YD/T 1163-2001 IP网络安全技术要求-安全框架

YD/T 1163-2001 IP Network Security Technical Requirements-Security Frame

行业标准-邮电通信中文(简体) 现行页数：46页 | 格式：PDF

基本信息

标准号

YD/T 1163-2001

标准类型

行业标准-邮电通信

标准状态

现行

中国标准分类号（CCS）

国际标准分类号（ICS）

发布日期

2001-10-19

实施日期

2001-11-01

发布单位/组织

归口单位

适用范围

发布历史

2001年10月

YD/T 1163-2001　IP网络安全技术要求-安全框架

当前标准现行 2001-10-19

文前页预览

研制信息

起草单位：: 信息产业部数据科学技术研究所深圳市中兴通讯股份有限公司信息产业部电信传输研究所华为技术有限公司上海贝尔有限公司

起草人：: 万兆泽易星聂秀英姚鑫王俊文

出版信息：: 页数：46页 | 字数：- | 开本： -

内容描述

��

中华人民共和国通信行业标准

��

��网络安全技术要求—安全框架

��一一一��

��一��发布��一��实施

中华人民共和国信息产业部发布

��

月�舀·································，·························“··············。·。�··�···，······，·。························。一��

�范围··························································，··，···········································。·····⋯⋯�

�引用标准·················‘·········，··········‘···“·，�···，·，·，·····················，，·····，··············⋯⋯�

�符号与缩略语·��

�基本概念与定义··········································，······················································一�

��访问控制···············································································，····················，······一�

��授权···············································································································⋯⋯�

��路由控制··。············‘········，，····························，··················‘··········，··········。······。··⋯⋯�

��密码体制·��

��主动威胁��·一�

��被动威胁��

��操作检测··································································。·····································⋯⋯，�

��通信业务��分析·。·······················································································⋯⋯�

��安全审计·��

��安全审计事件···············，········。········································································一�

��数字签名··，····。······，········，··············甲，······，···，···················，··，·，·，，·，，···········⋯⋯�

��认证信息·��

��认证·��

��凭证。��

��否认·························，·························，································，·······················⋯⋯�

��公证···。·················‘········。····。····················，······························，···················⋯⋯�

��冒充·，·。，·····················，··，···，···········。·······························⋯⋯。二，·⋯，��·��·��⋯⋯�

��可追溯性·��··⋯⋯�

��可用性·��

��机密性···········。··································································��········⋯⋯�

��通信业务填充··································································································一�

��密码校检值。····。··。·································································，························⋯⋯�

��数据完整性···········。···························。···························。·····························。·⋯⋯�

��物理安全·····价·········甲·········�·····�·········甲·····�·。⋯⋯，·�·�，·············一�

��安全标签··············��

��安全服务·��

��安全策略···············································，·····························，························⋯⋯�

��安全级别·��

��选择域保护················。，···························，·······················‘·····························⋯⋯�

��敏感性，，···············。··································，·，····，·····················，··，··，·················⋯⋯�

��服务拒绝

泊

��防重放·兮

��网基本模型气

亡

��协议族、

、�

��链路层·��·��︸

��网络层···················。······································。·················································⋯⋯�﹄

��传输层······················�························。····。···············································�···⋯⋯勺�

‘

��应用层·························。······························。··············································，···⋯⋯�

�

�安全服务与安全机制�

��概述·��······⋯⋯�

乙

��安全服务·····························。······。································································��·�⋯⋯�

�

��安全机制·····················。·······························。···················································⋯⋯�

��偏�

�

��网安全体系结构��

��安全服务、安全机制与模型分层的关系·��，，············��⋯⋯卫��

��链路层安全技术要求·��·��·⋯⋯。��·��⋯⋯��

��互联网络层安全技术要求·········································��·��·��⋯⋯。��⋯⋯��

��

��传输层安全技术要求······················，····，··············‘········��·��·��·�···��⋯⋯。��⋯⋯，

��应用层安全技术要求···············‘·‘······················，，··�⋯⋯‘⋯，·⋯，��·一‘��⋯⋯�勺﹄

，今

�加密算法与认证算法，一

��加密算法······················，···············。···································。·····························。⋯⋯，门�

内内

��认证算法··························································。··，············，···························，··⋯⋯、乙

岛�

�安全管理、

，内

��概述·��···�··⋯⋯，�

内八

��安全管理·��，‘

伟�

附录��提示的附录��实现示范�

��

附录��提示的附录�安全背景知识甘

��

前言

��本标准规定基于密码技术的网络安全技术，参考��，等序列标准，对分层��网络中在

不同层上的安全性进行了框架性的描述。

��本标准的附录�、附录�都是提示的附录。

��本标准由信息产业部电信研究院提出并归口。

��本标准起草单位�信息产业部数据科学技术研究所

��深圳市中兴通讯股份有限公司

��信息产业部电信传输研究所

��华为技术有限公司

��上海贝尔有限公司

��本标准主要起草人�万兆泽易星聂秀英姚鑫王俊文

中华人民共和国通信行业标准

��网络安全技术要求—安全框架

��

��叮��

��—��

�范围

��本标准规定��网安全的总技术要求，描述��网安全的一全框架性结构，可作为在��网上构建安

全的技术性指导文件。

�引用标准

��下列标准所包含的条文，通过在本标准中引用而成为本标准的条文。本标准出版时，所示版本均

为有效。所有标准都会被修订，使用本标准的各方应探讨使用下列标准最新版本的可能性。

��信息处理系统一开放系统互连一基本参考模型一第二部分�安全体系结构

��一��

��一��一��

��一��

一��

��

��〔一��

��

��正��

��

��玖加��

��

��正��

��

中华人民共和国信息产业部��批准��实施

丫��

正��

��

�符号与缩略语

��先进加密标准

��认证头

��压缩控制协议

��数据加密标准

��加密控制协议

��封装安全净荷

��文件传送协议

��超文本传输协议

��完整性检测值

��因特网密钥交换

��因特网协议

��初始向量

��消息摘要

��消息认证码

��安全关联

��安全关联数据库

��服务数据单元

��安全网关

��安全��算法

��安全管理信息库

��简单邮件传送协议

��多用途因特网邮件扩展

��简单网络管理协议

��安全策略数据库

��安全参数索引

��安全套接层

��传输控制协议

��传输层安全

��

��用户数据报协议

�基本概念与定义

��下面的概念基本上来自��或��

��访问控制

��防止未经授权使用资源，包括防止以未经授权的方式使用资源。

��授权

��授予权力，包括根据访问权进行访问的权力。

��路由控制

��在路由选择的过程中，应用规则来选择或绕过特定的网络、链路或转接点。

��密码体制

��数据变换原理、手段和方法具体化的规程，用来隐藏数据的信息内容，防止数据的未发现修改和�

或未授权使用。它与下列概念密切相关�

��密文一经过密码变换后得到的数据。

��明文一可理解的数据。

��加密一明文数据经过密码变换变成密文数据的操作。

��解密一密文数据经过密码变换还原成明文数据的操作。

��密钥一控制加密与解密操作所使用的数据。

��密钥管理一根据安全策略产生、分发、储存、使用、更换和销毁密钥。

��密码分析一分析密码系统及其输入与输出，以导出机密变量与敏感数据，甚至明文。

��主动威胁��

��蓄意擅自改变系统状态。比如�修改消息、重播消息、插入假消息、冒充有权实体以及拒绝服务。

��被动威胁��

��不改变系统状态擅自透露信息

��操作检测

��检测数据单元是否己被修改�偶然的或有意的�的一种机制

��通信业务��分析

��从观察通信业务流�有无通信业务流，通信业务流的量、方向和频率�推断信息。

��安全审计

��对系统的记录及活动独立的复查与检查，以便检测系统控制是否充分，确保系统控制与现行策略

和操作程序保持一致，探测违背安全性的行为，并介绍控制、策略和程序中所显示的任何变化。

��安全审计事件

��为了便于进行安全审计而收集的数据。

��数字签名

��附在数据单元后面的数据，或对数据单元进行密码变换得到的数据，允许数据的接收者证明数据

的来源和完整性，保护数据不被伪造。

��认证信息

��用来鉴定实体所声称的身份是否有效的信息。

��认证

��通过信息交换鉴定一个实体身份的机制。

��凭证

��用来证明实体所声称的身份而传送的数据。

��否认

��参与通信的实体否认参加了全部或部分的通信过程。

��

份，，，，，，一，，，，，，，，

��公证

��委托可信任的第三方对数据进行登记注册，使他能够保证该数据特征如内容、源、时间和传递的

精确性。

��冒充

��一个实体伪装成别的实体。

��可追溯性

��保证实体的行为可以追溯到唯一的实体。

��可用性

��根据需要，信息允许有权实体访问和使用的特性。

��机密性

��信息对非授权个人、实体或进程是不可知、不可用的特性。

��通信业务填充

��生成假通信实例、假数据单元或在数据单元中生成假数据。

��密码校检值

��对数据单元进行密码变换�见密码体制�导出的数据。校检值是密钥和数据单元的一个数学变换的结

果，通常被用来检查数据单元的完整性。

��数据完整性

��数据免遭非法更改或破坏的特性。

��物理安全

��保护资源免遭蓄意性和偶然性威胁所使用的措施。

��安全标签

��挂在资源�数据单元�上的标签，指定或指出该资源的安全属性。

��安全服务

��由通信的系统提供的，对系统或数据传递提供充分的安全保障的一种服务。

��安全策略

��提供安全服务所使用的一套准则。包含两个基本概念�

��基于规则的安全策略以全局规则对所有用户均有效为基础的安全策略。规则通常依赖于被访问

��资源的敏感性与用户�群�或代理具有的对应属性间的比较。

��基于身份的安全策略以用户的身份为基础的安全策略。规则通常依赖于访问资源的用户身份的

��特权或能力，或者依赖于存取控制表。

��安全级别

��所选择安全服务的保护质量，本文件主要指不选择安全保护、选择认证保护、选择机密性保护、

选择认证保护和机密性保护�种。

��选择域保护

��为要发送的消息的特定字段提供保护。

��敏感性

��资源的一种特性，表示资源的价值或重要性，可能包括资源受攻击的脆弱性。

��服务拒绝

��阻止授权访问资源或延迟时间敏感操作口

��防重放

��防止对传送数据的重放攻击。

��

��网基本模型

��协议族

��协议族是在��传输控制协议�和��互联网协议�两个重要协议的基础上形成的协议族�详

细情况请

定制服务

关联标准

引用标准

GB/T 9387.2-1995

GB/T 9387.2-1995 信息处理系统开放系统互连基本参考模型第2部分：安全体系结构

现行

IETF draft

相似标准推荐

更多>