1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 29115:2013 Information technology Security techniques Entity authentication assurance frameworkBS ISO/IEC 29115:2013 BRITISH STANDARD National foreword This British
2、 Standard is the UK implementation of ISO/IEC 29115:2013. The UK participation in its preparation was entrusted to T e c h n i c a l C o m m i t t e e I S T / 3 3 , I T - S e c u r i t y t e c h n i q u e s . A list of organizations represented on this committee can be obtained on request to its sec
3、retary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013. ISBN 978 0 580 59544 8 ICS 35.040 Compliance with a British Standard ca
4、nnot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2013. Amendments issued since publication Date T e x t a f f e c t e dBS ISO/IEC 29115:2013Reference number ISO/IEC 29115:2013(E) ISO/IEC 20
5、13INTERNATIONAL STANDARD ISO/IEC 29115 First edition 2013-04-01 Information technology Security techniques Entity authentication assurance framework Technologies de linformation Techniques de scurit Cadre dassurance de lauthentification dentit BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) COPYRIGHT PR
6、OTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
7、ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reservedBS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IE
8、C 2013 All rights reserved iiiContents Page Foreword iv Introduction . v 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards . 1 2.2 Paired Recommendations | International Standards . 1 2.3 Additional references 1 3 Terms and definitions . 1 4 Abbreviations . 5
9、 5 Conventions . 6 6 Levels of assurance 6 6.1 Level of assurance 1 (LoA1) . 7 6.2 Level of assurance 2 (LoA2) . 7 6.3 Level of assurance 3 (LoA3) . 7 6.4 Level of assurance 4 (LoA4) . 8 6.5 Selecting the appropriate level of assurance . 8 6.6 LoA mapping and interoperability . 9 6.7 Exchanging auth
10、entication results based on the 4 LoAs . 10 7 Actors . 10 7.1 Entity . 10 7.2 Credential service provider 10 7.3 Registration authority . 11 7.4 Relying party 11 7.5 Verifier 11 7.6 Trusted third party . 11 8 Entity authentication assurance framework phases . 11 8.1 Enrolment phase . 12 8.2 Credenti
11、al management phase 14 8.3 Entity authentication phase . 16 9 Management and organizational considerations . 16 9.1 Service establishment. 17 9.2 Legal and contractual compliance 17 9.3 Financial provisions 17 9.4 Information security management and audit . 17 9.5 External service components 17 9.6
12、Operational infrastructure 18 9.7 Measuring operational capabilities . 18 10 Threats and controls . 18 10.1 Threats to, and controls for, the enrolment phase 18 10.2 Threats to, and controls for, the credential management phase . 21 10.3 Threats to, and controls for, the authentication phase . 26 11
13、 Service assurance criteria 30 Annex A (informative) Privacy and protection of PII . 31 Annex B (informative) Characteristics of a credential 33 Bibliography 35 BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) iv ISO/IEC 2013 All rights reservedForeword ISO (the International Organization for Standardiza
14、tion) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to
15、 deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO an
16、d IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by
17、the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
18、 rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 29115 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A similar text is published as ITU-T Recommendation X.1254. It
19、differs from this text in three instances: 1) 3.8: the ISO/IEC definition includes asserted identities; 2) Table 10-1: ISO/IEC includes an example for impersonation that includes use of an identity for an entity that does not exist; 3) 10.2.2.1: ISO/IEC describes SSL as an example of a protected cha
20、nnel. BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IEC 2013 All rights reserved vIntroduction Many electronic transactions within or between ICT systems have security requirements which depend upon an understood or specified level of confidence in the identities of the entities involved. Such req
21、uirements may include the protection of assets and resources against unauthorized access, for which an access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes. This Internati
22、onal Standard provides a framework for entity authentication assurance. Assurance within this International Standard refers to the confidence placed in all of the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication trans
23、actions. Figure 1 Overview of the Entity Authentication Assurance Framework Using four specified Levels of Assurance (LoAs), this International Standard provides guidance concerning control technologies, processes, and management activities, as well as assurance criteria that should be used to mitig
24、ate authentication threats in order to implement the four LoAs. It also provides guidance for the mapping of other authentication assurance schemes to the specified four levels, as well as guidance for exchanging the results of an authentication transaction. Finally, this International Standard prov
25、ides informative guidance concerning the protection of personally identifiable information (PII) associated with the authentication process. Technical Management specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance; provides guidance for mapping
26、other authentication assurance schemes to the four LoAs; provides guidance for exchanging the results of authentication that are based on the four LoAs; and provides guidance concerning controls that should be used to mitigate authentication threats. 2 Normative references The following documents, i
27、n whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. 2.1 Identical Recommendations | I
28、nternational Standards None. 2.2 Paired Recommendations | International Standards None. 2.3 Additional references None. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 assertion statement made by an entity without accompanying evidence of its
29、 validity ITU-T X.1252 NOTE The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stronger statement than a claim. BS ISO/IEC 29115:2013 ISO/IE
30、C 29115:2013(E) 2 ISO/IEC 2013 All rights reserved3.2 authentication provision of assurance in the identity of an entity ISO/IEC 18014-2 3.3 authentication factor piece of information and/or process used to authenticate or verify the identity of an entity ISO/IEC 19790 NOTE Authentication factors ar
31、e divided into four categories: something an entity has (e.g., device signature, passport, hardware device containing a credential, private key); something an entity knows (e.g., password, PIN); something an entity is (e.g., biometric characteristic); or something an entity typically does (e.g., beh
32、aviour pattern). 3.4 authentication protocol defined sequence of messages between an entity and a verifier that enables the verifier to perform authentication of an entity 3.5 authoritative source repository which is recognized as being an accurate and up-to-date source of information 3.6 claim stat
33、ement that something is the case, without being able to give proof ITU-T X.1252 NOTE The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stro
34、nger statement than a claim. 3.7 context environment with defined boundary conditions in which entities exist and interact ITU-T X.1252 3.8 credential set of data presented as evidence of a claimed or asserted identity and/or entitlements NOTE See Annex B for additional characteristics of a credenti
35、al. 3.9 credential service provider trusted actor that issues and/or manages credentials BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IEC 2013 All rights reserved 33.10 entity something that has separate and distinct existence and that can be identified in a context ITU-T X.1252 NOTE For the purp
36、oses of this International Standard, entity is also used in the specific case for something that is claiming an identity. 3.11 entity authentication assurance degree of confidence reached in the authentication process that the entity is what it is, or is expected to be ITU-T X.1252 NOTE The confiden
37、ce is based on the degree of confidence in the binding between the entity and the identity that is presented. 3.12 identifier one or more attributes that uniquely characterize an entity in a specific context 3.13 identity set of attributes related to an entity ISO/IEC 24760 NOTE Within a particular
38、context, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context. 3.14 identity information verification process of checking identity information and credentials against issuers, data sources, or other internal or external resources with respect
39、to authenticity, validity, correctness, and binding to the entity 3.15 identity proofing process by which the Registration Authority (RA) captures and verifies sufficient information to identify an entity to a specified or understood level of assurance 3.16 man-in-the-middle attack attack in which a
40、n attacker is able to read, insert, and modify messages between two parties without their knowledge 3.17 multifactor authentication authentication with at least two independent authentication factors ISO/IEC 19790 3.18 mutual authentication authentication of identities of entities which provides bot
41、h entities with assurance of each others identity BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) 4 ISO/IEC 2013 All rights reserved3.19 non-repudiation ability to protect against denial by one of the entities involved in an action of having participated in all or part of the action ITU-T X.1252 3.20 ph
42、ishing scam by which an email user is duped into revealing personal or confidential information which the scammer can then use illicitly 3.21 registration authority trusted actor that establishes and/or vouches for the identity of an entity to a CSP 3.22 relying party actor that relies on an identit
43、y assertion or claim 3.23 repudiation denial in having participated in all or part of an action by one of the entities involved ITU-T X.1252 3.24 salt non-secret, often random, value that is used in a hashing process NOTE It is also referred to as sand. 3.25 shared secret secret used in authenticati
44、on that is known only to the entity and the verifier 3.26 time stamp reliable time variant parameter which denotes a point in time with respect to a common reference 3.27 transaction discrete event between an entity and service provider that supports a business or programmatic purpose 3.28 trust fra
45、mework set of requirements and enforcement mechanisms for parties exchanging identity information 3.29 trusted third party authority or its agent, trusted by other actors with respect to specified activities (e.g., security-related activities) NOTE A trusted third party is trusted by an entity and/or a verifier for the purposes of authentication. 3.30 validity period time period during which an identity or credential may be used in one or more transactions
