1.3 Terminology
Computer science is filled with ill-defined terminology used by different authors in conflicting ways. Some people take terminology very seriously, and once they start to use a certain word in a certain way, are extremely offended if the rest of the world does not follow.
When I use a word, it means just what I choose it to mean—neither more nor less.
—Humpty Dumpty (in Through the Looking Glass)
Some terminology we feel fairly strongly about. We do not use the term hacker to describe the vandals that break into computer systems. These criminals call themselves hackers, and that is how they got the name. But they do not deserve the name. True hackers are master programmers, incorruptibly honest, unmotivated by money, and careful not to harm anyone. The criminals termed “hackers” are not brilliant and accomplished. It is really too bad that they not only steal money, people’s time, and worse, but they’ve also stolen a beautiful word that had been used to describe some remarkable and wonderful people. We instead use words like intruder, bad guy, and impostor.
We grappled with the terms secret key and public key cryptography. Often in the security literature the terms symmetric and asymmetric are used instead of secret and public. When we say secret key, we mean a key that is used both for encryption and decryption. When we say public key, we are referring to a key pair consisting of a public key (used for encryption or signature verification) and a private key (used for decryption or signing). Using the terms public key and private key is occasionally regrettable because both the words public and private start with “p”.
We use the term privacy when referring to the desire to keep communication from being seen by anyone other than the intended recipients. Some people in the security community avoid the term privacy because they feel its meaning has been corrupted to mean the right to know, because in some countries there are laws known as privacy laws that state that citizens have the right to see records kept about them. Privacy also tends to be used when referring to keeping personal information about people from being collected and misused. The security community also avoids the use of the word secrecy, because secret has special meaning within the military context, and they feel it would be confusing to talk about the secrecy of a message that was not actually labeled top secret or secret. The term most commonly used in the security community for keeping communication from being seen is confidentiality. We find that strange because confidential, like secret, is a security label, and the security community should have scorned use of confidential, too. In the first edition, we chose not to use confidentiality because we felt it had too many syllables, and saw no reason not to use privacy. For the second edition we reconsidered this decision, and were about to change all use of privacy to confidentiality until one of us pointed out we’d have to change the book title to something like Network Security: Confidential Communication in a Non-Confidential World, at which point we decided to stick with privacy.
Speaker: Isn’t it terrifying that on the Internet we have no privacy?
Heckler1: You mean confidentiality. Get your terms straight.
Heckler2: Why do security types insist on inventing their own language?
Heckler3: It’s a denial-of-service attack.
—Overheard at gathering of security types
We often refer to things involved in a conversation by name; for instance, Alice and Bob, whether the things are people or computers. This is a convenient way of making descriptions unambiguous with relatively few words, since the pronoun she can be used for Alice, and he can be used for Bob. It also avoids lengthy inter-author arguments about whether to use the politically incorrect he, a confusing she, an awkward he/she or (s)he, an ungrammatical they, an impersonal it, or an awkward rewriting to avoid the problem. We remain slightly worried that people will assume when we’ve named things with human names that we are always referring to people. Assume Alice, Bob, and the rest of the gang may be computers unless we specifically say something like the user Alice, in which case we’re talking about a human.
When we need a name for a bad guy, we usually choose Trudy (since it sounds like intruder) or Eve (since it sounds like eavesdropper) or Mallory (since it sounds like malice). Everyone would assume Alice, Eve, and Trudy are she, and Bob is he. For inclusivity, we wanted at least one of the evil characters to be male, and we chose Mallory as the name of a male evildoer. Mallory can be used for either gender, and is gaining more popularity as a female name, but when we use Mallory we will assume Mallory is male and use the pronoun he.
With a name like yours, you might be any shape, almost.
—Humpty Dumpty to Alice (in Through the Looking Glass)
Occasionally, one of the four of us authors will want to make a personal comment. In that case we use I or me with a subscript. When it’s a comment that we all agree with, or that we managed to slip past me₃ (the rest of us are wimpier), we use the term we.