Authentication code

A cryptographic checksum based on an approved security function (also known as a message authentication code, MAC).

Authentication, electronic

The process of establishing confidence in user identities electronically presented to an information system.

Authentication header (AH)

An Internet Protocol (IP) header used to provide connectionless integrity and data-origin authentication for IP datagrams.

Authentication-header (AH) protocol

IPsec security protocol that can provide integrity protection for packet headers and data through authentication.

Authentication key (WMAN/WiMAX)

An authentication key (AK) is a key exchanged between the base station (BS) and the subscriber station or mobile station (SS/MS) so that they can authenticate one another before the traffic encryption key (TEK) exchange.

Authentication mechanism

A hardware- or software-based mechanism that forces users to prove their identity before accessing data on a device.

Authentication mode

A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

Authentication period

The maximum acceptable period between any initial authentication process and subsequent re-authentication process during a single terminal session or during the period data are accessed.

Authentication process

The actions involving (1) obtaining an identifier and a personal password from a system user; (2) comparing the entered password with the stored, valid password that is issued to, or selected by, the person associated with that identifier; and (3) authenticating the identity if the entered password and the stored password are the same. Note: If the enciphered password is stored, the entered password must be enciphered and compared with the stored ciphertext, or the ciphertext must be deciphered and compared with the entered password. This is a technical and preventive control.

Authentication protocol

(1) A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has control of a valid token to establish his identity, and optionally, demonstrates to the claimant that he is communicating with the intended verifier. (2) A well-specified message exchange process that verifies possession of a token to remotely authenticate a claimant. (3) Some authentication protocols also generate cryptographic keys that are used to protect an entire session so that the data transferred in the session is cryptographically protected.

Authentication tag

A pair of bit strings associated with data to provide assurance of its authenticity.

Authentication token

Authentication information conveyed during an authentication exchange.

Authenticator

The means used to confirm the identity of a user, processor, or device (e.g., user password or token).

Authenticity

(1) The property that data originated from its purported source. (2) The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.

Authorization

(1) The privilege granted to an individual by management to access information based upon the individual’s clearance and the need-to-know principle. (2) The determination of whether a subject is trusted to act for a given purpose (e.g., allowed to read a particular file). (3) The granting or denying of access rights to a user, program, or process. (4) The official management decision to authorize operation of an information system and to explicitly accept the risk to organizational operations, assets, or individuals, based on the implementation of an agreed-upon set of security controls. (5) The permission to do something with information in a computer, such as read a file. Authorization comes after authentication. This is a management and preventive control.

Authorization boundary

All components of an information system to be authorized for operation. This excludes separately authorized systems to which the information system is connected. Synonymous with information system boundary.

Authorization key pairs

Authorization key pairs are used to provide privileges to an entity. The private key is used to establish the “right” to the privilege; the public key is used to determine that the entity actually has the right to the privilege.

Authorization principle

The principle whereby allowable actions are distinguished from those that are not.

Authorization process

The actions involving (1) obtaining an access password from a computer system user (whose identity has already been authenticated, perhaps using a personal password), (2) comparing the access password with the password associated with protected data, and (3) authorizing access to data if the entered password and stored password are the same.

Authorized

A system entity or actor that has been granted the right, permission, or capability to access a system resource.

Automated key transport

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

Automated password generator

An algorithm that creates random passwords that have no association with a particular user.

Automated security monitoring

The use of automated procedures to ensure that security controls are not circumvented. This is a technical and detective control.

Availability

(1) Ensuring timely and reliable access to and use of information by authorized entities. (2) The ability for authorized entities to access systems as needed.

Avoidance control

The separation of assets from threats or threats from assets so that risk is minimized. Also, resource allocations are separated from resource management.

Awareness (information security)

Activities that seek to focus an individual’s attention on an information security issue or set of issues.

B

B2B

Business-to-business (B2B) is an electronic commerce model involving sales of products and services among businesses (e.g., HP to Costco, EDI, ASP, and exchanges and auctions). Both B2B and B2C e-commerce transactions can take place using m-commerce technology. Reverse auctions are practiced in B2B or G2B e-commerce.

B2C

Business-to-consumer (B2C) is an electronic commerce model involving sales of products and services to individual shoppers (e.g., Amazon.com, Barnesandnoble.com, stock trading, and computer software/hardware sales). Both B2B and B2C e-commerce transactions can take place using m-commerce technology.

Backbone

A central network to which other networks connect. It handles network traffic and provides a primary path to or from other networks.

Backdoor

A malicious program that listens for commands on a certain Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port. Synonymous with trapdoor.

Backup

A copy of files and programs made to facilitate recovery if necessary. This is an operational and preventive control and ensures the availability goal.

Backup computer facilities

A computer (data) center having hardware and software compatible with the primary computer facility. The backup computer is used only in the case of a major interruption or disaster at the primary computer facility. It provides the ability to continue computer operations when needed, and should be established by a formal agreement. More generally, a duplicate of a hardware system, of software, of data, or of documents, intended as a replacement in the event of malfunction or disaster.