5. Security Considerations
This document mainly defines security terms and recommends how to use them. It also provides limited tutorial information about security aspects of Internet protocols, but it does not describe in detail the vulnerabilities of, or threats to, specific protocols and does not definitively describe mechanisms that protect specific protocols.

6. Normative Reference

[R2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

7. Informative References
This Glossary focuses on the Internet Standards Process. Therefore, this set of informative references emphasizes international, governmental, and industrial standards documents. Some RFCs that are especially relevant to Internet security are mentioned in Glossary entries in square brackets (e.g., "[R1457]" in the entry for "security label") and are listed here; some other RFCs are mentioned in parentheses (e.g., "(RFC 959)" in the entry for "File Transport Protocol") but are not listed here.

[A1523] American National Standards Institute, "American National Standard Telecom Glossary", ANSI T1.523-2001.

[A3092] ---, "American National Standard Data Encryption Algorithm", ANSI X3.92-1981, 30 December 1980.

[A9009] ---, "Financial Institution Message Authentication (Wholesale)", ANSI X9.9-1986, 15 August 1986.

[A9017] ---, "Financial Institution Key Management (Wholesale)", X9.17, 4 April 1985. (Defines procedures for manual and automated management of keying material and uses DES to provide key management for a variety of operational environments.)

[A9042] ---, "Public key Cryptography for the Financial Service Industry: Agreement of Symmetric Keys Using Diffie-Hellman and MQV Algorithms", X9.42, 29 January 1999. (See: Diffie-Hellman-Merkle.)

[A9052] ---, "Triple Data Encryption Algorithm Modes of Operation", X9.52-1998, ANSI approval 9 November 1998.
[A9062] ---, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", X9.62-1998, ANSI approval 7 January 1999.

[A9063] ---, "Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography", X9.63-2001.

[ACM] Association for Computing Machinery, "Communications of the ACM", July 1998 issue with: M. Yeung, "Digital Watermarking"; N. Memon and P. Wong, "Protecting Digital Media Content"; and S. Craver, B.-L. Yeo, and M. Yeung, "Technical Trials and Legal Tribulations".

[Ande] Anderson, J., "Computer Security Technology Planning Study", ESD-TR-73-51, Vols. I and II, USAF Electronics Systems Div., Bedford, MA, October 1972. (Available as AD-758206/772806, National Technical Information Service, Springfield, VA.)

[ANSI] American National Standards Institute, "Role Based Access Control", Secretariat, Information Technology Industry Council, BSR INCITS 359, DRAFT, 10 November 2003.

[Army] U.S. Army Corps of Engineers, "Electromagnetic Pulse (EMP) and Tempest Protection for Facilities", EP 1110-3-2, 31 December 1990.

[B1822] Bolt Beranek and Newman Inc., "Appendix H: Interfacing a Host to a Private Line Interface", in "Specifications for the Interconnection of a Host and an IMP", BBN Report No. 1822, revised, December 1983.

[B4799] ---, "A History of the Arpanet: The First Decade", BBN Report No. 4799, April 1981.

[Bell] Bell, D. and L. LaPadula, "Secure Computer Systems: Mathematical Foundations and Model", M74-244, The MITRE Corporation, Bedford, MA, May 1973. (Available as AD-771543, National Technical Information Service, Springfield, VA.)

[Biba] K. Biba, "Integrity Considerations for Secure Computer Systems", ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA, April 1977.

[BN89] Brewer, D. and M. Nash, "The Chinese wall security policy", in "Proceedings of IEEE Symposium on Security and Privacy", May 1989, pp. 205-214.
[BS7799] British Standards Institution, "Information Security Management, Part 1: Code of Practice for Information Security Management", BS 7799-1:1999, 15 May 1999. ---, "Information Security Management, Part 2: Specification for Information Security Management Systems", BS 7799-2:1999, 15 May 1999.

[C4009] Committee on National Security Systems (U.S. Government), "National Information Assurance (IA) Glossary", CNSS Instruction No. 4009, revised June 2006.

[CCIB] Common Criteria Implementation Board, "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model", version 2.0, CCIB-98-026, May 1998.

[Chau] D. Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms", in "Communications of the ACM", vol. 24, no. 2, February 1981, pp. 84-88.

[Cheh] Cheheyl, M., Gasser, M., Huff, G., and J. Millen, "Verifying Security", in "ACM Computing Surveys", vol. 13, no. 3, September 1981, pp. 279-339.

[Chris] Chrissis, M. et al, 1993. "SW-CMM [Capability Maturity Model for Software Version", Release 3.0, Software Engineering Institute, Carnegie Mellon University, August 1996.

[CIPSO] Trusted Systems Interoperability Working Group, "Common IP Security Option", version 2.3, 9 March 1993.

[Clark] Clark, D. and D. Wilson, "A Comparison of Commercial and Military Computer Security Policies", in "Proceedings of the IEEE Symposium on Security and Privacy", April 1987, pp. 184-194.

[Cons] NSA, "Consistency Instruction Manual for Development of U.S. Government Protection Profiles for Use in Basic Robustness Environments", Release 2.0, 1 March 2004.

[CORBA] Object Management Group, Inc., "CORBAservices: Common Object Service Specification", December 1998.

[CSC1] U.S. DoD Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", CSC-STD-001-83, 15 August 1983. (Superseded by [DoD1].)
[CSC2] ---, "Department of Defense Password Management Guideline", CSC-STD-002-85, 12 April 1985.

[CSC3] ---, "Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments", CSC-STD-003-85, 25 June 1985.

[CSOR] U.S. Department of Commerce, "General Procedures for Registering Computer Security Objects", National Institute of Standards Interagency Report 5308, December 1993.

[Daem] Daemen, J. and V. Rijmen, "Rijndael, the advanced encryption standard", in "Dr. Dobb's Journal", vol. 26, no. 3, March 2001, pp. 137-139.

[DC6/9] Director of Central Intelligence, "Physical Security Standards for Sensitive Compartmented Information Facilities", DCI Directive 6/9, 18 November 2002.

[Denn] Denning, D., "A Lattice Model of Secure Information Flow", in "Communications of the ACM", vol. 19, no. 5, May 1976, pp. 236-243.

[Denns] Denning, D. and P. Denning, "Data Security", in "ACM Computing Surveys", vol. 11, no. 3, September 1979, pp. 227-249.

[DH76] Diffie, W. and M. Hellman, "New Directions in Cryptography", in "IEEE Transactions on Information Theory", vol. IT-22, no. 6, November 1976, pp. 644-654. (See: Diffie-Hellman-Merkle.)

[DoD1] U.S. DoD, "Department of Defense Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, 26 December 1985. (Supersedes [CSC1].) (Superseded by DoD Directive 8500.1.)

[DoD4] ---, "NSA Key Recovery Assessment Criteria", 8 June 1998.

[DoD5] ---, Directive 5200.1, "DoD Information Security Program", 13 December 1996.

[DoD6] ---, "Department of Defense Technical Architecture Framework for Information Management, Volume 6: Department of Defense (DoD) Goal Security Architecture", Defense Information Systems Agency, Center for Standards, version 3.0, 15 April 1996.
[DoD7] ---, "X.509 Certificate Policy for the United States Department of Defense", version 7, 18 December 2002. (Superseded by [DoD9].)

[DoD9] ---, "X.509 Certificate Policy for the United States Department of Defense", version 9, 9 February 2005.

[DoD10] ---, "DoD Architecture Framework, Version 1: Deskbook", 9 February 2004.

[DSG] American Bar Association, "Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce", Chicago, IL, 1 August 1996. (See: [PAG].)

[ElGa] El Gamal, T., "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", in "IEEE Transactions on Information Theory", vol. IT-31, no. 4, 1985, pp. 469-472.

[EMV1] Europay International S.A., MasterCard International Incorporated, and Visa International Service Association, "EMV '96 Integrated Circuit Card Specification for Payment Systems", version 3.1.1, 31 May 1998.

[EMV2] ---, "EMV '96 Integrated Circuit Card Terminal Specification for Payment Systems", version 3.1.1, 31 May 1998.

[EMV3] ---, "EMV '96 Integrated Circuit Card Application Specification for Payment Systems", version 3.1.1, 31 May 1998.

[F1037] U.S. General Services Administration, "Glossary of Telecommunications Terms", FED STD 1037C, 7 August 1996.

[For94] Ford, W., "Computer Communications Security: Principles, Standard Protocols and Techniques", ISBN 0-13-799453-2, 1994.

[For97] --- and M. Baum, "Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption", ISBN 0-13-476342-4, 1994.

[FP001] U.S. Department of Commerce, "Code for Information Interchange", Federal Information Processing Standards Publication (FIPS PUB) 1, 1 November 1968.
[FP031] ---, "Guidelines for Automatic Data Processing Physical Security and Risk Management", FIPS PUB 31, June 1974.

[FP039] ---, "Glossary for Computer Systems Security", FIPS PUB 39, 15 February 1976.

[FP041] ---, "Computer Security Guidelines for Implementing the Privacy Act of 1974", FIPS PUB 41, 30 May 1975.

[FP046] ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25 October 1999.

[FP074] ---, "Data Encryption Standard (DES)", FIPS PUB 46-3, 25 October 1999.

[FP081] ---, "DES Modes of Operation", FIPS PUB 81, 2 December 1980.

[FP087] ---, "Guidelines for ADP Contingency Planning", FIPS PUB 87, 27 March 1981.

[FP102] ---, "Guideline for Computer Security Certification and Accreditation", FIPS PUB 102, 27 September 1983.

[FP113] ---, "Computer Data Authentication", FIPS PUB 113, 30 May 1985.

[FP140] ---, "Security Requirements for Cryptographic Modules", FIPS PUB 140-2, 25 May 2001; with change notice 4, 3 December 2002.

[FP151] ---, "Portable Operating System Interface (POSIX) -- System Application Program Interface [C Language]", FIPS PUB 151-2, 12 May 1993.

[FP180] ---, "Secure Hash Standard", FIPS PUB 180-2, August 2000; with change notice 1, 25 February 2004.

[FP185] ---, "Escrowed Encryption Standard", FIPS PUB 185, 9 February 1994.

[FP186] ---, "Digital Signature Standard (DSS)", FIPS PUB 186-2, 27 June 2000; with change notice 1, 5 October 2001.

[FP188] ---, "Standard Security Label for Information Transfer", FIPS PUB 188, 6 September 1994.

[FP191] ---, "Guideline for the Analysis of Local Area Network Security", FIPS PUB 191, 9 November 1994.
[FP197] ---, "Advanced Encryption Standard", FIPS PUB 197, 26 November 2001.

[FP199] ---, "Standards for Security Categorization of Federal Information and Information Systems", FIPS PUB 199, December 2003.

[FPKI] ---, "Public Key Infrastructure (PKI) Technical Specifications: Part A -- Technical Concept of Operations", NIST, 4 September 1998.

[Gass] Gasser, M., "Building a Secure Computer System", Van Nostrand Reinhold Company, New York, 1988, ISBN 0-442-23022-2.

[Gray] Gray, J. and A. Reuter, "Transaction Processing: Concepts and Techniques", Morgan Kaufmann Publishers, Inc., 1993.

[Hafn] Hafner, K. and M. Lyon, "Where Wizards Stay Up Late: The Origins of the Internet", Simon & Schuster, New York, 1996.

[Huff] Huff, G., "Trusted Computer Systems -- Glossary", MTR 8201, The MITRE Corporation, March 1981.

[I3166] International Standards Organization, "Codes for the Representation of Names of Countries and Their Subdivisions, Part 1: Country Codes", ISO 3166-1:1997. ---, "Codes for the Representation of Names of Countries and Their Subdivisions, Part 2: Country Subdivision Codes", ISO/DIS 3166-2. ---, "Codes for the Representation of Names of Countries and Their Subdivisions, Part 3: Codes for Formerly Used Names of Countries", ISO/DIS 3166-3.

[I7498-1] ---, "Information Processing Systems -- Open Systems Interconnection Reference Model, [Part 1:] Basic Reference Model", ISO/IEC 7498-1. (Equivalent to ITU-T Recommendation X.200.)

[I7498-2] ---, "Information Processing Systems -- Open Systems Interconnection Reference Model, Part 2: Security Architecture", ISO/IEC 7499-2.

[I7498-4] ---, "Information Processing Systems -- Open Systems Interconnection Reference Model, Part 4: Management Framework", ISO/IEC 7498-4.
[I7812] ---, "Identification cards -- Identification of Issuers, Part 1: Numbering System", ISO/IEC 7812-1:1993. ---, "Identification cards -- Identification of Issuers, Part 2: Application and Registration Procedures", ISO/IEC 7812-2:1993.

[I8073] ---, "Information Processing Systems -- Open Systems Interconnection, Transport Protocol Specification", ISO IS 8073.

[I8327] ---, "Information Processing Systems -- Open Systems Interconnection, Session Protocol Specification", ISO IS 8327.

[I8473] ---, "Information Processing Systems -- Open Systems Interconnection, Protocol for Providing the Connectionless Network Service", ISO IS 8473.

[I8802-2] ---, "Information Processing Systems -- Local Area Networks, Part 2: Logical Link Control", ISO IS 8802-2. (Equivalent to IEEE 802.2.)

[I8802-3] ---, "Information Processing Systems -- Local Area Networks, Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications", ISO IS 8802-3. (Equivalent to IEEE 802.3.)

[I8823] ---, "Information Processing Systems -- Open Systems Interconnection -- Connection-Oriented Presentation Protocol Specification", ISO IS 8823.

[I9945] "Portable Operating System Interface for Computer Environments", ISO/IEC 9945-1: 1990.

[IATF] NSA, "Information Assurance Technical Framework", Release 3, NSA, September 2000. (See: IATF.)

[IDSAN] ---, "Intrusion Detection System Analyzer Protection Profile", version 1.1, NSA, 10 December 2001.

[IDSSC] ---, "Intrusion Detection System Scanner Protection Profile", version 1.1, NSA, 10 December 2001.

[IDSSE] ---, "Intrusion Detection System Sensor Protection Profile", version 1.1, NSA, 10 December 2001.
[IDSSY] ---, "Intrusion Detection System", version 1.4, NSA, 4 February 2002.

[Ioan] Ioannidis, J. and M. Blaze, "The Architecture and Implementation of Network Layer Security in UNIX", in "UNIX Security IV Symposium", October 1993, pp. 29-39.

[ITSEC] "Information Technology Security Evaluation Criteria (ITSEC): Harmonised Criteria of France, Germany, the Netherlands, and the United Kingdom", version 1.2, U.K. Department of Trade and Industry, June 1991.

[JP1] U.S. DoD, "Department of Defense Dictionary of Military and Associated Terms", Joint Publication 1-02, as amended through 13 June 2007.

[John] Johnson, N. and S. Jajodia, "Exploring Steganography; Seeing the Unseen", in "IEEE Computer", February 1998, pp. 26-34.

[Kahn] Kahn, D., "The Codebreakers: The Story of Secret Writing", The Macmillan Company, New York, 1967.

[Knut] Knuth, D., Chapter 3 ("Random Numbers") of Volume 2 ("Seminumerical Algorithms") of "The Art of Computer Programming", Addison-Wesley, Reading, MA, 1969.

[Kuhn] Kuhn, M. and R. Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in David Aucsmith, ed., "Information Hiding, Second International Workshop, IH'98", Portland, Oregon, USA, 15-17 April 1998, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp. 124-142.

[Land] Landwehr, C., "Formal Models for Computer Security", in "ACM Computing Surveys", vol. 13, no. 3, September 1981, pp. 247-278.

[Larm] Larmouth, J., "ASN.1 Complete", Open System Solutions, 1999 (a freeware book).

[M0404] U.S. Office of Management and Budget, "E-Authentication Guidance for Federal Agencies", Memorandum M-04-04, 16 December 2003.

[Mene] Menezes, A. et al, "Some Key Agreement Protocols Providing Implicit Authentication", in "The 2nd Workshop on Selected Areas in Cryptography", 1995.
[Moor] Moore, A. et al, "Attack Modeling for Information Security and Survivability", Carnegie Mellon University / Software Engineering Institute, CMU/SEI-2001-TN-001, March 2001.

[Murr] Murray, W., "Courtney's Laws of Security", in "Infosecurity News", March/April 1993, p. 65.

[N4001] National Security Telecommunications and Information System Security Committee, "Controlled Cryptographic Items", NSTISSI No. 4001, 25 March 1985.

[N4006] ---, "Controlled Cryptographic Items", NSTISSI No. 4006, 2 December 1991.

[N7003] ---, "Protective Distribution Systems", NSTISSI No. 7003, 13 December 1996.

[NCS01] National Computer Security Center, "A Guide to Understanding Audit in Trusted Systems", NCSC-TG-001, 1 June 1988. (See: Rainbow Series.)

[NCS03] ---, "Information System Security Policy Guideline", I942-TR-003, version 1, July 1994. (See: Rainbow Series.)

[NCS04] ---, "Glossary of Computer Security Terms", NCSC-TG-004, version 1, 21 October 1988. (See: Rainbow Series.)

[NCS05] ---, "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria", NCSC-TG-005, version 1, 31 July 1987. (See: Rainbow Series.)

[NCS25] ---, "A Guide to Understanding Data Remanence in Automated Information Systems", NCSC-TG-025, version 2, September 1991. (See: Rainbow Series.)

[NCSSG] National Computer Security Center, "COMPUSECese: Computer Security Glossary", NCSC-WA-001-85, Edition 1, 1 October 1985. (See: Rainbow Series.)

[NRC91] National Research Council, "Computers At Risk: Safe Computing in the Information Age", National Academy Press, 1991.

[NRC98] Schneider, F., ed., "Trust in Cyberspace", National Research Council, National Academy of Sciences, 1998.

[Padl] Padlipsky, M., "The Elements of Networking Style", 1985, ISBN 0-13-268111-0.
[PAG] American Bar Association, "PKI Assessment Guidelines", version 1.0, 10 May 2002. (See: [DSG].)

[Park] Parker, D., "Computer Security Management", ISBN 0-8359-0905-0, 1981.

[Perr] Perrine, T. et al, "An Overview of the Kernelized Secure Operating System (KSOS)", in "Proceedings of the 7th DoD/NBS Computer Security Conference", 24-26 September 1984.

[PGP] Garfinkel, S., "PGP: Pretty Good Privacy", O'Reilly & Associates, Inc., Sebastopol, CA, 1995.

[PKCS] Kaliski Jr., B., "An Overview of the PKCS Standards", RSA Data Security, Inc., 3 June 1991.

[PKC05] RSA Laboratories, "PKCS #5: Password-Based Encryption Standard", version 1.5, 1 November 1993. (See: RFC 2898.)

[PKC07] ---, "PKCS #7: Cryptographic Message Syntax Standard", version 1.5, 1 November 1993. (See: RFC 2315.)

[PKC10] ---, "PKCS #10: Certification Request Syntax Standard", version 1.0, 1 November 1993.

[PKC11] ---, "PKCS #11: Cryptographic Token Interface Standard", version 1.0, 28 April 1995.

[PKC12] ---, "PKCS #12: Personal Information Exchange Syntax", version 1.0, 24 June 1995.

[R1108] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

[R1135] Reynolds, J., "The Helminthiasis of the Internet", RFC 1135, December 1989.

[R1208] Jacobsen, O. and D. Lynch, "A Glossary of Networking Terms", RFC 1208, March 1991.

[R1281] Pethia, R., Crocker, S., and B. Fraser, "Guidelines for Secure Operation of the Internet", RFC 1281, November 1991.

[R1319] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.

[R1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.
[R1321] ---, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[R1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.

[R1413] St. Johns, M., "Identification Protocol", RFC 1413, February 1993.

[R1421] Linn, J., "Privacy Enhancement for Internet Electronic Mail, Part I: Message Encryption and Authentication Procedures", RFC 1421, February 1993.

[R1422] Kent, S., "Privacy Enhancement for Internet Electronic Mail, Part II: Certificate-Based Key Management", RFC 1422, February 1993.

[R1455] Eastlake 3rd, D., "Physical Link Security Type of Service", RFC 1455, May 1993.

[R1457] Housley, R., "Security Label Framework for the Internet", RFC 1457, May 1993.

[R1492] Finseth, C., "An Access Control Protocol, Sometimes Called TACACS", RFC 1492, July 1993.

[R1507] Kaufman, C., "DASS: Distributed Authentication Security Service", RFC 1507, September 1993.

[R1731] Myers, J., "IMAP4 Authentication Mechanisms", RFC 1731, December 1994.

[R1734] ---, "POP3 AUTHentication Command", RFC 1734, December 1994.

[R1760] Haller, N., "The S/KEY One-Time Password System", RFC 1760, February 1995.

[R1824] Danisch, H., "The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)", RFC 1824, August 1995.

[R1828] Metzger, P. and W. Simpson, "IP Authentication using Keyed MD5", RFC 1828, August 1995.

[R1829] Karn, P., Metzger, P., and W. Simpson, "The ESP DES-CBC Transform", RFC 1829, August 1995.
[R1848] Crocker, S., Freed, N., Galvin, J., and S. Murphy, "MIME Object Security Services", RFC 1848, October 1995.

[R1851] Karn, P., Metzger, P., and W. Simpson, "The ESP Triple DES Transform", RFC 1851, September 1995.

[R1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and L. Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996.

[R1958] Carpenter, B., "Architectural Principles of the Internet", RFC 1958, June 1996.

[R1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.

[R1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[R2078] Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2078, January 1997. (Superseded by RFC 2743.)

[R2084] Bossert, G., Cooper, S., and W. Drummond, "Considerations for Web Transaction Security", RFC 2084, January 1997.

[R2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[R2144] Adams, C., "The CAST-128 Encryption Algorithm", RFC 2144, May 1997.

[R2179] Gwinn, A., "Network Security For Trade Shows", RFC 2179, July 1997.

[R2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, September 1997.

[R2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, September 1997.

[R2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, September 1997.

[R2222] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997.
[R2289] Haller, N., Metz, C., Nesser, P., and M. Straw, "A One-Time Password System", STD 61, RFC 2289, February 1998.

[R2323] Ramos, A., "IETF Identification and Security Guidelines", RFC 2323, 1 April 1998. (Intended for humorous entertainment -- "please laugh loud and hard" -- and does not contain serious security information.)

[R2350] Brownlee, N. and E. Guttman, "Expectations for Computer Security Incident Response", BCP 21, RFC 2350, June 1998.

[R2356] Montenegro, G. and V. Gupta, "Sun's SKIP Firewall Traversal for Mobile IP", RFC 2356, June 1998.

[R2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[R2402] ---, "IP Authentication Header", RFC 2402, November 1998.

[R2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH", RFC 2403, November 1998.

[R2404] ---, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November 1998.

[R2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm With Explicit IV", RFC 2405, November 1998.

[R2406] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[R2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[R2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.

[R2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and Its Use With IPsec", RFC 2410, November 1998.

[R2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998.

[R2451] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher Algorithms", RFC 2451, November 1998.
[R2504] Guttman, E., Leong, L., and G. Malkin, "Users' Security Handbook", RFC 2504, February 1999.

[R2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999.

[R2612] Adams, C. and J. Gilchrist, "The CAST-256 Encryption Algorithm", RFC 2612, June 1999.

[R2628] Smyslov, V., "Simple Cryptographic Program Interface (Crypto API)", RFC 2628, June 1999.

[R2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999. (See: Diffie-Hellman-Merkle.)

[R2634] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.

[R2635] Hambridge, S. and A. Lunde, "DON'T SPEW: A Set of Guidelines for Mass Unsolicited Mailings and Postings", RFC 2635, June 1999.

[R2660] Rescorla, E. and A. Schiffman, "The Secure HyperText Transfer Protocol", RFC 2660, August 1999.

[R2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000.

[R2773] Housley, R., Yee, P., and W. Nace, "Encryption using KEA and SKIPJACK", RFC 2773, February 2000.

[R2801] Burdett, D., "Internet Open Trading Protocol - IOTP, Version 1.0", RFC 2801, April 2000.

[R2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.

[R2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[R3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.
[R3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001.

[R3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[R3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "Group Domain of Interpretation", RFC 3547, July 2003.

[R3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", RFC 3552, July 2003.

[R3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S. Wu, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3647, November 2003.

[R3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 Public Key Infrastructure: Qualified Certificates Profile", RFC 3739, March 2004.

[R3740] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004.

[R3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

[R3766] Orman, H. and P. Hoffman, "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, April 2004.

[R3820] Tuecke, S., Welch, V., Engert, D., Pearlman, L., and M. Thompson, "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile", RFC 3820, June 2004.

[R3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.

[R3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004.
[R4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

[R4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

[R4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

[R4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[R4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005.

[R4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. Nicholas, "Internet X.509 Public Key Infrastructure: Certification Path Building", RFC 4158, September 2005.

[R4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, September 2005.

[R4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[R4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005.

[R4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

[R4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.

[R4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.

[R4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006.
[Raym] Raymond, E., ed., "The On-Line Hacker Jargon File", version 4.0.0, 24 July 1996. (See: http://www.catb.org/~esr/jargon for the latest version. Also, "The New Hacker's Dictionary", 3rd edition, MIT Press, September 1996, ISBN 0-262-68092-0.)

[Roge] Rogers, H., "An Overview of the CANEWARE Program", in "Proceedings of the 10th National Computer Security Conference", NIST and NCSC, September 1987.

[RSA78] Rivest, R., A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", in "Communications of the ACM", vol. 21, no. 2, February 1978, pp. 120-126.

[RSCG] NSA, "Router Security Configuration Guide: Principles and Guidance for Secure Configuration of IP Routers, with Detailed Instructions for Cisco Systems Routers", version 1.1c, C4-040R-02, 15 December 2005, available at http://www.nsa.gov/snac/routers/C4-040R-02.pdf.

[Russ] Russell, D. et al, Chapter 10 ("TEMPEST") of "Computer Security Basics", ISBN 0-937175-71-4, 1991.

[SAML] Organization for the Advancement of Structured Information Standards (OASIS), "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)", version 1.1, 2 September 2003.

[Sand] Sandhu, R. et al, "Role-Based Access Control Models", in "IEEE Computer", vol. 29, no. 2, February 1996, pp. 38-47.

[Schn] Schneier, B., "Applied Cryptography Second Edition", John Wiley & Sons, Inc., New York, 1996.

[SDNS3] U.S. DoD, NSA, "Secure Data Network Systems, Security Protocol 3 (SP3)", document SDN.301, Revision 1.5, 15 May 1989.

[SDNS4] ---, "Secure Data Network Systems, Security Protocol 4 (SP4)", document SDN.401, Revision 1.2, 12 July 1988.

[SDNS7] ---, "Secure Data Network Systems, Message Security Protocol (MSP)", SDN.701, Revision 4.0, 7 June 1996, with "Corrections to Message Security Protocol, SDN.701, Rev 4.0, 96-06-07", 30 August 1996.
[SET1] MasterCard and Visa, "SET Secure Electronic Transaction Specification, Book 1: Business Description", version 1.0, 31 May 1997.

[SET2] ---, "SET Secure Electronic Transaction Specification, Book 2: Programmer's Guide", version 1.0, 31 May 1997.

[SKEME] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange Mechanism for Internet", in "Proceedings of the 1996 Symposium on Network and Distributed Systems Security".

[SKIP] "SKIPJACK and KEA Algorithm Specifications", version 2.0, 22 May 1998, and "Clarification to the SKIPJACK Algorithm Specification", 9 May 2002 (available from NIST Computer Security Resource Center).

[SP12] NIST, "An Introduction to Computer Security: The NIST Handbook", Special Publication 800-12.

[SP14] Swanson, M. et al (NIST), "Generally Accepted Principles and Practices for Security Information Technology Systems", Special Publication 800-14, September 1996.

[SP15] Burr, W. et al (NIST), "Minimum Interoperability Specification for PKI Components (MISPC), Version 1", Special Publication 800-15, September 1997.

[SP22] Rukhin, A. et al (NIST), "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", Special Publication 800-15, 15 May 2001.

[SP27] Stoneburner, G. et al (NIST), "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", Special Publication 800-27 Rev A, June 2004.

[SP28] Jansen, W. (NIST), "Guidelines on Active Content and Mobile Code", Special Publication 800-28, October 2001.

[SP30] Stoneburner, G. et al (NIST), "Risk Management Guide for Information Technology Systems", Special Publication 800-30, October 2001.

[SP31] Bace, R. et al (NIST), "Intrusion Detection Systems", Special Publication 800-31.

[SP32] Kuhn, D. (NIST), "Introduction to Public Key Technology and the Federal PKI Infrastructure", Special Publication 800-32, 26 February 2001.
[SP33] Stoneburner, G. (NIST), "Underlying Technical Models for Information Technology Security", Special Publication 800-33, December 2001. [SP37] Ross, R. et al (NIST), "Guide for the Security Certification and Accreditation of Federal Information Systems", Special Publication 800-37, May 2004. [SP38A] Dworkin, M. (NIST), "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", Special Publication 800-38A, 2001 Edition, December 2001. [SP38B] ---, "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication", Special Publication 800-38B, May 2005. [SP38C] ---, "Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality", Special Publication 800-38C, May 2004. [SP41] Wack, J. et al (NIST), "Guidelines on Firewalls and Firewall Policy", Special Publication 800-41, January 2002. [SP42] ---, "Guideline on Network Security Testing", Special Publication 800-42, October 2003. [SP56] NIST, "Recommendations on Key Establishment Schemes", Draft 2.0, Special Publication 800-63, January 2003. [SP57] ---, "Recommendation for Key Management", Part 1 "General Guideline" and Part 2 "Best Practices for Key Management Organization", Special Publication 800-57, DRAFT, January 2003. [SP61] Grance, T. et al (NIST), "Computer Security Incident Handling Guide", Special Publication 800-57, January 2003. [SP63] Burr, W. et al (NIST), "Electronic Authentication Guideline", Special Publication 800-63, June 2004 [SP67] Barker, W. (NIST), "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher", Special Publication 800-67, May 2004 [Stal] Stallings, W., "Local Networks", 1987, ISBN 0-02-415520-9.
[Stei] Steiner, J. et al, "Kerberos: An Authentication Service for Open Network Systems", in "Usenix Conference Proceedings", February 1988. [Weis] Weissman, C., "Blacker: Security for the DDN: Examples of A1 Security Engineering Trades", in "Symposium on Security and Privacy", IEEE Computer Society Press, May 1992, pp. 286- 292. [X400] International Telecommunications Union -- Telecommunication Standardization Sector (formerly "CCITT"), Recommendation X.400, "Message Handling Services: Message Handling System and Service Overview". [X419] ---, "Message Handling Systems: Protocol Specifications", ITU-T Recommendation X.419. (Equivalent to ISO 10021-6). [X420] ---, "Message Handling Systems: Interpersonal Messaging System", ITU-T Recommendation X.420. (Equivalent to ISO 10021-7.). [X500] ---, Recommendation X.500, "Information Technology -- Open Systems Interconnection -- The Directory: Overview of Concepts, Models, and Services". (Equivalent to ISO 9594-1.) [X501] ---, Recommendation X.501, "Information Technology -- Open Systems Interconnection -- The Directory: Models". [X509] ---, Recommendation X.509, "Information Technology -- Open Systems Interconnection -- The Directory: Authentication Framework", COM 7-250-E Revision 1, 23 February 2001. (Equivalent to ISO 9594-8.) [X519] ---, Recommendation X.519, "Information Technology -- Open Systems Interconnection -- The Directory: Protocol Specifications". [X520] ---, Recommendation X.520, "Information Technology -- Open Systems Interconnection -- The Directory: Selected Attribute Types". [X680] ---, Recommendation X.680, "Information Technology -- Abstract Syntax Notation One (ASN.1) -- Specification of Basic Notation", 15 November 1994. (Equivalent to ISO/IEC 8824-1.)
[X690] ---, Recommendation X.690, "Information Technology -- ASN.1 Encoding Rules -- Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", 15 November 1994. (Equivalent to ISO/IEC 8825-1.)8. Acknowledgments
George Huff had a good idea! [Huff]

Author's Address

Dr. Robert W. Shirey
3516 N. Kensington St.
Arlington, Virginia 22207-1328
USA

EMail: rwshirey4949@verizon.net
Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78 and at www.rfc-editor.org/copyright.html, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.