ANSI-X9.57-1997.pdf


Financial Services Technical Publication
Developed By Accredited Standards Committee X9 - Financial Services

PUBLIC KEY CRYPTOGRAPHY FOR THE FINANCIAL SERVICES INDUSTRY: CERTIFICATE MANAGEMENT

Developed by Accredited Standards Committee X9 - Financial Services
Published by American Bankers Association, X9 Secretariat

Copyright American National Standards Institute. Provided by IHS under license with ANSI. Licensee=IHS Employees/1111111001, User=OConnor, Maurice. Not for Resale, 04/29/2007 13:41:44 MDT. No reproduction or networking permitted without license from IHS.

American National Standard for Financial Services
X9.57-1997, Public Key Cryptography For The Financial Services Industry: Certificate Management
Secretariat: American Bankers Association
Approved: February 3, 1997
American National Standards Institute

American National Standard

Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval.

Published by
American Bankers Association
1120 Connecticut Avenue, NW
Washington, DC 20036 USA
Customer Service Center 1 (800) 338-0626 or Fax 1 (202) 663-7543, E-mail
X9 Online http://www.x9.org 1 (202) 663-5087

Copyright © 1997 by American Bankers Association. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Printed in the United States of America.

Table of Contents (X9.57-1997)

FOREWORD  v
1. SCOPE  1
2. DEFINITIONS AND COMMON ABBREVIATIONS  1
   2.1 DEFINITIONS  1
   2.2 ACRONYMS  5
   2.3 NOTATION  6
3. INTRODUCTION  7
4. CERTIFICATE MANAGEMENT  8
   4.1 GENERAL  8
   4.2 THE CERTIFICATION AUTHORITY  13
       4.2.1 Certification Authority Responsibilities  13
       4.2.2 Entity's Responsibility Regarding Key Integrity  14
       4.2.3 Distribution Of A CA's Public Key  16
       4.2.4 Security Requirements For A CA's Private Key  19
   4.3 TRUST MODELS  19
   4.4 CERTIFICATE GENERATION  20
   4.5 CERTIFICATE VALIDATION  22
   4.6 CERTIFICATE REVOCATION LIST (CRL)  22
       4.6.1 General Requirements  22
       4.6.2 Actions To Be Taken Whenever A Certificate Is Revoked Or Held  24
       4.6.3 Compromise Or Suspected Compromise Of An Entity's Private Key  27
       4.6.4 Request For Revocation Of An Entity's Certificate(s) Because Of A Cessation Of Operations  27
       4.6.5 Request For Revocation Of Entity's Certificate(s) Because Of A Change Of Affiliation Of The Entity  28
       4.6.6 Revocation Of Certificates For Reasons Other Than For Key Compromise, Cessation Of Operations, Or A Change Of Affiliation  28
       4.6.7 Revocation Or Holding Of Certificates For Public Keys Which Are Used To Protect Symmetric Algorithm Key Exchanges  31
       4.6.8 Certificate Holds Due To Unauthenticated Revocation Requests Or Other Business Reasons  32
       4.6.9 Implied Release Of Certificate Hold Via Natural Expiration Of The Hold  32
       4.6.10 Reissuance Of A Certificate Hold With An Extended Expiration Date  33
       4.6.11 Revocation Of A Certificate Superseding A Prior Certificate Hold Expiration Date  34
       4.6.12 Certificate Hold Release To Cancel Certificate Hold Prior To Expiration  35
       4.6.13 Expiration Of Certificate Prior To The Expiration Of A Hold  36
   4.7 THE LOCAL REGISTRATION AGENT (LRA)  36
       4.7.1 Applying For Certificates  36
       4.7.2 Requesting Certificate Revocation  38
   4.8 ATTRIBUTE CERTIFICATES  39
5. DATA ELEMENTS AND RELATIONSHIPS  39
   5.1 GENERAL  39
   5.2 DSA PUBLIC KEYS  40
   5.3 SIGNATURES  41
       5.3.1 Single Signatures  41
       5.3.2 Multiple Signatures  42
   5.4 CERTIFICATION REQUEST DATA (CERTREQDATA)  43
   5.5 PUBLIC KEY CERTIFICATES  47
   5.6 ATTRIBUTE CERTIFICATES  49
   5.7 CERTIFICATE REVOCATION AND HOLD/RELEASE  52
       5.7.1 Certificate Revocation  52
       5.7.2 Certificate Hold/Release  54
       5.7.3 Hold Instruction Codes  55
       5.7.4 CRL Data Structures  55
6. AUDIT JOURNAL REQUIREMENTS  58
7. REFERENCES  58
8. ASN.1 MODULE  59
ANNEX A: SUGGESTED REQUIREMENTS FOR THE ACCEPTANCE OF CERTIFICATE REQUEST DATA  66
   A.1 INTRODUCTION  66
   A.2 ACCEPTANCE OF THE CERTIFICATE REQUEST DATA OF AN INDIVIDUAL  66
       A.2.1 LOW RISK APPLICATIONS  66
       A.2.2 MEDIUM RISK APPLICATIONS  66
       A.2.3 HIGH RISK APPLICATIONS  67
   A.3 ACCEPTANCE OF THE CERTIFICATION REQUEST DATA OF A LEGAL ENTITY  67
       A.3.1 A FINANCIAL INSTITUTION IN A PEER-TO-PEER RELATIONSHIP  67
       A.3.2 A BUSINESS CUSTOMER OF A FINANCIAL INSTITUTION  67
   A.4 ACCEPTANCE OF THE CERTIFICATE REQUEST DATA OF A HARDWARE DEVICE  68
ANNEX B: ALTERNATIVE TRUST MODELS  69
   B.1 OVERVIEW  69
   B.2 TRUST MODELS  69
   B.3 CENTRALIZED AND DECENTRALIZED MODELS  70
   B.4 EXAMPLES  71
   B.5 ISSUES INVOLVING MULTIPLE DOMAINS  76
       B.5.1 MULTIPLE LEVELS OF ASSURANCE  76
       B.5.2 MULTIPLE TRUST MODELS  76
   B.6 SUBSCRIBER AND ORGANIZATIONAL CERTIFICATES  76
ANNEX C: OBJECT IDENTIFIERS AND ATTRIBUTES  78
   C.1 ALGORITHMS  78
   C.2 MODULES  79
   C.3 ATTRIBUTES  79
   C.4 CERTIFICATE AND CRL EXTENSIONS  79
   C.5 CERTIFICATE HOLD INSTRUCTIONS  79
ANNEX D: RECOMMENDED CERTIFICATION AUTHORITY AUDIT JOURNAL CONTENTS AND USE  80
   D.1 AUDIT JOURNAL CONTENTS AND PROTECTION  80
       D.1.1 ELEMENTS TO BE INCLUDED IN ALL JOURNAL ENTRIES  80
       D.1.2 CERTIFICATE APPLICATION INFORMATION TO BE JOURNALIZED BY AN LRA, CA OR AA  80
       D.1.3 EWS TO BE JOURNALIZED  81
       D.1.4 ACTIONS TO BE JOURNALIZED  81
       D.1.5 SECURITY-SENSITIVE EVENTS TO BE JOURNALIZED  81
       D.1.6 MESSAGES AND DATA TO BE JOURNALIZED  82
   D.2 AUDIT JOURNAL BACKUP  82
   D.3 AUDIT JOURNAL USE  82
ANNEX E: DISTRIBUTION OF CERTIFICATES AND CERTIFICATE REVOCATION LISTS  83
   E.1 INTRODUCTION  83
   E.2 CERTIFICATE DISTRIBUTION  83
   E.3 CRL DISTRIBUTION  83
ANNEX F: MULTIPLE ALGORITHM CERTIFICATE VALIDATION  85
   F.1 MULTIPLE ALGORITHM CERTIFICATION PATHS  85
   F.2 UNWRAPPING DSA/RSA MULTIPLE ALGORITHM CERTIFICATION PATHS  85
ANNEX G: CERTIFICATE AUTHORITY TECHNIQUES FOR DISASTER RECOVERY  87
   G.1 INTRODUCTION  87
   G.2 NOTIFICATION WITH CA'S SECONDARY KEY PAIR  87
   G.3 REISSUANCE WITH CA'S SECONDARY KEY PAIR  88
   G.4 REISSUANCE WITH CA'S NEW PRIMARY KEY PAIR  88
   G.5 NOTIFICATION WITH MULTIPLY SIGNED CERTIFICATES  89

Figures

FIGURE 1   A SINGLE CA  11
FIGURE 2   A CA HIERARCHY  12
FIGURE 3   CROSS CERTIFICATION  13
FIGURE 4   METHODS OF DISTRIBUTING A CA'S PUBLIC KEY  18
FIGURE 5   THE CERTIFICATE APPLICATION AND GENERATION PROCESS  23
FIGURE 6   THE CERTIFICATE APPLICATION AND GENERATION PROCESS WITH AN LRA  26
FIGURE 7   ISSUANCE OF A CERTIFICATE BY A CA ALONE  49
FIGURE 8   ISSUANCE OF A CERTIFICATE BY A CA USING AN LRA  50
FIGURE 9   ISSUANCE OF AN ATTRIBUTE CERTIFICATE BY AN AA ALONE  52
FIGURE 10  ISSUANCE OF AN ATTRIBUTE CERTIFICATE BY AN AA USING AN LRA  53
FIGURE 11  REVOCATION OF A CERTIFICATE OR AN ATTRIBUTE CERTIFICATE USING A CA OR AN AA ALONE  57
FIGURE 12  REVOCATION OF A CERTIFICATE OR AN ATTRIBUTE CERTIFICATE USING A CA OR AN AA AND AN LRA  59
FIGURE 13  CREATION OF CERTIFICATES FOR SUBSCRIBERS OF EACH CA  70
FIGURE 14  CREATION OF CERTIFICATES FOR EACH CA  71
FIGURE 15  AUTHENTICATION OF A MESSAGE BETWEEN TWO ENTITIES  73
FIGURE 16  CREATION OF CERTIFICATES WHEN CENTERS OF TWO ENTITIES HAVE A COMMON CA  74

Tables

TABLE 1   ACTIONS TO BE TAKEN WHENEVER A CERTIFICATE IS REVOKED  29
TABLE 2   ADDITIONAL ACTIONS THAT SHALL BE TAKEN ON THE COMPROMISE OR SUSPECTED COMPROMISE OF AN ENTITY'S PRIVATE KEY  30
TABLE 3   ADDITIONAL ACTIONS THAT SHALL BE TAKEN BECAUSE OF A CESSATION OF OPERATIONS  30
TABLE 4   ADDITIONAL ACTIONS THAT SHALL BE TAKEN BECAUSE OF A CHANGE OF AFFILIATION OF THE ENTITY  31
TABLE 5   ADDITIONAL ACTIONS TO BE TAKEN WHEN CERTIFICATES ARE REVOKED FOR REASONS OTHER THAN FOR KEY COMPROMISE, CESSATION OF OPERATIONS, OR A CHANGE OF AFFILIATION  32
TABLE 6   ADDITIONAL ACTIONS TO BE TAKEN WHEN CERTIFICATES FOR PUBLIC KEYS WHICH ARE USED TO PROTECT SYMMETRIC ALGORITHM KEY EXCHANGES ARE REVOKED  33
TABLE 7   ACTIONS TO BE TAKEN ON CERTIFICATE HOLDS DUE TO UNAUTHENTICATED REVOCATION REQUESTS OR OTHER BUSINESS REASONS  35
TABLE 8   ACTIONS TO BE TAKEN ON THE IMPLIED RELEASE OF CERTIFICATE HOLD VIA NATURAL EXPIRATION OF THE HOLD  36
TABLE 9   ACTIONS TO BE TAKEN ON REISSUANCE OF A CERTIFICATE HOLD WITH AN EXTENDED EXPIRATION DATE  37
TABLE 10  ACTIONS TO BE TAKEN WHEN THE REVOCATION OF CERTIFICATE SUPERSEDES A PRIOR CERTIFICATE HOLD EXPIRATION DATE  38
TABLE 11  ACTIONS TO BE TAKEN ON A CERTIFICATE HOLD RELEASE TO CANCEL A CERTIFICATE HOLD PRIOR TO THE EXPIRATION OF THE HOLD  38
TABLE 12  ACTIONS TO BE TAKEN ON THE EXPIRATION OF CERTIFICATE PRIOR TO THE EXPIRATION OF A HOLD  39

Foreword

(This Foreword is included for information only and is not a part of X9.57-1997.)

Business practice has changed with the introduction of computer-based technologies. The substitution of electronic transactions for their paper-based predecessors has reduced costs and improved efficiency. Trillions of dollars in funds and securities are transferred daily by telephone, wire services, and other electronic communication mechanisms. The high value or sheer volume of such transactions within an open environment exposes the financial community and its customers to potentially severe risks from accidental or deliberate alteration, substitution or destruction of data. This risk is compounded by interconnected networks, and the increased number and sophistication of malicious adversaries.

Some of the conventional "due care" controls used with paper-based transactions are unavailable in electronic transactions. Examples of such controls are safety paper which protects integrity, and handwritten signatures or embossed seals which indicate the intent of the originator to be legally bound. In an electronic-based environment, controls must be in place that provide the same degree of assurance and certainty as in a paper environment.

The financial community is responding to these needs. The Accredited Standards Committee on Financial Services (ASC X9) has developed the following set of standards based on irreversible public key cryptography to protect financial information:

o X9.30-1997, Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry, which contains the following two Standards: Part 1: The Digital Signature Algorithm (DSA) (Revised), and Part 2: The Secure Hash Algorithm (SHA-1) (Revised)
o X9.55-1997, Extensions to Public Key Certificates and Certificate Revocation Lists
o X9.57-1997, Public Key Cryptography for the Financial Services Industry, Certificate Management

In order to prove the ownership of a public key, a binding association between the owner of a public key and that function must be documented. This binding is called a "Certificate". Certificates are generated by a trusted third party called a Certification Authority (CA).

This Standard, Public Key Cryptography for the Financial Services Industry, Certificate Management, defines a certificate management system that includes:

o Credentials and Certificate Contents
o The Certification Authority
o Certificate Generation and Validation
o Authentication Structure and Certification Paths
o Cancellation and Recovery Procedures
o Certificate Life Cycle

At the time of publication, this Sta
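The Foreword describes a certificate as a CA-signed binding between a public key and its owner, and the contents list shows that validation in this standard also has to consult a CRL that can place a certificate on hold as well as revoke it. The following is an added illustration of that model, not code from X9.57 or from ASC X9: it generates toy-sized DSA parameters with the standard library, has a hypothetical CA sign a certificate for a subject, and walks the certificate through validation against the CA's key and a CRL under hold, revoked, expired and tampered conditions. The field layout, the `"|"`-joined to-be-signed encoding, the numeric validity window, the names and serial number are all constructed stand-ins for the ASN.1 structures of section 5; the parameter sizes and the SHA-1 digest (mirroring X9.30 Part 2, which is obsolete today) are chosen for speed and fidelity to the page, not for security.

```python
# Added example, not part of X9.57: a CA binds a subject name to a DSA public key
# by signing it; a relying party validates the binding against the CA's public
# key and a CRL carrying 'hold' or 'revoked' entries. Toy sizes; not conforming.
import hashlib
import random
from dataclasses import dataclass
rng = random.Random(9757)  # fixed seed for a reproducible demo; never for real keys

def is_probable_prime(n, rounds=20):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_dsa_params(qbits=64, pbits=256):
    """Return (p, q, g): q prime, q divides p-1, g has order q. Toy sizes only."""
    q = 0
    while not is_probable_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    p = 0
    while p.bit_length() != pbits or not is_probable_prime(p):
        p = rng.getrandbits(pbits - qbits) * q + 1
    h, g = 2, 1
    while g == 1:  # find an element of the order-q subgroup
        h, g = h + 1, pow(h, (p - 1) // q, p)
    return p, q, g

def dsa_keygen(params):
    x = rng.randrange(1, params[1])
    return x, pow(params[2], x, params[0])  # (private x, public y)

def dsa_sign(params, x, data):
    p, q, g = params
    # SHA-1 as in X9.30 Part 2 (obsolete today); reduced mod q because q is tiny here
    e = int.from_bytes(hashlib.sha1(data).digest(), "big") % q
    while True:
        k = rng.randrange(1, q)  # per-signature secret; a repeated k leaks x
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (e + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, data, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):  # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    e = int.from_bytes(hashlib.sha1(data).digest(), "big") % q
    return (pow(g, e * w % q, p) * pow(y, r * w % q, p) % p) % q == r

@dataclass
class Certificate:
    issuer: str
    subject: str
    serial: int
    validity: tuple  # toy (not_before, not_after), e.g. day numbers
    public_key: int  # subject's DSA y
    signature: tuple = None

    def tbs(self):  # stand-in for the DER to-be-signed fields of X9.57 sec. 5.5
        return (f"{self.issuer}|{self.subject}|{self.serial}|"
                f"{self.validity[0]}|{self.validity[1]}|{self.public_key}").encode()

def validate_certificate(params, ca_name, ca_pub, cert, crl, now):
    if cert.issuer != ca_name or not dsa_verify(params, ca_pub, cert.tbs(), cert.signature):
        return "bad_signature"
    if not cert.validity[0] <= now <= cert.validity[1]:
        return "expired"
    status = crl.get(cert.serial)  # crl: serial -> 'revoked' | 'hold'
    return {"revoked": "revoked", "hold": "on_hold"}.get(status, "valid")

def demo():
    params = gen_dsa_params()
    ca_priv, ca_pub = dsa_keygen(params)
    alice_priv, alice_pub = dsa_keygen(params)
    ca = "CA=Example Bank"  # constructed names, serial and validity window
    cert = Certificate(ca, "CN=alice", 1001, (100, 200), alice_pub)
    cert.signature = dsa_sign(params, ca_priv, cert.tbs())  # the CA's binding
    forged = Certificate(ca, "CN=mallory", 1001, (100, 200), alice_pub, cert.signature)
    msg = b"pay 100 to bob"
    return {
        "fresh": validate_certificate(params, ca, ca_pub, cert, {}, 150),
        "held": validate_certificate(params, ca, ca_pub, cert, {1001: "hold"}, 150),
        "revoked": validate_certificate(params, ca, ca_pub, cert, {1001: "revoked"}, 150),
        "expired": validate_certificate(params, ca, ca_pub, cert, {}, 250),
        "forged": validate_certificate(params, ca, ca_pub, forged, {}, 150),  # subject swapped
        "message_ok": dsa_verify(params, cert.public_key, msg, dsa_sign(params, alice_priv, msg)),
    }
```

Running `demo()` returns a status for each scenario. The design point a relying party should take from it is the order of checks: the CA signature is verified over every bound field before the key is used for anything, the validity window is checked next, and the CRL is consulted last, with a hold reported distinctly from a revocation so that a later release (removing the entry) makes the same certificate usable again without reissuance.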
