1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1256 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2016) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management Guidelines and framework for sharing network authenti
2、cation results with service applications Recommendation ITU-T X.1256 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.49
3、9 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security managemen
4、t X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179
5、IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI related Recommendations X.1340X.1349 CYBE
6、RSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange
7、 X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 F
8、or further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1256 (03/2016) i Recommendation ITU-T X.1256 Guidelines and framework for sharing network authentication results with service applications Summary With the surge of mobile devices and applications accessing the Inter
9、net, the network and the service environment are becoming increasingly complicated. As a result, there is a pressing need to simplify the user authentication mechanism to improve user experience and service quality. Many standardization organizations including ITU-T have conducted a lot of research
10、work on the unified authentication mechanism (i.e., single sign-on). However, all the current work is basically focused on unified authentication among the service applications, without considering the relationship with the network authentication. From the network operators perspective, users underg
11、o some forms of network authentication when they access the network. However, when they log in again to request access to a service their initial network authentication is not reused. When adopting an authentication results sharing mechanism between the service and the network, the service applicati
12、ons can identify a user by using the authentication results from the network. Such mechanism allows a user to be authenticated only once by the network and directly gain access to the service. Recommendation ITU-T X.1256 develops guidelines for network operators and service providers to share networ
13、k authentication results, and provides a framework for sharing minimum attributes across multiple services within an established trust relationship. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1256 2016-03-23 17 11.1002/1000/12605 Keywords Authentication, identity attr
14、ibutes, network level authentication. * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1256 (03/2016) FOREWORD The Internati
15、onal Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operat
16、ing and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, pro
17、duce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In th
18、is Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., i
19、nteroperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not sugges
20、t that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidenc
21、e, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may
22、be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2016 All rights reserved. No part of this publication may be r
23、eproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1256 (03/2016) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 1 5 Conventions
24、 2 6 Authentication attributes sharing mechanisms . 2 6.1 Framework 2 6.2 Network pushing mechanism . 4 6.3 Service pulling mechanism . 5 7 Security considerations . 5 Appendix I Use Cases . 7 I.1 Network pushing use case 7 I.2 Service pulling use case 8 Bibliography. 10 Rec. ITU-T X.1256 (03/2016)
25、1 Recommendation ITU-T X.1256 Guidelines and framework for sharing network authentication results with service applications 1 Scope This Recommendation develops guidelines for network operators and service providers to share network authentication results, and provides a framework for sharing minimu
26、m attributes across multiple services within an established trust relationship. The methods for network operators to perform, integrate or implement network level authentication is out of the scope of this Recommendation. 2 References The following ITU-T Recommendations and other references contain
27、provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the po
28、ssibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Reco
29、mmendation. ITU-T X.1254 Recommendation ITU-T X.1254 (2012), Entity authentication assurance framework. 3 Definitions 3.1 Terms defined elsewhere None. 3.2 Terms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: 2G/3G
30、 Second/Third Generation AC Access Controller AKA Authentication and Key Agreement AN Access Network AP Access Point API Application Programming Interface AUG Authentication Gateway BRAS Broadband Remote Access Server EAP-SIM Extensible Authentication Protocol Method for (GSM) Subscriber Identity Mo
31、dules GGSN Gateway GPRS Support Node 2 Rec. ITU-T X.1256 (03/2016) GPRS General Packet Radio Service HTTP Hyper Text Transfer Protocol IMPI IP Multimedia Private Identity IMPU IP Multimedia Public User identity IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IP Internet Pro
32、tocol ISDN Integrated Services Digital Network LoA Level of Assurance MSISDN Mobile Subscriber International ISDN/PSTN Number PSTN Public Switched Telephone Network RADIUS Remote Authentication Dial-In User Service SGSN Serving GPRS Support Node SIM Subscriber Identity Module SIP Session Initiation
33、Protocol SNS Social Network Service UE User Equipment USIM Universal Subscriber Identity Module URI Uniform Resource Identifier WAP Wireless Application Protocol WLAN Wireless Local Area Network 5 Conventions None. 6 Authentication attributes sharing mechanisms 6.1 Framework When users access an ope
34、rators network, it is required that they should be strongly authenticated by the access network. However, this authentication capability does not usually facilitate the services. In most cases, the end users are authenticated respectively on the network and in the service system. For example, end us
35、ers are authenticated by the third generation (3G) network based on the universal subscriber identity module (USIM) card inside their cell phones (what they have), but when they visit a certain social network service (SNS) they need to be authenticated by the web server again based on the (username,
36、 password) pair registered beforehand (what they know). The basic concept of authentication attributes sharing is to enable the services to utilize the authentication attributes of the network. The authentication attributes sharing framework is shown in Figure 6-1. Rec. ITU-T X.1256 (03/2016) 3 Figu
37、re 6-1 Framework of sharing network authentication attributes with service applications In this framework there are two types of authentication attributes sharing mechanisms: Mechanism 1 Network pushing mechanism: transfer the network authentication attributes to service applications directly When t
38、he network access control entity understands the services application layer protocol (e.g., SIP, WAP, HTTP, etc.), it is feasible for it to insert the network authentication attributes into the application layer messages and transfer them directly to the service platform. In this case, no applicatio
39、n programming interface (API) needs to be defined for the service applications to actively obtain the authentication attributes because they only passively receive these parameters contained in the headers of the messages. The service applications may decide to parse and use the headers inserted by
40、the network, or simply ignore them. If the service applications need more attributes than what is pushed, they should use the service pulling mechanism. See Appendix I.1 for a concrete use case. Mechanism 2 Service pulling mechanism: share the network authentication attributes through the authentica
41、tion gateway (AUG) If the network access control entity cannot parse or modify the services application layer messages (e.g., when the application layer protocol is a proprietary one, or the application layer messages are integrity and/or confidentiality protected), a standalone AUG needs to be intr
42、oduced to the network for authentication attributes sharing. The AUG implements well-defined network APIs which the service applications can call to obtain the authentication attributes from the network. 4 Rec. ITU-T X.1256 (03/2016) In addition, if the service applications as mentioned in network p
43、ushing mechanism require more attributes than what is pushed, they should also use this service pulling mechanism to obtain additional authentication attributes from the network. See Appendix I.2 for a concrete use case. 6.2 Network pushing mechanism 6.2.1 Implementation guidance When the user visit
44、s the network, the network access control entity at the border of the network authenticates the users identity. Typical examples of the network access control entity include the access controller (AC) device in a wireless local area network (WLAN), serving GPRS support node (SGSN) or gateway GPRS su
45、pport node (GGSN) in a general packet radio service (GPRS) network, and the broadband remote access server (BRAS) device in a fixed network. The network access control entity knows the user identity as a result of the network authentication. If the network access control entity understands the servi
46、ces application layer protocol (e.g., SIP, WAP, HTTP, etc.) it is feasible for it to encapsulate the users identity and some accompanying information in the service request messages and transfer them to the service platform. If the service platform trusts the network access control entity, it can di
47、rectly extract the user identity from the service requests and regard the user to be authenticated already. In this architecture, the service platform needs to determine whether or not to trust the authentication attributes inserted by the network access control entity. To support this, the network
48、operator should make an agreement with the service provider, and provide a list of trustable access control devices or a mechanism (e.g., pre-shared keys, or digital certificates) to identify the trustable access control devices. The user information transferred between the access control device and
49、 the service platform should be protected. The access control devices of the network should also maintain a white list of the contracted service platforms. The network authentication attributes should only be transferred to the service platforms on the white list. Guidelines on how to achieve this trust relationship is out of the scope of this Recommendation. 6.2.2 Interface description The network authentication attributes are loaded in the application protocol (e.g., SIP or HTTP) heade
