1、 International Telecommunication Union ITU-T X.1123TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2007) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Differentiated security service for secure mobile end-to-end data communication Recommendation ITU-
2、T X.1123 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.
3、199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Man
4、aged Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficien
5、cy X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Informat
6、ion X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECO
7、MMUNICATION SECURITY X.1000 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1123 (11/2007) i Recommendation ITU-T X.1123 Differentiated security service for secure mobile end-to-end data communication Summary Recommendation ITU-T X.1123 describes the differentiat
8、ed security service for secure mobile communication. The investigation of differentiated security service is important for both service providers and users. The service providers can use the differentiated security service to overcome the rigorous circumstances of wireless access networks and satisf
9、y various users and services with different levels of security. The differentiated security service is realized by security policy with three layers. One layer is super security policy used as a value-added service that safeguards mobile communication with sensitive information. The second layer is
10、baseline security policy used as the prevalent service that satisfies mobile communication without sensitive information. The last layer is no security policy, defined as the policy under which no security function is configured during communication. Source Recommendation ITU-T X.1123 was approved o
11、n 13 November 2007 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-T A.8 procedure. Keywords Differentiated, security dimension, security level, security policy, security service. ii Rec. ITU-T X.1123 (11/2007) FOREWORD The International Telecommunication Union (ITU) is the United Natio
12、ns specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations o
13、n them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of
14、ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is
15、used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with th
16、e Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of
17、 any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Pr
18、operty Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However,
19、implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior w
20、ritten permission of ITU. Rec. ITU-T X.1123 (11/2007) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation. 2 4 Abbreviations and acronyms 3 5 Conventions 3 6 Network model for differentiated security service . 3 7 Differe
21、ntiated security service 4 7.1 Types of assets in the mobile environment 4 7.2 Framework of differentiated security service. 5 8 Security policy 8 8.1 Framework of security policy. 9 8.2 Configuration of security policy. 10 9 Negotiation process 10 9.1 Negotiation process of security policy . 11 9.2
22、 Negotiation process between terminal and SGW. 12 9.3 Negotiation process between SGWs 13 9.4 Negotiation process between SGW and terminal. 13 10 Billing of security service. 13 11 Triggering of security resources . 14 Annex A Functions of the network model for differentiated security service 15 A.1
23、 Functions of the network model. 15 A.2 Depiction of functions 15 A.3 Protocols between functions. 18 Appendix I Example of security mechanism in line with subgroup of security policy 19 Bibliography. 21 iv Rec. ITU-T X.1123 (11/2007) Introduction It is necessary to establish a differentiated securi
24、ty service in secure mobile communication. The reasons are described as follows: Rigorous mobile environment The number of types of services that are provided through mobile networks is increasing quickly. Moreover, the number of mobile users also grows remarkably all around the world. Similar to wi
25、red networks, mobile networks are also threatened by various attacks. In addition, the mobile environment has many limitations such as limited computing power in mobile terminals, inadequate memory space and low network bandwidth at the air interface. Therefore, the running of applications is more d
26、ifficult in mobile networks than that in wired networks. Since the purpose of a security service is to organize various security technologies together to achieve a certain level of security for various applications, a differentiated security service mechanism is necessary for applications in the rig
27、orous mobile environment. Additional investment for security Compared with unsecured networks, secure networks require additional investment from the service providers point of view. Moreover, there is no absolute network security. The investment in security strongly relies on the level of security
28、the network can provide. The additional investment at least includes network management of security, security devices, additional consumption on bandwidth and computing power, training for security managers and users, etc. When telecommunication networks evolve from circuit switched to packet switch
29、ed, multimedia communication develops fast. The data volume of multimedia communication is much larger than that of audio communication. Data protection with a unique high security level becomes impossible because of the large, real-time data flow. For example, in second generation mobile networks,
30、such as the GSM network, we can encrypt all the data flow at the air interface since the audio communication has a much smaller data flow compared with multimedia communication. However, in third generation mobile networks, when multimedia communication is popular, we need differentiated security le
31、vels to protect data flow and save resources. Since next generation networks are based on package networks, the open characteristics of package networks will cause many new security threats. The intelligence of mobile terminals also induces various threats from viruses. Thus, simple management is ne
32、cessary to integrate the essential configuration of security for users. Evidently, security is a kind of service that needs a large amount of investment. Thus, it is impossible to provide the total security service without any charging. Service providers should find efficient methods to present stro
33、ng security service as value-added service. Various secure algorithms and protocols in different types of terminals A variety of security algorithms and protocols exists in different types of terminals. A rigorous problem is how to organize them to provide not only enough security, but also full int
34、eroperation among different types of mobile terminals. The problem cannot be solved without an effective security policy. Since a general mobile network includes various types of terminals, it is necessary to develop a security policy at both the terminal and network ends that can satisfy the securi
35、ty requirements effectively. Different security requirements for various users and applications Although secure communication is important in many applications, such as e-commerce, etc., many other applications require just a low level of security, such as accessing the Internet for open information
36、. In this case, the unidirectional authentication from network to user may be enough. Therefore, security requirements vary among different users and Rec. ITU-T X.1123 (11/2007) v services. Service providers should provide differentiated security services to users. The structure of security policy i
37、s necessary to provide the differentiated security. By this means, it is important to study the differentiated security service that is driven by security policy. Simple and effective security services for users Security management is of critical importance in network security. For example, a networ
38、k is totally unsecured without effective security management even though it deploys many advantageous security entities and implements perfect security solutions. A secure network not only requires professional security managers at the network end, but also mobile users who can take charge of securi
39、ty management at the terminal end. If security management fails at either end, communication is unsecure. As we know, it is impossible to require that all users have enough security management ability. Thus, for better services, it is necessary to develop an effective security policy that is as simp
40、le as possible at the terminal end, and in which most policy decisions are executed in the network. For some services, all of the security policies may be determined at the (network) server end, such as e-banking services, etc. Rec. ITU-T X.1123 (11/2007) 1 Recommendation ITU-T X.1123 Differentiated
41、 security service for secure mobile end-to-end data communication 1 Scope This Recommendation provides a specification of differentiated security services for secure mobile end-to-end data communication, which includes a series of security policies, security levels and negotiation of security levels
42、 between security domains. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other refere
43、nces are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference t
44、o a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.800 Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ITU-T X.803 Recommendation ITU-T X.803 (1994) | ISO/IEC 1
45、0745:1995, Information technology Open Systems Interconnection Upper layers security model. ITU-T X.805 Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications. ITU-T X.810 Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technolo
46、gy Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T X.1121 Recommendation ITU-T X.1121 (2004), Framework of security technologies for mobile end-to-end data communications. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms define
47、d elsewhere: 3.1.1 access control: ITU-T X.800. 3.1.2 anonymity: ITU-T X.1121. 3.1.3 application server: ITU-T X.1121. 3.1.4 application service: ITU-T X.1121. 3.1.5 application service provider (ASP): ITU-T X.1121. 3.1.6 authentication: ITU-T X.800. 3.1.7 authentication exchange: ITU-T X.800. 3.1.8
48、 authorization: ITU-T X.800. 3.1.9 availability: ITU-T X.800. 2 Rec. ITU-T X.1123 (11/2007) 3.1.10 confidentiality: ITU-T X.800. 3.1.11 data integrity: ITU-T X.800. 3.1.12 encipherment: ITU-T X.800. 3.1.13 identity management: ITU-T X.1121. 3.1.14 integrity: ITU-T X.800. 3.1.15 key: ITU-T X.800. 3.1
49、.16 mobile network: ITU-T X.1121. 3.1.17 mobile terminal: ITU-T X.1121. 3.1.18 mobile user: ITU-T X.1121. 3.1.19 non-repudiation: ITU-T X.800. 3.1.20 password: ITU-T X.800. 3.1.21 privacy: ITU-T X.800. 3.1.22 security dimension: ITU-T X.805. 3.1.23 security policy: ITU-T X.800. 3.1.24 usability: ITU-T X.1121. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 security level: Security level is the application of a network system to