ANSI INCITS ISO IEC 9798-6-2005 Information technology - Security techniques - Entity authentication - Part 6 Mechanisms using manual data transfer.pdf

1、INCITS/ISO/IEC 9798-6:20052008 (ISO/IEC 9798-6:2005, IDT) Information technology Security techniques Entity authentication Part 6: Mechanisms using manualdata transferINCITS/ISO/IEC 9798-6:20052008(ISO/IEC 9798-6:2005, IDT)INCITS/ISO/IEC 9798-6:20052008 ii ITIC 2008 All rights reserved PDF disclaime

2、r This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accep

3、t therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the fi

4、le; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (

5、InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/2/2008 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2008 by Information Technology Industry Council (ITI). All right

6、s reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publicati

7、on may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America iiiContents PageForewordivIn

8、troductionv1 Scope . 12 Normative references . 13 Terms and definitions. 14 Symbols and abbreviated terms . 25 Requirements 36 Mechanisms using a short check-value. 46.1 General. 46.2 Mechanism 1 One device with simple input, one device with simple output 46.2.1 Requirements 46.2.2 Specification of

9、data exchanged. 46.2.3 Manual authentication certificates 56.3 Mechanism 2 Devices with simple input capabilities 66.3.1 Requirements 66.3.2 Specification of data exchanged. 67 Mechanisms using a MAC 77.1 General. 77.2 Mechanism 3 Devices with simple output capabilities 77.2.1 General. 77.2.2 Requir

10、ements 77.2.3 Specification of data exchanged in mechanism 3a. 77.2.4Specification of data exchanged in mechanism 3b97.3 Mechanism 4 One device with simple input, one device with simple output 107.3.1 General. 107.3.2 Requirements 107.3.3 Specification of data exchanged in mechanism 4a. 107.3.4 Spec

11、ification of data exchanged in mechanism 4b 11Annex A (informative) Using manual authentication protocols for the exchange of secret keys . 12A.1 General. 12A.2 Authenticated Diffie-Hellman key agreement 12A.3 Authenticated Diffie-Hellman key agreement using a manual authentication certificate . 12A

12、.3.1 General. 12A.3.2 Stage 1 . 13A.3.3 Stage 2 (initiated by either device at some later time)13A.4 More than two components . 13Annex B (informative) Using manual authentication protocols for the exchange of public keys . 14B.1 General. 14B.2 Requirements 14B.3 Private key generated in device 14B.

13、4 Private key generated externally. 15Annex C (informative) On mechanism security and choices for parameter lengths 16C.1 General. 16C.2 Use of mechanisms 1 and 2. 16C.3 Use of mechanisms 3 and 4. 17Annex D (informative) A method for generating short check-values 18D.1 General . 18Bibliography . 20I

14、NCITS/ISO/IEC 9798-6:20052008 ITIC 2008 All rights reservediv ForewordISO (the International Organization for Standardization) and IEC (the International ElectrotechnicalCommission) form the specialized system for worldwide standardization. National bodies that are members ofISO or IEC participate i

15、n the development of International Standards through technical committeesestablished by the respective organization to deal with particular fields of technical activity. ISO and IECtechnical committees collaborate in fields of mutual interest. Other international organizations, governmentaland non-g

16、overnmental, in liaison with ISO and IEC, also take part in the work. In the field of informationtechnology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task

17、of the joint technical committee is to prepare International Standards. Draft InternationalStandards adopted by the joint technical committee are circulated to national bodies for voting. Publication asan International Standard requires approval by at least 75 % of the national bodies casting a vote

18、.Attention is drawn to the possibility that some of the elements of this document may be the subject of patentrights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 9798-6 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology

19、,Subcommittee SC 27, IT Security techniques.ISO/IEC 9798 consists of the following parts, under the general title Information technology Securitytechniques Entity authentication: Part 1: General Part 2: Mechanisms using symmetric encipherment algorithms Part 3: Mechanisms using digital signature tec

20、hniques Part 4: Mechanisms using a cryptographic check function Part 5: Mechanisms using zero-knowledge techniques Part 6: Mechanisms using manual data transferINCITS/ISO/IEC 9798-6:20052008 ITIC 2008 All rights reservedvIntroductionWithin networks of communicating devices it is often necessary for

21、two devices to perform an entityauthentication procedure using a channel which may be subject to both passive and active attacks, wherean active attack may include a malicious third party introducing data into the channel and/or modifying, deletingor repeating data legitimately sent on the channel.

22、Other parts of this International Standard describe entityauthentication mechanisms applicable when the two devices share a secret key, or where one device has anauthenticated copy of a public key for the other device.In this part of ISO/IEC 9798, entity authentication mechanisms, referred to as man

23、ual authenticationmechanisms, are specified where there is no such assumption of pre-established keying relationships.Instead entity authentication is achieved by manually transferring short data strings from one device to theother, or by manually comparing short data strings output by the two devic

24、es.For the purposes of this part of ISO/IEC 9798, the meaning of the term entity authentication is different to themeaning applied in other parts of ISO/IEC 9798. Instead of one device verifying that the other device has aclaimed identity (and vice versa), both devices in possession of a user verify

25、 that they correctly share a datastring with the other device at the time of execution of the mechanism. Of course, this data string couldcontain identifiers for one or both of the devices.As described in informative annexes A and B, a manual authentication mechanism may be used as the basisfor secr

26、et key establishment or reliable exchange of public keys. A manual authentication mechanism couldalso be used for reliable exchange of other secret or public security parameters, including security policystatements or timestamps.INCITS/ISO/IEC 9798-6:20052008 ITIC 2008 All rights reservedAMERICAN NA

27、TIONAL STANDARD INCITS/ISO/IEC 9798-6:200520081Information technology Security techniques Entityauthentication 1 ScopeThis part of ISO/IEC 9798 specifies four entity authentication mechanisms based on manual data transferbetween authenticating devices. As described in Annexes A and B, these mechanis

28、ms may be used tosupport key management functions; guidance on secure choice of parameters for the mechanisms is providedin Annex C.Such mechanisms may be appropriate in a variety of circumstances. One such application occurs in personalnetworks, where the owner of two personal devices capable of wi

29、reless communications wishes them toperform an entity authentication procedure as part of the process of preparing them for use in the network.2 Normative referencesThe following referenced documents are indispensable for the application of this document. For datedreferences, only the edition cited

30、applies. For undated references, the latest edition of the referenceddocument (including any amendments) applies.ISO/IEC 9798-1:1997, Information technology Security techniques Entity authentication Part 1: General3 Terms and definitionsFor the purposes of this document, the terms and definitions gi

31、ven in ISO/IEC 9798-1 and the followingapply.3.1check-valuestring of bits, computed as the output of a check-value function, sent from the data originator to data recipientthat enables the recipient of data to check its correctness3.2check-value functionfunction f which maps strings of bits and a sh

32、ort secret key, i.e. a key that can readily be entered into or readfrom a user device, to fixed-length strings of bits, satisfying the following properties: for any key k and any input string d, the function f(d, k) can be computed efficiently; it shall be computationally infeasible to find a pair o

33、f data strings (d, d) for which the number of keyswhich satisfy f(d, k) = f(d, k) is more than a small fraction of the possible set of keys.NOTE 1 In practice, a short key would typically contain 4-6 digits or alphanumeric characters.Part 6:Mechanisms using manual data transferNOTE 2 In practice, se

34、curity is maximized if the set of possible outputs from the check-value function is the same sizeas the set of possible keys. ITIC 2008 All rights reserved2 3.3data origin authenticationcorroboration that the source of data received is as claimedISO 7498-23.4manual authentication certificatecombinat

35、ion of a secret key and a check value generated by one of the two devices engaging in manualauthentication, with the property that, when entered into the other device, these values can be used tocomplete the manual authentication process at some later time3.5Message Authentication CodeMACstring of b

36、its which is the output of a MAC algorithmISO/IEC 9797-13.6Message Authentication Code algorithmMAC algorithmalgorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits,satisfying the following properties: for any key and any input string the functi

37、on can be computed efficiently; for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute thefunction value on any new input string, even given knowledge of the set of input strings andcorresponding function values, where the value of the ith input strin

38、g may have been chosen afterobserving the value of the first i-1 function values.ISO/IEC 9797-13.7manual entity authenticationprocess achieving entity authentication between two devices using a combination of message exchanges viaa (potentially insecure) communications channel and the manual transfe

39、r of limited amounts of data betweenthe devices3.8simple input interfaceinterface for a device that shall allow the user to indicate to the device the successful or unsuccessfulcompletion of a procedure, e.g. as could be implemented as a pair of buttons or a single button which is eitherpressed or n

40、ot within a certain time interval3.9simple output interfaceinterface for a device that shall allow the device to indicate to the user the successful or unsuccessfulcompletion of a procedure, e.g. as could be implemented by red and green lights or as single light which is litin different ways to indi

41、cate success or failure4 Symbols and abbreviated termsA, B Labels used for the two devices engaging in a manual entity authentication mechanismD Data string whose value is established between devices A and B as the result of performinga manual entity authentication mechanismINCITS/ISO/IEC 9798-6:200

42、52008 ITIC 2008 All rights reserved3IA, IBDistinguishing identifiers of A and B respectively.K (Short) secret key used with a check-value function in mechanisms 1 and 2KA, KAi, KB, KBiRandom MAC keys used in mechanisms 3 and 4MAC Message Authentication CodeR (Short) random bit-string used in mechani

43、sms 3 and 45 RequirementsThe authentication mechanisms specified in this part of ISO/IEC 9798 have the following requirements.a) The pair of devices performing the manual authentication procedure shall be connected via acommunications link (e.g. a wireless link). No security assumptions are made reg

44、arding this link; that is,the mechanisms are designed to operate securely even in an environment where an attacker can monitorand change data transferred on this link.b) The pair of devices performing the manual authentication procedure shall both have a user interfacecapable of data input and data

45、output.c) The user data input interface for a device shall, at minimum, be capable of indicating successful orunsuccessful completion of a procedure (e.g. as could be implemented by using either two buttons or asingle button which is either pressed or not within a certain time interval); such a mean

46、s of data input isreferred to below as a simple input interface. By contrast, a standard input interface shall provide meansfor the input of a short string of symbols, e.g. a numeric, hexadecimal or alphanumeric keypad. Unlessexplicitly stated otherwise, it is necessary that every device has a stand

47、ard means of data input.d) The user data output interface for a device shall, at minimum, be capable of indicating either success orfailure of an authentication procedure (e.g. as could be implemented by means of red and green lights);such a means of data output is referred to below as a simple outp

48、ut interface. By contrast, a standardoutput interface shall provide means for the output of a short string of symbols, e.g. a numeric,hexadecimal or alphanumeric display. Unless explicitly stated otherwise, it is necessary that every devicehas a standard means of data output.e) For mechanisms 1 and

49、2, the two devices performing the entity authentication procedure shall haveagreed on the use of a specific check-value function, and shall have the means to implement thisfunction.NOTE Guidance on appropriate choices for check-value functions and lengths for check-values and random keysfor use in mechanisms 1 and 2 is provided in Annex C. A construction for an unconditionally secure check-valuefunction suitable for use with mechanisms 1 and 2 is given in Annex D.f) For mechanisms 3 and 4, the t