CAN/CSA-ISO/IEC 18031:13 (ISO/IEC 18031:2011, IDT)
Information technology – Security techniques – Random bit generation
National Standard of Canada
NOT FOR RESALE.

Legal Notice for Standards

Canadian Standards Association (operating as "CSA Group") develops standards through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA Group administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.

Disclaimer and exclusion of liability

This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document's fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party's intellectual property rights. CSA Group does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA Group makes no representations or warranties regarding this document's compliance with any applicable statute, rule, or regulation. IN NO EVENT SHALL CSA GROUP, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA GROUP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.

In publishing and making this document available, CSA Group is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA Group accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document. CSA Group is a private not-for-profit company that publishes voluntary standards and related documents. CSA Group has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.

Intellectual property rights and ownership

As between CSA Group and the users of this document (whether it be in printed or electronic form), CSA Group is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA Group's and/or others' intellectual property and may give rise to a right in CSA Group and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA Group reserves all intellectual property rights in this document.

Patent rights

Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA Group shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility.

Authorized use of this document

This document is being provided by CSA Group for informational and non-commercial use only. The user of this document is authorized to do only the following:

If this document is in electronic form:
- load this document onto a computer for the sole purpose of reviewing it;
- search and browse this document; and
- print this document if it is in [...]

[...] this remains the continuing responsibility of the SDO. An NSC reflects a consensus of a number of capable individuals whose collective interests provide, to the greatest practicable extent, a balance of representation of general interests, producers, regulators, users (including consumers), and others with relevant interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest.

Those who have a need to apply standards are encouraged to use NSCs. These standards are subject to periodic review. Users of NSCs are cautioned to obtain the latest edition from the SDO which publishes the standard.

The responsibility for approving standards as National Standards of Canada rests with the
Standards Council of Canada
270 Albert Street, Suite 200
Ottawa, Ontario, K1P 6N7
Canada

Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose.

® Registered trade-mark of Canadian Standards Association

This Standard is currently offered in English only. CSA Group will publish the French version as soon as it is produced by the drafting organization.

TM A trade-mark of the Canadian Standards Association, operating as "CSA Group"

National Standard of Canada
Published in January 2013 by CSA Group
A not-for-profit private sector organization
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 / 416-747-4044
Visit our Online Store at shop.csa.ca
Approved by Standards Council of Canada

CAN/CSA-ISO/IEC 18031:13
Information technology – Security techniques – Random bit generation
Prepared by International Organization for Standardization / International Electrotechnical Commission
Reviewed by
CSA/4
© 2013 CSA Group, January 2013

CSA Preface

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

This Standard supersedes CAN/CSA-ISO/IEC 18031-06 (adoption of ISO/IEC 18031:2005).

At the time of publication, ISO/IEC 18031:2011 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC.

This International Standard was reviewed by the TCIT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. From time to time, ISO/IEC may publish addenda, corrigenda, etc. The TCIT will review these documents for approval and publication. For a listing, refer to the Current Standards Activities page at standardsactivities.csa.ca. This Standard has been formally approved, without modification, by the Technical Committee and has been approved as a National Standard of Canada by the Standards Council of Canada.

© 2013 CSA Group. All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO/IEC material is reprinted with permission. Where the words "this International Standard" appear in the text, they should be interpreted as "this National Standard of Canada".

Inquiries regarding this National Standard of Canada should be addressed to
CSA Group
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 / 416-747-4000
http://csa.ca

To purchase standards and related publications, visit our Online Store at shop.csa.ca or call toll-free 1-800-463-6727 or 416-747-4044.

This Standard is subject to periodic review, and suggestions for its improvement will be referred to the appropriate committee. To submit a proposal for change, please send the following information to inquiries@csagroup.org and include "Proposal for change" in the subject line:
(a) Standard designation (number);
(b) relevant clause, table, and/or figure number;
(c) wording of the proposed change; and
(d) rationale for the change.

Reference number ISO/IEC 18031:2011(E)
© ISO/IEC 2011
INTERNATIONAL STANDARD ISO/IEC 18031
Second edition 2011-11-15
Information technology – Security techniques – Random bit generation
Technologies de l'information – Techniques de sécurité – Génération de bits aléatoires

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols
5 Properties and requirements of an RBG
5.1 Properties of an RBG
5.2 Requirements of an RBG
5.3 Optional requirements for an RBG
6 RBG model
6.1 Conceptual functional model for random bit generation
6.2 RBG basic components
6.2.1 Introduction to the RBG basic components
6.2.2 Entropy source
6.2.3 Additional inputs
6.2.4 Internal state
6.2.5 Internal state transition functions
6.2.6 Output generation function
6.2.7 Support functions
7 Types of RBGs
7.1 Introduction to the types of RBGs
7.2 Non-deterministic random bit generators
7.3 Deterministic random bit generators
7.4 The RBG spectrum
8 Overview and requirements for an NRBG
8.1 NRBG overview
8.2 Functional model of an NRBG
8.3 NRBG entropy sources
8.3.1 Primary entropy source for an NRBG
8.3.2 Physical entropy sources for an NRBG
8.3.3 NRBG non-physical entropy sources
8.3.4 NRBG additional entropy sources
8.3.5 Hybrid NRBGs
8.4 NRBG additional inputs
8.4.1 NRBG additional inputs overview
8.4.2 Requirements for NRBG additional inputs
8.5 NRBG internal state
8.5.1 NRBG internal state overview
8.5.2 Requirements for the NRBG internal state
8.5.3 Optional requirements for the NRBG internal state
8.6 NRBG internal state transition functions
8.6.1 NRBG internal state transition functions overview
8.6.2 Requirements for the NRBG internal state transition functions
8.6.3 Optional requirements for the NRBG internal state transition functions
8.7 NRBG output generation function
8.7.1 NRBG output generation function overview
8.7.2 Requirements for the NRBG output generation function
8.7.3 An optional requirement for the NRBG output generation function
8.8 NRBG health tests
8.8.1 NRBG health tests overview
8.8.2 General NRBG health test requirements
8.8.3 NRBG health test on deterministic components
8.8.4 NRBG health tests on entropy sources
8.8.5 NRBG health tests on random output
8.9 NRBG component interaction
8.9.1 NRBG component interaction overview
8.9.2 Requirements for NRBG component interaction
8.9.3 Optional requirements for NRBG component interaction
9 Overview and requirements for a DRBG
9.1 DRBG overview
9.2 Functional model of a DRBG
9.3 DRBG entropy source
9.3.1 Primary entropy source for a DRBG
9.3.2 Generating seed values for a DRBG
9.3.3 Additional entropy sources for a DRBG
9.3.4 Hybrid DRBG
9.4 Additional inputs for a DRBG
9.5 Internal state for a DRBG
9.6 Internal state transition function for a DRBG
9.7 Output generation function for a DRBG
9.8 Support functions for a DRBG
9.8.1 DRBG support functions overview
9.8.2 DRBG health test
9.8.3 DRBG deterministic algorithm test
9.8.4 DRBG software/firmware integrity test
9.8.5 DRBG critical functions test
9.8.6 DRBG software/firmware load test
9.8.7 DRBG manual key entry test
9.8.8 DRBG continuous random bit generator test
9.9 Additional requirements for DRBG keys
Annex A (normative) Combining RBGs
Annex B (normative) Conversion methods
B.1 Random number generation
B.1.1 Techniques for generating random numbers
B.1.2 The simple discard method
B.1.3 The complex discard method
B.1.4 The simple modular method
B.1.5 The complex modular method
B.2 Extracting bits in the Dual_EC_DRBG
B.2.1 Potential bias in an elliptic curve over a prime field Fp
B.2.2 Adjusting for the missing bit(s) of entropy in the x coordinates
B.2.3 Values for E
B.2.4 Observations
Annex C (normative) DRBGs
C.1 DRBG mechanism examples
C.2 DRBGs based on hash-functions
C.2.1 Introduction to DRBGs based on hash-functions
C.2.2 Hash_DRBG
C.2.3 HMAC_DRBG
C.3 DRBGs based on block ciphers
C.3.1 Introduction to DRBGs based on block ciphers
C.3.2 CTR_DRBG
C.3.3 OFB_DRBG
C.4 DRBGs based on number theoretic problems
C.4.1 Introduction to DRBGs based on number theoretic problems
C.4.2 Dual Elliptic Curve DRBG (Dual_EC_DRBG)
C.4.3 Micali Schnorr DRBG (MS_DRBG)
C.5 DRBG based on multivariate quadratic equations
C.5.1 Introduction to a DRBG based on multivariate quadratic equations
C.5.2 Multivariate Quadratic DRBG (MQ_DRBG)
Annex D (normative) Application specific constants
D.1 Constants for the Dual_EC_DRBG
D.1.1 Introduction to Dual_EC_DRBG required constants
D.1.2 Curves over prime fields
D.1.3 Curves over binary fields
D.2 Default m