BS ISO IEC 10745-1995 Information technology - Open systems interconnection - Upper layers security model《信息技术 开放式系统互连 上层加密模式》.pdf

1、BRITISH STANDARD BS ISO/IEC 10745:1995 Implementation of ISO/IEC 10745 Information technology Open Systems Interconnection Upperlayers security model ICS 35.100BSISO/IEC10745:1995 This British Standard, having been prepared under the directionof the Information Systems Technology Assembly, was publi

2、shed under the authorityof the Standards Boardand comes into effect on 15December 1995 BSI 01-2000 The following BSI references relate to the work on this standard: Committee reference IST/21 Draft for comment 92/64456 DC ISBN 0 580 25118 7 Committees responsible for this BritishStandard The prepara

3、tion of this British Standard was entrusted to Technical Committee IST/21, Open Systems Interconnection, data management and open distributed processing, upon which the following bodies were represented: British Computer Society British Telecommunications plc CCTA (the Government Centre for Informat

4、ion Systems) Department of Trade and Industry IT Standards Unit (ITD6A) Digital Equipment Co. Ltd. IBM United Kingdom Ltd. International Computers Limited Joint Information Systems Committee Level 7 Ltd. Logica UK Ltd. National Computing Centre Ltd. National Health Services Nine Tiles Computer Syste

5、ms Ltd. PSC International Ltd. Rank Xerox Ltd. SEMA Group Systems Ltd. Salford Services (3-5) X Open Company Ltd. Amendments issued since publication Amd. No. Date CommentsBSISO/IEC10745:1995 BSI 01-2000 i Contents Page Committees responsible Inside front cover National foreword ii Foreword iii Text

6、 of ISO/IEC 10745 1BSISO/IEC10745:1995 ii BSI 01-2000 National foreword This British Standard reproduces verbatim ISO/IEC10745:1995 and implements it as the UK national standard. This British Standard is published under the direction of the Information Systems Technology Assembly whose Technical Com

7、mittee IST/21 has the responsibility to: aid enquirers to understand the text; present to the responsible international committee any enquiries on interpretation, or proposals for change, and keep UK interests informed; monitor related international and European developments and promulgate them in t

8、he UK. NOTEInternational and European Standards, as well as overseas standards, are available from Customer Services, BSI, 389 Chiswick High Road, London W44AL. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for t

9、heir correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, pagesi andii, theISO title page, pagesii toiv, pages1 to16, an inside back cover and abackcover. This

10、 standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover.ISO/IEC10745:1995(E) ii BSI 01-2000 Contents Page Foreword iii Introduction 1 1 Scope 1 2 Normative references 1 2.1 Identical Recommendat

11、ions|International Standards 1 2.2 Paired Recommendations|International Standards equivalent in technical content 2 3 Definitions 2 4 Abbreviations 3 5 Concepts 4 5.1 Security policy 4 5.2 Security associations 4 5.3 Security state 4 5.4 Application Layer requirements 5 6 Architecture 5 6.1 Overall

12、model 5 6.2 Security associations 7 6.3 Security exchange functions 8 6.4 Security transformations 9 7 Services and mechanisms 11 7.1 Authentication 11 7.2 Access control 12 7.3 Non-repudiation 13 7.4 Integrity 13 7.5 Confidentiality 14 8 Layer interactions 14 8.1 Interactions between Application an

13、d Presentation Layers 14 8.2 Interactions between Presentation and Session Layers 15 8.3 Use of lower layer services 15 Annex A Relationship to OSI management 16 Annex B Bibliography Inside back cover Figure 1 Security functions associated with the OSI upper layers 6 Figure 2 Application relay scena

14、rio 8ISO/IEC10745:1995(E) BSI 01-2000 iii Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development

15、 of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, i

16、n liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as

17、an International Standard requires approval by at least75% of the national bodies casting a vote. International Standard ISO/IEC10745 was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology, Subcommittee SC21, Opensystems interconnection, data management and open distributed p

18、rocessing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.803. Annex A and Annex B of this International Standard are for information only.iv blankISO/IEC10745:1995(E) BSI 01-2000 1 Introduction The OSI Security Architecture (CCITT Rec. X.800|ISO7498-2) define

19、s the security-related architectural elements which are appropriate for application when security protection is required in an open systems environment. This Recommendation|International Standard describes the selection, placement, and use of security services and mechanisms in the upper layers (App

20、lication, Presentation, and Session Layers) of the OSI Reference Model. 1 Scope 1.1 This Recommendation|International Standard defines an architectural model that provides a basis for: a) the development of application-independent services and protocols for security in the upper layers of OSI; and b

21、) the utilization of these services and protocols to fulfil the security requirements of a wide variety of applications, so that the need for application-specific ASEs to contain internal security services is minimized. 1.2 In particular, this Recommendation|International Standard specifies: a) the

22、security aspects of communication in the upper layers of OSI; b) the support in the upper layers of the security services defined in the OSI Security Architecture and the Security Frameworks for Open Systems; c) the positioning of, and relationships among, security services and mechanisms in the upp

23、er layers, according to the guidelines of CCITT Rec. X.800|ISO7498-2 and ITU-T Rec. X.207|ISO/IEC9545. d) the interactions among the upper layers, and interactions between the upper layers and the lower layers, in providing and using security services; e) the requirement for management of security i

24、nformation in the upper layers. 1.3 With respect to access control, the scope of this Recommendation|International Standard includes services and mechanisms for controlling access to OSI resources and resources accessible via OSI. 1.4 This Recommendation|International Standard does not include: a) d

25、efinition of OSI services or specification of OSI protocols; b) specification of security techniques and mechanisms, their operation, and their protocol requirements; or c) aspects of providing security which are not concerned with OSI communications. 1.5 This Recommendation|International Standard i

26、s neither an implementation specification for systems nor a basis for appraising the conformance of implementations. NOTEThe scope of this Recommendation|International Standard includes security for connectionless applications and for distributed applications (such as store-and-forward applications,

27、 chained applications, and applications acting on behalf of other applications). 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation|International Standard. At the time

28、 of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and entities to agreements based on this Recommendation|International Standard are encouraged to investigate the possibility of applying the most recent editions of the Recommendations and

29、Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of theITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations|International Standards ITU-T Recommendation X

30、.207 (1993)| ISO/IEC9545:1994, Information technology Open Systems Interconnection Application layer structure. ITU-T Recommendation X.811 1)(1993)| ISO/IEC10181-2 1) , Information technology Security frameworks in Open Systems: Authentication framework. ITU-T Recommendation X.812 1)(1993)| ISO/IEC1

31、0181-3 1) , Information technology Security frameworks in Open Systems: Access control framework. 1) Presently at stage of draft.ISO/IEC10745:1995(E) 2 BSI 01-2000 2.2 Paired Recommendations|International Standards equivalent in technical content CCITT Recommendation X.200 (1988), Basic reference mo

32、del of open systems interconnection for CCITT applications. ISO 7498:1984/Corr.1:1988, Information processing systems Open Systems Interconnection Basic Reference Model. CCITT Recommendation X.216 (1988), Presentation service definition for open systems interconnection for CCITT applications. ISO 88

33、22:1988, Information processing systems Open Systems Interconnection Connection oriented presentation service definition. CCITT Recommendation X.217 (1988), Association control service definition for open systems interconnection for CCITT applications. ISO 8649:1988, Information processing systems O

34、pen Systems Interconnection Service definition for the Association Control Service Element. CCITT Recommendation X.700 (1992), Management framework definition for Open Systems Interconnection for CCITT applications. ISO/IEC 7498-4:1989, Information processing systems Open Systems Interconnection Bas

35、ic Reference Model Part 4: Management framework. CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security architecture. 3 Defin

36、itions 3.1 The following terms are used as defined in CCITT Rec. X.200|ISO7498: a) abstract syntax; b) application-entity; c) application-process; d) application-process-invocation; e) application-protocol-control-information; f) application-protocol-data-unit; g) local system environment; h) (N)-fu

37、nction; i) (N)-relay; j) open system; k) presentation context; l) presentation-entity; m) real open system; n) systems-management; o) transfer syntax. 3.2 The following terms are used as defined in CCITT Rec. X.800|ISO 7498-2: a) access control; b) authentication; c) confidentiality; d) data integri

38、ty; e) data origin authentication; f) decipherment; g) encipherment; h) key; i) non-repudiation; j) notarization; k) peer-entity authentication; l) security audit; m) Security Management Information Base; n) security policy; o) selective field protection; p) signature; q) traffic flow confidentialit

39、y; r) trusted functionality. 3.3 The following terms are used as defined in CCITT Rec. X.700|ISO/IEC7498-4: a) Management Information; b) OSI Management. 3.4 The following terms are used as defined in Rec. ITU-T Rec. X.207|ISO/IEC9545: a) application-association; b) application-context; c) applicati

40、on-entity-invocation (AEI); d) application-service-element (ASE); e) ASE-type; f) application-service-object (ASO); g) ASO-association; h) ASO-context; i) ASO-invocation; j) ASO-type; k) control function (CF). 3.5 The following term is used as defined in CCITTRec. X.216|ISO8822: presentation data va

41、lue.ISO/IEC10745:1995(E) BSI 01-2000 3 3.6 The following terms are used as defined in ITU-T Rec. X.811|ISO/IEC10181-2: a) authentication exchange; b) claim authentication information; c) claimant; d) exchange authentication information; e) entity authentication; f) principal; g) verification authent

42、ication information; f) verifier. 3.7 The following terms are used as defined in ITU-T Rec. X.812|ISO/IEC10181-3: a) access control certificate; b) access control information. 3.8 For the purposes of this Recommendation|International Standard, the following definitions apply: association security st

43、ate security state relating to a security association protecting presentation context a presentation context that associates a protecting transfer syntax with an abstract syntax protecting transfer syntax a transfer syntax based on encoding/decoding processes that employ a security transformation se

44、al a cryptographic check value that supports integrity but does not protect against forgery by the recipient (i.e.it does not support non-repudiation) security association a relationship between two or more entities for which there exist attributes (state information and rules) to govern the provisi

45、on of security services involving those entities security communication function a function supporting the transfer of security-related information between open systems security domain a set of elements, a security policy, a security authority and a set of security relevant activities in which the s

46、et of elements are subject to the security policy, administered by the security authority, for the specified activities security exchange a transfer or sequence of transfers of application-protocol-control-information between open systems as part of the operation of one or more security mechanisms s

47、ecurity exchange item a logically-distinct piece of information corresponding to a single transfer (in a sequence of transfers) in a security exchange security exchange function a security communication function, located in the Application Layer, that provides the means for communicating security in

48、formation between AE-invocations secure interaction rules common aspects of the rules necessary in order for interactions to take place between security domains security state state information that is held in an open system and that is required for the provision of security services system security

49、 function a capability of an open system to perform security-related processing system security object an object that represents a set of related system security functions security transformation a set of functions (system security functions and security communication functions) which, in combination, operate upon user data items to protect those data items in a particular way during communication or storage NOTESpecifications of system security functions and system security object are not part of OSI layer service d