Title: Telecommunication Security
1 Telecommunication Security
SOURCE ITU-T
TITLE ITU-T Security Standardization
AGENDA ITEM GTSC, agenda item 5.5
CONTACT Herb Bertine, hbertine_at_lucent.com
GSC11(06)_GTSC_07
- Herbert Bertine
- Chairman, ITU-T SG 17
2 High Level Security Drivers
- ITU Plenipotentiary Conference (PP-02)
  - Intensify efforts on security
- World Telecommunications Standardization Assembly (WTSA-04)
  - Security robustness of protocols
  - Combating/Countering spam
- World Summit on the Information Society (WSIS-05)
  - Cyber security
3 ITU-T Study Groups
- ITU-T work is divided up between Study Groups (SGs).
  - SG 2 Operational aspects of service provision, networks and performance
  - SG 4 Telecommunication management
  - SG 5 Protection against electromagnetic environment effects
  - SG 6 Outside Plant and related indoor installations
  - SG 9 Integrated broadband cable networks and television and sound transmission
  - SG 11 Signaling requirements and protocols
  - SG 12 Performance and quality of service
  - SG 13 Next Generation Networks
  - SG 15 Optical and other transport networks
  - SG 16 Multimedia services, systems and terminals
  - SG 17 Security, languages and telecommunication software
  - SG 19 Mobile Telecommunications Networks
- SG 17 is the Lead Study Group on telecommunication security.
4 Overview of ITU-T Security Standardization
Collaboration is key factor
5 WP 2/17 Security Questions (2005-2008)
(Diagram of the WP 2/17 Questions; labels recovered from the slide text, with Question numbers matched to the topics as listed on slide 24.)
- Q4/17 Communications System Security: Vision, Coordination, Roadmap, Compendia
- Q5/17 Security Architecture Framework: Architecture, Model, Concepts, Frameworks, etc. (X.800 series, X.805)
- Q6/17 Cyber Security: Overview of Cyber-security, Vulnerability Information Sharing, Incident Handling Operations
- Q7/17 Security Management: ISM Guideline for Telecom, Incident Management, Risk Assessment Methodology, etc. (X.1051)
- Q8/17 Telebiometrics: Telecom Systems, Users, Multimodal Model Framework, System Mechanism, Protection Procedure (X.1081)
- Q9/17 Secure Communication Services: Mobile Secure Communications, Home Network Security, Security Web Services (X.1121, X.1122)
- Q17/17 Countering spam (new): Technical anti-spam measures
6 Highlights of what's new since GSC-10
- Two new ITU-T Questions
  - Q.15/13, NGN security
  - Q.17/17, Countering spam by technical means
- 38 security Recommendations are under development in Study Group 17
- Other SGs are developing security Recommendations for specific technologies, for example 5 on NGN security
- Focus Group on Security Baseline For Network Operators
- New Horizons for Security Standardization Workshop
- Security standards roadmap
- Cybersecurity web portal
7 Q.15/13 NGN Security
- Recognizing that security is one of the defining features of NGN, it is essential to put in place a set of standards that will guarantee, to the maximum degree possible, the security of the telecommunications infrastructure as PSTNs evolve to NGNs.
- The NGN Security studies must address and develop network architectures that
  - Provide for maximal network and end-user resource protection
  - Allow for highly-distributed intelligence end-to-end
  - Allow for co-existence of multiple networking technologies
  - Provide for end-to-end security mechanisms
  - Provide for security solutions that apply over multiple administrative domains
8 Q.17/17 Combating spam by technical means
- Spam has become a widespread problem causing a complex range of problems to users, service providers, and network operators around the globe. While spam was originally used to send unsolicited commercial messages, increasingly spam messages are being used to spread viruses, worms, and other malicious code that negatively impact the security and stability of the global telecommunication network. Spam may include the delivery of phishing and spyware. It is a global problem that requires a multifaceted, comprehensive approach.
- Study items to be considered include, but are not limited to
  - What risks does spam pose to the telecommunication network?
  - What technical factors associated with the telecommunication network contribute to the difficulty of identifying the sources of spam?
  - How can new technologies lead to opportunities to counter spam and enhance the security of the telecommunication network?
  - Do advanced telecommunication network technologies (for example, SMS, instant messaging, VoIP) offer unique opportunities for spam that require unique solutions?
  - What technical work is already being undertaken within the IETF, in other fora, and by private sector entities to address the problem of spam?
  - What telecommunication network standardization work, if any, is needed to effectively counter spam as it relates to the stability and robustness of the telecommunication network?
9 SG 17 Security Recommendations under development (1/3)
- Summaries of all Study Group 17 Recommendations under development are available on the Study Group 17 web page at www.itu.int/itu-t/studygroups/com17
- Communications Systems Security Project
  - X.sbno, Security baseline for network operators
- Security Architecture and Framework
  - X.805, Division of the security features between the network and the users
  - X.805nsa, Network security certification based on ITU-T Recommendation X.805
  - X.ngn-akm, Framework for authentication and key management for link layer security of NGN
  - X.pak, Password-authenticated key exchange (PAK)
  - X.spn, Framework for creation, storage, distribution and enforcement of security policies for networks
10 SG 17 Security Recommendations under development (2/3)
- Cyber Security
  - X.cso, Overview of cybersecurity
  - X.sds, Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software
  - X.cvlm, Guidelines on Cybersecurity Vulnerability Life-cycle Management
  - X.vds, A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update
- Security Management
  - X.1051 (R), Information security management guidelines for telecommunications based on ISO/IEC 27002
  - X.rmg, Risk management guidelines for telecommunications
  - X.sim, Security incident management guidelines for telecommunications
- Telebiometrics
  - X.bip, BioAPI interworking protocol
  - X.physiol, Telebiometrics related to human physiology
  - X.tai, Telebiometrics authentication infrastructure
  - X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security
  - X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data
  - X.tsm-1, General biometric authentication protocol and profile on telecommunication systems
  - X.tsm-2, Profile of telecommunication device for Telebiometrics System Mechanism (TSM)
11 SG 17 Security Recommendations under development (2/3)
- Secure Communication Services
  - X.crs, Correlative reacting system in mobile network
  - X.homesec-1, Framework of security technologies for home network
  - X.homesec-2, Certificate profile for the device in the home network
  - X.homesec-3, User authentication mechanisms for home network service
  - X.msec-3, General security value added service (policy) for mobile data communication
  - X.msec-4, Authentication architecture in mobile end-to-end data communication
  - X.p2p-1, Requirements of security for peer-to-peer and peer-to-multi peer communications
  - X.p2p-2, Security architecture and protocols for peer to peer network
  - X.sap-1, Guideline on secure password-based authentication protocol with key exchange
  - X.sap-2, Secure communication using TTP service
  - X.websec-1, Security Assertion Markup Language (SAML), X.1141, now in AAP Last Call
  - X.websec-2, eXtensible Access Control Markup Language (XACML), X.1142, now in AAP Last Call
  - X.websec-3, Security architecture for message security in mobile web services
- Countering spam by technical means
  - X.csreq, Requirement on countering spam
  - X.fcs, Technical framework for countering email spam
  - X.gcs, Guideline on countering email spam
  - X.ocsip, Overview of countering spam for IP multimedia application
12 SG 13 Security Recommendations under development
- NGN Security
  - Security Requirements for NGN Release 1
  - Guidelines for NGN Security Release 1
  - Authentication requirements for NGN Release 1
  - AAA Service for Network Access to NGN
  - Security considerations for Pseudowire (PWE) technology
- Continuation of the work originated in the ITU-T Focus Group on NGN
13 Focus Group Security Baseline for Network Operators
- Established October 2005 by SG 17
- Objectives
  - Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied
  - Describe a network operator's readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats
  - Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required.
- Next Step
  - Survey network operators by means of a questionnaire
14 New Horizons for Security Standardization Workshop
- Workshop held in Geneva 3-4 October 2005
- Objectives
  - Provide an overview of key international security standardization activities
  - Seek to identify primary security concerns and issues
  - Determine which issues are amenable to a standards-based solution
  - Identify which SDOs are best equipped to do so and
  - Consider how SDOs can collaborate to improve the timeliness and effectiveness of security standards and avoid duplication of effort.
- Results reported under following topics
  - What are the crucial problems in ICT security standardization?
  - Meta issues and need for a global framework
  - Standards Requirements and Priorities
  - Liaison and information sharing
  - User issues
  - Technology and threat issues
  - Focus for future standardization work
  - Process issues
  - Follow-on issues
- Report available at www.itu.int/ITU-T/worksem/security/200510/index.html
15 ICT Security Standards Roadmap
- Four Part Roadmap
  - Part 1 contains information about organizations working on ICT security standards
  - Part 2 is a database of existing security standards
    - Presently includes ITU-T, ISO/IEC JTC1 and IETF standards
    - Will be expanded to include other standards
  - Part 3 will be a list of standards in development
  - Part 4 will identify future needs and proposed new standards
- Publicly available under Special Projects and Issues at www.itu.int/ITU-T/studygroups/com17/index
- We invite you to use the Roadmap, provide feedback and help us develop it to meet your needs
16 The ITU Global Cybersecurity Gateway
LIVE at http://www.itu.int/cybersecurity
Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide.
17 Structure of the Cybersecurity Gateway
- The portal is geared towards four specific audiences: Citizens, Businesses, Governments, International Organizations
- Database information collected within five main themes
  - Information sharing of national approaches, good practices and guidelines
  - Developing watch, warning and incident response capabilities
  - Technical standards and industry solutions
  - Harmonizing national legal approaches and international legal coordination and enforcement
  - Privacy, data and consumer protection.
- Additional information resources on the following topics: spam, spyware, phishing, scams and frauds, worms and viruses, denial of service attacks, etc.
18 (No Transcript)
19 Some useful web resources
- ITU-T Home page www.itu.int/itu-t
- Study Group 17 www.itu.int/itu-t/studygroups/com17
- LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
- e-mail tsbsg17_at_itu.int
- Recommendations www.itu.int/ITU-T/publications/recs.html
- ITU-T Lighthouse www.itu.int/ITU-T/lighthouse
- ITU-T Workshops www.itu.int/ITU-T/worksem
- Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
- Cybersecurity Portal http://www.itu.int/cybersecurity
20 Closing Observations
- Security is everybody's business
- Collaboration with other SDOs is necessary
- Security needs to be designed in upfront
- Security must be an ongoing effort
- Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key, so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be
  - X.805 is helpful here
21 Additional details on security work in ITU-T Study Groups
- Study Group 17
- Study Group 4
- Study Group 9
- Study Group 13
- Study Group 16
- Study Group 19
22 ITU-T SG 17 Work on Security
23 Study Group 17 Security, languages and telecommunication software
- SG 17 is the Lead Study Group on telecommunication security
  - It is responsible for coordination of security across all Study Groups.
- Subdivided into three Working Parties (WPs)
  - WP1 - Open systems technologies
  - WP2 - Telecommunications security and
  - WP3 - Languages and telecommunications software
- Most (but not all) security Questions are in WP2
- Summaries of all draft Recommendations under development in SG 17 are available on the SG 17 web page at www.itu.int/itu-t/studygroups/com17
24 Current SG 17 security-related Questions
- Working Party 1
  - 1/17 End-to-end Multicast Communications with QoS Managing Facility
  - 2/17 Directory services, Directory systems, and public-key/attribute certificates
  - 3/17 Open Systems Interconnection (OSI)
  - 16/17 Internationalized Domain Names (IDN)
- Working Party 2
  - 4/17 Communications Systems Security Project
  - 5/17 Security Architecture and Framework
  - 6/17 Cyber Security
  - 7/17 Security Management
  - 8/17 Telebiometrics
  - 9/17 Secure Communication Services
  - 17/17 Countering spam by technical means
25 ITU-T SG 17 Question 4 Communications Systems Security Project
- Security Workshop
- ICT Security Roadmap
- Focus Group on Security Baseline For Network Operators
26 New Horizons for Security Standardization Workshop
- Workshop held in Geneva 3-4 October 2005
- Hosted by ITU-T SG17 as part of security coordination responsibility
- ISO/IEC JTC1 played an important role in planning the program and in providing speakers/panelists.
- Speakers, panelists, chairs from
  - ITU-T
  - ISO/IEC
  - IETF
  - Consortia: OASIS, 3GPP
  - Regional SDOs: ATIS, ETSI, RAIS
27 Workshop Objectives
- Provide an overview of key international security standardization activities
- Seek to find out from stakeholders (e.g., network operators, system developers, manufacturers and end-users) their primary security concerns and issues (including possible issues of adoption or implementation of standards)
- Try to determine which issues are amenable to a standards-based solution and how the SDOs can most effectively play a role in helping address these issues
- Identify which SDOs are already working on these issues or are best equipped to do so and
- Consider how SDOs can collaborate to improve the timeliness and effectiveness of security standards and avoid duplication of effort.
28 Workshop Results
- Excellent discussions, feedback and suggestions
- Documented in detail in the Workshop report
- Results are reported under following topics
  - What are the crucial problems in ICT security standardization?
  - Meta issues and need for a global framework
  - Standards Requirements and Priorities
  - Liaison and information sharing
  - User issues
  - Technology and threat issues
  - Focus for future standardization work
  - Process issues
  - Follow-on issues
- The report is available on-line at www.itu.int/ITU-T/worksem/security/200510/index.html
29 ICT Security Standards Roadmap (An SG 17 Work-in-progress)
- Part 1 contains information about organizations working on ICT security standards
- Part 2 is database of existing security standards
- Part 3 will be a list of standards in development
- Part 4 will identify future needs and proposed new standards
30 Roadmap access
- Part 2 includes ITU-T, ISO/IEC JTC1 and IETF standards. It will be expanded to include other standards (e.g. regional and consortia specifications).
- It will also be converted to a Database format to allow searching and to allow organizations to manage their own data
- Publicly available under Special Projects and Issues at www.itu.int/ITU-T/studygroups/com17/index
- We invite you to use the Roadmap, provide feedback and help us develop it to meet your needs
31 Other Q.4/17 projects
- Security in Telecommunications and Information Technology: an overview of existing ITU-T Recommendations for secure telecommunications.
  - www.itu.int/ITU-T/publications/index.html
- Security compendium
  - catalogue of approved ITU-T Recommendations related to telecommunication security
  - extract of ITU-T approved security definitions
  - listing of ITU-T security related Questions
  - www.itu.int/ITU-T/studygroups/com17/tel-security.html
- We are in the process of establishing a Security Experts Network (SEN) to maintain on-going dialogue on key issues of security standardization.
32 Focus Group Security Baseline for Network Operators
(Slide content identical to slide 13 above.)
33 ITU-T SG 17 Question 5 Security Architecture and Framework
- Brief description of Q.5
- Milestones
- Draft Recommendations under development
34 Brief description of Q.5/17
- Motivation
  - The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in a multi-vendor environment, network security should be designed around the standard security architectures and standard security technologies.
- Major tasks
  - Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups.
  - Maintenance and enhancements of Recommendations in the X.800 series: X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816, X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843
35 Q.5/17 Milestones
- ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-end Communications, was published in 2003.
- ISO Standard 18028-2, Network security architecture, was developed in collaboration between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG 1. The Standard is technically aligned with X.805. It was published in 2006.
36 ITU-T Recommendation X.805
X.805 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern, independently of the network's underlying technology.
37 Q.5/17 Draft Recommendations 1/2
- Applications and further development of major concepts of ITU-T Recommendation X.805
  - X.805, Division of the security features between the network and the users. This Recommendation specifies division of security features between the networks and users. It provides guidance on applying concepts of the X.805 architecture to securing service providers' and application providers' networks and the end users' equipment.
  - X.805nsa, Network security certification based on ITU-T Recommendation X.805. This Recommendation describes the methodology, processes and controls required for network security certification based on ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications.
38 Q.5/17 Draft Recommendations 2/2
- Standardization in support of Authentication Security Dimension (defined in X.805)
  - X.pak, Password-authenticated Key Exchange Protocol (PAK). This Recommendation specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange.
  - X.ngn-akm, Framework for authentication and key management for link layer security of NGN. This Recommendation establishes a framework for authentication and key management for securing the link layer of NGN. It also provides guidance on selection of the EAP methods for NGN.
- Standardization of network security policies
  - X.spn, Framework for creation, storage, distribution, and enforcement of security policies for networks. This Recommendation establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices.
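The X.pak bullet above describes mutual password authentication layered on a Diffie-Hellman exchange. The following added example (not from the slides and not the X.pak or PAK text itself) shows that idea as a simplified PAK-style flow in Python: the client blinds g^a with a password-derived group element, both sides exchange hash confirmations before any key is used, and a wrong password aborts the run. It assumes the 1024-bit MODP group of RFC 2409; the identities, hash labels and message layout are this example's own choices.

```python
"""Simplified PAK-style password-authenticated Diffie-Hellman (illustrative).

Message flow (this example's own layout, not the X.pak / RFC 5683 encoding):
  1. client -> server : id, m1 = g^a * H(pw) mod p        (password-blinded g^a)
  2. server -> client : y = g^b, s1 = H("s1", context)   (server proves pw)
  3. client -> server : s2 = H("s2", context)            (client proves pw)
  session key         : H("key", context) on both sides
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group, RFC 2409 Oakley group 2.  P is a safe prime, so the
# squares mod P form a subgroup of prime order Q; G = 2 is a square since
# P % 8 == 7.  Not a toy modulus, but a 2048-bit or larger group is
# preferable in production.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
NBYTES = 128  # every element of the group fits in 128 bytes


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to sanity-check the group before trusting it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _h(label, *parts):
    """Domain-separated SHA-256 over length-prefixed parts."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def _enc(x):
    return x.to_bytes(NBYTES, "big")


def _password_element(client_id, server_id, password):
    """Map (ids, password) to a non-trivial element of the order-Q subgroup."""
    v = int.from_bytes(_h(b"pw", client_id, server_id, password), "big")
    return pow(v % (P - 3) + 2, 2, P)  # squaring lands in the subgroup


def _check_element(x):
    # Reject 0, +-1 and anything outside the prime-order subgroup.
    if not 1 < x < P - 1 or pow(x, Q, P) != 1:
        raise ValueError("received value is not a valid subgroup element")


class Client:
    def __init__(self, client_id, server_id, password):
        self.cid, self.sid, self.pw = client_id, server_id, password
        self.key = None

    def message1(self):
        self._a = secrets.randbelow(Q - 1) + 1
        blind = _password_element(self.cid, self.sid, self.pw)
        self._m1 = pow(G, self._a, P) * blind % P  # g^a hidden by the password
        return self.cid, self._m1

    def message3(self, y, s1):
        _check_element(y)
        k = _enc(pow(y, self._a, P))
        ctx = (self.cid, self.sid, _enc(self._m1), _enc(y), k, self.pw)
        # Server only gets this right if it unblinded m1 with the same password.
        if not hmac.compare_digest(s1, _h(b"s1", *ctx)):
            raise ValueError("server failed password confirmation")
        self.key = _h(b"key", *ctx)
        return _h(b"s2", *ctx)


class Server:
    def __init__(self, server_id, password_db):
        self.sid, self.db = server_id, password_db
        self.key = None

    def message2(self, client_id, m1):
        pw = self.db[client_id]  # KeyError for an unknown client
        _check_element(m1)
        blind_inv = pow(_password_element(client_id, self.sid, pw), P - 2, P)
        x = m1 * blind_inv % P  # wrong password -> unrelated element, key mismatch
        b = secrets.randbelow(Q - 1) + 1
        y = pow(G, b, P)
        self._ctx = (client_id, self.sid, _enc(m1), _enc(y), _enc(pow(x, b, P)), pw)
        return y, _h(b"s1", *self._ctx)

    def message4(self, s2):
        if not hmac.compare_digest(s2, _h(b"s2", *self._ctx)):
            raise ValueError("client failed password confirmation")
        self.key = _h(b"key", *self._ctx)  # key released only after confirmation


def run_exchange(client_pw, server_pw):
    """Drive one full exchange; returns (client_key, server_key) or raises."""
    client = Client(b"alice", b"gateway", client_pw)
    server = Server(b"gateway", {b"alice": server_pw})
    cid, m1 = client.message1()
    y, s1 = server.message2(cid, m1)
    server.message4(client.message3(y, s1))
    return client.key, server.key


def exchange_succeeds(client_pw, server_pw):
    """True when both sides confirm each other and derive the same key."""
    try:
        ck, sk = run_exchange(client_pw, server_pw)
    except ValueError:
        return False
    return ck == sk


if __name__ == "__main__":
    print("matching passwords:", exchange_succeeds(b"hunter2", b"hunter2"))
    print("wrong password:   ", exchange_succeeds(b"hunter2", b"guess"))
```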
39 ITU-T SG 17 Question 6 Cyber Security
- Motivation
- Objectives
- Scope
- Current area of focus
- Draft Recommendations under development
40 Q.6/17 Motivation
- Network connectivity and ubiquitous access is central to today's IT systems
- Widespread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability
- Threats such as denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise
- Network protocols in use today were developed in an environment of trust.
- Most new investments and development are dedicated to building new functionality and not to securing that functionality
- An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow
41 Q.6/17 Objectives
- Perform actions in accordance with Lead Study Group (LSG) responsibility with the focus on cybersecurity
- Work with Q.1 of SG 2 on a definition of Cybersecurity
- Identify and develop standards required for addressing the challenges in cybersecurity, within the scope of Q.6/17
- Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency.
- Maintain and update existing Recommendations within the scope of Q.6/17.
- Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 (e.g. SC6, SC27 and SC37), and consortia as appropriate.
- Provide awareness on new security technologies related to cybersecurity
42 Q.6/17 Scope
- Definition of Cybersecurity
- Security of Telecommunications Network Infrastructure
- Security Knowledge and Awareness of Telecom Personnel and Users
- Security Requirements for Design of New Communications Protocol and Systems
- Communications relating to Cybersecurity
- Security Processes: Life-cycle Processes relating to Incident and Vulnerability
- Security of Identity in Telecommunication Network
- Legal/Policy Considerations
43 Q.6/17 Current Area of Focus
- Work with SG 2 on the definition and requirements of cybersecurity.
- Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve better understanding of various aspects of network security.
- Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL and other standardization bodies on cybersecurity.
- Work on framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations.
- Work on Recommendation for standardization of vulnerability data definition.
- Study new cybersecurity issues: How should ISPs deal with botnets, evaluating the output of appropriate bodies when available.
- Call for contributions for the outstanding questions identified in the revised scope.
44 Q.6/17 Draft Recommendations 1/2
- Overview of Cybersecurity (X.cso)
  - This Recommendation provides a definition for Cybersecurity. The Recommendation provides a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers.
  - Various Cybersecurity technologies that are available to remedy the threats include Routers, Firewalls, Antivirus protection, Intrusion detection systems, Intrusion protection systems, Secure computing, Audit and Monitoring. Network protection principles such as defence in depth, access and identity management with application to Cybersecurity are discussed. Risk Management strategies and techniques are discussed including the value of training and education in protecting the network. A discussion of Cybersecurity Standards, Cybersecurity implementation issues and certification are presented.
- A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update (X.vds)
  - This Recommendation provides a framework of automatic notification on vulnerability information. The key point of the framework is that it is a vendor-neutral framework. Once users register their software, updates on the vulnerabilities and patches of the registered software will automatically be made available to the users. Upon notification, users can then apply
45 Q.6/17 Draft Recommendations 2/2
- Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X.sds)
  - This Recommendation provides guidelines for Internet Service Providers (ISP) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users' consents and controls for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software.
- Guidelines on Cybersecurity Vulnerability Life-cycle Management (X.cvlm)
  - The Recommendation provides a framework for the provision of monitoring, discovering, responding and post-analysis of vulnerabilities. Service providers can use this Recommendation to complement their existing Information Security Management System process in the aspect of regular vulnerability assessment, vulnerability management, incident handling and incident management.
46 ITU-T SG 17 Question 7 Security Management Systems
- Tasks
- Recommendations planned
- Revised X.1051
- Approach for revised X.1051
47 Q.7/17 Tasks
- Information Security Management Guidelines for telecommunications (Existing X.1051, Information security management system Requirements for telecommunications (ISMS-T))
  - Maintain and revise Recommendation X.1051, Information Security Management Guidelines for telecommunications based on ISO/IEC 27002.
  - Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27.
- Risk Management Methodology
  - Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051.
  - Produce and consent a new ITU-T Recommendation for risk management methodology.
- Incident Management
  - Study and develop a handling and response procedure on security incidents for the telecommunications in line with Recommendation X.1051.
  - Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.
48 Recommendations planned in Q.7/17 (Security Management)
- X.1050: To be proposed
- X.1051: In revision process, Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002
- X.1052: To be proposed
- X.1053: To be proposed (Implementation Guide for Telecoms)
- X.1054: To be proposed (Measurements and metrics for Telecommunications)
- X.1055: In the first stage of development, Risk Management Guidelines for Telecommunications
- X.1056: In the first stage of development, Security Incident Management Guidelines for Telecommunications
- X.1057: To be proposed (Identity Management for Telecoms)
49 Information security management guidelines for Telecommunications (Revised X.1051)
Revised X.1051 (control areas, following ISO/IEC 27002):
- Security policy
- Organising information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
50 Q.7/17 Approach to develop revised Recommendation X.1051
(Diagram relating the revised X.1051 to ISO/IEC 27002; no further text recoverable.)
51 ITU-T SG 17 Question 8 Telebiometrics
- Objectives
- Study areas on Biometric Processes
- X.1081 and draft Recommendations under development
52 Q.8/17 Objectives
- 1) To define telebiometric multimodal model framework
- 2) To specify biometric authentication mechanism in open network
- 3) To provide protection procedures and countermeasures for telebiometric systems
53 Q.8/17 Study areas on Biometric Processes
54 Q.8/17 Recommendations 1/4
- X.1081 The telebiometric multimodal model framework: A framework for the specification of security and safety aspects of telebiometrics
  - This Recommendation defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects).
- X.physiol Telebiometrics related to human physiology
  - This Recommendation gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by telebiometric devices in its environment.
55 Q.8/17 Recommendations 2/4
- X.tsm-1 General biometric authentication protocol and profile on telecommunication system
  - This Recommendation defines communication mechanism and protocols of biometric authentication for unspecified end-users and service providers on open network.
- X.tsm-2 Profile of telecommunication device for Telebiometrics System Mechanism (TSM)
  - This Recommendation defines the requirements, security profiles of client terminals for biometric authentication over the open network.
56 Q.8/17 Recommendations 3/4
- X.tai Telebiometrics authentication infrastructure
  - This Recommendation specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation.
- X.bip BioAPI interworking protocol
  - This Recommendation is common text of ITU-T and ISO/IEC JTC1 SC37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable BioAPI-conforming applications in telebiometric systems.
57 Q.8/17 Recommendations 4/4
- X.tpp-1 A guideline of technical and managerial countermeasures for biometric data security
  - This Recommendation defines weakness and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives.
- X.tpp-2 A guideline for secure and efficient transmission of multi-modal biometric data
  - This Recommendation defines threat characteristics of multi-modal biometric system, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data.
58 ITU-T SG 17 Question 9 Secure Communication Services
- Focus
- Position of each topic
- Mobile security
- Home network security
- Web services security
- Secure applications services
59 Q.9/17 Focus
- Develop a set of standards of secure application services, including
  - Mobile security: Under study
  - Home network security: Under study
  - Web Services security: Under study
  - Secure application services: Under study
  - Privacy protection for RFID and multimedia content and digital Identity management: To be studied
60 Position of each topic
(Figure: the topics placed along the path Mobile Terminal - Mobile Network - Open Network - Home Network - Application Server; labels: Mobile security, Home network security, Web Services security, Secure application services.)
61 Q.9/17 Mobile Security
- X.1121, Framework of security technologies for mobile end-to-end data communications (approved 2004)
- X.1122, Guideline for implementing secure mobile systems based on PKI (approved 2004)
- X.msec-3, General security value-added service (policy) for mobile data communication
  - Develops a general security service, offered as a value-added service, for secure mobile end-to-end data communication.
- X.msec-4, Authentication architecture in mobile end-to-end data communication
  - Constructs a generic authentication architecture for mobile data communication between mobile users and application servers.
- X.crs, Correlative reacting system in mobile network
  - Develops the generic architecture of a correlative reacting system that protects the mobile terminal against viruses, worms, Trojan horses and other network attacks on both the mobile network and its mobile users.
62 Q.9/17 Home network security
- X.homesec-1, Framework for security technologies for home network
  - Defines the security threats and security requirements, the security functions and security function requirements for each entity in the home network, and the possible implementation layer.
- X.homesec-2, Certificate profile for the device in the home network
  - Develops the framework for home network device certificates.
- X.homesec-3, User authentication mechanisms for home network service
  - Provides the user authentication mechanism for the home network, supporting various authentication means such as passwords, certificates and biometrics.
63 Q.9/17 Web Services security
- X.websec-1, Security Assertion Markup Language (SAML)
  - Adoption of OASIS SAML v2.0 as ITU-T Recommendation X.1141 (consented April 2006).
  - Defines an XML-based framework for exchanging security information. The security information is expressed as assertions about subjects, where a subject is an entity (human or computer) that has an identity in some security domain.
- X.websec-2, eXtensible Access Control Markup Language (XACML)
  - Adoption of OASIS XACML v2.0 as ITU-T Recommendation X.1142 (consented April 2006).
  - Provides an XML vocabulary for expressing access control policies, the syntax of the language and the rules for evaluating policies.
- X.websec-3, Security architecture for message security in mobile Web Services
  - Develops a guideline on message security architecture and service scenarios for securing messages in mobile Web Services.
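An assertion is only as good as the checks the relying party applies to it. As an added example (not ITU-T or OASIS code), the following Python enforces the Conditions of a SAML 2.0 assertion: issuer, validity window and audience restriction. The assertion, issuer and audience URIs are constructed for the demonstration. XML signature verification is deliberately left out; a real relying party must verify the signature first and only then apply these checks.

```python
"""Enforce the Conditions of a SAML 2.0 assertion before trusting its statements.

Added example, not ITU-T or OASIS code. The assertion below is constructed
for the demonstration (made-up issuer and audience URIs, no Signature
element). XML-DSig verification is out of scope here and MUST precede these
checks in a real relying party.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2006-04-01T12:00:00Z">
  <saml:Issuer>https://idp.example.net/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.net</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-04-01T12:00:00Z" NotOnOrAfter="2006-04-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/service</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2006-04-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_time(s):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, our_audience, now_iso):
    """Return (ok, reason); ok is True only if every condition holds.

    Rejects a wrong issuer, a missing Conditions element, a current time
    outside [NotBefore, NotOnOrAfter), and an AudienceRestriction that does
    not name us. An assertion with no AudienceRestriction is rejected too:
    one addressed to nobody in particular could be replayed to any provider.
    """
    now = parse_time(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 Assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= parse_time(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if not audiences:
        return False, "no AudienceRestriction"
    if our_audience not in audiences:
        return False, "assertion not addressed to us"
    return True, "ok"
```

Note that NotOnOrAfter is exclusive: an assertion presented exactly at that instant is already expired. Clock skew between identity provider and relying party is a deployment concern; tolerate it by narrowing the window on the issuing side, not by widening the check.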
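The part of XACML that is worth seeing in code is the combining algorithm: a policy's decision is not "the first rule that matches" but the combination of every rule's result. The following Python is an added example, not OASIS or ITU-T code: a deliberately reduced evaluator for a constructed XACML 2.0 policy with one Permit rule, one Deny rule and deny-overrides combining. The attribute names, values and policy are made up for the demonstration, and only the string-equal match function is implemented.

```python
"""Minimal XACML 2.0 evaluator: Targets matched by string-equal, deny-overrides.

Added example, not OASIS or ITU-T code. The policy and attribute values are
constructed for the demonstration. Real XACML has many more match functions,
datatypes, Conditions, Obligations and an Indeterminate result; none of that
is modelled here. The point shown is how the combining algorithm turns the
individual rule results into one decision.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: doctors may read patient records, but a suspended
# subject is denied everything, whatever other rules say.
SAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="records"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="doctors-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="%(eq)s">
        <AttributeValue DataType="%(str)s">doctor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="role" DataType="%(str)s"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="%(eq)s">
        <AttributeValue DataType="%(str)s">patient-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="type" DataType="%(str)s"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="%(eq)s">
        <AttributeValue DataType="%(str)s">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="action-id" DataType="%(str)s"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="no-suspended" Effect="Deny">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="%(eq)s">
        <AttributeValue DataType="%(str)s">suspended</AttributeValue>
        <SubjectAttributeDesignator AttributeId="status" DataType="%(str)s"/>
      </SubjectMatch></Subject></Subjects>
    </Target>
  </Rule>
</Policy>""" % {"eq": STRING_EQUAL, "str": XS_STRING}

# (plural container, single element, match element, designator element, request key)
CATEGORIES = [("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator", "subject"),
              ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator", "resource"),
              ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator", "action")]


def q(tag):
    return "{%s}%s" % (XACML, tag)


def make_request(role, status, resource_type, action):
    """Request context as attribute bags per category (XACML attributes are bags)."""
    return {"subject": {"role": {role}, "status": {status}},
            "resource": {"type": {resource_type}},
            "action": {"action-id": {action}}}


def match_element(match_el, designator_tag, attrs):
    """string-equal: true if any value in the designated bag equals the literal."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId %r" % match_el.get("MatchId"))
    wanted = match_el.findtext(q("AttributeValue"))
    designator = match_el.find(q(designator_tag))
    if designator is None:
        raise ValueError("match without attribute designator")
    return wanted in attrs.get(designator.get("AttributeId"), set())


def target_matches(target, request):
    """An absent or empty Target matches anything; an absent category means 'any';
    a present category needs at least one child whose matches all hold."""
    if target is None:
        return True
    for plural, single, match_tag, desig_tag, key in CATEGORIES:
        group = target.find(q(plural))
        if group is None:
            continue
        attrs = request.get(key, {})
        if not any(all(match_element(m, desig_tag, attrs) for m in child.findall(q(match_tag)))
                   for child in group.findall(q(single))):
            return False
    return True


def evaluate(policy_xml, request):
    """Return "Permit", "Deny" or "NotApplicable" under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith(":deny-overrides"):
        raise ValueError("only deny-overrides is implemented in this example")
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    results = [rule.get("Effect") if target_matches(rule.find(q("Target")), request)
               else "NotApplicable" for rule in policy.findall(q("Rule"))]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"
```

The second rule has only a Subjects target, so it applies to every resource and action; under deny-overrides its Deny beats the doctors' Permit. Had the policy used permit-overrides, the same two rules would let a suspended doctor read records, which is why the choice of combining algorithm is a security decision and not a formatting detail.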
64 Q.9/17 Secure application services
- X.sap-1, Guideline on strong password authentication protocols
  - Guideline on secure password-based authentication protocols with key exchange. Defines a set of requirements for password-based protocols with key exchange and a selection guideline, setting up criteria for choosing the most suitable authentication protocol for each application.
- X.sap-2, Secure communication using TTP service
  - Specifies secure end-to-end data communication techniques using trusted third party (TTP) services, either those defined in X.842 or other services.
- X.p2p-1, Anonymous authentication architecture in community communication
  - Requirements of security for peer-to-peer (P2P) and peer-to-multi-peer (P2MP) communications: analyses the threats to P2P and P2MP communication services and describes the security requirements for securing them.
- X.p2p-2, Security architecture and protocols for peer-to-peer network
  - Describes the security techniques and protocols for the P2P environment.
65 ITU-T SG 17 Question 17: Countering spam by technical means
- Objectives
- Set of Recommendations
66 Q.17/17 Objectives
- The aim of this Question is to develop a set of Recommendations on countering spam by technical means for ITU-T, taking into account the need for collaboration with other ITU-T Study Groups and cooperation with other SDOs. The Question focuses particularly on technical requirements, frameworks and new technologies for countering spam. Guidelines on countering spam by technical means are also studied.
67 Q.17/17 Set of Recommendations (figure)
68 Q.17/17 Brief summaries of draft Recommendations under development 1/2
- X.csreq, Requirement on countering spam
  - This Recommendation describes the general characteristics of spam, elicits generic objectives and gives an overview of the technical requirements for countering spam. It also provides a checklist for evaluating anti-spam solutions.
- X.fcs, Technical framework for countering email spam
  - This Recommendation specifies the technical framework and network structure for countering spam, and defines the functions inside the framework. It also covers the common characteristics of email spam, general rules for judging whether a message is spam, and the common methods of countering email spam.
69 Q.17/17 Brief summaries of draft Recommendations under development 2/2
- X.gcs, Guideline on countering email spam
  - This Recommendation specifies the technical issues in countering email spam. It presents the current technical solutions and related activities of various SDOs and relevant organizations on countering email spam. It will be used as a basis for further development of technical Recommendations on countering email spam.
- X.ocsip, Overview of countering spam for IP multimedia applications
  - This Recommendation specifies the basic concepts, characteristics and effects of spam in IP multimedia applications such as IP telephony, video on demand, IPTV, instant messaging and multimedia conferencing. It will provide a basis and guideline for developing further technical solutions for countering spam.
70 Security Work in other ITU-T Study Groups
- SG 4 Security of Management plane
- SG 9 IPCablecom
- SG 13 NGN security
- SG 16 Multimedia security
- SG 19 Security in IMT-2000
71 ITU-T SG 4 Work on Security
72 SG 4 Security of the Management Plane (M.3016 series)
- Approved last year, the M.3016 series is viewed as a key aspect of NGN management; it is included
  - in the NGN Management Roadmap issued by the NGNMFG
  - in M.3060 on the Principles of NGN Management
- The M.3016 series consists of 5 parts:
  - M.3016.0 Overview
  - M.3016.1 Requirements
  - M.3016.2 Services
  - M.3016.3 Mechanisms
  - M.3016.4 Profile proforma
- The role of M.3016.4 is unique in that it provides a template with which other SDOs and forums can indicate to their membership which parts of M.3016 are mandatory and which are optional.
73 ITU-T SG 9 Work on Security
74 SG 9 IPCablecom Evolution
- Enhance cable's existing IP service environment to accelerate the convergence of voice, video, data and mobility
- Define an application-agnostic architecture that allows cable operators to rapidly innovate new services
- Provide a suite of Recommendations that define the elements and interfaces needed to facilitate multi-vendor interoperability
- Incorporate leading communications technologies from the IETF and 3GPP IMS
75 SG 9 IPCablecom Evolution (architecture figure)
76 SG 9 Targeted Applications
- Enhanced Cable Voice and Video IP Telephony
  - Support for new media and client types (e.g., video telephony, soft clients)
  - Call treatment based on presence, device capability and identity
  - Maintain support for cable telephony features enabled by current IPCablecom Recommendations
- Fixed-Mobile Convergence over Cable
  - Support for dual-mode cellular/WiFi handsets over DOCSIS
  - Call handover between IPCablecom VoIP networks and cellular networks
  - Integrated features and call control between cellular and VoIP platforms
- Cable Cross-Platform Features
  - Cross-platform notification and messaging (e.g., Caller-ID on TV)
  - Third-party call control features, such as click to dial
77 SG 9 Design Approach
- Incorporate new IP communication technologies
  - Focus on the Session Initiation Protocol (SIP) and supporting protocols
  - Leverage the 3GPP IMS as a service delivery platform
- Develop a modular and extensible architecture that allows new services to be added without impacting the core IPCablecom infrastructure
- Ensure backward compatibility with existing IPCablecom Recommendations
- Support a wide variety of client devices
78 SG 9 IPCablecom Security Requirements Under Consideration
- Support a range of authentication schemes
  - UICCs (similar to SIM cards)
  - Digital certificates (existing IPCablecom EMTAs)
  - SIP digest (software clients)
- Support a range of secure signalling options
  - IPsec
  - TLS
  - Disabled
- Support secure configuration before registration
- Support TLS for intra-domain security
- Minimize changes to IMS
- Reuse existing standards
79 SG 9 DOCSIS Baseline Privacy Plus
- The primary goals of DOCSIS BPI are to provide privacy of customer traffic, integrity of software downloads, and prevention of theft of service.
- DOCSIS BPI provides a number of tools to support these goals:
  - Traffic encryption for privacy/confidentiality.
  - Secure software download to assure a valid cable modem (CM) image.
  - Configuration file authentication to help secure the provisioning process.
- The focus is on the link layer between the CMTS and the CM. Security outside the DOCSIS network is provided by applications and other networks.
80 SG 9 DOCSIS BPI Security Algorithms
- A Cable Modem Termination System (CMTS) authenticates cable modems (CMs) using X.509 certificates and RSA public-key cryptography.
- Subscriber traffic encryption:
  - 3DES used for key exchange (wrapping the traffic encryption keys)
  - DES used for traffic encryption; AES being considered for future DOCSIS versions. (56-bit DES has been brute-forceable since the late 1990s and no longer provides adequate confidentiality.)
- Software download image validation is performed using X.509 certificates and digital signatures with RSA public-key cryptography.
- Message integrity checks (MIC) with a keyed MD5 hash are used for CM configuration file security.
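The configuration file is what tells the modem its service tier, so the provisioning MIC is what stands between a subscriber and a self-granted rate upgrade. The following Python is an added example, not CableLabs or ITU-T code: it models a DOCSIS-style configuration file as one-byte type / one-byte length / value (TLV) records and a CMTS-side keyed-MD5 MIC, taken here to be HMAC-MD5 (RFC 2104) over the TLV bytes under a secret the CMTS holds and the subscriber does not. The TLV type codes, the secret and the exact set of records covered by the MIC are assumptions made for the demonstration, not the specification's values.

```python
"""Keyed-MD5 integrity check over a DOCSIS-style cable modem configuration file.

Added example, not CableLabs or ITU-T code. Assumptions for the demonstration:
TLVs have a one-byte type and one-byte length, the MIC is HMAC-MD5 under a
CMTS shared secret over all preceding TLV bytes, and the type codes below are
made up (they are not the DOCSIS assignments).
"""
import hashlib
import hmac

# Made-up TLV type codes for the demonstration.
T_DOWNSTREAM_FREQ = 1
T_MAX_DOWN_RATE = 2
T_NET_ACCESS = 3
T_CMTS_MIC = 6   # carries the keyed MIC; must be the last TLV in the file


def encode_tlvs(items):
    """items: list of (type, value_bytes). One-byte length, so values are <= 255 bytes."""
    out = bytearray()
    for t, v in items:
        if not 0 <= t <= 255 or len(v) > 255:
            raise ValueError("TLV out of range")
        out += bytes([t, len(v)]) + v
    return bytes(out)


def decode_tlvs(data):
    """Parse TLVs, rejecting truncated input rather than silently stopping early."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        t, n = data[i], data[i + 1]
        v = data[i + 2:i + 2 + n]
        if len(v) != n:
            raise ValueError("truncated TLV value at offset %d" % i)
        items.append((t, v))
        i += 2 + n
    return items


def build_config(items, cmts_secret):
    """Serialize the records and append the MIC computed over them."""
    body = encode_tlvs(items)
    mic = hmac.new(cmts_secret, body, hashlib.md5).digest()
    return body + encode_tlvs([(T_CMTS_MIC, mic)])


def verify_config(data, cmts_secret):
    """Return the records (without the MIC TLV) if the MIC verifies, else None."""
    items = decode_tlvs(data)
    if not items or items[-1][0] != T_CMTS_MIC:
        return None
    body = encode_tlvs(items[:-1])
    expected = hmac.new(cmts_secret, body, hashlib.md5).digest()
    if not hmac.compare_digest(items[-1][1], expected):   # constant-time compare
        return None
    return items[:-1]


def tamper_rate(config, new_rate):
    """What a subscriber attempting theft of service might try: raise the rate cap
    in place and leave the original MIC TLV untouched."""
    items = decode_tlvs(config)
    patched = [(t, new_rate.to_bytes(4, "big") if t == T_MAX_DOWN_RATE else v) for t, v in items]
    return encode_tlvs(patched)


# Constructed sample: a provisioning file granting 10 Mbit/s downstream.
SECRET = b"cmts-shared-secret-example"   # made-up secret for the demonstration
SAMPLE_ITEMS = [(T_DOWNSTREAM_FREQ, (591_000_000).to_bytes(4, "big")),
                (T_MAX_DOWN_RATE, (10_000_000).to_bytes(4, "big")),
                (T_NET_ACCESS, b"\x01")]
SAMPLE_CONFIG = build_config(SAMPLE_ITEMS, SECRET)
```

Two design points carry over to any provisioning format. The check is HMAC, not MD5(secret || data): the plain secret-prefix construction over a Merkle-Damgård hash is open to length-extension forgery, so a subscriber could append TLVs without knowing the secret. And the verifier parses strictly and refuses a file whose MIC is not the final record, so a second MIC TLV or trailing bytes after the MIC cannot slip through.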
81 ITU-T SG 13 Work on Security
82 SG 13 NGN Security Outline
- Why NGN security?
- The ITU-T work on NGN security
- Relationship to other SDOs
- Output of the NGN Focus Group
- Recent developments: starting the SG 13 security work
- Top NGN security issues that need resolution
Security is among the key differentiators of the NGN. It is also among its biggest challenges!
83 SG 13 Why Security? (Threat examples)
- Provider's perspective
  - Theft of service
  - Denial of service
  - Disclosure of network topology
  - Non-audited configuration changes
  - Additional related risks to the PSTN
- Subscriber's perspective
  - Eavesdropping, theft of PIN codes
  - Tele-spam
  - Identity theft
  - Infection by viruses, worms and spyware
  - Loss of privacy (call patterns, location, etc.)
  - Flooding attacks on the end point
In the NGN, known IP security vulnerabilities can make the PSTN vulnerable, too!
84 SG 13 The ITU-T work on NGN Security
- SG 13: Lead Study Group on NGN standardization (Question 15/13 is responsible for X.805-based NGN security)
- SG 17: Lead Study Group on Telecommunication Security (the fundamental X.800 series, PKI, etc.)
- SG 4: Lead Study Group on Telecommunication Management (management plane security)
- SG 11: Lead Study Group on signalling and protocols (security of the control and signalling planes)
- SG 16: Lead Study Group on multimedia terminals, systems and applications (multimedia security)
- FGNGN has concluded; its work has moved to SG 13
85 Collaboration of ITU-T with other bodies on NGN security Recommendations
(Figure: ITU-T SG 13, 17, 4, 11 and 16 collaborating with ATIS, ISO/IEC JTC 1/SC 27, IETF, 3GPP, 3GPP2, fora such as OASIS, ETSI TISPAN and TIA. SG 13 is the Lead Study Group for NGN; SG 17 is the Lead Study Group for Security.)
86 SG 13 Question 15, NGN security
- Question 15 (NGN security) of SG 13, the ITU-T lead study group for NGN and satellite matters, will continue the standards work started by FGNGN WG 5.
- Q.15/13 major tasks are:
  - Lead the NGN-specific security project-level issues within SG 13 and with other Study Groups. Recognizing SG 17's overall role as the Lead Study Group for Telecommunication Security, advise and assist SG 17 on NGN security coordination issues.
  - Apply the X.805 security architecture to systems providing end-to-end communication within the context of an NGN environment.
  - Ensure that the developed NGN architecture is consistent with accepted security principles.
  - Ensure that AAA principles are integrated as required throughout the NGN.
87 SG 13 FGNGN output: Security Requirements for NGN Release 1 (highlights)
- Security requirements for the Transport Stratum
  - NGN customer network domain
  - Customer network to IP-Connectivity Access Network (IP-CAN) interface
  - Core network functions
  - NGN customer network to NGN customer network interface
- Security requirements for the Service Stratum
  - IMS security
  - Transport domain to NGN core network interface
  - Open service platforms and applications security
  - VoIP
  - Emergency Telecommunications Service and Telecommunications for Disaster Relief
88 SG 13 FGNGN output: Guidelines for NGN Security Release 1 (highlights)
- General
  - General principles and guidelines for building secure Next Generation Networks
  - Detailed examination of IMS access security and NAT and firewall traversal
- NGN Security Models
  - Security Associations model for NGN
- Security of the NGN subsystems
  - IP-Connectivity Access Network
  - IMS network domain and IMS-to-non-IMS network security
  - IMS access
  - Framework for open platform for services and applications in NGN
  - Emergency Telecommunications Service (ETS) and Telecommunications for Disaster Relief (TDR) security
- Overview of the existing standard solutions related to NAT and firewall traversal
89 SG 13 Focus of the current work of Question 15, NGN security
- Security Requirements for NGN Release 1
- Authentication requirements for NGN Release 1
- AAA Service for Network Access to NGN
- Guidelines for NGN Security Release 1
- Security considerations for Pseudowire (PWE) technology
At the heart of securing network protocols, the biggest challenge is authentication.
90 SG 13 Major Issues for NGN Security Standardization
- Key distribution (for end-users and network elements) and Public Key Infrastructure
- Network privacy: topology hiding and NAT/firewall traversal for real-time applications
- Convergence with IT security
- Management of security functions (e.g., policy)
- Guidelines on the implementation of the IETF protocols (e.g., IPsec options)
- Security for supporting DSL, WLAN and cable access scenarios
- Guidelines for handling 3GPP vs. 3GPP2 differences in IMS security
Both network assets and network traffic must be protected. Proper management procedures will help prevent attacks from within.
91 SG 13 NGN Architecture (figure)
92 ITU-T SG 16 Work on Security
93 Question 25/16 Multimedia Security in Next-Generation Networks (NGN-MM-SEC)
- Study Group 16 concentrates on multimedia systems.
- Q.25/16 focuses on the application-security issues of multimedia applications in next generation networks, and standardizes multimedia security.
- So far Q.25 has been standardizing multimedia security for the first-generation (pre-NGN) multimedia systems: H.323/H.248-based systems.
94 Evolution of H.235
(Figure: timeline from 1996 to beyond 2005 of H.235 against H.323 versions V2, V4 and V5, in the phases Initial Draft, Core Security Framework Engineering, 1st Deployment, Security Profiles, Consolidation, and Improvement and Additions. Milestones: H.235 V1 approved; H.235 V2 with Annexes D and E started, then approved; Annex F and H.530 consented; H.235 Annex G; H.235 V3 Amd 1; H.235 V3 Amd 1 Annex H; H.235 V3 Annex I.)
95 H.235 V4 Subseries Recommendations
- Major restructuring of H.235v3 Amd 1 and its annexes into stand-alone subseries Recommendations
- The H.235.x subseries specify scenario-specific multimedia security procedures as H.235 profiles for H.323
- Some new parts added
- Some enhancements and extensions
- Incorporated corrections
- Approved in September 2005
96 H.323 Security Recommendations (1)
- H.235.0 Security framework for H-series (H.323 and other H.245-based) multimedia systems
  - Overview of the H.235.x subseries and common procedures, with baseline text
- H.235.1 "Baseline Security Profile"
  - Authentication and integrity for H.225.0 signalling using shared secrets
- H.235.2 "Signature Security Profile"
  - Authentication and integrity for H.225.0 signalling using X.509 digital certificates and signatures
97 H.323 Security Recommendations (2)
- H.235.3 "Hybrid Security Profile" (enhanced)
  - Authentication and integrity for H.225.0 signalling using an optimized combination of X.509 digital certificates, signatures and shared-secret key management; specification of an optional proxy-based security processor
- H.235.4 "Direct and Selective Routed Call Security" (extended)
  - Key management procedures in corporate and inter-domain environments to obtain key material for securing H.225.0 call signalling in gatekeeper (GK) direct-routed / selective-routed scenarios
98 H.323 Security Recommendations (3)
- H.235.5 "Framework for secure authentication in RAS using weak shared secrets" (enhanced)
  - Secured password (using the EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signalling
- H.235.6 "Voice encryption profile with native H.235/H.245 key management" (modified)
  - Key management and encryption mechanisms for RTP
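What "secured password in combination with Diffie-Hellman" buys over a plain password hash is that a recorded exchange cannot be used to test password guesses offline; that is the property both H.235.5 and the X.sap-1 guideline on password-based key exchange (Q.9/17, slide 64) are after. The following Python is an added example, not ITU-T code and not a conforming H.235.5 or X.sap-1 implementation: a SPEKE-style exchange in which the Diffie-Hellman generator is derived from the password, followed by explicit key confirmation. The group is a small safe prime found at import time (a toy size, far below the 2048-bit and larger groups a deployment needs), the hash is SHA-256, and the salt and confirmation tags are made-up values for the demonstration.

```python
"""SPEKE-style password-authenticated Diffie-Hellman with key confirmation.

Added example, not ITU-T code. The generator g is derived from the password,
so the public values g^x and g^y leak nothing an eavesdropper can test a
guess against, and an active attacker gets exactly one guess per run. Toy
group size: the safe prime found below is ~129 bits, chosen only so the
search is instant; real deployments use >= 2048-bit groups. Salt and
confirmation tags are made up for the demonstration.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; adequate for a demonstration parameter search."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with odd q >= 2**(bits-1); the start is fixed,
    so the result is the same on every run."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(128)  # TOY SIZE for a fast demo; real deployments use >= 2048-bit groups
Q = (P - 1) // 2          # prime order of the subgroup of squares mod P


def password_generator(password, salt):
    """SPEKE: g = H(salt || password)^2 mod P. Squaring puts g in the prime-order
    subgroup, so small-subgroup confinement cannot leak anything about the password."""
    h = int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % P
    return pow(h, 2, P)


class Party:
    def __init__(self, password, salt):
        self.g = password_generator(password, salt)
        self.x = 2 + secrets.randbelow(Q - 2)   # private exponent in [2, Q-1]
        self.pub = pow(self.g, self.x, P)       # the value sent in the clear
        self.key = None

    def receive(self, peer_pub):
        # 0, 1 and P-1 would force a trivial shared secret: refuse them.
        if not 1 < peer_pub < P - 1:
            raise ValueError("bad public value")
        shared = pow(peer_pub, self.x, P)
        self.key = hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
        return self.key

    def confirm(self, tag):
        """Key confirmation: prove knowledge of the key without revealing it."""
        return hashlib.sha256(tag + self.key).digest()


def run_exchange(password_a, password_b, salt=b"example-salt"):
    """Run one exchange between A (holding password_a) and B (holding password_b).

    Returns (keys_equal, a_accepts_b, b_accepts_a). With matching passwords all
    three are True. With a wrong password the two sides derive different keys
    and both confirmation checks fail; that failure is the only signal an active
    guesser gets, and it costs a full protocol run per guess."""
    a, b = Party(password_a, salt), Party(password_b, salt)
    ka, kb = a.receive(b.pub), b.receive(a.pub)
    conf_a, conf_b = a.confirm(b"A->B"), b.confirm(b"B->A")   # exchanged over the wire
    a_accepts = hmac.compare_digest(conf_b, hashlib.sha256(b"B->A" + ka).digest())
    b_accepts = hmac.compare_digest(conf_a, hashlib.sha256(b"A->B" + kb).digest())
    return ka == kb, a_accepts, b_accepts
```

The confirmation step is not optional: without it a side that used the wrong password would simply end up with a different key and only discover the mismatch, if ever, when later traffic fails to decrypt. In H.235.5 terms this is what turns a weak shared secret into a strong authentication of the RAS exchange; the X.sap-1 selection criteria (offline-dictionary resistance, forward secrecy, explicit authentication) are exactly the properties a candidate protocol has to be checked against.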
99 H.323 Security Recommendations (4)
- H.235.7 "Usage of the MIKEY Key Management Protocol for the Secure Real-time Transport Protocol (SRTP) within H.235"
  - Usage of MIKEY key management for SRTP
- H.235.8 "Key Exchange for SRTP using secure Signalling Channels"
  - SRTP keying parameter transport over secured signalling channels (IPsec, TLS, CMS)
- H.235.9 "Security Gateway Support for H.323"
  - Discovery of H.323 Security Gateways (SG: H.323 NAT/FW ALG) and key management for H.225.0 signalling
100 Other SG 16 MM-SEC Results
- H.350.2 (2003) Directory Services Architecture for H.235
  - An LDAP schema to represent H.235 elements (passwords, certificates, ID infor