raveling across the network.

Digital certificate. A digital certificate is a data structure that contains the public key of a public/private key pair and identification information, and is signed by the private key of the issuing certification authority (CA). The certificate binds the public key to the security principal (that is, users and computers). The certificate includes the name of the owner of the certificate, the uses of the certificate (authentication, data encryption, smart card logon, and so on), and the origin of the certificate (which CA or CA hierarchy created it). The certificate is digitally signed by the CA's private key. To check the authenticity of the certificate, the public key of the CA can be used.

Identification. Any mechanism used to uniquely identify a user or a set of privileges on a system. Identification can be likened to a key. Access control can be likened to a lock. Both the key and lock must match, or "fit," in order to gain access.

Integrity. Data integrity mechanisms ensure that data is not garbled, modified, or lost during transmission across a network. Data integrity mechanisms also help to ensure that the data is from the intended sender, and not from an impostor. Data integrity mechanisms include checksums and digital signatures.

Nonrepudiation. Nonrepudiation is the security concept that applies to proving the transmission of a particular message. If a system implements technical nonrepudiation, then the sender of a message cannot later deny having sent the message, and the receiver of a message cannot later deny having received the message. Furthermore, if the message contains contractual information, the presence of a digital signature with the message can often be used to assert that the contractual information was not improperly altered.

Public key infrastructure (PKI).
The term generally used to describe the laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. Standards for PKI are still evolving, even though they are being widely implemented as a necessary element of electronic commerce.

Virtual private network (VPN). The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.

4 Processes and Activities

This chapter provides a detailed discussion of the processes and activities that occur in the Security Administration SMF.

Process Flow Summary

Security management processes revolve around the six main security tenets and their activities, as well as Auditing (important for disclosing security breaches). These are listed below:

- Identification
- Authentication
  - Biometric authentication systems
  - Smart card authentication systems
  - Password authentication systems
  - Web access authentication
- Access control
  - Authorized usage warning
  - Accountability and shared user IDs
  - Account lockout
  - Settings to limit unauthorized session use and systems access
  - Setting privileges and permission on objects
  - Role-based access control and delegation of authority
- Confidentiality
  - Private key encryption
  - Public key encryption and PKI
  - Virtual private networks
  - File system confidentiality
- Integrity
- Nonrepudiation
- Auditing
  - Planning auditing
  - Implementing auditing
  - Testing auditing

Identification

Identification is the mechanism by which the system asks the user, "Who are you?" Users identify themselves to the system by means of a user ID (also referred to as a user, or logon, name).
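Before moving on to user IDs, the Integrity and Nonrepudiation entries in the glossary above are worth making concrete. The following Python example is added here and is not code from the original document: it contrasts an unkeyed checksum (SHA-256) with a keyed integrity tag (HMAC-SHA256) under the two failure modes the glossary names, garbling in transit and an impostor sender. The key and message values are constructed for illustration only.

```python
"""Checksum versus keyed integrity check, illustrating the Integrity and
Nonrepudiation glossary entries. Added example, not code from the original."""
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone, including an impostor, can compute it."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def integrity_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(integrity_tag(key, data), expected)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate garbling in transit by flipping a single bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def run_scenarios() -> dict:
    """One boolean per scenario; True means the mechanism behaved as the glossary describes."""
    key = b"constructed-shared-key-for-illustration"   # constructed, not a real secret
    message = b"transfer 100 units to account 42"        # constructed sample message

    sent_checksum = checksum(message)
    sent_tag = integrity_tag(key, message)

    # 1. Garbled in transit: one flipped bit. Both mechanisms detect it.
    garbled = flip_bit(message, 13)

    # 2. Impostor: replaces the message and recomputes the checksum. The checksum
    #    cannot tell the difference; without the key, no valid tag can be produced.
    forged = b"transfer 100 units to account 99"
    forged_tag = integrity_tag(b"guessed-key", forged)

    return {
        "checksum_detects_garbling": not verify_checksum(garbled, sent_checksum),
        "tag_detects_garbling": not verify_tag(key, garbled, sent_tag),
        "checksum_accepts_impostor": verify_checksum(forged, checksum(forged)),
        "tag_rejects_impostor": not verify_tag(key, forged, forged_tag),
        "genuine_message_accepted": verify_tag(key, message, sent_tag),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The keyed tag gives the receiver assurance about the sender, but not nonrepudiation: the receiver holds the same key and could have produced the tag, so the sender can still deny it. That is why the glossary pairs nonrepudiation with digital signatures, where only the signer holds the private key and anyone can check with the public key, the same arrangement the Digital certificate entry describes for CA signatures.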
User IDs must be unique (that is, no two users in a system can have the same user ID). To ensure that user IDs are unique, it is important to develop a logon-naming standard that clearly addresses all name characteristics. This is especially important if the system limits user ID length to eight characters, although this consideration is not an issue with Microsoft Windows® operating systems.

Issues in naming conventions arise when people have:

- Hyphenated last names.
- Last names that contain de, de la, van, van der, and so forth.
- A name identical to another user who is already on the system.

A well-defined naming convention has the following characteristics:

- User IDs are easy for users to remember.
- User IDs are easy for administrators to create.
- Administrators can easily determine the owner of any user ID.

Following are some suggestions for creating standard user IDs:

- Use first initial plus last name. For example, Lori Kane would have user ID lkane.
- For users who have elements in their last names, such as de, de la, van, van de, and so on, retain the full last name, but remove the spaces.
- If user IDs are limited to eight characters, truncate the last name at eight characters. For example, Ariane Berthier would now have user ID aberthie.
- If two or more users have identical user IDs, replace the last character with a number. For example, if Ariane Berthier joins the company first, her eight-character user ID would be aberthie. If a user with a similar first and last name joins the company, the user ID would be aberthie1. If another user with a similar name joined the company, that individual's user ID would be aberthie2, and so forth.

Many organizations use a four-digit identifier at the end of logon names because this method often eliminates the possibility of duplicate IDs. The following number sequences might be used:

- Office phone extension. These four digits should be a number that is easy for the
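The naming suggestions above (first initial plus last name, particles kept with spaces removed, truncation under an eight-character limit, a digit for duplicates, and the optional four-digit identifier) fit together into one small routine. The Python below is an added example, not code from the Security Administration SMF. Two points are assumptions rather than rules from the text: hyphenated last names are handled like particles (the hyphen is dropped), and accented letters are reduced to their ASCII base. When a length limit is in force, the duplicate rule is applied literally, so the digit replaces the trailing character and the second Ariane Berthier becomes aberthi1 within eight characters; without a limit, as on Windows, the digit is simply appended (aberthier1).

```python
"""Standard user-ID generation following the naming suggestions above.
Added illustration; not code from the Security Administration SMF."""
import unicodedata
from typing import Optional, Set


def _letters_only(text: str) -> str:
    """Lowercase the text, strip accents, and keep only a-z.
    Dropping spaces and hyphens here is what keeps 'de la' or 'van der'
    inside the ID as one run of letters. Treating hyphenated last names the
    same way is an assumption: the text lists them as an issue but gives no rule."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_text = decomposed.encode("ascii", "ignore").decode("ascii")
    return "".join(ch for ch in ascii_text.lower() if "a" <= ch <= "z")


def base_user_id(first_name: str, last_name: str, max_len: Optional[int] = None) -> str:
    """First initial plus last name, truncated to max_len when a limit applies."""
    first = _letters_only(first_name)
    last = _letters_only(last_name)
    if not first or not last:
        raise ValueError("first and last name must each contain at least one letter")
    user_id = first[0] + last
    return user_id[:max_len] if max_len else user_id


def assign_user_id(first_name: str, last_name: str, existing: Set[str],
                   max_len: Optional[int] = None) -> str:
    """Return a user ID that is unique with respect to `existing` (IDs already on
    the system). A duplicate gets a numeric suffix; under a length limit the digits
    replace the trailing characters so the result never exceeds max_len."""
    base = base_user_id(first_name, last_name, max_len)
    if base not in existing:
        return base
    n = 1
    while True:
        suffix = str(n)
        if max_len:
            if len(suffix) >= max_len:
                raise RuntimeError("no unique ID possible within the length limit")
            candidate = base[: max_len - len(suffix)] + suffix
        else:
            candidate = base + suffix
        if candidate not in existing:
            return candidate
        n += 1


def user_id_with_extension(first_name: str, last_name: str, extension: str) -> str:
    """The four-digit-identifier variant, e.g. an office phone extension appended to
    the base ID. The exact layout is an assumption; the text only says the four
    digits go at the end of the logon name."""
    if len(extension) != 4 or not extension.isdigit():
        raise ValueError("identifier must be exactly four digits")
    return base_user_id(first_name, last_name) + extension


if __name__ == "__main__":
    taken: Set[str] = set()
    # Constructed roster: the text's own examples plus a particle and a hyphenated name.
    roster = [("Lori", "Kane"), ("Ariane", "Berthier"), ("Ariane", "Berthier"),
              ("Arianne", "Berthier"), ("Ludwig", "van der Berg"), ("Mary", "Smith-Jones")]
    for first, last in roster:
        uid = assign_user_id(first, last, taken, max_len=8)
        taken.add(uid)
        print(f"{first} {last}: {uid}")
    print(user_id_with_extension("Lori", "Kane", "4321"))
```

Keeping the set of issued IDs as the single source of truth (rather than re-deriving from names) is what makes the uniqueness guarantee hold when a later joiner has a name that collides only after truncation.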