INTERNATIONAL TELECOMMUNICATION UNION
ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU

Q.813 (06/98)

SERIES Q: SWITCHING AND SIGNALLING
Specifications of Signalling System No. 7 - Q3 interface

Security Transformations Application Service Element for Remote Operations Service Element (STASE-ROSE)

ITU-T Recommendation Q.813
(Previously CCITT Recommendation)

ITU-T Q-SERIES RECOMMENDATIONS
SWITCHING AND SIGNALLING

  SIGNALLING IN THE INTERNATIONAL MANUAL SERVICE                        Q.1-Q.3
  INTERNATIONAL AUTOMATIC AND SEMI-AUTOMATIC WORKING                    Q.4-Q.59
  FUNCTIONS AND INFORMATION FLOWS FOR SERVICES IN THE ISDN              Q.60-Q.99
  CLAUSES APPLICABLE TO ITU-T STANDARD SYSTEMS                          Q.100-Q.119
  SPECIFICATIONS OF SIGNALLING SYSTEMS No. 4 AND No. 5                  Q.120-Q.249
  SPECIFICATIONS OF SIGNALLING SYSTEM No. 6                             Q.250-Q.309
  SPECIFICATIONS OF SIGNALLING SYSTEM R1                                Q.310-Q.399
  SPECIFICATIONS OF SIGNALLING SYSTEM R2                                Q.400-Q.499
  DIGITAL EXCHANGES                                                     Q.500-Q.599
  INTERWORKING OF SIGNALLING SYSTEMS                                    Q.600-Q.699
  SPECIFICATIONS OF SIGNALLING SYSTEM No. 7                             Q.700-Q.849
    General                                                             Q.700
    Message transfer part (MTP)                                         Q.701-Q.709
    Signalling connection control part (SCCP)                           Q.711-Q.719
    Telephone user part (TUP)                                           Q.720-Q.729
    ISDN supplementary services                                         Q.730-Q.739
    Data user part                                                      Q.740-Q.749
    Signalling System No. 7 management                                  Q.750-Q.759
    ISDN user part                                                      Q.760-Q.769
    Transaction capabilities application part                           Q.770-Q.779
    Test specification                                                  Q.780-Q.799
    Q3 interface                                                        Q.800-Q.849
  DIGITAL SUBSCRIBER SIGNALLING SYSTEM No. 1                            Q.850-Q.999
    General                                                             Q.850-Q.919
    Data link layer                                                     Q.920-Q.929
    Network layer                                                       Q.930-Q.939
    User-network management                                             Q.940-Q.949
    Stage 3 description for supplementary services using DSS 1          Q.950-Q.999
  PUBLIC LAND MOBILE NETWORK                                            Q.1000-Q.1099
  INTERWORKING WITH SATELLITE MOBILE SYSTEMS                            Q.1100-Q.1199
  INTELLIGENT NETWORK                                                   Q.1200-Q.1999
  BROADBAND ISDN                                                        Q.2000-Q.2999

For further details, please refer to ITU-T List of Recommendations.

ITU-T RECOMMENDATION Q.813
SECURITY TRANSFORMATIONS APPLICATION SERVICE ELEMENT FOR REMOTE OPERATIONS SERVICE ELEMENT (STASE-ROSE)

Summary

This Recommendation provides specifications to support security transformations, such as encryption, hashing, sealing and signing, focusing on whole Remote Operations Service Element (ROSE) Protocol Data Units (PDUs). Security transformations are used to provide various security services such as authentication, confidentiality, integrity and non-repudiation. This Recommendation describes an approach to the provisioning of security transformations that is implemented in the application layer and requires no security-specific functionality in any of the underlying OSI stack layers.

Source

ITU-T Recommendation Q.813 was prepared by ITU-T Study Group 4 (1997-2000) and was approved under the WTSC Resolution No. 1 procedure on the 26th of June 1998.

FOREWORD

ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. The ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Conference (WTSC), which meets every four years, establishes the topics for study by the ITU-T Study Groups which, in their turn, produce Recommendations on these topics.

The approval of Recommendations by the Members of the ITU-T is covered by the procedure laid down in WTSC Resolution No. 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE

In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

INTELLECTUAL PROPERTY RIGHTS

The ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. The ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, the ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database.

© ITU 1999

All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU.

CONTENTS

1     Scope, Purpose and Application
1.1   Scope
1.2   Purpose
1.3   Application
2     References
2.1   Normative references
2.2   Informative references
3     Definitions
4     Abbreviations
5     Overview
5.1   Security transformations
5.2   Security information exchange
      5.2.1  Security information default values
      5.2.2  Negotiation of security algorithms
5.3   Abstract syntax for negotiation of security parameters
      5.3.1  Abstract syntax name
6     Model
7     Service overview
7.1   Association services
7.2   STASE-ROSE services
7.3   Relationship to presentation services
7.4   Service definition
      7.4.1  Conventions
      7.4.2  Association services
      7.4.3  SR-TRANSFER service
      7.4.4  SR-TRANSFER parameters
8     Interaction between application service elements
8.1   Association establishment
      8.1.1  Association initiator
      8.1.2  Association responder
8.2   Association release
      8.2.1  Sender
      8.2.2  Receiver
8.3   Association abort
      8.3.1  Sender
      8.3.2  Receiver
8.4   Data transfer
      8.4.1  Sender
      8.4.2  Receiver
9     STASE-ROSE protocol
9.1   Abstract syntax definition of APDUs
9.2   Abstract syntax name
9.3   Algorithms identifiers
9.4   Application contexts names
      9.4.1  Secure TMN context
      9.4.2  Secure Directory Application Context
9.5   STASE-ROSE procedures
      9.5.1  Transfer
9.6   Mapping of STASE-ROSE services to presentation service
10    Mapping of ROSE services to STASE-ROSE services
11    Conformance
12    SRPM state tables
12.1  Conventions
12.2  Actions to be taken by SRPM
      12.2.1  Invalid intersections
      12.2.2  Valid intersections
13    Remote-Operations-Protocol-Machine state tables
Annex A - Secure CMISE
A.1   Application context
A.2   Association establishment rules
A.3   Conformance
      A.3.1  Static requirements
      A.3.2  Dynamic requirements
Annex B - ASN.1 Syntax defined in this Recommendation
B.1   Abstract syntax for negotiation of security parameters
B.2   Abstract syntax definition of APDUs
B.3   Abstract syntax for public key authenticator
B.4   Abstract syntax object identifier
B.5   Application contexts names
Appendix I - Monotonically increasing time for security
Appendix II - Negotiation of security algorithms example
Appendix III - GSS-API use with STASE-ROSE
III.1  Association Establishment phase
III.2  Data transfer phase

Recommendation Q.813
SECURITY TRANSFORMATIONS
APPLICATION SERVICE ELEMENT FOR REMOTE OPERATIONS SERVICE ELEMENT (STASE-ROSE)
(Geneva, 1998)

1 Scope, Purpose and Application

1.1 Scope

Security Transformations (ST) are used to provide various security services such as peer entity authentication, data origin authentication, confidentiality, integrity and non-repudiation. Security transformations include encryption, hashing, digital seals and digital signatures. This Recommendation supports security services for ROSE PDUs within the application layer. It is independent of the underlying communications protocol stack.

This Recommendation defines a new Application Service Element (ASE) called Security Transformations Application Service Element for ROSE (STASE-ROSE), which resides between the ROSE and the Presentation Layer in the OSI Protocol Stack. This Recommendation provides an approach for performing Security Transformations (ST) that imposes no requirements on any of the six lower layers of the communications stack. This is in contrast to methods, e.g. Generic Upper Layers Security (GULS), that support security transformations through embedded functionality in the communications stack at the presentation layer.

This Recommendation further provides for peer entity authentication at association set-up time; for the negotiation of security parameters (such as security algorithms) that will be used in the course of the association; and for dynamic update, in the course of the association, of security parameters that are used for individual protocol data units.

The method presented in this Recommendation could be adapted for ASEs other than ROSE that interact directly with the presentation layer. However, this Recommendation focuses on ROSE and does not cover any possible extensions or generalizations.

How the actual security transformations are performed (e.g. producing and verifying digital signatures) is a local matter outside the scope of this Recommendation. In particular, the use of a generic security module, such as the Generic Security Service - Application Programming Interface (GSS-API), for performing security transformations is a local matter. Nevertheless, while this Recommendation does not mandate the use of GSS-API, it provides the necessary framework for using GSS-API together with STASE-ROSE (see Appendix III).

Key management is an important component of a security infrastructure. This Recommendation supports the exchange of information related to cryptographic keys. However, a general framework for key management is outside the scope of this Recommendation.

1.2 Purpose

The purpose of this Recommendation is to protect whole ROSE PDUs. Recommendation Q.812 specifies File Transfer Administration and Management (FTAM), Common Information Management Application Service Element (CMISE) and X.500 Directory in the application layer for the Q3 and X interfaces of the Telecommunications Management Network (TMN). X.500 and CMISE use the services of the Remote Operation Service Element (ROSE). This Recommendation addresses the security of ROSE Protocol Data Units (PDUs). While this Recommendation is motivated by the need to secure TMN interactions or message exchanges, it can be used to provide security for any application that uses ROSE.

1.3 Application

This Recommendation applies to ROSE-based applications such as user applications that use CMISE or X.500 Directory. Providing protection for CMIP PDUs is a major goal of this Recommendation. Since CMIP is based on the 1988 version of ROSE (see Recommendations X.219 and X.229), this Recommendation also focuses on that version, rather than the 1994 version (see Recommendations X.880, X.881 and X.882). Therefore this Recommendation may not apply to the current version of Recommendation X.500, which is based on the 1994 version of ROSE.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; all users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published.

2.1 Normative references

- ITU-T Recommendation M.3010 (1996), Principles for a telecommunications management network.
- ITU-T Recommendation Q.811 (1997), Lower layer protocol profiles for the Q3 and X interfaces.
- ITU-T Recommendation Q.812 (1997), Upper layer protocol profiles for the Q3 and X interfaces.
- ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic reference model: The Basic Model.
- CCITT Recommendation X.208 (1988), Specification of Abstract Syntax Notation One (ASN.1).
- ITU-T Recommendation X.210 (1993) | ISO/IEC 10731:1994, Information technology - Open Systems Interconnection - Basic reference model: Conventions for the definition of OSI services.
- ITU-T Recommendation X.217 (1995) | ISO/IEC 8649:1996, Information technology - Open Systems Interconnection - Service definition for the association control service element.
- CCITT Recommendation X.219 (1988), Remote Operations: Model, notation and service definition.
- ITU-T Recommendation X.227 (1995) | ISO/IEC 8650-1:1996, Information technology - Open Systems Interconnection - Connection-oriented protocol for the association control service element: Protocol specification.
- CCITT Recommendation X.229 (1988), Remote operations: Protocol specification.
- ITU-T Recommendation X.500 (1997) | ISO/IEC 9594-1:1997, Information technology - Open Systems Interconnection - The directory: Overview of concepts, models and services.
- ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1997, Information technology - Open Systems Interconnection - The directory: Authentication framework.
- ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation.
- ITU-T Recommendation X.681 (1997) | ISO/IEC 8824-2:1998, Information technology - Abstract Syntax Notation One (ASN.1): Information object specification.
- ITU-T Recommendation X.682 (1997) | ISO/IEC 8824-3:1998, Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification.
- ITU-T Recommendation X.683 (1997) | ISO/IEC 8824-4:1998, Information technology - Abstract Syntax Notation One (ASN.1): Parametrization of ASN.1 specifications.
- ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).
- ITU-T Recommendation X.710 (1997) | ISO/IEC 9595:1998, Information technology - Open Systems Interconnection - Common management information service.
- ITU-T Recommendation X.711 (1997) | ISO/IEC 9596-1:1998, Information technology - Open Systems In
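The model described in 1.1 above, as an added example that is not part of this Recommendation: a STASE-ROSE-like layer negotiates a seal algorithm at association set-up, then seals each whole ROSE PDU as one opaque octet string on the sending side and verifies it on the receiving side before anything reaches ROSE, so the layers below carry only bytes. The algorithm names, the envelope layout, the key and the PDU bytes are all constructed for this example; Q.813's actual APDU syntax and algorithm identifiers (clauses 9.1 and 9.3) are not reproduced here.

```python
import hmac

# Hypothetical algorithm identifiers: Q.813's own identifiers (clause 9.3) are not
# on this page, so these names are constructed for the example.
SEAL_ALGORITHMS = {"hmac-sha256": "sha256", "hmac-sha1": "sha1"}

def negotiate_seal_algorithm(initiator_proposals, responder_supported):
    """Association set-up: the responder takes the first algorithm the initiator
    proposed that it also supports; None means no common algorithm."""
    for alg in initiator_proposals:
        if alg in responder_supported and alg in SEAL_ALGORITHMS:
            return alg
    return None

def seal_pdu(rose_pdu, key, alg, seq):
    """Sender side: seal the whole ROSE PDU as one opaque octet string. The
    per-PDU sequence number is covered by the seal, so a replayed or reordered
    PDU fails verification. The layers below only ever see bytes."""
    sealed_octets = seq.to_bytes(8, "big") + rose_pdu
    seal = hmac.new(key, sealed_octets, SEAL_ALGORITHMS[alg]).digest()
    return {"alg": alg, "seq": seq, "pdu": rose_pdu, "seal": seal}

def open_sealed_pdu(envelope, key, expected_seq):
    """Receiver side: verify before handing the PDU up to ROSE.
    Returns (pdu, None) on success or (None, reason) on rejection."""
    alg = envelope["alg"]
    if alg not in SEAL_ALGORITHMS:
        return None, "unknown algorithm"           # never negotiated
    if envelope["seq"] != expected_seq:
        return None, "unexpected sequence number"  # replay or reorder
    sealed_octets = envelope["seq"].to_bytes(8, "big") + envelope["pdu"]
    expected = hmac.new(key, sealed_octets, SEAL_ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, envelope["seal"]):
        return None, "seal mismatch"               # modified in transit
    return envelope["pdu"], None

def run_demo():
    """Constructed round trip: negotiation, a good PDU, a tampered one, a replay."""
    alg = negotiate_seal_algorithm(["hmac-sha256", "hmac-sha1"], {"hmac-sha1"})
    key = b"constructed-association-key"  # key establishment is out of scope
    pdu = b"ROIV m-Get invokeId=7 (constructed placeholder, not real BER)"
    env = seal_pdu(pdu, key, alg, seq=1)
    good, _ = open_sealed_pdu(env, key, expected_seq=1)
    forged = dict(env, pdu=pdu.replace(b"m-Get", b"m-Set"))
    _, tamper_reason = open_sealed_pdu(forged, key, expected_seq=1)
    _, replay_reason = open_sealed_pdu(env, key, expected_seq=2)
    return alg, good == pdu, tamper_reason, replay_reason
```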