ImageVerifierCode 换一换
格式:PDF , 页数:36 ,大小:389.28KB ,
资源ID:803472      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-803472.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ITU-T SERIES Y SUPP 12-2010 ITU-T Y 2720 C Supplement on NGN identity management mechanisms (Study Group 13)《ITU-T Y 2720 下一代网络(NGN)身份管理机制的补充 13号研究组》.pdf)为本站会员(bowdiet140)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ITU-T SERIES Y SUPP 12-2010 ITU-T Y 2720 C Supplement on NGN identity management mechanisms (Study Group 13)《ITU-T Y 2720 下一代网络(NGN)身份管理机制的补充 13号研究组》.pdf

1、 International Telecommunication Union ITU-T Series YTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 12(04/2010) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS ITU-T Y.2720 Supplement on NGN identity management mechanisms ITU-T Y-series

2、 Recommendations Supplement 12 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and prot

3、ocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource

4、management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and fun

5、ctional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network ma

6、nagement Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Future networks Y.2600Y.2699 Security Y.2700Y.2799 Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 For further details, please refer to the list of ITU-T Recommendations. Y series Supplement

7、12 (04/2010) i Supplement 12 to ITU-T Y-series Recommendations ITU-T Y.2720 Supplement on NGN identity management mechanisms Summary Supplement 12 to ITU-T Y-series Recommendations provides a description of some example mechanisms that can be used to meet certain identity management (IdM) requiremen

8、ts and deployment needs of NGN. History Edition Recommendation Approval Study Group 1.0 ITU-T Y Suppl. 12 2010-04-30 13 Keywords Authentication, authorization, identity management, next generation network, single sign-on. ii Y series Supplement 12 (04/2010) FOREWORD The International Telecommunicati

9、on Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff quest

10、ions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations

11、 on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the

12、expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure e.g., interoperability or applicabili

13、ty) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the public

14、ation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claime

15、d Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. H

16、owever, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the

17、 prior written permission of ITU. Y series Supplement 12 (04/2010) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 4 Abbreviations 2 5 Conventions 3 6 Mechanisms and procedures supporting IdM functions . 3 6.1 Lifecycle management 3 6.2 Authentication and authentication assurance . 3 6.3

18、 IdM communications and information exchange . 22 6.4 Identity information access control 25 6.5 Single sign-on . 25 Appendix I ITU-T X.509 v3 message authentication . 27 Y series Supplement 12 (04/2010) 1 Supplement 12 to ITU-T Y-series Recommendations ITU-T Y.2720 Supplement on NGN identity manage

19、ment mechanisms 1 Scope This supplement provides a description of some example mechanisms that can be used to meet certain identity management (IdM) requirements and deployment needs of NGN. NOTE This supplement provides only a subset of the IdM mechanisms needed for NGN. The purpose of this supplem

20、ent is to provide the information in a timely manner while the work to develop a Recommendation specifying a more complete set of IdM mechanisms progresses. The objective of this work is to define the IdM mechanism in support of the requirements specified in ITU-T Y.2721. 2 References ITU-T X.509 Re

21、commendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open systems interconnection The Directory: Public-key and atribute certificate frame works. ITU-T X.1035 Recommendation ITU-T X.1035 (2007), Password-authenticated key exchange (PAK) protocol. ITU-T X.1141 Recommendation

22、ITU-T X.1141 (2006), Security Assertion Markup Language (SAML 2.0). ITU-T Y.2012 Recommendation ITU-T Y.2012 (2006), Functional requirements and architecture of the NGN release 1. ITU-T Y.2702 Recommendation ITU-T Y.2702 (2008), Authentication and authorization requirements for NGN release 1. ITU-T

23、Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. ITU-T Y.2721 Recommendation ITU-T Y.2721 (2010), NGN identity management requirements and use cases. ATIS 33102 ATIS.3GPP.33.102V

24、710-2007, 3G Security; Security Architecture. IETF RFC 2289 IETF RFC 2289 (1998), A One-Time Password System. IETF RFC 2616 IETF RFC 2616 (1999), Hypertext Transfer Protocol HTTP/1.1. IETF RFC 2617 IETF RFC 2617 (1999), HTTP Authentication: Basic and Digest Access Authentication. IETF RFC 3310 IETF

25、RFC 3310 (2002), Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA). IETF RFC 4169 IETF RFC 4169 (2005), Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2. IETF RFC 4279 IETF RFC 4279 (20

26、05), Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). 2 Y series Supplement 12 (04/2010) 3GPP TR 33.924 3GPP TR 33.924 Release 9 (2009), 3rd Generation Partnership Project; Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture

27、(GAA) interworking (Release 9). OpenID v.2 OpenID OpenID Authentication 2.0. OASIS WSS X.509 profile OASIS (2006), Web Services Security X.509 Certificate Token Profile 1.1. OASIS SAML token OASIS (2006), SAML Token Profile 1.1, OASIS Approved Erratta 1. OASIS WSS SOAP OASIS (2004), Web Services Sec

28、urity (WSS) SOAP Message Security 1.1. LA ID-WSF security Liberty Alliance Project (2007), Liberty ID-WSF Security Mechanisms Core Version 2.0-errata Version 1.0. LA SOAP binding Liberty Alliance Project, Web Services Security (WSS) (2006), Liberty SOAP Binding Ver-2.0. W3C XML signature World Wide

29、Web Consortium (W3C) (2008), XML Signature Syntax and Processing (Second Edition). 3 Definitions This supplement relies on the terms defined in ITU-T Y.2720. 4 Abbreviations This supplement uses the following abbreviations and acronyms: AKA Authentication and Key Agreement ASP Application Service Pr

30、ovider AV Authentication Vector BSF Bootstrapping Server Function CK Ciphering Key GBA Generic Bootstrapping Architecture HSS Home Subscriber System IdM Identity Management IdP Identity Provider ID-WSF Identity Web Services Framework IK Integrity Key IMPI IP Multimedia Private User Identity IMPU IP

31、Multimedia Public User identity IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IPTV Internet Protocol Television ISIM IMS Subscriber Identity Module Y series Supplement 12 (04/2010) 3 NAF Network Application Function NGN Next Generation Network OASIS Organization for the A

32、dvancement of Structured Information Standards OTP One Time Password PKI Public Key Infrastructure SAML Security Assertion Markup Language SIP Session Initiation Protocol SLF Subscriber Locator Function SOAP Simple Object Access Protocol SSO Single Sign-On UE User Equipment UICC Universal Integrated

33、 Circuit Card UMTS Universal Mobile Telecommunications System WSS Web Services Security XML eXtensible Markup Language 5 Conventions None. 6 Mechanisms and procedures supporting IdM functions This clause describes mechanisms and procedures that support IdM functions. 6.1 Lifecycle management Refer t

34、o ITU-T Y.2720 for information on identity lifecycle management. 6.2 Authentication and authentication assurance This clause describes mechanisms for authentication and assurance of identities and identity information. It references authentication mechanisms defined elsewhere. The identity provider

35、(IdP) supports authentication methods such as authentication based on web services (WS) security assertion markup language (SAML) profile, certificate-based authentication, or password-based authentication (including one time password (OTP). The authentication methods are selected based on the assur

36、ance-level requirements. The IdP may request assurance-level information to find the authentication methods that satisfy the service providers assurance-level requirements. 6.2.1 Authentication based on the WS security SAML profile This clause describes SAML-based authentication. 6.2.1.1 SAML assert

37、ions The security assertion markup language (SAML) ITU-T X.1141 specifies a format of assertions that can be used in identity management for exchanging security information. Among the IdM functions that can be implemented with the use of SAML are authentication, attribute sharing, and authorization,

38、 which correspond to three types of statements about a subject of a SAML assertion: 4 Y series Supplement 12 (04/2010) Authentication statement conveys information that the assertion subject was authenticated by a particular means at a particular time. Attribute statement conveys information that th

39、e assertion subject is associated with the listed attributes. Authorization decision statement conveys information that access to a specified resource was granted to the assertion subject, or the subject was denied such access. The content of a SAML assertion can be described at a high level as foll

40、ows: assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid. The use of the SAML assertions for conveying authentication, attribute and authorization information in simple object access protocol (SOAP) messages is a special and important application of SAML.

41、 When SOAP messages are exchanged over an unprotected transport, it is strongly recommended that XML signature W3C XML signature is used to verify the relationship between the SOAP message and the statements of the assertions carried in the message. The Web Services Security (WSS): SAML Token Profil

42、e OASIS SAML token standard describes how: SAML assertions (also referred to as SAML tokens) are carried in and referenced from a SOAP message; an XML signature is used to bind a subject and the statements of a SAML assertion with a SOAP message. A typical use of a SAML token with a SOAP message con

43、structed according to this specification is depicted by Figure 1 and described below. In this example, a signed SOAP message contains a SAML assertion with an attribute statement. Based on the information in this statement, the receiver decides whether to allow access to the requested resource. Figu

44、re 1 Typical steps of construction and processing of a SOAP message with a SAML token 1. The attesting entity obtains a SAML assertion with an attribute statement and constructs and includes it in a SOAP message constructed according to OASIS SAML token. 2. The attesting entity sends a SOAP message

45、to the receiver. 3. The receiver verifies the digital signature. 4. The information of the SAML statement is used for access control. Receiver Verify Signature Access Control 1 Attesting Entity 2 34 WSS signedSOAP message SAML Attribute informationY series Supplement 12 (04/2010) 5 6.2.1.2 Subject c

46、onfirmation methods of the SAML tokens The OASIS Standard, OASIS SAML token specifies how to attach a SAML assertion to a SOAP message and defines two mandatory subject confirmation methods: holder-of-key; sender-vouches. The main XML elements of the SOAP message constructed according to OASIS WSS S

47、OAP are depicted in Figure 2. The SAML assertion is placed into the header, which also contains the digital signature . The digital signature is used by the receiver of the SOAP message to verify that the sender of the message knows the key used for computing the signature over the digest of the SOA

48、P body and for checking its integrity. The digest algorithm is SHA 1 and the signature algorithm is RSA_SHA 1 as specified in OASIS WSS SOAP. The signatures value is provided in the element of the . Two subject confirmation methods define different ways for conveying information on the key to the re

49、ceiver. Figure 2 Structure of the SOAP message with SAML assertion The following clauses describe two subject confirmation methods. 6.2.1.2.1 The holder-of-key subject confirmation method Figure 3 depicts the structure of the SAML assertion used for the holder-of-key subject confirmation method. The method attribute of element indicates the method of the subject confirmation (holder-of-key). The method specifies that the sender (a

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1