ESG-database.dk - Version 0.0.9

This page lists every ISO standard referenced on the ISO homepage, as of 02/04-2023.

ISO standards


Name Description Abstract Status Publication date Edition Number of pages Technical committee ICS
ISO/IEC 15946-1:2008/Cor 1:2009 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General — Technical Corrigendum 1  Withdrawn 2009-02 Edition : 2 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 15946-1:2008/Cor 2:2014 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General — Technical Corrigendum 2  Withdrawn 2014-04 Edition : 2 Number of pages : 2 Technical Committee 35.030 IT Security
ISO/IEC 15946-1:2016 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General ISO/IEC 15946-1:2016 describes the mathematical background and general techniques necessary for implementing the elliptic curve cryptography mechanisms defined in ISO/IEC 15946‑5, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and other ISO/IEC standards. ISO/IEC 15946-1:2016 does not specify the implementation of the techniques it defines. For example, it does not specify the basis representation to be used when the elliptic curve is defined over a finite field of characteristic two. Thus, interoperability of products complying with ISO/IEC 15946-1:2016 will not be guaranteed.  Published 2016-07 Edition : 3 Number of pages : 31 Technical Committee 35.030 IT Security
ISO/IEC 15946-2:2002 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 2: Digital signatures  Withdrawn 2002-12 Edition : 1 Number of pages : 29 Technical Committee 35.030 IT Security
ISO/IEC 15946-3:2002 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 3: Key establishment  Withdrawn 2002-12 Edition : 1 Number of pages : 29 Technical Committee 35.030 IT Security
ISO/IEC 18031:2005 Information technology — Security techniques — Random bit generation ISO/IEC 18031:2005 specifies a conceptual model for a random bit generator for cryptographic purposes, together with the elements of this model. ISO/IEC 18031:2005 also includes: the description of the main elements required for a non-deterministic random bit generator; the description of the main elements required for a deterministic random bit generator; their characteristics; their security requirements. Techniques for statistical testing of random bit generators for the purposes of independent verification or validation, and detailed designs for such generators, are outside the scope of ISO/IEC 18031:2005.  Withdrawn 2005-11 Edition : 1 Number of pages : 124 Technical Committee 35.030 IT Security
ISO/IEC 18031:2005/Cor 1:2009 Information technology — Security techniques — Random bit generation — Technical Corrigendum 1  Withdrawn 2009-02 Edition : 1 Number of pages : 3 Technical Committee 35.030 IT Security
ISO/IEC 15946-4:2004 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 4: Digital signatures giving message recovery ISO/IEC 15946-4:2004 specifically addresses the digital signatures giving message recovery based on elliptic curves. The scope of ISO/IEC 15946-4:2004 is restricted to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). The representation of elements of the underlying finite fields (i.e. which basis is used) is outside the scope of ISO/IEC 15946-4:2004. ISO/IEC 15946-4:2004 specifies: the digital signatures giving message recovery with each type of redundancy: natural redundancy, added redundancy, or both; the general model for digital signatures giving partial or total message recovery aiming at reducing storage and transmission overhead. Together with the general model, it provides five mechanisms to realize the digital signatures giving message recovery based on elliptic curves. The mathematical background and general techniques necessary for implementing the mechanisms are described in ISO/IEC 15946-1.  Withdrawn 2004-10 Edition : 1 Number of pages : 47 Technical Committee 35.030 IT Security
ISO/IEC 15946-5:2009 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation ISO/IEC 15946 specifies public-key cryptographic techniques based on elliptic curves. They include the establishment of keys for secret-key systems and digital signature mechanisms. ISO/IEC 15946-5:2009 defines the elliptic curve generation techniques useful for implementing the mechanisms defined in ISO/IEC 9796-3, ISO/IEC 11770-3, ISO/IEC 14888-3, and ISO/IEC 18033-2. The scope of ISO/IEC 15946-5:2009 is restricted to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). The representation of elements of the underlying finite field (i.e. which basis is used) is outside the scope of ISO/IEC 15946-5:2009. ISO/IEC 15946 does not specify the implementation of the techniques it defines. Interoperability of products complying with ISO/IEC 15946 will not be guaranteed.  Withdrawn 2009-12 Edition : 1 Number of pages : 31 Technical Committee 35.030 IT Security
ISO/IEC 15946-5:2009/Cor 1:2012 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation — Technical Corrigendum 1  Withdrawn 2012-12 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 15946-5:2017 Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation The ISO/IEC 15946 series specifies public-key cryptographic techniques based on elliptic curves described in ISO/IEC 15946‑1. ISO/IEC 15946-5:2017 defines elliptic curve generation techniques useful for implementing the elliptic curve based mechanisms defined in ISO/IEC 29192‑4, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3 and ISO/IEC 18033‑2. ISO/IEC 15946-5:2017 is applicable to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). This document is not applicable to the representation of elements of the underlying finite field (i.e. which basis is used). The ISO/IEC 15946 series does not specify the implementation of the techniques it defines. Interoperability of products complying with the ISO/IEC 15946 series will not be guaranteed.  Withdrawn 2017-08 Edition : 2 Number of pages : 30 Technical Committee 35.030 IT Security
ISO/IEC 15946-5:2022 Information security — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation The ISO/IEC 15946 series specifies public-key cryptographic techniques based on elliptic curves described in ISO/IEC 15946-1. This document defines elliptic curve generation techniques useful for implementing the elliptic curve based mechanisms defined in ISO/IEC 29192‑4, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and ISO/IEC 18033‑5. This document is applicable to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). This document is not applicable to the representation of elements of the underlying finite field (i.e. which basis is used).  Published 2022-02 Edition : 3 Number of pages : 35 Technical Committee 35.030 IT Security
ISO/IEC TR 15947:2002 Information technology — Security techniques — IT intrusion detection framework ISO/IEC TR 15947:2002 defines a framework for detection of intrusions into IT systems. It establishes common definitions for intrusion detection terms and concepts. It describes the methodologies, concepts and relationships among them, addresses possible orderings of intrusion detection tasks and related activities, and attempts to relate these tasks and processes to an organization's or enterprise's procedures to demonstrate the practical integration of intrusion detection within an organization or enterprise security policy.  Withdrawn 2002-10 Edition : 1 Number of pages : 22 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 17799:2000 Information technology — Code of practice for information security management  Withdrawn 2000-12 Edition : 1 Number of pages : 71 Technical Committee 35.030 IT Security
ISO/IEC 18033-1:2021 Information security — Encryption algorithms — Part 1: General This document is general in nature and provides definitions that apply in subsequent parts of the ISO/IEC 18033 series. It introduces the nature of encryption and describes certain general aspects of its use and properties.  Published 2021-09 Edition : 3 Number of pages : 18 Technical Committee 35.030 IT Security
ISO/IEC 17799:2005 Information technology — Security techniques — Code of practice for information security management ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance. The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.  Withdrawn 2005-06 Edition : 2 Number of pages : 115 Technical Committee 35.030 IT Security
ISO/IEC 17799:2005/Cor 1:2007 Information technology — Security techniques — Code of practice for information security management — Technical Corrigendum 1  Withdrawn 2007-07 Edition : 2 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 17825:2016 Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules ISO/IEC 17825:2016 specifies the non-invasive attack mitigation test metrics for determining conformance to the requirements specified in ISO/IEC 19790 for Security Levels 3 and 4. The test metrics are associated with the security functions specified in ISO/IEC 19790. Testing will be conducted at the defined boundary of the cryptographic module and I/O available at its defined boundary. The test methods used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790 and the test metrics specified in this International Standard for each of the associated security functions specified in ISO/IEC 19790 are specified in ISO/IEC 24759. The test approach employed in this International Standard is an efficient "push-button" approach: the tests are technically sound, repeatable and have moderate costs.  Published 2016-01 Edition : 1 Number of pages : 46 Technical Committee 35.030 IT Security
ISO/IEC DIS 17825 Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules  Under development Edition : 2 Number of pages : 39 Technical Committee 35.030 IT Security
ISO/IEC 17922:2017 Information technology — Security techniques — Telebiometric authentication framework using biometric hardware security module To prove ownership of an ITU-T X.509 certificate registered individually with the registration authority (RA), a biometric hardware security module has been considered to provide a high-level biometric authentication. ISO/IEC 17922:2017 provides a framework for telebiometric authentication using BHSM. Within the scope of ISO/IEC 17922:2017, the following issues are addressed: - telebiometric authentication mechanisms using BHSM in telecommunication network environments; and - abstract syntax notation one (ASN.1) format and protocols for implementing the mechanisms in the ITU‑T X.509 framework.  Published 2017-09 Edition : 1 Number of pages : 14 Technical Committee 35.030 IT Security
ISO/IEC 18014-1:2002 Information technology — Security techniques — Time-stamping services — Part 1: Framework ISO/IEC 18014-1:2002: 1. identifies the objective of a time-stamping authority; 2. describes a general model on which time-stamping services are based; 3. defines time-stamping services; 4. defines the basic protocols of time-stamping; 5. specifies the protocols between the involved entities.  Withdrawn 2002-10 Edition : 1 Number of pages : 19 Technical Committee 35.030 IT Security
ISO/IEC 18014-1:2008 Information technology — Security techniques — Time-stamping services — Part 1: Framework ISO/IEC 18014 specifies time-stamping techniques. It consists of three parts, which include the general notion, models for a time-stamping service, data structures, and protocols. ISO/IEC 18014-1:2008 describes a framework and defines the basic notion, the data structures, and protocols which are used for any time-stamping technique. ISO/IEC 18014-1:2008: identifies the objective of a time-stamping authority; describes a general model on which time-stamping services are based; describes a process for generating and verifying time-stamps; defines the data structures of time-stamp tokens; defines the basic protocols of time-stamping; specifies the protocols between the involved entities.  Published 2008-09 Edition : 2 Number of pages : 28 Technical Committee 35.030 IT Security
ISO/IEC 18014-1:2008/WD Amd 1 Information technology — Security techniques — Time-stamping services — Part 1: Framework — Amendment 1  Under development Edition : 2 Technical Committee 35.030 IT Security
ISO/IEC 23264-1:2021 Information security — Redaction of authentic data — Part 1: General This document specifies properties of cryptographic mechanisms to redact authentic data. In particular, it defines the processes involved in those mechanisms, the participating parties, and the cryptographic properties.  Published 2021-03 Edition : 1 Number of pages : 11 Technical Committee 35.030 IT Security
ISO/IEC 18014-2:2002 Information technology — Security techniques — Time-stamping services — Part 2: Mechanisms producing independent tokens ISO/IEC 18014-2:2002 describes time-stamping services producing independent tokens. It describes a general model for time-stamping services of this type and the basic components used to construct a time-stamping service of this type, it defines the data structures and protocols used to interact with a time-stamping service of this type, and it describes specific instances of such time-stamping services. The usage of independent tokens presumes a high level of trust in the time-stamping authority (TSA). Three independent mechanisms are currently covered. (1) Time-stamps using digital signatures: the TSA has an asymmetric key pair and uses the private key to digitally sign the time-stamp token; signature verification uses the public key. This mechanism may require the use of a PKI (Public Key Infrastructure). (2) Time-stamps using message authentication codes: the TSA uses a secret key to bind the time association, and the time-stamp token is authenticated using a Message Authentication Code (MAC). When using this mechanism, the TSA is needed to carry out the verification. (3) Time-stamps using archiving: the TSA returns a time-stamp token that only has reference information to bind the time-stamp to the messageImprint in the time-stamp token, and the TSA archives locally enough information to verify that the time-stamp is correct.  Withdrawn 2002-12 Edition : 1 Number of pages : 28 Technical Committee 35.030 IT Security
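Added example, not part of the ESG-database listing or of the standard's own text: the MAC mechanism and the archiving mechanism from the abstract above, in Python with only the standard library. The signature mechanism is left out because it needs an asymmetric library and a PKI. Everything concrete here (token fields, the 32-byte HMAC key, the fixed clock, the document bytes) is a constructed assumption for the demo; the point it shows is that for both mechanisms the verifier has to go back to the TSA, because verification needs the TSA's secret key or the TSA's archive.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Optional


def message_imprint(data: bytes) -> bytes:
    """The messageImprint: a hash of the data, so the TSA never needs the data itself."""
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class TimeStampToken:
    imprint: bytes
    gen_time: int            # seconds since the epoch, taken from the TSA clock
    serial: int
    mac: Optional[bytes]     # MAC mechanism: the tag; archiving mechanism: None


class MacTSA:
    """Time-stamps using message authentication codes: the TSA binds imprint, time
    and serial number under a secret key it never shares, so only the TSA can verify."""

    def __init__(self, clock):
        self._key = secrets.token_bytes(32)   # assumption: 32-byte HMAC-SHA256 key
        self._clock = clock
        self._serial = 0

    def _tag(self, imprint: bytes, gen_time: int, serial: int) -> bytes:
        msg = imprint + gen_time.to_bytes(8, "big") + serial.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, data: bytes) -> TimeStampToken:
        self._serial += 1
        imprint, gen_time = message_imprint(data), self._clock()
        return TimeStampToken(imprint, gen_time, self._serial,
                              self._tag(imprint, gen_time, self._serial))

    def verify(self, token: TimeStampToken, data: bytes) -> bool:
        expected = self._tag(message_imprint(data), token.gen_time, token.serial)
        return token.mac is not None and hmac.compare_digest(token.mac, expected)


class ArchivingTSA:
    """Time-stamps using archiving: the token carries only reference information
    (serial, imprint, time); the TSA keeps a local record and compares against it."""

    def __init__(self, clock):
        self._clock = clock
        self._archive = {}
        self._serial = 0

    def issue(self, data: bytes) -> TimeStampToken:
        self._serial += 1
        imprint, gen_time = message_imprint(data), self._clock()
        self._archive[self._serial] = (imprint, gen_time)
        return TimeStampToken(imprint, gen_time, self._serial, None)

    def verify(self, token: TimeStampToken, data: bytes) -> bool:
        return self._archive.get(token.serial) == (message_imprint(data), token.gen_time)


def fixed_clock() -> int:
    return 1_700_000_000     # constructed: a frozen clock so the demo is repeatable


def demo() -> dict:
    """Constructed scenario: one genuine document, then a substituted document
    and a back-dated token, checked against each TSA."""
    results = {}
    for name, tsa in (("mac", MacTSA(fixed_clock)), ("archive", ArchivingTSA(fixed_clock))):
        token = tsa.issue(b"signed contract, version 1")
        results[name] = {
            "genuine": tsa.verify(token, b"signed contract, version 1"),
            "other_data": tsa.verify(token, b"signed contract, version 2"),
            "backdated": tsa.verify(replace(token, gen_time=token.gen_time - 86400),
                                    b"signed contract, version 1"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Both `verify` methods live on the TSA object on purpose: a relying party holding only the token and the data cannot check it, which is exactly the trust assumption the abstract states and which the linked-token mechanisms of Part 3 are designed to remove.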
ISO/IEC 18014-2:2009 Information technology — Security techniques — Time-stamping services — Part 2: Mechanisms producing independent tokens ISO/IEC 18014-2:2009 presents a general framework for the provision of time-stamping services. Time-stamping services may generate, renew and verify time-stamp tokens. Time-stamp tokens are associations between data and points in time, and are created in a way that aims to provide evidence that the data existed at the associated date and time. In addition, the evidence may be used by non-repudiation services. ISO/IEC 18014-2:2009 specifies mechanisms that generate independent time-stamps: in order to verify an independent time-stamp token, verifiers do not need access to any other time-stamp tokens. That is, time-stamp tokens are not linked, as is the case for the token types defined in ISO/IEC 18014-3.  Withdrawn 2009-12 Edition : 2 Number of pages : 28 Technical Committee 35.030 IT Security
ISO/IEC 18014-2:2021 Information security — Time-stamping services — Part 2: Mechanisms producing independent tokens This document specifies mechanisms that generate, renew, and verify independent time-stamps. In order to verify an independent time-stamp token, time-stamp verifiers do not need access to any other time-stamp tokens. That is, such time-stamp tokens are not linked.  Published 2021-09 Edition : 3 Number of pages : 22 Technical Committee 35.030 IT Security
ISO/IEC 18014-2:2021/Cor 1 Information security — Time-stamping services — Part 2: Mechanisms producing independent tokens — Technical Corrigendum 1  Under development Edition : 3 Technical Committee 35.030 IT Security
ISO/IEC 18014-3:2004 Information technology — Security techniques — Time-stamping services — Part 3: Mechanisms producing linked tokens ISO/IEC 18014-3:2004 describes time-stamping services producing linked tokens, that is, tokens that are cryptographically bound to other tokens produced by these time-stamping services. It describes a general model for time-stamping services of this type and the basic components used to construct a time-stamping service of this type, it defines the data structures and protocols used to interact with a time-stamping service of this type, and it describes specific instances of such time-stamping services. The usage of linking operations reduces the level of trust required in the time-stamping service. The trustworthiness of linked tokens depends on the integrity of the linking operations carried out by the time-stamping service. The integrity of the linking operations performed by the time-stamping service can be verified algorithmically. A time-stamping service producing linked tokens may publish values derived from the linking operations into widely available media to further bind the issued tokens to widely-witnessed events and provide additional assurance of integrity. A time-stamping service producing linked tokens may also use aggregation operations to bind multiple token requests together, thus providing higher throughput through the use of co-operating processes. Algorithms applicable to linking, aggregation and publishing operations are covered.  Withdrawn 2004-02 Edition : 1 Number of pages : 28 Technical Committee 35.030 IT Security
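Added example, not part of the ESG-database listing or of the standard's own text: the linking, aggregation and publishing operations described in the abstract above, in Python with only the standard library. The tree shape, the genesis value, the hash (SHA-256) and the documents are constructed assumptions for the demo, not the data structures ISO/IEC 18014-3 defines. What it shows is the property the abstract claims: a token is verified algorithmically from the imprint, its audit path and a published linking value, with no TSA key involved.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def message_imprint(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def aggregate(leaves: List[bytes]) -> Tuple[bytes, List[List[Tuple[bytes, bool]]]]:
    """Aggregation: a binary hash tree over every imprint of one round. Returns the
    root and, per leaf, the audit path of (sibling_hash, sibling_is_left) that lets
    a verifier recompute the root from that leaf alone."""
    n = len(leaves)
    paths: List[List[Tuple[bytes, bool]]] = [[] for _ in range(n)]
    level = list(leaves)
    pos = list(range(n))                     # index of each leaf's ancestor in `level`
    while len(level) > 1:
        if len(level) % 2:                   # odd level: duplicate the last node
            level.append(level[-1])
        for i in range(n):
            sib = pos[i] ^ 1
            paths[i].append((level[sib], sib < pos[i]))
            pos[i] //= 2
        level = [h(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths


@dataclass(frozen=True)
class LinkedToken:
    round_no: int
    imprint: bytes
    audit_path: List[Tuple[bytes, bool]]
    prev_link: bytes     # linking value of the previous round
    link: bytes          # linking value of this round: H(prev_link || round root)


class LinkingTSA:
    """Each round's linking value is chained to the previous one, so back-dating a
    token means rewriting every later link; publishing the linking values ties the
    chain to a widely witnessed event."""

    GENESIS = b"\x00" * 32                   # assumption: fixed genesis value

    def __init__(self):
        self.round_no = 0
        self.prev_link = self.GENESIS
        self.published: Dict[int, bytes] = {}   # stands in for the public medium

    def process_round(self, requests: List[bytes]) -> List[LinkedToken]:
        imprints = [message_imprint(r) for r in requests]
        root, paths = aggregate(imprints)
        self.round_no += 1
        link = h(self.prev_link, root)
        tokens = [LinkedToken(self.round_no, imp, path, self.prev_link, link)
                  for imp, path in zip(imprints, paths)]
        self.prev_link = link
        self.published[self.round_no] = link
        return tokens


def verify(token: LinkedToken, data: bytes, published: Dict[int, bytes]) -> bool:
    """Recompute root from imprint and audit path, recompute the link, compare with
    the published value. Nothing secret is needed."""
    node = message_imprint(data)
    if node != token.imprint:
        return False
    for sibling, sibling_is_left in token.audit_path:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    link = h(token.prev_link, node)
    return link == token.link and published.get(token.round_no) == link


def demo() -> dict:
    tsa = LinkingTSA()
    docs = [b"contract v1", b"invoice 42", b"log segment 7"]   # constructed inputs
    round1 = tsa.process_round(docs)
    round2 = tsa.process_round([b"a later document"])         # single-leaf round
    return {
        "round1_all_verify": all(verify(t, d, tsa.published) for t, d in zip(round1, docs)),
        "round2_verifies": verify(round2[0], b"a later document", tsa.published),
        "round2_chained_to_round1": round2[0].prev_link == tsa.published[1],
        "tampered_data": verify(round1[0], b"contract v2", tsa.published),
        "wrong_round": verify(round1[1], b"invoice 42", {1: tsa.published[2]}),
    }


if __name__ == "__main__":
    print(demo())
```

The `published` dictionary is where a real service would put a newspaper notice or a public ledger entry; the verifier needs only that value and the token, which is the reduction in required trust the abstract refers to.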
ISO/IEC 18014-3:2009 Information technology — Security techniques — Time-stamping services — Part 3: Mechanisms producing linked tokens ISO/IEC 18014-3:2009 describes a general model for time-stamping services producing linked tokens, describes the basic components used to construct a time-stamping service producing linked tokens, defines the data structures used to interact with a time-stamping service producing linked tokens, describes specific instances of time-stamping services producing linked tokens, and defines a protocol to be utilized by time-stamping services producing linked tokens for the purpose of extending linked tokens to published values.  Published 2009-12 Edition : 2 Number of pages : 37 Technical Committee 35.030 IT Security
ISO/IEC 18014-4:2015 Information technology — Security techniques — Time-stamping services — Part 4: Traceability of time sources ISO/IEC 18014-4:2015 - defines the functionality of the time assessment authority (TAA), - describes an overall architecture for providing the time to the time-stamping authority (TSA) and for guaranteeing its correctness through the use of the TAA, and - gives technical guidelines for the TAA to provide, and to provide assurance in, a trusted time source to the TSA.  Published 2015-04 Edition : 1 Number of pages : 14 Technical Committee 35.030 IT Security
ISO/IEC 18028-1:2006 Information technology — Security techniques — IT network security — Part 1: Network security management ISO/IEC 18028-1:2006 provides detailed guidance on the security aspects of the management, operation and use of information technology (IT) networks, and their interconnections. It defines and describes the concepts associated with, and provides management guidance on, network security - including on how to identify and analyse the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas (dealt with in subsequent parts of ISO/IEC 18028). It is relevant to anyone who owns, operates or uses a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or network security, network operation, or who are responsible for an organization's overall security programme and security policy development. The general objective of ISO/IEC 18028 is to extend the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 17799 by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations.  Withdrawn 2006-07 Edition : 1 Number of pages : 59 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 18028-2:2006 Information technology — Security techniques — IT network security — Part 2: Network security architecture ISO/IEC 18028-2:2006 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology. The objective of ISO/IEC 18028-2:2006 is to serve as a foundation for developing the detailed recommendations for the end-to-end network security.  Withdrawn 2006-02 Edition : 1 Number of pages : 21 Technical Committee 35.030 IT Security
ISO/IEC 18028-3:2005 Information technology — Security techniques — IT network security — Part 3: Securing communications between networks using security gateways ISO/IEC 18028-3:2005 provides an overview of security gateways through a description of different architectures. It outlines the techniques for security gateways to analyse network traffic. The techniques discussed are as follows: packet filtering, stateful packet inspection, application proxy, network address translation, content analysing and filtering. Additionally, ISO/IEC 18028-3:2005 provides guidelines for the selection and configuration of security gateways. It gives guidance to choose the right type of architecture for a security gateway, which best meets the security requirements of an organization.  Withdrawn 2005-12 Edition : 1 Number of pages : 22 Technical Committee 35.030 IT Security
ISO/IEC 18028-4:2005 Information technology — Security techniques — IT network security — Part 4: Securing remote access The general objectives of ISO/IEC 18028 are to extend the IT security management guidelines provided in ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations. ISO/IEC 18028-4:2005 provides guidance for securely using remote access - a method to remotely connect a computer either to another computer or to a network using public networks - and its implication for IT security. In this it introduces the different types of remote access including the protocols in use, discusses the authentication issues related to remote access and provides support when setting up remote access securely. It is intended to help network administrators and technicians who plan to make use of this kind of connection or who already have it in use and need advice on how to set it up securely and operate it securely.  Withdrawn 2005-04 Edition : 1 Number of pages : 43 Technical Committee 35.030 IT Security
ISO/IEC 18028-5:2006 Information technology — Security techniques — IT network security — Part 5: Securing communications across networks using virtual private networks ISO/IEC 18028-5:2006 provides detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections. ISO/IEC 18028-5:2006 defines techniques for securing inter-network connections that are established using virtual private networks (VPNs). It is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example IT network managers, administrators, engineers, and IT network security officers). The general objectives of ISO/IEC 18028 are to extend the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 17799, by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations. The objective of ISO/IEC 18028-5:2006 is to support organizations, IT network managers, administrators, technicians, and IT security officers in choosing the appropriate virtual private network solution. ISO/IEC 18028-5:2006 describes the general principles of organization, structure, framework and usage of virtual private IT networks (VPNs). It discusses functional areas, the standards and network protocols used, the various types of VPN, their respective requirements, characteristics, and other aspects.  Withdrawn 2006-07 Edition : 1 Number of pages : 21 Technical Committee 35.030 IT Security
ISO/IEC CD 23264-2.4 Information security — Redaction of authentic data — Part 2: Redactable signature schemes based on asymmetric mechanisms  Under development Edition : 1 Technical Committee 35.030 IT Security
ISO 4305:2014/Amd 1:2016 Mobile cranes — Determination of stability — Amendment 1  Published 2016-04 Edition : 3 Number of pages : 1 Technical Committee 53.020.20 Cranes
ISO/IEC 18031:2011 Information technology — Security techniques — Random bit generation ISO/IEC 18031:2011 specifies a conceptual model for a random bit generator for cryptographic purposes, together with the elements of this model. ISO/IEC 18031:2011 specifies the characteristics of the main elements required for a non-deterministic random bit generator, specifies the characteristics of the main elements required for a deterministic random bit generator, establishes the security requirements for both the non-deterministic and the deterministic random bit generator. Where there is a requirement to produce sequences of random numbers from random bit strings, ISO/IEC 18031:2011 gives guidelines on how this can be performed. Techniques for statistical testing of random bit generators for the purposes of independent verification or validation, and detailed designs for such generators, are outside the scope of ISO/IEC 18031:2011.  Published 2011-11 Edition : 2 Number of pages : 142 Technical Committee 35.030 IT Security
ISO/IEC 18031:2011/Amd 1:2017 Information technology — Security techniques — Random bit generation — Amendment 1: Deterministic random bit generation  Published 2017-02 Edition : 2 Number of pages : 23 Technical Committee 35.030 IT Security
ISO/IEC 18031:2011/Cor 1:2014 Information technology — Security techniques — Random bit generation — Technical Corrigendum 1  Published 2014-10 Edition : 2 Number of pages : 2 Technical Committee 35.030 IT Security
ISO/IEC CD 18031.2 Information technology — Security techniques — Random bit generation  Under development Edition : 3 Technical Committee 35.030 IT Security
ISO/IEC 18032:2005 Information technology — Security techniques — Prime number generation ISO/IEC 18032:2005 specifies methods for generating and testing prime numbers. Prime numbers are used in various cryptographic algorithms, mainly in asymmetric encryption algorithms and digital signature algorithms. Firstly, ISO/IEC 18032:2005 specifies methods for testing whether a given number is prime. The testing methods included in ISO/IEC 18032:2005 can be divided into two groups: probabilistic primality tests, which have a small error probability (all probabilistic tests described here may declare a composite to be a prime; one test described here may declare a prime to be composite); deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, ISO/IEC 18032:2005 specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented.  Withdrawn 2005-01 Edition : 1 Number of pages : 18 Technical Committee 35.030 IT Security
ISO/IEC 18032:2020 Information security — Prime number generation This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.  Published 2020-12 Edition : 2 Number of pages : 33 Technical Committee 35.030 IT Security
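Added example, not part of the ESG-database listing or of the standard's own text: the probabilistic side of the two abstracts above (the 2005 and 2020 editions of ISO/IEC 18032) in Python with only the standard library. It implements the Miller-Rabin test, shows with the Carmichael number 561 why the weaker Fermat test is not enough, and generates primes with an extra constraint of the kind Annex B is about. The round count, the trial-division bound and the sample numbers are assumptions for the demo; the deterministic, certificate-producing methods are not shown, and the 4^-rounds bound is the generic one, not the tighter size-dependent figures of Annex A.

```python
import secrets
from typing import Callable

# Primes below 100 for cheap trial division before the expensive test (assumption: bound 100).
SMALL_PRIMES = [p for p in range(2, 100)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_mr_witness(n: int, a: int) -> bool:
    """One Miller-Rabin round. Write n-1 = 2^s * d with d odd; n survives the round
    if a^d = 1 or a^(2^i d) = -1 (mod n) for some i < s. Returns True when base a
    proves n composite (a is a 'witness')."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def is_probable_prime(n: int, rounds: int = 40,
                      randbelow: Callable[[int], int] = secrets.randbelow) -> bool:
    """Trial division, then `rounds` independent Miller-Rabin rounds with random bases.
    A composite survives one round with probability at most 1/4, so it is misreported
    as prime with probability at most 4**-rounds; a prime is never rejected."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = 2 + randbelow(n - 3)          # uniform base in [2, n-2]
        if is_mr_witness(n, a):
            return False
    return True


def fermat_passes(n: int, a: int) -> bool:
    """The weaker Fermat test, for contrast: a^(n-1) = 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def generate_prime(bits: int, rounds: int = 40,
                   accept: Callable[[int], bool] = lambda p: True) -> int:
    """Probabilistic generation: random odd candidate with the top bit set, retried
    until it satisfies `accept` (e.g. p = 3 mod 4) and passes the test."""
    if bits < 16:
        raise ValueError("use at least 16 bits")
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if accept(candidate) and is_probable_prime(candidate, rounds):
            return candidate


def demo() -> dict:
    carmichael = 561                      # 3 * 11 * 17: fools Fermat for every coprime base
    p = generate_prime(128, accept=lambda q: q % 4 == 3)
    return {
        "mersenne_61_is_prime": is_probable_prime((1 << 61) - 1),
        "product_of_two_primes_rejected": is_probable_prime(((1 << 61) - 1) * ((1 << 31) - 1)),
        "fermat_fooled_by_561": fermat_passes(carmichael, 2),
        "miller_rabin_catches_561": is_mr_witness(carmichael, 2),
        "generated_bits": p.bit_length(),
        "generated_mod_4": p % 4,
        "max_error_40_rounds": 4.0 ** -40,
    }


if __name__ == "__main__":
    print(demo())
```

The NOTE in the 2020 abstract applies here too: `generate_prime` draws its candidates and `is_probable_prime` its bases from `secrets`, i.e. from the random bit generator, which is why ISO/IEC 18032 points to ISO/IEC 18031 for that part.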
ISO/IEC 18033-1:2005 Information technology — Security techniques — Encryption algorithms — Part 1: General ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality. ISO/IEC 18033-1:2005 specifies: terms and definitions used throughout ISO/IEC 18033; the purpose of encryption, the differences between symmetric and asymmetric ciphers, and the key management problems associated with the use of ciphers; the uses and properties of encryption; criteria for the inclusion of encryption algorithms in ISO/IEC 18033.  Withdrawn 2005-02 Edition : 1 Number of pages : 8 Technical Committee 35.030 IT Security
ISO/IEC 18033-1:2005/Amd 1:2011 Information technology — Security techniques — Encryption algorithms — Part 1: General — Amendment 1  Withdrawn 2011-03 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 18033-1:2015 Information technology — Security techniques — Encryption algorithms — Part 1: General ISO/IEC 18033-1:2015 is general in nature, and provides definitions that apply in subsequent parts of this International Standard. The nature of encryption is introduced, and certain general aspects of its use and properties are described. The criteria used to select the algorithms specified in subsequent parts of this International Standard are defined in Annexes A and B.  Withdrawn 2015-08 Edition : 2 Number of pages : 16 Technical Committee 35.030 IT Security
ISO 20347:2004/Cor 2:2006 Personal protective equipment — Occupational footwear — Technical Corrigendum 2  Withdrawn 2006-05 Edition : 1 Number of pages : 2 Technical Committee 13.340.50 Leg and foot protection
ISO/IEC 18033-2:2006 Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers ISO/IEC 18033-2:2006 specifies encryption systems (ciphers) for the purpose of data confidentiality. The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm should be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext. An asymmetric, i.e. public-key, encryption scheme allows a sender to use a recipient's public key to transmit an encryption of a message to the receiver, who can use his secret key to decrypt the given ciphertext, thereby obtaining the original message. Such a scheme should be secure in the sense that no information about the message should be leaked to a (resource-bounded) attacker, even if that attacker mounts a so-called 'chosen ciphertext' attack, in which he may obtain decryptions of other ciphertexts. This is the strongest type of attack that has been proposed for a public-key encryption scheme. ISO/IEC 18033-2:2006 specifies the functional interface of such a scheme, and in addition specifies a number of particular schemes that appear to be secure against chosen ciphertext attack. The different schemes offer different trade-offs between security properties and efficiency.  Published 2006-05 Edition : 1 Number of pages : 125 Technical Committee 35.030 IT Security
ISO/IEC 18033-2:2006/Amd 1:2017 Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers — Amendment 1: FACE  Published 2017-11 Edition : 1 Number of pages : 12 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2005 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality. ISO/IEC 18033-3:2005 specifies block ciphers. A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext. ISO/IEC 18033-3:2005 specifies the following algorithms. 64-bit block ciphers: TDEA, MISTY1, CAST-128. 128-bit block ciphers: AES, Camellia, SEED. NOTE The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm is designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.  Withdrawn 2005-07 Edition : 1 Number of pages : 71 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2005/Cor 1:2006 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 1  Withdrawn 2006-08 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2005/Cor 2:2007 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 2  Withdrawn 2007-09 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2005/Cor 3:2008 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Technical Corrigendum 3  Withdrawn 2008-03 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2010 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers ISO/IEC 18033 specifies encryption systems (ciphers) for the purpose of data confidentiality. ISO/IEC 18033-3:2010 specifies block ciphers. A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext. ISO/IEC 18033-3:2010 specifies the following algorithms: 64-bit block ciphers: TDEA, MISTY1, CAST-128, HIGHT; 128-bit block ciphers: AES, Camellia, SEED. NOTE The primary purpose of encryption (or encipherment) techniques is to protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to data (often called plaintext or cleartext) to yield encrypted data (or ciphertext); this process is known as encryption. The encryption algorithm needs to be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Associated with every encryption algorithm is a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext.  Published 2010-12 Edition : 2 Number of pages : 78 Technical Committee 35.030 IT Security
ISO/IEC 18033-3:2010/Amd 1:2021 Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers — Amendment 1: SM4  Published 2021-06 Edition : 2 Number of pages : 6 Technical Committee 35.030 IT Security
ISO/IEC 24761:2009/Cor 1:2013 Information technology — Security techniques — Authentication context for biometrics — Technical Corrigendum 1  Withdrawn 2013-03 Edition : 1 Number of pages : 12 Technical Committee 35.030 IT Security
ISO/IEC 18033-4:2005 Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers ISO/IEC 18033-4:2005 specifies stream cipher algorithms. A stream cipher is an encryption mechanism that uses a keystream to encrypt a plaintext in a bitwise or block-wise manner. A stream cipher is technically specified by choosing a keystream generator and a mode of stream ciphers. ISO/IEC 18033-4:2005 specifies the following ways to generate keystream. Mechanisms based on a block cipher: OFB, CTR, and CFB modes of block ciphers. Dedicated keystream generators: MUGI and SNOW 2.0. ISO/IEC 18033-4:2005 specifies the following modes of stream ciphers: binary-additive output function, MULTI-S01 output function. There are two types of stream cipher: a synchronous stream cipher, in which the keystream is only generated from the secret key (and an initialization vector), and a self-synchronizing stream cipher, in which the keystream is generated from the secret key and some past ciphertexts (and an initialization vector). Typically the encryption operation is the additive bitwise XOR operation between a keystream and the message. ISO/IEC 18033-4:2005 describes pseudorandom number generators for producing both keystream and output functions for stream ciphers.  Withdrawn 2005-07 Edition : 1 Number of pages : 43 Technical Committee 35.030 IT Security
ISO/IEC 18033-4:2005/Amd 1:2009 Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers — Amendment 1: Rabbit and Decim  Withdrawn 2009-12 Edition : 1 Number of pages : 33 Technical Committee 35.030 IT Security
ISO/IEC 18033-4:2011 Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers ISO/IEC 18033-4:2011 specifies output functions to combine a keystream with plaintext, keystream generators for producing keystream, and object identifiers assigned to dedicated keystream generators in accordance with ISO/IEC 9834.  Published 2011-12 Edition : 2 Number of pages : 92 Technical Committee 35.030 IT Security
ISO/IEC 18033-4:2011/Amd 1:2020 Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers — Amendment 1: ZUC  Published 2020-08 Edition : 2 Number of pages : 12 Technical Committee 35.030 IT Security
ISO/IEC 18033-5:2015 Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers ISO/IEC 18033-5:2015 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.  Published 2015-12 Edition : 1 Number of pages : 36 Technical Committee 35.030 IT Security
ISO/IEC 18033-5:2015/Amd 1:2021 Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers — Amendment 1: SM9 mechanism  Published 2021-02 Edition : 1 Number of pages : 8 Technical Committee 35.030 IT Security
ISO/IEC 18033-6:2019 IT Security techniques — Encryption algorithms — Part 6: Homomorphic encryption This document specifies the following mechanisms for homomorphic encryption. — Exponential ElGamal encryption; — Paillier encryption. For each mechanism, this document specifies the process for: — generating parameters and the keys of the involved entities; — encrypting data; — decrypting encrypted data; and — homomorphically operating on encrypted data. Annex A defines the object identifiers assigned to the mechanisms specified in this document. Annex B provides numerical examples.  Published 2019-05 Edition : 1 Number of pages : 17 Technical Committee 35.030 IT Security
ISO/IEC 18033-7:2022 Information security — Encryption algorithms — Part 7: Tweakable block ciphers This document specifies tweakable block ciphers. A tweakable block cipher is a family of n-bit permutations parametrized by a secret key value and a public tweak value. Such primitives are generic tools that can be used as building blocks to construct cryptographic schemes such as encryption, Message Authentication Codes, authenticated encryption, etc. A total of five different tweakable block ciphers are defined. They are categorized in Table 1.  Published 2022-04 Edition : 1 Number of pages : 18 Technical Committee 35.030 IT Security
ISO/IEC 18043:2006 Information technology — Security techniques — Selection, deployment and operations of intrusion detection systems ISO/IEC 18043:2006 provides guidance for an organization that decides to include an intrusion detection capability within its IT infrastructure. It is a "how to" for managers and users who want to: understand the benefits and limitations of IDS; develop a strategy and implementation plan for IDS; effectively manage the outputs of an IDS; integrate intrusion detection into the organization's security practices; and understand the legal and privacy issues involved in the deployment of IDS. ISO/IEC 18043:2006 provides information that will facilitate collaboration among organizations using IDS. The common framework it provides will help make it easier for organizations to exchange information about intrusions that cut across organizational boundaries. ISO/IEC 18043:2006 provides a brief overview of the intrusion detection process; discusses what an IDS can and cannot do; provides a checklist that helps identify the best IDS features for a specific IT environment; describes various deployment strategies; provides guidance on managing alerts from IDSs; and discusses management and legal considerations.  Withdrawn 2006-06 Edition : 1 Number of pages : 46 Technical Committee 35.030 IT Security
ISO/IEC TR 18044:2004 Information technology — Security techniques — Information security incident management ISO/IEC TR 18044:2004 provides advice and guidance on information security incident management for information security managers and for information system managers. ISO/IEC TR 18044:2004 provides: information on the benefits to be obtained from and the key issues associated with a good information security incident management approach (to convince senior corporate management and those personnel who will report to and receive feedback from a scheme that the scheme should be introduced and used); information on examples of information security incidents, and an insight into their possible causes; a description of the planning and documentation required to introduce a good structured information security incident management approach; a description of the information security incident management process*. * Quick, co-ordinated and effective responses to an information security incident require extensive technical and procedural preparations. Information security incident responses may consist of immediate, short- and long-term actions. Any actions undertaken as the response to an incident should be based on previously developed, documented and accepted security incident response procedures and processes, including those for post-response analysis.  Withdrawn 2004-10 Edition : 1 Number of pages : 50 Technical Committee 35.030 IT Security
ISO/IEC 18045:2005 Information technology — Security techniques — Methodology for IT security evaluation ISO/IEC 18045:2005 is a companion document to ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 18045 specifies the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408.  Withdrawn 2005-10 Edition : 1 Number of pages : 276 Technical Committee 35.030 IT Security
ISO/IEC 18045:2008 Information technology — Security techniques — Methodology for IT security evaluation ISO/IEC 18045:2008 is a companion document to ISO/IEC 15408, Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 18045:2008 defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. ISO/IEC 18045:2008 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.  Withdrawn 2008-08 Edition : 2 Number of pages : 290 Technical Committee 35.030 IT Security
ISO/IEC 18045:2022 Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.  Published 2022-08 Edition : 3 Number of pages : 423 Technical Committee 35.030 IT Security
ISO/IEC 18180:2013 Information technology — Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 ISO/IEC 18180:2013 specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. ISO/IEC 18180:2013 also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.  Published 2013-06 Edition : 1 Number of pages : 73 Technical Committee 35.030 IT Security ; 35.040.50 Automatic identification and data capture techniques
ISO/IEC 18367:2016 Information technology — Security techniques — Cryptographic algorithms and security mechanisms conformance testing ISO/IEC 18367:2016 gives guidelines for cryptographic algorithms and security mechanisms conformance testing methods. Conformance testing assures that an implementation of a cryptographic algorithm or security mechanism is correct whether implemented in hardware, software or firmware. It also confirms that it runs correctly in a specific operating environment. Testing can consist of known-answer or Monte Carlo testing, or a combination of test methods. Testing can be performed on the actual implementation or modelled in a simulation environment. ISO/IEC 18367:2016 does not include the efficiency of the algorithms or security mechanisms nor the intrinsic performance. This document focuses on the correctness of the implementation.  Published 2016-12 Edition : 1 Number of pages : 68 Technical Committee 35.030 IT Security
ISO/IEC 18370-1:2016 Information technology — Security techniques — Blind digital signatures — Part 1: General ISO/IEC 18370-1:2016 specifies principles, including a general model, a set of entities, a number of processes, and general requirements for blind digital signature mechanisms, as well as the following variants of blind digital signature mechanisms: - blind signature mechanisms with partial disclosure; - blind signature mechanisms with selective disclosure; - traceable blind signature mechanisms. It also contains terms, definitions, abbreviated terms and figure elements that are used in all parts of ISO/IEC 18370. See Annex A for a comparison of the blind digital signature mechanisms.  Published 2016-11 Edition : 1 Number of pages : 27 Technical Committee 35.030 IT Security
ISO/IEC 18370-2:2016 Information technology — Security techniques — Blind digital signatures — Part 2: Discrete logarithm based mechanisms ISO/IEC 18370-2:2016 specifies blind digital signature mechanisms, together with mechanisms for three variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms. The security of all the mechanisms in ISO/IEC 18370-2:2016 is based on the discrete logarithm problem. For each mechanism, ISO/IEC 18370-2:2016 specifies the following: - the process for generating the keys of the entities involved in these mechanisms; - the process for producing blind signatures; - the process for verifying signatures. ISO/IEC 18370-2:2016 specifies another process specific to blind signature mechanisms with selective disclosure, namely, the following: - the presentation process. Furthermore, ISO/IEC 18370-2:2016 specifies other processes specific to traceable blind signature mechanisms, namely, the following: a) the process for tracing requestors; b) the process for tracing signatures; c) the requestor tracing evidence evaluation process (optional); d) the signature tracing evidence evaluation process (optional).  Published 2016-07 Edition : 1 Number of pages : 79 Technical Committee 35.030 IT Security
ISO/IEC TS 19249:2017 Information technology — Security techniques — Catalogue of architectural and design principles for secure products, systems and applications ISO/IEC TS 19249:2017 provides a catalogue of architectural and design principles that can be used in the development of secure products, systems and applications together with guidance on how to use those principles effectively. ISO/IEC TS 19249:2017 gives guidelines for the development of secure products, systems and applications including a more effective assessment with respect to the security properties they are supposed to implement. ISO/IEC TS 19249:2017 does not establish any requirements for the evaluation or the assessment process or implementation.  Published 2017-10 Edition : 1 Number of pages : 26 Technical Committee 35.030 IT Security
ISO/IEC 19592-1:2016 Information technology — Security techniques — Secret sharing — Part 1: General ISO/IEC 19592-1:2016 specifies cryptographic secret sharing schemes and their properties. This document defines the parties involved in a secret sharing scheme, the terminology used in the context of secret sharing schemes, the parameters and the properties of such a scheme.  Published 2016-11 Edition : 1 Number of pages : 7 Technical Committee 35.030 IT Security
ISO/IEC 19592-2:2017 Information technology — Security techniques — Secret sharing — Part 2: Fundamental mechanisms ISO/IEC 19592-2:2017 specifies cryptographic secret sharing schemes.  Published 2017-10 Edition : 1 Number of pages : 22 Technical Committee 35.030 IT Security
ISO/IEC TS 19608:2018 Guidance for developing security and privacy functional requirements based on ISO/IEC 15408 This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document is: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance on how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.  Published 2018-10 Edition : 1 Number of pages : 48 Technical Committee 35.030 IT Security
ISO/IEC 19772:2009 Information technology — Security techniques — Authenticated encryption ISO/IEC 19772:2009 specifies six methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: data confidentiality, i.e. protection against unauthorized disclosure of data; data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All six methods specified in ISO/IEC 19772:2009 require the originator and the recipient of the protected data to share a secret key. Key management is outside the scope of ISO/IEC 19772:2009; key management techniques are defined in ISO/IEC 11770.  Withdrawn 2009-02 Edition : 1 Number of pages : 29 Technical Committee 35.030 IT Security
ISO/IEC 19772:2009/Cor 1:2014 Information technology — Security techniques — Authenticated encryption — Technical Corrigendum 1  Withdrawn 2014-09 Edition : 1 Number of pages : 3 Technical Committee 35.030 IT Security
ISO/IEC 20897-1:2020 Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 1: Security requirements This document specifies the security requirements for physically unclonable functions (PUFs). The specified security requirements concern the output properties, tamper-resistance and unclonability of a single PUF and of a batch of PUFs. Since the security requirements a PUF needs to meet depend on the application, this document also describes the typical use cases of a PUF. Amongst PUF use cases, random number generation is out of scope in this document.  Published 2020-12 Edition : 1 Number of pages : 16 Technical Committee 35.030 IT Security
ISO/IEC 19772:2020 Information security — Authenticated encryption This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: — data confidentiality, i.e. protection against unauthorized disclosure of data; — data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; — data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All five methods specified in this document are based on a block cipher algorithm, and require the originator and the recipient of the protected data to share a secret key for this block cipher. Key management is outside the scope of this document. Key management techniques are defined in ISO/IEC 11770 (all parts). Four of the mechanisms in this document, namely mechanisms 3, 4, 5 (AAD variant only) and 6, allow data to be authenticated which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated data) that is integrity-protected but not encrypted. In all cases, the string A can be empty. NOTE Examples of types of data that can need to be sent in unencrypted form, but whose integrity is to be protected, include addresses, port numbers, sequence numbers, protocol version numbers and other network protocol fields that indicate how the plaintext is to be handled, forwarded or processed.  Published 2020-11 Edition : 2 Number of pages : 26 Technical Committee 35.030 IT Security
ISO/IEC 19790:2006 Information technology — Security techniques — Security requirements for cryptographic modules ISO/IEC 19790:2006 specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. ISO/IEC 19790:2006 specifies the following. Four levels of increasing security for cryptographic modules. Each level offers an increase in security over the preceding level. The following functional security objectives: module specification; ports and interfaces; roles, services and authentication; finite state model; physical security; operational environment; cryptographic key management; self-tests; design assurance; mitigation of other attacks. ISO/IEC 19790:2006 will be complemented by a future International Standard defining the associated evaluation and test methods. ISO/IEC 19790:2006 is derived from NIST Federal Information Processing Standard PUB 140-2 May 25, 2001.  Withdrawn 2006-03 Edition : 1 Number of pages : 51 Technical Committee 35.030 IT Security
ISO/IEC 19790:2006/Cor 1:2008 Information technology — Security techniques — Security requirements for cryptographic modules — Technical Corrigendum 1  Withdrawn 2008-06 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 19790:2012 Information technology — Security techniques — Security requirements for cryptographic modules ISO/IEC 19790:2012 specifies the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location). This International Standard specifies four security levels for each of 11 requirement areas, with each security level increasing security over the preceding level. ISO/IEC 19790:2012 specifies security requirements specifically intended to maintain the security provided by a cryptographic module; compliance with this International Standard is not sufficient to ensure that a particular module is secure or that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected.  Published 2012-08 Edition : 2 Number of pages : 72 Technical Committee 35.030 IT Security
ISO/IEC 19790:2012/Cor 1:2015 Information technology — Security techniques — Security requirements for cryptographic modules — Technical Corrigendum 1  Withdrawn 2015-10 Edition : 2 Number of pages : 72 Technical Committee 35.030 IT Security
ISO/IEC CD 19790 Information technology — Security techniques — Security requirements for cryptographic modules  Under development Edition : 3 Technical Committee 35.030 IT Security
ISO/IEC TR 19791:2006 Information technology — Security techniques — Security assessment of operational systems ISO/IEC TR 19791:2006 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated. ISO/IEC TR 19791:2006 provides: a definition and model for operational systems; a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems; a methodology and process for performing the security evaluation of operational systems; additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria. ISO/IEC TR 19791:2006 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2006. ISO/IEC TR 19791:2006 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.  Withdrawn 2006-05 Edition : 1 Number of pages : 165 Technical Committee 35.030 IT Security
ISO/IEC TR 19791:2010 Information technology — Security techniques — Security assessment of operational systems ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408 by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated. ISO/IEC TR 19791:2010 provides: a definition and model for operational systems; a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems; a methodology and process for performing the security evaluation of operational systems; additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria. ISO/IEC TR 19791:2010 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2010. ISO/IEC TR 19791:2010 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.  Published 2010-04 Edition : 2 Number of pages : 235 Technical Committee 35.030 IT Security
ISO/IEC 19792:2009 Information technology — Security techniques — Security evaluation of biometrics ISO/IEC 19792:2009 specifies the subjects to be addressed during a security evaluation of a biometric system. It covers the biometric-specific aspects and principles to be considered during the security evaluation of a biometric system. It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels). ISO/IEC 19792:2009 does not aim to define any concrete methodology for the security evaluation of biometric systems but instead focuses on the principal requirements. As such, the requirements in ISO/IEC 19792:2009 are independent of any evaluation or certification scheme and will need to be incorporated into and adapted before being used in the context of a concrete scheme. ISO/IEC 19792:2009 defines various areas that are important to be considered during a security evaluation of a biometric system. ISO/IEC 19792:2009 is relevant to both evaluator and developer communities. It specifies requirements for evaluators and provides guidance on performing a security evaluation of a biometric system. It serves to inform developers of the requirements for biometric security evaluations to help them prepare for security evaluations. Although ISO/IEC 19792:2009 is independent of any specific evaluation scheme it could serve as a framework for the development of concrete evaluation and testing methodologies to integrate the requirements for biometric evaluations into existing evaluation and certification schemes.  Published 2009-08 Edition : 1 Number of pages : 37 Technical Committee 35.030 IT Security
ISO/IEC 19823-10:2017 Information technology — Conformance test methods for security service crypto suites — Part 10: Crypto suite AES-128 ISO/IEC 19823-10:2017 describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167‑10. ISO/IEC 19823-10:2017 contains conformance tests for all mandatory and applicable optional functions. The conformance parameters are the following: - parameters that apply directly affecting system functionality and inter-operability; - protocol including commands and replies; - nominal values and tolerances. Unless otherwise specified, the tests in this document are intended to be applied exclusively related to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑10.  Withdrawn 2017-11 Edition : 1 Number of pages : 23 Technical Committee 35.030 IT Security
ISO/IEC 19823-10:2020 Information technology — Conformance test methods for security service crypto suites — Part 10: Crypto suite AES-128 This document describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167‑10. This document contains conformance tests for all mandatory and applicable optional functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID Tags and Interrogators defined in the ISO/IEC 15693 series and in the ISO/IEC 18000 series using ISO/IEC 29167‑10.  Published 2020-01 Edition : 2 Number of pages : 45 Technical Committee 35.030 IT Security
ISO/IEC 19823-11:2022 Information technology — Conformance test methods for security service crypto suites — Part 11: Crypto suite PRESENT-80 This document specifies methods for determining conformance to the security crypto suite defined in ISO/IEC 29167-11. This document contains conformance tests for all mandatory functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167-11.  Published 2022-10 Edition : 1 Number of pages : 11 Technical Committee 35.030 IT Security
ISO/IEC 27004:2009 Information technology — Security techniques — Information security management — Measurement ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. ISO/IEC 27004:2009 is applicable to all types and sizes of organization.  Withdrawn 2009-12 Edition : 1 Number of pages : 55 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 19823-13:2018 Information technology — Conformance test methods for security service crypto suites — Part 13: Cryptographic Suite Grain-128A ISO/IEC 19823-13:2018 describes test methods for determining the conformance of security crypto suites with the specifications given in ISO/IEC 29167‑13. ISO/IEC 19823-13:2018 contains conformance tests for all mandatory and optional functions. The conformance parameters are the following: - parameters that apply directly affecting system functionality and inter-operability; - protocol including commands and replies; and - nominal values and tolerances. Unless otherwise specified, the tests in this document are applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑13.  Published 2018-04 Edition : 1 Number of pages : 21 Technical Committee 35.030 IT Security
ISO/IEC 19823-16:2020 Information technology — Conformance test methods for security service crypto suites — Part 16: Crypto suite ECDSA-ECDH security services for air interface communications This document describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167-16. This document contains conformance tests for all mandatory and applicable optional functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167-16.  Published 2020-10 Edition : 1 Number of pages : 21 Technical Committee 35.030 IT Security
ISO/IEC 19823-19:2018 Information technology — Conformance test methods for security service crypto suites — Part 19: Crypto suite RAMON This document describes test methods for determining the conformance of security crypto suites with the specifications given in ISO/IEC 29167‑19. This document contains conformance tests for all mandatory and optional functions. The conformance parameters are the following: — parameters that apply directly, affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are exclusively applicable in relation to RFID tags and interrogators defined in the ISO/IEC 18000 series using a reference to this document.  Published 2018-09 Edition : 1 Number of pages : 17 Technical Committee 35.030 IT Security
ISO/IEC 19823-21:2019 Information technology — Conformance test methods for security service crypto suites — Part 21: Crypto suite SIMON This document describes methods for determining conformance to the security crypto suite defined in ISO/IEC 29167‑21. This document contains conformance tests for all mandatory functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability, — protocol including commands and replies, — nominal values and tolerances. Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑21.  Published 2019-05 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC 19823-22:2019 Information technology — Conformance test methods for security service crypto suites — Part 22: Crypto suite SPECK This document describes methods for determining conformance to the security crypto suite defined in ISO/IEC 29167‑22. This document contains conformance tests for all mandatory functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are intended to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167‑22.  Published 2019-05 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC 19896-1:2018 IT security techniques — Competence requirements for information security testers and evaluators — Part 1: Introduction, concepts and general requirements ISO/IEC 19896-1:2018 defines terms and establishes an organized set of concepts and relationships to understand the competency requirements for information security assurance conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the ISO/IEC 19896 series.  Published 2018-02 Edition : 1 Number of pages : 11 Technical Committee 35.030 IT Security