1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-23427-0 SANS 19772:2009 Edition 1 ISO/IEC 19772:2009 Edition 1 SOUTH AFRICAN NATIONAL STANDARD Information technology Security techniques
4、Authenticated encryption This national standard is the identical implementation of ISO/IEC 19772:2009 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnical Commission. Published by SABS Standards Division 1 Dr Lategan Road Gro
5、enkloof envelopeback Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS SANS 19772:2009 Edition 1 ISO/IEC 19772:2009 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS TC 71F
6、, Information technology Information security, in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in December 2009. Reference numberISO/IEC 19772:2009(E)ISO/IEC 2009INTERNATIONAL STANDARD ISO/IEC19772Fir
7、st edition2009-02-15Information technology Security techniques Authenticated encryption Technologies de linformation Techniques de scurit Chiffrage authentifi SANS 19772:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 19772:2009(E
8、) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file
9、, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info rel
10、ative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPY
11、RIGHT PROTECTED DOCUMENT ISO/IEC 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address b
12、elow or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2009 All rights reservedSANS 19772:2009This s tandard may only be
13、used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 19772:2009(E) ISO/IEC 2009 All rights reserved iiiContents Page Foreword v Introduction . vi 1 Scope 1 2 Normative references 1 3 Terms and definitions . 1 4 Symbols (and abbreviated terms) 3 5 Requirements . 4 6
14、Authenticated encryption mechanism 1 (OCB 2.0) 4 6.1 Introduction 4 6.2 Specific notation 4 6.3 Specific requirements . 5 6.4 Definition of function M2. 5 6.5 Definition of function M3. 5 6.6 Definition of function J . 6 6.7 Encryption procedure . 6 6.8 Decryption procedure . 7 7 Authenticated encry
15、ption mechanism 2 (Key Wrap) . 7 7.1 Introduction 7 7.2 Specific notation 8 7.3 Specific requirements . 8 7.4 Encryption procedure . 8 7.5 Decryption procedure . 9 8 Authenticated encryption mechanism 3 (CCM) . 9 8.1 Introduction 9 8.2 Specific notation 9 8.3 Specific requirements . 10 8.4 Encryptio
16、n procedure . 10 8.5 Decryption procedure . 12 9 Authenticated encryption mechanism 4 (EAX) 13 9.1 Introduction 13 9.2 Specific notation 13 9.3 Specific requirements . 13 9.4 Definition of function M 13 9.5 Encryption procedure . 14 9.6 Decryption procedure . 14 10 Authenticated encryption mechanism
17、 5 (Encrypt-then-MAC) 15 10.1 Introduction 15 10.2 Specific notation 15 10.3 Specific requirements . 15 10.4 Encryption procedure . 16 10.5 Decryption procedure . 16 11 Authenticated encryption mechanism 6 (GCM) . 16 11.1 Introduction 16 11.2 Specific notation 17 11.3 Specific requirements . 17 11.4
18、 Definition of multiplication operation . 18 SANS 19772:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 19772:2009(E) iv ISO/IEC 2009 All rights reserved11.5 Definition of function G 18 11.6 Encryption procedure 18 11.7 Decryption
19、 procedure 19 Annex A (informative) Guidance on use of the mechanisms 20 A.1 Introduction . 20 A.2 Selection of mechanism . 20 A.3 Mechanism 1 (OCB 2.0) 21 A.4 Mechanism 2 (Key Wrap) . 21 A.5 Mechanism 3 (CCM) 21 A.6 Mechanism 4 (EAX). 21 A.7 Mechanism 5 (Encrypt-then-MAC) 22 A.8 Mechanism 6 (GCM) 2
20、2 Annex B (informative) Examples 23 B.1 Introduction . 23 B.2 Mechanism 1 (OCB 2.0) 23 B.3 Mechanism 2 (Key Wrap) . 24 B.4 Mechanism 3 (CCM) 24 B.5 Mechanism 4 (EAX). 25 B.6 Mechanism 5 (Encrypt-then-MAC) 26 B.7 Mechanism 6 (GCM) 26 Annex C (normative) ASN.1 module . 28 C.1 Formal definition . 28 C.
21、2 Use of subsequent object identifiers 28 Bibliography . 29 SANS 19772:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 19772:2009(E) ISO/IEC 2009 All rights reserved vForeword ISO (the International Organization for Standardizatio
22、n) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to de
23、al with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and I
24、EC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the
25、 joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent ri
26、ghts. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 19772 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. SANS 19772:2009This s tandard may only be used and printed by appr
27、oved subscription and freemailing clients of the SABS .ISO/IEC 19772:2009(E) vi ISO/IEC 2009 All rights reservedIntroduction When data is sent from one place to another, it is often necessary to protect it in some way whilst it is in transit, e.g. against eavesdropping or unauthorised modification.
28、Similarly, when data is stored in an environment to which unauthorized parties may have access, it may be necessary to protect it. If the confidentiality of the data needs to be protected, e.g. against eavesdropping, then one solution is to use encryption, as specified in ISO/IEC 18033 and ISO/IEC 1
29、0116. Alternatively, if it is necessary to protect the data against modification, i.e. integrity protection, then Message Authentication Codes (MACs), as specified in ISO/IEC 9797, or digital signatures, as specified in ISO/IEC 9796 and ISO/IEC 14888, can be used. If both confidentiality and integri
30、ty protection are required, then one possibility is to use both encryption and a MAC or signature. Whilst these operations can be combined in many ways, not all combinations of such mechanisms provide the same security guarantees. As a result it is desirable to define in detail exactly how integrity
31、 and confidentiality mechanisms should be combined to provide the optimum level of security. Moreover, in some cases significant efficiency gains can be obtained by defining a single method of processing the data with the objective of providing both confidentiality and integrity protection. In this
32、standard, authenticated encryption mechanisms are defined. These are methods for processing data to provide both integrity and confidentiality protection. They typically involve either a specified combination of a MAC computation and data encryption, or the use of an encryption algorithm in a specia
33、l way such that both integrity and confidentiality protection are provided. The methods specified in this standard have been designed to maximise the level of security and provide efficient processing of data. Some of the techniques defined here have mathematical proofs of security, i.e. rigorous ar
34、guments supporting their soundness. SANS 19772:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .INTERNATIONAL STANDARD ISO/IEC 2009 All rights reserved 1Information technology Security techniques Authenticated encryption 1 Scope This Inter
35、national Standard specifies six methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: data confidentiality, i.e. protection against unauthorized disclosure of data, data integrity, i.e. protection that enables the recipient of dat
36、a to verify that it has not been modified, data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All six methods specified in this International Standard are based on a block cipher algorithm, and require the originator and the
37、recipient of the protected data to share a secret key for this block cipher. Key management is outside the scope of this standard; key management techniques are defined in ISO/IEC 11770. Four of the mechanisms in this standard, namely mechanisms 1, 3, 4 and 6, allow data to be authenticated which is
38、 not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated data) that is integrity-protected but not encrypted. In all cases, the string A
39、may be empty. NOTE Examples of types of data that may need to be sent in unencrypted form, but whose integrity should be protected, include addresses, port numbers, sequence numbers, protocol version numbers, and other network protocol fields that indicate how the plaintext should be handled, forwar
40、ded, or processed. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC
41、 9797-1:1), Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block cipher ISO/IEC 10116, Information technology Security techniques Modes of operation for an n-bit block cipher ISO/IEC 18033-3, Information technology Security techniques Encryp
42、tion algorithms Part 3: Block ciphers 1) To be published. (Revision of ISO/IEC 9797-1:1999)3 Terms and definitions For the purposes of this document, the following terms and definitions apply. SANS 19772:2009This s tandard may only be used and printed by approved subscription and freemailing clients
43、 of the SABS .2 ISO/IEC 2009 All rights reserved 3.1 authenticated encryption (reversible) transformation of data by a cryptographic algorithm to produce ciphertext that cannot be altered by an unauthorized entity without detection, i.e. it provides data confidentiality, data integrity, and data ori
44、gin authentication 3.2 authenticated encryption mechanism cryptographic technique used to protect the confidentiality and guarantee the origin and integrity of data, and which consists of two component processes: an encryption algorithm and a decryption algorithm 3.3 block cipher symmetric encryptio
45、n system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext ISO/IEC 18033-1 3.4 ciphertext data which has been transformed to hide its information content ISO/IEC 10116 3.5 data integrity the pro
46、perty that data has not been altered or destroyed in an unauthorized manner ISO/IEC 9797-1 3.6 decryption reversal of a corresponding encryption ISO/IEC 18033-1 3.7 encryption (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the information conten
47、t of the data ISO/IEC 18033-1 3.8 encryption system cryptographic technique used to protect the confidentiality of data, and which consists of three component processes: an encryption algorithm, a decryption algorithm, and a method for generating keys ISO/IEC 18033-1 3.9 key sequence of symbols that
48、 controls the operation of a cryptographic transformation (e.g. encipherment, decipherment) ISO/IEC 18033-1 3.10 message authentication code (MAC) string of bits which is the output of a MAC algorithm ISO/IEC 9797-1 3.11 partition process of dividing a string of bits of arbitrary length into a seque
49、nce of blocks, where the length of each block shall be n bits, except for the final block which shall contain r bits, 0 1 Right shift of a block of bits X by one position: the leftmost bit of Y = X1 will always be set to zero. len Function taking a bit-string X as input, and which gives as output the number of bits in X. mod If a and b 0 are integers, then a mod b denotes the unique integer c such that: i) 0 c 0), and gives an n-bit block J(B) as output. The value J(B) is computed as