12-安全标准来源.ppt

1、 安全协议与标准2009,12 安全标准与规范RFCISOFIPSX9PKCSP1363NESSIE 安全标准 in RFC安全相关的协议与标准文件，当属RFC中的最全面。RFC中关于安全的文档涉及多个方面：By IETF IETF Security Area Working Groups btns Better-Than-Nothing Security dkim Domain Keys Identified Mail emu EAP Method Update hokey Handover Keying ipsecme IP Security Maintenance and Extensi

2、ons isms Integrated Security Model for SNMP keyprov Provisioning of Symmetric Keys kitten Kitten(GSS-API Next Generation)krb-wg Kerberos ltans Long-Term Archive and Notary Services msec Multicast Security nea Network Endpoint Assessment pkix Public-Key Infrastructure(X.509)sasl Simple Authentication

3、 and Security Layer smime S/MIME Mail Security syslog Security Issues in Network Event Logging tls Transport Layer Security （0）安全综述，阐述了安全的概念、术语、需求，给出了一般化的考虑、建议和机制，如1675、2196、2323、2504、3631、4949等。（1）密码算法和协议/接口规范，比如RC2(2268)、MD5(1321)、PKCS/RSA(3447)、TLS(4346)、IKE(4306)、GSS-API、SASL等。（2）认证授权和访问控制规范，如RA

4、DIUS(2865)、Diameter(3588)、Kerberos、等。（3）应用规范，PGP(4880)、S/MIME、HTTP over TLS(2818)、IPSec、VPN、等。（4）其他规范。RFC：Internet 标准(中译本)http:/ china-pub ISOISO，关于OSI的安全需求(35.100.01)、服务和机制(iso7498)，密码算法(35.040)，安全管理(17799)等。ISO 7498-2 Security ArchitectureISO 10181 Security frameworks for open systemsISO 11586 Gen

5、eric upper layers securityhttp:/www.iso.org/FIPSFIPS，包括DES(46)、AES(197)、DSS(186)、HMAC(198)等；http:/csrc.nist.gov/publications/PubsFIPS.html FIPS-140FIPS 140是密码模块安全性需求最为重要的标准之一，也是业界衡量密码实现的准则。如果机构的信息或数据需要通过密码的方式进行保护，比如金融或者政府机构，那么FIPS 140-2标准则被适用。经过该标准符合性评估认证的产品模块将满足这些机构的密码系统技术要求，目前世界范围很多机构的IT产品采购和招标要求中

6、均提出了产品满足FIPS 140-2的需求。The FIPS 140 are series of publications numbered 140 which are a U.S.government computer security standards that specify requirements for cryptography modules.As of December 2006update,the current version of the standard is FIPS 140-2,issued on 25 May 2001.http:/www.itl.nist.go

7、v/fipspubshttp:/csrc.nist.gov/groups/STM/cmvp/index.html http:/ FIPS 140标准历史和发展情况 CMVPThe Cryptographic Module Validation Program(CMVP)is a joint American and Canadian security accreditation program for cryptographic modules.The program is available to any vendors who seek to have their products cer

8、tified for use by the U.S.Government and regulated industries(such as financial and health-care institutions)that collect,store,transfer,share and disseminate sensitive,but not classfied information.All of the tests under the CMVP are handled by third-party laboratories that are accredited as Crypto

9、graphic Module Testing Laboratories by the National Voluntary Laboratory Accreditation Program(NVLAP).Product certifications under the CMVP are performed in accordance with the requirements of FIPS 140-2.The CMVP was established by the U.S.National Institute of Standards and Technology(NIST)and the

10、Communications Security Establishment(CSE)of the Government of Canada in July 1995.Validated modules listValidated FIPS 140-1 and FIPS 140-2 Cryptographic Moduleshttp:/csrc.nist.gov/groups/STM/cmvp/validation.htmlhttp:/csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm OpenSSL FIPS 140-2 m

11、odulehttp:/www.openssl.org/docs/fips/与通用评估准则（CC）的关系Common Criteria（CC）是业界安全功能和安全保障评估的通用准则，并实现了国际互认。而在美国NIAP体系下的CC产品评估，如果产品包括密码模块或者密码算法，该产品的CC认证证书上将标明该产品是否通过FIPS 140认证。事实上，CC和FIPS 140标准相辅相成，存在强烈的相关性，但关注点各有侧重。在FIPS 140验证中，如果操作环境是可以更改的，那么CC的操作系统需求适用于安全级别2或者更高。CC和FIPS 140-2标准分别关注产品测评的不同层面。FIPS 140-2测评针对

12、定义的密码模块，并提供4个级别的一系列符合性测评包。FIPS 140-2描述了密码模块的需求，包括物理安全、密钥管理、自评测、角色和服务等。该标准最初开发于1994年，早于CC标准。而CC是针对于具体的保护轮廓（PP）或者安全目标（ST）的评估。典型的模式是某个PP可能涉及广泛的产品范围。总之，CC评估不能替代FIPS 140的密码验证。FIPS 140-2中定义的四个安全级别也不能够直接与CC预定义的任何EAL级别或者CC功能需求相对应。CC认证不能取代FIPS 140的认证。X9ASC/ANSI X9，制定了一些关系金融领域安全的标准和规范。如随机数产生(X9.17)、公钥算法服务于金融业

13、(X9.63)等。http:/www.x9.org/standards/PKCSPKCS系列标准，RSA公司的标准。http:/ P1363，制定关于椭圆曲线密码算法等规范。http:/grouper.ieee.org/groups/1363/NESSIENESSIE，欧洲的密码新标准计划。The NESSIE project(New European Schemes for Signatures,Integrity and Encryption)(2000-2003)evaluates crypto algorithms.NESSIE has selected the following 1

14、2 algorithms from the 42 submissions;in addition,5 well established standard algorithms have been added to the NESSIE portfolio(indicated with a*).https:/www.cosic.esat.kuleuven.be/nessie/Block ciphers:MISTY1:Mitsubishi Electric Corp.,Japan;Camellia:Nippon Telegraph and Telephone Corp.,Japan and Mit

15、subishi Electric Corp.,Japan;SHACAL-2:Gemplus,France;AES(Advanced Encryption Standard)*(USA FIPS 197)(Rijndael).Public-key encryption:ACE Encrypt:IBM Zurich Research Laboratory,Switzerland;PSEC-KEM:Nippon Telegraph and Telephone Corp.,Japan;RSA-KEM*(draft of ISO/IEC 18033-2).MAC algorithms and hash

16、functions:Two-Track-MAC:K.U.Leuven,Belgium and debis AG,Germany;UMAC:Intel Corp.,USA,Univ.of Nevada at Reno,USA,IBM Research Laboratory,USA,Technion,Israel and Univ.of California at Davis,USA;CBC-MAC*(ISO/IEC 9797-1);HMAC*(ISO/IEC 9797-1);Whirlpool:Scopus Tecnologia S.A.,Brazil and K.U.Leuven,Belgium;SHA-256*,SHA-384*and SHA-512*(USA FIPS 180-2).Digital signature algorithms:ECDSA:Certicom Corp.,USA and Certicom Corp.,Canada;RSA-PSS:RSA Laboratories,USA;SFLASH:Schlumberger,France.Identification s