PART 12 SECURITY
December 1993 (Stable)

Implementation Agreements for Open Systems Interconnection Protocols: Part 12 OS Security

Output from the December 1993 Open Systems Environment Implementors' Workshop (OIW)

Acting SIG Chair: Richard Harris, The Boeing Company
SIG Editor: Dr. Mohammad Mirhakkak, MITRE

Foreword
This part of the Stable Implementation Agreements was prepared by the Security Special Interest Group (SECSIG) of the Open Systems Environment Implementors' Workshop (OIW) hosted by the National Institute of Standards and Technology (NIST). See Part 1 Workshop Policies and Procedures of the "Draft Working Implementation Agreements Document."

Text in this part has been approved by the Plenary of the above-mentioned Workshop. This part replaces the previously existing chapter on this subject. There is significant technical change from this text as previously given.

Future changes and additions to this version of these Implementor Agreements will be published as change pages. Deleted and replaced text will be shown as strikeout. New and replacement text will be shown as shaded.
Table of Contents

Part 12 Security

Editor's Note: Previous material in this part has been deleted and is no longer applicable.
a) A grouping of the security services to be offered;
b) The placement of those security services;
c) The selection of mechanisms to support the placed security services.

This part completes this sequence of steps for several generalized security architectures. A generalized security architecture is chosen and tailored to derive a protocol-specific security profile. This part is comprised of protocol-specific security profiles and other supporting functions.
Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture, February 1989.

[ISO8649] ISO/IEC 8649: 1988/Amd 1:1990, Service Definition for the Association Control Service Element, Amendment 1: Peer-Entity Authentication During Association Establishment.

[ISO8650] ISO/IEC 9594-3, Information Technology - Open Systems Interconnection - The Directory - Part 3: Abstract Service Definition.

[ISO8650/1] ISO/IEC 8650: 1988/Amd 1:1990, Protocol Specification for the Association Control Service Element, Amendment 1: Peer-Entity Authentication During Association Establishment.

[ISO9594-7] ISO/IEC 9594-7, Information Processing Systems - Open Systems Interconnection - The Directory - Part 7: Selected Object Classes, 1990.
a) Development of threat analysis;
b) Determination of security services;
c) Placement of security services;
d) Selection of mechanisms;
e) Selection of algorithms.

These implementation agreements assume that steps a and b have been completed for the specific application. An introduction to the threat analysis process and the determination of security services is included in Annex H.

Generic OSI application environments are defined in Clause 5.2. Generic security services as defined by ISO 7498-2 are grouped into classes in Clause 5.3. A generalized security architecture for each environment is developed by mapping the security classes onto the functional groups of each environment and providing guidance as to at which layer to support the service in Clause 5.4. Guidance on how to select mechanisms suitable for each security service is presented in Clause 5.5.

It is beyond the scope of these implementation agreements to specify the use of one algorithm over another. Clause 7 presents a set of algorithms suitable for various mechanisms.
Service User (SU): an entity that functions as a service initiator or responder;
Service Agent (SA): an intermediate entity that actively participates in providing the services between an initiator and a responder;
Service System (SS): zero or more cooperating service agents.

Basic elements that communicate, either through a direct association or indirectly through intermediaries, are classified as a functional group. Functional groups defined in Figure 1 are:

a. f0: SU -> SU (Service User to Service User directly);
b. f1: SU => SU (Service User to Service User indirectly);
c. f2: SU -> SA (Service User to Service Agent directly);
d. f3: SU => SA (Service User to Service Agent indirectly);
e. f4: SA -> SA (Service Agent to Service Agent directly);
f. f5: SA => SA (Service Agent to Service Agent indirectly);
g. f6: SA -> SU (Service Agent to Service User directly);
h. f7: SA => SU (Service Agent to Service User indirectly).

Editor's Note: the "->" notation indicates an association security relationship and "=>" indicates a relay security relationship.

These definitions and this functional group syntax will be used to define generic OSI application environments. In some applications, these functional groups may have to be combined for the purpose of performing a security analysis.
a) FTAM;
b) Network Management;
c) Virtual Terminal.

Applications such as MHS, Directory Services, and TP are only partially covered by this environment because some of their service elements may use store-and-forward or chaining types of relay functions. The environments that apply to these applications are the Application Relay and Distributed Applications Environments respectively.

a) f0: SU -> SU.

a. f2: SU -> SA;
b. f3: SU => SA;
c. f4: SA -> SA;
d. f6: SA -> SU.
a) f0: SU -> {SU; ... };
b) f1: SU => {SU; ... };
c) f2: SU -> {SA; ... };
d) f3: SU => {SA; ... };
e) f4: SA -> {SA; ... };
f) f5: SA => {SA; ... };
g) f6: SA -> {SU; ... };
h) f7: SA => {SU; ... }.
a) S0 = Authentication and Access Control.

The Security Class S0A adds the confidentiality service to the Class S0 as follows:

b) S0A = S0 + Confidentiality.

a) S1 = S0 + Data Integrity.

The Security Class S1A adds the Confidentiality Service to Class S1 as follows:

b) S1A = S1 + Confidentiality.

a) S2 = S1 + Non-repudiation.

The Security Class S2A adds the Confidentiality Service to Class S2 as follows:

b) S2A = S2 + Confidentiality.
This algorithm is the NIST Secure Hash Algorithm [ab]. It is based on concepts similar to those used in MD4 and MD5, and outputs a 160-bit digest.

    sha ALGORITHM
        PARAMETER NULL
        ::= {algorithm 18}

Editor's Note: This and other algorithms may be registered by ISO instead, in which case this text will be adjusted prior to moving to Stable Agreements, or if necessary as Alignment Errata.
DES-MAC is equivalent to DES-CBC using an all-zero Initialization Vector (IV), with all but the last cipher output block discarded. Separate keys (where one may simply be a variant of the other) should be used if both DES-CBC encrypting and MACing the same data.

Editor's Note: We need to include the reference which specifies the vulnerability when the same key is used to DES-CBC encrypt and MAC the same data, and recommends the use of separate keys.
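The DES-MAC construction just described, as an added example that is not part of the IA: CBC encryption with an all-zero IV, keeping only the final output block. DES itself is not implemented here; a small keyed Feistel network built on SHA-256 stands in for the 64-bit block cipher, and zero padding of the final block is likewise an assumption of this example. The function mac_equals_last_ciphertext_block shows why the IA asks for separate keys: when the same data is CBC-encrypted under the same key (here with the same zero IV), the MAC is simply the last block of that ciphertext, so it contributes nothing beyond what the ciphertext already carries.

```python
"""CBC-MAC as "CBC with a zero IV, keep only the last block" (added example).

DES is not implemented: an 8-round keyed Feistel network over SHA-256 stands in
for the 64-bit block cipher (an assumption of this example, not the IA's
algorithm).  The CBC and MAC logic does not depend on which cipher is used.
"""
import hashlib

BLOCK = 8  # 64-bit block, as for DES


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function: keyed hash of the right half, truncated to a half block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: 8-round Feistel network keyed by `key`."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(8):
        f = _round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pad(data: bytes) -> bytes:
    """Zero-pad to a multiple of the block length (padding rule assumed here)."""
    return data + b"\x00" * (-len(data) % BLOCK)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC: each plaintext block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        x = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, x)
        out.append(prev)
    return b"".join(out)


def cbc_mac(key: bytes, data: bytes) -> bytes:
    """MAC per the IA's description: CBC with an all-zero IV, last block only."""
    return cbc_encrypt(key, bytes(BLOCK), pad(data))[-BLOCK:]


def mac_equals_last_ciphertext_block(key: bytes, data: bytes) -> bool:
    """With one shared key (and the same zero IV) the MAC is literally the final
    ciphertext block of the encrypted data, which is why separate keys are advised."""
    ct = cbc_encrypt(key, bytes(BLOCK), pad(data))
    return cbc_mac(key, data) == ct[-BLOCK:]


def key_variant(key: bytes) -> bytes:
    """A key variant of the kind the IA permits for the second key: here the
    bitwise complement (a constructed choice for this example)."""
    return bytes(b ^ 0xFF for b in key)
```

Using key_variant(key) for the MAC and key for encryption gives two different keys derived from one, which is the minimum the text asks for when the same data is both encrypted and MACed.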
a) Ordering of SET OF components;
b) Handling of unused trailing zero bits;
c) Invocation and designation of new character sets in some of the character string types.

The following rules remove these ambiguities:

a) The [ISO9594-8] distinguished encoding rules are always used;
b) For SET OF types, components are sorted into ascending order of the distinguished encodings of the components;
c) For BIT STRINGs with unused trailing bits, if the type definition specifies that the bits have significance, then they are included in the encoding; otherwise they are not;
d) For those character strings which allow it, escape sequences are generated to invoke and designate new register entries only when the register entry for the character currently being encoded is different from that currently designated for G0, C0, or C1. All designations shall be into G0 or C0. (It is assumed that all characters have entries in the ISO Registry of Coded Character Sets.)

NOTE: Rules b, c, and d are taken from [ISO/CD8825-3] (Nov. 1990), the ASN.1 Distinguished Encoding Rules. Other features of [ISO/CD8825-3], which conflict with [ISO9594-8] (e.g., length encoding for constructors), are NOT used by this IA.

It is recommended that whenever the SIGNED or SIGNATURE macro is to be applied to an object, the object should be transferred in its distinguished encoded form. In this way, when the resources required to encode or decode an object exceed the resources required to apply the SIGNED or SIGNATURE macro, a receiving entity may apply the macro immediately, thus realizing enhanced performance. However, if the macro application is unsuccessful, the object must be distinguished encoded and the macro re-applied to determine its actual success or failure.
1) The initEncRules field has the value { joint-iso-ccitt asn1(1) ber-derived(2) der(1) }, i.e., DER.

2) The signOrSealAlgorithm element shall be keyedhashseal:

        keyedhashseal ALGORITHM
            PARAMETER NULL
            ::= { algorithm 23 }

   The keyedhashseal algorithm is specified in the encoding process description below.

3) The hash algorithm, if the hashAlgorithm element is not present, shall default to md5.

Editor's Note: Points 2 and 3 are redundant with text in the NM Agreements. This should be resolved before progressing to the Stable Agreements.

4) The keyInformation field is not present.
Encoding process: When a value of an abstract syntax is to be sealed for transmission, the following procedures apply:

1) Encode the output data type of the transformation using the ASN.1 Distinguished Encoding Rules, with the shared secret key used as the value of the appendix component. (Since automatic tagging is used, this is equivalent to encoding the unprotectedItem using DER, and enclosing it in the intermediateValue and output data type using BER.)

NOTE: This encoding is only for purposes of the security transformation, and does not mean DER must be used to encode the PDU for transmission, i.e., as the transfer syntax.

2) Hash the complete DER encoding of the value derived in step 1.

NOTE: The current definition of the gulsSignedTransformation is unduly restrictive in that cryptographic operations are only applied to the intermediateValue element of the output data type, rather than the entire type. This is being submitted as a ballot comment on DIS 11586-1.

3) Insert the hash value into the appendix component of the output data type, which is the xformedDataType element of the transmitted PDV.

Encoding process local inputs: Identifier of hash algorithm and any required algorithm parameters, and shared secret key. (Most currently registered hash algorithms have a NULL parameter.)

Decoding process: When a received PDV is to be verified, the following procedures apply:

1) Extract and save the received hash value contained in the appendix component of the received xformedDataType component of the received PDV.

2) Replace the value in the appendix component of the xformedDataType component with the shared secret key.

NOTE: The extraction and replacement of the seal field may be performed directly on the ASN.1 encoded PDU if the length of the secret key and the hash digest are equal. Otherwise, the PDU must be decoded and re-encoded.

3) Hash the DER encoding of the xformedDataType element. (Re-encoding may be avoided if the unprotectedItem encoding is distinguished, and the generic protecting transfer syntax defined in DIS 11586-4 is used.)

4) Compare the hash extracted in step 1 with the hash derived in step 3. If they are equal, then the seal is valid; otherwise an error is signalled.

Decoding process local inputs: Identifier of hash algorithm and any required algorithm parameters, and shared secret key.

Decoding process outputs: Recovered unprotected item, and an indication of whether the seal is valid.

Errors: An error condition occurs if seal verification fails.

Security services: Data origin authentication, data integrity.
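Both the distinguished-encoding rules above (SET OF ordering, trailing BIT STRING bits) and the keyed-hash-seal encoding and decoding process, as one added example that is not part of the IA or of the GULS standard. The sealed PDU shape SEQUENCE { unprotectedItem OCTET STRING, appendix OCTET STRING }, the use of OCTET STRING to carry the key and the digest, and md5 as the default hash are assumptions of this example; replace_appendix_in_place models the NOTE's shortcut for the case where key and digest have the same length.

```python
"""Added example: a minimal DER encoder applying the IA's SET OF and BIT STRING
rules, with the keyed-hash-seal encoding/decoding process modelled on top of it.
Assumptions (not the GULS definitions): the sealed PDU is
SEQUENCE { unprotectedItem OCTET STRING, appendix OCTET STRING } and md5 is the hash."""
import hashlib
import hmac


def der_length(n: int) -> bytes:
    """Length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_octet_string(v: bytes) -> bytes:
    return der_tlv(0x04, v)


def der_sequence(*components: bytes) -> bytes:
    return der_tlv(0x30, b"".join(components))


def der_set_of(components: list) -> bytes:
    """Rule b): SET OF components in ascending order of their distinguished
    encodings.  DER encodings are self-delimiting, so plain octet-string
    ordering of the complete encodings is sufficient."""
    return der_tlv(0x31, b"".join(sorted(components)))


def der_bit_string(bits: str, trailing_bits_significant: bool) -> bytes:
    """Rule c): trailing zero bits are encoded only when the type definition
    gives them significance; otherwise they are dropped.  `bits` is a '0'/'1'
    string; the first content octet carries the number of unused bits."""
    if not trailing_bits_significant:
        bits = bits.rstrip("0")
    unused = -len(bits) % 8
    padded = bits + "0" * unused
    octets = bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))
    return der_tlv(0x03, bytes([unused]) + octets)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length


def parse_pdu(pdu: bytes):
    """Split the sealed PDU into (unprotectedItem, appendix)."""
    tag, body, _ = _read_tlv(pdu, 0)
    t1, unprotected, nxt = _read_tlv(body, 0)
    t2, appendix, _ = _read_tlv(body, nxt)
    if tag != 0x30 or t1 != 0x04 or t2 != 0x04:
        raise ValueError("unexpected PDU structure")
    return unprotected, appendix


def seal_encode(unprotected: bytes, key: bytes, hash_name: str = "md5") -> bytes:
    """Encoding steps 1-3: DER with the key in the appendix, hash it, then emit
    the same structure with the digest in the appendix."""
    to_hash = der_sequence(der_octet_string(unprotected), der_octet_string(key))
    digest = hashlib.new(hash_name, to_hash).digest()
    return der_sequence(der_octet_string(unprotected), der_octet_string(digest))


def seal_decode(pdu: bytes, key: bytes, hash_name: str = "md5"):
    """Decoding steps 1-4 (decode/re-encode path).  Returns (item, seal valid?)."""
    unprotected, received = parse_pdu(pdu)                                        # step 1
    to_hash = der_sequence(der_octet_string(unprotected), der_octet_string(key))  # step 2
    expected = hashlib.new(hash_name, to_hash).digest()                           # step 3
    return unprotected, hmac.compare_digest(received, expected)                   # step 4


def replace_appendix_in_place(pdu: bytes, key: bytes):
    """The NOTE's shortcut: when key and digest have equal length the appendix
    can be swapped inside the encoded PDU without decoding it.  Returns None when
    the lengths differ (the PDU must then be decoded and re-encoded)."""
    _, appendix = parse_pdu(pdu)
    if len(appendix) != len(key) or not pdu.endswith(appendix):
        return None
    return pdu[:-len(appendix)] + key
```

seal_decode uses a constant-time comparison for step 4; the IA's procedure only says "compare", but a timing-independent comparison is the usual choice for a secret-derived value.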
a) The masquerading of a manager or agent entity;
b) The fabrication or modification of Common Management Information Protocol (CMIP) data units.

By countering primary threats, disruption of network management services by the casual user can be avoided.

The secondary threats to be protected against are the following:

a) All primary threats;
b) The disclosure of CMIP data units;
c) The replay, reflection, reordering, insertion, or deletion of CMIP data units.
a) Peer entity authentication;
b) Data origin authentication;
c) Connectionless integrity.

Peer entity authentication is to occur during the establishment of an application association. If the association is successfully established, the underlying security mechanism provides information that is subsequently used in data origin authentication. There the information may be included in or, in some other way, transform the data units of subsequent exchanges so that they can be identified as originating from an authenticated entity. Both authentication security services are to be provided at the application level of the protocol.

Connectionless integrity ensures that data units originating from an authenticated source are not modifiable without detection. When combined with a strong data origin authentication mechanism, the ability to fabricate new data units is also countered. Connectionless integrity may be provided at either the application level of the protocol or within one of the lower levels of the protocol (i.e., transport or network).

a) All basic security services with the possible exception of connectionless integrity;
b) Connectionless confidentiality;
c) Connection integrity with or without recovery.

Both connectionless confidentiality and connection integrity may be provided at either the application level of protocol or within one of the lower levels of protocol. The latter provision is assumed here. Enhanced security services are not discussed further in this note, but are to be issued as a requirement for the lower layer protocol and service standards, and according to functional standards to be developed.
a) $p$ is a prime satisfying the requirements listed in 12.2.2.4.
b) $\alpha$ is a primitive element mod $p$.
c) Note that $\alpha$ and $p$ could be used globally, but because they should be easily changeable (see 12.2.2.4 for information about why these two parameters should be easily changeable) it would probably be preferable for each user to choose his/her own $\alpha$ and $p$. If users choose their own, then $\alpha$ and $p$ must be made available to the recipient for use in the signature verification process.

Signing Procedure: Suppose user $A$ wants to sign a message intended for recipient $B$. The basic idea is to compute a two-part signature $(r, s)$ for the message $m$ such that

$$\alpha^{h(m)} \equiv (A_p)^{r}\, r^{s} \pmod{p} \qquad (4)$$

where $h$ is a one-way hash function.

Compute the signature $(r, s)$ as follows.
a) Choose a random number $k$, uniformly between 0 and $p-1$, such that $k$ and $p-1$ have no common divisor except 1 (i.e., $\gcd(k, p-1) = 1$).

b) Compute $r$ such that

$$r \equiv \alpha^{k} \pmod{p} \qquad (5)$$

c) Use $r$ to solve for the corresponding $s$ as follows.

   1) Rewrite eq (4) using eq (5) and the definition of the public key to get

$$\alpha^{h(m)} \equiv \alpha^{(A_s)\, r}\, \alpha^{ks} \pmod{p} \qquad (6)$$

   Combining exponents, get

$$\alpha^{h(m)} \equiv \alpha^{(A_s)\, r + ks} \pmod{p} \qquad (7)$$

   Eq (7) implies that

$$h(m) \equiv (A_s)\, r + ks \pmod{p-1} \qquad (8)$$

   Note that eq (8) has a single solution for $s$ because $k$ was chosen such that $\gcd(k, p-1) = 1$. See [ad] for the supporting theorem.

   2) Now solve for $s$ and get

$$s \equiv I\,\bigl(h(m) - (A_s)\, r\bigr) \pmod{p-1} \qquad (9)$$

   where $I$ is computed such that $k \cdot I \equiv 1 \pmod{p-1}$.

The ElGamal signature is comparable in size to the corresponding RSA signature.
a) $p$ must be prime;
b) $p$ must be large.

Note that Expression (2) can be used to speculate on the level of security afforded by cryptosystems based on the discrete log problem. Breaking the ElGamal scheme has not been proven to be equivalent to finding discrete logs, but if we assume equivalence then we can estimate how large $p$ should be for a desired level of security.

For instance, suppose we wanted to use Expression (2) to decide how large $p$ should be so that we can be reasonably sure the system cannot be broken (using the best known algorithm) in a practical amount of time. To be on the conservative side, we decide we want to protect against a special purpose machine that can perform $10^{15}$ operations per second. Specifically, we want to know how large $p$ should be so that such a machine would take at least one year to break the system.

In one year, the hypothetical machine can perform $3 \times 10^{22}$ operations. To find the size of the desired $p$, solve the following equation for $b$.

$$\exp\left(\sqrt{c\, b \ln b}\right) = 3 \times 10^{22} \qquad (10)$$

We get $b \approx 606$. This is the number of bits in the desired $p$. So, the magnitude of the desired $p$ is about $2^{606}$, which is roughly $266 \times 10^{180}$.

Hence, to be reasonably sure of attaining the desired level of security, we find a prime number greater than $266 \times 10^{180}$ which satisfies all the other criteria listed in this subclause. Our confidence, however, is strictly based on the assumption that breaking ElGamal is as difficult as finding discrete logs and the assumption that the best known algorithm for finding discrete logs is near optimal.
c) $p$ should occasionally be changed. This requirement is discussed in [ae] and is related to the discovery of new algorithms for computing discrete logarithms in $GF(p)$.

d) $p-1$ must have at least one large prime factor. This requirement is discussed in [ae] and is imposed by the Silverman-Pohlig-Hellman algorithm, which computes discrete logarithms in $GF(p)$ using on the order of $\sqrt{r}$ operations and a comparable amount of storage, where $r$ is the largest prime factor in $p-1$.

e) $p$ should not be the square of any prime. A subexponential-time algorithm for computing discrete logarithms in $GF(p^2)$ has been found. See [af] for details.
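The signing procedure (steps a to c, equations (4), (5) and (9)) and the parameter requirements of this subclause, carried through as one added example that is not part of the IA. The IA's symbols are kept: $p$, $\alpha$, $A_s$ (the signer's secret exponent), $A_p = \alpha^{A_s} \bmod p$ (the public key), $k$, $r$, $s$, $I$ and $h$. Assumptions of this example: $h$ is SHA-1 reduced mod $p-1$; the demonstration prime $p = 1019 = 2 \cdot 509 + 1$ with $\alpha = 2$ is constructed and is far below the size the IA derives; "large" in requirement d) has no fixed threshold in the IA, so check_parameters takes one from the caller; verify also rejects $r$ outside $[1, p-1]$, a range check the IA's equation (4) does not state.

```python
"""Added example: ElGamal signing/verification with the IA's symbols, plus
checks for the parameter requirements (p prime, alpha primitive, p-1 with a
large prime factor, p not the square of a prime).  Demonstration sizes only;
the trial-division helpers are not meant for 606-bit primes."""
import hashlib
import math
import secrets


def h(m: bytes, p: int) -> int:
    """One-way hash of the message, reduced to an exponent mod p-1 (assumption)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % (p - 1)


def is_prime(n: int) -> bool:
    """Trial division; adequate for the demonstration sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def prime_factors(n: int) -> set:
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def is_primitive_element(alpha: int, p: int) -> bool:
    """Requirement b): alpha has order p-1, i.e. alpha^((p-1)/q) != 1 for
    every prime q dividing p-1."""
    return 1 < alpha < p and all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def check_parameters(p: int, alpha: int, min_large_factor: int) -> dict:
    """Requirements a), d), e) of this subclause and b) of the parameter list."""
    factors = prime_factors(p - 1) if p > 2 else set()
    root = math.isqrt(p)
    return {
        "prime": is_prime(p),
        "primitive_alpha": is_primitive_element(alpha, p),
        "p_minus_1_has_large_prime_factor": max(factors, default=0) >= min_large_factor,
        "not_square_of_prime": not (root * root == p and is_prime(root)),
    }


def keygen(p: int, alpha: int) -> tuple:
    """Secret A_s in [1, p-2]; public key A_p = alpha^A_s mod p."""
    A_s = 1 + secrets.randbelow(p - 2)
    return A_s, pow(alpha, A_s, p)


def sign(m: bytes, p: int, alpha: int, A_s: int) -> tuple:
    """Steps a)-c): k with gcd(k, p-1) = 1, r = alpha^k, s = I(h(m) - A_s r)."""
    while True:
        k = 1 + secrets.randbelow(p - 2)          # step a): 0 < k < p-1
        if math.gcd(k, p - 1) == 1:
            break
    r = pow(alpha, k, p)                          # eq (5)
    I = pow(k, -1, p - 1)                         # k * I == 1 (mod p-1)
    s = (I * (h(m, p) - A_s * r)) % (p - 1)       # eq (9)
    return r, s


def verify(m: bytes, p: int, alpha: int, A_p: int, sig: tuple) -> bool:
    """Eq (4): alpha^h(m) == (A_p)^r * r^s (mod p), with r and s range-checked."""
    r, s = sig
    if not (1 <= r <= p - 1) or not (0 <= s <= p - 2):
        return False
    return pow(alpha, h(m, p), p) == (pow(A_p, r, p) * pow(r, s, p)) % p


# Constructed demonstration parameters: p = 2*509 + 1, so p-1 has the large
# prime factor 509, and 2 is a primitive element mod 1019.
P, ALPHA = 1019, 2
```

The loop in sign implements step a) literally: draw $k$ and reject it until $\gcd(k, p-1) = 1$, which is what makes $I = k^{-1} \bmod (p-1)$ exist and eq (8) uniquely solvable for $s$.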