Security terminology

This topic includes terms and definitions related to security information.


A
authentication
Verification that a remote client or server is actually who they claim to be. Authenticating ensures that you trust the remote peer to which you are connecting.
B
C
certificate authority (CA)
A trusted authority that issues and manages security credentials called digital certificates.
cipher
Another term for encryption algorithm.
ciphertext
Encrypted text or data.
cracker
A hacker with malicious intent.
cryptography
The science of keeping data secure. Cryptography allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication. Encryption transforms understandable text into an unintelligible piece of data (ciphertext). Decrypting restores the understandable text from the unintelligible data. Both processes involve a mathematical formula or algorithm and a secret sequence of data (the key).

There are two types of cryptography:

  • Symmetric: Communicating parties share a secret key that they use for both encryption and decryption. Also called shared key cryptography.
  • Asymmetric: Each member of a communicating party has two keys: a public key and a private key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. A message that is encrypted with someone's public key can be decrypted only with the associated private key. Alternatively, a server or user can use a private key to "sign" a document and use a public key to decrypt a digital signature. If the hash resulting from the decryption of the signature using the public key matches a real-time hash of the document itself, the signature is considered valid and the document's source is considered verified. Also known as public key cryptography.
D
data confidentiality
Conceals the content of a message, typically by using encryption.
data integrity
Verifies that the contents of a datagram were not changed in transit, either deliberately or due to random errors.
data origin authentication
Verifies that an IP datagram was originated by the claimed sender.
denial of service attack
Also known as a DoS attack. Causes a service, such as a Web server, to become unavailable or unusable by overloading a network with useless IP traffic.
digital certificate
A digital document that validates the identity of the certificate's owner, much as a passport does. A trusted party, called a Certificate Authority (CA), issues digital certificates to users and servers. The trust in the CA is the foundation of trust in the certificate as a valid credential. You can use them for the following:
  • Identification - shows who the user is.
  • Authentication - ensures that the user is who he says he is.
  • Integrity - determines whether the contents of a document have been altered by verifying the sender's digital signature.
  • Non-repudiation - guarantees that a user cannot claim not to have performed some action. For example, the user cannot dispute that he authorized an electronic purchase with a credit card.
digital signature
Equivalent to a personal signature on a written document. A digital signature provides proof of the document's origin. The certificate owner "signs" a document by using the private key that is associated with the certificate. The recipient of the document uses the corresponding public key to decrypt the signature, which verifies the sender as the source.
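The sign-then-verify procedure described in the asymmetric cryptography and digital signature entries above, as an added example that is not part of the original glossary: the signer hashes the document and applies the private key to the digest; the recipient recomputes the hash of what it received and checks it against the digest recovered with the public key. The document text and the key size are constructed for the example; the RSA PKCS#1 v1.5 signature scheme and SHA-256 are assumptions (the glossary names no particular algorithm).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document and signs the digest with the private key.
// Applying the private key to the hash is what the glossary describes as
// "signing" the document; the signature is the result.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the hash of the received document and compares it
// with the hash recovered from the signature using the public key. Any change
// to the document, or a signature made with a different private key, makes
// the two hashes disagree and the verification fails.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Key pair for the signer (constructed for the example; in practice the
	// public key would be distributed inside a CA-issued digital certificate).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	// Constructed sample document.
	doc := []byte("Purchase order 42: 10 units, USD 500")
	sig, err := SignDocument(priv, doc)
	if err != nil {
		panic(err)
	}

	fmt.Println("original document verifies:", VerifyDocument(&priv.PublicKey, doc, sig))

	// Integrity check: a single changed character in transit is detected.
	tampered := []byte("Purchase order 42: 10 units, USD 5000")
	fmt.Println("tampered document verifies:", VerifyDocument(&priv.PublicKey, tampered, sig))

	// Origin check: a signature does not verify under someone else's public key.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies under another party's key:", VerifyDocument(&other.PublicKey, doc, sig))
}
```

The recipient never needs the private key; it only needs the public key, which is why the certificate (and the trust placed in the CA that issued it) is what ties the verified signature to a particular owner.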
Digital Certificate Manager (DCM)
Allows an iSeries™ to be a local Certificate Authority (CA). You can use DCM to create digital certificates for use by servers or users. You can import digital certificates that other CAs issue. You can also associate a digital certificate with an i5/OS™ user profile. You also use DCM to configure applications to use Secure Sockets Layer (SSL) for secure communications.
distinguished name
The name of the person or server to whom a Certificate Authority (CA) issues a digital certificate. The certificate provides this name to indicate certificate ownership. Depending on the policy of the CA that issues a certificate, the distinguished name can include other authorization information.
Domain Name System (DNS)
The set of data used to identify an individual digital certificate holder. Within a Class 1 Digital Certificate, this will be information such as your name and your e-mail address, and the issuer of the digital certificate (VeriSign, Inc.).

When you attach to the Internet, your Internet client uses a DNS server to determine the IP address for the host system with which you want to communicate.
E
encryption
The process of transforming data into a form that is unreadable by anyone who does not have the correct decrypting method and key. Unauthorized parties can still intercept the information. However, without the correct decrypting method and key, the information is incomprehensible.
Enterprise Identity Mapping (EIM)
EIM is a mechanism for mapping (associating) a person or entity to the appropriate user identities in various registries throughout the enterprise. EIM provides APIs for creating and managing these identity mapping relationships as well as APIs used by applications to query this information.
extranet
A private business network of several cooperating organizations located outside the corporate firewall. An extranet service uses the existing Internet infrastructure, including standard servers, e-mail clients, and Web browsers. This makes an extranet more economical than the creation and maintenance of a proprietary network. It enables trading partners, suppliers, and customers with common interests to use the extended Internet to form both tight business relations and a strong communication bond.
F
firewall
A logical barrier between your internal network and an external network, such as the Internet. A firewall consists of one or more hardware and software systems or partitions. It controls the access and flow of information between secure or trusted systems and insecure or untrusted systems.
G
H
hacker
Any unauthorized person who tries to break into your system.
hypertext links
A way of presenting information online with connections (called hypertext links) between one piece of information (called a hypertext node) and another.
Hypertext Markup Language (HTML)
The language that is used to define hypertext documents. Use HTML to indicate how your document should look (such as highlighting and type style) and how it should be linked to other documents or objects.
Hypertext Transfer Protocol (HTTP)
The standard method for accessing hypertext documents.
I
Internet
The worldwide "network of networks" that are connected to each other, together with a suite of cooperating applications that allow computers connected to this "network of networks" to communicate with each other. The Internet provides browsable information, file transfer, remote logon, electronic mail, news, and other services. The Internet is often called "the Net".
Internet client
A program (or user) that uses the Internet to make requests of and to receive results from an Internet server program. Different client programs are available to request different types of Internet services. A Web browser is one type of client program. File transfer protocol (FTP) is another.
Internet host
A computer that is connected to the Internet or an intranet. An Internet host might run more than one Internet server program. For example, the Internet host might run an FTP server to respond to requests from FTP client applications. The same host might run an HTTP server to respond to requests from clients using Web browsers. Server programs typically run in the background (in batch) on the host system.
Internet Key Exchange (IKE) protocol
Provides the automatic negotiation of security associations, as well as the automatic generation and refresh of cryptographic keys as part of virtual private networking (VPN).
Internet name
An alias for an IP address. An IP address is in long numeric form and is difficult to remember, such as 10.5.100.75. You can assign this IP address to an Internet name, such as system1.vnet.ibm.com. An Internet name is also called a fully qualified domain name. When you see an advertisement that says, "Visit our home page", the home page address is the Internet name, not the IP address, because the Internet name is easier to remember. A fully qualified domain name has several parts. For example, system1.vnet.ibm.com has the following parts:
com:
All commercial networks. This part of the domain name is assigned by the Internet authority (an external organization). Different characters are assigned for different kinds of networks (such as com for commercial and edu for educational institutions).
ibm:
The identifier for the organization. This part of the domain name is also assigned by the Internet authority, and it is unique. Only one organization in the world can have the identifier ibm.com.
vnet:
A grouping of systems within ibm.com. This identifier is assigned internally. The administrator of ibm.com can create one or more groupings.
system1:
The name of an Internet host within the vnet.ibm.com group.
Internet server
A program (or set of programs) that accepts requests from corresponding client programs over the Internet and responds to those clients over the Internet. You can think of an Internet server as a site that an Internet client can access or visit. Different server programs support different services, such as the following:
  • Browsing (a "home page" and links to other documents and objects).
  • File transfer. The client can request, for example, to transfer files from the server to the client. The files might be software updates, product listings, or documents.
  • Electronic commerce, such as the ability to request information or order products.
Internet service provider (ISP)
An organization that provides your connection to the Internet in much the same way that your local telephone company provides your connection to worldwide telephone networks.
intranet
An organization's internal network that uses Internet tools, such as a Web browser or FTP.
intrusion detection
A broad term encompassing the detection of many undesirable activities. The objective of an intrusion might be to acquire information that a person is not authorized to have (information theft). The objective might be to cause a business harm by rendering a network, system, or application unusable (denial of service), or it might be to gain unauthorized use of a system as a means for further intrusions elsewhere. Most intrusions follow a pattern of information gathering, attempted access, and then destructive attacks. Some attacks can be detected and neutralized by the target system. Other attacks cannot be effectively neutralized by the target system. Most of the attacks also make use of "spoofed" packets, which are not easily traceable to their true origin. Many attacks now make use of unwitting accomplices, which are machines or networks that are used without authorization to hide the identity of the attacker. For these reasons, detecting information gathering, access attempts, and attack behaviors are vital parts of intrusion detection.
IP address
A unique identifier on a TCP/IP network (the Internet is a very large TCP/IP network). An Internet server typically has an assigned unique IP address. An Internet client might use a temporary but unique IP address that is allocated by the ISP.
IP datagram
A unit of information that is sent across a TCP/IP network. An IP datagram (also called a packet) contains both data and header information, such as the IP addresses of the origin and of the destination machines.
IP filters
Controls what IP traffic to allow into and out of your network by filtering packets according to rules that you define. This protects the secure network from outsiders who use unsophisticated techniques (such as scanning for secure servers) or even the most sophisticated techniques (such as IP address spoofing). You should think of the filtering feature as the base on which the other tools are constructed. It provides the infrastructure in which they operate and denies access to all but the most determined cracker.
IP security (IPSec) protocol
A set of protocols to support secure exchange of packets at the network layer. IPSec is a set of standards that i5/OS and many other systems use to carry out VPNs.
IP spoofing
An attempt to access your system by pretending to be a system (IP address) that you normally trust. The would-be intruder sets up a system with an IP address that you trust. Router manufacturers have worked to build protections into their systems to detect and reject attempts to spoof.
J
K
L
M
N
network address translation (NAT)
Provides a more transparent alternative to the proxy and SOCKS servers. It also simplifies network configuration by enabling networks with incompatible addressing structures to be connected. NAT provides two major functions. First, NAT protects a server by allowing you to hide the server's "true" address behind an address that you make available to the public. For example, it can protect a public Web server that you want to operate from within your internal network. Second, NAT provides a mechanism for internal users to access the Internet while hiding the private internal IP addresses. NAT provides protection when you allow internal users to access Internet services because you can hide their private addresses.
non-repudiation
Provides proof that a transaction occurred, or that you sent or received a message. The use of digital certificates and public key cryptography to "sign" transactions, messages, and documents supports non-repudiation.
O
P
packet
A unit of information that is sent across a TCP/IP network. A packet (also called a datagram) contains both data and header information, such as the IP addresses of the origin and of the destination machines, and includes information about the line protocol, such as Ethernet, token-ring, or frame-relay.
proxy server
A TCP/IP application that re-sends requests and responses between clients on your secure internal network and servers on the untrusted network. The proxy server breaks the TCP/IP connection to hide your internal network information (such as internal IP addresses). Hosts outside your network perceive the proxy server as the source of the communication.
public key infrastructure (PKI)
A system of digital certificates, CAs, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.
Q
R
replay protection
Ensures that an attacker cannot intercept a datagram and play it back at some later time.
S
Secure Sockets Layer (SSL)
Created by Netscape, SSL is the de facto industry standard for session encryption between clients and servers. SSL uses symmetric key encryption to encrypt the session between a server and client (user). The client and server negotiate this session key during an exchange of digital certificates. A different key is created for each client and server SSL session. Consequently, even if unauthorized users intercept and decrypt a session key (that is unlikely), they cannot use it to eavesdrop on current, future, or past SSL sessions.
single sign-on (SSO)
A form of authentication that enables a user to authenticate once and gain access to the resources of multiple systems or applications. See Enterprise Identity Mapping.
sniffing
The practice of monitoring or eavesdropping on electronic transmissions. Information that is sent across the Internet might pass through many routers before it reaches its destination. Router manufacturers, ISPs, and operating system developers have worked very hard to ensure that sniffing cannot occur on the Internet backbone. Incidents of successful sniffing are becoming increasingly rare. Most occur on private LANs that are connected to the Internet, rather than on the Internet backbone itself. However, you need to be aware of the possibility of sniffing because most TCP/IP transmissions are not encrypted.
SOCKS
A client/server architecture that transports TCP/IP traffic through a secure gateway. A SOCKS server performs many of the same services that a proxy server does.
spoofing
Attackers masquerade as a trusted system to try to persuade you to send secret information to them.
T
TCP/IP
The primary communications protocol that is used on the Internet. TCP/IP stands for Transmission Control Protocol/Internet Protocol. You might also use TCP/IP on your internal network.
Trojan horse
A computer program, command, or script that appears to perform a useful and innocent function. However, it contains hidden functions that use approved authorizations assigned to users when they start the program. For example, it might copy your internal authorization information from your computer and send it back to the originator of the Trojan horse.
U
V
virtual private network (VPN)
An extension of an enterprise's private intranet. You can use it across a public network such as the Internet, creating a secure private connection, essentially through a private "tunnel". VPNs securely convey information across the Internet connecting other users to your system. These include:
  • Remote users
  • Branch offices
  • Business partners and suppliers
W
Web browser
The HTTP client application. A Web browser interprets HTML to display hypertext documents for the user. The user can access a hyperlinked object by clicking on (selecting) an area of the current document. That area is often called a hot spot. Internet Connection Web Explorer and Netscape Navigator are examples of Web browsers.
World Wide Web (WWW)
A mesh of interconnected servers and clients that use the same standard format for creating documents (HTML) and accessing documents (HTTP). The mesh of links, both from server to server and from document to document, is metaphorically called the Web.
X
Y
Z