ImageVerifierCode 换一换
格式:PDF , 页数:37 ,大小:471.79KB ,
资源ID:735731      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-735731.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ETSI TR 102 206-2003 Mobile Commerce (M-COMM) Mobile Signature Service Security Framework (V1 1 3)《移动商务(M-COMM) 移动签名业务 安全框架(版本1 1 3)》.pdf)为本站会员(postpastor181)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ETSI TR 102 206-2003 Mobile Commerce (M-COMM) Mobile Signature Service Security Framework (V1 1 3)《移动商务(M-COMM) 移动签名业务 安全框架(版本1 1 3)》.pdf

1、 ETSI TR 102 206 V1.1.3 (2003-08)Technical Report Mobile Commerce (M-COMM);Mobile Signature Service;Security FrameworkETSI ETSI TR 102 206 V1.1.3 (2003-08) 2 Reference DTR/M-COMM-005 Keywords commerce, electronic signature, M-commerce, mobile, security, service ETSI 650 Route des Lucioles F-06921 So

2、phia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org

3、The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI

4、printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.o

5、rg/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunic

6、ations Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI regist

7、ered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 206 V1.1.3 (2003-08) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 7 2 References 7 3 Definitions and abbreviations.8 3.1 Definitions8 3.2 Abbreviations .10 4 Introduction to mo

8、bile signature 11 4.1 Overview 11 4.1.1 Mobile signature .11 4.1.2 Using mobile signature .12 4.1.3 Mobile signature service.12 4.2 Notation13 4.3 XML Schema declaration.13 5 General security analysis14 5.1 Architecture14 5.3 European Directive for electronic signatures .14 5.3 Identification of a M

9、obile Signature Environment (MSE) .17 5.4 Operation of the MSA 18 6 Security requirements for a Mobile Signature Creation System (MSCS)21 6.1 Overall security requirements of the MSCS.22 6.1.1 Requirements of the DTBS.22 6.1.2 Trusted channel requirements .22 6.1.3 Requirements resulting from un-tru

10、sted processes and communication ports23 6.1.4 Input control23 6.2 Mobile Signature Creation Application (MSCA).23 6.2.1 Signers Document Presentation component (SDP)23 6.2.2 Signature Attribute Viewer (SAV) .24 6.2.3 Signer Interaction Component (SIC) 24 6.2.4 Signers Authentication Component (SAC)

11、 24 6.2.5 MSCD/MSCA Communicator (DAC)25 6.2.6 MSSP/MSCA Communicator (PAC) .25 6.3 Mobile Signature Service Provider (MSSP).25 6.3.1 Data To Be Signed Verifier (DTBSV)26 6.3.2 Data To Be Signed Formatter (DTBSF) .26 6.3.3 Data Hashing Component (DHC).27 6.3.4 Signed Data Object Composer (SDOC)27 6.

12、3.5 CSP Interaction Component (CSPC) 27 6.3.6 Signature Logging Component (SLC) 27 6.3.7 MSSP/MSCA Communicator (PAC) .27 6.3.8 MSSP/AP Communicator (MAC) 28 6.4 Mobile Signature Creation Device (MSCD) 28 6.4.1 Overall security requirements for the MSCD .28 6.4.2 User Authentication Component (UAC).

13、29 6.4.3 Signature Creation Component (SCC)29 7 Mobile signature profile .30 7.1 Rationales.30 7.2 Framework .30 7.3 XML Schema .32 7.3.1 URIs34 ETSI ETSI TR 102 206 V1.1.3 (2003-08) 4 7.3.1.1 MSCS34 7.3.1.2 MSCA .34 7.3.1.3 MSSP 34 7.3.1.4 MSCD .34 7.3.2 Example 1 .34 7.3.3 Example 2 .35 Annex A: B

14、ibliography36 History 37 ETSI ETSI TR 102 206 V1.1.3 (2003-08) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-mem

15、bers, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home

16、.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the

17、present document. Foreword This Technical Report (TR) has been produced by ETSI Project M-Commerce (M-COMM). Introduction Citizens around the world are making use increasingly of electronic communications facilities in their daily lives. This often involves interactions between parties who have neve

18、r previously met - or may never meet - and for whom no pre-established relationship exists. Consequently, communications networks of all kinds are being exploited in new ways to conduct business, to facilitate remote working and to create other virtual shared environments. Consumers, businesses and

19、government departments alike benefit in various ways. For the European Union (EU), electronic commerce presents an excellent opportunity to advance its programmes for economic integration. But, such an approach requires an appropriate security mechanism to allow completion of remote interactions bet

20、ween parties with confidence. To this end, the European Parliament and Council Directive on Electronic Signatures (1999/93/EC 12) was published on December 13th, 1999. The definition of electronic signature contained in article 2 of the directive facilitated the recognition of data in electronic for

21、m in the same manner as a hand-written signature satisfies those requirements for paper-based data. Since electronic signatures can only be as good as the technology and processes used to create them, “standardization“ activities such as those in Europe by ETSI and CEN within the EESSI framework aim

22、 to ensure that a common level of confidence and acceptance can be recognized. The result will be a powerful enabling facility for electronic commerce and, more generally, for completion of transactions of any kind. In the context of the EU Directive, the present document focuses on electronic signa

23、tures created by cryptographic means in a “secure signature creation device“. As at June 2003, security provisions for signature creation and verification systems are such that parties wishing to provide a signature require special equipment. Typically, this involves a smartcard and a card reader wi

24、th sufficient processing power and display capabilities to present full details of the transaction to be “signed“. For consumer markets, however, it is doubtful whether individual citizens will want to invest in such equipment, which for the most part may remain connected to (or inserted into) perso

25、nal computer equipment located in the home. An alternative approach is to capitalize on the fact that many citizens already possess a device which contains a smartcard and which itself is effectively a personal card reader- their mobile phone. In some European countries, mobile penetration rates are

26、 approaching 80 % of the population. As one of the most widely-owned electronic devices, the mobile phone represents the natural choice for implementation of a socially-inclusive, electronic signature solution for the majority of citizens. Electronic signatures created in this way have become known

27、as “Mobile Signatures“ and a number of initiatives are already underway to evaluate the feasibility of such an approach. Only a small number of these have so far been implemented commercially and none have yet been extended to a mass-market scale. Many of those engaged in such activity cite interope

28、rability issues as a restraining factor, requiring standardization to avoid market fragmentation. ETSI ETSI TR 102 206 V1.1.3 (2003-08) 6 The concept of a “Mobile Signature“ is attractive because it leverages existing commercial models, network infrastructure, mobile device technology (including the

29、 SIM-infrastructure) and customer relationships managed by GSM mobile network operators. This offers the prospect that the concept could be adopted by around one billion mobile phone users in 179 countries, world-wide. Extension of the concept to other mobile network technologies is also possible. A

30、doption of mobile signature might also assist in the fight against international crimes, such as money laundering. In this case, the opportunity provided by mobile signature to identify the citizens who are party to a transaction is attractive, subject to provisions concerning Data Protection, Priva

31、cy and Legal Interception (as applied to data services). Acceptance of the concept universally now requires “standardization“ of a common service methodology, where signature requests/responses can be issued/received in a standard format - irrespective of mobile device characteristics. To this end,

32、the European Commission allocated funds to ETSI to establish a Specialist Task Force (STF-221) to produce a set of deliverables on mobile signature service. It is envisaged that mobile signature services will play a pivotal role in reaching an appropriate level of confidence, acceptance and interope

33、rability to support implementation of the European Directive on Electronic Signature - particularly for consumer (mass) markets. The present document focuses on those technologies able to realize a mobile signature the equivalent of an “enhanced electronic signature“ as defined by the European Direc

34、tive. The mobile signature service is considered suitable for the administration and management of all aspects relating to: Advising and guiding citizens about the use of mobile signature. Acquiring mobile signature capability. Managing citizen identity (including data protection and individual priv

35、acy). Processing of signature requests from application providers (and providing responses). Maintaining signature transaction records for the citizen. Managing all aspects of signature lifecycle (e.g. validity, expiry). Supporting service administration and maintenance activities. The definition of

36、 the Mobile Signature Service comprises the following report and specifications: TR 102 203 18: “Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements“. TS 102 204 26: “Mobile Signature Service; Web Service Interface“. TR 102 206 (the present document): “Mobile Signature

37、Service; Security Framework“. TS 102 207 27: “Mobile Signature Service; Specifications for Roaming in Mobile Signature Services“. Together, the TR and the TSs allow the design and implementation of interoperable mobile signature solutions. ETSI ETSI TR 102 206 V1.1.3 (2003-08) 7 1 Scope The Mobile S

38、ignature Service is a service provided by a Mobile Signature Service Provider (MSSP) to a Signer and an Application Provider (AP). Because a Mobile Signature is a “universal method for using a mobile device to confirm the intention of a citizen to proceed with a transaction“ (see TR 102 203 18), the

39、 Mobile Signature Service becomes a crucial security element within the architecture of the Application Provider itself. In the case of transactions (e.g. financial) that rely on a Mobile Signature, the issue of liability may be raised. Both parties, i.e. the enduser and the Application Provider are

40、 willing to protect themselves from fraudulent behaviours between each other, or even from hackers, thanks to the Mobile Signature. Without a wide and common understanding of the security considerations for Mobile Signatures by all parties (e.g. the Signer, the Application Provider etc.), it will be

41、 quite difficult for MSSPs to build commercial agreements with those parties. In this respect, it is essential for all the stakeholders to identify the level of security, a MSSP may, should, or must provide. This is the purpose of the present document. The concept of Mobile Signatures has also to be

42、 linked with the current work of EESSI on electronic signatures taking into account the specificities of the mobile environment. TR 102 203 18 explain that a Mobile Signature is an electronic signature that goes mobile. The present document clarifies the meaning of this sentence in the context of th

43、e security requirements of the European Directive. 2 References For the purposes of this Technical Report (TR) the following references apply: 1 CWA 14167-1 (2001): “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements“.

44、 2 CWA 14167-2 (2002): “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2 Cryptographic Module for CSP Signing Operations - Protection Profile (MCSO-PP)“. 3 CWA 14169 (2002): “Secure Signature-Creation Devices, version EAL 4+“. 4 CWA 14170 (2001):

45、 “Security Requirements for Signature Creation Systems“. 5 CWA 14171 (2001): “Procedures for Electronic Signature Verification“. 6 CWA 14172-1 (2001): “EESSI Conformity Assessment Guidance - Part:1: General“. 7 CWA 14172-2 (2001): “EESSI Conformity Assessment Guidance - Part 2: Certification Authori

46、ty services and processes“. 8 CWA 14172-3 (2001): “EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures“. 9 CWA 14172-4 (2001): “EESSI Conformity Assessment Guidance - Part 4: Signature Creation Applications and Procedures for Electronic

47、Signature Verification“. 10 CWA 14172-5 (2001): “EESSI Conformity Assessment Guidance - Part 5: Secure signature creation devices“. 11 CWA 14355 (2002): “Guidelines for the implementation of Secure Signature-Creation Devices“. 12 Directive 1999/93/EC of the European Parliament and of the Council of

48、13 December 1999 on a Community framework for electronic signatures 13 RSA PKCS#1 (1999): “RSA Encryption Standard“. 14 RSA PKCS#7 (1993): “Cryptographic Message Syntax Standard“. 15 IETF RFC 2119: “Key words for use in RFCs to Indicate Requirement Levels“. ETSI ETSI TR 102 206 V1.1.3 (2003-08) 8 16

49、 IETF RFC 3275: “(Extensible Markup Language) XML-Signature Syntax and Processing“. 17 ETSI SR 002 176: “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures“. 18 ETSI TR 102 203: “Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements“. 19 ETSI TS 101 456: “Policy requirements for certification authorities issuing qualified certificates“. 20 ETSI TS 101 733: “Electronic Signatures and Infrastructures (ESI

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1