ISO/IEC 9798-2:2019

INTERNATIONAL ISO/IEC
STANDARD 9798-2
Fourth edition
2019-06
IT Security techniques — Entity
authentication —
Part 2:
Mechanisms using authenticated
encryption
Techniques de sécurité IT — Authentification d'entité —
Partie 2: Mécanismes utilisant le chiffrement authentifié
Reference number
ISO/IEC 9798-2:2019(E)
©
ISO/IEC 2019

---------------------- Page: 1 ----------------------
ISO/IEC 9798-2:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 9798-2:2019(E)

Contents Page
Foreword .iv
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 General . 3
6 Requirements . 3
7 Mechanisms not involving an on-line trusted third party . 4
7.1 General . 4
7.2 Unilateral authentication . 4
7.2.1 General. 4
7.2.2 Mechanism UNI.TS — One-pass authentication . 5
7.2.3 Mechanism UNI.CR — Two-pass authentication . 5
7.3 Mutual authentication . 6
7.3.1 General. 6
7.3.2 Mechanism MUT.TS — Two-pass authentication . 6
7.3.3 Mechanism MUT.CR — Three-pass authentication . 7
8 Mechanisms involving an on-line trusted third party . 8
8.1 General . 8
8.2 Mechanism TP.TS — Four-pass authentication . 8
8.3 Mechanism TP.CR — Five-pass authentication .10
Annex A (normative) Object Identifiers .12
Annex B (informative) Use of text fields .13
Annex C (informative) Properties of entity authentication mechanisms .14
Bibliography .15
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 9798-2:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents) or the IEC
list of patent declarations received (see http: //patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This fourth edition cancels and replaces the third edition (ISO/IEC 9798-2:2008), which has been
technically revised. It also incorporates the Technical Corrigenda ISO/IEC 9798-2:2008/Cor.1:2010,
ISO/IEC 9798-2:2008/Cor.2:2012 and ISO/IEC 9798-2:2008/Cor.3:2013. The main changes compared to
the previous edition are as follows:
— replacement of encryption by authenticated encryption;
— inclusion of constants uniquely identifying the mechanism and the instance of authenticated
encryption within the mechanism.
A list of all parts in the ISO/IEC 9798 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
INTERNATIONAL STANDARD ISO/IEC 9798-2:2019(E)
IT Security techniques — Entity authentication —
Part 2:
Mechanisms using authenticated encryption
1 Scope
This document specifies entity authentication mechanisms using authenticated encryption algorithms.
Four of the mechanisms provide entity authentication between two entities where no trusted third
party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while
the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms
require an on-line trusted third party for the establishment of a common secret key. They also realize
mutual or unilateral entity authentication.
Annex A defines Object Identifiers for the mechanisms specified in this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9798-1, Information technology — Security techniques — Entity authentication — Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 9798-1 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
3.1
authenticated encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext (3.2) that
cannot be altered by an unauthorized entity without detection, i.e. it provides data confidentiality, data
integrity, and data origin authentication
[SOURCE: ISO/IEC 19772:2009, 3.1]
3.2
ciphertext
data which has been transformed to hide its information content
[SOURCE: ISO/IEC 10116:2017, 3.2]
3.3
claimant
entity that is, or represents, a principal for the purposes of authentication
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 5 ----------------------
ISO/IEC 9798-2:2019(E)

3.4
time stamp
time variant parameter which denotes a point in time with respect to a common time reference
[SOURCE: ISO/IEC 18014-1:2008, 3.12]
3.5
trusted third party
TTP
security authority, or its agent, trusted by other entities with respect to security related activities
[SOURCE: ISO/IEC 18014-1:2008, 3.20]
4 Symbols and abbreviated terms
A, B Labels used for the entities participating in a mechanism.
d An authenticated decryption process using secret key K.
K
e An authenticated encryption process performed using secret key K.
K
e (X) The result of the encryption process for data X with an authenticated encryption algorithm
K
using a key K.
I A distinguishing identifier of entity U.
U
K A secret key used with the encryption and decryption processes.
K A secret key shared between entities U and V used only in authenticated encryption techniques.
UV
N A sequence number issued by entity U.
U
P A symbol used to represent the trusted third party.
R A random number issued by entity U.
U
i
SID Constant uniquely identifying the mechanism m and the instance of authenticated encryp-
m
tion (number i) within the mechanism.
TN A time variant parameter originated by entity U which is either a time stamp T or a se-
U U
quence number N .
U
Token A token sent from entity U to entity V.
UV
T A time stamp issued by entity U.
U
TVP A time variant parameter originated by entity U which is a time stamp T , a sequence num-
U U
ber N or a random number R .
U U
X || Y The result of the concatenation of data items X and Y in the order specified. In cases where
the result of concatenating two or more data items is encrypted as part of one of the mech-
anisms specified in this document, this result shall be composed so that it can be uniquely
resolved into its constituent data strings, i.e. so that there is no possibility of ambiguity in
interpretation.
NOTE This latter property can be achieved in a variety of ways, depending on the application.
For example, it can be guaranteed by a) fixing the length of each of the substrings throughout
the domain of use of the mechanism, or b) encoding the sequence of concatenated strings using a
method that guarantees unique decoding, e.g. using the distinguished encoding rules defined in
[2]
ISO/IEC 8825-1 .
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 9798-2:2019(E)

5 General
In the authentication mechanisms specified in this document, an entity to be authenticated corroborates
its identity by demonstrating its knowledge of a secret authentication key. This is achieved by the entity
using its secret key to encrypt specific data. The encrypted data can be decrypted by anyone sharing
the entity's secret authentication key. The decrypted data shall include a time variant parameter. The
parameter can be verified in the following ways.
a) If it is a random number, then the recipient should make sure it is identical to the random challenge
previously sent to the claimant. For guidance on the creation and use of random numbers, see ISO/
IEC 18031.
b) If it is a time stamp, the recipient should verify the validity of the time stamp. Guidance on the use
and verification of time stamps is provided in ISO/IEC 9798-1:2010, Annex B.
c) If it is a sequence number, then the recipient shall be able to compare it with previously received or
stored sequence number(s) to make sure it is not a replay. Guidance on the use and verification of
sequence numbers is provided in ISO/IEC 9798-1:2010, Annex B.
The mechanisms specified in this document use time variant parameters such as time stamps, sequence
numbers, or random numbers to prevent valid authentication information from being accepted at a
later time or more than once.
If no trusted third party is involved and a time stamp or sequence number is used, one pass is needed
for unilateral authentication, while two passes are needed to achieve mutual authentication. If no
trusted third party is involved and a challenge and response method employing random numbers is
used, two passes are needed for unilateral authentication, while three passes are required to achieve
mutual authentication. If a trusted third party is involved, the additional communication between an
entity and the trusted third party requires two extra passes in the communication exchange.
Annex A defines the Object Identifiers which shall be used to identify the mechanisms specified in this
document. Annex B shows the information on the use of text fields. Annex C shows the main properties
of the entity authentication mechanisms specified in this document.
6 Requirements
The authentication mechanisms have the following requirements. If any of these is not met, then the
authentication process can be compromised or not implementable.
a) A claimant authenticating itself to a verifier shall share a common secret authentication key with
that verifier, in which case the mechanisms of Clause 7 apply, or each entity shall share a secret
authentication key with a common trusted third party, in which case the mechanisms of Clause 8
apply. Such keys shall be known to the involved parties prior to the beginning of any particular
occurrence of an authentication mechanism. The method by which this is achieved is beyond the
scope of this document. Guidance on the management of shared secret keys is provided in ISO/
IEC 11770-1 and ISO/IEC 11770-2.
b) If a trusted third party is involved, it shall be trusted by both the claimant and the verifier.
c) The secret authentication key shared by a claimant and a verifier, or by an entity and a trusted
third party, shall be known only to those two parties and, possibly, to other entities which they
both trust not to misuse the key, e.g. to masquerade as one of the parties.
NOTE 1 The authenticated encryption algorithm and the key lifetime must be chosen so that it is
computationally infeasible for a key to be deduced during its lifetime. In addition, the key lifetime must be
chosen to prevent known plaintext or chosen plaintext attacks.
d) The tokens used in the mechanisms shall be unforgeable even with the knowledge of old tokens. In
other words, old tokens shall not be reusable in any way (in part or in full) to construct new tokens.
For every possible secret key, K, the authenticated encryption function, e , and its corresponding
K
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 7 ----------------------
ISO/IEC 9798-2:2019(E)

decryption function, d , shall have the following property. The decryption process, d , when
K K
applied to a string, e (X), shall enable the recipient of that string to detect forged or manipulated
K
data, i.e. only the possessor of the secret key, K, shall be capable of generating strings which are
“accepted” when subjected to the decryption process, d .
K
NOTE 2 In practice, this can be achieved in many ways. The most common approach is to use the
secret key, K, with an authenticated encryption technique that provides both confidentiality and integrity
protection, as standardized in ISO/IEC 19772.
e) The mechanisms in this document require the use of time variant parameters such as time stamps,
sequence numbers or random numbers. The properties of these parameters, in particular that it is
most unlikely for them to repeat within the lifetime of a secret authentication key, are important for
the security of these mechanisms. For additional information, see ISO/IEC 9798-1:2010, Annex B.
f) The secret authentication key used in implementations of any of the mechanisms specified in this
document shall be distinct from keys used for any other purposes.
g) The data strings decrypted at various points in an authentication mechanism shall not be
composed so that they can be interchanged. To help achieve this requirement, the mechanisms in
i
this document include constants SID in the encrypted data. The recipient shall verify that the
m
i
constant SID in the authenticated encrypted data is as expected.
m
NOTE 3 The form of the constants is not specified in this document. However, in order to meet the
requirement, they can be defined to include the following data elements:
— the object identifier as specified in Annex A, in particular identifying the ISO/IEC standard number and the
authentication mechanism;
— a constant that uniquely identifies the authenticated encrypted string within the mechanism. This constant
can be omitted in mechanisms that include only one signed string.
h) In the mechanisms specified in Clause 8, the holder of a key K (or K ) shall always use it in the
AP BP
same way, i.e. acting either as the TTP P or as the entity A (or B). That is, no entity shall act as the
TTP in one instance of a protocol and act as A or B in another instance of the protocol, and use the
same key in both cases.
i) The initialization vector (IV) for the authenticated encryption algorithm shall be generated
according to the requirements of that algorithm. In many cases this implies that the IV should be
unique across multiple executions of the authenticated encryption algorithm performed using the
same key.
7 Mechanisms not involving an on-line trusted third party
7.1 General
In these authentication mechanisms, the entities A and B shall share a common secret authentication
key, K , or two unidirectional secret keys, K and K , prior to the commencement of any particular
AB AB BA
occurrence of the authentication mechanisms. In the latter case, entity A always uses the unidirectional
key, K , for encryption, while B always uses it to decrypt (and conversely for key, K ).
AB BA
All text fields specified in the following mechanisms are available for use in applications outside the
scope of this document (they may be empty). Their relationship and contents depend on the specific
application. See Annex B for information on the use of text fields.
7.2 Unilateral authentication
7.2.1 General
Unilateral authentication means that only one of the two entities is authenticated by use of the
mechanism.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 9798-2:2019(E)

7.2.2 Mechanism UNI.TS — One-pass authentication
In this authentication mechanism, the claimant A initiates the process and is authenticated by the
verifier B. Uniqueness/timeliness is controlled by generating and checking a time stamp or a sequence
number (see ISO/IEC 9798-1:2010, Annex B). The authentication mechanism is illustrated in Figure 1.
Figure 1 — Mechanism UNI.TS — One-pass authentication
The form of the token, Token , sent by the claimant A to the verifier B is:
AB
1
TokenT= extTeSID TN I ext
()
AB
...