Cards and security devices for personal identification — ISO UAS license and drone/UAS security module — Part 2: Drone/UAS security module

This document specifies cryptographic functions of the drone/unmanned aircraft system (UAS) security module. The drone/UAS security module is a security device that serves as a container for the drone/UAS pilot license, drone/UAS operator license, and other personal identification. It provides storage space for storing optional elements and has the capability of cryptographic functions including integrity validation, authentication and data encryption.

Cartes et dispositifs de sécurité pour l'identification des personnes — Permis ISO de systèmes d'aéronefs sans équipage à bord et module de sécurité de drone/système d'aéronefs sans équipage à bord — Partie 2: Module de sécurité de drone/système d'aéronefs sans équipage à bord

General Information

Status
Published
Publication Date
23-Apr-2024
Current Stage
6060 - International Standard published
Start Date
24-Apr-2024
Due Date
28-Nov-2024
Completion Date
24-Apr-2024
Ref Project
Standard
ISO/IEC 22460-2:2024 - Cards and security devices for personal identification — ISO UAS license and drone/UAS security module — Part 2: Drone/UAS security module Released: 24.04.2024
English language
21 pages

Standards Content (Sample)


International Standard
ISO/IEC 22460-2
First edition
2024-04
Cards and security devices for personal identification — ISO UAS license and drone/UAS security module —
Part 2:
Drone/UAS security module
Cartes et dispositifs de sécurité pour l'identification des personnes — Permis ISO de systèmes d'aéronefs sans équipage à bord et module de sécurité de drone/système d'aéronefs sans équipage à bord —
Partie 2: Module de sécurité de drone/système d'aéronefs sans équipage à bord
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Overview of a drone security module
5.1 General
5.2 Form-factor of a drone security module
5.3 Use of a drone security module
6 Data format of a drone security module
6.1 General
6.2 Drone pilot/operator license
6.3 Personal identification data for a drone
6.4 Cryptographic key-related data
6.5 Other data
7 Cryptographic functions of a drone security module
7.1 General
7.2 Integrity validation
7.2.1 Purpose and general
7.2.2 Hash function
7.2.3 Digital signature
7.3 Authentication
7.3.1 Purpose and general
7.3.2 Authentication by MAC
7.3.3 Authentication by signature
7.4 Data encryption
7.4.1 Purpose
7.4.2 Procedure
7.5 Transport layer security (TLS)
7.6 Digital signature
Annex A (informative) Data examples of a drone security module
Annex B (informative) Mutual authentication between a drone security module and a counterpart entity
Annex C (informative) Security applications — Use cases
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and security devices for personal identification.
A list of all parts in the ISO/IEC 22460 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
The ISO/IEC 22460 series consists of the following parts, under the general title Cards and security devices
for personal identification — UAS license and drone/UAS security module:
— Part 1¹⁾: Physical characteristics and basic data sets for UAS licence. Part 1 describes the basic terms for
the ISO/IEC 22460 series, including physical characteristics, basic data element set, visual layout, and
physical security features.
— Part 2 (this document): Drone/UAS security module. This document describes data and cryptographic
functions of the drone/UAS security module. The drone security module does not limit the types of data
contained in this module and the cryptographic functions it provides.
— Part 3²⁾: Logical data structure, access control, authentication and integrity validation for drone license.
Part 3 describes guidelines for the design format and data content of a UAS license with regard to logical
data structure, access control, authentication and integrity validation.
¹⁾ Under development. Stage at the time of publication: ISO/IEC DIS 22460-1:2023.
²⁾ Under development. Stage at the time of publication: ISO/IEC AWI 22460-3:2024.

International Standard ISO/IEC 22460-2:2024(en)
Cards and security devices for personal identification — ISO
UAS license and drone/UAS security module —
Part 2:
Drone/UAS security module
1 Scope
This document specifies cryptographic functions of the drone/unmanned aircraft system (UAS) security
module. The drone/UAS security module is a security device that serves as a container for the drone/UAS
pilot license, drone/UAS operator license, and other personal identification. It provides storage space for
storing optional elements and has the capability of cryptographic functions including integrity validation,
authentication and data encryption.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 21384-4, Unmanned aircraft systems — Part 4: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 21384-4 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
drone security module
drone/unmanned aircraft system security module
drone/UAS security module
security device that serves as a container and cryptographic function provider for the drone pilot/operator
license and other personal identification and for drone ID and flight permit ID, as optional elements
3.2
access entity
functional entity that can read, write and update data of the drone security module
3.3
drone security module issuer
authority, company or country issuing a drone security module, which applies a digital signature to a drone
security module and is responsible for the associated key management
3.4
drone security module user
entity that writes data to the drone security module and reads data from the drone security module, but
which cannot write or update data to be issued by the issuing authority

3.5
remote control station
control station that provides the facilities for the pilot control or automatic flight of an unmanned aircraft (UA)
3.6
unmanned aircraft
UA
aircraft which is intended to operate with no pilot on board
3.7
unmanned aircraft system
UAS
aircraft and its associated elements which are operated with no pilot on board
3.8
unmanned aircraft system management system
UAS management system
counterpart entity as a system responsible for the identification, authentication, registration, operation,
flight-permit, and other management of an unmanned aircraft (UA)
4 Symbols and abbreviated terms
For the purposes of this document, the following symbols and abbreviated terms apply.
AAD Additional Authentication Data
AES Advanced Encryption Standard
AKA Authentication and Key Agreement
APDU Application Protocol Data Unit
BCD Binary Code Decimal
CA Certification Authority
DER-TLV Distinguished Encoding Rules – Tag Length Value
DH Diffie-Hellman
EC Elliptic Curve
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
ECKA-DH Elliptic Curve Key Agreement Algorithm – Diffie-Hellman
eSIM embedded Subscriber Identity Module
GCM Galois/Counter Mode
HKDF HMAC-based Extract-and-Expand Key Derivation Function
HMAC Keyed-Hashing for Message Authentication Code
IV Initial Vector
KDF Key Derivation Function
MAC Message Authentication Code

OID Object identifier
SD Secure Digital
SHA Secure Hash Algorithm
SoC System on Chip
SPI Serial Peripheral Interface
TLS Transport Layer Security
UA Unmanned aircraft
UAS Unmanned aircraft system
USB Universal Serial Bus
USIM Universal Subscriber Identity Module
5 Overview of a drone security module
5.1 General
A drone security module is a security device that serves as a container with personal identification for a drone.
A drone security module can contain the drone pilot/operator license and other personal identification data.
However, these data are not mandatory data that should be included in the drone security module.
A drone security module shall provide storage space for storing optional elements such as user-specific data.
A drone security module shall provide cryptographic functions, including integrity validation, authentication
and data encryption to protect personal identification data.
5.2 Form-factor of a drone security module
The form-factor of a drone security module is not limited to any specific hardware type. A drone security
module is independent of physical interface technology. The physical form-factor of a drone security module
may be, for example, an IC card, a universal subscriber identity module (USIM) card, a micro secure digital
(SD) card, an embedded subscriber identity module (eSIM), or a module in system on chip (SoC).
Transmission protocols used to communicate between the drone security module and its access entity should
be in accordance with ISO/IEC 7816-3 unless specified otherwise. Command-response pairs exchanged at
the interface, namely a command application protocol data unit (APDU) followed by a response APDU in the
opposite direction, should be in accordance with ISO/IEC 7816-4.
Other transmission protocols, such as serial peripheral interface (SPI) and universal serial bus (USB) may
be used between the drone security module and its access entity according to the hardware type of drone
security module.
This document does not limit transmission protocol between drone security module and its access entity.
5.3 Use of a drone security module
A drone security module is issued by a drone security module issuer. A UAS management system, aviation
authorities or a drone service provider may be the drone security module issuer.
A drone security module is used by the drone security module user, e.g. UA, UA operator or UAS management
system (when it is not an issuer). They may read data in the drone security module and write any data to the
drone security module.
6 Data format of a drone security module
6.1 General
A drone security module contains data written by the issuer and the user.
There is no mandatory data that shall be issued by the drone security module issuer. Data to be written in
the drone security module can be different according to the regulations of each country.
As shown in Figure 1, a drone security module contains a drone pilot/operator license and other personal
identification data. A drone security module shall provide storage space for storing optional elements such
as user-specific data.
This document does not specify data elements of each data in the drone security module. Detailed data
elements follow each country’s regulations.
NOTE See Annex A for the informative data examples.
The encoding of each data may be:
— packed BCD, if the value of data consists of only N characters;
— in accordance with ISO/IEC 8859-1, if the value of data includes any alphabetical or special characters;
— unpacked BCD, if the value denotes date.
Figure 1 — Drone security module data
6.2 Drone pilot/operator license
A drone pilot/operator license can be contained in the drone security module.
This document does not specify the data elements and format of a drone pilot/operator license.
6.3 Personal identification data for a drone
The personal identification data for a drone can be contained in the drone security module.
This document does not specify the data elements and format of a personal identification data for a drone.
6.4 Cryptographic key-related data
Cryptographic key-related data is required to execute cryptographic functions and can be stored in the
drone security module.
The digital certificate and identifier of a private key is cryptographic key-related data. Security requirements
regarding storage and access of credential information, including private key, are out of scope of this
document. It is the responsibility of the drone security module issuer to ensure that all data stored in the
drone security module is stored securely.

A drone security module issuer may define the certificate profile. An example of a certificate profile is shown
in Table 1. These are some of the most common fields in certificates. Other certificates can contain a number
of fields not listed in Table 1.
Table 1 — Example of a certificate profile signed by a drone security module issuer (X.509 v3 certificate)

| Field | Field type | Value, definition or explanation |
|---|---|---|
| Version | m | 3 (0x2) |
| Serial number | m | Non-sequential positive, non-zero integer, minimum containing at least 63 bits of output from a CSPRNG, maximum 20 octets. |
| Signature algorithm | m | Value shall match the OID in signature algorithm. |
| Issuer | m | Country name (mandatory): ISO 3166-1 alpha-2 (e.g. US or KR). Organization (mandatory): name of root certificate issuer. |
| Validity: Not before | m | The value of not before date shall not be later than issuance date of drone security module. See RFC 5280 for data type format. |
| Validity: Not after | m | The value of not after date shall be later than expiry date of drone security module. See RFC 5280 for data type format. |
| Subject | m | Country code (mandatory): ISO 3166-1 alpha-2 (e.g. US or KR). Organization: name of drone security module signer. |
| Subject public key info: Algorithm | m | OID of public key algorithm (Elliptic curve). |
| Subject public key info: Parameters | m | OID of curve identifier (e.g. P-256). |
| Subject public key info: Public key | m | Public key shall be encoded in uncompressed form. |
| Extensions | m | |
| Authority key identifier | m | Same value as subject key identifier of the drone security module CA certificate. |
| Subject key identifier | m | SHA1 value of the value as subject public key bit string. |
| Certificate signature algorithm | m | ECDSA-with SHA256, ECDSA-with SHA384 or ECDSA-with SHA512 |
| Certificate signature value | m | Value according to signature algorithm |
6.5 Other data
A drone security module shall provide storage space for storing optional elements such as user-specific data.
The use of optional elements is determined by each country’s regulations. Optional elements may or may
not be used. The optional elements are related to users such as UA, UA operator or UAS management system.
7 Cryptographic functions of a drone security module
7.1 General
Cryptographic functions of the drone security module shall be used for security applications if the UA uses a
drone security module to compute cryptographic functions.
A UA may be a user of the drone security module. A UAS management system may be a counterpart entity
that communicates with the UA.
Communication between the UA and the UAS management system is divided into communication between
the drone security module and the access entity of the drone security module, between the access entity and
the UA, and between the UA and the UAS management system through wireless media.

A drone security module performs cryptographic functions on the request of a UA or other user of the drone
security module.
Cryptographic functions implemented in the drone security module shall include integrity validation,
authentication, data encryption and digital signature.
In addition, a Transport Layer Security (TLS) and a digital signature for drone flight data can be implemented
in the drone security module according to each aviation authority’s policy.
Each country can use different cryptographic functions for the different security applications based on the
UA category, flight environment and other factors.
7.2 Integrity validation
7.2.1 Purpose and general
The purpose of integrity validation is to confirm that data that is written by a drone security module issuer,
such as a drone pilot/operator license and personal identification data, have not been changed since the
drone security module was issued.
However, a drone pilot/operator license and personal identification are not mandatory data. Therefore, no
integrity validation is required if there is no data issued by the issuer.
Integrity validation is implemented by way of a digital signature over data written by the drone security
module issuer, using a public-private (asymmetric) key pair.
Hash values of data written by the drone security module issuer are calculated and the values are then
digitally signed using a private key and the digital signature is stored in the drone security module.
The public key belonging to the private key used for the digital signature is provided as part of the drone
security module certificate. The drone security module issuer’s CA root certificate is used to sign the drone
security module certificate.
This document does not mandate both methods to obtain and to establish trust in a drone security module
issuer’s CA certificate. It is the responsibility of the person or organization responsible for the counterpart
entity to either obtain or to establish trust, or both, in the drone security module issuer’s CA certificate used
to verify a drone security module certificate. It is the responsibility of a drone security module issuer to
ensure that keys are generated, administered and protected as necessary.
7.2.2 Hash function
A drone security module issuer may use one of the following digest algorithms: SHA-256, SHA-384 or SHA-
512 specified in ISO/IEC 10118-3.
7.2.3 Digital signature
The digital signature value is generated over the concatenation of the hash values of each data written by
the drone security module issuer and the value is stored in the drone security module.
A drone security module issuer may use ECDSA as specified in ANSI X9.62 as a digital signature algorithm.
The elliptic curve domain parameters used to generate the ECDSA key pair may be described explicitly in
the parameters of the public key, i.e. parameters may be of type ECParameters (no named curves, no implicit
parameters) and may include the optional cofactor. ECPoints may be in uncompressed format. The minimum
size for the base point order should be 224 bits.
For example, a digital signature value may be implemented as a SignedData Type, as specified in RFC 5652.
The value may be encoded in DER-TLV format. Table 2 describes an example of SignedData Type.

Table 2 — SignedData type

| Data element | m/o/c | Comments |
|---|---|---|
| Signed Data | m | |
| version | m | v3 |
| digestAlgorithms | m | |
| encapContentInfo | m | |
| eContentType | m | id-icao-mrtd-security-ldsSecurityObject |
| eContent | m | The encoded contents of digital signature value. |
| Certificates | o | |
| crls | x | |
| signerInfos | m | |
| SignerInfo | m | |
| Version | m | |
| sid | m | |
| issuerAndSerialNumber | c | It is recommended that a drone security module issuer support this field over subjectKeyIdentifier. |
| subjectKeyIdentifier | c | |
| digestAlgorithm | m | The algorithm identifier of the algorithm used to produce the hash value over encapsulatedContent and signedAttrs. |
| signedAttrs | o | The drone security module issuer may include additional attributes for inclusion in the signature. |
| signatureAlgorithm | m | The algorithm identifier of the algorithm used to produce the signature value and any associated parameters. |
| Signature | m | The result of the signature generation process. |
| unsignedAttrs | o | The drone security module issuer may use this field. |

Key
m = mandatory (the field shall be present);
x = do not use (the field shall not be populated);
o = optional (the field may be present);
c = choice (the field content is a choice from alternatives).
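The integrity check described in 7.2.1 and 7.2.3, as an added Go example that is not part of ISO/IEC 22460-2: each issuer-written data element is hashed with SHA-256, the digests are concatenated, and the concatenation is signed with ECDSA on P-256 and later verified with the public key. The `DataElement` type, the sample values and the freshly generated stand-in key are assumptions made for illustration; the SignedData wrapping of Table 2 and validation of the certificate chain are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DataElement is a hypothetical holder for one item written by the issuer.
type DataElement struct {
	Name  string
	Value []byte
}

// concatDigests hashes each element on its own and joins the fixed-length
// SHA-256 digests in storage order (the input to the signature in 7.2.3).
func concatDigests(elems []DataElement) []byte {
	out := make([]byte, 0, len(elems)*sha256.Size)
	for _, e := range elems {
		d := sha256.Sum256(e.Value)
		out = append(out, d[:]...)
	}
	return out
}

// issuerSign returns the DER-encoded ECDSA-with-SHA256 signature to be stored.
func issuerSign(priv *ecdsa.PrivateKey, elems []DataElement) ([]byte, error) {
	h := sha256.Sum256(concatDigests(elems))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// validate recomputes the digests from data read back from the module and
// checks the stored signature with the issuer-certified public key.
func validate(pub *ecdsa.PublicKey, elems []DataElement, sig []byte) bool {
	h := sha256.Sum256(concatDigests(elems))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// sampleData returns constructed sample elements (all values are invented).
func sampleData() []DataElement {
	return []DataElement{
		{"pilot-license", []byte("LICENSE-0001;CATEGORY=A")},
		{"personal-id", []byte("HOLDER=EXAMPLE PILOT")},
		{"drone-id", []byte("UA-SERIAL-123456")},
	}
}

// demo signs the sample data, then validates the original, a copy with one
// value changed after issuance, and a copy with two elements swapped.
func demo() (orig, tampered, reordered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in key
	if err != nil {
		return
	}
	sig, err := issuerSign(priv, sampleData())
	if err != nil {
		return
	}
	orig = validate(&priv.PublicKey, sampleData(), sig)
	mod := sampleData()
	mod[0].Value = []byte("LICENSE-0001;CATEGORY=B")
	tampered = validate(&priv.PublicKey, mod, sig)
	swap := sampleData()
	swap[0], swap[1] = swap[1], swap[0]
	reordered = validate(&priv.PublicKey, swap, sig)
	return
}

func main() {
	orig, tampered, reordered, err := demo()
	fmt.Println("original:", orig, "tampered:", tampered, "reordered:", reordered, "err:", err)
}
```

Because the signature covers the digests in a fixed order, a counterpart entity has to read the elements back in the same order the issuer used, or validation fails even when no value was changed.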
7.3 Authentication
7.3.1 Purpose and general
The objective of drone security module authentication is to verify whether the drone security module is
what it says it is. Another objective is to prevent cloning of the drone security module and to mitigate the
man-in-the-middle attack.
The drone security module authentication key pair consists of a public and a private key. The drone security
module private key is used to authenticate the drone security module. It is also used to authenticate the
response data contained from the counterpart entity it communicates with. The drone security module
public key is stored in the cryptographic key-related data.
In the security applications between UA and the counterpart entity, the counterpart entity assumes that the
drone security module is authentic if the authentication signature or MAC is correct.
For example, the drone security module authentication key shall be used to authenticate the drone security
module in one of two ways: ECDH-agreed MAC or ECDSA signature. A drone security module may choose
either approach, but shall choose only one of the two. A drone security module authentication key shall not
be used to produce both MACs and signatures.
NOTE See Annex B and Annex C for the informative security protocol examples.
This document does not limit the use of any other authentication algorithms. In addition to the drone
security module authentication methods of this document, each country and local authority can choose to
implement commercial authentication methods according to their own security requirements.
7.3.2 Authentication by MAC
To authenticate the drone security module with MAC authentication, the drone security module computes the
MAC with an ephemeral MAC key derived from the drone security module’s private key, SDimKey.Priv, and
the counterpart entity’s public key, EEntityKey.Pub. The drone security module calculates this ephemeral
MAC key, EMacKey, by computing the key derivation function KDF(ECDH(SDimKey.Priv, EEntityKey.Pub)) and
the counterpart entity calculates this EMacKey by performing KDF(ECDH(SDimKey.Pub,
...
