ITU-T X.1163-2015 Security requirements and mechanisms of peer-to-peer-based telecommunication networks (Study Group 17).pdf

Uploaded by: explodesoak291  Document ID: 804541  Upload date: 2019-02-04  Format: PDF  Pages: 26  Size: 1.13 MB

International Telecommunication Union

ITU-T X.1163
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(05/2015)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Secure applications and services – Peer-to-peer security

Security requirements and mechanisms of peer-to-peer-based telecommunication networks

Recommendation ITU-T X.1163

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS  X.1–X.199
OPEN SYSTEMS INTERCONNECTION  X.200–X.299
INTERWORKING BETWEEN NETWORKS  X.300–X.399
MESSAGE HANDLING SYSTEMS  X.400–X.499
DIRECTORY  X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS  X.600–X.699
OSI MANAGEMENT  X.700–X.799
SECURITY  X.800–X.849
OSI APPLICATIONS  X.850–X.899
OPEN DISTRIBUTED PROCESSING  X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects  X.1000–X.1029
  Network security  X.1030–X.1049
  Security management  X.1050–X.1069
  Telebiometrics  X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security  X.1100–X.1109
  Home network security  X.1110–X.1119
  Mobile security  X.1120–X.1139
  Web security  X.1140–X.1149
  Security protocols  X.1150–X.1159
  Peer-to-peer security  X.1160–X.1169
  Networked ID security  X.1170–X.1179
  IPTV security  X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity  X.1200–X.1229
  Countering spam  X.1230–X.1249
  Identity management  X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications  X.1300–X.1309
  Ubiquitous sensor network security  X.1310–X.1339
  PKI related Recommendations  X.1340–X.1349
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity  X.1500–X.1519
  Vulnerability/state exchange  X.1520–X.1539
  Event/incident/heuristics exchange  X.1540–X.1549
  Exchange of policies  X.1550–X.1559
  Heuristics and information request  X.1560–X.1569
  Identification and discovery  X.1570–X.1579
  Assured exchange  X.1580–X.1589
CLOUD COMPUTING SECURITY
  Overview of cloud computing security  X.1600–X.1601
  Cloud computing security design  X.1602–X.1639
  Cloud computing security best practices and guidelines  X.1640–X.1659
  Cloud computing security implementation  X.1660–X.1679
  Other cloud computing security  X.1680–X.1699

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1163 (05/2015)

Recommendation ITU-T X.1163

Security requirements and mechanisms of peer-to-peer-based telecommunication networks

Summary

Because of the obvious merits of peer-to-peer (P2P) networks (such as lower cost, scalability and fault tolerance), some operators began to consider the possibility of constructing the next-generation kernel network based on P2P. In order to implement an operable and manageable P2P-based telecommunication network, the security solution must be a critical part of it.

The distributed service network (DSN) defined in Recommendations ITU-T Y.2206 and ITU-T Y.2080 is designed as a telecommunication network based on P2P. The capability requirements and the functional architecture are defined in Recommendations ITU-T Y.2206 and ITU-T Y.2080, respectively; however, the security aspects are not addressed in either of these two Recommendations. The security requirements and mechanisms defined in Recommendation ITU-T X.1163 complement the DSN-related work.

Recommendation ITU-T X.1163 provides a security guideline for a telecommunication network based on P2P technology. It briefly introduces the characteristics of the network, it also analyses the security requirements of the network and the services, and it specifies the security mechanisms to fulfil these requirements.

History

Edition: 1.0
Recommendation: ITU-T X.1163
Approval: 2015-05-29
Study Group: 17
Unique ID*: 11.1002/1000/12476

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2015

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Architecture of telecommunication network based on P2P
7 Security requirements analysis
  7.1 Authentication and authorization
  7.2 Trust management
  7.3 Confidentiality
  7.4 Integrity
  7.5 Digital rights management
8 Security mechanisms
  8.1 Authentication and authorization mechanism
  8.2 Trust management mechanism
  8.3 Confidentiality and integrity mechanisms
  8.4 Digital rights management mechanism in streaming services
Appendix I Relationship of Recommendation ITU-T X.1163 and DSN-related Recommendations
  I.1 Comparison between this Recommendation and [b-ITU-T Y.2206] and [ITU-T Y.2080]
  I.2 Mapping with DSN functional architecture in [ITU-T Y.2080]
Bibliography

1 Scope

This Recommendation provides a security guideline for a telecommunication network based on peer-to-peer (P2P) technology, including the network characteristics, the security requirements of the network and the services, as well as security mechanisms to fulfil these requirements.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T Y.2080]  Recommendation ITU-T Y.2080 (2012), Functional architecture for distributed service networking.
[3GPP TS 33.102]  3GPP TS 33.102 V7.1.0 (2006), 3G Security; Security architecture.

3 Definitions

3.1 Terms defined elsewhere

None.

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 ContentID: An identity number which is the same in different content fragments to identify the fragments of the same content file.

3.2.2 copyright problem: Legal issue resulting from spreading copies without the permission and authorization of the owner.

3.2.3 privacy problem: Attackers steal private information without the permission of or authorization by the owner.

3.2.4 KeyID: An identity number to identify a key in the security algorithms.

3.2.5 KeySeed: A random number based on a key which will be produced in the security algorithms.

3.2.6 trust: The relationship between two entities where each one is certain that the other will behave exactly as it expects.

4 Abbreviations and acronyms

This Recommendation uses the following abbreviations and acronyms:

AF  Application Function
AKA  Authentication and Key Agreement
AUTN  Authentication Token
AV  Authentication Vector
CDF  Content Delivery Function
CK  Confidentiality Key
C/S  Client/Server
CS  Content Server
CSAF  Content Service Application Function
DHT  Distributed Hash Table
DoS  Denial of Service
DRM  Digital Rights Management
DSN  Distributed Service Network
EF  End-user Function
GPRS  General Packet Radio Service
GSM  Global System for Mobile communications
HLR  Home Location Register
ICT  Information and Communication Technology
ID  Identity
IK  Integrity Key
IP  Internet Protocol
MF  Management Function
NAT  Network Address Translation
NEF  Node Enrolment Function
NGN  Next-Generation Network
P2P  Peer-to-Peer
PC  Personal Computer
QoS  Quality of Service
RAND  Random number (used for authentication)
RES  Response
RF  Relay Function
RLF  Resource Location Function
SCF  Service Control Function
SP  Streaming Packer
SS  Streaming Server
TOCF  Traffic Optimization Control Function
UE  User Equipment
USIM  Universal Subscriber Identity Module
VoIP  Voice over IP
WLAN  Wireless Local Area Network
XRES  expected Response

5 Conventions

In this Recommendation:

The keywords "is required to" indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this Recommendation is to be claimed.

The keywords "is recommended" indicate a requirement which is recommended but which is not absolutely required. Thus, this requirement need not be present to claim conformance.

6 Architecture of a telecommunication network based on P2P

The architecture of constructing a telecommunication network based on P2P technology is as shown in Figure 6-1.

Figure 6-1 – Telecommunication network architecture based on P2P

In Figure 6-1, the core network based on P2P technology is connected with users through the access network (e.g., the global system for mobile communications (GSM), the general packet radio service (GPRS), the wireless local area network (WLAN)) and provides different services to them.

The distributed service network (DSN) architecture defined in ITU-T Y.2080 can be regarded as a conceptual model of the telecommunication network architecture based on P2P. For the convenience of defining the security requirements and mechanisms of a P2P-based telecommunication network, the network elements are simplified in Figure 6-1 compared to the architecture defined in ITU-T Y.2080. See Appendix II for the mapping relationship between the two architectures.

The nodes in this architecture can be divided into three types:

Core node: Nodes of this type are deployed and configured by the operator. Operators are able to control these nodes completely. The main functions of these nodes include signal processing, data transmission and billing generation, etc.

User node: Nodes of this type are terminals owned by users, e.g., personal computers (PCs), mobile terminals, etc., and use the services provided by the network. In some cases, user nodes have the ability to transfer data packets to other user nodes. Those user nodes which transfer data to other user nodes can be called relay nodes.

Relay node: Nodes of this type relay data packets in order to improve node reachability. If a node cannot meet the request of the origin, the node relays the packet(s). Additionally, these nodes can relay multicasting packets to neighbouring peers in multicasting service.

The main characteristics of such a telecommunication network based on P2P are as follows:

1) Distributed network architecture
The P2P-based core network has no centralized node. Such a network is highly decentralized and hence has only weak ability for resource coordination. The network exploits diverse connectivity between nodes and the rich set of resources (e.g., computing power and storage) available at each node rather than conventional centralized resources to provide distributed computing power and services. With the rapid advancement of ICT, many more aggregate information and computing resources are available from distributed nodes than from a limited number of centralized servers.

2) Robustness and scalability
First, as services are provided by distributed servers and nodes, the influence on other nodes is limited when some nodes are subject to intrusion or destruction. Second, the P2P network is self-organized and can adjust the topology automatically to maintain connectivity between peers when parts of the nodes have failed. Third, the network can adjust itself automatically according to the change of network bandwidth, load balance, and the number of nodes.

3) Privacy protection
Because the transferring path of the data is distributed, there is no single point at which to intercept data packets. This reduces significantly wiretapping threats and information leakage.

4) Load balance
The P2P-based architecture reduces the requirements for computing capability and storage capacity as in a traditional client/server (C/S) structure. As the resources are stored in different server peers in a distributed manner, the network can afford better load balance.

5) Self-management
In P2P-based networks, nodes are not fully controlled by a central system. The network nodes can manage themselves to a large extent in many aspects including security policy defi
