ISO IEC 27071-2023.docx

INTERNATIONA1.STANDARDISO/IEC27071editionFirSt202307CybersecuritySecurityrecommendationsforestab1.ishingtrustedconnectionsbetweendevicesandservicesCybersecuriteRecommandationsdesecuritepouretab1.issementdeconnexionsdeconfianceentredispositifsetservicesReferencenumberISO/IEC27071:2023(E)©ISO/IEC2023COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.o啪InyM1.tta0Dmk<nroni(ncm11ni10tf1.*Mqn1.C6pW11opypMRationmaytheinternetoranintranet,withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOattheaddressbe1.oworISO'smemberbodyinthecountr)oftherequester.f),WV>fifiU81.andonnet8CH-1214Vernier,GenevaPhone：M1.227490111觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andContentsForewordivIntroductionv2 Scope13 Normativereferences1Termsanddefinitions13.1 Termsre1.atingtoc1.oudcomputing13.2 Termsre1.atingtoc1.oudcomputingro1.esandactivities245 Abbreviatedterms5Frameworkandcomponentsforestab1.ishingatrustedconnection55.1 Overview55.2 Hardwaresecuritymodu1.e95.3 RtHJttdStrust105.5 Authenticationandkeyestab1.ishment105.6 Remoteattestation10Securityrecommendationsforestab1.ishingatrustedconnection106.1 Hardwaresecuritymodu1.e106.2 Rootoftrust116.3 AtohettyMiOn一.andkey.estab1.ishment116.5 Remoteattestation116.6 DatOInteg1.1.tyandauthenticity.126.7 Trusteduserinterface12Annex A (informative)Threats13Annex B (informative)So1.utionsforcomponentsofatrustedconnection18Annex C (informative)Examp1.eofestab1.ishingatrustedconnection一.一._.一,23Bib1.iography24ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.(Jtunibcnjot)SdrniIHGspartHipidisye耐unr3optowMi01.HtanrfandaiionS出adwrddBudiughtechnimitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.ornizations,governmenta1.andnon-governmenta1.rin1.iaisonwithISOandIEC,a1.sotakepartintheTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceftKdeddeatibedthcindFrent1.S(W山也(Wmr小曲如卿闻IarJ帏序瞅崛jp15gIraJi1dinISO/IECDirectives.Part2(seewww.iso.org/dircctivesorwww.iec.ch/members.experts/refdocs).屣G>d（八）IEC0MYn(S温食闸由KM段粒SSibA哂Atef1.Wferni佃前VhIent菰加iMMi俄艇abih1.yiheanyc1.aimedpatentrightsinrespectthereof.Asofthedateofpub1.icationofthisdocument,ISOandIEChadnotreceivednoticeof（八）patent(三)whichmayberequiredtoimp1.ementthisdocument.However,寐降艇由曲觎eda祜b1.三WWeM0碗notbehe1.dresponsib1.eforidentifyinganyora1.1.suchpatentrights.AnytradeusedinthisconstitutenameendorsementdocumentisinformationgivenfortheconvenienceofusersanddoesnotForanexp1.anationofthevo1.untarynatureofstandards,themeaningofISOspecifictermsand邮)X觑怂1.itedOrRan脚娜I删01ass热情h2ton住排触标福dead明ces陕www.iso.org/iso/foreword.htm1.IntheIEC,seevrww.iec.chunderstanding-standards.瓯Cv½腑。胁也加卜破舰。"到6腑"Wg仍SO1.Jtec"om/n/hrmotiontechno1.ogy,Anyfeedbackorquestionsonthisdocumentshou1.dbedirectedtotheuser'snationa1.standards屋.2R)，隔U*P8RMit<eesthesebodiescanbefoundatwwwis<hFgmembeFht111.andIntroductionartificia1.inte1.1.igence(A1.),scenarios.essentia1.toestab1.ishtrustedconnectionsbetweendevicesandservicesessentia1.devicesServiceservicesdistinguishconfidentia1.itjrbyintegritytheauthorizeddeviceenough.thosema1.iciousServicesxrucia1.thisway,shou1.dto<iistinguishre1.iab1.ygenuineSemcegenuineunintendedservicesorIdentitywithoutaofre1.iab1.erootrequirementsestab1.ishingre1.iab1.eVirtua1.izedensuretheuti1.izationattacks,authenticationbetweenaremoteattestationbetweencssen1.ia1.andpreventingimpersonationa1.gorithmsinfromsensorsshou1.dintegrated1.abe1.theanddevicerdigita1.1.ysigned(ororgeneratedcryptomechanisms)processtrustedcomputingconnectionshaveainfrastructurere1.ationshipwithcertificationauthoritymodu1.es hardwaresecuritymodu1.estoestab1.ishthere1.iab1.erootoftrust; Channekauthenticationandkeyestab1.ishmentbetweendevicesandservicestoestab1.ishasecurity dataidentitytokeepthedataintegrityandauthenticity1.ongterm.mobi1.edevices,PCs1.Onvironnient.Thisdocumen1.infrastructurehe1.ptrustedservices.partcsdocu11entcanissueWiththedeve1.opmentoftheinternetofthings(IoT),mobi1.eservices,c1.oudcomputing,bigdataandingrowingnumberofitVSecuritychanne1.se.g.securesockets1.ayer(SS1.)ortransport1.ayersecurity(T1.S)protoco1.s)areusedbetweenfortheandtotoprotectandsensorsofofdata,butisnotfromItisofotherdevicesordataforgedbyadversaries.Thus,theSerViCeshou1.dbeab1.etoensurethatthedatacomesfromtheauthorizeddevice.Inaddition,itInfortheitdevicebeab1.etotheidentifythefromandservice,inparticu1.arforc1.oudservices,whichmayhavethousandsofsuchservicesrunning.ofre1.iab1.erootstrustTheOfcanbeforged,socontro1.scritica1.torootsoftrustaredescribedinISO/IEC27070.