Data Transmission Security of Identity Resolution in Industrial Internet
draft-wang-data-transmission-security-irii-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Authors | Bin Wang , Kezhang Lin , Chonghua Wang , Xing (Tony) Wang | ||
| Last updated | 2021-04-16 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-wang-data-transmission-security-irii-00
Internet Engineering Task Force B. Wang, Ed.
Internet-Draft K. Lin, Ed.
Intended status: Standards Track Hikvision
Expires: 18 October 2021 C. Wang, Ed.
IIE, CAS
X. Wang, Ed.
Hikvision
16 April 2021
Data Transmission Security of Identity Resolution in Industrial Internet
draft-wang-data-transmission-security-irii-00
Abstract
This draft provides an overview of the security of data transmission
in the identity resolution system for the Industrial Internet.
Identity resolution systems play a vital role in the Industrial
Internet by providing secure sharing and intelligent association of
heterogeneous information among different organizations. This draft
focuses on the security services that identity resolution systems
should provide for resolution data transmission.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 18 October 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Wang, et al. Expires 18 October 2021 [Page 1]
Internet-Draft Data Transmission Security of IR April 2021
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3
3.1. International Root Node . . . . . . . . . . . . . . . . . 3
3.2. National Root Node . . . . . . . . . . . . . . . . . . . 3
3.3. Secondary Node . . . . . . . . . . . . . . . . . . . . . 3
3.4. Enterprise Node . . . . . . . . . . . . . . . . . . . . . 3
3.5. Recursive Node . . . . . . . . . . . . . . . . . . . . . 4
3.6. Transmission Security . . . . . . . . . . . . . . . . . . 4
3.7. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Abbreviation . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Protection Scope . . . . . . . . . . . . . . . . . . 6
7. Safety Technical Requirements . . . . . . . . . . . . . . . . 7
7.1. Data Transmission Integrity . . . . . . . . . . . . . . . 7
7.2. Data Transmission Availability . . . . . . . . . . . . . 8
7.3. Data Transmission Confidentiality . . . . . . . . . . . . 8
7.4. Data Transmission Authentication . . . . . . . . . . . . 8
7.5. Data Transmission Strategy . . . . . . . . . . . . . . . 9
7.6. Data Transmission Protocol . . . . . . . . . . . . . . . 9
7.7. Maintenance and Update of Transmission Protocol . . . . . 9
7.8. Log and Audit . . . . . . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10. Informative References . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Identity resolution system is an important network infrastructure for
the Industrial Internet. It provides codes, registration and
resolution services for industrial equipment, machines, materials,
parts and products to achieve interoperability, secure sharing and
intelligent association of heterogeneous information, which is an
important cornerstone for the rapid development of the Industrial
Internet. Typical global identity resolution systems include the
Handle system [RFC3650] [RFC3651], the Object Identifier (OID)
resolution system [OID], etc. In order to ensure the security of
data transmission involved in the Industrial Internet identity
resolution system, the security technical requirements are formulated
Wang, et al. Expires 18 October 2021 [Page 2]
Internet-Draft Data Transmission Security of IR April 2021
to enhance the security of the entire Industrial Internet identity
resolution system and reduce the security risk caused by data
leakage. The security technical requirements can be applied to the
planning, construction, operation and management of data transmission
security of Industrial Internet identity resolution.
2. Scope
This draft specifies the security technical requirements for the
transmission of Industrial Internet identity resolution data.
This draft applies to the planning, construction, operation and
management of the Industrial Internet identity resolution data
transmission security of the relevant parties.
3. Terms and Definitions
3.1. International Root Node
International root nodes are the top-level service node of the
identity resolution system. They are not limited to specific
countries or regions to provide public root-level identity services
for the global scope on the one hand, and to provide services such as
data synchronization and registration resolution for different levels
of nodes in local country on the other hand.
3.2. National Root Node
The top-level node within a country or region, which is connected to
the international root node and secondary nodes, provides top-level
identity resolution services for the whole country.
3.3. Secondary Node
The public node providing identity services for specific industries
or multiple industries is responsible for allocating identity and
providing identity registration, identity resolution and identity
data services for industrial enterprises. And they are divided into
two types of industry secondary nodes and comprehensive secondary
nodes.
3.4. Enterprise Node
An intra-enterprise identity service node is able to provide identity
registration, identity resolution service, identity data service,
etc. for a specific enterprise and connect with secondary nodes.
Wang, et al. Expires 18 October 2021 [Page 3]
Internet-Draft Data Transmission Security of IR April 2021
3.5. Recursive Node
The key entrance facility of the identity resolution system is
responsible for caching and other operations on the resolution data
in the process of identity resolution, reducing the amount of
resolution data processing and improving the efficiency of resolution
services.
3.6. Transmission Security
Protect the confidentiality, integrity, availability and timeliness
characteristics of information transmitted in the network.
3.7. Privacy
Privacy refers to the authority that individuals have to control
their information, including who collects and stores it and who
discloses it.
4. Abbreviation
+==============+====================================+
| Abbreviation | Full Name |
+==============+====================================+
| TLS | Transport Layer Security |
+--------------+------------------------------------+
| IPSec | Internet Protocol Security |
+--------------+------------------------------------+
| HTTPS | Hypertext Transfer Protocol Secure |
+--------------+------------------------------------+
| OID | Object Identifier |
+--------------+------------------------------------+
| DNS | Domain Name System |
+--------------+------------------------------------+
Table 1: Abbreviation
5. Overview
The Industrial Internet identity resolution and management service
system is mainly a system that supports the global traceability
management of industrial IoT product data and dynamic sharing of data
information in all aspects of the product life cycle by using the
capabilities of the security identity management and resolution
platform. Industrial Internet identity resolution data transmission
refers to the data technology collection used in the industrial
Internet terminal to obtain information and transmit information, and
its transmission security involves the network security part of the
Wang, et al. Expires 18 October 2021 [Page 4]
Internet-Draft Data Transmission Security of IR April 2021
basic security protection measures dimension, all inter-domain and
intra-domain data transmission of the functional domain dimension of
the Industrial Internet of Things identity resolution and management
service system, and the whole process of the system life cycle
dimension.
+---------------+
+-------------+ DNS Root Node +----------------+
| +---------------+ |
+-----+-------+ +--------+------+
|OID Root Node| International Root Node |Ecode Root Node|
+-----+-------+ +--------+------+
| |
| +---------------------+ |
+---------+ +--------------+
| Handle Root Node |
+-----------> <----------------+
| +---------------------+ |
| |
| +----------v---+
| |Secondary Node|
+-----+--------+ +---------+ +------+-------+
|Recursive Node+----+----->National | |
+-----^--------+ | |Top Level| +-------+--------+
| | |Node | | |
| | +---------+ +----+------+ +-------+--+
| | | Enterprise| |Enterprise|
| | | Node | |Node |
| | +-----------+ +----------+
| |
+-----------+---------+ | +--------------+
|Identity Resolution | +---->Secondary Node|
|Data and Application | | +------+-------+
| +------------+ | | |
| |Industry App| | | +-------+--------+
| +------------+ | | | |
| +-----------+ | +v---+------+ +-------+--+
| |Enterprise | | | Enterprise| |Enterprise|
| |Information| | | Node | |Node |
| |System | | +-----------+ +----------+
| +-----------+ |
| +-----------+ |
| |Industrial | |
| |Internet | |
| |Platform | |
+-------------+-------+
Wang, et al. Expires 18 October 2021 [Page 5]
Internet-Draft Data Transmission Security of IR April 2021
Figure 1: Industrial Internet Identity Resolution and Management
Service System
6. Security Protection Scope
The security protection scope of the Industrial Internet identity
resolution and management service system proposed in this draft
mainly means that the identity is written into the device and is
responsible for collecting product information including device
model, device type, generation batch, generation date, generation
site, device production information link, device description data
link, etc., integrate this information into identity data, and then
publish it to the data exchange system for access by identity
resolution enterprise nodes. Among the identity resolution
enterprise node, the identity resolution secondary node, and the
identity resolution root node, the process of data synchronization
between the application scenarios, the collection of data
transmission technologies used, is used to provide security assurance
and security support for the Industrial Internet identity data
transmission.
The scope of Industrial Internet identity data transmission security
protection specifically includes the security and the security
support of the data transmission interface within and between the
functional domains of the Industrial Internet identity resolution
system. Its role is in the whole life cycle of the system (planning
and design, development and construction, operation and maintenance ,
abandonment and exit).
Wang, et al. Expires 18 October 2021 [Page 6]
Internet-Draft Data Transmission Security of IR April 2021
+--------------------------------------------------------+
| Identity Resolution Root Node |
+-------------------------^------------------------------+
|
+-------------------------v------------------------------+
| Identity Resolution Secondary Node |
+-------------------------^------------------------------+
+------------------------------------|--------------------------------+
| | |
| +-------------------------v------------------------------+ |
| | Identity Resolution Enterprise Node | |
| +-------------------------^------------------------------+ |
|Demilitarized | |
| Zone +-------------------------v------------------------------+ |
| | Data Exchange System | |
| +-------------------------^------------------------------+ |
| | |
+------------------------------------|--------------------------------+
| +-------------------------|------------------------------+ |
| | Identity Generation and Management System | |
| +------^------------------------------------------^------+ |
|Enterprise | | |
| Intranet +------v-------+ Enterprise Products ------------v------+ |
| | | | +-----------------+ +--------------+ | |
| | | | |Network Hard Disk| |Access Control| | |
| | Enterprise | | |Video Recorder | | Device | | |
| | Information | | +-----------------+ +--------------+ | |
| | System | | +------------+ +---+ | |
| | | | |Video Camera| |...| | |
| | | | +------------+ +---+ | |
| +--------------+ +--------------------------------------+ |
+---------------------------------------------------------------------+
Figure 2: Industrial Internet Identity Resolution and Management
Service System
7. Safety Technical Requirements
7.1. Data Transmission Integrity
Data transmission should comply with the following common
requirements:
1) Support the information integrity check mechanism during
transmission to realize the transmission integrity protection of
management data, authentication information, sensitive information,
important business data and other data (such as: check code, message
abstract, digital signature, etc.).
Wang, et al. Expires 18 October 2021 [Page 7]
Internet-Draft Data Transmission Security of IR April 2021
2) It has the functions of communication delay and interrupt
processing to ensure the integrity of the data.
3) For important data, use the relevant cryptographic algorithm
technology of National Cryptography Administration to ensure the
integrity of data transmission
4) Take measures to restore or regain data when it detects that the
integrity has been compromised.
7.2. Data Transmission Availability
The timeliness and accuracy of the data shall be guaranteed during
data transmission. Specifically:
1) Timeliness: the feature of identifying historical data received or
data beyond the time limit. Specifically, the data comes from the
system using a unified time allocation/correction mechanism, and the
data should include time stamps, etc.
2) Accuracy: When there is an acceptable error in the data, there is
an overload to ensure the normal acquisition of the data in time.
7.3. Data Transmission Confidentiality
When transferring data, it is necessary to ensure the confidentiality
of the data, including:
1) For important data, authenticate information and important
business data such as user passwords, biometrics, private keys,
symmetric keys, product order information, device unique identity
(Handle ID), etc., a certain strength encryption algorithm or other
effective measures should be used to ensure Confidentiality.
2) Choose appropriate security protocols (such as HTTPS, SSH, IPSec,
TLS, etc.) to protect the transmitted data.
7.4. Data Transmission Authentication
Ensure the legitimacy of the identities of both parties in the data
transmission, which means, ensure the identity authentication of the
subject to the object before the interaction, and establish a trusted
transmission path.
Wang, et al. Expires 18 October 2021 [Page 8]
Internet-Draft Data Transmission Security of IR April 2021
7.5. Data Transmission Strategy
Establish a formal transmission strategy to protect the security of
all types of information transmitted through communication
facilities, and meet:
1) Clarify the type and scope of information that can be transmitted
in plain text.
2) For sensitive data, such as user passwords, biometrics, private
keys, symmetric keys, etc., an encrypted transmission strategy is
required.
7.6. Data Transmission Protocol
The protocol should address the safe transmission of internal and
external business, and meet:
Cryptographic algorithms such as data abstract, signature, and
authentication shall use the cryptographic algorithms and
combinations of abstract, signature, and authentication required by
national regulations or national mandatory standards.
7.7. Maintenance and Update of Transmission Protocol
The confidentiality protocol for data transmission should be
regularly maintained and updated so that the procotol should reflect
the requirements for data transmission security protection and meet:
1) The transmission security protocol needs to be reviewed every year
to ensure that the agreement should reflect the requirements for data
transmission security protection
2) When new services are launched or existing services are changed,
the transmission security protocol needs to be audited and updated if
necessary
7.8. Log and Audit
The transmission system shall log and audit the following security
failure events. The content of the log shall at least contains date/
time, event type, event subject, event description, success/failure
information, and meet the following requirements:
1) Data transmission establishment success and failure
2) Transmission device online monitoring abnormalities and alarm
events
Wang, et al. Expires 18 October 2021 [Page 9]
Internet-Draft Data Transmission Security of IR April 2021
3) Malicious program intrusion alert event
4) Configuration modification operations caused by administrators/
non-administrators
8. Security Considerations
This entire memo deals with security issues.
9. IANA Considerations
This documents has no IANA actions.
10. Informative References
[OID] "Introduction to OIDs and the OID Resolution System
(ORS)", May 2020,
<http://www.oid-info.com/introduction.htm>.
[RFC3650] Sun, S., Lannom, L., and B. Boesch, "Handle System
Overview", DOI 10.17487/RFC3650, November 2003,
<https://www.rfc-editor.org/info/rfc3650>.
[RFC3651] Sun, S., Reilly, S., and L. Lannom, "Handle System
Namespace and Service Definition", DOI 10.17487/RFC3651,
November 2003, <https://www.rfc-editor.org/info/rfc3651>.
Authors' Addresses
Bin Wang (editor)
Hikvision
555 Qianmo Road, Binjiang District
Hangzhou
310051
China
Phone: +86 571 8847 3644
Email: wbin2006@gmail.com
Kezhang Lin (editor)
Hikvision
555 Qianmo Road, Binjiang District
Hangzhou
310051
China
Phone: +86 571 8847 3644
Wang, et al. Expires 18 October 2021 [Page 10]
Internet-Draft Data Transmission Security of IR April 2021
Email: lkz_wz98@163.com
Chonghua Wang (editor)
IIE, CAS
Beijing
100093
China
Phone: +86 185 1894 5987
Email: chonghuaw@live.com
Xing Wang (editor)
Hikvision
555 Qianmo Road, Binjiang District
Hangzhou
310051
China
Phone: +86 571 8847 3644
Email: xing.wang.email@gmail.com
Wang, et al. Expires 18 October 2021 [Page 11]