ECMA
EUROPEAN COMPUTER MANUFACTURERS ASSOCIATION

SECURITY IN OPEN SYSTEMS
A SECURITY FRAMEWORK

ECMA TR/46
July 1988

Free copies of this document are available from ECMA, European Computer Manufacturers Association, 114 Rue du Rhône, 1204 Geneva (Switzerland).

Brief History

ECMA, ISO and CCITT are working on standards for distributed applications in an Open System environment. Examples are the OSI Reference Model, the work on Open Distributed Processing and the Framework for Distributed Office Applications.

Security is a major concern in information processing. The security aspects of interconnection have been addressed by ISO in the work on the OSI Reference Model (DIS 7498/2, Security Architecture). The purpose of this Technical Report is to provide a Framework for the development of security provisions in the Application Layer. This Framework unifies many views of security needs and of security functionality, including notions about end-system security, and therefore allows a coherent approach to the specification of protocols and protocol elements as needed to realize secure Open Systems.

This Report gives an overview of security needs and of the basic functionality needed to answer these needs. Using a generic building block approach, it shows how supportive security applications may be constructed to satisfy a wide range of uses. In doing so this Report makes extensive use of the concepts developed in ECMA TR/42, Framework for Distributed Office Applications, as well as in ISO/OSI standards. However, other concepts, such as the Object Model of processing used in the work of ECMA/TC32-TG2 on the Distributed Application Services Environment, may also be used to describe the security functions developed in this document.

This Report is one of a set of Standards and Reports for Open Systems Interconnection. Open Systems Interconnection standards are intended to facilitate homogeneous interconnection between heterogeneous information processing systems. This Report is within the framework for the coordination of standards for Open Systems Interconnection which is defined by ISO 7498.

This Report is based on the practical experience of ECMA member Companies worldwide and on the results of their active participation in the work of ISO and CCITT as well as in national standards bodies in Europe and the USA. It represents a pragmatic, widely based consensus.

This Report emphasises the need for specification of the externally visible and verifiable characteristics needed for the communication of security related information. However, it avoids placing unnecessary constraints upon the internal design and implementation of information processing systems that process and exchange security related information.

This Report is oriented towards urgent and well understood needs and supports rapid and effective standardization. It is intended to
be capable of extensions to cover future developments in technology and needs.

Adopted as an ECMA Technical Report by the General Assembly of June 30, 1988.

TABLE OF CONTENTS

1. INTRODUCTION
1.1 Need and Application
1.2 Scope of Security in this Report
1.3 The Application Layer Security Framework
1.4 References
1.5 Definitions
1.5.1 General Terminology
1.5.2 Specific Terminology
1.5.3 Acronyms
2. REQUIREMENTS
2.1 Requirements on this Report
2.2 Environment Compatibility
2.3 General Security Requirements
2.3.1 User View of Security
2.3.2 Threats to be Addressed
2.3.3 Methods of Attack
2.4 Security Policies and Domains
2.4.1 Security Policy
2.4.2 Security Administration Domains
2.4.3 Cooperation between Security Domains
2.4.4 Levels of Policy
2.4.5 Implementation of Policies
2.5 Functional Security Requirements
2.5.1 Access Control
2.5.2 Resource Protection
2.5.3 Information Protection
2.5.4 Security Management
2.6 Implementation Considerations
2.6.1 Use of Supportive Applications
2.6.2 Cryptography
2.7 Design Requirements
2.7.1 Separation of Functionality
2.7.2 Distributed Operation
2.7.3 Robustness/Resilience
2.7.4 Selective Implementation
2.7.5 Usability
2.7.6 Evaluation and Testing
2.7.7 Certification and Accreditation
3. SECURITY CONCEPTS AND MODELS
3.1 The Security Domain Concept
3.1.1 Introduction
3.1.2 Autonomous Peer Domains
3.1.3 The Security Subdomain
3.1.4 Types of Security Domain
3.2 The Security Facility Concept
3.2.1 Introduction
4. DETAILED DESCRIPTION OF SECURITY FACILITIES
4.1 Subject Sponsor
4.1.1 Introduction
4.1.2 Functionality
4.1.3 Interaction with Other Facilities
4.1.4 Characteristics of the Subject Sponsor
4.1.5 Use of Other Applications
4.1.6 Facility Management
4.1.7 Interactions with Communications Layer Management
4.2 Authentication Facility
4.2.1 Introduction
4.2.2 Functions of the Authentication Facility
4.2.3 Interactions with Other Facilities
4.2.4 Interactions with Communications Layer Management
4.2.5 Use of Other Applications
4.2.6 Facility Management
4.3 Association Management Facility
4.3.1 Introduction
4.3.2 Functions of Association Management
4.3.3 Interaction with Other Facilities
4.3.4 Interactions with Communication Layer Management
4.3.5 Interactions with Other Applications
4.3.6 Facility Management
4.4 Security State Facility
4.4.1 Introduction
4.4.2 Functions of the Security State Facility
4.4.3 Interactions with Other Facilities
4.4.4 Interactions with Communication Layer Management
4.4.5 Use of Other Applications
4.4.6 Facility Management
4.5 Security Attribute Management Facility
4.5.1 Introduction
4.5.2 Functions of the Facility
4.5.3 Interactions with Other Facilities
4.5.4 Interactions with Communications Layer Management
4.5.5 Use of Other Applications
4.5.6 Facility Management
4.6 Authorization Facility
4.6.1 Introduction
4.6.2 Functions of the Authorization Facility
4.6.3 Interactions with Other Facilities
4.6.4 Interactions with Communications Layer Management
4.6.5 Use of Other Applications
4.6.6 Facility Management
4.7 Inter-Domain Facility
4.7.1 Introduction
4.7.2 Functions of the Inter-Domain Facility
4.7.3 Interactions with Other Facilities
4.7.4 Interactions with Communication Layer Management
4.7.5 Use of Other Applications
4.7.6 Facility Management
4.8 Security Audit Facility
4.8.1 Introduction
4.8.2 Functions of the Security Audit Facility
4.8.3 Interactions with Other Facilities
4.8.4 Interactions with Communications Layer Management
4.8.5 Use of Other Applications
4.8.6 Facility Management
4.9 Security Recovery Facility
4.9.1 Introduction
4.9.2 Functions of the Facility
4.9.3 Interactions with Other Facilities
4.9.4 Interactions with Communications Layer Management
4.9.5 Use of Other Applications
4.9.6 Facility Management
4.10 Cryptographic Support Facility
4.10.1 Introduction
4.10.2 Functions of the Cryptographic Support Facility
4.10.3 Interactions with Other Facilities
4.10.4 Interactions with Communications Layer Management
4.10.5 Use of Other Applications
4.10.6 Facility Management
4.11 Facility Interaction Matrix
5. RELATIONSHIP TO THE OSI REFERENCE MODEL
5.1 Security Facilities and Application Service Elements
5.2 Single Association Objects
5.3 Security Application Entity Types
6. SUPPORTIVE SECURITY APPLICATIONS
6.1 (title not recoverable from the scan)
6.2 Client and Servers Role in the Distributed Environment
6.2.1 Client/Server Interaction within a Supportive Security Application
6.2.2 Server/Server Interaction within a Supportive Security Application
6.3 Supportive Security Applications and the OSI Reference Model
6.4 Supportive Security Application Process Structure
6.5 Service and Management Aspects
7. SECURITY MANAGEMENT
7.1 Operational Security Management
7.1.1 Security Management Functions
7.1.2 Security Management Structures
7.1.3 Consistency and Synchronization of Security Management
7.2 Security Configuration Management
7.3 Ordering of Security Management
8. CONCLUSION
APPENDIX A - DETAILED EXAMPLE OF THE USE OF SECURITY FACILITIES IN ELECTRONIC MAIL
APPENDIX B - DISCUSSION OF SECURITY ATTRIBUTES
APPENDIX C - MANDATORY VERSUS DISCRETIONARY AUTHORIZATION POLICIES

1. INTRODUCTION

In recent years, advances in computing and telecommunications technology have greatly expanded the tools available to all users of data processing systems, irrespective of the field of application. This development is paralleled by the emergence of facilities for the distributed processing of application tasks, thus giving users great flexibility in the structuring of their systems and in the interaction with other systems. As a consequence, user
organizations are becoming more and more dependent on the services provided by their systems. Increasingly, information of high value, possibly critical to the survival of the organization, is placed on computer systems and exchanged over telecommunications facilities. This trend raises the need for dependable systems that process information securely.

This Report defines a Framework for the development of standards that support a wide variety of security requirements in a multi-user, multi-vendor systems environment. Major objectives in the development of such standards are:
- to allow effective interworking of diverse products
- to allow modular, expandable development of products
- to facilitate implementation.

This report is structured as follows:
- Clause 1 (this Clause) gives a general introduction, references and definitions of terms,
- Clause 2 gives an overview of security requirements from both the operational and the functional point of view. It also gives implementation considerations and design requirements relevant to the design of secure systems on the basis of this Framework,
- Clauses 3, 4, 5 and 6 describe the Security Framework: the Security Domain
concept, the Security Facilities concepts, and the mapping of these concepts to other architectures such as the OSI Reference Model and the Distributed Office Applications Framework,
- Clause 7 describes the management aspects of the security functions introduced in the preceding Clauses.
- Clause 8 gives a summary and conclusions.

1.1 Need and Application

Applications may be distributed for various reasons such as sharing of costly resources (e.g. a printer) or distributing functionality (e.g. electronic mail services). Standards for Open Systems Interconnection permit the functional components of applications to be distributed over a network. This must be done in a secure fashion that assures that users can depend on the services provided and the information stored and processed.

Generally, security refers to a complex of procedural, logical and physical measures aimed at prevention, detection and correction of certain kinds of misuse, together with the tools to install, operate and maintain these measures. For the purpose of this report “security” will refer to characteristics of data processing systems that give resistance to attack and misuse, intentional or otherwise. Other aspects of systems security, such as reliability, availability and redundancy, are outside the scope of this report.

Given the above definition, security addresses not only attacks and threats originating externally, i.e. by persons not belonging to the organization operating a given
network or system; it also addresses internal attacks and threats coming from known persons. By providing guarantees of integrity and/or confidentiality of information, secure systems may be used to perform business transactions in such a manner as not to expose their users to unacceptable liabilities. Already, major insurance companies are using higher rates for customers with insecure computer systems. Secure systems may more easily survive system failures because the tools and mechanisms needed to assure the integrity of information are available.

More and more computers are linked together in systems that provide a wide variety of services to their users. Such systems are frequently referred to as distributed processing systems because a single task may require cooperation between processes executing on several end-systems. This Report provides unifying principles, structuring distributed security functions and the associated protocols. This allows a secure environment to be created in which other types of applications may be executed.

1.2 Scope of Security in this Report

Many different security needs can be met by a common set of secure functions to be provided outside application processes. These functions will affect the interactions between users and productive applications, and between productive applications and supportive applications. They will also affect the installation, maintenance and management of applications and of the underlying system. These functions, their interactions and their management constitute the scope of security in this Report.

The level of view addressed in this Report is the level of the “secure environment”. This has close parallels with the concept of Open Distributed Processing. The security requirements of distributed applications that are specific to the nature of these applications (e.g. access controls to the objects owned by a given application) are addressed here only to the extent that generally applicable functions and their interactions can be identified. Where appropriate, this Framework refers to Security Services defined by the OSI Reference Model as defined in ISO 7498/2.

1.3 The Application Layer Security Framework

This document describes a Security Framework in terms of Application Layer functions necessary to build secure Open Systems. Figure 1 illustrates the concept of a secure, distributed system.

To the users and owners, the value represented by computer systems lies mostly in the information residing on these systems and in the application software processing this information. The information will exist in various forms, including files on magnetic media and messages transmitted by electronic means. In the figure, this information - the application data - is indicated as “Security Objects”.

A secure system protects the application data it processes as well as the application software that performs the processing. It protects information from misuse by users and from misuse by application software. In the figure, users and active applications are indicated as “Security Subjects”. (A passive application is a Security Object.)

In the Security Framework, the access of Security Subjects to Security Objects is mediated and controlled by Security Facilities. This concept
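The mediation relation described for Figure 1, as an added illustration that is not code from the report: a Security Facility sits between Security Subjects (users and active applications) and Security Objects (application data and passive applications), and because application software is itself a subject to be controlled, both the user and the application acting on that user's behalf must be permitted. The users, applications and permission table are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed model of Figure 1 of ECMA TR/46 (not the report's own code).

@dataclass(frozen=True)
class Subject:
    name: str
    kind: str            # "user" or "application"

@dataclass
class SecurityObject:
    name: str
    permitted: set = field(default_factory=set)   # {(subject name, operation)}

class SecurityFacility:
    """Mediates and records every access of a Subject to a SecurityObject."""
    def __init__(self):
        self.audit = []  # (user, application, object, operation, decision)

    def mediate(self, user: Subject, app: Subject, obj: SecurityObject, op: str) -> bool:
        # Both the user and the active application acting for that user must be
        # permitted: this guards against misuse by users and by application software.
        decision = all((s.name, op) in obj.permitted for s in (user, app))
        self.audit.append((user.name, app.name, obj.name, op, decision))
        return decision

# Constructed environment: the mail application appears twice, as an active
# subject (it runs on a user's behalf) and as a passive object (its stored code).
alice, admin = Subject("alice", "user"), Subject("admin", "user")
mail_app, installer = Subject("mail", "application"), Subject("installer", "application")
mailbox = SecurityObject("mailbox-alice", {("alice", "read"), ("mail", "read")})
mail_code = SecurityObject("mail", {("admin", "write"), ("installer", "write")})

def demo() -> dict:
    facility = SecurityFacility()
    return {
        "alice reads mailbox via mail": facility.mediate(alice, mail_app, mailbox, "read"),
        "alice reads mailbox via installer": facility.mediate(alice, installer, mailbox, "read"),
        "alice updates mail code via installer": facility.mediate(alice, installer, mail_code, "write"),
        "admin updates mail code via installer": facility.mediate(admin, installer, mail_code, "write"),
        "audit entries": len(facility.audit),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```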