iPlanet Trustbase Transaction Manager 2.2.1 Utility Guide



Glossary of Terms


This chapter defines the terms used throughout this guide, in two groups: security-related terms and server (iPlanet Trustbase Transaction Manager) definitions.


Security related terms

3DES. Triple DES: the DES block cipher applied three times (encrypt, decrypt, encrypt) with two or three independent 56-bit keys, giving an effective key of 112 or 168 bits. It keeps DES's 64-bit block size.

Application protocol. An application protocol is a protocol that normally layers directly on top of the transport layer (e.g., TCP/IP). Examples include HTTP, TELNET, FTP, and SMTP.

Asymmetric cipher. See Public key cryptography.

ASN.1. Abstract Syntax Notation One, the notation in which X.509 certificates and CRLs are defined. BER and DER specify how ASN.1 values are encoded into bytes.

Authentication. The process by which one entity verifies the claimed identity of another entity.

base64. An encoding of arbitrary binary data as text, using a 65-character subset of U.S. ASCII (64 data characters plus "=" for padding). It is an encoding, not encryption: anyone can reverse it.

BBS. Blum Blum Shub, a cryptographically secure pseudo-random number generator whose security rests on the difficulty of factoring.

BER. Basic Encoding Rules, the ASN.1 encoding rules used with X.509. BER permits the same value to be encoded in several ways; see DER.

Block cipher. A block cipher is an algorithm that operates on plaintext in fixed-size groups of bits, called blocks. 64 bits is a typical block size (DES, 3DES and IDEA all use 64-bit blocks).

Bulk cipher. A symmetric encryption algorithm used to encrypt large quantities of data.

Cipher Block Chaining Mode (CBC). CBC is a mode in which every plaintext block is eXclusive-OR-ed with the previous ciphertext block (or, for the first block, with the initialization vector) before it is encrypted with the block cipher. The IV must be unpredictable and never reused with the same key; with a repeated IV, messages that begin with the same plaintext produce the same leading ciphertext.

Certificate. An X.509 certificate (X.509 being the ITU-T/ISO authentication framework) binds a subject's identity to its public key. It is issued and digitally signed by a Certificate Authority (CA); a party that trusts the CA verifies the signature and can then rely on the identity and public key the certificate contains.

Client. The application entity that initiates a connection to a server.

Client write key. The key used to encrypt data written by the client.

Client write MAC secret. The secret data used to authenticate data written by the client.

Connection. A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer to peer relationships. The connections are transient. Every connection is associated with one session.

CRL. Certificate Revocation List. A list, signed by a Certificate Authority, of the serial numbers of certificates the CA has revoked before their expiry date (for example because the private key was compromised). A verifier must consult the CRL, because a revoked certificate still carries a valid CA signature and is still within its validity period.

Data Encryption Standard (DES). DES is a very widely used symmetric block cipher with a 64-bit block and a 56-bit key. The 56-bit key is too short to resist brute-force search with current hardware; 3DES is the usual replacement.

DER. Distinguished Encoding Rules, the subset of BER that permits exactly one encoding for each ASN.1 value. X.509 certificates are DER-encoded so that the bytes covered by the CA's signature are unambiguous.

DH. Diffie-Hellman, a public-key algorithm for key agreement: each party combines its own private value with the other's public value and both arrive at the same shared secret over an untrusted channel. DH does not itself encrypt or sign data; the agreed secret is used to key a symmetric (bulk) cipher.

Digital Signature Standard (DSS). A standard for digital signing, including the Digital Signature Algorithm (DSA), approved by the National Institute of Standards and Technology and defined in NIST FIPS PUB 186, "Digital Signature Standard," published May 1994 by the U.S. Dept. of Commerce.

Digital signatures. Digital signatures utilise public key cryptography and one-way hash functions to produce a signature of the data that can be authenticated, and is difficult to forge or repudiate.

DSA. Digital Signature Algorithm.

Handshake. An initial negotiation between client and server that establishes the parameters of their transactions.

Initialization Vector (IV). When a block cipher is used in CBC mode, the initialisation vector is eXclusive-OR-ed with the first plaintext block prior to encryption. A fresh, unpredictable IV must be used for every message encrypted under the same key.

IDEA. International Data Encryption Algorithm, a 64-bit block cipher with a 128-bit key, designed by Xuejia Lai and James Massey.

Message Authentication Code (MAC). A short tag computed from a message and a secret key, typically with a keyed one-way hash function (e.g. HMAC). Only holders of the key can generate or verify the tag, so a valid MAC shows both that the message was not altered and that it came from a key holder. The receiver must compare the tag in constant time to avoid leaking how many bytes matched.

Master secret. Secure secret data used for generating encryption keys, MAC secrets, and IVs.
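The following Python is an added worked example, not code from the iPlanet Trustbase Transaction Manager or its documentation. It ties together the terms above: a block cipher run in CBC mode with an IV, a MAC computed with the client write MAC secret, and encryption with the client write key, in the MAC-then-encrypt order SSL uses for a record. The 64-bit Feistel cipher inside it is a stand-in toy (an assumption, not DES or any real cipher) so the code runs without third-party libraries; the keys, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8       # 64-bit blocks, the size DES, 3DES and IDEA use
MAC_LEN = 20    # SHA-1 HMAC output length, as in SSL 3.0 / TLS 1.0 record MACs


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: a keyed hash truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block cipher (assumed for illustration only; NOT a secure cipher)."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left          # undo the final swap


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: the same rounds in reverse order."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first) before encryption."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def protect_record(write_key: bytes, mac_secret: bytes, iv: bytes, seq: int, data: bytes) -> bytes:
    """Sender: MAC over sequence number || data with the write MAC secret, then
    CBC-encrypt data || MAC || padding with the write key (SSL's MAC-then-encrypt order)."""
    tag = hmac.new(mac_secret, seq.to_bytes(8, "big") + data, hashlib.sha1).digest()
    body = data + tag
    n = BLOCK - len(body) % BLOCK              # always at least one padding byte
    return cbc_encrypt(write_key, iv, body + bytes([n]) * n)


def unprotect_record(write_key: bytes, mac_secret: bytes, iv: bytes, seq: int, record: bytes) -> bytes:
    """Receiver. Padding and MAC failures raise the same error, so a sender probing
    the receiver cannot tell them apart (the padding-oracle mistake)."""
    if not record or len(record) % BLOCK:
        raise ValueError("record rejected")
    plain = cbc_decrypt(write_key, iv, record)
    n = plain[-1]
    padding_ok = 1 <= n <= BLOCK and plain[-n:] == bytes([n]) * n and len(plain) >= n + MAC_LEN
    body = plain[:-n] if padding_ok else b""
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_secret, seq.to_bytes(8, "big") + data, hashlib.sha1).digest()
    if not (padding_ok and hmac.compare_digest(tag, expected)):
        raise ValueError("record rejected")
    return data


def record_accepted(write_key: bytes, mac_secret: bytes, iv: bytes, seq: int, record: bytes) -> bool:
    try:
        unprotect_record(write_key, mac_secret, iv, seq, record)
        return True
    except ValueError:
        return False


# Constructed sample parameters (not taken from any real handshake).
CLIENT_WRITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT_WRITE_MAC_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0aabbccdd")
IV = bytes.fromhex("0123456789abcdef")
```

The sequence number inside the MAC is what stops a captured record being replayed later under a different sequence number. Encrypting the same plaintext twice under the same key and IV yields byte-identical records, which is what the IV rule above guards against.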

MD5. MD5 is a one-way hash function that converts an arbitrarily long data stream into a 128-bit (16-byte) digest. Practical collision attacks against MD5 have since been published, so it should not be relied on where collision resistance matters, such as in digital signatures.

MIME. Multipurpose Internet Mail Extensions.

PBE. Password-based encryption: a key is derived from a password (together with a salt and many hash iterations) and used with a symmetric cipher.

PEM. Privacy Enhanced Mail. Also the name of the common text container for keys and certificates: the DER bytes, base64-encoded, between "-----BEGIN ...-----" and "-----END ...-----" lines.

Public Key Infrastructure (PKI). The certificate authorities, certificates, revocation mechanisms (such as CRLs), policies and protocols needed to issue, distribute, validate and revoke public keys, so that parties can authenticate each other online.

Public key cryptography. A class of cryptographic techniques employing two-key ciphers. Messages encrypted with the public key can only be decrypted with the associated private key. Conversely, messages signed with the private key can be verified with the public key.

One-way hash function. A one-way transformation that converts an arbitrary amount of data into a fixed-length hash. It is computationally hard to reverse the transformation or to find collisions. MD5 and SHA are examples of one-way hash functions.

OSI. Open Systems Inter-Connection.

RC2, RC4. Proprietary bulk ciphers from RSA Data Security, Inc. RC2 is a block cipher and RC4 is a stream cipher. RC4's keystream has known statistical biases and it is no longer considered secure.

RFC. Request for Comments: the series of documents in which Internet protocols and standards are published.

RSA. A very widely used public-key algorithm that can be used for either encryption or digital signing.

Salt. Non-secret random data mixed with a password before key derivation (see PBE), so that equal passwords yield different keys and an attacker cannot reuse a table of keys precomputed for common passwords.
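An added example of salted password-based key derivation, not code from this product: each enrolment draws a fresh salt, the salt is stored in the clear next to the derived key, and verification re-derives the key with the stored salt. PBKDF2-HMAC-SHA256 from the Python standard library is the derivation function assumed here; the iteration count is a constructed work factor, and the passwords are sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor: slows each guess for an attacker as much as for the verifier


def derive_key(password: str, salt: bytes, length: int = 16) -> bytes:
    """Password-based key derivation (PBKDF2-HMAC-SHA256); the salt is mixed in with the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, length)


def enrol(password: str) -> tuple:
    """Return (salt, key). The salt is random per enrolment and is stored alongside the key; it is not secret."""
    salt = os.urandom(16)
    return salt, derive_key(password, salt)


def verify(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive_key(password, salt), stored_key)
```

Because the salt enters the derivation, a table of keys precomputed from a password dictionary is only useful against the one salt it was built for; the attacker must redo the full derivation, at ITERATIONS cost per guess, for every salt.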

Server. The server is the application entity that responds to requests for connections from clients. The server is passive, waiting for requests from clients.

Server write key. The key used to encrypt data written by the server.

Server write MAC secret. The secret data used to authenticate data written by the server.

Session. A SSL session is an association between a client and a server. Sessions are created by the handshake protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

Session identifier. A session identifier is a value generated by a server that identifies a particular session.

SHA. The Secure Hash Algorithm (SHA-1) is defined in FIPS PUB 180-1. It produces a 20-byte (160-bit) digest. Like MD5, SHA-1 is no longer considered collision resistant.

SSL. Secure Sockets Layer, the protocol whose handshake, sessions and connections are described in this glossary. Superseded by TLS.

Stream cipher. An encryption algorithm that expands a key into a cryptographically strong keystream, which is then eXclusive-OR-ed with the plaintext. A keystream must never be used for two messages: XORing the two ciphertexts cancels it and exposes the XOR of the plaintexts.

Symmetric cipher. A cipher in which the same secret key is used for encryption and decryption. See also Bulk cipher.

TLS. Transport Layer Security, the IETF successor to SSL 3.0, defined in RFC 2246.

X690. ITU-T X.690, the specification of the ASN.1 encoding rules BER, CER and DER (the ASN.1 notation itself is defined in X.680).

X509. ITU-T X.509, the authentication framework that defines the format of public key certificates and CRLs. They are written in ASN.1, encoded with DER (a subset of BER) and commonly transported base64-encoded in PEM files.
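An added worked example, not code from this product, showing how the base64, BER/DER, PEM and X.509 entries fit together: a small ASN.1 SEQUENCE is DER-encoded, wrapped in a PEM container, unwrapped and parsed back. The parser enforces the DER rule that each value has exactly one encoding (definite, minimal-length headers) and rejects the BER alternatives, which is the check a verifier needs before trusting that the signed bytes are the ones it parsed. The sample structure is constructed for illustration and is not a real X.509 certificate; the tag set decoded is deliberately limited to SEQUENCE, INTEGER and PrintableString.

```python
import base64
import textwrap

SEQUENCE, INTEGER, PRINTABLE_STRING = 0x30, 0x02, 0x13   # ASN.1 universal tags


def der_length(n: int) -> bytes:
    """DER length: short form below 128; otherwise 0x80|count followed by the minimal big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Minimal two's-complement encoding (a leading 0x00 is required when the top bit is set)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return der_tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def der_printable_string(s: str) -> bytes:
    return der_tlv(PRINTABLE_STRING, s.encode("ascii"))


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(SEQUENCE, b"".join(items))


def parse_tlv(buf: bytes, pos: int = 0):
    """Parse one tag-length-value at buf[pos:]; returns (tag, content, next_pos).
    Rejects what DER forbids but BER allows: indefinite length and non-minimal length bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        count = first & 0x7F
        lbytes = buf[pos + 2:pos + 2 + count]
        length = int.from_bytes(lbytes, "big")
        if len(lbytes) != count or lbytes[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        hdr = 2 + count
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[start:start + length], start + length


def der_decode(buf: bytes):
    """SEQUENCE -> list, INTEGER -> int, PrintableString -> str; anything else is rejected."""
    tag, content, end = parse_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after element")
    if tag == SEQUENCE:
        items, pos = [], 0
        while pos < len(content):
            _, _, nxt = parse_tlv(content, pos)
            items.append(der_decode(content[pos:nxt]))
            pos = nxt
        return items
    if tag == INTEGER:
        return int.from_bytes(content, "big", signed=True)
    if tag == PRINTABLE_STRING:
        return content.decode("ascii")
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def is_valid_der(buf: bytes) -> bool:
    try:
        der_decode(buf)
        return True
    except (ValueError, IndexError):
        return False


def pem_encode(label: str, der: bytes) -> str:
    """PEM container: base64 of the DER bytes in 64-column lines between BEGIN/END markers."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_decode(pem: str, label: str) -> bytes:
    lines = pem.strip().splitlines()
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError("unexpected PEM label")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


# Constructed sample: a certificate-like SEQUENCE { version INTEGER, serial INTEGER, issuer PrintableString }.
SAMPLE_DER = der_sequence(der_integer(2), der_integer(0x1234567890), der_printable_string("iPlanet Trustbase"))
```

base64.b64decode is called with validate=True so stray characters inside the PEM body are an error rather than silently skipped, and the PEM label is checked so a PRIVATE KEY block cannot be handed to code expecting a CERTIFICATE.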


Server Definitions



API. Application Programming Interface.

ASP. Active Server Pages

Attribute. An attribute is a string value that may be used in conjunction with a set of rules by the router to determine the next action to perform. Attributes are used to populate contexts with information about a message.

Business Logic. Business logic is the 'user' code in the system. Business logic executes tasks such as 'debit account', 'retrieve balance' etc.

Configurable Entity. Any Service or component that uses Configuration Objects and the Configuration Manager.

Configuration Object. Configuration Objects hold persistent configuration data for services.

Configuration Service. A Service that implements a read-write interface to the Configuration Object.

Connection Manager. Describes the process by which iPlanet Trustbase Transaction Manager communicates with external entities. It utilises the following objects to accomplish this task: Protocol Maps, Protocol Analysers, Handlers, Message Readers and Writers.

Connector. The Connector is the main Connection Manager interface. It makes requests external to iPlanet Trustbase Transaction Manager. It takes an iPlanet Trustbase Transaction Manager Message containing the request, and a Destination Object describing the endpoint for the request.

Context. Keeps a record of the current state of a given transaction.

Context Directive. The action components that make up a ruleset.

CORBA. Common Object Request Broker Architecture.

CSS. Cascading Stylesheet.

Destination. Represents the destination of an external request, made by the Connector. An application specifies an implementation of Destination, and a ProtocolMap that can transform the destination into a ProtocolDescriptor for the Connector, which can then make and manage the actual connection.

Directive. The 'action' part of a rule that is executed when the preconditions are true.

DMZ. De-militarised Zone.

DOM. Document Object Model.

DTD. Document Type Definition.

EJB. Enterprise Java Bean.

Environment. A set of contexts that are associated with a particular message.

Host Environment Adaptor. The environment adapter forms the interface between a host such as a web server or application server and iPlanet Trustbase Transaction Manager itself.

HSM. Hardware Security Module.

HTML. HyperText Markup Language.

IDL. Interface Definition Language.

JDBC. Java Database Connectivity.

JWS. Java Web Server.

lastService. An attribute containing the name of the most recently executed service.

MessageType. An attribute contained within a message which holds the type of a given message. Message types are externally defined by the user.

Message. An internal representation of a request from the user or a response from the server. Messages are routed within the system.

Message Analyser. Provides the logic to identify which message reader or writer to use for a particular message based on the transport and the external format of the content.

Message Log Manager. Instantiates and allows access to Message Loggers. The message loggers are selected according to the MIME type they have registered interest in.

Message Logger. Logs incoming and outgoing messages in their raw unprocessed form. The log can then be later queried and manipulated through the logManager or directly through the back end database engine.

Message Reader. A Message Reader parses the remaining content of a Message from the InputStream into the Message's content field. Message Readers may be part of an application and have specific knowledge of Message types, or they may be general purpose and have general knowledge of Message formats.

Message Registry. A section of the tbase.properties file that provides a mapping between a message type and the message readers and writers used to process it.

Message Writer. A Message Writer translates processed Message objects into the client's required presentation protocol and writes the results onto an Output Stream provided by the Protocol Analyser.

NAS. Netscape Application Server

NSK. Non Stop Kernel

OAS. Oracle Application Server.

PKI. Public Key Infrastructure.

Precondition. A precondition is a boolean expression that must be true for its corresponding directive to be executed. Preconditions are expressed in terms of attributes and their values. There are two types of precondition: an assertion that an attribute with a particular name exists, and an assertion that the attribute with a given name not only exists but has a specific value.

Private Rule Set Repository. A collection of rule sets that ships with the iPlanet Trustbase Transaction Manager and allows built in services (such as the configuration services) to function.

Protocol Analyser. Provides the logic to identify which protocol handler to use for a particular message type.

Protocol Descriptor. Holds a description of the endpoint, transport and presentation protocols for a connection, in the form of a URL, together with the format of the message to be sent, as a MIME type. Implements Destination, so it can be used with the SimpleProtocolMap for direct Destination addressing.

Protocol Handler. The Protocol Handler component extracts the message type and context ID from the header of a message. There is usually one protocol handler per message class, e.g. iPlanet Trustbase Transaction Manager messaging, OFX etc. The protocol handler then passes the message on to the Message Analyser.

Protocol Map. An application specifies ProtocolMap implementations to map its Destination implementations to URLs and MIME types that the Connector can use to make an actual connection.

Protocol Map Manager. Manages a set of ProtocolMap implementations, selecting an appropriate ProtocolMap to translate a particular Destination implementation into a ProtocolDescriptor.

Public Rule Set Repository. A user-configurable collection of user-defined Rule Sets. Rules in the Private Rule Set Repository take precedence over rules in the Public Rule Set Repository.

RMI. Remote Method Invocation.

Role. Role is not a set of attributes; it is the name of one particular attribute that the system recognises. There are several such attributes, including:

   lastService - the name of the most recently executed service
   messageType - the type of a given message
   role - a string representing the capacity in which the user is using the system, e.g. role=operator, role=administrator

Router. The router provides a mechanism for imposing structure and ordering on the execution of services in a secure way which doesn't necessitate code changes.

Rule. A Rule contains three components: a Rule Name, Precondition and Directive. If the precondition is true then the directive is executed.

Rule Name. Every rule has a name. The rule is referred to by its name in the context of a ruleset.

Ruleset. A collection of rules that route messages to one or more services to achieve a given task.
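An added worked example, not code from the iPlanet Trustbase Transaction Manager, of the routing model the entries above describe: a Context of named attributes, Preconditions of the two kinds (attribute exists; attribute exists with a given value), Rules that pair a Precondition with a Directive naming a Service, Rule Sets grouped by task, a Service Registry, and a Router that consults the private repository before the public one. The service bodies, rule names, attribute values and the choice to resolve precedence at the level of a whole Rule Set for a task are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Context = Dict[str, str]          # attribute name -> string value


@dataclass
class Precondition:
    """value is None: the attribute need only exist. Otherwise it must exist and equal value."""
    attribute: str
    value: Optional[str] = None

    def holds(self, ctx: Context) -> bool:
        if self.attribute not in ctx:
            return False
        return self.value is None or ctx[self.attribute] == self.value


@dataclass
class Rule:
    name: str
    precondition: Precondition
    directive: str                # name of the service to run when the precondition holds


@dataclass
class RuleSet:
    task: str
    rules: List[Rule]


# Service Registry: service name -> callable implementing the business logic (sample services).
SERVICES: Dict[str, Callable[[Context], None]] = {}


def service(name: str):
    def register(fn: Callable[[Context], None]):
        SERVICES[name] = fn
        return fn
    return register


@service("checkRole")
def check_role(ctx: Context) -> None:
    ctx["authorised"] = "yes" if ctx.get("role") in ("operator", "administrator") else "no"


@service("debitAccount")
def debit_account(ctx: Context) -> None:
    ctx["balance"] = str(int(ctx["balance"]) - int(ctx["amount"]))


@service("auditLog")
def audit_log(ctx: Context) -> None:
    ctx["audited"] = "yes"


@service("privateConfigService")
def private_config(ctx: Context) -> None:
    ctx["configSource"] = "private"


@service("publicConfigService")
def public_config(ctx: Context) -> None:
    ctx["configSource"] = "public"


# Rule set repositories (constructed sample data). A task present in both is served from the private one.
PRIVATE_REPO: Dict[str, RuleSet] = {
    "configure": RuleSet("configure", [
        Rule("config", Precondition("messageType", "configRead"), "privateConfigService")]),
}
PUBLIC_REPO: Dict[str, RuleSet] = {
    "configure": RuleSet("configure", [
        Rule("config", Precondition("messageType", "configRead"), "publicConfigService")]),
    "transfer": RuleSet("transfer", [
        Rule("authorise", Precondition("messageType", "transfer"), "checkRole"),
        Rule("debit", Precondition("authorised", "yes"), "debitAccount"),
        Rule("audit", Precondition("lastService"), "auditLog"),
    ]),
}


def route(task: str, ctx: Context) -> List[str]:
    """Router: run the task's rules in order, executing each directive whose precondition holds,
    and record the executed service in lastService. Returns the names of the rules that fired."""
    ruleset = PRIVATE_REPO.get(task) or PUBLIC_REPO.get(task)
    if ruleset is None:
        raise LookupError(f"no rule set for task {task!r}")
    fired = []
    for rule in ruleset.rules:
        if rule.precondition.holds(ctx):
            SERVICES[rule.directive](ctx)
            ctx["lastService"] = rule.directive
            fired.append(rule.name)
    return fired
```

The "debit" rule never runs unless an earlier service has set authorised=yes, and "audit" depends only on lastService existing, so it runs after whichever service went last. A caller cannot bypass the role check by setting authorised itself only if the Context it supplies is built by the server from the authenticated message rather than copied from client-supplied attributes, which is the point to verify when reviewing a real rule set.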

Service. An object implementing business logic. Services are written by the user.

Service Registry. A registry of services, used to look up the class that implements a given service name.

Session. A session is the container for all of the tasks a user is performing over a period of time.

Skeleton. The server/remote portion of a distributed object under CORBA and RMI. The skeleton is invoked by the Stub. See also Stub.

SP. Service Provider

State. A collection of attributes associated with a task at a given instant in time.

Stub. The client portion of a distributed object using mechanisms such as CORBA or RMI. The Stub is designed to hide the fact that the implementation of its related object is not locally located. See also Skeleton.

Task. A unit of work at the business level. A ruleset defines how a task will be executed.

TISS. Transport Independent Stub Service

URL. Uniform Resource Locator

X500. A set of open standards for directory services. See, for instance, the ISO country code standard at http://www.iso.ch and the X.500 standard at http://www.itu.int/itudoc/itu-t/rec/x/x500up/x500.html

XML. Extensible Markup Language

XSL. Extensible Stylesheet Language


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 18, 2001