AS 2805.6.1.4:2009 pdf free download – Electronic funds transfer—Requirements for interfacesPart 6.1.4: Key management—Asymmetric crypto systems-Key management and life cycle.
3.10
digital signature system
asymmetric cryptosystem that provides for the creation and subsequent verification of digital signatures
hash function
one-way function that maps a set of strings of arbitrary length on to a set of fixed-length strings of bits
NOTE A collision-resistant hash function is one with the property that it is computationally infeasible to construct distinct inputs that map to the same output.
3.12
independent communication
process that allows an entity to counter-verify the correctness of a credential and identification documents prior to producing a certificate (e.g., call-back, visual identification, etc.)
3.13
key agreement
process of establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key
3.14
key share
one of at least two parameters related to a cryptographic key generated in such a way that a quorum of such parameters can be combined to form the cryptographic key but such that fewer than a quorum provide no information about the key
3.15
non-repudiation of origin
property that the originator of a message and associated cryptographic check value (i.e., digital signature) is not able to subsequently deny, with an accepted level of credibility, having originated the message
4 Uses of asymmetric cryptosystems in retail financial services systems
4.1 General
Asymmetric cryptosystems include asymmetric ciphers. digital signature systems and key agreement systems.
In financial services systems, asymmetric cryptosystems are used predominantly for key management; firstly for the management of the keys of symmetric ciphers, and secondly for the management of the keys of the asymmetric cryptosystems themselves. This clause describes these applications of asymmetric cryptosystems. Clause 5 describes the techniques employed in support of these applications relating to key management services and certificate management. Clause 6 describes how these techniques and methods are used in relation to the security and implementation requirements for the key pair life cycle.
6.3.3 Permissible forms for public keys
6.3.3.1 General
In an asymmetric cryptosystem there is no secrecy requirement for the storage of the public key, but authenticity and integrity of this key shall be ensured.
It shall not be possible to substitute or alter any public key or associated information without detection.
A public key shall be stored either in plaintext or enciphered forms as detailed in 6.3.3.2 and 6.3.3.3 respectively
6.3.3.2 Plaintext public key
When the public key is stored in plaintext as a certificate, the techniques described in Clause 5 shall apply for the production of this certificate.
When the public key does not appear as a certificate, it shall be stored with sufficient protection to ensure that the value of the key and its identity cannot be modified without detection as follows:
a) in plain text in an SCD designed to detect unauthorized key replacement;
b) in plain text using key verification techniques as defined in 5.5.
6.3.3.3 Enciphered public key
In some instances, the authenticity and integrity of a public key can be achieved by encipherment e.g., by
inclusion of check values in the enciphered data. Such encipherment shall be as defined in 5.2.
6.3.4 Protection against substitution during storage
When plaintext public keys are stored and are not in the form of a certificate or when their certificate has been checked and they will be used without re-checking the certificate, integrity and authenticity shall be ensured by means described in 6.3.3 and by techniques described in Clause 5.
Protection against substitution of the public key during storage is essential. For example, the substitution of a public key used for encipherment may result in a threat to data secrecy.
One means of protecting a public key against substitution is to implement the same techniques as for a private key. Another means is to store the public key in a certificate, allowing verification of the key’s integrity and authenticity before use.
