1、 KSKSKSKS SKSKSKS KSKSKS SKSKS KSKS SKS KS 2003 5 28 KS X ISO/IEC 11586 4 : KS X ISO/IEC 11586 4: 2003 X ISO/IEC 11586 4: 2003 ( ) ( ) ( ) ( ) ( ) ( ) : : 2003 5 28 03 551 : : ( ) ( 02 509 7336) . 7 5 , . ICS 35.100 KS X ISO/IEC : 11586 4: 2003Information technology Open Systems Interconnection Gene
2、ric upper layers security: Protecting transfer syntax specification KS 1996 1 ISO/IEC 11586 4 Information technology Open Systems InterconnectionGeneric upper layers security: Protecting transfer syntax specification , . 1. 1.1 OSI . a) b) OSI c) , 1.2 , . INTERNATIONAL STANDARD ISO/IEC 11586-4 Firs
3、t edition 1996-06-o 1 Information technology - Open Systems Interconnection - Generic upper layers security: Protecting transfer syntax specification Technologies de I information - Interconnexion de systemes ouverts (OS/) - S - Part 2: Security Exchange Service Element Service Definition; - Part 3:
4、 Security Exchange Service Element Protocol Specification; - Part 4: Protecting Transfer Syntax Specification; - Part 5: Security Exchange Service Element PICS Proforma; - Part 6: Protecting Transfer Syntax PICS Proforma. This Recommendation I International Standard constitutes Part 3 of this series
5、. iv ISO/IEC 11586-4 : 1996 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - GENERIC UPPER LAYERS SECURITY: PROTECTING TRANSFER SYNTAX SPECIFICATION 1 Scope 11 This series of Recommendations 1 International Standards defines a set of generic fac
6、ilities to assist in the piovision of security services in OS1 applications. These include: a a set of notational tools to support the specification of selective field protection requirements in an abstract syntax specification, and to support the specification of security exchanges and security tra
7、nsformations; b) a service definition, protocol specification and PICS proforma for an application-service-element (ASE) to support the provision of security services within the Application Layer of OSI; C a specification and PICS proforma for a security transfer syntax, associated with Presentation
8、 Layer support for security services in the Application Layer. 1.2 This Recommendation I International Standard defines the Presentation Layer support for security services in the Application Layer. protecting transfer syntax, associated with 2 Normative references The following Recommendations and
9、International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements
10、 based on this Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Stan
11、dardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 21 . Identical Recommendations I International Standards - ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-l : 1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Mode
12、l. - ITU-T Recommendation X.216 (1994) I ISO/IEC 8822: 1994, Information technology - Open Systems Interconnection - Presentation service definition. - ITU-T Recommendation X.226 (1994) I ISO/IEC 8823-l: 1994, Information technology - Open Systems Interconnection - Connection-oriented presentation p
13、rotocol: Protocol specification. - ITU-T Recommendation X.680 (1994) I ISO/IEC 8824-l : 1995, Znformation technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation. - ITU-T Recommendation X.681 (1994) I ISO/IEC 8824-2: 1995, Information technology - Abstract Syntax Notation
14、One (ASN. 1): Information object specification. - ITU-T Recommendation X.682 (1994) I ISO/IEC 8824-3: 1995, Information technology - Abstract Syntax Notation One (ASN. 1): Constraint specification. - ITU-T Recommendation X.683 (1994) I ISO/IEC 8824-4: 1995, Information technology - Abstract Syntax N
15、otation One (ASN. I): Parameterization of ASN. I specifications. - ITU-T Recommendation X.690 (1994) I ISOAEC 8825- 1: 1995, Information technology - ASN. I encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). ITU-T Rec.
16、X.833 (1995 E) 1 ISO/IEC 11586-4 : 1996 (E) - ITU-T Recommendation X.803 (1994) I ISO/IEC 10745: 1995, Znformation technology - en Systems Interconnection - Upper layers security model. - ITU-T Recommendation X.830 (1995) I ISO/IEC 11586-l: 1996, Znformation technology - Open Systems Interconnection
17、 - Generic upper layers security: Overview, models and notation. 3 Definitions 31 This Recommendation I presentation context; presentation data value. 33 This Recommendation security transformation. 34 This Recommendation I International Standard makes use of the following terms defined in I - - - -
18、 single-item-bound security association; externally-established security association; initial encoding rules; protecting presentation context; protecting transfer syntax. 4 Abbreviations GULS Generic Upper Layers Security OS1 Open Systems Interconnection PDU Protocol-data-unit PDV Presentation data
19、value PIGS Protocol implementation conformance statement 5 General overview The concept of a protecting transfer syntax was introduced in ITU-T Rec. X.830 I ISO/IEC 11586-l. This Specification defines a generic protecting transfer syntax. This Specification can be used, in conjunction with particula
20、r security transformation definitions, to generate particular protecting transfer syntaxes, tailored to satisfy particular application protection requirements. NOTE - The generic protecting transfer syntax may also prove useful in providing data compression for non-security- related purposes, howeve
21、r such use is outside the scope of this Specification. The generic protecting transfer syntax is based upon the security transformation model described in ITU-T Rec. X.830 I ISO/IEC 11586-l. The purpose of a protecting transfer syntax is to provide a standard means for representing, for transfer pur
22、poses, the following information items: - the transformed item resulting representation of an unprotected from item applying the encoding which is to be protected; process of a security transformation to a IT - - unprotected static and dynamic parameters of a security transformation; on the first PD
23、V of a protecting presentation context, or a protected PDV sent outside. a presentation context, either: a) b) in the case of a presentation-context-bound or single-item-bound security association, an identifier of the security transformation; in the case of an externally-established security associ
24、ation, an identifier of that security association. Use of a protecting transfer syntax is negotiated by the presentation protocol or announced in an ASN.1 EXTERNAL or EMBEDDED PDV construct. It can be applied to any abstract syntax, which may be specified using ASN.1 or by other means. Object identi
25、fiers for negotiating or announcing protecting transfer syntaxes are addressed in clause 9. A protecting transfer syntax is a context-sensitive transfer syntax, i.e. state is retained within encoders and decoders. 51 l Model of a protecting transfer syntax Figure 1 illustrates, in finer detail than
26、in ITU-T Rec. X.830 I ISO/IEC 11586-l) the operations associated with a protecting transfer syntax at an encoding system (the corresponding operations at a decoding system follow naturally). Unprotected item (ASN.1 value) I . 4 Protected Parameter Initial encoding parameters a) + encoding process a)
27、 prccess a) (on unprotected item) / . Bit string(s) z I I I Security transformation I Unprotected 1 encoding process parameters a), transformation id b), security association id b, 7 1 ASN.1 pafavaiue Construct and encode protecting transfer syntax ASN. 1 data value 1 Bit string for transmission TlS
28、05680-95/dOl a) If applicable. b, These two encoding processes may be combined. Figure 1 - Protecting transfer syntax construction at encoding system 52 . Initial encoding rules The initial encoding process (in the encoding system) and corresponding decoding process (in the decoding system) map betw
29、een an abstract syntax and an unprotected syntax. The rules applied to this process are known as the initial encoding rules. rules. NOTE - For an ASN. l-based abstract syntax, this mapping will typically employ some variant of the ASN. 1 encoding Single-valued encoding rules (e.g. the ASN.l Canonica
30、l Encoding Rules or Distinguished Encoding Rules) should be applied where the transformation is a function of data which may also be sent separately, particularly when used via a relay sy stem. ITU-T Rec. X.833 (1995 E) 3 ISO/IEC 11586-4 : 1996 (E) The initial encoding rules for use in a protecting
31、transfer syntax are established as follows: 53 . a if the security transformation in use provides for conveying an identifier of a specific set of encoding rules as a static (protected or unprotected) parameter, and if this parameter is present in the applicable first-PDV field, then these encoding
32、rules are used; otherwise b) the encoding rules indicated by the JkinitialEncodingRules field of the applicable security transformation definition are used. Security transformation The security transformation to be employed is determined in either of two ways: a when the PDV transfer relates to a pr
33、esentation-context-bound or single-item-bound security association, the security transformation identifier is conveyed in the transfer syntax structure along with the first PDV in that security association; b) when the PDV transfer relates to an externally established transformation identifier is an
34、 attribute of that security association. security The rules of a security transformation indicate map to an ASN. 1 value for transfer purposes. how a bit string of user data and a set of protected parameter values are to association, the security 54 . Syntax structure A protecting transfer syntax de
35、fines the data structure used to convey the output of the encoding process of a security transformation, plus unprotected parameters and identifiers of the security transformation or security association (as applicable). The data structure transferred has a different variant for each of the cases: a
36、 b) C the first PDV of a protecting presentation context in a presentation-context- the one PDV in a single-item-bound security association; the first PDV of a protecting presentation context, or a protected PDV sent in the case of an externally established security association; a subsequent PDV in
37、a protecting presentation context. bound security association, or outside a presentation context, 6 Data structures for a protecting transfer syntax The set of data structures used by a protecting transfer syntax is defined by the ASN.l type SyntaxStructure in the following ASN.l module. The SyntaxS
38、tructure type is parameterized by the object set ValidSTs, which is a set of SECURITY-TRANSFORMATION objects. When a value for ValidSTs is supplied, together with the corresponding security transformation specifications, the SyntaxStructure type becomes a complete syntax specification for a specific
39、 protecting transfer syntax. GenericProtectingTransferSyntax Goint-iso-ccitt genericULS (20) modules (1) genericProtectingTransferSyntax (7) 1 DEFINITIONS AUTOMATIC TAGS := BEGIN EXPORTS SyntaxStructure ; IMPORTS notation FROM ObjectIdentifiers uoint-iso-ccitt genericULS (20) modules (1) ObjectIdent
40、ifiers (0) SECURITY-TRANSFORMATION, ExternalSAID FROM Notation notation; SyntaxStructure SECURITY-TRANSFORMATION: ValidSTs:= CHOICE 1 firstPdvExplicit FirstPdvExplicit ValidSTs, - To be used on thefirst PDV of a protecting presentation - context, or a protected PDV sent outside a presentation mm con
41、text, in the case of a presentation-context-bound or - single-item-bound security association. ITU-T Rec. X.833 (1995 E) ISO/IEC 11586-4 : 1996 (E) firstPdvExternal FirstPdvExternal ValidSTs, - To be used on thefirst PDV of a protecting presentation - context, or a protected PDV sent outside a prese
42、ntation MS context, in the case of an externally established - security association. subsequentpdv SubsequentPdv (ValidSTs) - To be used on a subsequent PDV in a protecting - presentation context. 1 FirstPdvExplicit SECURITY-TRANSFORMATION: ValidSTs):= SEQUENCE 1 transformationId SECURITY-TRANSFORMA
43、TION&T-Identifier ( ValidSTs), staticUnprotParm SECURITY-TRANSFORMATION.&StaticUnprotectedParm (ValidSTs) transformationId) OPTIONAL, dynamicUnprotParm SECURITY-TRANSFORMATION.&DynamicUnprotectedParm ( ValidSTs) transformationId) OPTIONAL, xformedData SECURITY-TRANSFORMATION.&XformedDataType (ValidS
44、Ts) transformationId) 1 FirstPdvExternal SECURITY-TRANSFORMATION: ValidSTs):= SEQUENCE 1 externalSAID ExternalSAID, dynamicUnprotParm SECURITY-TRANSFORMATION.&DynamicUnprotectedParm (ValidSTs) OPTIONAL, - Actual member of ValidSTs is as implied - by externalSAID xformedData SECURITY-TRANSFORMATIONJk
45、XformedDataType ( ValidSTs) - Actual member of ValidSTs is as implied - by externalSAID 1 SubsequentPdv SECURITY-TRANSFORMATION: ValidSTs):= SEQUENCE dynamicUnprotParm SECURITY-TRANSFORMATION.&DynamicUnprotectedParm (ValidSTs) OPTIONAL, xformedData SECURITY-TRANSFORMATIONJkXformedDataType ( ValidSTs
46、) - Actual member of ValidSTs is implied - by presentation context 1 END 7 Incorporation into underlying protocol When conveyed directly in a presentation PDU (as specified in ITU-T Rec. X.226 I ISO/IEC 8823-l) or when embedded in an EXTERNAL or EMBEDDED PDV ASN. 1 construct (as specified in ITU-T Rec. X.680 I ISO/IEC 8824-l), the appropriate value of the SyntaxStructure type is encoded using the encoding rules implied by the t
