只需要数据报完整性,但其他应用程序需要保护整个数据包流不受插入、重新排序、删除和延迟的影响:-“插入”:目的地接收源未发送的附加数据包。-“重新排序”:目标接收数据包的顺序与源发送数据包的顺序不同。-“删除”:源发送的数据包从未发送到预期目的地。-“延迟”:数据包在中继器处被扣留一段时间,从而妨碍和延迟数据包从源到目的地的正常及时传递。

$ strength 1. (I) /cryptography/ A cryptographic mechanism's level of resistance to attacks [R3766]. (See: entropy, strong, work factor.)

$ 实力1。(一) /cryptography/A加密机制的抗攻击级别[R3766]。(参见:熵,强,功因子。)

2. (N) /Common Criteria/ "Strength of function" is a "qualification of a TOE security function expressing the minimum efforts assumed necessary to defeat its expected security behavior by directly attacking its underlying security mechanisms": (See: strong.) - Basic: "A level of the TOE strength of function where analysis shows that the function provides adequate protection against casual breach of TOE security by attackers possessing a low attack potential." - Medium: "... against straightforward or intentional breach ... by attackers possessing a moderate attack potential." - High: "... against deliberately planned or organized breach ... by attackers possessing a high attack potential."

2. (N) /Common Criteria/“功能强度”是指“通过直接攻击其底层安全机制来证明其预期安全行为所需的最低努力的TOE安全功能鉴定”:(见:strong.)-基本:“功能的脚趾强度水平,分析表明该功能提供了足够的保护,防止具有低攻击潜力的攻击者偶然破坏脚趾安全。”-中:“。。。反对直接或故意违反。。。攻击者具有中等攻击潜力。”-高:“。。。针对故意计划或有组织的破坏。。。由具有高攻击潜力的攻击者攻击。”

$ strong 1. (I) /cryptography/ Used to describe a cryptographic algorithm that would require a large amount of computational power to defeat it. (See: strength, work factor, weak key.)

$ 强1。(一) /cryptography/用于描述需要大量计算能力才能击败它的加密算法。(参见:强度、工作系数、弱键。)

2. (I) /COMPUSEC/ Used to describe a security mechanism that would be difficult to defeat. (See: strength, work factor.)

2. (一) /COMPUSEC/用于描述难以击败的安全机制。(参见:强度、工作系数。)

$ strong authentication 1. (I) An authentication process that uses a cryptographic security mechanism -- particularly public-key certificates -- to verify the identity claimed for an entity. (Compare: simple authentication.)

$ 强身份验证1。(一) 一种身份验证过程,使用加密安全机制(特别是公钥证书)来验证为实体声明的身份。(比较:简单身份验证。)

2. (O) "Authentication by means of cryptographically derived credentials." [X509]

2. (O) “通过加密派生凭据进行身份验证。”[X509]

$ subject 1a. (I) A process in a computer system that represents a principal and that executes with the privileges that have been granted to that principal. (Compare: principal, user.)

$ 主题1a。(一) 计算机系统中的一种进程,它代表一个主体,并以授予该主体的特权执行。(比较:主体、用户。)

1b. (I) /formal model/ A system entity that causes information to flow among objects or changes the system state; technically, a process-domain pair. A subject may itself be an object relative to some other subject; thus, the set of subjects in a system is a subset of the set of objects. (See: Bell-LaPadula model, object.)

1b。(一) /正式模型/使信息在对象之间流动或改变系统状态的系统实体;从技术上讲,是一个进程域对。主体本身可能是相对于其他主体的客体;因此,系统中的主题集是对象集的子集。(请参见:贝尔-拉帕杜拉模型,对象。)

2. (I) /digital certificate/ The name (of a system entity) that is bound to the data items in a digital certificate; e.g., a DN that is bound to a key in a public-key certificate. (See: X.509.)

2. (一) /数字证书/绑定到数字证书中数据项的(系统实体)名称;e、 例如,绑定到公钥证书中的密钥的DN。(见:X.509)

$ subject CA (D) The CA that is the subject of a cross-certificate issued by another CA. [X509] (See: cross-certification.)

$ 主体CA(D)是由另一CA颁发的交叉证书的主体的CA。[X509](请参阅:交叉证书。)

Deprecated Term: IDOCs SHOULD NOT use this term because it is not widely known and could be misunderstood. Instead, say "the CA that is the subject of the cross-certificate".

不推荐使用的术语:IDOCs不应该使用这个术语,因为它并不广为人知,可能会被误解。而是说“作为交叉证书主体的CA”。

$ subnetwork (N) An OSI term for a system of packet relays and connecting links that implement OSIRM layer 2 or 3 to provide a communication service that interconnects attached end systems. Usually, the relays are all of the same type (e.g., X.25 packet switches, or interface units in an IEEE 802.3 LAN). (See: gateway, internet, router.)

$ 子网(N):OSI术语,指包中继和连接链路系统,实现OSIRM第2层或第3层,以提供互连连接终端系统的通信服务。通常,继电器都是相同类型的(例如,X.25分组交换机或IEEE 802.3 LAN中的接口单元)。(请参阅:网关、互联网、路由器。)

$ subordinate CA (SCA) 1. (I) A CA whose public-key certificate is issued by another (superior) CA. (See: certification hierarchy. Compare: cross-certification.)

$ 下属CA(SCA)1。(一) 其公钥证书由另一个(上级)CA颁发的CA。(请参阅:证书层次结构。比较:交叉证书。)

2. (O) /MISSI/ The fourth-highest (i.e., bottom) level of a MISSI certification hierarchy; a MISSI CA whose public-key certificate is signed by a MISSI CA rather than by a MISSI PCA. A MISSI SCA is the administrative authority for a subunit of an organization, established when it is desirable to organizationally distribute or decentralize the CA service. The term refers both to that authoritative office or role, and to the person who fills that office. A MISSI SCA registers end users and issues their certificates and may also register ORAs, but may not register other CAs. An SCA periodically issues a CRL.

2. (O) /misi/misi认证层次结构的第四高(即底部)级别;其公钥证书由MSI CA而不是由MSI PCA签名的一种MSI CA。MSI SCA是一个组织的子单元的管理权限,当需要在组织上分发或分散CA服务时建立。该术语既指该权威机构或角色,也指填补该机构的人员。MSI SCA注册最终用户并颁发其证书,还可以注册ORA,但不能注册其他CA。SCA定期发布CRL。

$ subordinate DN (I) An X.500 DN is subordinate to another X.500 DN if it begins with a set of attributes that is the same as the entire second DN except for the terminal attribute of the second DN (which is usually the name of a CA). For example, the DN <C=FooLand, O=Gov, OU=Treasurer, CN=DukePinchpenny> is subordinate to the DN <C=FooLand, O=Gov, CN=KingFooCA>.

$ 从属DN(I)如果一个X.500 DN以一组属性开始,除了第二个DN的terminal属性(通常是CA的名称)外,其他属性与整个第二个DN相同,则该X.500 DN从属于另一个X.500 DN。例如,DN<C=傻瓜,O=Gov,OU=司库,CN=DukePinchpenny>从属于DN<C=傻瓜,O=Gov,CN=KingFooCA>。

$ subscriber (I) /PKI/ A user that is registered in a PKI and, therefore, can be named in the "subject" field of a certificate issued by a CA in that PKI. (See: registration, user.)

$ 订户(I)/PKI/在PKI中注册的用户,因此可以在该PKI中CA颁发的证书的“主题”字段中命名。(请参阅:注册,用户。)

Usage: This term is needed to distinguish registered users from two other kinds of PKI users: - Users that access the PKI but are not identified to it: For example, a relying party may access a PKI repository to obtain the certificate of some other party. (See: access.) - Users that do not access the PKI: For example, a relying party (see: certificate user) may use a digital certificate that was obtained from a database that is not part of the PKI that issued the certificate.

用法:需要使用该术语将注册用户与其他两类PKI用户区分开来:-访问PKI但未对其进行标识的用户:例如,依赖方可以访问PKI存储库以获取其他方的证书。(请参阅:访问)-不访问PKI的用户:例如,依赖方(请参阅:证书用户)可以使用从数据库获得的数字证书,该数据库不是颁发证书的PKI的一部分。

$ substitution 1. (I) /cryptography/ A method of encryption in which elements of the plain text retain their sequential position but are replaced by elements of cipher text. (Compare: transposition.)

$ 替代1。(一) /cryptography/一种加密方法,其中纯文本元素保留其顺序位置,但被密文元素替换。(比较:换位。)

2. (I) /threat action/ See: secondary definition under "falsification".

2. (一) /威胁行动/见“伪造”下的二级定义。

$ subsystem (I) A collection of related system components that together perform a system function or deliver a system service.

$ 子系统(I)共同执行系统功能或提供系统服务的相关系统组件的集合。

$ superencryption (I) An encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation. (Compare: hybrid encryption.)

$ 超级加密(I)将要转换的明文输入作为先前加密操作的密文输出的加密操作。(比较:混合加密。)

$ superuser (I) /UNIX/ Synonym for "root".

$ 超级用户(I)/UNIX/根的同义词。

$ survivability (I) The ability of a system to remain in operation or existence despite adverse conditions, including natural occurrences, accidental actions, and attacks. (Compare: availability, reliability.)

$ 生存能力(I)系统在不利条件下保持运行或存在的能力,包括自然发生、意外动作和攻击。(比较:可用性、可靠性。)

$ swIPe (I) An encryption protocol for IP that provides confidentiality, integrity, and authentication and can be used for both end-to-end and intermediate-hop security. [Ioan] (Compare: IPsec.)

$ swIPe(I)IP加密协议,提供机密性、完整性和身份验证,可用于端到端和中间跳安全。[Ioan](比较:IPsec)

Tutorial: The swIPe protocol is an IP predecessor that is concerned only with encryption mechanisms; policy and key management are handled outside the protocol.

教程:swIPe协议是IP的前身,只涉及加密机制;策略和密钥管理在协议之外处理。

$ syllabary (N) /encryption/ A list of individual letters, combinations of letters, or syllables, with their equivalent code groups, used for spelling out proper names or other unusual words that are not present in the basic vocabulary (i.e., are not in the codebook) of a code used for encryption.

$ 音节(N)/加密/单个字母、字母组合或音节及其等效代码组的列表,用于拼写用于加密的代码的基本词汇表(即代码本中未包含的)中未出现的专有名称或其他不寻常的单词。

$ symmetric cryptography (I) A branch of cryptography in which the algorithms use the same key for both of two counterpart cryptographic operations (e.g., encryption and decryption). (See: asymmetric cryptography. Compare: secret-key cryptography.)

$ 对称密码学(I)密码学的一个分支,其中算法对两个对应的加密操作(例如加密和解密)使用相同的密钥。(请参阅:非对称加密。比较:密钥加密。)

Tutorial: Symmetric cryptography has been used for thousands of years [Kahn]. A modern example is AES.

教程:对称加密已经使用了数千年[Kahn]。一个现代的例子是AES。

Symmetric cryptography has a disadvantage compared to asymmetric cryptography with regard to key distribution. For example, when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a key, and Bob uses the same key to decrypt. However, keeping the shared key secret entails both cost

与非对称密码相比,对称密码在密钥分配方面有一个缺点。例如,当Alice希望确保发送给Bob的数据的机密性时,她使用密钥对数据进行加密,Bob使用相同的密钥进行解密。然而,保持共享密钥的机密性需要两方面的成本

and risk when the key is distributed to both Alice and Bob. (See: key distribution, key management.)

当密钥同时分发给Alice和Bob时,会有风险。(请参阅:密钥分发、密钥管理。)

$ symmetric key (I) A cryptographic key that is used in a symmetric cryptographic algorithm. (See: symmetric cryptography.)

$ 对称密钥(I)在对称加密算法中使用的加密密钥。(请参阅:对称加密。)

$ SYN flood (I) A denial-of-service attack that sends a large number of TCP SYN (synchronize) packets to a host with the intent of disrupting the operation of that host. (See: blind attack, flooding.)

$ SYN flood(I)一种拒绝服务攻击,向主机发送大量TCP SYN(同步)数据包,目的是中断该主机的运行。(请参阅:盲目攻击、洪水。)

Tutorial: This attack seeks to exploit a vulnerability in the TCP specification or in a TCP implementation. Normally, two hosts use a three-way exchange of packets to establish a TCP connection: (a) host 1 requests a connection by sending a SYN packet to host 2; (b) host 2 replies by sending a SYN-ACK (acknowledgement) packet to host 1; and (c) host 1 completes the connection by sending an ACK packet to host 2. To attack host 2, host 1 can send a series of TCP SYNs, each with a different phony source address. ([R2827] discusses how to use packet filtering to prevent such attacks from being launched from behind an Internet service provider's aggregation point.) Host 2 treats each SYN as a request from a separate host, replies to each with a SYN-ACK, and waits to receive the matching ACKs. (The attacker can use random or unreachable sources addresses in the SYN packets, or can use source addresses that belong to third parties, that then become secondary victims.)

教程:此攻击试图利用TCP规范或TCP实现中的漏洞进行攻击。通常,两台主机使用三路数据包交换来建立TCP连接:(a)主机1通过向主机2发送SYN数据包来请求连接;(b) 主机2通过向主机1发送SYN-ACK(确认)数据包进行应答;和(c)主机1通过向主机2发送ACK分组来完成连接。要攻击主机2,主机1可以发送一系列TCP SYN,每个都有不同的虚假源地址。([R2827]讨论如何使用数据包过滤来防止此类攻击从Internet服务提供商的聚合点后面发起。)主机2将每个SYN视为来自单独主机的请求,使用SYN-ACK回复每个SYN,并等待接收匹配的ACK。(攻击者可以在SYN数据包中使用随机或无法访问的源地址,也可以使用属于第三方的源地址,这些源地址随后成为次要受害者。)

For each SYN-ACK that is sent, the TCP process in host 2 needs some memory space to store state information while waiting for the matching ACK to be returned. If the matching ACK never arrives at host 2, a timer associated with the pending SYN-ACK will eventually expire and release the space. But if host 1 (or a cooperating group of hosts) can rapidly send many SYNs to host 2, host 2 will need to store state information for many pending SYN-ACKs and may run out of space. This can prevent host 2 from responding to legitimate connection requests from other hosts or even, if there are flaws in host 2's TCP implementation, crash when the available space is exhausted.

对于发送的每个SYN-ACK,主机2中的TCP进程需要一些内存空间来存储状态信息,同时等待返回匹配的ACK。如果匹配的ACK从未到达主机2,则与挂起的SYN-ACK相关联的计时器最终将过期并释放空间。但是,如果主机1(或主机的协作组)可以快速向主机2发送许多SYN,那么主机2将需要存储许多挂起SYN ACK的状态信息,并且可能会耗尽空间。这可能会阻止主机2响应来自其他主机的合法连接请求,甚至,如果主机2的TCP实现存在缺陷,在可用空间耗尽时崩溃。

$ synchronization (I) Any technique by which a receiving (decrypting) cryptographic process attains an internal state that matches the transmitting (encrypting) process, i.e., has the appropriate keying material to process the cipher text and is correctly initialized to do so.

$ 同步(I)接收(解密)加密过程达到与发送(加密)过程匹配的内部状态的任何技术,即,具有适当的密钥材料来处理密文,并正确初始化以进行同步。

$ system (I) Synonym for "information system".

$ 系统(I)“信息系统”的同义词。

Usage: This is a generic definition, and is the one with which the term is used in this Glossary. However, IDOCs that use the term, especially IDOCs that are protocol specifications, SHOULD state a more specific definition. Also, IDOCs that specify security features, services, and assurances need to define which system components and system resources are inside the applicable security perimeter and which are outside. (See: security architecture.)

用法:这是一个通用定义,也是本术语表中使用该术语的定义。但是,使用该术语的IDoc,尤其是作为协议规范的IDoc,应该说明更具体的定义。此外,指定安全特性、服务和保证的IDoc需要定义哪些系统组件和系统资源在适用的安全范围内,哪些在适用的安全范围外。(请参阅:安全体系结构。)

$ system architecture (N) The structure of system components, their relationships, and the principles and guidelines governing their design and evolution over time. [DoD10] (Compare: security architecture.)

$ 系统架构(N):系统组件的结构、它们之间的关系,以及管理它们的设计和随时间演化的原则和指南。[DoD10](比较:安全体系结构)

$ system component 1. (I) A collection of system resources that (a) forms a physical or logical part of the system, (b) has specified functions and interfaces, and (c) is treated (e.g., by policies or specifications) as existing independently of other parts of the system. (See: subsystem.)

$ 系统组成部分1。(一) 系统资源的集合,其(A)构成系统的物理或逻辑部分,(b)具有指定的功能和接口,以及(c)被视为(例如,通过策略或规范)独立于系统的其他部分而存在。(请参阅:子系统。)

2. (O) /ITSEC/ An identifiable and self-contained part of a TOE.

2. (O) /ITSEC/脚趾的可识别和独立部分。

Usage: Component is a relative term because components may be nested; i.e., one component of a system may be a part of another component of that system.

用法:组件是一个相对术语,因为组件可以嵌套;i、 例如,一个系统的一个组件可以是该系统的另一个组件的一部分。

Tutorial: Components can be characterized as follows: - A "physical component" has mass and takes up space. - A "logical component" is an abstraction used to manage and coordinate aspects of the physical environment, and typically represents a set of states or capabilities of the system.

教程:组件的特征如下:-“物理组件”具有质量并占用空间。-“逻辑组件”是用于管理和协调物理环境各个方面的抽象,通常表示系统的一组状态或功能。

$ system entity (I) An active part of a system -- a person, a set of persons (e.g., some kind of organization), an automated process, or a set of processes (see: subsystem) -- that has a specific set of capabilities. (Compare: subject, user.)

$ 系统实体(I)系统的活动部分——一个人、一组人(例如,某种组织)、一个自动化流程或一组流程(参见:子系统)——具有一组特定功能。(比较:主题、用户。)

$ system high (I) The highest security level at which a system operates, or is capable of operating, at a particular time or in a particular environment. (See: system-high security mode.)

$ 系统高(I)系统在特定时间或特定环境下运行或能够运行的最高安全级别。(请参阅:系统高安全模式。)

$ system-high security mode (I) A mode of system operation wherein all users having access to the system possess all necessary authorizations (both security clearance and formal access approval) for all data handled by the system, but some users might not have need-to-know for all the data. (See: /system operation/ under "mode", formal access approval, protection level, security clearance.)

$ 系统高安全模式(I)一种系统操作模式,其中所有访问系统的用户都拥有系统处理的所有数据的所有必要授权(安全许可和正式访问批准),但一些用户可能不需要知道所有数据。(请参阅:/系统操作/在“模式”下,正式访问批准、保护级别、安全许可。)

Usage: Usually abbreviated as "system-high mode". This mode was defined in U.S. DoD policy that applied to system accreditation, but the term is widely used outside the Government.

用法:通常缩写为“系统高模式”。该模式在适用于系统认证的美国国防部政策中定义,但该术语在政府之外广泛使用。

$ system integrity 1. (I) An attribute or quality "that a system has when it can perform its intended function in a unimpaired manner, free from deliberate or inadvertent unauthorized manipulation." [C4009, NCS04] (See: recovery, system integrity service.)

$ 系统完整性1。(一) 一种属性或质量,“当系统能够以不受损害的方式执行其预期功能时,不受故意或无意的未经授权的操纵。”[C4009,NCS04](参见:恢复,系统完整性服务。)

2. (D) "Quality of an [information system] reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data." [from an earlier version of C4009]

2. (D) “反映操作系统逻辑正确性和可靠性的[信息系统]质量;实施保护机制的硬件和软件的逻辑完整性;以及数据结构的一致性和存储数据的出现。”[来自C4009的早期版本]

Deprecated Definition: IDOCs SHOULD NOT use definition 2 because it mixes several concepts in a potentially misleading way. Instead, IDOCs should use the term with definition 1 and, depending on what is meant, couple the term with additional, more specifically descriptive and informative terms, such as "correctness", "reliability", and "data integrity".

不推荐使用的定义:IDOCs不应该使用定义2,因为它以一种潜在误导的方式混合了几个概念。相反,IDOC应使用定义为1的术语,并根据其含义,将该术语与其他更具体的描述性和信息性术语结合起来,如“正确性”、“可靠性”和“数据完整性”。

$ system integrity service (I) A security service that protects system resources in a verifiable manner against unauthorized or accidental change, loss, or destruction. (See: system integrity.)

$ 系统完整性服务(I)以可验证的方式保护系统资源免受未经授权或意外更改、丢失或破坏的安全服务。(请参阅:系统完整性。)

$ system low (I) The lowest security level supported by a system at a particular time or in a particular environment. (Compare: system high.)

$ 系统低(I)系统在特定时间或特定环境中支持的最低安全级别。(比较:系统高。)

$ system resource (I) Data contained in an information system; or a service provided by a system; or a system capacity, such as processing power or communication bandwidth; or an item of system equipment (i.e.,

$ 系统资源(I)信息系统中包含的数据;或系统提供的服务;或系统容量,如处理能力或通信带宽;或一项系统设备(即:。,

hardware, firmware, software, or documentation); or a facility that houses system operations and equipment. (See: system component.)

硬件、固件、软件或文档);或容纳系统操作和设备的设施。(请参见:系统组件。)

$ system security officer (SSO) (I) A person responsible for enforcement or administration of the security policy that applies to a system. (Compare: manager, operator.)

$ 系统安全官员(SSO)(I)负责执行或管理适用于系统的安全策略的人员。(比较:经理、操作员。)

$ system user (I) A system entity that consumes a product or service provided by the system, or that accesses and employs system resources to produce a product or service of the system. (See: access, [R2504]. Compare: authorized user, manager, operator, principal, privileged user, subject, subscriber, system entity, unauthorized user.)

$ 系统用户(I)使用系统提供的产品或服务,或访问和使用系统资源生产系统产品或服务的系统实体。(请参阅:访问[R2504]。比较:授权用户、经理、操作员、负责人、特权用户、主题、订户、系统实体、未授权用户。)

Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood: - This term usually refers to an entity that has been authorized to access the system, but the term sometimes is used without regard for whether access is authorized. - This term usually refers to a living human being acting either personally or in an organizational role. However, the term also may refer to an automated process in the form of hardware, software, or firmware; to a set of persons; or to a set of processes. - IDOCs SHOULD NOT use the term to refer to a mixed set containing both persons and processes. This exclusion is intended to prevent situations that might cause a security policy to be interpreted in two different and conflicting ways.

用法:使用该术语的IDOC应说明其定义,因为该术语的使用方式多种多样,容易被误解:-该术语通常指已被授权访问系统的实体,但有时使用该术语时不考虑访问是否被授权。-这个术语通常指的是一个活着的人,无论是个人还是组织角色。然而,该术语也可指硬件、软件或固件形式的自动化过程;一组人;或一组过程IDoc不应使用该术语来指同时包含人员和流程的混合集合。此排除旨在防止可能导致以两种不同且相互冲突的方式解释安全策略的情况。

A system user can be characterized as direct or indirect: - "Passive user": A system entity that is (a) outside the system's security perimeter *and* (b) can receive output from the system but cannot provide input or otherwise interact with the system. - "Active user": A system entity that is (a) inside the system's security perimeter *or* (b) can provide input or otherwise interact with the system.

系统用户可以被描述为直接或间接的:-“被动用户”:一个系统实体,它(A)在系统安全边界*之外*(b)可以从系统接收输出,但不能提供输入或与系统交互。-“活动用户”:系统实体(A)位于系统安全周界*或*(b)内,可提供输入或以其他方式与系统交互。

$ TACACS (I) See: Terminal Access Controller (TAC) Access Control System.

$ TACACS(I)见:终端访问控制器(TAC)访问控制系统。

$ TACACS+ (I) A TCP-based protocol that improves on TACACS by separating the functions of authentication, authorization, and accounting and by encrypting all traffic between the network access server and

$ TACACS+(I)一种基于TCP的协议,通过分离身份验证、授权和记帐功能,并通过加密网络访问服务器和服务器之间的所有通信量,对TACACS进行改进

authentication server. TACACS+ is extensible to allow any authentication mechanism to be used with TACACS+ clients.

身份验证服务器。TACACS+是可扩展的,允许任何身份验证机制与TACACS+客户端一起使用。

$ tamper (I) Make an unauthorized modification in a system that alters the system's functioning in a way that degrades the security services that the system was intended to provide. (See: QUADRANT. Compare: secondary definitions under "corruption" and "misuse".)

$ 篡改(I)对系统进行未经授权的修改,以降低系统预期提供的安全服务的方式改变系统的功能。(参见:象限。比较:“腐败”和“滥用”下的二级定义。)

$ tamper-evident (I) A characteristic of a system component that provides evidence that an attack has been attempted on that component or system.

$ 防篡改(I)系统组件的一种特征,它提供了有人试图对该组件或系统进行攻击的证据。

Usage: Usually involves physical evidence. (See: tamper.)

用法:通常包括物证。(请参阅:篡改。)

$ tamper-resistant (I) A characteristic of a system component that provides passive protection against an attack. (See: tamper.)

$ 防篡改(I)系统组件的一种特性,可提供针对攻击的被动保护。(请参阅:篡改。)

Usage: Usually involves physical means of protection.

用法:通常包括物理保护手段。

$ tampering (I) /threat action/ See: secondary definitions under "corruption" and "misuse".

$ 篡改(I)/威胁行动/见“腐败”和“滥用”下的二级定义。

$ target of evaluation (TOE) (N) /Common Criteria/ An information technology product or system that is the subject of a security evaluation, together with the product's associated administrator and user documentation. (Compare: protection profile.)

$ 评估目标(TOE)(N)/通用标准/作为安全评估主题的信息技术产品或系统,以及产品的相关管理员和用户文档。(比较:保护配置文件。)

Tutorial: The security characteristics of the target of evaluation (TOE) are described in specific terms by a corresponding security target, or in more general terms by a protection profile. In Common Criteria philosophy, it is important that a TOE be evaluated against the specific set of criteria expressed in the target. This evaluation consists of rigorous analysis and testing performed by an accredited, independent laboratory. The scope of a TOE evaluation is set by the EAL and other requirements specified in the target. Part of this process is an evaluation of the target itself, to ensure that it is correct, complete, and internally consistent and can be used as the baseline for the TOE evaluation.

教程:评估目标(TOE)的安全特性由相应的安全目标以特定术语描述,或由保护配置文件以更一般的术语描述。在通用标准哲学中,根据目标中表达的特定标准集对TOE进行评估非常重要。该评估包括由经认证的独立实验室进行的严格分析和测试。脚趾评估的范围由EAL和目标中规定的其他要求确定。该过程的一部分是对目标本身的评估,以确保其正确、完整且内部一致,并可作为脚趾评估的基线。

$ TCB (N) See: trusted computing base.

$ TCB(N)参见:可信计算基础。

$ TCC field (I) See: Transmission Control Code field.

$ 变矩器离合器字段(I)参见:变速器控制代码字段。

$ TCG (N) See: Trusted Computing Group.

$ TCG(N)参见:可信计算组。

$ TCP (I) See: Transmission Control Protocol.

$ TCP(I)参见:传输控制协议。

$ TCP/IP (I) Synonym for "Internet Protocol Suite".

$ TCP/IP(I)是“互联网协议套件”的同义词。

$ TCSEC (N) See: Trusted Computer System Evaluation Criteria. (Compare: TSEC.)

$ TCSEC(N)请参阅:可信计算机系统评估标准。(比较:TSEC)

$ TDEA (I) See: Triple Data Encryption Algorithm.

$ TDEA(I)见:三重数据加密算法。

$ teardrop attack (D) /slang/ A denial-of-service attack that sends improperly formed IP packet fragments with the intent of causing the destination system to fail.

$ 泪滴攻击(D)/俚语/一种拒绝服务攻击,发送格式不正确的IP数据包片段,目的是导致目标系统失败。

Deprecated Term: IDOCs that use this term SHOULD state a definition for it because the term is often used imprecisely and could easily be misunderstood. (See: Deprecated Usage under "Green Book".)

不推荐使用的术语:使用该术语的IDoc应说明其定义,因为该术语通常使用不准确,很容易被误解。(请参阅“绿皮书”下不推荐的用法。)

$ technical non-repudiation (I) See: (secondary definition under) non-repudiation.

$ 技术不可抵赖性(I)见:(第二定义)不可抵赖性。

$ technical security (I) Security mechanisms and procedures that are implemented in and executed by computer hardware, firmware, or software to provide automated protection for a system. (See: security architecture. Compare: administrative security.)

$ 技术安全(I)在计算机硬件、固件或软件中实施并由其执行的安全机制和程序,以为系统提供自动保护。(请参阅:安全体系结构。比较:管理安全。)

$ Telecommunications Security Word System (TSEC) (O) /U.S. Government/ A terminology for designating telecommunication security equipment. (Compare: TCSEC.)

$ 电信安全字系统(TSEC)(O)/美国政府/A指定电信安全设备的术语。(比较:TCSEC)

Tutorial: A TSEC designator has the following parts: - Prefix "TSEC/" for items and systems, or suffix "/TSEC" for assemblies. (Often omitted when the context is clear.) - First letter, for function: "C" COMSEC equipment system, "G" general purpose, "K" cryptographic, "H" crypto-ancillary, "M" manufacturing, "N" noncryptographic, "S" special purpose. - Second letter, for type or purpose: "G" key generation, "I" data transmission, "L" literal conversion, "N" signal conversion, "O" multipurpose, "P" materials production, "S"

教程:TSEC指示器具有以下部分:-项目和系统的前缀为“TSEC/”,或部件的后缀为“/TSEC”。(上下文清楚时通常省略。)-功能的第一个字母:“C”通信安全设备系统,“G”通用,“K”加密,“H”加密辅助,“M”制造,“N”非加密,“S”专用。-第二个字母,用于类型或用途:“G”键生成,“I”数据传输,“L”文字转换,“N”信号转换,“O”多用途,“P”材料生产,“S”

special purpose, "T" testing or checking, "U" television, "W" teletypewriter, "X" facsimile, "Y" speech. - Optional third letter, used only in designations of assemblies, for type or purpose: "A" advancing, "B" base or cabinet, "C" combining, "D" drawer or panel, "E" strip or chassis, "F" frame or rack, "G" key generator, "H" keyboard, "I" translator or reader, "J" speech processing, "K" keying or permuting, "L" repeater, "M" memory or storage, "O" observation, "P" power supply or converter, "R" receiver, "S" synchronizing, "T" transmitter, "U" printer, "V" removable COMSEC component, "W" logic programmer/programming, "X" special purpose. - Model number, usually two or three digits, assigned sequentially within each letter combination (e.g., KG-34, KG-84). - Optional suffix letter, used to designate a version. First version has no letter, next version has "A" (e.g., KG-84, KG-84A), etc.

特殊用途,“T”测试或检查,“U”电视,“W”电传打字机,“X”传真机,“Y”语音。-可选第三个字母,仅用于组件名称,用于类型或用途:“A”前进,“B”底座或机柜,“C”组合,“D”抽屉或面板,“E”条带或机箱,“F”框架或机架,“G”键生成器,“H”键盘,“I”翻译器或读卡器,“J”语音处理,“K”键控或置换,“L”中继器,“M”内存或存储器,“O”观察,“P”电源或转换器,“R”接收器,“S”同步,“T”发射机,“U”打印机,“V”可移动通信安全组件,“W”逻辑编程器/编程,“X”专用。-型号,通常为两位或三位数字,在每个字母组合内按顺序分配(例如,KG-34、KG-84)。-可选后缀字母,用于指定版本。第一个版本没有字母,下一个版本有“A”(如KG-84、KG-84A)等。

$ TELNET (I) A TCP-based, Application-Layer, Internet Standard protocol (RFC 854) for remote login from one host to another.

$ TELNET(I)基于TCP的应用层互联网标准协议(RFC 854),用于从一台主机远程登录到另一台主机。

$ TEMPEST 1. (N) Short name for technology and methods for protecting against data compromise due to electromagnetic emanations from electrical and electronic equipment. [Army, Russ] (See: inspectable space, soft TEMPEST, TEMPEST zone. Compare: QUADRANT)

$ 暴风雨一号。(N) 防止因电气和电子设备的电磁辐射而导致数据泄露的技术和方法的简称。[陆军,俄罗斯](参见:可检查空间,软风暴,风暴区。比较:象限)

2. (O) /U.S. Government/ "Short name referring to investigation, study, and control of compromising emanations from IS equipment." [C4009]

2. (O) /U.S.Government/“简称,指调查、研究和控制IS设备产生的有害气体。”[C4009]

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "electromagnetic emanations security"; instead, use EMSEC. Also, the term is NOT an acronym for Transient Electromagnetic Pulse Surveillance Technology.

不推荐使用:IDOCs不应将此术语用作“电磁辐射安全”的同义词;相反,使用EMSEC。此外,该术语不是瞬态电磁脉冲监测技术的首字母缩写。

Tutorial: The U.S. Federal Government issues security policies that (a) state specifications and standards for techniques to reduce the strength of emanations from systems and reduce the ability of unauthorized parties to receive and make use of emanations and (b) state rules for applying those techniques. Other nations presumably do the same.

教程:美国联邦政府发布的安全政策包括:(a)制定技术规范和标准,以降低系统辐射强度,降低未经授权方接收和使用辐射的能力;(b)制定应用这些技术的规则。其他国家大概也会这样做。

$ TEMPEST zone (O) "Designated area [i.e., a physical volume] within a facility where equipment with appropriate TEMPEST characteristics ... may

$ 风暴区(O)“设施内的指定区域[即物理体积],具有适当风暴特征的设备可在该区域使用

be operated." [C4009] (See: emanation security, TEMPEST. Compare: control zone, inspectable space.)

被操作。“[C4009](参见:放射安全,暴风雨。比较:控制区,可检查空间。)

Tutorial: The strength of an electromagnetic signal decreases in proportion to the square of the distance between the source and the receiver. Therefore, EMSEC for electromagnetic signals can be achieved by a combination of (a) reducing the strength of emanations to a defined level and (b) establishing around that equipment an appropriately sized physical buffer zone from which unauthorized entities are excluded. By making the zone large enough, it is possible to limit the signal strength available to entities outside the zone to a level lower than can be received and read with known, state-of-the-art methods. Typically, the need for and size of a TEMPEST zone established by a security policy depends not only on the measured level of signal emitted by equipment, but also on the perceived threat level in the equipment's environment.

教程:电磁信号的强度与源和接收器之间距离的平方成比例减小。因此,电磁信号的EMSEC可以通过以下两种方式实现:(a)将辐射强度降低到规定的水平;(b)在该设备周围建立一个适当大小的物理缓冲区,将未经授权的实体排除在外。通过使区域足够大,可以将区域外实体可用的信号强度限制在低于可用已知最先进方法接收和读取的水平。通常,安全策略建立的风暴区的需要和大小不仅取决于设备发出的测量信号水平,还取决于设备环境中的感知威胁水平。

$ Terminal Access Controller (TAC) Access Control System (TACACS) (I) A UDP-based authentication and access control protocol [R1492] in which a network access server receives an identifier and password from a remote terminal and passes them to a separate authentication server for verification. (See: TACACS+.)

$ 终端访问控制器(TAC)访问控制系统(TACACS)(I)基于UDP的身份验证和访问控制协议[R1492],其中网络访问服务器从远程终端接收标识符和密码,并将其传递给单独的身份验证服务器进行验证。(见:TACACS+)

Tutorial: TACACS can provide service not only for network access servers but also routers and other networked computing devices via one or more centralized authentication servers. TACACS was originally developed for ARPANET and has evolved for use in commercial equipment.

教程:TACACS不仅可以为网络访问服务器提供服务,还可以通过一个或多个集中式身份验证服务器为路由器和其他网络计算设备提供服务。TACACS最初是为ARPANET开发的,并已发展为用于商业设备。

$ TESS (I) See: The Exponential Encryption System.

$ 苔丝(我)看:指数加密系统。

$ The Exponential Encryption System (TESS) (I) A system of separate but cooperating cryptographic mechanisms and functions for the secure authenticated exchange of cryptographic keys, the generation of digital signatures, and the distribution of public keys. TESS uses asymmetric cryptography, based on discrete exponentiation, and a structure of self-certified public keys. [R1824]

$ 指数加密系统(TESS)(I)一个由单独但相互协作的加密机制和功能组成的系统,用于加密密钥的安全认证交换、数字签名的生成和公钥的分发。TESS使用基于离散幂运算的非对称加密技术和自认证公钥结构。[R1824]

$ theft (I) /threat action/ See: secondary definitions under "interception" and "misappropriation".

$ 盗窃(I)/威胁行动/见“拦截”和“挪用”下的二级定义。

$ threat 1a. (I) A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event

$ 威胁1a。(一) 当存在实体、环境、能力、行动或事件时,存在违反安全的可能性

that could cause harm. (See: dangling threat, INFOCON level, threat action, threat agent, threat consequence. Compare: attack, vulnerability.)

那可能会造成伤害。(请参阅:悬空威胁、信息控制级别、威胁行动、威胁代理、威胁后果。比较:攻击、漏洞。)

1b. (N) Any circumstance or event with the potential to adversely affect a system through unauthorized access, destruction, disclosure, or modification of data, or denial of service. [C4009] (See: sensitive information.)

1b。(N) 任何可能通过未经授权的访问、破坏、披露或修改数据或拒绝服务而对系统产生不利影响的情况或事件。[C4009](请参阅:敏感信息。)

Usage: (a) Frequently misused with the meaning of either "threat action" or "vulnerability". (b) In some contexts, "threat" is used more narrowly to refer only to intelligent threats; for example, see definition 2 below. (c) In some contexts, "threat" is used more broadly to cover both definition 1 and other concepts, such as in definition 3 below.

用法:(a)经常误用“威胁行动”或“脆弱性”的含义。(b) 在某些情况下,“威胁”的使用范围更窄,仅指智能威胁;例如,请参见下面的定义2。(c) 在某些情况下,“威胁”被更广泛地用于涵盖定义1和其他概念,如下文定义3。

Tutorial: A threat is a possible danger that might exploit a vulnerability. Thus, a threat may be intentional or not: - "Intentional threat": A possibility of an attack by an intelligent entity (e.g., an individual cracker or a criminal organization). - "Accidental threat": A possibility of human error or omission, unintended equipment malfunction, or natural disaster (e.g., fire, flood, earthquake, windstorm, and other causes listed in [FP031]).

教程:威胁是可能利用漏洞进行攻击的危险。因此,威胁可能是故意的,也可能不是故意的:——“故意威胁”:智能实体(例如,个人黑客或犯罪组织)进行攻击的可能性“意外威胁”:人为错误或疏忽、意外设备故障或自然灾害(如火灾、洪水、地震、风暴和[FP031]中列出的其他原因)的可能性。

The Common Criteria characterizes a threat in terms of (a) a threat agent, (b) a presumed method of attack, (c) any vulnerabilities that are the foundation for the attack, and (d) the system resource that is attacked. That characterization agrees with the definitions in this Glossary (see: diagram under "attack").

共同标准的特征是威胁(a)威胁代理,(b)假定的攻击方法,(c)任何攻击的基础弱点,以及(d)攻击的系统资源。该描述与本术语表中的定义一致(参见“攻击”下的图表)。

2. (O) The technical and operational ability of a hostile entity to detect, exploit, or subvert a friendly system and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.

2. (O) 敌对实体检测、利用或颠覆友好系统的技术和操作能力,以及该实体进行此类活动的已证明、推定或推断意图。

Tutorial: To be likely to launch an attack, an adversary must have (a) a motive to attack, (b) a method or technical ability to make the attack, and (c) an opportunity to appropriately access the targeted system.

教程:要有可能发起攻击,对手必须(a)有攻击动机,(b)进行攻击的方法或技术能力,以及(c)有机会适当访问目标系统。

3. (D) "An indication of an impending undesirable event." [Park]

3. (D) “即将发生的不良事件的迹象。”【公园】

Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3 because the definition is ambiguous; the definition was intended to include the following three meanings:

不推荐使用的定义:IDOCs不应将此术语与定义3一起使用,因为定义不明确;该定义旨在包括以下三种含义:

- "Potential threat": A possible security violation; i.e., the same as definition 1. - "Active threat": An expression of intent to violate security. (Context usually distinguishes this meaning from the previous one.) - "Accomplished threat" or "actualized threat": That is, a threat action. Deprecated Usage: IDOCs SHOULD NOT use the term "threat" with this meaning; instead, use "threat action".

- “潜在威胁”:可能违反安全规定;i、 与定义1相同“主动威胁”:表示意图侵犯安全。(上下文通常将此含义与前一含义区分开来。)-“已完成的威胁”或“已实现的威胁”:即威胁行为。不推荐使用:IDoc不应使用具有此含义的术语“威胁”;相反,使用“威胁行动”。

$ threat action (I) A realization of a threat, i.e., an occurrence in which system security is assaulted as the result of either an accidental event or an intentional act. (See: attack, threat, threat consequence.)

$ 威胁行为(I)威胁的实现,即系统安全因意外事件或故意行为而受到攻击的事件。(参见:攻击、威胁、威胁后果。)

Tutorial: A complete security architecture deals with both intentional acts (i.e., attacks) and accidental events [FP031]. (See: various kinds of threat actions defined under the four kinds of "threat consequence".)

教程:完整的安全体系结构处理故意行为(即攻击)和意外事件[FP031]。(参见:四种“威胁后果”下定义的各种威胁行为。)

$ threat agent (I) A system entity that performs a threat action, or an event that results in a threat action.

$ 威胁代理(I)执行威胁操作或导致威胁操作的事件的系统实体。

$ threat analysis (I) An analysis of the threat actions that might affect a system, primarily emphasizing their probability of occurrence but also considering their resulting threat consequences. Example: RFC 3833. (Compare: risk analysis.)

$ threat analysis (I) An analysis of the threat actions that might affect a system, primarily emphasizing their probability of occurrence but also considering their resulting threat consequences. Example: RFC 3833. (Compare: risk analysis.)translate error, please retry

$ threat consequence (I) A security violation that results from a threat action.

$ 威胁后果(I)威胁行为导致的安全违规。

Tutorial: The four basic types of threat consequence are "unauthorized disclosure", "deception", "disruption", and "usurpation". (See main Glossary entries of each of these four terms for lists of the types of threat actions that can result in these consequences.)

教程:威胁后果的四种基本类型是“未经授权的披露”、“欺骗”、“破坏”和“篡夺”。(有关可能导致这些后果的威胁行为类型列表,请参见这四个术语的主要词汇表条目。)

$ thumbprint 1. (I) A pattern of curves formed by the ridges on the tip of a thumb. (See: biometric authentication, fingerprint.)

$ 指纹1。(一) 拇指尖上的脊形成的曲线图案。(请参阅:生物特征认证、指纹。)

2. (D) Synonym for some type of "hash result". (See: biometric authentication. Compare: fingerprint.)

2. (D) 某种类型的“哈希结果”的同义词。(请参阅:生物特征认证。比较:指纹。)

Deprecated Usage: IDOCs SHOULD NOT use this term with definition 2 because that meaning mixes concepts in a potentially misleading way.

不推荐的用法:IDOCs不应该在定义2中使用这个术语,因为这意味着以潜在误导的方式混合了概念。

$ ticket (I) Synonym for "capability token".

$ 票证(I)“能力令牌”的同义词。

Tutorial: A ticket is usually granted by a centralized access control server (ticket-granting agent) to authorize access to a system resource for a limited time. Tickets can be implemented with either symmetric cryptography (see: Kerberos) or asymmetric cryptography (see: attribute certificate).

教程:票证通常由集中式访问控制服务器(票证授予代理)授予,以在有限的时间内授权对系统资源的访问。票证可以使用对称加密(请参阅:Kerberos)或非对称加密(请参阅:属性证书)实现。

$ tiger team (O) A group of evaluators employed by a system's managers to perform penetration tests on the system.

$ tiger团队(O):系统经理雇佣的一组评估人员,对系统进行渗透测试。

Deprecated Usage: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)

不推荐的用法:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)

$ time stamp 1. (I) /noun/ With respect to a data object, a label or marking in which is recorded the time (time of day or other instant of elapsed time) at which the label or marking was affixed to the data object. (See: Time-Stamp Protocol.)

$ 时间戳1。(一) /noon/对于数据对象,一种标签或标记,其中记录了将标签或标记粘贴到数据对象上的时间(一天中的时间或经过的时间的其他瞬间)。(请参阅:时间戳协议。)

2. (O) /noun/ "With respect to a recorded network event, a data field in which is recorded the time (time of day or other instant of elapsed time) at which the event took place." [A1523]

2. (O) /noon/“对于记录的网络事件,一种数据字段,其中记录了事件发生的时间(一天中的时间或经过的时间的其他瞬间)。[A1523]

Tutorial: A time stamp can be used as evidence to prove that a data object existed (or that an event occurred) at or before a particular time. For example, a time stamp might be used to prove that a digital signature based on a private key was created while the corresponding public-key certificate was valid, i.e., before the certificate either expired or was revoked. Establishing this proof would enable the certificate to be used after its expiration or revocation, to verify a signature that was created earlier. This kind of proof is required as part of implementing PKI services, such as non-repudiation service, and long-term security services, such as audit.

教程:时间戳可以用作证明数据对象在特定时间或之前存在(或事件发生)的证据。例如,可以使用时间戳来证明基于私钥的数字签名是在相应的公钥证书有效时创建的,即在证书过期或被撤销之前创建的。建立此证明将使证书能够在到期或撤销后使用,以验证先前创建的签名。这种证明是实现PKI服务(如不可否认服务)和长期安全服务(如审计)的一部分。

$ Time-Stamp Protocol (I) An Internet protocol (RFC 3161) that specifies how a client requests and receives a time stamp from a server for a data object held by the client.

$ 时间戳协议(I)一种互联网协议(RFC 3161),指定客户端如何从服务器请求和接收客户端持有的数据对象的时间戳。

Tutorial: The protocol describes the format of (a) a request sent to a time-stamp authority and (b) the response that is returned containing a time stamp. The authority creates the stamp by

教程:协议描述了(a)发送给时间戳机构的请求和(b)返回的包含时间戳的响应的格式。管理局通过以下方式创建印章:

concatenating (a) a hash value of the input data object with (b) a UTC time value and other parameters (policy OID, serial number, indication of time accuracy, nonce, DN of the authority, and various extensions), and then signing that dataset with the authority's private key as specified in CMS. Such an authority typically would operate as a trusted third-party service, but other operational models might be used.

将(a)输入数据对象的哈希值与(b)UTC时间值和其他参数(策略OID、序列号、时间精度指示、nonce、权限DN和各种扩展)连接起来,然后使用CMS中指定的权限私钥对该数据集进行签名。这样的机构通常会作为可信的第三方服务运行,但也可以使用其他运行模式。

$ timing channel (I) See: covert timing channel.

$ 定时通道(I)见:隐蔽定时通道。

$ TKEY (I) A mnemonic referring to an Internet protocol (RFC 2930) for establishing a shared secret key between a DNS resolver and a DNS name server. (See: TSIG.)

$ TKEY(I)指互联网协议(RFC 2930)的助记符,用于在DNS解析程序和DNS名称服务器之间建立共享密钥。(见:TSIG)

$ TLS (I) See: Transport Layer Security.

$ TLS(I)参见:传输层安全。

$ TLSP (N) See: Transport Layer Security Protocol.

$ TLSP(N)请参阅:传输层安全协议。

$ TOE (N) See: target of evaluation.

$ TOE(N)见:评估目标。

$ token 1. (I) /cryptography/ See: cryptographic token. (Compare: dongle.)

$ 令牌1。(一) /cryptography/请参阅:加密令牌。(比较:加密狗。)

2. (I) /access control/ An object that is used to control access and is passed between cooperating entities in a protocol that synchronizes use of a shared resource. Usually, the entity that currently holds the token has exclusive access to the resource. (See: capability token.)

2. (一) /access control/用于控制访问的对象,在同步共享资源使用的协议中在协作实体之间传递。通常,当前持有令牌的实体具有对资源的独占访问权。(请参阅:功能令牌。)

Usage: This term is heavily overloaded in the computing literature; therefore, IDOCs SHOULD NOT use this term with any definition other than 1 or 2.

用法:这个术语在计算文献中被严重重载;因此,IDOC不应将此术语与1或2以外的任何定义一起使用。

3a. (D) /authentication/ A data object or a physical device used to verify an identity in an authentication process.

3a。(D) /authentication/用于在身份验证过程中验证身份的数据对象或物理设备。

3b. (D) /U.S. Government/ Something that the claimant in an authentication process (i.e., the entity that claims an identity) possesses and controls, and uses to prove the claim during the verification step of the process. [SP63]

3b。(D) /美国政府/认证过程中索赔人(即声称身份的实体)拥有和控制的物品,并在认证过程的验证步骤中用于证明索赔。[SP63]

Deprecated usage: IDOCs SHOULD NOT use this term with definitions 3a and 3b; instead, use more specifically descriptive and

不推荐使用:IDOCs不应在定义3a和3b时使用该术语;相反,使用更具体的描述性和

informative terms such as "authentication information" or "cryptographic token", depending on what is meant.

信息性术语,如“身份验证信息”或“加密令牌”,取决于其含义。

NIST defines four types of claimant tokens for electronic authentication in an information system [SP63]. IDOCs SHOULD NOT use these four NIST terms; they mix concepts in potentially confusing ways and duplicate the meaning of better-established terms. These four terms can be avoided by using more specifically descriptive terms as follows: - NIST "hard token": A hardware device that contains a protected cryptographic key. (This is a type of "cryptographic token", and the key is a type of "authentication information".) - NIST "one-time password device token": A personal hardware device that generates one-time passwords. (One-time passwords are typically generated cryptographically. Therefore, this is a type of "cryptographic token", and the key is a type of "authentication information".) - NIST "soft token": A cryptographic key that typically is stored on disk or some other magnetic media. (The key is a type of "authentication information"; "authentication key" would be a better description.) - NIST "password token": A secret data value that the claimant memorizes. (This is a "password" that is being used as "authentication information".)

NIST为信息系统中的电子认证定义了四种类型的索赔令牌[SP63]。IDOC不应使用这四个NIST术语;它们以可能令人困惑的方式混合概念,并复制更好的术语的含义。这四个术语可以通过使用以下更具体的描述性术语来避免:-NIST“硬令牌”:包含受保护加密密钥的硬件设备。(这是一种“加密令牌”,密钥是一种“身份验证信息”)-NIST“一次性密码设备令牌”:生成一次性密码的个人硬件设备。(一次性密码通常以加密方式生成。因此,这是一种“加密令牌”,密钥是一种“身份验证信息”)-NIST“软令牌”:通常存储在磁盘或其他一些磁性介质上的加密密钥。(密钥是一种“身份验证信息”;“身份验证密钥”是更好的描述。)-NIST“密码令牌”:索赔人记忆的秘密数据值。(这是用作“身份验证信息”的“密码”。)

$ token backup (I) A token management operation that stores sufficient information in a database (e.g., in a CAW) to recreate or restore a security token (e.g., a smart card) if it is lost or damaged.

$ 令牌备份(I)一种令牌管理操作,在数据库(如CAW)中存储足够的信息,以便在安全令牌(如智能卡)丢失或损坏时重新创建或恢复安全令牌。

$ token copy (I) A token management operation that copies all the personality information from one security token to another. However, unlike in a token restore operation, the second token is initialized with its own, different local security values such as PINs and storage keys.

$ 令牌复制(I)一种令牌管理操作,将所有个性信息从一个安全令牌复制到另一个安全令牌。但是,与令牌还原操作不同,第二个令牌使用其自己的、不同的本地安全值(如PIN和存储密钥)进行初始化。

$ token management (I) The process that includes initializing security tokens (e.g., "smart card"), loading data into the tokens, and controlling the tokens during their lifecycle. May include performing key management and certificate management functions; generating and installing PINs; loading user personality data; performing card backup, card copy, and card restore operations; and updating firmware.

$ 令牌管理(I)包括初始化安全令牌(例如,“智能卡”)、将数据加载到令牌以及在令牌生命周期内控制令牌的过程。可能包括执行密钥管理和证书管理功能;生成和安装销钉;加载用户个性数据;执行卡备份、卡复制和卡还原操作;以及更新固件。

$ token restore (I) A token management operation that loads a security token with data for the purpose of recreating (duplicating) the contents previously held by that or another token. (See: recovery.)

$ 令牌还原(I)一种令牌管理操作,它使用数据加载安全令牌,以便重新创建(复制)该令牌或另一令牌先前持有的内容。(见:恢复。)

$ token storage key (I) A cryptographic key used to protect data that is stored on a security token.

$ 令牌存储密钥(I)用于保护存储在安全令牌上的数据的加密密钥。

$ top CA (I) Synonym for "root" in a certification hierarchy. (See: apex trust anchor.)

$ 证书层次结构中“根”的顶级CA(I)同义词。(请参阅:apex trust anchor。)

$ top-level specification (I) "A non-procedural description of system behavior at the most abstract level; typically a functional specification that omits all implementation details." [NCS04] (See: formal top-level specification, Tutorial under "security policy".)

$ 顶层规范(I)“在最抽象的层次上对系统行为的非过程性描述;通常是省略所有实现细节的功能规范。”[NCS04](参见:正式顶层规范,教程“安全策略”下)

Tutorial: A top-level specification is at a level of abstraction below "security model" and above "security architecture" (see: Tutorial under "security policy").

教程:顶级规范在“安全模型”之下和“安全体系结构”之上的抽象级别上(请参阅“安全策略”下的教程)。

A top-level specification may be descriptive or formal: - "Descriptive top-level specification": One that is written in a natural language like English or an informal design notation. - "Formal top-level specification": One that is written in a formal mathematical language to enable theorems to be proven that show that the specification correctly implements a set of formal requirements or a formal security model. (See: correctness proof.)

顶级规范可以是描述性的或正式的:-“描述性顶级规范”:用自然语言(如英语)或非正式设计符号编写的规范。-“正式顶层规范”:用正式数学语言编写的规范,用于证明定理,证明规范正确实现了一组正式需求或正式安全模型。(请参阅:正确性证明。)

$ TPM (N) See: Trusted Platform Module.

$ TPM(N)请参阅:受信任的平台模块。

$ traceback (I) Identification of the source of a data packet. (See: masquerade, network weaving.)

$ 回溯(I)识别数据包的来源。(请参见:伪装、网络编织。)

$ tracker (N) An attack technique for achieving unauthorized disclosure from a statistical database. [Denns] (See: Tutorial under "inference control".)

$ tracker(N)一种攻击技术,用于从统计数据库中获取未经授权的泄露信息。[Denns](参见“推理控制”下的教程)

$ traffic analysis 1. (I) Gaining knowledge of information by inference from observable characteristics of a data flow, even if the information is not directly available (e.g., when the data is encrypted).

$ 交通分析1。(一) 通过从数据流的可观察特征推断获得信息的知识,即使信息不是直接可用的(例如,当数据被加密时)。

These characteristics include the identities and locations of the source(s) and destination(s) of the flow, and the flow's presence, amount, frequency, and duration of occurrence. The object of the analysis might be information in SDUs, information in the PCI, or both. (See: inference, traffic-flow confidentiality, wiretapping. Compare: signal analysis.)

这些特征包括流的源和目的地的身份和位置,以及流的存在、数量、频率和持续时间。分析的对象可能是SDU中的信息,也可能是PCI中的信息,或者两者兼而有之。(参见:推断、交通流保密、窃听。比较:信号分析。)

2. (O) "The inference of information from observation of traffic flows (presence, absence, amount, direction, and frequency)." [I7498-2]

2. (O) “通过观察交通流(存在、不存在、数量、方向和频率)推断信息。”[I7498-2]

$ traffic-flow analysis (I) Synonym for "traffic analysis".

$ 交通流分析(I)“交通分析”的同义词。

$ traffic-flow confidentiality (TFC) 1. (I) A data confidentiality service to protect against traffic analysis. (See: communications cover.)

$ 交通流保密(TFC)1。(一) 一种数据保密服务,用于防止流量分析。(参见:通讯封面。)

2. (O) "A confidentiality service to protect against traffic analysis." [I7498-2]

2. (O) “防止流量分析的保密服务。”[I7498-2]

Tutorial: Confidentiality concerns involve both direct and indirect disclosure of data, and the latter includes traffic analysis. However, operational considerations can make TFC difficult to achieve. For example, if Alice sends a product idea to Bob in an email message, she wants data confidentiality for the message's content, and she might also want to conceal the destination of the message to hide Bob's identity from her competitors. However, the identity of the intended recipient, or at least a network address for that recipient, needs to be made available to the mail system. Thus, complex forwarding schemes may be needed to conceal the ultimate destination as the message travels through the open Internet (see: onion routing).

教程:保密问题涉及数据的直接和间接披露,后者包括流量分析。然而,运营方面的考虑可能使TFC难以实现。例如,如果Alice在电子邮件中向Bob发送了一个产品创意,她希望消息内容的数据保密,并且她可能还希望隐藏消息的目的地,以向竞争对手隐藏Bob的身份。但是,需要向邮件系统提供预期收件人的身份,或者至少是该收件人的网络地址。因此,可能需要复杂的转发方案来隐藏消息在开放互联网上传输时的最终目的地(参见:洋葱路由)。

Later, if Alice uses an ATM during a clandestine visit to negotiate with Bob, she might prefer that her bank conceal the origin of her transaction, because knowledge of the ATM's location might allow a competitor to infer Bob's identity. The bank, on the other hand, might prefer to protect only Alice's PIN (see: selective-field confidentiality).

后来,如果Alice在秘密访问期间使用ATM机与Bob进行谈判,她可能更希望她的银行隐瞒她的交易来源,因为知道ATM机的位置可能会让竞争对手推断Bob的身份。另一方面,银行可能更愿意只保护Alice的PIN(参见:选择性字段保密)。

A TFC service can be either full or partial: - "Full TFC": This type of service conceals all traffic characteristics. - "Partial TFC": This type of service either (a) conceals some but not all of the characteristics or (b) does not completely conceal some characteristic.

TFC服务可以是完全或部分:-“完全TFC”:这种类型的服务隐藏所有流量特征。-“部分TFC”:这类服务要么(a)隐藏部分但不是全部特征,要么(b)不完全隐藏某些特征。

On point-to-point data links, full TFC can be provided by enciphering all PDUs and also generating a continuous, random data stream to seamlessly fill all gaps between PDUs. To a wiretapper, the link then appears to be carrying an unbroken stream of enciphered data. In other cases -- including on a shared or broadcast medium, or end-to-end in a network -- only partial TFC is possible, and that may require a combination of techniques. For example, a LAN that uses "carrier sense multiple access with collision detection" (CSMA/CD; a.k.a. "listen while talk") to control access to the medium, relies on detecting intervals of silence, which prevents using full TFC. Partial TFC can be provided on that LAN by measures such as adding spurious PDUs, padding PDUs to a constant size, or enciphering addresses just above the Physical Layer; but these measures reduce the efficiency with which the LAN can carry traffic. At higher protocol layers, SDUs can be protected, but addresses and other items of PCI must be visible at the layers below.

在点对点数据链路上,可以通过加密所有PDU并生成连续、随机的数据流来无缝地填补PDU之间的所有空白,从而提供完整的TFC。对窃听者来说,这个链接似乎承载着一个完整的加密数据流。在其他情况下——包括在共享或广播媒体上,或在网络中端到端——只可能实现部分TFC,这可能需要多种技术的组合。例如,使用“带冲突检测的载波侦听多址访问”(CSMA/CD;又称“边听边谈”)来控制对介质访问的LAN依赖于检测静默间隔,这会阻止使用全TFC。通过添加虚假PDU、将PDU填充为恒定大小或加密物理层上方的地址等措施,可以在该LAN上提供部分TFC;但这些措施降低了局域网承载流量的效率。在更高的协议层,SDU可以受到保护,但地址和PCI的其他项必须在下面的层可见。

$ traffic key (I) A cryptographic key used by a device for protecting information that is being transmitted between devices, as opposed to protecting information that being is maintained in the device. (Compare: storage key.)

$ 流量密钥(I)设备使用的加密密钥,用于保护设备之间传输的信息,而不是保护设备中维护的信息。(比较:存储密钥。)

$ traffic padding (I) "The generation of spurious instances of communication, spurious data units, and/or spurious data within data units." [I7498-2]

$ 流量填充(I)“通信、虚假数据单元和/或数据单元内虚假数据的生成。”[I7498-2]

$ tranquility property (N) /formal model/ Property of a system whereby the security level of an object cannot change while the object is being processed by the system. (See: Bell-LaPadula model.)

$ 宁静属性(N)/系统的正式模型/属性,在系统处理对象时,对象的安全级别不能改变。(见:贝尔-拉帕杜拉模型。)

$ transaction 1. (I) A unit of interaction between an external entity and a system, or between components within a system, that involves a series of system actions or events.

$ 交易1。(一) 外部实体与系统之间或系统内组件之间的交互单元,涉及一系列系统动作或事件。

2. (O) "A discrete event between user and systems that supports a business or programmatic purpose." [M0404]

2. (O) “支持业务或编程目的的用户和系统之间的离散事件。”[M0404]

Tutorial: To maintain secure state, transactions need to be processed coherently and reliably. Usually, they need to be designed to be atomic, consistent, isolated, and durable [Gray]: - "Atomic": All actions and events that comprise the transaction are guaranteed to be completed successfully, or else the result is as if none at all were executed.

教程:为了维护安全状态,需要连贯可靠地处理事务。通常,它们需要被设计成原子的、一致的、隔离的和持久的[Gray]:-“原子的”:组成事务的所有操作和事件都保证成功完成,否则结果就好像根本没有执行过一样。

- "Consistent": The transaction satisfies correctness constraints defined for the data that is being processed. - "Isolated": If two transactions are performed concurrently, they do not interfere with each other, and it appears as though the system performs one at a time. - "Durable": System state and transaction semantics survive system failures.

- “一致”:事务满足为正在处理的数据定义的正确性约束。-“隔离”:如果两个事务同时执行,它们不会相互干扰,并且看起来系统一次执行一个事务。-“持久”:系统状态和事务语义在系统故障后仍然有效。

$ TRANSEC (I) See: transmission security.

$ TRANSEC(I)见:传输安全。

$ Transmission Control Code field (TCC field) (I) A data field that provides a means to segregate traffic and define controlled communities of interest in the security option (option type = 130) of IPv4's datagram header format. The TCC values are alphanumeric trigraphs assigned by the U.S. Government as specified in RFC 791.

$ 传输控制代码字段(TCC字段)(I)一个数据字段,提供了一种隔离通信量的方法,并在IPv4数据报报头格式的安全选项(选项类型=130)中定义了感兴趣的受控社区。TCC值为RFC 791中规定的美国政府指定的字母数字三角图。

$ Transmission Control Protocol (TCP) (I) An Internet Standard, Transport-Layer protocol (RFC 793) that reliably delivers a sequence of datagrams from one computer to another in a computer network. (See: TCP/IP.)

$ 传输控制协议(TCP)(I)一种因特网标准,传输层协议(RFC 793),在计算机网络中可靠地将一系列数据报从一台计算机传送到另一台计算机。(请参阅:TCP/IP。)

Tutorial: TCP is designed to fit into a layered suite of protocols that support internetwork applications. TCP assumes it can obtain a simple but potentially unreliable end-to-end datagram service (such as IP) from the lower-layer protocols.

教程:TCP被设计成一套支持互联网应用程序的分层协议。TCP假定它可以从较低层协议获得简单但可能不可靠的端到端数据报服务(如IP)。

$ transmission security (TRANSEC) (I) COMSEC measures that protect communications from interception and exploitation by means other than cryptanalysis. Example: frequency hopping. (Compare: anti-jam, traffic flow confidentiality.)

$ 传输安全(TRANSEC)(I)通信安全措施,保护通信不被截获和利用,而不是通过密码分析。例如:跳频。(比较:防堵塞、交通流保密)

$ Transport Layer See: Internet Protocol Suite, OSIRM.

$ 传输层请参阅:互联网协议套件,OSIRM。

$ Transport Layer Security (TLS) (I) TLS is an Internet protocol [R4346] that is based on, and very similar to, SSL Version 3.0. (Compare: TLSP.)

$ 传输层安全(TLS)(I)TLS是一种基于SSL版本3.0的互联网协议[R4346]。(比较:TLSP。)

Tutorial: The TLS protocol is misnamed. The name misleadingly suggests that TLS is situated in the IPS Transport Layer, but TLS is always layered above a reliable Transport-Layer protocol (usually TCP) and either layered immediately below or integrated with an Application-Layer protocol (often HTTP).

教程:TLS协议命名错误。该名称误导性地暗示TLS位于IPS传输层,但TLS总是在可靠传输层协议(通常为TCP)之上分层,或者直接在其之下分层,或者与应用层协议(通常为HTTP)集成。

$ Transport Layer Security Protocol (TLSP) (N) An end-to-end encryption protocol (ISO 10736) that provides security services at the bottom of OSIRM Layer 4, i.e., directly above Layer 3. (Compare: TLS.)

$ 传输层安全协议(TLSP)(N):一种端到端加密协议(ISO 10736),在OSIRM第4层的底部,即第3层的正上方提供安全服务。(比较:TLS。)

Tutorial: TLSP evolved directly from SP4.

教程:TLSP直接从SP4演变而来。

$ transport mode (I) One of two ways to apply AH or ESP to protect data packets; in this mode, the IPsec protocol encapsulates (i.e., the protection applies to) the packets of an IPS Transport-Layer protocol (e.g., TCP, UDP), which normally is carried directly above IP in an IPS protocol stack. (Compare: tunnel mode.)

$ 传输模式(I)应用AH或ESP保护数据包的两种方法之一;在此模式下,IPsec协议封装(即,保护适用于)IPS传输层协议(例如,TCP、UDP)的数据包,该数据包通常直接在IPS协议栈中的IP之上传输。(比较:隧道模式。)

Tutorial: An IPsec transport-mode security association is always between two hosts; neither end has the role of a security gateway. Whenever either end of an IPsec security association is a security gateway, the association is required to be in tunnel mode.

教程:IPsec传输模式安全关联始终位于两台主机之间;两端都没有安全网关的角色。每当IPsec安全关联的任意一端是安全网关时,该关联都需要处于隧道模式。

$ transposition (I) /cryptography/ A method of encryption in which elements of the plain text retain their original form but undergo some change in their sequential position. (Compare: substitution.)

$ 转置(I)/密码学/一种加密方法,其中纯文本元素保留其原始形式,但其顺序位置发生一些变化。(比较:替换。)

$ trap door (I) Synonym for "back door".

$ 活板门(I)“后门”的同义词。

$ trespass (I) /threat action/ See: secondary definition under "intrusion".

$ 侵入(I)/威胁行动/见“侵入”下的二级定义。

$ Triple Data Encryption Algorithm (I) A block cipher that transforms each 64-bit plaintext block by applying the DEA three successive times, using either two or three different keys for an effective key length of 112 or 168 bits. [A9052, SP67]

$ 三重数据加密算法(I)一种分组密码,通过连续三次应用DEA对每个64位明文块进行转换,使用两个或三个不同的密钥,有效密钥长度为112或168位。[A9052,SP67]

Example: A variation proposed for IPsec's ESP uses a 168-bit key, consisting of three independent 56-bit values used by the DEA, and a 64-bit initialization vector. Each datagram contains an IV to ensure that each received datagram can be decrypted even when other datagrams are dropped or a sequence of datagrams is reordered in transit. [R1851]

示例:为IPsec的ESP提出的一种变体使用168位密钥,由DEA使用的三个独立的56位值和一个64位初始化向量组成。每个数据报都包含一个IV,以确保即使在传输过程中丢弃其他数据报或对数据报序列重新排序时,每个接收到的数据报也可以解密。[R1851]

$ triple-wrapped (I) /S-MIME/ Data that has been signed with a digital signature, then encrypted, and then signed again. [R2634]

$ 三重包装(I)/S-MIME/数据,已使用数字签名签名,然后加密,然后再次签名。[R2634]

$ Trojan horse (I) A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. (See: malware, spyware. Compare: logic bomb, virus, worm.)

$ 特洛伊木马(I)一种计算机程序,它似乎具有有用的功能,但也具有隐藏的和潜在的恶意功能,可以逃避安全机制,有时可以利用调用该程序的系统实体的合法授权。(请参阅:恶意软件、间谍软件。比较:逻辑炸弹、病毒、蠕虫。)

$ trust 1. (I) /information system/ A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system will not fail or (b) that the system meets its specifications (i.e., the system does what it claims to do and does not perform unwanted functions). (See: trust level, trusted system, trustworthy system. Compare: assurance.)

$ 信任1。(一) /信息系统/一种确定感(有时基于非决定性证据)(A)系统不会出现故障或(b)系统符合其规范(即,系统执行其声称的功能,不执行不需要的功能)。(请参阅:信任级别、受信任系统、可信任系统。比较:保证。)

Tutorial: Components of a system can be grouped into three classes of trust [Gass]: - "Trusted": The component is responsible for enforcing security policy on other components; the system's security depends on flawless operation of the component. (See: trusted process.) - "Benign": The component is not responsible for enforcing security policy, but it has sensitive authorizations. It must be trusted not to intentionally violate security policy, but security violations are assumed to be accidental and not likely to affect overall system security. - "Untrusted": The component is of unknown or suspicious provenance and must be treated as deliberately malicious. (See: malicious logic.)

教程:系统的组件可以分为三类信任[Gass]:-“受信任”:该组件负责在其他组件上强制实施安全策略;系统的安全性取决于组件的完美运行。(请参阅:trusted process。)-“良性”:该组件不负责强制执行安全策略,但具有敏感授权。必须相信它不会故意违反安全策略,但安全违规被认为是偶然的,不太可能影响整个系统的安全。-“不可信”:组件来源不明或可疑,必须被视为故意恶意。(请参阅:恶意逻辑。)

2. (I) /PKI/ A relationship between a certificate user and a CA in which the user acts according to the assumption that the CA creates only valid digital certificates.

2. (一) /PKI/证书用户和CA之间的关系,其中用户根据CA仅创建有效数字证书的假设进行操作。

Tutorial: "Generally, an entity is said to 'trust' a second entity when the first entity makes the assumption that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. The key role of trust in [X.509] is to describe the relationship between an entity [i.e., a certificate user] and a [CA]; an entity shall be certain that it can trust the CA to create only valid and reliable certificates." [X509]

教程:“通常,当第一个实体假设第二个实体的行为完全符合第一个实体的预期时,该实体被称为‘信任’第二个实体。这种信任可能仅适用于某些特定功能。[X.509]中信任的关键作用是描述实体[即证书用户]之间的关系以及[CA];实体应确保其可以信任CA仅创建有效和可靠的证书。”[X509]

$ trust anchor (I) /PKI/ An established point of trust (usually based on the authority of some person, office, or organization) from which a certificate user begins the validation of a certification path. (See: apex trust anchor, path validation, trust anchor CA, trust anchor certificate, trust anchor key.)

$ 信任锚(I)/PKI/已建立的信任点(通常基于某个人、办公室或组织的权限),证书用户从该信任点开始验证证书路径。(请参阅:apex信任锚、路径验证、信任锚CA、信任锚证书、信任锚密钥。)

Usage: IDOCs that use this term SHOULD state a definition for it because it is used in various ways in existing IDOCs and other PKI literature. The literature almost always uses this term in a sense that is equivalent to this definition, but usage often differs with regard to what constitutes the point of trust.

用法:使用此术语的IDOC应说明其定义,因为它在现有IDOC和其他PKI文献中以各种方式使用。文献中几乎总是在相当于这个定义的意义上使用这个术语,但是对于什么构成信任点,用法往往不同。

Tutorial: A trust anchor may be defined as being based on a public key, a CA, a public-key certificate, or some combination or variation of those:

教程:信任锚可以定义为基于公钥、CA、公钥证书或以下各项的组合或变体:

- 1. A public key as a point of trust: Although a certification path is defined as beginning with a "sequence of public-key certificates", an implementation of a path validation process might not explicitly handle a root certificate as part of the path, but instead begin the process by using a trusted root key to verify the signature on a certificate that was issued by the root.

- 1.公钥作为信任点:尽管认证路径定义为以“公钥证书序列”开头,但路径验证过程的实现可能不会显式地将根证书作为路径的一部分来处理,而是通过使用受信任的根密钥来验证根颁发的证书上的签名来开始该过程。

Therefore, "trust anchor" is sometimes defined as just a public key. (See: root key, trust anchor key, trusted key.)

因此,“信任锚”有时被定义为一个公钥。(请参阅:根密钥、信任锚密钥、受信任密钥。)

- 2. A CA as a point of trust: A trusted public key is just one of the data elements needed for path validation; the IPS path validation algorithm [R3280] also needs the name of the CA to which that key belongs, i.e., the DN of the issuer of the first X.509 certificate to be validated on the path. (See: issue.)

- 2.CA作为信任点:受信任的公钥只是路径验证所需的数据元素之一;IPS路径验证算法[R3280]还需要该密钥所属CA的名称,即要在路径上验证的第一个X.509证书的颁发者的DN。(见:问题)

Therefore, "trust anchor" is sometimes defined as either just a CA (where some public key is implied) or as a CA together with a specified public key belonging to that CA. (See: root, trust anchor CA, trusted CA.)

因此,“信任锚”有时被定义为一个CA(其中隐含一些公钥),或者是一个CA以及属于该CA的指定公钥(请参阅:根、信任锚CA、受信任CA)

Example: "A public key and the name of a [CA] that is used to validate the first certificate in a sequence of certificates. The trust anchor public key is used to verify the signature on a certificate issued by a trust anchor [CA]." [SP57]

示例:“用于验证证书序列中第一个证书的公钥和[CA]名称。信任锚公钥用于验证信任锚[CA]颁发的证书上的签名。”[SP57]

- 3. A public-key certificate as a point of trust: Besides the trusted CA's public key and name, the path validation algorithm needs to know the digital signature algorithm and any associated parameters with which the public key is used, and also any constraints that have been placed on the set of paths that may be validated using the key. All of this information is available from a CA's public-key certificate.

- 3.作为信任点的公钥证书:除了受信任CA的公钥和名称外,路径验证算法还需要知道数字签名算法和使用公钥的任何相关参数,以及可能使用密钥验证的路径集上的任何约束。所有这些信息都可以从CA的公钥证书中获得。

Therefore, "trust anchor" is sometimes defined as a public-key certificate of a CA. (See: root certificate, trust anchor certificate, trusted certificate.)

因此,“信任锚”有时被定义为CA的公钥证书(请参阅:根证书、信任锚证书、受信任证书)

- 4. Combinations: Combinations and variations of the first three definitions are also used in the PKI literature.

- 4.组合:PKI文献中也使用了前三个定义的组合和变体。

Example: "trust anchor information". The IPS standard for path validation [R3280] specifies the information that describes "a CA that serves as a trust anchor for the certification path. The trust anchor information includes: (a) the trusted issuer name, (b) the trusted public key algorithm, (c) the trusted public key, and (d) optionally, the trusted public key parameters associated with the public key. The trust anchor information may be provided to the path processing procedure in the form of a self-signed certificate. The trusted anchor information is trusted because it was delivered to the path processing procedure by some trustworthy out-of-band procedure. If the trusted public key algorithm requires parameters, then the parameters are provided along with the trusted public key."

示例:“信任锚信息”。IPS路径验证标准[R3280]指定了描述“作为认证路径信任锚的CA”的信息。信任锚信息包括:(a)受信任的颁发者名称,(b)受信任的公钥算法,(c)受信任的公钥,以及(d)(可选)与公钥关联的受信任公钥参数。可以以自签名证书的形式将信任锚信息提供给路径处理过程。受信任锚信息是受信任的,因为它是由某个可信的带外过程传递给路径处理过程的。如果可信公钥算法需要参数,然后随可信公钥一起提供参数。”

$ trust anchor CA (I) A CA that is the subject of a trust anchor certificate or otherwise establishes a trust anchor key. (See: root, trusted CA.)

$ 信任锚CA(I)作为信任锚证书的主体或以其他方式建立信任锚密钥的CA。(请参阅:root,受信任的CA)

Tutorial: The selection of a CA to be a trust anchor is a matter of policy. Some of the possible choices include (a) the top CA in a hierarchical PKI, (b) the CA that issued the verifier's own certificate, or (c) any other CA in a network PKI. Different applications may rely on different trust anchors, or may accept paths that begin with any of a set of trust anchors. The IPS path validation algorithm is the same, regardless of the choice.

教程:选择CA作为信任锚是一个策略问题。一些可能的选择包括(a)分层PKI中的顶级CA,(b)颁发验证者自己证书的CA,或(c)网络PKI中的任何其他CA。不同的应用程序可能依赖于不同的信任锚,或者可能接受以一组信任锚中的任何一个开始的路径。无论选择什么,IPS路径验证算法都是相同的。

$ trust anchor certificate (I) A public-key certificate that is used to provide the first public key in a certification path. (See: root certificate, trust anchor, trusted certificate.)

$ 信任锚证书(I)用于提供证书路径中的第一个公钥的公钥证书。(请参阅:根证书、信任锚点、受信任证书。)

$ trust anchor key (I) A public key that is used as the first public key in a certification path. (See: root key, trust anchor, trusted public key.)

$ 信任锚密钥(I)用作证书路径中第一个公钥的公钥。(请参阅:根密钥、信任锚点、受信任公钥。)

$ trust anchor information (I) See: secondary definition under "trust anchor".

$ 信任锚信息(I)参见“信任锚”下的二级定义。

$ trust chain (D) Synonym for "certification path". (See: trust anchor, trusted certificate.)

$ 信任链(D)是“认证路径”的同义词。(请参阅:信任锚、受信任证书。)

Deprecated Term: IDOCs SHOULD NOT use this term, because it unnecessarily duplicates the meaning of the internationally standardized term.

不推荐使用的术语:IDOCs不应使用此术语,因为它不必要地重复了国际标准术语的含义。

Also, the term mixes concepts in a potentially misleading way. Having "trust" involves factors unrelated to simply verifying signatures and performing other tests as specified by a standard algorithm for path validation (e.g., RFC 3280). Thus, even if a user is able to validate a certification path algorithmically, the user still might distrust one of the CAs that issued certificates in that path or distrust some other aspects of the PKI.

此外,该术语以潜在误导的方式混合了概念。拥有“信任”涉及与简单验证签名和执行路径验证标准算法(如RFC 3280)规定的其他测试无关的因素。因此,即使用户能够通过算法验证证书路径,用户仍然可能不信任在该路径中颁发证书的ca之一,或者不信任PKI的某些其他方面。

$ trust-file PKI (I) A non-hierarchical PKI in which each certificate user has its own local file (which is used by application software) of trust anchors, i.e., either public keys or public-key certificates that the user trusts as starting points for certification paths. (See: trust anchor, web of trust. Compare: hierarchical PKI, mesh PKI.)

$ 信任文件PKI(I)一种非分层PKI,其中每个证书用户都有自己的信任锚本地文件(由应用程序软件使用),即用户信任的公钥或公钥证书作为认证路径的起点。(请参阅:信任锚、信任网。比较:层次PKI、网状PKI。)

Example: Popular browsers are distributed with an initial file of trust anchor certificates, which often are self-signed certificates. Users can add certificates to the file or delete from it. The file may be directly managed by the user, or the user's organization may manage it from a centralized server.

示例:流行的浏览器分布有信任锚证书的初始文件,这些证书通常是自签名证书。用户可以向文件中添加证书或从中删除证书。该文件可以由用户直接管理,或者用户的组织可以从集中式服务器进行管理。

$ trust hierarchy (D) Synonym for "certification hierarchy".

$ 信任层次结构(D)是“证书层次结构”的同义词。

Deprecated Usage: IDOCs SHOULD NOT use this term because it mixes concepts in a potentially misleading way, and because a trust hierarchy could be implemented in other ways. (See: trust, trust chain, web of trust.)

不推荐使用:IDOCs不应该使用这个术语,因为它以一种潜在的误导方式混合了概念,并且因为信任层次结构可以用其他方式实现。(请参见:信任、信任链、信任网。)

$ trust level (N) A characterization of a standard of security protection to be met by an information system. (See: Common Criteria, TCSEC.)

$ 信任级别(N):信息系统要达到的安全保护标准的特征。(参见:通用标准,TCSEC)

Tutorial: A trust level is based not only on (a) the presence of security mechanisms, but also on the use of (b) systems engineering discipline to properly structure the system and (c) implementation analysis to ensure that the system provides an appropriate degree of trust.

教程:信任级别不仅基于(A)安全机制的存在,还基于(b)系统工程规程的使用,以正确构建系统和(c)实现分析,以确保系统提供适当程度的信任。

$ trusted (I) See: secondary definition under "trust".

$ 受信任(I)参见“信任”下的第二个定义。

$ trusted CA (I) A CA upon which a certificate user relies as issuing valid certificates; especially a CA that is used as a trust anchor CA. (See: certification path, root, trust anchor CA, validation.)

$ 可信CA(I)证书用户在颁发有效证书时所依赖的CA;特别是用作信任锚CA的CA(请参阅:证书路径、根、信任锚CA、验证)

Tutorial. This trust is transitive to the extent that the X.509 certificate extensions permit; that is, if a trusted CA issues a certificate to another CA, a user that trusts the first CA also trusts the second CA if the user succeeds in validating the certificate path (see: path validation).

辅导的在X.509证书扩展允许的范围内,该信托是可转让的;也就是说,如果受信任的CA向另一个CA颁发证书,那么如果用户成功验证证书路径,则信任第一个CA的用户也信任第二个CA(请参阅:路径验证)。

$ trusted certificate (I) A digital certificate that a certificate user accepts as being valid "a priori", i.e., without testing the certificate to validate it as the final certificate on a certification path; especially a certificate that is used as a trust anchor certificate. (See: certification path, root certificate, trust anchor certificate, trust-file PKI, validation.)

$ 可信证书(I)证书用户“先验”接受为有效的数字证书,即不测试证书以验证其为证书路径上的最终证书;特别是用作信任锚证书的证书。(请参阅:证书路径、根证书、信任锚证书、信任文件PKI、验证。)

Tutorial: The acceptance of a certificate as trusted is a matter of policy and choice. Usually, a certificate is accepted as trusted because the user obtained it by reliable, out-of-band means that cause the user to believe the certificate accurately binds its subject's name to the subject's public key or other attribute values. Many choices are possible; e.g., a trusted public-key certificate might be (a) the root certificate in a hierarchical PKI, (b) the certificate of the CA that issued the user's own certificate in a mesh PKI, or (c) a certificate provided with an application that uses a trust-file PKI.

教程:接受证书为受信任证书是一个策略和选择的问题。通常,证书被认为是可信的,因为用户通过可靠的带外方式获得证书,这会导致用户相信证书准确地将其使用者的姓名绑定到使用者的公钥或其他属性值。有许多选择是可能的;e、 例如,可信公钥证书可以是(a)分层PKI中的根证书,(b)在网状PKI中颁发用户自己证书的CA的证书,或者(c)与使用信任文件PKI的应用程序一起提供的证书。

$ Trusted Computer System Evaluation Criteria (TCSEC) (N) A standard for evaluating the security provided by operating systems [CSC1, DoD1]. Known as the "Orange Book" because of the color of its cover; first document in the Rainbow Series. (See: Common Criteria, Deprecated Usage under "Green Book", Orange Book, trust level, trusted system. Compare: TSEC.)

$ 可信计算机系统评估标准(TCSEC)(N)用于评估操作系统提供的安全性的标准[CSC1,DoD1]。因封面颜色而被称为“橙色书”;彩虹系列的第一个文档。(请参阅:通用标准,“绿皮书”下的不推荐用法、橘皮书、信任级别、受信任系统。比较:TSEC。)

Tutorial: The TCSEC defines classes of hierarchically ordered assurance levels for rating computer systems. From highest to lowest, the classes are as follows: - Division A: Verified protection. Beyond A1 Beyond current technology. (See: beyond A1.) Class A1 Verified design. (See: SCOMP.) - Division B: Mandatory protection. Class B3 Security domains. Class B2 Structured protection. (See: Multics.) Class B1 Labeled security protection.

教程:TCSEC为计算机系统评级定义了分层有序的保证级别。从最高到最低,等级如下:-A部分:验证保护。超越A1,超越当前技术。(参见:超越A1。)A1级验证设计。(参见:SCOMP)-B部分:强制性保护。B3类安全域。B2类结构化保护。(参见:Multics.)B1级标记为安全保护。

- Division C: Discretionary protection. Class C2 Controlled access protection. Class C1 Discretionary security protection. - Division D: Minimal protection, i.e., has been evaluated but does not meet the requirements for a higher evaluation class.

- C部分:酌情保护。C2类受控访问保护。C1类自由裁量安全保护。-D部分:最低保护,即已评估,但不符合更高评估等级的要求。

$ trusted computing base (TCB) (N) "The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy." [NCS04] (See: "trusted" under "trust". Compare: TPM.)

$ 可信计算基础(TCB)(N)“计算机系统内的所有保护机制,包括硬件、固件和软件,这些机制的组合负责实施安全策略。”[NCS04](请参阅“信任”下的“受信任”。比较:TPM。)

$ Trusted Computing Group (TCG) (N) A not-for-profit, industry standards organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. (See: TPM, trusted system. Compare: TSIG.)

$ Trusted Computing Group(TCG)(N)一个非营利的行业标准组织,旨在跨多个平台、外围设备和设备开发、定义和推广硬件支持的可信计算和安全技术的开放标准,包括硬件构建块和软件接口。(请参阅:TPM,受信任的系统。比较:TSIG。)

$ trusted distribution (I) /COMPUSEC/ "A trusted method for distributing the TCB hardware, software, and firmware components, both originals and updates, that provides methods for protecting the TCB from modification during distribution and for detection of any changes to the TCB that may occur." [NCS04] (See: code signing, configuration control.)

$ trusted distribution(I)/COMPUSEC/“分发TCB硬件、软件和固件组件(原件和更新件)的受信任方法,提供了在分发过程中保护TCB不受修改以及检测可能发生的TCB任何更改的方法。”[NCS04](请参阅:代码签名,配置控制。)

$ trusted key (D) Abbreviation for "trusted public key" and also for other types of keys. (See: root key, trust anchor key.)

$ 可信密钥(D)“可信公钥”的缩写,也用于其他类型的密钥。(请参见:根密钥、信任锚密钥。)

Deprecated Usage: IDOCs SHOULD either (a) state a definition for this term or (b) use a different, less ambiguous term. This term is ambiguous when it stands alone; e.g., it could refer to a trusted public key or to a private key or symmetric key that is believed to be secure (i.e., not compromised).

不推荐使用:IDOCs应该(a)说明此术语的定义,或者(b)使用不同的、不太含糊的术语。这一术语单独存在时是不明确的;e、 例如,它可以指可信公钥或被认为是安全的私钥或对称密钥(即,未泄露)。

$ trusted path 1a. (I) /COMPUSEC/ A mechanism by which a computer system user can communicate directly and reliably with the TCB and that can only be activated by the user or the TCB and cannot be imitated by untrusted software within the computer. [NCS04]

$ 可信路径1a。(一) /COMPUSEC/计算机系统用户可以直接可靠地与TCB通信的一种机制,该机制只能由用户或TCB激活,并且不能被计算机内不受信任的软件模仿。[NCS04]

1b. (I) /COMSEC/ A mechanism by which a person or process can communicate directly with a cryptographic module and that can only be activated by the person, process, or module, and cannot be imitated by untrusted software within the module. [FP140]

1b。(一) /COMSEC/一种机制,通过该机制,个人或进程可以直接与加密模块通信,并且只能由个人、进程或模块激活,并且不能被模块内不受信任的软件模仿。[FP140]

$ Trusted Platform Module (TPM) (N) The name of a specification, published by the TCG, for a microcontroller that can store secured information; and also the general name of implementations of that specification. (Compare: TCB.)

$ 可信平台模块(TPM)(N)TCG发布的微控制器规范名称,用于存储安全信息;以及该规范实现的通用名称。(比较:TCB。)

$ trusted process (I) A system component that has privileges that enable it to affect the state of system security and that can, therefore, through incorrect or malicious execution, violate the system's security policy. (See: privileged process, trusted system.)

$ 受信任进程(I)具有特权的系统组件,使其能够影响系统安全状态,因此,通过不正确或恶意执行,可以违反系统的安全策略。(请参阅:特权进程、受信任系统。)

$ trusted public key (I) A public key upon which a user relies; especially a public key that is used as a trust anchor key. (See: certification path, root key, trust anchor key, validation.)

$ 可信公钥(I)用户依赖的公钥;特别是用作信任锚密钥的公钥。(请参阅:证书路径、根密钥、信任锚密钥、验证。)

Tutorial: A trusted public key could be (a) the root key in a hierarchical PKI, (b) the key of the CA that issued the user's own certificate in a mesh PKI, or (c) any key accepted by the user in a trust-file PKI.

教程:受信任公钥可以是(A)分层PKI中的根密钥,(b)在网状PKI中颁发用户自己证书的CA的密钥,或者(c)用户在信任文件PKI中接受的任何密钥。

$ trusted recovery (I) A process that, after a system has experienced a failure or an attack, restores the system to normal operation (or to a secure state) without causing a security compromise. (See: recovery.)

$ 可信恢复(I)在系统发生故障或攻击后,将系统恢复到正常运行(或安全状态)而不会造成安全危害的过程。(见:恢复。)

$ trusted subnetwork (I) A subnetwork containing hosts and routers that trust each other not to engage in active or passive attacks. (There also is an assumption that the underlying communication channels, such as telephone lines or a LAN, are protected from attack.)

$ 可信子网(I)包含主机和路由器的子网,主机和路由器相互信任,不会进行主动或被动攻击。(还假设基础通信信道(如电话线或LAN)受到保护,不受攻击。)

$ trusted system 1. (I) /information system/ A system that operates as expected, according to design and policy, doing what is required -- despite environmental disruption, human user and operator errors, and attacks by hostile parties -- and not doing other things [NRC98]. (See: trust level, trusted process. Compare: trustworthy.)

$ 可信系统1。(一) /信息系统/根据设计和政策,按照预期运行的系统,尽管存在环境破坏、人为用户和操作员错误以及敌对方的攻击,但仍能完成所需任务,而不做其他事情[NRC98]。(请参阅:信任级别,受信任的进程。比较:可信。)

2. (N) /multilevel secure/ "A [trusted system is a] system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information." [NCS04] (See: multilevel security mode.)

2. (N) /multilevel secure/“受信任系统是一种采用足够的硬件和软件保证措施,允许同时处理一系列敏感或机密信息的系统。”[NCS04](请参阅:多级安全模式。)

$ Trusted Systems Interoperability Group (TSIG) (N) A forum of computer vendors, system integrators, and users devoted to promoting interoperability of trusted computer systems. (See: trusted system. Compare: TCG.)

$ 可信系统互操作性小组(TSIG)(N):由计算机供应商、系统集成商和用户组成的论坛,致力于促进可信计算机系统的互操作性。(请参阅:受信任的系统。比较:TCG。)

$ trustworthy system 1. (I) A system that not only is trusted, but also warrants that trust because the system's behavior can be validated in some convincing way, such as through formal analysis or code review. (See: trust. Compare: trusted.)

$ 值得信赖的系统1。(一) 一个系统不仅是可信的,而且还保证了这种信任,因为系统的行为可以通过某种令人信服的方式进行验证,比如通过正式的分析或代码审查。(请参见:信任。比较:信任。)

2. (O) /Digital Signature Guidelines/ "Computer hardware, software, and procedures that: (a) are reasonably secure from intrusion and misuse; (b) provide a reasonably reliable level of availability, reliability, and correct operation; (c) are reasonably suited to performing their intended functions; and (d) adhere to generally accepted security principles." [DSG]

2. (O) /Digital Signature Guidelines/“计算机硬件、软件和程序:(a)具有合理的安全性,防止入侵和误用;(b)提供合理可靠的可用性、可靠性和正确操作;(c)合理地适合于执行其预期功能;以及(d)遵守公认的安全原则。”[DSG]

$ TSEC (O) See: Telecommunications Security Nomenclature System. (Compare: TCSEC.)

$ TSEC(O)见:电信安全命名系统。(比较:TCSEC)

$ TSIG 1. (N) See: Trusted System Interoperability Group.

$ TSIG 1。(N) 请参阅:受信任的系统互操作性组。

2. (I) A mnemonic (presumed to be derived from "Transaction SIGnature") referring to an Internet protocol (RFC 2845) for data origin authentication and data integrity for certain DNS operations. (See: TKEY.)

2. (一) 指互联网协议(RFC 2845)的助记符(假定源自“交易签名”),用于某些DNS操作的数据源身份验证和数据完整性。(请参阅:TKEY。)

$ tunnel 1. (I) A communication channel created in a computer network by encapsulating (i.e., layering) a communication protocol's data packets in (i.e., above) a second protocol that normally would be carried above, or at the same layer as, the first one. (See: L2TP, tunnel mode, VPN. Compare: covert channel.)

$ 一号隧道。(一) 计算机网络中的一种通信信道,通过将通信协议的数据包封装(即分层)在第二协议中(即在上面),而该第二协议通常在第一协议之上或与第一协议在同一层进行传输。(请参阅:L2TP,隧道模式,VPN。比较:隐蔽通道。)

Tutorial: Tunneling can involve almost any two IPS protocol layers. For example, a TCP connection between two hosts could conceivably be carried above SMTP (i.e., in SMTP messages) as a covert channel to evade access controls that a security gateway applies to the normal TCP layer that is below SMTP.

教程:隧道几乎可以涉及任何两个IPS协议层。例如,两台主机之间的TCP连接可以作为隐蔽通道在SMTP(即,在SMTP消息中)之上进行,以逃避安全网关应用于SMTP之下的正常TCP层的访问控制。

Usually, however, a tunnel is a logical point-to-point link -- i.e., an OSIRM Layer 2 connection -- created by encapsulating the Layer 2 protocol in one of the following three types of IPS protocols: (a) an IPS Transport-Layer protocol (such as TCP), (b) an IPS Network-Layer or Internet-Layer protocol (such as IP), or

然而,通常情况下,隧道是一种逻辑点对点链路,即OSIRM第2层连接,通过将第2层协议封装在以下三种类型的IPS协议中的一种来创建:(a)IPS传输层协议(如TCP),(b)IPS网络层或互联网层协议(如IP),或

(c) another Layer 2 protocol. In many cases, the encapsulation is accomplished with an extra, intermediate protocol (i.e., a "tunneling protocol"; e.g., L2TP) that is layered below the tunneled Layer 2 protocol and above the encapsulating protocol.

(c) 另一个第二层协议。在许多情况下,封装是通过一个额外的中间协议(即“隧道协议”;例如L2TP)来完成的,该协议分层在隧道层2协议之下和封装协议之上。

Tunneling can be used to move data between computers that use a protocol not supported by the network connecting them. Tunneling also can enable a computer network to use the services of a second network as though the second network were a set of point-to-point links between the first network's nodes. (See: VPN.)

隧道可用于在使用连接它们的网络不支持的协议的计算机之间移动数据。隧道还可以使计算机网络能够使用第二网络的服务,就像第二网络是第一网络节点之间的一组点对点链路一样。(请参阅:VPN。)

2. (O) /SET/ The name of a SET private extension that indicates whether the CA or the payment gateway supports passing encrypted messages to the cardholder through the merchant. If so, the extension lists OIDs of symmetric encryption algorithms that are supported.

2. (O) /SET/SET专用扩展名的名称,指示CA或支付网关是否支持通过商户向持卡人传递加密消息。如果是,扩展将列出受支持的对称加密算法的OID。

$ tunnel mode (I) One of two ways to apply the IPsec protocols (AH and ESP) to protect data packets; in this mode, the IPsec protocol encapsulates (i.e., the protection applies to) IP packets, rather than the packets of higher-layer protocols. (See: tunnel. Compare: transport mode.)

$ 隧道模式(I)应用IPsec协议(AH和ESP)保护数据包的两种方法之一;在此模式下,IPsec协议封装(即,保护适用于)IP数据包,而不是更高层协议的数据包。(请参见:隧道。比较:运输模式。)

Tutorial: Each end of a tunnel-mode security association may be either a host or a security gateway. Whenever either end of an IPsec security association is a security gateway, the association is required to be in tunnel mode.

教程:隧道模式安全关联的每一端都可以是主机或安全网关。每当IPsec安全关联的任意一端是安全网关时,该关联都需要处于隧道模式。

$ two-person control (I) The close surveillance and control of a system, a process, or materials (especially with regard to cryptography) at all times by a minimum of two appropriately authorized persons, each capable of detecting incorrect and unauthorized procedures with respect to the tasks to be performed and each familiar with established security requirements. (See: dual control, no-lone zone.)

$ 两人控制(I)由至少两名适当授权的人员随时密切监视和控制系统、过程或材料(尤其是关于加密技术),每个人都能够检测到与要执行的任务有关的错误和未经授权的程序,并且都熟悉既定的安全要求。(请参阅:双控,无单独区域。)

$ Twofish (O) A symmetric, 128-bit block cipher with variable key length (128, 192, or 256 bits), developed by Counterpane Labs as a candidate for the AES. (See: Blowfish.)

$ Twofish(O):一种对称的128位分组密码,密钥长度可变(128、192或256位),由Counterpane实验室开发,作为AES的候选。(见:河豚)

$ type 0 product (O) /cryptography, U.S. Government/ Classified cryptographic equipment endorsed by NSA for use (when appropriately keyed) in electronically distributing bulk keying material.

$ 0类产品(O)/加密技术,美国政府/经NSA认可的保密加密设备,用于电子分发批量密钥材料(适当键入时)。

$ type 1 key (O) /cryptography, U.S. Government/ "Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of classified and sensitive national security information." [C4009]

$ 1类密钥(O)/密码学,美国政府/“在NSA的支持下生成和分发,用于加密设备,以保护机密和敏感的国家安全信息。”[C4009]

$ type 1 product (O) /cryptography, U.S. Government/ "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring the most stringent protection mechanisms." [C4009]

$ 第1类产品(O)/密码学,美国政府/“经国家安全局分类或认证的加密设备、组件或组件,用于加密和解密机密和敏感的国家安全信息(当适当加密时)。使用已建立的NSA业务流程开发,并包含NSA批准的算法。用于保护需要最严格保护机制的系统。“[C4009]

Tutorial: The current definition of this term is less specific than an earlier version: "Classified or controlled cryptographic item endorsed by the NSA for securing classified and sensitive U.S. Government information, when appropriately keyed. The term refers only to products, and not to information, key, services, or controls. Type 1 products contain classified NSA algorithms. They are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulation." [from an earlier version of C4009] (See: ITAR.)

教程:与早期版本相比,该术语的当前定义没有那么具体:“国家安全局认可的保密或受控加密项目,用于在适当键入时保护机密和敏感的美国政府信息。该术语仅指产品,而非信息、密钥、服务或控制。类型1产品包含分类NSA算法。美国政府用户、其承包商和联邦政府赞助的非美国政府活动均可使用这些武器,但这些活动须遵守国际武器贸易条例的出口限制。”[摘自C4009的早期版本](见:ITAR。)

$ type 2 key (O) /cryptography, U.S. Government/ "Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified national security information." [C4009]

$ 第2类密钥(O)/密码学,美国政府/“在NSA的支持下生成和分发,用于加密设备,以保护未保密的国家安全信息。”[C4009]

$ type 2 product (O) /cryptography, U.S. Government/ "Cryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified national security information." [C4009]

$ 第2类产品(O)/密码学,美国政府/“经国家安全局认证的加密设备、组件或组件,用于加密或解密敏感的国家安全信息(当适当加密时)。使用已建立的NSA业务流程开发,并包含NSA批准的算法。用于保护需要超过最佳商业惯例的保护机制的系统,包括用于保护未保密国家安全信息的系统。“[C4009]

Tutorial: The current definition of this term is less specific than an earlier version: "Unclassified cryptographic equipment, assembly, or component, endorsed by the NSA, for use in national security systems as defined in Title 40 U.S.C. Section 1452." [from an earlier version of C4009] (See: national security system. Compare: EUCI.)

教程:与早期版本相比,该术语的当前定义不够具体:“经NSA认可,用于《美国法典》第40篇第1452节中定义的国家安全系统的非保密加密设备、组件或组件。”[来自C4009的早期版本](见:国家安全系统。比较:EUCI。)

$ type 3 key (O) /cryptography, U.S. Government/ "Used in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product." [C4009]

$ 第3类密钥(O)/密码学,美国政府/“用于加密设备以保护非保密敏感信息,即使用于第1类或第2类产品。”[C4009]

$ type 3 product (O) /cryptography, U.S. Government/ "Unclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP)." [C4009]

$ 第3类产品(O)/密码学,美国政府/“非保密加密设备、组件或组件,在适当加密后,用于加密或解密非保密敏感美国政府或商业信息,并保护需要符合标准商业惯例的保护机制的系统。使用既定商业标准开发,包含NIST批准的加密算法/模块,或由国家信息保障合作伙伴关系(NIAP)成功评估。”[C4009]

$ type 4 key (O) /cryptography, U.S. Government/ "Used by a cryptographic device in support of its Type 4 functionality; i.e., any provision of key that lacks U.S. Government endorsement or oversight." [C4009]

$ 类型4密钥(O)/密码学,美国政府/“由加密设备用于支持其类型4功能;即,任何缺少美国政府认可或监督的密钥提供。”[C4009]

$ type 4 product (O) /cryptography, U.S. Government/ "Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor's commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS." [C4009]

$ 第4类产品(O)/密码学,美国政府/“未经评估的商用密码设备、组件或组件,NSA或NIST均未对任何政府用途进行认证。这些产品通常作为商业产品的一部分交付,并与供应商的商业惯例相称。这些产品可能包含供应商专有算法、NIST注册的算法或NIST注册并在FIPS中发布的算法。”[C4009]

$ UDP (I) See: User Datagram Protocol.

$ UDP(I)见:用户数据报协议。

$ UDP flood (I) A denial-of-service attack that takes advantage of (a) one system's UDP test function that generates a series of characters for each packet it receives and (b) another system's UPD test function that echoes any character it receives; the attack connects (a) to (b) to cause a nonstop flow of data between the two systems. (See: flooding.)

$ UDP洪泛(I)一种拒绝服务攻击,利用(A)一个系统的UDP测试函数为其接收的每个数据包生成一系列字符,以及(b)另一个系统的UPD测试函数回显其接收的任何字符;该攻击连接(a)到(b)以导致两个系统之间的数据流不间断。(见:洪水)

$ unauthorized disclosure (I) A circumstance or event whereby an entity gains access to information for which the entity is not authorized.

$ 未经授权的披露(I)实体获取未经授权的信息的情况或事件。

Tutorial: This type of threat consequence can be caused by the following types of threat actions: exposure, interception, inference, and intrusion. Some methods of protecting against this consequence include access control, flow control, and inference control. (See: data confidentiality.)

教程:这种类型的威胁后果可能由以下类型的威胁操作引起:暴露、拦截、推断和入侵。一些防止这种后果的方法包括访问控制、流控制和推理控制。(见:数据保密。)

$ unauthorized user (I) /access control/ A system entity that accesses a system resource for which the entity has not received an authorization. (See: user. Compare: authorized user, insider, outsider.)

$ 未经授权的用户(I)/访问控制/访问系统资源的系统实体,该实体尚未收到授权。(请参阅:用户。比较:授权用户、内部人员、外部人员。)

Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

用法:使用此术语的IDoc应说明其定义,因为该术语的使用方式多种多样,很容易被误解。

$ uncertainty (N) An information-theoretic measure (usually stated as a number of bits) of the minimum amount of plaintext information that needs to be recovered from cipher text to learn the entire plain text that was encrypted. [SP63] (See: entropy.)

$ 不确定性(N):需要从密文中恢复的最小纯文本信息量的信息论度量(通常表示为位数),以了解加密的整个纯文本。[SP63](见:熵。)

$ unclassified (I) Not classified. (Compare: FOUO.)

$ 未分类(I)未分类。(比较:FOUO)

$ unencrypted (I) Not encrypted.

$ 未加密(I)未加密。

$ unforgeable (I) /cryptography/ The property of a cryptographic data structure (i.e., a data structure that is defined using one or more cryptographic functions, e.g., "digital certificate") that makes it computationally infeasible to construct (i.e., compute) an unauthorized but correct value of the structure without having knowledge of one of more keys.

$ 不可伪造(I)/加密/加密数据结构(即,使用一个或多个加密函数定义的数据结构,例如,“数字证书”)的属性,使得在计算上无法构造(即,计算)未经授权但正确的结构值,而不知道一个或多个键。

Tutorial: This definition is narrower than general English usage, where "unforgeable" means unable to be fraudulently created or duplicated. In that broader sense, anyone can forge a digital certificate containing any set of data items whatsoever by generating the to-be-signed certificate and signing it with any private key whatsoever. But for PKI purposes, the forged data structure is invalid if it is not signed with the true private key of the claimed issuer; thus, the forgery will be detected when a certificate user uses the true public key of the claimed issuer to verify the signature.

教程:这个定义比一般的英语用法要窄,其中“不可伪造”的意思是不能被欺诈地创建或复制。从更广泛的意义上讲,任何人都可以通过生成待签名证书并使用任何私钥对其进行签名来伪造包含任何数据项集的数字证书。但出于PKI目的,如果伪造的数据结构未使用声称的发行人的真实私钥签名,则该数据结构无效;因此,当证书用户使用声称的颁发者的真实公钥来验证签名时,将检测到伪造。

$ uniform resource identifier (URI) (I) A type of formatted identifier (RFC 3986) that encapsulates the name of an Internet object, and labels it with an identification of the name space, thus producing a member of the universal set of names in registered name spaces and of addresses referring to registered protocols or name spaces.

$ 统一资源标识符(URI)(I)一种格式化标识符(RFC 3986),它封装互联网对象的名称,并用名称空间的标识对其进行标记,从而在注册名称空间中生成通用名称集的成员,以及引用注册协议或名称空间的地址。

Example: HTML uses URIs to identify the target of hyperlinks.

示例:HTML使用URI来标识超链接的目标。

Usage: "A URI can be classified as a locator (see: URL), a name (see: URN), or both. ... Instances of URIs from any given scheme may have the characteristics of names or locators or both, often depending on the persistence and care in the assignment of identifiers by the naming authority, rather than on any quality of the scheme." IDOCs SHOULD "use the general term 'URI' rather than the more restrictive terms 'URL' and 'URN'." (RFC 3986)

用法:“URI可以分类为定位器(请参阅:URL)、名称(请参阅:URN)或两者……来自任何给定方案的URI实例可能具有名称或定位器或两者的特征,通常取决于命名机构在分配标识符时的持久性和谨慎性,而不是方案的任何质量。”IDOC应该“使用通用术语‘URI’,而不是更严格的术语‘URL’和‘URN’。”(RFC 3986)

$ uniform resource locator (URL) (I) A URI that describes the access method and location of an information resource object on the Internet. (See: Usage under "URI". Compare: URN.)

$ 统一资源定位器(URL)(I)描述Internet上信息资源对象的访问方法和位置的URI。(请参阅“URI”下的用法。比较:URN。)

Tutorial: The term URL "refers to the subset of URIs that, besides identifying a resource, provide a means of locating the resource by describing its primary access mechanism (e.g., its network 'location')." (RFC 3986)

教程:术语URL“是指URI的子集,它除了标识资源外,还通过描述资源的主要访问机制(例如,其网络“位置”)提供定位资源的方法”(RFC 3986)

A URL provides explicit instructions on how to access the named object. For example, "ftp://bbnarchive.bbn.com/foo/bar/picture/cambridge.zip" is a URL. The part before the colon specifies the access scheme or protocol, and the part after the colon is interpreted according to that access method. Usually, two slashes after the colon indicate the host name of a server (written as a domain name). In an FTP or HTTP URL, the host name is followed by the path name of a file on the server. The last (optional) part of a URL may be either a fragment identifier that indicates a position in the file, or a query string.

URL提供有关如何访问命名对象的明确说明。例如,”ftp://bbnarchive.bbn.com/foo/bar/picture/cambridge.zip“是一个URL。冒号前面的部分指定访问方案或协议,冒号后面的部分根据该访问方法进行解释。通常,冒号后的两个斜杠表示服务器的主机名(写为域名)。在FTP或HTTP URL中,主机名后跟服务器上文件的路径名。URL的最后(可选)部分可以是指示文件中位置的片段标识符,也可以是查询字符串。

$ uniform resource name (URN) (I) A URI with the properties of a name. (See: Usage under "URI". Compare: URL.)

$ 统一资源名(URN)(I)具有名称属性的URI。(请参阅“URI”下的用法。比较:URL。)

Tutorial: The term URN "has been used historically to refer to both URIs under the "urn" scheme (RFC 2141), which are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable, and to any other URI with the properties of a name." (RFC 3986)

教程:术语URN“历来用于指“URN”方案(RFC 2141)下的URI(即使资源不再存在或变得不可用,也需要保持全局唯一性和持久性),以及具有名称属性的任何其他URI。”(RFC 3986)

$ untrusted (I) See: secondary definition under "trust".

$ 不受信任(I)参见“信任”下的第二个定义。

$ untrusted process 1. (I) A system component that is not able to affect the state of system security through incorrect or malicious operation. Example: A component that has its operations confined by a security kernel. (See: trusted process.)

$ 不受信任的进程1。(一) 无法通过错误或恶意操作影响系统安全状态的系统组件。示例:操作受安全内核限制的组件。(请参阅:受信任的进程。)

2. (I) A system component that (a) has not been evaluated or examined for adherence to a specified security policy and, therefore, (b) must be assumed to contain logic that might attempt to circumvent system security.

2. (一) 一种系统组件,其(A)未经评估或检查是否符合指定的安全策略,因此,(b)必须假定包含可能试图规避系统安全的逻辑。

$ UORA (O) See: user-PIN ORA.

$ UORA(O)见:用户PIN ORA。

$ update See: "certificate update" and "key update".

$ 更新请参阅:“证书更新”和“密钥更新”。

$ upgrade (I) /data security/ Increase the classification level of data without changing the information content of the data. (See: classify, downgrade, regrade.)

$ 升级(I)/数据安全性/在不改变数据信息内容的情况下提高数据的分类级别。(请参见:分类、降级、重新分级。)

$ URI (I) See: uniform resource identifier.

$ URI(I)参见:统一资源标识符。

$ URL (I) See: uniform resource locator.

$ URL(I)参见:统一资源定位器。

$ URN (I) See: uniform resource name.

$ URN(I)见:统一资源名称。

$ user See: system user.

$ 用户请参阅:系统用户。

Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.

用法:使用此术语的IDoc应说明其定义,因为该术语的使用方式多种多样,很容易被误解。

$ user authentication service (I) A security service that verifies the identity claimed by an entity that attempts to access the system. (See: authentication, user.)

$ 用户身份验证服务(I)验证试图访问系统的实体所声明的身份的安全服务。(请参阅:身份验证,用户。)

$ User Datagram Protocol (UDP) (I) An Internet Standard, Transport-Layer protocol (RFC 768) that delivers a sequence of datagrams from one computer to another in a computer network. (See: UPD flood.)

$ 用户数据报协议(UDP)(I)一种互联网标准传输层协议(RFC 768),在计算机网络中,将一系列数据报从一台计算机传送到另一台计算机。(见:UPD洪水)

Tutorial: UDP assumes that IP is the underlying protocol. UDP enables application programs to send transaction-oriented data to other programs with minimal protocol mechanism. UDP does not provide reliable delivery, flow control, sequencing, or other end-to-end service guarantees that TCP does.

教程:UDP假定IP是基础协议。UDP允许应用程序使用最小的协议机制将面向事务的数据发送到其他程序。UDP不提供可靠的传递、流控制、排序或TCP提供的其他端到端服务保证。

$ user identifier (I) See: identifier.

$ 用户标识符(I)参见:标识符。

$ user identity (I) See: identity.

$ 用户标识(I)参见:标识。

$ user PIN (O) /MISSI/ One of two PINs that control access to the functions and stored data of a FORTEZZA PC card. Knowledge of the user PIN enables a card user to perform the FORTEZZA functions that are intended for use by an end user. (See: PIN. Compare: SSO PIN.)

$ 用户PIN(O)/MSI/控制访问FORTEZZA PC卡功能和存储数据的两个PIN之一。了解用户PIN可使卡用户执行最终用户使用的FORTEZZA功能。(请参见:PIN。比较:SSO PIN。)

$ user-PIN ORA (UORA) (O) /MISSI/ A MISSI organizational RA that operates in a mode in which the ORA performs only the subset of card management functions that are possible with knowledge of the user PIN for a FORTEZZA PC card. (See: no-PIN ORA, SSO-PIN ORA.)

$ 用户PIN ORA(UORA)(O)/MISSI/A MISSI组织RA,在这种模式下,ORA仅执行卡管理功能的子集,在了解FORTEZZA PC卡的用户PIN的情况下,这些功能是可能的。(请参阅:无PIN ORA,SSO-PIN ORA。)

$ usurpation (I) A circumstance or event that results in control of system services or functions by an unauthorized entity. This type of threat consequence can be caused by the following types of threat actions: misappropriation, misuse. (See: access control.)

$ 篡夺(I)导致未经授权实体控制系统服务或功能的情况或事件。这种类型的威胁后果可能由以下类型的威胁行为引起:挪用、滥用。(请参阅:访问控制。)

$ UTCTime (N) The ASN.1 data type "UTCTime" contains a calendar date (YYMMDD) and a time to a precision of either one minute (HHMM) or one second (HHMMSS), where the time is either (a) Coordinated Universal Time or (b) the local time followed by an offset that enables Coordinated Universal Time to be calculated. (See: Coordinated Universal Time. Compare: GeneralizedTime.)

$ UTCTime(N)ASN.1数据类型“UTCTime”包含一个日历日期(YYMMDD)和一个精度为一分钟(HHMM)或一秒(hhmms)的时间,其中时间是(a)协调世界时或(b)本地时间,后跟一个允许计算协调世界时的偏移量。(请参阅:协调世界时。比较:一般化时间。)

Usage: If you care about centuries or millennia, you probably need to use the GeneralizedTime data type instead of UTCTime.

用法:如果您关心几个世纪或几千年,您可能需要使用GeneratedTime数据类型而不是UTCTime。

$ v1 certificate (N) An abbreviation that ambiguously refers to either an "X.509 public-key certificate in version 1 format" or an "X.509 attribute certificate in version 1 format".

$ v1 certificate(N)一个缩写,模糊地表示“版本1格式的X.509公钥证书”或“版本1格式的X.509属性证书”。

Deprecated Usage: IDOCs MAY use this term as an abbreviation of "version 1 X.509 public-key certificate", but only after using the full term at the first instance. Otherwise, the term is ambiguous, because X.509 specifies both v1 public-key certificates and v1 attribute certificates. (See: X.509 attribute certificate, X.509 public-key certificate.)

不推荐使用:IDOCs可以将此术语用作“Version1X.509公钥证书”的缩写,但仅在第一次使用完整术语后使用。否则,该术语是不明确的,因为X.509同时指定v1公钥证书和v1属性证书。(请参阅:X.509属性证书、X.509公钥证书。)

$ v1 CRL (N) Abbreviation of "X.509 CRL in version 1 format".

$ v1 CRL(N)“版本1格式的X.509 CRL”的缩写。

Usage: IDOCs MAY use this abbreviation, but SHOULD use the full term at its first occurrence and define the abbreviation there.

用法:IDOCs可以使用此缩写,但应在第一次出现时使用完整术语,并在此处定义缩写。

$ v2 certificate (N) Abbreviation of "X.509 public-key certificate in version 2 format".

$ v2证书(N)“版本2格式的X.509公钥证书”的缩写。

Usage: IDOCs MAY use this abbreviation, but SHOULD use the full term at its first occurrence and define the abbreviation there.

用法:IDOCs可以使用此缩写,但应在第一次出现时使用完整术语,并在此处定义缩写。

$ v2 CRL (N) Abbreviation of "X.509 CRL in version 2 format".

$ v2 CRL(N)“第2版格式的X.509 CRL”的缩写。

Usage: IDOCs MAY use this abbreviation, but SHOULD use the full term at its first occurrence and define the abbreviation there.

用法:IDOCs可以使用此缩写,但应在第一次出现时使用完整术语,并在此处定义缩写。

$ v3 certificate (N) Abbreviation of "X.509 public-key certificate in version 3 format".

$ v3证书(N)“版本3格式的X.509公钥证书”的缩写。

Usage: IDOCs MAY use this abbreviation, but SHOULD use the full term at its first occurrence and define the abbreviation there.

用法:IDOCs可以使用此缩写,但应在第一次出现时使用完整术语,并在此处定义缩写。

$ valid certificate 1. (I) A digital certificate that can be validated successfully. (See: validate, verify.)

$ 有效证书1。(一) 可以成功验证的数字证书。(请参见:验证、验证。)

2. (I) A digital certificate for which the binding of the data items can be trusted.

2. (一) 可以信任数据项绑定的数字证书。

$ valid signature (D) Synonym for "verified signature".

$ 有效签名(D)“验证签名”的同义词。

Deprecated Term: IDOCs SHOULD NOT use this synonym. This Glossary recommends saying "validate the certificate" and "verify the signature"; therefore, it would be inconsistent to say that a signature is "valid". (See: validate, verify.)

不推荐使用的术语:IDOCs不应使用此同义词。本术语表建议说“验证证书”和“验证签名”;因此,说签字“有效”是不一致的。(请参见:验证、验证。)

$ validate 1. (I) Establish the soundness or correctness of a construct. Example: certificate validation. (See: validate vs. verify.)

$ 验证1。(一) 确定一个结构的可靠性或正确性。示例:证书验证。(请参见:验证与验证。)

2. (I) To officially approve something, sometimes in relation to a standard. Example: NIST validates cryptographic modules for conformance with [FP140].

2. (一) 正式批准某物,有时与标准有关。示例:NIST验证加密模块是否符合[FP140]。

$ validate vs. verify Usage: To ensure consistency and align with ordinary English usage, IDOCs SHOULD comply with the following two rules: - Rule 1: Use "validate" when referring to a process intended to establish the soundness or correctness of a construct (e.g., "certificate validation"). (See: validate.) - Rule 2: Use "verify" when referring to a process intended to test or prove the truth or accuracy of a fact or value (e.g., "authenticate"). (See: verify.)

$ 验证与验证用法:为确保一致性并与普通英语用法保持一致,IDOC应遵守以下两条规则:-规则1:在提及旨在确定结构的可靠性或正确性的过程时使用“验证”(例如,“证书验证”)。(见:验证)-规则2:在提及旨在测试或证明事实或价值的真实性或准确性的过程时使用“验证”(例如,“验证”)。(请参见:验证。)

Tutorial: The Internet security community sometimes uses these two terms inconsistently, especially in a PKI context. Most often, however, we say "verify the signature" but say "validate the certificate". That is, we "verify" atomic truths but "validate" data structures, relationships, and systems that are composed of or depend on verified items. This usage has a basis in Latin:

教程:Internet安全社区有时会不一致地使用这两个术语,尤其是在PKI环境中。然而,我们通常说“验证签名”,但说“验证证书”。也就是说,我们“验证”原子真理,但“验证”由验证项组成或依赖于验证项的数据结构、关系和系统。这种用法以拉丁语为基础:

The word "valid" derives from a Latin word that means "strong". Thus, to validate means to check that a construct is sound. For example, a certificate user validates a public-key certificate to establish trust in the binding that the certificate asserts between an identity and a key. This can include checking various aspects of the certificate's construction, such as verifying the digital signature on the certificate by performing calculations, verifying that the current time is within the certificate's validity period, and validating a certification path involving additional certificates.

“有效”一词来源于拉丁语,意思是“强”。因此,验证意味着检查构造是否正确。例如,证书用户验证公钥证书,以在证书在标识和密钥之间断言的绑定中建立信任。这可以包括检查证书构造的各个方面,例如通过执行计算来验证证书上的数字签名,验证当前时间是否在证书的有效期内,以及验证涉及其他证书的证书路径。

The word "verify" derives from a Latin word that means "true". Thus, to verify means to check the truth of an assertion by examining evidence or performing tests. For example, to verify an identity, an authentication process examines identification information that is presented or generated. To validate a certificate, a certificate user verifies the digital signature on the certificate by performing calculations, verifies that the

“验证”一词来源于拉丁语,意思是“真实”。因此,验证意味着通过检查证据或进行测试来检查断言的真实性。例如,为了验证身份,身份验证过程检查呈现或生成的身份信息。要验证证书,证书用户通过执行计算来验证证书上的数字签名,并验证

current time is within the certificate's validity period, and may need to validate a certification path involving additional certificates.

当前时间在证书的有效期内,可能需要验证涉及其他证书的证书路径。

$ validation (I) See: validate vs. verify.

$ 验证(I)参见:验证与验证。

$ validity period (I) /PKI/ A data item in a digital certificate that specifies the time period for which the binding between data items (especially between the subject name and the public key value in a public-key certificate) is valid, except if the certificate appears on a CRL or the key appears on a CKL. (See: cryptoperiod, key lifetime.)

$ 有效期(I)/PKI/数字证书中的数据项,指定数据项之间的绑定(特别是公钥证书中的使用者名称和公钥值之间的绑定)有效的时间段,除非证书出现在CRL上或密钥出现在CKL上。(请参阅:加密周期、密钥生存期。)

$ value-added network (VAN) (I) A computer network or subnetwork (usually a commercial enterprise) that transmits, receives, and stores EDI transactions on behalf of its users.

$ 增值网络(VAN)(I)代表用户传输、接收和存储EDI交易的计算机网络或子网络(通常为商业企业)。

Tutorial: A VAN may also provide additional services, ranging from EDI format translation, to EDI-to-FAX conversion, to integrated business systems.

教程:VAN还可以提供其他服务,从EDI格式转换到EDI到传真转换,再到集成业务系统。

$ VAN (I) See: value-added network.

$ VAN(一)见:增值网络。

$ verification 1. (I) /authentication/ The process of examining information to establish the truth of a claimed fact or value. (See: validate vs. verify, verify. Compare: authentication.)

$ 核查1。(一) /认证/检查信息以确定所声称事实或价值的真实性的过程。(请参见:验证与验证,验证。比较:验证。)

2. (N) /COMPUSEC/ The process of comparing two levels of system specification for proper correspondence, such as comparing a security model with a top-level specification, a top-level specification with source code, or source code with object code. [NCS04]

2. (N) /COMPUSEC/比较两个级别的系统规范以获得适当对应的过程,例如将安全模型与顶级规范、顶级规范与源代码或源代码与目标代码进行比较。[NCS04]

$ verified design (O) See: TCSEC Class A1.

$ 验证设计(O)见:TCSEC A1级。

$ verify (I) To test or prove the truth or accuracy of a fact or value. (See: validate vs. verify, verification. Compare: authenticate.)

$ 验证(I)测试或证明事实或价值的真实性或准确性。(请参阅:验证与验证,验证。比较:验证。)

$ vet (I) /verb/ To examine or evaluate thoroughly. (Compare: authenticate, identity proofing, validate, verify.)

$ 彻底检查或评估。(比较:验证、身份验证、验证、验证。)

$ violation See: security violation.

$ 违规请参阅:安全违规。

$ virtual private network (VPN) (I) A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (e.g., the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. (See: tunnel.)

$ 虚拟专用网(VPN)(I)一种受限使用的逻辑(即人工或模拟)计算机网络,由相对公共的物理(即真实)网络(如互联网)的系统资源构成,通常使用加密(位于主机或网关上),通常通过隧道连接虚拟网络和真实网络。(见:隧道)

Tutorial: A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the underlying real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by using encrypted tunnels to connect from firewall to firewall across the Internet.

教程:VPN的构建和运行成本通常低于专用真实网络,因为虚拟网络与底层真实网络的其他用户共享系统资源成本。例如,如果一家公司在几个不同的站点上有局域网,每个站点都通过防火墙连接到Internet,那么该公司可以通过使用加密隧道在Internet上从防火墙连接到防火墙来创建VPN。

$ virus (I) A self-replicating (and usually hidden) section of computer software (usually malicious logic) that propagates by infecting -- i.e., inserting a copy of itself into and becoming part of -- another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

$ 病毒(I)计算机软件(通常是恶意逻辑)的自我复制(通常是隐藏)部分,通过感染(即,将自身的副本插入另一个程序并成为其一部分)进行传播。病毒不能自行运行;它要求运行主机程序以激活病毒。

$ Visa Cash (O) A smartcard-based electronic money system that incorporates cryptography and can be used to make payments via the Internet. (See: IOTP.)

$ Visa Cash(O):一种基于智能卡的电子货币系统,采用加密技术,可用于通过互联网进行支付。(见:IOTP)

$ volatile media (I) Storage media that require an external power supply to maintain stored information. (Compare: non-volatile media, permanent storage.)

$ 易失性介质(I)需要外部电源来维护存储信息的存储介质。(比较:非易失性介质、永久存储。)

$ VPN (I) See: virtual private network.

$ VPN(I)见:虚拟专用网络。

$ vulnerability (I) A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. (See: harden.)

$ 漏洞(I)系统设计、实施或操作和管理中的缺陷或弱点,可被利用来违反系统的安全策略。(请参见:硬化。)

Tutorial: A system can have three types of vulnerabilities: (a) vulnerabilities in design or specification; (b) vulnerabilities in implementation; and (c) vulnerabilities in operation and management. Most systems have one or more vulnerabilities, but

教程:系统可能有三种类型的漏洞:(A)设计或规范中的漏洞;(b) 执行中的脆弱性;以及(c)运营和管理方面的漏洞。大多数系统都有一个或多个漏洞,但是

this does not mean that the systems are too flawed to use. Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of attacks, and the effectiveness of any countermeasures in use. If the attacks needed to exploit a vulnerability are very difficult to carry out, then the vulnerability may be tolerable. If the perceived benefit to an attacker is small, then even an easily exploited vulnerability may be tolerable. However, if the attacks are well understood and easily made, and if the vulnerable system is employed by a wide range of users, then it is likely that there will be enough motivation for someone to launch an attack.

这并不意味着这些系统有太多缺陷而无法使用。并非所有威胁都会导致攻击,也并非所有攻击都会成功。成功与否取决于脆弱性的程度、攻击的强度以及所使用的任何对策的有效性。如果利用漏洞所需的攻击很难实施,那么该漏洞可能是可以容忍的。如果攻击者感知到的好处很小,那么即使是容易被攻击的漏洞也可以容忍。但是,如果攻击很容易理解和实施,并且易受攻击的系统被广泛的用户使用,那么很可能有足够的动机让某人发起攻击。

$ W3 (D) Synonym for WWW.

$ W3(D)WWW的同义词。

Deprecated Abbreviation: This abbreviation could be confused with W3C; use "WWW" instead.

不推荐使用的缩写:此缩写可能与W3C混淆;改用“WWW”。

$ W3C (N) See: World Wide Web Consortium.

$ W3C(N)见:万维网联盟。

$ war dialer (I) /slang/ A computer program that automatically dials a series of telephone numbers to find lines connected to computer systems, and catalogs those numbers so that a cracker can try to break the systems.

$ 战争拨号程序(I)/俚语/一种计算机程序,它自动拨打一系列电话号码以查找连接到计算机系统的线路,并对这些号码进行编目,以便黑客可以尝试破坏系统。

Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term could confuse international readers.

不推荐使用:使用此术语的IDoc应该为其说明定义,因为此术语可能会使国际读者感到困惑。

$ Wassenaar Arrangement (N) The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a global, multilateral agreement approved by 33 countries in July 1996 to contribute to regional and international security and stability, by promoting information exchange concerning, and greater responsibility in, transfers of arms and dual-use items, thus preventing destabilizing accumulations. (See: International Traffic in Arms Regulations.)

$ 瓦塞纳尔安排(N)《关于常规武器及两用货物和技术出口管制的瓦塞纳尔安排》是一项全球多边协定,于1996年7月获得33个国家的批准,目的是通过促进有关下列方面的信息交流和更大的责任,促进区域和国际安全与稳定:,武器和两用物品的转让,从而防止破坏稳定的积累。(见:国际武器贩运条例。)

Tutorial: The Arrangement began operations in September 1996 with headquarters in Vienna. The participating countries were Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian

教程:该安排于1996年9月开始运作,总部设在维也纳。参与国为阿根廷、澳大利亚、奥地利、比利时、保加利亚、加拿大、捷克共和国、丹麦、芬兰、法国、德国、希腊、匈牙利、爱尔兰、意大利、日本、卢森堡、荷兰、新西兰、挪威、波兰、葡萄牙、大韩民国、罗马尼亚、俄罗斯

Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, and United States.

联邦、斯洛伐克共和国、西班牙、瑞典、瑞士、土耳其、乌克兰、英国和美国。

Participating countries seek through their national policies to ensure that transfers do not contribute to the development or enhancement of military capabilities that undermine the goals of the arrangement, and are not diverted to support such capabilities. The countries maintain effective export controls for items on the agreed lists, which are reviewed periodically to account for technological developments and experience gained. Through transparency and exchange of views and information, suppliers of arms and dual-use items can develop common understandings of the risks associated with their transfer and assess the scope for coordinating national control policies to combat these risks. Members provide semi-annual notification of arms transfers, covering seven categories derived from the UN Register of Conventional Arms. Members also report transfers or denials of transfers of certain controlled dual-use items. However, the decision to transfer or deny transfer of any item is the sole responsibility of each participating country. All measures undertaken with respect to the arrangement are in accordance with national legislation and policies and are implemented on the basis of national discretion.

参与国通过其国家政策寻求确保转让不会有助于发展或增强破坏《安排》目标的军事能力,也不会被转用于支持这种能力。这些国家对商定清单上的物品保持有效的出口管制,并定期审查这些物品,以说明技术发展和取得的经验。通过透明度和交换意见和信息,武器和两用物品的供应商可以就与武器和两用物品转让有关的风险达成共识,并评估协调国家管制政策以应对这些风险的范围。成员国每半年提供一次武器转让通知,涵盖联合国常规武器登记册中的七个类别。成员国还报告转让或拒绝转让某些受管制的两用物品。然而,转让或拒绝转让任何物品的决定是每个参与国的唯一责任。与该安排有关的所有措施均符合国家立法和政策,并在国家自由裁量权的基础上实施。

$ watermarking See: digital watermarking.

$ 水印参见:数字水印。

$ weak key (I) In the context of a particular cryptographic algorithm, a key value that provides poor security. (See: strong.)

$ 弱密钥(I)在特定加密算法的上下文中,提供较差安全性的密钥值。(见:strong)

Example: The DEA has four "weak keys" [Schn] for which encryption produces the same result as decryption. It also has ten pairs of "semi-weak keys" [Schn] (a.k.a. "dual keys" [FP074]) for which encryption with one key in the pair produces the same result as decryption with the other key.

示例:DEA有四个“弱密钥”[Schn],加密产生与解密相同的结果。它还具有十对“半弱密钥”[Schn](也称为“双密钥”[FP074]),其中一对密钥的加密与另一对密钥的解密产生相同的结果。

$ web, Web 1. (I) /not capitalized/ IDOCs SHOULD NOT capitalize "web" when using the term (usually as an adjective) to refer generically to technology -- such as web browsers, web servers, HTTP, and HTML -- that is used in the Web or similar networks.

$ 网络,网络1。(一) /not capitalized/IDOCs在使用术语(通常作为形容词)泛指web或类似网络中使用的技术(如web浏览器、web服务器、HTTP和HTML)时,不应将“web”大写。

2. (I) /capitalized/ IDOCs SHOULD capitalize "Web" when using the term (as either a noun or an adjective) to refer specifically to the World Wide Web. (Similarly, see: internet.)

2. (一) /capitalized/IDOCs在使用术语(作为名词或形容词)专门指代万维网时,应将“Web”大写。(类似地,请参见:互联网。)

Usage: IDOCs SHOULD NOT use "web" or "Web" in a way that might confuse these definitions with the PGP "web of trust". When using Web as an abbreviation for "World Wide Web", IDOCs SHOULD fully spell out the term at the first instance of usage.

用法:idoc不应以可能将这些定义与PGP“信任网”混淆的方式使用“web”或“web”。当使用Web作为“万维网”的缩写时,IDOCs应在第一次使用时就充分说明该术语。

$ web of trust (D) /PGP/ A PKI architecture in which each certificate user defines their own trust anchor(s) by depending on personal relationships. (See: trust anchor. Compare: hierarchical PKI, mesh PKI.)

$ 信任网(D)/PGP/A PKI体系结构,其中每个证书用户根据个人关系定义自己的信任锚。(请参阅:信任锚。比较:层次PKI、网状PKI。)

Deprecated Usage: IDOCs SHOULD NOT use this term except with reference to PGP. This term mixes concepts in potentially misleading ways; e.g., this architecture does not depend on World Wide Web technology. Instead of this term, IDOCs MAY use "trust-file PKI". (See: web, Web).

不推荐使用:IDOCs不应使用此术语,除非参考PGP。这一术语以潜在误导的方式混合概念;e、 这种架构不依赖于万维网技术。IDOC可以使用“信任文件PKI”来代替该术语。(见:网络,网络)。

Tutorial: This type of architecture does not usually include public repositories of certificates. Instead, each certificate user builds their own, private repository of trusted public keys by making personal judgments about being able to trust certain people to be holding properly certified keys of other people. It is this set of person-to-person relationships from which the architecture gets its name.

教程:这种类型的体系结构通常不包括证书的公共存储库。相反,每个证书用户通过对是否能够信任某些人持有其他人正确认证的密钥做出个人判断,从而构建自己的受信任公钥私有存储库。架构就是从这组人与人之间的关系中得名的。

$ web server (I) A software process that runs on a host computer connected to a network and responds to HTTP requests made by client web browsers.

$ web服务器(I)在连接到网络的主机上运行并响应客户端web浏览器发出的HTTP请求的软件进程。

$ WEP (N) See: Wired Equivalency Protocol.

$ WEP(N)见:有线等效协议。

$ Wired Equivalent Privacy (WEP) (N) A cryptographic protocol that is defined in the IEEE 802.11 standard and encapsulates the packets on wireless LANs. Usage: a.k.a. "Wired Equivalency Protocol".

$ 有线等效隐私(WEP)(N)IEEE 802.11标准中定义的加密协议,用于在无线局域网上封装数据包。用法:又称“有线等效协议”。

Tutorial: The WEP design, which uses RC4 to encrypt both the plain text and a CRC, has been shown to be flawed in multiple ways; and it also has often suffered from flawed implementation and management.

教程:WEP设计使用RC4对纯文本和CRC进行加密,已经证明在多个方面存在缺陷;而且它还经常遭受执行和管理方面的缺陷。

$ wiretapping (I) An attack that intercepts and accesses information contained in a data flow in a communication system. (See: active wiretapping, end-to-end encryption, passive wiretapping, secondary definition under "interception".)

$ 窃听(I)拦截和访问通信系统中数据流中包含的信息的攻击。(参见:主动窃听、端到端加密、被动窃听、“拦截”下的二级定义。)

Usage: Although the term originally referred to making a mechanical connection to an electrical conductor that links two nodes, it is now used to refer to accessing information from any sort of medium used for a link or even from a node, such as a gateway or subnetwork switch.

用法:虽然该术语最初指与连接两个节点的电导体进行机械连接,但现在用于指从用于链接的任何类型的介质,甚至从节点(如网关或子网络交换机)访问信息。

Tutorial: Wiretapping can be characterized according to intent: - "Active wiretapping" attempts to alter the data or otherwise affect the flow. - "Passive wiretapping" only attempts to observe the data flow and gain knowledge of information contained in it.

教程:窃听可以根据意图来描述:-“主动窃听”试图改变数据或以其他方式影响流。-“被动窃听”只是试图观察数据流并了解其中包含的信息。

$ work factor 1a. (I) /COMPUSEC/ The estimated amount of effort or time that can be expected to be expended by a potential intruder to penetrate a system, or defeat a particular countermeasure, when using specified amounts of expertise and resources. (See: brute force, impossible, strength.)

$ 工作系数1a。(一) /COMPUSEC/当使用指定数量的专业知识和资源时,潜在入侵者为穿透系统或击溃特定对策而预计花费的工作量或时间。(参见:蛮力、不可能、力量。)

1b. (I) /cryptography/ The estimated amount of computing power and time needed to break a cryptographic system. (See: brute force, impossible, strength.)

1b。(一) /cryptography/破解密码系统所需的估计计算能力和时间。(参见:蛮力、不可能、力量。)

$ World Wide Web ("the Web", WWW) (N) The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms. (See: web vs. Web, [R2084].)

$ 万维网(“万维网”,WWW)(N)互联网服务器上提供的、由浏览器使用超文本传输协议和其他信息检索机制访问的基于超媒体的全球信息和服务集合。(参见:网络vs.网络[R2084]。)

$ World Wide Web Consortium (W3C) (N) Created in October 1994 to develop and standardize protocols to promote the evolution and interoperability of the Web, and now consisting of hundreds of member organizations (commercial firms, governmental agencies, schools, and others).

$ 万维网联盟(W3C)(N)成立于1994年10月,旨在开发和标准化协议,以促进网络的发展和互操作性,目前由数百个成员组织(商业公司、政府机构、学校等)组成。

Tutorial: W3C Recommendations are developed through a process similar to that of the standards published by other organizations, such as the IETF. The W3 Recommendation Track (i.e., standards track) has four levels of increasing maturity: Working, Candidate Recommendation, Proposed Recommendation, and W3C Recommendation. W3C Recommendations are similar to the standards published by other organizations. (Compare: Internet Standard, ISO.)

教程:W3C建议是通过与其他组织(如IETF)发布的标准类似的过程制定的。W3推荐跟踪(即标准跟踪)有四个日益成熟的级别:工作、候选推荐、建议推荐和W3C推荐。W3C建议与其他组织发布的标准类似。(比较:互联网标准,ISO)

$ worm (I) A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume system resources destructively. (See: mobile code, Morris Worm, virus.)

$ worm(I)可以独立运行的计算机程序,可以将自身的完整工作版本传播到网络上的其他主机上,并可能以破坏性方式消耗系统资源。(参见:手机代码、莫里斯蠕虫、病毒。)

$ wrap 1. (N) To use cryptography to provide data confidentiality service for keying material. (See: encrypt, wrapping algorithm, wrapping key. Compare: seal, shroud.)

$ 包装1。(N) 使用密码学为密钥材料提供数据保密服务。(请参阅:加密、包装算法、包装密钥。比较:密封、护罩。)

2. (D) To use cryptography to provide data confidentiality service for data in general.

2. (D) 使用加密技术为一般数据提供数据保密服务。

Deprecated Usage: IDOCs SHOULD NOT use this term with definition 2 because that duplicates the meaning of the more widely understood "encrypt".

不推荐的用法:IDOCs不应该在定义2中使用这个术语,因为它重复了更广泛理解的“encrypt”的含义。

$ wrapping algorithm (N) An encryption algorithm that is specifically intended for use in encrypting keys. (See: KEK, wrap.)

$ 包装算法(N):专门用于加密密钥的加密算法。(请参见:桶,包装。)

$ wrapping key (N) Synonym for "KEK". (See: encrypt. Compare: seal, shroud.)

$ 包装键(N)是“KEK”的同义词。(请参见:加密。比较:密封、护罩。)

$ write (I) /security model/ A system operation that causes a flow of information from a subject to an object. (See: access mode. Compare: read.)

$ 写入(I)/安全模型/导致信息从主体流向对象的系统操作。(请参阅:访问模式。比较:读取。)

$ WWW (I) See: World Wide Web.

$ WWW(I)见:万维网。

$ X.400 (N) An ITU-T Recommendation [X400] that is one part of a joint ITU-T/ISO multi-part standard (X.400-X.421) that defines the Message Handling Systems. (The ISO equivalent is IS 10021, parts 1-7.) (See: Message Handling Systems.)

$ X.400(N)ITU-T建议[X400],是定义信息处理系统的ITU-T/ISO多部分联合标准(X.400-X.421)的一部分。(ISO等效标准为10021,第1-7部分)(参见:信息处理系统。)

$ X.500 (N) An ITU-T Recommendation [X500] that is one part of a joint ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500 Directory, a conceptual collection of systems that provide distributed directory capabilities for OSI entities, processes, applications, and services. (The ISO equivalent is IS 9594-1 and related standards, IS 9594-x.) (See: directory vs. Directory, X.509.)

$ X.500(N)ITU-T建议[X500],是ITU-T/ISO多部分联合标准(X.500-X.525)的一部分,该标准定义了X.500目录,该目录是为OSI实体、流程、应用程序和服务提供分布式目录功能的系统的概念集合。(ISO等效标准为9594-1,相关标准为9594-x)(参见:目录与目录,x.509。)

Tutorial: The X.500 Directory is structured as a tree (the Directory Information Tree), and information is stored in directory entries. Each entry is a collection of information about one object, and each object has a DN. A directory entry is composed of attributes, each with a type and one or more values. For example, if a PKI uses the Directory to distribute

教程:X.500目录的结构是一棵树(目录信息树),信息存储在目录条目中。每个条目都是关于一个对象的信息集合,每个对象都有一个DN。目录项由属性组成,每个属性都有一个类型和一个或多个值。例如,如果PKI使用目录分发

certificates, then the X.509 public-key certificate of an end user is normally stored as a value of an attribute of type "userCertificate" in the Directory entry that has the DN that is the subject of the certificate.

证书,则最终用户的X.509公钥证书通常作为“userCertificate”类型属性的值存储在目录条目中,该目录条目具有作为证书主题的DN。

$ X.509 (N) An ITU-T Recommendation [X509] that defines a framework to provide and support data origin authentication and peer entity authentication, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs. (The ISO equivalent is IS 9498-4.) (See: X.500.)

$ X.509(N)ITU-T建议[X509],该建议定义了一个框架,以提供和支持数据源身份验证和对等实体身份验证,包括X.509公钥证书、X.509属性证书和X.509 CRL的格式。(ISO等效标准为9498-4)(参见:X.500。)

Tutorial: X.509 describes two "levels" of authentication: "simple authentication" and "strong authentication". It recommends, "While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services."

教程:X.509描述了两个“级别”的身份验证:“简单身份验证”和“强身份验证”。它建议,“虽然简单身份验证为未经授权的访问提供了一些有限的保护,但只应使用强身份验证作为提供安全服务的基础。”

$ X.509 attribute certificate (N) An attribute certificate in the version 1 (v1) format defined by X.509. (The v1 designation for an X.509 attribute certificate is disjoint from the v1 designation for an X.509 public-key certificate, and from the v1 designation for an X.509 CRL.)

$ X.509属性证书(N)X.509定义的版本1(v1)格式的属性证书。(X.509属性证书的v1指定与X.509公钥证书的v1指定和X.509 CRL的v1指定不相交。)

Tutorial: An X.509 attribute certificate has a "subject" field, but the attribute certificate is a separate data structure from that subject's public-key certificate. A subject may have multiple attribute certificates associated with each of its public-key certificates, and an attribute certificate may be issued by a different CA than the one that issued the associated public-key certificate.

教程:X.509属性证书有一个“subject”字段,但属性证书是一个独立于该主题的公钥证书的数据结构。一个主体可以有多个属性证书与其每个公钥证书相关联,并且属性证书可以由不同于颁发相关公钥证书的CA颁发。

An X.509 attribute certificate contains a sequence of data items and has a digital signature that is computed from that sequence. Besides the signature, an attribute certificate contains items 1 through 9 listed below:

X.509属性证书包含一系列数据项,并具有根据该序列计算的数字签名。除签名外,属性证书还包含下列第1项至第9项:

1. version Identifies v1. 2. subject Is one of the following: 2a. baseCertificateID Issuer and serial number of an X.509 public-key certificate. 2b. subjectName DN of the subject. 3. issuer DN of the issuer (the CA who signed). 4. signature OID of algorithm that signed the cert. 5. serialNumber Certificate serial number; an integer assigned by the issuer. 6. attCertValidityPeriod Validity period; a pair of UTCTime values: "not before" and "not after".

1. 版本标识v1。2.主题是以下内容之一:2a。baseCertificateID颁发者和X.509公钥证书的序列号。2b。subjectName主题的DN。3.发行人(签名的CA)的发行人DN。4.签署证书5的算法的签名OID。序列号证书序列号;由颁发者分配的整数。6.attCertValidityPeriod有效期;一对UTCTime值:“不在之前”和“不在之后”。

7. attributes Sequence of attributes describing the subject. 8. issuerUniqueId Optional, when a DN is not sufficient. 9. extensions Optional.

7. 属性描述主题的属性序列。8.当DN不足时,issuerUniqueId可选。9扩展是可选的。

$ X.509 certificate (N) Synonym for "X.509 public-key certificate".

$ X.509证书(N)是“X.509公钥证书”的同义词。

Usage: IDOCs MAY use this term as an abbreviation of "X.509 public-key certificate", but only after using the full term at the first instance. Otherwise, the term is ambiguous, because X.509 specifies both public-key certificates and attribute certificates. (See: X.509 attribute certificate, X.509 public-key certificate.)

用法:IDOCs可以将此术语用作“X.509公钥证书”的缩写,但必须首先使用完整术语。否则,该术语是不明确的,因为X.509同时指定公钥证书和属性证书。(请参阅:X.509属性证书、X.509公钥证书。)

Deprecated Usage: IDOCs SHOULD NOT use this term as an abbreviation of "X.509 attribute certificate", because the term is much more commonly used to mean "X.509 public-key certificate" and, therefore, is likely to be misunderstood.

不推荐使用:IDOCs不应将此术语用作“X.509属性证书”的缩写,因为该术语更常用于表示“X.509公钥证书”,因此可能会被误解。

$ X.509 certificate revocation list (CRL) (N) A CRL in one of the formats defined by X.509 -- version 1 (v1) or version 2 (v2). (The v1 and v2 designations for an X.509 CRL are disjoint from the v1 and v2 designations for an X.509 public-key certificate, and from the v1 designation for an X.509 attribute certificate.) (See: certificate revocation.)

$ X.509证书撤销列表(CRL)(N)采用X.509版本1(v1)或版本2(v2)定义的格式之一的CRL。(X.509 CRL的v1和v2指定与X.509公钥证书的v1和v2指定以及X.509属性证书的v1指定不相交。)(请参阅:证书吊销。)

Usage: IDOCs SHOULD NOT refer to an X.509 CRL as a digital certificate; however, note that an X.509 CRL does meet this Glossary's definition of "digital certificate". That is, like a digital certificate, an X.509 CRL makes an assertion and is signed by a CA. But instead of binding a key or other attributes to a subject, an X.509 CRL asserts that certain previously issued, X.509 certificates have been revoked.

用法:IDOCs不应将X.509CRL称为数字证书;但是,请注意,X.509 CRL确实符合本术语表对“数字证书”的定义。也就是说,与数字证书一样,X.509 CRL做出断言并由CA签名。但是,X.509 CRL不是将密钥或其他属性绑定到主题,而是断言某些以前颁发的X.509证书已被吊销。

Tutorial: An X.509 CRL contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, both v1 and v2 contain items 2 through 6b listed below. Version 2 contains item 1 and may optionally contain 6c and 7.

教程:一个X.509CRL包含一系列数据项,并在该序列上计算数字签名。除签名外,v1和v2均包含下列第2项至第6b项。版本2包含第1项,并且可以选择包含6c和7项。

1. version Optional. If present, identifies v2. 2. signature OID of the algorithm that signed CRL. 3. issuer DN of the issuer (the CA who signed). 4. thisUpdate A UTCTime value. 5. nextUpdate A UTCTime value. 6. revokedCertificates 3-tuples of 6a, 6b, and (optional) 6c: 6a. userCertificate A certificate's serial number. 6b. revocationDate UTCTime value for the revocation date. 6c. crlEntryExtensions Optional.

1. 版本可选。如果存在,则标识v2。2.签名CRL的算法的签名OID。3.发行人(签名的CA)的发行人DN。4.这将更新UTCTime值。5.nextUpdate一个UTCTime值。6.撤销6a、6b和(可选)6c:6a的3元组证书。userCertificate证书的序列号。6b。吊销日期的revocationDate UTCTime值。6c。crlEntryExtensions可选。

7. crlExtensions Optional.

7. CRL是可选的。

$ X.509 public-key certificate (N) A public-key certificate in one of the formats defined by X.509 -- version 1 (v1), version 2 (v2), or version 3 (v3). (The v1 and v2 designations for an X.509 public-key certificate are disjoint from the v1 and v2 designations for an X.509 CRL, and from the v1 designation for an X.509 attribute certificate.)

$ X.509公钥证书(N)采用X.509版本1(v1)、版本2(v2)或版本3(v3)定义的格式之一的公钥证书。(X.509公钥证书的v1和v2指定与X.509 CRL的v1和v2指定以及X.509属性证书的v1指定不相交。)

Tutorial: An X.509 public-key certificate contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, all three versions contain items 1 through 7 listed below. Only v2 and v3 certificates may also contain items 8 and 9, and only v3 may contain item 10.

教程:X.509公钥证书包含一系列数据项,并根据该序列计算数字签名。除签名外,所有三个版本均包含下列第1项至第7项。只有v2和v3证书可以包含第8项和第9项,只有v3可以包含第10项。

1. version Identifies v1, v2, or v3. 2. serialNumber Certificate serial number; an integer assigned by the issuer. 3. signature OID of algorithm that was used to sign the certificate. 4. issuer DN of the issuer (the CA who signed). 5. validity Validity period; a pair of UTCTime values: "not before" and "not after". 6. subject DN of entity who owns the public key. 7. subjectPublicKeyInfo Public key value and algorithm OID. 8. issuerUniqueIdentifier Defined for v2, v3; optional. 9. subjectUniqueIdentifier Defined for v2, v2; optional. 10. extensions Defined only for v3; optional.

1. 版本标识v1、v2或v3。2.序列号证书序列号;由颁发者分配的整数。3.用于对证书进行签名的算法的签名OID。4.发行人(签名的CA)的发行人DN。5.有效期;一对UTCTime值:“不在之前”和“不在之后”。6.拥有公钥的实体的主题DN。7.subjectPublicKeyInfo公钥值和算法OID。8.为v2、v3定义的issuerUniqueIdentifier;可选择的9为v2定义的subjectionIdentifier,v2;可选择的10仅为v3定义的扩展;可选择的

$ X9 (N) See: "Accredited Standards Committee X9" under "ANSI".

$ X9(N)参见“ANSI”下的“认证标准委员会X9”。

$ XML (N) See: Extensible Markup Language.

$ XML(N)参见:可扩展标记语言。

$ XML-Signature. (N) A W3C Recommendation (i.e., approved standard) that specifies XML syntax and processing rules for creating and representing digital signatures (based on asymmetric cryptography) that can be applied to any digital content (i.e., any data object) including other XML material.

$ XML签名。(N) W3C建议(即,批准的标准),指定用于创建和表示数字签名(基于非对称加密)的XML语法和处理规则,可应用于任何数字内容(即任何数据对象),包括其他XML材料。

$ Yellow Book (D) /slang/ Synonym for "Computer Security Requirements: Guidance for Applying the [U.S.] Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments" [CSC3] (See: "first law" under "Courtney's laws".)

$ 黄皮书(D)/俚语/同义词“计算机安全要求:在特定环境中应用[美国]国防部可信计算机系统评估标准的指南”[CSC3](参见“考特尼定律”下的“第一定律”。)

Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for that or any other document. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: Deprecated Usage under "Green Book", Rainbow Series.)

不推荐使用的术语:IDOCs不应将此术语用作该文档或任何其他文档的同义词。取而代之的是,使用文件的全称,或者在后续参考文献中使用常规缩写。(请参阅彩虹系列“绿皮书”下的弃用用法。)

$ zero-knowledge proof (I) /cryptography/ A proof-of-possession protocol whereby a system entity can prove possession of some information to another entity, without revealing any of that information. (See: proof-of-possession protocol.)

$ 零知识证明(I)/密码学/占有证明协议,通过该协议,系统实体可以向另一实体证明拥有某些信息,而无需披露任何此类信息。(参见:占有证明协议。)

$ zeroize 1. (I) Synonym for "erase". (See: sanitize.) Usage: Particularly with regard to erasing keys that are stored in a cryptographic module.

$ 归零1。(一) “擦除”的同义词。(请参阅:清理。)用法:特别是关于擦除存储在加密模块中的密钥。

2. (O) Erase electronically stored data by altering the contents of the data storage so as to prevent the recovery of the data. [FP140]

2. (O) 通过改变数据存储器的内容来擦除以电子方式存储的数据,以防止数据恢复。[FP140]

3. (O) "To remove or eliminate the key from a cryptoequipment or fill device." [C4009]

3. (O) “从加密设备或填充设备中移除或消除密钥。”[C4009]

Usage: The phrase "zeroize the device" normally is used to mean erasing all keys stored in the device, but sometimes means erasing all keying material in the device, or all cryptographic information in the device, or even all sensitive information in the device.

用法:“将设备归零”一词通常用于表示擦除设备中存储的所有密钥,但有时表示擦除设备中的所有密钥材料,或设备中的所有加密信息,甚至设备中的所有敏感信息。

$ zombie (I) /slang/ An Internet host computer that has been surreptitiously penetrated by an intruder that installed malicious daemon software to cause the host to operate as an accomplice in attacking other hosts, particularly in distributed attacks that attempt denial of service through flooding.

$ 僵尸(I)/俚语/一种Internet主机计算机,被安装了恶意守护程序软件的入侵者秘密侵入,导致主机作为共犯攻击其他主机,特别是在试图通过洪水拒绝服务的分布式攻击中。

Deprecated Usage: Other cultures likely use different metaphorical terms (such as "robot") for this concept, and some use this term for different concepts. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. Instead, use "compromised, coopted computer" or other explicitly descriptive terminology. (See: Deprecated Usage under "Green Book".)

不推荐的用法:其他文化可能会对这个概念使用不同的隐喻术语(如“机器人”),有些文化会对不同的概念使用这个术语。因此,为了避免国际上的误解,IDOC不应该使用这个术语。取而代之的是,使用“泄露的、被屏蔽的计算机”或其他明确的描述性术语。(请参阅“绿皮书”下不推荐的用法。)

$ zone of control (O) /EMSEC/ Synonym for "inspectable space". [C4009] (See: TEMPEST.)

$ 控制区(O)/EMSEC/同义词“可检查空间”。[C4009](见:暴风雨)

5. Security Considerations
5. 安全考虑

This document mainly defines security terms and recommends how to use them. It also provides limited tutorial information about security aspects of Internet protocols, but it does not describe in detail the vulnerabilities of, or threats to, specific protocols and does not definitively describe mechanisms that protect specific protocols.

本文档主要定义安全术语并建议如何使用它们。它还提供了有关Internet协议安全方面的有限教程信息,但没有详细描述特定协议的漏洞或威胁,也没有明确描述保护特定协议的机制。

6. Normative Reference
6. 规范性引用文件

[R2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[R2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

7. Informative References
7. 资料性引用

This Glossary focuses on the Internet Standards Process. Therefore, this set of informative references emphasizes international, governmental, and industrial standards documents. Some RFCs that are especially relevant to Internet security are mentioned in Glossary entries in square brackets (e.g., "[R1457]" in the entry for "security label") and are listed here; some other RFCs are mentioned in parentheses (e.g., "(RFC 959)" in the entry for "File Transport Protocol") but are not listed here.

本术语表重点介绍互联网标准过程。因此,这组参考资料强调国际、政府和行业标准文件。一些与互联网安全特别相关的RFC在方括号中的词汇表条目中提到(例如,“安全标签”条目中的“[R1457]”),并在此处列出;括号中提到了一些其他RFC(例如,“文件传输协议”条目中的“(RFC 959)”),但此处未列出。

[A1523] American National Standards Institute, "American National Standard Telecom Glossary", ANSI T1.523-2001.

[A1523]美国国家标准协会,“美国国家标准电信术语表”,ANSI T1.523-2001。

   [A3092]  ---, "American National Standard Data Encryption Algorithm",
            ANSI X3.92-1981, 30 December 1980.
        
   [A3092]  ---, "American National Standard Data Encryption Algorithm",
            ANSI X3.92-1981, 30 December 1980.
        
   [A9009]  ---, "Financial Institution Message Authentication
            (Wholesale)", ANSI X9.9-1986, 15 August 1986.
        
   [A9009]  ---, "Financial Institution Message Authentication
            (Wholesale)", ANSI X9.9-1986, 15 August 1986.
        
   [A9017]  ---, "Financial Institution Key Management (Wholesale)",
            X9.17, 4 April 1985. (Defines procedures for manual and
            automated management of keying material and uses DES to
            provide key management for a variety of operational
            environments.)
        
   [A9017]  ---, "Financial Institution Key Management (Wholesale)",
            X9.17, 4 April 1985. (Defines procedures for manual and
            automated management of keying material and uses DES to
            provide key management for a variety of operational
            environments.)
        
   [A9042]  ---, "Public key Cryptography for the Financial Service
            Industry: Agreement of Symmetric Keys Using Diffie-Hellman
            and MQV Algorithms", X9.42, 29 January 1999. (See: Diffie-
            Hellman-Merkle.)
        
   [A9042]  ---, "Public key Cryptography for the Financial Service
            Industry: Agreement of Symmetric Keys Using Diffie-Hellman
            and MQV Algorithms", X9.42, 29 January 1999. (See: Diffie-
            Hellman-Merkle.)
        
   [A9052]  ---, "Triple Data Encryption Algorithm Modes of Operation",
            X9.52-1998, ANSI approval 9 November 1998.
        
   [A9052]  ---, "Triple Data Encryption Algorithm Modes of Operation",
            X9.52-1998, ANSI approval 9 November 1998.
        
   [A9062]  ---, "Public Key Cryptography for the Financial Services
            Industry: The Elliptic Curve Digital Signature Algorithm
            (ECDSA)", X9.62-1998, ANSI approval 7 January 1999.
        
   [A9062]  ---, "Public Key Cryptography for the Financial Services
            Industry: The Elliptic Curve Digital Signature Algorithm
            (ECDSA)", X9.62-1998, ANSI approval 7 January 1999.
        
   [A9063]  ---, "Public Key Cryptography for the Financial Services
            Industry: Key Agreement and Key Transport Using Elliptic
            Curve Cryptography", X9.63-2001.
        
   [A9063]  ---, "Public Key Cryptography for the Financial Services
            Industry: Key Agreement and Key Transport Using Elliptic
            Curve Cryptography", X9.63-2001.
        

[ACM] Association for Computing Machinery, "Communications of the ACM", July 1998 issue with: M. Yeung, "Digital Watermarking"; N. Memom and P. Wong, "Protecting Digital Media Content"; and S. Craver, B.-L. Yeo, and M. Yeung, "Technical Trials and Legal Tribulations".

[ACM]计算机械协会,“ACM的通信”,1998年7月号,杨先生,“数字水印”;N.Memom和P.Wong,“保护数字媒体内容”;和S.Craver,B-L.Yeo和M.Yeung,“技术审判和法律磨难”。

[Ande] Anderson, J., "Computer Security Technology Planning Study", ESD-TR-73-51, Vols. I and II, USAF Electronics Systems Div., Bedford, MA, October 1972. (Available as AD-758206/772806, National Technical Information Service, Springfield, VA.)

[Ande]Anderson,J.,“计算机安全技术规划研究”,ESD-TR-73-51,卷。1972年10月,马萨诸塞州贝德福德,美国空军电子系统分部,一和二。(可作为AD-758206/772806,弗吉尼亚州斯普林菲尔德国家技术信息服务局提供。)

[ANSI] American National Standards Institute, "Role Based Access Control", Secretariat, Information Technology Industry Council, BSR INCITS 359, DRAFT, 10 November 2003.

[ANSI]美国国家标准协会,“基于角色的访问控制”,信息技术产业理事会秘书处,BSR INCITS 359,草案,2003年11月10日。

[Army] U.S. Army Corps of Engineers, "Electromagnetic Pulse (EMP) and Tempest Protection for Facilities", EP 1110-3-2, 31 December 1990.

[陆军]美国陆军工程兵团,“设施的电磁脉冲(EMP)和暴风雨防护”,EP 1110-3-2,1990年12月31日。

[B1822] Bolt Baranek and Newman Inc., "Appendix H: Interfacing a Host to a Private Line Interface", in "Specifications for the Interconnection of a Host and an IMP", BBN Report No. 1822, revised, December 1983.

[B1822]Bolt Baranek and Newman Inc.“附录H:将主机连接到专用线路接口”,在“主机与IMP互连规范”中,BBN第1822号报告,1983年12月修订。

   [B4799]  ---, "A History of the Arpanet: The First Decade", BBN
            Report No. 4799, April 1981.
        
   [B4799]  ---, "A History of the Arpanet: The First Decade", BBN
            Report No. 4799, April 1981.
        

[Bell] Bell, D. and L. LaPadula, "Secure Computer Systems: Mathematical Foundations and Model", M74-244, The MITRE Corporation, Bedford, MA, May 1973. (Available as AD-771543, National Technical Information Service, Springfield, VA.)

[Bell]Bell,D.和L.LaPadula,“安全计算机系统:数学基础和模型”,M74-244,麻省贝德福德米特尔公司,1973年5月。(可作为AD-771543,弗吉尼亚州斯普林菲尔德国家技术信息服务局提供。)

[Biba] K. Biba, "Integrity Considerations for Secure Computer Systems", ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA, April 1977.

[Biba]K.Biba,“安全计算机系统的完整性考虑”,ESD-TR-76-372,美国空军电子系统部,马萨诸塞州贝德福德,1977年4月。

[BN89] Brewer, D. and M. Nash, "The Chinese wall security policy", in "Proceedings of IEEE Symposium on Security and Privacy", May 1989, pp. 205-214.

[BN89]Brewer,D.和M.Nash,“中国墙安全政策”,载于《IEEE安全与隐私研讨会论文集》,1989年5月,第205-214页。

[BS7799] British Standards Institution, "Information Security Management, Part 1: Code of Practice for Information Security Management", BS 7799-1:1999, 15 May 1999.

[BS7799]英国标准协会,“信息安全管理,第1部分:信息安全管理实施规程”,BS 7799-1:1999,1999年5月15日。

            ---, "Information Security Management, Part 2: Specification
            for Information Security Management Systems", BS 7799-
            2:1999, 15 May 1999.
        
            ---, "Information Security Management, Part 2: Specification
            for Information Security Management Systems", BS 7799-
            2:1999, 15 May 1999.
        

[C4009] Committee on National Security Systems (U.S. Government), "National Information Assurance (IA) Glossary", CNSS Instruction No. 4009, revised June 2006.

[C4009]国家安全系统委员会(美国政府),“国家信息保障(IA)术语表”,CNSS第4009号指令,2006年6月修订。

[CCIB] Common Criteria Implementation Board, "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model", version 2.0, CCIB-98-026, May 1998.

[CCIB]通用标准实施委员会,“信息技术安全评估通用标准,第1部分:简介和通用模型”,2.0版,CCIB-98-026,1998年5月。

[Chau] D. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms", in "Communications of the ACM", vol. 24, no. 2, February 1981, pp. 84-88.

[Chau]D.Chaum,“无法追踪的电子邮件、回信地址和数字笔名”,载于“ACM通信”,第24卷,第2期,1981年2月,第84-88页。

[Cheh] Cheheyl, M., Gasser, M., Huff, G., and J. Millen, "Verifying Security", in "ACM Computing Surveys", vol. 13, no. 3, September 1981, pp. 279-339.

[Cheh]Cheheyl,M.,Gasser,M.,Huff,G.,和J.Millen,“验证安全性”,见“ACM计算调查”,第13卷,第3期,1981年9月,第279-339页。

[Chris] Chrissis, M. et al, 1993. "SW-CMM [Capability Maturity Model for Software Version", Release 3.0, Software Engineering Institute, Carnegie Mellon University, August 1996.

[克里斯]克里斯,M.等人,1993年。“SW-CMM[软件版本的能力成熟度模型”,3.0版,卡内基梅隆大学软件工程研究所,1996年8月。

[CIPSO] Trusted Systems Interoperability Working Group, "Common IP Security Option", version 2.3, 9 March 1993.

[CIPSO]可信系统互操作性工作组,“通用IP安全选项”,版本2.3,1993年3月9日。

[Clark] Clark, D. and D. Wilson, "A Comparison of Commercial and Military computer Security Policies", in "Proceedings of the IEEE Symposium on Security and Privacy", April 1987, pp. 184-194.

[Clark]Clark,D.和D.Wilson,“商用和军用计算机安全政策的比较”,载于《IEEE安全和隐私研讨会论文集》,1987年4月,第184-194页。

[Cons] NSA, "Consistency Instruction Manual for Development of U.S. Government Protection Profiles for Use in Basic Robustness Environments", Release 2.0, 1 March 2004

[Cons]NSA,“用于在基本健壮性环境中使用的美国政府保护配置文件开发的一致性说明手册”,2.0版,2004年3月1日

[CORBA] Object Management Group, Inc., "CORBAservices: Common Object Service Specification", December 1998.

[CORBA]对象管理集团有限公司,“CORBA服务:公共对象服务规范”,1998年12月。

[CSC1] U.S. DoD Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", CSC-STD-001- 83, 15 August 1983. (Superseded by [DoD1].)

[CSC1]美国国防部计算机安全中心,“国防部可信计算机系统评估标准”,CSC-STD-001-831983年8月15日。(被[DoD1]取代)

   [CSC2]   ---, "Department of Defense Password Management Guideline",
            CSC-STD-002-85, 12 April 1985.
        
   [CSC2]   ---, "Department of Defense Password Management Guideline",
            CSC-STD-002-85, 12 April 1985.
        
   [CSC3]   ---, "Computer Security Requirements: Guidance for Applying
            the Department of Defense Trusted Computer System Evaluation
            Criteria in Specific Environments", CSC-STD-003-85, 25 June
            1985.
        
   [CSC3]   ---, "Computer Security Requirements: Guidance for Applying
            the Department of Defense Trusted Computer System Evaluation
            Criteria in Specific Environments", CSC-STD-003-85, 25 June
            1985.
        

[CSOR] U.S. Department of Commerce, "General Procedures for Registering Computer Security Objects", National Institute of Standards Interagency Report 5308, December 1993.

[CSOR]美国商务部,“注册计算机安全对象的一般程序”,国家标准协会机构间报告5308,1993年12月。

[Daem] Daemen, J. and V. Rijmen, "Rijndael, the advanced encryption standard", in "Dr. Dobb's Journal", vol. 26, no. 3, March 2001, pp. 137-139.

[Daem]Daemen,J.和V.Rijmen,“Rijndael,高级加密标准”,载于“Dobb博士期刊”,第26卷,第3期,2001年3月,第137-139页。

[DC6/9] Director of Central Intelligence, "Physical Security Standards for Sensitive Compartmented Information Facilities", DCI Directive 6/9, 18 November 2002.

[DC6/9]中央情报局局长,“敏感分隔信息设施的物理安全标准”,DCI指令6/9,2002年11月18日。

[Denn] Denning, D., "A Lattice Model of Secure Information Flow", in "Communications of the ACM", vol. 19, no. 5, May 1976, pp. 236-243.

[Denng]Denning,D.,“安全信息流的晶格模型”,载于“ACM的通信”,第19卷,第5期,1976年5月,第236-243页。

[Denns] Denning, D. and P. Denning, "Data Security", in "ACM Computing Surveys", vol. 11, no. 3, September 1979, pp. 227- 249.

[Denns]Denning,D.和P.Denning,“数据安全”,摘自《ACM计算调查》,第11卷,第3期,1979年9月,第227-249页。

[DH76] Diffie, W. and M. Hellman, "New Directions in Cryptography", in "IEEE Transactions on Information Theory", vol. IT-22, no. 6, November 1976, pp. 644-654. (See: Diffie-Hellman-Merkle.)

[DH76]Diffie,W.和M.Hellman,“密码学的新方向”,《IEEE信息论交易》,第IT-22卷,第6期,1976年11月,第644-654页。(见Diffie Hellman Merkle)

[DoD1] U.S. DoD, "Department of Defense Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, 26 December 1985. (Supersedes [CSC1].) (Superseded by DoD Directive 8500.1.)

[DoD1]美国国防部,“国防部可信计算机系统评估标准”,国防部5200.28-STD,1985年12月26日。(取代[CSC1]。(被国防部指令8500.1取代。)

   [DoD4]   ---, "NSA Key Recovery Assessment Criteria", 8 June 1998.
        
   [DoD4]   ---, "NSA Key Recovery Assessment Criteria", 8 June 1998.
        
   [DoD5]   ---, Directive 5200.1, "DoD Information Security Program",
            13 December 1996.
        
   [DoD5]   ---, Directive 5200.1, "DoD Information Security Program",
            13 December 1996.
        
   [DoD6]   ---, "Department of Defense Technical Architecture Framework
            for Information Management, Volume 6: Department of Defense
            (DoD) Goal Security Architecture", Defense Information
            Systems Agency, Center for Standards, version 3.0, 15 April
            1996.
        
   [DoD6]   ---, "Department of Defense Technical Architecture Framework
            for Information Management, Volume 6: Department of Defense
            (DoD) Goal Security Architecture", Defense Information
            Systems Agency, Center for Standards, version 3.0, 15 April
            1996.
        
   [DoD7]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 7, 18 December 2002.
            (Superseded by [DoD9].)
        
   [DoD7]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 7, 18 December 2002.
            (Superseded by [DoD9].)
        
   [DoD9]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 9, 9 February 2005.
        
   [DoD9]   ---, "X.509 Certificate Policy for the United States
            Department of Defense", version 9, 9 February 2005.
        
   [DoD10]  ---, "DoD Architecture Framework, Version 1: Deskbook", 9
            February 2004.
        
   [DoD10]  ---, "DoD Architecture Framework, Version 1: Deskbook", 9
            February 2004.
        

[DSG] American Bar Association, "Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce", Chicago, IL, 1 August 1996. (See: [PAG].)

[DSG]美国律师协会,“数字签名准则:认证机构和安全电子商务的法律基础设施”,伊利诺伊州芝加哥,1996年8月1日。(见:[PAG])

[ElGa] El Gamal, T., "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", in "IEEE Transactions on Information Theory", vol. IT-31, no. 4, 1985, pp. 469- 472.

[ElGa]El Gamal,T.,“基于离散对数的公钥密码系统和签名方案”,载于“IEEE信息论交易”,第IT-31卷,第4期,1985年,第469-472页。

[EMV1] Europay International S.A., MasterCard International Incorporated, and Visa International Service Association, "EMV '96 Integrated Circuit Card Specification for Payment Systems", version 3.1.1, 31 May 1998.

[EMV1]Europay International S.A.,MasterCard International Incorporated和Visa国际服务协会,“支付系统用EMV'96集成电路卡规范”,版本3.1.11998年5月31日。

   [EMV2]   ---, "EMV '96 Integrated Circuit Card Terminal Specification
            for Payment Systems", version 3.1.1, 31 May 1998.
        
   [EMV2]   ---, "EMV '96 Integrated Circuit Card Terminal Specification
            for Payment Systems", version 3.1.1, 31 May 1998.
        
   [EMV3]   ---, "EMV '96 Integrated Circuit Card Application
            Specification for Payment Systems", version 3.1.1, 31 May
            1998.
        
   [EMV3]   ---, "EMV '96 Integrated Circuit Card Application
            Specification for Payment Systems", version 3.1.1, 31 May
            1998.
        

[F1037] U.S. General Services Administration, "Glossary of Telecommunications Terms", FED STD 1037C, 7 August 1996.

[F1037]美国总务管理局,“电信术语表”,联邦标准1037C,1996年8月7日。

[For94] Ford, W., "Computer Communications Security: Principles, Standard Protocols and Techniques", ISBN 0-13-799453-2, 1994.

[For94]Ford,W.,“计算机通信安全:原理、标准协议和技术”,ISBN 0-13-799453-21994。

   [For97]  --- and M. Baum, "Secure Electronic Commerce: Building the
            Infrastructure for Digital Signatures and Encryption", ISBN
            0-13-476342-4, 1994.
        
   [For97]  --- and M. Baum, "Secure Electronic Commerce: Building the
            Infrastructure for Digital Signatures and Encryption", ISBN
            0-13-476342-4, 1994.
        

[FP001] U.S. Department of Commerce, "Code for Information Interchange", Federal Information Processing Standards Publication (FIPS PUB) 1, 1 November 1968.

[FP001]美国商务部,“信息交换规范”,联邦信息处理标准出版物(FIPS PUB)1,1968年11月1日。

   [FP031]  ---, "Guidelines for Automatic Data Processing Physical
            Security and Risk Management", FIPS PUB 31, June 1974.
        
   [FP031]  ---, "Guidelines for Automatic Data Processing Physical
            Security and Risk Management", FIPS PUB 31, June 1974.
        
   [FP039]  ---, "Glossary for Computer Systems Security", FIPS PUB 39,
            15 February 1976.
        
   [FP039]  ---, "Glossary for Computer Systems Security", FIPS PUB 39,
            15 February 1976.
        
   [FP041]  ---, "Computer Security Guidelines for Implementing the
            Privacy Act of 1974", FIPS PUB 41, 30 May 1975.
        
   [FP041]  ---, "Computer Security Guidelines for Implementing the
            Privacy Act of 1974", FIPS PUB 41, 30 May 1975.
        
   [FP046]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.
        
   [FP046]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.
        
   [FP074]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.
        
   [FP074]  ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25
            October 1999.
        
   [FP081]  ---, "DES Modes of Operation", FIPS PUB 81, 2 December 1980.
        
   [FP081]  ---, "DES Modes of Operation", FIPS PUB 81, 2 December 1980.
        
   [FP087]  ---, "Guidelines for ADP Contingency Planning", FIPS PUB 87,
            27 March 1981.
        
   [FP087]  ---, "Guidelines for ADP Contingency Planning", FIPS PUB 87,
            27 March 1981.
        
   [FP102]  ---, "Guideline for Computer Security Certification and
            Accreditation", FIPS PUB 102, 27 September 1983.
        
   [FP102]  ---, "Guideline for Computer Security Certification and
            Accreditation", FIPS PUB 102, 27 September 1983.
        
   [FP113]  ---, "Computer Data Authentication", FIPS PUB 113, 30 May
            1985.
        
   [FP113]  ---, "Computer Data Authentication", FIPS PUB 113, 30 May
            1985.
        
   [FP140]  ---, "Security Requirements for Cryptographic Modules", FIPS
            PUB 140-2, 25 May 2001; with change notice 4, 3 December
            2002.
        
   [FP140]  ---, "Security Requirements for Cryptographic Modules", FIPS
            PUB 140-2, 25 May 2001; with change notice 4, 3 December
            2002.
        
   [FP151]  ---, "Portable Operating System Interface (POSIX) -- System
            Application Program Interface [C Language]", FIPS PUB 151-2,
            12 May 1993
        
   [FP151]  ---, "Portable Operating System Interface (POSIX) -- System
            Application Program Interface [C Language]", FIPS PUB 151-2,
            12 May 1993
        
   [FP180]  ---, "Secure Hash Standard", FIPS PUB 180-2, August 2000;
            with change notice 1, 25 February 2004.
        
   [FP180]  ---, "Secure Hash Standard", FIPS PUB 180-2, August 2000;
            with change notice 1, 25 February 2004.
        
   [FP185]  ---, "Escrowed Encryption Standard", FIPS PUB 185, 9
            February 1994.
        
   [FP185]  ---, "Escrowed Encryption Standard", FIPS PUB 185, 9
            February 1994.
        
   [FP186]  ---, "Digital Signature Standard (DSS)", FIPS PUB 186-2, 27
            June 2000; with change notice 1, 5 October 2001.
        
   [FP186]  ---, "Digital Signature Standard (DSS)", FIPS PUB 186-2, 27
            June 2000; with change notice 1, 5 October 2001.
        
   [FP188]  ---, "Standard Security Label for Information Transfer",
            FIPS PUB 188, 6 September 1994.
        
   [FP188]  ---, "Standard Security Label for Information Transfer",
            FIPS PUB 188, 6 September 1994.
        
   [FP191]  ---, "Guideline for the Analysis of Local Area Network
            Security", FIPS PUB 191, 9 November 1994.
        
   [FP191]  ---, "Guideline for the Analysis of Local Area Network
            Security", FIPS PUB 191, 9 November 1994.
        
   [FP197]  ---, "Advanced Encryption Standard", FIPS PUB 197, 26
            November 2001.
        
   [FP197]  ---, "Advanced Encryption Standard", FIPS PUB 197, 26
            November 2001.
        
   [FP199]  ---, "Standards for Security Categorization of Federal
            Information and Information Systems ", FIPS PUB 199,
            December 2003.
        
   [FP199]  ---, "Standards for Security Categorization of Federal
            Information and Information Systems ", FIPS PUB 199,
            December 2003.
        
   [FPKI]   ---, "Public Key Infrastructure (PKI) Technical
            Specifications: Part A -- Technical Concept of Operations",
            NIST, 4 September 1998.
        
   [FPKI]   ---, "Public Key Infrastructure (PKI) Technical
            Specifications: Part A -- Technical Concept of Operations",
            NIST, 4 September 1998.
        

[Gass] Gasser, M., "Building a Secure Computer System", Van Nostrand Reinhold Company, New York, 1988, ISBN 0-442- 23022-2.

[Gass]Gasser,M.,“建立一个安全的计算机系统”,Van Nostrand Reinhold公司,纽约,1988年,ISBN 0-442-23022-2。

[Gray] Gray, J. and A. Reuter, "Transaction Processing: Concepts and Techniques", Morgan Kaufmann Publishers, Inc., 1993.

[Gray]Gray,J.和A.Reuter,“交易处理:概念和技术”,摩根·考夫曼出版社,1993年。

[Hafn] Hafner, K. and M. Lyon, "Where Wizards Stay Up Late: The Origins of the Internet", Simon & Schuster, New York, 1996.

[Hafn]Hafner,K.和M.Lyon,“巫师们熬夜的地方:互联网的起源”,Simon&Schuster,纽约,1996年。

[Huff] Huff, G., "Trusted Computer Systems -- Glossary", MTR 8201, The MITRE Corporation, March 1981.

[Huff]Huff,G.,“可信计算机系统——术语表”,MTR 8201,米特公司,1981年3月。

[I3166] International Standards Organization, "Codes for the Representation of Names of Countries and Their Subdivisions, Part 1: Country Codes", ISO 3166-1:1997.

[I3166]国际标准组织,“国家及其分支机构名称表示代码,第1部分:国家代码”,ISO 3166-1:1997。

            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 2: Country Subdivision Codes",
            ISO/DIS 3166-2.
        
            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 2: Country Subdivision Codes",
            ISO/DIS 3166-2.
        
            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 3: Codes for Formerly Used Names of
            Countries", ISO/DIS 3166-3.
        
            ---, "Codes for the Representation of Names of Countries and
            Their Subdivisions, Part 3: Codes for Formerly Used Names of
            Countries", ISO/DIS 3166-3.
        
   [I7498-1] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, [Part 1:] Basic Reference
            Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation
            X.200.)
        
   [I7498-1] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, [Part 1:] Basic Reference
            Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation
            X.200.)
        
   [I7498-2] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 2: Security
            Architecture", ISO/IEC 7499-2.
        
   [I7498-2] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 2: Security
            Architecture", ISO/IEC 7499-2.
        
   [I7498-4] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 4: Management
            Framework", ISO/IEC 7498-4.
        
   [I7498-4] ---, "Information Processing Systems -- Open Systems
            Interconnection Reference Model, Part 4: Management
            Framework", ISO/IEC 7498-4.
        
   [I7812]  ---, "Identification cards -- Identification of Issuers,
            Part 1: Numbering System", ISO/IEC 7812-1:1993
        
   [I7812]  ---, "Identification cards -- Identification of Issuers,
            Part 1: Numbering System", ISO/IEC 7812-1:1993
        
            ---, "Identification cards -- Identification of Issuers,
            Part 2: Application and Registration Procedures", ISO/IEC
            7812-2:1993.
        
            ---, "Identification cards -- Identification of Issuers,
            Part 2: Application and Registration Procedures", ISO/IEC
            7812-2:1993.
        
   [I8073]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Transport Protocol Specification", ISO IS
            8073.
        
   [I8073]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Transport Protocol Specification", ISO IS
            8073.
        
   [I8327]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Session Protocol Specification", ISO IS
            8327.
        
   [I8327]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Session Protocol Specification", ISO IS
            8327.
        
   [I8473]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Protocol for Providing the Connectionless
            Network Service", ISO IS 8473.
        
   [I8473]  ---, "Information Processing Systems -- Open Systems
            Interconnection, Protocol for Providing the Connectionless
            Network Service", ISO IS 8473.
        
   [I8802-2] ---, "Information Processing Systems -- Local Area
            Networks, Part 2: Logical Link Control", ISO IS 8802-2.
            (Equivalent to IEEE 802.2.)
        
   [I8802-2] ---, "Information Processing Systems -- Local Area
            Networks, Part 2: Logical Link Control", ISO IS 8802-2.
            (Equivalent to IEEE 802.2.)
        
   [I8802-3] ---, "Information Processing Systems -- Local Area
            Networks, Part 3: Carrier Sense Multiple Access with
            Collision Detection (CSMA/CD) Access Method and Physical
            Layer Specifications", ISO IS 8802-3. (Equivalent to IEEE
            802.3.)
        
   [I8802-3] ---, "Information Processing Systems -- Local Area
            Networks, Part 3: Carrier Sense Multiple Access with
            Collision Detection (CSMA/CD) Access Method and Physical
            Layer Specifications", ISO IS 8802-3. (Equivalent to IEEE
            802.3.)
        
   [I8823]  ---, "Information Processing Systems -- Open Systems
            Interconnection -- Connection-Oriented Presentation Protocol
            Specification", ISO IS 8823.
        
   [I8823]  ---, "Information Processing Systems -- Open Systems
            Interconnection -- Connection-Oriented Presentation Protocol
            Specification", ISO IS 8823.
        

[I9945] "Portable Operating System Interface for Computer Environments", ISO/IEC 9945-1: 1990.

[I9945]“计算机环境的便携式操作系统接口”,ISO/IEC 9945-1:1990。

[IATF] NSA, "Information Assurance Technical Framework", Release 3, NSA, September 2000. (See: IATF.)

[IATF]NSA,“信息保障技术框架”,第3版,NSA,2000年9月。(见IATF)

   [IDSAN]  ---, "Intrusion Detection System Analyzer Protection
            Profile", version 1.1, NSA, 10 December 2001.
        
   [IDSAN]  ---, "Intrusion Detection System Analyzer Protection
            Profile", version 1.1, NSA, 10 December 2001.
        
   [IDSSC]  ---, "Intrusion Detection System Scanner Protection
            Profile", version 1.1, NSA, 10 December 2001.
        
   [IDSSC]  ---, "Intrusion Detection System Scanner Protection
            Profile", version 1.1, NSA, 10 December 2001.
        
   [IDSSE]  ---, "Intrusion Detection System Sensor Protection Profile",
            version 1.1, NSA, 10 December 2001.
        
   [IDSSE]  ---, "Intrusion Detection System Sensor Protection Profile",
            version 1.1, NSA, 10 December 2001.
        
   [IDSSY]  ---, "Intrusion Detection System", version 1.4, NSA, 4
            February 2002.
        
   [IDSSY]  ---, "Intrusion Detection System", version 1.4, NSA, 4
            February 2002.
        

[Ioan] Ioannidis, J. and M. Blaze, "The Architecture and Implementation of Network Layer Security in UNIX", in "UNIX Security IV Symposium", October 1993, pp. 29-39.

[Ioan]Ioannidis,J.和M.Blaze,“UNIX中网络层安全的体系结构和实现”,摘自“UNIX安全IV研讨会”,1993年10月,第29-39页。

[ITSEC] "Information Technology Security Evaluation Criteria (ITSEC): Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom", version 1.2, U.K. Department of Trade and Industry, June 1991.

[ITSEC] "Information Technology Security Evaluation Criteria (ITSEC): Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom", version 1.2, U.K. Department of Trade and Industry, June 1991.translate error, please retry

[JP1] U.S. DoD, "Department of Defense Dictionary of Military and Associated Terms", Joint Publication 1-02, as amended through 13 June 2007.

[JP1]美国国防部,“国防部军事和相关术语词典”,联合出版物1-02,经2007年6月13日修订。

[John] Johnson, N. and S. Jajodia, "Exploring Steganography; Seeing the Unseen", in "IEEE Computer", February 1998, pp. 26-34.

[John]Johnson,N.和S.Jajodia,“探索隐写术;看到看不见的”,收录于《IEEE计算机》,1998年2月,第26-34页。

[Kahn] Kahn, D., "The Codebreakers: The Story of Secret Writing", The Macmillan Company, New York, 1967.

卡恩,D.,“密码破坏者:秘密写作的故事”,麦克米伦公司,纽约,1967年。

[Knut] Knuth, D., Chapter 3 ("Random Numbers") of Volume 2 ("Seminumerical Algorithms") of "The Art of Computer Programming", Addison-Wesley, Reading, MA, 1969.

[Knuth]Knuth,D.,第2卷(“半数值算法”)第3章(“随机数”)《计算机编程的艺术》,Addison Wesley,Reading,MA,1969年。

[Kuhn] Kuhn, M. and R. Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in David Aucsmith, ed., "Information Hiding, Second International Workshop, IH'98", Portland, Oregon, USA, 15-17 April 1998, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp. 124-142.

[Kuhn]Kuhn,M.和R.Anderson,“软风暴:利用电磁辐射的隐藏数据传输”,David Aucsmith,ed.,“信息隐藏,第二届国际研讨会,IH'98”,美国俄勒冈州波特兰,1998年4月15日至17日,LNCS 1525,斯普林格·维拉格,ISBN 3-540-65386-4,第124-142页。

[Land] Landwehr, C., "Formal Models for Computer Security", in "ACM Computing Surveys", vol. 13, no. 3, September 1981, pp. 247- 278.

[Land]Landwehr,C.,“计算机安全的正式模型”,载于“ACM计算调查”,第13卷,第3期,1981年9月,第247-278页。

[Larm] Larmouth, J., "ASN.1 Complete", Open System Solutions, 1999 (a freeware book).

[Larm]Larmouth,J.,“ASN.1完整版”,开放系统解决方案,1999年(一本免费书籍)。

[M0404] U.S. Office of Management and Budget, "E-Authentication Guidance for Federal Agencies", Memorandum M-04-04, 16 December 2003.

[M0404]美国管理和预算办公室,“联邦机构电子认证指南”,备忘录M-04-04,2003年12月16日。

[Mene] Menezes, A. et al, "Some Key Agreement Protocols Providing Implicit Authentication", in "The 2nd Workshop on Selected Areas in Cryptography", 1995.

[Mene]Menezes,A.等人,“提供隐式认证的一些密钥协议协议”,在“第二届密码学选定领域研讨会”,1995年。

[Moor] Moore, A. et al, "Attack Modeling for Information Security and Survivability", Carnegie Mellon University / Software Engineering Institute, CMU/SEI-2001-TN-001, March 2001.

[Moor]Moore,A.等人,“信息安全和生存能力的攻击建模”,卡内基梅隆大学/软件工程研究所,CMU/SEI-2001-TN-001,2001年3月。

[Murr] Murray, W., "Courtney's Laws of Security", in "Infosecurity News", March/April 1993, p. 65.

[Murr]Murray,W.,“Courtney的安全法”,载于《信息安全新闻》,1993年3月/4月,第页。65

[N4001] National Security Telecommunications and Information System Security Committee, "Controlled Cryptographic Items", NSTISSI No. 4001, 25 March 1985.

[N4001]国家安全电信和信息系统安全委员会,“受控密码项目”,NSTISI第4001号,1985年3月25日。

   [N4006]  ---, "Controlled Cryptographic Items", NSTISSI No. 4006, 2
            December 1991.
        
   [N4006]  ---, "Controlled Cryptographic Items", NSTISSI No. 4006, 2
            December 1991.
        
   [N7003]  ---, "Protective Distribution Systems", NSTISSI No. 7003, 13
            December 1996.
        
   [N7003]  ---, "Protective Distribution Systems", NSTISSI No. 7003, 13
            December 1996.
        

[NCS01] National Computer Security Center, "A Guide to Understanding Audit in Trusted Systems", NCSC-TG-001, 1 June 1988. (See: Rainbow Series.)

[NCS01]国家计算机安全中心,“可信系统审计理解指南”,NCSC-TG-001,1988年6月1日。(请参阅:彩虹系列。)

   [NCS03]  ---, "Information System Security Policy Guideline", I942-
            TR-003, version 1, July 1994. (See: Rainbow Series.)
        
   [NCS03]  ---, "Information System Security Policy Guideline", I942-
            TR-003, version 1, July 1994. (See: Rainbow Series.)
        
   [NCS04]  ---, "Glossary of Computer Security Terms", NCSC-TG-004,
            version 1, 21 October 1988. (See: Rainbow Series.)
        
   [NCS04]  ---, "Glossary of Computer Security Terms", NCSC-TG-004,
            version 1, 21 October 1988. (See: Rainbow Series.)
        
   [NCS05]  ---, "Trusted Network Interpretation of the Trusted Computer
            System Evaluation Criteria", NCSC-TG-005, version 1, 31 July
            1987. (See: Rainbow Series.)
        
   [NCS05]  ---, "Trusted Network Interpretation of the Trusted Computer
            System Evaluation Criteria", NCSC-TG-005, version 1, 31 July
            1987. (See: Rainbow Series.)
        
   [NCS25]  ---, "A Guide to Understanding Data Remanence in Automated
            Information Systems", NCSC-TG-025, version 2, September
            1991. (See: Rainbow Series.)
        
   [NCS25]  ---, "A Guide to Understanding Data Remanence in Automated
            Information Systems", NCSC-TG-025, version 2, September
            1991. (See: Rainbow Series.)
        

[NCSSG] National Computer Security Center, "COMPUSECese: Computer Security Glossary", NCSC-WA-001-85, Edition 1, 1 October 1985. (See: Rainbow Series.)

[NCSSG]国家计算机安全中心,“计算机安全:计算机安全术语表”,NCSC-WA-001-85,第一版,1985年10月1日。(请参阅:彩虹系列。)

[NRC91] National Research Council, "Computers At Risk: Safe Computing in the Information Age", National Academy Press, 1991.

[NRC91]国家研究委员会,“处于危险中的计算机:信息时代的安全计算”,国家科学院出版社,1991年。

[NRC98] Schneider, F., ed., "Trust in Cyberspace", National Research Council, National Academy of Sciences, 1998.

[NRC98]Schneider,F.,ed.,“网络空间的信任”,国家研究委员会,国家科学院,1998年。

[Padl] Padlipsky, M., "The Elements of Networking Style", 1985, ISBN 0-13-268111-0.

[Padl]Padlipsky,M.,“网络风格的要素”,1985年,ISBN 0-13-268111-0。

[PAG] American Bar Association, "PKI Assessment Guidelines", version 1.0, 10 May 2002. (See: [DSG].)

[PAG]美国律师协会,“PKI评估指南”,1.0版,2002年5月10日。(见[DSG]。)

[Park] Parker, D., "Computer Security Management", ISBN 0-8359- 0905-0, 1981

[Park]Parker,D.,“计算机安全管理”,ISBN 0-8359-0905-01981

[Perr] Perrine, T. et al, "An Overview of the Kernelized Secure Operating System (KSOS)", in "Proceedings of the 7th DoD/NBS Computer Security Conference", 24-26 September 1984.

[Perr]Perrine,T.等人,“内核化安全操作系统(KSOS)概述”,发表于“第七届国防部/国家统计局计算机安全会议论文集”,1984年9月24日至26日。

[PGP] Garfinkel, S.. "PGP: Pretty Good Privacy", O'Reilly & Associates, Inc., Sebastopol, CA, 1995.

[PGP]加芬克尔,S。。“PGP:相当好的隐私”,O'Reilly&Associates,Inc.,加利福尼亚州塞巴斯托波尔,1995年。

[PKCS] Kaliski Jr., B., "An Overview of the PKCS Standards", RSA Data Security, Inc., 3 June 1991.

[PKCS]Kaliski Jr.,B.,“PKCS标准概述”,RSA数据安全公司,1991年6月3日。

[PKC05] RSA Laboratories, "PKCS #5: Password-Based Encryption Standard ", version 1.5, 1 November 1993. (See: RFC 2898.)

[PKC05]RSA实验室,“PKCS#5:基于密码的加密标准”,1.5版,1993年11月1日。(见:RFC 2898。)

   [PKC07]  ---, "PKCS #7: Cryptographic Message Syntax Standard",
            version 1.5, 1 November 1993. (See: RFC 2315.)
        
   [PKC07]  ---, "PKCS #7: Cryptographic Message Syntax Standard",
            version 1.5, 1 November 1993. (See: RFC 2315.)
        
   [PKC10]  ---, "PKCS #10: Certification Request Syntax Standard",
            version 1.0, 1 November 1993.
        
   [PKC10]  ---, "PKCS #10: Certification Request Syntax Standard",
            version 1.0, 1 November 1993.
        
   [PKC11]  ---, "PKCS #11: Cryptographic Token Interface Standard",
            version 1.0, 28 April 1995.
        
   [PKC11]  ---, "PKCS #11: Cryptographic Token Interface Standard",
            version 1.0, 28 April 1995.
        
   [PKC12]  ---, "PKCS #12: Personal Information Exchange Syntax",
            version 1.0, 24 June 1995.
        
   [PKC12]  ---, "PKCS #12: Personal Information Exchange Syntax",
            version 1.0, 24 June 1995.
        

[R1108] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

[R1108]Kent,S.,“美国国防部互联网协议的安全选项”,RFC 11081991年11月。

[R1135] Reynolds, J., "The Helminthiasis of the Internet", RFC 1135, December 1989

[R1135]Reynolds,J.,“互联网上的蠕虫病”,RFC 11351989年12月

[R1208] Jacobsen, O. and D. Lynch, "A Glossary of Networking Terms", RFC 1208, March 1991.

[R1208]Jacobsen,O.和D.Lynch,“网络术语表”,RFC 12081991年3月。

[R1281] Pethia, R., Crocker, S., and B. Fraser, "Guidelines for Secure Operation of the Internet", RFC 1281, November 1991.

[R1281]Pethia,R.,Crocker,S.,和B.Fraser,“互联网安全操作指南”,RFC 12811991年11月。

[R1319] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.

[R1319]Kaliski,B.,“MD2消息摘要算法”,RFC1319,1992年4月。

[R1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.

[R1320]Rivest,R.,“MD4消息摘要算法”,RFC1320,1992年4月。

   [R1321]  ---, "The MD5 Message-Digest Algorithm", RFC 1321, April
            1992.
        
   [R1321]  ---, "The MD5 Message-Digest Algorithm", RFC 1321, April
            1992.
        

[R1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.

[R1334]Lloyd,B.和W.Simpson,“PPP认证协议”,RFC 13341992年10月。

[R1413] St. Johns, M., "Identification Protocol", RFC 1413, February 1993.

[R1413]圣约翰,M.,“识别协议”,RFC 1413,1993年2月。

[R1421] Linn, J., "Privacy Enhancement for Internet Electronic Mail, Part I: Message Encryption and Authentication Procedures", RFC 1421, February 1993.

[R1421]Linn,J.,“互联网电子邮件的隐私增强,第一部分:信息加密和认证程序”,RFC 1421,1993年2月。

[R1422] Kent, S., "Privacy Enhancement for Internet Electronic Mail, Part II: Certificate-Based Key Management", RFC 1422, February 1993.

[R1422]Kent,S.,“互联网电子邮件的隐私增强,第二部分:基于证书的密钥管理”,RFC 1422,1993年2月。

[R1455] Eastlake 3rd, D., "Physical Link Security Type of Service", RFC 1455, May 1993.

[R1455]Eastlake 3rd,D.,“物理链路安全服务类型”,RFC 1455,1993年5月。

[R1457] Housley, R., "Security Label Framework for the Internet", RFC 1457, May 1993.

[R1457]Housley,R.,“互联网安全标签框架”,RFC 1457,1993年5月。

[R1492] Finseth, C., "An Access Control Protocol, Sometimes Called TACACS", RFC 1492, July 1993.

[R1492]Finseth,C.,“访问控制协议,有时称为TACACS”,RFC 1492,1993年7月。

[R1507] Kaufman, C., "DASS: Distributed Authentication Security Service", RFC 1507, September 1993.

[R1507]Kaufman,C.,“DASS:分布式认证安全服务”,RFC1507,1993年9月。

[R1731] Myers, J., "IMAP4 Authentication Mechanisms", RFC 1731, December 1994.

[R1731]迈尔斯,J.,“IMAP4认证机制”,RFC 17311994年12月。

   [R1734]  ---, "POP3 AUTHentication Command", RFC 1734, Dec, 1994.
        
   [R1734]  ---, "POP3 AUTHentication Command", RFC 1734, Dec, 1994.
        

[R1760] Haller, N., "The S/KEY One-Time Password System", RFC 1760, February 1995.

[R1760]Haller,N.,“S/KEY一次性密码系统”,RFC1760,1995年2月。

[R1824] Danisch, H., "The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)", RFC 1824, August 1995.

[R1824]Danisch,H.,“指数安全系统TESS:用于认证密钥交换的基于身份的加密协议(E.I.S.S.-报告1995/4)”,RFC 1824,1995年8月。

[R1828] Metzger, P. and W. Simpson, "IP Authentication using Keyed MD5", RFC 1828, August 1995.

[R1828]Metzger,P.和W.Simpson,“使用密钥MD5的IP认证”,RFC 1828,1995年8月。

[R1829] Karn, P., Metzger, P., and W. Simpson, "The ESP DES-CBC Transform", RFC 1829, August 1995.

[R1829]Karn,P.,Metzger,P.,和W.Simpson,“ESP DES-CBC转换”,RFC 1829,1995年8月。

[R1848] Crocker, S., Freed, N., Galvin, J., and S. Murphy, "MIME Object Security Services", RFC 1848, October 1995.

[R1848]Crocker,S.,Freed,N.,Galvin,J.,和S.Murphy,“MIME对象安全服务”,RFC 18481995年10月。

[R1851] Karn, P., Metzger, P., and W. Simpson, "The ESP Triple DES Transform", RFC 1851, September 1995.

[R1851]Karn,P.,Metzger,P.,和W.Simpson,“ESP三重DES变换”,RFC 18511995年9月。

[R1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and L. Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996.

[R1928]Leech,M.,Ganis,M.,Lee,Y.,Kuris,R.,Koblas,D.,和L.Jones,“SOCKS协议版本5”,RFC 19281996年3月。

[R1958] Carpenter, B., "Architectural Principles of the Internet", RFC 1958, June 1996.

[R1958]Carpenter,B.,“互联网的建筑原理”,RFC 19581996年6月。

[R1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.

[R1983]Malkin,G.,“互联网用户词汇表”,第18财年,RFC 1983年,1996年8月。

[R1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[R1994]辛普森,W.,“PPP挑战握手认证协议(CHAP)”,RFC 1994,1996年8月。

[R2078] Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2078, January 1997. (Superseded by RFC 2743.)

[R2078]林恩,J.,“通用安全服务应用程序接口,第2版”,RFC 2078,1997年1月。(由RFC 2743取代。)

[R2084] Bossert, G., Cooper, S., and W. Drummond, "Considerations for Web Transaction Security", RFC 2084, January 1997.

[R2084]Bossert,G.,Cooper,S.,和W.Drummond,“Web事务安全的注意事项”,RFC 2084,1997年1月。

[R2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[R2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息身份验证的键控哈希”,RFC 2104,1997年2月。

[R2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC 2144, May 1997.

[R2144]Adams,C.,“CAST-128加密算法”,RFC 2144,1997年5月。

[R2179] Gwinn, A., "Network Security For Trade Shows", RFC 2179, July 1997.

[R2179]Gwinn,A.,“贸易展览会的网络安全”,RFC 2179,1997年7月。

[R2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, September 1997.

[R2195]Klensin,J.,Catoe,R.,和P.Krumviede,“简单质询/响应的IMAP/POP授权扩展”,RFC 21951997年9月。

[R2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, September 1997.

[R2196]弗雷泽,B.,《现场安全手册》,第8期,RFC 2196,1997年9月。

[R2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, Sep. 1997.

[R2202]Cheng,P.和R.Glenn,“HMAC-MD5和HMAC-SHA-1的测试案例”,RFC 2202,1997年9月。

[R2222] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997.

[R2222]迈尔斯,J.,“简单认证和安全层(SASL)”,RFC22221997年10月。

[R2289] Haller, N., Metz, C., Nesser, P., and M. Straw, "A One-Time Password System", STD 61, RFC 2289, February 1998.

[R2289]Haller,N.,Metz,C.,Nesser,P.,和M.Straw,“一次性密码系统”,STD 61,RFC 2289,1998年2月。

[R2323] Ramos, A., "IETF Identification and Security Guidelines", RFC 2323, 1 April 1998. (Intended for humorous entertainment -- "please laugh loud and hard" -- and does not contain serious security information.)

[R2323]Ramos,A.,“IETF识别和安全指南”,RFC 23231998年4月1日。(用于幽默娱乐——“请大声大笑”——不包含严肃的安全信息。)

[R2350] Brownlee, N. and E. Guttman, "Expectations for Computer Security Incident Response", BCP 21, RFC 2350, June 1998.

[R2350]Brownlee,N.和E.Guttman,“对计算机安全事件响应的期望”,BCP 21,RFC 23501998年6月。

[R2356] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.

[R2356]黑山,G.和V.Gupta,“移动IP的Sun跳过防火墙穿越”,RFC 2356,1998年6月。

[R2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[R2401]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。

   [R2402]  ---, "IP Authentication Header", RFC 2402, November 1998.
        
   [R2402]  ---, "IP Authentication Header", RFC 2402, November 1998.
        

[R2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH", RFC 2403, November 1998.

[R2403]Madson,C.和R.Glenn,“HMAC-MD5-96在ESP和AH中的使用”,RFC 2403,1998年11月。

   [R2404]  ---, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404,
            November 1998.
        
   [R2404]  ---, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404,
            November 1998.
        

[R2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm With Explicit IV", RFC 2405, November 1998.

[R2405]Madson,C.和N.Doraswamy,“带显式IV的ESP DES-CBC密码算法”,RFC 2405,1998年11月。

[R2406] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[R2406]Kent,S.和R.Atkinson,“IP封装安全有效载荷(ESP)”,RFC 2406,1998年11月。

[R2407] Piper, D. "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[R2407]Piper,D.“ISAKMP解释的互联网IP安全域”,RFC 2407,1998年11月。

[R2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.

[R2408]Maughan,D.,Schertler,M.,Schneider,M.,和J.Turner,“互联网安全协会和密钥管理协议(ISAKMP)”,RFC 2408,1998年11月。

[R2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec", RFC 2410, November 1998.

[R2410]Glenn,R.和S.Kent,“空加密算法及其在IPsec中的使用”,RFC 2410,1998年11月。

[R2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998.

[R2412]Orman,H.,“奥克利密钥确定协议”,RFC 2412,1998年11月。

[R2451] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher Algorithms", RFC 2451, November 1998.

[R2451]Pereira,R.和R.Adams,“ESP CBC模式密码算法”,RFC 2451,1998年11月。

[R2504] Guttman, E., Leong, L., and G. Malkin, "Users' Security Handbook", RFC 2504, February 1999.

[R2504]Guttman,E.,Leong,L.和G.Malkin,“用户安全手册”,RFC 2504,1999年2月。

[R2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999.

[R2560]Myers,M.,Ankney,R.,Malpani,A.,Galperin,S.,和C.Adams,“X.509互联网公钥基础设施在线证书状态协议-OCSP”,RFC 25601999年6月。

[R2612] Adams, C. and J. Gilchrist, "The CAST-256 Encryption Algorithm", RFC 2612, June 1999.

[R2612]Adams,C.和J.Gilchrist,“CAST-256加密算法”,RFC2612,1999年6月。

[R2628] Smyslov, V., "Simple Cryptographic Program Interface (Crypto API)", RFC 2628, June 1999.

[R2628]Smyslov,V.,“简单加密程序接口(加密API)”,RFC 26281999年6月。

[R2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999. (See: Diffie-Hellman-Merkle.)

[R2631]Rescorla,E.,“Diffie-Hellman密钥协商方法”,RFC 26311999年6月。(见Diffie Hellman Merkle)

[R2634] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.

[R2634]Hoffman,P.,“S/MIME的增强安全服务”,RFC 2634,1999年6月。

[R2635] Hambridge, S. and A. Lunde, "DON'T SPEW: A Set of Guidelines for Mass Unsolicited Mailings and Postings", RFC 2635, June 1999.

[R2635]Hambridge,S.和A.Lunde,“不要吐:大量未经请求的邮件和帖子的一套指南”,RFC 26351999年6月。

[R2660] Rescorla, E. and A. Schiffman, "The Secure HyperText Transfer Protocol", RFC 2660, August 1999.

[R2660]Rescorla,E.和A.Schiffman,“安全超文本传输协议”,RFC 2660,1999年8月。

[R2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.

[R2743]林恩,J.,“通用安全服务应用程序接口版本2,更新1”,RFC 2743,2000年1月。

[R2773] Housley, R., Yee, P., and W. Nace, "Encryption using KEA and SKIPJACK", RFC 2773, February 2000.

[R2773]Housley,R.,Yee,P.,和W.Nace,“使用KEA和SKIPJACK进行加密”,RFC 27732000年2月。

[R2801] Burdett, D., "Internet Open Trading Protocol - IOTP, Version 1.0", RFC 2801, April 2000.

[R2801]Burdett,D.,“互联网开放交易协议-IOTP,1.0版”,RFC2801,2000年4月。

[R2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.

[R2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。

[R2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[R2865]Rigney,C.,Willens,S.,Rubens,A.,和W.Simpson,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。

[R3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

[R3060]Moore,B.,Ellesson,E.,Strassner,J.,和A.Westerinen,“政策核心信息模型——版本1规范”,RFC 3060,2001年2月。

[R3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001.

[R3198]Westerinen,A.,Schnizlein,J.,Strassner,J.,Scherling,M.,Quinn,B.,Herzog,S.,Huynh,A.,Carlson,M.,Perry,J.,和S.Waldbusser,“基于政策的管理术语”,RFC 3198,2001年11月。

[R3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[R3280]Housley,R.,Polk,W.,Ford,W.,和D.Solo,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)概要”,RFC 32802002年4月。

[R3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "Group Domain of Interpretation", RFC 3547, July 2003.

[R3547]Baugher,M.,Weis,B.,Hardjono,T.,和H.Harney,“解释的集团领域”,RFC 3547,2003年7月。

[R3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", RFC 3552, July 2003.

[R3552]Rescorla,E.和B.Korver,“关于安全考虑的RFC文本编写指南”,RFC 3552,2003年7月。

[R3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. Wu, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3647, November 2003.

[R3647]Chokhani,S.,Ford,W.,Sabett,R.,Merrill,C.,和S.Wu,“互联网X.509公钥基础设施证书政策和认证实践框架”,RFC 3647,2003年11月。

[R3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 Public Key Infrastructure: Qualified Certificates Profile", RFC 3739, March 2004.

[R3739]Santesson,S.,Nystrom,M.,和T.Polk,“互联网X.509公钥基础设施:合格证书档案”,RFC 37392004年3月。

[R3740] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004.

[R3740]Hardjono,T.和B.Weis,“多播组安全架构”,RFC 3740,2004年3月。

[R3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

[R3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,“可扩展身份验证协议(EAP)”,RFC 3748,2004年6月。

[R3766] Orman, H. and P. Hoffman, "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, April 2004.

[R3766]Orman,H.和P.Hoffman,“确定用于交换对称密钥的公钥的强度”,BCP 86,RFC 3766,2004年4月。

[R3820] Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M. Thompson, "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile", RFC 3820, June 2004.

[R3820]Tuecke,S.,Welch,V.,Engert,D.,Pearlman,L.,和M.Thompson,“互联网X.509公钥基础设施(PKI)代理证书配置文件”,RFC 3820,2004年6月。

[R3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.

[R3851]Ramsdell,B.,“安全/多用途Internet邮件扩展(S/MIME)版本3.1消息规范”,RFC 3851,2004年7月。

[R3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004.

[R3871]Jones,G.“大型互联网服务提供商(ISP)IP网络基础设施的运营安全要求”,RFC 3871,2004年9月。

[R4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

[R4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。

[R4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

[R4034]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 4034,2005年3月。

[R4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

[R4035]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。

[R4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[R4086]伊斯特莱克,D.,3,席勒,J.,和S.克罗克,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。

[R4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005.

[R4120]Neuman,C.,Yu,T.,Hartman,S.,和K.Raeburn,“Kerberos网络身份验证服务(V5)”,RFC 4120,2005年7月。

[R4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. Nicholas, "Internet X.509 Public Key Infrastructure: Certification Path Building", RFC 4158, September 2005.

[R4158]Cooper,M.,Dzambasow,Y.,Hesse,P.,Joseph,S.,和R.Nicholas,“互联网X.509公钥基础设施:认证路径构建”,RFC 4158,2005年9月。

[R4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, September 2005.

[R4210]Adams,C.,Farrell,S.,Kause,T.,和T.Mononen,“互联网X.509公钥基础设施证书管理协议(CMP)”,RFC 42102005年9月。

[R4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[R4301]Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。

[R4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005.

[R4302]Kent,S.,“IP认证头”,RFC4302005年12月。

[R4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

[R4303]Kent,S.,“IP封装安全有效载荷(ESP)”,RFC 4303,2005年12月。

[R4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.

[R4306]Kaufman,C.,“互联网密钥交换(IKEv2)协议”,RFC4306,2005年12月。

[R4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.

[R4346]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月。

[R4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006.

[R4422]Melnikov,A.和K.Zeilenga,“简单身份验证和安全层(SASL)”,RFC 4422,2006年6月。

[Raym] Raymond, E., ed., "The On-Line Hacker Jargon File", version 4.0.0, 24 July 1996. (See: http://www.catb.org/~esr/jargon for the latest version. Also, "The New Hacker's Dictionary", 3rd edition, MIT Press, September 1996, ISBN 0-262-68092-0.)

[Raym]Raymond,E.,ed.,“在线黑客行话文件”,版本4.0.0,1996年7月24日。(见:http://www.catb.org/~esr/最新版本的行话。另外,“新黑客词典”,第三版,麻省理工学院出版社,1996年9月,ISBN 0-262-68092-0。)

[Roge] Rogers, H., "An Overview of the CANEWARE Program", in "Proceedings of the 10th National Computer Security Conference", NIST and NCSC, September 1987.

[Roge]Rogers,H.,“CANEWARE项目概述”,摘自《第十届全国计算机安全会议记录》,NIST和NCSC,1987年9月。

[RSA78] Rivest, R., A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", in "Communications of the ACM", vol. 21, no. 2, February 1978, pp. 120-126.

[RSA78]Rivest,R.,A.Shamir和L.Adleman,“获取数字签名和公钥密码系统的方法”,载于“ACM通信”,第21卷,第2期,1978年2月,第120-126页。

[RSCG] NSA, "Router Security Configuration Guide: Principles and Guidance for Secure Configuration of IP Routers, with Detailed Instructions for Cisco Systems Routers", version 1.1c, C4-040R-02, 15 December 2005, available at http://www.nsa.gov/snac/routers/C4-040R-02.pdf.

[RSCG]NSA,“路由器安全配置指南:IP路由器安全配置的原则和指南,以及思科系统路由器的详细说明”,版本1.1c,C4-040R-02,2005年12月15日,可在http://www.nsa.gov/snac/routers/C4-040R-02.pdf.

[Russ] Russell, D. et al, Chapter 10 ("TEMPEST") of "Computer Security Basics", ISBN 0-937175-71-4, 1991.

[Russ]Russell,D.等人,《计算机安全基础》第10章(“暴风雨”),ISBN 0-937175-71-41991。

[SAML] Organization for the Advancement of Structured Information Standards (OASIS), "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)", version 1.1, 2 September 2003.

[SAML]结构化信息标准促进组织(OASIS),“OASIS安全断言标记语言(SAML)的断言和协议”,版本1.12003年9月2日。

[Sand] Sandhu, R. et al, "Role-Based Access Control Models", in "IEEE Computer", vol. 29, no. 2, February 1996, pp. 38-47.

[Sand]Sandhu,R.等人,“基于角色的访问控制模型”,载于“IEEE计算机”,第29卷,第2期,1996年2月,第38-47页。

[Schn] Schneier, B., "Applied Cryptography Second Edition", John Wiley & Sons, Inc., New York, 1996.

[Schn]Schneier,B.,“应用密码学第二版”,约翰·威利父子公司,纽约,1996年。

[SDNS3] U.S. DoD, NSA, "Secure Data Network Systems, Security Protocol 3 (SP3)", document SDN.301, Revision 1.5, 15 May 1989.

[SDNS3]美国国防部,国家安全局,“安全数据网络系统,安全协议3(SP3)”,文件SDN.301,修订版1.5,1989年5月15日。

   [SDNS4]  ---, "Secure Data Network Systems, Security Protocol 4
            (SP4)", document SDN.401, Revision 1.2, 12 July 1988.
        
   [SDNS4]  ---, "Secure Data Network Systems, Security Protocol 4
            (SP4)", document SDN.401, Revision 1.2, 12 July 1988.
        
   [SDNS7]  ---, "Secure Data Network Systems, Message Security Protocol
            (MSP)", SDN.701, Revision 4.0, 7 June 1996, with
            "Corrections to Message Security Protocol, SDN.701, Rev 4.0,
            96-06-07", 30 Aug, 1996.
        
   [SDNS7]  ---, "Secure Data Network Systems, Message Security Protocol
            (MSP)", SDN.701, Revision 4.0, 7 June 1996, with
            "Corrections to Message Security Protocol, SDN.701, Rev 4.0,
            96-06-07", 30 Aug, 1996.
        

[SET1] MasterCard and Visa, "SET Secure Electronic Transaction Specification, Book 1: Business Description", version 1.0, 31 May 1997.

[SET1]万事达卡和Visa,“SET安全电子交易规范,第1册:业务描述”,1.0版,1997年5月31日。

   [SET2]   ---, "SET Secure Electronic Transaction Specification, Book
            2: Programmer's Guide", version 1.0, 31 May 1997.
        
   [SET2]   ---, "SET Secure Electronic Transaction Specification, Book
            2: Programmer's Guide", version 1.0, 31 May 1997.
        

[SKEME] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange Mechanism for Internet", in "Proceedings of the 1996 Symposium on Network and Distributed Systems Security".

[SKEME]Krawczyk,H.,“SKEME:一种用于互联网的通用安全密钥交换机制”,发表于“1996年网络和分布式系统安全研讨会论文集”。

[SKIP] "SKIPJACK and KEA Algorithm Specifications", version 2.0, 22 May 1998, and "Clarification to the SKIPJACK Algorithm Specification", 9 May 2002 (available from NIST Computer Security Resource Center).

[跳过]“SKIPJACK和KEA算法规范”,版本2.0,1998年5月22日,以及“SKIPJACK算法规范的澄清”,2002年5月9日(可从NIST计算机安全资源中心获得)。

[SP12] NIST, "An Introduction to Computer Security: The NIST Handbook", Special Publication 800-12.

[SP12]NIST,“计算机安全简介:NIST手册”,特别出版物800-12。

[SP14] Swanson, M. et al (NIST), "Generally Accepted Principles and Practices for Security Information Technology Systems", Special Publication 800-14, September 1996.

[SP14]Swanson,M.等人(NIST),“安全信息技术系统的公认原则和实践”,特别出版物800-141996年9月。

[SP15] Burr, W. et al (NIST), "Minimum Interoperability Specification for PKI Components (MISPC), Version 1", Special Publication 800-15, September 1997.

[SP15]Burr,W.等人(NIST),“PKI组件的最低互操作性规范(MISPC),第1版”,特别出版物800-15,1997年9月。

[SP22] Rukhin, A. et al (NIST), "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", Special Publication 800-15, 15 May 2001.

[SP22]Rukhin,A.等人(NIST),“用于加密应用的随机数和伪随机数生成器的统计测试套件”,特别出版物800-15,2001年5月15日。

[SP27] Stoneburner, G. et al (NIST), "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", Special Publication 800-27 Rev A, June 2004.

[SP27]Stoneburner,G.等人(NIST),“信息技术安全的工程原理(实现安全的基线)”,特别出版物800-27 A版,2004年6月。

[SP28] Jansen, W. (NIST), "Guidelines on Active Content and Mobile Code", Special Publication 800-28, October 2001.

[SP28]Jansen,W.(NIST),“活动内容和移动代码指南”,特别出版物800-28,2001年10月。

[SP30] Stoneburner, G. et al (NIST), "Risk Management Guide for Information Technology Systems", Special Publication 800-30, October 2001.

[SP30]Stoneburner,G.等人(NIST),“信息技术系统风险管理指南”,特别出版物800-30,2001年10月。

[SP31] Bace, R. et al (NIST), "Intrusion Detection Systems", Special Publication 800-31.

[SP31]Bace,R.等人(NIST),“入侵检测系统”,特别出版物800-31。

[SP32] Kuhn, D. (NIST), "Introduction to Public Key Technology and the Federal PKI Infrastructure ", Special Publication 800-32, 26 February 2001.

[SP32]Kuhn,D.(NIST),“公钥技术和联邦PKI基础设施介绍”,特别出版物800-32,2001年2月26日。

[SP33] Stoneburner, G. (NIST), "Underlying Technical Models for Information Technology Security", Special Publication 800-33, December 2001.

[SP33]Stoneburner,G.(NIST),“信息技术安全的基础技术模型”,特别出版物800-332001年12月。

[SP37] Ross, R. et al (NIST), "Guide for the Security Certification and Accreditation of Federal Information Systems", Special Publication 800-37, May 2004.

[SP37]Ross,R.等人(NIST),“联邦信息系统安全认证和认可指南”,特别出版物800-37,2004年5月。

[SP38A] Dworkin, M. (NIST), "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", Special Publication 800-38A, 2001 Edition, December 2001.

[SP38A]Dworkin,M.(NIST),“分组密码操作模式的建议:方法和技术”,特别出版物800-38A,2001年版,2001年12月。

   [SP38B]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CMAC Mode for Authentication", Special Publication
            800-38B, May 2005.
        
   [SP38B]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CMAC Mode for Authentication", Special Publication
            800-38B, May 2005.
        
   [SP38C]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CCM Mode for Authentication and Confidentiality",
            Special Publication 800-38C, May 2004.
        
   [SP38C]  ---, "Recommendation for Block Cipher Modes of Operation:
            The CCM Mode for Authentication and Confidentiality",
            Special Publication 800-38C, May 2004.
        

[SP41] Wack, J. et al (NIST), "Guidelines on Firewalls and Firewall Policy", Special Publication 800-41, January 2002.

[SP41]Wack,J.等人(NIST),“防火墙和防火墙政策指南”,特别出版物800-41,2002年1月。

   [SP42]   ---, "Guideline on Network Security Testing", Special
            Publication 800-42, October 2003.
        
   [SP42]   ---, "Guideline on Network Security Testing", Special
            Publication 800-42, October 2003.
        

[SP56] NIST, "Recommendations on Key Establishment Schemes", Draft 2.0, Special Publication 800-63, January 2003.

[SP56]NIST,“关键设施方案建议”,草案2.0,特别出版物800-63,2003年1月。

   [SP57]   ---, "Recommendation for Key Management", Part 1 "General
            Guideline" and Part 2 "Best Practices for Key Management
            Organization", Special Publication 800-57, DRAFT, January
            2003.
        
   [SP57]   ---, "Recommendation for Key Management", Part 1 "General
            Guideline" and Part 2 "Best Practices for Key Management
            Organization", Special Publication 800-57, DRAFT, January
            2003.
        

[SP61] Grance, T. et al (NIST), "Computer Security Incident Handling Guide", Special Publication 800-57, January 2003.

[SP61]Grance,T.等人(NIST),“计算机安全事件处理指南”,特别出版物800-57,2003年1月。

[SP63] Burr, W. et al (NIST), "Electronic Authentication Guideline", Special Publication 800-63, June 2004

[SP63]Burr,W.等人(NIST),“电子认证指南”,特别出版物800-63,2004年6月

[SP67] Barker, W. (NIST), "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher", Special Publication 800-67, May 2004

[SP67]Barker,W.(NIST),“三重数据加密算法(TDEA)分组密码的建议”,特别出版物800-67,2004年5月

[Stal] Stallings, W., "Local Networks", 1987, ISBN 0-02-415520-9.

[Stallings],W.,“本地网络”,1987年,ISBN 0-02-415520-9。

[Stei] Steiner, J. et al, "Kerberos: An Authentication Service for Open Network Systems", in "Usenix Conference Proceedings", February 1988.

[Stei]Steiner,J.等人,“Kerberos:开放网络系统的身份验证服务”,发表于“Usenix会议记录”,1988年2月。

[Weis] Weissman, C., "Blacker: Security for the DDN: Examples of A1 Security Engineering Trades", in "Symposium on Security and Privacy", IEEE Computer Society Press, May 1992, pp. 286- 292.

[Weis]Weissman,C.,“Blacker:DDN的安全:A1安全工程行业的例子”,载于“安全与隐私研讨会”,IEEE计算机学会出版社,1992年5月,第286-292页。

[X400] International Telecommunications Union -- Telecommunication Standardization Sector (formerly "CCITT"), Recommendation X.400, "Message Handling Services: Message Handling System and Service Overview".

[X400]国际电信联盟——电信标准化部门(原“CCITT”),建议X.400,“信息处理服务:信息处理系统和服务概述”。

   [X419]   ---, "Message Handling Systems: Protocol Specifications",
            ITU-T Recommendation X.419. (Equivalent to ISO 10021-6).
        
   [X419]   ---, "Message Handling Systems: Protocol Specifications",
            ITU-T Recommendation X.419. (Equivalent to ISO 10021-6).
        
   [X420]   ---, "Message Handling Systems: Interpersonal Messaging
            System", ITU-T Recommendation X.420. (Equivalent to ISO
            10021-7.).
        
   [X420]   ---, "Message Handling Systems: Interpersonal Messaging
            System", ITU-T Recommendation X.420. (Equivalent to ISO
            10021-7.).
        
   [X500]   ---, Recommendation X.500, "Information Technology -- Open
            Systems Interconnection -- The Directory: Overview of
            Concepts, Models, and Services". (Equivalent to ISO 9594-1.)
        
   [X500]   ---, Recommendation X.500, "Information Technology -- Open
            Systems Interconnection -- The Directory: Overview of
            Concepts, Models, and Services". (Equivalent to ISO 9594-1.)
        
   [X501]   ---, Recommendation X.501, "Information Technology -- Open
            Systems Interconnection -- The Directory: Models".
        
   [X501]   ---, Recommendation X.501, "Information Technology -- Open
            Systems Interconnection -- The Directory: Models".
        
   [X509]   ---, Recommendation X.509, "Information Technology -- Open
            Systems Interconnection -- The Directory: Authentication
            Framework", COM 7-250-E Revision 1, 23 February 2001.
            (Equivalent to ISO 9594-8.)
        
   [X509]   ---, Recommendation X.509, "Information Technology -- Open
            Systems Interconnection -- The Directory: Authentication
            Framework", COM 7-250-E Revision 1, 23 February 2001.
            (Equivalent to ISO 9594-8.)
        
   [X519]   ---, Recommendation X.519, "Information Technology -- Open
            Systems Interconnection -- The Directory: Protocol
            Specifications".
        
   [X519]   ---, Recommendation X.519, "Information Technology -- Open
            Systems Interconnection -- The Directory: Protocol
            Specifications".
        
   [X520]   ---, Recommendation X.520, "Information Technology -- Open
            Systems Interconnection -- The Directory: Selected Attribute
            Types".
        
   [X520]   ---, Recommendation X.520, "Information Technology -- Open
            Systems Interconnection -- The Directory: Selected Attribute
            Types".
        
   [X680]   ---, Recommendation X.680, "Information Technology --
            Abstract Syntax Notation One (ASN.1) -- Specification of
            Basic Notation", 15 November 1994. (Equivalent to ISO/IEC
            8824-1.)
        
   [X680]   ---, Recommendation X.680, "Information Technology --
            Abstract Syntax Notation One (ASN.1) -- Specification of
            Basic Notation", 15 November 1994. (Equivalent to ISO/IEC
            8824-1.)
        
   [X690]   ---, Recommendation X.690, "Information Technology -- ASN.1
            Encoding Rules -- Specification of Basic Encoding Rules
            (BER), Canonical Encoding Rules (CER) and Distinguished
            Encoding Rules (DER)", 15 November 1994. (Equivalent to
            ISO/IEC 8825-1.)
        
   [X690]   ---, Recommendation X.690, "Information Technology -- ASN.1
            Encoding Rules -- Specification of Basic Encoding Rules
            (BER), Canonical Encoding Rules (CER) and Distinguished
            Encoding Rules (DER)", 15 November 1994. (Equivalent to
            ISO/IEC 8825-1.)
        
7. Acknowledgments
7. 致谢

George Huff had a good idea! [Huff]

乔治·哈夫有个好主意![怒火]

Author's Address

作者地址

Dr. Robert W. Shirey 3516 N. Kensington St. Arlington, Virginia 22207-1328 USA

罗伯特·W·雪莉博士美国弗吉尼亚州阿灵顿肯辛顿大街北3516号22207-1328

   EMail: rwshirey4949@verizon.net
        
   EMail: rwshirey4949@verizon.net
        

Full Copyright Statement

完整版权声明

Copyright (C) The IETF Trust (2007).

版权所有(C)IETF信托基金(2007年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78 and at www.rfc-editor.org/copyright.html, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78和www.rfc-editor.org/copyright.html中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。