BS-ISO-IEC-10181-6-1996.pdf

Uploaded by: 爱问知识人  Document ID: 3750098  Upload date: 2019-09-22  Format: PDF  Pages: 22  Size: 404.58 KB

BRITISH STANDARD
BS ISO/IEC 10181-6:1996

Information technology - Open Systems Interconnection - Security frameworks for open systems: Integrity framework

(ITU-T Rec. X.815 (1995) | ISO/IEC 10181-6:1996)

ICS 35.100.01

Licensed Copy: sheffieldun sheffieldun, na, Wed Nov 22 07:02:10 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 March 1997

BSI 11-1998

ISBN 0 580 26596 X

National foreword

This British Standard reproduces verbatim ISO/IEC 10181-6:1996 and implements it as the UK national standard.

The UK participation in its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to:

- aid enquirers to understand the text;
- present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed;
- monitor related international and European developments and promulgate them in the UK.

A list of organizations represented on this committee can be obtained on request.

Cross-references

The British Standards which implement international or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facility of the BSI Standards Electronic Catalogue.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages

This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to iv, pages 1 to 14 and a back cover.

This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover.

Amendments issued since publication

Amd. No. | Date | Comments

Contents

Foreword
Introduction
1 Scope
2 Normative references
2.1 Identical Recommendations|International Standards
2.2 Paired Recommendations|International Standards equivalent in technical content
2.3 Additional References
3 Definitions
4 Abbreviations
5 General discussion of integrity
5.1 Basic concepts
5.2 Types of integrity services
5.3 Types of integrity mechanisms
5.4 Threats to integrity
5.5 Types of integrity attacks
6 Integrity policies
6.1 Policy expression
6.1.1 Data characterization
6.1.2 Entity characterization
6.1.2.1 Identity based policies
6.1.2.2 Rule based policies
7 Integrity information and facilities
7.1 Integrity information
7.1.1 Shield integrity information
7.1.2 Modification detection integrity information
7.1.3 Unshield integrity information
7.2 Integrity facilities
7.2.1 Operational related facilities
7.2.2 Management related facilities
8 Classification of integrity mechanisms
8.1 Integrity provision through cryptography
8.1.1 Integrity provision through sealing
8.1.2 Integrity provision through Digital Signatures
8.1.3 Integrity provision through encipherment of redundant data
8.2 Integrity provision through context
8.2.1 Data Replication
8.2.2 Pre-agreed context
8.3 Integrity provision through detection and acknowledgement
8.4 Integrity provision through prevention
9 Interactions with other security services and mechanisms
9.1 Access Control
9.2 Data origin authentication
9.3 Confidentiality
Annex A Integrity in the OSI Basic Reference Model
Annex B External Data Consistency
Annex C Integrity Facilities Outline

Descriptors: Data processing, information interchange, network interconnection, open systems interconnection, communication procedure, protection of information, security techniques.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

International Standard ISO/IEC 10181-6 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open Systems Interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.815.

ISO/IEC 10181 consists of the following parts, under the general title Information technology - Open Systems Interconnection - Security frameworks for open systems:

- Part 1: Overview;
- Part 2: Authentication framework;
- Part 3: Access control framework;
- Part 4: Non-repudiation framework;
- Part 5: Confidentiality framework;
- Part 6: Integrity framework;
- Part 7: Security audit framework.

Annexes A to C of this part of ISO/IEC 10181 are for information only.

Introduction

Many open systems applications have security requirements which depend upon the integrity of data. Such requirements may include the protection of data used in the provision of other security services such as authentication, access control, confidentiality, audit and non-repudiation, that, if an attacker could modify them, could reduce or nullify the effectiveness of those services.

The property that data has not been altered or destroyed in an unauthorized manner is called integrity. This Recommendation|International Standard defines a general framework for the provision of integrity services.

1 Scope

The Recommendation|International Standard on Security Frameworks for Open Systems addresses the application of security services in an Open Systems environment, where the term “Open System” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms.

The Security Frameworks address both data elements and sequences of operations (but not protocol elements) which may be used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems.

This Recommendation|International Standard addresses the integrity of data in information retrieval, transfer, and management:

1) defines the basic concept of data integrity;
2) identifies possible classes of integrity mechanism;
3) identifies facilities for each class of integrity mechanisms;
4) identifies management required to support the class of integrity mechanism;
5) addresses the interaction of integrity mechanism and the supporting services with other security services and mechanisms.

A number of different types of standard can use this framework, including:

1) standards that incorporate the concept of integrity;
2) standards that specify abstract services that include integrity;
3) standards that specify uses of an integrity service;
4) standards that specify means of providing integrity within an open system architecture; and
5) standards that specify integrity mechanisms.

Such standards can use this framework as follows:

- standards of type 1), 2), 3), 4) and 5) can use the terminology of this framework;
- standards of type 2), 3), 4) and 5) can use the facilities identified in clause 7;
- standards of type 5) can be based upon the classes of mechanisms identified in clause 8.

Some of the procedures described in this security framework achieve integrity by the application of cryptographic techniques. This framework is not dependent on the use of particular cryptographic or other algorithms, although certain classes of integrity mechanisms may depend on particular algorithm properties.

NOTE - Although ISO does not standardize cryptographic algorithms, it does standardize the procedures used to register them in ISO/IEC 9979.

The integrity addressed by this Recommendation|International Standard is that defined by the constancy of a data value. This notion (constancy of a data value) encompasses all instances in which different representations of a data value are deemed equivalent (such as different ASN.1 encodings of the same value). Other forms of invariance are excluded.

The usage of the term data in this Recommendation|International Standard includes all types of data structures (such as sets or collections of data, sequences of data, file-systems and databases).

This framework addresses the provision of integrity to data that are deemed to be write-accessible to potential attackers. Therefore, it focusses on the provision of integrity through mechanisms, both cryptographic and non-cryptographic that do not rely exclusively on regulating access.

2 Normative references

The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation|International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation|International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

2.1 Identical Recommendations|International Standards

- ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model.
- ITU-T Recommendation X.273 (1994) | ISO/IEC 11577:1995, Information technology - Open Systems Interconnection - Network layer security protocol.
- ITU-T Recommendation X.274 (1994) | ISO/IEC 10736:1995, Information technology - Telecommunications and information exchange between systems - Transport layer security protocol.
- ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Overview.
- ITU-T Recommendation X.811 (1995) | ISO/IEC 10181-2:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework.
- ITU-T Recommendation X.812 (1995) | ISO/IEC 10181-3:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Access control framework.

2.2 Paired Recommendations|International Standards equivalent in technical content

- ITU-T Recommendation X.224 (1993), Protocol for providing the OSI connection-mode transport service.
  ISO/IEC 8073:1992, Information technology - Telecommunications and information exchange between systems - Open Systems Interconnection - Protocol for providing the connection-mode transport service.
- CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
  ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.

2.3 Additional References

- ISO/IEC 9979:1991, Data cryptographic techniques - Procedures for the registration of cryptographic algorithms.

3 Definitions

For the purposes of this Recommendation|International Standard, the following definitions apply.

3.1 This Recommendation|International Standard builds on concepts developed in ITU-T Recommendation X.200|ISO/IEC 7498-1 and makes use of the following terms defined in it:

a) (N)-connection;
b) (N)-entity;
c) (N)-facility;
d) (N)-layer;
e) (N)-SDU;
f) (N)-service;
g) (N)-user-data.

3.2 This Recommendation|International Standard builds on concepts developed in CCITT Recommendation X.800|ISO 7498-2 and makes use of the following terms defined in it:

a) access control;
b) connection integrity;
c) data integrity;
d) decipherment;
e) decryption;
f) digital signature;
g) encipherment;
h) encryption;
i) identity-based security policy;
j) integrity;
k) key;
l) routing control;
m) rule-based security policy.

NOTE - Where not otherwise qualified, the term “integrity” in this standard is taken to mean data integrity.

3.3 This Recommendation|International Standard makes use of the following general security-related terms defined in ITU-T Rec. X.810|ISO/IEC 10181-1:

a) digital fingerprint;
b) hash function;
c) one-way function;
d) private key;
e) public key;
f) seal;
g) secret key;
h) trusted third party.

3.4 This Recommendation|International Standard builds on concepts developed in ITU-T Rec. X.811|ISO/IEC 10181-2 and makes use of the following terms defined in it:

- time variant parameter.

3.5 For the purpose of this Recommendation|International Standard, the following definitions apply:

3.5.1 integrity-protected channel
a communications channel to which an integrity service has been applied

NOTE - Two forms of integrity services for communication channels are referred to in CCITT Rec. X.800|ISO 7498-2. These forms (connecti
