Recent Developments in ISO/IEC Security Standardization

Dr. Walter Fumy
Chairman ISO/IEC JTC 1/SC 27
Chief Scientist, Bundesdruckerei GmbH, Germany

6th ETSI Security Workshop - Sophia Antipolis, January 2011




Agenda

ISO/IEC JTC 1 – Information Technology

JTC 1/SC 37 – Biometrics

JTC 1/SC 17 – Cards and Personal Identification

JTC 1/SC 27 – IT Security Techniques: scope, organization, work programme; recent achievements & new projects

Conclusion

Dr. Walter Fumy | 19.01.2011 | 6th ETSI Security Workshop, Sophia Antipolis, January 2011


ISO/IEC JTC 1 – Information Technology: Mission & Principles

JTC 1 develops, maintains, promotes and facilitates IT standards required by global markets meeting business and user requirements.

Principles include: a business-like approach (i.e., cost effective, short development times, market-oriented results, …); ensuring that user needs, including multicultural requirements, are fully met; actively promoting the use of JTC 1 products and services; recognizing the value of the work of other organizations and the contribution they make to international IT standardization; and complementing existing and forthcoming JTC 1 programs through other leading edge activities with the objective of providing the best standards worldwide.



ISO/IEC JTC 1 – Information Technology: Security Related Sub-committees

SC 6 Telecommunications and information exchange between systems

SC 7 Software and systems engineering

SC 17 Cards and personal identification

SC 25 Interconnection of information technology equipment

SC 27 IT Security techniques

SC 29 Coding of audio, picture, multimedia and hypermedia information

SC 31 Automatic identification and data capture techniques

SC 32 Data management and interchange

SC 36 Information technology for learning, education and training

SC 37 Biometrics

SC 38 Distributed application platforms and services (DAPS)



SC 37 – Biometrics: Scope

Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects.

Excluded is the work in ISO/IEC JTC 1/SC 17 to apply biometric technologies to cards and personal identification. Excluded is the work in ISO/IEC JTC 1/SC 27 for biometric data protection techniques, biometric security testing, evaluations, and evaluation methodologies.



SC 37 – Biometrics: Key Facts

Working Groups
WG 1 Harmonized biometric vocabulary
WG 2 Biometric technical interfaces
WG 3 Biometric data interchange formats
WG 4 Biometric functional architecture and related profiles
WG 5 Biometric testing and reporting
WG 6 Cross-Jurisdictional and Societal Aspects of Biometrics

28 participating countries
52 published standards

Technology innovations and new customers’ needs are being addressed in a “second generation” of biometric standards such as the revision of the biometric data interchange formats, new biometric technical interface standards, performance (and conformance) testing methodology standards, and biometric sample quality standards.



SC 17 – Cards and Personal Identification: Key Facts

Standardization in the area of:
a) identification and related documents,
b) cards and devices associated with their use in inter-industry applications and international interchange.

Working Groups
WG 1 Physical characteristics and test methods for ID-cards
WG 3 Identification cards - Machine readable travel documents
WG 4 Integrated circuit cards with contacts
WG 5 Registration Management Group (RMG)
WG 8 Integrated circuit cards without contacts
WG 9 Optical memory cards and devices
WG 10 Motor vehicle driver license and related documents
WG 11 Application of biometrics to cards and personal identification

33 participating countries


84 published standards


Electronic Displays in IC Cards – New SC 17 Project

Use of security materials: personalized materials, exclusive material properties, unique spectrum of display materials
Optical communication: tamperproof optical data transfer via display, dynamic security feature and watermarks
Visible information: password, PIN, address data, visa information, card and internet transaction status, 3D photo, video identification

Displays in IC cards provide security options at all levels.


SC 27 – IT Security Techniques: Scope

The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

Security requirements capture methodology;
Management of information and ICT security, in particular information security management systems (ISMS), security processes, security controls and services;
Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
Security aspects of identity management, biometrics and privacy;
Conformance assessment, accreditation and auditing requirements in the area of information security;
Security evaluation criteria and methodology.


SC 27 – IT Security Techniques: Organization

ISO/IEC JTC 1/SC 27 IT Security techniques – Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
SC 27 Secretariat: DIN, Ms. K. Passia

Working Group 1: Information security management systems – Convener: Mr. T. Humphreys
Working Group 2: Cryptography and security mechanisms – Convener: Mr. T. Chikazawa
Working Group 3: Security evaluation criteria – Convener: Mr. M. Bañón
Working Group 4: Security controls and services – Convener: Mr. M.-C. Kang
Working Group 5: Identity management and privacy technologies – Convener: Mr. K. Rannenberg

http://www.jtc1sc27.din.de/en


SC 27/WG 1: ISMS Family of Standards

Vocabulary:
27000 ISMS Overview and Vocabulary

Requirements:
27001 ISMS Requirements

Supporting Guidelines:
27002 (pka 17799) Code of Practice
27003 ISMS Implementation Guidance
27004 Information Security Management Measurements
27005 Information Security Risk Management
TR 27016 Information Security Management – Organizational economics

Accreditation Requirements and Auditing Guidelines:
27006 Accreditation Requirements
27007 ISMS Auditing Guidance
TR 27008 ISMS Guide for auditors on ISMS controls

Sector Specific Requirements and Guidelines:
27010 ISMS for Inter-sector communications
27011 / ITU-T X.1051 Telecom Sector ISMS Requirements
27015 Financial and Insurance Sector ISMS Requirements


SC 27/WG 4: Security Controls and Services

Unknown or emerging security issues:
ICT Readiness for Business Continuity (WD 27031)
Cybersecurity (WD 27032)
Network Security (CD 27033-1, WD 27033-2/3/4)
Application Security (WD 27034-1)

Known security issues:
Security Info-Objects for Access Control (TR 15816)
Security of Outsourcing (NP)
TTP Services Security (TR 14516; 15945)
Time Stamping Services (TR 29149)

Security breaches and compromises:
Information security incident management (27035)
ICT Disaster Recovery Services (24762)
Identification, collection and/or acquisition, and preservation of digital evidence (NP)


SC 27/WG 2: Cryptography and Security Mechanisms

Cryptographic Protocols:
Entity Authentication (IS 9798)
Key Management (IS 11770)
Non-Repudiation (IS 13888)
Time Stamping Services (IS 18014)

Message Authentication:
Hash Functions (IS 10118)
Message Authentication Codes (IS 9797)

Digital Signatures:
Signatures giving Message Recovery (IS 9796)
Signatures with Appendix (IS 14888)

Check Character Systems (IS 7064)
Cryptographic Techniques based on Elliptic Curves (IS 15946)

Encryption & Modes of Operation:
Encryption (IS 18033)
Modes of Operation (IS 10116)
Authenticated Encryption (IS 19772)

Parameter Generation:
Random Bit Generation (IS 18031)
Prime Number Generation (IS 18032)

Biometric Template Protection (NP 24745)


SC 27/WG 3: Security Evaluation Criteria

Secure System Engineering Principles and Techniques (NWIP)
Responsible Vulnerability Disclosure (WD 29147)
Trusted Platform Module (IS 11889)
A Framework for IT Security Assurance (TR 15443)
SSE-CMM (IS 21827)
Security Requirements for Cryptographic Modules (IS 19790)
Test Requirements for Cryptographic Modules (IS 24759)
Security Assessment of Operational Systems (TR 19791)
IT Security Evaluation Criteria (CC) (IS 15408)
Evaluation Methodology (CEM) (IS 18045)
PP/ST Guide (TR 15446)
Protection Profile Registration Procedures (IS 15292)
Security Evaluation of Biometrics (FDIS 19792)
Verification of Cryptographic Protocols (WD 29128)


SC 27/WG 5: Identity Management & Privacy Technologies

WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data. This includes:

Frameworks & Architectures
A framework for identity management (ISO/IEC 24760, FCD/WD/WD)
Privacy framework (ISO/IEC 29100, FCD)
Privacy reference architecture (ISO/IEC 29101, CD)
Entity authentication assurance framework (ISO/IEC 29115 / ITU-T X.eaa, CD)
A framework for access management (ISO/IEC 29146, WD)

Protection Concepts
Biometric information protection (ISO/IEC 24745, FDIS)
Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)

Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, 2009)
Privacy capability assessment framework (ISO/IEC 29190, WD)



SC 27 – IT Security Techniques: Recent Achievements

Summary, between November 2009 and October 2010:

11 International Standards and Technical Reports have been published (total number of publications: 98)
13 new projects have been approved (total number of projects: 160)
5 additional O-members (total: 18); total number of P-members: 41
9 additional liaisons, 5 liaisons terminated (total number of liaisons: 54)



Approved New Projects

ISO/IEC 20004 – Software development and evaluation under ISO/IEC 15408
ISO/IEC 20008 – Anonymous digital signatures (2 Parts)
ISO/IEC 20009 – Anonymous entity authentication (2 Parts)
ISO/IEC TR 27016 – Information security management – Organizational economics
ISO/IEC 27038 – Specification for digital redaction
ISO/IEC 30104 – Physical security attacks, mitigation techniques and security requirements



20 Years of ISO/IEC JTC 1/SC 27 Information Security Standardisation

Platinum Book

available from http://www.jtc1sc27.din.de/sbe/sc27berlin

Next SC 27 meetings
Apr 11-19, 2011 Singapore (WGs and Plenary)
Oct 10-14, 2011 Nairobi, Kenya (WGs)
May 7-15, 2012 Sweden (WGs and Plenary)



Machine Readable Travel Documents – Major Contributions from JTC 1 Subcommittees

ICAO TAG-MRTD

ISO/IEC JTC 1/SC 17 Cards and Personal Identification: ISO/IEC 7816, ISO/IEC 10373, ISO/IEC 14443
ISO/IEC JTC 1/SC 27 IT Security Techniques: ISO/IEC 9796-2, ISO/IEC 9797, ISO/IEC 11770-2
ISO/IEC JTC 1/SC 37 Biometrics: ISO/IEC 19785, ISO/IEC 19794


Conclusion

“The good thing about standards is ... there are so many to choose from”

Well established security techniques available

Trend from security as an add-on to integrated security solutions (“built in, not bolt on”)

Security as a market differentiator

New generation of cryptographic techniques, with lightweight cryptography still in its infancy

Be aware of implementation level attacks; cryptography is typically bypassed, not penetrated



Thank You!

[email protected]