1、 KS X ISO/IEC 15816 KSKSKSKS SKSKSKS KSKSKS SKSKS KSKS SKS KS KS X ISO/IEC 15816 :2007 (2012 ) 2007 10 29 http:/www.kats.go.krKS X ISO/IEC 15816:2007 : e- ( ) ( ) () () ( ) : () ( ) () () JS KS X ISO/IEC 15816:2007 : (http:/www.standard.go.kr) : :2002 11 26 :2007 10 29 :2012 12 31 : e 2012-0848 : e
2、( 02-509-7262) (http:/www.kats.go.kr). 10 5 , . KS X ISO/IEC 15816:2007 i e . KS X ISO/IEC 15816:2007 . A() ASN.1 B() SECURITY-CATEGORY KS X ISO/IEC 15816:2007 (2012 ) Information technologySecurity techniques Security information objects for access control 2002 1 ISO/IEC 15816, Information technolo
3、gySecurity techniques Security information objects for access control , . “ (security information objects:SIO)” , . ITUT X.680(1997)ISO/IEC 88241: 1998 ITUT X.681(1997)ISO/IEC 88242:1998 1(ASN.1) . , . . , ( ), ( ) . , , . , , , . . . 1 . a) (SIO) b) SIO c) SIO 1(ASN. 1) SIO “ (statics)” . SIO KS X
4、ISO/IEC 15816:2007 2 “ (dynamics)” . SIO . 2 . . ( ) . 2.1 ITUT X.411(1999)ISO/IEC 100214:1999, Information technologyOpen Systems Interconnection Message Handling Systems(MHS)Message transfer system:Abstract service definition and procedures ITUT X.500(1997)ISO/IEC 95941:1999, Information technolog
5、yOpen Systems Interconnection The Directory:Overview of concepts, models and services. ITUT X.501(1997)ISO/IEC 95942:1999, Information technologyOpen Systems Interconnection The Directory:Models ITUT X.509(2000)ISO/IEC 95948:2000, Information technologyOpen Systems Interconnection The Directory:Publ
6、ic Key and Attribute Certificate Frameworks. ITUT X.680(1997)ISO/IEC 88241:1998, Information technologyAbstract syntax notation one(ASN.1):Specification of basic notation ITUT X.681(1997)ISO/IEC 88242:1998, Information technologyAbstract syntax notation one(ASN.1):Information object specification IT
7、UT X.682(1997)ISO/IEC 88243:1998, Information technologyAbstract syntax notation one(ASN.1):Constraint specification ITUT X.683(1997)ISO/IEC 88244:1998, Information technologyAbstract syntax notation one(ASN.1):Parameterization of ASN.1 specifications ITUT X.690(1997)ISO/IEC 88251:1998, Information
8、technologyASN.1 Encoding Rules:Specification of basic encoding rules(BER), canonical encoding rules(CER) and distinguished encoding rules(DER) CCITT X.722(1992)ISO/IEC 101654:1992, Information technologyOpen Systems Interconnection Structure of management informationGuidelines for the definition of
9、managed objects. ITUT X.741(1995)ISO/IEC 101649:1995, Information technologyOpen System Interconnection System management:Objects and attributes for access control. ITUT X.803(1994)ISO/IEC 10745:1995, Information technologyOpen System Interconnection Upper layers security model ITUT X.810(1995)ISO/I
10、EC 101811:1996, Information technologyOpen System Interconnection Security frameworks for open systems:Overview. ITUT X.830(1995)ISO/IEC 115861:1996, Information technologyOpen System Interconnection Generic upper layers security;Overview, models and notation. 2.2 CCITT X.800(1991), Security archite
11、cture for Open Systems Interconnection for CCITT applications. ISO 74981:1989, Information processing systemsOpnen Systems InterconnectionBasic reference ModelPart 2:Security Architecture. KS X ISO/IEC 15816:2007 3 3 . 3.1 (compartmentalization) ISO/IEC 23828 . 3.2 SIO (generic SIO Class) SIO 3.3 (i
12、nformation object) ITUT Rec. X.681ISO/IEC 88242 . 3.4 (information object class) ITUT Rec. X.681ISO/IEC 88242 . 3.5 (object identifier:OID) ITUT Rec. X.680ISO/IEC 88241 . 3.6 (seal) ITUT Rec. X.810ISO/IEC 101811 . 3.7 (security authority) 3.8 (security domain) 3.9 (security information object) SIO 3
13、.10 (security information object class) 3.11 (security label) CCITT Rec. X.800ISO/IEC 74982 . 3.12 (security policy) ISO/IEC DIS 23828 . KS X ISO/IEC 15816:2007 4 3.13 (security policy information file) 3.14 SIO (specific SIO class) SIO 4 . ASN.1 1(abstract syntax notation one) EE (end entitiy) IT (
14、information technology) OID (object identifier) RBAC (rule based access control) SIO (security information object) SPIF (security policy information file) 5 (convention) 5.1 SIO . SIO SIO SIO 5.2 SIO SIO . , SIO SIO . SIO SIO . 5.3 SIO . SIO SIO SIO SIO 1(ASN.1) . 6 KS X ISO/IEC 15816:2007 5 SIO , ,
15、 . SIO , . , SIO SIO . SIO (subclass) . ASN.1 A . . id-SIOsAccessControl-MODULE OBJECT IDENTIFIER := joint-iso-ITUT sios(24) specification(0) modules(0) accessControl(0) 6.1 (Confidentiality Label) 6.1.1 , . , . . , , , , , , . , . . IT , . , , , , , IT . ( ) , . , . KS X ISO/IEC 15816:2007 6 , . .
16、. , IT . , . . 6.1.2 ASN.1 . id-ConfidentialityLabel OBJECT IDENTFIER := joint-iso-ITU T sios(24) specification(0) securityLabels(1) confidentiality(0) ConfidentialityLabel := SET security-policy-identifier SecurityPolicyIdentifier OPTIONAL, security-classification INTEGER(0MAX) OPTIONAL, privacy-ma
17、rk PrivacyMark OPTIONAL, security-categories SecurityCategories OPTIONAL (ALL EXCEPT(-; -) SecurityPolicyIdentifier := OBJECT IDENTIFIER PrivacyMark := CHOICE pString PrintableString(SIZE(1ub-privacy-mark-length), utf8String UTF8String(SIZE(1ub-privacy-mark-length) ub-privacy-mark-length INTEGER :=
18、128 ITUT RecZ.411ISO/IEC 100214 . SecurityCategories := SET SIZE(1MAX) OF SecurityCategory SecurityCategory := SEQUENCE type0 SECURITY-CATEGORY.&id(SecurityCategoriesTable), Value 1 SECURITY-CATEGORY.&Type(SecurityCategoriesTabletype) SECURITY-CATEGORY := TYPE-IDENTIFIER SecurityCategoriesTable SECU
19、RITY-CATEGORY := . TYPE-IDENTIFIER B . 6.1.3 (binding methods for confidentiality labels) 6.1.3.1 1(binding method 1) (D) (L) . , . KS X ISO/IEC 15816:2007 7 . , . 6.1.3.2 2(binding method 2) (S) (SigAlg) (X) D L . . S=SigAlg(X,f(D),L) D, L . L D . , f f(D) D . , L S . L, D, S , . . 6.1.3.3 3(bindin
20、g method 3) (MAC) MAC (MacAlg) MAC (K-MAC) D L . . MAC=MacAlg(K-MAC,f(D),L) MAC D, L . MAC L D . , f f(D) D . , L MAC . L, D, MAC , . L D K-MAC MAC , MAC . 6.2 6.2.1 . . . . . . . KS X ISO/IEC 15816:2007 8 . versionInformation 1(ASN.1) . updateInformation . securityPolicyIdData . privilegeId (OID) .
21、 privilegeId rbacId . securityClassifications . rbacId securityLabel (rule based access control) . rbacId privilegeId . securityCategories , . equivalentPolicies (SPIF) . defaultSecurityPolicyIdData , . extensions . . 6.2.2 ASN.1 . SecurityPolicyInformati onFile := SIGNEDEncodedSPIF EncodedSPIF := T
22、YPE-IDENTIFIER.&Type(SPIF) SPIF := SEQUENCE versionInformation VersionInformationData DEFAULT v1, updateInformation UpdateInformationData, securityPolicyIdData ObjectIdData, privilegeId OBJECT IDENTIFIER, rbacId OBJECT IDENTIFIER, securityClassifications 0 SEQUENCE OF SecurityClassfication OPTONAL,
23、securityCategories 1 SEQUENCE OF SecurityCategory OPTIONAL, equivalentPolicies 2 SEQUENCE OF EquivalentPolicy OPTIONAL, defaultSecurityPolicyIdData 3 ObjectIDData OPTIONAL, extensions 4 Extensions OPTIONAL 6.2.2.1 versionInformation 1(ASN.1) . VersionInformationData := INTEGER v1(0) (0MAX) KS X ISO/
24、IEC 15816:2007 9 6.2.2.2 updateInformationData (SPIF) . sPIFVersionNumber (SPIF) securityPolicyIdData (SPIF) . creationDate (SPIF) . originatorDistinguishedName (SPIF) . keyIdentifier (SPIF) . UpdateInformationData := SEQUENCE sPIFVersionNumber INTEGER(0MAX), creationDate GeneralizedTime, originator
25、DistinguishedName Name, keyIdentifier OCTET STRING OPTIONAL 6.2.2.3 ID securityPolicyIdData (SPIF) . securityPolicyIdData ObjectIdData , ObjectIdData objectId objectIdName . objectId (OID), objectIDName . ObjectIdData := SEQUENCE objectId OBJECT IDENTIFIER, objectIdName ObjectIdName ObjectIdName := DirectoryStringubObjectIdNameLength 6.2.2.4 privilegeId (OID) . 6.2.2.5 (RBAC) rbacId (SPIF) securityLabel . rbacId privilegeId
