DCE 1.1: Authentication and Security Services

DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

Glossary

This Glossary is intended to assist understanding and is not a substantive part of this specification.

access

The interaction of a subject with an object. See Subjects and Objects, Privilege and Authorisation .

access control list (ACL)

The matrix of pairs of subjects and objects, whose entries consist of the subjects' permissions to the objects. See Access Control Lists (ACLs) , Subjects and Objects, Privilege and Authorisation and Access Control Lists (ACLs) .

access determination algorithm

The algorithm in an ACL manager that determines whether the server should grant or deny access. See ACL Managers, Permissions, Access Determination Algorithms .

ACL manager

A module within an RPC server that interprets ACLs. See ACL Managers, Permissions, Access Determination Algorithms .

a priori trusted entity

One of a small number of objects whose trust is assumed. See Untrusted Environments: A Priori Trust and Trust Chains .

asserted

Sent to the server without authentication. See Privilege (Authorisation) Service (PS) .

assured service

The state of being available and obtainable for use when needed. See Security Attributes: Authenticity, Integrity, Confidentiality .

attribute

A security aspect of a computer installation that must be protected. Security attributes studied in this specification include authenticity, confidentiality and integrity. See Security Attributes: Authenticity, Integrity, Confidentiality .

attribute encoding type

A specifier of the data format (integer, string, uuid) of an attribute value. See Attribute Encodings .

attribute instance

An attribute type uuid and value created according to the attribute type's semantics and attached to a registry object. Also called attribute or ERA. See Access Control for Attribute Types .

attribute schema

A collection of attribute type definitions or schema entries. Also called a schema. See Attribute Schema .

attribute set

An attribute instance with encoding type attr_set. Its value is a list of attribute type UUIDs that identify member attributes of this set. Attribute sets are created for the purpose of efficient queries of related attributes. See Attribute Sets .

attribute type

The description of the identifiers (such as name and UUID) and semantics (such as encoding type and access control parameters) of instances of this type. See Access Control for Attribute Types and Well-Known Attribute Types .

attribute type UUID

A DCE UUID that uniquely identifies an attribute type. Also called attribute type ID or attribute ID. See Schema Entries and Well-Known Attribute Types .

attribute value

The data in an attribute instance.

authenticity

The state of genuinely representing reality, of actually representing that which is alleged to be represented. See Security Attributes: Authenticity, Integrity, Confidentiality .

authorisation

The state of being granted privilege to access an object. See Subjects and Objects, Privilege and Authorisation .

authorisation data

The portion of a Kerberos ticket that contains data necessary for authorisation decisions. It is sometimes abbreviated Auth_Data or A_D.

authority

An entity that is trusted to know the secrets of objects other than itself. See Untrusted Environments: A Priori Trust and Trust Chains .

call chain

The chain of operations (RPC calls) leading from an initiator to the final target.

cell

The unit of partition of the network TCB. For security purposes, a cell is an instance of the three security services, termed the RS/KDS/PS triple, of the security environment. As such, each instance defines a separate cell. See DCE Security Model .

cell principal

A ticket that is targeted to a KDS server principal. See Kerberos Key Distribution (Authentication) Service (KDS) .

certify

To convince a subject of the security of a credential. See Untrusted Environments: A Priori Trust and Trust Chains . Certification of login is an optional process undertaken to thwart a type of multi-prong attack described in Further Discussion of Certification .

client

An object acts as a client when it sends an RPC to another object.

compromised

Said of a resource whose security attributes are not adequately protected. See Security Attributes: Authenticity, Integrity, Confidentiality .

confidentiality

The state of being intrinsically unimpaired. See Security Attributes: Authenticity, Integrity, Confidentiality .

container object

An object that contains other objects. See Object Types, ACL Types, and ACL Inheritance .

credential

An object containing security information about a subject. See Untrusted Environments: A Priori Trust and Trust Chains .

cryptography

The science of using secrets to implement security mechanisms. Cryptanalysis is the art of analysing cryptographic mechanisms. The two together are cryptology. See Distributed Security: Secrets and Cryptology .

data encryption standard (DES)

An encryption/decryption algorithm in use since the late 1970's and generally considered secure. See Data Encryption Standard (DES) .

current login context

The login context automatically inherited by child processes. See Login Facility and Security Client Daemon (SCD) .

decode/decrypt

The inverse process of encoding or encryption, respectively. See Encoding/Decoding and Encryption/Decryption of Messages .

denial of service

The state of being unavailable or unobtainable for use when needed. See Security Attributes: Authenticity, Integrity, Confidentiality .

delegation

The projection of an initiator's identity to another identity in a manner permitting the other identity to operate on behalf of the initiator.

delegate restrictions

Limits placed upon who may act as an intermediary for a particular identity. See intermediary.

delegation token

A checksum over the extended PAC (EPAC) data, encrypted in the PS's key, placed in the A_D field of a PTGT by the priveledge server when enabling delegation and when generating a new delegation chain or impersonated identity. See impersonation for the context in which this identity is used.

delegation type

Either traced delegation or impersonation (only one of which is valid for a given login context).

direct requestor

The client that operates directly on a given target. See target.

distributed environment

An environment in which the notion of communication is an explicit model primitive. See Security Attributes: Authenticity, Integrity, Confidentiality .

distributed time service (DTS)

A secure source of time information which is part of the network TCB. See Integration with Time Services .

domain

The scope of a security policy. See Policy versus Service versus Mechanism .

encode

To semantically represent a message by an utterance, where the mapping between message and utterance is secret. See Encoding/Decoding and Encryption/Decryption of Messages .

encrypt

To syntactically represent a message by an utterance, where the mapping between message and utterance is secret. Typically, the encoding of the message is not secret. See Encoding/Decoding and Encryption/Decryption of Messages .

endianness

An attribute of bit-sequences and byte-sequences on a machine architecture that determines whether the most significant element of the sequence occurs at the high address or at the low address. See Integer Representations (Endianness) .

EPAC

An Extended PAC available in DCE 1.1 and newer versions, that can contain specified ERAs in addition to the principal's identity and group memberships. A delegation chain is expressed by concatenating the EPACs fro the series of principals involved in an operation. See Privilege (Authorisation) Service (PS) .

environment_set

A set of attributes known to the server; a "well-known" ERA. The use of the term environment in this document is intended to represent aspects of a login session that are associated with a client principal but whose values are derived from the point of entry the client uses for access. These "environment attributes" can have static values, in which case the value is specified by an administrator when defining a point of entry for a host machine and stored in an ERA. Or thay can be dynamic, in which case their value is derived at the time of the specific login attempt and assigned to an ERA through the login process.

ERA

Extended Registry Attribute, an attribute (user defined) in the DCE Security Registry (Registry database). It is attached to a registry object, and created using the interfaces defined in this specification. (Also called attribute.) Each ERA has a schema entry that is the data dictionary entry defining the attribute type. Instances of the attribute containing values can be attached to principal, group, organisation or policy nodes in the Registry database. See Extended Registry Attribute Facility .

ERA Database

The portion of the Registry database that contains ertended registry attribute information, including schema entries and attribute instances. See Extended Registry Attribute Facility .

final target

The last object in a call chain.

helpstring

A human-readable string explaining the semantics of a permission in greater detail than does the printstring. See ACL Managers, Permissions, Access Determination Algorithms .

home cell

The cell in whose registry a given principal's security information is held. See DCE Security Model .

insecure

Said of a resource whose security attributes are not adequately protected. See Security Attributes: Authenticity, Integrity, Confidentiality .

integrity

The state of being unimpaired. See Security Attributes: Authenticity, Integrity, Confidentiality .

item

An element of the registry datastore. See Registration Service (RS) and RS Editors .

immediate target

The object upon which a client performs an operation directly.

impersonation

Transmission of an initiator's identity such that the identities of participants in a call chain are not preserved.

initiator

The initial client in a call chain.

integrator

A person responsible for porting applications. This person is familiar with both the application to be proted and with the site into which the application is being added. This role involves modifying and recompiling source code.

intermediary

A server acting on behalf of an initiator, via delegation or impersonation, making requests to another target server.

intermediate service

See intermediary.

Kerckhoffs´ Doctrine

The idea that the entire algorithm need not be secret, provided a key is. See Key-based Security: Kerckhoffs' Doctrine .

key

A parameter to an encryption algorithm that suffices to make encryption secure even if the algorithm is not secret. See Key-based Security: Kerckhoffs' Doctrine .

derived key

A key used for encryption based upon user input, usually a password and a "confounder" or "salt".

strong key

A key that is random and which uses the full key size. These keys are more difficult to break by an intruder.

key management facility

A module that manages long-term cryptographic keys. See Key Management Facility .

login

A procedure that obtains and validates a login name to provide context for subsequent operations. This specification does not specify a login program or login command, but Login Facility and Security Client Daemon (SCD) does list the typical behaviour of such a program or command.

login_set

A set of attributes known to a server, a "well-known" ERA. This set of attributes consists of client specific information derived from the identity of a client. These login attributes can have static values, in which case the value is specified by the administrator when defining a user and stored in an ERA. Or they can be dynamic, in which case their values is derived at the time of the specific login attempt and assigned to an ERA through the login process.

message

Data in communication. See Encoding/Decoding and Encryption/Decryption of Messages .

multi-prong attack

A security attack consisting of a counterfeit login and, simultaneously, malicious RPC servers masquerading as KDS, PS, RS and SCD servers. Defeated by certifying the login, as described in Further Discussion of Certification .

multi-valued attribute

A collection of attribute instances of hte same attribute type attached to a single registry object. See Unknown Intercell Action Attribute and The use_defaults Algorithm .

name-based authorisation

A primitive authorisation alternative specified in Name-based versus PAC-based Authorisation but whose use is discouraged.

network login context

The information necessary for a subject to become a client. See Login Facility and Security Client Daemon (SCD) .

network TCB

Three trusted network services: a Registry, a Key Distribution Service, and a Privilege Service. See DCE Security Model .

object

The passive aspect of entities whose security attributes are to be protected. See Subjects and Objects, Privilege and Authorisation .

PAC

Privilege Attribute Certificate; the portion of a principal's DCE 1.0 security credentials that provides information about the principal's identity (UUID) and privileges (group memberships). See Privilege (Authorisation) Service (PS) .

pickle

A representation of a data type suitable for storage in the absence of a communications context. See (IDL/NDR) Pickles .

policy

Requirements or rules an organisation places on the security attributes of its assets. See Policy versus Service versus Mechanism .

policy object

The registry data node, with the well-known name "policy" (under the Security junction point, usually /.:/sec), representing registry-wide policy information. Attributes related to cell-wide security policy should be created on the policy object. See Schema Entries .

printstring

A human-readable string identifying a permission. See ACL Managers, Permissions, Access Determination Algorithms .

privilege attribute

That portion of a client's credentials a server uses in access control decisions. See Privilege (Authorisation) Service (PS) .

privilege attribute certificate (PAC)

A certificate specifying the attributes of a client that a server uses to grant or deny access to its protected objects. See DCE Security Model .

quota

The maximum total number of PGO items plus accounts that may be added to the registry datastore. See The rs_pgo RPC Interface

PTGT

Privilege Ticket Granting Ticket.

realm

The scope of a security policy. From the strict perspective of security, a cell is also known as a realm in that it is the security domain of the network TCB. See Policy versus Service versus Mechanism .

reference monitor

A trusted subject or entity that mediates all access to a protected object. See Untrusted Environments: A Priori Trust and Trust Chains .

registry object

A data node in the Registry database. Registry object are of the object types: principal, group, org, directory, policy, replist (replica list), and attr_schema. There are many nodes of the principal, group, org and directory types. There is only one node each for the policy, replist and attr_schema types. See Extended Registry Attribute Facility .

replay attack

A security attack consisting of a retransmission of an intercepted message for the purpose of claiming to be the original sender. Thwarted by use of timestamps, as described in Integration with Time Services .

schema

See attribute schema.

schema entry

A record containing the identifiers and characteristics of an attribute type. A schema entry is essentially an attribute type definition. See Schema Entries .

schema object

The Registry data node, with the well-known name "xattrschema" (under the Security junction point, typically /.:/sec), containing the attribute schema information. Also called the attribute schema object. See Attribute Schema .

secret

The smallest object whose security is considered tantamount to the security of larger objects by means of trust chains. See Untrusted Environments: A Priori Trust and Trust Chains .

secure

Said of a resource whose security attributes are adequately protected. See Security Attributes: Authenticity, Integrity, Confidentiality .

service

A tool available to enforce a security policy. See Policy versus Service versus Mechanism .

session

An interaction between an identified client and a server for a finite time, subject to discrete authentication. See DCE Security Model .

signature

A keyed cryptographic checksum of a message. See Message Digests 4 and 5 (MD4, MD5) .

simple object

An object that does not contain other objects. See Object Types, ACL Types, and ACL Inheritance .

site administrator

A person responsible for maintaining user accounts and installing new software packages. This role does not involve any source code modification.

strength

An algorithm's resistance to cryptanalysis. See Key-based Security: Kerckhoffs' Doctrine .

subject

The active aspect of entities that interact with objects. See Subjects and Objects, Privilege and Authorisation .

target

Any object that is downstream in a call chain from a given target.

target restrictions

A bound upon the set of targets to whom the client's identity may be projected.

ticket

A credential certificate representing the authenticated identity of a client. See DCE Security Model .

traced delegation

A form of delegation that preserves the identities of each participant in a call chain.

transit path

The ordered sequence of KDS servers that vouch for a ticket. See Kerberos Key Distribution (Authentication) Service (KDS) .

trigger

A remote operation, associated with an attribute type, that is executed when attributes of that type are either queried or updated. See Attribute Triggers .

trigger type

A classification, either "query" or "update", on a trigger that identifies on which attribute operation the trigger will be invoked. See Trigger Binding .

trust

Said of a subject that believes an object is secure. See Knowledge versus Belief; Trust .

trusted computing base

The fundamental core set of hardware and software that must be trusted. This set is abbreviated (TCB) in this document, and is also referred to as the network TCB. See Untrusted Environments: A Priori Trust and Trust Chains .

validated login

A login context whose information has been decrypted and is trusted by the associated principal or account. See Login Facility and Security Client Daemon (SCD) .

weak password

Users typically choose passwords which are derived from words and this makes attacks on passwords easier to break than randomly generated passwords. Not to be confused with weak key which is a term used to refer to specific keys and how they are modified by the DES algorithm for encryption. Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.

Contents

Index