1、 International Telecommunication Union ITU-T Series YTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 18(06/2012) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS ITU-T Y.2700-series Supplement on next generation network certificate manage
2、ment ITU-T Y-series Recommendations Supplement 18 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399
3、Interfaces and protocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabil
4、ities and resource management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS
5、 Frameworks and functional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.23
6、00Y.2399 Network management Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Smart ubiquitous networks Y.2600Y.2699 Security Y.2700Y.2799 Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 Future networks Y.3000Y.3099 For further details, please refer
7、to the list of ITU-T Recommendations. Y series Supplement 18 (06/2012) i Supplement 18 to ITU-T Y-series Recommendations ITU-T Y.2700-series Supplement on next generation network certificate management Summary Supplement 18 to ITU-T Y-series Recommendations provides guidelines for managing ITU-T X.5
8、09 certificates for NGN security based on the trust model defined in ITU-T Y.2701 to supplement the information in ITU-T Y.2704. This Supplement is applicable to any next generation network (NGN) using certificates based on the framework for public key infrastructure (PKI) and privilege management i
9、nfrastructure (PMI) specified in ITU-T X.509 for identification, authentication, privilege/attribute management and/or encryption between network elements and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element. History Edition Recommendation Approval
10、 Study Group 1.0 ITU-T Y Suppl. 18 2012-06-15 13 Keywords Next generation network, privilege management infrastructure, public key infrastructure, security and ITU-T X.509 certificates. ii Y series Supplement 18 (06/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations
11、 specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on
12、them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of IT
13、U-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used
14、for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publica
15、tion is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INT
16、ELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whe
17、ther asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned
18、that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Y
19、 series Supplement 18 (06/2012) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Supplement 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Reference model . 3 7 Certificate management 3 7.1 Obtaining certificates 3 7.2 C
20、ertificate verification 4 7.3 Certificate contents for NGN infrastructure . 4 7.4 Expected content of service provider certificate for peering 8 7.5 Certificate revocation . 9 Appendix I ITU-T X.509-based authorization privilege management . 10 I.1 Overview of ITU-T X.509-based privilege management
21、infrastructure 10 I.2 Applicability of the PMI to NGN security . 14 Bibliography. 15 iv Y series Supplement 18 (06/2012) Introduction Recommendation ITU-T Y.2704 identified the use of ITU-T X.509 certificates as a means of identification, authentication, privilege/attribute management and/or encrypt
22、ion between network elements, and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element. This document supplements ITU-T Y.2704 by providing additional guidelines for managing these ITU-T X.509 certificates. Y series Supplement 18 (06/2012) 1 Supplement
23、 18 to ITU-T Y-series Recommendations ITU-T Y.2700-series Supplement on next generation network certificate management 1 Scope This Supplement defines procedures for managing ITU-T X.509 certificates used for NGN security based on the trust model defined in ITU-T Y.2701. It provides guidance to supp
24、lement ITU-T Y.2704 regarding the use by the NGN of certificates based on the framework for public key infrastructure (PKI) and privilege management infrastructure (PMI) specified in ITU-T X.509. This Supplement is applicable to any NGN using ITU-T X.509 certificates for identification, authenticati
25、on, privilege/attribute management and/or encryption between network elements, and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element, based on the trust model defined in ITU-T Y.2701. This includes use of ITU-T X.509 certificates between network ele
26、ments of peering providers based on policy and business agreements. This Supplement assumes that the NGN provider is the certificate agent (CA). Scenarios where the CA is another entity are not within the scope of this Supplement. NOTE NGN certificate management is viewed as part of the broader topi
27、c of NGN identity management (IdM). 2 References ITU-T X.509 Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirem
28、ents for NGN release 1. ITU-T Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. 3 Definitions 3.1 Terms defined elsewhere This Supplement uses the following terms defined elsewhere: 3.1.1 authentication b-ITU-T X.811: The provision of assurance of the claimed ide
29、ntity of an entity. 3.1.2 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.3 border element ITU-T Y.2701: Network element providing functions connecting different security and administrative domains. 3.1.4 trust b-ITU-T X.810: Ent
30、ity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities. 3.2 Terms defined in this Supplement None. 2 Y series Supplement 18 (06/2012) 4 Abbreviations and acronyms This Supplement uses the follow
31、ing abbreviations and acronyms: AA Attribute Authority AC Attribute Certificate BE Border Element CA Certification Authority CPE Customer Premises Equipment CPE-BE Customer Premises Equipment Border Element CPS Certification Practice Statement CRL Certificate Revocation List CSR Certificate Signing
32、Request DNS Domain Name System ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm FQDN Fully Qualified Domain Name HTTP Hypertext Transfer Protocol IdM Identity Management MAC Media Access Control NE Network Element NGN Next Generation Network OAM authentication of netw
33、ork entities; attributes and privilege management of network entities; establishing secure associations between communicating network entities (e.g., encryption); providing identification and authentication of the NGN provider to customer devices and to peering NGN providers. All certificates of the
34、 NGN providers network elements are issued by the NGN providers certification authority (CA). The CA certificates (root CA certificate or its subordinate CA certificate) have to be securely delivered to, and stored by, the relying party of the CA (e.g., subscribers of the NGN provider or peering NGN
35、 providers). The certification authority is maintained by the NGN provider. Certificates in the NGN providers infrastructure should comply with ITU-T X.509, b-IETF RFC 3279 and b-IETF RFC 5280. NGN network elements obtain certificates from a certification authority by the procedures given in clause
36、7.1. When a certificate is exchanged as part of establishing a secure connection, the certificate contents are checked according to the procedures of clause 7.2. Certificates used for setting up security associations also form the basis of end-user and device identification and authentication. For e
37、xample, in the case of use of the session initiation protocol (SIP), this translates into a mapping between the certificate contents and the allowable values of originator identity for SIP requests. The guidance and requirements provided in b-CA/Browser Forum should be taken into consideration for N
38、GN provider issuance and management of ITU-T X.509 certificates. Each of the following clauses giving certificate contents explains how the originator identity can be determined from the fields in that certificate. 7.1 Obtaining certificates 7.1.1 NGN providers network element certificates The NGN n
39、etwork element should securely generate and store a public/private key pair. Use of Public-Key Cryptographic Standard #10 (PKCS #10) b-IETF RFC 2986 is preferred; however, other mechanisms are possible based on the NGN providers security policy. The key generation may either be done on the device by
40、 the system administrator who then generates a certificate signing request (CSR) (e.g., PKCS #10 request) or performed separately on a secured machine that then is used to generate the CSR. If the key generation is performed on a separate machine, steps should be taken to ensure that the private key
41、 is not compromised. If the key pair is generated on a separate machine, the public/private key pair will need to be securely installed on the network 4 Y series Supplement 18 (06/2012) element as well as the certificate. All key generation and storage should be in compliance with the NGN provider s
42、ecurity policy. Generation of public/private key pairs should be done using an algorithm approved by the NGN provider, to ensure sufficient randomness. After the CSR is generated, the network element sends a CSR to the certification authority (i.e., the request can be sent automatically or by a syst
43、em administrator). This request should contain a distinguishing name, the public key generated as described above, and a set of attributes, which depend on the type of network element. The CSR is sent to the certification authority (CA) using an authenticated communication channel that verifies that
44、 the request is coming from an authenticated user. Some examples of this include a signed e-mail where the signature is checked before the request is passed on to the CA, or a web form that is only accessible through some authentication method that limits access to only authorized certificate reques
45、tors. The CA verifies the signature on the CSR and builds an ITU-T X.509 certificate from the information provided. See clause 7.3 for the basic structure of NGN provider certificates. The CA then returns the certificate to the requesting system administrator. The request may occur through an HTTP r
46、equest or it may be downloaded later by the system administrator, or it may be provided by e-mail. The system administrator will install the device certificate and the root certificate of the CA. 7.1.2 End-user and subscriber certificates End-user certificates may be downloaded into the end-device t
47、hrough the NGN provider provisioning process. Use of PKCS #10 b-IETF RFC 2986 is preferred; however, other mechanisms are possible based on the NGN providers security policy. For these certificates, a CSR is generated with the end-user information and the private key, and the resulting certificate i
48、s sent to the end-user device over a secured channel that should have been authenticated by some other method. Alternatively, memory devices such as a universal integrated circuit card (UICC) may be used to issue end-user certificates. 7.2 Certificate verification All network elements should verify
49、the complete certificate chain of all received certificates up to a known certification authority. If any step in this chain fails, then the certificate is considered invalid and is rejected. The network element should reject the certificate if it has expired. 7.3 Certificate contents for NGN infrastructure This clause describes example certificate profiles for NGN infrastructure using ITU-T X.509 version 3 certificates. All certificates should indicate the following: Ve