An assault conducted by an intentional threat source that attempts to alter a system, its resources, its data, and/or its operations. It can also be an assault that steals information without altering it.
Advanced Encryption Standard (AES)
A cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. See Symmetric Encryption. (FIPS PUB 197: the official AES standard)
AES is based on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes.
Asymmetric Encryption
Cryptography in which a pair of keys is used to encrypt and decrypt a message. The sender of the message encrypts the message with the recipient’s Public Key. The recipient then decrypts the message with his/her Private Key. (Also see Public Key Cryptography). The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with “Symmetric Encryption” which relies on the same key to perform both.
Authentication
A process of verifying the identity or other attributes of an entity (e.g. Machine-to-Machine end point). For example, a system or piece of software is who it says it is. Used as a prerequisite to allowing access to information or resources (i.e. Authorization).
Authorization
The granting of rights, including the ability to access specific information or resources.
B
Birthday Attack
A brute-force attack that exploits probability of collisions. It can be carried out in a form of traditional brute force attack, but not necessarily. This attack gets its name from the surprising fact that the probability of two or more people in a group of 23 sharing the same birthday (month and day) is greater than 1/2.
Brute Force Attack
This attack requires trying all (or a large fraction of all) possible values until the right value is found; also called an Exhaustive Search.
C
Certificate
Is an electronic credential created/issued by a Certificate Authority (CA). It is used to verify and authenticate the identity of an individual or a device in the case of Machine-to-Machine. Its primary function is to attest that a public key is bound to the individual or device. It is a digital representation of information which at least: (1) identifies the CA issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the CA issuing it or is cryptographically bound using ECQV.
Certificate Authority (CA)
A trusted third party whose purpose is to sign certificates for entities (e.g. Machine-to-Machine end points) it has authenticated using secure means. Other entities can check the signature to verify that a CA has authenticated the bearer of a certificate. See Public Key Infrastructure (PKI). TrustPoint Innovation Technologies, Ltd. is a CA.
Certificate Chain
The Certificate Chain is a list of certificates that are used to authenticate an entity. The chain begins with the certificate of that entity. Each certificate in the chain is signed by the entity that is identified by the next certificate in the chain. The chain terminates with a Root CA Certificate. See Public Key Infrastructure (PKI) for more information.
Certificate Policy
A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.
Certificate Revocation
The action a Certificate Authority (CA) takes when it declares that a previously valid digital certificate issued by that CA has become invalid. It is usually stated with an effective date.
Certificate Revocation List (CRL)
A list of certificates that have been revoked by the Certificate Authority before their expiration date.
Certificate Serial Number
A number that is associated with and included in a certificate. It is assigned to the certificate by the Certificate Authority and is unique among all the certificates produced by that entity.
Challenge-Response
An authentication process that verifies an identity by requiring correct authentication information to be provided in response to a challenge. Using an NFC Tag as an example, a Smartphone sends a random challenge to the NFC Tag and the tag must send back to the phone the correct response.
Ciphertext
Data (i.e. plaintext) that has been transformed by encryption so its meaning is no longer intelligible or directly available. Ciphertext can be decrypted back to plaintext using a cryptographic algorithm and key. See Decryption.
Conduit
A Conduit is a logical grouping of communication assets that protects the security of the channels it contains. Refer to ISA99/62443 Standard on Industrial Automation and Control Systems Security for further information.
Confidentiality
Information can only be understood by anyone for whom it was intended.
Cryptographic Algorithm
Algorithm providing cryptographic functionality such as hashing, digital signature, key agreement etc.
Cryptography
The use of mathematical techniques to provide security services, such as confidentiality, data integrity and authentication. Transforms (encrypts) information (plaintext) into an intermediate form (ciphertext) which secures information in storage or transit.
Cybersecurity
Where information and systems are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
D
Data Integrity
Data is complete, intact, and trusted and has not been modified in an unauthorized or accidental manner.
Decryption
The process of converting ciphertext to plaintext using a cryptographic algorithm and key.
Denial of Service
An attack that prevents or impairs the authorized use of information, system resources or services.
A Digital Signature is a type of electronic signature that cannot be forged. It provides verification to the recipient (e.g. Machine-to-Machine end point) that the information signed came from the entity identified as the sender, and that it has not been altered since it was signed. It is created using a Private Key. See Signature Generation.
Digital Signature Algorithm (DSA)
Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS), specified in FIPS 186-4, 2013.
DSA Certificate
A DSA Certificate is a digital Certificate where the signature of the Certificate Authority is made using the Digital Signature Algorithm (DSA), or where the Public Key of the entity is a DSA public key.
Since the Digital Signature Algorithm depends for its security on the Discrete Logarithm problem in finite fields, the public keys (of the Certificate Authority or the public key of the entity) are quite large when compared with Elliptic Curve Cryptography. Because the DSA works on a subgroup of this larger group, a DSA signature, for example the signature of the Certificate Authority, is itself roughly the same size as an ECDSA Signature.
Distributed Denial of Service
A Denial of Service technique that uses numerous systems to overwhelm the target, preventing it from providing service.
E
Elliptic Curve Cryptography (ECC)
Elliptic Curve Cryptography (ECC) is a public-key encryption method based on the algebraic structure of elliptic curves over finite fields.
The security of ECC systems is based on the elliptic curve discrete logarithm problem, rather than the integer factorization problem or the discrete log problem in a finite field. This difference allows ECC systems to start out smaller and scale more efficiently as the bit size of the matching symmetric key increases. This means that significantly smaller parameters can be used in ECC than that with RSA and DSA to obtain the same level of security. Thus, ECC based solutions are ideally suited for Machine-to-Machine environments.
Elliptic Curve Digital Signature Algorithm (ECDSA)
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography. The bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits. For example, at a security level of 80 bits the size of a DSA public key is at least 1024 bits, whereas the size of an ECDSA public key would be 160 bits. On the other hand, the signature size is the same for both DSA and ECDSA.
Encryption
The process of converting data into a cipher or code in order to prevent unauthorized access. Encryption obscures data so that a specific algorithm and key are required to interpret the cipher or code. The purpose of encryption is to prevent unauthorized access to data while it is either in storage or being transmitted. Also see Asymmetric Encryption and Symmetric Encryption.
End-Entity Certificate
A particular type of certificate that may not be used to sign child certificates. It is the last certificate in a chain.
F-H
FIPS
Federal Information Processing Standards.
Hardware Security Module (HSM)
It is a hardware-based security device used by a Certificate Authority to generate, store and protect cryptographic keys. It also performs crypto operations with these keys.
I-J
Implicit Certificate
Implicit certificates are based on Elliptic Curve Cryptography (ECC). The public key and digital signature are super imposed in implicit certificates which allow the recipient to extract and verify the public key of the other party from the signature portion. Since it is not necessary to transmit both the signature and the public key, there is a 50% reduction in the number of bits required compared to a conventional certificate (e.g. RSA Certificate).
Industrial Control System
An information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets. The connection of the end points are often referred to as Machine-to-Machine Communications.
Internet of Things (IoT)
The term Internet of Things (IoT) is used to denote advanced connectivity of devices, systems and services that goes beyond Machine-to-Machine Communications and covers a variety of protocols, domains and applications. It refers to the connection of such systems and sensors to the broader Internet, as well as the use of general Internet technologies.
ISA99/62443 Standard
The ISA99 series of standards, known as the ISA-62443, addresses the subject of cyber security for industrial automation and control systems. The standards describe the basic concepts and models related to cyber security, as well as the elements contained in cyber security management systems for use in the industrial automation and control systems environment. They also provide guidance on how to meet the requirements described for each element.
K-L
Key Agreement
A key-establishment protocol for establishing a shared secret key between two or more parties in such a way that none of them can predetermine the value of that key and another party observing the protocol exchange cannot determine the value of the key. The secret key is a result of information contributed by the participants.
Key Management Infrastructure
The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of all cryptographic material, including Private Keys, Public Keys, and Certificates.
Key Pair
Two mathematically related keys (i.e., a Public Key and its corresponding Private Key) having the property that one key can be used to encrypt a message that can only be decrypted using the other key. The Public Key is used to encrypt plaintext or to verify a Digital Signature; whereas the Private Key is used to decrypt ciphertext or to create a Digital Signature.
Key Store
This is where the Private Key is stored. The key store should have a strong level of security including password protection, which is not shared with anyone.
M
Machine-to-Machine Communication
Machine-to-Machine (M2M) Communications refers to technologies that allow both wireless and wired systems to communicate with other devices of the same type. M2M is a broad term as it does not pinpoint specific wireless or wired networking, information and communications technology.
Machine-to-Machine (M2M) Certificate
The Machine-to-Machine (M2M) Certificate is a Digital Certificate specifically designed for securing M2M environments where there is limited memory and constrained processing. This certificate format has been adopted by the NFC Forum because it is well suited for the constrained NFC environment (e.g. limited memory and bandwidth). The Standards for Efficient Cryptography Group (SECG) has also recognized this certificate format.
Message
The data that is signed. Also known as “Signed Data” during the signature verification and validation process.
N-O
Near Field Communications (NFC)
Near Field Communication (NFC) is a short-range wireless technology that allows a device to collect and interpret data from another closely located (i.e. 10mm/4 inches) NFC device or tag.
NFC Data Exchange Format (NDEF)
The NFC Data Exchange Format (NDEF) is a standardized data format that can be used to exchange information between any compatible NFC device and another NFC device or tag. The data format consists of NDEF Messages and NDEF Records. The standard is maintained by the NFC Forum.
NFC Forum
“The NFC Forum is a non-profit industry association whose membership draws from all parts of the NFC ecosystem. Working within the framework of the NFC Forum, member organizations share development, application, and marketing expertise to develop the best possible solutions for advancing the use of Near Field Communication, enhancing the lives of consumers worldwide and advancing members’ business objectives.” – Source: The NFC Forum Website.
The NFC Forum Glossary
The NFC Forum has a detail Glossary that specifically addresses NFC definitions, acronyms and abbreviations.
NDEF Message
An NDEF Message is the basic “transportation” mechanism for NDEF records, with each message containing one or more NDEF Records.
NDEF Record
An NDEF Record contains a specific payload, and has a formal structure that identifies the contents and size of the record.
Non-repudiation
A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the Signatory).
P-Q
Passive Attack
An assault that attempts to learn or make use of information from a system, but does not attempt to alter the system, its resources, its data, or its operations.
PKCS 10
An encoding format used for Certificate Signing Requests. Described in detail by RFC2986.
Privacy Enhanced Mail (PEM) Encoding
An encoding format that is often used to wrap a PKCS 10 data blob. It adds human readable headers around encoded data. The payload is typically untouched.
Private Key
The Private Key is the secret part of a cryptographic key pair that is used with a public key algorithm. The Private Key is known only to its owner. Private Keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding Public Key.
Public Key
The non-secret part of a cryptographic key pair that is used with a public key algorithm. The Public Key can be made available to everyone. Public Keys are typically used to verify digital signatures or decrypt data that has been encrypted with the corresponding Private Key.
Public Key Cryptography
A form of cryptography in which a cryptographic system or algorithms use two uniquely and mathematically linked keys: a Public Key and a Private Key (a key pair). The Public Key is used to encrypt plaintext or to verify a Digital Signature; whereas the Private Key is used to decrypt ciphertext or to create a Digital Signature. See Asymmetric Encryption.
Public Key Infrastructure (PKI)
A framework and services for generating, producing, distributing, controlling, accounting for, and revoking public key certificates. See Certificate Authority.
R
Root Certificate
The certificate of the original trusted signer or Certificate Authority (CA) that certifies the authenticity of the end user/entity (or of intermediate signers). TrustPoint Innovation Technologies, Ltd. is such a CA.
RSA
RSA (Rivest, Shamir, Adleman): A public key algorithm invented in 1976 by three MIT mathematicians, Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, which bases its security on the difficulty of factoring large integers.
RSA Certificate
An RSA Certificate is a digital Certificate where the signature of the Certificate Authority is made using the Rivest-Shamir-Adleman algorithm, or where the public key of the entity is an RSA public key.
Since the RSA algorithm depends for its security on the difficulty of the factoring problem, the public keys and signatures made using RSA are quite large when compared with Elliptic Curve Cryptography. (See Public Key Strength Comparison Table in About ECC section).
S
Security Zone
Security Zone is a grouping of logical or physical assets that share common security requirements. Refer to ISA99/62443 Standard on Industrial Automation and Control Systems Security for further information.
Self-Signed Certificate
A certificate that is constructed like a Digital Certificate, but is signed by its subject. Caution should be taken when using a Self-Signed Certificate to authenticate a Public Key to other parties.
Signatory
The entity that generates a digital signature on data using a Private Key.
The (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).
Signature Verification
The process of using a digital signature algorithm and a public key to verify a digital signature on data.
Signed Data
The data or message upon which a digital signature has been computed. Also, see “Message”.
Subscriber
An entity that has applied for and received a certificate from a Certificate Authority.
Signature RTD
The Signature RTD specifies the format used when signing single or multiple NDEF Records. Digital signing of NDEF data is a trustworthy method for providing information about the origin of NDEF data in an NFC Forum Tag and NFC Forum Device. It provides users with the ability to verify the authenticity and integrity of data within the NDEF Message.
Signed Certificate
A certificate that is signed using a key maintained by a Certificate Authority. Before issuing a certificate, the Certificate Authority evaluates a certificate requestor to determine that the requestor is the certificate holder referenced in the certificate.
Spoofing Attack
A Spoofing Attack is a situation in which a person or program successfully masquerades as another by falsifying data and gains entry into a secure system.
Standards for Efficient Cryptography Group (SECG)
An international consortium that develops commercial standards for efficient and interoperable cryptography based on Elliptic Curve Cryptography (ECC).
Supervisory Control and Data Acquisition (SCADA) System
Type of loosely coupled distributed monitoring and control system commonly associated with electric power transmission and distribution systems, oil and gas pipelines, and water and sewage systems.
Symmetric Encryption
A form of cryptography in which the same key is used to both encrypt and decrypt the message. Requires a separate secure channel to exchange keys. An example of Symmetric Encryption is the Advanced Encryption Standard (AES).
T – Z
Trust Store
A collection of certificates that your software trusts. These certificates are associated with servers with which you make connections. Typically one would add TrustPoint’s Root Certificate to one’s Trust Store.
X.509 Certificate
An X.509 certificate is a digital certificate that uses the accepted international X.509 Public Key Infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.
An X.509 certificate contains information about the identity to which a certificate is issued and the identity that issued it. Standard information in an X.509 certificate includes:
Version – which X.509 version applies to the certificate (which indicates what data the certificate must include)
Serial Number – the identity creating the certificate must assign it a serial number that distinguishes it from other certificates
Algorithm Information – the algorithm used by the issuer to sign the certificate
Issuer distinguished name – the name of the entity issuing the certificate (usually a certificate authority)
Validity Period of the certificate – start/end date and time
Subject Distinguished Name – the name of the identity the certificate is issued to
Subject Public Key Information – the public key associated with the identity
Extensions (optional)
Zone
A Zone is a logical and /or physical grouping of physical, informational, and application assets sharing common security requirements. Refer to ISA99/62443 Standard on Industrial Automation and Control Systems Security for further information.