New ISO/IEC 24759 for IT Cryptography

Face it — Information security is at the top of many companies’ lists of potential liabilities after the recent spate of hacking incidents.  And one of the most potent methods of avoiding the loss of essential information (or authentication fraud) is the use of cryptography.  This refers to the use of an algorithm (a computational procedure) that takes variable inputs (not only text) and transforms them, a process normally called encryption, into an output that can only be recovered by a partner who holds the key.  So the new 2nd edition of ISO/IEC 24759 supports the recently updated ISO/IEC 19790.  ISO/IEC 19790 defines requirements for 4 levels of security; ISO/IEC 24759 provides the methods that test labs use to confirm that a specific product meets these requirements.  Titled “Information technology – Security techniques – Test requirements for cryptographic modules,” ISO/IEC 24759 is also used by software vendors to verify their modules prior to submission to a test lab.

When are you going to use these techniques?  You’ll do a risk analysis of course, but frequently they’re employed for high value transactions, or when data sensitivity requires care (think of personal identity information, classified government data, or trade secrets).  Knowing that the software you use meets the ISO/IEC requirements gives you the assurance you need to confirm that your data is being well protected.

This new update is 134 pages in length.  The bulk of the document is taken up with Clause 6, which specifies the methods that test labs use to evaluate any cryptographic module and the information that a vendor must supply to that lab for the evaluation.  The layout corresponds to the ISO/IEC 19790 standard: 11 sub-clauses match the 11 areas of security requirements, and 6 further sub-clauses parallel the 6 Annexes.

The 11 security requirements are:

  1. General
  2. Cryptographic module specification
  3. Cryptographic module interfaces
  4. Roles, services and authentication
  5. Software/Firmware security
  6. Operational environment
  7. Physical security
  8. Non-invasive security
  9. Sensitive security parameter management
  10. Self-tests
  11. Life-cycle assurance

FYI: The 6 Annexes are:

  • Documentation Requirements
  • Cryptographic module security policy
  • Approved security functions
  • Approved sensitive security parameter generation and establishment methods
  • Approved authentication mechanisms
  • Approved non-invasive attack mitigation test metrics

As you can see, the two standards are comprehensive in their coverage of the challenges and requirements for the use of cryptography.

For the standards I’ve reviewed here, or any ISO, IEC or ISO/IEC standard you need, go to our webstore at www.document-center.com.  Or you can contact our staff by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com).  We’ve been working with standards since 1982 and have the depth of knowledge you need to support your conformance documentation requirements.  Make Document Center your Standards Experts!

Published by

Claudia Bach

Claudia Bach is the President of Document Center Inc. and a world-wide recognized expert on Standards and Standards Distribution. You can connect with her on Google+
