1、 International Telecommunication Union ITU-T X.1154TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2013) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols General framework of combined authentication on multiple identity service
2、provider environments Recommendation ITU-T X.1154 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.
3、599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Tele
4、biometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180
5、X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.15
6、00X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list o
7、f ITU-T Recommendations. Rec. ITU-T X.1154 (04/2013) i Recommendation ITU-T X.1154 General framework of combined authentication on multiple identity service provider environments Summary Recently, many application services, especially financial services, require more reliable or combined authenticat
8、ion methods such as multifactor authentication due to the increase in identity (ID) theft. For example, one-time password authentication and other new authentication methods are used instead of traditional password-based authentication. The combinations of authentication methods provide multiple ide
9、ntity service providers (IdSPs) the ability to enhance the assurance of authentication. Recommendation ITU-T X.1154 provides the general framework of combined authentication in multiple IdSP environments for a service provider. In this Recommendation, three types of combined authentication methods a
10、re considered: multifactor authentication, multi-method authentication and multiple authentications. The framework in this Recommendation describes models, basic operations and security requirements for each model component and each message between the model components to maintain an overall level o
11、f authentication assurance in situations of a combination of multiple IdSPs. In addition, the framework also describes models, basic operations and security requirements to support the authentication service that manages a combination of multiple IdSPs. History Edition Recommendation Approval Study
12、Group 1.0 ITU-T X.1154 2013-04-26 17 Keywords Combined authentication, entity authentication, multifactor authentication. ii Rec. ITU-T X.1154 (04/2013) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information a
13、nd communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide b
14、asis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Res
15、olution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administratio
16、n and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions a
17、re met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the p
18、ossibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of t
19、he Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest inf
20、ormation and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1154 (04/2013) iii Table of Co
21、ntents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 3 5 Conventions 3 6 Types of combined authentication 3 7 Authentication models on multiple IdSP environments . 4 7.1 Basic models with regard
22、to service provider 4 7.2 Entity authentication life cycle model 10 8 Operations in multiple IdSP environments . 13 8.1 Credential management operations 14 8.2 Usage operations of credentials 14 8.3 Management operations of trust relationships with service providers . 15 9 General framework of combi
23、ned authentication on multiple identity service provider environments 15 9.1 Logical components 16 9.2 Behaviours 17 Annex A Considerations for combined authentication . 23 A.1 Achieving estimated authentication assurance . 23 A.2 Selection of IdSP(s) 23 A.3 Effective authentication assurance . 23 A
24、.4 Security considerations for multifactor authentication . 24 A.5 Security considerations for multi-method authentication . 24 A.6 Security considerations for multiple authentication . 24 Appendix I Relationship with related standards . 25 I.1 Relationship with ITU-T X.1141 . 25 I.2 Relationship wi
25、th ITU-T X.1254 . 25 Bibliography. 26 iv Rec. ITU-T X.1154 (04/2013) Introduction Recently, many application services, especially financial services, require more reliable or combined authentication methods such as multifactor authentication due to the increase in identity (ID) theft. For example, o
26、ne-time password authentication and other new authentication methods are used instead of traditional password-based authentication. ITU-T Recommendations related to authentication for secure application service, see b-ITU-T X.509 and ITU-T X.1141, are standardized as authentication frameworks. These
27、 ITU-T Recommendations basically consider that one service provider and/or one user belongs to one security domain provided by one IdSP even if the service provider and the user belong to different security domains. To achieve enhancement of authentication, IdSP requires the implementation of strong
28、er authentication methods (for example, methods in b-ITU-T X.1151, b-ITU-T X.1084, b-ITU-T X.1086 and b-ITU-T X.1089). On the other hand, it often occurs that one user retrieves several identities from several IdSPs and one service provider establishes trust relationships with several IdSPs. In thes
29、e multiple IdSP environments, there may be an alternative way for enhancement of authentication when the service provider uses multiple IdSPs to authenticate the user. Moreover, even if the service provider (SP) implements stronger authentication, identity service bridge provider may be used to comb
30、ine multiple IdSPs. However, because each IdSP is operated by different providers, a simple combination of multiple IdSPs may lead to the collapse of the overall authentication level. Therefore, the general framework is required to describe models, basic operations and security requirements for each
31、 model component and each message between the model components to maintain an overall level of authentication assurance in situations of a combination of multiple IdSPs. In addition, the requirement of stronger/more reliable authentication increases the complexity of implementation and/or management
32、 of the authentication system. As a result, the authentication service that manages a combination of multiple IdSPs is used to authenticate the user on behalf of the application service. This authentication service is required to manage a combination of multiple IdSPs that satisfy the authentication
33、 policies of each application service. The framework is also required to describe models, basic operations and security requirements to support the authentication service. Rec. ITU-T X.1154 (04/2013) 1 Recommendation ITU-T X.1154 General framework of combined authentication on multiple identity serv
34、ice provider environments 1 Scope This Recommendation provides the general framework of combined authentication in multiple identity service provider (IdSP) environments for the service provider to achieve combined authentication such as multifactor authentication. The framework in this Recommendati
35、on describes models, basic operations and security requirements for each model component and each message between the model components to maintain an overall level of authentication assurance in situations of a combination of multiple IdSPs. In addition, the framework also describes models, basic op
36、erations and security requirements to support the authentication service that manages a combination of multiple IdSPs. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the
37、time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below.
38、 A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.1141 Recommendation ITU-T X.1141 (2006), Security Assertion Markup Language (SAML 2
39、.0). ITU-T X.1254 Recommendation ITU-T X.1254 (2012), Entity authentication assurance framework. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 assertion b-ITU-T X.1252: A statement made by an entity without accompanying evidence of it
40、s validity. 3.1.2 assurance level b-ITU-T X.1252: A level of confidence in the binding between an entity and the presented identity information. 3.1.3 authentication b-ITU-T X.1252: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. 3.1.4 au
41、thentication assurance b-ITU-T X.1252: The degree of confidence reached in the authentication process that the communication partner is the entity that it claims to be or is expected to be. NOTE The confidence is based on the degree of confidence in the binding between the communicating entity and t
42、he identity that is presented. 2 Rec. ITU-T X.1154 (04/2013) 3.1.5 end user ITU-T X.1141: A natural person who makes use of resources for application purposes. 3.1.6 identifier b-ITU-T X.1252: One or more attributes used to identify an entity within a context. 3.1.7 identity b-ITU-T X.1252: A repres
43、entation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context. For identity management (IdM) purposes, the term identity is understood as contextual identity (subset of attributes), i.e., the variety of attributes is lim
44、ited by a framework with defined boundary conditions (the context) in which the entity exists and interacts. NOTE Each entity is represented by one holistic identity that comprises all possible information elements characterizing such entity (the attributes). However, this holistic identity is a the
45、oretical issue and eludes any description and practical usage because the number of all possible attributes is indefinite. 3.1.8 identity service bridge provider b-ITU-T X.1252: An identity service provider that acts as a trusted intermediary among other identity service providers. 3.1.9 identity se
46、rvice provider (IdSP) b-ITU-T X.1252: An entity that verifies, maintains, manages, and may create and assign identity information of other entities. 3.1.10 relying party ITU-T X.1141: A system entity that decides to take an action based on information from another system entity. For example, an SAML
47、 relying party depends on receiving assertions from an asserting party (a SAML authority) about a subject. 3.1.11 service provider ITU-T X.1141: A role donned by a system entity where the system entity provides services to principals or other system entities. 3.2 Terms defined in this Recommendation
48、 This Recommendation defines the following terms: 3.2.1 authentication factor: A type of credential; there are three types of authentication factors: ownership factor, knowledge factor and biometric factor. 3.2.2 biometric factor: An authentication factor verifying something the user is or does. 3.2
49、.3 combined authentication: An authentication that uses multiple credentials. 3.2.4 current assurance level: A level of authentication assurance of a certain entity at the current point in time. 3.2.5 knowledge factor: An authentication factor verifying something the user knows. 3.2.6 multifactor authentication: An authentication that uses multiple credentials from two or more of the three categories of authentication factors. 3.2.7 multi-method authentication: An authentication that uses mu
