ANSI X9.44-2007 Key Establishment Using Integer Factorization Cryptography《使用整数因数分解密码系统的密钥确定》.pdf

1、i ASC X9 Inc., 2007 all rights reserved American National Standard for Financial Services ANSI X9.442007 Public-Key Cryptography for the Financial Services Industry Key Establishment Using Integer Factorization Cryptography Accredited Standards Committee X9, Incorporated Financial Industry Standards

2、 Date Approved: August 24, 2007 American National Standards Institute Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.44- 2007 ii ASC X9 Inc., 2007 all rights reservedCo

3、ntents Page Foreword. vii Introduction . viii 1 Scope . 1 2 Normative references . 2 3 Terms and definitions. 2 4 Symbols and abbreviated terms . 7 5 Overview and organization 14 5.1 General. 14 5.2 Compatibility modes. 15 5.3 Organization 15 6 Security levels. 16 7 Data conversion primitives 17 7.1

4、 Overview 17 7.2 Integer to Octet String Primitive (I2OSP) 17 7.3 Octet String to Integer Primitive (OS2IP) . 18 8 Components from other X9 sources. 19 8.1 Overview 19 8.2 Random number (bit) generators (RNGs) 19 8.3 Prime number generators 19 8.4 Primality testing methods 19 8.5 Hash functions 20 8

5、.6 Message authentication codes 20 8.7 Symmetric key-wrapping schemes. 22 8.8 Signature schemes with appendix 22 9 Additional components 23 9.1 Overview 23 9.2 Mask generation functions 23 9.2.1 Overview 23 9.2.2 MGF1 23 9.3 Key derivation functions 24 9.3.1 Overview 24 9.3.2 KDF2/KDF3 25 10 Public-

6、key components . 27 10.1 Overview 27 10.2 RSA key pairs 27 10.3 RSA key pair generators 28 10.3.1 RSAKPG1 family: RSA key pair generation with a fixed public exponent 29 10.3.2 RSAKPG2: RSA key pair generation with a random public exponent 32 10.4 RSA key pair validation 35 10.4.1 Overview 35 10.4.2

7、 RSAKPV1: RSA Key Pair Validation with a Fixed Exponent 36 10.4.3 RSAKPV2: RSA Key Pair Validation with a Random Exponent . 39 10.5 Partial public-key validation and plausibility tests . 43 10.5.1 Overview 43 Copyright American National Standards Institute Provided by IHS under license with ANSI Not

8、 for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.442007 ASC X9 Inc., 2007 all rights reserved iii10.5.2 Plausible Size Tests 44 10.5.3 Plausible size and value tests44 10.6 Encryption and decryption primitives.46 10.6.1 Overview.46 10.6.2 RSAEP 46 10.6.3 RSADP

9、47 10.7 Asymmetric encryption schemes 49 10.7.1 Overview.49 10.7.2 RSAES-OAEP.49 10.7.3 RSAES-KEM-KWS .56 10.8 Secret-value encapsulation scheme .60 10.8.1 Overview.60 10.8.2 RSASVES161 11 Key management considerations for public and private keys .63 11.1 Overview.63 11.2 Public-key distribution63 1

10、1.3 Assurance of possession of the private key associated with the public key.63 11.4 Key usage.63 11.5 Assurances of key pair and public-key validity .64 11.5.1 Owner assurances of key pair validity 64 11.5.2 User assurances of public-key validity .66 12 Key confirmation .67 12.1 Overview.67 12.2 O

11、peration68 12.3 MAC data 68 13 Key agreement schemes 69 13.1 Overview.69 13.2 KAS1 family: Key agreement based on secret-value encapsulation .70 13.2.1 Overview.70 13.2.2 Common components.70 13.2.3 kas1-basic 72 13.2.4 kas1-responder-confirmation.74 13.2.5 kas1-bilateral-confirmation.76 13.2.6 kas1

12、-bilateral-confirmation-initiator-authentication 79 14 Key transport schemes.82 14.1 Overview.82 14.2 KTS1 family: Key transport based on asymmetric encryption.82 14.2.1 Overview.82 14.2.2 Common components.82 14.2.3 kts1-basic .84 14.2.4 kts1-receiver-confirmation .86 Annex A (normative) Compatibil

13、ity Components 89 A.1 Overview.89 A.2 US-ASCII to Octet String Primitive (ASC2OSP)89 A.3 PRF-TLS89 A.4 RSA Signature Primitive (RSASP) .91 A.5 RSA Verification Primitive (RSAVP) 91 A.6 RSAES-PKCS1-v1_592 A.6.1 Overview.92 A.6.2 Encryption operation 92 A.6.3 Decryption operation 93 A.7 RSASVES-TLS95

14、Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.44- 2007 iv ASC X9 Inc., 2007 all rights reservedA.7.1 Overview 95 A.7.2 Generation operation 95 A.7.3 Recovery operation

15、 96 A.8 RSASSA-TLS. 98 A.8.1 Overview 98 A.8.2 Signature operation 98 A.8.3 Verification operation. 99 Annex B (normative) ASN.1 Syntax 101 B.1 Overview 101 B.2 Useful types and definitions 101 B.3 Components from other X9 sources. 102 B.3.1 Overview 102 B.3.2 Hash functions 102 B.3.3 Message authen

16、tication codes 104 B.3.4 Symmetric key-wrapping schemes. 105 B.3.5 Signature schemes with appendix 106 B.4 Additional components 106 B.4.1 Overview 106 B.4.2 MGF1 106 B.4.3 KDF2. 107 B.4.4 KDF3. 107 B.5 Public-key components . 107 B.5.1 Overview 107 B.5.2 Public and private keys 107 B.5.3 RSAES-OAEP

17、 109 B.5.4 RSAES-KEM-KWS. 110 B.5.5 RSASVES1. 111 B.6 Key establishment schemes 111 B.6.1 Overview 111 B.6.2 KAS1 family. 112 B.6.3 KTS1 family . 116 B.7 Compatibility components. 118 B.7.1 Overview 118 B.7.2 PRF-TLS. 118 B.7.3 RSAES-PKCS1-v1_5 . 118 B.7.4 RSASVES-TLS. 119 B.7.5 RSASSA-TLS. 119 B.8

18、ASN.1 module 119 Annex C (informative) Security Considerations 132 C.1 Overview 132 C.2 RSA Problem. 132 C.3 Integer factoring 134 C.4 RSA key pairs 135 C.4.1 Overview 135 C.4.2 Key size 135 C.4.3 Prime factors . 135 C.4.4 Public exponent 136 C.4.5 Private exponent. 137 C.4.6 Private-key representat

19、ion. 137 C.5 Public-key techniques 137 C.5.1 Encryption and decryption primitives 137 C.5.2 Asymmetric encryption schemes . 137 C.5.3 Secret-value encapsulation schemes. 138 C.5.4 Signature schemes with appendix 139 C.6 Key establishment schemes 139 C.6.1 KAS1 family. 141 Copyright American National

20、 Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.442007 ASC X9 Inc., 2007 all rights reserved vC.6.2 KTS1 family 142 C.7 Side-channel attacks.142 C.8 Hash Functions143 Annex D (informative) Assuran

21、ce of Validity for RSA Public Keys 144 D.1 Introduction144 D.2 Assurance through validation144 D.3 Motivations for checking public keys .145 D.4 Relying on other parties .146 D.5 Full public-key validation147 Annex E (informative) TLS Profile of KAS1 Family149 E.1 Overview.149 E.2 TLS handshake with

22、 server authentication 149 E.3 TLS handshake with mutual authentication .152 E.4 Summary of TLS messages153 E.5 Recommended enhancements.154 E.6 Assurance of public-key validity in TLS .155 Annex F (informative) ANS X9.73 and S/MIME CMS Profile of KTS1 Family.156 F.1 Overview.156 F.2 kts1-basic para

23、meters.156 F.3 Summary of protocol fields156 F.4 Recommended enhancements.157 Annex G (informative) Supporting Algorithms.159 G.1 Greatest common divisor .159 G.2 Least common multiple 160 G.3 Modular inverse .160 G.4 Prime factor recovery162 G.5 Enhanced Miller-Rabin Provable Compositeness / Probab

24、ilistic Primality Test163 Annex H (informative) Examples .165 H.1 Example values for rsakpg1-basic 165 H.2 Example values for rsakpg1-prime-factor.167 H.3 Example Values for RSAkpg1-crt.169 H.4 Example values for RSAEP 172 H.5 Example values for RSADP 174 H.6 Example values for RSAES-OAEP.Encrypt 17

25、6 Inputs: 176 Outputs 177 Support Values .178 H.7 Example values for RSAES-KEM-KWS.Encrypt.179 Inputs: 179 Outputs:.180 H.8 Example values for KAS1-basic.181 Step 1 - Initiator.181 Step 2 - Responder.184 Step 3 Initiator186 Support Values .186 H.9 Example values for KTS1-basic .186 Step 1 - Sender18

26、6 Step 2 Responder 188 Support Values .189 Bibliography191 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.44- 2007 vi ASC X9 Inc., 2007 all rights reservedFigures Figur

27、e 1: RSAES-OAEP encryption operation. 53 Figure 2: RSAES-OAEP decryption operation. 56 Figure 3: RSAES-KEM-KWS encryption operation . 58 Figure 4: RSAES-KEM-KWS decryption operation . 60 Figure 5: kas1-basic scheme. 74 Figure 6: kas1-responder-confirmation scheme 76 Figure 7: kas1-bilateral-confirma

28、tion scheme 78 Figure 8: kas1-bilateral-confirmation-initiator-authentication scheme . 81 Figure 9: kts1-basic scheme 85 Figure 10: kts1-receiver-confirmation scheme. 88 Figure E.1: TLS handshake with server authentication, as a profile of kas1-bilateral-confirmation 152 Figure E.2: TLS handshake wi

29、th mutual authentication, as a profile of kas1-bilateral-confirmation-initiator-authentication . 153 Tables Table 1: Recommended algorithms and minimum key sizes. . 17 Table C.1: Corresponding RSA and symmetric key sizes based on GNFS running time. 134 Table C.2: Security assurances provided by the

30、key establishment schemes 140 Table E.1: TLS with server authentication as a profile of KAS1 150 Table E.2: Additional elements in TLS with mutual authentication, as a profile of KAS1 152 Table E.3: Proposed enhancements to TLS profile. 155 Table F.1: ANS X9.73 and S/MIME CMS KeyTransRecipientInfo a

31、s a profile of kts1-basic 157 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.442007 ASC X9 Inc., 2007 all rights reserved viiForeword Approval of an American National S

32、tandard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly a

33、nd materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution. The use of American National Standards is comple

34、tely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Institute does not develop sta

35、ndards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretation should

36、 be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or

37、 withdraw this standard no later than five years from the date of approval. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards P.O. Box 4035 Annapolis, MD 21403 USA X9 Online http:/www.x9.org Copyright 2007 ASC X9, Inc. All rights reserved. No part of this publ

38、ication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America. Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction o

39、r networking permitted without license from IHS-,-,-ANSI X9.44- 2007 viii ASC X9 Inc., 2007 all rights reservedIntroduction This Standard specifies key establishment schemes using public-key cryptography based on the integer factorization problem. Two types of key establishment schemes are specified

40、. In the first type, key transport, one party selects keying material and conveys it to the other party with cryptographic protection. In the second, key agreement, both parties actively share in the establishment of the keying material. The keying material may consist of one or more individual keys

41、 used to provide other cryptographic services that are outside the scope of this Standard, e.g. data confidentiality, data integrity, or symmetric-key-based key establishment. NOTE The users attention is called to the possibility that compliance with this standard may require use of an invention cov

42、ered by patent rights. By publication of this Standard, no position is taken with respect to the validity of this claim or of any patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscrim

43、inatory terms and conditions to applicants desiring to obtain such a license. Details may be obtained from the standards developer. Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc.,

44、Financial Industry Standards, P.O. Box 4035, Annapolis, MD 21403 USA. This Standard was processed and approved for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for

45、 its approval. The X9 committee had the following members: James Shaffer, X9 Chairman Vincent DeSantis, X9 Vice-Chairman Cynthia Fuller, Executive Director Susan Yashinskie, Managing Director Organization Represented Representative ACI Worldwide James Shaffer American Bamkers Association C. Diane Po

46、ole American Financial Services Association Mark Zalewski American Express Company John Allen Bank of America Daniel Welch Certicom Corporation Daniel Brown Citigroup, Inc. Mike Halpern Clarke American Checks Inc. John W. McCleary CUSIP Service Bureau James Taylor Deluxe Corporation John FitzPatrick

47、 Diebold, Inc. Bruce Chapa Discover Financial Services Katie Howser Federal Reserve Bank Dexter Holt First Data Corporation Elizabeth Lynn Fiserv Skip Smith FSTC, Financial Services Consortium Daniel Schutzer Hewlett Packard Larry Hines Hypercom Scott SpikerCopyright American National Standards Inst

48、itute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSI X9.442007 ASC X9 Inc., 2007 all rights reserved ixIBM Corporation Todd Arnold Ingenico John SpenceIntuit, Inc. Jana Hocker iStream Imaging Bank of Kenney Ken Biel JP Morgan Chase a set of rules which, if followed, will give a prescribed result. 3.2 Algorithm Identifier A unique identifier for a given encryption or hash algorithm, together with any required parameters. The unique identifier is an ASN.1 object identifier 3.3 Authentication The act of det