《安全标准来源》PPT课件.ppt

1、安全协议与标准, 2009, 12,安全标准与规范,RFC ISO FIPS X9 PKCS P1363 NESSIE,安全标准 in RFC,安全相关的协议与标准文件，当属RFC中的最全面。RFC中关于安全的文档涉及多个方面： By IETF,IETF Security Area Working Groups,btns Better-Than-Nothing Security dkim Domain Keys Identified Mail emu EAP Method Update hokey Handover Keying ipsecme IP Security Maintenance

2、and Extensions isms Integrated Security Model for SNMP keyprov Provisioning of Symmetric Keys kitten Kitten (GSS-API Next Generation) krb-wg Kerberos ltans Long-Term Archive and Notary Services msec Multicast Security nea Network Endpoint Assessment pkix Public-Key Infrastructure (X.509) sasl Simple

3、 Authentication and Security Layer smime S/MIME Mail Security syslog Security Issues in Network Event Logging tls Transport Layer Security,（0）安全综述，阐述了安全的概念、术语、需求，给出了一般化的考虑、建议和机制，如1675、2196、2323、2504、3631、4949等。,（1）密码算法和协议/接口规范，比如RC2(2268)、MD5(1321)、PKCS/RSA(3447)、TLS(4346)、IKE(4306)、GSS-API、SASL等。,（

4、2）认证授权和访问控制规范，如RADIUS(2865)、Diameter(3588)、Kerberos、等。,（3）应用规范，PGP(4880)、S/MIME、HTTP over TLS(2818)、IPSec、VPN、等。,（4）其他规范。,RFC：Internet 标准 (中译本) RFC china-pub,ISO,ISO，关于OSI的安全需求(35.100.01)、服务和机制(iso7498)，密码算法(35.040)，安全管理(17799)等。 ISO 7498-2 Security Architecture ISO 10181 Security frameworks for ope

5、n systems ISO 11586 Generic upper layers security /,FIPS,FIPS，包括DES(46)、AES(197)、DSS(186)、HMAC(198)等； /publications/PubsFIPS.html,FIPS-140,FIPS 140是密码模块安全性需求最为重要的标准之一，也是业界衡量密码实现的准则。如果机构的信息或数据需要通过密码的方式进行保护，比如金融或者政府机构，那么FIPS 140-2标准则被适用。经过该标准符合性评估认证的产品模块将满足这些机构的密码系统

6、技术要求，目前世界范围很多机构的IT产品采购和招标要求中均提出了产品满足FIPS 140-2的需求。 The FIPS 140 are series of publications numbered 140 which are a U.S. government computer security standards that specify requirements for cryptography modules. As of December 2006update, the current version of the standard is FIPS 140-2, issued on

7、25 May 2001. /fipspubs /groups/STM/cmvp/index.html ,FIPS 140标准历史和发展情况,CMVP,The Cryptographic Module Validation Program (CMVP) is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendors wh

8、o seek to have their products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive, but not classfied information. All of the tests under the CMVP are handled by third-party l

9、aboratories that are accredited as Cryptographic Module Testing Laboratories by the National Voluntary Laboratory Accreditation Program (NVLAP). Product certifications under the CMVP are performed in accordance with the requirements of FIPS 140-2. The CMVP was established by the U.S. National Instit

10、ute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada in July 1995.,Validated modules list,Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules /groups/STM/cmvp/validation.html /groups/STM/cmv

11、p/documents/140-1/140val-all.htm,OpenSSL FIPS 140-2 module /docs/fips/,与通用评估准则（CC）的关系,Common Criteria（CC）是业界安全功能和安全保障评估的通用准则，并实现了国际互认。而在美国NIAP体系下的CC产品评估，如果产品包括密码模块或者密码算法，该产品的CC认证证书上将标明该产品是否通过FIPS 140认证。事实上，CC和FIPS 140标准相辅相成，存在强烈的相关性，但关注点各有侧重。 在FIPS 140验证中，如果操作环境是可以更改的，那么CC的操作系统需

12、求适用于安全级别2或者更高。 CC和FIPS 140-2标准分别关注产品测评的不同层面。FIPS 140-2测评针对定义的密码模块，并提供4个级别的一系列符合性测评包。FIPS 140-2描述了密码模块的需求，包括物理安全、密钥管理、自评测、角色和服务等。该标准最初开发于1994年，早于CC标准。而CC是针对于具体的保护轮廓（PP）或者安全目标（ST）的评估。典型的模式是某个PP可能涉及广泛的产品范围。 总之，CC评估不能替代FIPS 140的密码验证。FIPS 140-2中定义的四个安全级别也不能够直接与CC预定义的任何EAL级别或者CC功能需求相对应。CC认证不能取代FIPS 140的认证

13、。,X9,ASC/ANSI X9，制定了一些关系金融领域安全的标准和规范。如随机数产生(X9.17)、公钥算法服务于金融业(X9.63)等。 /standards/,PKCS,PKCS系列标准，RSA公司的标准。 ,P1363,IEEE P1363，制定关于椭圆曲线密码算法等规范。 /groups/1363/,NESSIE,NESSIE，欧洲的密码新标准计划。 The NESSIE project (New European Schemes for Signatures, Integrity and Encryptio

14、n) (2000-2003) evaluates crypto algorithms. NESSIE has selected the following 12 algorithms from the 42 submissions; in addition, 5 well established standard algorithms have been added to the NESSIE portfolio (indicated with a *). https:/www.cosic.esat.kuleuven.be/nessie/,Block ciphers: MISTY1: Mits

15、ubishi Electric Corp., Japan; Camellia: Nippon Telegraph and Telephone Corp., Japan and Mitsubishi Electric Corp., Japan; SHACAL-2: Gemplus, France; AES (Advanced Encryption Standard)* (USA FIPS 197) (Rijndael).,Public-key encryption: ACE Encrypt: IBM Zurich Research Laboratory, Switzerland; PSEC-KE

16、M: Nippon Telegraph and Telephone Corp., Japan; RSA-KEM* (draft of ISO/IEC 18033-2).,MAC algorithms and hash functions: Two-Track-MAC: K.U.Leuven, Belgium and debis AG, Germany; UMAC: Intel Corp., USA, Univ. of Nevada at Reno, USA, IBM Research Laboratory, USA, Technion, Israel and Univ. of Californ

17、ia at Davis, USA; CBC-MAC* (ISO/IEC 9797-1); HMAC* (ISO/IEC 9797-1); Whirlpool: Scopus Tecnologia S.A., Brazil and K.U.Leuven, Belgium; SHA-256*, SHA-384* and SHA-512* (USA FIPS 180-2).,Digital signature algorithms: ECDSA: Certicom Corp., USA and Certicom Corp., Canada; RSA-PSS: RSA Laboratories, USA; SFLASH: Schlumberger, France.,Identification schemes: GPS: Ecole Normale Suprieure, Paris, France Tlcom and La Poste, France.,SECG,SECG，目前主要发布了一些关于ECC的规范。 The Standards for Efficient Cryptography Group (SECG), an industry consortium, was founded in 1998 to develo