RSS
SPRÁVY
Technické normy k e-fakturácii
Slovenská technická norma a technická normalizačná informácia o elektronickej fakturácii sprístupnená na stiahnutie na základe sponzorovaného prístupu
viac viac

Technická podpora pre STN v elektronickom formáte
Technická podpora pre STN v elektronickom formáte a služby STN-online
viac viac

DEMO verzia služby STN-online
Na tejto DEMO-verzii služby STN-online si môžete vyskúšať základnú prácu s normami v systéme STN-online
viac viac

Ponuka nových noriem
Nové normy vychádzajú vždy k prvému dňu v mesiaci.
viac viac

Návrh noriem na zrušenie
Oznámenie ÚNMS SR o návrhu na zrušenie niektorých STN
viac viac

Dôležité upozornenie k STN
Dôležité upozornenie k STN nájdete tu:
viac viac

LINKY
Portál technických noriem > STN EN 302 878-5 V1.1.1
Poslať linku stránky emailom Vytlačiť obsah stránky

STN EN 302 878-5 V1.1.1



Pridať tlačenú formu normy do košíka:


Pridať elektronickú formu normy do košíka:




Označenie: STN EN 302 878-5 V1.1.1
Slovenský názov: Prístup, koncové zariadenia, prenos a multiplexovanie (ATTM). Prenosové systémy tretej generácie pre interaktívne služby káblovej televízie – káblové modemy IP. Časť 5: Služby zabezpečenia – DOCSIS 3.0
Anglický názov: Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
Pôvodné označenie:
Dátum vydania: 1. 5. 2012
Dátum zrušenia:
Jazyk: EN
ICS: 33.060.40
Triediaci znak: 87 2878
Úroveň zapracovania: idt EN 302 878-5 V1.1.1:2011
Vestník: 04/12
Poplatok: Tlačená verzia: 36,30 € 


Elektronická verzia
  1. Bez možnosti tlače, prenosu textu a obrázkov: 32.67 €
  2. Bez možnosti tlače, s prenosom textu a obrázkov: 36.30 €
  3. S možnosťou tlače, prenosu textu a obrázkov: 47.19 €
Vestník harmonizácie:
Nariadenie vlády:
Zmeny:
Nahradzujúce normy:
Nahradené normy:
Poznámka vo Vestníku:
Predmet normy:



Obsah normy STN EN 302 878-5 V1.1.1
Intellectual Property Rights
Foreword
1 Scope
1.1 Introduction and Purpose
1.2 Requirements
1.3 Conventions
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Void
5 Overview
5.1 New DOCSIS 3.0 Security Features
5.2 Technical Overview
5.2.1 BPI+ Architecture
5.2.1.1 Packet Data Encryption
5.2.1.2 Key Management Protocol
5.2.1.3 DOCSIS Security Associations
5.2.1.4 QoS SIDs and DOCSIS SAIDs
5.2.1.5 BPI+ Enforce
5.2.2 Secure Provisioning
5.3 Operation
5.3.1 Cable Modem Initialization
5.3.1.1 Network Admission Control
5.3.1.2 EAE and Authentication Reuse
5.3.1.3 Configuration Registration Enforcement
5.3.2 Cable Modem Key Update Mechanism
5.3.3 Cable Modem Secure Software Download
6 Encrypted DOCSIS MAC Frame Formats
6.1 CM Requirements
6.2 CMTS Requirements
6.3 Variable-Length PDU MAC Frame Format
6.3.1 Baseline Privacy Extended Header Formats
6.4 Fragmentation MAC Frame Format
6.5 Registration Request (REG-REQ-MP) MAC Management Messages
6.6 Use of the Baseline Privacy Extended Header in the MAC Header
7 Baseline Privacy Key Management (BPKM) Protocol
7.1 State Models
7.1.1 Introduction
7.1.1.1 Authorization State Machine Overview
7.1.1.2 TEK State Machine Overview
7.1.2 Encrypted Multicast
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions
7.1.3 Selecting Cryptographic Suites
7.1.4 Authorization State Machine
7.1.4.1 Brief Description of States
7.1.4.1.1 [Start]
7.1.4.1.2 [Auth Wait]
7.1.4.1.3 [Authorized]
7.1.4.1.4 [Reauth Wait]
7.1.4.1.5 [Auth Reject Wait]
7.1.4.1.6 [Silent]
7.1.4.2 Brief Description of Messages
7.1.4.2.1 Authorization Request (Auth Request)
7.1.4.2.2 Authorization Reply (Auth Reply)
7.1.4.2.3 Authorization Reject (Auth Reject)
7.1.4.2.4 Authorization Invalid (Auth Invalid)
7.1.4.2.5 Authentication Information (Auth Info)
7.1.4.3 Brief Description of Events
7.1.4.3.1 {Initiate Authentication}
7.1.4.3.2 {Timeout}
7.1.4.3.3 {Auth Grace Timeout}
7.1.4.3.4 {Reauth}
7.1.4.3.5 {Auth Invalid}
7.1.4.3.6 {Perm Auth Reject}
7.1.4.3.7 {Auth Reject}
7.1.4.3.8 {EAE Disabled Auth Reject}
7.1.4.4 Events sent to TEK State Machine
7.1.4.4.1 {TEK Stop}
7.1.4.4.2 {TEK Authorized}
7.1.4.4.3 {Auth Pend}
7.1.4.4.4 {Auth Comp}
7.1.4.5 Brief Description of Timing Parameters
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout)
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout)
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout)
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout)
7.1.4.6 Timers
7.1.4.6.1 Authorization Request
7.1.4.6.2 Authorization Reject
7.1.4.6.3 Authorization Grace
7.1.4.7 Actions
7.1.5 TEK State Machine
7.1.5.1 Brief Description of States
7.1.5.1.1 [Start]
7.1.5.1.2 [Op Wait]
7.1.5.1.3 [Op Reauth Wait]
7.1.5.1.4 [Op]
7.1.5.1.5 [Rekey Wait]
7.1.5.1.6 [Rekey Reauth Wait]
7.1.5.2 Brief Description of Messages
7.1.5.2.1 Key Request
7.1.5.2.2 Key Reply
7.1.5.2.3 Key Reject
7.1.5.2.4 TEK Invalid
7.1.5.3 Brief Description of Events
7.1.5.3.1 {Stop}
7.1.5.3.2 {Authorized}
7.1.5.3.3 {Auth Pend}
7.1.5.3.4 {Auth Comp}
7.1.5.3.5 {TEK Invalid}
7.1.5.3.6 {Timeout}
7.1.5.3.7 {TEK Refresh Timeout}
7.1.5.4 Brief Description of Timing Parameters
7.1.5.4.1 Operational Wait Timeout
7.1.5.4.2 Rekey Wait Timeout
7.1.5.4.3 TEK Grace Time
7.1.5.5 Timers
7.1.5.5.1 Key Request Retry
7.1.5.5.2 TEK Refresh
7.1.5.6 Actions
7.2 Key Management Message Formats
7.2.1 Packet Formats
7.2.1.1 Authorization Request (Auth Request)
7.2.1.2 Authorization Reply (Auth Reply)
7.2.1.3 Authorization Reject (Auth Reject)
7.2.1.4 Key Request
7.2.1.5 Key Reply
7.2.1.6 Key Reject
7.2.1.7 Authorization Invalid
7.2.1.8 TEK Invalid
7.2.1.9 Authentication Information (Auth Info)
7.2.1.10 SA Map Request (MAP Request)
7.2.1.11 SA Map Reply (Map Reply)
7.2.1.12 SA Map Reject (Map Reject)
7.2.2 BPKM Attributes
7.2.2.1 Serial-Number
7.2.2.2 Manufacturer-ID
7.2.2.3 MAC-Address
7.2.2.4 RSA-Public-Key
7.2.2.5 CM-Identification
7.2.2.6 Display-String
7.2.2.7 Auth-Key
7.2.2.8 TEK
7.2.2.9 Key-Lifetime
7.2.2.10 Key-Sequence-Number
7.2.2.11 HMAC-Digest
7.2.2.12 SAID
7.2.2.13 TEK-Parameters
7.2.2.14 CBC-IV
7.2.2.15 Error-Code
7.2.2.16 Vendor-Defined
7.2.2.17 CA-Certificate
7.2.2.18 CM-Certificate
7.2.2.19 Security-Capabilities
7.2.2.20 Cryptographic-Suite
7.2.2.21 Cryptographic-Suite-List
7.2.2.22 BPI-Version
7.2.2.23 SA-Descriptor
7.2.2.24 SA-Type
7.2.2.25 SA-Query
7.2.2.26 SA-Query-Type
7.2.2.27 IPv4-Address
7.2.2.28 Download-Parameters
7.2.2.29 CVC-Root-CA-Certificate
7.2.2.30 CVC-CA-Certificate
8 Early Authentication and Encryption (EAE)
8.1 Introduction
8.2 EAE Signaling
8.3 EAE Encryption
8.4 EAE Enforcement
8.4.1 CMTS and CM behaviours when EAE is Enabled
8.4.2 EAE enforcement determination
8.4.2.1 Ranging-Based EAE Enforcement
8.4.2.2 Capability-Based EAE Enforcement
8.4.2.3 Total EAE Enforcement
8.4.3 EAE Enforcement of DHCP Traffic
8.4.4 CMTS and CM Behaviour when EAE is Disabled
8.4.5 EAE Exclusion List
8.4.6 Interoperability issues
8.5 Authentication Reuse
8.6 BPI+ Control by Configuration File
8.6.1 EAE Enabled
8.6.2 EAE Disabled
9 Secure Provisioning
9.1 Introduction
9.2 Encryption of Provisioning Messages
9.3 Securing DHCP
9.3.1 Securing DHCP on the Cable Network Link
9.3.2 DHCPv6
9.4 TFTP Configuration File Security
9.4.1 Introduction
9.4.2 CMTS Security Features for Configuration File Download
9.4.2.1 TFTP Proxy
9.4.2.2 Protecting TFTP Server Addresses
9.4.2.3 Configuration File Name Authorization
9.4.2.4 Configuration File Learning
9.4.2.5 TFTP Options for CM's MAC and IP Address
9.5 Securing REG-REQ-MP Messages
9.6 Source Address Verification
9.7 Address Resolution Security Considerations
10 Using Cryptographic Keys
10.1 CMTS
10.2 Cable Modem
10.3 Authentication of Dynamic Service Requests
10.3.1 CM
10.3.2 CMTS
11 Cryptographic Methods
11.1 Packet Data Encryption
11.2 Encryption of the TEK
11.3 HMAC-Digest Algorithm
11.4 TEKs, KEKs and Message Authentication Keys
11.5 Public-Key Encryption of Authorization Key
11.6 Digital Signatures
11.7 The MMH-MIC
11.7.1 The MMH Function
11.7.1.1 MMH[16, , 1]
11.7.1.2 MMH[16, , n]
11.7.1.3 MMH[16, , 4]
11.7.1.4 Handling Variable-Size Data
11.7.2 Definition of MMH-MAC
11.7.3 Calculating the DOCSIS MMH-MAC
11.7.4 MMH Key Derivation for CMTS Extended MIC
11.7.5 Shared Secret Recommendations
11.7.6 Key Generation Function
12 Physical Protection of Keys in the CM
13 BPI+ X.509 Certificate Profile and Management
13.1 BPI+ Certificate Management Architecture Overview
13.2 Cable Modem Certificate Storage and Management in the CM
13.3 Certificate Processing and Management in the CMTS
13.3.1 CMTS Certificate Management Model
13.3.2 Certificate Validation
13.4 Certificate Revocation
13.4.1 Certificate Revocation Lists
13.4.1.1 CMTS CRL Support
13.4.2 Online Certificate Status Protocol
14 Secure Software Download
14.1 Introduction
14.2 Overview
14.3 Software Code Upgrade Requirements
14.3.1 Code File Processing Requirements
14.3.2 Code File Access Controls
14.3.2.1 Subject Organization Names
14.3.2.2 Time Varying Controls
14.3.3 Cable Modem Code Upgrade Initialization
14.3.3.1 Manufacturer Initialization
14.3.3.2 Network Initialization
14.3.3.2.1 Processing the Configuration File CVC
14.3.3.2.2 Processing the SNMP CVC
14.3.4 Code Signing Guidelines
14.3.5 Code Verification Requirements
14.3.5.1 Cable Modem Code Verification Steps
14.3.6 DOCSIS Interoperability
14.3.7 Error Codes
14.4 Security Considerations (Informative)
Annex A (normative): TFTP Configuration File Extensions
A.1 Encodings
A.1.1 Baseline Privacy Configuration Setting
A.1.1.1 Internal Baseline Privacy Encodings
A.1.1.1.1 Authorize Wait Timeout
A.1.1.1.2 Reauthorize Wait Timeout
A.1.1.1.3 Authorization Grace Time
A.1.1.1.4 Operational Wait Timeout
A.1.1.1.5 Rekey Wait Timeout
A.1.1.1.6 TEK Grace Time
A.1.1.1.7 Authorize Reject Wait Timeout
A.1.1.1.8 SA Map Wait Timeout
A.1.1.1.9 SA Map Max Retries
A.2 Parameter Guidelines
Annex B (normative): TFTP Options
Annex C (normative): DOCSIS 1.1/2.0 Dynamic Security Associations
C.1 Introduction
C.2 Theory of Operation
C.3 SA Mapping State Model
C.3.1 Brief Description of States
C.3.1.1 [Start]
C.3.1.2 [Map Wait]
C.3.1.3 [Mapped]
C.3.2 Brief Description of Messages
C.3.2.1 Map Request
C.3.2.2 Map Reply
C.3.2.3 Map Reject
C.3.3 Brief Description of Events
C.3.3.1 {Map}
C.3.3.2 {Unmap}
C.3.3.3 {Map Reply}
C.3.3.4 {Map Reject}
C.3.3.5 {Timeout}
C.3.3.6 {Max Retries}
C.3.3.7 Brief Description of Parameters
C.3.3.8 SA Map Wait Timeout
C.3.3.9 SA Map Max Retries
C.3.4 Actions
Annex D (normative): BPI/BPI+ Interoperability
D.1 DOCSIS BPI/BPI+ Interoperability Requirements
D.2 BPI 40-bit DES Export Mode Considerations
D.3 System Operation
D.3.1 CMTS with BPI Capability
D.3.2 CMTS with BPI+ Capability
Annex E (informative): Example Messages, Certificates, PDUs and Code File
E.1 Notation
E.2 Authentication Info
E.2.1 CA Certificate details
E.3 Authorization Request
E.3.1 CM Certificate details
E.4 Authorization Reply
E.4.1 RSA encryption details
E.4.2 RSA decryption details
E.4.3 Hashing details
E.4.3.1 KEK
E.4.3.2 Message authentication keys
E.4.3.3 Mask-generation function
E.5 Key Request
E.5.1 HMAC digest details
E.6 Key Reply
E.6.1 TEK encryption details
E.6.2 HMAC details
E.7 Packet PDU encryption (DES)
E.7.1 CBC only
E.7.2 CBC with residual block processing
E.7.3 Runt frame
E.7.4 40-bit key
E.8 Encryption of PDU with Payload Header Suppression (DES)
E.8.1 Downstream
E.8.2 Upstream
E.9 Fragmented packet encryption (DES)
E.10 Packet PDU encryption (AES)
E.10.1 CBC only
E.10.2 CBC with residual block processing
E.10.3 Runt frame
E.11 Encryption of PDU with Payload Header Suppression (AES)
E.11.1 Downstream
E.11.2 Upstream
E.12 Fragmented packet encryption (AES)
E.13 Secure Software Download CM Code File
Annex F (informative): Example of Multilinear Modular Hash (MMH) Algorithm Implementation
Annex G (informative): Certificate Authority and Provisioning Guidelines
G.1 Certificate Format and Extensions
G.1.1 tbsCertificate.validity.notBefore and tbsCertificate.validity.notAfter
G.1.2 tbsCertificate.serialNumber
G.1.3 tbsCertificate.signature and signatureAlgorithm
G.1.4 tbsCertificate.issuer and tbsCertificate.subject
G.1.4.1 DOCSIS Root CA Certificate
G.1.4.2 Centralized Mfg CA Certificate
G.1.4.3 Manufacturer CA Certificate
G.1.4.4 CM Device Certificate
G.1.5 tbsCertificate.issuerUniqueID and tbsCertificate.subjectUniqueID
G.1.6 tbsCertificate.extensions
G.1.6.1 CM Device Certificates
G.1.6.2 Manufacturer CA Certificates
G.1.6.3 Centralized Mfg CA Certificate
G.1.6.4 DOCSIS Root CA Certificate
G.1.7 Code Verification Certificate Format
G.1.8 signatureValue
G.2 Certificate Provisioning
G.2.1 DOCSIS Root CA
G.2.2 Digital Certificate Validity Period and Re-issuance
G.2.2.1 DOCSIS Root CA Certificate
G.2.2.2 Void
G.2.2.3 Code Verification Certificate
G.2.3 CM Code File Signing Policy
G.2.3.1 Manufacturer CM Code File Signing Policy
G.2.3.2 Operator CM Code File Signing Policy
G.2.4 CM Code File Format
G.2.4.1 DOCSIS PKCS#7 Signed Data
G.2.4.1.1 Code Signing Keys
G.2.4.1.2 Code Verification Certificate Format
G.2.4.1.3 Code Verification Certificate Revocation
G.2.4.2 Signed Content
Annex H (informative): Bibliography
History