欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    BS ISO IEC 29115-2013 Information technology Security techniques Entity authentication assurance framework《信息技术 安全技术 实体验证保证框架》.pdf

    • 资源ID:396716       资源大小:2MB        全文页数:48页
    • 资源格式: PDF        下载积分:5000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要5000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    BS ISO IEC 29115-2013 Information technology Security techniques Entity authentication assurance framework《信息技术 安全技术 实体验证保证框架》.pdf

    1、raising standards worldwide NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW BSI Standards Publication BS ISO/IEC 29115:2013 Information technology Security techniques Entity authentication assurance frameworkBS ISO/IEC 29115:2013 BRITISH STANDARD National foreword This British

    2、 Standard is the UK implementation of ISO/IEC 29115:2013. The UK participation in its preparation was entrusted to T e c h n i c a l C o m m i t t e e I S T / 3 3 , I T - S e c u r i t y t e c h n i q u e s . A list of organizations represented on this committee can be obtained on request to its sec

    3、retary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013. ISBN 978 0 580 59544 8 ICS 35.040 Compliance with a British Standard ca

    4、nnot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2013. Amendments issued since publication Date T e x t a f f e c t e dBS ISO/IEC 29115:2013Reference number ISO/IEC 29115:2013(E) ISO/IEC 20

    5、13INTERNATIONAL STANDARD ISO/IEC 29115 First edition 2013-04-01 Information technology Security techniques Entity authentication assurance framework Technologies de linformation Techniques de scurit Cadre dassurance de lauthentification dentit BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) COPYRIGHT PR

    6、OTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or

    7、ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2013 All rights reservedBS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IE

    8、C 2013 All rights reserved iiiContents Page Foreword iv Introduction . v 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards . 1 2.2 Paired Recommendations | International Standards . 1 2.3 Additional references 1 3 Terms and definitions . 1 4 Abbreviations . 5

    9、 5 Conventions . 6 6 Levels of assurance 6 6.1 Level of assurance 1 (LoA1) . 7 6.2 Level of assurance 2 (LoA2) . 7 6.3 Level of assurance 3 (LoA3) . 7 6.4 Level of assurance 4 (LoA4) . 8 6.5 Selecting the appropriate level of assurance . 8 6.6 LoA mapping and interoperability . 9 6.7 Exchanging auth

    10、entication results based on the 4 LoAs . 10 7 Actors . 10 7.1 Entity . 10 7.2 Credential service provider 10 7.3 Registration authority . 11 7.4 Relying party 11 7.5 Verifier 11 7.6 Trusted third party . 11 8 Entity authentication assurance framework phases . 11 8.1 Enrolment phase . 12 8.2 Credenti

    11、al management phase 14 8.3 Entity authentication phase . 16 9 Management and organizational considerations . 16 9.1 Service establishment. 17 9.2 Legal and contractual compliance 17 9.3 Financial provisions 17 9.4 Information security management and audit . 17 9.5 External service components 17 9.6

    12、Operational infrastructure 18 9.7 Measuring operational capabilities . 18 10 Threats and controls . 18 10.1 Threats to, and controls for, the enrolment phase 18 10.2 Threats to, and controls for, the credential management phase . 21 10.3 Threats to, and controls for, the authentication phase . 26 11

    13、 Service assurance criteria 30 Annex A (informative) Privacy and protection of PII . 31 Annex B (informative) Characteristics of a credential 33 Bibliography 35 BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) iv ISO/IEC 2013 All rights reservedForeword ISO (the International Organization for Standardiza

    14、tion) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to

    15、 deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO an

    16、d IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by

    17、the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

    18、 rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 29115 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A similar text is published as ITU-T Recommendation X.1254. It

    19、differs from this text in three instances: 1) 3.8: the ISO/IEC definition includes asserted identities; 2) Table 10-1: ISO/IEC includes an example for impersonation that includes use of an identity for an entity that does not exist; 3) 10.2.2.1: ISO/IEC describes SSL as an example of a protected cha

    20、nnel. BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IEC 2013 All rights reserved vIntroduction Many electronic transactions within or between ICT systems have security requirements which depend upon an understood or specified level of confidence in the identities of the entities involved. Such req

    21、uirements may include the protection of assets and resources against unauthorized access, for which an access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes. This Internati

    22、onal Standard provides a framework for entity authentication assurance. Assurance within this International Standard refers to the confidence placed in all of the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication trans

    23、actions. Figure 1 Overview of the Entity Authentication Assurance Framework Using four specified Levels of Assurance (LoAs), this International Standard provides guidance concerning control technologies, processes, and management activities, as well as assurance criteria that should be used to mitig

    24、ate authentication threats in order to implement the four LoAs. It also provides guidance for the mapping of other authentication assurance schemes to the specified four levels, as well as guidance for exchanging the results of an authentication transaction. Finally, this International Standard prov

    25、ides informative guidance concerning the protection of personally identifiable information (PII) associated with the authentication process. Technical Management specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance; provides guidance for mapping

    26、other authentication assurance schemes to the four LoAs; provides guidance for exchanging the results of authentication that are based on the four LoAs; and provides guidance concerning controls that should be used to mitigate authentication threats. 2 Normative references The following documents, i

    27、n whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. 2.1 Identical Recommendations | I

    28、nternational Standards None. 2.2 Paired Recommendations | International Standards None. 2.3 Additional references None. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 assertion statement made by an entity without accompanying evidence of its

    29、 validity ITU-T X.1252 NOTE The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stronger statement than a claim. BS ISO/IEC 29115:2013 ISO/IE

    30、C 29115:2013(E) 2 ISO/IEC 2013 All rights reserved3.2 authentication provision of assurance in the identity of an entity ISO/IEC 18014-2 3.3 authentication factor piece of information and/or process used to authenticate or verify the identity of an entity ISO/IEC 19790 NOTE Authentication factors ar

    31、e divided into four categories: something an entity has (e.g., device signature, passport, hardware device containing a credential, private key); something an entity knows (e.g., password, PIN); something an entity is (e.g., biometric characteristic); or something an entity typically does (e.g., beh

    32、aviour pattern). 3.4 authentication protocol defined sequence of messages between an entity and a verifier that enables the verifier to perform authentication of an entity 3.5 authoritative source repository which is recognized as being an accurate and up-to-date source of information 3.6 claim stat

    33、ement that something is the case, without being able to give proof ITU-T X.1252 NOTE The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stro

    34、nger statement than a claim. 3.7 context environment with defined boundary conditions in which entities exist and interact ITU-T X.1252 3.8 credential set of data presented as evidence of a claimed or asserted identity and/or entitlements NOTE See Annex B for additional characteristics of a credenti

    35、al. 3.9 credential service provider trusted actor that issues and/or manages credentials BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) ISO/IEC 2013 All rights reserved 33.10 entity something that has separate and distinct existence and that can be identified in a context ITU-T X.1252 NOTE For the purp

    36、oses of this International Standard, entity is also used in the specific case for something that is claiming an identity. 3.11 entity authentication assurance degree of confidence reached in the authentication process that the entity is what it is, or is expected to be ITU-T X.1252 NOTE The confiden

    37、ce is based on the degree of confidence in the binding between the entity and the identity that is presented. 3.12 identifier one or more attributes that uniquely characterize an entity in a specific context 3.13 identity set of attributes related to an entity ISO/IEC 24760 NOTE Within a particular

    38、context, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context. 3.14 identity information verification process of checking identity information and credentials against issuers, data sources, or other internal or external resources with respect

    39、to authenticity, validity, correctness, and binding to the entity 3.15 identity proofing process by which the Registration Authority (RA) captures and verifies sufficient information to identify an entity to a specified or understood level of assurance 3.16 man-in-the-middle attack attack in which a

    40、n attacker is able to read, insert, and modify messages between two parties without their knowledge 3.17 multifactor authentication authentication with at least two independent authentication factors ISO/IEC 19790 3.18 mutual authentication authentication of identities of entities which provides bot

    41、h entities with assurance of each others identity BS ISO/IEC 29115:2013 ISO/IEC 29115:2013(E) 4 ISO/IEC 2013 All rights reserved3.19 non-repudiation ability to protect against denial by one of the entities involved in an action of having participated in all or part of the action ITU-T X.1252 3.20 ph

    42、ishing scam by which an email user is duped into revealing personal or confidential information which the scammer can then use illicitly 3.21 registration authority trusted actor that establishes and/or vouches for the identity of an entity to a CSP 3.22 relying party actor that relies on an identit

    43、y assertion or claim 3.23 repudiation denial in having participated in all or part of an action by one of the entities involved ITU-T X.1252 3.24 salt non-secret, often random, value that is used in a hashing process NOTE It is also referred to as sand. 3.25 shared secret secret used in authenticati

    44、on that is known only to the entity and the verifier 3.26 time stamp reliable time variant parameter which denotes a point in time with respect to a common reference 3.27 transaction discrete event between an entity and service provider that supports a business or programmatic purpose 3.28 trust fra

    45、mework set of requirements and enforcement mechanisms for parties exchanging identity information 3.29 trusted third party authority or its agent, trusted by other actors with respect to specified activities (e.g., security-related activities) NOTE A trusted third party is trusted by an entity and/or a verifier for the purposes of authentication. 3.30 validity period time period during which an identity or credential may be used in one or more transactions


    注意事项

    本文(BS ISO IEC 29115-2013 Information technology Security techniques Entity authentication assurance framework《信息技术 安全技术 实体验证保证框架》.pdf)为本站会员(deputyduring120)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开