ITU-T X 1153-2011 Management framework of a one time password-based authentication service (Study Group 17)《验证业务一次性密码的管理结构 17号研究组》.pdf

《ITU-T X 1153-2011 Management framework of a one time password-based authentication service (Study Group 17)《验证业务一次性密码的管理结构 17号研究组》.pdf》由会员分享，可在线阅读，更多相关《ITU-T X 1153-2011 Management framework of a one time password-based authentication service (Study Group 17)《验证业务一次性密码的管理结构 17号研究组》.pdf（42页珍藏版）》请在麦多课文档分享上搜索。

1、 International Telecommunication Union ITU-T X.1153TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (02/2011) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols Management framework of a one time password-based authentication service R

2、ecommendation ITU-T X.1153 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND

3、SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099

4、 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECUR

5、ITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/

6、state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendations

7、. Rec. ITU-T X.1153 (02/2011) i Recommendation ITU-T X.1153 Management framework of a one time password-based authentication service Summary Recommendation ITU-T X.1153 provides a management framework of a one time password (OTP)-based authentication service to support multi-factor authentication. S

8、pecifically, this Recommendation includes the general management framework, the centralized management framework, the enhanced centralized framework, and the cross-domain management framework. These frameworks consist of the OTP management models, OTP management operations, and security consideratio

9、ns for providing the OTP authentication service in a secure telecommunication network. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1153 2011-02-13 17 Keywords Management framework, multi-factor authentication, one time password. ii Rec. ITU-T X.1153 (02/2011) FOREWORD The Interna

10、tional Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, oper

11、ating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, p

12、roduce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In

13、this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g.,

14、 interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not sugg

15、est that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evid

16、ence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which m

17、ay be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2011 All rights reserved. No part of this publication may b

18、e reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1153 (02/2011) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 3 5 Conventions

19、 3 6 OTP-based authentication service 4 6.1 Introduction 4 6.2 General features 4 6.3 OTP-based authentication service 8 7 OTP management architecture . 9 7.1 OTP entities 9 7.2 OTP management blocks 9 7.3 OTP management framework . 11 7.4 OTP management procedures . 13 7.5 OTP management requiremen

20、ts . 14 8 General management framework 15 8.1 OTP management model for the general management framework 15 8.2 OTP management operations for the general management framework . 16 8.3 Security considerations for the general management framework 17 9 Interoperable management frameworks . 18 9.1 Centra

21、lized management framework 18 9.2 Enhanced centralized management framework 20 9.3 Cross-domain management framework 23 Appendix I Service deployment scenarios 26 I.1 Overview of service deployment scenarios 26 I.2 Local network access control scenario . 26 I.3 Remote access control scenario 29 I.4

22、Application/contents access control scenario . 32 Bibliography. 34 Rec. ITU-T X.1153 (02/2011) 1 Recommendation ITU-T X.1153 Management framework of a one time password-based authentication service 1 Scope The one time password (OTP) authentication service supports multi-factor authentication throug

23、h an OTP token that creates a password for one-time use only. OTP has been developed to cope with fundamental security threats inherent in the traditional static password while requiring each OTP user to have several OTP tokens for the authentication service unless a management framework is provided

24、. This framework enables using the service with only one token. This Recommendation provides the management framework of a one time password (OTP)-based authentication service to support multi-factor authentication. In addition, it offers an interoperable management framework that allows sharing of

25、a single OTP token among different service providers. Specifically, this Recommendation provides the following: overview of an OTP-based authentication service; a general management framework including an OTP management model, OTP management operations, and security considerations in providing the O

26、TP-based authentication service; additional features for the interoperable management framework for sharing the OTP token. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At

27、the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed be

28、low. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.811 Recommendation ITU-T X.811 (1995) | ISO/IEC 10181-2:1996, Information techn

29、ology Open Systems Interconnection Security frameworks for open systems: Authentication framework. ITU-T X.842 Recommendation ITU-T X.842 (2000) | ISO/IEC TR14516:2002, Information technology Security techniques Guidelines for the use and management of trusted third party services. 3 Definitions 3.1

30、 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 identity provider b-ITU-T X.1252: An entity that verifies, maintains and manages, and may create and assign identity information of other entities. 3.1.2 tamper detection b-FIPS PUB 140-2: A cryptographic

31、modules automatic determination that an attempt has been made to compromise the physical security of the module. 2 Rec. ITU-T X.1153 (02/2011) 3.1.3 tamper evidence b-FIPS PUB 140-2: The external indication that an attempt has been made to compromise the physical security of a cryptographic module.

32、(The evidence of tamper attempt should be observable by an operator subsequent to the attempt.) 3.1.4 tamper response b-FIPS PUB 140-2: The automatic action taken by a cryptographic module when tamper detection has occurred (the minimum response action is the zeroization of plaintext keys and CSPs).

33、 3.1.5 trusted third party (TTP) ITU-T X.842: An organisation or its agent that provides one or more security services, and is trusted by other entities with respect to activities related to these security services. A TTP is used to offer value-added services to entities wishing to enhance the trust

34、 and business confidence in the services that they receive and to facilitate secure communications between business trading partners. TTPs need to offer value with regard to confidentiality, integrity and availability of the services and information involved in the communications between business ap

35、plications. TTPs should be able to choose the entities to which they will provide services. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 authentication factor: A piece of information used to authenticate or verify a persons identity with regard to a

36、ppearance or in a procedure for security purposes and with respect to individually granted access rights. Authentication factors consist of ownership factor, knowledge factor, and inherent factor. 3.2.2 authentication framework based on ITU-T X.811: A general framework for the provision of authentic

37、ation service; two-party and (trusted) third-party authentication frameworks. 3.2.3 authorization framework based on b-IETF RFC 2904: An architectural framework for understanding the authorization of Internet resources and services; single domain and roaming sequence models. 3.2.4 multi-factor authe

38、ntication: The combined use of more than one authentication factor. Multi-factor authentication is either two-factor or three-factor. Note, however, that using two types of the same factor is not multi-factor authentication. 3.2.5 one time password based on b-IETF RFC 2289: A password that can be us

39、ed only once as it is changed every time an OTP user logs into the computer system and network. It is secure against the passive attacks allowed by the replaying of captured reusable passwords such as traditional fixed passwords. 3.2.6 OTP authentication system: A system that supports OTP validation

40、 for Internet resource access (e.g., login) and other application services requiring authentication. It consists of OTP validation server(s), protocols, facilities, and related-operational system. 3.2.7 OTP service provider: The provider(s) of the OTP validation service offering multi-factor authent

41、ication service to other service providers, e.g., Internet service provider or application/contents service provider. A trusted third party would be a good example for OTP service provider to perform OTP validation more efficiently. The OTP service provider does not necessarily have the role of iden

42、tity provider as defined in b-ITU-T X.1141. 3.2.8 OTP token: A physical device that generates OTP, wherein a token means that the OTP user possesses and controls a key or password used to authenticate the OTP users identity. Such physical device embeds the display showing OTP and the numeric keypad

43、optionally. 3.2.9 OTP token identifier: A unique identifier assigned to each OTP token for distinguishing it from other OTP tokens. It may consist of alphanumeric characters. Rec. ITU-T X.1153 (02/2011) 3 3.2.10 OTP token vendor: An OTP device manufacturer or vendor dispensing the OTP token to the s

44、ervice provider. 3.2.11 OTP user: A user who carries the OTP token and tries to log into a particular system or use other application services through multi-factor authentication. 3.2.12 OTP validation server: A dedicated server managed by OTP service providers or service providers to validate the O

45、TPs generated by OTP users using their OTP tokens. 3.2.13 service agreement: A mutual agreement regarding the service level among service providers. This agreement includes contracts such as security level, performance level, and billing policy for the provision of the OTP authentication service. 3.

46、2.14 service provider: An Internet service provider and/or an application/contents service provider possessing a dedicated authentication system for verifying subscribers/users. The service provider can be provided with the OTP authentication service directly or through either the identity provider

47、or the OSP. 3.2.15 side-channel attack: Any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms. For example, timing information, power consumption, electromagnetic leaks or even sound can provide

48、an extra source of information which can be exploited to break the system. Many side-channel attacks require considerable technical knowledge of the internal operation of the system on which the cryptography is implemented. 4 Abbreviations and acronyms This Recommendation uses the following abbrevia

49、tions and acronyms: ACSP Application and Contents Service Provider IdP Identity Provider ISP Internet Service Provider OSP OTP Service Provider OTP One Time Password PIN Personal Identification Number PKI Public Key Infrastructure SA Service Agreement TTP Trusted Third Party 5 Conventions The keywords “is required to“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this Recommendation is to be claimed. The keywords “is recommend