本文档定义了基于非对称密码技术的密钥管理机制。它特别解决了使用非对称技术来实现以下目标。 a)通过密钥协议在两个实体A和B之间建立用于对称加密技术中的共享秘密密钥。在秘密密钥协议机制中，秘密密钥被计算为两个实体A和B之间的数据交换的结果。它们都不能预先确定共享密钥的值。 b)经由密钥传输在两个实体A和B之间建立用于对称加密技术中的共享秘密密钥。在秘密密钥传输机制中，秘密密钥由一个实体A选择并被传送到另一个实体B，适当地由非对称技术保护。c)通过密钥传输使实体的公钥对其他实体可用。在公钥传输机制中，实体A的公钥以经认证的方式传输给其他实体，但不要求保密。 本文的部分机制是基于ISO/IEC中相应的认证机制？9798？3. 本文件不涵盖关键管理的某些方面，例如: —？关键生命周期管理； —？生成或验证非对称密钥对的机制；和 —？存储、存档、删除、销毁等机制。，钥匙。 虽然本文档没有明确地涵盖从可信第三方向请求实体分发实体的私钥(非对称密钥对的)，但是可以使用所描述的密钥传输机制来实现这一点。在所有情况下，私钥都可以通过这些机制在已经存在现有的、未受损的密钥的情况下分发。然而，在实践中，私钥的分发通常是依赖于诸如智能卡等技术手段的手动过程。 本文档没有指定密钥管理机制中使用的转换。 笔记？为了提供密钥管理消息的来源认证，可以在密钥建立协议内提供真实性，或者使用公钥签名系统来签名密钥交换消息。

This document defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals. a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as the result of a data exchange between the two entities A and B. Neither of them is able to predetermine the value of the shared secret key. b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one entity A and is transferred to another entity B, suitably protected by asymmetric techniques. c) Make an entity's public key available to other entities via key transport. In a public key transport mechanism, the public key of entity A is transferred to other entities in an authenticated way, but not requiring secrecy. Some of the mechanisms of this document are based on the corresponding authentication mechanisms in ISO/IEC？9798？3. This document does not cover certain aspects of key management, such as: —？key lifecycle management; —？mechanisms to generate or validate asymmetric key pairs; and —？mechanisms to store, archive, delete, destroy, etc., keys. While this document does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this. A private key can in all cases be distributed with these mechanisms where an existing, non-compromised key already exists. However, in practice the distribution of private keys is usually a manual process that relies on technological means such as smart cards, etc. This document does not specify the transformations used in the key management mechanisms. NOTE？To provide origin authentication for key management messages, it is possible to make provisions for authenticity within the key establishment protocol or to use a public key signature system to sign the key exchange messages.