M <- 4. Definitions -> O
N
$ name
(I) Synonym for "identifier".
$ naming authority
(O) /U.S. DoD/ An organizational entity responsible for assigning
DNs and for assuring that each DN is meaningful and unique within
its domain. [DoD9]
$ National Computer Security Center (NCSC)
(O) A U.S. DoD organization, housed in NSA, that has
responsibility for encouraging widespread availability of trusted
systems throughout the U.S. Federal Government. It has established
criteria for, and performed evaluations of, computer and network
systems that have a TCB. (See: Rainbow Series, TCSEC.)
$ National Information Assurance Partnership (NIAP)
(N) A joint initiative of NIST and NSA to enhance the quality of
commercial products for information security and increase consumer
confidence in those products through objective evaluation and
testing methods.
Shirey Informational [Page 196]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: NIAP is registered, through the U.S. DoD, as a National
Performance Review Reinvention Laboratory. NIAP functions include
the following:
- Developing tests, test methods, and other tools that developers
and testing laboratories may use to improve and evaluate
security products.
- Collaborating with industry and others on research and testing
programs.
- Using the Common Criteria to develop protection profiles and
associated test sets for security products and systems.
- Cooperating with the NIST National Voluntary Laboratory
Accreditation Program to develop a program to accredit private-
sector laboratories for the testing of information security
products using the Common Criteria.
- Working to establish a formal, international mutual recognition
scheme for a Common Criteria-based evaluation.
$ National Institute of Standards and Technology (NIST)
(N) A U.S. Department of Commerce organization that promotes U.S.
economic growth by working with industry to develop and apply
technology, measurements, and standards. Has primary U.S.
Government responsibility for INFOSEC standards for sensitive
unclassified information. (See: ANSI, DES, DSA, DSS, FIPS, NIAP,
NSA.)
$ National Reliability and Interoperability Council (NRIC)
(N) An advisory committee chartered by the U.S. Federal
Communications Commission (FCC), with participation by network
service providers and vendors, to provide recommendations to the
FCC for assuring reliability, interoperability, robustness, and
security of wireless, wireline, satellite, cable, and public data
communication networks.
$ national security
(O) /U.S. Government/ The national defense or foreign relations of
the United States of America.
$ National Security Agency (NSA)
(N) A U.S. DoD organization that has primary U.S. Government
responsibility for INFOSEC standards for classified information
and for sensitive unclassified information handled by national
security systems. (See: FORTEZZA, KEA, MISSI, national security
system, NIAP, NIST, SKIPJACK.)
$ national security information
(O) /U.S. Government/ Information that has been determined,
pursuant to Executive Order 12958 or any predecessor order, to
require protection against unauthorized disclosure. [C4009]
Shirey Informational [Page 197]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ national security system
(O) /U.S. Government/ Any Government-operated information system
for which the function, operation, or use (a) involves
intelligence activities; (b) involves cryptologic activities
related to national security; (c) involves command and control of
military forces; (d) involves equipment that is an integral part
of a weapon or weapon system; or (e) is critical to the direct
fulfillment of military or intelligence missions and does not
include a system that is to be used for routine administrative and
business applications (including payroll, finance, logistics, and
personnel management applications). [Title 40 U.S.C. Section 1552,
Information Technology Management Reform Act of 1996.] (See: type
2 product.)
$ natural disaster
(I) /threat action/ See: secondary definitions under "corruption"
and "incapacitation".
$ NCSC
(O) See: National Computer Security Center.
$ need to know, need-to-know
(I) The necessity for access to, knowledge of, or possession of
specific information required to carry out official duties.
Usage: The compound "need-to-know" is commonly used as either an
adjective or a noun.
Tutorial: The need-to-know criterion is used in security
procedures that require a custodian of sensitive information,
prior to disclosing the information to someone else, to establish
that the intended recipient has proper authorization to access the
information.
$ network
(I) An information system comprised of a collection of
interconnected nodes. (See: computer network.)
$ Network Hardware Layer
(I) See: Internet Protocol Suite.
$ Network Interface Layer
(I) See: Internet Protocol Suite.
$ Network Layer Security Protocol (NLSP).
(N) An OSI protocol (IS0 11577) for end-to-end encryption services
at the top of OSIRM Layer 3. NLSP is derived from SP3 but is more
complex. (Compare: IPsec.)
Shirey Informational [Page 198]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ Network Substrate Layer
(I) Synonym for "Network Hardware Layer".
$ network weaving
(I) A penetration technique in which an intruder avoids detection
and traceback by using multiple, linked, communication networks to
access and attack a system. [C4009]
$ NIAP
(N) See: National Information Assurance Partnership.
$ nibble
(D) Half of a byte (i.e., usually, 4 bits).
Deprecated Term: To avoid international misunderstanding, IDOCs
SHOULD NOT use this term; instead, state the size of the block
explicitly (e.g., "4-bit block"). (See: Deprecated Usage under
"Green Book".)
$ NIPRNET
(O) The U.S. DoD's common-use Non-Classified Internet Protocol
Router Network; the part of the Internet that is wholly controlled
by the U.S. DoD and is used for official DoD business.
$ NIST
(N) See: National Institute of Standards and Technology.
$ NLSP
(N) See: Network Layer Security Protocol
$ no-lone zone
(I) A room or other space or area to which no person may have
unaccompanied access and that, when occupied, is required to be
occupied by two or more appropriately authorized persons. [C4009]
(See: dual control.)
$ no-PIN ORA (NORA)
(O) /MISSI/ An organizational RA that operates in a mode in which
the ORA performs no card management functions and, therefore, does
not require knowledge of either the SSO PIN or user PIN for an end
user's FORTEZZA PC card.
$ node
(I) A collection of related subsystems located on one or more
computer platforms at a single site. (See: site.)
Shirey Informational [Page 199]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ nonce
(I) A random or non-repeating value that is included in data
exchanged by a protocol, usually for the purpose of guaranteeing
liveness and thus detecting and protecting against replay attacks.
(See: fresh.)
$ non-critical
See: critical.
$ non-repudiation service
1. (I) A security service that provide protection against false
denial of involvement in an association (especially a
communication association that transfers data). (See: repudiation,
time stamp.)
Tutorial: Two separate types of denial are possible -- an entity
can deny that it sent a data object, or it can deny that it
received a data object -- and, therefore, two separate types of
non-repudiation service are possible. (See: non-repudiation with
proof of origin, non-repudiation with proof of receipt.)
2. (D) "Assurance [that] the sender of data is provided with proof
of delivery and the recipient is provided with proof of the
sender's identity, so neither can later deny having processed the
data." [C4009]
Deprecated Definition: IDOCs SHOULD NOT use definition 2 because
it bundles two security services -- non-repudiation with proof of
origin, and non-repudiation with proof of receipt -- that can be
provided independently of each other.
Usage: IDOCs SHOULD distinguish between the technical aspects and
the legal aspects of a non-repudiation service:
- "Technical non-repudiation": Refers to the assurance a relying
party has that if a public key is used to validate a digital
signature, then that signature had to have been made by the
corresponding private signature key. [SP32]
- "Legal non-repudiation": Refers to how well possession or
control of the private signature key can be established. [SP32]
Tutorial: Non-repudiation service does not prevent an entity from
repudiating a communication. Instead, the service provides
evidence that can be stored and later presented to a third party
to resolve disputes that arise if and when a communication is
repudiated by one of the entities involved.
Shirey Informational [Page 200]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Ford describes the six phases of a complete non-repudiation
service and uses "critical action" to refer to the act of
communication that is the subject of the service [For94, For97]:
-------- -------- -------- -------- -------- . --------
Phase 1: Phase 2: Phase 3: Phase 4: Phase 5: . Phase 6:
Request Generate Transfer Verify Retain . Resolve
Service Evidence Evidence Evidence Evidence . Dispute
-------- -------- -------- -------- -------- . --------
Service Critical Evidence Evidence Archive . Evidence
Request => Action => Stored => Is => Evidence . Is
Is Made Occurs For Later Tested In Case . Verified
and Use | ^ Critical . ^
Evidence v | Action Is . |
Is +-------------------+ Repudiated . |
Generated |Verifiable Evidence|------> ... . ----+
+-------------------+
Phase / Explanation
-------------------
1. Request service: Before the critical action, the service
requester asks, either implicitly or explicitly, to have
evidence of the action be generated.
2. Generate evidence: When the critical action occurs, evidence is
generated by a process involving the potential repudiator and
possibly also a trusted third party.
3. Transfer evidence: The evidence is transferred to the requester
or stored by a third party, for later use (if needed).
4. Verify evidence: The entity that holds the evidence tests it to
be sure that it will suffice if a dispute arises.
5. Retain evidence: The evidence is retained for possible future
retrieval and use.
6. Resolve dispute: In this phase, which occurs only if the
critical action is repudiated, the evidence is retrieved from
storage, presented, and verified to resolve the dispute.
$ non-repudiation with proof of origin
(I) A security service that provides the recipient of data with
evidence that proves the origin of the data, and thus protects the
recipient against an attempt by the originator to falsely deny
sending the data. (See: non-repudiation service.)
Tutorial: This service is a strong version of data origin
authentication service. This service can not only verify the
identity of a system entity that is the original source of
received data; it can also provide proof of that identity to a
third party.
Shirey Informational [Page 201]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ non-repudiation with proof of receipt
(I) A security service that provides the originator of data with
evidence that proves the data was received as addressed, and thus
protects the originator against an attempt by the recipient to
falsely deny receiving the data. (See: non-repudiation service.)
$ non-volatile media
(I) Storage media that, once written into, provide stable storage
of information without an external power supply. (Compare:
permanent storage, volatile media.)
$ NORA
(O) See: no-PIN ORA.
$ notarization
(I) Registration of data under the authority or in the care of a
trusted third party, thus making it possible to provide subsequent
assurance of the accuracy of characteristics claimed for the data,
such as content, origin, time of existence, and delivery.
[I7498-2] (See: digital notary.)
$ NRIC
(N) See: Network Reliability and Interoperability Council.
$ NSA
(N) See: National Security Agency
$ null
(N) /encryption/ "Dummy letter, letter symbol, or code group
inserted into an encrypted message to delay or prevent its
decryption or to complete encrypted groups for transmission or
transmission security purposes." [C4009]
$ NULL encryption algorithm
(I) An algorithm [R2410] that is specified as doing nothing to
transform plaintext data; i.e., a no-op. It originated because ESP
always specifies the use of an encryption algorithm for
confidentiality. The NULL encryption algorithm is a convenient way
to represent the option of not applying encryption in ESP (or in
any other context where a no-op is needed). (Compare: null.)
M <- 4. Definitions -> O