1、 International Telecommunication Union ITU-T X.1164TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Peer-to-peer security Use of service providers user authentication infrastructure to implemen
2、t public key infrastructure for peer-to-peer networks Recommendation ITU-T X.1164 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYST
3、EMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Secur
4、ity management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169Networked ID security X
5、.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANG
6、E Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further det
7、ails, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1164 (10/2012) i Recommendation ITU-T X.1164 Use of service providers user authentication infrastructure to implement public key infrastructure for peer-to-peer networks Summary Peer entity authentication is a mandatory requiremen
8、t for securing peer-to-peer communications. However, especially in pure peer-to-peer (P2P) networks, it is difficult for peers to authenticate corresponding peer entities because there is no central server for authentication they can rely on. In addition, the existing public key infrastructure (PKI)
9、 has little use for this purpose because those peer entities rarely have public key certificates issued by well-known certification authorities. The purpose of Recommendation ITU-T X.1164 is to define mechanisms to utilize service providers user authentication infrastructure to implement PKI for P2P
10、 networks, with which users who have a valid e-mail account managed by a service provider can issue certificates to their devices by themselves and make those certificates verifiable by corresponding peers in P2P networks. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1164 2012-10-
11、14 17 Keywords Peer entity authentication, P2P, peer to peer, PKI, public key infrastructure. ii Rec. ITU-T X.1164 (10/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologie
12、s (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunic
13、ation Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of
14、information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating
15、 agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or
16、 some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice
17、 or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation developmen
18、t process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore s
19、trongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1164 (10/2012) iii Table of Contents Page 1 Scope 1 2 Refe
20、rences. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 2 6 Overview 2 6.1 Model of peer-to-peer communications between devices of peer users . 2 6.2 Overview of mechanisms used for implementing PKI for P2P net
21、works 3 6.3 Usage scenarios 4 7 Information denoted in a peer device certificate 4 8 Operations provided by the service provider 5 8.1 Upload of CA certificate and CRL . 5 8.2 Retrieval of CA certificate and CRL 5 9 Peer entity authentication procedure 5 10 Security considerations . 5 10.1 Authentic
22、ity and integrity of CA certificates . 5 10.2 Scope of peer devices name . 5 10.3 Trustworthiness of service providers 6 Bibliography. 7 Rec. ITU-T X.1164 (10/2012) 1 Recommendation ITU-T X.1164 Use of service providers user authentication infrastructure to implement public key infrastructure for pe
23、er-to-peer networks 1 Scope Recommendation ITU-T X.1164 describes the mechanisms for utilizing service providers user authentication infrastructure to implement public key infrastructure (PKI) used for securing peer-to peer (P2P) networks. The described mechanisms allow a peer in P2P networks to ver
24、ify public key certificates, issued by the owner (peer user), of a corresponding peer. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the edition
25、s indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid I
26、TU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open systems interconnection Th
27、e Directory: Public-key and attribute certificate frameworks. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 authentication b-ITU-T X.800: See data origin authentication defined in clause 3.1.3, and peer entity authentication defined i
28、n clause 3.1.5. 3.1.2 certificate revocation list (CRL) ITU-T X.509: A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. In addition to the generic term CRL, some specific CRL types are defined for CRLs that cover particular scopes. 3.1.3 dat
29、a origin authentication b-ITU-T X.800: The corroboration that the source of data received is as claimed. 3.1.4 peer b-ITU-T X.1161: Communication node on P2P network that functions simultaneously as both “client“ and “server“ to the other nodes on the network. 3.1.5 peer entity authentication b-ITU-
30、T X.800: The corroboration that a peer entity in an association is the one claimed. 3.1.6 peer user b-ITU-T X.1162: A peer user is one who uses a computer system to access the P2P network. A peer user in a P2P network is similar to a user in the Internet, with slight differences. Specifically, peer
31、users in the P2P network have a different operational context including personal interests, resource plans, security considerations, etc. 3.1.7 public key certificate (PKC) ITU-T X.509: The public key of a user, together with some other information, rendered unforgeable by digital signature with the
32、 private key of the certification authority (CA) which issued it. 2 Rec. ITU-T X.1164 (10/2012) 3.1.8 public key infrastructure (PKI) ITU-T X.509: The infrastructure able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services. 3.2 T
33、erms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: CA Certification Authority CRL Certificate Revocation List FQDN Fully Qualified Domain Name HTTPS Hypertext Transfer Protocol over Secure Socket layer P2P Peer-to
34、-Peer PDA Personal Digital Assistant PKC Public Key Certificate PKI Public Key Infrastructure S/MIME Secure Multipurpose Internet Mail Extensions URL Uniform Resource Locator 5 Conventions None. 6 Overview 6.1 Model of peer-to-peer communications between devices of peer users A model of peer-to-peer
35、 communications between devices of peer users is shown in Figure 1. Rec. ITU-T X.1164 (10/2012) 3 X.1164(12)_F01Service provider Service providerP2P networkSubscribeSubscribePeer userPeer userBob()Peer deviceJoinJoinPeer deviceP2P communicationAlice()PC(s PC)PDA(s PDA)Own/manageOwn/manage() ()Figure
36、 1 Model of peer-to-peer communications between devices of peer users There are four entities in this model: peer user, peer device, service provider and P2P network. In this model, a peer user is identified by her/his e-mail address and the identity of the peer device is asserted by its owner (peer
37、 user). A service provider has the ability to authenticate its users and authorize them to upload their public key information, which can then be consulted by peers in P2P networks and is used for peer entity authentication. The purpose of peer entity authentication in this model is to prove the ide
38、ntity of a corresponding peer and its owner. 6.2 Overview of mechanisms used for implementing PKI for P2P networks The purpose of the mechanisms described in this Recommendation is to make a public key certificate of a peer device issued by its owner verifiable by anyone. To achieve this, each user
39、acts as a certification authority (CA) for managing public key certificates of her/his own devices. Service providers, then, play the key role in associating users identity with their CA public key. A service provider which supports the PKI scheme described in this Recommendation has to implement th
40、e following two operations. Upload of CA certificate and certificate revocation list (CRL) of a users CA: Authenticate users and authorize them to upload their CA certificate and CRL. Retrieval of CA certificate and CRL of a users CA: Allow anyone to retrieve uploaded CA certificate and CRL in such
41、a way that the binding between the retrieved information and its users identity (i.e., e-mail address) can be guaranteed. When utilizing this PKI scheme, a user first generates her/his own CA public key pair and uses it for issuing public key certificates to her/his devices used for P2P networking.
42、The user uses her/his e-mail address as the identity of the certificate issuer. The user, then, uploads the CA certificate and CRL to her/his service provider. 4 Rec. ITU-T X.1164 (10/2012) When verifying a certificate of a corresponding peer, a peer retrieves a CA certificate and CRL from the certi
43、ficate issuers service provider and uses them to verify authenticity and validity of the certificate. 6.3 Usage scenarios 6.3.1 Building a closed P2P network with friends By having a member list consisting of e-mail addresses, a P2P network can authenticate joining peers so that only peer devices th
44、at are owned by users in the member list will be permitted to join the network. 6.3.2 Access control for P2P resources and services A peer can implement authentication and authorization mechanisms in order to allow only corresponding peers that are owned by certain users specified by their e-mail ad
45、dress to access its resources and services. With the PKI scheme described in this Recommendation, peers do not have to share passwords or secret information beforehand to implement these security mechanisms. 7 Information denoted in a peer device certificate A peer device certificate has to contain
46、the following information in order to make it verifiable. The e-mail address of the issuer: The issuer field of the ITU-T X.509 certificate must contain the e-mail address of the issuer as the emailAddress attribute. e.g., issuer: CN=Alice/emailAddress= The uniform resource locator (URL) of the issu
47、ers CA certificate: The issuerAltName field of the ITU-T X.509 certificate must contain the URL of the issuers CA certificate. The URL of the issuers CA certificate must take the form: https:/usercert.:/.cer where is exactly the same as the domain part of the issuers e-mail address (e.g., ), and is
48、the same as the local part of the e-mail address (e.g., alice). “:“ can be omitted. e.g., issuerAltName: https:/ The URL of the CRL: The cRLDistributionPoints field of the ITU-T X.509 certificate must contain the URL of the CRL. The URL of the CRL must take the form: https:/usercert.:/.crl where is exactly the same as the domain part of the issuers e-mail address (e.g., ), and is the same as the local part of the e-mail address (e.g., alice). “:“ can be omitted. e.g., cRLDistributionPoints: https:/ The correspondence between the e-mail address of the issuer and URLs for CA certific
