ITU-T X 815-1995 Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems Integrity Frameworks - Data Networks and Open System Communications Se.pdf

1、ITU-T RECMN*X.BL5 95 id62591 Ob33376 5TL INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS SECURITY X.815 (1 1 /95) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: INT

2、EGRITY FRAMEWORKS ITU-T Recommendation X.815 (Previously “CCIlT Recommendation”) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesFOREWORD ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field

3、of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets

4、world telecommunications standards (Recommendations). The approval of Recommendations by the Members of ITU-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, app

5、roves Recommendations submitted to it and establishes the study programme for the following period. In some areas of information technology which fail within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of ITU-T Recommendation X.815 was app

6、roved on 21st of November 1995. The identical text is also published as ISOAEC Intemational Standard 10181-6. NOTE In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1996 All rig

7、hts reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU. COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Informat

8、ion Handling ServicesITU-T RECMN*X.815 95 4862591 Ob33378 374 = _ PUBLIC DATA NETWORKS Services and Facilities ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS X. I-X. 19 (February 1994) - interfaces X.20-X.49 Transmission, Signalling and Switching X.50-X.89 ORGANIZATION O

9、F X-SERIES RECOMMENDATIONS Network Aspects Maintenance I Subject area I Recommendation Series I X.90-X.149 X.150-X.179 OPEN SYSTEMS INTERCONNECTION Model and Notation x.200-x.209 Service Definitions Connection-mode Protocol Specifications I X. 180-X. 199 I Administrative Arrangements I X.210-X.2 19

10、X.220-X.229 Connectionless-mode Protocol Specifications PICS Proformas X.230-X.239 X.240-X.259 Security Protocols Layer Managed Objects Conformance Testing INTERWORKING BETWEEN NETWORKS I Protocol Identification I X.260-X.269 I X.270-X.279 X.280-X.289 X.290-X.299 MESSAGE HANDLING SYSTEMS DIRECTORY I

11、 General I X.300-X.349 I X.400-X.499 x.500-x.599 I Mobile Data Transmission Systems OS1 NETWORKING AND SYSTEM ASPECTS Networking Naming, Addressing and Registration 1 X.350-X.369 X.600-X.649 X.650-X.679 I Management I X.370-X.399 I Abstract Syntax Notation One (ASN. i) OS1 MANAGEMENT X.680-X.699 X.7

12、00-X.799 SECURITY OS1 APPLICATIONS X.800-X.849 Transaction Processing Remote Operations I Commitment, Concurrency and Recovery I X.850-X.859 I _ X.860-X.879 X.880-X.899 I OPEN DISTRIBUTED PROCESSING I X.900-X.999 I COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by In

13、formation Handling ServicesITU-T RECflN*X*815 95 4862591 0613379 200 W 1 2 3 4 5 6 7 8 9 CONTENTS scope Normative references . 2.1 Identical Recommendations i International Standards 2.2 Paired Recommendations I International Standards equivalent in technical content 2.3 Additional References . Defi

14、nitions Abbreviations . General discussion of integrity . 5.1 Basic concepts . 5.2 Types of integrity services 5.3 Types of integrity mechanisms . 5.5 Types of integrity attacks Integrity policies . 6.1 Policy expression 6.1.1 Data characterization . 6.1.2 Entity characterization 6.1.2.1 Identity ba

15、sed policies . 6.1.2.2 Rule based policies . Integrity information and facilities . 7.1.1 Shield integrity information 7.1.2 7.1.3 Unshield integrity information 7.2 Integrity facilities 7.2.1 Operational related facilities . 7.2.2 Management related facilities . Classification of integrity mechanis

16、ms 8.1 8.1.1 Integrity provision through sealing . 8.1.2 Integrity provision through Digital Signatures . 8.1.3 Integrity provision through encipherment of redundant data Integrity provision through context 8.2.1 Data Replication 8.2.2 Pre-agreed context 8.3 Integrity provision through detection and

17、 acknowledgement . 8.4 Integnty provision through prevention . Interactions with other security services and mechanisms . 9.1 Access Control 9.2 Data origin authentication . 9.3 Confidentiality 5.4 Threats to integrity 7.1 Integrity information . Modification detection integrity information Integrit

18、y provision through cryptography . 8.2 Annex A . Integrity in the OS1 Basic Reference Model . Annex B - External Data Consistency Page 1 2 2 2 2 2 4 4 5 5 5 6 6 7 7 7 7 7 7 7 7 8 8 8 8 8 9 9 9 9 9 10 10 10 11 11 11 11 11 12 12 13 15 Annex C . Integrity Facilities Outline 17 ITU-T Rec . X.815 (1995 E

19、) 1 COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesITU-T RECNN*X-BLS 95 m 48b2591 Ob13380 T22 Summary This Recommendation I International Standard defines a general framework for the provision of integrity services. The property that d

20、ata has not been altered or destroyed in an unauthorized manner is called integrity. Introduction Many open systems applications have security requirements which depend upon the integrity of data. Such requirements may include the protection of data used in the provision of other security services s

21、uch as authentication, access control, confidentiality, audit and non-repudiation, that, if an attacker could modify them, could reduce or nullify the effectiveness of those services. The property that data has not been altered or destroyed in an unauthorized manner is called integrity. This Recomme

22、ndation I International Standard defines a general framework for the provision of integrity services. 11 ITU-T Rec. X.815 (1995 E) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesISO/IEC 10181-6 : 1996 (E) INTERNATIONAL STANDARD ITU-T R

23、ECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: INTEGRITY FRAMEWORK 1 Scope The Recommendation I International Standard on Security Frameworks for Open Systems addresses the application of security services in an Open Systems environment, w

24、here the term “Open System” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and 0%. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between system

25、s. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) which may be used to obtain specific security services. These security services may app

26、ly to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. This Recommendation I International Standard addresses the integrity of data in information retrieval, transfer, and management: 1) 2) 3) 4) 5) defines the basic concept of data

27、integrity; identifies possible classes of integrity mechanism; identifies facilities for each class of integrity mechanisms; identifies management required to support the class of integrity mechanism; addresses the interaction of integrity mechanism and the supporting services with other security se

28、rvices and mechanisms. A number of different types of standard can use this framework, including: 1) 2) 3) 4) 5) standards that incorporate the concept of integrity; standards that specify abstract services that include integrity; standards that specify uses of an integrity service; standards that s

29、pecify means of providing integrity within an open system architecture; and standards that specify integrity mechanisms. Such standards can use this framework as follows: - - - standards of type 1). 2), 3), 4) and 5) can use the terminology of this framework; standards of type 2), 3), 4) and 5) can

30、use the facilities identified in clause 7; standards of type 5) can be based upon the classes of mechanisms identified in clause 8. Some of the procedures described in this security framework achieve integrity by the application of cryptographic techniques. This framework is not dependent on the use

31、 of particular cryptographic or other algorithms, although certain classes of integrity mechanisms may depend on particular algorithm properties. NOTE - Although IS0 does not standardize cryptographic algorithms, it does standardize the procedures used to register them in ISOAEC 9979. The integrity

32、addressed by this Recommendation I International Standard is that defined by the constancy of a data value. This notion (constancy of a data value) encompasses all instances in which different representations of a data value are deemed equivalent (such as different ASN.l encodings of the same value)

33、 Other forms of invariance are excluded. The usage of the term data in this Recommendation I International Standard includes all types of data structures (such as sets or collections of data, sequences of data, file-systems and databases). ITU-T Rec. X.815 (1995 E) 1 COPYRIGHT International Telecom

34、munications Union/ITU TelecommunicationsLicensed by Information Handling Services ITU-T RECMN+X.BLS 95 m 4862593 Ob33382 8T5 m ISO/TEC 10181-6 : 1996 (E) This framework addresses the provision of integrity to data that are deemed to be wnte-accessible to potential attackers. Therefore, it focusses o

35、n the provision of integrity through mechanisms, both cryptographic and non-cryptographic that do not rely exclusively on regulating access. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provision

36、s of this Recommendation I International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility o

37、f applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical

38、 Recommendations I International Standards - ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-1: 1994, Information technology - Basic Reference Model: The Basic Model. IT-T Recommendation X.273 (1994) I ISOAEC 1 1577: 1995, Informution technology - Open Systems Interconnection - Network layer securi

39、ty protocol. - ITU-T Recommendation X.274 (1994) I ISOAEC 10736:1995, Information technology - Telecommunication and information exchange between systems - Transport layer security protocol. IT-T Recommendation X.810 (1995) I ISOAEC 10181-1:1996, Information technology - Open Systems Interconnection

40、 - Security frameworks for open systems: Overview. ITU-T Recommendation X.811 (1995) I ISO/IEC 10181-2:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework. IT-T Recommendation X.812 (1995) I ISOAEC 10181-3:1996, Information tec

41、hnology - Open Systems Interconnection - Security frameworks for open systems: Access control framework. - - - - 2.2 Paired Recommendations I International Standards equivalent in technical content - ITU-T Recommendation X.224 (1993), Protocol for providing the OSI connection-mode transport service.

42、 ISOAEC 8073: 1992, Information technology - Telecommunications and information exchange between systems - Open Systems Interconnection - Protocol for providing the connection-mode transport service. CCIT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCIT ap

43、plications. IS0 7498-2: 1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. - 2.3 Additional References - ISOAEC 9979: 1991, Data cryptographic techniques - Procedures for the registration of cryptographic algorithms. 3 Definit

44、ions For the purposes of this Recommendation I International Standard, the following definitions apply. 3.1 tion X.200 I ISOAEC 7498-1 and makes use of the following terms defined in it: This Recommendation I International Standard builds on concepts developed in ITU-T Recommenda- a) (N)-connection;

45、 b) (N)-entity; c) (N)-facility; 2 ITU-T Rec. X.815 (1995 E) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling Services ITU-T RECMNUX.815 95 m 48b259L 0613383 731 m ISO/IEC 10181-6 : 1996 (E) d) (N)-layer; e) (N)-SDU; f) (N)-service; g) (N)-user-

46、data. This Recommendation I International Standard builds on concepts developed in CCIT Recommenda- a) access control; b) connection integrity; c) data integrity; d) decipherment; e) decryption; f) digitai signature; g) encipherment; h) encryption; i) identity-based security policy; j) integrity; 3.

47、2 tion X.800 I IS0 7498-2 and makes use of the following terms defined in it: k) key; 1) routing control; m) rule-based security policy. NOTE - Where not otherwise qualified, the term “integrity” in this standard is taken to mean data integrity. This Recommendation I Intemational Standard makes use

48、of the following general security-related terms a) digital fingerprint; b) hash function; c) one-way function; d) private key; e) public key; f) seal; g) secret key; h) trusted third party. This Recommendation I International Standard builds on concepts developed in ITU-T Rec. X.811 I - time variant

49、 parameter. For the purpose of this Recommendation I International Standard, the following definitions apply: integrity-protected channel: A communications channel to which an integrity service has been applied. NOTE - Two forms of integrity services for communication channels are referred to in CCIT Rec. X.800 i IS0 7498-2. integrity-protected environment: An environment in which unauthorized data alterations (including creation 3.3 defined in -T Rec. X.810 I ISOAEC 10181-1: 3.4 ISO/IEC 10181-2 and makes use of the following terms defined in it: 3.5 3