DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group
Glossary
This Glossary is intended to assist understanding and is not a substantive
part of this specification.
access
The interaction of a subject with an object. See
Subjects and Objects, Privilege and Authorisation
.
access control list (ACL)
The list, attached to a protected object, of subjects and the permissions each
of them holds to that object; conceptually one column of the matrix whose rows
are subjects and whose columns are objects. See
Access Control Lists (ACLs)
and
Subjects and Objects, Privilege and Authorisation
.
access determination algorithm
The algorithm in an ACL manager that determines whether the server should
grant or deny access. See
ACL Managers, Permissions, Access Determination Algorithms
.
ACL manager
A module within an RPC server that interprets ACLs. See
ACL Managers, Permissions, Access Determination Algorithms
.
a priori trusted entity
One of a small number of objects whose trust is assumed. See
Untrusted Environments: A Priori Trust and Trust Chains
.
asserted
Sent to the server without authentication. See
Privilege (Authorisation) Service (PS)
.
assured service
The state of being available and obtainable for use when needed. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
attribute
A security aspect of a computer installation that must be protected. Security
attributes studied in this specification include authenticity,
confidentiality and integrity. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
attribute encoding type
A specifier of the data format (integer, string, uuid) of an attribute value.
See
Attribute Encodings
.
attribute instance
An attribute type uuid and value created according to the attribute type's
semantics and attached to a registry object. Also called attribute
or ERA.
See
Access Control for Attribute Types
.
attribute schema
A collection of attribute type definitions or schema entries. Also called
a schema. See
Attribute Schema
.
attribute set
An attribute instance with encoding type attr_set. Its value is a list
of attribute type UUIDs that identify member attributes of this set.
Attribute sets are created for the purpose of efficient queries of
related attributes. See
Attribute Sets
.
attribute type
The description of the identifiers (such as name and UUID) and semantics
(such as encoding type and access control parameters) of instances of
this type. See
Access Control for Attribute Types
and
Well-Known Attribute Types
.
attribute type UUID
A DCE UUID that uniquely identifies an attribute type. Also called
attribute type ID or attribute ID. See
Schema Entries
and
Well-Known Attribute Types
.
attribute value
The data in an attribute instance.
authenticity
The state of genuinely representing reality, of actually representing that
which is alleged to be represented. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
authorisation
The state of being granted privilege to access an object. See
Subjects and Objects, Privilege and Authorisation
.
authorisation data
The portion of a Kerberos ticket that contains data necessary for
authorisation decisions. It is sometimes abbreviated Auth_Data
or A_D.
authority
An entity that is trusted to know the secrets of objects other than itself.
See
Untrusted Environments: A Priori Trust and Trust Chains
.
call chain
The chain of operations (RPC calls) leading from an initiator to the
final target.
cell
The unit of partition of the network TCB.
For security purposes, a cell is an instance of the three security
services, termed the RS/KDS/PS triple, of the security environment.
As such, each instance defines a separate cell.
See
DCE Security Model
.
cell principal
The KDS server principal that represents a cell; tickets for that cell's KDS
are targeted to it. See
Kerberos Key Distribution (Authentication) Service (KDS)
.
certify
To convince a subject of the security of a credential. See
Untrusted Environments: A Priori Trust and Trust Chains
.
Certification of login is an optional process undertaken to thwart a type of
multi-prong attack described in
Further Discussion of Certification
.
client
An object acts as a client when it sends an RPC to another object.
compromised
Said of a resource whose security attributes are not adequately protected.
See
Security Attributes: Authenticity, Integrity, Confidentiality
.
confidentiality
The state of being disclosed only to authorised subjects, that is, of not
being improperly revealed. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
container object
An object that contains other objects. See
Object Types, ACL Types, and ACL Inheritance
.
credential
An object containing security information about a subject. See
Untrusted Environments: A Priori Trust and Trust Chains
.
cryptography
The science of using secrets to implement security mechanisms.
Cryptanalysis
is the art of analysing cryptographic mechanisms. The two together are
cryptology.
See
Distributed Security: Secrets and Cryptology
.
data encryption standard (DES)
A symmetric block cipher, standardised in 1977 and in use since the late 1970s,
with a 64-bit block and a 56-bit key. At the time of this specification it was
generally considered secure; its 56-bit key is now too short to resist
brute-force search, so it should not be relied on for new deployments. See
Data Encryption Standard (DES)
.
current login context
The login context automatically inherited by child processes. See
Login Facility and Security Client Daemon (SCD)
.
decode/decrypt
The inverse process of encoding or encryption, respectively. See
Encoding/Decoding and Encryption/Decryption of Messages
.
denial of service
The state of being unavailable or unobtainable for use when needed. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
delegation
The projection of an initiator's identity to another identity in a
manner permitting the other identity to operate on behalf of the
initiator.
delegate restrictions
Limits placed upon who may act as an intermediary for a particular
identity. See
intermediary.
delegation token
A checksum over the extended PAC (EPAC) data, encrypted in the PS's key,
placed in the A_D field of a PTGT by the privilege server when
enabling delegation and when generating a new delegation chain or
impersonated identity. See
impersonation
for the context in which this identity is used.
delegation type
Either traced delegation or impersonation (only one of
which is valid for a given login context).
direct requestor
The client that operates directly on a given target. See
target.
distributed environment
An environment in which the notion of communication is an explicit model
primitive. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
distributed time service (DTS)
A secure source of time information which is part of the network TCB. See
Integration with Time Services
.
domain
The scope of a security policy. See
Policy versus Service versus Mechanism
.
encode
To semantically represent a message by an utterance, where the mapping between
message and utterance is not secret. See
Encoding/Decoding and Encryption/Decryption of Messages
.
encrypt
To syntactically represent a message by an utterance, where the mapping
between message and utterance is secret. Typically, the encoding of the
message is not secret. See
Encoding/Decoding and Encryption/Decryption of Messages
.
endianness
An attribute of bit-sequences and byte-sequences on a machine architecture
that determines whether the most significant element of the sequence occurs at
the high address or at the low address. See
Integer Representations (Endianness)
.
EPAC
An Extended PAC, available in DCE 1.1 and newer versions, that can contain
specified ERAs in addition to the principal's identity and group
memberships. A delegation chain is expressed by concatenating the EPACs
for the series of principals involved in an operation. See
Privilege (Authorisation) Service (PS)
.
environment_set
A set of attributes known to the server; a "well-known" ERA.
The use of the term environment in this document is intended to
represent aspects of a login session that are associated with a
client principal but whose values are derived from the point of
entry the client uses for access. These "environment attributes"
can have static values, in which case the value is specified by an
administrator when defining a point of entry for a host machine and
stored in an ERA. Or they can be dynamic, in which case their value is
derived at the time of the specific login attempt and assigned
to an ERA through the login process.
ERA
Extended Registry Attribute, an attribute (user defined) in the DCE
Security Registry (Registry database). It is attached to a registry object,
and created using the interfaces defined in this specification.
(Also called attribute.)
Each ERA has a schema entry that is the data dictionary entry
defining the attribute type. Instances of the attribute containing
values can be attached to principal, group, organisation or policy nodes
in the Registry database.
See
Extended Registry Attribute Facility
.
ERA Database
The portion of the Registry database that contains extended registry
attribute information, including schema entries and attribute instances.
See
Extended Registry Attribute Facility
.
final target
The last object in a call chain.
helpstring
A human-readable string explaining the semantics of a permission in greater
detail than does the
printstring.
See
ACL Managers, Permissions, Access Determination Algorithms
.
home cell
The cell in whose registry a given principal's security information is held.
See
DCE Security Model
.
insecure
Said of a resource whose security attributes are not adequately protected.
See
Security Attributes: Authenticity, Integrity, Confidentiality
.
integrity
The state of being unimpaired. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
item
An element of the registry datastore. See
Registration Service (RS) and RS Editors
.
immediate target
The object upon which a client performs an operation directly.
impersonation
Transmission of an initiator's identity such that the identities of
participants in a call chain are not preserved.
initiator
The initial client in a call chain.
integrator
A person responsible for porting applications. This person is familiar
with both the application to be ported and with the site into which
the application is being added. This role involves modifying and
recompiling source code.
intermediary
A server acting on behalf of an initiator, via delegation or impersonation,
making requests to another target server.
intermediate service
See intermediary.
Kerckhoffs' Doctrine
The idea that the entire algorithm need not be secret, provided a key is. See
Key-based Security: Kerckhoffs' Doctrine
.
key
A parameter to an encryption algorithm that suffices to make encryption secure
even if the algorithm is not secret. See
Key-based Security: Kerckhoffs' Doctrine
.
derived key
A key derived from user input, usually a password combined with a
"confounder" or "salt". Its effective strength is bounded by the entropy of
the password, not by the nominal key size.
strong key
A key that is random and uses the full key size. Such keys are
harder for an intruder to break than derived keys.
key management facility
A module that manages long-term cryptographic keys. See
Key Management Facility
.
login
A procedure that obtains and validates a login name to provide context for
subsequent operations.
This specification does not specify a login program or login command, but
Login Facility and Security Client Daemon (SCD)
does list the typical behaviour of such a program or command.
login_set
A set of attributes known to a server, a "well-known" ERA.
This set of attributes consists of client specific information
derived from the identity of a client. These login attributes
can have static values, in which case the value is specified by the
administrator when defining a user and stored in an ERA. Or they can
be dynamic, in which case their values are derived at the time of
the specific login attempt and assigned to an ERA through
the login process.
message
Data in communication. See
Encoding/Decoding and Encryption/Decryption of Messages
.
multi-prong attack
A security attack consisting of a counterfeit login and, simultaneously,
malicious RPC servers masquerading as KDS, PS, RS and SCD servers. Defeated
by certifying the login, as described in
Further Discussion of Certification
.
multi-valued attribute
A collection of attribute instances of the same attribute type attached
to a single registry object. See
Unknown Intercell Action Attribute
and
The use_defaults Algorithm
.
name-based authorisation
A primitive authorisation alternative specified in
Name-based versus PAC-based Authorisation
but whose use is discouraged.
network login context
The information necessary for a subject to become a client. See
Login Facility and Security Client Daemon (SCD)
.
network TCB
Three trusted network services: a Registry, a Key Distribution Service, and a
Privilege Service. See
DCE Security Model
.
object
The passive aspect of entities whose security attributes are to be protected.
See
Subjects and Objects, Privilege and Authorisation
.
PAC
Privilege Attribute Certificate; the portion of a principal's DCE 1.0
security credentials that provides information about the principal's
identity (UUID) and privileges (group memberships). See
Privilege (Authorisation) Service (PS)
.
pickle
A representation of a data type suitable for storage in the absence of a
communications context. See
(IDL/NDR) Pickles
.
policy
Requirements or rules an organisation places on the security attributes of its
assets. See
Policy versus Service versus Mechanism
.
policy object
The registry data node, with the well-known name "policy" (under
the Security junction point, usually /.:/sec), representing
registry-wide policy information. Attributes related to cell-wide
security policy should be created on the policy object. See
Schema Entries
.
printstring
A human-readable string identifying a permission. See
ACL Managers, Permissions, Access Determination Algorithms
.
privilege attribute
That portion of a client's credentials a server uses in access control
decisions. See
Privilege (Authorisation) Service (PS)
.
privilege attribute certificate (PAC)
A certificate specifying the attributes of a client that a server uses to
grant or deny access to its protected objects. See
DCE Security Model
.
quota
The maximum total number of PGO items plus accounts that may be added to the
registry datastore. See
The rs_pgo RPC Interface
.
PTGT
Privilege Ticket Granting Ticket.
realm
The scope of a security policy.
From the strict perspective of security, a cell is also known as
a realm in that it is the security domain of the network TCB.
See
Policy versus Service versus Mechanism
.
reference monitor
A trusted subject or entity that mediates all access to a protected object.
See
Untrusted Environments: A Priori Trust and Trust Chains
.
registry object
A data node in the Registry database. Registry objects are of the object
types: principal, group, org, directory, policy, replist (replica list),
and attr_schema. There are many nodes of the principal, group, org and
directory types. There is only one node each for the policy, replist
and attr_schema types. See
Extended Registry Attribute Facility
.
replay attack
A security attack consisting of a retransmission of an intercepted message for
the purpose of claiming to be the original sender. Thwarted by use of
timestamps, as described in
Integration with Time Services
. Because a timestamp can only be checked to within the permitted clock skew,
a server must also remember the messages it has accepted during that window
and reject a second copy of any of them.
schema
See attribute schema.
schema entry
A record containing the identifiers and characteristics of an attribute
type. A schema entry is essentially an attribute type definition. See
Schema Entries
.
schema object
The Registry data node, with the well-known name "xattrschema" (under
the Security junction point, typically /.:/sec), containing the
attribute schema information. Also called the attribute schema object.
See
Attribute Schema
.
secret
The smallest object whose security is considered tantamount to the security of
larger objects by means of trust chains. See
Untrusted Environments: A Priori Trust and Trust Chains
.
secure
Said of a resource whose security attributes are adequately protected. See
Security Attributes: Authenticity, Integrity, Confidentiality
.
service
A tool available to enforce a security policy. See
Policy versus Service versus Mechanism
.
session
An interaction between an identified client and a server for a finite time,
subject to discrete authentication. See
DCE Security Model
.
signature
A keyed cryptographic checksum of a message. In this specification a
signature is a symmetric keyed checksum, which any holder of the key can
produce and verify, not a public-key digital signature. See
Message Digests 4 and 5 (MD4, MD5)
.
simple object
An object that does not contain other objects. See
Object Types, ACL Types, and ACL Inheritance
.
site administrator
A person responsible for maintaining user accounts and installing
new software packages. This role does not involve any source
code modification.
strength
An algorithm's resistance to cryptanalysis. See
Key-based Security: Kerckhoffs' Doctrine
.
subject
The active aspect of entities that interact with objects. See
Subjects and Objects, Privilege and Authorisation
.
target
Any object that is downstream in a call chain from a given client or
intermediary.
target restrictions
A bound upon the set of targets to whom the client's identity
may be projected.
ticket
A credential certificate representing the authenticated identity of a client.
See
DCE Security Model
.
traced delegation
A form of delegation that preserves the identities of each participant
in a call chain.
transit path
The ordered sequence of KDS servers that vouch for a ticket. See
Kerberos Key Distribution (Authentication) Service (KDS)
.
trigger
A remote operation, associated with an attribute type, that is executed
when attributes of that type are either queried or updated.
See
Attribute Triggers
.
trigger type
A classification, either "query" or "update", on a trigger that
identifies on which attribute operation the trigger will be invoked.
See
Trigger Binding
.
trust
Said of a subject that believes an object is secure. See
Knowledge versus Belief; Trust
.
trusted computing base
The fundamental core set of hardware and software that must be trusted.
This set is abbreviated (TCB) in this document, and is also referred
to as the network TCB.
See
Untrusted Environments: A Priori Trust and Trust Chains
.
validated login
A login context whose information has been decrypted and is trusted by the
associated principal or account. See
Login Facility and Security Client Daemon (SCD)
.
weak password
A password derived from dictionary words or other predictable input. Users
typically choose such passwords, and they are far easier to guess than
randomly generated ones. Not to be confused with a weak key, a term that
refers to the few specific DES keys whose key schedule yields identical
round subkeys, so that encrypting twice under the key returns the plaintext.
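The following is an added illustration of the "derived key", "strong key" and "weak password"/"weak key" entries above; it is not code from the DCE specification. DCE's own string-to-key routine is not reproduced: PBKDF2-HMAC-SHA256 from the Python standard library stands in for "password plus salt gives key". The salt, password and wordlist are constructed for the example, and the weak-key table lists only the four DES weak keys (not the semi-weak pairs).

```python
"""Derived keys versus strong (random) keys, plus a DES weak-key check.

Added example, not part of the DCE specification. PBKDF2-HMAC-SHA256 is
an assumed stand-in for DCE's string-to-key; SALT and WORDLIST are
constructed sample data.
"""
import hashlib
import secrets

KEY_LEN = 8  # a DES key is 8 bytes: 56 key bits plus 8 parity bits

# The four DES weak keys in odd-parity form. Their key schedule produces
# identical round subkeys, so E_k(E_k(x)) == x.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def set_odd_parity(key: bytes) -> bytes:
    """Apply the DES convention: each key byte has odd parity, LSB is the parity bit."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))  # make the total bit count odd
    return bytes(out)


def is_des_weak_key(key: bytes) -> bool:
    """True if the key (after parity adjustment) is one of the DES weak keys."""
    return set_odd_parity(key) in DES_WEAK_KEYS


def derived_key(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Password-derived key: deterministic for a given password and salt.

    The salt makes the same password yield different keys in different
    contexts, but the key space an attacker must search is still only the
    set of passwords the user might have chosen.
    """
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_LEN)
    return set_odd_parity(raw)


def strong_key() -> bytes:
    """Random key using the full key size, re-drawn if it lands on a weak key."""
    while True:
        k = set_odd_parity(secrets.token_bytes(KEY_LEN))
        if not is_des_weak_key(k):
            return k


def guess_password(target_key: bytes, salt: bytes, wordlist, iterations: int = 50_000):
    """Dictionary attack on a derived key: a weak password falls to a short wordlist."""
    for word in wordlist:
        if derived_key(word, salt, iterations) == target_key:
            return word
    return None


# Constructed sample data for the example.
SALT = b"example-salt-0001"
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    k = derived_key("hunter2", SALT)
    print("derived key :", k.hex(), "recovered as", guess_password(k, SALT, WORDLIST))
    print("strong key  :", strong_key().hex(), "(not weak, odd parity per byte)")
    print("all-zero key is weak:", is_des_weak_key(bytes(8)))
```

The point the two glossary entries make is visible in the last function: a random key of the full size has to be found by searching the whole key space, whereas a password-derived key is found by searching the password space, however much salting and iteration the derivation applies.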
Please note that the html version of this specification
may contain formatting aberrations. The definitive version
is available as an electronic publication on CD-ROM
from The Open Group.