    ANSI INCITS ISO IEC 9798-4-1999 Information technology Security techniques Entity authentication Part 4 Mechanisms using a cryptographic check function.pdf


INTERNATIONAL STANDARD ISO/IEC 9798-4
Second edition 1999-12-15
Reference number ISO/IEC 9798-4:1999(E)
© ISO/IEC 1999

Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function

Technologies de l'information - Techniques de sécurité - Authentification d'entité - Partie 4: Mécanismes utilisant une fonction cryptographique de vérification

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.
Date of ANSI Approval: 12/13/00
Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036

Copyright © 2002 by Information Technology Industry Council (ITI). All rights reserved.

These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005.

Printed in the United States of America

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

© ISO/IEC 1999

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 734 10 79
E-mail copyright@iso.ch
Web www.iso.ch

Printed in Switzerland

Contents

1 Scope
2 Normative references
3 Definitions and notation
4 Requirements
5 Mechanisms
5.1 Unilateral authentication
5.1.1 One pass authentication
5.1.2 Two pass authentication
5.2 Mutual authentication
5.2.1 Two pass authentication
5.2.2 Three pass authentication
Annex A Use of text fields

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9798 may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

International Standard ISO/IEC 9798-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC 9798-4:1995), which has been technically revised. Note, however, that implementations which comply with ISO/IEC 9798-4 (1st edition) will be compliant with ISO/IEC 9798-4 (2nd edition).

ISO/IEC 9798 consists of the following parts, under the general title Information technology - Security techniques - Entity authentication:

- Part 1: General
- Part 2: Mechanisms using symmetric encipherment algorithms
- Part 3: Mechanisms using digital signature techniques
- Part 4: Mechanisms using a cryptographic check function
- Part 5: Mechanisms using zero knowledge techniques

Further parts may follow.

Annex A of this part of ISO/IEC 9798 is for information only.

Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function

1 Scope

This part of ISO/IEC 9798 specifies entity authentication mechanisms using a cryptographic check function. Two mechanisms are concerned with the authentication of a single entity (unilateral authentication), while the remaining are mechanisms for mutual authentication of two entities.

The mechanisms specified in this part of ISO/IEC 9798 use time variant parameters such as time stamps, sequence numbers, or random numbers, to prevent valid authentication information from being accepted at a later time or more than once.

If a time stamp or sequence number is used, one pass is needed for unilateral authentication, while two passes are needed to achieve mutual authentication. If a challenge and response method employing random numbers is used, two passes are needed for unilateral authentication, while three passes are required to achieve mutual authentication.

Examples of cryptographic check functions are given in ISO/IEC 9797.

2 Normative references

The following normative documents contain provisions which, through reference in this text, constitute provisions of this part of ISO/IEC 9798. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this part of ISO/IEC 9798 are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards.

ISO/IEC 9797 (all parts), Information technology - Security techniques - Message Authentication Codes (MACs).

ISO/IEC 9798-1:1997, Information technology - Security techniques - Entity authentication - Part 1: General.

3 Definitions and notation

For the purposes of this part of ISO/IEC 9798, the definitions and notation described in ISO/IEC 9798-1 apply.

4 Requirements

In the authentication mechanisms specified in this part of ISO/IEC 9798 an entity to be authenticated corroborates its identity by demonstrating its knowledge of a secret authentication key. This is achieved by the entity using its secret key with a cryptographic check function applied to specific data to obtain a cryptographic check value. The cryptographic check value can be checked by anyone sharing the entity's secret authentication key, who can re-calculate the cryptographic check value and compare it with the value received.

The authentication mechanisms have the following requirements. If any one of these is not met then the authentication process may be compromised or it cannot be implemented.

a) A claimant authenticating itself to a verifier shares a common secret authentication key with that verifier. This key shall be known to the involved parties prior to the commencement of any particular run of an authentication mechanism. The method by which the key is distributed to the entities is beyond the scope of this part of ISO/IEC 9798.

b) The secret authentication key shared by a claimant and a verifier shall be known only to those two entities and, possibly, to other parties they both trust.

c) The strength of the mechanisms is dependent on the length and the secrecy of the key, on the nature of the cryptographic check functions, and on the length of the check value. These parameters shall be chosen to meet the required security level, as may be specified by the security policy.

5 Mechanisms

In these authentication mechanisms the entities A and B shall share a common secret authentication key $K_{AB}$ or two unidirectional secret keys $K_{AB}$ and $K_{BA}$ prior to the commencement of any particular run of the authentication mechanisms. In the latter case, the unidirectional keys $K_{AB}$ and $K_{BA}$ are used respectively for the authentication of A by B and of B by A.

The mechanisms require the use of time variant parameters such as time stamps, sequence numbers or random numbers. The properties of the time variant parameters are important for the security of these mechanisms. In particular, the parameters shall be chosen so that it shall be most unlikely for them to repeat within the lifetime of an authentication key. For additional information see annex B of ISO/IEC 9798-1.

The use of the text fields specified in the following mechanisms is outside the scope of this part of ISO/IEC 9798 (they may be empty), and will depend upon the specific application. See annex A for information on the use of text fields.

A text field may only be included in the input to the cryptographic check function if the verifier can determine it independently, e.g., if it is known in advance, sent in clear or can be derived from one or both of those sources.

5.1 Unilateral authentication

Unilateral authentication means that only one of the two entities is authenticated by use of the mechanism.

5.1.1 One pass authentication

In this authentication mechanism the claimant A initiates the process and is authenticated by the verifier B. Uniqueness/timeliness is controlled by generating and checking a time stamp or a sequence number (see annex B of ISO/IEC 9798-1).

The authentication mechanism is illustrated in figure 1.

[Figure 1: (1) A sends TokenAB to B; (2) processing at B.]

The form of the token (TokenAB), sent by the claimant A to the verifier B is:

$$\mathrm{Token}_{AB} = \frac{T_A}{N_A} \,\|\, \mathrm{Text2} \,\|\, f_{K_{AB}}\!\left(\frac{T_A}{N_A} \,\|\, B \,\|\, \mathrm{Text1}\right)$$

where the claimant A uses either a sequence number $N_A$ or a time stamp $T_A$ as the time variant parameter. The choice depends on the technical capabilities of the claimant and the verifier as well as on the environment. As defined in ISO/IEC 9798-1, $f_K(X)$ denotes the cryptographic check value computed by applying the cryptographic check function f to the data X using the key K.

The inclusion of the distinguishing identifier B in TokenAB is optional.

NOTE Distinguishing identifier B is included in TokenAB to prevent the re-use of TokenAB on entity A by an adversary masquerading as entity B. Its inclusion is made optional so that, in environments where such attacks cannot occur, it may be omitted.

The distinguishing identifier B may also be omitted if a unidirectional key is used.

(1) A generates and sends TokenAB to B.

(2) On receipt of the message containing TokenAB, B verifies TokenAB by checking the time stamp or the sequence number, calculating

$$f_{K_{AB}}\!\left(\frac{T_A}{N_A} \,\|\, B \,\|\, \mathrm{Text1}\right)$$

and comparing it with the cryptographic check value of the token, thereby verifying the correctness of the distinguishing identifier B, if present, as well as the time stamp or the sequence number.

5.1.2 Two pass authentication

In this authentication mechanism the claimant A is authenticated by the verifier B who initiates the process. Uniqueness/timeliness is controlled by generating and checking a random number $R_B$ (see annex B of ISO/IEC 9798-1).

The authentication mechanism is illustrated in figure 2.

[Figure 2: (1) B sends $R_B \,\|\, \mathrm{Text1}$ to A; (2) A sends TokenAB to B; (3) processing at B.]

The form of the token (TokenAB), sent by the claimant A to the verifier B is:

$$\mathrm{Token}_{AB} = \mathrm{Text3} \,\|\, f_{K_{AB}}\!\left(R_B \,\|\, B \,\|\, \mathrm{Text2}\right)$$

The inclusion of the distinguishing identifier B in TokenAB is optional.

NOTE Distinguishing identifier B is included in TokenAB to prevent a so-called reflection attack. Such an attack is characterised by the fact that an intruder reflects the challenge $R_B$ to B pretending to be A. The inclusion of the distinguishing identifier B is made optional so that, in environments where such attacks cannot occur, it may be omitted.

The distinguishing identifier B may also be omitted if a unidirectional key is used.

(1) B generates a random number $R_B$ and sends it and, optionally, a text field Text1 to A.

(2) A generates and sends TokenAB to B.

(3) On receipt of the message containing TokenAB, B verifies TokenAB by calculating

$$f_{K_{AB}}\!\left(R_B \,\|\, B \,\|\, \mathrm{Text2}\right)$$

and comparing it with the cryptographic check value of the token, thereby verifying the correctness of the distinguishing identifier B, if present, and that the random number $R_B$, sent to A in step (1), was used in constructing TokenAB.

5.2 Mutual authentication

Mutual authentication means that the two communicating entities are authenticated to each other by use of the mechanism.

The two mechanisms described in 5.1.1 and 5.1.2 are adapted in 5.2.1 and 5.2.2, respectively, to achieve mutual authentication. In both cases this requires one more pass and results in two more steps.

NOTE A third mechanism for mutual authentication can be constructed from two instances of the mechanism specified in 5.1.2, one started by entity A and the other by entity B.

5.2.1 Two pass authentication

In this authentication mechanism uniqueness/timeliness is controlled by generating and checking time stamps or sequence numbers (see annex B of ISO/IEC 9798-1).

The authentication mechanism is illustrated in figure 3.

[Figure 3: (1) A sends TokenAB to B; (2) processing at B; (3) B sends TokenBA to A; (4) processing at A.]

The form of the token (TokenAB), sent by A to B, is identical to that specified in 5.1.1.

$$\mathrm{Token}_{AB} = \frac{T_A}{N_A} \,\|\, \mathrm{Text2} \,\|\, f_{K_{AB}}\!\left(\frac{T_A}{N_A} \,\|\, B \,\|\, \mathrm{Text1}\right)$$

The form of the token (TokenBA), sent by B to A, is:

$$\mathrm{Token}_{BA} = \frac{T_B}{N_B} \,\|\, \mathrm{Text4} \,\|\, f_{K_{AB}}\!\left(\frac{T_B}{N_B} \,\|\, A \,\|\, \mathrm{Text3}\right)$$

The inclusion of the distinguishing identifier B in TokenAB and the inclusion of the distinguishing identifier A in TokenBA are (independently) optional.

NOTE 1 Distinguishing identifier B is included in TokenAB to prevent the re-use of TokenAB on entity A by an adversary masquerading as entity B. For similar reasons the distinguishing identifier A is present in TokenBA. Their inclusion is made optional so that, in environments where such attacks cannot occur, one or both may be omitted.

