ISO/IEC 27071

Information technology — Security techniques — Security guidelines for establishing trusted connections between device and service [Draft]

Introduction

The standard aims to provide trustworthy authentication between distributed devices (like sensors and other IoT devices) and cloud-based communications using Public Key Infrastructures and Hardware Security Modules.

Scope and objectives

In this standard, an architecture for trusted connections between devices and services is outlined, including recommendations for HSMs, establishing roots of trust, identity, authentication, and key attestation, and providing data integrity and authentication.

The content

A 30-page document.

The standard’s status

Currently, the standard is at the 4th Working Draft stage.

In 2023, it is scheduled for publication.

Commentary

The following scenario illustrates why mutual authentication is needed. Suppose your electric car keeps detailed technical information about the places it has been driven to, the way it has been driven, how much battery power it has, and so on. In exchange for a warranty extension, driving tips, or warning of issues requiring a service visit, you agree to share information with the vehicle manufacturer regularly through a 4G or 5G connection to a car monitoring app. What is the manufacturer’s method for determining that the data uploaded by your car is your car, not an altered or cloned version? How can the car monitor app ensure that it is being monitored by its manufacturer, not by some naughty hacker searching for your movements and habits for blackmail or kidnap, or by an insurance agent checking your driving record to conclude your risk profile?