1、INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COM M UN I CATI ON S SECURITY X.832 (04/95) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: SECURITY EXCHANGE SERVICE ELEMENT (SESE) PROTOC
2、OL SPECIFICATION ITU-T Recommendation X.832 (Previously “CCIlT Recommendation“) FOREWORD ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The IT Telecommunication Standardization Sector (ITU-T) is a permanent organ of the IT. So
3、me 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets world telecommunications standards (Recommendations). The approval of Recommendations by the Members of ITU-T is co
4、vered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period. In some areas o
5、f information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of IT-T Recommendation X.832 was approved on 10th of April 1995. The identical text is also published as ISO/IEC International Standard 11586-3. NOTE In
6、 this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1996 All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or me
7、chanical, including photocopying and microfilm, without permission in writing from the ITU. ITU-T RECMN*X-832 95 m 4862591 0608032 185 m Subject area PUBLIC DATA NETWORKS ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS (February 1994) ORGANIZATION OF X-SERIES RECOMMENDATI
8、ONS Recommendation Series Services and Facilities Interfaces Transmission, Signalling and Switching X. l-X. 19 X.20-X.49 X.50-X.89 7 Network Aspects Maintenance Administrative Arrangements OPEN SYSTEMS INTERCONNECTION Model and Notation Service Definitions Connection-mode Protocol Specifications Con
9、nectionless-mode Protocol Specifications X.90-X. 149 X.150-X.179 X.180-X.199 X.200-X.209 X.2 10-X.2 19 X.220-X.229 X.230-X.239 Protocol Identification Security Protocols Layer Managed Objects Conformance Testing INTERWORKING BETWEEN NETWORKS General Mobile Data Transmission Systems Management MESSAG
10、E HANDLING SYSTEMS DIRECTORY OS1 NETWORKING AND SYSTEM ASPECTS X.260-X.269 X.270-X.279 X.280-X.289 X.290-X.299 X.300-X.349 X.350-X.369 X.370-X.399 X.400-X.499 x.500-x.599 Networking Naming, Addressing and Registration Abstract Syntax Notation One (ASN.l) OS1 MANAGEMENT I OS1 APPLICATIONS I X.600-X.6
11、49 X.650-X.679 X.680-X.699 x.700-x.799 I Commitment, Concurrency and Recoveq I X.850-X.859 I Transaction Processing Remote ODerations X.860-X.879 X.880-X.899 I OPEN DISTRIBUTED PROCESSING I x.900-x.999 I ITU-T RECMN*X-832 95 m 4862593 Ob08033 OLL m CONTENTS Scope Normative references . 2.1 Identical
12、 Recommendations I International Standards Definitions Abbreviations . Overview of the protocol . 5.1 Service provision 5.2 Use of underlying services Elements of procedure 6.1 APDUs used 6.2 Transfer procedure 6.3 User-initiated abort procedure Structure and encoding of SESE APDUs . 7.1 Generic APD
13、U specification . 7.2 Abstract syntax construction . 8.1 General 8.2 Mapping to ACSE services . Conformance 9.1 Statement Requirements . 9.2 Static Requirements 6.4 Provider-initiated abort procedure Mapping to underlying services . 9.3 Dynamic Requirements . Annex A . SEPM state tables . A.l Genera
14、l A.2 Conventions A.3 Tables Annex B -Basic SESE application context definition B.l Application Context Name B.2 Application Service Elements . B.3 SESE APDU Mappings B.4 PDV concatenation constraints . B.5 PDV embedding constraints B.6 Procedural constraints . B.7 Presentation context constraints P
15、age 1 1 1 2 2 2 2 2 3 3 3 3 3 4 4 6 6 6 7 7 7 7 7 8 8 8 8 11 11 11 11 11 11 12 12 ITU-T Rec . X.832 (1995 E) 1 ITU-T RECMN*X.832 55 = 4862553 Ob08034 T58 U Summary This Recommendation I International Standard belongs to a series of Recommendations which provide a set of facilities to aid the constru
16、ction of OS1 Upper Layer protocols which support the provision of security services. This Recommendation i International Standard specifies the protocol provided by the Security Exchange Service Element (SESE). The SESE is an application-service-element (ASE) which facilitates the communication of s
17、ecurity information to support the provision of security services within the Application Layer of OSI. 11 ITU-T Rec. X.832 (1995 E) Introduction This Recommendation I International Standard forms part of a series of Recommendations I International Standards, which provide) a set of facilities to aid
18、 the construction of Upper Layers protocols which support the provision of security services. The parts are as follows: - - - - - - Part 1: Overview, Models and Notation; Part 2: Security Exchange Service Element Service Definition; Part 3: Security Exchange Service Element Protocol Specification; P
19、art 4: Protecting Transfer Syntax Specification; Part 5: Security Exchange Service Element PICS Proforma; Part 6: Protecting Transfer Syntax PICS Proforma. This Recommendation I International Standard constitutes Part 3 of this series. ITU-T Rec. X.832 (1995 E) . 111 ITU-T RECMNaX.832 95 = 4862591 O
20、b08037 767 m ISOAEC 11586-3 : 1995 (E) INTERNATIONAL STANDARD , ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: SECURITY EXCHANGE SERVICE ELEMENT (SESE) PROTOCOL SPECIFICATION 1 Scope 1.1 provision of security services in application layer
21、protocols. These include: This series of Recommendations I International Standards defines a set of generic facilities to assist in the a) a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specifi
22、cation of security exchanges and security transformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to suppok the provision of security services within the Application Layer; c) a specification and PICS proforma for a security transfe
23、r syntax, associated with Presentation Layer support for security services in the Application Layer. 1.2 This Recommendation I International Standard defines the protocol provided by the Security Exchange Service Element (SESE). The SESE is an ASE which allows the communication of security informati
24、on to support the provision of security services within the Application Layer. 2 Normative references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time
25、 of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and
26、Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid IT-T Recommendations. 2.1 Identical Recommendations I International Standards - ITU-T Recommendati
27、on X.207 (1993) I ISO/IEC 9545:1994, Information technology - Open Systems Interconnection - Application Layer structure. ITU-T Recommendation X.216 (1994) I ISO/IEC 8822:1994, Information technology - Open Systems Interconnection - Presentation service definition. IT-T Recommendation X.217 (1995) I
28、 ISO/IEC 8649: .). Information technology - Open Systems Interconnection - Service definition for the Association Control Service Element. ITU-T Recommendation X.226 (1994) I ISO/IEC 8823-1:1994, Information technology - Open Systems Interconnection - Connection-oriented presentation protocol: Proto
29、col specification. IT-T Recommendation X.227 (1995) I ISO/IEC 8650-1: .l), Information technology - Open Systems Interconnection - Connection-oriented protocol for the Association Control Service Element: Protocol specification. IT-T Recommendation X.680 (1994) I ISO/IEC 8824-1: 1995, Information te
30、chnology -Abstract Syntax Notation One (ASN. I): Specification of basic notation. ITU-T Recommendation X.68 1 (1994) I ISOAEC 8824-2: 1995, Information technology -Abstract Syntax Notation One (ASN. I): Information object specification. - - - - - - ) To be published. ITU-T Rec. X.832 (1995 E) 1 ITU-
31、T RECMN*X=832 95 = 4862591 Ob08038 bT3 M ISO/IEC 11586-3 : 1995 (E) - ITU-T Recommendation X.682 (1994) I ISO/IEC 8824-3:1995, Information technology -Abstract Syntax Notation One (ASN. I): Constraint specification. IT-T Recommendation X.683 (1994) I ISO/IEC 8824-4:1995, Infonnation technology - Abs
32、tract Syntax Notation One (ASN. I): Parameterization of ASN. I specifications. IT-T Recommendation X.690 (1994) I ISO/IEC 8825-1:1995, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). IT
33、U-T Recommendation X.803 (1994) I ISO/IEC 10745:1995, Information technology - Open Systems Interconnection - Upper layers securis, model. - - - 3 Definitions This Recommendation I International Standard makes use of the following terms defined in ITU-T Rec. X.803 I ISO/IEC 10745: - security exchang
34、e; - security exchange item. 4 Abbreviations ACSE APDU ASE ASO os1 PICS SEPM SEI SESE Association Control Service Element application-protocol-data-unit application-service-element application-service-object Open Systems Interconnection Protocol Implementation Conformance Statement Security Exchange
35、 Protocol Machine Security Exchange Item Security Exchange Service Element 5 Overview of the protocol 5.1 Service provision The protocol defined in this Specification provides the services defined in IT-T Rec. X.831 I ISOEC 11586-2. These services are as follows: SE-TRANSFER Non-confirmed SE-U- AB O
36、RT Non-confirmed SE-P-ABORT Provider-initiated 5.2 Use of underlying services This SESE protocol defines a set of APDUs, each of which may potentially be mapped onto any Presentation Layer service which conveys user-data, or which may be embedded in or concatenated with any other application-PDU, ac
37、cording to the rules of the ASO-context or application-context in force. Clause 8 defines some useful mappings to the presentation-service and ACSE. 2 ITU-T Rec. X.832 (1995 E) ITU-T RECMNUX.832 95 m 4862593 Ob08039 53T m ISOAEC 11586-3 : 1995 (E) 6 Elements of procedure 6.1 APDUs used The SESE prot
38、ocol specifies the following APDUs: SE-TRANSFER APDU (SETR) SE-U-ABORT APDU (SEAB) SE-P-ABORT APDU (SEPA) 6.2 Transfer procedure This procedure is used by a requestor SEPM to initiate a security-exchange requiring the transfer of one or more security-exchange-items. This procedure is also used by ei
39、ther requestor or responder SEPM to transfer further security- exchange-items started by the requestor SEPM. On receipt of a SE-TRANSFER request primitive, the SEPM retains the security exchange identifier, and generates a SE-TRANSFER APDU (SETR). On receipt of a SE-TRANSFER APDU (SETR), the SEPM re
40、tains the security exchange identifier, and issues a SE-TRANSFER indication primitive. If the security exchange belongs to the “Alternating“ class, and the exchange does not follow the expected sequence, then the SEPM generates an SE-P-ABORT APDU (SEPA), and issues an SE-P-ABORT indication. 6.3 User
41、-initiated abort procedure This procedure is used for one SESE user to indicate to the peer SESE user and the SEPM that an error has occurred and that any security exchange in progress is to be abnormally terminated. Additionally, it may optionally cause the abnormal release of the ASO-association w
42、ith the possible loss of information in transit. It is initiated by an SE-U- ABORT request primitive. On receipt of an SE-U-ABORT request primitive, the SEPM generates an SE-ABORT APDU (SEAB). On receipt of an SE-ABORT APDU (SEAB), the SEPM issues an SE-U-ABORT indication primitive. 6.4 Provider-ini
43、tiated abort procedure This procedure is used for the SEPM to indicate to the SESE users that an error has occurred and that any security exchange in progress is to be abnormally terminated. Additionally, it may optionally cause the abnormal release of the ASO-association with the possible loss of i
44、nformation in transit. On detection of an error, the SEPM issues an SE-P-ABORT indication primitive and generates an SE-P-ABORT APDU (SEPA). If the severity of the error requires the ASO-association to be terminated, the SEPA APDU is mapped to the ASO-Association Abort service. On receiving an ASO-A
45、ssociation Abort indication with SEPA APDU, the SEPM issues an SE-P-ABORT indication with the fatality indicator set. An error condition causing a SE-P-ABORT to be generated has an associated problem code, which may be indicated to both ends. The problems so indicated are categorized as follows: a)
46、b) c) general problem - Not peculiar to any particular APDU type; transfer problem - Problem resulting from receipt of a SE-TRANSFER APDU; abort problem - Problem resulting from receipt of a SE-U-ABORT APDU. Particular error conditions, and the associated problem codes, are described in the followin
47、g. 6.4.1 General problem - Invalid APDU - The structure andfor encoding of the APDU do not conform to either SETR, SEAB, or SEPA APDUs. ITU-T Rec. X.832 (1995 E) 3 ITU-T RECMN*X*B32 95 II 4862591 Ob08040 251 M ISO/IEC 11586-3 : 1995 (E) 6.4.2 Transfer problem a) b) c) d) e) Duplicate invocation iden
48、tifier - The same invocation identifier is in use for another active security exchange invocation. Unrecognized securiry exchange - The security exchange identified is not valid for this ASO-context. Misryped item - The type of the SEI does not conform to that in the object class definition. Inappro
49、priate invocation identifier - The invocation identifier is not within the set specified for this ASO-context. Alternating sequence error - The received SETR does not follow the sequence of the “Alternating“ class of security exchange. - 6.4.3 Abort problem a) b) c) d) e) Unrecognized invocation identifier - The invocation identifier does not identify an active or just- completed security exchange transfer. Abort unexpected - The identified security exchange does not generate an abort for this security exchange item. Unrecognized error - The identified sec
