
Glossary of Terms

An algorithm is a step-by-step procedure for carrying out a mathematical computation or a transformation of data, usually used in reference to work performed by a computer.
assurance level
See identity authentication assurance level.
asymmetric cryptography
Asymmetric means that two parts of a thing are not similar (not symmetric). In asymmetric cryptography a private key is used for creating a digital signature, and the related public key is used for verifying the signature. Because the keys for each process are different, the processes are described as being asymmetric. Asymmetric cryptography is a synonym for public key cryptography (also see).
asymmetric key
In asymmetric cryptography (also see), an asymmetric key is one key of a pair of asymmetric keys (a public key and a private key). See public key cryptography.
Simply put, authentication is verifying identity. Authentication is the process of determining whether someone or something is actually who or what it asserts itself to be. In the context of an access control system, it refers to the process of identifying the individual or system requesting access, by checking the credentials presented against the information stored in the system. Also see identify.
authentication assurance level
See identity authentication assurance level.
Authorization has two meanings: (a) the assignment of access rights to an individual or system in an identity management system or access control system (also see user provisioning) and (b) the decision process by an access control system of determining whether or not access should be granted at the time an access request is made, based upon the rights that have been assigned.
Acronym for certificate authority (or certification authority).
Crypto Application Program Interface
cardholder unique identifier
See digital certificate
certificate authority (also certification authority)
A certificate authority, or CA, is the person or company who issues, revokes and manages digital certificates to subscribers. A CA acts as a trusted "third party" certifying the identity of subscribers to anyone who receives a digitally signed message.
certificate request
A subscriber receives a digital certificate by requesting one from a certificate authority.
certificate revocation list
A list of digital certificates that have been revoked (cancelled) before their expiration date. A certificate revocation list is commonly referred to by its acronym, CRL.
In FIPS 201 the cardholder unique identifier (CHUID) is a standard data model for cardholder identification data.
Card Management System
Common Criteria Certification
Common Criteria Certification: Common Criteria is an international standard for IT security developed jointly by standards bodies in the US, Europe, and Canada. Product certification involves a rigorous evaluation process, including both evaluation of product documentation and testing of the product's security related functions. More information is available at
common user provisioning
Common user provisioning (also called one-step provisioning) means having a single point of employee registration and dismissal (usually in a Human Resources system) with automatic assignment and revocation of both physical and information security privileges.
A credential is generally defined as evidence (usually in printed form) concerning one's right to credit, confidence, authority or privileges. Security systems have two categories of credentials used to verify identity and perform authentication of privileges: physical visual credentials (such as a photo ID badge) and electronic credentials (information stored on a security card or in a computer database). Electronic credentials are also called logical credentials. In the context of FIPS 201, the PIV card is a physical credential (a smart card) with specific information printed on it and specific information encoded in the smart card memory. The data encoded on the PIV card is a logical credential.
Acronym for certificate revocation list.
An arrangement between organizations whereby each organization accepts credentials issued by the other. This requires collaboration with regard to many issues including security, privacy, trust, operating rules, policies and technical standards. The intent of FIPS 201 is to enable cross-credentialing for Federal agencies and their contractors.
cryptographic key
A key is a piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation to be performed on the data being encrypted or decrypted. The key is used to “lock” the data by encrypting it and “unlock” it by decrypting it. Keys are also used in other cryptographic algorithms, such as digital signatures and other schemes for authentication of information.
Cryptography is the study and practice of protecting information by data encoding and transformation techniques. It includes means of hiding information (such as encryption) and means of proving that information is authentic and has not been altered from its original form (such as digital signatures).
The changing of encrypted information back into readable form using a decryption key.
digital certificate
A digital certificate (sometimes called a digital ID) is the electronic counterpart to a driver license, passport or membership card. It is a specially formatted block of data that serves as a form of personal identification that can be verified electronically. A digital certificate is what binds a public key to an identity (a person or system) and is a means of establishing trust in electronic communications. The certificate is issued by a trusted authority (called the certificate authority). This authority stores the digital certificates it publishes in a computer database or network directory, which it makes available online (in a local area network or on the Internet) so that software applications can verify digital signatures as needed. Certificate verification is performed automatically by the software of systems that use digital certificates for information protection (such as e-mail systems).
digital certificate subscriber
The person to whom a digital certificate is issued, usually simply referred to as the “subscriber” in discussions about digital certificates.
digital communications
The use of electronic digital signals (ones and zeros) to send information between electronic devices or systems using wired, wireless (radio) or fiber-optic means of transmission.
digital signature
A digital signature is additional data that is appended to data in transit or storage. It can be checked to verify who the sender is, and to determine whether or not the data has been altered since it was signed. Digital signatures can be used on all types of electronic communications including documents, web pages, e-mail and electronic commerce. Digital signatures are sometimes called public key digital signatures, because the signature is verified using the signer’s public key.
Delegated Path Discovery
Delegated Path Validation
Evaluation Assurance Level
electronic credential
Information stored on a security card or in a computer database as evidence of privileges or authority. Also see credential.
The changing of information into an unreadable form to prevent unauthorized individuals or systems (i.e. those that don’t have a decryption key) from reading the information.
Ethernet is a local-area network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel in 1976. It is one of the most widely implemented LAN standards.
FIPS 201

Federal Information Processing Standard (FIPS) Publication 201, commonly known by the shorter name FIPS 201, is titled: Personal Identity Verification (PIV) of Federal Employees and Contractors. It is both a standard and a specification. FIPS 201 specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.

The standard contains two major sections. Part one describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive 12, including personal identity proofing, registration, and issuance. Part two provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. Similarly, the interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Data Specification for Personal Identity Verification.

This standard does not specify access control policies or requirements for Federal departments and agencies.

See Federal Agency Smart Credential Number.
Federal Bridge Certification Authority (US)
Federal Agency Smart Credential Number
The Federal Agency Smart Credential Number (FASC-N) is one of the data items contained within the CHUID, and uniquely identifies a PIV card. The FASC-N replaces the SEIWG-012 definition, which has been in use for over 10 years.
Federated Identity Management
A number generated by applying a mathematical formula (an algorithm) to a document or sequence of text, used for verifying that the document has not been changed since the original hash value was generated. A hash is significantly shorter than the original text. The hash number is unique to the original document, thus attaching it to a document has negligible impact on the overall size of the document. The algorithm works one-way: it yields the same hash result every time for the same message, and it is not possible in practice for a message to be reconstituted from the hash result. Also, two different messages cannot produce the same hash results. Thus if the sender creates a hash for a document and provides it to the recipient of the document, the recipient (applying the same algorithm) can create a hash value and verify that the hash is identical to the sender’s hash, which means that the document has not been altered. Hashes are used in the creation of digital signatures.
Homeland Security Presidential Directive 12

On August 27, 2004, a Homeland Security Presidential Directive (HSPD) was issued entitled HSPD-12 "Policy for a Common Identification Standard for Federal Employees and Contractors." HSPD-12 establishes the requirement for a mandatory Government-wide standard for secure and reliable forms of identification issued by the Federal Government in order to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy, and directed the promulgation of a new Federal standard for secure and reliable identification. This impacts Federal Department and Agency employees and contractors who require long-term access to Federally controlled facilities and information systems. This includes the Department of Defense, Department of State, Armed Forces, Foreign Service, US Postal Service, and all other executive branch components. Government Corporations are encouraged to comply but are not required.

See Homeland Security Presidential Directive 12.
identify (identification)

Within the context of a Personal Identity Verification system defined by FIPS 201, identify means the real-world process of visually and physically verifying an individual’s identity by verifying identification documents and conducting an in-person interview, before registering the person into the identity management system. This initial verification of identity is referred to as identification.

In the context of an access control system, identify means to locate the security system’s stored identity information that is associated with the security card or other credential presented to the system, and in some cases performing additional verification using that information such as checking a PIN, comparing a stored biometric to a captured biometric, or performing human visual verification of identifying characteristics. This is called authentication. Where roles are used to assign system privileges, it may be sufficient to securely identify the role of the person rather than the individual personal identity when performing authentication.

Within the context of a business system or security system, identity generally has one of two meanings. First, it refers to identity information (such as an identifying name or number) that is unique within the system, plus additional information that usually includes one or more of the following: identifying characteristics, which individuals and systems will use to perform an identification; system or organizational role, used to determine the specific rights and authority granted; and the period of time for which the identity information may be relied upon. Oftentimes one particular part of the identity information is referred to as the identity, such as a name or a role within the system. Second, identity can refer to a person, physical object (such as a security smart card), data object (such as a biometric signature on a card) or computer system that is being verified as authentic by the system.
identity assurance level
See identity authentication assurance level.
identity authentication assurance level
There are three identity authentication assurance levels defined in FIPS 201. They express the level of confidence that the cardholder has presented a credential that correctly references the cardholder’s identity. The three levels defined are named Some Confidence, High Confidence, and Very High Confidence. The following terms also have the same meaning and are used interchangeably: PIV authentication levels, PIV assurance levels, identity assurance levels, authentication assurance levels and assurance levels.
identity management
Strictly speaking, identity management is the identification of authorized users and their enrollment in a system that is used to manage their identity information. However, the management of identity information is not an end in itself; it is used to facilitate business activities such as physical access control, information systems access control, and workflow automation in accordance with business policies. This identity management is an integrated system of business processes, policies and technologies. Also see identity management system.
identity management system
An identity management system (IDMS) identifies individuals in a system and controls their access to resources within that system by associating user rights and restrictions with each identified individual. The FIPS 201 standard requires that an identity management system be used to manage the identity information required for the Personal Identity Verification process specified in the standard.
Acronym for identity management system.
Internet Engineering Task Force.
Interoperability refers to the ability of a system or a product to work with other systems or products without special effort on the part of the customer. In the context of FIPS 201, it also refers to the ability of different Federal agencies to utilize the same PIV card and PIV management processes so that sufficient trust is established to allow one agency to accept and utilize a PIV card created by another agency.
logical credential
See electronic credential.
National Agency Check
National Agency Check with Written Inquiries
National Institute of Standards and Technology
US governmental standards group that publishes the Federal Information Processing Standards, including FIPS 201.
National Information Assurance Partnership (US)
NIAP Certification:
See Common Criteria Certification
See National Institute of Standards and Technology.
See Online Certificate Status Protocol.
Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP), as defined by the IETF RFC 2560, is a method for systems to verify the status of a digital certificate (to determine whether or not it has been revoked) by sending a status query to a server and receiving a real-time response about the status of the certificate.
Acronym for physical access control system.
PACS 2.2
The short name for a document titled Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems, Version 2.2, published in July of 2004 by the Physical Access Interagency Interoperability Working Group (PAIIWG) of the Government Smart Card Interagency Advisory Board (GSC-IAB). The document is also commonly referred to as PACS Implementation Guidance Version 2.2.
PACS Assurance Level
See PACS Assurance Profile.
PACS Assurance Profile
The PACS 2.2 document introduced the term “assurance profiles” and defined high, medium and low assurance profiles. These are similar to but different from the FIPS 201 PIV Identity Authentication Assurance Levels. Some documents refer to these assurance profiles as “PACS assurance levels” or “card assurance levels”.
Permissions is the term commonly used to refer to the access rights provided by information access control systems. In physical access control systems the common term is privileges.
Personal Identity Verification
Personal Identity Verification (PIV) is the term designated in FIPS 201 for the processes and technologies involved in (a) identification: verifying the identity of a Federal employee or contractor at the time of initial identification and enrollment into a Federal agency’s identity management system, and (b) authentication: verifying the identity of the employee or contractor for purposes of physical and information systems access control.
physical credential
A document that contains printed identification information and often contains a photograph, signature, or both as evidence of identity and of one's right to credit, confidence, authority or privileges. Examples of physical credentials are the driver license, passport, and security photo ID badges. See also credential.
Acronym for Personal Identity Verification.
PIV authentication level
See identity authentication assurance level.
PIV card
A smart card that is designed, issued and managed according to the specifications in FIPS 201 and its related technical documents.
PIV identity assurance level
See identity authentication assurance level.
Public Key Enabled
See public key infrastructure.
Public Key Infrastructure Test Suite
private key
The key of a public/private key pair that is kept private rather than published. See public key cryptography.
Privileges is the term commonly used to refer to the access rights provided by physical access control systems. In information access control systems the common term is permissions.
See user provisioning.
public key cryptography

Public key cryptography is a form of cryptography which generally allows individuals or systems to communicate securely without having prior access to a shared secret key (symmetric key). This is done by using a pair of cryptographic keys, designated as public key and private key, which are related to each other mathematically. What you encode with one key you can decode only with the other key, and vice-versa. Yet you cannot figure out one key if you have the other key. This allows one key to be made public without risking disclosure of the other key that is kept private.

Thus the two cryptographic keys are known as a “public key/private key pair”. Public/private key pairs have a number of uses, including encryption and the computations involved in creating and verifying digital signatures. Public key cryptography is also known as asymmetric cryptography, because a different key is used to decode the information than was used to encode it. Private and public keys are often referred to as asymmetric private keys, asymmetric public keys, or simply asymmetric keys to refer to them both.

public key digital signature
See digital signature.
public key encryption
Encryption using a public/private key pair. See public key cryptography.
public key
The published key of a public/private key pair. See public key cryptography.
public key infrastructure
A public key infrastructure (PKI) is a security management system including hardware, software, people, processes and policies (including certificate authorities and registration authorities) dedicated to the management of digital certificates for the purpose of achieving secure exchange of electronic information. The term PKI is also sometimes used loosely simply as a reference to public key cryptography. Because a digital certificate contains the public key of the subscriber (the person the certificate was issued to), it is sometimes also called a public key certificate or PKI certificate (FIPS 201 uses all three terms).
See registration authority.
Acronym for Role Based Access Control.
registration authority
The registration authority (RA) is the person or company responsible for the identification and authentication of digital certificate subscribers prior to certificates being issued by the certification authority. The registration authority does not sign or issue the certificates (the certificate authority does). The registration authority is responsible for the accuracy of the information contained in a certificate request.
Request For Comment
Role Based Access Control
The basic concept of Role Based Access Control (RBAC) is that within an organization, roles are created for various job functions, and personnel are assigned a specific role. Corresponding roles are created in the access control system, and access privileges are assigned to the roles (as opposed to being assigned directly to personnel). Thus personnel acquire access privileges by being assigned a role. This use of roles facilitates policy-based management of access control that mirrors the actual job requirements of an organization’s personnel.
Signatures and Authentication for Everyone. See SAFE-Biopharma Association.
SEIWG-012 is a Federal standard for security card identification that defines a numerical sequence of 40 digits containing several different numbers such as an “agency code” and a “credential code”. It is named after the group that developed it, the Security Equipment Integration Working Group (SEIWG), a sub-group of the Physical Security Equipment Action Group (PSEAG), which is a DoD organization that coordinates all of the physical security research and development efforts across the armed services. FIPS 201 specifies a new standard that replaces the SEIWG-012, the Federal Agency Smart Credential Number (FASC-N).
Server-based Certificate Validation Protocol
Shared Service Provider
See digital certificate subscriber.
symmetric cryptography
Symmetric means that two parts of a thing are similar. In symmetric cryptography the same key is used for both encrypting and decrypting data. Also see asymmetric cryptography.
symmetric key
The single key used for symmetric cryptographic operations. See symmetric cryptography.
TCP/IP is an acronym for Transmission Control Protocol/Internet Protocol, a protocol for communication between computers, used as a standard for transmitting data over networks and the Internet.
user provisioning
Provisioning means to provide users (such as the cardholders in an access control system or the users of a computer-based information system) with two things: (1) a means to authenticate themselves (such as a card and PIN, or name and password), and (2) access privileges. Those two elements combined (a means to authenticate and privileges) are what enable access to protected assets.
