
3.2 Definitions and Abbreviations

For the purposes of the present document, the following definitions and abbreviations apply.

3.2.1 Definitions

Anonymity     In case of market requirements, an anonymous identity is required during ownership transfer. EU data privacy or Germany Privacy Regulations may apply.
Application     Applications (also called end-user programs) are software programs designed to perform a group of coordinated functions or tasks that may vary by installation or model. Examples of IoT applications include a web browser, sensor management, or actuator controller. This contrasts with system software, which executes the operating software of the main processor in the device.
Authentication     Authentication is the process of recognising an identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are checked with those in the device or within an authentication service.
Boot     The initial process used by the device when turned on that prepares the system for operation (normally contains low-level Secure Boot steps).
Consumer     An end user, and not necessarily a purchaser, in the distribution chain of a good or service who makes personal use of an IoT device and/or service.
Deployment     The placing of the product into customer trial or service.
Encrypted     Data secured using a recognised algorithm and protected keys, so as to be meaningful only if decoded, and decodable only by those with access to the relevant algorithm and keys.
Enterprise     An organisation in business for commercial or not-for-profit purposes that shares information technology resources.
Firmware     Computer programs and data stored in hardware – typically in read-only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs.
IoT Product Class     Class of network products that all implement a common set of IoTSF defined functions for that particular IoT product.
Interactive Account     Interactive accounts include non-personal accounts such as root, admin, service, batch, super user or privilege accounts that permit system configuration changes.
Mutual Authentication     Mutual authentication refers to a security process or technology in which two entities in a communications link verify the origin and integrity of each other before any sensitive data is sent over the connection.
In a network, the client authenticates the server and vice-versa. It is a default mode of authentication in some protocols, such as SSH (see https://tools.ietf.org/html/rfc4250), and optional in others, such as TLS (see https://tools.ietf.org/html/rfc8446).
Nonce     Nonce is an abbreviation of the term "number used once". It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications messages cannot be reused in replay attacks.
Operating System     An operating system (OS) is system software that manages device hardware and software resources and provides common services for software programs.
On boarding     The method to register a device into its service or solution to enable device registration [ref 16] (footnote 1), configuration and data transfer.
Ownership Transfer     In case a device is transferred through a supply chain and changes owner, this method ensures a reliable and secure transfer of ownership.
Personal Information     Personal Information is defined by the EU General Data Protection Regulation (GDPR): https://ec.europa.eu/info/law/law-topic/data-protection_en.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Other jurisdictions may have different definitions.
Secure Boot     Process that ensures a device only starts software that is trusted by the OEM.
Secure Protocol     The method of exchanging information that ensures protection and reliability of the data (usually through cryptographic techniques).
Software     Unless otherwise explicitly stated, for the purposes of this document the term software also includes any firmware elements in the product.
Strong Authentication     A procedure based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:  
i) Something only the user or device knows, e.g. static password, code, personal identification number;  
ii) Something only the user or device possesses, e.g. token, smart card, mobile phone;  
iii) Something the user or device is, e.g. biometric characteristic, such as a fingerprint.
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data. Other examples include NIST Special Publication 800-63B, see [ref 26] (footnote 2), and European Central Bank: Recommendations For The Security Of Internet Payments http://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf?95e6bba1ef875877ad3c35cf3b12399c
Supply Chain of Trust     Where an IoT system uses device or service components with more than one source, all sources demonstrate assurance with the relevant requirements of this framework. This will lead to the devices and services in an IoT system exhibiting the following attributes:
- Engender robust Root of Trust and secure identities
- Safeguard application code at source
- Inhibit grey-manufacturing and protect IP
- Ensure only valid applications are programmed
- Integrate robust key structures for ownership delegation
- Enable lifecycle updates and patching
Tamper Evident     The enclosure of the product has measures to ensure that any unauthorised attempt to open it leaves evidence of the attempt, for example, labelling across a product’s enclosure joint that fragments when the joint is disturbed.
Tamper Resistant     The enclosure of the product has measures to prevent its unauthorised opening. Typically, with specialist fasteners or other features that require the use of specialist tooling, unique to the product.

3.2.2 Acronyms

CoAP     Constrained Application Protocol
DDoS     Distributed Denial of Service
DTLS     Datagram Transport Layer Security
EAL     Evaluation Assurance Level
ERP     Effective Radiated Power
HTML     Hypertext Markup Language
HTTP     Hypertext Transfer Protocol
IP     Internet Protocol
MD     Message Digest
MQTT     Message Queue Telemetry Transport - ISO standard ISO/IEC PRF 20922
OEM     Original Equipment Manufacturer
PRNG     Pseudo Random Number Generator
ROT     Root Of Trust
SHA     Secure Hash Algorithm
SSH     Secure Socket Shell
TRNG     True Random Number Generator
TBC     To Be Confirmed
TBD     To Be Determined
TCP     Transmission Control Protocol
TLS     Transport Layer Security
T3P     Trusted Third Party
UDP     User Datagram Protocol
URL     Uniform Resource Locator
WPS     Wi-Fi Protected Setup

Footnotes

  1. Example of IoT application ID registry and possible privacy profile registry

  2. NIST SP800-63b Revision 1, "NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management", June 2017 [https://pages.nist.gov/800-63-3/sp800-63b.html]