1、 International Telecommunication Union ITU-T X.1254TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management Entity authentication assurance framework Recommendation ITU-T X.1254 ITU-T X-SERIES R
2、ECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.
3、700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast
4、 security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering
5、spam X.1230X.1249 Identity management X.1250X.1279SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/
6、heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1254 (09/2012) i Recommendat
7、ion ITU-T X.1254 Entity authentication assurance framework Summary This Recommendation defines four levels of entity authentication assurance (i.e., LoA 1 LoA 4), and the criteria and threats for each of the four levels of entity authentication assurance. Additionally, it: specifies a framework for
8、managing the assurance levels; provides guidance concerning control technologies that are to be used to mitigate authentication threats, based on a risk assessment; provides guidance for mapping the four levels of assurance to other authentication assurance schemas; and provides guidance for exchang
9、ing the results of authentication that are based on the four levels of assurance. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1254 2012-09-07 17 ii Rec. ITU-T X.1254 (09/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the
10、 field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standa
11、rdizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is cov
12、ered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. A similar text is published as ISO/IEC 29115. It differs from this text in four instances: 1
13、) clause 3.1.6: the definition for credential is different and in this Recommendation references the definition in Recommendation ITU-T X.1252; 2) Table 10-1: ISO/IEC 29115 includes an example for impersonation that includes use of an identity for an entity that does not exist; 3) clause 10.2.2.1: I
14、SO/IEC 29115 describes SSL as an example of a protected channel; 4) In this Recommendation, Annex A, Characteristics of a credential, is normative. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognize
15、d operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words
16、 “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that t
17、he practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation
18、 development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are
19、therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1254 (09/2012) iii Table of Contents Page 1 Sco
20、pe 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 3 5 Conventions 4 6 Levels of assurance . 4 6.1 Level of assurance 1 (LoA1) 5 6.2 Level of assurance 2 (LoA2) 5 6.3 Level of assurance 3 (LoA3) 6 6.4 Level of
21、assurance 4 (LoA4) 6 6.5 Selecting the appropriate level of assurance 6 6.6 LoA mapping and interoperability . 7 6.7 Exchanging authentication results based on the 4 LoAs 8 7 Actors 9 7.1 Entity 9 7.2 Credential service provider . 9 7.3 Registration authority . 9 7.4 Relying party 9 7.5 Verifier . 1
22、0 7.6 Trusted third party 10 8 Entity authentication assurance framework phases 10 8.1 Enrolment phase . 10 8.2 Credential management phase 13 8.3 Entity authentication phase . 15 9 Management and organizational considerations . 16 9.1 Service establishment . 16 9.2 Legal and contractual compliance
23、16 9.3 Financial provisions 17 9.4 Information security management and audit 17 9.5 External service components 17 9.6 Operational infrastructure . 17 9.7 Measuring operational capabilities . 17 10 Threats and controls 18 10.1 Threats to, and controls for, the enrolment phase 18 10.2 Threats to, and
24、 controls for, the credential management phase . 20 iv Rec. ITU-T X.1254 (09/2012) Page 10.3 Threats to, and controls for, the authentication phase 25 11 Service assurance criteria . 29 Annex A Characteristics of a credential . 30 Appendix I Privacy and protection of PII . 31 Bibliography. 33 Rec. I
25、TU-T X.1254 (09/2012) v Introduction Many electronic transactions within or between ICT systems have security requirements which depend upon an understood or specified level of confidence in the identities of the entities involved. Such requirements may include the protection of assets and resources
26、 against unauthorized access, for which an access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes. Recommendation ITU-T X.1254 provides a framework for entity authentication
27、 assurance. Assurance within this Recommendation refers to the confidence placed in all of the processes, management activities and technologies used to establish and manage the identity of an entity for use in authentication transactions. Figure 1 Overview of the entity authentication assurance fra
28、mework Using four specified levels of assurance (LoAs), this Recommendation provides guidance concerning control technologies, processes and management activities, as well as assurance criteria, that should be used to mitigate authentication threats in order to implement the four LoAs. It also provi
29、des guidance for the mapping of other authentication assurance schemes to the specified four levels, as well as guidance for exchanging the results of an authentication transaction. Finally, this Recommendation provides guidance concerning the protection of personally identifiable information (PII)
30、associated with the authentication process. This Recommendation is intended to be used principally by credential service providers (CSPs) and by others having an interest in their services (e.g., relying parties, assessors and auditors of those services). This entity authentication assurance framewo
31、rk (EAAF) specifies the minimum technical, management and process requirements for four LoAs to ensure equivalence among the credentials issued by various CSPs. It also provides some additional management and organizational considerations that affect entity authentication assurance, but it does not
32、set forth specific criteria for those considerations. Relying parties (RPs) and others may find this Recommendation helpful to gain an understanding of what each LoA provides. Additionally, it may be adopted for use within a trust framework to define technical requirements for LoAs. The EAAF is inte
33、nded for, but not limited to, session-based and document-centric use cases using various authentication technologies. Both direct and brokered trust scenarios are possible, within either legal/bilateral arrangements or federations. Rec. ITU-T X.1254 (09/2012) 1 Recommendation ITU-T X.1254 Entity aut
34、hentication assurance framework11 Scope This Recommendation provides a framework for managing entity authentication assurance in a given context. In particular, it: specifies four levels of entity authentication assurance; specifies criteria and guidelines for achieving each of the four levels of en
35、tity authentication assurance; provides guidance for mapping other authentication assurance schemes to the four LoAs; provides guidance for exchanging the results of authentication that are based on the four LoAs; and provides guidance concerning controls that should be used to mitigate authenticati
36、on threats. 2 References None. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 assertion b-ITU-T X.1252: A statement made by an entity without accompanying evidence of its validity. NOTE The meaning of the terms claim and assertion are
37、generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this Recommendation, an assertion is considered to be a stronger statement than a claim. 3.1.2 authentication b-ISO/IEC 18014-2: Provision of assurance in the identity of an entity. 3.1.3 authentication
38、 factor b-ISO/IEC 19790: Piece of information and/or process used to authenticate or verify the identity of an entity. NOTE Authentication factors are divided into four categories: something an entity has (e.g., device signature, passport, hardware device containing a credential, private key); somet
39、hing an entity knows (e.g., password, PIN); something an entity is (e.g., biometric characteristic); something an entity typically does (e.g., behaviour pattern). _ 1Korea (Republic of) has expressed a reservation and will not apply this Recommendation because this Recommendation is in conflict with
40、 regulations in Korea, with regard to the required four levels of entity authentication assurance and their criteria for achieving each of the four levels of entity authentication assurance. 2 Rec. ITU-T X.1254 (09/2012) 3.1.4 claim b-ITU-T X.1252: To state as being the case, without being able to g
41、ive proof. NOTE The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this Recommendation, an assertion is considered to be a stronger statement than a claim. 3.1.5 context b-ITU-T X.1252: An environment wit
42、h defined boundary conditions in which entities exist and interact. 3.1.6 credential b-ITU-T X.1252: A set of data presented as evidence of a claimed identity and/or entitlements. NOTE See Appendix I for additional characteristics of a credential. 3.1.7 entity b-ITU-T X.1252: Something that has sepa
43、rate and distinct existence and that can be identified in a context. NOTE For the purposes of this Recommendation, entity is also used in the specific case for something that is claiming an identity. 3.1.8 identity b-ISO/IEC 24760: Set of attributes related to an entity. NOTE Within a particular con
44、text, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context. 3.1.9 multifactor authentication b-ISO/IEC 19790: Authentication with at least two independent authentication factors. 3.1.10 non-repudiation b-ITU-T X.1252: The ability to protect ag
45、ainst denial by one of the entities involved in an action of having participated in all or part of the action. 3.1.11 repudiation b-ITU-T X.1252: Denial in having participated in all or part of an action by one of the entities involved. 3.2 Terms defined in this Recommendation This Recommendation de
46、fines the following terms: 3.2.1 authentication protocol: A defined sequence of messages between an entity and a verifier that enables the verifier to perform authentication of an entity. 3.2.2 authoritative source: A repository which is recognized as being an accurate and up-to-date source of infor
47、mation. 3.2.3 credential service provider (CSP): A trusted actor that issues and/or manages credentials. 3.2.4 entity authentication assurance (EAA): A degree of confidence reached in the authentication process that the entity is what it is, or is expected to be (this definition is based on the auth
48、entication assurance definition given in b-ITU-T X.1252). NOTE The confidence is based on the degree of confidence in the binding between the entity and the identity that is presented. 3.2.5 identifier: One or more attributes that uniquely characterize an entity in a specific context. 3.2.6 identity
49、 information verification: A process of checking identity information and credentials against issuers, data sources or other internal or external resources with respect to authenticity, validity, correctness and binding to the entity. 3.2.7 identity proofing: The process by which the registration authority (RA) captures and verifies sufficient information to identify an entity to a specified or understood level of assurance. 3.2.8 man-in-t