Oracle Advanced Security Administrator's Guide
Release 8.1.5






Prev Next



The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.


Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles.


A certificate is created when an entity's public key is signed by a trusted identity, that is, a certificate authority. This certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.

A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.

certificate authority

A trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.

certificate chain

An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates.


A mechanism that computes a value for a message packet, based on the data it contains, and passes it along with the data to authenticate that the data has not been tampered with. The recipient of the data recomputes the cryptographic checksum and compares it with the cryptographic checksum passed with the data; if they match, it is "probabilistic" proof the data was not tampered with during transmission. The important property of a cryptographic checksum is that, without knowing the secret key, a malicious interceptor has only an infinitesimally small chance of being able to construct an altered message with a valid corresponding checksum.

cipher suite

In SSL, a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.


A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy).


A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).


Common Object Request Broker Architecture. An architecture that enables pieces of programs, called objects, to communicate with one another regardless of the programming language in which they are written or the operating system on which they are running. CORBA was developed by an industry consortium known as the Object Management Group (OMG).


The act of writing and deciphering secret code resulting in secure messages.


The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).


The U.S. Data Encryption Standard.

digital signature

A digital signature is created when a public key algorithm is used to sign the sender's message with the sender's private key. The digital signature assures that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.


The process of disguising a message in order to hide its substance.


The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.


The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer.


The combination of the public key and any other public information for an entity. The public information may include user identification data such as, for example, an e-mail address.

initial ticket

In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket. An initial ticket is retrieved by running the kinit program and providing a password.


The guarantee that the contents of the message received were not altered from the contents of the original message sent.


Internet Inter-ORB Protocol. A protocol developed by the Object Management Group (OMG) to implement CORBA solutions over the World Wide Web. IIOP enables browsers and servers to exchange integers, arrays, and more complex objects, unlike HTTP, which supports only transmission of text.


Key Distribution Center/Ticket Granting Service. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service.

The KDC/TGS is a trusted third party that must run on a secure host. It creates ticket-granting tickets and service tickets. The KDC and TGS are usually the same entity.


A network authentication service developed under Massachusetts Institute of Technology's Project Athena that strengthens security in distributed environments. Kerberos is a trusted third-party authentication system that relies on shared secrets and assumes that the third party is secure. It provides single sign-on capabilities and database link authentication (MIT Kerberos only) for users, provides centralized password storage, and enhances PC security.


An instantiation or location of a service. This is an arbitrary string, but the host machine name for a service is typically specified.


An arbitrary name of a Kerberos service object.


An algorithm that assures data integrity by generating a unique, 128-bit cryptographic message digest value from the contents of a file. If as little as a single bit value in the file is modified, the MD5 checksum for the file will change. Forgery of a file in a way that will cause MD5 to generate the same result as that for the original file is considered extremely difficult.

message authentication code

Also known as data authentication code (DAC). A checksumming with the addition of a secret key. Only someone with the key can verify the cryptographic checksum.

message digest

See checksumming.


An Oracle product that enables two or more computers that run the Oracle server or Oracle tools such as Designer/2000 to exchange data through a third-party network. Net8 supports distributed processing and distributed database capability. Net8 is an "open system" because it is independent of the communication protocol, and users can interface Net8 to many network environments.

network authentication service

A means for authenticating clients to servers, servers to servers, and users to both clients and servers in distributed environments. A network authentication service is a repository for storing information about users and the services on different servers to which they have access, as well as information about clients and servers on the network. An authentication server can be a physically separate machine, or it can be a facility co-located on another server within the system. To ensure availability, some authentication services may be replicated to avoid a single point of failure.


A Kerberos object, consisting of kservice/kinstance@REALM. See also kservice, kinstance, and realm. A uniquely-identified client or server.

public-key encryption

The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using the recipient's private key.

public/private key pair

A mathematically related set of two numbers where one is called the private key and the other is called the public key. Public keys are typically made widely available, while a private key is available only to the owner. Data encrypted with a public key can be decrypted with its associated private key and vice versa. However, data encrypted with a public key cannot be decrypted with the same public key.


A Kerberos object. A set of clients and servers operating under a single key distribution center/ticket-granting service (KDC/TGS). kservices that are in different realms but that have the same name are unique.

Secure Hash Algorithm

An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.


A network resource used by clients; for example, an Oracle database server.

service name

For Kerberos-based authentication, the kservice portion of a service principal.

service table

In Kerberos authentication, a service table is a list of service principals that exist on a kinstance. This information must be extracted from Kerberos and copied to the Oracle server machine before Kerberos can be used by Oracle.

session key

A key shared by at least two parties (usually a client and a server).


A provider of a service.

service principal

See principal.

service ticket

Trusted information used to authenticate the client. A ticket-granting ticket is also known as the initial ticket, is obtained by directly or indirectly running kinit and providing a password, and is used by the client to ask for service tickets. A "service ticket" is used by a client to authenticate to a service.


See Secure Hash Algorithm.


A plastic card (like a credit card) with an embedded integrated circuit for storing information, including such information as user names and passwords. A smartcard is read by a hardware device at any client or server.

A smartcard can generate random numbers which can be used as one-time use passwords. In this case, smartcards are synchronized with a service on the server so that the server expects the same password generated by the smart card.


A piece of information that helps identify who the owner is. See service ticket.

token card

A device for providing improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user types into the token card. The token card then provides another number (cryptographically-derived from the challenge), which the user then offers to the server.

trusted certificate

A third party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates.


See trusted certificate.


An abstraction used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A wallet resource locator (WRL) provides all the necessary information to locate the wallet.

Wallet Resource Locator

A directory path that provides all the necessary information to locate a particular wallet.


See Wallet Resource Locator.


The public keys can be signed in various data formats. The X.509 format from ISO is one such popular format.


Copyright © 1999 Oracle Corporation.

All Rights Reserved.