ITU-T X 1080 0-2017 Access control for telebiometrics data protection (Study Group 17).pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1080.0 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2017) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Information and network security Telebiometrics Access control for telebiometrics data prot

2、ection Recommendation ITU-T X.1080.0 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWO

3、RKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.

4、1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBER

5、SPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI related Recommendations X.1340X.1349 Internet of things (IoT) security X.

6、1360X.1369 Intelligent transportation system (ITS) security X.1370X.1379 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information re

7、quest X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing secur

8、ity implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1080.0 (03/2017) i Recommendation ITU-T X.1080.0 Access control for telebiometrics data protection Summary Recommendation ITU-T X.1080.0 pr

9、ovides specifications on how to protect telebiometrics information against unauthorized access. A service-oriented view is taken, where only information necessary for a particular purpose is provided, i.e., access is given not only on a right-to-know basis, but also on a need-to-know basis. The core

10、 of this Recommendation is an attribute specification included in an attribute certificate or public-key certificate that specifies in detail what privileges a particular entity has for one or more service types. Security is provided by using a profile of the cryptographic message syntax (CMS). The

11、CMS profile provides authentication, integrity and, when required, confidentiality (encryption). This profile is intended to provide security support for telebiometrics specifications in general. The profile assumes, and is dependent upon, the correct deployment of a public-key infrastructure (PKI).

12、 This Recommendation is also dependent on the deployment of a privilege management infrastructure (PMI). History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1080.0 2017-03-30 17 11.1002/1000/13193 Keywords Access control, Diffie-Hellman, PKI, telebiometrics. * To access the Re

13、commendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1080.0 (03/2017) FOREWORD The International Telecommunication Union (ITU) is the United Natio

14、ns specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations o

15、n them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of

16、ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is

17、used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with

18、the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required

19、of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual

20、Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However

21、, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2017 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior

22、 written permission of ITU. Rec. ITU-T X.1080.0 (03/2017) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 2 3.1 Terms defined elsewhere 2 3.2 Terms defined in this Recommendation . 3 4 Abbreviations and acronyms 3 5 Conventions 4 6 Basic concepts and models . 4 6.1 Protection i

23、n a single data protection domain 4 6.2 Cross data protection domain . 6 6.3 Service-oriented model . 6 6.4 The object and attribute model . 7 6.5 Basic access control principles . 7 6.6 Relationship to other access control schemes 7 6.7 Protocols overview . 8 6.8 Use of CMS 8 6.9 Public-key certifi

24、cate considerations 9 7 Provision of privilege information 9 7.1 Use of attribute certificates . 9 7.2 Use of public-key certificates . 9 7.3 The access service attribute type 10 7.4 Operations on objects as a whole . 12 7.5 Operations on attributes 12 7.6 Error handling . 13 8 Privilege assertion p

25、rotocol 13 8.1 Overview 13 8.2 Common request components 14 8.3 Accessing a service . 14 8.4 Read operation 14 8.5 Compare operation . 15 8.6 Add operation . 17 8.7 Delete operation 18 8.8 Modify operation 18 8.9 Rename object operation 20 8.10 Error handling . 21 8.11 Information selection 21 8.12

26、Object information 22 iv Rec. ITU-T X.1080.0 (03/2017) Page 8.13 Defined error codes 22 9 Privilege assignment protocol . 23 9.1 Scope of protocol 23 9.2 Content types 23 Annex A Object identifier allocation for the ITU-T 1080-series 25 A.1 Top level of object identifier tree . 25 A.2 Object identif

27、iers for CMS content types . 25 A.3 Object identifiers for privilege attribute types 26 Annex B Cryptographic message syntax profile. 27 B.1 General . 27 B.2 Use of the signedData content type 28 B.3 Use of envelopedData content type 30 B.4 Use of the authenticated-enveloped-data content type . 34 B

28、.5 Attributes 35 B.6 Cryptographic message syntax error codes 36 Annex C Formal specification of the privilege assertion and assignment protocols 38 Appendix I Informal specification for the cryptographic message syntax profile 44 Bibliography. 49 Rec. ITU-T X.1080.0 (03/2017) v Introduction When co

29、llecting telebiometrics data from individuals, there is a risk of infringement of privacy. There may be several reasons for protecting such information. Information may provide access to a company or an organization or it may be of a sensitive nature that restricts its distribution. The protection a

30、gainst unwanted disclosure of telebiometrics data has two major aspects: protection of data during transmission, typically by encryption, and protection of stored data; control of access to stored data. While telebiometric systems should have a high level of security with respect to confidentiality

31、(encryption), authentication, integrity, physical protection, use of firewalls, virus protection programs, etc., it is also necessary to establish an elaborate access control system for access to stored information, in particular information about individuals. This latter aspect is particularly impo

32、rtant for telebiometric systems. General access control schemes have a shortcoming in that they mainly consider the right (or refusal) to information, but do not consider, in detail, the need-to-know aspect. A need-to-know implies that it is not sufficient to have the right to see the data, but it a

33、lso must be established that this information is to be used for legitimate purposes. Information should only be provided for its intended use. Medical information about a patient is collected to allow optimal treatment of that patient and should not be used for any other purpose, except possibly for

34、 tightly controlled research projects that may require use of some pieces of information from a specific collection of patients, otherwise information shall be protected against information trawling. There are two main types of access control: physical and logical. Physical access control limits acc

35、ess to campuses, buildings, rooms and physical information technology (IT) assets. Logical access limits connections to computer networks, system files and data. Only logical access control is considered in this Recommendation Access control includes secure authentication of accessors by the service

36、 provider. This Recommendation assumes the use of digital signatures and an established public-key infrastructure (PKI). Recommendation ITU-T X.1080.0 may be referenced by other telebiometrics specifications. Annex A, which is an integral part of this Recommendation, specifies the allocation of obje

37、ct identifiers used by the ITU-T X.1080-series of Recommendations. Annex B, which is an integral part of this Recommendation, provides a telebiometrics profile of the cryptographic message syntax (CMS), as discussed in IETF RFC 5652, that is used by this Recommendation. It can also be referenced by

38、other telebiometrics specifications. Annex C, which is an integral part of this Recommendation, provides a formal specification for the privilege assertion and assignment protocols in the form an Abstract Syntax Notation One (ASN.1) module. Appendix I, which is not an integral part of this Recommend

39、ation, provides an informal specification for the CMS profile in the form of an ASN.1 module. Rec. ITU-T X.1080.0 (03/2017) 1 Recommendation ITU-T X.1080.0 Access control for telebiometrics data protection 1 Scope This Recommendation provides a specification for how privacy may be protected in a tel

40、ebiometrics environment by using privacy-based access control for telebiometrics (ACT). While this Recommendation cannot identify all possible information types, it is within the scope to provide general tools for handling all types of information in a secure way. This includes definition of a proto

41、col for assigning privileges and a protocol for accessing information using privilege assertion. This Recommendation provides guidelines and does not contain compliance requirements. The following is outside the scope of this Recommendation: physical protection of the information; unauthorized acces

42、s by operational personal that maintain the security system and therefore having the possibility to circumvent security. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At th

43、e time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed belo

44、w. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.500-series Recommendation ITU-T X.5xx (2016) | ISO/IEC 9594-x series, Information

45、 technology Open Systems Interconnection The Directory. ITU-T X.501 Recommendation ITU-T X.501 (2016) | ISO/IEC 9594-2, Information technology Open Systems Interconnection The Directory: Models. ITU-T X.509 Recommendation ITU-T X.509 (2016) | ISO/IEC 9594-8, Information technology Open Systems Inter

46、connection The Directory: Public-key and attribute certificate frameworks. ITU-T X.520 Recommendation ITU-T X.520 (2016) | ISO/IEC 9594-6, Information technology Open Systems Interconnection The Directory: Selected attribute types. ITU-T X.521 Recommendation ITU-T X.521 (2016) | ISO/IEC 9594-7, Info

47、rmation technology Open Systems Interconnection The Directory: Selected object classes. ITU-T X.680 Recommendation ITU-T X.680 (2015) | ISO/IEC 8824-1, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T X.681 Recommendation ITU-T X.681 (2015) | ISO/IE

48、C 8824-2, Information technology Abstract Syntax Notation One (ASN.1): Information object specification. 2 Rec. ITU-T X.1080.0 (03/2017) ITU-T X.682 Recommendation ITU-T X.682 (2015) | ISO/IEC 8824-3, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification. ITU-T X.683

49、Recommendation ITU-T X.683 (2015) | ISO/IEC 8824-4, Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications. ITU-T X.690 Recommendation ITU-T X.690 (2015) | ISO/IEC 8825-1, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). ITU-T X.1080.1 Recommendation ITU-T X.1080.1 (2011), e-Healt