International Telecommunication Union

ITU-T X.1258
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(09/2016)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cyberspace security – Identity management

Enhanced entity authentication based on aggregated attributes

Recommendation ITU-T X.1258

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS  X.1–X.199
OPEN SYSTEMS INTERCONNECTION  X.200–X.299
INTERWORKING BETWEEN NETWORKS  X.300–X.399
MESSAGE HANDLING SYSTEMS  X.400–X.499
DIRECTORY  X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS  X.600–X.699
OSI MANAGEMENT  X.700–X.799
SECURITY  X.800–X.849
OSI APPLICATIONS  X.850–X.899
OPEN DISTRIBUTED PROCESSING  X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects  X.1000–X.1029
  Network security  X.1030–X.1049
  Security management  X.1050–X.1069
  Telebiometrics  X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security  X.1100–X.1109
  Home network security  X.1110–X.1119
  Mobile security  X.1120–X.1139
  Web security  X.1140–X.1149
  Security protocols  X.1150–X.1159
  Peer-to-peer security  X.1160–X.1169
  Networked ID security  X.1170–X.1179
  IPTV security  X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity  X.1200–X.1229
  Countering spam  X.1230–X.1249
  Identity management  X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications  X.1300–X.1309
  Ubiquitous sensor network security  X.1310–X.1339
  PKI related Recommendations  X.1340–X.1349
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity  X.1500–X.1519
  Vulnerability/state exchange  X.1520–X.1539
  Event/incident/heuristics exchange  X.1540–X.1549
  Exchange of policies  X.1550–X.1559
  Heuristics and information request  X.1560–X.1569
  Identification and discovery  X.1570–X.1579
  Assured exchange  X.1580–X.1589
CLOUD COMPUTING SECURITY
  Overview of cloud computing security  X.1600–X.1601
  Cloud computing security design  X.1602–X.1639
  Cloud computing security best practices and guidelines  X.1640–X.1659
  Cloud computing security implementation  X.1660–X.1679
  Other cloud computing security  X.1680–X.1699

For further details, please refer
to the list of ITU-T Recommendations.

Rec. ITU-T X.1258 (09/2016)

Summary

Aggregating attributes from multiple attribute authorities may be needed in order to enable a relying party to enhance its trust in the identity of a party. The aggregation can be regarded as having to deal with a collection of globally unique identifiers that is common across all attribute authorities. In practice, however, entities do not have a global identifier; they have different entity identifiers and attributes assigned by their various identity service providers (IdSPs). To address the attribute-aggregation problem in this scenario, the concept of identity federation is used. For example, if an e-book store plans to hold a sale for seniors, the store has to be given the aggregated set of attributes (credit card and age bracket) from two IdSPs, without either IdSP learning of the other's involvement. In standard federated identity management, an entity can only provide attributes from one identity, but this transaction requires attributes from two. There are several identity federation methods: security assertion markup language (SAML), Shibboleth, OpenID, OAuth, etc.

Recommendation ITU-T X.1258 introduces the concept of attribute aggregation to allow an entity to aggregate attributes from multiple IdSPs. Attribute aggregation is the mechanism for collecting the attributes of an entity retrieved from multiple IdSPs. Attribute aggregation is needed to aggregate the attributes dynamically, on demand: an IdSP can fulfil the aggregation request when an entity wants to obtain a service. Additionally, an entity-centric attribute aggregation mechanism can also be applied to authentication in order to mitigate privacy leakage.

History

Edition  Recommendation  Approval    Study Group  Unique ID*
1.0      ITU-T X.1258    2016-09-07  17           11.1002/1000/12850

Keywords

Attribute aggregation, federated identity management.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a
worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory
provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2017
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 General
7 Architectures and flows for attribute aggregation methods
  7.1 Identity service provider-mediated methods
  7.2 Service provider-mediated methods
  7.3 Entity-mediated method
8 Comparison of the aggregated authentication methods
Bibliography

Recommendation ITU-T X.1258

Enhanced entity authentication based on aggregated attributes

1 Scope

This Recommendation provides enhanced authentication based on aggregation of entity attributes across domains. This Recommendation covers the following topics:
– methods for aggregating multiple identity service provider (IdSP) attributes; and
– enhanced authentication based on aggregated attributes.

2 References

None.

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

3.1.1 attribute [b-ITU-T X.1252]: Information bound to an entity that specifies a characteristic of the entity.

3.1.2 (entity) authentication [b-ITU-T X.1252]: A process used to achieve sufficient
confidence in the binding between the entity and the presented identity.
NOTE – Use of the term authentication in an identity management (IdM) context is taken to mean entity authentication.

3.1.3 circle of trust [b-ITU-T X.1251]: A set of criteria established for joining organizations within a federation for the purposes of trusted access to each other's resources. Note that a circle of trust is also the end result of joining organizations within a federation.

3.1.4 federation [b-ITU-T X.1252]: An association of users, service providers, and identity service providers.

3.1.5 identity [b-ITU-T X.1252]: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context. For identity management (IdM) purposes, the term identity is understood as contextual identity (a subset of attributes), i.e., the variety of attributes is limited by a framework with defined boundary conditions (the context) in which the entity exists and interacts.
NOTE – Each entity is represented by one holistic identity that comprises all possible information elements characterizing that entity (the attributes). However, this holistic identity is a theoretical construct and eludes any description and practical usage because the number of all possible attributes is indefinite.

3.1.6 identity service provider (IdSP) [b-ITU-T X.1252]: An entity that verifies, maintains, manages, and may create and assign identity information of other entities.

3.2 Terms defined in this Recommendation

This Recommendation defines the following terms:

3.2.1 attribute aggregation: A mechanism for collecting attributes from multiple identity service providers (IdSPs).
NOTE – Once the attributes have been collected, they need to be aggregated and asserted for authentication and authorization.

3.2.2 domain: Management coverage of a single identity service provider (IdSP).

3.2.3 service provider (SP): An entity that provides services to clients or to other service providers.

4 Abbreviations and acronyms

This Recommendation
uses the following abbreviations and acronyms:

CoT     Circle of Trust
DB      Database
ID      Identity
IdM     Identity Management
IdSP    Identity Service Provider
LS      Linking Service
OAuth   Open Authorization
OpenID  Open Identity
PKI     Public Key Infrastructure
SAML    Security Assertion Markup Language
SP      Service Provider
SSO     Single Sign-On
VC      Virtual Collaboration

5 Conventions

None.

6 General

In general, electronic identity management (IdM) covers the management of any form of digital identity. The development of directories, such as those supported by [b-ITU-T X.500], can be regarded as an origin of IdM. [b-ITU-T X.509] defines certificates containing identity attributes. The certificates of [b-ITU-T X.509] and public key infrastructure (PKI) systems serve to prove the online "identity" of a subject. IdM can therefore be considered as the management of identity information.

The identity of an entity may be composed of attributes that characterize this entity in different contexts. Different identities may be needed depending on the context and situation. An IdM system provides tools for the management of these identities in the digital world. IdM is a set of functions and capabilities such as identity creation/deletion, discovery and exchange of information. In the real world, people choose which information can be revealed to others, taking into account the context and sensitivity of the information. In the digital world, in turn, this task is performed by the IdM system.

Based on the technologies and standards related to IdM, IdM system methods are classified as conventional, centralized and federated. The characteristic of the conventional method is that a service provider (SP) handles identities itself and is collocated with the identity service provider (IdSP). An entity creates its digital identity (ID)
for each SP from which it wants to obtain services. Usually, entity IDs are not shared among the different SPs, and this approach tends to be more costly for both the entity and the SPs: each SP may repeatedly require its own set of attributes to form the digital identity of the entity.

The centralized method was developed as a solution to the inflexibility of the conventional method and shares identities among SPs; it is based on the concept of single authentication, single sign-on (SSO). This method tries to avoid the inconsistencies and redundancies of the conventional method, giving entities the capability to interact with various SPs without the need to perform redundant authentications. Every SP that has a trust relationship with an IdSP relies completely on the entity authentications provided by this IdSP. The IdSP is responsible for authenticating an entity and supplying to SPs the attribute information of the entity within a domain, which can represent a company, a university, etc., and is composed of entities, multiple SPs and a single IdSP. SSO provides great convenience to entities, since they only need to perform the authentication process once. Thereafter, entities can use the obtained credentials on all SPs they wish to access. However, the weak point of the centralized method is that the IdSP has absolute control over the information of its entities, and may use that information in any way it wants. This is the main reason why the centralized method has not been widely adopted.

To resolve the problems resulting from the centralized method, the federated identity method was introduced, based on the distribution of the task of authentication over multiple IdSPs. These IdSPs belong to different domains. The concept of federated identity relies on trust relationships that are established among multiple IdSPs and the corresponding domains. To connect distributed identity information between an IdSP and an SP, a trust relationship is required between the two parties. This trust relationship is called a circle of trust (CoT), which may include one or more IdSPs and SPs. In a CoT, if the user is authenticated by an IdSP, then access to SPs within the CoT is permitted without further authentication. As a result, a user needs to be authenticated only once in a CoT [b-ITU-T X.1251]. Federated IdM is an approach to mitigate the risk of relying on a single IdSP and to decrease the information exchanged with the IdSP during authentication. The agreements between IdSPs ensure that identities issued in one domain are recognized by SPs in other domains, and the concept of SSO is available even when different domains are involved. The benefit of federated identities to SPs is that they need to handle less entity information. The Kantara Initiative [b-Kantara], Shibboleth [b-Shibboleth] and Higgins [b-Higgins] follow the federated I