PROTECTION FOR YOUR PC, SOFTWARE AND MORE

=Personal identifiers=

The three authentication factors:
 * who you are: biometric characteristics, such as your fingerprints or your eyes for a retinal scan
 * what you have: things you carry, such as a swipe card or a dongle
 * what you know: things you have memorized, such as your password, PIN number or family information

=**TrueCrypt**= is a [|software application] used for [|on-the-fly encryption] (OTFE). It is distributed without cost and the source code is available. It can create a virtual encrypted disk within a file or encrypt a [|partition] or (under [|MS Windows] except [|Windows 2000]) the entire [|storage device] ([|pre-boot authentication]).

=**Symmetric-key algorithms**=

Symmetric-key algorithms are a class of [|algorithms] for [|cryptography] that use trivially related, often identical, [|cryptographic keys] for both encryption and decryption. The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transformation to go between the two keys. The keys, in practice, represent a [|shared secret] between two or more parties that can be used to maintain a private information link. Other terms for symmetric-key encryption are **secret-key**, **single-key**, **shared-key**, **one-key**, and **private-key** encryption. Use of the last and first terms can create ambiguity with similar terminology used in [|public-key cryptography].

Types of symmetric-key algorithms
Symmetric-key algorithms can be divided into [|stream ciphers] and [|block ciphers]. Stream ciphers encrypt the bytes of the message one at a time, and block ciphers take a number of bytes and encrypt them as a single unit. Blocks of 64 bits have been commonly used; the [|Advanced Encryption Standard] algorithm approved by [|NIST] in December 2001 uses 128-bit blocks, and 256-bit keys are now in common use. Some examples of popular and well-respected symmetric algorithms include [|Twofish], [|Serpent], [|AES] ([|Rijndael]), [|Blowfish], [|CAST5], [|RC4], [|TDES], and [|IDEA].

=CIPHER= In [|cryptography], a **cipher** (or **cypher**) is an [|algorithm] for performing [|encryption] or [|decryption] — a series of well-defined steps that can be followed as a procedure. An alternative, less common term is **encipherment**. In non-technical usage, a “cipher” is the same thing as a “[|code]”; however, the concepts are distinct in cryptography.

In [|classical cryptography], ciphers were distinguished from codes. Codes operated by substituting according to a large [|codebook] which linked a random string of characters or numbers to a word or phrase. For example, “UQJHSE” could be the code for “Proceed to the following coordinates”.

When using a cipher the original information is known as [|plaintext], and the encrypted form as **[|ciphertext]**. The ciphertext message contains all the information of the plaintext message, but is not in a format readable by a human or computer without the proper mechanism to decrypt it; it should resemble random gibberish to those not intended to read it.

The operation of a cipher usually depends on a piece of auxiliary information, called a [|key] or, in traditional [|NSA] parlance, a **cryptovariable.** The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message. Without knowledge of the key, it should be difficult, if not nearly impossible, to decrypt the resulting ciphertext into readable plaintext.

=**ciphertext**= is the result of the process (known as [|encryption]) of transforming [|information] (referred to as [|plaintext]) using an algorithm (called a [|cipher]) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a [|key]. This result is also known as **encrypted** information. The process to read ciphertext is known as [|decryption].

=The **Data Encryption Standard** (**DES**)= is a [|block cipher] (a form of [|shared secret] [|encryption]) that was selected by the [|National Bureau of Standards] as an official [|Federal Information Processing Standard] (FIPS) for the [|United States] in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a [|symmetric-key algorithm] that uses a 56-bit key.

The [|algorithm] was initially controversial with [|classified] design elements, a relatively short [|key length], and suspicions about a [|National Security Agency] (NSA) [|backdoor]. DES consequently came under intense academic scrutiny which motivated the modern understanding of [|block ciphers] and their [|cryptanalysis].

DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January 1999, [|distributed.net] and the [|Electronic Frontier Foundation] collaborated to publicly break a DES key in 22 hours and 15 minutes (see [|chronology]). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of [|Triple DES], although there are theoretical attacks. In recent years, the cipher has been superseded by the [|Advanced Encryption Standard] (AES). Furthermore, DES has been withdrawn as a standard by the [|National Institute of Standards and Technology] (formerly the National Bureau of Standards).

=Pretty Good Privacy (PGP)= is a [|data encryption] and decryption [|computer program] that provides [|cryptographic] [|privacy] and [|authentication] for data communication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was created by [|Philip Zimmermann] in 1991. PGP and similar products follow the [|OpenPGP] standard ([|RFC 4880]) for encrypting and decrypting data.

How PGP encryption works
PGP [|encryption] uses a serial combination of [|hashing], [|data compression], [|symmetric-key cryptography], and, finally, [|public-key cryptography]; each step uses one of several supported [|algorithms]. Each public key is bound to a user name and/or an [|e-mail] address. The first version of this system was generally known as a [|web of trust] to contrast with the [|X.509] system which uses a hierarchical approach based on [|certificate authority] and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.

=**Public Key Infrastructure** (**PKI**)= is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In [|cryptography], a **PKI** is an arrangement that binds [|public keys] with respective user identities by means of a [|certificate authority] (**CA**). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (**RA**). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in [|public key certificates] issued by the CA. The term [|trusted third party] (**TTP**) may also be used for [|certificate authority] (**CA**). The term PKI is sometimes erroneously used to denote [|public key algorithms], which do not require the use of a CA.



=**virtual private network** (**VPN**)= is a [|computer network] that uses a public telecommunication infrastructure such as the [|Internet] to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization. It [|encapsulates] [|data transfers] between two or more [|networked devices] which are not on the same [|private network] so as to keep the transferred data private from other devices on one or more intervening [|local] or [|wide area networks]. There are many different classifications, implementations, and uses for VPNs.

=A **rainbow table**= is a [|lookup table] offering a [|time-memory tradeoff] used in recovering the [|plaintext] [|password] from a password hash generated by a [|hash function], often a [|cryptographic hash function]. A common application is to make attacks against hashed passwords feasible. A [|salt] is often employed with hashed passwords to make this attack more difficult, often infeasible. Rainbow tables are a refinement of an earlier, simpler algorithm by [|Martin Hellman] that used the inversion of hashes by looking up precomputed hash chains.

Rainbow tables
Rainbow tables effectively solve the problem of collisions with ordinary hash chains by replacing the single reduction function R with a sequence of related reduction functions R1 through R//k//. This way, in order for two chains to collide and merge, they must hit the same value //on the same iteration//. Consequently, the final values in each chain will be identical. A final postprocessing pass can sort the chains in the table and remove any "duplicate" chains that have the same final value as other chains. New chains are then generated to fill out the table. These chains are not //collision-free// (they may overlap briefly) but they will not merge, drastically reducing the overall number of collisions. This changes how lookup is done: because the hash value of interest may be found at any location in the chain, it's necessary to generate //k// different chains. The first chain assumes the hash value is in the last hash position and just applies R//k//; the next chain assumes the hash value is in the second-to-last hash position and applies R//k//−1, then H, then R//k//; and so on until the last chain, which applies all the reduction functions, alternating with H. This creates a new way of producing a false alarm: if we "guess" the position of the hash value wrong, we may needlessly evaluate a chain. Although rainbow tables have to follow more chains, they make up for this by having fewer tables: simple hash chain tables cannot grow beyond a certain size without rapidly becoming inefficient due to merging chains; to deal with this, they maintain multiple tables, and each lookup must search through each table. Rainbow tables can achieve similar performance with tables that are //k// times larger, allowing them to perform a factor of //k// fewer lookups.

Example
We have a hash (//re3xes//) and we want to find one password that produces that hash.
 * 1) Starting from the hash ("re3xes"), one computes the last reduction used in the table and checks whether the password appears in the last column of the table (step 1).
 * 2) If the test fails (//rambo// doesn't appear in the table), one computes a chain with the two last reductions (these two reductions are represented at step 2). Note: if this new test fails again, one continues with 3 reductions, 4 reductions, etc. until the password is found. If no chain contains the password, then the attack has failed.
 * 3) If this test is positive (step 3, //linux23// appears at the end of the chain and in the table), the password is retrieved at the beginning of the chain that produces //linux23//. Here we find //passwd// at the beginning of the corresponding chain stored in the table.
 * 4) At this point (step 4), one generates a chain and compares at each iteration the hash with the target hash. The test is valid and we find the hash //re3xes// in the chain. The current password (//culture//) is the one that produced the whole chain: the attack is successful.
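A runnable toy of the chain construction and the k-position lookup described above, added here as an example (not code from the original page): it uses a constructed password space of three lowercase letters, a truncated SHA-256 as H, and eight index-mixed reduction functions R1..Rk; the names H, R, build_table and lookup are this example's own. The last function shows why the remark about salts holds: a table built for H(p) never recovers H(salt + p).

```python
import hashlib
import itertools
import string

# Toy parameters (constructed for this example): 3 lowercase letters, k = 8.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN          # 17,576 candidate passwords
CHAIN_LEN = 8                            # k: number of reduction functions R1..Rk


def H(password):
    """The unsalted hash being inverted: SHA-256 truncated to 8 hex digits (toy size)."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def R(i, digest):
    """Reduction function R_i: maps a hash back into the password space.
    Mixing in the column index i is what makes R1..Rk differ, so two chains
    merge only if they reach the same value in the same column."""
    n = (int(digest, 16) + i * 0x9E3779B1) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(starts):
    """Map final value -> start password. Chains sharing a final value have merged,
    so the post-processing pass keeps only one of them (no refill of new chains here)."""
    table = {}
    for start in starts:
        p = start
        for i in range(1, CHAIN_LEN + 1):
            p = R(i, H(p))
        table.setdefault(p, start)
    return table


def walk_chain(start, target):
    """Regenerate one chain and return the password whose hash is target, or None
    (None means the table hit was a false alarm)."""
    p = start
    for i in range(1, CHAIN_LEN + 1):
        h = H(p)
        if h == target:
            return p
        p = R(i, h)
    return None


def lookup(table, target):
    """Try all k positions: assume the target hash sits in column pos, apply R_pos,
    then alternate H and R_{pos+1}..R_k to reach a final value and check the table."""
    for pos in range(CHAIN_LEN, 0, -1):
        p = R(pos, target)
        for i in range(pos + 1, CHAIN_LEN + 1):
            p = R(i, H(p))
        start = table.get(p)
        if start is not None:
            found = walk_chain(start, target)
            if found is not None:
                return found
    return None


# Every 5th password of the space becomes a chain start (constructed sample).
STARTS = ["".join(t) for t in itertools.islice(
    itertools.product(ALPHABET, repeat=PW_LEN), 0, None, 5)]
TABLE = build_table(STARTS)


def recover(password):
    """Hash a known password without a salt and ask the table for a preimage."""
    return lookup(TABLE, H(password))


def recover_salted(password, salt="constructed-salt"):
    """Same password, but hashed with a salt: the table was built for H(p), not
    H(salt + p), so no 3-letter preimage is found."""
    return lookup(TABLE, H(salt + password))


if __name__ == "__main__":
    print("unsalted:", recover("aaa"))
    print("salted:  ", recover_salted("aaa"))
```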

=DMZ ZONES GREEN YELLOW RED= In [|computer security], a **DMZ**, or **demilitarized zone** is a physical or logical [|subnetwork] that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a **DMZ** by information technology professionals. It is sometimes referred to as a **perimeter network**. The purpose of a DMZ is to add an additional layer of security to an organization's [|local area network] (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Dual firewalls
A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" firewall) allows only traffic from the DMZ to the internal network. The first firewall handles a much larger amount of traffic than the second firewall. Some recommend that the two firewalls be provided by two different vendors. If an attacker manages to break through the first firewall, it will take more time to break through the second one if it is made by a different vendor. (This architecture is, of course, more costly.) The practice of using different firewalls from different vendors is sometimes described as either "[|defense in depth]" or (from an opposing viewpoint) "[|security through obscurity]".
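The dual-firewall policy described above, as an added Python model (not from the original page): the front-end firewall admits only traffic bound for the DMZ and the back-end admits only DMZ-to-internal traffic, so a host on the Internet never reaches the LAN directly. The address ranges, ports and rule lists are constructed for illustration.

```python
import ipaddress

# Constructed address plan for this example (not from the page).
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/8")


def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in LAN:
        return "lan"
    return "internet"


# Each rule: (source zone, destination zone, destination port or None for any, action).
# First match wins; anything unmatched is denied.
FRONT_END = [                      # between the Internet and the DMZ
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("dmz", "internet", None, "allow"),   # DMZ hosts may reach out (updates, DNS, ...)
]
BACK_END = [                       # between the DMZ and the internal network
    ("dmz", "lan", 5432, "allow"),        # web tier may talk to the database port only
]


def evaluate(rules, src, dst, port):
    for src_zone, dst_zone, rule_port, action in rules:
        if (src_zone, dst_zone) == (zone(src), zone(dst)) and rule_port in (None, port):
            return action
    return "deny"


def firewalls_on_path(src, dst):
    """The front-end firewall is crossed whenever the Internet is one endpoint, the
    back-end whenever the LAN is one endpoint; Internet<->LAN traffic crosses both."""
    zones = {zone(src), zone(dst)}
    crossed = []
    if "internet" in zones:
        crossed.append(FRONT_END)
    if "lan" in zones:
        crossed.append(BACK_END)
    return crossed


def permitted(src, dst, port):
    """A new connection gets through only if every firewall on its path allows it
    (traffic inside one zone crosses no firewall and is not filtered here)."""
    return all(evaluate(rules, src, dst, port) == "allow"
               for rules in firewalls_on_path(src, dst))


if __name__ == "__main__":
    print(permitted("198.51.100.7", "192.0.2.10", 443))   # Internet -> DMZ web
    print(permitted("198.51.100.7", "10.1.1.20", 5432))   # Internet -> LAN database
    print(permitted("192.0.2.10", "10.1.1.20", 5432))     # DMZ -> LAN database
    print(permitted("192.0.2.10", "10.1.1.20", 22))       # DMZ -> LAN SSH
```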

=**Port Address Translation (PAT)**= is a feature of a [|network] device that translates [|TCP] or [|UDP] communications made between hosts on a private network and hosts on a public network. It allows a single public [|IP address] to be used by many hosts on a private network, which is usually a Local Area Network or [|LAN]. A PAT device transparently modifies IP [|packets] as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single [|host] (the PAT device) on the public network.

Relationship between NAT and PAT
PAT is a subset of NAT, and is closely related to the concept of [|Network Address Translation]. PAT is also known as NAT Overload. In PAT there is generally only one publicly exposed IP address and multiple private hosts connecting through the exposed address. Incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs. In PAT, both the sender's private [|IP] and port number are modified; the PAT device chooses the port numbers which will be seen by hosts on the public network. In this way, PAT operates at layer 3 (network) and 4 (transport) of the [|OSI model], whereas basic NAT only operates at layer 3.

An Analogy of PAT
A PAT device is similar to the receptionist at an office that has one public telephone number. Outbound phone calls made from the office all appear to come from the same telephone number. However, incoming calls have to be transferred to the correct private extension by an operator asking the caller who they'd like to speak with; private extensions cannot be dialed directly from outside.

Examples of PAT
A host at IP address 192.168.0.2 on the private network may ask for a connection to a remote host on the public network. The initial packet is given the address 192.168.0.2:15345. The PAT device (which we assume has a public IP of 1.2.3.4) may arbitrarily translate this source address:port pair to 1.2.3.4:16529, making an entry in its internal table recording that port 16529 is being used for a connection by 192.168.0.2 on the private network. When a packet for address 1.2.3.4:16529 is received from the public network by the PAT device, the packet is forwarded to 192.168.0.2:15345.

Advantages of PAT
In addition to the advantages provided by NAT:
 * PAT allows many internal hosts to share a single external IP address.
 * Users who do not require support for inbound connections [|do not consume public IP addresses].

Disadvantages of PAT

 * Scalability - An implementation that only tracks ports can be quickly depleted by internal applications that use multiple simultaneous connections (such as an [|HTTP] request for a web page with many embedded objects). This problem can be mitigated by tracking the destination IP address in addition to the port (thus sharing a single local port with many remote hosts), at the expense of implementation complexity and CPU/memory resources of the translation device.
 * Firewall complexity - Because the internal addresses are all disguised behind one publicly-accessible address, it is impossible for external hosts to initiate a connection to a particular internal host without special configuration on the firewall to forward connections to a particular port. Applications such as [|VOIP], [|videoconferencing], and other peer-to-peer applications must use [|NAT traversal] techniques to function.
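The address/port walkthrough under Examples of PAT and the scalability point above, as one added Python example (not the page's own code): a PatDevice class keeps the translation table, rewrites outbound sources, forwards inbound packets only when an entry exists, and can optionally track the destination so that one public port serves many remote hosts. The remote addresses and the three-port pool are constructed.

```python
class PortExhausted(Exception):
    """No public port left for a new translation entry."""


class PatDevice:
    """Translation table of a PAT device with one public IP address.

    track_destination=False keys entries on the public port alone (the simple scheme);
    track_destination=True keys them on (public port, remote host), so one public
    port can be reused for different remote hosts, the mitigation described above."""

    def __init__(self, public_ip, port_pool, track_destination=False):
        self.public_ip = public_ip
        self.port_pool = list(port_pool)
        self.track_destination = track_destination
        self.outbound_table = {}   # private flow -> public port
        self.inbound_table = {}    # public port (+ remote) -> (private ip, private port)

    def _out_key(self, src, dst):
        return (src, dst) if self.track_destination else src

    def _in_key(self, pub_port, dst):
        return (pub_port, dst) if self.track_destination else pub_port

    def _ports_in_use(self, dst):
        if self.track_destination:
            return {port for (port, remote) in self.inbound_table if remote == dst}
        return set(self.inbound_table)

    def outbound(self, src, dst):
        """Rewrite the source of a packet from src=(private ip, port) to dst=(remote ip, port);
        returns the (public ip, public port) pair the remote host will see."""
        key = self._out_key(src, dst)
        pub_port = self.outbound_table.get(key)
        if pub_port is None:
            in_use = self._ports_in_use(dst)
            free = [p for p in self.port_pool if p not in in_use]
            if not free:
                raise PortExhausted("no free public port for %s -> %s" % (src, dst))
            pub_port = free[0]
            self.outbound_table[key] = pub_port
            self.inbound_table[self._in_key(pub_port, dst)] = src
        return (self.public_ip, pub_port)

    def inbound(self, pub_port, remote):
        """Forward a packet arriving at (public ip, pub_port) from remote. None means drop:
        without an entry the private host cannot be reached directly from outside."""
        return self.inbound_table.get(self._in_key(pub_port, remote))


def page_example():
    """The walkthrough above: 192.168.0.2:15345 leaves as 1.2.3.4:16529 and replies to
    1.2.3.4:16529 go back to 192.168.0.2:15345 (remote host address constructed)."""
    pat = PatDevice("1.2.3.4", range(16529, 16532))
    remote = ("203.0.113.10", 80)
    public = pat.outbound(("192.168.0.2", 15345), remote)
    return public, pat.inbound(16529, remote), pat.inbound(16530, remote)


def survives_burst(track_destination, connections=4):
    """One host opening several simultaneous connections to different remote hosts
    through a device that has only three public ports."""
    pat = PatDevice("1.2.3.4", range(16529, 16532), track_destination)
    try:
        for i in range(connections):
            pat.outbound(("192.168.0.2", 15345 + i), ("203.0.113.%d" % (i + 1), 80))
        return True
    except PortExhausted:
        return False


if __name__ == "__main__":
    print(page_example())
    print("port-only survives 4 connections:", survives_burst(False))
    print("destination tracking survives 4:", survives_burst(True))
```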

=**Biometrics**= comprises methods for uniquely recognizing humans based upon one or more [|intrinsic] physical or behavioral [|traits]. In [|computer science], in particular, biometrics is used as a form of [|identity access management] and [|access control]. It is also used to identify individuals in groups that are under [|surveillance]. Biometric characteristics can be divided into two main classes:
 * **Physiological** are related to the shape of the body. Examples include, but are not limited to [|fingerprint], [|face recognition], [|DNA], [|Palm print], hand geometry, [|iris recognition], which has largely replaced [|retina], and odour/scent.
 * **Behavioral** are related to the behavior of a person. Examples include, but are not limited to [|typing rhythm], [|gait], and [|voice]. Some researchers have coined the term **behaviometrics** for this class of biometrics.

Strictly speaking, //voice// is also a physiological trait because every person has a different [|vocal tract], but voice recognition is mainly based on the study of the way a person speaks, commonly classified as behavioral.

=**Computer forensics**= (sometimes //computer forensic science//) is a branch of [|digital forensic science] pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to explain the current state of a //digital artifact//, such as a computer system, a storage medium (e.g. [|hard disk] or [|CD-ROM]) or an electronic document (e.g. an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.

Volatile data
When seizing evidence, if the machine is still active, any information stored solely in [|RAM] that is not recovered before powering down may be lost. RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate. The length of time for which data recovery is possible is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Techniques
 * **Cross-drive analysis**: A forensic technique that correlates information found on multiple [|hard drives]. The technique, which is still being researched, can be used for identifying social networks and for performing [|anomaly detection].
 * **Live analysis**: The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with [|Encrypting File Systems], for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
 * **Deleted files**: A common technique used in computer forensics is the [|recovery of deleted files]. Most modern forensic software has its own tools for recovering or carving out deleted data.

Analysis tools
A number of open source and commercial tools exist for computer forensics investigation:
 * [|EnCase]
 * [|FTK]
 * [|PTK Forensics]
 * [|The Sleuth Kit]
 * [|The Coroner's Toolkit]
 * [|COFEE]
 * [|Selective file dumper]

Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.

Certifications
There are several computer forensics certifications available. Many state laws in the United States require computer forensic expert witnesses to have a professional certification or a private investigator's license.

Common certifications

 * The GIAC Certified Forensic Analyst (GCFA) certification from the [|Global Information Assurance Certification] organization. There are currently over 2100 GCFA certified individuals.
 * The Certified Computer Examiner (CCE) certification governed by the [|International Society of Forensic Computer Examiners]. Presently there are over 1000 active CCEs representing 28 different countries.

=IDS= An **Intrusion Detection System (IDS)** is a device or [|software application] that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

=CIA= The **Parkerian hexad** is a set of six elements of information security proposed by [|Donn B. Parker] in 2002. The term was coined by [|M. E. Kabay]. The Parkerian hexad adds three additional attributes to the three classic security attributes of the [|CIA triad] (confidentiality, integrity, availability).
 * Confidentiality
 * Possession or Control
 * Integrity
 * Authenticity
 * Availability
 * Utility

Confidentiality
[|Confidentiality] is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a [|credit card] [|transaction] on the Internet requires the [|credit card number] to be transmitted from the buyer to the merchant and from the merchant to a [|transaction processing] network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a [|laptop computer] containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Confidentiality is necessary (but not sufficient) for maintaining the [|privacy] of the people whose personal information a system holds.

Integrity
In information security, integrity means that data cannot be modified without authorization. This is not the same thing as [|referential integrity] in [|databases]. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a [|computer virus] [|infects] a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mis-type someone's address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.

Availability
For any information system to serve its purpose, the information must be [|available] when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. [|High availability] systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing [|denial-of-service attacks].

Authenticity
In computing, [|e-Business] and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.

Non-repudiation
In law, [|non-repudiation] implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. [|Electronic commerce] uses technology such as [|digital signatures] and encryption to establish authenticity and non-repudiation.

=A **firewall**= is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria. Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially [|intranets]. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.



=POLYMORPHISM= In [|computer science], **polymorphism** is a [|programming language] feature that allows values of different [|data types] to be handled using a uniform interface. The concept of parametric polymorphism applies to both data types and [|functions]. A function that can evaluate to or be applied to values of different types is known as a //polymorphic function.// A data type that can appear to be of a generalized type (e.g., a [|list] with elements of arbitrary type) is designated a //polymorphic data type//, like the generalized type from which such specializations are made.

There are two fundamentally different kinds of polymorphism, originally informally described by [|Christopher Strachey] in 1967. If the function denotes different and potentially heterogeneous implementations depending on a limited range of individually specified types and combinations, it is called **ad-hoc polymorphism**. Ad-hoc polymorphism is supported in many languages using [|function] and [|method overloading]. If all code is written without mention of any specific type and thus can be used transparently with any number of new types, it is called **parametric polymorphism**. [|John C. Reynolds] (and later [|Jean-Yves Girard]) formally developed this notion of polymorphism as an extension to the lambda calculus (called the [|polymorphic lambda calculus], or [|System F]). Parametric polymorphism is widely supported in [|statically typed] [|functional programming languages]. In the object-oriented programming community, programming using parametric polymorphism is often called //[|generic programming]//.

=**Microsoft Baseline Security Analyzer** **MBSA**= is a software tool released by [|Microsoft] to determine [|security] state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as [|Internet Explorer], [|IIS] [|web server], and products [|Microsoft SQL Server], and [|Microsoft Office] macro settings. Security updates are determined by the current version of MBSA using the [|Windows Update Agent] present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. An example of a VA might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.

=**Wireshark**= is a [|free and open-source] [|packet analyzer]. It is used for [|network] troubleshooting, analysis, software and [|communications protocol] development, and education. Originally named **Ethereal**, in May 2006 the project was renamed Wireshark due to trademark issues. Wireshark is [|cross-platform], using the [|GTK+] [|widget toolkit] to implement its user interface, and using [|pcap] to capture packets; it runs on various [|Unix-like] [|operating systems] including [|Linux], [|Mac OS X], [|BSD], and [|Solaris], and on [|Microsoft Windows]. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are [|free software], released under the terms of the [|GNU General Public License]. There is also a malicious rogue anti-spyware program called Wireshark Antivirus that reports false information. This is in no way related to the [|packet analyzer] program, Wireshark, and the two should not be confused.

=**Transport Layer Security** (**TLS**) and its predecessor, **Secure Sockets Layer** (**SSL**)= are [|cryptographic protocols] that provide [|security] for communications over networks such as the [|Internet]. TLS and SSL encrypt the segments of network connections at the [|Application Layer] to ensure secure end-to-end transit at the [|Transport Layer]. TLS is also the name of a working group of the [|Internet Engineering Task Force], but in this article TLS refers to the protocol, not the working group. Several versions of the protocols are in widespread use in applications like [|web browsing], [|electronic mail], [|Internet faxing], [|instant messaging] and [|voice-over-IP (VoIP)]. TLS is an [|IETF] [|standards track] protocol, last updated in [|RFC 5246], that was based on the earlier SSL specifications developed by [|Netscape] Corporation.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent [|eavesdropping] and [|tampering]. TLS provides endpoint [|authentication] and [|communications confidentiality] over the [|Internet] using [|cryptography]. TLS provides [|RSA] security with 1024 and 2048 bit strengths. In typical end-user/browser usage, TLS authentication is //unilateral//: only the server is //authenticated// (the client knows the server's identity), but not //vice versa// (the client remains unauthenticated or anonymous). TLS also supports the more secure //bilateral// connection mode (typically used in enterprise applications), in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's [|certificate]). This is known as [|mutual authentication], or 2SSL. Mutual authentication requires that the TLS client side also hold a certificate (which is not usually the case in the end-user/browser scenario), unless [|TLS-PSK], the [|Secure Remote Password] (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates. Typically, the key information and certificates necessary for TLS are handled in the form of [|X.509] certificates, which define required fields and data formats. SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between [|peers].

=Authorization certificate=

In [|computer security], an **attribute certificate** (AC) is a [|digital] document containing attributes associated with the holder by the issuer. When the associated attributes are mainly used for authorization purposes, the AC is called an **authorization certificate**. ACs are standardized in [|X.509]. [|RFC 3281] (since superseded by RFC 5755) further specifies the usage of ACs for authorization on the Internet. The AC is the complement of the [|public key certificate] (PKC). While a PKC is issued by a [|CA] and is used as proof of the identity of its holder, like a [|passport], an AC is issued by an attribute authority ([|AA]) and is used to characterize or entitle its holder, like a [|visa]. Because identity information seldom changes and has a long validity time, while attribute information frequently changes or has a short validity time, separate certificates with different levels of rigour, validity times and issuers are necessary.

Comparison of attribute and public key certificates
An AC is similar to a PKC except that it contains no [|public key], because an AC verifier is under the control of the AC issuer and therefore trusts the issuer directly by having the issuer's public key preinstalled. This means that once the AC issuer's [|private key] is compromised, the issuer has to generate a new [|key pair] and replace the old public key in all verifiers under its control with the new one. In addition to the absence of a public key, an AC does not refer to the holder directly using identity information, as a PKC does, but indirectly through the PKC. This means that verifying an AC requires the presence of the PKC that the AC names as its holder. Like PKCs, ACs can be chained to delegate attributes. For example, an authorization certificate issued for Alice authorizes her to use a particular service. Alice can delegate this privilege to her assistant Bob by issuing an AC for Bob's PKC. When Bob wants to use the service, he presents his PKC and a chain of ACs starting from his own AC issued by Alice and then Alice's AC issued by the issuer that the service trusts. In this way, the service can verify that Alice has delegated her privilege to Bob and that Alice has been authorized to use the service by the issuer that controls the service. [|RFC 3281], however, does not recommend the use of AC chains, because the complexity of administering and processing the chain is not worth the effort and there is little use of ACs on the Internet.

Usage
To use a service or a resource that the issuer of an AC controls, a user presents both the PKC and the AC to the part of the service or resource that functions as an AC verifier. The verifier first checks the identity of the user using the PKC, for example by asking the user to decrypt a message encrypted with the public key in the PKC (or, with a signature-only key, to sign a fresh challenge). If authentication succeeds, the verifier uses the preinstalled public key of the AC issuer to check the signature on the presented AC. If the signature is valid, the verifier checks whether the PKC specified in the AC matches the presented PKC. If it matches, the verifier checks the validity period of the AC. If the AC is still valid, the verifier can perform additional checks before offering the user a particular level of service or resource usage in accordance with the attributes contained in the AC.

For example, a software developer who already has a [|PKC] wants to deploy software on a computing device employing [|DRM], like an [|iPad], where software can only run after it has been approved by the device manufacturer. The developer signs the software with the [|private key] corresponding to the PKC and sends the signed software to the device manufacturer for approval. After authenticating the developer using the PKC and reviewing the software, the manufacturer may issue an AC granting the software the basic capability to install itself and execute, as well as an additional capability to use the Wi-Fi device, following the [|principle of least privilege]. In this example, the AC does not name the developer's PKC as the holder but the software itself, for example by storing the developer's signature over the software in the holder field of the AC. When the software is put onto the device, the device verifies the integrity of the software using the developer's PKC before checking the validity of the AC and granting the software access to the device's functionality.
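
The verification steps listed under Usage, together with the Alice-to-Bob delegation chain from the comparison section, as an added Go example (not code from the original page). To stay self-contained it models the PKC and AC as small signed structs rather than real X.509/RFC 5755 ASN.1 structures, uses Ed25519 throughout, and replaces the page's "decrypt a message" proof of possession with a signature over a fresh challenge. The CA and AA names, the attribute strings and the subset rule for delegated attributes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"time"
)

// PKC stands in for an X.509 public key certificate: the CA signs the binding of a key to a subject.
type PKC struct {
	Issuer, Subject string
	Serial          uint64
	PubKey          ed25519.PublicKey
	Sig             []byte `json:"-"` // kept out of the signed bytes
}

// AC stands in for an attribute certificate: no key of its own, just a holder reference,
// attributes, a validity window and the issuer's signature.
type AC struct {
	Issuer              string // the AA's name, or ref() of the delegating PKC
	Holder              string // ref() of the holder's PKC
	Attributes          []string
	NotBefore, NotAfter time.Time
	Sig                 []byte `json:"-"`
}

func tbs(v any) []byte { b, _ := json.Marshal(v); return b } // to-be-signed bytes; JSON field order is fixed
func ref(c PKC) string   { return fmt.Sprintf("%s/%d", c.Issuer, c.Serial) } // how an AC names a PKC

func issuePKC(ca string, caKey ed25519.PrivateKey, serial uint64, subject string) (PKC, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := PKC{Issuer: ca, Subject: subject, Serial: serial, PubKey: pub}
	c.Sig = ed25519.Sign(caKey, tbs(c))
	return c, priv
}

func issueAC(issuer string, key ed25519.PrivateKey, holder PKC, attrs []string, ttl time.Duration) AC {
	a := AC{Issuer: issuer, Holder: ref(holder), Attributes: attrs,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	a.Sig = ed25519.Sign(key, tbs(a))
	return a
}

// Verifier holds the preinstalled CA key (to check PKCs) and AA key (to check ACs).
type Verifier struct {
	CA, AA       string
	CAPub, AAPub ed25519.PublicKey
	Now          time.Time
}

func (v Verifier) trustedPKC(c PKC) bool {
	return c.Issuer == v.CA && ed25519.Verify(v.CAPub, tbs(c), c.Sig)
}

// Authorize follows the Usage steps: authenticate the holder of p, then walk chain from the
// presenter's own AC (chain[0]) up to the AA-signed one, checking holder binding, validity
// and signature at each link, and that a delegate was granted nothing the delegator lacked.
func (v Verifier) Authorize(p PKC, challenge, response []byte, chain []AC, delegators map[string]PKC, want string) error {
	switch {
	case !v.trustedPKC(p):
		return errors.New("PKC not signed by the trusted CA")
	case !ed25519.Verify(p.PubKey, challenge, response):
		return errors.New("proof of possession failed")
	case len(chain) == 0 || !slices.Contains(chain[0].Attributes, want):
		return fmt.Errorf("no AC grants %q", want)
	}
	holder := ref(p)
	for i, ac := range chain {
		issuerKey, known := v.AAPub, ac.Issuer == v.AA
		if d, ok := delegators[ac.Issuer]; ok && v.trustedPKC(d) {
			issuerKey, known = d.PubKey, true
		}
		switch {
		case ac.Holder != holder:
			return fmt.Errorf("AC %d is not bound to %s", i, holder)
		case v.Now.Before(ac.NotBefore) || v.Now.After(ac.NotAfter):
			return fmt.Errorf("AC %d is outside its validity period", i)
		case i > 0 && slices.ContainsFunc(chain[i-1].Attributes, func(a string) bool { return !slices.Contains(ac.Attributes, a) }):
			return fmt.Errorf("AC %d grants more than its delegator holds", i-1)
		case !known || !ed25519.Verify(issuerKey, tbs(ac), ac.Sig):
			return fmt.Errorf("AC %d: issuer %s unknown or signature invalid", i, ac.Issuer)
		case ac.Issuer == v.AA:
			return nil // trust anchor reached
		}
		holder = ac.Issuer // the delegator must itself hold the next AC in the chain
	}
	return errors.New("chain does not end at the attribute authority")
}

// demo builds a CA, an AA, Alice and Bob and returns the outcome of five access attempts.
func demo() map[string]error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	aaPub, aaKey, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{CA: "ca.example", AA: "aa.example", CAPub: caPub, AAPub: aaPub, Now: time.Now()}
	alice, aliceKey := issuePKC(v.CA, caKey, 1, "Alice")
	bob, bobKey := issuePKC(v.CA, caKey, 2, "Bob")
	use := []string{"service:use"}
	aliceAC := issueAC(v.AA, aaKey, alice, use, time.Hour)      // the AA authorizes Alice
	bobAC := issueAC(ref(alice), aliceKey, bob, use, time.Hour) // Alice delegates to Bob
	greedy := issueAC(ref(alice), aliceKey, bob, []string{"service:use", "service:admin"}, time.Hour)
	stale := issueAC(ref(alice), aliceKey, bob, use, -2*time.Minute) // already expired
	delegators := map[string]PKC{ref(alice): alice}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	try := func(p PKC, key ed25519.PrivateKey, chain []AC, want string) error {
		return v.Authorize(p, challenge, ed25519.Sign(key, challenge), chain, delegators, want)
	}
	return map[string]error{
		"alice directly":            try(alice, aliceKey, []AC{aliceAC}, "service:use"),
		"bob via delegation":        try(bob, bobKey, []AC{bobAC, aliceAC}, "service:use"),
		"bob over-delegated admin":  try(bob, bobKey, []AC{greedy, aliceAC}, "service:admin"),
		"bob with expired AC":       try(bob, bobKey, []AC{stale, aliceAC}, "service:use"),
		"bob presenting alice's AC": try(bob, bobKey, []AC{aliceAC}, "service:use"),
	}
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

Note how little the AC verifier needs to know: one preinstalled AA key plus the CA key for PKCs. Rotating the AA key, as the comparison section warns, means touching every verifier.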

=RBAC= In computer systems security, **role-based access control** (**RBAC**) is an approach to restricting system access to authorized users. It is an alternative to [|mandatory access control] (MAC) and [|discretionary access control] (DAC), and is sometimes referred to as role-based security. Within an organization, [|roles] are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user; this simplifies common operations, such as adding a user or changing a user's department. Three primary rules are defined for RBAC:
 * 1. Role assignment: a subject can execute a transaction only if the subject has selected or been assigned a role.
 * 2. Role authorization: a subject's active role must be authorized for the subject. With rule 1, this rule ensures that users can take on only roles for which they are authorized.
 * 3. Transaction authorization: a subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.
Additional constraints may be applied as well (for example, separation of duty between conflicting roles), and roles can be combined in a hierarchy where higher-level roles subsume the permissions of their sub-roles.
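
The three rules, a role hierarchy and one additional constraint (static separation of duty), as an added Go example that is not part of the original page. The invoicing roles, users and transaction names are invented for the demonstration.

```go
package main

import "fmt"

// RBAC enforces the three rules from the text: a subject acts through an
// activated role (1), may activate only roles assigned to it (2), and may run
// only transactions authorized for that role or a role it inherits from (3).
type RBAC struct {
	perms    map[string]map[string]bool // role -> transaction -> allowed
	inherits map[string][]string        // role -> sub-roles whose permissions it subsumes
	assigned map[string]map[string]bool // user -> roles assigned
	active   map[string]string          // user -> role activated in the current session
	excl     map[[2]string]bool         // pairs of roles one user may not hold together
}

func New() *RBAC {
	return &RBAC{perms: map[string]map[string]bool{}, inherits: map[string][]string{},
		assigned: map[string]map[string]bool{}, active: map[string]string{}, excl: map[[2]string]bool{}}
}

// Grant authorizes a transaction for a role; permissions never attach to users directly.
func (r *RBAC) Grant(role, tx string) {
	if r.perms[role] == nil {
		r.perms[role] = map[string]bool{}
	}
	r.perms[role][tx] = true
}

// Inherit makes role a higher-level role that subsumes sub's permissions.
func (r *RBAC) Inherit(role, sub string) { r.inherits[role] = append(r.inherits[role], sub) }

// Exclusive is an additional constraint (static separation of duty): no user may hold both roles.
func (r *RBAC) Exclusive(a, b string) { r.excl[[2]string{a, b}], r.excl[[2]string{b, a}] = true, true }

func (r *RBAC) Assign(user, role string) error {
	for held := range r.assigned[user] {
		if r.excl[[2]string{held, role}] {
			return fmt.Errorf("%s already holds %s, which excludes %s", user, held, role)
		}
	}
	if r.assigned[user] == nil {
		r.assigned[user] = map[string]bool{}
	}
	r.assigned[user][role] = true
	return nil
}

// Activate enforces rule 2: the active role must be one the subject is authorized for.
func (r *RBAC) Activate(user, role string) error {
	if !r.assigned[user][role] {
		return fmt.Errorf("rule 2: %s is not authorized for role %s", user, role)
	}
	r.active[user] = role
	return nil
}

// allows walks the role hierarchy; seen guards against cycles in inherits.
func (r *RBAC) allows(role, tx string, seen map[string]bool) bool {
	if seen[role] {
		return false
	}
	seen[role] = true
	if r.perms[role][tx] {
		return true
	}
	for _, sub := range r.inherits[role] {
		if r.allows(sub, tx, seen) {
			return true
		}
	}
	return false
}

// Can enforces rules 1 and 3 for a transaction request.
func (r *RBAC) Can(user, tx string) error {
	role, ok := r.active[user]
	if !ok {
		return fmt.Errorf("rule 1: %s has no active role", user)
	}
	if !r.allows(role, tx, map[string]bool{}) {
		return fmt.Errorf("rule 3: %s is not authorized for active role %s", tx, role)
	}
	return nil
}

// demo wires up a small invoicing system and returns the outcome of each request (nil = allowed).
func demo() map[string]error {
	r := New()
	r.Grant("clerk", "create_invoice")
	r.Grant("auditor", "read_ledger")
	r.Grant("manager", "approve_invoice")
	r.Inherit("manager", "clerk")   // a manager can do everything a clerk can
	r.Exclusive("clerk", "auditor") // nobody both creates invoices and audits them
	out := map[string]error{}
	out["assign erin manager"] = r.Assign("erin", "manager")
	out["assign dana clerk"] = r.Assign("dana", "clerk")
	out["assign dana auditor (SoD)"] = r.Assign("dana", "auditor")
	out["erin approves, no active role"] = r.Can("erin", "approve_invoice")
	out["erin activates auditor"] = r.Activate("erin", "auditor")
	out["erin activates manager"] = r.Activate("erin", "manager")
	out["erin approves"] = r.Can("erin", "approve_invoice")
	out["erin creates invoice (inherited)"] = r.Can("erin", "create_invoice")
	out["dana activates clerk"] = r.Activate("dana", "clerk")
	out["dana approves"] = r.Can("dana", "approve_invoice")
	return out
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```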

=A **digital signature** or **digital signature scheme**= is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering. Digital signatures are often used to implement [|electronic signatures], a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including the United States, India, and members of the [|European Union], electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they mean digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused. Digital signatures employ [|asymmetric cryptography]: the signer uses a private key, and anyone holding the corresponding public key can verify. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are far harder to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based and must be implemented properly to be effective.
Digital signatures can also provide [|non-repudiation], meaning that the signer cannot successfully claim they did not sign a message while also claiming their private key remains secret; further, some non-repudiation schemes add a trusted time stamp to the digital signature, so that even if the private key is later exposed, signatures made before the exposure remain valid. Digitally signed messages may be anything representable as a [|bitstring]: examples include [|electronic mail], [|contracts], or a message sent via some other [|cryptographic protocol].
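
Signing, verification, and the time-stamp idea from the paragraph above, as an added Go example (not code from the original page). Ed25519 is used for both the signer and a time-stamping authority (TSA); the contract text, the dates and the compromise-date policy in stillValid are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Constructed sample document; in practice the bytes of a contract, a software
// package or an e-mail.
var contract = []byte("Alice agrees to pay Bob 100 EUR on 2024-01-01")

// Timestamp is a time-stamping authority's countersignature over the hash of a
// signature, binding that signature to a time the signer cannot backdate.
type Timestamp struct {
	SigHash []byte
	At      time.Time
	TSASig  []byte
}

func (ts Timestamp) tbs() []byte { return append(ts.At.AppendFormat(nil, time.RFC3339), ts.SigHash...) }

func stamp(tsaKey ed25519.PrivateKey, sig []byte, at time.Time) Timestamp {
	h := sha256.Sum256(sig)
	ts := Timestamp{SigHash: h[:], At: at}
	ts.TSASig = ed25519.Sign(tsaKey, ts.tbs())
	return ts
}

// stillValid is the relying party's policy: the signature must verify, the
// timestamp must be the TSA's and cover this very signature, and it must predate
// any reported compromise of the signer's key (zero time = never compromised).
func stillValid(signer, tsa ed25519.PublicKey, msg, sig []byte, ts Timestamp, compromisedAt time.Time) bool {
	h := sha256.Sum256(sig)
	return ed25519.Verify(signer, msg, sig) &&
		ed25519.Verify(tsa, ts.tbs(), ts.TSASig) &&
		bytes.Equal(ts.SigHash, h[:]) &&
		(compromisedAt.IsZero() || ts.At.Before(compromisedAt))
}

// Outcome collects what a verifier concludes in each situation.
type Outcome struct {
	Genuine, Tampered, WrongKey                             bool // plain signature checks
	OldSigAfterCompromise, NewSigAfterCompromise, Backdated bool // with time stamps
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func demo() Outcome {
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaKey, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryKey, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(aliceKey, contract) // Ed25519 hashes the message internally
	tampered := bytes.Replace(contract, []byte("100"), []byte("900"), 1)
	var o Outcome
	o.Genuine = ed25519.Verify(alicePub, contract, sig)
	o.Tampered = ed25519.Verify(alicePub, tampered, sig)                              // altered in transit
	o.WrongKey = ed25519.Verify(alicePub, contract, ed25519.Sign(malloryKey, contract)) // not Alice's key

	jan, jun, jul := date(2024, 1, 1), date(2024, 6, 1), date(2024, 7, 1)
	ts := stamp(tsaKey, sig, jan)
	// Alice's key leaks in June. The January signature, stamped at the time, still stands.
	o.OldSigAfterCompromise = stillValid(alicePub, tsaPub, contract, sig, ts, jun)
	// Mallory signs a new contract with the stolen key in July: rejected as post-compromise.
	forged := ed25519.Sign(aliceKey, tampered)
	o.NewSigAfterCompromise = stillValid(alicePub, tsaPub, tampered, forged, stamp(tsaKey, forged, jul), jun)
	// Mallory fakes a January time stamp with her own key: not the TSA's signature, rejected.
	o.Backdated = stillValid(alicePub, tsaPub, tampered, forged, stamp(malloryKey, forged, jan), jun)
	return o
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

The time stamp does not make a leaked key harmless; it only lets the relying party separate signatures made before the leak from those made after it, which is exactly the distinction the text draws.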

=**Encryption**= is the process of transforming [|information] (referred to as [|plaintext]) using an [|algorithm] (called a [|cipher]) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a [|key]. The result of the process is **encrypted** information (in cryptography, referred to as [|ciphertext]). In many contexts, the word **encryption** also implicitly refers to the reverse process, **decryption** (e.g. "[|software for encryption]" can typically also perform decryption), which makes the encrypted information readable again. Encryption has long been used by militaries and governments to facilitate secret communication, and is now commonly used to protect information within many kinds of civilian systems. For example, the [|Computer Security Institute] reported that in 2007, 71% of companies surveyed utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage. Encryption can be used to protect data "at rest", such as files on [|computers] and storage devices (e.g. [|USB flash drives]). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail. [|Digital rights management] systems, which prevent unauthorized use or reproduction of copyrighted material and protect software against [|reverse engineering] (see also [|copy protection]), are another, somewhat different, example of using encryption on data at rest. Encryption is also used to protect data in transit, for example data being transferred via [|networks] (e.g. the [|Internet], [|e-commerce]), [|mobile telephones], [|wireless microphones], [|wireless intercom] systems, [|Bluetooth] devices and bank [|automatic teller machines].
There have been numerous reports of data in transit being intercepted in recent years. Encrypting data in transit also helps to secure it, as it is often difficult to physically secure all access to networks. Encryption by itself protects only the confidentiality of messages; other techniques are still needed to protect their integrity and authenticity, for example verification of a [|message authentication code] (MAC) or a [|digital signature], or an authenticated-encryption mode that combines both. Standards and [|cryptographic software] and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption. See, e.g., [|traffic analysis], [|TEMPEST], or [|Trojan horse].
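
The point that encryption alone does not protect integrity, as an added Go example (not code from the original page). An attacker who never sees the key flips one ciphertext byte: under AES-CTR the receiver decrypts a plausible, altered message; under AES-GCM, an authenticated mode, the same change is detected. The key, IV, nonce and the sample plaintext are fixed, constructed values for reproducibility.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Fixed key, IV and nonce so the run is reproducible. Real code draws them from
// crypto/rand and never reuses a nonce under the same key.
var (
	key   = bytes.Repeat([]byte{0x42}, 32) // AES-256
	iv    = bytes.Repeat([]byte{0x01}, 16) // CTR initial counter block
	nonce = bytes.Repeat([]byte{0x02}, 12) // GCM nonce
)

const msg = "transfer 0100 to acct 1234" // constructed sample plaintext

func block() cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ctr applies AES-CTR: XOR with a keystream, so one call both encrypts and decrypts.
func ctr(in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block(), iv).XORKeyStream(out, in)
	return out
}

func gcm() cipher.AEAD {
	g, err := cipher.NewGCM(block())
	if err != nil {
		panic(err)
	}
	return g
}

// flipDigit is the attacker's move, made without the key: XORing a ciphertext byte with
// (from XOR to) turns plaintext byte 'from' into 'to' under any stream-cipher mode.
func flipDigit(ct []byte, pos int, from, to byte) []byte {
	out := append([]byte(nil), ct...)
	out[pos] ^= from ^ to
	return out
}

// ctrTampered shows what the receiver decrypts after the attack on AES-CTR: a valid-looking,
// altered message, because CTR provides confidentiality only.
func ctrTampered() string {
	ct := ctr([]byte(msg))
	return string(ctr(flipDigit(ct, 9, '0', '9'))) // byte 9 is the first digit of the amount
}

// gcmRoundTrip shows the untampered AES-GCM case.
func gcmRoundTrip() (string, error) {
	g := gcm()
	pt, err := g.Open(nil, nonce, g.Seal(nil, nonce, []byte(msg), nil), nil)
	return string(pt), err
}

// gcmTampered shows the same attack against AES-GCM: the authentication tag no longer
// matches, and Open returns an error instead of the altered plaintext.
func gcmTampered() error {
	g := gcm()
	_, err := g.Open(nil, nonce, flipDigit(g.Seal(nil, nonce, []byte(msg), nil), 9, '0', '9'), nil)
	return err
}

func main() {
	fmt.Printf("AES-CTR after bit-flip: %q\n", ctrTampered())
	pt, err := gcmRoundTrip()
	fmt.Printf("AES-GCM intact:         %q (err=%v)\n", pt, err)
	fmt.Printf("AES-GCM after bit-flip: err=%v\n", gcmTampered())
}
```

The same malleability applies to CBC and other unauthenticated modes in slightly different forms; the practical rule is to use an AEAD mode such as AES-GCM or ChaCha20-Poly1305, or to add a MAC over the ciphertext, and to reject anything that fails verification before looking at the plaintext.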

=SaaS=

**Software as a service** (**SaaS**, typically pronounced [sæs]), sometimes referred to as "software on demand," is software that is [|deployed] over the internet and/or is deployed to run behind a firewall on a local area network or personal computer. With SaaS, a [|provider] licenses an application to customers either as a [|service] on demand, through a subscription, in a "pay-as-you-go" model, or (increasingly) at no charge.

SaaS was initially widely deployed for sales force automation and [|Customer Relationship Management] (CRM). Now it has become commonplace for many business tasks, including computerized billing, [|invoicing], [|human resource management], financials, [|content management], collaboration, document management, and service desk management.

**Advantages**
 * Pay per use
 * Instant scalability
 * Security
 * Reliability
 * APIs

=**Shields Up**=
 * **Shields Up** is an online [|port] scanning service created by [|Steve Gibson] of [|Gibson Research Corporation] and hosted at [|grc.com]. The purpose of this utility is to alert users to any ports that have been opened through their [|firewalls] or through their [|NAT routers]. The utility can scan the most common [|file sharing] ports, as well as all [|service ports] (1-1056), and user-defined ports, in sets of 64.
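
What such a scan does on the wire, as an added Go example that is not Shields Up's own code or part of the original page: a TCP connect scan that probes ports in batches of 64, as the text describes, and classifies each as open, closed (the host answered with a refusal) or filtered (nothing came back before the timeout). It targets only 127.0.0.1 by default; the port range and timeout are assumptions, and it should be pointed only at machines you are authorized to scan.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sort"
	"sync"
	"time"
)

// probe classifies one TCP port the way a connect scan can: a completed
// handshake is "open", an immediate refusal (RST) is "closed", and no answer
// within the timeout is "filtered", i.e. a firewall or NAT router dropped it.
func probe(host string, port int, timeout time.Duration) string {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err == nil {
		c.Close()
		return "open"
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return "filtered"
	}
	return "closed"
}

// scan probes the ports in batches of batchSize concurrently, as Shields Up
// does in sets of 64, and returns the state of each port.
func scan(host string, ports []int, batchSize int, timeout time.Duration) map[int]string {
	states := make(map[int]string, len(ports))
	var mu sync.Mutex
	for start := 0; start < len(ports); start += batchSize {
		end := start + batchSize
		if end > len(ports) {
			end = len(ports)
		}
		var wg sync.WaitGroup
		for _, p := range ports[start:end] {
			wg.Add(1)
			go func(p int) {
				defer wg.Done()
				st := probe(host, p, timeout)
				mu.Lock()
				states[p] = st
				mu.Unlock()
			}(p)
		}
		wg.Wait()
	}
	return states
}

// portRange returns lo..hi inclusive.
func portRange(lo, hi int) []int {
	ports := make([]int, 0, hi-lo+1)
	for p := lo; p <= hi; p++ {
		ports = append(ports, p)
	}
	return ports
}

// withState lists, in ascending order, the ports found in the given state.
func withState(states map[int]string, want string) []int {
	var out []int
	for p, st := range states {
		if st == want {
			out = append(out, p)
		}
	}
	sort.Ints(out)
	return out
}

func main() {
	// The "service ports" sweep from the text, aimed at this machine only.
	states := scan("127.0.0.1", portRange(1, 1056), 64, 500*time.Millisecond)
	fmt.Println("open:    ", withState(states, "open"))
	fmt.Println("filtered:", withState(states, "filtered"))
}
```

A connect scan completes the TCP handshake, so it shows up in the target's logs; Shields Up is run against your own address precisely so that the visible result tells you what an outsider would see of your firewall or router.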