An Introduction to ISO 13888

How do you know that a message comes from the person whose name is upon the message, without having been altered or corrupted in the process? The answer for the ISO was to create ISO standard 13888.

ISO 13888 creates a non-repudiation scheme for verifying where messages originated and were unaltered from creation to reception. ISO standard 13888 covers the processes for verifying the sender of a message and tracking messages as they are routed from sender to recipient.

Non-repudiation is when someone or something is challenged on the validity of a claim. With regard to information technology, non-repudiation refers to services that verify the source of data or messages, so that messages are not spoofed or come from someone other than the name signed to the message.

Non-repudiation also checks the integrity of the message, such that no one has added additional information or malicious software hidden in an attachment that was not on the original message. This email verification process reduces the risk of someone receiving an email purporting to come from a legitimate organization but is in fact a phishing email or has had the contents altered.

Non-repudiation services that are ISO 13888 compliant must provide proof of who created the content in a message. ISO 13888 compliant non-repudiation services verify the identity of the sender has the ability to identify the origin of all messages, generates records that messages that were sent were received by a delivery authority and that messages were sent to the recipient.

Services that comply with ISO 13888 create records that the messages were received by the recipient and can generate records that the recipient received and opened the message. The non-repudiation service must retain logs of all these transactions that can be audited if necessary.

Non-repudiation services offers readers some protection from spoofing of emails as well a legally sound way of proving email notifications were sent but not received.

ISO standard 13338 covers digital certificates created with both symmetric and asymmetric encryption. ISO 13338 is broken into three separate parts, with each part relevant to different types of digital certificates used to confirm a sender’s identity.

ISO 13888-1 gives the general model used for handling digital certificates. ISO 13888-1 allows for two different types of evidence to verify the identity of a sender and the integrity of the message. Secure envelopes are created by symmetric cryptographic generators. Digital signatures are created by asymmetric generators. Users themselves can create digital signatures through tools like Lotus Notes.

ISO 13888-2 outlines the methods used to resolve disputes between symmetric certificates. These symmetric certificates may be generated using stream ciphers or block ciphers.

ISO 13888-3 outlines the methods used to resolve disputes between asymmetric certificates. Asymmetric encryption relies on different keys for encrypting messages. A public key is used to encrypt the message, but a private key is used to decrypt it. Asymmetric encryption systems do not need trusted third party verification of a message’s origin.

Non-repudiation of origin or NRO means that someone cannot deny sending an email that they sent. When there is NRO, someone cannot send an email promising to buy an item at a specified price and then say it was generated by a hacker. The non-repudiation of origin proves the person generated the message because it has his or her digital signature, has a time stamp, was recorded on the company’s network as coming from that person and sent to the recipient.

Non-repudiation of delivery or NRD prevents someone from saying, “I never got that message.” ISO 13888 compliant mail services will record the receipt of a message by the mail server and routing it to the intended recipient. An ISO 13888 compliant system will log when the message bounces, such as when the email account to which the message was sent no longer exists. It will also document when the person received it and generally capture if and when the message was read.

A trusted third party or TTP will verify the certificates used during encryption. An example of this is certificate authorities or certification authorities, called CA for short. While a person may not trust an email from joesmith.com, the certificate authority used to create the digital certificate and public key from the person verifies that the message is probably legitimate.

ISO 10181-4 deals with non-repudiation of digital certificates on open systems. This standard is for non-repudiation policies within a greater information security policy. Financial and medical records are held to a higher standard than other types of information.

ISO 15782-1 describes the standards for certificate management for financial services like banks. ISO 17090-3 outlines the public key infrastructure and certification authority to be used in sending health information.