BS EN 50090-3-4-2017 Home and Building Electronic Systems (HBES) Secure Application Layer Secure Service Secure configuration and security Resources.pdf

Uploaded by: eventdump275  Document ID: 574523  Upload date: 2018-12-13  Format: PDF  Pages: 66  Size: 2.54MB
Resource description

BS EN 50090-3-4:2017
BSI Standards Publication

Home and Building Electronic Systems (HBES)
Part 3-4: Secure Application Layer, Secure Service, Secure configuration and security Resources

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN 50090-3-4
August 2017
ICS 97.120

English Version

Home and Building Electronic Systems (HBES) - Part 3-4: Secure Application Layer, Secure Service, Secure configuration and security Resources

Systèmes électroniques pour les foyers domestiques et les bâtiments (HBES) - Partie 3-4 : Spécification des KNX S AL, Service sécurisé, configuration sécurisée et Resources en matière de sécurité

Elektrische Systemtechnik für Heim und Gebäude (ESHG) - Teil 3-4: Informationssicherheit auf Anwendungsschicht, Dienste, Konfiguration und Ressourcen

This European Standard was approved by CENELEC on 2017-06-12. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2017 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.

Ref. No. EN 50090-3-4:2017 E

National foreword

This British Standard is the UK implementation of EN 50090-3-4:2017.

The UK participation in its preparation was entrusted to Technical Committee IST/6/12, Home Electronic Systems.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2017
Published by BSI Standards Limited 2017
ISBN 978 0 580 95602 7
ICS 97.120

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2017.

Amendments/corrigenda issued since publication
Date    Text affected

Contents

European foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 General Introduction (informative)
4.1 General
4.2 General Overview
5 Specification
5.1 Stack and communication
5.2 Resource definition or used Resources
Annex A (informative) Use of CCM
A.1 Goal
A.2 Definitions
A.3 CCM operation
Annex B (informative) Examples - Full encoding of a HBES Secure APDU
B.1 General
B.2 S-A_Data-PDU
B.3 S-A_Data-PDU
B.4 S-A_Sync.req
B.5 S-A_Sync.res
Bibliography

European foreword

This document (EN 50090-3-4:2017) has been prepared by CLC/TC 205 “Home and Building Electronic Systems (HBES)”.

The following dates are fixed:

- latest date by which this document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2018-06-12
- latest date by which the national standards conflicting with this document have to be withdrawn (dow): 2020-06-12

EN 50090-3 is composed with the following parts:

- EN 50090-3-1, Home and Building Electronic Systems (HBES) - Part 3-1: Aspects of application - Introduction to the application structure;
- EN 50090-3-2, Home and Building Electronic Systems (HBES) - Part 3-2: Aspects of application - User process for HBES Class 1;
- EN 50090-3-3, Home and Building Electronic Systems (HBES) - Part 3-3: Aspects of application - HBES Interworking model and common HBES data types;
- EN 50090-3-4, Home and Building Electronic Systems (HBES) - Part 3-4: Secure Application Layer, Secure Service, Secure configuration and security Resources.

Introduction

KNX Association as Cooperating Partner to CENELEC confirms that to the extent that the standard contains patents and like rights, the KNX Association's members are willing to negotiate licenses thereof with applicants throughout the world on fair, reasonable and non-discriminatory terms and conditions.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. CENELEC shall not be held responsible for identifying any or all such patent rights.

CEN and CENELEC maintain online lists of patents relevant to their standards. Users are encouraged to consult the lists for the most up to date information concerning patents (ftp://ftp.cencenelec.eu/EN/IPR/Patents/IPRdeclaration.pdf).

1 Scope

This European Standard defines security for Home and Building HBES Open Communication System. It is based on ISO/IEC 24767-2, Home network security / Secure Communication Protocol Middleware (SCPM).

Having a secure HBES solution has several advantages.

- It makes the HBES RF Communication Medium more secure: HBES RF Radio Frames in plain communication can easily be traced (by sniffer for example).
- It allows for secure applications. Secure communication is interesting in shutter and door control and anti-intrusion security, in order to prevent intrusive commands (burglars). It is also interesting in metering to protect for example electrical consumption data.

This document does not define any type of application.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN 50090-1:2011, Home and Building Electronic Systems (HBES) - Part 1: Standardization structure

EN 50090-3-2, Home and Building Electronic Systems (HBES) - Part 3-2: Aspects of application - User process for HBES Class 1

EN 50090-4-1, Home and Building Electronic Systems (HBES) - Part 4-1: Media independent layers - Application layer for HBES Class 1

EN 50090-4-2, Home and Building Electronic Systems (HBES) - Part 4-2: Media independent layers - Transport layer, network layer and general parts of data link layer for HBES Class 1

3 Terms, definitions and abbreviations

3.1 Terms and definitions

For the purposes of this document, the terms and definitions given in EN 50090-1:2011 and the following apply.

3.1.1 Access Control
definition and evaluation of which communication partner has the right to access which data or call which services, which is solved by collecting communication partners with the same rights for all data and services in Roles and defining for each Role and for each piece of data or service the Permissions that this Role has

3.1.2 Security Black List
standard list of services or DPs that shall exclusively be accepted using HBES Secure communication using confidentiality

3.1.3 cipher text
generic term that denotes the encrypted data
Note 1 to entry: Cipher text is opposed to plain data.

3.1.4 permission
definition and conditions (plain, authentication, confidentiality) of the functionality that will be accepted from a Role, in accessing a DP in a device or in accepting services from a communication partner

3.1.5 plain data
generic term that denotes unencrypted data, the content of which depends on the service and the user and not of confidentiality and authentication
Note 1 to entry: Plain data is opposed to cipher text.

3.1.6 secure DP
datapoint that requires either authentication and/or confidentiality

3.1.7 role
identification of a group of links to a device (multicast, unicast and other) that have the same Permissions throughout the AIL

3.1.8 secure link
link to a secure DP

3.1.9 Security Link Resources
whole collection of the following Resources:
- the Point-to-point Keys Table;
- the Group Keys Table;
- the Security Individual Address Table;
- the Tool Key

3.1.10 Group Address Security Flags
indication in a configuration tool whether for a Group Address, no secure communication will be used, or secure communication with authentication and/or confidentiality

3.1.11 Security White List
standard list of services or DPs that are always accepted using plain communication

3.2 Abbreviations

CFB    Cipher feedback
FDSK   Factory Default Setup Key
IV     Initialization Vector
MaC    Management Client
MaS    Management Server
MAC    Message Authentication Code
MiM    Man-in-the-Middle
P-AL   Plain Application Layer
SAI    Security Algorithm Identifier
S-AL   Secure Application Layer
SCF    Security Control Field
SeqNr  Sequence Number
SFCC   Security Failure Common Counter
SFL    Security Failure Links
SHD    Secure Header
SKI    Security Key Info

4 General Introduction (informative)

4.1
