ANSI ASC X9 X9.73-2017 Cryptographic Message Syntax - ASN.1 and XML.pdf

1、 American National Standard for Financial Services ANSI X9.73-2017 Cryptographic Message Syntax ASN.1 and XML Accredited Standards Committee X9, Incorporated Financial Industry Standards Date Approved: September 28, 2017 American National Standards Institute American National Standards, Technical Re

2、ports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membership agreements is prohibited without express written permission of the Accredited Standards Committee X9, Inc. For additional info

3、rmation, please contact ASC X9, Inc., 1212 West Street, Suite 200, Annapolis, MD 21401. This page left intentionally blank ANSI X9.73-2017 ASC X9, Inc. 2017 All rights reserved iii Contents Page Foreword . v Introduction vi 1 Scope 1 2 Normative references 2 3 Terms and definitions . 2 4 Symbols and

4、 abbreviated terms 7 5 Application . 8 6 Message schema . 9 6.1 XML namespace. 9 6.2 Transfer formats 9 6.3 Content type . 10 6.3.1 Content . 10 6.3.2 Identification 11 6.3.3 Encapsulation 11 6.4 Signed data 12 6.4.1 Schema definition 12 6.4.2 Signer information . 14 6.4.3 Signed attribute types . 1

5、6 6.4.4 Unsigned attributes . 25 6.4.5 Detached signatures . 26 6.4.6 Signature process . 26 6.5 Enveloped data 27 6.6 Authenticated data 29 6.6.1 Techniques . 29 6.6.2 MAC and HMAC creation 32 6.6.3 MAC and HMAC verification . 32 6.7 Digested data . 33 6.8 Encrypted data . 34 6.9 Named key encrypte

6、d data . 35 6.10 Signcrypted data 36 6.10.1 Schema definition 36 6.10.2 Processing modes . 38 7 Key management processing . 45 7.1 General . 45 7.2 Key transport . 46 7.3 Key agreement . 46 7.3.1 Operations and procedures 46 7.3.2 Key control . 46 7.3.3 Message components and processing . 48 7.4 Sym

7、metric key encryption key . 48 7.5 Password-based encryption . 48 7.6 Other key management techniques . 49 8 S/MIME formatting . 51 Annex A (normative) Abstract Schema 52 ANSI X9.73-2017 iv ASC X9, Inc. 2017 All rights reserved A.1 General 52 A.2 Information object identifiers .52 A.3 CMS schema spe

8、cification .55 A.4 CKM schema specification .64 A.5 Key agreement schema specification .66 A.6 Password-based encryption schema specification .67 A.7 CKM-Header schema specification 68 A.8 TokenizationManifest specification .73 A.9 Signcryption .75 A.10 Database Encryption Key Management 78 Annex B

9、(normative) SOAP security extensions .81 B.1 Security tokens 81 B.2 SOAP processing model .81 B.3 Attaching CMS security tokens 82 B.4 Extension syntax .82 Annex C (informative) UNIversal Financial Industry (UNIFI) 84 C.1 Overview .84 C.2 Content .85 Annex D (informative) Dynamic Symmetric Key Manag

10、ement Framework 87 D.1 Description .87 D.1.1 CKM administration .87 D.1.2 Token distribution .94 D.1.3 Secure channels 95 Annex E (informative) Database Encryption Key Management .96 E.1 Introduction 96 E.2 Single Server Initial Data Encryption Key .96 E.3 Single Server Change Data Encryption Key .9

11、7 E.4 Multiple Data Encryption Keys with Single Server.99 E.5 Multiple Data Encryption Keys with Multiple Servers 100 E.6 Multiple HMAC Keys with Multiple Servers .102 Bibliography 105 ANSI X9.73-2017 ASC X9, Inc. 2017 All rights reserved v Foreword Approval of an American National Standard requires

12、 verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially af

13、fected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution. The use of American National Standards is completely voluntary;

14、their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will

15、in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretation should be addressed to

16、 the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this s

17、tandard no later than five years from the date of approval. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards 275 West Street, Suite 107 Annapolis, MD 21401 USA X9 Online http:/www.x9.org Copyright 2010-2017 ASC X9, Inc. All rights reserved. No part of this pu

18、blication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America. ANSI X9.73-2017 vi ASC X9, Inc. 2017 All rights reserved Introduction Financial business practices have changed with

19、the introduction of computer and network-based technologies. Increased reliance on electronic transactions has heightened the need to manage the security of information and communications technology. Huge amounts in funds and securities are transferred daily by electronic communication mechanisms co

20、ntrolled by security practices based on business policies. The high value or sheer volume of such transactions within an open environment exposes the financial community to the risk of potentially severe consequences from accidental or deliberate disclosure, alteration, substitution, or destruction

21、of data. This risk is compounded by interconnected networks, and the increased number and sophistication of malicious adversaries. When financial transactions involve systemically important payment systems, these consequences may adversely affect national and global financial markets. This standard

22、defines a cryptographic message syntax that can be used to protect financial transactions and other information from the threats described above. The syntax is easily extensible in design to allow the use of any cryptographic algorithm defined in current or future standards appropriate for use by th

23、e financial services. The cryptographic syntax is suitable for the protection of the identity and rights management information critical for secure access control. The syntax provides support for data confidentiality, data integrity, data origin authentication, and non-repudiation services needed to

24、 provide strong, mutual authentication. These services can be applied to prevent innovative types of fraud such as phishing that are aimed at identity impersonation and theft, and which threaten the interests of financial institutions and their customers, the merchants, consumers and other actors of

25、 commerce. Flexibility of key management techniques is provided through support for a variety of key establishment mechanisms, including key exchange, key agreement, password-based encryption and constructive key management. These techniques can be employed to mitigate risks, and to help financial i

26、nstitutions meet the legal and regulatory requirements of protecting sensitive business information, and the personal information of their customers and employees. Use of this widely deployed syntax will lead to quick market acceptance in the financial community, lower costs due to economy of scale,

27、 and interoperability with a large number of existing standards and applications. NOTE The users attention is called to the possibility that compliance with this standard may require use of an invention covered by patent rights. By publication of this standard, no position is taken with respect to t

28、he validity of this claim or of any patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain such a license. Details may be o

29、btained from the standards developer. Suggestions for the improvement or revision of this standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401 USA. This standa

30、rd was processed and approved for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the standard does not necessarily imply that all the committee members voted for its approval. At the time this standard was approved, the X9 committee had the f

31、ollowing members: ANSI X9.73-2017 ASC X9, Inc. 2017 All rights reserved vii Roy DeCicco, X9 Chair Angela Hendershott, X9 Vice Chair Steve Stevens, Executive Director Janet Busch, Program Manager Organization Represented Representative ACI Worldwide . Doug Grote American Bankers Association . Diane P

32、oole American Express Company . David Moore Bank of America . Daniel Welch Bank of New York Mellon . Arthur Sutton Blackhawk Network . Anthony Redondo Bloomberg LP Corby Dear Capital One . Marie LaQuerre Citigroup, Inc. . Karla McKenna CLS Bank Ram Komarraju Conexxus, Inc. . Gray Taylor CUSIP Servic

33、e Bureau Gerard Faulkner Delap LLP Andrea Beatty Delap LLP .Darlene Kargel Deluxe Corporation . Angela Hendershott Diebold Nixdorf Bruce Chapa Discover Financial Services Michelle Zhang eCurrency . David Wen Federal Reserve Bank Mary Hughes First Data Corporation . Lisa Curry FIS . Stephen Gibson-Sa

34、xty Fiserv . Dan Otten FIX Protocol Ltd - FPL Jim Northey Futurex . Ryan Smith Gilbarco . Bruce Welch Harland Clarke John McCleary Hewlett Packard Terence Spies IBM Corporation Todd Arnold Independent Community Bankers of America . Cary Whaley Ingenico Rob Martin ISARA Corporation . Alexander Trusko

35、vsky ISITC . Jason Brasile ITS, Inc. (SHAZAM Networks) Manish Nathwani J.P. Morgan Chase Roy DeCicco KPMG LLP Mark Lundin MagTek, Inc. . Mimi Hart MasterCard Europe Sprl . Mark Kamers NACHA The Electronic Payments Association Priscilla Holland National Security Agency . Paul Timmel Nautilus Hyosung

36、. Joe Militello NCR Corporation David Norris Office of Financial Research, U.S. Treasury Department Thomas Brown Jr. PCI Security Standards Council . Troy Leach RouteOne Chris Irving RouteOne . Jenna Wolfe SWIFT/Pan Americas Karin DeRidder SWIFT/Pan Americas Frank Vandriessche ANSI X9.73-2017 viii A

37、SC X9, Inc. 2017 All rights reserved Symcor Inc. Debbi Fitzpatrick TECSEC Incorporated Ed Scheidt The Clearing House Sharon Jablon U.S. Bank . John King U.S. Commodity Futures Trading Commission (CFTC) . Robert Stowsky USDA Food and Nutrition Service . Kathy Ottobre Vantiv LLC John Hall VeriFone, In

38、c. . Dave Faoro VISA Kim Wagner Wayne Fueling Systems . Steven Bowles Wells Fargo Bank. Mark Schaffer At the time this standard was approved, the X9F subcommittee on Data and Information Security had the following members: Dave Faoro, X9F Chair Steven Bowles, X9F Vice Chair Organization Represented

39、Representative ACI Worldwide . Doug Grote ACI Worldwide . Dan Kinney ACI Worldwide . Julie Samson American Bankers Association . Tom Judd American Express Company Farid Hatefi American Express Company . John Timar American Express Company . Kevin Welsh Bank of America Amanda Adams Bank of America .

40、Peter Capraro Bank of America . Andi Coleman Bank of America Lawrence LaBella Bank of America . Will Robinson Bank of America Michael Smith Bank of America Daniel Welch BlackBerry Limited Daniel Brown Blackhawk Network . Vijay Bolina Blackhawk Network Anthony Redondo Bloomberg LP . Erik Anderson Blo

41、omberg LP . Corby Dear Capital One . Marie LaQuerre Capital One .Johnny Lee Cipherithm Scott Spiker comForte 21 GmbH . Thomas Gloerfeld comForte 21 GmbH Henning Horst Communications Security Establishment Jonathan Hammell Communications Security Establishment . David Smith Conexxus, Inc. Alan Thiema

42、nn ANSI X9.73-2017 ASC X9, Inc. 2017 All rights reserved ix CUSIP Service Bureau Scott Preiss Delap LLP Andrea Beatty Delap LLP David Buchanan Delap LLP Darlene Kargel Deluxe Corporation . Angela Hendershott Deluxe Corporation . Margiore Romay Deluxe Corporation Andy Vo Diebold Nixdorf Christoph Bru

43、echer Diebold Nixdorf . Andrea Carozzi Diebold Nixdorf . Bruce Chapa Diebold Nixdorf . Michael Nolte Diebold Nixdorf . Michael Ott Diebold Nixdorf . Dave Phister Discover Financial Services Cheryl Mish Discover Financial Services . Diana Pauliks Discover Financial Services . Jordan Schaefer eCurrenc

44、y . David Wen Federal Reserve Bank Patrick Adler Federal Reserve Bank Guy Berg Federal Reserve Bank Marianne Crowe Federal Reserve Bank Amanda Dorphy Federal Reserve Bank . Mary Hughes Federal Reserve Bank Heather Hultquist Federal Reserve Bank . Janet LaFrence Federal Reserve Bank Susan Pandy Feder

45、al Reserve Bank . Patti Ritter Federal Reserve Bank . Daniel Rozycki First Data Corporation . Annmarie Corrigan First Data Corporation Lisa Curry First National Bank of Omaha Kristi White FIS Chelsea Lopez FIS . John Soares FIS . Sunny Wear Fiserv . Bud Beattie Fiserv . Dan Otten Futurex. Ryan Smith

46、 GEOBRIDGE Corporation Donna Gem GEOBRIDGE Corporation . Jason Way Gilbarco Scott Turner Gilbarco . Bruce Welch Harland Clarke . Joseph Filer Heartland Payment Systems Scott Meeker Hewlett Packard Luther Martin Hewlett Packard Terence Spies IBM Corporation . Todd Arnold Independent Community Bankers

47、 of America Cary Whaley Ingenico . Rob Martin ANSI X9.73-2017 x ASC X9, Inc. 2017 All rights reserved ISARA Corporation Mike Brown ISARA Corporation Alexander Truskovsky ITS, Inc. (SHAZAM Networks) . Manish Nathwani J.P. Morgan Chase. Bruce Geller J.P. Morgan Chase Kathleen Krupa J.P. Morgan Chase J

48、ackie Pagn J.P. Morgan Chase. Darryl Scott K3DES LLC . Azie Amini KPMG LLP . Mark Lundin MagTek, Inc Jeff Duncan MagTek, Inc Mimi Hart MasterCard Europe Sprl . Mark Kamers MasterCard Europe Sprl Joshua Knopp MasterCard Europe Sprl Larry Newell MasterCard Europe Sprl Adam Sommer MasterCard Europe Spr

49、l Michael Ward National Institute of Standards and Technology (NIST) . Elaine Barker National Institute of Standards and Technology (NIST) Lily Chen National Institute of Standards and Technology (NIST) . Paul Grassi National Security Agency Mike Boyle National Security Agency Paul Timmel Nautilus Hyosung Joe Militello Nautilus Hyosung . Jay Shin NCR Corporation . Tanika Eng NCR Corporation Charlie Harrow NCR Corporation .David Norris Onboard Security Mark Etzel Onboard Security Virendra Kumar Onboard Security William Whyte Onboard Security Lee Wilson O