GB/T 25320.11-2023 Power systems management and associated information exchange—Data and communications security—Part 11:Security for XML documents (English Version)
Power systems management and associated information exchange - Data and communications security - Part 11: Security for XML documents
1 Scope
This document specifies schema, procedures, and algorithms for securing XML documents that are used within the scope of the IEC as well as documents in other domains (e.g. IEEE, proprietary, etc.). This part is intended to be referenced by standards if secure exchanges are required, unless there is an agreement between parties in order to use other recognized secure exchange mechanisms.
This document utilizes well-known W3C standards for XML document security and provides profiling of these standards and additional extensions. The extensions provide the following capabilities:
——Header: the header contains information relevant to the creation of the secured document such as the Date and Time when IEC 62351-11 was created.
——A choice of encapsulating the original XML document in an encrypted (Encrypted) or non-encrypted (nonEncrypted) format. If encryption is chosen, there is a mechanism provided to express the information required to actually perform encryption in an interoperable manner (EncryptionInfo).
——AccessControl: a mechanism to express access control information regarding information contained in the original XML document.
——Body: is used to contain the original XML document that is being encapsulated.
——Signature: a signature that can be used for the purposes of authentication and tamper detection.
The general structure is shown in Figure 1.
For the measures described in this document to take effect, they must be accepted and referenced by the specifications themselves. This document is written to enable that process.
The subsequent audience for this document is intended to be the developers of products that implement these specifications.
Portions of this part of this document may also be of use to managers and executives in order to understand the purpose and requirements of the work.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC TS 62351-2 Power systems management and associated information exchange - Data and communications security - Part 2: Glossary of terms
IEC TS 62351-8 Power systems management and associated information exchange - Data and communications security - Part 8: Role-based access control
RFC 6931 Additional XML Security Uniform Resource Identifiers (URIs)
W3C XML 1.0 Recommended Canonical XML 1.0 with comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
W3C XML 1.0 Required Canonical XML 1.0, Omits comments (http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC TS 62351-2 and the following apply.
3.1
nonce
random or pseudo-random value used within an authentication system
[SOURCE: IEEE 1455-1999, 3.1.22]
3.2
Internet Assigned Numbers Authority; IANA
the organization responsible for coordinating Internet digital resources
Note: IANA is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
[SOURCE: http://www.iana.org]
4 Security issues addressed by this document
4.1 General
Within the industry and the IEC, XML document exchange is becoming more prevalent. Within the scope of the IEC, exchanges of XML documents are used for IEC 61970 as well as IEC 61850. Within other standards, such as IEEE 1815 and IEEE C37.111 (COMTRADE), XML is also utilized. For these standards and other XML-based documents, the information contained in the document may:
1) be sensitive to inadvertent or malicious modifications of its contents that could result in mis-operation/misinterpretation if the exchanged information is used (e.g. a tamper security vulnerability);
2) contain confidential or private data;
3) contain subsets of information that may be considered sensitive by the document creation entity.
This document proposes to standardize mechanisms to protect the document contents from tampering/disclosure when the document is being exchanged (e.g. in transit). Additionally, this part of IEC 62351 proposes to standardize a mechanism to aid in the protection of the information when in transition (e.g. entity A trusts entity B; B trusts A and C, and B needs to exchange information with C, but A does not know of or trust C).
Although this document is intended to secure XML documents used within the scope of the IEC, the mechanism/methodologies specified within this document can be applied to any XML document.
4.2 Security threats countered
See IEC TS 62351-1 for a discussion of security threats and attack methods.
If encryption is not employed, then the specific threats countered in this document include:
• unauthorized modification (tampering) of information through XML document level authentication.
If encryption is employed, then the specific threats countered in this document include:
• unauthorized access to information through XML document level authentication and encryption of the documents;
• unauthorized modification (tampering) of information through XML document level authentication, regardless of whether encryption is utilized.
4.3 Attack methods countered
The following security attack methods are intended to be countered through the appropriate implementation of the specification/recommendations found within this document:
• man-in-the-middle: this threat will be countered through the use of a Message Authentication Code (e.g. Signature) mechanism specified within this document;
• message tampering: these threats will be countered through the algorithm used to create the authentication mechanism as specified within this document.
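The tamper-detection property in 4.3 depends on authenticating a canonical form of the XML rather than its raw bytes. The following is an added example, not code from the standard: HMAC-SHA256 stands in for the W3C XML Signature mechanism the standard profiles, Python's standard library implements C14N 2.0 rather than the Canonical XML 1.0 listed in Clause 2, and the documents, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from the standard).
ORIGINAL = '<Measurement unit="kV" id="m1"><Value>110.0</Value></Measurement>'
# Same content re-serialised by another toolchain: attribute order, quoting
# and whitespace inside the start tag differ.
RESERIALISED = "<Measurement  id='m1' unit='kV' ><Value>110.0</Value></Measurement>"
# A comment added in transit, content otherwise unchanged.
WITH_COMMENT = '<Measurement unit="kV" id="m1"><!-- reviewed --><Value>110.0</Value></Measurement>'
# One digit of the value changed.
TAMPERED = '<Measurement unit="kV" id="m1"><Value>170.0</Value></Measurement>'

KEY = b"constructed-demo-key"  # assumption: key shared out of band


def canonical_bytes(xml_text, with_comments=False):
    """Canonical form (C14N 2.0 in the stdlib) that the MAC is computed over."""
    return ET.canonicalize(xml_text, with_comments=with_comments).encode("utf-8")


def protect(xml_text, key=KEY, with_comments=False):
    """HMAC-SHA256 tag over the canonical bytes of the document."""
    return hmac.new(key, canonical_bytes(xml_text, with_comments), hashlib.sha256).hexdigest()


def verify(xml_text, tag, key=KEY, with_comments=False):
    """Constant-time check that the received document matches the tag."""
    return hmac.compare_digest(protect(xml_text, key, with_comments), tag)


def raw_bytes_equal(a, b):
    """What a MAC over the raw serialisation would depend on."""
    return a.encode("utf-8") == b.encode("utf-8")


if __name__ == "__main__":
    tag = protect(ORIGINAL)
    for name, doc in [("reserialised", RESERIALISED), ("with comment", WITH_COMMENT), ("tampered", TAMPERED)]:
        print(name, verify(doc, tag), verify(doc, protect(ORIGINAL, with_comments=True), with_comments=True))
```

The comment-omitting form accepts the document with an added comment, while the comment-preserving form rejects it, so both parties have to agree on which canonicalization is in use before verifying.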
Standard: GB/T 25320.11-2023 Power systems management and associated information exchange—Data and communications security—Part 11:Security for XML documents (English Version)
Standard No.: GB/T 25320.11-2023
Status: valid
Language: English
File Format: PDF
Word Count: 21500 words
Price (USD): 645.0
Implemented on: 2024-7-1
Delivery: via email in 1~3 business day