Secure storage units - Classification for high security locks according to their resistance to unauthorized opening - Distributed systems

This European Standard specifies requirements and testing procedures for high security locks used in distributed systems, which are mainly used in secure storage units. A distributed system, as per the definition of this European Standard, is a system with components connected by a transmission system, wired or wireless. Also, a token represents a distributed system as of a transmission distance of 15 cm or more.
The present standard responded to the state of the art requirements for distributed systems when it was written down.
However it is mandatory that the standard has to be revised with a relatively high frequency of 3 years or less, as the research in the area of cryptography and relevant attacks evolve with high speed as well as the referenced standards. As the general regulations of EN 1300 don’t require such a high frequency of updating, it is recommended to separate the standards.

Wertbehältnisse - Klassifizierung von Hochsicherheitsschlössern nach ihrem Widerstandswert gegen unbefugtes Öffnen - Verteilte Systeme

Dieses Dokument gilt für verteilte Systeme (VS), d.h. für Hochsicherheitsschlösser mit Komponenten, die über ein drahtgebundenes oder drahtloses Übertragungssystem verbunden sind, um festgelegte Bedienvorgänge unter Nutzung unterschiedlicher, individuell festgelegter Zugriffsmöglichkeiten auszuführen.
Produkte, die auf Basis dieses Dokuments geprüft werden, entsprechen dem zum Zeitpunkt der Prüfung allgemein anerkannten Stand der Technik. Aufgrund der kurzen Innovationszyklen im Bereich elektronischer und insbesondere informationstechnischer Anwendungen werden auch die zum Zeitpunkt der Produktentwicklung aktuellen technischen Möglichkeiten bei der Realisierung berücksichtigt.
Verteilte Systeme können u.a. zur Betätigung von Hochsicherheitsschlössern (HSS) von Wertbehältnissen (Wertschutzschränke und Wertschutzräume) eingesetzt werden.
Hochsicherheitsschlösser (HSS) werden in einem VS als Sperreinheit eingesetzt.
Dieses Dokument gilt nicht für autonom betriebene HSS, die nicht Teil eines verteilten Systems sind. Für diese autonomen HSS ist nur die EN 1300 anwendbar.
Da sich sowohl die Forschung im Bereich der Kryptographie und relevanter Angriffe als auch in Bezug genommene Normen sehr schnell entwickeln, erfolgt eine Überarbeitung dieser Norm alle drei Jahre.

Unités de stockage en lieu sûr - Classification des serrures haute sécurité en fonction de leur résistance à l'effraction - Systèmes répartis

Le présent document s'applique aux Systèmes répartis (DS), c'est-à-dire aux serrures haute sécurité dont les composants possèdent une connexion filaire ou non filaire via un système de transmission afin d'exécuter des états exploitables fixes en utilisant différentes possibilités d'accès fixées individuellement.
Les produits qui sont destinés à être soumis à l'essai sur la base du présent document sont conformes à l'état de l'art généralement reconnu au moment de l'essai. En raison de la brièveté des cycles d'innovation dans le domaine des applications électroniques et, plus particulièrement, des technologies de l'information, les possibilités techniques disponibles au moment du développement du produit sont également prises en compte lors de la mise en oeuvre.
Les Systèmes répartis peuvent être utilisés, par exemple, pour actionner des serrures haute sécurité d'unités de stockage en lieu sûr (coffres-forts et chambres fortes).
Les Serrures haute sécurité (HSL) sont utilisées dans les DS en tant qu'unité de verrouillage.
Le présent document ne s'applique pas aux HSL autonomes, qui ne font pas partie d'un système réparti. Pour ces HSL autonomes, seule l'EN 1300 s'applique.
La présente norme sera révisée tous les 3 ans, car la recherche dans le domaine de la cryptographie et les effractions correspondantes évoluent très rapidement, ainsi que les normes de référence.

Varnostne shranjevalne enote - Klasifikacija visoko varnostnih ključavnic po odpornosti proti nepooblaščenemu odpiranju - Porazdeljeni sistemi

Ta evropski standard določa zahteve in preskusne postopke za visoko varnostne ključavnice v porazdeljenih sistemih, ki se uporabljajo zlasti v varnostnih shranjevalnih enotah. Porazdeljeni sistem je v skladu z opredelitvijo v tem evropskem standardu sistem, katerega elementi so povezani prek žičnega ali brezžičnega prenosnega sistema. Poleg tega žeton predstavlja porazdeljeni sistem s prenosno razdaljo 15 cm ali več.
Pri pripravi tega standarda so se upoštevale najnovejše zahteve za porazdeljene sisteme.
Ta standard, pa tudi standarde, na katere se sklicuje, je treba kljub temu posodabljati razmeroma pogosto oziroma vsaj vsake 3 leta, saj raziskave na področju kriptografije in zadevni napadi napredujejo zelo hitro. Ker splošni predpisi iz standarda EN 1300 ne zahtevajo tako pogostega posodabljanja, naj se standardi ločijo.

General Information

Status
Published
Public Enquiry End Date
19-May-2021
Publication Date
08-Sep-2022
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
22-Aug-2022
Due Date
27-Oct-2022
Completion Date
09-Sep-2022

Buy Standard

Standard
EN 17646:2022
English language
28 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN 17646:2021
English language
27 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN 17646:2022
01-oktober-2022
Varnostne shranjevalne enote - Klasifikacija visoko varnostnih ključavnic po
odpornosti proti nepooblaščenemu odpiranju - Porazdeljeni sistemi
Secure storage units - Classification for high security locks according to their resistance
to unauthorized opening - Distributed systems
Wertbehältnisse - Klassifizierung von Hochsicherheitsschlössern nach ihrem
Widerstandswert gegen unbefugtes Öffnen - Verteilte Systeme
Unités de stockage en lieu sûr - Classification des serrures haute sécurité en fonction de
leur résistance à l'effraction - Systèmes répartis
Ta slovenski standard je istoveten z: EN 17646:2022
ICS:
13.310 Varstvo pred kriminalom Protection against crime
SIST EN 17646:2022 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN 17646:2022

---------------------- Page: 2 ----------------------
SIST EN 17646:2022


EN 17646
EUROPEAN STANDARD

NORME EUROPÉENNE

August 2022
EUROPÄISCHE NORM
ICS 13.310
English Version

Secure storage units - Classification for high security locks
according to their resistance to unauthorized opening -
Distributed systems
Unités de stockage en lieu sûr - Classification des Wertbehältnisse - Klassifizierung von
serrures haute sécurité en fonction de leur résistance à Hochsicherheitsschlössern nach ihrem
l'effraction - Systèmes répartis Widerstandswert gegen unbefugtes Öffnen - Verteilte
Systeme
This European Standard was approved by CEN on 27 June 2022.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN 17646:2022 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
Contents Page
European foreword . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Symbols and abbreviations . 8
5 Classification. 8
6 Requirements . 8
6.1 General. 8
6.1.1 General. 8
6.1.2 Construction . 9
6.2 System administration . 10
6.2.1 Administrative procedures . 10
6.2.2 Confirmation of remotely initiated security relevant operating procedures . 10
6.2.3 Information processing system as central operation/administration instance . 11
6.2.4 Authentication of components . 11
6.2.5 Software and firmware . 11
6.2.6 Administration interfaces. 13
6.2.7 Authentication of users. 13
6.2.8 Indication of the blocking status . 14
6.2.9 Recording events . 15
6.2.10 Data traffic in the secured state . 17
6.2.11 Detection of manipulations . 17
6.2.12 Indication of blocking times . 17
6.2.13 Resistance to spying . 17
6.3 Information security . 19
6.3.1 General protection aims . 19
6.3.2 Requirements on cryptography . 19
6.3.3 Other information security measures . 22
6.4 Security requirements . 22
6.4.1 Negative impact by power supply . 22
6.4.2 Resistance against electrical and electromagnetic influences . 22
6.4.3 Resistance against physical environmental influences . 23
6.4.4 Temperature resistance . 23
6.4.5 Reliability . 23
6.5 Extraneous components . 23
6.5.1 Use of extraneous components . 23
6.5.2 Additional components . 23
7 Technical documentation . 23
7.1 General. 23
7.2 Required technical documentation . 23
7.3 Operating instruction . 25
8 Test samples . 26
9 Marking . 26
2

---------------------- Page: 4 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
Annex A (normative) Determination of burglary resistance due to design requirements . 27
A.1 General . 27
A.2 Electronic HSL as a part of a distributed system . 27
Bibliography . 28

3

---------------------- Page: 5 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
European foreword
This document (EN 17646:2022) has been prepared by Technical Committee CEN/TC 263 “Secure
storage of cash, valuables and data media”, the secretariat of which is held by BSI.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2023, and conflicting national standards shall
be withdrawn at the latest by February 2023.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
4

---------------------- Page: 6 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
1 Scope
This document is applicable to Distributed Systems (DS), i.e. high security locks with components which
have a wired or wireless connection via a transmission system in order to execute fixed operating
conditions using different individually fixed access possibilities.
Products which are to be tested on the basis of this document comply with the generally recognized state
of the art at the time of testing. Due to the short innovation cycles in the field of electronic and, in
particular, information technology applications, the technical possibilities available at the time of product
development should also be taken into account during implementation.
Distributed systems can be used, for example, to operate high security locks of secure storage units (safes
and strongrooms).
High security locks (HSL) are used in DS as locking unit.
This document does not apply for stand-alone HSL, which are not part of a distributed system. For these
stand-alone HSL EN 1300 is applicable only.
The document will be revised with a frequency of 3 years as the research in the area of cryptography and
relevant attacks evolve with high speed as well as the referenced standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 1300, Secure storage units - Classification for high security locks according to their resistance to
unauthorized opening
EN 1143-1, Secure storage units - Requirements, classification and methods of test for resistance to
burglary - Part 1: Safes, ATM safes, strongroom doors and strongrooms
EN 1143-2, Secure storage units - Requirements, classification and methods of tests for resistance to
burglary - Part 2: Deposit systems
EN ISO/IEC 27001, Information technology - Security techniques - Information security management
systems - Requirements (ISO/IEC 27001)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 1300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1
remote input unit
rIU
additional component which allows information to be entered from a remote location and is intended for
exclusive use in a distributed system
Note 1 to entry: Input units (IU) are defined in EN 1300.
5

---------------------- Page: 7 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
3.2
condition as supplied
status of a DS or a component of a DS before the first customer-specific modification has been carried out
except for software/firmware updates, which can remain in effect
3.3
authenticity
quality that ensures, for example, that a communication partner is who they claim to be; for authentic
information it is ensured that it was created by the specified source
3.4
authentication factor
category of credential (knowledge factors (e.g. a password), possession factors (e.g. a card) or inherence
factors (e.g. biometric characteristics)) that is intended to verify that an entity requesting an access is
who they are declared to be
3.5
authorized user
person who is identified by input of the required information as being authorized for a certain action
3.6
independent component
component of a DS that has an active influence on the data processing as well as the security state of the
DS and that is absolutely necessary for the intended use of the DS
3.7
extraneous component
EC
component of a DS which is not manufactured especially for the DS but is used in the DS as a functional
unit
Note 1 to entry: For example, public components of a transmission path or office computers may be used as
extraneous components.
3.8
data processing unit
DPU
system for processing, managing and/or storing of information
Note 1 to entry: In order to minimize the risk of unauthorized access to security relevant information by third
parties, it is strongly recommended that a DPU is used exclusively within the direct sphere of influence of the
operator.
3.9
communication path
CP
transmission path for the exchange of information between the remote input unit and the processing unit
including the intermediary stored data processing units
3.10
authentication of components
coupling of two communication partners by using unique identification features
6

---------------------- Page: 8 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
3.11
security-relevant information
codes (e. g. opening, recognized, duress, parallel codes, cryptographic keys), authentication information
(e. g. passwords), data on software/firmware updates
3.12
locking device
LD
component which directly or indirectly allows the physical lock (locking) of further components, e. g. a
door or a boltwork
3.13
monitoring entry
stored information on a defined event within the DS with the indication of:
— causing event;
— time/date of event;
— triggering operator/triggering component
3.14
distributed system
DS
components operating as a unit, locally separated and aimed at the systematic implementation of a
common aim
Note 1 to entry: The exchange of information between the components can be wired or wireless.
3.15
deliberate action
conscious action of a person to confirm a status change
Note 1 to entry: A deliberate action may be, for example, the pushing of an operating button, the input of a
(confirmation) code or the turning of a handle.
3.16
access-secured area
area of a secure storage unit which, due to the physical properties, is not accessible when the product is
closed and not accessible trace-free in the open state
Note 1 to entry: For example, this can be the inside of a safe door that has a mechanical cover even when the door
is open.
3.17
two factor authentication
method for authenticating a user, service or component by means of two different authentication factor
types
Note 1 to entry: Examples of authentication factors can be found in the corresponding definition.
7

---------------------- Page: 9 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
4 Symbols and abbreviations
For the purposes of this document, the following symbols and abbreviations apply.
ANSSI: Agence nationale de la sécurité des systèmes d'information (National
Cybersecurity Agency of France)
BSI (DE): Bundesamt für Sicherheit in der Informationstechnik (German Federal Office
for Information Security)
CP: communication path
DPU: data processing unit
DS: distributed system
EC: extraneous component
ENISA: European Union Agency for Network and Information Security
HSL: high security lock
IU: input unit
LD: locking device
NIST: National Institute of Standards and Technology
PU: processing unit
rIU: remote input unit
5 Classification
Distributed systems are divided into four classes A (DS), B (DS), C (DS) and D (DS). For DS of class A (DS)
the lowest requirements are applicable, for those of class D (DS) the highest requirements are applicable.
For an approved distributed system, the component with the lowest classification relating to LD, PU, IU
and rIU determines the class of the entire distributed system.
6 Requirements
6.1 General
6.1.1 General
For HSL operated in distributed systems according to this document, the requirements of EN 1300 apply
in principle. The classification level achieved by an HSL according to EN 1300 determines the maximum
possible class for this document (see Table 1). For the components inside of the secure storage unit
Annex A is applicable.
Table 1 — Connection between EN 1300 and this document
The requirements of the following classes
Classes of this document
of EN 1300 shall be fulfilled
A (DS) A, B, C or D
B (DS) B, C or D
C (DS) C or D
D (DS) D
8

---------------------- Page: 10 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)

In case of conflicting requirements between EN 1300 and this document, this document prevails. Where
possible and applicable, reference is made to the corresponding clauses of EN 1300.
This document specifies requirements for independent components (see 6.2 to 6.4) and extraneous
components (see 6.5).
This document refers to the term state of the art. The state of the art shall be based on recommendations
of relevant publications of accepted organizations like European Union Agency for Network and
Information Security (ENISA), the German Federal Office for Information Security (BSI), the French
National Agency for Information Systems Security (ANSSI) or the National Institute of Standards and
Technology (NIST).
6.1.2 Construction
DS have a basic structure consisting of a processing unit (PU), a locking device (LD), an input unit (IU) as
well as the communication paths (CP) which could be public or local networks and, if applicable, a data
processing unit (DPU) or a remote input unit (rIU) or both. It is possible that these components exist
more than once in the system. The structure is not predefined in detail, but is based on the representation
in Figure 1.

Key
1 secure storage unit
2 access-secured area
3 local area
4 network
5 remote area
Figure 1 — Principle of a distributed system
Independent components with the exception of the IU, the rIU and the DPU, shall be located in the access
secured area of the DS.
The arrangement of the components shall be such that unauthorized access to these components can be
detected (e.g. by breaking a seal) even when the safe-storage space is properly opened.
9

---------------------- Page: 11 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
6.2 System administration
6.2.1 Administrative procedures
Configuration and service activities around the DS such as:
— initialization;
— configuration (e.g. integration of new components);
— setting up a time slot;
— setting the opening delay;
— administration of users;
— administration of user rights;
— back-up (and if applicable restoring);
— reset of hardware, if applicable;
shall be performed exclusively by authorized users (according to 6.2.7).
If an HSL also provides product-specific functions through which data can be accessed at any location of
the DS, these functions may also only be performed by authorized users (according to 6.2.7).
All configuration and service activities mentioned above as well as any additional product-specific
functions shall generate a monitoring entry in accordance with the requirements of 6.2.9.
System-wide, the entry of codes is only permitted via specially designed and protected components (IU
or rIU according to 6.2.11).
6.2.2 Confirmation of remotely initiated security relevant operating procedures
The following security-relevant operating procedures shall (if remotely initiated) be confirmed by means
of a deliberate action from an authorized user at the IU:
— authentication of components;
— unlocking the HSL;
— configuring hardware during initial commissioning;
— modifying hardware after initial commissioning;
— resetting the system to the condition as supplied.
For the following security-relevant operations it is sufficient if the deliberate action from an authorized
user within the DS is performed on one lock for this lock as well as for further locks of the same or a lower
class:
— changing the user code;
— activating new users.
The deliberate action shall generate an event entry according to 6.2.9.
10

---------------------- Page: 12 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
The aforementioned requirements and the resulting deliberate action shall be documented in the
operating instructions.
For installing software/firmware updates the requirements of 6.2.5.3 apply.
6.2.3 Information processing system as central operation/administration instance
In principle, one or more DPUs can be used to transfer operating and administration procedures to the
DS. This can be useful, for example, when administrating a large number of safes with a small number of
rIUs or when controlling the DS from a central point. In this case, the DPU shall meet the following
requirements:
Cryptographic algorithms as described in 6.3.1 and 6.3.2 shall be used to process or store information.
Users shall be authenticated in accordance with the requirements of 6.2.7.
The software shall be used and administrated in accordance with the requirements of 6.2.5.
Codes may only be entered on a DPU by authorized users and shall only be entered in conjunction with
an rIU.
The DPU shall provide an authenticated person (such as an administrative user) the ability to create a
representation of the entire network of the DS.
NOTE The representation of the network refers to all independent components of the DS.
The manufacturer shall describe the implementation of all requirements in the technical documentation.
6.2.4 Authentication of components
All independent components (see 3.6) of a DS shall be able to authenticate each other. The exchange of
authentication information shall be in accordance with the requirements for cryptography set out in 6.3.1
and 6.3.2.
The process of authentication shall be implemented using methods, which are state of the art.
For communication between two communicating components it is required that these components have
been successfully authenticated and have been authorized for data exchange.
For example, a local input unit (IU) shall successfully authenticate itself with the processing unit (PU), it
does not need to authenticate itself with another input unit connected to another processing unit.
If the authentication process can be managed by a user (e.g. (re-)initialization, modification or resetting
of a component authentication), this should only be possible for authorized users.
The process of the authentication is to be described by the manufacturer.
NOTE The authentication of the components can be closely related to the securing of the transmitted data (by
encryption). However, authentication has a fundamentally different protection goal. While the encryption of the
data secures their confidentiality, a positive authentication ensures the authenticity of a component. It is also
possible to achieve further security profits through the combination of authentication and encryption functions.
Thus, for example, the signing, integrity protection and falsification protection of data transmissions can be
achieved. Furthermore, firmware and software can be verified for authenticity and integrity and secure boot
functionality can be supported.
6.2.5 Software and firmware
6.2.5.1 General
The secure system configuration of DS components has a special significance with regard to information
security. It is therefore important that the manufacturer checks it for errors and weak points before it is
used.
11

---------------------- Page: 13 ----------------------
SIST EN 17646:2022
EN 17646:2022 (E)
The configuration and the underlying software of IP-supported DS components shall not have any
vulnerabilities in a “system vulnerability scan” according to the Common Vulnerabilities and Exposures
database (CVE – cve.mitre.org).
6.2.5.2 Obtaining software and firmware
The software/firmware shall only be obtained from a source within the direct sphere of influence of the
manufacturer.
If the software/firmware is transmitted via public networks, it shall be encrypted using state-of-the-art
security and testing mechanisms and checked for integrity. Additionally, the software can be transmitted
in a signed way.
6.2.5.3 Software and firmware updates
The software/firmware of DS components shall be updateable (not applicable for extraneous
components, see 3.7).
DS-wide at least one mechanism shall be available through which updates can be checked and the
software/firmware of the individual components can be updated automatically or manually.
If updates are available, one or more messages shall be displayed to the operator of the DS until these
have been taken into account. The manufacturer shall describe the types of a message in the technical
documentation.
NOTE 1 An update message can, for example, be received centrally by an authorized user (e.g. an administrator)
or can also be sent decentrally to each component affected by the update.
Remote updates shall be transmitted in encrypted form (according to 6.3.1 and 6.3.2) and can be signed
additionally. An asymmetrical encryption method with individual key pairs for each communication
partner (within the DS) would be preferable.
If only symmetric encryption methods are used, it shall be ensured that an individual key is used by two
communication participants. This key shall be unique system-wide and shall be transmitted to both
communication partners in a secure way (according to 6.3.2.5).
The manufacturer shall describe in the technical documentation which procedure it uses to secure the
updates and how the keys are transmitted to the communication participants.
NOTE 2 The use of asymmetric encryption methods is taken into account, for example, when using public-key
infrastructures.
Each update no matter if for a single lock or for the entire distributed system shall be initiated by the
input/transmission of a recognized code (e.g. input on IU or rIU) or password (e.g. input on DPU) and in
addition, the installation shall be confirmed by the entry of a recognized code at least at one local input
unit. The number of possible incorrect entries of these authorization codes, which are processed by the
DS in immediate succession, shall be limited in accordance with 6.2.7.6. Updates shall not delete or change
any codes or passwords.
Updates may enforce code or password changes in a separate process.
Before updates are activated, their authenticity and integrity shall be confirmed (e.g. using a hash
procedure or signature mechanism).
EXAMPLE The activation can be confirmed, for example, by
...

SLOVENSKI STANDARD
oSIST prEN 17646:2021
01-maj-2021
Varnostne shranjevalne enote - Klasifikacija visoko varnostnih ključavnic po
odpornosti proti nepooblaščenemu odpiranju - Porazdeljeni sistemi
Secure storage units — Classification for high security locks according to their resistance
to unauthorized opening — distributed systems
Wertbehältnisse - Klassifizierung von Hochsicherheitsschlössern nach ihrem
Widerstandswert gegen unbefugtes Öffnen - Verteilte Systeme
Unités de stockage en lieu sûr - Classification des serrures haute sécurité en fonction de
leur résistance à l'effraction - Systèmes répartis
Ta slovenski standard je istoveten z: prEN 17646
ICS:
13.310 Varstvo pred kriminalom Protection against crime
oSIST prEN 17646:2021 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 17646:2021

---------------------- Page: 2 ----------------------
oSIST prEN 17646:2021


DRAFT
EUROPEAN STANDARD
prEN 17646
NORME EUROPÉENNE

EUROPÄISCHE NORM

March 2021
ICS 13.310
English Version

Secure storage units - Classification for high security locks
according to their resistance to unauthorized opening -
distributed systems
Unités de stockage en lieu sûr -¿ Classification des Wertbehältnisse - Klassifizierung von
serrures haute sécurité en fonction de leur résistance à Hochsicherheitsschlössern nach ihrem
l'effraction ¿- Systèmes répartis Widerstandswert gegen unbefugtes Öffnen - Verteilte
Systeme
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/TC 263.

If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.


EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CEN All rights of exploitation in any form and by any means reserved Ref. No. prEN 17646:2021 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
Contents Page
European foreword . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Symbols and abbreviations . 8
5 Classification . 8
6 Requirements . 8
6.1 General . 8
6.1.1 General . 8
6.1.2 Construction . 9
6.2 System administration . 10
6.2.1 Administrative procedures . 10
6.2.2 Confirmation of remotely initiated security relevant operating procedures . 10
6.2.3 Information processing system as central operation/administration instance . 11
6.2.4 Authentication of components . 11
6.2.5 Software and firmware . 11
6.2.6 Administration interfaces . 13
6.2.7 Authentication of users . 13
6.2.8 Indication of the blocking status . 14
6.2.9 Recording events . 15
6.2.10 Data traffic in the secured state . 16
6.2.11 Detection of manipulations . 16
6.2.12 Indication of blocking times . 16
6.2.13 Resistance to spying . 17
6.3 Information security . 18
6.3.1 General protection aims . 18
6.3.2 Requirements on cryptography . 18
6.3.3 Other information security measures . 21
6.4 Security requirements . 21
6.4.1 Negative impacts by power supply . 21
6.4.2 Resistance against electrical and electromagnetic influences . 21
6.4.3 Resistance against physical environmental influences . 22
6.4.4 Temperature resistance . 22
6.4.5 Reliability . 22
6.5 Extraneous components . 22
6.5.1 Use of extraneous components . 22
6.5.2 Additional components . 22
7 Technical documentation . 22
7.1 General . 22
7.2 Required technical documentation . 22
7.3 Operating instructions . 24
8 Test samples . 25
9 Marking . 25
Annex A (normative) Determination of burglary resistance due to design requirements . 26
A.1 General . 26
2

---------------------- Page: 4 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
A.2 Electronic HSL as a part of a distributed system . 26
Bibliography . 27

3

---------------------- Page: 5 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
European foreword
This document (prEN 17646:2021) has been prepared by Technical Committee CEN/TC 263 “Secure
storage of cash, valuables and data media”, the secretariat of which is held by BSI.
This document is currently submitted to the CEN Enquiry.
4

---------------------- Page: 6 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
1 Scope
This document is applicable to Distributed Systems (DS), i.e. high security locks with components which
have a wired or wireless connection via a transmission system in order to execute fixed operating
conditions using different individually fixed access possibilities.
Products which are to be tested on the basis of this document comply with the generally recognized state
of the art at the time of testing. Due to the short innovation cycles in the field of electronic and, in
particular, information technology applications, the technical possibilities available at the time of product
development are also taken into account during implementation.
Distributed Systems can be used, for example, to operate high security locks of secure storage units (safes
and strongrooms).
High security locks (HSL) are used in DS as locking unit.
This document does not apply for stand-alone HSL, which are not part of a distributed system. For these
stand-alone HSL EN 1300 is applicable only.
The standard will be revised with a frequency of 3 years as the research in the area of cryptography and
relevant attacks evolve with high speed as well as the referenced standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN 1300, Secure storage units - Classification for high security locks according to their resistance to
unauthorized opening
EN 1143-1, Secure storage units - Requirements, classification and methods of test for resistance to burglary
- Part 1: Safes, ATM safes, strongroom doors and strongrooms
EN 1143-2, Secure storage units - Requirements, classification and methods of tests for resistance to
burglary - Part 2: Deposit systems
EN ISO/IEC 27001, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply / the terms and definitions
given in EN 1300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
remote input unit
rIU
additional component which allows information to be entered from a remote location and is intended for
exclusive use in a Distributed System
Note 1 to entry: Input units (IU) are defined in EN 1300.
5

---------------------- Page: 7 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
3.2
condition as supplied
status of a DS or a component of a DS before the first customer-specific modification has been carried out
except for software/firmware updates, which can remain in effect
3.3
authenticity
quality that ensures, for example, that a communication partner is who he claims to be; for authentic
information it is ensured that it was created by the specified source
3.4
authentication factor
category of credential (knowledge factors (e.g. a password), possession factors (e.g. a card) or inherence
factors (e.g. biometric characteristics)) that is intended to verify that an entity requesting an access is
who they are declared to be
3.5
authorized user
person who is identified by input of the required information as being authorized for a certain action
3.6
independent component
component of a DS that has an active influence on the data processing as well as the security state of the
DS and that is absolutely necessary for the intended use of the DS
3.7
extraneous component
EC
component of a DS which is not manufactured especially for the DS but is used in the DS as a functional
unit
Note 1 to entry: For example, public components of a transmission path or office computers may be used as
extraneous components
3.8
data processing unit
DPU
system for processing, managing and/or storing of information
Note 1 to entry: In order to minimize the risk of unauthorized access to security relevant information by third
parties, it is strongly recommended that a DPU is used exclusively within the direct sphere of influence of the
operator.
3.9
communication path
CP
transmission path for the exchange of information between the remote input unit and the processing unit
including the intermediary stored data processing units
3.10
authentication of components
coupling of two communication partners by using unique identification features
6

---------------------- Page: 8 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
3.11
security-relevant information
codes (e. g. opening, recognized, duress, parallel codes, cryptographic keys), authentication information
(e. g. passwords), data on software/firmware updates
3.12
locking device
LD
component which directly or indirectly allows the physical lock (locking) of further components, e. g. a
door or a boltwork
3.13
monitoring entry
stored information on a defined event within the DS with the indication of
— Causing event
— Time/date of event
— Triggering operator/triggering component
3.14
distributed system
DS
components operating as a unit, locally separated and aimed at the systematic implementation of a
common aim
Note 1 to entry: The exchange of information between the components can be wired or wireless
3.15
deliberate action
conscious action of a person to confirm a status change
Note 1 to entry: A deliberate action may be, for example, the pushing of an operating button, the input of a
(confirmation) code or the turning of a handle
3.16
access-secured area
area of a secure storage unit which, due to the physical properties, is not accessible when the product is
closed and not accessible trace-free in the open state
Note 1 to entry: For example, this can be the inside of a safe door that has a mechanical cover even when the door
is open.
3.17
two factor authentication
method for authenticating a user, service or component by means of two different authentication factor
types
Note 1 to entry: Examples of authentication factors can be found in the corresponding definition
7

---------------------- Page: 9 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
4 Symbols and abbreviations
ANSSI: Agence nationale de la sécurité des systèmes d'information (National Cybersecurity Agency
of France)
BSI (DE): Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for
Information Security)
CP: communication path
DPU: data processing unit
DS: distributed system
EC: extraneous component
ENISA: European Union Agency for Network and Information Security
HSL: high security lock
IAS: intruder alarm system
IU: input unit
LD: locking device
NIST: Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways
PU: processing unit
rIU: remote input unit
5 Classification
Distributed Systems are divided into four classes A (DS), B (DS), C (DS) and D (DS). For DS of class A (DS)
the lowest requirements are applicable, for those of class D (DS) the highest requirements are applicable.
For an approved Distributed System, the component with the lowest classification relating to LD, PU, IU
and rIU determines the class of the entire Distributed System.
6 Requirements
6.1 General
6.1.1 General
For HSL operated in distributed systems according to this document, the requirements of EN 1300 apply
in principle. The EN 1300 classification level achieved by an HSL determines the maximum classification
level possible for this standard (see Table 1).
Table 1 — Connection between EN 1300 and this document
Classes of this document The requirements of the following classes of
EN 1300 shall be fulfilled
A (DS) A, B, C or D
B (DS) B, C or D
C (DS) C or D
D (DS) D
8

---------------------- Page: 10 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
In case of conflicting requirements between EN 1300 and this document, this document prevails. Where
possible and applicable, reference is made to the corresponding clauses of EN 1300.
This document specifies requirements for independent components (see 6.2 to 6.4) and extraneous
components (see 6.5). As far as possible and applicable, reference is made to the clauses of EN 1300.
This document refers to the term state of the art. With state of the art, a method validated by accepted
organizations like European Union Agency for Network and Information Security (ENISA), the German
Federal Office for Information Security (BSI), the French National Agency for Information Systems
Security (ANSSI) or the Federal Network Agency for Electricity, Gas, Telecommunications, Post and
Railways (NIST) is meant.
6.1.2 Construction
DS have a basic structure consisting of a processing unit (PU), a locking device (LD), an input unit (IU) as
well as the communication paths (CP) which could be through public or local networks and, if applicable,
a data processing unit (DPU) or a remote input unit (rIU) or both. It is possible that these components
exist more than once in the system. The structure is not predefined in detail, but is based on the
representation in Figure 1.

Key
1 Secure storage unit
2 Access-secured area
3 Local area
4 Network
5 Remote area
Figure 1 — Principle of a Distributed System
Independent components with the exception of the IU, the rIU and the DPU, shall be located in the access
secured area of the DS.
The arrangement of the components shall be such that unauthorized access to these components can be
detected (e.g. by breaking a seal) even when the safe-storage space is properly opened.
9

---------------------- Page: 11 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
6.2 System administration
6.2.1 Administrative procedures
Configuration and service activities around the DS such as
— initialization;
— configuration (e.g. integration of new components)
— setting up a time slot
— setting the opening delay
— administration of users
— administration of user rights
— back-up (and if applicable restoring)
— reset of hardware, if applicable
shall be performed exclusively by authorized users (according to 6.2.7).
If an HSL also provides product-specific functions through which data can be accessed at any location of
the DS, these functions may also only be performed by authorized users (according to 6.2.7).
All configuration and service activities mentioned above as well as any additional product-specific
functions shall generate a monitoring entry in accordance with the requirements of 6.2.9.
System-wide, the entry of codes is only permitted via specially designed and protected components (IU
or rIU according to 6.2.11).
6.2.2 Confirmation of remotely initiated security relevant operating procedures
The following security-relevant operating procedures shall (if remotely initiated) be confirmed by means
of a deliberate action from an authorized user at the IU:
— pairing of components;
— unlocking the HSL;
— configuring hardware during initial commissioning;
— modifying hardware after initial commissioning;
— resetting the system to the condition as supplied.
For the following security-relevant operations it is sufficient if the deliberate action from an authorized
user within the DS is performed on one lock for this lock as well as for further locks of the same or a lower
class:
— changing the user code;
— activating new users.
The deliberate action shall generate an event entry according to 6.2.9.
10

---------------------- Page: 12 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
The aforementioned requirements and the resulting deliberate action shall be documented in the
operating instructions.
For installing software/firmware updates the requirements of 6.2.5.3 apply.
6.2.3 Information processing system as central operation/administration instance
In principle, one or more DPUs can be used to transfer operating and administration procedures to the
DS. This can be useful, for example, when administrating a large number of safes with a small number of
rIUs or when controlling the DS from a central point. In this case, the DPU shall meet the following
requirements:
Cryptographic algorithms as described in 6.3.1 and 6.3.2 shall be used to process or store information.
Users shall be authenticated in accordance with the requirements of 6.2.7.
The software shall be used and administrated in accordance with the requirements of 6.2.5.
Codes may only be entered on a DPU by authorized users and shall only be entered in conjunction with
an rIU.
The DPU shall provide an authenticated person (such as an administrative user) the ability to create a
representation of the entire network of the DS.
NOTE The representation of the network refers to all independent components of the DS.
The manufacturer shall describe the implementation of all requirements in the technical documentation.
6.2.4 Authentication of components
All independent components (see 3.6) of a DS shall be able to authenticate each other. The exchange of
authentication information shall be in accordance with the requirements for cryptography set out in 6.3.1
and 6.3.2.
The process of authentication shall be implemented using methods, which are state of the art.
For communication between components it is required that these components have been successfully
authenticated and have been authorized for data exchange.
If the authentication process can be managed by a user (e.g. (re-)initialization, modification or resetting
of a component authentication), this should only be possible for authorized users.
The process of the authentication is to be described by the manufacturer.
NOTE The authentication of the components can be closely related to the securing of the transmitted data (by
encryption). However, authentication has a fundamentally different protection goal. While the encryption of the
data secures their confidentiality, a positive authentication ensures the authenticity of a component. It is also
possible to achieve further security profits through the combination of authentication and encryption functions.
Thus, for example, the signing, integrity protection and falsification protection of data transmissions can be
achieved. Furthermore, firmware and software can be verified for authenticity and integrity and secure boot
functionality can be supported.
6.2.5 Software and firmware
6.2.5.1 General
The secure system configuration of DS components has a special significance with regard to information
security. It is therefore important that the manufacturer checks it for errors and weak points before it is
used.
The configuration and the underlying software of IP-supported DS components shall not have any
vulnerabilities in a “system vulnerability scan” according to the Common Vulnerabilities and Exposures
database (CVE – cve.mitre.org).
11

---------------------- Page: 13 ----------------------
oSIST prEN 17646:2021
prEN 17646:2021 (E)
6.2.5.2 Obtaining software and firmware
The software/firmware shall only be obtained from a source within the direct sphere of influence of the
manufacturer.
If the software/firmware is transmitted via public networks, it shall be encrypted using state-of-the-art
security and testing mechanisms and checked for integrity. Additionally, the software can be transmitted
in a signed way.
6.2.5.3 Software and firmware updates
The software/firmware of DS components shall be updateable (not applicable for extraneous
components, see 3.7).
DS-wide at least one mechanism shall be available through which updates can be checked and the
software/firmware of the individual components can be updated automatically or manually.
If updates are available, one or more messages shall be displayed to the operator of the DS until these
have been taken into account. The manufacturer shall describe the types of a message in the technical
documentation.
NOTE 1 An update message can, for example, be received centrally by an authorized user (e.g. an administrator)
or can also be sent decentrally to each component affected by the update.
Remote updates shall be transmitted in encrypted form (according to 6.3.1 and 6.3.2) and can be signed
additionally. An asymmetrical encryption method with individual key pairs for each communication
partner (within the DS) would be preferable.
If only symmetric encryption methods are used, it shall be ensured that an individual key is used by two
communication participants. This key shall be unique system-wide and shall be transmitted to both
communication partners in a secure way (according to 6.3.2.5).
The manufacturer shall describe in the technical documentation which procedure he uses to secure the
updates and how the keys are transmitted to the communication participants.
NOTE 2 The use of asymmetric encryption methods is taken into account, for example, when using public-key
infrastructures.
Each update no matter if for a single lock or for the entire distributed system shall be initiated by the
input/transmission of a recognized code (e.g. input on IU or rIU) or password (e.g. input on DPU) and in
addition, the installation shall be confirmed by the entry of a recognized code at least at one local input
unit. The number of possible incorrect entries of these authorization codes, which are processed by the
DS in immediate succession, shall be limited in accordance with Clause 6.2.7.6. Updates shall not delete
or change any codes or passwords.
Updates may enforce code or password changes in a separate process
Before updates are activated, their authenticity and integrity shall be confirmed (e.g. using a hash
procedure or signature mechanism).
EXAMPLE The activation can be confirmed, for example, by entering a special code or – after a corresponding
query or hint – by re-entering the previously used code.
Any intervention in the firmware/software shall trigger a monitoring entry in accordance with 6.2.9.
The manufacturer shall list all necessary measures for carrying out an update in the operating
instructions.
Updates shall be identified by a unique version number and be clearly identifiable.
12

---------------------- Page: 14 ----------------------
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.