BS ISO/IEC 10736:1995
Current
The latest, up-to-date edition.
Information technology. Telecommunications and information exchange between systems. Transport layer security protocol
Hardcopy, PDF
English
09-15-1995
1. Scope
2. Normative references
2.1 Identical Recommendations/International Standards
2.2 Paired Recommendations/International Standards equivalent in technical content
2.3 Additional references
3. Definitions
3.1 Security reference model definitions
3.2 Additional definitions
4. Symbols and abbreviations
5. Overview of the Protocol
5.1 Introduction
5.2 Security Associations and attributes
5.2.1 Security services for connection-oriented Transport protocol
5.2.2 Security Service for connectionless Transport protocol
5.3 Service assumed of the Network Layer
5.4 Security management requirements
5.5 Minimum algorithm characteristics
5.6 Security encapsulation function
5.6.1 Data encipherment function
5.6.2 Integrity function
5.6.3 Security label function
5.6.4 Security padding function
5.6.5 Peer Entity Authentication function
5.6.6 SA Function using in band SA-P
6. Elements of procedure
6.1 Concatenation and separation
6.2 Confidentiality
6.2.1 Purpose
6.2.2 TPDUs and parameters used
6.2.3 Procedure
6.3 Integrity processing
6.3.1 Integrity Check Value (ICV) processing
6.3.2 Direction indicator processing
6.3.3 Connection integrity sequence number processing
6.4 Peer address check processing
6.4.1 Purpose
6.4.2 Procedure
6.5 Security labels for Security Associations
6.5.1 Purpose
6.5.2 TPDUs and parameters used
6.5.3 Procedure
6.6 Connection release
6.7 Key replacement
6.8 Unprotected TPDUs
6.9 Protocol identification
6.10 Security Association-Protocol
7. Use of elements of procedure
8. Structure and encoding of TPDUs
8.1 Structure of TPDU
8.2 Security encapsulation TPDU
8.2.1 Clear header
8.2.2 Crypto sync
8.2.3 Protected contents
8.2.4 ICV
8.2.5 Encipherment PAD
8.3 Security Association PDU
8.3.1 LI
8.3.2 PDU Type
8.3.3 SA-ID
8.3.4 SA-P Type
8.3.5 SA PDU Contents
9. Conformance
9.1 General
9.2 Common static conformance requirements
9.3 TLSP with ITU-T Rec. X.234/ISO 8602 static conformance requirements
9.4 TLSP with ITU-T Rec. X.224 / ISO/IEC 8073 static conformance requirements
9.5 Common dynamic conformance requirements
9.6 TLSP with ITU-T Rec. X.234 / ISO 8602 dynamic conformance requirements
9.7 TLSP with ITU-T Rec. X.224 / ISO/IEC 8073 dynamic conformance requirements
10. Protocol implementation conformance statement (PICS)
Annex A - PICS proforma
A.1 Introduction
A.1.1 Background
A.1.2 Approach
A.2 Implementation identification
A.3 General statement of conformance
A.4 Protocol implementation
A.5 Security services supported
A.6 Supported functions
A.7 Supported Protocol Data Units (PDUs)
A.7.1 Supported Transport PDUs (TPDUs)
A.7.2 Supported parameters of issued TPDUs
A.7.3 Supported parameters of received TPDUs
A.7.4 Allowed values of issued TPDU parameters
A.8 Service, function, and protocol relationships
A.8.1 Relationship between services and functions
A.8.2 Relationship between services and protocol
A.9 Supported algorithms
A.10 Error handling
A.10.1 Security Errors
A.10.2 Protocol Errors
A.11 Security Association
A.11.1 SA Generic Fields
A.11.2 Content Fields Specific to Key Exchange SA-P
Annex B - Security Association Protocol using Key Token Exchange and Digital Signatures
B.1 Overview
B.2 Key Token Exchange (KTE)
B.3 SA-Protocol Authentication
B.4 SA-Attribute Negotiation
B.4.1 Service Negotiation
B.4.2 Label Set Negotiation
B.4.3 Key and ISN Selection
B.4.4 Miscellaneous SA Attribute Negotiation
B.4.5 Re-keying Overview
B.4.6 SA Abort
B.5 Mapping of SA-Protocol Functions to Protocol Exchanges
B.5.1 KTE (First) Exchange
B.5.1.1 Request to Initiate the SA-Protocol
B.5.1.2 Receipt of the First Exchange PDU by Recipient
B.5.2 Authentication and Security Negotiation (Second) Exchange
B.5.2.1 Receipt of First Exchange PDU by Initiator
B.5.2.2 Receipt of the Second Exchange PDU by Recipient
B.5.3 Rekey Procedure
B.5.4 SA Release / Abort Exchange
B.5.4.1 Request to Initiate SA Release / Abort
B.5.4.2 Receipt of SA Abort/Release Requests
B.6 SA PDU - SA Contents
B.6.1 Exchange ID
B.6.2 Content Length
B.6.3 Content Fields
B.6.3.1 My SA-ID
B.6.3.2 Old Your SA-ID
B.6.3.3 Key Token 1, Key Token 2, Key Token 3, and Key Token 4
B.6.3.4 Authentication Digital Signature, Certificate
B.6.3.5 Service Selection
B.6.3.6 SA Rejection Reason
B.6.3.7 SA Abort/Release Reason
B.6.3.8 Label
B.6.3.9 Key Selection
B.6.3.10 SA Flags
B.6.3.11 ASSR
Annex C - An example of an agreed set of security rules (ASSR)
Annex D - Overview of EKE algorithm
Defines a protocol which may be used for Security Association establishment. Specifies one algorithm for authentication and key distribution which is based on public key crypto systems. Defines a security protocol that achieves protection that depends on the proper operation of security management including key management. Does not specify the management functions and protocols needed to support this security protocol. Supports peer-entity authentication at the time of connection establishment.
Committee | IST/6 |
DevelopmentNote | Supersedes 91/69325 DC. (07/2005) |
DocumentType | Standard |
Pages | 62 |
PublisherName | British Standards Institution |
Status | Current |
Supersedes | |
The procedures specified in this Recommendation | International Standard operate as extensions to those defined in ITU-T Rec. X.224 | ISO/IEC 8073 and ITU-T Rec. X.234 | ISO/IEC 8602 and do not preclude unprotected communication between transport entities implementing ITU-T Rec. X.224 | ISO/IEC 8073 or ITU-T Rec. X.234 | ISO 8602. The protection achieved by the security protocol defined in this Recommendation | International Standard depends on the proper operation of security management including key management. However, this Recommendation | International Standard does not specify the management functions and protocols needed to support this security protocol. This protocol can support all the integrity, confidentiality, authentication and access control services identified in CCITT Rec. X.800 | ISO 7498-2 as relevant to the transport layer. The protocol supports these services through use of cryptographic mechanisms, security labelling and attributes, such as keys and authenticated identities, pre-established by security management or established through the use of the Security Association - Protocol (SA-P). Protection can be provided only within the context of a security policy. This protocol supports peer-entity authentication at the time of connection establishment. In addition, rekeying is supported within the protocol through the use of SA-P or through means outside the protocol. Security associations can only be established within the context of a security policy. It is a matter for the users to establish their own security policy, which may be constrained by the procedures specified in this Recommendation | International Standard.
The following items could be included in a Security Policy: the method of SA establishment/release; the lifetime of the SA; Authentication/Access Control mechanisms; Label mechanism; the procedure on receiving an invalid TPDU during the SA establishment procedure or transmission of a protected PDU; the lifetime of the Key; the interval of the rekey procedure in order to update the key and the security control information (SCI) exchange procedure; the timeout of the SCI exchange and rekey procedure; the number of retries of the SCI exchange and rekey procedure. This Recommendation | International Standard defines a protocol which may be used for Security Association establishment. Entities wishing to establish an SA must share common mechanisms for authentication and key distribution. This Recommendation | International Standard specifies one algorithm for authentication and key distribution which is based on public key crypto systems. The implementation of this algorithm is not mandatory; however, when an alternative mechanism is used, it shall satisfy the following conditions: all SA attributes defined in 5.2 are derived; derived keys are authenticated.
Standards | Relationship |
ISO/IEC 10736:1995 | Identical |
ISO/IEC 7498-1:1994 | Information technology Open Systems Interconnection Basic Reference Model: The Basic Model |
ISO/IEC 11570:1992 | Information technology Telecommunications and information exchange between systems Open Systems Interconnection Transport protocol identification mechanism |
ISO/IEC 9834-1:2012 | Information technology — Procedures for the operation of object identifier registration authorities — Part 1: General procedures and top arcs of the international object identifier tree |
ISO/IEC 8824:1990 | Information technology — Open Systems Interconnection — Specification of Abstract Syntax Notation One (ASN.1) |
ISO 7498-2:1989 | Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture |
ISO/IEC 8825:1990 | Information technology — Open Systems Interconnection — Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1) |
ISO/IEC 9834-3:2008 | Information technology — Open Systems Interconnection — Procedures for the operation of OSI Registration Authorities — Part 3: Registration of Object Identifier arcs beneath the top-level arc jointly administered by ISO and ITU-T |