Appendix E - Glossary of Terms
| Term | Meaning |
|---|---|
| Access Control | This is how authorised privileges are provided to an individual. It is the mechanism that controls, at a low level, what actions an individual can perform or what will be performed on their behalf. Authorisation gives permission for an activity; Access Control conducts the activity. |
| Assertion | A statement or premise that is taken as being correct or true. |
| Attribute | An individual piece of information. |
| Authenticate | To give legal validity to, to render valid, to establish the validity of. |
| Authentication or | The process of initially establishing that a person is genuinely who they say they are, and the process of establishing an authenticated online session between a government agency and an authenticated individual. |
| Authentication Strength | See Key Strength. |
| Authorisation | Whereas authentication is used to establish the identity of a party to a transaction, authorisation is used to determine what privileges that party will enjoy. With typical online applications, individuals are authorised to view/change information related to themselves and conduct transactions such as purchases, using their own resources. |
| Biometric | In the context of authentication, biometric refers to a physical characteristic of a person. For example, fingerprint, voice, DNA or physical appearance, such as facial image. |
| Brute Force Attack | A technique used by Internet hackers to attempt access to a protected system. This attack requires trying all (or a large fraction of all) possible values till the right value is found; also called an exhaustive search. |
| Cabinet Policy and Principles | For the purposes of this document, this refers to the April 2002 Cabinet-approved policy and implementation principles (the authentication principles) for online authentication and for the development of a consistent approach to government authentication [CAB Min (02) 12/2A refers]. |
| Client or Individual | A person seeking to access a government service online. |
| Component | A component can be hardware, software or a process that delivers a piece of functionality within a system. Related components can be grouped together to form a 'subsystem'. |
| Digital Certificate | A digital certificate is an electronic means of establishing your credentials when doing business or other transactions on the Internet. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. |
| Digital Signing | Refers to an attempt to mimic the offline act of a person applying their signature to a paper document. Involves applying a mathematical algorithm, usually stored on and as part of the user's private key, to the contents of a body of text. This results in an encrypted version of the document (this is referred to as the 'digitally signed' document) that can only be decrypted by applying the user's public key. |
| Directory | Directories provide a hierarchical storage of information (as opposed to relational schema or designs, such as databases). The de facto standard for directories is LDAP V3. Directories are used to provide a quick and efficient storage for information about people, services and applications. |
| e-GIF | E-government Interoperability Framework - a collection of policies and standards endorsed for New Zealand government information technology (IT) systems. |
| E-government Unit [EGU] | The New Zealand E-government Unit was established in July 2000 in the State Services Commission. The E-government Unit is working with government agencies to achieve the Government's vision for e-government. |
| Entropy | A measure of randomness or lack of organisation in a situation. A totally entropic situation is unpredictable. |
| Evidence of Identity [EOI] | See Identification. |
| Evidence of Identity Framework | The Evidence of Identity Framework is being developed as a best practice guide for establishing the identity of individuals who wish to transact with government agencies. The framework is being developed by a cross agency working party. |
| Evidence of Identity strength | EOI strength is the level of confidence an agency requires in any identity information provided by the user. For example, a utility bill with the user's name and address, or the user's passport and confirmation of the details from a third party. |
| Functional Equivalence | For the purposes of this document, Functional Equivalence refers to the Cabinet and Policy Principles definition in that authentication requirements should be similar to those that apply to existing transactions except where the online nature of the transaction significantly changes the level of risk. |
| Government Agency | A blanket term that includes departments, Crown entities, and any organisation within the State sector. Service agencies and the Authentication Agency are government agencies. |
| Granularity | Refers to the 'level of detail' of any given subject. For example, if a subject is referred to as 'fine granularity' it is considered to be defined to a high level of detail. |
| Hacker | A person who understands the "ins and outs" of computers, networks, and the Internet in general. The term generally refers to a person who has intent to access a computer system without authorisation. |
| Human Factor | For the purposes of this document, 'Human Factor' relates to the issues related to Internet security and the influence of human behaviour on any security mitigation technique. |
| Identification Evidence of Identity [EOI] | The process of associating identity data with a particular person. |
| Identity fraud | To use the identity of a person without their express consent, for a purpose that the person is not aware of, and/or does not approve of. Generally for an illegal activity. |
| Identity Management System | A vendor solution package that combines the features of a Directory Server with software (typically a web-based application) to facilitate the provisioning of individuals in an authentication system. The principal features of these products are to provide support for self-registration of users and support for automatically dealing with lost passwords. |
| IMS | Refer to Identity Management System. |
| Information Sharing | For the purposes of this document, Information Sharing relates to the sharing of individual personal information between multiple agencies. This is often deemed to be information matching and usually requires enabling legislation in order for agencies to operate this process. |
| Key | A method used by an individual to authenticate their identity across the Internet. Examples of a 'Key' include username/password combinations, digital certificates and tokens. |
| Key Strength | Key strength refers to the level of confidence that can be attributed to the presentation of any particular Key type. For instance, username/memorised password is considered the weakest form of authentication. The use of a PIN/physical token is considered stronger. Service Agencies might set a minimum "key strength", then use this attribute to see if a Client's Key is suitable for the service. |
| LDAP | Refer to Lightweight Directory Access Protocol. |
| Legal Liability | The phrase that summarises where the responsibility will lie if/when failures/frauds in the system occur. |
| Liberty Alliance Project | A group that promotes open technical specifications that support a range of network identity-based interactions. For further information, refer to http://www.projectliberty.org |
| Lightweight Directory Access Protocol | A set of protocols used to access a hierarchical directory of information on a directory server. LDAP is considered to be lightweight because it is based on a simplified version of X.500 directories. Directories may contain phone numbers, electronic mail addresses, Public Keys, computer names and addresses, or any other information that can be conveniently arranged hierarchically. |
| Man-in-the-middle attack [MITM] | A technique used by Internet hackers. It results in the hacker 'positioning' themselves between the user and the system they are transacting with. This allows them to monitor communications and obtain information transferred between the parties. |
| Multi-factor Authentication | This is combining two or more authentication techniques together to form a stronger or more reliable level of authentication. This usually involves combining two or more of the following types: Secret - something the person knows; Token - something the person has; Biometric - something the person is. |
| Non-repudiation | The inability of a person or agency to legally repudiate (deny) its participation with an action or a piece of information. |
| OASIS | Refer to Organisation for the Advancement of Structured Information Standards. |
| Online | For the purposes of this document, this refers to transactions made across the Internet or across a network of computers. |
| Online Authentication | The online process of an individual establishing that they are genuinely who they say they are, and the process of establishing an authenticated online session between a government agency and an authenticated individual. |
| Organisation for the Advancement of Structured Information Standards [OASIS] | OASIS was founded in 1993 under the name SGML Open as a consortium of vendors and users devoted to developing guidelines for interoperability among products that support the Standard Generalized Markup Language (SGML). OASIS changed its name in 1998 to reflect an expanded scope of technical work, including the Extensible Markup Language (XML) and other related standards, in particular SAML. Refer to website for further information: |
| Person | An individual human being; man, woman, or child. |
| Personal Information | Information about an identifiable individual. |
| PIA - Privacy Impact Assessment | A formal process to identify and assess privacy implications - in this case of an online authentication solution for government. |
| PIN | Personal Identification Number - a PIN is usually a form of shared secret or password in the form of a series of numbers. Usually used in combination with other forms of authentication techniques. |
| Privacy | The proper handling of personal information throughout its entire lifecycle, consistent with the requirements of the Privacy Act 1993. It can also mean the right of an individual not to be identified. |
| Pseudonym | An arbitrary name chosen by an individual to identify themselves, e.g. a username. |
| Pseudonymous Transaction | A transaction where the party who initiated the process does not provide any identity information. |
| Repudiation | The rejection or renunciation of a duty or obligation - usually arising from a disputed transaction. A party to a transaction later claims the transaction or part of the transaction did not take place. |
| Role | The actions and activities assigned to or required or expected of a person or an entity. |
| SAML | Security Assertion Markup Language - an XML-based framework for exchanging security information. |
| Secure Socket Layer [SSL] | A protocol developed for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Also referred to as HTTPS. |
| Service Agency | Government agency or agent responsible for delivering a service to a client - not the Authentication Agency. |
| SIGS | Security In the Government Sector manual - the minimum standards for Government security. [http://www.security.govt.nz/sigs/index.html] |
| Single Sign-on | The act of signing on once (providing a UserID and Password) thereby achieving access to multiple systems or e-services without having to re-establish the identity of the person. |
| SQL Injection | SQL injection is the name for a general class of attacks that can allow nefarious users to retrieve data, alter server settings, or even take over your server if you're not careful. SQL injection is not a SQL Server problem, but a problem with improperly written applications. |
| SSL | Refer to Secure Socket Layer. |
| State Services Commission | The Office of State Services Commissioner is central to New Zealand's politically neutral, professional and permanent Public Service. The Commissioner has two separate roles: as the holder of a statutory office, the Commissioner acts independently in a range of matters to do with the operation of the Public Service and State sector; and as Chief Executive of the State Services Commission, the department that supports the Commissioner in the performance of this role, the Commissioner is responsible to the Minister of State Services for the Commission's capability and performance. |
| Technology Neutrality | For the purposes of this document, Technology Neutrality refers to the Cabinet and Policy Principles definition in that agencies are to ensure a range of technology options are considered, and as far as possible to avoid 'vendor capture'. |
| Token | A physical device used in the authentication of an individual. A type of 'Key', usually held in the possession of the individual. Examples include USB tokens or smart cards. |
| Transaction Strength | This is the level of confidence an agency requires in an online transaction. For example, a low strength transaction may only require an acknowledgement via email that a service request has been received; a high strength online transaction may require many of the factors related to non-repudiation of a transaction. |
| Transport Layer Security [TLS] | The successor protocol to Secure Socket Layer [SSL], created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical to SSL version 3. |
| Trust Levels | The Transaction Trust Levels (the 'Trust Levels') were developed to provide guidance to those agencies considering providing a service online by enabling them to categorise transactions on a consistent basis. This was intended to ensure that transactions of a similar type are implemented using similar authentication solutions. |
| Unique Identifier | For the purposes of this document, the definition of Unique Identifier is the interpretation as set out in the Privacy Act 1993. "Unique Identifier" means an identifier - that is assigned to an individual by an agency for the purposes of the operations of the agency; and that uniquely identifies that individual in relation to that agency; but, for the avoidance of doubt, does not include an individual's name used to identify that individual. |
| Username / Userid | A construction of letters and numbers that, in conjunction with a password, uniquely identifies a person. |
| Verification (of a key) | A process to confirm whether a key is appropriate to be used. |
| xNAL | NZ e-Government extensible name and address language. For further information refer to 'xNAL Guidelines'. |

