|
|
Common Criteria (ISO/IEC 15408-1 to -3:2005)
|
|
|
Procedural document dealing with the evaluation criteria for IT security. |
|
|
Physical characteristics (ISO/IEC 7810:2003)
|
|
|
|
|
|
Integrated circuit(s) with electrical contacts (ISO/IEC 7816:2006)
|
|
|
|
|
|
Interface between the card-aware applications and cards, PC/SC Specs. 1.0
|
|
|
|
|
|
Card-resistance applications, JAVACard
|
|
|
|
|
|
Contactless cards (ISO/IEC 14443:2008)
|
|
|
|
SMI Service |
|
|
|
|
|
|
|
|
Security Assertion Markup Language, SAML v1.1 (OASIS)
|
|
For CCEB interoperability the Security Assertion Markup Language
(SAML) v1.1 is mandatory and SAML 2.0 is emerging.
|
|
|
|
XKMS (W3C)
|
|
|
|
|
|
|
|
See General Security Key Management and Distribution.
For CCEB interoperability the mandatory standard is ACP145 (Gateway-to-Gateway
Messaging Protocols) and X.500 (based on CMI authentication framework).
|
Confidentiality |
|
|
|
|
|
|
|
S/MIME with Encrypted Security Service (ESS) (IETF RFCs 3850:2004, 3851:2004)
|
|
ACP120 replaced by ACP145 |
Messaging-system-independent encapsulation syntax
supporting signature and confidentiality functions based on DSA.
For CCEB interoperability the standard is S/MIME Version 3 ESS,
application layer data confidentiality or link level encryption.
|
|
|
Military Messaging (STANAG 4406 Ed.2)
|
|
ACP120 replaced by ACP145 |
This includes PCT (protected content type). PCT may be used for protection
of data objects in systems.
For CCEB interoperability the mandatory standard is ACP145
(Gateway-to-Gateway Messaging Protocols).
|
|
|
|
ITU-T X.411:1999
|
|
|
Encryption |
|
|
|
|
|
|
|
TLS v1.2 (IETF RFC 5246:2008)
|
|
SSL excluded in NCSP v.6 |
Used as a transport layer security protocol. |
|
|
|
XML Encryption (W3C)
|
|
|
|
|
Key Wrap Advanced Encryption Standard 128 (AES 128, NIST FIPS 197)
|
Key Wrap Advanced Encryption Standard 256 (AES 256, NIST FIPS 197)
|
|
PKI components and applications should utilise AES for key wrap
functions.
AES 256 should be utilized post 2008 for Root CA and Sub CA PKI
components together with SHA-384 and 512. End entities can still utilize
AES 128 together with SHA-256.
For CCEB interoperability the AES standard is emerging.
|
Integrity |
|
|
|
|
|
|
|
IP ESP (RFC 2406:1998)
|
|
|
Encapsulating Security Payload (ESP) may support integrity and authentication,
depending on the algorithms used.
|
|
|
Digital Signature Algorithm 1024 (DSA-1024,
NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
Elliptic Curve Digital Signature Algorithm
(ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
Digital Signature Algorithm (original version) not for new systems |
Authentication and integrity algorithm for End Entities as
mandated by the interoperability protocol PCT for implementing digital
signatures for a NATO Public Key Infrastructure (PKI) in the NATO
messaging system. ECDSA 384 is planned for post 2008. Guidance is
provided in AC/322-D(2004)0035.
For CCEB interoperability the Digital Signature Algorithm (DSA) NIST
FIPS 186-2 is mandatory. DSA FIPS 186-2 can be used in NATO for
verification purposes only.
|
|
|
RSA 2048 (PKCS#1 v2.1 RSA Cryptography
Standard, RSA Laboratories, June 2002)
|
Elliptic Curve Digital Signature Algorithm
(ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
|
Authentication and integrity algorithm for Sub CA and other PKI
components (such as Key Recovery Agents) as mandated by the
interoperability protocol PCT for implementing digital signatures for a
NATO Public Key Infrastructure (PKI) in the NATO messaging system. ECDSA
384 is planned for post 2008. Guidance is provided in AC/322-D(2004)0035.
For CCEB interoperability the Digital Signature Algorithm (DSA) NIST
FIPS 186-2 is mandatory.
|
|
|
Secure Hash Algorithm 256 (SHA-256, NIST FIPS
180-2 with Change Notice 1, Feb 2004)
|
Secure Hash Algorithm 384 (SHA-384, NIST FIPS
180-2 with Change Notice 1, Feb 2004)
|
Secure Hash Algorithm (SHA-1), NIST FIPS
180-1 replaced by SHA-256
|
Hash algorithm to accompany the DSA and RSA for use in NMS. SHA-384
is planned for post 2008. Guidance is provided in AC/322-D(2004)0035.
For CCEB interoperability the standard SHA-1, NIST FIPS 180-1, is
mandatory. SHA-1 can be used in NATO for verification purposes only.
|
Authentication |
|
|
|
|
|
|
|
RADIUS, IETF RFC 2865:2000 updated by RFC 2868:2000, 3575:2003, 5080:2007
|
RADIUS and IPv6, IETF RFC 3162:2001
|
|
|
|
|
|
Single sign on (SSO, the Open Group)
|
|
|
|
|
Directory Authentication Framework (ITU-T X.509 v3, ISO 9594:2001)
|
|
|
|
|
|
Identification of Issuers (ISO 7812:2007)
|
|
|
|
|
|
|
XML Signature (W3C)
|
|
|
|
|
|
XACML v2.0 (OASIS)
|
|
|
Detection |
|
|
|
|
|
Transsec |
|
|
|
|
|