| Name | Description | Abstract | Status | Publication date | Edition | Number of pages | Technical committee | ICS |

Name : ISO/IEC 18014-1:2008/WD Amd 1
Description : Information technology — Security techniques — Time-stamping services — Part 1: Framework — Amendment 1
Abstract :
Status : Under development
Publication date :
Edition : 2
Number of pages :
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-2:2002
Description : Information technology — Security techniques — Time-stamping services — Part 2: Mechanisms producing independent tokens
Abstract :
ISO/IEC 18014-2:2002 describes time-stamping services producing independent tokens. It describes a general model for time-stamping services of this type and the basic components used to construct such a service, defines the data structures and protocols used to interact with such a service, and describes specific instances of such time-stamping services.
The usage of independent tokens presumes a high level of trust in the time-stamping authority (TSA).
Three independent mechanisms are currently covered:
- Time-stamps using digital signatures: in this mechanism the TSA has an asymmetric key pair and uses the private key to digitally sign the time-stamp token. Signature verification uses the public key. This mechanism may require the use of a PKI (Public Key Infrastructure).
- Time-stamps using message authentication codes: in this mechanism the TSA uses a secret key to bind the time association. The time-stamp token is authenticated using a Message Authentication Code (MAC). When using this mechanism, the TSA is required to carry out the verification.
- Time-stamps using archiving: in this mechanism the TSA returns a time-stamp token that carries only reference information binding the time-stamp to the messageImprint in the time-stamp token. The TSA archives locally enough information to verify that the time-stamp is correct.
Status : Withdrawn
Publication date : 2002-12
Edition : 1
Number of pages : 28
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-2:2009
Description : Information technology — Security techniques — Time-stamping services — Part 2: Mechanisms producing independent tokens
Abstract :
ISO/IEC 18014-2:2009 presents a general framework for the provision of time-stamping services.
Time-stamping services may generate, renew and verify time-stamp tokens.
Time-stamp tokens are associations between data and points in time, and are created in a way that aims to provide evidence that the data existed at the associated date and time. In addition, the evidence may be used by non-repudiation services.
ISO/IEC 18014-2:2009 specifies mechanisms that generate independent time-stamps: in order to verify an independent time-stamp token, verifiers do not need access to any other time-stamp tokens. That is, time-stamp tokens are not linked, as is the case for the token types defined in ISO/IEC 18014-3.
Status : Withdrawn
Publication date : 2009-12
Edition : 2
Number of pages : 28
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-2:2021
Description : Information security — Time-stamping services — Part 2: Mechanisms producing independent tokens
Abstract :
This document specifies mechanisms that generate, renew, and verify independent time-stamps. In order to verify an independent time-stamp token, time-stamp verifiers do not need access to any other time-stamp tokens. That is, such time-stamp tokens are not linked.
Status : Published
Publication date : 2021-09
Edition : 3
Number of pages : 22
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-2:2021/Cor 1
Description : Information security — Time-stamping services — Part 2: Mechanisms producing independent tokens — Technical Corrigendum 1
Abstract :
Status : Under development
Publication date :
Edition : 3
Number of pages :
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-3:2004
Description : Information technology — Security techniques — Time-stamping services — Part 3: Mechanisms producing linked tokens
Abstract :
ISO/IEC 18014-3:2004 describes time-stamping services producing linked tokens, that is, tokens that are cryptographically bound to other tokens produced by these time-stamping services. It describes a general model for time-stamping services of this type and the basic components used to construct such a service, defines the data structures and protocols used to interact with such a service, and describes specific instances of such time-stamping services.
The usage of linking operations reduces the level of trust required in the time-stamping service. The trustworthiness of linked tokens depends on the integrity of the linking operations carried out by the time-stamping service. The integrity of the linking operations performed by the time-stamping service can be verified algorithmically. A time-stamping service producing linked tokens may publish values derived from the linking operations into widely available media to further bind the issued tokens to widely-witnessed events and provide additional assurance of integrity. A time-stamping service producing linked tokens may also use aggregation operations to bind multiple token requests together, thus providing higher throughput through the use of co-operating processes. Algorithms applicable to linking, aggregation and publishing operations are covered.
Status : Withdrawn
Publication date : 2004-02
Edition : 1
Number of pages : 28
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-5:2015/Amd 1:2021
Description : Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers — Amendment 1: SM9 mechanism
Abstract :
Status : Published
Publication date : 2021-02
Edition : 1
Number of pages : 8
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-3:2009
Description : Information technology — Security techniques — Time-stamping services — Part 3: Mechanisms producing linked tokens
Abstract :
ISO/IEC 18014-3:2009
- describes a general model for time-stamping services producing linked tokens,
- describes the basic components used to construct a time-stamping service producing linked tokens,
- defines the data structures used to interact with a time-stamping service producing linked tokens,
- describes specific instances of time-stamping services producing linked tokens, and
- defines a protocol to be utilized by time-stamping services producing linked tokens for the purpose of extending linked tokens to published values.
Status : Published
Publication date : 2009-12
Edition : 2
Number of pages : 37
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18014-4:2015
Description : Information technology — Security techniques — Time-stamping services — Part 4: Traceability of time sources
Abstract :
ISO/IEC 18014-4:2015
- defines the functionality of the time assessment authority (TAA),
- describes an overall architecture for providing the time to the time-stamping authority (TSA) and for guaranteeing its correctness through the use of the TAA, and
- gives technical guidelines for the TAA to provide, and to provide assurance in, a trusted time source to the TSA.
Status : Published
Publication date : 2015-04
Edition : 1
Number of pages : 14
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18028-1:2006
Description : Information technology — Security techniques — IT network security — Part 1: Network security management
Abstract :
ISO/IEC 18028-1:2006 provides detailed guidance on the security aspects of the management, operation and use of information technology (IT) networks, and their interconnections.
It defines and describes the concepts associated with, and provides management guidance on, network security, including how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028). It is relevant to anyone who owns, operates or uses a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or network security, network operation, or who are responsible for an organization's overall security programme and security policy development.
The general objective of ISO/IEC 18028 is to extend the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 17799 by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.
Status : Withdrawn
Publication date : 2006-07
Edition : 1
Number of pages : 59
Technical committee :
ICS : 35.030 IT Security; 03.100.70 Management systems

Name : ISO/IEC 18028-2:2006
Description : Information technology — Security techniques — IT network security — Part 2: Network security architecture
Abstract :
ISO/IEC 18028-2:2006 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology. The objective of ISO/IEC 18028-2:2006 is to serve as a foundation for developing the detailed recommendations for end-to-end network security.
Status : Withdrawn
Publication date : 2006-02
Edition : 1
Number of pages : 21
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18028-3:2005
Description : Information technology — Security techniques — IT network security — Part 3: Securing communications between networks using security gateways
Abstract :
ISO/IEC 18028-3:2005 provides an overview of security gateways through a description of different architectures.
It outlines the techniques for security gateways to analyse network traffic. The techniques discussed are as follows:
- packet filtering,
- stateful packet inspection,
- application proxy,
- network address translation,
- content analysing and filtering.
Additionally, ISO/IEC 18028-3:2005 provides guidelines for the selection and configuration of security gateways. It gives guidance on choosing the right type of architecture for a security gateway, which best meets the security requirements of an organization.
Status : Withdrawn
Publication date : 2005-12
Edition : 1
Number of pages : 22
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18028-4:2005
Description : Information technology — Security techniques — IT network security — Part 4: Securing remote access
Abstract :
The general objectives of ISO/IEC 18028 are to extend the IT security management guidelines provided in ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.
ISO/IEC 18028-4:2005 provides guidance for securely using remote access (a method to remotely connect a computer either to another computer or to a network using public networks) and its implications for IT security. It introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection, or who already have it in use, and need advice on how to set it up and operate it securely.
Status : Withdrawn
Publication date : 2005-04
Edition : 1
Number of pages : 43
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-7:2022
Description : Information security — Encryption algorithms — Part 7: Tweakable block ciphers
Abstract :
This document specifies tweakable block ciphers. A tweakable block cipher is a family of n-bit permutations parametrized by a secret key value and a public tweak value. Such primitives are generic tools that can be used as building blocks to construct cryptographic schemes such as encryption, Message Authentication Codes, authenticated encryption, etc.
A total of five different tweakable block ciphers are defined. They are categorized in Table 1.
Status : Published
Publication date : 2022-04
Edition : 1
Number of pages : 18
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18028-5:2006
Description : Information technology — Security techniques — IT network security — Part 5: Securing communications across networks using virtual private networks
Abstract :
ISO/IEC 18028-5:2006 provides detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections.
ISO/IEC 18028-5:2006 defines techniques for securing inter-network connections that are established using virtual private networks (VPNs). It is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example IT network managers, administrators, engineers, and IT network security officers).
The general objectives of ISO/IEC 18028 are to extend the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 17799, by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.
The objective of ISO/IEC 18028-5:2006 is to provide a support service to different organizations, IT network managers, administrators, technicians, and IT security officers in choosing the appropriate virtual private network solution.
ISO/IEC 18028-5:2006 describes the general principles of organization, structure, framework and usage of virtual private IT networks (VPNs). It discusses functional areas, the standards and network protocols used, the various different types of VPN, their respective requirements, characteristics, and other aspects.
Status : Withdrawn
Publication date : 2006-07
Edition : 1
Number of pages : 21
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18031:2005
Description : Information technology — Security techniques — Random bit generation
Abstract :
ISO/IEC 18031:2005 specifies a conceptual model for a random bit generator for cryptographic purposes, together with the elements of this model.
ISO/IEC 18031:2005 also includes
- the description of the main elements required for a non-deterministic random bit generator;
- the description of the main elements required for a deterministic random bit generator;
- their characteristics;
- their security requirements.
Techniques for statistical testing of random bit generators for the purposes of independent verification or validation, and detailed designs for such generators, are outside the scope of ISO/IEC 18031:2005.
Status : Withdrawn
Publication date : 2005-11
Edition : 1
Number of pages : 124
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18031:2005/Cor 1:2009
Description : Information technology — Security techniques — Random bit generation — Technical Corrigendum 1
Abstract :
Status : Withdrawn
Publication date : 2009-02
Edition : 1
Number of pages : 3
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18031:2011
Description : Information technology — Security techniques — Random bit generation
Abstract :
ISO/IEC 18031:2011 specifies a conceptual model for a random bit generator for cryptographic purposes, together with the elements of this model.
ISO/IEC 18031:2011
- specifies the characteristics of the main elements required for a non-deterministic random bit generator,
- specifies the characteristics of the main elements required for a deterministic random bit generator,
- establishes the security requirements for both the non-deterministic and the deterministic random bit generator.
Where there is a requirement to produce sequences of random numbers from random bit strings, ISO/IEC 18031:2011 gives guidelines on how this can be performed.
Techniques for statistical testing of random bit generators for the purposes of independent verification or validation, and detailed designs for such generators, are outside the scope of ISO/IEC 18031:2011.
Status : Published
Publication date : 2011-11
Edition : 2
Number of pages : 142
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18031:2011/Amd 1:2017
Description : Information technology — Security techniques — Random bit generation — Amendment 1: Deterministic random bit generation
Abstract :
Status : Published
Publication date : 2017-02
Edition : 2
Number of pages : 23
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18031:2011/Cor 1:2014
Description : Information technology — Security techniques — Random bit generation — Technical Corrigendum 1
Abstract :
Status : Published
Publication date : 2014-10
Edition : 2
Number of pages : 2
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC CD 18031.2
Description : Information technology — Security techniques — Random bit generation
Abstract :
Status : Under development
Publication date :
Edition : 3
Number of pages :
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18032:2005
Description : Information technology — Security techniques — Prime number generation
Abstract :
ISO/IEC 18032:2005 specifies methods for generating and testing prime numbers. Prime numbers are used in various cryptographic algorithms, mainly in asymmetric encryption algorithms and digital signature algorithms.
Firstly, ISO/IEC 18032:2005 specifies methods for testing whether a given number is prime. The testing methods included in ISO/IEC 18032:2005 can be divided into two groups:
- Probabilistic primality tests, which have a small error probability. All probabilistic tests described here may declare a composite to be a prime. One test described here may declare a prime to be composite.
- Deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates.
Secondly, ISO/IEC 18032:2005 specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented.
Status : Withdrawn
Publication date : 2005-01
Edition : 1
Number of pages : 18
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 19896-2:2018
Description : IT security techniques — Competence requirements for information security testers and evaluators — Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers
Abstract :
This document provides the minimum knowledge, skills and effectiveness requirements for individuals performing testing activities for a conformance scheme using ISO/IEC 19790 and ISO/IEC 24759.
Status : Published
Publication date : 2018-08
Edition : 1
Number of pages : 34
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18032:2020
Description : Information security — Prime number generation
Abstract :
This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms.
Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups:
- probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime;
- deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates.
Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented.
NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one.
Annex A provides error probabilities that are utilized by the Miller-Rabin primality test.
Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met.
Annex C defines primitives utilized by the prime generation and verification methods.
Status : Published
Publication date : 2020-12
Edition : 2
Number of pages : 33
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-1:2005
Description : Information technology — Security techniques — Encryption algorithms — Part 1: General
Abstract :
ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality.
ISO/IEC 18033-1:2005 specifies:
- terms and definitions used throughout ISO/IEC 18033;
- the purpose of encryption, the differences between symmetric and asymmetric ciphers, and the key management problems associated with the use of ciphers;
- the uses and properties of encryption;
- criteria for the inclusion of encryption algorithms in ISO/IEC 18033.
Status : Withdrawn
Publication date : 2005-02
Edition : 1
Number of pages : 8
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-1:2005/Amd 1:2011
Description : Information technology — Security techniques — Encryption algorithms — Part 1: General — Amendment 1
Abstract :
Status : Withdrawn
Publication date : 2011-03
Edition : 1
Number of pages : 1
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-1:2015
Description : Information technology — Security techniques — Encryption algorithms — Part 1: General
Abstract :
ISO/IEC 18033-1:2015 is general in nature, and provides definitions that apply in subsequent parts of this International Standard. The nature of encryption is introduced, and certain general aspects of its use and properties are described. The criteria used to select the algorithms specified in subsequent parts of this International Standard are defined in Annexes A and B.
Status : Withdrawn
Publication date : 2015-08
Edition : 2
Number of pages : 16
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-1:2021
Description : Information security — Encryption algorithms — Part 1: General
Abstract :
This document is general in nature and provides definitions that apply in subsequent parts of the ISO/IEC 18033 series.
It introduces the nature of encryption and describes certain general aspects of its use and properties.
Status : Published
Publication date : 2021-09
Edition : 3
Number of pages : 18
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-2:2006
Description : Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers
Abstract :
ISO/IEC 18033-2:2006 specifies encryption systems (ciphers) for the purpose of data confidentiality. The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm should be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.
An asymmetric, i.e. public-key, encryption scheme allows a sender to use a recipient's public key to transmit an encryption of a message to the receiver, who can use his secret key to decrypt the given ciphertext, thereby obtaining the original message.
Such a scheme should be secure in the sense that no information about the message should be leaked to a (resource-bounded) attacker, even if that attacker mounts a so-called 'chosen ciphertext' attack, in which he may obtain decryptions of other ciphertexts. This is the strongest type of attack that has been proposed for a public-key encryption scheme.
ISO/IEC 18033-2:2006 specifies the functional interface of such a scheme, and in addition specifies a number of particular schemes that appear to be secure against chosen ciphertext attack. The different schemes offer different trade-offs between security properties and efficiency.
Status : Published
Publication date : 2006-05
Edition : 1
Number of pages : 125
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-2:2006/Amd 1:2017
Description : Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers — Amendment 1: FACE
Abstract :
Status : Published
Publication date : 2017-11
Edition : 1
Number of pages : 12
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-6:2019
Description : IT Security techniques — Encryption algorithms — Part 6: Homomorphic encryption
Abstract :
This document specifies the following mechanisms for homomorphic encryption:
— Exponential ElGamal encryption;
— Paillier encryption.
For each mechanism, this document specifies the process for:
— generating parameters and the keys of the involved entities;
— encrypting data;
— decrypting encrypted data; and
— homomorphically operating on encrypted data.
Annex A defines the object identifiers assigned to the mechanisms specified in this document. Annex B provides numerical examples.
Status : Published
Publication date : 2019-05
Edition : 1
Number of pages : 17
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2005
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers
Abstract :
ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality.
ISO/IEC 18033-3:2005 specifies block ciphers. A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.
ISO/IEC 18033-3:2005 specifies the following algorithms:
- 64-bit block ciphers: TDEA, MISTY1, CAST-128;
- 128-bit block ciphers: AES, Camellia, SEED.
NOTE The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm is designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.
Status : Withdrawn
Publication date : 2005-07
Edition : 1
Number of pages : 71
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2005/Cor 1:2006
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 1
Abstract :
Status : Withdrawn
Publication date : 2006-08
Edition : 1
Number of pages : 1
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2005/Cor 2:2007
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 2
Abstract :
Status : Withdrawn
Publication date : 2007-09
Edition : 1
Number of pages : 1
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2005/Cor 3:2008
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 3
Abstract :
Status : Withdrawn
Publication date : 2008-03
Edition : 1
Number of pages : 1
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2010
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers
Abstract :
ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality.
ISO/IEC 18033-3:2010 specifies block ciphers. A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.
ISO/IEC 18033-3:2010 specifies the following algorithms:
- 64-bit block ciphers: TDEA, MISTY1, CAST-128, HIGHT;
- 128-bit block ciphers: AES, Camellia, SEED.
NOTE The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm needs to be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.
Status : Published
Publication date : 2010-12
Edition : 2
Number of pages : 78
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-3:2010/Amd 1:2021
Description : Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Amendment 1: SM4
Abstract :
Status : Published
Publication date : 2021-06
Edition : 2
Number of pages : 6
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-4:2005
Description : Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers
Abstract :
ISO/IEC 18033-4:2005 specifies stream cipher algorithms. A stream cipher is an encryption mechanism that uses a keystream to encrypt a plaintext in a bitwise or block-wise manner. A stream cipher is technically specified by choosing a keystream generator and a mode of stream ciphers.
ISO/IEC 18033-4:2005 specifies the following ways to generate keystream:
- Mechanisms based on a block cipher: OFB, CTR, and CFB modes of block ciphers.
- Dedicated keystream generators: MUGI and SNOW 2.0.
ISO/IEC 18033-4:2005 specifies the following modes of stream ciphers:
- binary-additive output function,
- MULTI-S01 output function.
There are two types of stream cipher: a synchronous stream cipher, in which the keystream is generated only from the secret key (and an initialization vector), and a self-synchronizing stream cipher, in which the keystream is generated from the secret key and some past ciphertexts (and an initialization vector). Typically the encryption operation is the additive bitwise XOR operation between a keystream and the message. ISO/IEC 18033-4:2005 describes pseudorandom number generators for producing keystream as well as output functions for stream ciphers.
Status : Withdrawn
Publication date : 2005-07
Edition : 1
Number of pages : 43
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-4:2005/Amd 1:2009
Description : Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers — Amendment 1: Rabbit and Decim
Abstract :
Status : Withdrawn
Publication date : 2009-12
Edition : 1
Number of pages : 33
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-4:2011
Description : Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers
Abstract :
ISO/IEC 18033-4:2011 specifies output functions to combine a keystream with plaintext, keystream generators for producing keystream, and object identifiers assigned to dedicated keystream generators in accordance with ISO/IEC 9834.
Status : Published
Publication date : 2011-12
Edition : 2
Number of pages : 92
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18033-4:2011/Amd 1:2020
Description : Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers — Amendment 1: ZUC
Abstract :
Status : Published
Publication date : 2020-08
Edition : 2
Number of pages : 12
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC 18043:2006
Description : Information technology — Security techniques — Selection, deployment and operations of intrusion detection systems
Abstract :
ISO/IEC 18043:2006 provides guidance for an organization that decides to include an intrusion detection capability within its IT infrastructure. It is a "how to" for managers and users who want to: understand the benefits and limitations of IDS; develop a strategy and implementation plan for IDS; effectively manage the outputs of an IDS; integrate intrusion detection into the organization's security practices; and understand the legal and privacy issues involved in the deployment of IDS.
ISO/IEC 18043:2006 provides information that will facilitate collaboration among organizations using IDS. The common framework it provides will help make it easier for organizations to exchange information about intrusions that cut across organizational boundaries.
ISO/IEC 18043:2006 provides a brief overview of the intrusion detection process; discusses what an IDS can and cannot do; provides a checklist that helps identify the best IDS features for a specific IT environment; describes various deployment strategies; provides guidance on managing alerts from IDSs; and discusses management and legal considerations.
Status : Withdrawn
Publication date : 2006-06
Edition : 1
Number of pages : 46
Technical committee :
ICS : 35.030 IT Security

Name : ISO/IEC TR 18044:2004
Description : Information technology — Security techniques — Information security incident management
Abstract :
ISO/IEC TR 18044:2004 provides advice and guidance on information security incident management for information security managers and for information system managers.
ISO/IEC TR 18044:2004 provides
- information on the benefits to be obtained from and the key issues associated with a good information security incident management approach (to convince senior corporate management and those personnel who will report to and receive feedback from a scheme that the scheme should be introduced and used);
- information on examples of information security incidents, and an insight into their possible causes;
- a description of the planning and documentation required to introduce a good structured information security incident management approach;
- a description of the information security incident management process*.
* Quick, co-ordinated and effective responses to an information security incident require extensive technical and procedural preparations. Information security incident responses may consist of immediate, short- and long-term actions. Any actions undertaken as the response to an incident should be based on previously developed, documented and accepted security incident response procedures and processes, including those for post-response analysis.
Status : Withdrawn
Publication date : 2004-10
Edition : 1
Number of pages : 50
Technical committee :
ICS : 35.030 IT Security

| ISO/IEC 18045:2005 |
Information technology — Security techniques — Methodology for IT security evaluation |
ISO/IEC 18045:2005 is a companion document to ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 18045 specifies the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408.
|
Withdrawn |
2005-10 |
Edition : 1 |
Number of pages : 276 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18045:2008 |
Information technology — Security techniques — Methodology for IT security evaluation |
ISO/IEC 18045:2008 is a companion document to ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 18045:2008 defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. ISO/IEC 18045:2008 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.
|
Withdrawn |
2008-08 |
Edition : 2 |
Number of pages : 290 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18045:2022 |
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation |
This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
|
Published |
2022-08 |
Edition : 3 |
Number of pages : 423 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18180:2013 |
Information technology — Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 |
ISO/IEC 18180:2013 specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. ISO/IEC 18180:2013 also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
|
Published |
2013-06 |
Edition : 1 |
Number of pages : 73 |
Technical Committee |
35.030
IT Security
;
35.040.50
Automatic identification and data capture techniques
|
| ISO/IEC 19896-3:2018 |
IT security techniques — Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators |
This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045.
|
Published |
2018-08 |
Edition : 1 |
Number of pages : 33 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18367:2016 |
Information technology — Security techniques — Cryptographic algorithms and security mechanisms conformance testing |
ISO/IEC 18367:2016 gives guidelines for cryptographic algorithms and security mechanisms conformance testing methods.
Conformance testing assures that an implementation of a cryptographic algorithm or security mechanism is correct whether implemented in hardware, software or firmware. It also confirms that it runs correctly in a specific operating environment. Testing can consist of known-answer or Monte Carlo testing, or a combination of test methods. Testing can be performed on the actual implementation or modelled in a simulation environment.
ISO/IEC 18367:2016 does not include the efficiency of the algorithms or security mechanisms nor the intrinsic performance. This document focuses on the correctness of the implementation.
|
Published |
2016-12 |
Edition : 1 |
Number of pages : 68 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18370-1:2016 |
Information technology — Security techniques — Blind digital signatures — Part 1: General |
ISO/IEC 18370-1:2016 specifies principles, including a general model, a set of entities, a number of processes, and general requirements for blind digital signature mechanisms, as well as the following variants of blind digital signature mechanisms:
- blind signature mechanisms with partial disclosure;
- blind signature mechanisms with selective disclosure;
- traceable blind signature mechanisms.
It also contains terms, definitions, abbreviated terms and figure elements that are used in all parts of ISO/IEC 18370.
See Annex A for a comparison on the blind digital signature mechanisms.
|
Published |
2016-11 |
Edition : 1 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 18370-2:2016 |
Information technology — Security techniques — Blind digital signatures — Part 2: Discrete logarithm based mechanisms |
ISO/IEC 18370-2:2016 specifies blind digital signature mechanisms, together with mechanisms for three variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms. The security of all the mechanisms in ISO/IEC 18370-2:2016 is based on the discrete logarithm problem.
For each mechanism, ISO/IEC 18370-2:2016 specifies the following:
- the process for generating the keys of the entities involved in these mechanisms;
- the process for producing blind signatures;
- the process for verifying signatures.
ISO/IEC 18370-2:2016 specifies another process specific to blind signature mechanisms with selective disclosure, namely, the following:
- the presentation process.
Furthermore, ISO/IEC 18370-2:2016 specifies other processes specific to traceable blind signature mechanisms, namely, the following:
a) the process for tracing requestors;
b) the process for tracing signatures;
c) the requestor tracing evidence evaluation process (optional);
d) the signature tracing evidence evaluation process (optional).
|
Published |
2016-07 |
Edition : 1 |
Number of pages : 79 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TS 19249:2017 |
Information technology — Security techniques — Catalogue of architectural and design principles for secure products, systems and applications |
ISO/IEC TS 19249:2017 provides a catalogue of architectural and design principles that can be used in the development of secure products, systems and applications together with guidance on how to use those principles effectively.
ISO/IEC TS 19249:2017 gives guidelines for the development of secure products, systems and applications including a more effective assessment with respect to the security properties they are supposed to implement.
ISO/IEC TS 19249:2017 does not establish any requirements for the evaluation or the assessment process or implementation.
|
Published |
2017-10 |
Edition : 1 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19592-1:2016 |
Information technology — Security techniques — Secret sharing — Part 1: General |
ISO/IEC 19592-1:2016 specifies cryptographic secret sharing schemes and their properties. This document defines the parties involved in a secret sharing scheme, the terminology used in the context of secret sharing schemes, the parameters and the properties of such a scheme.
|
Published |
2016-11 |
Edition : 1 |
Number of pages : 7 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19592-2:2017 |
Information technology — Security techniques — Secret sharing — Part 2: Fundamental mechanisms |
ISO/IEC 19592-2:2017 specifies cryptographic secret sharing schemes.
|
Published |
2017-10 |
Edition : 1 |
Number of pages : 22 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TS 19608:2018 |
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408 |
This document provides guidance for:
— selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII);
— the procedure to define both privacy and security functional requirements in a coordinated manner; and
— developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2.
The intended audience for this document are:
— developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance on how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100;
— authors of Protection Profiles that address the protection of PII; and
— evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation.
This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.
|
Published |
2018-10 |
Edition : 1 |
Number of pages : 48 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19772:2009 |
Information technology — Security techniques — Authenticated encryption |
ISO/IEC 19772:2009 specifies six methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: data confidentiality, i.e. protection against unauthorized disclosure of data; data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All six methods specified in ISO/IEC 19772:2009 require the originator and the recipient of the protected data to share a secret key. Key management is outside the scope of ISO/IEC 19772:2009; key management techniques are defined in ISO/IEC 11770.
|
Withdrawn |
2009-02 |
Edition : 1 |
Number of pages : 29 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19772:2009/Cor 1:2014 |
Information technology — Security techniques — Authenticated encryption — Technical Corrigendum 1 |
|
Withdrawn |
2014-09 |
Edition : 1 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19772:2020 |
Information security — Authenticated encryption |
This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives:
— data confidentiality, i.e. protection against unauthorized disclosure of data;
— data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified;
— data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator.
All five methods specified in this document are based on a block cipher algorithm, and require the originator and the recipient of the protected data to share a secret key for this block cipher.
Key management is outside the scope of this document. Key management techniques are defined in ISO/IEC 11770 (all parts).
Four of the mechanisms in this document, namely mechanisms 3, 4, 5 (AAD variant only) and 6, allow data to be authenticated which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated data) that is integrity-protected but not encrypted. In all cases, the string A can be empty.
NOTE Examples of types of data that can need to be sent in unencrypted form, but whose integrity is to be protected, include addresses, port numbers, sequence numbers, protocol version numbers and other network protocol fields that indicate how the plaintext is to be handled, forwarded or processed.
|
Published |
2020-11 |
Edition : 2 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19790:2006 |
Information technology — Security techniques — Security requirements for cryptographic modules |
ISO/IEC 19790:2006 specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems.
ISO/IEC 19790:2006 specifies the following:
- four levels of increasing security for cryptographic modules, each level offering an increase in security over the preceding level;
- the following functional security objectives: module specification; ports and interfaces; roles, services and authentication; finite state model; physical security; operational environment; cryptographic key management; self-tests; design assurance; mitigation of other attacks.
ISO/IEC 19790:2006 will be complemented by a future International Standard defining the associated evaluation and test methods.
ISO/IEC 19790:2006 is derived from NIST Federal Information Processing Standard PUB 140-2 May 25, 2001.
|
Withdrawn |
2006-03 |
Edition : 1 |
Number of pages : 51 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19790:2006/Cor 1:2008 |
Information technology — Security techniques — Security requirements for cryptographic modules — Technical Corrigendum 1 |
|
Withdrawn |
2008-06 |
Edition : 1 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19790:2012 |
Information technology — Security techniques — Security requirements for cryptographic modules |
ISO/IEC 19790:2012 specifies the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location). This International Standard specifies four security levels for each of 11 requirement areas, with each security level increasing security over the preceding level.
ISO/IEC 19790:2012 specifies security requirements specifically intended to maintain the security provided by a cryptographic module; compliance with this International Standard is not sufficient to ensure that a particular module is secure or that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected.
|
Published |
2012-08 |
Edition : 2 |
Number of pages : 72 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19790:2012/Cor 1:2015 |
Information technology — Security techniques — Security requirements for cryptographic modules — Technical Corrigendum 1 |
|
Withdrawn |
2015-10 |
Edition : 2 |
Number of pages : 72 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC CD 19790 |
Information technology — Security techniques — Security requirements for cryptographic modules |
|
Under development |
|
Edition : 3 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC CD 23264-2.4 |
Information security — Redaction of authentic data — Part 2: Redactable signature schemes based on asymmetric mechanisms |
|
Under development |
|
Edition : 1 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 19791:2006 |
Information technology — Security techniques — Security assessment of operational systems |
ISO/IEC TR 19791:2006 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated.
ISO/IEC TR 19791:2006 provides:
- a definition and model for operational systems;
- a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;
- a methodology and process for performing the security evaluation of operational systems;
- additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria.
ISO/IEC TR 19791:2006 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2006.
ISO/IEC TR 19791:2006 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.
|
Withdrawn |
2006-05 |
Edition : 1 |
Number of pages : 165 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 19791:2010 |
Information technology — Security techniques — Security assessment of operational systems |
ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408 by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated.
ISO/IEC TR 19791:2010 provides:
a definition and model for operational systems;
a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;
a methodology and process for performing the security evaluation of operational systems;
additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria.
ISO/IEC TR 19791:2010 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2010.
ISO/IEC TR 19791:2010 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.
|
Published |
2010-04 |
Edition : 2 |
Number of pages : 235 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19792:2009 |
Information technology — Security techniques — Security evaluation of biometrics |
ISO/IEC 19792:2009 specifies the subjects to be addressed during a security evaluation of a biometric system.
It covers the biometric-specific aspects and principles to be considered during the security evaluation of a biometric system. It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).
ISO/IEC 19792:2009 does not aim to define any concrete methodology for the security evaluation of biometric systems but instead focuses on the principal requirements. As such, the requirements in ISO/IEC 19792:2009 are independent of any evaluation or certification scheme and will need to be incorporated into and adapted before being used in the context of a concrete scheme.
ISO/IEC 19792:2009 defines various areas that are important to be considered during a security evaluation of a biometric system.
ISO/IEC 19792:2009 is relevant to both evaluator and developer communities.
It specifies requirements for evaluators and provides guidance on performing a security evaluation of a biometric system.
It serves to inform developers of the requirements for biometric security evaluations to help them prepare for security evaluations.
Although ISO/IEC 19792:2009 is independent of any specific evaluation scheme it could serve as a framework for the development of concrete evaluation and testing methodologies to integrate the requirements for biometric evaluations into existing evaluation and certification schemes.
|
Published |
2009-08 |
Edition : 1 |
Number of pages : 37 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-10:2017 |
Information technology — Conformance test methods for security service crypto suites — Part 10: Crypto suite AES-128 |
ISO/IEC 19823-10:2017 describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167‑10.
ISO/IEC 19823-10:2017 contains conformance tests for all mandatory and applicable optional functions.
The conformance parameters are the following:
- parameters that apply directly, affecting system functionality and inter-operability;
- protocol including commands and replies;
- nominal values and tolerances.
Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑10.
|
Withdrawn |
2017-11 |
Edition : 1 |
Number of pages : 23 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-10:2020 |
Information technology — Conformance test methods for security service crypto suites — Part 10: Crypto suite AES-128 |
This document describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167‑10.
This document contains conformance tests for all mandatory and applicable optional functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID Tags and Interrogators defined in the ISO/IEC 15693 series and in the ISO/IEC 18000 series using ISO/IEC 29167‑10.
|
Published |
2020-01 |
Edition : 2 |
Number of pages : 45 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-11:2022 |
Information technology — Conformance test methods for security service crypto suites — Part 11: Crypto suite PRESENT-80 |
This document specifies methods for determining conformance to the security crypto suite defined in ISO/IEC 29167-11.
This document contains conformance tests for all mandatory functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167-11.
|
Published |
2022-10 |
Edition : 1 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-13:2018 |
Information technology — Conformance test methods for security service crypto suites — Part 13: Cryptographic Suite Grain-128A |
ISO/IEC 19823-13:2018 describes test methods for determining the conformance of security crypto suites with the specifications given in ISO/IEC 29167‑13.
ISO/IEC 19823-13:2018 contains conformance tests for all mandatory and optional functions.
The conformance parameters are the following:
- parameters that apply directly, affecting system functionality and inter-operability;
- protocol including commands and replies; and
- nominal values and tolerances.
Unless otherwise specified, the tests in this document are applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑13.
|
Published |
2018-04 |
Edition : 1 |
Number of pages : 21 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-16:2020 |
Information technology — Conformance test methods for security service crypto suites — Part 16: Crypto suite ECDSA-ECDH security services for air interface communications |
This document describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167-16.
This document contains conformance tests for all mandatory and applicable optional functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167-16.
|
Published |
2020-10 |
Edition : 1 |
Number of pages : 21 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-19:2018 |
Information technology — Conformance test methods for security service crypto suites — Part 19: Crypto suite RAMON |
This document describes test methods for determining the conformance of security crypto suites with the specifications given in ISO/IEC 29167‑19.
This document contains conformance tests for all mandatory and optional functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are exclusively applicable in relation to RFID tags and interrogators defined in the ISO/IEC 18000 series using a reference to this document.
|
Published |
2018-09 |
Edition : 1 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-21:2019 |
Information technology — Conformance test methods for security service crypto suites — Part 21: Crypto suite SIMON |
This document describes methods for determining conformance to the security crypto suite defined in ISO/IEC 29167‑21.
This document contains conformance tests for all mandatory functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑21.
|
Published |
2019-05 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19823-22:2019 |
Information technology — Conformance test methods for security service crypto suites — Part 22: Crypto suite SPECK |
This document describes methods for determining conformance to the security crypto suite defined in ISO/IEC 29167‑22.
This document contains conformance tests for all mandatory functions.
The conformance parameters are the following:
— parameters that apply directly, affecting system functionality and inter-operability;
— protocol including commands and replies;
— nominal values and tolerances.
Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑22.
|
Published |
2019-05 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19896-1:2018 |
IT security techniques — Competence requirements for information security testers and evaluators — Part 1: Introduction, concepts and general requirements |
ISO/IEC 19896-1:2018 defines terms and establishes an organized set of concepts and relationships to understand the competency requirements for information security assurance conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the ISO/IEC 19896 series.
|
Published |
2018-02 |
Edition : 1 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24761:2009/Cor 1:2013 |
Information technology — Security techniques — Authentication context for biometrics — Technical Corrigendum 1 |
|
Withdrawn |
2013-03 |
Edition : 1 |
Number of pages : 12 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19989-1:2020 |
Information security — Criteria and methodology for security evaluation of biometric systems — Part 1: Framework |
For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systems, this document specifies:
— extended security functional components to SFR Classes in ISO/IEC 15408-2;
— supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3.
This document introduces the general framework for the security evaluation of biometric systems, including extended security functional components and supplementary activities to methodology, which are additional evaluation activities together with guidance/recommendations for an evaluator on handling those activities. The supplementary evaluation activities are developed in this document, while the detailed recommendations are developed in ISO/IEC 19989-2 (for biometric recognition aspects) and in ISO/IEC 19989-3 (for presentation attack detection aspects). This document is applicable only to TOEs for a single biometric characteristic type. However, the selection of a characteristic from multiple characteristics in SFRs is allowed.
|
Published |
2020-09 |
Edition : 1 |
Number of pages : 62 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19989-2:2020 |
Information security — Criteria and methodology for security evaluation of biometric systems — Part 2: Biometric recognition performance |
For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series.
It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1.
The evaluation of presentation attack detection techniques is out of the scope of this document except for presentation from impostor attempts under the policy of the intended use following the TOE guidance documentation.
|
Published |
2020-10 |
Edition : 1 |
Number of pages : 33 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 19989-3:2020 |
Information security — Criteria and methodology for security evaluation of biometric systems — Part 3: Presentation attack detection |
For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1.
This document is applicable only to TOEs for a single biometric characteristic type; however, that characteristic may be selected from a set of multiple characteristics.
|
Published |
2020-09 |
Edition : 1 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 20004:2012 |
Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045 |
ISO/IEC TR 20004:2012 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation.
ISO/IEC TR 20004:2012 leverages the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC) to support the method of scoping and implementing ISO/IEC 18045:2008(E) vulnerability analysis activities.
ISO/IEC TR 20004:2012 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.
|
Withdrawn |
2012-08 |
Edition : 1 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 20004:2015 |
Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045 |
ISO/IEC TR 20004:2015 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. This Technical Report leverages publicly available information security resources to support the method of scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Report currently uses the common weakness enumeration (CWE) and the common attack pattern enumeration and classification (CAPEC), but does not preclude the use of any other appropriate resources. Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods, including those that fall outside the scope of the activities outlined in ISO/IEC 18045.
ISO/IEC TR 20004:2015 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.
|
Published |
2015-12 |
Edition : 2 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20008-1:2013 |
Information technology — Security techniques — Anonymous digital signatures — Part 1: General |
ISO/IEC 20008-1:2013 specifies principles, including a general model, a set of entities, a number of processes, and general requirements for the following two categories of anonymous digital signature mechanisms:
signature mechanisms using a group public key, and
signature mechanisms using multiple public keys.
|
Published |
2013-12 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20897-1:2020 |
Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 1: Security requirements |
This document specifies the security requirements for physically unclonable functions (PUFs). The specified security requirements concern the output properties, tamper-resistance and unclonability of a single PUF and of a batch of PUFs. Since the security requirements a PUF needs to meet depend on the application, this document also describes the typical use cases of a PUF.
Among PUF use cases, random number generation is out of the scope of this document.
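As an added example (not text or code from ISO/IEC 20897-1), the following Python computes three output-property metrics commonly used when characterising a batch of PUFs: uniformity (bias of a single response), uniqueness (mean inter-device Hamming distance across the batch, the measurable side of unclonability) and reliability (intra-device Hamming distance between the enrolment response and later re-evaluations). The responses are constructed with a seeded pseudo-random generator and synthetic bit-flip noise, and the pass/fail thresholds are assumptions, not figures from the standard. The second run shows the failure mode a batch evaluation is there to catch: devices that all return the same response look perfectly reliable yet have zero uniqueness.

```python
"""Output-property metrics for a batch of PUF responses.

Added example, not text or code from ISO/IEC 20897-1. All responses are
constructed (seeded pseudo-random enrolment values plus synthetic bit-flip
noise) and the pass/fail thresholds are assumptions, not figures from the
standard.
"""
import random

N_BITS = 128  # assumed response length


def hamming(a, b):
    """Number of bit positions in which two equal-length responses differ."""
    return bin(a ^ b).count("1")


def uniformity(resp, n_bits=N_BITS):
    """Fraction of 1 bits in one response; 0.5 is ideal (unbiased output)."""
    return bin(resp).count("1") / n_bits


def uniqueness(batch, n_bits=N_BITS):
    """Mean pairwise inter-device Hamming distance, as a fraction of n_bits.

    0.5 is ideal: each device's response is as far from every other device's
    as a random string would be. Identical responses across devices (clones,
    or a design whose output does not depend on the device) drive this to 0.
    """
    total, pairs = 0, 0
    for i in range(len(batch)):
        for j in range(i + 1, len(batch)):
            total += hamming(batch[i], batch[j])
            pairs += 1
    return total / (pairs * n_bits) if pairs else 0.0


def reliability(reference, repeats, n_bits=N_BITS):
    """1 minus the mean intra-device Hamming distance between the enrolment
    response and later re-evaluations of the same device; 1.0 is ideal."""
    if not repeats:
        return 1.0
    mean_hd = sum(hamming(reference, r) for r in repeats) / len(repeats)
    return 1.0 - mean_hd / n_bits


def flip_bits(resp, p, rng, n_bits=N_BITS):
    """Constructed measurement noise: flip each bit independently with probability p."""
    for k in range(n_bits):
        if rng.random() < p:
            resp ^= 1 << k
    return resp


def simulate_batch(n_devices=32, n_repeats=10, noise=0.03, seed=1):
    """Construct a healthy-looking batch: independent random enrolment
    responses and noisy re-evaluations of each device."""
    rng = random.Random(seed)
    batch = [rng.getrandbits(N_BITS) for _ in range(n_devices)]
    repeats = [[flip_bits(r, noise, rng) for _ in range(n_repeats)] for r in batch]
    return batch, repeats


def evaluate(batch, repeats, min_uniqueness=0.45, min_reliability=0.90):
    """Compute the three metrics and a verdict against assumed thresholds.

    Reliability is taken as the worst device in the batch, since a single
    unstable device is what breaks key reconstruction in the field.
    """
    unif = sum(uniformity(r) for r in batch) / len(batch)
    uniq = uniqueness(batch)
    rel = min(reliability(r, reps) for r, reps in zip(batch, repeats))
    return {
        "uniformity": unif,
        "uniqueness": uniq,
        "min_reliability": rel,
        "ok": uniq >= min_uniqueness and rel >= min_reliability,
    }


if __name__ == "__main__":
    print("healthy batch:", evaluate(*simulate_batch()))
    # Failure mode: every device returns the same response (cloned or
    # device-independent PUF). Reliability passes, uniqueness is 0.
    one_batch, one_repeats = simulate_batch(n_devices=1)
    print("cloned batch:", evaluate(one_batch * 8, one_repeats * 8))
```

The thresholds are deliberately loose; a real acceptance procedure would also fix the environmental conditions (temperature, supply voltage, ageing) under which the re-evaluations are taken, since reliability measured at a single operating point says little about field behaviour.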
|
Published |
2020-12 |
Edition : 1 |
Number of pages : 16 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20008-2:2013 |
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key |
ISO/IEC 20008-2:2013 specifies anonymous digital signature mechanisms, in which a verifier makes use of a group public key to verify a digital signature.
It provides
a general description of an anonymous digital signature mechanism using a group public key;
a variety of mechanisms that provide such anonymous digital signatures.
For each mechanism, ISO/IEC 20008-2:2013 specifies
the process for generating group member signature keys and a group public key;
the process for producing signatures;
the process for verifying signatures;
the process for opening signatures (if the mechanism supports opening);
the process for linking signatures (if the mechanism supports linking);
the process for revoking group members.
|
Published |
2013-11 |
Edition : 1 |
Number of pages : 85 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20008-2:2013/Amd 1:2021 |
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 1 |
|
Published |
2021-02 |
Edition : 1 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20008-2:2013/Amd 2 |
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2 |
|
Under development |
2023-04 |
Edition : 1 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC CD 20008-3 |
Information technology — Security techniques — Anonymous digital signatures — Part 3: Mechanisms using multiple public keys |
|
Under development |
|
Edition : 2 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20009-1:2013 |
Information technology — Security techniques — Anonymous entity authentication — Part 1: General |
ISO/IEC 20009-1:2013 specifies a model, requirements and constraints for anonymous entity authentication mechanisms that allow the legitimacy of an entity to be corroborated.
|
Published |
2013-08 |
Edition : 1 |
Number of pages : 6 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20009-2:2013 |
Information technology — Security techniques — Anonymous entity authentication — Part 2: Mechanisms based on signatures using a group public key |
ISO/IEC 20009-2:2013 specifies anonymous entity authentication mechanisms based on signatures using a group public key, in which a verifier verifies a group signature in order to authenticate the entity it is communicating with, without learning that entity's identity.
ISO/IEC 20009-2:2013 provides:
a general description of an anonymous entity authentication mechanism based on signatures using a group public key;
a variety of mechanisms of this type.
ISO/IEC 20009-2:2013 describes:
the group membership issuing processes;
anonymous authentication mechanisms without an online Trusted Third Party (TTP);
anonymous authentication mechanisms involving an online TTP.
Furthermore, ISO/IEC 20009-2:2013 also specifies:
the group membership opening process (optional);
the group signature linking process (optional).
|
Published |
2013-12 |
Edition : 1 |
Number of pages : 51 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20009-3:2022 |
Information security — Anonymous entity authentication — Part 3: Mechanisms based on blind signatures |
This document provides general descriptions and specifications of anonymous entity authentication mechanisms based on blind digital signatures.
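As an added example (not a mechanism specified in ISO/IEC 20009-3 and not the standard's own code), the following Python walks through the shape of such a mechanism using Chaum's RSA blind signature: the issuer authenticates the user by identity and blind-signs a token it cannot read, the user unblinds the result, and later presents the token to a verifier that checks the issuer's signature and rejects replays, with no way to link the presentation back to the issuance record. The Issuer/User/Verifier roles, the token format, the reduced 512-bit key size and the bare SHA-256 hash without a padding scheme are assumptions made for illustration; a deployable scheme needs full-size keys and a proper full-domain message encoding.

```python
"""Anonymous authentication via Chaum's RSA blind signature.

Added example, not a mechanism specified in ISO/IEC 20009-3 and not the
standard's code. The Issuer/User/Verifier roles, token format, 512-bit keys
and unpadded SHA-256 hashing are illustrative assumptions.
"""
import hashlib
import math
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin, sufficient for generating toy RSA primes here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits, rng):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _hash_to_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Issuer:
    """Knows who is asking (user_id is authenticated out of band) but signs a
    value it cannot relate to the token that will later be presented."""

    def __init__(self, rng, bits=512):
        self.pub, self._priv = rsa_keygen(bits, rng)
        self.log = []  # the issuer's complete view of every issuance

    def blind_sign(self, user_id, blinded):
        n, d = self._priv
        self.log.append((user_id, blinded))
        return pow(blinded, d, n)


class User:
    def __init__(self, pub, rng):
        self.n, self.e = pub
        self.rng = rng

    def obtain_token(self, issuer, user_id):
        token = self.rng.getrandbits(128).to_bytes(16, "big")
        m = _hash_to_int(token, self.n)
        r = self.rng.randrange(2, self.n)
        while math.gcd(r, self.n) != 1:
            r = self.rng.randrange(2, self.n)
        blinded = (m * pow(r, self.e, self.n)) % self.n   # m * r^e
        s_blind = issuer.blind_sign(user_id, blinded)       # (m * r^e)^d = m^d * r
        sig = (s_blind * pow(r, -1, self.n)) % self.n       # remove r: m^d
        return token, sig


class Verifier:
    """Holds only the issuer's public key; accepts each valid token once."""

    def __init__(self, pub):
        self.n, self.e = pub
        self.spent = set()

    def authenticate(self, token, sig):
        if pow(sig, self.e, self.n) != _hash_to_int(token, self.n):
            return False            # not issued by the issuer (or tampered)
        if token in self.spent:
            return False            # replay of an already-presented token
        self.spent.add(token)
        return True


def run_demo(seed=7):
    rng = random.Random(seed)       # seeded only to make the run reproducible
    issuer = Issuer(rng)
    verifier = Verifier(issuer.pub)
    user = User(issuer.pub, rng)
    n = issuer.pub[0]
    t1, s1 = user.obtain_token(issuer, "alice")
    t2, s2 = user.obtain_token(issuer, "bob")
    hashes = {_hash_to_int(t1, n), _hash_to_int(t2, n)}
    return {
        "accepted": verifier.authenticate(t1, s1),
        "replay_rejected": not verifier.authenticate(t1, s1),
        "tamper_rejected": not verifier.authenticate(t2, (s2 + 1) % n),
        "valid_after_failed_attempt": verifier.authenticate(t2, s2),
        # The log holds blinded values, never the token hashes, so neither
        # presentation can be matched to "alice" or "bob".
        "unlinkable": all(b not in hashes for _, b in issuer.log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The replay set is what turns a one-time blind-signed token into an authentication credential: without it, anyone who observes a presentation can reuse the token, since the verifier has no other way to tell holders apart. Note also that a failed signature check must not burn the token, otherwise an attacker could deny service by presenting garbage under a victim's token value.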
|
Published |
2022-02 |
Edition : 1 |
Number of pages : 16 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20009-4:2017 |
Information technology — Security techniques — Anonymous entity authentication — Part 4: Mechanisms based on weak secrets |
ISO/IEC 20009-4:2017 specifies anonymous entity authentication mechanisms based on weak secrets. The precise operation of each mechanism is specified, together with details of all inputs and outputs. This document is applicable to situations in which the server only verifies that the user belongs to a certain user group without obtaining any information that can be used to identify the user later on.
|
Published |
2017-08 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20085-1:2019 |
IT Security techniques — Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules — Part 1: Test tools and techniques |
This document provides specifications for non-invasive attack test tools and provides information about how to operate such tools. The purpose of the test tools is the collection of signals (i.e. side-channel leakage) and their analysis as a non-invasive attack on a cryptographic module implementation under test (IUT).
|
Published |
2019-10 |
Edition : 1 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20085-2:2020 |
IT Security techniques — Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules — Part 2: Test calibration methods and apparatus |
This document specifies the test calibration methods and apparatus used when calibrating test tools for cryptographic modules under ISO/IEC 19790 and ISO/IEC 24759 against the test metrics defined in ISO/IEC 17825 for mitigation of non-invasive attack classes.
|
Published |
2020-03 |
Edition : 1 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
|
| ISO 10191:1995/Amd 1:1998 |
Passenger car tyres — Verifying tyre capabilities — Laboratory test methods — Amendment 1 |
|
Withdrawn |
1998-09 |
Edition : 2 |
Number of pages : 1 |
Technical Committee |
83.160.10
Road vehicle tyres
|
| ISO/IEC 20243-1:2018 |
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations |
ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products.
The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider, for example a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM), the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.
|
Published |
2018-02 |
Edition : 1 |
Number of pages : 32 |
Technical Committee |
13.310
Protection against crime
;
35.030
IT Security
|
| ISO/IEC DIS 20243-1 |
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations |
ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products.
The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider, for example a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM), the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.
|
Under development |
|
Edition : 2 |
Number of pages : 29 |
Technical Committee |
13.310
Protection against crime
;
35.030
IT Security
|
| ISO/IEC 20243-2:2018 |
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018 |
ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider™ Standard (O-TTPS).
These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.
|
Published |
2018-01 |
Edition : 1 |
Number of pages : 33 |
Technical Committee |
13.310
Protection against crime
;
35.030
IT Security
|
| ISO/IEC DIS 20243-2 |
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 2: Assessment procedures for the O-TTPS |
ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider™ Standard (O-TTPS).
These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.
|
Under development |
|
Edition : 2 |
Number of pages : 44 |
Technical Committee |
13.310
Protection against crime
;
35.030
IT Security
|
| ISO/IEC 20243:2015 |
Information Technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products |
ISO/IEC 20243:2015 is the Open Trusted Technology Provider™ Standard (O-TTPS); it sets out the normative terminology that should be understood in relation to the specific requirements and recommendations found in Chapter 4 of this document.
|
Withdrawn |
2015-09 |
Edition : 1 |
Number of pages : 32 |
Technical Committee |
13.310
Protection against crime
;
35.030
IT Security
|