GB/T 15843.3-2023_English: PDF (GB/T15843.3-2023)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
GB/T 15843.3-2023 | English | 514 |
Add to Cart
|
5 days [Need to translate]
|
Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
| Valid |
GB/T 15843.3-2023
|
GB/T 15843.3-2016 | English | 210 |
Add to Cart
|
0--9 seconds. Auto-delivery
|
Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
| Obsolete |
GB/T 15843.3-2016
|
GB/T 15843.3-2008 | English | 439 |
Add to Cart
|
3 days [Need to translate]
|
Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
| Obsolete |
GB/T 15843.3-2008
|
GB/T 15843.3-1998 | English | 439 |
Add to Cart
|
3 days [Need to translate]
|
Information technology--Security techniques--Entity authentication--Part 3: Mechanisms using asymmetric signature techniques
| Obsolete |
GB/T 15843.3-1998
|
Standard ID | GB/T 15843.3-2023 (GB/T15843.3-2023) | Description (Translated English) | Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques | Sector / Industry | National Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.030 | Word Count Estimation | 26,231 | Date of Issue | 2023-03-17 | Date of Implementation | 2023-10-01 | Older Standard (superseded by this standard) | GB/T 15843.3-2016 | Drafting Organization | Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., Zhongguancun Wireless Network Security Industry Alliance, National Information Technology Security Research Center, China Mobile Communications Group Co., Ltd., Zhongneng Fusion Smart Technology Co., Ltd., China Southern Power Grid Co., Ltd., Beijing Digital Certification Co., Ltd., Software Research Institute of Chinese Academy of Sciences, First Research Institute of Ministry of Public Security, Commercial Password Testing Center of State Cryptography Administration, National Radio Monitoring Center Testing Center, Guangxi University, China Radio and Television Network Group Co., Ltd., Guangxi Chengxin Huichuang Technology Co., Ltd., Geer Software Co., Ltd., Guangxi Flux Energy Technology Co., Ltd., China General Technology Research Institute, Beijing Computer Technology and Application Research Institute | Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC260) | Proposing organization | National Information Security Standardization Technical Committee (SAC/TC260) | Issuing agency(ies) | State Administration for Market Regulation, National Standardization Management Committee | Standard ID | GB/T 15843.3-2016 (GB/T15843.3-2016) | Description (Translated English) | Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques | Sector / Industry | National Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.040 | Word Count Estimation | 18,155 | Date of Issue | 25/4/2016 | Date of Implementation | 2016-11-01 | Older Standard (superseded by this standard) | GB/T 15843.3-2008 | Drafting Organization | Xi An Xietong Jietong Wireless Network Communications Co., Ltd., State Password Bureau of Commerce Password Censoring Center, State Key Laboratory of Information Security, China Electronics Standardization Institute, National Radio Monitoring Center Testing Center, Xi An University of Electronic Science and Technology, Xi An University of Posts and Telecommunications, China Information Security Certification Center, the National Information Security Engineering Technology Research Center, the National Computer Network Emergency Technology Processing Coordination Center, the National Information Technology Security Research Center, the National Information Technology Research Center, the National Information Network Technology Co., Ltd., Ministry of Public Security of the first research institute, the Ministry of Industry and Information Technology Communication Measurement Center, the Ministry of Public Security Information Security Level Protection and Evaluation Center, National University of Defense Technology, Beijing Municipal Government Network Management Center, Chongqing University of Posts and Telecommunications, Yulong Computer Communications Technology (Shenzhen) | Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC 260) | Regulation (derived from) | National Standard Announcement No | Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260) | Issuing agency(ies) | General Administration of Quality Supervision, Inspection and Quarantine of the People Republic of China, Standardization Administration of the People Republic of China | Standard ID | GB/T 15843.3-2008 (GB/T15843.3-2008) | Description (Translated English) | Information technology. Security techniques. Entity authentication. Part 3: Mechanisms using digital signature techniques | Sector / Industry | National Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.040 | Word Count Estimation | 11,138 | Date of Issue | 2008-06-19 | Date of Implementation | 2008-11-01 | Older Standard (superseded by this standard) | GB/T 15843.3-1998 | Quoted Standard | GB/T 15843.1-2008; GB 15851-1995 | Adopted Standard | ISOIEC 9798-3-1998, IDT | Drafting Organization | Data Protection Research Institute of Education and Communication Center (State Key Laboratory of Information Security) | Administrative Organization | Standardization Technical Committee of the National Information Security | Regulation (derived from) | Announcement of Newly Approved National Standards No. 10 of 2008 (total 123) | Proposing organization | National Safety Standardization Technical Committee | Issuing agency(ies) | Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China; Standardization Administration of China | Summary | This standard specifies the use of digital signature technology Entity authentication mechanisms. There are two types of authentication mechanisms are a single entity identification (one-way authentication), the remaining two entities mutual authentication mechanism. Mechanisms provided in this section uses such as timestamps, serial number, or other time-varying parameters of random numbers, to prevent previously valid authentication information has been received or is later repeatedly accepted. If a timestamp or sequence number, then the only way to identify a single pass, and mutual authentication is required two passes. If a random number using the excitation response method, two -way authentication to be transmitted, mutual authentication is required to pass three or four (depending on the mechanisms used). |
GB/T 15843.3-2023
ICS 35.030
CCSL80
National Standards of People's Republic of China
Replace GB/T 15843.3-2016
Information Technology Security Technology Entity Authentication
Part 3.Mechanisms using digital signature technology
Released on 2023-03-17
2023-10-01 implementation
State Administration for Market Regulation
Released by the National Standardization Management Committee
table of contents
Preface III
Introduction IV
1 Range 1
2 Normative references 1
3 Terms and Definitions 1
4 Symbols and abbreviations 2
4.1 Symbol 2
4.2 Abbreviations 3
5 General 3
5.1 Time-varying parameters 3
5.2 Token 3
5.3 Usage of Text field 3
6 Requirements 4
7 Mechanisms that do not introduce online trusted third parties4
7.1 One-way authentication 4
7.2 Two-way authentication 6
8 Mechanisms for Introducing Online Trusted Third Parties9
8.1 General 9
8.2 One-way authentication 9
8.3 Two-way authentication 11
Appendix A (Normative) Object Identifiers 17
A.1 Form definition 17
A.2 Use of Subsequent Object Identifiers 17
Appendix B (Informative) User Guide 18
B.1 Security properties 18
B.2 Comparison and selection of mechanisms19
Appendix C (informative) How to use the Text field 20
Reference 21
foreword
This document is in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1.Structure and Drafting Rules for Standardization Documents"
drafting.
This document is part 3 of GB/T 15843 "Information Technology Security Technical Entity Identification". GB/T 15843 has been issued
The following sections.
--- Part 1.General;
--- Part 2.Mechanisms using symmetric encryption algorithms;
--- Part 3.Mechanisms using digital signature technology;
--- Part 4.Mechanisms using cryptographic verification functions;
--- Part 5.Mechanisms for using zero-knowledge technology;
--- Part 6.Using manual data transfer mechanism.
This document replaces GB/T 15843.3-2016 "Information Technology Security Technical Entity Authentication - Part 3.Using digital signature technology
Compared with GB/T 15843.3-2016, except for structural adjustment and editorial changes, the main technical changes are as follows.
a) Added "Symbols and Abbreviations" (see Chapter 4);
b) Added "General Principles" (see Chapter 5);
c) Added "one-way authentication" (see 8.2);
d) Added "seven pass identification" (see 8.3.4);
e) Added "Guidelines for Use" (see Appendix B).
This document is equivalent to ISO /IEC 9798-3.2019 "IT Security Technology Entity Authentication Part 3.Mechanisms Using Digital Signature Technology".
The following minimal editorial changes have been made to this document.
---In order to coordinate with my country's technical standard system, the name of the standard is changed to "Information Technology Security Technical Entity Identification Part 3.
Mechanisms using digital signature technology";
---In order to conform to the technical expression habits of our country, TP (third party) is changed to TTP (trusted third party);
--- For the convenience of understanding, an informative note was added to 5.1, 8.1, and 8.2.1 respectively.
This document is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
This document is drafted by. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., Zhongguancun Wireless Network Security Industry Alliance, National
Information Technology Security Research Center, China Mobile Communications Group Co., Ltd., China Energy Fusion Smart Technology Co., Ltd., China Southern Power Grid Co., Ltd.
The responsible company, Beijing Digital Certification Co., Ltd., the Institute of Software of the Chinese Academy of Sciences, the First Research Institute of the Ministry of Public Security, and the State Encryption Administration
Password Testing Center, National Radio Monitoring Center Testing Center, Guangxi University, China Radio and Television Network Group Co., Ltd., Guangxi Chengxin
Huichuang Technology Co., Ltd., Geer Software Co., Ltd., Guangxi Flux Energy Technology Co., Ltd., China General Technology Research Institute, Beijing
Institute of Computer Technology and Applications.
The main drafters of this document. Cao Jun, Du Zhiqiang, Zhang Lulu, Wang Hong, Chen Yu, Li Qin, Huang Zhenhai, Wang Yuehui, Zhang Bianling, Tie Manxia, Zhang Yang,
Wang Li, Hou Pengliang, Hu Xiaoliang, Zheng Li, Sha Xuesong, Lai Xiaolong, Zhao Xiaorong, Yan Xiang, Zhang Guoqiang, Chen Baoren, Zhang Liwu, Zhang Yan, Jiang Caiping, Jian Jian,
Zhou Tao, Li Dong, Li Guoyou, Tao Hongbo, Yin Yuang, Luo Peng, Deng Kaiyong, Lu Quan, Li Shuang, Wei Lina, Zheng Qiang, Wei Changcai, Liu Kewei, Yu Guangming,
Wang Rui, Li Yujiao, Zhu Zhengmei, Zhao Hui, Jia Jia, Liu Hongyun, He Shuangyu, Li Nan, Jing Jingtao, Pan Qi, Chen Weigang, Bai Kunpeng, Zhang Zhijun, Sun Shuo,
Chen Xiaolong, Lu Liang, Guo Jinfa, Tian Yucun.
The release status of previous versions of this document and the documents it replaces are as follows.
--- First published as GB/T 15843.3-1998 in.1998, first revised in.2008, and second revised in.2016;
--- This is the third revision.
introduction
This document stipulates that the entity authentication mechanism using digital signature technology is divided into two types. one-way authentication and two-way authentication. Among them, one-way authentication is pressed
According to the number of message transmissions, it is divided into one-pass authentication, two-pass authentication and four-pass authentication; two-way authentication is based on the number of message transmissions,
Divided into two-pass authentication, three-pass authentication, five-pass authentication and seven-pass authentication.
GB/T 15843 aims to standardize entity authentication technology and consists of 6 parts.
--- Part 1.General. The purpose is to standardize the model, framework and general requirements of entity authentication technology.
--- Part 2.Mechanisms using symmetric encryption algorithms. The purpose is to standardize six entity authentication mechanisms based on symmetric encryption algorithms
and relevant requirements.
--- Part 3.Mechanisms using digital signature technology. The purpose is to standardize ten kinds of entity authentication mechanisms based on digital signature technology
and related requirements.
--- Part 4.Mechanisms using cryptographic verification functions. The purpose is to standardize four entity authentication mechanisms based on password verification functions
and related requirements.
--- Part 5.Mechanisms for using zero-knowledge techniques. The purpose is to standardize five entity authentication mechanisms based on zero-knowledge technology and related
related requirements.
--- Part 6.Using manual data transfer mechanism. The purpose is to standardize eight entity authentication mechanisms based on manual data transfer
and related requirements.
Since the distribution of certificates used for signing is beyond the scope of this document, distribution of certificates is optional in all mechanisms.
The issuer of this document draws attention to the fact that when declaring compliance with this document, CN201510654832.X, CN201510654832.X,
JP5425314B2, EP2472772, KR10-1405509, CN200910023774.5, CN200910023735.5, US8,763,100B2,
JP5468138B2, KR10-1471259, CN200910023734.0, US8,732,464B2, JP5468137B2, KR10-1471827,
1139547, RU2445741C2, CN200710018920.6, US8,356,179B2, EP2214429B1, JP5099568B2, KR10-
1117393, RU2458481C2, CN201510654785.9, US10,615,978B2, JP6687728, EP16853041.8, KR10-
The use of patents such as 2141289 and CN201510654784.4.
The issuing agency of this document takes no position on the veracity, validity and scope of the above patents.
The above-mentioned patent holder has undertaken to the issuing authority of this document that he is willing to cooperate with any applicant on reasonable and non-discriminatory terms and conditions
Next, negotiate the licensing of patents. Statements from the above patent holders are on file with the issuing authority of this document. Relevant information can be passed through
Obtained through the following contact information.
Name of patent holder. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd.
Address. A201, Qinfengge, Xi'an Software Park, No. 68, Keji 2nd Road, High-tech Zone, Xi'an
Contact. Wang Lizhen
Zip Code. 710075
Email. ipri@iwncomm.com
Tel. 029-87607836
Fax. 029-87607829
Please note that in addition to the above patents, some content of this document may still involve patents. The issuer of this document is not responsible for identifying patents
responsibility.
Information Technology Security Technology Entity Authentication
Part 3.Mechanisms using digital signature technology
1 Scope
This document specifies two types of entity authentication mechanisms using digital signature technology. The first category does not introduce online trusted third parties, including two
One-way authentication mechanism and three kinds of two-way authentication mechanism; the second type introduces online trusted third party, also includes two kinds of one-way authentication mechanism and three kinds of two-way authentication mechanism
authentication mechanism.
This document is applicable to guide the research of entity authentication mechanism using digital signature technology, as well as the development and application of related products and systems.
Appendix A defines the object identifiers for the entity authentication mechanisms specified in this document.
2 Normative references
The contents of the following documents constitute the essential provisions of this document through normative references in the text. Among them, dated references
For documents, only the version corresponding to the date is applicable to this document; for undated reference documents, the latest version (including all amendments) is applicable to
this document.
GB/T 15843.1-2017 Information Technology Security Technology Entity Identification Part 1.General Principles (ISO /IEC 9798-1.
2010, IDT)
ISO /IEC 9796 (all parts) Information technology security techniques digital signature scheme with message recovery (Information
Note. GB/T 15851.3-2018 Information Technology Security Technology Digital Signature Scheme with Message Recovery Part 3.Mechanism Based on Discrete Logarithm
(ISO /IEC 9796-3.2006, MOD)
ISO /IEC 14888 (all parts) Information technology security techniques Digital signature with appendices (Information
Note. GB/T 17902.2-2005 Information technology security technology digital signature with appendix Part 2.Identity-based mechanism (ISO /
IEC 14888-2.1999, IDT)
GB/T 17902.3-2005 Information Technology Security Technology Digital Signature with Appendix Part 3.Certificate-Based Mechanism (ISO /
IEC 14888-3.1998, IDT)
3 Terms and Definitions
The following terms and definitions apply to this document.
3.1
Atomic business atomictransaction
A business that cannot be further split into multiple smaller businesses.
3.2
claiming party claimant
The authenticated entity itself or some representative entity for the purpose of authentication.
Note. The claiming party has the parameters and private data needed to authenticate the exchange.
[Source. GB/T 15843.1-2017, 3.6]
......
GB/T 15843.3-2016
Information technology - Security techniques - Entity authentication - Part 3.Mechanisms using digital signature techniques
ICS 35.040
L80
National Standards of People's Republic of China
Replace GB/T 15843.3-2008
Information technology security technology entity authentication
Part 3.Mechanisms using digital signature technology
Released on.2016-04-25
2016-11-01 implementation
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Issued by China National Standardization Administration
Table of contents
Foreword Ⅰ
Introduction Ⅲ
1 Scope 1
2 Normative references 1
3 Terms, definitions and symbols 1
4 Requirements 1
5 Mechanism 2
5.1 Overview 2
5.2 One-way authentication 2
5.3 Mutual authentication 3
6 Mechanism for introducing online trusted third parties 6
6.1 Overview 6
6.2 Five passes to authenticate TePA-A (initiated by entity A) 6
6.3 Five passes to authenticate TePA-B (initiated by entity B) 8
Appendix A (informative appendix) Use of text fields 10
Appendix B (Normative Appendix) OID and ASN.1 Notation 11
B.1 Formal definition 11
B.2 Use of subsequent object identifiers 11
B.3 Coding example based on basic coding rules 11
Preface
GB/T 15843 "Information Technology Security Technical Entity Identification" is currently divided into five parts.
---Part 1.Overview;
---Part 2.The mechanism of using symmetric encryption algorithms;
---Part 3.The mechanism of using digital signature technology;
---Part 4.Using the mechanism of password verification function;
---Part 5.The mechanism of adopting zero-knowledge technology.
This part is Part 3 of GB/T 15843.
This section was drafted in accordance with the rules given in GB/T 1.1-2009.
This Part replaces GB/T 15843.3-2008 "Information Technology Security Technology Entity Authentication Part 3.Using Digital Signature Technology
The mechanism of technology. Compared with GB/T 15843.3-2008, the main technical changes in this part are as follows.
---Added an authentication mechanism for introducing online trusted third parties (see Chapter 6);
---Added OID and ASN.1 syntax (see Appendix B).
Among them, the relevant chapters and articles involved in the amendment of GB/T 15843.3-2008 are as follows.
Modified item number GB/T 15843.3-2008 chapter number modification description
1 Chapter 1 replaces the third paragraph of Chapter 1
2 Chapter 3 adds three term descriptions at the end of Chapter 3
3 Add chapter 6 after chapter 5
4 Appendix A replaces the first paragraph of Appendix A
5 Add Appendix B after Appendix A
The translation method used in this part is equivalent to the ISO /IEC 9798-3.1998 "Information Technology Security Technical Entity Authentication Part 3.
The Mechanism of Using Digital Signature Technology and Amd.1.2010 "Information Technology Security Technology Entity Authentication Part 3.Using Digital
The mechanism of signature technology No. 1 amendment. the introduction of an online trusted third-party authentication mechanism", only editorial changes.
This part is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
The main drafting units of this section. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., and the State Cryptography Administration
Center, State Key Laboratory of Information Security, China Electronics Standardization Institute, National Radio Monitoring Center Testing Center, Xi’an Electronics
University of Technology, Xi'an University of Posts and Telecommunications, Guangzhou Jiesai Technology Co., Ltd., Shenzhen Minghua Aohan Technology Co., Ltd., China Information Security
Certification Center, National Information Security Engineering Technology Research Center, National Computer Network Emergency Technology Processing Coordination Center, National Information Technology Security
Full Research Center, the First Research Institute of the Ministry of Public Security, the Communication Metrology Center of the Ministry of Industry and Information Technology, the Information Security Level Protection Evaluation Center of the Ministry of Public Security,
University of Defense Technology, Beijing Municipal Affairs Network Management Center, Chongqing University of Posts and Telecommunications, Yulong Computer Communication Technology (Shenzhen) Co., Ltd., People of China
University, Chinese People’s Liberation Army Information Security Evaluation and Certification Center, China Telecom Corporation, National Information Center, Peking University Shenzhen Postgraduate
Institute, China Electric Power Research Institute, Beijing Zhongdian Huada Electronic Design Co., Ltd., Southeast University, China Mobile Communications Group Design Institute have
Co., Ltd., Chinese People’s Liberation Army Information Engineering University, Jiangnan Institute of Computing Technology, Beijing University of Posts and Telecommunications, Shanghai Longzhao Electronics Co., Ltd.,
Beijing Wulong Telecommunications Technology Company, Beijing Wangbei Hechuang Technology Co., Ltd., Shenzhen Hongdian Technology Co., Ltd., Peking University Founder Group
Company, Haier Group, Beijing Guangxin Finance Technology Co., Ltd., Beijing Liuhe Wantong Microelectronics Technology Co., Ltd., Honghao Ming Chuan Technology (North
Beijing) Co., Ltd., Beijing City Hotspot Information Co., Ltd., Beijing Huaan Guangtong Technology Development Co., Ltd., Maipu Communication Technology Co., Ltd.,
Changchun Jida Zhengyuan Information Technology Co., Ltd., Tsinghua University, Beijing Tianyi Integrated Technology Co., Ltd., Guilin University of Electronic Technology, Xi'an
Realan Technology Co., Ltd., Broadband Wireless IP Standard Working Group, WAPI Industry Alliance.
The main drafters of this section. Huang Zhenhai, Lai Xiaolong, Li Dawei, Feng Dengguo, Song Qizhu, Tie Manxia, Cao Jun, Li Jiandong, Lin Ning, Shu Min,
Zhu Zhixiang, Chen Xiaohua, Guo Xiaolei, Li Jingchun, Yu Yali, Wang Yumin, Zhang Bianling, Xiao Yuelei, Gao Bo, Gao Kunlun, Pan Feng, Hu Yanan, Jiang Qingsheng,
Xiao Li, Zhu Jianping, Jia Yan, Shi Weinian, Li Qin, Li Guangsen, Wu Yafei, Liang Zhaohui, Liang Qiongwen, Luo Xuguang, Long Zhaohua, Shen Lingyun, Zhang Wei,
Xu Pingping, Ma Huaxing, Gao Feng, Qiu Hongbing, Zhu Yuesheng, Wang Yahui, Lan Tian, Wang Zhijian, Du Zhiqiang, Zhang Guoqiang, Tian Xiaoping, Tian Hui, Zhang Yongqiang,
Shou Guoliang, Mao Liping, Cao Zhuqing, Guo Zhigang, Gao Hong, Han Kang, Wang Gang, Bai Guoqiang, Chen Zhifeng, Li Jianliang, Li Dawei, Wang Liren, Gao Yuan,
Yue Lin, Jing Jingtao.
The previous releases of the standards replaced by this part are.
---GB/T 15843.3-1998, GB/T 15843.3-2008.
introduction
This part of GB/T 15843 defines the entity authentication mechanism using digital signature technology, which is divided into two types. one-way authentication and mutual authentication.
Among them, one-way authentication is divided into one-pass authentication and two-pass authentication according to the number of message transfers; mutual authentication is based on the number of message transfers.
The number is divided into two pass authentication, three pass authentication, two pass parallel authentication, and five pass authentication.
Since the distribution method of the certificate used for signature is beyond the scope of this section, the sending of the certificate is optional in all mechanisms.
All relevant content related to cryptographic algorithms in this section shall be implemented in accordance with relevant national regulations.
The issuing agency of this document draws attention to the fact that when a declaration conforms to this document, it may involve the chapter 6 and "a method of two-way authentication of entities".
A kind of two-way authentication method and system for entities based on a trusted third party" and other related patents.
The issuing agency of this document has no position on the authenticity, validity and scope of the patent.
The patent holder has assured the issuing organization of this document that he is willing to work with any applicant under reasonable and non-discriminatory terms and conditions.
Negotiations on patent licensing. The statement of the patent holder has been filed with the issuing agency of this document. For relevant information, please contact
Way to get.
Patentee. Xi'an Xidian Jietong Wireless Network Communication Co., Ltd.
Address. A201, Qinfeng Tower, Xi'an Software Park, No. 68, Keji 2nd Road, High-tech Zone, Xi'an
Contact. Liu Changchun
Please note that in addition to the above-mentioned patents, certain contents of this document may still involve patents. The issuing agency of this document is not responsible for identifying these
Liability for patents.
Information technology security technology entity authentication
Part 3.Mechanisms using digital signature technology
1 Scope
This part of GB/T 15843 specifies an entity authentication mechanism using digital signature technology. There are two authentication mechanisms for a single entity
Authentication (one-way authentication), the rest is the mutual authentication mechanism of two entities.
The mechanisms specified in this section use time-varying parameters such as timestamps, serial numbers, or random numbers to prevent previously valid authentication information from being
Accepted or accepted multiple times.
If time stamps or serial numbers are used, one-way authentication only needs to be transmitted once, while mutual authentication requires two transmissions. If using random numbers
Challenge-response method, one-way authentication requires two passes, and mutual authentication requires three passes, two passes in parallel, or five passes (depending on the
mechanism).
This section applies to all applications and equipment with identification requirements.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all amendments) applies to this document.
GB/T 15843.1-2008 Information Technology Security Technical Entity Authentication Part 1.Overview (ISO /IEC 9798-1.
1997, IDT)
GB 15851-1995 Information Technology Security Technology Digital Signature Scheme with Message Recovery (idtISO /IEC 9796.1991)
GB/T 16263.1-2006 Information Technology ASN.1 Encoding Rules Part 1.Basic Encoding Rules (BER), Regular Encoding
Rules (CER) and Atypical Encoding Rules (DER) specifications (ISO /IEC 8825-1.2002, IDT)
3 Terms, definitions and symbols
The terms, definitions and the following symbols defined in GB/T 15843.1-2008 apply to this document.
IA. The identity of entity A, which can be A or CertA
IB. The identity of entity B, which can be B or CertB
ResX. Entity X's certificate verification result or entity X's public key
4 requirements
In the authentication mechanism specified in this section, the entity to be authenticated proves its identity by showing that it has a private signature key. This wants
This is done by the entity using its private signature key to sign specific data. The signature can be used by any public verification key of the entity
Entity to verify.
The authentication mechanism has the following requirements.
a) The verifier should have a valid public key of the claimant;
b) The claimant should have a private signature key that is only known by the claimant.
If any one of these two requirements is not met, the authentication process will be attacked or cannot be completed successfully.
Note 1.One way to obtain a valid public key is to use a certificate (see Appendix C of GB/T 15843.1-2008). Generation, distribution and revocation of certificates
All are beyond the scope of this section. In order to obtain a valid public key in the form of a certificate, a trusted third party can be introduced. Another way to obtain an effective public secret
The key method is to use trusted messengers.
Note 2.References related to digital signature schemes are described in the references of GB/T 15843.1-2008.
5 Mechanism
5.1 Overview
The entity authentication mechanism specified in this section uses time-varying parameters, such as timestamps, serial numbers or random numbers (see GB/T 15843.1-2008
Appendix B and Note 1) of this article.
In this section, the form of the token (also called token) is as follows.
Token=X1||||Xi||sSA(Y1||||Yj)
In this section, "signed data" refers to "Y1||||Yj", which is used as the input of the digital signature scheme, and "unsigned data" refers to
"X1||||Xi".
If the information contained in the tag name data can be recovered from the signature, it does not need to be included in the unsigned data of the tag (see
GB 15851-1995).
If the information contained in the text field of the tag name data cannot be recovered from the signature, it should be included in the unsigned text of the tag name.
In the paragraph.
If the information in the signature data of the token (such as the random number generated by the verifier) is known to the verifier, it need not be included in the voice
Said party sent the token in the unsigned data.
All text fields specified in the following mechanisms are also applicable to applications outside the scope of this section (text fields may be empty). they
The relationship and content of the depends on the specific application. See Appendix A for information on the use of text fields.
Note 1.In order to prevent the data block signed by an entity from being deliberately constructed by the second entity, the first entity can include it in the data block signed by it
Own random number. In this case, the addition of random numbers makes the signature value unpredictable, thereby preventing the pre-defined data
signature.
Note 2.Since the distribution of certificates is beyond the scope of this section, the sending of certificates is optional in all mechanisms.
Appendix B specifies the OID and ASN.1 syntax of the entity authentication mechanism specified in this section for accurate reference to a specific mechanism.
5.2 One-way authentication
5.2.1 Overview
One-way authentication means that only one of the two entities is authenticated when using this mechanism.
5.2.2 One pass authentication
In this authentication mechanism, the claimant A initiates the process and the verifier B authenticates it. Uniqueness and timeliness is achieved through generation and
Check the time stamp or serial number (see Appendix B of GB/T 15843.1-2008) to control.
The authentication mechanism is shown in Figure 1.
Figure 1 Schematic diagram of one-way authentication mechanism
5.2.3 Two pass authentication
In this authentication mechanism, the verifier B starts this process and authenticates the claimant A. Uniqueness and timeliness is achieved through generation and
Check the random number RB (see Appendix B of GB/T 15843.1-2008) to control.
The authentication mechanism is shown in Figure 2.
Figure 2 Schematic diagram of two-pass one-way authentication mechanism
The form of the token (TokenAB) sent by the claimant A to the verifier B is.
TokenAB=RA||RB||B||Text3||sSA(RA||RB||Text2)
Whether to include distinguishable identifier B in TokenAB is optional, and whether to use an application environment that depends on the authentication mechanism.
Note 1.The optional inclusion of distinguishable identifier B in the signature data of TokenAB is to prevent the information from being accepted by entities other than the intended verifier
(For example, when a man-in-the-middle attack occurs).
Note 2.Including the random number RA in the signature data of TokenAB can prevent B from obtaining A's signature on the data selected by B before the authentication mechanism is activated.
name. This kind of protection method is needed, for example, when A uses the same key for other purposes than entity authentication.
(1) B sends a random number RB to A, and optionally sends a text field Text1.
(2) A generates and sends TokenAB to B, and optionally sends A's certificate.
(3) Once a message containing TokenAB is received, B performs the following steps.
(i) Ensure possession of A's valid public key by verifying A's certificate or by other means.
(i) Verify TokenAB by the following methods. verify the digital signature of A contained in the token; send in verification step (1)
Whether the random number RB given to A matches the random number contained in the TokenAB signature data; check TokenAB
The value of the identifier field (B) in the signature data (if any) should be equal to the distinguishable identifier of B.
5.3 Mutual authentication
5.3.1 Overview
Mutual authentication means that two communicating entities use this mechanism to authenticate each other.
In 5.3.2 and 5.3.3, the two mechanisms described in 5.2.2 and 5.2.3 are extended to achieve mutual authentication. This expansion adds a
Messages are delivered, thus adding two operating steps.
The steps specified in 5.3.4 use four messages, but these messages do not need to be sent sequentially. In this way, the identification process can be accelerated.
5.3.2 Two-pass authentication
In this authentication mechanism, the uniqueness and timeliness is achieved by generating and checking the time stamp or serial number (see the attachment of GB/T 15843.1-2008).
Record B) to control.
5.3.3 Three pass authentication
In this mechanism, uniqueness and timeliness are controlled by generating and testing random numbers (see Appendix B of GB/T 15843.1-2008).
The authentication mechanism is shown in Figure 4.
5.3.4 Two-pass parallel authentication
In this mechanism, identification is performed in parallel, and uniqueness and timeliness are controlled by generating and testing random numbers (see GB/T 15843.1-
Appendix B of.2008).
The authentication mechanism is shown in Figure 5.
6 Mechanism for introducing online trusted third parties
6.1 Overview
The authentication mechanism in this chapter requires the two entities A and B to pass through an online trusted third party (with distinguishable
Sub-identifier TP) to verify the other party’s public key. Entity A and B have valid public keys of TP. And A and B don’t have each other’s validity
Public key.
This chapter describes two five-pass authentication mechanisms, which realize mutual authentication between entities A and B. In these two authentication mechanisms,
There are three elements (A, B and TP). A and B are peer authentication entities relative to TP. The format of the token and text field follows the description of 5.1
Narrated. These two mechanisms are collectively referred to as the ternary peer authentication mechanism TePA (Tri-element Peer Authentication), and they use
The signature mechanism defined in ISO /IEC 14888 or GB 15851-1995.
6.2 Five passes to authenticate TePA-A (initiated by entity A)
In this identification mechanism, uniqueness/timeliness is controlled by generating and checking random numbers (see Appendix B of GB/T 15843.1-2008).
6.3 Five passes to authenticate TePA-B (initiated by entity B)
In this identification mechanism, uniqueness/timeliness is controlled by generating and checking random numbers (see Appendix B of GB/T 15843.1-2008).
The authentication mechanism is shown in Figure 7.
Appendix A
(Informative appendix)
Use of text fields
The tokens specified in Chapters 5 and 6 of this part include text fields. The practical use of different text fields in a given pass
And the relationship between each text field depends on the specific application. Some examples are given below, and you can also refer to the attachment of GB/T 15843.1-2008
Record A.
If a digital signature scheme without message recovery is used, and the text field of the signature is not empty, the verifier will verify the signature before
To have text. In this appendix, "signed text field" refers to the text field in the signed data, and "unsigned text field" refers to the number of unsigned
The text field in the data.
For example, if a digital signature scheme without message recovery is used, any information that needs to be authenticated for the origin of the data should be placed in the signature of the token.
The name text field and (as part of) the unsigned text field.
If the token does not contain (sufficient) redundancy, the signature text field can be used to provide additional redundancy.
The signature text field can be used to indicate that the token is only valid when used for entity authentication purposes. It should also be noted that an entity may
Will deliberately attempt to choose a "degenerate" value for another entity to sign. To prevent this possibility, another entity can
Introduce a random number in the segment.
If a certain algorithm is used, a claimant uses the same key for all verifiers communicating with it, then potential
s attack. If you think that this potential attack is a threat, you need to include in the signed text field and (if necessary) the unsigned text field.
Contains the identity of the intended verifier.
The unsigned text field can also be used to provide information to the verifier to indicate who the claimant is claiming (but has not yet been authenticated).
If a certificate is not used to distribute the public key, this information is required to allow the verifier to determine which public key to use to authenticate the claimant.
......
GB/T 15843.3-2008
Information technology Security techniques Entity authentication Part 3.. Mechanisms using digital signature techniques
ICS 35.040
L80
National Standards of People's Republic of China
GB/T 15843.3-2008/ISO /IEC 9798-3.1998
Replacing GB/T 15843.3-1998
Information technology - Security techniques - Entity Identification
Part 3. The digital signature mechanism
(ISO /IEC 9798-3.1998, IDT)
Posted 2008-06-19
2008-11-01 implementation
Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China
Standardization Administration of China released
Table of Contents
Preface Ⅰ
Introduction Ⅱ
1 Scope 1
2 Normative references 1
3 Terms, definitions and symbols 1
4 Requirements 1
5 Mechanism 1
5.0 Overview 1
5.1 Identification of 2-way
5.1.1 Identification of a transfer 2
5.1.2 Identification of two passes 2
5.2 mutual authentication 3
5.2.1 Identification of two passes 3
Three Pass 5.2.2 Identification 4
5.2.3 Identification of two passes parallel 4
Appendix A (informative) text field 6
GB/T 15843.3-2008/ISO /IEC 9798-3.1998
Foreword
GB/T 15843 "Information technology - Security techniques - Entity authentication" is divided into five parts.
--- Part 1. Overview
--- Part 2. using symmetric encryption algorithm mechanism
--- Part 3. The digital signature mechanism
--- Part 4. the mechanism using a cryptographic check function
--- Part 5. zero-knowledge techniques Mechanism
You may also add other subsequent section.
This section GB/T 15843 Part 3, identical with ISO /IEC 9798-3.1998 "Information technology - Security techniques - Entity
Identification - Part 3. Digital Signature Technology mechanism ", only editorial changes.
This Part replaces GB/T 15843.3-1998 "Information technology - Security techniques entity identification - Part 3. Asymmetric signature technology
Operation mechanism. " This section compared with GB 15843.3-1998, the main changes are as follows.
--- The partial modification of the name.
--- This section according to GB/T 15843.1 revision, change some of the terms.
--- Delete this part of ISO /IEC foreword, introduction and increased.
Appendix A of this section is an informative annex.
This part of the National Security Standardization Technical Committee and centralized.
This part of the main drafting unit. Institute of Education Data and Research Center (State Key Laboratory of Information Security) communications protection.
The main drafters of this section. Jingji Wu, Jian Ping, Xia Luning, high-energy, to continue.
This part of the standard replaces the previous release case.
--- GB/T 15843.3-1998.
GB/T 15843.3-2008/ISO /IEC 9798-3.1998
introduction
This section identical with the international standard ISO /IEC 9798-3.1998, which is by the ISO /IEC Joint Technical Committee JTC1 (INFORMATION TECHNOLOGY
Surgery) sub-committee SC27 (IT security technology) drafted.
This section defines the use of digital signature technology entity authentication mechanisms, divided into one-way authentication and mutual authentication two kinds. Wherein the one-way identification
According to the number of messaging, it is divided into two passes one pass authentication and identification; mutual authentication based on the number of messaging, is divided into two
Transfer identification, authentication and passed three times two passes parallel identification.
Since the signing certificate used by way beyond the scope of this distribution, send a certificate in all the mechanisms are optional.
This part of the cryptographic algorithm involving relevant content, according to the national laws and regulations implemented.
GB/T 15843.3-2008/ISO /IEC 9798-3.1998
Information technology - Security techniques - Entity Identification
Part 3. The digital signature mechanism
1 Scope
This section provides entity authentication mechanisms using digital signature technology. There are two authentication mechanisms is to identify a single entity (one-way mirror
Do), the rest is a mutual authentication mechanism for the two entities.
Variable parameters specified in this part of the mechanism, such as the use of a time stamp, serial number or random number, etc., to prevent previously valid authentication information later
Accepted or received multiple times.
If the time stamp or serial number, the identification with a single one-way transmission, and mutual authentication is required two passes. If random
Number incentive - response method, single identification required two passes, the mutual authentication is required to pass three or four (depending on the mechanism employed).
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequently
Some amendments (not including errata content) or revisions do not apply to this section, however, encourage the parties to agreements based on this research
Study whether the latest versions of these documents. For undated reference documents, the latest versions apply to this section.
GB/T 15843.1-2008 Identification Information technology - Security techniques - Entity - Part 1. General (ISO /IEC 9798-1.
1997, IDT)
GB 15851-1995 Information technology - Security techniques - Digital signature schemes giving message recovery (idt ISO /IEC 9796.1991)
3 Terms, definitions and symbols
GB/T terms, definitions and symbols 15843.1-2008 established in this section apply.
4 Requirements
Authentication mechanisms specified in this part of the entity to be identified by indicating that it has a private signature key to verify their identity. To this
Specific data to complete the signature using its private signature key by the entity. The signature can be by the use of the entity's public key to verify any
Entity authentication.
Authentication mechanisms have the following requirements.
a) shall verify that claim to have a valid public key parties;
b) shall have only claimed by the party claiming they know the private signature key.
If these two requirements are not met any one, then the authentication process will be attacked, or can not be completed successfully.
Note 1. One way to obtain a valid public key with a certificate (see GB/T 15843.1-2008 Appendix C). Produce the certificate, distribution and revocation
We are beyond the scope of this section. In order to obtain a valid certificate in the form of a public key, trusted third party can be introduced. Another effective public encryption
Key way is to use a trusted courier.
Note 2. For digital signature scheme is described in references GB/T 15843.1-2008 references.
5 Mechanism
5.0 Overview
If the entity authentication mechanisms using the parameters specified in this variable, such as time stamp, serial number or a random number (see GB/T 15843.1-2008
Appendix B below and Note 1).
Present, the right to form part of the subject as follows.
GB/T 15843.3-2008/ISO /IEC 9798-3.1998
......
|