Object identifier
A specialized formatted number that is registered with an internationally recognized standards organization. It is the unique alphanumeric or numeric identifier registered under the ISO registration standard to reference a specific object or object class.
Object reuse
The reassignment and reuse of a storage medium (e.g., page frame, disk sector, and magnetic tape) that once contained one or more objects. To be securely reused and assigned to a new subject, storage media must contain no residual data (magnetic remanence) from the object(s) previously contained in the media.
Off-card
Refers to data that is not stored within the personal identity verification (PIV) card or to a computation that is not performed by the integrated circuit chip of the PIV card.
Off-line attack
An attack where the attacker obtains some data (typically by eavesdropping on an authentication protocol run or by penetrating a system and stealing security files) that he can analyze in a system of his own choosing.
Off-line cracking
Off-line cracking occurs when a cryptographic token is exposed using analytical methods outside the electronic authentication mechanism (e.g., differential power analysis on a stolen hardware cryptographic token or dictionary attacks on a software PKI token). Countermeasures include using a token with a high-entropy token secret and locking the token after a number of repeated failed activation attempts.
Off-line cryptosystem
A cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions.
Off-line storage
Data storage on media physically removed from the computer system and stored elsewhere (e.g., a magnetic tape or a disk).
Offsite storage
A location remote from the primary computer facility where backup programs, data files, forms, and documentation, including a contingency plan, are stored. These are used at backup computer facilities during a disaster or major interruption at the primary computer facility.
On-access scanning
Configuring a security tool to perform real-time scans of each file for malware as the file is downloaded, opened, or executed.
On-card
Refers to data that is stored within the personal identity verification (PIV) card or to a computation that is performed by the integrated circuit chip of the PIV card.
On-demand scanning
Allowing users to launch security tool scans for malware on a computer as desired.
One-time password generator
A mechanism that changes the password after each use. It is useful when the password is not adequately protected from compromise during login (for example, when the communication line is suspected of being tapped). This is a technical and preventive control.
One-way hash algorithm
Hash algorithms that map arbitrarily long inputs into a fixed-size output such that it is very difficult (computationally infeasible) to find two different hash inputs that produce the same output. Such algorithms are an essential part of the process of producing fixed-size digital signatures that can both authenticate the signer and provide for data integrity checking (detection of input modification after signature).
Online attack
An attack against an authentication protocol where the attacker either assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.
Online certificate status protocol (OCSP)
An online protocol used to determine the status of a public key certificate between a certificate authority (CA) and relying parties. OCSP responders should be capable of processing both signed and unsigned requests and should be capable of processing requests that either include or exclude the name of the relying party making the request. OCSP responders should support at least one algorithm such as RSA with padding or ECDSA for digitally signing response messages.
Online guessing attack
An attack in which an attacker performs repeated logon trials by guessing possible values of the token authenticator. Examples of attacks include dictionary attacks to guess passwords or guessing of secret tokens. A countermeasure is to use tokens that generate high entropy authenticators.
Open design
The principle of open design stresses that design secrecy or reliance on user ignorance is not a sound basis for secure systems. Open design allows for open debate and inspection of the strengths, or the origins of a lack of strength, of a particular design. Secrecy should be provided through the use of passwords and cryptographic keys rather than secrecy in the design itself.
Open Pretty Good Privacy (OpenPGP)
A protocol defined in IETF RFC 2440 and 3156 for encrypting messages and creating certificates using public key cryptography. Most mail clients do not support OpenPGP by default; instead, third-party plug-ins can be used in conjunction with the mail clients. OpenPGP uses a “Web of trust” model for key management, which relies on users for management and control, making it unsuitable for medium- to large-scale implementations.
Open security environment (OSE)
An environment that includes systems in which one of the following conditions holds true: (1) application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic, or (2) configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of application systems.
Open system interconnection (OSI)
A reference model of how messages should be transmitted between any two end-points of a telecommunication network. The process of communication is divided into seven layers, with each layer adding its own set of special, related functions. The seven layers are the application, presentation, session, transport, network, data link, and physical layers. Most telecommunication products tend to describe themselves in relation to the OSI reference model. This model is a single reference view of communication that provides a common ground for education and discussion.
Open systems
Vendor-independent systems designed to readily connect with other vendors’ products. To qualify as open, a system should conform to a set of standards determined by a consensus of interested participants rather than by just one or two vendors. Open systems allow interoperability among products from different vendors. Major benefits include portability, scalability, and interoperability.
Open Web application security project (OWASP)
A project dedicated to enabling organizations to develop, purchase, and maintain applications that can be secured and trusted. In 2010, OWASP published a list of Top 10 application security risks. These include injection; cross-site scripting; broken authentication and session management; insecure direct object references; cross-site request forgery; security misconfiguration; insecure cryptographic storage; failure to restrict URL access; insufficient transport layer protection; and unvalidated redirects and forwards.
Operating system (OS)
The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (e.g., Web server and mail server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.