ITU-T X 830-1995 Information Technology - Open Systems Interconnection - Generic Upper Layers Security Overview Models and Notation - Data Networks and Open System Communications -.pdf

1、INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS SECURITY X.830 (04/95) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: OVERVIEW, MODELS AND NOTATION ITU-T Recommendation X.

2、830 (Previously “CCITT Recommendation“) ITU-T RECMN*Xm3O 95 U 4b259L Ob079bL 227 FOREWORD ITLJ (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU

3、. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets world telecommunications standards (Recommendations). The approval of Recommendations by the Members of ITU-T i

4、s covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period. In some are

5、as of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of ITU-T Recommendation X.830 was approved on the 10th of April 1995. The identical text is also published as ISO/IEC International Standard 11586-1

6、. NOTE In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1996 All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electro

7、nic or mechanical, including photocopying and microfilm, without permission in writing from the ITU. ITU-T RECMN*X.830 95 m 48bZ59L Ob07962 Lb3 m PUBLIC DATA NETWORKS Services and Facilities ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS (February 1994) ORGANIZATION OF X

8、-SERIES RECOMMENDATIONS X. 1 -X. 19 I Subject area I Recommendation Series I Interfaces Transmission, Signalling and Switching Network Aspects Maintenance Administrative Arrangements OPEN SYSTEMS INTERCONNECTION Model and Notation Service Definitions Connection-mode Protocol Specifications Connectio

9、nless-mode Protocol SDecifications X.20-X.49 X.50-X.89 X.90-X. 149 X.150-X.179 X. 180-X. 199 X.200-X.209 X.2 10-X.2 19 X.220-X.229 X.230-X.239 PICS Proformas X.240-X.259 Protocol Identification X.260-X.269 Security Protocols X.270-X.279 Layer Managed Objects X.280-X.289 Conformance Testing INTERWORK

10、ING BETWEEN NETWORKS X.290-X.299 General X.300-X.349 Mobile Data Transmission Systems Management X.350-X.369 X.370-X.399 w MESSAGE HANDLING SYSTEMS DIRECTORY X.400-X.499 X.500-X.599 OS1 APPLICATIONS OS1 NETWORKING AND SYSTEM ASPECTS Networking X .600-X. 649 Naming, Addressing and Registration Abstra

11、ct Syntax Notation One (ASN.l) X.650-X.679 X.680-X.699 OS1 MANAGEMENT SECURITY x.700-x.799 X.800-X.849 Commitment, Concurrency and Recovery Transaction Processing X.850-X.859 X.860-X.879 - Remote Operations OPEN DISTRDBUTED PROCESSING X.880-X.899 x.900-x.999 CONTENTS Summary . Introduction . Scope N

12、ormative references . 2.1 Identical Recommendations I International Standards 2.2 Paired Recommendations I International Standards equivalent in technical content Definitions Abbreviations General overview . Security exchanges . 6.1 Security exchange model : . 6.2 Notation for specifying security ex

13、changes Security transformations 7.1 Security transformation model 7.2 Notation for specifying security transformations Abstract syntax notation for selective field protection . 8.1 Basic notation 8.2 Notation with transformation qualifier 8.3 8.4 Notation for specifying protection mappings Conforma

14、nce Mapping protection requirements to security transformations . Annex A . ASN.l definitions . Annex B - Registration of security exchanges and security transformations . Annex C - Security exchange specifications Annex D - Security transformation specifications Annex E - Protection mapping specifi

15、cations . Annex F - Object identifier usage . Annex G - Guidelines for the use of generic upper layers security facilities . Annex H - Relationship to other standards . Annex I - Examples of use of the generic upper layers security facilities Annex J - Bibliography . ITU-T Rec . X.830 (1995 E) Page

16、11 ii 1 1 2 2 2 4 4 5 5 6 7 7 11 12 12 14 15 15 16 17 22 23 27 38 41 42 47 50 54 1 ITU-T RECMNtX*830 95 m 4862591 0607964 T3b m Summary This Recommendation belongs to a series of Recommendations which provide a set of facilities to aid the construction of OS1 Upper Layer protocols which support the

17、provision of security services. This Recommendation defines the following: a) b) general models of security exchange protocol functions and security transformations; a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification,

18、 and to support the specification of security exchanges and security transformations; a set of informative guidelines as to the application of the generic upper layer security facilities covered by this series of Recommendations. c) Introduction This Recommendation I International Standard forms par

19、t of a series of Recommendations I multi-part International Standards, which provide(s) a set of facilities to aid the construction of Upper Layers protocols which support the provision of security services. The parts are as follows: Part 1: Overview, Models and Notation; Part 2: Security Exchange S

20、ervice Element Service Definition; Part 3: Security Exchange Service Element Protocol Specification; Part 4: Protecting Transfer Syntax Specification; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. - - - - - - This Recommendation I Internat

21、ional Standard constitutes Part 1 of this series. For informative guidelines on the application of all facilities described in this series, see Annex G. It is important to note that these generic security facilities do not in themselves provide security services; they are simply construction tools f

22、or security-related protocols. Furthermore, these facilities do not necessarily provide a stand-alone solution to all security communications requirements of applications. Application standards may still need to incorporate security features within their specifications, to work in conjunction with g

23、eneric security services supported by the Generic Upper Layers Security facilities. ii ITU-T Rec. X.830 (1995 E) ITU-T RECMN*X.B30 95 LIB62591 0607965 972 ISOAEC 11586-1 : 1995 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYER

24、S SECURITY: OVERVIEW, MODELS AND NOTATION 1 Scope 1.1 provision of security services in OS1 applications. These include: This series of Recommendations I International Standards defines a set of generic facilities to assist in the a) a set of notational tools to support the specification of selectiv

25、e field protection requirements in an abstract syntax specification, and to support the specification of security exchanges and security transformations; a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security servi

26、ces within the Application Layer of OSI; a specification and PICS proforma for a security transfer syntax, associated with Presentation Layer support for security services in the Application Layer. b) c) 1.2 This Recommendation I International Standard defines the following: a) general models of sec

27、urity exchange protocol functions and security transformations, based on the concepts described in the OS1 Upper Layers Security Model (ITU-T Rec. X.803 I ISO/IEC 10745); a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specifica

28、tion, and to support the specification of security exchanges and security transformations; a set of informative guidelines as to the application of the generic upper layers security facilities covered by this series of Recommendations I International Standards. b) c) 1.3 This Recommendation I Intern

29、ational Standard does not define the following: a) a complete set of upper layer security facilities which may be required by other Recommendations I International Standards; b) c) 1.4 The security exchange model, and supporting notation, are intended both for use as the basis of defining the securi

30、ty exchange service element in subsequent parts of this series of Recommendations I International standards, and for use by any other ASE which may import security exchanges into its own specification. a complete set of security facilities for specific applications; the mechanisms employed to suppor

31、t security services. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the editions indicated were valid. All Re

32、commendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of EC and IS0 maintain reg

33、isters of currently valid International Standards. The Telecommunication Standardization Bureau of the maintains a list of currently valid ITU-T Recommendations. ITU-T Rec. X.830 (1995 E) 1 ITU-T RECMNxX.830 95 E 48b2593 06079bb 809 E ISO/IEC 11586-1 : 1995 (E) 2.1 Identical Recommendations I Intern

34、ational Standards - ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model. ITU-T Recommendation X.207 (1993) I ISO/IEC 9545:1994, Information technology - Open Systems Interconnection - Application Laye

35、r structure. ITU-T Recommendation X.214 (1993) I ISO/IEC 8072:1994, Information technology - Open Systems Interconnection - Transport service definition. ITU-T Recommendation X.216 (1994) I ISO/IEC 8822:1994, Information technology - Open Systems Interconnection - Presentation service definition. IT

36、U-T Recommendation X.217 (1995) I ISO/IEC 8649: .l), Information technology - Open Systems Interconnection - Service definition for the Association Control Service. ITU-T Recommendation X.226 (1994) I ISO/IEC 8823-1:1994, Information technology - Open Systems Interconnection - Connection-oriented pr

37、esentation protocol: Protocol specification. ITU-T Recommendation X.509 (1993) I ISO/IEC 9594-8: 1995, Information technology - Open Systems Interconnection - The Directory: Authentication framework. ITU-T Recommendation X.5 1 1 (1993) I ISO/IEC 9594-3: 1995, Information technology - Open Systems In

38、terconnection - The Directory: Abstract service definition. CCITT Recommendation X.660 (1992) I ISO/IEC 9834-1:1993, Information technology - Open Systems Interconnection - Procedures for the operation of OSI Registration Authorities: General procedures. ITU-T Recommendation X.680 (1994) I ISO/IEC 8

39、824-1: 1995, Information technology -Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T Recommendation X.681 (1994) I ISO/IEC 8824-2:1995, Information technology - Abstract Syntax Notation One (ASN. 1): Information object specification. ITU-T Recommendation X.682 (1994) I I

40、SO/IEC 8824-3: 1995, Information technology - Abstract Syntax Notation One (ASN. I): Constraint specification. ITU-T Recommendation X.683 (1994) I ISO/IEC 8824-4: 1995, Information technology - Abstract Syntax Notation One (ASN. I): Parameterization of ASN. 1 specifications. ITU-T Recommendation X.6

41、90 (1994) I ISO/IEC 8825-1:1995, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). ITU-T Recommendation X.803 (1994) I ISO/IEC 10745:1995, Information technology - Open Systems Interconne

42、ction - Upper layers security model. ITU-T Recommendation X.811 (1995) I ISO/IEC 10181-2:1995, Information technology - Open Systems Interconnection - Securio frameworks for open systems: Authentication framework. ITU-T Recommendation X.812l) I ISOAEC 10181-3: .l), Information technology - Open Syst

43、ems Interconnection - Security frameworks for open systems: Access control framework. - - - - - - - - - - - - - - - - 2.2 Paired Recommendations I International Standards equivalent in technical content - CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for C

44、CITT applications. IS0 7498-2: 1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. 3 Definitions 3.1 The following term is used as defined in ITU-T Rec. X.200 I ISO/IEC 7498-1: - transfer syntax. l) Presently at the stage of dr

45、aft. 2 ITU-T Rec. X.830 (1995 E) ITU-T RECMNUX.830 95 U 4862531 O607967 745 = ISO/IEC 11586-1 : 1995 (E) 3.2 The following terms are used as defined in CCIIT Rec. X.800 I IS0 7498-2: - access control; - confidentiality; - data origin authentication; - decipherment; - digital signature; - enciphermen

46、t; - integrity; - key; - key management; - selective field protection. The following terms are used as defined in ITU-T Rec. X.216 I ISO/IEC 8822: - abstract syntax; - presentation context; - presentation data value. The following terms are used as defined in ITU-T Rec. X.207 I ISO/IEC 9545: - appli

47、cation-association - application-context; - application-service-element (ASE); - application-service-object-association (ASO-association), The following terms are used as defined in ITU-T Rec. X.811 I ISOAEC 10181-2: - authentication exchange; - claimant; - entity authentication; - verifier. The fol

48、lowing term is used as defined in ITU-T Rec. X.812 I ISO/IEC 10181-3: - access control certificate. The following terms are used as defined in ITU-T Rec. X.803 I ISO/IEC 10745: - security association; - security communication function (SCF); - security exchange; - security exchange item; - security

49、exchange function; - security transformation; - system security object (SSO). 3.3 3.4 3.5 3.6 3.7 3.8 For the purposes of this Recommendation I International Standard, the following definitions apply: 3.8.1 presentation-context-bound security association: A security association which is established in conjunction with the establishment of a protecting presentation context, and which applies to all presentation data values sent in one direction in that protecting presentation context; attributes of the security association are indicated explicitly along with th