1、BS ISO/IEC 19 77 2:2 00 9 ICS 35.040 NO COP YING WIT HOUT BSI PERM ISS ION EXCEPT AS PERM ITT ED BY COP YRIGHT LAW BRITISH STAN DA RD In fo rm ati on te chno lo gy Se curityt echniq ues A ut hent ifica ti on encrypti on BS ISO/IEC 19772:2009 Incorporating corrigendum September 2014 Information techn
2、ology Security techniques Authenticated encryptionBS ISO/IEC 19772:2009 ISBN 978 0 580 86465 0 Amendments/corrigenda issued since publication Date Comments 30 September 2014 Implementation of ISO/IEC corrigendum September 2014 This British Standard was published under the authority of the Standards
3、Policy and Strategy Committee on 31 July 2009 The British Standards Institution 2014. Published by BSI Standards Limited 2014 National foreword This British Standard is the UK implementation of ISO/IEC 19772:2009, incorporating corrigendum September 2014. The start and finish of text introduced or a
4、ltered by corrigendum is indicated in the text by tags. Text altered by ISO/IEC corrigendum September 2014 is indicated in the text by . The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committe
5、e can be obtained on request to its secretary. The publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations.BS ISO/IEC 19772:2009 Reference n
6、umber ISO/IEC 19772:2009(E) ISO/IEC 2009 INTERNATIONAL STANDARD ISO/IEC 19772 First edition 2009-02-15 Information technology Security techniques Authenticated encryption Technologies de linformation Techniques de scurit Chiffrage authentifi BS ISO/IEC 19772:2009 ISO/IEC 19772:2009(E) PDF disclaimer
7、 ThisP DF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept
8、 therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details oft he software products used to create thisP DF file can be found in the General Info relative to the fil
9、e;t he PDF-creation parameters were optimized for printing. Every care has been taken to ensure that thef ile is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it isf ound, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED
10、DOCUMENT ISO/IEC 2009 All rights reserved. Unless otherwises pecified, no part of this publicationm ay be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs mem
11、ber body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2009 All rights reservedBS ISO/IEC 19772:2009 ISO/IEC 19772:2009(E) ISO/IEC 2009 A
12、ll rights reserved iii Contents Page Foreword. . v Introduction. vi 1S cope1 2N ormative references1 3T erms and definitions. 1 4S ymbols (and abbreviated terms)3 5R equirements.4 6A uthenticated encryption mechanism 1 (OCB 2.0)4 6.1 Introduction4 6.2 Specific notation4 6.3 Specific requirements. 5
13、6.4 Definition of function M 2 .5 6.5 Definition of function M 3 .5 6.6 Definition of function J .6 6.7 Encryption procedure. 6 6.8 Decryption procedure .7 7A uthenticated encryption mechanism 2 (Key Wrap) .7 7.1 Introduction7 7.2 Specific notation8 7.3 Specific requirements. 8 7.4 Encryption proced
14、ure. 8 7.5 Decryption procedure .9 8A uthenticated encryption mechanism 3 (CCM) .9 8.1 Introduction9 8.2 Specific notation9 8.3 Specific requirements. 10 8.4 Encryption procedure. 10 8.5 Decryption procedure .12 9A uthenticated encryption mechanism 4 (EAX) 13 9.1 Introduction13 9.2 Specific notation
15、13 9.3 Specific requirements. 13 9.4 Definition of function M 13 9.5 Encryption procedure. 14 9.6 Decryption procedure .14 10 Authenticated encryption mechanism 5 (Encrypt-then-MAC)15 10.1 Introduction15 10.2 Specific notation15 10.3 Specific requirements. 15 10.4 Encryption procedure. 16 10.5 Decry
16、ption procedure .16 11 Authenticated encryption mechanism 6 (GCM). 16 11.1 Introduction16 11.2 Specific notation17 11.3 Specific requirements. 17 11.4 Definition of multiplication operation. 18 17 17BS ISO/IEC 19772:2009 ISO/IEC 19772:2009(E) iv ISO/IEC 2009 All rights reserved 11.5 Definition of fu
17、nction G 18 11.6 Encryption procedure. . 18 11.7 Decryption procedure 19 AnnexA (i nf orma ti ve ) Guidance on use of the mechanisms 20 A.1I ntroduction. 20 A.2S election of mechanism.2 0 A.3M echanism 1 (OCB 2.0) 21 A.4M echanism 2 (Key Wrap) .2 1 A.5M echanism 3 (CCM) 21 A.6M echanism 4 (EAX). 21
18、A.7M echanism 5 (Encrypt-then-MAC) 22 A.8M echanism 6 (GCM) 22 AnnexB (i nf orma ti ve ) Examples 23 B.1 Introduction. 23 B.2 Mechanism 1 (OCB 2.0) 23 B.3 Mechanism 2 (Key Wrap) .2 4 B.4 Mechanism 3 (CCM) 24 B.5 Mechanism 4 (EAX). 25 B.6 Mechanism 5 (Encrypt-then-MAC). . 26 B.7 Mechanism 6 (GCM) 26
19、AnnexC (n orm ati ve ) ASN.1 module. 28 C.1 Formal definition.2 8 C.2 Use of subsequent object identifiers 28 Bibliography. 29BS ISO/IEC 19772:2009 ISO/IEC 19772:2009(E) ISO/IEC 2009 All rights reserved v Foreword ISO( the International Organization for Standardization) andI EC (the International El
20、ectrotechnical Commission) form the specializeds ystemf or worldwide standardization. National bodies that are memberso f ISOo r IEC participate in the development of InternationalS tandardst hrough technicalc ommittees established byt he respective organization to deal with particular fields of tec
21、hnicala ctivity. ISO and IEC technical committees collaborate in fieldso fm utual interest. Otheri nternationalo rganizations, governmental and non-governmental, in liaison with ISOa nd IEC, also take part in the work.I n the field of information technology, ISO and IEC have establisheda joint techn
22、ical committee, ISO/IECJ TC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. Them ain tasko ft he joint technical committee is to prepare InternationalS tandards. Draft International Standardsa dopted by the joint technical committee are ci
23、rculated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibilityt hats ome of the elements of thisd ocument mayb et he subject ofp atent rights. ISO and IEC shall not be he
24、ld responsible for identifying any or all such patent rights. ISO/IEC1 9772 was prepared by Joint TechnicalC ommittee ISO/IECJ TC 1, Information technology, Subcommittee SC2 7, IT Security techniques.BS ISO/IEC 19772:2009 ISO/IEC 19772:2009(E) vi ISO/IEC 2009 All rights reserved Introduction When da
25、ta is sent from one place to another, it is often necessary to protect it in some way whilst it is in transit, e.g. against eavesdropping or unauthorised modification.S imilarly, when data is stored in ane nvironment to which unauthorized parties may have access, it may be necessaryt o protect it. I
26、f the confidentialityo ft he data needst o be protected, e.g. against eavesdropping, then one solution is to use encryption, as specifiedi n ISO/IEC 18033a nd ISO/IEC 10116. Alternatively, if it is necessaryt o protect the data againstm odification,i .e. integrityp rotection, then Message Authentica
27、tion Codes (MACs), as specified in ISO/IEC 9797, or digitals ignatures, as specifiedi n ISO/IEC 9796 and ISO/IEC 14888, canb e used. If both confidentiality andi ntegrity protection are required, then one possibilityi s to use both encryption and a MAC or signature. Whilst these operationsc an be co
28、mbined in many ways, not allc ombinationso fs uch mechanisms providet he same securityg uarantees. Asa result it isd esirable tod efine in detaile xactly how integritya nd confidentialitym echanismss hould be combined to providet he optimuml evelo fs ecurity. Moreover, in some casess ignificant effi
29、ciency gainsc an be obtained byd efining a single method of processing thed ata with the objective of providing both confidentiality andi ntegrityp rotection. In this standard, authenticated encryption mechanisms are defined. These are methodsf or processing data to provide both integritya nd confid
30、entiality protection. They typicallyi nvolve either a specifiedc ombination of aM AC computationa nd data encryption,o r the use of an encryption algorithmi n a specialw ay such that both integrity and confidentialityp rotection arep rovided. Them ethodss pecified in thiss tandard have been designed
31、 to maximise the levelo fs ecuritya nd provide efficient processing ofd ata. Some of the techniques definedh ere have mathematical proofs of security, i.e. rigorous arguments supportingt heir soundness.BS ISO/IEC 19772:2009 INTERNATIONAL STANDARD ISO/IEC 2009 All rights reserved 1 Information techno
32、logy Security techniques Authenticated encryption 1 Scope This International Standard specifiess ix methodsf or authenticatede ncryption, i.e.d efined wayso fp rocessing a data string with the following security objectives: data confidentiality, i.e.p rotection against unauthorized disclosure of dat
33、a, data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified, data origin authentication, i.e. protection that enables ther ecipient ofd ata to verifyt he identity of the data originator. Alls ix methodss pecified in thisI nternationalS tandard are ba
34、sedo na block cipher algorithm, andr equire the originator and the recipient of the protected data to share a secret keyf or thisb lock cipher. Keym anagement is outside the scope of this standard; keym anagement techniques are defined in ISO/IEC 11770. Four of the mechanisms in thiss tandard, namel
35、y mechanisms 1, 3, 4 and 6, allowd ata to bea uthenticated which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data stringt hat is to be encrypted and integrity-protected, and A (the additional authenticated data) that is
36、 integrity-protected but not encrypted. In all cases, the string A may be empty. NOTE Exampleso f typeso f datat hat mayn eedt ob es ent inu nencrypted form, but whosei ntegrity should be protected, includea ddresses, port numbers, sequence numbers, protocolv ersion numbers, and other network protoc
37、ol fields that indicate how the plaintext should be handled, forwarded, or processed. 2N ormative references Thef ollowing referenced documents are indispensable for the applicationo ft hisd ocument. For dated references, only thee dition cited applies. For undated references, the latest edition of
38、the referenced document (including any amendments) applies. ISO/IEC 9797-1: 1) , Informationt echnology S ecurityt echniques M essage Authentication Codes (MACs) Part 1: Mechanisms usinga block cipher ISO/IEC 10116, Information technology Securityt echniques Modeso f operation for an n-bit blockc ip
39、her ISO/IEC 18033-3, Informationt echnology Securityt echniques Encryption algorithms Part 3: Block ciphers 1) To be published. (Revision of ISO/IEC 9797-1:1999) 3T erms and definitions For the purposes of this document, the following terms and definitions apply. ISO/IEC 19772:2009(E)BS ISO/IEC 1977
40、2:2009 2 I SO/IEC 200 9 Allr ights reserved 3.1 authenticated encryption (reversible) transformation of data by a cryptographic algorithm to produce ciphertext that cannot be altered by an unauthorized entity withoutd etection, i.e. it provides data confidentiality, data integrity, and data origin a
41、uthentication 3.2 authenticated encryption mechanism cryptographic technique usedt o protect the confidentialitya nd guarantee theo rigin andi ntegrityo fd ata, and which consists of two component processes: an encryption algorithm and a decryption algorithm 3.3 block cipher symmetrice ncryptions ys
42、temw ith thep ropertyt hat the encryption algorithm operateso na block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext ISO/IEC 18033-1 3.4 ciphertext data which has been transformed to hide its information content ISO/IEC 10116 3.5 data integrity the property
43、that data has not been altered ord estroyed in an unauthorized manner ISO/IEC 9797-1 3.6 decryption reversal of a corresponding encryption ISO/IEC 18033-1 3.7 encryption (reversible) transformation of data by a cryptographica lgorithm to produce ciphertext, i.e., to hide the information content of t
44、he data ISO/IEC 18033-1 3.8 encryption system cryptographic technique used to protect the confidentialityo fd ata, and which consists of three component processes: ane ncryptiona lgorithm, a decryption algorithm, andam ethod for generatingk eys ISO/IEC 18033-1 3.9 key sequence ofs ymbols that contro
45、ls theo peration of a cryptographict ransformation (e.g. encipherment, decipherment) ISO/IEC 18033-1 3.10 message authentication code (MAC) string of bits which is the output of a MAC algorithm ISO/IEC 9797-1 3.11 partition processo fd ividinga string of bits of arbitraryl ength into a sequence of b
46、locks, where the length ofe ach block shallb e n bits, except for the final block which shall contain r bits, 0 r n 3.12 plaintext unencrypted information ISO/IEC 10116 ISO/IEC 19772:2009(E)BS ISO/IEC 19772:2009 I SO/IEC 2009 Allr ights reserved 3 3.13 secret key key used with symmetric cryptographi
47、c techniques bya specified set of entities ISO/IEC 18033-1 3.14 symmetric encryption system encryption system basedo ns ymmetricc ryptographic techniquest hat uses the same secret keyf or both the encryption and decryptiona lgorithms ISO/IEC 18033-1 4S ymbols (and abbreviated terms) For the purposes
48、 of this document, the following symbols and notation apply: A Additional authenticated data. C Authenticated-encrypted data string. D Data string to which an authenticated encryption mechanism is to be applied. d Block cipher decryption algorithm; d K ( Y)d enotes ther esult of blockc ipher decrypt
49、ing the n-bit block Y using the secret key K. e Block cipher encryption algorithm; e K ( X)d enotes ther esult of blockc ipher encrypting the n-bit block X using the secret key K. K Secret blockc ipher keys hared by theo riginator and recipient of the data to which the authenticated encryption mechanism is to be applied. m Number of blocks in the partitioned version of D. n Block length (in bits) for a block cipher. t Tag length (in bits). 0 i Block of i zero bits. 1 i Block of i on
