Glossary

Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits used for keys). 3DES is suitable for bulk data encryption.

Authentication, Authorization, and Accounting server. An AAA server provides authentication, authorization, and accounting services of user network access at the entry points to a network. HP-UX provides AAA servers based on the RADIUS protocol and Diameter Base protocol.

Access Control List. A list or database that defines what resources users or other principals can access, and the type of access allowed.

Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec supports AES with a 128-bit key. AES is suitable for bulk data encryption.

Authentication Header. The AH provides data integrity, system-level authentication and can provide antireplay protection. AH is part of the IPsec protocol suite.

The selective recording of events for the analysis and detection of security breaches. The HP-UX auditing system provides a mechanism to audit users and processes.

The process of verifying the identity of a subject (a user, host, device or other entity in a computer network). Authentication is often a prerequisite to allowing access to resources in a system. Alternatively, the process of verifying the integrity of data, or the identity of the party that sent data.

The process of evaluating access control information and determining if a subject (a user, host, device, or other entity in a computer network) is allowed to perform an operation on a particular resource, or object. Authorization is typically performed after a subject's identity is authenticated.

In the context of RBAC, authorization specifically refers to the pairing of an operation with an object, and is also referred to as permission. See RBAC.

A computer system that protects an internal network from intruders. See also firewall and hardened system.

A method to attack a system by causing process errors, or by causing a process to execute malicious code. This is typically achieved by overflowing an input buffer in the stack. This causes a memory violation or other error that causes the process to terminate, or causes the process to execute malicious code. See also stack buffer overflow attack.

Certificate Authority. A trusted third-party that authenticates users and issues certificates. In addition to establishing trust in the binding between a user's public key and other security-related information in a certificate, the CA digitally signs the certificate information using its private key.

A security certificate associates (or binds) a public key with a principal—a particular person, system, device, or other entity. The security certificate is issued by an entity, in whom users have put their trust, called a Certificate Authority (CA), which guarantees or confirms the identity of the holder (person, device, or other entity) of the corresponding private key. The CA digitally signs the certificate with the CA's private key, so the certificate can be verified using the CA's public key.The most commonly used format for public-key certificates is the International Organization for Standardization (ISO) X.509 standard, Version 3.

A form of authentication where the authenticator sends a random value, the challenge, to the user or principal being authenticated. The user sends back a response based on the challenge value and a shared secret value previously established with the authenticator, such as an MD5 hash value.

Unlike a regular password exchange, the challenge-response dialog varies, so an intruder cannot replay the user's response to gain authentication.

A method restricting the files and directories accessible by a process and users of that process. The process starts in a specified base directory (the root), and cannot access any directories or files above the root directory.

A method of isolating various components of the system from one another. When configured properly, components are an effective method to safeguard the HP-UX system and the data that resides upon it.

A mechanism or set of mechanisms to restrict the access rights of processes.

In the context of RBAC, containment is a combination of mandatory access control and fine-grained privileges. See RBAC.

Certificate Revocation List. Certificates are issued with a specific lifetime, defined by a start date/time and an expiration date/time. However, situations can arise, such as a compromised key value, that necessitate the revocation of the certificate. In this case, the certificate authority can revoke the certificate. This is accomplished by including the certificate's serial number on a CRL updated and published on a regular basis by the CA and made available to certificate users. See CA.

The process of encoding normal data (or cleartext) data so it can only be decoded by holders of specific information.

See DES.

An attack where a system is prevented from responding to network packets so the system cannot service requests. Denial of service attacks may be implemented by flooding a vulnerable system with false requests that consume a large number of resources. Denial of service attacks are often used with host spoofing to keep the spoofed host (the host with the IP address the spoofer is assuming) from participating in the exchange between the spoofer and the system the spoofer is trying to access.

Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. DES is suitable for bulk data encryption.

DES has been cracked (data encoded using DES has been decoded by a third party).

A protocol that provides authentication, authorization, and accounting (AAA) services based on the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with improved reliability, security and infrastructure. See also RADIUS.

A public-key method to generate a symmetric key where two parties can publicly exchange values and generate the same symmetric key. Start with prime p and generator g, which may be publicly known (typically these numbers are from a well-known Diffie-Hellman Group). Each party selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). They exchange the public values. Each party then uses its private value and the other party's public value to generate the same symmetric key, (g**a)**b mod p and (g**b)**a mod p, which both evaluate to g**(a*b) mod p for future communication.

The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle or third-party attacks (spoofing) attacks. For example, Diffie-Hellman may be used with certificate or preshared key authentication.

Digital signatures are a variation of keyed hash algorithms that use public/private key pairs. The sender uses its private key and the data as input to create a Digital Signature value.

Extensible Authentication Protocol. A protocol that provides a framework for using multiple authentication methods and protocols, including passwords, Kerberos, and challenge-response protocols.

The process of converting data from a readable format to nonreadable format for privacy. Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.

Encapsulating Security Payload. This is part of the IPsec protocol suite. The ESP provides confidentiality (encryption) and an antireplay service. It should be used with authentication, either with the optional ESP authentication field (authenticated ESP) or nested in an authentication header message. Authenticated ESP also provides data origin authentication and connectionless integrity. When used in tunnel mode, ESP also provides limited traffic flow confidentiality.

An action, such as creating a file, opening a file, or logging in to the system.

A mechanism for screening unwanted objects, or the parameters that specify the objects allowed or denied access. Typically, a filter is used to screen unwanted network packets (a packet filter).

A permission to perform a specific, low-level operation (for example, permission to execute a specific system call).

One or more devices or computer systems used as a barrier to protect a network against unwanted users or harmful, intrusive applications. See also bastion host and hardened system.

A computer system with minimal operating system features, users, and applications that is used as a barrier to protect a network against unwanted users or harmful, intrusive applications. Also referred to as a bastion host.

Hashed Message Authentication Code. See also MAC.

The Internet Key Exchange (IKE) protocol is part of the IPsec protocol suite. IKE is used before the IPsec ESP or AH protocol exchanges to determine which encryption and/or authentication services will be used. IKE also manages the distribution and update of the symmetric (shared) encryption keys used by ESP and AH. See also ESP and AH.

IPSec policies specify the rules according to which data is transferred securely. IPSec policies generally contain packet filter information and an action. The packet filter is used to select a policy for a packet and the action is applied to the packets using the policy

A network authentication protocol designed to provide strong authentication for client or server applications. Kerberos allows users to authenticate themselves without transmitting unencrypted passwords over the network.

The LDAP protocol provides network directory access. LDAP uses a directory structure similar to the OSI X.500 directory service, but stores data as strings and uses the TCP/IP network stack instead of the OSI network stack.

A message authentication code (MAC) is an authentication tag, also called a checksum, derived by application of an authentication algorithm, together with a secret key, to a message. MACs are computed and verified with the same key so they can only be verified by the intended receiver, unlike digital signatures.

Hash function-based MACs (HMACS) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message. An example is the keyed-MD5 method of message authentication.

MACs can also be derived from block ciphers. The data is encrypted in message blocks using DES CBC and the final block in the ciphertext is used as the checksum. The DES-CBC MAC is a widely used US and international standard.

Manually configured cryptographic keys for IPSec. An alternative to using the Internet Key Exchange (IKE) protocol to generate cryptographic keys and other information for IPSec Security Associations (SAs).

Message Digest-5. Authentication algorithm developed by RSA. MD5 generates a 128-bit message digest using a 128-bit key. IPSec truncates the message digest to 96 bits.

Network Address Translation. A method to allow multiple systems in an internal, private network share one public internet IP address. A NAT gateway replaces (translates) internal IP addresses and ports to its public IP address when forwarding packets from the internal network to the public internet and performs the reverse translation for the return path.

A system or network resource such as a system, file, printer, terminal, database record. In the context of authorization, authorization is granted for a subject's operation on an object.

A specific mode of access to one or more objects. For example, writing to a file. In the context of authorization, authorization is granted for a subject's operation on an object.

A key exchange using a secure communication channel that is outside of normal computer communication channels, such as a face-to-face meeting or telephone call.

A filter used to select or restrict network packets. Packet filters specify network packet characteristics. Packet filters typically specify source and destination IP addresses, upper-layer protocols (such as TCP or UDP), and TCP or UDP port numbers. Packet filters may also define other packet fields, such as IPv6 header types, upper-layer message types (for example, ICMP message types), and TCP connection states.

Pluggable Authentication Module. An authentication framework that allows system administrators to configure services for authentication, account management, session management, and password management for HP-UX utilities, such as the system login utility.

With Perfect Forward Secrecy, the exposure of one key permits access only to data protected by that key.

A cryptographic value agreed upon by two systems for encryption or authentication. The key is exchanged prior to computer data communication, typically using an out-of-band key exchange (such as a verbal, face-to-face exchange). See also shared key cryptography.

A person, system, device or other entity.

A permission to perform an action on a computer system.

A cryptographic method using two mathematically related keys (for example, k1 and k2) such that data encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2.

One key must be private (known only to the owner), but the second key can be widely known (public), which makes key distribution easy to manage. Public key encryption is computationally expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually used to authenticate data.

Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private key cryptography.

The Remote Authentication Dial-In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a network access device and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access.

The RADIUS protocol provides only the framework for the authentication exchange and can be used with numerous authentication methods.

Role-Based Access Control. An HP-UX mechanism to provide fine-grained access to system resources, commands, and system calls. Users are assigned to roles and users are granted privileges for access according to roles.

A job function, within the context of an organization, with associated semantics regarding the authority and responsibility given to users assigned to the role.

Rivest, Shamir, and Adelman. Public-private key cryptosystem that can be used for privacy (encryption) and authentication (signatures). For encryption, system A can send data encrypted with system B's public key. Only system B's private key can decrypt the data. For authentication, system A sends data with a digital signature, a digest or hash encrypted with system A's private key. To verify the signature, system B uses system A's public key to decrypt the signature and compare the decrypted hash or digest to the digest or hash that it computes for the message.

Simple Authentication and Security Layer. A protocol used to add authentication services to connection-based network applications. The SASL API provides a flexible framework that allows programmers to use a common interface to access multiple authentication services.

Secure Hash Algorithm-1. An authentication algorithm that generates a 160-bit message digest using a 160-bit key.

A structure to provide additional security for user passwords. The shadow password structure (spwd) contains encrypted user passwords and other information used with the passwd structure. The shadow password structure is stored in a file that is usually readable only by privileged users.

A cryptographic method where two parties use the same key (the two parties share the same key) for encrypting or authenticating data. To provide data privacy or authentication, only the two parties can know the key value (the key must be private). Shared key cryptography is more efficient than public-private key cryptography for encrypting data, so it is often used for bulk data encryption. However, distributing or establishing the shared key requires an out-of-band key exchange (such as a face-to-face verbal exchange), Diffie-Hellman exchange, or other mechanism.

Also referred to as private key cryptography or symmetric key cryptography.

Secure Shell. A set of network services that provides secure replacements for remote login, file transfer, and remote command execution. SSH also provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client.

Secure Sockets Layer. A protocol used to encrypt network data. The SSL protocol is above TCP in the data stack. SSL uses public/private keys to authenticate principals and exchange a private (shared) key. SSL then uses the private key to encrypt data.

A method to attack a system by causing a process to execute malicious code. This is typically achieved by overflowing an input buffer in the stack to insert malicious code and then modifying the stack pointer to execute the malicious code. See also buffer overflow attack.

A type of packet filtering that uses upper-layer protocol fields and state information, such as TCP connection states.

A user, host, device or other entity in a computer network. In the context of authorization, the originator of an operation on an object requiring an authorization decision.

In a third-party attack, the attacker intercepts packets between two attacked parties, A and B. A and B assume they are exchanging messages with each other, but are exchanging messages with the third party. The attacker assumes the identity of A to exchange messages with B, and assumes the identity of A to exchange messages with B. Also referred to as man-in-the-middle attack.

Extending a trust relationship through other trusted entities. If A and B both trust C, A and B can trust each other using a transitive trust relationship through C. In a hierarchical structure, A and B can establish a transitive trust relationship if they can establish a chain-of-trust to a common root.

Virtual Private Network. A private network within a public network, such as the global Internet. A VPN is virtual because it uses tunnels to effectively create a separate logical network within a physical network. A VPN is private because outside users cannot see or modify the data being transmitted. VPNs that use host identity authentication also provide protection against IP address spoofing.