ДСТУ ISO/IEC 10736:2018 Information technology. Telecommunications and information exchange between systems. Transport layer security protocol (ISO/IEC 10736:1995, IDT)

ДСТУ ISO/IEC 10736:2018
(ISO/IEC 10736:1995, IDT)

Information technology. Telecommunications and information exchange between systems. Transport layer security protocol

This is not an official publication.
The official publication is distributed by the national standardization body
(ДП «УкрНДНЦ», http://uas.gov.ua)

Contents

Foreword

Introduction

1 Scope

2 Normative references

2.1 Identical Recommendations | International Standards

2.2 Paired Recommendations | International Standards equivalent in technical content

2.3 Additional references

3 Definitions

3.1 Security reference model definitions

3.2 Additional definitions

4 Symbols and abbreviations

5 Overview of the Protocol

5.1 Introduction

5.2 Security Associations and attributes

5.2.1 Security services for connection oriented Transport protocol

5.2.2 Security Service for connectionless Transport protocol

5.3 Service assumed of the Network Layer

5.4 Security management requirements

5.5 Minimum algorithm characteristics

5.6 Security encapsulation function

5.6.1 Data encipherment function

5.6.2 Integrity function

5.6.3 Security label function

5.6.4 Security padding function

5.6.5 Peer Entity Authentication function

5.6.6 SA Function using in band SA-P

6 Elements of procedure

6.1 Concatenation and separation

6.2 Confidentiality

6.2.1 Purpose

6.2.2 TPDUs and parameters used

6.2.3 Procedure

6.3 Integrity processing

6.3.1 Integrity Check Value (ICV) processing

6.3.1.1 Purpose

6.3.1.2 TPDUs and parameters used

6.3.1.3 Procedure

6.3.2 Direction indicator processing

6.3.2.1 Purpose

6.3.2.2 TPDUs and parameters used

6.3.2.3 Procedure

6.3.3 Connection integrity sequence number processing

6.3.3.1 Unique sequence numbers

6.3.3.2 Purpose

6.3.3.3 Procedure

6.4 Peer address check processing

6.4.1 Purpose

6.4.2 Procedure

6.5 Security labels for Security Associations

6.5.1 Purpose

6.5.2 TPDUs and parameters used

6.5.3 Procedure

6.6 Connection release

6.7 Key replacement

6.8 Unprotected TPDUs

6.9 Protocol identification

6.10 Security Association-Protocol

7 Use of elements of procedure

8 Structure and encoding of TPDUs

8.1 Structure of TPDU

8.2 Security encapsulation TPDU

8.2.1 Clear header

8.2.1.1 PDU clear header length

8.2.1.2 PDU type

8.2.1.3 SA-ID

8.2.2 Crypto sync

8.2.3 Protected contents

8.2.3.1 Structure of protected contents field

8.2.3.2 Content length

8.2.3.3 Flags

8.2.3.4 Label

8.2.3.5 Protected data

8.2.3.6 Integrity PAD

8.2.4 ICV

8.2.5 Encipherment PAD

8.3 Security Association PDU

8.3.1 LI

8.3.2 PDU Type

8.3.3 SA-ID

8.3.4 SA-P Type

8.3.5 SA PDU Contents

9 Conformance

9.1 General

9.2 Common static conformance requirements

9.3 TLSP with ITU-T Rec. X.234 | ISO 8602 static conformance requirements

9.4 TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 static conformance requirements

9.5 Common dynamic conformance requirements

9.6 TLSP with ITU-T Rec. X.234 | ISO 8602 dynamic conformance requirements

9.7 TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 dynamic conformance requirements

10 Protocol implementation conformance statement (PICS)

Annex A PICS proforma

A.1 Introduction

A.1.1 Background

A.1.2 Approach

A.2 Implementation identification

A.3 General statement of conformance

A.4 Protocol implementation

A.5 Security services supported

A.6 Supported functions

A.7 Supported Protocol Data Units (PDUs)

A.7.1 Supported Transport PDUs (TPDUs)

A.7.2 Supported parameters of issued TPDUs

A.7.3 Supported parameters of received TPDUs

A.7.4 Allowed values of issued TPDU parameters

A.8 Service, function, and protocol relationships

A.8.1 Relationship between services and functions

A.8.2 Relationship between services and protocol

A.9 Supported algorithms

A.10 Error handling

A.10.1 Security errors

A.10.2 Protocol errors

A.11 Security Association

A.11.1 SA Generic Fields

A.11.2 Content Fields Specific to Key Exchange SA-P

Annex B Security Association Protocol Using Key Token Exchange and Digital Signatures

B.1 Overview

B.2 Key Token Exchange (KTE)

B.3 SA-Protocol Authentication

B.4 SA Attribute Negotiation

B.4.1 Service Negotiation

B.4.2 Label Set Negotiation

B.4.3 Key and ISN Selection

B.4.4 Miscellaneous SA Attribute Negotiation

B.4.5 Re-keying Overview

B.4.6 SA Abort/Release Overview

B.5 Mapping of SA-Protocol Functions to Protocol Exchanges

B.5.1 KTE (First) Exchange

B.5.1.1 Request to Initiate the SA-Protocol

B.5.1.2 Receipt of the First Exchange PDU by Recipient

B.5.2 Authentication and Security Negotiation (Second) Exchange

B.5.2.1 Receipt of First Exchange PDU by Initiator

B.5.2.2 Receipt of the Second Exchange PDU by Recipient

B.5.3 Rekey Procedure

B.5.4 SA Release/Abort Exchange

B.5.4.1 Request to Initiate SA Release/Abort

B.5.4.2 Receipt of SA Abort/Release Requests

B.6 SA PDU — SA Contents

B.6.1 Exchange ID

B.6.2 Content Length

B.6.3 Content Fields

B.6.3.1 My SA-ID

B.6.3.2 Old Your SA ID

B.6.3.3 Key Token 1, Key Token 2, Key Token 3, and Key Token 4

B.6.3.4 Authentication Digital Signature. Certificate

B.6.3.5 Service Selection

B.6.3.6 SA Rejection Reason

B.6.3.7 SA Abort/Release Reason

B.6.3.8 Label

B.6.3.9 Key Selection

B.6.3.10 SA Flags

B.6.3.11 ASSR

Annex C An example of an agreed set of security rules (ASSR)

Annex D Overview of EKE Algorithm

Figure 1 — TLSP with ITU-T Rec. X.234 | ISO 8602

Figure 2 — TLSP with ITU-T Rec. X.224 | ISO/IEC 8073

Figure 3 — Illustration of exchanges to support peer entity authentication

Figure 4 — TLSP Encapsulation Methods (TLSP's method for encapsulation and encipherment in support of Confidentiality as indicated in 6.2)

Figure 5 — TLSP Encapsulation Methods (TLSP’s method for encapsulation and ICV generation in support of integrity as indicated in 6.3)

Figure 6 — TLSP Encapsulation Method (TLSP’s method for encapsulation and ICV generation in support of “Integrity and Confidentiality” as indicated in 6.2 and 6.3)

Figure 7 — Structure of the TPDU

Figure 8 — Format of the clear header

Figure 9 — Protected contents

Figure 10 — Flags field

Figure 11 — Format of the label field

Figure 12 — Format of the protected data field

Figure 13 — SA PDU Structure

Figure B.2 — SA Contents

Figure D.1 — Illustration of On-Line Key Derivation and Digital Signature using EKE

Table 1 — TLSP elements of procedure

Table A.1 — TLSP Implementation Identification

Table A.2 — General Conformance Statement

Table A.3 — CO and CL Transport Implemented

Table A.4 — Service Element Proforma for CO

Table A.5 — Service Element Proforma for C1, C2, C3

Table A.6 — Service Element Proforma for C4

Table A.7 — Service Element Proforma for C4L

Table A.8 — Service Element Proforma for CLTP

Table A.9 — Mandatory Functions for CO

Table A.10 — Optional Functions for CO

Table A.11 — Mandatory Functions for C1

Table A.12 — Optional Functions for C1

Table A.13 — Mandatory Functions for C2, C3

Table A.14 — Optional Functions for C2, C3

Table A.15 — Mandatory Functions for C4, C4L

Table A.16 — Optional Functions for C4, C4L

Table A.17 — Mandatory Functions for CLTP

Table A.18 — Optional Functions for CLTP

Table A.19 — TPDUs Supported

Table A.20 — Mandatory Parameters for COTP, CLTP

Table A.21 — Optional Parameters for COTP, CLTP

Table A.22 — Mandatory parameters for COTP, CLTP

Table A.23 — Values for Parameters of issued TPDUs for COTP, CLTP

Table A.24 — Values for parameters of received TPDUs for COTP, CLTP

Table A.25 — Mapping of security services to supported functions

Table A.26 — Mapping of security services to SE TPDU parameters

Table A.27 — Supported algorithms

Table A.28 — Mandatory security error actions for COTP, CLTP

Table A.29 — Protocol error actions for COTP, CLTP

Table A.30

Table A.31
