rfc5091.Identity-Based Cryptography Standard (IBCS) #1 Supersingular Curve Implementations of the BF


PKI security architecture standards and specifications

Standard | Issuer
Public-Key Cryptography Standards (PKCS) series (first-generation standards) | RSA Data Security, Inc. and its partners
ITU-T X.509 | ITU-T
RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile | IETF
RFC 2560 X.509 Internet PKI Online Certificate Status Protocol (OCSP) | IETF
RFC 2510 PKI Certificate Management Protocols | IETF
RFC 2511 Certificate Request Message Format | IETF
RFC 3647 PKI Certificate Policy and Certification Practices Framework | IETF
RFC 3280 X.509 v3 certificate and CRL profile | IETF
RFC 2528 Key Exchange Algorithm (KEA) keys in X.509 certificates | IETF
RFC 3039 Qualified Certificates profile | IETF
RFC 3279 Algorithms and identifiers for X.509 v3 public key certificates | IETF
RFC 2559 PKI operational protocols: LDAPv2 | IETF
RFC 2585 Internet X.509 PKI operational protocols: FTP and HTTP | IETF
RFC 2587 Internet X.509 PKI LDAPv2 schema | IETF
RFC 2527 Internet X.509 PKI Certificate Policy and Certification Practices Framework | IETF
(standard name not preserved in the source) | Microsoft, VeriSign and webMethods

Domestic specifications (issued by the Information Security Standardization Technical Committee, 2005):
GB/T 19713-2005 Information technology - Security techniques - Public key infrastructure - Online Certificate Status Protocol
GB/T (number not preserved in the source)-2005 Security techniques - Public key infrastructure - Certificate Management Protocol

Online Certificate Status Protocol: this standard specifies a mechanism for querying the status of a digital certificate without requesting a certificate revocation list (CRL), namely OCSP. The mechanism can replace CRLs or supplement periodic CRL checking so that revocation information is obtained promptly. The standard covers: a) the request format of the protocol; b) the response format; c) the exceptional conditions that may arise when a response is processed; d) how the protocol is carried over HTTP; e) a description of the protocol in Abstract Syntax Notation One (ASN.1).

Certificate Management Protocol: this standard describes the certificate management protocol of a public key infrastructure (PKI) and defines the protocol messages needed for every aspect of certificate generation and management, chiefly certificate requests, revocation, key update, key recovery and cross-certification. It applies to implementing and managing PKI components in secure or insecure environments and serves as a reference for PKI operators and PKI component developers.

IT security management: this part presents the basic management concepts and models that need to be introduced into IT security management; the remaining parts of the guide discuss and develop these concepts and models to give more detailed guidance. It can be used together with the other parts to help identify and manage the various aspects of IT security, and it sets out the basic topics of IT security management and the relationships between them.

Entity authentication: this part is Part 5 of GB/T 15843 and is identical to ISO/IEC 9798-5:1999, Information technology - Entity authentication - Part 5: Mechanisms using zero-knowledge techniques.

Identity-based signatures: specifies the overall structure and basic processes of identity-based digital signature and verification with appendix for messages of arbitrary length.

Certificate-based signatures: this part specifies certificate-based digital signature mechanisms with appendix. In particular it provides: 1) a general description of certificate-based signature mechanisms whose security rests on the difficulty of the discrete logarithm problem in the commutative group used; 2) a general description of certificate-based signature mechanisms whose security rests on the difficulty of factoring; 3) the common certificate-based digital signature mechanisms with appendix for messages of arbitrary length.

Introduction to the PKCS standards

Public-Key Cryptography Standards (compiled by Hanyil, copyright reserved). Since the wide acceptance of public-key cryptography is an established fact, turning it into a widely deployed technology requires standards that support interoperability.

Even if every user adopts public-key cryptography, the different implementations still have to be made compatible with one another.

Interoperability requires that data be transmitted strictly in a recognized standard format; the standards described here provide that basis.

These standards are called the Public-Key Cryptography Standards (PKCS).

They cover RSA, Diffie-Hellman key exchange, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, certification request syntax, selected attribute types, cryptographic tokens and elliptic-curve cryptography.

PKCS is a series of standards drawn up by RSA Laboratories together with other security-system vendors to promote public-key cryptography. It is the earliest family of public-key standards and one of the most important in the development of the field.

Since their publication in 1991 as the outcome of a meeting of early public-key users, the PKCS documents have been widely cited and implemented.

Parts of many formal and de facto industry standards were drafted with reference to PKCS, for example ANSI X9, PKIX, SET, S/MIME and SSL.

RSA Laboratories played a central role in the process: it published carefully written specification documents, retained decision authority over the process, collected the amendment and extension proposals of other developers, released revised versions when appropriate, and provided reference material and guidance for implementers.

PKCS has so far published 15 standards; each has been revised several times, and some documents are still being amended and drafted.

The 15 standards are:
• PKCS #1: RSA Cryptography Standard
• PKCS #2: merged into PKCS #1
• PKCS #3: Diffie-Hellman Key Agreement Standard
• PKCS #4: merged into PKCS #1
• PKCS #5: Password-Based Cryptography Standard
• PKCS #6: Extended-Certificate Syntax Standard
• PKCS #7: Cryptographic Message Syntax Standard
• PKCS #8: Private-Key Information Syntax Standard
• PKCS #9: Selected Attribute Types
• PKCS #10: Certification Request Syntax Standard
• PKCS #11: Cryptographic Token Interface Standard
• PKCS #12: Personal Information Exchange Syntax Standard
• PKCS #13: Elliptic Curve Cryptography Standard
• PKCS #14: Pseudo-random Number Generation Standard
• PKCS #15: Cryptographic Token Information Format Standard

PKCS compared with other standards

Algorithm-independent syntax
 Digital signature information: PKCS #7
 Digital envelope (encrypted) information: PKCS #7
 Certification request: PKCS #10
 Digital certificate: X.509, RFC 1422
 Extended certificate: PKCS #6
 Certificate revocation list: X.509, RFC 1422
 Encrypted private-key information: PKCS #8 (encryption per PKCS #5)
 Cryptographic token: PKCS #11, PKCS #15
 Personal information exchange: PKCS #12
 Key exchange information: [ISO90a], [ISO90b]
Algorithm-specific syntax
 RSA public key: PKCS #1
 RSA private key: PKCS #1
Algorithms
 Message digest: MD2, MD5 (RFC 1319, RFC 1321)
 Secret-key encryption: DES (RFC 1423, [NIST92a])
 Public-key encryption: RSA (PKCS #1)
 Signatures: MD2, MD4, MD5 with RSA (PKCS #1)
 Password-based encryption: PKCS #5
 Diffie-Hellman key exchange: PKCS #3

PKCS #1, the RSA Cryptography Standard: versions 1.0 to 1.3 were issued for the public-key cryptography standards meetings held by RSA Data Security in February and March 1991.

International standards followed by PKI systems

The international standards that a PKI (Public Key Infrastructure) follows include:
1. X.509 certificate standard: X.509 is the format standard for digital certificates; it defines the structure and fields of a certificate and the rules and procedure for validating it.

2. RSA standard: RSA (Rivest-Shamir-Adleman) is the most widely used asymmetric algorithm; key generation, encryption, decryption and signing are specified by the RSA standard, PKCS #1.

3. PKCS (Public Key Cryptography Standards): a series of public-key cryptography standards, including PKCS #1 (RSA cryptography), PKCS #7 (Cryptographic Message Syntax), PKCS #10 (certification request syntax) and PKCS #11 (cryptographic token interface).

4. RFC (Request for Comments) standards: the RFCs are the technical specifications published by the Internet Engineering Task Force (IETF). Those relevant to PKI include RFC 3280 and its successor RFC 5280, the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, which define the certificate and CRL formats and the certification path validation algorithm.

5. ISO (International Organization for Standardization) standards: ISO also publishes PKI-related standards, such as ISO/IEC 11770 (security techniques for key management) and ISO/IEC 15408 (the Common Criteria for IT security evaluation).

These international standards provide the technical specifications and guidance for building and operating a PKI and ensure its interoperability and security.

Improvement of the Tate pairing algorithm of RFC 5091

Abstract: an algorithm that speeds up the computation of the Tate pairing is presented. Analysis shows that the improved algorithm raises the computational efficiency by 20%.

Journal of Fujian University of Technology, Vol. 9, No. 1, February 2011 (ISSN 1672-4348)
Wang Feng (Department of Mathematics and Physics, Fujian University of Technology, Fuzhou, China)

... designed algorithms for the Weil and Tate pairings on such curves. In 2007

1 Basic concepts of the Tate pairing

Let $E(\mathbb{F}_q)$ be the additive group formed by the points of the elliptic curve $y^2 = x^3 + ax + b$ over the finite field $\mathbb{F}_q$ ($q$ prime), and let

Certificates required for timestamp verification in the .NET Framework

In .NET, timestamp verification involves X.509 certificates: an RFC 3161 timestamp token is a CMS signature produced by a Time Stamping Authority (TSA), and verifying the token means verifying that signature and the certificate that made it.

An X.509 certificate is a digital certificate used to verify the identity of an entity (a website, a server or a person) on the Internet.

In the timestamping context the signing certificate belongs to the TSA; a valid token proves that particular data existed, unaltered, at the time stated in the token.

To verify a timestamp in .NET you need the following:

1. Obtain the TSA's certificates. You need the TSA's signing certificate and, more importantly, the CA certificate(s) it chains to. They are usually supplied as .cer files in DER or Base64-encoded (PEM) form; the TSA signing certificate is normally also embedded in the token itself.

2. Establish trust. Import the TSA's root CA certificate (not the TSA's own end-entity certificate) into the Trusted Root Certification Authorities store, for example with certmgr.msc. The TSA signing certificate must carry the Extended Key Usage id-kp-timeStamping (1.3.6.1.5.5.7.3.8), marked critical, as RFC 3161 requires; building the chain with that application policy rejects an ordinary signing certificate misused as a TSA certificate.

3. Verify the token in code. Load the token with System.Security.Cryptography.Pkcs.Rfc3161TimestampToken (built into .NET Core 2.1 and later, and available for the .NET Framework through the System.Security.Cryptography.Pkcs NuGet package). .NET has no class named X509TimeStampingServices; the token class checks the CMS signature and the message imprint, and X509Chain performs the trust check.

Here is a simple example in C# (the file paths are placeholders to replace with real ones):

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;                // Rfc3161TimestampToken
using System.Security.Cryptography.X509Certificates;

public class TimeStampVerificationExample
{
    // Returns true only if the token's CMS signature verifies over `data`
    // and the TSA certificate chains to a trusted root with the timeStamping EKU.
    public static bool VerifyTimestamp(byte[] data, byte[] tokenBytes, out DateTimeOffset timestamp)
    {
        timestamp = default(DateTimeOffset);

        // 1. Decode the DER TimeStampToken (the timeStampToken field of the TSA's TimeStampResp).
        if (!Rfc3161TimestampToken.TryDecode(tokenBytes, out Rfc3161TimestampToken token, out int consumed))
            return false;

        // 2. Check the CMS signature and that messageImprint matches the hash of `data`.
        if (!token.VerifySignatureForData(data, out X509Certificate2 tsaCert))
            return false;

        // 3. Build the TSA certificate's chain to a trusted root, requiring id-kp-timeStamping.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.8"));
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // needs network access
            if (!chain.Build(tsaCert))
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.WriteLine("chain error: " + status.StatusInformation);
                return false;
            }
        }

        timestamp = token.TokenInfo.Timestamp;
        return true;
    }

    public static void Main()
    {
        byte[] data = File.ReadAllBytes("path/to/your/signed-data.bin");
        byte[] tokenBytes = File.ReadAllBytes("path/to/your/timestamp-token.tst");

        if (VerifyTimestamp(data, tokenBytes, out DateTimeOffset ts))
            Console.WriteLine("Timestamp verified: " + ts.ToString("u"));
        else
            Console.WriteLine("Timestamp verification failed");
    }
}
```

Note that VerifySignatureForData recomputes the hash of the data with the algorithm named in the token's messageImprint and compares it with the imprint, so a token cannot be transplanted onto different data. A token that decodes and verifies but whose TSA certificate fails chain building must still be treated as untrusted.

TCP/IP exercise answers (complete Word version)

1-1 Which events do you think played a particularly important role in the development of the Internet?
1-2 What is the "Digital Earth"? Digital Earth samples the Earth's surface by geographic position at very high resolution (about 1 m), enters the natural-resource and social-resource information of each sample point into a computer as that point's attributes, and then organizes, analyses and logically combines this information to serve decision makers.

Virtual reality is one of the key technologies for realizing Digital Earth.
1-3 What was the first RFC from China to be accepted by the IETF?
1-4 What are the main tasks of the Internet-related bodies IAB, IETF, IRTF, ISOC, InterNIC, ICANN and W3C?
1-5 What states can an RFC document have, and what does each mean? RFC documents have eight states: three on the standards track, three off the standards track and two other states.

(1) The standards track has three maturity levels, from lowest to highest: Proposed Standard, Draft Standard and Standard.

A Proposed Standard has gone through a thorough review, has attracted the attention of several organizations and is considered valuable, but it may still change considerably before becoming an Internet Standard.

(2) Off the standards track are Experimental, Informational and Historic specifications.

An Experimental specification is an archival record of research and development work.

An Informational specification carries no recommendation or endorsement by the Internet community; protocols from organizations and vendors outside the Internet community that are not adopted as Internet standards may be published in this form.

A Historic specification has been superseded by a newer one.

(3) Other states. Some RFCs record the results of deliberation within the Internet organizations and document Best Current Practice (BCP).

Some RFCs have not been classified and carry the status UNKNOWN, for example early Internet RFCs.

2-1 How do the peer entities of a network protocol communicate?
2-2 What are the benefits of protocol layering? Layering breaks a complex problem into several simpler ones that can be solved separately; it helps network interconnection, since protocol conversion may involve only one or a few layers rather than all of them; and it shields the upper layers from changes below, so introducing a new lower-layer technology does not affect the upper-layer application protocols.

Commonly used test protocols in RFCs

Outline:
1. Introduction to RFCs
2. Test protocols commonly used in RFCs
 a. Network protocol testing: packet capture and analysis; network simulation and test tools
 b. Application-layer protocol testing: HTTP and HTTPS; FTP and FTPS; SMTP and SMTPS
 c. Security protocol testing: TLS and SSL; IPsec
 d. Transport protocol testing: TCP and UDP
 e. Wireless network protocol testing: 802.11

RFC (Request for Comments) is the series of standards documents in which Internet protocols are discussed and recorded.

Many RFCs concern testing; these test protocols and methodologies exist to confirm that Internet protocols work correctly in practice.

This article introduces them.

First, network protocol testing. The RFC series itself includes benchmarking methodology, for example RFC 2544, Benchmarking Methodology for Network Interconnect Devices.

Packet capture and analysis is the basis of protocol testing and is essential for diagnosing network problems and tuning performance.

Network simulation and test tools are also indispensable: simulators such as NS-3 and test platforms such as Ixia let engineers reproduce real network conditions in a laboratory and test protocols more rigorously.

Second, application-layer protocol testing. HTTP and HTTPS are the most common protocols in web applications, and many tools test their performance and security, for example the load-testing tools JMeter and Locust.

FTP and FTPS, SMTP and SMTPS are also common test targets.

For security protocols, the test methods concern TLS and SSL and IPsec.

These protocols protect data in transit on the Internet, so their performance and security must be tested strictly.

For transport protocols, TCP and UDP are the most widely used, and their testing is an important part of the RFC literature.

TCP testing focuses on reliability and flow control, while UDP testing concentrates on throughput and packet loss.

Finally, wireless protocol testing also has its place: 802.11 wireless testing is key to evaluating wireless LAN performance.

Introduction to RFCs

Classification of RFCs
• 2. BCP RFCs. Because the Internet is used in so many fields and different organizations have different purposes and usage rules, the IETF, besides proposing STDs, also needs to give general guidance on the use and management of the Internet, and to give the IETF, IAB and IESG a channel for promoting particular work, reflecting technical trends and reporting on their own progress. In 1995, RFC 1818 therefore defined the BCP, Best Current Practice. A BCP has both a BCP number and an RFC number; once a BCP number is assigned it never changes, whereas the RFC number may be updated through revisions. For example BCP 9, which records the Internet standards process, moved from RFC 1602 to RFC 2026, and RFC 1602 was obsoleted accordingly. Before publication a BCP is circulated by e-mail for comment across the IETF and reviewed by the IESG; once approved it is published. A BCP is not, however, an Internet Standard.

History
• From 1969 to 1998 Jon Postel served as the RFC Editor. When the US-government contract expired, the Internet Society (on behalf of the IETF), working with the networking division of the University of Southern California's Information Sciences Institute and under the direction of the IAB, took over the drafting and publication of RFC documents. Jon Postel remained RFC Editor until his death; Bob Braden then took over leadership of the project, with Joyce Reynolds continuing as a member of the team.

X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (Chinese edition)

Network Working Group                       M. Myers, VeriSign
Request for Comments: 2560                  R. Ankney, CertCo
Category: Standards Track                   A. Malpani, ValiCert
                                            S. Galperin, My CFO
                                            C. Adams, Entrust Technologies
                                            June 1999

RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP

Status of this memo: this document specifies an Internet standards track protocol for the Internet community and requests discussion and suggestions for improvements.

Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol.

Distribution of this memo is unlimited.

Copyright notice: Copyright (C) The Internet Society (1999). All Rights Reserved.

1. Abstract. This document specifies a protocol for determining the current status of a digital certificate without requiring certificate revocation lists.

Additional mechanisms addressing PKIX operational requirements are specified in separate documents.

Section 2 gives an overview of the protocol.

The functional requirements are specified in section 3.

Section 4 contains the protocol itself.

In section 5 we discuss some security issues related to the protocol.

Appendix A defines OCSP over HTTP, appendix B contains the ASN.1 syntactic elements and appendix C specifies the MIME types for the messages.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
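The request half of the exchange described above, as an added example that is not part of RFC 2560 or of this page: a Python script (standard library only) that DER-encodes an unsigned OCSPRequest carrying one CertID and the nonce extension, and posts it with the MIME types of Appendix A. The issuer name and the issuer's public-key bytes are constructed stand-ins (ISSUER_NAME_DER, ISSUER_KEY_BITS); in practice the name is the issuer certificate's subject field and the key bytes are the contents of its subjectPublicKey BIT STRING. The nonce wrapping follows RFC 6960, which succeeded RFC 2560. The helper names (der, der_oid, der_int, build_cert_id, build_ocsp_request, post_ocsp) are this example's own.

```python
import hashlib
import os
import urllib.request

SEQUENCE, SET, OCTET_STRING, NULL, UTF8STRING = 0x30, 0x31, 0x04, 0x05, 0x0C
CONTEXT_2 = 0xA2                         # [2] EXPLICIT, constructed, context-specific
ID_SHA1 = "1.3.14.3.2.26"
ID_PKIX_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"


def der(tag, content):
    """Encode one DER TLV with a definite length (short form below 128, long form above)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 groups for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def der_int(n):
    """Non-negative INTEGER; one extra octet keeps the sign bit clear (128 -> 02 02 00 80)."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID (RFC 2560 section 4.1.1): hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber.
    issuerNameHash is over the DER of the issuer's Name; issuerKeyHash is over the bytes of the
    issuer's subjectPublicKey BIT STRING (tag, length and unused-bits octet excluded)."""
    hash_alg = der(SEQUENCE, der_oid(ID_SHA1) + der(NULL, b""))
    return der(SEQUENCE, hash_alg
               + der(OCTET_STRING, hashlib.sha1(issuer_name_der).digest())
               + der(OCTET_STRING, hashlib.sha1(issuer_key_bits).digest())
               + der_int(serial))


def build_ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce):
    """Unsigned OCSPRequest with a single Request and the nonce extension (section 4.4.1).
    RFC 6960 fixes the nonce value as an OCTET STRING inside the extnValue OCTET STRING."""
    request = der(SEQUENCE, build_cert_id(issuer_name_der, issuer_key_bits, serial))
    nonce_ext = der(SEQUENCE, der_oid(ID_PKIX_OCSP_NONCE)
                    + der(OCTET_STRING, der(OCTET_STRING, nonce)))
    tbs_request = der(SEQUENCE, der(SEQUENCE, request)             # requestList SEQUENCE OF Request
                      + der(CONTEXT_2, der(SEQUENCE, nonce_ext)))  # requestExtensions [2] EXPLICIT
    return der(SEQUENCE, tbs_request)                               # optionalSignature omitted


def post_ocsp(url, request_der, timeout=10):
    """Transport from RFC 2560 Appendix A: HTTP POST with the OCSP MIME types."""
    http_req = urllib.request.Request(url, data=request_der,
                                      headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        if resp.headers.get("Content-Type") != "application/ocsp-response":
            raise ValueError("responder returned " + str(resp.headers.get("Content-Type")))
        return resp.read()


# Constructed stand-ins: a CA name and 32 placeholder public-key bytes (not a real key).
ISSUER_NAME_DER = der(SEQUENCE, der(SET, der(SEQUENCE, der_oid("2.5.4.3")
                                                     + der(UTF8STRING, b"Example Test CA"))))
ISSUER_KEY_BITS = bytes(range(1, 33))

if __name__ == "__main__":
    nonce = os.urandom(16)
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, 0x1234, nonce)
    print(req.hex())
    # The response must echo this nonce in its responseExtensions; a response without it
    # (or with a different one) may be a replay of an older, now stale, answer.
```

The nonce is the security point of section 4.4.1: without it a captured "good" response for a certificate that has since been revoked can be replayed to the client, so a client that sends a nonce must reject a response that does not carry it back.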

X.509 Certificate Generator User Manual (version 3.6)

Introduction
X.509 Certificate Generator is a tool that generates digital certificates in PFX format, in the Microsoft Certificate Store, or directly on your cryptographic smart card. It contains two main applications:
– PFX Certificate Generator: used when digital certificates must be issued in PFX format.
– Smart Card Certificate Generator: used when the certificate must be generated directly on a smart card.

Links
X.509 Certificate Generator main page: /x509-certificate-generator/
Download X.509 Certificate Generator: /apps/X509CertificateGenerator.msi

Warning and Disclaimer
Every effort has been made to make this manual as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this manual.

Trademarks
.NET and Visual Studio .NET are trademarks of Microsoft Inc. Adobe and Adobe Reader are trademarks of Adobe Systems Inc. All other trademarks are the property of their respective owners.

Table of Contents
Introduction; Links; Warning and Disclaimer; Trademarks; Digital Certificate Properties (Certificate Subject, Validity Period, Cryptographic Algorithms, Key Usage, Enhanced Key Usage); PFX Certificate Generator (Issuing Certificates; Issuing Certificates Signed by a Root Certificate: Issue the Root Certificate, Saving the Root Certificate Public Part, Issue the Client Certificate Signed by the Root Certificate; Installing a PFX Certificate; Issuing Certificates from CSR (SSL Certificates): Create the CSR for an IIS website, Signing the CSR Request with the Root Certificate, Installing the CSR response on the IIS website, Validating the SSL certificate); Smart Card Certificate Generator; Microsoft Certificate Store (How to Access Microsoft Certificate Store, Export the Root Certificate from Microsoft Store, Import the Root Certificate on Microsoft Store); Observations (X.509 Certificate Generator and CRL).

Digital Certificate Properties

Certificate Subject
Every certificate must have a Subject, which is set on the main interface. The Subject can contain Unicode characters such as ä, æ, £, Ñ.
[Figure: Certificate Subject]

Validity Period
Every certificate has a validity period; a certificate becomes invalid after it expires. Observation: in the demo version of the product the validity cannot exceed 30 days. This is the only limitation of the product in demo mode.
[Figure: Certificate validity period]

Cryptographic Algorithms
The certificates use the RSA algorithm (a public-key algorithm based on the presumed difficulty of factoring large integers). The default RSA key length is 1024 bits and the default SignatureAlgorithm is SHA1WithRSA; both can be changed. These defaults date from when the manual was written and should not be used now: 1024-bit RSA keys and SHA-1 signatures are rejected by current browsers and operating systems, so select a key length of at least 2048 bits and SHA256WithRSA for every certificate, root certificates included. Observation: generating a certificate takes longer when a larger key size is used.
[Figure: Certificate public key]

Key Usage
A CA, user, computer, network device or service can have more than one certificate. The Key Usage extension defines the security services for which a certificate can be used. The options can be used in any combination and include the following:
DigitalSignature: the public key verifies digital signatures other than those used for non-repudiation, certificate signing and CRL signing.
NonRepudiation: the public key verifies signatures intended to prevent the signer from later denying the action.
KeyEncipherment: the public key is used for key transport (encrypting a symmetric key).
DataEncipherment: the public key encrypts data directly rather than a symmetric key.
KeyAgreement: the public key is used for key agreement.
CertificateSigning (keyCertSign): the public key verifies signatures on certificates.
CRLSigning (cRLSign): the public key verifies signatures on CRLs.
For a regular user certificate the most used Key Usages are DigitalSignature, NonRepudiation, KeyEncipherment and DataEncipherment. For a Root Certificate (CA certificate) the most used are CertificateSigning and CRLSigning.
[Figure: Certificate Key Usage]

Enhanced Key Usage
This extension indicates how a certificate's public key can be used, providing information beyond the general purposes defined in the Key Usage extension. For example, OIDs exist for Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1) and Secure E-mail (1.3.6.1.5.5.7.3.4). When a certificate is presented to an application, the application can require the presence of an Enhanced Key Usage OID specific to it. X.509 Certificate Generator supports many well-known Enhanced Key Usages and also lets you specify a custom one. The Enhanced Key Usage extension can also be marked critical. Some of the Enhanced Key Usages available by default:
CodeSigning: the certificate can sign code.
SmartcardLogon: the certificate lets an individual log on to a computer with a smart card.
DocumentSigning: the certificate can sign documents.
TimeStamping: the certificate can sign public key infrastructure timestamps according to RFC 3161.
[Figure: Enhanced Key Usage (marked as Critical Extension)]

PFX Certificate Generator
PFX Certificate Generator issues custom PFX certificates. All certificate options, such as validity period, signature algorithm, key length and Key Usage, are fully customizable. A CSR (Certificate Signing Request) can also be signed with a previously created Root Certificate; this option is on the Generate main menu.
[Figure: PFX Certificate Generator main interface]
After the PFX certificate is generated, if "Install certificate on local computer (Microsoft Store)" is checked, the certificate is installed automatically in the local computer's Certificate Store.

Issuing Certificates
By default, the certificates issued by PFX Certificate Generator are signed by a Root Certificate created on the fly. The application can also issue digital certificates signed by a Root Certificate loaded from a PFX file, or self-signed digital certificates. More details about self-signed certificates can be found here.
[Figure: Self-signed certificates; Certificate subject]
A digital certificate issued by PFX Certificate Generator looks like this:
[Figure: Self-signed certificate]

Issuing Certificates Signed by a Root Certificate

Issue the Root Certificate
In some cases it is necessary to issue certificates for an entire organization. In this scenario you issue a Root Certificate, and every certificate issued for an entity is signed by it. A Root Certificate (CA certificate) is a special type of certificate that can digitally sign other certificates. To issue a Root Certificate with X.509 Certificate Generator, select the "Root Certificate" template in the Extensions dialog and issue the certificate. Remember the file name and the PFX password used for this certificate.
[Figure: Root Certificate template; Creating a Root Certificate]

Saving the Root Certificate Public Part
Certificates signed by the Root Certificate may be considered invalid on some computers. For example, if a CSR is signed by the Root Certificate, the resulting SSL certificate will be considered untrusted by web browsers once installed. To validate the certificates on other computers, the Root Certificate used to issue the client certificates (such as SSL certificates) must first be installed on those computers. After the Root Certificate is created and imported, it is available in the Microsoft Certificate Store (Personal or Trusted Root Certification Authorities tab). The resulting .CER file must be installed in Microsoft Certificate Store - Trusted Root Certification Authorities (see the section Microsoft Certificate Store - Import the Root Certificate on Microsoft Store).

Issue the Client Certificate Signed by the Root Certificate
To issue certificates signed by this Root Certificate:
– on the Extensions tab, select the "Standard User" template;
– fill in the Certificate Subject (Issued to, Organization, E-mail address, etc.) with your data;
– on the Certificate Type tab, select "Create a certificate signed by a Root Certificate" and select the previously created Root Certificate;
– issue and save the PFX certificate.
[Figure: Issue certificates signed by a Root Certificate]
A certificate signed by a Root Certificate looks like this:
[Figure: Certificate signed by a Root Certificate; Certification Path]

Installing a PFX Certificate
If you already have a PFX digital certificate and want your system to validate it:
– double-click the PFX file (press Next without changing anything);
– enter the PFX protection password;
– press Yes when the warning message appears.
When a user certificate is issued by a Root Certificate, the Root Certificate must be imported into Microsoft Store - Trusted Root Certification Authorities before the user certificate is trusted. When the PFX user certificate is imported into the Microsoft Store, the Root Certificate can be imported along with it. At this point the Root Certificate is imported and every certificate issued by this Root is considered trusted.
[Figure: Installing Root Certificate on Microsoft Store]

Issuing Certificates from CSR (SSL Certificates)
A Certificate Signing Request (CSR, or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. The most common CSR format is PKCS #10.
[Figure: Certificate Signing Request (CSR)]
PFX Certificate Generator can digitally sign a CSR using a Root Certificate. To create a Root Certificate see the section Issuing Certificates Signed by a Root Certificate - Issue the Root Certificate.

Create the CSR for an IIS website
To generate a CSR for your website, open IIS: Computer - Manage - Services and Applications - IIS Manager - Server Certificates. Select Create Certificate Request, fill in the form with your information, click Finish, click Next and save the CSR to a local file (e.g. c:\CSR.txt).
[Figure: IIS Configuration; Creating the CSR Request]

Signing the CSR Request with the Root Certificate
Every CSR must be signed by a Root Certificate; to create one, see Issuing Certificates Signed by a Root Certificate - Issue the Root Certificate. To digitally sign the CSR:
– select the SSL Certificate template on the Certificate Type tab;
– load the Root Certificate created previously;
– load the CSR with the Generate from CSR... menu item;
– save the resulting .CER file (e.g. c:\resp.cer).
[Figure: Signing the CSR with a Root Certificate]

Installing the CSR response on the IIS website
Go to IIS - Computer - Manage - Services and Applications - IIS Manager - Server Certificates - Complete Certificate Request. Select the .CER file signed by the Root Certificate (c:\resp.cer) and click OK. The certificate is now installed. To test the SSL website, go to https://localhost.
[Figure: Untrusted certificate]

Validating the SSL certificate
If the SSL certificate is considered untrusted by your web browser, you must install the public part of the Root Certificate used to sign the CSR in Microsoft Certificate Store - Trusted Root Certification Authorities. More details are in the section Saving the Root Certificate Public Part. After the Root Certificate is imported, the website looks like this:
[Figure: Trusted SSL certificate]
Steps to validate the SSL certificate:
– issue the Root Certificate;
– install it and extract the Root Certificate public part from the Microsoft Store;
– create the CSR and sign it with the Root Certificate;
– install the CSR response on the web server;
– install the Root Certificate public part in Microsoft Certificate Store - Trusted Root Certification Authorities. This step must be done on every computer that accesses your website.

Smart Card Certificate Generator
Observation: this product works only on Windows Vista or higher. Smart Card Certificate Generator issues self-signed digital certificates directly on cryptographic smart cards. To issue a certificate on your smart card:
– plug the smart card into the USB port;
– select the smart card CSP in the top-left section;
– make sure there is enough space on the smart card;
– set the proper settings in the product interface (certificate subject, validity period, extensions, etc.);
– generate the certificate.
To generate the certificate directly in the Microsoft Certificate Store instead, check the "Include Microsoft CSP (software)" checkbox and select Microsoft Enhanced Cryptographic Provider v1.0 or another CSP.

Microsoft Certificate Store
All digital certificates installed on the system appear in the Microsoft Certificate Store.
[Figure: Microsoft Certificate Store]

How to Access Microsoft Certificate Store
– start Internet Explorer;
– go to Tools - Internet Options - Content tab - Certificates button;
– in the Certificates window, your personal certificates appear on the Personal tab and the Root certificates on the Trusted Root Certification Authorities tab.
The Microsoft Store can also be opened by running certmgr.msc from the Run command.
[Figure: Accessing Microsoft Certificate Store]

Export the Root Certificate from Microsoft Store
– open the Microsoft Store;
– select the Trusted Root Certification Authorities tab;
– select the Root Certificate you want to export;
– click Export, then Next;
– select the path and file name for the exported certificate;
– click Finish.
The Root Certificate is exported as a .cer file, which can be imported on the computers where you want to validate your certificates. If you digitally sign a file or send a digitally signed e-mail message to a computer that does not have the Root Certificate installed, a warning message may appear. To validate Adobe PDF digital signatures, read /manuals/ValidatingDigitalSignaturesInAdobe.pdf.

Import the Root Certificate on Microsoft Store
– copy the exported .cer file (see Export the Root Certificate from Microsoft Store) to the target computer;
– right-click the .cer file and select Install Certificate;
– click Next and select "Place all certificates in the following store";
– click Browse and select Trusted Root Certification Authorities;
– click Finish;
– press Yes when the warning message appears.
After the Root Certificate is imported into the Microsoft Store, the certificates issued by that Root Certification Authority are considered valid on that machine. Importing a root this way makes the machine trust everything that root ever signs, so keep the root's PFX file and password under strict control.

Observations

X.509 Certificate Generator and CRL
A CRL file is a web resource listing all revoked certificates (e.g. /crls/rapidssl.crl). The issuer can revoke a certificate in some circumstances (e.g. the person leaves the company), and the serial number of that person's certificate is appended to the CRL when the revocation is made. According to the X.509 standard the CRL Distribution Points field is optional and should be ignored if absent, but Office 2010 digital signatures treat it as mandatory: if the certificate has no CRL field, the Office 2010 digital signature is considered invalid. The CRL file MUST be published on the web (e.g. /crls/rapidssl.crl), but X.509 Certificate Generator is a desktop product and cannot generate a CRL file and publish it on the web. This is why the CRL attribute is not set on the certificates issued by X.509 Certificate Generator.
[Figure: Office 2010 - digital signature made by a certificate without CRL - signature is considered invalid]
[Figure: Office 2007 - digital signature made by a certificate without CRL - signature is considered valid]
[Figure: Adobe Reader - digital signature made by a certificate without CRL - signature is considered valid]
[Figure: A digital certificate with CRL]

Introduction to the structure of X.509 digital certificates

1. Introduction. X.509 is the widely used digital-certificate standard issued by the ITU-T (originally as part of the X.500 directory standard); it is the PKI standard underlying single sign-on (SSO) and the Privilege Management Infrastructure (PMI).

X.509 defines, among other things, standards for public-key certificates, certificate revocation lists, attribute certificates and the certification-path validation algorithm.

In an X.509 system, a certificate issued by a CA is bound, following X.500 conventions, to a unique Distinguished Name (DN), which can contain several fields and values; alternative names (Subject Alternative Name) are also supported.

An organization's trusted root certificate is distributed to every employee who needs to use the PKI.

Mainstream browsers (IE, Netscape/Mozilla, Opera and Safari) ship with a set of pre-installed root certificates of trusted certification authorities, so the certificates those CAs issue are trusted by the browser directly.

Users can delete or disable these root certificates, but in practice they rarely do.

On the newest Microsoft platforms, even after a user has removed a pre-installed root certificate, it is restored to the trust list automatically when the user next visits a site that chains to it.

X.509 also includes a standard for implementing certificate revocation lists (CRLs), something often neglected in PKI deployments.

The IETF's method for checking certificate validity is the Online Certificate Status Protocol (OCSP).

Firefox 3 uses OCSP by default.

2. History and uses. X.509 was first published on 3 July 1988 as version 1, as part of the ITU X.500 directory services standard.

It established a strict hierarchical system of CAs for issuing digital certificates.

This contrasts with other trust models such as PGP, in which anyone, not only a designated CA, may sign a key certificate and vouch for its validity.

X.509 version 2 introduced subject and issuer unique identifiers to handle the reuse of subject and/or issuer names over time.

Certificate format in the X.509 authentication protocol

X.509 is a digital-certificate standard built on the public key infrastructure (PKI) framework, used to prove the identity of an entity and to establish secure communication.

In X.509 the certificate is the core component: it contains the identity information and the public key of the key holder and is used to verify the holder's identity and secure the communication.

This article introduces the format and components of an X.509 certificate.

1. Basic structure. An X.509 certificate is a data structure encoded according to ASN.1 (Abstract Syntax Notation One).

It consists of several fields, each with a specific function and meaning.

The basic structure is:
1. Version: the format version of the certificate, usually v3; note that the integer is encoded as version minus one, so a v3 certificate carries the value 2.

2. Serial Number: the unique identifier of the certificate, assigned by the certification authority (CA).

3. Signature Algorithm: the algorithm used to sign the certificate, e.g. sha256WithRSAEncryption.

4. Issuer: the issuer's name and, optionally, its unique identifier.

5. Validity: the start and end of the validity period.

6. Subject: the holder's name and, optionally, its unique identifier.

7. Subject Public Key Info: the holder's public key together with its algorithm identifier.

8. Extensions (v3 only): additional information that attaches further functions and attributes to the certificate.

2. Encoding formats. X.509 certificates can be stored and transmitted in several encodings; the common ones are DER and PEM.

1. DER (Distinguished Encoding Rules): a binary encoding, usually stored as a binary file.

DER certificates have the smallest storage and transmission overhead and suit network communication and software storage.

2. PEM (Privacy-Enhanced Mail): a Base64-based text format that usually wraps the DER-encoded certificate between BEGIN/END lines.

How X.509 certificate parsing works

What is an X.509 certificate? An X.509 certificate is a digital certificate used for authentication and encrypted communication.

The X.509 standard was drawn up by the International Telecommunication Union (ITU) and is now an accepted part of public key infrastructure (PKI).

It is widely used in network communication, website security and other scenarios that require authentication and encryption.

Structure of an X.509 certificate: a certificate consists of several fields, each carrying certificate-related information.

The main fields are:
1. Version: the version number; the latest is 3.

2. Serial Number: uniquely identifies the certificate; it must be unique among all certificates issued by the same CA.

3. Signature Algorithm: the algorithm used to produce the certificate's signature, a hash combined with a signature algorithm such as sha256WithRSAEncryption.

4. Issuer: the name and details of the issuer.

5. Validity: the validity period, with a start date and an end date.

6. Subject: the name and details of the certificate holder.

7. Subject Public Key Info: the holder's public key and the algorithm it belongs to.

8. Extensions: additional information, such as the certificate's permitted uses and subject alternative names.

How is an X.509 certificate parsed? Parsing follows specific steps.

The main steps are:
1. Obtain the certificate data. The certificate may exist as a file or be fetched over the network.

You need to know the certificate's encoding (DER or PEM) as well as its content.

2. Parse the structure according to the encoding.

A DER-encoded certificate is fed directly to an ASN.1 parser.

A PEM-encoded certificate must first be Base64-decoded (after removing the BEGIN/END lines) to obtain the DER bytes, which are then parsed with an ASN.1 parser.

Public key cryptography infrastructure application technology framework specification

Public Key Infrastructure Application Technology - Interface Specifications of Identification Authentication
State Cryptography Administration, August 2010

Contents: Foreword; 1 Scope; 2 Normative references; 3 Terms and definitions; 4 Public key infrastructure application technology framework (4.1 Overview; 4.2 Cryptographic device service layer; 4.3 General cryptographic service layer; 4.4 Typical cryptographic service layer; 4.5 Infrastructure security support platform); 5 Series of specifications within the framework; Annex A (normative) Naming of functions; Annex B (normative) Division of error-code ranges; Bibliography.

Foreword
This specification is one of the foundational specifications based on the public key infrastructure; it describes the framework of the application technology architecture and explains the hierarchy and logical relationships of the parts that make it up.

Annexes A and B of this specification are normative.

This specification was proposed by, and is under the jurisdiction of, the State Cryptography Administration.

Main drafting organizations: Shanghai Koal Software Co., Ltd.; Chengdu Westone Information Industry Co., Ltd.; Beijing Certificate Authority Co., Ltd.; Wuxi Jiangnan Information Security Engineering Technology Center; Wonders Information Co., Ltd.; Changchun JIT Information Technology Co., Ltd.; Beijing Haitai Fangyuan Technology Co., Ltd.; Shanghai Electronic Certificate Authority Co., Ltd.; Xingtang Telecommunication Technology Co., Ltd.; Jinan Dean Computer Technology Co., Ltd.

Main drafters: Yang Maojiang, Tan Wuzheng, Xu Jun, Liu Zengshou, Li Weiping, Li Shusheng, Li Yuanzheng, Cui Jiuqiang, Xu Qiang, Gao Zhiquan, Zhou Dong, Jiang Hongyu, He Changlong, Li Yufeng, Lin Yuesong.

Responsible expert: Liu Ping.

Wherever this specification involves cryptographic algorithms, the relevant national regulations apply.

Parsing and using X.509 certificates

Source: /dww410/article/details/6887895

1. Overview. Common X.509 certificate file formats:
– .cer/.crt hold a certificate without the private key; although often described as binary, such files may be either DER (binary) or PEM (Base64 text).
– .pem differs from DER .crt/.cer in being ASCII (Base64 between BEGIN/END lines); it can hold a certificate or a private key.
– .pfx/.p12 hold a personal certificate together with its private key, usually protected by a password, in binary (PKCS #12).
– .p10 is a certificate request (PKCS #10).
– .p7r is the CA's reply to a certificate request and is used only for import; .p7b (PKCS #7) shows a certificate chain as a tree, also supports a single certificate, and contains no private key.

2. Certificate and private-key files. In HTTPS the most common formats are cer/crt and pem.

The explanation below uses a PEM certificate as the example.

Here is a complete PEM certificate (the text above the BEGIN line is OpenSSL's text dump of the same certificate; it is a 512-bit RSA test certificate signed with MD5 and is useful only as a parsing example):

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com
        Validity
            Not Before: Jun 30 18:52:17 2010 GMT
            Not After : Mar 26 18:52:17 2013 GMT
        Subject: C=US, ST=Montana, L=Bozeman, O=yaSSL, OU=support, CN=www.yassl.com/emailAddress=info@yassl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c6:7b:c0:68:81:2f:de:82:3f:f9:ac:c3:86:4a:
                    66:b7:ec:d4:f1:f6:64:21:ff:f5:a2:34:42:d0:38:
                    9f:c6:dd:3b:6e:26:65:6a:54:96:dd:d2:7b:eb:36:
                    a2:ae:7e:2a:9e:7e:56:a5:b6:87:9f:15:c7:18:66:
                    7e:16:77:e2:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        58:a9:98:e7:16:52:4c:40:e7:e1:47:92:19:1b:3a:8f:97:6c:
        7b:b7:b0:cb:20:6d:ad:b5:d3:47:58:d8:e4:f2:3e:32:e9:ef:
        87:77:e5:54:36:f4:8d:50:8d:07:b4:77:45:ea:9d:a4:33:36:
        9b:0b:e0:74:58:11:c5:01:7b:4d
-----BEGIN CERTIFICATE-----
MIICFDCCAb4CAQEwDQYJKoZIhvcNAQEEBQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYD
VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhzYXd0b290
aDETMBEGA1UECxMKY29uc3VsdGluZzEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNv
bnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0x
MDA2MzAxODUyMTdaFw0xMzAzMjYxODUyMTdaMIGKMQswCQYDVQQGEwJVUzEQMA4G
A1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjEOMAwGA1UEChMFeWFTU0wx
EDAOBgNVBAsTB3N1cHBvcnQxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq
hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
AMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpUlt3Se+s2oq5+
Kp5+VqW2h58VxxhmfhZ34qcCAwEAATANBgkqhkiG9w0BAQQFAANBAFipmOcWUkxA
5+FHkhkbOo+XbHu3sMsgba2100dY2OTyPjLp74d35VQ29I1QjQe0d0XqnaQzNpsL
4HRYEcUBe00=
-----END CERTIFICATE-----

Everything from "Certificate:" up to "-----BEGIN CERTIFICATE-----" is the certificate in human-readable text form; the Base64 block between the BEGIN and END lines is the certificate itself.

Supplementary notes: encoding rules

(3) Private types: a private type is only meaningful within a particular entity; in practice private types are rarely used.
(4) Context-specific types: a context-specific type is valid within a given structure.

Basic type      Tag
BIT STRING      Universal 3
IA5String       Universal 22

The BIT STRING type: a BIT STRING represents an arbitrary string of bits; a bit string value can have any length, even zero. Its ASN.1 notation is BIT STRING. For example, the SubjectPublicKeyInfo of X.509 has a component of type BIT STRING:

There are three BER methods: primitive, definite-length encoding; constructed, definite-length encoding; and constructed, indefinite-length encoding. In each method a BER encoding consists of three or four parts:

(1) Identifier octets: these identify the class and tag number of the ASN.1 abstract value, and show whether the encoding method is primitive or constructed.
(2) Length octets: for the definite-length methods, these give the number of octets in the contents of the ASN.1 abstract value; for the indefinite-length method, they indicate that the length is indefinite.

Suppose the certificate serial number is 1; its encoding is 02 01 01.
The first byte, 02, is the tag value of the INTEGER type; the second byte, 01, indicates that the serial number value occupies one byte; the third byte is the serial number value itself.

Certificate signature algorithm identifier

signatureAlgorithm AlgorithmIdentifier

AlgorithmIdentifier ::= SEQUENCE {
    algorithm   OBJECT IDENTIFIER,
    parameters  ANY DEFINED BY algorithm OPTIONAL }
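As an added example (not from the slides above), here is a small BER/DER TLV decoder in Python that applies these rules: it reads the identifier octet and the length octets, decodes the serial number 02 01 01 shown above, and decodes an AlgorithmIdentifier SEQUENCE for md5WithRSAEncryption (the algorithm of the certificate shown earlier, OID 1.2.840.113549.1.1.4). The sample byte strings are hand-constructed for this example.

```python
# Added example (not from the slides above): a minimal BER/DER TLV decoder
# showing the identifier octet (class, primitive/constructed, tag number)
# and the length octets (short form, long definite form, indefinite marker).
CLASSES = ("universal", "application", "context-specific", "private")
UNIVERSAL = {2: "INTEGER", 3: "BIT STRING", 5: "NULL", 6: "OBJECT IDENTIFIER",
             16: "SEQUENCE", 17: "SET", 22: "IA5String"}

def read_tlv(buf, pos=0):
    """Split one TLV at buf[pos]; returns (class, constructed, tag, content, next_pos)."""
    ident = buf[pos]
    cls, constructed, tag = CLASSES[ident >> 6], bool(ident & 0x20), ident & 0x1F
    pos += 1
    if tag == 0x1F:                       # high-tag-number form: base-128 digits follow
        tag = 0
        while True:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    first, pos = buf[pos], pos + 1
    if first == 0x80:                     # constructed, indefinite-length method
        raise ValueError("indefinite length (0x80) is BER-only; DER requires definite length")
    if first & 0x80:                      # long form: 0x8N followed by N length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:                                 # short form: a single octet, length < 128
        length = first
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated TLV: length octets promise more than is present")
    return cls, constructed, tag, content, pos + length

def decode_oid(content):
    """Base-128 arcs; the first octet packs the first two arcs as 40*a + b."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    top = min(arcs[0] // 40, 2)
    return ".".join(str(x) for x in [top, arcs[0] - 40 * top] + arcs[1:])

def decode_bit_string(content):
    """First content octet = number of unused trailing bits (0..7)."""
    unused, body = content[0], content[1:]
    if not body:
        return ""
    bits = bin(int.from_bytes(body, "big"))[2:].zfill(8 * len(body))
    return bits[:len(bits) - unused] if unused else bits

def decode(buf, pos=0):
    """Recursively decode one value into (type name, value); returns (node, next_pos)."""
    cls, constructed, tag, content, nxt = read_tlv(buf, pos)
    name = UNIVERSAL.get(tag, f"[{tag}]") if cls == "universal" else f"{cls} [{tag}]"
    if constructed:                       # SEQUENCE, SET, EXPLICIT [n] tags, ...
        items, p = [], 0
        while p < len(content):
            item, p = decode(content, p)
            items.append(item)
        return (name, items), nxt
    if cls == "universal" and tag == 2:
        return (name, int.from_bytes(content, "big", signed=True)), nxt
    if cls == "universal" and tag == 3:
        return (name, decode_bit_string(content)), nxt
    if cls == "universal" and tag == 5:
        return (name, None), nxt
    if cls == "universal" and tag == 6:
        return (name, decode_oid(content)), nxt
    if cls == "universal" and tag == 22:
        return (name, content.decode("ascii")), nxt
    return (name, content.hex()), nxt

# Hand-constructed sample encodings for this example:
SERIAL_NUMBER_1 = bytes.fromhex("020101")          # INTEGER 1, the 02 01 01 discussed above
# AlgorithmIdentifier for md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) with NULL parameters
MD5_WITH_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101040500")
X509_VERSION_V3 = bytes.fromhex("a003020102")      # [0] EXPLICIT INTEGER 2, i.e. X.509 v3
EMAIL_IA5 = bytes.fromhex("16056162406364")        # IA5String "ab@cd"
ONE_BIT = bytes.fromhex("03020780")                # BIT STRING "1" with 7 unused bits

if __name__ == "__main__":
    for sample in (SERIAL_NUMBER_1, MD5_WITH_RSA_ALGID, X509_VERSION_V3, EMAIL_IA5, ONE_BIT):
        print(decode(sample)[0])
```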

Information Security Study Notes 16: PKI-related standards

(16) PKI-related standards. Author: 山石

1. Certificate: X.509 v3

X.509 is the digital certificate standard developed by the International Telecommunication Union (ITU-T).

The first version was published in 1988; after public discussion, some security issues were corrected in 1993.

An X.509 certificate consists of the user's public key and a user identifier.

It also includes the version number, certificate serial number, CA identifier, signature algorithm identifier, issuer name, certificate validity period, and similar information.

The latest version of the X.509 standard is version 3 (X.509v3), published in 1997, which defines digital certificates that carry extension information.

This version provides an extension field that adds flexibility and carries the information required in special application environments.

Figure 1. X.509 digital certificate format (three versions)

2. The PKCS series of standards

The Public-Key Cryptography Standards (PKCS) are a series of standards drawn up by RSA Laboratories together with other security system vendors to promote public-key cryptography; they are the earliest public-key cryptography standards and among the most important in its development.

Since they were first published in 1991, as the outcome of a meeting, by early users of public-key cryptography, the PKCS documents have been widely cited and implemented.

Parts of many formal and de facto industry standards were drawn up with reference to PKCS, such as ANSI X9, PKIX, SET, S/MIME, and SSL.

● PKCS #1: defines the encryption and signature mechanisms of the RSA public-key algorithm
● PKCS #3: defines the Diffie-Hellman key exchange protocol
● PKCS #5: describes a method for encrypting strings with a key derived from a password
● PKCS #6: describes a standard syntax for public-key certificates (mainly an extended format for X.509 certificates)
● PKCS #7: defines a general message syntax
● PKCS #8: describes the private-key format
● PKCS #9: defines optional attribute types
● PKCS #10: describes the certificate request syntax
● PKCS #11: defines a technology-independent programming interface
● PKCS #12: describes the personal information exchange syntax standard
● PKCS #13: elliptic curve cryptography standard
● PKCS #15: cryptographic token information format standard

3. OCSP, the Online Certificate Status Protocol

GB/T 19713-2005 "Online Certificate Status Protocol" (OCSP) is the standard for determining whether the digital certificate in use at a given time is valid.

The OpenSSL X509 series

The OpenSSL X509 series, part 1: introduction and X509 overview

[Introduction] The X509 family of functions is something we all use when developing PKI-related applications, but OpenSSL's documentation of X509 is sparse. For that reason I have put together the experience from my past work and study for reference, so that readers need not take detours and can concentrate on the business logic they have to handle; I also hope that more people will join in researching and organising the theory and technology of information security, raising China's level of research and applied technology.

Raising China's information security awareness and capability starts with me.

[X509 overview] X.509 was recommended by the international standards body CCITT as part of X.500 directory retrieval, to provide secure directory retrieval services.

An X.509 certificate is a collection of standard fields that contain information about a user or device and its corresponding public key. It is a very widely used certificate format, and all certificates conform to the X.509 international standard.

X.509 exists in several versions; X.509 v2 and X.509 v3, for example, are both comparatively recent, and a v4 was released in 2000, but each builds on the previous version by extending its functions. Every version must contain the following information:
(1) the version number, which distinguishes the different versions of X.509;
(2) the serial number, a number assigned by the CA to each certificate;
(3) the signature algorithm, i.e. the method and all parameters used to produce the certificate;
(4) the issuer, the X.500 name of the CA that issued the certificate;
(5) the validity period: the certificate is valid between two specified dates;
(6) the subject information: the holder's name, place of business and similar details;
(7) the CA's digital signature;
(8) the public key information: the certified public key value together with the name of the method with which it is used.

[X.509 certificate format] X.509 is another very widely used certificate format.

All certificates conform to the ITU-T X.509 international standard; therefore (in theory) a certificate created for one application can be used with any other application that conforms to X.509.

In practice, however, different companies have extended X.509 certificates in different ways, and not all certificates are compatible with one another.

In a certificate, the binding between the public key and its owner's name must be attested.

For PGP certificates, anyone can play the role of the certifier.

For X.509 certificates, the certifier is always a CA or someone designated by the CA (PGP certificates also fully support a CA-based certification architecture). An X.509 certificate is a collection of standard fields that contain information about a user or device and its corresponding public key.


Network Working Group                                          X. Boyen
Request for Comments: 5091                                    L. Martin
Category: Informational                                Voltage Security
                                                          December 2007

Identity-Based Cryptography Standard (IBCS) #1:
Supersingular Curve Implementations of the BF and BB1 Cryptosystems

Status of This Memo

   This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

IESG Note

   This document specifies two mathematical algorithms for identity-based encryption (IBE). Due to its specialized nature, this document experienced limited review within the IETF. Readers of this RFC should carefully evaluate its value for implementation and deployment.

Abstract

   This document describes the algorithms that implement Boneh-Franklin (BF) and Boneh-Boyen (BB1) Identity-based Encryption. This document is in part based on IBCS #1 v2 of Voltage Security’s Identity-based Cryptography Standards (IBCS) documents, from which some irrelevant sections have been removed to create the content of this document.

Boyen & Martin                Informational                     [Page 1]

Table of Contents

   1. Introduction
      1.1. Sending a Message That Is Encrypted Using IBE
           1.1.1. Sender Obtains Recipient’s Public Parameters
           1.1.2. Construct and Send an IBE-Encrypted Message
      1.2. Receiving and Viewing an IBE-Encrypted Message
           1.2.1. Recipient Obtains Public Parameters from PPS
           1.2.2. Recipient Obtains IBE Private Key from PKG
           1.2.3. Recipient Decrypts IBE-Encrypted Message
   2. Notation and Definitions
      2.1. Notation
      2.2. Definitions
   3. Basic Elliptic Curve Algorithms
      3.1. The Group Action in Affine Coordinates
           3.1.1. Implementation for Type-1 Curves
      3.2. Point Multiplication
      3.3. Operations in Jacobian Projective Coordinates
           3.3.1. Implementation for Type-1 Curves
      3.4. Divisors on Elliptic Curves
           3.4.1. Implementation in F_p^2 for Type-1 Curves
      3.5. The Tate Pairing
           3.5.1. Tate Pairing Calculation
           3.5.2. The Miller Algorithm for Type-1 Curves
   4. Supporting Algorithms
      4.1. Integer Range Hashing
           4.1.1. Hashing to an Integer Range
      4.2. Pseudo-Random Byte Generation by Hashing
           4.2.1. Keyed Pseudo-Random Bytes Generator
      4.3. Canonical Encodings of Extension Field Elements
           4.3.1. Encoding an Extension Element as a String
           4.3.2. Type-1 Curve Implementation
      4.4. Hashing onto a Subgroup of an Elliptic Curve
           4.4.1. Hashing a String onto a Subgroup of an Elliptic Curve
           4.4.2. Type-1 Curve Implementation
      4.5. Bilinear Mapping
           4.5.1. Regular or Modified Tate Pairing
           4.5.2. Type-1 Curve Implementation
      4.6. Ratio of Bilinear Pairings
           4.6.1. Ratio of Regular or Modified Tate Pairings
           4.6.2. Type-1 Curve Implementation
   5. The Boneh-Franklin BF Cryptosystem
      5.1. Setup
           5.1.1. Master Secret and Public Parameter Generation
           5.1.2. Type-1 Curve Implementation
      5.2. Public Key Derivation
           5.2.1. Public Key Derivation from an Identity and Public Parameters
      5.3. Private Key Extraction
           5.3.1. Private Key Extraction from an Identity, a Set of Public
      5.4. Encryption
           5.4.1. Encrypt a Session Key Using an Identity and Public Parameters
      5.5. Decryption
           5.5.1. Decrypt an Encrypted Session Key Using Public Parameters, a Private Key
   6. The Boneh-Boyen BB1 Cryptosystem
      6.1. Setup
           6.1.1. Generate a Master Secret and Public Parameters
           6.1.2. Type-1 Curve Implementation
      6.2. Public Key Derivation
           6.2.1. Derive a Public Key from an Identity and Public Parameters
      6.3. Private Key Extraction
           6.3.1. Extract a Private Key from an Identity, Public Parameters and a Master Secret
      6.4. Encryption
           6.4.1. Encrypt a Session Key Using an Identity and Public Parameters
      6.5. Decryption
           6.5.1. Decrypt Using Public Parameters and Private Key
   7. Test Data
      7.1. Algorithm 3.2.2 (PointMultiply)
      7.2. Algorithm 4.1.1 (HashToRange)
      7.3. Algorithm 4.5.1 (Pairing)
      7.4. Algorithm 5.2.1 (BFderivePubl)
      7.5. Algorithm 5.3.1 (BFextractPriv)
      7.6. Algorithm 5.4.1 (BFencrypt)
      7.7. Algorithm 6.3.1 (BBextractPriv)
      7.8. Algorithm 6.4.1 (BBencrypt)
   8. ASN.1 Module
   9. Security Considerations
   10. Acknowledgments
   11. References
      11.1. Normative References
      11.2. Informative References

1. Introduction

   This document provides a set of specifications for implementing identity-based encryption (IBE) systems based on bilinear pairings. Two cryptosystems are described: the IBE system proposed by Boneh and Franklin (BF) [BF], and the IBE system proposed by Boneh and Boyen (BB1) [BB1]. Fully secure and practical implementations are described for each system, comprising the core IBE algorithms as well as ancillary hybrid components used to achieve security against active attacks. These specifications are restricted to a family of supersingular elliptic curves over finite fields of large prime characteristic, referred to as "type-1" curves (see Section 2.1). Implementations based on other types of curves currently fall outside the scope of this document.

   IBE is a public-key technology, but one which varies from other public-key technologies in a slight, yet significant way. In particular, IBE keys are calculated instead of being generated randomly, which leads to a different architecture for a system using IBE than for a system using other public-key technologies.
   An overview of these differences and how a system using IBE works is given in [IBEARCH].

   Identity-based encryption (IBE) is a public-key encryption technology that allows a public key to be calculated from an identity, and the corresponding private key to be calculated from the public key. Calculation of both the public and private keys in an IBE-based system can occur as needed, resulting in just-in-time key material. This contrasts with other public-key systems [P1363], in which keys are generated randomly and distributed prior to secure communication commencing. The ability to calculate a recipient’s public key, in particular, eliminates the need for the sender and receiver in an IBE-based messaging system to interact with each other, either directly or through a proxy such as a directory server, before sending secure messages.

   This document describes an IBE-based messaging system and how the components of the system work together. The components required for a complete IBE messaging system are the following:

   o  a Private-key Generator (PKG). The PKG contains the cryptographic material, known as a master secret, for generating an individual’s IBE private key. A PKG accepts an IBE user’s private key request, and after successfully authenticating them in some way, returns the IBE private key.

   o  a Public Parameter Server (PPS). IBE System Parameters include publicly sharable cryptographic material, known as IBE public parameters, and policy information for the PKG. A PPS provides a well-known location for secure distribution of IBE public parameters and policy information for the IBE PKG.

   A logical architecture would be to have a PKG/PPS per name space, such as a DNS zone. The organization that controls the DNS zone would also control the PKG/PPS and thus the determination of which PKG/PSS to use when creating public and private keys for the organization’s members. In this case the PPS URI can be uniquely created by the form of the identity that it supports. This architecture would make it clear which set of public parameters to use and where to retrieve them for a given identity.

   IBE-encrypted messages can use standard message formats, such as the Cryptographic Message Syntax (CMS) [CMS]. How to use IBE with CMS is described in [IBECMS].

   Note that IBE algorithms are used only for encryption, so if digital signatures are required, they will need to be provided by an additional mechanism.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].

1.1. Sending a Message That Is Encrypted Using IBE

   In order to send an encrypted message, an IBE user must perform the following steps:

   1. Obtain the recipient’s public parameters.

      The recipient’s IBE public parameters allow the creation of unique public and private keys. A user of an IBE system is capable of calculating the public key of a recipient after he obtains the public parameters for their IBE system. Once the public parameters are obtained, IBE-encrypted messages can be sent.

   2. Construct and send an IBE-encrypted message.

      All that is needed, in addition to the IBE public parameters, is the recipient’s identity in order to generate their public key for use in encrypting messages to them. When this identity is the same as the identity that a message would be addressed to, then no more information is needed from a user to send someone a secure message than is needed to send them an unsecured message. This is one of the major benefits of an IBE-based secure messaging system. Examples of identities can be an individual, group, or role identifiers.

1.1.1. Sender Obtains Recipient’s Public Parameters

   The sender of a message obtains the IBE public parameters that he needs for calculating the IBE public key of the recipient from a PPS that is hosted at a well-known URI. The IBE public parameters contain all of the information that the sender needs to create an IBE-encrypted message except for the identity of the recipient. [IBEARCH] describes the URI where a PPS is located, the format of IBE public parameters, and how to obtain them. The URI from which users obtain IBE public parameters MUST be authenticated in some way; PPS servers MUST support Transport Layer Security (TLS) 1.1 [TLS] to satisfy this requirement and MUST verify that the subject name in the server certificate matches the URI of the PPS. [IBEARCH] also describes the way in which identity formats are defined and a minimum interoperable format that all PPSs and PKGs MUST support. This step is shown below in Figure 1.

                    IBE Public Parameter Request
                ----------------------------->
      Sender                                          PPS
                <-----------------------------
                    IBE Public Parameters

   Figure 1. Requesting IBE Public Parameters

   The sender of an IBE-encrypted message selects the PPS and corresponding PKG based on his local security policy. Different PPSs may provide public parameters that specify different IBE algorithms or different key strengths, for example, or require the use of PKGs that require different levels of authentication before granting IBE private keys.

1.1.2. Construct and Send an IBE-Encrypted Message

   To IBE-encrypt a message, the sender chooses a content encryption key (CEK) and uses it to encrypt his message and then encrypts the CEK with the recipient’s IBE public key (for example, as described in [CMS]). This operation is shown below in Figure 2. This document describes the algorithms needed to implement two forms of IBE. [IBECMS] describes how to use the Cryptographic Message Syntax (CMS) to encapsulate the encrypted message along with the IBE information that the recipient needs to decrypt the message.

      CEK ----> Sender ----> IBE-encrypted CEK
                  ^
                  |
                  |
      Recipient’s Identity
      and IBE Public Parameters

   Figure 2. Using an IBE Public-Key Algorithm to Encrypt

1.2. Receiving and Viewing an IBE-Encrypted Message

   In order to read an encrypted message, a recipient of an IBE-encrypted message parses the message (for example, as described in [IBECMS]). This gives him the URI he needs to obtain the IBE public parameters required to perform IBE calculations as well as the identity that was used to encrypt the message. Next, the recipient must carry out the following steps:

   1. Obtain the recipient’s public parameters.

      An IBE system’s public parameters allow it to uniquely create public and private keys. The recipient of an IBE-encrypted message can decrypt an IBE-encrypted message if he has both the IBE public parameters and the necessary IBE private key. The PPS can also provide the URI of the PKG where the recipient of an IBE-encrypted message can obtain the IBE private keys.

   2. Obtain the IBE private key from the PKG.

      To decrypt an IBE-encrypted message, in addition to the IBE public parameters, the recipient needs to obtain the private key that corresponds to the public key that the sender used. The IBE private key is obtained after successfully authenticating to a private key generator (PKG), a trusted third party that calculates private keys for users. The recipient receives the IBE private key over an HTTPS connection. The URI of a PKG MUST be authenticated in some way; PKG servers MUST support TLS 1.1 [TLS] to satisfy this requirement.

   3. Decrypt the IBE-encrypted message.

      The IBE private key decrypts the CEK, which is then used to decrypt the encrypted message.

      The PKG may allow users other than the intended recipient to receive some IBE private keys. Giving a mail filtering appliance permission to obtain IBE private keys on behalf of users, for example, can allow the appliance to decrypt and scan encrypted messages for viruses or other malicious features.

1.2.1. Recipient Obtains Public Parameters from PPS

   Before he can perform any IBE calculations related to the message that he has received, the recipient of an IBE-encrypted message needs to obtain the IBE public parameters that were used in the encryption operation. This operation is shown below in Figure 3.

                    IBE Public Parameter Request
                ----------------------------->
      Recipient                                       PPS
                <-----------------------------
                    IBE Public Parameters

   Figure 3. Requesting IBE Public Parameters

1.2.2. Recipient Obtains IBE Private Key from PKG

   To obtain an IBE private key, the recipient of an IBE-encrypted message provides the IBE public key used to encrypt the message and their authentication credentials to a PKG and requests the private key that corresponds to the IBE public key. Section 4 of this document defines the protocol for communicating with a PKG as well as a minimum interoperable way to authenticate to a PKG that all IBE implementations MUST support. Because the security of IBE private keys is vital to the overall security of an IBE system, IBE private keys MUST be transported to recipients over a secure protocol. PKGs MUST support TLS 1.1 [TLS] for transport of IBE private keys. This operation is shown below in Figure 4.

                    IBE Private Key Request
                ---------------------------->
      Recipient                                       PKG
                <----------------------------
                    IBE Private Key

   Figure 4. Obtaining an IBE Private Key

1.2.3. Recipient Decrypts IBE-Encrypted Message

   After obtaining the necessary IBE private key, the recipient uses that IBE private key, and the corresponding IBE public parameters, to decrypt the CEK. This operation is shown below in Figure 5. He then uses the CEK to decrypt the encrypted message content (for example, as specified in [IBECMS]).

      IBE-encrypted CEK ----> Recipient ----> CEK
                                 ^
                                 |
                                 |
                         IBE Private Key
                         and IBE Public Parameters

   Figure 5. Using an IBE Public-Key Algorithm to Decrypt

2. Notation and Definitions

2.1. Notation

   This section summarizes the notions and definitions regarding identity-based cryptosystems on elliptic curves. The reader is referred to [ECC] for the mathematical background and to [BF], [IBEARCH] regarding all notions pertaining to identity-based encryption.

   F_p denotes the finite field of prime characteristic p; F_p^2 denotes its extension field of degree 2.

   Let E/F_p: y^2 = x^3 + a * x + b be an elliptic curve over F_p. For an extension of degree 2, the curve E/F_p defines a group (E(F_p^2), +), which is the additive group of points of affine coordinates (x, y) in (F_p^2)^2 satisfying the curve equation over F_p^2, with null element, or point at infinity, denoted as 0.

   Let q be a prime such that E(F_p) has a cyclic subgroup G1’ of order q.

   Let G1’’ be a cyclic subgroup of E(F_p^2) of order q, and G2 be a cyclic subgroup of (F_p^2)* of order p.

   Under these conditions, a mathematical construction known as the Tate pairing provides an efficiently computable map e: G1’ x G1’’ -> G2 that is linear in both arguments and believed hard to invert [BF].

   If an efficiently computable non-rational endomorphism phi: G1’ -> G1’’ is available for the selected elliptic curve on which the Tate pairing is computed, then we can construct a function e’: G1’ x G1’’ -> G2, defined as e’(A, B) = e(A, phi(B)), called the modified Tate pairing.
   We generically call a pairing either the Tate pairing e or the modified Tate pairing e’, depending on the chosen elliptic curve used in a particular implementation.

   The following additional notation is used throughout this document.

   p - A 512-bit to 7680-bit prime, which is the order of the finite field F_p.

   F_p - The base finite field of order p over which the elliptic curve of interest E/F_p is defined.

   #G - The size of the set G.

   F* - The multiplicative group of the non-zero elements in the field F; e.g., (F_p)* is the multiplicative group of the finite field F_p.

   E/F_p - The equation of an elliptic curve over the field F_p, which, when p is neither 2 nor 3, is of the form E/F_p: y^2 = x^3 + a * x + b, for specified a, b in F_p.

   0 - The null element of any additive group of points on an elliptic curve, also called the point at infinity.

   E(F_p) - The additive group of points of affine coordinates (x, y), with x, y in F_p, that satisfy the curve equation E/F_p, including the point at infinity 0.

   q - A 160-bit to 512-bit prime that is the order of the cyclic subgroup of interest in E(F_p).

   k - The embedding degree of the cyclic subgroup of order q in E(F_p). For type-1 curves this is always equal to 2.

   F_p^2 - The extension field of degree 2 of the field F_p.

   E(F_p^2) - The group of points of affine coordinates in F_p^2 satisfying the curve equation E/F_p, including the point at infinity 0.

   Z_p - The additive group of integers modulo p.

   lg - The base 2 logarithm function, so that 2^lg(x) = x.

   The term "object identifier" will be abbreviated "OID."

   A Solinas prime is a prime of the form 2^a (+/-) 2^b (+/-) 1.

   The following conventions are assumed for curve operations.

   Point addition - If A and B are two points on a curve E, their sum is denoted as A + B.

   Point multiplication - If A is a point on a curve, and n an integer, the result of adding A to itself a total of n times is denoted [n]A.

   The following class of elliptic curves is exclusively considered for pairing operations in the present version of this document, which are referred to as "type-1" curves.

   Type-1 curves - The class of curves of type-1 is defined as the class of all elliptic curves of equation E/F_p: y^2 = x^3 + 1 for all primes p congruent to 11 modulo 12. This class forms a subclass of the class of supersingular curves. These curves satisfy #E(F_p) = p + 1, and the p points (x, y) in E(F_p) \ {0} have the property that x = (y^2 - 1)^(1/3) (mod p). Type-1 curves always have an embedding degree k = 2.

   Groups of points on type-1 curves are plentiful and easy to construct by random selection of a prime p of the appropriate form. Therefore, rather than to standardize upon a small set of common values of p, it is henceforth assumed that all type-1 curves are freshly generated at random for the given cryptographic application (an example of such generation will be given in Algorithm 5.1.2 (BFsetup1) or Algorithm 6.1.2 (BBsetup1)). Implementations based on different classes of curves are currently unsupported.

   We assume that the following concrete representations of mathematical objects are used.

   Base field elements - The p elements of the base field F_p are represented directly using the integers from 0 to p - 1.

   Extension field elements - The p^2 elements of the extension field F_p^2 are represented as ordered pairs of elements of F_p. An ordered pair (a_0, a_1) is interpreted as the complex number a_0 + a_1 * i, where i^2 = -1. This allows operations on elements of F_p^2 to be implemented as follows. Suppose that a = (a_0, a_1) and b = (b_0, b_1) are elements of F_p^2. Then a + b = ((a_0 + b_0)(mod p), (a_1 + b_1)(mod p)) and a * b = ((a_1 * b_1 - a_0 * b_0)(mod p), (a_1 * b_0 + a_0 * b_1)(mod p)).

   Elliptic curve points - Points in E(F_p^2) with the point P = (x, y) in F_p^2 x F_p^2 satisfying the curve equation E/F_p. Points not equal to 0 are internally represented using the affine coordinates (x, y), where x and y are elements of F_p^2.

2.2. Definitions

   The following terminology is used to describe an IBE system.

   Public parameters - The public parameters are a set of common, system-wide parameters generated and published by the private key generator (PKG).

   Master secret - The master secret is the master key generated and privately kept by the key server and used to generate the private keys of the users.

   Identity - An identity is an arbitrary string, usually a human-readable unambiguous designator of a system user, possibly augmented with a time stamp and other attributes.

   Public key - A public key is a string that is algorithmically derived from an identity. The derivation may be performed by anyone, autonomously.

   Private key - A private key is issued by the key server to correspond to a given identity (and the public key that derives from it) under the published set of public parameters.

   Plaintext - Plaintext is an unencrypted representation, or in the clear, of any block of data to be transmitted securely. For the present purposes, plaintexts are typically session keys, or sets of session keys, for further symmetric encryption and authentication purposes.

   Ciphertext - Ciphertext is an encrypted representation of any block of data, including plaintext, to be transmitted securely.

3. Basic Elliptic Curve Algorithms

   This section describes algorithms for performing all needed basic arithmetic operations on elliptic curves. The presentation is specialized to the type of curves under consideration for simplicity of implementation. General algorithms may be found in [ECC].

3.1. The Group Action in Affine Coordinates

3.1.1. Implementation for Type-1 Curves

   Algorithm 3.1.1 (PointDouble1): adds a point to itself on a type-1 elliptic curve.

   Input:

   o  A point A in E(F_p^2), with A = (x, y) or 0
   o  An elliptic curve E/F_p: y^2 = x^3 + 1

   Output:

   o  The point [2]A = A + A

   Method:

   1. If A = 0 or y = 0, then return 0
   2. Let lambda = (3 * x^2) / (2 * y)
   3. Let x’ = lambda^2 - 2 * x
   4. Let y’ = (x - x’) * lambda - y
   5. Return (x’, y’)

   Algorithm 3.1.2 (PointAdd1): adds two points on a type-1 elliptic curve.

   Input:

   o  A point A in E(F_p^2), with A = (x_A, y_A) or 0
   o  A point B in E(F_p^2), with B = (x_B, y_B) or 0
   o  An elliptic curve E/F_p: y^2 = x^3 + 1

   Output:

   o  The point A + B

   Method:

   1. If A = 0, return B
   2. If B = 0, return A
   3. If x_A = x_B:
      (a) If y_A = -y_B, return 0
      (b) Else return [2]A computed using Algorithm 3.1.1 (PointDouble1)
   4. Otherwise:
      (a) Let lambda = (y_B - y_A) / (x_B - x_A)
      (b) Let x’ = lambda^2 - x_A - x_B
      (c) Let y’ = (x_A - x’) * lambda - y_A
      (d) Return (x’, y’)

3.2. Point Multiplication

   Algorithm 3.2.1 (SignedWindowDecomposition): computes the signed m-ary window representation of a positive integer [ECC].

   Input:

   o  An integer k > 0, where k has the binary representation k = {Sum(k_j * 2^j, for j = 0 to l} where each k_j is either 0 or 1 and k_l = 0
   o  An integer window bit-size r > 0

   Output:

   o  An integer d and the unique d-element sequence {(b_i, e_i), for i = 0 to d - 1} such that k = {Sum(b_i * 2^(e_i), for i = 0 to d - 1}, each b_i = +/- 2^j for some 0 < j <= r - 1 and each e_i is a non-negative integer

   Method:

   1. Let d = 0
   2. Let j = 0
   3. While j <= l, do:
      (a) If k_j = 0, then:
          i. Let j = j + 1
      (b) Else:
          i. Let t = min{l, j + r - 1}
          ii. Let h_d = (k_t, k_(t - 1), ..., k_j) (base 2)
          iii. If h_d > 2^(r - 1), then:
               A. Let b_d = h_d - 2^r
               B. Increment the number (k_l, k_(l-1), ..., k_j) (base 2) by 1
          iv. Else:
               A. Let b_d = h_d
          v. Let e_d = j
          vi. Let d = d + 1
          vii. Let j = t + 1
   4. Return d and the sequence {(b_0, e_0), ..., (b_(d - 1), e_(d - 1))}

   Algorithm 3.2.2 (PointMultiply): scalar multiplication on an elliptic curve using the signed m-ary window method.

   Input:

   o  A point A in E(F_p^2)
   o  An integer l > 0
   o  An elliptic curve E/F_p: y^2 = x^3 + a * x + b

   Output:

   o  The point [l]A

   Method:

   1. (Window decomposition)
      (a) Let r > 0 be an integer (fixed) bit-wise window size, e.g., r = 5
      (b) Let l’ = l where l = {Sum(l_j * 2^j), for j = 0 to len_l} is the binary expansion of l, where len_l = Ceiling(lg(l))
      (c) Compute (d, {(b_i, e_i), for i = 0 to d - 1} = SignedWindowDecomposition(l, r), the signed 2^r-ary window representation of l using Algorithm 3.2.1 (SignedWindowDecomposition)
   2. (Precomputation)
      (a) Let A_1 = A
      (b) Let A_2 = [2]A, using Algorithm 3.1.1 (PointDouble1)
      (c) For i = 1 to 2^(r - 2) - 1, do:
          i. Let A_(2 * i + 1) = A_(2 * i - 1) + A_2 using Algorithm 3.1.2 (PointAdd1)
      (d) Let Q = A_(b_(d - 1))
   3. Main loop
      (a) For i = d - 2 to 0 by -1, do:
          i. Let Q = [2^(e_(i + 1) - e_i)]Q, using repeated applications of Algorithm 3.1.1 (PointDouble1) e_(i + 1) - e_i times
          ii. If b_i > 0, then:
              A. Let Q = Q + A_(b_i) using Algorithm 3.1.2 (PointAdd1)
          iii. Else:
              A. Let Q = Q - A_(-(b_i)) using Algorithm 3.1.2 (PointAdd1)
      (b) Calculate Q = [2^(e_0)]Q using repeated applications of Algorithm 3.1.1 (PointDouble1) e_0 times
   4. Return Q.

3.3. Operations in Jacobian Projective Coordinates

3.3.1. Implementation for Type-1 Curves

   Algorithm 3.3.1 (ProjectivePointDouble1): adds a point to itself in Jacobian projective coordinates for type-1 curves.

   Input:

   o  A point (x, y, z) = A in E(F_p^2) in Jacobian projective coordinates
   o  An elliptic curve E/F_p: y^2 = x^3 + 1

   Output:

   o  The point [2]A in Jacobian projective coordinates

   Method:

   1. If z = 0 or y = 0, return (0, 1, 0) = 0, otherwise:
   2. Let lambda_1 = 3 * x^2
   3. Let z’ = 2 * y * z
   4. Let lambda_2 = y^2
   5. Let lambda_3 = 4 * lambda_2 * x
   6. Let x’ = lambda_1^2 - 2 * lambda_3
   7. Let lambda_4 = 8 * lambda_2^2
   8. Let y’ = lambda_1 * (lambda_3 - x’) - lambda_4
   9. Return (x’, y’, z’)

   Algorithm 3.3.2 (ProjectivePointAccumulate1): adds a point in affine coordinates to an accumulator in Jacobian projective coordinates, for type-1 curves.

   Input:

   o  A point (x_A, y_A, z_A) = A in E(F_p^2) in Jacobian projective coordinates
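As an added example, not code from RFC 5091 or from its authors, the following Python implements the F_p^2 representation of Section 2.1 and Algorithms 3.1.1 (PointDouble1), 3.1.2 (PointAdd1), 3.2.1 (SignedWindowDecomposition) and 3.2.2 (PointMultiply) on a type-1 curve over a constructed toy prime, and checks the stated property #E(F_p) = p + 1 by verifying that [p + 1]A is the point at infinity. One caveat for implementers: with i^2 = -1 the real part of a product in F_p^2 is a_0 * b_0 - a_1 * b_1, so the sign shown in the product formula in Section 2.1 above is reversed; the code below uses the form that follows from i^2 = -1.

```python
# Added example, not code from RFC 5091 or from Voltage Security: a toy
# implementation of the F_p^2 representation (Section 2.1) and of the type-1
# curve algorithms PointDouble1 (3.1.1), PointAdd1 (3.1.2),
# SignedWindowDecomposition (3.2.1) and PointMultiply (3.2.2) on y^2 = x^3 + 1.
# P is a constructed toy prime; the document requires 512- to 7680-bit primes.
P = 1019  # prime, 1019 = 11 (mod 12), so y^2 = x^3 + 1 over F_P is a type-1 curve

# F_p^2 elements are pairs (a0, a1) meaning a0 + a1*i with i^2 = -1.
def fp2_add(a, b, p=P):
    return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)

def fp2_sub(a, b, p=P):
    return ((a[0] - b[0]) % p, (a[1] - b[1]) % p)

def fp2_mul(a, b, p=P):
    # (a0 + a1 i)(b0 + b1 i) = (a0 b0 - a1 b1) + (a0 b1 + a1 b0) i, since i^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def fp2_inv(a, p=P):
    # 1/a = conj(a) / (a0^2 + a1^2); the norm is non-zero for a != 0 because
    # p = 3 (mod 4) makes x^2 + 1 irreducible over F_p
    n_inv = pow((a[0] * a[0] + a[1] * a[1]) % p, -1, p)
    return ((a[0] * n_inv) % p, (-a[1] * n_inv) % p)

# Points are None (the point at infinity 0) or affine pairs (x, y) of F_p^2 elements.
def point_neg(A, p=P):
    return None if A is None else (A[0], fp2_sub((0, 0), A[1], p))

def point_double(A, p=P):
    """Algorithm 3.1.1 (PointDouble1): [2]A on E/F_p: y^2 = x^3 + 1."""
    if A is None or A[1] == (0, 0):
        return None
    x, y = A
    lam = fp2_mul(fp2_mul((3, 0), fp2_mul(x, x, p), p), fp2_inv(fp2_mul((2, 0), y, p), p), p)
    x2 = fp2_sub(fp2_mul(lam, lam, p), fp2_mul((2, 0), x, p), p)
    return (x2, fp2_sub(fp2_mul(fp2_sub(x, x2, p), lam, p), y, p))

def point_add(A, B, p=P):
    """Algorithm 3.1.2 (PointAdd1): A + B."""
    if A is None:
        return B
    if B is None:
        return A
    (xa, ya), (xb, yb) = A, B
    if xa == xb:
        return None if ya == fp2_sub((0, 0), yb, p) else point_double(A, p)
    lam = fp2_mul(fp2_sub(yb, ya, p), fp2_inv(fp2_sub(xb, xa, p), p), p)
    x3 = fp2_sub(fp2_sub(fp2_mul(lam, lam, p), xa, p), xb, p)
    return (x3, fp2_sub(fp2_mul(fp2_sub(xa, x3, p), lam, p), ya, p))

def signed_window_decomposition(k, r):
    """Algorithm 3.2.1: k = sum(b_i * 2^e_i) with odd b_i and |b_i| < 2^(r - 1)."""
    digits, j = [], 0
    while k > 0:
        if k & 1 == 0:
            k, j = k >> 1, j + 1
            continue
        h = k & ((1 << r) - 1)                 # the window k_t .. k_j as an integer
        b = h - (1 << r) if h > (1 << (r - 1)) else h
        digits.append((b, j))
        k, j = (k - b) >> r, j + r             # for negative b this is the "increment by 1"
    return digits

def point_multiply(A, n, p=P, r=5):
    """Algorithm 3.2.2 (PointMultiply): [n]A by the signed 2^r-ary window method."""
    if A is None or n == 0:
        return None
    digits = signed_window_decomposition(n, r)
    table, a2 = {1: A}, point_double(A, p)     # odd multiples A_1, A_3, ..., A_(2^(r-1) - 1)
    for i in range(1, 1 << (r - 2)):
        table[2 * i + 1] = point_add(table[2 * i - 1], a2, p)
    b, e = digits[-1]                          # the top digit is always positive
    q = table[b]
    for b_i, e_i in reversed(digits[:-1]):
        for _ in range(e - e_i):
            q = point_double(q, p)
        q = point_add(q, table[b_i] if b_i > 0 else point_neg(table[-b_i], p), p)
        e = e_i
    for _ in range(e):
        q = point_double(q, p)
    return q

def point_from_y(y, p=P):
    """A point of E(F_p) embedded in E(F_p^2): for p = 2 (mod 3) the cube root
    x = (y^2 - 1)^(1/3) of Section 2.1 is (y^2 - 1)^((2p - 1) / 3) mod p."""
    x = pow((y * y - 1) % p, (2 * p - 1) // 3, p)
    return ((x, 0), (y % p, 0))

def on_curve(A, p=P):
    if A is None:
        return True
    x, y = A
    return fp2_mul(y, y, p) == fp2_add(fp2_mul(fp2_mul(x, x, p), x, p), (1, 0), p)

if __name__ == "__main__":
    A = point_from_y(2)
    print(on_curve(A))                        # True
    # #E(F_p) = p + 1 for type-1 curves, so [p + 1]A must be the point at infinity
    print(point_multiply(A, P + 1) is None)   # True
```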
