标准摘要
[中文适用范围]: 本部分定义了基于非对称加密技术密钥管理机制。它专门解决了使用非对称技术实现以下目标:a) 通过密钥协商在两个实体A和B之间建立用于对称加密技术的共享密钥。在秘密密钥协商机制中,共享密钥是两个实体A和B之间数据交换的结果。任何一方都不应能够预先确定共享密钥的值。b) 通过密钥传输在两个实体A和B之间建立用于对称加密技术的共享密钥。在秘密密钥传输机制中,秘密密钥由一个实体A选择,并通过非对称技术适当保护后传输给另一个实体B。c) 通过密钥传输将实体的公钥提供给其他实体。在公钥传输机制中,实体A的公钥应以认证方式传输给其他实体,但不要求保密。本部分的一些机制基于ISO/IEC 9798-3中的相应认证机制。本部分不涵盖密钥管理的某些方面,例如:密钥生命周期管理;生成或验证非对称密钥对的机制;存储、归档、删除、销毁等密钥的机制。虽然本部分没有明确涵盖从可信第三方向请求方分发实体私钥(非对称密钥对),但所描述的密钥传输机制可用于实现这一点。在任何情况下,如果已存在未受损的现有密钥,均可使用这些机制分发私钥。然而,在实践中,私钥的分发通常是一个依赖智能卡等技术手段的手工过程。本部分不指定密钥管理机制中使用的转换。注:为了为密钥管理消息提供来源认证,可以在密钥建立协议内提供认证措施,或使用公钥签名系统对密钥交换消息进行签名。 [外文原描述]: ISO/IEC 11770-3:2015 defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals: a) establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as the result of a data exchange between the two entities A and B. Neither of them should be able to predetermine the value of the shared secret key; b) establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one entity A and is transferred to another entity B, suitably protected by asymmetric techniques; and c) make an entity's public key available to other entities via key transport. In a public key transport mechanism, the public key of entity A shall be transferred to other entities in an authenticated way, but not requiring secrecy. Some of the mechanisms of ISO/IEC 11770-3:2015 are based on the corresponding authentication mechanisms in ISO/IEC 9798‑3. ISO/IEC 11770-3:2015 does not cover certain aspects of key management, such as key lifecycle management, mechanisms to generate or validate asymmetric key pairs, and mechanisms to store, archive, delete, destroy, etc. keys. While ISO/IEC 11770-3:2015 does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this. A private key can in all cases be distributed with these mechanisms where an existing, non-compromised key already exists. However, in practice the distribution of private keys is usually a manual process that relies on technological means such as smart cards, etc. ISO/IEC 11770-3:2015 does not specify the transformations used in the key management mechanisms.
英文名称Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques