1、 ETSI TS 119 312 V1.1.1 (2014-11) Electronic Signatures and Infrastructures (ESI); Cryptographic Suites TECHNICAL SPECIFICATION ETSI ETSI TS 119 312 V1.1.1 (2014-11)2Reference DTS/ESI-0019312 Keywords e-commerce, electronic signature, security, trust services ETSI 650 Route des Lucioles F-06921 Soph
2、ia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org The present document ma
3、y be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in p
4、rint, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of
5、 this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced or utilize
6、d in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to repr
7、oduction in all media. European Telecommunications Standards Institute 2014. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of th
8、e 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119 312 V1.1.1 (2014-11)3Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative reference
9、s . 6g32.2 Informative references 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 8g34 Maintenance of the document 9g35 Hash functions 10g35.1 General . 10g35.2 Recommended hash functions 10g35.2.1 SHA-224 . 10g35.2.2 SHA-256 . 10g35.2.3 SHA-384 . 11g35.2.4 SHA-512 . 1
10、1g35.2.5 SHA-512/256 11g35.3 Other hash functions . 11g35.3.1 SHA-1 is no more recommended 11g35.3.2 WHIRLPOOL is no more recommended 11g35.3.3 SHA-3 . 12g36 Signature schemes 12g36.1 Signature algorithms. 12g36.1.1 General 12g36.1.2 Recommended signature algorithms . 12g36.1.2.1 RSA . 12g36.1.2.2 D
11、SA. 13g36.1.2.3 Elliptic curve analogue of DSA based on a group E(Fp) . 13g36.1.2.4 Elliptic curve analogue of DSA based on a group E(F2m) . 14g36.1.2.5 EC-GDSA based on a group E(Fp) 14g36.1.2.6 EC-GDSA based on a group E(F2m) 14g36.1.2.7 Other EC-DSA variants for future applications 15g36.2 Key ge
12、neration algorithms . 15g36.2.1 General 15g36.2.2 Recommended key generation algorithms 15g36.2.2.1 Key and parameter generation algorithm rsagen1 . 15g36.2.2.2 Key and parameter generation algorithm dsagen1 16g36.2.2.3 Key and parameter generation algorithm ecgen1 for ecdsa-Fp . 16g36.2.2.4 Key and
13、 parameter generation algorithm ecgen2 for ecdsa-F2m 17g36.2.2.5 Key and parameter generation algorithm ecgen1 for ecgdsa-Fp . 17g36.2.2.6 Key and parameter generation algorithm ecgen2 for ecgdsa-F2m 17g37 Signature suites 17g37.1 General . 17g37.2 Padding methods 18g37.3 Recommended signature suite
14、s 19g38 Random number generation methods . 19g38.1 General . 19g3ETSI ETSI TS 119 312 V1.1.1 (2014-11)48.2 Recommended random number generation methods . 20g38.2.1 General 20g38.2.2 Random generator requirements trueran . 20g38.2.3 Random generator requirements pseuran 21g39 Recommended hash functio
15、ns and key sizes versus time 22g39.1 Basis for the recommendations 23g39.2 Recommended hash functions versus time . 23g39.3 Recommended key sizes versus time . 23g310 Time period resistance of hash functions and keys 26g310.1 General notes 26g310.2 Time period resistance for hash functions 26g310.3
16、Time period resistance for signers key 26g310.4 Time period resistance for trust anchors . 26g310.5 Time period resistance for other keys . 27g311 Practical ways to identify hash functions and signature algorithms . 27g311.1 General . 27g311.2 Hash functions and signature algorithms objects identifi
17、ed using OIDs 27g311.2.1 Hash functions 27g311.2.2 Signature algorithms . 27g311.2.3 Signature suites . 28g311.3 Hash functions and signature algorithms identified objects using URNs . 28g311.3.1 Hash functions 28g311.3.2 Signature algorithms . 28g311.3.3 Signature suites . 29g311.4 Recommended hash
18、 functions and signature algorithms objects that do not yet have an OID or a description 29g3Annex A (normative): Algorithms for various data structures 30g3A.1 CAdES and PAdES 30g3A.2 XAdES . 31g3A.3 Signers certificates . 31g3A.4 CRLs. 32g3A.5 OCSP responses . 32g3A.6 CA certificates 32g3A.7 Self-
19、signed certificates for CA issuing CA certificates 33g3A.8 TSTs based on RFC 3161 . 33g3A.9 TSU certificates 33g3A.10 Self-signed certificates for CAs issuing TSU certificates 34g3Annex B (informative): Recommended key sizes (historical) . 35g3Annex C (informative): Signature maintenance 36g3History
20、 37g3ETSI ETSI TS 119 312 V1.1.1 (2014-11)5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
21、 in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy
22、, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Techni
23、cal Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document replaces ETSI TS 102 176-1 (also known as “Algo Paper“) i.4. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“,
24、 “may not“, “need“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduc
25、tion Selection of the cryptographic suites to apply for digital signatures is an important business parameter for products and services implementing digital signatures. The present document provides guidance on selection of cryptographic suites with particular emphasis on security. The present docum
26、ent identifies a range of different cryptographic suites that can be used corresponding to the appropriate level of security, which fulfils the security needs identified during the system design. There is no normative requirement on selection among the alternatives but for all alternatives, normativ
27、e requirements apply to ensure security and interoperability. The present document is based on various security recommendations given by other standardization bodies, security agencies and supervisory authorities of the Member States. National cryptographic recommendations including but not limited
28、to French i.2 and German i.3 are considered in the present document. ETSI ETSI TS 119 312 V1.1.1 (2014-11)61 Scope The present document specifies cryptographic suites used for digital signature creation and verification algorithms. The present document provides guidance on selection of cryptographic
29、 suites corresponding to the appropriate level of security, which fulfils the security needs identified during the system design. The present document identifies a range of alternative cryptographic suites. There is no normative requirement on selection among the alternatives but for all alternative
30、s, normative requirements apply to ensure security and interoperability. The present document also provides guidance on the hash functions, signature schemes and signature suites to be used with the data structures used in the context of digital signatures. For each data structure, the set of algori
31、thms to be used is specified. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (
32、including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long t
33、erm validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. 1 FIPS Publication 180-4 (2012): “Secure Hash Standard (SHS)“. 2 FIPS Publication 186-4 (July 2013): “Digital Signature Standard (DSS)“. 3 IETF RFC 3447 (2003): “Publi
34、c-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1“. 4 ISO/IEC 14888-3 (2006): “Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms“. 5 IETF RFC 5639 (2010): “Elliptic Curve Cryptography (ECC)
35、Brainpool Standard Curves and Curve Generation“. 6 ANSI X9.62 (2005): “Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA)“. 7 IETF RFC 3279 (2002): “Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificat
36、e and Certificate Revocation List (CRL) Profile“. NOTE: Updated by RFC 4055, RFC 4491, RFC 5480, and RFC 5758. 8 IETF RFC 4055 (2005): “Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CR
37、L) Profile“. 9 IETF RFC 5753: “Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)“. 10 IETF RFC 6931 (2013): “Additional XML Security Uniform Resource Identifiers (URIs)“. 11 W3C Recommendation: “XML Encryption Syntax and Processing Version 1.1“, April 2013. ET
38、SI ETSI TS 119 312 V1.1.1 (2014-11)7NOTE: Available at http:/www.w3.org/TR/2013/REC-xmlenc-core1-20130411. 12 IETF RFC 3161 (2001): “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)“. NOTE: Updated by RFC 5816. 13 IETF RFC 6960 (2013): “X.509 Internet Public Key Infrastructure Onli
39、ne Certificate Status Protocol - OCSP“. NOTE: Updates RFC 2560, RFC 6277. 14 W3C Recommendation: “XML-Signature Syntax and Processing Version 1.1“, April 2013. NOTE: Available at http:/www.w3.org/TR/2013/REC-xmldsig-core1-20130411. 15 ETSI TS 101 861 (V1.4.1) (07-2011): “Electronic Signatures and In
40、frastructures (ESI); Time stamping profile“. 16 ISO/IEC 18031 (2011): “Information technology - Security techniques - Random bit generation“. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with rega
41、rd to a particular subject area. i.1 ENISA: “Algorithms, Key Sizes and Parameters Report, 2013 recommendations, version 1.0“ (2013-10). NOTE: Available at http:/www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report. i.2 Agence nationale de
42、la scurit des systmes dinformation, Rfrentiel Gnral de Scurit version 2.0, 2014-06. NOTE: Annex B1 (version 2.03 of 2014-02) is available at http:/www.ssi.gouv.fr/IMG/pdf/RGS_v-2-0_B1.pdf. i.3 Bundesnetzagentur fr Elektrizitt, Gas, Telekommunikation, Post und Eisenbahnen, bersicht ber geeignete Algo
43、rithmen, 2014-01. NOTE: Available at http:/www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/2014Algorithmenkatalog.pd. i.4 ETSI TS 102 176-1 (V2.1.1) (07-2011): “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Elec
44、tronic Signatures; Part 1: Hash functions and asymmetric algorithms“. NOTE: This reference is given only for informational purposes. i.5 ISO/IEC 18032 (2005): “Information technology - Security techniques - Prime number generation“. i.6 ISO/IEC 10118-3 (2004): “Information technology - Security tech
45、niques - Hash functions - Part 3: Dedicated hash functions“. NOTE: This ISO Standard duplicates the standardization from FIPS Publication 180-4 1. i.7 National Institute of Standards and Technology SHA-3 Competition (2007-2012). NOTE: More details on winner selection are available at http:/csrc.nist
46、.gov/groups/ST/hash/sha-3/sha-3_selection_announcement.pdf. i.8 ANSI X9.82 (2006): “Random Number Generation Part 1“. i.9 AIS 20/31: “Application Notes and Interpretation of the Scheme: Functionality classes and evaluation methodology for deterministic random number generators“, Version 2. ETSI ETSI
47、 TS 119 312 V1.1.1 (2014-11)8i.10 ANSI X9.17: “Pseudo Random Number Generator (RNG)“. i.11 NIST Special Publication SP 800-90A: “Recommendation for Random Number Generation Using Deterministic Random Bit Generators“, January 2012. i.12 ETSI TS 101 733 (V2.2.1) (04-2013): “Electronic Signatures and I
48、nfrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)“. i.13 ETSI TS 101 903 (V1.4.2) (12-2010): “Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)“. i.14 ETSI TS 102 778 (parts 1 to 6): “Electronic Signatures and Infrastructures (ESI); PDF Advanc
49、ed Electronic Signature Profiles“. i.15 IETF RFC 5280 (2008): “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile“. i.16 ISO/IEC 14888-3:2006/Amd.1 (2010): “Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm“ and ISO/IEC 14888-3:2006/Amd.2 (2012): “Optimizing hash inputs“. i.17 W3C Recom