Page 1

Recent Developments in ISO Security Standardization and JTC 1/SC 27

Walter Fumy, SC 27 Chairman

9th ETSI Security Workshop, Sophia Antipolis, January 2014

Page 2

Agenda

• ISO level
  • Alignment of Management System Standards (MSS)
  • New Security Coordination Initiative
• SC 27 level
  • WG 1: New editions of ISO/IEC 27001 and ISO/IEC 27002
  • WG 2: Advanced crypto techniques; intentional weaknesses in crypto standards?
  • WG 3, WG 4, WG 5 (⇒ Session 4)
• Collaboration with ETSI

Page 3

ISO Management System Standards (MSS)

• ISO 9001, Quality systems - Model for quality assurance in design/development, production, installation and servicing, was published in December 1987
• Since then the range of ISO management system standards has expanded from environment (1996) through security (2000) to business continuity (2012)
• Many companies use more than one management system standard
• To make this easier, ISO has decided that all MSS should have the same structure and contain many of the same terms and definitions. This will make the standards easier and cheaper to use, and help auditors.
• All ISO management system standards are based on the principle of continual improvement (aka PDCA)
• Audits are a vital part of ISO's management system approach, as they enable an organization to check how far its achievements meet its objectives
• ISO 19011:2011 provides specific guidance on internal and external management system audits
• Accredited ISO MSS certifications approach 1.5 million per year

Page 4

ISO Survey 2012

• ISO does not perform certification: organizations looking to get certified to an ISO standard must contact an independent certification body
• The ISO Survey counts certificates issued by certification bodies that have been accredited by members of the International Accreditation Forum (IAF)
• The ISO Survey 2012 shows a significant increase in certificates for ISO/IEC 27001 (information security, +13%), ISO 22000 (food safety management, +20%) and ISO 50001 (energy management, +332%)
  • at least 19,577 ISO/IEC 27001:2005 certificates issued in 103 countries
  • top three countries by number of certificates: Japan, UK and India
  • top three for growth in 2012: Romania, Japan and China

http://www.iso.org/iso/home/standards/certification/iso-survey.htm

Page 5

Annex SL of the Consolidated ISO Supplement of the ISO/IEC Directives

All ISO technical work, including the development of standards, is carried out under the overall management of the Technical Management Board (TMB).

ISO/TMB *) has produced Annex SL with the objective of delivering consistent and compatible MSS.

Annex SL (previously ISO Guide 83) defines the framework for a generic ISO management system standard
• All new ISO MSS have to adhere to this framework, and all current ISO MSS will migrate to it at their next revision
• In future all ISO MSS should be consistent and compatible; they should all have the same look and feel
• For management system auditors, this means that every audit will have a core set of generic requirements to address, no matter which discipline
• This could be the beginning of the end of the conflicts, duplication, confusion and misunderstanding arising from different ISO MSS
• MSS writers can concentrate their development efforts on the discipline-specific requirements of their MSS

*) via its Joint Technical Coordination Group on MSS

Page 6

ISO MSS use of Annex SL: current status of harmonization (examples)

Published
• ISO 22301:2012, Societal security – Business continuity management systems – Requirements (deviation on the definition of "risk")
• ISO 22313:2012, Societal security – Business continuity management systems – Guidance
• ISO 39001:2012, Road-traffic safety management systems – Requirements with guidance for use
• ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

Under development / in revision
• ISO 34001, Security management system – Requirements
• ISO 14001, Environmental management systems – Requirements with guidance for use
• ISO 9001, Quality management systems – Requirements

Page 7

[Figure slide; graphic not reproduced in this extraction] Source: ISO Security Forum, October 2013

Page 8

[Figure slide; graphic not reproduced in this extraction] https://www.iso.org/obp/ui/ Source: ISO Security Forum, October 2013

Page 9

ISO Security Forum, October 2013: recommendation to the Technical Management Board (TMB)

Establishment of a Joint Technical Coordination Group for the security sector (JTCG-Security), with terms of reference to include
• Share experiences, challenges and opportunities for collaboration and harmonization across work items, and harmonize existing projects where appropriate
• Harmonize terms and definitions, including the definition of "security"
• Identify gaps in security standardization activities and the resulting opportunities
• Avoid overlap and duplication
• Review the TC/SC structure and scopes and propose modifications as appropriate for TMB approval
• Provide advice to ISO committees and groups on security-related issues
• Promote ISO security-related activities (communications function)
• Develop a vision for security-related activities, and organize a bi-annual (depending on length of term) security conference
• …

Page 10

JTC 1/SC 27 – IT Security Techniques: mission and scope

SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
• Information Security Management Systems (ISMS): requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security;
• Cryptographic mechanisms;
• Security evaluation criteria and methodology;
• Security services;
• Security aspects of identity management, biometrics and privacy.

Page 11

JTC 1/SC 27 – IT Security Techniques: organization

ISO/IEC JTC 1/SC 27, IT Security techniques
• Chair: Mr. W. Fumy; Vice-Chair: Ms. M. De Soete
• SC 27 Secretariat: DIN, Ms. K. Passia

Working groups
• WG 1: Information security management systems (Convener: Mr. T. Humphreys)
• WG 2: Cryptography and security mechanisms (Convener: Mr. T. Chikazawa)
• WG 3: Security evaluation, testing and specification (Convener: Mr. M. Bañón)
• WG 4: Security controls and services (Convener: Mr. J. Amsenga)
• WG 5: Identity management and privacy technologies (Convener: Mr. K. Rannenberg)

http://www.jtc1sc27.din.de/en

Page 12

Projects: facts and figures

Projects
• Total number of projects: 206
• Number of active projects: 79 (11 new projects in 2013)
• Published standards: 130 (22 publications in 2013)

Standing Documents
• SD6 Glossary of IT security terminology (http://www.jtc1sc27.din.de/sbe/SD6)
• SD7 Catalogue of SC 27 projects and standards (http://www.jtc1sc27.din.de/sbe/SD7)
• SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11)
• SD12 Assessment of cryptographic algorithms and key lengths (http://www.jtc1sc27.din.de/sbe/SD12)

More information
• http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=45306

Page 13

Recent Publications (1/2)

• ISO/IEC TR 15443: Security assurance framework – Part 1: Introduction and concepts (2nd ed.); Part 2: Analysis (2nd ed.)
• ISO/IEC 27000: Information security management systems – Overview and vocabulary (3rd ed.)
• ISO/IEC 27001: Information security management systems – Requirements (2nd ed.)
• ISO/IEC 27002: Code of practice for information security controls (2nd ed.; the 2005 edition was titled "Code of practice for information security management")
• ITU-T Recommendation X.1054 | ISO/IEC 27014: Governance of information security
• ISO/IEC TR 27015: Information security management guidelines for financial services
• ISO/IEC TR 27019: Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
• ISO/IEC 27033: Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
• ISO/IEC 27036: Information security for supplier relationships – Part 1: Overview and concepts; Part 3: Guidelines for information and communication technology supply chain security

Page 14

Recent Publications (2/2)

• ISO/IEC 27037: Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 20008: Anonymous digital signatures – Part 1: General; Part 2: Mechanisms using a group public key
• ISO/IEC 20009: Anonymous entity authentication – Part 1: General; Part 2: Mechanisms based on signatures using a group public key
• ISO/IEC 29192: Lightweight cryptography – Part 4: Mechanisms using asymmetric techniques
• ISO/IEC 29101: Privacy architecture framework
• ISO/IEC 29115: Entity authentication assurance framework
• ISO/IEC 29191: Requirements for partially anonymous, partially unlinkable authentication
• ISO/IEC 30111: Vulnerability handling processes

Page 15

ISO/IEC 27001: ISMS Requirements

• ISO/IEC 27001:2013 is a certifiable, auditable standard
  • based on a mandatory risk-based approach
  • aims at achieving effective information security through a continual improvement process (PDCA model)
  • uses the same management system process model as ISO 9001 (QMS) and ISO 14001 (EMS)
  • aligned with Annex SL
• ISO/IEC 27001:2005 was a revised version of BS 7799 Part 2:2002
• 2nd edition: ISO/IEC 27001:2013, published 2013-10-01

Page 16

ISO/IEC 27001:2013: major benefits of the new edition

• ISO/IEC 27001:2013 takes into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005
  • provides a more flexible, streamlined approach, which should lead to more effective risk management
  • improvements to the security controls listed in Annex A ensure that the standard remains current and is able to deal with today's risks, namely identity theft, risks related to mobile devices and other online vulnerabilities
• ISO/IEC 27001:2013 fits the new high-level structure used in all ISO management system standards (Annex SL)
  • integration with other management systems becomes an easy option

Page 17

ISO/IEC 27002: Code of practice for information security management

ISO/IEC 27002 is a catalogue of best practices, not a certifiable or auditable standard
• based on BS 7799-1:1999
• 1st edition: ISO/IEC 17799:2000
• 2nd edition: ISO/IEC 17799:2005
• renumbered as ISO/IEC 27002:2005 in 2007
• 3rd edition of ISO/IEC 27002 published 2013-10-01

Control clauses of the 2013 edition (14):
• Security policies
• Organisation of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Systems acquisition, development and maintenance
• Supplier relationships
• Security incident management
• Business continuity management
• Compliance

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306

Page 18

SC 27/WG 1: ISMS family of standards

Core
• IS 27000: ISMS overview and vocabulary
• IS 27001: ISMS requirements
• IS 27002: Code of practice

Supporting guidelines
• IS 27003: ISMS implementation guidance
• IS 27004: Information security management measurement
• IS 27005: Information security risk management

Accreditation requirements and auditing guidelines
• IS 27006: Accreditation requirements
• IS 27007: ISMS auditing guidelines
• TR 27008: Guide for auditors on ISMS controls

Sector-specific requirements and guidelines
• WD 27009: Use and application of 27001 for sector-specific third-party certifications
• IS 27010: ISMS for inter-sector communications
• IS 27011 / ITU-T X.1051: Telecom sector ISMS guidelines based on 27002
• TR 27015: ISMS guidelines for financial services
• CD 27017: Code of practice for cloud computing services based on 27002
• TR 27019: Energy industry ISMS guidelines based on 27002

Page 19

SC 27/WG 2: Cryptography and security mechanisms

Cryptographic protocols
• Entity authentication (IS 9798)
• Key management (IS 11770)
• Non-repudiation (IS 13888)
• Time stamping services (IS 18014)

Message authentication
• Message authentication codes (IS 9797)
• Hash functions (IS 10118)
• Check character systems (IS 7064)

Digital signatures
• Signatures giving message recovery (IS 9796)
• Signatures with appendix (IS 14888)
• ECC techniques (IS 15946)

Encryption and modes of operation
• Encryption (IS 18033)
• Modes of operation (IS 10116)
• Authenticated encryption (IS 19772)
• Lightweight cryptography (IS 29192)

Parameter generation
• Random bit generation (IS 18031)
• Prime number generation (IS 18032)

Other
• Biometric template protection (IS 24745)

Page 20

ISO/IEC 29192 – Lightweight cryptography

ISO/IEC 29192-1: General, 1st edition 2012

ISO/IEC 29192-2: Block ciphers, 1st edition 2012
• 64-bit block cipher PRESENT (key size 80 or 128 bits)
• 128-bit block cipher CLEFIA (key size 128, 192 or 256 bits)

ISO/IEC 29192-3: Stream ciphers, 1st edition 2012
• Enocoro (key size 80 or 128 bits)
• Trivium (key size 80 bits)

ISO/IEC 29192-4: Mechanisms using asymmetric techniques, 1st edition 2013
• identification scheme cryptoGPS
• authentication and key exchange mechanism ALIKE (Authenticated Lightweight Key Exchange, previously known as SPAKE)
• ID-based signature scheme IBS

ISO/IEC 29192-5: Hash-functions, WD
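To make the first entry of Part 2 concrete, here is an added example, written for this page rather than taken from the slides, from SC 27 or from the cipher's designers: a plain implementation of PRESENT with an 80-bit key, following the structure published by Bogdanov et al. at CHES 2007 (31 rounds of key addition, a single 4-bit S-box applied 16 times, and a bit permutation, plus a final key whitening) that ISO/IEC 29192-2 standardizes. It uses only the Python standard library; the only external value is the all-zero key/plaintext test vector from the PRESENT paper.

```python
# Added example: PRESENT-80 (ISO/IEC 29192-2), 64-bit block, 80-bit key.
# Bit 0 is the least significant bit of the state, as in the specification.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1
ROUNDS = 31


def _permute_index(i):
    """pLayer: state bit i moves to bit position 16*i mod 63; bit 63 stays put."""
    return 63 if i == 63 else (16 * i) % 63


def _sbox_layer(state, table):
    """Apply the 4-bit S-box (or its inverse) to each of the 16 nibbles."""
    out = 0
    for i in range(16):
        out |= table[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def _p_layer(state):
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << _permute_index(i)
    return out


def _inv_p_layer(state):
    out = 0
    for i in range(64):
        if (state >> _permute_index(i)) & 1:
            out |= 1 << i
    return out


def round_keys_80(key):
    """PRESENT-80 key schedule: 32 round keys of 64 bits from an 80-bit key."""
    if not 0 <= key <= MASK80:
        raise ValueError("key must be an 80-bit integer")
    keys = []
    k = key
    for counter in range(1, ROUNDS + 1):
        keys.append(k >> 16)                                # round key = leftmost 64 bits
        k = ((k << 61) | (k >> 19)) & MASK80                # rotate register left by 61 bits
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))  # S-box on the leftmost nibble
        k ^= counter << 15                                  # XOR round counter into bits 19..15
    keys.append(k >> 16)                                    # K_32, used for final whitening
    return keys


def present_encrypt(block, key):
    if not 0 <= block <= MASK64:
        raise ValueError("block must be a 64-bit integer")
    keys = round_keys_80(key)
    state = block
    for r in range(ROUNDS):
        state = _p_layer(_sbox_layer(state ^ keys[r], SBOX))
    return state ^ keys[ROUNDS]


def present_decrypt(block, key):
    if not 0 <= block <= MASK64:
        raise ValueError("block must be a 64-bit integer")
    keys = round_keys_80(key)
    state = block ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        state = _sbox_layer(_inv_p_layer(state), INV_SBOX) ^ keys[r]
    return state


if __name__ == "__main__":
    # Test vector from the PRESENT paper: all-zero key and plaintext.
    ct = present_encrypt(0, 0)
    print(f"PRESENT-80(0, 0) = {ct:016X}")
    print("round trip ok:", present_decrypt(ct, 0) == 0)
```

Two practitioner notes follow from the parameters on the slide. The 80-bit key size is below the 112-bit floor that SD12 and most current key-length guidance treat as the minimum for general-purpose use; it is chosen for constrained hardware, not for long-lived data. And a 64-bit block means the birthday bound is reached after roughly 2^32 blocks (32 GiB) under one key in modes such as CBC or CTR, so key rotation limits matter far more than they do with a 128-bit block cipher.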

Page 21

Advanced crypto at SC 27/WG 2 also includes

ISO/IEC 18033 – Encryption algorithms – Part 5: Identity-based ciphers (status: CD)

ISO/IEC 18370 – Blind digital signatures – Part 1: General (WD); Part 2: Discrete logarithm based mechanisms (WD)

ISO/IEC 20008 – Anonymous digital signatures – Part 1: General, 2013; Part 2: Mechanisms using a group public key, 2013

ISO/IEC 20009 – Anonymous entity authentication – Part 1: General, 2013; Part 2: Mechanisms based on signatures using a group public key, 2013; Part 3: Mechanisms based on blind signatures (WD); Part 4: Mechanisms based on weak secrets (WD)

WG 2 Study Periods include
• Homomorphic encryption schemes
• Homomorphic secret sharing schemes
• Broadcast encryption

Page 22

Intentional weaknesses in crypto standards? Discussion in the media

In recent weeks there has been much discussion, both in the press and in academic circles, regarding intentional weaknesses in crypto standards.
• "The agency has influenced the international standards upon which encryption systems rely"
• "NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document [provided by Edward Snowden]. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. 'Eventually, NSA became the sole editor,' the document states."

18.10.2013

Page 23

Dealing with encryption

To deal with encryption, agencies may
• work with security product vendors to subvert the underlying cryptography, e.g.
  • make the random number generator less random, thus reducing effective key lengths
  • implant backdoors which leak the key somehow
• work with standards bodies to promote weak algorithms
• leverage secret mathematical breakthroughs
• construct quantum computers
• …

Page 24

Dual_EC_DRBG: flawed deterministic random bit generation

• NIST Special Publication 800-90 (2006) specifies four different algorithms called "deterministic random bit generators", or DRBGs.
• Documents provided by Edward Snowden indicate the NSA played a crucial role in writing NIST SP 800-90.
• Possible weaknesses were identified in one of the algorithms specified, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG).
• NIST has recommended that Dual_EC_DRBG should not be used, see http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf: "Concern has been expressed about one of the DRBG algorithms in SP 800-90/90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm. This algorithm includes default elliptic curve points for three elliptic curves […], recent community commentary has called into question the trustworthiness of these default elliptic curve points."
• Dual_EC_DRBG is also specified in ANS X9.82 and in the current (2011) edition of ISO/IEC 18031: Random bit generation.
• Dual_EC_DRBG is included in many cryptographic libraries (e.g., those offered by Microsoft, Cisco, Symantec and RSA).
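Why the provenance of the default points is the crux, and how "a backdoor which leaks the key" can look in a standardized generator: the following is an added example written for this page, not text or code from the slides, from NIST, ANSI or ISO. It builds a toy Dual_EC_DRBG over a tiny curve of its own (a prime-order curve over the field of 1019 elements, found at run time), deliberately chooses the second point as Q = d^-1 * P so that P = d * Q, and then shows that whoever holds d recovers the generator's internal state from a handful of truncated outputs and predicts everything that follows. This is the structural observation Shumow and Ferguson published in 2007; the curve, the secret d, the seed and the 8-bit truncation are all constructed for illustration, and whether the NIST default points were generated with such a d is not something this page establishes.

```python
# Added example: toy Dual_EC_DRBG with a trapdoored point pair (P, Q).
# Everything numeric here is constructed for the demonstration, not a NIST parameter.

P_MOD = 1019      # tiny prime field, p ≡ 3 (mod 4) so square roots are one exponentiation
OUT_BITS = 8      # emit the low 8 of ~10 x-coordinate bits (real Dual_EC drops 16 of 256)


def legendre(v):
    """1 if v is a nonzero square mod p, -1 if a non-square, 0 if v ≡ 0."""
    v %= P_MOD
    if v == 0:
        return 0
    return 1 if pow(v, (P_MOD - 1) // 2, P_MOD) == 1 else -1


def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def find_curve(a=1):
    """Pick b so that y^2 = x^3 + a*x + b has prime order n > p and no point with
    x = 0; then every state value in [1, p) is a nonzero scalar mod n and the
    scalar multiplications below never land on the point at infinity."""
    for b in range(1, P_MOD):
        if (4 * a ** 3 + 27 * b ** 2) % P_MOD == 0 or legendre(b) != -1:
            continue
        n = 1 + sum(1 + legendre(x ** 3 + a * x + b) for x in range(P_MOD))
        if n > P_MOD and is_prime(n):
            return a, b, n
    raise RuntimeError("no suitable curve found")


A, B, N = find_curve()


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """A curve point with x-coordinate x, or None if no such point exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    if legendre(rhs) != 1:
        return None
    return x, pow(rhs, (P_MOD + 1) // 4, P_MOD)


# Base point P, and Q = d^-1 * P so that P = d * Q. The designer who chose Q this
# way keeps d; everyone else just sees two "default points".
P_PT = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt is not None)
TRAPDOOR_D = 0x1337 % N
Q_PT = mul(pow(TRAPDOOR_D, -1, N), P_PT)


def dual_ec_step(s):
    """One Dual_EC iteration: s' = x(s*P); output = x(s'*Q) with the top bits dropped."""
    s_new = mul(s, P_PT)[0]
    r = mul(s_new, Q_PT)[0]
    return s_new, r & ((1 << OUT_BITS) - 1)


def dual_ec_outputs(seed, count):
    """The generator as its users see it: `count` truncated outputs from a seed."""
    s, outs = seed, []
    for _ in range(count):
        s, r = dual_ec_step(s)
        outs.append(r)
    return outs


def outputs_from_state(state, count):
    """Outputs once the internal state equals `state`: the one derived from it, then the rest."""
    first = mul(state, Q_PT)[0] & ((1 << OUT_BITS) - 1)
    return [first] + dual_ec_outputs(state, count - 1)


def recover_state(observed, d):
    """Attacker holding d: rebuild R = s'*Q from observed[0] (guessing the dropped
    high bits; either sign of y works), compute d*R = s'*P whose x is the next
    state, keep the candidate that reproduces the remaining observed outputs,
    and advance it to the state after the last observed output."""
    for high in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = (high << OUT_BITS) | observed[0]
        if x >= P_MOD:
            continue
        r_pt = lift_x(x)
        if r_pt is None:
            continue
        state = mul(d, r_pt)[0]
        if outputs_from_state(state, len(observed) - 1) != observed[1:]:
            continue
        for _ in range(len(observed) - 2):
            state = mul(state, P_PT)[0]
        return state
    return None


def demo(seed=679, observed=4, predict=4):
    """Give the attacker `observed` outputs only; return (what the generator emits
    next, what the attacker predicted) so the two can be compared."""
    outs = dual_ec_outputs(seed, observed + predict)
    state = recover_state(outs[:observed], TRAPDOOR_D)
    return outs[observed:], dual_ec_outputs(state, predict)
```

Without d, turning R back into the state means solving the discrete logarithm between P and Q, which is exactly the hard problem the generator's security rests on; with d it costs a few scalar multiplications per guess of the dropped bits (here 4 guesses, in the real generator 2^16). The point is not that the toy curve is weak but that anyone able to fix Q relative to P holds this capability, and users who cannot verify how the default points were generated cannot rule it out, which is the trust question in the NIST bulletin quoted above.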

Page 25

Way forward

ISO/IEC 18031
• Cautionary note on the use of Dual_EC_DRBG: http://isotc.iso.org/livelink/livelink/open/16315553
• Study Period initiated to carefully review the security issues for Dual_EC_DRBG and to revise ISO/IEC 18031 as appropriate. The Study Period will further analyse whether other mechanisms in this standard are affected.

General
• Always ensure a sufficient amount of independent cryptographic research.
• Fight a general mistrust of NIST proposals; do not forget that NIST has done a great job with cryptographic competitions, both a decade ago with AES and recently with SHA-3.
• ISO can (and should) play a vital role in restoring trust in cryptography and cryptographic security, because ISO provides an open, free and independent framework for assessing the security of cryptographic mechanisms.

Page 26

20+3 years of SC 27 … and the tour continues

• April 7-15, 2014: Hong Kong, China (WGs and Plenary)
• Oct 20-24, 2014: Mexico City, Mexico (WGs)
• May 4-12, 2015: Kuching, Malaysia (WGs and Plenary)
• Oct 26-30, 2015: Jaipur, India (WGs)

https://en.wikipedia.org/wiki/ISO/IEC_JTC_1/SC_27

Page 27

Collaboration with ETSI

• April 2013: joint security workshop between ETSI and SC 27 to explore areas of mutual interest and future collaboration.
• The workshop identified 12 specific areas for potential collaboration and recommended establishing or continuing collaborative dialogues and/or liaisons to further cooperative working.
• Next coordination meeting: tonight

ETSI body, SC 27 working group, topic
• TC M2M, WG 2: use of SC 27 standards
• TC M2M, WG 5: privacy and identity management
• TC ESI, WG 4: trust services
• TC ITS, WG 3: trusted platforms
• TC ITS, WG 1: ISO/IEC 27009 for trust services
• TC ITS, WG 5: use of privacy and identity management frameworks
• TC NTECH, WG 3: design for assurance
• TC NTECH, WG 5: privacy
• MTS, WG 3: Cat C liaison
• ISG ISI, WG 4: continued collaborative dialogue
• ISG ISI, WG 1: information security indicators and measurements
• SAGE, WG 2: cryptographic algorithms

Page 28

Thank you for your attention!