DOI 10.1007/s10559-017-9908-8 Cybernetics and Systems Analysis, Vol. 53, No. 1, January, 2017
STANDARDIZATION IN INFORMATION TECHNOLOGY SECURITY
UDC 681.3
O. M. Fal’
Abstract. The author overviews the international standards developed by SC 27 “IT Security techniques” of the ISO/IEC Joint Technical Committee “Information technologies.” The standards cover cryptographic mechanisms, evaluation and testing of products and information systems, countermeasures, and security services. Both published standards and those under development are considered.

Keywords: information security incident, confidentiality, business continuity, security assessment, key management, functional services.

INTRODUCTION

April 2015 marked 25 years since the subcommittee on security of information technologies of the Joint Technical Committee on Information Technologies (JTC 1/SC 27 “IT Security techniques”) was created. In the modern world, which is characterized by the implementation of information technologies in all fields of human activity, the security of information in its various aspects is extremely important. Similar problems were analyzed in the 1990s, when the subcommittee was created. Initially, the subcommittee included 18 countries that were ISO members. Over 25 years, its membership has grown to 73, of which 52 are active members (P-members) and 21 are passive members (O-members). More than 150 international standards and technical reports covering various aspects of the standardization objects were developed in these years. More than 300 experts from different countries were involved.

The subcommittee includes five working groups, namely:
— WG1 “Information security management systems;”
— WG2 “Cryptography and security mechanisms;”
— WG3 “Security assessment, testing, and specification;”
— WG4 “Counter-measures and security services;”
— WG5 “Management of identification data and privacy ensuring technologies.”

The paper [1] overviews the standards in information security management developed in WG1. The present paper is devoted to standardization within the limits of WG2, WG3, and WG4.
It is based on the document [2], which can be found on the subcommittee site www.jtc1sc27.din.de.

V. M. Glushkov Institute of Cybernetics, National Academy of Sciences of Ukraine, Kyiv, Ukraine. Translated from Kibernetika i Sistemnyi Analiz, No. 1, January–February, 2017, pp. 91–98. Original article submitted April 25, 2016.
1060-0396/17/5301-0078 ©2017 Springer Science+Business Media New York

THE STANDARDS DEVELOPED BY WG2

The WG2 road map defines the following directions of standardization:
— identification of needs and requirements of the methods and mechanisms providing the security of information technologies;
— development of the terminology, common models, and standards to use these methods and mechanisms in security services.

Let us consider the standards developed in WG2 for various application fields.

Confidentiality
ISO/IEC 18033 (six parts). Encryption algorithms. Specifies symmetric ciphers (block and stream) and asymmetric ciphers, including identity-based ones, as well as homomorphic ciphers.
ISO/IEC 29192 (six parts). Lightweight cryptography. Specifies cryptographic mechanisms adapted for use in devices with restricted computing resources and restricted channel capacity.
ISO/IEC 29150. Encryption with signing (Signcryption). Specifies a mechanism for simultaneous signing and encryption that uses the asymmetric key pairs of both the sender and the receiver.
ISO/IEC 19772. Authenticated encryption. Specifies the mechanism for simultaneous encryption and authentication of the data and the sender.
ISO/IEC 10116. Modes of operation for n-bit block cipher. Specifies modes of operation of block ciphers, namely, ECB, CBC, OFB, CFB, and CTR.

Monitoring Data Integrity with the Use of Message Authentication, Hash Functions, and Digital Signatures
ISO/IEC 10118 (four parts). Hash functions. Specifies several types of hash functions, which map bit strings of arbitrary length into strings of fixed length.
ISO/IEC 9797 (three parts). Message authentication codes (MACs). Establishes algorithms to calculate message authentication codes for data integrity checks.
ISO/IEC 9796 (two parts). Digital signature schemes giving message recovery. Specifies digital signature mechanisms that provide recovery of the entire message or a part of it and reduce the load related to data storage or transmission.
ISO/IEC 14888 (three parts). Digital signatures with appendix. Specifies digital signature mechanisms based on the discrete logarithm and integer factorization problems.
ISO/IEC 20008 (two parts). Anonymous digital signatures. Specifies anonymous digital signature mechanisms in which the signature is verified with the use of the public key of a group of users.
ISO/IEC 18370 (two parts). Blind digital signatures. Specifies blind digital signature mechanisms, which allow a digital signature to be obtained without disclosing information about the actual message or the resulting signature.

Entity Authentication
ISO/IEC 9798 (six parts). Entity authentication. Specifies several types of entity authentication mechanisms in which an entity (the one being verified) proves that it knows some secret.
ISO/IEC 20009 (four parts). Anonymous entity authentication. Specifies anonymous entity authentication mechanisms in which the verifier uses a group digital signature scheme based on blind digital signatures and weak secrets.

Key Management with Random Number and Random Prime Number Generation
ISO/IEC 11770 (six parts). Key management. Describes the general models on which key management mechanisms are based and specifies the main concepts of key management and several types of key derivation mechanisms.
ISO/IEC 18031. Random bit generation. Specifies the conceptual model for random bit generators used in cryptographic mechanisms.
ISO/IEC 18032. Prime number generation. Provides methods of prime number generation applied in cryptographic protocols and algorithms.
ISO/IEC 15946 (two parts). Cryptographic techniques based on elliptic curves. Describes the mathematical foundation of elliptic curves and methods of their generation.
ISO/IEC 19592 (two parts). Secret sharing. Describes cryptographic secret sharing schemes.

Non-Repudiation
ISO/IEC 13888 (three parts). Non-repudiation. Specifies the provision of non-repudiation services. The purpose of a non-repudiation service is to generate, collect, maintain, make available, and validate evidence concerning claimed events or actions, applied to resolve disputes about the occurrence or non-occurrence of an event or action.

Services of Trusted Third Party
ISO/IEC 18014 (four parts). Time-stamping services. Specifies time-stamping services, which are provided by means of time-stamp tokens by the concerned parties with additional tracing of time sources.

The standards in cryptography are analyzed in detail in [3].

THE STANDARDS DEVELOPED BY WG3

The application domain of WG3 is the development of standards related to specification, assessment, testing, and certification of information systems, components, and products with respect to IT security, including computer networks, distributed systems, biometrics, and related application services. Standards addressing the following aspects of this application domain have been developed.

Security Assessment Criteria
ISO/IEC 15408 (three parts). Evaluation criteria for IT security. Establishes general concepts and principles of IT security evaluation and specifies the general model of the evaluation.
ISO/IEC 19790. Security requirements for cryptographic modules. Specifies security requirements for the cryptographic modules used for security of information in computer and telecommunication systems.

Methodology of Criteria Application
ISO/IEC 18045. Methodology for IT security evaluation. Specifies the minimum actions to be executed in evaluating conformance to the criteria presented in standard ISO/IEC 15408.
ISO/IEC TR 19791. Security assessment of operational systems. The technical report (TR) provides guidance and criteria for security assessment of operational systems.
ISO/IEC 19792. Security evaluation of biometrics. Specifies the aspects to be analyzed during security evaluation of biometric systems.

Specification of Functional Services and Services of Assurance of Information Systems, Components, and Products
ISO/IEC TR 15443 (two parts). A framework for IT security assurance. Provides guidance on choosing a suitable assurance method in determining or implementing a service or a product.
ISO/IEC TR 15446. Guide for the production of Protection Profiles and Security Targets. Provides guidance on creating protection profiles and security targets compatible with the requirements of standard ISO/IEC 15408.
ISO/IEC TR 19608. Guidance for developing security and privacy functional requirements based on ISO/IEC 15408. The technical report provides guidance on the development of privacy functional requirements based on the privacy principles outlined in ISO/IEC 29100, using the paradigm described in ISO/IEC 15408-2.
ISO/IEC TR 19249. Catalogue of architectural and design principles for secure products, systems, and applications. The technical report provides a catalogue of guidance on architecture- and design-related principles in the development of secure products, systems, and applications.

Methodology of Testing to Determine the Correspondence of Provided Functional Services and Assurance Services
ISO/IEC 24759. Test requirements for cryptographic modules. Specifies the methods to be used by test laboratories to test the compliance of cryptographic modules with the requirements of standard ISO/IEC 19790.
ISO/IEC 17825. Testing methods for the mitigation of non-invasive attack classes against cryptographic modules. Specifies the test metrics for the mitigation of non-invasive attacks, used to determine compliance with the requirements of standard ISO/IEC 19790 with respect to the third and fourth security levels.
ISO/IEC 18367. Cryptographic algorithms and security mechanisms conformance testing. The purpose of this standard is to provide methods of testing the compliance of cryptographic algorithms and security mechanisms implemented in the cryptographic module.
ISO/IEC TR 20540. Guidelines for testing cryptographic modules in their operational environment. The technical report provides guidelines for auditing that the cryptographic module is properly installed, configured, or operating.
ISO/IEC 20543. Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408. Specifies assessment methods and testing requirements for the random bit generators presented in standard ISO/IEC 18031.

Administrative Procedures for Testing, Assessment, Certification, and Accreditation Schemes
ISO/IEC 19896. Competence requirements for information security testers and evaluators. Provides the fundamental concepts related to the competence of experts who are in charge of IT product assessment and compliance testing.
ISO/IEC 19989. Security evaluation of presentation attack detection for biometrics. Specifies a supplement to the procedure outlined in ISO/IEC 18045 for the assessment of attack detection, given biometric characteristics.
ISO/IEC 29128. Verification of cryptographic protocols. Establishes a technical basis for the security proof of the specification of cryptographic protocols.
ISO/IEC 29147. Vulnerability disclosure. Provides guidelines on disclosing potential vulnerabilities in products and on-line services.
ISO/IEC 30104. Physical security attacks, mitigation techniques, and security requirements. Considers how security assurance can be formulated for products whose environment requires support for physical security mechanisms.
ISO/IEC 30111. Vulnerability handling processes. Provides processes to handle vulnerabilities.

THE STANDARDS DEVELOPED BY WG4

Standards have been developed in the following standardization directions:

Services of the Trusted Third Party (TTP)
ISO/IEC TR 14516. Guidelines for the use and management of TTP services. Clearly defines the fundamental services provided by the TTP and the mutual duties of the TTP and the recipient of its services.
ISO/IEC 15945. Specification of TTP services to support the application of digital signatures. Specifies the services necessary to support the application of digital signatures so as to make it impossible to repudiate the creation of a document.
ISO/IEC 29149. Best practice on the provision and use of time-stamping services. Explains how to generate, update, and check time-stamp tokens.

Principles of ICT Readiness to Ensure Business Continuity
ISO/IEC 27031. Guidelines for ICT readiness for business continuity. Describes the concepts and principles of ICT readiness to ensure business continuity.

Cybersecurity
ISO/IEC 27032. Guidelines for cybersecurity. Provides guidelines on improving the state of cybersecurity, as well as basic security practices for concerned parties in cyberspace.

Security of IT Networks
ISO/IEC 27033 (six parts). Network security. Overviews network security and describes threats and methods of design and implementation of security measures for specific scenarios. Provides guidelines on choosing security gateways and on creating virtual protected junctions.
ISO/IEC 15816. Security information objects for access control. Defines information security objects.

Security of Applications
ISO/IEC 27034 (seven parts). Application security. Provides guidelines to help organizations integrate security issues into the processes used for application management. Introduces definitions, concepts, principles, and processes involved in application security.

Management of Information Security Incidents
ISO/IEC 27035. Information security incident management. Provides a structured approach to detection, notification, and assessment of information security incidents and response to them.
ISO/IEC 27037. Guidelines for the identification, collection, acquisition and preservation of digital evidence. Provides guidelines for the activity related to handling digital evidence that is of legal significance.
ISO/IEC 27041. Guidance on assuring suitability and adequacy of incident investigative methods. Provides guidance on the suitability and adequacy of methods and processes used to investigate information security incidents.
ISO/IEC 27042. Guidelines for the analysis and interpretation of digital evidence. Provides guidelines on the analysis and interpretation of digital evidence.
ISO/IEC 27043. Incident investigation principles and processes. Provides guidelines on the implementation of processes in various incident investigation scenarios using digital evidence.

Outsourcing Security
ISO/IEC 27036 (four parts). Information security for supplier relationships. Overviews the guidance on security of information and information systems in the context of relationships with suppliers and, in particular, with providers of cloud computing services.

Intrusion Detection and Prevention Systems
ISO/IEC 27039. Selection, deployment and operation of intrusion detection and prevention systems. Provides guidelines to help organizations prepare to implement an intrusion detection and prevention system.

Services of Recovery after Acts of Nature
ISO/IEC 27040. Storage security. Provides technical instructions for organizations related to scheduling, design, documenting, and implementation of data storage security.
ISO/IEC 27038. Specification for digital redaction. Specifies the characteristics of methods to implement digital redaction of digital documents, as well as the requirements for editing software.
ISO/IEC 27050. Electronic discovery. Provides requirements and guidance for the activity related to electronic discovery, including identification, preservation, collection, handling, and analysis of information stored in electronic media.

CONCLUSIONS

The development of standards that take into account the latest achievements in scientific studies and technologies is of increasing importance. Modern standards are especially important in information technology security since they increase trust in devices and systems that implement the requirements and recommendations formulated in these standards. The review of the standards published and being developed in the specialized subcommittee of the Technical Committee on Information Technologies reflects the current state and tendencies in the standardization of information technology security processes.

REFERENCES

1. A. M. Fal’, “Standardization in information security management,” Cybern. Syst. Analysis, Vol. 46, No. 3, 512–515 (2010).
2. ISO/IEC JTC 1/SC 27 Standing Document 11, Overview of the Work of SC27.
3. Yu. I. Gorbenko, Construction and Analysis of Systems, Protocols, and Methods of Cryptographic Information Protection. Pt. 1, Methods of Construction and Analysis, Standardization and Application of Cryptographic Systems [in Ukrainian], Fort, Kharkiv (2015).