Network Working Group R. Shirey
Request for Comments: 4949 August 2007
FYI: 36
Obsoletes: 2828
Category: Informational
Network Working Group R. Shirey
Request for Comments: 4949 August 2007
FYI: 36
Obsoletes: 2828
Category: Informational
Internet Security Glossary, Version 2
互联网安全词汇表,第2版
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
RFC Editor Note
RFC编辑说明
This document is both a major revision and a major expansion of the Security Glossary in RFC 2828. This revised Glossary is an extensive reference that should help the Internet community to improve the clarity of documentation and discussion in an important area of Internet technology. However, readers should be aware of the following:
本文档是RFC 2828中安全术语表的主要修订和主要扩展。本修订词汇表是一份广泛的参考资料,应有助于互联网社区提高互联网技术一个重要领域的文档和讨论的清晰度。但是,读者应注意以下几点:
(1) The recommendations and some particular interpretations in definitions are those of the author, not an official IETF position. The IETF has not taken a formal position either for or against recommendations made by this Glossary, and the use of RFC 2119 language (e.g., SHOULD NOT) in the Glossary must be understood as unofficial. In other words, the usage rules, wording interpretations, and other recommendations that the Glossary offers are personal opinions of the Glossary's author. Readers must judge for themselves whether or not to follow his recommendations, based on their own knowledge combined with the reasoning presented in the Glossary.
(1) 定义中的建议和某些特定解释是作者的建议和解释,而不是IETF的官方立场。IETF尚未采取正式立场支持或反对本术语表提出的建议,术语表中使用RFC 2119语言(如不应)必须理解为非官方。换句话说,术语表提供的使用规则、措辞解释和其他建议是术语表作者的个人意见。读者必须根据自己的知识,结合词汇表中的推理,自行判断是否遵循他的建议。
(2) The glossary is rich in the history of early network security work, but it may be somewhat incomplete in describing recent security work, which has been developing rapidly.
(2) 该词汇表丰富了早期网络安全工作的历史,但在描述最近迅速发展的安全工作时可能有些不完整。
Abstract
摘要
This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.
本术语表提供信息系统安全术语的定义、缩写和解释。334页的条目为提高互联网标准过程(RFC 2026)中产生的书面材料的可理解性提供了建议。这些建议遵循的原则是,此类文字应(a)在提及相同概念时使用相同的术语或定义;(b) 使用最简单的词典意义上的术语;(c) 使用公开出版物中已经确立的术语;和(d)避免使用有利于特定供应商或有利于特定技术或机制的条款,而不是使用已经存在或可以开发的其他竞争技术。
Table of Contents
目录
1. Introduction ....................................................3
2. Format of Entries ...............................................4
2.1. Order of Entries ...........................................4
2.2. Capitalization and Abbreviations ...........................5
2.3. Support for Automated Searching ............................5
2.4. Definition Type and Context ................................5
2.5. Explanatory Notes ..........................................6
2.6. Cross-References ...........................................6
2.7. Trademarks .................................................6
2.8. The New Punctuation ........................................6
3. Types of Entries ................................................7
3.1. Type "I": Recommended Definitions of Internet Origin .......7
3.2. Type "N": Recommended Definitions of Non-Internet Origin ...8
3.3. Type "O": Other Terms and Definitions To Be Noted ..........8
3.4. Type "D": Deprecated Terms and Definitions .................8
3.5. Definition Substitutions ...................................8
4. Definitions .....................................................9
5. Security Considerations .......................................343
6. Normative Reference ...........................................343
7. Informative References ........................................343
8. Acknowledgments ...............................................364
1. Introduction ....................................................3
2. Format of Entries ...............................................4
2.1. Order of Entries ...........................................4
2.2. Capitalization and Abbreviations ...........................5
2.3. Support for Automated Searching ............................5
2.4. Definition Type and Context ................................5
2.5. Explanatory Notes ..........................................6
2.6. Cross-References ...........................................6
2.7. Trademarks .................................................6
2.8. The New Punctuation ........................................6
3. Types of Entries ................................................7
3.1. Type "I": Recommended Definitions of Internet Origin .......7
3.2. Type "N": Recommended Definitions of Non-Internet Origin ...8
3.3. Type "O": Other Terms and Definitions To Be Noted ..........8
3.4. Type "D": Deprecated Terms and Definitions .................8
3.5. Definition Substitutions ...................................8
4. Definitions .....................................................9
5. Security Considerations .......................................343
6. Normative Reference ...........................................343
7. Informative References ........................................343
8. Acknowledgments ...............................................364
This Glossary is *not* an Internet Standard, and its recommendations represent only the opinions of its author. However, this Glossary gives reasons for its recommendations -- especially for the SHOULD NOTs -- so that readers can judge for themselves what to do.
本术语表*不是*互联网标准,其建议仅代表其作者的意见。然而,这个词汇表给出了建议的理由——特别是不应该这样做的理由——以便读者能够自己判断该做什么。
This Glossary provides an internally consistent and self-contained set of terms, abbreviations, and definitions -- supported by explanations, recommendations, and references -- for terminology that concerns information system security. The intent of this Glossary is to improve the comprehensibility of written materials that are generated in the Internet Standards Process (RFC 2026) -- i.e., RFCs, Internet-Drafts, and other items of discourse -- which are referred to here as IDOCs. A few non-security, networking terms are included to make the Glossary self-contained, but more complete glossaries of such terms are available elsewhere [A1523, F1037, R1208, R1983].
本术语表提供了一组内部一致且自包含的术语、缩写和定义,并提供了与信息系统安全相关的术语的解释、建议和参考。本词汇表旨在提高互联网标准过程(RFC 2026)中产生的书面材料的可理解性,即RFC、互联网草案和其他话语项目,此处称为IDOC。为了使术语表更加完整,还包括了一些非安全性的网络术语,但在其他地方可以找到更完整的此类术语表[A1523、F1037、R1208、R1983]。
This Glossary supports the goals of the Internet Standards Process:
本术语表支持互联网标准过程的目标:
o Clear, Concise, Easily Understood Documentation
o 清晰、简洁、易于理解的文档
This Glossary seeks to improve comprehensibility of security-related content of IDOCs. That requires wording to be clear and understandable, and requires the set of security-related terms and definitions to be consistent and self-supporting. Also, terminology needs to be uniform across all IDOCs; i.e., the same term or definition needs to be used whenever and wherever the same concept is mentioned. Harmonization of existing IDOCs need not be done immediately, but it is desirable to correct and standardize terminology when new versions are issued in the normal course of standards development and evolution.
本词汇表旨在提高IDOCs安全相关内容的可理解性。这要求措辞清晰易懂,并要求一套与安全相关的术语和定义保持一致和自我支持。此外,所有IDOC的术语都需要统一;i、 例如,无论何时何地提及相同的概念,都需要使用相同的术语或定义。不需要立即对现有的IDOC进行协调,但在标准开发和演变的正常过程中发布新版本时,需要纠正和标准化术语。
o Technical Excellence
o 技术卓越
Just as Internet Standard (STD) protocols should operate effectively, IDOCs should use terminology accurately, precisely, and unambiguously to enable standards to be implemented correctly.
正如互联网标准(STD)协议应该有效运行一样,IDOC应该准确、准确、明确地使用术语,以使标准能够正确实施。
o Prior Implementation and Testing
o 预先实施和测试
Just as STD protocols require demonstrated experience and stability before adoption, IDOCs need to use well-established language; and the robustness principle for protocols -- "be liberal in what you accept, and conservative in what you send" -- is also applicable to the language used in IDOCs that describe protocols. Using terms in their plainest, dictionary sense (when appropriate) helps to make them more easily understood by
正如STD协议在采用前需要证明经验和稳定性,IDOC需要使用成熟的语言;协议的健壮性原则——“接受的内容要自由,发送的内容要保守”——也适用于描述协议的IDoc中使用的语言。使用最简单的、词典意义上的术语(在适当的时候)有助于让读者更容易理解
international readers. IDOCs need to avoid using private, newly invented terms in place of generally accepted terms from open publications. IDOCs need to avoid substituting new definitions that conflict with established ones. IDOCs need to avoid using "cute" synonyms (e.g., "Green Book"), because no matter how popular a nickname may be in one community, it is likely to cause confusion in another.
国际读者。IDoc需要避免使用私人的、新发明的术语来代替公开出版物中普遍接受的术语。IDoc需要避免替换与现有定义冲突的新定义。idoc需要避免使用“可爱”的同义词(例如,“绿皮书”),因为无论一个昵称在一个社区中多么流行,它都可能在另一个社区中引起混淆。
However, although this Glossary strives for plain, internationally understood English language, its terms and definitions are biased toward English as used in the United States of America (U.S.). Also, with regard to terminology used by national governments and in national defense areas, the glossary addresses only U.S. usage.
然而,尽管本词汇表力求使用通俗易懂的国际英语,但其术语和定义偏向于美国(U.S.)使用的英语。此外,关于国家政府和国防领域使用的术语,术语表仅涉及美国的用法。
o Openness, Fairness, and Timeliness
o 公开、公平和及时性
IDOCs need to avoid using proprietary and trademarked terms for purposes other than referring to those particular systems. IDOCs also need to avoid terms that either favor a particular vendor or favor a particular security technology or mechanism over other, competing techniques that already exist or might be developed in the future. The set of terminology used across the set of IDOCs needs to be flexible and adaptable as the state of Internet security art evolves.
IDoc需要避免将专有和商标术语用于特定系统以外的目的。idoc还需要避免使用有利于特定供应商或特定安全技术或机制的术语,而不是使用已经存在或将来可能开发的其他竞争性技术。随着互联网安全技术的发展,IDOC中使用的术语集需要具有灵活性和适应性。
In support of those goals, this Glossary offers guidance by marking terms and definitions as being either endorsed or deprecated for use in IDOCs. The key words "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are intended to be interpreted the same way as in an Internet Standard (i.e., as specified in RFC 2119 [R2119]). Other glossaries (e.g., [Raym]) list additional terms that deal with Internet security but have not been included in this Glossary because they are not appropriate for IDOCs.
为了支持这些目标,本术语表通过将术语和定义标记为已认可或已弃用以在IDOCs中使用来提供指导。关键词“应该”、“不应该”、“建议”、“可能”和“可选”的解释方式与互联网标准中的解释方式相同(即,如RFC 2119[R2119]中的规定)。其他词汇表(例如,[Raym])列出了涉及互联网安全的其他术语,但由于这些术语不适用于IDOC,因此未包含在本词汇表中。
Section 4 presents Glossary entries in the following manner:
第4节以以下方式介绍术语表条目:
Entries are sorted in lexicographic order, without regard to capitalization. Numeric digits are treated as preceding alphabetic characters, and special characters are treated as preceding digits. Blanks are treated as preceding non-blank characters, except that a hyphen or slash between the parts of a multiword entry (e.g., "RED/BLACK separation") is treated like a blank.
条目按字典顺序排序,不考虑大小写。数字被视为前面的字母字符,特殊字符被视为前面的数字。空白字符被视为前面的非空白字符,但多字条目各部分之间的连字符或斜杠(例如,“红/黑分隔”)被视为空白字符。
If an entry has multiple definitions (e.g., "domain"), they are numbered beginning with "1", and any of those multiple definitions that are RECOMMENDED for use in IDOCs are presented before other definitions for that entry. If definitions are closely related (e.g., "threat"), they are denoted by adding letters to a number, such as "1a" and "1b".
如果一个条目有多个定义(例如,“域”),则它们以“1”开头编号,并且建议在IDoc中使用的任何多个定义都会在该条目的其他定义之前显示。如果定义密切相关(例如,“威胁”),则通过在数字上添加字母来表示,如“1a”和“1b”。
Entries that are proper nouns are capitalized (e.g., "Data Encryption Algorithm"), as are other words derived from proper nouns (e.g., "Caesar cipher"). All other entries are not capitalized (e.g., "certification authority"). Each acronym or other abbreviation that appears in this Glossary, either as an entry or in a definition or explanation, is defined in this Glossary, except items of common English usage, such as "a.k.a.", "e.g.", "etc.", "i.e.", "vol.", "pp.", and "U.S.".
专有名词条目大写(例如,“数据加密算法”),从专有名词派生的其他单词大写(例如,“凯撒密码”)。所有其他条目均不大写(例如,“认证机构”)。本词汇表中出现的每个首字母缩略词或其他缩写词,无论是作为词条还是定义或解释,均在本词汇表中定义,但常见英语用法的项目除外,如“a.k.a.”、“e.g.”、“等”、“i.e.”、“vol.”、“pp.”和“U.S.”。
Each entry is preceded by a dollar sign ($) and a space. This makes it possible to find the defining entry for an item "X" by searching for the character string "$ X", without stopping at other entries in which "X" is used in explanations.
每个条目前面都有一个美元符号($)和一个空格。这使得可以通过搜索字符串“$X”来查找项目“X”的定义条目,而无需在解释中使用“X”的其他条目处停止。
Each entry is preceded by a character -- I, N, O, or D -- enclosed in parentheses, to indicate the type of definition (as is explained further in Section 3): - "I" for a RECOMMENDED term or definition of Internet origin. - "N" if RECOMMENDED but not of Internet origin. - "O" for a term or definition that is NOT recommended for use in IDOCs but is something that authors of Internet documents should know about. - "D" for a term or definition that is deprecated and SHOULD NOT be used in Internet documents.
每个条目前面都有一个字符——I、N、O或D——用括号括起来,以表示定义的类型(如第3节中进一步解释的):“I”表示推荐的术语或互联网来源的定义。-“N”如果推荐,但不是来自互联网。-“O”表示一个术语或定义,该术语或定义不建议在IDOC中使用,但互联网文档的作者应该知道。-“D”表示已弃用且不应在Internet文档中使用的术语或定义。
If a definition is valid only in a specific context (e.g., "baggage"), that context is shown immediately following the definition type and is enclosed by a pair of slash symbols (/). If the definition is valid only for specific parts of speech, that is shown in the same way (e.g., "archive").
如果定义仅在特定上下文(例如“baggage”)中有效,则该上下文将紧跟在定义类型之后显示,并由一对斜杠符号(/)括起。如果定义仅对特定词类有效,则以相同方式显示(例如,“存档”)。
Some entries have explanatory text that is introduced by one or more of the following keywords: - Deprecated Abbreviation (e.g., "AA") - Deprecated Definition (e.g., "digital certification") - Deprecated Usage (e.g., "authenticate") - Deprecated Term (e.g., "certificate authority") - Pronunciation (e.g., "*-property") - Derivation (e.g., "discretionary access control") - Tutorial (e.g., "accreditation") - Example (e.g., "back door") - Usage (e.g., "access")
一些条目具有解释性文本,由以下一个或多个关键字引入:-不推荐的缩写(例如,“AA”)-不推荐的定义(例如,“数字认证”)-不推荐的用法(例如,“认证”)-不推荐的术语(例如,“证书颁发机构”)-发音(例如“*-属性”)-派生(例如。,“自主访问控制”)-教程(如“认证”)-示例(如“后门”)-用法(如“访问”)
Explanatory text in this Glossary MAY be reused in IDOCs. However, this text is not intended to authoritatively supersede text of an IDOC in which the Glossary entry is already used.
本术语表中的解释性文本可在IDOCs中重复使用。但是,本文本并不打算权威性地取代已经使用词汇表条目的IDOC文本。
Some entries contain a parenthetical remark of the form "(See: X.)", where X is a list of other, related terms. Some entries contain a remark of the form "(Compare: X)", where X is a list of terms that either are antonyms of the entry or differ in some other manner worth noting.
有些条目包含形式为“(见:X.)”的附加注释,其中X是其他相关术语的列表。有些条目包含形式为“(比较:X)”的备注,其中X是条目的反义词或以其他值得注意的方式不同的术语列表。
All servicemarks and trademarks that appear in this Glossary are used in an editorial fashion and to the benefit of the mark owner, without any intention of infringement.
本术语表中出现的所有服务商标和商标均以编辑方式使用,并符合商标所有者的利益,无任何侵权意图。
This Glossary uses the "new" or "logical" punctuation style favored by computer programmers, as described by Raymond [Raym]: Programmers use pairs of quotation marks the same way they use pairs of parentheses, i.e., as balanced delimiters. For example, if "Alice sends" is a phrase, and so are "Bill receives" and "Eve listens", then a programmer would write the following sentence:
本术语表使用计算机程序员喜欢的“新”或“逻辑”标点符号样式,如Raymond[Raym]所述:程序员使用引号对的方式与使用括号对的方式相同,即作为平衡分隔符。例如,如果“Alice sends”是一个短语,“Bill receives”和“Eve listens”也是一个短语,那么程序员将编写以下句子:
"Alice sends", "Bill receives", and "Eve listens".
“爱丽丝发送”、“比尔接收”和“伊芙倾听”。
According to standard American usage, the punctuation in that sentence is incorrect; the continuation commas and the final period should go inside the string quotes, like this:
根据美国的标准用法,那个句子中的标点符号不正确;连续逗号和最后一个句点应位于字符串引号内,如下所示:
"Alice sends," "Bill receives," and "Eve listens."
“爱丽丝发送”、“比尔接收”和“伊芙倾听。”
However, a programmer would not include a character in a literal string if the character did not belong there, because that could cause an error. For example, suppose a sentence in a draft of a tutorial on the vi editing language looked like this:
但是,如果某个字符不属于文本字符串,程序员将不会在该字符串中包含该字符,因为这可能会导致错误。例如,假设vi编辑语言教程草稿中的一句话如下所示:
Then delete one line from the file by typing "dd".
然后通过键入“dd”从文件中删除一行。
A book editor following standard usage might change the sentence to look like this:
遵循标准用法的图书编辑可能会将句子更改为:
Then delete one line from the file by typing "dd."
然后通过键入“dd”从文件中删除一行
However, in the vi language, the dot character repeats the last command accepted. So, if a reader entered "dd.", two lines would be deleted instead of one.
但是,在vi语言中,点字符重复接受的最后一个命令。因此,如果读卡器输入“dd.”,将删除两行而不是一行。
Similarly, use of standard American punctuation might cause misunderstanding in entries in this Glossary. Thus, the new punctuation is used here, and we recommend it for IDOCs.
同样,使用标准的美国标点符号可能会导致本词汇表中条目的误解。因此,这里使用了新的标点符号,我们建议IDOCs使用它。
Each entry in this Glossary is marked as type I, N, O, or D:
本术语表中的每个条目都标记为I、N、O或D类:
The marking "I" indicates two things: - Origin: "I" (as opposed to "N") means either that the Internet Standards Process or Internet community is authoritative for the definition *or* that the term is sufficiently generic that this Glossary can freely state a definition without contradicting a non-Internet authority (e.g., "attack"). - Recommendation: "I" (as opposed to "O") means that the term and definition are RECOMMENDED for use in IDOCs. However, some "I" entries may be accompanied by a "Usage" note that states a limitation (e.g., "certification"), and IDOCs SHOULD NOT use the defined term outside that limited context.
标记“I”表示两件事:-来源:“I”(与“N”相对)表示互联网标准流程或互联网社区对定义具有权威性*或*该术语具有足够的通用性,因此本术语表可以自由陈述定义,而不会与非互联网权威相抵触(例如,“攻击”)。-建议:“I”(与“O”相对)表示建议在IDOC中使用该术语和定义。但是,一些“I”条目可能会附带一个“用法”注释,说明限制(例如,“认证”),IDOC不应在该限制上下文之外使用定义的术语。
Many "I" entries are proper nouns (e.g., "Internet Protocol") for which the definition is intended only to provide basic information; i.e., the authoritative definition of such terms is found elsewhere. For a proper noun described as an "Internet protocol", please refer to the current edition of "Internet Official Protocol Standards" (Standard 1) for the standardization status of the protocol.
许多“I”条目是专有名词(例如,“互联网协议”),其定义仅用于提供基本信息;i、 例如,此类术语的权威定义可在其他地方找到。对于被描述为“互联网协议”的专有名词,请参考当前版本的“互联网官方协议标准”(标准1),了解协议的标准化状态。
The marking "N" indicates two things: - Origin: "N" (as opposed to "I") means that the entry has a non-Internet basis or origin. - Recommendation: "N" (as opposed to "O") means that the term and definition are RECOMMENDED for use in IDOCs, if they are needed at all in IDOCs. Many of these entries are accompanied by a label that states a context (e.g., "package") or a note that states a limitation (e.g., "data integrity"), and IDOCs SHOULD NOT use the defined term outside that context or limit. Some of the contexts are rarely if ever expected to occur in an IDOC (e.g., "baggage"). In those cases, the listing exists to make Internet authors aware of the non-Internet usage so that they can avoid conflicts with non-Internet documents.
标记“N”表示两件事:-来源:“N”(与“I”相对)表示条目具有非互联网基础或来源。-建议:“N”(与“O”相对)是指建议在IDOC中使用该术语和定义,前提是IDOC中需要这些术语和定义。其中许多条目都附有一个说明上下文的标签(例如,“包”)或一个说明限制的注释(例如,“数据完整性”),IDOC不应在该上下文或限制之外使用定义的术语。有些上下文很少出现在IDOC中(如“baggage”)。在这些情况下,该清单的存在是为了让互联网作者了解非互联网使用情况,从而避免与非互联网文档发生冲突。
The marking "O" means that the definition is of non-Internet origin and SHOULD NOT be used in IDOCs *except* in cases where the term is specifically identified as non-Internet.
标记“O”表示该定义来源于非互联网,不应在IDOCs*中使用,除非该术语被明确标识为非互联网。
For example, an IDOC might mention "BCA" (see: brand certification authority) or "baggage" as an example of some concept; in that case, the document should specifically say "SET(trademark) BCA" or "SET(trademark) baggage" and include the definition of the term.
例如,IDOC可能会提到“BCA”(参见:品牌认证机构)或“baggage”作为某些概念的示例;在这种情况下,文件应特别注明“SET(商标)BCA”或“SET(商标)行李”,并包括该术语的定义。
If this Glossary recommends that a term or definition SHOULD NOT be used in IDOCs, then the entry is marked as type "D", and an explanatory note -- "Deprecated Term", "Deprecated Abbreviation", "Deprecated Definition", or "Deprecated Usage" -- is provided.
如果本术语表建议在IDOCs中不使用术语或定义,则条目将标记为类型“D”,并提供解释性说明——“不推荐使用的术语”、“不推荐使用的缩写”、“不推荐使用的定义”或“不推荐使用的用法”。
Some terms have a definition published by a non-Internet authority -- a government (e.g., "object reuse"), an industry (e.g., "Secure Data Exchange"), a national authority (e.g., "Data Encryption Standard"), or an international body (e.g., "data confidentiality") -- that is suitable for use in IDOCs. In those cases, this Glossary marks the definition "N", recommending its use in Internet documents.
一些术语的定义由非互联网机构发布——政府(如“对象重用”)、行业(如“安全数据交换”)、国家机构(如“数据加密标准”)或国际机构(如“数据保密”)——适合在IDOC中使用。在这些情况下,本术语表将定义标记为“N”,建议在互联网文档中使用。
Other such terms have definitions that are inadequate or inappropriate for IDOCs. For example, a definition might be outdated or too narrow, or it might need clarification by substituting more careful wording (e.g., "authentication exchange") or explanations, using other terms that are defined in this Glossary. In those cases,
其他此类术语的定义不适用于IDOC。例如,一个定义可能已经过时或过于狭窄,或者可能需要通过使用本术语表中定义的其他术语替换更仔细的措辞(例如,“身份验证交换”)或解释来进行澄清。在这些情况下,
this Glossary marks the entry "O", and provides an "I" or "N" entry that precedes, and is intended to supersede, the "O" entry.
本术语表对条目“O”进行了标记,并在“O”条目之前提供了一个“I”或“N”条目,旨在取代“O”条目。
In some cases where this Glossary provides a definition to supersede an "O" definition, the substitute is intended to subsume the meaning of the "O" entry and not conflict with it. For the term "security service", for example, the "O" definition deals narrowly with only communication services provided by layers in the OSIRM and is inadequate for the full range of IDOC usage, while the new "I" definition provided by this Glossary can be used in more situations and for more kinds of service. However, the "O" definition is also listed so that IDOC authors will be aware of the context in which the term is used more narrowly.
在某些情况下,如果本术语表提供了一个取代“O”定义的定义,则替换词旨在包含“O”条目的含义,而不是与之冲突。例如,就术语“安全服务”而言,“O”定义仅狭隘地涉及OSIRM中各层提供的通信服务,不适合IDOC的全部使用,而本术语表提供的新“I”定义可用于更多情况和更多种类的服务。然而,也列出了“O”的定义,以便IDOC的作者了解该术语使用范围更窄的上下文。
When making substitutions, this Glossary attempts to avoid contradicting any non-Internet authority. Still, terminology differs between authorities such as the American Bar Association, OSI, SET, the U.S. DoD, and other authorities; and this Glossary probably is not exactly aligned with any of them.
在进行替换时,本术语表试图避免与任何非互联网权威相矛盾。尽管如此,美国律师协会、OSI、SET、美国国防部等机构和其他机构的术语仍有所不同;这个术语表可能与它们中的任何一个都不完全一致。
$ *-property (N) Synonym for "confinement property" in the context of the Bell-LaPadula model. Pronunciation: star property.
$ *-属性(N)是贝尔-拉帕杜拉模型中“限制属性”的同义词。发音:星级酒店。
$ 3DES (N) See: Triple Data Encryption Algorithm.
$ 3DES(N)参见:三重数据加密算法。
$ A1 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria". (Compare: beyond A1.)
$ A1计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。(比较:超出A1。)
$ AA (D) See: Deprecated Usage under "attribute authority".
$ AA(D)参见“属性权限”下的不推荐用法。
$ ABA Guidelines (N) "American Bar Association (ABA) Digital Signature Guidelines" [DSG], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.
$ 美国律师协会指南(N)“美国律师协会(ABA)数字签名指南”[DSG],在电子商务中使用数字签名和数字证书的法律原则框架。
$ Abstract Syntax Notation One (ASN.1) (N) A standard for describing data objects. [Larm, X680] (See: CMS.)
$ 抽象语法符号1(ASN.1)(N)描述数据对象的标准。[Larm,X680](参见:CMS)
Usage: IDOCs SHOULD use the term "ASN.1" narrowly to describe the notation or language called "Abstract Syntax Notation One". IDOCs MAY use the term more broadly to encompass the notation, its
用法:IDOCs应该狭义地使用术语“ASN.1”来描述称为“抽象语法符号1”的符号或语言。IDOCs可能会更广泛地使用该术语来包含符号,即
associated encoding rules (see: BER), and software tools that assist in its use, when the context makes this meaning clear.
相关的编码规则(请参阅:BER)和软件工具,当上下文明确了这一含义时,可帮助使用。
Tutorial: OSIRM defines computer network functionality in layers. Protocols and data objects at higher layers are abstractly defined to be implemented using protocols and data objects from lower layers. A higher layer may define transfers of abstract objects between computers, and a lower layer may define those transfers concretely as strings of bits. Syntax is needed to specify data formats of abstract objects, and encoding rules are needed to transform abstract objects into bit strings at lower layers. OSI standards use ASN.1 for those specifications and use various encoding rules for those transformations. (See: BER.)
教程:OSIRM在层中定义计算机网络功能。高层的协议和数据对象被抽象定义为使用下层的协议和数据对象来实现。上层可以定义计算机之间抽象对象的传输,下层可以将这些传输具体定义为位串。语法需要指定抽象对象的数据格式,编码规则需要在较低层将抽象对象转换为位字符串。OSI标准对这些规范使用ASN.1,并对这些转换使用各种编码规则。(见:BER)
In ASN.1, formal names are written without spaces, and separate words in a name are indicated by capitalizing the first letter of each word except the first word. For example, the name of a CRL is "certificateRevocationList".
在ASN.1中,正式名称是不带空格的,名称中的单独单词是通过大写每个单词的第一个字母来表示的,第一个单词除外。例如,CRL的名称是“CertificatereJournalist”。
$ ACC (I) See: access control center.
$ ACC(一)见:门禁中心。
$ acceptable risk (I) A risk that is understood and tolerated by a system's user, operator, owner, or accreditor, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. (See: adequate security, risk, "second law" under "Courtney's laws".)
$ 可接受风险(I)系统用户、运营商、所有者或认证机构理解和容忍的风险,通常是因为针对相关漏洞实施有效对策的成本或难度超过了损失预期。(参见:充分的安全、风险、“考特尼定律”下的“第二定律”。)
$ access 1a. (I) The ability and means to communicate with or otherwise interact with a system to use system resources either to handle information or to gain knowledge of the information the system contains. (Compare: handle.)
$ 通道1a。(一) 与系统通信或以其他方式与系统交互以使用系统资源来处理信息或获取系统包含的信息的能力和方法。(比较:句柄。)
Usage: The definition is intended to include all types of communication with a system, including one-way communication in either direction. In actual practice, however, passive users might be treated as not having "access" and, therefore, be exempt from most requirements of the system's security policy. (See: "passive user" under "user".)
用法:该定义旨在包括与系统的所有类型的通信,包括任一方向的单向通信。然而,在实际操作中,被动用户可能被视为没有“访问权”,因此可以免除系统安全策略的大多数要求。(请参阅“用户”下的“被动用户”。)
1b. (O) "Opportunity to make use of an information system (IS) resource." [C4009]
1b。(O) “利用信息系统(IS)资源的机会。”[C4009]
2. (O) /formal model/ "A specific type of interaction between a subject and an object that results in the flow of information from one to the other." [NCS04]
2. (O) /formal model/“主体和客体之间的一种特定类型的交互,导致信息从一个流向另一个。”[NCS04]
$ Access Certificate for Electronic Services (ACES) (O) A PKI operated by the U.S. Government's General Services Administration in cooperation with industry partners. (See: CAM.)
$ 电子服务访问证书(ACES)(O)由美国政府总务管理局与行业合作伙伴合作运营的PKI。(请参阅:CAM。)
$ access control 1. (I) Protection of system resources against unauthorized access.
$ 访问控制1。(一) 保护系统资源,防止未经授权的访问。
2. (I) A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. (See: access, access control service, computer security, discretionary access control, mandatory access control, role-based access control.)
2. (一) 一种过程,通过该过程,系统资源的使用根据安全策略进行管理,并且根据该策略,只有授权实体(用户、程序、进程或其他系统)才允许使用系统资源。(请参阅:访问、访问控制服务、计算机安全、自主访问控制、强制访问控制、基于角色的访问控制。)
3. (I) /formal model/ Limitations on interactions between subjects and objects in an information system.
3. (一) /形式模型/信息系统中主体和对象之间交互的限制。
4. (O) "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner." [I7498-2]
4. (O) “防止未经授权使用资源,包括防止以未经授权的方式使用资源。”[I7498-2]
5. (O) /U.S. Government/ A system using physical, electronic, or human controls to identify or admit personnel with properly authorized access to a SCIF.
5. (O) /美国政府/A使用物理、电子或人工控制来识别或接纳有权访问SCIF的人员的系统。
$ access control center (ACC) (I) A computer that maintains a database (possibly in the form of an access control matrix) defining the security policy for an access control service, and that acts as a server for clients requesting access control decisions.
$ 访问控制中心(ACC)(I)维护数据库(可能以访问控制矩阵的形式)的计算机,该数据库定义访问控制服务的安全策略,并充当请求访问控制决策的客户端的服务器。
Tutorial: An ACC is sometimes used in conjunction with a key center to implement access control in a key-distribution system for symmetric cryptography. (See: BLACKER, Kerberos.)
教程:ACC有时与密钥中心结合使用,以实现对称加密密钥分发系统中的访问控制。(请参阅:BLACKER,Kerberos。)
$ access control list (ACL) (I) /information system/ A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity. (Compare: access control matrix, access list, access profile, capability list.)
$ 访问控制列表(ACL)(I)/信息系统/通过列举允许访问资源的系统实体并隐式或显式说明授予每个实体的访问模式,实现系统资源访问控制的机制。(比较:访问控制矩阵、访问列表、访问配置文件、能力列表。)
$ access control matrix (I) A rectangular array of cells, with one row per subject and one column per object. The entry in a cell -- that is, the entry for a particular subject-object pair -- indicates the access mode that the subject is permitted to exercise on the object. Each column is
$ 访问控制矩阵(I)单元格的矩形阵列,每个主题一行,每个对象一列。单元格中的条目(即特定的subject-object对的条目)表示允许主体在对象上执行的访问模式。每列都是
equivalent to an "access control list" for the object; and each row is equivalent to an "access profile" for the subject.
相当于对象的“访问控制列表”;每一行相当于主题的“访问配置文件”。
$ access control service (I) A security service that protects against a system entity using a system resource in a way not authorized by the system's security policy. (See: access control, discretionary access control, identity-based security policy, mandatory access control, rule-based security policy.)
$ 访问控制服务(I)防止系统实体以未经系统安全策略授权的方式使用系统资源的安全服务。(请参阅:访问控制、自主访问控制、基于身份的安全策略、强制访问控制、基于规则的安全策略。)
Tutorial: This service includes protecting against use of a resource in an unauthorized manner by an entity (i.e., a principal) that is authorized to use the resource in some other manner. (See: insider.) The two basic mechanisms for implementing this service are ACLs and tickets.
教程:此服务包括防止被授权以其他方式使用资源的实体(即主体)以未经授权的方式使用资源。(请参阅:insider。)实现此服务的两种基本机制是ACL和票证。
$ access level 1. (D) Synonym for the hierarchical "classification level" in a security level. [C4009] (See: security level.)
$ 访问级别1。(D) 安全级别中分层“分类级别”的同义词。[C4009](请参阅:安全级别。)
2. (D) Synonym for "clearance level".
2. (D) “清除水平”的同义词。
Deprecated Definitions: IDOCs SHOULD NOT use this term with these definitions because they duplicate the meaning of more specific terms. Any IDOC that uses this term SHOULD provide a specific definition for it because access control may be based on many attributes other than classification level and clearance level.
不推荐使用的定义:IDoc不应将此术语与这些定义一起使用,因为它们重复了更具体术语的含义。任何使用该术语的IDOC都应该为其提供一个特定的定义,因为访问控制可能基于除分类级别和清除级别之外的许多属性。
$ access list (I) /physical security/ Roster of persons who are authorized to enter a controlled area. (Compare: access control list.)
$ 有权进入控制区的人员名单(I)/人身安全/名册。(比较:访问控制列表。)
$ access mode (I) A distinct type of data processing operation (e.g., read, write, append, or execute, or a combination of operations) that a subject can potentially perform on an object in an information system. [Huff] (See: read, write.)
$ 访问模式(I)主体可能对信息系统中的对象执行的不同类型的数据处理操作(例如,读取、写入、附加或执行,或操作组合)。[Huff](参见:读、写)
$ access policy (I) A kind of "security policy". (See: access, access control.)
$ 访问策略(I)一种“安全策略”。(请参见:访问,访问控制。)
$ access profile (O) Synonym for "capability list".
$ 访问配置文件(O)是“能力列表”的同义词。
Usage: IDOCs that use this term SHOULD state a definition for it because the definition is not widely known.
用法:使用这个术语的IDoc应该为它声明一个定义,因为这个定义并不广为人知。
$ access right (I) Synonym for "authorization"; emphasizes the possession of the authorization by a system entity.
$ 访问权(I)“授权”的同义词;强调系统实体拥有授权。
$ accountability (I) The property of a system or system resource that ensures that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions. [Huff] (See: audit service.)
$ 责任(I)系统或系统资源的属性,确保系统实体的行为可以唯一地追溯到该实体,然后该实体可以对其行为负责。[Huff](请参阅:审计服务。)
Tutorial: Accountability (a.k.a. individual accountability) typically requires a system ability to positively associate the identity of a user with the time, method, and mode of the user's access to the system. This ability supports detection and subsequent investigation of security breaches. Individual persons who are system users are held accountable for their actions after being notified of the rules of behavior for using the system and the penalties associated with violating those rules.
教程:责任制(也称为个人责任制)通常要求系统能够将用户身份与用户访问系统的时间、方法和模式积极关联。此功能支持对安全漏洞的检测和后续调查。作为系统用户的个人在被告知使用系统的行为规则以及与违反这些规则相关的处罚后,应对其行为负责。
$ accounting See: COMSEC accounting.
$ 会计见:通信安全会计。
$ accounting legend code (ALC) (O) /U.S. Government/ Numeric system used to indicate the minimum accounting controls required for items of COMSEC material within the CMCS. [C4009] (See: COMSEC accounting.)
$ 会计图例代码(ALC)(O)/美国政府/数字系统,用于指示CMCS内通信安全材料项目所需的最低会计控制。[C4009](参见:通信安全会计)
$ accreditation (N) An administrative action by which a designated authority declares that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. [FP102, SP37] (See: certification.)
$ 认证(N):一种行政行为,指定机构通过该行为宣布信息系统已获准在特定的安全配置下运行,并具有一套规定的安全措施。[FP102,SP37](参见:认证。)
Tutorial: An accreditation is usually based on a technical certification of the system's security mechanisms. To accredit a system, the approving authority must determine that any residual risk is an acceptable risk. Although the terms "certification" and "accreditation" are used more in the U.S. DoD and other U.S. Government agencies than in commercial organizations, the concepts apply any place where managers are required to deal with and accept responsibility for security risks. For example, the American Bar Association is developing accreditation criteria for CAs.
教程:认证通常基于系统安全机制的技术认证。要认证系统,审批机构必须确定任何剩余风险都是可接受的风险。虽然“认证”和“认可”这两个术语在美国国防部和其他美国政府机构中的使用比在商业组织中的使用要多,但这些概念适用于要求管理人员处理和承担安全风险责任的任何地方。例如,美国律师协会正在为CAs制定认证标准。
$ accreditation boundary (O) Synonym for "security perimeter". [C4009]
$ 认证边界(O)是“安全边界”的同义词。[C4009]
$ accreditor (N) A management official who has been designated to have the formal authority to "accredit" an information system, i.e., to authorize the operation of, and the processing of sensitive data in, the system and to accept the residual risk associated with the system. (See: accreditation, residual risk.)
$ 授权人(N):被指定具有正式授权对信息系统进行“授权”的管理人员,即授权对系统中的敏感数据进行操作和处理,并接受与系统相关的剩余风险。(参见:认证,剩余风险。)
$ ACES (O) See: Access Certificate for Electronic Services.
$ ACES(O)见:电子服务准入证书。
$ ACL (I) See: access control list.
$ ACL(I)见:访问控制列表。
$ acquirer 1. (O) /SET/ "The financial institution that establishes an account with a merchant and processes payment card authorizations and payments." [SET1]
$ 收单机构1。(O) /SET/“与商户建立账户并处理支付卡授权和支付的金融机构。”[SET1]
2. (O) /SET/ "The institution (or its agent) that acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system." [SET2]
2. (O) /SET/“从卡接受人处获取与交易有关的财务数据并将该数据导入交换系统的机构(或其代理人)。[SET2]
$ activation data (N) Secret data, other than keys, that is required to access a cryptographic module. (See: CIK. Compare: initialization value.)
$ 激活数据(N)访问加密模块所需的除密钥以外的机密数据。(请参见:CIK.Compare:初始化值。)
$ active attack (I) See: secondary definition under "attack".
$ 主动攻击(I)见“攻击”下的二级定义。
$ active content 1a. (I) Executable software that is bound to a document or other data file and that executes automatically when a user accesses the file, without explicit initiation by the user. (Compare: mobile code.)
$ 活性成分1a。(一) 绑定到文档或其他数据文件并在用户访问该文件时自动执行的可执行软件,无需用户明确启动。(比较:移动代码。)
Tutorial: Active content can be mobile code when its associated file is transferred across a network.
教程:通过网络传输相关文件时,活动内容可以是移动代码。
1b. (O) "Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. [This technology enables] mobile code associated with a document to execute as the document is rendered." [SP28]
1b。(O) “无需用户干预即可在计算机平台上自动执行或触发操作的电子文档。[该技术使]与文档相关联的移动代码能够在呈现文档时执行。”[SP28]
$ active user (I) See: secondary definition under "system user".
$ 活动用户(I)参见“系统用户”下的二级定义。
$ active wiretapping (I) A wiretapping attack that attempts to alter data being communicated or otherwise affect data flow. (See: wiretapping. Compare: active attack, passive wiretapping.)
$ 主动窃听(I)试图改变正在通信的数据或以其他方式影响数据流的窃听攻击。(请参阅:窃听。比较:主动攻击和被动窃听。)
$ add-on security (N) The retrofitting of protection mechanisms, implemented by hardware or software, in an information system after the system has become operational. [FP039] (Compare: baked-in security.)
$ 附加安全性(N):在信息系统开始运行后,通过硬件或软件对保护机制进行改造。[FP039](比较:安全烘焙。)
$ adequate security (O) /U.S. DoD/ "Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." (See: acceptable risk, residual risk.)
$ 充分安全(O)/美国国防部/“与信息丢失、误用或未经授权访问或修改造成的危害风险和程度相称的安全。”(参见:可接受风险,剩余风险。)
$ administrative security 1. (I) Management procedures and constraints to prevent unauthorized access to a system. (See: "third law" under "Courtney's laws", manager, operational security, procedural security, security architecture. Compare: technical security.)
$ 行政安全1。(一) 防止未经授权访问系统的管理程序和限制。(参见“科特尼定律”下的“第三定律”,运营安全、程序安全、安全架构经理。比较:技术安全。)
Examples: Clear delineation and separation of duties; configuration control.
例如:职责的明确划分和分离;配置控制。
Usage: Administrative security is usually understood to consist of methods and mechanisms that are implemented and executed primarily by people, rather than by automated systems.
用法:管理安全性通常被理解为由主要由人而不是由自动化系统实现和执行的方法和机制组成。
2. (O) "The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data." [FP039]
2. (O) “为为敏感数据提供可接受的保护水平而建立的管理约束、操作程序、问责程序和补充控制。”[FP039]
$ administrator 1. (O) /Common Criteria/ A person that is responsible for configuring, maintaining, and administering the TOE in a correct manner for maximum security. (See: administrative security.)
$ 管理员1。(O) /Common Criteria/负责以正确的方式配置、维护和管理TOE以实现最大安全性的人员。(请参阅:管理安全。)
2. (O) /ITSEC/ A person in contact with the TOE, who is responsible for maintaining its operational capability.
2. (O) /ITSEC/与TOE接触的人员,负责维持其操作能力。
$ Advanced Encryption Standard (AES) (N) A U.S. Government standard [FP197] (the successor to DES) that (a) specifies "the AES algorithm", which is a symmetric block cipher that is based on Rijndael and uses key sizes of 128, 192, or 256 bits to operate on a 128-bit block, and (b) states policy for using that algorithm to protect unclassified, sensitive data.
$ 高级加密标准(AES)(N)美国政府标准[FP197](DES的继承者),其中(A)规定了“AES算法”,这是一种基于Rijndael的对称分组密码,使用128、192或256位密钥大小对128位块进行操作,并且(b)规定了使用该算法保护未分类数据的策略,敏感数据。
Tutorial: Rijndael was designed to handle additional block sizes and key lengths that were not adopted in the AES. Rijndael was selected by NIST through a public competition that was held to find a successor to the DEA; the other finalists were MARS, RC6, Serpent, and Twofish.
教程:Rijndael设计用于处理AES中未采用的额外块大小和键长度。Rijndael是NIST通过公开竞争选出的,该竞争旨在寻找DEA的继任者;其他入围者是MARS、RC6、Serpent和Twofish。
$ adversary 1. (I) An entity that attacks a system. (Compare: cracker, intruder, hacker.)
$ 对手1。(一) 攻击系统的实体。(比较:黑客、入侵者、黑客。)
2. (I) An entity that is a threat to a system.
2. (一) 对系统构成威胁的实体。
$ AES (N) See: Advanced Encryption Standard.
$ AES(N)参见:高级加密标准。
$ Affirm (O) A formal methodology, language, and integrated set of software tools developed at the University of Southern California's Information Sciences Institute for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]
$ 肯定(o)在南加州大学信息科学研究所开发的用于指定、编码和验证软件以产生正确和可靠程序的正式方法、语言和成套软件工具。[车]
$ aggregation (I) A circumstance in which a collection of information items is required to be classified at a higher security level than any of the items is classified individually. (See: classification.)
$ 聚合(I)一种情况,在这种情况下,信息项集合需要在比单独分类的任何信息项更高的安全级别上进行分类。(见:分类。)
$ AH (I) See: Authentication Header
$ AH(I)参见:认证头
$ air gap (I) An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control). (See: sneaker net. Compare: gateway.)
$ 气隙(I)两个系统之间的接口,其中(a)它们没有物理连接,(b)任何逻辑连接都不是自动的(即,数据仅在人工控制下通过接口传输)。(参见:运动鞋网。比较:网关。)
Example: Computer A and computer B are on opposite sides of a room. To move data from A to B, a person carries a disk across the room. If A and B operate in different security domains, then moving data across the air gap may involve an upgrade or downgrade operation.
示例:计算机A和计算机B位于房间的两侧。要将数据从A移动到B,一个人携带一张磁盘穿过房间。如果A和B在不同的安全域中运行,那么跨气隙移动数据可能涉及升级或降级操作。
$ ALC (O) See: accounting legend code.
$ ALC(O)参见:会计图例代码。
$ algorithm (I) A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. (See: cryptographic algorithm.)
$ 算法(I)用于解决问题或计算过程的一组有限的分步指令,特别是可以由计算机实现的指令。(请参阅:加密算法。)
$ alias (I) A name that an entity uses in place of its real name, usually for the purpose of either anonymity or masquerade.
$ 别名(I)实体用以代替真实姓名的名称,通常用于匿名或伪装。
$ Alice and Bob (I) The parties that are most often called upon to illustrate the operation of bipartite security protocols. These and other dramatis personae are listed by Schneier [Schn].
$ Alice和Bob(I)最常被要求说明双边安全协议操作的各方。Schneier[Schn]列出了这些和其他戏剧人物。
$ American National Standards Institute (ANSI) (N) A private, not-for-profit association that administers U.S. private-sector voluntary standards.
$ 美国国家标准协会(ANSI)(N):一个管理美国私营部门自愿性标准的非营利私人协会。
Tutorial: ANSI has approximately 1,000 member organizations, including equipment users, manufacturers, and others. These include commercial firms, governmental agencies, and other institutions and international entities.
教程:ANSI有大约1000个成员组织,包括设备用户、制造商和其他组织。其中包括商业公司、政府机构以及其他机构和国际实体。
ANSI is the sole U.S. representative to (a) ISO and (b) (via the U.S. National Committee) the International Electrotechnical Commission (IEC), which are the two major, non-treaty, international standards organizations.
ANSI是(a)ISO和(b)(通过美国国家委员会)国际电工委员会(IEC)的唯一美国代表,这两个主要的非条约国际标准组织。
ANSI provides a forum for ANSI-accredited standards development groups. Among those groups, the following are especially relevant to Internet security: - International Committee for Information Technology Standardization (INCITS) (formerly X3): Primary U.S. focus of standardization in information and communications technologies, encompassing storage, processing, transfer, display, management, organization, and retrieval of information. Example: [A3092]. - Accredited Standards Committee X9: Develops, establishes, maintains, and promotes standards for the financial services industry. Example: [A9009]. - Alliance for Telecommunications Industry Solutions (ATIS): Develops standards, specifications, guidelines, requirements, technical reports, industry processes, and verification tests for interoperability and reliability of telecommunications networks, equipment, and software. Example: [A1523].
ANSI为ANSI认证的标准开发小组提供了一个论坛。在这些群体中,以下群体与互联网安全特别相关:-国际信息技术标准化委员会(INCITS)(前身为X3):美国信息和通信技术标准化的主要重点,包括存储、处理、传输、显示、管理、组织,和信息检索。示例:[A3092]。-认可标准委员会X9:为金融服务行业制定、建立、维护和推广标准。示例:[A9009]。-电信行业解决方案联盟(ATIS):为电信网络、设备和软件的互操作性和可靠性制定标准、规范、指南、要求、技术报告、行业流程和验证测试。示例:[A1523]。
$ American Standard Code for Information Interchange (ASCII) (N) A scheme that encodes 128 specified characters -- the numbers 0-9, the letters a-z and A-Z, some basic punctuation symbols, some control codes that originated with Teletype machines, and a blank space -- into the 7-bit binary integers. Forms the basis of the character set representations used in most computers and many Internet standards. [FP001] (See: code.)
$ 美国信息交换标准代码(ASCII)(N)一种将128个指定字符(数字0-9、字母A-z和A-z、一些基本标点符号、一些源自电传打字机的控制代码和一个空格)编码为7位二进制整数的方案。构成大多数计算机和许多Internet标准中使用的字符集表示的基础。[FP001](见:代码)
$ Anderson report (O) A 1972 study of computer security that was written by James P. Anderson for the U.S. Air Force [Ande].
$ 安德森报告(O):一份1972年的计算机安全研究报告,由詹姆斯·安德森为美国空军[Ande]撰写。
Tutorial: Anderson collaborated with a panel of experts to study Air Force requirements for multilevel security. The study recommended research and development that was urgently needed to provide secure information processing for command and control systems and support systems. The report introduced the reference monitor concept and provided development impetus for computer and network security technology. However, many of the security problems that the 1972 report called "current" still plague information systems today.
教程:安德森与专家小组合作,研究空军对多级安全的要求。这项研究建议进行迫切需要的研究和开发,以便为指挥和控制系统及支助系统提供安全的信息处理。该报告介绍了参考监视器的概念,并为计算机和网络安全技术提供了发展动力。然而,1972年报告称之为“当前”的许多安全问题至今仍困扰着信息系统。
$ anomaly detection (I) An intrusion detection method that searches for activity that is different from the normal behavior of system entities and system resources. (See: IDS. Compare: misuse detection.)
$ 异常检测(I)一种入侵检测方法,用于搜索与系统实体和系统资源的正常行为不同的活动。(请参阅:IDS.Compare:误用检测。)
$ anonymity (I) The condition of an identity being unknown or concealed. (See: alias, anonymizer, anonymous credential, anonymous login, identity, onion routing, persona certificate. Compare: privacy.)
$ 匿名性(I)身份未知或隐藏的情况。(请参阅:别名、匿名者、匿名凭据、匿名登录、身份、洋葱路由、角色证书。比较:隐私。)
Tutorial: An application may require security services that maintain anonymity of users or other system entities, perhaps to preserve their privacy or hide them from attack. To hide an entity's real name, an alias may be used; for example, a financial institution may assign account numbers. Parties to transactions can thus remain relatively anonymous, but can also accept the transactions as legitimate. Real names of the parties cannot be easily determined by observers of the transactions, but an authorized third party may be able to map an alias to a real name, such as by presenting the institution with a court order. In other applications, anonymous entities may be completely untraceable.
教程:应用程序可能需要维护用户或其他系统实体匿名性的安全服务,可能是为了保护他们的隐私或隐藏他们免受攻击。为了隐藏实体的真实名称,可以使用别名;例如,金融机构可能会分配账号。因此,交易各方可以保持相对匿名,但也可以将交易视为合法。交易观察员无法轻易确定当事人的真实姓名,但经授权的第三方可以将别名映射为真实姓名,例如向机构提交法院命令。在其他应用程序中,匿名实体可能完全不可追踪。
$ anonymizer (I) An internetwork service, usually provided via a proxy server, that provides anonymity and privacy for clients. That is, the service enables a client to access servers (a) without allowing
$ 匿名者(I)通常通过代理服务器提供的互联网服务,为客户提供匿名性和隐私。也就是说,该服务允许客户端访问服务器(a),而不允许
anyone to gather information about which servers the client accesses and (b) without allowing the accessed servers to gather information about the client, such as its IP address.
任何人都可以收集有关客户端访问哪些服务器的信息,并且(b)不允许被访问的服务器收集有关客户端的信息,例如其IP地址。
$ anonymous credential (D) /U.S. Government/ A credential that (a) can be used to authenticate a person as having a specific attribute or being a member of a specific group (e.g., military veterans or U.S. citizens) but (b) does not reveal the individual identity of the person that presents the credential. [M0404] (See: anonymity.)
$ 匿名凭证(D)/美国政府/一种凭证,该凭证(A)可用于认证具有特定属性的人员或特定群体的成员(如退伍军人或美国公民),但(b)不显示出示凭证人员的个人身份。[M0404](参见:匿名。)
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. For example, when the credential is an X.509 certificate, the term could be misunderstood to mean that the certificate was signed by a CA that has a persona certificate. Instead, use "attribute certificate", "organizational certificate", or "persona certificate" depending on what is meant, and provide additional explanations as needed.
不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。例如,当凭证是X.509证书时,该术语可能会被误解为该证书是由具有角色证书的CA签署的。相反,使用“属性证书”、“组织证书”或“角色证书”取决于其含义,并根据需要提供其他解释。
$ anonymous login (I) An access control feature (actually, an access control vulnerability) in many Internet hosts that enables users to gain access to general-purpose or public services and resources of a host (such as allowing any user to transfer data using FTP) without having a pre-established, identity-specific account (i.e., user name and password). (See: anonymity.)
$ 匿名登录(I)许多Internet主机中的一种访问控制功能(实际上是一种访问控制漏洞),使用户能够访问主机的通用或公共服务和资源(例如,允许任何用户使用FTP传输数据),而无需预设特定于身份的帐户(即用户名和密码)。(请参阅:匿名。)
Tutorial: This feature exposes a system to more threats than when all the users are known, pre-registered entities that are individually accountable for their actions. A user logs in using a special, publicly known user name (e.g., "anonymous", "guest", or "ftp"). To use the public login name, the user is not required to know a secret password and may not be required to input anything at all except the name. In other cases, to complete the normal sequence of steps in a login protocol, the system may require the user to input a matching, publicly known password (such as "anonymous") or may ask the user for an e-mail address or some other arbitrary character string.
教程:与所有用户都是已知的、预先注册的、对其行为负责的实体相比,此功能使系统面临更多的威胁。用户使用特殊的、公开的用户名(例如,“匿名”、“来宾”或“ftp”)登录。要使用公共登录名,用户无需知道密码,也无需输入除名称以外的任何内容。在其他情况下,为了完成登录协议中的正常步骤序列,系统可能要求用户输入匹配的公开密码(例如“匿名”),或者可能要求用户输入电子邮件地址或其他任意字符串。
$ ANSI (N) See: American National Standards Institute.
$ ANSI(N)见:美国国家标准协会。
$ anti-jam (N) "Measures ensuring that transmitted information can be received despite deliberate jamming attempts." [C4009] (See: electronic security, frequency hopping, jam, spread spectrum.)
$ 抗干扰(N)“确保在故意干扰的情况下仍能接收传输信息的措施。”[C4009](见:电子安全、跳频、干扰、扩频。)
$ apex trust anchor (N) The trust anchor that is superior to all other trust anchors in a particular system or context. (See: trust anchor, top CA.)
$ 顶点信任锚(N)在特定系统或上下文中优于所有其他信任锚的信任锚。(请参阅:信任锚,顶部CA)
$ API (I) See: application programming interface.
$ API(I)见:应用程序编程接口。
$ APOP (I) See: POP3 APOP.
$ APOP(I)见:POP3 APOP。
$ Application Layer See: Internet Protocol Suite, OSIRM.
$ 应用层请参阅:互联网协议套件,OSIRM。
$ application program (I) A computer program that performs a specific function directly for a user (as opposed to a program that is part of a computer operating system and exists to perform functions in support of application programs).
$ 应用程序(I)直接为用户执行特定功能的计算机程序(与作为计算机操作系统的一部分并用于执行支持应用程序的功能的程序相反)。
$ architecture (I) See: security architecture, system architecture.
$ 架构(I)参见:安全架构、系统架构。
$ archive 1a. (I) /noun/ A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (Compare: backup, repository.)
$ 档案1a。(一) /noon/A出于历史和其他目的(如支持审核服务、可用性服务或系统完整性服务)而存储相对较长时间的数据集合。(比较:备份、存储库。)
1b. (I) /verb/ To store data in such a way as to create an archive. (Compare: back up.)
1b。(一) /verb/以创建存档的方式存储数据。(比较:备份。)
Tutorial: A digital signature may need to be verified many years after the signing occurs. The CA -- the one that issued the certificate containing the public key needed to verify that signature -- may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates.
教程:数字签名可能需要在签名发生多年后进行验证。CA(颁发包含验证该签名所需公钥的证书的CA)可能不会保持那么长时间的运行。因此,每个CA都需要长期存储所需的信息,以验证向其颁发证书的人的签名。
$ ARPANET (I) Advanced Research Projects Agency (ARPA) Network, a pioneer packet-switched network that (a) was designed, implemented, operated, and maintained by BBN from January 1969 until July 1975 under contract to the U.S. Government; (b) led to the development of today's Internet; and (c) was decommissioned in June 1990. [B4799, Hafn]
$ ARPANET(I)高级研究计划署(ARPA)网络,一个先锋分组交换网络,根据与美国政府签订的合同,BBN于1969年1月至1975年7月设计、实施、运营和维护;(b) 导致了当今互联网的发展;(c)于1990年6月退役。[B4799,哈芬]
$ ASCII (N) See: American Standard Code for Information Interchange.
$ ASCII(N)参见:美国信息交换标准代码。
$ ASN.1 (N) See: Abstract Syntax Notation One.
$ ASN.1(N)见:抽象语法符号一。
$ asset (I) A system resource that is (a) required to be protected by an information system's security policy, (b) intended to be protected by a countermeasure, or (c) required for a system's mission.
$ 资产(I)(A)需要由信息系统安全策略保护的系统资源,(b)打算由对策保护的系统资源,或(c)系统任务所需的系统资源。
$ association (I) A cooperative relationship between system entities, usually for the purpose of transferring information between them. (See: security association.)
$ 关联(I)系统实体之间的合作关系,通常用于在它们之间传输信息。(见:安全协会。)
$ assurance See: security assurance.
$ 保证见:安全保证。
$ assurance level (N) A rank on a hierarchical scale that judges the confidence someone can have that a TOE adequately fulfills stated security requirements. (See: assurance, certificate policy, EAL, TCSEC.)
$ 保证水平(N):等级等级评定中的一个等级,用于判断某人对某个脚趾能够充分满足规定的安全要求的信心。(参见:保证、证书政策、EAL、TCSEC。)
Example: U.S. Government guidance [M0404] describes four assurance levels for identity authentication, where each level "describes the [U.S. Federal Government] agency's degree of certainty that the user has presented [a credential] that refers to [the user's] identity." In that guidance, assurance is defined as (a) "the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued" and (b) "the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued."
示例:美国政府指南[M0404]描述了身份验证的四个保证级别,其中每个级别“描述了[美国联邦政府]机构对用户已提交[用户]身份的[凭证]的确定程度。”在该指南中,保证定义为(a)“用于确定证书颁发给的个人身份的审查过程的置信度”和(b)“使用证书的个人是证书颁发给的个人的置信度。”
The four levels are described as follows: - Level 1: Little or no confidence in the asserted identity. - Level 2: Some confidence in the asserted identity. - Level 3: High confidence in the asserted identity. - Level 4: Very high confidence in the asserted identity.
四个级别的描述如下:-级别1:对断言的身份几乎没有信心或没有信心。-第2级:对断言的身份有一定的信心。-第3级:对断言的身份高度信任。-第4级:对所声称的身份非常信任。
Standards for determining these levels are provided in a NIST publication [SP12]. However, as noted there, an assurance level is "a degree of confidence, not a true measure of how secure the system actually is. This distinction is necessary because it is extremely difficult -- and in many cases, virtually impossible -- to know exactly how secure a system is."
NIST出版物[SP12]中提供了确定这些水平的标准。然而,正如文中所指出的,保证水平是“一种置信度,而不是系统实际安全程度的真实衡量标准。这种区分是必要的,因为准确地知道系统的安全程度是极其困难的,在许多情况下,几乎是不可能的。”
$ asymmetric cryptography (I) A modern branch of cryptography (popularly known as "public-key cryptography") in which the algorithms use a pair of keys (a public key and a private key) and use a different component of the pair for each of two counterpart cryptographic operations (e.g.,
$ 非对称密码学(I)密码学的一个现代分支(通常称为“公钥密码学”),其中算法使用一对密钥(公钥和私钥),并为两个对应的加密操作(例如。,
encryption and decryption, or signature creation and signature verification). (See: key pair, symmetric cryptography.)
加密和解密,或签名创建和签名验证)。(请参阅:密钥对,对称加密。)
Tutorial: Asymmetric algorithms have key management advantages over equivalently strong symmetric ones. First, one key of the pair need not be known by anyone but its owner; so it can more easily be kept secret. Second, although the other key is shared by all entities that use the algorithm, that key need not be kept secret from other, non-using entities; thus, the key-distribution part of key management can be done more easily.
教程:非对称算法比等价的强对称算法具有密钥管理优势。首先,这对钥匙中的一把不需要任何人知道,只有它的主人知道;所以它更容易被保密。第二,尽管其他密钥由使用该算法的所有实体共享,但该密钥不需要对其他非使用实体保密;因此,可以更容易地完成密钥管理的密钥分发部分。
Asymmetric cryptography can be used to create algorithms for encryption, digital signature, and key agreement: - In an asymmetric encryption algorithm (e.g., "RSA"), when Alice wants to ensure confidentiality for data she sends to Bob, she encrypts the data with a public key provided by Bob. Only Bob has the matching private key that is needed to decrypt the data. (Compare: seal.) - In an asymmetric digital signature algorithm (e.g., "DSA"), when Alice wants to ensure data integrity or provide authentication for data she sends to Bob, she uses her private key to sign the data (i.e., create a digital signature based on the data). To verify the signature, Bob uses the matching public key that Alice has provided. - In an asymmetric key-agreement algorithm (e.g., "Diffie-Hellman-Merkle"), Alice and Bob each send their own public key to the other party. Then each uses their own private key and the other's public key to compute the new key value.
非对称加密可用于创建加密、数字签名和密钥协商的算法:-在非对称加密算法(如“RSA”)中,当Alice希望确保发送给Bob的数据的机密性时,她使用Bob提供的公钥对数据进行加密。只有Bob具有解密数据所需的匹配私钥。(比较:seal.)-在非对称数字签名算法(例如,“DSA”)中,当Alice希望确保数据完整性或为发送给Bob的数据提供身份验证时,她使用私钥对数据进行签名(即,基于数据创建数字签名)。为了验证签名,Bob使用Alice提供的匹配公钥。-在非对称密钥协商算法(例如,“Diffie-Hellman-Merkle”)中,Alice和Bob各自向另一方发送自己的公钥。然后,每一方使用自己的私钥和另一方的公钥来计算新的密钥值。
$ asymmetric key (I) A cryptographic key that is used in an asymmetric cryptographic algorithm. (See: asymmetric cryptography, private key, public key.)
$ 非对称密钥(I)非对称加密算法中使用的加密密钥。(请参阅:非对称加密、私钥、公钥。)
$ ATIS (N) See: "Alliance for Telecommunications Industry Solutions" under "ANSI".
$ ATI(N)参见“ANSI”下的“电信行业解决方案联盟”。
$ attack 1. (I) An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.)
$ 攻击1。(一) 实体试图逃避安全服务并违反系统安全策略的故意行为。也就是说,对系统安全的实际攻击源自智能威胁。(请参阅:渗透、违规、漏洞。)
2. (I) A method or technique used in an assault (e.g., masquerade). (See: blind attack, distributed attack.)
2. (一) 在攻击中使用的方法或技巧(如伪装)。(请参阅:盲攻击、分布式攻击。)
Tutorial: Attacks can be characterized according to intent: - An "active attack" attempts to alter system resources or affect their operation. - A "passive attack" attempts to learn or make use of information from a system but does not affect system resources of that system. (See: wiretapping.)
教程:攻击可以根据意图来描述:-“主动攻击”试图改变系统资源或影响其操作。-“被动攻击”试图从系统中学习或利用信息,但不影响该系统的系统资源。(请参阅:窃听。)
The object of a passive attack might be to obtain data that is needed for an off-line attack. - An "off-line attack" is one in which the attacker obtains data from the target system and then analyzes the data on a different system of the attacker's own choosing, possibly in preparation for a second stage of attack on the target.
被动攻击的目标可能是获取离线攻击所需的数据。-“离线攻击”是指攻击者从目标系统获取数据,然后在攻击者自己选择的不同系统上分析数据,可能是为了准备对目标进行第二阶段攻击。
Attacks can be characterized according to point of initiation: - An "inside attack" is one that is initiated by an entity inside the security perimeter (an "insider"), i.e., an entity that is authorized to access system resources but uses them in a way not approved by the party that granted the authorization. - An "outside attack" is initiated from outside the security perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments. Attacks can be characterized according to method of delivery: - In a "direct attack", the attacker addresses attacking packets to the intended victim(s). - In an "indirect attack", the attacker addresses packets to a third party, and the packets either have the address(es) of the intended victim(s) as their source address(es) or indicate the intended victim(s) in some other way. The third party responds by sending one or more attacking packets to the intended victims. The attacker can use third parties as attack amplifiers by providing a broadcast address as the victim address (e.g., "smurf attack"). (See: reflector attack. Compare: reflection attack, replay attack.)
攻击可以根据发起点进行描述:-“内部攻击”是指由安全边界内的实体(“内部人”)发起的攻击,即被授权访问系统资源但以未经授权方批准的方式使用这些资源的实体。-“外部攻击”是由系统的未经授权或非法用户(“外部人员”)从安全外围发起的。在互联网上,潜在的外部攻击者包括业余恶作剧者、有组织犯罪分子、国际恐怖分子和敌对政府。攻击可以根据传递方法进行描述:-在“直接攻击”中,攻击者将攻击数据包发送给目标受害者在“间接攻击”中,攻击者向第三方发送数据包地址,数据包的源地址为目标受害者的地址,或者以其他方式指示目标受害者。第三方通过向目标受害者发送一个或多个攻击包进行响应。攻击者可以通过提供广播地址作为受害者地址(例如,“蓝精灵攻击”)将第三方用作攻击放大器。(请参阅:反射攻击。比较:反射攻击、重放攻击。)
The term "attack" relates to some other basic security terms as shown in the following diagram:
术语“攻击”涉及一些其他基本安全术语,如下图所示:
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
| An Attack: | |Counter- | | A System Resource: |
| i.e., A Threat Action | | measure | | Target of the Attack |
| +----------+ | | | | +-----------------+ |
| | Attacker |<==================||<========= | |
| | i.e., | Passive | | | | | Vulnerability | |
| | A Threat |<=================>||<========> | |
| | Agent | or Active | | | | +-------|||-------+ |
| +----------+ Attack | | | | VVV |
| | | | | Threat Consequences |
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
| An Attack: | |Counter- | | A System Resource: |
| i.e., A Threat Action | | measure | | Target of the Attack |
| +----------+ | | | | +-----------------+ |
| | Attacker |<==================||<========= | |
| | i.e., | Passive | | | | | Vulnerability | |
| | A Threat |<=================>||<========> | |
| | Agent | or Active | | | | +-------|||-------+ |
| +----------+ Attack | | | | VVV |
| | | | | Threat Consequences |
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
$ attack potential (I) The perceived likelihood of success should an attack be launched, expressed in terms of the attacker's ability (i.e., expertise and resources) and motivation. (Compare: threat, risk.)
$ 攻击可能性(I)攻击成功的感知可能性,以攻击者的能力(即专业知识和资源)和动机表示。(比较:威胁、风险。)
$ attack sensing, warning, and response (I) A set of security services that cooperate with audit service to detect and react to indications of threat actions, including both inside and outside attacks. (See: indicator.)
$ 攻击感知、警告和响应(I)一组安全服务,与审计服务合作,以检测和响应威胁行动的迹象,包括内部和外部攻击。(见:指标。)
$ attack tree (I) A branching, hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specified way. [Moor]
$ 攻击树(I)一种分支、分层的数据结构,表示一组潜在的方法,以实现以特定方式渗透或破坏系统安全的事件。[摩尔]
Tutorial: Attack trees are special cases of fault trees. The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree. Each subnode defines a subgoal, and each subgoal may have its own set of further subgoals, etc. The final nodes on the paths outward from the root, i.e., the leaf nodes, represent different ways to initiate an attack. Each node other than a leaf is either an AND-node or an OR-node. To achieve the goal represented by an AND-node, the subgoals represented by all of that node's subnodes must be achieved; and for an OR-node, at least one of the subgoals must be achieved. Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that alternative attacks can be compared.
教程:攻击树是故障树的特例。作为攻击目标的安全事件表示为树的根节点,攻击者达到该目标的方式以迭代和增量的方式表示为树的分支和子节点。每个子节点定义一个子目标,每个子目标可能有自己的一组其他子目标等。从根向外的路径上的最终节点,即叶节点,表示发起攻击的不同方式。除叶以外的每个节点都是AND节点或or节点。要实现由AND节点表示的目标,必须实现由该节点的所有子节点表示的子目标;对于OR节点,必须至少实现一个子目标。分支可以用表示难度、成本或其他攻击属性的值进行标记,以便比较备选攻击。
$ attribute (N) Information of a particular type concerning an identifiable system entity or object. An "attribute type" is the component of an attribute that indicates the class of information given by the attribute; and an "attribute value" is a particular instance of the class of information indicated by an attribute type. (See: attribute certificate.)
$ 属性(N)与可识别系统实体或对象有关的特定类型的信息。“属性类型”是一个属性的组成部分,表示该属性给出的信息类别;“属性值”是由属性类型指示的信息类的特定实例。(请参阅:属性证书。)
$ attribute authority (AA) 1. (N) A CA that issues attribute certificates.
$ 属性权限(AA)1。(N) 颁发属性证书的CA。
2. (O) "An authority [that] assigns privileges by issuing attribute certificates." [X509]
2. (O) “通过颁发属性证书来分配权限的机构。”[X509]
Deprecated Usage: The abbreviation "AA" SHOULD NOT be used in an IDOC unless it is first defined in the IDOC.
不推荐使用:除非IDOC中首先定义了缩写“AA”,否则不应在IDOC中使用缩写“AA”。
$ attribute certificate 1. (I) A digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate. (See: capability token.)
$ 属性证书1。(一) 一种数字证书,它将一组描述性数据项(公钥除外)直接绑定到使用者名称或另一证书(公钥证书)的标识符上。(请参阅:功能令牌。)
2. (O) "A data structure, digitally signed by an [a]ttribute [a]uthority, that binds some attribute values with identification information about its holder." [X509]
2. (O) “一种数据结构,由[A]属性[A]权限进行数字签名,将某些属性值与其持有者的标识信息绑定在一起。”[X509]
Tutorial: A public-key certificate binds a subject name to a public key value, along with information needed to perform certain cryptographic functions using that key. Other attributes of a subject, such as a security clearance, may be certified in a separate kind of digital certificate, called an attribute certificate. A subject may have multiple attribute certificates associated with its name or with each of its public-key certificates.
教程:公钥证书将使用者名称绑定到公钥值,以及使用该密钥执行某些加密功能所需的信息。主体的其他属性,例如安全许可,可以在称为属性证书的单独类型的数字证书中进行认证。一个主题可以有多个属性证书与其名称或每个公钥证书相关联。
An attribute certificate might be issued to a subject in the following situations: - Different lifetimes: When the lifetime of an attribute binding is shorter than that of the related public-key certificate, or when it is desirable not to need to revoke a subject's public key just to revoke an attribute. - Different authorities: When the authority responsible for the attributes is different than the one that issues the public-key certificate for the subject. (There is no requirement that an attribute certificate be issued by the same CA that issued the associated public-key certificate.)
属性证书可能在以下情况下颁发给主题:-不同的生存期:当属性绑定的生存期短于相关公钥证书的生存期时,或者不需要仅为了撤销属性而撤销主题的公钥时。-不同权限:当负责属性的权限不同于为主题颁发公钥证书的权限时。(不要求属性证书由颁发相关公钥证书的同一CA颁发。)
$ audit See: security audit.
$ 审计参见:安全审计。
$ audit log (I) Synonym for "security audit trail".
$ 审核日志(I)“安全审核跟踪”的同义词。
$ audit service (I) A security service that records information needed to establish accountability for system events and for the actions of system entities that cause them. (See: security audit.)
$ 审计服务(I)一种安全服务,记录建立系统事件责任和导致系统事件的系统实体行为责任所需的信息。(请参阅:安全审计。)
$ audit trail (I) See: security audit trail.
$ 审计跟踪(I)参见:安全审计跟踪。
$ AUTH (I) See: POP3 AUTH.
$ AUTH(I)参见:POP3 AUTH。
$ authenticate (I) Verify (i.e., establish the truth of) an attribute value claimed by or for a system entity or system resource. (See: authentication, validate vs. verify, "relationship between data integrity service and authentication services" under "data integrity service".)
$ 验证(I)验证(即,确定)系统实体或系统资源声明的属性值。(请参阅“数据完整性服务”下的“身份验证、验证与验证”、“数据完整性服务与身份验证服务之间的关系”。)
Deprecated Usage: In general English usage, this term is used with the meaning "to prove genuine" (e.g., an art expert authenticates a Michelangelo painting); but IDOCs should restrict usage as follows: - IDOCs SHOULD NOT use this term to refer to proving or checking that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. Instead, use "verify". - IDOCs SHOULD NOT use this term to refer to proving the truth or accuracy of a fact or value such as a digital signature. Instead, use "verify". - IDOCs SHOULD NOT use this term to refer to establishing the soundness or correctness of a construct, such as a digital certificate. Instead, use "validate".
不推荐的用法:在一般英语用法中,该术语的含义是“证明真实”(例如,艺术专家鉴定米开朗基罗的绘画);但IDOCs应按以下方式限制使用:-IDOCs不应使用此术语来证明或检查数据未被更改、销毁或以未经授权或意外的方式丢失。相反,请使用“验证”。-IDOCs不应使用此术语来指证明事实或价值(如数字签名)的真实性或准确性。相反,请使用“验证”。-IDOCs不应使用此术语来指建立结构(如数字证书)的可靠性或正确性。相反,使用“验证”。
$ authentication (I) The process of verifying a claim that a system entity or system resource has a certain attribute value. (See: attribute, authenticate, authentication exchange, authentication information, credential, data origin authentication, peer entity authentication, "relationship between data integrity service and authentication services" under "data integrity service", simple authentication, strong authentication, verification, X.509.)
$ 认证(I)验证系统实体或系统资源具有特定属性值的声明的过程。(请参阅:属性、身份验证、身份验证交换、身份验证信息、凭证、数据源身份验证、对等实体身份验证、“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”、简单身份验证、强身份验证、验证,X.509。)
Tutorial: Security services frequently depend on authentication of the identity of users, but authentication may involve any type of attribute that is recognized by a system. A claim may be made by a subject about itself (e.g., at login, a user typically asserts its identity) or a claim may be made on behalf of a subject or object by some other system entity (e.g., a user may claim that a data object originates from a specific source, or that a data object is classified at a specific security level).
教程:安全服务通常依赖于用户身份的身份验证,但身份验证可能涉及系统识别的任何类型的属性。主体可以就其自身提出声明(例如,在登录时,用户通常声明其身份),或者其他系统实体可以代表主体或对象提出声明(例如,用户可以声明数据对象源自特定源,或者数据对象在特定安全级别上被分类)。
An authentication process consists of two basic steps: - Identification step: Presenting the claimed attribute value (e.g., a user identifier) to the authentication subsystem. - Verification step: Presenting or generating authentication information (e.g., a value signed with a private key) that acts as evidence to prove the binding between the attribute and that for which it is claimed. (See: verification.)
身份验证过程包括两个基本步骤:-标识步骤:向身份验证子系统呈现声明的属性值(例如,用户标识符)。-验证步骤:显示或生成身份验证信息(例如,使用私钥签名的值),该信息用作证明属性与声明属性之间绑定的证据。(见:核查。)
$ authentication code (D) Synonym for a checksum based on cryptography. (Compare: Data Authentication Code, Message Authentication Code.)
$ 身份验证码(D)是基于密码学的校验和的同义词。(比较:数据身份验证代码、消息身份验证代码。)
Deprecated Term: IDOCs SHOULD NOT use this uncapitalized term as a synonym for any kind of checksum, regardless of whether or not the checksum is cryptographic. Instead, use "checksum", "Data Authentication Code", "error detection code", "hash", "keyed hash", "Message Authentication Code", "protected checksum", or some other recommended term, depending on what is meant.
不推荐使用的术语:IDOCs不应将此未大写术语用作任何类型校验和的同义词,无论校验和是否为加密的。相反,使用“校验和”、“数据验证码”、“错误检测码”、“散列”、“密钥散列”、“消息验证码”、“受保护校验和”或其他一些推荐术语,具体取决于其含义。
The term mixes concepts in a potentially misleading way. The word "authentication" is misleading because the checksum may be used to perform a data integrity function rather than a data origin authentication function.
该术语以一种潜在误导的方式混合了各种概念。“身份验证”一词具有误导性,因为校验和可用于执行数据完整性功能,而不是数据源身份验证功能。
$ authentication exchange 1. (I) A mechanism to verify the identity of an entity by means of information exchange.
$ 身份验证exchange 1。(一) 通过信息交换验证实体身份的机制。
2. (O) "A mechanism intended to ensure the identity of an entity by means of information exchange." [I7498-2]
2. (O) “旨在通过信息交换确保实体身份的机制。”[I7498-2]
$ Authentication Header (AH) (I) An Internet protocol [R2402, R4302] designed to provide connectionless data integrity service and connectionless data origin authentication service for IP datagrams, and (optionally) to provide partial sequence integrity and protection against replay attacks. (See: IPsec. Compare: ESP.)
$ 认证头(AH)(I)互联网协议[R2402,R4302],旨在为IP数据报提供无连接数据完整性服务和无连接数据源认证服务,以及(可选)提供部分序列完整性和防止重放攻击。(请参阅:IPsec。比较:ESP)
Tutorial: Replay protection may be selected by the receiver when a security association is established. AH authenticates the upper-layer PDU that is carried as an IP SDU, and also authenticates as much of the IP PCI (i.e., the IP header) as possible. However, some IP header fields may change in transit, and the value of these fields, when the packet arrives at the receiver, may not be predictable by the sender. Thus, the values of such fields cannot be protected end-to-end by AH; protection of the IP header by AH is only partial when such fields are present.
教程:当建立安全关联时,接收方可以选择重播保护。AH认证作为IP SDU携带的上层PDU,并且还认证尽可能多的IP PCI(即,IP报头)。然而,一些IP报头字段可能在传输过程中发生变化,并且当数据包到达接收方时,发送方可能无法预测这些字段的值。因此,AH不能端到端地保护这些字段的值;仅当存在此类字段时,AH对IP报头的保护才是部分的。
AH may be used alone, or in combination with the ESP, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. ESP can provide nearly the same security services as AH, and ESP can also provide data confidentiality service. The main difference between authentication services provided by ESP and AH is the extent of the coverage; ESP does not protect IP header fields unless they are encapsulated by AH.
AH可单独使用,或与ESP结合使用,或与隧道嵌套使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP可以提供与AH几乎相同的安全服务,ESP还可以提供数据保密服务。ESP和AH提供的认证服务的主要区别在于覆盖范围;ESP不保护IP头字段,除非它们由AH封装。
$ authentication information (I) Information used to verify an identity claimed by or for an entity. (See: authentication, credential, user. Compare: identification information.)
$ 身份验证信息(I)用于验证实体声明的身份或为实体声明的身份的信息。(请参阅:身份验证、凭据、用户。比较:标识信息。)
Tutorial: Authentication information may exist as, or be derived from, one of the following: (a) Something the entity knows (see: password); (b) something the entity possesses (see: token); (c) something the entity is (see: biometric authentication).
教程:身份验证信息可能作为以下信息之一存在,或来源于以下信息之一:(a)实体知道的信息(请参阅:密码);(b) 实体拥有的东西(参见:令牌);(c) 实体是什么(参见:生物特征认证)。
$ authentication service (I) A security service that verifies an identity claimed by or for an entity. (See: authentication.)
$ 身份验证服务(I)验证实体声明的身份或为实体声明的身份的安全服务。(请参阅:身份验证。)
Tutorial: In a network, there are two general forms of authentication service: data origin authentication service and peer entity authentication service.
教程:在网络中,有两种常见的身份验证服务形式:数据源身份验证服务和对等实体身份验证服务。
$ authenticity (I) The property of being genuine and able to be verified and be trusted. (See: authenticate, authentication, validate vs. verify.)
$ 真实性(I)真实、可验证和可信任的属性。(请参阅:身份验证、身份验证、验证与验证。)
$ authority (D) /PKI/ "An entity [that is] responsible for the issuance of certificates." [X509]
$ 管理局(D)/PKI/“负责颁发证书的实体。”[X509]
Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for attribute authority, certification authority, registration authority, or similar terms; the shortened form may cause confusion. Instead, use the full term at the first instance of usage and then, if it is necessary to shorten text, use AA, CA, RA, and other abbreviations defined in this Glossary.
不推荐使用:IDOCs不应将此术语用作属性颁发机构、证书颁发机构、注册机构或类似术语的同义词;缩写形式可能会引起混淆。相反,在第一次使用时使用完整术语,如果需要缩短文本,则使用AA、CA、RA和本词汇表中定义的其他缩写。
$ authority certificate (D) "A certificate issued to an authority (e.g. either to a certification authority or to an attribute authority)." [X509] (See: authority.)
$ 颁发机构证书(D)“颁发给颁发机构的证书(例如,颁发给证书颁发机构或属性颁发机构)。”[X509](请参阅:颁发机构。)
Deprecated Term: IDOCs SHOULD NOT use this term because it is ambiguous. Instead, use the full term "certification authority certificate", "attribute authority certificate", "registration authority certificate", etc. at the first instance of usage and then, if it is necessary to shorten text, use AA, CA, RA, and other abbreviations defined in this Glossary.
不推荐使用的术语:IDOCs不应使用此术语,因为它不明确。相反,在第一次使用时应使用完整术语“认证机构证书”、“属性机构证书”、“注册机构证书”等,如果需要缩短文本,则使用AA、CA、RA和本词汇表中定义的其他缩写。
$ Authority Information Access extension (I) The private extension defined by PKIX for X.509 certificates to indicate "how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data." [R3280] (See: private extension.)
$ 权限信息访问扩展(I)PKIX为X.509证书定义的专用扩展,用于指示“如何访问证书颁发者的CA信息和服务(扩展出现在其中)。信息和服务可能包括在线验证服务和CA策略数据。”[R3280](请参阅:专用扩展。)
$ authorization 1a. (I) An approval that is granted to a system entity to access a system resource. (Compare: permission, privilege.)
$ 授权1a。(一) 授予系统实体访问系统资源的批准。(比较:权限、特权。)
Usage: Some synonyms are "permission" and "privilege". Specific terms are preferred in certain contexts: - /PKI/ "Authorization" SHOULD be used, to align with "certification authority" in the standard [X509]. - /role-based access control/ "Permission" SHOULD be used, to align with the standard [ANSI]. - /computer operating systems/ "Privilege" SHOULD be used, to align with the literature. (See: privileged process, privileged user.)
用法:有些同义词是“权限”和“特权”。特定上下文中首选特定术语:-/PKI/“授权”应使用,以与标准[X509]中的“认证机构”保持一致/应使用基于角色的访问控制/权限,以符合标准[ANSI]。-/应使用计算机操作系统/特权,以与文献保持一致。(请参阅:特权进程,特权用户。)
Tutorial: The semantics and granularity of authorizations depend on the application and implementation (see: "first law" under "Courtney's laws"). An authorization may specify a particular access mode -- such as read, write, or execute -- for one or more system resources.
教程:授权的语义和粒度取决于应用程序和实现(请参阅“考特尼定律”下的“第一定律”)。授权可以为一个或多个系统资源指定特定的访问模式,如读、写或执行。
1b. (I) A process for granting approval to a system entity to access a system resource.
1b。(一) 一种批准系统实体访问系统资源的过程。
2. (O) /SET/ "The process by which a properly appointed person or persons grants permission to perform some action on behalf of an organization. This process assesses transaction risk, confirms that a given transaction does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit. (When a merchant obtains authorization, payment for the authorized amount is guaranteed -- provided, of course, that the merchant followed the rules associated with the authorization process.)" [SET2]
2. (O) /SET/“一个或多个适当任命的人员授权代表组织执行某些操作的过程。此过程评估交易风险,确认给定交易不会使账户持有人的债务超过账户的信用限额,并保留指定的信用额度。(当商户获得授权时,保证支付授权金额——当然,前提是商户遵守与授权流程相关的规则。)“[SET2]
$ authorization credential (I) See: /access control/ under "credential".
$ 授权凭证(I)请参见“凭证”下的:/access control/。
$ authorize (I) Grant an authorization to a system entity.
$ 授权(I)向系统实体授予授权。
$ authorized user (I) /access control/ A system entity that accesses a system resource for which the entity has received an authorization. (Compare: insider, outsider, unauthorized user.)
$ 授权用户(I)/访问控制/访问实体已收到授权的系统资源的系统实体。(比较:内部人、外部人、未授权用户。)
Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.
不推荐的用法:使用此术语的IDoc应说明其定义,因为该术语有多种用途,很容易被误解。
$ automated information system See: information system.
$ 自动化信息系统见:信息系统。
$ availability 1. (I) The property of a system or a system resource being accessible, or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. (See: critical, denial of service. Compare: precedence, reliability, survivability.)
$ 可用性1。(一) 根据系统性能规范,授权系统实体可访问、可用或按需操作的系统或系统资源的属性;i、 例如,如果系统在用户请求时根据系统设计提供服务,则系统可用。(请参阅:关键,拒绝服务。比较:优先级,可靠性,生存能力。)
2. (O) "The property of being accessible and usable upon demand by an authorized entity." [I7498-2]
2. (O) “经授权实体要求可访问和使用的财产。”[I7498-2]
3. (D) "Timely, reliable access to data and information services for authorized users." [C4009]
3. (D) “授权用户及时、可靠地访问数据和信息服务。”[C4009]
Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3; the definition mixes "availability" with "reliability", which is a different property. (See: reliability.)
不推荐使用的定义:IDOC不应使用定义为3的术语;该定义将“可用性”与“可靠性”混为一谈,后者是一种不同的属性。(见:可靠性。)
Tutorial: Availability requirements can be specified by quantitative metrics, but sometimes are stated qualitatively, such as in the following: - "Flexible tolerance for delay" may mean that brief system outages do not endanger mission accomplishment, but extended outages may endanger the mission. - "Minimum tolerance for delay" may mean that mission accomplishment requires the system to provide requested services in a short time.
教程:可用性要求可以通过定量指标来规定,但有时是定性的,如以下内容:-“灵活的延迟容忍度”可能意味着短暂的系统中断不会危及任务完成,但延长的中断可能危及任务。-“最小延迟容忍度”可能意味着完成任务需要系统在短时间内提供所需服务。
$ availability service (I) A security service that protects a system to ensure its availability.
$ 可用性服务(I)保护系统以确保其可用性的安全服务。
Tutorial: This service addresses the security concerns raised by denial-of-service attacks. It depends on proper management and control of system resources, and thus depends on access control service and other security services.
教程:此服务解决拒绝服务攻击引起的安全问题。它依赖于对系统资源的适当管理和控制,因此依赖于访问控制服务和其他安全服务。
$ avoidance (I) See: secondary definition under "security".
$ 避免(I)见“担保”下的第二定义。
$ B1, B2, or B3 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".
$ B1、B2或B3计算机系统(O)/TCSEC/请参阅“可信计算机系统评估标准”下的教程。
$ back door 1. (I) /COMPUSEC/ A computer system feature -- which may be (a) an unintentional flaw, (b) a mechanism deliberately installed by the system's creator, or (c) a mechanism surreptitiously installed by an intruder -- that provides access to a system resource by other than the usual procedure and usually is hidden or otherwise not well-known. (See: maintenance hook. Compare: Trojan Horse.)
$ 后门1。(一) /COMPUSEC/一种计算机系统功能,它可能是(A)无意中的缺陷,(b)系统创建者故意安装的机制,或(c)入侵者秘密安装的机制,提供对系统资源的访问,而不是通常的过程,通常是隐藏的或不为人所知的。(请参阅:维护挂钩。比较:特洛伊木马。)
Example: A way to access a computer other than through a normal login. Such an access path is not necessarily designed with malicious intent; operating systems sometimes are shipped by the manufacturer with hidden accounts intended for use by field service technicians or the vendor's maintenance programmers.
示例:通过普通登录以外的方式访问计算机。这种访问路径不一定是恶意设计的;操作系统有时由制造商提供,带有隐藏帐户,供现场服务技术人员或供应商的维护程序员使用。
2. (I) /cryptography/ A feature of a cryptographic system that makes it easily possible to break or circumvent the protection that the system is designed to provide.
2. (一) /cryptography/cryptography(密码术)/密码系统的一种功能,可轻易破坏或绕过系统设计提供的保护。
Example: A feature that makes it possible to decrypt cipher text much more quickly than by brute-force cryptanalysis, without having prior knowledge of the decryption key.
示例:这项功能使解密密文的速度比暴力密码分析快得多,而无需事先了解解密密钥。
$ back up (I) /verb/ Create a reserve copy of data or, more generally, provide alternate means to perform system functions despite loss of system resources. (See: contingency plan. Compare: archive.)
$ 备份(I)/动词/创建数据的保留副本,或者更一般地说,提供替代方法,以在系统资源丢失的情况下执行系统功能。(参见:应急计划。比较:存档。)
$ backup (I) /noun or adjective/ Refers to alternate means of performing system functions despite loss of system resources. (See: contingency plan).
$ 备份(I)/名词或形容词/指在系统资源丢失的情况下执行系统功能的替代方法。(见:应急计划)。
Example: A reserve copy of data, preferably one that is stored separately from the original, for use if the original becomes lost or damaged. (Compare: archive.)
示例:数据的保留副本,最好与原件分开存储,以便在原件丢失或损坏时使用。(比较:存档。)
$ bagbiter (D) /slang/ "An entity, such as a program or a computer, that fails to work or that works in a remarkably clumsy manner. A person who has caused some trouble, inadvertently or otherwise, typically by failing to program the computer properly." [NCSSG] (See: flaw.)
$ bagbiter(D)/俚语/“一种实体,如程序或计算机,无法工作或工作异常笨拙。通常由于未能正确编程而在无意中或其他方面造成一些麻烦的人。”[NCSSG](见:缺陷。)
Deprecated Term: It is likely that other cultures use different metaphors for these concepts. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)
不推荐使用的术语:其他文化可能对这些概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)
$ baggage (O) /SET/ An "opaque encrypted tuple, which is included in a SET message but appended as external data to the PKCS encapsulated data. This avoids superencryption of the previously encrypted tuple, but guarantees linkage with the PKCS portion of the message." [SET2]
$ baggage(O)/SET/一个“不透明的加密元组,包含在SET消息中,但作为外部数据附加到PKCS封装的数据中。这避免了对先前加密的元组进行超级加密,但保证了与消息的PKCS部分的链接。”[SET2]
Deprecated Usage: IDOCs SHOULD NOT use this term to describe a data element, except in the form "SET(trademark) baggage" with the meaning given above.
不推荐使用:IDOCs不应使用此术语来描述数据元素,除非以具有上述含义的“SET(商标)baggage”形式出现。
$ baked-in security (D) The inclusion of security mechanisms in an information system beginning at an early point in the system's lifecycle, i.e., during the design phase, or at least early in the implementation phase. (Compare: add-on security.)
$ 烘焙式安全(D)从系统生命周期的早期开始,即在设计阶段,或至少在实施阶段的早期,在信息系统中包含安全机制。(比较:附加安全性。)
Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term (unless they also provide a definition like this one). (See: Deprecated Usage under "Green Book".)
不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际误解,IDOC不应该使用这个术语(除非他们也提供了这样的定义)。(请参阅“绿皮书”下不推荐的用法。)
$ bandwidth (I) The total width of the frequency band that is available to or used by a communication channel; usually expressed in Hertz (Hz). (RFC 3753) (Compare: channel capacity.)
$ 带宽(I)通信信道可用或使用的频带总宽度;通常以赫兹(Hz)表示。(RFC 3753)(比较:信道容量)
$ bank identification number (BIN) 1. (O) The digits of a credit card number that identify the issuing bank. (See: primary account number.)
$ 银行识别号(BIN)1。(O) 识别发卡行的信用卡号的数字。(请参阅:主帐号。)
2. (O) /SET/ The first six digits of a primary account number.
2. (O) /SET/主帐号的前六位数字。
$ Basic Encoding Rules (BER) (I) A standard for representing ASN.1 data types as strings of octets. [X690] (See: Distinguished Encoding Rules.)
$ 基本编码规则(BER)(I)将ASN.1数据类型表示为八位字节字符串的标准。[X690](请参阅:区分编码规则。)
Deprecated Usage: Sometimes incorrectly treated as part of ASN.1. However, ASN.1 properly refers only to a syntax description language, and not to the encoding rules for the language.
不推荐使用:有时被错误地视为ASN.1的一部分。但是,ASN.1只正确地引用语法描述语言,而不是该语言的编码规则。
$ Basic Security Option (I) See: secondary definition under "IPSO".
$ 基本安全备选办法(I)见“国际公共部门会计准则”下的二级定义。
$ bastion host (I) A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few) in the network that can be directly accessed from networks on the other side of the firewall. (See: firewall.)
$ 堡垒主机(I)在受防火墙保护的网络中(或是防火墙的一部分),是网络中唯一可以从防火墙另一端的网络直接访问的主机(或少数主机中的一个)。(请参阅:防火墙。)
Tutorial: Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher-layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.
教程:防火墙中的过滤路由器通常将来自外部网络的流量限制为仅到达一台主机,即堡垒主机,该主机通常是防火墙的一部分。由于只有这一台主机可以被直接攻击,因此只有这一台主机需要得到非常有力的保护,因此可以更轻松、更便宜地维护安全性。然而,为了允许合法的内部和外部用户通过防火墙访问应用程序资源,更高层的协议和服务需要由堡垒主机中继和转发。某些服务(如DNS和SMTP)内置了转发功能;其他服务(如TELNET和FTP)需要在bastion主机上安装代理服务器。
$ BBN Technologies Corp. (BBN) (O) The research-and-development company (originally called Bolt Baranek and Newman, Inc.) that built the ARPANET.
$ BBN Technologies Corp.(BBN)(O)建造ARPANET的研发公司(原名为Bolt Baranek and Newman,Inc.)。
$ BCA (O) See: brand certification authority.
$ BCA(O)见:品牌认证机构。
$ BCR (O) See: BLACK/Crypto/RED.
$ BCR(O)见:黑色/加密/红色。
$ BCI (O) See: brand CRL identifier.
$ BCI(O)见:品牌CRL标识符。
$ Bell-LaPadula model (N) A formal, mathematical, state-transition model of confidentiality policy for multilevel-secure computer systems [Bell]. (Compare: Biba model, Brewer-Nash model.)
$ Bell-LaPadula模型(N)多级安全计算机系统保密策略的形式化、数学、状态转移模型[Bell]。(比较:Biba模型、Brewer-Nash模型。)
Tutorial: The model, devised by David Bell and Leonard LaPadula at The MITRE Corporation in 1973, characterizes computer system elements as subjects and objects. To determine whether or not a subject is authorized for a particular access mode on an object, the clearance of the subject is compared to the classification of the object. The model defines the notion of a "secure state", in which the only permitted access modes of subjects to objects are in accordance with a specified security policy. It is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system is secure. In this model, a multilevel-secure system satisfies several rules, including the "confinement property" (a.k.a. the "*-property"), the "simple security property", and the "tranquility property".
教程:该模型由米特公司的大卫·贝尔和莱纳德·拉帕杜拉于1973年设计,将计算机系统元素描述为主体和客体。为了确定主体是否被授权使用对象上的特定访问模式,将主体的清除与对象的分类进行比较。该模型定义了“安全状态”的概念,其中主体对对象的唯一允许访问模式符合指定的安全策略。证明了每个状态转换都通过从一个安全状态转移到另一个安全状态来保持安全性,从而证明了系统是安全的。在该模型中,多级安全系统满足多个规则,包括“限制属性”(也称“*”属性)、“简单安全属性”和“宁静属性”。
$ benign 1. (N) /COMSEC/ "Condition of cryptographic data [such] that [the data] cannot be compromised by human access [to the data]." [C4009]
$ 良性1。(N) /COMSEC/“加密数据的状态[使[数据]不会被[数据]的人工访问所破坏]。”[C4009]
2. (O) /COMPUSEC/ See: secondary definition under "trust".
2. (O) /COMPUSEC/请参阅“信任”下的辅助定义。
$ benign fill (N) Process by which keying material is generated, distributed, and placed into an ECU without exposure to any human or other system entity, except the cryptographic module that consumes and uses the material. (See: benign.)
$ 良性填充(N)过程,通过该过程生成、分发密钥材料,并将其放入ECU中,而不暴露于任何人类或其他系统实体,消费和使用该材料的加密模块除外。(见:良性)
$ BER (I) See: Basic Encoding Rules.
$ BER(I)参见:基本编码规则。
$ beyond A1 1. (O) /formal/ A level of security assurance that is beyond the highest level (level A1) of criteria specified by the TCSEC. (See: Tutorial under "Trusted Computer System Evaluation Criteria".)
$ 超越A1 1。(O) /正式/超出TCSEC规定的最高标准(A1级)的安全保证级别。(请参阅“受信任的计算机系统评估标准”下的教程。)
2. (O) /informal/ A level of trust so high that it is beyond state-of-the-art technology; i.e., it cannot be provided or verified by currently available assurance methods, and especially not by currently available formal methods.
2. (O) /非正式/高度信任,超越最先进的技术;i、 例如,目前可用的保证方法无法提供或验证,尤其是目前可用的正式方法无法提供或验证。
$ Biba integrity (N) Synonym for "source integrity".
$ Biba integrity(N)是“源完整性”的同义词。
$ Biba model (N) A formal, mathematical, state-transition model of integrity policy for multilevel-secure computer systems [Biba]. (See: source integrity. Compare: Bell-LaPadula model.)
$ Biba模型(N):多级安全计算机系统完整性策略的形式化、数学、状态转移模型[Biba]。(参见:源完整性。比较:Bell-LaPadula模型。)
Tutorial: This model for integrity control is analogous to the Bell-LaPadula model for confidentiality control. Each subject and object is assigned an integrity level and, to determine whether or not a subject is authorized for a particular access mode on an object, the integrity level of the subject is compared to that of the object. The model prohibits the changing of information in an object by a subject with a lesser or incomparable level. The rules of the Biba model are duals of the corresponding rules in the Bell-LaPadula model.
教程:此完整性控制模型类似于贝尔-拉帕杜拉保密性控制模型。每个主体和对象都被分配一个完整性级别,为了确定主体是否被授权使用对象上的特定访问模式,将主体的完整性级别与对象的完整性级别进行比较。该模型禁止具有较低或不可比级别的主体更改对象中的信息。Biba模型的规则是Bell-LaPadula模型中相应规则的对偶。
$ billet (N) "A personnel position or assignment that may be filled by one person." [JCP1] (Compare: principal, role, user.)
$ (N)“可由一人担任的人员职位或任务。”[JCP1](比较:负责人、角色、用户。)
Tutorial: In an organization, a "billet" is a populational position, of which there is exactly one instance; but a "role" is functional position, of which there can be multiple instances. System entities are in one-to-one relationships with their billets, but may be in many-to-one and one-to-many relationships with their roles.
教程:在一个组织中,“方坯”是一个人口位置,其中只有一个实例;但“角色”是功能位置,可以有多个实例。系统实体与其坯料处于一对一关系中,但可能与其角色处于多对一和一对多关系中。
$ BIN (O) See: bank identification number.
$ 银行标识代码(O)见:银行标识代码。
$ bind (I) To inseparably associate by applying some security mechanism.
$ 绑定(I)通过应用某种安全机制进行不可分割的关联。
Example: A CA creates a public-key certificate by using a digital signature to bind together (a) a subject name, (b) a public key, and usually (c) some additional data items (e.g., "X.509 public-key certificate").
示例:CA通过使用数字签名将(A)使用者名称、(b)公钥和通常(c)一些附加数据项(例如,“X.509公钥证书”)绑定在一起,从而创建公钥证书。
$ biometric authentication (I) A method of generating authentication information for a person by digitizing measurements of a physical or behavioral
$ 生物特征认证(I)通过数字化物理或行为特征的测量值,为个人生成认证信息的方法
characteristic, such as a fingerprint, hand shape, retina pattern, voiceprint, handwriting style, or face.
特征,如指纹、手形、视网膜图案、声纹、笔迹或脸。
$ birthday attack (I) A class of attacks against cryptographic functions, including both encryption functions and hash functions. The attacks take advantage of a statistical property: Given a cryptographic function having an N-bit output, the probability is greater than 1/2 that for 2**(N/2) randomly chosen inputs, the function will produce at least two outputs that are identical. (See: Tutorial under "hash function".)
$ 生日攻击(I)针对加密函数的一类攻击,包括加密函数和哈希函数。这些攻击利用了统计特性:给定一个具有N位输出的加密函数,其概率大于1/2,即对于2**(N/2)个随机选择的输入,该函数将产生至少两个相同的输出。(请参阅“哈希函数”下的教程。)
Derivation: From the somewhat surprising fact (often called the "birthday paradox") that although there are 365 days in a year, the probability is greater than 1/2 that two of more people share the same birthday in any randomly chosen group of 23 people.
推导:从一个有些令人惊讶的事实(通常被称为“生日悖论”)得出,尽管一年中有365天,但在随机选择的23人组中,多人中有两人共享同一个生日的概率大于1/2。
Birthday attacks enable an adversary to find two inputs for which a cryptographic function produces the same cipher text (or find two inputs for which a hash functions produces the same hash result) much faster than a brute-force attack can; and a clever adversary can use such a capability to create considerable mischief. However, no birthday attack can enable an adversary to decrypt a given cipher text (or find a hash input that results in a given hash result) any faster than a brute-force attack can.
生日攻击使对手能够比暴力攻击更快地找到加密函数产生相同密文的两个输入(或找到哈希函数产生相同哈希结果的两个输入);聪明的对手可以利用这种能力制造相当大的伤害。但是,任何生日攻击都不能使对手比暴力攻击更快地解密给定的密文(或找到导致给定哈希结果的哈希输入)。
$ bit (I) A contraction of the term "binary digit"; the smallest unit of information storage, which has two possible states or values. The values usually are represented by the symbols "0" (zero) and "1" (one). (See: block, byte, nibble, word.)
$ 位(I)术语“二进制数字”的缩写;信息存储的最小单位,有两种可能的状态或值。值通常由符号“0”(零)和“1”(一)表示。(请参阅:块、字节、半字节、字。)
$ bit string (I) A sequence of bits, each of which is either "0" or "1".
$ 位串(I)一个位序列,每个位都是“0”或“1”。
$ BLACK 1. (N) Designation for data that consists only of cipher text, and for information system equipment items or facilities that handle only cipher text. Example: "BLACK key". (See: BCR, color change, RED/BLACK separation. Compare: RED.)
$ 黑色1。(N) 仅由密文组成的数据以及仅处理密文的信息系统设备项或设施的名称。示例:“黑键”。(参见:BCR、颜色变化、红/黑分离。比较:红色。)
2. (O) /U.S. Government/ "Designation applied to information systems, and to associated areas, circuits, components, and equipment, in which national security information is encrypted or is not processed." [C4009]
2. (O) /U.S.Government/“适用于国家安全信息加密或未处理的信息系统以及相关区域、电路、组件和设备的名称。”[C4009]
3. (D) Any data that can be disclosed without harm.
3. (D) 任何可以在不造成损害的情况下披露的数据。
Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3 because the definition is ambiguous with regard to whether or not the data is protected.
不推荐使用的定义:IDOCs不应使用定义为3的术语,因为该定义在数据是否受保护方面不明确。
$ BLACK/Crypto/RED (BCR) (N) An experimental, end-to-end, network packet encryption system developed in a working prototype form by BBN and the Collins Radio division of Rockwell Corporation in the 1975-1980 time frame for the U.S. DoD. BCR was the first network security system to support TCP/IP traffic, and it incorporated the first DES chips that were validated by the U.S. National Bureau of Standards (now called NIST). BCR also was the first to use a KDC and an ACC to manage connections.
$ BLACK/Crypto/RED(BCR)(N)一种实验性的端到端网络数据包加密系统,由BBN和罗克韦尔公司柯林斯无线电部门在1975-1980年的时间框架内为美国国防部以工作原型形式开发。BCR是第一个支持TCP/IP通信的网络安全系统,它包含了第一个经美国国家标准局(现称NIST)验证的DES芯片。BCR也是第一个使用KDC和ACC来管理连接的公司。
$ BLACK key (N) A key that is protected with a key-encrypting key and that must be decrypted before use. (See: BLACK. Compare: RED key.)
$ 黑密钥(N):受密钥加密密钥保护且在使用前必须解密的密钥。(请参见:黑色。比较:红色键。)
$ BLACKER (O) An end-to-end encryption system for computer data networks that was developed by the U.S. DoD in the 1980s to provide host-to-host data confidentiality service for datagrams at OSIRM Layer 3. [Weis] (Compare: CANEWARE, IPsec.)
$ BLACKER(O):一种用于计算机数据网络的端到端加密系统,由美国国防部在20世纪80年代开发,为OSIRM第3层的数据报提供主机到主机的数据保密服务。[Weis](比较:CANEWARE、IPsec)
Tutorial: Each user host connects to its own bump-in-the-wire encryption device called a BLACKER Front End (BFE, TSEC/KI-111), through which the host connects to the subnetwork. The system also includes two types of centralized devices: one or more KDCs connect to the subnetwork and communicate with assigned sets of BFEs, and one or more ACCs connect to the subnetwork and communicate with assigned KDCs. BLACKER uses only symmetric encryption. A KDC distributes session keys to BFE pairs as authorized by an ACC. Each ACC maintains a database for a set of BFEs, and the database determines which pairs from that set (i.e., which pairs of user hosts behind the BFEs) are authorized to communicate and at what security levels.
教程:每个用户主机都连接到称为BLACKER Front End(BFE,TSEC/KI-111)的有线加密设备中自己的凸起,主机通过该凸起连接到子网。该系统还包括两种类型的集中式设备:一个或多个KDC连接到子网并与指定的BFE集通信,以及一个或多个ACC连接到子网并与指定的KDC通信。BLACKER只使用对称加密。KDC将会话密钥分发给ACC授权的BFE对。每个ACC为一组BFE维护一个数据库,该数据库确定该组中的哪些对(即BFE后面的哪些用户主机对)被授权通信以及处于何种安全级别。
The BLACKER system is MLS in three ways: (a) The BFEs form a security perimeter around a subnetwork, separating user hosts from the subnetwork, so that the subnetwork can operate at a different security level (possibly a lower, less expensive level) than the hosts. (b) The BLACKER components are trusted to separate datagrams of different security levels, so that each datagram of a given security level can be received only by a host that is authorized for that security level; and thus BLACKER can separate host communities that operate at different security levels. (c) The host side of a BFE is itself MLS and can recognize a security label on each packet, so that an MLS user host can be authorized
较黑的系统在三个方面是MLS:(a)BFE围绕子网形成安全周界,将用户主机与子网分开,以便子网可以在不同于主机的安全级别(可能更低、更便宜的级别)下运行。(b) 更黑的组件被信任来分离不同安全级别的数据报,以便给定安全级别的每个数据报只能由授权该安全级别的主机接收;因此BLACKER可以分离以不同安全级别运行的主机社区。(c) BFE的主机端本身就是MLS,可以识别每个数据包上的安全标签,因此可以授权MLS用户主机
to successively transmit datagrams that are labeled with different security levels.
连续传输标有不同安全级别的数据报。
$ blind attack (I) A type of network-based attack method that does not require the attacking entity to receive data traffic from the attacked entity; i.e., the attacker does not need to "see" data packets sent by the victim. Example: SYN flood.
$ 盲攻击(I)一种基于网络的攻击方法,不要求攻击实体从被攻击实体接收数据流量;i、 例如,攻击者不需要“查看”受害者发送的数据包。示例:synflood。
Tutorial: If an attack method is blind, the attacker's packets can carry (a) a false IP source address (making it difficult for the victim to find the attacker) and (b) a different address on every packet (making it difficult for the victim to block the attack). If the attacker needs to receive traffic from the victim, the attacker must either (c) reveal its own IP address to the victim (which enables the victim to find the attacker or block the attack by filtering) or (d) provide a false address and also subvert network routing mechanisms to divert the returning packets to the attacker (which makes the attack more complex, more difficult, or more expensive). [R3552]
教程:如果攻击方法是盲的,攻击者的数据包可能携带(a)错误的IP源地址(使受害者难以找到攻击者)和(b)每个数据包上的不同地址(使受害者难以阻止攻击)。如果攻击者需要接收来自受害者的流量,则攻击者必须(c)向受害者透露自己的IP地址(这使受害者能够找到攻击者或通过过滤阻止攻击)或(d)提供虚假地址,并破坏网络路由机制,以将返回的数据包转移给攻击者(这使得攻击更复杂、更困难或更昂贵)。[R3552]
$ block (I) A bit string or bit vector of finite length. (See: bit, block cipher. Compare: byte, word.)
$ 块(I)有限长度的位字符串或位向量。(请参阅:位,分组密码。比较:字节,字。)
Usage: An "N-bit block" contains N bits, which usually are numbered from left to right as 1, 2, 3, ..., N.
用法:“N位块”包含N位,通常从左到右编号为1、2、3、…、N。
$ block cipher (I) An encryption algorithm that breaks plain text into fixed-size segments and uses the same key to transform each plaintext segment into a fixed-size segment of cipher text. Examples: AES, Blowfish, DEA, IDEA, RC2, and SKIPJACK. (See: block, mode. Compare: stream cipher.)
$ 分组密码(I)一种加密算法,它将明文分成固定大小的段,并使用相同的密钥将每个明文段转换成固定大小的密文段。示例:AES、河豚、DEA、IDEA、RC2和SKIPJACK。(请参阅:块,模式。比较:流密码。)
Tutorial: A block cipher can be adapted to have a different external interface, such as that of a stream cipher, by using a mode of cryptographic operation to package the basic algorithm. (See: CBC, CCM, CFB, CMAC, CTR, DEA, ECB, OFB.)
教程:通过使用加密操作模式打包基本算法,可以调整分组密码以具有不同的外部接口,例如流密码的外部接口。(参见:CBC、CCM、CFB、CMAC、CTR、DEA、ECB、OFB。)
$ Blowfish (N) A symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA. [Schn] (See: Twofish.)
$ Blowfish(N):一种具有可变长度密钥(32至448位)的对称分组密码,由Bruce Schneier于1993年设计,作为DES或IDEA的无专利、无许可证、免版税的替代品。[Schn](见:双鱼)
$ brain-damaged (D) /slang/ "Obviously wrong: extremely poorly designed. Calling something brain-damaged is very extreme. The word implies that the thing is completely unusable, and that its failure to work is due to poor design, not accident." [NCSSG] (See: flaw.)
$ 脑损伤(D)/俚语/“显然是错误的:设计极为糟糕。将某事物称为脑损伤是非常极端的。该词暗示该事物完全无法使用,其失效是由于设计不当,而非意外。”[NCSSG](见:缺陷。)
Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)
不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)
$ brand 1. (I) A distinctive mark or name that identifies a product or business entity.
$ 品牌1。(一) 标识产品或商业实体的独特标记或名称。
2. (O) /SET/ The name of a payment card. (See: BCA.)
2. (O) /SET/支付卡的名称。(见:BCA)
Tutorial: Financial institutions and other companies have founded payment card brands, protect and advertise the brands, establish and enforce rules for use and acceptance of their payment cards, and provide networks to interconnect the financial institutions. These brands combine the roles of issuer and acquirer in interactions with cardholders and merchants. [SET1]
教程:金融机构和其他公司已经建立了支付卡品牌,保护和宣传了这些品牌,制定并实施了使用和接受其支付卡的规则,并提供了连接金融机构的网络。这些品牌结合了发卡机构和收单机构在与持卡人和商户互动中的角色。[SET1]
$ brand certification authority (BCA) (O) /SET/ A CA owned by a payment card brand, such as MasterCard, Visa, or American Express. [SET2] (See: certification hierarchy, SET.)
$ 品牌认证机构(BCA)(O)/SET/A支付卡品牌(如万事达卡、Visa卡或美国运通卡)拥有的CA。[SET2](请参阅:证书层次结构,集合。)
$ brand CRL identifier (BCI) (O) /SET/ A digitally signed list, issued by a BCA, of the names of CAs for which CRLs need to be processed when verifying signatures in SET messages. [SET2]
$ 品牌CRL标识符(BCI)(O)/SET/BCA发布的数字签名列表,在验证SET消息中的签名时,需要为其处理CRL的CA名称。[SET2]
$ break (I) /cryptography/ To successfully perform cryptanalysis and thus succeed in decrypting data or performing some other cryptographic function, without initially having knowledge of the key that the function requires. (See: penetrate, strength, work factor.)
$ break(I)/cryptography/成功执行密码分析,从而成功解密数据或执行其他加密功能,而最初不知道该功能所需的密钥。(参见:穿透力、强度、功系数。)
Usage: This term applies to encrypted data or, more generally, to a cryptographic algorithm or cryptographic system. Also, while the most common use is to refer to completely breaking an algorithm, the term is also used when a method is found that substantially reduces the work factor.
用法:该术语适用于加密数据,或者更一般地,适用于加密算法或加密系统。此外,虽然最常见的用法是指完全破坏一个算法,但当发现一种方法可以大大降低工作系数时,也会使用该术语。
$ Brewer-Nash model (N) A security model [BN89] to enforce the Chinese wall policy. (Compare: Bell-LaPadula model, Clark-Wilson model.)
$ Brewer-Nash模型(N)一种安全模型[BN89],用于实施中国墙政策。(比较:贝尔-拉帕杜拉模型、克拉克-威尔逊模型。)
Tutorial: All proprietary information in the set of commercial firms F(1), F(2), ..., F(N) is categorized into mutually exclusive conflict-of-interest classes I(1), I(2), ..., I(M) that apply across all firms. Each firm belongs to exactly one class. The Brewer-Nash model has the following mandatory rules: - Brewer-Nash Read Rule: Subject S can read information object O from firm F(i) only if either (a) O is from the same firm as some object previously read by S *or* (b) O belongs to a class I(i) from which S has not previously read any object. (See: object, subject.) - Brewer-Nash Write Rule: Subject S can write information object O to firm F(i) only if (a) S can read O by the Brewer-Nash Read Rule *and* (b) no object can be read by S from a different firm F(j), no matter whether F(j) belongs to the same class as F(i) or to a different class.
教程:商业公司F(1),F(2),…,F(N)集合中的所有专有信息被归类为相互排斥的利益冲突类别I(1),I(2),…,I(M),适用于所有公司。每家公司只属于一个类别。Brewer-Nash模型具有以下强制性规则:-Brewer-Nash读取规则:主体S可以从公司F(i)读取信息对象O,前提是(a)O与S*以前读取的某个对象来自同一公司,或者*(b)O属于S以前没有从中读取任何对象的类i(i)。(参见:对象,主体。)-布鲁尔-纳什写入规则:主体S可以将信息对象O写入公司F(i),前提是(a)S可以通过布鲁尔-纳什读取规则*读取O,并且*(b)S不能从不同的公司F(j)读取对象,无论F(j)属于与F(i)相同的类别还是属于不同的类别。
$ bridge (I) A gateway for traffic flowing at OSIRM Layer 2 between two networks (usually two LANs). (Compare: bridge CA, router.)
$ 网桥(I)两个网络(通常是两个局域网)之间OSIRM第2层流量的网关。(比较:网桥CA、路由器。)
$ bridge CA (I) A PKI consisting of only a CA that cross-certifies with CAs of some other PKIs. (See: cross-certification. Compare: bridge.)
$ 桥接CA(I)仅由一个CA组成的PKI,该CA与一些其他PKI的CA交叉认证。(请参阅:交叉认证。比较:桥接。)
Tutorial: A bridge CA functions as a hub that enables a certificate user in any of the PKIs that attach to the bridge, to validate certificates issued in the other attached PKIs.
教程:网桥CA起到集线器的作用,使连接到网桥的任何PKI中的证书用户能够验证在其他连接的PKI中颁发的证书。
For example, a bridge CA (BCA) CA1
could cross-certify with four ^
PKIs that have the roots CA1, |
CA2, CA3, and CA4. The cross- v
certificates that the roots CA2 <-> BCA <-> CA3
exchange with the BCA enable an ^
end entity EE1 certified under |
under CA1 in PK1 to construct v
a certification path needed to CA4
validate the certificate of
end entity EE2 under CA2, CA1 -> BCA -> CA2 -> EE2
or vice versa. CA2 -> BCA -> CA1 -> EE1
For example, a bridge CA (BCA) CA1
could cross-certify with four ^
PKIs that have the roots CA1, |
CA2, CA3, and CA4. The cross- v
certificates that the roots CA2 <-> BCA <-> CA3
exchange with the BCA enable an ^
end entity EE1 certified under |
under CA1 in PK1 to construct v
a certification path needed to CA4
validate the certificate of
end entity EE2 under CA2, CA1 -> BCA -> CA2 -> EE2
or vice versa. CA2 -> BCA -> CA1 -> EE1
$ British Standard 7799 (N) Part 1 of the standard is a code of practice for how to secure an information system. Part 2 specifies the management framework, objectives, and control requirements for information security management systems. [BS7799] (See: ISO 17799.)
$ 英国标准7799(N)本标准的第1部分是关于如何保护信息系统的实施规程。第2部分规定了信息安全管理系统的管理框架、目标和控制要求。[BS7799](见:ISO 17799)
$ browser (I) A client computer program that can retrieve and display information from servers on the World Wide Web. Examples: Netscape Navigator and Microsoft Internet Explorer.
$ 浏览器(I)一种客户端计算机程序,可从万维网上的服务器检索和显示信息。示例:Netscape Navigator和Microsoft Internet Explorer。
$ brute force (I) A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries a large number of possible solutions to the problem. (See: impossible, strength, work factor.)
$ 暴力(I)一种密码分析技术或其他类型的攻击方法,涉及一个穷举过程,尝试大量可能的问题解决方案。(参见:不可能、强度、工作系数。)
Tutorial: In some cases, brute force involves trying all of the possibilities. For example, for cipher text where the analyst already knows the decryption algorithm, a brute-force technique for finding matching plain text is to decrypt the message with every possible key. In other cases, brute force involves trying a large number of possibilities but substantially fewer than all of them. For example, given a hash function that produces an N-bit hash result, the probability is greater than 1/2 that the analyst will find two inputs that have the same hash result after trying only 2**(N/2) randomly chosen inputs. (See: birthday attack.)
教程:在某些情况下,暴力包括尝试所有的可能性。例如,对于分析人员已经知道解密算法的密文,查找匹配纯文本的蛮力技术是使用每个可能的密钥解密消息。在其他情况下,暴力包括尝试大量的可能性,但比所有可能性都少。例如,给定一个产生N位散列结果的散列函数,分析员在仅尝试2**(N/2)个随机选择的输入后,找到具有相同散列结果的两个输入的概率大于1/2。(见:生日攻击。)
$ BS7799 (N) See: British Standard 7799.
$ BS7799(N)参见:英国标准7799。
$ buffer overflow (I) Any attack technique that exploits a vulnerability resulting from computer software or hardware that does not check for exceeding the bounds of a storage area when data is written into a sequence of storage locations beginning in that area.
$ 缓冲区溢出(I)利用计算机软件或硬件产生的漏洞进行攻击的任何攻击技术,当数据写入从该区域开始的存储位置序列时,该漏洞未检查是否超出存储区域的边界。
Tutorial: By causing a normal system operation to write data beyond the bounds of a storage area, the attacker seeks to either disrupt system operation or cause the system to execute malicious software inserted by the attacker.
教程:通过使正常系统操作将数据写入存储区域边界之外,攻击者试图中断系统操作或使系统执行攻击者插入的恶意软件。
$ buffer zone (I) A neutral internetwork segment used to connect other segments that each operate under a different security policy.
$ 缓冲区(I)一个中立的网络网段,用于连接在不同安全策略下运行的其他网段。
Tutorial: To connect a private network to the Internet or some other relatively public network, one could construct a small, separate, isolated LAN and connect it to both the private network and the public network; one or both of the connections would implement a firewall to limit the traffic that could pass through the buffer zone.
教程:要将专用网络连接到Internet或其他相对公用的网络,可以构建一个小型、独立、隔离的LAN,并将其连接到专用网络和公用网络;一个或两个连接将实现防火墙,以限制可能通过缓冲区的流量。
$ bulk encryption 1. (I) Encryption of multiple channels by aggregating them into a single transfer path and then encrypting that path. (See: channel.)
$ 批量加密1。(一) 通过将多个通道聚合到单个传输路径中,然后对该路径进行加密,对多个通道进行加密。(请参阅:频道。)
2. (O) "Simultaneous encryption of all channels of a multichannel telecommunications link." [C4009] (Compare: bulk keying material.)
2. (O) “同时加密多信道电信链路的所有信道。”[C4009](比较:批量密钥材料。)
Usage: The use of "simultaneous" in definition 2 could be interpreted to mean that multiple channels are encrypted separately but at the same time. However, the common meaning of the term is that multiple data flows are combined into a single stream and then that stream is encrypted as a whole.
用法:定义2中“同时”的使用可以解释为多个通道分别加密,但同时加密。然而,该术语的共同含义是将多个数据流组合成单个流,然后将该流作为一个整体进行加密。
$ bulk key (D) In a few published descriptions of hybrid encryption for SSH, Windows 2000, and other applications, this term refers to a symmetric key that (a) is used to encrypt a relatively large amount of data and (b) is itself encrypted with a public key. (Compare: bulk keying material, session key.)
$ 大容量密钥(D)在为SSH、Windows 2000和其他应用程序发布的一些混合加密描述中,该术语指(a)用于加密相对大量数据的对称密钥,以及(b)本身使用公钥加密的对称密钥。(比较:批量关键点材质、会话关键点。)
Example: To send a large file to Bob, Alice (a) generates a symmetric key and uses it to encrypt the file (i.e., encrypt the bulk of the information that is to be sent) and then (b) encrypts that symmetric key (the "bulk key") with Bob's public key.
示例:要向Bob发送一个大文件,Alice(a)生成一个对称密钥并使用它加密文件(即加密要发送的大部分信息),然后(b)使用Bob的公钥加密该对称密钥(“批量密钥”)。
Deprecated Term: IDOCs SHOULD NOT use this term or definition; the term is not well-established and could be confused with the established term "bulk keying material". Instead, use "symmetric key" and carefully explain how the key is applied.
不推荐使用的术语:IDOC不应使用此术语或定义;该术语的定义不明确,可能与已确定的术语“批量键控材料”混淆。相反,请使用“对称密钥”,并仔细解释如何应用该密钥。
$ bulk keying material (N) Refers to handling keying material in large quantities, e.g., as a dataset that contains many items of keying material. (See: type 0. Compare: bulk key, bulk encryption.)
$ 批量键控材料(N)是指大量处理键控材料,例如,作为包含许多键控材料项的数据集。(请参见:键入0。比较:批量密钥、批量加密。)
$ bump-in-the-stack (I) An implementation approach that places a network security mechanism inside the system that is to be protected. (Compare: bump-in-the-wire.)
$ 堆栈中的bump(I)一种将网络安全机制置于要保护的系统内的实现方法。(比较:导线中的凹凸。)
Example: IPsec can be implemented inboard, in the protocol stack of an existing system or existing system design, by placing a new layer between the existing IP layer and the OSIRM Layer 3 drivers. Source code access for the existing stack is not required, but the system that contains the stack does need to be modified [R4301].
示例:通过在现有IP层和OSIRM第3层驱动程序之间放置一个新层,IPsec可以在现有系统或现有系统设计的协议栈中内置实现。不需要对现有堆栈进行源代码访问,但需要修改包含该堆栈的系统[R4301]。
$ bump-in-the-wire (I) An implementation approach that places a network security mechanism outside of the system that is to be protected. (Compare: bump-in-the-stack.)
$ 线路中断(I)将网络安全机制置于受保护系统之外的一种实现方法。(比较:堆栈中的凹凸。)
Example: IPsec can be implemented outboard, in a physically separate device, so that the system that receives the IPsec protection does not need to be modified at all [R4301]. Military-grade link encryption has mainly been implemented as bump-in-the-wire devices.
示例:IPsec可以在物理上独立的设备中实现,因此接收IPsec保护的系统根本不需要修改[R4301]。军用级链路加密主要作为有线设备中的bump实现。
$ business-case analysis (N) An extended form of cost-benefit analysis that considers factors beyond financial metrics, including security factors such as the requirement for security services, their technical and programmatic feasibility, their qualitative benefits, and associated risks. (See: risk analysis.)
$ 业务案例分析(N):成本效益分析的一种扩展形式,它考虑财务指标以外的因素,包括安全因素,如安全服务的要求、其技术和规划可行性、其质量效益和相关风险。(参见:风险分析。)
$ byte (I) A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and, today, usually means eight bits. (Compare: octet.)
$ 字节(I)计算机存储的基本单位;计算机体系结构中最小的可寻址单元。通常包含一个字符的信息,今天通常表示八位。(比较:八位组。)
Usage: Understood to be larger than a "bit", but smaller than a "word". Although "byte" almost always means "octet" today, some computer architectures have had bytes in other sizes (e.g., six bits, nine bits). Therefore, an STD SHOULD state the number of bits in a byte where the term is first used in the STD.
用法:理解为大于一个“位”,但小于一个“字”。虽然“字节”在今天几乎总是意味着“八位字节”,但一些计算机架构有其他大小的字节(例如,六位、九位)。因此,STD应说明STD中首次使用术语的字节中的位数。
$ C field (D) See: Compartments field.
$ C字段(D)参见:隔间字段。
$ C1 or C2 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".
$ C1或C2计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。
$ CA (I) See: certification authority.
$ CA(I)见:认证机构。
$ CA certificate (D) "A [digital] certificate for one CA issued by another CA." [X509]
$ CA证书(D)“一个CA由另一个CA颁发的[数字]证书”[X509]
Deprecated Definition: IDOCs SHOULD NOT use the term with this definition; the definition is ambiguous with regard to how the certificate is constructed and how it is intended to be used. IDOCs that use this term SHOULD provide a technical definition for it. (See: certificate profile.)
不推荐使用的定义:IDoc不应使用此定义的术语;该定义在如何构造证书以及如何使用证书方面模棱两可。使用该术语的IDoc应提供该术语的技术定义。(请参阅:证书配置文件。)
Tutorial: There is no single, obvious choice for a technical definition of this term. Different PKIs can use different certificate profiles, and X.509 provides several choices of how to issue certificates to CAs. For example, one possible definition is the following: A v3 X.509 public-key certificate that has a "basicConstraints" extension containing a "cA" value of "TRUE". That would specifically indicate that "the certified public key may be used to verify certificate signatures", i.e., that the private key may be used by a CA.
教程:对于这个术语的技术定义,没有单一的、明显的选择。不同的PKI可以使用不同的证书配置文件,X.509提供了几种向CA颁发证书的方法。例如,一个可能的定义如下:v3 X.509公钥证书,其“basicConstraints”扩展名包含“cA”值“TRUE”。这将明确表示“经认证的公钥可用于验证证书签名”,即,私钥可由CA使用。
However, there also are other ways to indicate such usage. The certificate may have a "key Usage" extension that indicates the purposes for which the public key may be used, and one of the values that X.509 defines for that extension is "keyCertSign", to indicate that the certificate may be used for verifying a CA's signature on certificates. If "keyCertSign" is present in a certificate that also has a "basicConstraints" extension, then "cA" is set to "TRUE" in that extension. Alternatively, a CA could be issued a certificate in which "keyCertSign" is asserted without "basicConstraints" being present; and an entity that acts as a CA could be issued a certificate with "keyUsage" set to other values, either with or without "keyCertSign".
然而,也有其他方式表明这种用法。证书可能有一个“密钥使用”扩展,该扩展指示公钥可用于的目的,X.509为该扩展定义的值之一是“keyCertSign”,以指示证书可用于验证证书上CA的签名。如果“keyCertSign”出现在同时具有“basicConstraints”扩展名的证书中,则该扩展名中的“cA”设置为“TRUE”。或者,CA可以被颁发一个证书,其中“keyCertSign”被断言,而“basicConstraints”不存在;作为CA的实体可以被颁发一个证书,该证书的“keyUsage”设置为其他值,无论是否带有“keyCertSign”。
$ CA domain (N) /PKI/ A security policy domain that "consists of a CA and its subjects [i.e., the entities named in the certificates issued by the CA]. Sometimes referred to as a PKI domain." [PAG] (See: domain.)
$ CA域(N)/PKI/一种安全策略域,“由CA及其主题[即CA颁发的证书中命名的实体]组成”。有时称为PKI域。“[PAG](请参阅:域。)
$ Caesar cipher
(I) A cipher that is defined for an alphabet of N characters,
A(1), A(2), ..., A(N), and creates cipher text by replacing each
plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]
$ Caesar cipher
(I) A cipher that is defined for an alphabet of N characters,
A(1), A(2), ..., A(N), and creates cipher text by replacing each
plaintext character A(i) by A(i+K, mod N) for some 0<K<N+1. [Schn]
Examples: (a) During the Gallic wars, Julius Caesar used a cipher with K=3. In a Caesar cipher with K=3 for the English alphabet, A is replaced by D, B by E, C by F, ..., W by Z, X by A, Y by B, Z
例子:(a)在高卢战争期间,朱利叶斯·凯撒使用了一个K=3的密码。在英语字母表中K=3的凯撒密码中,a被D替换,B被E替换,C被F替换,…,W被Z替换,X被a替换,Y被B替换,Z替换
by C. (b) UNIX systems sometimes include "ROT13" software that implements a Caesar cipher with K=13 (i.e., ROTate by 13).
C.(b)UNIX系统有时包括“ROT13”软件,该软件实现了K=13的凯撒密码(即,按13旋转)。
$ call back (I) An authentication technique for terminals that remotely access a computer via telephone lines; the host system disconnects the caller and then reconnects on a telephone number that was previously authorized for that terminal.
$ 回拨(I)用于通过电话线远程访问计算机的终端的认证技术;主机系统断开呼叫者的连接,然后重新连接先前为该终端授权的电话号码。
$ CAM (O) See: Certificate Arbitrator Module.
$ CAM(O)请参阅:证书仲裁器模块。
$ CANEWARE (O) An end-to-end encryption system for computer data networks that was developed by the U.S. DoD in the 1980s to provide host-to-host data confidentiality service for datagrams in OSIRM Layer 3. [Roge] (Compare: BLACKER, IPsec.)
$ CANEWARE(O):一种用于计算机数据网络的端到端加密系统,由美国国防部在20世纪80年代开发,用于为OSIRM第3层中的数据报提供主机到主机的数据保密服务。[Roge](比较:BLACKER,IPsec)
Tutorial: Each user host connects to its own bump-in-the-wire encryption device called a CANEWARE Front End (CFE), through which the host connects to the subnetwork. CANEWARE uses symmetric encryption for CFE-to-CFE traffic, but also uses FIREFLY to establish those session keys. The public-key certificates issued by the FIREFLY system include credentials for mandatory access control. For discretionary access control, the system also includes one or more centralized CANEWARE Control Processors (CCPs) that connect to the subnetwork, maintain a database for discretionary access control authorizations, and communicate those authorizations to assigned sets of CFEs.
教程:每个用户主机都连接到称为CANEWARE前端(CFE)的有线加密设备中自己的凸点,主机通过该凸点连接到子网络。CANEWARE对CFE-to-CFE通信使用对称加密,但也使用FIREFLY建立这些会话密钥。FIREFLY系统颁发的公钥证书包括用于强制访问控制的凭据。对于自主访问控制,系统还包括一个或多个集中式CANEWARE控制处理器(CCP),这些处理器连接到子网,维护自主访问控制授权数据库,并将这些授权传递给指定的CFE集。
The CANEWARE system is MLS in only two of the three ways that BLACKER is MLS: (a) Like BLACKER BFEs, CFEs form a security perimeter around a subnetwork, separating user hosts from the subnetwork, so that the subnetwork can operate at a different security level than the hosts. (b) Like BLACKER, the CANEWARE components are trusted to separate datagrams of different security levels, so that each datagram of a given security level can be received only by a host that is authorized for that security level; and thus CANEWARE can separate host communities that operate at different security levels. (c) Unlike a BFE, the host side of a CFE is not MLS, and treats all packets received from a user host as being at the same mandatory security level.
CANEWARE系统在三种方式中只有两种是MLS,BLACKER是MLS:(a)与BLACKER BFE一样,CFE在子网周围形成一个安全周界,将用户主机与子网分开,因此子网可以在不同于主机的安全级别上运行。(b) 与BLACKER一样,CANEWARE组件被信任来分离不同安全级别的数据报,因此给定安全级别的每个数据报只能由授权该安全级别的主机接收;因此,CANEWARE可以分离以不同安全级别运行的主机社区。(c) 与BFE不同,CFE的主机端不是MLS,并且将从用户主机接收的所有数据包视为处于相同的强制安全级别。
$ capability list (I) /information system/ A mechanism that implements access control for a system entity by enumerating the system resources that the entity is permitted to access and, either implicitly or explicitly, the access modes granted for each resource. (Compare:
$ 能力列表(I)/信息系统/通过枚举允许实体访问的系统资源以及隐式或显式为每个资源授予的访问模式,实现系统实体访问控制的机制。(比较:
access control list, access control matrix, access profile, capability token.)
访问控制列表、访问控制矩阵、访问配置文件、功能令牌。)
$ capability token (I) A token (usually an unforgeable data object) that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource indicated by the token. (See: attribute certificate, capability list, credential, digital certificate, ticket, token.)
$ 能力令牌(I)一种令牌(通常是不可伪造的数据对象),赋予承载者或持有者访问系统资源的权利。系统接受对令牌的拥有作为持有者已被授权访问令牌指示的资源的证据。(请参阅:属性证书、能力列表、凭证、数字证书、票证、令牌。)
$ Capability Maturity Model (CMM) (N) Method for judging the maturity of software processes in an organization and for identifying crucial practices needed to increase process maturity. [Chris] (Compare: Common Criteria.)
$ 能力成熟度模型(CMM)(N)用于判断组织中软件过程的成熟度并识别提高过程成熟度所需的关键实践的方法。[Chris](比较:通用标准。)
Tutorial: The CMM does not specify security evaluation criteria (see: assurance level), but its use may improve security assurance. The CMM describes principles and practices that can improve software processes in terms of evolving from ad hoc processes to disciplined processes. The CMM has five levels: - Initial: Software processes are ad hoc or chaotic, and few are well-defined. Success depends on individual effort and heroics. - Repeatable: Basic project management processes are established to track cost, schedule, and functionality. Necessary process discipline is in place to repeat earlier successes on projects with similar applications. - Defined: Software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Each project uses an approved, tailored version of the organization's standard process for developing and maintaining software. - Managed: Detailed measures of software process and product quality are collected. Both software process and products are quantitatively understood and controlled. - Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
教程:CMM没有指定安全评估标准(请参阅:保证级别),但它的使用可能会改进安全保证。CMM描述了可以改进软件过程的原则和实践,这些原则和实践从即席过程演变为规范过程。CMM有五个级别:-初始:软件过程是临时的或混乱的,很少有定义良好的。成功取决于个人的努力和英雄气概可重复:建立基本项目管理流程以跟踪成本、进度和功能。必要的工艺规程已到位,以在具有类似应用的项目上重复先前的成功。-定义:对管理和工程活动的软件过程进行记录、标准化,并将其集成到组织的标准软件过程中。每个项目都使用经批准、定制的组织标准流程版本来开发和维护软件。-管理:收集软件过程和产品质量的详细度量。软件过程和产品都是定量理解和控制的。-优化:持续的流程改进是通过流程的定量反馈以及创新理念和技术的试验实现的。
$ CAPI (I) See: cryptographic application programming interface.
$ CAPI(I)见:加密应用程序编程接口。
$ CAPSTONE (N) An integrated microcircuit (in MYK-8x series manufactured by Mykotronx, Inc.) that implements SKIPJACK, KEA, DSA, SHA, and basic mathematical functions needed to support asymmetric cryptography; has a non-deterministic random number generator; and supports key escrow. (See: FORTEZZA. Compare: CLIPPER.)
$ CAPSTONE(N)集成微电路(Mykotronx,Inc.制造的MYK-8x系列),实现SKIPJACK、KEA、DSA、SHA以及支持非对称加密所需的基本数学函数;具有非确定性随机数生成器;并支持密钥托管。(参见:FORTEZZA。比较:CLIPPER。)
$ card See: cryptographic card, FORTEZZA, payment card, PC card, smart card, token.
$ 卡片见:加密卡,FORTEZZA,支付卡,PC卡,智能卡,代币。
$ card backup See: token backup.
$ 卡备份请参阅:令牌备份。
$ card copy See: token copy.
$ 卡副本见:令牌副本。
$ card restore See: token restore.
$ 卡还原请参阅:令牌还原。
$ cardholder 1. (I) An entity to whom or to which a card has been issued.
$ 持卡人1。(一) 向其或向其发放信用卡的实体。
Usage: Usually refers to a living human being, but might refer (a) to a position (see: billet, role) in an organization or (b) to an automated process. (Compare: user.)
用法:通常指一个活着的人,但可能指(a)一个组织中的职位(参见:角色),或(b)一个自动化流程。(比较:用户。)
2. (O) /SET/ "The holder of a valid payment card account and user of software supporting electronic commerce." [SET2] A cardholder is issued a payment card by an issuer. SET ensures that in the cardholder's interactions with merchants, the payment card account information remains confidential. [SET1]
2. (O) /SET/“有效支付卡账户的持有人和支持电子商务的软件的用户。”[SET2]发卡机构向持卡人发放支付卡。SET确保在持卡人与商户的互动中,支付卡账户信息保持机密。[SET1]
$ cardholder certificate (O) /SET/ A digital certificate that is issued to a cardholder upon approval of the cardholder's issuing financial institution and that is transmitted to merchants with purchase requests and encrypted payment instructions, carrying assurance that the account number has been validated by the issuing financial institution and cannot be altered by a third party. [SET1]
$ 持卡人证书(O)/SET/经持卡人的发卡金融机构批准后向持卡人颁发的数字证书,通过购买请求和加密支付指令传输给商户,保证账号已由发行金融机构验证,且第三方不得更改。[SET1]
$ cardholder certification authority (CCA) (O) /SET/ A CA responsible for issuing digital certificates to cardholders and operated on behalf of a payment card brand, an issuer, or another party according to brand rules. A CCA maintains relationships with card issuers to allow for the verification of cardholder accounts. A CCA does not issue a CRL but does distribute CRLs issued by root CAs, brand CAs, geopolitical CAs, and payment gateway CAs. [SET2]
$ 持卡人认证机构(CCA)(O)/SET/A CA负责向持卡人颁发数字证书,并根据品牌规则代表支付卡品牌、发卡机构或另一方运营。CCA与发卡机构保持关系,以便对持卡人账户进行验证。CCA不发行CRL,但发行根CA、品牌CA、地缘政治CA和支付网关CA发行的CRL。[SET2]
$ CAST (N) A design procedure for symmetric encryption algorithms, and a resulting family of algorithms, invented by Carlisle Adams (C.A.) and Stafford Tavares (S.T.). [R2144, R2612]
$ CAST(N)对称加密算法的设计过程,以及由此产生的算法系列,由Carlisle Adams(C.A.)和Stafford Tavares(S.T.)发明。[R2144,R2612]
$ category (I) A grouping of sensitive information items to which a non-hierarchical restrictive security label is applied to increase protection of the data. (See: formal access approval. Compare: compartment, classification.)
$ 类别(I)敏感信息项的分组,其中应用了非分层限制性安全标签,以加强对数据的保护。(参见:正式访问批准。比较:隔间,分类。)
$ CAW (N) See: certification authority workstation.
$ CAW(N)参见:证书颁发机构工作站。
$ CBC (N) See: cipher block chaining.
$ CBC(N)参见:密码块链接。
$ CCA (O) See: cardholder certification authority.
$ CCA(O)见:持卡人认证机构。
$ CCEP (O) See: Commercial COMSEC Endorsement Program.
$ CCEP(O)见:商业通信安全认可计划。
$ CCI (O) See: Controlled Cryptographic Item.
$ CCI(O)参见:受控加密项。
$ CCITT (N) Acronym for French translation of International Telephone and Telegraph Consultative Committee. Now renamed ITU-T.
$ CCITT(N)国际电话电报咨询委员会法语翻译的首字母缩写。现更名为ITU-T。
$ CCM (N) See: Counter with Cipher Block Chaining-Message Authentication Code.
$ CCM(N)请参阅:带有密码块链接消息认证码的计数器。
$ CERIAS (O) Purdue University's Center for Education and Research in Information Assurance and Security, which includes faculty from multiple schools and departments and takes a multidisciplinary approach to security problems ranging from technical to ethical, legal, educational, communicational, linguistic, and economic.
$ CERIAS(O)普渡大学信息保障和安全教育与研究中心,包括来自多个学校和部门的教员,对安全问题采取多学科方法,从技术到道德、法律、教育、通信、语言和经济。
$ CERT (I) See: computer emergency response team.
$ 证书(I)见:计算机应急响应小组。
$ certificate 1. (I) /general English/ A document that attests to the truth of something or the ownership of something.
$ 证书1。(一) /通用英语/证明某物真实性或所有权的文件。
2. (I) /general security/ See: capability token, digital certificate.
2. (一) /general security/请参阅:功能令牌、数字证书。
3. (I) /PKI/ See: attribute certificate, public-key certificate.
3. (一) /PKI/请参阅:属性证书、公钥证书。
$ Certificate Arbitrator Module (CAM) (O) An open-source software module that is designed to be integrated with an application for routing, replying to, and otherwise managing and meditating certificate validation requests between that application and the CAs in the ACES PKI.
$ 证书仲裁模块(CAM)(O):一种开源软件模块,设计用于与应用程序集成,用于路由、回复、管理和考虑该应用程序与ACES PKI中的CAs之间的证书验证请求。
$ certificate authority (D) Synonym for "certification authority".
$ 证书颁发机构(D)“证书颁发机构”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the term "certification authority", which is preferred in PKI standards (e.g., [X509, R3280]).
不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用术语“证书颁发机构”,这在PKI标准中是首选(例如,[X509,R3280])。
$ certificate chain (D) Synonym for "certification path". (See: trust chain.)
$ 证书链(D)是“证书路径”的同义词。(请参阅:信任链。)
Deprecated Term: IDOCs SHOULD NOT use this term; it duplicates the meaning of a standardized term. Instead, use "certification path".
不推荐使用的术语:IDoc不应使用此术语;它重复了标准化术语的含义。相反,请使用“认证路径”。
$ certificate chain validation (D) Synonym for "certificate validation" or "path validation".
$ 证书链验证(D)“证书验证”或“路径验证”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it duplicates the meaning of standardized terms and mixes concepts in a potentially misleading way. Instead, use "certificate validation" or "path validation", depending on what is meant. (See: validate vs. verify.)
不推荐使用的术语:IDoc不应使用此术语;它复制了标准化术语的含义,并以潜在误导的方式混合了概念。相反,使用“证书验证”或“路径验证”,具体取决于其含义。(请参见:验证与验证。)
$ certificate creation (I) The act or process by which a CA sets the values of a digital certificate's data fields and signs it. (See: issue.)
$ 证书创建(I)CA设置数字证书数据字段的值并对其签名的行为或过程。(见:问题)
$ certificate expiration (I) The event that occurs when a certificate ceases to be valid because its assigned lifetime has been exceeded. (See: certificate revocation, expire.)
$ 证书过期(I)证书因其分配的生存期已超过而停止有效时发生的事件。(请参阅:证书吊销,过期。)
Tutorial: The assigned lifetime of an X.509 certificate is stated in the certificate itself. (See: validity period.)
教程:X.509证书的指定生存期在证书本身中说明。(见:有效期。)
$ certificate extension (I) See: extension.
$ 证书扩展(I)参见:扩展。
$ certificate holder (D) Synonym for the "subject" of a digital certificate. (Compare: certificate owner, certificate user.)
$ 证书持有人(D)数字证书“主体”的同义词。(比较:证书所有者、证书用户。)
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for the subject of a digital certificate; the term is potentially ambiguous. For example, the term could be misunderstood as referring to a system entity or component, such as a repository, that simply has possession of a copy of the certificate.
不推荐使用的定义:IDOCs不应将此术语用作数字证书主题的同义词;这一术语可能模棱两可。例如,该术语可能被误解为指仅拥有证书副本的系统实体或组件,如存储库。
$ certificate management (I) The functions that a CA may perform during the lifecycle of a digital certificate, including the following: - Acquire and verify data items to bind into the certificate. - Encode and sign the certificate. - Store the certificate in a directory or repository. - Renew, rekey, and update the certificate. - Revoke the certificate and issue a CRL. (See: archive management, certificate management, key management, security architecture, token management.)
$ 证书管理(I)CA在数字证书生命周期内可能执行的功能,包括:-获取和验证要绑定到证书中的数据项。-对证书进行编码和签名。-将证书存储在目录或存储库中。-续订、重新设置密钥并更新证书。-吊销证书并颁发CRL。(请参阅:归档管理、证书管理、密钥管理、安全体系结构、令牌管理。)
$ certificate management authority (CMA) (D) /U.S. DoD/ Used to mean either a CA or an RA. [DoD7, SP32]
$ 证书管理机构(CMA)(D)/美国国防部/用于指CA或RA。[DoD7,SP32]
Deprecated Term: IDOCs SHOULD NOT use this term because it is potentially ambiguous, such as in a context involving ICRLs. Instead, use CA, RA, or both, depending on what is meant.
不推荐使用的术语:IDOCs不应使用此术语,因为它可能不明确,例如在涉及ICRL的上下文中。相反,使用CA、RA或两者,具体取决于其含义。
$ certificate owner (D) Synonym for the "subject" of a digital certificate. (Compare: certificate holder, certificate user.)
$ 证书所有者(D)是数字证书“主体”的同义词。(比较:证书持有人、证书用户。)
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for the subject of a digital certificate; the term is potentially ambiguous. For example, the term could refer to a system entity, such as a corporation, that has purchased a certificate to operate equipment, such as a Web server.
不推荐使用的定义:IDOCs不应将此术语用作数字证书主题的同义词;这一术语可能模棱两可。例如,该术语可指已购买证书以操作设备(如Web服务器)的系统实体(如公司)。
$ certificate path (D) Synonym for "certification path".
$ 证书路径(D)是“证书路径”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of "certification path", which is preferred in PKI standards (e.g., [X509, R3280]).
不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用“认证路径”,这是PKI标准(例如[X509,R3280])中的首选。
$ certificate policy (I) "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (Compare: CPS, security policy.)
$ 证书策略(I)“一组命名规则,指示证书对具有通用安全要求的特定社区和/或应用程序类别的适用性。”[X509](比较:CPS,安全策略。)
Example: U.S. DoD's certificate policy [DoD7] defined four classes (i.e., assurance levels) for X.509 public-key certificates and defines the applicability of those classes. (See: class 2.)
示例:美国国防部的证书政策[DoD7]为X.509公钥证书定义了四个类别(即保证级别),并定义了这些类别的适用性。(见第2类)
Tutorial: A certificate policy can help a certificate user to decide whether a certificate should be trusted in a particular application. "For example, a particular certificate policy might indicate applicability of a type of certificate for the authentication of electronic data interchange transactions for the trading of goods within a given price range." [R3647]
教程:证书策略可以帮助证书用户决定在特定应用程序中是否应信任证书。“例如,特定的证书政策可能表明一种证书类型适用于在给定价格范围内进行商品交易的电子数据交换交易的认证。”[R3647]
A v3 X.509 public-key certificate may have a "certificatePolicies" extension that lists certificate policies, recognized by the issuing CA, that apply to the certificate and govern its use. Each policy is denoted by an object identifier and may optionally have certificate policy qualifiers. (See: certificate profile.)
v3 X.509公钥证书可能具有“CertificatePolicys”扩展,该扩展列出了由颁发CA识别的证书策略,这些策略应用于证书并管理其使用。每个策略由对象标识符表示,并且可以选择具有证书策略限定符。(请参阅:证书配置文件。)
Each SET certificate specifies at least one certificate policy, that of the SET root CA. SET uses certificate policy qualifiers to point to the actual policy statement and to add qualifying policies to the root policy. (See: SET qualifier.)
每个集合证书指定至少一个证书策略,即集合根CA的证书策略。集合使用证书策略限定符指向实际的策略语句,并将限定策略添加到根策略。(请参见:设置限定符。)
$ certificate policy qualifier (I) Information that pertains to a certificate policy and is included in a "certificatePolicies" extension in a v3 X.509 public-key certificate.
$ 证书策略限定符(I)与证书策略相关的信息,包含在v3 X.509公钥证书的“CertificatePolicys”扩展中。
$ certificate profile (I) A specification (e.g., [DoD7, R3280]) of the format and semantics of public-key certificates or attribute certificates, constructed for use in a specific application context by selecting from among options offered by a broader standard. (Compare: protection profile.)
$ 证书配置文件(I)公钥证书或属性证书的格式和语义规范(如[DoD7,R3280]),通过从更广泛的标准提供的选项中进行选择,构建用于特定应用程序上下文。(比较:保护配置文件。)
$ certificate reactivation (I) The act or process by which a digital certificate, that a CA has designated for revocation but not yet listed on a CRL, is returned to the valid state.
$ 证书重新激活(I)CA指定要撤销但尚未在CRL上列出的数字证书返回到有效状态的行为或过程。
$ certificate rekey 1. (I) The act or process by which an existing public-key certificate has its key value changed by issuing a new certificate with a different (usually new) public key. (See: certificate renewal, certificate update, rekey.)
$ 证书密钥1。(一) 通过使用不同(通常是新的)公钥颁发新证书来更改现有公钥证书的密钥值的行为或过程。(请参阅:证书续订、证书更新、重新密钥。)
Tutorial: For an X.509 public-key certificate, the essence of rekey is that the subject stays the same and a new public key is bound to that subject. Other changes are made, and the old
教程:对于X.509公钥证书,重新密钥的本质是主体保持不变,并且新的公钥绑定到该主体。进行了其他更改,旧的
certificate is revoked, only as required by the PKI and CPS in support of the rekey. If changes go beyond that, the process is a "certificate update".
只有在PKI和CPS要求支持重新密钥时,证书才会被吊销。如果更改超出此范围,则该过程为“证书更新”。
2. (O) /MISSI/ The act or process by which a MISSI CA creates a new X.509 public-key certificate that is identical to the old one, except the new one has (a) a new, different KEA key or (b) a new, different DSS key or (c) new, different KEA and DSS keys. The new certificate also has a different serial number and may have a different validity period. A new key creation date and maximum key lifetime period are assigned to each newly generated key. If a new KEA key is generated, that key is assigned a new KMID. The old certificate remains valid until it expires, but may not be further renewed, rekeyed, or updated.
2. (O) /MISSI/MISSI CA创建与旧X.509公钥证书相同的新X.509公钥证书的行为或过程,但新证书具有(a)新的不同KEA密钥或(b)新的不同DSS密钥或(c)新的不同KEA和DSS密钥除外。新证书还具有不同的序列号,并且可能具有不同的有效期。为每个新生成的密钥分配一个新密钥创建日期和最大密钥生存期。如果生成了新的KEA密钥,则会为该密钥分配一个新的KMID。旧证书在到期前保持有效,但不能进一步续订、重新键入或更新。
$ certificate renewal (I) The act or process by which the validity of the binding asserted by an existing public-key certificate is extended in time by issuing a new certificate. (See: certificate rekey, certificate update.)
$ 证书续期(I)通过颁发新证书来及时延长现有公钥证书声明的绑定有效性的行为或过程。(请参阅:证书密钥更新、证书更新。)
Tutorial: For an X.509 public-key certificate, this term means that the validity period is extended (and, of course, a new serial number is assigned) but the binding of the public key to the subject and to other data items stays the same. The other data items are changed, and the old certificate is revoked, only as required by the PKI and CPS to support the renewal. If changes go beyond that, the process is a "certificate rekey" or "certificate update".
教程:对于X.509公钥证书,该术语表示有效期延长(当然,还指定了新的序列号),但公钥与主题和其他数据项的绑定保持不变。仅当PKI和CPS要求支持续订时,才会更改其他数据项,并吊销旧证书。如果更改超出此范围,则流程为“证书重新密钥”或“证书更新”。
$ certificate request (D) Synonym for "certification request".
$ 证书申请(D)“证书申请”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the term "certification request", which is preferred in PKI standards (e.g., see PKCS #10).
不推荐使用的术语:IDoc不应使用此术语;它建议不小心使用术语“认证请求”,这是PKI标准中的首选(例如,见PKCS#10)。
$ certificate revocation (I) The event that occurs when a CA declares that a previously valid digital certificate issued by that CA has become invalid; usually stated with an effective date.
$ 证书撤销(I)CA声明该CA颁发的以前有效的数字证书已失效时发生的事件;通常注明生效日期。
Tutorial: In X.509, a revocation is announced to potential certificate users by issuing a CRL that mentions the certificate. Revocation and listing on a CRL is only necessary prior to the certificate's scheduled expiration.
教程:在X.509中,通过发布提及证书的CRL向潜在证书用户宣布撤销。只有在证书计划到期之前,才需要撤销并在CRL上列出。
$ certificate revocation list (CRL) 1. (I) A data structure that enumerates digital certificates that have been invalidated by their issuer prior to when they were scheduled to expire. (See: certificate expiration, delta CRL, X.509 certificate revocation list.)
$ 证书吊销列表(CRL)1。(一) 一种数据结构,枚举在计划到期之前已由其颁发者失效的数字证书。(请参阅:证书到期、delta CRL、X.509证书吊销列表。)
2. (O) "A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. In addition to the generic term CRL, some specific CRL types are defined for CRLs that cover particular scopes." [X509]
2. (O) “一个签名列表,指示证书颁发者不再认为有效的一组证书。除了通用术语CRL外,还为覆盖特定范围的CRL定义了一些特定的CRL类型。”[X509]
$ certificate revocation tree (N) A mechanism for distributing notices of certificate revocations; uses a tree of hash results that is signed by the tree's issuer. Offers an alternative to issuing a CRL, but is not supported in X.509. (See: certificate status responder.)
$ 证书撤销树(N)分发证书撤销通知的机制;使用由树的颁发者签名的哈希结果树。提供了发布CRL的替代方案,但在X.509中不受支持。(请参阅:证书状态响应程序。)
$ certificate serial number 1. (I) An integer value that (a) is associated with, and may be carried in, a digital certificate; (b) is assigned to the certificate by the certificate's issuer; and (c) is unique among all the certificates produced by that issuer.
$ 证书序列号1。(一) (a)与数字证书相关联并且可以携带在数字证书中的整数值;(b) 由证书的颁发者分配给证书;和(c)在该发行人生产的所有证书中是唯一的。
2. (O) "An integer value, unique within the issuing CA, [that] is unambiguously associated with a certificate issued by that CA." [X509]
2. (O) “一个整数值,在颁发CA内唯一,[该值]与该CA颁发的证书明确关联。”[X509]
$ certificate status authority (D) /U.S. DoD/ "A trusted entity that provides on-line verification to a Relying Party of a subject certificate's trustworthiness [should instead say 'validity'], and may also provide additional attribute information for the subject certificate." [DoD7]
$ 证书状态管理局(D)/美国国防部/“向依赖方提供主体证书可信度在线验证的受信任实体[应改为说‘有效性’],还可以提供主体证书的附加属性信息。”[DoD7]
Deprecated Term: IDOCs SHOULD NOT use this term because it is not widely accepted; instead, use "certificate status responder" or "OCSP server", or otherwise explain what is meant.
不推荐使用的术语:IDOCs不应使用此术语,因为它未被广泛接受;相反,请使用“证书状态响应器”或“OCSP服务器”,或解释其含义。
$ certificate status responder (N) /FPKI/ A trusted online server that acts for a CA to provide authenticated certificate status information to certificate users [FPKI]. Offers an alternative to issuing a CR. (See: certificate revocation tree, OCSP.)
$ 证书状态响应程序(N)/FPKI/一个受信任的在线服务器,它代表CA向证书用户提供经过身份验证的证书状态信息[FPKI]。提供了颁发CR的替代方案。(请参阅:证书吊销树,OCSP。)
$ certificate update (I) The act or process by which non-key data items bound in an existing public-key certificate, especially authorizations granted
$ 证书更新(I)将非密钥数据项绑定到现有公钥证书中的行为或过程,尤其是授予的授权
to the subject, are changed by issuing a new certificate. (See: certificate rekey, certificate renewal.)
对于主题,通过颁发新证书进行更改。(请参阅:证书重新注册、证书续订。)
Usage: For an X.509 public-key certificate, the essence of this process is that fundamental changes are made in the data that is bound to the public key, such that it is necessary to revoke the old certificate. (Otherwise, the process is only a "certificate rekey" or "certificate renewal".)
用法:对于X.509公钥证书,此过程的实质是对绑定到公钥的数据进行根本性更改,因此有必要撤销旧证书。(否则,该过程仅为“证书重新密钥”或“证书续订”。)
$ certificate user 1. (I) A system entity that depends on the validity of information (such as another entity's public key value) provided by a digital certificate. (See: relying party. Compare: /digital certificate/ subject.)
$ 证书用户1。(一) 依赖于数字证书提供的信息(如另一实体的公钥值)的有效性的系统实体。(请参阅:依赖方。比较:/digital certificate/主题。)
Usage: The depending entity may be a human being or an organization, or a device or process controlled by a human or organization. (See: user.)
用法:依赖实体可以是人或组织,也可以是由人或组织控制的设备或过程。(请参阅:用户。)
2. (O) "An entity that needs to know, with certainty, the public key of another entity." [X509]
2. (O) “需要确切了解另一实体公钥的实体。”[X509]
3. (D) Synonym for "subject" of a digital certificate.
3. (D) 数字证书“主题”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3; the term could be confused with one of the other two definitions given above.
不推荐使用的定义:IDOC不应将此术语与定义3一起使用;该术语可能与上面给出的另外两个定义之一混淆。
$ certificate validation 1. (I) An act or process by which a certificate user establishes that the assertions made by a digital certificate can be trusted. (See: valid certificate, validate vs. verify.)
$ 证书验证1。(一) 一种行为或过程,证书用户通过该行为或过程确定数字证书所作的断言是可信的。(请参阅:有效证书、验证与验证。)
2. (O) "The process of ensuring that a certificate was valid at a given time, including possibly the construction and processing of a certification path [R4158], and ensuring that all certificates in that path were valid (i.e. were not expired or revoked) at that given time." [X509]
2. (O) “确保证书在给定时间有效的过程,可能包括构建和处理证书路径[R4158],并确保该路径中的所有证书在给定时间有效(即未过期或吊销)。[X509]
Tutorial: To validate a certificate, a certificate user checks that the certificate is properly formed and signed and is currently in force: - Checks the syntax and semantics: Parses the certificate's syntax and interprets its semantics, applying rules specified for and by its data fields, such as for critical extensions in an X.509 certificate.
教程:要验证证书,证书用户将检查证书的格式和签名是否正确以及当前是否有效:-检查语法和语义:解析证书的语法并解释其语义,应用其数据字段指定的规则,例如X.509证书中的关键扩展。
- Checks the signature: Uses the issuer's public key to verify the digital signature of the CA who issued the certificate in question. If the verifier obtains the issuer's public key from the issuer's own public-key certificate, that certificate should be validated, too. That validation may lead to yet another certificate to be validated, and so on. Thus, in general, certificate validation involves discovering and validating a certification path. - Checks currency and revocation: Verifies that the certificate is currently in force by checking that the current date and time are within the validity period (if that is specified in the certificate) and that the certificate is not listed on a CRL or otherwise announced as invalid. (The CRLs also must be checked by a similar validation process.)
- 检查签名:使用颁发者的公钥验证颁发证书的CA的数字签名。如果验证器从颁发者自己的公钥证书中获得颁发者的公钥,则该证书也应进行验证。该验证可能会导致另一个证书被验证,等等。因此,一般来说,证书验证涉及发现和验证证书路径检查货币和吊销:通过检查当前日期和时间是否在有效期内(如果证书中指定)以及证书是否未列在CRL上或以其他方式宣布为无效,验证证书当前是否有效。(CRL还必须通过类似的验证过程进行检查。)
$ certification 1. (I) /information system/ Comprehensive evaluation (usually made in support of an accreditation action) of an information system's technical security features and other safeguards to establish the extent to which the system's design and implementation meet a set of specified security requirements. [C4009, FP102, SP37] (See: accreditation. Compare: evaluation.)
$ 证书1。(一) /信息系统/对信息系统的技术安全功能和其他保障措施进行综合评估(通常是为了支持认证行动),以确定系统的设计和实施在多大程度上满足一系列特定的安全要求。[C4009、FP102、SP37](参见:认证。比较:评估。)
2. (I) /digital certificate/ The act or process of vouching for the truth and accuracy of the binding between data items in a certificate. (See: certify.)
2. (一) /数字证书/证明证书中数据项之间绑定的真实性和准确性的行为或过程。(见:证明)
3. (I) /PKI/ The act or process of vouching for the ownership of a public key by issuing a public-key certificate that binds the key to the name of the entity that possesses the matching private key. Besides binding a key with a name, a public-key certificate may bind those items with other restrictive or explanatory data items. (See: X.509 public-key certificate.)
3. (一) /PKI/通过颁发公钥证书,将公钥绑定到拥有匹配私钥的实体的名称,从而证明公钥所有权的行为或过程。除了使用名称绑定密钥外,公钥证书还可以将这些项与其他限制性或解释性数据项绑定。(请参阅:X.509公钥证书。)
4. (O) /SET/ "The process of ascertaining that a set of requirements or criteria has been fulfilled and attesting to that fact to others, usually with some written instrument. A system that has been inspected and evaluated as fully compliant with the SET protocol by duly authorized parties and process would be said to have been certified compliant." [SET2]
4. (O) /SET/“确定一套要求或标准已得到满足并向其他人证明该事实的过程,通常使用一些书面文书。经正式授权方检查和评估为完全符合SET协议的系统和过程将被视为已被证明符合要求。”[SET2]
$ certification authority (CA) 1. (I) An entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
$ 核证机关(CA)1。(一) 颁发数字证书(特别是X.509证书)并为证书中的数据项之间的绑定提供担保的实体。
2. (O) "An authority trusted by one or more users to create and assign certificates. Optionally the certification authority may create the user's keys." [X509]
2. (O) “一个或多个用户信任的用于创建和分配证书的机构。证书颁发机构也可以创建用户的密钥。”[X509]
Tutorial: Certificate users depend on the validity of information provided by a certificate. Thus, a CA should be someone that certificate users trust and that usually holds an official position created and granted power by a government, a corporation, or some other organization. A CA is responsible for managing the life cycle of certificates (see: certificate management) and, depending on the type of certificate and the CPS that applies, may be responsible for the lifecycle of key pairs associated with the certificates (see: key management).
教程:证书用户取决于证书提供的信息的有效性。因此,CA应该是证书用户信任的人,通常担任由政府、公司或其他组织创建和授予权力的官方职位。CA负责管理证书的生命周期(请参阅:证书管理),并根据证书的类型和适用的CP,负责与证书相关联的密钥对的生命周期(请参阅:密钥管理)。
$ certification authority workstation (CAW) (N) A computer system that enables a CA to issue digital certificates and supports other certificate management functions as required.
$ 证书颁发机构工作站(CAW)(N)一种计算机系统,使CA能够颁发数字证书,并根据需要支持其他证书管理功能。
$ certification hierarchy 1. (I) A tree-structured (loop-free) topology of relationships between CAs and the entities to whom the CAs issue public-key certificates. (See: hierarchical PKI, hierarchy management.)
$ 认证层次结构1。(一) CA与CA向其颁发公钥证书的实体之间关系的树结构(无循环)拓扑。(请参阅:分层PKI,分层管理。)
Tutorial: In this structure, one CA is the top CA, the highest level of the hierarchy. (See: root, top CA.) The top CA may issue public-key certificates to one or more additional CAs that form the second-highest level. Each of these CAs may issue certificates to more CAs at the third-highest level, and so on. The CAs at the second-lowest level issue certificates only to non-CA entities that form the lowest level (see: end entity). Thus, all certification paths begin at the top CA and descend through zero or more levels of other CAs. All certificate users base path validations on the top CA's public key.
教程:在此结构中,一个CA是顶级CA,即层次结构的最高级别。(请参阅:root,top CA。)顶级CA可以向构成第二高级别的一个或多个附加CA颁发公钥证书。这些CA中的每一个都可以向第三高级别的更多CA颁发证书,以此类推。处于第二最低级别的CA仅向构成最低级别的非CA实体颁发证书(请参阅:end entity)。因此,所有认证路径都从顶部CA开始,然后下降到其他CA的零个或多个级别。所有证书用户都基于顶级CA的公钥进行路径验证。
2. (I) /PEM/ A certification hierarchy for PEM has three levels of CAs [R1422]: - The highest level is the "Internet Policy Registration Authority". - A CA at the second-highest level is a "policy certification authority". - A CA at the third-highest level is a "certification authority".
2. (一) /PEM/PEM的认证层次结构有三个级别的CA[R1422]:-最高级别是“Internet策略注册机构”。-第二高级别的CA是“策略证书颁发机构”——第三高级别的CA是“证书颁发机构”。
3. (O) /MISSI/ A certification hierarchy for MISSI has three or four levels of CAs: - A CA at the highest level, the top CA, is a "policy approving authority".
3. (O) /MISSI/A MISSI的认证层次结构有三到四个CA级别:-最高级别的CA,即顶级CA,是“策略批准机构”。
- A CA at the second-highest level is a "policy creation authority". - A CA at the third-highest level is a local authority called a "certification authority". - A CA at the fourth-highest (optional) level is a "subordinate certification authority".
- 第二高级别的CA是“策略创建机构”。-第三高级别的CA是一个称为“认证机构”的地方机构第四高级别(可选)的CA是“下级证书颁发机构”。
4. (O) /SET/ A certification hierarchy for SET has three or four levels of CAs: - The highest level is a "SET root CA". - A CA at the second-highest level is a "brand certification authority". - A CA at the third-highest (optional) level is a "geopolitical certification authority". - A CA at the fourth-highest level is a "cardholder CA", a "merchant CA", or a "payment gateway CA".
4. (O) /SET/SET的证书层次结构有三个或四个CA级别:-最高级别是“集合根CA”。-第二高级别的CA是“品牌认证机构”——第三高(可选)级别的CA是“地缘政治认证机构”——第四高级别的CA是“持卡人CA”、“商户CA”或“支付网关CA”。
$ certification path 1. (I) A linked sequence of one or more public-key certificates, or one or more public-key certificates and one attribute certificate, that enables a certificate user to verify the signature on the last certificate in the path, and thus enables the user to obtain (from that last certificate) a certified public key, or certified attributes, of the system entity that is the subject of that last certificate. (See: trust anchor, certificate validation, valid certificate.)
$ 认证路径1。(一) 一个或多个公钥证书或一个或多个公钥证书和一个属性证书的链接序列,使证书用户能够验证路径中最后一个证书上的签名,从而使用户能够(从该最后一个证书)获得经认证的公钥或经认证的属性,作为最后一个证书主题的系统实体的。(请参阅:信任锚、证书验证、有效证书。)
2. (O) "An ordered sequence of certificates of objects in the [X.500 Directory Information Tree] which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path." [R3647, X509]
2. (O) [X.500目录信息树]中对象的有序证书序列,可与路径中初始对象的公钥一起处理,以获得路径中最终对象的公钥。“[R3647,X509]
Tutorial: The list is "linked" in the sense that the digital signature of each certificate (except possibly the first) is verified by the public key contained in the preceding certificate; i.e., the private key used to sign a certificate and the public key contained in the preceding certificate form a key pair that has previously been bound to the authority that signed.
教程:列表是“链接”的,因为每个证书(第一个证书除外)的数字签名都是由前一个证书中包含的公钥验证的;i、 例如,用于签署证书的私钥和前一证书中包含的公钥形成了一对密钥,该密钥先前已绑定到签署证书的机构。
The path is the "list of certificates needed to [enable] a particular user to obtain the public key [or attributes] of another [user]." [X509] Here, the word "particular" points out that a certification path that can be validated by one certificate user might not be able to be validated by another. That is because either the first certificate needs to be a trusted certificate or the signature on the first certificate needs to be verifiable by a trusted key (e.g., a root key), but such trust is established only
路径是“特定用户获得另一[用户]的公钥[或属性]所需的证书列表”。[X509]这里,“特定”一词指出,可以由一个证书用户验证的证书路径可能无法由另一个证书用户验证。这是因为第一个证书需要是受信任的证书,或者第一个证书上的签名需要可由受信任的密钥(例如,根密钥)验证,但是这种信任仅建立
relative to a "particular" (i.e., specific) user, not absolutely for all users.
相对于“特定”(即特定)用户,并非绝对适用于所有用户。
$ certification policy (D) Synonym for either "certificate policy" or "certification practice statement".
$ 认证政策(D)“认证政策”或“认证实践声明”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; that would be duplicative and would mix concepts in a potentially misleading way. Instead, use either "certificate policy" or "certification practice statement", depending on what is meant.
不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这将是重复的,并将以一种潜在误导的方式混合概念。相反,使用“证书政策”或“认证实践声明”,具体取决于其含义。
$ certification practice statement (CPS) (I) "A statement of the practices which a certification authority employs in issuing certificates." [DSG, R3647] (See: certificate policy.)
$ 认证惯例声明(CPS)(I)“认证机构在颁发证书时采用的惯例声明。”[DSG,R3647](见:证书政策。)
Tutorial: A CPS is a published security policy that can help a certificate user to decide whether a certificate issued by a particular CA can be trusted enough to use in a particular application. A CPS may be (a) a declaration by a CA of the details of the system and practices it uses in its certificate management operations, (b) part of a contract between the CA and an entity to whom a certificate is issued, (c) a statute or regulation applicable to the CA, or (d) a combination of these types involving multiple documents. [DSG]
教程:CPS是一种已发布的安全策略,它可以帮助证书用户确定特定CA颁发的证书是否足够可信,以便在特定应用程序中使用。CPS可以是(A)CA对其证书管理操作中使用的系统和实践细节的声明,(b)CA与证书颁发给的实体之间的合同的一部分,(c)适用于CA的法规或条例,或(d)涉及多个文件的这些类型的组合。[DSG]
A CPS is usually more detailed and procedurally oriented than a certificate policy. A CPS applies to a particular CA or CA community, while a certificate policy applies across CAs or communities. A CA with its single CPS may support multiple certificate policies, which may be used for different application purposes or by different user communities. On the other hand, multiple CAs, each with a different CPS, may support the same certificate policy. [R3647]
CPS通常比证书策略更详细,更面向过程。CPS适用于特定CA或CA社区,而证书策略适用于整个CA或社区。具有单个CP的CA可能支持多个证书策略,这些策略可用于不同的应用程序目的或由不同的用户社区使用。另一方面,多个CA(每个CA具有不同的CP)可能支持相同的证书策略。[R3647]
$ certification request (I) An algorithm-independent transaction format (e.g., PKCS #10, RFC 4211) that contains a DN, and a public key or, optionally, a set of attributes, collectively signed by the entity requesting certification, and sent to a CA, which transforms the request to an X.509 public-key certificate or another type of certificate.
$ 认证请求(I)一种独立于算法的事务格式(如PKCS#10、RFC 4211),其中包含一个DN、一个公钥或一组属性,由请求认证的实体共同签名,并发送给CA,CA将请求转换为X.509公钥证书或其他类型的证书。
$ certify 1. (I) Issue a digital certificate and thus vouch for the truth, accuracy, and binding between data items in the certificate (e.g., "X.509 public-key certificate"), such as the identity of the
$ 证明1。(一) 颁发数字证书,从而保证证书中数据项(例如,“X.509公钥证书”)之间的真实性、准确性和绑定性,例如
certificate's subject and the ownership of a public key. (See: certification.)
证书的主题和公钥的所有权。(见:认证。)
Usage: To "certify a public key" means to issue a public-key certificate that vouches for the binding between the certificate's subject and the key.
用法:“认证公钥”是指颁发公钥证书,以证明证书主题与密钥之间的绑定。
2. (I) The act by which a CA uses measures to verify the truth, accuracy, and binding between data items in a digital certificate.
2. (一) CA使用措施验证数字证书中数据项之间的真实性、准确性和绑定的行为。
Tutorial: A description of the measures used for verification should be included in the CA's CPS.
教程:CA的CPS中应包含用于验证的措施说明。
$ CFB (N) See: cipher feedback.
$ CFB(N)参见:密码反馈。
$ chain (D) See: trust chain.
$ 链(D)参见:信任链。
$ Challenge Handshake Authentication Protocol (CHAP) (I) A peer entity authentication method (employed by PPP and other protocols, e.g., RFC 3720) that uses a randomly generated challenge and requires a matching response that depends on a cryptographic hash of some combination of the challenge and a secret key. [R1994] (See: challenge-response, PAP.)
$ 质询握手认证协议(CHAP)(I)对等实体认证方法(由PPP和其他协议使用,例如RFC 3720),该方法使用随机生成的质询,并需要取决于质询和密钥的某种组合的密码散列的匹配响应。[R1994](参见:质询响应,PAP。)
$ challenge-response (I) An authentication process that verifies an identity by requiring correct authentication information to be provided in response to a challenge. In a computer system, the authentication information is usually a value that is required to be computed in response to an unpredictable challenge value, but it might be just a password.
$ 质询响应(I)通过要求提供正确的身份验证信息以响应质询来验证身份的身份验证过程。在计算机系统中,身份验证信息通常是响应不可预测的质询值而需要计算的值,但它可能只是一个密码。
$ Challenge-Response Authentication Mechanism (CRAM) (I) /IMAP4/ A mechanism [R2195], intended for use with IMAP4 AUTHENTICATE, by which an IMAP4 client uses a keyed hash [R2104] to authenticate itself to an IMAP4 server. (See: POP3 APOP.)
$ 质询-响应身份验证机制(CRAM)(I)/IMAP4/A机制[R2195],用于IMAP4身份验证,通过该机制,IMAP4客户端使用密钥哈希[R2104]向IMAP4服务器进行身份验证。(参见:POP3 APOP。)
Tutorial: The server includes a unique time stamp in its ready response to the client. The client replies with the client's name and the hash result of applying MD5 to a string formed from concatenating the time stamp with a shared secret that is known only to the client and the server.
教程:服务器在其对客户端的就绪响应中包含一个唯一的时间戳。客户机使用客户机的名称和将MD5应用于字符串的哈希结果进行回复,该字符串是通过将时间戳与只有客户机和服务器才知道的共享秘密连接而形成的。
$ channel 1. (I) An information transfer path within a system. (See: covert channel.)
$ 第一频道。(一) 系统内的信息传输路径。(请参阅:隐蔽通道。)
2. (O) "A subdivision of the physical medium allowing possibly shared independent uses of the medium." (RFC 3753)
2. (O) “物理介质的一个细分,允许可能共享的独立介质使用。”(RFC 3753)
$ channel capacity (I) The total capacity of a link to carry information; usually expressed in bits per second. (RFC 3753) (Compare: bandwidth.)
$ 信道容量(I)链路承载信息的总容量;通常以每秒比特数表示。(RFC 3753)(比较:带宽)
Tutorial: Within a given bandwidth, the theoretical maximum channel capacity is given by Shannon's Law. The actual channel capacity is determined by the bandwidth, the coding system used, and the signal-to-noise ratio.
教程:在给定带宽内,理论最大信道容量由香农定律给出。实际信道容量由带宽、使用的编码系统和信噪比决定。
$ CHAP (I) See: Challenge Handshake Authentication Protocol.
$ 第(I)章见:质询握手认证协议。
$ checksum (I) A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data. (See: cyclic redundancy check, data integrity service, error detection code, hash, keyed hash, parity bit, protected checksum.)
$ 校验和(I)(A)由依赖于数据对象内容的函数计算的值,以及(b)与对象一起存储或传输的值,用于检测数据中的变化。(请参阅:循环冗余校验、数据完整性服务、错误检测代码、哈希、键控哈希、奇偶校验位、受保护校验和。)
Tutorial: To gain confidence that a data object has not been changed, an entity that later uses the data can independently recompute the checksum value and compare the result with the value that was stored or transmitted with the object.
教程:为了确保数据对象未被更改,以后使用数据的实体可以独立地重新计算校验和值,并将结果与对象存储或传输的值进行比较。
Computer systems and networks use checksums (and other mechanisms) to detect accidental changes in data. However, active wiretapping that changes data could also change an accompanying checksum to match the changed data. Thus, some checksum functions by themselves are not good countermeasures for active attacks. To protect against active attacks, the checksum function needs to be well-chosen (see: cryptographic hash), and the checksum result needs to be cryptographically protected (see: digital signature, keyed hash).
计算机系统和网络使用校验和(和其他机制)来检测数据中的意外变化。但是,更改数据的主动窃听也可能会更改附带的校验和,以匹配更改的数据。因此,某些校验和函数本身并不是主动攻击的良好对策。为了防止主动攻击,需要正确选择校验和函数(请参阅:加密散列),并且校验和结果需要加密保护(请参阅:数字签名,密钥散列)。
$ Chinese wall policy (I) A security policy to prevent conflict of interest caused by an entity (e.g., a consultant) interacting with competing firms. (See: Brewer-Nash model.)
$ 中国墙政策(I)防止实体(如顾问)与竞争公司互动造成利益冲突的安全政策。(参见:布鲁尔-纳什模型。)
Tutorial: All information is categorized into mutually exclusive
conflict-of-interest classes I(1), I(2), ..., I(M), and each firm
F(1), F(2), ..., F(N) belongs to exactly one class. The policy
states that if a consultant has access to class I(i) information
from a firm in that class, then the consultant may not access
information from another firm in that same class, but may access
Tutorial: All information is categorized into mutually exclusive
conflict-of-interest classes I(1), I(2), ..., I(M), and each firm
F(1), F(2), ..., F(N) belongs to exactly one class. The policy
states that if a consultant has access to class I(i) information
from a firm in that class, then the consultant may not access
information from another firm in that same class, but may access
information from another firm that is in a different class. Thus, the policy creates a barrier to communication between firms that are in the same conflict-of-interest class. Brewer and Nash modeled enforcement of this policy [BN89], including dealing with policy violations that could occur because two or more consultants work for the same firm.
来自不同类别的另一家公司的信息。因此,该政策对处于同一利益冲突类别的公司之间的沟通造成了障碍。Brewer和Nash对该政策的执行进行了建模[BN89],包括处理由于两名或多名顾问为同一家公司工作而可能发生的违反政策行为。
$ chosen-ciphertext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of plain text that corresponds to cipher text selected (i.e., dictated) by the analyst.
$ 选择密文攻击(I)一种密码分析技术,分析员试图根据与分析员选择(即口述)的密文相对应的纯文本知识确定密钥。
$ chosen-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of cipher text that corresponds to plain text selected (i.e., dictated) by the analyst.
$ 选择明文攻击(I)一种密码分析技术,分析员试图根据密码文本的知识确定密钥,密码文本对应于分析员选择(即口述)的明文。
$ CIAC (O) See: Computer Incident Advisory Capability.
$ CIAC(O)见:计算机事故咨询能力。
$ CIK (N) See: cryptographic ignition key.
$ CIK(N)参见:加密点火钥匙。
$ cipher (I) A cryptographic algorithm for encryption and decryption.
$ 密码(I)用于加密和解密的加密算法。
$ cipher block chaining (CBC) (N) A block cipher mode that enhances ECB mode by chaining together blocks of cipher text it produces. [FP081] (See: block cipher, [R1829], [R2405], [R2451], [SP38A].)
$ 密码分组链接(CBC)(N)一种分组密码模式,它通过将产生的密文块链接在一起来增强ECB模式。[FP081](参见:分组密码[R1829]、[R2405]、[R2451]、[SP38A]。)
Tutorial: This mode operates by combining (exclusive OR-ing) the algorithm's ciphertext output block with the next plaintext block to form the next input block for the algorithm.
教程:此模式通过将算法的密文输出块与下一个明文块组合(异或)来操作,以形成算法的下一个输入块。
$ cipher feedback (CFB) (N) A block cipher mode that enhances ECB mode by chaining together the blocks of cipher text it produces and operating on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)
$ 密码反馈(CFB)(N)一种分组密码模式,通过将其产生的密文块链接在一起,并对长度小于或等于块长度的明文段进行操作,从而增强ECB模式。[FP081](参见:分组密码[SP38A]。)
Tutorial: This mode operates by using the previously generated ciphertext segment as the algorithm's input (i.e., by "feeding back" the cipher text) to generate an output block, and then combining (exclusive OR-ing) that output block with the next plaintext segment (block length or less) to form the next ciphertext segment.
教程:此模式通过使用先前生成的密文段作为算法的输入(即,通过“反馈”密文)生成输出块,然后将该输出块与下一个明文段(块长度或更短)组合(异或)形成下一个密文段。
$ cipher text 1. (I) /noun/ Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available. (See: ciphertext. Compare: clear text, plain text.)
$ 密文1。(一) /noon/通过加密转换的数据,其语义信息内容(即其含义)不再可理解或直接可用。(请参阅:密文。比较:明文和纯文本。)
2. (O) "Data produced through the use of encipherment. The semantic content of the resulting data is not available." [I7498-2]
2. (O) “通过使用加密产生的数据。结果数据的语义内容不可用。”[I7498-2]
$ ciphertext 1. (O) /noun/ Synonym for "cipher text" [I7498-2].
$ 密文1。(O) /名词/同义词“密文”[I7498-2]。
2. (I) /adjective/ Referring to cipher text. Usage: Commonly used instead of "cipher-text". (Compare: cleartext, plaintext.)
2. (一) /形容词/指密文。用法:常用代替“密文”。(比较:明文、明文。)
$ ciphertext auto-key (CTAK) (D) "Cryptographic logic that uses previous cipher text to generate a key stream." [C4009, A1523] (See: KAK.)
$ 密文自动密钥(CTAK)(D)“使用以前的密文生成密钥流的加密逻辑。”[C4009,A1523](参见:KAK.)
Deprecated Term: IDOCs SHOULD NOT use this term; it is neither well-known nor precisely defined. Instead, use terms associated with modes that are defined in standards, such as CBC, CFB, and OFB.
不推荐使用的术语:IDoc不应使用此术语;它既不是众所周知的,也不是精确定义的。相反,使用与标准中定义的模式相关的术语,如CBC、CFB和OFB。
$ ciphertext-only attack (I) A cryptanalysis technique in which the analyst tries to determine the key solely from knowledge of intercepted cipher text (although the analyst may also know other clues, such as the cryptographic algorithm, the language in which the plain text was written, the subject matter of the plain text, and some probable plaintext words.)
$ 纯密文攻击(I)一种密码分析技术,分析人员试图仅从截获密文的知识中确定密钥(尽管分析员可能还知道其他线索,例如加密算法、明文的编写语言、明文的主题以及一些可能的明文单词。)
$ ciphony (O) The process of encrypting audio information.
$ 加密(O)对音频信息进行加密的过程。
$ CIPSO (I) See: Common IP Security Option.
$ CIPSO(I)见:通用IP安全选项。
$ CKL (I) See: compromised key list.
$ CKL(I)见:泄露密钥列表。
$ Clark-Wilson model (N) A security model [Clark] to maintain data integrity in the commercial world. (Compare: Bell-LaPadula model.)
$ Clark Wilson模型(N)一种在商业领域维护数据完整性的安全模型[Clark]。(比较:Bell-LaPadula模型。)
$ class 2, 3, 4, 5 (O) /U.S. DoD/ Assurance levels for PKIs, and for X.509 public-key certificates issued by a PKI. [DoD7] (See: "first law" under "Courtney's laws".) - "Class 2": Intended for applications handling unclassified, low-value data in minimally or moderately protected environments. - "Class 3": Intended for applications handling unclassified, medium-value data in moderately protected environments, or handling unclassified or high-value data in highly protected environments, and for discretionary access control of classified data in highly protected environments. - "Class 4": Intended for applications handling unclassified, high-value data in minimally protected environments. - "Class 5": Intended for applications handling classified data in minimally protected environments, and for authentication of material that would affect the security of classified systems.
$ PKI和PKI颁发的X.509公钥证书的第2、3、4、5(O)类/美国国防部/保证级别。[DoD7](参见“考特尼定律”下的“第一定律”)-“第2类”:适用于在最低或适度保护的环境中处理非机密、低价值数据的应用程序。-“3级”:适用于在中度保护环境中处理非机密、中等价值数据的应用程序,或在高度保护环境中处理非机密或高价值数据的应用程序,以及在高度保护环境中对机密数据进行自主访问控制的应用程序。-“4级”:适用于在最低保护环境中处理非机密、高价值数据的应用程序。-“5级”:用于在最低保护环境中处理机密数据的应用程序,以及用于对可能影响机密系统安全性的材料进行认证。
The environments are defined as follows:
- "Highly protected environment": Networks that are protected
either with encryption devices approved by NSA for protection
of classified data or via physical isolation, and that are
certified for processing system-high classified data, where
exposure of unencrypted data is limited to U.S. citizens
holding appropriate security clearances.
- "Moderately protected environment":
-- Physically isolated unclassified, unencrypted networks in
which access is restricted based on legitimate need.
-- Networks protected by NSA-approved, type 1 encryption,
accessible by U.S.-authorized foreign nationals.
- "Minimally protected environments": Unencrypted networks
connected to either the Internet or NIPRNET, either directly or
via a firewall.
The environments are defined as follows:
- "Highly protected environment": Networks that are protected
either with encryption devices approved by NSA for protection
of classified data or via physical isolation, and that are
certified for processing system-high classified data, where
exposure of unencrypted data is limited to U.S. citizens
holding appropriate security clearances.
- "Moderately protected environment":
-- Physically isolated unclassified, unencrypted networks in
which access is restricted based on legitimate need.
-- Networks protected by NSA-approved, type 1 encryption,
accessible by U.S.-authorized foreign nationals.
- "Minimally protected environments": Unencrypted networks
connected to either the Internet or NIPRNET, either directly or
via a firewall.
$ Class A1, B3, B2, B1, C2, or C1 computer system (O) /TCSEC/ See: Tutorial under "Trusted Computer System Evaluation Criteria".
$ A1类、B3类、B2类、B1类、C2类或C1类计算机系统(O)/TCSEC/参见“可信计算机系统评估标准”下的教程。
$ classification 1. (I) A grouping of classified information to which a hierarchical, restrictive security label is applied to increase protection of the data from unauthorized disclosure. (See: aggregation, classified, data confidentiality service. Compare: category, compartment.)
$ 第1类。(一) 一组机密信息,对其应用分层的、限制性的安全标签,以加强对数据的保护,防止未经授权的泄露。(请参阅:聚合、分类、数据保密服务。比较:类别、隔间。)
2. (I) An authorized process by which information is determined to be classified and assigned to a security level. (Compare: declassification.)
2. (一) 一种经过授权的过程,通过该过程,信息被确定为机密信息并分配给安全级别。(比较:解密。)
Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)
用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)
$ classification label (I) A security label that tells the degree of harm that will result from unauthorized disclosure of the labeled data, and may also tell what countermeasures are required to be applied to protect the data from unauthorized disclosure. Example: IPSO. (See: classified, data confidentiality service. Compare: integrity label.)
$ 分类标签(I)一种安全标签,说明未经授权披露标签数据将造成的危害程度,还可能说明需要采取哪些对策来保护数据不被未经授权披露。例如:IPSO。(请参阅:机密数据保密服务。比较:完整性标签。)
Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)
用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)
$ classification level (I) A hierarchical level of protection (against unauthorized disclosure) that is required to be applied to certain classified data. (See: classified. Compare: security level.)
$ 分类级别(I)要求应用于某些机密数据的分层保护级别(防止未经授权的披露)。(请参阅:已分类。比较:安全级别。)
Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)
用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)
$ classified 1. (I) Refers to information (stored or conveyed, in any form) that is formally required by a security policy to receive data confidentiality service and to be marked with a security label (which, in some cases, might be implicit) to indicate its protected status. (See: classify, collateral information, SAP, security level. Compare: unclassified.)
$ 第1类。(一) 指安全策略正式要求的信息(以任何形式存储或传输),以接收数据保密服务,并用安全标签(在某些情况下可能是隐式的)标记以指示其受保护状态。(请参阅:分类、辅助信息、SAP、安全级别。比较:未分类。)
Usage: Usually understood to involve data confidentiality, but IDOCs SHOULD make this clear when data also is sensitive in other ways and SHOULD use other terms for those other sensitivity concepts. (See: sensitive information, data integrity.)
用法:通常理解为涉及数据机密性,但IDOCs应在数据以其他方式敏感时明确这一点,并应使用其他术语来表示其他敏感概念。(请参阅:敏感信息、数据完整性。)
Mainly used by national governments, especially by the military, but the underlying concept also applies outside of governments.
主要用于国家政府,特别是军队,但基本概念也适用于政府以外的部门。
2. (O) /U.S. Government/ "Information that has been determined pursuant to Executive Order 12958 or any predecessor Order, or by the Atomic Energy Act of 1954, as amended, to require protection
2. (O) /U.S.Government/“根据12958号行政命令或任何先前命令或经修订的1954年《原子能法》确定需要保护的信息
against unauthorized disclosure and is marked to indicate its classified status." [C4009]
防止未经授权的披露,并标记以表明其保密状态。”[C4009]
$ classify (I) To officially designate an information item or type of information as being classified and assigned to a specific security level. (See: classified, declassify, security level.)
$ 分类(I)将信息项或信息类型正式指定为已分类并分配给特定安全级别。(请参阅:机密、解密、安全级别。)
$ clean system (I) A computer system in which the operating system and application system software and files have been freshly installed from trusted software distribution media. (Compare: secure state.)
$ clean system(I)一种计算机系统,其中操作系统和应用系统软件及文件是从受信任的软件分发介质新安装的。(比较:安全状态。)
$ clear (D) /verb/ Synonym for "erase". [C4009]
$ 清除(D)/动词/同义词“擦除”。[C4009]
Deprecated Definition: IDOCs SHOULD NOT use the term with this definition; that could be confused with "clear text" in which information is directly recoverable.
不推荐使用的定义:IDoc不应使用此定义的术语;这可能与“明文”相混淆,在“明文”中,信息可以直接恢复。
$ clear text 1. (I) /noun/ Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available, i.e., not encrypted. (See: cleartext, in the clear. Compare: cipher text, plain text.)
$ 明文1。(一) /名词/语义信息内容(即含义)可理解或直接可用(即未加密)的数据。(请参见:明文,在明文中。比较:密文,纯文本。)
2. (O) /noun/ "Intelligible data, the semantic content of which is available." [I7498-2]
2. (O) /noun/“可理解的数据,其语义内容可用。”[I7498-2]
3. (D) /noun/ Synonym for "plain text".
3. (D) /noun/纯文本的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "plain text", because the plain text that is input to an encryption operation may itself be cipher text that was output from a previous encryption operation. (See: superencryption.)
不推荐使用的定义:IDOCs不应将此术语用作“纯文本”的同义词,因为输入到加密操作的纯文本本身可能是先前加密操作输出的密码文本。(请参阅:超级加密。)
$ clearance See: security clearance.
$ 许可见:安全许可。
$ clearance level (I) The security level of information to which a security clearance authorizes a person to have access.
$ 许可级别(I)安全许可授权人员访问的信息的安全级别。
$ cleartext 1. (O) /noun/ Synonym for "clear text" [I7498-2].
$ 明文1。(O) /名词/同义词“明文”[I7498-2]。
2. (I) /adjective/ Referring to clear text. Usage: Commonly used instead of "clear-text". (Compare: ciphertext, plaintext.)
2. (一) /形容词/指明文。用法:常用而非“明文”。(比较:密文、明文。)
3. (D) /adjective/ Synonym for "plaintext".
3. (D) /形容词/同义词“明文”。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "plaintext", because the plaintext data that is input to an encryption operation may itself be ciphertext data that was output from a previous encryption operation. (See: superencryption.)
不推荐使用的定义:IDOC不应将此术语用作“明文”的同义词,因为输入到加密操作的明文数据本身可能是先前加密操作输出的密文数据。(请参阅:超级加密。)
$ CLEF (N) See: commercially licensed evaluation facility.
$ CLEF(N)见:商业许可评估机构。
$ client (I) A system entity that requests and uses a service provided by another system entity, called a "server". (See: server.)
$ 客户端(I)请求并使用另一个系统实体(称为“服务器”)提供的服务的系统实体。(请参阅:服务器。)
Tutorial: Usually, it is understood that the client and server are automated components of the system, and the client makes the request on behalf of a human user. In some cases, the server may itself be a client of some other server.
教程:通常情况下,客户机和服务器是系统的自动化组件,客户机代表人类用户发出请求。在某些情况下,服务器本身可能是其他服务器的客户端。
$ client-server system (I) A distributed system in which one or more entities, called clients, request a specific service from one or more other entities, called servers, that provide the service to the clients.
$ 客户机-服务器系统(I)一个分布式系统,其中一个或多个实体(称为客户机)向向客户机提供服务的一个或多个其他实体(称为服务器)请求特定服务。
Example: The Word Wide Web, in which component servers provide information that is requested by component clients called "browsers".
示例:WordWideWeb,其中组件服务器提供组件客户端(称为“浏览器”)请求的信息。
$ CLIPPER (N) An integrated microcircuit (in MYK-7x series manufactured by Mykotronx, Inc.) that implements SKIPJACK, has a non-deterministic random number generator, and supports key escrow. (See: Escrowed Encryption Standard. Compare: CLIPPER.)
$ CLIPPER(N)一种集成微电路(MYK-7x系列,由Mykotronx,Inc.制造),实现SKIPJACK,具有非确定性随机数生成器,并支持密钥托管。(请参阅:托管加密标准。比较:CLIPPER。)
Tutorial: The chip was mainly intended for protecting telecommunications over the public switched network. The key escrow scheme for the chip involves a SKIPJACK key that is common to all chips and that protects the unique serial number of the chip, and a second SKIPJACK key unique to the chip that protects all data encrypted by the chip. The second key is escrowed as split key components held by NIST and the U.S. Treasury Department.
教程:该芯片主要用于保护公共交换网络上的电信。芯片的密钥托管方案包括一个对所有芯片通用且保护芯片唯一序列号的SKIPJACK密钥,以及一个对芯片唯一且保护芯片加密的所有数据的SKIPJACK密钥。第二个关键部分由NIST和美国财政部托管为拆分关键部分。
$ closed security environment (O) /U.S. DoD/ A system environment that meets both of the following conditions: (a) Application developers (including maintainers) have sufficient clearances and authorizations to provide an acceptable presumption that they have not introduced
$ 满足以下两个条件的封闭安全环境(O)/美国国防部/A系统环境:(A)应用程序开发人员(包括维护人员)有足够的许可和授权,以提供一个可接受的假设,即他们没有引入
malicious logic. (b) Configuration control provides sufficient assurance that system applications and the equipment they run on are protected against the introduction of malicious logic prior to and during the operation of applications. [NCS04] (See: "first law" under "Courtney's laws". Compare: open security environment.)
恶意逻辑。(b) 配置控制提供了充分的保证,系统应用程序及其运行的设备在应用程序运行之前和运行期间受到保护,防止引入恶意逻辑。[NCS04](参见“考特尼定律”下的“第一定律”。比较:开放安全环境。)
$ CMA (D) See: certificate management authority.
$ CMA(D)参见:证书管理机构。
$ CMAC (N) A message authentication code [SP38B] that is based on a symmetric block cipher. (See: block cipher.)
$ CMAC(N)基于对称分组密码的消息身份验证码[SP38B]。(请参阅:分组密码。)
Derivation: Cipher-based MAC. (Compare: HMAC.)
派生:基于密码的MAC。(比较:HMAC)
Tutorial: Because CMAC is based on approved, symmetric-key block ciphers, such as AES, CMAC can be considered a mode of operation for those block ciphers. (See: mode of operation.)
教程:因为CMAC是基于认可的对称密钥分组密码,例如AES,CMAC可以被认为是这些分组密码的一种操作模式。(请参阅:操作模式。)
$ CMCS (O) See: COMSEC Material Control System.
$ CMCS(O)见:通信安全材料控制系统。
$ CMM (N) See: Capability Maturity Model.
$ CMM(N)参见:能力成熟度模型。
$ CMS (I) See: Cryptographic Message Syntax.
$ CMS(I)见:加密消息语法。
$ code 1. (I) A system of symbols used to represent information, which might originally have some other representation. Examples: ASCII, BER, country code, Morse code. (See: encode, object code, source code.)
$ 代码1。(一) 一种用于表示信息的符号系统,最初可能有其他表示形式。示例:ASCII、BER、国家代码、摩尔斯电码。(请参见:编码、目标代码、源代码。)
Deprecated Abbreviation: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as an abbreviation of "country code", "cyclic redundancy code", "Data Authentication Code", "error detection code", or "Message Authentication Code". To avoid misunderstanding, use the fully qualified term in these other cases, at least at the point of first usage.
不推荐使用的缩写:为避免与定义1混淆,IDOC不应使用“代码”作为“国家代码”、“循环冗余代码”、“数据身份验证代码”、“错误检测代码”或“消息身份验证代码”的缩写。为避免误解,在其他情况下,至少在首次使用时,使用完全限定术语。
2. (I) /cryptography/ An encryption algorithm based on substitution; i.e., a system for providing data confidentiality by using arbitrary groups (called "code groups") of letters, numbers, or symbols to represent units of plain text of varying length. (See: codebook, cryptography.)
2. (一) /加密/基于替换的加密算法;i、 例如,通过使用字母、数字或符号的任意组(称为“代码组”)来表示不同长度的纯文本单位,从而提供数据保密性的系统。(请参阅:代码本,密码学。)
Deprecated Usage: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as a synonym for any of the following terms: (a) "cipher", "hash", or other words that mean "a cryptographic algorithm"; (b) "cipher text"; or (c) "encrypt", "hash", or other words that refer to applying a cryptographic algorithm.
不推荐使用:为避免与定义1混淆,IDOC不应将“code”用作以下任何术语的同义词:(a)“cipher”、“hash”或其他表示“加密算法”的词语;(b) “密文”;或(c)“加密”、“哈希”或其他指应用加密算法的词语。
3. (I) An algorithm based on substitution, but used to shorten messages rather than to conceal their content.
3. (一) 一种基于替换的算法,但用于缩短消息而不是隐藏其内容。
4. (I) /computer programming/ To write computer software. (See: object code, source code.)
4. (一) /计算机编程/编写计算机软件。(请参见:目标代码,源代码。)
Deprecated Abbreviation: To avoid confusion with definition 1, IDOCs SHOULD NOT use "code" as an abbreviation of "object code" or "source code". To avoid misunderstanding, use the fully qualified term in these other cases, at least at the point of first usage.
不推荐使用的缩写:为避免与定义1混淆,IDOC不应使用“代码”作为“目标代码”或“源代码”的缩写。为避免误解,在其他情况下,至少在首次使用时,使用完全限定术语。
$ code book 1. (I) Document containing a systematically arranged list of plaintext units and their ciphertext equivalents. [C4009]
$ 代码手册1。(一) 包含系统排列的明文单元及其密文等价物列表的文件。[C4009]
2. (I) An encryption algorithm that uses a word substitution technique. [C4009] (See: code, ECB.)
2. (一) 一种使用字替换技术的加密算法。[C4009](见:欧洲中央银行代码)
$ code signing (I) A security mechanism that uses a digital signature to provide data integrity and data origin authentication for software that is being distributed for use. (See: mobile code, trusted distribution.)
$ 代码签名(I)一种安全机制,使用数字签名为正在分发使用的软件提供数据完整性和数据源身份验证。(请参阅:移动代码,可信分发。)
Tutorial: In some cases, the signature on a software module may imply some assertion that the signer makes about the software. For example, a signature may imply that the software has been designed, developed, or tested according to some criterion.
教程:在某些情况下,软件模块上的签名可能意味着签名者对软件的某些断言。例如,签名可能意味着软件是根据某种标准设计、开发或测试的。
$ code word (O) /U.S. Government/ A single word that is used as a security label (usually applied to classified information) but which itself has a classified meaning. (See: classified, /U.S. Government/ security label.)
$ 代码词(O)/美国政府/用作安全标签的单个词(通常用于机密信息),但其本身具有机密含义。(请参阅:分类/美国政府/安全标签。)
$ COI (I) See: community of interest.
$ COI(I)见:利益共同体。
$ cold start (N) /cryptographic module/ A procedure for initially keying cryptographic equipment. [C4009]
$ 冷启动(N)/加密模块/用于初始键入加密设备的程序。[C4009]
$ collateral information (O) /U.S. Government/ Information that is classified but is not required to be protected by an SAP. (See: /U.S. Government/ classified.)
$ 附属信息(O)/美国政府/已分类但不需要SAP保护的信息。(见:/美国政府/机密文件)
$ color change (I) In a system being operated in periods-processing mode, the act of purging all information from one processing period and then changing over to the next processing period. (See: BLACK, RED.)
$ 颜色变化(I)在周期处理模式下运行的系统中,清除一个处理周期中的所有信息,然后切换到下一个处理周期的行为。(参见:黑色、红色。)
$ Commercial COMSEC Evaluation Program (CCEP) (O) "Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product." [C4009]
$ 商业通信安全评估计划(CCEP)(O)“NSA与行业之间的关系,其中NSA提供通信安全专业知识(即标准、算法、评估和指导),行业提供设计、开发和生产能力,以生产1类或2类产品。”[C4009]
$ commercially licensed evaluation facility (CLEF) (N) An organization that has official approval to evaluate the security of products and systems under the Common Criteria, ITSEC, or some other standard. (Compare: KLIF.)
$ 商业许可评估机构(CLEF)(N):获得官方批准,根据通用标准、ITSEC或其他标准评估产品和系统安全性的组织。(比较:KLIF。)
$ Committee on National Security Systems (CNSS) (O) /U.S. Government/ A Government, interagency, standing committee of the President's Critical Infrastructure Protection Board. The CNSS is chaired by the Secretary of Defense and provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems. The Secretary of Defense and the Director of Central Intelligence are responsible for developing and overseeing the implementation of Government-wide policies, principles, standards, and guidelines for the security of systems that handle national security information.
$ 国家安全系统委员会(CNSS)(O)/美国政府/A政府、跨机构、总统关键基础设施保护委员会常务委员会。CNSS由国防部长担任主席,为讨论政策问题提供论坛,制定国家政策,并发布国家安全系统安全的方向、操作程序和指南。国防部长和中央情报局局长负责制定和监督政府范围内有关处理国家安全信息系统安全的政策、原则、标准和指南的实施。
$ Common Criteria for Information Technology Security (N) A standard for evaluating information technology (IT) products and systems. It states requirements for security functions and for assurance measures. [CCIB] (See: CLEF, EAL, packages, protection profile, security target, TOE. Compare: CMM.)
$ 信息技术安全通用标准(N)评估信息技术(IT)产品和系统的标准。它规定了安全功能和保证措施的要求。[CCIB](参见:CLEF、EAL、包、保护配置文件、安全目标、TOE。比较:CMM。)
Tutorial: Canada, France, Germany, the Netherlands, the United Kingdom, and the United States (NIST and NSA) began developing this standard in 1993, based on the European ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), and the U.S. "Federal Criteria for Information Technology Security" and its precursor, the TCSEC. Work was done in cooperation with ISO/IEC Joint Technical Committee 1 (Information Technology),
教程:加拿大、法国、德国、荷兰、英国和美国(NIST和NSA)于1993年开始根据欧洲ITSEC、加拿大可信计算机产品评估标准(CTCPEC)和美国“信息技术安全联邦标准”及其前身TCSEC制定本标准。工作是与ISO/IEC联合技术委员会1(信息技术)合作完成的,
Subcommittee 27 (Security Techniques), Working Group 3 (Security Criteria). Version 2.0 of the Criteria has been issued as ISO's International Standard 15408. The U.S. Government intends this standard to supersede both the TCSEC and FIPS PUB 140. (See: NIAP.)
第27小组委员会(安全技术),第3工作组(安全标准)。标准的2.0版已作为ISO的国际标准15408发布。美国政府打算用本标准取代TCSEC和FIPS PUB 140。(见:NIAP)
The standard addresses data confidentiality, data integrity, and availability and may apply to other aspects of security. It focuses on threats to information arising from human activities, malicious or otherwise, but may apply to non-human threats. It applies to security measures implemented in hardware, firmware, or software. It does not apply to (a) administrative security not related directly to technical security, (b) technical physical aspects of security such as electromagnetic emanation control, (c) evaluation methodology or administrative and legal framework under which the criteria may be applied, (d) procedures for use of evaluation results, or (e) assessment of inherent qualities of cryptographic algorithms.
该标准涉及数据保密性、数据完整性和可用性,并可能适用于安全的其他方面。它侧重于人类活动(恶意或其他)对信息造成的威胁,但可能适用于非人类威胁。它适用于在硬件、固件或软件中实施的安全措施。它不适用于(a)与技术安全不直接相关的行政安全,(b)安全的技术物理方面,如电磁辐射控制,(c)适用标准的评估方法或行政和法律框架,(d)评估结果的使用程序,或(e)密码算法固有质量的评估。
Part 1, Introduction and General Model, defines general concepts and principles of IT security evaluation; presents a general model of evaluation; and defines constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems.
第一部分,引言和一般模型,定义了IT安全评估的一般概念和原则;提出了评价的一般模型;并定义用于表达IT安全目标、选择和定义IT安全需求以及为产品和系统编写高级规范的结构。
Part 2, Security Functional Requirements, contains a catalog of well-defined and well-understood functional requirement statements that are intended to be used as a standard way of expressing the security requirements for IT products and systems.
第2部分“安全功能需求”包含一系列定义明确且易于理解的功能需求声明,这些功能需求声明旨在用作表示IT产品和系统安全需求的标准方式。
Part 3, Security Assurance Requirements, contains a catalog of assurance components for use as a standard way of expressing such requirements for IT products and systems, and defines evaluation criteria for protection profiles and security targets.
第3部分“安全保证要求”包含一个保证组件目录,用作表示IT产品和系统此类要求的标准方式,并定义了保护配置文件和安全目标的评估标准。
$ Common IP Security Option (CIPSO) (I) See: secondary definition under "IPSO".
$ 通用IP安全选项(CIPSO)(I)见“IPSO”下的二级定义。
$ common name (N) A character string that (a) may be a part of the X.500 DN of a Directory object ("commonName" attribute), (b) is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization), and (c) conforms to the naming conventions of the country or culture with which it is associated. [X520] (See: "subject" and "issuer" under "X.509 public-key certificate".)
$ common name(N)(A)可能是目录对象的X.500 DN的一部分(“commonName”属性),(b)是一个(可能不明确的)名称,通过该名称,对象在某些有限范围内(如组织)是众所周知的,(c)符合与其关联的国家或文化的命名约定。[X520](参见“X.509公钥证书”下的“主体”和“颁发者”。)
Examples: "Dr. Albert Einstein", "The United Nations", and "12-th Floor Laser Printer".
例如:“阿尔伯特·爱因斯坦博士”、“联合国”和“第12层激光打印机”。
$ communications cover (N) "Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary." [C4009] (See: operations security, traffic-flow confidentiality, TRANSEC.)
$ 通信内容包括(N)“隐藏或改变特征通信模式,以隐藏可能对敌方有价值的信息。”[C4009](参见:作战安全、交通流保密、TRANSEC。)
$ communication security (COMSEC) (I) Measures that implement and assure security services in a communication system, particularly those that provide data confidentiality and data integrity and that authenticate communicating entities.
$ 通信安全(COMSEC)(I)在通信系统中实施和确保安全服务的措施,特别是提供数据机密性和数据完整性以及认证通信实体的措施。
Usage: COMSEC is usually understood to include (a) cryptography and its related algorithms and key management methods and processes, devices that implement those algorithms and processes, and the lifecycle management of the devices and keying material. Also, COMSEC is sometimes more broadly understood as further including (b) traffic-flow confidentiality, (c) TRANSEC, and (d) steganography [Kahn]. (See: cryptology, signal security.)
用法:通信安全通常被理解为包括(a)加密及其相关算法和密钥管理方法和流程、实施这些算法和流程的设备以及设备和密钥材料的生命周期管理。此外,通信安全有时被更广泛地理解为进一步包括(b)交通流机密性,(c)TRANSEC和(d)隐写术[Kahn]。(参见:密码学,信号安全。)
$ community of interest (COI) 1. (I) A set of entities that operate under a common security policy. (Compare: domain.)
$ 利益共同体(COI)1。(一) 在通用安全策略下运行的一组实体。(比较:域。)
2. (I) A set of entities that exchange information collaboratively for some purpose.
2. (一) 为某种目的协同交换信息的一组实体。
$ community risk (N) Probability that a particular vulnerability will be exploited within an interacting population and adversely affect some members of that population. [C4009] (See: Morris worm, risk.)
$ 社区风险(N):特定脆弱性在相互作用的人群中被利用并对该人群中的某些成员产生不利影响的概率。[C4009](参见:莫里斯蠕虫,风险)
$ community string (I) A community name in the form of an octet string that serves as a cleartext password in SNMP version 1 (RFC 1157) and version 2 (RFC 1901). (See: password, Simple Network Management Protocol.)
$ 社区字符串(I)以八位字节字符串形式表示的社区名称,在SNMP版本1(RFC 1157)和版本2(RFC 1901)中用作明文密码。(请参阅:密码,简单网络管理协议。)
Tutorial: The SNMPv1 and SNMPv2 protocols have been declared "historic" and have been replaced by the more secure SNMPv3 standard (RFCs 3410-3418), which does not use cleartext passwords.
教程:SNMPv1和SNMPv2协议已被宣布为“历史”协议,并被更安全的SNMPv3标准(RFCs 3410-3418)所取代,该标准不使用明文密码。
$ compartment 1. (I) A grouping of sensitive information items that require special access controls beyond those normally provided for the basic classification level of the information. (See: compartmented security mode. Compare: category, classification.)
$ 1舱。(一) 需要特殊访问控制的一组敏感信息项,超出了通常为信息基本分类级别提供的访问控制。(请参阅:分隔安全模式。比较:类别、分类。)
Usage: The term is usually understood to include the special handling procedures to be used for the information.
用法:该术语通常被理解为包括用于信息的特殊处理程序。
2. (I) Synonym for "category".
2. (一) “类别”的同义词。
Deprecated Usage: This Glossary defines "category" with a slightly narrower meaning than "compartment". That is, a security label is assigned to a category because the data owner needs to handle the data as a compartment. However, a compartment could receive special protection in a system without being assigned a category label.
不推荐使用的用法:本术语表对“类别”的定义比“隔间”的含义略窄。也就是说,安全标签被分配给一个类别,因为数据所有者需要将数据作为一个分区来处理。但是,隔室可以在系统中接受特殊保护,而无需指定类别标签。
$ compartmented security mode (N) A mode of system operation wherein all users having access to the system have the necessary security clearance for the single, hierarchical classification level of all data handled by the system, but some users do not have the clearance for a non-hierarchical category of some data handled by the system. (See: category, /system operation/ under "mode", protection level, security clearance.)
$ 分区安全模式(N):一种系统操作模式,其中所有访问系统的用户都对系统处理的所有数据的单一层次分类级别具有必要的安全许可,但一些用户对系统处理的某些数据的非层次分类没有许可。(请参阅:类别/系统操作/在“模式”下、保护级别、安全许可。)
Usage: Usually abbreviated as "compartmented mode". This term was defined in U.S. Government policy on system accreditation. In this mode, a system may handle (a) a single hierarchical classification level and (b) multiple non-hierarchical categories within that level.
用法:通常缩写为“分隔模式”。该术语的定义见美国政府系统认证政策。在此模式下,系统可以处理(a)单个层次分类级别和(b)该级别内的多个非层次分类。
$ Compartments field (I) A 16-bit field (the "C field") that specifies compartment values in the security option (option type 130) of version 4 IP's datagram header format. The valid field values are assigned by the U.S. Government, as specified in RFC 791.
$ 隔间字段(I)一个16位字段(“C字段”),用于指定版本4 IP数据报报头格式的安全选项(选项类型130)中的隔间值。根据RFC 791的规定,有效字段值由美国政府指定。
Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "C field"; the abbreviation is potentially ambiguous. Instead, use "Compartments field".
不推荐使用的缩写:IDOC不应使用缩写“C字段”;缩写可能有歧义。相反,使用“隔间字段”。
$ component See: system component.
$ 组件请参见:系统组件。
$ compression (I) A process that encodes information in a way that minimizes the number of resulting code symbols and thus reduces storage space or transmission time.
$ 压缩(I)一种编码信息的过程,其编码方式可使产生的代码符号数量最小化,从而减少存储空间或传输时间。
Tutorial: A data compression algorithm may be "lossless", i.e., retain all information that was encoded in the data, so that decompression can recover all the information; or an algorithm may be "lossy". Text usually needs to be compressed losslessly, but images are often compressed with lossy schemes.
教程:数据压缩算法可能是“无损的”,即保留数据中编码的所有信息,以便解压缩可以恢复所有信息;或者算法可能是“有损的”。文本通常需要进行无损压缩,但图像通常使用有损压缩方案进行压缩。
Not all schemes that encode information losslessly for machine processing are efficient in terms of minimizing the number of output bits. For example, ASCII encoding is lossless, but ASCII data can often be losslessly reencoded in fewer bits with other schemes. These more efficient schemes take advantage of some sort of inherent imbalance, redundancy, or repetition in the data, such as by replacing a character string in which all characters are the same by a shorter string consisting of only the single character and a character count.
并非所有为机器处理而无损编码信息的方案在最小化输出比特数方面都是有效的。例如,ASCII编码是无损的,但使用其他方案,ASCII数据通常可以以较少的位无损地重新编码。这些更有效的方案利用了数据中某种固有的不平衡、冗余或重复,例如,将所有字符都相同的字符串替换为仅由单个字符和字符计数组成的较短字符串。
Lossless compression schemes cannot effectively reduce the number of bits in cipher text produced by a strong encryption algorithm, because the cipher text is essentially a pseudorandom bit string that does not contain patterns susceptible to reencoding. Therefore, protocols that offer both encryption and compression services (e.g., SSL) need to perform the compression operation before the encryption operation.
无损压缩方案无法有效减少强加密算法产生的密文中的位数,因为密文本质上是一个伪随机位字符串,不包含易重新编码的模式。因此,同时提供加密和压缩服务(例如SSL)的协议需要在加密操作之前执行压缩操作。
$ compromise See: data compromise, security compromise.
$ 危害见:数据危害,安全危害。
$ compromise recovery (I) The process of regaining a secure state for a system after detecting that the system has experienced a security compromise.
$ 折衷恢复(I)在检测到系统发生安全折衷后,恢复系统安全状态的过程。
$ compromised key list (CKL) (N) /MISSI/ A list that identifies keys for which unauthorized disclosure or alteration may have occurred. (See: compromise.)
$ 泄露密钥列表(CKL)(N)/MSI/A识别可能发生未经授权泄露或更改的密钥的列表。(见:妥协。)
Tutorial: A CKL is issued by a CA, like a CRL is issued. But a CKL lists only KMIDs, not subjects that hold the keys, and not certificates in which the keys are bound.
教程:CKL由CA发布,就像CRL被发布一样。但是CKL只列出KMID,不列出持有密钥的主题,也不列出绑定密钥的证书。
$ COMPUSEC (I) See: computer security.
$ 计算机安全(I)见:计算机安全。
$ computer emergency response team (CERT) (I) An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security. (See: CSIRT, security incident.)
$ 计算机应急响应团队(CERT)(I)一个研究计算机和网络信息安全的组织,旨在为攻击受害者提供事件响应服务,发布有关漏洞和威胁的警报,并提供其他信息以帮助提高计算机和网络安全性。(参见:CSIRT,安全事件)
Examples: CERT Coordination Center at Carnegie Mellon University (sometimes called "the" CERT); CIAC.
例如:卡内基梅隆大学CERT协调中心(有时称为“CERT”);中情局。
$ Computer Incident Advisory Capability (CIAC) (O) The centralized CSIRT of the U.S. Department of Energy; a member of FIRST.
$ 计算机事故咨询能力(CIAC)(O)美国能源部的中央CSIRT;第一委员会的成员。
$ computer network (I) A collection of host computers together with the subnetwork or internetwork through which they can exchange data.
$ 计算机网络(I)主机与子网或互联网络的集合,通过它们可以交换数据。
Usage: This definition is intended to cover systems of all sizes and types, ranging from the complex Internet to a simple system composed of a personal computer dialing in as a remote terminal of another computer.
用法:此定义旨在涵盖所有大小和类型的系统,从复杂的Internet到由个人计算机作为另一台计算机的远程终端拨号组成的简单系统。
$ computer platform (I) A combination of computer hardware and an operating system (which may consist of software, firmware, or both) for that hardware. (Compare: computer system.)
$ 计算机平台(I)计算机硬件和用于该硬件的操作系统(可能包括软件、固件或两者)的组合。(比较:计算机系统。)
$ computer security (COMPUSEC) 1. (I) Measures to implement and assure security services in a computer system, particularly those that assure access control service.
$ 计算机安全(计算机安全)1。(一) 在计算机系统中实施和保证安全服务的措施,特别是保证访问控制服务的措施。
Usage: Usually refers to internal controls (functions, features, and technical characteristics) that are implemented in software (especially in operating systems); sometimes refers to internal controls implemented in hardware; rarely used to refer to external controls.
用法:通常指在软件(尤其是操作系统)中实现的内部控制(功能、特性和技术特性);有时指在硬件中实施的内部控制;很少用于指外部控制。
2. (O) "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)." [SP12]
2. (O) “为实现保护信息系统资源(包括硬件、软件、固件、信息/数据和电信)的完整性、可用性和机密性的适用目标而对自动化信息系统提供的保护。”[SP12]
$ computer security incident response team (CSIRT) (I) An organization "that coordinates and supports the response to security incidents that involve sites within a defined constituency." [R2350] (See: CERT, FIRST, security incident.)
$ 计算机安全事件响应团队(CSIRT)(I)“协调和支持对涉及指定选区内站点的安全事件的响应的组织。”[R2350](见:CERT,第一,安全事件。)
Tutorial: To be considered a CSIRT, an organization must do as follows: (a) Provide a (secure) channel for receiving reports about suspected security incidents. (b) Provide assistance to members of its constituency in handling the incidents. (c) Disseminate incident-related information to its constituency and other involved parties.
教程:要被视为CSIRT,组织必须做到以下几点:(a)提供一个(安全的)渠道来接收可疑安全事件的报告。(b) 协助其选区成员处理事件。(c) 向其选区和其他相关方传播事件相关信息。
$ computer security object (I) The definition or representation of a resource, tool, or mechanism used to maintain a condition of security in computerized environments. Includes many items referred to in standards that are either selected or defined by separate user communities. [CSOR] (See: object identifier, Computer Security Objects Register.)
$ 计算机安全对象(I)用于在计算机化环境中维护安全条件的资源、工具或机制的定义或表示。包括标准中提及的许多项目,这些项目由单独的用户社区选择或定义。[CSOR](请参阅:对象标识符,计算机安全对象寄存器。)
$ Computer Security Objects Register (CSOR) (N) A service operated by NIST is establishing a catalog for computer security objects to provide stable object definitions identified by unique names. The use of this register will enable the unambiguous specification of security parameters and algorithms to be used in secure data exchanges. (See: object identifier.)
$ 计算机安全对象注册(CSOR)(N)NIST运营的一项服务正在为计算机安全对象建立目录,以提供由唯一名称标识的稳定对象定义。该寄存器的使用将使安全数据交换中使用的安全参数和算法的明确规范成为可能。(请参见:对象标识符。)
Tutorial: The CSOR follows registration guidelines established by the international standards community and ANSI. Those guidelines establish minimum responsibilities for registration authorities and assign the top branches of an international registration hierarchy. Under that international registration hierarchy, the CSOR is responsible for the allocation of unique identifiers under the branch: {joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3)}.
教程:CSOR遵循国际标准协会和ANSI制定的注册指南。这些准则规定了登记机关的最低责任,并指定了国际登记层级的最高分支机构。根据这一国际注册层级,CSOR负责分配分支机构下的唯一标识符:{联合iso ccitt(2)国家(16)美国(840)组织(1)政府(101)CSOR(3)}。
$ computer system (I) Synonym for "information system", or a component thereof. (Compare: computer platform.)
$ 计算机系统(I)“信息系统”或其组成部分的同义词。(比较:计算机平台。)
$ Computers At Risk (O) The 1991 report [NRC91] of the System Security Study Committee, sponsored by the U.S. National Academy of Sciences and supported by the Defense Advanced Research Projects Agency of the U.S. DoD. It made many recommendations for industry and governments to improve computer security and trustworthiness. Some of the most important recommendations (e.g., establishing an
$ 风险计算机(O)系统安全研究委员会1991年的报告[NRC91],由美国国家科学院赞助,美国国防部国防高级研究计划局支持。它为业界和政府提出了许多建议,以提高计算机的安全性和可靠性。一些最重要的建议(例如,建立
Information Security Foundation chartered by the U.S. Government) have not been implemented at all, and others (e.g., codifying Generally Accepted System Security Principles similar to accounting principles) have been implemented but not widely adopted [SP14, SP27].
美国政府特许的信息安全基金会根本没有实施,而其他(例如,编纂普遍接受的类似于会计原则的系统安全原则)已经实施,但未被广泛采用[SP14,SP27 ]。
$ COMSEC (I) See: communication security.
$ 通信安全(I)见:通信安全。
$ COMSEC account (O) /U.S. Government/ "Administrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material." [C4009] (See: COMSEC custodian.)
$ 通信安全账户(O)/美国政府/“由账号标识的行政实体,用于维护通信安全材料的责任、保管和控制。”[C4009](见:通信安全保管人。)
$ COMSEC accounting (O) /U.S. Government/ The process of creating, collecting, and maintaining data records that describe the status and custody of designated items of COMSEC material. (See: accounting legend code.)
$ 通信安全会计(O)/美国政府/创建、收集和维护描述通信安全材料指定项目状态和保管的数据记录的过程。(请参阅:会计图例代码。)
Tutorial: Almost any secure information system needs to record a security audit trail, but a system that manages COMSEC material needs to record additional data about the status and custody of COMSEC items. - COMSEC tracking: The process of automatically collecting, recording, and managing information that describes the status of designated items of COMSEC material at all times during each product's lifecycle. - COMSEC controlling: The process of supplementing tracking data with custody data, which consists of explicit acknowledgements of system entities that they (a) have received specific COMSEC items and (b) are responsible for preventing exposure of those items.
教程:几乎任何安全信息系统都需要记录安全审计跟踪,但管理通信安全材料的系统需要记录有关通信安全项目状态和保管的附加数据。-通信安全跟踪:自动收集、记录和管理信息的过程,这些信息描述了在每个产品的生命周期中,通信安全材料指定项目的状态。-通信安全控制:用保管数据补充跟踪数据的过程,包括明确确认系统实体(a)已收到特定通信安全项目,以及(b)负责防止这些项目暴露。
For example, a key management system that serves a large customer base needs to record tracking data for the same reasons that a national parcel delivery system does, i.e., to answer the question "Where is that thing now?". If keys are encrypted immediately upon generation and handled only in BLACK form between the point of generation and the point of use, then tracking may be all that is needed. However, in cases where keys are handled at least partly in RED form and are potentially subject to exposure, then tracking needs to be supplemented by controlling.
例如,为大型客户群提供服务的关键管理系统需要记录跟踪数据,原因与国家包裹递送系统相同,即回答“该东西现在在哪里?”。如果密钥在生成时立即加密,并且在生成点和使用点之间仅以黑色形式进行处理,则可能只需要跟踪。但是,如果钥匙至少部分以红色形式处理,并且可能会暴露,则需要通过控制来补充跟踪。
Data that is used purely for tracking need be retained only temporarily, until an item's status changes. Data that is used for controlling is retained indefinitely to ensure accountability and support compromise recovery.
纯粹用于跟踪的数据只需暂时保留,直到项目状态发生变化。用于控制的数据将无限期保留,以确保问责制并支持恢复。
$ COMSEC boundary (N) "Definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage." [C4009] (Compare: cryptographic boundary.)
$ 通信安全边界(N)“可定义的边界,包括执行关键通信安全功能的所有硬件、固件和软件组件,如密钥生成、密钥处理和存储。”[C4009](比较:加密边界。)
$ COMSEC custodian (O) /U.S. Government/ "Individual designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding, and destruction of COMSEC material assigned to a COMSEC account." [C4009]
$ 通信安全托管人(O)/美国政府/“经适当授权指定负责接收、转移、核算、保护和销毁分配给通信安全账户的通信安全材料的个人。”[C4009]
$ COMSEC material (N) /U.S. Government/ Items designed to secure or authenticate communications or information in general; these items include (but are not limited to) keys; equipment, devices, documents, firmware, and software that embodies or describes cryptographic logic; and other items that perform COMSEC functions. [C4009] (Compare: keying material.)
$ 通信安全材料(N)/美国政府/设计用于保护或认证通信或信息的物品;这些项目包括(但不限于)钥匙;包含或描述加密逻辑的设备、装置、文件、固件和软件;以及执行通信安全功能的其他项目。[C4009](比较:键控材质。)
$ COMSEC Material Control System (CMCS) (O) /U.S. Government/ "Logistics and accounting system through which COMSEC material marked 'CRYPTO' is distributed, controlled, and safeguarded." [C4009] (See: COMSEC account, COMSEC custodian.)
$ 通信安全物资控制系统(CMCS)(O)/美国政府/“分配、控制和保护标有“加密”的通信安全物资的物流和会计系统。”[C4009](见:通信安全账户,通信安全保管人。)
$ confidentiality See: data confidentiality.
$ 机密性见:数据机密性。
$ concealment system (O) "A method of achieving confidentiality in which sensitive information is hidden by embedding it in irrelevant data." [NCS04] (Compare: steganography.)
$ 隐藏系统(O)“一种实现机密性的方法,通过将敏感信息嵌入无关数据中来隐藏它。”[NCS04](比较:隐写术。)
$ configuration control (I) The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system. (See: administrative security, harden, trusted distribution.)
$ 配置控制(I)在系统的整个开发和运行寿命期间,对硬件、固件、软件和文档的更改进行调节的过程。(请参阅:管理安全、强化、可信分发。)
Tutorial: Configuration control helps protect against unauthorized or malicious alteration of a system and thus provides assurance of system integrity. (See: malicious logic.)
教程:配置控制有助于防止未经授权或恶意更改系统,从而保证系统完整性。(请参阅:恶意逻辑。)
$ confinement property (N) /formal model/ Property of a system whereby a subject has write access to an object only if the classification of the object dominates the clearance of the subject. (See: *-property, Bell-LaPadula model.)
$ 限制属性(N)/系统的正式模型/属性,根据该系统,仅当对象的分类支配对象的清除时,对象才具有对对象的写访问权限。(见:*-物业,贝尔-拉帕杜拉模型)
$ constraint (I) /access control/ A limitation on the function of an identity, role, or privilege. (See: rule-based access control.)
$ 约束(I)/访问控制/对身份、角色或权限功能的限制。(请参阅:基于规则的访问控制。)
Tutorial: In effect, a constraint is a form of security policy and may be either static or dynamic: - "Static constraint": A constraint that must be satisfied at the time the policy is defined, and then continues to be satisfied until the constraint is removed. - "Dynamic constraint": A constraint that may be defined to apply at various times that the identity, role, or other object of the constraint is active in the system.
教程:实际上,约束是安全策略的一种形式,可以是静态的,也可以是动态的:-“静态约束”:定义策略时必须满足的约束,然后继续满足,直到约束被删除。-“动态约束”:可定义为在约束的标识、角色或其他对象在系统中处于活动状态时应用的约束。
$ content filter (I) /World Wide Web/ Application software used to prevent access to certain Web servers, such as by parents who do not want their children to access pornography. (See: filter, guard.)
$ 内容过滤器(I)/万维网/用于阻止访问某些Web服务器的应用程序软件,例如不希望孩子访问色情内容的家长。(请参阅:过滤器、防护装置。)
Tutorial: The filter is usually browser-based, but could be part of an intermediate cache server. The two basic content filtering techniques are (a) to block a specified list of URLs and (b) to block material that contains specified words and phrases.
教程:过滤器通常基于浏览器,但也可以是中间缓存服务器的一部分。两种基本的内容过滤技术是(a)阻止指定的URL列表和(b)阻止包含指定单词和短语的材料。
$ contingency plan (I) A plan for emergency response, backup operations, and post-disaster recovery in a system as part of a security program to ensure availability of critical system resources and facilitate continuity of operations in a crisis. [NCS04] (See: availability.)
$ 应急计划(I)作为安全计划一部分的系统应急响应、备份操作和灾后恢复计划,以确保关键系统资源的可用性,并促进危机中操作的连续性。[NCS04](见:可用性)
$ control zone (O) "The space, expressed in feet of radius, surrounding equipment processing sensitive information, that is under sufficient physical and technical control to preclude an unauthorized entry or compromise." [NCSSG] (Compare: inspectable space, TEMPEST zone.)
$ 控制区(O)“周围处理敏感信息的设备受到充分的物理和技术控制,以防止未经授权的进入或破坏的空间,以英尺半径表示。”[NCSSG](比较:可检查空间,风暴区。)
$ controlled access protection (O) /TCSEC/ The level of evaluation criteria for a C2 computer system.
$ 受控访问保护(O)/TCSEC/指挥与控制计算机系统的评估标准等级。
Tutorial: The major features of the C2 level are individual accountability, audit, access control, and object reuse.
教程:C2级别的主要功能是个人责任、审计、访问控制和对象重用。
$ controlled cryptographic item (CCI) (O) /U.S. Government/ "Secure telecommunications or information handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements." [C4009] (Compare: EUCI.)
$ 受控密码项目(CCI)(O)/美国政府/“未分类但受特殊控制要求约束的安全电信或信息处理设备或相关密码组件。”[C4009](比较:EUCI.)
Tutorial: This category of equipment was established in 1985 to promote broad use of secure equipment for protecting both classified and unclassified information in the national interest. CCI equipment uses a classified cryptographic logic, but the hardware or firmware embodiment of that logic is unclassified. Drawings, software implementations, and other descriptions of that logic remain classified. [N4001]
教程:这类设备成立于1985年,旨在促进安全设备的广泛使用,以保护国家利益中的机密和非机密信息。CCI设备使用分类密码逻辑,但该逻辑的硬件或固件实施例未分类。图纸、软件实现和该逻辑的其他描述仍然是保密的。[N4001]
$ controlled interface (I) A mechanism that facilitates the adjudication of the different security policies of interconnected systems. (See: domain, guard.)
$ 受控接口(I)一种有助于判定互联系统不同安全策略的机制。(请参阅:域、保护。)
$ controlled security mode (D) /U.S. DoD/ A mode of system operation wherein (a) two or more security levels of information are allowed to be handled concurrently within the same system when some users having access to the system have neither a security clearance nor need-to-know for some of the data handled by the system, but (b) separation of the users and the classified material on the basis, respectively, of clearance and classification level are not dependent only on operating system control (like they are in multilevel security mode). (See: /system operation/ under "mode", protection level.)
$ 受控安全模式(D)/U.S.DoD/A系统运行模式,其中(A)允许在同一系统内同时处理两个或两个以上的安全级别的信息,当一些访问系统的用户既没有安全许可,也不需要知道系统处理的某些数据时,但是(b)分别基于清除和分类级别的用户和分类材料的分离不仅仅取决于操作系统控制(就像在多级安全模式下一样)。(请参阅:/系统操作/在“模式”下,保护级别。)
Deprecated Term: IDOCs SHOULD NOT use this term. It was defined in a U.S. Government policy regarding system accreditation and was subsumed by "partitioned security mode" in a later policy. Both terms were dropped in still later policies.
不推荐使用的术语:IDOCs不应使用此术语。它在美国政府关于系统认证的政策中定义,并在后来的政策中被“分区安全模式”所包含。这两个术语在后来的政策中都被删除了。
Tutorial: Controlled mode was intended to encourage ingenuity in meeting data confidentiality requirements in ways less restrictive than "dedicated security mode" and "system-high security mode", but at a level of risk lower than that generally associated with true "multilevel security mode". This was intended to be accomplished by implementation of explicit augmenting measures to reduce or remove a substantial measure of system software vulnerability together with specific limitation of the security clearance levels of users having concurrent access to the system.
教程:受控模式旨在鼓励以比“专用安全模式”和“系统高安全模式”限制性更小的方式满足数据保密要求的独创性,但风险水平低于通常与真正的“多级安全模式”相关的风险水平。这是通过实施明确的增强措施来实现的,以减少或消除系统软件漏洞的实质性措施,以及对同时访问系统的用户的安全许可级别的具体限制。
$ controlling authority (O) /U.S. Government/ "Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet." [C4009, N4006]
$ 控制机构(O)/美国政府/“负责指导加密网操作以及管理分配给加密网的密钥材料的操作使用和控制的官员。”[C4009,N4006]
$ cookie 1. (I) /HTTP/ Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.
$ 曲奇1。(一) /HTTP/HTTP服务器和浏览器(服务器的客户端)之间交换的数据,用于在客户端存储状态信息,并在以后检索以供服务器使用。
Tutorial: An HTTP server, when sending data to a client, may send along a cookie, which the client retains after the HTTP connection closes. A server can use this mechanism to maintain persistent client-side state information for HTTP-based applications, retrieving the state information in later connections. A cookie may include a description of the range of URLs for which the state is valid. Future requests made by the client in that range will also send the current value of the cookie to the server. Cookies can be used to generate profiles of web usage habits, and thus may infringe on personal privacy.
教程:HTTP服务器在向客户端发送数据时,可能会发送一个cookie,该cookie在HTTP连接关闭后由客户端保留。服务器可以使用此机制为基于HTTP的应用程序维护持久的客户端状态信息,并在以后的连接中检索状态信息。cookie可能包括状态有效的URL范围的描述。客户端在该范围内发出的未来请求也会将cookie的当前值发送到服务器。Cookie可用于生成web使用习惯的配置文件,因此可能侵犯个人隐私。
2. (I) /IPsec/ Data objects exchanged by ISAKMP to prevent certain denial-of-service attacks during the establishment of a security association.
2. (一) /IPsec/由ISAKMP交换的数据对象,用于在建立安全关联期间防止某些拒绝服务攻击。
3. (D) /access control/ Synonym for "capability token" or "ticket".
3. (D) /访问控制/同义词“能力令牌”或“票证”。
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 3; that would duplicate the meaning of better-established terms and mix concepts in a potentially misleading way.
不推荐使用的定义:IDOC不应将此术语与定义3一起使用;这将重复更好的术语的含义,并以潜在误导的方式混合概念。
$ Coordinated Universal Time (UTC) (N) UTC is derived from International Atomic Time (TAI) by adding a number of leap seconds. The International Bureau of Weights and Measures computes TAI once each month by averaging data from many laboratories. (See: GeneralizedTime, UTCTime.)
$ 协调世界时(UTC)(N)UTC是通过添加闰秒数从国际原子时(TAI)派生出来的。国际度量衡局每月通过对来自多个实验室的数据进行平均来计算TAI。(请参见:一般化时间,UTCTime。)
$ correction (I) /security/ A system change made to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence. (See: secondary definition under "security".)
$ 纠正(I)/安全性/为消除或降低安全违规或威胁后果再次发生的风险而进行的系统变更。(见“安全”下的第二个定义)
$ correctness (I) "The property of a system that is guaranteed as the result of formal verification activities." [Huff] (See: correctness proof, verification.)
$ 正确性(I)“作为正式验证活动的结果而得到保证的系统属性。”[Huff](参见:正确性证明,验证。)
$ correctness integrity (I) The property that the information represented by data is accurate and consistent. (Compare: data integrity, source integrity.)
$ 正确性和完整性(I)数据所代表的信息是准确和一致的。(比较:数据完整性、源完整性。)
Tutorial: IDOCs SHOULD NOT use this term without providing a definition; the term is neither well-known nor precisely defined. Data integrity refers to the constancy of data values, and source integrity refers to confidence in data values. However,
教程:IDOCs不应该在没有定义的情况下使用这个术语;这个术语既不广为人知,也没有精确的定义。数据完整性指数据值的恒定性,源完整性指数据值的可信度。然而
correctness integrity refers to confidence in the underlying information that data values represent, and this property is closely related to issues of accountability and error handling.
正确性完整性是指对数据值所表示的底层信息的信心,该属性与责任和错误处理问题密切相关。
$ correctness proof (I) A mathematical proof of consistency between a specification for system security and the implementation of that specification. (See: correctness, formal specification.)
$ 正确性证明(I)系统安全规范与该规范实施之间一致性的数学证明。(参见:正确性,正式规范。)
$ corruption (I) A type of threat action that undesirably alters system operation by adversely modifying system functions or data. (See: disruption.)
$ 腐败(I)一种威胁行为,通过对系统功能或数据进行不利修改,不希望改变系统运行。(见:中断。)
Usage: This type of threat action includes the following subtypes: - "Tampering": /corruption/ Deliberately altering a system's logic, data, or control information to interrupt or prevent correct operation of system functions. (See: misuse, main entry for "tampering".) - "Malicious logic": /corruption/ Any hardware, firmware, or software (e.g., a computer virus) intentionally introduced into a system to modify system functions or data. (See: incapacitation, main entry for "malicious logic", masquerade, misuse.) - "Human error": /corruption/ Human action or inaction that unintentionally results in the alteration of system functions or data. - "Hardware or software error": /corruption/ Error that results in the alteration of system functions or data. - "Natural disaster": /corruption/ Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data. [FP031 Section 2]
用法:此类威胁操作包括以下子类型:-“篡改”:/损坏/故意更改系统的逻辑、数据或控制信息,以中断或阻止系统功能的正确运行。(请参阅:误用,“篡改”的主要条目)-“恶意逻辑”:/损坏/故意引入系统以修改系统功能或数据的任何硬件、固件或软件(如计算机病毒)。(参见:丧失能力,主要条目为“恶意逻辑”、伪装、误用。)-“人为错误”:/腐败/人为行为或不行为无意中导致系统功能或数据的更改。-“硬件或软件错误”:/损坏/导致系统功能或数据更改的错误。-“自然灾害”:/腐败/任何改变系统功能或数据的“天灾”(如闪电引起的电涌)。[FP031第2节]
$ counter 1. (N) /noun/ See: counter mode.
$ 柜台1。(N) /名词/参见:计数器模式。
2. (I) /verb/ See: countermeasure.
2. (一) /动词/见:对策。
$ counter-countermeasure (I) An action, device, procedure, or technique used by an attacker to offset a defensive countermeasure.
$ 反对策(I)攻击者用来抵消防御对策的行动、设备、程序或技术。
Tutorial: For every countermeasure devised to protect computers and networks, some cracker probably will be able to devise a counter-countermeasure. Thus, systems must use "defense in depth".
教程:对于每一个为保护计算机和网络而设计的对策,一些破解者可能会设计出一个反对策。因此,系统必须使用“纵深防御”。
$ counter mode (CTR) (N) A block cipher mode that enhances ECB mode by ensuring that each encrypted block is different from every other block encrypted under the same key. [SP38A] (See: block cipher.)
$ 计数器模式(CTR)(N)一种分组密码模式,通过确保每个加密块与在同一密钥下加密的每个其他块不同,从而增强ECB模式。[SP38A](参见:分组密码。)
Tutorial: This mode operates by first encrypting a generated sequence of blocks, called "counters", that are separate from the input sequence of plaintext blocks which the mode is intended to protect. The resulting sequence of encrypted counters is exclusive-ORed with the sequence of plaintext blocks to produce the final ciphertext output blocks. The sequence of counters must have the property that each counter is different from every other counter for all of the plain text that is encrypted under the same key.
教程:该模式首先对生成的块序列(称为“计数器”)进行加密,这些块与模式要保护的明文块的输入序列分开。生成的加密计数器序列与明文块序列进行异或运算,以生成最终的密文输出块。计数器序列必须具有以下属性:对于在同一密钥下加密的所有纯文本,每个计数器都不同于其他计数器。
$ Counter with Cipher Block Chaining-Message Authentication Code (CCM) (N) A block cipher mode [SP38C] that provides both data confidentiality and data origin authentication, by combining the techniques of CTR and a CBC-based message authentication code. (See: block cipher.)
$ 带有密码分组链接消息认证码(CCM)的计数器(N)通过结合CTR技术和基于CBC的消息认证码,提供数据机密性和数据源认证的分组密码模式[SP38C]。(请参阅:分组密码。)
$ countermeasure (I) An action, device, procedure, or technique that meets or opposes (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
$ 对策(I)通过消除或防止威胁、漏洞或攻击,通过最小化其可能造成的伤害,或通过发现和报告以采取纠正措施,满足或对抗(即反击)威胁、漏洞或攻击的行动、装置、程序或技术。
Tutorial: In an Internet protocol, a countermeasure may take the form of a protocol feature, a component function, or a usage constraint.
教程:在Internet协议中,对策可能采用协议功能、组件功能或使用限制的形式。
$ country code (I) An identifier that is defined for a nation by ISO. [I3166]
$ 国家代码(I)ISO为国家定义的标识符。[I3166]
Tutorial: For each nation, ISO Standard 3166 defines a unique two-character alphabetic code, a unique three-character alphabetic code, and a three-digit code. Among many uses of these codes, the two-character codes are used as top-level domain names.
教程:对于每个国家,ISO标准3166定义了唯一的两字符字母代码、唯一的三字符字母代码和三位数代码。在这些代码的许多用途中,两个字符的代码被用作顶级域名。
$ Courtney's laws (N) Principles for managing system security that were stated by Robert H. Courtney, Jr.
$ 小罗伯特·H·考特尼(Robert H.Courtney,Jr。
Tutorial: Bill Murray codified Courtney's laws as follows: [Murr]
- Courtney's first law: You cannot say anything interesting
(i.e., significant) about the security of a system except in
the context of a particular application and environment.
- Courtney's second law: Never spend more money eliminating a
security exposure than tolerating it will cost you. (See:
acceptable risk, risk analysis.)
-- First corollary: Perfect security has infinite cost.
-- Second corollary: There is no such thing as zero risk.
- Courtney's third law: There are no technical solutions to
management problems, but there are management solutions to
technical problems.
Tutorial: Bill Murray codified Courtney's laws as follows: [Murr]
- Courtney's first law: You cannot say anything interesting
(i.e., significant) about the security of a system except in
the context of a particular application and environment.
- Courtney's second law: Never spend more money eliminating a
security exposure than tolerating it will cost you. (See:
acceptable risk, risk analysis.)
-- First corollary: Perfect security has infinite cost.
-- Second corollary: There is no such thing as zero risk.
- Courtney's third law: There are no technical solutions to
management problems, but there are management solutions to
technical problems.
$ covert action (I) An operation that is planned and executed in a way that conceals the identity of the operator.
$ 隐蔽行动(I)以隐藏操作员身份的方式计划和执行的操作。
$ covert channel 1. (I) An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations. (See: covert storage channel, covert timing channel, out-of-band, tunnel.)
$ 隐蔽通道1。(一) 一种非故意或未经授权的系统内通道,使两个合作实体能够以违反系统安全策略但不超过实体访问权限的方式传输信息。(请参阅:隐蔽存储通道、隐蔽定时通道、带外通道、通道。)
2. (O) "A communications channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy." [NCS04]
2. (O) “允许两个协作进程以违反系统安全策略的方式传输信息的通信通道。”[NCS04]
Tutorial: The cooperating entities can be either two insiders or an insider and an outsider. Of course, an outsider has no access authorization at all. A covert channel is a system feature that the system architects neither designed nor intended for information transfer.
教程:合作实体可以是两个内部人,也可以是一个内部人和一个外部人。当然,局外人根本没有访问权限。隐蔽通道是系统架构师既没有设计也没有打算用于信息传输的系统功能。
$ covert storage channel (I) A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity. (See: covert channel.)
$ 隐蔽存储通道(I)一种系统功能,使一个系统实体能够通过直接或间接写入存储位置向另一个实体发送信息,该存储位置随后由第二个实体直接或间接读取。(请参阅:隐蔽通道。)
$ covert timing channel (I) A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity. (See: covert channel.)
$ 隐蔽定时信道(I)一种系统特性,使一个系统实体能够通过调制其自身对系统资源的使用来向另一个系统实体发送信息,从而影响第二实体观察到的系统响应时间。(请参阅:隐蔽通道。)
$ CPS (I) See: certification practice statement.
$ CPS(I)见:认证实践声明。
$ cracker (I) Someone who tries to break the security of, and gain unauthorized access to, someone else's system, often with malicious intent. (See: adversary, intruder, packet monkey, script kiddy. Compare: hacker.)
$ 破解者(I)试图破坏他人系统的安全性并获得未经授权的访问权限的人,通常带有恶意意图。(参见:敌手、入侵者、包猴、脚本小子。比较:黑客。)
Usage: Was sometimes spelled "kracker". [NCSSG]
用法:有时拼写为“kracker”。[NCSSG]
$ CRAM (I) See: Challenge-Response Authentication Mechanism.
$ CRAM(I)See:质询-响应认证机制。
$ CRC (I) See: cyclic redundancy check.
$ CRC(I)见:循环冗余校验。
$ credential 1. (I) /authentication/ "identifier credential": A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system. Example: X.509 public-key certificate. (See: anonymous credential.)
$ 凭证1。(一) /authentication/“identifier credential”:一种数据对象,是标识符和身份验证信息单元之间关联的可移植表示,可用于验证试图访问系统的实体声明的身份。示例:X.509公钥证书。(请参阅:匿名凭据。)
2. (I) /access control/ "authorization credential": A data object that is a portable representation of the association between an identifier and one or more access authorizations, and that can be presented for use in verifying those authorizations for an entity that attempts such access. Example: X.509 attribute certificate. (See: capability token, ticket.)
2. (一) /access control/“authorization credential”:一种数据对象,它是标识符与一个或多个访问授权之间关联的可移植表示,可用于验证尝试访问的实体的这些授权。示例:X.509属性证书。(请参阅:功能令牌、票据。)
3. (D) /OSIRM/ "Data that is transferred to establish the claimed identity of an entity." [I7498-2]
3. (D) /OSIRM/“为确定实体的声明身份而传输的数据。”[I7498-2]
Deprecated Definition: IDOCs SHOULD NOT use the term with definition 3. As explained in the tutorial below, an authentication process can involve the transfer of multiple data objects, and not all of those are credentials.
不推荐使用的定义:IDOCs不应使用定义为3的术语。正如下面的教程中所解释的,身份验证过程可能涉及多个数据对象的传输,而不是所有这些都是凭据。
4. (D) /U.S. Government/ "An object that is verified when presented to the verifier in an authentication transaction." [M0404]
4. (D) /U.S.Government/“在身份验证事务中提交给验证者时被验证的对象。”[M0404]
Deprecated Definition: IDOCs SHOULD NOT use the term with definition 4; it mixes concepts in a potentially misleading way. For example, in an authentication process, it is the identity that is "verified", not the credential; the credential is "validated". (See: validate vs. verify.)
不推荐使用的定义:IDOC不应使用定义为4的术语;它以一种潜在误导的方式混合概念。例如,在认证过程中,“验证”的是身份,而不是凭证;凭证已“验证”。(请参见:验证与验证。)
Tutorial: In general English, "credentials" are evidence or testimonials that (a) support a claim of identity or authorization and (b) usually are intended to be used more than once (i.e., a credential's life is long compared to the time needed for one use). Some examples are a policeman's badge, an automobile driver's license, and a national passport. An authentication or access control process that uses a badge, license, or passport is outwardly simple: the holder just shows the thing.
教程:在普通英语中,“凭证”是指(a)支持身份或授权声明的证据或证明,(b)通常用于多次使用(即,凭证的使用寿命比一次使用所需的时间长)。例如警察徽章、汽车驾驶执照和国家护照。使用徽章、许可证或护照的身份验证或访问控制过程表面上很简单:持有者只需出示物品。
The problem with adopting this term in Internet security is that an automated process for authentication or access control usually requires multiple steps using multiple data objects, and it might not be immediately obvious which of those objects should get the name "credential".
在Internet安全中采用此术语的问题在于,身份验证或访问控制的自动化过程通常需要使用多个数据对象执行多个步骤,并且可能无法立即确定哪些对象应获得名称“凭据”。
For example, if the verification step in a user authentication process employs public-key technology, then the process involves at least three data items: (a) the user's private key, (b) a signed value -- signed with that private key and passed to the system, perhaps in response to a challenge from the system -- and (c) the user's public-key certificate, which is validated by the system and provides the public key needed to verify the signature. - Private key: The private key is *not* a credential, because it is never transferred or presented. Instead, the private key is "authentication information", which is associated with the user's identifier for a specified period of time and can be used in multiple authentications during that time. - Signed value: The signed value is *not* a credential; the signed value is only ephemeral, not long lasting. The OSIRM definition could be interpreted to call the signed value a credential, but that would conflict with general English. - Certificate: The user's certificate *is* a credential. It can be "transferred" or "presented" to any person or process that needs it at any time. A public-key certificate may be used as an "identity credential", and an attribute certificate may be used as an "authorization credential".
例如,如果用户身份验证过程中的验证步骤采用公钥技术,那么该过程至少涉及三个数据项:(a)用户的私钥,(b)签名值——用该私钥签名并传递给系统,可能是为了响应系统的质询——和(c)用户的公钥证书,由系统验证,并提供验证签名所需的公钥。-私钥:私钥*不是*凭证,因为它从未被传输或呈现。相反,私钥是“身份验证信息”,它在指定的时间段内与用户的标识符相关联,并可在该时间段内用于多次身份验证。-签名值:签名值*不是*凭证;符号值只是短暂的,而不是持久的。OSIRM定义可以解释为将签名值称为凭证,但这与通用英语冲突。-证书:用户的证书*是*凭证。它可以在任何时候“转移”或“呈现”给任何需要它的人或流程。公钥证书可用作“身份凭证”,属性证书可用作“授权凭证”。
$ critical 1. (I) /system resource/ A condition of a system resource such that denial of access to, or lack of availability of, that resource would jeopardize a system user's ability to perform a primary function or would result in other serious consequences, such as human injury or loss of life. (See: availability, precedence. Compare: sensitive.)
$ 关键1。(一) /系统资源/系统资源的一种状况,即拒绝访问或缺少该资源将危及系统用户执行主要功能的能力,或导致其他严重后果,如人身伤害或生命损失。(请参阅:可用性,优先级。比较:敏感。)
2. (N) /extension/ An indication that an application is not permitted to ignore an extension. [X509]
2. (N) /extension/表示不允许应用程序忽略扩展。[X509]
Tutorial: Each extension of an X.509 certificate or CRL is flagged as either "critical" or "non-critical". In a certificate, if a computer program does not recognize an extension's type (i.e., does not implement its semantics), then if the extension is critical, the program is required to treat the certificate as invalid; but if the extension is non-critical, the program is permitted to ignore the extension.
教程:X.509证书或CRL的每个扩展都标记为“关键”或“非关键”。在证书中,如果计算机程序不识别扩展的类型(即,不实现其语义),则如果扩展是关键的,则程序需要将证书视为无效;但如果扩展是非关键的,则允许程序忽略扩展。
In a CRL, if a program does not recognize a critical extension that is associated with a specific certificate, the program is required to assume that the listed certificate has been revoked and is no longer valid, and then take whatever action is required by local policy.
在CRL中,如果程序不识别与特定证书关联的关键扩展,则程序需要假定列出的证书已被吊销且不再有效,然后采取本地策略要求的任何操作。
When a program does not recognize a critical extension that is associated with the CRL as a whole, the program is required to assume that all listed certificates have been revoked and are no longer valid. However, since failing to process the extension may mean that the list has not been completed, the program cannot assume that other certificates are valid, and the program needs to take whatever action is therefore required by local policy.
当程序无法识别与CRL整体关联的关键扩展时,程序需要假定所有列出的证书已被吊销且不再有效。但是,由于未能处理扩展可能意味着列表尚未完成,因此程序不能假定其他证书有效,因此程序需要采取本地政策要求的任何措施。
$ critical information infrastructure (I) Those systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety.
$ 关键信息基础设施(I)对一个国家至关重要的系统,这些系统的失效或破坏将对国家安全、经济或公共卫生和安全产生不利影响。
$ CRL (I) See: certificate revocation list.
$ CRL(I)见:证书撤销清单。
$ CRL distribution point (I) See: distribution point.
$ CRL配送点(I)见:配送点。
$ CRL extension (I) See: extension.
$ CRL分机(I)见:分机。
$ cross-certificate (I) A public-key certificate issued by a CA in one PKI to a CA in another PKI. (See: cross-certification.)
$ 交叉证书(I)由一个PKI中的CA向另一个PKI中的CA颁发的公钥证书。(请参阅:交叉认证。)
$ cross-certification (I) The act or process by which a CA in one PKI issues a public-key certificate to a CA in another PKI. [X509] (See: bridge CA.)
$ 交叉认证(I)一个PKI中的CA向另一个PKI中的CA颁发公钥证书的行为或过程。[X509](见:桥梁CA)
Tutorial: X.509 says that a CA (say, CA1) may issue a "cross-certificate" in which the subject is another CA (say, CA2). X.509 calls CA2 the "subject CA" and calls CA1 an "intermediate CA", but
教程:X.509说CA(比如,CA1)可以颁发一个“交叉证书”,其中主体是另一个CA(比如,CA2)。X.509将CA2称为“主体CA”,将CA1称为“中间CA”,但
this Glossary deprecates those terms. (See: intermediate CA, subject CA).
本术语表不支持这些术语。(参见:中级CA,受试者CA)。
Cross-certification of CA2 by CA1 appears similar to certification of a subordinate CA by a superior CA, but cross-certification involves a different concept. The "subordinate CA" concept applies when both CAs are in the same PKI, i.e., when either (a) CA1 and CA2 are under the same root or (b) CA1 is itself a root. The "cross-certification" concept applies in other cases:
CA1对CA2的交叉认证似乎类似于上级CA对下级CA的认证,但交叉认证涉及不同的概念。当两个CA位于同一个PKI中时,即(a)CA1和CA2在同一根下或(b)CA1本身是根时,“从属CA”概念适用。“交叉认证”概念适用于其他情况:
First, cross-certification applies when two CAs are in different PKIs, i.e., when CA1 and CA2 are under different roots, or perhaps are both roots themselves. Issuing the cross-certificate enables end entities certified under CA1 in PK1 to construct the certification paths needed to validate the certificates of end entities certified under CA2 in PKI2. Sometimes, a pair of cross-certificates is issued -- by CA1 to CA2, and by CA2 to CA1 -- so that an end entity in either PKI can validate certificates issued in the other PKI.
首先,当两个CA位于不同的PKI中时,即当CA1和CA2位于不同的根下,或者可能都是根本身时,交叉认证适用。颁发交叉证书使根据PK1中的CA1认证的终端实体能够构造验证根据PK2中的CA2认证的终端实体的证书所需的认证路径。有时,通过CA1到CA2和CA2到CA1颁发一对交叉证书,以便任何一个PKI中的最终实体都可以验证在另一个PKI中颁发的证书。
Second, X.509 says that two CAs in some complex, multi-CA PKI can cross-certify one another to shorten the certification paths constructed by end entities. Whether or not a CA may perform this or any other form of cross-certification, and how such certificates may be used by end entities, should be addressed by the local certificate policy and CPS.
其次,X.509指出,在一些复杂的多CA PKI中,两个CA可以相互交叉认证,以缩短由终端实体构建的认证路径。CA是否可以执行此交叉认证或任何其他形式的交叉认证,以及最终实体如何使用此类证书,应由本地证书政策和CP解决。
$ cross-domain solution 1. (D) Synonym for "guard".
$ 跨域解决方案1。(D) “守卫”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "guard"; this term unnecessarily (and verbosely) duplicates the meaning of the long-established "guard".
不推荐使用的术语:IDOCs不应将此术语用作“guard”的同义词;这一术语不必要地(和详细地)重复了由来已久的“警卫”的含义。
2. (O) /U.S. Government/ A process or subsystem that provides a capability (which could be either manual or automated) to access two or more differing security domains in a system, or to transfer information between such domains. (See: domain, guard.)
2. (O) /U.S.Government/提供访问系统中两个或多个不同安全域或在这些域之间传输信息能力(可手动或自动)的过程或子系统。(请参阅:域、保护。)
$ cryptanalysis 1. (I) The mathematical science that deals with analysis of a cryptographic system to gain knowledge needed to break or circumvent the protection that the system is designed to provide. (See: cryptology, secondary definition under "intrusion".)
$ 密码分析1。(一) 一门数学科学,处理对密码系统的分析,以获得打破或绕过该系统设计提供的保护所需的知识。(参见:密码学,“入侵”下的二级定义。)
2. (O) "The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext." [I7498-2]
2. (O) “对密码系统和/或其输入和输出进行分析,以得出机密变量和/或敏感数据,包括明文。”[I7498-2]
Tutorial: Definition 2 states the traditional goal of cryptanalysis, i.e., convert cipher text to plain text (which usually is clear text) without knowing the key; but that definition applies only to encryption systems. Today, the term is used with reference to all kinds of cryptographic algorithms and key management, and definition 1 reflects that. In all cases, however, a cryptanalyst tries to uncover or reproduce someone else's sensitive data, such as clear text, a key, or an algorithm. The basic cryptanalytic attacks on encryption systems are ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext; and these generalize to the other kinds of cryptography.
教程:定义2说明了密码分析的传统目标,即在不知道密钥的情况下将密文转换为纯文本(通常是明文);但该定义仅适用于加密系统。今天,这个术语被用来指代各种密码算法和密钥管理,定义1反映了这一点。然而,在所有情况下,密码分析师都会试图发现或复制其他人的敏感数据,如明文、密钥或算法。对加密系统的基本密码分析攻击只有密文、已知明文、选择明文和选择密文;这也推广到了其他类型的密码学。
$ crypto, CRYPTO 1. (N) A prefix ("crypto-") that means "cryptographic".
$ 加密,加密1。(N) 表示“加密”的前缀(“加密-”)。
Usage: IDOCs MAY use this prefix when it is part of a term listed in this Glossary. Otherwise, IDOCs SHOULD NOT use this prefix; instead, use the unabbreviated adjective, "cryptographic".
用法:当此前缀是本词汇表中所列术语的一部分时,IDOCs可以使用此前缀。否则,IDOC不应使用此前缀;相反,使用未加修饰的形容词“加密”。
2. (D) In lower case, "crypto" is an abbreviation for the adjective "cryptographic", or for the nouns "cryptography" or "cryptographic component".
2. (D) 在小写字母中,“crypto”是形容词“cryptographic”或名词“cryptographic”或“cryptocomponent”的缩写。
Deprecated Abbreviation: IDOCs SHOULD NOT use this abbreviation because it could easily be misunderstood in some technical sense.
不推荐使用的缩写:IDOCs不应该使用这个缩写,因为它很容易在某种技术意义上被误解。
3. (O) /U.S. Government/ In upper case, "CRYPTO" is a marking or designator that identifies "COMSEC keying material used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government-derived information." [C4009] (See: security label, security marking.)
3. (O) /U.S.Government/大写,“CRYPTO”是一个标记或指示符,用于标识“用于保护或认证携带机密或敏感美国政府或美国政府衍生信息的电信的通信安全密钥材料”。[C4009](参见:安全标签,安全标记。)
$ cryptographic (I) An adjective that refers to cryptography.
$ 密码学(I)指密码学的形容词。
$ cryptographic algorithm (I) An algorithm that uses the science of cryptography, including (a) encryption algorithms, (b) cryptographic hash algorithms, (c) digital signature algorithms, and (d) key-agreement algorithms.
$ 加密算法(I)使用密码学的算法,包括(a)加密算法,(b)加密哈希算法,(c)数字签名算法和(d)密钥协商算法。
$ cryptographic application programming interface (CAPI) (I) The source code formats and procedures through which an application program accesses cryptographic services, which are defined abstractly compared to their actual implementation. Example, see: PKCS #11, [R2628].
$ 加密应用程序编程接口(CAPI)(I)应用程序访问加密服务所通过的源代码格式和过程,这些服务是根据实际实现抽象定义的。例如,见:PKCS#11,[R2628]。
$ cryptographic association (I) A security association that involves the use of cryptography to provide security services for data exchanged by the associated entities. (See: ISAKMP.)
$ 加密关联(I)涉及使用加密技术为关联实体交换的数据提供安全服务的安全关联。(见:ISAKMP)
$ cryptographic boundary (I) See: secondary definition under "cryptographic module".
$ 加密边界(I)参见“加密模块”下的二级定义。
$ cryptographic card (I) A cryptographic token in the form of a smart card or a PC card.
$ 加密卡(I)智能卡或PC卡形式的加密令牌。
$ cryptographic component (I) A generic term for any system component that involves cryptography. (See: cryptographic module.)
$ 加密组件(I)涉及加密的任何系统组件的通用术语。(请参阅:加密模块。)
$ cryptographic hash (I) See: secondary definition under "hash function".
$ 加密散列(I)参见“散列函数”下的二级定义。
$ cryptographic ignition key (CIK) 1. (N) A physical (usually electronic) token used to store, transport, and protect cryptographic keys and activation data. (Compare: dongle, fill device.)
$ cryptographic ignition key (CIK) 1. (N) A physical (usually electronic) token used to store, transport, and protect cryptographic keys and activation data. (Compare: dongle, fill device.)translate error, please retry
Tutorial: A key-encrypting key could be divided (see: split key) between a CIK and a cryptographic module, so that it would be necessary to combine the two to regenerate the key, use it to decrypt other keys and data contained in the module, and thus activate the module.
教程:密钥加密密钥可以在CIK和加密模块之间分割(请参见:分割密钥),因此有必要将两者结合起来重新生成密钥,使用它解密模块中包含的其他密钥和数据,从而激活模块。
2. (O) "Device or electronic key used to unlock the secure mode of cryptographic equipment." [C4009] Usage: Abbreviated as "crypto-ignition key".
2. (O) “用于解锁加密设备安全模式的设备或电子钥匙。”[C4009]用法:缩写为“加密点火钥匙”。
$ cryptographic key (I) See: key. Usage: Usually shortened to just "key".
$ 加密密钥(I)参见:密钥。用法:通常缩写为“key”。
$ Cryptographic Message Syntax (CMS) (I) An encapsulation syntax (RFC 3852) for digital signatures, hashes, and encryption of arbitrary messages.
$ 加密消息语法(CMS)(I)用于数字签名、哈希和任意消息加密的封装语法(RFC 3852)。
Tutorial: CMS derives from PKCS #7. CMS values are specified with ASN.1 and use BER encoding. The syntax permits multiple encapsulation with nesting, permits arbitrary attributes to be signed along with message content, and supports a variety of architectures for digital certificate-based key management.
教程:CMS源于PKCS#7。CMS值由ASN.1指定,并使用BER编码。该语法允许使用嵌套进行多次封装,允许随消息内容一起签名任意属性,并支持各种基于数字证书的密钥管理体系结构。
$ cryptographic module (I) A set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the module's "cryptographic boundary", which is an explicitly defined contiguous perimeter that establishes the physical bounds of the module. [FP140]
$ 加密模块(I)一组硬件、软件、固件或其组合,实现加密逻辑或过程,包括加密算法,并包含在模块的“加密边界”内,该边界是明确定义的连续边界,用于建立模块的物理边界。[FP140]
$ cryptographic system 1. (I) A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.
$ 密码系统1。(一) 一组密码算法和密钥管理过程,支持在某些应用程序上下文中使用这些算法。
Usage: IDOCs SHOULD use definition 1 because it covers a wider range of algorithms than definition 2.
用法:IDOCs应该使用定义1,因为它比定义2涵盖更广泛的算法范围。
2. (O) "A collection of transformations from plain text into cipher text and vice versa [which would exclude digital signature, cryptographic hash, and key-agreement algorithms], the particular transformation(s) to be used being selected by keys. The transformations are normally defined by a mathematical algorithm." [X509]
2. (O) “从纯文本到密文的转换集合,反之亦然[不包括数字签名、加密哈希和密钥协商算法],要使用的特定转换由密钥选择。这些转换通常由数学算法定义。”[X509]
$ cryptographic token 1. (I) A portable, user-controlled, physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions. (See: cryptographic card, token.)
$ 加密令牌1。(一) 一种便携式、用户控制的物理设备(如智能卡或PCMCIA卡),用于存储加密信息,并可能执行加密功能。(请参阅:加密卡、令牌。)
Tutorial: A smart token might implement some set of cryptographic algorithms and might incorporate related key management functions, such as a random number generator. A smart cryptographic token may contain a cryptographic module or may not be explicitly designed that way.
教程:智能令牌可能实现一些加密算法集,并可能包含相关的密钥管理功能,如随机数生成器。智能加密令牌可以包含加密模块,也可以不以这种方式显式设计。
$ cryptography 1. (I) The mathematical science that deals with transforming data to render its meaning unintelligible (i.e., to hide its semantic content), prevent its undetected alteration, or prevent its unauthorized use. If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form. (See: cryptology, steganography.)
$ 密码学1。(一) 处理转换数据以使其含义无法理解(即隐藏其语义内容)、防止其未被检测到的更改或防止其未经授权的使用的数学科学。如果转换是可逆的,密码学还处理将加密数据恢复为可理解形式的问题。(参见:密码学、隐写术。)
2. (O) "The discipline which embodies principles, means, and
methods for the transformation of data in order to hide its
information content, prevent its undetected modification and/or
prevent its unauthorized use.... Cryptography determines the
methods used in encipherment and decipherment." [I7498-2]
2. (O) "The discipline which embodies principles, means, and
methods for the transformation of data in order to hide its
information content, prevent its undetected modification and/or
prevent its unauthorized use.... Cryptography determines the
methods used in encipherment and decipherment." [I7498-2]
Tutorial: Comprehensive coverage of applied cryptographic protocols and algorithms is provided by Schneier [Schn]. Businesses and governments use cryptography to make data incomprehensible to outsiders; to make data incomprehensible to both outsiders and insiders, the data is sent to lawyers for a rewrite.
教程:Schneier[Schn]全面介绍了应用的加密协议和算法。企业和政府使用加密技术使外部人士无法理解数据;为了让外部人士和内部人士都无法理解数据,数据被发送给律师进行重写。
$ Cryptoki (N) A CAPI defined in PKCS #11. Pronunciation: "CRYPTO-key". Derivation: Abbreviation of "cryptographic token interface".
$ Cryptoki(N)PKCS#11中定义的CAPI。发音:“加密密钥”。派生词:“加密令牌接口”的缩写。
$ cryptology (I) The science of secret communication, which includes both cryptography and cryptanalysis.
$ 密码学(I)保密通信科学,包括密码学和密码分析。
Tutorial: Sometimes the term is used more broadly to denote activity that includes both rendering signals secure (see: signal security) and extracting information from signals (see: signal intelligence) [Kahn].
教程:有时该术语更广泛地用于表示活动,包括呈现安全信号(参见:信号安全)和从信号中提取信息(参见:信号智能)[Kahn]。
$ cryptonet (I) A network (i.e., a communicating set) of system entities that share a secret cryptographic key for a symmetric algorithm. (See: controlling authority.)
$ cryptonet(I)系统实体的网络(即通信集),共享对称算法的密钥。(见:控制机构。)
(O) "Stations holding a common key." [C4009]
(O) “持有公用钥匙的电台。”[C4009]
$ cryptoperiod (I) The time span during which a particular key value is authorized to be used in a cryptographic system. (See: key management.)
$ 密码周期(I)特定密钥值被授权在密码系统中使用的时间跨度。(请参阅:密钥管理。)
Usage: This term is long-established in COMPUSEC usage. In the context of certificates and public keys, "key lifetime" and "validity period" are often used instead.
用法:这个术语在COMPUSEC的用法中由来已久。在证书和公钥的上下文中,通常使用“密钥生存期”和“有效期”。
Tutorial: A cryptoperiod is usually stated in terms of calendar or clock time, but sometimes is stated in terms of the maximum amount of data permitted to be processed by a cryptographic algorithm using the key. Specifying a cryptoperiod involves a tradeoff between the cost of rekeying and the risk of successful cryptoanalysis.
教程:加密周期通常以日历或时钟时间表示,但有时以使用密钥的加密算法允许处理的最大数据量表示。指定加密周期需要在密钥更新成本和成功密码分析风险之间进行权衡。
$ cryptosystem (I) Contraction of "cryptographic system".
$ 密码系统(I)“密码系统”的缩写。
$ cryptovariable (D) Synonym for "key".
$ 加密变量(D)是“密钥”的同义词。
Deprecated Usage: In contemporary COMSEC usage, the term "key" has replaced the term "cryptovariable".
不推荐使用:在当代通信安全使用中,术语“密钥”已取代术语“加密变量”。
$ CSIRT (I) See: computer security incident response team.
$ CSIRT(I)见:计算机安全事件响应小组。
$ CSOR (N) See: Computer Security Objects Register.
$ CSOR(N)参见:计算机安全对象寄存器。
$ CTAK (D) See: ciphertext auto-key.
$ CTAK(D)参见:密文自动密钥。
$ CTR (N) See: counter mode.
$ CTR(N)参见:计数器模式。
$ cut-and-paste attack (I) An active attack on the data integrity of cipher text, effected by replacing sections of cipher text with other cipher text, such that the result appears to decrypt correctly but actually decrypts to plain text that is forged to the satisfaction of the attacker.
$ 剪切粘贴攻击(I)对密文数据完整性的主动攻击,通过将密文部分替换为其他密文来实现,从而使结果看起来正确解密,但实际上解密为伪造的纯文本,使攻击者满意。
$ cyclic redundancy check (CRC) (I) A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected. Sometimes called "cyclic redundancy code".
$ 循环冗余校验(CRC)(I)一种校验和算法,它不是加密散列,但用于实现数据完整性服务,其中预期会对数据进行意外更改。有时称为“循环冗余码”。
$ DAC (N) See: Data Authentication Code, discretionary access control.
$ DAC(N)参见:数据认证码,自主访问控制。
Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because this abbreviation is ambiguous.
不推荐使用:使用此术语的IDoc应说明其定义,因为此缩写不明确。
$ daemon (I) A computer program that is not invoked explicitly but waits until a specified condition occurs, and then runs with no associated user (principal), usually for an administrative purpose. (See: zombie.)
$ daemon(I)一种计算机程序,通常出于管理目的,它不被显式调用,而是等待指定的条件发生,然后在没有相关用户(主体)的情况下运行。(见:僵尸。)
$ dangling threat (O) A threat to a system for which there is no corresponding vulnerability and, therefore, no implied risk.
$ 悬空威胁(O)对系统的威胁,该系统没有相应的漏洞,因此没有隐含风险。
$ dangling vulnerability (O) A vulnerability of a system for which there is no corresponding threat and, therefore, no implied risk.
$ 悬空漏洞(O)系统中没有相应威胁,因此没有隐含风险的漏洞。
$ DASS (I) See: Distributed Authentication Security Service.
$ DASS(I)见:分布式身份验证安全服务。
$ data (I) Information in a specific representation, usually as a sequence of symbols that have meaning.
$ 数据(I)特定表示形式的信息,通常作为具有意义的符号序列。
Usage: Refers to both (a) representations that can be recognized, processed, or produced by a computer or other type of machine, and (b) representations that can be handled by a human.
用法:指(a)可由计算机或其他类型机器识别、处理或生成的表示,以及(b)可由人类处理的表示。
$ Data Authentication Algorithm, data authentication algorithm 1. (N) /capitalized/ The ANSI standard for a keyed hash function that is equivalent to DES cipher block chaining with IV = 0. [A9009]
$ 数据认证算法,数据认证算法1。(N) /capitalized/键控哈希函数的ANSI标准,相当于IV=0的DES密码块链接。[A9009]
2. (D) /not capitalized/ Synonym for some kind of "checksum".
2. (D) /未大写/某种“校验和”的同义词。
Deprecated Term: IDOCs SHOULD NOT use the uncapitalized form "data authentication algorithm" as a synonym for any kind of checksum, regardless of whether or not the checksum is based on a hash. Instead, use "checksum", "Data Authentication Code", "error detection code", "hash", "keyed hash", "Message Authentication Code", "protected checksum", or some other specific term, depending on what is meant.
不推荐使用的术语:IDOCs不应使用非资本主义形式的“数据认证算法”作为任何类型校验和的同义词,无论校验和是否基于散列。相反,使用“校验和”、“数据验证码”、“错误检测码”、“散列”、“密钥散列”、“消息验证码”、“受保护校验和”或其他特定术语,具体取决于其含义。
The uncapitalized term can be confused with the Data Authentication Code and also mixes concepts in a potentially misleading way. The word "authentication" is misleading because the checksum may be used to perform a data integrity function rather than a data origin authentication function.
未资本化的术语可能与数据认证代码混淆,也可能以潜在误导的方式混淆概念。“身份验证”一词具有误导性,因为校验和可用于执行数据完整性功能,而不是数据源身份验证功能。
$ Data Authentication Code, data authentication code 1. (N) /capitalized/ A specific U.S. Government standard [FP113] for a checksum that is computed by the Data Authentication Algorithm. Usage: a.k.a. Message Authentication Code [A9009].) (See: DAC.)
$ 数据认证码,数据认证码1。(N) /capitalized/由数据认证算法计算的校验和的特定美国政府标准[FP113]。用法:a.k.a.消息身份验证代码[A9009]。(请参阅:DAC。)
2. (D) /not capitalized/ Synonym for some kind of "checksum".
2. (D) /未大写/某种“校验和”的同义词。
Deprecated Term: IDOCs SHOULD NOT use the uncapitalized form "data authentication code" as a synonym for any kind of checksum, regardless of whether or not the checksum is based on the Data Authentication Algorithm. The uncapitalized term can be confused with the Data Authentication Code and also mixes concepts in a potentially misleading way (see: authentication code).
不推荐使用的术语:IDOCs不应使用未大写形式的“数据身份验证代码”作为任何类型校验和的同义词,无论校验和是否基于数据身份验证算法。未资本化的术语可能与数据身份验证代码混淆,也可能以潜在误导的方式混淆概念(请参阅:身份验证代码)。
$ data compromise 1. (I) A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information might have occurred. (Compare: security compromise, security incident.)
$ 数据泄露1。(一) 一种安全事件,其中信息可能会被未经授权的访问,从而可能会发生未经授权的信息披露、更改或使用。(比较:安全隐患、安全事故。)
2. (O) /U.S. DoD/ A "compromise" is a "communication or physical transfer of information to an unauthorized recipient." [DoD5]
2. (O) /U.S.DoD/A“妥协”是指“向未经授权的接收者通信或物理传输信息。”[DoD5]
3. (O) /U.S. Government/ "Type of [security] incident where information is disclosed to unauthorized individuals or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred." [C4009]
3. (O) /U.S.Government/“向未经授权的个人披露信息或违反系统安全政策的[安全]事件类型,其中可能发生未经授权的故意或无意披露、修改、破坏或丢失对象的事件。”[C4009]
$ data confidentiality 1. (I) The property that data is not disclosed to system entities unless they have been authorized to know the data. (See: Bell-LaPadula model, classification, data confidentiality service, secret. Compare: privacy.)
$ 数据保密1。(一) 不向系统实体披露数据的属性,除非系统实体被授权了解数据。(参见:贝尔-拉帕杜拉模型、分类、数据保密服务、机密。比较:隐私。)
2. (D) "The property that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e., to any unauthorized system entity]." [I7498-2].
2. (D) “未向未经授权的个人、实体或进程[即任何未经授权的系统实体]提供或披露信息的财产。”[I7498-2]。
Deprecated Definition: The phrase "made available" might be interpreted to mean that the data could be altered, and that would confuse this term with the concept of "data integrity".
不推荐使用的定义:“可用”一词可能被解释为意味着数据可能会被更改,这将使该术语与“数据完整性”概念混淆。
$ data confidentiality service (I) A security service that protects data against unauthorized disclosure. (See: access control, data confidentiality, datagram confidentiality service, flow control, inference control.)
$ 数据保密服务(I)保护数据免受未经授权披露的安全服务。(请参阅:访问控制、数据保密、数据报保密服务、流控制、推理控制。)
Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "privacy", which is a different concept.
不推荐使用:IDOCs不应将此术语用作“隐私”的同义词,这是一个不同的概念。
$ Data Encryption Algorithm (DEA) (N) A symmetric block cipher, defined in the U.S. Government's DES. DEA uses a 64-bit key, of which 56 bits are independently chosen and 8 are parity bits, and maps a 64-bit block into another 64-bit block. [FP046] (See: AES, symmetric cryptography.)
$ 数据加密算法(DEA)(N):美国政府DES中定义的对称分组密码。DEA使用一个64位密钥,其中56位是独立选择的,8位是奇偶校验位,并将一个64位块映射到另一个64位块。[FP046](参见:AES,对称加密。)
Usage: This algorithm is usually referred to as "DES". The algorithm has also been adopted in standards outside the Government (e.g., [A3092]).
用法:此算法通常称为“DES”。该算法也被政府以外的标准所采用(例如[A3092])。
$ data encryption key (DEK) (I) A cryptographic key that is used to encipher application data. (Compare: key-encrypting key.)
$ 数据加密密钥(DEK)(I)用于加密应用程序数据的加密密钥。(比较:密钥加密密钥。)
$ Data Encryption Standard (DES) (N) A U.S. Government standard [FP046] that specifies the DEA and states policy for using the algorithm to protect unclassified, sensitive data. (See: AES.)
$ 数据加密标准(DES)(N)美国政府标准[FP046],规定了DEA和使用算法保护未分类敏感数据的州政策。(见:AES)
$ data integrity 1. (I) The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. (See: data integrity service. Compare: correctness integrity, source integrity.)
$ 数据完整性1。(一) 未经授权或意外地更改、销毁或丢失数据的属性。(请参阅:数据完整性服务。比较:正确性完整性、源完整性。)
2. (O) "The property that information has not been modified or destroyed in an unauthorized manner." [I7498-2]
2. (O) “未以未经授权的方式修改或销毁信息的财产。”[I7498-2]
Usage: Deals with (a) constancy of and confidence in data values, and not with either (b) information that the values represent (see: correctness integrity) or (c) the trustworthiness of the source of the values (see: source integrity).
用法:处理(a)数据值的恒定性和可信度,而不是(b)值所代表的信息(参见:正确性完整性)或(c)值源的可信度(参见:源完整性)。
$ data integrity service (I) A security service that protects against unauthorized changes to data, including both intentional change or destruction and accidental change or loss, by ensuring that changes to data are detectable. (See: data integrity, checksum, datagram integrity service.)
$ 数据完整性服务(I)一种安全服务,通过确保可检测到数据更改,防止未经授权的数据更改,包括故意更改或破坏以及意外更改或丢失。(请参阅:数据完整性、校验和、数据报完整性服务。)
Tutorial: A data integrity service can only detect a change and report it to an appropriate system entity; changes cannot be prevented unless the system is perfect (error-free) and no malicious user has access. However, a system that offers data integrity service might also attempt to correct and recover from changes.
教程:数据完整性服务只能检测更改并将其报告给适当的系统实体;除非系统完美(无错误)且没有恶意用户可以访问,否则无法阻止更改。但是,提供数据完整性服务的系统也可能尝试更正更改并从更改中恢复。
The ability of this service to detect changes is limited by the technology of the mechanisms used to implement the service. For example, if the mechanism were a one-bit parity check across each entire SDU, then changes to an odd number of bits in an SDU would be detected, but changes to an even number of bits would not.
此服务检测更改的能力受到用于实现该服务的机制技术的限制。例如,如果该机制是跨整个SDU的一位奇偶校验,则将检测到SDU中奇数位数的更改,但不会检测到偶数位数的更改。
Relationship between data integrity service and authentication services: Although data integrity service is defined separately from data origin authentication service and peer entity authentication service, it is closely related to them. Authentication services depend, by definition, on companion data integrity services. Data origin authentication service provides
数据完整性服务和身份验证服务之间的关系:虽然数据完整性服务与数据源身份验证服务和对等实体身份验证服务分开定义,但它与它们密切相关。根据定义,身份验证服务依赖于配套的数据完整性服务。数据源身份验证服务提供
verification that the identity of the original source of a received data unit is as claimed; there can be no such verification if the data unit has been altered. Peer entity authentication service provides verification that the identity of a peer entity in a current association is as claimed; there can be no such verification if the claimed identity has been altered.
验证所接收数据单元的原始源的身份是否如所声称的那样;如果数据单元已更改,则无法进行此类验证。对等实体认证服务验证当前关联中的对等实体的身份是否如声明的那样;如果声称的身份已被更改,则无法进行此类验证。
$ data origin authentication (I) "The corroboration that the source of data received is as claimed." [I7498-2] (See: authentication.)
$ 数据来源认证(I)“所接收数据来源与所声称的一致的确证。”[I7498-2](见:认证。)
$ data origin authentication service (I) A security service that verifies the identity of a system entity that is claimed to be the original source of received data. (See: authentication, authentication service.)
$ 数据源身份验证服务(I)验证声称是接收数据原始源的系统实体身份的安全服务。(请参阅:身份验证、身份验证服务。)
Tutorial: This service is provided to any system entity that receives or holds the data. Unlike peer entity authentication service, this service is independent of any association between the originator and the recipient, and the data in question may have originated at any time in the past.
教程:此服务提供给接收或保存数据的任何系统实体。与对等实体身份验证服务不同,此服务独立于发端人和接收方之间的任何关联,并且所涉及的数据可能在过去的任何时间产生。
A digital signature mechanism can be used to provide this service, because someone who does not know the private key cannot forge the correct signature. However, by using the signer's public key, anyone can verify the origin of correctly signed data.
数字签名机制可用于提供此服务,因为不知道私钥的人无法伪造正确的签名。但是,通过使用签名者的公钥,任何人都可以验证正确签名数据的来源。
This service is usually bundled with connectionless data integrity service. (See: "relationship between data integrity service and authentication services" under "data integrity service".
此服务通常与无连接数据完整性服务捆绑在一起。(请参阅“数据完整性服务”下的“数据完整性服务和身份验证服务之间的关系”。
$ data owner (N) The organization that has the final statutory and operational authority for specified information.
$ 数据所有者(N):对特定信息拥有最终法定和操作权限的组织。
$ data privacy (D) Synonym for "data confidentiality".
$ 数据隐私(D)“数据机密性”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. Instead, use either "data confidentiality" or "privacy" or both, depending on what is meant.
不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。取而代之的是,使用“数据机密性”或“隐私性”或两者兼用,具体取决于其含义。
$ data recovery 1. (I) /cryptanalysis/ A process for learning, from some cipher text, the plain text that was previously encrypted to produce the cipher text. (See: recovery.)
$ 数据恢复1。(一) /Cryptoanalysis/Cryptoanalysis从某些密文中学习先前加密以生成密文的纯文本的过程。(见:恢复。)
2. (I) /system integrity/ The process of restoring information following damage or destruction.
2. (一) /系统完整性/损坏或破坏后恢复信息的过程。
$ data security (I) The protection of data from disclosure, alteration, destruction, or loss that either is accidental or is intentional but unauthorized.
$ 数据安全(I)保护数据免受意外或故意但未经授权的披露、更改、破坏或丢失。
Tutorial: Both data confidentiality service and data integrity service are needed to achieve data security.
教程:实现数据安全性需要数据机密性服务和数据完整性服务。
$ datagram (I) "A self-contained, independent entity of data [i.e., a packet] carrying sufficient information to be routed from the source [computer] to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." [R1983] Example: A PDU of IP.
$ 数据报(I)“一种自包含、独立的数据实体[即,数据包],承载足够的信息,可从源[计算机]路由到目标计算机,而不依赖该源和目标计算机以及传输网络之间的早期交换。”[R1983]示例:IP的PDU。
$ datagram confidentiality service (I) A data confidentiality service that preserves the confidentiality of data in a single, independent, packet; i.e., the service applies to datagrams one-at-a-time. Example: ESP. (See: data confidentiality.)
$ 数据报保密服务(I)一种数据保密服务,在单个独立数据包中保护数据的机密性;i、 例如,该服务一次一个地应用于数据报。示例:ESP(请参阅:数据机密性)
Usage: When a protocol is said to provide data confidentiality service, this is usually understood to mean that only the SDU is protected in each packet. IDOCs that use the term to mean that the entire PDU is protected should include a highlighted definition.
用法:当一个协议被称为提供数据保密服务时,这通常被理解为在每个数据包中只有SDU受到保护。使用该术语表示整个PDU受保护的IDoc应包括突出显示的定义。
Tutorial: This basic form of network confidentiality service suffices for protecting the data in a stream of packets in both connectionless and connection-oriented protocols. Except perhaps for traffic flow confidentiality, nothing further is needed to protect the confidentiality of data carried by a packet stream. The OSIRM distinguishes between connection confidentiality and connectionless confidentiality. The IPS need not make that distinction, because those services are just instances of the same service (i.e., datagram confidentiality) being offered in two different protocol contexts. (For data integrity service, however, additional effort is needed to protect a stream, and the IPS does need to distinguish between "datagram integrity service" and "stream integrity service".)
教程:这种基本形式的网络保密服务足以在无连接和面向连接的协议中保护数据包流中的数据。也许除了业务流机密性之外,不需要进一步保护分组流所携带的数据的机密性。OSIRM区分连接机密性和无连接机密性。IP不需要做出这种区分,因为这些服务只是在两个不同协议上下文中提供的相同服务(即数据报机密性)的实例。(然而,对于数据完整性服务,需要额外的努力来保护流,IPS确实需要区分“数据报完整性服务”和“流完整性服务”。)
$ datagram integrity service (I) A data integrity service that preserves the integrity of data in a single, independent, packet; i.e., the service applies to datagrams one-at-a-time. (See: data integrity. Compare: stream integrity service.)
$ 数据报完整性服务(I)在单个独立数据包中保持数据完整性的数据完整性服务;i、 例如,该服务一次一个地应用于数据报。(请参阅:数据完整性。比较:流完整性服务。)
Tutorial: The ability to provide appropriate data integrity is important in many Internet security situations, and so there are different kinds of data integrity services suited to different applications. This service is the simplest kind; it is suitable for connectionless data transfers.
教程:在许多互联网安全情况下,提供适当的数据完整性的能力非常重要,因此有适合不同应用程序的不同类型的数据完整性服务。这种服务是最简单的;它适用于无连接的数据传输。
Datagram integrity service usually is designed only to attempt to detect changes to the SDU in each packet, but it might also attempt to detect changes to some or all of the PCI in each packet (see: selective field integrity). In contrast to this simple, one-at-a-time service, some security situations demand a more complex service that also attempts to detect deleted, inserted, or reordered datagrams within a stream of datagrams (see: stream integrity service).
数据报完整性服务通常设计为仅尝试检测每个数据包中SDU的更改,但也可能尝试检测每个数据包中部分或全部PCI的更改(请参阅:选择性字段完整性)。与此简单的一次一个服务不同,某些安全情况需要更复杂的服务,该服务还尝试检测数据报流中已删除、插入或重新排序的数据报(请参阅:流完整性服务)。
$ DEA (N) See: Data Encryption Algorithm.
$ DEA(N)参见:数据加密算法。
$ deception (I) A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. (See: authentication.)
$ 欺诈(I)可能导致授权实体接收虚假数据并相信其真实性的情况或事件。(请参阅:身份验证。)
Tutorial: This is a type of threat consequence, and it can be caused by the following types of threat actions: masquerade, falsification, and repudiation.
教程:这是一种威胁后果,可能由以下类型的威胁行为引起:伪装、伪造和否认。
$ decipher (D) Synonym for "decrypt".
$ 解密(D)“解密”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "decrypt". However, see usage note under "encryption".
不推荐使用的定义:IDOCs不应将此术语用作“解密”的同义词。但是,请参见“加密”下的用法说明。
$ decipherment (D) Synonym for "decryption".
$ 解密(D)“解密”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "decryption". However, see the Usage note under "encryption".
不推荐使用的定义:IDOCs不应将此术语用作“解密”的同义词。但是,请参见“加密”下的用法说明。
$ declassification (I) An authorized process by which information is declassified. (Compare: classification.)
$ 解密(I)信息解密的授权过程。(比较:分类。)
$ declassify (I) To officially remove the security level designation of a classified information item or information type, such that the information is no longer classified (i.e., becomes unclassified). (See: classified, classify, security level. Compare: downgrade.)
$ 解密(I)正式删除保密信息项或信息类型的安全级别指定,使信息不再保密(即变得不保密)。(请参阅:分类、分类、安全级别。比较:降级。)
$ decode 1. (I) Convert encoded data back to its original form of representation. (Compare: decrypt.)
$ 解码1。(一) 将编码数据转换回其原始表示形式。(比较:解密。)
2. (D) Synonym for "decrypt".
2. (D) “解密”的同义词。
Deprecated Definition: Encoding is not usually meant to conceal meaning. Therefore, IDOCs SHOULD NOT use this term as a synonym for "decrypt", because that would mix concepts in a potentially misleading way.
不推荐使用的定义:编码通常不是为了隐藏含义。因此,IDOCs不应该使用这个术语作为“decrypt”的同义词,因为这会以潜在误导的方式混合概念。
$ decrypt (I) Cryptographically restore cipher text to the plaintext form it had before encryption.
$ 解密(I)以加密方式将密文恢复为加密前的明文形式。
$ decryption (I) See: secondary definition under "encryption".
$ 解密(I)见“加密”下的第二定义。
$ dedicated security mode (I) A mode of system operation wherein all users having access to the system possess, for all data handled by the system, both (a) all necessary authorizations (i.e., security clearance and formal access approval) and (b) a need-to-know. (See: /system operation/ under "mode", formal access approval, need to know, protection level, security clearance.)
$ 专用安全模式(I)一种系统操作模式,其中所有访问系统的用户都拥有系统处理的所有数据(A)所有必要的授权(即安全许可和正式访问批准)和(b)需要知道。(参见:/系统操作/在“模式”下,正式访问批准,需要知道,保护级别,安全许可。)
Usage: Usually abbreviated as "dedicated mode". This mode was defined in U.S. Government policy on system accreditation, but the term is also used outside the Government. In this mode, the system may handle either (a) a single classification level or category of information or (b) a range of levels and categories.
用法:通常缩写为“专用模式”。这种模式在美国政府的系统认证政策中有定义,但该术语也在政府之外使用。在此模式下,系统可以处理(a)单个分类级别或信息类别,或(b)一系列级别和类别。
$ default account (I) A system login account (usually accessed with a user identifier and password) that has been predefined in a manufactured system to permit initial access when the system is first put into service. (See: harden.)
$ 默认帐户(I)在制造系统中预定义的系统登录帐户(通常使用用户标识符和密码访问),以便在系统首次投入使用时允许初始访问。(请参见:硬化。)
Tutorial: A default account becomes a serious vulnerability if not properly administered. Sometimes, the default identifier and password are well-known because they are the same in each copy of the system. In any case, when a system is put into service, any default password should immediately be changed or the default account should be disabled.
教程:如果管理不当,默认帐户将成为严重漏洞。有时,默认标识符和密码是众所周知的,因为它们在系统的每个副本中都是相同的。在任何情况下,当系统投入使用时,应立即更改任何默认密码或禁用默认帐户。
$ defense in depth (N) "The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial
$ 纵深防御(N)“相互支持的防御阵地的选址,旨在吸收并逐渐削弱攻击,防止初始攻击
observations of the whole position by the enemy, and [enable] the commander to maneuver the reserve." [JP1]
敌方对整个阵地的观察,并[使]指挥官能够操纵预备队。”[JP1]
Tutorial: In information systems, defense in depth means constructing a system's security architecture with layered and complementary security mechanisms and countermeasures, so that if one security mechanism is defeated, one or more other mechanisms (which are "behind" or "beneath" the first mechanism) still provide protection.
教程:在信息系统中,纵深防御意味着构建具有分层和互补安全机制和对策的系统安全架构,以便在一个安全机制失败时,一个或多个其他机制(在第一个机制的“后面”或“下面”)仍能提供保护。
This architectural concept is appealing because it aligns with traditional warfare doctrine, which applies defense in depth to physical, geospatial structures; but applying the concept to logical, cyberspace structures of computer networks is more difficult. The concept assumes that networks have a spatial or topological representation. It also assumes that there can be implemented -- from the "outer perimeter" of a network, through its various "layers" of components, to its "center" (i.e., to the subscriber application systems supported by the network) -- a varied series of countermeasures that together provide adequate protection. However, it is more difficult to map the topology of networks and make certain that no path exists by which an attacker could bypass all defensive layers.
这一建筑概念之所以吸引人,是因为它与传统战争理论相一致,传统战争理论将纵深防御应用于物理、地理空间结构;但将这一概念应用于计算机网络的逻辑、网络空间结构则更为困难。该概念假设网络具有空间或拓扑表示。它还假设可以实施一系列不同的对策,从网络的“外围”,通过其不同的“层”组件,到其“中心”(即,到网络支持的用户应用系统),共同提供充分的保护。然而,更难的是映射网络拓扑并确保不存在攻击者可以绕过所有防御层的路径。
$ Defense Information Infrastructure (DII) (O) /U.S. DoD/ The U.S. DoD's shared, interconnected system of computers, communications, data, applications, security, people, training, and support structures, serving information needs worldwide. (See: DISN.) Usage: Has evolved to be called the GIG.
$ 国防信息基础设施(DII)(O)/美国国防部/美国国防部的共享互联系统,包括计算机、通信、数据、应用、安全、人员、培训和支持结构,服务于全球信息需求。用法:已演变为GIG。
Tutorial: The DII connects mission support, command and control, and intelligence computers and users through voice, data, imagery, video, and multimedia services, and provides information processing and value-added services to subscribers over the DISN. Users' own data and application software are not considered part of the DII.
教程:DII通过语音、数据、图像、视频和多媒体服务连接任务支持、指挥和控制以及情报计算机和用户,并通过DISN向用户提供信息处理和增值服务。用户自己的数据和应用软件不被视为DII的一部分。
$ Defense Information Systems Network (DISN) (O) /U.S. DoD/ The U.S. DoD's consolidated, worldwide, enterprise level telecommunications infrastructure that provides end-to-end information transfer for supporting military operations; a part of the DII. (Compare: GIG.)
$ 国防信息系统网络(DISN)(O)/美国国防部/美国国防部的综合全球企业级电信基础设施,为支持军事行动提供端到端信息传输;DII的一部分。(比较:GIG)
$ degauss 1a. (N) Apply a magnetic field to permanently remove data from a magnetic storage medium, such as a tape or disk [NCS25]. (Compare: erase, purge, sanitize.)
$ 消磁1a。(N) 施加磁场以从磁带或磁盘等磁性存储介质中永久删除数据[NCS25]。(比较:擦除、清除、消毒。)
1b. (N) Reduce magnetic flux density to zero by applying a reversing magnetic field. (See: magnetic remanence.)
1b。(N) 通过施加反向磁场将磁通密度降至零。(参见:剩磁。)
$ degausser (N) An electrical device that can degauss magnetic storage media.
$ 消磁器(N):一种可以对磁性存储介质进行消磁的电气设备。
$ DEK (I) See: data encryption key.
$ DEK(I)见:数据加密密钥。
$ delay (I) /packet/ See: secondary definition under "stream integrity service".
$ 延迟(I)/数据包/见“流完整性服务”下的二级定义。
$ deletion (I) /packet/ See: secondary definition under "stream integrity service".
$ 删除(I)/数据包/见“流完整性服务”下的二级定义。
$ deliberate exposure (I) /threat action/ See: secondary definition under "exposure".
$ 故意暴露(I)/威胁行动/见“暴露”下的二级定义。
$ delta CRL (I) A partial CRL that only contains entries for certificates that have been revoked since the issuance of a prior, base CRL [X509]. This method can be used to partition CRLs that become too large and unwieldy. (Compare: CRL distribution point.)
$ 增量CRL(I)部分CRL,仅包含自发布以前的基本CRL[X509]以来已撤销的证书的条目。此方法可用于对变得过大和不实用的CRL进行分区。(比较:CRL分布点。)
$ demilitarized zone (DMZ) (D) Synonym for "buffer zone".
$ 非军事区(DMZ)(D)是“缓冲区”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term because it mixes concepts in a potentially misleading way. (See: Deprecated Usage under "Green Book".)
不推荐使用的术语:IDOCs不应该使用这个术语,因为它以一种潜在误导的方式混合了概念。(请参阅“绿皮书”下不推荐的用法。)
$ denial of service (I) The prevention of authorized access to a system resource or the delaying of system operations and functions. (See: availability, critical, flooding.)
$ 拒绝服务(I)阻止对系统资源的授权访问或延迟系统操作和功能。(请参阅:可用性、关键性、泛洪。)
Tutorial: A denial-of-service attack can prevent the normal conduct of business on the Internet. There are four types of solutions to this security problem: - Awareness: Maintaining cognizance of security threats and vulnerabilities. (See: CERT.) - Detection: Finding attacks on end systems and subnetworks. (See: intrusion detection.) - Prevention: Following defensive practices on network-connected systems. (See: [R2827].)
Tutorial: A denial-of-service attack can prevent the normal conduct of business on the Internet. There are four types of solutions to this security problem: - Awareness: Maintaining cognizance of security threats and vulnerabilities. (See: CERT.) - Detection: Finding attacks on end systems and subnetworks. (See: intrusion detection.) - Prevention: Following defensive practices on network-connected systems. (See: [R2827].)translate error, please retry
- Response: Reacting effectively when attacks occur. (See: CSIRT, contingency plan.)
- 响应:在发生攻击时有效地作出反应。(参见:CSIRT,应急计划。)
$ DES (N) See: Data Encryption Standard.
$ DES(N)见:数据加密标准。
$ designated approving authority (DAA) (O) /U.S. Government/ Synonym for "accreditor".
$ 指定审批机构(DAA)(O)/美国政府/同义词“认证人”。
$ detection (I) See: secondary definition under "security".
$ 检测(I)见“安全”下的二级定义。
$ deterrence (I) See: secondary definition under "security".
$ 威慑(一)见“安全”下的第二个定义。
$ dictionary attack (I) An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.
$ 字典攻击(I)一种使用蛮力技术的攻击,即连续尝试某个大型、详尽列表中的所有单词。
Examples: Attack an authentication service by trying all possible passwords. Attack an encryption service by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup.
示例:通过尝试所有可能的密码来攻击身份验证服务。通过使用所有可能的密钥加密某些已知的明文短语来攻击加密服务,以便通过查找获得包含该短语的任何给定加密消息的密钥。
$ Diffie-Hellman $ Diffie-Hellman-Merkle (N) A key-agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman [DH76, R2631].
$ Diffie-Hellman$Diffie-Hellman-Merkle(N)一种密钥协商算法,由Whitfield Diffie和Martin Hellman于1976年发布[DH76,R2631]。
Usage: The algorithm is most often called "Diffie-Hellman". However, in the November 1978 issue of "IEEE Communications Magazine", Hellman wrote that the algorithm "is a public key distribution system, a concept developed by [Ralph C.] Merkle, and hence should be called 'Diffie-Hellman-Merkle' ... to recognize Merkle's equal contribution to the invention of public key cryptography."
用法:该算法通常被称为“Diffie-Hellman”。然而,在1978年11月发行的《IEEE通信杂志》中,Hellman写道,该算法“是一个公钥分发系统,是由[Ralph C.]Merkle提出的一个概念,因此应称为“Diffie Hellman Merkle”……以承认Merkle对公钥密码术的发明做出了同等贡献。”
Tutorial: Diffie-Hellman-Merkle does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.
教程:Diffie Hellman Merkle负责密钥建立,而不是加密。但是,它生成的密钥可用于加密、进一步的密钥管理操作或任何其他加密。
The algorithm is described in [R2631] and [Schn]. In brief, Alice and Bob together pick large integers that satisfy certain mathematical conditions, and then use the integers to each separately compute a public-private key pair. They send each other their public key. Each person uses their own private key and the
[R2631]和[Schn]中描述了该算法。简言之,Alice和Bob一起选择满足特定数学条件的大整数,然后使用这些整数分别计算一个公私密钥对。他们互相发送公钥。每个人都使用自己的私钥和
other person's public key to compute a key, k, that, because of the mathematics of the algorithm, is the same for each of them. Passive wiretapping cannot learn the shared k, because k is not transmitted, and neither are the private keys needed to compute k.
另一个人的公钥,用于计算一个密钥k,由于算法的数学性,该密钥对于每个人都是相同的。被动窃听无法学习共享k,因为k不被传输,计算k所需的私钥也不被传输。
The difficulty of breaking Diffie-Hellman-Merkle is considered to be equal to the difficulty of computing discrete logarithms modulo a large prime. However, without additional mechanisms to authenticate each party to the other, a protocol based on the algorithm may be vulnerable to a man-in-the-middle attack.
打破Diffie-Hellman-Merkle的困难被认为等于计算大素数模的离散对数的困难。然而,如果没有额外的机制来向另一方验证每一方,基于该算法的协议可能容易受到中间人攻击。
$ digest See: message digest.
$ 摘要请参阅:消息摘要。
$ digital certificate (I) A certificate document in the form of a digital data object (a data object used by a computer) to which is appended a computed digital signature value that depends on the data object. (See: attribute certificate, public-key certificate.)
$ 数字证书(I)数字数据对象(计算机使用的数据对象)形式的证书文档,其附加了依赖于该数据对象的计算数字签名值。(请参阅:属性证书、公钥证书。)
Deprecated Usage: IDOCs SHOULD NOT use this term to refer to a signed CRL or CKL. Although the recommended definition can be interpreted to include other signed items, the security community does not use the term with those meanings.
不推荐使用:IDOCs不应使用此术语来指代已签名的CRL或CKL。虽然建议的定义可以解释为包括其他签名项,但安全社区不使用具有这些含义的术语。
$ digital certification (D) Synonym for "certification".
$ 数字认证(D)“认证”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this definition unless the context is not sufficient to distinguish between digital certification and another kind of certification, in which case it would be better to use "public-key certification" or another phrase that indicates what is being certified.
不推荐使用的定义:IDOC不应使用此定义,除非上下文不足以区分数字认证和其他类型的认证,在这种情况下,最好使用“公钥认证”或指示认证内容的其他短语。
$ digital document (I) An electronic data object that represents information originally written in a non-electronic, non-magnetic medium (usually ink on paper) or is an analogue of a document of that type.
$ 数字文档(I)一种电子数据对象,表示最初在非电子、非磁性介质(通常为纸张上的墨水)中写入的信息,或类似于该类型文档的信息。
$ digital envelope (I) A combination of (a) encrypted content data (of any kind) intended for a recipient and (b) the content encryption key in an encrypted form that has been prepared for the use of the recipient.
$ 数字信封(I)(A)为收件人准备的加密内容数据(任何类型)和(b)为收件人准备的加密形式的内容加密密钥的组合。
Usage: In IDOCs, the term SHOULD be defined at the point of first use because, although the term is defined in PKCS #7 and used in S/MIME, it is not widely known.
用法:在IDOCs中,应在首次使用时定义该术语,因为尽管该术语在PKCS#7中定义并在S/MIME中使用,但并不广为人知。
Tutorial: Digital enveloping is not simply a synonym for implementing data confidentiality with encryption; digital enveloping is a hybrid encryption scheme to "seal" a message or other data, by encrypting the data and sending both it and a protected form of the key to the intended recipient, so that no one other than the intended recipient can "open" the message. In PKCS #7, it means first encrypting the data using a symmetric encryption algorithm and a secret key, and then encrypting the secret key using an asymmetric encryption algorithm and the public key of the intended recipient. In S/MIME, additional methods are defined for encrypting the content encryption key.
教程:数字信封不仅仅是用加密实现数据机密性的同义词;数字信封是一种混合加密方案,通过加密数据并将其和受保护的密钥形式发送给预期收件人,“密封”邮件或其他数据,以便除预期收件人以外的任何人都无法“打开”邮件。在PKCS#7中,这意味着首先使用对称加密算法和密钥对数据进行加密,然后使用非对称加密算法和预期收件人的公钥对密钥进行加密。在S/MIME中,定义了用于加密内容加密密钥的其他方法。
$ Digital ID(service mark) (D) Synonym for "digital certificate".
$ 数字标识(服务标志)(D)“数字证书”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term. It is a service mark of a commercial firm, and it unnecessarily duplicates the meaning of a better-established term. (See: credential.)
不推荐使用的术语:IDOCs不应使用此术语。它是一个商业公司的服务标志,不必要地重复了一个更好的术语的含义。(请参阅:凭证。)
$ digital key (D) Synonym for an input parameter of a cryptographic algorithm or other process. (See: key.)
$ 数字密钥(D)是密码算法或其他过程的输入参数的同义词。(请参阅:键。)
Deprecated Usage: The adjective "digital" need not be used with "key" or "cryptographic key", unless the context is insufficient to distinguish the digital key from another kind of key, such as a metal key for a door lock.
不推荐使用:形容词“digital”不必与“key”或“cryptographic key”一起使用,除非上下文不足以区分数字钥匙和其他钥匙,例如门锁的金属钥匙。
$ digital notary (I) An electronic functionary analogous to a notary public. Provides a trusted timestamp for a digital document, so that someone can later prove that the document existed at that point in time; verifies the signature(s) on a signed document before applying the stamp. (See: notarization.)
$ 数字公证人(I)类似于公证人的电子工作人员。为数字文档提供可信的时间戳,以便稍后有人可以证明该文档在该时间点存在;在加盖印章之前,验证已签名文档上的签名。(见:公证)
$ digital signature 1. (I) A value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity. (See: data origin authentication service, data integrity service, signer. Compare: digitized signature, electronic signature.)
$ 数字签名1。(一) 用加密算法计算的一种值,它与数据对象相关联,数据的任何接收者都可以使用签名来验证数据的来源和完整性。(请参阅:数据源身份验证服务、数据完整性服务、签名者。比较:数字签名、电子签名。)
2. (O) "Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient." [I7498-2]
2. (O) “附加到数据单元的数据或数据单元的加密转换,允许数据单元的接收者证明数据单元的来源和完整性,并防止伪造(例如由接收者伪造)。[I7498-2]
Tutorial: A digital signature should have these properties: - Be capable of being verified. (See: validate vs. verify.) - Be bound to the signed data object in such a way that if the data is changed, then when an attempt is made to verify the signature, it will be seen as not authentic. (In some schemes, the signature is appended to the signed object as stated by definition 2, but in other it, schemes is not.) - Uniquely identify a system entity as being the signer. - Be under the signer's sole control, so that it cannot be created by any other entity.
教程:数字签名应该具有以下属性:-能够被验证。(请参阅:验证vs.验证)-绑定到已签名的数据对象时,如果数据发生更改,则在尝试验证签名时,签名将被视为不真实。(在某些方案中,如定义2所述,签名被附加到签名对象,但在另一些方案中,签名不是。)-唯一地将系统实体标识为签名者。-由签字人单独控制,因此不能由任何其他实体创建。
To achieve these properties, the data object is first input to a hash function, and then the hash result is cryptographically transformed using a private key of the signer. The final resulting value is called the digital signature of the data object. The signature value is a protected checksum, because the properties of a cryptographic hash ensure that if the data object is changed, the digital signature will no longer match it. The digital signature is unforgeable because one cannot be certain of correctly creating or changing the signature without knowing the private key of the supposed signer.
为了实现这些属性,首先将数据对象输入到哈希函数,然后使用签名者的私钥对哈希结果进行加密转换。最终的结果值称为数据对象的数字签名。签名值是受保护的校验和,因为加密散列的属性确保如果数据对象发生更改,数字签名将不再匹配它。数字签名是不可伪造的,因为在不知道假定签名人的私钥的情况下,无法确定是否正确创建或更改签名。
Some digital signature schemes use an asymmetric encryption algorithm (e.g., "RSA") to transform the hash result. Thus, when Alice needs to sign a message to send to Bob, she can use her private key to encrypt the hash result. Bob receives both the message and the digital signature. Bob can use Alice's public key to decrypt the signature, and then compare the plaintext result to the hash result that he computes by hashing the message himself. If the values are equal, Bob accepts the message because he is certain that it is from Alice and has arrived unchanged. If the values are not equal, Bob rejects the message because either the message or the signature was altered in transit.
一些数字签名方案使用非对称加密算法(例如,“RSA”)来转换哈希结果。因此,当Alice需要对发送给Bob的消息进行签名时,她可以使用私钥对哈希结果进行加密。Bob接收消息和数字签名。Bob可以使用Alice的公钥对签名进行解密,然后将明文结果与他自己对消息进行散列计算的散列结果进行比较。如果值相等,Bob接受该消息,因为他确定该消息来自Alice,并且没有更改。如果值不相等,Bob将拒绝该消息,因为消息或签名在传输过程中被更改。
Other digital signature schemes (e.g., "DSS") transform the hash result with an algorithm (e.g., "DSA", "El Gamal") that cannot be directly used to encrypt data. Such a scheme creates a signature value from the hash and provides a way to verify the signature value, but does not provide a way to recover the hash result from the signature value. In some countries, such a scheme may improve exportability and avoid other legal constraints on usage. Alice sends the signature value to Bob along with both the message and its hash result. The algorithm enables Bob to use Alice's public
其他数字签名方案(例如,“DSS”)使用无法直接用于加密数据的算法(例如,“DSA”、“El Gamal”)转换哈希结果。这样的方案从散列创建签名值,并提供验证签名值的方法,但不提供从签名值恢复散列结果的方法。在一些国家,这样的计划可以提高出口能力,并避免对使用的其他法律限制。Alice将签名值连同消息及其哈希结果一起发送给Bob。该算法使Bob能够使用Alice的公共
signature key and the signature value to verify the hash result he receives. Then, as before, he compares that hash result she sent to the one that he computes by hashing the message himself.
签名密钥和签名值,以验证他收到的哈希结果。然后,像以前一样,他将她发送的散列结果与他自己对消息进行散列计算的结果进行比较。
$ Digital Signature Algorithm (DSA) (N) An asymmetric cryptographic algorithm for a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. (See: DSS.)
$ 数字签名算法(DSA)(N)以一对大数字的形式对数字签名进行非对称加密的算法。签名使用规则和参数进行计算,以便验证签名者的身份和签名数据的完整性。(见:DSS)
$ Digital Signature Standard (DSS) (N) The U.S. Government standard [FP186] that specifies the DSA.
$ 数字签名标准(DSS)(N)规定数字签名的美国政府标准[FP186]。
$ digital watermarking (I) Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data -- text, graphics, images, video, or audio -- and for detecting or extracting the marks later.
$ 数字水印(I)在数字数据(文本、图形、图像、视频或音频)中以位的形式不可分割地嵌入不引人注目的标记或标签,并在以后检测或提取标记的计算技术。
Tutorial: A "digital watermark", i.e., the set of embedded bits, is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights. [ACM]
教程:“数字水印”,即嵌入位的集合,有时是隐藏的,通常是不可察觉的,并且总是为了不引人注目。根据所使用的特定技术,数字水印可以帮助证明所有权、控制复制、跟踪分发、确保数据完整性以及执行其他保护知识产权的功能。[ACM]
$ digitized signature (D) Denotes various forms of digitized images of handwritten signatures. (Compare: digital signature).
$ 数字签名(D)表示手写签名的各种形式的数字化图像。(比较:数字签名)。
Deprecated Term: IDOCs SHOULD NOT use this term without including this definition. This term suggests careless use of "digital signature", which is the term standardized by [I7498-2]. (See: electronic signature.)
不推荐使用的术语:IDOCs不应在不包含此定义的情况下使用此术语。这一术语表示不小心使用了“数字签名”,这是[I7498-2]标准化的术语。(见:电子签名。)
$ DII (O) See: Defense Information Infrastructure.
$ DII(O)见:国防信息基础设施。
$ direct attack (I) See: secondary definition under "attack". (Compare: indirect attack.)
$ 直接攻击(I)见“攻击”下的二级定义。(比较:间接攻击。)
$ directory, Directory 1. (I) /not capitalized/ Refers generically to a database server or other system that stores and provides access to values of descriptive or operational data items that are associated with the components of a system. (Compare: repository.)
$ 目录,目录1。(一) /未大写/泛指存储并提供对与系统组件相关的描述性或操作性数据项值的访问的数据库服务器或其他系统。(比较:存储库。)
2. (N) /capitalized/ Refers specifically to the X.500 Directory. (See: DN, X.500.)
2. (N) /capitalized/专门指X.500目录。(见:DN,X.500)
$ Directory Access Protocol (DAP) (N) An OSI protocol [X519] for communication between a Directory User Agent (a type of X.500 client) and a Directory System Agent (a type of X.500 server). (See: LDAP.)
$ 目录访问协议(DAP)(N)用于目录用户代理(一种X.500客户端)和目录系统代理(一种X.500服务器)之间通信的OSI协议[X519]。(请参阅:LDAP。)
$ disaster plan (O) Synonym for "contingency plan".
$ 灾难计划(O)是“应急计划”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; instead, for consistency and neutrality of language, IDOCs SHOULD use "contingency plan".
不推荐使用的术语:IDoc不应使用此术语;相反,为了语言的一致性和中立性,IDOC应该使用“应急计划”。
$ disclosure See: unauthorized disclosure. Compare: exposure.
$ 披露见:未经授权的披露。比较:曝光。
$ discretionary access control 1a. (I) An access control service that (a) enforces a security policy based on the identity of system entities and the authorizations associated with the identities and (b) incorporates a concept of ownership in which access rights for a system resource may be granted and revoked by the entity that owns the resource. (See: access control list, DAC, identity-based security policy, mandatory access control.)
$ 自主访问控制1a。(一) 一种访问控制服务,其(a)基于系统实体的身份和与该身份相关联的授权强制执行安全策略,以及(b)包含所有权概念,其中系统资源的访问权可由拥有该资源的实体授予和撤销。(请参阅:访问控制列表、DAC、基于身份的安全策略、强制访问控制。)
Derivation: This service is termed "discretionary" because an entity can be granted access rights to a resource such that the entity can by its own volition enable other entities to access the resource.
派生:这项服务被称为“自主”服务,因为一个实体可以被授予对资源的访问权,这样该实体就可以根据自己的意愿使其他实体访问该资源。
1b. (O) /formal model/ "A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject." [DoD1]
1b。(O) /formal model/“一种基于对象和/或对象所属群体的身份限制对象访问的方法。控制是自由裁量的,即具有特定访问权限的对象能够将该权限(可能间接)传递给任何其他主体。”[DoD1]
$ DISN (O) See: Defense Information Systems Network (DISN).
$ 国防信息系统网络(DISN)见:国防信息系统网络(DISN)。
$ disruption (I) A circumstance or event that interrupts or prevents the correct operation of system services and functions. (See: availability, critical, system integrity, threat consequence.)
$ 中断(I)中断或阻止系统服务和功能正确运行的情况或事件。(请参阅:可用性、关键性、系统完整性、威胁后果。)
Tutorial: Disruption is a type of threat consequence; it can be caused by the following types of threat actions: incapacitation, corruption, and obstruction.
教程:中断是一种威胁后果;它可能由以下类型的威胁行为引起:丧失能力、腐败和阻碍。
$ Distinguished Encoding Rules (DER) (N) A subset of the Basic Encoding Rules that always provides only one way to encode any data structure defined by ASN.1. [X690].
$ 可分辨编码规则(DER)(N)基本编码规则的子集,它始终只提供一种方法来编码ASN.1定义的任何数据结构。[X690]。
Tutorial: For a data structure defined abstractly in ASN.1, BER often provides for encoding the structure into an octet string in more than one way, so that two separate BER implementations can legitimately produce different octet strings for the same ASN.1 definition. However, some applications require all encodings of a structure to be the same, so that encodings can be compared for equality. Therefore, DER is used in applications in which unique encoding is needed, such as when a digital signature is computed on a structure defined by ASN.1.
教程:对于ASN.1中抽象定义的数据结构,BER通常以多种方式将结构编码为八位字符串,因此两个单独的BER实现可以合法地为同一ASN.1定义生成不同的八位字符串。然而,有些应用程序要求一个结构的所有编码都相同,这样就可以比较编码是否相等。因此,DER用于需要唯一编码的应用中,例如在ASN.1定义的结构上计算数字签名时。
$ distinguished name (DN) (N) An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (Compare: domain name, identity, naming authority.)
$ 可分辨名称(DN)(N)唯一表示X.500目录信息树(DIT)中对象的标识符[X501]。(比较:域名、身份、命名机构。)
Tutorial: A DN is a set of attribute values that identify the path leading from the base of the DIT to the object that is named. An X.509 public-key certificate or CRL contains a DN that identifies its issuer, and an X.509 attribute certificate contains a DN or other form of name that identifies its subject.
教程:DN是一组属性值,用于标识从DIT底部到命名对象的路径。X.509公钥证书或CRL包含标识其颁发者的DN,X.509属性证书包含标识其主题的DN或其他形式的名称。
$ distributed attack 1a. (I) An attack that is implemented with distributed computing. (See: zombie.)
$ 分布式攻击1a。(一) 一种通过分布式计算实现的攻击。(见:僵尸。)
1b. (I) An attack that deploys multiple threat agents.
1b。(一) 部署多个威胁代理的攻击。
$ Distributed Authentication Security Service (DASS) (I) An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.
$ 分布式身份验证安全服务(DASS)(I)一种实验性互联网协议[R1507],它使用加密机制在分布式环境中提供强大的相互身份验证服务。
$ distributed computing (I) A technique that disperses a single, logically related set of tasks among a group of geographically separate yet cooperating computers. (See: distributed attack.)
$ 分布式计算(I)一种技术,它将一组逻辑上相关的任务分散在一组地理上独立但相互协作的计算机中。(请参阅:分布式攻击。)
$ distribution point (I) An X.500 Directory entry or other information source that is named in a v3 X.509 public-key certificate extension as a location from which to obtain a CRL that may list the certificate.
$ 分发点(I)v3 X.509公钥证书扩展名中指定的X.500目录项或其他信息源,作为获取可能列出证书的CRL的位置。
Tutorial: A v3 X.509 public-key certificate may have a "cRLDistributionPoints" extension that names places to get CRLs on which the certificate might be listed. (See: certificate profile.) A CRL obtained from a distribution point may (a) cover either all reasons for which a certificate might be revoked or only some of the reasons, (b) be issued by either the authority that signed the certificate or some other authority, and (c) contain revocation entries for only a subset of the full set of certificates issued by one CA or (d) contain revocation entries for multiple CAs.
教程:v3 X.509公钥证书可能有一个“cRLDistributionPoints”扩展名,该扩展名指定了获取证书可能列出的CRL的位置。(参见:证书简介。)从分发点获得的CRL可能(A)涵盖证书可能被撤销的所有原因,或仅包括部分原因,(b)由签署证书的机构或其他机构颁发,以及(c)仅包含一个CA颁发的全套证书的子集的吊销条目,或(d)包含多个CA的吊销条目。
$ DKIM (I) See: Domain Keys Identified Mail.
$ DKIM(I)见:域密钥识别邮件。
$ DMZ (D) See: demilitarized zone.
$ 非军事区(D)见:非军事区。
$ DN (N) See: distinguished name.
$ DN(N)参见:可分辨名称。
$ DNS (I) See: Domain Name System.
$ DNS(一)见:域名系统。
$ doctrine See: security doctrine.
$ 原则见:安全原则。
$ DoD (N) Department of Defense.
$ 国防部(N)国防部。
Usage: To avoid international misunderstanding, IDOCs SHOULD use this abbreviation only with a national qualifier (e.g., U.S. DoD).
用法:为避免国际误解,IDOC应仅在国家限定词(如美国国防部)中使用此缩写。
$ DOI (I) See: Domain of Interpretation.
$ 内政部(一)见:解释领域。
$ domain 1a. (I) /general security/ An environment or context that (a) includes a set of system resources and a set of system entities that have the right to access the resources and (b) usually is defined by a security policy, security model, or security architecture. (See: CA domain, domain of interpretation, security perimeter. Compare: COI, enclave.)
$ 域1a。(一) /通用安全性/一种环境或上下文(a)包括一组系统资源和一组有权访问资源的系统实体,以及(b)通常由安全策略、安全模型或安全体系结构定义。(参见:CA域、解释域、安全周界。比较:COI、enclave。)
Tutorial: A "controlled interface" or "guard" is required to transfer information between network domains that operate under different security policies.
教程:在不同安全策略下运行的网络域之间传输信息需要“受控接口”或“防护”。
1b. (O) /security policy/ A set of users, their information objects, and a common security policy. [DoD6, SP33]
1b。(O) /security policy/一组用户、他们的信息对象和通用安全策略。[DoD6,SP33]
1c. (O) /security policy/ A system or collection of systems that (a) belongs to a community of interest that implements a consistent security policy and (b) is administered by a single authority.
1c。(O) /security policy/A系统或系统集合,其(A)属于实施一致安全策略的利益团体,且(b)由单一机构管理。
2. (O) /COMPUSEC/ An operating state or mode of a set of computer hardware.
2. (O) /COMPUSEC/一组计算机硬件的操作状态或模式。
Tutorial: Most computers have at least two hardware operating modes [Gass]: - "Privileged" mode: a.k.a. "executive", "master", "system", "kernel", or "supervisor" mode. In this mode, software can execute all machine instructions and access all storage locations. - "Unprivileged" mode: a.k.a. "user", "application", or "problem" mode. In this mode, software is restricted to a subset of the instructions and a subset of the storage locations.
教程:大多数计算机至少有两种硬件操作模式[Gass]:-“特权”模式:也称为“执行”、“主控”、“系统”、“内核”或“监控”模式。在此模式下,软件可以执行所有机器指令并访问所有存储位置。-“非特权”模式:又称“用户”、“应用程序”或“问题”模式。在此模式下,软件仅限于指令子集和存储位置子集。
3. (O) "A distinct scope within which certain common characteristics are exhibited and common rules are observed." [CORBA]
3. (O) “展示某些共同特征和遵守共同规则的独特范围。”[CORBA]
4. (O) /MISSI/ The domain of a MISSI CA is the set of MISSI users whose certificates are signed by the CA.
4. (O) /MISSI/MISSI CA的域是其证书由CA签名的一组MISSI用户。
5. (I) /Internet/ That part of the tree-structured name space of the DNS that is at or below the name that specifies the domain. A domain is a subdomain of another domain if it is contained within that domain. For example, D.C.B.A is a subdomain of C.B.A
5. (一) /Internet/DNS的树状结构名称空间中位于或低于指定域的名称的部分。如果一个域包含在另一个域中,则该域是该域的子域。例如,D.C.B.A是C.B.A的子域
6. (O) /OSI/ An administrative partition of a complex distributed OSI system.
6. (O) /OSI/复杂分布式OSI系统的管理分区。
$ Domain Keys Identified Mail (DKIM) (I) A protocol, which is being specified by the IETF working group of the same name, to provide data integrity and domain-level (see: DNS, domain name) data origin authentication for Internet mail messages. (Compare: PEM.)
$ 域密钥识别邮件(DKIM)(I)IETF同名工作组指定的一种协议,用于为Internet邮件消息提供数据完整性和域级(请参阅:DNS,域名)数据源身份验证。(比较:PEM)
Tutorial: DKIM employs asymmetric cryptography to create a digital signature for an Internet email message's body and selected
教程:DKIM使用非对称加密技术为Internet电子邮件正文和选定内容创建数字签名
headers (see RFC 1822), and the signature is then carried in a header of the message. A recipient of the message can verify the signature and, thereby, authenticate the identity of the originating domain and the integrity of the signed content, by using a public key belonging to the domain. The key can be obtained from the DNS.
消息头(参见RFC1822),然后签名被携带在消息头中。消息的接收者可以通过使用属于该域的公钥来验证签名,从而认证发起域的身份和签名内容的完整性。可以从DNS获取密钥。
$ domain name (I) The style of identifier that is defined for subtrees in the Internet DNS -- i.e., a sequence of case-insensitive ASCII labels separated by dots (e.g., "bbn.com") -- and also is used in other types of Internet identifiers, such as host names (e.g., "rosslyn.bbn.com"), mailbox names (e.g., "rshirey@bbn.com") and URLs (e.g., "http://www.rosslyn.bbn.com/foo"). (See: domain. Compare: DN.)
$ 域名(I)为Internet DNS中的子树定义的标识符样式——即,由点分隔的不区分大小写的ASCII标签序列(例如,“bbn.com”)——也用于其他类型的Internet标识符,如主机名(例如,“rosslyn.bbn.com”)、邮箱名(例如rshirey@bbn.com)和URL(例如。,"http://www.rosslyn.bbn.com/foo)(请参阅:域。比较:DN。)
Tutorial: The name space of the DNS is a tree structure in which each node and leaf holds records describing a resource. Each node has a label. The domain name of a node is the list of labels on the path from the node to the root of the tree. The labels in a domain name are printed or read left to right, from the most specific (lowest, farthest from the root) to the least specific (highest, closest to the root), but the root's label is the null string. (See: country code.)
教程:DNS的名称空间是一个树结构,其中每个节点和叶都保存描述资源的记录。每个节点都有一个标签。节点的域名是从节点到树根的路径上的标签列表。域名中的标签从左到右打印或读取,从最特定的(最低,离根最远)到最不特定的(最高,离根最近),但根的标签是空字符串。(请参阅:国家代码。)
$ Domain Name System (DNS) (I) The main Internet operations database, which is distributed over a collection of servers and used by client software for purposes such as (a) translating a domain name-style host name into an IP address (e.g., "rosslyn.bbn.com" translates to "192.1.7.10") and (b) locating a host that accepts mail for a given mailbox address. (RFC 1034) (See: domain name.)
$ 域名系统(DNS)(I)主要的互联网操作数据库,分布在一组服务器上,由客户端软件用于(a)将域名样式的主机名转换为IP地址(例如,“rosslyn.bbn.com”转换为“192.1.7.10”)和(b)查找接受给定邮箱地址邮件的主机。(RFC1034)(见:域名)
Tutorial: The DNS has three major components: - Domain name space and resource records: Specifications for the tree-structured domain name space, and data associated with the names. - Name servers: Programs that hold information about a subset of the tree's structure and data holdings, and also hold pointers to other name servers that can provide information from any part of the tree. - Resolvers: Programs that extract information from name servers in response to client requests; typically, system routines directly accessible to user programs.
教程:DNS有三个主要组件:-域名空间和资源记录:树状结构域名空间的规范,以及与名称相关的数据。-名称服务器:保存有关树的结构和数据的子集信息的程序,还保存指向其他名称服务器的指针,这些名称服务器可以提供来自树的任何部分的信息。-解析程序:根据客户端请求从名称服务器提取信息的程序;通常,用户程序可以直接访问系统例程。
Extensions to the DNS [R4033, R4034, R4035] support (a) key distribution for public keys needed for the DNS and for other protocols, (b) data origin authentication service and data
DNS的扩展[R4033、R4034、R4035]支持(a)DNS和其他协议所需公钥的密钥分发,(b)数据源身份验证服务和数据
integrity service for resource records, (c) data origin authentication service for transactions between resolvers and servers, and (d) access control of records.
资源记录的完整性服务,(c)解析程序和服务器之间事务的数据源身份验证服务,以及(d)记录的访问控制。
$ domain of interpretation (DOI) (I) /IPsec/ A DOI for ISAKMP or IKE defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. Example: See [R2407].
$ ISAKMP或IKE的解释域(DOI)(I)/IPsec/A DOI定义了有效负载格式、交换类型和命名安全相关信息(如安全策略或加密算法和模式)的约定。示例:请参见[R2407]。
Derivation: The DOI concept is based on work by the TSIG's CIPSO Working Group.
推导:内政部概念基于TSIG的CIPSO工作组的工作。
$ dominate (I) Security level A is said to "dominate" security level B if the (hierarchical) classification level of A is greater (higher) than or equal to that of B, and A's (nonhierarchical) categories include (as a subset) all of B's categories. (See: lattice, lattice model.)
$ 主导(I)如果A的(分层)分类级别大于(高于)或等于B的分类级别,且A的(非分层)类别包括(作为子集)B的所有类别,则称A的安全级别为“主导”安全级别B。(请参见:晶格,晶格模型。)
$ dongle (I) A portable, physical, usually electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)
$ 加密狗(I):一种便携式物理设备,通常是电子设备,需要连接到计算机上才能运行特定的软件程序。(请参阅:令牌。)
Tutorial: A dongle is essentially a physical key used for copy protection of software; that is, the program will not run unless the matching dongle is attached. When the software runs, it periodically queries the dongle and quits if the dongle does not reply with the proper authentication information. Dongles were originally constructed as an EPROM (erasable programmable read-only memory) to be connected to a serial input-output port of a personal computer.
教程:加密狗本质上是用于软件拷贝保护的物理密钥;也就是说,除非连接了匹配的加密狗,否则程序不会运行。当软件运行时,它会定期查询加密狗,如果加密狗没有使用正确的身份验证信息进行回复,它就会退出。加密狗最初被构造为一个EPROM(可擦除可编程只读存储器),连接到个人计算机的串行输入输出端口。
$ downgrade (I) /data security/ Reduce the security level of data (especially the classification level) without changing the information content of the data. (Compare: downgrade.)
$ 降级(I)/数据安全性/在不改变数据信息内容的情况下降低数据的安全级别(尤其是分类级别)。(比较:降级。)
$ downgrade attack (I) A type of man-in-the-middle attack in which the attacker can cause two parties, at the time they negotiate a security association, to agree on a lower level of protection than the highest level that could have been supported by both of them. (Compare: downgrade.)
$ 降级攻击(I)一种中间人攻击类型,在这种攻击中,攻击者可以使双方在协商安全关联时,就低于双方可能支持的最高级别的保护级别达成一致。(比较:降级。)
$ draft RFC (D) A preliminary, temporary version of a document that is intended to become an RFC. (Compare: Internet-Draft.)
$ RFC草案(D):旨在成为RFC的文件的初步、临时版本。(比较:互联网草稿。)
Deprecated Term: IDOCs SHOULD NOT use this term. The RFC series is archival in nature and consists only of documents in permanent form. A document that is intended to become an RFC usually needs to be published first as an Internet-Draft (RFC 2026). (See: "Draft Standard" under "Internet Standard".)
不推荐使用的术语:IDOCs不应使用此术语。RFC系列本质上是存档的,只包含永久形式的文档。打算成为RFC的文件通常需要首先作为互联网草案(RFC 2026)发布。(参见“互联网标准”下的“标准草案”。)
$ Draft Standard (I) See: secondary definition under "Internet Standard".
$ 标准草案(I)见“互联网标准”下的二级定义。
$ DSA (N) See: Digital Signature Algorithm.
$ DSA(N)参见:数字签名算法。
$ DSS (N) See: Digital Signature Standard.
$ DSS(N)参见:数字签名标准。
$ dual control (I) A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. (See: no-lone zone, separation of duties, split knowledge.)
$ 双重控制(I)一种程序,使用两个或多个实体(通常是人员)协同工作来保护系统资源,这样,任何单独行动的实体都无法访问该资源。(参见:无单独区域、职责分离、知识分离。)
$ dual signature (O) /SET/ A single digital signature that protects two separate messages by including the hash results for both sets in a single encrypted value. [SET2]
$ 双重签名(O)/SET/一种单一数字签名,通过在单个加密值中包含两个集合的哈希结果来保护两个单独的消息。[SET2]
Deprecated Usage: IDOCs SHOULD NOT use this term except when qualified as "SET(trademark) dual signature" with this definition.
不推荐使用:IDOCs不应使用此术语,除非符合此定义的“集(商标)双重签名”。
Tutorial: Generated by hashing each message separately, concatenating the two hash results, and then hashing that value and encrypting the result with the signer's private key. Done to reduce the number of encryption operations and to enable verification of data integrity without complete disclosure of the data.
教程:分别对每条消息进行散列,连接两个散列结果,然后对该值进行散列,并使用签名者的私钥对结果进行加密。这样做是为了减少加密操作的数量,并在不完全披露数据的情况下验证数据的完整性。
$ dual-use certificate (O) A certificate that is intended for use with both digital signature and data encryption services. [SP32]
$ 两用证书(O)用于数字签名和数据加密服务的证书。[SP32]
Usage: IDOCs that use this term SHOULD state a definition for it by identifying the intended uses of the certificate, because there are more than just these two uses mentioned in the NIST publication. A v3 X.509 public-key certificate may have a "key
用法:使用该术语的IDOC应通过确定证书的预期用途来说明其定义,因为NIST出版物中提到的不仅仅是这两种用途。v3 X.509公钥证书可能具有“密钥”
Usage" extension, which indicates the purposes for which the public key may be used. (See: certificate profile.)
“用法”扩展名,指示公钥可用于的目的。(请参阅:证书配置文件。)
$ duty (I) An attribute of a role that obligates an entity playing the role to perform one or more tasks, which usually are essential for the functioning of the system. [Sand] (Compare authorization, privilege. See: role, billet.)
$ 职责(I)角色的一种属性,该属性要求扮演角色的实体执行一项或多项任务,这些任务通常对系统的运行至关重要。[Sand](比较授权和特权。请参阅:角色和权限。)
$ e-cash (O) Electronic cash; money that is in the form of data and can be used as a payment mechanism on the Internet. (See: IOTP.)
$ 电子现金(O)电子现金;以数据形式存在并可在互联网上用作支付机制的货币。(见:IOTP)
Usage: IDOCs that use this term SHOULD state a definition for it because many different types of electronic cash have been devised with a variety of security mechanisms.
用法:使用此术语的IDoc应说明其定义,因为许多不同类型的电子现金都设计了各种安全机制。
$ EAP (I) See: Extensible Authentication Protocol.
$ EAP(I)见:可扩展认证协议。
$ EAL (O) See: evaluation assurance level.
$ EAL(O)见:评估保证水平。
$ Easter egg (O) "Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and [are] intended to be non-threatening" [SP28], but Easter eggs have the potential to contain malicious code.
$ 复活节彩蛋(O)“应用程序中的隐藏功能,当输入一组未记录且通常复杂的命令和击键时,该功能将被激活。复活节彩蛋通常用于显示开发团队的积分,[被]设计为非威胁性”[SP28],但是复活节彩蛋有可能包含恶意代码。
Deprecated Usage: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term. (See: Deprecated Usage under "Green Book".)
不推荐的用法:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。(请参阅“绿皮书”下不推荐的用法。)
$ eavesdropping (I) Passive wiretapping done secretly, i.e., without the knowledge of the originator or the intended recipients of the communication.
$ 窃听(I)秘密进行的被动窃听,即在通信发端人或预期接收人不知情的情况下进行。
$ ECB (N) See: electronic codebook.
$ 欧洲央行(N)见:电子码本。
$ ECDSA (N) See: Elliptic Curve Digital Signature Algorithm.
$ ECDSA(N)参见:椭圆曲线数字签名算法。
$ economy of alternatives (I) The principle that a security mechanism should be designed to minimize the number of alternative ways of achieving a service. (Compare: economy of mechanism.)
$ 替代方案的经济性(I)安全机制的设计原则应尽量减少实现服务的替代方法的数量。(比较:机制的经济性。)
$ economy of mechanism (I) The principle that a security mechanism should be designed to be as simple as possible, so that (a) the mechanism can be correctly implemented and (b) it can be verified that the operation of the mechanism enforces the system's security policy. (Compare: economy of alternatives, least privilege.)
$ 机制的经济性(I)安全机制应设计为尽可能简单的原则,以便(a)机制能够正确实施,以及(b)能够验证机制的运行是否强制执行系统的安全策略。(比较:替代方案的经济性,最低特权。)
$ ECU (N) See: end cryptographic unit.
$ ECU(N)参见:结束加密单元。
$ EDI (I) See: electronic data interchange.
$ 电子数据交换(一)见:电子数据交换。
$ EDIFACT (N) See: secondary definition under "electronic data interchange".
$ EDIFACT(N)见“电子数据交换”下的二级定义。
$ EE (D) Abbreviation of "end entity" and other terms.
$ EE(D)“最终实体”和其他术语的缩写。
Deprecated Abbreviation: IDOCs SHOULD NOT use this abbreviation; there could be confusion among "end entity", "end-to-end encryption", "escrowed encryption standard", and other terms.
不推荐使用的缩写:IDOCs不应使用此缩写;“端实体”、“端到端加密”、“托管加密标准”和其他术语之间可能存在混淆。
$ EES (O) See: Escrowed Encryption Standard.
$ EES(O)参见:托管加密标准。
$ effective key length (O) "A measure of strength of a cryptographic algorithm, regardless of actual key length." [IATF] (See: work factor.)
$ 有效密钥长度(O)“密码算法强度的度量,与实际密钥长度无关。”[IATF](参见:工作系数。)
$ effectiveness (O) /ITSEC/ A property of a TOE representing how well it provides security in the context of its actual or proposed operational use.
$ 有效性(O)/ITSEC/TOE的一种属性,表示TOE在实际或拟议的操作使用中提供安全性的程度。
$ El Gamal algorithm (N) An algorithm for asymmetric cryptography, invented in 1985 by Taher El Gamal, that is based on the difficulty of calculating discrete logarithms and can be used for both encryption and digital signatures. [ElGa]
$ El-Gamal算法(N):Taher El-Gamal于1985年发明的一种非对称加密算法,该算法基于计算离散对数的困难,可用于加密和数字签名。[ElGa]
$ electronic codebook (ECB) (N) A block cipher mode in which a plaintext block is used directly as input to the encryption algorithm and the resultant output block is used directly as cipher text [FP081]. (See: block cipher, [SP38A].)
$ 电子码本(ECB)(N)一种分组密码模式,其中明文块直接用作加密算法的输入,而生成的输出块直接用作密文[FP081]。(参见:分组密码[SP38A]。)
$ electronic commerce 1. (I) Business conducted through paperless exchanges of information, using electronic data interchange, electronic funds transfer (EFT), electronic mail, computer bulletin boards, facsimile, and other paperless technologies.
$ 电子商务1。(一) 通过无纸信息交换、电子数据交换、电子资金转账(EFT)、电子邮件、计算机公告板、传真和其他无纸技术开展的业务。
2. (O) /SET/ "The exchange of goods and services for payment between the cardholder and merchant when some or all of the transaction is performed via electronic communication." [SET2]
2. (O) /SET/“当部分或全部交易通过电子通信进行时,持卡人和商户之间为支付而交换商品和服务。”[SET2]
$ electronic data interchange (EDI) (I) Computer-to-computer exchange, between trading partners, of business data in standardized document formats.
$ 电子数据交换(EDI)(I)贸易伙伴之间以标准文件格式进行的商业数据的计算机对计算机交换。
Tutorial: EDI formats have been standardized primarily by ANSI X12 and by EDIFACT (EDI for Administration, Commerce, and Transportation), which is an international, UN-sponsored standard primarily used in Europe and Asia. X12 and EDIFACT are aligning to create a single, global EDI standard.
教程:EDI格式主要由ANSI X12和EDIFACT(用于行政、商业和运输的EDI)标准化,这是一种主要在欧洲和亚洲使用的联合国赞助的国际标准。X12和EDIFACT正在联合起来创建一个单一的全球EDI标准。
$ Electronic Key Management System (EKMS) (O) "Interoperable collection of systems developed by ... the U.S. Government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic keying material and the management of other types of COMSEC material." [C4009]
$ 电子钥匙管理系统(EKMS)(O)“……美国政府开发的可互操作的系统集合,用于自动规划、订购、生成、分发、存储、填充、使用和销毁电子钥匙材料以及管理其他类型的通信安全材料。”[C4009]
$ electronic signature (D) Synonym for "digital signature" or "digitized signature".
$ 电子签名(D)“数字签名”或“数字签名”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; there is no current consensus on its definition. Instead, use "digital signature", if that is what was intended
不推荐使用的术语:IDoc不应使用此术语;目前还没有就其定义达成共识。相反,如果打算使用“数字签名”,请使用“数字签名”
$ electronic wallet (D) A secure container to hold, in digitized form, some sensitive data objects that belong to the owner, such as electronic money, authentication material, and various types of personal information. (See: IOTP.)
$ 电子钱包(D):一种安全的容器,以数字化形式存放属于所有者的一些敏感数据对象,如电子货币、身份验证材料和各种类型的个人信息。(见:IOTP)
Deprecated Term: IDOCs SHOULD NOT use this term. There is no current consensus on its definition; and some uses and definitions
不推荐使用的术语:IDOCs不应使用此术语。目前还没有就其定义达成共识;以及一些用法和定义
may be proprietary. Meanings range from virtual wallets implemented by data structures to physical wallets implemented by cryptographic tokens. (See: Deprecated Usage under "Green Book".)
可能是专有的。含义从数据结构实现的虚拟钱包到加密令牌实现的物理钱包。(请参阅“绿皮书”下不推荐的用法。)
$ elliptic curve cryptography (ECC) (I) A type of asymmetric cryptography based on mathematics of groups that are defined by the points on a curve, where the curve is defined by a quadratic equation in a finite field. [Schn]
$ 椭圆曲线密码术(ECC)(I)一种基于由曲线上的点定义的群的数学的非对称密码术,其中曲线由有限域中的二次方程定义。[施恩]
Tutorial: ECC is based on mathematics different than that originally used to define the Diffie-Hellman-Merkle algorithm and the DSA, but ECC can be used to define an algorithm for key agreement that is an analog of Diffie-Hellman-Merkle [A9063] and an algorithm for digital signature that is an analog of DSA [A9062]. The mathematical problem upon which ECC is based is believed to be more difficult than the problem upon which Diffie-Hellman-Merkle is based and, therefore, that keys for ECC can be shorter for a comparable level of security. (See: ECDSA.)
教程:ECC基于不同于最初用于定义Diffie-Hellman-Merkle算法和DSA的数学,但ECC可用于定义类似Diffie-Hellman-Merkle[A9063]的密钥协商算法和类似DSA[A9062]的数字签名算法。ECC所基于的数学问题被认为比Diffie-Hellman-Merkle所基于的问题更难,因此,ECC的密钥可以更短,以达到相当的安全级别。(见:ECDSA)
$ Elliptic Curve Digital Signature Algorithm (ECDSA) (N) A standard [A9062] that is the analog, in elliptic curve cryptography, of the Digital Signature Algorithm.
$ 椭圆曲线数字签名算法(ECDSA)(N)标准[A9062],在椭圆曲线密码学中模拟数字签名算法。
$ emanation (I) A signal (e.g., electromagnetic or acoustic) that is emitted by a system (e.g., through radiation or conductance) as a consequence (i.e., byproduct) of the system's operation, and that may contain information. (See: emanations security.)
$ 发射(I)系统(例如通过辐射或电导)作为系统运行的结果(即副产品)发射的信号(例如电磁或声学),可能包含信息。(见:放射安全。)
$ emanations analysis (I) /threat action/ See: secondary definition under "interception".
$ 辐射分析(I)/威胁行动/见“拦截”下的二级定义。
$ emanations security (EMSEC) (I) Physical security measures to protect against data compromise that could occur because of emanations that might be received and read by an unauthorized party. (See: emanation, TEMPEST.)
$ 放射安全(EMSEC)(I)物理安全措施,以防止因未经授权方接收和读取放射而可能发生的数据泄露。(见:放射,暴风雨。)
Usage: Refers either to preventing or limiting emanations from a system and to preventing or limiting the ability of unauthorized parties to receive the emissions.
用途:指防止或限制系统排放,以及防止或限制未经授权方接收排放的能力。
$ embedded cryptography (N) "Cryptography engineered into an equipment or system whose basic function is not cryptographic." [C4009]
$ 嵌入式加密技术(N)“设计成基本功能不是加密的设备或系统的加密技术。”[C4009]
$ emergency plan (D) Synonym for "contingency plan".
$ 应急计划(D)“应急计划”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term. Instead, for neutrality and consistency of language, use "contingency plan".
不推荐使用的术语:IDOCs不应使用此术语。相反,为了语言的中立性和一致性,使用“应急计划”。
$ emergency response (O) An urgent response to a fire, flood, civil commotion, natural disaster, bomb threat, or other serious situation, with the intent of protecting lives, limiting damage to property, and minimizing disruption of system operations. [FP087] (See: availability, CERT, emergency plan.)
$ 应急响应(O)对火灾、洪水、内乱、自然灾害、炸弹威胁或其他严重情况的紧急响应,旨在保护生命、限制财产损失并最大限度地减少系统运行中断。[FP087](见:可用性、证书、应急计划)
$ EMSEC (I) See: emanations security.
$ EMSEC(I)见:辐射安全。
$ EMV (N) Abbreviation of "Europay, MasterCard, Visa". Refers to a specification for smart cards that are used as payment cards, and for related terminals and applications. [EMV1, EMV2, EMV3]
$ EMV(N)“Europay、万事达卡、Visa”的缩写。指用作支付卡的智能卡以及相关终端和应用程序的规范。[EMV1、EMV2、EMV3]
$ Encapsulating Security Payload (ESP) (I) An Internet protocol [R2406, R4303] designed to provide data confidentiality service and other security services for IP datagrams. (See: IPsec. Compare: AH.)
$ 封装安全有效载荷(ESP)(I)互联网协议[R2406,R4303],旨在为IP数据报提供数据保密服务和其他安全服务。(请参阅:IPsec。比较:AH)
Tutorial: ESP may be used alone, or in combination with AH, or in a nested fashion with tunneling. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a host and a gateway. The ESP header is encapsulated by the IP header, and the ESP header encapsulates either the upper-layer protocol header (transport mode) or an IP header (tunnel mode). ESP can provide data confidentiality service, data origin authentication service, connectionless data integrity service, an anti-replay service, and limited traffic-flow confidentiality. The set of services depends on the placement of the implementation and on options selected when the security association is established.
教程:ESP可以单独使用,也可以与AH结合使用,或者以嵌套方式与隧道结合使用。可以在一对通信主机之间、一对通信安全网关之间或主机与网关之间提供安全服务。ESP报头由IP报头封装,ESP报头封装上层协议报头(传输模式)或IP报头(隧道模式)。ESP可以提供数据保密服务、数据源身份验证服务、无连接数据完整性服务、防重放服务和有限流量保密性。服务集取决于实现的位置以及在建立安全关联时选择的选项。
$ encipher (D) Synonym for "encrypt".
$ Encrypher(D)“encrypt”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encrypt". However, see Usage note under "encryption".
不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词。但是,请参见“加密”下的用法说明。
$ encipherment (D) Synonym for "encryption".
$ 加密(D)“加密”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encryption". However, see Usage note under "encryption".
不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词。但是,请参见“加密”下的用法说明。
$ enclave 1. (I) A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. (Compare: domain.)
$ 飞地1。(一) 在同一安全域中运行的一组系统资源,它们共享单个、公共、连续安全外围的保护。(比较:域。)
2. (D) /U.S. Government/ "Collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security." [C4009]
2. (D) /U.S.Government/“由一个或多个内部网络连接的计算环境的集合,在单一机构和安全政策的控制下,包括人员和物理安全。”[C4009]
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2 because the definition applies to what is usually called a "security domain". That is, a security domain is a set of one or more security enclaves.
不推荐使用的定义:IDOCs不应将此术语与定义2一起使用,因为该定义适用于通常称为“安全域”的内容。也就是说,安全域是一个或多个安全飞地的集合。
$ encode 1. (I) Use a system of symbols to represent information, which might originally have some other representation. Example: Morse code. (See: ASCII, BER.) (See: code, decode.)
$ 编码1。(一) 使用符号系统来表示信息,这些信息最初可能具有其他表示形式。例子:摩尔斯电码。(参见:ASCII,BER。)(参见:编码,解码。)
2. (D) Synonym for "encrypt".
2. (D) “加密”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "encrypt"; encoding is not always meant to conceal meaning.
不推荐使用的定义:IDOCs不应将此术语用作“加密”的同义词;编码并不总是为了隐藏意义。
$ encrypt (I) Cryptographically transform data to produce cipher text. (See: encryption. Compare: seal.)
$ 加密(I)以加密方式转换数据以生成密文。(请参见:加密。比较:密封。)
$ encryption 1. (I) Cryptographic transformation of data (called "plain text") into a different form (called "cipher text") that conceals the data's original meaning and prevents the original form from being used. The corresponding reverse process is "decryption", a transformation that restores encrypted data to its original form. (See: cryptography.)
$ 加密1。(一) 将数据(称为“纯文本”)加密转换为另一种形式(称为“密文”),以隐藏数据的原始含义并防止原始形式被使用。相应的反向过程是“解密”,一种将加密数据恢复为原始形式的转换。(请参阅:密码学。)
2. (O) "The cryptographic transformation of data to produce ciphertext." [I7498-2]
2. (O) “对数据进行加密转换以产生密文。”[I7498-2]
Usage: For this concept, IDOCs SHOULD use the verb "to encrypt" (and related variations: encryption, decrypt, and decryption). However, because of cultural biases involving human burial, some international documents (particularly ISO and CCITT standards) avoid "to encrypt" and instead use the verb "to encipher" (and related variations: encipherment, decipher, decipherment).
用法:对于这个概念,idoc应该使用动词“to encrypt”(以及相关变体:encrypt、decrypt和decryption)。然而,由于涉及人类埋葬的文化偏见,一些国际文件(特别是ISO和CCITT标准)避免使用“加密”,而是使用动词“加密”(以及相关变体:加密、解密、解密)。
Tutorial: Usually, the plaintext input to an encryption operation is clear text. But in some cases, the plain text may be cipher text that was output from another encryption operation. (See: superencryption.)
教程:通常,加密操作的明文输入是明文。但在某些情况下,纯文本可能是另一个加密操作输出的密文。(请参阅:超级加密。)
Encryption and decryption involve a mathematical algorithm for transforming data. Besides the data to be transformed, the algorithm has one or more inputs that are control parameters: (a) a key that varies the transformation and, in some cases, (b) an IV that establishes the starting state of the algorithm.
加密和解密涉及转换数据的数学算法。除了要转换的数据外,算法还有一个或多个作为控制参数的输入:(a)改变转换的键,在某些情况下,(b)建立算法启动状态的IV。
$ encryption certificate (I) A public-key certificate that contains a public key that is intended to be used for encrypting data, rather than for verifying digital signatures or performing other cryptographic functions.
$ 加密证书(I)包含公钥的公钥证书,用于加密数据,而不是验证数字签名或执行其他加密功能。
Tutorial: A v3 X.509 public-key certificate may have a "keyUsage" extension that indicates the purpose for which the certified public key is intended. (See: certificate profile.)
教程:v3 X.509公钥证书可能有一个“keyUsage”扩展名,用于指示认证公钥的用途。(请参阅:证书配置文件。)
$ end cryptographic unit (ECU) 1. (N) Final destination device into which a key is loaded for operational use.
$ 结束加密单元(ECU)1。(N) 将密钥加载到其中以供操作使用的最终目标设备。
2. (N) A device that (a) performs cryptographic functions, (b) typically is part of a larger system for which the device provides security services, and (c), from the viewpoint of a supporting security infrastructure such as a key management system, is the lowest level of identifiable component with which a management transaction can be conducted
2. (N) 设备(A)执行加密功能,(b)通常是设备提供安全服务的较大系统的一部分,并且(c)从诸如密钥管理系统之类的支持安全基础设施的观点来看,是可用于执行管理事务的最低级别的可识别组件
$ end entity 1. (I) A system entity that is the subject of a public-key certificate and that is using, or is permitted and able to use, the matching private key only for purposes other than signing a digital certificate; i.e., an entity that is not a CA.
$ 结束实体1。(一) 作为公钥证书主体的系统实体,且仅出于签署数字证书以外的目的使用或允许并能够使用匹配私钥;i、 例如,不是CA的实体。
2. (O) "A certificate subject [that] uses its public [sic] key for purposes other than signing certificates." [X509]
2. (O) “将其公钥[sic]用于证书签名以外的目的的证书主体。”[X509]
Deprecated Definition: IDOCs SHOULD NOT use definition 2, which is misleading and incomplete. First, that definition should have said "private key" rather than "public key" because certificates are not usefully signed with a public key. Second, the X.509 definition is ambiguous regarding whether an end entity may or may not use the private key to sign a certificate, i.e., whether the subject may be a CA. The intent of X.509's authors was that an end entity certificate is not valid for use in verifying a signature
不推荐使用的定义:IDOCs不应使用定义2,因为它具有误导性且不完整。首先,该定义应该说是“私钥”而不是“公钥”,因为证书不是用公钥有效地签名的。其次,X.509的定义对于终端实体是否可以使用私钥签署证书(即,主体是否是CA)是不明确的。X.509作者的意图是终端实体证书在验证签名时无效
on an X.509 certificate or X.509 CRL. Thus, it would have been better for the X.509 definition to have said "only for purposes other than signing certificates".
在X.509证书或X.509 CRL上。因此,如果X.509定义中说“仅用于签署证书以外的目的”,则更好。
Usage: Despite the problems in the X.509 definition, the term itself is useful in describing applications of asymmetric cryptography. The way the term is used in X.509 implies that it was meant to be defined, as we have done here, relative to roles that an entity (which is associated with an OSI end system) is playing or is permitted to play in applications of asymmetric cryptography other than the PKI that supports applications.
用法:尽管X.509定义中存在问题,但该术语本身在描述非对称加密的应用时很有用。X.509中使用该术语的方式意味着,正如我们在这里所做的那样,该术语的定义与实体(与OSI终端系统关联)正在或允许在非对称加密应用程序中扮演的角色有关,而不是支持应用程序的PKI。
Tutorial: Whether a subject can play both CA and non-CA roles, with either the same or different certificates, is a matter of policy. (See: CPS.) A v3 X.509 public-key certificate may have a "basicConstraints" extension containing a "cA" value that specifically "indicates whether or not the public key may be used to verify certificate signatures". (See: certificate profile.)
教程:主题是否可以使用相同或不同的证书同时扮演CA和非CA角色是一个政策问题。(请参阅:CPS。)v3 X.509公钥证书可能有一个“basicConstraints”扩展,其中包含一个“cA”值,该值专门“指示公钥是否可用于验证证书签名”。(请参阅:证书配置文件。)
$ end system (N) /OSIRM/ A computer that implements all seven layers of the OSIRM and may attach to a subnetwork. Usage: In the IPS context, an end system is called a "host".
$ 终端系统(N)/OSIRM/实现所有七层OSIRM并可连接到子网络的计算机。用法:在IPS上下文中,终端系统称为“主机”。
$ end-to-end encryption (I) Continuous protection of data that flows between two points in a network, effected by encrypting data when it leaves its source, keeping it encrypted while it passes through any intermediate computers (such as routers), and decrypting it only when it arrives at the intended final destination. (See: wiretapping. Compare: link encryption.)
$ 端到端加密(I)对网络中两点之间流动的数据的连续保护,通过在数据离开源时加密数据、在数据通过任何中间计算机(如路由器)时保持加密以及仅在数据到达预定最终目的地时解密来实现。(请参见:窃听。比较:链接加密。)
Examples: A few are BLACKER, CANEWARE, IPLI, IPsec, PLI, SDNS, SILS, SSH, SSL, TLS.
示例:一些是Black、CANEWARE、IPLI、IPsec、PLI、SDN、SILS、SSH、SSL、TLS。
Tutorial: When two points are separated by multiple communication links that are connected by one or more intermediate relays, end-to-end encryption enables the source and destination systems to protect their communications without depending on the intermediate systems to provide the protection.
教程:当两个点被由一个或多个中间继电器连接的多个通信链路分隔时,端到端加密使源系统和目标系统能够保护其通信,而无需依赖中间系统来提供保护。
$ end user 1. (I) /information system/ A system entity, usually a human individual, that makes use of system resources, primarily for application purposes as opposed to system management purposes.
$ 最终用户1。(一) /信息系统/利用系统资源的系统实体,通常是个人,主要用于应用目的而非系统管理目的。
2. (D) /PKI/ Synonym for "end entity".
2. (D) /PKI/是“最终实体”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use "end user" as a synonym for "end entity", because that would mix concepts in a potentially misleading way.
不推荐使用的定义:IDOCs不应使用“最终用户”作为“最终实体”的同义词,因为这会以潜在误导的方式混合概念。
$ endorsed-for-unclassified cryptographic item (EUCI) (O) /U.S. Government/ "Unclassified cryptographic equipment that embodies a U.S. Government classified cryptographic logic and is endorsed by NSA for the protection of national security information." [C4009] (Compare: CCI, type 2 product.)
$ 为非保密密码项目(EUCI)(O)/美国政府/背书“包含美国政府保密密码逻辑并由NSA背书用于保护国家安全信息的非保密密码设备”。[C4009](比较:CCI,2类产品。)
$ entity See: system entity.
$ 实体请参见:系统实体。
$ entrapment (I) "The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit." [FP039] (See: honey pot.)
$ 诱捕(I)“故意在系统中植入明显的缺陷,以检测企图的渗透或混淆入侵者利用哪些缺陷。”[FP039](见:蜜罐)
$ entropy 1. (I) An information-theoretic measure (usually stated as a number of bits) of the amount of uncertainty that an attacker faces to determine the value of a secret. [SP63] (See: strength.)
$ 熵1。(一) 攻击者在确定秘密价值时所面临的不确定性量的信息论度量(通常以位数表示)。[SP63](见:强度)
Example: If a password is said to contain at least 20 bits of entropy, that means that it must be as hard to find the password as to guess a 20-bit random number.
例如:如果一个密码至少包含20位的熵,这意味着找到密码一定和猜测一个20位的随机数一样困难。
2. (I) An information-theoretic measure (usually stated as a number of bits) of the amount of information in a message; i.e., the minimum number of bits needed to encode all possible meanings of that message. [Schn] (See: uncertainty.)
2. (一) 消息中信息量的信息论度量(通常表示为位数);i、 例如,对该消息的所有可能含义进行编码所需的最小位数。[Schn](见:不确定性)
$ ephemeral (I) /adjective/ Refers to a cryptographic key or other cryptographic parameter or data object that is short-lived, temporary, or used one time. (See: session key. Compare: static.)
$ 短暂的(I)/形容词/指的是一个密码密钥或其他密码参数或数据对象,它是短暂的、临时的或一次性使用的。(请参阅:会话密钥。比较:静态。)
$ erase 1. (I) Delete stored data. (See: sanitize, zeroize.)
$ 删除1。(一) 删除存储的数据。(请参见:消毒、归零。)
2. (O) /U.S. Government/ Delete magnetically stored data in such a way that the data cannot be recovered by ordinary means, but might be recoverable by laboratory methods. [C4009] (Compare: /U.S. Government/ purge.)
2. (O) /U.S.Government/删除磁存储数据时,应确保数据无法通过普通方式恢复,但可以通过实验室方法恢复。[C4009](比较:/U.S.政府/清除)
$ error detection code (I) A checksum designed to detect, but not correct, accidental (i.e., unintentional) changes in data.
$ 错误检测代码(I)一种校验和,用于检测但不纠正数据中的意外(即无意)更改。
$ Escrowed Encryption Standard (EES) (N) A U.S. Government standard [FP185] that specifies how to use a symmetric encryption algorithm (SKIPJACK) and create a Law Enforcement Access Field (LEAF) for implementing part of a key escrow system that enables decryption of telecommunications when interception is lawfully authorized.
$ 托管加密标准(EES)(N)美国政府标准[FP185],规定如何使用对称加密算法(SKIPJACK)并创建执法访问字段(LEAF),以实现密钥托管系统的一部分,该系统在合法授权拦截时能够对电信进行解密。
Tutorial: Both SKIPJACK and the LEAF are intended for use in equipment used to encrypt and decrypt sensitive, unclassified, telecommunications data.
教程:SKIPJACK和LEAF都适用于加密和解密敏感、非机密电信数据的设备。
$ ESP (I) See: Encapsulating Security Payload.
$ ESP(I)见:封装安全有效负载。
$ Estelle (N) A language (ISO 9074-1989) for formal specification of computer network protocols.
$ Estelle(N):一种用于计算机网络协议形式规范的语言(ISO 9074-1989)。
$ ETSI (N) See: European Telecommunication Standards Institute.
$ ETSI(N)见:欧洲电信标准协会。
$ EUCI (O) See: endorsed-for-unclassified cryptographic item.
$ EUCI(O)见:未分类密码项目背书。
$ European Telecommunication Standards Institute (ETSI) (N) An independent, non-profit organization, based in France, that is officially recognized by the European Commission and responsible for standardization of information and communication technologies within Europe.
$ 欧洲电信标准协会(ETSI)(N):一个独立的非营利组织,总部设在法国,经欧盟委员会正式认可,负责欧洲内部信息和通信技术的标准化。
Tutorial: ETSI maintains the standards for a number of security algorithms, including encryption algorithms for mobile telephone systems in Europe.
教程:ETSI维护许多安全算法的标准,包括欧洲移动电话系统的加密算法。
$ evaluated system (I) A system that has been evaluated against security criteria (for example, against the TCSEC or against a profile based on the Common Criteria).
$ 评估系统(I)根据安全标准(例如,根据TCSEC或基于通用标准的概要文件)进行评估的系统。
$ evaluation (I) Assessment of an information system against defined security criteria (for example, against the TCSEC or against a profile based on the Common Criteria). (Compare: certification.)
$ 评估(I)根据定义的安全标准(例如,根据TCSEC或基于通用标准的概要文件)对信息系统进行评估。(比较:认证。)
$ evaluation assurance level (EAL) (N) A predefined package of assurance components that represents a point on the Common Criteria's scale for rating confidence in the security of information technology products and systems.
$ 评估保证级别(EAL)(N)一个预定义的保证组件包,代表信息技术产品和系统安全性的通用标准等级上的一个点。
Tutorial: The Common Criteria defines a scale of seven, hierarchically ordered EALs for rating a TOE. From highest to lowest, they are as follows: - EAL7. Formally verified design and tested. - EAL6. Semiformally verified design and tested. - EAL5. Semiformally designed and tested. - EAL4. Methodically designed, tested, and reviewed. - EAL3. Methodically tested and checked. - EAL2. Structurally tested. - EAL1. Functionally tested.
教程:通用标准定义了七个等级的EAL,用于对脚趾进行评级。从最高到最低,它们如下:-EAL7。正式验证设计和测试。-EAL6。半正式验证设计和测试。-EAL5。半正式设计和测试。-EAL4。系统地设计、测试和审查。-EAL3。系统地测试和检查。-EAL2。结构测试。-EAL1。功能测试。
An EAL is a consistent, baseline set of requirements. The increase in assurance from EAL to EAL is accomplished by substituting higher assurance components (i.e., criteria of increasing rigor, scope, or depth) from seven assurance classes: (a) configuration management, (b) delivery and operation, (c) development, (d) guidance documents, (e) lifecycle support, (f) tests, and (g) vulnerability assessment.
EAL是一组一致的基线需求。从EAL到EAL的保证增加是通过从七个保证级别(a)配置管理,(b)交付和运行,(c)开发,(d)指导文件,(e)生命周期支持,(f)测试和(g)中替换更高的保证组件(即,增加严格性、范围或深度的标准)来实现的脆弱性评估。
The EALs were developed with the goal of preserving concepts of assurance that were adopted from earlier criteria, so that results of previous evaluations would remain relevant. For example, EALs levels 2-7 are generally equivalent to the assurance portions of the TCSEC C2-A1 scale. However, this equivalency should be used with caution. The levels do not derive assurance in the same manner, and exact mappings do not exist.
制定EAL的目的是保留从早期标准中采用的保证概念,以便先前评估的结果保持相关性。例如,EALs等级2-7通常相当于TCSEC C2-A1等级的保证部分。但是,应谨慎使用这种等效性。级别不以相同的方式派生保证,并且不存在精确的映射。
$ expire (I) /credential/ Cease to be valid (i.e., change from being valid to being invalid) because its assigned lifetime has been exceeded. (See: certificate expiration.)
$ 过期(I)/凭证/不再有效(即从有效更改为无效),因为已超过其分配的生存期。(请参阅:证书到期。)
$ exposure (I) A type of threat action whereby sensitive data is directly released to an unauthorized entity. (See: unauthorized disclosure.)
$ 暴露(I)一种威胁行为,即敏感数据直接发布给未经授权的实体。(请参阅:未经授权的披露。)
Usage: This type of threat action includes the following subtypes: - "Deliberate Exposure": Intentional release of sensitive data to an unauthorized entity. - "Scavenging": Searching through data residue in a system to gain unauthorized knowledge of sensitive data. - "Human error": /exposure/ Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data. (Compare: corruption, incapacitation.) - "Hardware or software error": /exposure/ System failure that unintentionally results in an entity gaining unauthorized
用法:这种类型的威胁行为包括以下子类型:-“故意暴露”:故意向未经授权的实体发布敏感数据。-“清除”:搜索系统中的数据残留,以获得未经授权的敏感数据信息。-“人为错误”:/暴露/人为行为或不作为,无意中导致实体获得未经授权的敏感数据知识。(比较:腐败、丧失能力):“硬件或软件错误”:/暴露/系统故障,无意中导致实体获得未经授权的许可
knowledge of sensitive data. (Compare: corruption, incapacitation.)
敏感数据知识。(比较:腐败、无能。)
$ Extended Security Option (I) See: secondary definition under "IPSO".
$ 扩展安全选项(I)见“IPSO”下的二级定义。
$ Extensible Authentication Protocol (EAP) (I) An extension framework for PPP that supports multiple, optional authentication mechanisms, including cleartext passwords, challenge-response, and arbitrary dialog sequences. [R3748] (Compare: GSS-API, SASL.)
$ 可扩展身份验证协议(EAP)(I)PPP的扩展框架,支持多种可选身份验证机制,包括明文密码、质询响应和任意对话序列。[R3748](比较:GSS-API和SASL。)
Tutorial: EAP typically runs directly over IPS data link protocols or OSIRM Layer 2 protocols, i.e., without requiring IP. Originally, EAP was developed for use in PPP, by a host or router that connects to a network server via switched circuits or dial-up lines. Today, EAP's domain of applicability includes other areas of network access control; it is used in wired and wireless LANs with IEEE 802.1X, and in IPsec with IKEv2. EAP is conceptually related to other authentication mechanism frameworks, such as SASL and GSS-API.
教程:EAP通常直接在IPS数据链路协议或OSIRM第2层协议上运行,即不需要IP。最初,EAP是为PPP开发的,由主机或路由器通过交换电路或拨号线路连接到网络服务器。今天,EAP的适用范围包括网络访问控制的其他领域;它用于具有IEEE 802.1X的有线和无线局域网,以及具有IKEv2的IPsec。EAP在概念上与其他身份验证机制框架相关,如SASL和GSS-API。
$ Extensible Markup Language (XML) (N) A version of Standard Generalized Markup Language (ISO 8879) that separately represents a document's content and its structure. XML was designed by W3C for use on the World Wide Web.
$ 可扩展标记语言(XML)(N):标准通用标记语言(ISO 8879)的一个版本,分别表示文档的内容及其结构。XML由W3C设计用于万维网。
$ extension (I) /protocol/ A data item or a mechanism that is defined in a protocol to extend the protocol's basic or original functionality.
$ 扩展(I)/协议/协议中定义的数据项或机制,用于扩展协议的基本或原始功能。
Tutorial: Many protocols have extension mechanisms, and the use of these extension is usually optional. IP and X.509 are two examples of protocols that have optional extensions. In IP version 4, extensions are called "options", and some of the options have security purposes (see: IPSO).
教程:许多协议都有扩展机制,这些扩展的使用通常是可选的。IP和X.509是具有可选扩展的协议的两个示例。在IP版本4中,扩展称为“选项”,其中一些选项具有安全性目的(请参阅:IPSO)。
In X.509, certificate and CRL formats can be extended to provide methods for associating additional attributes with subjects and public keys and for managing a certification hierarchy: - A "certificate extension": X.509 defines standard extensions that may be included in v3 certificates to provide additional key and security policy information, subject and issuer attributes, and certification path constraints. - A "CRL extension": X.509 defines extensions that may be included in v2 CRLs to provide additional issuer key and name information, revocation reasons and constraints, and information about distribution points and delta CRLs.
在X.509中,可以扩展证书和CRL格式,以提供将附加属性与主题和公钥关联以及管理证书层次结构的方法:-“证书扩展”:X.509定义了v3证书中可能包含的标准扩展,以提供附加密钥和安全策略信息,主题和颁发者属性,以及认证路径约束。-“CRL扩展”:X.509定义了可能包含在v2 CRL中的扩展,以提供额外的颁发者密钥和名称信息、撤销原因和约束,以及有关分发点和增量CRL的信息。
- A "private extension": Additional extensions, each named by an OID, can be locally defined as needed by applications or communities. (See: Authority Information Access extension, SET private extensions.)
- “私有扩展”:附加扩展,每个扩展由OID命名,可以根据应用程序或社区的需要在本地定义。(请参见:权限信息访问扩展,设置专用扩展。)
$ external controls (I) /COMPUSEC/ Refers to administrative security, personnel security, and physical security. (Compare: internal controls.)
$ 外部控制(I)/COMPUSEC/指管理安全、人员安全和物理安全。(比较:内部控制。)
$ extranet (I) A computer network that an organization uses for application data traffic between the organization and its business partners. (Compare: intranet.)
$ 外部网(I)一个组织用于组织与其业务伙伴之间的应用程序数据通信的计算机网络。(比较:内部网。)
Tutorial: An extranet can be implemented securely, either on the Internet or using Internet technology, by constructing the extranet as a VPN.
教程:通过将外联网构建为VPN,可以在Internet上或使用Internet技术安全地实现外联网。
$ extraction resistance (O) Ability of cryptographic equipment to resist efforts to extract keying material directly from the equipment (as opposed to gaining knowledge of keying material by cryptanalysis). [C4009]
$ 抗提取能力(O):加密设备抵抗直接从设备中提取密钥材料的能力(与通过密码分析获取密钥材料的知识相反)。[C4009]
$ extrusion detection (I) Monitoring for unauthorized transfers of sensitive information and other communications that originate inside a system's security perimeter and are directed toward the outside; i.e., roughly the opposite of "intrusion detection".
$ 挤出检测(I)监控敏感信息和其他通信的未经授权传输,这些信息和通信源自系统的安全周界内部,并指向外部;i、 与“入侵检测”大致相反。
$ fail-safe 1. (I) Synonym for "fail-secure".
$ 故障安全1。(一) “故障保护”的同义词。
2. (I) A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise). (See: failure control.)
2. (一) 系统功能的一种终止模式,当系统发生故障或检测到故障(但故障仍可能导致安全隐患)时,可防止对指定的系统资源和系统实体(即指定的数据、属性和寿命)造成损坏。(请参阅:故障控制。)
Tutorial: Definitions 1 and 2 are opposing design alternatives. Therefore, IDOCs SHOULD NOT use this term without providing a definition for it. If definition 1 is intended, IDOCs can avoid ambiguity by using "fail-secure" instead.
教程:定义1和定义2是相反的设计方案。因此,IDOCs不应该在没有定义的情况下使用这个术语。如果打算使用定义1,IDOCs可以通过使用“故障保护”来避免歧义。
$ fail-secure (I) A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). (See: failure control. Compare: fail-safe.)
$ 故障保护(I)当系统发生故障或检测到故障时(但故障仍可能导致某些系统资源或系统实体损坏),系统功能终止的一种模式,可防止失去安全状态。(请参阅:故障控制。比较:故障安全。)
$ fail-soft (I) Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system. (See: failure control.)
$ 故障软(I)当系统发生故障或检测到故障时,选择性终止受影响的非必要系统功能。(请参阅:故障控制。)
$ failure control (I) A methodology used to provide fail-safe, fail-secure or fail-soft termination and recovery of system functions. [FP039]
$ 故障控制(I)用于提供系统功能的故障安全、故障安全或故障软终止和恢复的方法。[FP039]
$ fairness (I) A property of an access protocol for a system resource whereby the resource is made equitably or impartially available to all eligible users. (RFC 3753)
$ 公平性(I)系统资源访问协议的一种属性,通过该属性,所有合格用户都可以公平或公正地使用该资源。(RFC 3753)
Tutorial: Fairness can be used to defend against some types of denial-of-service attacks on a system connected to a network. However, this technique assumes that the system can properly receive and process inputs from the network. Therefore, the technique can mitigate flooding but is ineffective against jamming.
教程:公平性可用于防御连接到网络的系统上的某些类型的拒绝服务攻击。然而,这种技术假设系统能够正确地接收和处理来自网络的输入。因此,该技术可以缓解洪水,但对干扰无效。
$ falsification (I) A type of threat action whereby false data deceives an authorized entity. (See: active wiretapping, deception.)
$ 伪造(I)虚假数据欺骗授权实体的一种威胁行为。(参见:主动窃听、欺骗。)
Usage: This type of threat action includes the following subtypes: - "Substitution": Altering or replacing valid data with false data that serves to deceive an authorized entity. - "Insertion": Introducing false data that serves to deceive an authorized entity.
用法:此类威胁行为包括以下子类型:-“替换”:用虚假数据更改或替换有效数据,以欺骗授权实体。-“插入”:引入虚假数据以欺骗授权实体。
$ fault tree (I) A branching, hierarchical data structure that is used to represent events and to determine the various combinations of component failures and human acts that could result in a specified undesirable system event. (See: attack tree, flaw hypothesis methodology.)
$ 故障树(I)一种分支、分层数据结构,用于表示事件,并确定可能导致特定不良系统事件的组件故障和人为行为的各种组合。(参见:攻击树,缺陷假设方法。)
Tutorial: "Fault-tree analysis" is a technique in which an undesired state of a system is specified and the system is studied in the context of its environment and operation to find all credible ways in which the event could occur. The specified fault event is represented as the root of the tree. The remainder of the tree represents AND or OR combinations of subevents, and sequential combinations of subevents, that could cause the root event to occur. The main purpose of a fault-tree analysis is to calculate the probability of the root event, using statistics or other analytical methods and incorporating actual or predicted
教程:“故障树分析”是一种技术,其中规定了系统的非期望状态,并在其环境和运行的背景下对系统进行研究,以找到事件可能发生的所有可信方式。指定的故障事件表示为树的根。树的其余部分表示可能导致根事件发生的子事件和/或子事件组合,以及子事件的顺序组合。故障树分析的主要目的是使用统计或其他分析方法,结合实际或预测的故障,计算根事件的概率
quantitative reliability and maintainability data. When the root event is a security violation, and some of the subevents are deliberate acts intended to achieve the root event, then the fault tree is an attack tree.
定量可靠性和可维护性数据。如果根事件是安全违规,并且某些子事件是有意实现根事件的故意行为,那么故障树就是攻击树。
$ FEAL (O) A family of symmetric block ciphers that was developed in Japan; uses a 64-bit block, keys of either 64 or 128 bits, and a variable number of rounds; and has been successfully attacked by cryptanalysts. [Schn]
$ FEAL(O)一个在日本发展起来的对称分组密码家族;使用64位块、64位或128位密钥以及可变轮数;并且被密码分析人员成功攻击。[施恩]
$ Federal Information Processing Standards (FIPS) (N) The Federal Information Processing Standards Publication (FIPS PUB) series issued by NIST under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987 (Public Law 100-235) as technical guidelines for U.S. Government procurements of information processing system equipment and services. (See: "[FPxxx]" items in Section 7, Informative References.)
$ 联邦信息处理标准(FIPS)(N)NIST根据《1949年联邦财产和行政服务法》第111(d)节的规定发布的联邦信息处理标准出版物(FIPS PUB)系列,经1987年《计算机安全法》(公法100-235)修订作为美国政府采购信息处理系统设备和服务的技术指南。(见第7节“参考资料”中的“[FPxxx]”项。)
$ Federal Public-key Infrastructure (FPKI) (O) A PKI being planned to establish facilities, specifications, and policies needed by the U.S. Government to use public-key certificates in systems involving unclassified but sensitive applications and interactions between Federal agencies as well as with entities of state and local governments, the business community, and the public. [FPKI]
$ 联邦公钥基础设施(FPKI)(O)计划建立美国政府所需的设施、规范和政策的PKI,以在涉及非保密但敏感应用程序的系统中使用公钥证书,以及联邦机构之间以及与州和地方政府实体之间的交互,商界和公众。[FPKI]
$ Federal Standard 1027 (N) An U.S. Government document defining emanation, anti-tamper, security fault analysis, and manual key management criteria for DES encryption devices, primary for OSIRM Layer 2. Was renamed "FIPS PUB 140" when responsibility for protecting unclassified, sensitive information was transferred from NSA to NIST, and has since been superseded by newer versions of that standard [FP140].
$ 联邦标准1027(N)美国政府文件,定义DES加密设备的发射、防篡改、安全故障分析和手动密钥管理标准,主要用于OSIRM第2层。当保护非机密敏感信息的责任从NSA转移到NIST时,更名为“FIPS PUB 140”,此后被该标准的更新版本取代[FP140]。
$ File Transfer Protocol (FTP) (I) A TCP-based, Application-Layer, Internet Standard protocol (RFC 959) for moving data files from one computer to another.
$ 文件传输协议(FTP)(I)基于TCP的应用层互联网标准协议(RFC 959),用于将数据文件从一台计算机移动到另一台计算机。
$ fill device (N) /COMSEC/ A device used to transfer or store keying material in electronic form or to insert keying material into cryptographic equipment.
$ 填充装置(N)/COMSEC/用于以电子形式传输或存储密钥材料或将密钥材料插入加密设备的装置。
$ filter 1. (I) /noun/ Synonym for "guard". (Compare: content filter, filtering router.)
$ 过滤器1。(一) /名词/同义词“警卫”。(比较:内容过滤器、过滤路由器。)
2. (I) /verb/ To process a flow of data and selectively block passage or permit passage of individual data items according to a security policy.
2. (一) /verb/处理数据流,并根据安全策略有选择地阻止或允许单个数据项的通过。
$ filtering router (I) An internetwork router that selectively prevents the passage of data packets according to a security policy. (See: guard.)
$ 过滤路由器(I)根据安全策略有选择地防止数据包通过的网络间路由器。(请参阅:防护罩。)
Tutorial: A router usually has two or more physical connections to networks or other systems; and when the router receives a packet on one of those connections, it forwards the packet on a second connection. A filtering router does the same; but it first decides, according to some security policy, whether the packet should be forwarded at all. The policy is implemented by rules (packet filters) loaded into the router. The rules mostly involve values of data packet control fields (especially IP source and destination addresses and TCP port numbers) [R2179]. A filtering router may be used alone as a simple firewall or be used as a component of a more complex firewall.
教程:路由器通常与网络或其他系统有两个或多个物理连接;当路由器在其中一个连接上接收到数据包时,它会在第二个连接上转发该数据包。过滤路由器也这样做;但它首先根据一些安全策略决定是否应该转发数据包。该策略由加载到路由器中的规则(包过滤器)实现。这些规则主要涉及数据包控制字段的值(尤其是IP源和目标地址以及TCP端口号)[R2179]。过滤路由器可以单独用作简单防火墙,也可以用作更复杂防火墙的组件。
$ financial institution (N) "An establishment responsible for facilitating customer-initiated transactions or transmission of funds for the extension of credit or the custody, loan, exchange, or issuance of money." [SET2]
$ 金融机构(N)“负责促进客户发起的交易或资金传输的机构,用于扩展信贷或保管、贷款、交换或发行货币。”[SET2]
$ fingerprint 1. (I) A pattern of curves formed by the ridges on a fingertip. (See: biometric authentication. Compare: thumbprint.)
$ 指纹1。(一) 由指尖上的脊线形成的曲线图案。(请参阅:生物特征认证。比较:指纹。)
2. (D) /PGP/ A hash result ("key fingerprint") used to authenticate a public key or other data. [PGP]
2. (D) /PGP/用于验证公钥或其他数据的哈希结果(“密钥指纹”)。[PGP]
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2, and SHOULD NOT use this term as a synonym for "hash result" of *any* kind. Either use would mix concepts in a potentially misleading way.
不推荐使用的定义:IDOCs不应将此术语与定义2一起使用,也不应将此术语用作*任何*类型的“哈希结果”的同义词。这两种用法都会以潜在误导的方式混淆概念。
$ FIPS (N) See: Federal Information Processing Standards.
$ FIPS(N)参见:联邦信息处理标准。
$ FIPS PUB 140 (N) The U.S. Government standard [FP140] for security requirements to be met by a cryptographic module when the module is used to protect unclassified information in computer and communication systems. (See: Common Criteria, FIPS, Federal Standard 1027.)
$ FIPS PUB 140(N)美国政府标准[FP140],当密码模块用于保护计算机和通信系统中的非保密信息时,密码模块应满足安全要求。(见:通用标准、FIPS、联邦标准1027。)
Tutorial: The standard specifies four increasing levels (from "Level 1" to "Level 4") of requirements to cover a wide range of potential applications and environments. The requirements address basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference and electromagnetic compatibility (EMI/EMC), and self-testing. NIST and the Canadian Communication Security Establishment jointly certify modules.
教程:该标准规定了四个不断增加的需求级别(从“级别1”到“级别4”),以涵盖广泛的潜在应用和环境。这些要求涉及基本设计和文档、模块接口、授权角色和服务、物理安全、软件安全、操作系统安全、密钥管理、加密算法、电磁干扰和电磁兼容性(EMI/EMC)以及自检。NIST和加拿大通信安全机构共同认证模块。
$ FIREFLY (O) /U.S. Government/ "Key management protocol based on public-key cryptography." [C4009]
$ FIREFLY(O)/美国政府/“基于公钥加密的密钥管理协议。”[C4009]
$ firewall 1. (I) An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). (See: guard, security gateway.)
$ 防火墙1。(一) 一种网络间网关,用于限制与一个已连接网络(称为“防火墙内”的网络)之间的数据通信流量,从而保护该网络的系统资源免受来自另一个网络(称为“防火墙外”的网络)的威胁。(请参阅:警卫,安全网关。)
2. (O) A device or system that controls the flow of traffic between networks using differing security postures. [SP41]
2. (O) 一种设备或系统,使用不同的安全姿态控制网络之间的流量。[SP41]
Tutorial: A firewall typically protects a smaller, secure network (such as a corporate LAN, or even just one host) from a larger network (such as the Internet). The firewall is installed at the point where the networks connect, and the firewall applies policy rules to control traffic that flows in and out of the protected network.
教程:防火墙通常保护较小、安全的网络(如公司局域网,甚至仅一台主机)免受较大网络(如Internet)的攻击。防火墙安装在网络连接点,防火墙应用策略规则来控制进出受保护网络的流量。
A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts, all connected to a small, dedicated LAN (see: buffer zone) between the two routers. The external router blocks attacks that use IP to break security (IP address spoofing, source routing, packet fragments), while proxy servers block attacks that would exploit a vulnerability in a higher-layer protocol or service. The internal router blocks traffic from leaving the protected network except through the proxy servers. The difficult part is defining criteria by which packets are denied passage through the firewall, because a firewall not only needs to keep unauthorized traffic (i.e., intruders) out, but usually also needs to let authorized traffic pass both in and out.
防火墙并不总是一台计算机。例如,防火墙可能由一对过滤路由器和一台或多台运行在一台或多台堡垒主机上的一台或多台代理服务器组成,所有这些都连接到两台路由器之间的小型专用LAN(请参阅:缓冲区)。外部路由器阻止使用IP破坏安全性的攻击(IP地址欺骗、源路由、数据包碎片),而代理服务器阻止利用更高层协议或服务中的漏洞进行攻击。内部路由器阻止流量离开受保护的网络,除非通过代理服务器。困难的部分是定义拒绝数据包通过防火墙的标准,因为防火墙不仅需要阻止未经授权的流量(即入侵者),而且通常还需要允许授权的流量进出。
$ firmware (I) Computer programs and data stored in hardware -- typically in read-only memory (ROM) or programmable read-only memory (PROM) -- such that the programs and data cannot be dynamically written or modified during execution of the programs. (See: hardware, software.)
$ 固件(I)存储在硬件中的计算机程序和数据——通常存储在只读存储器(ROM)或可编程只读存储器(PROM)中——使得程序和数据在程序执行期间不能动态写入或修改。(请参阅:硬件、软件。)
$ FIRST (N) See: Forum of Incident Response and Security Teams.
$ 第一(N)见:事件响应和安全团队论坛。
$ flaw 1. (I) An error in the design, implementation, or operation of an information system. A flaw may result in a vulnerability. (Compare: vulnerability.)
$ 缺陷1。(一) 信息系统设计、实施或操作中的错误。缺陷可能会导致漏洞。(比较:漏洞。)
2. (D) "An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed." [NCSSG] (Compare: vulnerability. See: brain-damaged.)
2. (D) “在允许绕过保护机制的系统中,由于疏忽、疏忽或疏忽造成的错误。”[NCSSG](比较:脆弱性。参见:大脑受损。)
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2; not every flaw is a vulnerability.
不推荐使用的定义:IDOC不应将此术语与定义2一起使用;并非每个缺陷都是漏洞。
$ flaw hypothesis methodology (I) An evaluation or attack technique in which specifications and documentation for a system are analyzed to hypothesize flaws in the system. The list of hypothetical flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming it does, on the ease of exploiting it and the extent of control or compromise it would provide. The prioritized list is used to direct a penetration test or attack against the system. [NCS04] (See: fault tree, flaw.)
$ 缺陷假设方法(I)一种评估或攻击技术,其中对系统的规范和文档进行分析,以假设系统中存在缺陷。假设缺陷列表根据缺陷存在的估计概率和(假设存在)利用缺陷的难易程度以及控制或妥协的程度进行优先排序。优先列表用于指导针对系统的渗透测试或攻击。[NCS04](参见:故障树、缺陷)
$ flooding 1. (I) An attack that attempts to cause a failure in a system by providing more input than the system can process properly. (See: denial of service, fairness. Compare: jamming.)
$ 洪水1。(一) 试图通过提供超出系统正常处理范围的输入而导致系统故障的一种攻击。(请参阅:拒绝服务,公平性。比较:干扰。)
Tutorial: Flooding uses "overload" as a type of "obstruction" intended to cause "disruption".
教程:洪水使用“过载”作为一种“障碍物”,旨在造成“破坏”。
2. (I) The process of delivering data or control messages to every node of a network. (RFC 3753)
2. (一) 向网络的每个节点传送数据或控制信息的过程。(RFC 3753)
$ flow analysis (I) An analysis performed on a nonprocedural, formal, system specification that locates potential flows of information between system variables. By assigning security levels to the variables, the analysis can find some types of covert channels. [Huff]
$ 流程分析(I)对非程序、正式的系统规范进行的分析,确定系统变量之间的潜在信息流。通过为变量分配安全级别,分析可以发现某些类型的隐蔽通道。[怒火]
$ flow control 1. (I) /data security/ A procedure or technique to ensure that information transfers within a system are not made from one security level to another security level, and especially not from a higher level to a lower level. [Denns] (See: covert channel, confinement property, information flow policy, simple security property.)
$ 流量控制1。(一) /数据安全性/确保系统内的信息传输不会从一个安全级别传输到另一个安全级别,特别是不会从较高级别传输到较低级别的程序或技术。[Denns](请参阅:隐蔽通道、限制属性、信息流策略、简单安全属性。)
2. (O) /data security/ "A concept requiring that information transfers within a system be controlled so that information in certain types of objects cannot, via any channel within the system, flow to certain other types of objects." [NCSSG]
2. (O) /data security/“一种概念,要求控制系统内的信息传输,使某些类型对象中的信息不能通过系统内的任何通道流向某些其他类型的对象。”[NCSSG]
$ For Official Use Only (FOUO) (O) /U.S. DoD/ A U.S. Government designation for information that has not been given a security classification pursuant to the criteria of an Executive Order dealing with national security, but which may be withheld from the public because disclosure would cause a foreseeable harm to an interest protected by one of the exemptions stated in the Freedom of Information Act (Section 552 of title 5, United States Code). (See: security label, security marking. Compare: classified.)
$ 仅供官方使用(FOUO)(O)/美国国防部/美国政府指定,用于未根据涉及国家安全的行政命令标准进行安全分类的信息,但由于披露会对受《信息自由法》(美国法典第5编第552节)所述豁免之一保护的利益造成可预见的损害,因此可能会对公众隐瞒。(参见:安全标签、安全标记。比较:分类。)
$ formal (I) Expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts. [CCIB] (Compare: informal, semiformal.)
$ 形式(I)用受限语法语言表示,语义定义基于成熟的数学概念。[CCIB](比较:非正式、半正式。)
$ formal access approval (O) /U.S. Government/ Documented approval by a data owner to allow access to a particular category of information in a system. (See: category.)
$ 正式访问批准(O)/美国政府/数据所有者书面批准,允许访问系统中特定类别的信息。(请参阅:类别。)
$ Formal Development Methodology (O) See: Ina Jo.
$ 正式开发方法(O)见:Ina Jo。
$ formal model (I) A security model that is formal. Example: Bell-LaPadula model. [Land] (See: formal, security model.)
$ 形式模型(I)形式化的安全模型。示例:贝尔-拉帕杜拉模型。[土地](见:正式的安全模型。)
$ formal proof (I) "A complete and convincing mathematical argument, presenting the full logical justification for each step in the proof, for the truth of a theorem or set of theorems." [NCSSG]
$ 形式证明(I)“一个完整且令人信服的数学论证,为证明中的每一步提供完整的逻辑证明,证明一个定理或一组定理的真理。”[NCSSG]
$ formal specification (I) A precise description of the (intended) behavior of a system, usually written in a mathematical language, sometimes for the
$ 形式规范(I)系统(预期)行为的精确描述,通常用数学语言编写,有时用于
purpose of supporting formal verification through a correctness proof. [Huff] (See: Affirm, Gypsy, HDM, Ina Jo.) (See: formal.)
通过正确性证明支持形式验证的目的。[Huff](参见:确认、吉普赛、HDM、Ina Jo)(参见:正式)
Tutorial: A formal specification can be written at any level of detail but is usually a top-level specification.
教程:正式规范可以在任何详细级别编写,但通常是顶级规范。
$ formal top-level specification (I) "A top-level specification that is written in a formal mathematical language to allow theorems showing the correspondence of the system specification to its formal requirements to be hypothesized and formally proven." [NCS04] (See: formal specification.)
$ 正式顶层规范(I)“以正式数学语言编写的顶层规范,允许假设和正式证明表明系统规范与其正式需求对应关系的定理。”[NCS04](见:正式规范。)
$ formulary (I) A technique for enabling a decision to grant or deny access to be made dynamically at the time the access is attempted, rather than earlier when an access control list or ticket is created.
$ 公式集(I)一种技术,用于在尝试访问时,而不是在创建访问控制列表或票证之前,动态做出授予或拒绝访问的决定。
$ FORTEZZA(trademark) (O) A registered trademark of NSA, used for a family of interoperable security products that implement a NIST/NSA-approved suite of cryptographic algorithms for digital signature, hash, encryption, and key exchange. The products include a PC card (which contains a CAPSTONE chip), and compatible serial port modems, server boards, and software implementations.
$ FORTEZZA(商标)(O)NSA的注册商标,用于实现NIST/NSA批准的用于数字签名、哈希、加密和密钥交换的加密算法套件的可互操作安全产品系列。这些产品包括一个PC卡(包含一个CAPSTONE芯片)、兼容的串行端口调制解调器、服务器板和软件实现。
$ Forum of Incident Response and Security Teams (FIRST) (N) An international consortium of CSIRTs (e.g., CIAC) that work together to handle computer security incidents and promote preventive activities. (See: CSIRT, security incident.)
$ 事件响应和安全团队论坛(第一)(N)CSIRT的国际联盟(如CIAC),共同处理计算机安全事件并促进预防活动。(参见:CSIRT,安全事件)
Tutorial: FIRST was founded in 1990 and, as of July 2004, had more than 100 members spanning the globe. Its mission includes: - Provide members with technical information, tools, methods, assistance, and guidance. - Coordinate proactive liaison activities and analytical support. - Encourage development of quality products and services. - Improve national and international information security for governments, private industry, academia, and the individual. - Enhance the image and status of the CSIRT community.
教程:FIRST成立于1990年,截至2004年7月,在全球拥有100多名会员。其任务包括:-为成员提供技术信息、工具、方法、协助和指导。-协调主动联络活动和分析支持。-鼓励开发优质产品和服务。-改善政府、私营企业、学术界和个人的国家和国际信息安全。-提升CSIRT社区的形象和地位。
$ forward secrecy (I) See: perfect forward secrecy.
$ 前向保密(I)见:完美前向保密。
$ FOUO (O) See: For Official Use Only.
$ FOUO(O)见:仅供官方使用。
$ FPKI (O) See: Federal Public-Key Infrastructure.
$ FPKI(O)见:联邦公钥基础设施。
$ fraggle attack (D) /slang/ A synonym for "smurf attack".
$ 脆弱攻击(D)/俚语/蓝精灵攻击的同义词。
Deprecated Term: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, IDOCs SHOULD NOT use this term.
不推荐使用的术语:其他文化可能对此概念使用不同的隐喻。因此,为了避免国际上的误解,IDOC不应该使用这个术语。
Derivation: The Fraggles are a fictional race of small humanoids (represented as hand puppets in a children's television series, "Fraggle Rock") that live underground.
起源:Fraggles是一个虚构的小型人形种族(在儿童电视剧《Fraggle Rock》中表现为手木偶),生活在地下。
$ frequency hopping (N) Repeated switching of frequencies during radio transmission according to a specified algorithm. [C4009] (See: spread spectrum.)
$ 跳频(N):根据指定的算法在无线电传输过程中重复切换频率。[C4009](参见:扩频。)
Tutorial: Frequency hopping is a TRANSEC technique to minimize the potential for unauthorized interception or jamming.
教程:跳频是一种TRANSEC技术,可以最大限度地降低未经授权的拦截或干扰的可能性。
$ fresh (I) Recently generated; not replayed from some earlier interaction of the protocol.
$ 新的(I)最近产生的;未从协议的某些早期交互中重播。
Usage: Describes data contained in a PDU that is received and processed for the first time. (See: liveness, nonce, replay attack.)
用法:描述首次接收和处理的PDU中包含的数据。(请参阅:活跃度、暂时性、重放攻击。)
$ FTP (I) See: File Transfer Protocol.
$ FTP(I)见:文件传输协议。
$ gateway (I) An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks. (See: bridge, firewall, guard, internetwork, proxy server, router, and subnetwork.)
$ 网关(I)连接到两个(或多个)功能相似但实现方式不同的计算机网络的中间系统(接口、中继),可实现网络之间的单向或双向通信。(请参阅:网桥、防火墙、防护、互联网、代理服务器、路由器和子网络。)
Tutorial: The networks may differ in any of several aspects, including protocols and security mechanisms. When two computer networks differ in the protocol by which they offer service to hosts, a gateway may translate one protocol into the other or otherwise facilitate interoperation of hosts (see: Internet Protocol). In theory, gateways between computer networks are conceivable at any OSIRM layer. In practice, they usually operate
教程:网络可能在几个方面有所不同,包括协议和安全机制。当两个计算机网络向主机提供服务的协议不同时,网关可将一个协议转换为另一个协议,或以其他方式促进主机的互操作(请参阅:Internet协议)。理论上,计算机网络之间的网关在任何OSIRM层都是可以想象的。在实践中,它们通常会运行
at OSIRM Layer 2 (see: bridge), 3 (see: router), or 7 (see: proxy server).
在OSIRM第2层(请参阅:网桥)、第3层(请参阅:路由器)或第7层(请参阅:代理服务器)。
$ GCA (O) See: geopolitical certificate authority.
$ GCA(O)见:地缘政治证书管理局。
$ GDOI (O) See: Group Domain of Interpretation.
$ GDOI(O)见:集团解释领域。
$ GeldKarte (O) A smartcard-based, electronic money system that is maintained by the German banking industry, incorporates cryptography, and can be used to make payments via the Internet. (See: IOTP.)
$ Geldkart(O)是一种基于智能卡的电子货币系统,由德国银行业维护,采用加密技术,可用于通过互联网进行支付。(见:IOTP)
$ GeneralizedTime (N) The ASN.1 data type "GeneralizedTime" (ISO 8601) contains a calendar date (YYYYMMDD) and a time of day, which is either (a) the local time, (b) the Coordinated Universal Time, or (c) both the local time and an offset that enables Coordinated Universal Time to be calculated. (See: Coordinated Universal Time. Compare: UTCTime.)
$ 泛化时间(N)ASN.1数据类型“泛化时间”(ISO 8601)包含日历日期(YYYYMMDD)和一天中的某个时间,即(a)本地时间,(b)协调世界时间,或(c)本地时间和允许计算协调世界时间的偏移量。(参见:协调世界时。比较:UTCTime。)
$ Generic Security Service Application Program Interface (GSS-API) (I) An Internet Standard protocol [R2743] that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies, thus enabling the application source code to be ported to different environments. (Compare: EAP, SASL.)
$ 通用安全服务应用程序接口(GSS-API)(I)一种互联网标准协议[R2743],规定了应用程序(通常是另一种通信协议)可通过其获得身份验证、完整性、,保密性和安全性服务独立于底层安全机制和技术,从而使应用程序源代码能够移植到不同的环境。(比较:EAP、SASL)
Tutorial: "A GSS-API caller accepts tokens provided to it by its local GSS-API implementation and transfers the tokens to a peer on a remote system; that peer passes the received tokens to its local GSS-API implementation for processing. The security services available through GSS-API in this fashion are implementable (and have been implemented) over a range of underlying mechanisms based on [symmetric] and [asymmetric cryptography]." [R2743]
教程:“GSS-API调用方接受其本地GSS-API实现提供给它的令牌,并将令牌传输给远程系统上的对等方;该对等方将接收到的令牌传递给其本地GSS-API实现进行处理。通过GSS-API以这种方式提供的安全服务是可实现的(并且已经实现)基于[对称]和[非对称加密]的一系列底层机制
$ geopolitical certificate authority (GCA) (O) /SET/ In a SET certification hierarchy, an optional level that is certified by a BCA and that may certify cardholder CAs, merchant CAs, and payment gateway CAs. Using GCAs enables a brand to distribute responsibility for managing certificates to geographic or political regions, so that brand policies can vary between regions as needed.
$ 地缘政治证书颁发机构(GCA)(O)/SET/在SET认证层次结构中,由BCA认证的可选级别,可认证持卡人CA、商户CA和支付网关CA。使用GCAs使品牌能够将管理证书的责任分配给地理或政治区域,以便品牌策略可以根据需要在不同区域之间变化。
$ GIG (O) See: Global Information Grid.
$ 全球信息栅格(GIG)见:全球信息栅格。
$ Global Information Grid (GIG) (O) /U.S. DoD/ The GIG is "a globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel." [IATF] Usage: Formerly referred to as the DII.
$ 全球信息网格(GIG)(O)/美国国防部/全球信息网格是“一组全球互联、端到端的信息能力、相关流程和人员,用于收集、处理、存储、传播和管理作战人员、决策者和支持人员所需的信息。”[IATF]用法:以前称为DII。
$ good engineering practice(s) (N) A term used to specify or characterize design, implementation, installation, or operating practices for an information system, when a more explicit specification is not possible. Generally understood to refer to the state of the engineering art for commercial systems that have problems and solutions equivalent to the system in question.
$ 良好工程实践(N):当无法制定更明确的规范时,用于指定或描述信息系统的设计、实施、安装或操作实践的术语。一般理解为指商业系统的工程技术水平,其问题和解决方案相当于所讨论的系统。
$ granularity 1. (N) /access control/ Relative fineness to which an access control mechanism can be adjusted.
$ 粒度1。(N) /访问控制/访问控制机制可调整的相对精细度。
2. (N) /data security/ "The size of the smallest protectable unit of information" in a trusted system. [Huff]
2. (N) /data security/“受信任系统中可保护的最小信息单元的大小”。[怒火]
$ Green Book (D) /slang/ Synonym for "Defense Password Management Guideline" [CSC2].
$ 绿皮书(D)/俚语/同义词“国防密码管理指南”[CSC2]。
Deprecated Term: Except as an explanatory appositive, IDOCs SHOULD NOT use this term, regardless of the associated definition. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: Rainbow Series.)
不推荐使用的术语:除了作为解释性同位语外,IDOCs不应使用该术语,无论相关定义如何。取而代之的是,使用文件的全称,或者在后续参考文献中使用常规缩写。(请参阅:彩虹系列。)
Deprecated Usage: To improve international comprehensibility of Internet Standards and the Internet Standards Process, IDOCs SHOULD NOT use "cute" synonyms. No matter how clearly understood or popular a nickname may be in one community, it is likely to cause confusion or offense in others. For example, several other information system standards also are called "the Green Book"; the following are some examples: - Each volume of 1992 ITU-T (known at that time as CCITT) standards. - "PostScript Language Program Design", Adobe Systems, Addison-Wesley, 1988. - IEEE 1003.1 POSIX Operating Systems Interface.
不推荐使用:为了提高互联网标准和互联网标准过程的国际可理解性,IDOC不应使用“可爱”同义词。无论一个昵称在一个社区中被理解得多么清楚或多么流行,它都有可能在其他社区引起混乱或冒犯。例如,其他一些信息系统标准也被称为“绿皮书”;以下是一些示例:-1992年ITU-T(当时称为CCITT)标准的每一卷。-“PostScript语言程序设计”,AdobeSystems,Addison-Wesley,1988年IEEE 1003.1 POSIX操作系统接口。
- "Smalltalk-80: Bits of History, Words of Advice", Glenn Krasner, Addison-Wesley, 1983. - "X/Open Compatibility Guide". - A particular CD-ROM format developed by Phillips.
- “Smalltalk-80:历史的点滴,忠告的话语”,格伦·克拉斯纳,艾迪生·韦斯利,1983年“X/Open兼容性指南”——菲利普斯开发的一种特殊的CD-ROM格式。
$ Group Domain of Interpretation (GDOI) (I) An ISAKMP/IKE domain of interpretation for group key management; i.e., a phase 2 protocol in ISAKMP. [R3547] (See: secure multicast.)
$ 集团解释域(GDOI)(I)用于集团密钥管理的ISAKMP/IKE解释域;i、 例如,ISAKMP中的第2阶段协议。[R3547](请参阅:安全多播。)
Tutorial: In this group key management model that extends the ISAKMP standard, the protocol is run between a group member and a "group controller/key server", which establishes security associations [R4301] among authorized group members. The GDOI protocol is itself protected by an ISAKMP phase 1 association.
教程:在此扩展ISAKMP标准的组密钥管理模型中,协议在组成员和“组控制器/密钥服务器”之间运行,该服务器在授权组成员之间建立安全关联[R4301]。GDOI协议本身受ISAKMP第1阶段关联的保护。
For example, multicast applications may use ESP to protect their data traffic. GDOI carries the needed security association parameters for ESP. In this way, GDOI supports multicast ESP with group authentication of ESP packets using a shared, group key.
例如,多播应用程序可以使用ESP来保护其数据流量。GDOI携带ESP所需的安全关联参数。通过这种方式,GDOI支持使用共享组密钥对ESP数据包进行组身份验证的多播ESP。
$ group identity (I) See: secondary definition under "identity".
$ 集团标识(I)见“标识”下的二级定义。
$ group security association (I) "A bundling of [security associations] (SAs) that together define how a group communicates securely. The [group SA] may include a registration protocol SA, a rekey protocol SA, and one or more data security protocol SAs." [R3740]
$ 组安全关联(I)“[安全关联](SA)的捆绑,共同定义组如何安全通信。[组SA]可能包括注册协议SA、密钥更新协议SA和一个或多个数据安全协议SA。”[R3740]
$ GSS-API (I) See: Generic Security Service Application Program Interface.
$ GSS-API(I)见:通用安全服务应用程序接口。
$ guard (I) A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two. (See: controlled interface, cross-domain solution, domain, filter. Compare: firewall.)
$ guard(I)一种计算机系统,它(A)充当两个在不同安全策略下运行的信息系统之间的网关,并且(b)受信任在两个系统之间进行信息数据传输。(请参阅:受控接口、跨域解决方案、域、筛选器。比较:防火墙。)
Usage: Frequently understood to mean that one system is operating at a higher security level than the other, and that the gateway's purpose is to prevent unauthorized disclosure of data from the higher system to the lower. However, the purpose might also be to protect the data integrity, availability, or general system integrity of one system from threats posed by connecting to the other system. The mediation may be entirely automated or may involve "reliable human review".
用法:通常理解为一个系统的安全级别高于另一个系统,网关的目的是防止未经授权将数据从较高的系统泄露给较低的系统。但是,其目的也可能是保护一个系统的数据完整性、可用性或一般系统完整性,使其免受连接到另一个系统所造成的威胁。调解可能完全自动化,也可能涉及“可靠的人工审查”。
$ guest login (I) See: anonymous login.
$ 来宾登录(I)见:匿名登录。
$ GULS (I) Generic Upper Layer Security service element (ISO 11586), a five-part standard for the exchange of security information and security-transformation functions that protect confidentiality and integrity of application data.
$ GULS(I)通用上层安全服务元素(ISO 11586),由五部分组成的标准,用于交换安全信息和安全转换功能,以保护应用程序数据的机密性和完整性。
$ Gypsy verification environment (O) A methodology, language, and integrated set of software tools developed at the University of Texas for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]
$ 吉普赛验证环境(O)一种在德克萨斯大学开发的方法、语言和成套软件工具,用于指定、编码和验证软件以产生正确和可靠的程序。[车]
$ H field (D) See: Deprecated Usage under "Handling Restrictions field".
$ H字段(D)请参阅“处理限制字段”下的不推荐使用。
$ hack 1a. (I) /verb/ To work on something, especially to program a computer. (See: hacker.)
$ 黑客1a。(一) /动词/做某事,尤指为计算机编程。(见:黑客)
1b. (I) /verb/ To do some kind of mischief, especially to play a prank on, or penetrate, a system. (See: hacker, cracker.)
1b。(一) 做某种恶作剧,尤指恶作剧或渗透系统。(请参阅:黑客、黑客。)
2. (I) /noun/ An item of completed work, or a solution for a problem, that is non-generalizable, i.e., is very specific to the application area or problem being solved.
2. (一) /noon/完成的工作项目或问题的解决方案,不可概括,即非常特定于所解决的应用领域或问题。
Tutorial: Often, the application area or problem involves computer programming or other use of a computer. Characterizing something as a hack can be a compliment, such as when the solution is minimal and elegant; or it can be derogatory, such as when the solution fixes the problem but leaves the system in an unmaintainable state.
教程:通常,应用领域或问题涉及计算机编程或计算机的其他使用。将某物描述为黑客可以是一种恭维,例如当解决方案是最小且优雅的;或者它可能是贬义的,例如当解决方案修复了问题,但使系统处于无法维护的状态时。
See [Raym] for several other meanings of this term and also definitions of several derivative terms.
有关该术语的其他含义以及几个衍生术语的定义,请参见[Raym]。
$ hacker 1. (I) Someone with a strong interest in computers, who enjoys learning about them, programming them, and experimenting and otherwise working with them. (See: hack. Compare: adversary, cracker, intruder.)
$ 黑客1。(一) 对计算机有浓厚兴趣的人,他们喜欢学习计算机、编程、实验和使用计算机。(参见:黑客。比较:敌手、黑客、入侵者。)
Usage: This first definition is the original meaning of the term (circa 1960); it then had a neutral or positive connotation of "someone who figures things out and makes something cool happen".
用法:第一个定义是该术语的原始含义(约1960年);然后,它有一个中性或积极的内涵,即“一个能把事情弄明白并让一些很酷的事情发生的人”。
2. (O) "An individual who spends an inordinate amount of time working on computer systems for other than professional purposes." [NCSSG]
2. (O) “在计算机系统上花费过多时间而非出于专业目的的个人。”[NCSSG]
3. (D) Synonym for "cracker".
3. (D) “饼干”的同义词。
Deprecated Usage: Today, the term is frequently (mis)used (especially by journalists) with definition 3.
不推荐的用法:今天,这个词经常(误用)(尤其是记者)在定义3中使用。
$ handle 1. (I) /verb/ Perform processing operations on data, such as receive and transmit, collect and disseminate, create and delete, store and retrieve, read and write, and compare. (See: access.)
$ 处理1。(一) /verb/对数据执行处理操作,如接收和发送、收集和分发、创建和删除、存储和检索、读和写以及比较。(请参阅:访问。)
2. (I) /noun/ An online pseudonym, particularly one used by a cracker; derived from citizens' band radio culture.
2. (一) /名词/网上的笔名,尤指黑客使用的;源自市民的波段无线电文化。
$ handling restriction (I) A type of access control other than (a) the rule-based protections of mandatory access control and (b) the identity-based protections of discretionary access control; usually involves administrative security.
$ 处理限制(I)除(A)基于规则的强制访问控制保护和(b)基于身份的自主访问控制保护以外的一种访问控制;通常涉及管理安全。
$ Handling Restrictions field (I) A 16-bit field that specifies a control and release marking in the security option (option type 130) of IP's datagram header format. The valid field values are alphanumeric digraphs assigned by the U.S. Government, as specified in RFC 791.
$ 处理限制字段(I)一个16位字段,指定IP数据报报头格式的安全选项(选项类型130)中的控制和释放标记。根据RFC 791的规定,有效字段值为美国政府指定的字母数字有向图。
Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "H field" because it is potentially ambiguous. Instead, use "Handling Restrictions field".
不推荐使用的缩写:IDOCs不应使用缩写“H字段”,因为它可能不明确。相反,请使用“处理限制字段”。
$ handshake (I) Protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other.
$ 握手(I)两个系统之间的协议对话,用于相互识别和验证自身,或用于使其操作同步。
$ Handshake Protocol (I) /TLS/ The TLS Handshake Protocol consists of three parts (i.e., subprotocols) that enable peer entities to agree upon security parameters for the record layer, authenticate themselves to each other, instantiate negotiated security parameters, and report error conditions to each other. [R4346]
$ 握手协议(I)/TLS/TLS握手协议由三个部分(即子协议)组成,使对等实体能够就记录层的安全参数达成一致,彼此进行身份验证,实例化协商的安全参数,并相互报告错误情况。[R4346]
$ harden (I) To protect a system by configuring it to operate in a way that eliminates or mitigates known vulnerabilities. Example: [RSCG]. (See: default account.)
$ 强化(I)通过配置系统以消除或缓解已知漏洞的方式运行来保护系统。示例:[RSCG]。(请参阅:默认帐户。)
$ hardware (I) The material physical components of an information system. (See: firmware, software.)
$ 硬件(I)信息系统的重要物理组件。(请参阅:固件、软件。)
$ hardware error (I) /threat action/ See: secondary definitions under "corruption", "exposure", and "incapacitation".
$ 硬件错误(I)/威胁行动/见“腐败”、“暴露”和“丧失能力”下的二级定义。
$ hardware token See: token.
$ 硬件令牌请参阅:令牌。
$ hash code (D) Synonym for "hash result" or "hash function".
$ 哈希代码(D)“哈希结果”或“哈希函数”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. A hash result is not a "code", and a hash function does not "encode" in any sense defined by this glossary. (See: hash value, message digest.)
不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。散列结果不是“代码”,散列函数也不是本术语表定义的任何意义上的“编码”。(请参阅:哈希值,消息摘要。)
$ hash function 1. (I) A function H that maps an arbitrary, variable-length bit string, s, into a fixed-length string, h = H(s) (called the "hash result"). For most computing applications, it is desirable that given a string s with H(s) = h, any change to s that creates a different string s' will result in an unpredictable hash result H(s') that is, with high probability, not equal to H(s).
$ 散列函数1。(一) 一种函数H,它将任意可变长度的位字符串s映射为固定长度的字符串H=H(s)(称为“哈希结果”)。对于大多数计算应用程序,理想的情况是给定一个H(s)=H的字符串s,对s的任何更改都会产生一个不可预测的散列结果H(s'),即高概率不等于H(s)。
2. (O) "A (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. A 'good' hash function is such that the results of applying the function to a (large) set of values in the domain will be evenly distributed (and apparently at random) over the range." [X509]
2. (O) “将大(可能非常大)域中的值映射到较小范围的(数学)函数。“良好”哈希函数是指将函数应用于域中的(大)值集的结果将均匀分布(显然是随机分布)在该范围内。”[X509]
Tutorial: A hash function operates on variable-length input (e.g., a message or a file) and outputs a fixed-length output, which typically is much shorter than most input values. If the algorithm is "good" as described in the "O" definition, then the hash function may be a candidate for use in a security mechanism to detect accidental changes in data, but not necessarily for a mechanism to detect changes made by active wiretapping. (See: Tutorial under "checksum".)
教程:哈希函数对可变长度输入(例如,消息或文件)进行操作,并输出固定长度的输出,通常比大多数输入值短得多。如果如“O”定义中所描述的算法是“好的”,则散列函数可以是在安全机制中用于检测数据中的意外变化的候选函数,但不一定是用于检测由活动窃听进行的变化的机制的候选函数。(请参阅“校验和”下的教程。)
Security mechanisms require a "cryptographic hash function" (e.g., MD2, MD4, MD5, SHA-1, Snefru), i.e., a good hash function that also has the one-way property and one of the two collision-free properties: - "One-way property": Given H and a hash result h = H(s), it is hard (i.e., computationally infeasible, "impossible") to find s. (Of course, given H and an input s, it must be relatively easy to compute the hash result H(s).) - "Weakly collision-free property": Given H and an input s, it is hard (i.e., computationally infeasible, "impossible") to find a different input, s', such that H(s) = H(s'). - "Strongly collision-free property": Given H, it is hard to find any pair of inputs s and s' such that H(s) = H(s').
安全机制需要一个“加密散列函数”(例如,MD2、MD4、MD5、SHA-1、Snefru),即一个好的散列函数,它也具有单向属性和两个无冲突属性中的一个:-“单向属性”:给定H和散列结果H=H(s),很难(即,计算上不可行,“不可能”)找到s。(当然,给定H和输入s,计算散列结果H(s)必须相对容易。”—“弱无冲突属性”:给定H和输入s,很难(即,计算上不可行,“不可能”)找到不同的输入s',使得H(s)=H(s')。-“强无碰撞特性”:给定H,很难找到任何一对输入s和s',使得H(s)=H(s')。
If H produces a hash result N bits long, then to find an s' where H(s') = H(s) for a specific given s, the amount of computation required is O(2**n); i.e., it is necessary to try on the order of 2 to the power n values of s' before finding a collision. However, to simply find any pair of values s and s' that collide, the amount of computation required is only O(2**(n/2)); i.e., after computing H(s) for 2 to the power n/2 randomly chosen values of s, the probability is greater than 1/2 that two of those values have the same hash result. (See: birthday attack.)
如果H产生一个N比特长的散列结果,那么为了找到一个s',其中H(s')=H(s),对于特定的给定s,所需的计算量是O(2**N);i、 例如,在发现碰撞之前,有必要尝试s'的幂n值的2阶。然而,为了简单地找到碰撞的任何一对值s和s’,所需的计算量仅为O(2**(n/2));i、 例如,在将2的H(s)计算为随机选择的s的n/2的幂之后,这些值中的两个具有相同散列结果的概率大于1/2。(见:生日攻击。)
$ hash result 1. (I) The output of a hash function. (See: hash code, hash value. Compare: hash value.)
$ 散列结果1。(一) 散列函数的输出。(请参阅:哈希代码、哈希值。比较:哈希值。)
2. (O) "The output produced by a hash function upon processing a message" (where "message" is broadly defined as "a digital representation of data"). [DSG]
2. (O) “哈希函数在处理消息时产生的输出”(其中“消息”广义上定义为“数据的数字表示”)。[DSG]
Usage: IDOCs SHOULD avoid the unusual usage of "message" that is seen in the "O" definition.
用法:idoc应该避免在“O”定义中看到的“message”的异常用法。
$ hash value (D) Synonym for "hash result".
$ 哈希值(D)是“哈希结果”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term for the output of a hash function; the term could easily be confused with "hashed value", which means the input to a hash function. (See: hash code, hash result, message digest.)
不推荐使用的术语:IDOCs不应将此术语用于哈希函数的输出;这个术语很容易与“散列值”混淆,即散列函数的输入。(请参阅:哈希代码、哈希结果、消息摘要。)
$ HDM (O) See: Hierarchical Development Methodology.
$ HDM(O)参见:分层开发方法。
$ Hierarchical Development Methodology (HDM) (O) A methodology, language, and integrated set of software tools developed at SRI International for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]
$ 分层开发方法(HDM)(O)SRI International开发的一套方法、语言和综合软件工具,用于指定、编码和验证软件,以生成正确可靠的程序。[车]
$ hierarchical PKI (I) A PKI architecture based on a certification hierarchy. (Compare: mesh PKI, trust-file PKI.)
$ 层次式PKI(I)基于证书层次结构的PKI体系结构。(比较:网状PKI、信任文件PKI。)
$ hierarchy management (I) The process of generating configuration data and issuing public-key certificates to build and operate a certification hierarchy. (See: certificate management.)
$ 层次结构管理(I)生成配置数据和颁发公钥证书以建立和运行证书层次结构的过程。(请参阅:证书管理。)
$ hierarchy of trust (D) Synonym for "certification hierarchy".
$ 信任层次结构(D)“认证层次结构”的同义词。
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts in a potentially misleading way. (See: certification hierarchy, trust, web of trust.)
不推荐使用的术语:IDoc不应使用此术语;它以一种潜在误导的方式混合概念。(请参阅:证书层次结构、信任、信任网。)
$ high-assurance guard (O) "An oxymoron," said Lt. Gen. William H. Campbell, former U.S. Army chief information officer, speaking at an Armed Forces Communications and Electronics Association conference.
$ 前美国陆军首席信息官威廉·H·坎贝尔中将在美国武装部队通信和电子协会的一次会议上说:“这是一个自相矛盾的说法。”。
Usage: IDOCs that use this term SHOULD state a definition for it because the term mixes concepts and could easily be misunderstood.
用法:使用这个术语的IDoc应该为它声明一个定义,因为这个术语混合了概念,很容易被误解。
$ hijack attack (I) A form of active wiretapping in which the attacker seizes control of a previously established communication association. (See: man-in-the-middle attack, pagejacking, piggyback attack.)
$ 劫持攻击(I)一种主动窃听形式,其中攻击者夺取了先前建立的通信关联的控制权。(参见:中间人攻击、页面劫持、背驮攻击。)
$ HIPAA (N) Health Information Portability and Accountability Act of 1996, a U.S. law (Public Law 104-191) that is intended to protect the privacy of patients' medical records and other health information in all forms, and mandates security for that information, including for its electronic storage and transmission.
$ 《1996年HIPAA(N)健康信息可移植性和责任法案》,一项美国法律(公法104-191),旨在保护患者医疗记录和其他各种形式健康信息的隐私,并要求对该信息进行安全保护,包括其电子存储和传输。
$ HMAC (I) A keyed hash [R2104] that can be based on any iterated cryptographic hash (e.g., MD5 or SHA-1), so that the cryptographic strength of HMAC depends on the properties of the selected cryptographic hash. (See: [R2202, R2403, R2404].)
$ HMAC(I)可基于任何迭代加密散列(例如,MD5或SHA-1)的键控散列[R2104],因此HMAC的加密强度取决于所选加密散列的属性。(参见:[R2202、R2403、R2404])
Derivation: Hash-based MAC. (Compare: CMAC.)
派生:基于哈希的MAC。(比较:CMAC。)
Tutorial: Assume that H is a generic cryptographic hash in which a function is iterated on data blocks of length B bytes. L is the length of the of hash result of H. K is a secret key of length L <= K <= B. The values IPAD and OPAD are fixed strings used as inner and outer padding and defined as follows: IPAD = the byte 0x36 repeated B times, and OPAD = the byte 0x5C repeated B times. HMAC is computed by H(K XOR OPAD, H(K XOR IPAD, inputdata)).
教程:假设H是一个通用加密哈希,其中函数在长度为B字节的数据块上迭代。L是H的散列结果的长度。K是长度为L<=K<=B的密钥。值IPAD和OPAD是用作内部和外部填充的固定字符串,定义如下:IPAD=字节0x36重复B次,OPAD=字节0x5C重复B次。HMAC由H(kxor OPAD,H(kxor IPAD,inputdata))计算。
HMAC has the following goals: - To use available cryptographic hash functions without modification, particularly functions that perform well in software and for which software is freely and widely available. - To preserve the original performance of the selected hash without significant degradation. - To use and handle keys in a simple way. - To have a well-understood cryptographic analysis of the strength of the mechanism based on reasonable assumptions about the underlying hash function. - To enable easy replacement of the hash function in case a faster or stronger hash is found or required.
HMAC有以下目标:-不经修改地使用可用的加密哈希函数,特别是在软件中性能良好且软件可自由广泛使用的函数。-以保持所选哈希的原始性能而不会显著降级。-以简单的方式使用和处理按键。-基于对底层哈希函数的合理假设,对机制的强度进行充分理解的密码分析。-在发现或需要更快或更强的散列时,可以轻松替换散列函数。
$ honey pot (N) A system (e.g., a web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears. (See: entrapment.)
$ 蜜罐(honey pot)(N)一种系统(如web服务器)或系统资源(如服务器上的文件),旨在吸引潜在的黑客和入侵者,如蜂蜜吸引熊。(见:诱捕。)
Usage: It is likely that other cultures use different metaphors for this concept. Therefore, to avoid international misunderstanding, an IDOC SHOULD NOT use this term without providing a definition for it. (See: Deprecated Usage under "Green Book".)
用法:其他文化可能对此概念使用不同的隐喻。因此,为避免国际误解,IDOC不应在未提供定义的情况下使用该术语。(请参阅“绿皮书”下不推荐的用法。)
$ host 1. (I) /general/ A computer that is attached to a communication subnetwork or internetwork and can use services provided by the network to exchange data with other attached systems. (See: end system. Compare: server.)
$ 主持人1。(一) /general/连接到通信子网或互联网络的计算机,可以使用网络提供的服务与其他连接的系统交换数据。(请参见:结束系统。比较:服务器。)
2. (I) /IPS/ A networked computer that does not forward IP packets that are not addressed to the computer itself. (Compare: router.)
2. (一) /IPS/不转发未寻址到计算机本身的IP数据包的网络计算机。(比较:路由器。)
Derivation: As viewed by its users, a host "entertains" them, providing Application-Layer services or access to other computers attached to the network. However, even though some traditional peripheral service devices, such as printers, can now be
派生:在用户看来,主机“招待”他们,提供应用层服务或访问连接到网络的其他计算机。然而,即使一些传统的外围服务设备,如打印机,现在可以
independently connected to networks, they are not usually called hosts.
它们独立连接到网络,通常不称为主机。
$ HTML (I) See: Hypertext Markup Language.
$ HTML(I)见:超文本标记语言。
$ HTTP (I) See: Hypertext Transfer Protocol.
$ HTTP(I)参见:超文本传输协议。
$ https (I) When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL. (Compare: S-HTTP.)
$ https(I)当用于URL的第一部分(冒号之前的部分并指定访问方案或协议)时,该术语指定使用通过安全机制(通常为SSL)增强的HTTP。(比较:S-HTTP。)
$ human error (I) /threat action/ See: secondary definitions under "corruption", "exposure", and "incapacitation".
$ 人为错误(I)/威胁行动/见“腐败”、“暴露”和“丧失行为能力”下的二级定义。
$ hybrid encryption (I) An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption. Examples: digital envelope, MSP, PEM, PGP. (Compare: superencryption.)
$ 混合加密(I)结合两种或两种以上加密算法的加密应用,尤其是对称和非对称加密的组合。示例:数字信封、MSP、PEM、PGP。(比较:超级加密。)
Tutorial: Asymmetric algorithms require more computation than equivalently strong symmetric ones. Thus, asymmetric encryption is not normally used for data confidentiality except to distribute a symmetric key in a hybrid encryption scheme, where the symmetric key is usually very short (in terms of bits) compared to the data file it protects. (See: bulk key.)
教程:非对称算法比等价的强对称算法需要更多的计算。因此,非对称加密通常不用于数据保密,除非在混合加密方案中分发对称密钥,其中对称密钥通常比其保护的数据文件短(以位计)。(请参阅:批量密钥。)
$ hyperlink (I) In hypertext or hypermedia, an information object (such as a word, a phrase, or an image, which usually is highlighted by color or underscoring) that points (i.e., indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link (e.g., by selecting the object with a mouse pointer and then clicking).
$ 超链接(I)在超文本或超媒体中,一种信息对象(如单词、短语或图像,通常以颜色或下划线突出显示),它指向(即指示如何连接)位于别处的相关信息,并可通过激活链接检索(例如,用鼠标指针选择对象,然后单击)。
$ hypermedia (I) A generalization of hypertext; any media that contain hyperlinks that point to material in the same or another data object.
$ 超媒体(I)超文本的泛化;包含指向同一或另一数据对象中的材质的超链接的任何媒体。
$ hypertext (I) A computer document, or part of a document, that contains hyperlinks to other documents; i.e., text that contains active pointers to other text. Usually written in HTML and accessed using a web browser. (See: hypermedia.)
$ 超文本(I)包含指向其他文件超链接的计算机文件或文件的一部分;i、 例如,包含指向其他文本的活动指针的文本。通常用HTML编写并使用web浏览器访问。(请参阅:超媒体。)
$ Hypertext Markup Language (HTML) (I) A platform-independent system of syntax and semantics (RFC 1866) for adding characters to data files (particularly text files) to represent the data's structure and to point to related data, thus creating hypertext for use in the World Wide Web and other applications. (Compare: XML.)
$ 超文本标记语言(HTML)(I)一种独立于平台的语法和语义系统(RFC 1866),用于向数据文件(尤其是文本文件)添加字符,以表示数据的结构并指向相关数据,从而创建超文本,供万维网和其他应用程序使用。(比较:XML。)
$ Hypertext Transfer Protocol (HTTP) (I) A TCP-based, Application-Layer, client-server, Internet protocol (RFC 2616) that is used to carry data requests and responses in the World Wide Web. (See: hypertext.)
$ 超文本传输协议(HTTP)(I)基于TCP的应用层、客户机-服务器、互联网协议(RFC 2616),用于在万维网中传输数据请求和响应。(请参阅:超文本。)
$ IAB (I) See: Internet Architecture Board.
$ IAB(I)见:互联网架构委员会。
$ IANA (I) See: Internet Assigned Numbers Authority.
$ IANA(I)见:互联网分配号码管理局。
$ IATF (O) See: Information Assurance Technical Framework.
$ IATF(O)见:信息保障技术框架。
$ ICANN (I) See: Internet Corporation for Assigned Names and Numbers.
$ ICANN(I)见:互联网名称和号码分配公司。
$ ICMP (I) See: Internet Control Message Protocol.
$ ICMP(I)见:互联网控制消息协议。
$ ICMP flood (I) A denial-of-service attack that sends a host more ICMP echo request ("ping") packets than the protocol implementation can handle. (See: flooding, smurf.)
$ ICMP洪泛(I)一种拒绝服务攻击,它向主机发送的ICMP回显请求(“ping”)数据包超过协议实现所能处理的数量。(见:洪水,蓝精灵)
$ ICRL (N) See: indirect certificate revocation list.
$ ICRL(N)参见:间接证书撤销列表。
$ IDEA (N) See: International Data Encryption Algorithm.
$ IDEA(N)见:国际数据加密算法。
$ identification (I) An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities. (See: authentication.)
$ 识别(I)向系统提供标识符的行为或过程,以便系统能够识别系统实体并将其与其他实体区分开来。(请参阅:身份验证。)
$ identification information (D) Synonym for "identifier"; synonym for "authentication information". (See: authentication, identifying information.)
$ 识别信息(D)“标识符”的同义词;“身份验证信息”的同义词。(请参阅:身份验证,识别信息。)
Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; this term (a) is not as precise as they are and (b) mixes concepts in a potentially misleading way. Instead, use "identifier" or "authentication information", depending on what is meant.
不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这个术语(a)并不像它们那样精确,(b)以一种潜在的误导方式混合了概念。相反,使用“标识符”或“身份验证信息”,具体取决于其含义。
$ Identification Protocol (I) A client-server Internet protocol [R1413] for learning the identity of a user of a particular TCP connection.
$ 识别协议(I)用于了解特定TCP连接用户身份的客户机-服务器互联网协议[R1413]。
Tutorial: Given a TCP port number pair, the server returns a character string that identifies the owner of that connection on the server's system. The protocol does not provide an authentication service and is not intended for authorization or access control. At best, it provides additional auditing information with respect to TCP.
教程:给定TCP端口号对,服务器返回一个字符串,该字符串标识服务器系统上该连接的所有者。该协议不提供身份验证服务,也不用于授权或访问控制。充其量,它提供了有关TCP的额外审计信息。
$ identifier (I) A data object -- often, a printable, non-blank character string -- that definitively represents a specific identity of a system entity, distinguishing that identity from all others. (Compare: identity.)
$ 标识符(I)一个数据对象——通常是一个可打印的非空字符串——它最终表示系统实体的特定标识,将该标识与所有其他标识区分开来。(比较:标识。)
Tutorial: Identifiers for system entities must be assigned very carefully, because authenticated identities are the basis for other security services, such as access control service.
教程:必须非常小心地分配系统实体的标识符,因为经过身份验证的标识是其他安全服务(如访问控制服务)的基础。
$ identifier credential 1. (I) See: /authentication/ under "credential".
$ 标识符凭据1。(一) 请参阅“凭证”下的:/authentication/。
2. (D) Synonym for "signature certificate".
2. (D) “签名证书”的同义词。
Usage: IDOCs that use this term SHOULD state a definition for it because the term is used in many ways and could easily be misunderstood.
用法:使用此术语的IDoc应说明其定义,因为该术语的使用方式多种多样,很容易被误解。
$ identifying information (D) Synonym for "identifier"; synonym for "authentication information". (See: authentication, identification information.)
$ 识别信息(D)“标识符”的同义词;“身份验证信息”的同义词。(请参阅:身份验证、标识信息。)
Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for either of those terms; this term (a) is not as precise as they are and (b) mixes concepts in a potentially misleading way. Instead,
不推荐使用的术语:IDOCs不应将此术语用作这些术语的同义词;这个术语(a)并不像它们那样精确,(b)以一种潜在的误导方式混合了概念。相反
use "identifier" or "authentication information", depending on what is meant.
根据含义使用“标识符”或“身份验证信息”。
$ identity (I) The collective aspect of a set of attribute values (i.e., a set of characteristics) by which a system user or other system entity is recognizable or known. (See: authenticate, registration. Compare: identifier.)
$ 标识(I)一组属性值(即一组特征)的集合方面,通过该集合,系统用户或其他系统实体是可识别或已知的。(请参阅:验证、注册。比较:标识符。)
Usage: An IDOC MAY apply this term to either a single entity or a set of entities. If an IDOC involves both meanings, the IDOC SHOULD use the following terms and definitions to avoid ambiguity: - "Singular identity": An identity that is registered for an entity that is one person or one process. - "Shared identity": An identity that is registered for an entity that is a set of singular entities (1) in which each member is authorized to assume the identity individually and (2) for which the registering system maintains a record of the singular entities that comprise the set. In this case, we would expect each member entity to be registered with a singular identity before becoming associated with the shared identity. - "Group identity": An identity that is registered for an entity (1) that is a set of entities (2) for which the registering system does not maintain a record of singular entities that comprise the set.
用法:IDOC可以将此术语应用于单个实体或一组实体。如果IDOC同时包含两种含义,IDOC应使用以下术语和定义以避免歧义:-“单一身份”:为一个人或一个过程的实体注册的身份。-“共享身份”:为一个实体注册的身份,该实体是一组单一实体(1),其中每个成员都有权单独使用该身份,以及(2)注册系统维护组成该集合的单一实体的记录。在这种情况下,我们希望每个成员实体在与共享身份关联之前都以单一身份注册。-“集团身份”:为一个实体(1)注册的身份,该实体(1)是一组实体(2),注册系统不维护组成该组实体的单一实体的记录。
Tutorial: When security services are based on identities, two properties are desirable for the set of attributes used to define identities: - The set should be sufficient to distinguish each entity from all other entities, i.e., to represent each entity uniquely. - The set should be sufficient to distinguish each identity from any other identities of the same entity.
教程:当安全服务基于标识时,用于定义标识的属性集需要两个属性:-该属性集应足以将每个实体与所有其他实体区分开来,即唯一地表示每个实体。-该集合应足以将每个标识与同一实体的任何其他标识区分开来。
The second property is needed if a system permits an entity to register two or more concurrent identities. Having two or more identities for the same entity implies that the entity has two separate justifications for registration. In that case, the set of attributes used for identities must be sufficient to represent multiple identities for a single entity.
如果系统允许实体注册两个或多个并发身份,则需要第二个属性。同一实体拥有两个或多个身份意味着该实体有两个单独的注册理由。在这种情况下,用于标识的属性集必须足以表示单个实体的多个标识。
Having two or more identities registered for the same entity is different from concurrently associating two different identifiers with the same identity, and also is different from a single identity concurrently accessing the system in two different roles. (See: principal, role-based access control.)
为同一实体注册两个或多个标识不同于将两个不同标识符与同一标识同时关联,也不同于以两个不同角色同时访问系统的单个标识。(请参阅:主体,基于角色的访问控制。)
When an identity of a user is being registered in a system, the system may require presentation of evidence that proves the identity's authenticity (i.e., that the user has the right to claim or use the identity) and its eligibility (i.e., that the identity is qualified to be registered and needs to be registered).
当用户的身份正在系统中注册时,系统可能要求出示证明该身份的真实性(即,用户有权要求或使用该身份)及其资格(即,该身份有资格注册且需要注册)的证据。
The following diagram illustrates how this term relates to some other terms in a PKI system: authentication information, identifier, identifier credential, registration, registered user, subscriber, and user.
下图说明了该术语与PKI系统中的其他一些术语的关系:身份验证信息、标识符、标识符凭证、注册、注册用户、订户和用户。
Relationships: === one-to-one, ==> one-to-many, <=> many-to-many.
+- - - - - - - - - - - - - - - - - - - - - - - - - - +
| PKI System |
+ - - - - + | +------------------+ +-------------------------+ |
| User, | | |Subscriber, i.e., | | Identity of Subscriber | |
|i.e., one| | | Registered User, | | is system-unique | |
| of the | | | is system-unique | | +---------------------+ | |
|following| | | +--------------+ | | | Subscriber | | |
| | | | | User's core | | | | Identity's | | |
| +-----+ |===| | Registration | |==>| | Registration data | | |
| |human| | | | | data, i.e., | | | |+-------------------+| | |
| |being| | | | | an entity's | | | || same core data || | |
| +-----+ | | | |distinguishing|========|for all Identities || | |
| or | | | | attribute | | | || of the same User || | |
| +-----+ | | | | values | | +===|+-------------------+| | |
| |auto-| | | | +--------------+ | | | +---------------------+ | |
| |mated| | | +------------------+ | +------------|------------+ |
| |pro- | | | | +=======+ | |
| |cess | | | +-------v----|----------------------|------------+ |
| +-----+ | | | +----------v---+ +------------v----------+ | |
| or | | | |Authentication|<===>|Identifier of Identity | | |
|+-------+| | | | Information | | is system-unique | | |
|| a set || | | +--------------+ +-----------------------+ | |
|| of || | | Identifier Credential that associates unit of | |
|| either|| | | Authentication Information with the Identifier | |
|+-------+| | +------------------------------------------------+ |
+ - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - -+
Relationships: === one-to-one, ==> one-to-many, <=> many-to-many.
+- - - - - - - - - - - - - - - - - - - - - - - - - - +
| PKI System |
+ - - - - + | +------------------+ +-------------------------+ |
| User, | | |Subscriber, i.e., | | Identity of Subscriber | |
|i.e., one| | | Registered User, | | is system-unique | |
| of the | | | is system-unique | | +---------------------+ | |
|following| | | +--------------+ | | | Subscriber | | |
| | | | | User's core | | | | Identity's | | |
| +-----+ |===| | Registration | |==>| | Registration data | | |
| |human| | | | | data, i.e., | | | |+-------------------+| | |
| |being| | | | | an entity's | | | || same core data || | |
| +-----+ | | | |distinguishing|========|for all Identities || | |
| or | | | | attribute | | | || of the same User || | |
| +-----+ | | | | values | | +===|+-------------------+| | |
| |auto-| | | | +--------------+ | | | +---------------------+ | |
| |mated| | | +------------------+ | +------------|------------+ |
| |pro- | | | | +=======+ | |
| |cess | | | +-------v----|----------------------|------------+ |
| +-----+ | | | +----------v---+ +------------v----------+ | |
| or | | | |Authentication|<===>|Identifier of Identity | | |
|+-------+| | | | Information | | is system-unique | | |
|| a set || | | +--------------+ +-----------------------+ | |
|| of || | | Identifier Credential that associates unit of | |
|| either|| | | Authentication Information with the Identifier | |
|+-------+| | +------------------------------------------------+ |
+ - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - -+
$ identity-based security policy (I) "A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed." [I7498-2] (See: rule-based security policy.)
$ 基于身份的安全策略(I)“基于用户、一组用户或代表用户和被访问资源/对象的实体的身份和/或属性的安全策略。”[I7498-2](请参阅:基于规则的安全策略。)
$ identity proofing (I) A process that vets and verifies the information that is used to establish the identity of a system entity. (See: registration.)
$ 身份验证(I)审查和验证用于确定系统实体身份的信息的过程。(见:注册。)
$ IDOC (I) An abbreviation used in this Glossary to refer to a document or other item of written material that is generated in the Internet Standards Process (RFC 2026), i.e., an RFC, an Internet-Draft, or some other item of discourse.
$ IDOC(I)本词汇表中使用的缩写词,指在互联网标准过程(RFC 2026)中生成的文件或其他书面材料,即RFC、互联网草案或其他一些论述项目。
Deprecated Usage: This abbreviation SHOULD NOT be used in an IDOC unless it is first defined in the IDOC because the abbreviation was invented for this Glossary and is not widely known.
不推荐使用:除非IDOC中首先定义了该缩写,否则不应在IDOC中使用该缩写,因为该缩写是为本词汇表而发明的,并不广为人知。
$ IDS (I) See: intrusion detection system.
$ IDS(一)见:入侵检测系统。
$ IEEE (N) See: Institute of Electrical and Electronics Engineers, Inc.
$ IEEE(N)见:电气和电子工程师协会。
$ IEEE 802.10 (N) An IEEE committee developing security standards for LANs. (See: SILS.)
$ IEEE 802.10(N)IEEE为局域网制定安全标准的委员会。(见:SILS)
$ IEEE P1363 (N) An IEEE working group, Standard for Public-Key Cryptography, engaged in developing a comprehensive reference standard for asymmetric cryptography. Covers discrete logarithm (e.g., DSA), elliptic curve, and integer factorization (e.g., RSA); and covers key agreement, digital signature, and encryption.
$ IEEE P1363(N)IEEE公开密钥加密标准工作组,致力于开发非对称加密的综合参考标准。包括离散对数(如DSA)、椭圆曲线和整数因式分解(如RSA);包括密钥协议、数字签名和加密。
$ IESG (I) See: Internet Engineering Steering Group.
$ IESG(I)见:互联网工程指导小组。
$ IETF (I) See: Internet Engineering Task Force.
$ IETF(I)见:互联网工程任务组。
$ IKE (I) See: IPsec Key Exchange.
$ IKE(I)参见:IPsec密钥交换。
$ IMAP4 (I) See: Internet Message Access Protocol, version 4.
$ IMAP4(I)见:互联网信息访问协议,第4版。
$ IMAP4 AUTHENTICATE (I) An IMAP4 command (better described as a transaction type, or subprotocol) by which an IMAP4 client optionally proposes a mechanism to an IMAP4 server to authenticate the client to the server and provide other security services. (See: POP3.)
$ IMAP4 AUTHENTICATE(I)IMAP4命令(更好地描述为事务类型或子程序),通过该命令,IMAP4客户端可选地向IMAP4服务器提出一种机制,以向服务器验证客户端并提供其他安全服务。(见:POP3。)
Tutorial: If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms that are used by IMAP4 AUTHENTICATE -- including Kerberos, GSS-API, and S/Key -- are described in [R1731].
教程:如果服务器接受该建议,则该命令后面将执行质询-响应身份验证协议,并(可选)协商后续POP3交互的保护机制。IMAP4身份验证使用的安全机制(包括Kerberos、GSS-API和S/Key)在[R1731]中进行了描述。
$ impossible (O) Cannot be done in any reasonable amount of time. (See: break, brute force, strength, work factor.)
$ 不可能(O)不能在任何合理的时间内完成。(参见:断裂、强力、强度、功系数。)
$ in the clear (I) Not encrypted. (See: clear text.)
$ 在clear(I)中,未加密。(请参阅:明文。)
$ Ina Jo (O) A methodology, language, and integrated set of software tools developed at the System Development Corporation for specifying, coding, and verifying software to produce correct and reliable programs. Usage: a.k.a. the Formal Development Methodology. [Cheh]
$ Ina Jo(O):由系统开发公司开发的一套方法、语言和集成的软件工具,用于指定、编码和验证软件,以生成正确可靠的程序。用法:又称正式开发方法。[车]
$ incapacitation (I) A type of threat action that prevents or interrupts system operation by disabling a system component. (See: disruption.)
$ 失效(I)一种通过禁用系统组件来阻止或中断系统运行的威胁行为。(见:中断。)
Usage: This type of threat action includes the following subtypes: - "Malicious logic": In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally introduced into a system to destroy system functions or resources. (See: corruption, main entry for "malicious logic", masquerade, misuse.) - "Physical destruction": Deliberate destruction of a system component to interrupt or prevent system operation. - "Human error": /incapacitation/ Action or inaction that unintentionally disables a system component. (See: corruption, exposure.) - "Hardware or software error": /incapacitation/ Error that unintentionally causes failure of a system component and leads to disruption of system operation. (See: corruption, exposure.) - "Natural disaster": /incapacitation/ Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component. [FP031 Section 2]
用法:这种类型的威胁行为包括以下子类型:-“恶意逻辑”:在丧失能力的情况下,故意引入系统以破坏系统功能或资源的任何硬件、固件或软件(如逻辑炸弹)。(请参阅:损坏、“恶意逻辑”、伪装、误用的主要条目。)-“物理破坏”:故意破坏系统组件以中断或阻止系统运行。-“人为错误”:/无能力/无意中禁用系统组件的操作或不操作。(请参阅:损坏、暴露)-“硬件或软件错误”:/失效/无意中导致系统组件故障并导致系统操作中断的错误。(参见:腐败、暴露)-“自然灾害”:/丧失能力/任何导致系统组件失效的“天灾”(如火灾、洪水、地震、闪电或风)。[FP031第2节]
$ incident See: security incident.
$ 事件见:安全事件。
$ INCITS (N) See: "International Committee for Information Technology Standardization" under "ANSI".
$ INCITS(N)见“ANSI”下的“国际信息技术标准化委员会”。
$ indicator (N) An action -- either specific, generalized, or theoretical -- that an adversary might be expected to take in preparation for an attack. [C4009] (See: "attack sensing, warning, and response". Compare: message indicator.)
$ 指标(N)一种行动——具体的、概括的或理论上的——对手为准备攻击而可能采取的行动。[C4009](请参阅:“攻击感知、警告和响应”。比较:消息指示器。)
$ indirect attack (I) See: secondary definition under "attack". Compare: direct attack.
$ 间接攻击(I)见“攻击”下的第二定义。比较:直接攻击。
$ indirect certificate revocation list (ICRL) (N) In X.509, a CRL that may contain certificate revocation notifications for certificates issued by CAs other than the issuer (i.e., signer) of the ICRL.
$ 间接证书撤销列表(ICRL)(N)X.509中的一种CRL,其中可能包含由CA(而非ICRL的颁发者(即签名者))颁发的证书的证书撤销通知。
$ indistinguishability (I) An attribute of an encryption algorithm that is a formalization of the notion that the encryption of some string is indistinguishable from the encryption of an equal-length string of nonsense. (Compare: semantic security.)
$ 不可区分性(I)加密算法的一个属性,它是某种字符串加密与等长无意义字符串加密不可区分这一概念的形式化。(比较:语义安全性。)
$ inference 1. (I) A type of threat action that reasons from characteristics or byproducts of communication and thereby indirectly accesses sensitive data, but not necessarily the data contained in the communication. (See: traffic analysis, signal analysis.)
$ 推论1。(一) 一种威胁行为,由通信的特征或副产品引起,从而间接访问敏感数据,但不一定访问通信中包含的数据。(参见:交通分析、信号分析。)
2. (I) A type of threat action that indirectly gains unauthorized access to sensitive information in a database management system by correlating query responses with information that is already known.
2. (一) 一种威胁行为,通过将查询响应与已知信息关联起来,间接获得对数据库管理系统中敏感信息的未经授权访问。
$ inference control (I) Protection of data confidentiality against inference attack. (See: traffic-flow confidentiality.)
$ 推理控制(I)针对推理攻击保护数据机密性。(请参阅:交通流保密。)
Tutorial: A database management system containing N records about individuals may be required to provide statistical summaries about subsets of the population, while not revealing sensitive information about a single individual. An attacker may try to obtain sensitive information about an individual by isolating a desired record at the intersection of a set of overlapping queries. A system can attempt to prevent this by restricting the size and overlap of query sets, distorting responses by rounding or otherwise perturbing database values, and limiting queries to random samples. However, these techniques may be impractical to implement or use, and no technique is totally effective. For example, restricting the minimum size of a query set -- that is,
教程:可能需要一个包含N条个人记录的数据库管理系统,以提供关于人口子集的统计摘要,同时不披露关于单个个人的敏感信息。攻击者可能试图通过在一组重叠查询的交叉点隔离所需记录来获取有关个人的敏感信息。系统可以通过限制查询集的大小和重叠,通过舍入或以其他方式干扰数据库值来扭曲响应,以及将查询限制为随机样本来尝试防止这种情况。然而,这些技术可能无法实现或使用,并且没有一种技术是完全有效的。例如,限制查询集的最小大小--即,
not responding to queries for which there are fewer than K or more than N-K records that satisfy the query -- usually cannot prevent unauthorized disclosure. An attacker can pad small query sets with extra records, and then remove the effect of the extra records. The formula for identifying the extra records is called the "tracker". [Denns]
不响应满足查询的记录少于K条或多于N-K条的查询通常无法防止未经授权的泄露。攻击者可以用额外记录填充小查询集,然后删除额外记录的影响。识别额外记录的公式称为“跟踪器”。[丹尼斯]
$ INFOCON (O) See: information operations condition
$ 信息大会(O)见:信息操作条件
$ informal (N) Expressed in natural language. [CCIB] (Compare: formal, semiformal.)
$ 非正式的(N)用自然语言表达。[CCIB](比较:正式、半正式。)
$ information 1. (I) Facts and ideas, which can be represented (encoded) as various forms of data.
$ 信息1。(一) 事实和想法,可以表示(编码)为各种形式的数据。
2. (I) Knowledge -- e.g., data, instructions -- in any medium or form that can be communicated between system entities.
2. (一) 系统实体之间可以交流的任何媒介或形式的知识,例如数据、指令。
Tutorial: Internet security could be defined simply as protecting information in the Internet. However, the perceived need to use different protective measures for different types of information (e.g., authentication information, classified information, collateral information, national security information, personal information, protocol control information, sensitive compartmented information, sensitive information) has led to the diversity of terminology listed in this Glossary.
教程:Internet安全可以简单地定义为保护Internet中的信息。然而,对于不同类型的信息(例如,认证信息、机密信息、辅助信息、国家安全信息、个人信息、协议控制信息、敏感分隔信息、敏感信息)使用不同保护措施的感知需求这导致了本词汇表中所列术语的多样性。
$ information assurance (N) /U.S. Government/ "Measures that protect and defend information and information systems by ensuring their availability integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." [C4009]
$ 信息保证(N)/美国政府/“通过确保信息和信息系统的可用性、完整性、身份验证、机密性和不可否认性来保护和保护信息和信息系统的措施。这些措施包括通过整合保护、检测和反应能力来恢复信息系统。”[C4009]
$ Information Assurance Technical Framework (IATF) (O) A publicly available document [IATF], developed through a collaborative effort by organizations in the U.S. Government and industry, and issued by NSA. Intended for security managers and system security engineers as a tutorial and reference document about security problems in information systems and networks, to improve awareness of tradeoffs among available technology solutions and of desired characteristics of security approaches for particular problems. (See: ISO 17799, [SP14].)
$ 信息保障技术框架(IATF)(O):一份公开的文件[IATF],由美国政府和行业组织合作开发,由NSA发布。面向安全管理人员和系统安全工程师,作为信息系统和网络安全问题的教程和参考文件,以提高对可用技术解决方案之间的权衡以及对特定问题的安全方法所需特性的认识。(见:ISO 17799[SP14]。)
$ information domain (O) See: secondary definition under "domain".
$ 信息领域(O)见“领域”下的二级定义。
$ information domain security policy (O) See: secondary definition under "domain".
$ 信息域安全策略(O)请参阅“域”下的二级定义。
$ information flow policy (N) /formal model/ A triple consisting of a set of security levels (or their equivalent security labels), a binary operator that maps each pair of security levels into a security level, and a binary relation on the set that selects a set of pairs of levels such that information is permitted to flow from an object of the first level to an object of the second level. (See: flow control, lattice model.)
$ 信息流策略(N)/正式模型/由一组安全级别(或其等效安全标签)组成的三元组,一个将每对安全级别映射到一个安全级别的二进制运算符,以及所述集合上的二元关系,所述二元关系选择一组成对的层级,从而允许信息从第一层级的对象流向第二层级的对象。(请参见:流控制,晶格模型。)
$ information operations condition (INFOCON) (O) /U.S. DoD/ A comprehensive defense posture and response based on the status of information systems, military operations, and intelligence assessments of adversary capabilities and intent. (See: threat)
$ 信息作战条件(INFOCON)(O)/美国国防部/基于信息系统状态、军事行动和敌方能力和意图的情报评估的综合防御态势和反应。(见:威胁)
Derivation: From DEFCON, i.e., defense condition.
推导:来自DEFCON,即防御条件。
Tutorial: The U.S. DoD defines five INFOCON levels: NORMAL (normal activity), ALPHA (increased risk of attack), BRAVO (specific risk of attack), CHARLIE (limited attack), and DELTA (general attack).
教程:美国国防部定义了五个信息控制级别:正常(正常活动)、ALPHA(增加攻击风险)、BRAVO(特定攻击风险)、CHARLIE(有限攻击)和DELTA(一般攻击)。
$ information security (INFOSEC) (N) Measures that implement and assure security services in information systems, including in computer systems (see: COMPUSEC) and in communication systems (see: COMSEC).
$ 信息安全(INFOSEC)(N)在信息系统中实施和确保安全服务的措施,包括在计算机系统(见:COMPUSEC)和通信系统(见:COMSEC)中。
$ information system (I) An organized assembly of computing and communication resources and procedures -- i.e., equipment and services, together with their supporting infrastructure, facilities, and personnel -- that create, collect, record, process, store, transport, retrieve, display, disseminate, control, or dispose of information to accomplish a specified set of functions. (See: system entity, system resource. Compare: computer platform.)
$ 信息系统(I)计算和通信资源和程序的有组织的集合,即设备和服务及其支持基础设施、设施和人员,用于创建、收集、记录、处理、存储、运输、检索、显示、传播、控制、,或处理信息以完成指定的一组功能。(请参阅:系统实体、系统资源。比较:计算机平台。)
$ Information Technology Security Evaluation Criteria (ITSEC) (N) A Standard [ITSEC] jointly developed by France, Germany, the Netherlands, and the United Kingdom for use in the European Union; accommodates a wider range of security assurance and functionality combinations than the TCSEC. Superseded by the Common Criteria.
$ 信息技术安全评估标准(ITSEC)(N)由法国、德国、荷兰和英国联合制定的供欧盟使用的标准[ITSEC];与TCSEC相比,它提供了更广泛的安全保证和功能组合。被共同标准取代。
$ INFOSEC (I) See: information security.
$ 信息安全(一)见:信息安全。
$ ingress filtering (I) A method [R2827] for countering attacks that use packets with false IP source addresses, by blocking such packets at the boundary between connected networks.
$ 入口过滤(I)一种方法[R2827],用于通过在连接的网络之间的边界处阻止使用具有虚假IP源地址的数据包的攻击。
Tutorial: Suppose network A of an internet service provider (ISP) includes a filtering router that is connected to customer network B, and an attacker in B at IP source address "foo" attempts to send packets with false source address "bar" into A. The false address may be either fixed or randomly changing, and it may either be unreachable or be a forged address that legitimately exists within either B or some other network C. In ingress filtering, the ISP's router blocks all inbound packet that arrive from B with a source address that is not within the range of legitimately advertised addresses for B. This method does not prevent all attacks that can originate from B, but the actual source of such attacks can be more easily traced because the originating network is known.
教程:假设internet服务提供商(ISP)的网络A包含一个连接到客户网络B的过滤路由器,B中IP源地址为“foo”的攻击者试图将假源地址为“bar”的数据包发送到A。假地址可能是固定的,也可能是随机变化的,它可能是不可访问的,或者是合法存在于B或其他网络C中的伪造地址。在入口过滤中,ISP的路由器阻止从B到达的所有入站数据包,这些数据包的源地址不在合法公布的B地址范围内。这种方法不能阻止所有可能源于B的攻击,但由于源网络已知,因此可以更容易地追踪此类攻击的实际源。
$ initialization value (IV) (I) /cryptography/ An input parameter that sets the starting state of a cryptographic algorithm or mode. (Compare: activation data.)
$ 初始化值(IV)(I)/加密/设置加密算法或模式的启动状态的输入参数。(比较:激活数据。)
Tutorial: An IV can be used to synchronize one cryptographic process with another; e.g., CBC, CFB, and OFB use IVs. An IV also can be used to introduce cryptographic variance (see: salt) besides that provided by a key.
教程:IV可用于同步一个加密进程与另一个加密进程;e、 g、CBC、CFB和OFB使用IVs。除了密钥提供的密码差异外,IV还可以用于引入密码差异(参见:salt)。
$ initialization vector (D) /cryptography/ Synonym for "initialization value".
$ 初始化向量(D)/密码学/同义词“初始化值”。
Deprecated Term: To avoid international misunderstanding, IDOCs SHOULD NOT use this term in the context of cryptography because most dictionary definitions of "vector" includes a concept of direction or magnitude, which are irrelevant to cryptographic use.
不推荐使用的术语:为避免国际误解,IDOC不应在加密上下文中使用此术语,因为大多数字典中对“向量”的定义都包含方向或大小的概念,这与加密使用无关。
$ insertion 1. (I) /packet/ See: secondary definition under "stream integrity service".
$ 插入1。(一) /packet/请参阅“流完整性服务”下的二级定义。
2. (I) /threat action/ See: secondary definition under "falsification".
2. (一) /威胁行动/见“伪造”下的二级定义。
$ inside attack (I) See: secondary definition under "attack". Compare: insider.
$ 内部攻击(I)见“攻击”下的二级定义。比较:内幕人士。
$ insider 1. (I) A user (usually a person) that accesses a system from a position that is inside the system's security perimeter. (Compare: authorized user, outsider, unauthorized user.)
$ 内幕人士1。(一) 从系统安全边界内的位置访问系统的用户(通常是个人)。(比较:授权用户、外部用户、未授权用户。)
Tutorial: An insider has been assigned a role that has more privileges to access system resources than do some other types of users, or can access those resources without being constrained by some access controls that are applied to outside users. For example, a salesclerk is an insider who has access to the cash register, but a store customer is an outsider.
教程:已为内部人员分配了一个角色,该角色具有比其他类型用户更多的访问系统资源的权限,或者可以访问这些资源,而不受应用于外部用户的某些访问控制的约束。例如,售货员是可以使用收银机的内部人员,而商店客户是外部人员。
The actions performed by an insider in accessing the system may be either authorized or unauthorized; i.e., an insider may act either as an authorized user or as an unauthorized user.
内幕人士在访问系统时所采取的行动可能是授权的,也可能是未经授权的;i、 例如,内幕人士可以作为授权用户或未授权用户。
2. (O) A person with authorized physical access to the system. Example: In this sense, an office janitor is an insider, but a burglar or casual visitor is not. [NRC98]
2. (O) 有权实际访问系统的人员。从这个意义上讲,办公室清洁工是内幕人士,而窃贼或临时访客则不是。[NRC98]
3. (O) A person with an organizational status that causes the system or members of the organization to view access requests as being authorized. Example: In this sense, a purchasing agent is an insider but a vendor is not. [NRC98]
3. (O) 具有组织状态的人员,使系统或组织成员将访问请求视为已授权。从这个意义上讲,采购代理是内部人,而供应商不是。[NRC98]
$ inspectable space (O) /EMSEC/ "Three-dimensional space surrounding equipment that process classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists." [C4009] (Compare: control zone, TEMPEST zone.)
$ 可检查空间(O)/EMSEC/“处理机密和/或敏感信息的设备周围的三维空间,在这些信息中,TEMPEST利用被认为是不可行的,或者存在识别和/或消除潜在TEMPEST利用的法律授权。”[C4009](比较:控制区、TEMPEST区。)
$ Institute of Electrical and Electronics Engineers, Inc. (IEEE) (N) The IEEE is a not-for-profit association of approximately 300,000 individual members in 150 countries. The IEEE produces nearly one third of the world's published literature in electrical engineering, computers, and control technology; holds hundreds of major, annual conferences; and maintains more than 800 active standards, with many more under development. (See: SILS.)
$ 电气和电子工程师协会(IEEE)(N)IEEE是一个非营利协会,在150个国家拥有约300000名个人会员。IEEE出版的电气工程、计算机和控制技术文献占世界出版文献的近三分之一;举办数百场大型年会;并保持800多个现行标准,还有更多标准正在开发中。(见:SILS)
$ integrity See: data integrity, datagram integrity service, correctness integrity, source integrity, stream integrity service, system integrity.
$ 完整性请参阅:数据完整性、数据报完整性服务、正确性完整性、源完整性、流完整性服务、系统完整性。
$ integrity check (D) A computation that is part of a mechanism to provide data integrity service or data origin authentication service. (Compare: checksum.)
$ 完整性检查(D)作为提供数据完整性服务或数据源身份验证服务的机制的一部分的计算。(比较:校验和。)
Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "cryptographic hash" or "protected checksum". This term unnecessarily duplicates the meaning of other, well-established terms; this term only mentions integrity, even though the intended service may be data origin authentication; and not every checksum is cryptographically protected.
不推荐使用的术语:IDOCs不应将此术语用作“加密哈希”或“受保护校验和”的同义词。该术语不必要地重复了其他公认术语的含义;该术语仅提及完整性,即使预期服务可能是数据源身份验证;并不是每个校验和都受到加密保护。
$ integrity label (I) A security label that tells the degree of confidence that may be placed in the data, and may also tell what countermeasures are required to be applied to protect the data from alteration and destruction. (See: integrity. Compare: classification label.)
$ 完整性标签(I)一种安全标签,说明数据中可能存在的置信度,还可以说明需要采取哪些措施来保护数据不受更改和破坏。(请参阅:完整性。比较:分类标签。)
$ intelligent threat (I) A circumstance in which an adversary has the technical and operational ability to detect and exploit a vulnerability and also has the demonstrated, presumed, or inferred intent to do so. (See: threat.)
$ 智能威胁(I)对手具有检测和利用漏洞的技术和操作能力,并且具有已证明、假定或推断的意图的情况。(见:威胁。)
$ interception (I) A type of threat action whereby an unauthorized entity directly accesses sensitive data while the data is traveling between authorized sources and destinations. (See: unauthorized disclosure.)
$ 拦截(I)一种威胁行为,未经授权的实体在数据在授权源和目标之间传输时直接访问敏感数据。(请参阅:未经授权的披露。)
Usage: This type of threat action includes the following subtypes: - "Theft": Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data. - "Wiretapping (passive)": Monitoring and recording data that is flowing between two points in a communication system. (See: wiretapping.) - "Emanations analysis": Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but was not intended to communicate the data. (See: emanation.)
用法:这种类型的威胁行为包括以下子类型:-“盗窃”:通过窃取存储数据的物理介质(如磁带或磁盘)来访问敏感数据。-“窃听(被动)”:监控和记录通信系统中两点之间的数据流。(见:窃听)-“辐射分析”:通过监测和解析系统发出的信号,获取有关传输数据的直接信息,该信号包含数据,但并非用于传输数据。(见:放射。)
$ interference (I) /threat action/ See: secondary definition under "obstruction".
$ 干扰(I)/威胁行动/见“障碍”下的二级定义。
$ intermediate CA (D) The CA that issues a cross-certificate to another CA. [X509] (See: cross-certification.)
$ 中间CA(D)向另一CA颁发交叉证书的CA。[X509](请参阅:交叉证书。)
Deprecated Term: IDOCs SHOULD NOT use this term because it is not widely known and mixes concepts in a potentially misleading way. For example, suppose that end entity 1 ("EE1) is in one PKI ("PKI1"), end entity 2 ("EE2) is in another PKI ("PKI2"), and the root in PKI1 ("CA1") cross-certifies the root CA in PKI2 ("CA2"). Then, if EE1 constructs the certification path CA1-to-CA2-to-EE2 to validate a certificate of EE2, conventional English usage would describe CA2 as being in the "intermediate" position in that path, not CA1.
不推荐使用的术语:IDOCs不应该使用这个术语,因为它并不广为人知,并且以潜在误导的方式混合了概念。例如,假设终端实体1(“EE1”)在一个PKI(“PKI1”)中,终端实体2(“EE2”)在另一个PKI(“PKI2”)中,并且PKI1(“CA1”)中的根交叉认证PKI2(“CA2”)中的根CA。然后,如果EE1构建了认证路径CA1-to-CA2-to-EE2来验证EE2的证书,传统的英语用法会将CA2描述为在该路径中处于“中间”位置,而不是CA1。
$ internal controls (I) /COMPUSEC/ Functions, features, and technical characteristics of computer hardware and software, especially of operating systems. Includes mechanisms to regulate the operation of a computer system with regard to access control, flow control, and inference control. (Compare: external controls.)
$ 内部控制(I)/COMPUSEC/计算机硬件和软件的功能、特征和技术特征,尤其是操作系统。包括在访问控制、流控制和推理控制方面调节计算机系统操作的机制。(比较:外部控件。)
$ International Data Encryption Algorithm (IDEA) (N) A patented, symmetric block cipher that uses a 128-bit key and operates on 64-bit blocks. [Schn] (See: symmetric cryptography.)
$ 国际数据加密算法(IDEA)(N):一种获得专利的对称分组密码,使用128位密钥,在64位块上运行。[Schn](请参阅:对称加密。)
$ International Standard (N) See: secondary definition under "ISO".
$ 国际标准(N)见“ISO”下的二级定义。
$ International Traffic in Arms Regulations (ITAR) (O) Rules issued by the U.S. State Department, by authority of the Arms Export Control Act (22 U.S.C. 2778), to control export and import of defense articles and defense services, including information security systems, such as cryptographic systems, and TEMPEST suppression technology. (See: type 1 product, Wassenaar Arrangement.)
$ 美国国务院根据《武器出口管制法》(22 U.S.C.2778)的授权发布的《国际武器贸易条例》(ITAR)(O)规则,用于控制国防用品和国防服务的进出口,包括信息安全系统,如密码系统和风暴抑制技术。(见:1类产品,瓦森纳安排)
$ internet, Internet 1. (I) /not capitalized/ Abbreviation of "internetwork".
$ 互联网,互联网1。(一) /未大写/是“internetwork”的缩写。
2. (I) /capitalized/ The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB (RFC 2026) and (b) the name and address spaces managed by the ICANN. (See: Internet Layer, Internet Protocol Suite.)
2. (一) /capitalized/互联网是由商业、政府、教育和其他计算机网络组成的单一、互联的全球系统,共享(a)IAB(RFC 2026)指定的协议套件和(b)ICANN管理的名称和地址空间。(请参阅:Internet层,Internet协议套件。)
Usage: Use with definite article ("the") when using as a noun. For example, say "My LAN is small, but the Internet is large." Don't say "My LAN is small, but Internet is large."
用法:用作名词时与定冠词(“the”)连用。例如,说“我的局域网很小,但互联网很大。”不要说“我的局域网很小,但互联网很大。”
$ Internet Architecture Board (IAB) (I) A technical advisory group of the ISOC, chartered by the ISOC Trustees to provide oversight of Internet architecture and protocols and, in the context of Internet Standards, a body to which decisions of the IESG may be appealed. Responsible for approving appointments to the IESG from among nominees submitted by the IETF nominating committee. (RFC 2026)
$ 互联网体系结构委员会(IAB)(I)互联网体系结构委员会的一个技术咨询小组,由互联网体系结构委员会受托人特许,负责监督互联网体系结构和协议,并在互联网标准的背景下,对互联网体系结构和协议进行监督。互联网体系结构委员会是一个可以对IESG的决定提出上诉的机构。负责从IETF提名委员会提交的提名人中批准IESG的任命。(RFC 2026)
$ Internet Assigned Numbers Authority (IANA) (I) From the early days of the Internet, the IANA was chartered by the ISOC and the U.S. Government's Federal Network Council to be the central coordination, allocation, and registration body for parameters for Internet protocols. Superseded by ICANN.
$ 互联网分配号码管理局(IANA)(I)从互联网诞生之初,IANA就被ISOC和美国政府联邦网络委员会特许成为互联网协议参数的中央协调、分配和注册机构。被ICANN取代。
$ Internet Control Message Protocol (ICMP) (I) An Internet Standard protocol (RFC 792) that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.
$ Internet控制消息协议(ICMP)(I)一种Internet标准协议(RFC 792),用于报告IP数据报处理期间的错误情况,并交换有关IP网络状态的其他信息。
$ Internet Corporation for Assigned Names and Numbers (ICANN) (I) The non-profit, private corporation that has assumed responsibility for the IP address space allocation, protocol parameter assignment, DNS management, and root server system management functions formerly performed under U.S. Government contract by IANA and other entities.
$ 互联网名称和号码分配公司(ICANN)(I)负责IP地址空间分配、协议参数分配、DNS管理和根服务器系统管理功能的非营利私人公司,以前由IANA和其他实体根据美国政府合同执行。
Tutorial: The IPS, as defined by the IETF and the IESG, contains numerous parameters, such as Internet addresses, domain names, autonomous system numbers, protocol numbers, port numbers, management information base OIDs, including private enterprise numbers, and many others. The Internet community requires that the values used in these parameter fields be assigned uniquely. ICANN makes those assignments as requested and maintains a registry of the current values.
教程:IETF和IESG定义的IPS包含许多参数,如互联网地址、域名、自治系统号、协议号、端口号、管理信息库OID(包括私有企业号)和许多其他参数。Internet社区要求对这些参数字段中使用的值进行唯一分配。ICANN根据要求进行这些分配,并维护当前值的注册表。
ICANN was formed in October 1998, by a coalition of the Internet's business, technical, and academic communities. The U.S. Government designated ICANN to serve as the global consensus entity with responsibility for coordinating four key functions for the Internet: allocation of IP address space, assignment of protocol parameters, management of the DNS, and management of the DNS root server system.
ICANN成立于1998年10月,由互联网的商业、技术和学术团体组成。美国政府指定ICANN作为全球共识实体,负责协调互联网的四项关键功能:IP地址空间分配、协议参数分配、DNS管理和DNS根服务器系统管理。
$ Internet-Draft (I) A working document of the IETF, its areas, and its working groups. (RFC 2026) (Compare: RFC.)
$ 互联网草案(I)IETF及其领域和工作组的工作文件。(RFC 2026)(比较:RFC.)
Usage: The term is customarily hyphenated when used either as a adjective or a noun, even though the latter is not standard English punctuation.
用法:当用作形容词或名词时,该术语通常使用连字符,即使后者不是标准的英语标点符号。
Tutorial: An Internet-Draft is not an archival document like an RFC is. Instead, an Internet-Draft is a preliminary or working document that is valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use an Internet-Draft as reference material or to cite it other than as a "work in progress". Although most of the Internet-Drafts are produced by the IETF, any interested organization may request to have its working documents published as Internet-Drafts.
教程:互联网草稿不像RFC那样是存档文档。相反,互联网草案是一份最长有效期为六个月的初步文件或工作文件,可随时由其他文件更新、替换或作废。使用互联网草案作为参考材料或引用它而不是作为“正在进行的工作”是不合适的。尽管大多数互联网草稿由IETF制作,但任何感兴趣的组织都可以要求将其工作文件作为互联网草稿发布。
$ Internet Engineering Steering Group (IESG) (I) The part of the ISOC responsible for technical management of IETF activities and administration of the Internet Standards Process according to procedures approved by the ISOC Trustees. Directly responsible for actions along the "standards track", including final approval of specifications as Internet Standards. Composed of IETF Area Directors and the IETF chairperson, who also chairs the IESG. (RFC 2026)
$ 互联网工程指导小组(IESG)(I)ISOC的一部分,负责IETF活动的技术管理,并根据ISOC受托人批准的程序管理互联网标准过程。直接负责“标准轨道”上的行动,包括最终批准作为互联网标准的规范。由IETF区域总监和IETF主席组成,IETF主席也担任IESG主席。(RFC 2026)
$ Internet Engineering Task Force (IETF) (I) A self-organized group of people who make contributions to the development of Internet technology. The principal body engaged in developing Internet Standards, although not itself a part of the ISOC. Composed of Working Groups, which are arranged into Areas (such as the Security Area), each coordinated by one or more Area Directors. Nominations to the IAB and the IESG are made by a committee selected at random from regular IETF meeting attendees who have volunteered. (RFCs 2026, 3935) [R2323]
$ 互联网工程任务组(IETF)(I)为互联网技术的发展做出贡献的自组织团队。参与制定互联网标准的主体机构,尽管其本身不是ISOC的一部分。由工作组组成,工作组分为多个区域(如安全区域),每个区域由一名或多名区域主管协调。IAB和IESG的提名由一个委员会进行,该委员会从自愿参加IETF定期会议的与会者中随机选出。(RFCs 20263935)[R2323]
$ Internet Key Exchange (IKE) (I) An Internet, IPsec, key-establishment protocol [R4306] for putting in place authenticated keying material (a) for use with ISAKMP and (b) for other security associations, such as in AH and ESP.
$ 互联网密钥交换(IKE)(I)互联网、IPsec、密钥建立协议[R4306],用于放置经过身份验证的密钥材料(a)用于ISAKMP,以及(b)用于其他安全关联,如AH和ESP。
Tutorial: IKE is based on three earlier protocol designs: ISAKMP, OAKLEY, and SKEME.
教程:IKE基于三种早期的协议设计:ISAKMP、OAKLEY和SKEME。
$ Internet Layer (I) See: Internet Protocol Suite.
$ 互联网层(I)见:互联网协议套件。
$ Internet Message Access Protocol, version 4 (IMAP4) (I) An Internet protocol (RFC 2060) by which a client workstation can dynamically access a mailbox on a server host to manipulate
$ Internet消息访问协议,版本4(IMAP4)(I)一种Internet协议(RFC 2060),通过该协议,客户端工作站可以动态访问服务器主机上的邮箱以进行操作
and retrieve mail messages that the server has received and is holding for the client. (See: POP3.)
和检索服务器已接收并为客户端保留的邮件消息。(见:POP3。)
Tutorial: IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: IMAP4 AUTHENTICATE.)
教程:IMAP4提供了一些机制,可以选择向服务器验证客户端,并提供其他安全服务。(请参阅:IMAP4验证。)
$ Internet Open Trading Protocol (IOTP) (I) An Internet protocol [R2801] proposed as a general framework for Internet commerce, able to encapsulate transactions of various proprietary payment systems (e.g., GeldKarte, Mondex, SET, Visa Cash). Provides optional security services by incorporating various Internet security mechanisms (e.g., MD5) and protocols (e.g., TLS).
$ 互联网开放交易协议(IOTP)(I)互联网协议[R2801]被提议作为互联网商务的通用框架,能够封装各种专有支付系统(如Geldkart、Mondex、SET、Visa Cash)的交易。通过整合各种互联网安全机制(如MD5)和协议(如TLS),提供可选的安全服务。
$ Internet Policy Registration Authority (IPRA) (I) An X.509-compliant CA that is the top CA of the Internet certification hierarchy operated under the auspices of the ISOC [R1422]. (See: /PEM/ under "certification hierarchy".)
$ 互联网政策注册机构(IPRA)(I)一个符合X.509标准的CA,它是在ISOC[R1422]主持下运行的互联网认证体系的顶级CA。(请参阅“认证层次结构”下的:/PEM/。)
$ Internet Private Line Interface (IPLI) (O) A successor to the PLI, updated to use TCP/IP and newer military-grade COMSEC equipment (TSEC/KG-84). The IPLI was a portable, modular system that was developed for use in tactical, packet-radio networks. (See: end-to-end encryption.)
$ 互联网专用线路接口(IPLI)(O)是PLI的继任者,更新为使用TCP/IP和更新的军用级通信安全设备(TSEC/KG-84)。IPLI是一种便携式模块化系统,开发用于战术分组无线电网络。(请参阅:端到端加密。)
$ Internet Protocol (IP) (I) An Internet Standard, Internet-Layer protocol that moves datagrams (discrete sets of bits) from one computer to another across an internetwork but does not provide reliable delivery, flow control, sequencing, or other end-to-end services that TCP provides. IP version 4 (IPv4) is specified in RFC 791, and IP version 6 (IPv6) is specified in RFC 2460. (See: IP address, TCP/IP.)
$ 互联网协议(IP)(I)一种互联网标准、互联网层协议,通过互联网将数据报(离散的比特集)从一台计算机移动到另一台计算机,但不提供可靠的传输、流量控制、排序或TCP提供的其他端到端服务。RFC 791中指定了IP版本4(IPv4),RFC 2460中指定了IP版本6(IPv6)。(请参阅:IP地址,TCP/IP。)
Tutorial: If IP were used in an OSIRM stack, IP would be placed at the top of Layer 3, above other Layer 3 protocols in the stack.
教程:如果在OSIRM堆栈中使用IP,IP将位于第3层的顶部,位于堆栈中其他第3层协议的上方。
In any IPS stack, IP is always present in the Internet Layer and is always placed at the top of that layer, on top of any other protocols that are used in that layer. In some sense, IP is the only protocol specified for the IPS Internet Layer; other protocols used there, such as AH and ESP, are just IP variations.
在任何IP协议栈中,IP始终存在于Internet层中,并且始终位于该层的顶部,位于该层中使用的任何其他协议的顶部。在某种意义上,IP是为IPS Internet层指定的唯一协议;那里使用的其他协议,如AH和ESP,只是IP的变体。
$ Internet Protocol security See: IP Security Protocol.
$ Internet协议安全请参阅:IP安全协议。
$ Internet Protocol Security Option (IPSO) (I) Refers to one of three types of IP security options, which are fields that may be added to an IP datagram for carrying security information about the datagram. (Compare: IPsec.)
$ 互联网协议安全选项(IPSO)(I)是指三种类型的IP安全选项之一,它们是可添加到IP数据报的字段,用于承载关于数据报的安全信息。(比较:IPsec。)
Deprecated Usage: IDOCs SHOULD NOT use this term without a
modifier to indicate which of the following three types is meant:
- "DoD Basic Security Option" (IP option type 130): Defined for
use on U.S. DoD common-use data networks. Identifies the DoD
classification level at which the datagram is to be protected
and the protection authorities whose rules apply to the
datagram. (A "protection authority" is a National Access
Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of
Energy) or Special Access Program that specifies protection
rules for transmission and processing of the information
contained in the datagram.) [R1108]
- "DoD Extended Security Option" (IP option type 133): Permits
additional security labeling information, beyond that present
in the Basic Security Option, to be supplied in the datagram to
meet the needs of registered authorities. [R1108]
- "Common IP Security Option" (CIPSO) (IP option type 134):
Designed by TSIG to carry hierarchic and non-hierarchic
security labels. (Formerly called "Commercial IP Security
Option"; a version 2.3 draft was published 9 March 1993 as an
Internet-Draft but did not advance to RFC form.) [CIPSO]
Deprecated Usage: IDOCs SHOULD NOT use this term without a
modifier to indicate which of the following three types is meant:
- "DoD Basic Security Option" (IP option type 130): Defined for
use on U.S. DoD common-use data networks. Identifies the DoD
classification level at which the datagram is to be protected
and the protection authorities whose rules apply to the
datagram. (A "protection authority" is a National Access
Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of
Energy) or Special Access Program that specifies protection
rules for transmission and processing of the information
contained in the datagram.) [R1108]
- "DoD Extended Security Option" (IP option type 133): Permits
additional security labeling information, beyond that present
in the Basic Security Option, to be supplied in the datagram to
meet the needs of registered authorities. [R1108]
- "Common IP Security Option" (CIPSO) (IP option type 134):
Designed by TSIG to carry hierarchic and non-hierarchic
security labels. (Formerly called "Commercial IP Security
Option"; a version 2.3 draft was published 9 March 1993 as an
Internet-Draft but did not advance to RFC form.) [CIPSO]
$ Internet Protocol Suite (IPS) (I) The set of network communication protocols that are specified by the IETF, and approved as Internet Standards by the IESG, within the oversight of the IAB. (See: OSIRM Security Architecture. Compare: OSIRM.)
$ 互联网协议套件(IPS)(I)由IETF指定并由IESG批准为互联网标准的一组网络通信协议,由IAB监督。(请参阅:OSIRM安全体系结构。比较:OSIRM。)
Usage: This set of protocols is popularly known as "TCP/IP" because TCP and IP are its most basic and important components.
用法:这组协议通常被称为“TCP/IP”,因为TCP和IP是其最基本和最重要的组件。
For clarity, this Glossary refers to IPS protocol layers by name and capitalizes those names, and refers to OSIRM protocol layers by number.
为清楚起见,本术语表按名称引用IPS协议层并将这些名称大写,并按编号引用OSIRM协议层。
Tutorial: The IPS does have architectural principles [R1958], but there is no Internet Standard that defines a layered IPS reference model like the OSIRM. Still, Internet community literature has referred (inconsistently) to IPS layers since early in the Internet's development [Padl].
教程:IPS确实有体系结构原则[R1958],但没有像OSIRM那样定义分层IPS参考模型的互联网标准。尽管如此,自互联网发展早期[Padl]起,互联网社区文献就(不一致地)提到了IPS层。
This Glossary treats the IPS as having five protocol layers -- Application, Transport, Internet, Network Interface, and Network Hardware (or Network Substrate) -- which are illustrated in the following diagram:
本术语表将IP视为具有五个协议层——应用程序、传输、Internet、网络接口和网络硬件(或网络基板)——如下图所示:
OSIRM Layers Examples IPS Layers Examples
------------------ --------------- --------------- --------------
Message Format: P2 [X420] Message Format: ARPA (RFC 822)
+----------------+ +-------------+
|7.Application | P1 [X419] | Application | SMTP (RFC 821)
+----------------+ - - - - - - | |
|6.Presentation | [I8823] | |
+----------------+ - - - - - - | |
|5.Session | [I8327] +-------------+
+----------------+ - - - - - - | Transport | TCP (RFC 793)
|4.Transport | TP4 [I8073] | |
+----------------+ - - - - - - +-------------+
|3.Network | CLNP [I8473] | Internet | IP (RFC 791)
| | +-------------+
| | | Network | IP over IEEE
+----------------+ - - - - - - | Interface | 802 (RFC 1042)
|2.Data Link | +-------------+
| | LLC [I8802-2] - Network - The IPS does
| | MAC [I8802-3] - Hardware - not include
+----------------+ - (or Network - standards for
|1.Physical | Baseband - Substrate) - this layer.
+----------------+ Signaling [Stal] + - - - - - - +
OSIRM Layers Examples IPS Layers Examples
------------------ --------------- --------------- --------------
Message Format: P2 [X420] Message Format: ARPA (RFC 822)
+----------------+ +-------------+
|7.Application | P1 [X419] | Application | SMTP (RFC 821)
+----------------+ - - - - - - | |
|6.Presentation | [I8823] | |
+----------------+ - - - - - - | |
|5.Session | [I8327] +-------------+
+----------------+ - - - - - - | Transport | TCP (RFC 793)
|4.Transport | TP4 [I8073] | |
+----------------+ - - - - - - +-------------+
|3.Network | CLNP [I8473] | Internet | IP (RFC 791)
| | +-------------+
| | | Network | IP over IEEE
+----------------+ - - - - - - | Interface | 802 (RFC 1042)
|2.Data Link | +-------------+
| | LLC [I8802-2] - Network - The IPS does
| | MAC [I8802-3] - Hardware - not include
+----------------+ - (or Network - standards for
|1.Physical | Baseband - Substrate) - this layer.
+----------------+ Signaling [Stal] + - - - - - - +
The diagram approximates how the five IPS layers align with the seven OSIRM layers, and it offers examples of protocol stacks that provide roughly equivalent electronic mail service over a private LAN that uses baseband signaling.
该图大致描述了五个IPS层如何与七个OSIRM层对齐,并提供了协议栈的示例,这些协议栈通过使用基带信令的专用LAN提供大致等效的电子邮件服务。
- IPS Application Layer: The user runs an application program. The program selects the data transport service it needs -- either a sequence of data messages or a continuous stream of data -- and hands application data to the Transport Layer for delivery.
- IPS应用层:用户运行应用程序。程序选择它需要的数据传输服务——一系列数据消息或连续的数据流——并将应用程序数据交给传输层进行传输。
- IPS Transport Layer: This layer divides application data into packets, adds a destination address to each, and communicates them end-to-end -- from one application program to another -- optionally regulating the flow and ensuring reliable (error-free and sequenced) delivery.
- IPS传输层:该层将应用程序数据分为多个数据包,为每个数据包添加一个目的地地址,并端到端地进行通信(从一个应用程序到另一个应用程序),可以选择调节流量并确保可靠(无错误且有序)交付。
- IPS Internet Layer: This layer carries transport packets in IP datagrams. It moves each datagram independently, from its source computer to its addressed destination computer, routing
- IPS互联网层:该层承载IP数据报中的传输包。它独立地将每个数据报从其源计算机移动到其寻址的目标计算机(路由)
the datagram through a sequence of networks and relays and selecting appropriate network interfaces en route.
数据报通过一系列网络和中继,并在途中选择适当的网络接口。
- IPS Network Interface Layer: This layer accepts datagrams for transmission over a specific network. This layer specifies interface conventions for carrying IP over OSIRM Layer 3 protocols and over Media Access Control sublayer protocols of OSIRM Layer 2. An example is IP over IEEE 802 (RFD 1042).
- IPS网络接口层:该层接受通过特定网络传输的数据报。该层指定通过OSIRM第3层协议和OSIRM第2层的媒体访问控制子层协议承载IP的接口约定。一个例子是IEEE802上的IP(RFD1042)。
- IPS Network Hardware Layer: This layer consists of specific, physical communication media. However, the IPS does not specify its own peer-to-peer protocols in this layer. Instead, the layering conventions specified by the Network Interface Layer use Layer 2 and Layer 3 protocols that are specified by bodies other than the IETF. That is, the IPS addresses *inter*-network functions and does not address *intra*-network functions.
- IPS网络硬件层:该层由特定的物理通信媒体组成。但是,IPS在此层中没有指定自己的对等协议。相反,网络接口层指定的分层约定使用IETF以外的机构指定的第2层和第3层协议。也就是说,IP地址*内部*网络功能,而不地址*内部*网络功能。
The two models are most dissimilar in the upper layers, where the IPS model does not include Session and Presentation layers. However, this omission causes fewer functional differences between the models than might be imagined, and the differences have relatively few security implications:
这两个模型在上层最为不同,IPS模型不包括会话层和表示层。然而,这种省略导致模型之间的功能差异比想象的要小,并且这些差异对安全的影响相对较小:
- Formal separation of OSIRM Layers 5, 6, and 7 is not needed in implementations; the functions of these layers sometimes are mixed in a single software unit, even in protocols in the OSI suite.
- 实现中不需要OSIRM第5、6和7层的正式分离;这些层的功能有时混合在单个软件单元中,甚至在OSI套件中的协议中也是如此。
- Some OSIRM Layer 5 services -- for example, connection termination -- are built into TCP, and the remaining Layer 5 and 6 functions are built into IPS Application-Layer protocols where needed.
- 一些OSIRM第5层服务(例如,连接终止)内置于TCP中,其余第5层和第6层功能在需要时内置于IPS应用层协议中。
- The OSIRM does not place any security services in Layer 5 (see: OSIRM Security Architecture).
- OSIRM没有在第5层中放置任何安全服务(请参阅:OSIRM安全体系结构)。
- The lack of an explicit Presentation Layer in the IPS sometimes makes it simpler to implement security in IPS applications. For example, a primary function of Layer 6 is to convert data between internal and external forms, using a transfer syntax to unambiguously encode data for transmission. If an OSIRM application encrypts data to protect against disclosure during transmission, the transfer encoding must be done before the encryption. If an application does encryption, as is done in OSI message handling and directory service protocols, then Layer 6 functions must be replicated in Layer 7. [X400, X500].
- IPS中缺乏明确的表示层,这使得在IPS应用程序中实现安全性变得更加简单。例如,第6层的主要功能是在内部和外部表单之间转换数据,使用传输语法对数据进行明确编码以进行传输。如果OSIRM应用程序对数据进行加密以防止传输过程中的泄露,则必须在加密之前进行传输编码。如果应用程序进行加密,就像OSI消息处理和目录服务协议中所做的那样,那么第6层功能必须在第7层中复制。[X400,X500]。
The two models are most alike at the top of OSIRM Layer 3, where the OSI Connectionless Network Layer Protocol (CLNP) and the IPS IP are quite similar. Connection-oriented security services offered in OSIRM Layer 3 are inapplicable in the IPS, because the IPS Internet Layer lacks the explicit, connection-oriented service offered in the OSIRM.
这两个模型在OSIRM第3层的顶部最为相似,OSI无连接网络层协议(CLNP)和IPS IP非常相似。OSIRM第3层中提供的面向连接的安全服务不适用于IPS,因为IPS Internet层缺少OSIRM中提供的明确的、面向连接的服务。
$ Internet Security Association and Key Management Protocol (ISAKMP) (I) An Internet IPsec protocol [R2408] to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.
$ 互联网安全关联和密钥管理协议(ISAKMP)(I)互联网IPsec协议[R2408],用于协商、建立、修改和删除安全关联,以及交换密钥生成和认证数据,与任何特定密钥生成技术、密钥建立协议、加密算法的细节无关,或身份验证机制。
Tutorial: ISAKMP supports negotiation of security associations for protocols at all IPS layers. By centralizing management of security associations, ISAKMP reduces duplicated functionality within each protocol. ISAKMP can also reduce connection setup time, by negotiating a whole stack of services at once. Strong authentication is required on ISAKMP exchanges, and a digital signature algorithm based on asymmetric cryptography is used within ISAKMP's authentication component.
教程:ISAKMP支持所有IPS层协议的安全关联协商。通过集中管理安全关联,ISAKMP减少了每个协议中重复的功能。ISAKMP还可以通过一次协商整个服务堆栈来减少连接设置时间。ISAKMP交换需要强身份验证,并且在ISAKMP的身份验证组件中使用了基于非对称加密的数字签名算法。
ISAKMP negotiations are conducted in two "phases": - "Phase 1 negotiation". A phase 1 negotiation establishes a security association to be used by ISAKMP to protect its own protocol operations. - "Phase 2 negotiation". A phase 2 negotiation (which is protected by a security association that was established by a phase 1 negotiation) establishes a security association to be used to protect the operations of a protocol other than ISAKMP, such as ESP.
ISAKMP谈判分为两个“阶段”:“第一阶段谈判”。第1阶段协商建立一个安全关联,由ISAKMP用于保护其自身的协议操作。-“第二阶段谈判”。第2阶段协商(由第1阶段协商建立的安全关联保护)建立安全关联,用于保护除ISAKMP以外的协议(如ESP)的操作。
$ Internet Society (ISOC) (I) A professional society concerned with Internet development (including technical Internet Standards); with how the Internet is and can be used; and with social, political, and technical issues that result. The ISOC Board of Trustees approves appointments to the IAB from among nominees submitted by the IETF nominating committee. (RFC 2026)
$ 互联网协会(ISOC)(I)一个关注互联网发展(包括互联网技术标准)的专业协会;互联网是如何使用的;以及由此产生的社会、政治和技术问题。ISOC董事会从IETF提名委员会提交的提名人中批准IAB的任命。(RFC 2026)
$ Internet Standard (I) A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. (RFC 2026) (Compare: RFC.)
$ 互联网标准(I)由IESG批准并作为RFC发布的规范,其稳定且易于理解,具有技术能力,具有多个独立且可互操作的实施方案,具有丰富的运营经验,得到了公众的大力支持,并且在互联网的部分或所有部分都非常有用。(RFC 2026)(比较:RFC.)
Tutorial: The "Internet Standards Process" is an activity of the ISOC and is organized and managed by the IAB and the IESG. The process is concerned with all protocols, procedures, and conventions used in or by the Internet, whether or not they are part of the IPS. The "Internet Standards Track" has three levels of increasing maturity: Proposed Standard, Draft Standard, and Standard. (Compare: ISO, W3C.)
教程:“互联网标准流程”是ISOC的一项活动,由IAB和IESG组织和管理。该过程涉及互联网中使用或由互联网使用的所有协议、程序和约定,无论它们是否是IP的一部分。“互联网标准轨道”有三个日益成熟的层次:建议标准、草案标准和标准。(比较:ISO、W3C。)
$ internetwork (I) A system of interconnected networks; a network of networks. Usually shortened to "internet". (See: internet, Internet.)
$ 互联网络(I)互联网络系统;网络的网络。通常简称为“互联网”。(请参阅:internet,internet。)
Tutorial: An internet can be built using OSIRM Layer 3 gateways to implement connections between a set of similar subnetworks. With dissimilar subnetworks, i.e., subnetworks that differ in the Layer 3 protocol service they offer, an internet can be built by implementing a uniform internetwork protocol (e.g., IP) that operates at the top of Layer 3 and hides the underlying subnetworks' heterogeneity from hosts that use communication services provided by the internet. (See: router.)
教程:可以使用OSIRM第3层网关构建internet,以实现一组类似子网之间的连接。对于不同的子网,即它们提供的第3层协议服务不同的子网,可以通过实现在第3层顶部运行的统一互联网协议(如IP)来构建互联网,并对使用互联网提供的通信服务的主机隐藏底层子网的异构性。(请参阅:路由器。)
$ intranet (I) A computer network, especially one based on Internet technology, that an organization uses for its own internal (and usually private) purposes and that is closed to outsiders. (See: extranet, VPN.)
$ 内联网(I)一种计算机网络,特别是基于互联网技术的网络,一个组织为了自己的内部(通常是私人)目的而使用,并且对外部开放。(请参阅:外部网、VPN。)
$ intruder (I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (See: intrusion. Compare: adversary, cracker, hacker.)
$ 入侵者(I)未经授权而获取或试图获取对系统或系统资源访问权限的实体。(请参阅:入侵。比较:敌手、黑客、黑客。)
$ intrusion 1. (I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so. (See: IDS.)
$ 入侵1。(一) 构成安全事件的一种安全事件或多个安全事件的组合,其中入侵者未经授权获取或试图获取对系统或系统资源的访问权。(请参阅:IDS。)
2. (I) A type of threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's security protections. (See: unauthorized disclosure.)
2. (一) 一种威胁行为,未经授权的实体通过绕过系统的安全保护来访问敏感数据。(请参阅:未经授权的披露。)
Usage: This type of threat action includes the following subtypes: - "Trespass": Gaining physical access to sensitive data by circumventing a system's protections. - "Penetration": Gaining logical access to sensitive data by circumventing a system's protections.
用法:这种类型的威胁操作包括以下子类型:-“主动变更”:通过绕过系统保护获得对敏感数据的物理访问。-“渗透”:通过绕过系统保护,获得对敏感数据的逻辑访问。
- "Reverse engineering": Acquiring sensitive data by disassembling and analyzing the design of a system component. - "Cryptanalysis": Transforming encrypted data into plain text without having prior knowledge of encryption parameters or processes. (See: main entry for "cryptanalysis".)
- “逆向工程”:通过分解和分析系统组件的设计来获取敏感数据。-“密码分析”:将加密数据转换为纯文本,而无需事先了解加密参数或过程。(请参阅“密码分析”的主条目。)
$ intrusion detection (I) Sensing and analyzing system events for the purpose of noticing (i.e., becoming aware of) attempts to access system resources in an unauthorized manner. (See: anomaly detection, IDS, misuse detection. Compare: extrusion detection.) [IDSAN, IDSSC, IDSSE, IDSSY]
$ 入侵检测(I)感应和分析系统事件,以发现(即意识到)以未经授权的方式访问系统资源的企图。(请参阅:异常检测、IDS、误用检测。比较:挤出检测。)[IDSAN、IDSSC、IDSSE、IDSSY]
Usage: This includes the following subtypes: - "Active detection": Real-time or near-real-time analysis of system event data to detect current intrusions, which result in an immediate protective response. - "Passive detection": Off-line analysis of audit data to detect past intrusions, which are reported to the system security officer for corrective action. (Compare: security audit.)
用法:包括以下子类型:-“主动检测”:实时或近实时分析系统事件数据,以检测当前入侵,从而产生即时保护响应。-“被动检测”:对审计数据进行离线分析,以检测过去的入侵,并将其报告给系统安全官员以采取纠正措施。(比较:安全审计。)
$ intrusion detection system (IDS) 1. (N) A process or subsystem, implemented in software or hardware, that automates the tasks of (a) monitoring events that occur in a computer network and (b) analyzing them for signs of security problems. [SP31] (See: intrusion detection.)
$ 入侵检测系统(IDS)1。(N) 一种用软件或硬件实现的过程或子系统,它自动执行以下任务:(A)监视计算机网络中发生的事件,以及(b)分析这些事件是否有安全问题的迹象。[SP31](请参阅:入侵检测。)
2. (N) A security alarm system to detect unauthorized entry. [DC6/9].
2. (N) 用于检测未经授权进入的安全报警系统。[DC6/9]。
Tutorial: Active intrusion detection processes can be either host-based or network-based: - "Host-based": Intrusion detection components -- traffic sensors and analyzers -- run directly on the hosts that they are intended to protect. - "Network-based": Sensors are placed on subnetwork components, and analysis components run either on subnetwork components or hosts.
教程:主动入侵检测过程可以是基于主机的,也可以是基于网络的:-“基于主机的”:入侵检测组件--流量传感器和分析仪--直接在它们要保护的主机上运行。-“基于网络”:传感器放置在子网络组件上,分析组件在子网络组件或主机上运行。
$ invalidity date (N) An X.509 CRL entry extension that "indicates the date at which it is known or suspected that the [revoked certificate's private key] was compromised or that the certificate should otherwise be considered invalid." [X509].
$ 无效日期(N)X.509 CRL条目扩展,“表示已知或怀疑[已撤销证书的私钥]被泄露的日期,或该证书应被视为无效的日期。”[X509]。
Tutorial: This date may be earlier than the revocation date in the CRL entry, and may even be earlier than the date of issue of earlier CRLs. However, the invalidity date is not, by itself,
教程:此日期可能早于CRL条目中的撤销日期,甚至可能早于早期CRL的发布日期。然而,失效日期本身并不是,
sufficient for purposes of non-repudiation service. For example, to fraudulently repudiate a validly generated signature, a private key holder may falsely claim that the key was compromised at some time in the past.
足以提供不可抵赖服务。例如,为了欺诈性地拒绝有效生成的签名,私钥持有人可能会错误地声称密钥在过去某个时间被泄露。
$ IOTP (I) See: Internet Open Trading Protocol.
$ IOTP(I)见:互联网开放交易协议。
$ IP (I) See: Internet Protocol.
$ IP(I)见:互联网协议。
$ IP address (I) A computer's internetwork address that is assigned for use by IP and other protocols.
$ IP地址(I)分配给IP和其他协议使用的计算机网络间地址。
Tutorial: An IP version 4 address (RFC 791) has four 8-bit parts and is written as a series of four decimal numbers separated by periods. Example: The address of the host named "rosslyn.bbn.com" is 192.1.7.10.
教程:IP版本4地址(RFC 791)有四个8位部分,由四个小数点组成,以句点分隔。示例:名为“rosslyn.bbn.com”的主机的地址是192.1.7.10。
An IP version 6 address (RFC 2373) has eight 16-bit parts and is written as eight hexadecimal numbers separated by colons. Examples: 1080:0:0:0:8:800:200C:417A and FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
IP版本6地址(RFC 2373)有八个16位部分,由八个十六进制数字组成,用冒号分隔。示例:1080:0:0:0:8:800:200C:417A和FEDC:BA98:7654:3210:FEDC:BA98:7654:3210。
$ IP Security Option (I) See: Internet Protocol Security Option.
$ IP安全选项(I)请参阅:Internet协议安全选项。
$ IP Security Protocol (IPsec) 1a. (I) The name of the IETF working group that is specifying an architecture [R2401, R4301] and set of protocols to provide security services for IP traffic. (See: AH, ESP, IKE, SAD, SPD. Compare: IPSO.)
$ IP安全协议(IPsec)1a。(一) 指定体系结构[R2401,R4301]和协议集以提供IP通信安全服务的IETF工作组的名称。(参见:啊,ESP,IKE,SAD,SPD。比较:IPSO。)
1b. (I) A collective name for the IP security architecture [R4301] and associated set of protocols (primarily AH, ESP, and IKE).
1b。(一) IP安全体系结构[R4301]和相关协议集(主要是AH、ESP和IKE)的统称。
Usage: In IDOCs that use the abbreviation "IPsec", the letters "IP" SHOULD be in uppercase, and the letters "sec" SHOULD NOT.
用法:在使用缩写“IPsec”的IDOC中,字母“IP”应为大写,字母“sec”不应为大写。
Tutorial: The security services provided by IPsec include access control service, connectionless data integrity service, data origin authentication service, protection against replays (detection of the arrival of duplicate datagrams, within a constrained window), data confidentiality service, and limited traffic-flow confidentiality. IPsec specifies (a) security protocols (AH and ESP), (b) security associations (what they are, how they work, how they are managed, and associated processing),
教程:IPsec提供的安全服务包括访问控制服务、无连接数据完整性服务、数据源身份验证服务、防止重播(在受约束的窗口内检测重复数据报的到达)、数据保密服务和有限的流量保密性。IPsec指定(a)安全协议(AH和ESP),(b)安全关联(它们是什么、如何工作、如何管理以及相关处理),
(c) key management (IKE), and (d) algorithms for authentication and encryption. Implementation of IPsec is optional for IP version 4, but mandatory for IP version 6. (See: transport mode, tunnel mode.)
(c) 密钥管理(IKE)和(d)认证和加密算法。IPsec的实现对于IP版本4是可选的,但是对于IP版本6是强制性的。(请参见:传输模式、隧道模式。)
$ IPLI (I) See: Internet Private Line Interface.
$ IPLI(I)见:互联网专线接口。
$ IPRA (I) See: Internet Policy Registration Authority.
$ IPRA(I)见:互联网政策注册机构。
$ IPS (I) See: Internet Protocol Suite.
$ IPS(I)见:互联网协议套件。
$ IPsec (I) See: IP Security Protocol.
$ IPsec(I)见:IP安全协议。
$ IPSO (I) See: Internet Protocol Security Option.
$ IPSO(I)见:互联网协议安全选项。
$ ISAKMP (I) See: Internet Security Association and Key Management Protocol.
$ ISAKMP(I)参见:互联网安全关联和密钥管理协议。
$ ISO (I) International Organization for Standardization, a voluntary, non-treaty, non-governmental organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. (Compare: ANSI, IETF, ITU-T, W3C.)
$ ISO(I)国际标准化组织,一个自愿、非条约、非政府组织,成立于1947年,有投票权的成员是参与国的指定标准机构和无投票权的观察员组织。(比较:ANSI、IETF、ITU-T、W3C。)
Tutorial: Legally, ISO is a Swiss, non-profit, private organization. ISO and the IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in developing international standards through ISO and IEC technical committees that deal with particular fields of activity. Other international governmental and non-governmental organizations, in liaison with ISO and IEC, also take part. (ANSI is the U.S. voting member of ISO. ISO is a class D member of ITU-T.)
教程:从法律上讲,ISO是一个瑞士的非营利私人组织。ISO和IEC(国际电工委员会)形成了全球标准化的专门体系。作为ISO或IEC成员的国家机构通过处理特定活动领域的ISO和IEC技术委员会参与制定国际标准。与ISO和IEC联络的其他国际政府和非政府组织也参加了会议。(ANSI是ISO的美国投票成员。ISO是ITU-T的D级成员。)
The ISO standards development process has four levels of increasing maturity: Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), and International Standard (IS). (Compare: "Internet Standards Track" under "Internet Standard".) In information technology, ISO and IEC have a joint technical committee, ISO/IEC JTC 1. DISs adopted by JTC 1 are
ISO标准开发过程有四个日益成熟的层次:工作草案(WD)、委员会草案(CD)、国际标准草案(DIS)和国际标准(IS)。(比较“互联网标准”下的“互联网标准轨道”。)在信息技术领域,ISO和IEC有一个联合技术委员会,即ISO/IEC JTC 1。JTC 1采用的DIS为
circulated to national bodies for voting, and publication as an IS requires approval by at least 75% of the national bodies casting a vote.
分发给国家机构进行投票,并作为IS发布需要至少75%的投票国家机构的批准。
$ ISO 17799 (N) An International Standard that is a code of practice, derived from Part 1 of British Standard 7799, for managing the security of information systems in an organization. This standard does not provide definitive or specific material on any security topic. It provides general guidance on a wide variety of topics, but typically does not go into depth. (See: IATF, [SP14].)
$ ISO 17799(N)源自英国标准7799第1部分的一种国际标准,是一种实践规范,用于管理组织中信息系统的安全性。本标准不提供任何安全主题的最终或特定材料。它提供了广泛主题的一般指导,但通常不深入。(参见:IATF,[SP14]。)
$ ISOC (I) See: Internet Society.
$ ISOC(I)见:互联网协会。
$ issue (I) /PKI/ Generate and sign a digital certificate (or a CRL) and, usually, distribute it and make it available to potential certificate users (or CRL users). (See: certificate creation.)
$ 颁发(I)/PKI/生成并签署数字证书(或CRL),通常分发该证书并将其提供给潜在的证书用户(或CRL用户)。(请参阅:证书创建。)
Usage: The term "issuing" is usually understood to refer not only to creating a digital certificate (or a CRL) but also to making it available to potential users, such as by storing it in a repository or other directory or otherwise publishing it. However, the ABA [DSG] explicitly limits this term to the creation process and excludes any related publishing or distribution process.
用法:术语“颁发”通常理解为不仅指创建数字证书(或CRL),还指使其可供潜在用户使用,例如将其存储在存储库或其他目录中或以其他方式发布。然而,ABA[DSG]明确将该术语限制在创建过程中,并排除任何相关的发布或分发过程。
$ issuer 1. (I) /certificate, CRL/ The CA that signs a digital certificate or CRL.
$ 发行人1。(一) /certificate,CRL/签署数字证书或CRL的CA。
Tutorial: An X.509 certificate always includes the issuer's name. The name may include a common name value.
教程:X.509证书始终包含颁发者的名称。该名称可能包括通用名称值。
2. (O) /payment card, SET/ "The financial institution or its agent that issues the unique primary account number to the cardholder for the payment card brand." [SET2]
2. (O) /支付卡,SET/“为支付卡品牌向持卡人发放唯一主账号的金融机构或其代理机构。”[SET2]
Tutorial: The institution that establishes the account for a cardholder and issues the payment card also guarantees payment for authorized transactions that use the card in accordance with card brand regulations and local legislation. [SET1]
教程:为持卡人建立账户并发行支付卡的机构还保证根据卡品牌法规和当地法律对使用该卡的授权交易进行支付。[SET1]
$ ITAR (O) See: International Traffic in Arms Regulations.
$ ITAR(O)见:国际武器贩运条例。
$ ITSEC (N) See: Information Technology System Evaluation Criteria.
$ ITSEC(N)见:信息技术系统评估标准。
$ ITU-T (N) International Telecommunications Union, Telecommunication Standardization Sector (formerly "CCITT"), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called "Recommendations". (See: X.400, X.500.)
$ ITU-T(N)国际电信联盟,电信标准化部门(前身为“CCITT”),一个联合国条约组织,主要由成员国的邮政、电话和电报部门组成,发布称为“建议”的标准。(见:X.400、X.500)
Tutorial: The Department of State represents the United States. ITU-T works on many kinds of communication systems. ITU-T cooperates with ISO on communication protocol standards, and many Recommendations in that area are also published as an ISO standard with an ISO name and number.
教程:国务院代表美国。ITU-T适用于多种通信系统。ITU-T在通信协议标准方面与ISO合作,该领域的许多建议也以ISO名称和编号的ISO标准发布。
$ IV (I) See: initialization value.
$ IV(I)见:初始化值。
$ jamming (N) An attack that attempts to interfere with the reception of broadcast communications. (See: anti-jam, denial of service. Compare: flooding.)
$ 干扰(N)试图干扰广播通信接收的攻击。(请参阅:抗干扰、拒绝服务。比较:泛洪。)
Tutorial: Jamming uses "interference" as a type of "obstruction" intended to cause "disruption". Jamming a broadcast signal is typically done by broadcasting a second signal that receivers cannot separate from the first one. Jamming is mainly thought of in the context of wireless communication, but also can be done in some wired technologies, such as LANs that use contention techniques to share a broadcast medium.
教程:干扰使用“干扰”作为一种“障碍物”,旨在造成“干扰”。干扰广播信号通常是通过广播接收机无法与第一个信号分离的第二个信号来实现的。干扰主要是在无线通信环境中考虑的,但也可以在一些有线技术中进行,例如使用争用技术共享广播媒体的局域网。
$ KAK (D) See: key-auto-key. (Compare: KEK.)
$ KAK(D)参见:钥匙自动钥匙。(比较:KEK)
$ KDC (I) See: Key Distribution Center.
$ KDC(一)见:钥匙配送中心。
$ KEA (N) See: Key Exchange Algorithm.
$ KEA(N)参见:密钥交换算法。
$ KEK (I) See: key-encrypting key. (Compare: KAK.)
$ KEK(I)参见:密钥加密密钥。(比较:KAK。)
$ Kerberos (I) A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. [R4120, Stei] (See: realm.)
$ Kerberos(I)麻省理工学院开发的一种系统,依靠密码和对称加密(DES)实现分布在客户机-服务器网络环境中的基于票据的对等实体身份验证服务和访问控制服务。[R4120,Stei](参见:领域)
Tutorial: Kerberos was originally developed by Project Athena and is named for the mythical three-headed dog that guards Hades. The system architecture includes authentication servers and ticket-granting servers that function as an ACC and a KDC.
教程:Kerberos最初是由雅典娜项目开发的,以守护地狱的神秘三头狗命名。系统架构包括身份验证服务器和票据授予服务器,它们作为ACC和KDC运行。
RFC 4556 describes extensions to the Kerberos specification that modify the initial authentication exchange between a client and the KDC. The extensions employ public-key cryptography to enable the client and KDC to mutually authenticate and establish shared, symmetric keys that are used to complete the exchange. (See: PKINIT.)
RFC4556描述了对Kerberos规范的扩展,这些扩展修改了客户端和KDC之间的初始身份验证交换。这些扩展采用公钥加密技术,使客户机和KDC能够相互验证并建立用于完成交换的共享对称密钥。(见:PKINIT)
$ kernel (I) A small, trusted part of a system that provides services on which the other parts of the system depend. (See: security kernel.)
$ 内核(I)系统的一个小的、可信任的部分,它提供系统其他部分所依赖的服务。(请参阅:安全内核。)
$ Kernelized Secure Operating System (KSOS) (O) An MLS computer operating system, designed to be a provably secure replacement for UNIX Version 6, and consisting of a security kernel, non-kernel security-related utility programs, and optional UNIX application development and support environments. [Perr]
$ 内核化安全操作系统(KSOS)(O):一种MLS计算机操作系统,旨在作为UNIX版本6的可证明安全的替代品,由安全内核、非内核安全相关实用程序以及可选的UNIX应用程序开发和支持环境组成。[佩尔]
Tutorial: KSOS-6 was the implementation on a SCOMP. KSOS-11 was the implementation by Ford Aerospace and Communications Corporation on the DEC PDP-11/45 and PDP-11/70 computers.
教程:KSOS-6是SCOMP上的实现。KSOS-11是福特航空航天通信公司在DEC PDP-11/45和PDP-11/70计算机上实施的。
$ key 1a. (I) /cryptography/ An input parameter used to vary a transformation function performed by a cryptographic algorithm. (See: private key, public key, storage key, symmetric key, traffic key. Compare: initialization value.)
$ 图例1a。(一) /cryptography/用于改变加密算法执行的转换函数的输入参数。(请参阅:私钥、公钥、存储密钥、对称密钥、流量密钥。比较:初始化值。)
1b. (O) /cryptography/ Used in singular form as a collective noun referring to keys or keying material. Example: A fill device can be used transfer key between two cryptographic devices.
1b。(O) /cryptography/以单数形式用作一个集合名词,指密钥或密钥材料。示例:可以使用填充设备在两个加密设备之间传输密钥。
2. (I) /anti-jam/ An input parameter used to vary a process that determines patterns for an anti-jam measure. (See: frequency hopping, spread spectrum.)
2. (一) /anti-jam/一个输入参数,用于改变确定防干扰措施模式的流程。(参见:跳频、扩频。)
Tutorial: A key is usually specified as a sequence of bits or other symbols. If a key value needs to be kept secret, the sequence of symbols that comprise it should be random, or at least pseudorandom, because that makes the key harder for an adversary to guess. (See: brute-force attack, cryptanalysis, strength.)
教程:键通常指定为位序列或其他符号。如果一个密钥值需要保密,那么组成它的符号序列应该是随机的,或者至少是伪随机的,因为这使得密钥更难被对手猜到。(参见:暴力攻击、密码分析、力量。)
$ key agreement (algorithm or protocol) 1. (I) A key establishment method (especially one involving asymmetric cryptography) by which two or more entities, without prior arrangement except a public exchange of data (such as public keys), each can generate the same key value. That is, the method does not send a secret from one entity to the other; instead, both entities, without prior arrangement except a public exchange of data, can compute the same secret value, but that value cannot be computed by other, unauthorized entities. (See: Diffie-Hellman-Merkle, key establishment, KEA, MQV. Compare: key transport.)
$ 密钥协议(算法或协议)1。(一) 一种密钥建立方法(特别是涉及非对称加密的方法),通过这种方法,两个或多个实体,除公开数据交换(如公钥)外,无需事先安排,都可以生成相同的密钥值。即,该方法不将秘密从一个实体发送到另一个实体;相反,两个实体在没有事先安排的情况下(除了公开数据交换),都可以计算相同的秘密值,但该值不能由其他未经授权的实体计算。(参见:Diffie Hellman Merkle,密钥建立,KEA,MQV。比较:密钥传输。)
2. (O) "A method for negotiating a key value on line without transferring the key, even in an encrypted form, e.g., the Diffie-Hellman technique." [X509] (See: Diffie-Hellman-Merkle.)
2. (O) “一种在线协商密钥值而不传输密钥的方法,即使是加密形式,例如Diffie-Hellman技术。”[X509](参见:Diffie-Hellman-Merkle。)
3. (O) "The procedure whereby two different parties generate shared symmetric keys such that any of the shared symmetric keys is a function of the information contributed by all legitimate participants, so that no party [alone] can predetermine the value of the key." [A9042]
3. (O) “两个不同方生成共享对称密钥的过程,使得任何共享对称密钥都是所有合法参与者提供的信息的函数,因此任何一方[单独]都不能预先确定密钥的值。”[A9042]
Example: A message originator and the intended recipient can each use their own private key and the other's public key with the Diffie-Hellman-Merkle algorithm to first compute a shared secret value and, from that value, derive a session key to encrypt the message.
示例:消息发起人和预期收件人可以各自使用自己的私钥和另一方的公钥以及Diffie-Hellman-Merkle算法,首先计算共享密钥值,并从该值派生会话密钥以加密消息。
$ key authentication (N) "The assurance of the legitimate participants in a key agreement [i.e., in a key-agreement protocol] that no non-legitimate party possesses the shared symmetric key." [A9042]
$ 密钥认证(N)“密钥协议[即密钥协议协议]的合法参与者保证非合法方不拥有共享对称密钥。”[A9042]
$ key-auto-key (KAK) (D) "Cryptographic logic [i.e., a mode of operation] using previous key to produce key." [C4009, A1523] (See: CTAK, /cryptographic operation/ under "mode".)
$ 密钥自动密钥(KAK)(D)“使用先前密钥生成密钥的加密逻辑[即操作模式]”[C4009,A1523](参见:CTAK,/Cryptographic operation/在“模式”下)
Deprecated Term: IDOCs SHOULD NOT use this term; it is neither well-known nor precisely defined. Instead, use terms associated with modes that are defined in standards, such as CBC, CFB, and OFB.
不推荐使用的术语:IDoc不应使用此术语;它既不是众所周知的,也不是精确定义的。相反,使用与标准中定义的模式相关的术语,如CBC、CFB和OFB。
$ key center (I) A centralized, key-distribution process (used in symmetric cryptography), usually a separate computer system, that uses master keys (i.e., KEKs) to encrypt and distribute session keys needed by a community of users.
$ 密钥中心(I):一个集中的密钥分发过程(用于对称加密),通常是一个独立的计算机系统,使用主密钥(即KEK)加密和分发用户社区所需的会话密钥。
Tutorial: An ANSI standard [A9017] defines two types of key center: "key distribution center" and "key translation center".
教程:ANSI标准[A9017]定义了两种类型的密钥中心:“密钥分发中心”和“密钥翻译中心”。
$ key confirmation (N) "The assurance [provided to] the legitimate participants in a key establishment protocol that the [parties that are intended to share] the symmetric key actually possess the shared symmetric key." [A9042]
$ 密钥确认(N)“向密钥建立协议的合法参与者提供的保证,即[打算共享]对称密钥的各方实际拥有共享对称密钥。”[A9042]
$ key distribution (I) A process that delivers a cryptographic key from the location where it is generated to the locations where it is used in a cryptographic algorithm. (See: key establishment, key management.)
$ 密钥分发(I)将加密密钥从生成位置传递到加密算法中使用的位置的过程。(参见:密钥建立、密钥管理。)
$ key distribution center (KDC) 1. (I) A type of key center (used in symmetric cryptography) that implements a key-distribution protocol to provide keys (usually, session keys) to two (or more) entities that wish to communicate securely. (Compare: key translation center.)
$ 密钥分发中心(KDC)1。(一) 一种密钥中心(用于对称加密),它实现密钥分发协议,为两个(或更多)希望安全通信的实体提供密钥(通常是会话密钥)。(比较:关键翻译中心。)
2. (N) "COMSEC facility generating and distributing key in electrical form." [C4009]
2. (N) “通信安全设施以电子形式生成和分配密钥。”[C4009]
Tutorial: A KDC distributes keys to Alice and Bob, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the KDC, and (c) may not be able to generate or acquire keys by themselves. Alice requests the keys from the KDC. The KDC generates or acquires the keys and makes two identical sets. The KDC encrypts one set in the KEK it shares with Alice, and sends that encrypted set to Alice. The KDC encrypts the second set in the KEK it shares with Bob, and either (a) sends that encrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although the latter option is not supported in the ANSI standard [A9017]).
教程:KDC将密钥分发给Alice和Bob,他们(A)希望彼此通信但当前不共享密钥,(b)每个人都与KDC共享一个KEK,以及(c)可能无法自行生成或获取密钥。Alice向KDC请求密钥。KDC生成或获取密钥,并生成两个相同的集合。KDC加密它与Alice共享的KEK中的一个集,并将该加密集发送给Alice。KDC加密与Bob共享的KEK中的第二个集,并且(a)将该加密集发送给Alice,让她转发给Bob,或者(b)直接发送给Bob(尽管ANSI标准[A9017]不支持后一个选项)。
$ key encapsulation (N) A key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation typically permits direct retrieval of a secret key used to provide data confidentiality. (Compare: key escrow.)
$ 密钥封装(N)一种密钥恢复技术,用于通过使用另一密钥对加密密钥进行加密并确保只有称为“恢复代理”的特定第三方可以执行解密操作以检索存储的密钥来存储加密密钥的知识。密钥封装通常允许直接检索用于提供数据机密性的密钥。(比较:密钥托管。)
$ key-encrypting key (KEK) (I) A cryptographic key that (a) is used to encrypt other keys (either DEKs or other TEKs) for transmission or storage but (b) (usually) is not used to encrypt application data. Usage: Sometimes called "key-encryption key".
$ 密钥加密密钥(KEK)(I)(A)用于加密用于传输或存储的其他密钥(DEK或其他TEK),但(b)(通常)不用于加密应用程序数据的加密密钥。用法:有时称为“密钥加密密钥”。
$ key escrow (N) A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances. (Compare: key encapsulation.)
$ 密钥托管(N)一种密钥恢复技术,用于将加密密钥或其部分的知识存储在一个或多个第三方(称为“托管代理”)的托管下,以便在特定情况下恢复和使用密钥。(比较:键封装。)
Tutorial: Key escrow is typically implemented with split knowledge techniques. For example, the Escrowed Encryption Standard [FP185] entrusts two components of a device-unique split key to separate escrow agents. The agents provide the components only to someone legally authorized to conduct electronic surveillance of telecommunications encrypted by that specific device. The components are used to reconstruct the device-unique key, and it is used to obtain the session key needed to decrypt communications.
教程:密钥托管通常使用分割知识技术实现。例如,托管加密标准[FP185]将设备唯一分割密钥的两个组件委托给单独的托管代理。代理商仅向合法授权的人员提供组件,以便对由该特定设备加密的电信进行电子监控。这些组件用于重建设备唯一密钥,并用于获取解密通信所需的会话密钥。
$ key establishment (algorithm or protocol) 1. (I) A procedure that combines the key-generation and key-distribution steps needed to set up or install a secure communication association.
$ 密钥建立(算法或协议)1。(一) 一种结合密钥生成和密钥分发步骤的过程,用于建立或安装安全通信关联。
2. (I) A procedure that results in keying material being shared among two or more system entities. [A9042, SP56]
2. (一) 导致在两个或多个系统实体之间共享关键帧材质的过程。[A9042,SP56]
Tutorial: The two basic techniques for key establishment are "key agreement" and "key transport".
教程:密钥建立的两个基本技术是“密钥协议”和“密钥传输”。
$ Key Exchange Algorithm (KEA) (N) A key-agreement method [SKIP, R2773] that is based on the Diffie-Hellman-Merkle algorithm and uses 1024-bit asymmetric keys. (See: CAPSTONE, CLIPPER, FORTEZZA, SKIPJACK.)
$ 密钥交换算法(KEA)(N)一种基于Diffie-Hellman-Merkle算法并使用1024位非对称密钥的密钥协商方法[SKIP,R2773]。(见:顶石、克利伯、福特扎、SKIPJACK)
Tutorial: KEA was developed by NSA and formerly classified at the U.S. DoD "Secret" level. On 23 June 1998, the NSA announced that KEA had been declassified.
教程:KEA是由NSA开发的,以前是美国国防部的“机密”级别。1998年6月23日,国家安全局宣布KEA已解密。
$ key generation (I) A process that creates the sequence of symbols that comprise a cryptographic key. (See: key management.)
$ 密钥生成(I)创建包含加密密钥的符号序列的过程。(请参阅:密钥管理。)
$ key generator 1. (I) An algorithm that uses mathematical rules to deterministically produce a pseudorandom sequence of cryptographic key values.
$ 钥匙生成器1。(一) 一种算法,它使用数学规则来确定地产生密码键值的伪随机序列。
2. (I) An encryption device that incorporates a key-generation mechanism and applies the key to plain text to produce cipher text
2. (一) 一种加密装置,包含密钥生成机制,并将密钥应用于纯文本以生成密文
(e.g., by exclusive OR-ing (a) a bit-string representation of the key with (b) a bit-string representation of the plaintext).
(例如,通过将(a)密钥的位字符串表示与(b)明文的位字符串表示进行异或运算)。
$ key length (I) The number of symbols (usually stated as a number of bits) needed to be able to represent any of the possible values of a cryptographic key. (See: key space.)
$ 密钥长度(I)能够表示加密密钥的任何可能值所需的符号数(通常表示为比特数)。(请参见:键空间。)
$ key lifetime 1. (D) Synonym for "cryptoperiod".
$ 密钥生命周期1。(D) “加密周期”的同义词。
Deprecated Definition: IDOCs SHOULD NOT use this term with definition 1 because a key's cryptoperiod may be only a part of the key's lifetime. A key could be generated at some time prior to when its cryptoperiod begins and might not be destroyed (i.e., zeroized) until some time after its cryptoperiod ends.
不推荐使用的定义:IDOCs不应在定义1中使用此术语,因为密钥的加密周期可能只是密钥生命周期的一部分。密钥可以在其密码周期开始之前的某个时间生成,并且在其密码周期结束后的某个时间之前可能不会被销毁(即,归零)。
2. (O) /MISSI/ An attribute of a MISSI key pair that specifies a time span that bounds the validity period of any MISSI X.509 public-key certificate that contains the public component of the pair. (See: cryptoperiod.)
2. (O) /misi/misi密钥对的一种属性,指定一个时间跨度,该时间跨度限定了包含该密钥对的公共组件的任何misi X.509公钥证书的有效期。(请参阅:加密周期。)
$ key loader (N) Synonym for "fill device".
$ 钥匙加载器(N)是“加注装置”的同义词。
$ key loading and initialization facility (KLIF) (N) A place where ECU hardware is activated after being fabricated. (Compare: CLEF.)
$ 钥匙加载和初始化设施(KLIF)(N)制造后激活ECU硬件的地方。(比较:谱号。)
Tutorial: Before going to its KLIF, an ECU is not ready to be fielded, usually because it is not yet able to receive DEKs. The KLIF employs trusted processes to complete the ECU by installing needed data such as KEKs, seed values, and, in some cases, cryptographic software. After KLIF processing, the ECU is ready for deployment.
教程:在去KLIF之前,ECU还没有准备好部署,通常是因为它还不能接收DEK。KLIF通过安装所需的数据(如KEK、种子值,在某些情况下还包括加密软件),采用可信的过程来完成ECU。KLIF处理后,ECU准备展开。
$ key management 1a. (I) The process of handling keying material during its life cycle in a cryptographic system; and the supervision and control of that process. (See: key distribution, key escrow, keying material, public-key infrastructure.)
$ 密钥管理1a。(一) 在密码系统的生命周期内处理密钥材料的过程;以及对该过程的监督和控制。(请参阅:密钥分发、密钥托管、密钥材料、公钥基础设施。)
Usage: Usually understood to include ordering, generating, storing, archiving, escrowing, distributing, loading, destroying, auditing, and accounting for the material.
用法:通常理解为包括材料的订购、生成、存储、归档、托管、分发、加载、销毁、审核和核算。
1b. (O) /NIST/ "The activities involving the handling of cryptographic keys and other related security parameters (e.g.,
1b。(O) /NIST/“涉及处理加密密钥和其他相关安全参数的活动(例如。,
IVs, counters) during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving." [FP140, SP57]
在密钥的整个生命周期内,包括密钥的生成、存储、分发、输入和使用、删除或销毁以及存档。”[FP140,SP57]
2. (O) /OSIRM/ "The generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy." [I7498-2]
2. (O) /OSIRM/“根据安全策略生成、存储、分发、删除、存档和应用密钥。”[I7498-2]
$ Key Management Protocol (KMP) (N) A protocol to establish a shared symmetric key between a pair (or a group) of users. (One version of KMP was developed by SDNS, and another by SILS.) Superseded by ISAKMP and IKE.
$ 密钥管理协议(KMP)(N)在一对(或一组)用户之间建立共享对称密钥的协议。(一个版本的KMP由SDNS开发,另一个由SILS开发)被ISAKMP和IKE取代。
$ key material (D) Synonym for "keying material".
$ 关键材料(D)“关键材料”的同义词。
Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for "keying material".
不推荐使用:IDOCs不应将此术语用作“键控材料”的同义词。
$ key pair (I) A set of mathematically related keys -- a public key and a private key -- that are used for asymmetric cryptography and are generated in a way that makes it computationally infeasible to derive the private key from knowledge of the public key. (See: Diffie-Hellman-Merkle, RSA.)
$ 密钥对(I)一组数学上相关的密钥——公钥和私钥——用于非对称加密,其生成方式使得从公钥知识中导出私钥在计算上不可行。(见:Diffie Hellman Merkle,RSA)
Tutorial: A key pair's owner discloses the public key to other system entities so they can use the key to (a) encrypt data, (b) verify a digital signature, or (c) generate a key with a key-agreement algorithm. The matching private key is kept secret by the owner, who uses it to (a') decrypt data, (b') generate a digital signature, or (c') generate a key with a key-agreement algorithm.
教程:密钥对的所有者向其他系统实体公开公钥,以便他们可以使用该密钥(A)加密数据,(b)验证数字签名,或(c)使用密钥协商算法生成密钥。匹配的私钥由所有者保密,所有者使用私钥(a')解密数据,(b')生成数字签名,或(c')使用密钥协商算法生成密钥。
$ key recovery 1. (I) /cryptanalysis/ A process for learning the value of a cryptographic key that was previously used to perform some cryptographic operation. (See: cryptanalysis, recovery.)
$ 密钥恢复1。(一) /CryptoAnalysis/CryptoAnalysis用于学习以前用于执行某些加密操作的加密密钥的值的过程。(请参阅:密码分析,恢复。)
2. (I) /backup/ Techniques that provide an intentional, alternate means to access the key used for data confidentiality service in an encrypted association. [DoD4] (Compare: recovery.)
2. (一) /backup/提供一种有意的替代方法来访问加密关联中用于数据保密服务的密钥的技术。[DoD4](比较:恢复。)
Tutorial: It is assumed that the cryptographic system includes a primary means of obtaining the key through a key-establishment algorithm or protocol. For the secondary means, there are two classes of key recovery techniques: key encapsulation and key escrow.
教程:假设加密系统包括通过密钥建立算法或协议获取密钥的主要方法。对于第二种方法,有两类密钥恢复技术:密钥封装和密钥托管。
$ key space (I) The range of possible values of a cryptographic key; or the number of distinct transformations supported by a particular cryptographic algorithm. (See: key length.)
$ 密钥空间(I)加密密钥的可能值的范围;或者特定加密算法支持的不同转换的数量。(请参见:键长度。)
$ key translation center (I) A type of key center that implements a key-distribution protocol (based on symmetric cryptography) to convey keys between two (or more) parties who wish to communicate securely. (Compare: key distribution center.)
$ 密钥转换中心(I)一种密钥中心,它实现密钥分发协议(基于对称密码),以便在希望安全通信的两(或更多)方之间传输密钥。(比较:关键配送中心。)
Tutorial: A key translation center transfers keys for future communication between Bob and Alice, who (a) wish to communicate with each other but do not currently share keys, (b) each share a KEK with the center, and (c) have the ability to generate or acquire keys by themselves. Alice generates or acquires a set of keys for communication with Bob. Alice encrypts the set in the KEK she shares with the center and sends the encrypted set to the center. The center decrypts the set, reencrypts the set in the KEK it shares with Bob, and either (a) sends that reencrypted set to Alice for her to forward to Bob or (b) sends it directly to Bob (although direct distribution is not supported in the ANSI standard [A9017]).
教程:钥匙翻译中心为Bob和Alice之间的未来通信传输钥匙,他们(A)希望彼此通信,但目前不共享钥匙,(b)每个人与中心共享一个KEK,以及(c)能够自行生成或获取钥匙。Alice生成或获取一组用于与Bob通信的密钥。Alice对她与中心共享的桶中的集进行加密,并将加密集发送到中心。中心解密该集,在与Bob共享的KEK中重新加密该集,然后(a)将重新加密的集发送给Alice,让她转发给Bob,或者(b)直接发送给Bob(尽管ANSI标准[A9017]不支持直接分发)。
$ key transport (algorithm or protocol) 1. (I) A key establishment method by which a secret key is generated by a system entity in a communication association and securely sent to another entity in the association. (Compare: key agreement.)
$ 密钥传输(算法或协议)1。(一) 一种密钥建立方法,通过该方法,保密密钥由通信关联中的系统实体生成,并安全地发送给该关联中的另一实体。(比较:关键协议。)
Tutorial: Either (a) one entity generates a secret key and securely sends it to the other entity, or (b) each entity generates a secret value and securely sends it to the other entity, where the two values are combined to form a secret key. For example, a message originator can generate a random session key and then use the RSA algorithm to encrypt that key with the public key of the intended recipient.
教程:要么(a)一个实体生成一个密钥并安全地发送给另一个实体,要么(b)每个实体生成一个秘密值并安全地发送给另一个实体,其中两个值组合在一起形成一个密钥。例如,消息发起人可以生成一个随机会话密钥,然后使用RSA算法使用预期收件人的公钥加密该密钥。
2. (O) "The procedure to send a symmetric key from one party to other parties. As a result, all legitimate participants share a common symmetric key in such a way that the symmetric key is determined entirely by one party." [A9042]
2. (O) “从一方向另一方发送对称密钥的过程。因此,所有合法参与者共享一个公共对称密钥,使得对称密钥完全由一方确定。”[A9042]
$ key update 1. (I) Derive a new key from an existing key. (Compare: rekey.)
$ 密钥更新1。(一) 从现有密钥派生新密钥。(比较:重新设置。)
2. (O) Irreversible cryptographic process that modifies a key to produce a new key. [C4009]
2. (O) 修改密钥以产生新密钥的不可逆加密过程。[C4009]
$ key validation 1. (I) "The procedure for the receiver of a public key to check that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks." [A9042] (See: weak key)
$ 关键验证1。(一) “公钥接收者检查密钥是否符合该密钥的算术要求,以阻止某些类型的攻击的过程。”[A9042](参见:弱密钥)
2. (D) Synonym for "certificate validation".
2. (D) “证书验证”的同义词。
Deprecated Usage: IDOCs SHOULD NOT use the term as a synonym for "certificate validation"; that would unnecessarily duplicate the meaning of the latter term and mix concepts in a potentially misleading way. In validating an X.509 public-key certificate, the public key contained in the certificate is normally treated as an opaque data object.
不推荐使用:IDOCs不应将该术语用作“证书验证”的同义词;这将不必要地重复后一术语的含义,并以潜在误导的方式混淆概念。在验证X.509公钥证书时,证书中包含的公钥通常被视为不透明数据对象。
$ keyed hash (I) A cryptographic hash (e.g., [R1828]) in which the mapping to a hash result is varied by a second input parameter that is a cryptographic key. (See: checksum.)
$ 键控散列(I)加密散列(例如,[R1828]),其中到散列结果的映射由作为加密密钥的第二输入参数改变。(请参阅:校验和。)
Tutorial: If the input data object is changed, a new, corresponding hash result cannot be correctly computed without knowledge of the secret key. Thus, the secret key protects the hash result so it can be used as a checksum even when there is a threat of an active attack on the data. There are two basic types of keyed hash: - A function based on a keyed encryption algorithm. Example: Data Authentication Code. - A function based on a keyless hash that is enhanced by combining (e.g., by concatenating) the input data object parameter with a key parameter before mapping to the hash result. Example: HMAC.
教程:如果更改了输入数据对象,则在不知道密钥的情况下,无法正确计算新的相应哈希结果。因此,密钥保护散列结果,因此即使在数据受到主动攻击的威胁时,也可以将其用作校验和。密钥散列有两种基本类型:-基于密钥加密算法的函数。示例:数据身份验证代码。-一种基于无键散列的函数,在映射到散列结果之前,通过将输入数据对象参数与键参数组合(例如,通过连接)来增强该函数。例如:HMAC。
$ keying material 1. (I) Data that is needed to establish and maintain a cryptographic security association, such as keys, key pairs, and IVs.
$ 键控材料1。(一) 建立和维护加密安全关联所需的数据,如密钥、密钥对和IVs。
2. (O) "Key, code, or authentication information in physical or magnetic form." [C4009] (Compare: COMSEC material.)
2. (O) “物理或磁性形式的密钥、代码或身份验证信息。”[C4009](比较:通信安全资料。)
$ keying material identifier (KMID) 1. (I) An identifier assigned to an item of keying material.
$ 键入物料标识符(KMID)1。(一) 分配给键控材料项的标识符。
2. (O) /MISSI/ A 64-bit identifier that is assigned to a key pair when the public key is bound in a MISSI X.509 public-key certificate.
2. (O) /misi/当公钥绑定到misi X.509公钥证书中时分配给密钥对的64位标识符。
$ Khafre (N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]
$ Khafre(N):一种获得专利的对称分组密码,由Ralph C.Merkle设计,作为DES的插件替代。[施恩]
Tutorial: Khafre was designed for efficient encryption of small amounts of data. However, because Khafre does not precompute tables used for encryption, it is slower than Khufu for large amounts of data.
教程:Khafre是为有效加密少量数据而设计的。但是,由于Khafre不预计算用于加密的表,因此对于大量数据,它比Khufu慢。
$ Khufu (N) A patented, symmetric block cipher designed by Ralph C. Merkle as a plug-in replacement for DES. [Schn]
$ Khufu(N):一种获得专利的对称分组密码,由Ralph C.Merkle设计,作为DES的插件替代。[施恩]
Tutorial: Khufu was designed for fast encryption of large amounts of data. However, because Khufu precomputes tables used in encryption, it is less efficient than Khafre for small amounts of data.
教程:胡夫是为快速加密大量数据而设计的。然而,由于Khufu预先计算加密中使用的表,因此对于少量数据,它的效率不如Khafre。
$ KLIF (N) See: key loading and initialization facility.
$ KLIF(N)参见:密钥加载和初始化设施。
$ KMID (I) See: keying material identifier.
$ KMID(I)见:键入材料标识符。
$ known-plaintext attack (I) A cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as knowing the cryptographic algorithm).
$ 已知明文攻击(I)一种密码分析技术,分析员试图根据一些明文-密文对的知识确定密钥(尽管分析员也可能有其他线索,例如知道密码算法)。
$ kracker (O) Old spelling for "cracker".
$ 克拉克(O)是“饼干”的老拼法。
$ KSOS, KSOS-6, KSOS-11 (O) See: Kernelized Secure Operating System.
$ KSOS,KSOS-6,KSOS-11(O)参见:内核化安全操作系统。
$ L2F (N) See: Layer 2 Forwarding Protocol.
$ L2F(N)参见:第2层转发协议。
$ L2TP (N) See: Layer 2 Tunneling Protocol.
$ L2TP(N)参见:第2层隧道协议。
$ label See: time stamp, security label.
$ 标签见:时间戳、安全标签。
$ laboratory attack (O) "Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media." [C4009]
$ 实验室攻击(O)“在实验室环境中使用复杂的信号恢复设备从数据存储介质中恢复信息。”[C4009]
$ LAN (I) Abbreviation for "local area network" [R1983]. (See: [FP191].)
$ LAN(I)“局域网”的缩写[R1983]。(见:[FP191])
$ land attack (I) A denial-of-service attack that sends an IP packet that (a) has the same address in both the Source Address and Destination Address fields and (b) contains a TCP SYN packet that has the same port number in both the Source Port and Destination Port fields.
$ 陆地攻击(I)一种拒绝服务攻击,它发送一个IP数据包,该IP数据包(A)在源地址和目标地址字段中具有相同的地址,并且(b)包含一个在源端口和目标端口字段中具有相同端口号的TCP SYN数据包。
Derivation: This single-packet attack was named for "land", the program originally published by the cracker who invented this exploit. Perhaps that name was chosen because the inventor thought of multi-packet (i.e., flooding) attacks as arriving by sea.
派生:这一单包攻击以“land”命名,该程序最初由发明此漏洞的破解者发布。选择这个名称可能是因为发明家认为多包(即洪水)攻击是通过海上到达的。
$ Language of Temporal Ordering Specification (LOTOS) (N) A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.
$ 时间顺序规范语言(LOTOS)(N)计算机网络协议形式规范的语言(ISO 8807-1990);描述事件发生的顺序。
$ lattice (I) A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.
$ 格(I)有限集及其元素上的偏序,使得每对元素都有一个最小上界和一个最大下界。
Example: A lattice is formed by a finite set S of security levels -- i.e., a set S of all ordered pairs (x,c), where x is one of a finite set X of hierarchically ordered classification levels X(1), non-hierarchical categories C(1), ..., C(M) -- together with the "dominate" relation. Security level (x,c) is said to "dominate" (x',c') if and only if (a) x is greater (higher) than or equal to x' and (b) c includes at least all of the elements of c'. (See: dominate, lattice model.)
示例:晶格由安全级别的有限集合S(即,所有有序对(x,c)的集合S)以及“支配”关系构成,其中x是分层有序分类级别x(1)、非分层类别c(1),…,c(M)的有限集合x之一。当且仅当(a)x大于(高于)或等于x’且(b)c至少包括c’的所有元素时,安全级别(x,c)称为“支配”(x',c’)。(请参见:控制,晶格模型。)
Tutorial: Lattices are used in some branches of cryptography, both as a basis for hard computational problems upon which cryptographic algorithms can be defined, and also as a basis for attacks on cryptographic algorithms.
教程:格在密码学的一些分支中使用,既可以作为定义密码算法的硬计算问题的基础,也可以作为攻击密码算法的基础。
$ lattice model 1. (I) A description of the semantic structure formed by a finite set of security levels, such as those used in military organizations. (See: dominate, lattice, security model.)
$ 晶格模型1。(一) 由一组有限的安全级别(如军事组织中使用的安全级别)形成的语义结构的描述。(请参见:支配、晶格、安全模型。)
2. (I) /formal model/ A model for flow control in a system, based on the lattice that is formed by the finite security levels in a system and their partial ordering. [Denn]
2. (一) /形式模型/系统中的流量控制模型,基于由系统中的有限安全级别及其偏序形成的晶格。[丹尼]
$ Law Enforcement Access Field (LEAF) (N) A data item that is automatically embedded in data encrypted by devices (e.g., CLIPPER chip) that implement the Escrowed Encryption Standard.
$ 执法访问字段(LEAF)(N)自动嵌入由实施托管加密标准的设备(如CLIPPER芯片)加密的数据中的数据项。
$ Layer 1, 2, 3, 4, 5, 6, 7 (N) See: OSIRM.
$ 第1、2、3、4、5、6、7(N)层见:OSIRM。
$ Layer 2 Forwarding Protocol (L2F) (N) An Internet protocol (originally developed by Cisco