1、BRITISH STANDARD BS ISO/IEC 14888-1:2008 Information technology Security techniques Digital signatures with appendix Part 1: General ICS 35.040 BS ISO/IEC 14888-1:2008 This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 May 2008 BSI 2008 ISBN
2、978 0 580 54258 9 National foreword This British Standard is the UK implementation of ISO/IEC 14888-1:2008. It supersedes BS ISO/IEC 14888-1:1998 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT Security techniques. A list of organizations r
3、epresented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations. Amen
4、dments/corrigenda issued since publication Date Comments Reference number ISO/IEC 14888-1:2008(E)INTERNATIONAL STANDARD ISO/IEC 14888-1 Second edition 2008-04-15 Information technology Security techniques Digital signatures with appendix Part 1: General Technologies de linformation Techniques de scu
5、rit Signatures numriques avec appendice Partie 1: Gnralits BS ISO/IEC 14888-1:2008ii iii Contents Page Foreword iv Introduction v 1 Scope 1 2 Normative references 1 3 Terms and definitions .1 4 Symbols, conventions, and legend for figures.3 4.1 Symbols 3 4.2 Coding convention 4 4.3 Legend for figure
6、s .4 5 General4 6 General model5 7 Options for binding signature mechanism and hash-function.6 8 Key generation.6 9 Signature process7 9.1 General7 9.2 Computing the signature 7 9.3 Constructing the appendix .7 9.4 Constructing the signed message.7 10 Verification process 8 Annex A (informative) On
7、hash-function identifiers 10 Bibliography 11 BS ISO/IEC 14888-1:2008iv Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC p
8、articipate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governm
9、ental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part
10、 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national b
11、odies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 14888-1 was prepared by Joint Technical Committee ISO/IEC JTC 1
12、, Information technology, Subcommittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 14888-1:1998), which has been technically revised. ISO/IEC 14888 consists of the following parts, under the general title Information technology Security techniqu
13、es Digital signatures with appendix: Part 1: General Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms BS ISO/IEC 14888-1:2008v Introduction Digital signature mechanisms are asymmetric cryptographic techniques which can be used to provide entity authenticatio
14、n, data origin authentication, data integrity and non-repudiation services. There are two types of digital signature mechanisms: When the verification process needs the message as part of the input, the mechanism is called a “signature mechanism with appendix”. A hash-function is used in the calcula
15、tion of the appendix. When the verification process reveals all or part of the message, the mechanism is called a “signature mechanism giving message recovery”. A hash-function is also used in the generation and verification of these signatures. Signature mechanisms with appendix are specified in IS
16、O/IEC 14888. Signature mechanisms giving message recovery are specified in ISO/IEC 9796. Hash-functions are specified in ISO/IEC 10118. BS ISO/IEC 14888-1:2008 blank1 Information technology Security techniques Digital signatures with appendix Part 1: General 1 Scope ISO/IEC 14888 specifies several d
17、igital signature mechanisms with appendix for messages of arbitrary length. This part of ISO/IEC 14888 contains general principles and requirements for digital signatures with appendix. It also contains definitions and symbols which are used in all parts of ISO/IEC 14888. Various means are available
18、 to obtain a reliable copy of the public verification key, e.g., a public key certificate. Techniques for managing keys and certificates are outside the scope of ISO/IEC 14888. For further information, see ISO/IEC 9594-8 4, ISO/IEC 11770-3 3 and ISO/IEC 15945 5. 2 Normative references The following
19、referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. None. 3 Terms and definitions For the purposes of this document
20、, the following terms and definitions apply. 3.1 appendix string of bits formed by the signature and an optional text field 3.2 collision-resistant hash-function hash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs which map to the same ou
21、tput NOTE Computational feasibility depends on the specific security requirements and environment. ISO/IEC 10118-1 3.3 data element integer, bit string, set of integers or set of bit strings BS ISO/IEC 14888-1:20082 3.4 domain set of entities operating under a single security policy EXAMPLES public
22、key certificates created by a single authority or by a set of authorities using the same security policy 3.5 domain parameter data element which is common to and known by or accessible to all entities within the domain 3.6 hash-code string of bits which is the output of a hash-function ISO/IEC 10118
23、-1 3.7 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: for a given output, it is computationally infeasible to find an input which maps to this output; for a given input, it is computationally infeasible to find a second inp
24、ut which maps to the same output NOTE 1 Computational feasibility depends on the specific security requirements and environment. NOTE 2 This definition of hash-function is referred to as one-way hash-function. ISO/IEC 10118-1 3.8 identification data sequence of data elements, including the distingui
25、shing identifier for an entity, assigned to an entity and used to identify it NOTE The identification data may additionally contain data elements such as identifier of the signature process, identifier of the signature key, validity period of the signature key, restrictions on key usage, associated
26、security policy parameters, key serial number, or domain parameters. 3.9 key pair pair consisting of a signature key and a verification key, i.e., a set of data elements that shall be totally or partially kept secret, to be used only by the signer; a set of data elements that can be totally made pub
27、lic, to be used by any verifier 3.10 message string of bits of any length 3.11 parameter integer, bit string or hash-function 3.12 signature one or more data elements resulting from the signature process BS ISO/IEC 14888-1:20083 3.13 signature key set of private data elements specific to an entity a
28、nd usable only by this entity in the signature process NOTE Sometimes called a private signature key in other standards, e.g. ISO/IEC 9796-2, ISO/IEC 9796-3 and ISO/IEC 9798-3. 3.14 signature process process which takes as inputs the message, the signature key and the domain parameters, and which gi
29、ves as output the signature 3.15 signed message set of data elements consisting of the signature, the part of the message which cannot be recovered from the signature, and an optional text field NOTE In the context of this part of ISO/IEC 14888, the entire message is included in the signed message a
30、nd no part of the message is recovered from the signature. 3.16 verification key set of public data elements which is mathematically related to an entitys signature key and which is used by the verifier in the verification process NOTE Sometimes called a public verification key in other standards, e
31、.g. ISO/IEC 9796-2, ISO/IEC 9796-3 and ISO/IEC 9798-3. 3.17 verification process process which takes as input the signed message, the verification key and the domain parameters, and which gives as output the result of the signature verification: valid or invalid 4 Symbols, conventions, and legend fo
32、r figures 4.1 Symbols Throughout all parts of ISO/IEC 14888 the following symbols are used. H hash-code K randomizer M message R first part of a signature NOTE First part of a signature R is alternatively called a witness. R recomputed first part of a signature S second part of a signature X signatu
33、re key Y verification key BS ISO/IEC 14888-1:20084 Z set of domain parameters signature A mod N the unique integer B from 0 to N 1 so that N divides A B A B (mod N) Integer A is congruent to integer B modulo N, i.e. (A B) mod N = 0. 4.2 Coding convention All integers in all parts of ISO/IEC 14888 ar
34、e written with the most significant digit (or bit, or byte) in the leftmost position. 4.3 Legend for figures The following legend for figures is used in all parts of ISO/IEC 14888. 5 General The mechanisms specified in ISO/IEC 14888 are based upon asymmetric cryptographic techniques. Every asymmetri
35、c digital signature mechanism involves three basic operations. A process for generating pairs of keys, where each pair consists of a signature key and the corresponding verification key. A process using the signature key called the signature process. When, for a given message and signature key, the
36、probability of obtaining the same signature twice is negligible, the operation is probabilistic. procedure principal procedure optional principal procedure data flow optional data flow two data flows of which at least one is mandatory optional data data another optional data flow BS ISO/IEC 14888-1:
37、20085 When, for a given message and signature key, all the signatures are identical, the operation is deterministic. A process using the verification key called the verification process. The verification of a digital signature requires the signers verification key. It is thus essential for a verifie
38、r to be able to associate the correct verification key with the signer, or more precisely, with (parts of) the signers identification data. If this association is somehow inherent in the verification key itself, the scheme is said to be “identity-based”. If not, the association between the correct v
39、erification key with the signers identification data shall be provided by a certificate for the verification key. The scheme is then said to be “certificate-based”. 6 General model A digital signature mechanism with appendix is defined by the specification of the following processes: key generation
40、process; signature process; verification process. In the signature process, the signer computes a digital signature for a given message. The signature, together with an optional text field, forms the appendix, which is appended to the message to form the signed message. Figure 1 Signed message Depen
41、ding on the application, there are different ways of forming the appendix and associating it with the message. The general requirement is that the verifier is able to relate the correct signature to the message. For successful verification it is also essential that, prior to the verification process
42、, the verifier is able to associate the correct verification key with the signature. The optional text field can be used for transmitting the signers identification data or an authenticated copy of the signers verification key to the verifier. In some cases the signers identification data may need t
43、o be part of the message M, so that it is protected by the signature. A digital signature mechanism shall satisfy the following requirements: Given only the verification key and not the signature key it is computationally infeasible to produce any message and a valid signature for this message. The
44、signatures produced by a signer can neither be used for producing any new message and a valid signature for this message nor for recovering the signature key. It is computationally infeasible, even for the signer, to find two different messages with the same signature. NOTE Computational feasibility
45、 depends on the specific security requirements and environment. message M text t signature BS ISO/IEC 14888-1:20086 7 Options for binding signature mechanism and hash-function Use of the signature schemes specified in this standard requires the selection of a collision-resistant hash- function. Ther
46、e shall be a binding between the signature mechanism and the hash-function in use. Without such a binding, an adversary might claim the use of a weak hash-function (and not the actual one) and thereby forge the signature. There are various ways to accomplish this binding. The following options are l
47、isted in order of increasing risk. a) Require a particular hash-function when using a particular signature mechanism. The verification process shall exclusively use that particular hash-function; b) Allow a set of hash-functions and explicitly indicate the hash-function in use in the certificate dom
48、ain parameters. Inside the certificate domain, the verification process shall exclusively use the hash-function indicated in the certificate. Outside the certificate domain, there is a risk arising from certification authorities (CAs) that may not adhere to the users policy. If, for example, an exte
49、rnal CA creates a certificate permitting other hash-functions, then signature forgery problems may arise. In such a case a misled verifier may be in dispute with the CA that produced the other certificate; c) Allow a set of hash-functions and indicate the hash-function in use by some other method, e.g., an indication in the message or a bilateral agreement. The verificati
