
NATIONAL SECURITY TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY
NSTISS NATIONAL MANAGER
5 June 1992
FOREWORD
1. National Security Telecommunications and Information
Systems Security Instruction (NSTISSI) No. 4009, "National
Information Systems Security (INFOSEC) Glossary," provides
standard definitions for many of the specialized terms relating
to the disciplines of communications security (COMSEC) and
automated information systems security (AISS), sometimes
referred to as computer security (COMPUSEC). In general,
communications and data management terms that do not relate
closely to telecommunications and automated information systems
security are outside the scope of this document and are not
included.
2. The definitions contained in this glossary are
prescriptive for all elements of the U.S. Government and for its
contractors with respect to national security systems.
3. This document is divided into three sections: Section I
contains terms and definitions, Section II is a list of commonly
used abbreviations and acronym expansions, and Section III
contains applicable references. In the definitions section,
explanatory information is presented in notes following the
definitions with which they are associated. Such notes are not
part of the definitions to which they relate.
4. This document supersedes NCSC-9, "National
Communications Security (COMSEC) Glossary," dated 1 September
1982.
5. Representatives of the National Security
Telecommunications and Information Systems Security Committee
may obtain additional copies of this instruction from:
Executive Secretariat
National Security Telecommunications and
Information Systems Security Committee (NSTISSC)
National Security Agency
Fort George G. Meade, MD 20755-6000
6. U.S. Government contractors are to contact their appropriate
government agency or Contracting Officer Representative regarding
distribution of this document.
7. Readers are encouraged to review this glossary and suggest
additions, deletions, or changes at any time. Recommendations for
revising the document may be sent to the Executive Secretariat at the
above address, via the appropriate NSTISSC representative.
J. M. McConnell
Vice Admiral, U.S. Navy
NSTISSI No. 4009
SECTION I
TERMS AND DEFINITIONS
A
access (COMSEC) Capability and opportunity to
gain knowledge of or to alter information
or material.
(AIS) Ability and means to communicate
with (i.e. input to or receive output
from), or otherwise make use of any
information, resource, or component in an
AIS.
NOTE: An individual does not have
"access" if the proper authority or a
physical, technical, or procedural
measure prevents them from obtaining
knowledge or having an opportunity to
alter information, material, resources,
or components.
access control Process of limiting access to the
resources of an AIS only to authorized
users, programs, processes, or other
systems.
access control list Mechanism implementing discretionary
access control in an AIS that identifies
the users who may access an object and
the type of access to the object that a
user is permitted.
access control mechanism Security safeguards designed to detect
and prevent unauthorized access, and to
permit authorized access in an AIS.
access level Hierarchical portion of the security
level used to identify the sensitivity of
AIS data and the clearance or
authorization of users.
NOTE: Access level, in conjunction with
the non-hierarchical categories, forms
the sensitivity label of an object. See
category.
access list (COMSEC) Roster of persons authorized
admittance to a controlled area.
(AIS) Compilation of users, programs,
and/or processes and the access levels
and types to which each is authorized.
access period Segment of time, generally expressed in
days or weeks, during which access rights
prevail.
access port Logical or physical identifier a computer
uses to distinguish different terminal
input/output data streams or the physical
connection for attaching an external
device.
access type Privilege to perform an action on a
program or file.
NOTE: Read, write, execute, append,
modify, delete, and create are examples
of access types.
accessible space Area within which the user is aware of
all persons entering and leaving, which
denies the opportunity for concealed
TEMPEST surveillance, and which
delineates the closest point of potential
tempest intercept from a vehicle.
accountability (COMSEC) Principle that an individual is
responsible for safeguarding and
controlling of COMSEC equipment, keying
material, and information entrusted to
his/her care and is answerable to proper
authority for the loss or misuse of that
equipment or information.
accountability (AIS) Property that allows auditing of
activities on an AIS to be traced to
persons who may then be held responsible
for their actions.
accounting legend code Numeric code used to indicate the
minimum accounting controls required for
items of accountable COMSEC material
within the COMSEC Material Control
System.
NOTE: National-level accounting legend
codes are:
ALC-1 - continuously accountable by
serial number.
ALC-2 - continuously accountable by
quantity.
ALC-4 - report of initial receipt
required. After acknowledging receipt,
users may control in accordance with
Service, department, or agency
directives.
accounting number Number assigned to an item of COMSEC
material to facilitate its control.
accreditation Formal declaration by a designated
approving authority that an AIS is
approved to operate in a particular
security mode using a prescribed set of
safeguards.
accreditation authority Synonymous with designated approving
authority.
add-on security Incorporation of new hardware, software,
or firmware safeguards in an operational
AIS.
adversary Person or organization that must be
denied access to critical information.
alternate COMSEC custodian Person designated by proper authority to
perform the duties of the COMSEC
custodian during the temporary absence of
the COMSEC custodian.
anti-jam Measures to ensure that intended
transmitted information can be received
despite deliberate jamming attempts.
anti-spoof Measures to prevent an opponent's
participation in a telecommunications
network or operation/control of a
cryptographic or COMSEC system.
assembly Group of parts, elements, subassemblies,
or circuits that are removable items of
COMSEC equipment.
assurance Measure of confidence that the security
features and architecture of an AIS
accurately mediate and enforce the
security policy.
attack Act of trying to defeat AIS safeguards.
audit Independent review and examination of
records and activities to assess the
adequacy of system controls, to ensure
compliance with established policies and
operational procedures, and to recommend
necessary changes in controls, policies,
or procedures.
audit trail Chronological record of system activities
to enable the reconstruction and
examination of the sequence of events
and/or changes in an event.
NOTE: Audit trail may apply to
information in an AIS, to message routing
in a communications system, or to the
transfer of COMSEC material.
authenticate Verify the identity of a user, user
device, or other entity, or the integrity
of data stored, transmitted, or otherwise
exposed to unauthorized modification in
an automated information system, or
establish the validity of a transmitted
message.
authentication Security measure designed to establish
the validity of a transmission, message,
or originator, or a means of verifying an
individual's eligibility to receive
specific categories of information.
authentication system Cryptosystem or process used for
authentication.
authenticator Means used to confirm the identity or
eligibility of a station, originator, or
individual.
authorization Access rights granted to a user, program,
or process.
authorized vendor Manufacturer of existing COMSEC equipment
who is authorized to produce quantities
in excess of contractual requirements for
direct sale to eligible buyers.
Authorized Vendor Program Program in which a vendor, producing a
COMSEC product under contract to the
National Security Agency, is authorized
to produce that product in numbers
exceeding the contracted requirements for
direct marketing and sale to eligible
buyers.
NOTE: Eligible buyers are typically U.S.
Government organizations or U.S.
Government contractors. Products
approved for marketing and sale through
the Authorized Vendor Program are placed
on the Endorsed Cryptographic Products
List.
auto-manual system Programmable, hand-held crypto-equipment
used to perform encoding and decoding
functions.
automated information systems Any equipment or interconnected system
or subsystems of equipment that is used
in the automatic acquisition, storage,
manipulation, management, movement,
control, display, switching, interchange,
transmission or reception of data and
includes computer software, firmware, and
hardware.
NOTE: Included are computers, word
processing systems, networks, or other
electronic information handling systems,
and associated equipment.
automated information systems security Synonymous with computer security.
automated security monitoring Use of automated procedures to ensure
security controls for an AIS are not
circumvented.
automatic remote rekeying Procedure to rekey a distant
crypto-equipment electronically without specific
actions by the receiving terminal
operator.
availability of data Data that is in the place, at the time,
and in the form needed by the user.
B
backdoor Synonymous with trap door.
Bell-La Padula security model Formal-state transition model of a
computer security policy that describes a
formal set of access controls based on
information sensitivity and subject
authorizations. (See star (*) property
and simple security property.)
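An added illustration, not part of the glossary: a small Python model of the sensitivity label (access level plus non-hierarchical categories, as defined under access level and category) and the two Bell-La Padula rules named above. The level names and the NATO category come from the glossary's own examples; the function names are this example's own.

```python
"""Added example (not from NSTISSI 4009): sensitivity labels and the
Bell-La Padula simple security and star (*) properties."""
from dataclasses import dataclass, field

# Hierarchical access levels; a larger number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label = access level + set of categories.
    Example categories (e.g. "NATO") are taken from the glossary's note."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's level is at least B's level and A's
        categories include every category of B."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def simple_security_ok(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): read is allowed only if
    the subject's label dominates the object's label."""
    return subject.dominates(obj)


def star_property_ok(subject: Label, obj: Label) -> bool:
    """Star (*) property ("no write down"): writing into an object is
    allowed only if the object's label dominates the subject's label."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, access_type: str) -> bool:
    """Mediate one request using the glossary's access types:
    read -> simple security property; append (write-only) -> star
    property; write (read and write) -> both properties."""
    if access_type == "read":
        return simple_security_ok(subject, obj)
    if access_type == "append":
        return star_property_ok(subject, obj)
    if access_type == "write":
        return simple_security_ok(subject, obj) and star_property_ok(subject, obj)
    raise ValueError(f"unsupported access type: {access_type}")
```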
benign Condition of cryptographic data such that
it cannot be compromised by human access
to the data.
NOTE: The term benign may be used to
modify a variety of COMSEC-related terms,
(e.g., key, data, storage, fill, and key
distribution techniques).
benign environment Nonhostile environment that may be
protected from external hostile elements
by physical, personnel, and procedural
security countermeasures.
beyond A1 Level of trust employed by the DoD
Trusted Computer System Evaluation
Criteria that was beyond the
state-of-the-art technology at the time the
criteria was developed.
NOTE: As defined in the "Orange Book,"
beyond A1 includes all the A1-level
features, plus others not required at the
A1 level.
binding Process of associating a specific
communications terminal with a specific
cryptographic key or associating two
related elements of information.
bit error rate Ratio between the number of bits
incorrectly received and the total number
of bits transmitted in a
telecommunications system.
BLACK Designation applied to telecommunications
and automated information systems, and to
associated areas, circuits, components,
and equipment, in which only unclassified
signals are processed.
NOTE: Encrypted signals are
unclassified.
BLACK key Encrypted key. (See RED key.)
brevity list List containing words and phrases used to
shorten messages.
browsing Act of searching through AIS storage to
locate or acquire information, without
necessarily knowing the existence or
format of information being sought.
bulk encryption Simultaneous encryption of all channels
of a multichannel telecommunications
trunk.
C
call back Procedure for identifying a remote AIS
terminal, whereby the host system
disconnects the caller and then dials the
authorized telephone number of the remote
terminal to re-establish the connection.
call sign cipher Cryptosystem used to encipher/decipher
call signs, address groups, and address
indicating groups.
canister Type of protective package used to
contain and dispense key in punched or
printed tape form.
capability Unforgeable ticket that provides
incontestable proof that the presenter is
authorized access to the object named in
the ticket.
capability-based system AIS in which access to protected objects
is granted if the subject possesses a
capability for the object.
category Restrictive label that has been applied
to both classified and unclassified data,
thereby increasing the requirement for
protection of, and restricting the access
to, the data.
NOTE: Examples include sensitive
compartmented information, proprietary
information, and North Atlantic Treaty
Organization information. Individuals
are granted access to special category
information only after being granted
formal access authorization.
CCI assembly Device embodying a cryptographic logic or
other COMSEC design that the National
Security Agency has approved as a
controlled cryptographic item and
performs the entire COMSEC function, but
is dependent upon the host equipment to
operate.
CCI component Device embodying a cryptographic logic or
other COMSEC design, which the National
Security Agency has approved as a
controlled cryptographic item, that does
not perform the entire COMSEC function
and is dependent upon the host equipment
or assembly to complete and operate the
COMSEC function.
CCI equipment Telecommunications or information
handling equipment that embodies a
controlled cryptographic item component
or controlled cryptographic item assembly
and performs the entire COMSEC function
without dependence on a host equipment to
operate.
central office of record Office of a federal department or agency
that keeps records of accountable COMSEC
material held by elements subject to its
oversight.
certificate of action statement Statement attached to a COMSEC audit
report by which a COMSEC custodian
certifies that all actions have been
completed.
certification Comprehensive evaluation of the technical
and nontechnical security features of an
AIS and other safeguards, made in support
of the accreditation process, to
establish the extent to which a
particular design and implementation
meets a set of specified security
requirements.
certified TEMPEST technical authority U.S. Government or U.S. Government
contractor employee designated to review
the TEMPEST countermeasures programs of a
federal department or agency.
challenge and reply authentication Prearranged procedure in which
one communicator requests authentication
of another and the latter establishes
his/her validity with a correct reply.
checksum Value computed, via some parity or
hashing algorithm, on information
requiring protection against error or
manipulation.
NOTE: Checksums are stored or
transmitted with data and are intended to
detect data integrity problems.
check word Cipher text generated by a cryptographic
logic to detect failures in the
cryptography.
cipher Cryptographic system in which units of
plain text are substituted according to a
predetermined key.
cipher text Enciphered information.
cipher text auto-key Cryptographic logic which uses previous
cipher text to generate a key stream.
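An added example, not from the glossary: a toy cipher text auto-key logic in Python. It shows the property that makes this structure interesting in practice, namely that a receiver regains cryptosynchronization (see that entry) on its own after a transmission error, because the key stream depends only on the previous cipher text. SHA-256 stands in for a real cryptographic logic, and every name here is the example's own.

```python
"""Added example (not part of NSTISSI 4009): toy cipher text auto-key (CTAK)
logic, demonstrating self-resynchronization after a channel error."""
import hashlib


def _key_stream_unit(key: bytes, previous_cipher_text: int) -> int:
    """One key stream byte derived from the key and the previous cipher
    text byte. SHA-256 is a stand-in for a real cryptographic logic; this
    illustrates the auto-key structure only and is not a usable cipher."""
    return hashlib.sha256(key + bytes([previous_cipher_text])).digest()[0]


def ctak_encrypt(key: bytes, plain_text: bytes, start_state: int = 0) -> bytes:
    """Cipher text byte = plain text byte XOR key stream byte, where the
    key stream byte is produced from the previous cipher text byte."""
    previous = start_state
    cipher_text = bytearray()
    for p in plain_text:
        c = p ^ _key_stream_unit(key, previous)
        cipher_text.append(c)
        previous = c
    return bytes(cipher_text)


def ctak_decrypt(key: bytes, cipher_text: bytes, start_state: int = 0) -> bytes:
    """The receiver rebuilds the key stream from the cipher text it actually
    received, so its state is always the last cipher text byte seen."""
    previous = start_state
    plain_text = bytearray()
    for c in cipher_text:
        plain_text.append(c ^ _key_stream_unit(key, previous))
        previous = c
    return bytes(plain_text)


def decrypt_with_transit_error(key: bytes, plain_text: bytes, error_index: int) -> bytes:
    """Encrypt, invert every bit of one cipher text byte in transit (a
    constructed channel error), and decrypt what the receiver got."""
    damaged = bytearray(ctak_encrypt(key, plain_text))
    damaged[error_index] ^= 0xFF
    return ctak_decrypt(key, bytes(damaged))


def error_extent(key: bytes, plain_text: bytes, error_index: int) -> list:
    """Positions whose decrypted output is wrong. With a one-byte auto-key
    state the damage is confined to the errored byte and at most the next
    one (whose key stream was derived from the damaged byte); after that
    the receiving logic is back in step with the transmitter."""
    received = decrypt_with_transit_error(key, plain_text, error_index)
    return [i for i, (a, b) in enumerate(zip(received, plain_text)) if a != b]
```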
ciphony Process of enciphering audio information,
resulting in encrypted speech.
classified information National security information that has
been classified pursuant to Executive
Order 12356.
clearing Removal of data from an AIS, its storage
devices, and other peripheral devices
with storage capacity, in such a way that
the data may not be reconstructed using
normal system capabilities (i.e., through
the keyboard).
NOTE: An AIS need not be disconnected
from any external network before clearing
takes place. Clearing enables a product
to be reused within, but not outside of,
a secure facility. It does not produce a
declassified product by itself, but may
be the first step in the declassification
process. See purge.
closed security environment Environment that provides sufficient
assurance that applications and equipment
are protected against the introduction of
malicious logic prior to or during the
operation of a system.
NOTE: Closed security is predicated upon
a system's developers, operators, and
maintenance personnel having sufficient
clearances, authorization, and
configuration control.
code System of communication in which
arbitrary groups of letters, numbers, or
symbols represent units of plain text of
varying length.
NOTE: Codes may or may not provide
security. Common uses include: (a)
converting information into a form
suitable for communications or
encryption, (b) reducing the length of
time required to transmit information,
(c) describing the instructions which
control the operation of a computer, and
(d) converting plain text to meaningless
combinations of letters or numbers and
vice versa.
code book Book or other document containing plain
text and code equivalents in a systematic
arrangement, or a technique of machine
encryption using a word substitution
technique.
code group Group of letters, numbers, or both in a
code system used to represent a plain
text word, phrase, or sentence.
code vocabulary Set of plain text words, numerals,
phrases, or sentences for which code
equivalents are assigned in a code
system.
cold start Procedure for initially keying
crypto-equipment.
command authority Individual responsible for the
appointment of user representatives for a
department, agency, or organization and
their key ordering privileges.
Commercial COMSEC Endorsement Program Relationship between the National
Security Agency and industry, in which
the National Security Agency provides the
COMSEC expertise (i.e., standards,
algorithms, evaluations, and guidance)
and industry provides design,
development, and production capabilities
to produce a type 1 or type 2 product.
NOTE: Products developed under the
Commercial COMSEC Endorsement Program may
include modules, subsystems, equipment,
systems, and ancillary devices.
common fill device One of a family of devices developed to
read-in, transfer, or store key.
NOTE: KYK-13 Electronic Transfer Device,
KYX-15 Net Control Device, and KOI-18
General Purpose Tape Reader are examples
of common fill devices.
communications cover Concealing or altering of characteristic
communications patterns to hide
information that could be of value to an
adversary.
communications deception Deliberate transmission, retransmission,
or alteration of communications to
mislead an adversary's interpretation of
the communications. (See imitative
communications deception and manipulative
communications deception.)
communications profile Analytic model of communications
associated with an organization or
activity.
NOTE: The model is prepared from a
systematic examination of communications
content and patterns, the functions they
reflect, and the communications security
measures applied.
communications security Measures and controls taken to deny
unauthorized persons information derived
from telecommunications and ensure the
authenticity of such telecommunications.
NOTE: Communications security includes
cryptosecurity, transmission security,
emission security, and physical security
of COMSEC material.
compartmented mode AIS security mode of operation wherein
each user with direct or indirect access
to the system, its peripherals, remote
terminals, or remote hosts has all of the
following:
a. Valid security clearance for the most
restricted information processed in the
system.
b. Formal access approval and signed
non-disclosure agreements for that
information to which a user is to have
access.
c. Valid need-to-know for information to
which a user is to have access.
compromise Disclosure of information or data to
unauthorized persons, or a violation of
the security policy of a system in which
unauthorized intentional or unintentional
disclosure, modification, destruction, or
loss of an object may have occurred.
compromising emanations Unintentional signals that, if
intercepted and analyzed, would disclose
the information transmitted, received,
handled, or otherwise processed by
telecommunications or automated
information systems equipment. (See
TEMPEST.)
computer abuse Intentional or reckless misuse,
alteration, disruption, or destruction of
data processing resources.
computer cryptography Use of a crypto-algorithm program
stored in software or firmware, by a
general purpose computer to authenticate
or encrypt/decrypt data for storage or
transmission.
computer security Measures and controls that ensure
confidentiality, integrity, and
availability of the information processed
and stored by a computer.
computer security incident Any event in which a computer system is
attacked, intruded into, or threatened
with an attack or intrusion.
computer security subsystem Device designed to provide limited
computer security features in a larger
system environment.
Computer Security Technical Vulnerability Reporting Program Program that focuses on technical
vulnerabilities in commercially
available hardware, firmware and
software products acquired by DoD.
NOTE: The Computer Security Technical
Vulnerability Reporting Program provides
for reporting, cataloging, and discrete
dissemination of technical vulnerability
and corrective-measure information on a
need-to-know basis.
COMSEC account Administrative entity, identified by an
account number, used to maintain
accountability, custody and control of
COMSEC material.
COMSEC account audit Examination of the holdings, records, and
procedures of a COMSEC account to ensure
that all accountable COMSEC material is
properly handled and safeguarded.
COMSEC aid COMSEC material, other than an equipment
or device, that assists in securing
telecommunications and which is required
in the production, operation, or
maintenance of COMSEC systems and their
components.
NOTE: COMSEC keying material, callsign/
frequency systems, and supporting
documentation, such as operating and
maintenance manuals, are examples of
COMSEC aids.
COMSEC boundary Definable perimeter within a
telecommunications equipment or system
within which all hardware, firmware, and
software components that perform critical
COMSEC functions are located.
NOTE: Key generation and key handling
and storage are critical COMSEC
functions.
COMSEC chip set Collection of National Security Agency
approved microchips furnished to a
manufacturer to secure or protect
telecommunications equipment. (See
secure communications and protected
communications.)
COMSEC control program Set of instructions or routines for
a computer that controls or affects the
externally performed functions of key
generation, key distribution, message
encryption/decryption, or authentication.
COMSEC custodian Person designated by proper authority to
be responsible for the receipt, transfer,
accounting, safeguarding and destruction
of COMSEC material assigned to a COMSEC
account.
NOTE: The term COMSEC manager is
replacing the term COMSEC custodian.
These terms are not synonymous, since the
responsibilities of the COMSEC manager
extend beyond the functions required for
effective operation of a COMSEC account.
COMSEC end item Equipment or combination of components
ready for its intended use in a COMSEC
application.
COMSEC equipment Equipment designed to provide security to
telecommunications by converting
information to a form unintelligible to
an unauthorized interceptor and,
subsequently, by reconverting such
information to its original form for
authorized recipients; also, equipment
designed specifically to aid in, or as an
essential element of, the conversion
process.
NOTE: COMSEC equipment includes
crypto-equipment, crypto-ancillary equipment,
cryptoproduction equipment, and
authentication equipment.
COMSEC facility Space employed primarily for the purpose
of generating, storing, repairing, or
using COMSEC material.
COMSEC incident Occurrence that potentially jeopardizes
the security of COMSEC material or the
secure electrical transmission of
national security information.
COMSEC insecurity COMSEC incident that has been
investigated, evaluated, and determined
to jeopardize the security of COMSEC
material or the secure transmission of
information.
COMSEC manager Person who manages the COMSEC resources
of a command or activity. (See the note
following the definition for COMSEC
custodian.)
COMSEC material Item designed to secure or authenticate
telecommunications.
NOTE: COMSEC material includes, but is
not limited to, key, equipment, devices,
documents, firmware or software that
embodies or describes cryptographic logic
and other items that perform COMSEC
functions.
COMSEC Material Control System Logistics and accounting system
through which COMSEC material
marked "CRYPTO" is distributed,
controlled, and safeguarded.
NOTE: Included are the COMSEC central
offices of record, cryptologistic depots,
and COMSEC accounts. COMSEC material
other than key may be handled through the
COMSEC Material Control System.
COMSEC modification Electrical, mechanical, or software
change to a National Security Agency
approved COMSEC end item.
NOTE: Categories of COMSEC modifications
are: mandatory, optional, special
mission mandatory, special mission
optional, human safety mandatory, and
repair actions.
COMSEC module Removable component that performs COMSEC
functions in a telecommunications
equipment or system.
COMSEC monitoring Act of listening to, copying, or
recording transmissions of one's own
official telecommunications to provide
material for analysis, so that the degree
of security being provided to those
transmissions may be determined.
COMSEC profile Statement of the COMSEC measures and
materials used to protect a given
operation, system, or organization.
COMSEC survey Organized collection of COMSEC and
communications data relative to a given
operation, system, or organization.
COMSEC system data Information required by a COMSEC
equipment or system to enable it to
properly handle and control key.
COMSEC training Teaching of hands-on skills relating to
COMSEC accounting, the use of COMSEC
aids, or the installation, use,
maintenance, and repair of COMSEC
equipment.
confidentiality Assurance that information is not
disclosed to unauthorized entities or
processes.
configuration control Process of controlling modifications to a
telecommunications or automated
information systems hardware, firmware,
software, and documentation to ensure the
system is protected against improper
modifications prior to, during, and after
system implementation.
configuration management Management of security features and
assurances through control of changes
made to hardware, software, firmware,
documentation, test, test fixtures and
test documentation of an automated
information system, throughout the
development and operational life of a
system.
confinement property Synonymous with star (*) property.
contingency key Key held for use under specific
operational conditions or in support of
specific contingency plans.
contingency plan Plan maintained for emergency response,
backup operations, and post-disaster
recovery for an AIS, as a part of its
security program, that will ensure the
availability of critical resources and
facilitate the continuity of operations
in an emergency situation.
controlled access protection Log-in procedures, audit of security
relevant events, and resource isolation
as prescribed for class C2 in the Orange
Book.
controlled cryptographic item Secure telecommunications or information
handling equipment, or associated
cryptographic component, that is
unclassified but governed by a special
set of control requirements.
NOTE: Such items are marked "CONTROLLED
CRYPTOGRAPHIC ITEM" or, where space is
limited, "CCI."
controlled sharing Condition which exists when access
control is applied to all users and
components of an AIS.
controlled space Three-dimensional space surrounding
telecommunications and automated
information systems equipment, within
which unauthorized persons are denied
unrestricted access and are either
escorted by authorized persons or are
under continuous physical or electronic
surveillance.
controlling authority Official responsible for directing
the operation of a cryptonet and for
managing the operational use and control
of keying material assigned to the
cryptonet.
cooperative key generation Electronically exchanging functions of
locally generated, random components,
from which both terminals of a secure
circuit construct traffic encryption key
or key encryption key for use on that
circuit.
cooperative remote rekeying Synonymous with manual remote
rekeying.
cost-benefit analysis Assessment of the costs of providing
protection or security to a
telecommunications or AIS versus risk and
cost associated with asset loss or
damage.
countermeasure Action, device, procedure, technique, or
other measure that reduces the
vulnerability of an AIS.
covert channel Unintended and/or unauthorized
communications path that can be used to
transfer information in a manner that
violates an AIS security policy. (See
overt channel and exploitable channel.)
covert storage channel Covert channel that involves the
direct or indirect writing to a storage
location by one process and the direct or
indirect reading of the storage location
by another process.
NOTE: Covert storage channels typically
involve a finite resource (e.g., sectors
on a disk) that is shared by two subjects
at different security levels.
covert timing channel Covert channel in which one
process signals information to another
process by modulating its own use of
system resources (e.g., central
processing unit time) in such a way that
this manipulation affects the real
response time observed by the second
process.
credentials Information passed from one entity to
another, that is used to establish the
sending entity's access rights.
cryptanalysis Operations performed in converting
encrypted messages to plain text without
initial knowledge of the crypto-algorithm
and/or key employed in the encryption.
CRYPTO Marking or designator identifying COMSEC
keying material used to secure or
authenticate telecommunication carrying
classified or sensitive U.S. Government
or U.S. Government-derived information.
NOTE: When written in all upper case
letters, CRYPTO has the meaning stated
above. When written in lower case as a
prefix, crypto and crypt are
abbreviations for cryptographic.
crypto-alarm Circuit or device which detects failures
or aberrations in the logic or operation
of crypto-equipment.
NOTE: Crypto-alarm may inhibit
transmission or may provide a visible
and/or audible alarm.
crypto-algorithm Well-defined procedure or sequence of
rules or steps used to produce cipher
text from plain text and vice versa.
crypto-ancillary equipment Equipment designed specifically to
facilitate efficient or reliable
operation of crypto-equipment, but that
does not perform cryptographic functions.
crypto-equipment Equipment that embodies a cryptographic
logic.
cryptographic Pertaining to, or concerned with,
cryptography.
cryptographic component Hardware or firmware embodiment of the
cryptographic logic.
NOTE: Cryptographic component may be a
modular assembly, a printed wiring
assembly, a microcircuit, or a
combination of these items.
cryptographic initialization Function used to set the state of
a cryptographic logic prior to key
generation, encryption, or other
operating mode.
cryptographic logic Well-defined procedure or sequence of
rules or steps used to produce cipher
text from plain text, and vice versa, or
to produce a key stream, plus delays,
alarms, and checks which are essential to
effective performance of the
cryptographic process. (See
crypto-algorithm.)
cryptographic randomization Function which randomly determines the
transmit state of a cryptographic logic.
cryptography Principles, means, and methods for
rendering plain information
unintelligible and for restoring
encrypted information to intelligible
form.
crypto-ignition key Device or electronic key used to unlock
the secure mode of crypto-equipment.
cryptonet Stations that hold a specific key for
use.
NOTE: Activities that hold key for other
than use, such as cryptologistic depots,
are not cryptonet members for that key.
Controlling authorities are de facto
members of the cryptonets they control.
cryptoperiod Time span during which each key setting
remains in effect.
cryptosecurity Component of communications security that
results from the provision of technically
sound cryptosystems and their proper use.
cryptosynchronization Process by which a receiving decrypting
cryptographic logic attains the same
internal state as the transmitting
encrypting logic.
cryptosystem Associated COMSEC items interacting to
provide a single means of encryption or
decryption.
cryptosystem assessment Process of establishing the
exploitability of a cryptosystem,
normally by reviewing transmitted traffic
protected or secured by the system under
study.
cryptosystem evaluation Process of determining vulnerabilities
of a cryptosystem.
cryptosystem review Examination of a cryptosystem by the
controlling authority to ensure its
adequacy of design and content, continued
need, and proper distribution.
cryptosystem survey Management technique in which actual
holders of a cryptosystem express
opinions on the system's suitability and
provide usage information for technical
evaluations.
D
data encryption standard Cryptographic algorithm, designed for
the protection of unclassified data and
published by the National Institute of
Standards and Technology in Federal
Information Processing Standard
Publication 46.
data flow control Synonymous with information flow control.
data integrity Condition that exists when data is
unchanged from its source and has not
been accidentally or maliciously
modified, altered, or destroyed.
data origin authentication Corroboration that the source of data is
as claimed.
data security Protection of data from unauthorized
(accidental or intentional) modification,
destruction, or disclosure.
decertification Revocation of the certification of an AIS
item or equipment for cause.
decipher Convert enciphered text to the equivalent
plain text by means of a cipher system.
decode Convert encoded text to its equivalent
plain text by means of a code.
decrypt Generic term encompassing decode and
decipher.
dedicated mode AIS security mode of operation wherein
each user, with direct or indirect access
to the system, its peripherals, remote
terminals, or remote hosts, has all of
the following:
a. Valid security clearance for all
information within the system.
b. Formal access approval and signed
non-disclosure agreements for all the
information stored and/or processed
(including all compartments,
subcompartments, and/or special access
programs).
c. Valid need-to-know for all
information contained within the AIS.
NOTE: When in the dedicated security
mode, a system is specifically and
exclusively dedicated to and controlled
for the processing of one particular type
or classification of information, either
for full-time operation or for a
specified period of time.
default classification Temporary classification reflecting the
highest classification being processed in
an AIS.
NOTE: Default classification is included
in the caution statement affixed to the
object.
degauss Destroy information contained in magnetic
media by subjecting that media to
high-intensity alternating magnetic fields,
following which the magnetic fields
slowly decrease.
delegated development program Information systems security program
in which the Director, National Security
Agency, delegates the development and/or
production of the entire telecommunications
product, including the information
systems security portion, to a lead
department or agency.
denial of service Result of any action or series of actions
that prevents any part of a
telecommunications or AIS from
functioning.
descriptive top-level specification Top-level specification that is
written in a natural language (e.g.,
English), an informal design notation, or
a combination of the two.
NOTE: Descriptive top-level
specification, required for a class B2
and B3 AIS, completely and accurately
describes a trusted computing base.
See formal top-level specification.
designated approving authority Official with the authority to formally
assume responsibility for operating an
AIS or network at an acceptable level of
risk.
design controlled spare part Part or subassembly for a COMSEC
equipment or device with a National
Security Agency controlled design.
dial back Synonymous with call back.
digital signature Synonymous with electronic signature.
direct shipment Shipment of COMSEC material directly from
the National Security Agency to user
COMSEC accounts.
discretionary access control Means of restricting access to
objects based on the identity and
need-to-know of users and/or groups to
which the object belongs.
NOTE: Controls are discretionary in the
sense that a subject with a certain
access permission is capable of passing
that permission (directly or indirectly)
to any other subject. See mandatory
access control.
DoD Trusted Computer System Evaluation Criteria Document containing
basic requirements and evaluation classes for assessing
degrees of effectiveness of hardware and
software security controls built into
AIS.
NOTE: This document, DoD 5200.28-STD,
is frequently referred to as the Orange
Book.
domain Unique context (e.g., access control
parameters) in which a program is
operating; in effect, the set of objects
that a subject has the ability to access.
dominate Term used to compare AIS security levels.
NOTE: Security level S1 is said to
dominate security level S2 if the
hierarchical classification of S1 is
greater than, or equal to, that of S2 and
the non-hierarchical categories of S1
include all those of S2 as a subset.
drop accountability Procedure under which a COMSEC account
custodian initially receipts for COMSEC
material, and then provides no further
accounting for it to its central office
of record.
NOTE: Local accountability of the COMSEC
material may continue to be required.
See also accounting legend code, ALC-3
and ALC-4.
dummy group Textual group having the appearance of a
valid code or cipher group which has no
plain text significance.
E
electronically generated key Key produced only in non-physical
form.
NOTE: Electronically generated key
stored magnetically (e.g., on a floppy
disc) is not considered hard copy key.
electronic signature Process that operates on a message to
assure message source authenticity and
integrity, and source non-repudiation.
electronic security Protection resulting from all measures
designed to deny unauthorized persons
information of value which might be
derived from the interception and
analysis of non-communications
electromagnetic radiations, such as
radar.
element Removable item of COMSEC equipment,
assembly, or subassembly which normally
consists of a single piece or group of
replaceable parts.
embedded computer Computer system that is an integral part
of a larger system or subsystem that
performs or controls a function, either
in whole or in part.
embedded cryptography Cryptography which is engineered into an
equipment or system the basic function of
which is not cryptographic.
NOTE: Components comprising the
cryptographic module are inside the
equipment or system and share host device
power and housing. The cryptographic
function may be dispersed or identifiable
as a separate module within the host.
embedded cryptographic system Cryptosystem that performs or controls
a function, either in whole or in part,
as an integral element of a larger system
or subsystem.
emission security Protection resulting from all measures
taken to deny unauthorized persons
information of value which might be
derived from intercept and analysis of
compromising emanations from
crypto-equipment, AIS, and telecommunications
systems.
encipher Convert plain text to equivalent cipher
text by means of a cipher.
encode Convert plain text to equivalent cipher
text by means of a code.
encrypt Generic term encompassing encipher and
encode.
end-item accounting Accounting for all the accountable
components of a COMSEC equipment
configuration by a single short title.
endorsed DES equipment Unclassified equipment that embodies
unclassified data encryption standard
cryptographic logic and has been endorsed
by the National Security Agency for the
protection of national security
information.
endorsed for unclassified cryptographic item Unclassified cryptographic
equipment that embodies a U.S. Government
classified cryptographic logic and is
endorsed by the National Security Agency
for the protection of national security
information. (See type 2 product.)
endorsement National Security Agency approval of a
commercially-developed telecommunications
or automated information systems
protection equipment or system for
safeguarding national security
information.
end-to-end encryption Encryption of information at its origin,
and decryption at its intended
destination, without any intermediate
decryption.
end-to-end security Safeguarding information in a secure
telecommunications system by
cryptographic or protected distribution
system means from point of origin to
point of destination.
entrapment Deliberate planting of apparent flaws in
an AIS for the purpose of detecting
attempted penetrations.
environment Procedures, conditions, and objects that
affect the development, operation, and
maintenance of an AIS.
erasure Process intended to render stored data
irretrievable by normal means.
executive state One of several states in which an AIS may
operate, and the only one in which
certain privileged instructions may be
executed.
NOTE: Such privileged instructions
cannot be executed when the system is
operating in other (e.g., user) states.
exercise key Key intended to safeguard transmissions
associated with exercises.
exploitable channel Covert channel that is intended to
violate the security policy governing an
AIS and is usable or detectable by
subjects external to the trusted
computing base. (See covert channel.)
exploratory development model Assembly of preliminary circuits or parts
in line with commercial practice to
investigate, test, or evaluate the
soundness of a concept, device, circuit,
equipment, or system in a "breadboard" or
rough experimental form, without regard
to eventual overall physical form or
layout.
extraction resistance Capability of a crypto-equipment or a
secure telecommunications system or
equipment to resist efforts to extract
key.
F
fail safe Pertaining to the automatic protection of
programs and/or processing systems to
maintain safety when a hardware or
software failure is detected in a system.
fail soft Pertaining to the selective termination
of affected nonessential processing when
a hardware or software failure is
determined to be imminent in an AIS.
failure access Unauthorized and usually inadvertent
access to data resulting from a hardware
or software failure in an AIS.
failure control Methodology used to detect and provide
fail safe or fail soft recovery from
hardware and software failures in an AIS.
fetch protection AIS-provided restriction to prevent a
program from accessing data in another
user's segment of storage.
fielded equipment COMSEC end-item shipped to the user
subsequent to first article testing on
the initial production contract.
file protection Aggregate of all processes and procedures
established in an AIS designed to inhibit
unauthorized access, contamination,
elimination, modification, or destruction
of a file or any of its contents.
file security Means by which access to computer files
is limited to authorized users only.
fill device COMSEC item used to transfer or store key
in electronic form or to insert key into
a crypto-equipment.
FIREFLY Key management protocol based on public
key cryptography.
fixed COMSEC facility COMSEC facility that is located in an
immobile structure or aboard a ship.
flaw Error of commission, omission, or
oversight in an AIS that may allow
protection mechanisms to be bypassed.
flaw hypothesis methodology System analysis and penetration
technique in which the specification and
documentation for an AIS are analyzed and
then flaws in the system are
hypothesized.
NOTE: List of hypothesized flaws is
prioritized on the basis of the estimated
probability that a flaw exists and,
assuming a flaw does exist, on the ease
of exploiting it, and on the extent of
control or compromise it would provide.
The prioritized list is used to perform
penetration testing of a system.
formal access approval Documented approval by a data
owner to allow access to a particular
category of information.
formal proof Complete and convincing mathematical
argument, presenting the full logical
justification for each proof step, for
the truth of a theorem or set of
theorems.
NOTE: In computer security, these formal
proofs provide A1, and beyond A1
assurance under the DoD Trusted Computer
System Evaluation Criteria.
formal security policy model Mathematically precise statement of a
security policy.
NOTE: Such a model must define a secure
state, an initial state, and how the
model represents changes in state. The
model must be shown to be secure by
proving that the initial state is secure
and that all possible subsequent states
remain secure.
formal top-level specification Top-level specification that is written
in a formal mathematical language to
allow theorems, showing the correspondence
of the system specification to its
formal requirements, to be hypothesized
and formally proven.
NOTE: Formal top-level specification,
required for a class A1 AIS, completely
and accurately describes the trusted
computing base. See descriptive top-level
specification.
formal verification Process of using formal proofs to
demonstrate the consistency between
formal specification of a system and
formal security policy model (design
verification) or between formal
specification and its high-level program
implementation (implementation
verification).
frequency hopping Repeated switching of frequencies during
radio transmission according to a
specified algorithm, to minimize
unauthorized interception or jamming of
telecommunications.
front-end security filter Security filter, which could be
implemented in hardware or software, that
is logically separated from the remainder
of an AIS to protect the integrity of the
system.
full maintenance Complete diagnostic repair, modification,
and overhaul of information systems
security equipment, including repair of
defective assemblies by piece part
replacement. (See limited maintenance.)
functional testing Segment of security testing in which
advertised security mechanisms of an AIS
are tested under operational conditions.
G
granularity Relative fineness or coarseness to which
an access control mechanism can be
adjusted.
NOTE: Protection at the file level is
considered coarse granularity, whereas
protection at the field level is
considered to be a finer granularity.
guard Processor that provides a filter between
two disparate systems operating at
different security levels or between a
user terminal and a data base to remove
data for which the user is not authorized
access.
H
handshaking procedures Dialogue between two entities (e.g., a
user and a computer, a computer and
another computer, or a program and
another program) for the purpose of
identifying and authenticating these
entities to one another.
hard copy key Physical keying material, such as printed
key lists, punched or printed key tapes,
or programmable, read-only memories.
hardwired key Key that is permanently installed.
hashing Iterative process that computes a value
(referred to as a hashword) from a
particular data unit in a manner that,
when a hashword is protected,
manipulation of the data is detectable.
hashword Synonymous with checksum.
high risk environment Specific location or geographic area
where there are insufficient friendly
security forces to ensure the
safeguarding of information systems
security equipment.
hostile cognizant agent Person, authorized access to national
security information, who intentionally
makes that information available to an
intelligence service or other group, the
goals of which are inimical to the
interests of the United States Government
or its allies.
host to front-end protocol Set of conventions governing the
format and control of data that is passed
from a host to a front-end machine.
I
identification Process that enables recognition of an
entity by an AIS.
NOTE: This is generally accomplished by
the use of unique machine-readable user
names.
imitative communications deception Introduction of deceptive messages or
signals into an adversary's
telecommunications signals. See
communications deception and manipulative
communications deception.
impersonation Synonymous with spoofing.
implant Electronic device or component
modification to electronic equipment that
is designed to gain unauthorized
interception of information-bearing
energy via technical means.
inadvertent disclosure Accidental exposure of information
to a person not authorized access.
incomplete parameter checking AIS design flaw that results when
all parameters have not been fully
anticipated for accuracy and consistency,
thus making the system vulnerable to
penetration.
individual accountability Ability to associate positively the
identity of a user with the time, method,
and degree of access to an AIS.
information flow control Procedure to ensure that information
transfers within an AIS are not made from
a higher security level object to an
object of a lower security level.
information label Piece of information that accurately and
completely represents the sensitivity of
the data in a subject or object.
NOTE: Information label consists of a
security label as well as other required
security markings (e.g., codewords,
dissemination control markings, and
handling caveats), to be used for data
information security labeling purposes.
information system Any telecommunications and/or computer
related equipment or interconnected
system or subsystems of equipment that is
used in the acquisition, storage,
manipulation, management, movement,
control, display, switching, interchange,
transmission, or reception of voice
and/or data, and includes software,
firmware, and hardware.
information systems security (INFOSEC) The protection of information
systems against unauthorized access to or
modification of information, whether in
storage, processing or transit, and
against the denial of service to
authorized users or the provision of
service to unauthorized users, including
those measures necessary to detect,
document, and counter such threats.
information system security officer Person responsible to the designated
approving authority who ensures that
security of an information system is
implemented through its design,
development, operation, maintenance, and
secure disposal stages.
information systems security product Item (chip, module, assembly, or
equipment), technique, or service that
performs or relates to information
systems security.
initialize Setting the state of a cryptographic
logic prior to key generation,
encryption, or other operating mode.
integrity check value Checksum that is capable of detecting
malicious modification of an AIS.
interim approval Temporary authorization granted by a
designated approving authority for an AIS
to process classified information and
information governed by 10 U.S.C. Section
2315 or 44 U.S.C. 3502(2) in its
operational environment based on
preliminary results of a security
evaluation of the system.
internet private line interface Network cryptographic unit that
provides secure connections, singularly
or in simultaneous multiple connections,
between a host and a predetermined set of
corresponding hosts.
internet protocol Standard protocol for transmission of
data from source to destinations in
packet-switched communications networks
and interconnected systems of such
networks.
K
key Information (usually a sequence of random
or pseudorandom binary digits) used
initially to set up and periodically
change the operations performed in
crypto-equipment for the purpose of
encrypting or decrypting electronic
signals, for determining electronic
counter-countermeasures patterns (e.g.,
frequency hopping or spread spectrum), or
for producing other key.
NOTE: "Key" has replaced the terms
"variable," "key(ing) variable," and
"cryptovariable."
key-auto-key Cryptographic logic which uses previous
key to produce key.
key card Paper card, containing a pattern of
punched holes, which establishes the key
for a specific cryptonet at a specific
time.
key encryption key Key that encrypts or decrypts other key
for transmission or storage.
key list Printed series of key settings for a
specific cryptonet.
NOTE: Key lists may be produced in list,
pad, or printed tape format.
key management Process by which key is generated,
stored, protected, transferred, loaded,
used, and destroyed.
key production key Key that is used to initialize a
keystream generator for the production of
other electronically generated key.
key stream Sequence of symbols (or their electrical
or mechanical equivalents) produced in a
machine or auto-manual cryptosystem to
combine with plain text to produce cipher
text, control transmission security
processes, or produce key.
key tag Identification information associated
with certain types of electronic key.
key tape Punched or magnetic tape containing key.
NOTE: Printed key in tape form is
referred to as a key list.
key updating Irreversible cryptographic process for
modifying key automatically or manually.
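The "irreversible" property in the key updating entry above is what gives a compromised cryptoperiod a bounded blast radius. The following example is added here to show it in working code; it is not text or code from NSTISSI No. 4009 and not the procedure of any fielded equipment. Using HMAC-SHA256 as the update function is an assumption made for illustration, and the starting key is constructed.

```python
"""Key updating as an irreversible (one-way) ratchet across cryptoperiods.

Added example; not from NSTISSI No. 4009 and not any equipment's procedure.
HMAC-SHA256 as the update function is an assumption; the starting key is
constructed.
"""
import hashlib
import hmac


def update_key(key: bytes, period: int) -> bytes:
    """Derive the key for the next cryptoperiod from the current one. The
    preimage resistance of SHA-256 is what makes the step irreversible:
    holding key[n+1] does not let anyone compute key[n]."""
    label = b"KEY-UPDATE" + period.to_bytes(4, "big")   # constructed domain label
    return hmac.new(key, label, hashlib.sha256).digest()


def key_schedule(initial: bytes, periods: int) -> list:
    """Keys for successive cryptoperiods, each derived only from its
    predecessor. Both ends run this independently, so no key is transmitted."""
    keys = [initial]
    for n in range(1, periods):
        keys.append(update_key(keys[-1], n))
    return keys


def keys_derivable_from(schedule: list, captured_index: int) -> list:
    """Indices of schedule keys an adversary reaches after capturing one key.
    Only the forward direction is computable, which is why the superseded key
    must be zeroized once the update is done, or irreversibility buys nothing."""
    reach = []
    k = schedule[captured_index]
    for n in range(captured_index, len(schedule)):
        if k == schedule[n]:
            reach.append(n)
        k = update_key(k, n + 1)
    return reach


def demo() -> dict:
    initial = b"\x7f" * 32        # constructed starting key; loaded by fill device in practice
    tx = key_schedule(initial, 6)   # transmitting end
    rx = key_schedule(initial, 6)   # receiving end, same initial key
    return {
        "both_ends_in_step": tx == rx,
        "all_periods_distinct": len(set(tx)) == 6,
        "capture_of_period_3_reaches": keys_derivable_from(tx, 3),
    }
```

The schedule is only as good as the destruction of old key: an updated key that is still sitting in memory or on a key tape makes the earlier cryptoperiod recoverable regardless of the one-way function.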
keying material Key, code, or authentication information
in physical or magnetic form.
L
least privilege Principle that requires that each subject
be granted the most restrictive set of
privileges needed for the performance of
authorized tasks.
NOTE: Application of this principle
limits the damage that can result from
accident, error, or unauthorized use of
an AIS.
limited access Synonymous with access control.
limited maintenance COMSEC maintenance restricted to fault
isolation, removal, and replacement of
plug-in assemblies.
NOTE: Soldering or unsoldering usually
is prohibited in limited maintenance.
See full maintenance.
line conduction Unintentional signals or noise induced or
conducted on a telecommunications or
automated information system signal,
power, control, indicator, or other
external interface line.
link encryption Encryption of data in individual links of
a telecommunications system.
list-oriented Computer protection in which each
protected object has a list of all
subjects authorized to access it. (See
also ticket-oriented.)
lock and key protection system Protection system that involves
matching a key or password with a
specific access requirement.
logic bomb Resident computer program that triggers
an unauthorized act when particular
states of an AIS are realized.
logical completeness measure Means for assessing the effectiveness
and degree to which a set of security and
access control mechanisms meets the
requirements of security specifications.
long title Descriptive title of a COMSEC item.
low probability of detection Result of measures used to hide or
disguise intentional electromagnetic
transmissions.
low probability of intercept Result of measures to prevent the
intercept of intentional electromagnetic
transmissions.
M
machine cryptosystem Cryptosystem in which cryptographic
processes are performed by crypto-equipment.
magnetic remanence Magnetic representation of residual
information that remains on a magnetic
medium after the medium has been erased
or overwritten.
NOTE: Magnetic remanence refers to data
remaining on magnetic storage media after
removal of the power or after degaussing.
maintenance hook Special instructions in software to allow
easy maintenance and additional feature
development.
NOTE: Maintenance hooks are not clearly
defined during access for design
specification. Since maintenance hooks
frequently allow entry into the code at
unusual points or without the usual
checks, they are a serious security risk
if they are not removed prior to live
implementation. Maintenance hooks are
special types of trap doors.
maintenance key Key intended only for off-the-air in-shop
use.
malicious logic Hardware, software, or firmware that is
intentionally included in an AIS for an
unauthorized purpose.
NOTE: Trojan horse is a form of
malicious logic.
mandatory access control Means of restricting access to objects
based on the sensitivity (as represented
by a label) of the information contained
in the objects and the formal
authorization (i.e., clearance) of
subjects to access information of such
sensitivity. (See discretionary access
control.)
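The entries for dominate, information flow control, discretionary access control, list-oriented protection, least privilege and mandatory access control describe one mechanism from several angles: a reference monitor that checks labels against clearances and then consults the object's access list. The example below is added to show those pieces working together; it is not text or code from NSTISSI No. 4009. Reading the "no read up, no write down" rules into the MAC and information flow control entries follows the Bell-LaPadula model, which is an assumption of this example, and the level names, compartments, subjects and objects are constructed.

```python
"""Reference monitor combining mandatory (label-based) and discretionary
(access-list) control.

Added example; not from NSTISSI No. 4009. Read/write rules follow
Bell-LaPadula (assumption); levels, compartments, subjects and objects
are constructed.
"""
from dataclasses import dataclass, field

# Hierarchical classifications, ordered low to high (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class SecurityLevel:
    classification: str
    categories: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other: "SecurityLevel") -> bool:
        """S1 dominates S2 when its classification is >= that of S2 and its
        categories include all of S2's categories as a subset."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and other.categories <= self.categories)


@dataclass
class Subject:
    name: str
    clearance: SecurityLevel


@dataclass
class ProtectedObject:
    name: str
    label: SecurityLevel
    # List-oriented protection: the object carries its own list of
    # authorized subjects, mapping subject name -> set of access modes.
    acl: dict = field(default_factory=dict)


class ReferenceMonitor:
    """Mediates every access of a subject to an object: MAC first, then DAC."""

    def check(self, subj: Subject, obj: ProtectedObject, mode: str) -> bool:
        # MAC: reading requires the clearance to dominate the object label.
        if mode == "read" and not subj.clearance.dominates(obj.label):
            return False
        # MAC: writing requires the label to dominate the clearance, so no
        # information flows from a higher-level object to a lower-level one.
        if mode == "write" and not obj.label.dominates(subj.clearance):
            return False
        # DAC: the access list must name this subject for this mode.
        return mode in obj.acl.get(subj.name, set())

    def grant(self, grantor: Subject, obj: ProtectedObject,
              grantee: Subject, mode: str) -> bool:
        """Discretionary passing of a permission: only a subject holding
        'own' may extend the list. Least privilege: pass one mode, not 'own'."""
        if "own" not in obj.acl.get(grantor.name, set()):
            return False
        obj.acl.setdefault(grantee.name, set()).add(mode)
        return True


def demo() -> dict:
    """Accesses decided by MAC alone, by DAC alone, and by both."""
    secret_ab = SecurityLevel("SECRET", frozenset({"ALPHA", "BRAVO"}))
    secret_a = SecurityLevel("SECRET", frozenset({"ALPHA"}))
    confidential = SecurityLevel("CONFIDENTIAL")

    owner = Subject("owner", secret_ab)
    analyst = Subject("analyst", secret_ab)
    clerk = Subject("clerk", confidential)
    report = ProtectedObject("report", secret_a,
                             acl={"owner": {"own", "read", "write"}})
    bulletin = ProtectedObject("bulletin", confidential,
                               acl={"owner": {"own"}, "analyst": {"write"},
                                    "clerk": {"read", "write"}})
    rm = ReferenceMonitor()
    out = {}
    out["analyst_read_before_grant"] = rm.check(analyst, report, "read")  # DAC denies
    rm.grant(owner, report, analyst, "read")
    out["analyst_read_after_grant"] = rm.check(analyst, report, "read")   # both allow
    rm.grant(owner, report, clerk, "read")
    out["clerk_read_report"] = rm.check(clerk, report, "read")            # MAC denies, ACL irrelevant
    out["analyst_write_down"] = rm.check(analyst, bulletin, "write")      # MAC denies write down
    out["clerk_write_bulletin"] = rm.check(clerk, bulletin, "write")      # both allow
    out["analyst_regrants"] = rm.grant(analyst, report, clerk, "read")    # no 'own': cannot pass it on
    return out
```

Note the order of the checks: a discretionary grant can never widen what the labels permit, which is exactly the distinction the two entries draw, and the clerk stays locked out of the SECRET report even after the owner adds them to its list.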
mandatory modification Change to a COMSEC end item that the
National Security Agency requires to be
completed and reported by a specified
date.
NOTE: This type of modification should
not be confused with modifications that
are optional to the National Security
Agency, but have been adjudged mandatory
by a given department or agency. The
latter modification may have an
installation deadline established and
controlled solely by the user's
headquarters.
manipulative communications deception Alteration or simulation of friendly
telecommunications for the purpose
of deception.
NOTE: Manipulative communications
deception may involve establishment of
bogus communications structures,
transmission of deception messages, and
expansion or creation of communications
schedules on existing structures to
display an artificial volume of messages.
See communications deception and
imitative communications deception.
manual cryptosystem Cryptosystem in which the cryptographic
processes are performed manually without
the use of crypto-equipment or auto-manual
devices.
manual remote rekeying Procedure by which a distant
crypto-equipment is rekeyed electrically, with
specific actions required by the
receiving terminal operator.
masquerading Synonymous with spoofing.
master crypto-ignition key Crypto-ignition key that is able to
initialize crypto-ignition key, when
interacting with its associated
crypto-equipment.
material symbol Communications circuit identifier used
for key card resupply purposes.
memory bounds Limits in the range of storage addresses
for a protected region in the memory of
an AIS.
message authentication code Data element associated with an
authenticated message which allows a
receiver to verify the integrity of the
message.
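The hashing entry says manipulation is detectable only "when a hashword is protected"; the message authentication code entry is the keyed construction that removes that condition. The following example is added to make the difference concrete and is not text or code from NSTISSI No. 4009. HMAC-SHA256 as the MAC construction is an assumption, and the key and messages are constructed.

```python
"""Hashword versus message authentication code.

Added example; not from NSTISSI No. 4009. HMAC-SHA256 is the assumed MAC
construction; key and messages are constructed.
"""
import hashlib
import hmac
import secrets


def hashword(data: bytes) -> bytes:
    """Unkeyed hash over a data unit. Manipulation is detectable only while
    the hashword itself is protected; anyone can recompute it over altered data."""
    return hashlib.sha256(data).digest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Message authentication code: producing a valid tag needs the key, so the
    receiver learns both that the message is unaltered and that a key holder sent it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison: an early-exit byte compare would leak how many
    # leading bytes of a forged tag were right.
    return hmac.compare_digest(mac_tag(key, data), tag)


def integrity_demo() -> dict:
    key = secrets.token_bytes(32)               # shared by sender and receiver
    message = b"TRANSFER 100 TO ACCT 4455"      # constructed sample traffic
    forged = b"TRANSFER 900 TO ACCT 4455"

    # Case 1: receiver keeps a protected copy of the original's hashword.
    protected = hashword(message)
    # Case 2: hashword travels with the data and the attacker rewrites both.
    stored_data, stored_hash = forged, hashword(forged)

    tag = mac_tag(key, message)
    return {
        "hashword_detects_change": hashword(forged) != protected,
        "unprotected_hashword_fooled": hashword(stored_data) == stored_hash,
        "mac_accepts_genuine": mac_verify(key, message, tag),
        "mac_rejects_altered_message": not mac_verify(key, forged, tag),
        "mac_rejects_tag_made_without_key":
            not mac_verify(key, forged, mac_tag(b"\x00" * 32, forged)),
    }
```

A MAC proves integrity and origin to a key holder; because the receiver holds the same key it could have produced the tag itself, so it provides none of the non-repudiation that a signature does.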
message externals Non-textual (outside the message text)
characteristics of transmitted messages.
message indicator Sequence of bits transmitted over a
telecommunications system for the purpose
of crypto-equipment synchronization.
NOTE: Some off-line cryptosystems, such
as the KL-51 and one-time pad systems,
employ message indicators to establish
decryption starting points.
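The message indicator and cryptosynchronization entries together describe how a receiver gets its decrypting logic into the same internal state as the transmitter. The example below is added to show that exchange end to end; it is not text or code from NSTISSI No. 4009 and not the design of any fielded equipment. The key stream generator is HMAC-SHA256 run in counter mode, an assumption chosen for illustration, and the key, indicator length and traffic are constructed.

```python
"""Cryptosynchronization through a transmitted message indicator.

Added example; not from NSTISSI No. 4009 and not any equipment's design.
The key stream generator (HMAC-SHA256 in counter mode) is an assumption;
key, indicator length and traffic are constructed.
"""
import hashlib
import hmac
import secrets

MI_LEN = 16   # message indicator length in bytes (constructed choice)


class KeyStreamGenerator:
    """Cryptographic logic whose internal state is (key, message indicator,
    counter). Two instances with equal state emit identical key stream."""

    def __init__(self, key: bytes, message_indicator: bytes):
        self.key = key
        self.mi = message_indicator
        self.counter = 0
        self._buf = b""

    def next_bytes(self, n: int) -> bytes:
        while len(self._buf) < n:
            block = hmac.new(self.key, self.mi + self.counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self.counter += 1
            self._buf += block
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def transmit(key: bytes, plaintext: bytes) -> bytes:
    """Encrypting side: pick a fresh indicator and send it in the clear ahead of
    the cipher text. It carries no key, only the starting point."""
    mi = secrets.token_bytes(MI_LEN)
    gen = KeyStreamGenerator(key, mi)
    return mi + xor_bytes(gen.next_bytes(len(plaintext)), plaintext)


def receive(key: bytes, frame: bytes) -> bytes:
    """Decrypting side: read the indicator, rebuild the same internal state
    (cryptosynchronization), then strip the key stream."""
    mi, ciphertext = frame[:MI_LEN], frame[MI_LEN:]
    gen = KeyStreamGenerator(key, mi)
    return xor_bytes(gen.next_bytes(len(ciphertext)), ciphertext)


def sync_demo() -> dict:
    key = b"\x42" * 32                      # constructed shared key
    msg = b"REPORT POSITION AT 0600"        # constructed traffic
    frame = transmit(key, msg)
    damaged = bytes([frame[0] ^ 0x01]) + frame[1:]   # one indicator bit hit in transit
    return {
        "synchronized_receiver_recovers_text": receive(key, frame) == msg,
        "damaged_indicator_desynchronizes": receive(key, damaged) != msg,
        "same_text_twice_gives_different_frames": transmit(key, msg) != frame,
    }
```

Two caveats follow from the definitions. The indicator is not secret, but the pair (key, indicator) must never repeat, or two messages share key stream and the one-time rule is broken. And synchronization gives no integrity: a flipped cipher text bit flips the same plain text bit undetected, so a message authentication code is still needed on top.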
mimicking Synonymous with spoofing.
mobile COMSEC facility COMSEC facility that can be readily moved
from one location to another.
mode of operation Description of the conditions under which
an AIS operates, based on the sensitivity
of data processed and the clearance
levels and authorizations of the users.
NOTE: Five modes of operation are
authorized for an AIS processing
information and for networks transmitting
information. See compartmented mode,
dedicated mode, multilevel mode,
partitioned security mode, and
system-high mode.
multilevel device Device that is trusted to properly
maintain and separate data of different
security levels.
multilevel mode AIS security mode of operation wherein
all the following statements are
satisfied concerning the users who have
direct or indirect access to the system,
its peripherals, remote terminals, or
remote hosts:
a. Some users do not have a valid
security clearance for all the
information processed in the AIS.
b. All users have the proper security
clearance and appropriate formal access
approval for that information to which
they have access.
c. All users have a valid need-to-know
only for information to which they have
access.
multilevel security Concept of processing information with
different classifications and categories
that simultaneously permits access by
users with different security clearances,
but prevents users from obtaining access
to information for which they lack
authorization.
mutual suspicion Condition in which two entities need to
rely upon each other to perform a
service, yet neither entity trusts the
other to properly protect shared data.
N
national security information Information that has been determined,
pursuant to Executive Order 12356 or any
predecessor order, to require protection
against unauthorized disclosure, and that
is so designated.
national security systems Telecommunications and automated
information systems operated by the U.S.
Government, its contractors, or its
agents, that contain classified
information or, as set forth in 10 U.S.C.
Section 2315, that involves intelligence
activities, involves cryptologic
activities related to national security,
involves command and control of military
forces, involves equipment that is an
integral part of a weapon or weapon
system, or involves equipment that is
critical to the direct fulfillment of
military or intelligence missions.
need-to-know Access to, or knowledge or possession of,
specific information required to carry
out official duties.
net control station Terminal in a secure telecommunications
net responsible for distributing key in
electronic form to the members of the
net.
network front end Device that implements the needed
security-related protocols to allow a
computer system to be attached to a
network.
network reference monitor Access control concept that refers to
an abstract machine that mediates all
access to objects within a network by
subjects within the network. See
reference monitor.
network security Protection of networks and their services
from unauthorized modification,
destruction, or disclosure, and
provision of assurance that the network
performs its critical functions correctly
and there are no harmful side-effects.
NOTE: Network security includes
providing for data integrity.
network security officer Individual formally appointed by a
designated approving authority to ensure
that the provisions of all applicable
directives are implemented throughout the
life cycle of an automated information
system network. See information system
security officer.
network system System that is implemented with a
collection of interconnected network
components.
NOTE: A network system is based on a
coherent security architecture and
design.
network trusted computing base Totality of protection mechanisms
within a network system, including
hardware, firmware, and software, the
combination of which is responsible for
enforcing a security policy. See trusted
computing base.
no-lone zone Area, room, or space which, when manned,
must be occupied by two or more
appropriately cleared individuals who
remain within sight of each other. (See
two person integrity.)
noncooperative remote rekeying Synonymous with automatic remote
rekeying.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
non-secret encryption: Synonymous with public key cryptography.
null: Dummy letter, letter symbol, or code group inserted in an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.
O
object: Passive entity that contains or receives information.
NOTE: Access to an object implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, and network nodes.
object reuse: Reassignment of a storage medium (e.g., page frame, disk sector, magnetic tape) that contained one or more objects, after ensuring that no residual data remained on the storage medium.
off-line cryptosystem: Cryptosystem in which encryption and decryption are performed independently of the transmission and reception functions.
one-part code: Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so that one listing serves for both encoding and decoding.
NOTE: One-part codes are normally small codes that are used to pass small volumes of low-sensitivity information.
one-time cryptosystem: Cryptosystem employing key which is used only once.
one-time pad: Manual one-time cryptosystem produced in pad form.
one-time tape: Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.
on-line cryptosystem: Cryptosystem in which encryption and decryption are performed in association with the transmitting and receiving functions.
open security environment: Environment that does not provide sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
open storage: Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel.
operational data security: Protection of data from either accidental or unauthorized intentional modification, destruction, or disclosure during input, processing, or output operations.
operational key: Key intended for use on-the-air for protection of operational information or for the production or secure electrical transmission of key streams.
operational waiver: Authority for continued use of unmodified COMSEC end-items, pending the completion of a mandatory modification.
operations code: Code composed largely of words and phrases which are suitable for general communications use.
operations security: Process of denying to potential adversaries information about capabilities and/or intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities.
optional modification: National Security Agency approved modification that is not required for universal implementation by all holders of a COMSEC end-item.
NOTE: This class of modification requires all of the engineering/doctrinal control of mandatory modification, but is usually not related to security, safety, TEMPEST, or reliability.
Orange Book: Synonymous with DoD Trusted Computer System Evaluation Criteria.
organizational maintenance: Limited maintenance performed by a user organization.
overt channel: Communications path within a computer system or network that is designed for the authorized transfer of data. (See covert channel.)
over-the-air key distribution: Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.
over-the-air key transfer: Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.
over-the-air rekeying: Changing traffic encryption key or transmission security key in remote crypto-equipment by sending new key directly to the remote crypto-equipment over the communications path it secures.
overwrite procedure: Process which removes or destroys data recorded on an AIS storage medium by writing patterns of data over, or on top of, the data stored on the medium.
P
parity: Set of bits used to determine whether a block of data (key or data stored in computers) has been intentionally or unintentionally altered.
partitioned security mode: AIS security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an AIS.
NOTE: This security mode encompasses the compartmented mode and applies to non-intelligence DoD organizations and DoD contractors.
passphrase: Sequence of characters, longer than the acceptable length of a password, that is transformed by a password system into a virtual password of acceptable length.
password: Protected/private character string used to authenticate an identity or to authorize access to data.
penetration: Unauthorized act of bypassing the security mechanisms of a cryptographic system or AIS.
penetration testing: Security testing in which evaluators attempt to circumvent the security features of an AIS based on their understanding of the system design and implementation.
per-call key: Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. (See cooperative key generation.)
periods processing: Processing of various levels of classified and unclassified information at distinctly different times.
NOTE: Under periods processing, the system must be purged of all information from one processing period before transitioning to the next when there are different users with differing authorizations.
permuter: Device used in a crypto-equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits.
plain text: Unencrypted information.
positive control material: Generic term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material or devices.
preproduction model: Version of a crypto-equipment that employs standard parts and is in final mechanical and electrical form suitable for complete evaluation of form, design, and performance.
NOTE: Preproduction models are often referred to as E-model equipment.
print suppression: Eliminating the display of characters in order to preserve their secrecy.
NOTE: An example of print suppression is not displaying the characters of a password as it is keyed at the input terminal.
privacy system: Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack.
production model: Crypto-equipment in its final mechanical and electrical form of production design made by use of production tools, jigs, fixtures, and methods using standard parts.
profile: Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an AIS.
proprietary information: Material and information relating to or associated with a company's products, business or activities, including but not limited to: financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that have been clearly identified and properly marked as proprietary information, trade secrets or company confidential information.
NOTE: Trade secrets constitute the whole or any portion or phase of any technical information, design process, procedure, formula or improvement that is not generally available to the public, that a company considers company confidential and that could give or gives an advantage over competitors who do not know or use the trade secret.
protected communications: Telecommunications deriving their protection through use of type 2 products or data encryption standard equipment. (See secure communications.)
protected distribution system: Wireline or fiber-optic telecommunications system that includes terminals and adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information.
protection equipment: Type 2 product or data encryption standard equipment that the National Security Agency has endorsed to meet applicable standards for the protection of telecommunications or automated information systems containing national security information.
protection philosophy: Informal description of the overall design of an AIS that delineates each of the protection mechanisms employed.
NOTE: Combination, appropriate to the evaluation class, of formal and informal techniques used to show the mechanisms are adequate to enforce the security policy.
protection ring: One of a hierarchy of privileged modes of an AIS that gives certain access rights to user programs and processes authorized to operate in a given mode.
protective packaging: Packaging techniques for COMSEC material which discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.
protective technologies: Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.
protective technology/package incident: Any penetration of information system security protective technology or packaging, such as a crack, cut, or tear.
protocol: Set of rules and formats, semantic and syntactic, that permits entities to exchange information.
public cryptography: Body of cryptographic and related knowledge, study, techniques, and applications that is, or is intended to be, in the public domain.
public key cryptography: Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
NOTE: Commonly called non-secret encryption in professional cryptologic circles. FIREFLY is an application of public key cryptography.
purge: Removal of data from an AIS, its storage devices, or other peripheral devices with storage capacity in such a way that the data may not be reconstructed.
NOTE: An AIS must be disconnected from any external network before a purge. See clearing.
Q
QUADRANT: Short name referring to technology which provides tamper-resistant protection to crypto-equipment.
R
randomizer: Analog or digital source of unpredictable, unbiased, and usually independent bits.
NOTE: Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator.
read: Fundamental operation in an AIS that results only in the flow of information from an object to a subject. (See access type.)
read access: Permission to read information in an AIS.
real-time reaction: Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.
recovery procedures: A