As NZS ISO IEC 19790-2006 Information Technology - Security Techniques - Security Requirements for Cryptograp


  • 7/31/2019 As NZS ISO IEC 19790-2006 Information Technology - Security Techniques - Security Requirements for Cryptograp


    AS/NZS ISO/IEC 19790:2006
    ISO/IEC 19790:2006

    Australian/New Zealand Standard

    Information technology - Security techniques - Security requirements for cryptographic modules


    This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee IT-012, Information Systems, Security and Identification. It was approved on behalf of the Council of Standards Australia on 23 June 2006 and on behalf of the Council of Standards New Zealand on 30 June 2006. This Standard was published on 26 July 2006.

    The following are represented on Committee IT-012:

    Attorney General's Department

    Australian Association of Permanent Building Societies

    Australian Bankers' Association

    Australian Chamber Commerce and Industry

    Australian Electrical and Electronic Manufacturers Association

    Certification Forum of Australia

    Department of Defence

    Department of Social Welfare, NZ

    Government Communications Security Bureau, NZ

    Internet Industry Association

    NSW Police Service

    New Zealand Defence Force

    Reserve Bank of Australia

    Keeping Standards up-to-date

    Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased.

    Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.standards.com.au or Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue.

    Alternatively, both organizations publish an annual printed Catalogue with full details of all current Standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization.

    We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the back cover.

    This Standard was issued in draft form for comment as DR 06207.


    Australian/New Zealand Standard

    Information technology - Security techniques - Security requirements for cryptographic modules

    First published as AS/NZS ISO/IEC 19790:2006.

    COPYRIGHT

    Standards Australia/Standards New Zealand

    All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher.

    Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6020

    ISBN 0 7337 7620 5


    PREFACE

    This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee IT-012, Information Systems, Security and Identification.

    The objective of this Standard is to provide informative security practitioner with four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The security requirements cover areas relative to the design and implementation of a cryptographic module. These areas include cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operation environment; cryptographic key management; self-tests; design assurance; and mitigation of other attacks.

    This Standard is identical with, and has been reproduced from ISO/IEC 19790:2006, Information technology - Security techniques - Security requirements for cryptographic modules.

    As this Standard is reproduced from an international standard, the following applies:

    (a) Its number appears on the cover and title page while the international standard number appears only on the cover

    (b) In the source text 'this International Standard' should read 'this Australian/New Zealand Standard'.

    (c) A full point substitutes for a comma when referring to a decimal marker.

    References to International Standards should be replaced by references to Australian or Australian/New Zealand Standards, as follows:

    Reference to International Standard | Australian/New Zealand Standard
    ISO/IEC | AS ISO/IEC
    15408 Information technology - Security techniques - Evaluation criteria for IT security | 15408 Information technology - Security techniques - Evaluation criteria for IT security
    15408.1 Part 1: Introduction and general model | 15408.1 Part 1: Introduction and general model
    15408.2 Part 2: Security functional requirements | 15408.2 Part 2: Security functional requirements
    15408.3 Part 3: Security assurance requirements | 15408.3 Part 3: Security assurance requirements

    Only international references that have been adopted as Australian or Australian/New Zealand Standards have been listed.

    The terms 'normative' and 'informative' have been used in this Standard to define the application of the annex to which they apply. A 'normative' annex is an integral part of a Standard, whereas an 'informative' annex is only for information and guidance.


    CONTENTS

    1 Scope
    2 Normative references
    3 Terms and definitions
    4 Abbreviated terms
    5 Cryptographic module security levels
    5.1 Security Level 1
    5.2 Security Level 2
    5.3 Security Level 3
    5.4 Security Level 4
    6 Functional security objectives
    7 Security requirements
    7.1 Cryptographic module specification
    7.2 Cryptographic module ports and interfaces
    7.3 Roles, services, and authentication
    7.4 Finite state model
    7.5 Physical security
    7.6 Operational environment
    7.7 Cryptographic key management
    7.8 Self-tests
    7.9 Design assurance
    7.10 Mitigation of other attacks
    Annex A (normative) Documentation requirements
    Annex B (normative) Cryptographic module security policy
    Annex C (normative) Approved protection profiles
    Annex D (informative) Approved security functions
    Annex E (informative) Approved key establishment methods
    Annex F (informative) Recommended software development practices
    Annex G (informative) Examples of mitigation of other attacks
    Bibliography


    INTRODUCTION

    In Information Technology there is an ever-increasing need to use cryptographic mechanisms such as the protection of data against unauthorised disclosure or manipulation, for entity authentication and for non-repudiation. The security and reliability of such mechanisms are directly dependent on the cryptographic modules in which they are implemented.

    This International Standard provides for four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The security requirements cover areas relative to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; self-tests; design assurance; and mitigation of other attacks.

    The overall security level of a cryptographic module must be chosen to provide a level of security appropriate for the security requirements of the application and environment in which the module is to be utilized and for the security services that the module is to provide. The responsible authority in each organization should ensure that their computer and telecommunication systems that utilize cryptographic modules provide an acceptable level of security for the given application and environment. Since each authority is responsible for selecting which approved security functions are appropriate for a given application, compliance with this International Standard does not imply either full interoperability or mutual acceptance of compliant products. The importance of security awareness and of making information security a management priority should be communicated to all concerned.

    Information security requirements vary for different applications; organizations should identify their information resources and determine the sensitivity to and the potential impact of a loss by implementing appropriate controls. Controls include, but are not limited to

    physical and environmental controls;

    software development;

    backup and contingency plans; and

    information and data controls.

    These controls are only as effective as the administration of appropriate security policies and procedures within the operational environment.

    This International Standard will be revised later, if a new work item is approved, in order to improve the links with Common Criteria scheme (ISO/IEC 15408).

    This International Standard is derived from NIST Federal Information Processing Standard (FIPS) PUB 140-2 (see Bibliography [1]).


    AUSTRALIAN/NEW ZEALAND STANDARD

    Information technology - Security techniques - Security requirements for cryptographic modules

    1 Scope

    This International Standard specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data) and a diversity of application environments (e.g., a guarded facility, an office, and a completely unprotected location). Four security levels are specified for each of 10 requirement areas. Each security level offers an increase in security over the preceding level.

    While the security requirements specified in this International Standard are intended to maintain the security provided by a cryptographic module, compliance to this International Standard is not sufficient to ensure that a particular module is secure or that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected.

    2 Normative references

    The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

    ISO/IEC 15408 (all parts), Information technology - Security techniques - Evaluation criteria for IT security

    ISO/IEC 18031, Information technology - Security techniques - Random bit generation

    3 Terms and definitions

    For the purposes of this document, the following terms and definitions apply.

    3.1 approval authority
    any national or international organisation/authority mandated to approve and/or evaluate security functions

    3.2 approved
    ISO/IEC approved or approval authority approved

    3.3 approved mode of operation
    mode of the cryptographic module that employs only approved security functions

    NOTE Not to be confused with a specific mode of an approved security function, e.g., Cipher Block Chaining (CBC) mode.


    This is a free preview.
