标准摘要
[中文适用范围]: 本文件提供了可用于支持在组织安全系统内部环境中对加密模块进行规格说明和操作测试的建议和检查清单。这些加密模块具有四个安全级别,ISO/IEC 19790定义了这些级别以适应各种数据敏感度(如低价值管理数据、百万美元资金转账、生命保护数据、个人身份信息以及政府使用的敏感信息)和多样化应用程序环境(如受保护设施、办公室、可移动介质和完全未受保护的位置)。本文件包括:a) 建议执行安全评估以支持加密模块的安装、配置和操作;c) 建议用于识别加密模块的安全漏洞;e) 建议确定加密模块的部署满足组织的安全要求。 b) 对密钥管理系统、身份验证凭据保护以及公钥和关键安全参数在运行环境中的检查建议;d) 有关密码算法策略、安全指南和法规、安全管理要求、每个11个要求领域中的安全级别、安全功能强度等的检查清单。本文件假设加密模块已根据ISO/IEC 19790进行了验证。 它可以与其它建议一起用于操作测试员及其需要时的使用。本文件仅限于加密模块的安全性评估,不包括对运行或应用环境的安全评估。它也不定义组织运营风险识别、评估和接受的技术手段。图1所示的组织认证、部署和运行流程不属于本文件范围。 [外文原描述]: This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an organization's security system. The cryptographic modules have four security levels which ISO/IEC 19790 defines to provide for a wide spectrum of data sensitivity (e.g. low-value administrative data, million-dollar funds transfers, life-protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location). This document includes: a) recommendations to perform secure assessing for cryptographic module installation, configuration and operation; b) recommendations to inspecting the key management system, protection of authentication credentials, and public and critical security parameters in the operational environment; c) recommendations for identifying cryptographic module vulnerabilities; d) checklists for the cryptographic algorithm policy, security guidance and regulation, security manage requirements, security level for each of the 11 requirement areas, the strength of the security function, etc.; and e) recommendations to determine that the cryptographic module's deployment satisfies the security requirements of the organization. This document assumes that the cryptographic module has been validated as conformant with ISO/IEC 19790. It can be used by an operational tester along with other recommendations if needed. This document is limited to the security related to the cryptographic module. It does not include assessing the security of the operational or application environment. It does not define techniques for the identification, assessment and acceptance of the organization's operational risk. The organization's accreditation, deployment and operation processes, shown in Figure 1, is not included to the scope of this document. This document addresses operational testers who perform the operational testing for the cryptographic modules in their operational environment authorizing officials of cryptographic modules.
英文名称Information technology - Security techniques - Testing cryptographic modules in their operational environment