BS-ISO-13491-1-2007.pdf
《BS-ISO-13491-1-2007.pdf》由会员分享,可在线阅读,更多相关《BS-ISO-13491-1-2007.pdf(40页珍藏版)》请在三一文库上搜索。
1、BRITISH STANDARD BS ISO 13491-1:2007 Banking Secure cryptographic devices (retail) Part 1: Concepts, requirements and evaluation methods ICS 35.040; 35.240.40 ? Licensed Copy: London South Bank University, London South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI B
2、S ISO 13491-1:2007 This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2007 BSI 2007 ISBN 978 0 580 56307 2 National foreword This British Standard is the UK implementation of ISO 13491-1:2007. It supersedes BS ISO 13491-1:1998 which i
3、s withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/12, Banking, securities and other financial services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the
4、necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations. Amendments issued since publication Amd. No. DateComments Licensed Copy: London South Bank University, London South Bank University
5、, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI Reference number ISO 13491-1:2007(E) INTERNATIONAL STANDARD ISO 13491-1 Second edition 2007-06-15 Banking Secure cryptographic devices (retail) Part 1: Concepts, requirements and evaluation methods Banque Dispositifs cryptographiques d
6、e scurit (services aux particuliers) Partie 1: Concepts, exigences et mthodes dvaluation BS ISO 13491-1:2007 Licensed Copy: London South Bank University, London South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI ii Licensed Copy: London South Bank University, Londo
7、n South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references. 1 3 Terms and definitions. 2 4 Abbreviated terms 4 5 Secure cryptographic device concepts 4 5.1 General. 4 5.2 Attack scenarios. 5
8、5.3 Defence measures 6 6 Requirements for device security characteristics 8 6.1 Introduction. 8 6.2 Physical security requirements for SCDs 8 6.3 Logical security requirements for SCDs 11 7 Requirements for device management. 12 7.1 General. 12 7.2 Life cycle phases 13 7.3 Life cycle protection requ
9、irements. 14 7.4 Life cycle protection methods. 15 7.5 Accountability. 17 7.6 Device management principles of audit and control 18 8 Evaluation methods 20 8.1 General. 20 8.2 Risk assessment. 21 8.3 Informal evaluation method. 22 8.4 Semi-formal evaluation method 24 8.5 Formal evaluation method. 26
10、Annex A (informative) Concepts of security levels for system security 27 Bibliography. 30 BS ISO 13491-1:2007 Licensed Copy: London South Bank University, London South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI iv Foreword ISO (the International Organization for
11、Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the r
12、ight to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. Internation
13、al Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as
14、 an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. IS
15、O 13491-1 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2, Security management and general banking operations. This second edition cancels and replaces the first edition (ISO 13491-1:1998), which has been technically revised. ISO 13491 consists of the following p
16、arts, under the general title Banking Secure cryptographic devices (retail): Part 1: Concepts, requirements and evaluation methods Part 2: Security compliance checklists for devices used in financial transactions BS ISO 13491-1:2007 Licensed Copy: London South Bank University, London South Bank Univ
17、ersity, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI v Introduction ISO 13491 describes both the physical and logical characteristics and the management of the secure cryptographic devices (SCDs) used to protect messages, cryptographic keys and other sensitive information used in a
18、 retail financial services environment. The security of retail electronic payment systems is largely dependent upon the security of these cryptographic devices. This security is based upon the premise that computer files can be accessed and manipulated, communications lines can be “tapped” and autho
19、rized data or control inputs into system equipment can be replaced with unauthorized inputs. When Personal Identification Numbers (PINs), message authentication codes (MACs), cryptographic keys and other sensitive data are processed, there is a risk of tampering or other compromise to disclose or mo
20、dify such data. The risk of financial loss is reduced through the appropriate use of cryptographic devices that have proper characteristics and are properly managed. BS ISO 13491-1:2007 Licensed Copy: London South Bank University, London South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Unc
21、ontrolled Copy, (c) BSI blank Licensed Copy: London South Bank University, London South Bank University, Fri Nov 16 07:11:33 GMT+00:00 2007, Uncontrolled Copy, (c) BSI 1 Banking Secure cryptographic devices (retail) Part 1: Concepts, requirements and evaluation methods 1 Scope This part of ISO 13491
22、 specifies the requirements for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609 and ISO 11568. This part of ISO 13491 has two primary purposes: to state the requirements concerning both the operational characteristics of SCDs and the management
23、 of such devices throughout all stages of their life cycle, and to standardize the methodology for verifying compliance with those requirements. Appropriate device characteristics are necessary to ensure that the device has the proper operational capabilities and provides adequate protection for the
24、 data it contains. Appropriate device management is necessary to ensure that the device is legitimate, that it has not been modified in an unauthorized manner (e.g. by “bugging”) and that any sensitive data placed within the device (e.g. cryptographic keys) has not been subject to disclosure or chan
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- BS ISO 13491 2007
链接地址:https://www.31doc.com/p-3744222.html