International Telecommunication Union

ITU-T X.1124
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2007)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security

Authentication architecture for mobile end-to-end communication

Recommendation ITU-T X.1124

Rec. ITU-T X.1124 (11/2007)

Recommendation ITU-T X.1124

Authentication architecture for mobile end-to-end communication

Summary

Recommendation ITU-T X.1124 describes a service layer authentication architecture for
mobile end-to-end data communication between mobile users and various service providers in the network. The generic negotiation mechanisms and authentication procedures specified in this Recommendation support both those entities that have miscellaneous authentication capabilities and those entities that have differentiated security requirements. The authentication addressed in this Recommendation is used for service providers and requesters and is independent of network access authentication of the mobile users.

Source

Recommendation ITU-T X.1124 was approved on 13 November 2007 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-T A.8 procedure.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which
fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language
such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2008

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS

1 Scope
2 References
3 Definitions
 3.1 Terms defined elsewhere
 3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview
 6.1 Use case description
 6.2 Security considerations
7 Security architecture
 7.1 Authentication model
 7.2 Network elements
 7.3 Reference points
 7.4 Requirements for authentication information
 7.5 Key structure
8 Authentication procedures
 8.1 Authentication procedures overview
 8.2 Entity initial authentication procedure
 8.3 Entity re-authentication procedure
 8.4 Authentication inquiring procedure with key generation
 8.5 Mutual authentication procedure between SS and SP
9 Overall authentication procedures
Appendix I – Some examples of entity authentication procedure
 I.1 HTTP digest AKA used in 3GPP
 I.2 HTTP digest AKA used in 3GPP2
 I.3 TLS-Cert based authentication mechanism
 I.4 Authentication procedure based on public key certificate authentication mechanism
 I.5 Authentication procedure based on a biometric authentication mechanism
Appendix II – Examples of mutual authentication between SS and SP
 II.1 Standardized cases
 II.2 Other possible cases
Appendix III – Key lifetime
Appendix IV – Mapping of the reference points to those in 3GPP/3GPP2
Bibliography

Recommendation ITU-T X.1124

Authentication architecture for mobile end-to-end communication

1 Scope

This Recommendation describes service layer authentication architecture in mobile end-to-end data communication between mobile users and various service providers in the network.

This Recommendation applies to three types of entities: mobile terminals in compliance with different mobile communication standards, service authentication-related network elements, and application servers
in various networks including mobile networks and open networks.

This Recommendation applies to three types of services: the services that are operated by mobile network operators (including the services operated by a visited network, e.g., when a user in a 3rd Generation Partnership Project (3GPP) network uses the service in a 3rd Generation Partnership Project 2 (3GPP2) network); the services provided by application servers on open networks such as the Internet for mobile terminals (e.g., web services and e-mail services); and the services provided by certain powerful mobile users acting as customized service brokers for other mobile users.

This Recommendation provides generic negotiation mechanisms and authentication procedures to support both those entities that have miscellaneous authentication capabilities and those that have differentiated security requirements. The authentication addressed herein is used for service providers and requesters and it is independent of network access authentication of the mobile users.

This Recommendation builds upon the work of other standard bodies and consortia to define a more generalized authentication architecture for mobile environments.
2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T M.3016] Recommendation ITU-T M.3016 (1998), TMN Security Overview.
[ITU-T X.509] Recommendation ITU-T X.509 (2000) | ISO/IEC 9594-8:2001, Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks.
[ITU-T X.800] Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.805] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T X.810] Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technology – Open Systems Interconnection – Security frameworks for open systems: Overview.
[ITU-T X.1121] Recommendation ITU-T X.1121 (2004), Framework of security technologies for mobile end-to-end data communications.
[ITU-T X.1122] Recommendation ITU-T X.1122 (2004), Guideline for implementing secure mobile systems based on PKI.
[IETF RFC 4120] IETF RFC 4120 (2005), The Kerberos Network Authentication Service (V5).

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

3.1.1 application server [ITU-T X.1121]: An entity that connects to an open network for data communication with mobile terminals.

3.1.2 authentication [b-ITU-T X.811]: The provision of assurance of the claimed identity of an entity.

3.1.3 authentication information [ITU-T X.800]: Information used to establish the validity of a claimed identity.

3.1.4 certificate repository [ITU-T X.1122]: Database in which the certificates, CRL and other PKI-related information are stored and which is accessible online.

3.1.5 confidentiality [ITU-T X.800]: The property that information is not made
available or disclosed to unauthorized individuals, entities or processes.

3.1.6 denial of service [ITU-T X.800]: The prevention of authorized access to resources or the delaying of time-critical operations.

3.1.7 eavesdropping [ITU-T M.3016]: A breach of confidentiality by monitoring communication.

3.1.8 masquerade [ITU-T X.800]: The pretence by an entity to be a different entity. For instance, an authorized entity with few privileges may use a masquerade to obtain extra privileges by impersonating an entity that has those privileges. Types include replay, relay and compromise of claim authentication information.

3.1.9 mobile network [ITU-T X.1121]: A network that provides wireless network access points to mobile terminals.

3.1.10 mobile terminal [ITU-T X.1121]: An entity that has wireless network access function and connects to a mobile network for data communication with application servers or other mobile terminals.

3.1.11 mobile user [ITU-T X.1121]: An entity (person) that uses and operates the mobile terminal for receiving various services from application service providers.

3.1.12 replay [ITU-T X.800]: A message, or part of a message, is repeated to produce unauthorized effect. For example, a valid message containing authentication information may be replayed by another entity in order to authenticate itself (as something that it is not).

3.1.13 trusted third party (TTP) [ITU-T X.810]: A security authority or its agent, trusted by other entities with respect to security-related operations.

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 authentication capability information: Authentication mechanisms supported by a service subscriber or a service provider.

3.2.2 authentication mode: An identifier that specifies authentication mechanisms between a service subscriber (SS) and an entity authentication centre (EAC), a service provider (SP) and an EAC, and authentication inquiring/derived key generation mechanism/mutual authentication mechanisms between an SS and an SP.

3.2.3 authentication negotiation procedure: A procedure that happens during the authentication procedure in which, according to the local policy, the EAC must choose an authentication mode from the authentication mechanisms supported by service providers/service subscribers and the network.

3.2.4 authentication procedure: The process of authentication between a service entity and the EAC, and authentication between two service entities, i.e., an SS and an SP. Generally, a whole authentication procedure comprises three independent integral sub-procedures: initial authentication between service entity and EAC; authentication
inquiring and key generation/transportation/negotiation; and mutual authentication between service entities.

3.2.5 challenge/response: A method of protecting against replay attack. For example, if entity A wants to obtain a new message from entity B, it can first send a challenge in the form of a nonce (e.g., a cryptographic value that is used only once) to B. A then receives a response from B, based on the nonce, that proves B was the intended recipient.

3.2.6 derived key: A key, indicated by Ksp, that is generated during the authentication inquiring and key generation/transportation/negotiation procedure. The key is shared by an SS and an SP, and it is generally derived using shared keying material Ks, which is the shared key between the EAC and the SS, and the identity information of service entities. It can be the base of mutual authentication between SS and SP, and be used to derive a following session key Kt to protect service communication between the SS and the SP. The length and lifetime of a derived key will be set according to parameters such as service type and security degree. Generally, the algorithm to derive the derived key has a default value.

3.2.7 entity authentication centre (EAC): A central network element defined in the authentication architecture, which accomplishes authentication negotiation and mutual authentication with service entities, establishes shar
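The key hierarchy of 3.2.6 (Ks shared between SS and EAC, Ksp derived from Ks and the identities of the SS and SP, Kt derived from Ksp) together with the challenge/response of 3.2.5, worked as an added example that is not part of this Recommendation. HMAC-SHA256 stands in for the default derivation algorithm, which this clause does not specify, and the labels, message layout, identities and nonces are constructed for illustration.

```python
import hashlib
import hmac
import os

# Key hierarchy of clause 3.2.6: Ks (SS <-> EAC) -> Ksp (SS <-> SP) -> Kt (session).
# HMAC-SHA256 is an assumed stand-in for the default derivation algorithm, which
# the clause does not specify; the labels and message layout are constructed here.

def derive_ksp(ks: bytes, ss_id: str, sp_id: str, length: int = 32) -> bytes:
    """Derived key Ksp, bound to Ks and to the identities of both service entities."""
    label = b"Ksp|" + ss_id.encode() + b"|" + sp_id.encode()
    return hmac.new(ks, label, hashlib.sha256).digest()[:length]

def derive_kt(ksp: bytes, nonce_ss: bytes, nonce_sp: bytes) -> bytes:
    """Session key Kt, derived from Ksp and the nonces of one authentication run."""
    return hmac.new(ksp, b"Kt|" + nonce_ss + nonce_sp, hashlib.sha256).digest()

def proof(ksp: bytes, prover_id: str, nonce_ss: bytes, nonce_sp: bytes) -> bytes:
    """Challenge/response (3.2.5): MAC over the prover's identity and both nonces,
    so a response is tied to one run and cannot be reflected back to the prover."""
    return hmac.new(ksp, prover_id.encode() + b"|" + nonce_ss + nonce_sp,
                    hashlib.sha256).digest()

def mutual_authenticate(ksp_ss: bytes, ksp_sp: bytes, ss_id: str, sp_id: str,
                        nonce_ss: bytes = b"", nonce_sp: bytes = b""):
    """Run SS <-> SP mutual authentication with each side's own copy of Ksp.

    Returns (True, Kt) on success or (False, None) if either response fails.
    Nonces may be supplied for a deterministic run; fresh ones are drawn otherwise.
    """
    nonce_ss = nonce_ss or os.urandom(16)                # SS -> SP: challenge
    nonce_sp = nonce_sp or os.urandom(16)                # SP -> SS: its own challenge
    sp_resp = proof(ksp_sp, sp_id, nonce_ss, nonce_sp)   # SP -> SS: response
    if not hmac.compare_digest(sp_resp, proof(ksp_ss, sp_id, nonce_ss, nonce_sp)):
        return False, None                               # SS rejects SP
    ss_resp = proof(ksp_ss, ss_id, nonce_ss, nonce_sp)   # SS -> SP: response
    if not hmac.compare_digest(ss_resp, proof(ksp_sp, ss_id, nonce_ss, nonce_sp)):
        return False, None                               # SP rejects SS
    return True, derive_kt(ksp_ss, nonce_ss, nonce_sp)

if __name__ == "__main__":
    ks = bytes(range(32))                                # constructed Ks for illustration
    ksp = derive_ksp(ks, "ss-001@example", "sp.example")
    print(mutual_authenticate(ksp, ksp, "ss-001@example", "sp.example")[0])
```

A mismatched Ksp on either side fails the run before Kt is derived, and because Kt depends on both nonces a fresh run never reproduces an earlier session key.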