KS X ISO IEC 15816-2007 Information technology－Security techniques－Security information objects for access control《信息技术 安全技术 访问控制的安全信息对象》.pdf

1、 KS X ISO/IEC 15816 KSKSKSKS SKSKSKS KSKSKS SKSKS KSKS SKS KS KS X ISO/IEC 15816 ：2007 (2012 ) 2007 10 29 http:/www.kats.go.krKS X ISO/IEC 15816：2007 : e- ( ) ( ) () () ( ) : () ( ) () () JS KS X ISO/IEC 15816：2007 : (http:/www.standard.go.kr) ： ：2002 11 26 ：2007 10 29 ：2012 12 31 ： e 2012-0848 ： e

2、( 02-509-7262) (http:/www.kats.go.kr). 10 5 , . KS X ISO/IEC 15816：2007 i e . KS X ISO/IEC 15816：2007 . A() ASN.1 B() SECURITY-CATEGORY KS X ISO/IEC 15816：2007 (2012 ) Information technologySecurity techniques Security information objects for access control 2002 1 ISO/IEC 15816, Information technolo

3、gySecurity techniques Security information objects for access control , . “ (security information objects：SIO)” , . ITUT X.680(1997)ISO/IEC 88241： 1998 ITUT X.681(1997)ISO/IEC 88242：1998 1(ASN.1) . , . . , ( ), ( ) . , , . , , , . . . 1 . a) (SIO) b) SIO c) SIO 1(ASN. 1) SIO “ (statics)” . SIO KS X

4、ISO/IEC 15816：2007 2 “ (dynamics)” . SIO . 2 . . ( ) . 2.1 ITUT X.411(1999)ISO/IEC 100214：1999, Information technologyOpen Systems Interconnection Message Handling Systems(MHS)Message transfer system：Abstract service definition and procedures ITUT X.500(1997)ISO/IEC 95941：1999, Information technolog

5、yOpen Systems Interconnection The Directory：Overview of concepts, models and services. ITUT X.501(1997)ISO/IEC 95942：1999, Information technologyOpen Systems Interconnection The Directory：Models ITUT X.509(2000)ISO/IEC 95948：2000, Information technologyOpen Systems Interconnection The Directory：Publ

6、ic Key and Attribute Certificate Frameworks. ITUT X.680(1997)ISO/IEC 88241：1998, Information technologyAbstract syntax notation one(ASN.1)：Specification of basic notation ITUT X.681(1997)ISO/IEC 88242：1998, Information technologyAbstract syntax notation one(ASN.1)：Information object specification IT

7、UT X.682(1997)ISO/IEC 88243：1998, Information technologyAbstract syntax notation one(ASN.1)：Constraint specification ITUT X.683(1997)ISO/IEC 88244：1998, Information technologyAbstract syntax notation one(ASN.1)：Parameterization of ASN.1 specifications ITUT X.690(1997)ISO/IEC 88251：1998, Information

8、technologyASN.1 Encoding Rules：Specification of basic encoding rules(BER), canonical encoding rules(CER) and distinguished encoding rules(DER) CCITT X.722(1992)ISO/IEC 101654：1992, Information technologyOpen Systems Interconnection Structure of management informationGuidelines for the definition of

9、managed objects. ITUT X.741(1995)ISO/IEC 101649：1995, Information technologyOpen System Interconnection System management：Objects and attributes for access control. ITUT X.803(1994)ISO/IEC 10745：1995, Information technologyOpen System Interconnection Upper layers security model ITUT X.810(1995)ISO/I

10、EC 101811：1996, Information technologyOpen System Interconnection Security frameworks for open systems：Overview. ITUT X.830(1995)ISO/IEC 115861：1996, Information technologyOpen System Interconnection Generic upper layers security；Overview, models and notation. 2.2 CCITT X.800(1991), Security archite

11、cture for Open Systems Interconnection for CCITT applications. ISO 74981：1989, Information processing systemsOpnen Systems InterconnectionBasic reference ModelPart 2：Security Architecture. KS X ISO/IEC 15816：2007 3 3 . 3.1 (compartmentalization) ISO/IEC 23828 . 3.2 SIO (generic SIO Class) SIO 3.3 (i

12、nformation object) ITUT Rec. X.681ISO/IEC 88242 . 3.4 (information object class) ITUT Rec. X.681ISO/IEC 88242 . 3.5 (object identifier：OID) ITUT Rec. X.680ISO/IEC 88241 . 3.6 (seal) ITUT Rec. X.810ISO/IEC 101811 . 3.7 (security authority) 3.8 (security domain) 3.9 (security information object) SIO 3

13、.10 (security information object class) 3.11 (security label) CCITT Rec. X.800ISO/IEC 74982 . 3.12 (security policy) ISO/IEC DIS 23828 . KS X ISO/IEC 15816：2007 4 3.13 (security policy information file) 3.14 SIO (specific SIO class) SIO 4 . ASN.1 1(abstract syntax notation one) EE (end entitiy) IT (

14、information technology) OID (object identifier) RBAC (rule based access control) SIO (security information object) SPIF (security policy information file) 5 (convention) 5.1 SIO . SIO SIO SIO 5.2 SIO SIO . , SIO SIO . SIO SIO . 5.3 SIO . SIO SIO SIO SIO 1(ASN.1) . 6 KS X ISO/IEC 15816：2007 5 SIO , ,

15、 . SIO , . , SIO SIO . SIO (subclass) . ASN.1 A . . id-SIOsAccessControl-MODULE OBJECT IDENTIFIER := joint-iso-ITUT sios(24) specification(0) modules(0) accessControl(0) 6.1 (Confidentiality Label) 6.1.1 , . , . . , , , , , , . , . . IT , . , , , , , IT . ( ) , . , . KS X ISO/IEC 15816：2007 6 , . .

16、. , IT . , . . 6.1.2 ASN.1 . id-ConfidentialityLabel OBJECT IDENTFIER := joint-iso-ITU T sios(24) specification(0) securityLabels(1) confidentiality(0) ConfidentialityLabel := SET security-policy-identifier SecurityPolicyIdentifier OPTIONAL, security-classification INTEGER(0MAX) OPTIONAL, privacy-ma

17、rk PrivacyMark OPTIONAL, security-categories SecurityCategories OPTIONAL (ALL EXCEPT(-; -) SecurityPolicyIdentifier := OBJECT IDENTIFIER PrivacyMark := CHOICE pString PrintableString(SIZE(1ub-privacy-mark-length), utf8String UTF8String(SIZE(1ub-privacy-mark-length) ub-privacy-mark-length INTEGER :=

18、128 ITUT RecZ.411ISO/IEC 100214 . SecurityCategories := SET SIZE(1MAX) OF SecurityCategory SecurityCategory := SEQUENCE type0 SECURITY-CATEGORY.&id(SecurityCategoriesTable), Value 1 SECURITY-CATEGORY.&Type(SecurityCategoriesTabletype) SECURITY-CATEGORY := TYPE-IDENTIFIER SecurityCategoriesTable SECU

19、RITY-CATEGORY := . TYPE-IDENTIFIER B . 6.1.3 (binding methods for confidentiality labels) 6.1.3.1 1(binding method 1) (D) (L) . , . KS X ISO/IEC 15816：2007 7 . , . 6.1.3.2 2(binding method 2) (S) (SigAlg) (X) D L . . S=SigAlg(X,f(D),L) D, L . L D . , f f(D) D . , L S . L, D, S , . . 6.1.3.3 3(bindin

20、g method 3) (MAC) MAC (MacAlg) MAC (K-MAC) D L . . MAC=MacAlg(K-MAC,f(D),L) MAC D, L . MAC L D . , f f(D) D . , L MAC . L, D, MAC , . L D K-MAC MAC , MAC . 6.2 6.2.1 . . . . . . . KS X ISO/IEC 15816：2007 8 . versionInformation 1(ASN.1) . updateInformation . securityPolicyIdData . privilegeId (OID) .

21、 privilegeId rbacId . securityClassifications . rbacId securityLabel (rule based access control) . rbacId privilegeId . securityCategories , . equivalentPolicies (SPIF) . defaultSecurityPolicyIdData , . extensions . . 6.2.2 ASN.1 . SecurityPolicyInformati onFile := SIGNEDEncodedSPIF EncodedSPIF := T

22、YPE-IDENTIFIER.&Type(SPIF) SPIF := SEQUENCE versionInformation VersionInformationData DEFAULT v1, updateInformation UpdateInformationData, securityPolicyIdData ObjectIdData, privilegeId OBJECT IDENTIFIER, rbacId OBJECT IDENTIFIER, securityClassifications 0 SEQUENCE OF SecurityClassfication OPTONAL,

23、securityCategories 1 SEQUENCE OF SecurityCategory OPTIONAL, equivalentPolicies 2 SEQUENCE OF EquivalentPolicy OPTIONAL, defaultSecurityPolicyIdData 3 ObjectIDData OPTIONAL, extensions 4 Extensions OPTIONAL 6.2.2.1 versionInformation 1(ASN.1) . VersionInformationData := INTEGER v1(0) (0MAX) KS X ISO/

24、IEC 15816：2007 9 6.2.2.2 updateInformationData (SPIF) . sPIFVersionNumber (SPIF) securityPolicyIdData (SPIF) . creationDate (SPIF) . originatorDistinguishedName (SPIF) . keyIdentifier (SPIF) . UpdateInformationData := SEQUENCE sPIFVersionNumber INTEGER(0MAX), creationDate GeneralizedTime, originator

25、DistinguishedName Name, keyIdentifier OCTET STRING OPTIONAL 6.2.2.3 ID securityPolicyIdData (SPIF) . securityPolicyIdData ObjectIdData , ObjectIdData objectId objectIdName . objectId (OID), objectIDName . ObjectIdData := SEQUENCE objectId OBJECT IDENTIFIER, objectIdName ObjectIdName ObjectIdName := DirectoryStringubObjectIdNameLength 6.2.2.4 privilegeId (OID) . 6.2.2.5 (RBAC) rbacId (SPIF) securityLabel . rbacId privilegeId