1、 ETSI EG 202 238 V1.1.1 (2003-10)ETSI Guide Telecommunications and Internet ProtocolHarmonization Over Networks (TIPHON);Evaluation criteria for cryptographic algorithmsETSI ETSI EG 202 238 V1.1.1 (2003-10) 2 Reference DEG/TIPHON-08007 Keywords algorithm, security, telephony ETSI 650 Route des Lucio
2、les F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:
3、/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the pri
4、nting on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:
5、/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. Europea
6、n Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark
7、of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI EG 202 238 V1.1.1 (2003-10) 3 Contents Intellectual Property Rights4 Foreword.4 1 Scope 5 2 References 5 3 Abbreviations .5 4 Introduction 6 4.1 Background 6 4.2 Algorithm purpose6 4.3 Export control
8、.6 4.3.1 Wassenaar Arrangement .7 4.4 Acquisition methods.7 4.5 Liability and Responsibility for algorithms7 5 Open and secret algorithms 7 6 Design Strategy 8 6.1 Selection of an off the shelf algorithm .8 6.2 Invite submissions 8 6.3 Commission a special group to design an algorithm9 7 Evaluation
9、Strategy 9 8 Distribution Strategy 9 9 Relevant aspects in an algorithm acquisition process 10 9.1 Design methodology.10 9.2 Evaluation methodology.10 Annex A (informative): Overview of ETSI Standard Algorithms .11 A.1 GSM the Global System for Mobile communications 11 A.2 DECT Digital Enhanced Cord
10、less Telecommunications 11 A.3 ISDN based audio-visual system11 A.4 Multi-application telecommunications cards .11 A.5 UPT - User Personal Telecommunications 12 A.6 Hiperlan - High Performance radio LAN.12 A.7 Binary Encryption Algorithm for Network Operators (BEANO)12 A.8 TETRA - Terrestrial Trunke
11、d Radio 12 Annex B (informative): Development of AES using public RFP design strategy.13 B.1 Overview of the AES selection 13 B.1.1 Purpose of the algorithm 13 B.1.2 Boundary conditions.13 B.2 Overall timetable14 B.3 Analysis of AES.15 Annex C (informative): ETSI SAGE 16 C.1 SAGE Report from 2001 (e
12、xtract) .16 History 17 ETSI ETSI EG 202 238 V1.1.1 (2003-10) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-membe
13、rs, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.a
14、sp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the pr
15、esent document. Foreword This ETSI Guide (EG) has been produced by ETSI Project Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON). ETSI ETSI EG 202 238 V1.1.1 (2003-10) 5 1 Scope The present document describes the process options for acquisition of cryptographic algorithm
16、s that are subject to standardization within ETSI Technical Bodies. The document describes: design strategies; evaluation strategies; and algorithm distribution strategies. In addition some consideration to liability and responsibility resulting from each strategy is given. 2 References The followin
17、g documents contain provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply
18、. For a non-specific reference, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 ITU-T Recommendation H.221: “Frame structure for a 64 to 1920 kbit/s channel in audiovisual tele
19、services“. 2 ITU-T Recommendation H.233: “Confidentiality system for audiovisual services“. 3 ITU-T Recommendation H.261: “Video codec for audiovisual services at p x 64 kbit/s“. 3 Abbreviations For the purposes of the present document, the following abbreviations apply: 3GPP Third Generation Partne
20、rship Project AEG Algorithm Expert Group AES Advanced Encryption System ANSI American National Standards Institute ATM Asynchronous Transfer Mode BARAS Baseline Algorithm Recommended for Audio-visual Services BEANO Binary Encryption Algorithm for Network Operators B-ISDN Broadband-Integrated Service
21、 Digital Network DES Data Encryption Standard DSAA DECT Standard Authentication Algorithm FIPS Federal Information Processing Standard GEA GPRS Encryption Algorithm GPRS General Packet Radio Service GSM Global System for Mobile HDTV High Definition Television IC Integrated Circuit ISDN Integrated Se
22、rvice Digital Network ETSI ETSI EG 202 238 V1.1.1 (2003-10) 6 KAT Known Answer Tests MAC Message Authentication Code MCT Monte-Carlo Tests RFP Request For ProposalSAGE Security Algorithm Group of Experts TAA1 TETRA Authentication and key management Algorithms TC Technical Committee TE Terminal Equip
23、ment UMTS Universal Mobile Telecommunications System UPT User Personal Telecommunications 4 Introduction 4.1 Background The selection of cryptographic algorithms and the evaluation of them requires a number of clearly defined steps: determination of purpose of the algorithm; determination of the out
24、line boundary conditions for the algorithm; selection of design method; selection of evaluation method; selection of distribution method. The distribution method may of itself form one of the boundary conditions to the algorithm. 4.2 Algorithm purpose A cryptographic algorithm may be used to provide
25、 one or more of the building blocks in a security service: confidentiality; integrity; and authenticity. The primary purpose shall be stated and the application environment shall be identified (generally this will be found in the security framework specification to which the cryptographic technique
26、shall be applied). 4.3 Export control In recognizing that cryptographic devices may have dual-use capability (i.e. may be used for both civil and non-civil applications) the distribution and application of encryption algorithms is limited by export controls and by national or regional policy. It can
27、 be expected that export control rules, and national/regional policy, will vary over time. The impact of this on the development of cryptographic algorithms may restrict some forms of implementation and wherever possible the full scope of application of an algorithm should be stated within the bound
28、ary conditions (including the form of device that the algorithm will be supplied to). Similarly the requirements on the strength of cryptographic mechanisms may vary with time as the capabilities of attackers develop (e.g. a 56-bit algorithm is now unlikely to offer the same degree of immunity to at
29、tack as it was 10 years ago). ETSI ETSI EG 202 238 V1.1.1 (2003-10) 7 4.3.1 Wassenaar Arrangement The Wassenaar Arrangement was the first global multilateral arrangement on export controls for conventional weapons and sensitive dual-use goods and technologies which includes those related to cryptolo
30、gy. It received final approval by the 33 co-founding countries in July 1996 and began operations in September 1996. Cryptographic restrictions apply as limitations of key length in symmetric systems to 56 bits, and in asymmetric systems to 512 bits. However the restrictions do not apply to the use o
31、f cryptographic material for civil telecommunications systems that are not capable of end-to-end encryption. These restrictions are subject to renewal on 5thDecember 2003 by unanimous consent. For systems designed for civil use the provisions of the Wassenaar Arrangement in the area of application (
32、geographic as well as technical application) should be reviewed. For systems employing encryption for non-civil use due consideration should be taken of the impact of the Wassenaar Arrangement particularly in respect of the available strength of the algorithm if export control restrictions are to be
33、 avoided. 4.4 Acquisition methods Each algorithm that is required can be acquired in one of 3 ways: selection from available off the shelf algorithms; invitation to submit proposals against a known set of boundary conditions; or commission to a dedicated design group. NOTE: In general for ETSI techn
34、ical bodies requiring the acquisition of cryptographic material the first port of call should be SAGE. These methods are applicable both for secret algorithms, i.e. algorithms that are intended to be kept secret, and for open algorithms, i.e. algorithms that are published. The received wisdom within
35、 the security community is that open algorithms are to be preferred and examples that show this are to be found in the development of AES as FIPS-197 (see annex B), and in the recent work of ETSI SAGE which has built the 3GPP authentication algorithm suite on Rijndael (AES) (see annex C). 4.5 Liabil
36、ity and Responsibility for algorithms In the end, someone has to take responsibility for the algorithms. It is useful to be able to predetermine which party for example is liable if an algorithm is broken and financial losses occur. In case of a commissioned design the responsibilities are more or l
37、ess clear. In principle the person/organisation which commissions the design is responsible, but some of the responsibility might, e.g. by contract, be transferred to the party which takes on the task to design the algorithm. In case of an open call for algorithms the responsibility for the algorith
38、m is less clear. It is probably not realistic to make responsibility part of the call (i.e. if you are submitting an algorithm and it will be used then you are liable if it is broken). So the responsibility lies with the party selecting the algorithm. But it is not clear if this selecting party is a
39、ble to take on any responsibility. This will depend on the process which is applied. An option in both cases might be to make the algorithm available (distributing, publishing) without taking any responsibility. This is certainly practical in cases where the end use of the algorithm is not fully spe
40、cified. 5 Open and secret algorithms The protection offered by an algorithm should always be evaluated under the assumptions that the attacker knows all details of the algorithm and the system it is used within. The only thing the attacker does not know is the key. Of course, keeping the algorithm s
41、ecret gives an extra layer of protection, however for the purposes of evaluation it is safer in most cases to assume that the algorithm has been made public. ETSI ETSI EG 202 238 V1.1.1 (2003-10) 8 The trust in an algorithm is dependent in part on the trust placed on those who have evaluated it (its
42、 evaluators). An open algorithm that has undergone public review should incur more trust of the end users in the design. The competitive situation should also be considered. Where a secret algorithm is concerned, although it may be prudent to assume that the algorithm is more widely known than desir
43、ed, it is unlikely that there will be any public cryptanlysis of the secret algorithm. Possible choices. open algorithms; secret algorithms. Assumptions: competitive situation is better with open algorithms; trust is higher in open algorithms; it is very difficult to keep secret algorithms secret; i
44、f a design flaw in a secret algorithm is detected and published, the trust is seriously hurt; open algorithms are always open for analysis, which may result in publication of attacks that are only of theoretical interest. 6 Design Strategy 6.1 Selection of an off the shelf algorithm In order to sele
45、ct an off-the-shelf algorithm the selection shall be based on the suitability of the algorithm for its use and implementation in the system. The experts performing the selection do not necessarily need to be experts in cryptology but are required to be expert in the security and systems aspects for
46、the end application. Assumptions: the expertise needed for evaluating suitability is available; the selection process will not be too time-consuming (approximately 2 months); there exist candidates (e.g. ETSI secret algorithms, open FIPS standards and AES candidates); and there is no difference betw
47、een selecting secret or open algorithms. 6.2 Invite submissions Interested parties, within and outside ETSI are invited to submit proposals. The success of the approach relies on the willingness from the interested parties to submit proposals. This approach is mainly used for open algorithms but it
48、would be possible to invite submissions for secret algorithms. The time from issuing the Request For Proposal (RFP) until the deadline for submissions in a world-wide environment should be at least 6 months. The number of submitted proposals will be dependent on the response time. Thus there is a ce
49、rtain minimum response time to get any proposals at all. If there are several proposals (but also in case of a single proposal) an evaluation/selection regarding suitability has to be performed. Assumptions: interest to submit proposals is limited but present; the time from issuing the RFP till deadline for submissions should be at least 6 months; ETSI ETSI EG 202 238 V1.1.1 (2003-10) 9 the expertise needed for evaluating suitability is available; and the selection process will not be too time-consuming (
