ISO/IEC 27071:2023
Cybersecurity — Security recommendations for establishing trusted connections between devices and services
This document provides a framework and recommendations for establishing trusted connections between devices and services based on hardware security modules. It includes recommendations for components such as: hardware security module, roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity. This document is applicable to scenarios that establish trusted connections between devices and services based on hardware security modules. This document does not address privacy concerns.
Cybersécurité — Recommandations de sécurité pour l'établissement de connexions de confiance entre dispositifs et services
INTERNATIONAL STANDARD ISO/IEC 27071
First edition 2023-07
Cybersecurity — Security recommendations for establishing trusted connections between devices and services
Cybersécurité — Recommandations de sécurité pour l'établissement de connexions de confiance entre dispositifs et services
Reference number ISO/IEC 27071:2023(E)
© ISO/IEC 2023
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms relating to cloud computing
3.2 Terms relating to cloud computing roles and activities
3.3 Terms relating to security and privacy
3.4 Miscellaneous terms
4 Abbreviated terms
5 Framework and components for establishing a trusted connection
5.1 Overview
5.2 Hardware security module
5.3 Root of trust
5.4 Identity
5.5 Authentication and key establishment
5.6 Remote attestation
5.7 Data integrity and authenticity
5.8 Trusted user interface
6 Security recommendations for establishing a trusted connection
6.1 Hardware security module
6.2 Root of trust
6.3 Identity
6.4 Authentication and key establishment
6.5 Remote attestation
6.6 Data integrity and authenticity
6.7 Trusted user interface
Annex A (informative) Threats
Annex B (informative) Solutions for components of a trusted connection
Annex C (informative) Example of establishing a trusted connection
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information Security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
With the development of the internet of things (IoT), mobile services, cloud computing, big data and
artificial intelligence (AI), it is essential to establish trusted connections between devices and services
in a growing number of scenarios.
Secure channels [e.g. the transport layer security (TLS) protocol, or its deprecated predecessor secure sockets layer (SSL)] are used between devices and services to protect the confidentiality and integrity of data in transit, but that is not enough. The service has to distinguish data collected by the sensors of the authorized device from data sent by other devices or forged by adversaries. The service should therefore be able to ensure that the data comes from the authorized device.
In addition, it is crucial for the device to distinguish the genuine service from unintended services or
malicious services. In this way, it should be able to reliably identify the genuine and intended service, in
particular for cloud services, which may have thousands of such services running.
Identity without a reliable root of trust can be forged, so controls are critical to ensure the utilization
of reliable roots of trust. The requirements for establishing reliable virtualized roots of trust are
described in ISO/IEC 27070.
Mutual authentication between a device and a service is essential for preventing impersonation
attacks. While insufficient in itself, remote attestation between a device and a service is also critical for
protecting the data handling processes and establishing a security channel to prevent interception by
an adversary on the communication network.
Data captured from sensors integrated in the device, input by users, or generated (or processed) by algorithms in the device should carry a label and be digitally signed (or protected by another cryptographic mechanism) using the device's particular key designed for this purpose, to protect the integrity and authenticity of the data. The service can also know the parameters of the device's sensors, which helps it process the data. Trusted connections have a strong relationship with hardware security module (HSM), trusted computing (TC), public key infrastructure (PKI) and certification authority (CA) technology. Trusted connection issues can be broken down into several sub-categories such as:
— hardware security modules to establish the reliable root of trust;
— identity of devices and services issued by trusted parties;
— mutual authentication and key establishment between devices and services to establish a security channel;
— mutual remote attestation (or environment assurance) between devices and services;
— data identity to keep the data integrity and authenticity long term.
This document proposes security recommendations for establishing trusted connections between devices and services, which would help the related organizations to set up HSMs in devices (including mobile devices, PCs or IoT devices) and in the infrastructure of cloud services. This document can help to build a trusted environment. It can also help trusted third parties (e.g. a CA) to issue certificates to devices and services, and help applications to mitigate attacks and identify forged data from sensors.
INTERNATIONAL STANDARD ISO/IEC 27071:2023(E)
Cybersecurity — Security recommendations for
establishing trusted connections between devices and
services
1 Scope
This document provides a framework and recommendations for establishing trusted connections
between devices and services based on hardware security modules. It includes recommendations
for components such as: hardware security module, roots of trust, identity, authentication and key
establishment, remote attestation, data integrity and authenticity.
This document is applicable to scenarios that establish trusted connections between devices and
services based on hardware security modules.
This document does not address privacy concerns.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27070, Information technology — Security techniques — Requirements for establishing virtualized
roots of trust
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27070 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms relating to cloud computing
3.1.1
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual
resources with self-service provisioning and administration on-demand
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and
storage equipment.
[SOURCE: ISO/IEC 22123-1:2023, 3.1.1, modified — note 2 to entry has been deleted.]
3.1.2
cloud service
capabilities offered via cloud computing (3.1.1) invoked using a defined interface
[SOURCE: ISO/IEC 22123-1:2023, 3.1.2]
3.2 Terms relating to cloud computing roles and activities
3.2.1
party
natural person or legal person or a group of either, whether or not incorporated, that can assume one or
more roles
[SOURCE: ISO/IEC 22123-1:2023, 3.3.1]
3.2.2
cloud service provider
party (3.2.1) that is acting in a cloud service (3.1.2) provider role
[SOURCE: ISO/IEC 22123-1:2023, 3.3.3]
3.2.3
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer that uses
cloud services (3.1.2)
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 22123-1:2023, 3.3.4]
3.2.4
tenant
cloud service user (3.2.3) sharing access to a set of physical and virtual resources
[SOURCE: ISO/IEC 22123-1:2023, 3.4.2, modified — “one or more” has been deleted from original
definition.]
3.3 Terms relating to security and privacy
3.3.1
availability
property of being accessible and usable on demand by an authorized entity
[SOURCE: ISO/IEC 27000:2018, 3.7]
3.3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO/IEC 27000:2018, 3.10]
3.3.3
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018, 3.36]
3.3.4
hardware security module
HSM
tamper-resistant hardware module which safeguards and manages keys and provides cryptographic
functions
Note 1 to entry: Trusted module is a specific kind of HSM.
3.3.5
trust anchor module
TAM
hardware security module (3.3.4) that acts as the roots of trust (3.3.8)
Note 1 to entry: Trust anchor module is an abstract module that contains one or more hardware security modules.
3.3.6
trusted user interface
TUI
device component with a user interface whose integrity (3.3.3) and authenticity is managed by the trust
anchor module (3.3.5)
3.3.7
identity key
IK
signing key used for authentication and to sign characteristics of the device (or service) environment
(e.g. a digest) in order to prevent forgery and protect the integrity (3.3.3) of the device (or service)
environment characteristics
3.3.8
root of trust
RoT
physical root of trust
component that needs to always behave in the expected manner because its misbehaviour cannot be
detected
Note 1 to entry: The complete set of roots of trust has at least the minimum set of functions to enable a description
of the platform characteristics that affect the trust of the platform.
[SOURCE: ISO/IEC 27070:2021, 3.4, modified — “physical root of trust” has been added as an admitted
term.]
3.3.9
virtualized root of trust
vRoT
security function component established based on the root of trust (3.3.8), which provides similar
function as the root of trust
Note 1 to entry: In practical environments, there can be multiple virtualized roots of trust based on the single
root of trust simultaneously.
3.3.10
root of trust for measurement
computation engine that resets one or more platform configuration registers, makes the initial integrity
(3.3.3) measurement, and extends it into a platform configuration register
Note 1 to entry: A root of trust (3.3.8) that collects device environment characteristics (e.g. firmware integrity
measurements) and puts them in a format suitable for attestation (e.g. trusted platform module platform
configuration registers).
3.3.11
root of trust for storage
component of the root of trust (3.3.8) that provides storing confidential information and measured
values in shielded locations accessed using protected capabilities
3.3.12
root of trust for reporting
component of the root of trust (3.3.8) that reliably provides authenticity and nonrepudiation services
for the purposes of attesting to the origin and integrity (3.3.3) of platform characteristics
Note 1 to entry: A root of trust that uses the device’s (or service’s) identity key (3.3.7) to reliably provide
authenticity and nonrepudiation services for the purposes of attesting to the origin and integrity of device (or
service) environment characteristics.
3.3.13
secure element
SE
tamper-resistant platform capable of securely hosting applications and their confidential and
cryptographic data (for example cryptographic keys) in accordance with the rules and security
requirements set by well-identified trusted authorities
3.3.14
trusted computing
TC
technology by which a computer is protected so that it consistently behaves in expected ways
3.3.15
trusted execution environment
TEE
execution environment that runs alongside but is isolated from the device main operating system
3.3.16
chain of trust
extension of trust from a component [e.g. a root of trust (3.3.8)] to another component accomplished
through the act of measurement and verification of the integrity (3.3.3) and authenticity of the new
component before the system begins execution of the new component
Note 1 to entry: Such an act builds a chain of trust from the old component to the new component, which is now a
trusted component. The old component can be either a root of trust or a trusted component.
3.3.17
trusted environment
TE
execution mode where the functionality is protected by a root of trust (3.3.8) service
Note 1 to entry: A trusted execution environment (3.3.15) is a specific TE.
3.4 Miscellaneous terms
3.4.1
device
physical entity that communicates directly or indirectly with one or more cloud services (3.1.2)
[SOURCE: ISO/IEC 22123-1:2023, 3.13.4, modified — note 1 to entry has been deleted.]
3.4.2
device holder
person possessing and using the device
Note 1 to entry: In some cases, e.g. a mobile device, the person who possesses and uses the device is the device holder. In Internet of Things cases, it is likely that sensors (devices) have no corresponding device holder.
4 Abbreviated terms
API application programming interface
CA certification authority (in a PKI)
CPU central processing unit
HSM hardware security module
IK identity key
IMC integrity measurement collectors
IMV integrity measurement verifiers
PCR platform configuration register
PKI public key infrastructure
RoT root of trust
REE rich execution environment
RTM root of trust for measurement
RTR root of trust for reporting
RTS root of trust for storage
SE secure element
TAM trust anchor module
TC trusted computing
TCG trusted computing group
TCM trusted cryptography module
TE trusted environment
TEE trusted execution environment
TPM trusted platform module
vRoT virtualized root of trust
5 Framework and components for establishing a trusted connection
5.1 Overview
This clause provides an overview of the framework and components of a trusted connection between a
device and a service based on hardware security modules.
A trusted connection between a device and a service provides the ability to protect confidentiality,
integrity and authenticity of data; prevent identity spoofing by binding the identity of the device (or
service) to a root of trust; and ensure trusted processing of data by remote attestation or environment
assurance. For information on threats on a trusted connection, see Annex A.
Figure 1 describes the parties involved in establishing a trusted connection, including the identity issuer (e.g. a CA), the HSM manufacturer, the device manufacturer, the system integrator, the cloud service provider, the tenant and the device holder (the device holder does not exist in some scenarios, such as IoT).
The HSM manufacturer produces HSMs. The device manufacturer produces the device. The cloud service provider runs the cloud service. The cloud service customer possesses the service that has a trusted connection with the device. In some scenarios the cloud service customer and the cloud service provider are the same party. Devices act as cloud service users (or tenants). The device holder (e.g. the holder of a mobile phone) possesses and uses the device to establish a trusted connection with a cloud service.
[Figure 1 omitted. Key: party (the party does not exist in some scenarios); offline or pre-set procedure; ownership; trusted connection; m = number of services.]
Figure 1 — Parties related in trusted connection
There are several scenarios to establish a trusted connection between a device and a service.
Figure 2 shows the framework of a trusted connection for device with both TEE/SE and REE (such as
a mobile device). Applications which are run in a TEE/SE environment and have a root of trust based
on the TAM, can build a trusted connection to service. A trusted user interface (TUI) component is
provided for interaction between the user and the device.
Figure 3 illustrates the framework of a trusted connection for a device with the TE only (such as an
IoT device). To establish a trusted connection between a device (with TE only) and a service, a remote
attestation component may not be required, and the user interface (or trusted user interface, TUI) may
not exist.
[Figure 2 omitted. Key: data and control flow; mandatory component; abstract component; m = number of services; n = number of HSMs.]
NOTE Trusted connection components on the service side are omitted.
Figure 2 — Framework of a trusted connection for a device with TEE/SE and REE
[Figure 3 omitted. Key: data and control flow; mandatory component; abstract component; m = number of services; n = number of HSMs.]
NOTE Trusted connection components on the service side are omitted.
Figure 3 — Framework of a trusted connection for a device with TE only
Figure 4 gives an overview of the components for a trusted connection.
Both the device and the service consist of multiple components. Each of these components performs a
specific task within the trusted connection framework. The components to build a trusted connection
are as follows:
— The HSM component safeguards and manages digital keys and provides cryptographic processing.
A trust anchor module (TAM) is an abstract component that contains one or more HSMs.
— The root of trust component manages RoTs that are anchored in a specific HSM (e.g. TPM/TCM,
TEE/SE) of the TAM.
— The identity component manages identity bound to RoT. Trusted parties (including trusted third
parties) issue identities to RoTs bound to the device (or service).
— The remote attestation component is responsible for remote attestation between the device and the
service in a trusted connection. In some cases, if the device (or service) meets the corresponding
security requirements (e.g. level 3 or greater as specified in ISO/IEC 19790), the remote attestation
component in the device (or service) side is optional.
— The authentication and key establishment component is responsible for building a security channel
between the device and the service based on RoT and IK.
— The data integrity and authenticity component is responsible for protecting the data integrity and
authenticity by using cryptographic mechanisms with an IK. This component can also provide the
non-repudiation property.
— The TUI component is responsible for the trusted interaction between the user and the device. In
scenarios that do not require trusted interaction, there is no TUI component.
[Figure 4 omitted. Key: data and control flow; mandatory component; optional component; abstract component; n = number of HSMs.]
Figure 4 — Components of a trusted connection
The solutions for each component in the framework are contained in Annex B. An example of establishing
a trusted connection between a device and a service is provided in Annex C.
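The labelled, device-signed data described in the Introduction and by the data integrity and authenticity component above, as an added example written for this page; it is not code from ISO/IEC 27071 or from any referenced standard. It uses Ed25519 from Go's standard library in place of an HSM-held key, a device identifier, sensor label and sequence counter of its own choosing, and a constructed enrolment record on the service side; the standard's certificate-based identity is simplified to a public key registered at enrolment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Record is one labelled measurement as emitted by the device.
// Field names and the label scheme are assumptions for this example.
type Record struct {
	DeviceID string
	Label    string  // which sensor or algorithm produced the value, e.g. "temp/celsius"
	Seq      uint64  // monotonic counter; lets the service detect replays and gaps
	Value    float64
	Sig      []byte // signature over canonical() with the device's data-signing key
}

// canonical gives the bytes that are signed: every field is length-prefixed,
// so no two different records encode to the same byte string.
func (r Record) canonical() []byte {
	var out []byte
	put := func(f []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	var seq, val [8]byte
	binary.BigEndian.PutUint64(seq[:], r.Seq)
	binary.BigEndian.PutUint64(val[:], math.Float64bits(r.Value))
	put([]byte("device-data-v1")) // domain separation from other uses of the key
	put([]byte(r.DeviceID))
	put([]byte(r.Label))
	put(seq[:])
	put(val[:])
	return out
}

// sign runs on the device. In a real deployment the private key never leaves
// the HSM/TEE and this call would be an HSM operation.
func sign(r *Record, dataKey ed25519.PrivateKey) {
	r.Sig = ed25519.Sign(dataKey, r.canonical())
}

// profile is what the service stored at enrolment: the device's data-signing
// public key (in the standard, an identity bound to the device's RoT) and the
// physical range of each labelled sensor, which the service uses to sanity-check values.
type profile struct {
	pub     ed25519.PublicKey
	sensors map[string][2]float64 // label -> {min, max}
	lastSeq uint64
}

type service struct{ devices map[string]*profile }

func newService() *service { return &service{devices: map[string]*profile{}} }

func (s *service) enroll(id string, pub ed25519.PublicKey, sensors map[string][2]float64) {
	s.devices[id] = &profile{pub: pub, sensors: sensors}
}

// accept returns nil only for a record that is authentic, fresh and plausible.
// The signature is checked before the counter so an attacker cannot move
// lastSeq forward with unsigned junk.
func (s *service) accept(r Record) error {
	d, ok := s.devices[r.DeviceID]
	if !ok {
		return errors.New("unknown device")
	}
	if !ed25519.Verify(d.pub, r.canonical(), r.Sig) {
		return errors.New("signature invalid: not from this device or modified in transit")
	}
	rng, ok := d.sensors[r.Label]
	if !ok {
		return fmt.Errorf("device has no sensor labelled %q", r.Label)
	}
	if r.Seq <= d.lastSeq {
		return errors.New("replayed or out-of-order record")
	}
	if r.Value < rng[0] || r.Value > rng[1] {
		return fmt.Errorf("value %g outside sensor range %v", r.Value, rng)
	}
	d.lastSeq = r.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the device's HSM key
	if err != nil {
		panic(err)
	}
	svc := newService()
	svc.enroll("dev-001", pub, map[string][2]float64{"temp/celsius": {-40, 85}})
	r := Record{DeviceID: "dev-001", Label: "temp/celsius", Seq: 1, Value: 21.5} // constructed reading
	sign(&r, priv)
	fmt.Println("genuine:", svc.accept(r))
	fmt.Println("replay:", svc.accept(r))
	forged := r
	forged.Seq, forged.Value = 2, 60 // attacker rewrites the reading in transit
	fmt.Println("modified:", svc.accept(forged))
}
```

The length-prefixed canonical form matters: signing a plain concatenation of fields would let an attacker shift bytes between the label and the device identifier without invalidating the signature. The sequence counter gives the service replay detection without needing synchronized clocks on constrained devices.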
5.2 Hardware security module
The hardware security module (HSM) is used for securing cryptographic keys and also provides
cryptographic operations using these keys. The trust anchor module (TAM) is an abstract component
that contains one or several HSM. The HSM provides protection for identities, applications and
transactions by ensuring appropriate security of keys and encryption, decryption and authentication
operations. The HSM has protection features such as physical tamper resistance.
5.3 Root of trust
The root of trust (RoT) is an anchor of trust which is based on HSM components that are inherently
trusted. In a TPM case, there are three types of RoT, as described in ISO/IEC 11889-1:
— root of trust for reporting;
— root of trust for measurement;
— root of trust for storage.
In an implementation, the different types of RoT can be provided by one or several HSMs.
5.4 Identity
The identity component manages identities. Identity can be a certificate containing an identifier issued
by a trusted party (including a trusted third party, such as PKI/CA). The identity is bound to the RoT on
a device (or a service). Each RoT (or vRoT) can have an identity issued by a trusted party.
5.5 Authentication and key establishment
The authentication and key establishment component manages security channels between the device
and the service. The device and the service execute a mutual authentication and key establishment
protocol (such as TLS 1.3 [6]) using identity-related keys to establish the security channels.
5.6 Remote attestation
Remote attestation is a method by which a device (or service) proves its hardware and software
configuration to a service (or device).
The remote attestation component allows the device (or service) to convince the service (or device)
that the platform has an embedded trustworthy HSM and that its software configuration complies with
the requirements of the service (or device). Anonymous remote attestation can be used in some scenarios
to protect privacy. Usually, in a TPM case, remote attestation uses integrity measurement collectors
(IMCs) to collect and sign device (or service) e
...
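The three root-of-trust roles listed in 5.3 (measurement, storage, reporting), the chain of trust of 3.3.16 and the remote attestation flow sketched in 5.6, as an added example written for this page; it is not code from ISO/IEC 27071, ISO/IEC 11889 or any TPM implementation. SHA-256 extends stand in for TPM PCRs, an Ed25519 key from Go's standard library stands in for the identity key (IK) held in the HSM, and the service holds the device's IK public key registered at enrolment in place of a certificate; component names, images and the allow-list are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// digest is a SHA-256 value, the unit a PCR holds and an event log records.
type digest [sha256.Size]byte

// event is one entry of the integrity measurement log kept on the device by the
// integrity measurement collector (IMC): what was measured and its digest.
type event struct {
	Name   string
	Digest digest
}

// extend is the only write the root of trust for storage allows on a PCR:
// new = H(old || measurement). Both the content and the order of extends change the result.
func extend(p, m digest) digest {
	return sha256.Sum256(append(p[:], m[:]...))
}

// measureChain is the root of trust for measurement: each component is hashed
// before it runs and the PCR is extended, building the chain of trust.
func measureChain(components map[string][]byte, order []string) (digest, []event) {
	var p digest
	var log []event
	for _, name := range order {
		m := sha256.Sum256(components[name])
		log = append(log, event{Name: name, Digest: m})
		p = extend(p, m)
	}
	return p, log
}

// quote is what the root of trust for reporting produces: the PCR value and the
// verifier's nonce, signed with the device identity key (IK).
type quote struct {
	Nonce [16]byte
	PCR   digest
	Sig   []byte
}

// tbs returns the to-be-signed bytes, domain-separated from other uses of the IK.
func (q quote) tbs() []byte {
	msg := []byte("attest-v1|")
	msg = append(msg, q.Nonce[:]...)
	return append(msg, q.PCR[:]...)
}

func attest(ik ed25519.PrivateKey, nonce [16]byte, pcr digest) quote {
	q := quote{Nonce: nonce, PCR: pcr}
	q.Sig = ed25519.Sign(ik, q.tbs())
	return q
}

// verify is the integrity measurement verifier (IMV) on the service side: freshness,
// binding to the registered identity, log-to-PCR consistency, then policy.
func verify(q quote, nonce [16]byte, log []event, ikPub ed25519.PublicKey, allowed map[string]digest) error {
	if q.Nonce != nonce {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(ikPub, q.tbs(), q.Sig) {
		return errors.New("quote not signed by the registered device identity")
	}
	var p digest // replay the unsigned log; it must reproduce the signed PCR
	for _, e := range log {
		p = extend(p, e.Digest)
	}
	if p != q.PCR {
		return errors.New("event log does not reproduce the quoted PCR")
	}
	for _, e := range log { // every measured component must be an approved build
		if want, ok := allowed[e.Name]; !ok || want != e.Digest {
			return fmt.Errorf("component %q is not an approved build", e.Name)
		}
	}
	return nil
}

func main() {
	ikPub, ik, err := ed25519.GenerateKey(rand.Reader) // stands in for the HSM-held IK
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for firmware images and the service's allow-list.
	good := map[string][]byte{"bootloader": []byte("bl-1.0"), "kernel": []byte("k-5.4"), "app": []byte("app-2.1")}
	order := []string{"bootloader", "kernel", "app"}
	allowed := map[string]digest{}
	for name, image := range good {
		allowed[name] = sha256.Sum256(image)
	}
	fresh := func() (n [16]byte) { rand.Read(n[:]); return } // one nonce per attestation
	pcr, log := measureChain(good, order)
	n1 := fresh()
	fmt.Println("genuine device:", verify(attest(ik, n1, pcr), n1, log, ikPub, allowed))
	tampered := map[string][]byte{"bootloader": []byte("bl-1.0"), "kernel": []byte("k-5.4-backdoor"), "app": []byte("app-2.1")}
	pcr2, log2 := measureChain(tampered, order)
	n2 := fresh()
	fmt.Println("tampered kernel:", verify(attest(ik, n2, pcr2), n2, log2, ikPub, allowed))
}
```

The log is sent in the clear and is worthless on its own; what makes it trustworthy is that replaying it must land on the PCR value the device signed under the verifier's nonce. A real TPM quote also carries the PCR selection and clock information, and the IK would be certified back to the HSM manufacturer's endorsement credential, which this example omits.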
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27071
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2022-07-12
Voting terminates on: 2022-10-04
Cybersecurity — Security recommendations for establishing trusted connections between devices and services
ICS: 35.030
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/IEC DIS 27071:2022(E)
© ISO/IEC 2022
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 General
3.2 Terms relating to cloud computing
3.3 Terms relating to cloud computing roles and activities
3.4 Terms relating to security and privacy
3.5 Miscellaneous terms
4 Symbols and abbreviated terms
5 Framework and components for establishing a trusted connection
5.1 Overview
5.2 Hardware security module
5.3 Root of trust
5.4 Identity
5.5 Authentication and key establishment
5.6 Remote attestation
5.7 Data integrity and authenticity
5.8 Trusted user interface
6 Security recommendations for establishing a trusted connection
6.1 Hardware security module
6.2 Root of trust
6.3 Identity
6.4 Authentication and key establishment
6.5 Remote attestation
6.6 Data integrity and authenticity
6.7 Trusted user interface
Annex A (informative) Threats
Annex B (informative) Solutions for components of a trusted connection
Annex C (informative) Example for establishing a trusted connection
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27071 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information Security, cybersecurity and privacy protection.
Introduction
With the development of the Internet of Things (IoT), Mobile Services, Cloud Computing, Big Data and
Artificial Intelligence (AI), more and more scenarios require trusted connections between devices and
services.
Security channels (e.g. TLS/SSL) are used between devices and services to protect the confidentiality and
integrity of data, but on their own they are not enough. The service needs to distinguish data collected by sensors of the
authorised device from data of other devices or data forged by adversaries. So, it should be able to
ensure that the data comes from the authorised device.
Conversely, the device also needs to distinguish the genuine service from unintended services or
malicious services. So, it should be able to reliably identify the genuine and intended service, in
particular for cloud services, which may have thousands of such services running.
Identity without a reliable root of trust can be forged, so controls are required to ensure the utilisation
of reliable roots of trust (requirements for establishing reliable virtualized roots of trust as described
in ISO/IEC 27070:2021).
Mutual authentication between a device and a service is needed to prevent impersonation attacks.
While insufficient in itself, remote attestation between a device and a service is also needed to protect
the data handling processes and to establish a security channel to prevent interception by an adversary
on the communication network.
Data captured from sensors integrated in the device, input by users, or generated (or processed) by
algorithms in the device should have a label and be digitally signed (or by other crypto mechanisms)
using the device’s particular key designed for this purpose, to protect the integrity and authenticity
of the data. Services could know the parameters of the sensor device which can help the service with
the processing of the data. Trusted connections have a strong relationship with Hardware Security
Modules (HSM), Trusted Computing (TC), Public Key Infrastructure (PKI) and Certification Authority
(CA) technology and so on. Trusted connection issues can be broken down into several sub-categories
such as:
— Hardware security modules to establish the reliable root of trust
— Identity of devices and services issued by trusted parties
— Mutual authentication and key establishment between devices and services to establish a security
channel
— Mutual remote attestation (or environment assurance) between devices and services
— Data identity to keep the data integrity and authenticity over the long term
This document proposes security recommendations for establishing trusted connections between
devices and services, which would help the related organisations to set up HSM in devices (including
mobile devices, PCs, or IoT devices) and in the infrastructure of cloud services. This document can
help to build a trusted environment. This document can also help trusted third parties (CA) to issue
certificates to devices and services and help the applications to mitigate against attacks and identify
forged data from the sensors, etc.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27071:2022(E)
Cybersecurity — Security recommendations for
establishing trusted connections between devices and
services
1 Scope
This document provides a framework and recommendations for establishing trusted connections
between devices and services based on hardware security modules, including recommendations
for components such as: hardware security module, roots of trust, identity, authentication and key
establishment, remote attestation, data integrity and authenticity.
This document is applicable to establishing trusted connections between devices and services based on
hardware security modules.
This document does not address privacy concerns.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27070:2021, Information technology — Security techniques — Requirements for establishing
virtualized roots of trust
3 Terms and definitions
3.1 General
For the purposes of this document, the terms and definitions given in ISO/IEC 27070:2021 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp/
3.2 Terms relating to cloud computing
3.2.1
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual
resources with self-service provisioning and administration on-demand
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and
storage equipment.
[SOURCE: ISO/IEC 22123-1:2021, 3.2.1]
3.2.2
cloud service
one or more capabilities offered via cloud computing (3.2.1) invoked using a defined interface
[SOURCE: ISO/IEC 22123-1:2021, 3.2.2]
3.3 Terms relating to cloud computing roles and activities
3.3.1
party
natural person or legal person, whether or not incorporated, or a group of either that can assume one or
more roles
[SOURCE: ISO/IEC 22123-1:2021, 3.4.1]
3.3.2
cloud service customer
party (3.3.1) which is in a business relationship for the purpose of using cloud services (3.2.2)
Note 1 to entry: A business relationship does not necessarily imply financial agreements.
[SOURCE: ISO/IEC 22123-1:2021, 3.4.2]
3.3.3
cloud service provider
party (3.3.1) which makes cloud services (3.2.2) available
[SOURCE: ISO/IEC 22123-1:2021, 3.4.3]
3.3.4
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer (3.3.2) that
uses cloud services (3.2.2)
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 22123-1:2021, 3.4.4]
3.3.5
tenant
one or more cloud service users (3.3.4) sharing access to a set of physical and virtual resources
[SOURCE: ISO/IEC 22123-1:2021, 3.5.2]
3.4 Terms relating to security and privacy
3.4.1
availability
property of being accessible and usable upon demand by an authorized entity
[SOURCE: ISO/IEC 22123-1:2021, 3.14.7]
3.4.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO/IEC 22123-1:2021, 3.11.1]
3.4.3
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 22123-1:2021, 3.11.2]
3.4.4
information security
preservation of confidentiality (3.4.2), integrity (3.4.3) and availability (3.4.1) of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability
can also be involved.
[SOURCE: ISO/IEC 22123-1:2021, 3.11.3]
3.4.5
remote attestation
RA
process of evaluating integrity measurements generated using a root of trust (3.4.11) for measurement,
storage and reporting to establish trust in a platform remotely
[SOURCE: ISO/IEC 27070:2021]
3.4.6
hardware security module
HSM
tamper-resistant hardware module which safeguards and manages keys and provides cryptographic
functions
Note 1 to entry: Trusted module (3.4.7) is a specific kind of HSM.
3.4.7
trusted module
TM
module for trusted computing providing integrity measurement, integrity report, cryptographic
service, random number generation, secure storage functions and a set of platform configuration
registers
Note 1 to entry: There are several implementations of trusted module, such as TPM, TCM, etc.
[SOURCE: ISO/IEC 27070:2021]
3.4.8
trust anchor module
TAM
one (or more) hardware security modules (3.4.6) that acts as the roots of trust (3.4.11)
3.4.9
trusted user interface
TUI
device component with a user interface whose integrity and authenticity is managed by the trust
anchor module
3.4.10
identity key
IK
signing key used to authenticate and sign characteristics of the device (or service) environment (e.g.
a digest) in order to prevent forgery and protect the integrity of the device (or service) environment
characteristics
3.4.11
root of trust
RoT
component that needs to always behave in the expected manner because its misbehaviour cannot be
detected
Note 1 to entry: The complete set of roots of trust has at least the minimum set of functions to enable a description
of the platform characteristics that affect the trust of the platform.
[SOURCE: ISO/IEC 27070:2021]
3.4.12
physical root of trust
in this document, root of trust (3.4.11) refers to a physical root of trust (3.4.11)
3.4.13
virtualized root of trust
vRoT
security function component established based on the root of trust (3.4.11), which provides similar
function as the root of trust (3.4.11)
Note 1 to entry: In practical environments, there could be multiple virtualized roots of trust based on the single
root of trust (3.4.11) simultaneously
3.4.14
root of trust for measurement
computation engine that resets one or more platform configuration registers, makes the initial integrity
measurement, and extends it into a platform configuration register
Note 1 to entry: A root of trust (3.4.11) that collects device environment characteristics (e.g. firmware integrity
measurements) and puts them in a format suitable for attestation (e.g. TPM Platform Configuration Registers).
3.4.15
root of trust for storage
component of the root of trust (3.4.11) that provides storing confidential information and measured
values in shielded locations accessed using protected capabilities
3.4.16
root of trust for reporting
component of the root of trust (3.4.11) that reliably provides authenticity and nonrepudiation services
for the purposes of attesting to the origin and integrity of platform characteristics
Note 1 to entry: a root of trust (3.4.11) that uses the device’s (or service’s) identity key (3.4.10) to reliably provide
authenticity and nonrepudiation services for the purposes of attesting to the origin and integrity of device (or
service) environment characteristics.
3.4.17
secure element
SE
tamper-resistant platform capable of securely hosting applications and their confidential and
cryptographic data (for example cryptographic keys) in accordance with the rules and security
requirements set by well-identified trusted authorities
3.4.18
trusted computing
TC
technology that protects a computer so that it consistently behaves in expected ways
Note 1 to entry: Trusted computing is developed and promoted by the Trusted Computing Group (TCG).
3.4.19
trusted execution environment
TEE
execution environment that runs alongside but isolated from the device main operating system
3.4.20
trusted network connect
TNC
open architecture for network access control, promulgated by the Trusted Network Connect Work
Group (TNC-WG) of the TCG
3.4.21
chain of trust
extension of trust from a component (e.g. a root of trust) to another component accomplished through
the act of measurement and verification of the integrity and authenticity of the new component before
the system begins execution of the new component
Note 1 to entry: Such an act builds a chain of trust from the old component to the new component, which is now a
trusted component. The old component can be either a root of trust or a trusted component.
3.4.22
trusted environment
TE
execution mode where the process/mechanism/functionality is protected/launched by a ROT service
Note 1 to entry: TEE is a specific TE.
3.5 Miscellaneous terms
3.5.1
device
physical entity that communicates directly or indirectly with one or more cloud services (3.2.2)
[SOURCE: ISO/IEC 22123-1:2021, 3.14.4]
3.5.2
device holder
person who possesses and uses the device
Note 1 to entry: In some cases, the person who possesses and uses the mobile device is the device holder. But in the case
of IoT, most of the sensors (devices) may not have a corresponding device holder.
4 Symbols and abbreviated terms
CA Certification Authority (in a PKI)
CSP Cloud Service Providers
CPU Central Processing Unit
HSM Hardware Security Module
IK Identity Key
IMC Integrity Measurement Collectors
IMV Integrity Measurement Verifiers
OS Operating System
PCR Platform Configuration Register
PKI Public Key Infrastructure
RoT Root of Trust
REE Rich Execution Environment
RTM Root of Trust for Measurement
RTR Root of Trust for Reporting
RTS Root of Trust for Storage
SE Secure Element
TAM Trust Anchor Module
TC Trusted Computing
TCG Trusted Computing Group
TCM Trusted Cryptography Module
TE Trusted Environment
TEE Trusted Execution Environment
TM Trusted Module
TNC Trusted Network Connect
TPM Trusted Platform Module
vIK Virtual Identity Key
vRoT Virtualized Root of Trust
5 Framework and components for establishing a trusted connection
5.1 Overview
This clause provides an overview of the framework and components of a trusted connection between a
device and a service based on hardware security modules.
Security channels are used between devices and services to protect the confidentiality and integrity of
data, but on their own they are not enough. The service needs to distinguish data collected by sensors of the authorised
device from data of other devices or data forged by adversaries. So, it should be able to ensure that the data
comes from the authorised device. Conversely, the device also needs to distinguish the genuine service
from unintended services or malicious services. So, it should be able to reliably identify the genuine and
intended service, in particular for cloud services, which may have thousands of such services running.
For threats on a trusted connection, see Annex A. A trusted connection between a device and a service
provides the ability to protect the confidentiality, integrity and authenticity of data; provides the ability to
prevent identity spoofing by binding the identity of the device (or service) to a root of trust; and provides
the ability to ensure trusted processing of data by remote attestation or environment assurance.
Establishing a trusted connection between a device and a service faces risks from several involved
parties. Figure 1 describes the parties involved in establishing a trusted connection, including the identity
issuer (e.g. CA), HSM manufacturer, device manufacturer, system integrator, cloud service provider,
tenant, and device holder (which may not exist in some scenarios such as IoT).
The HSM manufacturer produces HSMs. The device manufacturer produces the device. The cloud service provider runs
the cloud service. The tenant possesses the service which has a trusted connection with the device. In some
scenarios, the tenant and the cloud service provider may be the same party. The device holder possesses and uses
the device (e.g. the holder of a mobile phone).
There are several scenarios to establish a trusted connection between a device and a service.
Figure 1 — Parties related in trusted connection
Note 1 to entry: Trusted connection components on the service side are omitted.
Figure 2 — Framework of a trusted connection for a device with TEE/SE and REE
Note 1 to entry: Trusted connection components on the service side are omitted.
Figure 3 — Framework of a trusted connection for a device with TE only
Figure 2 gives the framework of a trusted connection for a device with both TEE/SE and REE (such as
a mobile device). Applications that run in the TEE/SE environment and have a root of trust based on the TAM
can build a trusted connection to the service, and a trusted user interface (TUI) component is provided for
interaction between the user and the device.
Figure 3 gives the framework of a trusted connection for a device with a TE only (such as an IoT device).
In this case, the device may not need remote attestation to the service to build a trusted connection. To
establish a trusted connection between a device (with TE only) and a service, the remote attestation component
may not be required, and a user interface (or trusted user interface, TUI) may not exist.
Figure 4 — Components of a trusted connection
Figure 4 gives an overview of the components for a trusted connection.
Both the device and the service consist of multiple components. Each of these components performs a
specific task within the trusted connection framework. The components to build a trusted connection
are listed as follows:
— The HSM component safeguards and manages digital keys and provides cryptographic processing.
A trust anchor module (TAM) is an abstract component that contains one or more HSMs.
— The root of trust component is responsible for managing RoTs that are anchored in a specific HSM (e.g.
TPM/TCM, TEE/SE) of the TAM.
— The identity component manages the identity bound to the RoT. Trusted parties (including trusted third
parties) issue identities to RoTs bound to the device (or service).
— The remote attestation component is responsible for remote attestation between the device and the
service in a trusted connection. In some cases, if the device (or service) meets the corresponding
security requirements (e.g. ISO/IEC 19790:2012 level 3 or greater), the remote attestation component
on the device (or service) side is optional.
— The authentication and key establishment component is responsible for building a security channel
between the device and the service based on the RoT and IK.
— The data integrity and authenticity component is responsible for protecting the data integrity and
authenticity by the IK using cryptographic mechanisms. This component can also provide the non-
repudiation property.
— The TUI component is responsible for trusted interaction between the user and the device. In scenarios
that do not require trusted interaction, there is no TUI component.
For the solutions for each component in the framework, see Annex B. For an example of building a trusted connection
between a device and a service, see Annex C.
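As an added illustration of the remote attestation component, the root of trust for measurement (3.4.14) and the root of trust for reporting (3.4.16), the following Go program (example code written for this page, not part of ISO/IEC 27071 and not the interface of any TPM or TCM) simulates a device extending its boot-component measurements into a PCR, quoting that PCR under its identity key (IK) together with the service's nonce, and the service checking the quote against its reference values. The component names, nonce values and the quote message format are constructed for the example; in a real device the extend and the signing happen inside the trusted module.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// extendPCR models the root of trust for measurement (3.4.14): a PCR is never
// written directly, only extended, so a component cannot hide what ran before it.
func extendPCR(pcr, component []byte) []byte {
	m := sha256.Sum256(component)
	h := sha256.New()
	h.Write(pcr)
	h.Write(m[:])
	return h.Sum(nil)
}

// measureChain walks the chain of trust (3.4.21): every component is measured
// into the PCR before control passes to it. The PCR starts at all zeros.
func measureChain(components [][]byte) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		pcr = extendPCR(pcr, c)
	}
	return pcr
}

// Quote is what the root of trust for reporting (3.4.16) emits: the PCR value,
// the verifier's nonce and a signature by the device's identity key (IK, 3.4.10).
type Quote struct{ Nonce, PCR, Sig []byte }

// quoteMessage domain-separates quotes from other signatures made with the IK.
func quoteMessage(nonce, pcr []byte) []byte {
	return append(append([]byte("constructed-quote-v1|"), nonce...), pcr...)
}

func makeQuote(ik ed25519.PrivateKey, nonce, pcr []byte) Quote {
	return Quote{nonce, pcr, ed25519.Sign(ik, quoteMessage(nonce, pcr))}
}

// verifyQuote is the service side. ikPub must be the public half of the identity
// issued to the device's RoT by the identity issuer (clause 5.1); the nonce check
// rejects replay of a quote captured while the device was still in a good state.
func verifyQuote(ikPub ed25519.PublicKey, sentNonce, expectedPCR []byte, q Quote) bool {
	if !bytes.Equal(q.Nonce, sentNonce) || !bytes.Equal(q.PCR, expectedPCR) {
		return false
	}
	return ed25519.Verify(ikPub, quoteMessage(q.Nonce, q.PCR), q.Sig)
}

func main() {
	ikPub, ik, _ := ed25519.GenerateKey(rand.Reader) // constructed device IK
	good := [][]byte{[]byte("bootloader v1"), []byte("kernel 5.10"), []byte("sensor-app 2.3")}
	nonce := []byte("constructed-nonce-0001") // the service draws this fresh per attestation
	expected := measureChain(good)            // reference values held by the service
	fmt.Println("genuine device:", verifyQuote(ikPub, nonce, expected, makeQuote(ik, nonce, expected)))
	modified := [][]byte{good[0], []byte("kernel 5.10 (modified)"), good[2]}
	fmt.Println("modified device:", verifyQuote(ikPub, nonce, expected, makeQuote(ik, nonce, measureChain(modified))))
	fmt.Println("replayed quote:", verifyQuote(ikPub, []byte("constructed-nonce-0002"), expected, makeQuote(ik, nonce, expected)))
}
```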
5.2 Hardwar
...