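ISO/IEC 11770-3:2008 Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques

Standard number: ISO/IEC 11770-3:2008

Chinese title: 信息技术 安全技术 密钥管理 第3部分:用非对称技术的机制

English title: Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques

Publication date: 2008-07

Scope of the standard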

ISO/IEC 11770-3:2008 defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals.

  1. Establish a shared secret key for a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism, the secret key is the result of a data exchange between the two entities A and B. Neither of them can predetermine the value of the shared secret key.
  2. Establish a shared secret key for a symmetric cryptographic technique between two entities A and B by key transport. In a secret key transport mechanism, the secret key is chosen by one entity A and is transferred to another entity B, suitably protected by asymmetric techniques.
  3. Make an entity's public key available to other entities by key transport. In a public key transport mechanism, the public key of entity A must be transferred to other entities in an authenticated way, but not requiring secrecy.

Some of the mechanisms of ISO/IEC 11770-3:2008 are based on the corresponding authentication mechanisms in ISO/IEC 9798-3.

ISO/IEC 11770-3:2008 does not cover aspects of key management such as
  • key lifecycle management,
  • mechanisms to generate or validate asymmetric key pairs,
  • mechanisms to store, archive, delete, destroy, etc. keys.

While ISO/IEC 11770-3:2008 does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this. A private key can in all cases be distributed with these mechanisms where an existing, non-compromised key already exists. However, in practice the distribution of private keys is usually a manual process that relies on technological means like smart cards, etc.

ISO/IEC 11770-3:2008 does not cover the implementations of the transformations used in the key management mechanisms.
