1、ETSI SR 002 176 1.1.1 (2003-03) Special Repor Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures 2 ETSI SR 002 176 VI .I .I (2003-03) Reference DSR/ESI-000016 Keywords e-commerce, electronic signature, security ETSI 650 Route des Lucioles F-O6
2、921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 O0 Fax: +33 4 93 65 47 16 Siret No 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-prfecture de Grasse (06) No 7803/88 Important notice Individual copies of the present document can be downloaded from: http:lwmv.e
3、tsi .arq The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing
4、 on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at ha p:/pa r
5、ta I. etsi I a rgltbistat uslstatus .as p If you find errors in the present document, send your comment to: Cori vriaht Notifica tion No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. O European Tele
6、communications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTMand UMTSTMare Trade Marks of ETSI registered for the benefit of its Members. TIPHONTM and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI
7、 registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI 3 ETSI SR 002 176 VI . 1 . 1 (2003-03) Contents Intellectual Property Rights 5 Foreword . 5 Introduction 5 1 Scope 6 2 References 6 3 Definitions and abbreviations . 7 3.1 Definitions 7 3.2 Abbreviations 8 4 Alg
8、orithms and Parameters for Secure Electronic Signatures 8 4.1 4.2 4.3 4.4 4.5 4.5.1 4.5.2 4.5.2.1 4.5.2.2 4.5.3 4.5.3.1 4.5.3.2 4.5.4 4.5.4.1 4.5.4.2 4.5.5 4.5.5.1 4.5.5.2 4.5.6 4.5.6.1 4.5.6.2 4.5.7 4.5.7.1 4.5.7.2 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.6.5 . Management activities 8 Signature suites for sec
9、ure electronic signatures 8 Cryptographic hash functions . 9 Padding methods 10 Signature algorithms . 10 General comments 10 RSA 11 Parameters . 11 Key and parameter generation algorithm rsagenl . 12 DSA 12 Parameters . 12 Key and parameter generation algorithm dsagenl 12 Elliptic curve analogue of
10、 DSA based on a group E(F, ) . 12 Parameters . 12 Key and parameter generation algorithm ecgenl for ecdsa-Fp 13 13 13 14 14 14 14 14 14 14 15 General comments 15 Random generator requirements trueran . 15 Random generator requirements pseuran 15 Random number generator cr-toX9.30-x . 15 Random numbe
11、r generator cr-toX9.30-k . 16 Annex A (normative): Updating algorithms and parameters 17 A . 1 Introduction 17 A.2 Management Process 17 Annex B (informative): Algorithm Object Identifiers 19 Annex C (informative): Generation of RSA keys for signatures 20 C . 1 Generation of random prime numbers 20
12、C . 1.1 Probabilistic primality test 20 C . 1.2 Strong prime numbers 20 C.2 Generation of RSA modulus 21 . ETSI 4 ETSI SR 002 176 VI .I .I (2003-03) C.3 Generation of RSA keys. . .2 1 Annex D (informative): On the generation of random data . 22 Why cryptography needs random numbers 22 Generation of
13、truly random bits .22 D.3 Statistical tests 23 Pseudorandom bit generation. . .24 D. 1 D.2 D.4 24 D.4.1 General . . 24 D.4.2 ANSI X9.17 generator . . 24 D.4.3 FIPS 186 generator . 25 D.4.4 RSA PRNG and Blum-Blum-Shub PRNG . D.5 Conclusion. .25 Annex E (informative): Verification . 26 Annex F (inform
14、ative): Bibliography . 27 History .28 . ETSI 5 ETSI SR 002 176 VI .I .I (2003-03) Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI me
15、mbers and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (7PRs); Essential, orpotentially Essential, IPRs notlJied to ETSI in respect ofETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (5). All publish
16、ed ETSI deliverables shall include information which directs the reader to the above source of information. Foreword This Special Report (SR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). I n t rod uct ion The present document provides for security an
17、d interoperability for the application of the underlying mathematical algorithms and related parameters for secure electronic signatures in accordance with the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures i.
18、 The present document will be handed to the EC via the EESSI-SG through ICTSB as a substantial contribution to be discussed further at the A9C (Article 9 Committee) level. The final decision on how to respect and how to handle this contribution and its future handling process will be the responsibil
19、ity of the EC and A9C. The present document defines a list of approved cryptographic algorithms together with the requirements on their parameters, as well as the approved combinations of algorithms in the form of “signature suites“. The approved algorithms and parameters shall be referenced in the
20、corresponding Protection Profiles (e.g. for SSCDs or trusted CSP components). The present document contains several informative annexes which provide useful information on a number of subjects mentioned in the text. ETSI 6 ETSI SR 002 176 VI .I .I (2003-03) 1 Scope The present document defines an in
21、itial set of algorithms and the corresponding parameters to be included in a list of approved methods for producing or verif$ng Electronic Signatures in Secure Signature-Creating Devices (SSCD) (EESSI-work area F: CWA 14168 / 14169 Secure Signature-Creation Devices), to be referenced in the Certific
22、ate Policy documents (EESSI-work area A: TS 10 1 456: Policy requirements for certification authorities issuing qualified certificates), during the signature creation and validation process and environment (EESSI-work area G1/2: CWA 14170: Security Requirements for Signature Creation Systems; CWA 14
23、171 Procedures for Electronic Signature Verification), in trusted CSP components (Certification Service Provider) (EESSI-work-area D: CWA 14167-1: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures) and other technical components and related areas. The pres
24、ent document defines a list of approved cryptographic algorithms combined with the requirements on their parameters, as well as the approved combinations of algorithms in the form of “signature suites“. The approved algorithms and parameters shall be referenced in the corresponding Protection Profil
25、es (e.g. for SSCDs or trusted CSP components). To support the management activities, a numbering scheme for cryptographic algorithms and their parameters is defined. Specifically, the present document gives guidance on management practices for cryptographic algorithms (see clause 4. i), signature su
26、ites (see clause 4.2), cryptographic hash functions (see clause 4.3), padding methods (see clause 4.4), signature algorithms and the corresponding key generation algorithms (see clause 4.5), and random-number generation (see clause 4.6). The present document also gives guidance on the management pra
27、ctices that shall be applied to cope with developments such as the examples given in the annex A. It describes a process for updating the approved algorithms lists and parameters. Annex B contains OIDs assigned to the approved algorithms, annex C gives more information on the generation of RSA keys
28、for signatures and annex D addresses the generation of random data. Currently no algorithms are specified for symmetric encryption of critical data outside a secure device or for proving correspondence between the Signature Creation Data (SCD) and Signature Verification Data (SVD). Nonetheless such
29、algorithms are within the scope of a subsequent version of the present document. Patent related issues are out of the scope of the present document. 2 Re fe re nces The following documents contain provisions which, through reference in this text, constitute provisions of the present document. Refere
30、nces are either specific (identified by date of publication andor edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. Referenced documents which are not found to be publicly availabl
31、e in the expected location might be found at htlr,. il Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. ETSI 7 ETSI SR 002 176 VI .I .I (2003-03) 31 41 ISO/IEC 9979 (1999): “Information technology - Security te
32、chniques - Procedures for the registration of cryptographic algorithms“. IETF RFC 2459 (1999): “Internet X.509 Public Key Infiastructure Certificate and CRL Profile“, Housley,R., et al. ISO/IEC 101 18-3 (1998): “Information technology - Security techniques - Hash functions - Part 3: Dedicated hash f
33、unctions“. FIPS Publication 180-1 (1995): “Secure Hash Standard (SHS)“. PKCS #1 v2.0 (1998): “RSA Cryptography Standard“. ISO/IEC 14888-3 (1999): “Information technology - Security techniques - Digital signatures with appendix - Part 3 : Certificate-based mechanisms“. FIPS Publication 140-1 (1994):
34、“Security requirements for cryptographic modules“. FIPS Publication 186-2 (2000): “Digital Signature Standard (DSS)“. IEEE P1363 (2000): “Standard Specifications for Public-Key Cryptography“. ANSI X9.62-1998 (1998): “Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Dig
35、ital Signature Algorithm (ECDSA)“. ISO/IEC 9796-3 (2000): “Information technology - Security techniques - Digital signature schemes giving message recovery - Part 3: Discrete logarithm based mechanisms“. ISO/IEC FCD 15946-2 (1999): “Information technology - Security techniques - Cryptographic techni
36、ques based on elliptic curves - Part 2: Digital signatures“. ISO/IEC CD 15946-4 (2001): “Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 4: Digital signatures giving message recovery“. IETF RFC 1750 (1994): “Randomness Recommendations for Secur
37、ity“, Eastlake, D., et al. ANSIX9.17-1985 (1985): “Financial Institution Key Management (wholesale)“. PKCS #1 v2.1 draft 2 (2001): “RSA Cryptography Standard“. Change Recommendation for ANSI X9.30-1995, (Part i), Draft, April 2001. IETF RFC 3 161 (2001): “Internet X.509 Public Key Infrastructure Tim
38、e-Stamp Protocol (TSP)“, Adams, C., et al. 3 3.1 Definitions and abbreviations De fi nit ions For the purposes of the present document, the following terms and definitions apply: bit length: The bit length of an integery is r if 2-l n, it is permissible to slowly feed in true randomness (from a true
39、ran generator) at a rate of at least j=S bits per output on top of the initial entropy requirement, otherwise the generator should be completely re-seeded. If re-seeding is employed the security of the re-seeding process shall be as strong as that of the original seeding and follow procedures simila
40、r to those for the generation of root keys. The use of re-seeding in smartcards is not permitted. No backups of the seed or internal states of a pseuran generator are permitted. 4.6.4 Random number generator cr-to-X9.30-x This random number generator is specified in clause B.2.1 of 181. ETSI 16 ETSI
41、 SR 002 176 VI .I .I (2003-03) 4.6.5 Random number generator cr-to-X9.30-k This random number generator is specified in clause B.2.2 of 18. ETSI 17 ETSI SR 002 176 VI .I .I (2003-03) Annex A (normative): Updating algorithms and parameters A. 1 I n t rod uct ion Cryptographic algorithms in general do
42、 not offer unlimited perfect security in the information-theoretical sense. Their security depends on: the difficulty of solving a hard mathematical problem that they are based on, and the computational infeasibility of solving the problem using the current technology. This effectively means that a
43、previously secure cryptographic algorithm cannot be considered secure any longer if, for example, a mathematical method has been found so that the previously hard problem the algorithm was based on is no longer hard, or the advances in technology make it possible to solve the problem within a signif
44、icantly shorter period of time. In any of these cases a cryptographic algorithm cannot be considered secure any longer. It is therefore of crucial importance to establish suitable management practices to cope with such developments to prevent the use of insecure algorithms. This annex defines the ma
45、nagement practices to enable fast and technologically appropriate reactions to new developments in computing technology and new findings in the area of cryptography. A.2 Management Process As a response to relevant developments in the area of cryptography and technology, it is recommended that the l
46、ists of approved algorithms and parameter values be dynamically updated. The initial lists of approved algorithms and their parameter values are given in the present document. This annex identifies several cases where an update of the lists is required: Adopting a new algorithm. As a result of monit
47、oring the relevant developments in cryptography and computing technology, a notified body of a member state may propose adoption of a new algorithm. An algorithm can be adopted if at least one complete set of parameters for this algorithm has been adopted. Definitions of the complete sets of paramet
48、ers for a specific algorithm are given in the present document. Cancelling an algorithm. As a result of monitoring the relevant developments in cryptography and computing technology, a notified body of a member state may propose cancellation of a currently approved algorithm. The proposal should con
49、tain a clear reasoning about the insufficient security of the algorithm to be cancelled and about the implications for existing products using this algorithm. Updating parameter values for an approved algorithm. As a result of monitoring the relevant developments in cryptography and computing technology, a notified body of a member state may propose an update to the parameter values of an approved algorithm. The proposal should contain clear reasoning about the insufficient security of the parameter values to be updated and about the implications for existing products using
