ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods

Standard number: ISO 13491-1:2007

Chinese title: 银行业 安全加密装置(零售) 第1部分:概念、要求和评定方法

English title: Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation methods

Publication date: 2007-06

Scope

ISO 13491-1:2007 specifies the requirements for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609 and ISO 11568. ISO 13491-1:2007 has two primary purposes:

  • to state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle, and
  • to standardize the methodology for verifying compliance with those requirements.

Appropriate device characteristics are necessary to ensure that the device has the proper operational capabilities and provides adequate protection for the data it contains. Appropriate device management is necessary to ensure that the device is legitimate, that it has not been modified in an unauthorized manner (e.g. by “bugging”) and that any sensitive data placed within the device (e.g. cryptographic keys) has not been subject to disclosure or change.

Absolute security is not achievable in practical terms. Cryptographic security depends upon each life cycle phase of the SCD and the complementary combination of appropriate management procedures and secure cryptographic characteristics. These management procedures implement preventive measures to reduce the opportunity for a breach of SCD security. These aim for a high probability of detection of any unauthorized access to sensitive or confidential data, should device characteristics fail to prevent or detect the security compromise.

Annex A provides an informative illustration of the concepts of security levels described in ISO 13491-1:2007 as being applicable to SCDs.
