ETSI TS 102 176-1-2011 Electronic Signatures and Infrastructures (ESI) Algorithms and Parameters for Secure Electronic Signatures Part 1 Hash functions and asymmetric algorithms (V_1.pdf

Uploaded by: 刘芸 | Document ID: 738781 | Upload date: 2019-01-12 | Format: PDF | Pages: 66 | Size: 398.70 KB
Resource description

ETSI TS 102 176-1 V2.1.1 (2011-07)
Technical Specification

Electronic Signatures and Infrastructures (ESI);
Algorithms and Parameters for Secure Electronic Signatures;
Part 1: Hash functions and asymmetric algorithms

Reference: RTS/ESI-000080-1
Keywords: e-commerce, electronic signature, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
  2.1 Normative references
  2.2 Informative references
3 Definitions and abbreviations
  3.1 Definitions
  3.2 Abbreviations
4 Maintenance of the document
5 Hash functions
  5.1 General
  5.2 Recommended one way hash functions
    5.2.1 SHA-1 is no more recommended
    5.2.2 RIPEMD-160 is no more recommended
    5.2.3 SHA-224
    5.2.4 SHA-256
    5.2.5 WHIRLPOOL
    5.2.6 SHA-384
    5.2.7 SHA-512
    5.2.8 SHA-3
6 Signature schemes
  6.1 Signature algorithms
    6.1.1 General
    6.1.2 Recommended signature algorithms
      6.1.2.1 RSA
      6.1.2.2 DSA
      6.1.2.3 Elliptic curve analogue of DSA based on a group E(Fp)
      6.1.2.4 Elliptic curve analogue of DSA based on a group E(F2m)
      6.1.2.5 EC-GDSA based on a group E(Fp)
      6.1.2.6 EC-GDSA based on a group E(F2m)
  6.2 Recommended key pair generation methods
    6.2.1 General
    6.2.2 Recommended key pair generation methods
      6.2.2.1 Key and parameter generation algorithm rsagen1
      6.2.2.2 Key and parameter generation algorithm dsagen1
      6.2.2.3 Key and parameter generation algorithm ecgen1 for ecdsa-Fp
      6.2.2.4 Key and parameter generation algorithm ecgen2 for ecdsa-F2m
      6.2.2.5 Key and parameter generation algorithm ecgen1 for ecgdsa-Fp
      6.2.2.6 Key and parameter generation algorithm ecgen2 for ecgdsa-F2m
7 Signature suites
  7.1 General
  7.2 Padding methods
  7.3 Recommended signature suites
8 Random number generation methods
  8.1 General
  8.2 Recommended random number generation methods
    8.2.1 Random generator requirements trueran
    8.2.2 Random generator requirements pseuran
9 Recommended hash functions and key sizes versus time
  9.1 Basis for the recommendations
  9.2 Recommended hash functions versus time
  9.3 Recommended key sizes versus time
10 Time period resistance of hash functions and keys
  10.1 Time period resistance for hash functions
  10.2 Time period resistance for signers key
  10.3 Time period resistance for trust anchors
  10.4 Time period resistance for other keys
11 Practical ways to identify hash functions and signature algorithms
  11.1 Hash functions and signature algorithms objects identified using OIDs
    11.1.1 Hash functions
    11.1.2 Signature algorithms
    11.1.3 Signature suites
  11.2 Hash functions and signature algorithms identified objects using URNs
    11.2.1 Hash functions
    11.2.2 Signature algorithms
    11.2.3 Signature suites
  11.3 Recommended hash functions and signature algorithms objects that do not yet have an OID or a description
  11.4 Recommended hash functions and signature algorithms objects that do not yet have a URN or a description
Annex A (normative): Algorithms for various data structures
  A.1 Advanced Electronic Signatures based on TS 101 733
  A.2 Advanced Electronic Signatures based on TS 101 903
  A.3 Signers certificates
  A.4 CRLs
  A.5 OCSP responses
  A.6 CA certificates
  A.7 Self-signed certificates for CA issuing CA certificates
  A.8 TSTs based on RFC 3161 and TS 101 861
  A.9 TSU certificates
  A.10 Self-signed certificates for CAs issuing TSU certificates
  A.11 Attribute certificates
  A.12 AA certificates
Annex B (informative): Recommended key sizes (historical)
  B.1 Changes in 2005
  B.2 Changes in 2007
  B.3 Changes in 2011
Annex C (informative): Generation of RSA modulus
Annex D (informative): Generation of elliptic curve domain parameters
  D.1 ECDSA and ECGDSA based on a group E(Fp)
  D.2 ECDSA and ECGDSA based on a group E(F2m)
  D.3 The class number condition
Annex E (informative): On the generation of random data
  E.1 Classes of random number generators
  E.2 On tests for NRNGs
Annex F (informative): Algorithm identifiers defined in various documents
  F.1 Algorithm identifiers defined in RFC 3278
  F.2 Algorithm identifiers defined in RFC 3279
  F.3 Algorithm identifiers defined in RFC 3370
  F.4 Algorithm identifiers defined in RFC 3447
  F.5 Algorithm identifier defined in RFC 3874
  F.6 Algorithm identifiers defined in XML-Signature Syntax and Processing W3C Recommendation
  F.7 Algorithm identifiers defined in XML Encryption Syntax and Processing. W3C Recommendation
  F.8 Algorithm identifiers defined in RFC 4050
  F.9 Algorithm identifiers defined in RFC 4051
  F.10 Algorithm identifiers defined in RFC 4055
Annex G (informative): Abstracts of ISO/IEC 10118-3 and ISO/IEC 9796-2
Annex H (informative): Signature maintenance
Annex I (informative): Major changes from previous versions
Annex J (informative): National Bodies
Annex K (informative): Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

The present document is part 1 of a multi-part deliverable covering the Algorithms and Parameters for Secure Electronic Signatures, as identified below:

- Part 1: "Hash functions and asymmetric algorithms";
- Part 2: "Secure channel protocols and algorithms for signature creation devices".

Introduction

The present document provides for security and interoperability for the application of the underlying mathematical algorithms and related parameters for electronic signatures in accordance with the Directive 1999/93/EC [1] of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

On the other side the present document is not a legal document answering the question which key lengths or use dates are sufficient to ensure a certain level of liability. In particular the reader is advised that some national signature laws or regulations may require a different level of security for qualified electronic signatures than recommended here by the key lengths and use dates in the present document. The present document is based on cryptographic analysis of the algorithms and it recommends using at least the parameters given here.

The present document defines a list of hash functions, as well as a list of signature schemes together with the requirements on their parameters, as well as the recommended combinations of these schemes with hash functions and padding method in the form of "signature suites" to be used with the data structures defined in the documents developed under the European Electronic Signature Standardization Initiative (EESSI). The present document contains several informative annexes which provide useful information on a number of subjects mentioned in the text.

The present document is not a general purpose document dealing with hash functions and asymmetrical algorithms in general. The goal of the present document is not to list all "good" signature algorithms but those that are most important to be used in the context of advanced electronic signatures. In addition, the intent of the present document is not to have a catalog of all algorithms suitable for advanced electronic signatures, but to limit the list to a reasonable set so that interoperability can be achieved. Interoperability with security is the main issue.

The primary criterion for inclusion of an algorithm in the document is "Secure, widely used and deployed in practice". Whereas all listed algorithms have been checked for security by cryptographic experts, it cannot be concluded from the document, that an algorithm not listed would be insecure. Therefore algorithms are not listed as recommended if they require a restricted environment or remain secure for a short time frame only.

The second part of this multi-part deliverable (protocols and algorithms for SCDev secure channels) is outdated. It defined at the date of issuance protocols and symmetric algorithms that may optionally be used to construct a secure channel providing either only integrity or both integrity and confidentiality between an application and a signature creation device (SCDev). Such a secure channel may be used during the operational phase of a signature creation device:

- when the key pair is not generated by the SCDev, to remotely download in the SCDev both a private key and the associated public key certificate;
- when the key pair is generated by the SCDev, to remotely download in the SCDev a public key certificate and associate it with the previously generated private key.

The protocols and symmetric algorithms in the former scope of part 2 of this multi-part deliverable are defined now in the European Norm EN 14890-1 [16]. Additionally second part is in preparation.

1 Scope

The present document is targeted to support advanced electronic signatures and the related infrastructure.

The present document defines a list of hash functions and a list of signature schemes, as well as the recommended combinations of hash functions and signatures schemes in the form of "signature suites".

The primary criteria for inclusion of an algorithm in the present document are:

- the algorithm is considered as secure;
- the algorithm is commonly used; and
- the algorithm can easily be referenced (for example by means of an OID).

This does not mean that other hash functions and signature suites cannot be used, but either they do not correspond to the above criteria or their security has not been assessed.

The document also provides guidance on the hash functions, signature schemes and signature suites to be used with the data structures used in the context of electronic signatures. For each data structure, the set of algorithms to be used is specified. Each set is identified by an identifier which is either an OID (Object IDENTIFIER) or a URI / URN. The use of such identifiers is necessary so that interoperability can be achieved. In order to allow for data interchange, the document references algorithms in terms of OIDs and URIs / URNs together with algorithm parameters.

Different requirements apply to the issuers and to the users of the data structures in order to allow for interoperability.

RFC documents use the terms SHALL, SHOULD, MAY, RECOMMENDED in order to allow for interoperability. The same terminology is used in the present document (see RFC 2119 [25]).

Issuers of the data structures (e.g. CSPs, CRL Issuers, OCSP responders, TSUs) need to know the algorithms and key sizes they SHOULD or MAY support. There SHOULD be at least one algorithm recommended to support, but may be more than one.

Users of the data structures (i.e. signers or verifiers of electronic signatures) need to know the algorithms and key sizes they SHALL, SHOULD or MAY support. Users may support more than one algorithm for each data structure.

These requirements are listed in annex A.

Annex B provides historical information on the recommended hash functions, algorithms and key sizes for the generation and verification of electronic signatures. This annex will be periodically updated.

Annex C provides more information on the generation of RSA modulus.

Annex D provides more information on the generation of elliptic curve domain parameters.

Annex E addresses the generation of random data.

Annex F lists the algorithm identifiers defined in various documents.

Annex G provides a short abstract of ISO/IEC 10118-3 [3] and ISO/IEC 9796-2 [17].

Annex H provides some guidance on signature maintenance.

Annex I lists the major changes from the previous versions.

The present document defines a set of algorithms (i.e. hash functions, signature schemes and signature suites) and the corresponding parameters that are recommended to be used. If such algorithms are used according to the context where they are expected to be used, then a reasonable security level can be assumed. Th
