TIA-4940.022
November 2012

Smart Device Communications; Protocol Aspects; Deploying and Securing Applications

NOTICE

TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purchaser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Standards and Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Standards and Publications. Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or internationally.

Standards and Publications are adopted by TIA in accordance with the American National Standards Institute (ANSI) patent policy. By such action, TIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication.

This Standard does not purport to address all safety problems associated with its use or all applicable regulatory requirements. It is the responsibility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use.

(From Project No. TIA-PN-4940.022, formulated under the cognizance of the TIA TR-50 M2M-Smart Device Communications).

Published by
TELECOMMUNICATIONS INDUSTRY ASSOCIATION
Standards and Technology Department
2500 Wilson Boulevard
Arlington, VA 22201 U.S.A.

PRICE: Please refer to current Catalog of TIA TELECOMMUNICATIONS INDUSTRY ASSOCIATION STANDARDS AND ENGINEERING PUBLICATIONS or call IHS, USA and Canada (1-877-413-5187) International (303-397-2896) or search online at http://www.tiaonline.org/standards/catalog/

All rights reserved
Printed in U.S.A.

NOTICE OF COPYRIGHT

This document is copyrighted by the TIA. Reproduction of these documents either in hard copy or soft copy (including posting on the web) is prohibited without copyright permission. For copyright permission to reproduce portions of this document, please contact the TIA Standards Department or go to the TIA website (www.tiaonline.org) for details on how to request permission. Details are located at: http://www.tiaonline.org/standards/catalog/info.cfm#copyright or Telecommunications Industry Association Technology

(b) there is no assurance that the Document will be approved by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or changed in the standards development or any editing process.

The use or practice of contents of this Document may involve the use of intellectual property rights (“IPR”), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIA's attention, a statement from the holder thereof is requested, all in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or conditions, which are instead left to the parties involved, nor will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory. TIA does not warrant or represent that procedures or practices suggested or provided in the Manual have been complied with as respects the Document or its contents.

If the Document contains one or more Normative References to a document published by another organization (“other SSO”) engaged in the formulation, development or publication of standards (whether designated as a standard, specification, recommendation or otherwise), whether such reference consists of mandatory, alternate or optional elements (as defined in the TIA Engineering Manual, 4th edition) then (i) TIA disclaims any duty or obligation to search or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Reference; (ii) TIA's policy of encouragement of voluntary disclosure (see Engineering Manual Section 6.5.1) of Essential Patent(s) and published pending patent applications shall apply; and (iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identification to TIA of a claim of Essential Patent(s) or published pending patent applications.

TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document.

ALL WARRANTIES, EXPRESS OR IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS' COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR RENDERED TO COMPLY WITH THE CONTENTS.

TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS.

List of Figures

Figure 1 - Certificate Chaining
Figure 2 - Architecture for Securing and Deploying Applications

Foreword

(This foreword is not part of this Standard.)

This document was formulated under the cognizance of the TIA Committee TR-50, Smart Device Communications.

The contents of the present document are subject to continuing work within the Formulating Group and may change following formal approval. Should the Formulating Group approve modification, the present document will be re-released with an identifying change of release level, for example:

TIA-4940.022-A (labels in the original figure: revision level, part number, standard number)

The document contains informative annexes.

Suggestions for improvement of this document are welcome, and should be sent to:

Telecommunications Industry Association,
Standards and Technology,
2500 Wilson Boulevard, Suite 300
Arlington, VA 22201-3834

Scope

This document is a member of a multi-part standard that, when taken in total, defines the requirements for communications pertaining to the access agnostic (e.g., PHY and MAC agnostic) monitoring and bi-directional communication of events and information between smart devices and other devices, applications and networks.

This standard enables organizations to increase security when deploying the applications across a hostile network.

This standard provides a common foundation for personnel who support or use risk management processes for IT systems.

1) Introduction

This standard is designed to build on existing cyber security policies and procedures, help organize and clarify risk management goals, and provide a consistent approach in which to make risk decisions.

The guidance provided in this standard is intended to address only the management of cyber security related risk derived from or associated with the operation and use of information technology and systems and/or the environments in which they operate. The guidance is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, regulation, policies, programmatic initiatives, or mission and business requirements. Additionally, this guidance is not part of any regulatory framework. Rather, the cyber security risk mitigation guidance described herein is complementary to and should be used as part of a more comprehensive enterprise risk management program.

2) References

2.1 Normative References

The following standards contain provisions which, through reference in this text, constitute provisions of this Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. ANSI and TIA maintain registers of currently valid national standards published by them.

References are either specific (identified by date of publication, release level, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies: a non-specific reference implicitly refers to the latest version.

1. TIA-4940.005: Smart Device Communications; Reference Architecture

2.2 Informative References

The following documents may be useful to the reader:

a. TSB-4940: Smart Device Communications; Security Aspects

3) Definitions, Symbols and Abbreviations

This section contains definitions, symbols and abbreviations that are used in this document.

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

Asymmetric Cryptography: Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption.
Attack Surface: A set of vulnerabilities that, when unprotected, may compromise a system.
Authentication: The process of verifying the identity of an entity.
Certificate: A document that binds a signature to an entity.
Cipher: An algorithm for performing encryption (reverse is decryption).
Ciphertext: The unreadable text that results from encrypting plaintext.
Cleartext: Data that can be read and understood without any special measures. This term is used interchangeably with “plaintext” in this document.
Confidentiality: The assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended.
Cryptanalysis: The science of analyzing and breaking secure communication.
Cryptographic algorithm/cipher: A mathematical function used in the encryption and decryption process.
Cryptography: The science of using mathematics to secure data via encrypting and decrypting data.
Cryptology: Study of both cryptography and cryptanalysis.
Data-at-rest: Data that is stored within entities in a M2M system.
Data-in-transit: Data moving between entities in a M2M system.
Decryption: The process of reverting ciphertext to its original plaintext.
Diffie-Hellman: An anonymous (non-authenticated) key-agreement protocol; it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes.
Digital Signature: Enables the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact.
Encryption: The method of disguising plaintext in such a way as to hide the actual content of the text.
Hash: A one-way function that takes variable-length input and produces a fixed-length output; it ensures that the information has not changed in any way.
Integrity: The assurance to an entity that data has not been altered (intentionally or unintentionally) between “there” and “here” or between “then” and “now.”
Key: A value that works with a cryptographic algorithm to produce a specific ciphertext.
Non-Repudiation: Ensures that an author cannot refute that they signed or encrypted a particular message once it has been sent, assuming the private key is secured.
Public Key Infrastructure: PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Digital Certificates. A Public Key Infrastructure (PKI) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.
Symmetric Cryptography: One secret key is used both for encryption and decryption.

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

CIA: Confidentiality, Integrity and Availability.
CA: Certification Authority.
CRL: Certification Revocation List.
DH: Diffie-Hellman.
DSA: Digital Signature Algorithm.
ECC: Elliptical Curve Cryptography.
ECDSA: Elliptic Curve Digital Signature Algorithm.
FIPS: Federal Information Processing Standards.
HTTP: Hypertext Transfer Protocol.
IoT: Internet of Things.
IPSec: Internet Protocol Security.
M2M: Machine to Machine.
MQV: Menezes-Qu-Vanstone algorithm.
SHA: Secure Hashing Algorithm.
SSL: Secure Sockets Layer.

4) Cryptology Introduction

To familiarize the reader with cryptology concepts and terminology that are used within this standard, this introductory section attempts