1、 International Telecommunication Union ITU-T Y.2702TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2008) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security Authentication and authorization requirements for NGN rel
2、ease 1 Recommendation ITU-T Y.2702 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interfaces and
3、protocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and resou
4、rce management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 NEXT GENERATION NETWORKS Frameworks and functional architecture mo
5、dels Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.2300Y.2399 Network management Y.2400Y.2499 N
6、etwork control architectures and protocols Y.2500Y.2599 Security Y.2700Y.2799 Generalized mobility Y.2800Y.2899 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T Y.2702 (09/2008) i Recommendation ITU-T Y.2702 Authentication and authorization requirements for NGN rele
7、ase 1 Summary Recommendation ITU-T Y.2702 specifies authentication and authorization requirements for next generation networks (NGNs). Source Recommendation ITU-T Y.2702 was approved on 12 September 2008 by ITU-T Study Group 13 (2005-2008) under the WTSA Resolution 1 procedure. Keywords Attributes,
8、Authentication, Authorization, Identifiers, Identity Management (IdM), Next Generation Network (NGN), Privileges and Security. ii Rec. ITU-T Y.2702 (09/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, informat
9、ion and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldw
10、ide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTS
11、A Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administ
12、ration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provision
13、s are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to th
14、e possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside o
15、f the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest
16、information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2702 (09/2008) iii CONTENTS
17、 Page 1 Scope 1 2 References. 1 3 Definitions 2 3.1 Definitions from ITU-T X.800 2 3.2 Definitions from ITU-T X.810 2 3.3 Definitions from ITU-T X.811 2 3.4 Definitions from ITU-T Y.2701 3 3.5 Terms defined in this Recommendation. 3 4 Abbreviations and acronyms 3 5 Reference models 5 5.1 ITU-T X.811
18、 authentication framework. 5 5.2 Authentication threats. 9 5.3 Authentication assurance 11 5.4 Authorization and privilege management 13 5.5 End-to-end reference architectural model 13 5.6 Relationship with NGN architecture specified in ITU-T Y.2012 14 6 General Requirements 16 7 Authentication and
19、authorization of user for network access. 16 7.1 Description . 16 7.2 General reference model. 17 7.3 Requirements 20 8 Service NGN provider authentication and authorization of user for access to service/application 23 8.1 Description . 23 8.2 Requirements 24 9 User authentication and authorization
20、of NGN providers 27 9.1 Description . 27 9.2 Objectives and requirements 27 10 NGN provider supported user peer-to-peer authentication and authorization 28 11 Mutual network authentication and authorization 28 11.1 Description . 28 11.2 Mutual network authentication requirements. 29 12 NGN provider
21、authentication and authorization of 3rd party service/application provider. 30 12.1 Description . 30 12.2 Requirements 30 13 Use of 3rd party authentication and authorization service . 31 13.1 Description . 31 iv Rec. ITU-T Y.2702 (09/2008) Page 13.2 Requirements 31 14 Authentication and authorizati
22、on of objects. 31 14.1 Description . 31 14.2 Requirements 32 Appendix I SAML use case 33 I.1 Use of b-ITU-T X.1141, Security Assertion Markup Language (SAML 2.0) 33 I.2 Service/application authentication procedures. 33 I.3 Service/application authentication Call flow examples 33 I.4 Security of serv
23、ice/application authentication procedures and mechanisms 34 Appendix II ETS authentication and authorization. 35 II.1 Overview 35 II.2 ETS user authentication and authorization. 35 II.3 NGN provider authentication and authorization for ETS. 36 II.4 ETS authentication and authorization use case examp
24、les 36 Appendix III 3GPP Generic bootstrapping architecture. 41 Appendix IV Identity management (IdM) call flow examples. 43 IV.1 Overview 43 IV.2 Call flow examples. 43 Bibliography. 54 Rec. ITU-T Y.2702 (09/2008) 1 Recommendation ITU-T Y.2702 Authentication and authorization requirements for NGN r
25、elease 1 1 Scope This Recommendation provides authentication and authorization requirements for next generation networks (NGN) based on ITU-T Y.2012. This includes requirements for authentication and authorization across the user-to-network interface (UNI), the network-to-network interface (NNI) and
26、 the application-to-network interface (ANI) as well as any entities internally with a network that may require authentication and authorization. The scope of this Recommendation includes: 1) Authentication and authorization of user for network access (e.g., authentication and authorization of an end
27、 user device, a home network gateway, or an enterprise gateway to obtain access or attachment to the network) 2) Service provider authentication and authorization of user for access to service/application (e.g., authentication and authorization of a user, a device or a combined user/device where the
28、 authentication and authorization apply to NGN service/application access) 3) User authentication and authorization of Network (e.g., user authenticating the identity of the connected NGN network or of the service provider) 4) User peer-to-peer authentication and authorization (e.g., authentication
29、and authorization of the called user (or terminating entity), authentication and authorization of the originating entity, or data origin authentication as network functions) 5) Mutual network authentication and authorization (e.g., authentication and authorization across NNI interface at the transpo
30、rt level, or service/application level) 6) Authentication and authorization of service/application provider 7) Use of 3rd party authentication and authorization service 8) Authentication of objects (e.g., application process, message content and data content identifiers). The items above include aut
31、hentication of flows of the signalling, bearer and management traffic as applicable. In addition, this Recommendation also provides reference models for NGN authentication and authorization. NOTE 1 NGN authentication and authorization is viewed as part of the broader topic of NGN identity management
32、 (IdM). Specifically, the authentication and authorization functions and capabilities described in this Recommendation should be used to support identity assurance capabilities for NGN IdM. NOTE 2 In this Recommendation, the use of the term “user“ is not intended to be restricted to a person. A user
33、 could be a person, groups, companies, or juridical entities. NOTE 3 Authentication of an entity is not intended to indicate positive validation of a person. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute pro
34、visions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendat
35、ions and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. 2 Rec. ITU-T Y.2702 (09/2008) ITU-T X.800 Recommenda
36、tion ITU-T X.800 (1991), Security architecture for Open Systems Interconnections for CCITT applications. ITU-T X.805 Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications. ITU-T X.810 Recommendation ITU-T X.810 (1995) | ISO/IEC 10181-1:1996, Informa
37、tion technology Open System Interconnection Security framework for open systems: Overview. ITU-T X.811 Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information technology Open System Interconnection Security frameworks for open system: Authentication framework. ITU-T Y.2012 Recommendati
38、on ITU-T Y.2012 (2006), Functional requirements and architecture of the NGN release 1. ITU-T Y.2201 Recommendation ITU-T Y.2201 (2007), NGN release 1 requirements. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirements for NGN release 1. 3 Definitions 3.1 Definitions from ITU-T X.800
39、 This Recommendation makes use of the following terms defined in ITU-T X.800: 3.1.1 authentication information: Information used to establish the validity of a claimed identity. 3.1.2 authorization: The granting of rights, which includes the granting of access based on access rights. 3.1.3 credentia
40、l: Data that is transferred to establish the claimed identity of an entity. 3.1.4 data origin authentication: The corroboration that the source of data received is as claimed. 3.1.5 peer-entity authentication: The corroboration that a peer entity in an association is the one claimed. 3.2 Definitions
41、 from ITU-T X.810 This Recommendation makes use of the following terms defined in ITU-T X.810: 3.2.1 trust: Entity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities. 3.2.2 trusted third party:
42、A security authority or its agent that is trusted with respect to some security-relevant activities (in the context of a security policy). 3.3 Definitions from ITU-T X.811 This Recommendation makes use of the following terms defined in ITU-T X.811: 3.3.1 asymmetric authentication method: A method of
43、 authentication, in which not all authentication information is shared by both entities. 3.3.2 authenticated identity: A distinguishing identifier of a principal that has been assured through authentication. 3.3.3 authentication: The provision of assurance of the claimed identity of an entity. Rec.
44、ITU-T Y.2702 (09/2008) 3 3.3.4 authentication certificate: A security certificate that is guaranteed by an authentication authority and that may be used to assure the identity of an entity. 3.3.5 authentication exchange: A sequence of one or more transfers of exchange authentication information (AI)
45、 for the purposes of performing an authentication. 3.3.6 authentication information (AI): Information used for authentication purposes. 3.3.7 authentication initiator: The entity that starts an authentication exchange. 3.3.8 claimant: An entity which is or represents a principal for the purposes of
46、authentication. A claimant includes the functions necessary for engaging in authentication exchanges on behalf of a principal. 3.3.9 claim authentication information (claim AI): Information used by a claimant to generate exchange AI needed to authenticate a principal. 3.3.10 exchange authentication
47、information (exchange AI): Information exchanged between a claimant and a verifier during the process of authenticating a principal. 3.3.11 principal: An entity whose identity can be authenticated. 3.3.12 symmetric authentication method: A method of authentication in which both entities share common
48、 authentication information. 3.3.13 verification authentication information (verification AI): Information used by a verifier to verify an identity claimed through exchange AI. 3.3.14 verifier: An entity which is or represents the entity requiring an authenticated identity. A verifier includes the f
49、unctions necessary for engaging in authentication exchanges. 3.4 Definitions from ITU-T Y.2701 This Recommendation makes use of the following terms defined in ITU-T Y.2701: 3.4.1 border element: Network element providing functions connecting different security and administrative domains. 3.4.2 corporate network: A private network that supports multiple users and may be in multiple locations (e.g., an enterprise, a campus). 3.4.3 security domain: A set of elements, a security policy, a security a
