iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 13888-1:2004

(Main)

IT security techniques — Non-repudiation — Part 1: General

IT security techniques — Non-repudiation — Part 1: General

This part of ISO/IEC 13888:2004 serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The goal of the non-repudiation service is to generate, collect, maintain, make available and verify evidence concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action. There are two main types of evidence, the nature of which depends on cryptographic techniques employed: the secure envelopes generated by an evidence-generating authority using symmetric cryptographic techniques, and digital signatures generated by an evidence generator or an evidence generating authority using asymmetric cryptographic techniques. Non-repudiation mechanisms generic to the various non-repudiation services are described first. The different parts of this International Standard provide non-repudiation mechanisms for the following phases of non-repudiation: evidence generation, transfer, storage, retrieval and verification. The non-repudiation mechanisms are then applied to a selection of specific non-repudiation services such as non-repudiation of origin, non-repudiation of delivery, non-repudiation of submission, and non-repudiation of transport. Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens specific to each non-repudiation service. Non-repudiation tokens consist of secure envelopes and/or digital signatures and, optionally, of additional data.

Techniques de sécurité dans les TI — Non-répudiation — Partie 1: Généralités

General Information

Status
Withdrawn
Publication Date
09-Jun-2004
Withdrawal Date
09-Jun-2004
ICS
35.030 - IT Security
35.040 - Information coding
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 2 - Cryptography and security mechanisms
Current Stage
9599 - Withdrawal of International Standard
Completion Date
09-Jul-2009
Ref Project

Relations

Revised
ISO/IEC 13888-1:2009 - Information technology — Security techniques — Non-repudiation — Part 1: General
Effective Date
15-Apr-2008
Revises
ISO/IEC 13888-1:1997 - Information technology — Security techniques — Non-repudiation — Part 1: General
Effective Date
15-Apr-2008

Buy Standard

ISO/IEC 13888-1:2004 - IT security techniques -- Non-repudiationISO/IEC 13888-1:2004 - IT security techniques -- Non-repudiation
PreviousNext
Standard
ISO/IEC 13888-1:2004 - IT security techniques -- Non-repudiation
English language
15 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 13888-1
Second edition
2004-06-01


IT security techniques —
Non-repudiation —
Part 1:
General
Techniques de sécurité dans les TI — Non-répudiation —
Partie 1: Généralités




Reference number
ISO/IEC 13888-1:2004(E)
©
ISO/IEC 2004

---------------------- Page: 1 ----------------------
ISO/IEC 13888-1:2004(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2004 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 13888-1:2004(E)
Contents Page

Foreword.v
Introduction.vi
1 Scope.1
2 Normative references.1
3 Terms and definitions .2
3.1 Definitions from ISO 7498-2.2
3.2 Definitions from ISO/IEC 9594-8.2
3.3 Definitions from ISO/IEC 9797-1.2
3.4 Definitions from ISO/IEC 10118-1.2
3.5 Definitions from ISO/IEC 10181-1.2
3.6 Definitions from ISO/IEC 10181-4.3
3.7 Definitions from ISO/IEC 11770-3.3
3.8 Definitions from ISO/IEC 18014.4
3.9 Definitions unique to this International Standard on non-repudiation .4
4 Symbols (and abbreviated terms).7
5 Organisation of the remaining part of this part of the International Standard.8
6 Requirements.8
7 Generic non-repudiation services .8
7.1 Entities involved in the provision and verification of evidence.8
7.2 Non-repudiation services.9
8 Trusted third party involvement.9
8.1 Evidence generation phase .9
8.2 Evidence transfer, storage and retrieval phase .10
8.3 Evidence verification phase .10
9 Evidence generation and verification mechanisms.10
9.1 Secure envelopes .10
9.2 Digital signatures.11
9.3 Evidence verification mechanism.11
10 Non-repudiation tokens .11
10.1 Generic non-repudiation token .11
10.2 Time-stamping token.12
10.3 Notarization token .12
11 Specific non-repudiation services .13
11.1 Non-repudiation of origin.13
11.2 Non-repudiation of delivery.13
11.3 Non-repudiation of submission .13
11.4 Non-repudiation of transport.14
12 Use of specific non-repudiation tokens in a messaging environment .14

© ISO/IEC 2004 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 13888-1:2004(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 13888-1:2004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 13888-1:1997), which has been technically
revised.
ISO/IEC 13888 consists of the following parts, under the general title IT security techniques —
Non-repudiation:
 Part 1: General
 Part 2: Mechanisms using symmetric techniques
 Part 3: Mechanisms using asymmetric techniques
iv © ISO/IEC 2004 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 13888-1:2004(E)
Introduction

The goal of the non-repudiation service is to generate, collect, maintain, make available and verify evidence concerning a
claimed event or action in order to resolve disputes about the occurrence or non occurrence of the event or action. This part of
ISO/IEC 13888 describes a model for non-repudiation mechanisms providing evidence based on cryptographic check values
generated by using symmetric or asymmetric cryptographic techniques. Non-repudiation mechanisms generic to the various
non-repudiation services are first described and then applied to a selection of specific non-repudiation services such as:
– Non-repudiation of origin,
– Non-repudiation of delivery,
– Non-repudiation of submission,
– Non-repudiation of transport.
Non-repudiation services establish evidence: evidence establishes accountability regarding a particular event or action. The
entity responsible for the action, or associated with the event, with regard to which evidence is generated, is known as the
evidence subject. There are two main types of evidence the nature of which depends on cryptographic techniques employed:
– Secure envelopes generated by an evidence generating authority using symmetric cryptographic techniques,
– Digital signatures generated by an evidence generator or an evidence generating authority using asymmetric cryptographic
techniques.
Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens specific to each non-repudiation
service. Non-repudiation tokens consist of secure envelopes and/or digital signatures and, optionally, of additional data. Non-
repudiation tokens may be stored as non-repudiation information that may be used subsequently by disputing parties or by an
adjudicator to arbitrate in disputes.
Depending on the non-repudiation policy in effect for a specific application, and the legal environment within which the
application operates, additional information may be required to complete the non-repudiation information, e.g.,
– Evidence including a trusted time-stamp provided by a time-stamping authority,
– Evidence provided by a notary which provides assurance about data created or the action or event performed by one or
more entities.
Non-repudiation can only be provided within the context of a clearly defined security policy for a particular application and its
legal environment. Non-repudiation policies are described in ISO/IEC 10181-4.

© ISO/IEC 2004 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 13888-1:2004(E)

IT security techniques — Non-repudiation —
Part 1:
General
1 Scope
This part of ISO/IEC 13888 serves as a general model for subsequent parts specifying non-repudiation mechanisms using
cryptographic techniques. This multipart International Standard provides non-repudiation mechanisms for the following phases
of non-repudiation:
– Evidence generation,
– Evidence transfer, storage and retrieval, and
– Evidence verification.
Dispute arbitration is outside the scope of this International Standard.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the
edition cited applies. For undated references, the latest edition of the referenced document (including any amendments)
applies.
ISO 7498-2:1989, Information processing systems – Open Systems Interconnection – Basic Reference Model, Part 2: Security
Architecture.
ISO/IEC 9594-8:2001, Information processing systems – Open Systems Interconnection – The Directory, Part 8: Authentication
Framework.
ISO/IEC 9796 (all parts), Information technology – Security techniques – Digital signature scheme giving message recovery.
ISO/IEC 9797 (all parts), Information technology – Security techniques – Message authentication codes (MACs).
ISO/IEC 9798-1:1997, Information technology – Security techniques – Entity authentication mechanisms – Part 1: General
ISO/IEC 10118 (all parts), Information technology – Security techniques – Hash-functions.
ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems – Part
1: Overview.
ISO/IEC 10181-4:1997, Information technology – Open Systems Interconnection – Security frameworks for open systems – Part
4: Non-repudiation framework.
ISO/IEC 11770-3:1999, Information technology – Security techniques – Key management – Part 3: Mechanisms using
asymmetric techniques.
ISO/IEC 13888-2:1998, Information technology – Security techniques – Non-repudiation – Part 2: Mechanisms using symmetric
techniques
ISO/IEC 13888-3:1997, Information technology – Security techniques – Non-repudiation – Part 3: Mechanisms using
asymmetric techniques
ISO/IEC 14888 (all parts), Information technology – Security techniques – Digital signatures with appendix.
ISO/IEC 18014 (all parts), Information technology – Security techniques – Time-stamping services.

© ISO/IEC 2004 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 13888-1:2004(E)
3 Terms and definitions
3.1 Definitions from ISO 7498-2
3.1.1
Accountability
The property that ensures that the actions of an entity may be traced uniquely to the entity.
3.1.2
Data integrity
The property that data has not been altered or destroyed in an unauthorised manner.
3.1.3
Data origin authentication
The corroboration that the source of data received is as claimed.
3.1.4
Digital signature
Data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to
prove the source and integrity of the data unit and protect against forgery e.g. by the recipient.
3.1.5
Security policy
The set of criteria for the provision of security services.
3.2 Definitions from ISO/IEC 9594-8
3.2.1
Certification authority
An authority trusted by one or more users to create and assign certificates. Optionally the certification authority may
create the users‘ keys.
3.3 Definitions from ISO/IEC 9797-1
3.3.1
Message Authentication Code (MAC)
The string of bits which is the output of a MAC algorithm.
NOTE – A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2).
3.4 Definitions from ISO/IEC 10118-1
3.4.1
Hash-code
The string of bits that is the output of a hash-function.
3.4.2
Hash-function
A function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:
– It is computationally infeasible to find for a given output an input which maps to this output,
– It is computationally infeasible to find for a given input a second input which maps to the same output.
3.5 Definitions from ISO/IEC 10181-1
3.5.1
Security authority
An entity that is responsible for the definition or enforcement of security policy.
2 © ISO/IEC 2004 — All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 13888-1:2004(E)
3.5.2
Security certificate
A set of security relevant data issued by a security authority or trusted third party, together with security information
which is used to provide the integrity and data origin authentication.
3.5.3
Security token
A set of security relevant data that is protected by integrity and data origin authentication from a source which is not
considered a security authority.
3.5.4
Trust
A relationship between two elements, a set of activities and a security policy in which element x trusts element y if
and only if x has confidence that y will behave in a well defined way (with respect to the activities) that does not vio-
late the given security policy.
3.6 Definitions from ISO/IEC 10181-4
3.6.1
Evidence generator
An entity that produces non-repudiation evidence.
3.6.2
Evidence user
An entity that uses non-repudiation evidence.
3.6.3
Evidence verifier
An entity that verifies non-repudiation evidence.
3.6.4
Non-repudiation service requester
An entity that requests that non-repudiation evidence be generated for a particular event or action.
3.7 Definitions from ISO/IEC 11770-3
3.7.1
Key
A sequence of symbols that controls the operations of a cryptographic transformation (e.g., encipherment,
decipherment, cryptographic check-function computation, signature calculation, or signature verification).
3.7.2
Private key
That key of an entity's asymmetric key pair which can only be used by that entity.
NOTE - In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric
encipherment system the private key defines the decipherment transformation.
3.7.3
Public key
That key of an entity's asymmetric key pair which can be made public.
NOTE – In the case of an asymmetric signature scheme the public key defines the verification transformation. In the case of an asymmetric
encipherment system the public key defines the encipherment transformation. A key that is 'publicly known' is not necessarily globally
available. The key may only be available to all members of a pre-specified group.
3.7.4
Public key certificate
The public key information of an entity signed by the certification authority and thereby rendered unforgeable.
© ISO/IEC 2004 — All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 13888-1:2004(E)
3.7.5
Secret key
A key used with symmetric cryptographic techniques and usable only by a set of specified entities.
3.8 Definitions from ISO/IEC 18014
3.8.1
Time-stamp
A time variant parameter which denotes a point in time with respect to a common time reference.
3.8.2
Time-stamping authority
A trusted third party trusted to provide a time-stamping service.
3.9 Definitions unique to this International Standard on non-repudiation
For the use of this multipart International Standard the following definitions apply:
3.9.1
Certificate
An entity's data rendered unforgeable with the private or secret key of a certification authority.
3.9.2
Data storage
A means for storing information from which data is submitted for delivery, or into which data is put by the delivery
authority.
3.9.3
Delivery authority
An authority trusted by the sender to deliver the data from the sender to the receiver, and to provide the sender
with evidence on the submission and transport of data upon request.
3.9.4
Distinguishing identifier
Information which unambiguously distinguishes an entity in the non-repudiation process.
3.9.5
Evidence
Information either by itself, or in conjunction with other information, is used to establish proof about an event or ac-
tion.
NOTE – Evidence does not necessarily prove truth or existence of something (see proof) but contributes to establish proof.
3.9.6
Evidence requester
An entity requesting evidence to be generated either by another entity or by a trusted third party.
3.9.7
Evidence subject
The entity responsible for the action, or associated with the event, with regard to which evidence is generated.
3.9.8
Imprint
A string of bits, either the hash-code of a data string or the data string itself.
3.9.9
Monitor (monitoring authority)
A trusted third party monitoring the actions and events and is trusted to provide evidence about what was
monitored.
4 © ISO/IEC 2004 — All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 13888-1:2004(E)
3.9.10
Non-repudiation exchange
A sequence of one or more transfers of non-repudiation information (NRI) for the purpose of non-repudiation.
3.9.11
Non-repudiation information
A set of information that may consist of the information about an event or action for which evidence is to be
generated and verified, the evidence itself, and the non-repudiation policy in effect.
3.9.12
Non-repudiation of creation
This service is intended to protect against an entity's false denial of having created the content of a message (i.e.,
being responsible for the content of a message).
3.9.13
Non-repudiation of delivery
This service is intended to protect against a recipient's false denial of having received the message and recognised
the content of a message.
3.9.14
Non-repudiation of knowledge
This service is intended to protect against a recipient's false denial of having taken notice of the content of a re-
ceived message.
3.9.15
Non-repudiation of origin
This service is intended to protect against the originator's false denial of having created the content of a message
and of having sent a message.
3.9.16
Non-repudiation of receipt
This service is intended to protect against a recipient's false denial of having received a message.
3.9.17
Non-repudiation of sending
This service is intended to protect against the sender's false denial of having sent a message.
3.9.18
Non-repudiation of submission
This service is intended to provide evidence that a delivery authority has accepted the message for transmission.
3.9.19
Non-repudiation of transport
This service is intended to provide evidence for the message originator that a delivery authority has delivered the
message to the intended recipient.
3.9.20
Non-repudiation policy
A set of criteria for the provision of non-repudiation services. More specifically, a set of rules to be applied for the
generation and verification of evidence and for adjudication.
3.9.21
Non-repudiation token
A special type of security token as defined in ISO/IEC 10181-1 consisting of evidence, and, optionally, of additional
data.
© ISO/IEC 2004 — All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 13888-1:2004(E)
3.9.22
Notarization
The provision of evidence by a notary about the properties of the entities involved in an action or event, and of the
data stored or communicated.
3.9.23
Notarization token
A non-repudiation token generated by a notary.
3.9.24
Notary (notary authority)
A trusted third party trusted to provide evidence about the properties of the entities involved and of the data stored
or communicated, or to extend the lifetime of an existing token beyond its expiry or beyond subsequent revocation.
3.9.25
NRD token
Non-repudiation of delivery token. A data item which allows the originator to establish non-repudiation of delivery
for a message.
3.9.26
NRO token
Non-repudiation of origin token. A data item which allows recipients to establish non-repudiation of origin for a
message.
3.9.27
NRS token
Non-repudiation of submission token. A data item which allows either the originator (sender) or the delivery
authority to establish non-repudiation of submission for a message having been submitted for transmission.
3.9.28
NRT token
Non-repudiation of transport token. A data item which allows either the originator or the delivery authority to
establish non-repudiation of transport for a message.
3.9.29
Originator
The entity that sends a message to the recipient or makes available a message for which non-repudiation services
are to be provided.
3.9.30
Proof
The corroboration that evidence is valid in accordance with the non-repudiation policy in force.
NOTE – Proof is evidence that serves to prove truth or existence of something.
3.9.31
Recipient
The entity that gets (receives or fetches) a message for which non-repudiation services are to be provided.
3.9.32
Redundancy
Any information that is known and can be checked.
3.9.33
Secure envelope (SENV)
A set of data items which is constructed by an entity in such a way that any entity holding the secret key can verify
their integrity and origin. For the purpose of generating evidence, the SENV is constructed and verified by a trusted
third party (TTP) with a secret key known only to the TTP.
6 © ISO/IEC 2004 — All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 13888-1:2004(E)
NOTE – Other International Standards often use the term envelope to denote encrypted objects. For the purpose of this International
Standard, secure envelopes need not generally be encrypted.
3.9.34
Signer
The entity generating a digital signature.
3.9.35
Trusted third party
A security authority, or its agent, trusted by other entities with respect to security related activities (see ISO/IEC
10181-1).
NOTE – In the context of this multipart International Standard, a trusted third party is trusted by the originator, the recipient, and/or the
delivery authority for the purposes of non-repudiation, and by another party such as an adjudicator.
3.9.36
Trusted time-stamp
A time-stamp assured by a time-stamping authority.
3.9.37
Verification key
A value required to verify a cryptographic check value.
3.9.38
Verifier
An entity that verifies evidence.
4 Symbols (and abbreviated terms)
A The distinguishing identifier of entity A.
B The distinguishing identifier of entity B.
CA Certification authority.
CHK (y) The cryptographic check value computed on the data y using the key of entity X.
X
DA The distinguishing identifier of the delivery authority.
f A data item (flag) indicating the kind of non-repudiation service in effect.
i
GNRT Generic non-repudiation token.
H(y) The hash-code of data string y.
Imp(y) The imprint of the data string y, either (1) the hash-code of data string y, or (2) the data string y.
m A message for which evidence is generated.
MAC Message Authentication Code.
NA Notary authority.
NRDT Non-repudiation of delivery token.
NRI Non-repudiation information.
NROT Non-repudiation of origin token.
NRST Non-repudiation of submission token.
NRTT Non-repudiation of transport token.
NT Notarization token.
OSI Open Systems Interconnection.
Pol The distinguishing identifier of the non-repudiation policy (or policies) which apply to evidence.
SENV Secure envelope.
SENV (y) Secure envelope computed on data y using the secret key of entity X.
X
SIG Signed message.
SIG (y) Signed message generated on data y by entity X using its private key.
X
S (y) The signature computed on data y using a signature algorithm and the private key of entity X.
X
text A data item forming a part of the token that may contain additional information, e.g., key identifier and/or the
message identifier.
© ISO/IEC 2004 — All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC 13888-1:2004(E)
T Date and time the evidence was generated.
g
T Date and time the event or action took place.
i
TSA The distinguishing identifier of the trusted time-stamping authority.
TST Time-stamping token generated by the TSA.
TTP The distinguishing identifier of the trusted third party.
V (y) The verification operation applied to data y (a secure envelope or a digital signature) by using a verification
X
algorithm and the verification key of entity X.
y||z The result of the concatenation of y and z in that order.
5 Organisation of the remaining part of this part of the International Standard
Non-repudiation services are modelled by first specifying basic requirements in Clause 6 and describing (in Clause 7) the roles
of the entities involved in the provision and verification of evidence. The involvement of trusted third parties in the various
phases of non-repudiation, in particular in the provision and verification of evidence, is described in Clause 8. Evidence
generation and verification mechanisms are described in Clause 9, involving the generation of secure envelopes and digital
signatures based on symmetric and asymmetric cryptographic techniques respectively. Cryptographic check functions common
to both basic mechanisms are derived in order to better represent non-repudiation tokens. In Clause 10 three kinds of tokens
are defined, firstly, the generic non-repudiation token suitable for many non-repudiation services, secondly, the time-stamping
token generated by a trusted time-stamping authority and, thirdly, the notarization token generated by a notary to provide evi-
dence about the properties of the entities involved and of the data stored or communicated. Sp
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 18032:2020(Main)
Information security — Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 24761:2019(Main)
Information technology — Security techniques — Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

  • Standard
    75 pages
    English language
    sale 15% off
ISO
ISO/IEC 30111:2019(Main)
Information technology — Security techniques — Vulnerability handling processes

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    15 pages
    French language
    sale 15% off
ISO
ISO/IEC 9798-2:2019(Main)
IT Security techniques — Entity authentication — Part 2: Mechanisms using authenticated encryption

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 9798-3:2019(Main)
IT Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 27008:2019(Main)
Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

  • Technical specification
    91 pages
    English language
    sale 15% off
ISO
ISO/IEC 10118-3:2018(Main)
IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

  • Standard
    398 pages
    English language
    sale 15% off
ISO
ISO/IEC 29147:2018(Main)
Information technology — Security techniques — Vulnerability disclosure

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
ISO/IEC TS 19608:2018(Main)
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document are: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.

  • Technical specification
    48 pages
    English language
    sale 15% off
ISO
ISO/IEC 27050-2:2018(Main)
Information technology — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery

This document provides guidance for technical and non-technical personnel at senior management levels within an organization, including those with responsibility for compliance with statuary and regulatory requirements, and industry standards. It describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.

  • Standard
    9 pages
    English language
    sale 15% off