To protect the confidentiality and integrity of data being transferred or stored, ISO and the International Electrotechnical Commission (IEC) have jointly developed a new standard which defines authenticated encryption mechanisms that provide an optimum level of security.
“With the rise of electronic transactions involving sensitive information, such as the transfer of bank data or personal identity information, this standard responds to a growing need for increasingly demanding security requirements,” says Prof. Chris Mitchell, Project Editor of the new ISO/IEC standard.
The standard, ISO/IEC 19772, Information technology – Security techniques – Authenticated encryption, specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure:
- Data confidentiality (protecting against unauthorized disclosure of data)
- Data integrity (enabling recipients to verify that the data has not been modified)
- Data origin authentication (helping recipients to verify the origin of the data).
The standard takes the specific security needs of different operations into account. For instance, while encryption may be used to prevent eavesdropping when data is being exchanged, Message Authentication Codes (MACs) or digital signatures are ideal for protecting data from being modified.
Some situations may require a combination of operations, but not all combinations will provide the same security guarantees.
Prof. Mitchell explains, “It has recently become widely recognized that using encryption on its own (or even combining encryption and MACs in non-optimal ways) can be dangerously weak, as shown by recently demonstrated practical attacks on implementations of widely used security protocols such as IPsec and SSH. There are thus excellent reasons to believe that it is better to rely on a single comprehensive data protection method.”
The mechanisms specified in the standard have been designed to maximize the level of security and provide efficient processing of data for optimum results.
The standard includes mechanisms that can be applied to ensure the integrity of data even when not encrypted (e.g. to prevent modifications of e-mail addresses, sequence numbers, etc.).
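As an added illustration of the two points above (not code from the ISO release or from the standard itself), the following Go example uses AES-GCM, one of the mechanisms specified in ISO/IEC 19772, to show that a single authenticated encryption operation protects both the encrypted body and an unencrypted header such as a sequence number, and that a modification to either is rejected on receipt. The key, nonce, header and body are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key and nonce, for illustration only: real code derives the
// key properly and never reuses a nonce under the same key.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	demoNonce = []byte("0123456789ab")                     // 12 bytes, GCM nonce
)

// newGCM builds AES-GCM, one of the authenticated encryption mechanisms in the
// standard: a single tag covers both the ciphertext and the associated data.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// flipBit returns a copy of b with the low bit of byte i toggled, standing in
// for any in-transit modification.
func flipBit(b []byte, i int) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= 0x01
	return c
}

// Demo seals body while binding the unencrypted header (e.g. a sequence
// number) to it, then reports whether the untouched message opens and whether
// a modified ciphertext and a modified header are each rejected on receipt.
func Demo(header, body []byte) (ok, bodyTamperRejected, headerTamperRejected bool) {
	aead, err := newGCM(demoKey)
	if err != nil {
		return false, false, false
	}
	sealed := aead.Seal(nil, demoNonce, body, header) // ciphertext || 16-byte tag
	pt, err := aead.Open(nil, demoNonce, sealed, header)
	ok = err == nil && bytes.Equal(pt, body)
	_, err = aead.Open(nil, demoNonce, flipBit(sealed, 0), header) // body changed
	bodyTamperRejected = err != nil
	_, err = aead.Open(nil, demoNonce, sealed, flipBit(header, 0)) // header changed
	headerTamperRejected = err != nil
	return ok, bodyTamperRejected, headerTamperRejected
}
```

The header travels in the clear and is never encrypted, yet the receiver refuses the whole message if it was altered, which is exactly the "integrity of data even when not encrypted" property described above.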
“ISO/IEC 19772 will give confidence to users that their data is safe. Not only will it be useful for protecting information, but also for furthering the development of online transactions and e-businesses, and other applications involving sensitive data,” concludes Prof. Mitchell.
ISO/IEC 19772 was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information Technology, subcommittee SC 27, IT Security techniques. The standard is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, price 118 Swiss francs, through the ISO Store or by contacting the Marketing & Communication department.