For the purposes of this document, the terms and definitions given in OPC 10000-1 and the following apply.

limit on the circumstances under which an operation, such as a read, write or a call, can be performed on a Node

Note 1 to entry: Operations can only be performed on a Node if the Client has the necessary Permissions and has satisfied all of the AccessRestrictions.

digitally signed document that asserts that the subject is entitled to access a Resource

Note 1 to entry: The document includes the name of the subject and the Resource being accessed.

individual installation of a program running on one computer

Note 1 to entry: There can be several ApplicationInstances of the same application running at the same time on several computers or possibly the same computer.

Certificate of an individual ApplicationInstance that has been installed in an individual host

Note 1 to entry: Different installations of one software product would have different ApplicationInstanceCertificates. The use of an ApplicationInstanceCertificate for uses outside of what is described in the specification could greatly reduce the security provided by the ApplicationInstanceCertificate and should be discouraged.

Note 2 to entry: also written as ApplicationInstance Certificate

Cryptography method that uses a pair of keys, one that is designated the Private Key and kept secret, the other called the Public Key that is generally made available

Note 1 to entry: According to the IS Glossary, in an Asymmetric Encryption algorithm, when an entity “A” requires Confidentiality for data sent to entity “B”, entity “A” encrypts the data with a Public Key provided by entity “B”. Only entity “B” has the matching Private Key that is needed to decrypt the data. In an asymmetric Digital Signature algorithm, when an entity “A” requires message Integrity or needs to provide Authentication for data sent to entity “B”, entity “A” uses its Private Key to sign the data. To verify the signature, entity “B” uses the matching Public Key that entity “A” has provided. In an asymmetric key agreement algorithm, entity “A” and entity “B” each send their own Public Key to the other entity. Then each uses its own Private Key and the other’s Public Key to compute the new key value.

Note 2 to entry: Asymmetric Cryptography is also known as Public Key Cryptography. Public Key Cryptography was originally based on RSA and has since been extended to include ECC.

mechanism used by Asymmetric Cryptography for encrypting data with the Public Key of an entity and for decrypting data with the associated Private Key

mechanism used by Asymmetric Cryptography for signing data with the Private Key of an entity and for verifying the data’s signature with the associated Public Key

security objective that assures that any actions or activities in a system can be recorded

tracking of actions and activities in the system, including security related activities where Audit records can be used to review and verify system operations

encryption scheme which simultaneously assures the data confidentiality and authenticity

Note 1 to entry: AuthenticatedEncryption algorithms could allow for associated data to be signed but not encrypted.

process that assures that the identity of an entity such as a Client, Server, Publisher or user can be verified

ability to grant access to a system resource

Note 1 to entry: Authorization of access to resources should be based on the need-to-know principle. It is important that access is restricted in a system.

Server which validates a request to access a Resource and returns an AccessToken that grants access to the Resource

Note 1 to entry: The AuthorizationService is also called STS (Security Token Service) in other standards.

security objective that assures that the system is running normally, that is, no services have been compromised in such a way as to become unavailable or severely degraded

entity that can issue Certificates, also known as a CA

Note 1 to entry: The Certificate certifies the ownership of a Public Key by the named subject of the Certificate. This allows others (relying parties) to rely upon signatures or assertions made by the Private Key that corresponds to the Public Key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the Certificate and the party relying upon the Certificate. CAs are characteristic of many Public Key Infrastructure (PKI) schemes.

persistent location where Certificates and Certificate revocation lists (CRLs) are stored

Note 1 to entry: It could be a disk resident file structure or on Windows platforms it could be a Windows registry location.

statement in an AccessToken that asserts information about the subject which the Authorization Service knows to be true

Note 1 to entry: Claims can include username, email, and Roles granted to the subject.

security objective that assures the protection of data from being read by unintended parties

transforming clear, meaningful information into an enciphered, unintelligible form using an algorithm and a key

program designed by an organization to maintain the security of the entire organization’s assets to an established level of Confidentiality, Integrity, and Availability, whether they are on the business side or the industrial automation and control systems side of the organization

mechanism for negotiating a shared secret between two parties that can be used for secret communication for exchanging data over a network

Note 1 to entry: Elliptic Curve Cryptography (ECC) requires the use of a Diffie-Hellman Key Exchange.

value computed with a cryptographic algorithm and appended to data in such a way that any recipient of the data can use the signature to verify the data’s origin and Integrity

Asymmetric Cryptography method that uses a pair of keys calculated from the mathematical structure of elliptic curves over finite fields

Note 1 to entry: ECC is a family of algorithms that support Digital Signatures but not encryption.

algorithm for which it is computationally infeasible to find either a data object that maps to a given hash result (the "one-way" property) or two data objects that map to the same hash result (the "collision-free" property), see IS Glossary

MAC that has been generated using an iterative Hash Function

security objective that assures that information has not been modified or destroyed in an unauthorized manner, see IS Glossary

Server which verifies credentials provided by a Security Principal and returns a token which can be passed to an associated Authorization Service

protocol used for establishing a secure communication path between two entities in an unsecured environment whereby both entities apply a specific algorithm to securely exchange secret keys that are used for securing the communication between them

Note 1 to entry: A typical example of a Key Exchange Algorithm is the Handshake Protocol specified in TLS.

short piece of data that results from an algorithm that uses a secret key (see Symmetric Cryptography) to hash a Message whereby the receiver of the Message can check against alteration of the Message by computing a MAC that should be identical using the same Message and secret key

Digital Signature used to ensure the Integrity of Messages that are sent between two entities

Note 1 to entry: There are several ways to generate and verify Message Signatures; however, they can be categorized as symmetric (see Clause 3.1.44) and asymmetric (see Clause 3.1.5) approaches.

ability to prove the occurrence of a claimed event or action and its originating entities

Note 1 to entry: The purpose of non-repudiation is to resolve disputes about the occurrence or non-occurrence of the event or action and involvement of entities in the event.

Note 2 to entry: This definition comes from ISA/IEC 62443 and could be different from the definition used in other industries.

random number that is used once typically by algorithms that generate security keys

right to execute an operation, such as a read, write or a call, on a Node

secret component of a pair of cryptographic keys used for Asymmetric Cryptography

Note 1 to entry: Public Key and Private Key are always generated as a pair. If either is updated the other is also updated.

publicly-disclosed component of a pair of cryptographic keys used for Asymmetric Cryptography, see IS Glossary

Note 1 to entry: Public Key and Private Key are always generated as a pair. If either is updated the other must also be updated

set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Certificates based on Asymmetric Cryptography

Note 1 to entry: The core PKI functions are to register users and issue their public-key Certificates, to revoke Certificates when required, and to archive data needed to validate Certificates at a much later time. Key pairs for data Confidentiality could be generated by a Certificate Authority (CA); however, according to the IS Glossary, it is good practice to require the Private Key owner to generate their own key pair, as this improves security because the Private Key is then never transmitted. See PKI and X509 PKI for more details on Public Key Infrastructures.

secured entity which an application needs to access

Note 1 to entry: A Resource is usually a Server.

algorithm for Asymmetric Cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman, see IS Glossary

Note 1 to entry: RSA is an Asymmetric Cryptography algorithm that supports encryption and Digital Signatures and is based on factoring of a large integer which is in turn based on two or more prime factors.

function assumed by a Client when it accesses a Server

Note 1 to entry: A Role could refer to a specific job function such as operator or engineer.

Claim representing a subset of a Resource

Note 1 to entry: A Scope could indicate a set of Nodes managed by a Server.

communication channel that ensures the confidentiality and/or integrity of all messages exchanged between a Client and a Server

Note 1 to entry: If the security policy is None, then confidentiality and integrity are not ensured.

Publisher(s) and Subscriber(s) that utilize a shared security context

Note 1 to entry: This context could include shared keys.

Server that accepts AccessTokens issued by the Authorization Service and returns security keys that can be used to access the specified Resource

Note 1 to entry: The keys are typically used for cryptography operations such as encrypting or decrypting messages sent on a PubSub stream.

branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification), see IS Glossary

mechanism used by Symmetric Cryptography for encrypting and decrypting data with a cryptographic key shared by two entities

shared key used by Symmetric Cryptography for encrypting and decrypting data

mechanism used by Symmetric Cryptography for signing data with a cryptographic key shared by two entities

Note 1 to entry: The signature is then validated by generating the signature for the data again and comparing the two signatures. If they are the same the signature is valid; otherwise either the key or the data differs between the two entities.
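As an added example (not from the OPC UA specification), the symmetric sign-and-verify procedure described in the note above, and the MAC and HMAC entries earlier, using an HMAC over SHA-256 with a constructed shared key; the receiver regenerates the signature and compares it in constant time, and a mismatch in either the key or the data yields a failed verification.

```python
import hashlib
import hmac

# Constructed sample values for illustration only (not from the specification).
SHARED_KEY = b"constructed-shared-secret-key"
MESSAGE = b"OPC UA sample message body"


def symmetric_sign(key: bytes, message: bytes) -> bytes:
    """Generate a MAC for the message using the shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def symmetric_verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Regenerate the signature with the same key and message and compare.

    compare_digest runs in constant time, so the check does not leak how many
    bytes of the supplied signature matched; a length mismatch returns False.
    """
    expected = symmetric_sign(key, message)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Show the valid case and the three ways verification fails."""
    signature = symmetric_sign(SHARED_KEY, MESSAGE)
    return {
        "valid": symmetric_verify(SHARED_KEY, MESSAGE, signature),
        # data altered in transit: regenerated MAC differs
        "tampered_data": symmetric_verify(SHARED_KEY, MESSAGE + b"x", signature),
        # entities hold different keys: regenerated MAC differs
        "wrong_key": symmetric_verify(b"constructed-other-key", MESSAGE, signature),
        # signature itself damaged or truncated
        "truncated_sig": symmetric_verify(SHARED_KEY, MESSAGE, signature[:-1]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'valid' if result else 'invalid'}")
```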

list of Certificates that an OPC UA Application has been configured to trust

standard protocol for creating SecureChannels over IP based networks

encryption scheme which assures confidentiality, but not authenticity

Note 1 to entry: UnauthenticatedEncryption algorithms are all Symmetric Encryption algorithms that are not AuthenticatedEncryption algorithms.

Certificate in one of the formats defined by X.509 v1, 2, or 3

Note 1 to entry: An X.509 Certificate contains a sequence of data items and has a Digital Signature computed on that sequence. OPC UA only uses V3.

AES Advanced Encryption Standard

CA Certificate Authority

CRL Certificate Revocation List

CSMS Cyber Security Management System

DNS Domain Name System

DSA Digital Signature Algorithm

ECC Elliptic Curve Cryptography

ECDH Elliptic Curve Diffie-Hellman

ECDSA Elliptic Curve Digital Signature Algorithm

HMAC Hash-based Message Authentication Code

JSON JavaScript Object Notation

JWT JSON Web Token

MAC Media Access Control

NIST National Institute of Standards and Technology

PKI Public Key Infrastructure

RSA Rivest, Shamir, Adleman (public key algorithm for signing or encryption)

SHA Secure Hash Algorithm (multiple versions exist: SHA1, SHA256, …)

SKS Security Key Server

SSL Secure Sockets Layer

TLS Transport Layer Security

UA Unified Architecture

UACP Unified Architecture Connection Protocol

UADP Unified Architecture Datagram Protocol

URI Uniform Resource Identifier

USB Universal Serial Bus

XML Extensible Mark-up Language

The figures in this document do not use any special conventions. Any conventions used in a particular figure are explained for that figure.