CAN CSA-ISO IEC 10181-2-2000 Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems Authentication Framework.pdf

1、CSA I NT E R N AT1 0 ?4 A1 I . National Standard of Canada CAN/CSA=ISO/IEC 101 81 -2-00 (ISO/IEC 101 81 -2: 1996) International Standard ISO/IEC 10181-2:1994 (first edition 1996-05-15) has been adopted without modification as CSA Standard CAN/CSA-ISOJIEC 10181-2-00, which has been approved as a Nati

2、onal Standard of Canada by the Standards Council of Canada. ISBN 1-55324-084-7 March 2000 Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework (Reaffirmed 2004) Technologies de Iin formation - lnterconnexion de s ystemes ouverts: Cadr

3、e g6ndral dauthentification Reference number lSO/IEC 101 81-2:1996(E) The Canadian Standards Association, which operates under the name CSA International (CSA), under whose auspices this National Standard has been produced, was chartered in 191 4 and accredited by the Standards Council of Canada to

4、the National Standards system in 1973. It is a not-for-profit, nonstatutory, voluntary membership association engaged in standards development and certification activities. and users - including manufacturers, consumers, retailers, unions and professional organizations, and governmental agencies. Th

5、e standards are used widely by industry and commerce and often adopted by municipal, provincial, and federal governments in their regulations, particularly in the fields of health, safety, building and construction, and the environment. indicate their support for CSAs standards development by volunt

6、eering their time and skills to CSA Committee work and supporting the Associations objectives through sustaining memberships. The more than 7000 committee volunteers and the 2000 sustaining memberships together form CSAs total membership from which its Directors are chosen. Sustaining memberships re

7、present a major source of income for CSAs standards development activities. in support of and as an extension to its standards development activities. To ensure the integrity of its certification process, the Association regularly and continually audits and inspects products that bear the CSA Mark.

8、Toronto, CSA has regional branch offices in major centres across Canada and inspection and testing agencies in eight countries. Since 191 9, the Association has developed the necessary expertise to meet its corporate mission: CSA is an independent service organization whose mission is to provide an

9、open and effective forum for activities facilitating the exchange of goods and services through the use of standards, certification and related services to meet national and international needs. For futher information on CSA services, write to CSA International 178 Rexdale Boulevard Toronto, Ontario

10、, M9W 1 R3 Canada CSA standards reflect a national consensus of producers Individuals, companies, and associations across Canada The Association offers certification and testing services In addition to its head office and laboratory complex in The Standards Council of Canada is the coordinating body

11、 of the National Standards system, a federation of independent, autonomous organizations working towards the further development and improvement of voluntary standardization in the national interest. The principal objects of the Council are to foster and promote voluntary standardization as a means

12、of advancing the national economy, benefiting the health, safety, and welfare of the public, assisting and protecting the consumer, facilitating domestic and international trade, and furthering international cooperation in the field of standards. has been approved by the Standards Council of Canada

13、and one which reflects a reasonable agreement among the views of a number of capable individuals whose collective interests provide to the greatest practicable extent a balance of representation of producers, users, consumers, and others with relevant interests, as may be appropriate to the subject

14、in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest. Approval of a standard as a National Standard of Canada indicates that a standard conforms to the criteria and procedures established by the Standards Council of Canada. Appr

15、oval does not refer to the technical content of the standard; this remains the continuing responsibility of the accredited standards-development organization. Those who have a need to apply standards are encouraged to use National Standards of Canada whenever practicable. These standards are subject

16、 to periodic review; therefore, users are cautioned to obtain the latest edition from the organization preparing the standard. The responsibility for approving National Standards of Canada rests with the Standards Council of Canada 45 OConnor Street, Suite 1200 Ottawa, Ontario, K1 P 6N7 Canada A Nat

17、ional Standard of Canada is a standard which CSA INTERNATIONAL c . Les normes nationales du Canada sont publi6es en versions frangaise et anglaise. Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the use

18、rs to judge its suitability for their particular purpose. lnformation technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework CAN/CSA-ISO/lC 7 0 7 8 1-2-00 CAN/CSA-ISO/IEC 101 81-2-00 Infomation technozogy - Open Systems Interconnection - Security f

19、karneworks for open systems: Authentication j%anzework CSA Preface Standards deveiopment within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Com

20、mittee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTCI ) for the Standards Council of Canada (SCC), the IS0 member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Can

21、ada participates in the International Teiegraph and Telephone Consultative Committee (ITU-T). This International Standard was reviewed by the CSA TClT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. (A committee membership

22、 list is available on request from the CSA Project Manager.) From time to time, ISO/IEC may publish addenda, corrigenda, etc. The CSA TCtT will review these documents for approval and publication. For a listing, refer to the CSA Information Products catalogue or CSA Info Update or contact a CSA Sale

23、s representative. This Standard has been formally approved, without modification, by these Committees and has been approved as a National Standard of Canada by the Standards Council of Canada. March 2000 0 CSA International - 2000 All rights reserved. No part of this publication may be reproduced in

24、 any form whatsoever without the prior permission of the publisher. ISO/EC muterial is reprinted with permission. Inquiries regarding this National Standard of Canada should be addressed to CSA International, 7 78 Rexdale Boulevard, Toronto, Ontario, MPW 7 R3. March 2000 CSA/l I NTE R N AT1 0 NAL ST

25、ANDARD ISO/IEC 10181-2 First edition 1996-05-1 5 fnformation technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework Technologies de !information - lnterconnexion de systemes ouverts: Cadre g Authentication framework - Part 3: Access control framewo

26、rk - Part 4: Non- repudiation - Part 5: Con,dentiality - Part 6: Integrity - Pur? 7: Security audit firnewark Annexes A to G of this part of ISO/IEC 10 18 1 are for information only. iv 0 ISO/IEC LSOLEC 10181-2: 1996(E) Introduction Many applications have requirements for security to protect against

27、 threats to the communication of information. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, are described in ITU Rec. X.800 I IS0 7498-2. Many Open Systems appIications have security requirements which depend upon correctly

28、identifying the principals involved. Such requirements may include the protection of assets and resources against unauthorized access, for which an identity based access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as

29、well as for accounting and charging purposes. The process of corroborating an identity is called authentication. This Recommendation I International Standard defines a general framework for the provision of authentication services. ISO/IEC 10181-2 : 1996 a) INTERNATIONAL STANDARD ITU-T RECOMMENDATIO

30、N INFORMATION TECHNOLOGY - OPEN SYSTEMS INTl3RCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: AUTHENTICATION FRAMEWORK 1 Scope The series of Recommendations I International Standards on Security Frameworks for Open Systems addresses the application of security services in an Open Systems environm

31、ent, where the term “Open Systems” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions betwee

32、n systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) which are used to obtain specific security services. These security services ma

33、y apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. This Recommendation I International Standard: - - - - - defines the basic concepts for authentication; identifies the possible classes of authentication mechanisms; defines

34、the services for these classes of authentication mechanism; identifies functional requirements for protocols to support these classes of authentication mechanism; and identifies general management requirements for authentication. A number of different types of standards can use this framework includ

35、ing: 1) 2) 3) 4) 5) standards that incorporate the concept of authentication; standards that provide an authentication service; standards that use an authentication service; standards that specify the means to provide authentication within an open system architecture; and standards that specify auth

36、entication mechanisms. Note that the service in 2), 3) and 4) might include authentication but may have a different primary purpose. These standards can use this framework as follows: * * * standard types 1,2), 3), 4) and 5) can use the terminology of this framework; standard types 2), 3), 4) and 5)

37、 can use the services defined in clause 7 of this framework; and standard types 5) can be based on the mechanisms defined in clause 8 of this framework. As with other security services, authentication can only be provided within the context of a defined security poIicy for a particular application.

38、The definitions of security policies are outside the scope of this ITU Recommendation I International Standard. The scope of this Recommendation I International Standard does not include specification of details of the protocol exchanges which need to be performed in order to achieve authentication.

39、 This Recommendation I International Standard does not specify particular mechanisms to support these authentication services. Other standards (such as ISO/IEC 9798) develop specific authentication methods in greater detail. Furthermore, examples of such methods are incorporated into other standards

40、 (such as ITU Rec. X.509 I ISO/IEC 9594-8) in order to address specific authentication requirements. ITU-T Rec. X.811(1995 E) 1 ISO/IEC 10181-2 : 1996 (E) Some of the procedures described in this framework achieve security by the application of cryptographic techniques. This framework is not depende

41、nt on the use of a particular cryptographic or other algorithm, although certain classes of authentication mechanisms may depend on particular algorithm properties, e.g. asymmetric properties. NOTE - Although IS0 does not standardize cryptographic algorithms, it does standardize the procedures used

42、to register them in ISOnEC 9979. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the editions indicated were v

43、alid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0

44、 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid Recommendations. 2.1 Identical Recommendations I International Standards - ITU-T Recommendation X.810) I ISO/TEC 10181-1: .l), Informution techn

45、ology - Security frameworks for open systems: Overview. 2.2 Paired Recommendations I International. Standards equivalent in technid content - CCITT Recommendation X.800: 1991, Security Architecture for Open System Interconnection for CCtiT applications. IS0 7498-2: 1989, Information processing syste

46、ms - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. 2.3 Additional references - ISO/IEC 9979: 199 1, Data cryptographic techniques - Procedures for the registration of Cryptographic algorithms. ISOAEC 101 16: 1991, Information technology - Modes of operation fo

47、r an n-bit block cipher algorithm. - 3 Definitions This Recommendation I International Standard makes use of the following general security-related terms defined in Rw. X.800 I IS0 7498-2: - audit; - audittrail; - authentication information; - confidentiality; - cryptography; - cryptographic checkva

48、lue; - data origin authentication; - data integrity; - decipherment; - digital signature; - encipherment; - key; I) Presently at the stage of draft. 2 ITU-T Rec. X.811(1995 E) ISO/IE.C 10181-2 : 1996 ) - key management; - masquerade; - password; - peer-entity authentication; - security policy. This

49、Recommendation I International Standard makes use of the following tern defined in ESOAEC 101 16: - block chaining This Recommendation I International Standard makes use of the following terms defined in ITU-T Rec. X.810 I ISOPIEC 10181-1: digital fingerprint; hash function; one-way function; private key; public key; seal; secret key; security authority; security certificate; security domain; security token; tms t; trusted third party. For the purposes of this Recommendation I International Standard, the following definitions apply: 3.1 is shared by both entities. asymmetric auth