1、 International Telecommunication Union ITU-T X.1125TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Correlative Reacting System in mobile data communication Recommendation ITU-T X.1125 ITU-T X-SERIES
2、 RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199 OPEN SYSTEMS INTERC
3、ONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Managed Objects X.280X.289
4、 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency X.630X.639 Quality o
5、f service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information X.720X.729 Manageme
6、nt functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECOMMUNICATION SECURITY X.
7、1000 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1125 (01/2008) i Recommendation ITU-T X.1125 Correlative Reacting System in mobile data communication Summary In a mobile network environment, while core networks are able to manage security threats, mobile sta
8、tions (MSs) that access the mobile network have little defence capability due to limited hardware resources. Compromised mobile stations can themselves easily become virus agents and threaten the entire network. The Correlative Reacting System (CRS) defined in this Recommendation aims to protect mob
9、ile networks against the threats of insecure terminals that do not conform to the security policy of the network, such as terminals that have been compromised. Source Recommendation ITU-T X.1125 was approved on 13 January 2008 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-T A.8 proced
10、ure. ii Rec. ITU-T X.1125 (01/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ o
11、f ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topi
12、cs for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prep
13、ared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation ma
14、y contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to exp
15、ress requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Pro
16、perty Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice o
17、f intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2008
18、All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1125 (01/2008) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 3.1 Terms defined elsewhere 2 3.2 Terms defined in this Recommendation. 3
19、4 Abbreviations and acronyms 4 5 Conventions 6 6 Overview of the Correlative Reacting System . 6 7 CRS description 8 7.1 Preconditions 8 7.2 CRS objectives . 8 7.3 CRS system architecture. 9 7.4 CRS entities 10 7.5 CRS interfaces 14 8 CRS policy 15 8.1 Security evaluation policy 15 8.2 Security cont
20、rol policy . 18 8.3 Group attribute management 21 9 Communication between SCA and SCS 22 9.1 Message carrier protocol 22 9.2 Security. 22 9.3 Messages. 22 10 Communication between the NAC/ASC and the SCS . 25 10.1 General . 25 10.2 Message security 25 10.3 Messages. 25 11 General procedures in CRS 2
21、7 11.1 The discovery of SCA/SCS 27 11.2 SCI report and MS control procedure 28 11.3 SCA auto-installation and auto-updating . 30 11.4 Generation and delivery of control policy 32 11.5 MS security updating 32 11.6 MS leave data network . 34 12 Special processing procedures 34 12.1 Large-scale updatin
22、g 34 iv Rec. ITU-T X.1125 (01/2008) Page 13 Handling CRS roaming 38 13.1 CRS roaming definition 38 13.2 CRS roaming within one CRS-deployed network 38 13.3 CRS roaming between CRS-deployed networks 39 13.4 CRS roaming between CRS-deployed network and CRS-undeployed network. 41 Annex A CRSAP messages
23、 42 A.1 XML schema definition 42 A.2 The equivalent ASN.1 specification of the CRSAP messages. 44 Appendix I Some considerations on CRS implementation. 48 I.1 Deployment of SCA . 48 I.2 Deployment of SCS 50 I.3 Deployment of CRS in mobile IP networks. 52 Appendix II An example of CRSAP message excha
24、nge 53 II.1 An example SCI report. 53 II.2 An example SCI response 53 Bibliography 54 Rec. ITU-T X.1125 (01/2008) 1 Recommendation ITU-T X.1125 Correlative Reacting System in mobile data communication 1 Scope Focusing on end-to-end data communication in mobile networks, this Recommendation describes
25、 the open architecture of the Correlative Reacting System (CRS), which protects the network against potential security threats from insecure mobile terminals. This architecture provides operator networks with enhanced security capability through mobile station (MS) security updates, network access c
26、ontrol and application service restrictions. This results in a mechanism that prevents viruses or worms from spreading rapidly through the network operator. This Recommendation provides an abstract level architecture and is an application of current implementation-level protocols in the wired/PC wor
27、ld, e.g., trusted network connection (TNC) specifications for the mobile network scenario. Where appropriate, existing proven concepts and elements from the wired world should be reused as much as possible in the design and implementation of CRSs. This Recommendation specifies Correlative Reacting S
28、ystem application protocol (CRSAP) messages which can be transferred using XML or compact binary encodings as specified in Annex A. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommenda
29、tion. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references
30、listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.680 Recommendation ITU-T X.680 (2002) | ISO/IEC 8824-1:2002, Informati
31、on technology Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T X.691 Recommendation ITU-T X.691 (2002) | ISO/IEC 8825-2:2002, Information technology ASN.1 encoding rules: Specification of Packed Encoding Rules (PER). ITU-T X.693 Recommendation ITU-T X.693 (2001) | ISO/IEC
32、 8825-4:2002, Information technology ASN.1 encoding rules: XML Encoding Rules (XER). ITU-T X.694 Recommendation ITU-T X.694 (2004) | ISO/IEC 8825-5:2004, Information technology ASN.1 encoding rules: Mapping W3C XML schema definitions into ASN.1. ITU-T X.800 Recommendation ITU-T X.800 (1991), Securit
33、y architecture for Open Systems Interconnection for CCITT applications. ITU-T X.803 Recommendation ITU-T X.803 (1994) | ISO/IEC 10745:1995, Information technology Open Systems Interconnection Upper layers security model. ITU-T X.805 Recommendation ITU-T X.805 (2003), Security architecture for system
34、s providing end-to-end communications. 2 Rec. ITU-T X.1125 (01/2008) ITU-T X.810 Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T X.1121 Recommendation ITU-T X.1121 (2004), Framework of
35、 security technologies for mobile end-to-end data communications. RFC 2748 IETF RFC 2748 (2000), The COPS (Common Open Policy Service) Protocol. W3C XSD W3C XML Schema (2004), XML Schema Part 0: Primer Second Edition. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following t
36、erms defined elsewhere: 3.1.1 access control ITU-T X.800: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 application service ITU-T X.1121: A service like mobile banking, mobile commerce, and so on. 3.1.3 application se
37、rver ITU-T X.1121: An entity that connects to an open network for data communication with mobile terminals. 3.1.4 application service provider (ASP) ITU-T X.1121: An entity (person or group) which provides application service(s) to mobile users through an application server. 3.1.5 availability ITU-T
38、 X.800: The property of being accessible and useable upon demand by an authorized entity. 3.1.6 data integrity ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.7 data origin authentication ITU-T X.800: The corroboration that the source of data rece
39、ived is as claimed. 3.1.8 denial of service ITU-T X.800: The prevention of authorized access to resources or the delaying of time-critical operations. 3.1.9 privacy ITU-T X.800: The right of individuals to control or influence what information related to them may be collected and stored and by whom
40、and to whom that information may be disclosed. NOTE Because this term relates to the rights of individuals, it cannot be very precise and its use should be avoided except as motivation for requiring security. 3.1.10 mobile network ITU-T X.1121: A network that provides wireless network access points
41、to mobile terminals. 3.1.11 mobile security gateway ITU-T X.1121: An entity which relays data communication between a mobile terminal and an application server, changes security parameters or communication protocol from a mobile network to an open network, or vice versa, and can perform security pol
42、icy management functions for mobile end-to-end data communication. 3.1.12 mobile terminal ITU-T X.1121: An entity that has wireless network access function and connects a mobile network for data communication with application servers or other mobile terminals. Rec. ITU-T X.1125 (01/2008) 3 3.1.13 mo
43、bile user ITU-T X.1121: An entity (person) that uses and operates the mobile terminal for receiving various services from application service providers. 3.1.14 system security function ITU-T X.803: A capability of a system to perform security-related processing, such as encipherment/decipherment, di
44、gital signature, or the generation or processing of a security token or certificate conveyed in an authentication exchange. 3.1.15 security communication function ITU-T X.803: A function supporting the transfer of security-related information between open systems. 3.1.16 security transformation ITU-
45、T X.803: A set of functions (system security functions and security communication functions) which, in combination, operate upon user data items to protect those data items in a particular way during communication or storage. 3.1.17 threat ITU-T X.800: A potential violation of security. 3.2 Terms de
46、fined in this Recommendation This Recommendation defines the following terms: 3.2.1 application service controller (ASC): A mobile network element that performs application service access control on mobile subscribers. By correlatively reacting with the security correlation server (SCS), it imposes
47、service restrictions on specified unsafe users based on the application service control policy of CRS. 3.2.2 controlled object: The mobile station (MS) controlled by the CRS. A controlled object may be a single MS or a group of MSs. 3.2.3 Correlative Reacting System (CRS): A mechanism that enables m
48、obile terminals or devices and the network to cooperate together against potential security threats, such as viruses, worms, Trojan-horses, user misbehaviour and other network attacks. 3.2.4 Correlative Reacting System application protocol (CRSAP): An application layer protocol for CRS message encap
49、sulation and transport between the SCA and the SCS. 3.2.5 dedicated security device (DSD): A device that provides dedicated security functions for the network (e.g., firewalls, IDs, security gateways, and security management servers). 3.2.6 mobile station (MS): Any mobile device, such as a mobile handset or computer, which is used to access network services. 3.2.7 mobile station operating system (MSOS): Functionality that can automatically perform self-update, patch installat