Oracle9i Application Server Security Guide Release 2 (9.0.2) Part Number A90146-01 |
|
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.
The percentage or amount of scheduled time that a computing system provides application service.
Also called a digital certificate. An ITU x.509 v3 standard data structure that securely binds an identity to a public key.
A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.
A trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.
Data that has been encrypted. Cipher text is unreadable until it has been converted to plain text (decrypted) with a key. See decryption.
A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
See plaintext.
The art of protecting information by transforming it (encrypting) into an unreadable format (ciphertext). See encryption.
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).
Data Encryption Standard. A commonly used symmetric key encryption method that uses a 56-bit key.
This is a method that lets two parties communicating over an insecure channel to agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to generate session keys.
See certificate.
See wallet.
A hierarchical tree-like stucture consisting of the DNs of the directory entries. See distinguished name (DN).
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root.
The process of disguising a message thereby rendering it unreadable to any but the intended recipient. Encryption is performed by translating data into secret code. There are two main types of encryption: public-key encryption (or asymmetric-key encryption) and symmetric-key encryption. See symmetric-key cryptography.
In the context of a directory service, entries are the building blocks of a directory. An entry is a collection of information about an object in the directory. Each entry is composed of a set of attributes that describe one particular trait of the object. For example, if a directory entry describes a person, that entry can have attributes such as first name, last name, telephone number, or e-mail address.
The ability to reconfigure a computing system to utilize an alternate active component when a similar component fails.
The ability of a computing system to withstand faults and errors while continuing to provide the required services.
A second running computing system that is ready to pick up application processing in the event that the primary computing system fails. That is, the secondary system takes over the processing at the point where the original computing system stopped and the secondary system continues the processing.
A password or a table needed to decipher encoded data.
A public key and its associated private key.
See Lightweight Directory Access Protocol (LDAP)
The set of standards for formatting an input file for any of the LDAP command-line utilities.
See LDAP Data Interchange Format (LDIF)
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.
A security attack characterized by the third-party, surreptitious interception of a message, wherein the third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and re-transmits it to the originally-intended recipient--all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication.
A hashing algorithm intended for use on 32-bit machines to create digital signatures. MD5 is a one-way hash function, meaning that it converts a message into a fixed string of digits that form a message digest.
Representation of text as a string of single digits. It is created using a formula called a one-way hash function.
See fault tolerance.
An algorithm that turns a message into a single string of digits. "One way" means that it is almost impossible to derive the original message from the string of digits. The calculated message digest can be compared with the message digest that is decrypted with a public key to verify that the message has not been tampered with.
An Oracle product that enables two or more computers that run an Oracle database server or Oracle tools, such as Designer/2000 to exchange data through a third-party network. Oracle Net supports distributed processing and distributed databases. Oracle Net is an open system because it is independent of the communication protocol, and users can interface Oracle Net to many network environments.
Defines Oracle application types that a certificate supports.
Privacy-Enhanced Electronic Mail. An encryption technique that provides encryption, authentication, message integrity, and key management.
Pretty Good Privacy. An encryption technique that is based on public key cryptography. The PGP encryption package is free.
A public-key encryption standard (PKCS). RSA Data Security, Inc., PKCS #12 is an industry standard for storing and transferring personal authentication credentials--typically in a format called a wallet.
Public Key Infrastructure. The basis for managing public keys used to provide encryption.
Also called cleartext. Unencrypted data in ASCII format.
In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures. See public/private key pair.
In public-key cryptography, this key is made public to all. It is primarily used for encryption but can be used for verifying signatures. See public/private key pair.
Encryption method that uses two different random numbers (keys). See public key and public-key encryption.
The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.
A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data encrypted with a private key cannot be decrypted with the same private key.
The leftmost component in a directory entry's distinguished name (DN). See distinguished name (DN).
The ability of a computing system to operate without failing. Reliability is measured by mean-time-between-failures (MTBF).
Duplicate or extra computing components that protect a computing system.
A public-key encryption technology developed by RSA Data Security. The RSA algorithm is based on the fact that it is laborious to factor very large numbers. This makes it mathematically unfeasible, because of the computing power and time required to decode an RSA key.
A measure of how well the software or hardware product is able to adapt to future business needs.
An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.
An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
A PKCS #12-format wallet that contains a single user certificate and its associated private key. The public key is embedded in the certificate.
The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication.
Encryption method that uses the same random number (key) in conjunction with a mathematical formula to encode and decode data.
A trusted certificate, sometimes called a root key certificate, is a third party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all of its higher level certificates verified again.
Also called a digital wallet. A wallet is a data structure used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A wallet resource locator (WRL) provides all the necessary information to locate the wallet.
A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.
Public keys can be formed in various data formats. The X.509 v3 format is one such popular format.
|
Copyright © 2002 Oracle Corporation. All Rights Reserved. |
|