ANSI INCITS ISO IEC 14888-1-2008 Information technology - Security techniques - Digital signatures with appendix - Part 1 General.pdf

1、 INCITS/ISO/IEC 14888-1:20082010 (ISO/IEC 14888-1:2008, IDT) Information technology - Security techniques - Digital signatures with appendix - Part 1: General Reaffirmed as INCITS/ISO/IEC 14888-1:2008 R2015INCITS/ISO/IEC 14888-1:20082010 PDF disclaimer This PDF file may contain embedded typefaces. I

2、n accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Ad

3、obes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized fo

4、r printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technolog

5、y Standards) as an American National Standard. Date of ANSI Approval: 2/22/10 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2010 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyrig

6、ht claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an ele

7、ctronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1101 K Street NW, Suite 610, Washington DC 20005. Printed in the United States of America ii ITIC 2010 All rights reserved ISO/IEC 14888-1:2008(E) ISO/IEC 2008

8、All rights reserved iiiContents Page Foreword iv Introduction v 1 Scope 1 2 Normative references 1 3 Terms and definitions .1 4 Symbols, conventions, and legend for figures.3 4.1 Symbols 3 4.2 Coding convention 4 4.3 Legend for figures .4 5 General4 6 General model5 7 Options for binding signature m

9、echanism and hash-function.6 8 Key generation.6 9 Signature process7 9.1 General7 9.2 Computing the signature 7 9.3 Constructing the appendix .7 9.4 Constructing the signed message.7 10 Verification process 8 Annex A (informative) On hash-function identifiers 10 Bibliography 11 ISO/IEC 14888-1:2008(

10、E) iv ISO/IEC 2008 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of

11、International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in li

12、aison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint te

13、chnical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention i

14、s drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 14888-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcomm

15、ittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 14888-1:1998), which has been technically revised. ISO/IEC 14888 consists of the following parts, under the general title Information technology Security techniques Digital signatures with append

16、ix: Part 1: General Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms ISO/IEC 14888-1:2008(E) ISO/IEC 2008 All rights reserved vIntroduction Digital signature mechanisms are asymmetric cryptographic techniques which can be used to provide entity authenticatio

17、n, data origin authentication, data integrity and non-repudiation services. There are two types of digital signature mechanisms: When the verification process needs the message as part of the input, the mechanism is called a “signature mechanism with appendix”. A hash-function is used in the calcula

18、tion of the appendix. When the verification process reveals all or part of the message, the mechanism is called a “signature mechanism giving message recovery”. A hash-function is also used in the generation and verification of these signatures. Signature mechanisms with appendix are specified in IS

19、O/IEC 14888. Signature mechanisms giving message recovery are specified in ISO/IEC 9796. Hash-functions are specified in ISO/IEC 10118. INTERNATIONAL STANDARD ISO/IEC 14888-1:2008(E) ISO/IEC 2008 All rights reserved 1Information technology Security techniques Digital signatures with appendix Part 1:

20、 General 1 Scope ISO/IEC 14888 specifies several digital signature mechanisms with appendix for messages of arbitrary length. This part of ISO/IEC 14888 contains general principles and requirements for digital signatures with appendix. It also contains definitions and symbols which are used in all p

21、arts of ISO/IEC 14888. Various means are available to obtain a reliable copy of the public verification key, e.g., a public key certificate. Techniques for managing keys and certificates are outside the scope of ISO/IEC 14888. For further information, see ISO/IEC 9594-8 4, ISO/IEC 11770-3 3 and ISO/

22、IEC 15945 5. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. None. 3 Terms

23、 and definitions For the purposes of this document, the following terms and definitions apply. 3.1 appendix string of bits formed by the signature and an optional text field 3.2 collision-resistant hash-function hash-function satisfying the following property: it is computationally infeasible to fin

24、d any two distinct inputs which map to the same output NOTE Computational feasibility depends on the specific security requirements and environment. ISO/IEC 10118-1 3.3 data element integer, bit string, set of integers or set of bit strings ISO/IEC 14888-1:2008(E) 2 ISO/IEC 2008 All rights reserved3

25、.4 domain set of entities operating under a single security policy EXAMPLES public key certificates created by a single authority or by a set of authorities using the same security policy 3.5 domain parameter data element which is common to and known by or accessible to all entities within the domai

26、n 3.6 hash-code string of bits which is the output of a hash-function ISO/IEC 10118-1 3.7 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: for a given output, it is computationally infeasible to find an input which maps to th

27、is output; for a given input, it is computationally infeasible to find a second input which maps to the same output NOTE 1 Computational feasibility depends on the specific security requirements and environment. NOTE 2 This definition of hash-function is referred to as one-way hash-function. ISO/IEC

28、 10118-1 3.8 identification data sequence of data elements, including the distinguishing identifier for an entity, assigned to an entity and used to identify it NOTE The identification data may additionally contain data elements such as identifier of the signature process, identifier of the signatur

29、e key, validity period of the signature key, restrictions on key usage, associated security policy parameters, key serial number, or domain parameters. 3.9 key pair pair consisting of a signature key and a verification key, i.e., a set of data elements that shall be totally or partially kept secret,

30、 to be used only by the signer; a set of data elements that can be totally made public, to be used by any verifier 3.10 message string of bits of any length 3.11 parameter integer, bit string or hash-function 3.12 signature one or more data elements resulting from the signature process ISO/IEC 14888

31、-1:2008(E) ISO/IEC 2008 All rights reserved 33.13 signature key set of private data elements specific to an entity and usable only by this entity in the signature process NOTE Sometimes called a private signature key in other standards, e.g. ISO/IEC 9796-2, ISO/IEC 9796-3 and ISO/IEC 9798-3. 3.14 si

32、gnature process process which takes as inputs the message, the signature key and the domain parameters, and which gives as output the signature 3.15 signed message set of data elements consisting of the signature, the part of the message which cannot be recovered from the signature, and an optional

33、text field NOTE In the context of this part of ISO/IEC 14888, the entire message is included in the signed message and no part of the message is recovered from the signature. 3.16 verification key set of public data elements which is mathematically related to an entitys signature key and which is us

34、ed by the verifier in the verification process NOTE Sometimes called a public verification key in other standards, e.g. ISO/IEC 9796-2, ISO/IEC 9796-3 and ISO/IEC 9798-3. 3.17 verification process process which takes as input the signed message, the verification key and the domain parameters, and wh

35、ich gives as output the result of the signature verification: valid or invalid 4 Symbols, conventions, and legend for figures 4.1 Symbols Throughout all parts of ISO/IEC 14888 the following symbols are used. H hash-code K randomizer M message R first part of a signature NOTE First part of a signatur

36、e R is alternatively called a witness. R recomputed first part of a signature S second part of a signature X signature key Y verification key ISO/IEC 14888-1:2008(E) 4 ISO/IEC 2008 All rights reservedZ set of domain parameters signature A mod N the unique integer B from 0 to N 1 so that N divides A

37、B A B (mod N) Integer A is congruent to integer B modulo N, i.e. (A B) mod N = 0. 4.2 Coding convention All integers in all parts of ISO/IEC 14888 are written with the most significant digit (or bit, or byte) in the leftmost position. 4.3 Legend for figures The following legend for figures is used i

38、n all parts of ISO/IEC 14888. 5 General The mechanisms specified in ISO/IEC 14888 are based upon asymmetric cryptographic techniques. Every asymmetric digital signature mechanism involves three basic operations. A process for generating pairs of keys, where each pair consists of a signature key and

39、the corresponding verification key. A process using the signature key called the signature process. When, for a given message and signature key, the probability of obtaining the same signature twice is negligible, the operation is probabilistic. procedure principal procedure optional principal proce

40、dure data flow optional data flow two data flows of which at least one is mandatory optional data data another optional data flow ISO/IEC 14888-1:2008(E) ISO/IEC 2008 All rights reserved 5 When, for a given message and signature key, all the signatures are identical, the operation is deterministic.

41、A process using the verification key called the verification process. The verification of a digital signature requires the signers verification key. It is thus essential for a verifier to be able to associate the correct verification key with the signer, or more precisely, with (parts of) the signer

42、s identification data. If this association is somehow inherent in the verification key itself, the scheme is said to be “identity-based”. If not, the association between the correct verification key with the signers identification data shall be provided by a certificate for the verification key. The

43、 scheme is then said to be “certificate-based”. 6 General model A digital signature mechanism with appendix is defined by the specification of the following processes: key generation process; signature process; verification process. In the signature process, the signer computes a digital signature f

44、or a given message. The signature, together with an optional text field, forms the appendix, which is appended to the message to form the signed message. Figure 1 Signed message Depending on the application, there are different ways of forming the appendix and associating it with the message. The ge

45、neral requirement is that the verifier is able to relate the correct signature to the message. For successful verification it is also essential that, prior to the verification process, the verifier is able to associate the correct verification key with the signature. The optional text field can be u

46、sed for transmitting the signers identification data or an authenticated copy of the signers verification key to the verifier. In some cases the signers identification data may need to be part of the message M, so that it is protected by the signature. A digital signature mechanism shall satisfy the

47、 following requirements: Given only the verification key and not the signature key it is computationally infeasible to produce any message and a valid signature for this message. The signatures produced by a signer can neither be used for producing any new message and a valid signature for this mess

48、age nor for recovering the signature key. It is computationally infeasible, even for the signer, to find two different messages with the same signature. NOTE Computational feasibility depends on the specific security requirements and environment. message M text t signature ISO/IEC 14888-1:2008(E) 6

49、ISO/IEC 2008 All rights reserved7 Options for binding signature mechanism and hash-function Use of the signature schemes specified in this standard requires the selection of a collision-resistant hash-function. There shall be a binding between the signature mechanism and the hash-function in use. Without such a binding, an adversary might claim the use of a weak hash-function (