3.2 Definitions and Abbreviations
For the purposes of the present document, the following abbreviations apply.
3.2.1 Definitions
| Anonymity | In case of market requirements, an anonymous identity is required during ownership transfer. EU data privacy or Germany Privacy Regulations may apply. |
|---|---|
| Application | Applications (also called end-user programs) are software programs designed to perform a group of coordinated functions or tasks that may vary by installation or model. Examples of IoT applications include a web browser, sensor management, or actuator controller. This contrasts with system software, which executes the operating software of the main processor in the device. |
| Authentication | Authentication is the process of recognising an identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are checked with those in the device or within an authentication service. |
| Boot | The initial process used by the device when turned on that prepares the system for operation (normally contains low-level Secure Boot steps). |
| Consumer | An end user, and not necessarily a purchaser, in the distribution chain of a good or service who make personal use an IoT device and/or service. |
| Deployment | The placing of the product into customer trial or service. |
| Encrypted | Data secured using a recognised algorithm and protected keys, so as to be meaningful, only if decoded, and decodable only by those with access to the relevant algorithm and keys. |
| Enterprise | An organisation in business for commercial or not-for-profit purposes that share information technology resources. |
| Firmware | Computer programs and data stored in hardware – typically in read only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs. |
| IoT Product Class | Class of network products that all implement a common set of IoTSF defined functions for that particular IoT product. |
| Interactive Account | Interactive accounts include non-personal accounts such as root, admin, service, batch, super user or privilege accounts that permit system configuration changes. |
| Mutual Authentication | Mutual authentication refers to a security process or technology in which two entities in a communications link verify the origin and integrity of each other before any sensitive data is sent over the connection. In a network, the client authenticates the server and vice-versa. It is a default mode of authentication in some protocols, such as: SSH (see https://tools.ietf.org/html/rfc4250) and optional in others, such as TLS (see https://tools.ietf.org/html/rfc8446). |
| Nonce | Nonce is an abbreviation of the term "number used once”. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications messages cannot be reused in replay attacks. |
| Operating System | An operating system (OS) is system software that manages device hardware and software resources and provides common services for software programs. |
| On boarding | The method to register a device into its service or solution to enable device registration [NIST.SP.1800-36]2, configuration and data transfer. |
| Ownership Transfer | In case a device is transferred through a supply chain and changes owner, this method ensures a reliable and secure transfer of ownership. |
| Personal Information | Personal Information is defined by the EU General Data Protection Regulation (GDPR): https://ec.europa.eu/info/law/law-topic/data-protection_en. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Other jurisdictions may have different definitions. |
| Secure Boot | Process that ensures a device only starts software that is trusted by the OEM. |
| Secure Protocol | The method of exchanging information that ensures protection and reliability of the data (usually though cryptographic techniques). |
| Software | Unless otherwise explicitly stated, for the purposes of this document the term software also includes any firmware elements in the product. |
| Strong Authentication | A procedure based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data defined other examples include NIST Special Publication 800-63B see [NIST.SP.800-63B]1 and European Central Bank: Recommendations For The Security Of Internet Payments http://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf?95e6bba1ef875877ad3c35cf3b12399c |
| Supply Chain of Trust | Where an IoT system uses device or service components with more than one source, all sources demonstrate assurance with the relevant requirements of this framework. This will lead to the Devices and services in an IoT system exhibiting the following attributes:
|
| Tamper Evident | The enclosure of the product has measures to ensure that any unauthorised attempt to open it leaves evidence of the attempt, for example, labelling across a product’s enclosure joint that fragments when the joint is disturbed. |
| Tamper Resistant | The enclosure of the product has measures to prevent its unauthorised opening. Typically, with specialist fasteners or other features that require the use of specialist tooling, unique to the product. |
3.2.2 Acronyms
- CoAP
- Constrained Application Protocol
- DDoS
- Distributed Denial of Service
- DTLS
- Datagram Transport Layer Security
- EAL
- Evaluation Assurance Level
- ERP
- Effective Radiated Power
- HTML
- Hypertext Markup Language
- HTTP
- Hypertext Transfer Protocol
- IoT
- Internet of Things
- IP
- Internet Protocol
- MD
- Message Digest
- MQTT
- Message Queue Telemetry Transport – ISO standard ISO/IEC PRF 20922
- OEM
- Original Equipment Manufacturer
- OWASP
- Open Web Application Security Project
- PRNG
- Pseudo Random Number Generator
- RoT
- Root Of Trust
- SBoM
- Software Bill of Materials
- SHA
- Secure Hash Algorithm
- SSH
- Secure Socket Shell
- TRNG
- True Random Number Generator
- TBC
- To Be Confirmed
- TBD
- To Be Determined
- TCP
- Transmission Control Protocol
- TLS
- Transport Layer Security
- T3P
- Trusted Third Party
- UDP
- User Datagram Protocol
- URL
- Uniform Resource Locator
- WPS
- Wi‑Fi Protected Setup
- Revision 1 "NIST Special Publication 800-63B Digital Identity Guidelines Authentication and Lifecycle Management" June 2017 https://pages.nist.gov/800-63-3/sp800-63b.html ↩︎
- NIST SP 1800-36 "Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management", May 2024, https://csrc.nist.gov/pubs/sp/1800/36/ipd. ↩︎