| Name | Description | Abstract | Status | Publication date | Edition | Number of pages | Technical committee | ICS |
| ISO/IEC 11770-3:2021/WD Amd 1 |
Information security — Key management — Part 3: Mechanisms using asymmetric techniques — Amendment 1 |
|
Under development |
|
Edition : 4 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-4:2006 |
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets |
ISO/IEC 11770-4:2006 defines key establishment mechanisms based on weak secrets, i.e., secrets that can be readily memorized by a human, and hence secrets that will be chosen from a relatively small set of possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys based on a weak secret derived from a memorized password, while preventing off-line brute-force attacks associated with the weak secret. More specifically, these mechanisms are designed to achieve one of the following three goals.
Balanced password-authenticated key agreement: Establish one or more shared secret keys between two entities that share a common weak secret. In a balanced password-authenticated key agreement mechanism, the shared secret keys are the result of a data exchange between the two entities, the shared secret keys are established if and only if the two entities have used the same weak secret, and neither of the two entities can predetermine the values of the shared secret keys.
Augmented password-authenticated key agreement: Establish one or more shared secret keys between two entities A and B, where A has a weak secret and B has verification data derived from a one-way function of A's weak secret. In an augmented password-authenticated key agreement mechanism, the shared secret keys are the result of a data exchange between the two entities, the shared secret keys are established if and only if the two entities have used the weak secret and the corresponding verification data, and neither of the two entities can predetermine the values of the shared secret keys.
Password-authenticated key retrieval: Establish one or more secret keys for an entity, A, associated with another entity, B, where A has a weak secret and B has a strong secret associated with A's weak secret. In a password-authenticated key retrieval mechanism, the secret keys, retrievable by A (not necessarily derivable by B), are the result of a data exchange between the two entities, and the secret keys are established if and only if the two entities have used the weak secret and the associated strong secret. However, although B's strong secret is associated with A's weak secret, the strong secret does not (in itself) contain sufficient information to permit either the weak secret or the secret keys established in the mechanism to be determined.
|
Withdrawn |
2006-05 |
Edition : 1 |
Number of pages : 33 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-4:2006/Cor 1:2009 |
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets — Technical Corrigendum 1 |
|
Withdrawn |
2009-09 |
Edition : 1 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-4:2017 |
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets |
ISO/IEC 11770-4:2017 defines key establishment mechanisms based on weak secrets, i.e. secrets that can be readily memorized by a human, and hence, secrets that will be chosen from a relatively small set of possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys based on a weak secret derived from a memorized password, while preventing offline brute-force attacks associated with the weak secret. ISO/IEC 11770-4:2017 is not applicable to the following aspects of key management:
- life-cycle management of weak secrets, strong secrets, and established secret keys;
- mechanisms to store, archive, delete, destroy, etc. weak secrets, strong secrets, and established secret keys.
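The augmented case described in both ISO/IEC 11770-4 entries above (the server holds only verification data derived from a one-way function of the password, and an eavesdropper gets nothing usable for an offline guess) is shown here with SRP-6a. This is an added example, not text or code from the standard, and it does not claim to be one of the standard's named mechanisms. The user name and passwords are constructed; the group is the well-known 1024-bit MODP safe prime of RFC 2409 (too small for production use; it is used only because it is published and easy to check). The block verifies the group parameters itself before use.

```python
"""Augmented PAKE illustrated with SRP-6a (added example, not ISO/IEC 11770-4 text)."""
import hashlib
import secrets

# 1024-bit MODP group of RFC 2409, generator 2.  Illustration only: too small today.
N_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
         "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
         "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
N = int(N_HEX, 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used only to sanity-check the published group before use."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group():
    """A safe prime: N and (N-1)/2 both prime, so no small subgroups to hide in."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x):
    return x.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username, password, salt):
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def register(username, password):
    """Enrolment.  The server stores only (salt, v); v = g^x is the
    'verification data derived from a one-way function of A's weak secret'."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def run_exchange(username, typed_password, salt, v):
    """One SRP-6a run.  Returns (client key, server key)."""
    a = secrets.randbelow(2**256 - 1) + 1
    A = pow(g, a, N)                        # client -> server: username, A
    if A % N == 0:
        raise ValueError("rejecting A = 0 mod N")
    b = secrets.randbelow(2**256 - 1) + 1
    B = (k * v + pow(g, b, N)) % N          # server -> client: salt, B
    if B % N == 0:
        raise ValueError("rejecting B = 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("rejecting u = 0")
    # Client side: only the password typed at the keyboard is available.
    x = private_x(username, typed_password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: only the verifier v is available, never x or the password.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return (hashlib.sha256(pad(S_client)).digest(),
            hashlib.sha256(pad(S_server)).digest())


def demo():
    # Constructed credentials for the example.
    salt, v = register(b"alice", b"correct horse battery staple")
    good = run_exchange(b"alice", b"correct horse battery staple", salt, v)
    bad = run_exchange(b"alice", b"wrong password", salt, v)
    return {"group_ok": check_group(),
            "same_secret": good[0] == good[1],      # keys agree only with the right password
            "wrong_password": bad[0] == bad[1]}


if __name__ == "__main__":
    print(demo())
```

Note what the transcript (A, B) gives an attacker: guessing a password still requires a fresh online run per guess, because S depends on the ephemeral a or b, which is the property the abstract calls preventing off-line brute-force attacks. A compromised server database leaks v, which does allow offline guessing against v; that is the limit of "augmented", not a defect of the example.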
|
Published |
2017-11 |
Edition : 2 |
Number of pages : 48 |
Technical Committee |
35.030
IT Security
|
| ISO 1959:1973 |
Textile floor coverings — Determination of measured surface pile density and measured pile fibre volume ratio |
|
Withdrawn |
1973-12 |
Edition : 1 |
Number of pages : 3 |
Technical Committee |
97.150
Floor coverings
|
| ISO/IEC 11770-4:2017/Amd 1:2019 |
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets — Amendment 1: Unbalanced Password-Authenticated Key Agreement with Identity-Based Cryptosystems (UPAKA-IBC) |
|
Published |
2019-09 |
Edition : 2 |
Number of pages : 15 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-4:2017/Amd 2:2021 |
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets — Amendment 2: Leakage-resilient password-authenticated key agreement with additional stored secrets |
|
Published |
2021-02 |
Edition : 2 |
Number of pages : 39 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-5:2011 |
Information technology — Security techniques — Key management — Part 5: Group key management |
ISO/IEC 11770-5:2011 specifies key establishment mechanisms for multiple entities to provide procedures for handling cryptographic keying material used in symmetric or asymmetric cryptographic algorithms according to the security policy in force.
It defines symmetric-key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC), and symmetric key establishment mechanisms based on a general tree-based structure with both individual rekeying and batched rekeying. It also defines key establishment mechanisms based on a key chain, with both unlimited and limited forward key chains. Applications can combine both kinds of mechanism.
ISO/IEC 11770-5:2011 also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established.
|
Withdrawn |
2011-12 |
Edition : 1 |
Number of pages : 22 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-5:2020 |
Information security — Key management — Part 5: Group key management |
This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines:
— symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and
— symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying.
It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group forward and backward secrecy.
This document also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established.
This document does not specify information that has no relation with key establishment mechanisms, nor does it specify other messages such as error messages. The explicit format of messages is not within the scope of this document.
This document does not specify the means to be used to establish the initial secret keys required to be shared between each entity and the KDC, nor key lifecycle management. This document also does not explicitly address the issue of interdomain key management.
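The tree-based logical key structure with individual rekeying named in both ISO/IEC 11770-5 entries above is shown here as a logical key hierarchy: each member holds the keys on the path from its leaf to the root, and when a member leaves, the KDC renews every key on that path and sends each new key wrapped under the keys of the subtrees that remain. This is an added example, not the standard's mechanism or message format; the key-wrap below is an illustrative encrypt-then-MAC built from HMAC-SHA256 (use an AEAD in practice), and the tree size is constructed.

```python
"""Logical key hierarchy rekeying on member leave (added example, not ISO/IEC 11770-5 text)."""
import hashlib
import hmac
import secrets

KEYLEN = 32


def wrap(kek, target, key):
    """Illustrative wrap: HMAC keystream XOR key, then a tag bound to the target node."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(stream, key))
    tag = hmac.new(kek, b"mac" + nonce + target.to_bytes(4, "big") + ct,
                   hashlib.sha256).digest()
    return nonce, ct, tag


def unwrap(kek, target, blob):
    nonce, ct, tag = blob
    expect = hmac.new(kek, b"mac" + nonce + target.to_bytes(4, "big") + ct,
                      hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None                     # wrong or stale key: reject, never XOR blindly
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stream, ct))


class KeyDistributionCentre:
    """Complete binary tree in heap layout: root 1, children 2i and 2i+1,
    members at the leaves 2^depth .. 2^(depth+1)-1.  Root key = group key."""

    def __init__(self, depth):
        self.depth = depth
        self.keys = {i: secrets.token_bytes(KEYLEN) for i in range(1, 2 ** (depth + 1))}
        self.members = set(range(2 ** depth, 2 ** (depth + 1)))

    @staticmethod
    def path(leaf):
        nodes = []
        while leaf >= 1:
            nodes.append(leaf)
            leaf //= 2
        return nodes                    # leaf, parent, ..., root

    def keys_for(self, leaf):
        return {n: self.keys[n] for n in self.path(leaf)}

    def group_key(self):
        return self.keys[1]

    def remove(self, leaf):
        """Individual rekeying: renew every key on the leaver's path (not its leaf
        key), bottom-up, each wrapped under the keys of the children that remain.
        Cost: at most 2*depth - 1 messages for 2^depth members."""
        self.members.discard(leaf)
        del self.keys[leaf]
        messages = []
        for node in self.path(leaf)[1:]:
            new = secrets.token_bytes(KEYLEN)
            for child in (2 * node, 2 * node + 1):
                if child in self.keys:  # the on-path child already holds its new key
                    messages.append((node, child, wrap(self.keys[child], node, new)))
            self.keys[node] = new
        return messages


class Member:
    def __init__(self, leaf, keys):
        self.leaf, self.keys = leaf, dict(keys)

    def process(self, messages):
        for target, kek_id, blob in messages:
            kek = self.keys.get(kek_id)
            if kek is None:
                continue
            new = unwrap(kek, target, blob)
            if new is not None:
                self.keys[target] = new

    def group_key(self):
        return self.keys.get(1)


def demo(depth=3):
    kdc = KeyDistributionCentre(depth)   # constructed: 8 members
    members = {leaf: Member(leaf, kdc.keys_for(leaf)) for leaf in sorted(kdc.members)}
    leaver = min(kdc.members)
    old_group_key = kdc.group_key()
    msgs = kdc.remove(leaver)
    for m in members.values():           # broadcast: the leaver sees it too
        m.process(msgs)
    return {"messages": len(msgs),
            "stayers_ok": all(members[l].group_key() == kdc.group_key() for l in kdc.members),
            "leaver_excluded": members[leaver].group_key() != kdc.group_key(),
            "key_changed": kdc.group_key() != old_group_key}


if __name__ == "__main__":
    print(demo())
```

The leaver still holds the old keys for its path, so the tag check in `unwrap` is what stops it from accepting any of the broadcast messages; the remaining members each succeed on exactly one message per renewed ancestor. Batched rekeying and the key-chain mechanisms of the same standard are not shown.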
|
Published |
2020-11 |
Edition : 2 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-6:2016 |
Information technology — Security techniques — Key management — Part 6: Key derivation |
ISO/IEC 11770-6:2016 specifies key derivation functions, i.e. functions which take secret information and other (public) parameters as input and output one or more "derived" secret keys. Key derivation functions based on MAC algorithms and on hash-functions are specified.
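A MAC-based key derivation function in counter mode, as an added example for the ISO/IEC 11770-6 entry above. It follows the generic counter-mode shape (counter, label, a zero separator, context, requested length, all under HMAC-SHA256); it is not the standard's own text and makes no claim about which of the standard's KDFs it matches. The secret, party names, labels and nonces are constructed.

```python
"""Counter-mode KDF built on HMAC-SHA256 (added example, not ISO/IEC 11770-6 text)."""
import hashlib
import hmac

HASH_LEN = 32


def kdf_counter(secret, label, context, length):
    """Derive 'length' bytes as K_1 || K_2 || ... with
    K_i = HMAC(secret, i || label || 0x00 || context || L), L = length in bits."""
    if not 0 < length <= HASH_LEN * 0xFFFFFFFF:
        raise ValueError("bad output length")
    big_l = (length * 8).to_bytes(4, "big")
    blocks = (length + HASH_LEN - 1) // HASH_LEN
    out = bytearray()
    for i in range(1, blocks + 1):
        msg = i.to_bytes(4, "big") + label + b"\x00" + context + big_l
        out += hmac.new(secret, msg, hashlib.sha256).digest()
    return bytes(out[:length])


def session_keys(shared_secret, initiator, responder, nonce):
    """Split one shared secret into purpose-specific keys.  The context binds
    the two identities and the session nonce, so the same secret yields
    different keys in another session or with the roles swapped."""
    ctx = initiator + b"\x00" + responder + b"\x00" + nonce
    return {"enc": kdf_counter(shared_secret, b"enc", ctx, 32),
            "mac": kdf_counter(shared_secret, b"mac", ctx, 32)}


def demo():
    secret = bytes.fromhex("0f" * 32)            # constructed shared secret
    n1, n2 = b"nonce-1", b"nonce-2"              # constructed session nonces
    ks = session_keys(secret, b"alice", b"bob", n1)
    return {
        "deterministic": ks == session_keys(secret, b"alice", b"bob", n1),
        "enc_differs_from_mac": ks["enc"] != ks["mac"],
        "nonce_changes_keys": ks != session_keys(secret, b"alice", b"bob", n2),
        "roles_change_keys": ks != session_keys(secret, b"bob", b"alice", n1),
        # Because L is an input, a longer request is not a prefix of a shorter one.
        "no_prefix_property": kdf_counter(secret, b"enc", b"c", 48)[:32]
                              != kdf_counter(secret, b"enc", b"c", 32),
        "length_48_ok": len(kdf_counter(secret, b"enc", b"c", 48)) == 48,
    }


if __name__ == "__main__":
    print(demo())
```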
|
Published |
2016-10 |
Edition : 1 |
Number of pages : 23 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11770-7:2021 |
Information security — Key management — Part 7: Cross-domain password-based authenticated key exchange |
This document specifies mechanisms for cross-domain password-based authenticated key exchange, all of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols let two communicating entities establish a shared session key using just the login passwords that they share with their respective domain authentication servers. The authentication servers, assumed to be part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that certify key material which the users subsequently use to agree on a session key.
This document does not specify the means to be used to establish a shared password between an entity and its corresponding domain server. This document also does not define the implementation of a PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.
|
Published |
2021-07 |
Edition : 1 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-1:2009 |
Information technology — Trusted Platform Module — Part 1: Overview |
ISO/IEC 11889 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889-1:2009 is an overview of the TPM. It describes the TPM and how it fits into the trusted platform. ISO/IEC 11889-1:2009 describes trusted platform concepts such as the trust boundary, transitive trust, integrity measurement, and integrity reporting.
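Integrity measurement and reporting, two of the concepts listed for the overview above, reduce to one rule: a platform configuration register (PCR) can only be extended, PCR_new = H(PCR_old || measurement), and a verifier replays the measurement log to reproduce the reported value. This added example (not the standard's code) does that replay with SHA-256; TPM 1.2 PCRs use SHA-1 and TPM 2.0 keeps one bank per hash algorithm, but the rule is the same. The boot chain, its images and the golden values are constructed.

```python
"""PCR extend and measurement-log replay (added example, not ISO/IEC 11889 text)."""
import hashlib


def extend(pcr, measurement):
    """The only way a PCR changes: hash of old value concatenated with the measurement."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component):
    """A stage measures the next stage before transferring control to it."""
    return hashlib.sha256(component).digest()


def replay(log, initial=b"\x00" * 32):
    pcr = initial
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def check_report(reported_pcr, log, golden):
    """Two independent checks a verifier performs on (reported PCR, log):
    1. the log replays to the reported PCR (log has not been edited);
    2. every measured component matches a known-good digest.
    Returns (consistent, names of components with no matching golden value)."""
    consistent = replay(log) == reported_pcr
    unknown = [name for name, digest in log if golden.get(name) != digest]
    return consistent, unknown


def demo():
    # Constructed boot chain and known-good list.
    chain = [("bootloader", b"BOOTLOADER-IMAGE-v1"),
             ("kernel", b"KERNEL-IMAGE-v1"),
             ("initrd", b"INITRD-v1")]
    log = [(name, measure(blob)) for name, blob in chain]
    golden = dict(log)
    reported = replay(log)                     # what an honest platform reports
    honest = check_report(reported, log, golden)

    # A modified kernel is measured honestly by the bootloader, so log and PCR
    # still agree; only the comparison against golden values catches it.
    bad_chain = [(n, b"KERNEL-IMAGE-evil" if n == "kernel" else b) for n, b in chain]
    bad_log = [(name, measure(blob)) for name, blob in bad_chain]
    tampered = check_report(replay(bad_log), bad_log, golden)

    # Same events in a different order give a different PCR: extend is ordered.
    reordered = check_report(replay(list(reversed(log))), log, golden)
    return {"honest": honest, "tampered": tampered, "reordered": reordered}


if __name__ == "__main__":
    print(demo())
```

The second case is the one that matters in practice: a transitive-trust chain guarantees that whatever ran was recorded, not that it was good, so a verifier needs reference values as well as the quote.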
|
Published |
2009-05 |
Edition : 1 |
Number of pages : 12 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13335-1:2004 |
Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management |
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.
|
Withdrawn |
2004-11 |
Edition : 1 |
Number of pages : 28 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 11889-1:2015 |
Information technology — Trusted platform module library — Part 1: Architecture |
ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance for platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements.
ISO/IEC 11889-1:2015 illustrates TPM security and privacy techniques in the context of a platform through the use of cryptography. It includes definitions of how different cryptographic techniques are implemented by a TPM. The scope of ISO/IEC 11889 does not include cryptographic analysis or guidance about the applicability of different algorithms for specific use cases.
TPM requirements in ISO/IEC 11889-1:2015 are general, covering concepts like integrity protection, isolation and confidentiality. Defining a specific strength of function or assurance level is out of scope for ISO/IEC 11889. This approach limits the guarantees provided by ISO/IEC 11889 itself, but it does allow the TPM architectural elements defined to be adapted to meet diverse implementation and platform-specific needs.
|
Published |
2015-08 |
Edition : 2 |
Number of pages : 257 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-2:2009 |
Information technology — Trusted Platform Module — Part 2: Design principles |
ISO/IEC 11889 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889-2:2009 defines the principles of TPM operation. These include base operating modes, cryptographic algorithms and key sizes for the algorithms, basic interoperability requirements, basic protocols and the use of the protocols, and use of TPM resources.
|
Published |
2009-05 |
Edition : 1 |
Number of pages : 143 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-2:2015 |
Information technology — Trusted Platform Module Library — Part 2: Structures |
ISO/IEC 11889-2:2015 contains the definitions of the constants, flags, structure, and union definitions used to communicate with the TPM. Values defined in ISO/IEC 11889-2:2015 are used by the TPM commands defined in ISO/IEC 11889-3 and by the functions in ISO/IEC 11889-4.
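The structures this part defines are what actually crosses the wire. As an added example (not the standard's code), the block below marshals a TPM2_GetRandom command using the library specification's header layout (a UINT16 tag, a UINT32 command size and a UINT32 command code, all big-endian, followed by the command parameters) and parses the response header and its TPM2B_DIGEST payload, rejecting responses whose size fields disagree. The response bytes are constructed; no real TPM is contacted, and the non-success code used in the example is an arbitrary value, not a named TPM_RC.

```python
"""Marshalling a TPM 2.0 command and parsing its response (added example, not
ISO/IEC 11889-2 text).  Constants are the library specification's values."""
import struct

TPM_ST_NO_SESSIONS = 0x8001        # no authorization sessions in this command
TPM_CC_GetRandom = 0x0000017B
TPM_RC_SUCCESS = 0x00000000
HEADER = struct.Struct(">HII")     # tag, size, commandCode / responseCode


def build_get_random(bytes_requested):
    """TPM2_GetRandom: header followed by UINT16 bytesRequested."""
    body = struct.pack(">H", bytes_requested)
    return HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size + len(body), TPM_CC_GetRandom) + body


def parse_response(buf):
    """Returns (responseCode, randomBytes or None).  Every length field is
    checked against what was actually received before any slice is taken."""
    if len(buf) < HEADER.size:
        raise ValueError("short response header")
    tag, size, rc = HEADER.unpack(buf[:HEADER.size])
    if size != len(buf):
        raise ValueError("responseSize %d does not match %d bytes received" % (size, len(buf)))
    if rc != TPM_RC_SUCCESS:
        return rc, None                       # error responses carry no parameters
    # TPM2B_DIGEST randomBytes: UINT16 size, then exactly that many bytes.
    if len(buf) < HEADER.size + 2:
        raise ValueError("missing TPM2B size")
    (n,) = struct.unpack(">H", buf[HEADER.size:HEADER.size + 2])
    if HEADER.size + 2 + n != size:
        raise ValueError("TPM2B size %d inconsistent with response size" % n)
    return rc, buf[HEADER.size + 2:HEADER.size + 2 + n]


def demo():
    cmd = build_get_random(16)
    rnd = bytes(range(16))                    # constructed payload for a fake response
    ok = (HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size + 2 + len(rnd), TPM_RC_SUCCESS)
          + struct.pack(">H", len(rnd)) + rnd)
    err = HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size, 0x00000101)   # arbitrary non-success code
    lying = ok[:HEADER.size] + struct.pack(">H", 64) + rnd           # claims 64 bytes, has 16
    try:
        parse_response(lying)
        malformed_rejected = False
    except ValueError:
        malformed_rejected = True
    return {"command": cmd.hex(), "random": parse_response(ok),
            "error": parse_response(err), "malformed_rejected": malformed_rejected}


if __name__ == "__main__":
    print(demo())
```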
|
Published |
2015-08 |
Edition : 2 |
Number of pages : 159 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-3:2009 |
Information technology — Trusted Platform Module — Part 3: Structures |
ISO/IEC 11889 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889-3:2009 defines the structures and constants that enable the interoperability between TPM implementations.
|
Published |
2009-05 |
Edition : 1 |
Number of pages : 188 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-3:2015 |
Information technology — Trusted Platform Module Library — Part 3: Commands |
ISO/IEC 11889 contains the definitions of the Trusted Platform Module (TPM) commands. These commands make use of the constants, flags, structures, and union definitions defined in ISO/IEC 11889-2.
The detailed description of the operation of the commands is written in the C language with extensive comments. The behavior of the C code in ISO/IEC 11889-3:2015 is normative but does not fully describe the behavior of a TPM. ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 together are sufficient to fully describe the required behavior of a TPM.
ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 are written to define the behavior of a compliant TPM. In some cases it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in this part of ISO/IEC 11889 would be compliant.
|
Published |
2015-08 |
Edition : 2 |
Number of pages : 457 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-4:2009 |
Information technology — Trusted Platform Module — Part 4: Commands |
ISO/IEC 11889 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889-4:2009 defines the commands, actions of the commands, and the parameters to the commands that provide the TPM functionality.
|
Published |
2009-05 |
Edition : 1 |
Number of pages : 237 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 11889-4:2015 |
Information technology — Trusted Platform Module Library — Part 4: Supporting Routines |
ISO/IEC 11889-4:2015 contains C code that describes the algorithms and methods used by the command code in ISO/IEC 11889-3. The code in ISO/IEC 11889-4:2015 augments ISO/IEC 11889-2 and ISO/IEC 11889-3 to provide a complete description of a TPM, including the supporting framework for the code that performs the command actions.
Any code in ISO/IEC 11889-4:2015 may be replaced by code that provides similar results when interfacing to the action code in ISO/IEC 11889-3. The behavior of code in ISO/IEC 11889-4:2015 that is not included in an annex is normative, as observed at the interfaces with ISO/IEC 11889-3 code. Code in an annex is provided for completeness, that is, to allow a full implementation of ISO/IEC 11889 from the provided code.
The code in ISO/IEC 11889-3 and ISO/IEC 11889-4:2015 is written to define the behavior of a compliant TPM. In some cases (e.g., firmware update), it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in ISO/IEC 11889-3 would be compliant.
The code in ISO/IEC 11889-3 and ISO/IEC 11889-4:2015 is not written to meet any particular level of conformance, nor does ISO/IEC 11889 require that a TPM meet any particular level of conformance.
|
Published |
2015-08 |
Edition : 2 |
Number of pages : 556 |
Technical Committee |
35.030
IT Security
|
| ISO 2094:1973 |
Textile floor coverings — Determination of thickness loss under dynamic loading |
|
Withdrawn |
1973-12 |
Edition : 1 |
Number of pages : 3 |
Technical Committee |
97.150
Floor coverings
|
| ISO/IEC TR 13335-1:1996 |
Information technology — Guidelines for the management of IT Security — Part 1: Concepts and models for IT Security |
Presents the basic management concepts and models which are essential for an introduction into the management of IT security. These concepts and models are further discussed and developed in the remaining parts to provide more detailed guidance.
|
Withdrawn |
1996-12 |
Edition : 1 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC TR 13335-2:1997 |
Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security |
|
Withdrawn |
1997-12 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC TR 13335-3:1998 |
Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security |
|
Withdrawn |
1998-06 |
Edition : 1 |
Number of pages : 47 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC TR 13335-4:2000 |
Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards |
|
Withdrawn |
2000-03 |
Edition : 1 |
Number of pages : 61 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC TR 13335-5:2001 |
Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security |
|
Withdrawn |
2001-11 |
Edition : 1 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 13888-1:1997 |
Information technology — Security techniques — Non-repudiation — Part 1: General |
|
Withdrawn |
1997-11 |
Edition : 1 |
Number of pages : 10 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-1:2004 |
IT security techniques — Non-repudiation — Part 1: General |
This part of ISO/IEC 13888:2004 serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The goal of the non-repudiation service is to generate, collect, maintain, make available and verify evidence concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action. There are two main types of evidence, the nature of which depends on cryptographic techniques employed: the secure envelopes generated by an evidence-generating authority using symmetric cryptographic techniques, and digital signatures generated by an evidence generator or an evidence generating authority using asymmetric cryptographic techniques.
Non-repudiation mechanisms generic to the various non-repudiation services are described first. The different parts of this International Standard provide non-repudiation mechanisms for the following phases of non-repudiation: evidence generation, transfer, storage, retrieval and verification. The non-repudiation mechanisms are then applied to a selection of specific non-repudiation services such as non-repudiation of origin, non-repudiation of delivery, non-repudiation of submission, and non-repudiation of transport. Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens specific to each non-repudiation service. Non-repudiation tokens consist of secure envelopes and/or digital signatures and, optionally, of additional data.
|
Withdrawn |
2004-06 |
Edition : 2 |
Number of pages : 15 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-1:2009 |
Information technology — Security techniques — Non-repudiation — Part 1: General |
ISO/IEC 13888 is concerned with non-repudiation. ISO/IEC 13888-1:2009 is a general part which defines a model for non-repudiation mechanisms providing evidence based on cryptographic check values generated using symmetric or asymmetric cryptographic techniques. Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens for non-repudiation services. Specific and additional non-repudiation services are described.
|
Withdrawn |
2009-07 |
Edition : 3 |
Number of pages : 19 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-1:2020 |
Information security — Non-repudiation — Part 1: General |
This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques.
The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation:
— evidence generation;
— evidence transfer, storage and retrieval; and
— evidence verification.
Dispute arbitration is outside the scope of the ISO/IEC 13888 series.
|
Published |
2020-09 |
Edition : 4 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-2:1998 |
Information technology — Security techniques — Non-repudiation — Part 2: Mechanisms using symmetric techniques |
|
Withdrawn |
1998-04 |
Edition : 1 |
Number of pages : 10 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-1:2008/Cor 2:2014 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General — Technical Corrigendum 2 |
|
Withdrawn |
2014-04 |
Edition : 2 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-2:2010 |
Information technology — Security techniques — Non-repudiation — Part 2: Mechanisms using symmetric techniques |
The goal of the non-repudiation service is to generate, collect, maintain, make available and validate evidence concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action. ISO/IEC 13888-2:2010 provides descriptions of generic structures that can be used for non-repudiation services, and of some specific communication-related mechanisms which can be used to provide non-repudiation of origin (NRO) and non-repudiation of delivery (NRD). Other non-repudiation services can be built using the generic structures described in ISO/IEC 13888-2:2010 in order to meet the requirements defined by the security policy.
ISO/IEC 13888-2:2010 relies on the existence of a trusted third party (TTP) to prevent fraudulent repudiation or accusation. Usually, an online TTP is needed.
Non-repudiation can only be provided within the context of a clearly defined security policy for a particular application and its legal environment. Non-repudiation policies are defined in ISO/IEC 10181-4.
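The symmetric setting described above, where evidence is a secure envelope produced by an evidence-generating authority and only that TTP can check it, is shown below for non-repudiation of origin (NRO) and of delivery (NRD). This is an added example, not the standard's token format or mechanism: the field names, the "senv" construction (an HMAC under a key that never leaves the TTP) and the messages are illustrative, and the TTP is assumed to authenticate whoever requests an envelope (not modelled).

```python
"""NRO/NRD evidence as TTP secure envelopes (added example, not ISO/IEC 13888-2 text)."""
import hashlib
import hmac
import json
import secrets


class TrustedThirdParty:
    """Evidence-generating authority.  Because the envelope key never leaves it,
    every verification is an online request, as the abstract notes."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _senv(self, fields):
        payload = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, fields):
        return {"fields": dict(fields), "senv": self._senv(fields)}

    def verify(self, token):
        return hmac.compare_digest(token.get("senv", ""), self._senv(token["fields"]))


def evidence(kind, originator, recipient, message, timestamp):
    """The facts the evidence attests; the message enters only by its hash."""
    return {"type": kind, "originator": originator, "recipient": recipient,
            "message_hash": hashlib.sha256(message).hexdigest(),
            "timestamp": timestamp}


def check(ttp, token, kind, originator, recipient, message):
    """What a verifier (or later an arbiter) tests a token against.  The
    envelope check is a call to the TTP; the field checks are local."""
    f = token["fields"]
    return (ttp.verify(token)
            and f["type"] == kind
            and f["originator"] == originator
            and f["recipient"] == recipient
            and f["message_hash"] == hashlib.sha256(message).hexdigest())


def demo():
    ttp = TrustedThirdParty()
    m = b"Transfer 100 EUR to account 42"                     # constructed message
    # Alice obtains NRO evidence and sends (m, nro) to Bob.
    nro = ttp.issue(evidence("NRO", "alice", "bob", m, "2024-01-01T00:00:00Z"))
    # Bob obtains NRD evidence on receipt and returns it to Alice.
    nrd = ttp.issue(evidence("NRD", "alice", "bob", m, "2024-01-01T00:00:05Z"))
    # Bob later edits the token to claim a different amount was sent.
    other = b"Transfer 1000 EUR to account 42"
    forged = {"fields": dict(nro["fields"],
                             message_hash=hashlib.sha256(other).hexdigest()),
              "senv": nro["senv"]}
    return {
        "bob_accepts_nro": check(ttp, nro, "NRO", "alice", "bob", m),
        "alice_accepts_nrd": check(ttp, nrd, "NRD", "alice", "bob", m),
        "wrong_message_rejected": check(ttp, nro, "NRO", "alice", "bob", other),
        "forged_token_rejected": check(ttp, forged, "NRO", "alice", "bob", other),
        "wrong_type_rejected": check(ttp, nro, "NRD", "alice", "bob", m),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the evidence type, both identities and a timestamp into the envelope is what lets the same TTP key serve both services without an NRO token being replayed as proof of delivery.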
|
Published |
2010-12 |
Edition : 2 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-2:2010/Cor 1:2012 |
Information technology — Security techniques — Non-repudiation — Part 2: Mechanisms using symmetric techniques — Technical Corrigendum 1 |
|
Published |
2012-12 |
Edition : 2 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-3:1997 |
Information technology — Security techniques — Non-repudiation — Part 3: Mechanisms using asymmetric techniques |
|
Withdrawn |
1997-11 |
Edition : 1 |
Number of pages : 7 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-3:2009 |
Information technology — Security techniques — Non-repudiation — Part 3: Mechanisms using asymmetric techniques |
ISO/IEC 13888-3:2009 specifies mechanisms for the provision of specific, communication related, non-repudiation services using asymmetric cryptographic techniques.
|
Withdrawn |
2009-12 |
Edition : 2 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 13888-3:2020 |
Information security — Non-repudiation — Part 3: Mechanisms using asymmetric techniques |
This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.
|
Published |
2020-09 |
Edition : 3 |
Number of pages : 13 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 14516:2002 |
Information technology — Security techniques — Guidelines for the use and management of Trusted Third Party services |
Associated with the provision and operation of a Trusted Third Party (TTP) are a number of security-related issues for which general guidance is necessary to assist business entities, developers and providers of systems and services, etc. This includes guidance on issues regarding the roles, positions and relationships of TTPs and the entities using TTP services, the generic security requirements, who should provide what type of security, what the possible security solutions are, and the operational use and management of TTP service security.
This Recommendation | Technical Report provides guidance for the use and management of TTPs, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. It is intended primarily for system managers, developers, TTP operators and enterprise users to select those TTP services needed for particular requirements, their subsequent management, use and operational deployment, and the establishment of a Security Policy within a TTP. It is not intended to be used as a basis for a formal assessment of a TTP or a comparison of TTPs.
This Recommendation | Technical Report identifies different major categories of TTP services including: time stamping, non-repudiation, key management, certificate management, and electronic notary public. Each of these major categories consists of several services which logically belong together.
|
Published |
2002-06 |
Edition : 1 |
Number of pages : 33 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-1:1998 |
Information technology — Security techniques — Digital signatures with appendix — Part 1: General |
|
Withdrawn |
1998-12 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-1:2008 |
Information technology — Security techniques — Digital signatures with appendix — Part 1: General |
There are two types of digital signature mechanism:
- When the verification process needs the message as part of the input, the mechanism is called a "signature mechanism with appendix". A hash-function is used in the calculation of the appendix.
- When the verification process reveals all or part of the message, the mechanism is called a "signature mechanism giving message recovery". A hash-function is also used in the generation and verification of these signatures.
ISO/IEC 14888 specifies digital signatures with appendix. ISO/IEC 14888-1:2008 specifies general principles and requirements for digital signatures with appendix. ISO/IEC 14888-2 addresses digital signatures based on integer factoring, and ISO/IEC 14888-3 addresses digital signatures based on discrete logarithm.
Signature mechanisms giving message recovery are specified in ISO/IEC 9796. Hash-functions are specified in ISO/IEC 10118.
|
Published |
2008-04 |
Edition : 2 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-2:1999 |
Information technology — Security techniques — Digital signatures with appendix — Part 2: Identity-based mechanisms |
|
Withdrawn |
1999-12 |
Edition : 1 |
Number of pages : 16 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-2:2008 |
Information technology — Security techniques — Digital signatures with appendix — Part 2: Integer factorization based mechanisms |
ISO/IEC 14888 specifies digital signatures with appendix. As no part of the message is recovered from the signature (the recoverable part of the message is empty), the signed message consists of the signature and the whole message.
NOTE ISO/IEC 9796 specifies digital signature giving message recovery. As all or part of the message is recovered from the signature, the recoverable part of the message is not empty. The signed message consists of either the signature only (when the non-recoverable part of the message is empty), or both the signature and the non-recoverable part.
ISO/IEC 14888-2:2008 specifies digital signatures with appendix whose security is based on the difficulty of factoring the modulus in use. For each signature scheme, it specifies:
- the relationships and constraints between all the data elements required for signing and verifying;
- a signature mechanism, i.e. how to produce a signature of a message with the data elements required for signing;
- a verification mechanism, i.e. how to verify a signature of a message with the data elements required for verifying.
The title of ISO/IEC 14888-2 has changed from Identity-based mechanisms (first edition) to Integer factorization based mechanisms (second edition).
ISO/IEC 14888-2:2008 includes the identity-based scheme specified in ISO/IEC 14888-2:1999, namely the GQ1 scheme. This scheme has been revised due to the withdrawal of ISO/IEC 9796:1991 in 1999.
Among the certificate-based schemes specified in ISO/IEC 14888-3:1998, it includes all the schemes based on the difficulty of factoring the modulus in use, namely, the RSA, RW and ESIGN schemes. These schemes have been revised due to the withdrawal of ISO/IEC 9796:1991 in 1999.
It takes into account ISO/IEC 14888-3:1998/Cor.1:2001, technical corrigendum of the ESIGN scheme.
It includes a format mechanism, namely the PSS mechanism, also specified in ISO/IEC 9796-2:2002, and details of how to use it in each of the RSA, RW, GQ1 and ESIGN schemes.
It includes new certificate-based schemes that use no format mechanism, namely, the GQ2, GPS1 and GPS2 schemes.
For each scheme and its options, as needed, it provides an object identifier.
|
Published |
2008-04 |
Edition : 2 |
Number of pages : 66 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-2:2008/Cor 1:2015 |
Information technology — Security techniques — Digital signatures with appendix — Part 2: Integer factorization based mechanisms — Technical Corrigendum 1: To ISO/IEC 14888-2:2008 |
|
Published |
2015-10 |
Edition : 2 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:1998 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Certificate-based mechanisms |
|
Withdrawn |
1998-12 |
Edition : 1 |
Number of pages : 34 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:1998/Cor 1:2001 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Certificate-based mechanisms — Technical Corrigendum 1 |
|
Withdrawn |
2001-09 |
Edition : 1 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2006 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms |
ISO/IEC 14888-3:2006 specifies digital signature mechanisms with appendix whose security is based on the discrete logarithm problem. It provides a general description of a digital signature with appendix mechanism, and a variety of mechanisms that provide digital signatures with appendix.
For each mechanism, ISO/IEC 14888-3:2006 specifies the process of generating keys, the process of producing signatures, and the process of verifying signatures.
The verification of a digital signature requires the signing entity's verification key. It is thus essential for a verifier to be able to associate the correct verification key with the signing entity, or more precisely, with (parts of) the signing entity's identification data. This association may be provided by another means that is not covered in ISO/IEC 14888-3:2006. Whatever the nature of such means, the scheme is then said to be 'certificate-based'. If not, the association between the correct verification key and the signing entity's identification data is somehow inherent in the verification key itself. In such a case, the scheme is said to be 'identity-based'. Depending on the two different ways of checking the correctness of the verification keys, the digital signature mechanisms specified in ISO/IEC 14888-3:2006 are categorized in two groups: certificate-based and identity-based.
|
Withdrawn |
2006-11 |
Edition : 2 |
Number of pages : 68 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2006/Amd 1:2010 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Amendment 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm |
|
Withdrawn |
2010-06 |
Edition : 2 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2006/Cor 1:2007 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Technical Corrigendum 1 |
|
Withdrawn |
2007-09 |
Edition : 2 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2006/Amd 2:2012 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Amendment 2: Optimizing hash inputs |
|
Withdrawn |
2012-07 |
Edition : 2 |
Number of pages : 4 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2006/Cor 2:2009 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Technical Corrigendum 2 |
|
Withdrawn |
2009-02 |
Edition : 2 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2016 |
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms |
ISO/IEC 14888-3:2016 specifies digital signature mechanisms with appendix whose security is based on the discrete logarithm problem.
ISO/IEC 14888-3:2016 provides
- a general description of a digital signature with appendix mechanism, and
- a variety of mechanisms that provide digital signatures with appendix.
For each mechanism, this part of ISO/IEC 14888 specifies
- the process of generating a pair of keys,
- the process of producing signatures, and
- the process of verifying signatures.
|
Withdrawn |
2016-03 |
Edition : 3 |
Number of pages : 131 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 14888-3:2018 |
IT Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms |
This document specifies digital signature mechanisms with appendix whose security is based on the discrete logarithm problem.
This document provides
— a general description of a digital signature with appendix mechanism, and
— a variety of mechanisms that provide digital signatures with appendix.
For each mechanism, this document specifies
— the process of generating a pair of keys,
— the process of producing signatures, and
— the process of verifying signatures.
Annex A defines object identifiers assigned to the digital signature mechanisms specified in this document, and defines algorithm parameter structures.
Annex B defines conversion functions of FE2I, I2FE, FE2BS, BS2I, I2BS, I2OS and OS2I used in this document.
Annex D defines how to generate DSA domain parameters.
|
Published |
2018-11 |
Edition : 4 |
Number of pages : 155 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC CD 14888-4.2 |
Information technology — Security techniques — Digital signatures with appendix — Part 4: Stateful hash-based mechanisms |
|
Under development |
|
Edition : 1 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15292:2001 |
Information technology — Security techniques — Protection Profile registration procedures |
|
Withdrawn |
2001-12 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-1:1999 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
|
Withdrawn |
1999-12 |
Edition : 1 |
Number of pages : 53 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-1:2005 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
ISO/IEC 15408-1:2005 defines two forms for expressing IT security functional and assurance requirements. The protection profile (PP) construct allows creation of generalized reusable sets of these security requirements. The PP can be used by prospective consumers for specification and identification of products with IT security features which will meet their needs. The security target (ST) expresses the security requirements and specifies the security functions for a particular product or system to be evaluated, called the target of evaluation (TOE). The ST is used by evaluators as the basis for evaluations conducted in accordance with ISO/IEC 15408.
|
Withdrawn |
2005-10 |
Edition : 2 |
Number of pages : 41 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-1:2009 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of ISO/IEC 15408 which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
It provides an overview of all parts of ISO/IEC 15408. It describes the various parts of ISO/IEC 15408; defines the terms and abbreviations to be used in all parts ISO/IEC 15408; establishes the core concept of a Target of Evaluation (TOE); the evaluation context; and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations.
The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation and evaluation results are described.
ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
General information about the evaluation methodology is given in ISO/IEC 18045 and the scope of evaluation schemes is provided.
|
Withdrawn |
2009-12 |
Edition : 3 |
Number of pages : 64 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-1:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model |
This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
This document introduces:
— the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408‑2 and ISO/IEC 15408‑3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408‑4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408‑5;
— information in regard to the scope of evaluation schemes.
|
Published |
2022-08 |
Edition : 4 |
Number of pages : 142 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-2:1999 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements |
|
Withdrawn |
1999-12 |
Edition : 1 |
Number of pages : 343 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 23264-1:2021 |
Information security — Redaction of authentic data — Part 1: General |
This document specifies properties of cryptographic mechanisms to redact authentic data. In particular, it defines the processes involved in those mechanisms, the participating parties, and the cryptographic properties.
|
Published |
2021-03 |
Edition : 1 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-2:2005 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements |
ISO/IEC 15408-2:2005 defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products and systems.
|
Withdrawn |
2005-10 |
Edition : 2 |
Number of pages : 227 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-2:2008 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components |
ISO/IEC 15408-2:2008 defines the content and presentation of the security functional requirements to be assessed in a security evaluation using ISO/IEC 15408. It contains a comprehensive catalogue of predefined security functional components that will meet most common security needs of the marketplace. These are organized using a hierarchical structure of classes, families and components, and supported by comprehensive user notes.
ISO/IEC 15408-2:2008 also provides guidance on the specification of customized security requirements where no suitable predefined security functional components exist.
|
Withdrawn |
2008-08 |
Edition : 3 |
Number of pages : 218 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-2:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components |
This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that meets the common security functionality requirements of many IT products.
|
Published |
2022-08 |
Edition : 4 |
Number of pages : 273 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-3:1999 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements |
|
Withdrawn |
1999-12 |
Edition : 1 |
Number of pages : 213 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-3:2005 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements |
ISO/IEC 15408-3:2005 defines the assurance requirements of ISO/IEC 15408. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance, the individual assurance components from which the assurance levels are composed, and the criteria for evaluation of protection profiles and security targets.
|
Withdrawn |
2005-10 |
Edition : 2 |
Number of pages : 149 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-3:2008 |
Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components |
ISO/IEC 15408-3:2008 defines the assurance requirements of the evaluation criteria. It includes the evaluation assurance levels that define a scale for measuring assurance for component targets of evaluation (TOEs), the composed assurance packages that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of protection profiles and security targets.
ISO/IEC 15408-3:2008 defines the content and presentation of the assurance requirements in the form of assurance classes, families and components and provides guidance on the organization of new assurance requirements. The assurance components within the assurance families are presented in a hierarchical order.
|
Withdrawn |
2008-08 |
Edition : 3 |
Number of pages : 174 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-3:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components |
This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
|
Published |
2022-08 |
Edition : 4 |
Number of pages : 189 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-4:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities |
This document provides a standardized framework for specifying objective, repeatable and reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation activities. These aspects are a matter for those originating the evaluation methods and evaluation activities in their particular area of interest.
|
Published |
2022-08 |
Edition : 1 |
Number of pages : 16 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15408-5:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 5: Pre-defined packages of security requirements |
This document provides packages of security assurance and security functional requirements that have been identified as useful in support of common usage by stakeholders.
EXAMPLE Examples of provided packages include the evaluation assurance levels (EAL) and the composed assurance packages (CAPs).
This document presents:
— evaluation assurance level (EAL) family of packages that specify pre-defined sets of security assurance components that may be referenced in PPs and STs and which specify appropriate security assurances to be provided during an evaluation of a target of evaluation (TOE);
— composition assurance (CAP) family of packages that specify sets of security assurance components used for specifying appropriate security assurances to be provided during an evaluation of composed TOEs;
— composite product (COMP) package that specifies a set of security assurance components used for specifying appropriate security assurances to be provided during an evaluation of a composite product TOE;
— protection profile assurance (PPA) family of packages that specify sets of security assurance components used for specifying appropriate security assurances to be provided during a protection profile evaluation;
— security target assurance (STA) family of packages that specify sets of security assurance components used for specifying appropriate security assurances to be provided during a security target evaluation.
The users of this document can include consumers, developers, and evaluators of secure IT products.
|
Published |
2022-08 |
Edition : 1 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15443-1:2005 |
Information technology — Security techniques — A framework for IT security assurance — Part 1: Overview and framework |
ISO/IEC TR 15443 is a multi-part type 3 Technical Report to guide the IT security professional in the selection of an appropriate assurance method when specifying, selecting, or deploying a security service, product, or environmental factor such as an organization or personnel (known as a deliverable). The aim is to understand the assurance type and amount required to achieve confidence that the deliverable satisfies the stated IT security assurance requirements and consequently its security policy.
ISO/IEC TR 15443-1:2005 describes the fundamentals of security assurance and its relation to other security concepts. This is to clarify why security assurance is required and dispel common misconceptions such as that increased assurance is gained by increasing the strength of a security mechanism. The framework includes a categorization of assurance types and a generic lifecycle model to identify the appropriate assurance types required for the deliverable with respect to the deliverable's lifecycle. The model also demonstrates how security assurance must be managed throughout the deliverable's lifecycle requiring assurance decisions to be made by several assurance authorities for the lifecycle stage relevant to their organization (i.e. developer, standards, consumer). The framework has been developed to be general enough to accommodate different assurance types and map into any lifecycle approach so as not to dictate any particular design. Advanced security assurance concepts, such as combining security assurance methods, are addressed briefly as they are to be addressed in later parts of ISO/IEC TR 15443.
ISO/IEC TR 15443 targets IT security managers and other security professionals responsible for developing a security assurance program, engineering security into a deliverable, determining the security assurance of their deliverable, entering an assurance assessment audit (e.g. ISO 9000, SSE-CMM (ISO/IEC 21827), ISO/IEC 15408-3), or other assurance activities.
|
Withdrawn |
2005-02 |
Edition : 1 |
Number of pages : 23 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15443-1:2012 |
Information technology — Security techniques — Security assurance framework — Part 1: Introduction and concepts |
ISO/IEC TR 15443-1:2012 defines terms and establishes an extensive and organised set of concepts and their relationships for understanding IT security assurance, thereby establishing a basis for shared understanding of the concepts and principles central to ISO/IEC TR 15443 across its user communities. It provides information fundamental to users of ISO/IEC TR 15443-2.
|
Published |
2012-11 |
Edition : 2 |
Number of pages : 51 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15443-2:2005 |
Information technology — Security techniques — A framework for IT security assurance — Part 2: Assurance methods |
ISO/IEC TR 15443-2:2005 describes a variety of IT security assurance methods and approaches and relates them to the IT security assurance framework in ISO/IEC TR 15443-1. The emphasis is to identify qualitative properties of the assurance methods and elements that contribute to assurance, and where possible, to define assurance ratings. This material is intended for IT security professionals for the understanding of how to obtain assurance in a given life-cycle stage of a product or service.
The objective is to describe and categorize assurance methods and approaches in a manner enabling a review of their comparable and synergetic properties. This will facilitate selection of the appropriate assurance method, or possible combination of assurance methods, for a given IT security product, system, or service and its specific environment.
|
Withdrawn |
2005-09 |
Edition : 1 |
Number of pages : 66 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15443-2:2012 |
Information technology — Security techniques — Security assurance framework — Part 2: Analysis |
ISO/IEC TR 15443-2:2012 builds on the concepts presented in ISO/IEC TR 15443-1. It provides a discussion of the attributes of security assurance conformity assessment methods that contribute towards making assurance claims and providing assurance evidence to fulfil the assurance requirements for a deliverable.
ISO/IEC TR 15443-2:2012 proposes criteria for comparing and analysing different SACA methods. The reader is cautioned that the methods used as examples in ISO/IEC TR 15443-2:2012 are considered to represent popularly used methods at the time of its writing. New methods may appear, and modification or withdrawal of the methods cited may occur. It is intended that the criteria can be used to describe and compare any SACA method whatever its provenance.
|
Published |
2012-11 |
Edition : 2 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15443-3:2007 |
Information technology — Security techniques — A framework for IT security assurance — Part 3: Analysis of assurance methods |
ISO/IEC TR 15443-3:2007 provides general guidance to an assurance authority in the choice of the appropriate type of information and communications technology (ICT) assurance methods and lays the framework for the analysis of specific assurance methods for specific environments.
ISO/IEC TR 15443-3:2007 will allow the user to match specific assurance requirements and/or typical assurance situations with the general characteristics offered by available assurance methods.
The guidance of ISO/IEC TR 15443-3:2007 is applicable to the development, implementation and operation of ICT product and ICT systems with security requirements.
The advice given in ISO/IEC TR 15443-3:2007 will be qualitative and summary, and the user may need to analyse which methods presented in ISO/IEC TR 15443-2 will suit best his specific deliverables and organisational security requirements.
|
Withdrawn |
2007-12 |
Edition : 1 |
Number of pages : 63 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15446:2004 |
Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets |
ISO/IEC TR 15446:2004 provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with ISO/IEC 15408 (the "Common Criteria").
ISO/IEC TR 15446:2004 gives suggestions on how to develop each section of a PP or ST. It is supported by an annex that contains generic examples of each type of PP and ST component, and by other annexes that contain detailed worked examples.
ISO/IEC TR 15446:2004 is primarily aimed at those who are involved in the development of PPs and STs. However, it is also likely to be useful to evaluators of PPs and STs and to those who are responsible for monitoring PP and ST evaluation. It may also be of interest to consumers and users of PPs and STs who wish to understand what guidance the PP/ST author used, and which parts of the PP or ST are of principal interest.
|
Withdrawn |
2004-07 |
Edition : 1 |
Number of pages : 125 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15446:2009 |
Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets |
ISO/IEC TR 15446:2009 provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with the third edition of ISO/IEC 15408. It is also applicable to PPs and STs compliant with Common Criteria Version 3.1, a technically identical standard published by the Common Criteria Management Board, a consortium of governmental organizations involved in IT security evaluation and certification.
ISO/IEC TR 15446:2009 is not intended as an introduction to evaluation using ISO/IEC 15408. Readers who seek such an introduction should consult ISO/IEC 15408-1.
ISO/IEC TR 15446:2009 does not deal with associated tasks beyond PP and ST specifications such as PP registration and the handling of protected intellectual property.
|
Withdrawn |
2009-03 |
Edition : 2 |
Number of pages : 81 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15446:2017 |
Information technology — Security techniques — Guidance for the production of protection profiles and security targets |
ISO/IEC TR 15446 provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with the third edition of ISO/IEC 15408 (all parts). It is also applicable to PPs and STs compliant with Common Criteria Version 3.1 Revision 4[6], a technically identical standard published by the Common Criteria Management Board, a consortium of governmental organizations involved in IT security evaluation and certification.
NOTE ISO/IEC TR 15446 is not intended as an introduction to evaluation using ISO/IEC 15408 (all parts). Readers who seek such an introduction can read ISO/IEC 15408‑1.
ISO/IEC TR 15446 does not deal with associated tasks beyond PP and ST specification such as PP registration and the handling of protected intellectual property.
|
Published |
2017-10 |
Edition : 3 |
Number of pages : 79 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15816:2002 |
Information technology — Security techniques — Security information objects for access control |
The scope of this Recommendation | International Standard is:
a) the definition of guidelines for specifying the abstract syntax of generic and specific Security Information Objects (SIOs) for Access Control;
b) the specification of generic SIOs for Access Control;
c) the specification of specific SIOs for Access Control.
The scope of this Recommendation | International Standard covers only the "statics" of SIOs through syntactic definitions in terms of ASN.1 descriptions and additional semantic explanations. It does not cover the "dynamics" of SIOs, for example rules relating to their creation and deletion. The dynamics of SIOs are a local implementation issue.
|
Published |
2002-02 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15945:2002 |
Information technology — Security techniques — Specification of TTP services to support the application of digital signatures |
This Recommendation | International Standard will define those TTP services needed to support the application of digital signatures for the purpose of non-repudiation of creation of documents.
This Recommendation | International Standard will also define interfaces and protocols to enable interoperability between entities associated with these TTP services.
Definitions of technical services and protocols are required to allow for the implementation of TTP services and related commercial applications.
This Recommendation | International Standard focuses on:
— implementation and interoperability;
— service specifications; and
— technical requirements.
This Recommendation | International Standard does not describe the management of TTPs or other organizational, operational or personal issues. Those topics are mainly covered in ITU-T Rec. X.842 | ISO/IEC TR 14516, Information technology — Security techniques — Guidelines on the use and management of Trusted Third Party services.
NOTE 1 – Because interoperability is the main issue of this Recommendation | International Standard, the following restrictions hold:
i) Only those services which may be offered by a TTP, either to end entities or to another TTP, are covered in this Recommendation | International Standard.
ii) Only those services which may be requested and/or delivered by means of standardizable digital messages are covered.
iii) Only those services for which widely acceptable standardized messages can be agreed upon at the time this Recommendation | International Standard is published are specified in detail.
Further services will be specified in separate documents when widely acceptable standardized messages are available for them. In particular, time stamping services will be defined in a separate document.
NOTE 2 – The data structures and messages in this Recommendation | International Standard will be specified in accordance with RFC documents, RFC 2510 and RFC 2511 (for certificate management services) and RFC 2560 (for OCSP services). The certificate request format also allows interoperability with PKCS#10. See Annex C for references to the documents mentioned in this Note.
NOTE 3 – Other standardization efforts for TTP services in specific environments and applications, like SET or EDIFACT, exist. These are outside of the scope of this Recommendation | International Standard.
NOTE 4 – This Recommendation | International Standard defines technical specifications for services. These specifications are independent of policies, specific legal regulations, and organizational models (which, for example, might define how duties and responsibilities are shared between Certification Authorities and Registration Authorities). Of course, the policy of TTPs offering the services described in this Recommendation | International Standard will need to specify how legal regulations and the other aspects mentioned before will be fulfilled by the TTP. In particular, the policy has to specify how the validity of digital signatures and certificates is determined.
|
Published |
2002-02 |
Edition : 1 |
Number of pages : 53 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-1:2002 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General |
|
Withdrawn |
2002-12 |
Edition : 1 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-1:2008 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General |
ISO/IEC 15946 specifies public-key cryptographic techniques based on elliptic curves. It consists of five parts and includes the establishment of keys for symmetric cryptographic techniques, and digital signature mechanisms.
ISO/IEC 15946-1:2008 specifically addresses the general techniques based on elliptic curves. It describes the mathematical background and specifies the general techniques necessary for implementing mechanisms based on elliptic curves defined over finite fields or pairings based on elliptic curves.
ISO/IEC 15946-1:2008 specifies
— conventional functions,
— elliptic curves over any finite field such as a prime field and an extension field with characteristic two or three together with coordinates,
— pairings over an elliptic curve.
|
Withdrawn |
2008-04 |
Edition : 2 |
Number of pages : 30 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-1:2008/Cor 1:2009 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General — Technical Corrigendum 1 |
|
Withdrawn |
2009-02 |
Edition : 2 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-1:2016 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General |
ISO/IEC 15946-1:2016 describes the mathematical background and general techniques necessary for implementing the elliptic curve cryptography mechanisms defined in ISO/IEC 15946‑5, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and other ISO/IEC standards.
ISO/IEC 15946-1:2016 does not specify the implementation of the techniques it defines. For example, it does not specify the basis representation to be used when the elliptic curve is defined over a finite field of characteristic two. Thus, interoperability of products complying with ISO/IEC 15946-1:2016 will not be guaranteed.
|
Published |
2016-07 |
Edition : 3 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-2:2002 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 2: Digital signatures |
|
Withdrawn |
2002-12 |
Edition : 1 |
Number of pages : 29 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-3:2002 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 3: Key establishment |
|
Withdrawn |
2002-12 |
Edition : 1 |
Number of pages : 29 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-4:2004 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 4: Digital signatures giving message recovery |
ISO/IEC 15946-4:2004 specifically addresses the digital signatures giving message recovery based on elliptic curves. The scope of ISO/IEC 15946-4:2004 is restricted to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). The representation of elements of the underlying finite fields (i.e. which basis is used) is outside the scope of ISO/IEC 15946-4:2004.
ISO/IEC 15946-4:2004 specifies:
the digital signatures giving message recovery with each type of redundancy: natural redundancy, added redundancy, or both;
the general model for digital signatures giving partial or total message recovery aiming at reducing storage and transmission overhead.
Together with the general model, it provides five mechanisms to realize the digital signatures giving message recovery based on elliptic curves.
The mathematical background and general techniques necessary for implementing the mechanisms are described in ISO/IEC 15946-1.
|
Withdrawn |
2004-10 |
Edition : 1 |
Number of pages : 47 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-5:2009 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation |
ISO/IEC 15946 specifies public-key cryptographic techniques based on elliptic curves. They include the establishment of keys for secret-key systems and digital signature mechanisms.
ISO/IEC 15946-5:2009 defines the elliptic curve generation techniques useful for implementing the mechanisms defined in ISO/IEC 9796-3, ISO/IEC 11770-3, ISO/IEC 14888-3, and ISO/IEC 18033-2.
The scope of ISO/IEC 15946-5:2009 is restricted to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). The representation of elements of the underlying finite field (i.e. which basis is used) is outside the scope of ISO/IEC 15946-5:2009. ISO/IEC 15946 does not specify the implementation of the techniques it defines. Interoperability of products complying with ISO/IEC 15946 will not be guaranteed.
|
Withdrawn |
2009-12 |
Edition : 1 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-5:2009/Cor 1:2012 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation — Technical Corrigendum 1 |
|
Withdrawn |
2012-12 |
Edition : 1 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-5:2017 |
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation |
The ISO/IEC 15946 series specifies public-key cryptographic techniques based on elliptic curves described in ISO/IEC 15946‑1.
ISO/IEC 15946-5:2017 defines elliptic curve generation techniques useful for implementing the elliptic curve based mechanisms defined in ISO/IEC 29192‑4, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3 and ISO/IEC 18033‑2.
ISO/IEC 15946-5:2017 is applicable to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). This document is not applicable to the representation of elements of the underlying finite field (i.e. which basis is used).
The ISO/IEC 15946 series does not specify the implementation of the techniques it defines. Interoperability of products complying with the ISO/IEC 15946 series will not be guaranteed.
|
Withdrawn |
2017-08 |
Edition : 2 |
Number of pages : 30 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 15946-5:2022 |
Information security — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation |
The ISO/IEC 15946 series specifies public-key cryptographic techniques based on elliptic curves described in ISO/IEC 15946-1.
This document defines elliptic curve generation techniques useful for implementing the elliptic curve based mechanisms defined in ISO/IEC 29192‑4, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and ISO/IEC 18033‑5.
This document is applicable to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). This document is not applicable to the representation of elements of the underlying finite field (i.e. which basis is used).
|
Published |
2022-02 |
Edition : 3 |
Number of pages : 35 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 15947:2002 |
Information technology — Security techniques — IT intrusion detection framework |
ISO/IEC TR 15947:2002 defines a framework for detection of intrusions into IT systems. It establishes common definitions for intrusion detection terms and concepts. It describes the methodologies, concepts and relationships among them, addresses possible orderings of intrusion detection tasks and related activities, and attempts to relate these tasks and processes to an organization's or enterprise's procedures to demonstrate the practical integration of intrusion detection within an organization or enterprise security policy.
|
Withdrawn |
2002-10 |
Edition : 1 |
Number of pages : 22 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 17799:2000 |
Information technology — Code of practice for information security management |
|
Withdrawn |
2000-12 |
Edition : 1 |
Number of pages : 71 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 17799:2005 |
Information technology — Security techniques — Code of practice for information security management |
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
security policy;
organization of information security;
asset management;
human resources security;
physical and environmental security;
communications and operations management;
access control;
information systems acquisition, development and maintenance;
information security incident management;
business continuity management;
compliance.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
|
Withdrawn |
2005-06 |
Edition : 2 |
Number of pages : 115 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 17799:2005/Cor 1:2007 |
Information technology — Security techniques — Code of practice for information security management — Technical Corrigendum 1 |
|
Withdrawn |
2007-07 |
Edition : 2 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 17825:2016 |
Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules |
ISO/IEC 17825:2016 specifies the non-invasive attack mitigation test metrics for determining conformance to the requirements specified in ISO/IEC 19790 for Security Levels 3 and 4. The test metrics are associated with the security functions specified in ISO/IEC 19790. Testing will be conducted at the defined boundary of the cryptographic module and I/O available at its defined boundary.
The test methods used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790 and the test metrics specified in this International Standard for each of the associated security functions specified in ISO/IEC 19790 are specified in ISO/IEC 24759. The test approach employed in this International Standard is an efficient "push-button" approach: the tests are technically sound, repeatable and have moderate costs.
|
Published |
2016-01 |
Edition : 1 |
Number of pages : 46 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC DIS 17825 |
Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules |
|
Under development |
|
Edition : 2 |
Number of pages : 39 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 17922:2017 |
Information technology — Security techniques — Telebiometric authentication framework using biometric hardware security module |
To prove ownership of an ITU-T X.509 certificate registered individually with the registration authority (RA), a biometric hardware security module (BHSM) has been considered as a means of providing high-level biometric authentication. ISO/IEC 17922:2017 provides a framework for telebiometric authentication using BHSM.
Within the scope of ISO/IEC 17922:2017, the following issues are addressed:
- telebiometric authentication mechanisms using BHSM in telecommunication network environments; and
- abstract syntax notation one (ASN.1) format and protocols for implementing the mechanisms in the ITU‑T X.509 framework.
|
Published |
2017-09 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18014-1:2002 |
Information technology — Security techniques — Time-stamping services — Part 1: Framework |
ISO/IEC 18014-1:2002:
1. identifies the objective of a time-stamping authority;
2. describes a general model on which time-stamping services are based;
3. defines time-stamping services;
4. defines the basic protocols of time-stamping;
5. specifies the protocols between the involved entities.
|
Withdrawn |
2002-10 |
Edition : 1 |
Number of pages : 19 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18033-5:2015 |
Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers |
ISO/IEC 18033-5:2015 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.
|
Published |
2015-12 |
Edition : 1 |
Number of pages : 36 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18014-1:2008 |
Information technology — Security techniques — Time-stamping services — Part 1: Framework |
ISO/IEC 18014 specifies time-stamping techniques. It consists of three parts, which include the general notion, models for a time-stamping service, data structures, and protocols.
ISO/IEC 18014-1:2008 describes a framework and defines the basic notion, the data structures, and protocols which are used for any time-stamping technique.
ISO/IEC 18014-1:2008:
identifies the objective of a time-stamping authority;
describes a general model on which time-stamping services are based;
describes a process of generating and verifying time-stamps;
defines the data structures of time-stamp tokens;
defines the basic protocols of time-stamping;
specifies the protocols between the involved entities.
|
Published |
2008-09 |
Edition : 2 |
Number of pages : 28 |
Technical Committee |
35.030
IT Security
|