CAN CSA-ISO IEC 11586-2-2000 Information technology - Open Systems interconnection - Generic upper layers security Security Exchange Service Element (SESE) service definition.pdf

1、National Standard of Canada CAN/CSA-ISO/IEC 11586-2-00 (ISO/IEC 11586-2:1996) CSA INTERNATIONAL International Standard ISO/IEC 11586-2:1996 (first edition, 1996-06-01) has been adopted without modification as CSA Standard CAN/CSA-ISO/IEC 11586-2-00, which has been approved as a National Standard of

2、Canada by the Standards Council of Canada. r ISBN 1-55324-007-3 March 2000 Information technology - Open Systems interconnection - Generic upper layers security: Security Exchange Service Element (SESE) service definition Technologies de lin formation - lnterconnexion de s ystemes ouverts (OS11 - S

3、this remains the continuing responsibility of the accredited standards-development organization. Those who have a need to apply standards are encouraged to use National Standards of Canada whenever practicable. These standards are subject to periodic review; therefore, users are cautioned to obtain

4、the latest edition from the organization preparing the standard. The responsibility for approving National Standards of Canada rests with the Standards Council of Canada 45 OConnor Street, Suite 1200 Ottawa, Ontario, K1 P 6N7 Canada A National Standard of Canada is a standard which CSA INTERNATIONAL

5、 c . Les normes nationales du Canada sont publi6es en versions frangaise et anglaise. Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose. lnfo

6、rmation technology - Open Systems Interconnection - Generic upper layers security: Security Exchange Service Element (SESE) service definition CAN/CSA-ISO/IEC I 7 586-2-00 CAN/CSA-ISO/IEC 1 1586-2-00 Information technology - Open Systems Interconnection - Gene Part 2: Security Exchange Service Eleme

7、nt Service Definition; Part 3: Security Exchange Service Element Protocol Specification; Part 4: Protecting Transfer Syntax Specification; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. - - - - - - This Recommendation I International Standa

8、rd constitutes Part 2 of this series. iV ISO/IEC 11586-2 : 1996 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: SECURITY EXCHANGE SERVICE ELEMENT (SESE) SERVICE DEFINITION 1 Scope 1.1 provision of security service

9、s in application Iayer protocols. These include: This series of Recommendations 1 International Standards defines a set of generic facilities to assist in the a) a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and

10、 to support the specification of security exchanges and security transformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security services within the Application Layer; a specification and PICS proforma f

11、or a security transfer syntax, associated with Presentation Layer support for security services in the Application Layer. c) 1.2 This Recommendation I InternationaI Standard defines the service provided by the Security Exchange Service Element (SESE). The SESE is an ASE which allows the communicatio

12、n of security information to support the provision of security services within the Application Layer. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I Internationa

13、l Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of t

14、he Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a Iist of currently valid ITU-T Recommendations. 2.1 Identical Recommendations I International Standa

15、rds - ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-1 : 1994, Znforrnation technology - Open Systems Interconnection - Basic Reference Model: The Basic Model. - ITU-T Recommendation X.803 (1994) I ISO/IEC 10745: 1995, Information technology - Open Systems Interconnection - Upper layers security m

16、odel. 3 Definitions The following terms are used as defined in ITU-T Rec. X.803 I ISO/IEC 10745: - security exchange; - security exchange item. ITU-T Rec. X.831(1995 E) 1 ISO/IEC 11586-2 : 1996 (E) 4 Abbreviations For the purposes of this Recommendation I International Standard, the following abbrev

17、iations apply: ASE Application Service Element OS1 Open Systems Interconnection PICS Protocol Implementation Conformance Statement SEI Security Exchange Item 5 Conventions Clause 7 employs a tabular presentation of the SESE service primitive parameters. Each parameter is summarized using the followi

18、ng notation: M 0 U C (= Presence of the parameter is mandatory Presence of the parameter is an SESE protocol machine option Presence of the parameter is an SESE service user option Presence of the parameter is conditional The value of this parameter is identical to the value of the corresponding par

19、ameter of the preceding SESE service primitive. 6 Service overview The security exchange service element provides for the communication of information associated with any security exchange, as described in Part 1. This service is typically used for the transfer of authentication, access control, non

20、-repudiation or security management information. 6.1 Specific service facilities The following service facilities are defined: a) SE-TRANSFER; b) SE-U-ABORT; c) SE-P-ABORT. The SE-TRANSFER service facility is used to initiate a security exchange of a certain type, transfer the first security- exchan

21、ge-item (SEI), as well as transfer the other SEIs of a security exchange. It is the only service facility required in completing a security exchange. The SE-U-ABORT service facility is used by the SESE service user to indicate that an error has occurred. This service is used to abnormally terminate

22、a security exchange in progress. Optionally, this service may also abnormally terminate the ASO-association. The SE-P-ABORT service facility is used by the SESE service provider to indicate that an error has occurred. This service is used to abnormally terminate a security exchange in progress. Opti

23、onally, this service may also abnormally terminate the ASO-association. 6.2 Procedural model for SE-TRANSFER service facility Part 1 of this Recornmendation I International Standard defines the following procedural model for security exchanges: An initial Security Exchange Item (SEI) is transferred

24、from A to B. This is optionally followed by one or more transfers of SEIs between A and B, according to the specific security exchange identified in the SE-TRANSFER. The sequence may be terminated upon receipt of any SEI, by generation of an error indication by either service user or service provide

25、r. The time-sequence diagram shown below is an example illustrating the special case of a sequence of SEI transfers in alternate directions for an n-way security exchange. (This is an example of the “Alternating” class of exchange defined in 6.1 of ITU-T Rec. X.830 I ISOAEC 11586-1.) 2 ITU-T Rec. X.

26、831(1995 E) ISOAEC 11586-2 : 1996 (E) 7 SE-TRANSFER indication SE-TRANSFER request - SE-TRANSFER indication Service definition The SESE service primitives are of the following types: SE-TRANSFER Non-confirmed SE-W-ABORT Non-confirmed SE-P-AB ORT Provider-initiated 7.1 Parameters of service primitive

27、s Following are descriptions of the service primitives parameters. 7.1.1 Security exchange identifier This parameter identifies the particuIar type of security exchange being initiated. The identifier is established when the security exchange is defined, using the SECURITY-EXCHANGE information objec

28、t class defined in Part 1. 7.1.2 Invocation identifier This parameter identifies a particular security exchange invocation. It is used for subsequently referring to that invocation for correlation purposes, in a SE-TRANSFER, SE-U-ABORT, or SE-P-ABORT primitives. Invocation identifiers are especially

29、 useful in handling multiple security exchange invocations within the context of, for example, an application association. Invocation identifiers are provided by the users of services which initiate security exchanges, and it is the responsibility of such users to ensure that these identifiers are u

30、nambiguous within the scope of all active security exchange invocations. 7.1.3 Security exchange item The item to be conveyed, as implied by the security exchange identifier. 7.1.4 Item identifier In a SE-TRANSFER primitive, this parameter indicates which item of the security exchange this primitive

31、 is conveying. In a SE-U-ABORT or SE-P-ABORT primitive, this parameter indicates the item of a security exchange on which an error condition has been detected. The specification of a security exchange may place specific constraints on the use of the “item identifier”. It is the responsibility of the

32、 SESE user to ensure that these constraints are met. 7.1.5 Start flag In a SE-TRANSFER primitive, this parameter is used to indicate the transfer of the first security-exchange-item of a security exchange. 7.1.6 End flag In a SE-TRANSFER primitive, this parameter is used to indicate that this securi

33、ty exchange item corresponds to the last security exchange required to satisfy the security mechanism. It is needed to accommodate those mechanisms requiring n exchanges, where n is not known a priori. ITU-T Rec. X.831(1995 E) 3 ISO/IEC 11586-2 : 1996 (E) 7.1.7 Error list This parameter is one or mo

34、re lists of error codes with optional error parameters. The error code indicates the cause of a SE-U-ABORT being generated. Error codes are established when a security exchange is defined, using the SE-ERROR information object class defined in Part 1. The optional error parameters provide additional

35、 information describing the cause of an abort. 7.1.8 Problem code This parameter indicates the cause of an SE-P-ABORT being generated. The set of possible values is specified in clause 6 of Part 3. 7.1.9 Fatality indicator In a SE-U-ABORT request primitive, this parameter is used to indicate to the

36、SESE service provider whether or not the ASO-association (e.g. application association) must be terminated. In a SE-U-ABORT indication and SE-P-mORT indication primitives, this parameter is used to indicate to the SESE service user whether or not the ASO-association (e.g. application association) mu

37、st be terminated. 7.2 Service primitives The parameters of the SESE service primitives are provided below. (Refer to 6.1 for a definition of the SESE services, and to 7.1 for a description of the specific parameters.) 7.2.1 SE-TRANSFER service The parameters of the SE-TRANSFER service are as follows

38、: Parameter Name Req Pnd Security exchange identifier M M(=? Invocation identifier U Ct=? Security exchange item M Mt=) Item identifier U C(= Start flag U C(= End flag U C(= 7.2.2 SE-U-ABORT service The parameters of the SE-U-ABORT service are as follows: Parameter Name Req ind Invocation identifier

39、 U C(= Item identifier U C(=) Error list U ct= Fatality Indicator U C(=? 7.2.3 SE-P-ABORT service The parameters of the SE-P-ABORT service are as follows: Parameter Name ind Invocation identifier 0 Item identifier 0 Problem code M Fatality Indicator 0 8 Sequencing information The only sequencing con

40、straint stipulated in this Service definition is that the invocation of SE-TRANSFER primitives with the same invocation identifier must be consistent with 7.1.2. 4 ITU-T Rec. X.831(1995 E) Proposition de modi#?cation Nhesitez pas 2 nous faire part de vos suggestions et de vos commentaires. PriPre du

41、tiliser le formulaire qui suit pour formuler Ies propositions de modification aux normes CSA et autres publications CSA. II est recommand6 dinclure le num6ro de la norme/publication le numero de Iarticle, du tableau ou de la figure vis6 la formulation proposee la raison de cette modification. Propos

42、al for chunge CSA welcomes your suggestions and comments. Please use the following form to submit your proposals for changes to CSA Standards and other CSA publications. Be sure to include the Standard/publication number relevant Clause, Table, and/or Figure n u m ber (s) wording of the proposed cha

43、nge rationale for the change. Nom/Name: Affiliation: Adresse/Addrers: Vi I I e/ C i ty : Etat/Province/State: Pays/Cou n try: Tbli$hone/Telephone: T6lkopieu r/Fax: Date: Proposition de modificatiom/Proposed change: Code postal/fostal/Zip code: (Si Iespace est insuffisani, utiliser le verso et des fe

44、uilies volantes/Use reverse and additional pages as required.) ISO/IEC 11586-2:1996(E) ISO/IEC ICs 35.100 Descriptors: data processing, information interchange, network Interconnection, open systems Interconnection applicatton layer communication procedure, securlty techniques, services ISBN 1-55324-007-3