ITU-T X 841-2000 Information Technology - Security Techniques - Security Information Objects for Access Control Series X Data Networks and Open System Communications Security (Stud.pdf

1、INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU X.841 (1 0/2000) SERIES X: DATA NETWORKS AND OPEN SYSTEM COM M U N I CATI ON S Security Information technology - Security techniques - Security information objects for access control ITU-T Recommendation X.84

2、1 (Formerly CCITT Recommendation) ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS PUBLIC DATA NETWORKS Services and facilities Interfaces Transmission, signalling and switching Network aspects Maintenance Administrative arrangements Model and notation Service definitions

3、Connection-mode protocol specifications Connectionless-mode protocol specifications PICS proformas Protocol Identification Security Protocols Layer Managed Objects Conformance testing General Satellite data transmission systems IP-based networks MESSAGE HANDLING SYSTEMS DIRECTORY OS1 NETWORKING AND

4、SYSTEM ASPECTS Networking Efficiency Quality of service Naming, Addressing and Registration Abstract Syntax Notation One (ASN. 1) Systems Management fiamework and architecture Management Communication Service and Protocol Structure of Management Information Management functions and ODMA functions OP

5、EN SYSTEMS INTERCONNECTION INTERWORKING BETWEEN NETWORKS OS1 MANAGEMENT SECURITY OS1 APPLICATIONS Commitment, Concurrency and Recoveq Transaction processing Remote operations OPEN DISTRIBUTED PROCESSING X. l-X. 19 X.20-X.49 X.50-X.89 X.90-X.149 X. 150-X. 179 X. 180-X. 199 X.200-X.209 X.210-X.219 X.2

6、20-X.229 X.230-X.239 X.240-X.259 X.260-X.269 X.270-X.279 X.280-X.289 X.290-X.299 X.300-X.349 X.350-X.369 x.370-x.399 X.400-X.499 X.500-X.599 X.600-X.629 X.630-X.639 X.640-X. 649 X.650-X.679 X.680-X.699 X.700-X.709 X.710-X.7 19 X.720-X.729 x.730-x.799 X.800-X.849 X.850-X.859 X.860-X.879 X.880-X.899 X

7、900-X.999 For further details, please refer to the list of ITU-T Recommendations. INTERNATIONAL STANDARD 15816 ITU-T RECOMMENDATION X.841 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - SECURITY INFORMATION OBJECTS FOR ACCESS CONTROL Summary This Recommendation I International Standard provides obje

8、ct definitions that are commonly needed in security standards to avoid multiple and different definitions of the same functionality. Precision in these definitions is achieved by use of the Abstract Syntax Notation One (ASN. 1). This Recommendation I International Standard covers only static aspects

9、 of Security Information Objects (SIOs). Source ITU-T Recommendation X.841 was prepared by ITU-T Study Group7 (1997-2000) and approved by the World Telecommunication Standardization Assembly (Montreal, 27 Septembre - 6 October 2000). An identical text is also published as ISOAEC 158 16. ITU-T X.841(

10、10/2000 E) i FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff q

11、uestions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendat

12、ions on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. NOTE In this Recommendatio

13、n, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a cl

14、aimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had

15、 not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database. O ITU 2001 All righ

16、ts reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from ITU. 11 ITU-T X.841(10/2000 E) CONTENTS Scope Normative references 2.1 Identical Recommendations I In

17、ternational Standards . 2.2 Definitions Abbreviations Conventions 5.1 5.2 5.3 Security Information Object Composition . Specification of Security Information Objects 6.1.1 Introduction . 6.1.2 ASN.1 Specification of the Label 6.1.3 Security Policy Information File . 6.2.1 introduction . 6.2.2 ASN.l

18、Specification of the Security Policy Information File . 6.3 Clearance Attribute Introduction . 6.3.1 6.3.2 Definition of clearance attribute Security Information Object Interaction . Security Information Object Interaction for Access Control . Paired Recommendations I International Standards equival

19、ent in technical content . Security Information Object Class Description . Generic Security Information Object Class Correspondence 6.1 Confidentiality Label . Binding Methods for Confidentiality Labels . 6.2 7.1 7.2 SI0 Class Structure Comparison . Annex A . Security Information Objects for Access

20、Control in ASN.1 . Annex B . Expansion of the SECURITY-CATEGORY Syntax Page 1 1 1 2 2 2 3 3 3 3 3 3 3 4 5 5 5 6 9 9 10 10 10 10 13 19 . ITU-T X.841(10/2000 E) 111 Introduction This Recommendation I International Standard on Security Information Objects (SIOs) for Access Control provides object defin

21、itions that are commonly needed in more than one security standard such that multiple and different definitions of the same functionality may be avoided. Precision in these definitions is achieved by use of the Abstract Syntax Notation One (ASN.l) defined in ITU-T Rec. X.680 (1997) I ISOAEC 8824-1:1

22、998, and ITU-T Rec. X.681 The aim of security management is to ensure that assets, including information, are protected appropriately and cost effectively. In order to protect proprietary interests and Intellectual Property Rights, organizations need to control the handling of their information. Sev

23、ere damage or embarrassment can be caused to either the originator or holder of sensitive information, for example, if it is released to those not authorized to receive it (a breach of confidentiality), or if it is modified in any way (a breach of integrity). Each organization needs to ensure that i

24、t protects its own information and assets adequately in all forms during its storage, processing and transmission between and within organizations over both private and public networks. Organizations must be satisfied that their assets will be protected properly when they are held or processed by ot

25、hers if business is to be conducted more widely. The motivation for development of SIOs for Access Control is the achievement of the flexibility and interoperability in security management that accrues fiom the use of common stnictures for similar functions. Standardization of security labels and al

26、ternative methods for access control have been pursued in this Recommendation I International Standard. (1997) I ISO/IEC 8824-21998. iv ITU-T X.841 (10/2000 E) ISO/IEC 15816 : 2001 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - SECURITY INFORMATION OBJ

27、ECTS FOR ACCESS CONTROL 1 Scope The scope of this Recommendation I International Standard is: a) b) c) the definition of guidelines for specifjmg the abstract syntax of generic and specific Security Information Objects (SIOs) for Access Control; the specification of generic SIOs for Access Control;

28、the specification of specific SIOs for Access Control. The scope of this Recommendation I International Standard covers only the “statics“ of SIOs through syntactic definitions in tem of ASN.l descriptions and additional semantic explanations. It does not cover the “dynamics“ of SIOs, for example ru

29、les relating to their creation and deletion. The dynamics of SIOs are a local implementation issue. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I Intemational S

30、tandard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation 1 International Standard are encouraged to investigate the possibility of applying the most recent edition of the

31、Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of ITU maintains a list of currently valid ITU-T Recommendations. Identical Recommendations I International Standards - ITU-T

32、 Recommendation X.411 (1999) I ISOIEC 10021-4, Information technology - Message Handling Systems (MHS): Message transfer system: Abstract service de3nition and procedures. ITU-T Recommendation X.500 (2001) I ISOIEC 9594-1:2001 , Information technology - Open Systems Interconnection - The Directory:

33、Overview of concepts, models and services. ITU-T Recommendation X.501 (2001) I ISOIEC 9594-2:2001, Information technology - Open Systems Interconnection - The Directory: Models. ITU-T Recommendation X.509 (2000) I ISOAEC 9594-8:2001, Information technology - Open Systems Interconnection - The Direct

34、ory: Public-key and attribute certificate frameworks. ITU-T Recommendation X.680 (1997) I ISOiEC 8824-1: 1998, Information technology -Abstract syntax notation one (ASN. I): SpeciJication of basic notation. ITU-T Recommendation X.68 1 (1 997) I ISOAEC 8824-2: 1998, Information technology - Abstract

35、syntax notation one (ASN. 1): Information object specification. ITU-T Recommendation X.682 (1997) 1 ISOIEC 8824-3:1998, Information technology -Abstract syntax notation one (ASN. I): Constraint specification. ITU-T Recommendation X.683 (1997) I ISOIEC 8824-4:1998, Information technology -Abstract sy

36、ntax notation one (ASN. I): Parameterization of ASN. I specijkations. ITU-T Recommendation X.690 (1 997) I ISOIEC 8825-1 : 1998, Information technology - ASN. I encoding rules: Speci3cation of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). - - - -

37、 - - - ITU-T X.841(10/2000 E) 1 ISO/IEC 15816 : 2001 (E) - CCITT Recommendation X.722 (1992) I ISOLEC 10165-4:1992, Information technology - Open Systems Interconnection - Structure of management information: Guidelines for the definition of managed objects. ITU-T Recommendation X.741 (1 995) I ISO

38、/IEC 10164-9: 1995, Information technology - Open Systems Interconnection - Systems Management: Objects and attributes for access control. ITU-T Recommendation X.803 (1994) I ISOLEC 10745:1995, Information technology - Open Systems Interconnection - Upper layers security model. ITU-T Recommendation

39、X.8 1 O ( 1995) I ISOIEC 1 O 18 1-1 : 1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Overview. ITU-T Recommendation X.830 (1 995) I ISO/IEC 1 1586-1 : 1996, Information technology - Open Systems Interconnection - Generic upper layers security: Ove

40、rview, models and notation. - - - - 2.2 Paired Recommendations I International Standards equivalent in technical content - CCITT Recommendation X.800 (1991), Securiy architecture for Open Systems Interconnection for CCITT applications. IS0 7498-2: 1989, Information processing systems - Open Systems

41、Interconnection - Basic Reference Model - Part 2: Security Architecture. 3 Definitions For the purposes of this Recommendation I International Standard, the following definitions apply. 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 4 Compartmentalization: As defined in ISOhEC DIS 2382

42、8. Generic SI0 Class: An SI0 Class in which the data types for one or more of the components are not fully specified. Information Object: As defined in ITU-T Rec. X.681 I ISO/IEC 8824-2. Information Object Class: As defined in ITU-T Rec. X.681 I ISOLEC 8824-2. Object Identifier (OID): As defined in

43、 ITU-T Rec. X.680 I ISOLEC 8824-1. Seal: As defined in ITU-T Rec. X.810 I ISO/IEC 10181-1. Security Authority: The entity accountable for the administration of a security policy within a security domain. Security Domain: A collection of users and systems subject to a common security policy. Security

44、 Information Object: An instance of an SI0 Class. Security Information Object Class: An Information Object Class that has been tailored for security use. Security Label: As defined in CCITT Rec. X.800 and ISO/IEC 7498-2. Security Policy: As defined in ISO/IEC DIS 2382-8. Security Policy Information

45、File: A construct that conveys domain-specific security policy information. Specific SI0 Class: An SI0 Class in which the data types for all components are fully specified. Abbreviations For the purposes of this Recommendation I International Standard, the following abbreviations apply: ASN. 1 EE En

46、d Entity IT Information Technology Abstract Syntax Notation One 2 ITU-T X.841(10/2000 E) ISODEC 15816 : 2001 (E) OID Object Identifier RBAC Rule Based Access Control SI0 Security Information Object SPIF Security Policy Information File 5 Conventions 5.1 An SI0 Class comprises: Security Information O

47、bject Class Description - - - a value for a SI0 Class identifier; a set of one or more data type specifications, one for each component the SI0 Class contains; and a statement of the semantics associated with use of the SI0 Class. 5.2 A Generic SI0 Class is an SI0 Class in which the data types for o

48、ne or more of the components are not fully specified. A Specific SI0 Class is an SI0 Class in which the data types for all components are fully specified. A generic SI0 Class corresponds to a family of specific SI0 Classes. Generic Security Information Object Class Correspondence 5.3 Security Inform

49、ation Object Composition The specification of each SI0 in this Recommendation I International Standard contains the following parts: - - - a description of the SIO; an explanation of the usage of the SIO; a description of the components of the SIO. The description of the components of the SI0 includes the ASN.l specification and the object identifier of the object class being defined. 6 When a new requirement is identified for an SIO, the following steps shall be followed to encourage reuse of existing specifications and to reduce the proliferation of different specifications meetin