1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationBS ISO 16609:2012Financial services Requirements for messageauthentication using symmetrictechniquesBS ISO 16609:2012 BRITISH STANDARDNational forewordThis British Standard is th
2、e UK implementation of ISO 16609:2012. Itsupersedes BS ISO 16609:2004 which is withdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/12, Financial services.A list of organizations represented on this committee can beobtained on request to its secretary.This public
3、ation does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2012. Published by BSI StandardsLimited 2012ISBN 978 0 580 72179 3ICS 35.240.40Compliance with a British Standard cannot confer immunity fr
4、omlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 March 2012.Amendments issued since publicationDate Text affectedBS ISO 16609:2012 ISO 2012Financial services Requirements for message authentication using symmetric techniq
5、uesServices financiers Exigences pour lauthentification des messages utilisant des techniques symtriquesINTERNATIONAL STANDARDISO16609Second edition2012-03-15Reference numberISO 16609:2012(E)BS ISO 16609:2012ISO 16609:2012(E)ii ISO 2012 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2012All rig
6、hts reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of th
7、e requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandBS ISO 16609:2012ISO 16609:2012(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of na
8、tional standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. Intern
9、ational organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.International Standards are drafted in accordance with the r
10、ules given in the ISO/IEC Directives, Part 2.The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at
11、 least 75 % of the member bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.ISO 16609 was prepared by Technical Committee ISO/TC 6
12、8, Financial services, Subcommittee SC 2, Financial services, security.This second edition cancels and replaces the first edition (ISO 16609:2004), which has been technically revised. ISO 2012 All rights reserved iiiBS ISO 16609:2012ISO 16609:2012(E)IntroductionA MAC (message authentication code) is
13、 a data field used to verify the authenticity of a message, generated by the sender of the message and transmitted together with it. The MAC enables an intended recipient to detect whether the message has been altered. While non-keyed message integrity methods, e.g. checksums, only protect against a
14、ccidental alteration of the message, MACs additionally protect against deliberate alteration since the adversary would not have access to the key used to generate the MAC.This International Standard has been prepared so that institutions involved in financial services activities wishing to implement
15、 message authentication can do so in a manner that is secure and facilitates interoperability between separate implementations.This International Standard identifies ciphers, hash functions and algorithms from ISO 9797 (all parts) that are specifically approved for secure banking purposes.iv ISO 201
16、2 All rights reservedBS ISO 16609:2012Financial services Requirements for message authentication using symmetric techniques1 ScopeThis International Standard specifies procedures, independent of the transmission process, for protecting the integrity of transmitted banking messages and for verifying
17、that a message has originated from an authorized source. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods it defines are applicable to messages formatted and transmitted both as coded character sets and as binary
18、 data.This International Standard is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key, nor does it provide for encipherment for the protection of messages against unauthorized disclosure. Its appli
19、cation will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.2 Normative referencesThe following referenced documents are indispensable for the application of this document. For dated references, only the edition cite
20、d applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 9797-1:2011, Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block cipherISO/IEC 9797-2, Information technology Securi
21、ty techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a hash-functionISO 11568-1, Banking Key management (retail) Part 1: PrinciplesISO 11568-2, Financial services Key management (retail) Part 2: Symmetric ciphers, their key management and life cycle3 Terms and definitionsFor th
22、e purposes of this document, the following terms and definitions apply.3.1algorithmspecified mathematical process for computation or set of rules which, if followed, will give a prescribed result3.2authenticationprocess used between a sender and a receiver to ensure data integrity and provide data o
23、rigin authentication3.3authentication algorithmalgorithm used, together with an authentication key and one or more authentication elements, for authentication3.4authentication elementmessage element that is to be protected by authenticationINTERNATIONAL STANDARD ISO 16609:2012(E) ISO 2012 All rights
24、 reserved 1BS ISO 16609:2012ISO 16609:2012(E)3.5authentication keycryptographic key used for authentication3.6beneficiaryultimate party to be credited or paid as a result of a transferNOTE There can be more than one beneficiary.3.7block cipheralgorithm for computing a function which maps a fixed-len
25、gth string of bits and a secret key to another string of bits with the same fixed length3.8checksumfixed-length string of bits calculated from a message of arbitrary length, such that it is unlikely that a change of one or more bits in the message will produce the same string of bits, thereby aiding
26、 detection of accidental modification3.9cryptoperioddefined period of time during which a specific cryptographic key is authorized for use or during which the cryptographic keys in a given system may remain in effect3.10data integrityproperty pertaining to data that has not been altered or destroyed
27、 in an unauthorized manner3.11DMCdate MAC computeddate on which the sender computed the MAC (message authentication code)NOTE The DMC can be used to synchronize the authentication process through selection of the proper key.3.12data origin authenticationcorroboration that the source of data received
28、 is as claimed3.13encipherment(reversible) transformation of data by a cryptographic algorithm with a cryptographic key in order to produce ciphertext, i.e. to hide the information content of the data3.14identifier for authentication key IDAfield that identifies the key to be used in authenticating
29、the message3.15MACmessage authentication codefixed-length string of bits used to verify the authenticity of a message, generated by the sender of the message, transmitted together with the message, and verified by the receiver of the message3.16MAC algorithmkeyed cryptographic algorithm that produce
30、s a fixed-length string of bits (the MAC) from a message of arbitrary length, such that it is not feasible to compute the MAC without knowledge of the key2 ISO 2012 All rights reservedBS ISO 16609:2012ISO 16609:2012(E)3.17message elementcontiguous group of bytes designated for a specific purpose3.18
31、MIDmessage identifiersystems trace audit number (deprecated)field used uniquely to identify a financial message or transaction (e.g. sending banks transaction reference) within a given context (e.g. DMC)NOTE In ISO 8583, the MID was referred to as the systems trace audit number (STAN), which it supe
32、rsedes.3.19message textinformation conveyed or transmitted between sender and receiver, excluding header and trailer information used for transmission purposes3.20receiverparty intended to receive the message3.21senderparty responsible for, and authorized to, send a message3.22value datedate on whic
33、h funds are to be at the disposal of the beneficiary4 Protection4.1 Protection of authentication keysAuthentication keys are secret cryptographic keys that have been previously established by the sender and receiver and which are used by the authentication algorithm. Keys shall be managed in accorda
34、nce with ISO 11568-1 and ISO 11568-2.4.2 Authentication elementsThe MAC calculation shall include those message elements, as agreed between sender and receiver, which require protection against fraudulent alteration.Subject to bilateral agreement, the MAC calculation may also cover data elements not
35、 transmitted in the message (e.g. padding bits or data computable by both parties from information already shared).The choice of data to be included in the MAC will depend on the specific application. When the following elements appear in a message, they should be included in the calculation of the
36、MAC:a) transaction amount;b) currency;c) identifier for authentication key (IDA);d) identification of payer and beneficiary and/or, if appropriate, their payment agents value date;e) message identifier;f) date and time; ISO 2012 All rights reserved 3BS ISO 16609:2012ISO 16609:2012(E)g) indication as
37、 to the disposition of the transaction.NOTE Integrity protection applies only to the selected authentication elements. Other parts of the message can be subject to undetected alterations. It is important that users ensure the integrity of data presentation.4.3 Detection of duplication, loss or seque
38、nce errorsA mechanism should be implemented to detect duplication or loss, or messages arriving out of sequence. Without recourse to further message exchanges, the recipient may only detect the replay of a previous transaction if able to identify transactions uniquely, and should then check that suc
39、h unique identifying information has not already occurred. To detect sequence errors, messages should be identifiable as being in a sequence. Furthermore, in order to detect loss, transactions should be identifiable as being in a defined sequence, predictable by the recipient. These conditions are a
40、chieved by involving in the MAC computation some elements (i.e. message elements or key elements) that are unique to the transaction and that relate it uniquely to the previous transaction. This may be achieved in one of the following ways.a) Include in the MAC calculation a unique transaction refer
41、ence that does not repeat within the lifetime of the system. To detect loss, the reference would need to change in a defined sequence that is known by the recipient who calculates this value and compares it to the received value.EXAMPLE The reference will include sender ID, recipient ID, key ID and
42、transaction number, where the transaction number increases by one for each transaction.b) Include in the MAC calculation a MID, i.e. a value that does not repeat before either the change of date, i.e. DMC (usable if the date is included in MAC elements), or the expiration of the cryptoperiod of the
43、key used for authentication.The MID may consist of a unique sending banks transaction reference number in a fixed format message as a message identifier. A method of protection is described in Annex A. The MID may either contain the DMC or be a separate field. To simplify detection of loss, the MID
44、could increase in a defined sequence.c) Use a unique key per transaction where the key of one transaction is derived from that of the previous transaction (see ISO 11568-2).d) Combine the above techniques.5 Procedures for message authentication5.1 MAC generationThe sender of a message shall generate
45、 a MAC by processing in an agreed order (e.g. the sequence in which they appear in the message) those authentication elements of the transmitted message that are to be protected by an approved authentication mechanism (see 4.2). The mechanism shall be activated by means of an authentication key, whi
46、ch is a secret between the two correspondents. This process creates the MAC, which shall then be included with the original message text.5.2 MAC placementThe MAC shall be eithera) placed in the message, in an additional field specified for the transport of the MAC, orb) appended to the data portion
47、of the message, if there is no specified MAC field.Where the field allocated has a length, for transport, greater than the MAC length, the MAC shall be positioned by left-justifying it within the field.4 ISO 2012 All rights reservedBS ISO 16609:2012ISO 16609:2012(E)5.3 MAC verificationOn receipt of
48、the message, the receiver shall compute a reference MAC using the authentication elements, an identical authentication key and an identical algorithm. Authenticity of the content of the authentication elements and the message source shall be considered to have been confirmed when the receivers compu
49、ted reference MAC agrees with that received with the message text.A received MAC is not included in the algorithm computation.The process of generating the MAC is sensitive to the sequence in which the authentication elements are processed (i.e. a change in the sequence of authentication elements after the MAC is generated will result in a failure to authenticate).5.4 Approved authentication mechanisms based on ISO/IEC 97975.4.1 GeneralThe MAC algorithm shall be one of those specified in ISO/IEC 9797-1 or ISO/IEC 9797-2.5.4.2