Results for area 1.3 Authentication and security
systematic detection, identification, and evaluation of threats
process by which personal information (PI) is irreversibly altered in such a way that an Individual or a legal entity can no longer be identified directly or indirectly either by the controller alone or in collaboration with any other party
personal information that has been subject to a process of anonymisation and that by any means can no longer be used to identify an Individual or legal entity
preservation of confidentiality, integrity, availability, authenticity, accountability, non-repudiation and reliability of information
set of rules that regulate how to handle security threats or define the appropriate security level
characterization of security requirements
family of functions and their inverse functions that is parameterized by cryptographic keys
NOTE 1 to entry The functions map bit strings of a fixed length to bit strings of the same length.
certificate public key information of an entity signed by the certification authority and therefore rendered unforgeable
NOTE A public key certificate also specifies the role of the entity for which the public key information is provided, e.g. manufacturer or registration authority.
ST set of security requirements and specifications to be used as the basis for evaluation of an identified TOE
may be an actual instantiation of equipment performing a conformance test process ‘live’, using ‘live’ equipment or may be equipment/systems that simulate behaviour of equipment at the point being tested in order to stimulate or observe the behaviour resultant from the stimulation and note the result of that stimulation
decryption reversal of a corresponding reversible encipherment
mechanism which is used to detect whether a data unit has been modified (either accidentally or intentionally)
electronic “identification card” that establishes user credentials when doing business or other transactions
NOTE 1 to entry This is issued by a certification authority: contains name, a serial number, expiration dates, a copy of the certificate holder’s public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
statement made by the supplier or an implementor of a DUT which contains or references all of the information (in addition to that given in the implementation conformance statement) related to the DUT and its testing environment, which will enable the test laboratory to run an appropriate test suite against the DUT
document, in the form of a questionnaire, which when completed for an IUT becomes an implementation extra information for testing
document, in the form of a questionnaire, which when completed for an implementation or system becomes an implementation conformance statement
string of bits which is the output of a hash-function
confidential authentication information, usually composed of a string of characters
information from a system user identifying suspicious behaviour from another system user that can be characterized as misbehaviour
systematic process of determining how individuals, procedures, systems or programs have met formally agreed objectives and requirements
potential cause of an unwanted information security incident, which may result in harm
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: a) for a given output, it is computationally infeasible to find an input which maps to this output; and b) for a given output, it is computationally infeasible to find a second input which maps to the same output
NOTE Computational feasibility depends on the specific security requirements and environment.
conditions which result in a data subject being identified, directly or indirectly, on the basis of a given set of PI
rights of an individual to have access to personal data held about the individual and ability to challenge and correct such data
hierarchy of “certification authorities” to allow individuals and organizations to identify each other for the purpose of doing business electronically
conformity evaluation by observation and judgement accompanied, as appropriate, by measurement, testing, or gauging
encipherment of data within or at the source end system, with the corresponding decipherment occurring only within or at the destination end system
cryptographic keys and associated material, either a secret key for a symmetric algorithm, or a private key for an asymmetric algorithm, and the associated public key or certificate
verification flag indicating whether the data value has been cross verified from one or more additional sources
tests which are performed in a laboratory under specified conditions
act of providing false or misleading data, operating in such a fashion as to impede other service recipients, or to operate outside of their authorized scope
NOTE 1 to entry This includes suspicious behaviour as in wrong message types or frequencies, invalid logins and unauthorized access, or incorrect signed or encrypted messages, etc., either purposeful or unintended.
prevention of misuse of computer data: legal safeguards to prevent misuse of information stored on computers, particularly information about individual people
rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal data
indicator whether the use of data is restricted or not
limits to the purposes for which personal data can be used
authorization granted to do something (to the ‘Core System’), permissions are granted to system service recipients and operators determining what actions they are allowed to take when interacting with the ‘Core System’
any data or information related to an individual or legal entity or an association of person or individuals by which the individual or legal entity or association of persons could be identified
NOTE 1 to entry The EU-Dir 95/48/EC names in its Art 2 lit. (a) the personal information as “personal data” and defines it as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
policy of openness about developments, practices and policies with respect to personal data
<WS-SecurityPolicy> collection of (one or more) claims
reference to Cryptomaterial allowing that Cryptomaterial to be used in cryptographic operations, i.e. sign, verify, encrypt, decrypt
statement of user need, typically expressed in a single-sentence form to assist with later verification of compliance
security requirements to assure confidence in the implementation of functional requirements
statement made by the supplier of an implementation or system claimed to conform to a given specification, stating which capabilities have been implemented
information security product or system for the subject of security evaluation
examination that a product, process, or service is in conformity with the system specification
admittance, entry, permit to use the road network and/or associated infrastructure (bridges, tunnels etc.)
access key for a system operator
algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity
prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner
signed list indicating a set of certificates that are no longer considered valid by the certificate issuer
certificate of conformity granted to a product that meets a minimum set of regulatory, technical and safety requirements, generally, by regulation required before certain products are allowed to be sold
NOTE 1 to entry Often called ‘Homologation’ approval based on conformity testing on the basis of one or more specimens of a product representative of the production
any freely given specific and informed written indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
private key which defines the private decipherment transformation
private key which defines the private signature transformation
purposes for which personal data are collected
individual's or legal entity's (data subject) explicitly or implicitly freely given agreement to the processing of its PI in the course of which the data subject has been in advance completely informed about the purpose, the legal basis and the third parties, receiving data subject’s PI, and all these in a comprehensible form
key of an entity's asymmetric key pair which should only be used by that entity
NOTE In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric encipherment system the private key defines the decipherment transformation.
Encryption Key Control generation, distribution, storage, application and deletion of encryption keys
nature of a test, either basic or conditional
NOTE 1 to entry A test labelled “conditional” is performed if, and only if, it is applicable to a feature identified in the specification of the system or component, whereas a test labelled “basic” indicates a highly recommended test as part of a foundation for meaningful evaluation.
support system that enables trusted communications among ITS components and protects data from unauthorized access
key that is used with a symmetric cryptographic algorithm
NOTE 1 Possession of a secret key is restricted (usually to two entities).
NOTE 2 For ERI, there can be only one entity or several entities, depending on the key management policy.
test that is performed under real-life conditions
description of test purpose, unique test case identifier, test inputs, test execution conditions, test steps, and the results required to pass the test
kind of test, such as inspection, simulation, lab test, and field test
<WS-SecurityPolicy> description of a token requirement
NOTE 1 to entry Token assertions defined within a security binding are used to satisfy protection requirements.
masquerade which involves use of previous transmitted messages
key of an entity's asymmetric key pair which can be made public
NOTE In the case of an asymmetric signature system the public key defines the verification transformation. In the case of an asymmetric encipherment system the public key defines the encipherment transformation. A key that is “publicly” known is not necessarily globally available. The key is only made available to all members of a pre-specified group.
cryptographic key that can be obtained and used by anyone to encrypt messages intended for a particular recipient, such that the encrypted messages can be deciphered only by using a second key that is known only to the recipient (the private key)
public key which defines the public verification transformation
public key which defines the public encipherment transformation
data item chosen at random and sent by the verifier to the claimant, which is used by the claimant, in conjunction with secret information held by the claimant, to generate a response which is sent to the verifier
EXAMPLE In ISO 24534-4 the term challenge is also used in case an ERT does not have enabled encryption capabilities and the challenge is merely copied without any secret information applied.
set of elements, security policy, security authority and set of security-relevant activities in which the set of elements are subject to the security policy for the specified activities, and the security policy is administered by the security authority for the security domain
functional entity providing confidentiality, integrity, authentication, guaranteed in-order delivery, and replay protection on the datagrams that are passed over it
gateway providing bidirectional means for security and access control
data source governing what access to resources is permissible by peer Applications
verification process determining that a product of each phase of the system life cycle development process fulfils all the requirements specified in the previous phase
implementation of one or more OSI protocols in an adjacent user/provider relationship, being that part of a real open system which is to be studied by testing
testing the extent to which an IUT is a conforming implementation
procedure designed to measure characteristics of a component or system in specified conditions
instructions for the setup, execution, and evaluation of results for a given test case
third party that carries out the test
a combination of equipment and processes which is able to perform conformance tests according to ISO/TS 13143-1
operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
acceptable standard of accuracy of personal data