ITU-T X.1034 (2011) Guidelines on extensible authentication protocol based authentication and key management in a data communication network (Study Group 17)

International Telecommunication Union
ITU-T X.1034
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (02/2011)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Information and network security – Network security
Guidelines on extensible authentication protocol based authentication and key management in a data communication network
Recommendation ITU-T X.1034

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
PUBLIC DATA NETWORKS: X.1–X.199
OPEN SYSTEMS INTERCONNECTION: X.200–X.299
INTERWORKING BETWEEN NETWORKS: X.300–X.399
MESSAGE HANDLING SYSTEMS: X.400–X.499
DIRECTORY: X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS: X.600–X.699
OSI MANAGEMENT: X.700–X.799
SECURITY: X.800–X.849
OSI APPLICATIONS: X.850–X.899
OPEN DISTRIBUTED PROCESSING: X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects: X.1000–X.1029
  Network security: X.1030–X.1049
  Security management: X.1050–X.1069
  Telebiometrics: X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security: X.1100–X.1109
  Home network security: X.1110–X.1119
  Mobile security: X.1120–X.1139
  Web security: X.1140–X.1149
  Security protocols: X.1150–X.1159
  Peer-to-peer security: X.1160–X.1169
  Networked ID security: X.1170–X.1179
  IPTV security: X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity: X.1200–X.1229
  Countering spam: X.1230–X.1249
  Identity management: X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications: X.1300–X.1309
  Ubiquitous sensor network security: X.1310–X.1339
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity: X.1500–X.1519
  Vulnerability/state exchange: X.1520–X.1539
  Event/incident/heuristics exchange: X.1540–X.1549
  Exchange of policies: X.1550–X.1559
  Heuristics and information request: X.1560–X.1569
  Identification and discovery: X.1570–X.1579
  Assured exchange: X.1580–X.1589
For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1034 (02/2011)

Recommendation ITU-T X.1034
Guidelines on extensible authentication protocol based authentication and key management in a data communication network

Summary

The extensible authentication protocol (EAP) is an authentication framework that supports multiple authentication mechanisms between a supplicant and an authentication server in a data communication network. EAP can be used as a basic tool for enabling user authentication and distribution of session keys in a data communication network. Since there are several EAP methods, the application designer should select the optimal EAP method among them. This revision of Recommendation ITU-T X.1034 describes a framework for EAP-based authentication and key management for securing the lower layer in a communication network. It provides guidance on the selection of EAP methods and describes the mechanism for key management for the lower layer of a data communication network. The framework described in this Recommendation can be applied to protect data communication networks with wireless or wired access networks with a shared medium.

History

Edition  Recommendation  Approval    Study Group
1.0      ITU-T X.1034    2008-04-06  17
2.0      ITU-T X.1034    2011-02-13  17

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2012
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Terms and definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 EAP-based authentication and key management framework
  6.1 Introduction
  6.2 General features of EAP
  6.3 Basic operational procedures for authentication and key management protocols
7 EAP protocols
  7.1 Vulnerabilities in EAP
  7.2 Set of requirements for EAP
  7.3 Criteria for evaluating and classifying EAP methods
  7.4 EAP method
  7.5 Evaluation of existing EAP methods
8 Key management
  8.1 Practical threats to a specific wireless access network
  8.2 General operational phases for key management
  8.3 Set of requirements for key management
  8.4 Flow of the key management protocol
  8.5 Requirements classification of key management
9 Cryptographic key for key management
  9.1 General policy model
  9.2 Possible cryptographic key hierarchy and key derivation
Appendix I – Evaluation of existing EAP methods
Appendix II – AAA protocol
Appendix III – Overview of the existing EAP methods
  III.1 Pre-shared secret-based EAP methods
  III.2 EAP methods based on public key
  III.3 EAP methods that support both shared secret and public key
  III.4 Tunnel-based EAP methods
Bibliography

Recommendation ITU-T X.1034
Guidelines on extensible authentication protocol based authentication and key management in a data communication network

1 Scope

The extensible authentication protocol (EAP) is an authentication framework that supports multiple authentication mechanisms between a supplicant and an authentication server. EAP can work directly over lower layers, e.g., the data link layer, such as the point-to-point protocol (PPP), IEEE 802, CDMA2000, UMTS, or VDSL/ADSL. For example, IEEE 802.1X is a typical transport mechanism for EAP over 802 LANs. EAP basically performs authentication for a device attached to a LAN, establishing a secure point-to-point connection or preventing access by an unauthorized device. In other words, EAP can be used to authenticate the supplicant wishing to access the network. The AAA function may be used as one of the key functions for lower-layer security of a data communication network. AAA enables transporting the secret key from the authentication server to the authenticator. Thus, defining the requirements of the EAP method and key management protocol, establishing criteria for selecting an optimal EAP method among several existing EAP methods, and defining a suitable framework for EAP and an optimal key management protocol including key derivation methods for lower-layer security in end-to-end data communication are essential.

This Recommendation applies mainly to EAP-based authentication and key management protocols for data communication with a wireless access network, where communication through the wireless access network should be protected by the key material derived from the key management protocol. This Recommendation describes a framework for authentication and key management to secure the lower layer in data communication. It also provides guidance on the selection of EAP methods for a data communication network and describes the mechanism for key management and a possible key hierarchy for lower-layer security in a data communication network. This Recommendation provides a complete set of guidance not only for EAP-based authentication itself but also for key management, from threat analysis to requirements, allowing the network operator to choose an adequate EAP method using the criteria described for a specific network environment.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T X.805] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.1121] Recommendation ITU-T X.1121 (2004), Framework of security technologies for mobile end-to-end data communications.
[ITU-T X.1151] Recommendation ITU-T X.1151 (2007), Guideline on secure password-based authentication protocol with key exchange.
[IETF RFC 3748] IETF RFC 3748 (2004), Extensible Authentication Protocol (EAP).
[IETF RFC 4017] IETF RFC 4017 (2005), Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs.
[IETF RFC 5216] IETF RFC 5216 (2008), The EAP-TLS Authentication Protocol.
[ISO/IEC 8802-11] ISO/IEC 8802-11:2005/Amd.6:2006, Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications – Amendment 6: Medium Access Control (MAC) Security Enhancements.

3 Terms and definitions

3.1 Terms defined elsewhere

3.1.1 passive attack [ITU-T X.1151]: This refers to an attack that involves listening, i.e., eavesdropping, without modifying or supplementing information.

3.1.2 server-compromised attack [ITU-T X.1151]: This refers to an attack wherein an attacker obtains verifier information from the server and launches a dictionary attack on the password file.

3.1.3 temporal key (TK) [ISO/IEC 8802-11]: This pertains to the keying material for the encryption and integrity of messages during later data sessions. The TK is generally a part of the PTK.

3.2 Terms defined in this Recommendation

3.2.1 4-way handshake (adapted from [IETF RFC 4017]): A 4-way handshake is a process consisting of 4 messages exchanged by two parties, where a pair-wise master key is involved. As a Pair-wise Authentication and Key Management Protocol (AKMP) defined in [ISO/IEC 8802-11], it confirms the mutual possession of a Pair-wise Master Key by two parties and distributes a Group Key.

3.2.2 authentication, authorization, accounting (AAA) (adapted from [IETF RFC 4017]): The AAA protocol can be used as a transport mechanism for EAP messages; it comprises RADIUS and Diameter. In general, the terms "AAA server" and "backend authentication server" are used interchangeably.

3.2.3 authenticator (adapted from [IETF RFC 4017]): The authenticator refers to the endpoint of the link initiating EAP authentication when a supplicant wants to access the network.

3.2.4 backend authentication server (adapted from [IETF RFC 4017]): A backend authentication server, i.e., authentication server, pertains to an entity providing authentication service to an authenticator. A typical backend authentication server is the AAA server.

3.2.5 credentials: A set of security-related information comprising keys, keying material and cryptographic algorithm-related parameters that can be used to establish the identity of an entity, or to help that entity communicate securely.

3.2.6 EAP server (adapted from [IETF RFC 4017]): This entity executes the EAP authentication method with the supplicant. In case no backend authentication server is used, the EAP server plays the role of the authenticator. In case a backend authentication server is used, that is, if the authenticator operates in pass-through mode, i.e., the authenticator forwards the EAP message without any modification to the supplicant or vice versa, the EAP server is placed on the backend authentication server.

3.2.7 key confirmation: A procedure to prove to one entity that another entity has established the correct secret keying material as a result of a key establishment.

3.2.8 man-in-the-middle attack (adapted from [ITU-T X.1151]): This refers to an attack wherein an attacker intercepts the public key being exchanged by two entities and substitutes his/her own public key to impersonate the recipient, where the attacker can own the public key or take a copy of it while it is being exchanged. This attack compromises the security of the cryptosystem.

3.2.9 master key (MK): Top-level keying material shared between the supplicant and the authentication server to derive the master session key. In general, a master key is different from the master session key. This is because the MK represents a positive access decision for a supplicant by the authentication server.

3.2.10 master session key (MSK) (adapted from [IETF RFC 4017]): This refers to the keying material derived between the EAP peer and server and exported to the authenticator using the EAP method. The MSK is at least 64 octets long. In existing implementations, an AAA server acting as an EAP server transports the MSK to the authenticator.

It refers to the privilege given to a supplicant by an authenticator to access the lower layer of a data communication network. In this Recomm
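The definitions above describe the pieces of the key hierarchy the framework hands from EAP down to the link layer: the MSK exported by the EAP method (3.2.10, at least 64 octets), the pair-wise master key confirmed by a 4-way handshake that also distributes a group key (3.2.1), the temporal key carved out of the PTK (3.1.3), and key confirmation, i.e. proving that the other side holds the same keying material (3.2.7). The following Python is an added example, not text or code from the Recommendation, showing how these fit together and why the MIC check in message 2 is the confirmation step. It assumes, as labelled in the comments, the IEEE 802.11 convention PMK = MSK[0:32], HMAC-SHA256 as a simplified stand-in for the 802.11 PRF, a toy XOR key wrap in place of AES key wrap, and a simplified message layout; the link addresses, nonces and keys are constructed sample values.

```python
"""Illustrative EAP key hierarchy and 4-way handshake with key confirmation.

Added example, not text of ITU-T X.1034. Assumptions: PMK = MSK[0:32] (IEEE 802.11
convention), HMAC-SHA256 as a simplified PRF, and a toy XOR key wrap for the GTK.
"""
import hashlib
import hmac
import os

MSK_MIN_LEN = 64   # clause 3.2.10: the MSK is at least 64 octets long
PMK_LEN = 32       # assumption: the PMK is the first 32 octets of the MSK
PTK_LEN = 48       # KCK (16) || KEK (16) || TK (16)


def derive_pmk(msk: bytes) -> bytes:
    """Pair-wise master key taken from the MSK that the EAP method exported."""
    if len(msk) < MSK_MIN_LEN:
        raise ValueError("MSK shorter than 64 octets")
    return msk[:PMK_LEN]


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion (simplified stand-in for the 802.11 PRF)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK bound to both link addresses and both nonces, split into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def mic(kck: bytes, body: bytes) -> bytes:
    """Message integrity code over one handshake message, keyed with the KCK."""
    return hmac.new(kck, body, hashlib.sha256).digest()[:16]


def wrap_gtk(kek: bytes, gtk: bytes, anonce: bytes) -> bytes:
    """Toy key wrap (XOR with a KEK/ANonce-derived keystream); unwrapping is the same call."""
    stream = prf(kek, b"gtk wrap", anonce, len(gtk))
    return bytes(a ^ b for a, b in zip(gtk, stream))


def four_way_handshake(pmk_supplicant: bytes, pmk_authenticator: bytes, gtk: bytes,
                       aa: bytes = b"\x02" * 6, spa: bytes = b"\x04" * 6) -> dict:
    """Run the four messages between a supplicant and an authenticator that each hold
    their own copy of the PMK.  Returns the outcome and, on success, the installed keys."""
    # Message 1 (authenticator -> supplicant): ANonce; there is no key to protect it with yet.
    anonce = os.urandom(32)
    # Supplicant: choose SNonce, derive its PTK, answer with SNonce plus a MIC.
    snonce = os.urandom(32)
    ptk_s = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)
    msg2 = b"msg2" + snonce
    mic2 = mic(ptk_s["KCK"], msg2)
    # Authenticator: derive its own PTK and verify the MIC.  This is the key confirmation of
    # clause 3.2.7: a valid MIC proves the supplicant derived the same PTK, hence holds the PMK.
    ptk_a = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, mic(ptk_a["KCK"], msg2)):
        return {"ok": False, "failed_at": "msg2", "reason": "supplicant did not prove PMK possession"}
    # Message 3 (authenticator -> supplicant): ANonce again plus the wrapped group key, under a MIC.
    msg3 = b"msg3" + anonce + wrap_gtk(ptk_a["KEK"], gtk, anonce)
    mic3 = mic(ptk_a["KCK"], msg3)
    if not hmac.compare_digest(mic3, mic(ptk_s["KCK"], msg3)):
        return {"ok": False, "failed_at": "msg3", "reason": "authenticator did not prove PMK possession"}
    gtk_received = wrap_gtk(ptk_s["KEK"], msg3[4 + 32:], anonce)
    # Message 4 (supplicant -> authenticator): confirmation that the keys are installed.
    msg4 = b"msg4"
    if not hmac.compare_digest(mic(ptk_s["KCK"], msg4), mic(ptk_a["KCK"], msg4)):
        return {"ok": False, "failed_at": "msg4", "reason": "final confirmation failed"}
    return {"ok": True, "tk_supplicant": ptk_s["TK"], "tk_authenticator": ptk_a["TK"],
            "gtk_received": gtk_received}


if __name__ == "__main__":
    # Constructed sample: pretend the EAP method exported this 64-octet MSK to both sides.
    pmk = derive_pmk(bytes(range(64)))
    group_key = b"\x11" * 16
    print("shared PMK:", four_way_handshake(pmk, pmk, group_key)["ok"])            # True
    print("wrong PMK: ", four_way_handshake(bytes(32), pmk, group_key)["failed_at"])  # msg2
```

The second run shows the defensive value of key confirmation: a supplicant that never received the MSK from a successful EAP exchange cannot produce a valid MIC in message 2, so the authenticator aborts before any temporal key is installed or any group key is disclosed. Binding both addresses and both nonces into the PTK derivation is what makes a replayed message 2 from an earlier session useless.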
