ISO/IEC 19772 Standard Addresses Theft, Unauthorized Modification of Electronic Data
May 18, 2009 // Published as a news service by IHS
To help protect the confidentiality and integrity of personal data being transferred or stored, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly developed ISO/IEC 19772, a standard which defines authenticated encryption mechanisms that are designed to provide an optimum level of security.
"With the rise of electronic transactions involving sensitive information, such as the transfer of bank data or personal identity information, this standard responds to a growing need for increasingly demanding security requirements," said Chris Mitchell, project editor of the ISO/IEC standard.
ISO/IEC 19772, Information technology - Security techniques - Authenticated encryption, specifies six encryption methods based on a block cipher algorithm that can be used to ensure:
- Data confidentiality (protecting against unauthorized disclosure of data).
- Data integrity (enabling recipients to verify that the data has not been modified).
- Data origin authentication (helping recipients to verify the identity of the data's originator).
The standard takes the specific security needs of different operations into account. For instance, while encryption may be used to prevent eavesdropping when data is being exchanged, message authentication codes (MACs) or digital signatures can help protect data from being modified.
Some situations may require a combination of operations, but not all combinations will provide the same security guarantees, according to the IEC.
"It has recently become widely recognized that using encryption on its own (or even combining encryption and MACs in non-optimal ways) can be dangerously weak, as shown by recently demonstrated practical attacks on implementations of widely used security protocols such as IPsec [Internet protocol security] and SSH [Secure Shell]. There are thus excellent reasons to believe that it is better to rely on a single comprehensive data protection method," said Mitchell.
The mechanisms specified in the standard were designed to maximize the level of security and provide efficient processing of data for optimum results, according to the IEC.
The standard includes mechanisms that can be applied to ensure the integrity of data even when the data is not encrypted, for example to prevent modification of e-mail addresses and sequence numbers.
ISO/IEC 19772 was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information Technology, Subcommittee SC 27, IT Security techniques.
Source: International Electrotechnical Commission (IEC).