Administrator's Guide

certificate A security certificate associates (or binds) a public key with a principal: a particular person, system,
device, or other entity. The certificate is issued by a trusted third party called a Certificate
Authority (CA), which vouches for the identity of the holder (person, device, or other entity) of
the corresponding private key. The CA digitally signs the certificate with the CA's private key, so
anyone who holds the CA's public key can verify the certificate. The most commonly used format
for public-key certificates is X.509 Version 3, published by the ITU-T and also standardized as
ISO/IEC 9594-8.
Certificate Authority See CA.
Certificate Revocation List See CRL.
challenge-response authentication
A form of authentication in which the authenticator sends a random value, the challenge, to the user
or principal being authenticated. The user sends back a response computed from the challenge value
and a shared secret previously established with the authenticator; for example, a hash (historically
MD5) over the challenge and the secret. Modern designs compute the response with a keyed MAC such
as HMAC-SHA-256 rather than a bare hash, and use a fresh, unpredictable challenge every time.
Unlike a regular password exchange, the challenge-response dialog varies with each challenge, so an
intruder who captures one response cannot replay it to gain authentication, and the shared secret
itself never crosses the network.
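The exchange described above, as an added example that is not part of the original guide or of any HP-UX component: the authenticator issues a random challenge, the client answers with an HMAC over the challenge keyed by the shared secret, and the authenticator verifies with a constant-time comparison. The user name, secret, and the `Authenticator` and `compute_response` names are assumptions made for illustration. The demo also shows why a replayed response and a response computed without the secret both fail.

```python
"""Challenge-response authentication with a shared secret (HMAC-SHA-256)."""
import hashlib
import hmac
import secrets


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """Server side: issues fresh challenges and verifies responses."""

    def __init__(self, shared_secrets):
        # user -> shared secret, established at enrollment (constructed sample data)
        self._secrets = dict(shared_secrets)
        # one outstanding challenge per user; consumed on the first verify attempt
        self._pending = {}

    def issue_challenge(self, user: str) -> bytes:
        # 256 bits from a CSPRNG: a challenge is never reused, so a captured
        # response is useless against any later challenge
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)   # single use
        if challenge is None or user not in self._secrets:
            return False
        expected = compute_response(self._secrets[user], challenge)
        # constant-time compare so timing does not leak how many bytes matched
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (legitimate login, replayed response, response without secret)."""
    secret = b"s3cret-shared-at-enrollment"          # constructed sample secret
    auth = Authenticator({"alice": secret})

    # 1. Legitimate client: fresh challenge, correct HMAC.
    c1 = auth.issue_challenge("alice")
    r1 = compute_response(secret, c1)
    legitimate = auth.verify("alice", r1)

    # 2. Eavesdropper captured (c1, r1) and replays r1 against a new challenge.
    auth.issue_challenge("alice")
    replayed = auth.verify("alice", r1)

    # 3. Attacker knows the challenge but not the secret: a plain hash of
    #    the challenge is not the keyed response the server expects.
    c3 = auth.issue_challenge("alice")
    no_secret = auth.verify("alice", hashlib.sha256(c3).digest())

    return legitimate, replayed, no_secret


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Note that `issue_challenge` must use a cryptographic random source; a predictable challenge (a counter, a timestamp) would let an attacker precompute responses or replay across sessions.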
chroot jail A method of restricting the files and directories accessible to a process and to the users of that
process. The process starts in a specified base directory (its new root) and cannot access any
directories or files above that directory. A chroot jail limits file system visibility, not privilege:
a process that runs as root inside the jail can usually break out of it, so a jailed service should
also run as an unprivileged user, and the jail should contain only the files the service needs.
compartments A method of isolating the various components of the system from one another. When configured
properly, compartments are an effective method to safeguard the HP-UX system and the data that
resides upon it.
containment A mechanism or set of mechanisms to restrict the access rights of processes.
In the context of RBAC, containment is a combination of mandatory access control and fine-grained
privileges. See RBAC.
CRL Certificate Revocation List. Certificates are issued with a specific lifetime, defined by a start date/time
and an expiration date/time. However, situations can arise, such as a compromised private key,
that necessitate revoking a certificate before it expires. In this case, the certificate authority
revokes the certificate by including its serial number on a CRL, which the CA signs, updates, and
publishes on a regular basis and makes available to certificate users. Each CRL carries its own
issue time and a next-update time; a relying party that cannot obtain a current CRL should treat
the certificate's status as unknown rather than assume the certificate is valid. See CA.
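The status check a relying party performs, as an added example that is not part of the original guide: it combines the certificate's validity window with a CRL lookup and fails closed when the CRL is from the wrong issuer or is no longer current. The `Certificate` and `CRL` classes, the serial numbers, issuer names and dates are constructed for illustration; real X.509 parsing and verification of the CA's signature on the CRL are assumed to have been done before these records are built.

```python
"""Certificate status against a CRL: validity window, CRL freshness, revocation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime          # when the CA produced this list
    next_update: datetime          # when the CA promises a newer one
    revoked_serials: frozenset = field(default_factory=frozenset)


def certificate_status(cert: Certificate, crl, now: datetime) -> str:
    """Return one of: not_yet_valid, expired, unknown, revoked, good."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    # A CRL from another issuer says nothing about this certificate, and a
    # stale CRL may predate the revocation: both cases fail closed.
    if crl is None or crl.issuer != cert.issuer:
        return "unknown"
    if not (crl.this_update <= now < crl.next_update):
        return "unknown"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "good"


def demo():
    """Run the check over constructed certificates and CRLs (sample data)."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    issuer = "CN=Example CA"                      # assumed issuer name
    compromised = Certificate(0x1A2B, issuer, issued, issued + timedelta(days=365))
    healthy = Certificate(0x0099, issuer, issued, issued + timedelta(days=365))

    # CRL published on day 100, valid for a week, listing the compromised cert.
    crl = CRL(issuer, issued + timedelta(days=100), issued + timedelta(days=107),
              frozenset({0x1A2B, 0x0042}))
    foreign_crl = CRL("CN=Other CA", crl.this_update, crl.next_update, crl.revoked_serials)

    day101 = issued + timedelta(days=101)
    return {
        "revoked": certificate_status(compromised, crl, day101),
        "good": certificate_status(healthy, crl, day101),
        "stale_crl": certificate_status(healthy, crl, issued + timedelta(days=120)),
        "wrong_issuer": certificate_status(compromised, foreign_crl, day101),
        "no_crl": certificate_status(compromised, None, day101),
        "expired": certificate_status(compromised, crl, issued + timedelta(days=400)),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:13s} {status}")
```

The order of the checks matters: an expired certificate is reported as expired regardless of CRL availability, while a certificate inside its validity window is accepted only when a current CRL from its own issuer does not list its serial.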
cryptography The process of encoding normal (cleartext) data so that it can be decoded only by holders of
specific secret information, the key. Cryptography also provides integrity and authentication
through hash functions, message authentication codes, and digital signatures.
Data Encryption Standard See DES.
denial of service attack
An attack that prevents a system from responding to network packets so that it cannot service
legitimate requests. Denial of service attacks are often carried out by flooding a vulnerable system
with bogus requests that consume a large amount of its resources. They are also used together
with host spoofing to keep the spoofed host (the host whose IP address the spoofer is assuming)
from participating in the exchange between the spoofer and the system the spoofer is trying to
access.
DES Data Encryption Standard. A symmetric block cipher with a 64-bit block and a 56-bit key, designed
for bulk data encryption.
DES has been cracked: its 56-bit key space is small enough to search exhaustively, which was first
demonstrated publicly in 1998 with the EFF's Deep Crack machine, so data encrypted with DES can
be decoded by a third party. Treat DES as broken; use AES, or at minimum Triple-DES, instead.