ISO/IEC 9798-5:2009 Information technology - Security techniques - Entity authentication - Part 5: Mechanisms using zero-knowledge techniques


Reference number ISO/IEC 9798-5:2009(E)
© ISO/IEC 2009

INTERNATIONAL STANDARD ISO/IEC 9798-5
Third edition 2009-12-15

Information technology - Security techniques - Entity authentication - Part 5: Mechanisms using zero-knowledge techniques

Technologies de l'information - Techniques de sécurité - Authentification d'entité - Partie 5: Mécanismes utilisant des techniques à divulgation nulle

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2009

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Terms and definitions
3 Notation, symbols and abbreviated terms
4 Mechanisms based on identities
4.1 Security requirements for the environment
4.2 Key production
4.3 Unilateral authentication exchange
5 Mechanisms based on integer factorization
5.1 Security requirements for the environment
5.2 Key production
5.3 Unilateral authentication exchange
6 Mechanisms based on discrete logarithms with respect to prime numbers
6.1 Security requirements for the environment
6.2 Key production
6.3 Unilateral authentication exchange
7 Mechanisms based on discrete logarithms with respect to composite numbers
7.1 Security requirements for the environment
7.2 Key production
7.3 Unilateral authentication exchange
8 Mechanisms based on asymmetric encryption systems
8.1 Security requirements for the environment
8.2 Unilateral authentication exchange
8.3 Mutual authentication exchange
9 Mechanism based on discrete logarithms with respect to elliptic curves
9.1 Security requirements for the environment
9.2 Key production
9.3 Unilateral authentication exchange
Annex A (normative) Object identifiers
Annex B (informative) Principles of zero-knowledge techniques
Annex C (informative) Guidance on parameter choice and comparison of the mechanisms
Annex D (informative) Numerical examples
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 %
of the national bodies casting a vote.

ISO/IEC 9798-5 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 9798-5:2004), which has been technically revised. This edition adds a new mechanism based on elliptic curve discrete logarithm.

ISO/IEC 9798 consists of the following parts, under the general title Information technology - Security techniques - Entity authentication:
- Part 1: General
- Part 2: Mechanisms using symmetric encipherment algorithms
- Part 3: Mechanisms using digital signature techniques
- Part 4: Mechanisms using a cryptographic check function
- Part 5: Mechanisms using zero-knowledge techniques
- Part 6: Mechanisms using manual data transfer

Introduction

This part of ISO/IEC 9798 specifies authentication mechanisms that involve exchanges of information between a claimant and a verifier.

In accordance with the types of calculations that need to be performed by the claimant and the verifier, the mechanisms can be classified into the following four main groups (see Annex C).
- The first group (see Clauses 4 and 5) is characterized by the performance of short modular exponentiations. The challenge size needs to be optimized since it has a proportional impact on workloads.
- The second group (see Clauses 6 and 7 and 8) is characterized by the possibility of a “coupon strategy” for the claimant. A verifier can authenticate a claimant with very limited computational power. The challenge size has no practical impact on workloads.
- The third group (see 9.2) is characterized by the possibility of a coupon strategy for the verifier. A verifier with very limited computational power can authenticate a claimant. The challenge size has no impact on workloads.
- The fourth group (see 9.3) has no possibility of a coupon strategy.

ISO and IEC draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 9798 may involve the use of the following patents and their counterparts in other countries.
- US 4 995 082 issued 1991-02-19, Inventor: C.P. Schnorr,
- US 5 140 634 issued 1992-08-18, Inventors: L.C. Guillou and J-J. Quisquater,
- EP 0 311 470 issued 1992-12-16, Inventors: L.C. Guillou and J-J. Quisquater,
- EP 0 666 664 issued 1995-02-02, Inventor: M. Girault,

ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.

The holders of these patent rights have assured ISO and IEC that they are willing to negotiate licenses under reasonable and non-discriminatory terms and conditions with applications throughout the world. In this respect, the statements of the holders of these patent rights are registered with ISO and IEC. Information may be obtained from the companies listed overleaf.

RSA Security Inc.
Attention General Counsel
174 Middlesex Turnpike
Bedford, MA 01730, USA
US 4 995 082

France Telecom R

- mechanisms based on integer factorization and providing unilateral authentication;
- mechanisms based on discrete logarithms with respect to numbers that are either prime or composite, and providing unilateral authentication;
- mechanisms based on asymmetric encryption systems and providing either unilateral authentication, or mutual authentication;
- mechanisms based on discrete logarithms on elliptic curves and providing unilateral authentication.

These mechanisms are constructed using the principles of zero-knowledge techniques, but they are not necessarily zero-knowledge according to the strict definition for every choice of parameters.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1 accreditation exponent
secret number related to the verification exponent and used in the production of private keys

2.2 adaptation parameter
public key specific to the
modulus and used in the definition of public keys in the GQ2 mechanisms

2.3 asymmetric cryptographic technique
cryptographic technique that uses two related operations: a public operation defined by a public data item, and a private operation defined by a private data item (the two operations have the property that, given the public operation, it is computationally infeasible to derive the private operation)

2.4 asymmetric encryption system
system based on asymmetric cryptographic techniques whose public operation is used for encryption and whose private operation is used for decryption

2.5 asymmetric pair
two related data items where the private data item defines a private operation and the public data item defines a public operation

2.6 challenge
procedure parameter used in conjunction with secret parameters to produce a response

2.7 claimant
entity whose identity can be authenticated, including the functions and the private data necessary to engage in authentication exchanges on behalf of a principal

2.8 coupon
pair of pre-computed numbers to be used only once; one is kept secret and the other remains secret until its use by an entity

2.9 claimant parameter
public data item, number or bit string, specific to a given claimant within the domain

2.10 decryption
reversal of a corresponding encryption
NOTE Decryption [30] and decipherment [24] are equivalent terms.

2.11 domain
collection of entities operating under a single security policy
NOTE For example, public key certificates created either by a single certification authority, or by a collection of certification authorities using the same security policy.

2.12 domain parameter
public key, or function, agreed and used by all entities within the domain

2.13 encryption
reversible operation by a cryptographic algorithm converting data into ciphertext, so as to hide the information content of the data
NOTE Encryption [30] and encipherment [24] are equivalent terms.

2.14 entity authentication
corroboration that an entity is the one claimed
[ISO/IEC 9798-1:1997, definition 3.3.11]

2.15 exchange multiplicity parameter
number of exchanges of information involved in one instance of an authentication mechanism

2.16 hash-function
function that maps strings of bits to fixed-length strings of bits, satisfying the following two properties:
- for a given output, it is computationally infeasible to find an input that maps to this output;
- it is computationally infeasible to find two distinct inputs that map to the same output
[ISO/IEC 10118-1:2000, definition 3.5]

2.17 identification data
set of public data items (an account number, an expiry date and time, a serial number, etc.) assigned to an entity and used to identify it

2.18 mutual authentication
entity authentication that provides both entities with assurance of each other's identity
[ISO/IEC 9798-1:1997, definition 3.3.14]

2.19 number
natural number, i.e. a non-negative integer

2.20 pair multiplicity parameter
number of asymmetric pairs of numbers involved in one instance of an authentication mechanism

2.21 private key
data item of an asymmetric pair, that shall be kept secret and should only be used by a claimant in accordance with an appropriate response formula, thereby establishing its identity

2.22 procedure parameter
transient public data item used in an instance of an authentication mechanism such as a witness, challenge or response

2.23 public key
data item of an asymmetric pair, that can be made public and shall be used by every verifier for establishing the claimant's identity

2.24 random number
time variant parameter whose value is unpredictable
[ISO/IEC 9798-1:1997, definition 3.3.24]

2.25 response
procedure parameter produced by the claimant, and processed by the verifier for checking the identity of the claimant

2.26 secret parameter
number or bit string that does not appear in the public domain and is only used by a claimant, e.g. a private key

2.27 token
message consisting of data fields relevant to a particular communication and which contains information that has been produced using a cryptographic technique

2.28 unilateral authentication
entity authentication that provides one entity with assurance of the other's identity but not vice versa
[ISO/IEC 9798-1:1997, definition 3.3.33]

2.29 verification exponent
public key used as exponent by the claimant and the verifier

2.30 verifier
entity including the functions necessary for engaging in authentication exchanges on behalf of an entity requiring an entity authentication

2.31 witness
procedure parameter that provides evidence of the claimant's identity to the verifier

3 Notation, symbols and abbreviated terms

For the purposes of this document, the following notation, symbols and abbreviated terms apply.

(a n) Jacobi symbol of a positive integer a with respect to an odd composite integer n
NOTE 1 By definition, the Jacobi symbol of any positive integer a with respect to any odd positive composite integer n is the product of the Legendre symbols of a with respect to each prime factor of n (repeating the Legendre symbols for the repeated prime factors). The Jacobi symbol [13], [16] can be efficiently computed without knowledge of the prime factors of n.

(a p) Legendre symbol of a positive integer a with respect to an odd prime integer p
NOTE 2 By definition, the Legendre symbol of any positive integer a with respect to any odd positive prime integer p is equal to $a^{(p-1)/2} \bmod p$. This means that (a p) is zero if a is a multiple of p, and either +1 or −1 otherwise, depending on whether or not a is a square modulo p.

A bit size of the number A if A is a number (i.e. the unique integer i so that 2i1 A 0, or 0 if A = 0, e.g. 65 537 = 2 16 +1 = 17), or bit length of the bit string A if A is a bit string
NOTE 3 The binary representation of a number A as a string of A bits is straightforward. To represent a number A as a string of bits with A , A bits set to 0 are appended to the left of the A bits.

A the greatest integer that is less than or equal to the real number A

B | C bit string resulting from the concatenation of data items B and C in the order specified. In cases where the result of concatenating two or more data items is input to a cryptographic algorithm as part of an authentication mechanism, this result shall be composed so that it
