ATIS 1000054-2013 ATIS Technical Report on Next Generation Network Certificate Management.pdf

TECHNICAL REPORT ATIS-1000054

ATIS TECHNICAL REPORT ON NEXT GENERATION NETWORK CERTIFICATE MANAGEMENT

As a leading technology and solutions development organization, ATIS brings together the top global ICT companies to advance the industry's most-pressing business priorities. Through ATIS committees and forums, nearly 200 companies address cloud services, device solutions, emergency services, M2M communications, cyber security, ehealth, network evolution, quality of service, billing support, operations, and more. These priorities follow a fast-track development lifecycle from design and innovation through solutions that include standards, specifications, requirements, business use cases, software toolkits, and interoperability testing.

ATIS is accredited by the American National Standards Institute (ANSI). ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of oneM2M, a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications sectors, and a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit .

Notice of Disclaimer or

a web form that is only accessible through some authentication method that limits access to only authorized certificate requestors. The CA verifies the signature on the CSR and builds an X.509 certificate from the information provided. See Section 7.3 for the basic structure of NGN provider certificates. The CA then returns the certificate to the requesting System Administrator. The request may occur through an HTTP request, or the certificate may be downloaded later by the System Administrator, or it may be provided by email. The System Administrator will install the device certificate and the root certificate of the CA.

7.1.2 End User

however, other mechanisms are possible based on the NGN provider's security policy. For these certificates, a CSR is generated with the end user information, and the private key and the resulting certificate are sent to the end user device over a secured channel that should have been authenticated by some other method. Alternatively, memory devices such as a UICC (Universal Integrated Circuit Card) may be used to issue end-user certificates.

7.2 Certificate Verification

All Network Elements should verify the complete certificate chain of all received certificates up to a known Certification Authority. If any step in this chain fails, then the certificate is considered invalid and is rejected. The Network Element should reject the certificate if it has expired.

7.3 Certificate Contents for NGN Infrastructure

This section describes example certificate profiles for NGN infrastructure using X.509 version 3 certificates. All certificates should indicate the following:

Version: 3
Signature Algorithm: should be one of the following:
  o sha256withRSAEncryption (1 2 840 113549 1 1 11)
  o sha256withRSA-PSS (1 2 840 113549 1 1 10)
  o sha1withRSA (1 2 840 113549 1 1 5)
  o sha1withECDSA (1 2 840 10045 4 1)
Public Key Algorithm: should be one of the following and match the Signature Algorithm:
  o rsaEncryption (1 2 840 113549 1 1 1)
  o ECC (1 2 840 10045 2 1)
Key Size:
  o A minimum of 2048 bits for the RSA modulus
  o A minimum of 224 bits for the EC generator
IssuerName:
Subject name will contain: C= O=

Certificate Contents for NGN Provider CA Certificate

This certificate corresponds to the top-level Certification Authority for the NGN provider infrastructure. This certificate will be signed by the NGN provider CA itself, so it can be viewed as a self-signed certificate. The following certificate elements are marked with one or more of the following notations: c: critical; m: mandatory; n: non-critical. An example format of the NGN provider CA certificate is as follows:

Issuer Name
Subject Name:
  o C=
  o O=
  o CN=
Modulus length: 2048
Extensions:
  keyUsage (c, m): keyCertSign, cRLSign
  subjectKeyIdentifier (n, m)
  authorityKeyIdentifier (n, m): keyIdentifier=
  basicConstraints (c, m): cA=true, pathLenConstraint=1

7.3.1 Certificate Contents for NGN Network Elements

This certificate is signed by the NGN provider CA and follows the requirements outlined in section 7.3. It is used to authenticate elements of the NGN infrastructure and for session key generation. The validity period of this certificate is determined by the NGN provider on the basis of its policies and the issuing CA's policies. An example format of the certificate is as follows:

Issuer Name
Subject Name: C= O= OU= CN=
Issuer Name

In the above Subject Name, when using the Domain Name System (DNS), the value of CN= has to be the DNS Fully Qualified Domain Name (FQDN). The client establishing the secure connection, when using DNS, should make a DNS query to obtain the IP address of the server. The client has to verify that the CN= in the server certificate matches the name used to query the DNS server. The server establishing the secure connection, when using DNS, has to verify that the IP address of the client matches one of the DNS entries associated with the CN in the client certificate.

Modulus length: 2048
Extensions:
  authorityKeyIdentifier (n, m): keyIdentifier=
  subjectAltName (n, m): dNSName=

The subjectAltName extension should be included for all servers that are capable of generating event messages. This will be the name used on the OAM
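The following Go program is an added example, not code from the report or from ATIS, showing what sections 7.2 and 7.3 amount to in practice: it builds an NGN provider CA certificate with the profiled extensions (sha256WithRSA, 2048-bit modulus, keyUsage keyCertSign+cRLSign, basicConstraints cA=true pathLenConstraint=1), issues a Network Element certificate under it with the FQDN in CN and in subjectAltName dNSName, checks the CA certificate against the 7.3 rules, and then performs the 7.2 verification on the NE certificate: chain to a known CA, reject on expiry, reject on a name mismatch. The CA name, the FQDN ne1.ngn.example and the organisation strings are constructed placeholders. Go's verifier matches the dNSName in subjectAltName rather than the CN the report describes; since the profile mandates both to carry the FQDN, the outcome is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed sample names for this example; not taken from the report.
const caCN = "NGN Provider CA"
const neFQDN = "ne1.ngn.example" // hypothetical FQDN of one Network Element

// The four signature algorithms section 7.3 lists (SHA-1 entries kept only because the 2013 profile names them).
var sigAllowed = map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true, x509.SHA256WithRSAPSS: true, x509.SHA1WithRSA: true, x509.ECDSAWithSHA1: true}

// newCA builds the self-signed NGN provider CA certificate of section 7.3. Go marks keyUsage and
// basicConstraints critical and adds the subjectKeyIdentifier for CA templates on its own.
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"US"}, Organization: []string{"NGN Provider"}, CommonName: caCN},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            1, // pathLenConstraint=1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newNE issues a Network Element certificate (7.3.1) under the CA: CN and subjectAltName dNSName carry the
// FQDN; authorityKeyIdentifier is copied from the CA. notAfter is a parameter so an expired cert can be made.
func newNE(ca *x509.Certificate, caKey *rsa.PrivateKey, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{Country: []string{"US"}, Organization: []string{"NGN Provider"}, OrganizationalUnit: []string{"Core"}, CommonName: neFQDN},
		DNSNames:           []string{neFQDN},
		NotBefore:          notAfter.Add(-48 * time.Hour),
		NotAfter:           notAfter,
		SignatureAlgorithm: x509.SHA256WithRSA,
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCAProfile applies the "all certificates should indicate" rules of 7.3 plus the
// CA-specific extensions to a parsed certificate and reports the first rule that fails.
func checkCAProfile(c *x509.Certificate) error {
	rsaKey, isRSA := c.PublicKey.(*rsa.PublicKey)
	ecKey, isEC := c.PublicKey.(*ecdsa.PublicKey)
	checks := []struct{ ok bool; msg string }{
		{c.Version == 3, "version must be 3"},
		{sigAllowed[c.SignatureAlgorithm], "signature algorithm not in the profile"},
		{(isRSA && rsaKey.N.BitLen() >= 2048) || (isEC && ecKey.Curve.Params().BitSize >= 224), "key must be RSA >= 2048 bits or EC >= 224 bits"},
		{c.BasicConstraintsValid && c.IsCA && c.MaxPathLen == 1, "basicConstraints must be cA=true, pathLenConstraint=1"},
		{c.KeyUsage&x509.KeyUsageCertSign != 0 && c.KeyUsage&x509.KeyUsageCRLSign != 0, "keyUsage must include keyCertSign and cRLSign"},
		{len(c.SubjectKeyId) > 0, "subjectKeyIdentifier missing"},
	}
	for _, ch := range checks {
		if !ch.ok {
			return errors.New(ch.msg)
		}
	}
	return nil
}

// verifyNE is the 7.2 check a Network Element runs on a received certificate: chain it to a known
// CA, reject on any chain failure or expiry, and require the dNSName to match the looked-up name.
func verifyNE(leaf *x509.Certificate, roots *x509.CertPool, fqdn string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: fqdn, CurrentTime: now})
	return err
}
```

A Network Element would keep only its own provider CA in the root pool passed to verifyNE; a certificate chained to any other CA, an expired one, or one whose dNSName differs from the name the peer was resolved by all come back as errors, which is the rejection behaviour 7.2 asks for.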

Figure A.2 - Example Attribute Certificate

NOTE: The AC can be used for many applications.

A.1.4 Attribute Certificate: Attribute Types

basis for authorizing actions; determines RBAC.
3. Unique identity for charging; not relevant for SPs.
4. Group Membership Info (core, access).
5. Information about the role allocation assigned to the AC holder (e.g. admin).
6. Clearance level assigned to the AC holder; tied to policyID.
7. Conformance to specific profile (RFC 3280

Table A.4 - Explanation of key extensions

Extension / Usage
1. Audit Identity: To protect privacy and provide anonymity. May be traceable via AC issuer.
2. AC Targeting: The targeting information simply consists of a list of named targets or groups the AC is usable at.
3. Authority Key Identifier: Assists the AC verifier in checking the signature of the AC.
4. Authority Information Access: Assists the AC verifier in checking the revocation status of the AC.

The target information extension may be used to specify a list of target entities the AC holder can request access to or establish secure communication with. The intent is that the AC should only be usable at the specified servers/services/NEs. An AC verifier that is not amongst the named servers/services has to reject the AC. The targeting information simply consists of a list of named targets or groups, so that AC targeting can be used to prevent an NE from establishing communication links with non-authorized NEs.

A.1.5 Binding of Public Key Certificates

Figure A.4 - Example of PKC and AC usage. Public key certificate: user; public key. Signed attribute certificate: name; user; group: G1. Policy(R) = RBAC(R) = G1: Read, Write; G2: Access to R. If the user belongs to G1 and G1 is linked to Policy(R), then the user can access R with the privilege of G1.

A.2 Applicability of PMI to NGN Security

Potential applications of PMI in NGN include, but are not limited to:

1. Role Based Access Control (RBAC).
2. RBAC is usually associated with Operation, Administration and Management (OAM) access in that it defines "privileges" assigned to a user with respect to access to NEs for administrative purposes, change the root directory, etc.
3. NGN-wide uniform deployment of security algorithms.
4. PMI can be used to specify the various authentication, integrity, and encryption algorithms an NE or group/class of NEs can use for secure NE-NE and inter-domain connections.
5. Backwards compatibility with NEs supporting log-in and password based authentication and authorization. This feature is important as networks transition to NGN.
6. End user administrative access to application servers. PMI could also be used to "assign" roles to end-users/subscribers with respect to administrative access to the application servers/subscriber management systems to manage their own services.

In general, PMI will be applicable to NGN management, control, and end-user processes and interactions with network elements/interfaces, services, and applications. The applicable areas benefit the end-to-end network in many areas as described in the b-ITU-T X.805 security architecture. b-ITU-T X.805 should be used in conjunction with other standards and industry best practices for identifying and integrating PMI for NGN.

Appendix B (informative) - Bibliography

b-ITU-T X.800: ITU-T Recommendation X.800, Security architecture for Open Systems Interconnection for CCITT applications. [2]
b-ITU-T X.805: ITU-T Recommendation X.805, Security architecture for systems providing end-to-end communications. [2]
b-ITU-T X.810: ITU-T Recommendation X.810, Information technology - Open Systems Interconnection - Security frameworks for open systems: Overview. [2]
b-ITU-T X.811: ITU-T Recommendation X.811, Information technology - Open Systems Interconnection - Security frameworks for open systems: Authentication framework. [2]
b-ITU-T Y.2012: ITU-T Recommendation Y.2012, Functional Requirements and Architecture of the NGN. [2]
b-IETF RFC4211: IETF RFC4211 (2005), Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF). [3]
b-W3C XKMS: W3C Recommendation (2005), XML Key Management Specification (XKMS 2.0) version 2.0. [4]
b-IETF RFC2560: IETF RFC2560 (1999), X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP). [3]
b-IETF RFC3029: IETF RFC3029 (2001), Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols. [3]
b-IETF RFC2986: IETF RFC2986, PKCS #10: Certification Request Syntax Specification Version 1.7. [3]
b-IETF RFC2315: IETF RFC2315 (1993), PKCS #7: Cryptographic Message Syntax Standard, Version 1.5. [3]
b-IETF RFC5055: IETF RFC5055 (2005), Server-based Certificate Validation Protocol. [3]
b-IETF RFC3279: IETF RFC3279, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. [3]
b-IETF RFC5280: IETF RFC5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. [3]
b-IETF RFC6277: IETF RFC6277, Online Certificate Status Protocol Algorithm Agility. [3]
b-IETF RFC5987: IETF RFC5987, The application/pkcs10 Media Type. [3]
b-IETF RFC4055: IETF RFC4055, Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. [3]
b-IETF RFC4491: IETF RFC4491, Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. [3]
b-IETF RFC5480: IETF RFC5480, Elliptic Curve Cryptography Subject Public Key Information. [3]
b-CA/Browser Forum: CA/Browser Forum document, Guidelines For The Issuance And Management Of Extended Validation Certificates, version 1.3.3.

[3] This document is available from the Internet Engineering Task Force (IETF).
[4] This document is available from the World Wide Web Consortium.
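The Go program below is an added example, not code from the report or from ATIS, that puts the Appendix A authorization logic in one place: the AC Targeting check from Table A.4 (an AC verifier not named in the target list rejects the AC), the binding of the AC holder to the subject of the validated public key certificate from A.1.5, and the Figure A.4 decision rule, Policy(R) = RBAC(R) = G1: Read, Write; G2: Access, under which a user in G1 reaches R with G1's privileges. The AttributeCertificate and Policy types, the verifier names such as ne-oam-1 and the holder name "user" are constructed for the example; a real AC would be a signed ASN.1 structure whose signature and revocation status are checked before this step.

```go
package main

import (
	"errors"
	"fmt"
)

// AttributeCertificate carries only the Appendix A fields this example needs: the holder
// (bound to the subject of the holder's PKC), the Group Membership attribute, and the
// AC Targeting extension of Table A.4. Constructed type, not the X.509 AC syntax.
type AttributeCertificate struct {
	Holder  string
	Groups  []string
	Targets []string // named NEs/services the AC is usable at; empty means untargeted
}

// Policy maps a resource R to RBAC(R): the privileges each group holds on R.
type Policy map[string]map[string][]string

// SamplePolicy is the Figure A.4 example: Policy(R) = G1: Read, Write; G2: Access.
func SamplePolicy() Policy {
	return Policy{"R": {"G1": {"Read", "Write"}, "G2": {"Access"}}}
}

// Authorize is run by the AC verifier named verifierName after the holder's PKC chain has
// been validated (section 7.2). It binds the AC to the PKC subject, enforces AC targeting,
// and resolves the holder's privileges on resource through Policy(R); an empty result is a denial.
func Authorize(verifierName, pkcSubject string, ac AttributeCertificate, pol Policy, resource string) ([]string, error) {
	if pkcSubject != ac.Holder {
		return nil, errors.New("AC holder does not match the subject of the validated PKC")
	}
	if len(ac.Targets) > 0 && !contains(ac.Targets, verifierName) {
		return nil, fmt.Errorf("verifier %q is not among the AC targets; AC rejected", verifierName)
	}
	seen := map[string]bool{}
	var privs []string
	for _, g := range ac.Groups {
		for _, p := range pol[resource][g] { // nil map/slice lookups yield nothing
			if !seen[p] {
				seen[p] = true
				privs = append(privs, p)
			}
		}
	}
	if len(privs) == 0 {
		return nil, fmt.Errorf("no group of %q is linked to Policy(%s)", ac.Holder, resource)
	}
	return privs, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	// Constructed AC: holder "user", member of G1, usable only at NE ne-oam-1.
	ac := AttributeCertificate{Holder: "user", Groups: []string{"G1"}, Targets: []string{"ne-oam-1"}}
	fmt.Println(Authorize("ne-oam-1", "user", ac, SamplePolicy(), "R"))  // [Read Write] <nil>
	fmt.Println(Authorize("ne-core-2", "user", ac, SamplePolicy(), "R")) // targeting failure
}
```

Targeting is checked before the policy lookup on purpose: an AC presented at an NE it was never issued for is rejected outright, which is the containment property A.1.4 describes, independent of what the holder's groups would otherwise allow.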