https://DevOpsCloud.io -- Cloud Monk Losang Jinpa

Return to RFC 4949 Internet Security Glossary Definitions, RFC 4949 Internet Security Glossary, RFC 4949 Internet Security Glossary Bibliography, Cybersecurity, Awesome Security

---

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OAKLEY

(I) A key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman-Merkle algorithm and designed to be a compatible component of ISAKMP. [R2412]

Tutorial: OAKLEY establishes a shared key with an assigned identifier and associated authenticated identities for parties;

Shirey Informational Page 202]

RFC 4949 Internet Security Glossary, Version 2 August 2007

i.e., OAKLEY provides authentication service to ensure the entities of each other's id[[entity, even if the Diffie-Hellman- Merkle exchange is threatened by active wiretapping. Also, it provides public-key forward secrecy for the shared key and supports key updates, incorporation of keys distributed by out-of- band mechanisms, and user-defined abstract group structures for use with Diffie-Hellman-Merkle.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• object

(I) /formal model/ Trusted-system modeling usage: A system component that contains or receives information. (See: Bell- LaPadula model, object reuse, trusted system.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• object identifier (OID)

1. (N) An official, globally unique name for a thing, written as a sequence of integers (which are formed and assigned as defined in the ASN.1 standard) and used to reference the thing in abstract specifications and during negotiation of security services in a protocol.

2. (O) “A value (distinguishable from all other such values) [that] is associated with an object.” [X680]

Tutorial: Objects named by OIDs are leaves of the object identifier tree (which is similar to but different from the X.500 Directory Information Tree). Each arc (i.e., each branch of the tree) is labeled with a non-negative integer. An OID is the sequence of integers on the path leading from the root of the tree to a named object.

The OID tree has three arcs immediately below the root: {0} for use by ITU-T, {1} for use by ISO, and {2} for use by both jointly. Below ITU-T are four arcs, where {0 0} is for ITU-T recommendations. Below {0 0} are 26 arcs, one for each series of recommendations starting with the letters A to Z, and below these are arcs for each recommendation. Thus, the OID for ITU-T Recommendation X.509 is {0 0 24 509}. Below ISO are four arcs, where {1 0 }is for ISO standards, and below these are arcs for each ISO standard. Thus, the OID for ISO/IEC 9594-8 (the ISO number for X.509) is {1 0 9594 8}.

ANSI registers organization names below the branch {joint-iso- ccitt(2) country(16) US(840) organization(1) gov(101) csor(3)}. The NIST CSOR records PKI objects below the branch {joint-iso-itu- t(2) country(16) us(840) organization (1) gov(101) csor(3)}. The U.S. DoD registers INFOSEC objects below the branch {joint-iso- itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1)}.

Shirey Informational Page 203]

RFC 4949 Internet Security Glossary, Version 2 August 2007

The IETF's Public-Key Infrastructure (pkix) Working Group registers PKI objects below the branch {iso(1) identified- organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7)}. [R3280]

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• object reuse

(N) /COMPUSEC/ Reassignment and reuse of an area of a storage medium (e.g., random-access memory, floppy disk, magnetic tape) that once contained sensitive data objects. Before being reassigned for use by a new subject, the area needs to be erased or, in some cases, purged. [NCS04] (See: object.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• obstruction

(I) A type of threat action that interrupts delivery of system services by hindering system operations. (See: disruption.)

Tutorial: This type of threat action includes the following subtypes: - “Interference”: Disruption of system operations by blocking communication of user data or control information. (See: jamming.) - “Overload”: Hindrance of system operation by placing excess burden on the performance capabilities of a system component. (See: flooding.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OCSP

(I) See: Online Certificate Status Protocol.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• octet

(I) A data unit of eight bits. (Compare: byte.)

Usage: This term is used in networking (especially in OSI standards) in preference to “byte”, because some systems use “byte” for data storage units of a size other than eight bits.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OFB

(N) See: output feedback.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• off-line attack

(I) See: secondary definition under “attack”.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• ohnosecond

(D) That minuscule fraction of time in which you realize that your private key has been compromised.

Deprecated Usage: IDOCs SHOULD NOT use this term; it is a joke for English speakers. (See: Deprecated Usage under “Green Book”.)

Shirey Informational Page 204]

RFC 4949 Internet Security Glossary, Version 2 August 2007

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OID

(N) See: object identifier.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• Online Certificate Status Protocol (OCSP)

(I) An Internet protocol [R2560] used by a client to obtain from a server the validity status and other information about a digital certificate. (Mentioned in [X509] but not specified there.)

Tutorial: In some applications, such as those involving high-value commercial transactions, it may be necessary either (a) to obtain certificate revocation status that is timelier than is possible with CRLs or (b) to obtain other kinds of status information. OCSP may be used to determine the current revocation status of a digital certificate, in lieu of or as a supplement to checking against a periodic CRL. An OCSP client issues a status request to an OCSP server and suspends acceptance of the certificate in question until the server provides a response.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• one-time pad

1. (N) A manual encryption system in the form of a paper pad for one-time use.

2. (I) An encryption algorithm in which the key is a random sequence of symbols and each symbol is used for encryption only one time – i.e., used to encrypt only one plaintext symbol and thus produce only one ciphertext symbol – and a copy of the key is used similarly for decryption.

Tutorial: To ensure one-time use, the copy of the key used for encryption is destroyed after use, as is the copy used for decryption. This is the only encryption algorithm that is truly unbreakable, even given unlimited resources for cryptanalysis [Schn], but key management costs and synchronization problems make it impractical except in special situations.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• one-time password, One-Time Password (OTP)

1. (I) /not capitalized/ A “one-time password” is a simple authentication technique in which each password is used only once as authentication information that verifies an id[[entity. This technique counters the threat of a replay attack that uses passwords captured by wiretapping.

2. (I) /capitalized/ “One-Time Password” is an Internet protocol [R2289] that is based on S/KEY and uses a cryptographic hash function to generate one-time passwords for use as authentication information in system login and in other processes that need protection against replay attacks.

Shirey Informational Page 205]

RFC 4949 Internet Security Glossary, Version 2 August 2007

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• one-way encryption

(I) Irreversible transformation of plain text to cipher text, such that the plain text cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known. (See: brute force, encryption.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• one-way function

(I) “A (mathematical) function, f, [that] is easy to compute, but which for a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult.” [X509]

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for “cryptographic hash”.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• onion routing

(I) A system that can be used to provide both (a) data confidentiality and (b) traffic-flow confidentiality for network packets, and also provide © anonymity for the source of the packets.

Tutorial: The source, instead of sending a packet directly to the intended destination, sends it to an “onion routing proxy” that builds an anonymous connection through several other “onion routers” to the destination. The proxy defines a route through the “onion routing network” by encapsulating the original payload in a layered data packet called an “onion”, in which each layer defines the next hop in the route and each layer is also encrypted. Along the route, each onion router that receives the onion peels off one layer; decrypts that layer and reads from it the address of the next onion router on the route; pads the remaining onion to some constant size; and sends the padded onion to that next router.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• open security environment

(O) /U.S. DoD/ A system environment that meets at least one of the following two conditions: (a) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (b) Configuration control does not provide sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications. [NCS04] (See: “first law” under “Courtney's laws”. Compare: closed security environment.)

Shirey Informational Page 206]

RFC 4949 Internet Security Glossary, Version 2 August 2007

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• open storage

(N) /U.S. Government/ “Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel.” [C4009]

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• Open Systems Interconnection (OSI) Reference Model (OSIRM)

(N) A joint ISO/ITU-T standard [I7498-1] for a seven-layer, architectural communication framework for interconnection of computers in networks. (See: OSIRM Security Architecture. Compare: Internet Protocol Suite.)

Tutorial: OSIRM-based standards include communication protocols that are mostly incompatible with the IPS, but also include security models, such as X.509, that are used in the Internet.

The OSIRM layers, from highest to lowest, are (7) Application, (6) Presentation, (5) Session, (4) Transport, (3) Network, (2) Data Link, and (1) Physical.

Usage: This Glossary refers to OSIRM layers by number to avoid confusing them with IPS layers, which are referred to by name.

Some unknown person described how the OSIRM layers correspond to the seven deadly sins:

7. Wrath: Application is always angry with the mess it sees below itself. (Hey! Who is it to be pointing fingers?) 6. Sloth: Presentation is too lazy to do anything productive by itself. 5. Lust: Session is always craving and demanding what truly belongs to Application's functionality. 4. Avarice: Transport wants all of the end-to-end functionality. (Of course, it deserves it, but life isn't fair.) 3. Gluttony: (Connection-Oriented) Network is overweight and overbearing after trying too often to eat Transport's lunch. 2. Envy: Poor Data Link is always starved for attention. (With Asynchronous Transfer Mode, maybe now it is feeling less neglected.) 1. Pride: Physical has managed to avoid much of the controversy, and nearly all of the embarrassment, suffered by the others.

John G. Fletcher described how the OSIRM layers correspond to Snow White's dwarf friends:

7. Doc: Application acts as if it is in charge, but sometimes muddles its syntax.

Shirey Informational Page 207]

RFC 4949 Internet Security Glossary, Version 2 August 2007

6. Sleepy: Presentation is indolent, being guilty of the sin of Sloth. 5. Dopey: Session is confused because its charter is not very clear. 4. Grumpy: Transport is irritated because Network has encroached on Transport's turf. 3. Happy: Network smiles for the same reason that Transport is irritated. 2. Sneezy: Data Link makes loud noises in the hope of attracting attention. 1. Bashful: Physical quietly does its work, unnoticed by the others.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• operational integrity

(I) Synonym for “system integrity”; this synonym emphasizes the actual performance of system functions rather than just the ability to perform them.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• operational security

1. (I) System capabilities, or performance of system functions, that are needed either (a) to securely manage a system or (b) to manage security features of a system. (Compare: operations security (OPSEC).)

Usage: IDOCs that use this term SHOULD state a definition because (a) the definition provided here is general and vague and (b) the term could easily be confused with “operations security”, which is a different concept.

Tutorial: For example, in the context of an Internet service provider, the term could refer to capabilities to manage network devices in the event of attacks, simplify troubleshooting, keep track of events that affect system integrity, help analyze sources of attacks, and provide administrators with control over network addresses and protocols to help mitigate the most common attacks and exploits. [R3871]

2. (D) Synonym for “administrative security”.

Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for “administrative security”. Any type of security may affect system operations; therefore, the term may be misleading. Instead, use “administrative security”, “communication security”, “computer security”, “emanations security”, “personnel security”, “physical security”, or whatever specific type is meant. (See: security architecture. Compare: operational integrity, OPSEC.)

Shirey Informational Page 208]

RFC 4949 Internet Security Glossary, Version 2 August 2007

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• operations security (OPSEC)

(I) A process to identify, control, and protect evidence of the planning and execution of sensitive activities and operations, and thereby prevent potential adversaries from gaining knowledge of capabilities and intentions. (See: communications cover. Compare: operational security.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• operator

(I) A person who has been authorized to direct selected functions of a system. (Compare: manager, user.)

Usage: IDOCs that use this term SHOULD state a definition for it because a system operator may or may not be treated as a “user”.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OPSEC

1. (I) Abbreviation for “operations security”.

2. (D) Abbreviation for “operational security”.

Deprecated Usage: IDOCs SHOULD NOT use this abbreviation for “operational security” (as defined in this Glossary), because its use for “operations security” has been well established for many years, particular in the military community.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• ORA

See: organizational registration authority.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• Orange Book

(D) /slang/ Synonym for “Trusted Computer System Evaluation Criteria” [CSC1, DoD1].

Deprecated Usage: IDOCs SHOULD NOT use this term as a synonym for “Trusted Computer System Evaluation Criteria” [CSC1, DoD1]. Instead, use the full, proper name of the document or, in subsequent references, the abbreviation “TCSEC”. (See: Deprecated Usage under “Green Book”.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• organizational certificate

1. (I) An X.509 public-key certificate in which the “subject” field contains the name of an institution or set (e.g., a business, government, school, labor union, club, ethnic group, nationality, system, or group of individuals playing the same role), rather than the name of an individual person or device. (Compare: persona certificate, role certificate.)

Tutorial: Such a certificate might be issued for one of the following purposes:

Shirey Informational Page 209]

RFC 4949 Internet Security Glossary, Version 2 August 2007

- To enable an individual to prove membership in the organization. - To enable an individual to represent the organization, i.e., to act in its name and with its powers or permissions.

2. (O) /MISSI/ A type of MISSI X.509 public-key certificate that is issued to support organizational message handling for the U.S. DoD's Defense Message System.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• organizational registration authority (ORA)

1. (I) /PKI/ An RA for an organization.

2. (O) /MISSI/ An end entity that (a) assists a PCA, CA, or SCA to register other end entities, by gathering, verifying, and entering data and forwarding it to the signing authority and (b) may also assist with card management functions. An ORA is a local administrative authority, and the term refers both to the role and to the person who plays that role. An ORA does not sign certificates, CRLs, or CKLs. (See: no-PIN ORA, SSO-PIN ORA, user- PIN ORA.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• origin authentication

(D) Synonym for “data origin authentication”. (See: authentication, data origin authentication.)

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the internationally standardized term “data origin authentication” and also could be confused with “peer entity authentication.”

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• origin authenticity

(D) Synonym for “data origin authentication”. (See: authenticity, data origin authentication.)

Deprecated Term: IDOCs SHOULD NOT use this term; it suggests careless use of the internationally standardized term “data origin authentication” and mixes concepts in a potentially misleading way.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OSI, OSIRM

(N) See: Open Systems Interconnection Reference Model.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OSIRM Security Architecture

(N) The part of the OSIRM [I7498-2] that specifies the security services and security mechanisms that can be applied to protect communications between two systems. (See: security architecture.)

Shirey Informational Page 210]

RFC 4949 Internet Security Glossary, Version 2 August 2007

Tutorial: This part of the OSIRM includes an allocation of security services to protocol layers. The following table shows which security services (see definitions in this Glossary) are permitted by the OSIRM in each of its layers. (Also, an application process that operates above the Application Layer may itself provide security services.) Similarly, the table suggests which services are suitable for each IPS layer. However, explaining and justifying these allocations is beyond the scope of this Glossary.

Legend for Table Entries: O = Yes, [I7498-2] permits the service in this OSIRM layer. I = Yes, the service can be incorporated in this IPS layer.

• = This layer subsumed by Application Layer in IPS.

IPS Protocol Layers +—————————————–+

 |[[Network]]| [[Net]] |In-| Trans |  [[Application]]  |
 |  H/W  |Inter|ter| -[[port]] ||
 | |-[[face]]|[[net]]| ||

OSIRM Protocol Layers +—————————————–+

 |  1  |  2  |  3  |  4  |  5  |  6  |  7  |

Confidentiality +—————————————–+ - Datagram| O I | O I | O I | O I | | O * | O I | - Selective Field | | |I | | | O * | O I | - Traffic Flow | O| | O| | | | O| – Full |I | | | | | | | – Partial | |I |I | | | |I | Integrity +—————————————–+ - Datagram|I |I | O I | O I | | | O I | - Selective Field | | |I | | | | O I | - Stream | | | O I | O I | | | O I | Authentication+—————————————–+ - Peer Entity| |I | O I | O I | | | O I | - Data Origin| |I | O I | O I | | | O I | Access Control+—————————————–+ - type as appropriate | |I | O I | O I | | | O I | Non-Repudiation +—————————————–+ - of Origin | | | | | | | O I | - of Receipt | | | | | | | O I |

 +-----------------------------------------+

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OTAR

(N) See: over-the-air rekeying.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• OTP

(I) See: One-Time Password.

Shirey Informational Page 211]

RFC 4949 Internet Security Glossary, Version 2 August 2007

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• out-of-band

(I) /adjective, adverb/ Information transfer using a channel or method that is outside (i.e., separate from or different from) the main channel or normal method.

Tutorial: Out-of-band mechanisms are often used to distribute shared secrets (e.g., a symmetric key) or other sensitive information items (e.g., a root key) that are needed to initialize or otherwise enable the operation of cryptography or other security mechanisms. Example: Using postal mail to distribute printed or magnetic media containing symmetric cryptographic keys for use in Internet encryption devices. (See: key distribution.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• output feedback (OFB)

(N) A block cipher mode that modifies ECB mode to operate on plaintext segments of variable length less than or equal to the block length. [FP081] (See: block cipher, [SP38A].)

Tutorial: This mode operates by directly using the algorithm's previously generated output block as the algorithm's next input block (i.e., by “feeding back” the output block) and combining (exclusive OR-ing) the output block with the next plaintext segment (of block length or less) to form the next ciphertext segment.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• outside attack

(I) See: secondary definition under “attack”. Compare: outsider.)

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• outsider

(I) A user (usually a person) that accesses a system from a position that is outside the system's security perimeter. (Compare: authorized user, insider, unauthorized user.)

Tutorial: The actions performed by an outsider in accessing the system may be either authorized or unauthorized; i.e., an outsider may act either as an authorized user or as an unauthorized user.

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• over-the-air rekeying (OTAR)

(N) Changing a key in a remote cryptographic device by sending a new key directly to the device via a channel that the device is protecting. [C4009]

([[Fair Use]] [[Source]]: [[RFC 4949])

---

• overload

(I) /threat action/ See: secondary definition under “obstruction”.

---

Fair Use Sources:

• RFC 4949 Internet Security Glossary