1、 KSKSKSKS SKSKSKS KSKSKS SKSKS KSKS SKS KS 2003 5 28 KS X ISO/IEC 11586 1 :, KS X ISO/IEC 11586 1: 2003 X ISO/IEC 11586 1: 2003 ( ) ( ) ( ) ( ) ( ) ( ) : : 2003 5 28 03 551 : : ( ) ( 02 509 7336) . 7 5 , . ICS 35.100 KS X ISO/IEC :, 11586 1: 2003Information technology Open Systems Interconnection Ge
2、neric upper layers security: Overview, models and notation KS 1996 1 ISO/IEC 11586 1 Information technology Open Systems InterconnectionGeneric upper layers security: Overview, models and notation , . 1. 1.1 OSI . a) b) OSI c) , 1.2 . a) OSI (ITU T X.803 ISO/IEC 10745) b) c) 1.3 . a) b) c) 1.4 , . I
3、NTERNATIONAL STANDARD ISO/IEC 11586-l First edition 1996-06-o I Information technology - Open Systems Interconnection - Generic upper layers security: Overview, models and notation Technologies de /information - Interconnexion de systemes ouverts (OS/) - S - Part 2: Security Exchange Service Element
4、 Service Definition; - Part 3: Security Exchange Service Element Protocol Specification; - Part 4: Protecting Transfer Syntax Specification; - Part 5: Security Exchange Service Element PICS Proforma; - Part 6: Protecting Transfer Syntax PICS Proforma. This Recommendation I International Standard con
5、stitutes Part 1 of this series. For informative guidelines on the application of all facilities described in this series, see Annex G. It is important to note that these generic security facilities do not in themselves provide security services; they are simply construction tools for security-relate
6、d protocols. Furthermore, these facilities do not necessarily provide a stand-alone solution to all security communications requirements of applications. Application standards may still need to incorporate security features within their specifications, to work in conjunction with generic security se
7、rvices supported by the Generic Upper Layers Security facilities. iv ISO/IEC 11586-l : 1996 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: OVERVIEW, MODELS AND NOTATION 1 Scope 1.1 This series of Recommendations
8、I International Standards defines a set of generic facilities to assist in the provision of security services in OS1 applications. These include: a a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support th
9、e specification of security exchanges and security transformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security services within the Application Layer of OSI; C a specification and PICS proforma for a
10、security transfer support for security services in the Application Layer. syntax, associated with Presentation Layer 1.2 This Recommendation I International Standard defines the following: a) general models of security exchange protocol functions and security transformations, based on the concepts d
11、escribed in the OS1 Upper Layers Security Model (ITU-T Rec. X.803 I ISO/IEC 10745); b) a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchanges and security transforma
12、tions; C a set of informative guidelines as to the application of the generic upper layers security facilities covered by this series of Recommendations I International Standards. 1.3 This Recommendation I International Standard does not define the following: a b) C a complete set of upper Internati
13、onal Standards; layer security facilities which may be required by other Recommendations I a complete set of security facilities for specific applications; the mechanisms employed to support security services. 1.4 The security exchange model, and supporting notation, are intended both for use as the
14、 basis of defining the security exchange service element in subsequent parts of this series of Recommendations I International Standards, and for use by any other ASE which may import security exchanges into its own specification. 2 Normative references The following Recommendations and Internationa
15、l Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on th
16、is Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization
17、Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. ITU-T Rec. X.830 (1995 E) 1 ISO/IEC 11586-l : 1996 (E) 21 . Identical Recommendations I International Standards - ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-l : 1994, Information technozogy - Open Systems Interconnect
18、ion - Basic Reference Model: The Basic Model. - ITU-T Recommendation X.207 (1993) I ISO/IEC 9545:1994, Information technology - Open Systems Interconnection - Application Layer structure. - ITU-T Recommendation X.214 (1993) I ISO/IEC 8072: 1994, Znformation technology - Open Systems Interconnection
19、- Transport service definition. - ITU-T Recommendation X.216 (1994) I ISO/IEC 8822:1994, Information technology - Open Systems Interconnection - Presentation service definition. - ITU-T Recommendation X.21 7 (1995) I ISO/IEC 8649: . . . 1, Znformation technozogy - Open Systems Interconnection - Serv
20、ice definition for the Association Control Service. - ITU-T Recommendation X.226 (1994) I ISO/IEC 8823-l : 1994, Information technology - Open Systems Interconnection - Connection-oriented presentation protocol: Protocol specification. - ITU-T Recommendation X.509 (1993) I ISOPIEC 9594-8: 1995, Info
21、rmation technology - Open Systems Interconnection - The Directory: Authentication framework. - ITU-T Recommendation X.5 11 (1993) I ISO/IEC 9594-3: 1995, Information technology - Open Systems Interconnection - The Directory: Abstract service definition. - CCITT Recommendation X.660 (1992) I ISO/IEC
22、9834-l : 1993, Information technology - Open Systems Interconnection - Procedures for the operation of OSI Registration Authorities: General procedures. - ITU-T Recommendation X.680 (1994) I ISO/IEC 8824-l : 1995, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic
23、notation. - ITU-T Recommendation X.68 1 (1994) I ISO/IEC 8824-2: 1995, Information technology - Abstract Syntax Notation One (ASN. I): Information object specification. - ITU-T Recommendation X.682 (1994) I ISO/IEC 8824-3: 1995, Information technology - Abstract Syntax Notation One (ASN. I ): Constr
24、aint specification. - ITU-T Recommendation X.683 (1994) I ISO/IEC 8824-4: 1995, Znformation technology - Abstract Syntax Notation One (ASN. I): Parameterization of ASN. 1 specifications. - ITU-T Recommendation X.690 (1994) I ISO/IEC 8825-l : 1995, Information technology - ASN. I encoding rules: Spec
25、ification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). - ITU-T Recommendation X.803 (1994) I ISOLIEC 10745:1995, Information technology - Open Systems Interconnection - Upper layers security model. - ITU-T Recommendation X.8 11 (1995) 1 ISO/IE
26、C 1018 l-2: 1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework. - ITU-T Recommendation X.812) I ISO/IEC 10181-3: . I). Information technology - Open Systems Interconnection - Security frameworks for open systems: Access contro
27、l framework. 22 l Paired Recommendations I International Standards equivalent in technical content - CCITT Recommendation X.800 (199 1), Security architecture for Open Systems Interconnection for CCITT applications. IS0 7498-2: 1989, Information processing systems - Open Systems Interconnection - Ba
28、sic Reference Model - Part 2: Security Architecture. 3 Definitions 31 . The following term is used as defined in ITU-T Rec. X.200 I ISO/IEC 7498-l : transfer syntax. l) Presently at the stage of draft. 2 ITU-T Rec. X.830 (1995 E) ISO/IEC 11586-l : 1996 (E) 32 . 35 . 36 . 37 . 38 . The following term
29、s are used as defined in CCITT Rec. X.800 I IS0 7498-2: - access control; - confidentiality; - data origin authentication; - decipherment; - digital signature; - encipherment; - integrity; - key; - key management; - selective field protection. The following terms are used as defined in ITU-T Rec. X.
30、216 I ISO/IEC 8822: - abstract syntax; - presentation context; - presentation data value. The following terms are used as defined in ITU-T Rec. X.207 I ISO/IEC 9545: - - - - The - - - - The - application-association application-context; application-service-element (ASE); application-service-object-a
31、ssociation (ASO-association). following terms are used as defined in ITU-T Rec. X.81 1 I ISO/IEC 10181-2: authentication exchange; claimant; entity authentication; verifier. following term is used as defined in ITU-T Rec. X.812 I ISO/IEC 10181-3: access control certificate. The following terms are u
32、sed as defined in ITU-T Rec. X.803 I ISO/IEC 10745: - security association; - security communication function (SCF); - security exchange; - security exchange item; - security exchange function; - security transformation; - system security object (SSO). For the purposes of this Recommendation I Inter
33、national Standard, the following definitions apply: 3.8.1 presentation-context-bound security association: A security association which is established in conjunction with the establishment of a protecting presentation context, and which applies to all presentation data values sent in one direction i
34、n that protecting presentation context; attributes of the security association are indicated explicitly along with the encoding of the first presentation data value in the protecting presentation context. 3.8.2 single-item-bound security association: A security association applying to a single indep
35、endently-protected presentation data value which is not associated with a presentation context; attributes of the security association are indicated explicitly along with the presentation data value encoding. ITU-T Rec. X.830 (1995 E) 3 ISO/IEC 11586-l : 1996 (E) 3.8.3 externally-established securit
36、y instances of its use, and which has a global 1 association: A security y-unique identifi er enabl associa tie n which 1s established i .ndependently ng it to be referent :ed at the time of use. of 3.8.4 initial encoding rules: The ASN.l encoding rules used to generate an unprotected bit string fro
37、m a value of an ASN.l type, when that value is to be protected using a security transformation. 3.8.5 protecting abstract syntax. 3.8.6 3.8.7 protection mapping: A specification which relates a protection requirement, identified syntax specification, to a specifi c security transformation to be used
38、 to satisfy that requirement. presentation context: A presentation context which associates a protecting transfer syntax with an protecting transfer syntax: A transfer syntax which employs a security transformation. 4 Abbreviations ACSE ASE AS0 GULS OS1 PDU PDV PIGS SCF SE1 SESE sso Association Cont
39、rol Service Element application-service-element application-service-object Generic Upper Layers Security Open Systems Interconnection protocol-data-unit Presentation Data Value Protocol Implementation Conformance Statement Security Communication Function Security Exchange Item Security Exchange Serv
40、ice Element System Security Object bY name in an abstract 5 General overvrew The Generic Upper Layers Security (GULS) Standards define a set of protocol-construction tools and protocol components to support the provision of security protection for applications. These facilities support the provision
41、 of security services in the OS1 Upper Layers (Application Layer, sometimes with Presentation Layer support). NOTE - Security services for OS1 applications may be provided using security mechanisms at either the upper or lower layers. In the latter case, the protection is obtained by specifying an a
42、ppropriate protection quality-of-service (as defined in ITU-T Rec. X.214 I ISO/IEC 8072) to ACSE when establishing an application-association. This protection quality-of-service is passed transparently through the Presentation and Session Layers to the transport service. Provision of security servic
43、es in the lower layers is outside the scope of this Recommendation I International Standard. The facilities provided in the GULS Standards include: - a general means of building Application Layer protocol components to support the exchange of security- related information between a pair of communica
44、ting application-entity-invocations (the security exchange concept, which is supported by the SESE); these facilities are described in clause 6; - a general approach to using Presentation Layer facilities to perform security-related transformations on information items in order to protect these item
45、s (the security transformation concept, which is supported by a generic protecting transfer syntax); these facilities are described in clause 7; - abstract syntax notation tools to assist an application protocol designer in specifying that security protection is to apply to selected fields of this protocol (a PROTECTED parameterized type, and the PROTECTED-Q variant of this type); these facilities are described in clause 8. Security exchan
