1、BRITISH STANDARD BS ISO/IEC 10181-2:1996 Information technology Open Systems Interconnection Security frameworks for open systems: Authentication framework (ITU-T Rec. X.811 (1995) | ISO/IEC 10181-2:1996) ICS 35.100.01BSISO/IEC 10181-2:1996 This British Standard, having been prepared under the direc
2、tion of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 November 1996 BSI 10-1998 ISBN 0 580 26515 3 National foreword This British Standard reproduces verbatim ISO/IEC 10181-2:1996, and implements it as the UK national standard. The UK participat
3、ion in its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to: aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the i
4、nterpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. A list of organizations represented on this committee is available on request. Cross-references The British Standards which implement int
5、ernational or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facility of the BSI Standards Electronic Catalogue. A British Standard does not purport to inclu
6、de all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, the IS
7、O/IEC title page, pages ii to iv, pages 1 to 40 and a back cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on theinside front cover. Amendments issued since publication Amd. No. Date CommentsBSISO/IEC1
8、0181-2:1996 ii Contents Page Foreword iv Introduction 1 1 Scope 1 2 Normative references 2 2.1 Identical Recommendations | International Standards 2 2.2 Paired Recommendations | International Standards equivalent in technical content 2 2.3 Additional references 2 3 Definitions 2 4 Abbreviations 3 5
9、General discussion of authentication 4 5.1 Basic concepts of authentication 4 5.2 Aspects of authentication service 6 5.3 Principles used in authentication 7 5.4 Phases of authentication 7 5.5 Trusted Third Party Involvement 8 5.6 Types of principal 11 5.7 Human user authentication 11 5.8 Types of a
10、ttack on authentication 11 6 Authentication information and facilities 13 6.1 Authentication information 13 6.2 Facilities 16 7 Characteristics of authentication mechanisms 18 7.1 Symmetry/Asymmetry 18 7.2 Use of cryptographic/Non-cryptographic techniques 19 7.3 Types of authentication 19 8 Authenti
11、cation mechanisms 20 8.1 Classification by vulnerabilities 20 8.2 Initiation of transfer 25 8.3 Use of authentication certificates 25 8.4 Mutual authentication 25 8.5 Summary of class characteristics 27 8.6 Classification by configuration 27 9 Interactions with other security services/mechanisms 29
12、9.1 Access control 29 9.2 Data integrity 29 9.3 Data confidentiality 29 9.4 Non-repudiation 30 9.5 Audit 30 Annex A Human user authentication 31 Annex B Authentication in the OSI Model 32 Annex C Countering replay using unique numbers or challenges 33 Annex D Protection against some forms of attack
13、on authentication 33 Annex E Bibliography 36 Annex F Some specific examples of authentication mechanisms 36 Annex G Authentication facilities outline 40 Figure 1 Illustration of relationship between claimant, verifier trusted third party, and types of authentication information 5 Figure 2 Authentica
14、tion without a Trusted Third Party 8 Figure 3 In-line authentication 9BSISO/IEC10181-2:1996 BSI 10-1998 iii Page Figure 4 On-line authentication 10 Figure 5 Off-line authentication 11 Figure 6 Intruder initiated relay attack 12 Figure 7 Relay attacks in which an intruder responds 14 Figure 8 Example
15、 of information flows in operational related services 19 Figure 9 Class 0 mechanism (Unprotected) 21 Figure 10 Class 1 Mechanism protected against disclosure 22 Figure 11 Sub-class 3 Unique number mechanism 23 Figure 12 Sub-class 4b Challenge mechanism 24 Figure 13 Sub-class 4c Dedicated enciphered
16、challenge mechanism 25 Figure 14 Sub-class 4d Computed response mechanism 25 Figure 15 Mutual authentication using challenge mechanisms 26 Figure 16 Schemes for authentication 28 Figure D.1 Protection against an intruder attack when using challenges 35 Figure D.2 Protection against an intruder attac
17、k when using unique numbers 36 Figure F.1 Unique number mechanism with on-line authentication certificate 37 Figure F.2 Challenge mechanism with on-line authentication certificate 39 Table 1 Vulnerabilities and characteristics of mechanisms 26BSISO/IEC10181-2:1996 iv Foreword ISO (the International
18、Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by th
19、e respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of in
20、formation technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the natio
21、nal bodies casting a vote. International Standard ISO/IEC 10181-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open systems interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is pub
22、lished as ITU-T Recommendation X.811. ISO/IEC consists of the following parts, under the general title Information technology Open Systems Interconnection Security frameworks for open systems: Part 1: Overview; Part 2: Authentication framework; Part 3: Access control framework; Part 4: Non-repudiati
23、on; Part 5: Confidentiality; Part 6: Integrity; Part 7: Security audit framework. Annexes A to G of this part of ISO/IEC 10181 are for information only.BS ISO/IEC 10181-2:1996 BSI 10-1998 1 Introduction Many applications have requirements for security to protect against threats to the communication
24、of information. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them, are described in ITU Rec. X.800 | ISO 7498-2. Many Open Systems applications have security requirements which depend upon correctly identifying the principals inv
25、olved. Such requirements may include the protection of assets and resources against unauthorized access, for which an identity based access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and cha
26、rging purposes. The process of corroborating an identity is called authentication. This Recommendation|International Standard defines a general framework for the provision of authentication services. 1 Scope The series of Recommendations | International Standards on Security Frameworks for Open Syst
27、ems addresses the application of security services in an Open Systems environment, where the term “Open Systems” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing prote
28、ction for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) w
29、hich are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. This Recommendation | International Standard: defines the basic concepts for authentication; id
30、entifies the possible classes of authentication mechanisms; defines the services for these classes of authentication mechanism; identifies functional requirements for protocols to support these classes of authentication mechanism; and identifies general management requirements for authentication. A
31、number of different types of standards can use this framework including: 1) standards that incorporate the concept of authentication; 2) standards that provide an authentication service; 3) standards that use an authentication service; 4) standards that specify the means to provide authentication wi
32、thin an open system architecture; and 5) standards that specify authentication mechanisms. Note that the service in 2), 3) and 4) might include authentication but may have a different primary purpose. These standards can use this framework as follows: * standard types 1), 2), 3), 4) and 5) can use t
33、he terminology of this framework; * standard types 2), 3), 4) and 5) can use the services defined in clause 7 of this framework; and * standard types 5) can be based on the mechanisms defined in clause 8 of this framework. As with other security services, authentication can only be provided within t
34、he context of a defined security policy for a particular application. The definitions of security policies are outside the scope of this ITU Recommendation | International Standard. The scope of this Recommendation | International Standard does not include specification of details of the protocol ex
35、changes which need to be performed in order to achieve authentication. This Recommendation | International Standard does not specify particular mechanisms to support these authentication services. Other standards (such as ISO/IEC 9798) develop specific authentication methods in greater detail. Furth
36、ermore, examples of such methods are incorporated into other standards (such as ITURec.X.509 | ISO/IEC 9594-8) in order to address specific authentication requirements. Some of the procedures described in this framework achieve security by the application of cryptographic techniques. This framework
37、is not dependent on the use of a particular cryptographic or other algorithm, although certain classes of authentication mechanisms may depend on particular algorithm properties, e.g. asymmetric properties.BSISO/IEC 10181-2:1996 2 BSI 10-1998 NOTEAlthough ISO does not standardize cryptographic algor
38、ithms, it does standardize the procedures used to register them in ISO/IEC 9979. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the ti
39、me of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations an
40、d Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid Recommendations. 2.1 Identical Recommendations|International Standards ITU-T Recommendation X.81
41、0 1) |ISO/IEC10181-1:. 1) , Information technology Security frameworks for open systems: Overview. 2.2 Paired Recommendations|International Standards equivalent in technical content CCITT Recommendation X.800:1991, Security Architecture for Open Systems Interconnection for CCITT applications. ISO 74
42、98-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. 2.3 Additional references ISO/IEC 9979:1991, Data cryptographic techniques Procedures for the registration of cryptographic algorithms. ISO/IEC 10116:1991, Information technolo
43、gy Modes of operation for an n-bit block cipher algorithm. 3 Definitions This Recommendation | International Standard makes use of the following general security-related terms defined in Rec. X.800 | ISO 7498-2: audit; audit trail; authentication information; confidentiality; cryptography; cryptogra
44、phic checkvalue; data origin authentication; data integrity; decipherment; digital signature; encipherment; key; key management; masquerade; password; peer-entity authentication; security policy. This Recommendation | International Standard makes use of the following term defined in ISO/IEC10116: bl
45、ock chaining This Recommendation | International Standard makes use of the following terms defined in ITU-TRec. X.810 | ISO/IEC 10181-1: digital fingerprint; hash function; one-way function; private key; public key; seal; secret key; security authority; security certificate; security domain; securit
46、y token; trust; trusted third party. For the purposes of this Recommendation| International Standard, the following definitions apply: 3.1 asymmetric authentication method a method of authentication, in which not all authentication information is shared by both entities 3.2 authenticated identity a
47、distinguishing identifier of a principal that has been assured through authentication 1) Presently at the stage of draft.BS ISO/IEC 10181-2:1996 BSI 10-1998 3 3.3 authentication the provision of assurance of the claimed identity of an entity 3.4 authentication certificate a security certificate that
48、 is guaranteed by an authentication authority and that may be used to assure the identity of an entity 3.5 authentication exchange a sequence of one or more transfers of exchange authentication information (AI) for the purposes of performing an authentication 3.6 authentication information informati
49、on used for authentication purposes 3.7 authentication initiator the entity that starts an authentication exchange 3.8 challenge a time variant parameter generated by a verifier 3.9 claim authentication information (claim AI) information used by a claimant to generate exchange AI needed to authenticate a principal 3.10 claimant an entity which is or represents a principal for the purposes of authentication. A clai