ITU-T X.1158 (11/2014)
International Telecommunication Union
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Secure applications and services: Security protocols (X.1150-X.1159)

Recommendation ITU-T X.1158
Multi-factor authentication mechanisms using a mobile device

Summary

With the wide use of mobile devices, the number of business transactions carried out through these devices is dramatically
increasing. However, single-factor authentication has many weaknesses when used in the mobile context, which therefore requires strong authentication mechanisms to meet requirements for both security and convenience. As such, there is a strong need to develop multi-factor authentication mechanisms that are applicable to the mobile context.

Recommendation ITU-T X.1158 provides multi-factor authentication mechanisms using a mobile device. This Recommendation describes the weaknesses of single-factor authentication mechanisms, the need for multi-factor authentication mechanisms, the various combinations of multi-factor authentication mechanisms using a mobile device, and the threats to two-factor authentication mechanisms. In addition, security requirements to reduce the threats of single-factor authentication are provided, including potential typical multi-factor authentication mechanisms. This Recommendation assumes the use of a mobile device with subscriber identity module (SIM) card capability, but should not exclude the use of virtual SIM cards. Specifically, this Recommendation is applicable to all applications using mobile devices. This Recommendation is based on the framework described in Recommendation ITU-T X.1154.

History

Edition: 1.0
Recommendation: ITU-T X.1158
Approval: 2014-11-13
Study Group: 17
Unique ID*: 11.1002/1000/12341

Keywords

Authentication, authentication factor, mobile device, multi-factor authentication, two-factor authentication.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE: In this Recommendation, the expression “Administration” is used for conciseness
to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2015

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview of multi-factor authentication
  6.1 Single-factor authentication
  6.2 Two-factor authentication
  6.3 Multi-factor authentication
  6.4 Combination of multi-factor authentication
  6.5 Authentication threats
  6.6 Criteria for selecting a multi-factor authentication method
  6.7 Features of multi-factor authentication mechanisms using a mobile device
7 Security requirements for multi-factor authentication
  7.1 General
  7.2 Mobile device
  7.3 Secure element
  7.4 Service provider
8 Generic mechanisms
  8.1 Entities
  8.2 Operations
  8.3 Authentication models
  8.4 Protocols
Appendix I: Typical scenario for two-factor authentication
Appendix II: Instances of components of multi-factor authentication
  II.1 Smart-card
  II.2 Digital certificate
  II.3 Biometrics
Bibliography

Recommendation ITU-T X.1158

Multi-factor authentication mechanisms using a mobile device

1 Scope

This Recommendation provides multi-factor authentication mechanisms using a mobile device. It describes the weakness of a single-factor authentication mechanism, identifies the need for multi-factor authentication, and provides various combinations of multi-factor authentication mechanisms using a mobile device. General security requirements to reduce the threats associated with a single-factor authentication mechanism are provided. In addition, typical multi-factor authentication protocols are given.

This Recommendation assumes the use of mobile devices with subscriber identity module (SIM) card capability, but should not exclude the use of virtual SIM card capability. Specifically, this Recommendation is applicable to all applications using mobile devices. This Recommendation is based on the framework described in [ITU-T X.1154].

2 References

The following ITU-T Recommendations and other
references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is published regularly. A reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T X.1154] Recommendation ITU-T X.1154 (2013), General framework of combined authentication on multiple identity service provider environments.
[ITU-T X.1254] Recommendation ITU-T X.1254 (2012), Entity authentication assurance framework.

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

3.1.1 authentication factor [ITU-T X.1154]: A type of credential; there are three types of authentication factors: ownership factor, knowledge factor and biometric factor.

3.1.2 authentication protocol [ITU-T X.1254]: A defined sequence of messages between an entity and a verifier that enables the verifier to corroborate the entity's identity.

3.1.3 credential [b-ITU-T X.1252]: Set of data presented as evidence of a claimed identity and/or entitlements.

3.1.4 entity authentication assurance (EAA) [ITU-T X.1254]: A degree of confidence reached in the authentication process that the entity is what it is, or is expected to be (this definition is based on the authentication assurance definition given in [b-ITU-T X.1252]).

3.1.5 man-in-the-middle attack [ITU-T X.1254]: Attack in which an attacker is able to read, insert, and modify messages between two parties without their knowledge.

3.1.6 multi-factor authentication [b-ISO/IEC 19790]: Authentication with at least two independent authentication factors.

3.1.7 verifier [b-ITU-T X.1252]: An entity that verifies and validates identity information.

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 mobile device: A small, hand-held computing device with a subscriber identity module (SIM) card, typically having a display screen with touch input and/or a miniature keyboard, and which is not heavy.

3.2.2 secure element (SE): A dedicated microprocessor system that contains an operating system, memory, application environment and security protocols intended to be used to store sensitive data and execute sensitive applications.

NOTE: A secure element may reside in a universal subscriber identity module (USIM), a dedicated chip on a phone's motherboard, an external plug-in memory card or an integrated circuit card.

3.2.3 subscriber identity module (SIM): An integrated chip used mostly in mobile devices that operate in the global system for mobile communications (GSM) network.

NOTE: It securely stores the
international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers in mobile telephony devices.

3.2.4 verify: Check information by comparing the provided information with previously corroborated information and the binding to the entity.

3.2.5 virtual subscriber identity module (SIM) card: A software application that emulates a SIM card in a mobile device, which does not require a physical SIM card.

4 Abbreviations and acronyms

This Recommendation uses the following abbreviations:

ATM   Automated Teller Machine
CA    Certification Authority
DNA   Deoxyribonucleic Acid
DoS   Denial of Service
EAA   Entity Authentication Assurance
GSM   Global System for Mobile communications
HSM   Hardware Security Module
HTTP  Hypertext Transfer Protocol
IC    Integrated Circuit
IMSI  International Mobile Subscriber Identity
IT    Information Technology
LAN   Local Area Network
MAC   Media Access Control
NFC   Near Field Communication
OOB   Out Of Band
OSP   One-time password Service Provider
OTP   One-Time Password
PC    Personal Computer
PIN   Personal Identification Number
PKI   Public Key Infrastructure
RP    Relying Party
SE    Secure Element
SIM   Subscriber Identity Module
SMS   Short Message Service
TAN   Transaction Authentication Number
TEE   Trusted Execution Environment
TPM   Trusted Platform Module
USIM  Universal Subscriber Identity Module
WiFi  Wireless Fidelity

5 Conventions

In this Recommendation:

The keywords “is required to” indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this Recommendation is to be claimed.

The keywords “is recommended” indicate a requirement which is recommended but which is not absolutely required. Thus, this requirement need not be present to claim conformance.

The keywords “is prohibited from” indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this Recommendation is to be claimed.

The keywords “can optionally” indicate an optional requirement which is permissible, without implying any sense of
being recommended. This term is not intended to imply that the vendor's implementation must provide the option, and the feature can be optionally enabled by the network operator/service provider. Rather, it means the vendor may optionally provide the feature and still claim conformance with this Recommendation.

6 Overview of multi-factor authentication

6.1 Single-factor authentication

Single-factor authentication is a typical form of authentication that requires, for example, a user name and password before granting access to the user. Table 1 illustrates typical examples of single-factor authentication [ITU-T X.1254].

Table 1: Typical single-factor authentication

Authentication factor: Something an entity knows (Knowledge factor)
Examples: Password, personal identification number (PIN), passphrase, mother's name, phone number.

Authentication factor: Something an entity has (Possession factor)
Examples: Smart cards, tokens, one-time password (OTP), driver's license, public key infrastructure (PKI) certificate.

Authentication factor: Something an entity is (Inherence factor)
Examples: Fingerprints, hand geometry, facial image, iris, r
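As an added example, not text or code from the Recommendation: a small Python model of the verifier of clause 3.1.7 applying clause 3.2.4 (compare presented information against previously corroborated information bound to the entity) and clause 3.1.6 (multi-factor means at least two independent factor types). The credential kinds, the PBKDF2 password storage and the RFC 4226 HOTP code standing in for the possession factor of Table 1 are my assumptions; X.1158 prescribes no particular algorithm.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"  # clause 3.1.1 types

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): an assumption here, X.1158 prescribes no OTP algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Credential:
    factor: str   # factor type the credential is presented under
    kind: str     # "password" (knowledge) or "otp" (possession of the device/token)
    value: str

class Verifier:
    """Holds previously corroborated information bound to each entity (clause 3.2.4)."""
    def __init__(self) -> None:
        self.records: dict = {}

    def enrol(self, entity: str, password: str, otp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.records[entity] = {"pw": (salt, self._hash(password, salt)),
                                "otp": [otp_secret, 0]}   # shared secret, next counter

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify_one(self, entity: str, cred: Credential) -> bool:
        rec = self.records.get(entity)
        if rec is None:                      # no binding to the claimed entity
            return False
        if cred.kind == "password":
            salt, digest = rec["pw"]
            return hmac.compare_digest(digest, self._hash(cred.value, salt))
        if cred.kind == "otp":
            secret, counter = rec["otp"]
            if hmac.compare_digest(hotp(secret, counter), cred.value):
                rec["otp"][1] = counter + 1  # a one-time code is accepted once only
                return True
        return False

    def corroborated_factors(self, entity: str, creds: list) -> int:
        """Independent factor types corroborated; >= 2 means multi-factor (clause 3.1.6)."""
        return len({c.factor for c in creds if self._verify_one(entity, c)})
```

Two credentials of the same factor type count once, which is the point of the word "independent" in clause 3.1.6; a replayed one-time code is rejected because the counter has moved on.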