ISO/IEC 11770-2:1996

INTERNATIONAL lSO/IEC
STANDARD 11770-2
First edition
1996-04-15
Information technology - Security
techniques -
Key management -
Part 2:
Mechanisms using symmetric techniques
Technologies de Yin forma tion - Techniques de s&urit@ - Gestion
de cl& -
Partie 2: Mkanismes utilisan t des techniques sym&-iques
Reference number
ISO/IEC 117702 1996(E)
ISO/IEC 11770-2: 1996(E)
Foreword
for Standardization) and IEC (the
ISO (the International Organization
International Electrotechnical Commission) form the specialized System for
worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical
committees established by the respective organization to deal with particular
Felds of technical activity. ISO and IEC technical committees collaborate in
fields of mutual interest. Other international organizations, govemmental and
non-govemmental, in liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1. Drafi International Standards adopted by
the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75% of the
national bodies casting a vote.
International Standard ISO/IEC 11770-2 was prepared by Joint Technical
Committee ISO/IEC JTC 1, Information technology, Sub-committee SC 27, IT
Security techniques.
ISO/IEC 11770 consists of the following Parts, under the general title
Information technology - Security techniques - Key management:
- Part 1: Key management framework
- Part 2: Mechanisms using symmetric techniques
- Part 3: Mechanisms using asymmetric techniques
Further Parts may follow.
Annexes A, B and C of this part of ISO/IEC 11770 are for information only.
0 ISO/IEC 1996
All rights reserved. Unless otherwise specified, no gart of this publication may
be reproduced or utilized in any form or by any means, electronie or mechanical,
including photocopying and microfilm, without Permission in writing from the
publisher.
ISO/IEC Copyright Office l Case Postale 56 l CH-121 1 Geneve 20 l
Switzerland
Printed in Switzerland
ii
INTERNATIONAL STANDARD @ ISO/IEC
ISO/IEC 11770-2: 1996(E;
Information technology
- Security techniques -
QY
management -
Part 2:
Mechanisms using symmetric techniaues
1 Scope 2 Normative References
The purpose of key management is to provide procedures The following Standards contain provisions which, through
for handling cryptographic keying material to be used in reference in this text, constitute provisions of this part of
syrnmetric or asymmetric cryptographic algorithms ISO/IEC 11770. At the time of publication, the editions
according to the security policy in forte. This part of indicated were valid. All Standards are subject to revision,
ISO/IEC 11770 defines key establishment mechanisms and Parties to agreements based on this part of ISO/IEC
using symmetric cryptographic techniques. 11770 are encouraged to investigate the possibility of
applying the most recent editions of the Standards indicated
establishment mechanisms using symmetric
KeY
below. Members of IEC and ISO maintain registers of
cryptographic techniques tan be derived from entity
currently valid International Standards.
authentication mechanisms of ISO/IEC 9798-2 and
ISO/IEC 9798-4 by specifying the use of text fields ISO 7498-2: 1989, Information processing Systems - Open
available in those mechanisms. Other key establishment Systems Interconnection - Basic Reference Model - Part 2:
mechanisms exist for specific environments; see for Security Architecture.
example ISO 8732. Besides key establishment, goals of
ISO/IEC 9798-2: 1994, Information technology - Security
such a mechanism may include unilateral or mutual
techniques - Entity authentication - Part 2: Mechanisms
authentication of the communicating entities. Further goals
using symmetric encipherment algorithms.
may be the verification of the integrity of the established
key, or key confirmation.
ISO/IEC 9798-4: 1995, Information technology - Security
techniques - Entity authentication - Part 4: Mechanisms
This part of ISOIIEC 11770 addresses three environments
using a cryptographic check function.
for the establishment of keys: Point-to-Point, Key
Distribution Centre (KDC) and Key Translation Centre
ISO/IEC 11770-1: - ‘, Information technology - Security
(KTC). This part of ISO/IEC 11770 describes the required
techniques - Key management - Part I: Key management
content of messages which carry keying material or are
framework.
necessary to set up the conditions under which the keying
material tan be established. The document does not
indicate other information which may be contained in the
messages or specify other messages such as error 3 Definitions and Notation
messages. The explicit format of messages is not within the
3.1 Definitions
scope of this part of ISO/IEC 11770.
For the purposes of this part of ISO/IEC 11770 the
This part of ISO/IEC 11770 does not explicitly address the
definitions given in ISO/IEC 11770-1 apply. In addition,
issue of interdomain key management. This part of
this part of ISO/IEC 11770 makes use of the following
ISO/IEC 11770 also does not define the implementation of
terms:
key management mechanisms; there may be different
3.1.1 distinguishing identifier: Information which
products that comply with this part of ISO/IEC 11770 and
unambiguously distinguishes an entity.
yet are not compatible.
1 To be published.
ISO/IEC 11770-2: 1996(E) 0 ISO/IEC
3.1.2 entity authentication: The corroboration that an TVPx is a time variant Parameter issued by entity X.
entity is the one claimed.
is the result of the encipherment of data
Z with a
WZ)
3.1.3 key confirmation: The assurance for one entity symmetric algorithm using the key K.
that another identified entity is in possession of
is the result of the decipherment of data
Z with a
the correct key.
symmetric algorithm using the key K.
3.1.4 key control: The ability to choose the key, or
is the result of a cryptographic check function
the Parameters used in the key computation.
computed on data Z using the key K. vK(Z) is
3.1.5 key generating function: A function which also called message authentication code
(MAC)
takes as input a number of Parameters, at least and may be denoted as macK(Z).
one of which shall be secret, and which gives as
f denotes a key generating function.
output keys appropriate for the intended
is the result of the concatenation of data items X
x II y
algorithm and application. The function shall
and Y in that Order.
have the property that it shall be computationally
infeasible to deduce the output without Prior
knowledge of the secret input.
The Felds Ted, Text2, . . .
specified in the mechanisms
may contain optional data for use in applications outside
3.1.6 Point-to-Point key establishment: The direct
the scope of this part of ISOIIEC 11770 (they may be
establishment of keys between entities, without
empty). Their relationship and contents depend upon the
involving a third Party.
specific application. One such possible application is
3.1.7 random number: A time variant Parameter
message authentication (see annex B for an example).
whose value is unpredictable.
Likewise, optional plaintext text fields may be prepended
3.1.8 redundancy: Any information that is known
or appended to any of the messages. They have no security
and tan be checked.
implications and are not explicitly included in the
3.1.9 sequence number: A time variant Parameter
mechanisms specified in this part of ISO/IEC 11770.
whose value is taken from a specified sequence
which is non-repeating within a certain time
Data items that are optional in the mechanisms are shown
period.
in italics.
3.1.10 time variant Parameter: A data item used to
verify that a message is not a replay, such as a
random number, a sequence number, or a time
4 Requirements
stamp.
The key establishment mechanisms specified in this part of
ISO/IEC 11770 make use of symmetric cryptographic
techniques,
more specifically symmetric encipherment
3.2 Notation
algorithms and/or key generating mnctions. The
Throughout this part of ISO/IEC 11770 the following
cryptographic algorithms and the key life-time shall be
notation is used:
Chosen such that it is computationally infeasible for a key
X is the distinguishing identifier of entity X.
to be deduced during its life-time. If the following
additional requirements are not met, the key establishment
KDC denotes a Key Distribution Centre.
process may be compromised or it cannot be implemented.
KTC denotes a Key Translation Centre.
For those mechanisms making use of a symmetric
T is the distinguishing identifier of the Key
encipherment algorithm, either assumption a) or
Distribution Centre or the Key Translation
assumption b) is required.
Centre.
The encipherment algorithm, its mode of Operation
a>
F denotes keying material.
and the redundancy in the plaintext shall provide the
is a secret key associated with the entities X and
KXY
recipient with the means to detect forged or
Y.
manipulated data.
R is a random number.
The integrity of the enciphered data shall be ensured
b)
is a random number issued by entity X.
Rx
by a data integrity mechanism. If a hash-function is
T/N is a tirne stamp or a sequence number.
used for this purpose the hash-code shall either be
is a time stamp or a sequence number issued by
TxfNx
appended to the data before encipherment or be
entity X.
placed in a plaintext text field.
TVP is a time variant Parameter.

0 ISO/IEC
ISO/IEC 11770-2: 1996(h
NOTES
5.1 Key Establishment Mechanism 1
1 - Modes of Operation for block tipher algorithms are
In key establishment mechanism 1 the key K is derived
standardized in ISO/IEC 10116.
from a time variant Parameter TVP, e.g., a random number
2 - A data integrity mechanism is standardized in
R, a time stamp T, or a sequence number N, using a key
ISO/IEC 9797. Hash-functions are standardized in
generating function. Key establishment mechanism 1
ISO/IEC 10118.
provides no authentication of the key K established by the
mechanism. The mechanism requires that A is able to
3 - When a KDC or KTC is involved, assumptions a) and
generate a TVP.
b) are not always equivalent in terms of the ability to
detect unambiguously on which link an active attack is
being performed. See Annex B for examples.
”
.:
. . . .
(1) -l-VP
<: .’
‘.
‘<. ‘:
i .< ::
:. :
In each exchange specified in the mechanisms of clauses 5,
1.
A :. B .<.
” ‘:.
I-i d!YIYl
6 and 7, the recipient of a message shall know the claimed
identity of the originator. If this is not the case from the
Figure 1 - Mechanism 1
context in which the mechanism is being used then this
could, e.g., be achieved by the inclusion of identifiers in
additional plaintext text Felds of certain of the messages.
Steps:
Keying material may be established using either secure or
A generates a random number R, a time stamp T, or
(1)
insecure comrnunication channels. When using only
a sequence number N and transfers it to B.
symmetric cryptographic techniques, at least the first key
(la) Both A and B then derive the key K by using a key
shall be exchanged between two entities using a secure
channel in Order to allow secure communications.
generating function f with inputs the shared secret
key KAB and the time variant Parameter TVP:
The key establishment mechanisms in this part of ISO/IEC
11770 require the use of time variant Parameters such as K = f(KAB, TVP).
time stamps, sequence numbers, or random numbers. In
See Annex B for examples of possible key
this context the use of the term random number also
generating functions.
The
includes unpredictable pseudo-random numbers.
properties of these Parameters, in particular that they are
non-repeating, are important for the security of these
NOTE - To also provide authentication, key establishment
mechanisms. For additional information on time variant
mechanism 1 may be combined with an authentication
Parameters see Annex B of ISO/IEC 9798-2.
mechanism as specified in 9798-2 or 9798-4. See annex B
for an example.
5 Point-to-Point Key Establishment
5.2 Key Establishment Mechanism 2
The basic mechanism of every key establishment scheme is
Point-to-Point key establishment which requires that the
In key establishment mechanism 2 the key K is supplied by
entities already share a key so that further keys may be
entity A. The mechanism provides no authentication of the
established directly between the entities.
key K established by the mechanism nor does it provide
entity authentication.
mech anisms specified in this
For the implementation of the
clause it is assumed that
A key KAB is shared by the entities A and B.
At least one of A or B is able to generate, acquire or
(1) eKAB( F 11 Text? )
contribute to a secret key K as described in the
individual mechanism.
concerned with the
Security requirements are
confidentiality of K, and modiflcation and replay
Figure 2 - Mechanism 2
detection.
0 ISO/IEC
ISO/IEC 11770-2: 1996(E)
provides unilateral authentication, i.e.,
entity A is
Steps:
authenticated by the mechanism. Uniqueness/timeliness is
(1) A sends B the keying material F (key K and
controlled by a random number RB. The mechanism
optional data) enciphered with KAB.
requires that B is able to generate random numbers.
(la) On receipt of the message, B deciphers the
enciphered part and thus obtains the key K.
(1) RB
(2) eKm(b 11 B 11 F 11 Texf?) .B
5.3 Key Establishment Mechanism 3
A
~~
.1_1
Key establishment mechanism 3 is derived from the one
pass entity authentication mechanism of ISO/IEC 9798-2,
Figure 4 - Mechanism 4
clause 5.1.1. In this mechanism the key K is supplied by
entity A. Key establishment mechanism 3 provides
unilateral authentication, i.e., entity A is authenticated by
Steps:
the mechanism. Uniqueness/timeliness is controlled by
B sends A a random number RB.
(1)
time stamps or sequence numbers. The mechanism requires
sends B the received number RB, the
that both A and B are able to maintain mechanisms for (2) A
distinguishing identifier B, and the keying material
generating or verifying the validity of time stamps T or
sequence numbers N.
F (key K and optional data). The inclusion of the
distinguishing identifier B is optional. The data
fields are enciphered with KAR.
(1) eKAB(TN 11
...