1、BS ISO/IEC 11770-6:2016 Information technology Security techniques Key management Part 6: Key derivation BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 11770-6:2016 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/
2、IEC 11770-6:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the neces
3、sary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 85013 4 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard
4、was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 11770-6:2016 Information technology Security techniques Key management Part 6: Key derivation Technologies de lin
5、formation Techniques de scurit Gestion de cls Partie 6: Drivation de cls INTERNATIONAL STANDARD ISO/IEC 11770-6 Reference number ISO/IEC 11770-6:2016(E) First edition 2016-10-01 ISO/IEC 2016 BS ISO/IEC 11770-6:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Publish
6、ed in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permissio
7、n can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 11770-6:2016(E)BS ISO/IEC
8、11770-6:2016ISO/IEC 11770-6:2016(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviations . 3 4.1 Symbols . 3 4.2 Abbreviations . 4 4.3 Notation 4 5 Key derivation techniques 4 5.1 Model . 4 5.2 Types of key derivation function . 5 5.
9、3 Relationship to key management life cycle 6 5.4 Use of a key derivation function . 6 6 One-step key derivation functions . 6 6.1 General . 6 6.2 One-step key derivation function 1 (OKDF1) . 7 6.2.1 General 7 6.2.2 Requirements for use . 7 6.2.3 Operation of function . 7 6.3 One-step key derivation
10、 function 2 (OKDF2) . 8 6.3.1 General 8 6.3.2 Requirements for use . 8 6.3.3 Operation of function . 8 6.4 One-step key derivation function 3 (OKDF3) . 9 6.4.1 General 9 6.4.2 Requirements for use . 9 6.4.3 Operation of function . 9 6.5 One-step key derivation function 4 (OKDF4) . 9 6.5.1 General 9
11、6.5.2 Requirements for use 10 6.5.3 Operation of function 10 6.6 One-step key derivation function 5 (OKDF5) 10 6.6.1 General.10 6.6.2 Requirements for use 11 6.6.3 Operation of function 11 6.7 One-step key derivation function 6 (OKDF6) 11 6.7.1 General.11 6.7.2 Requirements for use 12 6.7.3 Operatio
12、n of function 12 7 Two-step key derivation functions .12 7.1 General 12 7.2 Key extraction function .13 7.2.1 Key extraction function 1 (KTF1) .13 7.3 Key expansion functions 14 7.3.1 Key expansion function 1 (KPF1) .14 7.3.2 Key expansion function 2 (KPF2) .15 7.3.3 Key expansion function 3 (KPF3)
13、.16 7.3.4 Key expansion function 4 (KPF4) .17 7.4 Two-step KDFs .18 7.4.1 Two-step key derivation function 1 (TKDF1) 18 7.4.2 Two-step key derivation function 2 (TKDF2) 18 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 11770-6:2016ISO/IEC 11770-6:2016(E)7.4.3 Two-step key derivation fu
14、nction 3 (TKDF3) 19 7.4.4 Two-step key derivation function 4 (TKDF4) 19 Annex A (normative) Object identifiers .20 Annex B (informative) Guidance on use .21 Bibliography .23 iv ISO/IEC 2016 All rights reservedBS ISO/IEC 11770-6:2016ISO/IEC 11770-6:2016(E) Foreword ISO (the International Organization
15、 for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective
16、 organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information te
17、chnology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types
18、 of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not b
19、e held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is infor
20、mation given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical B
21、arriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A list of all parts in the ISO/IEC 11770 series can be found on the ISO website. ISO/IEC 2016
22、 All rights reserved vBS ISO/IEC 11770-6:2016ISO/IEC 11770-6:2016(E) Introduction The establishment of shared secret cryptographic keys is a fundamental key management service. It is a prerequisite for the use of a range of symmetric cryptographic techniques, including symmetric encryption for confi
23、dentiality protection, and message authentication codes (MACs) for integrity protection and data origin authentication. Key derivation techniques enable such keys to be generated from pre-existing secrets and have a range of possible applications. Two particularly important applications are as follo
24、ws. First, while two (or more) parties might share secret information, this secret information might not be suitable for immediate use as input to an encryption algorithm or a message authentication code scheme. For example, the initial secret information might not be distributed randomly across the
25、 entire space of possible values, or an unauthorized third party might have partial information about it. A key derivation function (or a key extraction function) can be used to resolve this issue by taking the secret information as input, perhaps together with other non-secret material, and giving
26、a suitable secret key as output. Second, a number of secret keys might be required for different purposes, e.g. for different applications or for input to different cryptographic functions. Again, a key derivation function (or a key expansion function) can be used to meet this requirement by taking
27、secret information, perhaps together with other non-secret material, as input, and giving a secret key, or keys, as output. The secret information might, for example, be shared by two or more parties, and the generated secret keys could then be used to protect data exchanged between these parties vi
28、a untrusted channels; alternatively, the secret information might only be known by a single party, and the generated keys could then be used to protect data stored by that party in untrusted locations. This document is concerned with such key derivation techniques. Two general classes of key derivat
29、ion techniques are specified, namely one-step and two-step functions, both of which can be used to generate either a single key or multiple keys. One-step functions transform the input information into one or more keys in a single operation. Two-step functions first transform the input information i
30、nto a secret MAC key, which is then used in the second step (which can be executed multiple times) to generate one or more secret keys for use in applications. The choice between one-step and two-step functions depends on two main things: the nature of the available secret input to the key derivatio
31、n function, and the way in which the secret input is to be used. For example, if the available secret input is already in the form of a secret key, then a one-step function will normally be appropriate. Also, regardless of the nature of the secret input, if the function is to be used only once with
32、a particular set of secret inputs, then again a one-step function will typically be appropriate. However, if the secret input is not in the form of a secret key, and the same secret input is to be used multiple times to generate one or more keys, then a two-step function is likely to be appropriate,
33、 where the first step is performed once to generate a MAC key and the second step is performed whenever a new key is, or keys are, to be generated from the MAC key. This document defines a range of one-step key derivation functions. It also defines examples of both key extraction functions and key e
34、xpansion functions, where a key extraction function can be combined with a key expansion function to define a two-step key derivation function.vi ISO/IEC 2016 All rights reservedBS ISO/IEC 11770-6:2016Information technology Security techniques Key management Part 6: Key derivation 1 Scope This docum
35、ent specifies key derivation functions, i.e. functions which take secret information and other (public) parameters as input and output one or more “derived” secret keys. Key derivation functions based on MAC algorithms and on hash-functions are specified. 2 Normative references The following documen
36、ts are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 9797 (all
37、parts), Information technology Security techniques Message Authentication Codes (MACs) ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functions 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 11770-1 and the followi
38、ng apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1 entropy measure of the disorder, randomness or variabilit
39、y in a closed system Note 1 to entry: The particular measure of entropy that is used in the document is discussed in 5.1. 3.2 hash-function function which maps strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits Note 1 to entry: Cryptographic requirements o
40、n hash-functions employed for the purposes of this document are considered in 6.1. INTERNATIONAL ST ANDARD ISO/IEC 11770-6:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 11770-6:2016ISO/IEC 11770-6:2016(E) 3.3 key derivation function KDF function which takes as input a number of parameters, at
41、 least one of which shall be secret, and which gives as output keys appropriate for the intended algorithm(s) and applications Note 1 to entry: Cryptographic requirements on key derivation functions are specified in 5.1. Note 2 to entry: Key derivation functions are also sometimes known as “key gene
42、rating functions.” 3.4 key expansion function KPF function which takes as input a number of parameters, at least one of which shall be a secret key, and which gives as output keys appropriate for the intended algorithm(s) and applications Note 1 to entry: Cryptographic requirements on key expansion
43、functions are specified in 7.1. Note 2 to entry: All the KPFs specified in this document are based on a MAC algorithm. 3.5 key extraction function KTF function which takes as input a number of parameters, at least one of which shall be secret, and which gives as output a key suitable for use as inpu
44、t to a key expansion function Note 1 to entry: Cryptographic requirements on key extraction functions are specified in 7.1. 3.6 message authentication code MAC string of bits which is the output of a MAC algorithm SOURCE: ISO/IEC 9797-1:2011, 3.9 modified, Note 1 to entry removed 3.7 message authent
45、ication code algorithm MAC algorithm algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits, satisfying the following two properties: for any key and any input string, the function can be computed efficiently; for any fixed key, and given no pr
46、ior knowledge of the key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of a set of input strings and corresponding function values, where the value of the ith input string might have been chosen after observing the value of the first i
47、1 function values (for integers i 1) Note 1 to entry: A MAC algorithm is sometimes called a “cryptographic check function.” Note 2 to entry: Computational feasibility depends on the users specific security requirements and environment. Note 3 to entry: Additional cryptographic requirements for MAC a
48、lgorithms employed for the purposes of this document are specified in 6.1 and 7.1. 3.8 message authentication code key MAC key bit string suitable for use as a key input to a MAC algorithm2 ISO/IEC 2016 All rights reservedBS ISO/IEC 11770-6:2016ISO/IEC 11770-6:2016(E) 3.9 one-step key derivation fun
49、ction OKDF key derivation function which operates in a single stage, in contrast to key derivation functions involving separate key-extraction and key-expansion stages (cf. 3.12) 3.10 salt value used as input to a key derivation function, a key expansion function or a key extraction function, which might not be a secret 3.11 secret information bit string used as input to a KDF or a KTF, which shall be known only to entities which are authorized to agree upon the key or
