Community Security Requirements Statement abstract, v1.1 (NATO:2010) |
|
Used in profile: AMN
|
|
|
Common Criteria (ISO/IEC 15408-1:2009, -2 to -3:2008) |
|
|
Procedural document dealing with the evaluation criteria for IT security.
Guidance on the use of Common Criteria within NATO is provided with AC/322-D(2010)0043.
|
|
|
Physical characteristics (ISO/IEC 7810:2003)
|
|
|
|
|
|
Integrated circuit(s) with electrical contacts (ISO/IEC 7816:2006)
|
|
|
Base profile, consisting of parts 1-5 |
|
|
Interface between the card-aware applications and cards, PC/SC Specs. v.2.0.1.9:2005
|
|
|
|
|
|
Card-resistance applications, JAVACARDkit v.2.2.2:2006
|
|
|
|
|
|
Contactless cards (ISO/IEC 14443:2008) |
|
|
Base profile, consisting of parts 1 - 3. |
SMI Service |
|
|
|
|
|
|
|
Web-Services Security Profile (WSS), v1.0 (OASIS) |
|
|
Used in Profile: AMN |
|
|
|
WS Security Policy, v1.3:2009 (OASIS) |
|
Used in Profile: CES |
|
|
Security Assertion Markup Language, SAML v2.0 (OASIS)
|
|
|
For CCEB interoperability the Security Assertion Markup Language
(SAML) v1.1 is mandatory and SAML 2.0 is emerging.
Used in Profile: CES (v2.0)
|
|
|
XKMS 2.0 (W3C):2005 |
|
|
Used in Profiles: AMN, tactESB |
|
|
|
|
|
See General Security Key Management and Distribution.
For CCEB interoperability the mandatory standard is ACP145(A) (Messaging Services Between Nations) and X.500
(based on CMI authentication framework)
|
Confidentiality |
|
|
|
|
|
|
|
S/MIME with Encrypted Security Service (ESS) (IETF RFCs 3850:2004, 3851:2004)
|
|
ACP120 replaced by ACP145 |
Messaging System independent encapsulation syntax
supporting signature and confidentiality functions based on DSA.
For CCEB interoperability the standard is S/MIME Version 3 ESS,
application layer data confidentiality or link level encryption
|
|
|
|
ITU-T X.411:1999 |
|
|
|
|
|
SCIP Key Management Plan, SCIP-120 rev.1.0:2010 (IICWG) |
|
|
|
|
|
SCIP X.509 Key Management Plan, SCIP-121 rev.0.8:2012 (IICWG) |
|
|
|
|
|
SCIP Signalling Plan, SCIP-210 rev.3.5:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
SCIP Multimedia Option-Specific MERs for SCIP Devices, SCIP-213 rev.1.0:2012 (IICWG) |
|
|
|
|
|
Generic Packet Data Option, SCIP-213.1 rev.1.0:2010 (IICWG) |
|
|
|
|
|
Network Specific MERs for SCIP Devices, SCIP-214 rev.1.2:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
SCIP over the PSTN, SCIP-214.1 rev.1.0:2008 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
SCIP over RTP, SCIP-214.2 rev.1.0:2010 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
U.S. SCIP/IP Implementation Standard and MER Publication, SCIP-215 rev.2.2:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Minimum Essential Requirements (MER) for V.150.1 Gateways Publication, SCIP-216 rev.2.2:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Minimum Implementation Profile (MIP), SCIP-221 rev.3.0:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Cryptography Specification for SCIP, SCIP-231 rev.1.3:2008 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
SCIP Cryptography Specification - Main Module, SCIP-233 rev.1.1:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Universal Call Setup Encryption (CSE) Key Material Format and Fill Specification, SCIP-233.106 rev.1.1:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
MERCATOR Call Setup Encryption (CSE) Key Material Format and Fill Specification, SCIP-233.110 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
MERCATOR Call Setup Encryption (CSE) Specification, SCIP-233.202 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
ECDH Key Agreement and TEK Derivation, SCIP-233 rev.1.1:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
MERCATOR ECDH Key Agreement and TEK Derivation Specification, SCIP-233.308 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Interoperable Terminal Priority (TP) Community of Interest (COI) Specification, SCIP-233.350 rev.1.0:2010 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Application State Vector Processing Specification, SCIP-233.401 rev.1.2:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Point-to-Point Cryptographic Verification w/Signature, SCIP-233.444 rev.1.0:2011 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
MERCATOR Point-to-Point Cryptographic Verification w/Signature Specification, SCIP-233.445 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Secure MELP(e) Voice, SCIP-233.501 rev.1.1:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Secure Almost Full Bandwidth (AFB) Data, SCIP-233.518 rev.1.0:2010 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Secure Full Bandwidth (FB) Data, SCIP-233.519 rev.1.0:2010 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Secure Packet Data, SCIP-233.531 rev.1.0:2010 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Secure Messaging Processing Specification, SCIP-233.547 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
Galois/Counter Mode (GCM) Data Integrity Specification, SCIP-233.562 rev.0.1:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
MERCATOR Encryption Algorithm Specification, SCIP-233.604 rev.1.0:2012 (IICWG) |
|
For CCEB interoperability the SCIP standard is mandatory |
|
|
|
NATO XML Labelling version 1.0 (Ref: NC3A Technical Note 1455, "NATO Profile for the 'Binding of Metadata to Data Objects' - version 1.0"; and NC3A Technical Note 1456, "NATO Profile for the 'XML Confidentiality Label Syntax' - version 1.0") |
|
Used in Profiles: AMN, CES, tactESB
|
|
|
SOAP Message Security 1.1:2004 (OASIS) |
|
|
Used in Profile: CES |
|
|
|
Username Token Profile, v1.1:2004 (OASIS) |
|
Used in Profile: CES |
|
|
|
X.509 Certificate Token Profile, v1.1:2004 (OASIS) |
|
Used in Profiles: CES, tactESB |
|
|
|
NATO PKI (NPKI) Certificate Policy, rev.2 (NATO:2008) |
|
Used in Profile: AMN
|
|
|
|
Kerberos Token Profile 1.1:2006 (OASIS) |
|
Used in Profile: CES |
|
|
SAML Token Profile 1.1:2006 (OASIS) |
|
|
Used in Profile: CES |
|
|
|
SOAP Messages with Attachments (SwA) Profile 1.1:2006 (OASIS) |
|
Used in Profile: CES |
|
|
WS-Security Utility 1.0:2001 (OASIS) |
|
|
Used in Profile: CES |
|
|
|
WS-Trust 1.4:2007 (OASIS) |
|
Used in Profile: CES |
|
|
Basic Security Profile Version 1.1:2010 (WS-I) |
|
|
Used in Profile: AMN |
Encryption |
|
|
|
|
|
|
|
TLS v1.2 (IETF RFC 5246:2008) |
|
SSL excluded in NCSP v.6 |
Used as a transport layer security protocol.
Used in Profiles: AMN (v1.1), CES, tactESB
|
|
|
SSH v.2 (IETF RFC 4250-4256:2006) |
|
|
|
|
|
|
XML Encryption (W3C):2008 |
|
Used in Profile: tactESB |
|
|
Key Wrap Advanced Encryption Standard 128 (AES 128, NIST FIPS 197:2002)
|
Key Wrap Advanced Encryption Standard 256 (AES 256, NIST FIPS 197)
|
|
PKI components and applications should utilise AES for key wrap
functions.
AES 256 should be utilized post 2008 for Root CA and Sub CA PKI
components together with SHA-384 and 512. End entities can still utilize
AES 128 together with SHA-256.
For CCEB interoperability AES 128 is emerging.
|
Integrity |
|
|
|
|
|
|
|
IP ESP (RFC 4303:2005) |
|
|
Encapsulating Security Payload (ESP) may support integrity and authentication,
depending on the algorithms used.
|
|
|
|
NINE ISpec v1.0.3 (NATO) |
|
|
|
|
Digital Signature Algorithm 1024 (DSA-1024, NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
Elliptic Curve Digital Signature Algorithm (ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
Digital Signature Algorithm (original version) not for new systems |
Authentication and integrity algorithm for End Entities as
mandated by the interoperability protocol PCT for implementing digital
signatures for a NATO Public Key Infrastructure (PKI) in the NATO
messaging system. ECDSA 384 is planned for post 2008. Guidance is
provided in AC/322-D(2004)0035.
For CCEB interoperability the Digital Signature Algorithm (DSA) NIST
FIPS 186-2 is mandatory. DSA FIPS 186-2 can be used in NATO for
verification purposes only.
|
|
|
RSA 2048 (PKCS#1 v2.1 RSA Cryptography Standard, RSA Laboratories, June 2002)
|
Elliptic Curve Digital Signature Algorithm (ECDSA 384, NIST FIPS 186-2 with Change Notice 1, Oct 2001)
|
|
Authentication and integrity algorithm for Sub CA and other PKI
components (such as Key Recovery Agents) as mandated by the
interoperability protocol PCT for implementing digital signatures for a
NATO Public Key Infrastructure (PKI) in the NATO messaging system. ECDSA
384 is planned for post 2008. Guidance is provided in AC/322-D(2004)0035.
For CCEB interoperability the Digital Signature Algorithm (DSA) NIST
FIPS 186-2 is mandatory.
|
|
|
Secure Hash Algorithm 256 (SHA-256, NIST FIPS 180-2 with Change Notice 1, Feb 2004)
|
Secure Hash Algorithm 384 (SHA-384, NIST FIPS 180-2 with Change Notice 1, Feb 2004)
|
Secure Hash Algorithm (SHA-1), NIST FIPS 180-1 replaced by SHA-256
|
Hash algorithm to accompany the DSA and RSA for use in NMS. SHA-384
is planned for post 2008. Guidance is provided in AC/322-D(2004)0035.
For CCEB interoperability the standard SHA-1, NIST FIPS 180-1, is
mandatory. SHA-1 can be used in NATO for verification purposes only.
|
|
|
XML Encryption Syntax and Processing, W3C:2002 |
|
|
Used in Profile: CES |
Authentication |
|
|
|
|
|
|
|
Radius, IETF RFC 2865:2006 updated by RFC 2868:2000, 3575:2003, 5080:2007 |
Radius and IPv6, IETF RFC 3162:2001 |
|
|
|
|
|
Kerberos v.5, IETF RFC 1510:1993 |
|
Used in Profile: AMN
|
|
|
|
The Kerberos v5 Simple Authentication and Security Layer (SASL) Mechanism, IETF RFC 4752:2006 |
|
Used in Profile: CES |
|
|
|
Single sign on (SSO, the Open Group) |
|
|
|
|
Public-key and attribute certificate frameworks, X.509 v3:2005 (ITU-T) |
|
|
Used in Profiles: AMN, CES, tactESB |
|
|
|
X.509 Public Key Infrastructure Certificate and CRL Profile (IETF RFC 5280:2008) |
|
|
|
|
Identification of Issuers (ISO 7812:2007) |
|
|
Base profile consisting of parts 1 - 2. |
|
|
XML Signature (W3C):2008 |
|
|
|
|
|
XACML v2.0:2008 (OASIS) |
XACML v3.0:2010 (OASIS) |
|
Used in Profiles: AMN, CES, tactESB |
|
|
|
DOD EBTS 1.2 (DoD: 2000) |
|
Used in Profile: AMN
|
|
|
|
DOD EBTS 2.0 (DoD: 2000) |
|
Used in Profile: AMN
|
|
|
|
Data Format for the Interchange of Fingerprint, Facial, and Scar Mark and Tattoo (SMT) Information (ANSI: 2008)
|
|
Used in Profile: AMN
|
|
|
|
Biometric data interchange formats -- Part 2 (ISO 19794-2:2007) |
|
Used in Profile: AMN
|
|
|
|
Biometric data interchange formats -- Part 5: Face Image Data (ISO 19794-5) |
|
Used in Profile: AMN
|
|
|
|
Biometric data interchange formats -- Part 6: Iris Image Data (ISO 19794-6) |
|
Used in Profile: AMN
|
Detection |
|
|
|
|
|
Transsec |
|
|
|
|
|