Information technology — Security techniques — Non-repudiation — Part 1: General

ISO/IEC 13888 is concerned with non-repudiation. ISO/IEC 13888-1:2009 is a general part which defines a model for non-repudiation mechanisms providing evidence based on cryptographic check values generated using symmetric or asymmetric cryptographic techniques. Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens for non-repudiation services. Specific and additional non-repudiation services are described.

Technologies de l'information — Techniques de sécurité — Non-répudiation — Partie 1: Généralités

General Information

Status
Withdrawn
Publication Date
08-Jul-2009
Withdrawal Date
08-Jul-2009
Current Stage
9599 - Withdrawal of International Standard
Completion Date
04-Sep-2020

Standard
ISO/IEC 13888-1:2009 - Information technology -- Security techniques -- Non-repudiation
English language
19 pages

Standards Content (Sample)

INTERNATIONAL STANDARD
ISO/IEC 13888-1
Third edition
2009-07-15


Information technology — Security
techniques — Non-repudiation —
Part 1:
General
Technologies de l'information — Techniques de sécurité —
Non-répudiation —
Partie 1: Généralités





Reference number
ISO/IEC 13888-1:2009(E)
© ISO/IEC 2009

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Organisation of the remainder of this part of ISO/IEC 13888
6 Requirements
7 Generic non-repudiation services
7.1 Entities involved in the provision and verification of evidence
7.2 Non-repudiation services
8 Trusted third party involvement
8.1 General
8.2 Evidence generation phase
8.3 Evidence transfer, storage and retrieval phase
8.4 Evidence verification phase
9 Evidence generation and verification mechanisms
9.1 General
9.2 Secure envelopes
9.3 Digital signatures
9.4 Evidence verification mechanism
10 Non-repudiation tokens
10.1 General
10.2 Generic non-repudiation token
10.3 Time-stamping token
10.4 Notarization token
11 Specific non-repudiation services
11.1 General
11.2 Non-repudiation of origin
11.3 Non-repudiation of delivery
11.4 Non-repudiation of submission
11.5 Non-repudiation of transport
12 Use of specific non-repudiation tokens in a messaging environment
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 13888-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 13888-1:2004), which has been
technically revised.
ISO/IEC 13888 consists of the following parts, under the general title Information technology — Security
techniques — Non-repudiation:
⎯ Part 1: General
⎯ Part 2: Mechanisms using symmetric techniques
⎯ Part 3: Mechanisms using asymmetric techniques
Introduction
The goal of a non-repudiation service is to generate, collect, maintain, make available and verify evidence
concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of
the event or action. This part of ISO/IEC 13888 defines a model for non-repudiation mechanisms providing
evidence based on cryptographic check values generated using symmetric or asymmetric cryptographic
techniques.
Non-repudiation services establish evidence; evidence establishes accountability regarding a particular event
or action. The entity responsible for the action, or associated with the event, with regard to which evidence is
generated, is known as the evidence subject.
Non-repudiation mechanisms provide protocols for the exchange of non-repudiation tokens specific to each
non-repudiation service. Non-repudiation tokens consist of secure envelopes and/or digital signatures and,
optionally, additional data:
⎯ Secure envelopes are generated by an evidence generating authority using symmetric cryptographic
techniques.
⎯ Digital signatures are generated by an evidence generator or an evidence generating authority using
asymmetric techniques.
Non-repudiation tokens can be stored as non-repudiation information that can be used subsequently by
disputing parties or by an adjudicator to arbitrate in disputes.
Depending on the non-repudiation policy in effect for a specific application, and the legal environment within
which the application operates, additional information may be required to complete the non-repudiation
information, for example:
⎯ evidence including a trusted time-stamp provided by a time-stamping authority,
⎯ evidence provided by a notary which provides assurance about data created or the action or event
performed by one or more entities.
Non-repudiation can only be provided within the context of a clearly defined security policy for a particular
application and its legal environment. Non-repudiation policies are described in ISO/IEC 10181-4.
Specific non-repudiation mechanisms generic to the various non-repudiation services are first described and
then applied to a selection of specific non-repudiation services such as:
⎯ non-repudiation of origin,
⎯ non-repudiation of delivery,
⎯ non-repudiation of submission,
⎯ non-repudiation of transport.
Additional non-repudiation services mentioned in this part of ISO/IEC 13888 are:
⎯ non-repudiation of creation,
⎯ non-repudiation of receipt,
⎯ non-repudiation of knowledge,
⎯ non-repudiation of sending.
Information technology — Security techniques —
Non-repudiation —
Part 1:
General
1 Scope
This part of ISO/IEC 13888 serves as a general model for subsequent parts specifying non-repudiation
mechanisms using cryptographic techniques. ISO/IEC 13888 provides non-repudiation mechanisms for the
following phases of non-repudiation:
⎯ evidence generation;
⎯ evidence transfer, storage and retrieval; and
⎯ evidence verification.
Dispute arbitration is outside the scope of ISO/IEC 13888.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10181-4:1997, Information technology — Open Systems Interconnection — Security frameworks for
open systems: Non-repudiation framework
ISO/IEC 18014 (all parts), Information technology — Security techniques — Time-stamping services
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO 7498-2]
3.2
certificate
entity's data rendered unforgeable with the private or secret key of a certification authority
3.3
certification authority
authority trusted by one or more users to create and assign certificates
NOTE 1 Adapted from ISO/IEC 9594-8:2001, 3.3.17.
NOTE 2 Optionally the certification authority can create the users' keys.
3.4
cryptographic check function
cryptographic transformation which takes as input a secret key and an arbitrary string, and which gives a
cryptographic check value as output
3.5
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[ISO 7498-2]
3.6
data origin authentication
corroboration that the source of data received is as claimed
[ISO 7498-2]
3.7
data storage
means for storing information from which data is submitted for delivery, or into which data is put by the
delivery authority
3.8
delivery authority
authority trusted by the sender to deliver the data from the sender to the receiver, and to provide the sender
with evidence on the submission and transport of data upon request
3.9
digital signature
data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to
prove the source and integrity of the data unit and protect against forgery e.g. by the recipient
[ISO 7498-2]
3.10
distinguishing identifier
information which unambiguously distinguishes an entity in the non-repudiation process
3.11
evidence
information which is used, either by itself or in conjunction with other information, to establish proof about an
event or action
NOTE Evidence does not necessarily prove the truth or existence of something (see proof) but can contribute to the
establishment of such a proof.
3.12
evidence generator
entity that produces non-repudiation evidence
[ISO/IEC 10181-4]
3.13
evidence user
entity that uses non-repudiation evidence
[ISO/IEC 10181-4]
3.14
evidence verifier
entity that verifies non-repudiation evidence
[ISO/IEC 10181-4]
3.15
evidence requester
entity requesting evidence to be generated either by another entity or by a trusted third party
3.16
evidence subject
entity responsible for the action, or associated with the event, with regard to which evidence is generated
3.17
hash-code
string of bits that is the output of a hash-function
[ISO/IEC 10118-1]
3.18
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:
⎯ it is computationally infeasible to find for a given output an input which maps to this output;
⎯ it is computationally infeasible to find for a given input a second input which maps to the same output
[ISO/IEC 10118-1]
3.19
imprint
string of bits, either the hash-code of a data string or the data string itself
3.20
key
sequence of symbols that controls the operations of a cryptographic transformation (e.g. encipherment,
decipherment, cryptographic check-function computation, signature calculation, or signature verification)
[ISO/IEC 11770-3]
3.21
monitoring authority
monitor
trusted third party monitoring actions and events, and that is trusted to provide evidence about what has been
monitored
3.22
Message Authentication Code
MAC
string of bits which is the output of a MAC algorithm
[ISO/IEC 9797-1]
NOTE A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2).
3.23
Message Authentication Code algorithm
MAC algorithm
algorithm for computing a function that maps strings of bits and a secret key to fixed-length strings of bits,
satisfying the following two properties:
⎯ for any key and any input string the function can be computed efficiently;
⎯ for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the
function value on any new input string, even given knowledge of the set of input strings and
corresponding function values, where the value of the ith input string may have been chosen after
observing the value of the first i − 1 function values
NOTE 1 A MAC algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2).
NOTE 2 Computational feasibility depends on the user's specific security requirements and environment.
[ISO/IEC 9797-1]
3.24
non-repudiation of creation
service intended to protect against an entity's false denial of having created the content of a message (i.e.
being responsible for the content of a message)
3.25
non-repudiation of delivery
service intended to protect against a recipient's false denial of having received a message and recognised the
content of a message
3.26
non-repudiation of delivery token
data item which allows the originator to establish non-repudiation of delivery for a message
3.27
non-repudiation exchange
sequence of one or more transfers of non-repudiation information (NRI) for the purpose of non-repudiation
3.28
non-repudiation information
set of information that may contain information about an event or action for which evidence is to be generated
and verified, the evidence itself, and the non-repudiation policy in effect
3.29
non-repudiation of knowledge
service intended to protect against a recipient's false denial of having taken notice of the content of a received
message
3.30
non-repudiation of origin
service intended to protect against the originator's false denial of having created the content of a message
and of having sent a message
3.31
non-repudiation of origin token
data item which allows recipients to establish non-repudiation of origin for a message
3.32
non-repudiation policy
set of criteria for the provision of non-repudiation services
NOTE More specifically, a set of rules to be applied for the generation and verification of evidence and for
adjudication.
3.33
non-repudiation of receipt
service intended to protect against a recipient's false denial of having received a message
3.34
non-repudiation of sending
service intended to protect against the sender's false denial of having sent a message
3.35
non-repudiation service requester
entity that requests that non-repudiation evidence be generated for a particular event or action
3.36
non-repudiation of submission
service intended to provide evidence that a delivery authority has accepted a message for transmission
3.37
non-repudiation of submission token
data item which allows either the originator (sender) or the delivery authority to establish non-repudiation of
submission for a message having been submitted for transmission
3.38
non-repudiation token
special type of security token as defined in ISO/IEC 10181-1, consisting of evidence, and, optionally, of
additional data
3.39
non-repudiation of transport
service intended to provide evidence for the message originator that a delivery authority has delivered a
message to the intended recipient
3.40
non-repudiation of transport token
a data item which allows either the originator or the delivery authority to establish non-repudiation of transport
for a message
3.41
notary authority
trusted third party trusted to provide evidence about the properties of the entities involved and of the data
stored or communicated, or to extend the lifetime of an existing token beyond its expiry or beyond subsequent
revocation
3.42
notarization
provision of evidence by a notary about the properties of the entities involved in an action or event, and of the
data stored or communicated
3.43
notarization token
non-repudiation token generated by a notary
3.44
originator
entity that sends a message to the recipient or makes available a message for which non-repudiation services
are to be provided
3.45
private key
key of an entity's asymmetric key pair which can only be used by that entity
[ISO/IEC 11770-3]
NOTE In the case of an asymmetric signature system, the private key defines the signature transformation. In the
case of an asymmetric encipherment system, the private key defines the decipherment transformation.
3.46
proof
corroboration that evidence is valid in accordance with the non-repudiation policy in force
NOTE Proof is evidence that serves to prove the truth or existence of something.
3.47
public key
key of an entity's asymmetric key pair which can be made public
[ISO/IEC 11770-3]
NOTE In the case of an asymmetric signature scheme, the public key defines the verification transformation. In the
case of an asymmetric encipherment system, the public key defines the encipherment transformation. A key that is
'publicly known' is not necessarily globally available. The key might only be available to all members of a pre-specified
group.
3.48
public key certificate
public key information of an entity signed by the certification authority and thereby rendered unforgeable
[ISO/IEC 11770-3]
3.49
recipient
entity that gets (receives or fetches) a message for which non-repudiation services are to be provided
3.50
secret key
key used with symmetric cryptographic techniques and usable only by a set of specified entities
NOTE Adapted from ISO/IEC 11770-3:1999, 3.35.
3.51
security authority
entity that is responsible for the definition or enforcement of security policy
NOTE Adapted from ISO/IEC 10181-1, 3.3.17.
3.52
security certificate
set of security-relevant data issued by a security authority or trusted third party, together with security
information which is used to provide the integrity and data origin authentication
NOTE Adapted from ISO/IEC 10181-1, 3.3.18.
3.53
secure envelope
SENV
set of data items which is constructed by an entity in such a way that any entity holding the secret key can
verify their integrity and origin
NOTE For the purpose of generating evidence, the SENV is constructed and verified by a trusted third party (TTP)
with a secret key known only to the TTP.
3.54
security policy
set of criteria for the provision of security services
[ISO 7498-2]
3.55
security token
set of security-relevant data that is protected by integrity and data origin authentication from a source which is
not considered a security authority
NOTE Adapted from ISO/IEC 10181-1, 3.3.26.
3.56
signer
entity generating a digital signature
3.57
time-stamp
time variant parameter which denotes a point in time with respect to a common time reference
[ISO/IEC 18014-1]
3.58
time-stamping authority
trusted third party trusted to provide a time-stamping service
[ISO/IEC 18014-1]
3.59
trust
relationship between two elements, a set of activities and a security policy in which element x trusts element y
if and only if x has confidence that y will behave in a well defined way (with respect to the activities) that does
not violate the given security policy
NOTE Adapted from ISO/IEC 10181-1, 3.3.28.
3.60
trusted third party
security authority, or its agent, trusted by other entities with respect to security-related activities
NOTE 1 Adapted from ISO/IEC 10181-1, 3.3.30.
NOTE 2 In the context of ISO/IEC 13888, a trusted third party is trusted by the originator, the recipient, and/or the
delivery authority for the purposes of non-repudiation, and by another party such as an adjudicator.
3.61
trusted time-stamp
time-stamp assured by a time-stamping authority
3.62
verification key
value required to verify a MAC
3.63
verifier
entity that verifies evidence
4 Symbols and abbreviated terms
A, B Distinguishing identifiers for two entities.
CA Certification authority.
CHK_X(y) The cryptographic check value computed on the data y using the key of entity X.
DA The distinguishing identifier of the delivery authority.
GNRT Generic non-repudiation token.
Q Optional data that need to be origin/integrity protected.
Imp(y) The imprint of the data string y, either (1) the hash-code of data string y, or (2) the data string y.
m A message for which evidence is generated.
MAC Message Authentication Code.
NA Notary authority.
NRDT Non-repudiation of delivery token.
NRI Non-repudiation information.
NROT Non-repudiation of origin token.
NRST Non-repudiation of submission token.
NRTT Non-repudiation of transport token.
NT Notarization token.
OSI Open Systems Interconnection.
Pol The distinguishing identifier of the non-repudiation policy (or policies) which apply to evidence.
SENV Secure envelope.
SENV_X(y) Secure envelope computed on data y using the secret key of entity X.
SIG Signed message.
SIG_X(y) Signed message generated on data y by entity X using its private key.
S_X(y) The signature computed on data y using a signature algorithm and the private key of entity X.
text A data item forming a part of the token that may contain additional information, e.g., a key
identifier and/or message identifier.
T_g Date and time the evidence was generated.
T_i Date and time the event or action took place.
TSA The distinguishing identifier of the trusted time-stamping authority.
TST Time-stamping token generated by the TSA.
TTP The distinguishing identifier of the trusted third party.
V_X(y) The verification operation applied to data y (a secure envelope or a digital signature) by using a
verification algorithm and the verification key of entity X.
(y, z) The result of the concatenation of y and z in that order.
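The distinction behind definition 3.53 and its NOTE, written out with the symbols of Clause 4 as an added example that is not text from ISO/IEC 13888: a secure envelope SENV_TTP(y) is a check value under a key known only to the TTP, whereas a MAC under a key shared by A and B can be computed by either of them and so cannot settle which one produced it. The field layout, the JSON encoding, the choice of HMAC-SHA-256, the policy identifier and all keys, messages and times are assumptions constructed for this example, not the token format specified by the standard.

```python
import hashlib
import hmac
import json

POLICY_ID = "example-policy-1"  # constructed value standing in for Pol


def imp(data: bytes) -> str:
    """Imp(y), using the hash-code option (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).hexdigest()


def _encode(fields: dict) -> bytes:
    # Canonical encoding: one byte string per set of fields, so the check
    # value cannot be reinterpreted under a different field split.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class TrustedThirdParty:
    """Evidence generating authority; its secret key never leaves this object."""

    def __init__(self, identifier: str, secret_key: bytes):
        self.identifier = identifier
        self._key = secret_key

    def _chk(self, fields: dict) -> str:
        # CHK_TTP(y): cryptographic check value on y under the TTP's key.
        return hmac.new(self._key, _encode(fields), hashlib.sha256).hexdigest()

    def generate_senv(self, a: str, b: str, m: bytes, t_g: str) -> dict:
        fields = {"Pol": POLICY_ID, "A": a, "B": b, "TTP": self.identifier,
                  "Tg": t_g, "Imp": imp(m)}
        return {"fields": fields, "chk": self._chk(fields)}

    def verify_senv(self, senv: dict, m: bytes) -> bool:
        """V_TTP(y): check value first, then the imprint against the message."""
        try:
            fields, chk = senv["fields"], senv["chk"]
            if not hmac.compare_digest(self._chk(fields), chk):
                return False
            return hmac.compare_digest(fields["Imp"], imp(m))
        except (KeyError, TypeError, ValueError):
            return False  # a malformed envelope is not evidence


def demo() -> dict:
    ttp = TrustedThirdParty("TTP", b"constructed-ttp-secret-key-0000000")
    m = b"transfer 100 units to B"  # constructed message
    senv = ttp.generate_senv("A", "B", m, "2009-07-15T12:00:00Z")

    # Same check value, different evidence subject: must be rejected.
    relabelled = {"fields": dict(senv["fields"], A="C"), "chk": senv["chk"]}

    # Contrast: a MAC under a key shared by A and B. B computes exactly the
    # tag A would, so the tag says nothing about which of them produced it.
    k_ab = b"constructed-key-shared-by-A-and-B"
    tag_by_a = hmac.new(k_ab, m, hashlib.sha256).digest()
    tag_by_b = hmac.new(k_ab, m, hashlib.sha256).digest()

    return {
        "valid": ttp.verify_senv(senv, m),
        "altered_message": ttp.verify_senv(senv, b"transfer 900 units to B"),
        "relabelled_subject": ttp.verify_senv(relabelled, m),
        "pairwise_tags_equal": hmac.compare_digest(tag_by_a, tag_by_b),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because only the TTP holds the key, A and B cannot verify the envelope themselves; in this sketch every verification is a call to the TTP.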
5 Organisation of the remainder of this part of ISO/IEC 13888
Non-repudiation services are modelled by first specifying basic requirements in Clause 6, and then describing
in Clause 7 the roles of the entities involved in the provision and verification of evidence. The involvement of
trusted third parties in the various phases of non-repudiation, in particular in the provision and verification of
evidence, is described in Clause 8. Evidence generation and verification mechanisms are described in
Clause 9, involving the generation of secure envelopes and digital signatures based on symmetric and
asymmetric cryptographic techniques respectively. Cryptographic check functions common to both basic
mechanisms are derived in order to better represent non-repudiation tokens. In Clause 10 three kinds of
tokens are defined, firstly, the generic non-repudiation token suitable for many non-repudiation services,
secondly, the time-stamping token generated by a trusted time-stamping authority and, thirdly, the notarization
token generated by a notary to provide evidence about the properties of the entities involved and of the data
stored or communicated. Specific non-repudiation services and non-repudiation tokens are described in
Clause 11. An example of the use of specific non-repudiation tokens in a messaging environment is given in
Clause 12.
6 Requirements
Depending on the derivation of the cryptographic check value used for generating secure envelopes and
digital signatures, and independent of the non-repudiation service supported by the non-repudiation
mechanisms, the following requirements hold for the entities involved in a non-repudiation exchange:
⎯ The entities of a non-repudiation exchange shall trust any trusted third party (TTP) involved in the
exchange.
NOTE When using symmetric cryptographic algorithms, a TTP is always required. When using asymmetric
cryptographic algorithms a TTP is always required to either generate a public-key certificate or create a digital
signature for evidence.
⎯ Prior to the generation of evidence, the evidence generator has to know which non-repudiation policy is
acceptable to the verifier(s), the kind of evidence that is required and the set of mechanisms that are
acceptable to the verifier(s).
⎯ Either the mechanisms for generating or verifying evidence shall be available to the entities of the
particular non-repudiation exchange, or a trusted authority shall be available to provide the mechanisms
and perfo
...
