1、 American National Standard for Financial Services ANSI X9.442007 (R2017) Public-Key Cryptography for the Financial Services Industry Key Establishment Using Integer Factorization Cryptography Developed By Accredited Standards Committee X9, Incorporated Financial Industry Standards Date Approved: Au
2、gust 24, 2007 Date Reaffirmed: February 10, 2017 American National Standards Institute American National Standards, Technical Reports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membershi
3、p agreements is prohibited without express written permission of the Accredited Standards Committee X9, Inc. For additional information please contact ASC X9, Inc., 275 West Street, Suite 107, Annapolis, MD 21401. ANSI X9.44- 2007 (R2017) 2017ASC X9 Inc. - All rights reserved ii Contents Page Forewo
4、rd. vii Introduction . viii 1 Scope . 1 2 Normative references . 2 3 Terms and definitions. 2 4 Symbols and abbreviated terms . 7 5 Overview and organization 14 5.1 General. 14 5.2 Compatibility modes. 15 5.3 Organization 15 6 Security levels . 16 7 Data conversion primitives 17 7.1 Overview 17 7.2
5、Integer to Octet String Primitive (I2OSP) 17 7.3 Octet String to Integer Primitive (OS2IP) . 18 8 Components from other X9 sources. 19 8.1 Overview 19 8.2 Random number (bit) generators (RNGs) 19 8.3 Prime number generators 19 8.4 Primality testing methods 19 8.5 Hash functions 20 8.6 Message authen
6、tication codes 20 8.7 Symmetric key-wrapping schemes. 22 8.8 Signature schemes with appendix 22 9 Additional components 23 9.1 Overview 23 9.2 Mask generation functions 23 9.2.1 Overview 23 9.2.2 MGF1 23 9.3 Key derivation functions 24 9.3.1 Overview 24 9.3.2 KDF2/KDF3 25 10 Public-key components .
7、27 10.1 Overview 27 10.2 RSA key pairs 27 10.3 RSA key pair generators 28 10.3.1 RSAKPG1 family: RSA key pair generation with a fixed public exponent 29 10.3.2 RSAKPG2: RSA key pair generation with a random public exponent 32 10.4 RSA key pair validation 35 10.4.1 Overview 35 10.4.2 RSAKPV1: RSA Key
8、 Pair Validation with a Fixed Exponent 36 10.4.3 RSAKPV2: RSA Key Pair Validation with a Random Exponent . 39 10.5 Partial public-key validation and plausibility tests . 43 10.5.1 Overview 43 ANSI X9.442007 (R2017) iii 2017ASC X9 Inc. - All rights reserved 10.5.2 Plausible Size Tests 44 10.5.3 Plaus
9、ible size and value tests 44 10.6 Encryption and decryption primitives .46 10.6.1 Overview .46 10.6.2 RSAEP 46 10.6.3 RSADP 47 10.7 Asymmetric encryption schemes 49 10.7.1 Overview .49 10.7.2 RSAES-OAEP .49 10.7.3 RSAES-KEM-KWS .56 10.8 Secret-value encapsulation scheme .60 10.8.1 Overview .60 10.8.
10、2 RSASVES161 11 Key management considerations for public and private keys .63 11.1 Overview .63 11.2 Public-key distribution 63 11.3 Assurance of possession of the private key associated with the public key .63 11.4 Key usage.63 11.5 Assurances of key pair and public-key validity .64 11.5.1 Owner as
11、surances of key pair validity 64 11.5.2 User assurances of public-key validity .66 12 Key confirmation .67 12.1 Overview .67 12.2 Operation68 12.3 MAC data 68 13 Key agreement schemes 69 13.1 Overview .69 13.2 KAS1 family: Key agreement based on secret-value encapsulation .70 13.2.1 Overview .70 13.
12、2.2 Common components.70 13.2.3 kas1-basic 72 13.2.4 kas1-responder-confirmation.74 13.2.5 kas1-bilateral-confirmation.76 13.2.6 kas1-bilateral-confirmation-initiator-authentication 79 14 Key transport schemes .82 14.1 Overview .82 14.2 KTS1 family: Key transport based on asymmetric encryption .82 1
13、4.2.1 Overview .82 14.2.2 Common components.82 14.2.3 kts1-basic .84 14.2.4 kts1-receiver-confirmation .86 Annex A (normative) Compatibility Components 89 A.1 Overview .89 A.2 US-ASCII to Octet String Primitive (ASC2OSP)89 A.3 PRF-TLS89 A.4 RSA Signature Primitive (RSASP) .91 A.5 RSA Verification Pr
14、imitive (RSAVP) 91 A.6 RSAES-PKCS1-v1_5 92 A.6.1 Overview .92 A.6.2 Encryption operation 92 A.6.3 Decryption operation 93 A.7 RSASVES-TLS95 ANSI X9.44- 2007 (R2017) 2017ASC X9 Inc. - All rights reserved iv A.7.1 Overview 95 A.7.2 Generation operation 95 A.7.3 Recovery operation 96 A.8 RSASSA-TLS . 9
15、8 A.8.1 Overview 98 A.8.2 Signature operation 98 A.8.3 Verification operation . 99 Annex B (normative) ASN.1 Syntax 101 B.1 Overview 101 B.2 Useful types and definitions 101 B.3 Components from other X9 sources. 102 B.3.1 Overview 102 B.3.2 Hash functions 102 B.3.3 Message authentication codes 104 B
16、.3.4 Symmetric key-wrapping schemes. 105 B.3.5 Signature schemes with appendix 106 B.4 Additional components 106 B.4.1 Overview 106 B.4.2 MGF1 106 B.4.3 KDF2. 107 B.4.4 KDF3. 107 B.5 Public-key components . 107 B.5.1 Overview 107 B.5.2 Public and private keys 107 B.5.3 RSAES-OAEP 109 B.5.4 RSAES-KEM
17、-KWS. 110 B.5.5 RSASVES1 . 111 B.6 Key establishment schemes 111 B.6.1 Overview 111 B.6.2 KAS1 family . 112 B.6.3 KTS1 family . 116 B.7 Compatibility components. 118 B.7.1 Overview 118 B.7.2 PRF-TLS . 118 B.7.3 RSAES-PKCS1-v1_5 . 118 B.7.4 RSASVES-TLS . 119 B.7.5 RSASSA-TLS . 119 B.8 ASN.1 module 11
18、9 Annex C (informative) Security Considerations 132 C.1 Overview 132 C.2 RSA Problem . 132 C.3 Integer factoring 134 C.4 RSA key pairs 135 C.4.1 Overview 135 C.4.2 Key size 135 C.4.3 Prime factors . 135 C.4.4 Public exponent 136 C.4.5 Private exponent . 137 C.4.6 Private-key representation. 137 C.5
19、Public-key techniques 137 C.5.1 Encryption and decryption primitives 137 C.5.2 Asymmetric encryption schemes . 137 C.5.3 Secret-value encapsulation schemes. 138 C.5.4 Signature schemes with appendix 139 C.6 Key establishment schemes 139 C.6.1 KAS1 family . 141 ANSI X9.442007 (R2017) v 2017ASC X9 Inc
20、. - All rights reserved C.6.2 KTS1 family 142 C.7 Side-channel attacks .142 C.8 Hash Functions143 Annex D (informative) Assurance of Validity for RSA Public Keys 144 D.1 Introduction144 D.2 Assurance through validation144 D.3 Motivations for checking public keys .145 D.4 Relying on other parties .14
21、6 D.5 Full public-key validation147 Annex E (informative) TLS Profile of KAS1 Family149 E.1 Overview .149 E.2 TLS handshake with server authentication 149 E.3 TLS handshake with mutual authentication .152 E.4 Summary of TLS messages153 E.5 Recommended enhancements.154 E.6 Assurance of public-key val
22、idity in TLS .155 Annex F (informative) ANS X9.73 and S/MIME CMS Profile of KTS1 Family.156 F.1 Overview .156 F.2 kts1-basic parameters.156 F.3 Summary of protocol fields 156 F.4 Recommended enhancements.157 Annex G (informative) Supporting Algorithms.159 G.1 Greatest common divisor .159 G.2 Least c
23、ommon multiple 160 G.3 Modular inverse .160 G.4 Prime factor recovery162 G.5 Enhanced Miller-Rabin Provable Compositeness / Probabilistic Primality Test 163 Annex H (informative) Examples .165 H.1 Example values for rsakpg1-basic 165 H.2 Example values for rsakpg1-prime-factor.167 H.3 Example Values
24、 for RSAkpg1-crt.169 H.4 Example values for RSAEP 172 H.5 Example values for RSADP 174 H.6 Example values for RSAES-OAEP.Encrypt 176 Inputs: 176 Outputs 177 Support Values .178 H.7 Example values for RSAES-KEM-KWS.Encrypt .179 Inputs: 179 Outputs: .180 H.8 Example values for KAS1-basic.181 Step 1 -
25、Initiator.181 Step 2 - Responder .184 Step 3 Initiator186 Support Values .186 H.9 Example values for KTS1-basic .186 Step 1 - Sender186 Step 2 Responder 188 Support Values .189 Bibliography191 ANSI X9.44- 2007 (R2017) 2017ASC X9 Inc. - All rights reserved vi Figures Figure 1: RSAES-OAEP encryption o
26、peration. 53 Figure 2: RSAES-OAEP decryption operation. 56 Figure 3: RSAES-KEM-KWS encryption operation . 58 Figure 4: RSAES-KEM-KWS decryption operation . 60 Figure 5: kas1-basic scheme . 74 Figure 6: kas1-responder-confirmation scheme 76 Figure 7: kas1-bilateral-confirmation scheme 78 Figure 8: ka
27、s1-bilateral-confirmation-initiator-authentication scheme . 81 Figure 9: kts1-basic scheme 85 Figure 10: kts1-receiver-confirmation scheme. 88 Figure E.1: TLS handshake with server authentication, as a profile of kas1-bilateral-confirmation 152 Figure E.2: TLS handshake with mutual authentication, a
28、s a profile of kas1-bilateral-confirmation-initiator- authentication . 153 Tables Table 1: Recommended algorithms and minimum key sizes. . 17 Table C.1: Corresponding RSA and symmetric key sizes based on GNFS running time . 134 Table C.2: Security assurances provided by the key establishment schemes
29、 140 Table E.1: TLS with server authentication as a profile of KAS1 150 Table E.2: Additional elements in TLS with mutual authentication, as a profile of KAS1 152 Table E.3: Proposed enhancements to TLS profile . 155 Table F.1: ANS X9.73 and S/MIME CMS KeyTransRecipientInfo as a profile of kts1-basi
30、c 157 ANSI X9.442007 (R2017) vii 2017ASC X9 Inc. - All rights reserved Foreword Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established
31、 when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be conside
32、red, and that a concerted effort be made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, proces
33、ses, or procedures not conforming to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an Ameri
34、can National Standard in the name of the American National Standards Institute. Requests for interpretation should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time
35、. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards 275 West Street Suit
36、e 107 Annapolis, MD 21401 USA X9 Online www.x9.org Copyright 2017 ASC X9, Inc. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America.
37、 ANSI X9.44- 2007 (R2017) viii 2017 ASC X9 Inc., - All rights reserved Introduction This Standard specifies key establishment schemes using public-key cryptography based on the integer factorization problem. Two types of key establishment schemes are specified. In the first type, key transport, one
38、party selects keying material and conveys it to the other party with cryptographic protection. In the second, key agreement, both parties actively share in the establishment of the keying material. The keying material may consist of one or more individual keys used to provide other cryptographic ser
39、vices that are outside the scope of this Standard, e.g. data confidentiality, data integrity, or symmetric-key-based key establishment. NOTE The users attention is called to the possibility that compliance with this standard may require use of an invention covered by patent rights. By publication of
40、 this Standard, no position is taken with respect to the validity of this claim or of any patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applican
41、ts desiring to obtain such a license. Details may be obtained from the standards developer. Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, P.O. Box 4
42、035, Annapolis, MD 21403 USA. This Standard was processed and approved for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval. The X9 committee had the
43、following members: James Shaffer, X9 Chairman Vincent DeSantis, X9 Vice-Chairman Steve Stevens, Executive Director Susan Yashinskie, Managing Director Organization Represented Representative ACI Worldwide James Shaffer American Bamkers Association C. Diane Poole American Financial Services Associati
44、on Mark Zalewski American Express Company John Allen Bank of America Daniel Welch Certicom Corporation Daniel Brown Citigroup, Inc. Mike Halpern Clarke American Checks Inc. John W. McCleary CUSIP Service Bureau James Taylor Deluxe Corporation John FitzPatrick Diebold, Inc. Bruce Chapa Discover Finan
45、cial Services Katie Howser Federal Reserve Bank Dexter Holt First Data Corporation Elizabeth Lynn Fiserv Skip Smith FSTC, Financial Services Consortium Daniel Schutzer Hewlett Packard Larry Hines Hypercom Scott Spiker ANSI X9.442007 (R2017) ix 2017 ASC X9 Inc. - All rights reserved IBM Corporation T
46、odd Arnold Ingenico John Spence Intuit, Inc. Jana Hocker iStream Imaging Bank of Kenney Ken Biel JP Morgan Chase a set of rules which, if followed, will give a prescribed result. 3.2 Algorithm Identifier A unique identifier for a given encryption or hash algorithm, together with any required paramet
47、ers. The unique identifier is an ASN.1 object identifier 3.3 Authentication The act of determining that a message has not been changed since leaving its point of origin. The identity of the originator is implicitly verified. 3.4 Bit String A bit string is an ordered sequence of 0s and 1s. The left-m
48、ost bit is the most-significant bit of the string. The right-most bit is the least-significant bit of the string. 3.5 Certificate The public key and identity of an entity together with some other information rendered unforgeable by signing the certificate with the private key of the certifying autho
49、rity, which issued that certificate. ANSI X9.442007 (R2017) 3 2017ASC X9 Inc. - All rights reserved 3.6 Certification Authority (CA) An entity trusted by one or more entities to create and assign certificates. 3.7 Ciphertext Data in its enciphered form. 3.8 Composite An integer which has at least two prime factors. 3.9 Confidentiality The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. 3.10 Cryptographic Hash Function A (mathematical) function that maps values from a large (possibly very large) do
