1、STD-ITU-T RECMN X-dU3-ENGL 1994 m qdb257L Ob20444 UT9 m INTERNATIONAL TELECOMMUNICATION UN ION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS SEC UR ITY X.803 (07194) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - UPPER LAYERS SECURITY MOD
2、EL ITU-T Recommendation X.803 (Previously “CCITT Recommendation”) FOREWORD ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 membe
3、r countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets world telecommunications standards (Recommendations). The approval of Recommendations by the Members of ITU-T is covered by the
4、 procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period. In some areas of informatio
5、n technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of ITU-T Recommendation X.803 was approved on Ist of July 1994. The identical text is also published as ISOEC International Standard 10745. NOTE In this Recommendat
6、ion, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1995 All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, includi
7、ng photocopying and microfilm, without permission in writing from the ITU. ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS (February 1994) ORGANIZATION OF X-SERIES RECOMMENDATIONS PUBLIC DATA NETWORKS Services and facilities Subject area I Recommendation series 1 X. I-X.
8、19 Interfaces Transmission, signalling and switching X.20-X.49 X.50-X.89 Network aspects Maintenance X.90-X.149 x. 150-x. 179 Administrative arrangements OPEN SYSTEMS INTERCONNECTION X. 180-X. I99 Model and notation Service definitions x.200-x.209 x.2 1 o-x.219 I Conformance testing I X.290-X.299 I
9、Connection-mode protocol specifications Connectionless-mode protocol specifications X.220-X.229 X.230-X.239 PICS proformas Protocol identification X.240-X.259 X .260- X .269 Security protocols Layer managed objects X.270-X.279 X.280-X.289 INTERWORKING BETWEEN NETWORKS General x.300-x.349 I Transacti
10、on processing I X.860-X.879 I Mobile data transmission systems Management I Remote owrations X.350-X.369 x.370-x.399 1 X.880-X.899 I MESSAGE HANDLING SYSTEMS DIRECTORY I OPEN DISTRIBUTED PROCESSING I x.900-x.999 I x.400-x.499 x.500-x.599 OS1 NETWORKING AND SYSTEM ASPECTS Networking X.600-X.649 Namin
11、g, addressing and registration Abstract Syntax Notation One (ASN. I) X.650-X.679 X ,680-X. 699 OS1 MANAGEMENT SECURITY x.700-x.799 X.800-X.849 OS1 APPLICATIONS Commitment, concurrency and recovery X.850-X.859 STD-ITU-T RECMN X.BU3-ENGL 1774 48b257L Ob20Li47 808 W CONTENTS Fore word . Summary . Intro
12、duction . Scope Normative references . 2.1 Identical Recommendations I International Standards 2.2 Paired Recommendations I International Standards equivalent in technical content Definitions Abbreviations Concepts . . 5.1 Security policy 5.2 Security associations . 5.3 Security state . . Architectu
13、re 6.1 Overall model 6.3 Security exchange functions . Services and mechanisms . 7.1 Authentication . 7.2 Access control . 7.4 Integrity . 7.5 Confidentiality Layer interactions . 8.1 Interactions between Application and Presentation Layers 8.2 Interactions between Presentation and Session Layers .
14、5.4 Application Layer requirements 6.2 Security associations 6.4 Security transformations . 7.3 Non-repudiation 8.3 Use of lower layer services Annex A . Relationship to OS1 management . Annex B . Bibliography ITU-T Rec . X.803 (1994 E) Page II iii . 111 1 1 2 2 2 4 5 5 5 5 6 7 7 8 10 11 12 13 14 15
15、 15 16 17 17 17 17 18 19 i Foreword IS0 (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of IS0 or IEC participate in the development of Internation
16、al Standards through technical committees established by the respective organization to deal with particular fields of technical activity. IS0 and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with
17、IS0 and IEC, also take part in the work. In the field of information technology IS0 and IEC have established a joint technical committee, ISO/IEC JTC I. Draft international Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an Internationa
18、l Standard requires approval by at least 75% of the national bodies casting a vote. International Standard ISOAEC 10745 was prepared by Joint Technical committee ISOAEC JTC I, Information technology, Subcommittee SC21, Information retrieval, transfer and management for open systems interconnection (
19、OSI), in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.803. ii ITU-T Rec. X.803 (1994 E) Summary This Recommendation I International Standard describes the selection, placement and use of security services and mechanisms in the upper layers (applications, presen
20、tation and session layers) of the OS1 Reference Model. Introduction The OS1 Security Architecture (CCITT Rec. X.800 I IS0 7498-2) defines the security-related architectural elements which are appropriate for application when security protection is required in an open systems environment. This Recomm
21、endation I International Standard describes the selection, placement, and use of security services and mechanisms in the upper layers (Application, Presentation, and Session Iayers) of the OS1 Reference Model. . ITU-T RW. X.803 (1994 E) 111 STD-ITU-T RECMN X-803-ENGL 1994 48b259L ObZOi50 3T2 ISOIEC
22、10745 : 1995 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - UPPER LAYERS SECURITY MODEL 1 1.1 1.2 1.3 Scope This Recommendation I International Standard defines an architectural model that provides a basis for: a) the development of applicatio
23、n-independent services and protocols for security in the upper layers of OSI; and the utilization of these services and protocols to fulfil the security requirements of a wide variety of applications, so that the need for application-specific ASES to contain internal security services is minimized.
24、b) In particular, this Recommendation i International Standard specifies: a) b) the security aspects of communication in the upper layers of OSI; the support in the upper layers of the security services defined in the OS1 Security Architecture and the Security Frameworks for Open Systems; the positi
25、oning of, and relationships among, security services and mechanisms in the upper layers, according to the guidelines of CCITT Rec. X.800 I IS0 7498-2 and ITU-T Rec. X.207 i ISOAEC 9545. the interactions among the upper layers, and interactions between the upper layers and the lower layers, in provid
26、ing and using security services: the requirement for management of security information in the upper layers. c) d) e) With respect to access control, the scope of this Recommendation i International Standard includes services and mechanisms for controlling access to OS1 resources and resources acces
27、sible via OSI. 1.4 This Recommendation i International Standard does not include: a) b) c) 1.5 This Recommendation I International Standard is neither an implementation specification for systems nor a basis for appraising the conformance of implementations. NOTE - The scope of this Recommendation I
28、Intemational Standard includes security for connectionless applications and for distributed applications (such as store-and-forward applications, chained applications, and applications acting on behalf of other applications). definition of OS1 services or specification of OS1 protocols; specificatio
29、n of security techniques and mechanisms, their operation, and their protocol requirements; or aspects of providing security which are not concerned with OS1 communications. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in
30、 this text, constitute provisions of this Recommendation i International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and entities to agreements based on this Recommendation I International Standard are encouraged
31、 to investigate the possibility of applying the most recent editions of the Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid IT
32、U-T Recommendations. ITU-T RC. X.803 (1994 E) I - - STD-ITU-T RECMN X.803-ENGL 1774 48b2571 Ob2045L 237 = ISOAEC 10745 : 1995 (E) 2.1 Identical Recommendations I International Standards - ITU-T Recommendation X.207 (1993) I ISO/IEC 9545: 1993, Information technology - Open Systems Interconnection -
33、Application layer structure. ITU-T Recommendation X.81 I) (1993) I ISOAEC 10181-2), Information technology - Securiry frameworks in Open Systems: Authentication framework. ITU-T Recommendation X.812) (1993) I ISOIIEC 10181-31), Information technology - Security frameworks in Open Systems: Access con
34、trol framework. - - 2.2 Paired Recommendations I International Standards equivalent in technical content - CCIn Recommendation X.200 (1988). Basic reference model of open systems interconnection for CCIIT applications. IS0 7498: 1984/Corr. 1 : 1988, Information Processing Systems - Open Systems Inte
35、rconnection - Basic Reference Model. CCITT Recommendation X.2 16 (1988). Presentation service definition for open systems interconnection for CCIn applications. - Is0 8822: 1987, Information Processing Systems - Open Systems Interconnection - Connection Oriented Presentation Service Definition. CCIT
36、T Recommendation X.2 17 ( 1988), Association control service definition for open systems interconnection for CCIT applications. IS0 8649: 1987, Information processing systems - Open Systems Interconnection - Service definition for the Association Control Service Element. CCITT Recommendation X.700 (
37、1 992). Management framework definition for Open Systems Interconnection for CCU applications. ISOAEC 7498-4: 1989. Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 4: Managemem framework. CCITT Recommendation X.800 (1 99 11, Security architecture for Open
38、 Systems Interconnection for CCIIT applications. IS0 7498-2: i 988, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security architecture. 3 Definitions 3.1 The following terms are used as defined in CCITT Rec. X.200 I IS0 7498: a) abstract syntax; b)
39、application-entity; c) application-process; d) application-process-invocation; e) application-protocol-control-information; t) application-protocol-data-unit; g) local system environment; h) (N)-function; i) (N)-relay; j) open system; k) presentation context; i) presentation-entity; ) Presently at s
40、tage of draft. 2 ITU-T RW. X.803 (1994 E) ISO/EC 10745 : 1995 (E) m) real open system; n) systems-management; o) transfer syntax. The following terms are used as defined in CCITT Rec. X.800 I IS0 7498-2: a) access control; b) authentication; c) confidentiality; d) data integrity; e) data origin auth
41、entication; f) decipherment; g) encipherment; 3.2 h) key; i) non-repudiation; j) notarization; k) peer-entity authentication; I) security audit; m) Security Management Information Base; n) security policy; o) selective field protection; p) signature; q) traffic flow confidentiality; r) trusted funct
42、ionality. The following terms are used as defined in CCIT Rec. X.700 I ISOAEC 7498-4: a) Management Information; b) OS1 Management. The following terms are used as defined in Rec. ITU-T Rec. X.207 I ISOAEC 9545: a) application-association; b) application-context; c) application-entity-invocation (AE
43、I); d) application-service-element (ASE); e) ASE-type; f) application-service-objet (ASO); g) ASO-association; h) ASO-context; i) ASO-invocation; j) ASO-type; k) control function (CF). The following term is used as defined in CCITT Rec. X.216 I IS0 8822: - presentation data value. The following term
44、s are used as defined in IT-T Rec. X.811 I ISOAEC 1018 1-2: a) authentication exchange; b) claim authentication information; c) claimant; 3.3 3.4 3.5 3.6 ITU-T Rec. X.803 (1994 E) 3 - - STD-ITU-T RECMN X*BOI-ENGL 1974 48b2571 Ob20453 001 .L. ISO/IEC 10745 : 1995 (E) d) exchange authentication inform
45、ation; e) entity authentication; f) principal; g) verification authentication information; f) verifier. The following terms are used as defined in ITU-T Rec. X.812 I ISOBEC 10181-3: a) access control certificate; b) access control information. For the purposes of this Recommendation i International
46、Standard, the following definitions apply: 3.7 3.8 association security state: Security state relating to a security association. protecting presentation context: A presentation context that associates a protecting transfer syntax with an abstract syntax. protecting transfer syntax: A transfer synta
47、x based on encoding/decoding processes that employ a security transformation. seal: A cryptographic check value that supports integrity but does not protect against forgery by the recipient (i.e. it does not support non-repudiation). security association: A relationship between two or more entities
48、for which there exist attributes (state information and rules) to govern the provision of security services involving those entities. security cornmunication function: A function supporting the transfer of security-related information between open systems. security domain: A set of elements, a secur
49、ity policy, a security authority and a set of security relevant activities in which the set of elements are subject to the security policy. administered by the security authority, for the specified activities. security exchange: A transfer or sequence of transfers of application-protocol-control-information between open systems as part of the operation of one or more security mechanisms. security exchange item: A logicaily-distinct piece of information corresponding to a single transfer (in a sequence of transfers) in a security excha
