ITS Cybersecurity Glossary

Authorization Authority (AA): In European C-ITS, the component that issues short-term Authorization Tickets to ITS stations for signing messages.

Authorization Ticket (AT): A short-lived certificate in the European CCMS used to sign V2X messages while protecting sender privacy.

Backhaul Interface: A network interface that connects ITS field devices, traffic management centers, and backend systems using IP-based communications, typically secured with protocols such as TLS.

Broadcast Interface: A communication interface used to transmit messages to multiple recipients without prior session establishment, commonly used in V2X safety messaging.

Butterfly Key: A final public key created by the Butterfly Key Expander (BKE).

Butterfly Key Expander (BKE): A certificate generation process that is used to derive large numbers of public/private key pairs from a single initial key pair.

Caterpillar Key Pair: An initial asymmetric key pair generated by an ITS Station.

Certificate Authority (CA): An entity within a public key infrastructure that issues and signs digital certificates to bind public keys to identities or permissions.

Certificate Policy Authority (CPA): A governance entity in European C-ITS responsible for defining certificate policies, approving root authorities, and overseeing trust list management.

Certificate Trust List (CTL): A list of trusted Root Certificate Authorities and security authorities used to verify which certificates a system accepts.

Cocoon Key: A derived public key created by a Cocoon Key Expander (CKE) function.

Cooperative ITS Credential Management System (CCMS): The European system for managing certificates, trust lists, and permissions for ITS stations.

Cryptographic Hash: A fixed-length value generated from input data using a one-way function, used to verify data integrity and detect modification.

Digital Signature: A cryptographic mechanism that uses a private key to sign data, allowing others to verify its integrity and origin using the corresponding public key.

Distribution Center (DC): A component in a credential management system that distributes trust lists, certificates, and revocation information to ITS stations.

Elliptic Curve Cryptography (ECC): A form of public-key cryptography based on the mathematics of elliptic curves. It provides equivalent security to traditional algorithms with smaller key sizes, making it efficient for constrained environments.

Elliptic Curve Digital Signature Algorithm (ECDSA): A digital signature algorithm based on elliptic curve cryptography. It is used to create and verify signatures that provide authentication and data integrity.

Enrolment Authority (EA): In European C-ITS, the authority that issues Enrolment Credentials proving a device’s legitimacy.

Enrolment Credential (EC): A long-term certificate proving that a device is approved to request operational certificates.

European Certificate Trust List (ECTL): The signed electronic version of a trust list used in European deployments to distribute trusted root and authority information to devices.

Hardware Security Module (HSM): A dedicated hardware component used to securely generate, store, and use cryptographic keys; provides strong protection against key theft or tampering.

Integrity: A security property that ensures data has not been altered or tampered with during transmission or storage.

Intelligent Transport System Application Identifier (ITS-AID): An identifier used to uniquely identify ITS application objects.

ITS Station (ITS-S): A logical entity within an ITS capable of sending, receiving, and processing ITS messages, implemented in vehicles, roadside units, or backend systems.

Lateral Movement: An attacker technique where access gained on one device or network segment is used to move to other connected systems, increasing the impact of a breach.

Local Interface: A device interface used for direct physical or local access to an ITS component for maintenance, configuration, or diagnostics.

Man-in-the-Middle Attack: A threat where an attacker secretly intercepts and possibly alters communication between two parties who believe they are communicating directly with each other.

Message Authentication Code (MAC): A cryptographic value generated using a shared secret key and input data that allows a receiver to verify that the data has not been altered and that it came from a party that possesses the same secret key.

Misbehaviour Authority (MA): An entity within a credential management system that evaluates misbehaviour reports and coordinates actions such as certificate revocation.

Misbehaviour Detection: A set of processes and services that identify and respond to devices that send invalid or malicious messages.

National Transportation Communications for Intelligent Transportation Systems Protocol (NTCIP): A family of standards that define how transportation management systems communicate with field devices using standardized data objects and messaging.

Onboard Unit (OBU): An in-vehicle device that communicates with other vehicles and roadside equipment using secure V2X messages.

Provider Service Identifier (PSID): An identifier in certificates that defines which ITS applications a device is authorized to use.

Pseudonym Certificate: A short-lived certificate in the SCMS that allows vehicles to sign messages without exposing a permanent identity.

Public Key Infrastructure (PKI): A framework of roles, policies, and components used to create, manage, distribute, and revoke digital certificates and cryptographic keys.

Registration Authority (RA): An entity that validates device or user eligibility and processes enrolment requests prior to certificate issuance.

Replay Attack: A type of attack where previously transmitted valid messages are captured and resent to create unauthorized or misleading effects.

Rivest Shamir Adleman (RSA): A public-key cryptographic algorithm based on the mathematical difficulty of factoring large integers. It is used for encryption, digital signatures, and key exchange.

Root Certificate Authority (Root CA): The highest trust anchor in a PKI that signs subordinate certificates.

Roadside Unit (RSU): A field device mounted along the roadway that exchanges secure messages with vehicles and backend systems.

Secure Boot: A security mechanism that ensures a device only executes trusted and verified firmware during startup.

Security Credential Management System (SCMS): The North American system for managing V2X certificates, permissions, trust lists, and misbehaviour response.

Service Specific Permission (SSP): A field in a certificate that provides detailed constraints on what actions a device may perform within an application.

To-Be-Signed Data (tbsData): A structured data element in IEEE 1609.2 that contains the message payload and metadata over which a digital signature is computed.

Trust Anchor: A trusted root certificate or authority used by an ITS station to validate certificate chains and establish trust in received messages.

Trust List Manager (TLM): An entity responsible for maintaining and publishing trusted certificate authority lists in European C-ITS deployments.

Transport Layer Security (TLS): A cryptographic protocol that provides secure communication over IP networks through encryption, integrity protection, and endpoint authentication.

Trusted Platform Module (TPM): A secure hardware chip embedded in a device that stores keys and measurements used for secure boot and attestation; similar in purpose to an HSM but typically built-in.

X.509 Certificate: A widely used digital certificate format that binds a public key to an identity and is commonly used in TLS and enterprise network security.