SECURITY STANDARDS

ICAO

ICAO MRTD

International standards bodies - ISO, ITU-T, ETSI

ISO

ISO conformity assessment

ISO 27K and BS 7799 related

BS 7799 Part 1 'Code of practice for information security management' evolved into ISO 17799 and then into ISO 27002; Part 2 'ISMS specifications' was further extended into the ISO 2700X family.

ISO 15408 Common Criteria (and related)

Security evaluation standards

NATO

Security techniques

ISO Biometrics

ISO blockchain and DLT standards

ISO TC 307 blockchain and distributed ledger technology - Chairperson (until end 2019): Mr Craig Dunn

Blockchain: distributed ledger system with confirmed blocks organized in an append-only, sequential chain using cryptographic links.

Consensus: agreement among nodes that a transaction is valid and that there is a consistent set and ordering of the transactions stored in the distributed ledger.

Distributed ledger: ledger that is shared and synchronized in a distributed manner.

Structure

Standards and work in progress

Other

ISO crypto standards

Refer to crypto-timestamping

Hashing and MAC

Encryption

Authentication

Trusted Platform Module

The TPM is a security chip connected to the CPU that provides isolated storage of encryption keys and of Platform Configuration Registers (PCRs). These PCRs hold hash values, which can only be updated by extending them. An extension consists of concatenating the current register value with the input, hashing the result and storing the resulting hash in the register. The registers are complemented by a 'measurement log', a list of the items that have been executed. Replaying the log should produce the same value as the one stored in the register. This can be used to record the boot process of a platform by 'extending' every piece of code to be executed into a register before the code is loaded. The first item loaded, the bootloader, cannot be measured in this way and is therefore referred to as the 'root of trust for measurement'. Remote attestation allows a platform to report the measurements collected during boot.
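As an added illustration (not part of the original page), the following Python model shows PCR extension, the measurement log and its replay, and the check a remote verifier makes on a reported PCR. The boot stages and the known-good value are constructed; the extend operation is assumed to follow the TPM 2.0 ordering H(old || measurement), and the TPM's signature over the reported PCR is left out.

```python
import hashlib
from typing import Iterable, List, Tuple

HASH = hashlib.sha256
PCR_INIT = bytes(32)   # boot-measurement PCRs start at all zeros (32 bytes for SHA-256)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend, TPM 2.0 ordering (assumed here): new = H(old || measurement).
    The register can only move forward; it cannot be set to a chosen value."""
    return HASH(pcr + measurement).digest()

def measured_boot(stages: Iterable[bytes]) -> Tuple[bytes, List[bytes]]:
    """Hash each piece of code loaded after the root of trust for measurement,
    extend it into the PCR before it would run, and record the digest in the log."""
    pcr = PCR_INIT
    log: List[bytes] = []
    for code in stages:
        digest = HASH(code).digest()
        pcr = extend(pcr, digest)
        log.append(digest)
    return pcr, log

def replay(log: Iterable[bytes]) -> bytes:
    """Recompute the PCR from the log alone; it matches the register only if the log is intact."""
    pcr = PCR_INIT
    for entry in log:
        pcr = extend(pcr, entry)
    return pcr

def verify_attestation(reported_pcr: bytes, log: List[bytes], golden_pcr: bytes) -> bool:
    """Verifier side of remote attestation (TPM quote signature omitted): the log must
    replay to the reported PCR, and that PCR must equal the known-good value."""
    return replay(log) == reported_pcr and reported_pcr == golden_pcr

# Constructed stand-ins for boot stages; real input would be the binaries themselves.
GOOD_STAGES = [b"stage-2 loader", b"kernel 6.1", b"initrd"]
TAMPERED_STAGES = [b"stage-2 loader", b"kernel 6.1 + patched", b"initrd"]

if __name__ == "__main__":
    golden, good_log = measured_boot(GOOD_STAGES)
    bad_pcr, bad_log = measured_boot(TAMPERED_STAGES)
    print("good boot accepted :", verify_attestation(golden, good_log, golden))
    print("tampered kernel    :", verify_attestation(bad_pcr, bad_log, golden))
    # A platform that presents the good log while its register holds bad_pcr fails replay.
    print("forged log         :", verify_attestation(bad_pcr, good_log, golden))
```

Because each extend chains on the previous register value, the same entries in a different order yield a different PCR, which is why the log must be replayed rather than merely compared as a set.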

Signing

Basics
Long term signature
Blind signature
Anonymous signatures

Other

Management

Assurance and testing

Biometric protection

Authenticated encryption

Generation

ISO smart card standards

CEN and ETSI/3GPP are also very influential in this field.

ISO other standards

Identity

Other

ISO other standards - TTP and related

ISO other standards - healthcare

ISO other standards - transport and vehicle related

ISO other standards - IT governance

ISO other standards - devices

ISA - International Society of Automation

ITU-T

EU standards and related matters

Europe's Standard Development Organisations are CEN, CENELEC and ETSI. Regarding security standards, there is the SOG-IS group.

CEN

CENELEC

ETSI

EU standards were particularly successful in mobile communication such as GSM. These standards were originally driven through CEPT (European Conference of Postal and Telecommunications Administrations). In 1988, ETSI took over, and in 2001 GSM standardisation was transferred to the global 3GPP. For an overview, refer to the ETSI security workshop and white papers such as "ETSI White Paper No. 1 Security for ICT - the Work of ETSI" by Charles Brookson and Dionisio Zumerle (January 2006). Areas covered by ETSI:

ETSI ESI

ETSI activities on electronic signatures are coordinated by Technical Committee (TC) Electronic Signatures and Infrastructures (ESI), chaired by Ricardo Genghini. The ongoing and past activities of the ESI TC are available, together with the drafts. In 2013, the EC gave EU e-signature standardisation mandate M460 to CEN and ETSI to establish a rationalised framework for electronic signature standardisation.

ETSI M460 STFs

ETSI other STFs

ETSI TR and TS (selection)

As explained in ETSI TR 119 000, the following domains are addressed regarding trust services:

Key standards include:

CEN standards for remote signing systems:

ETSI standards related to remote signature:

ETSI standards related to certificates

ETSI standards related to EU trust services:

ETSI standards related to Electronic Registered Delivery Services (ERDS) and AS4, the CEF eDelivery message exchange protocol, based on OASIS ebMS.

ETSI standards related to the new USIM - the SSP

ETSI blockchain and DLT

SOG-IS

Aim

Coordinate the standardisation of Common Criteria protection profiles and certification policies between European Certification Bodies in order to have a common position in the fast-growing international CCRA group. Coordinate the development of protection profiles whenever the European Commission launches a directive that is to be implemented in national laws, as far as IT security is involved.

Selected EU Member States participate in SOG-IS, the Senior Officials Group Information Systems Security. The SOG-IS agreement was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council Recommendation of April 7th (1995/144/EC) on common information technology security evaluation criteria. SOG-IS participants subscribe to the MRA, the Mutual Recognition Agreement of Information Technology Security Certificates. Participants are:

More info:

Other

GSMA

Standards from consortia

Global de-facto standards and related matters

Emerging: BS 1008:2208 Evidential weight and legal admissibility of electronic information

IETF

Other

US standards and related matters