
TIA-5022 003-2015 Security Solutions (oneM2M TS-0003- v1 0 1).pdf

TIA-5022.003
October 2015
Security Solutions (oneM2M TS-0003-v1.0.1)

NOTICE

TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser in selecting and obtaining with minimum delay the proper product for their particular need.

The existence of such Standards and Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Standards and Publications. Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or internationally.

Standards and Publications are adopted by TIA in accordance with the American National Standards Institute (ANSI) patent policy. By such action, TIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication.

This Standard does not purport to address all safety problems associated with its use or all applicable regulatory requirements. It is the responsibility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use.

Any use of trademarks in this document are for information purposes and do not constitute an endorsement by TIA or this committee of the products or services of the company.

(From Project No. TIA-PN-5022.003, formulated under the cognizance of the TIA TR-50 M2M-Smart Device Communications.)

Published by TELECOMMUNICATIONS INDUSTRY ASSOCIATION Technology

(b) there is no assurance that the Document will be approved by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or changed in the standards development or any editing process.

The use or practice of contents of this Document may involve the use of intellectual property rights ("IPR"), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIA's attention, a statement from the holder thereof is requested, all in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or conditions, which are instead left to the parties involved, nor will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory.

TIA does not warrant or represent that procedures or practices suggested or provided in the Manual have been complied with as respects the Document or its contents.

If the Document contains one or more Normative References to a document published by another organization ("other SSO") engaged in the formulation, development or publication of standards (whether designated as a standard, specification, recommendation or otherwise), whether such reference consists of mandatory, alternate or optional elements (as defined in the TIA Procedures for American National Standards) then (i) TIA disclaims any duty or obligation to search or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Reference; (ii) TIA's policy of encouragement of voluntary disclosure (see TIA Procedures for American National Standards Annex C.1.2.3) of Essential Patent(s) and published pending patent applications shall apply; and (iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identification to TIA of a claim of Essential Patent(s) or published pending patent applications.

TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document.

ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS' COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR RENDERED TO COMPLY WITH THE CONTENTS.

TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS.

OneM2MPartners Page 2 of 91

About oneM2M

The purpose and goal of oneM2M is to develop technical specifications which address the need for a common M2M Service Layer that can be readily embedded within various hardware and software, and relied upon to connect the myriad of devices in the field with M2M application servers worldwide.

More information about oneM2M may be found at: http://www.oneM2M.org

Copyright Notification

No part of this document may be reproduced, in an electronic retrieval system or otherwise, except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© 2015, oneM2M Partners Type 1 (ARIB, ATIS, CCSA, ETSI, TIA, TTA, TTC). All rights reserved.

Notice of Disclaimer

Secured packet structure for UICC based applications (Release 11)".
[8] ETSI TS 102 226 (V11.0.0): "Smart Cards; Remote APDU structure for UICC based applications (Release 11)".
[9] 3GPP TS 31.115 (V10.1.0): "Remote APDU Structure for (U)SIM Toolkit applications (Release 10)".
[10] 3GPP TS 31.116 (V10.2.0): "Remote APDU Structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications (Release 10)".
[11] 3GPP2 C.S0078-0 (V1.0): "Secured packet structure for CDMA Card Application Toolkit (CCAT) applications".
[12] 3GPP2 C.S0079-0 (V1.0): "Remote APDU Structure for CDMA Card Application Toolkit (CCAT) applications".
[13] 3GPP TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
[14] 3GPP2 S.S0109-A: "Generic Bootstrapping Architecture (GBA) Framework".
[15] IETF RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)".
[16] Void.
[17] Void.
[18] IETF RFC 5705: "Keying Material Exporters for Transport Layer Security (TLS)".
[19] IETF RFC 3629: "UTF-8, a transformation format of ISO 10646".
[20] "Unicode Standard Annex #15; Unicode Normalization Forms", Unicode 5.1.0, March 2008.
NOTE: Available at http://www.unicode.org.

[21] GlobalPlatform Device Technology TEE Administration framework, DRAFT.
[22] GlobalPlatform Device Technology TEE System Architecture, Version 1.0.
[23] ETSI TS 102 671: "Smart Cards; Machine to Machine UICC; Physical and logical characteristics".
[24] ETSI TS 102 221: "Smart Cards; UICC-Terminal interface; Physical and logical characteristics".
[25] ETSI TS 102 484: "Smart Cards; Secure channel between a UICC and an end-point terminal".
[26] ISO/IEC 7816-4: "Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange".
[27] ETSI TS 101 220: "Smart Cards; ETSI numbering system for telecommunication application providers".
[28] Void.
[29] Void.
[30] Void.
[31] IETF RFC 6655: "AES-CCM Cipher Suites for Transport Layer Security (TLS)".
[32] IETF RFC 5289: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
[33] IETF RFC 2104: "HMAC: Keyed-Hashing for Message Authentication".
[34] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
[35] IETF RFC 6960: "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP".
[36] IETF RFC 6961: "The Transport Layer Security (TLS) Multiple Certificate Status Request Extension".
[37] IETF RFC 7250: "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)".
[38] IETF RFC 7252: "The Constrained Application Protocol (CoAP)".
[39] National Institute of Standards and Technology (July 1999): "Recommended Elliptic Curves for Federal Government Use".
NOTE: Available at http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf.
[40] IETF RFC 6920: "Naming Things with Hashes".
[41] IETF RFC 3548: "The Base16, Base32, and Base64 Data Encodings".
[42] IETF RFC 5487: "Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode".
[43] IETF RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
[44] IETF RFC 6066: "Transport Layer Security (TLS) Extensions: Extension Definitions".
[45] IETF RFC 7251: "AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)".
[46] IETF RFC 5480: "Elliptic Curve Cryptography Subject Public Key Information".
[47] GlobalPlatform Device Technology Secure Element Remote Application Management v1.0 GPD_SPE_008.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] oneM2M Drafting Rules.
NOTE: Available at http://member.onem2m.org/Static_pages/Others/Rules_Pages/oneM2M-Drafting-Rules-V1_0.doc.
[i.2] Void.
[i.3] Void.
[i.4] oneM2M TR-0008: "Analysis of Security Solutions".
[i.5] eXtensible Access Control Markup Language (XACML) Version 3.0. 22 January 2013. OASIS Standard.
[i.6] Handbook of Applied Cryptography, A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, CRC Press, 1996.
[i.7] Recommendation ITU-T X.509 (10/2012): "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks".
[i.8] Void.
[i.9] OMA-TS-REST-NetAPI-TerminalLocation-V1-0-20130924-A: "RESTful Network API for Terminal Location", Version 1.0.
[i.10] ISO 3166-1:2013: "Codes for the representation of names of countries and their subdivisions - Part 1: Country codes".
[i.11] ISO/IEC 7816-5: "Identification cards - Integrated circuit cards - Part 5: Registration of Application Providers".
[i.12] Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162.
NOTE: Available at http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in oneM2M-TR-0004 [2] and the following apply:

AE-ID Certificate: certificate with a certificate chain to a trust anchor certificate and containing an AE-ID in the subjectAltName extension
NOTE: An AE-ID certificate can be used to verify that an entity has been assigned the AE-ID in the certificate.

association configuration: phase of a Security Association Establishment Framework in which the entity establishing the Security Association (and the Central Key Distribution Server, in the case of Centralized Security Frameworks), are provided with identities (and any other relevant credentials) to ensure that the security association is established between the intended entities

association security handshake: phase of a Security Association Framework in which the security association endpoints perform mutual authentication

bootstrap credential: pre-provisioned credential enabling mutual authentication of the Enrolee and the M2M Enrolment function

bootstrap credential configuration: phase of a Security Bootstrap Framework in which the Bootstrap Credentials are pre-provisioned to the Enrolee and the M2M Enrolment function

bootstrap enrolment handshake: phase of a Security Bootstrap Framework in which the Enrolee and M2M Enrolment Function perform mutual authentication

bootstrap instruction configuration: phase of a Security Bootstrap Framework in which the Enrolee and M2M Enrolment Function are provided with identities (and any other relevant credentials) to enable the M2M Enrolment function to establish a Master Credential between the intended Enrolee and M2M Authentication Function

bootstrap server function [13]: BSF is hosted in a network element under the control of a Mobile Network Operator. BSF, HSS, and UEs participate in GBA in which a shared secret is established between the network and a UE by running the bootstrapping procedure
NOTE: The shared secret can be used between NAFs and UEs, for example, for authentication purposes.

bootstrapping transaction identifier [13]: bootstrapping transaction identifier (B-TID) is used to bind the subscriber identity to the keying material in GBA reference points Ua, Ub and Zn

CA-Certificate [i.6]: certificate created by one certification authority (CA) certifying the public key of another CA

certificate: See Public Key Certificate.

certificate chain: sequence of one or more CA-certificates, where: the Public Verification Key in each CA-certificate is certified in the previous CA-certificate; and the public key of the first CA-Certificate is trusted a priori
NOTE: Trust in the public key in each CA-certificate can be based on trust in the previous CA-Certificate.

certificate name: unique identifier in a name field of a Certificate (e.g. in the X.509 "Subject" or "Subject Alternative Name" attribute)

certificate verification: process necessary to trust an entity's Certificate

certification authority [i.6]: responsible for establishing and vouching for the authenticity of public keys
NOTE: This includes binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and certificate revocation.

credential configuration: phase of a Security Association
