INTERVIEW: REPRESENTING LUXEMBOURG AT ISO COMMITTEES

Gaetan Pradel works at INCERT as a Cryptographer. He also represents the Luxembourg National Body during ISO committees and has been a lead editor of the new edition of the two parts of the ISO/IEC 13888 series recently published. Learn more about his work in our interview.

Can you introduce yourself and explain your implication in the domain of standardization?

I am Gaetan Pradel and I work as a cryptographer at INCERT. My official role is Cryptology and IT Security officer, which actually involves several aspects. The first one is the management and advisory services on cryptography-related projects of INCERT, in particular Research and Development ones. The second one is to the fulfilment of my PhD degree in the same domain, which is done in parallel at the Royal Holloway, University of London. Finally, I also represent the Luxembourg National Body at ISO/IEC JTC1 SC27, focusing on Information Security. I endorse different roles in this sub-committee, such as expert in cryptography in the WG2 (Cryptographic and security mechanisms), as well as lead editor or co-editor of several standards.

Please describe the scope of ISO/IEC JTC 1/SC27 and the working group you are part of.

The scope of ISO/IEC JTC1 SC27 is information security. This involves several working groups, focused for example on cryptographic techniques, privacy challenges, management of information systems or evaluation criteria for various types of security hardware. I am personally strongly involved in WG2 and WG3, focused on cryptographic and security mechanisms and on security evaluation testing and specification respectively. For example, WG2 is involved in standardising encryption algorithms, while WG3 is involved in standardising Common Criteria.

What are the recent publications of the working group?

WG2 virtually met lately in September 2020. The publication of three documents has been announced during this meeting. The new edition of two parts of the ISO/IEC 13888 series, which provide new requirements and recommendations on non-repudiation, and the first amendment of ISO/IEC 18033-4 on stream ciphers. I am honoured to have been a lead editor of the new edition of the two parts of the ISO/IEC 13888 series, which are ISO/IEC 13888-1:2020 Information security – Non-repudiation – Part 1: General and ISO/IEC 13888-3:2020 Information security – Non-repudiation – Part 3: Mechanisms using asymmetric techniques. These editions were a joint work with Mr. Tomer Ashur from Belgium National Body and Mr. Grigory Marshalko from Russia National Body.

What are the changes in the recently published standards?

The new editions of the ISO/IEC 13888 series Part 1 and 3 provide valuable insights for the users, including an update of the terms and definitions and a new requirement on used hash functions in this context. Indeed, these parts of the series require now that used hash function in the context of non-repudiation shall be collision-resistant, a crucial property to ensure the security of the various non-repudiation techniques.

How does non-repudiation work and what are its benefits?

Non-repudiation is used to prevent an entity to deny one of its previous actions. For example, it is a required property in digital signatures. Let’s imagine that an entity, e.g. an individual, signs an official document, such as a very important contract with a company. Thanks to non-repudiation techniques, the individual will not be able to deny his/her signature of the document after the signature occurred.

How/Where does INCERT implement non-repudiation in its activities?

INCERT uses non-repudiation in the digital signatures of the electronic travel documents of Luxembourg. Indeed, each Luxembourgish e-Passport, e-ID and e-Residence Permit is signed by INCERT under the authority of the Ministry of the Economy in Luxembourg. For example, when a Luxembourgish citizen presents his/her e-Passport at a border control in any country, the border controller can be ensured that this document has been digitally signed by the Luxembourgish government which cannot deny it.