International Telecommunication Union Eighth Global Standards Collaboration (GSC) Meeting - Ottawa, Canada, 27 April-1 May 2003 Security Standardization

International Telecommunication Union

Eighth Global Standards Collaboration (GSC) Meeting - Ottawa, Canada, 27 April-1 May 2003

Security Security StandardizationStandardization

in ITU-Tin ITU-THerbert Bertine

Co-Chairman ITU-T Study Group 17

[email protected]

Ninth Global Standards Collaboration (GSC-9) Meeting – Seoul Korea, 9-13 May 2004

Ninth Global Standards Collaboration (GSC-9) Meeting - Seoul, Korea, 9-13 May 2004

2

ITU Plenipotentiary Conference 2002Resolution PLEN/2 - Strengthening the role

of ITU in information and communication network

securityresolves1 to review ITU's current activities in information

and communication network security;2 to intensify work within existing ITU study

groups in order to: a) reach a common understanding on the

importance of information and communication network security by studying standards on technologies, products and services with a view to developing recommendations, as appropriate;

b) seek ways to enhance exchange of technical information in the field of information and communication network security, and promote cooperation among appropriate entities;

c) report on the result of these studies annually to the ITU Council.


3

ITU-T Study Groupshttp://www.itu.int/ITU-T/

o SG 2 Operational aspects of service provision, networks and performance

o SG 3 Tariff and accounting principles including related telecommunications economic and policy

issues o SG 4 Telecommunication management, including TMN o SG 5 Protection against electromagnetic environment effects o SG 6 Outside plant o SG 9 Integrated broadband cable networks and television and

sound transmission o SG 11 Signalling requirements and protocols o SG 12 End-to-end transmission performance of networks and

terminals o SG 13 Multi-protocol and IP-based networks and their

internetworking o SG 15 Optical and other transport networks o SG 16 Multimedia services, systems and terminals o SG 17 Data networks and telecommunication softwareo SSG Special Study Group "IMT-2000 and beyond" o TSAG Telecommunication Standardization Advisory Group


4

ITU-T Security Manual

December 2003

o Basic security architecture and dimensionso Vulnerabilities, threats and riskso Security framework requirementso PKI and privilege management with X.509o Applications (VoIP, IPCablecom, Fax,

Network Management, e-prescriptions)o Security terminology o Catalog of ITU-T security-related

Recommendationso List of Study Groups and security-related

Questions

http://www.itu.int/ITU-T/edh/files/security-manual.pdf


5

ITU-T Security Building Blocks

Network Management SecurityM.3010–Principles for a telecommunications management networkM.3016–TMN Security OverviewM.3210.1–TMN management services for IMT-2000 security managementM.3320–Management requirements framework for the TMN X-InterfaceM.3400–TMN management functions

Televisions and Cable SystemsJ.91–Technical methods for ensuring privacy in long-distance international television transmissionJ.93–Requirements for conditional access in the secondary distribution of digital television on cable television systemsJ.170–IPCablecom security specification

Systems ManagementX.733–Alarm reporting functionX.735–Log control functionX.736–Security alarm reporting functionX.740–Security audit trail functionX.741–Objects and attributes for access control

FacsimileT.30 Annex G–Procedures for secure Group 3 document facsimile transmission using the HKM and HFX systemT.30 Annex H–Security in facsimile Group 3 based on the RSA algorithmT.36–Security capabilities for use with Group 3 facsimile terminalsT.503–Document application profile for the interchange of Group 4 facsimile documentsT.563–Terminal characteristics for Group 4 facsimile apparatus

Multimedia CommunicationsH.233–Confidentiality system for audiovisual servicesH.234–Encryption key management and authentication system for audiovisual servicesH.235–Security and encryption for H-series (H.323 and other H.245-based) multimedia terminalsH.323 Annex J–Packet-based multimedia communications systems – Security for H.323 Annex F (Security for simple endpoint types)H.350.2–Directory services architecture for H.235H.530–Symmetric security procedures for H.323 mobility in H.510

Security Architecture FrameworkX.800–Security architectureX.802–Lower layers security modelX.803–Upper layers security modelX.805–Security architecture for systems providing end-to-end communicationsX.810–Security frameworks for open systems: OverviewX.811–Security frameworks for open systems: Authentication frameworkX.812–Security frameworks for open systems: Access control frameworkX.813–Security frameworks for open systems: Non-repudiation frameworkX.814–Security frameworks for open systems: Confidentiality frameworkX.815–Security frameworks for open systems: Integrity frameworkX.816–Security frameworks for open systems: Security audit and alarms framework

Security TechniquesX.841–Security information objects for access controlX.842–Guidelines for the use and management of trusted third party servicesX.843–Specification of TTP services to support the application of digital signatures

ProtocolsX.273–Network layer security protocolX.274–Transport layer security protocol

Security in Frame RelayX.272–Data compression and privacy over frame relay networks

Directory Services and AuthenticationX.500–Overview of concepts, models and servicesX.501–ModelsX.509–Public-key and attribute certificate frameworksX.519–Protocol specifications


6

ITU-T Study Group 17

o Lead Study Group for Communication System Securityhttp://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

• Coordination/prioritization of security efforts• Development of core security Recommendations

o Led ITU-T Workshop on Security 13-14 May 2002http://www.itu.int/ITU-T/worksem/security/index.html

• Security requirements and telecommunication reliability• Hot topics on IP-based network security• Security management• Biometric authentication

o Initiated the ITU-T Security Project• Provide vision and direction for future work• Reflect situation of current work


7

Existing Recommendations in X.800-series

Security ArchitectureX.800

Lower LayersSecurity Model

X.802

Upper LayersSecurity Model

X.803

Security Frameworks: Overview X.810

Auth

enticatio

n

Fram

ework

Access C

on

trol

Fram

ework

Non-R

epudiatio

n

Fram

ework

Con

fiden

tiality

Fram

ework

Integ

rity

Fram

ework

・・・

Generic Upper Layers Security: Overview X.830

Secu

rity E

xch

ang

e

Serv

ice Ele

ment

Pro

tecting

Tra

nsfer

Syntax

Specificatio

n

Secu

rity

Info

rmatio

n O

bje

ct

Guid

elin

e on th

e

Use o

f TT

P

・・・

・・・

Communication SystemSecurity

Information Security Management(Telecom ISMS)

Mobile Security

Tele-biometrics

NEW

Current work items

Study Group 17 Security Focus


8

ITU-T SG 17 Security Focus

o Public Key and Attribute Certificate Frameworks (X.509) Revision 2005• Ongoing enhancements as a result of more complex

useso Security Architecture (X.805) Approved 2003

• For end-to-end communicationso Security Management System (X.1051) New

• For risk assessment, identification of assets and implementation characteristics

o Mobile Security (X.1121 and X.1122) New• For mobile end-to-end data communications

o Telebiometric Multimodal Model (X.1081) New• A framework for the specification of security and safety

aspects of telebiometrics


9

X.805: Security Architecturefor End-to-End Communications

3Security layers

3 Security Planes

• Vulnerabilities can exist in each Layer, Plane and Dimension• 72 Security Perspectives (3 Layers 3 Planes 8 Dimensions)

X.805


10

ITU-T X.805 Approach

Bell Labs Advanced Technologies Lucent Technologies - Proprietary 21

Access Control

Authentication

Non-repudiation

Data Confidentiality

Module NineModule SixModule ThreeUser Plane

Module EightModule FiveModule TwoControl/Signaling Plane

Module SevenModule FourModule OneManagement Plane

Applications LayerServices LayerInfrastructure Layer

Communication Security

Data Integrity

Availability

Privacy

The 8 Security DimensionsAre Applied to Each Security Perspective

Execute– Top Row for Analysis

of Management Network

– Middle Column for Analysis of Network Services

– I ntersection of Each Layer and Plane for analysis of Security Perspective

X.805


11

ITU-T X.805

Provides A Holistic Approach:o Comprehensive, End-to-End Network View of Securityo Applies to Any Network Technology

• Wireless, Wireline, Optical Networks• Voice, Data, Video, Converged Networks

o Applies to Any Scope of Network Function• Service Provider Networks• Enterprise Networks• Government Networks• Management/Operations, Administrative Networks• Data Center Networks

o Can Map to Existing Standards o Completes the Missing Piece of the Security Puzzle of

what to do nextX.80

5


12

Security Management

o Requirements for Telecommunications of Information Security Management System (T-ISMS)

- specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the telecommunication’s overall business risks.

- leverages ISO/IEC 17799:2000, Information technology, Code of practice for information security management

- based on BS 7799-2:2002, Information Security Management Systems — Specifications with Guidance for use X.105

1


13

3. Asset classification& control

2. Organizational Security

1. Security policy

5. Physical & environmental security

4. Personnel security

7. Access control

10. Compliance

9. Business continuitymanagement

8. Systems development &maintenance

Information Assetsfor Telecom

6. Communications &operations management

Information Security Management Domains defined in ISO/IEC 17799


14

o Organizational securityo Asset managemento Personnel securityo Physical and environmental securityo Communications and operations managemento Access controlo System development and maintenance

ISMS

Information Security

Management System

X.1051


15

Mobile Security

Multi-part standard o Framework of security technologies for mobile

end-to-end data communications - describes security threats, security requirements, and security

functions for mobile end-to-end data communication - from the perspectives of the mobile user and application

service provider (ASP)

o Guideline for implementing secure mobile systems based on PKI

- describes considerations of implementing secure mobile systems based on PKI, as a particular security technology

o Security Policy (under development)- different quality of security service needs to satisfy various requirements of security services of both user and ASP

X.1121

X.1122


16

Mobile Network Open Network

Data communication

Application Server

(ASP)

Mobile Terminal

(Mobile User)

Datacommunication

Application Server

(ASP)

Mobile Terminal

(Mobile User)

Datacommunication

GeneralCommunicati

onFramework

GatewayFramewor

k

• Security threats

• Relationship of security threats and models

• Security requirements

• Relationship of security requirements and threats

• Security functions for satisfying requirementsX.1121

Security framework for mobileend-to-end data communications

Mobile Securit

yGatew

ay


17

Mobile Network

Open Network

Application Server

(ASP)

Mobile Terminal

(Mobile User)

MobileUser VA

ASP’s VA

Mobile user’s side CA

CA

RA

Repository

Repository

ASP’s side CA

Mobile Network

Open Network

Application Server

(ASP)

Mobile Terminal

(Mobile User)

MobileUser VA

ASP’s VA

Mobile user’s side CA

CA

RA

Repository

Repository

ASP’s side CAGatewa

yModel

General Model

X.1122

Secure mobile systems based on PKI

ASP Application Service Provider CA Certification AuthorityRA Registration AuthorityVA Validation Authority


18

Telebiometrics

o A model for security and public safety in telebiometrics that can -• assist with the derivation of safe limits for the

operation of telecommunications systems and biometric devices

• provide a framework for developing a taxonomy of biometric devices; and

• facilitate the development of authentication mechanisms, based on both static (for example finger-prints) and dynamic (for example gait, or signature pressure variation) attributes of a human being.

o A taxonomy is provided of the interactions that can occur where the human body meets devices capturing biometric parameters or impacting on the body. X.108

1


19

Telebiometric Multimodal Model:A Three Layer Model

o the scientific layer• 5 disciplines: physics, chemistry, biology,

culturology, psychology

o the sensory layer – 3 overlapping classifications of interactions• video (sight), audio (sound), chemo (smell,

taste), tango (touch); radio (radiation) - each with an out (emitted) and in (received) state

• behavioral, perceptual, conceptual• postural, gestural, facial, verbal, demeanoral,

not-a-sign

o the metric layer• 7 SI base units (m, kg, s, A, K, mol, cd)X.108

1


20

Networks and Systemson Cyber Security for Telecom*Vulnerability information sharing…*Incident handling operations*Security Strategy

Applications & ServicesSecurity for telecom *Mobile secure communications *Secure communication services *Security web services *X.1121, X.1122

Q.I

Q.L

Q.JQ.H

Communication System Security *Vision, Project Roadmap, Compendia, …Q10G

Telebiometrics Technology *Telebiometric Model *Telebiometric Authentication *X.1081

Q.K

SecurityArchitecture& Framework

*Architecture, Model, Concepts, Frameworks,* etc…*X.800 series*X.805

SecurityManagement*T-ISMS*Incident Management*Risk Assessment Methodology*etc…*X.1051

TelecomSystems

Telecom Systems Users

Study Group 17 Security Questions


21

Concluding Observations

o Security is everybody's business

o Security needs to be designed in upfront

o Security must be an ongoing effort

o Systematically addressing vulnerabilities (intrinsic properties of networks/systems)is key so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be – X.805 is helpful here

International Telecommunication Union

Eighth Global Standards Collaboration (GSC) Meeting - Ottawa, Canada, 27 April-1 May 2003

Thank You!Thank You!

Ninth Global Standards Collaboration (GSC-9) Meeting – Seoul, Korea, 9-13 May 2004

Documents

International Telecommunication Union Eighth Global Standards Collaboration (GSC) Meeting - Ottawa, Canada, 27 April-1 May 2003 Security Standardization