ITU-T X 1164-2012 Use of service providers- user authentication infrastructure to implement public key infrastructure for peer-to-peer networks (Study Group 17)《(预发布)使用业务供应商提供的用户认证.pdf

《ITU-T X 1164-2012 Use of service providers- user authentication infrastructure to implement public key infrastructure for peer-to-peer networks (Study Group 17)《(预发布)使用业务供应商提供的用户认证.pdf》由会员分享，可在线阅读，更多相关《ITU-T X 1164-2012 Use of service providers- user authentication infrastructure to implement public key infrastructure for peer-to-peer networks (Study Group 17)《(预发布)使用业务供应商提供的用户认证.pdf（16页珍藏版）》请在麦多课文档分享上搜索。

1、 International Telecommunication Union ITU-T X.1164TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Peer-to-peer security Use of service providers user authentication infrastructure to implemen

2、t public key infrastructure for peer-to-peer networks Recommendation ITU-T X.1164 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYST

3、EMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Secur

4、ity management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169Networked ID security X

5、.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANG

6、E Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further det

7、ails, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1164 (10/2012) i Recommendation ITU-T X.1164 Use of service providers user authentication infrastructure to implement public key infrastructure for peer-to-peer networks Summary Peer entity authentication is a mandatory requiremen

8、t for securing peer-to-peer communications. However, especially in pure peer-to-peer (P2P) networks, it is difficult for peers to authenticate corresponding peer entities because there is no central server for authentication they can rely on. In addition, the existing public key infrastructure (PKI)

9、 has little use for this purpose because those peer entities rarely have public key certificates issued by well-known certification authorities. The purpose of Recommendation ITU-T X.1164 is to define mechanisms to utilize service providers user authentication infrastructure to implement PKI for P2P

10、 networks, with which users who have a valid e-mail account managed by a service provider can issue certificates to their devices by themselves and make those certificates verifiable by corresponding peers in P2P networks. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1164 2012-10-

11、14 17 Keywords Peer entity authentication, P2P, peer to peer, PKI, public key infrastructure. ii Rec. ITU-T X.1164 (10/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologie

12、s (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunic

13、ation Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of

14、information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating

15、 agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or

16、 some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice

17、 or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation developmen

18、t process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore s

19、trongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1164 (10/2012) iii Table of Contents Page 1 Scope 1 2 Refe

20、rences. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 2 6 Overview 2 6.1 Model of peer-to-peer communications between devices of peer users . 2 6.2 Overview of mechanisms used for implementing PKI for P2P net

21、works 3 6.3 Usage scenarios 4 7 Information denoted in a peer device certificate 4 8 Operations provided by the service provider 5 8.1 Upload of CA certificate and CRL . 5 8.2 Retrieval of CA certificate and CRL 5 9 Peer entity authentication procedure 5 10 Security considerations . 5 10.1 Authentic

22、ity and integrity of CA certificates . 5 10.2 Scope of peer devices name . 5 10.3 Trustworthiness of service providers 6 Bibliography. 7 Rec. ITU-T X.1164 (10/2012) 1 Recommendation ITU-T X.1164 Use of service providers user authentication infrastructure to implement public key infrastructure for pe

23、er-to-peer networks 1 Scope Recommendation ITU-T X.1164 describes the mechanisms for utilizing service providers user authentication infrastructure to implement public key infrastructure (PKI) used for securing peer-to peer (P2P) networks. The described mechanisms allow a peer in P2P networks to ver

24、ify public key certificates, issued by the owner (peer user), of a corresponding peer. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the edition

25、s indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid I

26、TU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open systems interconnection Th

27、e Directory: Public-key and attribute certificate frameworks. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 authentication b-ITU-T X.800: See data origin authentication defined in clause 3.1.3, and peer entity authentication defined i

28、n clause 3.1.5. 3.1.2 certificate revocation list (CRL) ITU-T X.509: A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. In addition to the generic term CRL, some specific CRL types are defined for CRLs that cover particular scopes. 3.1.3 dat

29、a origin authentication b-ITU-T X.800: The corroboration that the source of data received is as claimed. 3.1.4 peer b-ITU-T X.1161: Communication node on P2P network that functions simultaneously as both “client“ and “server“ to the other nodes on the network. 3.1.5 peer entity authentication b-ITU-

30、T X.800: The corroboration that a peer entity in an association is the one claimed. 3.1.6 peer user b-ITU-T X.1162: A peer user is one who uses a computer system to access the P2P network. A peer user in a P2P network is similar to a user in the Internet, with slight differences. Specifically, peer

31、users in the P2P network have a different operational context including personal interests, resource plans, security considerations, etc. 3.1.7 public key certificate (PKC) ITU-T X.509: The public key of a user, together with some other information, rendered unforgeable by digital signature with the

32、 private key of the certification authority (CA) which issued it. 2 Rec. ITU-T X.1164 (10/2012) 3.1.8 public key infrastructure (PKI) ITU-T X.509: The infrastructure able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services. 3.2 T

33、erms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: CA Certification Authority CRL Certificate Revocation List FQDN Fully Qualified Domain Name HTTPS Hypertext Transfer Protocol over Secure Socket layer P2P Peer-to

34、-Peer PDA Personal Digital Assistant PKC Public Key Certificate PKI Public Key Infrastructure S/MIME Secure Multipurpose Internet Mail Extensions URL Uniform Resource Locator 5 Conventions None. 6 Overview 6.1 Model of peer-to-peer communications between devices of peer users A model of peer-to-peer

35、 communications between devices of peer users is shown in Figure 1. Rec. ITU-T X.1164 (10/2012) 3 X.1164(12)_F01Service provider Service providerP2P networkSubscribeSubscribePeer userPeer userBob()Peer deviceJoinJoinPeer deviceP2P communicationAlice()PC(s PC)PDA(s PDA)Own/manageOwn/manage() ()Figure

36、 1 Model of peer-to-peer communications between devices of peer users There are four entities in this model: peer user, peer device, service provider and P2P network. In this model, a peer user is identified by her/his e-mail address and the identity of the peer device is asserted by its owner (peer

37、 user). A service provider has the ability to authenticate its users and authorize them to upload their public key information, which can then be consulted by peers in P2P networks and is used for peer entity authentication. The purpose of peer entity authentication in this model is to prove the ide

38、ntity of a corresponding peer and its owner. 6.2 Overview of mechanisms used for implementing PKI for P2P networks The purpose of the mechanisms described in this Recommendation is to make a public key certificate of a peer device issued by its owner verifiable by anyone. To achieve this, each user

39、acts as a certification authority (CA) for managing public key certificates of her/his own devices. Service providers, then, play the key role in associating users identity with their CA public key. A service provider which supports the PKI scheme described in this Recommendation has to implement th

40、e following two operations. Upload of CA certificate and certificate revocation list (CRL) of a users CA: Authenticate users and authorize them to upload their CA certificate and CRL. Retrieval of CA certificate and CRL of a users CA: Allow anyone to retrieve uploaded CA certificate and CRL in such

41、a way that the binding between the retrieved information and its users identity (i.e., e-mail address) can be guaranteed. When utilizing this PKI scheme, a user first generates her/his own CA public key pair and uses it for issuing public key certificates to her/his devices used for P2P networking.

42、The user uses her/his e-mail address as the identity of the certificate issuer. The user, then, uploads the CA certificate and CRL to her/his service provider. 4 Rec. ITU-T X.1164 (10/2012) When verifying a certificate of a corresponding peer, a peer retrieves a CA certificate and CRL from the certi

43、ficate issuers service provider and uses them to verify authenticity and validity of the certificate. 6.3 Usage scenarios 6.3.1 Building a closed P2P network with friends By having a member list consisting of e-mail addresses, a P2P network can authenticate joining peers so that only peer devices th

44、at are owned by users in the member list will be permitted to join the network. 6.3.2 Access control for P2P resources and services A peer can implement authentication and authorization mechanisms in order to allow only corresponding peers that are owned by certain users specified by their e-mail ad

45、dress to access its resources and services. With the PKI scheme described in this Recommendation, peers do not have to share passwords or secret information beforehand to implement these security mechanisms. 7 Information denoted in a peer device certificate A peer device certificate has to contain

46、the following information in order to make it verifiable. The e-mail address of the issuer: The issuer field of the ITU-T X.509 certificate must contain the e-mail address of the issuer as the emailAddress attribute. e.g., issuer: CN=Alice/emailAddress= The uniform resource locator (URL) of the issu

47、ers CA certificate: The issuerAltName field of the ITU-T X.509 certificate must contain the URL of the issuers CA certificate. The URL of the issuers CA certificate must take the form: https:/usercert.:/.cer where is exactly the same as the domain part of the issuers e-mail address (e.g., ), and is

48、the same as the local part of the e-mail address (e.g., alice). “:“ can be omitted. e.g., issuerAltName: https:/ The URL of the CRL: The cRLDistributionPoints field of the ITU-T X.509 certificate must contain the URL of the CRL. The URL of the CRL must take the form: https:/usercert.:/.crl where is exactly the same as the domain part of the issuers e-mail address (e.g., ), and is the same as the local part of the e-mail address (e.g., alice). “:“ can be omitted. e.g., cRLDistributionPoints: https:/ The correspondence between the e-mail address of the issuer and URLs for CA certific