Introduction Zdeněk Říha Why do we need standards in IT Security? lCompatibility/interoperability lCommon terminology lEfficiency/costs – no need to reinvent a wheel lRegular updates/follow developments l… l lSecurity Disadvantages lPaid standards lTo cover the development of standards lCompetition among the standardization bodies lAccess to standards (and their drafts) l+ difficult to understand lReduced flexibility lE.g. for small organizations Coverage lFrom high-level management lISMS (information security management system) lE.g. ISO 27000 l lUp to low level crypto lE.g. RSA, PKCS#1 Standards vs. norms lStandards are recommendations l lNorms are authoritative (mandatory) standards l lNormativity depends on: lCountry lTime lField/context lType of company, personal use/business use Standardization bodies lISO lNational SO lÚřad pro technickou normalizaci, metrologii a státní zkušebnictví, ČSN lUNMS SR (Slovakia) lDIN (Germany) lAFNOR (France) lANSI (USA) lCEN – European association lCEN, CENELEC and ETSI - recognized as European Standards (ENs) https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/1-110.png Standardization bodies lNIST: National Institute of Standards and Technology (USA) lETSI European Telecommunications Standards Institute lITU-T (e.g. X.509) lIETF – RFC l lRSA Security (PKCS) l Process lThe full list of status codes of ISO standards lFocus on involvement of stakeholders, not on speed lOften public consultations are needed Versioning (ISO) Versioning (RFCs) lRSA Encryption l l RFC 2315 l l RFC 2437 l l RFC 3447 l l RFC 8017 Versioning (NIST FIPS) lDigital Signature Standard lFIPS 186 (published on 19 May 1994) lFIPS 186-1 (published on 15 Dec 1998) lFIPS 186-2 (published on 27 Jan 2000) lFIPS 186-3 (published June 2009) lFIPS 186-4 (published July 2013) lFIPS 186-5 (draft available from Oct 2019) Versioning lPKCS#1 v1.5 lETSI TS 119 312 V1.4.2 (2022-02) lITU-T X.509 Version/Edition