Appendix A - Definitions

This appendix contains the full set of definitions used in all of the authentication standards.

Authentication standards definitions
Activation data
Normally a password or biometric that is used to authenticate to a hardware or software token or a hardware device before they may be used. Software tokens (in particular any related cryptographic keys or secrets) are normally protected under a key generated using the activation data.
Agency
Any government organisation that applies any of the standards within this suite.
Anonymous service
A service that does not require the user to be identified or require protection of a user's identity. For example, access to publicly available online publications.
Attributed identity
The attributes of a person's identity that are present from birth, for example, birth name and date and place of birth.
Authentication
Process of establishing, to the required level of confidence, the identity of one or more parties to a transaction. Consists of identity management (establishing who you are) and logon management (confirming who you are).
Authentication key
Method used by an individual to authenticate his or her identity over the Internet. Examples of authentication keys include passwords, one-time passwords, software tokens, hardware tokens and biometrics. Authentication keys are also referred to as keys.
Authentication protocol
Predefined data formats and methods for the messages that are exchanged during the authentication process. The authentication process verifies that the customer has control of an authentication key to authenticate that customer remotely.
Benchmark
Evaluate or check processes by comparing with a standard point of reference.
Biographical information
Record of the events that occur during a person's lifetime, for example, birth registration, employment history, and marriage or civil union registration.
Biometric information
Physical and behavioural attributes of a person, for example, their facial features, DNA profile, retina, iris, voice and fingerprints.
Biometric recognition
The process of matching an input biometric to stored biometric information. In particular, biometric recognition refers to comparing the biometric input from an individual to the stored biometric template about that individual. Examples of biometrics include face images, fingerprint images, iris images, retinal scans, etc.
Biometrics
In the context of customer authentication, biometrics refers to a physical characteristic or behavioural pattern of a person. Examples include fingerprints, thumbprints, hand geometry, iris patterns, speech patterns, face geometry and keyboard-typing patterns.
Business processes
A series of steps followed to achieve a given outcome. A process has several key characteristics, including specific measures that determine if it is done correctly, and which enable it to be repeated multiple times; it consumes resources such as time, money and/or energy; and it responds to quality control mechanisms that can help the process be done more efficiently.
Brute force guessing attacks
Where an attacker tries to guess a specific customer's password by trying every possible valid password (i.e. passwords that are made up from combinations from the set of valid password characters).
Common password attacks
Where an attacker tries commonly used passwords (such as obvious variations of 'password', 'logon', etc.) against all the usernames they know or can guess.
Consequence
Outcome or impact of an event.

NOTE -

(1) There can be more than one consequence from one event.

(2) Consequences can range from positive to negative.

(3) Consequences can be expressed qualitatively or quantitatively.

(4) Consequences are considered in relation to the achievement of objectives.
Cryptographic keys
Protected values (in terms of their confidentiality and integrity) that are used in cryptographic operations.
Cryptographic operations
Special algorithms and protocols that may be used in the authentication process.
Customer
Person who claims some identity, which undergoes the authentication process. The identity claim may be based on a username.
Customer fraud attacks
Where the customer deliberately compromises their authentication key or computing environment to enable them to deny subsequent authentication events.
Customer Information Quality v3.0 Specifications (CIQ v3.0)
The CIQ v3.0 Specifications are XML-based OASIS standards that define a vocabulary to represent customer data, including identity-related data. CIQ v3.0 includes: eXtensible Name and Address Language (xNAL), eXtensible Party Information Language (xPIL) and eXtensible Party Relationship Language (xPRL). xNAL itself comprises eXtensible Name Language (xNL) and eXtensible Address Language (xAL).

NOTE - CIQ v3.0 is scheduled for public release mid-2006.
Dictionary attacks
Where an attacker tries every word from a collection, called a dictionary, against a username to find a legitimate password. The collection may be hashed or encrypted, depending on the way in which passwords are stored.
Discrepancy
Situations where an individual has supplied identity-related documents or information that may have an inconsistency requiring further investigation.
Eavesdropper attacks
Where an attacker obtains information from an authentication exchange and recovers data, such as authentication key values or cultural information, which then may be used to authenticate.
e-GIF
E-government Interoperability Framework - a collection of policies and standards endorsed for New Zealand government information technology (IT) systems.
Electronic verification
Verification of the accuracy of information through electronic checks of information records such as electronic databases.
Evaluation
Systematic review of business processes to ensure they are still effective and appropriate.
Event
Occurrence of a particular set of circumstances.

NOTE -

(1) The event can be certain or uncertain.

(2) The event can be a single occurrence or a series of occurrences.
Evidence of identity (EOI)
The types of evidence that, when combined, provide confidence that an individual is who they say they are.
Evidence of identity (EOI) process
Process by which an agency establishes confidence in an individual's identity.
Evidence of identity process risks
Any risk created through an EOI process.
Exceptions/exception case
Individuals (or a group of individuals) who, for genuine reasons, are unable to meet the EOI requirements set out in this standard.
eXtensible Markup Language (XML)
XML is a simple, very flexible text format derived from SGML. Originally designed to meet the challenges of large-scale electronic publishing, XML is also playing an increasingly important role in the exchange of a wide variety of data on the Web and elsewhere.
eXtensible Stylesheet Language (XSL)
XSL is a language for expressing stylesheets. Designers use an XSL stylesheet to express their intentions about how that structured content should be presented, i.e. how the source content should be styled, laid out, and paginated onto some presentation medium.

[edited from http://www.w3.org/TR/xsl/]
Factors of authentication
The three ways in which an entity may be authenticated: by something they know, have or are. One, two, or three-factor authentication uses one, two, or three of the factors of authentication, respectively. Multi-factor authentication is either two-factor or three-factor authentication.
False identities
Situations where a person uses an identity that is not their own (in some cases, this can be for legitimate reasons).
Frequency
A measure of the number of occurrences per unit of time.
Government Logon Service (GLS)
An all-of-government shared service that provides ongoing re-confirmation of online identity to participating agencies to the desired level of confidence.
Hardware token
Specialised hardware device that protects cryptographic keys and performs cryptographic operations. Use of the hardware token normally requires entry of activation data such as a password or biometric.
Identification
Process of associating identity data with a particular person.
Identity
A set of attributes and/or data linked to an individual person.
Identity data/information
Data/information pertaining to an individual's identity.
Identity manipulation
Alteration of one or more elements of identity (e.g. name, date of birth) to dishonestly obtain an advantage.
Identity - misuse and abuse
Gaining money, goods, services, other benefits or the avoidance of obligations through the use of a false or stolen identity.
Identity-related risk
Any risk for a particular service that results from an individual's identity being incorrectly attributed.
Identity theft
Theft or assumption of a pre-existing identity (or significant part thereof), with or without consent, and whether, in the case of an individual, the person is alive or dead.
Identity Verification Service (IVS)
An all-of-government shared service that provides individuals with the option to verify their identity authoritatively, online, and in real-time with participating agencies to a passport-level of confidence.
Initial password
Password that is issued to the customer and used only for the first authentication.
Insider attacks
Where verifiers or systems managers deliberately compromise the authentication system or steal authentication keys or related data.
Internal controls
Any policies, procedures, techniques and mechanisms put in place to minimise process failure and help ensure that actions are taken to address risks.
Key logger attacks
Malicious code or hardware attacks that capture the keystrokes of a customer with the intention of obtaining any password typed in by the customer.
Likelihood
Used as a general description of probability or frequency.

NOTE - Can be expressed qualitatively or quantitatively.
Low Risk Category
Services in this category have been assessed as having a low level of identity-related risk.
Malicious code attacks
Attacks that are generally aimed at the customer's computing environment. They vary in their sophistication from simple keystroke loggers to advanced Trojan programs that can gain control of the customer's computer. Malicious code attacks may also be aimed at verifier systems.
Man-in-the-middle attacks
Where an attacker inserts him/herself between the customer and the verifier in an authentication exchange. The attacker attempts to authenticate to both parties by posing as the customer to the verifier and the verifier to the customer.
Monitor / monitoring
To check, supervise, observe critically or measure the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.
Mutual authentication
Where both entities authenticate to each other (the authentication is normally based on the same or closely similar methods).
OASIS
Organisation for the Advancement of Structured Information Standards (OASIS) is a not-for-profit international consortium that drives the development, convergence and adoption of e-business standards.
One-time password
One-time password systems utilise a series of passwords in the authentication process. Each password of the series is called a one-time password, as they are all distinct (or at least distinct with a very high probability). Many methods are based on a static shared base secret that is used to generate the distinct authentication secrets. Other common methods use collections of passwords that are distributed to customers.
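Added illustration, not part of the standard's text: one concrete form of the "static shared base secret" method described above is a counter-based HMAC one-time password in the style of RFC 4226, shown here in Python with the verifier side included. The secret value is the 20-byte ASCII key from the RFC 4226 test vectors and is a constructed demo value, not an agency key; the verifier class, its look-ahead window and the `OtpVerifier` name are assumptions made for the example. The verifier records the last counter it accepted, so a password that has already been used (or one older than the last accepted counter) is rejected, which is the property that defeats a simple replay of a captured one-time password.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key), shared between customer token and verifier.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive one password of the series from the static shared secret and a counter.

    HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, then reduce modulo 10^digits
    (the RFC 4226 construction). Each counter value yields a distinct password with high probability.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Verifier side (assumed design): tracks the next expected counter so each password is usable once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead   # tolerate a few unused token presses

    def verify(self, candidate: str) -> bool:
        """Return True once for the first valid password at or beyond next_counter; never again for that value."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison avoids leaking how many leading digits matched
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1   # consume this counter; a replay of the same value now fails
                return True
        return False


if __name__ == "__main__":
    token_side = [hotp(SHARED_SECRET, c) for c in range(3)]
    verifier = OtpVerifier(SHARED_SECRET)
    for pw in token_side:
        print(pw, "accepted" if verifier.verify(pw) else "rejected")
    print(token_side[0], "replayed:", "accepted" if verifier.verify(token_side[0]) else "rejected")
```

The look-ahead window is a usability trade-off: it lets the customer's token drift a few presses ahead of the verifier, but a larger window gives a guesser proportionally more passwords that are valid at once, so it should stay small and be combined with the lockout controls the standard expects for password guessing.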
Online service
Service that an agency offers through an interactive online delivery channel.
Password
Static secret, usually composed of keyboard characters, which is used as the authentication key.
Phishing attacks
Social engineering attacks that use forged web pages, emails, or other electronic communications to convince the customer to reveal their password or other sensitive information to the attacker.
Pre-knowledge guessing attacks
Where an attacker tries to guess a specific customer's password, using knowledge of the customer's personal details, preferences, etc.
Primary data source
The original (i.e. issuing) source of identity data/information.
Primary documents
Those that can be used as part of a process for establishing an individual's identity (e.g. Birth Certificate, Community Services Card, New Zealand Citizenship Certificate).
Proof of possession protocol
An authentication protocol where a customer proves to a verifier that they control an authentication key (e.g. a cryptographic key or a password).
Pseudonymous service
A service that does not require a person to be uniquely identified but requires that the service agency be able to respond to the user. For example, to 'recognise' the person when he/she accesses the service on return visits.
Replay attacks
Where the attacker records the data of a successful authentication and replays this information to attempt to falsely authenticate to the verifier.
Reset password
Password that is issued to the customer, following identity verification procedures, when the customer has forgotten his/her password or been locked out from the authentication system.
Risk
The chance of something happening that will have an impact on objectives.

NOTE -

(1) A risk is often specified in terms of an event or circumstances and consequences that may flow from it.

(2) Risk is measured in terms of a combination of the consequence of the event and their likelihood.
Risk profiling
The process of gathering data on characteristics (e.g. customer behaviours) in order to identify categories of risk.
Security Assertion Markup Language (SAML)
An XML-based standard that defines messages for communicating a range of security-related statements about individual parties, including their authentication.
Service
An activity conducted between a customer and a government agency, in accordance with the functions for which that agency is accountable.
Service user
Person interacting with agencies to access services over the Internet.
Session hijacking attacks
Where the attacker takes over (hijacks) a session following successful authentication.
Shoulder surfing attacks
Social engineering attacks where the attacker covertly observes the password when the customer enters it.
Social engineering attacks
Attacks that are aimed at obtaining authentication keys or data by fooling the customer into using an insecure authentication protocol, or into loading malicious code onto the customer's computer. Attacks may also be aimed at the verification process, for example by trying to trick help desk staff into accepting a false story.
Software token
A software token is essentially a software implementation of a hardware token: a specialised piece of software that protects cryptographic keys and performs cryptographic operations. Use of the software token normally requires entry of activation data such as a password or biometric. In this case, cryptographic keys are protected using a key derived from the activation data. (The term digital certificate is often incorrectly used in place of software token.)
Strong password
Password that is resistant to brute force guessing, common password, dictionary, and pre-knowledge guessing attacks.
Supporting documents
Those that can be used to assist in establishing an individual's identity, where an individual is unable to provide 'primary' documents (e.g. bank statement, student ID card, utility account).
Transport Layer Security (TLS)
TLS provides a cryptographically protected channel for web browser exchanges. It is defined by the Internet Engineering Task Force, supersedes the older Secure Sockets Layer (SSL) protocol, and is effectively SSL version 3.1.
Trusted referee
A person who is asked to confirm the accuracy of identity information supplied by an individual and who confirms that, to their knowledge, the information corresponds to that individual.

The two key elements that should exist for a person to be a trusted referee are:

  • They have personal knowledge of the individual being identified.
  • They are trusted by the agency according to the agency's own criteria of sufficient trust.
Username
Construction of alphanumeric characters that is used to identify a customer within the authentication system (the username is used to identify the customer, or rather their authentication key, to the verifier as part of the authentication process).
Verifier
Entity that performs the procedures for verifying the claim of identity for customers. The verifier and the service provider may be separate entities.
Verifier impersonation attacks
Where the attacker impersonates the verifier to the customer to obtain authentication keys or data, which then may be used to authenticate falsely to the verifier.
XML Linking Language (XLink)
XLink allows elements to be inserted into XML documents in order to create and describe links between resources.
XML Metadata Interchange (XMI)
XML Metadata Interchange is an open information interchange model that allows developers who work with object technology to exchange programming data over the Internet in a standardised way.
XML Path Language (XPath)
XPath is a language for addressing parts of an XML document, designed to be used by both XSLT and XPointer.
XSL Transformations (XSLT)
XSLT is a language for transforming XML documents into other XML documents. XSLT is designed for use as part of XSL (defined above). XSL specifies the styling of an XML document by using XSLT to describe how the document is transformed into another XML document that uses the formatting vocabulary.

[Edited from http://www.w3.org/TR/xslt]