A (Security Glossary)


absolute security descriptor

A security descriptor structure that contains pointers to the security information associated with an object.

See also security descriptor and self-relative security descriptor.

Abstract Syntax Notation One

(ASN.1) A standard notation (the ITU-T X.680 series) for describing the structure of data that is to be serialized for transmission or storage. ASN.1 defines the abstract types; companion encoding rules such as BER and DER fix the actual byte layout. X.509 certificates, certificate requests, and most PKCS structures are defined in ASN.1 and encoded with DER.
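An added example, not part of the glossary, of what the encoding side of ASN.1 looks like in practice: a small DER decoder that walks tag-length-value elements, decodes a few universal types, and enforces the canonical-form rules (minimal lengths, no indefinite length, minimal INTEGER, no trailing bytes) that distinguish DER from lenient BER parsing. The sample structure and the rejected inputs are constructed inline; the helper names are this example's own.

```python
"""Minimal DER decoder (the canonical ASN.1 encoding used by X.509 and PKCS).

Added example, not from the glossary. It walks tag-length-value elements, decodes a
few universal types, and rejects the non-canonical encodings that DER forbids but
lenient BER parsers accept. SAMPLE_DER is constructed inline.
"""


class DERError(ValueError):
    pass


def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the element starting at off."""
    if off + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise DERError("high tag numbers not handled in this example")
    off += 2
    if first < 0x80:                        # short form: a single length byte
        length = first
    else:                                   # long form: 0x80 | n, then n big-endian bytes
        n = first & 0x7F
        if n == 0:
            raise DERError("indefinite length is BER, not DER")
        if n > 4 or off + n > len(buf):
            raise DERError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        if buf[off] == 0 or length < 0x80:
            raise DERError("non-minimal length encoding")
        off += n
    if off + length > len(buf):
        raise DERError("truncated value")
    return tag, buf[off:off + length], off + length


def decode_oid(value):
    """OBJECT IDENTIFIER: base-128 arcs; the first byte packs the first two arcs."""
    if not value or value[-1] & 0x80:
        raise DERError("bad OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


CONSTRUCTED_NAMES = {0x30: "SEQUENCE", 0x31: "SET"}


def decode_element(tag, value):
    if tag & 0x20:                          # constructed: the value is a run of child TLVs
        children, off = [], 0
        while off < len(value):
            ctag, cval, off = read_tlv(value, off)
            children.append(decode_element(ctag, cval))
        return (CONSTRUCTED_NAMES.get(tag, "CONSTRUCTED[0x%02x]" % tag), children)
    if tag == 0x02:
        if not value or (len(value) > 1 and (value[0] == 0x00 and not value[1] & 0x80
                                             or value[0] == 0xFF and value[1] & 0x80)):
            raise DERError("non-minimal INTEGER")
        return ("INTEGER", int.from_bytes(value, "big", signed=True))
    if tag == 0x04:
        return ("OCTET STRING", value)
    if tag == 0x05:
        return ("NULL", None)
    if tag == 0x06:
        return ("OID", decode_oid(value))
    return ("TAG[0x%02x]" % tag, value)


def decode(buf):
    """Decode exactly one top-level element; trailing bytes are an error."""
    tag, value, end = read_tlv(buf, 0)
    if end != len(buf):
        raise DERError("trailing bytes after element")
    return decode_element(tag, value)


def is_rejected(buf):
    """True when decode() refuses buf; used to exercise the strictness checks."""
    try:
        decode(buf)
        return False
    except DERError:
        return True


# Constructed sample: SEQUENCE { INTEGER 65537, OCTET STRING "ab",
#                                OID sha256WithRSAEncryption, NULL }
SAMPLE_DER = bytes.fromhex("3016" "0203010001" "04026162" "06092a864886f70d01010b" "0500")
```

Each strictness check matters in practice: a parser that accepts a long-form length for a value shorter than 128 bytes, or a padded INTEGER, lets two different byte strings decode to the same structure, which is exactly what signature and certificate comparison code must never allow.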

access block

A key BLOB that contains the key of the symmetric cipher used to encrypt a file or message. The access block can only be opened with the corresponding private key, so only the holder of that key can recover the symmetric key and, with it, the content.

access control entry

(ACE) An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

See also access control list, security identifier, and trustee.

access control list

(ACL) A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.

See also access control entry, discretionary access control list, security descriptor, and system access control list.

access mask

A 32-bit value that specifies the rights that are allowed or denied in an access control entry (ACE). An access mask is also used to request access rights when an object is opened.

See also access control entry.

access token

An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user's groups, and the user's privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.

See also impersonation token, primary token, privilege, process, and security identifier.
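Added example, not code from the glossary, tying the entries above together (absolute versus self-relative security descriptor, ACE, ACL, access mask, access token, SID): it lays out a self-relative descriptor as bytes in the SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE and SID layouts, parses it back into the objects an absolute descriptor would point to, and runs the order-dependent DACL walk against the SIDs carried by a token. The user SID, the three ACEs and the file-right values are constructed for illustration; the well-known SIDs and structure layouts are real.

```python
"""Windows self-relative security descriptor layout and the DACL access check.

Added example, not code from the glossary: it builds a SECURITY_DESCRIPTOR_RELATIVE
(owner, group and DACL located by offset), parses it back, and runs the order-dependent
allow/deny walk against a token's SIDs. The user SID, rights and ACEs are constructed.
"""
import struct

FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002   # object-specific rights (file subset)
DELETE = 0x00010000                                 # standard right, same for every object type
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def build_sid(sid):
    """Serialize 'S-1-<authority>-<sub>...' into the binary SID layout."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")           # identifier authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))

def parse_sid(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))

def build_ace(ace_type, mask, sid):
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body   # ACE_HEADER, mask, SID

def build_dacl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body   # ACL header

def build_self_relative_sd(owner, group, dacl):
    """20-byte header, then owner SID, group SID and DACL, each found by offset."""
    owner_b, group_b = build_sid(owner), build_sid(group)
    off_owner, off_group = 20, 20 + len(owner_b)
    off_dacl = off_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + dacl

def parse_self_relative_sd(buf):
    """Resolve the offsets (an absolute descriptor would hold pointers instead)."""
    _, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"owner": parse_sid(buf, off_owner), "group": parse_sid(buf, off_group), "dacl": None}
    if control & SE_DACL_PRESENT and off_dacl:       # otherwise a NULL DACL: no protection
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, off_dacl)
        off, aces = off_dacl + 8, []
        for _ in range(ace_count):
            ace_type, _, ace_size = struct.unpack_from("<BBH", buf, off)
            (mask,) = struct.unpack_from("<I", buf, off + 4)
            aces.append((ace_type, mask, parse_sid(buf, off + 8)))
            off += ace_size
        sd["dacl"] = aces
    return sd

def access_check(sd, token_sids, desired):
    """Walk the DACL in ACE order. NULL DACL grants all, empty DACL grants nothing; an allow
    ACE for a token SID clears outstanding bits, a deny ACE overlapping any of them fails."""
    if sd["dacl"] is None:
        return True
    remaining = desired
    for ace_type, mask, sid in sd["dacl"]:
        if remaining == 0:
            break
        if sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE and mask & remaining:
            return False
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~mask
    return remaining == 0

USER = "S-1-5-21-1000-2000-3000-1001"    # constructed domain user SID
ADMINS, EVERYONE = "S-1-5-32-544", "S-1-1-0"   # well-known: BUILTIN\Administrators, Everyone
SAMPLE_SD = build_self_relative_sd(USER, ADMINS, build_dacl([
    build_ace(ACCESS_DENIED_ACE_TYPE, FILE_WRITE_DATA, EVERYONE),                 # deny comes first
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_READ_DATA | FILE_WRITE_DATA, USER),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_READ_DATA | FILE_WRITE_DATA | DELETE, ADMINS),
]))

def demo():
    sd = parse_self_relative_sd(SAMPLE_SD)
    user, admin = {USER, EVERYONE}, {ADMINS, EVERYONE}     # SIDs carried by each access token
    return {"user_read": access_check(sd, user, FILE_READ_DATA),        # True
            "user_write": access_check(sd, user, FILE_WRITE_DATA),      # False: earlier deny wins
            "admin_delete": access_check(sd, admin, DELETE),            # True
            "admin_write": access_check(sd, admin, FILE_WRITE_DATA)}    # False
```

The deny ACE for Everyone is placed first on purpose: the walk stops at the first deny that overlaps an outstanding bit, so the later allow for the user never gets a chance to grant write. Tools that build DACLs normally keep explicit denies ahead of allows for exactly this reason, and a self-relative descriptor is what you get back from the registry, from files on NTFS and from most APIs, since offsets survive being copied or stored while pointers do not.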

ACE

See access control entry.

ACL

See access control list.

Advanced Encryption Standard

(AES) A symmetric block cipher specified by the National Institute of Standards and Technology (NIST) in FIPS 197 to protect sensitive information. It operates on 128-bit blocks with 128-, 192-, or 256-bit keys and replaced DES and Triple DES as the federal standard.

ALG_CLASS_DATA_ENCRYPT

The CryptoAPI algorithm class for data encryption algorithms. Typical data encryption algorithms include RC2 and RC4; newer providers also place AES in this class. RC2 and RC4 are obsolete and should not be used for new designs.

ALG_CLASS_HASH

The CryptoAPI algorithm class for hashing algorithms. Typical hashing algorithms include MD2, MD5, SHA-1, and MAC; providers that support them also place the SHA-2 family (SHA-256 and larger) in this class. MD2, MD5, and SHA-1 are no longer considered collision resistant and should not be used for new signatures.

ALG_CLASS_KEY_EXCHANGE

The CryptoAPI algorithm class for key exchange algorithms. A typical key exchange algorithm is RSA_KEYX.

ALG_CLASS_SIGNATURE

The CryptoAPI algorithm class for signature algorithms. A typical digital signature algorithm is RSA_SIGN.

APDU

See application protocol data unit.

application protocol data unit

(APDU) The command-and-response unit defined by ISO/IEC 7816-4 for talking to a smart card. The application sends a command APDU (the header bytes CLA, INS, P1, P2, optionally followed by a length-prefixed data field and an expected-response-length byte) to the card, and the card returns a response APDU containing any result data followed by the two status bytes SW1 and SW2.

See also reply APDU.

application protocol

A protocol that normally resides on top of the transport layer. For example, HTTP, TELNET, FTP, and SMTP are all application protocols.

ASN.1

See Abstract Syntax Notation One.

ASCII

American Standard Code for Information Interchange. A coding scheme that assigns numeric values to letters, numbers, punctuation marks, and certain other characters.

asymmetric algorithm

See public key algorithm.

asymmetric key

One of a pair of keys used with an asymmetric cryptographic algorithm. Such an algorithm uses two cryptographic keys: a "public key" for encryption and a "private key" for decryption. In signature and verification, the roles are reversed: the public key is used for verification, and the private key is used for signature generation. The most important feature of such algorithms is that their security does not depend on keeping the public key secret (though it may require some assurance of authenticity of public keys, for example, that they be obtained from a trusted source). Secrecy of the private key is required. Examples of public key algorithms are Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and the Rivest-Shamir-Adleman (RSA) family of algorithms.

ATR string

A sequence of bytes (the Answer To Reset) that a smart card returns when it is powered on or reset. The bytes describe the card's signaling convention, the transmission protocols it supports, and their parameters, followed by card-specific historical bytes; the system uses them to identify the card and to match it to a driver.
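Added example, not from the glossary, for the two smart card entries above (application protocol data unit and ATR string): it encodes a command APDU, interprets the status word of a response APDU, and parses an ATR including the TCK check byte. The AID and the response bytes are made up for illustration; the sample ATR is the kind a PC/SC reader reports for a contactless card.

```python
"""Smart card framing: ISO 7816-4 command/response APDUs and the ATR.

Added example, not from the glossary. The application sends a command APDU
(CLA INS P1 P2 [Lc data] [Le]) and the card answers with a response APDU
(data + SW1 SW2). The AID and response bytes below are constructed; SAMPLE_ATR
is a typical PC/SC-style contactless ATR given for illustration.
"""

SW_OK = 0x9000


def build_command_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-length command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(data) > 255 or (le is not None and not 0 <= le <= 256):
        raise ValueError("extended-length APDUs are not handled in this example")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data       # Lc and command data (cases 3 and 4)
    if le is not None:
        apdu += bytes([le & 0xFF])              # Le; 0x00 encodes 256 (cases 2 and 4)
    return apdu


def parse_response_apdu(resp):
    """Split a response into (data, SW1SW2, meaning)."""
    if len(resp) < 2:
        raise ValueError("a response APDU carries at least SW1 SW2")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw == SW_OK:
        meaning = "ok"
    elif sw1 == 0x61:
        meaning = "ok, %d more bytes available via GET RESPONSE" % sw2
    elif sw1 == 0x6C:
        meaning = "wrong Le, resend with Le=%d" % sw2
    elif sw1 in (0x62, 0x63):
        meaning = "warning"
    else:
        meaning = "error"
    return data, sw, meaning


def parse_atr(atr):
    """Walk TS, T0, the interface bytes and historical bytes; verify TCK if present."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte (expected 0x3B direct or 0x3F inverse convention)")
    y, k = atr[1] >> 4, atr[1] & 0x0F      # T0: presence bits for TA1..TD1, historical count
    i, off, protocols, interface = 1, 2, [], []
    while True:
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4)):
            if y & bit:
                interface.append(("%s%d" % (name, i), atr[off]))
                off += 1
        if not y & 8:
            break
        td = atr[off]                       # TDi: next presence bits and an offered protocol T
        interface.append(("TD%d" % i, td))
        protocols.append(td & 0x0F)
        y, i, off = td >> 4, i + 1, off + 1
    historical = atr[off:off + k]
    off += k
    tck_ok = None
    if any(p != 0 for p in protocols):      # TCK is present whenever any T != 0 is offered
        xor = 0
        for b in atr[1:off + 1]:            # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        tck_ok = xor == 0
        off += 1
    if off != len(atr):
        raise ValueError("ATR length does not match its interface bytes")
    return {"direct_convention": atr[0] == 0x3B, "interface": interface,
            "protocols": protocols or [0], "historical": historical, "tck_ok": tck_ok}


# Constructed SELECT-by-AID command (made-up AID F0 01 02 03 04 05, Le = 0 meaning 256)
SELECT_AID = build_command_apdu(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("F00102030405"), le=0)

# Typical ATR reported by a PC/SC reader for a contactless card (illustration only)
SAMPLE_ATR = bytes.fromhex("3B8F8001804F0CA000000306030001000000006A")
```

The ATR is where the card first influences the host, so a reader-side parser should treat it as untrusted input: the loop above stops on a length mismatch rather than reading past the buffer, and the TCK check catches a corrupted or truncated answer before any protocol is negotiated on the basis of it.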

attribute

An element of a relative distinguished name (RDN). Some typical attributes include common name, surname, email address, postal address, and country/region name.

attribute BLOB

An encoded representation of the attribute information stored in a certificate request.

Audit security object

A security descriptor that controls access to the audit policy subsystem.

authentication

The process for verifying that a user, computer, service, or process is who or what it claims to be.

authentication package

A DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. The Local Security Authority (LSA) authenticates a user logon by sending the request to an authentication package (for example, MSV1_0 for NTLM or the Kerberos package). The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.

Authenticode

A Microsoft code-signing technology, originally surfaced through Internet Explorer, that allows vendors of downloadable executable code (plug-ins or ActiveX controls, for example) to attach a digital signature, backed by an X.509 certificate, to their products. The signature assures end users that the code comes from the named publisher and has not been altered since it was signed. Authenticode lets end users decide for themselves whether to accept or reject software components posted on the Internet before the component is installed or run.