Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques

Technologies de l'information — Techniques de sécurité — Gestion de clés — Partie 3: Mécanismes utilisant des techniques asymétriques

General Information

Status: Withdrawn
Publication Date: 10-Nov-1999
Withdrawal Date: 10-Nov-1999
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 02-Jul-2008

Standard
ISO/IEC 11770-3:1999 - Information technology -- Security techniques -- Key management
English language
35 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 11770-3
First edition 1999-11-01
Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques
Technologies de l'information — Techniques de sécurité — Gestion de clés — Partie 3: Mécanismes utilisant des techniques asymétriques
Reference number ISO/IEC 11770-3:1999(E)
© ISO/IEC 1999

© ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 734 10 79
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 11770 may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
International Standard ISO/IEC 11770-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC 11770 consists of the following parts, under the general title Information technology — Security techniques
— Key management:
— Part 1: Framework
— Part 2: Mechanisms using symmetric techniques
— Part 3: Mechanisms using asymmetric techniques
Further parts may follow.
Annexes A to E of this part of ISO/IEC 11770 are for information only.

INTERNATIONAL STANDARD ISO/IEC 11770-3:1999(E)
Information technology — Security techniques —
Key management —
Part 3:
Mechanisms using asymmetric techniques

1. Scope

This part of ISO/IEC 11770 defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals:

1. Establish a shared secret key for a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism the secret key is the result of a data exchange between the two entities A and B. Neither of them can predetermine the value of the shared secret key.
2. Establish a shared secret key for a symmetric cryptographic technique between two entities A and B by key transport. In a secret key transport mechanism the secret key is chosen by one entity A and is transferred to another entity B, suitably protected by asymmetric techniques.
3. Make an entity's public key available to other entities by key transport. In a public key transport mechanism, the public key of an entity A must be transferred to other entities in an authenticated way, but not requiring secrecy.

Some of the mechanisms of this part of ISO/IEC 11770 are based on the corresponding authentication mechanisms in ISO/IEC 9798-3.

This part of ISO/IEC 11770 does not cover aspects of key management such as
- key lifecycle management,
- mechanisms to generate or validate asymmetric key pairs,
- mechanisms to store, archive, delete, destroy, etc. keys.

While this part of ISO/IEC 11770 does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this.

This part of ISO/IEC 11770 does not cover the implementations of the transformations used in the key management mechanisms.

NOTE - To achieve authenticity of key management messages it is possible to make provisions for authenticity within the key establishment protocol or to use a public key signature system to sign the key exchange messages.

2. Normative references

The following normative documents contain provisions which, through reference in this text, constitute provisions of this part of ISO 11770. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this part of ISO 11770 are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards.

ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.
ISO/IEC 9594-8:1995, Information technology - Open Systems Interconnection - The Directory: Authentication framework.
ISO/IEC 9798-3:1998, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques.
ISO/IEC 10118-1:1994, Information technology - Security techniques - Hash-functions - Part 1: General.
ISO/IEC 10181-1:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Overview.
ISO/IEC 11770-1:1996, Information technology - Security techniques - Key management - Part 1: Framework.

3. Definitions

For the purposes of this part of ISO/IEC 11770, the following definitions apply.

3.1. asymmetric cryptographic technique: a cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation.

NOTE - A system based on asymmetric cryptographic techniques can either be an encipherment system, a signature system, a combined encipherment and signature system, or a key agreement system. With asymmetric cryptographic techniques there are four elementary transformations: sign and verify for signature systems, encipher and decipher for encipherment systems. The signature and the decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, since this does not conform to the principle of key separation, throughout this part of ISO/IEC 11770 the four elementary transformations and the corresponding keys are kept separate.

3.2. asymmetric encipherment system: a system based on asymmetric cryptographic techniques whose public transformation is used for encipherment and whose private transformation is used for decipherment.

3.3. asymmetric key pair: a pair of related keys where the private key defines the private transformation and the public key defines the public transformation.

3.4. certification authority (CA): a center trusted to create and assign public key certificates. Optionally, the certification authority may create and assign keys to the entities.

3.5. cryptographic check function: a cryptographic transformation which takes as input a secret key and an arbitrary string, and which gives a cryptographic check value as output. The computation of a correct check value without knowledge of the secret key shall be infeasible [ISO/IEC 9798-1:1997].

3.6. cryptographic check value: information which is derived by performing a cryptographic transformation on the data unit [ISO/IEC 9798-4:1995].

3.7. decipherment: the reversal of a corresponding encipherment [ISO/IEC 11770-1:1996].

3.8. digital signature: a data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the origin and integrity of the data unit and protect the sender and the recipient of the data unit against forgery by third parties, and the sender against forgery by the recipient.

3.9. distinguishing identifier: information which unambiguously distinguishes an entity [ISO/IEC 11770-1:1996].

3.10. encipherment: the (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e. to hide the information content of the data [ISO/IEC 11770-1:1996].

3.11. entity authentication: the corroboration that an entity is the one claimed [ISO/IEC 9798-1:1997].

3.12. entity authentication of A to B: the assurance of the identity of entity A for entity B.

3.13. explicit key authentication from A to B: the assurance for entity B that A is the only other entity that is in possession of the correct key.

NOTE - implicit key authentication from A to B and key confirmation from A to B together imply explicit key authentication from A to B.

3.14. implicit key authentication from A to B: the assurance for entity B that A is the only other entity that can possibly be in possession of the correct key.

3.15. key: a sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature calculation, or signature verification) [ISO/IEC 11770-1:1996].

3.16. key agreement: the process of establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key.

3.17. key confirmation from A to B: the assurance for entity B that entity A is in possession of the correct key.

3.18. key control: the ability to choose the key or the parameters used in the key computation.

3.19. key establishment: the process of making available a shared secret key to one or more entities. Key establishment includes key agreement and key transport.

3.20. key token: key management message sent from one entity to another entity during the execution of a key management mechanism.

3.21. key transport: the process of transferring a key from one entity to another entity, suitably protected.

3.22. mutual entity authentication: entity authentication which provides both entities with assurance of each other's identity.

3.23. one-way function: a function with the property that it is easy to compute the output for a given input but it is computationally infeasible to find for a given output an input which maps to this output.

3.24. private key: that key of an entity's asymmetric key pair which can only be used by that entity.

NOTE - In the case of an asymmetric signature system the private key defines the signature transformation. In the case of an asymmetric encipherment system the private key defines the decipherment transformation.

3.25. public key: that key of an entity's asymmetric key pair which can be made public.

NOTE - In the case of an asymmetric signature system the public key defines the verification transformation. In the case of an asymmetric encipherment system the public key defines the encipherment transformation. A key that is 'publicly known' is not necessarily globally available. The key may only be available to all members of a pre-specified group.

3.26. public key certificate: the public key information of an entity signed by the certification authority and thereby rendered unforgeable.

3.27. public key information: information containing at least the entity's distinguishing identifier and public key. The public key information is limited to data regarding one entity, and one public key for this entity. There may be other static information regarding the certification authority, the entity, the public key, restrictions on key usage, the validity period, or the involved algorithms, included in the public key information.

3.28. secret key: a key used with symmetric cryptographic techniques by a specified set of entities.

3.29. sequence number: a time variant parameter whose value is taken from a specified sequence which is non-repeating within a certain time period [ISO/IEC 11770-1:1996].

3.30. signature system: a system based on asymmetric cryptographic techniques whose private transformation is used for signing and whose public transformation is used for verification.

3.31. time stamp: a data item which denotes a point in time with respect to a common time reference.

3.32. time stamping authority: a trusted third party trusted to provide evidence which includes the time when the secure time stamp is generated [ISO/IEC 13888-1:1997].

3.33. time variant parameter: a data item used to verify that a message is not a replay, such as a random number, a sequence number, or a time stamp.

3.34. trusted third party: a security authority, or its agent, trusted by other entities with respect to security related activities [ISO/IEC 10181-1:1996].

4. Symbols and abbreviations

The following symbols and abbreviations are used in this part of ISO/IEC 11770.

A, B    distinguishing identifiers of entities.
BE    enciphered data block
BS    signed data block
CA    certification authority.
$Cert_A$    entity A's public key certificate
$D_A$    entity A's private decipherment transformation.
$d_A$    entity A's private decipherment key.
$E_A$    entity A's public encipherment transformation.
$e_A$    entity A's public encipherment key.
$F(h,g)$    the key agreement function.
$f$    cryptographic check function
$f_K(Z)$    cryptographic check value which is the result of applying the cryptographic check function $f$ using as input a secret key $K$ and an arbitrary data string $Z$.
$g$    the common element shared publicly by all the entities that use the key agreement function $F$.
$h_A$    entity A's private key agreement key.
hash    hash-function
$H$    set of elements
$G$    set of elements
$K$    a secret key for a symmetric cryptosystem.
$K_{AB}$    a secret key shared between entities A and B.

NOTE - In practical implementations the shared secret key may be subject to further processing before it can be used for a symmetric cryptosystem.

$KT$    key token.
$KT_{Ai}$    the key token sent by entity A after processing phase i.
$p_A$    entity A's public key agreement key.
$PKI_A$    entity A's public key information
$r$    a random number generated in the course of a mechanism.
$r_A$    a random number issued by entity A in a key agreement mechanism.
$S_A$    entity A's private signature transformation.
$s_A$    entity A's private signature key.
Texti    an optional data field whose use is beyond the scope of this part of ISO/IEC 11770.
TVP    time-variant parameter, such as a random number, a time stamp, or a sequence number.
$V_A$    entity A's public verification transformation.
$v_A$    entity A's public verification key.
$w$    one-way function
$\Sigma$    the digital signature
$\|$    concatenation of two data elements.

NOTES

1. No assumption is made on the nature of the signature transformation. In the case of a signature system with message recovery, $S_A(m)$ denotes the signature $\Sigma$ itself. In the case of a signature system with appendix, $S_A(m)$ denotes the message $m$ together with signature $\Sigma$.

2. The keys of an asymmetric cryptosystem are denoted by a lower case letter (indicating the function of that key) indexed with the identifier of its owner, e.g. the public verification key of entity A is denoted by $v_A$. The corresponding transformations are denoted by upper case letters indexed with the identifier of their owner, e.g. the public verification transformation of entity A is denoted by $V_A$.

5. Requirements

It is assumed that the entities are aware of each other's claimed identities. This may be achieved by the inclusion of identifiers in information exchanged between the two entities, or it may be apparent from the context of the use of the mechanism. Verifying the identity means to check that a received identifier field agrees with some known (trusted) value or prior expectation.

If a public key is registered with an entity then that entity shall make sure that the entity who registers the key is in possession of the corresponding private key (see Part 1 for registration of key).

6. Secret key agreement

Key agreement is the process of establishing a shared secret key between two entities A and B in such a way that neither of them can predetermine the value of the shared secret key. Key agreement mechanisms may provide for implicit key authentication; in the context of key establishment, implicit key authentication means that after the execution of the mechanism only an identified entity can be in possession of the correct shared secret key.

The key agreement between two entities A and B takes place in a context shared by the two entities. The context consists of the following objects: a set $G$, a set $H$ and a function $F$. The function $F$ shall satisfy the following requirements:

1. $F$ operates on two inputs, one element $h$ from $H$ and one element $g$ from $G$, and produces a result $y$ in $G$, $y = F(h,g)$.
2. $F$ satisfies the commutativity condition $F(h_A, F(h_B, g)) = F(h_B, F(h_A, g))$.
3. It is computationally intractable to find $F(h_1, F(h_2, g))$ from $F(h_1, g)$, $F(h_2, g)$ and $g$. This implies that $F(\cdot, g)$ is a one-way function.
4. The entities A and B share a common element $g$ in $G$ which may be publicly known.
5. The entities acting on this setting can efficiently compute function values $F(h,g)$ and can efficiently generate random elements in $H$.

Depending on the particular key agreement mechanism further conditions may be imposed.

NOTES

1. An example of a possible function $F$ is given in Annex B.

2. In practical implementations of the key agreement mechanisms the shared secret key may be subject to further processing. A derived shared secret key may be computed (1) by extracting bits from the shared secret key $K_{AB}$ directly or (2) by passing the shared secret $K_{AB}$ and optionally other nonsecret data through a one-way function and extracting bits from the output.

3. It will in general be necessary to check the received function values $F(h,g)$ for weak values. If such values are encountered, the protocol shall be aborted. An example known as Diffie-Hellman key agreement is given in clause B.5.

6.1 Key agreement mechanism 1

This key agreement mechanism non-interactively establishes a shared secret key between entities A and B with mutual implicit key authentication. The following requirements shall be satisfied:

1. Each entity X has a private key agreement key $h_X$ in $H$ and a public key agreement key $p_X = F(h_X, g)$.
2. Each entity has access to an authenticated copy of the public key agreement key of the other entity. This may be achieved using the mechanisms of clause 8.

[Figure 1 - Key Agreement Mechanism 1: A performs Key Construction (A1) and B performs Key Construction (B1); each obtains $K_{AB}$.]

Key Construction (A1) A computes, using its own private key agreement key $h_A$ and B's public key agreement key $p_B$, the shared secret key as

$$K_{AB} = F(h_A, p_B)$$

Key Construction (B1) B computes, using its own private key agreement key $h_B$ and A's public key agreement key $p_A$, the shared secret key as

$$K_{AB} = F(h_B, p_A)$$

As a consequence of requirement 2 of $F$, the two computed values for the key $K_{AB}$ are identical.

NOTE - This Key Agreement Mechanism has the following properties:

1. Number of passes: 0. As a consequence, the secret shared key has always the same value (but see clause 6 note 2).

2. Key authentication: this mechanism provides mutual implicit key authentication.

3. Key confirmation: this mechanism provides no key confirmation.

4. This is a key agreement mechanism since the established key is a one-way function of the private key agreement keys $h_A$ and $h_B$ of A and B respectively. However, one entity may know the other entity's public key prior to choosing their private key. Such an entity may select approximately $s$ bits of the established key, at the cost of generating $2^s$ candidate values for their private key agreement key in the interval between discovering the other entity's public key and choosing their own private key.

5. Example: an example known as Diffie-Hellman key agreement is given in clause B.5.

6.2 Key agreement mechanism 2

This key agreement mechanism establishes in one pass a shared secret key between A and B with implicit key authentication from B to A, but no entity authentication from A to B (i.e. B does not know with whom it has established the shared secret key). The following requirements shall be satisfied:

1. Entity B has a private key agreement key $h_B$ in $H$ and a public key agreement key $p_B = F(h_B, g)$.
2. Entity A has access to an authenticated copy of B's public key agreement key $p_B$. This may be achieved using the mechanisms of clause 8.

[Figure 2 - Key Agreement Mechanism 2: A performs Key Token Construction (A1) and sends $KT_{A1}$ to B; A performs Key Construction (A2) and B performs Key Construction (B1); each obtains $K_{AB}$.]

Key Token Construction (A1) A randomly and secretly generates $r$ in $H$, computes $F(r,g)$ and sends the key token

$$KT_{A1} = F(r,g) \,\|\, Text$$

to B.

Key Construction (A2) Further A computes the key as

$$K_{AB} = F(r, p_B)$$

Key Construction (B1) B extracts $F(r,g)$ from the received key token $KT_{A1}$ and computes the shared secret key

$$K_{AB} = F(h_B, F(r,g))$$

According to requirement 2 of $F$, the two computed values for the key $K_{AB}$ are identical.

NOTE - This Key Agreement Mechanism has the following properties:

1. Number of passes: 1.

2. Key authentication: this mechanism provides implicit key authentication from B to A (B is the only entity other than A who can compute the shared secret key).

3. Key confirmation: this mechanism provides no key confirmation.

4. This is a key agreement mechanism since the established key is a one-way function of a random value $r$ supplied by A and B's private key agreement key. However, since entity A may know entity B's public key prior to choosing the value $r$,
entity A may select approximately $s$ bits of the established key, at the cost of generating $2^s$ candidate values for $r$ in the interval between discovering B's public key and sending $KT_{A1}$.

5. Example: an example of this key agreement mechanism (known as ElGamal key agreement) is described in clause B.3.

6. Key usage: as B receives the key $K_{AB}$ from the non-authenticated entity A, secure usage of $K_{AB}$ at B's end is restricted to functions not requiring trust in A's authenticity such as decipherment and generation of message authentication codes.

6.3 Key agreement mechanism 3

This key agreement mechanism establishes in one pass a shared secret key between A and B with mutual implicit key authentication, and entity authentication of A to B. The following requirements shall be satisfied:

1. Entity A has an asymmetric signature system $(S_A, V_A)$.
2. Entity B has access to an authenticated copy of the public verification transformation $V_A$. This may be achieved using the mechanisms of clause 8.
3. Entity B has a key agreement system with keys $(h_B, p_B)$.
4. Entity A has access to an authenticated copy of the public key agreement key $p_B$ of entity B. This may be achieved using the mechanisms of clause 8.
5. TVP: The TVP shall either be a time stamp or a sequence number. If time stamps are used, secure and synchronized time clocks are required; if sequence numbers are used, the ability to maintain and verify bilateral counters is required.
6. The entities A and B have agreed on a cryptographic check function $f$ (such as those standardized in ISO/IEC 9797) and a way to incorporate $K_{AB}$ as the key in this check function.

[Figure 3 - Key Agreement Mechanism 3: A performs Key Construction (A1.1) and Key Token Signature (A1.2) and sends $KT_{A1}$ to B; B performs Key Construction (B1.1) and Signature Verification (B1.2); each obtains $K_{AB}$.]

Key Construction (A1.1) A randomly and secretly generates $r$ in $H$ and computes $F(r,g)$. A computes the shared secret key as

$$K_{AB} = F(r, p_B)$$

Using the shared secret key $K_{AB}$, A computes a cryptographic check value on the concatenation of the sender's distinguishing identifier A and a sequence number or time stamp TVP.

Key Token Signature (A1.2) A signs the cryptographic check value, using its private signature transformation $S_A$. Then A forms the key token, consisting of the sender's distinguishing identifier A, the key input $F(r,g)$, the TVP, the signed cryptographic check value, and some optional data

$$KT_{A1} = A \,\|\, F(r,g) \,\|\, TVP \,\|\, S_A(f_{K_{AB}}(A \,\|\, TVP)) \,\|\, Text1$$

and sends it to B.

Key Construction (B1.1) B extracts $F(r,g)$ from the received key token and computes the shared secret key, using its private key agreement key $h_B$,

$$K_{AB} = F(h_B, F(r,g))$$

Using the shared secret key $K_{AB}$, B computes the cryptographic check value on the sender's distinguishing identifier A and the TVP.

Signature Verification (B1.2) B uses the sender's public verification transformation $V_A$ to verify A's signature and thus the integrity and origin of the received key token $KT_{A1}$. Then B validates the timeliness of the token (by inspection of TVP).

NOTE - This Key Agreement Mechanism has the following properties:

1. Number of passes: 1.

2. Key authentication: this mechanism provides explicit key authentication from A to B and implicit key authentication from B to A.

3. Key confirmation: this mechanism provides key confirmation from A to B.

4. This is a key agreement mechanism since the established key is a one-way function of a random value $r$ supplied by A and B's private key agreement key. However, since entity A may know entity B's public key prior to choosing the value $r$, entity A may select approximately $s$ bits of the established key, at the cost of generating $2^s$ candidate values for $r$ in the interval between discovering B's public key and sending $KT_{A1}$.

5. TVP: provides entity authentication of A to B and prevents replay of the key token.

6. Example: an example of this key agreement mechanism (known as Nyberg-Rueppel key agreement) is described in clause B.4.

7. Public key certificates: if Text1 is used to transfer A's public key certificate, then requirement 2 at the beginning of this clause can be relaxed to the requirement that B is in possession of an authenticated copy of the CA's public verification key.

6.4 Key agreement mechanism 4

This key agreement mechanism establishes in two passes a shared secret key between entities A and B with joint key control without prior exchange of keying

[Figure 4 - Key Agreement Mechanism 4: A performs Key Token Construction (A1) and sends $KT_{A1}$ to B; B performs Key Token Construction (B1) and sends $KT_{B1}$ to A; A performs Key Construction (A2) and B performs Key Construction (B2); each obtains $K_{AB}$.]

Key Token Construction (A1) A randomly and secretly generates $r_A$ in $H$, computes $F(r_A, g)$, constructs the key token

$$KT_{A1} = F(r_A, g) \,\|\, Text1$$

and sends it to B.

Key Token Construction (B1) B randomly and secretly generates $r_B$ in $H$, computes $F(r_B, g)$, constructs the key token

$$KT_{B1} = F(r_B, g) \,\|\, Text2$$

and sends it to A.

Key Construction (A2) A extracts $F(r_B, g)$ from the received key token $KT_{B1}$ and computes the shared secret key

$$K_{AB} = F(r_A, F(r_B, g))$$

Key Construction (B2) B extracts $F(r_A, g)$ from the received key token $KT_{A1}$ and computes the shared secret key

$$K_{AB} = F(r_B, F(r_A, g))$$

NOTE - This Key Agreement Mechanism has the following properties:

1. Number of passes: 2.

2
...
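
An added worked example (not part of ISO/IEC 11770-3 or of the original page) of key agreement mechanism 2 from clause 6.2, combined with the weak-value check and the derived-key step described in notes 3 and 2 of clause 6. It assumes F(h, g) = g^h mod p over the RFC 2409 Oakley Group 1 prime with g = 2; SHA-256, the fixed-width token encoding and all function names are choices made for this example.

```python
import hashlib
import secrets

# Assumption: F(h, g) = g^h mod p (the Diffie-Hellman style instantiation).
# P is the 768-bit Oakley Group 1 safe prime (RFC 2409); it keeps the listing
# short and is too small for production use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                        # prime order of the subgroup generated by G
G = 2                                   # common element g, publicly known
VALUE_LEN = (P.bit_length() + 7) // 8   # fixed width of an encoded F(h, g)


class WeakValueError(ValueError):
    """Raised when a received function value is weak; the run is aborted."""


def F(h, g):
    """Key agreement function: commutative, and one-way in h."""
    return pow(g, h, P)


def random_h():
    """Random element of H, here the integers 1 .. Q-1."""
    return secrets.randbelow(Q - 1) + 1


def check_value(y):
    """Clause 6, note 3: reject weak received function values."""
    if not 2 <= y <= P - 2:       # excludes 0, 1 and p-1 (order 1 or 2)
        raise WeakValueError("function value out of range")
    if pow(y, Q, P) != 1:         # must lie in the order-q subgroup
        raise WeakValueError("function value outside the expected subgroup")
    return y


def derive_key(k_ab, context, length=32):
    """Clause 6, note 2 (2): pass K_AB and nonsecret data through a one-way
    function and extract bits. SHA-256 is this example's choice."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 bytes")
    raw = k_ab.to_bytes(VALUE_LEN, "big")
    return hashlib.sha256(raw + context).digest()[:length]


def a_send(p_b, text=b""):
    """(A1)+(A2): A picks r, forms KT_A1 = F(r,g) || Text, K_AB = F(r, p_B)."""
    check_value(p_b)              # authenticated copy, still validated
    r = random_h()
    kt_a1 = F(r, G).to_bytes(VALUE_LEN, "big") + text
    return kt_a1, F(r, p_b)


def b_receive(h_b, kt_a1):
    """(B1): B extracts F(r,g) from KT_A1 and computes K_AB = F(h_B, F(r,g))."""
    if len(kt_a1) < VALUE_LEN:
        raise ValueError("key token too short")
    y = check_value(int.from_bytes(kt_a1[:VALUE_LEN], "big"))
    return F(h_b, y), kt_a1[VALUE_LEN:]


def run_mechanism_2():
    """One complete run; returns the derived key computed by A and by B."""
    h_b = random_h()              # B's private key agreement key
    p_b = F(h_b, G)               # B's public key agreement key
    kt_a1, k_a = a_send(p_b, b"constructed Text field")
    k_b, _text = b_receive(h_b, kt_a1)
    ctx = b"mechanism-2 example"  # constructed nonsecret data
    return derive_key(k_a, ctx), derive_key(k_b, ctx)


def rejected(value):
    """True if B aborts on a key token carrying this function value."""
    try:
        b_receive(random_h(), value.to_bytes(VALUE_LEN, "big"))
    except WeakValueError:
        return True
    return False


if __name__ == "__main__":
    key_a, key_b = run_mechanism_2()
    print("keys match:", key_a == key_b)
    print("weak values rejected:", [rejected(v) for v in (0, 1, P - 1)])
```

As note 6 of clause 6.2 states, B learns nothing about who sent the token, so the derived key is only suitable at B's end for functions that do not require trust in A's authenticity.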
