Internet Security Glossary, Version 2

$ gateway

(I) An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two- way communication between the networks. (See: bridge, firewall, guard, internetwork, proxy server, router, and subnetwork.)

Tutorial: The networks may differ in any of several aspects, including protocols and security mechanisms. When two computer networks differ in the protocol by which they offer service to hosts, a gateway may translate one protocol into the other or otherwise facilitate interoperation of hosts (see: Internet Protocol). In theory, gateways between computer networks are conceivable at any OSIRM layer. In practice, they usually operate at OSIRM Layer 2 (see: bridge), 3 (see: router), or 7 (see: proxy server).

$ GCA

(O) See: geopolitical certificate authority.

$ GDOI

(O) See: Group Domain of Interpretation.

$ GeldKarte

(O) A smartcard-based, electronic money system that is maintained by the German banking industry, incorporates cryptography, and can be used to make payments via the Internet. (See: IOTP.)

$ GeneralizedTime

(N) The ASN.1 data type "GeneralizedTime" (ISO 8601) contains a calendar date (YYYYMMDD) and a time of day, which is either (a) the local time, (b) the Coordinated Universal Time, or (c) both the local time and an offset that enables Coordinated Universal Time to be calculated. (See: Coordinated Universal Time. Compare: UTCTime.)

$ Generic Security Service Application Program Interface (GSS-API)

(I) An Internet Standard protocol [R2743] that specifies calling conventions by which an application (typically another communication protocol) can obtain authentication, integrity, and confidentiality security services independently of the underlying security mechanisms and technologies, thus enabling the application source code to be ported to different environments. (Compare: EAP, SASL.)

Tutorial: "A GSS-API caller accepts tokens provided to it by its local GSS-API implementation and transfers the tokens to a peer on a remote system; that peer passes the received tokens to its local GSS-API implementation for processing. The security services available through GSS-API in this fashion are implementable (and have been implemented) over a range of underlying mechanisms based on [symmetric] and [asymmetric cryptography]." [R2743]

$ geopolitical certificate authority (GCA)

(O) /SET/ In a SET certification hierarchy, an optional level that is certified by a BCA and that may certify cardholder CAs, merchant CAs, and payment gateway CAs. Using GCAs enables a brand to distribute responsibility for managing certificates to geographic or political regions, so that brand policies can vary between regions as needed.

$ GIG

(O) See: Global Information Grid.

$ Global Information Grid (GIG)

(O) /U.S. DoD/ The GIG is "a globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel." [IATF] Usage: Formerly referred to as the DII.

$ good engineering practice(s)

(N) A term used to specify or characterize design, implementation, installation, or operating practices for an information system, when a more explicit specification is not possible. Generally understood to refer to the state of the engineering art for commercial systems that have problems and solutions equivalent to the system in question.

$ granularity

1. (N) /access control/ Relative fineness to which an access control mechanism can be adjusted.

2. (N) /data security/ "The size of the smallest protectable unit of information" in a trusted system. [Huff]

$ Green Book

(D) /slang/ Synonym for "Defense Password Management Guideline" [CSC2].

Deprecated Term: Except as an explanatory appositive, IDOCs SHOULD NOT use this term, regardless of the associated definition. Instead, use the full proper name of the document or, in subsequent references, a conventional abbreviation. (See: Rainbow Series.)

Deprecated Usage: To improve international comprehensibility of Internet Standards and the Internet Standards Process, IDOCs SHOULD NOT use "cute" synonyms. No matter how clearly understood or popular a nickname may be in one community, it is likely to cause confusion or offense in others. For example, several other information system standards also are called "the Green Book"; the following are some examples:

Each volume of 1992 ITU-T (known at that time as CCITT) standards.

"PostScript Language Program Design", Adobe Systems, Addison- Wesley, 1988.

IEEE 1003.1 POSIX Operating Systems Interface.

"Smalltalk-80: Bits of History, Words of Advice", Glenn Krasner, Addison-Wesley, 1983.

"X/Open Compatibility Guide".

A particular CD-ROM format developed by Phillips.

$ Group Domain of Interpretation (GDOI)

(I) An ISAKMP/IKE domain of interpretation for group key management; i.e., a phase 2 protocol in ISAKMP. [R3547] (See: secure multicast.)

Tutorial: In this group key management model that extends the ISAKMP standard, the protocol is run between a group member and a "group controller/key server", which establishes security associations [R4301] among authorized group members. The GDOI protocol is itself protected by an ISAKMP phase 1 association.

For example, multicast applications may use ESP to protect their data traffic. GDOI carries the needed security association parameters for ESP. In this way, GDOI supports multicast ESP with group authentication of ESP packets using a shared, group key.

$ group identity

(I) See: secondary definition under "identity".

$ group security association

(I) "A bundling of [security associations] (SAs) that together define how a group communicates securely. The [group SA] may include a registration protocol SA, a rekey protocol SA, and one or more data security protocol SAs." [R3740]

$ GSS-API

(I) See: Generic Security Service Application Program Interface.

$ guard

(I) A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two. (See: controlled interface, cross-domain solution, domain, filter. Compare: firewall.)

Usage: Frequently understood to mean that one system is operating at a higher security level than the other, and that the gateway's purpose is to prevent unauthorized disclosure of data from the higher system to the lower. However, the purpose might also be to protect the data integrity, availability, or general system integrity of one system from threats posed by connecting to the other system. The mediation may be entirely automated or may involve "reliable human review".

$ guest login

(I) See: anonymous login.

$ GULS

(I) Generic Upper Layer Security service element (ISO 11586), a five-part standard for the exchange of security information and security-transformation functions that protect confidentiality and integrity of application data.

$ Gypsy verification environment

(O) A methodology, language, and integrated set of software tools developed at the University of Texas for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]

F <- 4. Definitions -> H