Post on 27-Mar-2021
Recent Developments in ISO/IEC Security Standardization
Dr. Walter Fumy
Chairman ISO/IEC JTC 1/SC 27; Chief Scientist, Bundesdruckerei GmbH, Germany
6th ETSI Security Workshop - Sophia Antipolis, January 2011
Agenda
ISO/IEC JTC 1 – Information Technology
JTC 1/SC 37 – Biometrics
JTC 1/SC 17 – Cards and Personal Identification
JTC 1/SC 27 – IT Security Techniques: scope, organization, work programme; recent achievements & new projects
Conclusion
Dr. Walter Fumy | 19.01.2011 | 6th ETSI Security Workshop, Sophia Antipolis, January 2011
ISO/IEC JTC 1 – Information Technology: Mission & Principles
JTC 1 develops, maintains, promotes and facilitates IT standards required by global markets meeting business and user requirements.
Principles include:
- business-like approach (i.e., cost effective, short development times, market-oriented results, ...);
- ensuring that user needs, including multicultural requirements, are fully met;
- actively promoting the use of JTC 1 products and services;
- recognizing the value of the work of other organizations and the contribution they make to international IT standardization, and complementing existing and forthcoming JTC 1 programs through other leading edge activities with the objective of providing the best standards worldwide.
ISO/IEC JTC 1 – Information Technology: Security Related Sub-committees
SC 6 Telecommunications and information exchange between systems
SC 7 Software and systems engineering
SC 17 Cards and personal identification
SC 25 Interconnection of information technology equipment
SC 27 IT Security techniques
SC 29 Coding of audio, picture, multimedia and hypermedia information
SC 31 Automatic identification and data capture techniques
SC 32 Data management and interchange
SC 36 Information technology for learning, education and training
SC 37 Biometrics
SC 38 Distributed application platforms and services (DAPS)
SC 37 – Biometrics: Scope
Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects.
Excluded is the work in ISO/IEC JTC 1/SC 17 to apply biometric technologies to cards and personal identification.
Excluded is the work in ISO/IEC JTC 1/SC 27 for biometric data protection techniques, biometric security testing, evaluations, and evaluation methodologies.
SC 37 – Biometrics: Key Facts
Working Groups
WG 1 Harmonized biometric vocabulary
WG 2 Biometric technical interfaces
WG 3 Biometric data interchange formats
WG 4 Biometric functional architecture and related profiles
WG 5 Biometric testing and reporting
WG 6 Cross-Jurisdictional and Societal Aspects of Biometrics
28 participating countries
52 published standards
Technology innovations and new customers’ needs are being addressed in a “second generation” of biometric standards such as the revision of the biometric data interchange formats, new biometric technical interface standards, performance (and conformance) testing methodology standards, and biometric sample quality standards.
SC 17 – Cards and Personal Identification: Key Facts
Standardization in the area of:
a) Identification and related documents,
b) Cards and devices associated with their use in inter-industry applications and international interchange.
Working Groups
WG 1 Physical characteristics and test methods for ID-cards
WG 3 Identification cards - Machine readable travel documents
WG 4 Integrated circuit cards with contacts
WG 5 Registration Management Group (RMG)
WG 8 Integrated circuit cards without contacts
WG 9 Optical memory cards and devices
WG 10 Motor vehicle driver license and related documents
WG 11 Application of biometrics to cards and personal identification
33 participating countries
84 published standards
Electronic Displays in IC Cards: New SC 17 Project
[Figure: security options offered by displays in IC cards]
- Use of security materials: personalized materials, exclusive material properties, unique spectrum of display materials
- Optical communication: tamperproof optical data transfer via display, dynamic security feature and watermarks
- Visible information: password, PIN, address data, visa information, card and internet transaction status, 3D photo, video identification
Displays in IC cards provide security options at all levels
SC 27 – IT Security Techniques: Scope
The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
- Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
- Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security;
- Security evaluation criteria and methodology.
SC 27 – IT Security Techniques: Organization
[Organization chart]
ISO/IEC JTC 1/SC 27 IT Security techniques – Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia
Working Group 1 – Information security management systems – Convener: Mr. T. Humphreys
Working Group 2 – Cryptography and security mechanisms – Convener: Mr. T. Chikazawa
Working Group 3 – Security evaluation criteria – Convener: Mr. M. Bañón
Working Group 4 – Security controls and services – Convener: Mr. M.-C. Kang
Working Group 5 – Identity management and privacy technologies – Convener: Mr. K. Rannenberg
http://www.jtc1sc27.din.de/en
SC 27/WG 1: ISMS Family of Standards
[Diagram of the ISMS family of standards]
Overview, requirements and code of practice:
- 27000 ISMS Overview and Vocabulary
- 27001 ISMS Requirements
- 27002 (pka 17799) Code of Practice
Supporting Guidelines:
- 27003 ISMS Implementation Guidance
- 27004 Information Security Mgt Measurements
- 27005 Information Security Risk Management
- TR 27016 Information Security Mgt - Organizational economics
Accreditation Requirements and Auditing Guidelines:
- 27006 Accreditation Requirements
- 27007 ISMS Auditing Guidance
- TR 27008 ISMS Guide for auditors on ISMS controls
Sector Specific Requirements and Guidelines:
- 27010 ISMS for Inter-sector communications
- 27011 / ITU-T X.1051 Telecom Sector ISMS Requirements
- 27015 Financial and Insurance Sector ISMS Requirements
SC 27/WG 4: Security Controls and Services
Unknown or emerging security issues:
- ICT Readiness for Business Continuity (WD 27031)
- Cybersecurity (WD 27032)
- Network Security (CD 27033-1, WD 27033-2/3/4)
- Application Security (WD 27034-1)
Known security issues:
- Security Info-Objects for Access Control (TR 15816)
- Security of Outsourcing (NP)
- TTP Services Security (TR 14516; 15945)
- Time Stamping Services (TR 29149)
Security breaches and compromises:
- Information security incident management (27035)
- ICT Disaster Recovery Services (24762)
- Identification, collection and/or acquisition, and preservation of digital evidence (NP)
SC 27/WG 2: Cryptography and Security Mechanisms
Cryptographic Protocols:
- Entity Authentication (IS 9798)
- Key Mgt (IS 11770)
- Non-Repudiation (IS 13888)
- Time Stamping Services (IS 18014)
Message Authentication, Digital Signatures, Check Character Systems:
- Hash Functions (IS 10118)
- Message Authentication Codes (IS 9797)
- Signatures giving Msg Recovery (IS 9796)
- Signatures with Appendix (IS 14888)
- Check Character Systems (IS 7064)
- Cryptographic Techniques based on Elliptic Curves (IS 15946)
Encryption & Parameter Generation:
- Encryption (IS 18033)
- Modes of Operation (IS 10116)
- Random Bit Generation (IS 18031)
- Prime Number Generation (IS 18032)
- Authenticated Encryption (IS 19772)
- Biometric Template Protection (NP 24745)
SC 27/WG 3: Security Evaluation Criteria
- Secure System Engineering Principles and Techniques (NWIP)
- Responsible Vulnerability Disclosure (WD 29147)
- Trusted Platform Module (IS 11889)
- A Framework for IT Security Assurance (TR 15443)
- SSE-CMM (IS 21827)
- Security Requirements for Cryptographic Modules (IS 19790)
- Test Requirements for Cryptographic Modules (IS 24759)
- Security Assessment of Operational Systems (TR 19791)
- IT Security Evaluation Criteria (CC) (IS 15408)
- Evaluation Methodology (CEM) (IS 18045)
- PP/ST Guide (TR 15446)
- Protection Profile Registration Procedures (IS 15292)
- Security Evaluation of Biometrics (FDIS 19792)
- Verification of Cryptographic Protocols (WD 29128)
SC 27/WG 5: Identity Management & Privacy Technologies
WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:
Frameworks & Architectures
- A framework for identity management (ISO/IEC 24760, FCD/WD/WD)
- Privacy framework (ISO/IEC 29100, FCD)
- Privacy reference architecture (ISO/IEC 29101, CD)
- Entity authentication assurance framework (ISO/IEC 29115 / ITU-T Xeaa, CD)
- A framework for access management (ISO/IEC 29146, WD)
Protection Concepts
- Biometric information protection (ISO/IEC 24745, FDIS)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)
Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, 2009)
- Privacy capability assessment framework (ISO/IEC 29190, WD)
SC 27 – IT Security Techniques: Recent Achievements
Summary between November 2009 and October 2010:
- 11 International Standards and Technical Reports have been published (total number of publications: 98)
- 13 new projects have been approved (total number of projects: 160)
- 5 additional O-members (total 18) (total number of P-members: 41)
- 9 additional liaisons, 5 liaisons terminated (total number of liaisons: 54)
Approved New Projects
- ISO/IEC 20004 – Software development and evaluation under ISO/IEC 15408
- ISO/IEC 20008 – Anonymous digital signatures (2 Parts)
- ISO/IEC 20009 – Anonymous entity authentication (2 Parts)
- ISO/IEC TR 27016 – Information security management – Organizational economics
- ISO/IEC 27038 – Specification for digital redaction
- ISO/IEC 30104 – Physical security attacks, mitigation techniques and security requirements
20 Years of ISO/IEC JTC 1/SC 27 Information Security Standardisation
Platinum Book
available from http://www.jtc1sc27.din.de/sbe/sc27berlin
Next SC 27 meetings:
- Apr 11-19, 2011, Singapore (WGs and Plenary)
- Oct 10-14, 2011, Nairobi, Kenya (WGs)
- May 7-15, 2012, Sweden (WGs and Plenary)
Machine Readable Travel Documents: Major Contributions from JTC 1 Subcommittees
ICAO TAG-MRTD
ISO/IEC JTC 1/SC 17 – Cards and Personal Identification: ISO/IEC 7816, ISO/IEC 10373, ISO/IEC 14443
ISO/IEC JTC 1/SC 27 – IT Security Techniques: ISO/IEC 9796-2, ISO/IEC 9797, ISO/IEC 11770-2
ISO/IEC JTC 1/SC 37 – Biometrics: ISO/IEC 19785, ISO/IEC 19794
Conclusion
“The good thing about standards is ... there are so many to choose from”
- Well established security techniques available
- Trend from security as an add-on to integrated security solutions (“built in, not bolt on”)
- Security as a market differentiator
- New generation of cryptographic techniques, with lightweight cryptography still in its infancy
- Be aware of implementation level attacks: cryptography is typically bypassed, not penetrated
Thank You!
Walter.Fumy@bdr.de