ISO 19772:2009 for Data Security

Security is one of the chief concerns of the millions of users who routinely exchange data over the Internet or store information on computers that may be accessed by unauthorized parties.

To protect the confidentiality and integrity of data being transferred or stored, ISO and the International Electrotechnical Commission (IEC) jointly developed a new standard that defines authenticated encryption mechanisms that provide an optimum level of security.

ISO 19772:2009, Information technology – Security techniques – Authenticated encryption, specifies six authenticated encryption mechanisms, each built on a block cipher algorithm, that can be used to ensure:

  • Data confidentiality (protecting against unauthorized disclosure of data)
  • Data integrity (enabling recipients to verify that the data has not been modified)
  • Data origin authentication (helping recipients to verify the identity of the data originator).

The standard takes the specific security needs of different operations into account. For instance, while encryption may be used to prevent eavesdropping when data is being exchanged, message authentication codes or digital signatures are the appropriate tools for detecting any modification of the data.

The mechanisms specified in the standard have been designed to maximize the level of security while processing data efficiently. They can also protect the integrity of data that is not itself encrypted (e.g., to detect modifications of e-mail addresses, sequence numbers, etc. that accompany an encrypted message).
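The following added example illustrates the behaviour described above; it is not code from the standard or from this page. It uses AES-GCM from Go's standard library as the authenticated encryption mechanism (the page does not list the six mechanisms, so the choice of mode is this example's). The header is kept readable as associated data while the body is encrypted, and any change to either the ciphertext or the unencrypted header causes the recipient to reject the whole record. The key and the record contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one protected record. The nonce and the associated data travel in
// the clear; only Ciphertext is encrypted. GCM appends its authentication tag to
// Ciphertext, and that tag covers both Ciphertext and AssociatedData.
type Envelope struct {
	Nonce          []byte
	AssociatedData []byte
	Ciphertext     []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and binds the unencrypted associatedData
// (for example a recipient address or a sequence number) to it. A fresh random
// nonce is drawn on every call: reusing a nonce under the same key destroys
// GCM's confidentiality and integrity guarantees.
func Seal(key, plaintext, associatedData []byte) (*Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, associatedData)
	return &Envelope{
		Nonce:          nonce,
		AssociatedData: append([]byte(nil), associatedData...),
		Ciphertext:     ct,
	}, nil
}

// Open checks the tag over Ciphertext and AssociatedData before returning any
// plaintext. A single flipped bit in either field rejects the whole record, so
// the caller never sees partially verified data.
func Open(key []byte, env *Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, env.AssociatedData)
	if err != nil {
		return nil, errors.New("authentication failed: record rejected")
	}
	return pt, nil
}

// FlipBit returns a copy of env with the lowest bit of the first byte flipped in
// either the associated data (inAssociated=true) or the ciphertext. It stands in
// for a record being altered in transit, whether by a fault or deliberately.
func FlipBit(env *Envelope, inAssociated bool) *Envelope {
	out := &Envelope{
		Nonce:          append([]byte(nil), env.Nonce...),
		AssociatedData: append([]byte(nil), env.AssociatedData...),
		Ciphertext:     append([]byte(nil), env.Ciphertext...),
	}
	if inAssociated && len(out.AssociatedData) > 0 {
		out.AssociatedData[0] ^= 0x01
	} else if !inAssociated {
		out.Ciphertext[0] ^= 0x01 // Ciphertext always holds at least the 16-byte tag
	}
	return out
}

func main() {
	// Constructed sample values: a fixed demo key (real keys come from key
	// management, see ISO 11770) and a record whose header stays readable.
	key := bytes.Repeat([]byte{0x42}, 32)
	header := []byte("to=alice@example.test;seq=17")
	body := []byte("transfer 100 units to account 9001")

	env, err := Seal(key, body, header)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(key, env); err == nil && bytes.Equal(pt, body) {
		fmt.Println("intact record: accepted")
	}
	if _, err := Open(key, FlipBit(env, false)); err != nil {
		fmt.Println("modified ciphertext:", err)
	}
	if _, err := Open(key, FlipBit(env, true)); err != nil {
		fmt.Println("modified header (unencrypted):", err)
	}
}
```

Note that the recipient learns only accept or reject: GCM returns no plaintext at all when the tag check fails, which is what lets the unencrypted header be trusted as much as the encrypted body.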

ISO 19772 is expected to give users confidence that their data is safe. Not only will it be useful for protecting information, but also for furthering the development of online transactions and e-businesses, and other applications involving sensitive data.

All six encryption methods specified in ISO 19772 require the originator and the recipient of the protected data to share a secret key. Key management is outside the scope of the ISO 19772 standard. Key management techniques are defined in the ISO 11770 standards family:

ISO 11770-1:1996
Information technology – Security techniques – Key management – Part 1: Framework

ISO 11770-2:2008
Information technology – Security techniques – Key management – Part 2: Mechanisms using symmetric techniques

ISO 11770-3:2008
Information technology – Security techniques – Key management – Part 3: Mechanisms using asymmetric techniques

ISO 11770-4:2006
Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets