STD-ITU-T RECMN Q.815-ENGL 2000

INTERNATIONAL TELECOMMUNICATION UNION

ITU-T
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU

Q.815
(02/2000)

SERIES Q: SWITCHING AND SIGNALLING
Specifications of Signalling System No. 7 - Q3 interface

Specification of a security module for whole message protection

ITU-T Recommendation Q.815
(Formerly CCITT Recommendation)

ITU-T Q-SERIES RECOMMENDATIONS
SWITCHING AND SIGNALLING

SIGNALLING IN THE INTERNATIONAL MANUAL SERVICE  Q.1-Q.3
INTERNATIONAL AUTOMATIC AND SEMI-AUTOMATIC WORKING  Q.4-Q.59
FUNCTIONS AND INFORMATION FLOWS FOR SERVICES IN THE ISDN  Q.60-Q.99
CLAUSES APPLICABLE TO ITU-T STANDARD SYSTEMS  Q.100-Q.119
SPECIFICATIONS OF SIGNALLING SYSTEMS No. 4 AND No. 5  Q.120-Q.249
SPECIFICATIONS OF SIGNALLING SYSTEM No. 6  Q.250-Q.309
SPECIFICATIONS OF SIGNALLING SYSTEM R1  Q.310-Q.399
SPECIFICATIONS OF SIGNALLING SYSTEM R2  Q.400-Q.499
DIGITAL EXCHANGES  Q.500-Q.599
INTERWORKING OF SIGNALLING SYSTEMS  Q.600-Q.699
SPECIFICATIONS OF SIGNALLING SYSTEM No. 7  Q.700-Q.849
  General  Q.700
  Message transfer part (MTP)  Q.701-Q.709
  Signalling connection control part (SCCP)  Q.711-Q.719
  Telephone user part (TUP)  Q.720-Q.729
  ISDN supplementary services  Q.730-Q.739
  Data user part  Q.740-Q.749
  Signalling System No. 7 management  Q.750-Q.759
  ISDN user part  Q.760-Q.769
  Transaction capabilities application part  Q.770-Q.779
  Test specification  Q.780-Q.799
  Q3 interface  Q.800-Q.849
DIGITAL SUBSCRIBER SIGNALLING SYSTEM No. 1  Q.850-Q.999
PUBLIC LAND MOBILE NETWORK  Q.1000-Q.1099
INTERWORKING WITH SATELLITE MOBILE SYSTEMS  Q.1100-Q.1199
INTELLIGENT NETWORK  Q.1200-Q.1699
SIGNALLING REQUIREMENTS AND PROTOCOLS FOR IMT-2000  Q.1700-Q.1799
BROADBAND ISDN  Q.2000-Q.2999

For further details, please refer
to the list of ITU-T Recommendations.

ITU-T Recommendation Q.815

Specification of a security module for whole message protection

Summary

This ITU-T Recommendation specifies an optional security module to be used with ITU-T Recommendation Q.814, Specification of an Electronic Data Interchange Interactive Agent, that provides security services for whole Protocol Data Units (PDUs). In particular, the security module supports non-repudiation of origin and of receipt, as well as whole message integrity.

Source

ITU-T Recommendation Q.815 was prepared by ITU-T Study Group 4 (1997-2000) and approved under the WTSC Resolution 1 procedure on 4 February 2000.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Conference (WTSC), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSC Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE

In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database.

© ITU 2001

All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm, without permission in writing from the ITU.

1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions
4 Abbreviations
5 Conventions
6 Q.815 details
6.1 Security Module Message Types
6.1.1 Message Integrity Service
6.1.2 Non-Repudiation of Origin Service
6.1.3 Non-Repudiation of Receipt Service
6.2 General Characteristics
7 General Syntax
7.1 Hashed Messages
7.1.1 Object Identifiers Referenced by Hashed Messages
7.1.2 Value Information for Hashed Messages
7.2 Signed Messages
7.2.1 Object Identifiers Referenced by Signed Messages
7.2.2 Value Information for Signed Messages
7.3 IA Receipt Message
7.3.1 Object Identifiers Referenced by IA Receipt Messages
7.3.2 Value Information for IA Receipt Messages
7.4 STASE-ROSE PDU
Annex A - ASN.1 Production Module
Appendix I - Non-normative references
Appendix II - The SHA-1 Message Digest Algorithm
II.1 Introduction
II.2 Bit strings and integers
II.3 Operations on words
II.4 Message padding
II.5 Functions used
II.6 Constants used
II.7 Computing the message digest
II.8 Alternate method of computation
II.9 Comparison of methods

ITU-T Recommendation Q.815

Specification of a security module for whole message protection

1 Scope

The security module provides security services for whole Protocol Data Units (PDUs). In particular, it supports non-repudiation of origin and of receipt, as well as whole message integrity.

In the context of EDI-based TMN transactions, on the sender's side, it accepts as input the output of the EDI translator, performs the requested security transformations, and provides the resulting octet string to the Interactive Agent (IA). On the receiving side it receives from the IA an octet string that it interprets as security module PDU. It then proceeds to verify the validity
of the underlying message. In the case of integrity protection, if the message is valid, then it passes that message (without the message integrity code) to the EDI translator.

The security module keeps a log of all the messages it receives from the IA. It provides those messages, along with an indication, for each message, representing the result of the verification procedure. This log is available to the local EDI user. The specifics of the log, as well as the interface to the log are a local matter outside the scope of this ITU-T Recommendation. The behaviour of the security module when verification fails is also a local matter outside the scope of this ITU-T Recommendation.

Figure 1 below, duplicated from Figure 2/Q.814, is used herein as a reference.

[Figure 1/Q.815 - Message Flow Relationship With Message Security Services]

2 References

2.1 Normative references

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; all users of this Recommendation are therefore
encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published.

- ITU-T Recommendation Q.812 (1997)/Amd.3 (2000), Upper layer protocol profiles for the Q3 and X interfaces - Amendment 3: Protocol profile for electronic communications interactive agent.
- ITU-T Recommendation Q.814 (2000), Specification of an electronic data interchange interactive agent.
- ITU-T Recommendation X.509 (1997) | ISO/IEC 9495-8:1998, Information technology - Open Systems Interconnection - The Directory: Authentication framework.
- ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation.
- ITU-T Recommendation X.681 (1997) | ISO/IEC 8824-2:1998, Information technology - Abstract Syntax Notation One (ASN.1): Information object specification.
- ITU-T Recommendation X.682 (1997) | ISO/IEC 8824-3:1998, Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification.
- ITU-T Recommendation X.683 (1997) | ISO/IEC 8824-4:1998, Information technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications.
- ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).

ISO - International Organization for Standardization:

- ISO 3166 (All parts), Codes for the representation of names of countries and their subdivisions.

2.2 Informative references

- Directory Implementors Guide (Version 11) (1998).

3 Definitions

This ITU-T Recommendation defines the following terms:

3.1 application protocol data unit: A packet of data exchanged between two application programs across a network. This is the highest level view of communication in the OSI seven layer model and a single packet exchanged at this level may actually be transmitted as several packets at a lower layer as well as having extra information (headers) added for routing, etc.

3.2 distinguished encoding rules: A restricted form of Basic Encoding Rules defined in (ITU-T X.690) to eliminate the options in BER.

3.3 electronic data interchange: The exchange of documents in standardized electronic form, between organizations, in an automated manner, directly from a computer application in one organization to an application in another.

3.4 electronic data interchange for administration, commerce and transport: The syntax is an ISO standard (ISO 9735), and was adopted by the United Nations (UN) as the basis for the international development of business messages for EDI (UN/EDIFACT). EDIFACT grew out of a desire to bring together previous standards and ASC X12.

3.5 interactive agent: The Interactive Agent (IA) supports the
exchange of Electronic Data Interchange (ANSI ASC X12 EDI or EDIFACT) transactions between peer entities within the telecommunications industry.

3.6 RSA: RSA is a public-key cryptosystem developed by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman in 1977 in an effort to help ensure Internet security. A cryptosystem is simply an algorithm that can convert input data into something unrecognizable (encryption), and convert the unrecognizable data back to its original form (decryption). RSA encryption techniques are described in ITU-T Recommendation X.509.

3.7 secure hash algorithm, revision 1: A 160-bit hash function, mandated by the National Institute for Standards Technology (NIST), with security mechanisms similar to MD5. SHA-1 is defined by the United States Government in FIPS 180-1. It is a mechanism to reduce a lengthy text message to a short digest of 160 bits that is both one-way (i.e. non-reversible) and not susceptible to collisions from multiple different texts. Because SHA generates a 160-bit hash (message digest) it is much safer from brute-force cryptographic attacks than MD5. Digests are best thought of as the digital fingerprint of a message. It is a relatively fast, low-overhead and secure algorithm. SHA-1 can be used to support integrity protection (by itself), or for non-repudiation (in conjunction with public key encryption). The SHA-1 Message Digest Algorithm is described in Appendix II.

4 Abbreviations

This ITU-T Recommendation uses the following abbreviations:

APDU     Application Protocol Data Unit
ASC      Accredited Standards Committee
DER      Distinguished Encoding Rules (of ASN.1)
EDI      Electronic Data Interchange
EDIFACT  Electronic Data Interchange for Administration, Commerce and Transport
IA       Interactive Agent
IP       Internet Protocol
PDU      Protocol Data Unit
RSA      Rivest, Shamir, Adleman
SHA-1    Secure Hash Algorithm, Revision 1
SM       Security Module
SR       STASE ROSE
TCP      Transmission Control Protocol
TLS      Transport Layer Security
TMN      Telecommunications Management Network

5 Conventions

The following conventions are used: References to clauses, subclauses, annexes and appendices refer to those items within this ITU-T Recommendation unless another specification is explicitly listed.

6 Q.815 details

6.1 Security Module Message Types

Q.815 Security Module specifies the following guidelines: Message Integrity and/or Non-Repudiation services may be provided by the Security Module (SM). If the SM provides Message Integrity, it uses SHA-1 to produce the Message Digest (MD). If the SM provides Non-Repudiation of Origin, it uses SHA-1 to produce an MD then uses the RSA digital signature mechanism. Non-Repudiation of Receipt is provided by a mechanism described in this ITU-T Recommendation. A fourth set of security enhancements is available through the use of STASE-ROSE (see ITU-T Recommendation Q.813).

6.1.1 Message Integrity Service

The direct user supplies the SM with an EDIFACT or ASC X12 EDI message. The SM will compute a message digest utilizing the EDIFACT or ASC X12 EDI data as input to the digest algorithm. The SM DER encodes a Hashed Message in accordance with 7.1. The IA utilizes the DER encoded octet string as the contents of an Enhanced Message, as defined in ITU-T Recommendation Q.814.

6.1.2 Non-Repudiation of Origin Service

The direct user supplies the SM with an EDIFACT or ASC X12 EDI message. The SM will compute a message digest utilizing the EDIFACT or ASC X12 EDI data as input to the digest algorithm. The SM encrypts a DER encoding of the message digest according to the digital signature algorithm utilizing the private key of the sender. The SM DER encodes a Signed Message in accordance with 7.2. The IA utilizes the DER encoded octet string as the contents
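
The Message Integrity Service of 6.1.1 and the receive-side behaviour described in clause 1 (verify, log the result, hand the bare message to the EDI translator), as an added Python example that is not part of the Recommendation. The SEQUENCE layout (algorithm OID, digest, message), the function names and the sample message are assumptions of this example; the normative Hashed Message syntax is the one in 7.1.

```python
import hashlib
import hmac

# DER encoding of OBJECT IDENTIFIER 1.3.14.3.2.26 (SHA-1)
SHA1_OID = bytes.fromhex("06052b0e03021a")

def tlv(tag, value):
    """Encode one DER tag-length-value with a minimal definite length."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def read_tlv(buf, pos):
    """Decode one TLV at pos; reject length forms that DER does not allow."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        if k == 0 or buf[pos] == 0 or n < 0x80:
            raise ValueError("length is not minimal DER")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + n], pos + n

def wrap_hashed_message(edi):
    """Sender: SHA-1 over the EDI octets, DER-wrapped (assumed layout)."""
    digest = hashlib.sha1(edi).digest()
    return tlv(0x30, SHA1_OID + tlv(0x04, digest) + tlv(0x04, edi))

def receive(pdu, log):
    """Receiver: verify, log the outcome, return the message without digest."""
    edi, ok = None, False
    try:
        tag, body, end = read_tlv(pdu, 0)
        t1, oid, p = read_tlv(body, 0)
        t2, digest, p = read_tlv(body, p)
        t3, edi, p = read_tlv(body, p)
        ok = (tag == 0x30 and end == len(pdu) and p == len(body)
              and (t1, t2, t3, oid) == (0x06, 0x04, 0x04, SHA1_OID[2:])
              and hmac.compare_digest(digest, hashlib.sha1(edi).digest()))
    except (ValueError, IndexError):
        pass
    log.append((pdu, ok))        # every PDU from the IA is logged with its result
    return edi if ok else None   # failure handling is a local matter; here: drop

# Constructed EDIFACT-style sample, not taken from the Recommendation.
SAMPLE = b"UNH+1+ORDERS:D:96A:UN'BGM+220+PO123+9'UNT+3+1'"
```

A bare digest travels with the message, so anyone able to alter the message in transit can also recompute the digest; assurance of origin comes from the signed variant of 6.1.2.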