1、Aerospace series - LOTAR - LOng Term Archiving and Retrieval of digital technical product documentation such as 3D, CAD and PDM dataPart 005: Authentication and VerificationBS EN 9300005:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06EUROPEAN STANDARD NORME EURO
2、PENNE EUROPISCHE NORM EN 9300-005 October 2017 ICS 01.110; 35.240.30; 35.240.60; 49.020 English Version Aerospace series - LOTAR - LOng Term Archiving and Retrieval of digital technical product documentation such as 3D, CAD and PDM data - Part 005: Authentication and Verification Srie arospatiale -
3、LOTAR - Archivage long terme et rcupration des donnes techniques produits numriques telles que CAD 3D et PDM - Partie 005 : Authentification et Vrification Luft- und Raumfahrt - LOTAR - Langzeit-Archivierung und -Bereitstellung digitaler technischer Produktdokumentationen, wie zum Beispiel von 3D-,
4、CAD- und PDM-Daten - Teil 005: Authentifizierung und Verifizierung This European Standard was approved by CEN on 16 July 2017. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard
5、without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in any ot
6、her language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic
7、, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EURO
8、PEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 9300-005:2017 EN
9、ational forewordThis British Standard is the UK implementation of EN 9300005:2017.The UK participation in its preparation was entrusted to Technical Committee ACE/1, International and European Aerospace Policy and Processes.A list of organizations represented on this committee can be obtained on req
10、uest to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017ISBN 978 0 580 63780 3ICS 35.240.30; 01.110; 35.240.60; 49.0
11、20Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2017.Amendments/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS EN 9300005:2
12、017EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 9300-005 October 2017 ICS 01.110; 35.240.30; 35.240.60; 49.020 English Version Aerospace series - LOTAR - LOng Term Archiving and Retrieval of digital technical product documentation such as 3D, CAD and PDM data - Part 005: Authentication and V
13、erification Srie arospatiale - LOTAR - Archivage long terme et rcupration des donnes techniques produits numriques telles que CAD 3D et PDM - Partie 005 : Authentification et Vrification Luft- und Raumfahrt - LOTAR - Langzeit-Archivierung und -Bereitstellung digitaler technischer Produktdokumentatio
14、nen, wie zum Beispiel von 3D-, CAD- und PDM-Daten - Teil 005: Authentifizierung und Verifizierung This European Standard was approved by CEN on 16 July 2017. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the
15、 status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, Frenc
16、h, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria,
17、Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
18、Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Member
19、s. Ref. No. EN 9300-005:2017 EBS EN 9300005:2017EN 9300-005:2017 (E) 2 Contents Page European foreword . 3 1 Scope 4 2 Normative references 4 3 Terms, definitions and abbreviations . 4 4 Applicability 6 5 Authentication 6 6 Qualification methods . 9 7 Electronic signature 12 (informative) Use cases
20、and recommended solutions for issues of authentication and verification . 16 Figures Figure 1 Check and renew signature document 8 Figure 2 Concept of repair in data preparation / ingest process and retrieval process . 12 Figure 3 Creation and check of electronic signatures 14 Figure 4 Validity of e
21、lectronic signatures 14 Figure 5 Verification period of electronic signatures 15 BS EN 9300005:2017EN 9300-005:2017 (E) 3 European foreword This document (EN 9300-005:2017) has been prepared by the Aerospace and Defence Industries Association of Europe - Standardization (ASD-STAN). After enquiries a
22、nd votes carried out in accordance with the rules of this Association, this Standard has received the approval of the National Associations and the Official Services of the member countries of ASD, prior to its presentation to CEN. This European Standard shall be given the status of a national stand
23、ard, either by publication of an identical text or by endorsement, at the latest by April 2018, and conflicting national standards shall be withdrawn at the latest by April 2018. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN
24、 shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
25、 Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. B
26、S EN 9300005:2017EN 9300-005:2017 (E) 4 1 Scope EN 9300-005 describes the fundamentals and concepts of authentication and verification of the integrity of digital documents and their content during the archiving and retrieval processes. The Data Domain Parts EN 9300-x00 will specify qualification me
27、asures for the content of the document. The fundamentals given in this document cover the requirements, methods and recommendations for their implementation within an archiving system. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document an
28、d are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. EN 9300 (all parts), Aerospace series LOTAR LOng Term Archiving and Retrieval of digital technical
29、product documentation such as 3D, CAD and PDM data 3 Terms, definitions and abbreviations For the purposes of this standard, the terms, definitions and abbreviations given in EN 9300-003 and EN 9300-007 shall apply. 3.1 authentication authentication has to prove: the originality and integrity of a d
30、ocument and its contents; the identity of a user. Authentication of an electronic document establishes that the content is unchanged from to the original information. Information is original if it is demonstrable that the information belongs to the supposed author. Authentication may depend upon one
31、 or more authentication factors. Unlike verification and validation, authentication makes no statement about the quality of data in terms of usability in the archiving process chain of e.g. conversion or reuse. 3.2 asymmetric keys asymmetric keys are pairs of keys, created in one step; they can be u
32、sed in both directions. Encryption with the public key can only be decrypted with the private key; if the encryption is done with the private key, the decryption can only done with the public key; such a key pair can be used for encryption and for signing 3.2.1 public key public key is the part of t
33、he asymmetric key pair that is known to everyone BS EN 9300005:2017EN 9300-005:2017 (E) 5 3.2.2 private key private key is the part of the asymmetric key pair that is only known by the owner of the asymmetric key pair 3.3 electronic document digital representation of a defined and structured amount
34、of information which can be managed as a unit and be exchanged between users and systems; each revision of a given document is a new electronic document Copied and modified from ISO-IEC 82045 3.4 electronic signatures electronic signature is a defined method to sign an object in electronic environme
35、nts; it provides means to authenticate the signatory and the signed object in an unambiguous and safe way by attaching to or logically associating data in electronic form to other electronic objects In EN 9300 it is defined by an encrypted hash code with additional information such as time of creati
36、on and owner of the signature. ASD-STAN LOTAR distinguishes between: engineering signature; time signature. In the context of the EN 9300, an electronic signature shall be: uniquely linked to the signatory; capable of identifying the signatory; created using means that the signatory can maintain: un
37、der their sole control. linked to the data to which it relates in such a manner that: any subsequent change of the data is detectable. Note 1 to entry: This definition complies with that given by: Directive in 1999/93/EC of the European parliament and the council from the 13th of December, 1999 conc
38、erning collective basic conditions of electronic signatures. 3.4.1 engineering signature engineering signature expresses and fixes a volition of the signatory it gives evidence of: the process of testifying quality of data against process / quality requirements by linking the signature owner to the
39、data; the identity of the signatory by usage of appropriate methods of authentication; BS EN 9300005:2017EN 9300-005:2017 (E) 6 the integrity of the data by using appropriate methods protecting the signed object against unauthorized changes. 3.4.2 time signature time signature is created automatical
40、ly as part of a certified process and requires certified hardware; it provides a legal guarantee for time and owner of the data 3.5 hash code hash code is represented by a number calculated by a One-Way-Hash function. It represents the electronic document in a unique way 3.6 signer signer is an enti
41、ty that initially creates the electronic signature; when the signer digitally signs data using the prescribed format, this represents a commitment on behalf of the signing entity about the data being signed 3.7 verifier verifier is an entity that verifies evidence (ISO/IEC 13888-1); within the conte
42、xt of this document this is an entity that validates an electronic signature 3.8 trust center trust center is one or more entities that help to build trust relationships between the signer and verifier; use of some specific technical service provider (TSP) services MAY be mandated by signature polic
43、y. TSP supporting services may provide the following information: user certificates, cross-certificates, time-stamping tokens. 3.9 verification levels in the context of EN 9300 Verification Levels indicate a risk assessment; verification levels here will indicate the maximum acceptable risk for a sp
44、ecific process 4 Applicability Refer to applicability of EN 9300-001, clause 4. 5 Authentication The necessity of authentication and verification of digital information results from the legal requirement of ensuring the authenticity (originality and integrity) of stored data. 5.1 Authentication of U
45、ser The authentication of the user is necessary to ensure only authorised persons initiate controlled processes. The legal status of an engineering signature will be enhanced by means of authentication. BS EN 9300005:2017EN 9300-005:2017 (E) 7 5.1.1 Authentication by means of a PKI (Public Key Infra
46、structure) The application of a PKI is recommended to guarantee the quality of an engineering signature. Advantage: delivers a higher evidential value. Disadvantages: the need to provide an Infrastructure (PKI) with key ring administration; each release of a document creates electronic signatures wi
47、th metadata to manage. NOTE Currently there are different national laws and/or standards defining different security levels for PKI. By applying these levels different legal qualities for documents can be obtained. 5.1.2 Authentication by User Key and Password EN 9300 recommends authentication polic
48、ies based on current business practices for user keys and passwords as the initial user authentication quality level. Advantages: legal recommendations for documentation of the release process are fulfilled; there is no need for a PKI and no additional hardware for identification is required. Disadv
49、antage: the validity in the context of lawsuits is less than under PKI. 5.2 Authentication of Document and Content Applying authentication to a document and its content will improve its evidential weight in the context of legal proceedings. The authenticity of a digital document can be proved with the document hash code. In case of a change of content, a new electronic document must be created and authenticated. 5.2.1 Requirements to Hash Codes For signing and verification a hash code will be used
