ITU-T X 831-1995 Information Technology - Open Systems Interconnection - Generic Upper Layers Security Security Exchange Service Element (SESE) Service Definition - Data Networks ap《信.pdf

1、ITU-T RECMN*X*831 95 4862.593 Ob08020 4b3 INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS SEC U RITY X.831 (04/95) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: SECURITY

2、EXCHANGE SERVICE ELEMENT (SESE) SERVICE DEFINITION ITU-T Recommendation X.831 (Previously “CCITT Recommendation”) - ITU-T RECNN*X.33 95 U 4862593 0608023 3TT FOREWORD ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Tele

3、communication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets world telecommunications standards

4、(Recommendations). The approval of Recommendations by the Members of ITU-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to

5、it and establishes the study programme for the following period. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of IT-T Recommendation X.831 was approved on the 10th of April 1995. The

6、 identical text is also published as ISOAEC International Standard 11586-2. NOTE In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1996 All rights reserved. No part of this publ

7、ication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU. ITU-T RECMN*X=83L 75 6 48b257L Ob08022 236 6 PUBLIC DATA NETWORKS Services and Facilities ITU-T X-SERIES RECOMMENDATIONS DATA

8、 NETWORKS AND OPEN SYSTEM COMMUNICATIONS (February 1994) ORGANIZATION OF X-SERIES RECOMMENDATIONS X.1-X.19 I Subject area I Recommendation Series I Interfaces Transmission, Signalling and Switching Network Aspects X.20-X.49 X.50-X. 89 X.90-X. 149 Maintenance Administrative Arrangements X.150-X.179 X

9、. 180-X. 199 OPEN SYSTEMS INTERCONNECTION Model and Notation I Service Definitions I X.210-X.219 I X.200-X.209 Connection-mode Protocol Specifications I PICS Proformas I X.240-X.259 I X.220-X.229 Protocol Identification Security Protocols X.260-X.269 X.270-X.279 I General I x.300-x.349 I Layer Manag

10、ed Objects Conformance Testing INTERWORKING BETWEEN NETWORKS I Mobile Data Transmission Systems I X.350-X.369 I X.280-X.289 X.290-X.299 Management MESSAGE HANDLING SYSTEMS X.370-X.399 X.400-X.499 I OS1 NETWORKING AND SYSTEM ASPECTS I I DIRECTORY x.500-x.599 Networking Naming, Addressing and Registra

11、tion X.600-X.649 X.650-X.679 Abstract Syntax Notation One (ASN. 1) OS1 MANAGEMENT SECURITY X .6 80-X. 699 X.700-X.799 X. 800-X. 849 OS1 APPLICATIONS Commitment, Concurrency and Recovery Transaction Processing X.850-X.859 X.860-X. 879 Remote Operations OPEN DISTRIBUTED PROCESSING X.880-X.899 X.900-X.

12、999 CONTENTS Summary . Introduction . Scope Normative references . 2.1 Identical Recommendations I International Standards Definitions Abbreviations . Conventions Service overview 6.1 Specific service facilities 6.2 Procedural model for SE-TRANSFER service facility . Service definition . 7.1 7.2 Ser

13、vice primitives . Sequencing information . Parameters of service primitives . ITU-T RW . X.831(1995 E) Page ii 11 1 1 1 1 2 2 2 2 2 3 3 4 4 i ITU-T RECMN*X=83L 95 46162591 0608024 O09 m Summary This Recommendation i International Standard belongs to a series of Recommendations which provide a set of

14、 facilities to aid the construction of OS1 Upper Layer protocols which support the provision of security services. This Recommendation defines the service provided by the Security Exchange Service Element (SESE). The SESE is an application-service-element (ASE) which facilitates the communication of

15、 security information to support the provision of security services within the Application Layer of 0%. Introduction This Recommendation I International Standard forms part of a series of Recommendations I multi-part International Standards, which provide(s) a set of facilities to aid the constructi

16、on of Upper Layers protocols which support the provision of security services. The parts are as follows: Part 1 : Overview, Models and Notation; Part 2: Security Exchange Service Element Service Definition; Part 3: Security Exchange Service Element Protocol Specification; Part 4: Protecting Transfer

17、 Syntax Specification; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. - - - - - - This Recommendation I International Standard constitutes Part 2 of this series. 11 ITU-T Rec. X.831(1995 E) ITU-T RECHNdX.831 95 W +Ab2591 Ob08025 T45 W ISOAE

18、C 11586-2 : 1995 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: SECURITY EXCHANGE SERVICE ELEMENT (SESE) SERVICE DEFINITION 1 Scope 1.1 provision of security services in application layer protocols. These include

19、: This series of Recommendations I International Standards defines a set of generic facilities to assist in the a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchange

20、s and security transformations; a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security services within the Application Layer; a specification and PICS proforma for a security transfer syntax, associated with Presen

21、tation Layer support for security services in the Application Layer. a) b) c) 1.2 This Recommendation I International Standard defines the service provided by the Security Exchange Service Element (SESE). The SESE is an ASE which allows the communication of security information to support the provis

22、ion of security services within the Application Layer. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the edi

23、tions indicated were valid. Ali Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below.

24、Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations I Intemational Standards - ITU-T Recommendation X.200 (1994) I ISOIZE

25、C 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model. IT-T Recommendation X.803 (1994) I ISO/IEC 10745:1995, Information technology - Open Systems Interconnection - Upper layers security model. - 3 Definitions The following terms are used as d

26、efined in ITU-T Rec. X.803 I ISO/IEC 10745: - security exchange; - security exchange item. ITU-T RW. X.831(1995 E) 1 ITU-T RECMN*X-833 95 M 4862593 0608026 9AL B ISO/IEC 11586-2 : 1995 (E) 4 Abbreviations For the purposes of this Recommendation I International Standard, the following abbreviations a

27、pply: ASE Application Service Element OS1 Open Systems Interconnection PICS Protocol Implementation Conformance Statement SEI Security Exchange Item 5 Conventions Clause 7 employs a tabular presentation of the SESE service primitive parameters. Each parameter is summarized using the following notati

28、on: M O U C (=) Presence of the parameter is mandatory Presence of the parameter is an SESE protocol machine option Presence of the parameter is an SESE service user option Presence of the parameter is conditional The value of this parameter is identical to the value of the corresponding parameter o

29、f the preceding SESE service primitive. 6 Service overview The security exchange service element provides for the communication of information associated with any security exchange, as described in Part 1. This service is typically used for the transfer of authentication, access control, non-repudia

30、tion or security management information. 6.1 Specific service facilities The following service facilities are defined: a) SE-TRANSFER; b) SE-U-ABORT; C) SE-P-ABORT. The SE-TRANSFER service facility is used to initiate a security exchange of a certain type, transfer the first security- exchange-item

31、(SEI), as well as transfer the other SEIS of a security exchange. It is the only service facility required in completing a security exchange. The SE-U-ABORT service facility is used by the SESE service user to indicate that an error has occurred. This service is used to abnormally terminate a securi

32、ty exchange in progress. Optionally, this service may also abnormally terminate the ASO-association. The SE-P-ABORT service facility is used by the SESE service provider to indicate that an error has occurred. This service is used to abnormally terminate a security exchange in progress. Optionally,

33、this service may also abnormally terminate the ASO-association. 6.2 Part 1 of this Recommendation I International Standard defines the following procedural model for security exchanges: An initial Security Exchange Item (SEI) is transferred from A to B. This is optionally followed by one or more tra

34、nsfers of SEIS between A and B, according to the specific security exchange identified in the SE-TRANSFER. The sequence may be terminated upon receipt of any SEI, by generation of an error indication by either service user or service provider. The time-sequence diagram shown below is an example illu

35、strating the special case of a sequence of SEI transfers in alternate directions for an n-way security exchange. (This is an example of the “Alternating” class of exchange defined in 6.1 of ITU-T Rec. X.830 I ISO/iEC 11586-1.) Procedural model for SE-TRANSFER service facility 2 ITU-T Rec. X.831(1995

36、 E) ITU-T RECMN*X.83L 95 48h259L Ob08027 818 D ISO/IEC 11586-2 : 1995 (E) SE-TRANSFER indication SE-TRANSFER request I 7 Service definition The SESE service primitives are of the following types: I SE-TRANSFER Non-confirmed SE-U-ABORT Non-confirmed SE-P-ABORT Provider-initiated 7.1 Parameters of ser

37、vice primitives Following are descriptions of the service primitives parameters. 7.1.1 Security exchange identifier This parameter identifies the particular type of security exchange being initiated. The identifier is established when the security exchange is defined, using the SECURITY-EXCHANGE inf

38、ormation object class defined in Part 1. 7.1.2 Invocation identifier This parameter identifies a particular security exchange invocation. It is used for subsequently referring to that Invocation identifiers are especially useful in handling multiple security exchange invocations within the context o

39、f, for example, an application association. Invocation identifiers are provided by the users of services which initiate security exchanges, and it is the responsibility of such users to ensure that these identifiers are unambiguous within the scope of all active security exchange invocations. I invo

40、cation for correlation purposes, in a SE-TRANSFER, SE-U-ABORT, or SE-P-ABORT primitives. 7.1.3 Security exchange item The item to be conveyed, as implied by the security exchange identifier. 7.1.4 Item identifier In a SE-TRANSFER primitive, this parameter indicates which item of the security exchang

41、e this primitive is conveying. In a SE-U-ABORT or SE-P-ABORT primitive, this parameter indicates the item of a security exchange on which an error condition has been detected. The specification of a security exchange may place specific constraints on the use of the ?item identifier?. It is the respo

42、nsibility of the SESE user to ensure that these constraints are met. 7.1.5 Start flag In a SE-TRANSFER primitive, this parameter is used to indicate the transfer of the first security-exchange-item of a security exchange. 7.1.6 End flag In a SE-TRANSFER primitive, this parameter is used to indicate

43、that this security exchange item corresponds to the last security exchange required to satisfy the security mechanism. It is needed to accommodate those mechanisms requiring n exchanges, where n is not known a priori. ITU-T Rec. X.831(1995 E) 3 ITU-T RECMN*X*83L 95 W V8b2593 Ob08028 754 W ISOAEC 115

44、86-2 : 1995 (E) 7.1.7 Error list This parameter is one or more lists of error codes with optional error parameters. The error code indicates the cause of a SE-U-BORT being generated. Error codes are established when a security exchange is defined, using the SE-ERROR information object class defined

45、in Part 1. The optional error parameters provide additional information describing the cause of an abort. 7.1.8 Problem code This parameter indicates the cause of an SE-P-ABORT being generated. The set of possible values is specified in clause 6 of Part 3. 7.1.9 Fatality indicator In a SE-U-BORT req

46、uest primitive, this parameter is used to indicate to the SESE service provider whether or not the ASO-association (e.g. application association) must be terminated. In a SE-U-ABORT indication and SE-P-ABORT indication primitives, this parameter is used to indicate to the SESE service user whether o

47、r not the ASO-association (e.g. application association) must be terminated. I 7.2 Service primitives The parameters of the SESE service primitives are provided below. (Refer to 6.1 for a definition of the SESE services, and to 7.1 for a description of the specific parameters.) 7.2.1 SE-TRANSFER ser

48、vice The parameters of the SE-TRANSFER service are as follows: Parameter Name Req Ind Security exchange identifier M M(= Invocation identifier U C(= Security exchange item M M(=) Item identifier U C(=) Start flag U C(= End flag U C(=) 7.2.2 SE-U-ABORT service The parameters of the SE-U-BORT service

49、are as fobws: Parameter Name Req Ind Invocation identifier U C(=) Item identifier U C(=) Error list U C(=) Fatality Indicator U C(= 7.2.3 SE-P-ABORT service The parameters of the SE-P-ABORT service are as follows: Parameter Name Ind Invocation identifier O Item identifier O Problem code M Fatality Indicator O 8 Sequencing information The only sequencing constraint stipulated in this Service definition is that the invocation of SE-TRANSFER primitives with the same invocation identifier must be consistent with 7.1.2. 4 ITU-T Rec X.831(1995 E) ITU-T RECHN*X-831 95 II 48625