1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1085 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2016) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Information and network security Telebiometrics Information technology Security techniques Te
2、lebiometric authentication framework using biometric hardware security module Recommendation ITU-T X.1085 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.3
3、99 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network sec
4、urity X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.116
5、9 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI rela
6、ted Recommendations X.1340X.1349 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and di
7、scovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cl
8、oud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1085 (10/2016) i INTERNATIONAL STANDARD ISO/IEC 17922 RECOMMENDATION ITU-T X.1085 Information technology Security techniques Telebiometric authentication framework using biometric
9、 hardware security module Summary Recommendation ITU-T X.1085 | ISO/IEC 17992 describes a telebiometric authentication scheme using biometric hardware security module (BHSM) for the telebiometric authentication of proving owner of ITU-T X.509 certificate registered individual at registration authori
10、ty (RA). This Recommendation | International Standard provides the requirements for deploying the BHSM scheme to securely operate the telebiometric authentication under PKI environments. The scheme focuses on providing how to assure the telebiometric authentication with biometric techniques and hard
11、ware security module and it also suggests ASN.1 standard format for including the proposed scheme in ITU-T X.509 framework when telebiometric authentication and ITU-T X.509 certificate are combined to prove the owner of the certificate. History Edition Recommendation Approval Study Group Unique ID*
12、1.0 ITU-T X.1085 2016-10-14 17 11.1002/1000/13060 Keywords Biometric hardware security module, BHSM, ITU-T X.509 certificate, ISO/IEC 24761, pseudonymous identifier, PSID, public key infrastructure, PKI, telebiometric authentication. * To access the Recommendation, type the URL http:/handle.itu.int/
13、 in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1085 (10/2016) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunic
14、ations, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunicat
15、ions on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure
16、laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommun
17、ication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these m
18、andatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draw
19、s attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or
20、 others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not repr
21、esent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2017 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1085 (10/2
22、016) iii CONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards 1 2.2 Paired Recommendations | International Standards equivalent in technical content . 2 2.3 Additional references 2 3 Definitions 2 3.1 Terms defined in this Recommendation | Internat
23、ional Standard 2 3.2 Terms defined in other International Standards 2 4 Abbreviations . 3 5 Symbols and terminology . 3 6 Biometric hardware security module for telebiometric authentication . 3 6.1 Additional feature of BHSM to the HSM 3 6.2 General scenario for use of the BHSM 4 6.3 Telebiometric a
24、uthentication using the BHSM . 4 7 Telebiometric authentication with biometric hardware security module 5 7.1 General 5 7.2 Enrolment procedures . 5 7.3 Telebiometric authentication processes . 7 8 BHSM based telebiometric authentication procedures . 9 8.1 PSID generation and ITU-T X.509 certificate
25、 9 8.2 BHSM based telebiometric authentication process . 10 8.3 ASN.1 type for the encrypted PSID 10 Annex A PSID and related information 11 A.1 General 11 A.2 Encrypted PSID requesting an ITU-T X.509 certificate . 11 A.3 ASN.1 for PSID 11 Annex B Procedures for inserting PSID using PKCS #10 with mo
26、dification 13 Bibliography 14 iv Rec. ITU-T X.1085 (10/2016) Introduction This Recommendation | International Standard describes a telebiometric authentication scheme using a biometric hardware security module (BHSM) for the telebiometric authentication of the person who presents the BHSM as the own
27、er of an ITU-T X.509 certificate embedded in the BHSM as registered with the certification authority (CA). This Recommendation | International Standard provides the requirements for deploying a BHSM scheme to provide secure telebiometric authentication within public key infrastructure (PKI) environm
28、ents. The scheme provides assurance for telebiometric authentication using biometric recognition integrated into a hardware security module. It also provides ASN.1 definitions that allow the biometric authentication to be incorporated into an ITU-T X.509 framework to authenticate the user as the own
29、er of the ITU-T X.509 certificate. ISO/IEC 17922:2017 (E) Rec. ITU-T X.1085 (10/2016) 1 INTERNATIONAL STANDARD ITU-T RECOMMENDATION Information technology Security techniques Telebiometric authentication framework using biometric hardware security module 1 Scope To prove ownership of an ITU-T X.509
30、certificate registered individually with the registration authority (RA), a biometric hardware security module has been considered to provide a high-level biometric authentication. This Recommendation | International Standard provides a framework for telebiometric authentication using BHSM. Within t
31、he scope of this Recommendation | International Standard, the following issues are addressed: telebiometric authentication mechanisms using BHSM in telecommunication network environments; and abstract syntax notation one (ASN.1) format and protocols for implementing the mechanisms in the ITU-T X.509
32、 framework. The related standard environment is depicted in Figure 1. The main role of this Recommendation | International Standard is to harmonize with existing telebiometric authentication and public key infrastructure (PKI) standards and to establish a standard mechanism using BHSM to verify the
33、ownership of the ITU-T X.509 certificate in the telebiometric environment. NOTE In this Recommendation | International Standard, ITU-T X.509 certificate means ITU-T X.509 public-key certificate. Figure 1 Standard environment for BHSM 2 Normative references The following Recommendations and Internati
34、onal Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on
35、 this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardizati
36、on Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations | International Standards Recommendation ITU-T X.509 (2016) | ISO/IEC 9594-8:2016, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate fra
37、meworks. ISO/IEC 17922:2017 (E) 2 Rec. ITU-T X.1085 (10/2016) 2.2 Paired Recommendations | International Standards equivalent in technical content None. 2.3 Additional references ISO/IEC 24745:2011, Information technology Security techniques Biometric information protection. ISO/IEC 24761:2009, Info
38、rmation technology Security techniques Authentication context for biometrics. ISO/IEC 19790:2012, Information technology Security techniques Security requirements for cryptographic modules. ISO/IEC 19792:2009, Information technology Security techniques Security evaluation of biometrics. 3 Definition
39、s 3.1 Terms defined in this Recommendation | International Standard For the purposes of this Recommendation | International Standard, the following definitions apply: 3.1.1 biometric hardware security module: Hardware security module incorporating biometric sensor(s) and biometric recognition to aut
40、henticate the user. NOTE In case of a comparison of biometric hardware security modules, they come traditionally in the form of a smart card but recently also in the form of a universal serial bus (USB) type security token which can be attached directly to general purpose computers. 3.1.2 hardware s
41、ecurity module: Hardware implementation of a secure crypto-processor using an ITU-T X.509 certificate and a private key to provide secure authentication. 3.1.3 telebiometric authentication: Biometric authentication utilising data communication by telephony, radio or a related technology. 3.2 Terms d
42、efined in other International Standards 3.2.1 The following terms are defined in ISO/IEC 2382-37: a) biometric reference: One or more stored biometric samples, biometric templates or biometric models attributed to a biometric data subject and used as the object of biometric comparison. b) biometric
43、sample: Analogue or digital representation of biometric characteristics prior to biometric feature extraction. 3.2.2 The following term is defined in ISO/IEC 9798-1: a) entity authentication: Corroboration that an entity is the one claimed. 3.2.3 The following terms are defined in ISO/IEC 24745: a)
44、identity reference: Non-biometric attribute that is an identifier with a value that remains the same for the duration of the existence of the entity in a domain. b) pseudonymous identifier: Part of a renewable biometric reference that represents an individual or data subject within a certain domain
45、by means of a protected identity that can be verified by means of a captured biometric sample and the auxiliary data (if any). c) renewability: Property of a transform or process to create multiple, independent transformed biometric references derived from one or more biometric samples obtained from
46、 the same data subject and which can be used to recognize the individual while not revealing information about the original reference. d) renewable biometric reference: Revocable or renewable identifier that represents an individual or data subject within a certain domain by means of a protected bin
47、ary identity (re)constructed from the captured biometric sample. NOTE A renewable biometric reference consists of a pseudonymous identifier and additional optional data elements required for biometric verification or identification such as auxiliary data. e) revocability: Ability to prevent future s
48、uccessful verification of a specific biometric reference and the corresponding identity reference. ISO/IEC 17922:2017 (E) Rec. ITU-T X.1085 (10/2016) 3 4 Abbreviations For the purposes of this Recommendation | International Standard, the following abbreviations apply: ACBio Authentication Context fo
49、r Biometrics ASN.1 Abstract Syntax Notation One BCA Biometric Certificate Authority BHSM Biometric Hardware Security Module BIR Biometric Information Record BRA Biometric Registration Authority BRT Biometric Reference Template BR Biometric Reference CA Certification Authority CSR Certificate Signing Request DN Distinguished Name EPSID Encrypted PSID HSM Hardware Security Module I/F Interface IR Identity Reference OID Object Identifier PIN Personal Identification Number PK
