ISO/TC68における金融分野向け推奨暗号アルゴリズムの検討状況

Size: px

Start display at page:

Download "ISO/TC68における金融分野向け推奨暗号アルゴリズムの検討状況"

やすもりわかはら
5 years ago
Views:

1 ISO/TC68 2-key DES 1,024 RSA SHA-1 NIST ISO/TC68 2-key DES ISO/TC68 ISO/TC68 DES ISO/TC68 SHA-1 RSA / /

2 1. IC PIN FISCFISC [2006] 1 2-key DES 1,024 RSA 1,024 RSA SHA NIST: National Institute of Standards and Technology 2011 NIST [2005b, c] NIST NIST ISO ISO/TC ISO/TC68 SD: standing documentiso [2007] NIST 2-key DES 2030 SD TR: technical report FISC 55.9% 13.8% 79.2%FISC [2008] 174 /2009.3

3 ISO/TC68 CRYPTREC Cryptography Research and Evaluation Committees NISC: National Information Security Center 1,024 RSA SHA-1 NISC [2008] ISO/TC68 ISO/TC ISO/TC68 SD 4 EMV EV SSL key DES 1,024 RSA SHA-1 175

4 2 NIST NIST [2005b, c] 2 NIST NIST NIST FIPS 3 SP 4 FIPS AES FIPS 197 FIPS FIPS DES 2005 DES FIPS 46-3 SP SP NIST [2007b] SP NIST [2007c] NIST [2007b, c] CRYPTREC key DES DES 2-key 3-key FIPS Federal Information Processing Standard unclassified sensitive FIPS FIPS 4SP Special Publication FIPS FIPS FIPS FIPS 5 FIPS RSA DSA ECDSA 2006 FIPS FIPS FIPS FIPS SHA-1 SHA-224 SHA-256 SHA-384 SHA /2009.3

5 ISO/TC68. SP n n n-bits of security DES AES 1 2-key DES van Oorschot and Wiener [1990] ,024 RSA ffl factoring problem N N D p q p q ffl discrete logarithm problem G g; y 2 G y D g x x ffl elliptic curve discrete logarithm problem E E 2 G Y Y D xg x 7 SP n

6 1 SP n key DES 3-key DES RSA N D p q N DSA y D g x y x ECDSA Y D xg Y 1,024 1, ,048 2, AES-128 3,072 3, AES-192 7,680 7, AES ,360 15, SP FIPS n 2 H 2 ffl y y D H.x/ x ffl 2 x H.x/ D H.x 0 / 2 x 0 ( x) ffl H.x/ D H.x 0 / (x; x 0 ) (x; x 0 ) h 2 h 2 2 h 2 h=2 8 NIST 2011 SHA-1 8 SP FIPS n SHA-1 SHA-224 SHA-256 SHA /2009.3

7 ISO/TC68 2 SP n HMAC 80 SHA SHA SHA-256 SHA SHA-384 SHA SHA-512 SHA-256 SHA-384 SHA-512 SP HMAC SHA-1. SP PIV: Personal Identity Verification 10 SP PIV PIV 4 3 SP PIV PIV 2-key DES 3-key DES 9 HMAC keyed-hash message authentication code MAC 10 PIV FIPS 201 IC PIV PIV PIN 179

8 3 SP PIV RSA 1,024 RSA 2,048 ECDSA key DES RSA 1,024 3-key DES AES RSA 2,048 ECDSA 256 RSA 1,024 RSA 2,048 ECDSA RSA 1,024 RSA 2,048 ECDH ECC MQV SP NIST [2007c] 3.1 FIPS P-256 P-384 AES 2-key DES 2010 PIV RSA ECDSA 1,024 RSA ,024 RSA ,024 RSA PIV RSA RSA e 1, C 1» e» , C 1» e» PIV 3 2,048 3,072 4, SP NIST [2005c] PIV 1,024 RSA 2010 SP /2009.3

9 ISO/TC68 RSA ECDSA SHA-1 SHA-256 SHA-384 RSA PKCS#1 v1.5 PSS RSA 2009 PKCS#1 v1.5 SHA SHA-1 SHA-256 SHA-256 PKCS#1 v1.5 PSS 2011 SHA-256 ECDSA 256 ECDSA SHA ECDSA SHA-384. SHA-3 NIST SHA-1 Wang, Yao, and Yao [2005] NIST SHA-1 SHA-2 SHA-224 SHA-256 SHA-384 SHA-512 SHA-2 SHA-3 NIST [2007a] SHA NSA NSA: National Security Agency classified unclassified Suite B Cryptography 12 NSA [2005] Suite B FIPS AES FIPS ECDSA FIPS ECDH ECMQV Draft SP SHA-256 SHA-384 FIPS Suite A Cryptography sensitive 181

10 Suite B RSA DSA ECDSA NSA 13 1,024 NSA ISO/TC68 1 ISO/TC68 ISO/TC ISO/TC a 9 ISO/TC68/SC2 15 Une and Kanda [2007] SC2 2005b ISO/TC68/SC2 TC68 SD TC68/SC2 SD SD TR TR 2 ISO/TC68/SC2 SD ISO/IEC JTC1/SC27 13 NSA [2005] RSA DSA classical public key technology 14 Certicom 350 Certicom [2008] 15 SC2 ISO/TC68 SC: sub-committee 182 /2009.3

11 ISO/TC68 4 n SD 1 SD. SD NIST NIST [2007b] NIST SD ISO/IEC DES MISTY1 CAST-128 AES Camellia SEED DES AES AES n n key DES t t van Oorschot and Wiener [1990] 183

12 5 n key DES key DES 192 AES AES AES SD min.112;120 t / 16 min.112; 120 t/ SD 2-key DES key DES 2 57 s 2 112Cs 1» s» 56 Menezes, van Oorschot, and Vanstone [1997] 112 n 2 n=2 2 n= DES 128 AES min min.112; 120 t/ t 184 /2009.3

13 ISO/TC NIST 2-key DES SD 2-key DES key DES 2007 SD NIST 2-key DES key DES key ISO/IEC JTC1/SC27 ISO/IEC NIST key DES 2-key DES 2-key DES 2-key DES 2-key DES TC68/SC2 2-key DES SD 2-key DES. ISO/IEC SD 185

14 . ISO/IEC ISO/IEC SD n m h min.h=2; m/ SD AES ISO/IEC SHA SHA-1 63 SD 63 SHA SHA-1 17 SD 2 18 MD5 APOP Sasaki, Wang, Ohta, and Kunihiro [2008] ITU-T X.509 MD Stevens, Lenstra, and Weger [2007]200 PlayStation 3 1 MD5 SSL Sotirov et al. [2008] 186 /2009.3

15 ISO/TC68 6 RIPEMD n RIPEMD SHA SHA SHA SHA SHA WHIRLPOOL SD NIST SP HMAC SD 2 SD. MAC: message authentication code MAC ISO/IEC AES 2-key DES AES DES 3 19 ISO/IEC CMAC NIST [2005a] MAC MAC MAC SD 1 MAC 1 MAC p 2 m i=p MAC m MAC 19 ISO/IEC CBC-MAC 3 ANS X CBC-MAC 187

16 i MAC MAC Mitchell [2002] MAC 128 MAC 64 MAC MAC MAC ISO/IEC MAC 2 MAC. ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC SD 7 RSA e e D C RSA N D p q DSA y D g x ECDSA Y D xg N y x Y 1,024 1, ,536 1, ,048 2, ,072 3, SD 5 20 SD 188 /2009.3

17 ISO/TC68 ISO/IEC KEM key encapsulation mechanism DEM data encapsulation mechanism KEM 2-key DES 3 ISO/IEC JTC1/SC27 2 SD 2-key DES 2030 ISO/IEC JTC1/SC27 ISO/IEC NIST key DES ISO/TC68/SC2 ISO 2-key DES ISO/IEC JTC1/SC SC SD SC27/WG SD ISO and IEC [2007] SC27 SC27 SD n 2 n=2 2-key DES key DES 21 WG2 SC27 189

18 4. 1 EMVCo EMVCo IC EMV EMVCo [2008b]EMV EMV IC RSA SDA static data authentication DDA dynamic data authentication 2 CA: certificate authority IC EMVCo CA 1,024 RSA ,152 RSA ,408 1,984 RSA EMVCo [2008c] EMVCo 1,984 RSA 1,984 RSA NIST TC68 SD 1,024 RSA 2,048 RSA IC RSA RSA 8 EMVCo CA RSA 1, , ,408 1, ,024 RSA /2009.3

19 ISO/TC68 EMVCo New Cryptography Drafts EMVCo [2007d] 1,984 RSA 3 23 RSA CA IC RSA CA IC RSA EMVCo [2007a] CA 3,960 3,952 IC 1,984 1,984 RSA SHA-256 SHA-512 EMVCo [2007b] CA 4,016 IC 4,008 SHA-1 SHA-256 SHA-512 EMVCo [2007c] SHA SHA IC 2-key AES EMV [2008a] 2 CABF EV SSL 2007EV SSL CA/Browser Forum CABF SSL EV SSL EV SSL EV SSL 23 EMVCo [2008b] CA IC 1,984 SHA-1 191

20 9 EV SSL RSA CA MD5* CA 1, CA SHA-1** CA 2, SHA-256 SHA SHA-512 Λ MD5 ΛΛ 2011 SHA-1 SHA-256 EV SSL CABF [2008] Appendix A CA CA 9 1,024 RSA CA ,024 RSA SHA-256 SHA-384 SHA-512 SHA CRYPTREC. CRYPTREC ,048 RSA 1,024 RSA 1,024 RSA 2010 RSA1, Λ 2010 WG Λ JCAF: Japan Certification Authority Forum EV SSL 192 /2009.3

21 ISO/TC68 FISC FISC [2006] 3-key DES FIPS 46-3 SHA CRYPTREC 2, CRYPTREC CRYPTREC ffl CRYPTREC ffl CRYPTREC 193

22 ffl CRYPTREC ffl NISC NISC SHA-1 1,024 RSA NISC [2008] 2,048 RSA SHA-1 2,048 RSA SHA ,024 RSA SHA /2009.3

23 ISO/TC68 6. ISO/TC68 1. ISO/TC68 SD SD SD NIST PIV 4 ISO/TC68 SD

24 SD ISO/TC68 SD EMVCo IC IC IC IC IC IC IC IC IC IC SHA-1 SHA-1 63 SHA-1 Chang and Dworkin [2005] Hoffman and Schneier [2005] SHA /2009.3

25 ISO/TC68 ffl NIST SHA SHA-1 SHA-2 SHA-2 SHA-3 SHA-1 ffl SHA-2 NIST SHA-1 NIST SHA-3 SHA-1 SHA-3 ffl SHA-1 ffl SHA-1 SHA-256 ffl SHA SHA-2 2 ISO/TC68 SD SHA SHA SHA-1 Szydlo and Yin [2006] SHA-1 32 SHA-1 NISC 197

26 CRYPTREC 1, , ISO/TC68 SD SD 2005 JIS 2008a, b 4 ISO/TC68 SD NISC 198 /2009.3

27 ISO/TC68 CMVP Cryptographic Module Validation Program FIPS NIST [2001] FIPS NIST ,000 CMVP 2011 JCMVP Japan Cryptographic Module Validation Program key DES 1,024 RSA SHA COPACOBANA DES 6.4 Güneysu et al. [2007] 2-key DES ,024 3,000 1 Geiselmann and Steinwandt [2007] Shimoyama [2006] DES Deep Crack 25 Güneysu et al. [2007] 199

28 . SHA-1 2 SHA-256 SHA SHA :5 24 SHA Indesteege, Mendel, Preneel, and Rechberger [2008] SHA Andreeva et al. [2008] 45 SHA Cannière and Rechberger [2008] SHA-1 34 SHA : Sasaki and Aoki [2008] AES SHA-2 NIST CRYPTREC 7. ISO/TC ISO/TC68 ISO/TC /2009.3

29 ISO/TC DES DES DES AES 201

30 2010 JNSA PKI WG PKI Day FISC NICT IPA NICT IPA 2008 CRYPTREC Report 2006 NICT IPA NISC SHA-1 RSA1024 NISC IC ISO/TC68/SC a 202 /2009.3

31 ISO/TC68 ISO/TC68/SC b ISO/TC68/SC ISO/TC68/SC JISCJIS X 5092: 2008 CMS CAdES 2008 a JIS X 5093: 2008 XML XAdES 2008 b Andreeva, Elena, Charles Bouillaguet, Pierre-Alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, and Sebastien Zimmer, Second Preimage Attacks on Dithered Hash Functions, Proceedings of Eurocrypt 2008, LNCS 4985, Springer-Verlag, 2008, pp CA/Browser Forum (CABF), Guidelines for the Issuance and Management of Extended Validation Certificates v1.1, CA/Browser Forum, 2008 (available in Cannière, Christophe de, and Christian Rechberger, Preimages for Reduced SHA-0 and SHA-1, Proceedings of CRYPTO 2008, LNCS 5157, Springer-Verlag, 2008, pp Certicom, Certicom Intellectual Property, Certicom, 2008 (available in Chang, Chu-jen, and Morris Dworkin, Workshop Report The First Cryptographic Hash Workshop, NIST, 2005 (available in HashWshop_2005_Report.pdf). EMVCo, Draft Specification Update Bulletin No. 74, AES option in EMV, EMVCo, 2008a., EMV ICC Specifications for Payment Systems v4.1x RSA+ Book2, EMVCo, 2007a., EMV ICC Specifications for Payment Systems v4.1y RSA++ Book2, EMVCo, 2007b., EMV ICC Specifications for Payment Systems v4.1z ECC Book2, EMVCo, 2007c., EMV Integrated Circuit Card Specifications for Payment Systems Book2 Security and Key Management Version 4.2, EMVCo, 2008b., New Cryptography Drafts, EMVCo, 2007d (available in specifications.asp?show=94)., Notice Bulletin No. 12 EMVCo Annual RSA Key Lengths Assessment, EMVCo, 2008c. 203

32 Geiselmann, Willi, and Rainer Steinwandt, Non-wafer-Scale Sieving Hardware for the NFS: Another Attempt to Cope with 1024-Bit, Proceedings of Eurocrypt 2007, LNCS 4515, Springer-Verlag, 2007, pp Güneysu, Tim, Christof Paar, Jan Pelzl, Gerd Pfeiffeer, Manfred Schimmler, and Christian Schleiffer, Parallel Computing with Low-Cost FPGAs-A Framework for COPACOBANA, Proceedings of ParaFPGA Symposioum LNI 2007, Hoffman, Paul, and Bruce Schneier, Request for Comments: 4270 Attacks on Cryptographic Hashes in Internet Protocols, 2005 (available in rfc4270.txt). Indesteege, Sebastiaan, Florian Mendel, Bart Preneel, and Christian Rechberger, Collisions and other Non-Random Properties for Step-Reduced SHA-256, Proceedings of SAC 2008, Springer-Verlag, International Organization for Standardization (ISO), Financial services Recommendations on cryptographic algorithms and their use Standing Document, ISO, 2007., and International Electrotechnical Commission (IEC), ISO/IEC JTC1/SC27 Standing Document No. 12 (SD12) on the Assessment of Cryptographic Algorithms and Key-Lengths 1 st Draft, ISO and IEC, Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applid Cryptography, CRC Press, Mitchell, Chris J., A new key recovery attack on the ANSI retail MAC, 2002 (available in National Institute of Standards and Technology (NIST) Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family, Federal Register, 72 (212), U.S. Government Printing Office, 2007a., NIST Special Publication B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, NIST, 2005a., NIST Special Publication , Recommendation for Key Management Part 1: General, NIST, 2005b., NIST Special Publication , Recommendation for Key Management Part 1: General (Revised), NIST, 2007b., NIST Special Publication , Cryptographic Algorithms and Key Sizes for Personal Identity Verification, NIST, 2005c., NIST Special Publication , Cryptographic Algorithms and Key Sizes for Personal Identity Verification, NIST, 2007c., NIST Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, NIST, National Security Agency (NSA), Fact Sheet NSA Suite B Cryptography, NSA, /2009.3

33 ISO/TC68 van Oorschot, Paul C., and Michael Wiener, A Known-Plaintext Attack on Two-Key Triple Encryption, Proceedings of EUROCRYPT 90, LNCS 473, Springer-Verlag, 1990, pp Sasaki, Yu, and Kazumaro Aoki, Preimage Attacks on MD, HAVAL, SHA, and Others, Presentation at CRYPTO 2008 Rump Session, 2008., Lei Wang, Kazuo Ohta, and Noboru Kunihiro, Security of MD5 Challenge and Response: Extension of APOP Password Recovery Attack, Proceedings of CT- RSA 2008, LNCS 4964, Springer-Verlag, 2008, pp Shimoyama, Takeshi, Factoring c128 in 7^352 C 1 by using special sieving hardware, 2006 (available in Sotirov, Alexander, Mark Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger, MD5 Considered Harmful Today, Creating a rogue CA certificate, Presentation at 25th Chaos Communication Congress, Stevens, Marc, Arjen Lenstra, and Benne de Weger, Chosen-prefix for MD5 and Colliding X.509 Certificates for Different Identities, Proceedings of Eurocrypt 2007, LNCS 4515, Springer-Verlag, 2007, pp Szydlo, Michael, and Yiqun Lisa Yin, Collision-Resistant Usage of MD5 and SHA-1 via Message Preprocessing, Proceedings of CT-RSA 2006, LNCS 3860, Springer- Verlag, 2006, pp Une, Masashi, and Masayuki Kanda, Year 2010 Issues on Cryptographic Algorithms, Monetary and Economic Studies, 25 (1), Institute for Monetary and Economic Studies, Bank of Japan, 2007, pp Wang, Xiaoyun, Andrew Yao, and Frances Yao, New Collision Search for SHA-1, Presentation at CRYPTO 2005 Rump Session,

34 206 /2009.3

<4D F736F F D20838A B F955C8E8682A982E796DA8E9F914F5F A815B FD B A5F E646F63>

<4D F736F F D20838A B F955C8E8682A982E796DA8E9F914F5F A815B FD B A5F E646F63> 2008 年度版リストガイド ( メッセージ認証コード ) 平成 21 年 3 月独立行政法人情報通信研究機構独立行政法人情報処理推進機構 1 1 1.1............................. 1 1.1.1............................ 1 1.1.2....................... 1 1.1.3...........................