Information security -- Key management

This document specifies mechanisms for cross-domain password-based authenticated key exchange, all of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols let two communicating entities establish a shared session key using just the login passwords that they share with their respective domain authentication servers. The authentication servers, assumed to be part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that certify key materials that the users can subsequently use to exchange and agree on as a session key. This document does not specify the means to be used to establish a shared password between an entity and its corresponding domain server. This document also does not define the implementation of a PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.

Sécurité de l'information -- Gestion des clés

General Information

Status
Published
Publication Date
05-Jul-2021
Current Stage
5060 - Close of voting Proof returned by Secretariat
Start Date
31-May-2021
Completion Date
31-May-2021
Ref Project

Buy Standard

Standard
ISO/IEC 11770-7:2021 - Information security -- Key management
English language
26 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/IEC PRF 11770-7:Version 15-maj-2021 - Information security -- Key management
English language
26 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 11770-7
First edition
2021-07
Information security — Key
management —
Part 7:
Cross-domain password-based
authenticated key exchange
Sécurité de l'information — Gestion des clés —
Partie 7: Échange de clés authentifié entre mots de passe entre
domaines
Reference number
ISO/IEC 11770-7:2021(E)
ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC 11770-7:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 11770-7:2021(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 3

4.1 Abbreviated terms ............................................................................................................................................................................... 3

4.2 Symbols ......................................................................................................................................................................................................... 4

5 Requirements .......................................................................................................................................................................................................... 6

6 Mechanisms ............................................................................................................................................................................................................... 6

6.1 General ........................................................................................................................................................................................................... 6

6.2 Sub-protocols and functions ....................................................................................................................................................... 7

6.2.1 General...................................................................................................................................................................................... 7

6.2.2 Two-party password-based authenticated key exchange ............................................................ 7

6.2.3 Two-party asymmetric-key authenticated key exchange ............................................................. 8

6.2.4 Two-party symmetric-key authenticated key exchange ................................................................ 9

6.2.5 Two-party non-interactive key exchange ................................................................................................10

6.2.6 Session identity function .......................................................................................................................................10

6.3 Mechanism 1 ..........................................................................................................................................................................................11

6.3.1 General...................................................................................................................................................................................11

6.3.2 Prior shared parameters ........................................................................................................................................11

6.3.3 Key exchange operation ..........................................................................................................................................11

6.4 Mechanism 2 ..........................................................................................................................................................................................14

6.4.1 General...................................................................................................................................................................................14

6.4.2 Prior shared parameters ........................................................................................................................................14

6.4.3 Key exchange operation ..........................................................................................................................................15

6.5 Mechanism 3 ..........................................................................................................................................................................................17

6.5.1 General...................................................................................................................................................................................17

6.5.2 Prior shared parameters ........................................................................................................................................18

6.5.3 Key exchange operation ..........................................................................................................................................18

Annex A (normative) Object identifiers .........................................................................................................................................................22

Annex B (normative) Conversion functions ...............................................................................................................................................23

Bibliography .............................................................................................................................................................................................................................26

© ISO/IEC 2021 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 11770-7:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO/IEC 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 11770-7:2021(E)
Introduction

In a security domain, two entities can authenticate each other and establish a shared session key to

protect their communication. This authentication is typically based on pre-established information,

such as a shared password or symmetric key or possession of each other’s public key certificates. In

a cross-domain communication, two entities assigned to two distinct security domains may not have

suitable pre-established authentication information. However, they can still establish a shared session

key by using the authentication information that each entity shares with its own domain server and

relying on the domain servers themselves to authenticate each other.

Practical cross-domain communication scenarios include email communication, mobile phone

communication, and instant messaging. In these cases, communications need to be protected against

both passive and active attackers. In these scenarios, each entity is typically registered with a domain-

specific server, such as an email exchange server (for email communications) or a home location register

(for mobile phone communications). Moreover, the two communicating entities from different domains

typically neither share a password or a symmetric key nor possess each other’s public key certificate.

An authenticated key exchange (AKE) mechanism enables two entities to establish a shared session

key based on their pre-established authentication information. A password-based AKE mechanism

is based on two entities pre-sharing a password. Similarly, a symmetric key or an asymmetric key

based AKE mechanism is based on two entities pre-sharing a secret key or possessing each other’s

public key certificate (and a trusted means to verify a certificate). In this document, these three types

of mechanisms are referred to as two-party password-based authenticated key exchange (2PAKE)

protocols, two-party symmetric key based authenticated key exchange (2SAKE) protocols and two-

party asymmetric key based authenticated key exchange (2AAKE) protocols, respectively. 2PAKE

protocols are specified in ISO/IEC 11770-4, 2SAKE protocols are specified in ISO/IEC 11770-2 and

[6]

2AAKE protocols are specified in ISO/IEC 11770-3. All the mechanisms specified in ISO/IEC 11770-1 ,

ISO/IEC 11770-2 and ISO/IEC 11770-3 are appropriate for use in a single security domain. For example,

the mechanisms specified in ISO/IEC 11770-4 are used in authenticated key exchange applications,

where two players, usually referred to as a server and a client, are in the same security domain.

This document (i.e. ISO/IEC 11770-7) specifies cross-domain password-based authenticated key

exchange mechanisms. Such mechanisms enable a user from one domain to establish a session key

shared with another user from a different domain through their respective domain servers, and the

only pre-established authentication information that each user has is a password shared with their

domain server.

More specifically, each mechanism specified in this document involves four parties in two security

domains, in which each user and server pair are in the same domain. This type of mechanism is referred

to as a four-party password-based authenticated key exchange (4PAKE) protocol. This document

contains a framework for designing such 4PAKE protocols using a compositional approach. That is, a

4PAKE protocol can be implemented based on two building blocks:
a) a 2PAKE protocol;
b) a 2SAKE protocol or a 2AAKE protocol.

This document also specifies several mechanisms for such 4PAKE protocols. The 2PAKE, 2SAKE

and 2AAKE protocols used to implement such 4PAKE protocols are chosen from ISO/IEC 11770-4,

ISO/IEC 11770-2 and ISO/IEC 11770-3 respectively.

The hash functions and key derivation functions used in the mechanisms specified in this document

are specified in ISO/IEC 10118-3 and ISO/IEC 11770-6, respectively.

The conversion functions in Annex B used in the mechanisms specified in this document are specified

[16]
in ISO/IEC JTC 1/SC 27 WG 2 SD 7 .
© ISO/IEC 2021 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 11770-7:2021(E)
Information security — Key management —
Part 7:
Cross-domain password-based authenticated key exchange
1 Scope

This document specifies mechanisms for cross-domain password-based authenticated key exchange, all

of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols

let two communicating entities establish a shared session key using just the login passwords that they

share with their respective domain authentication servers. The authentication servers, assumed to be

part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that

certify key materials that the users can subsequently use to exchange and agree on as a session key.

This document does not specify the means to be used to establish a shared password between an entity

and its corresponding domain server. This document also does not define the implementation of a

PKI and the means for two distinct domain servers to exchange or verify their respective public key

certificates.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 11770-2, IT Security techniques — Key management — Part 2: Mechanisms using symmetric

techniques

ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3:

Mechanisms using asymmetric techniques

ISO/IEC 11770-4, Information technology — Security techniques — Key management — Part 4:

Mechanisms based on weak secrets
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 11770-4 and the following

apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
asymmetric key pair

pair of related keys where the private key defines the private transformation and the public key defines

the public transformation
[SOURCE: ISO/IEC 11770-3:2015, 3.3]
© ISO/IEC 2021 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 11770-7:2021(E)
3.2
asymmetric-key authenticated key exchange

process of establishing one or more shared secret keys between two entities using asymmetric-key

techniques and neither of them can predetermine the values of the shared secret keys

3.3
certification authority
entity trusted to create and assign public key certificates (3.9)
[SOURCE: ISO/IEC 11770-1:2010, 2.3]
3.4
cross-domain password-based authenticated key exchange

process of establishing one or more shared secret keys between two entities associated with two

distinct security domains (3.10) using the entity’s prior domain-specific password-based information

such that neither of the entities can predetermine the values of the shared secret keys

3.5
distinguishing identifier
information which unambiguously distinguishes an entity
[SOURCE: ISO/IEC 11770-1:2010, 2.9]
3.6
key derivation function

function which takes as input a number of parameters, at least one of which is secret, and which gives

as output keys appropriate for the intended algorithm(s) and applications

[SOURCE: ISO/IEC 11770-2:2018, 3.6, modified — Note 1 to entry has been removed.]

3.7
key establishment

process of making available a shared key to one or more entities, where the process includes key

agreement or key transport
[SOURCE: ISO/IEC 11770-3:2015, 3.23]
3.8
non-interactive key exchange

process of establishing one or more shared secret keys between two entities in a non-interactive

manner with mutual implicit key authentication
3.9
public key certificate
public key information of an entity signed by the certification authority (3.3)
[SOURCE: ISO/IEC 11770-1:2010, 2.37]
3.10
security domain

set of elements, security policy, security authority and set of security-relevant activities in which the

set of elements are subject to the security policy for the specified activities, and the security policy is

administered by the security authority for the security domain
[SOURCE: ISO/IEC 11770-1:2010, 2.43]
2 © ISO/IEC 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 11770-7:2021(E)
3.11
signature

data unit appended to, or a cryptographic transformation of, a data unit that allows a recipient of the

data unit to verify the origin and integrity of the data unit and protect the sender and the recipient of

the data unit against forgery by third parties, and the sender against forgery by the recipient

[SOURCE: ISO/IEC 11770-3:2015, 3.7, modified — the word "digital" has been removed from the term.]

3.12
symmetric-key

key used with symmetric cryptographic techniques and usable only by a set of specified entities

3.13
symmetric-key authenticated key exchange

process of establishing one or more shared secret keys between two entities using symmetric-key (3.12)

techniques such that neither of the entities can predetermine the values of the shared secret keys

4 Symbols and abbreviated terms
4.1 Abbreviated terms
2AAKE two-party asymmetric-key authenticated key exchange
2NIKE two-party non-interactive key exchange protocol
2PAKE two-party password-based authenticated key exchange
2SAKE two-party symmetric-key authenticated key exchange
4PAKE four-party password-based authenticated key exchange
BS2I function that converts a bit string into an integer
BS2OS function that converts a bit string to an octet string
CA certification authority
FE2I function that converts a field element to an integer
FE2OS function that converts a field element to an octet string

GE2OS function that converts a group element with x-coordinate to an octet string

I2BS function that converts an integer to a bit string
I2OS function that converts an integer to an octet string
KD key derivation function
MAC message authentication code
MAX maximum value function
MIN minimum value function
PKI public key infrastructure
Param 2AAKE prior shared system parameters
Param 2NIKE prior shared system parameters
© ISO/IEC 2021 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 11770-7:2021(E)
Param 2SAKE prior shared system parameters
Param 2PAKE prior shared system parameters
SIF session identity generation function
4.2 Symbols

A, B distinguishing clients’ identities including their respective domain names repre-

sented as octet strings
AK symmetric authentication key shared between X and Y
X, Y
aKG authentication public/private key pair generation function
aKV authentication public key validation function
apk entity X's authentication public key
ask entity X's authentication private key corresponding to apk
X X
c ciphertext generated from a symmetric encryption function by entity X

DEC(K, c) symmetric decryption function taking a secret key K and a ciphertext c as input and

giving as output a message m or a decryption failure symbol "⊥"
DL discrete logarithm setting
EC elliptic curve setting

ENC(K, m) symmetric encryption function taking a secret key K and a variable-length message

m as input and giving a ciphertext c as output, e.g. by using one of the symmetric

[9] [10]
encryption systems specified in ISO/IEC 18033-3 and ISO/IEC 18033-4
EK symmetric encryption key shared between X and Y
X, Y
eKG ephemeral public/private key pair generation function
eKV ephemeral public key validation function
epk entity X's ephemeral public key
esk entity X's ephemeral private key corresponding to epk
X X
GE group element under either discrete logarithm or elliptic curve setting

H hash-function taking an octet string as input and giving a bit string as output, e.g.

[4]
one of the dedicated hash-functions specified in ISO/IEC 10118-3
h entity X's private key agreement key corresponding to p
X X
K symmetric key shared between two entities X and Y
X, Y

MAC(K, m) MAC function taking a symmetric key K and a variable-length message m as input

and giving a fixed-length cryptographic checksum μ as output, e.g., by using one of

[3]
the MAC algorithms specified in ISO/IEC 9797-2

MAX(x, y) maximum value function taking two integers x and y as input and giving the maxi-

mum value between x and y as output
4 © ISO/IEC 2021 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 11770-7:2021(E)

MIN(x, y) minimum value function taking two integers x and y as input and giving the mini-

mum value between x and y as output
MiX step i performed by entity X in a mechanism
p entity X's public key agreement key
pwd password shared between a domain server S and a domain client C
S, C

S , S distinguishing identities of domain servers of clients A and B, respectively, repre-

A B
sented as octet strings
SI group setting index
sid session identity which is uniquely indicating to the session
SK entity X's private signature key corresponding to VK
X X
sn session id contribution from entity A
TK 2SAKE symmetric authentication key
ts timestamp specifying a start time and an end time
VK entity X's public verification key
μ cryptographic checksum generated from a MAC function by entity X
Σ digital signature system
σ digital signature generated from Σ.SIG by entity X

Σ.SIG(SK , m) private signature transformation function taking entity X's private signature key

SK and a variable-length message m as input and giving a digital signature σ as
X X

output, e.g. by using one of the digital signature systems specified in ISO/IEC 9796

[2] [8]
(all parts) and ISO/IEC 14888 (all parts)

Σ.VER(VK, m, σ ) public signature verification function taking entity X's public verification key VK ,

X X X

a variable-length message m and a digital signature σ as input, and giving a single

bit output: 0 (invalid) or 1 (valid)

|| X||Y denotes the result of the concatenation of octet strings X and Y in the order

specified. In cases where the result of concatenating two or more octet strings is

input to a cryptographic function as part of one of the mechanisms specified in this

document, this result shall be composed so that it can be uniquely resolved into its

constituent octet strings, i.e. so that there is no possibility of ambiguity in interpre-

tation. This latter property can be achieved in a variety of different ways, depend-

ing on the application. For example, it can be guaranteed by a) fixing the length

of each of the octet strings throughout the domain of use of the mechanism, or b)

encoding the sequence of concatenated octet strings using a method that guaran-

tees unique decoding, e.g. using the distinguished encoding rules defined in ISO/

[1]
IEC 8825-1 .
|y| bit length of a binary string y
© ISO/IEC 2021 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 11770-7:2021(E)

⎾x⏋ ceiling function taking a real number x as input and giving the least integer greater

than or equal to x as output

⎿x⏌ floor function taking a real number x as input and giving the greatest integer less

than or equal to x as output
0 point at infinity on an elliptic curve E
5 Requirements

Each security domain shall have a trusted domain server acting as an authentication server governing

a group of entities. Each entity within the domain shall share a password with the server. The entity

shall possess a copy of its server’s credential, such as a public key certificate and the means to verify

it, in order to verify messages generated by the server. However, it is not necessarily for the server

credential to be distributed in advance. In practice, the servers can distribute their credentials to the

entities within their respective domains during the execution of a cross-domain key exchange protocol

as specified in this document.

Further, a domain server shall make its public key available to other domain servers in the form of a

public key certificate. That is, each domain server shall have access to the authenticated credentials of

other domain servers. However, there is no interaction between domain servers during a protocol run.

The 4PAKE protocols specified in this document shall make use of currently available secure two-party

key exchange protocols, including:
— 2PAKE protocols as specified in ISO/IEC 11770-4;
— 2AAKE protocols as specified in ISO/IEC 11770-3;
— 2SAKE protocols as specified in ISO/IEC 11770-2;
— 2NIKE protocols as specified in ISO/IEC 11770-3.

NOTE Further information about these protocols can be found in References [12], [15] (for 2PAKE) and [13]

(for 2AAKE and 2SAKE).

In addition, Annex A lists the object identifiers which shall be used to identify the mechanisms specified

in this document.
6 Mechanisms
6.1 General

This clause specifies three cross-domain password-based authenticated key exchange mechanisms.

The key exchange mechanisms specified in 6.3 to 6.5 require that:

a) each domain client involved shares a password-based weak secret with its domain server;

b) each domain server involved shall possess an asymmetric key pair.

For the key exchange mechanisms specified in 6.3 and 6.4, each domain server involved possesses a

private signature key and the corresponding public verification key of a digital signature system.

For the key exchange mechanism specified in 6.5, each domain server involved possesses a pair of

private and public key agreement keys for a two-party non-interactive key exchange protocol.

All three cross-domain password-based authenticated key exchange mechanisms have the following

initialization and key establishment processes.
6 © ISO/IEC 2021 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 11770-7:2021(E)
Initialization process

a) The two involved domain servers acquire each other's public key and agree to provide authentication

tokens to assist their respective domain clients in establishing a shared secret key.

b) Each involved domain client and its respective domain server agree to use a shared password,

which is known only to them, and a two-party password-based authenticated key exchange

(2PAKE) protocol to perform intra-domain client-server authentication and key exchange. Each

domain server also makes its public key available to all its domain clients.

c) The two involved clients and their respective domain servers agree to use a two-party

authenticated key exchange protocol, which is either symmetric or asymmetric key based, to

perform authenticated key exchange between the two clients.

A domain server can deliver its pubic key to other entities using one of the public key transport

mechanisms specified in ISO/IEC 11770-3. To prevent potential attacks, it is recommended to use public

key transport mechanism 3 specified in ISO/IEC 11770-3:2015, which uses digital certificates issued

by trusted certification authorities (i.e. a public key infrastructure) to bind together the identity and

public key of a domain server.
Key establishment process

a) Initial information exchange: both the involved domain clients generate an ephemeral public key

according to the agreed two-party symmetric-key or asymmetric-key authenticated key exchange

(2SAKE or 2AAKE) protocol. The two clients then exchange their user identities and ephemeral

public keys, and validate the received public key from the peer client according to the agreed 2SAKE

or 2AAKE protocol. If any validat
...

INTERNATIONAL ISO/IEC
STANDARD 11770-7
First edition
Information security — Key
management —
Part 7:
Cross-domain password-based
authenticated key exchange
Sécurité de l'information — Gestion des clés —
Partie 7: Échange de clés authentifié entre mots de passe entre
domaines
PROOF/ÉPREUVE
Reference number
ISO/IEC 11770-7:2021(E)
ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC 11770-7:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 11770-7:2021(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 3

4.1 Abbreviated terms ............................................................................................................................................................................... 3

4.2 Symbols ......................................................................................................................................................................................................... 4

5 Requirements .......................................................................................................................................................................................................... 6

6 Mechanisms ............................................................................................................................................................................................................... 6

6.1 General ........................................................................................................................................................................................................... 6

6.2 Sub-protocols and functions ....................................................................................................................................................... 7

6.2.1 General...................................................................................................................................................................................... 7

6.2.2 Two-party password-based authenticated key exchange ............................................................ 7

6.2.3 Two-party asymmetric-key authenticated key exchange ............................................................. 8

6.2.4 Two-party symmetric-key authenticated key exchange ................................................................ 9

6.2.5 Two-party non-interactive key exchange ................................................................................................10

6.2.6 Session identity function .......................................................................................................................................10

6.3 Mechanism 1 ..........................................................................................................................................................................................11

6.3.1 General...................................................................................................................................................................................11

6.3.2 Prior shared parameters ........................................................................................................................................11

6.3.3 Key exchange operation ..........................................................................................................................................11

6.4 Mechanism 2 ..........................................................................................................................................................................................14

6.4.1 General...................................................................................................................................................................................14

6.4.2 Prior shared parameters ........................................................................................................................................14

6.4.3 Key exchange operation ..........................................................................................................................................15

6.5 Mechanism 3 ..........................................................................................................................................................................................17

6.5.1 General...................................................................................................................................................................................17

6.5.2 Prior shared parameters ........................................................................................................................................18

6.5.3 Key exchange operation ..........................................................................................................................................18

Annex A (normative) Object identifiers .........................................................................................................................................................22

Annex B (normative) Conversion functions ...............................................................................................................................................23

Bibliography .............................................................................................................................................................................................................................26

© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE iii
---------------------- Page: 3 ----------------------
ISO/IEC 11770-7:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 11770-7:2021(E)
Introduction

In a security domain, two entities can authenticate each other and establish a shared session key to

protect their communication. This authentication is typically based on pre-established information,

such as a shared password or symmetric key or possession of each other’s public key certificates. In

a cross-domain communication, two entities assigned to two distinct security domains may not have

suitable pre-established authentication information. However, they can still establish a shared session

key by using the authentication information that each entity shares with its own domain server and

relying on the domain servers themselves to authenticate each other.

Practical cross-domain communication scenarios include email communication, mobile phone

communication, and instant messaging. In these cases, communications need to be protected against

both passive and active attackers. In these scenarios, each entity is typically registered with a domain-

specific server, such as an email exchange server (for email communications) or a home location register

(for mobile phone communications). Moreover, the two communicating entities from different domains

typically neither share a password or a symmetric key nor possess each other’s public key certificate.

An authenticated key exchange (AKE) mechanism enables two entities to establish a shared session

key based on their pre-established authentication information. A password-based AKE mechanism

is based on two entities pre-sharing a password. Similarly, a symmetric key or an asymmetric key

based AKE mechanism is based on two entities pre-sharing a secret key or possessing each other’s

public key certificate (and a trusted means to verify a certificate). In this document, these three types

of mechanisms are referred to as two-party password-based authenticated key exchange (2PAKE)

protocols, two-party symmetric key based authenticated key exchange (2SAKE) protocols and two-

party asymmetric key based authenticated key exchange (2AAKE) protocols, respectively. 2PAKE

protocols are specified in ISO/IEC 11770-4, 2SAKE protocols are specified in ISO/IEC 11770-2 and

2AAKE protocols are specified in ISO/IEC 11770-3. All the mechanisms specified in ISO/IEC 11770-1,

ISO/IEC 11770-2 and ISO/IEC 11770-3 are appropriate for use in a single security domain. For example,

the mechanisms specified in ISO/IEC 11770-4 are used in authenticated key exchange applications,

where two players, usually referred to as a server and a client, are in the same security domain.

This document (i.e. ISO/IEC 11770-7) specifies cross-domain password-based authenticated key

exchange mechanisms. Such mechanisms enable a user from one domain to establish a session key

shared with another user from a different domain through their respective domain servers, and the

only pre-established authentication information that each user has is a password shared with their

domain server.

More specifically, each mechanism specified in this document involves four parties in two security

domains, in which each user and server pair are in the same domain. This type of mechanism is referred

to as a four-party password-based authenticated key exchange (4PAKE) protocol. This document

contains a framework for designing such 4PAKE protocols using a compositional approach. That is, a

4PAKE protocol can be implemented based on two building blocks:
a) a 2PAKE protocol;
b) a 2SAKE protocol or a 2AAKE protocol.

This document also specifies several mechanisms for such 4PAKE protocols. The 2PAKE, 2SAKE

and 2AAKE protocols used to implement such 4PAKE protocols are chosen from ISO/IEC 11770-4,

ISO/IEC 11770-2 and ISO/IEC 11770-3 respectively.

The hash functions and key derivation functions used in the mechanisms specified in this document

are specified in ISO/IEC 10118-3 and ISO/IEC 11770-6, respectively.

The conversion functions in Annex B used in the mechanisms specified in this document are specified

[16]
in ISO/IEC JTC 1/SC 27 WG 2 SD 7 .
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 11770-7:2021(E)
Information security — Key management —
Part 7:
Cross-domain password-based authenticated key exchange
1 Scope

This document specifies mechanisms for cross-domain password-based authenticated key exchange, all

of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols

let two communicating entities establish a shared session key using just the login passwords that they

share with their respective domain authentication servers. The authentication servers, assumed to be

part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that

certify key materials that the users can subsequently use to exchange and agree on as a session key.

This document does not specify the means to be used to establish a shared password between an entity

and its corresponding domain server. This document also does not define the implementation of a

PKI and the means for two distinct domain servers to exchange or verify their respective public key

certificates.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 11770-2, IT Security techniques — Key management — Part 2: Mechanisms using symmetric

techniques

ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3:

Mechanisms using asymmetric techniques

ISO/IEC 11770-4, Information technology — Security techniques — Key management — Part 4:

Mechanisms based on weak secrets
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 11770-4 and the following

apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
asymmetric key pair

pair of related keys where the private key defines the private transformation and the public key defines

the public transformation
[SOURCE: ISO/IEC 11770-3:2015, 3.3]
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 1
---------------------- Page: 6 ----------------------
ISO/IEC 11770-7:2021(E)
3.2
asymmetric-key authenticated key exchange

process of establishing one or more shared secret keys between two entities using asymmetric-key

techniques and neither of them can predetermine the values of the shared secret keys

3.3
certification authority
entity trusted to create and assign public key certificates
[SOURCE: ISO/IEC 11770-1:2010, 2.3]
3.4
cross-domain password-based authenticated key exchange

process of establishing one or more shared secret keys between two entities associated with two

distinct security domains using the entity’s prior domain-specific password-based information such

that neither of the entities can predetermine the values of the shared secret keys

3.5
distinguishing identifier
information which unambiguously distinguishes an entity
[SOURCE: ISO/IEC 11770-1:2010, 2.9]
3.6
key derivation function

function which takes as input a number of parameters, at least one of which is secret, and which gives

as output keys appropriate for the intended algorithm(s) and applications

[SOURCE: ISO/IEC 11770-2:2018, 3.6, modified — Note 1 to entry has been removed.]

3.7
key establishment

process of making available a shared key to one or more entities, where the process includes key

agreement or key transport
[SOURCE: ISO/IEC 11770-3:2015, 3.23]
3.8
non-interactive key exchange

process of establishing one or more shared secret keys between two entities in a non-interactive

manner with mutual implicit key authentication
3.9
public key certificate
public key information of an entity signed by the certification authority
[SOURCE: ISO/IEC 11770-1:2010, 2.37]
3.10
security domain

set of elements, security policy, security authority and set of security-relevant activities in which the

set of elements are subject to the security policy for the specified activities, and the security policy is

administered by the security authority for the security domain
[SOURCE: ISO/IEC 11770-1:2010, 2.43]
2 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 11770-7:2021(E)
3.11
signature

data unit appended to, or a cryptographic transformation of, a data unit that allows a recipient of the

data unit to verify the origin and integrity of the data unit and protect the sender and the recipient of

the data unit against forgery by third parties, and the sender against forgery by the recipient

[SOURCE: ISO/IEC 11770-3:2015, 3.7, modified — the word "digital" has been removed from the term.]

3.12
symmetric-key

key used with symmetric cryptographic techniques and usable only by a set of specified entities

3.13
symmetric-key authenticated key exchange

process of establishing one or more shared secret keys between two entities using symmetric-key

techniques such that neither of the entities can predetermine the values of the shared secret keys

4 Symbols and abbreviated terms
4.1 Abbreviated terms
2AAKE two-party asymmetric-key authenticated key exchange
2NIKE two-party non-interactive key exchange protocol
2PAKE two-party password-based authenticated key exchange
2SAKE two-party symmetric-key authenticated key exchange
4PAKE four-party password-based authenticated key exchange
BS2I function that converts a bit string into an integer
BS2OS function that converts a bit string to an octet string
CA certification authority
FE2I function that converts a field element to an integer
FE2OS function that converts a field element to an octet string

GE2OS function that converts a group element with x-coordinate to an octet string

I2BS function that converts an integer to a bit string
I2OS function that converts an integer to an octet string
KD key derivation function
MAC message authentication code
MAX maximum value function
MIN minimum value function
PKI public key infrastructure
Param 2AAKE prior shared system parameters
Param 2NIKE prior shared system parameters
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 3
---------------------- Page: 8 ----------------------
ISO/IEC 11770-7:2021(E)
Param 2SAKE prior shared system parameters
Param 2PAKE prior shared system parameters
SIF session identity generation function
4.2 Symbols

A, B distinguishing clients’ identities including their respective domain names repre-

sented as octet strings
AK symmetric authentication key shared between X and Y
X, Y
aKG authentication public/private key pair generation function
aKV authentication public key validation function
apk entity X's authentication public key
ask entity X's authentication private key corresponding to apk
X X
c ciphertext generated from a symmetric encryption function by entity X

DEC(K, c) symmetric decryption function taking a secret key K and a ciphertext c as input and

giving as output a message m or a decryption failure symbol "⊥"
DL discrete logarithm setting
EC elliptic curve setting

ENC(K, m) symmetric encryption function taking a secret key K and a variable-length message

m as input and giving a ciphertext c as output, e.g. by using one of the symmetric

[9] [10]
encryption systems specified in ISO/IEC 18033-3 and ISO/IEC 18033-4
EK symmetric encryption key shared between X and Y
X, Y
eKG ephemeral public/private key pair generation function
eKV ephemeral public key validation function
epk entity X's ephemeral public key
esk entity X's ephemeral private key corresponding to epk
X X
GE group element under either discrete logarithm or elliptic curve setting

H hash-function taking an octet string as input and giving a bit string as output, e.g.

[4]
one of the dedicated hash-functions specified in ISO/IEC 10118-3
h entity X's private key agreement key corresponding to p
X X
K symmetric key shared between two entities X and Y
X, Y

MAC(K, m) MAC function taking a symmetric key K and a variable-length message m as input

and giving a fixed-length cryptographic checksum μ as output, e.g., by using one of

[3]
the MAC algorithms specified in ISO/IEC 9797-2

MAX(x, y) maximum value function taking two integers x and y as input and giving the maxi-

mum value between x and y as output
4 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 11770-7:2021(E)

MIN(x, y) minimum value function taking two integers x and y as input and giving the mini-

mum value between x and y as output
MiX step i performed by entity X in a mechanism
p entity X's public key agreement key
pwd password shared between a domain server S and a domain client C
S, C

S , S distinguishing identities of domain servers of clients A and B, respectively, repre-

A B
sented as octet strings
SI group setting index
sid session identity which is uniquely indicating to the session
SK entity X's private signature key corresponding to VK
X X
sn session id contribution from entity A
TK 2SAKE symmetric authentication key
ts timestamp specifying a start time and an end time
VK entity X's public verification key
μ cryptographic checksum generated from a MAC function by entity X
Σ digital signature system
σ digital signature generated from Σ.SIG by entity X

Σ.SIG(SK , m) private signature transformation function taking entity X's private signature key

SK and a variable-length message m as input and giving a digital signature σ as
X X

output, e.g. by using one of the digital signature systems specified in ISO/IEC 9796

(all parts) and ISO/IEC 14888 (all parts)

Σ.VER(VK, m, σ ) public signature verification function taking entity X's public verification key VK ,

X X X

a variable-length message m and a digital signature σ as input, and giving a single

bit output: 0 (invalid) or 1 (valid)

|| X||Y denotes the result of the concatenation of octet strings X and Y in the order

specified. In cases where the result of concatenating two or more octet strings is

input to a cryptographic function as part of one of the mechanisms specified in this

document, this result shall be composed so that it can be uniquely resolved into its

constituent octet strings, i.e. so that there is no possibility of ambiguity in interpre-

tation. This latter property can be achieved in a variety of different ways, depend-

ing on the application. For example, it can be guaranteed by a) fixing the length

of each of the octet strings throughout the domain of use of the mechanism, or b)

encoding the sequence of concatenated octet strings using a method that guaran-

tees unique decoding, e.g. using the distinguished encoding rules defined in ISO/

IEC 8825-1.
|y| bit length of a binary string y
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 5
---------------------- Page: 10 ----------------------
ISO/IEC 11770-7:2021(E)

⎾x⏋ ceiling function taking a real number x as input and giving the least integer greater

than or equal to x as output

⎿x⏌ floor function taking a real number x as input and giving the greatest integer less

than or equal to x as output
0 point at infinity on an elliptic curve E
5 Requirements

Each security domain shall have a trusted domain server acting as an authentication server governing

a group of entities. Each entity within the domain shall share a password with the server. The entity

shall possess a copy of its server’s credential, such as a public key certificate and the means to verify

it, in order to verify messages generated by the server. However, it is not necessarily for the server

credential to be distributed in advance. In practice, the servers can distribute their credentials to the

entities within their respective domains during the execution of a cross-domain key exchange protocol

as specified in this document.

Further, a domain server shall make its public key available to other domain servers in the form of a

public key certificate. That is, each domain server shall have access to the authenticated credentials of

other domain servers. However, there is no interaction between domain servers during a protocol run.

The 4PAKE protocols specified in this document shall make use of currently available secure two-party

key exchange protocols, including:
— 2PAKE protocols as specified in ISO/IEC 11770-4;
— 2AAKE protocols as specified in ISO/IEC 11770-3;
— 2SAKE protocols as specified in ISO/IEC 11770-2;
— 2NIKE protocols as specified in ISO/IEC 11770-3.

NOTE Further information about these protocols can be found in References [12], [15] (for 2PAKE) and [13]

(for 2AAKE and 2SAKE).

In addition, Annex A lists the object identifiers which shall be used to identify the mechanisms specified

in this document.
6 Mechanisms
6.1 General

This clause specifies three cross-domain password-based authenticated key exchange mechanisms.

The key exchange mechanisms specified in 6.3 to 6.5 require that:

a) each domain client involved shares a password-based weak secret with its domain server;

b) each domain server involved shall possess an asymmetric key pair.

For the key exchange mechanisms specified in 6.3 and 6.4, each domain server involved possesses a

private signature key and the corresponding public verification key of a digital signature system.

For the key exchange mechanism specified in 6.5, each domain server involved possesses a pair of

private and public key agreement keys for a two-party non-interactive key exchange protocol.

All three cross-domain password-based authenticated key exchange mechanisms have the following

initialization and key establishment processes.
6 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 11770-7:2021(E)
Initialization process

a) The two involved domain servers acquire each other's public key and agree to provide authentication

tokens to assist their respective domain clients in establishing a shared secret key.

b) Each involved domain client and its respective domain server agree to use a shared password,

which is known only to them, and a two-party password-based authenticated key exchange

(2PAKE) protocol to perform intra-domain client-server authentication and key exchange. Each

domain server also makes its public key available to all its domain clients.

c) The two involved clients and their respective domain servers agree to use a two-party

authenticated key exchange protocol, which is either symmetric or asymmetric key based, to

perform authenticated key exchange between the two clients.

A domain server can deliver its pubic key to other entities using one of the public key transport

mechanisms specified in ISO/IEC 11770-3. To prevent potential attacks, it is recommended to use public

key transport mechanism 3 specified in ISO/IEC 11770-3:2015, which uses digital certificates issued

by trusted certification authorities (i.e. a public key infrastructure) to bind together the identity and

public key of a domain server.
Key establishment process:

a) Initial information exchange. Both the involved domain clients generate an ephemeral public key

according to the agreed two-party symmetric-key or asymmetric-key authenticated key exchange

(2SAKE or 2AAKE) protocol. The two clients then exchange their user identities and ephemeral

public keys, and validate the received pub
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.