International Standards and Conformity Assessment for all electrical, electronic and related technologies

News release – 2009 Number 09

Preventing theft and unauthorized modification of electronic data with new ISO/IEC standard

ISO/IEC 19772, Information technology – Security techniques – Authenticated encryption

 

Geneva, Switzerland, 2009-04-30 – Security is perhaps one of the greatest concerns of the millions of users who routinely exchange data over the Web or store information on computers that may be accessed by unauthorized parties.

 

Data security

To protect the confidentiality and integrity of data being transferred or stored, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly developed a new standard which defines authenticated encryption mechanisms that provide an optimum level of security.

 

“With the rise of electronic transactions involving sensitive information, such as the transfer of bank data or personal identity information, this standard responds to a growing need for increasingly demanding security requirements,” says Prof. Chris Mitchell, Project Editor of the new ISO/IEC standard.

 

The standard, ISO/IEC 19772, Information technology – Security techniques – Authenticated encryption, specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure:

  • Data confidentiality (protecting against unauthorized disclosure of data)
  • Data integrity (enabling recipients to verify that the data has not been modified)
  • Data origin authentication (helping recipients to verify the identity of the data originator).

The standard takes the specific security needs of different operations into account. For instance, while encryption may be used to prevent eavesdropping when data is being exchanged, Message Authentication Codes (MACs) or digital signatures are ideal for protecting data from being modified.

 

Some situations may require a combination of operations, but not all combinations will provide the same security guarantees.

 

Prof. Mitchell explains, “It has recently become widely recognized that using encryption on its own (or even combining encryption and MACs in non-optimal ways) can be dangerously weak, as shown by recently demonstrated practical attacks on implementations of widely used security protocols such as IPsec and SSH. There are thus excellent reasons to believe that it is better to rely on a single comprehensive data protection method.”

 

The mechanisms specified in the standard have been designed to maximize the level of security and provide efficient processing of data for optimum results.

 

The standard includes mechanisms that can be applied to ensure the integrity of data even when not encrypted (e.g. to prevent modifications of e-mail addresses, sequence numbers, etc.).

 

“ISO/IEC 19772 will give confidence to users that their data is safe. Not only will it be useful for protecting information, but also for furthering the development of online transactions and e-businesses, and other applications involving sensitive data,” concludes Prof. Mitchell.

 

ISO/IEC 19772 was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information Technology, subcommittee SC 27, IT Security techniques.

 


IEC Contact

Gabriela Ehrlich
Head of Communications
Tel: +41 22 919 02 78

 

ISO Contact

Roger Frost
Manager Communication Services
Tel: + 41 22 749 01 11