BRITISH STANDARD BS ISO 7498-2:1989

Implementation of ISO 7498-2:1989

Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security architecture

Licensed Copy: sheffieldun sheffieldun, na, Sun Nov 26 12:05:21 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This British Standard, having been prepared under the direction of the Information Technology Systems Standards Policy Committee, was published under the authority of the Board of BSI and comes into effect on 30 November 1990.

BSI 03-1999

The following BSI references relate to the work on this standard:
Committee reference IST/21
Draft for comment DD 148

ISBN 0 580 19068 4

Committees responsible for this British Standard

The preparation of this British Standard was entrusted by the Information Technology Systems Standards Policy Committee (IST/-) to Technical Committee IST/21, upon which the following bodies were represented:

Association for Payment Clearing Services
British Computer Society
British Gas plc
British Railways Board
British Telecommunications plc
Computing Services Association
Department of Trade and Industry Alvey (Advanced Network Systems Architecture)
Department of Trade and Industry (Information Technology Division)
Department of Trade and Industry (National Physical Laboratory)
EEA (the Electronics and Business Equipment Association)
HM Treasury (Central Computer and Telecommunications Agency)
Institute of Chartered Secretaries and Administrators
Institution of Electrical Engineers
Inter-universities Computing Committee
Joint Network Team
Mercury Communications Limited
Ministry of Defence
National Health Services
Post Office
United Kingdom Atomic Energy Authority
University of London Computer Centre

Amendments issued since publication
Amd. No.    Date    Comments
(none recorded)

Contents
Committees responsible (inside front cover)
National foreword
Foreword
Text of ISO 7498-2

National foreword

This British Standard reproduces verbatim ISO 7498-2:1989 and implements it as the UK national standard. This British Standard is published under the direction of the Information Technology Systems Standards Policy Committee whose Technical Committee IST/21 has the responsibility to:
aid enquirers to understand the text;
present to the responsible international committee any enquiries on interpretation, or proposals for change, and keep UK interests informed;
monitor related international and European developments and promulgate them in the UK.

NOTE International and European Standards, as well as overseas standards, are available from BSI Sales Department, BSI, Linford Wood, Milton Keynes, MK14 6LE.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages
This document comprises a front cover, an inside front cover, pages i and ii, the ISO title page, pages ii to iv, pages 1 to 32 and a back cover.
This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover.

ISO 7498-2:1989 (E)

Contents
Foreword
0 Introduction
1 Scope and field of application
2 References
3 Definitions
4 Notation
5 General description of security services and mechanisms
5.1 Overview
5.2 Security services
5.3 Specific security mechanisms
5.4 Pervasive security mechanisms
5.5 Illustration of relationship of security services and mechanisms
6 The relationship of services, mechanisms and layers
6.1 Security layering principles
6.2 Model of invocation, management and use of protected (N)-services
7 Placement of security services and mechanisms
7.1 Physical layer
7.2 Data link layer
7.3 Network layer
7.4 Transport layer
7.5 Session layer
7.6 Presentation layer
7.7 Application layer
7.8 Illustration of relationship of security services and layers
8 Security management
8.1 General
8.2 Categories of OSI security management
8.3 Specific system security management activities
8.4 Security mechanism management functions
Annex A (informative) Background information on security in OSI
Annex B (informative) Justification for security service placement in clause 7
Annex C (informative) Choice of position of encipherment for applications
Figure 1 Direct Signature Scheme
Figure 2 Arbitrated Signature Scheme
Table 1
Table 2

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

Draft International Standards adopted by the technical committees are circulated to the member bodies for approval before their acceptance as International Standards by the ISO Council. They are approved in accordance with ISO procedures requiring at least 75 % approval by the member bodies voting.

International Standard ISO 7498-2 was prepared by Technical Committee ISO/TC 97, Information processing systems.

Users should note that all International Standards undergo revision from time to time and that any reference made herein to any other International Standard implies its latest edition, unless otherwise stated.

0 Introduction

ISO 7498 describes the Basic Reference Model for Open Systems Interconnection (OSI). That part of ISO 7498 establishes a framework for coordinating the development of existing and future standards for the interconnection of systems.

The objective of OSI is to permit the interconnection of heterogeneous computer systems so that useful communication between application processes may be achieved. At various times, security controls must be established in order to protect the information exchanged between the application processes. Such controls should make the cost of obtaining or modifying data greater than the potential value of so doing, or make the time required to obtain the data so great that the value of the data is lost.

This part of ISO 7498 defines the general security-related architectural elements which can be applied appropriately in the circumstances for which protection of communication between open systems is required. It establishes, within the framework of the Reference Model, guidelines and constraints to improve existing standards or to develop new standards in the context of OSI in order to allow secure communications and thus provide a consistent approach to security in OSI.

A background in security will be helpful in understanding this document. The reader who is not well versed in security is advised to read Annex A first.

This part of ISO 7498 extends the Basic Reference Model to cover security aspects which are general architectural elements of communications protocols, but which are not discussed in the Basic Reference Model.

1 Scope and field of application

This part of ISO 7498:
a) provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and
b) defines the positions within the Reference Model where the services and mechanisms may be provided.

This part of ISO 7498 extends the field of application of ISO 7498, to cover secure communications between open systems.

Basic security services and mechanisms and their appropriate placement have been identified for all layers of the Basic Reference Model. In addition, the architectural relationships of the security services and mechanisms to the Basic Reference Model have been identified.

Additional security measures may be needed in end systems, installations and organizations. These measures apply in various application contexts. The definition of security services needed to support such additional security measures is outside the scope of this standard.

OSI security functions are concerned only with those visible aspects of a communications path which permit end systems to achieve the secure transfer of information between them. OSI Security is not concerned with security measures needed in end systems, installations, and organizations, except where these have implications on the choice and position of security services visible in OSI. These latter aspects of security may be standardized but not within the scope of OSI standards.

This part of ISO 7498 adds to the concepts and principles defined in ISO 7498; it does not modify them. It is not an implementation specification, nor is it a basis for appraising the conformance of actual implementations.

2 References

ISO 7498, Information processing systems - Open Systems Interconnection - Basic Reference Model.
ISO 7498-4, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 4: Management Framework 1).
ISO 7498/Add.1, Information processing systems - Open Systems Interconnection - Basic Reference Model - Addendum 1: Connectionless-mode transmission.
ISO 8648, Information processing systems - Open Systems Interconnection - Internal organization of the Network Layer.

1) At present at the stage of draft: publication anticipated in due course.

3 Definitions and abbreviations

3.1 This part of ISO 7498 builds on concepts developed in ISO 7498 and makes use of the following terms defined in it:
a) (N)-connection;
b) (N)-data-transmission;
c) (N)-entity;
d) (N)-facility;
e) (N)-layer;
f) open system;
g) peer entities;
h) (N)-protocol;
i) (N)-protocol-data-unit;
j) (N)-relay;
k) routing;
l) sequencing;
m) (N)-service;
n) (N)-service-data-unit;
o) (N)-user-data;
p) subnetwork;
q) OSI resource; and
r) transfer syntax.

3.2 This part of 7498 uses the following terms drawn from the respective International Standards:
Connectionless Mode Transmission (ISO 7498/Add.1)
End system (ISO 7498)
Relaying and routing function (ISO 8648)
UNITDATA (ISO 7498)
Management Information Base (MIB) (ISO 7498-4)

In addition, the following abbreviations are used:
OSI for Open Systems Interconnection;
SDU for Service Data Unit;
SMIB for Security Management Information Base; and
MIB for Management Information Base.

3.3 For the purpose of this part of ISO 7498, the following definitions apply:

3.3.1 access control
the prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner

3.3.2 access control list
a list of entities, together with their access rights, which are authorized to have access to a resource

3.3.3 accountability
the property that ensures that the actions of an entity may be traced uniquely to the entity

3.3.4 active threat
the threat of a deliberate unauthorized change to the state of the system
NOTE Examples of security-relevant active threats may be: modification of messages, replay of messages, insertion of spurious messages, masquerading as an authorized entity and denial of service.

3.3.5 audit
see security audit

3.3.6 audit trail
see security audit trail

3.3.7 authentication
see data origin authentication, and peer entity authentication
NOTE In this part of 7498 the term "authentication" is not used in connection with data integrity; the term "data integrity" is used instead.

3.3.8 authentication information
information used to establish the validity of a claimed identity

3.3.9 authentication exchange
a mechanism intended to ensure the identity of an entity by means of information exchange

3.3.10 authorization
the granting of rights, which includes the granting of access based on access rights

3.3.11 availability
the property of being accessible and useable upon demand by an authorized entity

3.3.12 capability
a token used as an identifier for a resource such that possession of the token confers access rights for the resource

3.3.13 channel
an information transfer path

3.3.14 ciphertext
data produced through the use of encipherment. The semantic content of the resulting data is not available
NOTE Ciphertext may itself be input to encipherment, such that super-enciphered output is produced.

3.3.15 cleartext
intelligible data, the semantic content of which is available

3.3.16 confidentiality
the property that information is not made available or disclosed to unauthorized individuals, entities, or processes

3.3.17 credentials
data that is transferred to establish the claimed identity of an entity

3.3.18 cryptanalysis
the analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext

3.3.19 cryptographic checkvalue
information which is derived by performing a cryptographic transformation (see cryptography) on the data unit
NOTE The derivation of the checkvalue may be performed in one or more steps and is a result of a mathematical function of the key and a data unit. It is usually used to check the integrity of a data unit.

3.3.20 cryptography
the discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use
NOTE Cryptography determines the methods used in encipherment and decipherment. An attack on a cryptographic principle, means, or method is cryptanalysis.

3.3.21 data integrity
the property that data has not been altered or destroyed in an unauthorized manner

3.3.22 data origin authent
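The definitions of access control list (3.3.2), capability (3.3.12), authorization (3.3.10) and accountability (3.3.3) describe two different ways of deciding whether an entity may use a resource, plus the requirement that decisions be traceable to an entity. The following Python sketch is an added example and is not part of ISO 7498-2; it shows a resource-indexed ACL beside a possession-based capability token, with every decision recorded in an audit trail. The class names, the sample resource "/payroll" and the entity names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessControlList:
    """3.3.2: entities, with their access rights, authorized for one resource.
    The list is attached to the resource and indexed by entity name."""
    entries: dict = field(default_factory=dict)  # entity -> set of rights

    def permits(self, entity: str, right: str) -> bool:
        return right in self.entries.get(entity, set())


class CapabilityRegistry:
    """3.3.12: a token whose possession confers rights for a resource.
    The holder need not appear in any list; the registry only maps the
    (unguessable) token to the resource and rights it was issued for."""

    def __init__(self):
        self._table = {}  # token -> (resource, frozenset of rights)

    def issue(self, resource: str, rights) -> str:
        token = secrets.token_hex(16)  # 128-bit random token, not derivable by a holder
        self._table[token] = (resource, frozenset(rights))
        return token

    def permits(self, token: str, resource: str, right: str) -> bool:
        entry = self._table.get(token)
        return entry is not None and entry[0] == resource and right in entry[1]


class ReferenceMonitor:
    """Single point of access control (3.3.1). An access is granted either
    because the ACL on the resource names the entity (3.3.10 authorization
    based on access rights) or because the entity presents a valid capability.
    Each decision is appended to an audit trail so that it can be traced
    uniquely to the requesting entity (3.3.3 accountability)."""

    def __init__(self):
        self.acls = {}  # resource -> AccessControlList
        self.caps = CapabilityRegistry()
        self.audit_trail = []  # (entity, resource, right, granted)

    def check(self, entity: str, resource: str, right: str, token: str = None) -> bool:
        acl = self.acls.get(resource)
        by_acl = acl is not None and acl.permits(entity, right)
        by_cap = token is not None and self.caps.permits(token, resource, right)
        granted = by_acl or by_cap
        self.audit_trail.append((entity, resource, right, granted))
        return granted


def demo():
    """Constructed scenario: alice is on the ACL for /payroll; bob is not,
    but is later handed a read-only capability for it."""
    monitor = ReferenceMonitor()
    monitor.acls["/payroll"] = AccessControlList({"alice": {"read", "write"}})
    results = {
        "alice_read": monitor.check("alice", "/payroll", "read"),
        "bob_read_no_token": monitor.check("bob", "/payroll", "read"),
    }
    token = monitor.caps.issue("/payroll", {"read"})
    results["bob_read_with_token"] = monitor.check("bob", "/payroll", "read", token)
    results["bob_write_with_token"] = monitor.check("bob", "/payroll", "write", token)
    results["bob_other_resource"] = monitor.check("bob", "/hr", "read", token)
    results["audit_entries"] = len(monitor.audit_trail)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two models differ in where the decision data lives: the ACL sits with the resource and is consulted by looking up the requester, whereas the capability travels with the requester and is validated by looking up the token. In both cases the audit trail records who asked for what and whether it was granted, which is what accountability requires.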
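The NOTE under 3.3.19 says a cryptographic checkvalue is a mathematical function of a key and a data unit, usually used to check data integrity (3.3.21), and 3.3.4 lists modification, replay and insertion of spurious messages among active threats. The following Python example is added here and is not part of ISO 7498-2; it uses HMAC-SHA256 (an assumed choice, the standard names no algorithm) as the cryptographic transformation, binds a sequence number into the checkvalue so that a replayed data unit is rejected, and shows a receiver distinguishing an intact unit from a modified or replayed one. The shared key and the message contents are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample key shared by the two peer entities; never a real secret.
SAMPLE_KEY = b"example-shared-key-not-for-real-use"
SEQ_LEN = 8    # sequence number carried as a big-endian 64-bit integer
TAG_LEN = 32   # SHA-256 output length in bytes


def checkvalue(key: bytes, sequence: int, data_unit: bytes) -> bytes:
    """Derive the checkvalue as a keyed function of the data unit.
    The sequence number is part of the input, so an old unit carrying its
    original checkvalue cannot be passed off as a fresh one."""
    return hmac.new(key, struct.pack(">Q", sequence) + data_unit, hashlib.sha256).digest()


def protect(key: bytes, sequence: int, data_unit: bytes) -> bytes:
    """Sender side: frame as sequence || data || checkvalue."""
    return struct.pack(">Q", sequence) + data_unit + checkvalue(key, sequence, data_unit)


class Receiver:
    """Receiver side: recompute the checkvalue and enforce the expected sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0  # next sequence number this receiver will accept

    def verify(self, pdu: bytes):
        """Return (accepted, reason, data_unit). data_unit is None on rejection."""
        if len(pdu) < SEQ_LEN + TAG_LEN:
            return (False, "truncated", None)
        sequence = struct.unpack(">Q", pdu[:SEQ_LEN])[0]
        data, tag = pdu[SEQ_LEN:-TAG_LEN], pdu[-TAG_LEN:]
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(tag, checkvalue(self.key, sequence, data)):
            # Covers both modification of a genuine unit and insertion of a
            # spurious unit built without the key; the receiver cannot tell
            # these apart and need not.
            return (False, "modified or spurious", None)
        if sequence != self.expected:
            return (False, "replayed or out of sequence", None)
        self.expected += 1
        return (True, "ok", data)


def demo():
    """Constructed exchange: one genuine unit, a tampered copy, a replay,
    the next genuine unit, and a unit forged under the wrong key."""
    rx = Receiver(SAMPLE_KEY)
    first = protect(SAMPLE_KEY, 0, b"transfer 100")
    outcomes = [rx.verify(first)[1]]

    tampered = bytearray(protect(SAMPLE_KEY, 1, b"transfer 100"))
    tampered[SEQ_LEN + 9] ^= 0x01  # flips the '1' of "100" to '0' in the data field
    outcomes.append(rx.verify(bytes(tampered))[1])

    outcomes.append(rx.verify(first)[1])  # replay of the already-accepted unit
    outcomes.append(rx.verify(protect(SAMPLE_KEY, 1, b"transfer 100"))[1])
    outcomes.append(rx.verify(protect(b"some-other-key", 2, b"transfer 100"))[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Checking the tag before the sequence number means a corrupted unit never advances the receiver's window, and the genuine unit with sequence 1 is still accepted after the tampered copy was dropped. The checkvalue gives integrity only; confidentiality (3.3.16) would need encipherment in addition.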