1、 Reference number ISO/IEC TR 29149:2012(E) ISO/IEC 2012TECHNICAL REPORT ISO/IEC TR 29149 First edition 2012-03-15Information technology Security techniques Best practices for the provision and use of time-stamping services Technologies de linformation Techniques de scurit Meilleures pratiques pour l
2、a fourniture et lutilisation de services dhorodotage ISO/IEC TR 29149:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocop
3、ying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzer
4、land ii ISO/IEC 2012 All rights reservedISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword iv Introduction . v 1 Scope 1 2 Terms and definitions . 1 3 Symbols and abbreviated terms 4 4 Time-stamping services 5 5 Use cases for non-repudiation . 5 5.1 Introduction 5 5.
5、2 Use case #1 6 5.3 Use case #2 6 5.4 Use case #3 6 6 Potential issues . 7 6.1 Security requirements for custody of evidences . 7 6.2 Weak cryptography: hash-functions . 8 6.3 Weak cryptography: digital signatures . 10 6.4 Weak cryptography: message authentication codes 10 6.5 Signature verification
6、 10 6.6 Time-stamp token renewal . 11 6.7 Time-stamping service availability 12 6.8 Time-stamping service continuity . 12 7 Recommendations 12 7.1 Recommendations for requesters of time-stamp tokens 12 7.2 Recommendations for verifiers of time-stamp tokens 13 7.3 Recommendations for time-stamp servi
7、ce providers . 13 7.4 Recommendations for signature verification . 16 7.5 Non-repudiation policy . 17 8 Algorithms 17 8.1 Overview . 17 8.2 Hash functions . 17 8.3 Keyed message authentication algorithms 18 8.4 Signature algorithms . 18 Bibliography 19 ISO/IEC TR 29149:2012(E) iv ISO/IEC 2012 All ri
8、ghts reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards t
9、hrough technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, a
10、lso take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to p
11、repare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, when t
12、he joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example), it may decide to publish a Technical Report. A Technical Report is entirely informative in nature and shall be subject to review e
13、very five years in the same manner as an International Standard. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 29149 was prepare
14、d by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved vIntroduction This Technical Report explains how to provide and use time-stamping services so that time-stamp tokens are effecti
15、ve when used to provide timeliness and data integrity services, or non-repudiation services (in conjunction with other mechanisms). ISO/IEC 18014 specifies time-stamping services, explaining how to generate, renew, and verify time-stamp tokens. The goal of a non-repudiation service is to treat evide
16、nce concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action. Depending on the non-repudiation service which is required, the non-repudiation policy in effect for a specific application, and the legal environment within which the
17、 application operates, time-stamp tokens from time-stamping authorities may be required as components of non-repudiation information. TECHNICAL REPORT ISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved 1Information technology Security techniques Best practices for the provision and use of tim
18、e-stamping services 1 Scope This Technical Report explains how to provide and use time-stamping services so that time-stamp tokens are effective when used to provide timeliness, data integrity, and non-repudiation services in conjunction with other mechanisms. It defines: how time-stamp requesters s
19、hould use time-stamp token generation services; how TSAs (time-stamping authorities) should provide a service of guaranteed quality; how TSAs should deserve trust based on good practices; which algorithms and parameters should be used in TST (time-stamp token) generation and TST renewal, so that TST
20、s resist during the time period during which the TSTs can be verified as being valid; how time-stamp verifiers should use the time-stamp token verification services, both when validating individual TSTs, and when validating sequences of renewal TSTs. 2 Terms and definitions For the purposes of this
21、document, the following terms and definitions apply. 2.1 certification authority CA authority trusted by one or more users to create and assign public-key certificates NOTE Optionally, the certification authority may create the users keys. ISO/IEC 9594-8:2005 2.2 digital signature data appended to,
22、or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient ISO 7498-2:1989 2.3 evidence information which is used, either by itself or in conjunction with other infor
23、mation, to establish proof about an event or action NOTE Evidence does not necessarily prove the truth or existence of something, but can contribute to the establishment of such a proof. ISO/IEC 13888-1:2009 ISO/IEC TR 29149:2012(E) 2 ISO/IEC 2012 All rights reserved2.4 evidence user entity that use
24、s non-repudiation evidence ISO/IEC 13888-1:2009 2.5 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: It is computationally infeasible to find for a given output, an input which maps to this output. It is computationally infea
25、sible to find for a given input, a second input which maps to the same output. NOTE Computational feasibility depends on the specific security requirements and environment. ISO/IEC 10118-1:2000 2.6 hash-value string of bits which is the output of a hash-function ISO/IEC 10118-1:2000, modified The te
26、rm “hash-code” is used to represent this concept in ISO/IEC 10118-1:2000. 2.7 imprint string of bits, either the hash-value of a data string or the data string itself ISO/IEC 13888-1:2009 2.8 message authentication code MAC string of bits which is the output of a MAC algorithm NOTE A MAC is sometime
27、s called a cryptographic check value (see for example ISO 7498-2). ISO/IEC 9797-1:2011 2.9 non-repudiation ability to prove an action or event has taken place, so that this event or action cannot be repudiated later ISO 7498-2:1989 2.10 non-repudiation token special type of security token as defined
28、 in ISO/IEC 10181-1, consisting of evidence, and, optionally, of additional data ISO/IEC 13888-1:2009 2.11 object identifier OID globally unique value associated with an object to unambiguously identify it ISO/IEC 8824-1:2002 ITU X.680:2002 ISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved 3
29、2.12 private key that key of an entitys asymmetric key pair which should only be used by that entity ISO/IEC 9798-1:1997 2.13 public key that key of an entitys asymmetric key pair which can be made public NOTE In the case of an asymmetric signature scheme, the public key defines the verification tra
30、nsformation. In the case of an asymmetric encipherment system, the public key defines the encipherment transformation. A key that is publicly known is not necessarily globally available. The key may only be available to all members of a pre-specified group. ISO/IEC 11770-3:2008 2.14 public key certi
31、ficate public key information of an entity signed by the certification authority and thereby rendered unforgeable ISO/IEC 11770-3:2008 2.15 signer entity generating a digital signature ISO/IEC 13888-1:2009 2.16 time stamp data item which denotes a point in time with respect to a common time referenc
32、e ISO/IEC 11770-1:2010 2.17 time-stamp token renewal process of issuing a new time stamp token to extend the validity period of an earlier time-stamp token ISO/IEC 18014-1:2008, adapted 2.18 time-stamp requester entity which possesses data it wants to be time-stamped NOTE A requester can also be a t
33、rusted third party including a time-stamping authority. ISO/IEC 18014-1:2008 2.19 time-stamp token TST data structure containing a verifiable binding between a data items representation and a time-value NOTE A time-stamp token can also include additional data items in the binding. ISO/IEC 18014-1:20
34、08 ISO/IEC TR 29149:2012(E) 4 ISO/IEC 2012 All rights reserved2.20 time-stamp verifier entity which possesses data and wants to verify that it has a valid time-stamp bound to it NOTE The verification process may be performed by the verifier itself or by a trusted third party. ISO/IEC 18014-1:2008 2.
35、21 time-stamping authority TSA trusted third party trusted to provide a time-stamping service ISO/IEC 18014-1:2008 2.22 time-stamping policy named set of rules that indicates the applicability of a time-stamp token to a particular community or class of application with common security requirements I
36、SO/IEC 18014-1:2008 2.23 time-stamping service TSS service providing evidence that a data item existed before a certain point in time ISO/IEC 18014-1:2008 2.24 trusted third party TTP security authority, or its agent, trusted by other entities with respect to security related activities ISO/IEC 1018
37、1-1:1996 3 Symbols and abbreviated terms In the remainder of this document the following notation will be used: HMAC Hash Message Authentication Code H(D) The hash-value of data D, using hash-function H MAC Message Authentication Code OID Object Identifier PKI Public Key Infrastructure S X (y) The s
38、ignature computed on data y using a signature algorithm and the private key of entity X TSA Time-Stamping Authority TSP Time-Stamp Packet: the combination of the TST and the data upon which the TST is generated ISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved 5TSS Time-Stamping Service TST
39、Time-Stamp Token TST(D, t) time-stamp token on data D, at point in time t 4 Time-stamping services Time-stamping services include generation, renewal, and verification of time-stamp tokens, as defined in ISO/IEC 18014-1. Time-stamp tokens are associations between data and points in time, and are cre
40、ated in a way that aims to provide evidence that the data existed before the associated date and time. This evidence may be used by non-repudiation services. Time-stamping services involve the following entities (from ISO/IEC 18014-1): the time-stamp requester, that has some data (e.g. a document) t
41、o time-stamp; the Time-Stamping Authority (TSA), that generates time-stamp tokens (TST); the time-stamp verifier, that verifies time-stamps bound to data. Time-stamping services (TSS) provide three specific services: time-stamp token generation, where the requester submits data items, and receives a
42、 time-stamp token; this service is provided by the TSA; time-stamp token renewal, a special case of time-stamp token generation, where the requester submits an existing first time-stamp token and related data items, and receives a new time-stamp token, such that the validity period of the first time
43、-stamp token is extended by the new time-stamp token; this service is provided by the TSA; time-stamp token verification, when the verifier validates the time-stamp token; this service may also involve the TSA or other trusted third parties. Users of the time-stamping services handle time-stamp pack
44、ets (TSP), encompassing the data plus the time- stamp token (TST). 5 Use cases for non-repudiation 5.1 Introduction Time-stamping services provide tokens that may be used, in combination with an adequate non-repudiation policy, to support non-repudiation claims. Non-repudiation services provide a us
45、er B with protection against another user A later denying that an action or event has taken place. While these services do not prevent A from trying to repudiate Bs claim, they provide evidence to support the resolution of such disagreement. In general, the evidence needs to be convincing to a third
46、 party arbitrator C. The following clauses present some use cases. ISO/IEC TR 29149:2012(E) 6 ISO/IEC 2012 All rights reserved5.2 Use case #1 Non-repudiation services Data D existed before time t. Integrity of data D is guaranteed after time t. Evidence generation 1. User A has some data D. 2. A get
47、s a time-stamp token on D at t: TST(D, t). Evidence verification 1. User B receives a time-stamp packet TSP(D, TST(D, t). 2. B checks that the TST corresponds to the data D, and verifies TST(D, t). 5.3 Use case #2 Non-repudiation services Data D existed before time t. User A signed D before time t.
48、Integrity of data D is guaranteed after time t. Evidence generation 1. User A has some data D. 2. A signs D: S A (D). 3. A gets a time-stamp token on S A (D) at t: TST(S A (D), t). Evidence verification 1. User B receives the data D and a time-stamp packet TSP(S A (D), TST(S A (D), t). 2. B checks t
49、hat the TST corresponds to S A (D), and verifies the TST. 3. B verifies the signature, using verification data at t. See “7.5 signature verification“ below. 5.4 Use case #3 Non-repudiation services Data D existed before time t2. User A signed D after time t1 and before time t2. Integrity of data D is guaranteed after time t2. ISO/IEC TR 29149:2012(E) ISO/IEC 2012 All rights reserved 7Evidence generation 1. User A has some data D. 2. A requ
