1、 International Telecommunication Union ITU-T Series YTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 12(04/2010) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS ITU-T Y.2720 Supplement on NGN identity management mechanisms ITU-T Y-series
2、 Recommendations Supplement 12 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and prot
3、ocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resource
4、management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Frameworks and fun
5、ctional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network ma
6、nagement Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Future networks Y.2600Y.2699 Security Y.2700Y.2799 Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 For further details, please refer to the list of ITU-T Recommendations. Y series Supplement
7、12 (04/2010) i Supplement 12 to ITU-T Y-series Recommendations ITU-T Y.2720 Supplement on NGN identity management mechanisms Summary Supplement 12 to ITU-T Y-series Recommendations provides a description of some example mechanisms that can be used to meet certain identity management (IdM) requiremen
8、ts and deployment needs of NGN. History Edition Recommendation Approval Study Group 1.0 ITU-T Y Suppl. 12 2010-04-30 13 Keywords Authentication, authorization, identity management, next generation network, single sign-on. ii Y series Supplement 12 (04/2010) FOREWORD The International Telecommunicati
9、on Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff quest
10、ions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations
11、 on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the
12、expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure e.g., interoperability or applicabili
13、ty) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the public
14、ation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claime
15、d Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. H
16、owever, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2010 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the
17、 prior written permission of ITU. Y series Supplement 12 (04/2010) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 4 Abbreviations 2 5 Conventions 3 6 Mechanisms and procedures supporting IdM functions . 3 6.1 Lifecycle management 3 6.2 Authentication and authentication assurance . 3 6.3
18、 IdM communications and information exchange . 22 6.4 Identity information access control 25 6.5 Single sign-on . 25 Appendix I ITU-T X.509 v3 message authentication . 27 Y series Supplement 12 (04/2010) 1 Supplement 12 to ITU-T Y-series Recommendations ITU-T Y.2720 Supplement on NGN identity manage
19、ment mechanisms 1 Scope This supplement provides a description of some example mechanisms that can be used to meet certain identity management (IdM) requirements and deployment needs of NGN. NOTE This supplement provides only a subset of the IdM mechanisms needed for NGN. The purpose of this supplem
20、ent is to provide the information in a timely manner while the work to develop a Recommendation specifying a more complete set of IdM mechanisms progresses. The objective of this work is to define the IdM mechanism in support of the requirements specified in ITU-T Y.2721. 2 References ITU-T X.509 Re
21、commendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open systems interconnection The Directory: Public-key and atribute certificate frame works. ITU-T X.1035 Recommendation ITU-T X.1035 (2007), Password-authenticated key exchange (PAK) protocol. ITU-T X.1141 Recommendation
22、ITU-T X.1141 (2006), Security Assertion Markup Language (SAML 2.0). ITU-T Y.2012 Recommendation ITU-T Y.2012 (2006), Functional requirements and architecture of the NGN release 1. ITU-T Y.2702 Recommendation ITU-T Y.2702 (2008), Authentication and authorization requirements for NGN release 1. ITU-T
23、Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management framework. ITU-T Y.2721 Recommendation ITU-T Y.2721 (2010), NGN identity management requirements and use cases. ATIS 33102 ATIS.3GPP.33.102V
24、710-2007, 3G Security; Security Architecture. IETF RFC 2289 IETF RFC 2289 (1998), A One-Time Password System. IETF RFC 2616 IETF RFC 2616 (1999), Hypertext Transfer Protocol HTTP/1.1. IETF RFC 2617 IETF RFC 2617 (1999), HTTP Authentication: Basic and Digest Access Authentication. IETF RFC 3310 IETF
25、RFC 3310 (2002), Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA). IETF RFC 4169 IETF RFC 4169 (2005), Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2. IETF RFC 4279 IETF RFC 4279 (20
26、05), Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). 2 Y series Supplement 12 (04/2010) 3GPP TR 33.924 3GPP TR 33.924 Release 9 (2009), 3rd Generation Partnership Project; Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture
27、(GAA) interworking (Release 9). OpenID v.2 OpenID OpenID Authentication 2.0. OASIS WSS X.509 profile OASIS (2006), Web Services Security X.509 Certificate Token Profile 1.1. OASIS SAML token OASIS (2006), SAML Token Profile 1.1, OASIS Approved Erratta 1. OASIS WSS SOAP OASIS (2004), Web Services Sec
28、urity (WSS) SOAP Message Security 1.1. LA ID-WSF security Liberty Alliance Project (2007), Liberty ID-WSF Security Mechanisms Core Version 2.0-errata Version 1.0. LA SOAP binding Liberty Alliance Project, Web Services Security (WSS) (2006), Liberty SOAP Binding Ver-2.0. W3C XML signature World Wide
29、Web Consortium (W3C) (2008), XML Signature Syntax and Processing (Second Edition). 3 Definitions This supplement relies on the terms defined in ITU-T Y.2720. 4 Abbreviations This supplement uses the following abbreviations and acronyms: AKA Authentication and Key Agreement ASP Application Service Pr
30、ovider AV Authentication Vector BSF Bootstrapping Server Function CK Ciphering Key GBA Generic Bootstrapping Architecture HSS Home Subscriber System IdM Identity Management IdP Identity Provider ID-WSF Identity Web Services Framework IK Integrity Key IMPI IP Multimedia Private User Identity IMPU IP
31、Multimedia Public User identity IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IPTV Internet Protocol Television ISIM IMS Subscriber Identity Module Y series Supplement 12 (04/2010) 3 NAF Network Application Function NGN Next Generation Network OASIS Organization for the A
32、dvancement of Structured Information Standards OTP One Time Password PKI Public Key Infrastructure SAML Security Assertion Markup Language SIP Session Initiation Protocol SLF Subscriber Locator Function SOAP Simple Object Access Protocol SSO Single Sign-On UE User Equipment UICC Universal Integrated
33、 Circuit Card UMTS Universal Mobile Telecommunications System WSS Web Services Security XML eXtensible Markup Language 5 Conventions None. 6 Mechanisms and procedures supporting IdM functions This clause describes mechanisms and procedures that support IdM functions. 6.1 Lifecycle management Refer t
34、o ITU-T Y.2720 for information on identity lifecycle management. 6.2 Authentication and authentication assurance This clause describes mechanisms for authentication and assurance of identities and identity information. It references authentication mechanisms defined elsewhere. The identity provider
35、(IdP) supports authentication methods such as authentication based on web services (WS) security assertion markup language (SAML) profile, certificate-based authentication, or password-based authentication (including one time password (OTP). The authentication methods are selected based on the assur
36、ance-level requirements. The IdP may request assurance-level information to find the authentication methods that satisfy the service providers assurance-level requirements. 6.2.1 Authentication based on the WS security SAML profile This clause describes SAML-based authentication. 6.2.1.1 SAML assert
37、ions The security assertion markup language (SAML) ITU-T X.1141 specifies a format of assertions that can be used in identity management for exchanging security information. Among the IdM functions that can be implemented with the use of SAML are authentication, attribute sharing, and authorization,
38、 which correspond to three types of statements about a subject of a SAML assertion: 4 Y series Supplement 12 (04/2010) Authentication statement conveys information that the assertion subject was authenticated by a particular means at a particular time. Attribute statement conveys information that th
39、e assertion subject is associated with the listed attributes. Authorization decision statement conveys information that access to a specified resource was granted to the assertion subject, or the subject was denied such access. The content of a SAML assertion can be described at a high level as foll
40、ows: assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid. The use of the SAML assertions for conveying authentication, attribute and authorization information in simple object access protocol (SOAP) messages is a special and important application of SAML.
41、 When SOAP messages are exchanged over an unprotected transport, it is strongly recommended that XML signature W3C XML signature is used to verify the relationship between the SOAP message and the statements of the assertions carried in the message. The Web Services Security (WSS): SAML Token Profil
42、e OASIS SAML token standard describes how: SAML assertions (also referred to as SAML tokens) are carried in and referenced from a SOAP message; an XML signature is used to bind a subject and the statements of a SAML assertion with a SOAP message. A typical use of a SAML token with a SOAP message con
43、structed according to this specification is depicted by Figure 1 and described below. In this example, a signed SOAP message contains a SAML assertion with an attribute statement. Based on the information in this statement, the receiver decides whether to allow access to the requested resource. Figu
44、re 1 Typical steps of construction and processing of a SOAP message with a SAML token 1. The attesting entity obtains a SAML assertion with an attribute statement and constructs and includes it in a SOAP message constructed according to OASIS SAML token. 2. The attesting entity sends a SOAP message
45、to the receiver. 3. The receiver verifies the digital signature. 4. The information of the SAML statement is used for access control. Receiver Verify Signature Access Control 1 Attesting Entity 2 34 WSS signedSOAP message SAML Attribute informationY series Supplement 12 (04/2010) 5 6.2.1.2 Subject c
46、onfirmation methods of the SAML tokens The OASIS Standard, OASIS SAML token specifies how to attach a SAML assertion to a SOAP message and defines two mandatory subject confirmation methods: holder-of-key; sender-vouches. The main XML elements of the SOAP message constructed according to OASIS WSS S
47、OAP are depicted in Figure 2. The SAML assertion is placed into the header, which also contains the digital signature . The digital signature is used by the receiver of the SOAP message to verify that the sender of the message knows the key used for computing the signature over the digest of the SOA
48、P body and for checking its integrity. The digest algorithm is SHA 1 and the signature algorithm is RSA_SHA 1 as specified in OASIS WSS SOAP. The signatures value is provided in the element of the . Two subject confirmation methods define different ways for conveying information on the key to the re
49、ceiver. Figure 2 Structure of the SOAP message with SAML assertion The following clauses describe two subject confirmation methods. 6.2.1.2.1 The holder-of-key subject confirmation method Figure 3 depicts the structure of the SAML assertion used for the holder-of-key subject confirmation method. The method attribute of element indicates the method of the subject confirmation (holder-of-key). The method specifies that the sender (a
