---

Glossary

• access control entry  

  See ACE.



• access control list  

  See ACL.



• access permissions  

  See permissions.



• access rights  

  See permissions.



• ACE  

  Abbreviation for access control entry. An ACE is a component of an ACL that associates a user or group with a set of permissions and specifies whether each permission is allowed or denied. See also ACL.



• ACL  

  Abbreviation for access control list. A set of permissions associated with a user or group. An ACL consists of an ordered list of ACEs.



• admin group  

  A group with special administrative privileges. For example, only members of the admin group can open locked system preferences or install software. See also wheel group.



• administrator  

  A member of the admin group.



• AES encryption  

  Abbreviation for Advanced Encryption Standard encryption. A Federal Information Processing Standard (FIPS), described in FIPS publication 197. AES has been adopted by the U.S. government for the protection of sensitive, non-classified information. The algorithm was developed by Dr. Joan Daemen and Dr. Vincent Rijmen and was named the Rijndael algorithm. It is a symmetric-key algorithm that can use key sizes of 128, 192, or 256 bits. Apple has adopted the 128-bit version of AES for FileVault. There are approximately 3.4 x 10**38 possible 128-bit keys.



• AFP  

  Abbreviation for Apple Filing Protocol. The principal file-sharing protocol in Mac OS 9 systems, used by AppleShare servers and clients.



• algorithm  

  A sequence of actions to accomplish some task. In cryptography, refers to a sequence of actions, usually mathematical calculations, performed on data to encrypt or decrypt it.



• anchor certificate  

  A digital certificate trusted to be valid, which can then be used to verify other certificates. Anchor certificates can include root certificates, cross certified certificates (that is, certificates signed with more than one certificate chain), and locally defined sources of trust.



• asymmetric keys  

  A pair of related but dissimilar keys, one used for encrypting and the other used for decrypting a message or other data. See also public key cryptography. Compare symmetric keys.



• authentication  

  The process by which a person or other entity (such as a server) proves that it is who (or what) it says it is. Compare authorization; identification.



• authentication server  

  A server that has access to a store of authentication information and that can authenticate users. For example, an authentication server might verify a user’s identity by prompting the user for a name and password and comparing that information to the names and passwords in a database. In Kerberos authentication, the authentication server also looks up the user’s private key, generates a session key, and creates a ticket-granting ticket (TGT). See also ticket-granting server.



• authorization  

  The process by which an entity such as a user or a server gets the right to perform a privileged operation. (Authorization can also refer to the right itself, as in “Bob has the authorization to run that program.”) Authorization usually involves first authenticating the entity and then determining whether it has the appropriate permissions. Compare authentication.



• Authorization Services  

  A Mac OS X API that applications can use to restrict access to files or services.



• BSD  

  Berkeley Software Distribution. BSD is a form of the UNIX operating system and provides the basis for the Mac OS X file system, including file access permissions.



• CA  

  See certification authority (CA).



• CDSA  

  Abbreviation for Common Data Security Architecture. An open software standard for a security infrastructure that provides a wide array of security services, including fine-grained access permissions, authentication of users, encryption, and secure data storage. CDSA has a standard application programming interface, called CSSM. In addition, Mac OS X includes its own security APIs that call the CDSA API for you. See also CDSA plug-in.



• CDSA plug-in  

  A software module that connects to CDSA through a standard interface and that implements or extends CDSA security services for a particular operating system and hardware environment.



• certificate  

  See digital certificate.



• Certificate Assistant  

  A utility available through the Keychain Access Utility that can be used to create certificates and keys, request certificates from a certificate authority, and evaluate certificates.



• certificate authority  

  See certification authority (CA).



• certificate chain  

  A sequence of related digital certificates that are used to verify the validity of a digital certificate. Each certificate is digitally signed using the certificate of its certification authority (CA). This creates a chain of certificates ending in an anchor certificate.



• certificate extension  

  A data field in a digital certificate containing information such as allowable uses for the certificate.



• Certificate, Key, and Trust Services  

  An API you can use to create, manage, and read certificates; add certificates to a keychain; create encryption keys; and manage trust policies. In iPhone OS, you can also use this API to encrypt, decrypt, and sign data.



• certificate subject  

  The entity associated with the public key that is in the certificate.



• certification authority (CA)  

  The issuer of a digital certificate. In order for the digital certificate to be trusted, the certification authority must be a trusted organization that authenticates an applicant before issuing a certificate.



• CFHTTP  

  An API that you can use to create, serialize, deserialize, and manage HTTP protocol messages, including secure HTTPS messages. This component lets you add authentication information to a message. CFHTTP is a component of CFNetwork and is built on top of CFStream.



• CFNetServices  

  An API that allows you to use Bonjour. Bonjour enables applications to discover services that are available on the network and find all access information (such as name and IP address) needed to use each service. CFNetServices is a component of CFNetwork. This component has no security features.



• CFNetwork  

  A high-level API used for creating, sending, and receiving serialized messages over a network. CFNetwork is built on top of Secure Transport, and so can use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) secure networking protocols.



• CFStream  

  An API that creates and manages the read and write streams that CFHTTP depends on. CFStream is a component of CFNetwork and is built on top of Secure Transport. You can specify a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol version to encrypt and decrypt the data stream.



• CIFS  

  Acronym for Common Internet File System. A file-sharing protocol used widely on Windows and UNIX systems. CIFS is an extension of the SMB protocol. CIFS has been given to the Internet Engineering Task Force (IETF), making it an Internet standard. Unlike SMB, CIFS runs only over TCP/IP. See also Samba.



• ciphertext  

  Text or other data that has been encrypted. Compare plaintext.



• code signing  

  The addition of a digital signature to an application or block of code.



• credentials  

  Data that can be used to identify, authenticate, or authorize an entity. For example, a user name and password constitute authentication credentials. A Kerberos ticket, consisting of an encrypted session key and other information, is an identification credential. In Kerberos version 5 and later, tickets can also carry authorization information.



• cryptographic hash function  

  An algorithm that takes any amount of data and transforms it into a fixed-size output value. For a cryptographic hash function to be useful for security, it has to be extremely difficult or impossible to reconstruct the original data from the hash value, and it must be extremely unlikely that the same output value could result from any other input data. See also message digest.



• cryptographic hashing  

  The process whereby data is transformed using a cryptographic hash function.



• CSSM  

  Abbreviation for Common Security Services Manager. A public application programming interface for CDSA. CSSM also defines an interface for plug-ins that implement security services for a particular operating system and hardware environment.



• decryption  

  The transformation of ciphertext back into the original plaintext. Compare encryption. See also asymmetric keys; symmetric keys.



• Diffie-Hellman key exchange  

  A protocol that provides a way for two ends of a communication session to generate symmetric private keys through the exchange of public keys.



• digest  

  See message digest.



• digital certificate  

  A collection of data used to verify the identity of the holder or sender of the certificate. A digital certificate must conform to some standard in order for the recipient to be able to interpret it. Mac OS X and iPhone OS support the X.509 standard for digital certificates. See also certificate chain.



• digital ID  

  See digital certificate.



• digital signature  

  A way to ensure the integrity of a message or other data using public key cryptography. To create a digital signature, the signer generates a message digest of the data and then uses a private key to encrypt the digest. The signature includes the encrypted digest and identifies the signer. Anyone wanting to verify the signature uses the signer’s digital certificate, which contains the public key needed to decrypt the digest and specifies the algorithm used to create the digest.



• encryption  

  The transformation of data into a form in which it cannot be made sense of without the use of some key. Such transformed data is referred to as ciphertext. Use of a key to reverse this process and return the data to its original (or plaintext) form is called decryption.



• EGID  

  Abbreviation for Effective Group ID. See GID.



• EUID  

  Abbreviation for Effective User ID. See UID.



• file GID  

  The GID associated with a file system object. Each file system object has a user ID (the file UID, commonly referred to as the file’s owner), a group ID (the file GID, commonly referred to as the file’s group), and three sets of permission bits, known as owner, group, and other permissions. The first set of bits controls access to the object by the owner, the second controls access by members of the group, and the third controls access by everyone else. See also process GID.



• file’s group  

  See file GID.



• file’s owner  

  See file UID.



• file UID  

  The UID of a file system object, used to determine the object’s permissions. Each file system object has a user ID (the file UID, commonly referred to as the file’s owner), a group ID (the file GID, commonly referred to as the file’s group), and three sets of permission bits, known as owner, group, and other permissions. The first set of bits controls access to the object by the owner (any process whose effective UID is equal to the file UID); the second controls access by members of the group; and the third controls access by everyone else.



• GID  

  Abbreviation for group ID, a unique identifier for a collection of users. In BSD, each user can belong to one or more groups. Each file system object has an associated GID that is used to determine the object’s permissions. Each process has an associated group list. See also process GID.



• group  

  See GID.



• group list  

  The list of groups to which the owner of a process belongs plus any additional groups added to the list programatically (for example, using the setgid command). If the file GID of a file system object matches the GID of any group in the group list, that group has group permissions for the object. See also file UID.



• GSS-API  

  Generic Security Service Application Program Interface; an open-source API that can be used to adapt an application to use Kerberos.



• hash algorithm  

  See cryptographic hash function.



• identification  

  The process by which a process verifies that a person or entity is the same one it communicated with previously. Identification is in general faster than authentication and does not require interaction with the user. In Kerberos, for example, the authentication server authenticates a user and issues a credential (called a ticket-granting ticket), which can be used later for identification so that reauthentication is not necessary.



• identity  

  A digital certificate together with an associated private key.



• KDC  

  See key distribution center (KDC).



• kerberized service  

  A service that has been configured to accept Kerberos tickets for identification.



• Kerberos  

  An industry-standard protocol created by the Massachusetts Institute of Technology (MIT) to provide authentication over a network. It is a symmetric-key, server-based protocol and is used widely in Macintosh, Windows, and UNIX networks.



• Kerberos ticket  

  A credential used to identify a user who has been previously authenticated so that reauthentication is not needed. In Kerberos, the Kerberos key distribution center (KDC) issues the user a ticket-granting ticket (TGT) when they first authenticate. Thereafter, when they need to access a secure server, they present the ticket-granting ticket to the KDC and are issued a ticket, which they present to the secure server as identification. See also authentication; identification.



• Kerberos Ticket Viewer  

  A utility available through the Keychain Access utility that shows any Kerberos tickets in use on the system and enables the user to renew or destroy a ticket or change a ticket’s password



• key  

  A piece of secret information required to decode an encrypted message. In modern cryptographic methods, it is usually a lengthy integer.



• keychain  

  A database in Mac OS X and iPhone OS used to store encrypted passwords, private keys, and other secrets. It is also used to store certificates and other non-secret information that is used in cryptography and authentication. The Keychain Manager and Keychain Services are public APIs that can be used to manipulate data in the keychain, and the Keychain Access utility is an application that can be used for the same purpose.



• Keychain Access  

  A Mac OS X utility that enables users to view and modify the data stored in the keychain.



• Keychain Manager  

  An API for securely storing small amounts of data on the keychain, kept for compatibility with older versions of the operating system. New code should use Keychain Services instead.



• Keychain Services  

  An API for securely storing small amounts of data on the keychain.



• key distribution center (KDC)  

  A Kerberos term referring to the sum of two separate software processes: the ticket-granting server and the authentication server.



• LDAP  

  Acronym for Lightweight Directory Access Protocol. A standard client-server protocol for accessing online directory services.



• level of trust  

  The confidence you can have in the validity of a certificate, based on the certificates in its certificate chain and on the certificate extensions the certificate contains. The level of trust for a certificate is used together with the trust policy to answer the question “Should I trust this certificate for this action?”



• Mach  

  The lowest level of the Mac OS X and iPhone OS kernels. Mach provides such basic services and abstractions as threads, tasks, ports, interprocess communication, scheduling, address space management, virtual memory, and timers.



• man-in-the-middle attack  

  An attack on a communication channel in which the attacker can intercept messages going between two parties without the communicating parties’ knowledge. Typically, the man in the middle substitutes messages and even cryptographic keys to impersonate one party to the other.



• message digest  

  The result of applying a cryptographic hash function to a message or other data. A cryptographically secure message digest cannot be transformed back into the original message and cannot (or is very unlikely to) be created from a different input. Message digests are used to ensure that a message has not been corrupted or altered. For example, they are used for this purpose in digital signatures. The digital signature includes a digest of the original message, and the recipient prepares their own digest of the received message. If the two digests are identical, then the recipient can be confident that the message has not been altered or corrupted.



• MIME  

  Acronym for Multipurpose Internet Mail Extensions. A standard for transmitting formatted text, hypertext, graphics, and audio in electronic mail messages over the Internet.



• Movie Toolbox Access Keys  

  A QuickTime API that can be used to add password protection to QuickTime data.



• NFS  

  Abbreviation for Network File System. The main file-sharing protocol used by UNIX systems.



• nobody  

  A special user with very little access. To prevent someone running as root or as an administrator on one system from gaining control over another system through a network connection, such users are often mapped to the nobody user on the remote system.



• one-time pad authentication  

  A form of shared secret authentication in which both parties have an identical list of pairs of numbers, words, or symbols and each pair is used only once.



• owner  

  See UID.



• permissions  

  The type of access allowed to a file or directory (read, write, execute, traverse, and so forth). Which permissions are possible and which users or groups are granted specific permissions depend on the operating system. See also ACL; authorization; UID.



• PKI  

  See public key infrastructure (PKI).



• PKINIT  

  A protocol that defines the use of public key cryptography for initial authentication in Kerberos.



• plaintext  

  Ordinary, unencrypted data. Compare ciphertext.



• plug-in  

  A code module that uses a standard interface to implement certain features of a program or extend the program. See also CDSA plug-in.



• port  

  In Mach, a port is an endpoint of a communication channel between a client who requests a service and a server who provides the service. Mach ports are unidirectional; a reply to a service request must use a second port. See also port right.



• port right  

  In Mach, a specification of which task can send to or receive from a particular port.



• port right name  

  A small integer used to identify a Mach port right. Each process has a port right namespace, which maps port right names to their corresponding port rights. A port right name is meaningful only within that task’s port right namespace.



• private key  

  A cryptographic key that must be kept secret. Whereas a pair of identical private keys can be used as symmetric keys, asymmetric keys consist of one private key and one public key.



• privileged operation  

  An operation that requires special rights or permissions; for example, changing a locked system preference.



• process GID  

  The GID of a process. Each process has three group IDs: the real group ID (RGID), effective group ID (EGID), and saved group ID (SGID). The RGID is always inherited from the user or process who executes the process. The EGID is the first GID in the group list. The SGID is used by BSD to enable a privileged process to switch in and out of privileged mode.



• process UID  

  The UID of a process. Each process has three user IDs: the real user ID (RUID), effective user ID (EUID), and saved user ID (SUID). The RUID is always inherited from the user or process who executes the process. The EUID is normally the same as the RUID but can differ in special circumstances. It is the EUID that BSD checks to determine permissions. The SUID is used by BSD to enable a privileged process to switch in and out of privileged mode.



• pseudorandom number  

  A number generated by an algorithm that produces a series of numbers with no discernible pattern. It should be impossible or nearly impossible to deduce the algorithm from such a series. However, unlike a truly random number generator, a pseudorandom number generator always produces the same series if the algorithm is given the same starting value or values.



• public key  

  A cryptographic key that can be shared or made public without compromising the cryptographic method. See also public key cryptography.



• public key certificate  

  See digital certificate.



• public key cryptography  

  A cryptographic method using asymmetric keys in which one key is made public while the other (the private key) is kept secure. Data encrypted with one key must be decrypted with the other. If the public key is used to encrypt the data, only the holder of the private key can decrypt it; therefore the data is secure from unauthorized use. If the private key is used to encrypt the data, anyone with the public key can decrypt it. Because only the holder of the private key could have encrypted it, however, such data can be used for authentication. See also digital certificate; digital signature.



• public key infrastructure (PKI)  

  As defined by the X.509 standard, a PKI is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates that are based on public key cryptography.



• quantum computer  

  A computer in which the logic gates are based on quantum phenomena such as electron spin rather than mechanical or conventional electronic components. Because of the superposition of quantum states (a consequence of the Heisenberg Uncertainty Principle), a properly designed quantum computer can in principle perform simultaneously certain types of calculations that require a huge number of sequential operations in a classic computer. Consequently, factoring large numbers should be several orders of magnitude faster on a quantum computer than on present-day supercomputers. Because the strength of most modern cryptographic methods depends on the difficulty of making such calculations, a practical quantum computer would break most cryptographic schemes in common use. Although small proof-of-concept quantum computers have been constructed, no such machine capable of solving practical problems has yet been demonstrated.



• Randomization Services  

  An iPhone OS API that produces cryptographically secure pseudorandom numbers.



• realm  

  A subset of a large network served by its own Kerberos authentication server and ticket-granting server.



• RGID  

  Abbreviation for Real Group ID. See GID.



• root certificate  

  A certificate that can be verified without recourse to another certificate. Rather than being signed by a further certification authority (CA), a root certificate is verified using the widely available public key of the CA that issued the root certificate. Compare anchor certificate.



• root certification authority  

  The owner of the root certificate.



• root user  

  The user on a UNIX system with a UID of 0. A process running with an EUID of 0 is said to be running as root. The root user owns many of the primary system processes and has unlimited access to the file system objects on the devices attached to the computer.



• RSA encryption  

  A system of public key cryptography, named for its inventors: Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm takes two large prime numbers, finds their product, and then derives asymmetric keys from the prime numbers and their product. Because the public key includes the product, the private key could be derived from the public key if the product could be factored. No easy method for factoring products of large prime numbers is currently known, but it has not been mathematically proven that no such method is possible. Therefore, the discovery of a fast way to factor such numbers, or the development of quantum computers, would break RSA.



• RUID  

  Abbreviation for Real User ID. See UID.



• Samba  

  Software that implements SMB/CIFS on a UNIX server.



• sandboxing  

  A system feature that provides fine-grained control of the ability of processes to access system resources, therefore limiting the amount of damage that can be done by a malicious hacker that gains control of an application.



• secret key  

  A cryptographic key that cannot be made public without compromising the security of the cryptographic method. In symmetric key cryptography, the secret key is used both to encrypt and decrypt the data. In asymmetric key cryptography, the secret key is paired with a public key. Whichever one is used to encrypt the data, the other is used to decrypt it. See also public key; public key cryptography.



• Secure Sockets Layer (SSL)  

  A protocol that provides secure communication over a TCP/IP connection such as the Internet. It uses digital certificates for authentication and digital signatures to ensure message integrity, and can use public key cryptography to ensure data privacy. An SSL service negotiates a secure session between two communicating endpoints. SSL is built into all major browsers and web servers. SSL has been superseded by Transport Layer Security (TLS).



• secure storage  

  Storage of encrypted data on disk or another medium that persists when the power is turned off.



• Secure Transport  

  The Mac OS X and iPhone implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS), used to create secure connections over TCP/IP connections such as the Internet. On Mac OS X, Secure Transport includes an API that is independent of the underlying transport protocol. The CFNetwork and URL Loading System APIs use the services of Secure Transport.



• Security Agent  

  In Mac OS X, a process used by the Security Server to communicate with the user through dialogs and other user interface elements.



• Security Objective-C API  

  A Mac OS X API providing a set of Objective-C methods that are wrappers for the Authentication Services functions plus a set of classes that display security-related UI elements.



• Security Server  

  A daemon running in Mac OS X and iPhone OS that implements security protocols for such purposes as encryption, decryption, and authorization computation. The use of the Security Server to perform actions with cryptographic keys allows the keys to be maintained in a separate address space from the client application, keeping them more secure. In Mac OS X, the Security Server uses a process called the Security Agent to communicate with the user through dialogs and other user interface elements.



• session key  

  A cryptographic key calculated or issued for use only for the duration of a specific communication session. Session keys are used, for example, by the Diffie-Hellman key exchange and Kerberos protocols.



• SGID  

  Abbreviation for Saved Group ID. See GID.



• shared secret authentication  

  An authentication method based on a secret known to only the two parties involved. Verification of passwords is a commonly used shared secret authentication method.



• single signon  

  A feature of a security system whereby users provide authentication credentials (such as user ID and password) only once, after which they can access additional services without reauthenticating. See also authentication; ticket.



• smart card  

  A plastic card similar in size to a credit card that has memory and a microprocessor embedded in it. A smart card can store and process information, including passwords, certificates, and keys. A smart card normally requires a personal identification number (PIN) or biometric measurement (such as a fingerprint) before releasing information and can carry out its own authentication evaluation. Smart cards can exchange information with a personal computer through a smart card reader.



• SMB  

  Abbreviation for Server Message Block. A file-sharing protocol used on Windows and UNIX systems. SMB can also be used to share printers and has calls to authenticate users. It runs over several different types of networks, including TCP/IP. For most purposes, SMB has been superseded by CIFS. See also Samba.



• SMB/CIFS  

  Abbreviation for Server Message Block/Common Internet File System. See CIFS; SMB. See also Samba.



• S-MIME  

  Acronym for Secure Multipurpose Internet Mail Extensions. A specification that adds digital signature authentication and encryption to electronic mail messages in MIME format.



• SSL  

  See Secure Sockets Layer (SSL).



• strength  

  A measure of the amount of effort required to break a security system. For example, the strength of RSA encryption is believed to be related to the difficulty of factoring the product of two large prime numbers.



• SUID  

  See UID.



• superuser  

  The root user.



• symmetric keys  

  A pair of identical keys used to encrypt and decrypt data. See also private key. Compare asymmetric keys.



• TGT  

  See ticket-granting ticket (TGT).



• ticket  

  A credential that a user can use to prove their identity. See also Kerberos ticket; authentication; identification.



• ticket-granting server  

  In Kerberos, the server that issues a ticket when presented with a ticket-granting ticket (TGT). See also key distribution center (KDC).



• ticket-granting ticket (TGT)  

  In Kerberos, a credential presented to the ticket-granting server in order to obtain a ticket. The ticket can then be used to gain access to a secure server. The use of TGTs and tickets enable the single signon feature, whereby the user need authenticate only once, after which they can access additional services without reauthenticating (by reentering their password, for example). See also authentication; identification.



• time-based authentication  

  A form of shared secret authentication in which the secret is changed periodically in a way known only to the two parties involved.



• TLS  

  See Transport Layer Security (TLS).



• Transport Layer Security (TLS)  

  A protocol that provides secure communication over a TCP/IP connection such as the Internet. It uses digital certificates for authentication and digital signatures to ensure message integrity, and can use public key cryptography to ensure data privacy. A TLS service negotiates a secure session between two communicating endpoints. TLS is built into recent versions of all major browsers and web servers. TLS is the successor to SSL. Although the TLS and SSL protocols are not interoperable, Secure Transport can back down to SSL 3.0 if a TLS session cannot be negotiated.



• trust  

  See level of trust.



• trust policy  

  A set of rules that specify the appropriate uses for a certificate that has a specific level of trust. For example, the trust policy for a browser might state that if a certificate has an SSL certificate extension, but the certificate has expired, the user should be prompted for permission before a secure session is opened with a web server.



• UID  

  Abbreviation for user ID. In BSD, the UID is a unique attribute of a user account that is used to identify the user. Each file system object and each process has an associated UID. See also file UID; GID; UUID.



• URL Loading System  

  An API that you can use to access the contents of http://, https://, and ftp:// URLs. Because https:// websites use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to protect data transfers, you can use the URL Loading System as a secure transport API. The URL Loading System is layered on top of CFNetwork.



• UUID  

  Abbreviation for Universally Unique Identifier. A type of UID or GID that is unique across all systems and all networks.



• WebDAV  

  Acronym for Web-based Distributed Authoring and Versioning. An extension of HTTP that allows collaborative file management on the web.



• wheel group  

  In BSD, a special group, membership in which confers on users the ability to become the root user by using the su utility on the command line. Users who are not in the wheel group can’t become the root user, even if they have the correct password. In Mac OS X, starting with version 10.3, the admin group is used for this purpose rather than the wheel group.



• X.509  

  A standard for digital certificates promulgated by the International Telecommunication Union (ITU). The X.509 ITU standard is widely used on the Internet and throughout the information technology industry for designing secure applications based on a public key infrastructure (PKI).

---