SIST EN 9300-005:2017

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Luft- und Raumfahrt - LOTAR - Langzeit-Archivierung und -Bereitstellung digitaler technischer Produktdokumentationen, wie zum Beispiel von 3D-, CAD- und PDM-Daten - Teil 005: Authentifizierung und VerifikationSérie aérospatiale - LOTAR - Archivage long terme et récupération des données techniques produits numériques telles que CAD 3D et PDM - Partie 005 : Authentification et VérificationAerospace series - LOTAR - LOng Term Archiving and Retrieval of digital technical product documentation such as 3D, CAD and PDM data - Part 005: Authentication and Verification49.020Letala in vesoljska vozila na splošnoAircraft and space vehicles in general35.240.30Uporabniške rešitve IT v informatiki, dokumentiranju in založništvuIT applications in information, documentation and publishing01.110L]GHONHTechnical product documentationICS:Ta slovenski standard je istoveten z:EN 9300-005:2017SIST EN 9300-005:2017en,fr,de01-december-2017SIST EN 9300-005:2017SLOVENSKI
STANDARD



SIST EN 9300-005:2017



EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 9300-005
October
t r s y ICS
r sä s s râ
u wä t v rä u râ
u wä t v rä x râ
v {ä r t r English Version
Aerospace series æ LOTAR æ LOng Term Archiving and Retrieval of digital technical product documentation such as
uDá CAD and PDM data æ Part
r r wã Authentication and Verification Série aérospatiale æ LOTAR æ Archivage long terme et récupération des données techniques produits numériques telles que CAD
uD et PDM æ Partie
r r w ã Authentification et Vérification
Luftæ und Raumfahrt æ LOTAR æ LangzeitæArchivierung und æBereitstellung digitaler technischer Produktdokumentationená wie zum Beispiel von
uDæá CADæ und PDMæDaten æ Teil
r r wã Authentifizierung und Verifizierung This European Standard was approved by CEN on
s x July
t r s yä
egulations which stipulate the conditions for giving this European Standard the status of a national standard without any alterationä Upætoædate lists and bibliographical references concerning such national standards may be obtained on application to the CENæCENELEC Management Centre or to any CEN memberä
translation under the responsibility of a CEN member into its own language and notified to the CENæCENELEC Management Centre has the same status as the official versionsä
CEN members are the national standards bodies of Austriaá Belgiumá Bulgariaá Croatiaá Cyprusá Czech Republicá Denmarká Estoniaá Finlandá Former Yugoslav Republic of Macedoniaá Franceá Germanyá Greeceá Hungaryá Icelandá Irelandá Italyá Latviaá Lithuaniaá Luxembourgá Maltaá Netherlandsá Norwayá Polandá Portugalá Romaniaá Serbiaá Slovakiaá Sloveniaá Spainá Swedená Switzerlandá Turkey and United Kingdomä
EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre:
Avenue Marnix 17,
B-1000 Brussels
9
t r s y CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Membersä Refä Noä EN
{ u r ræ r r wã t r s y ESIST EN 9300-005:2017



EN 9300-005:2017 (E) 2 Contents Page European foreword . 3 1 Scope . 4 2 Normative references . 4 3 Terms, definitions and abbreviations . 4 4 Applicability . 6 5 Authentication . 6 6 Qualification methods . 9 7 Electronic signature . 12
(informative)
Use cases and recommended solutions
for issues of authentication and verification . 16
Figures Figure 1 — Check and renew signature document. 8 Figure 2 — Concept of repair in data preparation / ingest process and retrieval process . 12 Figure 3 — Creation and check of electronic signatures . 14 Figure 4 — Validity of electronic signatures . 14 Figure 5 — Verification period of electronic signatures . 15
SIST EN 9300-005:2017



EN 9300-005:2017 (E) 3 European foreword This document (EN 9300-005:2017) has been prepared by the Aerospace and Defence Industries Association of Europe - Standardization (ASD-STAN). After enquiries and votes carried out in accordance with the rules of this Association, this Standard has received the approval of the National Associations and the Official Services of the member countries of ASD, prior to its presentation to CEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by April 2018, and conflicting national standards shall be withdrawn at the latest by April 2018. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. SIST EN 9300-005:2017



EN 9300-005:2017 (E) 4 1 Scope EN 9300-005 describes the fundamentals and concepts of authentication and verification of the integrity of digital documents and their content during the archiving and retrieval processes. The Data Domain Parts EN 9300-x00 will specify qualification measures for the content of the document. The fundamentals given in this document cover the requirements, methods and recommendations for their implementation within an archiving system. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. EN 9300 (all parts), Aerospace series — LOTAR — LOng Term Archiving and Retrieval of digital technical product documentation such as 3D, CAD and PDM data 3 Terms, definitions and abbreviations For the purposes of this standard, the terms, definitions and abbreviations given in EN 9300-003 and EN 9300-007 shall apply. 3.1 authentication authentication has to prove:  the originality and integrity of a document and its contents;  the identity of a user. Authentication of an electronic document establishes that the content is unchanged from to the original information. Information is original if it is demonstrable that the information belongs to the supposed author. Authentication may depend upon one or more authentication factors. Unlike verification and validation, authentication makes no statement about the quality of data in terms of usability in the archiving process chain of e.g. conversion or reuse. 3.2 asymmetric keys asymmetric keys are pairs of keys, created in one step; they can be used in both directions. Encryption with the public key can only be decrypted with the private key; if the encryption is done with the private key, the decryption can only done with the public key; such a key pair can be used for encryption and for signing 3.2.1 public key public key is the part of the asymmetric key pair that is known to everyone SIST EN 9300-005:2017



EN 9300-005:2017 (E) 5 3.2.2 private key private key is the part of the asymmetric key pair that is only known by the owner of the asymmetric key pair 3.3 electronic document digital representation of a defined and structured amount of information which can be managed as a unit and be exchanged between users and systems; each revision of a given document is a new electronic document [Copied and modified from ISO-IEC 82045] 3.4 electronic signatures electronic signature is a defined method to sign an object in electronic environments; it provides means to authenticate the signatory and the signed object in an unambiguous and safe way by attaching to or logically associating data in electronic form to other electronic objects In EN 9300 it is defined by an encrypted hash code with additional information such as time of creation and owner of the signature. ASD-STAN LOTAR distinguishes between:  engineering signature;  time signature. In the context of the EN 9300, an electronic signature shall be:  uniquely linked to the signatory;  capable of identifying the signatory;  created using means that the signatory can maintain:  under their sole control.  linked to the data to which it relates in such a manner that:  any subsequent change of the data is detectable. Note 1 to entry: This definition complies with that given by:  Directive in 1999/93/EC of the European parliament and the council from the 13th of December, 1999 concerning collective basic conditions of electronic signatures. 3.4.1 engineering signature engineering signature expresses and fixes a volition of the signatory it gives evidence of:  the process of testifying quality of data against process / quality requirements by linking the signature owner to the data;  the identity of the signatory by usage of appropriate methods of authentication; SIST EN 9300-005:2017



EN 9300-005:2017 (E) 6  the integrity of the data by using appropriate methods protecting the signed object against unauthorized changes. 3.4.2 time signature time signature is created automatically as part of a certified process and requires certified hardware; it provides a legal guarantee for time and owner of the data 3.5 hash code hash code is represented by a number calculated by a One-Way-Hash function. It represents the electronic document in a unique way 3.6 signer signer is an entity that initially creates the electronic signature; when the signer digitally signs data using the prescribed format, this represents a commitment on behalf of the signing entity about the data being signed 3.7 verifier verifier is an entity that verifies evidence (ISO/IEC 13888-1); within the context of this document this is an entity that validates an electronic signature 3.8 trust center trust center is one or more entities that help to build trust relationships between the signer and verifier; use of some specific technical service provider (TSP) services MAY be mandated by signature policy. TSP supporting services may provide the following information: user certificates, cross-certificates, time-stamping tokens. 3.9 verification levels in the context of EN 9300 Verification Levels indicate a risk assessment; verification levels here will indicate the maximum acceptable risk for a specific process 4 Applicability Refer to applicability of EN 9300-001, clause 4. 5 Authentication The necessity of authentication and verification of digital information results from the legal requirement of ensuring the authenticity (originality and integrity) of stored data. 5.1 Authentication of User The authentication of the user is necessary to ensure only authorised persons initiate controlled processes. The legal status of an engineering signature will be enhanced by means of authentication. SIST EN 9300-005:2017



EN 9300-005:2017 (E) 7 5.1.1 Authentication by means of a PKI (Public Key Infrastructure) The application of a PKI is recommended to guarantee the quality of an engineering signature. Advantage:  delivers a higher evidential value. Disadvantages:  the need to provide an Infrastructure (PKI) with key ring administration;  each release of a document creates electronic signatures with metadata to manage. NOTE Currently there are different national laws and/or standards defining different security levels for PKI. By applying these levels different legal qualities for documents can be obtained.
5.1.2 Authentication by User Key and Password EN 9300 recommends authentication policies based on current business practices for user keys and passwords as the initial user authentication quality level. Advantages:  legal recommendations for documentation of the release process are fulfilled;  there is no need for a PKI and no additional hardware for identification is required. Disadvantage:  the validity in the context of lawsuits is less than under PKI. 5.2 Authentication of Document and Content
Applying authentication to a document and its content will improve its evidential weight in the context of legal proceedings. The authenticity of a digital document can be proved with the document hash code. In case of a change of content, a new electronic document must be created and authenticated. 5.2.1 Requirements to Hash Codes For signing and verification a hash code will be used like a digital finger print. To ensure that no security gaps occur, the hash code must fulfil the following criteria:  it should practically be impossible to find a collision (where two or more different digital documents generate an identical hash code);  creating hash codes shall be an one way function. It should not be possible to find a file that generates a given hash code. NOTE From a theoretical point of view collisions are inevitable. SIST EN 9300-005:2017



EN 9300-005:2017 (E) 8 5.2.2 Usable Hash Functions It is recommended that the practice applied has the highest security level. Its validity depends on the technical development in hardware, cryptography and networking. It is also recommended that hash codes have the maximum lifetime, in order to avoided renewing the hash code after a short period. NOTE 1 See, for example, the recommendations of the German Federal Network Agency (for Electrici
...