Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements

This document specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, ISO 16609 and ISO 11568. This document states the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle. This document does not address issues arising from the denial of service of an SCD. This document does not address software services that use multi-party computation (MPC) to achieve some security objectives and, relying on these, offer cryptographic services.

NOTE These are sometimes called “soft” or software hardware security modules (HSMs) in common language, which is misleading and does not correspond to the definition of HSM in this document.

Services financiers — Dispositifs cryptographiques de sécurité (services aux particuliers) — Partie 1: Concepts et exigences

General Information

Status: Published
Publication Date: 16-Jul-2024
Current Stage: 6060 - International Standard published
Start Date: 17-Jul-2024
Due Date: 20-Jul-2024
Completion Date: 17-Jul-2024

Standard
ISO 13491-1:2024 - Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements. Released: 17.07.2024
English language
27 pages

Standards Content (Sample)


International Standard
ISO 13491-1
Fourth edition
2024-07
Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements
Services financiers — Dispositifs cryptographiques de sécurité (services aux particuliers) — Partie 1: Concepts et exigences
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Secure cryptographic device concepts
5.1 General
5.2 Hardware management devices
5.3 Secure cryptographic device types
5.3.1 General types
5.3.2 Secure cryptographic device components
5.3.3 Hardware security module
5.3.4 Key loading devices
5.4 Attack scenarios
5.4.1 General
5.4.2 Penetration
5.4.3 Monitoring
5.4.4 Manipulation
5.4.5 Modification
5.4.6 Substitution
5.5 Defence measures
5.5.1 General
5.5.2 Device characteristics
5.5.3 Device management
5.5.4 Environment
6 Requirements for device security characteristics
6.1 General
6.2 Physical security requirements for secure cryptographic devices
6.3 Tamper-evident requirements
6.3.1 General
6.3.2 Substitution
6.3.3 Penetration
6.3.4 Modification
6.3.5 Monitoring
6.4 Tamper-resistant requirements
6.4.1 General
6.4.2 Penetration
6.4.3 Modification
6.4.4 Monitoring
6.4.5 Substitution or removal
6.5 Tamper-responsive requirements
6.5.1 General
6.5.2 Penetration
6.5.3 Modification
6.6 Logical security requirements for SCDs and HMDs
6.6.1 General
6.6.2 Dual control
6.6.3 Unique key per device
6.6.4 Assurance of genuine device
6.6.5 Design of functions
6.6.6 Use of cryptographic keys
6.6.7 Sensitive device states
6.6.8 Multiple cryptographic relationships
6.6.9 Secure device software authentication
7 Requirements for device management
7.1 General
7.2 Life cycle phases
7.3 Life cycle protection requirements
7.3.1 General
7.3.2 Manufacturing phase
7.3.3 Post-manufacturing phase
7.3.4 Commissioning (initial financial key loading) phase
7.3.5 Inactive operational phase
7.3.6 Active operational phase (use)
7.3.7 Decommissioning (post-use) phase
7.3.8 Repair phase
7.3.9 Destruction phase
7.4 Life cycle protection methods
7.4.1 Manufacturing
...
