G <- 4. Definitions -> I
H
$ H field
(D) See: Deprecated Usage under "Handling Restrictions field".
$ hack
1a. (I) /verb/ To work on something, especially to program a
computer. (See: hacker.)
1b. (I) /verb/ To do some kind of mischief, especially to play a
prank on, or penetrate, a system. (See: hacker, cracker.)
2. (I) /noun/ An item of completed work, or a solution for a
problem, that is non-generalizable, i.e., is very specific to the
application area or problem being solved.
Tutorial: Often, the application area or problem involves computer
programming or other use of a computer. Characterizing something
as a hack can be a compliment, such as when the solution is
minimal and elegant; or it can be derogatory, such as when the
solution fixes the problem but leaves the system in an
unmaintainable state.
See [Raym] for several other meanings of this term and also
definitions of several derivative terms.
$ hacker
1. (I) Someone with a strong interest in computers, who enjoys
learning about them, programming them, and experimenting and
otherwise working with them. (See: hack. Compare: adversary,
cracker, intruder.)
Usage: This first definition is the original meaning of the term
(circa 1960); it then had a neutral or positive connotation of
"someone who figures things out and makes something cool happen".
Shirey Informational [Page 138]
RFC 4949 Internet Security Glossary, Version 2 August 2007
2. (O) "An individual who spends an inordinate amount of time
working on computer systems for other than professional purposes."
[NCSSG]
3. (D) Synonym for "cracker".
Deprecated Usage: Today, the term is frequently (mis)used
(especially by journalists) with definition 3.
$ handle
1. (I) /verb/ Perform processing operations on data, such as
receive and transmit, collect and disseminate, create and delete,
store and retrieve, read and write, and compare. (See: access.)
2. (I) /noun/ An online pseudonym, particularly one used by a
cracker; derived from citizens' band radio culture.
$ handling restriction
(I) A type of access control other than (a) the rule-based
protections of mandatory access control and (b) the identity-based
protections of discretionary access control; usually involves
administrative security.
$ Handling Restrictions field
(I) A 16-bit field that specifies a control and release marking in
the security option (option type 130) of IP's datagram header
format. The valid field values are alphanumeric digraphs assigned
by the U.S. Government, as specified in RFC 791.
Deprecated Abbreviation: IDOCs SHOULD NOT use the abbreviation "H
field" because it is potentially ambiguous. Instead, use "Handling
Restrictions field".
$ handshake
(I) Protocol dialogue between two systems for identifying and
authenticating themselves to each other, or for synchronizing
their operations with each other.
$ Handshake Protocol
(I) /TLS/ The TLS Handshake Protocol consists of three parts
(i.e., subprotocols) that enable peer entities to agree upon
security parameters for the record layer, authenticate themselves
to each other, instantiate negotiated security parameters, and
report error conditions to each other. [R4346]
Shirey Informational [Page 139]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ harden
(I) To protect a system by configuring it to operate in a way that
eliminates or mitigates known vulnerabilities. Example: [RSCG].
(See: default account.)
$ hardware
(I) The material physical components of an information system.
(See: firmware, software.)
$ hardware error
(I) /threat action/ See: secondary definitions under "corruption",
"exposure", and "incapacitation".
$ hardware token
See: token.
$ hash code
(D) Synonym for "hash result" or "hash function".
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts
in a potentially misleading way. A hash result is not a "code",
and a hash function does not "encode" in any sense defined by this
glossary. (See: hash value, message digest.)
$ hash function
1. (I) A function H that maps an arbitrary, variable-length bit
string, s, into a fixed-length string, h = H(s) (called the "hash
result"). For most computing applications, it is desirable that
given a string s with H(s) = h, any change to s that creates a
different string s' will result in an unpredictable hash result
H(s') that is, with high probability, not equal to H(s).
2. (O) "A (mathematical) function which maps values from a large
(possibly very large) domain into a smaller range. A 'good' hash
function is such that the results of applying the function to a
(large) set of values in the domain will be evenly distributed
(and apparently at random) over the range." [X509]
Tutorial: A hash function operates on variable-length input (e.g.,
a message or a file) and outputs a fixed-length output, which
typically is much shorter than most input values. If the algorithm
is "good" as described in the "O" definition, then the hash
function may be a candidate for use in a security mechanism to
detect accidental changes in data, but not necessarily for a
mechanism to detect changes made by active wiretapping. (See:
Tutorial under "checksum".)
Shirey Informational [Page 140]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Security mechanisms require a "cryptographic hash function" (e.g.,
MD2, MD4, MD5, SHA-1, Snefru), i.e., a good hash function that
also has the one-way property and one of the two collision-free
properties:
- "One-way property": Given H and a hash result h = H(s), it is
hard (i.e., computationally infeasible, "impossible") to find
s. (Of course, given H and an input s, it must be relatively
easy to compute the hash result H(s).)
- "Weakly collision-free property": Given H and an input s, it is
hard (i.e., computationally infeasible, "impossible") to find a
different input, s', such that H(s) = H(s').
- "Strongly collision-free property": Given H, it is hard to find
any pair of inputs s and s' such that H(s) = H(s').
If H produces a hash result N bits long, then to find an s' where
H(s') = H(s) for a specific given s, the amount of computation
required is O(2**n); i.e., it is necessary to try on the order of
2 to the power n values of s' before finding a collision. However,
to simply find any pair of values s and s' that collide, the
amount of computation required is only O(2**(n/2)); i.e., after
computing H(s) for 2 to the power n/2 randomly chosen values of s,
the probability is greater than 1/2 that two of those values have
the same hash result. (See: birthday attack.)
$ hash result
1. (I) The output of a hash function. (See: hash code, hash value.
Compare: hash value.)
2. (O) "The output produced by a hash function upon processing a
message" (where "message" is broadly defined as "a digital
representation of data"). [DSG]
Usage: IDOCs SHOULD avoid the unusual usage of "message" that is
seen in the "O" definition.
$ hash value
(D) Synonym for "hash result".
Deprecated Term: IDOCs SHOULD NOT use this term for the output of
a hash function; the term could easily be confused with "hashed
value", which means the input to a hash function. (See: hash code,
hash result, message digest.)
$ HDM
(O) See: Hierarchical Development Methodology.
Shirey Informational [Page 141]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ Hierarchical Development Methodology (HDM)
(O) A methodology, language, and integrated set of software tools
developed at SRI International for specifying, coding, and
verifying software to produce correct and reliable programs.
[Cheh]
$ hierarchical PKI
(I) A PKI architecture based on a certification hierarchy.
(Compare: mesh PKI, trust-file PKI.)
$ hierarchy management
(I) The process of generating configuration data and issuing
public-key certificates to build and operate a certification
hierarchy. (See: certificate management.)
$ hierarchy of trust
(D) Synonym for "certification hierarchy".
Deprecated Term: IDOCs SHOULD NOT use this term; it mixes concepts
in a potentially misleading way. (See: certification hierarchy,
trust, web of trust.)
$ high-assurance guard
(O) "An oxymoron," said Lt. Gen. William H. Campbell, former U.S.
Army chief information officer, speaking at an Armed Forces
Communications and Electronics Association conference.
Usage: IDOCs that use this term SHOULD state a definition for it
because the term mixes concepts and could easily be misunderstood.
$ hijack attack
(I) A form of active wiretapping in which the attacker seizes
control of a previously established communication association.
(See: man-in-the-middle attack, pagejacking, piggyback attack.)
$ HIPAA
(N) Health Information Portability and Accountability Act of 1996,
a U.S. law (Public Law 104-191) that is intended to protect the
privacy of patients' medical records and other health information
in all forms, and mandates security for that information,
including for its electronic storage and transmission.
$ HMAC
(I) A keyed hash [R2104] that can be based on any iterated
cryptographic hash (e.g., MD5 or SHA-1), so that the cryptographic
strength of HMAC depends on the properties of the selected
cryptographic hash. (See: [R2202, R2403, R2404].)
Shirey Informational [Page 142]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Derivation: Hash-based MAC. (Compare: CMAC.)
Tutorial: Assume that H is a generic cryptographic hash in which a
function is iterated on data blocks of length B bytes. L is the
length of the of hash result of H. K is a secret key of length L
<= K <= B. The values IPAD and OPAD are fixed strings used as
inner and outer padding and defined as follows: IPAD = the byte
0x36 repeated B times, and OPAD = the byte 0x5C repeated B times.
HMAC is computed by H(K XOR OPAD, H(K XOR IPAD, inputdata)).
HMAC has the following goals:
- To use available cryptographic hash functions without
modification, particularly functions that perform well in
software and for which software is freely and widely available.
- To preserve the original performance of the selected hash
without significant degradation.
- To use and handle keys in a simple way.
- To have a well-understood cryptographic analysis of the
strength of the mechanism based on reasonable assumptions about
the underlying hash function.
- To enable easy replacement of the hash function in case a
faster or stronger hash is found or required.
$ honey pot
(N) A system (e.g., a web server) or system resource (e.g., a file
on a server) that is designed to be attractive to potential
crackers and intruders, like honey is attractive to bears. (See:
entrapment.)
Usage: It is likely that other cultures use different metaphors
for this concept. Therefore, to avoid international
misunderstanding, an IDOC SHOULD NOT use this term without
providing a definition for it. (See: Deprecated Usage under "Green
Book".)
$ host
1. (I) /general/ A computer that is attached to a communication
subnetwork or internetwork and can use services provided by the
network to exchange data with other attached systems. (See: end
system. Compare: server.)
2. (I) /IPS/ A networked computer that does not forward IP packets
that are not addressed to the computer itself. (Compare: router.)
Derivation: As viewed by its users, a host "entertains" them,
providing Application-Layer services or access to other computers
attached to the network. However, even though some traditional
peripheral service devices, such as printers, can now be
Shirey Informational [Page 143]
RFC 4949 Internet Security Glossary, Version 2 August 2007
independently connected to networks, they are not usually called
hosts.
$ HTML
(I) See: Hypertext Markup Language.
$ HTTP
(I) See: Hypertext Transfer Protocol.
$ https
(I) When used in the first part of a URL (the part that precedes
the colon and specifies an access scheme or protocol), this term
specifies the use of HTTP enhanced by a security mechanism, which
is usually SSL. (Compare: S-HTTP.)
$ human error
(I) /threat action/ See: secondary definitions under "corruption",
"exposure", and "incapacitation".
$ hybrid encryption
(I) An application of cryptography that combines two or more
encryption algorithms, particularly a combination of symmetric and
asymmetric encryption. Examples: digital envelope, MSP, PEM, PGP.
(Compare: superencryption.)
Tutorial: Asymmetric algorithms require more computation than
equivalently strong symmetric ones. Thus, asymmetric encryption is
not normally used for data confidentiality except to distribute a
symmetric key in a hybrid encryption scheme, where the symmetric
key is usually very short (in terms of bits) compared to the data
file it protects. (See: bulk key.)
$ hyperlink
(I) In hypertext or hypermedia, an information object (such as a
word, a phrase, or an image, which usually is highlighted by color
or underscoring) that points (i.e., indicates how to connect) to
related information that is located elsewhere and can be retrieved
by activating the link (e.g., by selecting the object with a mouse
pointer and then clicking).
$ hypermedia
(I) A generalization of hypertext; any media that contain
hyperlinks that point to material in the same or another data
object.
Shirey Informational [Page 144]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ hypertext
(I) A computer document, or part of a document, that contains
hyperlinks to other documents; i.e., text that contains active
pointers to other text. Usually written in HTML and accessed using
a web browser. (See: hypermedia.)
$ Hypertext Markup Language (HTML)
(I) A platform-independent system of syntax and semantics (RFC
1866) for adding characters to data files (particularly text
files) to represent the data's structure and to point to related
data, thus creating hypertext for use in the World Wide Web and
other applications. (Compare: XML.)
$ Hypertext Transfer Protocol (HTTP)
(I) A TCP-based, Application-Layer, client-server, Internet
protocol (RFC 2616) that is used to carry data requests and
responses in the World Wide Web. (See: hypertext.)
G <- 4. Definitions -> I