GB/T 15843.6-2018 English PDF (GBT15843.6-2018)
GB/T 15843.6-2018: Information technology -- Security techniques -- Entity authentication -- Part 6: Mechanisms using manual data transfer
ICS 35.040
National Standard of the People's Republic of China
Information technology - Security techniques - Entity authentication
Part 6. Mechanisms using manual data transfer
(ISO/IEC 9798-6:2010, IDT)
Issued by the State Administration for Market Regulation and the Standardization Administration of China
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 General requirements
6 Mechanisms using short check-values
6.1 Overview
6.2 Mechanism 1. One device has a simple input interface and the other has a simple output interface
6.3 Mechanism 2. Both devices have a simple input interface
7 Mechanisms using short digest values or short keys
7.1 Overview
7.2 Mechanism 3. One device has a simple input interface and the other has a simple output interface
7.3 Mechanism 4. One device has a simple input interface and the other has a simple output interface
7.4 Mechanism 5. Both devices have a simple input interface
7.5 Mechanism 6. Both devices have a simple input interface
8 Mechanisms using a message authentication code (MAC)
8.1 Overview
8.2 Mechanism 7. Both devices have a simple output interface
8.3 Mechanism 8. One device has a simple input interface and the other has a simple output interface
Appendix A (normative) ASN.1 definition
Appendix B (informative) Using a manual authentication protocol to perform key exchange
Appendix C (informative) Using a manual authentication protocol to perform public key exchange
Appendix D (informative) Mechanism security and parameter length selection
Appendix E (informative) A method for generating short check-values
Appendix F (informative) Comparative analysis of the security and efficiency of mechanisms 1-8
Appendix G (informative) Method for generating short digest values
GB/T 15843 "Information technology - Security techniques - Entity authentication" is divided into the following parts:
--- Part 1. General;
--- Part 2. Mechanisms using symmetric encryption algorithms;
--- Part 3. Mechanisms using digital signature techniques;
--- Part 4. Mechanisms using a cryptographic check function;
--- Part 5. Mechanisms using zero-knowledge techniques;
--- Part 6. Mechanisms using manual data transfer.
This part is the sixth part of GB/T 15843.
This part is drafted in accordance with the rules given in GB/T 1.1-2009.
By translation, this part is identical to ISO/IEC 9798-6:2010 "Information technology - Security techniques - Entity authentication - Part 6. Mechanisms using manual data transfer".
Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This part was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this part: Chinese Academy of Sciences Data and Communication Protection Research and Education Center, Beijing Digital Certification Co., Ltd., Fei Tiancheng Letter Technology Co., Ltd.
Main drafters of this part: Xia Luning, Zhang Guozhu, Zhang Qionglu, Lin Xueyan, Zhu Pengfei.
Introduction
In everyday communication, two devices often need to perform entity authentication over a non-secure channel, but non-secure channels are susceptible to attack. So-called active attacks include a malicious third party inserting, tampering with, deleting, or replaying data on the non-secure channel. The authentication mechanisms specified in the other parts of GB/T 15843 apply when the two devices share the same secret key, or when each holds the other's asymmetric public key.
The entity authentication mechanisms described in this part of GB/T 15843 do not need to assume that the two parties have established a shared key relationship in advance. Instead they use manual means: entity authentication is achieved by manually transferring a short data string from one device to the other, or by manually comparing whether the short data strings output by the two devices are the same.
In this part, the term "entity authentication" has a different meaning from that in the other parts. The two devices involved in the authentication are held by the same user, or by two different users who have a trusted communication path between them, and the user verifies whether the two devices have successfully shared a data string after executing a mechanism of this part. The data string may of course contain identifiers of both devices or of one of them.
As described in informative Appendix B and Appendix C, the manual authentication mechanisms can serve as the basis for sharing a secret key or for reliably exchanging public keys. In addition, they can be used to exchange other secret or public security parameters, including security policy statements, timestamps and so on.
In this part, content relating to cryptographic algorithms is implemented in accordance with relevant national laws and regulations; where cryptography is used to meet confidentiality, integrity, authenticity, and non-repudiation requirements, it is implemented in accordance with cryptography-related national standards and industry standards.
Information technology - Security techniques - Entity authentication
Part 6. Mechanisms using manual data transfer
1 Scope
This part of GB/T 15843 specifies eight mechanisms for entity authentication based on manual data transfer between devices. This part states how these mechanisms are used to support key management functions and how to select the parameters of each mechanism securely. ASN.1 definitions are given for these eight mechanisms, and their security levels and efficiency are analyzed and compared.
These mechanisms can be applied in many types of application scenario. A typical application is in a personal network where, as part of the process of admitting devices to the network, the user performs entity authentication between two devices with wireless communication capability that the user controls.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 15843.1-2017 Information technology - Security techniques - Entity authentication - Part 1. General (ISO/IEC 9798-1:2010, IDT)
3 Terms and definitions
The terms and definitions defined in GB/T 15843.1-2017 and the following apply to this document.
3.1
Check-value
A bit string, generated by a check-value function, that is transmitted from the originator of the communication to the receiver, and whose correctness the receiver is able to check.
3.2
Check-value function
The function f maps a bit string and a short key to a check-value of fixed length b; the short key can readily be entered into or read from a device. The check-value function satisfies the following properties:
--- for any key k and any bit string d, the function f(d, k) can be computed efficiently;
--- it is computationally infeasible to find two different bit strings d and d' for which the keys k satisfying f(d, k) = f(d', k) make up more than a small fraction of the key space of k.
Note. In practice, a typical short key contains 4 to 6 digits or letters.
3.3
Data origin authentication
Confirmation of the authenticity of the source of received data.
3.4
Digest value
A bit string, generated by a digest function, that is transmitted from the originator of the communication to the receiver, and whose correctness the receiver is able to check.
3.5
Digest function
The function d maps a bit string and a long key to a digest value of fixed length b bits; digest values can readily be entered into or read from a user device. The digest function satisfies the following properties:
--- for any key k and any bit string m, d(m, k) can be computed efficiently;
--- it is computationally infeasible to find two different bit strings m and m' for which the fraction of all possible keys k satisfying d(m, k) = d(m', k) is greater than (2^-b + ε), where b is the fixed length of the digest value and ε is negligible relative to 2^-b.
Note 1. In practice, if the length of the key k is that of a typical cryptographic hash, for example 160 bits, the second property above should be satisfied. This requirement derives from the theoretical lower bound on the key length for the hash function. See Appendix F for more details.
Note 2. Further discussion of the key and digest lengths is given in Appendix D, Appendix F and Appendix G.
3.6
Hash function
A function that maps a bit string of arbitrary length to a bit string of fixed length and satisfies the following properties:
--- given an output bit string, it is computationally infeasible to find an input bit string that produces it;
--- given an input bit string, it is computationally infeasible to find a different input bit string that produces the same output bit string.
[ISO/IEC 10118-1]
3.7
Manual authentication certificate
A combination of a key and a check-value, generated by one of the two devices participating in the authentication, with the following property: when entered into the other device, the certificate can be used to complete the manual authentication process at a later time.
3.8
Message authentication code (MAC)
The output bit string generated by a message authentication algorithm.
[ISO/IEC 9797-1]
3.9
Message authentication code (MAC) algorithm
An algorithm that computes a fixed-length bit string from a bit string and a key and satisfies the following properties:
--- for any key and any input bit string, the output can be computed efficiently;
--- for any specific key, and without prior knowledge of that key, it is computationally infeasible to compute the message authentication code of any new input bit string, even if all previous input bit strings and their corresponding message authentication codes are known. This holds even if the i-th input bit string is deliberately chosen after observing the first i-1 bit strings and their corresponding message authentication codes: its message authentication code will not be equal to, or correlated with, that of any previous input bit string.
[ISO/IEC 9797-1]
3.10
Manual entity authentication
The process of achieving entity authentication between two devices by exchanging messages over a (potentially non-secure) communication channel while also manually transferring a limited amount of data.
3.11
Simple input interface
A device interface that allows the user to inform the device of the successful or unsuccessful completion of a step, for example two buttons, or one button that the user chooses to press or not to press within a given time interval to inform the device of success or failure.
3.12
Simple output interface
A device interface that allows the device to inform the user of the successful or unsuccessful completion of a step. For example, it can be implemented as red and green indicator lights, or as a single indicator light that signals success or failure through different blinking patterns.
4 Symbols and abbreviations
The following symbols and abbreviations apply to this document.
A, B  Labels of the entities involved in the authentication mechanism
d  Digest function used in mechanisms 3 and 5; d(D, k) denotes the digest value computed for bit string D using key k
D  Bit string shared between devices A and B, produced by executing a manual entity authentication mechanism
h  Hash function, used in mechanisms 3 to 6
IU  Distinguishing identifier of entity U
K  (Short) key used by the check-value function in mechanisms 1 and 2
k  (Long) key used in mechanisms 3 to 6
KA, KAi, KB, KBi  Random MAC keys used in mechanisms 7 and 8
MAC  Message authentication code
RU  (Short) random bit string used in mechanisms 4, 6, 7 and 8
‖  In GB/T 15843.1-2017, X‖Y is defined as the result of concatenating data items X and Y in the given order. When the result of concatenating two or more data items is used as input to one of the mechanisms described in this part, it should be possible to parse that result back into the data items that make it up, that is, it can be interpreted unambiguously. This property can be achieved in several ways, depending on the specific application. For example: a) each concatenated data item is required to have a fixed length, and that length is maintained throughout execution of the mechanism; or b) the sequence of concatenated data items is encoded using a method that guarantees uniqueness, for example the Distinguished Encoding Rules (DER) defined in ISO/IEC 8825-1.
Note. Appendix D and Appendix F give guidelines on how to choose appropriate short key and MAC key lengths.
5 General requirements
This clause specifies the general requirements that authentication mechanisms 1 to 8 should meet. In addition to these general requirements, each authentication mechanism should also meet the specific requirements specified in Clauses 6, 7 and 8.
a) There should be a channel between the two devices performing manual authentication (e.g. a wireless link or an Internet link). This link does not have to be secure; that is, the mechanisms in this part are designed to execute securely even when an attacker is able to monitor or even tamper with the data being transmitted;
b) The two devices performing manual authentication shall have both a user data input interface and an output interface;
c) The user data input interface of the device shall at least be able to indicate the successful or unsuccessful completion of an authentication step (e.g. two buttons, or one button that the user chooses to press or not to press during a given time interval to inform the device of success or failure). Such a user data input interface is hereinafter referred to as a simple input interface. In contrast, a standard input interface should support the input of short symbol strings, for example a keyboard that supports digits, hexadecimal digits, or letters. Unless otherwise stated, each device should have a standard data input interface;
d) The user data output interface of the device shall at least be able to indicate the success or failure of an authentication step (e.g. in the form of red and green lights). Such a user data output interface is hereinafter referred to as a simple output interface. In contrast, a standard output interface should support the output of short symbol strings, for example a numeric, hexadecimal or alphanumeric display. Unless otherwise stated explicitly, each device should have a standard data output interface;
e) For mechanisms 1 and 2, the two devices performing entity authentication shall agree on the specific check-value function used and be able to implement it;
Note 1. Appendix D gives a selection guide for the check-value function, check-value and random key lengths for mechanisms 1 and 2. Appendix E gives a method for constructing an unconditionally secure check-value function for mechanisms 1 and 2.
f) For mechanisms 3 to 6, the two devices performing entity authentication shall agree on the specific hash function h used and be able to implement it;
Note 2. Appendix D gives a selection guide for the input and output bit lengths of the hash function for mechanisms 3 to 6.
g) For mechanisms 3 and 5, the two devices performing entity authentication shall agree on the specific digest function d used and be able to implement it;
Note 3. Appendix D gives a selection guide for the digest length for mechanisms 3 and 5, and Appendix G gives a method for constructing the digest function used in mechanisms 3 and 5 from an authentication algorithm and a hash function.
h) For mechanisms 7 and 8, the two devices performing entity authentication shall agree on the specific message authentication algorithm used and be able to implement it;
Note 4. Appendix D gives a selection guide for the message authentication algorithm, message authentication code and random key lengths for mechanisms 7 and 8.
i) Before performing mechanisms 1 to 8, the two devices shall exchange a data string D (combined with hash values in mechanisms 3 to 6). D may be generated by one device and sent to the other, or each device may generate a data string and send it to the other party over the bidirectional channel, in which case D is the concatenation of the data strings generated by both parties;
j) The two devices performing the authentication can be controlled by the same user or by two different users; in the latter case there should be a trusted communication path between the users;
k) Users of the devices should take part throughout the authentication process to ensure that these mechanisms are executed correctly. During execution there should be no significant delay in the manual transfer of data between devices, and the devices should automatically trigger a timeout as specified, to rule out particular attacks.
6 Mechanisms using short check-values
6.1 Overview
This clause specifies two manual authentication mechanisms that use check-values, for different types of device. Specifically:
--- the first mechanism (mechanism 1) applies when one device has a simple input interface and the other device has a simple output interface;
--- the second mechanism (mechanism 2) applies when both devices have simple input interfaces.
Standard input or output interfaces can be used to emulate simple input or output interfaces. So if both devices have standard input and output interfaces, both mechanisms are applicable.
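The following Python sketch is an added example, not code from the standard. It ties together two requirements stated earlier: the unambiguous parsing required of X‖Y in Clause 4, and the second property of a check-value function in Clause 3. Assumptions: the length-prefixed encoding stands in for DER, the polynomial-evaluation function and modulus P are chosen for illustration (this is not the Appendix E construction), and all names and sample strings are constructed.

```python
import struct

P = 10007  # prime modulus (assumption): keys 1..P-1 and check-values are about 4 decimal digits


def encode_items(*items: bytes) -> bytes:
    """X‖Y with a 2-byte big-endian length before each item, so it parses one way only."""
    return b"".join(struct.pack(">H", len(x)) + x for x in items)


def decode_items(blob: bytes) -> list:
    """Inverse of encode_items; rejects truncated input instead of guessing."""
    items, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + n > len(blob):
            raise ValueError("truncated item")
        items.append(blob[pos:pos + n])
        pos += n
    return items


def check_value(d: bytes, k: int) -> int:
    """Illustrative f(d, k) = sum((d_i + 1) * k^i) mod P for i = 1..len(d), by Horner's rule."""
    if not 1 <= k < P:
        raise ValueError("key out of range")
    acc = 0
    for byte in reversed(d):
        acc = (acc + byte + 1) * k % P
    return acc


def weak_check_value(d: bytes, k: int) -> int:
    """Counter-example: the key is only added to a byte sum, so it never separates d from d'."""
    return (sum(d) + k) % P


def colliding_keys(f, d1: bytes, d2: bytes) -> int:
    """Number of keys k in 1..P-1 for which f(d1, k) == f(d2, k)."""
    return sum(1 for k in range(1, P) if f(d1, k) == f(d2, k))


# Constructed sample data strings (not taken from the standard).
D_A, D_B = b"device-A-pubkey", b"device-B-pubkey"
D = encode_items(D_A, D_B)
D_SWAPPED = encode_items(D_A, b"device-B-pubkye")  # last two bytes exchanged

if __name__ == "__main__":
    print("naive join ambiguous:", b"AB" + b"C" == b"A" + b"BC")
    print("encoded join parses back:", decode_items(D) == [D_A, D_B])
    print("colliding keys, polynomial f:", colliding_keys(check_value, D, D_SWAPPED))
    print("colliding keys, weak f:", colliding_keys(weak_check_value, D, D_SWAPPED))
```

For the constructed pair, the only colliding key of the polynomial function is k = 1, where it degenerates to a plain sum of coefficients; the weak function collides for every key, which is exactly what the second property of the definition rules out.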
In both mechanisms, a data string D is first passed from one device to the other over the channel shared by the two devices (or D is the concatenation of data strings generated by each of the two devices), after which the manual entity authentication mechanism is initiated. As the result of the authentication mechanism, both devices confirm that the data string D each holds is the same as that held by the other party.
6.2 Mechanism 1. One device has a simple input interface and the other has a simple output interface
6.2.1 Specific requirements
This mechanism should meet the following specific requirements.