BS ISO/IEC 10118-1:2016

Information technology - Security techniques - Hash-functions - Part 1: General

BSI Standards Publication

National foreword

This British Standard is the UK implementation of ISO/IEC 10118-1:2016. It supersedes BS ISO/IEC 10118-1:1994 which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016

ISBN 978 0 580 83838 5
ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016.

Amendments/corrigenda issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO/IEC 10118-1
Third edition 2016-10-15
Reference number ISO/IEC 10118-1:2016(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
  4.1 General symbols
  4.2 Symbols specific to this document
  4.3 Coding conventions
5 Requirements
6 General model for hash-functions
  6.1 General
  6.2 Hashing operation
    6.2.1 General
    6.2.2 Step 1 (padding)
    6.2.3 Step 2 (splitting)
    6.2.4 Step 3 (iteration)
    6.2.5 Step 4 (output transformation)
  6.3 Use of the general model
Annex A (normative) Padding methods
Annex B (normative) Criteria for submission of hash-functions for possible inclusion in ISO/IEC 10118 (all parts)
Annex C (informative) Security considerations
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 10118-1:2000), which has been technically revised.

A list of all parts in the ISO/IEC 10118 series can be found on the ISO website.

1 Scope

ISO/IEC 10118 (all parts) specifies hash-functions and is therefore applicable to the provision of authentication, integrity and non-repudiation services. Hash-functions map strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits, using a specified algorithm. They can be used for reducing a message to a short imprint for input to a digital signature mechanism, and committing the user to a given string of bits without revealing this string.

NOTE The hash-functions specified in ISO/IEC 10118 (all parts) do not involve the use of secret keys. However, these hash-functions may be used, in conjunction with secret keys, to build message authentication codes. Message Authentication Codes (MACs) provide data origin authentication as well as message integrity. Techniques for computing a MAC using a hash-function are specified in ISO/IEC 9797-2 [1].

This document contains definitions, symbols, abbreviations and requirements that are common to all the other parts of ISO/IEC 10118. The criteria used to select the algorithms specified in subsequent parts of ISO/IEC 10118 are defined in Annex B of this document.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- IEC Electropedia: available at http://www.electropedia.org/
- ISO Online browsing platform: available at http://www.iso.org/obp

3.1
collision-resistant hash-function
hash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs which map to the same output

Note 1 to entry: Computational feasibility depends on the specific security requirements and environment. Refer to Annex C.

3.2
data string
data
string of bits which is the input to a hash-function

3.3
hash-code
string of bits which is the output of a hash-function

Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as hash-code. Modification Detection Code, Manipulation Detection Code, digest, hash-result, hash-value and imprint are some examples.

3.4
hash-function
function which maps strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits, satisfying the following two properties:
- for a given output, it is computationally infeasible to find an input which maps to this output;
- for a given input, it is computationally infeasible to find a second input which maps to the same output

Note 1 to entry: Computational feasibility depends on the specific security requirements and environment. Refer to Annex C.

3.5
initializing value
value used in defining the starting point of a hash-function

Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as initializing value. Initialization vector and starting value are examples.

3.6
output transformation
transformation or mapping of the output of the iteration stage to obtain the hash-code

3.7
padding
appending extra bits to a data string

3.8
round-function
function that transforms two binary strings of lengths L1 and L2 to a binary string of length L2 that is used iteratively as part of a hash-function, where it combines a data string of length L1 with the previous output of length L2 or the initializing value

Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as round-function. Compression function and iterative function are some examples.

4 Symbols and abbreviated terms

4.1 General symbols

For ISO/IEC 10118 (all parts), the following symbols and abbreviations are used:

      a byte
D     data
      a block derived from the data string D after the padding process
h     hash-function
H     hash-code
      a string of L2 bits which is used in the hashing operation to store an intermediate result
      initializing value
L1    length (in bits) of the first of the two input strings to the round-function
L2    length (in bits) of the second of the two input strings to the round-function, the output string from the round-function, and of the initializing value
      length (in bits) of a string of bits X
      round-function (phi)
T     an output transformation function, e.g. truncation
|     concatenation of strings of bits X and Y in the indicated order
      exclusive-or of strings of bits X and Y (where = )

4.2 Symbols specific to this document

For the purpose of this document, the following symbol applies:

q     number of blocks in the data string after the padding and splitting process

4.3 Coding conventions

In contexts where the terms “most significant bit/byte” and “least significant bit/byte” have a meaning (e.g. where strings of bits/bytes are treated as numerical values), the leftmost bits/bytes of a block shall be the most significant.

5 Requirements

The use of a hash-function requires that the parties involved shall operate upon precisely the same bit string, even though the representation of the data may be different in each entity's environment. This may require one or more of the entities to convert the data into an agreed bit-string representation prior to applying a hash-function.

Some of the hash-functions specified in ISO/IEC 10118 (all parts) require padding, so that the data string is of the required length. Several padding methods are presented in Annex A of this document; additional padding methods may be specified in each part of ISO/IEC 10118 where padding is needed.

6 General model for hash-functions

6.1 General

The hash-functions specified in ISO/IEC 10118 (all parts) require the use of a round-function . In subsequent parts of ISO/IEC 10118, several alternatives for the function are specified.

The hash-functions which are specified in subsequent parts of ISO/IEC 10118 provide hash-codes of length , where is less than or equal to the value of L2 for the round-function being used.

6.2 Hashing operation

6.2.1 General

Let be a round-function and be an initializing value of length L2. For the hash-functions specified in subsequent parts of ISO/IEC 10118, the value of the shall be fixed for a given hash-function .

The hash-code H of the data D shall be calculated using the following four steps.

6.2.2 Step 1 (padding)

The data string D is padded in order to ensure that its length is an integer multiple of L1. See Annex A for more information.

6.2.3 Step 2 (splitting)

The padded version of the data string D is split into L1-bit blocks , where D1 represents the first L1 bits of the padded version of D, D2 represents the next L1 bits, and so on. The padding and splitting processes are illustrated in Figure 1.

Figure 1 - Padding and splitting processes

NOTE Sometimes, it is more efficient to have the splitting occur before the padding. The padding is then done on the last block.

6.2.4 Step 3 (iteration)

Let be the L1-bit blocks of the data after padding and splitting. Let H0 be a bit string equal to . The L2-bit strings are calculated iteratively in the following way.

for i from 1 to q : 1 .

6.2.5 Step 4 (output transformation)

The hash-code H is derived by performing a transformation T on , the output of step 3, to obtain the bits of the final hash-code.

EXAMPLE The transformation T may be a truncation operation.

6.3 Use of the general model

In subsequent parts of ISO/IEC 10118, examples of hash-functions based on the general model are specified. Specification of an individual hash-function will in each case require the following to be defined:
- parameters L1, L2;
- the padding method;
- the initializing value ;
- the round-function ;
- the output transformation T.

Practical use of a hash-function defined using the general model will also require the choice of the parameter .

Annex A (normative)
Padding methods

A.1 General

The calculation of a hash-code, as specified in other parts of ISO/IEC 10118, may require the selection of a padding method. The padding method will always output a padded data string whose length (in bits) is a multiple of L1. Two methods are presented in this annex.

The padding bits (if any) need not be stored or transmitted with the data. The verifier shall know whether or not the padding bits have been stored or transmitted, and which padding method is in use.

A.2 Method 1

The data for which the hash-code is to be calculated is appended with a single “1” bit. The resulting data are then appended with as few (possibly zero) “0” bits as are necessary to obtain the required length.

NOTE Method 1 always requires the addition of at least one padding bit.

A.3 Method 2

This padding method requires the selection of a parameter r (where r L1), e.g. r = 64, and a method for encoding the bit length of the data D, i.e. , as a bit string of length r. The choice for r will limit the length of D ,
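
Added example (not part of ISO/IEC 10118-1): the four steps of 6.2 with padding Method 1 from A.2, written in Python over strings of '0'/'1' characters. The sizes L1 = 64 and L2 = 128, the 96-bit hash-code length LH, the all-zero initializing value IV and the SHA-256-based stand-in round-function phi are assumptions chosen so that the code runs; the iteration is taken as Hi = phi(Di, H(i-1)), following definition 3.8.

```python
import hashlib

L1, L2, LH = 64, 128, 96   # assumed sizes in bits; LH is the hash-code length (LH <= L2)
IV = "0" * L2              # assumed initializing value of L2 bits

def to_bits(data: bytes) -> str:
    """Agreed bit-string representation (clause 5); leftmost bit most significant (4.3)."""
    return "".join(format(b, "08b") for b in data)

def pad_method1(data_bits: str) -> str:
    """A.2: append one '1' bit, then as few '0' bits as reach a multiple of L1."""
    padded = data_bits + "1"
    return padded + "0" * (-len(padded) % L1)

def split(padded: str) -> list[str]:
    """Step 2: cut the padded string into q blocks of L1 bits each."""
    if len(padded) % L1:
        raise ValueError("padded length must be a multiple of L1")
    return [padded[i:i + L1] for i in range(0, len(padded), L1)]

def phi(block: str, prev: str) -> str:
    """Stand-in round-function (L1 bits, L2 bits) -> L2 bits; NOT one from the standard."""
    if len(block) != L1 or len(prev) != L2:
        raise ValueError("round-function input has the wrong length")
    digest = hashlib.sha256((prev + block).encode("ascii")).digest()
    return format(int.from_bytes(digest, "big") >> (256 - L2), f"0{L2}b")

def truncate(h_q: str) -> str:
    """Step 4: output transformation T, here truncation to the leftmost LH bits."""
    return h_q[:LH]

def hash_code(data_bits: str) -> str:
    h = IV                                       # H0 equals the initializing value
    for block in split(pad_method1(data_bits)):  # steps 1 and 2
        h = phi(block, h)                        # step 3: Hi from Di and H(i-1)
    return truncate(h)                           # step 4

if __name__ == "__main__":
    print(hash_code(to_bits(b"abc")))
    # Method 1 keeps "1" and "10" distinct after padding; zero-fill alone would not.
    print(pad_method1("1") != pad_method1("10"))
```

Because Method 1 always adds at least one bit, data whose length is already a multiple of L1 gains a whole extra block, which is what keeps two different data strings from padding to the same blocks.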