Information Security-Related Standards (양수미)
Contents
• IETF standards
• ISO/IEC JTC1 standards
• SC27
• Other than SC27
• ITU-T standards
IETF standards
• Standards established by the Security Area within the IESG (Internet Engineering Steering Group) of the IETF (Internet Engineering Task Force); they are researched and established in several Working Groups.
• The IETF was established in 1986 under ISOC (the Internet Society) to support Internet protocol engineering and the development of tools.
• The main goal of the IETF (Internet Engineering Task Force) is to propose and develop standards for protocols and architecture in order to solve the operational and technical problems of the Internet.
Internet standards and RFCs
• The Internet Society
• IAB (Internet Architecture Board): responsible for defining the overall architecture of the Internet, providing guidance and broad direction to the IETF
• IETF (Internet Engineering Task Force): the protocol engineering and development arm of the Internet; a subordinate body of the non-profit IAB (Internet Architecture Board). Responsible for drafting policies and standards concerning TCP/IP and the Internet
• IESG (Internet Engineering Steering Group): responsible for technical management of IETF activities and the Internet standards process
(Henric Johnson)
IETF standardization process
• Standard development stages
• Internet drafts: working documents toward an RFC (Request for Comments), registered in the directory for 6 months.
• Proposed standard: the protocol is implemented and tested (6 months to 2 years)
• Draft standard: at least 2 independent and interoperable implementations; further field testing in different, wide-ranging environments is needed (4 months to 2 years)
• Internet standard: a successfully implemented and operated protocol
• GENERAL area
• APPLICATIONS area
• INTERNET area
• OPERATIONS and MANAGEMENT area
• REAL-TIME APPLICATIONS and INFRASTRUCTURE area
• ROUTING area
• SECURITY area
• TRANSPORT area
Working Groups-1
• BTNS: related to IPsec/IKE (Internet Key Exchange)
• DKIM: DomainKeys Identified Mail
• EMU: related to EAP (Extensible Authentication Protocol) methods
• HOKEY: wireless handover keying
• ISMS: related to SNMP security, authentication, etc.
• KEYPROV: related to symmetric keys
• KITTEN: GSS (Generic Security Services)-API development
• KRB-WG: related to Kerberos
Working Groups-2
• LTANS: long-term archive and notary services
• MSEC: multicast security
• NEA: Network Endpoint Assessment
• PKIX: public key infrastructure (X.509)
• SASL: Simple Authentication and Security Layer
• SMIME: S/MIME mail security
• SYSLOG: related to the security of network event logging
• TLS: Transport Layer Security
ISO/IEC JTC1 standards
• ISO (International Organization for Standardization) / IEC (International Electrotechnical Commission) JTC (Joint Technical Committee) 1
• A combined organization (ISO/TC97: information processing system fields, and IEC/TC 83: information equipment)
• A joint technical committee for international standardization in the information technology field, formed by merging the international standardization activities on information processing systems with those on information equipment
• SC20 (data cryptographic techniques) was expanded into SC27 (security techniques).
ISO/IEC JTC1 standards
• Standard development stages
• Preliminary stage: preliminary work item (PWI)
• Proposal stage: new work item proposal (NP)
• Preparatory stage: working drafts (WD)
• Committee stage: committee drafts (CD)
• Enquiry stage: enquiry drafts, i.e. draft international standard (DIS) for ISO, committee draft for vote (CDV) for IEC
• Approval stage: final draft international standard (FDIS)
• Publication stage: international standard (ISO, IEC, ISO/IEC)
ISO/IEC JTC1 standards
• SC27: IT Security techniques
• Mainly researches and establishes standards on general methods and techniques for IT security.
• Standardization of general methods and techniques for information technology security, excluding the embedding of security mechanisms into applications
• Includes the standardization of cryptographic algorithms, general requirements specifications for IT system security services, the development of security techniques and mechanisms, and the development of management guidance supporting documents and standards
• Other than SC27
ISO/IEC 13335-1:2004
• Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management
• ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.
ISO/IEC 27002:2005 (2007)
• Evolved from BS 7799:1999 -> 17799 -> 27002
• 12 main sections
• Risk assessment
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations
ITU-T standards
• ITU-T (International Telecommunication Union - Telecommunication Standardization Sector): the renamed successor of the CCITT (Consultative Committee for International Telegraph and Telephone), the international body that set telecommunication standards. It defines standards for digital transmission and interface standards for analog transmission.
ITU-T standards
• SG 2, 3, 5, 9, 11, 12, 13, 15, 16, 17, TSAG (Telecommunication Standardization Advisory Group)
• SG 17: Security, languages and telecommunication software
• In Korea, the Telecommunications Technology Association (TTA), a private-sector body that establishes information and communications standards, is responsible for this work
• TC10: security committee (IT security management, crypto technology, system security group)
Main topics of ITU-T SG17
• NGN (Next Generation Network) Security Framework
• Multimedia
• Security Frameworks and Guidelines
• Security Management
• Awareness
• Secure Communication Services
Others
• ECMA (European Computer Manufacturers Association)
• Established in 1961 for data processing standards in Europe
• TC 17 (includes communication), TC 36 (IT security), TC 32 (communication, network and interoperability, security)
• ETSI (European Telecommunications Standards Institute)
• Established in 1988 for communication/information/broadcasting standards in Europe
• Standard process
• Inception: start development of the standard
• Conception: define the concept
• Drafting: propose the standard
• Adoption: adopt the standard
• Promotion: implement the standard
• TC SEC is the security standards technical committee -> OCG (Operational Co-ordination Group)
Others
• Internet Security Technology Forum (ISTF: Information Security Technology Forum): a forum formed mainly by private companies in the Internet security technology field, developing de-facto standards that reflect market demand
• Established in 2000 for public Internet security standards
• Network, PKI and mobile groups.
NIST
• NIST (National Institute of Standards and Technology)
• Established in 1901 as the NBS (National Bureau of Standards) and renamed NIST in 1988; it belongs to the DoC (Department of Commerce).
• 10 research laboratories
• Building and fire research
• Chemical science and technology
• Electronics and electrical engineering
• Information technology
• Manufacturing engineering
• Materials science and engineering
• Nanoscale science and technology
• Neutron research
• Physics
• Technology services
NIST
• Information Technology Laboratory: 6 research areas
• Advanced Network Technologies
• Computer Security
• Information Access
• Mathematical & Computational Sciences
• Software & Systems
• Statistical Engineering
NIST
• Cryptographic technology
• Advanced authentication technology
• Public key infrastructure
• Internetworking security
• Evaluation criteria and schemes
• Security management and support
• Computer Security Resource Center
ANSI
• ANSI (American National Standards Institute)
• Established as a non-profit organization in 1918.
• Has three characteristics: it does not develop standards itself, ANS (American National Standards) are used in all industries, and ANS are voluntary.
• Major fields: all technical fields (accreditation, patents, etc.); contributes to ISO and IEC; ANSI certifies other standards organizations of the USA
Information security evaluation criteria
• ITSEC (Information Technology Security Evaluation Criteria): Europe
• TCSEC (Trusted Computer System Evaluation Criteria): USA
1) D (Minimal Protection)
2) C1 (Discretionary Security Protection)
3) C2 (Controlled Access Protection)
4) B1 (Labeled Security Protection)
5) B2 (Structured Protection)
6) B3 (Security Domains)
7) A1 (Verified Design)
• K series: Korea, K1 to K7
• CC (Common Criteria), the international common evaluation criteria: EAL 1 to 7