(i.e., a manually distributed (*)KK if (*)KKs are to be sent,
otherwise a manually or automatically distributed (*)KK).
SELECTION FOR FEDERAL GOVERNMENT USE:
The use of centers is optional. In large networks, the use of
centers reduces procedural problems and the operational costs
of manual entry. Centers are used to reduce the operational
and security problems inherent in the manual distribution of
large numbers of keys. Their use does not reduce the number
of keys that must be sent (by whatever means), but provides an
electronic mechanism that substitutes for costly and
inefficient manual key distribution (e.g., by a courier
service).
24 RSI FROM PARTY A TO A CKD
USE IN ANSI X9.17:
In the Key Distribution Center (CKD) environment, an RSI
allows Party A to request that the CKD generate or otherwise
acquire data keys and IVs and send them to Party A in a
Response-To-Request (RTR) message.
Note that the CKD may send the data keys and IVs to Party A
without receiving an RSI from Party A (i.e., send an
unsolicited RTR) (see Option 24).
SELECTION FOR FEDERAL GOVERNMENT USE:
The use of RSIs from Party A to the CKD is optional. If Party
A must use a CKD to get keys and IVs when Party A determines
that they are needed, then the RSI provides an automated
method of doing so.
25 UNSOLICITED RESPONSE TO REQUEST (RTR) MESSAGES
USE IN ANSI X9.17:
In the Key Distribution Center (CKD) environment, a request
for keys may be initiated by Party A. Alternatively, in an
unsolicited action, the CKD can send keys to Party A for Party
A to use in establishing a keying relationship with Party B.
The CKD sends one or two KD(s) for Party A, and sends the same
keys as KDU(s) for Party A to forward to Party B. An optional
IV may be included.
The use of the unsolicited RTR provides a centralization of
control over key generation and acquisition as well as the
timing of key exchanges.
SELECTION FOR FEDERAL GOVERNMENT USE:
The use of unsolicited RTRs is optional. The use of the
unsolicited RTR will reduce communications costs by
eliminating the use of the RSI from Party A to the CKD and
will allow the CKD to control the timing of key exchanges.
26 SEND (*)KK OR KD TO A CKT FOR TRANSLATION
USE IN ANSI X9.17:
In the CKT environment, Party A may generate or otherwise
acquire and send one or two KDs in an RFS to a CKT for
translation, notarization, and return as one or two KDUs for
forwarding to Party B. Alternatively, Party A may generate or
otherwise acquire and send a (*)KK in an RFS to a CKT for
translation, notarization, and return as a (*)KKU for
forwarding to Party B. In the latter case, a KD is also sent
in the RFS message which is used only for message
authentication of the RFS and the responding RTR message.
SELECTION FOR FEDERAL GOVERNMENT USE:
In the CKT environment, it is mandatory that Party A only send
*KKs in an RFS message to a CKT for translation and
notarization. The translation of one or two KDs may not be
requested. This restriction significantly reduces the load on
the CKT since the parties to the exchange may then enter a PTP
mode to send KDs.
27 USE OF A COUNT WINDOW
USE IN ANSI X9.17:
In the CKD and CKT environments, it is possible for a
recipient to receive CSMs whose counts are out of sequence,
yet the MACs in these CSMs indicate that the messages are
authentic. A recipient of these CSMs may establish a window
which represents a range of reception counter values such that
the corresponding CSMs, should they arrive out of sequence,
shall be accepted without declaring an error.
Appendix F of ANSI X9.17 describes a method of defining and
managing such a window.
SELECTION FOR FEDERAL GOVERNMENT USE:
The use of the window technique described in Appendix F of
ANSI X9.17 is mandatory in the CKD and CKT environments. It
is desirable to have a uniform window technique for Federal
Government use. The use of the window technique in Appendix
F of ANSI X9.17 in the CKD and CKT environments will permit
interoperability. Note that when the window size is equal to
one, the window technique functions as if no window technique
was present. However, the implemented window technique shall
allow for a window size greater than one to be used.
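The following Python is an added illustration of a reception-count window of the kind Option 27 describes; it is not code from FIPS 171 or from Appendix F of ANSI X9.17, and the acceptance rules it encodes are modelling assumptions: counts increase by one per message, the window covers counts base .. base+size-1 where base is the lowest count not yet accepted, a count below base or already accepted is treated as a replay, and a count at or beyond the top of the window is reported as a count error (the situation in which Option 20 calls for one adjustment attempt). The MAC is verified before the count is examined, since the window applies only to CSMs whose MACs indicate they are authentic; HMAC-SHA256 and the pipe-delimited field layout are stand-ins invented for the example, not the X9.9 MAC or the X9.17 message format. With size 1 the window behaves as strict sequence checking, as the text notes.

```python
import hmac
import hashlib


class CountWindow:
    """Reception-counter window for CSMs, modelled on Option 27.

    Assumptions (illustrative, not a transcription of Appendix F):
    counts increase by one per message; the window covers counts
    base .. base + size - 1; base is the lowest count not yet accepted.
    A count below base, or one already accepted, is a replay; a count
    at or beyond the top of the window is a count error. With size 1
    the window degenerates to strict sequence checking.
    """

    def __init__(self, size=1, initial_count=1):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.base = initial_count
        self.seen = set()  # accepted counts inside the current window

    def classify(self, count):
        if count < self.base or count in self.seen:
            return "replay"
        if count >= self.base + self.size:
            return "count_error"
        return "accept"

    def accept(self, count):
        status = self.classify(count)
        if status == "accept":
            self.seen.add(count)
            # slide the window past every contiguous accepted count
            while self.base in self.seen:
                self.seen.discard(self.base)
                self.base += 1
        return status


def make_csm(mac_key, msg_type, orig, recp, count, tamper=False):
    """Build a constructed CSM-like record. HMAC-SHA256 stands in for the
    X9.9 MAC that real X9.17 messages carry; the field layout is invented
    for this example and is not the standard's format."""
    body = f"{msg_type}|{orig}|{recp}|{count}".encode()
    mac = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
    if tamper:  # flip the last hex digit to simulate a forged message
        mac = mac[:-1] + ("0" if mac[-1] != "0" else "1")
    return {"type": msg_type, "orig": orig, "recp": recp, "count": count, "mac": mac}


def process_csm(window, mac_key, csm):
    """Verify the MAC first: the count is only trusted on an authentic
    message, which is the case Option 27 is about."""
    body = f"{csm['type']}|{csm['orig']}|{csm['recp']}|{csm['count']}".encode()
    expected = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, csm["mac"]):
        return "mac_error"
    return window.accept(csm["count"])


def run_demo(size):
    """Run a constructed out-of-sequence series of counts through a window
    of the given size and return the per-message outcome."""
    key = b"constructed-demo-mac-key"  # constructed sample key, not a real one
    window = CountWindow(size=size, initial_count=1)
    outcomes = []
    for c in [1, 3, 2, 3, 7, 9, 4]:
        outcomes.append(process_csm(window, key, make_csm(key, "KSM", "PARTYA", "PARTYB", c)))
    # a forged message is rejected before its count is considered
    outcomes.append(process_csm(window, key, make_csm(key, "KSM", "PARTYA", "PARTYB", 5, tamper=True)))
    return outcomes


if __name__ == "__main__":
    print("window size 4:", run_demo(4))
    print("window size 1:", run_demo(1))
```

With a window of four, counts 3 and 2 arriving after 1 are both accepted and the window slides to 4 once the gap closes; the repeated 3 is a replay, 9 lies beyond the window and is a count error. With a window of one the same series produces count errors for every out-of-order message, which is the behaviour the text describes for a window size of one.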
TABLE I
SUMMARY OF OPTIONS AND SELECTIONS: ALL ENVIRONMENTS

Option | Section(s) of ANSI X9.17 | Description of Option | Federal Government Use | Impact(s)
------------------------------------------------------------------------------------------------
1 | 8.6.2, 8.6.3, 8.6.4 | Role assumed by a party to a key exchange | Optional | Implementing both roles provides flexibility
2 | 8.2, 8.6.2 | RSIs from Party B to Party A | Optional | Implementation provides flexibility
3 | Table II | SVR subfield ordering | Defined order is mandatory | Simplifies implementation; improves interoperability
4 | 7.2.8 | EDC in RSIs and ESMs | Mandatory | Automated means of detecting errors
5 | 8.6.2, 5 | Generate or otherwise acquire keys and IVs | Optional | Implementation provides autonomy; no generation or acquisition capability
6 | 5, 5.3 | Key generation technique | As defined in Appendix C | Provides required randomness
7 | Table II (see Option 6) | Key naming | Mandatory | Eliminates ambiguities; allows a better journaling capability
8 | 8.3, 8.4, 8.5, Table II | Key and facility identifier character sets | Mandated per Option 7 | Eliminates ambiguities; improves interoperability
13 | Table II | Send odd parity on keys | Mandatory | Improves interoperability
14 | 8.6.2, 8.6.3, 8.6.4 | Send IVs with keys | Optional | Provides a reliable means of transmitting an IV
15 | 7.2.6 | Encrypt IVs | Mandatory | Simplifies implementation since encryption requires encrypted IVs
16 | Table II | Send EDKs with keys | Optional | Permits the exchange of keys prior to activation
17 | 8.2, 8.6.4 | Use of DSMs | Mandatory | Automated, convenient and reliable means of discontinuing keys
18 | Table II | Use of the IDA field in a DSM if only one data key is shared | Mandatory | Provides interoperability
19 | Table II | Use "C" as a general error code in an ESM and ERS | Mandatory | Eliminates confusion
20 | 7.3.3 | Action when a count error is reported | Mandatory for one attempt to adjust before sending new keys | Eliminates the need for human intervention
21 | 8.3, 8.4, 8.5 | Use "CRLF" as a field delimiter | Forbidden | Provides interoperability
22 | Table I | Logging of CSMs | Mandatory | Prudent accounting and control practice
23 | 8.1 | Use of centers (CKD and CKT) | Optional | Reduces cost; improves security
TABLE II
SUMMARY OF OPTIONS AND SELECTIONS: POINT-TO-POINT ENVIRONMENT

Option | Section(s) of ANSI X9.17 | Description of Option | Federal Government Use | Impact(s)
------------------------------------------------------------------------------------------------
9 | 8.6.2, 8.6.4 | Key encrypting key length | Use of *KK is mandatory | Reduces cost; improves security
10 | Table II | Notarization of keys | Mandatory | Provides a digital signature capability; improves security
11 | 8.6.2, Table III | Sending key encrypting keys in KSMs | Optional | Operational flexibility
12 | 4.3, 8.6.2, 8.6.3, 8.6.4 | Send either one or two data keys | Optional | Implementation allows encryption and authentication keys to be sent in the same message
TABLE III
SUMMARY OF OPTIONS AND SELECTIONS: KEY DISTRIBUTION CENTER ENVIRONMENT

Option | Section(s) of ANSI X9.17 | Description of Option | Federal Government Use | Impact(s)
------------------------------------------------------------------------------------------------
12 | 4.3, 8.6.2, 8.6.3, 8.6.4 | Send either one or two data keys | Optional | Implementation allows encryption and authentication keys to be sent in the same message
24 | 8.2, 8.6.3 | RSIs from Party A to a CKD | Optional | Automated method of acquiring keys
25 | 8.6.3 | Unsolicited RTR messages | Optional | Reduces communication costs; allows centralized control
27 | 7.3.3 | Use of a count window | Window technique of Appendix F of ANSI X9.17 is mandatory | Reduces costs; provides interoperability
TABLE IV
SUMMARY OF OPTIONS AND SELECTIONS: KEY TRANSLATION CENTER ENVIRONMENT

Option | Section(s) of ANSI X9.17 | Description of Option | Federal Government Use | Impact(s)
------------------------------------------------------------------------------------------------
9 | 8.6.2, 8.6.4 | Key encrypting key length | Use of *KK is mandatory | Reduces costs; improves security
26 | 8.6.4 | Send KDs or (*)KKs to a CKT for translation | Mandatory that *KKs be sent | Reduces costs and load on the CKT
27 | 7.3.3 | Use of a | Window | Reduces costs;