
ETSI TS 118 103-2016 oneM2M Security solutions (V2 4 1 oneM2M TS-0003 version 2 4 1 Release 2).pdf

ETSI TS 118 103 V1.1.0 (2016-03)

oneM2M; Security solutions (oneM2M TS-0003 version 1.4.2 Release 1)

TECHNICAL SPECIFICATION

Reference: RTS/oneM2M-000003v110
Keywords: IoT, M2M, security

ETSI
650 Route des Lucioles, F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Conventions
5 Security Architecture
5.1 Overview
5.1.1 Introduction
5.1.1 Identification and Authentication
5.1.2 Authorization
5.1.3 Identity Management
5.2 Security Layers
5.2.1 Security Service Layer
5.2.2 Secure Environment Abstraction Layer
5.3 Integration within overall oneM2M architecture
6 Security Services and Interactions
6.1 Security Integration in oneM2M flow of events
6.1.1 Interactions between layers
6.1.2 High level sequence of events
6.1.2.1 Enrolment phase
6.1.2.2 Operational phase
6.1.2.2.1 M2M Service Access
6.1.2.2.2 Authorization to access M2M resources
6.2 Security Service Layer
6.2.1 Access Management
6.2.1.1 Authentication
6.2.2 Authorization Architecture
6.2.3 Security Administration
6.2.3.0 Introduction
6.2.3.1 Security Pre-Provisioning of SE
6.2.3.2 Remote security administration of SE
6.2.4 Identity Protection
6.2.5 Sensitive Data Handling
6.2.5.0 Introduction
6.2.5.1 Sensitive Functions
6.2.5.2 Secure Storage
6.2.6 Trust Enabler security functions
6.3 Secure Environment Abstraction Layer Components
6.3.1 Secure Environment
6.3.2 SE Plug-in
6.3.3 Secure Environment Abstraction
7 Authorization
7.1 Access Control Mechanism
7.1.1 General Description
7.1.2 Parameters of the Request message
7.1.3 Format of privileges and selfprivileges Attributes
7.1.4 Access Control Decision
7.1.5 Description of the Access Decision Algorithm
7.2 AE Impersonation Prevention
8 Security Frameworks
8.1 General Introductions to the Security Frameworks
8.1.0 General
8.1.1 General Introduction to the Symmetric Key Security Framework
8.1.2 General Introduction to the Certificate-Based Security Framework
8.1.2.0 Introduction
8.1.2.1 Public Key Certificate Flavours
8.1.2.2 Path Validation and Certificate Status Verification
8.1.2.3 Credential Configuration for Certificate-Based Security Framework
8.1.2.4 Information Needed for Certificate Authentication of another Entity
8.1.2.5 Certificate Verification
8.1.3 General Introduction to the GBA (Generic Bootstrapping Architecture) Framework
8.2 Security Association Establishment Frameworks
8.2.1 Overview on Security Association Establishment Frameworks
8.2.2 Detailed Security Association Establishment Frameworks
8.2.2.1 Provisioned Symmetric Key Security Association Establishment Frameworks
8.2.2.2 Certificate-Based Security Association Establishment Frameworks
8.2.2.3 MAF-Based Symmetric Key Security Association Establishment Frameworks
8.3 Remote Security Provisioning Frameworks
8.3.1 Overview on Remote Security Provisioning Frameworks
8.3.1.1 Purpose of Remote Security Provisioning Frameworks
8.3.1.2 Overview on Remote Security Provisioning Frameworks
8.3.2 Detailed Remote Security Provisioning Framework
8.3.2.1 Pre-Provisioned Symmetric Key Remote Security Provisioning Framework
8.3.2.2 Certificate-Based Remote Security Provisioning Framework
8.3.2.3 GBA-Based Remote Security Provisioning Framework
9 Security Framework Procedures and Parameters
9.0 Introduction
9.1 Security Association Establishment Framework Procedures and Parameters
9.1.1 Credential Configuration Parameters
9.1.1.0 Introduction
9.1.1.1 Credential Configuration of Entity A and Entity B
9.1.1.2 Credential Configuration of M2M Authentication Functions
9.1.2 Association Configuration Procedures and Parameters
9.1.2.0 Introduction
9.1.2.1 Association Configuration of Entity A and Entity B
9.1.2.1.1 Association Configuration of Entity A
9.1.2.1.2 Association Configuration of Entity B
9.1.2.2 Association Configuration of M2M Authentication Functions
9.2 Remote Security Provisioning Framework Procedures and Parameters
9.2.1 Bootstrap Credential Configuration Procedures and Parameters
9.2.1.0 Introduction
9.2.1.1 Bootstrap Credential Configuration of Enrolee
9.2.1.2 Bootstrap Credential Configuration of M2M Enrolment Functions
9.2.2 Bootstrap Instruction Configuration Procedures and Parameters
9.2.2.0 Introduction
9.2.2.1 Bootstrap Instruction Configuration of Enrolees
9.2.2.2 Void
9.2.2.3 Bootstrap Instruction Configuration of M2M Enrolment Functions
9.2.2.4 Bootstrap Instruction Configuration of UNSP Authentication Server
10 Protocol and Algorithm Details
10.1 Certificate-Based Security Framework Details
10.1.1 Certificate Profiles
10.1.1.0 General
10.1.1.1 Common Certificate Details
10.1.1.2 Raw Public Key Certificate Profile
10.1.1.3 Details Common to Certificates with Certificate Chains
10.1.1.4 Profile for Device Certificates and their Certificate Chains
10.1.1.4.1 Profile for Device Certificates
10.1.1.4.2 Profile for Certificate Authority Certificates for Device Certificates
10.1.1.5 Profile for AE-ID Certificates and their Certificate Chains
10.1.1.6 Profile for FQDN Certificates and their Certificate Chains
10.1.1.7 Profile for CSE-ID Certificates and their Certificate Chains
10.1.2 Public Key Identifiers
10.1.3 Support Requirements for each Public Key Certificate Flavour
10.2 TLS and DTLS Details
10.2.1 TLS and DTLS Versions
10.2.2 TLS and DTLS Ciphersuites for TLS-PSK-Based Security Frameworks
10.2.3 TLS and DTLS Ciphersuites for Certificate-Based Security Frameworks
10.3 Key Export and Key Derivation Details
10.3.1 TLS Key Export Details
10.3.2 Derivation of Master Credential from Enrolment Key
10.3.3 Derivation of Provisioned Secure Connection Key from Enrolment Key
10.3.4 Generating KeId
10.3.5 Generating KcId
10.4 Credential-ID Details
10.5 KpsaId
10.6 KmId Format
10.7 Enrolment Expiry
Annex A (informative): Mapping of 3GPP GBA terminology
Annex B (informative): General Mutual Authentication Mechanism
B.0 Introduction
B.1 Group Authentication
Annex C (normative): Security protocols associated to specific SE technologies
C.0 Introduction
C.1 UICC
C.2 Other secure element and embedded secure element with ISO/IEC 7816-4 interface
C.3 Trusted Execution Environment
C.4 SE to CSE binding
Annex D (normative): UICC security framework to support oneM2M Services
D.0 Introduction
D.1 Access Network UICC-based oneM2M Service Framework
D.1.1 Access Network UICC-based oneM2M Service Framework characteristics
D.1.2 M2M Service Framework discovery for Access Network UICC
D.1.3 Content of files at the DF1M2M level
D.1.3.0 Introduction
D.1.3.1 EF1M2MST (oneM2M Service Table)
D.1.3.2 EF1M2MSID (oneM2M Subscription Identifier)
D.1.3.3 EF1M2MSPID (oneM2M Service Provider Identifier)
D.1.3.4 EFM2MNID (M2M Node Identifier)
D.1.3.5 EFCSEID (local CSE Identifier)
D.1.3.6 EFM2MAE-ID (M2M Application Identifiers list)
D.1.3.7 EFINCSEIDS (M2M IN-CSE IDs list)
D.1.3.8 EFMAFFQDN (MAF-FQDN)
D.1.3.9 EFMEFID (M2M Enrolment Function Identifier)
D.2 oneM2M Service Module application for symmetric credentials on UICC (1M2MSM)
D.2.0 Introduction
D.2.1 oneM2M Service Module application file structure
D.2.1.0 Introduction
D.2.1.1 Content of UICC files at the Master File (MF) level
D.2.1.2 Content of files at the 1M2MSM ADF (Application DF) level
D.2.2 oneM2M Subscription related procedures for M2M Service
D.2.2.0 Introduction
D.2.2.1 Initialization - 1M2MSM Application selection
D.2.2.2 1M2MSM session termination
D.2.2.3 oneM2M Service discovery procedure
D.2.2.4 oneM2M Service provisioning procedures
D.2.2.5 oneM2M Application Identifiers provisioning procedure
D.2.2.6 oneM2M Secure provisioning related procedures
D.2.2.7 oneM2M Security Association related procedures
Annex E (informative): Precisions for the UICC framework to support M2M Services
E.0 Introduction
E.1 Suggested content of the EFs at pre-personalization
E.2 EF changes via Data Download or CAT applications
E.3 List of SFI values at the ADFM2MSM or DFM2M level
E.4 UICC related tags defined in annex J
Annex F (normative): Acquisition of Location Information for Location based Access Control
F.0 Introduction
F.1 Description of Region
F.1.1 Circular Description
F.1.2 Country Description
F.2 Acquisition of Location Information
F.2.0 Introduction
F.2.1 Circular Description
F.2.2 Country Description
Annex G (informative): Access Control Decision Request
Annex H (informative): Implementation Guidance and index of solutions
Annex I (informative): Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI Partnership Project oneM2M (oneM2M).

1 Scope

The present document defines security solutions applicable within the M2M system.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference/.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

[1] ETSI TS 118 101: "oneM2M; Functional Architecture (oneM2M TS-0001)".
[2] ETSI TS 118 111: "oneM2M; Common Terminology (oneM2M TS-0011)".
[3] Void.
[4] ETSI TS 118 104: "oneM2M; Service Layer Core Protocol Specification (oneM2M TS-0004)".
[5] IETF RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".
[6] IETF RFC 6347: "Datagram Transport Layer Security Version 1.2".
[7] ETSI TS 102 225 (V11.0.0): "Smart Cards; Secured packet structure for UICC based applications (Release 11)".
[8] ETSI TS 102 226 (V11.0.0): "Smart Cards; Remote APDU structure for UICC based applications (Release 11)".
[9] ETSI TS 131 115 (V10.1.1): "Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications (3GPP TS 31.115 version 10.1.1 Release 10)".
[10] ETSI TS 131 116 (V10.2.0): "Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Remote APDU Structure for (U)SIM Toolkit applications (3GPP TS 31.116 version 10.2.0 Release 10)".
[11] 3GPP2 C.S0078-0 (V1.0): "Secured packet structure for CDMA Card Application Toolkit (CCAT) applications".
[12] 3GPP2 C.S0079-0 (V1.0): "Remote APDU Structure for CDMA Card Applica
