ECMA 235-1996 The ECMA GSS-API Mechanism《ECMA GSS-API机制》.pdf

Standard ECMA-235
March 1996
Standardizing Information and Communication Systems
Phone: +41 22 849.60.00 - Fax: +41 22 849.60.01 - URL: http://www.ecma.ch - Internet: helpdesk@ecma.ch

The ECMA GSS-API Mechanism

Brief History

ECMA, ISO and ITU-T are working on standards for distributed applications in an open system environment. Security in general and authentication and distributed access control in particular are major concerns in information processing.

In July 1988, ECMA TR/46, "Security in Open Systems - A Security Framework", was published. In December 1989, based on the concepts of this framework, ECMA-138, "Security in Open Systems - Data Elements and Service Definitions", was produced. It defines a set of Security Services for use in the Application Layer of the ISO OSI Reference Model.

In December 1994, the first edition of Standard ECMA-219 was published. Based on this earlier work, it describes a model for distributed authentication and access control in which a trusted third party, the Authentication and Privilege Attribute Application (APA-Application) and related key distribution functions are used to authenticate human and software entities, provide them with the privileges they need for access control purposes and provide the means of protection of these privileges in interchange.

Over this period also, the Internet Engineering Task Force (IETF) and other de facto and de jure standards organisations have been developing a standard general interface through which a security infrastructure such as that described in ECMA-219 can be exercised by application clients and servers. It has been designed so that callers do not need to know the details of the underlying infrastructure, or even whether it is provided by ECMA-219 services or other infrastructure designs. This interface is the Generic Security Services Application Programming Interface, or GSS-API (GSS-API).

This ECMA standard follows on from ECMA-219, showing how the security services described there can be used underneath the GSS-API by application clients and servers. It describes the interface calls supported, the success and error responses that can be returned, and the format and content of the data tokens exchanged between the client and the server.

In order to implement Privilege Attribute based access control features for distributed open applications using the GSS-API, this Standard also defines support functions that have to be used in addition to the standard GSS-API function set.

KRB5GSS and SPKM also define ways of supporting the GSS-API, and some of the data constructs defined there are also used here.

The Standard is based on the practical experience of ECMA member Companies. It is oriented towards urgent and well understood needs.

This ECMA Standard has been adopted by the ECMA General Assembly in March 1996.

Table of contents

1 Introduction 1
1.1 Scope 1
1.2 Field of application 1
1.3 Requirements to be satisfied 1
1.4 Conformance 1
1.5 Overview and document structure 2
2 References 2
2.1 Normative references 2
2.2 Informative references 3
3 Definitions 3
3.1 Imported definitions 3
3.2 New Definitions 3
3.2.1 Security Context 3
3.2.2 Generic Security Mechanism 3
3.2.3 Security Mechanism Options 4
3.2.4 Primary Principal Identifier (PPID) 4
3.3 Acronyms 4
4 Token formats 4
4.1 Token framings 4
4.2 InitialContextToken format 5
4.3 TargetResultToken 8
4.4 ErrorToken 8
4.5 Per Message Tokens 9
4.5.1 MICToken 10
4.5.2 WrapToken 11
4.6 ContextDeleteToken 11
5 Key distribution and PAC protection options 12
5.1 PAC protection options 12
5.2 Key Distribution schemes 12
5.2.1 Basic symmetric key distribution scheme 12
5.2.2 Symmetric key distribution scheme with symmetric KD-Servers 12
5.2.3 Symmetric key distribution scheme with asymmetric KD-Servers 12
5.2.4 Asymmetric initiator / symmetric target key distribution scheme 13
5.2.5 Symmetric initiator / asymmetric target key distribution scheme 13
5.2.6 Full public key distribution scheme 13
5.3 Key distribution data elements 13
5.3.1 KD-Scheme independent data elements 13
5.3.2 Key distribution scheme OBJECT IDENTIFIERs 14
5.3.3 Hybrid inter-domain key distribution scheme data elements 15
5.3.4 Key establishment data elements 16
5.3.5 Kerberos Data elements 17
5.3.6 Profiling of KD-schemes 17
5.3.6.1 Profile of Ticket (symmIntradomain and symmInterdomain) 18
5.3.6.2 Profile of PublicTicket (hybridInterdomain) 19
5.3.6.3 Profile of SPKM_REQ (asymmInitToSymmTarget, symmInitToAsymmTarget, asymmetric) 20
5.4 Returned Key Scheme Information 20
6 Algorithm use within ECMA mechanism 21
7 Identifiers for ECMA mechanism choices 23
7.1 Architectural mechanism identifiers 23
8 Errors 24
8.1 Minor Status Codes 24
8.1.1 Non ECMA-specific codes 24
8.1.2 ECMA-specific codes 25
8.2 Quality of protection 27
9 Support functions 27
9.1 Attribute handling support functions 27
9.1.1 GSS_Set_cred_attributes 28
9.1.2 GSS_Get_sec_attributes 29
9.1.3 GSS_Get_received_creds 30
9.2 Control and support functions for context acceptors 30
9.2.1 GSS_Set_cred_controls call 32
9.2.2 GSS_Get_sec_controls 32
9.2.3 GSS_Compound_creds call 33
9.3 Attribute specifications 34
9.3.1 Privilege attributes 34
9.3.1.1 Access Identity 34
9.3.1.2 Group 34
9.3.1.3 Primary group 34
9.3.1.4 Role attribute 34
9.3.2 Attribute set reference 35
9.3.2.1 Role name 35
9.3.3 Miscellaneous attributes 35
9.3.3.1 Audit Identity 35
9.3.3.2 Issuer domain name 35
9.3.3.3 Validity periods 35
9.3.3.4 Optional restrictions 35
9.3.3.5 Mandatory restrictions 35
9.3.4 Qualifier attributes 36
9.3.4.1 Acceptor name 36
9.3.4.2 Application trust group 36
9.4 C Bindings 36
9.4.1 Data types and calling conventions 36
9.4.1.1 Identifier 36
9.4.1.2 Identifier set 37
9.4.1.3 Time periods 37
9.4.1.4 Time period list 37
9.4.1.5 Security attributes 38
9.4.1.6 Security Attribute Sets 38
9.4.1.7 Credentials List 38
9.4.1.8 Acceptor Control 38
9.4.1.9 Acceptor Control Set 39
9.4.2 gss_set_cred_attributes 39
9.4.3 gss_get_sec_attributes 39
9.4.4 gss_get_received_creds 39
9.4.5 gss_set_cred_controls 39
9.4.6 gss_get_sec_controls 40
9.4.7 gss_compound_cred 40
10 Relationship to other standards 40
Annex A - Formal ASN.1 definitions of data types defined in this standard 43
Annex B - Definitions of Kerberos data types 51
Annex C - Definitions of SPKM data types 55
Annex D - Mappings of Minor Status Returns onto ECMA-219 error values 61
Annex E - Imported Types 63

1 Introduction

1.1 Scope

Standard ECMA-219 defines services, data elements and operations for authentication, Privilege Attribute and key distribution applications (the APA-Application).

Following on from ECMA-219, this Standard ECMA-235 defines the syntax of the tokens that enable distributed applications implementing the APA-Application and related data elements specified in Standard ECMA-219 to interwork. The tokens defined in this Standard are:

- Tokens for Security Association establishment
- An error token for communicating a failure to establish a Security Association
- Tokens for message protection
- A token for Security Association deletion

In order to provide a basic set of implementation options, this Standard also defines some key distribution schemes based on symmetric and asymmetric cryptographic technologies. These include specification of the encryption algorithms and methods to be used.

The tokens are intended for use through the Generic Security Service API (GSS-API) as defined in GSS-API. This Standard defines minor status returns that are returned by the GSS-API when a GSS-API conformant implementation is used to generate and validate the tokens.

In order to implement Privilege Attribute based access control features for distributed open applications using the GSS-API, this Standard also defines support functions that have to be used in addition to the standard GSS-API function set.

1.2 Field of application

The field of application of this ECMA Standard is the design, implementation and interworking of security modules that make use of the APA-Application as defined in ECMA-219. They define an implementation of the "ECMA GSS-API mechanism".

1.3 Requirements to be satisfied

Requirements for secure distributed environments have led to specifications of security services such as ECMA-219, Kerberos and SPKM. Each of these defines what is known in GSS-API as a "security mechanism".

The ECMA-219 mechanism defines security services and data elements required to secure distributed applications. However, in order to achieve interworking between normal application servers using these security services, the syntax of the security tokens to be exchanged between the application servers themselves needs to be defined.

GSS-API specifies an interface that is independent of the underlying supporting security mechanism, but through which mechanism-specific security tokens can be exchanged. The GSS-API is intended to be used by implementors of distributed secured applications.

The GSS-API provides functions to implement identity based access control policies, but it does not provide support functions to handle in a generic way Privilege Attributes for access control purposes. Neither does it provide for the control of delegation. This standard therefore specifies such support functions.

1.4 Conformance

There are a number of types of conformance to this Standard as follows:

Type 1 Support functions conformance
The implementation shall be conformant to GSS-API, with the addition of the ECMA mechanism support functions defined in clause 9. Any minor status returns must be from the set defined in clause 8. This type of conformance is in support of application portability, and does not demand that the underlying GSS-API mechanism is the ECMA one.

Type 2 Security Association level context token conformance
The implementation shall support at least one mechanism option of the ECMA mechanism Security Association establishment, deletion, and error tokens defined in clauses 4.1 to 4.4 and 4.6. Any minor status returns must be from the set defined in clause 8. This type of conformance is in support of interoperability, and does not require support for the GSS-API.

Type 3 Message level token conformance
The implementation shall be Type 2 conformant, and also provide an implementation of the ECMA mechanism message protection tokens defined in clause 4.5. Any minor status returns must be from the set defined in clause 8.

Type 4 Full ECMA GSS-API mechanism conformance
This is achieved if both Type 1 and Type 3 conformance are achieved.

1.5 Overview and document structure

The standard described in ECMA-219 defines specific service interfaces to security services supporting the provision of authentication, key establishment, data integrity, data confidentiality and access control information.

Although the scope of that standard does not encompass the specification of how to establish Security Associations with productive application servers, it does assume and describe a model for these exchanges. The combined model and standard is defined as the ECMA mechanism. This document describes how the generic ECMA mechanism is to be exercised through the GSS-API to form the ECMA GSS-API Mechanism. Contents of specific clauses are:

Clauses 2 and 3: These contain the usual references and definitions respectively.
Clause 4: Describes the token formats exchanged between GSS-API peers using the ECMA GSS-API mechanism.
Clause 5: Defines specific key distribution schemes within the framework laid down in ECMA-219. It gives detailed syntax and semantics for these schemes.
Clause 6: Describes the use of cryptographic algorithms in the ECMA GSS-API mechanism.
Clause 7: Describes the ways in which OBJECT IDENTIFIERS are used to nominate particular specific ECMA GSS-API mechanism types, including the choice of cryptographic algorithms themselves.
Clause 8: Describes the GSS-API minor status codes that can be returned by the ECMA GSS-API mechanism. See also annex E.
Clause 9: Defines additional GSS-API support functions needed to enable PAC attribute and control information to be set and exploited by GSS-API callers. It also defines some specific attribute types.
Clause 10: Explains the relationship between this standard and other standards.
Annex A: Contains normative formal ASN.1 definitions of ASN.1 defined in this standard.
Annex B: Contains normative formal ASN.1 definitions of ASN.1 also used in SPKM.
Annex C: Contains normative formal ASN.1 definitions of ASN.1 also used in Kerberos.
Annex D: Maps the minor status codes given in clause 8 onto the relevant error values defined in ECMA-219.
Annex E: Expands the imported ASN.1 constructs (for information purposes).

2 References

2.1 Normative references

ECMA-219: ECMA-219, Authentication and Privilege Attribute Application with related key distribution functions
GSS-API: 1. Internet RFC 1508, Generic Security Service API (J. Linn, September 1993); 2. X/Open P308, Generic Security Service API (GSS-API) Base; 3. Internet RFC 1509, "Generic Security Service API: C-Bindings"
Kerberos: Internet RFC 1510, The Kerberos Network Authentication Service (V5) (J. Kohl and C. Neuman, September 1993)
ISO 10745: ISO 10745, Upper Layers Security Model
ISO/IEC 9594-2: ISO/IEC 9594-2, Information Processing Systems - Open Systems Interconnection - The Directory - Part 2: Information Framework (X.501)
ISO/IEC 9594-8: ISO/IEC 9594-8, Information Processing Systems - Open Systems Interconnection - The Directory - Part 8: Authentication Framework (X.509)

2.2 Informative references

KERB5GSS: draft-ietf-cat-kerb5gss-03, The Kerberos Version 5 GSS-API Mechanism (J. Linn, September 1995)
SPKM: draft-ietf-cat-spkmgss-04, The Simple Public-Key GSS-API Mechanism (C. Adams, May 1995)
SNEGO: draft-ietf-cat-snego-00, Simple GSS-API Negotiation Mechanism (Eric Baize and Denis Pinkas, July 1995)

3 Definitions

3.1 Imported definitions

The following terms are used with the meaning defined in ECMA-219:
access identity
attribute set reference
Audit Identity
basic key
delegate
dialogue key
External Control Value
Privilege Attribute Certificate
target
Target AEF
target key block

The following terms are used with the meaning defined in GSS-API:
acceptor
initiator
channel bindings
context acceptor
context initiator
credentials
GSS-API token
mechanism type
quality of protection

The following terms are used with the meaning defined in ISO 10745:
Security Association

3.2 New Definitions

3.2.1 Security Context
Security information that represents, or will represent, a Security Association to an initiator or acceptor that has formed, or is attempting to form, such an association.

3.2.2 Generic Security Mechanism
A generic security mechanism identifies a class of support functions, data structures and protocols from which specific security mechanism options can be derived.

3.2.3 Security Mechanism Options
A security mechanism option identifies, for a generic security mechanism, a specific choice of sup
