1、BRITISH STANDARD BS ISO/IEC 11586-1:1996 Information technology OpenSystems Interconnection Generic upper layers security: Overview, models and notation (ITU-T Rec. X.830 (1995)| ISO/IEC 11586-1:1996) ICS 35.100.70BSISO/IEC11586-1:1996 This British Standard, having been prepared under the direction
2、of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 November 1996 BSI 11-1998 ISBN 0 580 26540 4 National foreword This British Standard reproduces verbatim ISO/IEC 11586-1:1996, and implements it as the UK national standard. The UK participation i
3、n its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to: aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interp
4、retation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. A list of organizations represented on this committee is available on request. Cross-references The British Standards which implement internat
5、ional or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facility of the BSI Standards Electronic Catalogue. A British Standard does not purport to include al
6、l the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, pages i and
7、 ii, theISO/IEC title page, pages ii to iv, pages 1 to 56 and a back cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover. Amendments issued since publication Amd. No. Date Comment
8、sBSISO/IEC11586-1:1996 BSI 11-1998 i Contents Page National foreword Inside front cover Foreword iii Text of ISO/IEC 11586-1 1ii blankBSISO/IEC11586-1:1996 ii BSI 11-1998 Contents Page 1 Scope 1 2 Normative references 2 2.1 Identical Recommendations|International Standards 2 2.2 Paired Recommendatio
9、ns|International Standards equivalent in technical content 2 3 Definitions 3 4 Abbreviations 4 5 General overview 5 6 Security exchanges 5 6.1 Security exchange model 5 6.2 Notation for specifying security exchanges 6 7 Security transformations 8 7.1 Security transformation model 8 7.2 Notation for
10、specifying security transformations 12 8 Abstract syntax notation for selective field protection 13 8.1 Basic notation 13 8.2 Notation with transformation qualifier 15 8.3 Mapping protection requirements to security transformations 16 8.4 Notation for specifying protection mappings 16 9 Conformance
11、17 Annex A ASN.1 definitions 18 Annex B Registration of security exchanges and security transformations 23 Annex C Security exchange specifications 23 Annex D Security transformation specifications 28 Annex E Protection mapping specifications 41 Annex F Object identifier usage 44 Annex G Guidelines
12、for the use of generic upper layers security facilities 44 Annex H Relationship to other standards 48 Annex I Examples of use of the generic upper layers security facilities 51 Annex J Bibliography 56 Figure 1 Security exchange model 6 Figure 2 Protected storage or transfer of a data item 9 Figure H
13、.1 Guidelines for incorporating security into an application layer protocol 49 Figure H.2 Incorporating GULS into an OSI Application Protocol 50BSISO/IEC11586-1:1996 BSI 11-1998 iii Foreword ISO (the International Organization for Standardization) and IEC (theInternational Electrotechnical Commissio
14、n) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and
15、 IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC
16、 JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote. International Standard ISO/IEC 11586-1 was prepared by Joint
17、Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open systems interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.830. ISO/IEC 11586 consists of the following parts, und
18、er the general title Information technology Open Systems Interconnection Generic upper layers security: Part 1: Overview, models and notation; Part 2: Security Exchange Service Element (SESE) service definition; Part 3: Security Exchange Service Element (SESE) protocol specification; Part 4: Protect
19、ing transfer syntax specification; Part 5: Security Exchange Service Element Protocol Implementation Conformance Statement (PICS) proforma; Part 6: Protecting transfer syntax Protocol Implementation Conformance Statement (PICS) proforma. Annexes A to F form an integral part of this part of ISO/IEC 1
20、1586. Annexes G to J are for information only.iv blankBSISO/IEC11586-1:1996 BSI 11-1998 1 Introduction This Recommendation|International Standard forms part of a series of Recommendations| multi-part International Standards, which provide(s) a set of facilities to aid the construction of Upper Layer
21、s protocols which support the provision of security services. The parts are as follows: Part 1: Overview, Models and Notation; Part 2: Security Exchange Service Element Service Definition; Part 3: Security Exchange Service Element Protocol Specification; Part 4: Protecting Transfer Syntax Specificat
22、ion; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. This Recommendation|International Standard constitutes Part 1 of this series. For informative guidelines on the application of all facilities described in this series, see Annex G. It is i
23、mportant to note that these generic security facilities do not in themselves provide security services; they are simply construction tools for security-related protocols. Furthermore, these facilities do not necessarily provide a stand-alone solution to all security communications requirements of ap
24、plications. Application standards may still need to incorporate security features within their specifications, to work in conjunction with generic security services supported by the Generic Upper Layers Security facilities. 1 Scope 1.1 This series of Recommendations|International Standards defines a
25、 set of generic facilities to assist in the provision of security services in OSI applications. These include: a) a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchan
26、ges and security transformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security services within the Application Layer of OSI; c) a specification and PICS proforma for a security transfer syntax, associa
27、ted with Presentation Layer support for security services in the Application Layer. 1.2 This Recommendation|International Standard defines the following: a) general models of security exchange protocol functions and security transformations, based on the concepts described in the OSI Upper Layers Se
28、curity Model (ITU-T Rec. X.803|ISO/IEC10745); b) a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchanges and security transformations; c) a set of informative guideli
29、nes as to the application of the generic upper layers security facilities covered by this series of Recommendations|International Standards. 1.3 This Recommendation|International Standard does not define the following: a) a complete set of upper layer security facilities which may be required by oth
30、er Recommendations|International Standards; b) a complete set of security facilities for specific applications; c) the mechanisms employed to support security services. 1.4 The security exchange model, and supporting notation, are intended both for use as the basis of defining the security exchange
31、service element in subsequent parts of this series of Recommendations|International Standards, and for use by any other ASE which may import security exchanges into its own specification.BSISO/IEC11586-1:1996 2 BSI 11-1998 2 Normative references The following Recommendations and International Standa
32、rds contain provisions which, through reference in this text, constitute provisions of this Recommendation|International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recomme
33、ndation|International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of th
34、e ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations|International Standards ITU-T Recommendation X.200 (1994)|ISO/IEC 7498-1:1994, Information technology Open Systems Interconnection Basic Reference Model: The Basic Model. ITU-T Recommendation X.207 (1993)|
35、ISO/IEC 9545:1994, Information technology Open Systems Interconnection Application Layer structure. ITU-T Recommendation X.214 (1993)|ISO/IEC 8072:1994, Information technology Open Systems Interconnection Transport service definition. ITU-T Recommendation X.216 (1994)|ISO/IEC 8822:1994, Information
36、technology Open Systems Interconnection Presentation service definition. ITU-T Recommendation X.217 (1995)|ISO/IEC 8649: . 1) ), Information technology Open Systems Interconnection Service definition for the Association Control Service. ITU-T Recommendation X.226 (1994)|ISO/IEC 8823-1:1994, Informat
37、ion technology Open Systems Interconnection Connection-oriented presentation protocol: Protocol specification. ITU-T Recommendation X.509 (1993)|ISO/IEC 9594-8:1995, Information technology Open Systems Interconnection The Directory: Authentication framework. ITU-T Recommendation X.511 (1993)|ISO/IEC
38、 9594-3:1995, Information technology Open Systems Interconnection The Directory: Abstract service definition. CCITT Recommendation X.660 (1992)|ISO/IEC 9834-1:1993, Information technology Open Systems Interconnection Procedures for the operation of OSI Registration Authorities: General procedures. I
39、TU-T Recommendation X.680 (1994)|ISO/IEC 8824-1:1995, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T Recommendation X.681 (1994)|ISO/IEC 8824-2:1995, Information technology Abstract Syntax Notation One (ASN.1): Information object specification. IT
40、U-T Recommendation X.682 (1994)|ISO/IEC 8824-3:1995, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification. ITU-T Recommendation X.683 (1994)|ISO/IEC 8824-4:1995, Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications. IT
41、U-T Recommendation X.690 (1994)|ISO/IEC 8825-1:1995, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). ITU-T Recommendation X.803 (1994)|ISO/IEC 10745:1995, Information technology Open Syst
42、ems Interconnection Upper layers security model. ITU-T Recommendation X.811 (1995)|ISO/IEC 10181-2:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Authentication framework. ITU-T Recommendation X.812 1) |ISO/IEC 10181-3: . 1) , Information technology O
43、pen Systems Interconnection Security frameworks for open systems: Access control framework. 2.2 Paired Recommendations|International Standards equivalent in technical content CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. 1) Presentl
44、y at the stage of draft.BSISO/IEC11586-1:1996 BSI 11-1998 3 ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. 3 Definitions 3.1 the following term is used as defined in ITU-T Rec.X.200|ISO/IEC 7498-1: transfer syntax. 3.
45、2 the following terms are used as defined in CCITT Rec. X.800|ISO 7498-2: access control; confidentiality; data origin authentication; decipherment; digital signature; encipherment; integrity; key; key management; selective field protection. 3.3 the following terms are used as defined in ITU-T Rec.
46、X.216|ISO/IEC 8822: abstract syntax; presentation context; presentation data value. 3.4 the following terms are used as defined in ITU-T Rec. X.207|ISO/IEC 9545: application-association application-context; application-service-element (ASE); application-service-object-association (ASO-association).
47、3.5 the following terms are used as defined in ITU-T Rec. X.811|ISO/IEC 10181-2: authentication exchange; claimant; entity authentication; verifier. 3.6 the following term is used as defined in ITU-T Rec.X.812|ISO/IEC 10181-3: access control certificate. 3.7 the following terms are used as defined i
48、n ITU-T Rec. X.803|ISO/IEC 10745: security association; security communication function (SCF); security exchange; security exchange item; security exchange function;BSISO/IEC11586-1:1996 4 BSI 11-1998 security transformation; system security object (SSO). 3.8 For the purposes of this Recommendation|
49、International Standard, the following definitions apply: 3.8.1 presentation-context-bound security association a security association which is established in conjunction with the establishment of a protecting presentation context, and which applies to all presentation data values sent in one direction in that protecting presentation context; attributes of the security associ
