Reference number ISO/TR 19038:2005(E)
© ISO 2005

TECHNICAL REPORT ISO/TR 19038
First edition 2005-06-15

Banking and related financial services - Triple DEA - Modes of operation - Implementation guidelines

Banque et autres services financiers - Triple DEA - Modes d'opération - Lignes directrices pour la mise en œuvre

© ISO 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Specifications
6 TDEA modes of operation
Annex A (informative) ASN.1 syntax for TDEA modes of operation
Annex B (informative) TDEA modes of operation cryptographic attributes
Annex C (informative) Key bundle encryption precautions
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

In exceptional circumstances, when a technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example), it may decide by a simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely informative in nature and does not have to be reviewed until the data it provides are considered to be no longer valid or useful.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/TR 19038 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2, Security management and general banking operations.

Introduction

In order to significantly strengthen DEA (Data Encryption Algorithm) and extend its useful lifetime, the use of Triple Data Encryption Algorithm (TDEA) modes of operation has been recommended. These TDEA modes of operation not only provide greatly increased cryptographic protection, but because they are based on DEA, the TDEA
learning curve for users and vendors is reduced. Since certain TDEA modes of operation can be made backward compatible with existing DEA modes of operation, the financial community may leverage its investment in standard DEA technology by using TDEA to extend its secure lifetime.

Each mode of operation provides different benefits and has different characteristics. The selection, implementation and use of a particular mode of operation is dependent upon the security requirements, risk acceptance posture, and operational needs of the financial institution and are beyond the scope of this Technical Report.

This Technical Report is necessary to provide the basis for interoperability between different parties using any of the TDEA modes specified herein, provided that they use the same mode of operation and share the same secret cryptographic key(s). This Technical Report does not replace the Data Encryption Algorithm Standard nor the Triple Data Encryption Algorithm specified in ISO/IEC 18033. DEA is the basis for the TDEA modes of operation. TDEA provides increased security in keeping with advances in computing technology and cryptanalytic techniques. TDEA may be implemented in hardware, software or a combination of hardware and software.

This Technical Report provides implementation guidelines for the modes of operation specified in ISO/IEC 10116.

It is the responsibility of the financial institution to put overall security procedures in place with the necessary controls to ensure that the process is implemented in a secure manner. Furthermore, the process should be audited to ensure compliance with the procedures.

1 Scope

This Technical Report provides the user with technical support and details for the safe and efficient implementation of the Triple Data Encryption Algorithm (TDEA) modes of operation for the enhanced cryptographic protection of digital data. The modes of operation described herein are specified for both enciphering and deciphering operations. The modes described in this Technical Report are implementations of the block cipher modes of operation specified in ISO/IEC 10116 using the Triple DEA algorithm (TDEA) specified in ISO/IEC 18033-3.

The TDEA modes of operation may be used in both wholesale and retail financial applications. The use of this Technical Report provides the basis for the interoperability of products and facilitates the development of application standards that use the TDEA modes of operation. This Technical Report is intended for use with other ISO standards
using DEA.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 10116, Information technology - Security techniques - Modes of operation for an n-bit block cipher

ISO/IEC 18033-3, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers

ISO/IEC 9797-1, Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 birthday phenomenon
phenomenon whereby at least two people out of a relatively small group of n people will likely share the same birthday
EXAMPLE: when n = 23, the probability is over . Generally, if one randomly picks up a number from m possible numbers with replacement, the probability to get at least one coincidence in n experiments (n m) is approximated by:

$p = 1 - e^{-n^2/2m}$

In the above experiment, the expected number of trials before a coincidence is found is approximately $(m/2)^{1/2}$. It implies that for a 64-bit block encryption operation with a fixed key, if one has a text dictionary of $2^{32}$ plaintext/ciphertext pairs and $2^{32}$ blocks of ciphertext produced from random input, then it should be expected that one block of unknown ciphertext will be found in the dictionary (see [11]).

3.2 block
binary string
EXAMPLE: a plaintext or a ciphertext, is segmented with a given length. Each segment is called a block. A plaintext (ciphertext) is encrypted (decrypted) block by block from left to right. In this
Technical Report, for TCBC, TCBC-I, TOFB, TOFB-I modes, the plaintext and ciphertext are segmented into 64-bit blocks, while for TCFB and TCFB-P modes, the encryption and decryption support 1-bit, 8-bit and 64-bit plaintext and ciphertext block sizes.

3.3 bundle
collection of elements comprising a TDEA (K) key
NOTE A bundle may consist of two elements $(k_1, k_2)$ or three elements $(k_1, k_2, k_3)$.

3.4 ciphertext
encrypted (enciphered) data

3.5 clock cycle
time unit used in this Technical Report to define the time period for executing DEA operation once by one DEA functional block

3.6 cryptographic initialization
process of entering the initialization vector(s) into the TDEA to initialize the algorithm prior to the commencement of encryption or decryption

3.7 cryptographic key
key
parameter that determines the transformation from plaintext to ciphertext and vice versa
NOTE A DEA key is a
64-bit parameter consisting of 56 independent bits and 8 parity bits.

3.8 cryptoperiod
time span during which a specific (bundle of) key(s) is authorized for use

3.9 data encryption algorithm
DEA
algorithm specified in ISO/IEC 18033-3
NOTE The term “single DEA” implies DEA, whereas TDEA implies triple DEA as defined in this Technical Report.

3.10 DEA encryption operation
enciphering of 64-bit blocks by DEA with a key K

3.11 DEA decryption operation
deciphering of 64-bit blocks by DEA with a key K

3.12 DEA functional block
that which performs either a DEA encryption operation or a DEA decryption operation with a specified key
NOTE In this Technical Report, each DEA functional block is represented by $\mathrm{DEA}_j$.

3.13 decryption
process of transforming ciphertext into plaintext

3.14 encryption
process of transforming plaintext into ciphertext

3.15 exclusive-OR
bit-by-bit modulo 2 addition of binary vectors of equal length

3.16 initialization vector
binary vector used as the input to initialize the algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment
NOTE The initialization vector need not be secret.

3.17 key
see 3.7 cryptographic key

3.18 plaintext
intelligible data that has meaning and can be read or acted upon without the application of decryption
NOTE Also known as cleartext.

3.19 propagation delay
delay between the presentation of a plaintext block to a TDEA mode and the availability of the resulting ciphertext block

3.20 re-synchronization
synchronization, after being lost because of the addition or deletion of bits in one or more ciphertext blocks
EXAMPLE: if the additions or deletions can be detected, and if the appropriate number of bits can be deleted or added to the ciphertext so that the block boundaries are re-established correctly starting at block $C_i$ such that the succeeding decrypted plaintext is correct from block $P_{i+r}$ for some r, then we say that it is re-synchronized at $C_{i+r}$.

3.21 self-synchronization
automatic re-synchronization
EXAMPLE: the TCBC mode exhibits self-synchronization in the sense that if an error (including the loss of one or more entire blocks) occurs in ciphertext block $C_i$ but no further error occurs, then $C_{i+2}$ and succeeding ciphertext blocks are correctly decrypted to $P_{i+2}$ and succeeding plaintext blocks (see [11] and [12]).

3.22 synchronization
where, for a plaintext with blocks $P_1, P_2, \ldots, P_n$ if it is encrypted as a ciphertext with blocks $C_1, C_2, \ldots, C_n$, then for any i, $1 \le i \le n$, $P_1, P_2, \ldots, P_i$ can be
correctly decrypted from $C_1, C_2, \ldots, C_i$.
NOTE If some error occurs in the transmission of the ciphertext or if some bits are added or lost from the ciphertext, then synchronization is lost.

4 Symbols and abbreviations

$C_i$: i-th ciphertext block consisting of k bits, where k = 1, 8, 64.
$C^{(j)}$: j-th ciphertext substream in TCBC-I mode.
$C_{j,i}$: i-th block in j-th ciphertext substream.
CBC: Cipher block chaining.
CFB: Cipher feedback.
$D_{K_j}$: A DEA decryption operation with key “$K_j$”.
DEA: The data encryption algorithm specified in ISO/IEC 18033-3.
$\mathrm{DEA}_j$: j-th DEA functional block.
$E_{K_j}$: A DEA encryption operation with key “$K_j$”.
ECB: Electronic codebook.
$I_i$: i-th input block of encryption operation consisting of 64 bits in TCFB, TCFB-P, TOFB, and TOFB-I modes of operation.
i: Index of blocks.
IV: Initialization vector.
j: Index of functional blocks, index of keys, and index of plaintext substreams (ciphertext substreams) in TCBC-I.
h: A given counter value of a clock cycle. It is for describing the actions of each DEA functional block at t = h - 1, t = h, and t = h + 1. In the interleaved or pipelined mode, h is used to describe at clock cycle t = 3(h - 1) + j, j = 1, 2, 3, the simultaneous actions of three functional blocks. In the interleaved mode, h is used as an index of blocks for tripartition of a plaintext.
k: Size of blocks, a parameter for shifting functions $S_k$, k = 1, 8, 64.
K: Cryptographic key.
n: Number of blocks in a plaintext.
$O_i$: i-th output block of encryption operation consisting of 64 bits in TCFB, TCFB-P, TOFB, and TOFB-I modes of operation.
$O_i^k$: Leftmost k bits of $O_i$, k = 1, 8, 64. When k = 64, $O_i^k = O_i$.
OFB: Output feedback.
$P_i$: i-th plaintext block consisting of k bits, where k = 1, 8, 64.
$P^{(j)}$: j-th plaintext substream in TCBC-I mode.
$P_{j,i}$: i-th plaintext block in j-th plaintext substream.
$S_k$: “k-Shifting” function, defined as follows: Given a 64-bit block $I = (i_1, i_2, \ldots, i_{64})$ and a k-bit block $C = (c_1, c_2, \ldots, c_k)$ where k = 1, 8, 64, the shifting function $S_k(I \mid C)$ produces a 64-bit block:

$S_k(I \mid C) = i_{k+1}, i_{k+2}, \ldots, i_{64}, c_1, c_2, \ldots, c_k$

where the bits of I have been shifted left by k places, discarding $i_1, i_2, \ldots, i_k$ and placing the k bits of C in the rightmost k places of