The following references may be useful in determining and evaluating the protection and/or tamper resistance features of hardware tokens, software tokens and one-time password devices.
Ant Allan, Authentication Tokens: Overview, Gartner Research. DPRO-104977 (www.gartner.com)
Contains tables of:
relevant authentication algorithms and protocols from the ISO/IEC standards, ANSI standards, FIPS publications, IETF standards and ITU-T standards
hardware token standards: ISO/IEC Identification Cards standards, RSA Lab’s PKCS Cryptographic Tokens and PC/SC specifications
vendors’ authentication tokens.
ISO/IEC JTC 1/SC 27 and TC 68/SC 2*
ISO/IEC 15408 series. Information Technology - Security Techniques - Evaluation Criteria for IT Security:
Part 1: Introduction and General Model (ISO/IEC 15408-1:2005)
Part 2: Security Functional Requirements (ISO/IEC 15408-2:2005)
Part 3: Security Assurance Requirements (ISO/IEC 15408-3:2005).
ISO/IEC 15443 series. Information Technology – Security Techniques – A Framework for IT Security Assurance:
Part 1: Overview and Framework (ISO/IEC TR 15443-1:2005)
Part 2: Assurance Methods (ISO/IEC TR 15443-2:2005)
Part 3: WD TR 15443-3.
ISO/IEC 18045:2005. Information technology - Security Techniques - Methodology for IT Security Evaluation.
ISO/IEC FDIS 19790. Information Technology - Security Techniques - Security Requirements for Cryptographic Modules. (This standard has been derived from NIST Federal Information Processing Standard PUB 140-2)
ISO/IEC 21827:2002. Information Technology - Systems Security Engineering - Capability Maturity Model.
ISO/IEC NP 24745. Information Technology - Biometric Template Protection.
ISO/IEC NP 24759. Information Technology - Security Techniques – Requirements for Cryptographic Modules.
ISO/IEC NP 24761. Biometric Authentication Context.
ISO 13491 series. Banking - Secure Cryptographic Devices (retail):
Part 1: Concepts, Requirements and Evaluation Methods (ISO 13491-1:1998 / ISO/CD 13491-1)
Part 2: Security Compliance Checklists for Devices used in Financial Transactions (ISO 13491-2:2005).
ISO 19092 series. Financial Services - Biometrics:
Part 1: Security Framework (ISO/DIS 19092-1)
Part 2: Cryptographic Techniques (ISO/CD 19092-2).
*The full list of ISO/IEC standards for JTC 1/SC 27 and TC 68/SC 2 should be reviewed for new publications.
Common Criteria Protection Profiles.
Common Criteria (www.commoncriteriaportal.org)
Protection Profile – Secure Signature-Creation Device Type 1, Type 2, and Type 3. April 2002.
Public Key Infrastructure and Key Management Infrastructure Token (Medium Robustness) PP. March 2002.
Smart Card IC Platform PP. July 2001.
Smart Card IC with Multi-Application Secure Platform. January 2001.
Smart Card Integrated Circuit with Embedded Software. July 1999.
Smart Card User Group – Smart Card Protection Profile. October 2001.
U.S. Government Biometric Verification Mode Protection Profile for Medium Robustness Environments. November 2003.
Communications Electronics Security Group (www.cesg.gov.uk)
Biometric Device Protection Profile (BDPP). UK Government Biometrics Working Group. Draft Issue 0.82. 5 September 2001.
Best Practices in Testing and Reporting Performance of Biometric Devices, Version 1.0, 12 January 2000.
Other
Security Requirements for Cryptographic Modules. Federal Information Processing Standards PUB 140-2. 25 May 2001. (Note ISO/IEC 19790:2006 is derived from this standard)
Information Technology Security Evaluation Criteria (ITSEC), Harmonized Criteria of France – Germany – the Netherlands – the United Kingdom, Version 1.1, January 1991.
Department of Defense, Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985.