Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

oneM2M-REQ-2012-0139R01

advertisement 
Doc# 116099530
Input Contribution
INPUT CONTRIBUTION
Group Name:*
TP#3
Title:*
Security Terminology for Definition and Acronyms TR
Source:*
Cisco Systems
Contact:
Philip Jacobs, phjacobs@cisco.com
Date:*
<2013-02-15>
Abstract:*
This contribution contains proposed definitions of security terminology
used in potential requirements
Agenda Item:*
TBD
Work item(s):
WI 0003
Document(s)
Impacted*
Definition and Acronyms TR
Intended purpose of
document:*
Decision requested or
recommendation:*
Decision
Discussion
Information
Other <specify>
Decide whether to include in Definition and Acronyms TR
oneM2M IPR STATEMENT
Participation in, or attendance at, any activity of oneM2M, constitutes acceptance of and
agreement to be bound by all provisions of IPR policy of the admitting Partner Type 1 and
permission that all communications and statements, oral or written, or other information
disclosed or presented, and any translation or derivative thereof, may without compensation,
and to the extent such participant or attendee may legally and freely grant such copyright
rights, be distributed, published, and posted on oneM2M’s web site, in whole or in part, on a
non-exclusive basis by oneM2M or oneM2M Partners Type 1 or their licensees or assignees,
or as oneM2M SC directs.
© 2013 oneM2M Partners
Page 1 (of 7)
Doc# 116099530
Input Contribution
Background
Between TP#2 and TP#3, the following set of 13 proposed definitions were distributed via
email to the TP and SEC mailing lists. 1 additional definition was proposed. Three comments
were received which are listed below.
For each security term used in the potential requirements spreadsheet distributed, the
identifiers(s) where the term was used is/are listed together with any source reference and
comment received.
authentication: The corroboration that a entity in an association is
the one claimed.
(HLR-057, HLR-206, HLR-192, HLR-184, HLR-174, HLR-198,
HLR-175, HLR-205, HLR-193, HLR-185, HLR-183, HLR-202,
HLR-211)
Comment 1: Is it necessary to have both definitions (“authentication” &
“mutual authentication”). Maybe they can be merged into only one?
Also it would be nice to add the fact that shared secret among parties allows
challenge/response to authenticate two parties.
Comment 3 – use NIST sp800-57 part 1 rev3 definition
A process that establishes the source of information, provides assurance of an entity’s identity
or provides assurance of the integrity of communications sessions, messages, documents or
stored data.
mutual authentication: Two parties authenticating each other
(HLR-184, HLR-174, HL-180)
Comment 1: Is it necessary to have both definitions (“authentication” &
“mutual authentication”). Maybe they can be merged into only one?
Also it would be nice to add the fact that shared secret among parties allows
challenge/response to authenticate two parties.
Comment 2: We may need to expand the definition as in TETRA
“4.1.4 Mutual authentication of user and infrastructure
Mutual authentication of user and infrastructure shall be achieved
using a combined three pass mechanism. The algorithms and key K
used shall be same as those used in the one way authentication
described in the previous subclauses. The decision to make the
authentication mutual shall be made by the first party to be
challenged, not the initial challenging party. Thus mutual
© 2013 oneM2M Partners
Page 2 (of 7)
Doc# 116099530
Input Contribution
authentication shall be started as a one way authentication by the
first challenging party, and shall be made mutual by the responding
party. If the first authentication in such a case fails the second
authentication shall be abandoned.”
http://www.etsi.org/deliver/etsi_i_ets/300300_300399/30039307/0
1_60/ets_30039307e01p.pdf
Re “Also it would be nice to add the fact that shared secret among
parties allows challenge/response to authenticate two parties.”
Again from the “roaming and handover radio technology model”
rather than the “permanently connected client- server model ” we
could state:
· Explicit authentication by challenge response at the start of the
session (registration) followed by ongoing Implicit authentication by
either 1) knowledge of a shared ciphering key or 2) knowledge of a
shared integrity key, This implicit authentication may be realized by
exchanging protected messages only, so that only an entity in
possession of a certain shared key can make use of the data
authorization [ITU-T X.800]: The granting of rights, which includes
the granting of access based on access rights.
(HLR-183, HLR-180, HLR-188, HLR-214)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
Access privileges that are granted to an entity; conveying an “official” sanction to perform a
security function or activity.
confidentiality [ITU-T X.800]: The property that information is not
made available or disclosed to unauthorized individuals, entities, or
processes.
(HLR-189, HLR-215)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
The property that sensitive information is not disclosed to unauthorized entities.
credentials : Data objects which are used to uniquely identify an
entity and which are used in security procedures.
© 2013 oneM2M Partners
Page 3 (of 7)
Doc# 116099530
Input Contribution
(HLR-178)
encryption [ITU-T X.800]: The cryptographic transformation of data
to produce cipher text.
(HLR-202, HLR-211)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
The process of changing plaintext into ciphertext using a cryptographic algorithm and key.
integrity [IEC/ISO 27001], [IEC/ISO 27002]: Safeguarding the
accuracy and completeness of information and processing methods.
(HLR-211, HLR-186, HLR-199, HLR-213, HLR-207, HLR-187,
HLR-111, HLR-200, HLR-202)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
A property whereby data has not been altered in an unauthorized manner since it was created,
transmitted or stored.
key [ITU-T X.800]:A sequence of symbols that controls the
operations of encryption and decryption.
(HLR-190, HLR-212)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
A parameter used in conjunction with a cryptographic algorithm that determines its operation
in such a way that an entity with knowledge of the key can reproduce or reverse the
operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a
received authentication code,
7. The computation of a shared secret that is used to derive keying
material.
privacy [ITU-T X.800 Amd.1]: The right of individuals to control or
influence what information related to them may be collected and
stored and by whom and to whom that information may be disclosed.
(HLR-091, HLR-179, HLR-196, HL-181, HLR-208)
© 2013 oneM2M Partners
Page 4 (of 7)
Doc# 116099530
Input Contribution
repudiation [ITU-T X.800]: Denial by one of the entities involved in
a communication of having participated in all or part of the
communication.
(HLR-182)
Comment 3 – use NIST sp800-57 part 1 rev3 definition
Non-repudiation: A service that is used to provide assurance of the integrity and origin of
data in such a way that the integrity and origin can be verified by a third party as having
originated from a specific entity in possession of the private key of the claimed signatory.
secure [IETF RFC4949]: A system condition in which the system is
in conformance with the applicable security policy.
(HLR-210, HLR-191, HLR-202, HLR-211, HLR-190, HLR-212)
security [IETF RFC4949]: A system condition that results from the
establishment and maintenance of measures to protect the system.
(HLR-203, HLR-204, HLR-178, HLR-179, HLR-188, HLR-202,
HLR-211, HLR-197, HLR-190, HLR-212, HLR-086, HLR-055,
HLR-092, HLR-091, HLR-184, HLR-174)
trust [IETF RFC4949]: A feeling of certainty either (a) that the
system will not fail or (b) that the system meets its specifications.
(HLR-198, HLR-209)
validity: The extent to which an assertion is logically founded.
(HLR-111, HLR-200, HLR-207)
Proposals:
Note that the syntax of the following proposals may need to be adjusted depending upon the
accepted Definition and Acronyms TR template:
Proposal 1:
It is proposed to include the following informative references in the Definition and Acronyms
TR. A, b, c, d and e represent integers to be assigned by the Rapporteur.
Start of proposed text for proposal 1
___________________________________________________________________________
[i.a]
© 2013 oneM2M Partners
ITU-T Recommendation X.800 (1991), security architecture for
open system interconnection for CCIT applications
Page 5 (of 7)
Doc# 116099530
Input Contribution
[i.b]
ITU-T Recommendation X.800 Amd.1 (1996), Security
architecture for open systems interconnection for CCITT
applications. Amendment 1: Layer Two Security Service and
Mechanisms for LANs.
[i.c]
ISO/IEC 27001 (2005), Information technology – Security
techniques - Information security management systems Requirements.
[i.d]
ISO/IEC 27002 (2005), Information technology - Security
techniques -Code of practice for information security
management.
[i.e]
IETF RFC 4949 (2007), Internet Security Glossary, Version 2
End of proposed text for proposal 1
___________________________________________________________________________
Proposal 2:
It is proposed to include the following definitions in the Definition and Acronyms TR
Start of proposed text for proposal 2
___________________________________________________________________________
authentication: The corroboration that a entity in an association is
the one claimed.
authorization [i.a]: The granting of rights, which includes the
granting of access based on access rights.
confidentiality [i.a]: The property that information is not made
available or disclosed to unauthorized individuals, entities, or
processes.
credentials : Data objects which are used to uniquely identify an
entity and which are used in security procedures.
encryption [i.a]: The cryptographic transformation of data to
produce cipher text.
integrity [i.c], [i.d]: Safeguarding the accuracy and completeness of
information and processing methods.
© 2013 oneM2M Partners
Page 6 (of 7)
Doc# 116099530
Input Contribution
key [i.a]:A sequence of symbols that controls the operations of
encryption and decryption.
mutual authentication: Two parties authenticating each other
privacy [i.b]: The right of individuals to control or influence what
information related to them may be collected and stored and by whom
and to whom that information may be disclosed.
repudiation [i.a]: Denial by one of the entities involved in a
communication of having participated in all or part of the
communication.
secure [i.e]: A system condition in which the system is in
conformance with the applicable security policy.
security [i.e]: A system condition that results from the establishment
and maintenance of measures to protect the system.
trust [i.e]: A feeling of certainty either (a) that the system will not fail
or (b) that the system meets its specifications.
validity: The extent to which an assertion is logically founded.
___________________________________________________________________________
End of proposed text for proposal 2
© 2013 oneM2M Partners
Page 7 (of 7)
Related documents
CS 2813 - Loyola College
CS 2813 - Loyola College
Chapter 11 HW
Chapter 11 HW
Davis
Davis
cryptography and network security
cryptography and network security
sequence authentication
sequence authentication
CS 5352 - Computer Security Spring 2010 Course Syllabus Course
CS 5352 - Computer Security Spring 2010 Course Syllabus Course
ARC-2015-1930-ARC#17_1_Agenda - FTP
ARC-2015-1930-ARC#17_1_Agenda - FTP
REQ-2015-0638R01-WG1_REQ_18_1_Agenda - FTP
REQ-2015-0638R01-WG1_REQ_18_1_Agenda - FTP
Download
advertisement