Security Protocols and Standards 13: Sources of Security Standards (PPT courseware)
Security Protocols and Standards
linfb 2021, 12

Security standards and specifications
RFC
ISO
FIPS
X9
PKCS
P3
NESSIE

Security standards in RFC
Among security-related protocol and standards documents, the RFCs are the most comprehensive. The security-related documents among the RFCs cover several areas.

By IETF
IETF Security Area Working Groups
btns: Better-Than-Nothing Security
dkim: Domain Keys Identified Mail
emu: EAP Method Update
hokey: Handover Keying
ipsecme: IP Security Maintenance and Extensions
isms: Integrated Security Model for SNMP
keyprov: Provisioning of Symmetric Keys
kitten: Kitten (GSS-API Next Generation)
krb-wg: Kerberos
ltans: Long-Term Archive and Notary Services
msec: Multicast Security
nea: Network Endpoint Assessment
pkix: Public-Key Infrastructure (X.509)
sasl: Simple Authentication and Security Layer
smime: S/MIME Mail Security
syslog: Security Issues in Network Event Logging
tls: Transport Layer Security

0. Security overviews, which discuss security concepts, terminology and requirements and give general considerations, recommendations and mechanisms, e.g. 1675, 2196, 2323, 2504, 3631, 4949.
1. Cryptographic algorithm and protocol/interface standards, e.g. RC2 (2268), MD5 (1321), PKCS/RSA (3447), TLS (4346), IKE (4306), GSS-API, SASL.
2. Authentication, authorization and access control standards, e.g. RADIUS (2865), Diameter (3588), Kerberos.
3. Application standards: PGP (4880), S/MIME, over TLS (2818), IPSec, VPN, etc.
4. Other standards.

RFC: Internet standards (Chinese translation): networkdictionary/rfc
RFC: china-pub

ISO
ISO: security requirements for OSI (35.100.01), services and mechanisms (ISO 7498), cryptographic algorithms (35.040), security management (17799), etc.
ISO 7498-2 Security Architecture
ISO 10181 Security frameworks for open systems
ISO 11586 Generic upper layers security

FIPS
FIPS, including DES (46), AES (197), DSS (186), HMAC (198), etc.
/publications/PubsFIPS.html

FIPS-140
FIPS 140 is one of the most important standards for the security requirements of cryptographic modules, and it is the industry benchmark for assessing cryptographic implementations. If an organization's information or data must be protected cryptographically, as in financial or government institutions, the FIPS 140-2 standard applies. Product modules that have passed conformance evaluation and certification against the standard meet the technical requirements these organizations place on cryptographic systems. Many organizations worldwide now require FIPS 140-2 compliance in their IT product procurement and tender requirements.

The FIPS 140 publications are a series of U.S. government computer security standards, numbered 140, that specify requirements for cryptography modules. As of December 2006, the current version of the standard is FIPS 140-2, issued on 25 May 2001.
/fipspubs/groups/STM/cmvp/index.html
atsec/05/index.php?id=06-0201-01 (history and development of the FIPS 140 standard)

CMVP
The Cryptographic Module Validation Program (CMVP) is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendors who seek to have their products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but not classified information. All of the tests under the CMVP are handled by third-party laboratories that are accredited as Cryptographic Module Testing Laboratories by the National Voluntary Laboratory Accreditation Program (NVLAP). Product certifications under the CMVP are performed in accordance with the requirements of FIPS 140-2.
The CMVP was established by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada in July 1995.

Validated modules list
Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules
/groups/STM/cmvp/validation.html
/groups/STM/cmvp/documents/140-1/140val-all.htm
OpenSSL FIPS 140-2 module
/docs/fips/

Relationship to the Common Criteria (CC)
Common Criteria
CC is the industry's common set of criteria for evaluating security functionality and security assurance, and it is mutually recognized internationally. In CC product evaluations under the U.S. NIAP scheme, if the product includes a cryptographic module or cryptographic algorithms, the product's CC certificate states whether the product has passed FIPS 140 validation. In fact, CC and FIPS 140 complement each other and are strongly related, but each has its own focus. In FIPS 140 validation, if the operational environment is modifiable, the CC operating system requirements apply at Security Level 2 or higher.
CC and FIPS 140-2 address different aspects of product evaluation. FIPS 140-2 evaluation targets a defined cryptographic module and provides a set of conformance test suites at four levels. FIPS 140-2 describes the requirements for cryptographic modules, including physical security, key management, self-tests, roles and services. The standard was first developed in 1994, before the CC. CC, by contrast, evaluates against a specific Protection Profile (PP) or Security Target (ST). Typically, a single PP may cover a broad range of products.
In short, a CC evaluation cannot replace FIPS 140 cryptographic validation. The four security levels defined in FIPS 140-2 also cannot be mapped directly to any predefined CC EAL level or to CC functional requirements. CC certification cannot replace FIPS 140 certification.

X9
ASC/ANSI X9 has developed a number of standards and specifications concerning security in the financial sector, such as random number generation (X9.17) and public-key algorithms for the financial services industry (X9.63).
/standards/

PKCS
The PKCS series of standards, published by RSA.
rsa/rsalabs/pkcs/

P3
IEEE P3 develops standards for elliptic curve cryptographic algorithms, among others.
/groups/3/

NESSIE
NESSIE, Europe's new cryptographic standards project.
The NESSIE project (New European Schemes for Signatures, Integrity and Encryption) (2000-2003) evaluates crypto algorithms.
NESSIE has selected the following 12 algorithms from the 42 submissions; in addition, 5 well established standard algorithms have been added to the NESSIE portfolio (indicated with a *).
httpscosic.esat.kuleuven.be/nessie/

Block ciphers:
MISTY1: Mitsubishi Electric Corp., Japan
Camellia: Nippon Telegraph and Telephone Corp., Japan and Mitsubishi Electric Corp., Japan
SHACAL-2: Gemplus, France
AES (Advanced Encryption Standard)* (USA FIPS 197) (Rijndael)

Public-key encryption:
ACE Encrypt: IBM Zurich Research Laboratory, Switzerland
PSEC-KEM: Nippon Telegraph and Telephone Corp., Japan
RSA-KEM* (draft of ISO/IEC 18033-2)

MAC algorithms and hash functions:
Two-Track-MAC: K.U.Leuven, Belgium and debis AG, Germany
UMAC: Intel Corp., USA, Univ. of Nevada at Reno, USA, IBM Research Laboratory, USA, Technion, Israel and Univ. of California at Davis, USA
CBC-MAC* (ISO/IEC 9797-1)
HMAC* (ISO/IEC 9797-1)
Whirlpool: Scopus Tecnologia S.A., Brazil and K.U.Leuven, Belgium
SHA-256*, SHA-384* and SHA-512* (USA FIPS 180-2)

Digital signature algorithms:
ECDSA: Certicom Corp., USA and Certicom Corp., Canada
RSA-PSS: RSA Laboratories, USA
SFLASH: Schlumberger, France

Identification schemes:
GPS: Ecole Normale Supérieure, Paris, France Télécom and La Poste, France

SECG
SECG has so far mainly published standards on ECC.
The Standards for Efficient Cryptography Group (SECG), an industry consortium, was founded in 1998
