1、INTERNATIONA1.STANDARDISO/IEC29128-1editionSecond2023-03Informationsecurity,cybersecurityandprivacyprotectionVerificationofcryptographicprotoco1.s一meworkReferencenumberISO/IEC29128-1.:2023(E)ISO/IEC2023COPYRIGHTPROTECTEDDOCUMENTIS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.or啪UIBndttaeDmkfifiHipB1.an
2、donnet8CH-1214Vernier,GenevaPhone:M1.22749O1.11觥ftte:丽丽BQrgPub1.ishedinSwitzer1.andContentsForewordivIntroductionv2 Scope13 Normativereferences14 Termsanddefinitions1Forma1.verificationofcryptographicprotoco1.s24.1 Methodsformode1.1.ingcryptographicprotoco1.s24.2 Verificationrequirements342J1.Nuthtf
3、1.eatioitoo1.sverification.34.2.3Boundedvsunboundedverification34.3 Cryptographicprotoco1.mode1.41234圣3.3.*4.4.yPW)tionspecifi(SWwf1.4Adversaria1.mode1.5Submittingamode1.5VerificationPrOCeSS65.1 Genera1.65.2 Dutiesofthesubmitter65.3 5BUiiesMtrihaziut1.iestor6532EVa1.Ua1.1.ngIheprover.*.65.3.3Eva1.ua
4、tingthemode1.6多%7Annex A (informative)TheNeedhain-Schroeder-1.owepub1.ickeyprotoco1.8Annex B (informative)Examp1.esubmissionAnnex C (informative)Examp1.eeva1.uation.10Annex D (informative)Do1.ev-Yaomode1.11Annex E (informative)Securityrproperties.12Bib1.iography14ForewordISO(theInternationa1.Organiz
5、ationforStandardization)isawor1.dwidefederationofnationa1.standardsUudiugh(ISOtnrifaaibwrim11thvcekWPfff1.QtafigbodyEtttibtandriteN(11owMycarehf1.t2committeehasbeenestab1.ishedhastherighttoberepresentedonthatcommittee.Internationa1.organizations,governmenta1.andnon-governmenta1.,in1.iaisonwithISO,a1
6、sotakepartinthework.ISOco1.1.aboratesc1.ose1.ywiththee1.ectrotechnica1.standardization.Internationa1.E1.ectrotechnica1.Commission(IEC)ona1.1.mattersofTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenance暇dedd釉魄ddi春nt1.S明段处楹tives,d。翻ents1弧U1.dB射蝴e1槐螂f1.1.ej逊B血邮硒inISO/IECDir
7、ectives.Part2(secwww.iso.org/dircctivesorwww.iec.ch/members.experts/refdocs).附出柚OnrJghts.d1.枪痴nf桃的抄那杷Mg施河F睡H田舛偌曲阻IdoC1.选tfrMfiKs.subjectofanypatentrightsidentifiedduringthedeve1.opmentofUWdxunwmWjI1.buutheIntroductionand/orontheISO1.istofpatentdw1.aradonsreceived(seewww.iso.org/patents)ortheIEC1.ist
8、ofpatentdec1.arationsreceived(seepatents.iec.ch).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsement.E即邮SiOnSeX阀nkbM的CMtbwAWy前stavwtdsrtwfmw加RWQiH(ftificadhcvweit11d:hWOndITadaQrgaNuion(WTO)princip1.esinth。T依hnica1.Ba沁stoTrad。(TBT),seewwvv.iso.or
9、g/iso/foreword.htrn.IntheIEC.seewww.iec.chunderstandmgstandards.j渊田M心肥SC褊呵9K初肺屈衲群咖隰CUr与阳(SOI&肪小econ./brmaonTechno1.ogy.Thissecondeditioncance1.sandrep1.acesthefirstedition(ISO/IEC29128:2011),whichhasbeentechnica1.1.yrevised.Themainchangesareasfo1.1.ows: remova1.Ofinforma1.andpaper-and-penci1.proofs;
10、 deprecationofPA1.1.eve1.s; stream1.iningoftechnica1.requirementsandexp1.anations;minoreditoria1.changestobringthedocumentin1.inewiththeISO/IECDirectivesPart2.2021.A1.istofa1.1.partsintheISO/IEC29128seriescanbefoundontheISOandIECwebsites.Anyfeedbackorquestionsonthisdocumentshou1.dbedirectedtoth(MU4M
11、4aUa1.4aiMuU4h;p1.ete1.istingofthesebodiescanbefoundatwww.iso.org/members.htm1.andIntroductionManycryptographicprotoco1.shavefai1.edtoachievetheirstatedsecuritygoa1.sbecausetheyareco011d9iiUxhfthdraDktt曲PUItyanemeim也EqyrOtOCo1.iwddeuethdtedrirous1.加MrirthHOndcavtmrityfinderrorsinIheirdesign.Thegoa1.
12、ofthisdocumentistostandardizeamethodforana1.ysingprotoco1.sbyProposingadear1.ydefinedverificationframeworkbasedonwe1.1.-foundedscientificmethods.喻rH三entN斗jv1.?jdirCornposabi1.i1.yaresti1.1.intheirinfancy,butastheymature,verificationofprotoco1.susingthoseproofscanbeincorporatedintothisdocument.Confid
13、enceinatoo1.isnotdeterminedbyitstypebutbywhetheritcanhand1.eunboundedsessionsorThestate-of-the-artmethodo1.ogyforverifyingtheSeCUritypropertiesofcryptographicprotoco1.sisthroughtheuseoftoo1.sca1.1.edofSecurityprovers.AnforthatproverTheinathenoftoeitherprovethat,undercertainassumptions,eachsecuritypr
14、opertyho1.dsorfindsasequenceofmessageswhicha1.1.owsanadversarytovio1.atethesecurityproperty.TheseinputsarepartofaAnautomatedprovermaytakeadvantageofcomputationa1.powertoverifycomp1.exsecuritypropertiesbycheckingmanycasesandsub-caseswithouthumanintervention.Ita1.soproducesrepeatab1.eresu1.tswhichbebe
15、writteninaandverifiedbytoo1.ab1.etoparse;inproversrequireistermedaforma1.specification.Manyautomatedproverscurrent1.yexistforverifyingSeCUrityproperties.Inthefuture,newtoo1.swi1.1.sure1.ybedoesnotandof1001.sforcanbebugstobefoundintoo1.s.Assuch,thisthatatoo1.sha1.1.have.Theon1.ytoohyhicharewhichtouse
16、dthisinputprocessareprotoco1.mode1.asdescribedin4.3.whichtheproofsarebyonanproverareInordertohaveconfidenceinistheresu1.ts,onsoundnessoftheframeworksha1.1.beverified.Manyprovershavepapersc1.aimingtoprovesoundness,whichprovideanexce1.1.entstartingpointforthisverification.too1.sha1.1.beproversaresucht
17、hat1.ikeab1.ereviewthecodeforoftoo1.initscodeexists.1.ast1.y,thetoo1.sha1.1.produceresu1.tswhicharerepeatab1.e.ThismeansthatanyonepossessingtheProofstakingadvantageofautomatedtoo1.scanprovideaparticu1.ar1.yeffectivewaytosimp1.ifytheforma1.VerificationaIreadyproven.obtainadvantageofansinceproveristhe
18、andthattheycanuseavai1.ab1.ecomputationa1.powertoso1.veparticu1.ar1.ycomp1.exsecurityproperties;propertiesthatwou1.dbeoutofreachofmanua1.verification.thatthetoo1.canrequirethedocumentofistermedforma1.protoco1.bewritten1.anguageTwotypesOfverificationtoo1.sarerecognizedbythisdocument:mode1.checkersand
19、theoremprovers.notFina1.1.y,verification(semi-automatic),too1.scanbefu1.1.yautomated(automatic)orrequireguidancefromthedeve1.oper4.3 Cryptographicprotoco1.mode1.4.3.1 Descriptionofamode1.Inordertocreateforma1.proofsofsecurityproperties,theconstructionofacryptographicprotoco1.mode1.isrequired.Forthep
20、urposesofthisdocument,suchamode1.consistsof:aforma1.cryptographicprotoco1.specificationbasedontheprotoco1.specification;anadversaria1.mode1.definingtheadversaryScapabi1.ities;amode1.ofthedesiredsecurityproperties.AnnexAprovidesanexamp1.eofaCiyptograp1.ucprotoco1.mode1.Verificationtechniquesarcapp1.i
21、edtotheprotoco1.mode1.inanattempttoprovethecorrectnessofthesecurityproperties.Foreachdesiredsecurityproperty,thesetechniquescanresu1.tinaproofof的(turitycafVoper!T三WackRiW(IW丘H西。随岷SSOfsecuritypropertieswi1.1.bereferredtoasse1.f-assessmentevidence.4.3.2 Forma1.SPeCifiCationCryptographicprotoco1.specif
22、icationsarewritteninawaythathumanscanreadandimp1.ementHmf1.udpxuAjchtocanibeuchaintppwfid9nautbnaoedNh)ViB1.i1.ShaIrbKre-wsjtterticationcmnputer-rearfobhja1.CryPtOgraPhiCprotoco1.specificationandsha1.1.encapsu1.atea1.1.re1.evantaspectsoftheprotoco1.J;临翻MT邓第1怆由拆翻fewdeU般麻前b网施Kc反区撼和即蚁口节删in野鼎馆ro1.einthe
23、protoco1.,orbymode1.1.ingmessagesindividua1.1.y.Snedforn1a1.abovV三81.1.m他闻oaT8般WkfunctiJ旅WhiC抽B乐览盟ver,酬!腋膈Vhi1.舟田寓SageSsha1.1.beinc1.udedintheforma1.specification.Thesefunctionsinc1.udecryptographicfunctionssuchasencryption,signingandhashing,aswe1.1.asnon-cryptographicfunctionssuchasconcatenation.相R
24、fandprq曲怫心思0fDiffie-He1.1.manfthisshou1.dinc1.ude,forexamp1.e,functionsforTheforma1.specificationsha1.1.mode1.variab1.es.Variab1.esareusedasinputstoandoutputsoffunctionsanda1.soascomponentsofmessagessentoverthenetwork.Theforma1.specificationsha1.1.containana1.gebraicstructurewhichdefinesthemathemati
25、ca1.ru1.esgoverningfunctionsandvariab1.es.Thestructuredefinesthebehaviourabouthowfunctionsandvariab1.esinteractwitheachother,inordertomode1.thewaycryptographicoperationsinteractwithEXAMP1.EThefunctionsforencryptinganddecryptingamessagemwithakeykcanbewrittenasenc(m,fc)anddec(m,)withthere1.ationshipde
26、c(cnc(r11).M=m怫他和火即任ftJIthea?8ftfWbutst1.Ky侪眯由已皿附喃观触】献RftW?P砧例谏删蚓Nations4.3.3 /Vdversaria1.mode1.4.3.3.1 Gpromisethesystem.ItstartingPoin1.inforniationsymbo1.icadversaria1.modc1.stoisandDo1.ev-YaoInOdC1.andamoredetai1.edexp1.anationcanbefoundin-AnttE.4.3.3.2 NetworkspecificationConsistscontro1.sing1
27、ecommunicationchanne1.swhereisadversarypartiescontro1.areadversary4.3.3.3 Do1.ev-Yaomode1.sentadversarynetwork,contro)theirownmessagesportionsthenetwork,de1.etemessagespreventingmessagesStrongthiscapabi1.ity,howevera1.1.modernprotoco1.saredesignedtowithstandattackfromadversariestheyareab1.etocomput
28、ecanbestoredindefinite1.yfor1.ateruse.EXAMP1.Ethcntheadversarycanposscssionmcssagc.encryptedmessageandthekeythatisneededtodecryptthe4.3.4 Submittingamode1.adversaria1.itmode1.assumedthatinc1.udedembeddedDo1.ev-Yaoadversaria1.speci11cation.beingadversaria1.mode1.isadditiona1.powerspowerspermitteiInin
29、c1.udedocument1.anguagedescriptiondefinedpowers.oftheadversaria1.4.3.5 SecuritypropertiesTheadversaria1.mode1.constitutesthepowersandabi1.itiesusedbyahypothetica1.adversaryto孤陶蛤潞怖腌Ci他眺es必驶sage.榔史ne1雕眼的佛鼎唯矍IUtO叫监林融眦服钳敞tsandusingthismode1.isrequiredforprotoco1.verificationinthisdocument.Asthisisthemos
30、tcommonmode1.,itisa1.sothemode1.usedbymostautomatedprovers.Abriefdescriptionisprovidedin4.3.3.3,5Thenetworkspecificationexp1.ainsthenetworkoperatingenvironmentoftheprotoco1.Typica1.1.y,thishasfu1.1.ofaover.pub1.icHowever,additiona1.whichChesharedbya1.1.hasIessandwhichana1.soparisomeprotoco1.sandcanb
31、emode1.1.edbymanytoo1.s.TheDo1.ev-Yaoadversaria1.mode1.definesthreemaintypesofabi1.itiesofanadversary.Theoverthehasfu1.1.sendofthepub1.icoveroftheandTheyareab1.etoreada1.1.themfrombeingseenbyothersonthenetwork.Messagessentoverthenetworkbytheadversarywi1.1.beofatypedefinedintheforma1.specification.Fworkcontro1.is,inmanycases,anunrea1.istica1.1.ywiththreatm
