1、BRITISH STANDARD BS ISO/IEC 11586-3:1996 Information technology Open Systems Interconnection Generic upper layers security: Security Exchange Service Element (SESE) protocol specification (ITU-T Rec. X.832 (1995) | ISO/IEC 11586-3:1996) ICS 35.100.70BS ISO/IEC 11586-3:1996 This British Standard, hav
2、ing been prepared under the direction of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 November 1996 BSI 11-1998 ISBN 0 580 26550 1 National foreword This British Standard reproduces verbatim ISO/IEC 11586-3:1996, and implements it as the UK nat
3、ional standard. The UK participation in its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to: aid enquirers to understand the text; present to the responsible international/European
4、 committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. A list of organizations represented on this committee is available on request. Cross-references The Brit
5、ish Standards which implement international or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facility of the BSI Standards Electronic Catalogue. A British S
6、tandard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cov
7、er, an inside front cover, the ISO/IEC title page, pages ii to iv, pages 1 to 10, an inside back cover and aback cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on theinside front cover. Amendments iss
8、ued since publication Amd. No. Date CommentsBS ISO/IEC 11586-3:1996 ii BSI 11-1998 Contents Page Introduction 1 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations|International Standards 1 3 Definitions 2 4 Abbreviations 2 5 Overview of the protocol 2 5.1 Service provision 2 5.2 Use of
9、 underlying services 2 6 Elements of procedure 2 6.1 APDUs used 2 6.2 Transfer procedure 2 6.3 User-initiated abort procedure 2 6.4 Provider-initiated abort procedure 3 7 Structure and encoding of SESE APDUs 3 7.1 Generic APDU specification 3 7.2 Abstract syntax construction 6 8 Mapping to underlyin
10、g services 7 8.1 General 7 8.2 Mapping to ACSE services 7 9 Conformance 7 9.1 Statement Requirements 7 9.2 Static Requirements 7 9.3 Dynamic Requirements 7 Annex A SEPM state tables 8 A.1 General 8 A.2 Conventions 8 A.3 Tables 8 Annex B Basic SESE application context definition 10 B.1 Application Co
11、ntext Name 10 B.2 Application Service Elements 10 B.3 SESE APDU Mappings 10 B.4 PDV concatenation constraints 10 B.5 PDV embedding constraints 10 B.6 Procedural constraints 10 B.7 Presentation context constraints 10 Table 1 Incoming Event List 8 Table 2 Outgoing Event List 8 Table 3 Predicates 8 Tab
12、le 4 SEPM States 9 Table 5 SEPM State Table 9BS ISO/IEC 11586-3:1996 BSI 11-1998 iii Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members o
13、f ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organiza
14、tions, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to
15、 national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. International Standard ISO/IEC 11586-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open systems int
16、erconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.832. ISO/IEC 11586 consists of the following parts, under the general title Information technology Open Systems Interconnection Generic upper layers s
17、ecurity: Part 1: Overview, models and notation; Part 2: Security Exchange Service Element (SESE) service definition; Part 3: Security Exchange Service Element (SESE) protocol specification; Part 4: Protecting transfer syntax specification; Part 5: Security Exchange Service Element Protocol Implement
18、ation Conformance Statement (PICS) proforma; Part 6: Protecting transfer syntax Protocol Implementation Conformance Statement (PICS) proforma. Annexes A and B form an integral part of this part of ISO/IEC 11586.iv blankBS ISO/IEC 11586-3:1996 BSI 11-1998 1 Introduction This Recommendation | Internat
19、ional Standard forms part of a series of Recommendations |International Standards, which provide(s) a set of facilities to aid the construction of Upper Layers protocols which support the provision of security services. The parts are as follows: Part 1: Overview, Models and Notation; Part 2: Securit
20、y Exchange Service Element Service Definition; Part 3: Security Exchange Service Element Protocol Specification; Part 4: Protecting Transfer Syntax Specification; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. This Recommendation |Internati
21、onal Standard constitutes Part 3 of this series. 1 Scope 1.1 This series of Recommendations | International Standards defines a set of generic facilities to assist in the provision of security services in application layer protocols. These include: a) a set of notational tools to support the specifi
22、cation of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchanges and security transformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provis
23、ion of security services within the Application Layer; c) a specification and PICS proforma for a security transfer syntax, associated with Presentation Layer support for security services in the Application Layer. 1.2 This Recommendation | International Standard defines the protocol provided by the
24、 Security Exchange Service Element (SESE). The SESE is an ASE which allows the communication of security information to support the provision of security services within the Application Layer. 2 Normative references The following Recommendations and International Standards contain provisions which,
25、through reference in this text, constitute provisions of this Recommendation| International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation| International Standa
26、rd are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of cu
27、rrently valid ITU-T Recommendations. 2.1 Identical Recommendations | International Standards ITU-T Recommendation X.207 (1993)| ISO/IEC 9545:1994, Information technology Open Systems Interconnection Application Layer structure. ITU-T Recommendation X.216 (1994)| ISO/IEC 8822:1994, Information techno
28、logy Open Systems Interconnection Presentation service definition. ITU-T Recommendation X.217 (1995) | ISO/IEC 8649:. 1) . Information technology Open Systems Interconnection Service definition for the Association Control Service Element. ITU-T Recommendation X.226 (1994) | ISO/IEC 8823-1:1994, Info
29、rmation technology Open Systems Interconnection Connection-oriented presentation protocol: Protocol specification. ITU-T Recommendation X.227 (1995)| ISO/IEC 8650-1:. 1) , Information technology Open Systems Interconnection Connection-oriented protocol for the Association Control Service Element: Pr
30、otocol specification. ITU-T Recommendation X.680 (1994)| ISO/IEC 8824-1:1995, Information technology Abstract Syntax Notation One (ASN.1):Specification of basic notation. ITU-T Recommendation X.681 (1994)| ISO/IEC 8824-2:1995, Information technology Abstract Syntax Notation One (ASN.1):Information o
31、bject specification. ITU-T Recommendation X.682 (1994)| ISO/IEC 8824-3:1995, Information technology Abstract Syntax Notation One (ASN.1):Constraint specification. 1) To be published.BS ISO/IEC 11586-3:1996 2 BSI 11-1998 ITU-T Recommendation X.683 (1994)| ISO/IEC 8824-4:1995, Information technology A
32、bstract Syntax Notation One (ASN.1):Parameterization of ASN.1 specifications. ITU-T Recommendation X.690 (1994)| ISO/IEC 8825-1:1995, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). ITU-T
33、 Recommendation X.803 (1994)| ISO/IEC 10745:1995, Information technology Open Systems Interconnection Upper layers security model. 3 Definitions This Recommendation |International Standard makes use of the following terms defined in ITU-TRec. X.803 | ISO/IEC 10745: security exchange; security exchan
34、ge item. 4 Abbreviations 5 Overview of the protocol 5.1 Service provision The protocol defined in this Specification provides the services defined in ITU-T Rec. X.831 | ISO/IEC 11586-2. These services are as follows: 5.2 Use of underlying services This SESE protocol defines a set of APDUs, each of w
35、hich may potentially be mapped onto any Presentation Layer service which conveys user-data, or which may be embedded in or concatenated with any other application-PDU, according to the rules of the ASO-context or application-context in force. Clause 8 defines some useful mappings to the presentation
36、-service and ACSE. 6 Elements of procedure 6.1 APDUs used The SESE protocol specifies the following APDUs: 6.2 Transfer procedure This procedure is used by a requestor SEPM to initiate a security-exchange requiring the transfer of one or more security-exchange-items. This procedure is also used by e
37、ither requestor or responder SEPM to transfer further security-exchange-items started by the requestor SEPM. On receipt of a SE-TRANSFER request primitive, the SEPM retains the security exchange identifier, and generates a SE-TRANSFER APDU (SETR). On receipt of a SE-TRANSFER APDU (SETR), the SEPM re
38、tains the security exchange identifier, and issues a SE-TRANSFER indication primitive. If the security exchange belongs to the “Alternating” class, and the exchange does not follow the expected sequence, then the SEPM generates an SE-P-ABORT APDU (SEPA), and issues an SE-P-ABORT indication. 6.3 User
39、-initiated abort procedure This procedure is used for one SESE user to indicate to the peer SESE user and the SEPM that an error has occurred and that any security exchange in progress is to be abnormally terminated. Additionally, it may optionally cause the abnormal release of the ASO-association w
40、ith the possible loss of information in transit. It is initiated by an SE-U-ABORT request primitive. On receipt of an SE-U-ABORT request primitive, the SEPM generates an SE-ABORT APDU (SEAB). On receipt of an SE-ABORT APDU (SEAB), the SEPM issues an SE-U-ABORT indication primitive. ACSE Association
41、Control Service Element APDU application-protocol-data-unit ASE application-service-element ASO application-service-object OSI Open Systems Interconnection PICS Protocol Implementation Conformance Statement SEPM Security Exchange Protocol Machine SEI Security Exchange Item SESE Security Exchange Ser
42、vice Element SE-TRANSFER Non-confirmed SE-U-ABORT Non-confirmed SE-P-ABORT Provider-initiated SE-TRANSFER APDU (SETR) SE-U-ABORT APDU (SEAB) SE-P-ABORT APDU (SEPA)BS ISO/IEC 11586-3:1996 BSI 11-1998 3 6.4 Provider-initiated abort procedure This procedure is used for the SEPM to indicate to the SESE
43、users that an error has occurred and that any security exchange in progress is to be abnormally terminated. Additionally, it may optionally cause the abnormal release of the ASO-association with the possible loss of information in transit. On detection of an error, the SEPM issues an SE-P-ABORT indi
44、cation primitive and generates an SE-P-ABORT APDU (SEPA). If the severity of the error requires the ASO-association to be terminated, the SEPA APDU is mapped to the ASO-Association Abort service. On receiving an ASO-Association Abort indication with SEPA APDU, the SEPM issues an SE-P-ABORT indicatio
45、n with the fatality indicator set. An error condition causing a SE-P-ABORT to be generated has an associated problem code, which may be indicated to both ends. The problems so indicated are categorized as follows: a) general problem Not peculiar to any particular APDU type; b) transfer problem Probl
46、em resulting from receipt of a SE-TRANSFER APDU; c) abort problem Problem resulting from receipt of a SE-U-ABORT APDU. Particular error conditions, and the associated problem codes, are described in the following. 6.4.1 General problem Invalid APDU The structure and/or encoding of the APDU do not co
47、nform to either SETR, SEAB, or SEPA APDUs. 6.4.2 Transfer problem a) Duplicate invocation identifier The same invocation identifier is in use for another active security exchange invocation. b) Unrecognized security exchange The security exchange identified is not valid for this ASO-context. c) Mist
48、yped item The type of the SEI does not conform to that in the object class definition. d) Inappropriate invocation identifier The invocation identifier is not within the set specified for this ASO-context. e) Alternating sequence error The received SETR does not follow the sequence of the “Alternati
49、ng” class of security exchange. 6.4.3 Abort problem a) Unrecognized invocation identifier The invocation identifier does not identify an active or just-completed security exchange transfer. b) Abort unexpected The identified security exchange does not generate an abort for this security exchange item. c) Unrecognized error The identified security exchange does not generate this error. d) Unexpected error The identified secu
