ANSI INCITS ISO IEC 9798-1-1997 Information technology Security techniques Entity authentication Part 1 General.pdf


ANSI/INCITS/ISO/IEC 9798-1:1997 [2008] (ISO/IEC 9798-1:1997, IDT)
Information technology - Security techniques - Entity authentication - Part 1: General

ii  ITIC 2008  All rights reserved

PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 7/2/2008. Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036. Copyright 2008 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America.

AMERICAN NATIONAL STANDARD
Information technology - Security techniques - Entity authentication - Part 1: General

1 Scope

This part of ISO/IEC 9798 specifies an authentication model and general requirements and constraints for entity authentication mechanisms which use security techniques. These mechanisms are used to corroborate that an entity is the one that is claimed. An entity to be authenticated proves its identity by showing its knowledge of a secret. The mechanisms are defined as exchanges of information between entities, and where required, exchanges with a trusted third party.

The details of the mechanisms and the contents of the authentication exchanges are not specified in this part of ISO/IEC 9798 but in the subsequent parts.

Certain of the mechanisms specified in subsequent parts of ISO/IEC 9798 can be used to help provide non-repudiation services, mechanisms for which are specified in ISO/IEC 13888. The provision of non-repudiation services is beyond the scope of ISO/IEC 9798.

2 Normative references

The following standards contain provisions which, through reference in this text, constitute provisions of this part of ISO/IEC 9798. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this part of ISO/IEC 9798 are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.
ISO/IEC 9594-8:1995, Information technology - Open Systems Interconnection - The Directory - Part 8: Authentication framework.
ISO/IEC 10181-2:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework.
ISO/IEC 13888-1 (to be published), Information technology - Security techniques - Non-repudiation - Part 1: General.

3 Definitions

3.1 ISO/IEC 9798 makes use of the following general security-related terms defined in ISO 7498-2:

3.1.1 cryptographic check value: information which is derived by performing a cryptographic transformation on the data unit.
3.1.2 masquerade: the pretence by an entity to be a different entity.
3.1.3 digital signature (signature): data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient.

3.2 ISO/IEC 9798 makes use of the following general security-related terms defined in ISO/IEC 10181-2:

3.2.1 claimant: an entity which is or represents a principal for the purposes of authentication. A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal.
3.2.2 principal: an entity whose identity can be authenticated.
3.2.3 trusted third party: a security authority or its agent, trusted by other entities with respect to security-related activities. In the context of ISO/IEC 9798, a trusted third party is trusted by a claimant and/or a verifier for the purposes of authentication.
3.2.4 verifier: an entity which is or represents the entity requiring an authenticated identity. A verifier includes the functions necessary for engaging in authentication exchanges.

3.3 For the purposes of ISO/IEC 9798 the following definitions apply:

3.3.1 asymmetric cryptographic technique: a cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation.
NOTE - A system based on asymmetric cryptographic techniques can either be an encipherment system, a signature system, a combined encipherment and signature system, or a key agreement system. With asymmetric cryptographic techniques there are four elementary transformations: sign and verify for signature systems, encipher and decipher for encipherment systems. The signature and decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformation are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, since this is not the general case, throughout ISO/IEC 9798 the four elementary transformations and the corresponding keys are kept separate.
3.3.2 asymmetric encipherment system: a system based on asymmetric cryptographic techniques whose public transformation is used for encipherment and whose private transformation is used for decipherment.
3.3.3 asymmetric key pair: a pair of related keys where the private key defines the private transformation and the public key defines the public transformation.
3.3.4 asymmetric signature system: a system based on asymmetric cryptographic techniques whose private transformation is used for signing and whose public transformation is used for verification.
3.3.5 challenge: a data item chosen at random and sent by the verifier to the claimant, which is used by the claimant, in conjunction with secret information held by the claimant, to generate a response which is sent to the verifier.
3.3.6 ciphertext: data which has been transformed to hide its information content.
3.3.7 cryptographic check function: a cryptographic transformation which takes as input a secret key and an arbitrary string, and which gives a cryptographic check value as output. The computation of a correct check value without knowledge of the secret key shall be infeasible.
3.3.8 decipherment: the reversal of a corresponding encipherment.
3.3.9 distinguishing identifier: information which unambiguously distinguishes an entity.
3.3.10 encipherment: the (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the information content of the data.
3.3.11 entity authentication: the corroboration that an entity is the one claimed.
3.3.12 interleaving attack: a masquerade which involves use of information derived from one or more ongoing or previous authentication exchanges.
3.3.13 key: a sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature generation, or signature verification).
3.3.14 mutual authentication: entity authentication which provides both entities with assurance of each other's identity.
3.3.15 plaintext: unenciphered information.
3.3.16 private decipherment key: private key which defines the private decipherment transformation.
3.3.17 private key: that key of an entity's asymmetric key pair which should only be used by that entity.
NOTE - In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric encipherment system the private key defines the decipherment transformation.
3.3.18 private signature key: private key which defines the private signature transformation.
NOTE - This is sometimes referred to as a secret signature key.
3.3.19 public encipherment key: public key which defines the public encipherment transformation.
3.3.20 public key: that key of an entity's asymmetric key pair which can be made public.
NOTE - In the case of an asymmetric signature system the public key defines the verification transformation. In the case of an asymmetric encipherment system the public key defines the encipherment transformation. A key that is publicly known is not necessarily globally available. The key may only be available to all members of a pre-specified group.
3.3.21 public key certificate (certificate): the public key information of an entity signed by the certification authority and thereby rendered unforgeable (see also Annex C).
3.3.22 public key information: information specific to a single entity and which contains at least the entity's distinguishing identifier and at least one public key for this entity. There may be other information regarding the certification authority, the entity, and the public key included in the public key information, such as the validity period of the public key, the validity period of the associated private key, or the identifier of the involved algorithms (see also Annex C).
3.3.23 public verification key: public key which defines the public verification transformation.
3.3.24 random number: a time variant parameter whose value is unpredictable (see also Annex B).
3.3.25 reflection attack: a masquerade which involves sending a previously transmitted message back to its originator.
3.3.26 replay attack: a masquerade which involves use of previously transmitted messages.
3.3.27 sequence number: a time variant parameter whose value is taken from a specified sequence which is non-repeating within a certain time period (see also Annex B).
3.3.28 symmetric cryptographic technique: a cryptographic technique that uses the same secret key for both the originator's and the recipient's transformation. Without knowledge of the secret key, it is computationally infeasible to compute either the originator's or the recipient's transformation.
3.3.29 symmetric encipherment algorithm: an encipherment algorithm that uses the same secret key for both the originator's and the recipient's transformation.
3.3.30 time stamp: a time variant parameter which denotes a point in time with respect to a common reference (see also Annex B).
3.3.31 time variant parameter: a data item used to verify that a message is not a replay, such as a random number, a sequence number, or a time stamp (see also Annex B).
3.3.32 token: a message consisting of data fields relevant to a particular communication and which contains information that has been transformed using a cryptographic technique.
3.3.33 unilateral authentication: entity authentication which provides one entity with assurance of the other's identity but not vice versa.

4 Notation

Throughout ISO/IEC 9798 the following notation is used:

A: the distinguishing identifier of entity A.
B: the distinguishing identifier of entity B.
TP: the distinguishing identifier of the trusted third party.
KXY: a secret key shared between entities X and Y, used only in symmetric cryptographic techniques.
PX: a public verification key associated with entity X, used only in asymmetric cryptographic techniques.
SX: a private signature key associated with entity X, used only in asymmetric cryptographic techniques.
NX: a sequence number issued by entity X.
RX: a random number issued by entity X.
TX: a time stamp issued by entity X.
TX/NX: a time variant parameter originated by entity X which is either a time stamp TX or a sequence number NX.
Y || Z: the result of the concatenation of the data items Y and Z in that order.
eK(Z): the result of the encipherment of data Z with a symmetric encipherment algorithm using the key K.
dK(Z): the result of the decipherment of data Z with a symmetric encipherment algorithm using the key K.
fK(Z): a cryptographic check value which is the result of applying the cryptographic check function f using as input a secret key K and an arbitrary data string Z.
CertX: a trusted third party's certificate for entity X.
TokenXY: a token sent from entity X to entity Y.
TVP: a time variant parameter.
sSX(Z): the signature resulting from applying the private signature transformation on data Z using the private signature key SX.

5 Authentication model

The general model for entity authentication mechanisms is shown in Figure 1. It is not essential that all the entities and exchanges are present in every authentication mechanism.

For the authentication mechanisms specified in the other parts of ISO/IEC 9798, for unilateral authentication, entity A is considered the claimant, and entity B is considered the verifier. For mutual authentication, A and B each take the roles of both claimant and verifier.

For authentication purposes, the entities generate and exchange standardised messages, called tokens. It takes the exchange of at least one token for unilateral authentication and the exchange of at least two tokens for mutual authentication. An additional p
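The following is an added worked illustration of the notation of clause 4 and of the definitions in clause 3 (challenge 3.3.5, cryptographic check function 3.3.7, random number 3.3.24, reflection attack 3.3.25, replay attack 3.3.26, token 3.3.32). It is example code written for this page, not text or code of the standard: Part 1 specifies no mechanism, so the token layout TokenAB = RB || B || fKAB(RB || B), the choice of HMAC-SHA-256 as the check function f, the length-prefixed encoding of "||", and the key and identifier values are all assumptions of this example. It shows a verifier B issuing a random-number challenge to a claimant A and then accepting the token only if it answers a live challenge, names B as the intended verifier, and carries a correct check value; the verdicts for a replayed token and for a token built for a different verifier show what the time variant parameter and the identifier field buy the verifier.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret K_AB ("KXY: a secret key shared between entities X and Y").
K_AB = b"constructed example key shared by A and B"


def f(K: bytes, Z: bytes) -> bytes:
    """fK(Z): cryptographic check function (3.3.7). HMAC-SHA-256 is an assumption of
    this example; Part 1 does not fix the function."""
    return hmac.new(K, Z, hashlib.sha256).digest()


def concat(*items: bytes) -> bytes:
    """Y || Z: concatenation of data items in order. Each item is length-prefixed
    (2-byte big-endian) so the receiver can split the fields unambiguously."""
    return b"".join(len(item).to_bytes(2, "big") + item for item in items)


def split(data: bytes) -> list[bytes]:
    """Inverse of concat(); raises ValueError on malformed input."""
    fields, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos:pos + n])
        pos += n
    return fields


def claimant_token(K: bytes, R_B: bytes, B: bytes) -> bytes:
    """TokenAB = RB || B || fK(RB || B): claimant A answers verifier B's challenge RB.
    Carrying B's distinguishing identifier binds the token to this verifier."""
    return concat(R_B, B, f(K, concat(R_B, B)))


class Verifier:
    """Entity B acting as verifier (3.2.4) in a unilateral authentication of A."""

    def __init__(self, ident: bytes, K: bytes):
        self.ident = ident
        self.K = K
        self.outstanding: set[bytes] = set()  # challenges issued and not yet answered

    def challenge(self) -> bytes:
        """RB: a random number (3.3.24) used as the time variant parameter (3.3.31)."""
        R_B = secrets.token_bytes(16)
        self.outstanding.add(R_B)
        return R_B

    def verify(self, token: bytes) -> bool:
        """Accept TokenAB only if it answers a live challenge, names this verifier,
        and carries a check value computed under K_AB."""
        try:
            R_B, B, check = split(token)
        except ValueError:
            return False
        if R_B not in self.outstanding:
            return False  # unknown or already-consumed RB: a replay (3.3.26)
        if B != self.ident:
            return False  # token built for another verifier: a reflection (3.3.25)
        if not hmac.compare_digest(check, f(self.K, concat(R_B, B))):
            return False  # wrong key or altered fields
        self.outstanding.discard(R_B)  # each challenge is answered at most once
        return True


def run_exchange(K_claimant: bytes = K_AB, B_ident: bytes = b"B") -> tuple[bool, bool]:
    """One challenge/response exchange, then a replay of the same token.
    Returns the verifier's verdict on the first presentation and on the replay."""
    B = Verifier(b"B", K_AB)
    R_B = B.challenge()
    token = claimant_token(K_claimant, R_B, B_ident)
    return B.verify(token), B.verify(token)


if __name__ == "__main__":
    print("honest exchange, then replay:", run_exchange())                     # (True, False)
    print("token naming the wrong verifier:", run_exchange(B_ident=b"A"))      # (False, False)
    print("token made with the wrong key:", run_exchange(K_claimant=b"wrong"))  # (False, False)
```

The verifier keeps only the set of challenges it has issued and not yet seen answered, which is what makes the random number a usable time variant parameter: a token is accepted once per challenge and never for a value the verifier did not originate. The identifier field is checked before the check value so that a token computed under the correct key but intended for another verifier is rejected outright.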
