ISO/IEC 9798-2:1999

INTERNATIONAL ISO/IEC
STANDARD 9798-2
Second edition
1999-07-15
Information technology — Security
techniques — Entity authentication —
Part 2:
Mechanisms using symmetric encipherment
algorithms
Technologies de l'information — Techniques de sécurité — Authentification
d'entité —
Partie 2: Mécanismes utilisant des algorithmes de chiffrement symétriques
Reference number
B C
ISO/IEC 9798-2:1999(E)

---------------------- Page: 1 ----------------------
ISO/IEC 9798-2:1999(E)
Contents
1 Scope .1
2 Normative references .1
3 Definitions and notation.1
4 Requirements.2
5 Mechanisms not involving a trusted third party.2
5.1 Unilateral authentication.2
5.1.1 One pass authentication .3
5.1.2 Two pass authentication.3
5.2 Mutual authentication.4
5.2.1 Two pass authentication.4
5.2.2 Three pass authentication .5
6 Mechanisms involving a trusted third party .6
6.1 Four pass authentication .6
6.2 Five pass authentication.7
Annex A (informative) Use of text fields .10
Bibliography.11
©  ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced
or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
© ISO/IEC
ISO/IEC 9798-2:1999(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
International Standard ISO/IEC 9798-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 9798-2:1994), which has been technically
revised. Note, however, that implementations which comply with ISO/IEC 9798-2 (1st edition) will be compliant with
ISO/IEC 9798-2 (2nd edition).
ISO/IEC 9798 consists of the following parts, under the general title Information technology — Security techniques
— Entity authentication:
 Part 1: General

Part 2: Mechanisms using symmetric encipherment algorithms
 Part 3: Mechanisms using digital signature techniques
 Part 4: Mechanisms using a cryptographic check function
 Part 5 : Mechanisms using zero knowledge techniques
Further parts may follow.
Annex A of this part of ISO/IEC 9798 is for information only.
iii

---------------------- Page: 3 ----------------------
INTERNATIONAL STANDARD  © ISO/IEC ISO/IEC 9798-2:1999(E)
Information technology — Security techniques — Entity
authentication —
Part 2:
Mechanisms using symmetric encipherment algorithms
1 Scope
This part of ISO/IEC 9798 specifies entity authentication mechanisms using symmetric encipherment algorithms.
Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved;
two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms
for mutual authentication of two entities. The remaining mechanisms require a trusted third party for the
establishment of a common secret key, and realize mutual or unilateral entity authentication.
The mechanisms specified in this part of ISO/IEC 9798 use time variant parameters such as time stamps, sequence
numbers, or random numbers, to prevent valid authentication information from being accepted at a later time or
more than once.
If no trusted third party is involved and a time stamp or sequence number is used, one pass is needed for unilateral
authentication, while two passes are needed to achieve mutual authentication. If no trusted third party is involved
and a challenge and response method employing random numbers is used, two passes are needed for unilateral
authentication, while three passes are required to achieve mutual authentication. If a trusted third party is involved,
any additional communication between an entity and the trusted third party requires two extra passes in the
communication exchange.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of
this part of ISO/IEC 9798. For dated references, subsequent amendments to, or revisions of, any of these
publications do not apply. However, parties to agreements based on this part of ISO/IEC 9798 are encouraged to
investigate the possibility of applying the most recent editions of the normative documents indicated below. For
undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC
maintain registers of currently valid International Standards.
ISO/IEC 9798-1:1997, Information technology — Security techniques — Entity authentication — Part 1: General.
ISO/IEC 11770-2:1996, Information technology — Security techniques — Key management — Part 2: Mechanisms
using symmetric techniques.
3 Definitions and notation
For the purposes of this part of ISO/IEC 9798, the definitions and notation described in ISO/IEC 9798-1 apply.
1

---------------------- Page: 4 ----------------------
© ISO/IEC
ISO/IEC 9798-2:1999(E)
4 Requirements
In the authentication mechanisms specified in this part of ISO/IEC 9798 an entity to be authenticated corroborates
its identity by demonstrating its knowledge of a secret authentication key. This is achieved by the entity using its
secret key to encipher specific data. The enciphered data can be deciphered by anyone sharing the entity's secret
authentication key.
The authentication mechanisms have the following requirements. If any one of these is not met then the
authentication process may be compromised or it cannot be implemented.
a) A claimant authenticating itself to a verifier shall share a common secret authentication key with that verifier, in
which case the mechanisms of clause 5 apply, or each entity shall share a secret authentication key with a
common trusted third party, in which case the mechanisms of clause 6 apply. Such keys shall be known to the
involved parties prior to the commencement of any particular run of an authentication mechanism. The method
by which this is achieved is beyond the scope of this part of ISO/IEC 9798.
b) If a trusted third party is involved it shall be trusted by both the claimant and the verifier.
c) The secret authentication key shared by a claimant and a verifier, or by an entity and a trusted third party, shall
be known only to those two parties and, possibly, to other entities they both trust.
NOTE 1 The encipherment algorithm and the key lifetime should be chosen so that it is computationally infeasible for
a key to be deduced during its lifetime. In addition, the key lifetime should be chosen to prevent known plaintext or
chosen plaintext attacks.
a) For every possibility for the secret key K, the encipherment function eK and its corresponding decipherment
function dK shall have the following property. The decipherment process dK, when applied to a string eK(X),
shall enable the recipient of that string to detect forged or manipulated data, i.e. only the possessor of the secret
key K shall be capable of generating strings which will be ‘accepted’ when subjected to the decipherment
process dK.
NOTE 2 In practice, this can be achieved in many ways. Two examples are as follows.
1. If sufficient redundancy is present in, or appended to, the data, and the encipherment algorithm is chosen with
care, the integrity requirement can be satisfied. The redundancy is checked for correctness by the recipient
before the deciphered data can be accepted as valid.
2. The key K is used to derive a pair of keys K' and K''. The key K'' is then used to calculate a Message
Authentication Code (MAC) on the data to be enciphered, while the key K' is used to encipher the data
concatenated with the MAC. The recipient checks that the value of the MAC is correct before accepting the
deciphered data as valid.
a) The mechanisms in this part of ISO/IEC 9798 require the use of time variant parameters such as time stamps,
sequence numbers or random numbers. The properties of these parameters, in particular that it is most unlikely
for them to repeat within the lifetime of a secret authentication key, are important for the security of these
mechanisms. For additional information see annex B of ISO/IEC 9798-1.
5 Mechanisms not involving a trusted third party
In these authentication mechanisms the entities A and B shall share a common secret authentication key K or two
AB
unidirectional secret keys K and K prior to the commencement of any particular run of the authentication
AB BA
mechanisms. In the latter case the unidirectional keys K and K are used respectively for the authentication of A
AB BA
by B and of B by A.
All text fields specified in the following mechanisms are available for use in applications outside the scope of this
part of ISO/IEC 9798 (they may be empty). Their relationship and contents depend upon the specific application.
See annex A for information on the use of text fields.
5.1 Unilateral authentication
Unilateral authentication means that only one of the two entities is authenticated by use of the mechanism.
2

---------------------- Page: 5 ----------------------
© ISO/IEC
ISO/IEC 9798-2:1999(E)
5.1.1 One pass authentication
In this authentication mechanism the claimant A initiates the process and is authenticated by the verifier B.
Uniqueness/timeliness is controlled by generating and checking a time stamp or a sequence number (see annex B
of ISO/IEC 9798-1). The authentication mechanism is illustrated in Figure 1.
(1) TokenAB
A B (2)
Figure 1
The form of the token (TokenAB), sent by the claimant A to the verifier B is:
T
A
TokenAB = Text2 || eK ( || B || Text1)
AB
N
A
where the claimant A uses either a sequence number N or a time stamp T as the time variant parameter. The
A A
choice depends on the technical capabilities of the claimant and the verifier as well as on the environment.
The inclusion of the distinguishing identifier B in TokenAB is optional.
NOTE Distinguishing identifier B is included in TokenAB to prevent the re-use of TokenAB on entity A by an
adversary masquerading as entity B. Its inclusion is made optional so that, in environments where such attacks
cannot occur, it may be omitted.
The distinguishing identifier B may also be omitted if a unidirectional key is used.
(1) A generates and sends TokenAB to B.
(2) On receipt of the message containing TokenAB, B verifies TokenAB by deciphering the enciphered part (where
deciphering implies that the requirements of 4.d are met) and then checking the correctness of the
distinguishing identifier B, if present, as well as the time stamp or the sequence number.
5.1.2 Two pass authentication
In this authentication mechanism the claimant A is authenticated by the verifier B who initiates the process.
Uniqueness/timeliness is controlled by generating and checking a random number R (see annex B of ISO/IEC
B
9798-1). The authentication mechanism is illustrated in Figure 2.
(1) R || Text1
B
A B (3)
(2) TokenAB
Figure 2
The form of the token (TokenAB), sent by the claimant A to the verifier B is:
TokenAB = Text3 || eK (R || B || Text2) .
AB B
The inclusion of the distinguishing identifier B in TokenAB is optional.
NOTE 1 In order to prevent the possibility of a known plaintext attack, i.e. a cryptanalytic attack where the
cryptan
...