INTERNATIONAL STANDARD ISO/IEC 11770-2
First edition 1996-04-15

Information technology - Security techniques - Key management - Part 2: Mechanisms using symmetric techniques

Technologies de l'information - Techniques de s

see for example ISO 8732. Besides key establishment, goals of such a mechanism may include unilateral or mutual authentication of the communicating entities. Further goals may be the verification of the integrity of the established key, or key confirmation.

This part of ISO/IEC 11770 addresses three environments for the establishment of keys: Point-to-Point, Key Distribution Centre (KDC) and Key Translation Centre (KTC). This part of ISO/IEC 11770 describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. The document does not indicate other information which may be contained in the messages or specify other messages such as error messages. The explicit format of messages is not within the scope of this part of ISO/IEC 11770.

This part of ISO/IEC 11770 does not explicitly address the issue of interdomain key management. This part of ISO/IEC 11770 also does not define the implementation of key management mechanisms; there may be different products that comply with this part of ISO/IEC 11770 and yet are not compatible.

The following standards contain provisions which, through reference in this text, constitute provisions of this part of ISO/IEC 11770. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this part of ISO/IEC 11770 are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

ISO 7498-2: 1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.

ISO/IEC 9798-2: 1994, Information technology - Security techniques - Entity authentication - Part 2: Mechanisms using symmetric encipherment algorithms.

ISO/IEC 9798-4: 1995, Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function.

ISO/IEC 11770-1: - , Information technology - Security techniques - Key management - Part 1: Key management framework. (To be published.)

3 Definitions and Notation

3.1 Definitions

For the purposes of this part of ISO/IEC 11770 the definitions given in ISO/IEC 11770-1 apply. In addition, this part of ISO/IEC 11770 makes use of the following terms:

3.1.1 distinguishing identifier: Information which unambiguously distinguishes an entity.

3.1.2 entity authentication: The corroboration that an entity is the one claimed.

3.1.3 key confirmation: The assurance for one entity that another identified entity is in possession of the correct key.

3.1.4 key control: The ability to choose the key, or the parameters used in the key computation.

3.1.5 key generating function: A function which takes as input a number of parameters, at least one of which shall be secret, and which gives as output keys appropriate for the intended algorithm and application. The function shall have the property that it shall be computationally infeasible to deduce the output without prior knowledge of the secret input.

3.1.6 point-to-point key establishment: The direct establishment of keys between entities, without involving a third party.

3.1.7 random number: A time variant parameter whose value is unpredictable.

3.1.8 redundancy: Any information that is known and can be checked.

3.1.9 sequence number: A time variant parameter whose value is taken from a specified sequence which is non-repeating within a certain time period.

3.1.10 time variant parameter: A data item used to verify that a message is not a replay, such as a random number, a sequence number, or a time stamp.

3.2 Notation

Throughout this part of ISO/IEC 11770 the following notation is used:

X is the distinguishing identifier of entity X.
KDC denotes a Key Distribution Centre.
KTC denotes a Key Translation Centre.
T is the distinguishing identifier of the Key Distribution Centre or the Key Translation Centre.
F denotes keying material.
KXY is a secret key associated with the entities X and Y.
R is a random number.
RX is a random number issued by entity X.
T/N is a time stamp or a sequence number.
TX/NX is a time stamp or a sequence number issued by entity X.
TVP is a time variant parameter.
TVPX is a time variant parameter issued by entity X.
eK(Z) is the result of the encipherment of data Z with a symmetric algorithm using the key K.
dK(Z) is the result of the decipherment of data Z with a symmetric algorithm using the key K.
vK(Z) is the result of a cryptographic check function computed on data Z using the key K. vK(Z) is also called message authentication code (MAC) and may be denoted as macK(Z).
f denotes a key generating function.
X || Y is the result of the concatenation of data items X and Y in that order.

The fields Text1, Text2, ... specified in the mechanisms may contain optional data for use in applications outside the scope of this part of ISO/IEC 11770 (they may be empty). Their relationship and contents depend upon the specific application. One such possible application is message authentication (see annex B for an example). Likewise, optional plaintext text fields may be prepended or appended to any of the messages. They have no security implications and are not explicitly included in the mechanisms specified in this part of ISO/IEC 11770. Data items that are optional in the mechanisms are shown in italics.

4 Requirements

The key establishment mechanisms specified in this part of ISO/IEC 11770 make use of symmetric cryptographic techniques, more specifically symmetric encipherment algorithms and/or key generating functions. The cryptographic algorithms and the key life-time shall be chosen such that it is computationally infeasible for a key to be deduced during its life-time. If the following additional requirements are not met, the key establishment process may be compromised or it cannot be implemented.

For those mechanisms making use of a symmetric encipherment algorithm, either assumption a) or assumption b) is required.

a) The encipherment algorithm, its mode of operation and the redundancy in the plaintext shall provide the recipient with the means to detect forged or manipulated data.

b) The integrity of the enciphered data shall be ensured by a data integrity mechanism. If a hash-function is used for this purpose the hash-code shall either be appended to the data before encipherment or be placed in a plaintext text field.

NOTES

1 - Modes of operation for block cipher algorithms are standardized in ISO/IEC 10116.

2 - A data integrity mechanism is standardized in ISO/IEC 9797. Hash-functions are standardized in ISO/IEC 10118.

3 - When a KDC or KTC is involved, assumptions a) and b) are not always equivalent in terms of the ability to detect unambiguously on which link an active attack is being performed. See Annex B for examples.

In each exchange specified in the mechanisms of clauses 5, 6 and 7, the recipient of a message shall know the claimed identity of the originator. If this is not the case from the context in which the mechanism is being used then this could, e.g., be achieved by the inclusion of identifiers in additional plaintext text fields of certain of the messages.

Keying material may be established using either secure or insecure communication channels. When using only symmetric cryptographic techniques, at least the first key shall be exchanged between two entities using a secure channel in order to allow secure communications.

The key establishment mechanisms in this part of ISO/IEC 11770 require the use of time variant parameters such as time stamps, sequence numbers, or random numbers. In this context the use of the term random number also includes unpredictable pseudo-random numbers. The properties of these parameters, in particular that they are non-repeating, are important for the security of these mechanisms. For additional information on time variant parameters see Annex B of ISO/IEC 9798-2.

5 Point-to-Point Key Establishment

The basic mechanism of every key establishment scheme is point-to-point key establishment which requires that the entities already share a key so that further keys may be established directly between the entities. For the implementation of the mechanisms specified in this clause it is assumed that

- A key KAB is shared by the entities A and B.
- At least one of A or B is able to generate, acquire or contribute to a secret key K as described in the individual mechanism.
- Security requirements are concerned with the confidentiality of K, and modification and replay detection.

5.1 Key Establishment Mechanism 1

In key establishment mechanism 1 the key K is derived from a time variant parameter TVP, e.g., a random number R, a time stamp T, or a sequence number N, using a key generating function. Key establishment mechanism 1 provides no authentication of the key K established by the mechanism. The mechanism requires that A is able to generate a TVP.

(1) A -> B: TVP

Figure 1 - Mechanism 1

Steps:

(1) A generates a random number R, a time stamp T, or a sequence number N and transfers it to B.

(1a) Both A and B then derive the key K by using a key generating function f with inputs the shared secret key KAB and the time variant parameter TVP: K = f(KAB, TVP). See Annex B for examples of possible key generating functions.

NOTE - To also provide authentication, key establishment mechanism 1 may be combined with an authentication mechanism as specified in 9798-2 or 9798-4. See annex B for an example.

5.2 Key Establishment Mechanism 2

In key establishment mechanism 2 the key K is supplied by entity A. The mechanism provides no authentication of the key K established by the mechanism nor does it provide entity authentication.

(1) A -> B: eKAB(F || Text1)

Figure 2 - Mechanism 2
Steps:

(1) A sends B the keying material F (key K and optional data) enciphered with KAB.

(1a) On receipt of the message, B deciphers the enciphered part and thus obtains the key K.

5.3 Key Establishment Mechanism 3

Key establishment mechanism 3 is derived from the one pass entity authentication mechanism of ISO/IEC 9798-2, clause 5.1.1. In this mechanism the key K is supplied by entity A. Key establishment mechanism 3 provides unilateral authentication, i.e., entity A is authenticated by the mechanism. Uniqueness/timeliness is controlled by time stamps or sequence numbers. The mechanism requires that both A and B are able to maintain mechanisms for generating or verifying the validity of time stamps T or sequence numbers N.

(1) A -> B: eKAB(T/N || B || F || Text1)

Figure 3 - Mechanism 3

Steps:

(1) A sends B a time stamp or sequence number T/N, the distinguishing identifier B, and the keying material F (key K and optional data). The inclusion of the distinguishing identifier B is optional. The data fields are enciphered with KAB.

(1a) On receipt of the message, B deciphers the enciphered part, checks the correctness of its distinguishing identifier, if present, checks the time stamp or sequence number, and obtains the key K.

NOTE - Distinguishing identifier B is included in step (1) to prevent a substitution attack, i.e., the re-use of this message by an adversary masquerading as B (see Annex A). In environments where such attacks cannot occur, the identifier may be omitted.

5.4 Key Establishment Mechanism 4

Key establishment mechanism 4 is derived from the two pass unilateral entity authentication mechanism of ISO/IEC 9798-2, clause 5.1.2. In this mechanism the key K is supplied by entity A. Key establishment mechanism 4 provides unilateral authentication, i.e., entity A is authenticated by the mechanism. Uniqueness/timeliness is controlled by a random number RB. The mechanism requires that B is able to generate random numbers.

(1) B -> A: RB
(2) A -> B: eKAB(RB || B || F || Text1)

Figure 4 - Mechanism 4

Steps:

(1) B sends A a random number RB.

(2) A sends B the received number RB, the distinguishing identifier B, and the keying material F (key K and optional data). The inclusion of the distinguishing identifier B is optional. The data fields are enciphered with KAB.

(2a) On receipt of message (2), B deciphers the enciphered part, checks the correctness of its distinguishing identifier, if present, checks that the random number RB, sent to A in step (1), was used in constructing message (2), and obtains the key K.

NOTE - Distinguishing identifier B is included in step (2) to prevent a substitution attack, i.e., the re-use of this message by an adversary masquerading as B (see Annex A). In environments where such attacks cannot occur, the identifier may be omitted.

5.5 Key Establishment Mechanism 5

Key establishment mechanism 5 is derived from the two pass mutual authentication mechanism of ISO/IEC 9798-2, clause 5.2.1. This mechanism enables both A and B to contribute part of the established key K. Key establishment mechanism 5 provides mutual authentication, i.e., both communicating entities are authenticated by the mechanism. Uniqueness/timeliness is controlled by time stamps or sequence numbers. The mechanism requires that both A and B are able to maintain mechanisms for generating and verifying the validity of time stamps T or sequence numbers N.

(1) A -> B: eKAB(TA/NA || B || FA || Text1)
(2) B -> A: eKAB(TB/NB || A || FB || Text2)

Figure 5 - Mechanism 5

Steps:

(1) A sends B a time stamp or sequence number TA/NA, the distinguishing identifier B, and the keying material FA. The inclusion of the distinguishing identifier B is optional. The data fields are enciphered with KAB.

(1a) On receipt of message (1), B deciphers the enciphered part, checks the correctness of its distinguishing identifier, if present, and checks the time stamp or sequence number.

(2) B sends A a time stamp or sequence number TB/NB, the distinguishing identifier A, and the keying material FB. The inclusion of the distinguishing identifier A is optional. The data fields are enciphered with KAB.

(2a) On receipt of message (2) A deciphers the enciphered part, checks the correctness of its distinguishing identifier, if present, and checks the time stamp or sequence number.

(2b) Both A and B derive the key K by using a key generating function f with inputs the secret keying material fields FA and FB: K = f(F

this process produces the translated key. The KTC then either

a) sends the translated key back to the originator who then forwards it to the ultimate recipient, or

b) forwards the translated key to the ultimate recipient directly.

In an environment where a KTC is used the originator shall have the ability to generate or ot
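
Key establishment mechanism 4 (clause 5.4), as an added example that is not text or code from ISO/IEC 11770-2: B's checks in step (2a) reject a replayed, misaddressed or modified message (2). The HMAC-SHA256 keystream cipher, the MAC used to meet assumption b) of clause 4, the field layout and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, iv, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    blocks = (_prf(key, iv + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encipher(k_ab, plaintext):
    # eKAB(Z) under assumption b): a MAC protects the enciphered data.
    k_enc, k_mac = _prf(k_ab, b"enc"), _prf(k_ab, b"mac")
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, iv, len(plaintext))))
    return iv + ct + _prf(k_mac, iv + ct)

def decipher(k_ab, blob):
    k_enc, k_mac = _prf(k_ab, b"enc"), _prf(k_ab, b"mac")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(k_mac, iv + ct)):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, iv, len(ct))))

def a_message2(k_ab, r_b, id_b, f):
    # (2) A -> B: eKAB(RB || B || F). Constructed layout: 16-byte RB,
    # 1-byte identifier length, identifier, then keying material F.
    return encipher(k_ab, r_b + bytes([len(id_b)]) + id_b + f)

def b_accept(k_ab, my_id, r_b_sent, blob):
    # (2a) B deciphers, checks its own RB and its identifier, obtains K.
    pt = decipher(k_ab, blob)
    if len(pt) < 17:
        raise ValueError("malformed message")
    r_b, id_len = pt[:16], pt[16]
    ident, f = pt[17:17 + id_len], pt[17 + id_len:]
    if not hmac.compare_digest(r_b, r_b_sent):
        raise ValueError("RB mismatch: replayed or stale message")
    if not hmac.compare_digest(ident, my_id):
        raise ValueError("identifier mismatch: not addressed to this entity")
    return f

if __name__ == "__main__":
    k_ab, r_b = secrets.token_bytes(32), secrets.token_bytes(16)  # (1) B -> A: RB
    k = b_accept(k_ab, b"B", r_b, a_message2(k_ab, r_b, b"B", secrets.token_bytes(16)))
    print("established key:", k.hex())
```

B must generate a fresh RB for every run and discard it after one use; reusing a challenge would let an old message (2) pass the check.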