Protocol entity
Entity that follows a set of rules and formats (semantic and syntactic) that determines the communication behavior of other entities.
Protocol governance
A protocol is a set of rules and formats, semantic and syntactic, permitting information systems to exchange data related to security functions. Organizations use several protocols for specific purposes (such as encryption and authentication mechanisms) in various systems. Some protocols are compatible with each other while others are not, similar to negative interactions from prescription drugs. Protocol governance requires selecting the right protocols for the right purpose and at the right time to minimize their incompatibility and ineffectiveness (that is, not providing privacy and not protecting IT assets). It also requires constant, ongoing monitoring to determine the best time for a protocol’s eventual replacement or substitution with a better one.
In addition to being standard protocols approved by the standard-setting bodies, the selected protocols must be operationally efficient and security-effective. Examples include (1) DES, which is weak in security, and AES, which is strong in security, and (2) WEP, which is weak in security, and WPA, which is strong in security.
Protocol machine
A finite state machine that implements a particular protocol.
Protocol run
An instance of the exchange of messages between a claimant and a verifier in a defined authentication protocol that results in the authentication (or authentication failure) of the claimant.
Protocol tunneling
A method used to ensure confidentiality and integrity of data transmitted over the Internet, by encrypting data packets, sending them in packets across the Internet, and decrypting them at the destination address.
Proxy
(1) A program that receives a request from a client, and then sends a request on the client’s behalf to the desired destination. (2) An agent that acts on behalf of a requester to relay a message between a requester agent and a provider agent. The proxy appears to the provider agent Web service to be the requester. (3) An application or device acting on behalf of another in responding to protocol requests. (4) A proxy is an application that “breaks” the connection between client and server. (5) An intermediary device or program that provides communication and other services between a client and server. The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it. This effectively closes the straight path between the internal and external networks, making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network.
Proxy agent
A proxy agent is a software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.
Proxy server
A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. A device or product that provides network protection at the application level by using custom programs for each protected application. These programs can act as both a client and server and are proxies to the actual application. Proxy servers are available for common Internet services; for example, a hypertext transfer protocol (HTTP) proxy used for Web access and a simple mail transfer protocol (SMTP) proxy used for e-mail. Proxy servers are also called application gateway firewalls or proxy gateways.
Pseudonym
A subscriber name that has been chosen by the subscriber that is not verified as meaningful by identity proofing.
Pseudorandom number generator (PRNG)
An algorithm that produces a sequence of bits that are uniquely determined from an initial value called a “seed.” The output of the PRNG “appears” to be random, i.e., the output is statistically indistinguishable from random values. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.
Public key
(1) The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data. (2) A cryptographic key used with a public key cryptographic algorithm, that is uniquely associated with an entity and that may be made public. It is the key in a matched key pair of private-key and public-key that is made public, for example, posted in a public directory. In an asymmetric (public) key crypto-system, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to (i) verify a digital signature that is signed by the corresponding private key, (ii) encrypt data that can be decrypted by the corresponding private key, or (iii) compute a piece of common shared data. (3) The public key is used to verify a digital signature. (4) The public key is mathematically linked with a corresponding private key.
Public key certificate
A set of data that unambiguously identifies an entity, contains the entity’s public key, and is digitally signed by a trusted third party (certification authority, CA). A digital document issued and digitally signed by the private key of a CA that binds the name of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the private key. A subscriber is an individual or business entity that has contracted with a CA to receive a digital certificate verifying an identity for digitally signing electronic messages.
Public key (asymmetric) cryptographic algorithm
A cryptographic algorithm that uses two related keys (a public key and a private key). The two keys have the property that deriving the private key from the public key is computationally infeasible. Public key cryptography uses “key pairs,” a public key and a mathematically related private key. Given the public key, it is infeasible to find the private key. The private key is kept secret, whereas the public key may be shared with others. A message encrypted with the public key can only be decrypted with the private key. A message can be digitally signed with the private key, and anyone can verify the signature with the public key. Public key cryptography is used to perform (1) digital signatures, (2) secure transmission or exchange of secret keys, and/or (3) encryption and decryption. Cryptography that uses separate keys for encryption and decryption; also known as asymmetric cryptography.
Public key cryptography (reversible)
An asymmetric cryptographic algorithm where data encrypted using the public key can only be decrypted using the private key and, conversely, data encrypted using the private key can only be decrypted using the public key.
Public key cryptography standard (PKCS)
The PKCS is used to derive a symmetric encryption key from a password, which can be guessed relatively easily.
Public key infrastructure (PKI)
(1) A framework that is established to issue, maintain, and revoke public key certificates. (2) A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. (3) An architecture that is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys. (4) The PKI includes the hierarchy of certificate authorities (CAs) that allow for the deployment of digital certificates that support encryption, digital signatures, and authentication to meet business needs and security requirements.