1、BSI Standards Publication BS ISO/IEC 20009-2:2013 Information technology Security techniques Anonymous entity authentication Part 2: Mechanisms based on signatures using a group public keyBS ISO/IEC 20009-2:2013 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO
2、/IEC 20009-2:2013. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisio
3、ns of a contract. Users are responsible for its correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 73394 9 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published
4、 under the authority of the Standards Policy and Strategy Committee on 31 December 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 20009-2:2013 Information technology Security techniques Anonymous entity authentication Part 2: Mechanisms based on signatures using a group publi
5、c key Technologies de linformation Techniques de scurit - Authentification anonyme dentit Partie 2: Mcanismes fonds sur des signatures numriques utilisant une cl publique de groupe ISO/IEC 2013 INTERNATIONAL STANDARD ISO/IEC 20009-2 First edition 2013-12-01 Reference number ISO/IEC 20009-2:2013(E)BS
6、 ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E)ii ISO/IEC 2013 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, includ
7、ing photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41
8、22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) ISO/IEC 2013 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviated terms
9、. 3 5 General model and requirements. 4 6 Key generation process . 5 7 Mechanisms without an online TTP . 6 7.1 Introduction 6 7.2 Unilateral anonymous authentication 7 7.3 Mutual anonymous authentication . 9 7.4 Unilateral-anonymous mutual authentication .12 7.5 Mutual anonymous authentication with
10、 binding-property 15 7.6 Unilateral-anonymous mutual authentication with binding-property .21 8 Mechanisms involving an online TTP 28 8.1 Introduction .28 8.2 Unilateral anonymous authentication .28 8.3 Mutual anonymous authentication 31 8.4 Unilateral-anonymous mutual authentication .35 9 The group
11、 membership opening process 44 9.1 General 44 9.2 The evidence evaluation process .45 10 The group signature linking process 45 10.1 General 45 10.2 Linking process with opener .45 10.3 Linking process with linking key 46 10.4 Linking process with linking base .46 Annex A (normative) Object identifi
12、ers .47 Annex B (informative) Information on mechanisms with binding-property 49 Bibliography .51BS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for wo
13、rldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate
14、 in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are d
15、rafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an In
16、ternational Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 20009-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 20009 consists of the following parts, under the general
17、 title Information technology Security techniques Anonymous entity authentication: Part 1: General Part 2: Mechanisms based on signatures using a group public key Mechanisms based on blind signatures and Mechanisms based on weak secrets will form the subjects of future Parts 3 and 4, respectively. F
18、urther parts may follow.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) Introduction Anonymous entity authentication is a special type of entity authentication. In an anonymous entity authentication mechanism, given a message that was generated during the authentica
19、tion protocol, an unauthorized entity cannot discover the identifier of the entity being authenticated (the claimant). At the same time, an authorized verifier can obtain assurance that the claimant is authentic. However, even an authorized verifier may not be authorized to learn the identifier of t
20、he entity being authenticated. The anonymous entity authentication mechanisms specified in this part of ISO/IEC 20009 are based on anonymous signatures using a group public key, discussed in ISO/IEC 20008-2. An anonymous signature using a group public key is sometimes simply known as a group signatu
21、re. A group signature has the following properties. Only group members are able to correctly sign messages. The verifier can verify that it is a valid group signature, but cannot discover which group member generated it. Optionally, the signature can be “linked” or “opened”. The anonymous entity aut
22、hentication mechanisms specified in this part of ISO/IEC 20009 involve the following basic operations. An entity (verifier) which wants to authenticate another entity (claimant) interacts with the claimant. The claimant sends a token (and optionally a group public key certificate) to the verifier. T
23、he verifier confirms the validity of the provided token (and optionally the group public key certificate). One of the major differences between a (conventional) entity authentication mechanism based on (conventional) digital signatures and an anonymous entity authentication mechanism based on signat
24、ures using a group public key is the nature of the digital signature scheme used to produce tokens and to provide confirmation of messages that were generated during the authentication protocol. Another difference is that, for an anonymous authentication mechanism, the claimant belongs to a group, a
25、nd authentication is conducted with respect to this group. Authentication mechanisms require associated methods to manage the relationship between an entity and a group; for example, how an entity joins the group, how its activity can be linked, and how it can be later identified must all be specifi
26、ed. Thus, this standard specifies methods for issuing, linking and opening. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of patents. IS
27、O and IEC take no position concerning the evidence, validity and scope of these patent rights. The holders of these patent right have ensured the ISO and IEC that they are willing to negotiate licences either free of charge or under reasonable and non-discriminatory terms and conditions with applica
28、nts throughout the world. In this respect, the statements of the holders of these patent rights are registered with ISO and IEC. Information may be obtained from: Electronics and Telecommunications Research Institute (ETRI) 161, Gajeong-dong, Yuseong-gu, Daejeon, 305-700, KOREA China IWNCOMM Co., LT
29、D. A201,QinFeng Ge, Xian Software Park, No.68 KeJi 2nd Road, Xian Hi-tech Industrial Development Zone, Shaanxi, P.R.China 710075 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall n
30、ot be held responsible for identifying any or all such patent rights. ISO/IEC 2013 All rights reserved vBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) ISO (www.iso.org/patents) and IEC (http:/ /patents.iec.ch) maintain online databases of patents relevant to their standards. Users are encouraged to
31、consult the databases for the most up to date information concerning patents.vi ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-2:2013INTERNATIONAL ST ANDARD ISO/IEC 20009-2:2013(E) Information technology Security techniques Anonymous entity authentication Part 2: Mechanisms based on signatures usi
32、ng a group public key 1 Scope This part of ISO/IEC 20009 specifies anonymous entity authentication mechanisms based on signatures using a group public key in which a verifier verifies a group signature scheme to authenticate the entity with which it is communicating, without knowing this entitys ide
33、ntity. This part of ISO/IEC 20009 provides a general description of an anonymous entity authentication mechanism based on signatures using a group public key; a variety of mechanisms of this type. This part of ISO/IEC 20009 describes the group membership issuing processes; anonymous authentication m
34、echanisms without an online Trusted Third Party (TTP); anonymous authentication mechanisms involving an online TTP. Furthermore, this part of ISO/IEC 20009 also specifies the group membership opening process (optional); the group signature linking process (optional). 2 Normative references The follo
35、wing documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 20008-1,
36、 Information technology Security techniques Anonymous digital signatures Part 1: General ISO/IEC 20008-2, Information technology Security techniques Anonymous digital signature Part 2: Mechanisms using a group public key ISO/IEC 20009-1, Information technology Security techniques Anonymous entity au
37、thentication Part 1: General 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 20008-1, ISO/IEC 20009- 1, and the following apply. ISO/IEC 2013 All rights reserved 1BS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) 3.1 binding-property property pro
38、viding assurance for binding between the messages of a communicating entity 3.2 c e r t i f i c a t i o n a ut h o r it y entity trusted to create and assign public key certificates SOURCE: ISO/IEC 11770-1:2010 3.3 ephemeral key pair asymmetric key pair consisting of an ephemeral public key and an e
39、phemeral private key that are used as a temporary key and are unique for each execution of a cryptographic scheme 3.4 g r o u p p u b l i c k e y c e r t i f i c a t e group public key information of a group signed by the group public key certification authority 3.5 g r o u p p u b l i c k e y c e r
40、 t i f i c a t i o n a u t h o r i t y entity trusted to create and assign group public key certificates 3.6 group public key information information containing at least the groups identifier and group public key, but which can include other static information regarding the group public key certific
41、ation authority, the group, restrictions on key usage, the validity period, or the involved algorithms 3.7 key derivation function function that outputs one or more shared secrets, for use as keys, given shared secrets and other mutually known parameters as input SOURCE: ISO/IEC 11770-3:2008 3.8 loc
42、al linking capability linking capability with a feature that two or more signatures from same anonymous user are linked only by a specific group signature linker with linking key, but other entities cannot link the signatures 3.9 message authentication code (MAC) string of bits which is the output o
43、f a MAC algorithm SOURCE: ISO/IEC 9797-1:2011 3.10 message authentication code (MAC) algorithm algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits satisfying the following two properties: for any key and any input string, the function can be
44、 computed efficiently; for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of the set of input strings and corresponding function values, where the value of the i th input string may
45、have been chosen after observing the value of the first i 1 function values SOURCE: ISO/IEC 9797-1:20112 ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) 3.11 p u b l i c k e y c e r t i f i c a t e public key information of an entity signed by the certification authori
46、ty SOURCE: ISO/IEC 11770-1:2010 3.12 public key information information containing at least the entitys distinguishing identifier and public key, but which can include other static information regarding the certification authority, the entity, restrictions on key usage, the validity period, or the i
47、nvolved algorithms SOURCE: ISO/IEC 11770-1:2010 4 Symbols and abbreviated terms For the purposes of this part of ISO/IEC 20009, the following symbols and abbreviations apply. A, B distinguishing identifier of entity A or B Cert A , Cert B public key certificate of entity A or B Cert G group public k
48、ey certificate of the group G G, G distinguishing identifier of the group G or G G cyclic group of order q in which the decisional Diffie-Hellman (DDH) problem is hard g generator of G gsS XG (m) anonymous signature using a group public key created by entity X applying one of group signature mechani
49、sms specified in ISO/IEC 20008-2 on message-to-be-signed m using the group member signature key S XG kdf key derivation function I G identity of group G which is either G or Cert G I X identity of entity X which is either X or Cert X m message-to-be-signed MAC Message Authentication Code MAC output value of a MAC algorithm mac K (M) MAC algorithm using the secret key K and an arbitrary data string M N X sequence number issued by entity X P A , P B pu
