International Telecommunication Union
ITU-T X.1112
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2007)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

Device certificate profile for the home network

ITU-T Recommendation X.1112
ITU-T Rec. X.1112 (11/2007)

ITU-T Recommendation X.1112
Device certificate profile for the home network

Summary
ITU-T Recommendation X.1112 proposes a certificate profile for authenticating the device in the home network. It also describes how authentication works between devices in the home network with a secure home gateway. In addition, this Recommendation describes the certificate profile standard for home network devices using ITU-T Recommendation X.509 as the basic reference for the device certificate profile. Finally, this Recommendation describes the certificate management procedures for the home device certificate in the home network.

Source
ITU-T Recommendation X.1112 was approved on 13 November 2007 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.
NOTE: In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2008
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS
1 Scope
2 References
3 Definitions
3.1 OSI reference model security architecture definitions
3.2 Public-key and attribute certificate frameworks definitions
3.3 Framework of security technologies for home network definitions
4 Abbreviations and acronyms
5 Conventions
6 Framework for home network device certification
7 Certificate profile for the home network device
7.1 Basic certificate fields
7.2 Extensions
7.3 Security considerations
8 Certificate management for device certificate in the home network
8.1 Procedures for device certificate issuance
8.2 Procedure for device certificate revocation
8.3 Procedure for device certificate validation
9 Use cases for the device certificate
10 Message format for certificate management
Appendix I Examples of the home device certificate profile
I.1 CA certificate profile (self-signed certificate)
I.2 Home device certificate profile
Bibliography

ITU-T Recommendation X.1112
Device certificate profile for the home network

1 Scope
The framework for device certification in the home network can generally be categorized into two models. One is the internal issuing model, wherein all home device certificates, including a self-signed certificate (i.e., the certification authority certificate) and an end-entity certificate (i.e., the home device certificate), are issued by an internal certification authority (CA) in the home network. Usually, an internal CA can be a secure home gateway with the capability for generating a key pair and issuing a certificate. Therefore, the secure home gateway can issue a CA certificate as well as home device certificates. Moreover, the secure home gateway can have a device certificate which is issued by an external certification authority for use in external home services. In particular, this home gateway device certificate can be used for authentication between the home gateway and the home network service provider as defined in ITU-T J.192. The other model is the external issuing model, wherein all home device certificates are issued by an external CA.
This Recommendation defines the CA certificate profile and the device certificate profile in the first model, particularly that wherein the home security gateway acts as the internal CA. These profiles are used for device authentication in the general home network environment. This Recommendation also defines the procedure for device certificate management.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.
[ITU-T J.190] ITU-T Recommendation J.190 (2002), Architecture of MediaHomeNet that supports cable-based services.
[ITU-T J.192] ITU-T Recommendation J.192 (2004), A residential gateway to support the delivery of cable data services.
[ITU-T Q.1701] ITU-T Recommendation Q.1701 (1999), Framework for IMT-2000 networks.
[ITU-T Q.1711] ITU-T Recommendation Q.1711 (1999), Network functional model for IMT-2000.
[ITU-T Q.1761] ITU-T Recommendation Q.1761 (2004), Principles and requirements for convergence of fixed and existing IMT-2000 systems.
[ITU-T X.500] ITU-T Recommendation X.500 (2005), Information technology – Open Systems Interconnection – The Directory: Overview of concepts, models and services.
[ITU-T X.501] ITU-T Recommendation X.501 (2005), Information technology – Open Systems Interconnection – The Directory: Models.
[ITU-T X.509] ITU-T Recommendation X.509 (2005), Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks.
[ITU-T X.520] ITU-T Recommendation X.520 (2005), Information technology – Open Systems Interconnection – The Directory: Selected attribute types.
[ITU-T X.680] ITU-T Recommendation X.680 (2002), Information technology – Abstract Syntax Notation One (ASN.1): Specification of basic notation.
[ITU-T X.800] ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.803] ITU-T Recommendation X.803 (1994), Information technology – Open Systems Interconnection – Upper layers security model.
[ITU-T X.805] ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.810] ITU-T Recommendation X.810 (1995), Information technology – Open Systems Interconnection – Security frameworks for open systems: Overview.
[ITU-T X.1111] ITU-T Recommendation X.1111 (2007), Framework of security technologies for home network.
[ITU-T X.1121] ITU-T Recommendation X.1121 (2004), Framework of security technologies for mobile end-to-end data communications.
[IETF RFC 2511] IETF RFC 2511 (1999), Internet X.509 Certificate Request Message Format.
[IETF RFC 3280] IETF RFC 3280 (2002), Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

3 Definitions

3.1 OSI reference model security architecture definitions
The following terms are defined in ITU-T X.800:
a) authentication;
b) authentication information;
c) authorization;
d) encipherment;
e) integrity;
f) key;
g) key management.

3.2 Public-key and attribute certificate frameworks definitions
The following terms are defined in ITU-T X.509:
a) authority;
b) certification authority (CA);
c) CA certificate;
d) certificate revocation list (CRL);
e) certificate serial number;
f) certificate user;
g) certificate validation;
h) certificate path;
i) end-entity;
j) hash function;
k) private key;
l) public key;
m) public key infrastructure (PKI);
n) self-signed certificate;
o) trust.

3.3 Framework of security technologies for home network definitions
The following terms are defined in ITU-T X.1111:
a) administrator of home network;
b) device certificate;
c) home device;
d) home user;
e) remote terminal;
f) remote user;
g) secure home gateway.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations:
AKI Authority Key Identifier
ASN.1 Abstract Syntax Notation One
CA Certification Authority
CMP Certificate Management Protocol
CMS Cryptographic Message Syntax
CN Common Name
CPU Central Processing Unit
CRL Certificate Revocation List
DN Distinguished Name
LAN Local Area Network
MAC Message Authentication Code
OID Object Identifier
OSI Open Systems Interconnection
PC Personal Computer
PDA Personal Data Assistant
PIN Personal Identification Number
PK Public Key
PKI Public Key Infrastructure
RA Registration Authority
RSA Rivest, Shamir, Adleman (algorithm for public-key cryptography)
SAN Subject Alternative Name
SHA Secure Hash Algorithm
SKI Subject Key Identifier
SSL Secure Socket Layer
TLS Transport Layer Security
UTF Universal Transformation Format

5 Conventions
None.

6 Framework for home network device certification
Authentication of the presented identity of a person or device will be one of the most important functions of home network security. In general, authentication in the home network can be classified into user authentication and device authentication. To provide device authentication, device certification can be used.
The framework for device certification in the home network can generally be categorized into two models. One is the internal issuing model, wherein all home device certificates, including a self-signed certificate (i.e., the CA certificate) and an end-entity certificate (i.e., the home device certificate), are issued by an internal CA in the home network. Usually, an internal CA can be a secure home gateway with the capability of generating a key pair and issuing a certificate. Therefore, the secure home gateway can issue a CA certificate as well as home device certificates. Moreover, the secure home gateway can have a device certificate issued by an external certification authority for use in external home services. This home gateway device certificate can be used for authentication between the home gateway and the home network service provider as defined in ITU-T J.192.
The other model is the external issuing model, wherein all home device certificates are issued by an external CA. For this model, ITU-T J.192 defines the device certificate profile for authentication between a cable TV service provider and a set-top box.
This Recommendation only deals with the first model, particularly that wherein the home security gateway acts as the internal CA (the other model is dealt with in ITU-T J.192).

[Figure 6-1 – Device authentication model for the secure home network]

7 Certificate profile for the home network device
This clause describes the home network device certificate profile that complies with ITU-T X.509 and IETF RFC 3280. For home network device authentication, a unique identifier that can identify each device in the home network is needed. Specifically, a home device certificate will be required as a unique trust element when used in the home network. The home network service provider can identify a valid home network device using the device certificate.

7.1 Basic certificate fields
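The internal issuing model of clause 6, with the X.509/RFC 3280 path validation that clause 7 builds on, as an added example using the OpenSSL command line; this is not the Recommendation's own material and it does not reproduce the profile of clauses 7.1 and 7.2. The secure home gateway generates its key pair and a self-signed CA certificate, a home device submits a certificate request, the gateway issues an end-entity device certificate, and a peer validates that certificate with the gateway's CA certificate as the sole trust anchor. The subject names, the device identifier "device-0001", the validity periods, the file names and the chosen extension set (basicConstraints, keyUsage, SKI/AKI, a SAN) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of ITU-T X.1112: the internal issuing model of
# clause 6, with the secure home gateway acting as the internal CA.
# Subject names, validity periods, file names and the extension set are
# this example's own assumptions, not the profile's requirements.
set -eu

# build_home_pki DIR: the gateway creates its self-signed CA certificate,
# then issues an end-entity certificate to one home device. Files land in DIR.
build_home_pki() {
  dir="$1"
  mkdir -p "$dir"

  # Step 1: the gateway generates its key pair and a self-signed CA
  # certificate. pathlen:0 keeps the gateway from delegating issuance.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Home Gateway CA (example)
O = Example Home Network
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null

  # Step 2: a home device generates its key pair and a certificate request.
  # The device identifier "device-0001" is a constructed sample value.
  cat > "$dir/device.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = device-0001
O = Example Home Network
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/device.cnf" -keyout "$dir/device.key" \
    -out "$dir/device.csr" 2>/dev/null

  # Step 3: the gateway signs the request as an end-entity (CA:FALSE)
  # certificate, binding it to its CA via the authority key identifier.
  cat > "$dir/device.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:device-0001.home.example
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/device.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/device.ext" -out "$dir/device.pem" 2>/dev/null
}

# verify_device DIR CERT: certificate path validation with the gateway's CA
# certificate as the only trust anchor. Prints OK on success, nothing on failure.
verify_device() {
  openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1 && echo OK
}

# is_ca_cert CERT: prints yes if the certificate asserts CA:TRUE, else no.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

demo=$(mktemp -d)
build_home_pki "$demo"
echo "gateway CA certificate is a CA:  $(is_ca_cert "$demo/ca.pem")"
echo "device certificate is a CA:      $(is_ca_cert "$demo/device.pem")"
echo "device certificate path:         $(verify_device "$demo" "$demo/device.pem")"
rm -rf "$demo"
```

Two design points matter for the home network case. The device certificate carries CA:FALSE, so a compromised device key cannot be used to mint further certificates that the gateway's peers would accept, and the gateway's pathlen:0 bounds the chain to exactly the gateway and the device. Validation binds trust to the gateway's CA certificate itself: a self-signed certificate with the same subject name but a different key fails `openssl verify`, which is the check a peer should perform before accepting a presented device certificate.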