Cybersecurity — Security recommendations for establishing trusted connections between devices and services

General Information

Status: Not Published
Current Stage: 5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date: 07-Apr-2023
Completion Date: 07-Apr-2023

Draft: ISO/IEC FDIS 27071 - Cybersecurity — Security recommendations for establishing trusted connections between devices and services. Released: 5/17/2022. English language, 24 pages.

Standards Content (Sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27071
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2022-07-12
Voting terminates on: 2022-10-04

Cybersecurity — Security recommendations for establishing trusted connections between devices and services

ICS: 35.030
Reference number: ISO/IEC DIS 27071:2022(E)

This document is circulated as received from the committee secretariat.

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

© ISO/IEC 2022

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
  3.1 General
  3.2 Terms relating to cloud computing
  3.3 Terms relating to cloud computing roles and activities
  3.4 Terms relating to security and privacy
  3.5 Miscellaneous terms
4 Symbols and abbreviated terms
5 Framework and components for establishing a trusted connection
  5.1 Overview
  5.2 Hardware security module
  5.3 Root of trust
  5.4 Identity
  5.5 Authentication and key establishment
  5.6 Remote attestation
  5.7 Data integrity and authenticity
  5.8 Trusted user interface
6 Security recommendations for establishing a trusted connection
  6.1 Hardware security module
  6.2 Root of trust
  6.3 Identity
  6.4 Authentication and key establishment
  6.5 Remote attestation
  6.6 Data integrity and authenticity
  6.7 Trusted user interface
Annex A (informative) Threats
Annex B (informative) Solutions for components of a trusted connection
Annex C (informative) Example for establishing a trusted connection
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27071 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

Introduction

With the development of the Internet of Things (IoT), mobile services, cloud computing, big data and artificial intelligence (AI), more and more scenarios require trusted connections between devices and services.

Secure channels (e.g. TLS/SSL) are used between devices and services to protect the confidentiality and integrity of data in transit, but this is not enough. The service needs to distinguish data collected by the sensors of an authorised device from data sent by other devices or forged by adversaries, so it should be able to ensure that the data comes from the authorised device.

Conversely, the device needs to distinguish the genuine service from unintended or malicious services, so it should be able to reliably identify the genuine and intended service. This is particularly important for cloud services, where thousands of such services may be running.

An identity without a reliable root of trust can be forged, so controls are required to ensure the use of reliable roots of trust (requirements for establishing reliable virtualized roots of trust are given in ISO/IEC 27070:2021).

Mutual authentication between a device and a service is needed to prevent impersonation attacks. While insufficient in itself, remote attestation between a device and a service is also needed to protect the data handling processes and to establish a secure channel that prevents interception by an adversary on the communication network.

Data captured from sensors integrated in the device, input by users, or generated (or processed) by algorithms in the device should carry a label and be digitally signed (or protected by another cryptographic mechanism) using a device key dedicated to this purpose, to protect the integrity and authenticity of the data. Services can also know the parameters of the sensor device, which helps the service process the data. Trusted connections are closely related to Hardware Security Modules (HSM), Trusted Computing (TC), Public Key Infrastructure (PKI) and Certification Authority (CA) technology. Trusted connection issues can be broken down into several sub-categories such as:

— hardware security modules to establish a reliable root of trust;
— identities of devices and services issued by trusted parties;
— mutual authentication and key establishment between devices and services to establish a secure channel;
— mutual remote attestation (or environment assurance) between devices and services;
— data identity, to preserve data integrity and authenticity over the long term.
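
The labelling and signing requirement above can be made concrete. The following is an added example written for this page; it is not part of ISO/IEC 27071 and not any vendor's implementation. It models the device identity key (IK) as an Ed25519 key pair and a service that enrols the public IK issued for each authorised device, then shows what the service can and cannot tell apart. The record fields (DeviceID, Sensor, Seq, Value), the canonical encoding, the sample readings, the identifiers and the error names are all assumptions of the example; on a real device the private IK would be generated inside the HSM and never exported.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a labelled sample: the label (DeviceID, Sensor, Seq) and the Value are
// signed together, so neither can be altered or swapped without breaking the signature.
type Record struct {
	DeviceID string // identity issued to the device's RoT
	Sensor   string // label the service uses to interpret Value, e.g. "temp"
	Seq      uint64 // monotonic counter so the service can reject replays
	Value    []byte // raw sample bytes as produced by the sensor
}

// canonical serialises the record unambiguously (length-prefixed strings, decimal
// counter, hex value) so that no two distinct records sign the same bytes.
func (r Record) canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%x", len(r.DeviceID), r.DeviceID, len(r.Sensor), r.Sensor, r.Seq, r.Value))
}

// Device holds the identity key (IK). On real hardware the private half is generated
// inside the HSM/TAM and never leaves it; here it is a plain variable.
type Device struct {
	ID  string
	ik  ed25519.PrivateKey
	seq uint64
}

func NewDevice(id string) *Device {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{ID: id, ik: priv}
}

// PublicIK is the key the identity issuer (CA) certifies and the service enrols.
func (d *Device) PublicIK() ed25519.PublicKey { return d.ik.Public().(ed25519.PublicKey) }

// Sign labels one sample and signs the whole record with the device IK.
func (d *Device) Sign(sensor string, value []byte) (Record, []byte) {
	d.seq++
	rec := Record{DeviceID: d.ID, Sensor: sensor, Seq: d.seq, Value: value}
	return rec, ed25519.Sign(d.ik, rec.canonical())
}

// Service keeps the IKs of authorised devices (as enrolled from the trusted identity
// issuer) and the highest sequence number accepted from each.
type Service struct {
	authorised map[string]ed25519.PublicKey
	lastSeq    map[string]uint64
}

func NewService() *Service {
	return &Service{authorised: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

func (s *Service) Enrol(id string, pub ed25519.PublicKey) { s.authorised[id] = pub }

var (
	ErrUnknownDevice = errors.New("device not authorised")
	ErrBadSignature  = errors.New("signature invalid: forged, tampered or relabelled")
	ErrReplay        = errors.New("sequence number not newer than last accepted")
)

// Accept checks origin (signature under the enrolled IK), integrity (any change to
// label or value breaks the signature) and freshness (Seq must increase).
func (s *Service) Accept(rec Record, sig []byte) error {
	pub, ok := s.authorised[rec.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, rec.canonical(), sig) {
		return ErrBadSignature
	}
	if rec.Seq <= s.lastSeq[rec.DeviceID] {
		return ErrReplay
	}
	s.lastSeq[rec.DeviceID] = rec.Seq
	return nil
}

func main() {
	dev, svc := NewDevice("sensor-0001"), NewService()
	svc.Enrol(dev.ID, dev.PublicIK())
	rec, sig := dev.Sign("temp", []byte{0x01, 0x9a}) // constructed sample reading
	fmt.Println("genuine:", svc.Accept(rec, sig))
	fmt.Println("replay:", svc.Accept(rec, sig))
	forged := rec // adversary alters the reading and bumps the counter, keeping the old signature
	forged.Value, forged.Seq = []byte{0x02, 0x00}, rec.Seq+1
	fmt.Println("tampered:", svc.Accept(forged, sig))
	rec2, sig2 := NewDevice("sensor-0001").Sign("temp", []byte{0x01}) // impostor: same ID, its own key
	fmt.Println("impostor:", svc.Accept(rec2, sig2))
}
```

Run with go run: the genuine record is accepted and the replayed, tampered and impostor records each fail with a distinct error. Two details matter in practice: the sequence number gives the replay protection that a signature alone cannot, and the length-prefixed encoding stops an adversary from moving bytes between the label and the value while the signature stays valid.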

This document proposes security recommendations for establishing trusted connections between devices and services, which can help the organisations involved to deploy HSMs in devices (including mobile devices, PCs and IoT devices) and in the infrastructure of cloud services, and so to build a trusted environment. This document can also help trusted third parties (CAs) to issue certificates to devices and services, and help applications to mitigate attacks and to identify forged sensor data.

Cybersecurity — Security recommendations for establishing trusted connections between devices and services

1 Scope

This document provides a framework and recommendations for establishing trusted connections between devices and services based on hardware security modules, including recommendations for components such as: hardware security module, roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity.

This document is applicable to establishing trusted connections between devices and services based on hardware security modules.

This document does not address privacy concerns.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27070:2021, Information technology — Security techniques — Requirements for establishing virtualized roots of trust

3 Terms and definitions

3.1 General

For the purposes of this document, the terms and definitions given in ISO/IEC 27070:2021 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp/

3.2 Terms relating to cloud computing

3.2.1
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand

Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.

[SOURCE: ISO/IEC 22123-1:2021, 3.2.1]

3.2.2
cloud service
one or more capabilities offered via cloud computing (3.2.1) invoked using a defined interface

[SOURCE: ISO/IEC 22123-1:2021, 3.2.2]

3.3 Terms relating to cloud computing roles and activities

3.3.1
party
natural person or legal person, whether or not incorporated, or a group of either that can assume one or more roles

[SOURCE: ISO/IEC 22123-1:2021, 3.4.1]

3.3.2
cloud service customer
party (3.3.1) which is in a business relationship for the purpose of using cloud services (3.2.2)

Note 1 to entry: A business relationship does not necessarily imply financial agreements.

[SOURCE: ISO/IEC 22123-1:2021, 3.4.2]

3.3.3
cloud service provider
party (3.3.1) which makes cloud services (3.2.2) available

[SOURCE: ISO/IEC 22123-1:2021, 3.4.3]

3.3.4
cloud service user
natural person, or entity acting on their behalf, associated with a cloud service customer (3.3.2) that uses cloud services (3.2.2)

Note 1 to entry: Examples of such entities include devices and applications.

[SOURCE: ISO/IEC 22123-1:2021, 3.4.4]

3.3.5
tenant
one or more cloud service users (3.3.4) sharing access to a set of physical and virtual resources

[SOURCE: ISO/IEC 22123-1:2021, 3.5.2]

3.4 Terms relating to security and privacy

3.4.1
availability
property of being accessible and usable upon demand by an authorized entity

[SOURCE: ISO/IEC 22123-1:2021, 3.14.7]

3.4.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes

[SOURCE: ISO/IEC 22123-1:2021, 3.11.1]

3.4.3
integrity
property of accuracy and completeness

[SOURCE: ISO/IEC 22123-1:2021, 3.11.2]

3.4.4
information security
preservation of confidentiality (3.4.2), integrity (3.4.3) and availability (3.4.1) of information

Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

[SOURCE: ISO/IEC 22123-1:2021, 3.11.3]

3.4.5
remote attestation
process of evaluating integrity measurements generated using a root of trust (3.4.11) for measurement, storage and reporting to establish trust in a platform remotely

[SOURCE: ISO/IEC 27070:2021]

3.4.6
hardware security module
HSM
tamper-resistant hardware module which safeguards and manages keys and provides cryptographic functions

Note 1 to entry: A trusted module (3.4.7) is a specific kind of HSM.

3.4.7
trusted module
module for trusted computing providing integrity measurement, integrity report, cryptographic service, random number generation, secure storage functions and a set of platform configuration registers

Note 1 to entry: There are several implementations of trusted module, such as TPM, TCM, etc.

[SOURCE: ISO/IEC 27070:2021]

3.4.8
trust anchor module
TAM
one (or more) hardware security modules (3.4.6) that act as the roots of trust (3.4.11)

3.4.9
trusted user interface
TUI
device component with a user interface whose integrity and authenticity are managed by the trust anchor module (3.4.8)

3.4.10
identity key
signing key used to authenticate, and to sign characteristics of, the device (or service) environment (e.g. a digest) in order to prevent forgery and protect the integrity of the device (or service) environment characteristics

3.4.11
root of trust
RoT
component that needs to always behave in the expected manner because its misbehaviour cannot be detected

Note 1 to entry: The complete set of roots of trust has at least the minimum set of functions to enable a description of the platform characteristics that affect the trust of the platform.

[SOURCE: ISO/IEC 27070:2021]

3.4.12
physical root of trust
in this document, root of trust (3.4.11) refers to a physical root of trust

3.4.13
virtualized root of trust
vRoT
security function component established based on the root of trust (3.4.11), which provides similar functions to the root of trust (3.4.11)

Note 1 to entry: In practical environments, there can be multiple virtualized roots of trust based on a single root of trust (3.4.11) simultaneously.

3.4.14
root of trust for measurement
computation engine that resets one or more platform configuration registers, makes the initial integrity measurement, and extends it into a platform configuration register

Note 1 to entry: A root of trust (3.4.11) that collects device environment characteristics (e.g. firmware integrity measurements) and puts them in a format suitable for attestation (e.g. TPM Platform Configuration Registers).

3.4.15
root of trust for storage
component of the root of trust (3.4.11) that provides storage of confidential information and measured values in shielded locations accessed using protected capabilities

3.4.16
root of trust for reporting
component of the root of trust (3.4.11) that reliably provides authenticity and non-repudiation services for the purposes of attesting to the origin and integrity of platform characteristics

Note 1 to entry: A root of trust (3.4.11) that uses the device's (or service's) identity key (3.4.10) to reliably provide authenticity and non-repudiation services for the purposes of attesting to the origin and integrity of device (or service) environment characteristics.

3.4.17
secure element
tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data (for example cryptographic keys) in accordance with the rules and security requirements set by well-identified trusted authorities

3.4.18
trusted computing
technology that makes a computer consistently behave in expected ways

Note 1 to entry: Trusted computing is developed and promoted by the Trusted Computing Group (TCG).

3.4.19
trusted execution environment
TEE
execution environment that runs alongside but isolated from the device's main operating system

3.4.20
trusted network connect
TNC
open architecture for network access control, promulgated by the Trusted Network Connect Work Group (TNC-WG) of the TCG

3.4.21
chain of trust
extension of trust from a component (e.g. a root of trust) to another component accomplished through the act of measurement and verification of the integrity and authenticity of the new component before the system begins execution of the new component

Note 1 to entry: Such an act builds a chain of trust from the old component to the new component, which is now a trusted component. The old component can be either a root of trust or a trusted component.

3.4.22
trusted environment
TE
execution mode where the process, mechanism or functionality is protected or launched by a RoT service

Note 1 to entry: A TEE is a specific TE.

3.5 Miscellaneous terms

3.5.1
device
physical entity that communicates directly or indirectly with one or more cloud services (3.2.2)

[SOURCE: ISO/IEC 22123-1:2021, 3.14.4]

3.5.2
device holder
person who possesses and uses the device

Note 1 to entry: In some cases, the person who possesses and uses a mobile device is the device holder. In IoT scenarios, most sensors (devices) may not have a corresponding device holder.

4 Symbols and abbreviated terms

CA Certification Authority (in a PKI)
CSP Cloud Service Provider
CPU Central Processing Unit
HSM Hardware Security Module
IK Identity Key
IMC Integrity Measurement Collector
IMV Integrity Measurement Verifier
OS Operating System
PCR Platform Configuration Register
PKI Public Key Infrastructure
RoT Root of Trust
REE Rich Execution Environment
RTM Root of Trust for Measurement
RTR Root of Trust for Reporting
RTS Root of Trust for Storage
SE Secure Element
TAM Trust Anchor Module
TC Trusted Computing
TCG Trusted Computing Group
TCM Trusted Cryptography Module
TE Trusted Environment
TEE Trusted Execution Environment
TM Trusted Module
TNC Trusted Network Connect
TPM Trusted Platform Module
vIK Virtual Identity Key
vRoT Virtualized Root of Trust
5 Framework and components for establishing a trusted connection

5.1 Overview

This clause provides an overview of the framework and components of a trusted connection between a device and a service based on hardware security modules.

Secure channels are used between devices and services to protect the confidentiality and integrity of data, but this is not enough. The service needs to distinguish data collected by the sensors of an authorised device from data sent by other devices or forged by adversaries, so it should be able to ensure that the data comes from the authorised device. Conversely, the device needs to distinguish the genuine service from unintended or malicious services, so it should be able to reliably identify the genuine and intended service, in particular for cloud services, where thousands of such services may be running.

Threats to a trusted connection are described in Annex A. A trusted connection between a device and a service provides the ability to protect the confidentiality, integrity and authenticity of data; to prevent identity spoofing by binding the identity of the device (or service) to a root of trust; and to ensure trusted processing of data by remote attestation or environment assurance.

Establishing a trusted connection between a device and a service is exposed to risks from several involved parties. Figure 1 shows the parties involved in establishing a trusted connection: the identity issuer (e.g. a CA), the HSM manufacturer, the device manufacturer, the system integrator, the cloud service provider, the tenant, and the device holder (who may not exist in some scenarios, such as IoT).

The HSM manufacturer produces HSMs. The device manufacturer produces the device. The cloud service provider runs the cloud service. The tenant possesses the service which has a trusted connection with the device; in some scenarios the tenant and the cloud service provider are the same party. The device holder possesses and uses the device (e.g. the holder of a mobile phone).

There are several scenarios for establishing a trusted connection between a device and a service.

Figure 1 — Parties related in trusted connection

Figure 2 — Framework of a trusted connection for a device with TEE/SE and REE
NOTE Trusted connection components on the service side are omitted.

Figure 3 — Framework of a trusted connection for a device with TE only
NOTE Trusted connection components on the service side are omitted.

Figure 2 gives the framework of a trusted connection for a device with both TEE/SE and REE (such as a mobile device). Applications that run in the TEE/SE environment and have a root of trust based on the TAM can build a trusted connection to the service, and a trusted user interface (TUI) component is provided for interaction between the user and the device.

Figure 3 gives the framework of a trusted connection for a device with a TE only (such as an IoT device). In this case the device may not need remote attestation to the service to build a trusted connection: the remote attestation component may not be required, and a user interface (or trusted user interface, TUI) may not exist.

Figure 4 — Components of a trusted connection

Figure 4 gives an overview of the components of a trusted connection.

Both the device and the service consist of multiple components. Each of these components performs a specific task within the trusted connection framework. The components needed to build a trusted connection are as follows:

— The HSM component safeguards and manages digital keys and provides cryptographic processing. A trust anchor module (TAM) is an abstract component that contains one or more HSMs.

— The root of trust component manages the RoTs anchored in a specific HSM (e.g. TPM/TCM, TEE/SE) of the TAM.

— The identity component manages the identity bound to the RoT. Trusted parties (including trusted third parties) issue identities to RoTs bound to the device (or service).

— The remote attestation component is responsible for remote attestation between the device and the service in a trusted connection. In some cases, if the device (or service) meets the corresponding security requirements (e.g. ISO/IEC 19790:2012 level 3 or greater), the remote attestation component on the device (or service) side is optional.

— The authentication and key establishment component is responsible for building a secure channel between the device and the service based on the RoT and the IK.

— The data integrity and authenticity component is responsible for protecting the integrity and authenticity of data with the IK using cryptographic mechanisms. This component can also provide the non-repudiation property.

— The TUI component is responsible for trusted interaction between the user and the device. In scenarios that do not require trusted interaction, there is no TUI component.
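
The root of trust for measurement defined in 3.4.14, the remote attestation component and the mutual authentication between device and service listed above can be exercised together in one short program. The following is an added example written for this page; it is not code from ISO/IEC 27071 and not any TPM or TEE vendor's implementation. It simulates a single PCR with SHA-256, signs attestation quotes with an Ed25519 key standing in for the device IK, and lets the service prove its own identity to the device with a service IK, so both halves of the mutual check are visible. The component images, identities, nonce size, field names and error names are assumptions of the example; the private IKs are plain variables here, where in hardware they stay inside the HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PCR is a TPM-style platform configuration register: only ever reset or extended, never written.
// MeasureAll resets one and extends each component into it in order (3.4.14: new = H(old || H(c)));
// the device RTM does this before each boot component runs (chain of trust, 3.4.21), and the
// verifier does the same over the known-good images to obtain the reference value it will accept.
type PCR [sha256.Size]byte
func MeasureAll(components [][]byte) PCR {
	var p PCR // a reset PCR is all zeros
	for _, c := range components {
		d := sha256.Sum256(c)
		p = sha256.Sum256(append(p[:], d[:]...))
	}
	return p
}

// Device models a TAM: RTM (measures), RTS (the PCR) and RTR (quotes signed with the identity key,
// IK). The private IK is a plain variable here; in hardware it is generated in and never leaves the HSM.
type Device struct {
	ID  string
	Pub ed25519.PublicKey // the key the identity issuer certifies and the service enrols
	ik  ed25519.PrivateKey
	pcr PCR
}

func NewDevice(id string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{ID: id, Pub: pub, ik: priv}
}

// Quote signs the verifier's fresh nonce with the current PCR, so an old quote cannot be replayed.
func (d *Device) Quote(nonce []byte) (PCR, []byte) {
	return d.pcr, ed25519.Sign(d.ik, append(append([]byte{}, nonce...), d.pcr[:]...))
}

// Service has its own IK (so the device can recognise it), enrolled device IKs and a reference PCR.
type Service struct {
	ID        string
	Pub       ed25519.PublicKey
	ik        ed25519.PrivateKey
	Devices   map[string]ed25519.PublicKey // enrolled device IKs, keyed by device identity
	reference PCR
}

func NewService(id string, ref PCR) *Service {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Service{ID: id, Pub: pub, ik: priv, Devices: map[string]ed25519.PublicKey{}, reference: ref}
}

var ErrUnknownDevice = errors.New("device IK not enrolled")
var ErrBadQuote = errors.New("quote signature invalid for this nonce and PCR")
var ErrUntrustedPCR = errors.New("PCR differs from reference: unexpected software state")

// Appraise checks origin (signature under the enrolled IK), freshness (our nonce) and state (PCR).
func (s *Service) Appraise(deviceID string, nonce []byte, pcr PCR, sig []byte) error {
	pub, ok := s.Devices[deviceID]
	switch {
	case !ok:
		return ErrUnknownDevice
	case !ed25519.Verify(pub, append(append([]byte{}, nonce...), pcr[:]...), sig):
		return ErrBadQuote
	case pcr != s.reference:
		return ErrUntrustedPCR
	}
	return nil
}

// Prove and VerifyService are the service's half of mutual authentication: the service signs the
// device's nonce under its identity; the device checks it with the service IK it was provisioned with.
func (s *Service) Prove(deviceNonce []byte) []byte {
	return ed25519.Sign(s.ik, append([]byte(s.ID), deviceNonce...))
}
func VerifyService(pub ed25519.PublicKey, serviceID string, deviceNonce, proof []byte) bool {
	return ed25519.Verify(pub, append([]byte(serviceID), deviceNonce...), proof)
}
func nonce() []byte { n := make([]byte, 16); rand.Read(n); return n }

func main() {
	good := [][]byte{[]byte("bootloader-v2"), []byte("kernel-5.10"), []byte("app-1.4")} // constructed images
	svc, dev := NewService("svc.example", MeasureAll(good)), NewDevice("gw-01")
	svc.Devices[dev.ID] = dev.Pub
	dn := nonce() // the device challenges the service first, then the service challenges the device
	fmt.Println("service genuine:", VerifyService(svc.Pub, svc.ID, dn, svc.Prove(dn)))
	dev.pcr = MeasureAll(good) // the device RTM measures its boot components
	n, n2 := nonce(), nonce()
	pcr, sig := dev.Quote(n)
	fmt.Println("good boot:", svc.Appraise(dev.ID, n, pcr, sig))
	dev.pcr = MeasureAll([][]byte{good[0], []byte("kernel-5.10-backdoored"), good[2]}) // tampered firmware
	pcr2, sig2 := dev.Quote(n2)
	fmt.Println("tampered boot:", svc.Appraise(dev.ID, n2, pcr2, sig2))
}
```

Appraisal fails closed: an unenrolled device, a signature over a different nonce (a replayed quote) and a PCR that does not match the reference are all rejected before any data from the device is trusted. Because extend is order-sensitive, the reference value has to be computed over the exact boot sequence, not merely the set of components, which is also why a verifier normally keeps the measurement log alongside the final PCR value.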

Solutions for each component in the framework are given in Annex B. An example of building a trusted connection between a device and a service is given in Annex C.
5.2 Hardwar
...
