| Service | Standard(s) | Remarks |
|---|---|---|
| | Community Security Requirements Statement abstract, v1.1 (NATO:2010) | Used in Profile: AMN |
| | Common Criteria (ISO/IEC 15408-1:2009, -2 to -3:2008) | Procedural document dealing with the evaluation criteria for IT security. Guidance on the use of Common Criteria within NATO is provided in AC/322-D(2010)0043. |
| | Physical characteristics (ISO/IEC 7810:2003) | |
| | Integrated circuit(s) with electrical contacts (ISO/IEC 7816:2006) | Base profile, consisting of parts 1-5. |
| | Interface between the card-aware applications and cards, PC/SC Specs. v.2.0.1.9:2005 | |
| | Card-resident applications, JAVACARDkit v.2.2.2:2006 | |
| | Contactless cards (ISO/IEC 14443:2008) | Base profile, consisting of parts 1-3. |
| SMI Service | Web-Services Security Profile (WSS), v1.0 (OASIS) | Used in Profile: AMN |
| | WS Security Policy, v1.3:2009 (OASIS) | |
| | Security Assertion Markup Language, SAML v2.0 (OASIS) | For CCEB interoperability the Security Assertion Markup Language (SAML) v1.1 is mandatory and SAML 2.0 is emerging. |
| | XKMS 2.0 (W3C):2005 | Used in Profiles: AMN, tactESB |
| | | See General Security Key Management and Distribution. For CCEB interoperability the mandatory standard is ACP145(A) (Messaging Services Between Nations) and X.500 (based on CMI authentication framework). |
| Confidentiality | S/MIME with Encrypted Security Service (ESS) (IETF RFCs 3850:2004, 3851:2004) | ACP120 replaced by ACP145. Messaging-system-independent encapsulation syntax supporting signature and confidentiality functions based on DSA. For CCEB interoperability the standard is S/MIME Version 3 ESS, application layer data confidentiality or link level encryption. |
| | ITU-T X.411:1999 | |
| | SCIP Signalling Plan, SCIP-210 rev.3.3:2010 (IICWG) | For CCEB interoperability the SCIP standard is mandatory. |
| | Minimum Requirements for SCIP, SCIP-214 rev.1.1:2010 (IICWG) | For CCEB interoperability the SCIP standard is mandatory. |
| | Cryptography Specification for SCIP, SCIP-231 rev.1.3:2008 (IICWG) | For CCEB interoperability the SCIP standard is mandatory. |
| | XML Confidentiality Label Syntax 1.0 (NATO RTG-031) | Used in Profile: AMN |
| | SOAP Message Security 1.1:2004 (OASIS) | |
| | Username Token Profile, v1.1:2004 (OASIS) | |
| | X.509 Certificate Token Profile, v1.1:2004 (OASIS) | |
| | NATO PKI (NPKI) Certificate Policy, rev.2 (NATO:2008) | Used in Profile: AMN |
| | Kerberos Token Profile 1.1:2006 (OASIS) | |
| | SAML Token Profile 1.1:2006 (OASIS) | |
| | SOAP Messages with Attachments (SwA) Profile 1.1:2006 (OASIS) | |
| | WS-Security Utility 1.0:2001 (OASIS) | |
| | WS-Trust 1.4:2007 (OASIS) | |
| Encryption | TLS v1.2 (IETF RFC 5246:2008) | SSL excluded in NCSP v.6. Used as a transport layer security protocol. Used in Profiles: AMN (v1.1), tactESB |
| | XML Encryption (W3C):2008 | Used in Profile: tactESB |
| | Key Wrap Advanced Encryption Standard 128 (AES 128, NIST FIPS 197:2002); Key Wrap Advanced Encryption Standard 256 (AES 256, NIST FIPS 197) | PKI components and applications should utilise AES for key wrap functions. AES 256 should be utilised post 2008 for Root CA and Sub CA PKI components, together with SHA-384 and SHA-512. End entities can still utilise AES 128 together with SHA-256. For CCEB interoperability AES 128 is emerging. |
| Integrity | IP ESP (RFC 4303:2005) | Encapsulating Security Payload (ESP) may support integrity and authentication, depending on the algorithms used. |
| | Digital Signature Algorithm 1024 (DSA-1024, NIST FIPS 186-2 with Change Notice 1, Oct 2001); Elliptic Curve Digital Signature Algorithm (ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001) | Digital Signature Algorithm (original version) not for new systems. Authentication and integrity algorithm for End Entities as mandated by the interoperability protocol PCT for implementing digital signatures for a NATO Public Key Infrastructure (PKI) in the NATO messaging system. ECDSA 384 is planned for post 2008. Guidance is provided in AC/322-D(2004)0035. For CCEB interoperability the Digital Signature Algorithm (DSA) NIST FIPS 186-2 is mandatory. DSA FIPS 186-2 can be used in NATO for verification purposes only. |
| | RSA 2048 (PKCS#1 v2.1 RSA Cryptography Standard, RSA Laboratories, June 2002); Elliptic Curve Digital Signature Algorithm (ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001) | Authentication and integrity algorithm for Sub CA and other PKI components (such as Key Recovery Agents) as mandated by the interoperability protocol PCT for implementing digital signatures for a NATO Public Key Infrastructure (PKI) in the NATO messaging system. ECDSA 384 is planned for post 2008. Guidance is provided in AC/322-D(2004)0035. For CCEB interoperability the Digital Signature Algorithm (DSA) NIST FIPS 186-2 is mandatory. |
| | Secure Hash Algorithm 256 (SHA-256, NIST FIPS 180-2 with Change Notice 1, Feb 2004); Secure Hash Algorithm 384 (SHA-384, NIST FIPS 180-2 with Change Notice 1, Feb 2004) | Secure Hash Algorithm (SHA-1), NIST FIPS 180-1, replaced by SHA-256. Hash algorithm to accompany the DSA and RSA for use in NMS. SHA-384 is planned for post 2008. Guidance is provided in AC/322-D(2004)0035. For CCEB interoperability SHA-1 (NIST FIPS 180-1) is mandatory. SHA-1 can be used in NATO for verification purposes only. |
| Authentication | Radius, IETF RFC 2865:2006 updated by RFC 2868:2000, 3575:2003, 5080:2007; Radius and IPv6, IETF RFC 3162:2001 | |
| | Kerberos v.5, IETF RFC 1510:1993 | Used in Profile: AMN |
| | The Kerberos v5 Simple Authentication and Security Layer (SASL) Mechanism, IETF RFC 4752:2006 | |
| | Single sign on (SSO, the Open Group) | |
| | Public-key and attribute certificate frameworks, X.509 v3:2005 (ITU-T) | Used in Profiles: AMN, tactESB |
| | X.509 Public Key Infrastructure Certificate and CRL Profile (IETF RFC 5280:2008) | |
| | Identification of Issuers (ISO 7812:2007) | Base profile, consisting of parts 1-2. |
| | XML Signature (W3C):2008 | |
| | XACML v2.0:2008 (OASIS); XACML v3.0:2010 (OASIS) | Used in Profiles: AMN, tactESB |
| | DOD EBTS 1.2 (DoD: 2000) | Used in Profile: AMN |
| | DOD EBTS 2.0 (DoD: 2000) | Used in Profile: AMN |
| | Data Format for the Interchange of Fingerprint, Facial, and Scar Mark and Tattoo (SMT) Information (ANSI: 2008) | Used in Profile: AMN |
| | Biometric data interchange formats -- Part 2 (ISO 19794-2:2007) | Used in Profile: AMN |
| | Biometric data interchange formats -- Part 5: Face Image Data (ISO 19794-5) | Used in Profile: AMN |
| | Biometric data interchange formats -- Part 6: Iris Image Data (ISO 19794-6) | Used in Profile: AMN |
| Detection | Transsec | |