ISO/IEC 9798-6:2005

INTERNATIONAL ISO/IEC
STANDARD 9798-6
First edition
2005-08-01


Information technology — Security
techniques — Entity authentication —
Part 6:
Mechanisms using manual data transfer
Technologies de l'information — Techniques de sécurité —
Authentification d'entité —
Partie 6: Mécanismes utilisant un transfert manuel de données




Reference number
ISO/IEC 9798-6:2005(E)
©
ISO/IEC 2005

---------------------- Page: 1 ----------------------
ISO/IEC 9798-6:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2005 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 9798-6:2005(E)

Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Symbols and abbreviated terms . 2
5 Requirements . 3
6 Mechanisms using a short check-value. 4
6.1 General. 4
6.2 Mechanism 1 – One device with simple input, one device with simple output. 4
6.2.1 Requirements . 4
6.2.2 Specification of data exchanged. 4
6.2.3 Manual authentication certificates. 5
6.3 Mechanism 2 – Devices with simple input capabilities . 6
6.3.1 Requirements . 6
6.3.2 Specification of data exchanged. 6
7 Mechanisms using a MAC. 7
7.1 General. 7
7.2 Mechanism 3 – Devices with simple output capabilities. 7
7.2.1 General. 7
7.2.2 Requirements . 7
7.2.3 Specification of data exchanged in mechanism 3a. 7
7.2.4 Specification of data exchanged in mechanism 3b . 9
7.3 Mechanism 4 – One device with simple input, one device with simple output. 10
7.3.1 General. 10
7.3.2 Requirements . 10
7.3.3 Specification of data exchanged in mechanism 4a. 10
7.3.4 Specification of data exchanged in mechanism 4b . 11
Annex A (informative) Using manual authentication protocols for the exchange of secret keys . 12
A.1 General. 12
A.2 Authenticated Diffie-Hellman key agreement . 12
A.3 Authenticated Diffie-Hellman key agreement using a manual authentication certificate . 12
A.3.1 General. 12
A.3.2 Stage 1 . 13
A.3.3 Stage 2 (initiated by either device at some later time).13
A.4 More than two components . 13
Annex B (informative) Using manual authentication protocols for the exchange of public keys . 14
B.1 General. 14
B.2 Requirements . 14
B.3 Private key generated in device . 14
B.4 Private key generated externally. 15
Annex C (informative) On mechanism security and choices for parameter lengths . 16
C.1 General. 16
C.2 Use of mechanisms 1 and 2. 16
C.3 Use of mechanisms 3 and 4. 17
Annex D (informative) A method for generating short check-values. 18
D.1 General . 18
Bibliography . 20
© ISO/IEC 2005 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 9798-6:2005(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 9798-6 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 9798 consists of the following parts, under the general title Information technology — Security
techniques — Entity authentication:
 Part 1: General
 Part 2: Mechanisms using symmetric encipherment algorithms
 Part 3: Mechanisms using digital signature techniques
 Part 4: Mechanisms using a cryptographic check function
 Part 5: Mechanisms using zero-knowledge techniques
 Part 6: Mechanisms using manual data transfer
iv © ISO/IEC 2005 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 9798-6:2005(E)
I ntroduction
W ithin networks of communicating devices it is often necessary for two devices to perform an entity
authentication procedure using a channel which may be subject to both passive and active attacks, where
an active attack may include a malicious third party introducing data into the channel and/or modifying, deleting
or repeating data legitimately sent on the channel. Other parts of this International Standard describe entity
authentication mechanisms applicable when the two devices share a secret key, or where one device has an
authenticated copy of a public key for the other device.
In this part of ISO/IEC 9798, entity authentication mechanisms, referred to as manual authentication
mechanisms, are specified where there is no such assumption of pre-established keying relationships.
Instead entity authentication is achieved by manually transferring short data strings from one device to the
other, or by manually comparing short data strings output by the two devices.
For the purposes of this part of ISO/IEC 9798, the meaning of the term entity authentication is different to the
meaning applied in other parts of ISO/IEC 9798. Instead of one device verifying that the other device has a
claimed identity (and vice versa), both devices in possession of a user verify that they correctly share a data
string with the other device at the time of execution of the mechanism. Of course, this data string could
contain identifiers for one or both of the devices.
As described in informative annexes A and B, a manual authentication mechanism may be used as the basis
for secret key establishment or reliable exchange of public keys. A manual authentication mechanism could
also be used for reliable exchange of other secret or public security parameters, including security policy
statements or timestamps.
© ISO/IEC 2005 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD                 ISO/IEC 9798-6:2005(E)
Information technology — Security techniques — Entity
authentication —
Part 6:
Mechanisms using manual data transfer
1 Scope
This part of ISO/IEC 9798 specifies four entity authentication mechanisms based on manual data transfer
between authenticating devices. As described in Annexes A and B, these mechanisms may be used to
support key management functions; guidance on secure choice of parameters for the mechanisms is provided
in Annex C.
Such mechanisms may be appropriate in a variety of circumstances. One such application occurs in personal
networks, where the owner of two personal devices capable of wireless communications wishes them to
perform an entity authentication procedure as part of the process of preparing them for use in the network.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 9798-1:1997, Information technology — Security techniques — Entity authentication — Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 9798-1 and the following
apply.
3.1
check-value
string of bits, computed as the output of a check-value function, sent from the data originator to data recipient
that enables the recipient of data to check its correctness
3.2
check-value function
function f which maps strings of bits and a short secret key, i.e. a key that can readily be entered into or read
from a user device, to fixed-length strings of bits, satisfying the following properties:
 for any key k and any input string d, the function f(d, k) can be computed efficiently;
 it shall be computationally infeasible to find a pair of data strings (d, d′) for which the number of keys
which satisfy f(d, k) = f(d′, k) is more than a small fraction of the possible set of keys.
NOTE 1 In practice, a short key would typically contain 4-6 digits or alphanumeric characters.
NOTE 2 In practice, security is maximized if the set of possible outputs from the check-value function is the same size
as the set of possible keys.
© ISO/IEC 2005 — All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 9798-6:2005(E)
3.3
data origin authentication
corroboration that the source of data received is as claimed
[ISO 7498-2]
3.4
manual authentication certificate
combination of a secret key and a check value generated by one of the two devices engaging in manual
authentication, with the property that, when entered into the other device, these values can be used to
complete the manual authentication process at some later time
3.5
Message Authentication Code
MAC
string of bits which is the output of a MAC algorithm
[ISO/IEC 9797-1]
3.6
Message Authentication Code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits,
satisfying the following properties:
 for any key and any input string the function can be computed efficiently;
 for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the
function value on any new input string, even given knowledge of the set of input strings and
corresponding function values, where the value of the ith input string may have been chosen after
observing the value of the first i-1 function values.
[ISO/IEC 9797-1]
3.7
manual entity authentication
process achieving entity authentication between two devices using a combination of message exchanges via
a (potentially insecure) communications channel and the manual transfer of limited amounts of data between
the devices
3.8
simple input interface
interface for a device that shall allow the user to indicate to the device the successful or unsuccessful
completion of a procedure, e.g. as could be implemented as a pair of buttons or a single button which is either
pressed or not within a certain time interval
3.9
simple output interface
interface for a device that shall allow the device to indicate to the user the successful or unsuccessful
completion of a procedure, e.g. as could be implemented by red and green lights or as single light which is lit
in different ways to indicate success or failure
4 Symbols and abbreviated terms
A, B Labels used for the two devices engaging in a manual entity authentication mechanism
D Data string whose value is established between devices A and B as the result of performing
a manual entity authentication mechanism
2 © ISO/IEC 2005 — All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 9798-6:2005(E)
I , I Distinguishing identifiers of A and B respectively.
A B
K (Short) secret key used with a check-value function in mechanisms 1 and 2
K , K , K , K Random MAC keys used in mechanisms 3 and 4
A Ai B Bi
MAC Message Authentication Code
R (Short) random bit-string used in mechanisms 3 and 4
5 Requirements
The authentication mechanisms specified in this part of ISO/IEC 9798 have the following requirements.
a) The pair of devices performing the manual authentication procedure shall be connected via a
communications link (e.g. a wireless link). No security assumptions are made regarding this link; that is,
the mechanisms are designed to operate securely even in an environment where an attacker can monitor
and change data transferred on this link.
b) The pair of devices performing the manual authentication procedure shall both have a user interface
capable of data input and data output.
c) The user data input interface for a device shall, at minimum, be capable of indicating successful or
unsuccessful completion of a procedure (e.g. as could be implemented by using either two buttons or a
single button which is either pressed or not within a certain time interval); such a means of data input is
referred to below as a simple input interface. By contrast, a standard input interface shall provide means
for the input of a short string of symbols, e.g. a numeric, hexadecimal or alphanumeric keypad. Unless
explicitly stated otherwise, it is necessary that every device has a standard means of data input.
d) The user data output interface for a device shall, at minimum, be capable of indicating either success or
failure of an authentication procedure (e.g. as could be implemented by means of red and green lights);
such a means of data output is referred to below as a simple output interface. By contrast, a standard
output interface shall provide means for the output of a short string of symbols, e.g. a numeric,
hexadecimal or alphanumeric display. Unless explicitly stated otherwise, it is necessary that every device
has a standard means of data output.
e) For mechanisms 1 and 2, the two devices performing the entity authentication procedure shall have
agreed on the use of a specific check-value function, and shall have the means to implement this
function.
NOTE Guidance on appropriate choices for check-value functions and lengths for check-values and random keys
for use in mechanisms 1 and 2 is provided in Annex C. A construction for an unconditionally secure check-value
function suitable for use with mechanisms 1 and 2 is given in Annex D.
f) For mechanisms 3 and 4, the two devices performing the entity authentication procedure shall have
agreed on the use of a specific MAC algorithm, and shall have the means to implement this algorithm.
NOTE Guidance on appropriate choices for MAC algorithms and lengths for MACs and random keys for use in
mechanisms 3 and 4 is provided in Annex C.
g) Prior to invocation of one of the manual authentication mechanisms, the two devices performing the
mechanism shall have exchanged a data string D. This may be generated by one device and sent to the
other device, or it may consist of the concatenation of data generated by both devices and sent in both
directions across the communications link.
h) Either a single human user shall be in possession of both devices and shall operate them both, or the two
devices shall be operated by two users who share a trusted means of communication.
© ISO/IEC 2005 — All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 9798-6:2005(E)
6 Mechanisms using a short check-value
6.1 General
In this clause two manual authentication mechanisms are specified that are based on the use of a check-
value. The two mechanisms are appropriate for different types of devices. Specifically,
 the first mechanism (mechanism 1) is appropriate for the case where one device has a simple input
interface and the other has a simple output interface, and
 the second mechanism (mechanism 2) is appropriate for the case where both devices have a simple
input interface.
A standard input or output interface can emulate a simple interface, and hence if both devices have standard
input and output interfaces then either of the mechanisms may be used.
Both mechanisms operate in the following general way. A data string D is transferred from one device to the
other (or is the concatenation of data transferred in both directions) via the communications link between
them. The manual entity authentication mechanism is then executed. As a result of the mechanism both
devices are provided with assurance that the data string D they possess is the same as the value held by the
other device.
6.2 Mechanism 1 – One device with simple input, one device with simple output
6.2.1 Requirements
This mechanism has the following specific requirements.
a) The mechanism specified in this subclause is appropriate for the case where one device (device A) has a
simple input interface and the other (device B) has a simple output interface.
b) Device A shall have the means to generate keys.
6.2.2 Specification of data exchanged
The following data exchanges and operations shall take place (see also Figure 1).
a) Both devices shall output a signal to acknowledge that they have received data D and that they are ready
for the authentication mechanism to commence. On observing that both devices are ready, the user shall
then enter a signal into device A to notify it that the mechanism can start.
b) Device A shall generate a random key K, where K is suitable for use with the check-value function shared
by the two components. Using this key K, device A shall compute a check-value as a function of the data
D. The check-value and the key K shall then be output via the output interface of device A. The user shall
read the check-value and the key K from the output interface.
c) The user shall enter the check-value and the key K output by device A to device B using its input interface.
Device B shall use the key K to re-compute the check-value as a function of its stored version of data D.
If the two check-values agree, then device B shall output a success signal to the user via its simple output
interface. Otherwise it shall give a failure signal.
d) The user shall enter the result output by device B, i.e. success or failure, into device A via its simple input
interface.
4 © ISO/IEC 2005 — All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 9798-6:2005(E)
A B
simple simple
input output
Output: Data D ready Output: Data D ready
User verifies: Both components ready
User enters: Start
Generate K, compute
check-value, and output
K and check-value
User reads K and check-value User enters K and check-value
Recompute check-
value and compare
Output Accept or Reject
User reads result
User enters result
Figure 1 — Manual authentication mechanism 1
6.2.3 Manual authentication certificates
Manual authentication mechanism 1 has the property that no authentication information is transmitted over the
insecure channel. Therefore, it does not affect the security of the mechanism if the manual authentication
values K and check-value are transferred from device A to device B before the latter has received the actual
data D. Naturally, such an approach is applicable only to situations where device A generates the data D.
However, in such a case, mechanism 1 offers a means of authenticating data to be received at some later
time. Such authentication means is called a manual authentication certificate. A protocol for data origin
authentication using a manual authentication certificate is now specified (with the same requirements as
specified in subclause 6.2.1). Note that this protocol does not provide entity authentication.
Suppose device A has data D that needs to be sent to device B at some later time.
a) Device A generates a random key K, where K is suitable for use with the check-value function shared by
the two devices. Using this key K, device A computes a check-value as a function of the data D. The
check-value and the key K are then output to the user by the output interface of device A. The user reads
the output check-value and key K.
b) The user enters the check-value and key K output from device A to the input interface of device B. The
key K and the check-value are stored in device B.
c) When device B at some later time receives data D, it can verify the authenticity of the data using the
stored values of K and check-value. Device B uses the key K to recompute the check-value as a function
of the received data D. If the two check-values agree then device B accepts the data and outputs a
success signal to the user. Otherwise it gives a failure signal.
The manual authentication certificate consists of K and the check-value computed as a function of K and D.
NOTE An example of data that could be included in D are a public key of a device, its identity, the domain of service,
etc. In Annex A an example is provided of how manual authentication certificates can be used to establish a shared
secret key between two devices.
© ISO/IEC 2005 — All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 9798-6:2005(E)
6.3 Mechanism 2 – Devices with simple input capabilities
6.3.1 Requirements
This mechanism has the following specific requirements.
a) The mechanism specified in this subclause is appropriate for the case where both devices (A and B) have
a simple input interface.
b) One of the devices (the device labelled A below) shall have the means to generate keys.
6.3.2 Specification of data exchanged
The following data exchanges and operations shall take place (see also Figure 2).
a) Both devices shall output a signal to acknowledge that they have received data D and that they are ready
for the authentication mechanism to commence. On observing that both devices are ready, the user shall
then enter a signal into device A to notify it that the mechanism can start.
b) Device A shall generate a random key K, where K is suitable for use with the check-value function shared
by the two components. Using this key K, device A shall compute a check-value as a function of the data
D. The check-value and the key K shall then be output via the output interface of device A. Device A shall
also transmit the key K to device B via the communications link.
c) Device B shall use the key K to compute the check-value as a function of its stored version of data D, and
shall output the key K and the computed check-value.
d) The user shall compare the two output check-values and the two output keys. If the values agree,
then the user enters a signal of acceptance into both devices. If the check-values or the key values are
different then the mechanism has failed and the user shall enter a rejection signal into the devices. The
devices shall interpret the absence of an acceptance signal as a failure signal (this will require the
implementation of a time-out mechanism).

A B
simple simple
input input
Output: Data D ready Output: Data D ready
User verifies: Both components ready
User enters: Start
Generate K, and
transmit K to second
component
Receive K
Compute check-value Compute check-value
Output K and check-value Output K and check-value
User compares the key K and the two check-values.
User enters OK or REJECT in both components.
Figure 2 — Manual authentication mechanism 2
6 © ISO/IEC 2005 — All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 9798-6:2005(E)
7 Mechanisms using a MAC
7.1 General
In this clause two manual authentication mechanisms are specified that are based on the use of a Message
Authentication Code (MAC). The two mechanisms are appropriate for different types of devices. Specifically,
 the first mechanism (mechanism 3) is appropriate for the case where both devices have a simple output
interface, and
 the second mechanism (mechanism 4) is appropriate for the case where one device has a simple input
interface and the other has a s
...