ISO 11568-4 pdf download – Banking -Key management (retail)—Part 4: Asymmetric cryptosystems 一Key management and life cycle.
3.8
credentials
denWication data for an entity. incorporating at a minimum the entity’s distinguished name and public key
NOTE Addoonal data can be inc*,ded.
cryptoperlod
time span during which a specific key is authorized for use or in which the keys for a given system may iemaln in effect
3.10
digital signature system
asymmetric cryptosystem that provides for the creation and subsequent verification of digital signatures
hash function
one-way function that maps a set of airings of arbitrary length on to a set of fixed-length strings of bits
NOTE A colllsion-reslslant hash function one with the property that if Is compulallonally nteas4e to conetruct distinct inputs that map to the same output.
3.12
independent communication
process that allows an entity to counter-verity the correctness of a credential and identification documents prior to producing a certificate (e.g.. call-back, visual identification, etc.)
3.13
key agreement
process of establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key
3.14
key share
one of at least two parameters related to a cryptographic key generated in such a way that a quorum of such parameters can be combined to form the cryptographic key but such that fewer than a quorum provide no information about the key
3.15
non-repudiation of origin
property that the originator of a message and associated cryptographic check value (Ic., digital signature) is not able to subsequently deny, with an accepted level of credibility, having originated the message
4 Uses of asymmetric cryptosystems In retail financial services systems
4.1 General
Asymmetric cryptosystems include asymmetric ciphers. digital signature systems and key agreement systems.
In financial services systems, asymmetric cryptosystems are used predominantly for key management: firstly for the management of the keys of symmetric ciphers, and secondly for the management of the keys of the asymmetric cryptosystems themselves. This clause describes these applications of asymmetric cryptosystenis. Clause 5 describes the techniques employed in support of these applications relating to key management services and certificate management. Clause 6 describes how these techniques and methods are used in relation to the security and implementation requirements for the key paw life cycle.
An independent communication shall be used to verity that the identification of the key and Is owner are correct and authonzed This may require confirmation obtained via a different channel from the one whereby the information was originally obtained.
During distribution to authorized recipients, o during storage in a key database, the authenticity of the peAAic key shall be ensured.
5.4 Key separation techniques
5.4.1 General
In order to ensure that a stored key is useable only for its intended purpose, key separation for stored keys shall be provided by one or more of the following:
a) physically segregating stored keys as a function of their intended purpose;
b) storing a key enciphered under a key encipherment key dedicated to encipherment of a specific type of key;
C) modifying or appending information to a key as a fts’iction of its intended purpose, prior ID encipherment of the key for storage i.e.. key tagging.
5.4.2 Key tagging
5.4.2.1 General
Key tagging is a technique for identifying the type of a key existing outside a secure cryptographic facikty and the uses to which that key can be put. The key value and its privileges are bound together in a manner that prevents undetectable modifications to either.
5.4.2.2 ExplicIt key tagging
Explicit key tagging involves the use of a field containing information defining the limits of privilege for the associated key and key type. This field is bound together with the key value in a manner that prevents undetectable mootfications to either.
5.4.2.3 ImplIcit key tagging
Implicit key tagging does not rety on the use of an explicit field containing information defining the limits of privilege for the associated key and key type, but rather relies on other characteristics of the system such as the position of the key In the record, or the associated functions to determine and limit the rights and privileges of the key.
5.5 Key verification
Key verification Is a technique that allows the value of a key to be checked and venfied. withoul exposing any secret values arid without using plic key certificates. The technique utibzes a key verification code (KVC) that is cryptographically related to the key via a collision-resistant one-way function. For example, the reference KVC may be computed as the hash of the public or private key and associated data using an algorithm defined in ISO,IEC 10118.
ISO 11568-4 pdf download – Banking -Key management (retail)—Part 4: Asymmetric cryptosystems 一Key management and life cycle
