ITU-T X 811-1995 Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems Authentication Framework - Data Networks and Open System Communication.pdf

1、ITU-T RECMNUX-833 75 = 4862593 Ob07708 LO7 INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COM MUN ICATIONS SECURITY X.811 (04195) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: A

2、UTHENTICATION FRAMEWORK ITU-T Recommendation X.811 (Previously “CCIlT Recommendation”) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesITU-T RECMN*X.BLL 95 i862591 Ob07909 043 W FOREWORD ITU (International Telecommunication Union) is th

3、e United Nations Specialized Agency in the field of telecommunications. The IT Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations pa

4、rticipate in ITU-T which is the body which sets world telecommunications standards (Recommendations). The approval of Recommendations by the Members of IT-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Confe

5、rence (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period. In some areas of information technology which fall within ITLJ-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC

6、. The text of IT-T Recommendation X.811 was approved on 10th of April 1995. The identical text is also published as ISO/IEC International Standard 10181-2. NOTE In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a r

7、ecognized operating agency. O ITU 1996 All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU. COPYRIGHT International Telecommunications Un

8、ion/ITU TelecommunicationsLicensed by Information Handling ServicesITU-T RECMNUX.83L 95 R 4862593 0607930 865 R PUBLIC DATA NETWORKS Services and facilities ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS (February 1994) ORGANIZATION OF X-SERIES RECOMMENDATIONS X. 1-X.19

9、I Subject area 1 Recommendation series Interfaces Transmission, signalling and switching X.20-X.49 X.50-X.89 Network aspects Maintenance X.90-X.149 X. 150-X. 179 Administrative arrangements OPEN SYSTEMS INTERCONNECTION X.180-X.199 Model and notation X.200-X.209 Service definitions X.2 1 O-X.2 19 - C

10、onnection-mode protocol specifications Connectionless-mode protocol specifications X.220-X.229 X.230-X.239 PICS proformas Protocol identification X.240-X.259 X.260-X.269 Security protocols X.270-X.279 Layer managed objects X.280-X.289 Conformance testing INTERWORKING BETWEEN NETWORKS X.290-X.299 Gen

11、eral Mobile data transmission systems x.300-x.349 X.350-X.369 Management MESSAGE HANDLING SYSTEMS X.370-X.399 x.400-x.499 DIRECTORY OS1 NETWORKING AND SYSTEM ASPECTS x.500-x.599 Networking Naming, addressing and registration X.600-X.649 X.650-X.679 Abstract Syntax Notation One (ASN.l) OS1 MANAGEMENT

12、 X.680-X.699 x.700-x.799 SECURITY OS1 APPLICATIONS X.800-X.849 Commitment, concurrency and recovery Transaction processing X.850-X.859 X.860-X.879 Remote operations OPEN DISTRIBUTED PROCESSING X.880-X.899 x.900-x.999 COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by

13、Information Handling Services _ ITU-T RECMN*X.Bll 75 U 4862571 QbO9Ll Tl CONTENTS . Introduction 1 2 3 4 5 6 7 8 9 Scope Normative references . 2.1 Identical Recommendations I International Standards 2.2 2.3 Additional references Definitions Abbreviations . General discussion of authentication 5.1 B

14、asic concepts of authentication . 5.2 Aspects of authentication service 5.3 Principles used in authentication . 5.4 Phases of authentication 5.5 Trusted Third Party Involvement 5.6 Types of principal . 5.7 Human user authentication 5.8 Types of attack on authentication . Authentication information a

15、nd facilities . 6.1 Authentication information . Characteristics of authentication mechanisms 7.1 Symmetry/Asymmetry 7.2 Use of CryptographicNon-cryptographic techniques . 7.3 Types of authentication . Authentication mechanisms . 8.1 Classification by vulnerabilities 8.2 Initiation of transfer 8.3 U

16、se of authentication certificates 8.4 Mutual authentication . 8.5 Summary of class characteristics Paired Recommendations I International Standards equivalent in technical content 6.2 Facilities 8.6 Classification by configuration . Interactions with other security services/mechanisms . 9.1 Access c

17、ontrol . 9.2 Data integrity 9.3 Data confidentiality . 9.4 Non-repudiation 9.5 Audit . Annex A . Human user authentication Annex B . Authentication in the OS1 Model Annex C - Countering replay using unique numbers or challenges . Annex D - Protection against some forms of attack on authentication .

18、Annex E - Bibliography Annex F - Some specific examples of authentication mechanisms Annex G - Authentication facilities outline ITU-T Rec . X.Sll(1995 E) Page 11 1 2 2 2 2 2 4 4 4 6 8 8 9 12 13 13 15 15 18 22 22 23 23 23 23 29 29 29 30 30 33 33 33 34 34 34 35 31 38 39 42 43 46 1 COPYRIGHT Internati

19、onal Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesITU-T RECMN*X.BLL 95 Y862591 Ob03912 b38 Introduction Many applications have requirements for security to protect against threats to the communication of information. Some commonly known threats, together wi

20、th the security services and mechanisms that can be used to protect against them, are described in IT Rec. X.800 I IS0 7498-2. Many Open Systems applications have security requirements which depend upon correctly identifying the principals involved. Such requirements may include the protection of as

21、sets and resources against unauthorized access, for which an identity based access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes. The process of corroborating an identity

22、is called authentication. This Recommendation I International Standard defines a general framework for the provision of authentication services. 11 ITU-T Rec. X.811(1995 E) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling ServicesITU-T RECMN*X-8

23、33 95 = 4862591 0607933 574 = ISOAEC 10181-2 : 1996 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: AUTHENTICATION FRAMEWORK 1 Scope The series of Recommendations I International Standards on Security Frame

24、works for Open Systems addresses the application of security services in an Open Systems environment, where the term “Open Systems” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means

25、 of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not p

26、rotocol elements) which are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. This Recommendation I International Standard: - - - - - defines the basic co

27、ncepts for authentication: identifies the possible classes of authentication mechanisms; defines the services for these classes of authentication mechanism; identifies functional requirements for protocols to support these classes of authentication mechanism; and identifies general management requir

28、ements for authentication. A number of different types of standards can use this framework including: 1) 2) 3) 4) 5) standards that incorporate the concept of authentication; standards that provide an authentication service; standards that use an authentication service: standards that specify the me

29、ans to provide authentication within an open system architecture; and standards that specify authentication mechanisms. Note that the service in 2), 3) and 4) might include authentication but may have a different primary purpose. These standards can use this framework as follows: * * * standard type

30、s 1), 2), 3), 4) and 5) can use the terminology of this framework: standard types 2), 3), 4) and 5) can use the services defined in clause 7 of this framework; and standard types 5) can be based on the mechanisms defined in clause 8 of this framework. As with other security services, authentication

31、can only be provided within the context of a defined security policy for a particular application. The definitions of security policies are outside the scope of this ITU Recommendation I International Standard. The scope of this Recommendation I International Standard does not include specification

32、of details of the protocol exchanges which need to be performed in order to achieve authentication. This Recommendation i International Standard does not specify particular mechanisms to support these authentication services. Other standards (such as ISO/IEC 9798) develop specific authentication met

33、hods in greater detail. Furthermore, examples of such methods are incorporated into other standards (such as ITU Rec. X.509 I ISOAEC 9594-8) in order to address specific authentication requirements. ITU-T Rec. X.811(1995 E) 1 COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLic

34、ensed by Information Handling Services ITU-T RECMN*X-811 95 m 48b2591 Ob07914 400 m ISO/IEC 10181-2 : 1996 (E) . Some of the procedures described in this framework achieve security by the application of cryptographic techniques. This framework is not dependent on the use of a particular cryptographi

35、c or other algorithm, although certain classes of authentication mechanisms may depend on particular algorithm properties, e.g. asymmetric properties. NOTE - Although IS0 does not standardize cryptographic algorithms, it does standardize the procedures used to register them in ISO/IEC 9979. 2 Normat

36、ive references The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards a

37、re subject to revision, and parties to agreements based on this Recommendation I Intemational Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0 maintain registers of currently valid Int

38、ernational Standards. The Telecommunication Standardization Bureau of the IT maintains a list of currently valid Recommendations. 2.1 Identical Recommendations I International Standards - ITU-T Recommendation X.810) I ISO/IEC 10181-l:.1), Information technology - Security frameworks for open systems

39、: Overview. 2.2 Paired Recommendations I International Standards equivalent in technical content - CCITT Recommendation X.800: 199 1, Security Architecture for Open System Interconnection for CCIT applications. IS0 7498-2: 1989, Information processing systems - Open Systems Interconnection - Basic R

40、eference Model - Part 2: Security Architecture. 2.3 Additional references - ISODEC 9979: 199 1, Data cryptographic techniques - Procedures for the registration of cryptographic algorithms. ISODEC 101 16: 1991, Information technology - Modes of operation for an n-bit block cipher algorithm. - 3 Defin

41、itions This Recommendation I International Standard makes use of the following general security-related terms defined in Rec. X.800 I IS0 7498-2: - audit; - audit trail; - authentication information; - confidentiality; - cryptography; - cryptographic checkvalue; - data origin authentication; - data

42、integrity; - decipherment; - digital signature; - encipherment; - key; Presently at the stage of draft. 2 IT-T Rec. X.811(1995 E) COPYRIGHT International Telecommunications Union/ITU TelecommunicationsLicensed by Information Handling Services- ITU-T RECHN*X.BLL 95 W 4862593 Ob07935 347 W ISODEC 1018

43、1-2 : 1996 (E) - key management; - masquerade; - password; - peer-entity authentication; - security policy. This Recommendation I International Standard makes use of the following term defined in ISO/IEC 101 16: - block chaining This Recommendation I International Standard makes use of the following

44、 terms defined in ITU-T Rec. X.810 I ISO/IEC 10181-1: - digital fingerprint; - hash function; - one-way function; - privatekey; - public key; - seal; - secret key; - security authority; - security certificate; - security domain; - security token; - trust; - trusted third party. For the purposes of t

45、his Recommendation I International Standard, the following definitions apply: 3.1 is shared by both entities. 3.2 3.3 3.4 be used to assure the identity of an entity. 3.5 for the purposes of performing an authentication. 3.6 3.7 3.8 3.9 needed to authenticate a principal. 3.10 the functions necessar

46、y for engaging in authentication exchanges on behalf of a principal. 3.11 distinguishing identifier: Data that unambiguously distinguishes an entity in the authentication process. This Recommendition I International Standard requires that such an identifier be unambiguous at least within a security

47、domain. 3.12 exchange authentication information (exchange AI): Information exchanged between a claimant and a verifier during the process of authenticating a principal. asymmetric authentication method: A method of authentication, in which not all authentication information authenticated identity:

48、A distinguishing identifier of a principal that has been assured through authentication. authentication: The provision of assurance of the claimed identity of an entity. authentication certificate: A security certificate that is guaranteed by an authentication authority and that may authentication e

49、xchange: A sequence of one or more transfers of exchange authentication information (AI) authentication information: Information used for authentication purposes. authentication initiator: The entity that starts an authentication exchange. challenge: A time variant parameter generated by a verifier. claim authentication information (claim AI): Information used by a claimant to generate exchange AI claimant: An entity which is or represents a principal for the purposes of authentication. A claimant includes ITU-T Rec. X.Sll(1995 E) 3 COPYRIGHT In