For the purposes of this document, the terms and definitions given in OPC 10000-1 as well as the following apply.

A limit on the circumstances under which an operation, such as a read, write or a call, can be performed on a Node.

Note 1 to entry: Operations can only be performed on a Node if the Client has the necessary Permissions and has satisfied all of the AccessRestrictions.

A digitally signed document that asserts that the subject is entitled to access a Resource.

Note 1 to entry: The document includes the name of the subject and the Resource being accessed.

individual installation of a program running on one computer.

Note 1 to entry: There can be several ApplicationInstances of the same application running at the same time on several computers or possibly the same computer.

Certificate of an individual ApplicationInstance that has been installed in an individual host.

Note 1 to entry: Different installations of one software product would have different ApplicationInstanceCertificates. The use of an ApplicationInstanceCertificate for uses outside of what is described in the specification could greatly reduce the security provided by the ApplicationInstanceCertificate and should be discouraged.

Note 2 to entry: Also written as ApplicationInstance Certificate.

Cryptography method that uses a pair of keys, one that is designated the Private Key and kept secret, the other called the Public Key that is generally made available.

Note 1 to entry: "Asymmetric Cryptography, also known as 'public-key cryptography'. In an Asymmetric Encryption algorithm when an entity A requires Confidentiality for data sent to entity B, then entity A encrypts the data with a Public Key provided by entity B. Only entity B has the matching Private Key that is needed to decrypt the data. In an asymmetric Digital Signature algorithm when an entity A requires message Integrity or to provide Authentication for data sent to entity B, entity A uses its Private Key to sign the data. To verify the signature, entity B uses the matching Public Key that entity A has provided. In an asymmetric key agreement algorithm, entity A and entity B each send their own Public Key to the other entity. Then each uses their own Private Key and the other's Public Key to compute the new key value." (according to IS Glossary)

the mechanism used by Asymmetric Cryptography for encrypting data with the Public Key of an entity and for decrypting data with the associated Private Key

the mechanism used by Asymmetric Cryptography for signing data with the Private Key of an entity and for verifying the data's signature with the associated Public Key

security objective that assures that any actions or activities in a system can be recorded

the tracking of actions and activities in the system, including security related activities, where Audit records can be used to review and verify system operations

The process that assures that the identity of an entity such as a Client, Server, Publisher or user can be verified

the ability to grant access to a system resource

Note 1 to entry: Authorization of access to resources should be based on the need-to-know principle. It is important that access is restricted in a system.

A Server which validates a request to access a Resource and returns an AccessToken that grants access to the Resource

Note 1 to entry: The AuthorizationService is also called STS (Security Token Service) in other standards.

security objective that assures that the system is running normally. That is, no services have been compromised in such a way as to become unavailable or severely degraded

entity that can issue Certificates, also known as a CA

Note 1 to entry: The Certificate certifies the ownership of a Public Key by the named subject of the Certificate. This allows others (relying parties) to rely upon signatures or assertions made by the Private Key that corresponds to the Public Key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the Certificate and the party relying upon the Certificate. CAs are characteristic of many Public Key Infrastructure (PKI) schemes.

persistent location where Certificates and Certificate revocation lists (CRLs) are stored

Note 1 to entry: It may be a disk resident file structure or on Windows platforms it may be a Windows registry location.

A statement in an AccessToken that asserts information about the subject which the Authorization Service knows to be true.

Note 1 to entry: Claims can include username, email, and Roles granted to the subject.

security objective that assures the protection of data from being read by unintended parties

transforming clear, meaningful information into an enciphered, unintelligible form using an algorithm and a key

program designed by an organization to maintain the security of the entire organization’s assets to an established level of Confidentiality, Integrity, and Availability, whether they are on the business side or the industrial automation and control systems side of the organization

value computed with a cryptographic algorithm and appended to data in such a way that any recipient of the data can use the signature to verify the data’s origin and Integrity

algorithm for which it is computationally infeasible to find either a data object that maps to a given hash result (the "one-way" property) or two data objects that map to the same hash result (the "collision-free" property), see IS Glossary

MAC that has been generated using an iterative Hash Function

security objective that assures that information has not been modified or destroyed in an unauthorized manner, see IS Glossary

A Server which verifies credentials provided by a Security Principal and returns a token which can be passed to an associated Authorization Service.

protocol used for establishing a secure communication path between two entities in an unsecured environment whereby both entities apply a specific algorithm to securely exchange secret keys that are used for securing the communication between them

Note 1 to entry: A typical example of a Key Exchange Algorithm is the SSL Handshake Protocol specified in SSL/TLS.

short piece of data that results from an algorithm that uses a secret key (see Symmetric Cryptography) to hash a Message, whereby the receiver of the Message can check against alteration of the Message by computing a MAC that should be identical using the same Message and secret key

Digital Signature used to ensure the Integrity of Messages that are sent between two entities

Note 1 to entry: There are several ways to generate and verify Message Signatures; however, they can be categorized as symmetric (see Clause 3.1.40) and asymmetric (see Clause 3.1.5) approaches.

strong and substantial evidence of the identity of the signer of a Message and of Message Integrity, sufficient to prevent a party from successfully denying the original submission or delivery of the Message and the Integrity of its contents

random number that is used once typically by algorithms that generate security keys

The right to execute an operation, such as a read, write or a call, on a Node.

the secret component of a pair of cryptographic keys used for Asymmetric Cryptography

Note 1 to entry: Public Key and Private Key are always generated as a pair. If either is updated the other must also be updated.

the publicly-disclosed component of a pair of cryptographic keys used for Asymmetric Cryptography, see IS Glossary

Note 1 to entry: Public Key and Private Key are always generated as a pair. If either is updated the other must also be updated.

the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Certificates based on Asymmetric Cryptography

Note 1 to entry: The core PKI functions are to register users and issue their public-key Certificates, to revoke Certificates when required, and to archive data needed to validate Certificates at a much later time. Key pairs for data Confidentiality may be generated by a Certificate authority (CA); it is a good idea to require a Private Key owner to generate their own key pair, as it improves security because the Private Key would never be transmitted, according to IS Glossary. See PKI and X509 PKI for more details on Public Key Infrastructures.

A secured entity which an application needs to access.

Note 1 to entry: A Resource is usually a Server.

algorithm for Asymmetric Cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman, see IS Glossary

A function assumed by a Client when it accesses a Server.

Note 1 to entry: A Role may refer to a specific job function such as operator or engineer.

A Claim representing a subset of a Resource.

Note 1 to entry: A Scope may indicate a set of Nodes managed by a Server.

A Server that accepts AccessTokens issued by the Authorization Service and returns security keys that can be used to access the specified Resource.

Note 1 to entry: The keys are typically used for cryptography operations such as encrypting or decrypting messages sent on a PubSub stream.

in OPC UA, a communication path established between an OPC UA Client and Server that have authenticated each other using certain OPC UA services and for which security parameters have been negotiated and applied

branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification), see IS Glossary

the mechanism used by Symmetric Cryptography for encrypting and decrypting data with a cryptographic key shared by two entities

Publisher(s) and Subscriber(s) that utilize a shared security context

Note 1 to entry: This context may include shared keys.

the mechanism used by Symmetric Cryptography for signing data with a cryptographic key shared by two entities

Note 1 to entry: The signature is then validated by generating the signature for the data again and comparing these two signatures. If they are the same then the signature is valid; otherwise either the key or the data differs between the two entities.
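The Message Authentication Code, HMAC and Symmetric Signature entries above all describe the same verification pattern: the receiver recomputes the tag with the shared secret key and compares it with the tag it received. The following Python example, added here for illustration and not taken from the OPC UA specification, shows that pattern with HMAC-SHA256 from the standard library. The shared key, the message text and the helper names are constructed for the example; the comparison uses a constant-time check so that the verifier does not leak how many bytes of the tag matched.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical; not defined by the specification).
SHARED_KEY = bytes.fromhex("0f" * 32)   # 256-bit key known to both entities
MESSAGE = b"Write Node ns=2;s=Setpoint value=42"


def symmetric_sign(key: bytes, message: bytes) -> bytes:
    """Produce the MAC (here an HMAC over an iterative hash, SHA-256).

    In symmetric signing this tag is the Message Signature appended to the data.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def symmetric_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Validate by regenerating the signature and comparing the two tags.

    hmac.compare_digest compares in constant time and returns False when the
    lengths differ, so a truncated tag is rejected without a timing side channel.
    """
    expected = symmetric_sign(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the four cases a verifier must distinguish and report the outcome of each."""
    tag = symmetric_sign(SHARED_KEY, MESSAGE)
    return {
        # Same key, same data: the regenerated signature matches.
        "genuine": symmetric_verify(SHARED_KEY, MESSAGE, tag),
        # Data altered in transit: the regenerated signature differs.
        "tampered_message": symmetric_verify(SHARED_KEY, MESSAGE.replace(b"42", b"99"), tag),
        # Receiver holds a different key: the regenerated signature differs.
        "wrong_key": symmetric_verify(bytes.fromhex("00" * 32), MESSAGE, tag),
        # Tag shortened: length mismatch is rejected outright.
        "truncated_tag": symmetric_verify(SHARED_KEY, MESSAGE, tag[:16]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} -> {'valid' if ok else 'rejected'}")
```

Only the genuine case verifies; a mismatch cannot tell the receiver whether the key or the data was wrong, which is exactly the point made in the note above.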

list of Certificates that an OPC UA Application has been configured to trust

standard protocol for creating Secure Channels over IP based networks

Certificate in one of the formats defined by X.509 v1, 2, or 3

Note 1 to entry: An X.509 Certificate contains a sequence of data items and has a Digital Signature computed on that sequence. OPC UA only uses V3.