ANSI-X9.49-1998.pdf
ANSI-X9.49-1998.pdf (96 pages), shared by a member and available to read online on 三一文库.
ANS X9.49-1998
American National Standard for Financial Services
X9.49-1998
Secure Remote Access to Financial Services For the Financial Industry

Secretariat: American Bankers Association
Approved: November 9, 1998
American National Standards Institute

Copyright American National Standards Institute. Provided by IHS under license with ANSI. Licensee=IHS Employees/1111111001, User=OConnor, Maurice. Not for Resale, 04/29/2007 13:49:13 MDT. No reproduction or networking permitted without license from IHS.

American Bankers Association X9.49-1998

American National Standard

Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer.

Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval.

Published by
American Bankers Association
1120 Connecticut Ave., NW
Washington, DC 20036 USA
Customer Service Center 1(800) 338-0626 or 1(202) 663-5087
Fax 1(202) 663-7543
E-mail
X9 Online http://www.x9.org

Copyright 1998 by American Bankers Association. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher.

Printed in the United States of America

CONTENTS

Foreword ........ i
American National Standards Institute ........ i
1. Introduction ........ 1
1.1 Scope ........ 1
1.2 Purpose ........ 1
1.3 How to use this document ........ 1
2. Definitions and Common Abbreviations ........ 3
2.1 Definitions ........ 3
2.2 ANSI References ........ 5
2.3 US Government References ........ 6
2.4 ISO References ........ 7
3. Risk Analysis ........ 7
3.1 Introduction ........ 7
3.2 Risk Level Analysis ........ 8
3.3 Environmental Considerations in the Risk Assessment ........ 9
3.4 Cryptographic Considerations in the Risk Assessment ........ 11
3.5 Optional Modifications ........ 11
3.6 Alternate Risk Assessment Methodologies ........ 12
4. Data Confidentiality ........ 12
4.1 Introduction ........ 12
4.2 Confidentiality Risk Analysis ........ 13
4.3 Minimum Security Requirements for Confidentiality ........ 14
5. Integrity ........ 15
5.1 Introduction ........ 15
5.2 Integrity Check Value ........ 15
5.3 Integrity Check Value Schemes ........ 15
5.4 MAC for Data Integrity ........ 16
5.5 Digital Signature for Data Integrity ........ 16
5.6 Data Integrity Risk Analysis ........ 17
5.7 Security Requirements for Integrity ........ 19
6. Identity Authentication ........ 19
6.1 Introduction ........ 19
6.2 Authentication Model ........ 19
6.3 Credentials and Identity Factors ........ 20
6.4 Identity Authentication Process ........ 21
6.4.1 The Authentication Process ........ 21
6.4.2 Basic Attributes of Credentials ........ 22
6.4.3 Entity Authentication via Credentials ........ 22
6.5 Options for Identity Authentication ........ 23
6.6 Entity Access Control ........ 23
6.7 Credentials and Identity Factor Characteristics ........ 23
6.7.1 Knowledge Credentials ........ 23
6.7.2 Knowledge Factor ........ 24
6.7.3 Minimum Authentication Criteria ........ 24
6.7.4 Possession Credentials ........ 25
6.7.5 Possession Identity Factor ........ 25
6.7.6 Minimum Authentication Criteria ........ 26
6.7.7 Biometric Credentials ........ 26
6.7.8 Biometric Identity Factor ........ 27
6.7.9 Minimum Authentication Criteria ........ 27
6.8 Authentication Risk Analysis ........ 27
6.8.1 Risk Questionnaires ........ 27
6.8.2 Minimum Security Requirements ........ 29
6.9 Credentials Management ........ 29
6.9.1 Credential Life Cycle ........ 29
6.9.2 Policies and Procedures ........ 29
7. Message Non-repudiation and Proof of Origin ........ 33
7.1 Introduction ........ 33
7.1.1 Rationale for Cryptographic Non-Repudiation ........ 33
7.1.2 The Generation of Digital Signatures ........ 33
7.1.3 Certification of Keys ........ 33
7.2 Repudiation Risk Analysis ........ 34
7.3 Security Requirements for Non-Repudiation ........ 35
8. Key Management ........ 36
9. Security of Remote Financial Service Data and Processes ........ 38
9.1 Financial Service Security Responsibilities ........ 39
9.2 User Authentication to the Remote Access Device ........ 39
9.3 Data Confidentiality on the Remote Access Device ........ 39
9.4 Data Integrity on the Remote Access Device ........ 39
Annex A: Risk Analysis ........ 41
A.1 Introduction ........ 41
A.2 System Risk Assessment ........ 41
A.3 Business Risk Questionnaire ........ 44
A.4 Risk Assessment ........ 45
Annex B: Relevant ANSI Standards ........ 53
Annex C: Synchronous Key Techniques ........ 59
Annex D: Authentication Schemes ........ 63
Annex E: Security Considerations ........ 65
E.1 Cryptographic Hardware ........ 65
E.2 Environmental Vulnerability ........ 67
Annex F: Risk Assessment Examples ........ 70
F.1 Game Scenario ........ 70
F.1.2 Transactions ........ 72
F.2 Risk Assessment ........ 75
F.3 Security Requirements ........ 79
Annex G: Registration Process ........ 81
G.1 Credential Application ........ 82
G.2 Credential Validation ........ 83
G.3 Service Preparation and Notification ........ 83
G.4 Service Verification ........ 84

TABLES

Table 1 Data Confidentiality Requirements ........ 13
Table 2 Data Integrity Requirements ........ 18
Table 3 Credential and Identity Factor Examples ........ 21
Table 4 Authentication Security Requirements ........ 28
Table 5 Non-Repudiation Requirements ........ 35
Table A 1 Risk Assessment Model ........ 41
Table A 2 Security Requirements Matrix ........ 52
Table E 1 Cryptographic Hardware Considerations ........ 66
Table F 1 Data Elements ........ 71
Table F 2 Environmental Risk Factors ........ 79
Table F 3 Example Security Requirements ........ 79

FIGURES

Figure 1 Digital Signature ........ 17
Figure 2 Authentication Model ........ 20
Figure 3 Authentication Flow ........ 20
Figure C 1 Synchronous Data Flow ........ 59
Figure C 2 Time Synchronous Authentication ........ 60
Figure C 3 Time Synchronous Key Management ........ 61
Figure E 1 Access Connection ........ 67
Figure F 1 Conne
Link: https://www.31doc.com/p-3729383.html