《BS-ISO-IEC-10181-1-1996.pdf》由会员分享,可在线阅读,更多相关《BS-ISO-IEC-10181-1-1996.pdf(24页珍藏版)》请在三一文库上搜索。
1、BRITISH STANDARD BS ISO/IEC 10181-1:1996 Information technology Open Systems Interconnection Security frameworks for open systems: Overview (ITU-T Rec. X.810 (1995) | ISO/IEC 10181-1:1996) ICS 35.100.01 Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy
2、, (c) BSI BS ISO/IEC 10181-1:1996 This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 November 1996 BSI 10-1998 ISBN 0 580 26520 X National foreword This British Standard reproduces ve
3、rbatim ISO/IEC 10181:1996, and implements it as the UK national standard. The UK participation in its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to: aid enquirers to understand t
4、he text; present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. A list of organizations represented on this co
5、mmittee is available on request. Cross-references The British Standards which implement international or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facil
6、ity of the BSI Standards Electronic Catalogue. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligat
7、ions. Summary of pages This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to iv, pages 1 to 17 and a back cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on
8、the inside front cover. Amendments issued since publication Amd. No.DateComments Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS IS
9、O/IEC 10181-1:1996 ii BSI 10-1998 Contents Page Forewordiv Introduction1 1Scope1 2Normative references1 2.1Identical Recommendations|International Standards1 2.2Paired Recommendations|International Standards equivalent in technical content1 3Definitions1 3.1Basic Reference Model definitions1 3.2Secu
10、rity architecture definitions2 3.3Additional definitions2 4Abbreviations4 5Notation4 6Organization4 6.1Part 1 Overview4 6.2Part 2 Authentication4 6.3Part 3 Access control4 6.4Part 4 Non-repudiation5 6.5Part 5 Confidentiality5 6.6Part 6 Integrity5 6.7Part 7 Security audit and alarms5 6.8Key managemen
11、t5 7Common concepts6 7.1Security information6 7.2Security domain6 7.2.1Security policy and security policy rules6 7.2.2Security domain authority7 7.2.3Inter-relationships among security domains7 7.2.4Establishment of secure interaction rules7 7.2.5Inter-domain security information transfer8 7.3Secur
12、ity policy considerations for specific security services8 7.4Trusted entities8 7.5Trust8 7.6Trusted third parties9 8Generic security information9 8.1Security labels9 8.2Cryptographic checkvalues9 8.3Security certificates10 8.3.1Introduction to security certificates10 8.3.2Verification and chaining o
13、f security certificates10 8.3.3Revocation of security certificates10 8.3.4Re-use of security certificates11 8.3.5Security certificate structure11 8.4Security tokens11 9Generic security facilities12 9.1Management related facilities12 9.1.1Install SI12 9.1.2Deinstall SI12 9.1.3Change SI12 9.1.4Validat
14、e SI12 Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 10181-1:1996 BSI 10-1998iii 9.1.5Invalidate SI12 9.1.6Disable/Re-enable security service12 9.1.7Enrol12 9.1.8Un-enrol12 9.1.9Distribute SI12 9.1.10List SI12 9.2Operational rel
15、ated facilities12 9.2.1Identify trusted security authorities12 9.2.2Identify secure interaction rules12 9.2.3Acquire SI13 9.2.4Generate SI13 9.2.5Verify SI13 10Interactions between security mechanisms13 11Denial of service and availability14 12Other requirements14 Annex A Some examples of protection
16、 mechanisms for security certificates15 A.1Protection using an OSI communications security service15 A.2Protection using a parameter within the security certificate15 A.2.1The authentication method15 A.2.2The secret key method15 A.2.3The public key method15 A.2.4The one-way function method16 A.3Prot
17、ection of the internal and external parameters while in transit16 A.3.1Transfer of internal parameters to the issuing security authority16 A.3.2Transfer of external parameters among entities16 A.4Use of security certificates by single entities or by groups of entities16 A.5Linking a security certifi
18、cate with accesses17 Annex B Bibliography17 Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 10181-1:1996 iv BSI 10-1998 Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
19、Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity
20、. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee
21、, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. International Standard ISO/IEC 10181-1 was prepared
22、 by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open systems interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.810. ISO/IEC 10181 consists of the following
23、parts, under the general title Information technology Open Systems Interconnection Security frameworks for open systems: Part 1: Overview; Part 2: Authentication framework; Part 3: Access control framework; Part 4: Non-repudiation framework; Part 5: Confidentiality framework; Part 6: Integrity frame
24、work; Part 7: Security audit and alarms framework. Annexes A and B of this part of ISO/IEC 10181 are for information only. Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 10181-1:1996 BSI 10-19981 Introduction Many applications ha
25、ve requirements for security to protect against threats to the communication of information. Some commonly known threats, together with the security services and mechanisms that can be used to protect against them are described in CCITT Rec. X.800|ISO 7498-2. This Recommendation|International Standa
26、rd defines the framework within which security services for open systems are specified. 1 Scope The security frameworks address the application of security services in an Open Systems environment, where the term Open Systems is taken to include areas such as Database, Distributed Applications, ODP a
27、nd OSI. The security frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The security frameworks are not concerned with the methodology for constructing systems or mechanisms. The security framewo
28、rks address both data elements and sequences of operations (but not protocol elements) which are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. The sec
29、urity frameworks provide the basis for further standardization, providing consistent terminology and definitions of generic abstract service interfaces for specific security requirements. They also categorize the mechanisms that can be used to achieve those requirements. One security service frequen
30、tly depends on other security services, making it difficult to isolate one part of security from the others. The security frameworks address particular security services, describe the range of mechanisms that can be used to provide the security services, and identify interdependancies between the se
31、rvices and the mechanisms. The description of these mechanisms may involve a reliance on a different security service, and it is in this way that the security frameworks describe the reliance of one security service on another. This part of the security frameworks: describes the organization of the
32、security frameworks; defines security concepts which are required in more than one part of the security frameworks; describes the inter-relationship of the services and mechanisms identified in other parts of the frameworks. 2 Normative references The following Recommendations and International Stan
33、dards contain provisions, which through reference in this text, constitute provisions of this Recommendation|International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recom
34、mendation|International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau
35、of the ITU maintains a list of currently valid ITU Recommendations. 2.1 Identical Recommendations|International Standards ITU-T Recommendation X.200 (1994)| ISO/IEC 7498-1:1994, Information technology Open Systems Interconnection Basic Reference Model: The Basic Model. 2.2 Paired Recommendations | I
36、nternational Standards equivalent in technical content CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. 3
37、 Definitions The following definitions are used either in the overview or are common to two or more of the subsequent parts of the security frameworks. For the purposes of this Recommendation | International Standard, the following definitions apply. 3.1 basic reference model definitions this Recomm
38、endation|International Standard makes use of the following terms defined in ITU-T Rec. X.200|ISO/IEC 7498-1: (N)-layer; (N)-entity; (N)-protocol-data-unit; application process; real open system; real system. Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled
39、 Copy, (c) BSI BS ISO/IEC 10181-1:1996 2 BSI 10-1998 3.2 security architecture definitions this Recommendation|International Standard makes use of the following terms defined in CCITT Rec. X.800|ISO 7498-2: access control; availability; ciphertext; cryptographic checkvalue; decipherment; denial of s
40、ervice; digital signature; encipherment; insider threat; key; key management; plaintext; outsider threat; security audit; security label; security policy; sensitivity; threat. 3.3 Additional definitions For the purposes of this Recommendation | International Standard, the following definitions apply
41、: 3.3.1 asymmetric cryptographic algorithm an algorithm for performing encipherment or the corresponding decipherment in which the keys used for encipherment and decipherment differ NOTEWith some asymmetric cryptographic algorithms, decipherment of ciphertext or the generation of a digital signature
42、 requires the use of more than one private key. 3.3.2 certification authority an entity that is trusted (in the context of a security policy) to create security certificates containing one or more classes of security-relevant data 3.3.3 conditionally trusted entity an entity that is trusted in the c
43、ontext of a security policy, but which cannot violate the security policy without being detected 3.3.4 cryptographic chaining a mode of use of a cryptographic algorithm in which the transformation performed by the algorithm depends on the values of previous inputs or outputs 3.3.5 digital fingerprin
44、t a characteristic of a data item, such as a cryptographic checkvalue or the result of performing a one-way hash function on the data, that is sufficiently peculiar to the data item that it is computationally infeasible to find another data item that will possess the same characteristics 3.3.6 disti
45、nguishing identifier data that uniquely identifies an entity 3.3.7 hash function a (mathematical) function that maps values from a (possibly very) large set of values into a smaller range of values 3.3.8 one-way function a (mathematical) function that is easy to compute but, when knowing a result, i
46、t is computationally infeasible to find any of the values that may have been supplied to obtain it 3.3.9 one-way hash function a (mathematical) function that is both a one-way function and a hash function 3.3.10 private key a key that is used with an asymmetric cryptographic algorithm and whose poss
47、ession is restricted (usually to only one entity) 3.3.11 public key a key that is used with an asymmetric cryptographic algorithm and that can be made publicly available 3.3.12 revocation certificate a security certificate issued by a security authority to indicate that a particular security certifi
48、cate has been revoked 3.3.13 revocation list certificate a security certificate that identifies a list of security certificates that have been revoked Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 06:58:46 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 10181-1:1996 BSI 10-19983 3.3.1
49、4 seal a cryptographic checkvalue that supports integrity but does not protect against forgery by the recipient (i.e. it does not provide non-repudiation). When a seal is associated with a data element, that data element is said to be sealed NOTEAlthough a seal does not by itself provide non-repudiation, some non-repudiation mechanisms make use of the integrity service provided by seals, e.g. to protect communications with trusted third parties. 3.3.15 secret key a key