
Appendix A - Technical Protection References

The following references may be useful in determining and evaluating the protection and/or tamper resistance features of hardware tokens, software tokens and one-time password devices.

Ant Allan, Authentication Tokens: Overview, Gartner Research. DPRO-104977 (www.gartner.com)

Contains tables of:

  • relevant authentication algorithms and protocols from the ISO/IEC standards, ANSI standards, FIPS publications, IETF standards and ITU-T standards
  • hardware token standards: ISO/IEC Identification Cards standards, RSA Lab’s PKCS Cryptographic Tokens and PC/SC specifications
  • vendors’ authentication tokens.

ISO/IEC JTC 1/SC 27 and TC 68/SC 2*

ISO/IEC 15408 series. Information Technology - Security Techniques - Evaluation Criteria for IT Security:

  • Part 1: Introduction and General Model (ISO/IEC 15408-1:2005)
  • Part 2: Security and Functional Requirements (ISO/IEC 15408-1:2005)
  • Part 3: Security Assurance Requirements (ISO/IEC 15408-3:2005).

ISO/IEC 15443 series. Information Technology – Security Techniques – A Framework for IT Security Assurance:

  • Part 1: Overview and Framework (ISO/IEC TR 15443-1:2005)
  • Part 2: Assurance Methods (ISO/IEC TR 15443-2:2005)
  • Part 3: WD TR 15443-3.

ISO/IEC 18045:2005. Information technology - Security Techniques - Methodology for IT Security Evaluation.

ISO/IEC FDIS 19790. Information Technology - Security Techniques - Security Requirements for Cryptographic Modules. (This standard has been derived from NIST Federal Information Processing Standard PUB 140-2)

ISO/IEC 21827:2002. Information Technology - Systems Security Engineering - Capability Maturity Model.

ISO/IEC NP 24745. Information Technology - Biometric Template Protection.

ISO/IEC NP 24759. Information Technology - Security Techniques – Requirements for Cryptographic Modules.

ISO/IEC NP 24761. Biometric Authentication Context.

ISO 13491 series. Banking - Secure Cryptographic Devices (retail):

  • Part 1: Concepts, Requirements and Evaluation Methods (ISO 13491-1:1998 / ISO/CD 13491-1)
  • Part 2: Security Compliance Checklists for Devices used in Financial Transactions (ISO 13491-2:2005).

ISO 19092 series. Financial Services - Biometrics:

  • Part 1: Security Framework (ISO/DIS 19092-1)
  • Part 2: Cryptographic Techniques (ISO/CD 19092-2).

*The full list of ISO/IEC standards for JTC 1/SC 27 and TC 68/SC 2 should be reviewed for new publications.

Common Criteria Protection Profiles.

Common Criteria (www.commoncriteriaportal.org)

  • Protection Profile – Secure Signature – Creation Device Type 1, Type 2, and Type 3. April 2002.
  • Public Key Infrastructure and Key Management Infrastructure Token (Medium Robustness) PP. March 2002.
  • Smart Card IC Platform PP. July 2001.
  • Smart Card IC with Multi-Application Secure Platform. January 2001.
  • Smart Card Integrated Circuit with Embedded Software. July 1999.
  • Smart Card User Group – Smart Card Protection Profile. October 2001.
  • U.S. Government Biometric Verification Mode Protection Profile for Medium Robustness Environments. November 2003.

Communications Electronics Security Group (www.cesg.gov.uk)

  • Biometric Device Protection Profile (BDPP). UK Government Biometrics Working Group. Draft Issue 0.82. 5 September 2001.
  • Best Practices in Testing and Reporting Performance of Biometric Devices, Version 1.0, 12 January 2000.

Other

Security Requirements for Cryptographic Modules. Federal Information Processing Standards PUB 140-2. 25 May 2001. (Note ISO/IEC 19790:2006 is derived from this standard)

Information Technology Security Evaluation Criteria (ITSEC), Harmonized Criteria of France – Germany – the Netherlands – the United Kingdom, Version 1.1, January 1991.

Department of Defense, Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985.
