ITU-T Y 2722-2011 NGN identity management mechanisms (Study Group 13)《下一代网络(NGN)身份管理机制 13号研究组》.pdf

1、 International Telecommunication Union ITU-T Y.2722TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security NGN identity management mechanisms Recommendation ITU-T Y

2、.2722 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and protocols Y.400Y.499 Numberin

3、g, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource management Y.1200Y.1299 T

4、ransport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and functional architecture mode

5、ls Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network management Y.2400Y.2499 Net

6、work control architectures and protocols Y.2500Y.2599 Smart ubiquitous networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 Future networks Y.3000Y.3099 For further details, please refer to the list of ITU-T Recommendations. Rec. IT

7、U-T Y.2722 (01/2011) i Recommendation ITU-T Y.2722 NGN identity management mechanisms Summary Recommendation ITU-T Y.2722 specifies the mechanisms that can be used to meet the identity management (IdM) requirements and deployment needs of next generation networks (NGN). History Edition Recommendatio

8、n Approval Study Group 1.0 ITU-T Y.2722 2011-01-28 13 Keywords Federated identity, identity management, identity management mechanisms, next generation network, security. ii Rec. ITU-T Y.2722 (01/2011) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency

9、in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to

10、standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations

11、is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness t

12、o indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is

13、achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLEC

14、TUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, wheth

15、er asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are caution

16、ed that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2011 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU

17、. Rec. ITU-T Y.2722 (01/2011) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 2 4 Abbreviations 2 5 Conventions 3 6 Mechanisms and procedures supporting IdM functions . 4 6.1 Lifecycle management 4 6.2 Authentication and authentication assurance . 4 6.3 Correlation and binding 24

18、6.4 Discovery 25 6.5 IdM communications and information exchange . 26 6.6 Protection of personally-identifiable information (PII) 30 6.7 Federated identity functions . 30 6.8 Identity information access control 31 6.9 Single sign-on . 31 6.10 Single sign-off 32 7 Security . 35 Appendix I WSS ITU-T X

19、.509 v3 message authentication 36 Appendix II “OpenID + OAuth“-based mechanism for access control 38 II.1 OAuth b-IETF RFC 5849 38 II.2 Using OpenID in conjunction with OAuth . 38 II.3 OpenID + OAuth authorization flow 38 Bibliography. 41 Rec. ITU-T Y.2722 (01/2011) 1 Recommendation ITU-T Y.2722 NGN

20、 identity management mechanisms 1 Scope ITU-T Y.2721, NGN identity management requirements and use cases, specifies identity management (IdM) requirements for the next generation networks (NGN). This Recommendation describes the specific IdM mechanisms and suites of options that should be used to me

21、et the requirements specified in ITU-T Y.2721. In addition, it provides best practices and guidelines to support interoperability and other needs. This Recommendation is intended to be used together with ITU-T Y.2720 and ITU-T Y.2721, as the fundamental architectural concepts, requirements and use c

22、ases are not repeated in this Recommendation. NOTE Implementers and users of the described mechanisms shall comply with all applicable national and regional laws, regulations and policies. Some specific regulations and legislations may require implementation of mechanisms to protect personally-ident

23、ifiable information. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references a

24、re subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a do

25、cument within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2005) | ISO/IEC 9594-8:2005, Information technology Open systems interconnection The Directory: Public-key and attribute certificate frameworks. ITU-

26、T X.1035 Recommendation ITU-T X.1035 (2007), Password-authenticated key exchange (PAK) protocol. ITU-T X.1141 Recommendation ITU-T X.1141 (2006), Security Assertion Markup Language (SAML 2.0). ITU-T X.1252 Recommendation ITU-T X.1252 (2010), Baseline identity management terms and definitions. ITU-T

27、Y.2012 Recommendation ITU-T Y.2012 (2006), Functional requirements and architecture of NGN release 1. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirements for NGN release 1. ITU-T Y.2702 Recommendation ITU-T Y.2702 (2008), Authentication and authorization requirements for NGN relea

28、se 1. ITU-T Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. 2 Rec. ITU-T Y.2722 (01/2011) ITU-T Y.2721 Recommendation ITU-T Y.2721 (2010), NGN identity management requirements a

29、nd use cases. 3GPP TS 23.228 3GPP TS 23.228 (in force), IP Multimedia Subsystem (IMS); Stage 2. ATIS 33102 ATIS.3GPP.33.102V710-2007, Security Architecture. IETF RFC 2289 IETF RFC 2289 (1998), A One-Time Password System. 3 Definitions This Recommendation relies on the terms defined in ITU-T Y.2720 a

30、nd ITU-T X.1252. Particularly, the following definitions are adopted from ITU-T X.1252: 3.1 identity provider (IdP): See identity service provider (IdSP). 3.2 identity service provider (IdSP): An entity that verifies, maintains, manages, and may create and assign identity information of other entiti

31、es. 4 Abbreviations This Recommendation uses the following abbreviations and acronyms: AKA Authentication and Key Agreement ASP Application Service Provider AuC Authentication Centre AV Authentication Vector BSF Bootstrapping Server Function CK Ciphering Key GBA Generic Bootstrapping Architecture HS

32、S Home Subscriber System IdM Identity Management IdP Identity Provider IdSP Identity Service Provider IK Integrity Key IMPI IP Multimedia Private user Identity IMPU IP Multimedia Public User identity IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IPTV Internet Protocol Tel

33、evision ISIM IMS Subscriber Identity Module LDAP Lightweight Directory Access Protocol MS Mobile Station NAF Network Application Function NGN Next Generation Networks OASIS Organization for the Advancement of Structured Information Standards Rec. ITU-T Y.2722 (01/2011) 3 OTP One-Time Password PII Pe

34、rsonally Identifiable Information PKI Public Key Infrastructure RP Relying Party SAML Security Assertion Markup Language SIP Session Initiation Protocol SLF Subscriber Locator Function SOAP Simple Object Access Protocol SQL Structured Query Language SSO Single Sign-On UE User Equipment UICC Universa

35、l Integrated Circuit Card UMTS Universal Mobile Telecommunications System USIM Universal Subscriber Identifier Module WAP Wireless Application Protocol WSS Web Services Security XML eXtensible Markup Language XRDS eXtensible Resource Descriptor Sequence 5 Conventions In this Recommendation: The keyw

36、ords “is required to“ indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this Recommendation is to be claimed. The keywords “is recommended“ indicate a requirement which is recommended but which is not absolutely required. Thus this req

37、uirement need not be present to claim conformance. The keywords “is prohibited from“ indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this Recommendation is to be claimed. The keywords “can optionally“ indicate an optional requirement

38、 which is permissible, without implying any sense of being recommended. This term is not intended to imply that the vendors implementation must provide the option and the feature can be optionally enabled by the network operator/service provider. Rather, it means the vendor may optionally provide th

39、e feature and still claim conformance with this Recommendation. In the body of this Recommendation and its appendices, the words shall, shall not, should, and may sometimes appear, in which case they are to be interpreted, respectively, as is required to, is prohibited from, is recommended, and can

40、optionally. The appearance of such phrases or keywords in an appendix or in material explicitly marked as informative are to be interpreted as having no normative intent. 4 Rec. ITU-T Y.2722 (01/2011) 6 Mechanisms and procedures supporting IdM functions 6.1 Lifecycle management Refer to ITU-T Y.2720

41、, NGN identity management framework, for information on identity lifecycle management. 6.2 Authentication and authentication assurance This clause describes mechanisms for authentication and assurance of identities and identity information. It references authentication mechanisms defined elsewhere.

42、Specific authentication mechanisms such as authentication based on web services (WS), security assertion markup language (SAML) profile, certificate-based authentication, or password-based authentication (including one-time password (OTP) can be used by the IdSP for specific applications or services

43、 based on the context and on the needed level of assurance. The authentication method (or methods) is selected based on the assurance level requirements. The IdSP may request information to determine the authentication methods that satisfy the service providers assurance level requirements. 6.2.1 Au

44、thentication based on WS security SAML profile 6.2.1.1 SAML assertions Security assertion markup language (SAML), ITU-T X.1141, specifies the format of assertions that can be used for exchanging security information for IdM. Among the IdM functions that can be implemented with the use of SAML are au

45、thentication, attribute sharing, and authorization, which correspond to three types of the statements about a subject of a SAML assertion: Authentication statement Conveys information that the assertion subject was authenticated by a particular means at a particular time. Attribute statement Conveys

46、 information that the assertion subject is associated with the listed attributes. Authorization decision statement Conveys information that access to a specified resource was granted to the assertion subject, or the subject was denied such access. The content of a SAML assertion can be described at

47、a high level as follows: assertion A was issued at time t by issuer R regarding subject S, provided conditions C are valid. The SAML assertions used for communicating authentication, attribute and authorization information are conveyed in simple object access protocol (SOAP) messages. When SOAP mess

48、ages are exchanged over an unprotected transport, it is strongly recommended that XML signature b-W3C XML signature be used to verify the relationship between the SOAP message and the statements of the assertions carried in the message. The web services security (WSS): SAML token profile b-OASIS SAM

49、L token standard describes how: SAML assertions (also referred to as SAML tokens) are carried in and referenced from a SOAP message. XML signature is used to bind a subject and the statements of a SAML assertion with a SOAP message. A typical use of a SAML token with a SOAP message constructed according to this Recommendation is depicted in Figure 1 and described below. In this example, a signed SOAP message contains a SAML assertion with an attribute statement. Bas