International Telecommunication Union

ITU-T X.1089
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2008)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

Telebiometrics authentication infrastructure (TAI)

Recommendation ITU-T X.1089

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS                              X.1-X.199
OPEN SYSTEMS INTERCONNECTION                      X.200-X.299
INTERWORKING BETWEEN NETWORKS                     X.300-X.399
MESSAGE HANDLING SYSTEMS                          X.400-X.499
DIRECTORY                                         X.500-X.599
OSI NETWORKING AND SYSTEM ASPECTS                 X.600-X.699
OSI MANAGEMENT                                    X.700-X.799
SECURITY                                          X.800-X.849
OSI APPLICATIONS                                  X.850-X.899
OPEN DISTRIBUTED PROCESSING                       X.900-X.999
INFORMATION AND NETWORK SECURITY
    General security aspects                      X.1000-X.1029
    Network security                              X.1030-X.1049
    Security management                           X.1050-X.1069
    Telebiometrics                                X.1080-X.1099
SECURE APPLICATIONS AND SERVICES
    Multicast security                            X.1100-X.1109
    Home network security                         X.1110-X.1119
    Mobile security                               X.1120-X.1139
    Web security                                  X.1140-X.1149
    Security protocols                            X.1150-X.1159
    Peer-to-peer security                         X.1160-X.1169
    Networked ID security                         X.1170-X.1179
    IPTV security                                 X.1180-X.1199
CYBERSPACE SECURITY
    Cybersecurity                                 X.1200-X.1229
    Countering spam                               X.1230-X.1249
    Identity management                           X.1250-X.1279
SECURE APPLICATIONS AND SERVICES
    Emergency communications                      X.1300-X.1309
    Ubiquitous sensor network security            X.1310-X.1339

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1089 (05/2008)

Recommendation ITU-T X.1089
Telebiometrics authentication infrastructure (TAI)

Summary

Recommendation ITU-T X.1089 defines an authentication infrastructure, using a range of biometric certificates, for remote authentication of human beings. It extends Recommendation ITU-T X.509 Public-key and attribute certificate frameworks and ISO/IEC 24761 Authentication context for biometrics. The combination of the X.509 extensions and telecommunications and biometrics is called the telebiometrics authentication infrastructure (TAI). It can be used in authentication applications with or without a public key infrastructure (PKI) and/or a privilege management infrastructure (PMI) based on Recommendation ITU-T X.509, but would normally be used with both. It defines biometric extension fields for use in X.509 certificates, to produce biometric certificates. An important part of this Recommendation is to recognize and provide for biometric devices and associated software to operate at different (certified) security levels, depending on the needs of the application that is being accessed.

Source

Recommendation ITU-T X.1089 was approved on 29 May 2008 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-T A.8 procedures.

Keywords

Authentication, biometric certificate, biometric policy certification, telebiometrics.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies
(ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly
urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2009

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS

1    Scope
2    References
3    Definitions
     3.1   Terms defined elsewhere
     3.2   Terms defined in this Recommendation
4    Abbreviations and acronyms
5    Notation and encodings
6    Authorities involved in the telebiometrics authentication infrastructure
     6.1   Operation of a BCA, revocation and processing of a BC
     6.2   Operation of a TBA, revocation and processing of a BDC or BPC
7    Flow of information in the TAI
     7.1   Scenarios
     7.2   Client side verification
     7.3   Server side verification
8    Biometric certificate
9    Biometric policy certificate
10   Biometric device certificate
11   TAI extensions defined for X.509
     11.1  Extension used in a BC to index a PKC
     11.2  TAI extensions defined for use with PMI
     11.3  Extension used in the BC for cryptographic key generation
     11.4  Biometric certificate index extension
     11.5  Security level of privilege extension
     11.6  BPC extension for a BDC
Annex A      Complete formal ASN.1 specifications
Appendix I   Examples of possible security level lists
Bibliography

Introduction

Information security plays an increasingly important role in our daily lives. Many efforts have been made to develop an information system that can accurately authenticate, properly authorize, and efficiently audit legitimate users. Among these activities, authentication is the first and most critical link in the security chain. Authentication is a process that verifies a user's identity. As an emerging authentication technique, biometrics authentication is attracting more and more attention. For more information on the problems and processes involved in biometric authentication (also called biometric verification), see [b-ISO/IEC TR 24741]. For more information on the use of multiple biometrics and the way the results of several comparisons can be combined (multimodal fusion), see [b-ISO/IEC TR 24722].

This Recommendation defines an authentication infrastructure that uses biometric authentication to authenticate a client to a server across a network: the telebiometrics authentication infrastructure (the TAI).

ITU-T X.509 Public-key and attribute certificate frameworks has for many years provided an established base for the use of public keys with certificate chaining to provide a public key infrastructure (PKI). It defines both public key certificates and attribute certificates. The former supports the PKI (sometimes referred to as PKIX, which is the IETF profiling of ITU-T X.509). The latter provides an open-ended mechanism for certificates using the abstract syntax notation one (ASN.1) extension mechanisms. Attribute certificates have many potential uses. They can and do form the basis of the privilege management infrastructure, using the appropriate extensions. In this Recommendation, further extensions are defined for the X.509 attribute certificates to provide biometric certificates and biometric policy certificates, and to recognize the existence of certification authorities related to the issuing of these.

ISO/IEC 24761 Authentication context for biometrics (ACBio) introduces the concept of a biometric processing unit (BPU), that is, hardware and associated software related to a biometric capture device. In ACBio, a BPU operates at a single security level, and the processing it performs is accompanied by a certified report of the result it has produced (including a hash of the inputs and outputs of the processing where appropriate). Those reports are made available to the entity that eventually takes decisions on the granting of various privileges to a human user. In ACBio, the BPU consists of the totality of a biometric capture device and the associated processing of the raw data and matching with a previously captured biometric, with all stages being potentially distributed to different systems across a network. In the TAI, the device is kept distinct from the further processing, as there is a distinction to be made between the security levels that can be provided by a device and the levels that can be provided by the use of different processing or matching software and algorithms.

This Recommendation extends both X.509 and ACBio and uses the concepts in ISO/IEC 19785-1 Common Biometric Exchange Formats Framework – Part 1: Data element specification and ISO/IEC 19785-3 Common Biometric Exchange Formats Framework – Part 3: Patron format specifications together with the biometric data formats registered with the International Biometric Industry Association (IBIA, see URL http://www.ibia.org) that carry biometric data such as finger-print images, iris images, finger-minutiae, etc. The concept drawn from ISO/IEC 19785-1 is of a biometric data block, also called a biometric template, that carries this biometric data for comparison purposes. There is no restriction on the type of
biometric template used, either standardized or vendor-specific, provided it is registered with the IBIA in their CBEFF Registry as a biometric data block.

The concept drawn from ISO/IEC 19785-3 is of a biometric template with associated metadata, sometimes called a biometric information record or a patron format. In this Recommendation, it is called a biometric information template (BIT), following the terminology in [b-ISO/IEC 7816-11] Integrated circuit cards – Part 11: Personal verification through biometric methods. There is no restriction on the types of BIT that can be used, but the BIT in [b-ISO/IEC 7816-11] is recommended.

In terms of ITU-T X.509, this Recommendation defines further extensions for use in attribute certificates that carry biometric information. The two most important are the biometric certificate and the biometric policy certificate.

This Recommendation introduces the fundamental concept that a biometric processing unit (BPU) (hardware devices, supporting software, and fusion mechanisms when multiple biometrics are in use) can operate at any one of several security levels. These relate partly to the availability of liveness testing, and the setting of thresholds for a uni-modal biometric comparison, but more importantly to the way in which biometric fusion scores are combined (see [b-ISO/IEC TR 24722]). For example, a low security level might accept a claimant if any of the fingerprints or iris scans were positive (above a perhaps low threshold); a high security level might require that all scores were positive (above a perhaps high threshold), and require liveness testing in any associated biometric devices.

It also recognizes that a client can interact with a server that requires privileges for the operations that the client wishes to perform. In some cases, such as reading a Web page from a Web server, it is possible that no privileges are required (the information is public). In other cases, the same server may have private areas where privileged access is needed. A still higher set of privileges (and hence a higher security level for authentication) may be needed if the client wishes to change the data on the website, or for a technician taking remedial action or uploading new software. Again, for access to a bank account, different privileges may be needed for reading account details, for transferring money, and for maintaining the accounts database. So for transactions that a client wishes to perform with a given server, there can be many different sets of privileges needed, depending on the nature of the transaction.

A key concept in the TAI is that once the privileges required are known by the presentation of an attribute certificate (AC), a security level for the authentication process can be obtained from that AC, and that a BPU can operate at different (certified) security levels. This Recommendation does not define a set of standardized security levels, but Appendix I provides the basis
for a template that would contain such definitions, and may be subject to subsequent standardization. The precise definition of security levels is currently a matter for agreement between the BPU, the authority that issues the biometric policy certificate, and the applications that will use the related reports and certificates. The focus of the TAI is primarily on capture and comparison for verification (authentication) purposes, but the security levels used for capture and enrolment are equally important.

Two types of trusted third party (with trust chained through the certificate chains established by ITU-T X.509) are recognized in the telebiometrics authentication infrastructure (TAI). The first type is a biometric certificate authority (BCA) concerned with enrolling users and issuing a biometric certificate that binds them to their biometric information. In general, a user may be issued with many different biometric certificates (using the same or different biometrics), for example from his employer for access control, from his library, from his sports club, or from his government (passports for border control). The stringency of the enrolment process and the security level needed for enrolment can vary, depending on the requirements of these different BCAs. The same hardware and software may (but need not) be capable of supporting enrolment and verification for all these different BCAs, depending on the security level at which it operates.

The second type of trusted third party is the telebiometrics authority (TBA) that evaluates the security of biometric devices and issues biometric device certificates (BDCs) for a biometric device and biometric policy certif