1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 9798-6:2010 Information technology Security techniques Entity authentication Part 6: Mechanisms using manual data transferBS ISO/IEC 9798-6:2010 BRITISH STANDARD Na
2、tional foreword This British Standard is the UK implementation of ISO/IEC 9798-6:2010. It supersedes BS ISO/IEC 9798-6:2005 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this c
3、ommittee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. BSI 2010 ISBN 978 0 580 68073 1 ICS 35.040 Compliance with a British Standard cannot confer immunity from
4、legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2010. Amendments issued since publication Date Text affectedBS ISO/IEC 9798-6:2010Reference number ISO/IEC 9798-6:2010(E) ISO/IEC 2010INTERNATIONAL STANDARD ISO/IE
5、C 9798-6 Second edition 2010-12-01 Information technology Security techniques Entity authentication Part 6: Mechanisms using manual data transfer Technologies de linformation Techniques de scurit Authentification dentit Partie 6: Mcanismes utilisant un transfert manuel de donnes BS ISO/IEC 9798-6:20
6、10 ISO/IEC 9798-6:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing.
7、In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found
8、 in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the a
9、ddress given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from eit
10、her ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2010 All rights reservedBS ISO/IEC 9798-6:
11、2010 ISO/IEC 9798-6:2010(E) ISO/IEC 2010 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Normative references1 3 Terms and definitions .1 4 Symbols and abbreviated terms 3 5 Overall requirements.4 6 Mechanisms using a short check-value5 6.1 General .5 6.2 Mechanism 1 One d
12、evice with simple input, one device with simple output 5 6.3 Mechanism 2 Devices with simple input capabilities.7 7 Mechanisms using a manual transfer of a short digest-value or a short key.8 7.1 General .8 7.2 Mechanism 3 One device with simple input, one device with simple output 8 7.3 Mechanism 4
13、 One device with simple input, one device with simple output 10 7.4 Mechanism 5 Devices with simple input capabilities.11 7.5 Mechanism 6 Devices with simple input capabilities.13 8 Mechanisms using a MAC 15 8.1 General .15 8.2 Mechanism 7 Devices with simple output capabilities.15 8.3 Mechanism 8 O
14、ne device with simple input, one device with simple output 18 Annex A (normative) ASN.1 modules .20 Annex B (informative) Using manual authentication protocols for the exchange of secret keys21 Annex C (informative) Using manual authentication protocols for the exchange of public keys23 Annex D (inf
15、ormative) On mechanism security and choices for parameter lengths.25 Annex E (informative) A method for generating short check-values 28 Annex F (informative) Comparative analysis in security and efficiency of mechanisms 18 .30 Annex G (informative) Methods for generating short digest-values .33 Bib
16、liography34 BS ISO/IEC 9798-6:2010 ISO/IEC 9798-6:2010(E) iv ISO/IEC 2010 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are m
17、embers of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
18、organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the IS
19、O/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least
20、75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 9798-6 was prepared by Joint Technical Co
21、mmittee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 9798-6:2005), to which a new Clause 7 has been added to provide four new mechanisms. It also incorporates the Technical Corrigendum ISO/IEC 9
22、798-6:2005/Cor.1:2009. Implementations conformant to the first edition will be conformant to the second edition. ISO/IEC 9798 consists of the following parts, under the general title Information technology Security techniques Entity authentication: Part 1: General Part 2: Mechanisms using symmetric
23、encipherment algorithms Part 3: Mechanisms using digital signature techniques Part 4: Mechanisms using a cryptographic check function Part 5: Mechanisms using zero-knowledge techniques Part 6: Mechanisms using manual data transfer BS ISO/IEC 9798-6:2010 ISO/IEC 9798-6:2010(E) ISO/IEC 2010 All rights
24、 reserved vIntroduction Within networks of communicating devices it is often necessary for two devices to perform an entity authentication procedure using a channel which may be subject to both passive and active attacks, where an active attack can include a malicious third party introducing data in
25、to the channel and/or modifying, deleting or repeating data legitimately sent on the channel. Other parts of ISO/IEC 9798 specify entity authentication mechanisms applicable when the two devices share a secret key, or where one device has an authenticated copy of a public key for the other device. I
26、n this part of ISO/IEC 9798, entity authentication mechanisms where there is no such assumption of pre- established keying relationships, referred to as manual authentication mechanisms, are specified. Instead entity authentication is achieved by manually transferring short data strings from one dev
27、ice to the other, or by manually comparing short data strings output by the two devices. For the purposes of this part of ISO/IEC 9798, the meaning of the term entity authentication is different from the meaning applied in other parts of ISO/IEC 9798. Instead of one device verifying that the other d
28、evice has a claimed identity (and vice versa), both devices in the possession of a user verify that they correctly share a data string with the other device at the time of execution of the mechanism. Of course, this data string could contain identifiers for one or both of the devices. As described i
29、n informative Annexes B and C, a manual authentication mechanism can be used as the basis for secret key establishment or the reliable exchange of public keys. A manual authentication mechanism could also be used for the reliable exchange of other secret or public security parameters, including secu
30、rity policy statements or timestamps. BS ISO/IEC 9798-6:2010BS ISO/IEC 9798-6:2010 INTERNATIONAL STANDARD ISO/IEC 9798-6:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Entity authentication Part 6: Mechanisms using manual data transfer 1 Scope This part of ISO/I
31、EC 9798 specifies eight entity authentication mechanisms based on manual data transfer between authenticating devices. It indicates how these mechanisms can be used to support key management functions, and provides guidance on secure choices of parameters for the mechanisms. A comparison of the leve
32、ls of security and efficiency provided by the eight mechanisms is given. Such mechanisms can be appropriate in a variety of circumstances. One such application occurs in personal networks, where the owner of two personal devices capable of wireless communications wishes them to perform an entity aut
33、hentication procedure as part of the process of preparing them for use in the network. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of
34、 the referenced document (including any amendments) applies. ISO/IEC 9798-1:2010, Information technology Security techniques Entity authentication Part 1: General 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 9798-1 and the following apply. 3.1
35、 check-value string of bits, computed as the output of a check-value function, sent from the data originator to the data recipient that enables the recipient of data to check its correctness 3.2 check-value function function f which maps a string of bits and a short secret key, i.e. a key that can r
36、eadily be entered into or read from a user device, to a fixed-length string of bits, i.e. a b-bit check-value, satisfying the following properties: for any key k and any input string d, the function f(d, k) can be computed efficiently; it is computationally infeasible to find a pair of distinct data
37、 strings (d, d ) for which the number of keys which satisfy f(d, k) = f(d , k) is more than a small fraction of the possible set of keys. NOTE In practice, a short key would typically contain 46 digits or alphanumeric characters. BS ISO/IEC 9798-6:2010 ISO/IEC 9798-6:2010(E) 2 ISO/IEC 2010 All right
38、s reserved3.3 data origin authentication corroboration that the source of data received is as claimed ISO 7498-2 3.4 digest-value string of bits, computed as the output of a digest function, sent from the data originator to the data recipient that enables the recipient of data to check its correctne
39、ss 3.5 digest function function d which maps a string of bits and a long secret key to a short and fixed-length string of bits, i.e. a b-bit digest-value, that can readily be entered into or read from a user device, satisfying the following properties: for any key k and any input string m, the funct
40、ion d(m, k) can be computed efficiently; it is computationally infeasible to find a pair of distinct data strings (m, m ) for which the proportion of keys which satisfy d(m, k) = d(m , k) is greater than (2 -b+ ), where b is the bit length of a digest-value and is a value that is negligible relative
41、 to 2 -b . NOTE 1 In practice, the second digest function property should be satisfied if the key k is of the size of a typical cryptographic hash value, for example, 160 bits. This requirement derives from theoretical lower bounds on the key length for universal hash-functions, which are a general
42、class of digest functions. More detailed discussions of this issue can be found in Annex F. NOTE 2 See Annexes D, F, and G for further discussions of key and digest lengths. 3.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties
43、: it is computationally infeasible to find for a given output an input which maps to this output; it is computationally infeasible to find for a given input a second input which maps to the same output. ISO/IEC 10118-1 3.7 manual authentication certificate combination of a secret key and a check-val
44、ue, generated by one of the two devices engaging in manual authentication, with the property that, when entered into the other device, this pair of values can be used to complete the manual authentication process at some later time 3.8 Message Authentication Code MAC string of bits which is the outp
45、ut of a MAC algorithm ISO/IEC 9797-1 BS ISO/IEC 9798-6:2010 ISO/IEC 9798-6:2010(E) ISO/IEC 2010 All rights reserved 33.9 Message Authentication Code algorithm MAC algorithm algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits, satisfying the
46、following properties: for any key and any input string the function can be computed efficiently; for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of the set of input strings and co
47、rresponding function values, where the value of the ith input string may have been chosen after observing the value of the first i-1 function values. ISO/IEC 9797-1 3.10 manual entity authentication process achieving entity authentication between two devices using a combination of message exchanges
48、via a (potentially insecure) communications channel and the manual transfer of limited amounts of data between the devices 3.11 simple input interface interface for a device that allows the user to indicate to the device the successful or unsuccessful completion of a procedure, e.g. as could be impl
49、emented as a pair of buttons or a single button which is either pressed or not within a certain time interval 3.12 simple output interface interface for a device that allows the device to indicate to the user the successful or unsuccessful completion of a procedure, e.g. as could be implemented by red and green lights or as single light which is lit in different ways to indicate success or failure 4 Symbols and abbreviated terms A, B Labels used for the tw
