1、BSI Standards PublicationBS ISO/IEC 20009-2:2013Information technology Security techniques Anonymous entityauthenticationPart 2: Mechanisms based on signaturesusing a group public keyBS ISO/IEC 20009-2:2013 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC200
2、09-2:2013.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contra
3、ct. Users are responsible for its correctapplication. The British Standards Institution 2013. Published by BSI StandardsLimited 2013ISBN 978 0 580 73394 9ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority
4、of theStandards Policy and Strategy Committee on 31 December 2013.Amendments issued since publicationDate Text affectedBS ISO/IEC 20009-2:2013Information technology Security techniques Anonymous entity authentication Part 2: Mechanisms based on signatures using a group public keyTechnologies de linf
5、ormation Techniques de scurit - Authentification anonyme dentit Partie 2: Mcanismes fonds sur des signatures numriques utilisant une cl publique de groupe ISO/IEC 2013INTERNATIONAL STANDARDISO/IEC20009-2First edition2013-12-01Reference numberISO/IEC 20009-2:2013(E)BS ISO/IEC 20009-2:2013ISO/IEC 2000
6、9-2:2013(E)ii ISO/IEC 2013 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the
7、 internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb
8、www.iso.orgPublished in SwitzerlandBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Symbols and abbreviated terms . 35 General model and requirements. 46 Key genera
9、tion process . 57 Mechanisms without an online TTP . 67.1 Introduction 67.2 Unilateral anonymous authentication 77.3 Mutual anonymous authentication . 97.4 Unilateral-anonymous mutual authentication .127.5 Mutual anonymous authentication with binding-property 157.6 Unilateral-anonymous mutual authen
10、tication with binding-property .218 Mechanisms involving an online TTP 288.1 Introduction . 288.2 Unilateral anonymous authentication . 288.3 Mutual anonymous authentication 318.4 Unilateral-anonymous mutual authentication .359 The group membership opening process 449.1 General 449.2 The evidence ev
11、aluation process . 4510 The group signature linking process 4510.1 General 4510.2 Linking process with opener . 4510.3 Linking process with linking key 4610.4 Linking process with linking base . 46Annex A (normative) Object identifiers .47Annex B (informative) Information on mechanisms with binding-
12、property 49Bibliography .51BS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
13、participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, govern
14、mental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part
15、 2.The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bo
16、dies casting a vote.ISO/IEC 20009-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.ISO/IEC 20009 consists of the following parts, under the general title Information technology Security techniques Anonymous entity authentic
17、ation : Part 1: General Part 2: Mechanisms based on signatures using a group public keyMechanisms based on blind signatures and Mechanisms based on weak secrets will form the subjects of future Parts 3 and 4, respectively.Further parts may follow.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-2
18、:2013ISO/IEC 20009-2:2013(E)IntroductionAnonymous entity authentication is a special type of entity authentication. In an anonymous entity authentication mechanism, given a message that was generated during the authentication protocol, an unauthorized entity cannot discover the identifier of the ent
19、ity being authenticated (the claimant). At the same time, an authorized verifier can obtain assurance that the claimant is authentic. However, even an authorized verifier may not be authorized to learn the identifier of the entity being authenticated.The anonymous entity authentication mechanisms sp
20、ecified in this part of ISO/IEC 20009 are based on anonymous signatures using a group public key, discussed in ISO/IEC 20008-2. An anonymous signature using a group public key is sometimes simply known as a group signature. A group signature has the following properties. Only group members are able
21、to correctly sign messages. The verifier can verify that it is a valid group signature, but cannot discover which group member generated it. Optionally, the signature can be “linked” or “opened”.The anonymous entity authentication mechanisms specified in this part of ISO/IEC 20009 involve the follow
22、ing basic operations. An entity (verifier) which wants to authenticate another entity (claimant) interacts with the claimant. The claimant sends a token (and optionally a group public key certificate) to the verifier. The verifier confirms the validity of the provided token (and optionally the group
23、 public key certificate).One of the major differences between a (conventional) entity authentication mechanism based on (conventional) digital signatures and an anonymous entity authentication mechanism based on signatures using a group public key is the nature of the digital signature scheme used t
24、o produce tokens and to provide confirmation of messages that were generated during the authentication protocol. Another difference is that, for an anonymous authentication mechanism, the claimant belongs to a group, and authentication is conducted with respect to this group. Authentication mechanis
25、ms require associated methods to manage the relationship between an entity and a group; for example, how an entity joins the group, how its activity can be linked, and how it can be later identified must all be specified. Thus, this standard specifies methods for issuing, linking and opening.The Int
26、ernational Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of patents.ISO and IEC take no position concerning the evidence, validity and scope of these pate
27、nt rights.The holders of these patent right have ensured the ISO and IEC that they are willing to negotiate licences either free of charge or under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these pat
28、ent rights are registered with ISO and IEC. Information may be obtained from: Electronics and Telecommunications Research Institute (ETRI) 161, Gajeong-dong, Yuseong-gu, Daejeon, 305-700, KOREA China IWNCOMM Co., LTD. A201,QinFeng Ge, Xian Software Park, No.68 KeJi 2nd Road, Xian Hi-tech Industrial
29、Development Zone, Shaanxi, P.R.China 710075Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 2013 All
30、 rights reserved vBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E)ISO (www.iso.org/patents) and IEC (http:/patents.iec.ch) maintain online databases of patents relevant to their standards. Users are encouraged to consult the databases for the most up to date information concerning patents.vi ISO/IEC 2
31、013 All rights reservedBS ISO/IEC 20009-2:2013INTERNATIONAL STANDARD ISO/IEC 20009-2:2013(E)Information technology Security techniques Anonymous entity authentication Part 2: Mechanisms based on signatures using a group public key1 ScopeThis part of ISO/IEC 20009 specifies anonymous entity authentic
32、ation mechanisms based on signatures using a group public key in which a verifier verifies a group signature scheme to authenticate the entity with which it is communicating, without knowing this entitys identity.This part of ISO/IEC 20009 provides a general description of an anonymous entity authen
33、tication mechanism based on signatures using a group public key; a variety of mechanisms of this type.This part of ISO/IEC 20009 describes the group membership issuing processes; anonymous authentication mechanisms without an online Trusted Third Party (TTP); anonymous authentication mechanisms invo
34、lving an online TTP.Furthermore, this part of ISO/IEC 20009 also specifies the group membership opening process (optional); the group signature linking process (optional).2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispens
35、able for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 20008-1, Information technology Security techniques Anonymous digital signatures Part 1: GeneralISO/IEC 200
36、08-2, Information technology Security techniques Anonymous digital signature Part 2: Mechanisms using a group public keyISO/IEC 20009-1, Information technology Security techniques Anonymous entity authentication Part 1: General3 Terms and definitionsFor the purposes of this document, the terms and d
37、efinitions given in ISO/IEC 20008-1, ISO/IEC 20009-1, and the following apply. ISO/IEC 2013 All rights reserved 1BS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E)3.1binding-propertyproperty providing assurance for binding between the messages of a communicating entity3.2certification authorityentity tr
38、usted to create and assign public key certificatesSOURCE: ISO/IEC 11770-1:20103.3ephemeral key pairasymmetric key pair consisting of an ephemeral public key and an ephemeral private key that are used as a temporary key and are unique for each execution of a cryptographic scheme3.4group public key ce
39、rtificategroup public key information of a group signed by the group public key certification authority3.5group public key certification authorityentity trusted to create and assign group public key certificates3.6group public key informationinformation containing at least the groups identifier and
40、group public key, but which can include other static information regarding the group public key certification authority, the group, restrictions on key usage, the validity period, or the involved algorithms3.7key derivation functionfunction that outputs one or more shared secrets, for use as keys, g
41、iven shared secrets and other mutually known parameters as inputSOURCE: ISO/IEC 11770-3:20083.8local linking capabilitylinking capability with a feature that two or more signatures from same anonymous user are linked only by a specific group signature linker with linking key, but other entities cann
42、ot link the signatures3.9message authentication code (MAC)string of bits which is the output of a MAC algorithmSOURCE: ISO/IEC 9797-1:20113.10message authentication code (MAC) algorithmalgorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits sati
43、sfying the following two properties: for any key and any input string, the function can be computed efficiently; for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the function value on any new input string, even given knowledge of the set of inpu
44、t strings and corresponding function values, where the value of the i th input string may have been chosen after observing the value of the first i 1 function valuesSOURCE: ISO/IEC 9797-1:20112 ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-2:2013ISO/IEC 20009-2:2013(E)3.11public key certificatepu
45、blic key information of an entity signed by the certification authoritySOURCE: ISO/IEC 11770-1:20103.12public key informationinformation containing at least the entitys distinguishing identifier and public key, but which can include other static information regarding the certification authority, the
46、 entity, restrictions on key usage, the validity period, or the involved algorithmsSOURCE: ISO/IEC 11770-1:20104 Symbols and abbreviated termsFor the purposes of this part of ISO/IEC 20009, the following symbols and abbreviations apply.A, B distinguishing identifier of entity A or BCertA, CertBpubli
47、c key certificate of entity A or BCertGgroup public key certificate of the group GG, G distinguishing identifier of the group G or GG cyclic group of order q in which the decisional Diffie-Hellman (DDH) problem is hardg generator of GgsSXG(m) anonymous signature using a group public key created by e
48、ntity X applying one of group signature mechanisms specified in ISO/IEC 20008-2 on message-to-be-signed m using the group member signature key SXGkdf key derivation functionIGidentity of group G which is either G or CertGIXidentity of entity X which is either X or CertXm message-to-be-signedMAC Mess
49、age Authentication CodeMAC output value of a MAC algorithmmacK(M) MAC algorithm using the secret key K and an arbitrary data string MNXsequence number issued by entity XPA, PBpublic key of entity A or BPGgroup public key of a group Gq prime numberResA, ResBresult of verifying a public key or a public key certificate of entity A or BResGresult of verifying a group public key or a group public key certificate for the group GRXrandom number issued by entity X ISO/IEC 2013 All
