ANSI INCITS ISO IEC 24824-3-2008 Information technology - Generic applications of ASN.1 Fast infoset security.pdf

1、 INCITS/ISO/IEC 24824-3:20082010 (ISO/IEC 24824-3:2008, IDT) Information technology - Generic applications of ASN.1: Fast infoset security Reaffirmed as INCITS/ISO/IEC 24824-3:2008 R2015INCITS/ISO/IEC 24824-3:20082010 PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Ad

2、obes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing polic

3、y. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every ca

4、re has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an A

5、merican National Standard. Date of ANSI Approval: 11/17/2010 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2010 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of Inte

6、rnational Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval

7、 system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1101 K Street NW, Suite 610, Washington DC 20005. Printed in the United States of America ii ITIC 2010 All rights reserved ISO/IEC 24824-3:2008(E) ISO/IEC 2008 All rights reserv

8、ed iiiCONTENTS Page 1 Scope . 1 2 Normative references 1 2.1 Identical Recommendations | International Standards . 1 2.2 Additional references. 1 3 Definitions 2 3.1 Imported definitions 2 3.2 Additional definitions 2 4 Abbreviations 2 5 Notation . 2 6 Canonical Fast Infoset algorithms 3 6.1 Require

9、ments on canonical Fast Infoset algorithms 3 6.2 Requirements on canonical XML algorithms for use by a canonical Fast Infoset algorithm 3 6.3 Restrictions when serializing an XML infoset to a canonical fast infoset document 3 6.4 Canonical Fast Infoset algorithms. 4 7 W3C XML Signature and Fast Info

10、set 4 8 W3C XML Encryption and Fast Infoset 5 8.1 Application-level extensions for encryption 5 8.2 Generation of a complete XML infoset from part of an XML infoset. 5 8.3 Application-level extensions for decryption 6 Annex A Examples of signing and encrypting an XML infoset 7 A.1 Introduction of ex

11、amples 7 A.2 Signing and verifying the SOAP message infoset 7 A.3 Encrypting and decrypting the SOAP message infoset 10 Annex B Signed SOAP message infoset. 12 Annex C Signed and encrypted SOAP message infoset . 13 Bibliography . 14 ISO/IEC 24824-3:2008(E) iv ISO/IEC 2008 All rights reservedForeword

12、 ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical comm

13、ittees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

14、work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International

15、Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the el

16、ements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24824-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information

17、 exchange between systems, in collaboration with ITU-T. The identical text is published as ITU-T Rec. X.893 (05/07). ISO/IEC 24824-3:2008(E) ISO/IEC 2008 All rights reserved vIntroduction This Recommendation | International Standard specifies: a) the application of integrity to one or more parts of

18、an XML infoset using Fast Infoset serialization and W3C XML Signature; b) the application of encryption to one or more parts of an XML infoset using Fast Infoset serialization and W3C XML Encryption. W3C XML Signature specifies a means of generating W3C XML Signature information items that contain (

19、inter alia): a) explicit (using URIs) or implicit (dependent on the use of the XML infoset signature information item) identification of one or more data objects (a data object is anything that either already is, or can be transformed into, a string of octets); b) a (possibly empty) list of sequenti

20、al transforms (specified by URIs for the algorithm to be used in performing the transform) from those data objects to a sequence of octets; these transforms can select all or part of the identified data objects, but are required to result in a sequence of octets; c) digest and encryption information

21、 for the production of a signature of the resulting sequence of octets; and d) the resulting signature. This Recommendation | International Standard specifies four (canonical Fast Infoset) algorithms that can be referenced in a W3C XML Signature transform (and provides URIs for them) and can also be

22、 (independently) used as the algorithm for the W3C XML Signature canonicalization method. NOTE 1 The same Fast Infoset algorithm could be used for both the transform and the canonicalization method, but use of two different Fast Infoset algorithms (or a Fast Infoset algorithm and some other algorith

23、m) is not excluded. In all four cases, the input to the canonical Fast Infoset algorithm is either an XML infoset, or an XPath node set (restricted, in accordance with 6.1.4 b, to those node sets that produce a well-formed XML document when serialized). The output of all four canonical Fast Infoset

24、algorithms is a sequence of octets (the octets of a fast infoset document, see ITU-T Rec. X.891 | ISO/IEC 24824-1) that are suitable for digest and hashing in order to provide a signature in accordance with W3C XML Signature. NOTE 2 This will usually be the last transform in the sequential list of W

25、3C XML Signature transforms, but need not be. A typical use will be to sign one or more parts of a single XML infoset. NOTE 3 Use to sign parts of multiple XML infosets is not excluded. It is expected, but not required, that the resulting W3C XML Signature information items will be used either as a

26、detached signature, or as an enveloping or enveloped signature (see W3C XML Signature) for the XML infoset that is signed, and that the resulting XML infoset will be serialized using ITU-T Rec. X.891 | ISO/IEC 24824-1. This Recommendation | International Standard specifies application-level extensio

27、ns (see 3.2.1) to W3C XML Encryption. These application-level extensions enable encryption to be applied to part of an XML infoset using octets provided by a Fast Infoset serialization, rather than to the octets provided by an XML serialization of those parts. NOTE 4 W3C XML Encryption can be applie

28、d to a complete fast infoset document as specified in W3C XML Encryption, 3.1, without the use of this Recommendation | International Standard. The MimeType attribute will have the value “application/fastinfoset“. The means of identifying the parts of the XML infoset that are encrypted is specified

29、by W3C XML Encryption and allows the encryption of: a) an element information item and its properties, including any direct or indirect child information items (and their properties); and b) the child information items of the child property of an element information item and their properties, includ

30、ing any direct or indirect child information items (and their properties). Encryption requires that those parts of an XML infoset that are to be encrypted have to be first serialized into a string of octets for input to an encryption algorithm. The ability to produce a serialization of a and b above

31、 is not supported by ITU-T Rec. X.891 | ISO/IEC 24824-1, but is specified in clause 8 of ITU-T Rec. X.893 | ISO/IEC 24824-3 (using ITU-T Rec. X.891 | ISO/IEC 24824-1). This is done by converting such fragments (in a defined way) to a complete XML infoset and then applying ITU-T Rec. X.891 | ISO/IEC

32、24824-1 to the complete XML infoset. This Recommendation | International Standard also specifies two URIs, one for a above and one for b above, that are used in XML Encryption to identify the application-level extensions which determine the use of Fast Infoset serialization rather than XML serializa

33、tion for the production of the octets to be input to an encryption algorithm. ISO/IEC 24824-3:2008(E) vi ISO/IEC 2008 All rights reservedUse of Fast Infoset serialization to determine the octets for input to an encryption algorithm in general reduces the number of octets that have to be encrypted an

34、d decrypted, and would be normal (but not necessary) if the XML infoset is transferred using a Fast Infoset serialization. NOTE 5 It is also possible (but would be unusual) to use Fast Infoset serialization to determine the octets for input to an encryption algorithm when the XML infoset is to be tr

35、ansferred using an XML serialization. The serialization of an XML infoset containing W3C XML Signature information items and/or W3C XML Encryption information items to a fast infoset document has the following advantages over serialization to an XML document: a) repeating information such as multipl

36、e signed references or multiple encrypted parts with the same XML tags or content will be encoded more efficiently; and b) the (binary) octets associated with signature values, digest values, cipher values or keys may be encoded directly (see ITU-T Rec. X.891 | ISO/IEC 24824-1, 10.3) if a (binary) f

37、ast infoset document is used to serialize the XML infoset; when serializing an XML infoset to an XML document (which is a string of characters), such octets are required to be base64 encoded, increasing processing speed and size. Clause 6 specifies four canonical Fast Infoset algorithms that can be

38、referenced in a W3C XML Signature transform. Clause 7 specifies the use of W3C XML Signature with canonical Fast Infoset algorithms. Clause 8 specifies the use of W3C XML Encryption for the encryption of parts of an XML infoset that are serialized to fast infoset documents. Annex A does not form an

39、integral part of this Recommendation | International Standard and provides examples of signing and validating a SOAP XML infoset (that makes use of canonical Fast Infoset algorithms), and encrypting and decrypting a SOAP message infoset (that makes use of the encryption of part of the SOAP message i

40、nfoset that is serialized to a fast infoset document). Annexes B and C do not form an integral part this Recommendation | International Standard, and provide examples of a signed SOAP message infoset and a signed and encrypted SOAP message infoset, respectively. ISO/IEC 24824-3:2008 (E) ITU-T Rec. X

41、.893 (05/2007) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Information technology Generic applications of ASN.1: Fast infoset security 1 Scope This Recommendation | International Standard specifies four (canonical Fast Infoset) algorithms that can be used in the application of W3C XML Signature (a

42、nd provides URIs for them). It also specifies application-level extensions to the W3C XML Encryption processing rules for the encryption of part of an XML infoset (see 8.1) serialized as a fast infoset document and for the decryption of an encrypted part (see 8.3) that was serialized as a fast infos

43、et document. The use of any resulting W3C XML Signature information items or W3C XML Encryption information items is not within the scope of this Recommendation | International Standard. 2 Normative references The following Recommendations and International Standards contain provisions which, throug

44、h reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard a

45、re encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of curren

46、tly valid ITU-T Recommendations. The IETF maintains a list of RFCs, together with those that have been obsoleted by later RFCs. The reference to a document within this Recommendation | International Standard does not give it, as a stand-alone document, the status of a Recommendation or International

47、 Standard. 2.1 Identical Recommendations | International Standards ITU-T Recommendation X.891 (2005) | ISO/IEC 24824-1:2007, Information technology Generic applications of ASN.1: Fast infoset. 2.2 Additional references ISO/IEC 10646:2003, Information technology Universal Multiple-Octet Coded Charact

48、er Set (UCS). W3C Canonical XML:2001, W3C Canonical XML Version 1.0, W3C Recommendation, Copyright 15 March 2001 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/2001/REC-xml-c14

49、n-20010315. W3C XML Encryption:2002, XML Encryption Syntax and Processing, W3C Recommendation, Copyright 10 December 2002 World Wide Web Consortium (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http:/www.w3.org/TR/2002/REC-xmlenc-core-20021210. W3C Exclusive Canonical XML:2002, W3C Exclusive XML Canonicalization Version 1.0, W3C Recommendation, Copyright 18 July