1、BSI Standards Publication BS ISO/IEC 20009-1:2013 Information technology Security techniques Anonymous entity authentication Part 1: GeneralBS ISO/IEC 20009-1:2013 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 20009-1:2013. The UK participation in its p
2、reparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its
3、correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 73400 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and
4、 Strategy Committee on 31 August 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 20009-1:2013 Information technology Security techniques Anonymous entity authentication Part 1: General Technologies de linformation Techniques de scurit Authentification dentit anonyme Partie 1:
5、Gnralits ISO/IEC 2013 INTERNATIONAL STANDARD ISO/IEC 20009-1 First edition 2013-08-01 Reference number ISO/IEC 20009-1:2013(E)BS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E)ii ISO/IEC 2013 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, n
6、o part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs memb
7、er body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E) ISO/IEC 2013 All rights reserved iii Contents Pa
8、ge Foreword iv Introduction v 1 Scope . 1 2 T erms and definitions . 1 3 Symbols and abbreviated terms . 3 3.1 Symbols . 3 3.2 Abbreviations . 3 4 Anonymous entity authentication model . 4 5 General requirements and constraints . 4 6 Managing anonymity 5 Bibliography 6BS ISO/IEC 20009-1:2013ISO/IEC
9、20009-1:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standard
10、s through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC
11、, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is t
12、o prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibi
13、lity that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 20009-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Securi
14、ty techniques. ISO/IEC 20009 consists of the following parts, under the general title Information technology Security techniques Anonymous entity authentication: Part 1: General Part 2: Mechanisms based on signatures using a group public key The following parts are under preparation: Part 3: Mechani
15、sms based on blind signatures Part 4: Mechanisms based on weak secrets Further parts may follow.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E) Introduction Authenticating communicating partners is one of the most important cryptographic services. There are a wide v
16、ariety of cryptographic mechanisms supporting this service, e.g. the entity authentication mechanisms specified in ISO/IEC 9798 2and the digital signature mechanisms specified in ISO/IEC 9796 1and ISO/IEC 14888. 4 Anonymous authenticated communication involves hiding the identifier of an authenticat
17、ed entity to its communicating partner and/or to a third party, while retaining the property that a verifier can reliably determine that its communication partner is authentic. Anonymous entity authentication mechanisms are designed to support such anonymous communications. The mechanisms are define
18、d as exchanges of information between entities and, where required, exchanges with a trusted third party. In an anonymous entity authentication mechanism, the entity to be authenticated (the claimant) provides evidence to a verifier that it has knowledge of a secret without revealing its identifier
19、to any unauthorized entity. That is, given complete knowledge of the messages exchanged between the parties, an unauthorized entity cannot discover the identifier of the entity being authenticated (i.e. the claimant). At the same time, an authorized verifier can obtain assurance that the claimant is
20、 authentic, i.e. that it possesses certain attributes, e.g. membership of a predefined group of entities. However, even an authorized verifier may not be authorized to learn the identifier of the entity being authenticated. Anonymous entity authentication mechanisms may permit an authorized party to
21、 perform opening, a process which enables the authorized party to learn the identity of the entity that engaged in a particular instance of the mechanism. Mechanisms which permit opening are referred to as partially anonymous entity authentication mechanisms. Anonymous entity authentication can be a
22、pplied in a range of scenarios including electronic business, electronic voting, electronic identities (such as e-driving licences, e-health IDs and e-passports), social networks, mobile payments and trusted computing. In many such services, a clients personally identifiable information (PII) is rev
23、ealed to a service provider as part of the authentication process. As a result the service provider may be in a position to use the PII for a range of purposes, not necessarily in the interests of the PII subject. One way of restricting access by service providers to PII is through the use of anonym
24、ous authentication mechanisms. Some use cases of anonymous entity authentication are described in Annex A of ISO/IEC 29191:2012. 6 ISO/IEC 20009 specifies a general model and a number of mechanisms for anonymous entity authentication. The details of the mechanisms and the contents of the authenticat
25、ion exchanges are not specified in this part of ISO/IEC 20009, but in the following parts of ISO/IEC 20009. ISO/IEC 2013 All rights reserved vBS ISO/IEC 20009-1:2013BS ISO/IEC 20009-1:2013Information technology Security techniques Anonymous entity authentication Part 1: General 1 Scope This part of
26、ISO/IEC 20009 specifies a model, requirements and constraints for anonymous entity authentication mechanisms that allow the legitimacy of an entity to be corroborated. 2 T erms a nd definiti ons For the purposes of this document, the following terms and definitions apply. 2.1 anonymity strength numb
27、er derived from the probability that an unauthorized entity can correctly determine the true signer from a given signature Note 1 to entry: An anonymity strength of n means that the probability that an unauthorized entity can correctly guess the true signer from a signature is 1/n. SOURCE: ISO/IEC 2
28、0008-1: 2.2 anonymous entity authentication corroboration that an entity possesses certain attributes, without distinguishing this entity from other entities with the same attributes 2.3 anonymous digital signature signature which can be verified using a group public key or multiple public keys, and
29、 which cannot be traced to the distinguishing identifier of its signer by any unauthorized entity including the signature verifier SOURCE: ISO/IEC 20008-1: 2.4 challenge data item chosen at random and sent by the verifier to the claimant, which is used by the claimant, in conjunction with secret inf
30、ormation held by the claimant, to generate a response which is sent to the verifier SOURCE: ISO/IEC 9798-1:2010 2.5 claimant entity which is or represents a principal for the purposes of authentication SOURCE: ISO/IEC 9798-1:2010 INTERNATIONAL ST ANDARD ISO/IEC 20009-1:2013(E) ISO/IEC 2013 All right
31、s reserved 1BS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E) 2.6 key sequence of symbols that controls the operation of a cryptographic transformation SOURCE: ISO/IEC 9798-1:2010 2.7 linker entity which performs linking, i.e. which links two or more instances of anonymous entity authentication 2.8 lin
32、king process by which two or more instances of anonymous entity authentication are shown to have been performed by the same entity 2.9 opener authorized entity which performs opening, i.e. which learns the identity of the party that engaged in a particular instance of an anonymous entity authenticat
33、ion mechanism Note 1 to entry: An opener is referred to as a designated opener in ISO/IEC 29191. 2.10 opening process by which an authorized entity learns the identity of the party that engaged in a particular instance of an anonymous entity authentication mechanism Note 1 to entry: Opening is refer
34、red to as re-identification in ISO/IEC 29191. 2.11 mutual anonymous authentication anonymous entity authentication that provides both entities with assurance of the legitimacy of the other entity 2.12 partially anonymous authentication anonymous entity authentication permitting opening by authorized
35、 entities 2.13 principal entity whose legitimacy can be authenticated 2.14 random number time variant parameter whose value is unpredictable SOURCE: ISO/IEC 9798-1:2010 2.15 sequence number time variant parameter whose value is taken from a specified sequence which is non-repeating within a certain
36、time period SOURCE: ISO/IEC 9798-1:2010 2.16 time stamp time variant parameter which denotes a point in time with respect to a common reference SOURCE: ISO/IEC 9798-1:20102 ISO/IEC 2013 All rights reservedBS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E) 2.17 time variant parameter data item used to ve
37、rify that a message is not a replay, such as a random number, a sequence number, or a time stamp SOURCE: ISO/IEC 9798-1:2010 2.18 token message consisting of data fields relevant to a particular communication and which contains information that has been transformed using a cryptographic technique SO
38、URCE: ISO/IEC 9798-1:2010 2.19 trusted third party security authority or its agent, trusted by other entities with respect to security related activities SOURCE: ISO/IEC 9798-1:2010 2.20 unilateral anonymous authentication anonymous entity authentication that provides one entity with assurance of th
39、e legitimacy of the other entity, but not vice versa 2.21 unilateral-anonymous mutual authentication result of a process between two parties which simultaneously provides anonymous entity authentication in one direction and entity authentication in the other direction 2.22 v er i f i er entity which
40、 requires assurance of the legitimacy of another entity (the claimant) 3 Symbols and abbreviated terms 3.1 Symbols A entity participating in an anonymous entity authentication mechanism B entity participating in an anonymous entity authentication mechanism 3.2 Abbreviations TTP Trusted Third Party I
41、SO/IEC 2013 All rights reserved 3BS ISO/IEC 20009-1:2013ISO/IEC 20009-1:2013(E) 4 Anonymous entity authentication model Figure 1 Anonymous entity authentication model The general model for anonymous entity authentication mechanisms is shown in Figure 1. It is not essential that all the entities and
42、exchanges are present in every authentication mechanism. For the anonymous entity authentication mechanisms specified in the other parts of ISO/IEC 20009, for unilateral anonymous authentication, entity A is considered the claimant, and entity B is considered the verifier. For mutual anonymous authe
43、ntication, A and B each take the roles of both claimant and verifier. For unilateral-anonymous mutual authentication, A and B each take the role of both claimant and verifier; in addition, one direction of the authentication is anonymous and the other is not (for example, A verifies Bs identity and
44、B verifies that A is a member of a pre-defined group of entities). The precise role of the TTP depends on the mechanism in use. Some mechanisms may not use any trusted third parties. Alternatively, a TTP may only be involved in an offline way, e.g. by providing one or both of A and B with informatio
45、n supporting use of the mechanism prior to its use. As a third alternative, a TTP may be actively involved in the mechanism by exchanging messages with one or both parties during use of the mechanism. A TTP may also be involved in the opening or linking processes. If a TTP is involved, either offlin
46、e or online, then it must be trusted by the involved parties for the purpose of anonymous entity authentication. For anonymous entity authentication purposes, the entities generate and exchange standardised messages, called tokens. It takes the exchange of at least one token for unilateral anonymous
47、 authentication and the exchange of at least two tokens for mutual anonymous authentication. An additional pass may be needed if a challenge has to be sent to initiate the anonymous entity authentication exchange. Additional passes may be needed if a trusted third party is involved. In Figure 1 the
48、arrows indicate potential information flow. Entities A and B may directly interact with each other, directly interact with the trusted third party through B or A respectively, or use information issued by the trusted third party. The message exchanges making up an anonymous entity authentication mec
49、hanism provide evidence to the verifier that the claimant is authentic, i.e. that it possesses certain attributes, e.g. membership of a predefined group of entities. This evidence takes the form of demonstrating knowledge via cryptographic techniques of certain secret information, which only an authentic entity is entitled to possess. In addition, certain mechanisms also allow the claimant to demonstrate to the verifier that it possesses other attributes in addition to being an auth
