ITU-T Achievements in ICT Security Standardization
7th ETSI Security Workshop, 18-19 January 2012, Sophia Antipolis, France
Martin Euchner, Advisor of Study Group 17, [email protected]
January 2012

Source: docbox.etsi.org/.../1_INTRODUCTION/ITU_SG17overview_EUCHNER.pdf


Contents

Brief recap of SG 17 work program

Update on SG 17 Security Standardization Work since the last ETSI Security Workshop:
• ITU-T Recommendations Approved or Approval Process Initiated in 2011
• New Work Items Initiated in 2011

Security Project

Collaboration

Useful references

Study Group 17 Overview

Primary focus is to build confidence and security in the use of Information and Communication Technologies (ICTs)

Meets twice a year. Last meeting had 171 participants from 21 Member States, 20 Sector Members and 7 Associates.

As of 27 December 2011, SG 17 is responsible for 286 approved Recommendations, 11 approved Supplements and 3 approved Implementer’s Guides in the E, F, X and Z series.

Large program of work:
• 23 new work items added to work program in 2011
• 33 Recommendations, 22 Corrigenda and 3 Supplements approved or entered approval process in 2011
• 143 new or revised Recommendations and other texts are under development for approval in 2012 or later

Work organized into 3 Working Parties with 15 Questions

3 LSG responsibilities: Security, Identity Management, and Languages

See SG 17 web page for more information: http://itu.int/ITU-T/studygroups/com17

SG 17, Security

[Figure: SG 17 organization chart. Working Party 1 (WP 1), Working Party 2 (WP 2) and Working Party 3 (WP 3), with column labels "Network and information security", "Application security" and "Identity management and languages". Questions shown: Q1 Security project, Q2 Architecture, Q3 ISM, Q4 Cybersecurity, Q5 Countering spam, Q6 Ubiquitous services, Q7 Applications, Q8 SOA, Q9 Telebiometrics, Q10 IdM, Q11 Directory, PKI and PMI, Q12 ASN.1, OID, Q13 Languages, Q14 Testing, Q15 OSI.]

Additional Security Work

• Cloud Computing Security
  • Expected transfer in early 2012 of security work from ITU-T Focus Group on Cloud Computing to SG 17
• Smart Grid Security
  • Expected transfer in early 2012 of security work from ITU-T Focus Group on Smart Grid to SG 17
• Child Online Protection
  • Correspondence group currently looking at what aspects are appropriate given SG 17 mandate and area of expertise
• MoU UNODC-ITU
  • ITU Secretary General signed MoU with United Nations Office on Drugs and Crime (UNODC) – Role of SG 17 needs further consideration

SG 17 has prepared first draft of 17 proposed Questions for the 2013-2016 study period

Update on SG 17 Security Standardization Work since the last
6th ETSI SECURITY WORKSHOP, 19.01.2011

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (1/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 2, Security architecture and framework
X.1034rev; Framework for extensible authentication protocol (EAP)-based authentication and key management; None; Approved
X.1037 (X.rev); Architectural systems for security controls for preventing fraudulent activities in public carrier networks; None; Determined

SG 17 Question 3, Telecommunications information security management
X.1052; Information security management framework; None; Approved
X.1057; Asset management guidelines in telecommunication organizations; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (2/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 4, Cybersecurity
X.1500; Overview of cybersecurity information exchange (CYBEX); None; Approved
X.1500.1 (X.cybex.1); Procedures for the registration of arcs under the object identifier (OID) arc for cybersecurity information exchange; None; Determined
X.1520; Common vulnerabilities and exposures (CVE); None; Approved
X.1521; Common vulnerability scoring system (CVSS); None; Approved
X.1524 (X.cwe); Common weakness enumeration (CWE); None; Determined
X.1541 (X.iodef); Incident object description exchange format; None; Determined
X.1570; Discovery mechanisms in the exchange of cybersecurity information; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (3/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 4, Cybersecurity
X.Suppl.9; Supplement 9 to ITU-T X-series Recommendations - ITU-T X.1205 - Guidelines for reducing malware in ICT networks; None; Approved
X.Suppl.10; Supplement 10 to ITU-T X-series Recommendations - ITU-T X.1205 - Usability of network traceback; None; Approved

SG 17 Question 5, Countering spam by technical means
X.Suppl.11; Supplement 11 to ITU-T X-series Recommendations - ITU-T X.1246 - Framework based on real-time blocking list (RBL) for countering VoIP spam; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (4/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 6, Security aspects of ubiquitous telecommunication services
X.1192; Functional requirements and mechanisms for the secure transcodable scheme of IPTV; None; Approved
X.1193; Key management framework for secure internet protocol television (IPTV) services; None; Approved
X.1195; Service and content protection (SCP) interoperability scheme; None; Approved
X.1311; Information technology – Security framework for the ubiquitous sensor network; ISO/IEC 29180; Approved
X.1312; Ubiquitous sensor network (USN) middleware security guidelines; None; Approved

SG 17 Question 7, Secure application services
X.1153; A management framework of an one time password-based authentication service; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (5/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 9, Telebiometrics
X.1080.1; e-Health and world-wide telemedicines – Generic telecommunication protocol; None; Approved
X.1081 Amd 3; The telebiometric multimodal model – A framework for the specification of security and safety aspects of telebiometrics - Amendment 3: Enhancement to support a new modality (ELECTRO); None; Approved
X.1090; Authentication framework with one-time telebiometric template; None; Approved

SG 17 Question 10, Identity management architecture and mechanisms
X.1253; Security guidelines for identity management systems; None; Approved
X.1261 (X.Evcert); Extended validation certificate framework (EVcert); CA/Browser Forum; Determined

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (6/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 11, Directory services, Directory systems, and public-key/attribute certificates
X.501 (2005) Cor. 3; Technical Corrigendum 3 to ITU-T X.501 (2005) | ISO/IEC 9594-2:2005; ISO/IEC 9594-2:2005 Cor. 3; Approved
X.509 (2005) Cor. 3; Technical Corrigendum 3 to ITU-T X.509 (2005) | ISO/IEC 9594-8:2005; ISO/IEC 9594-8:2005 Cor. 3; Approved
X.511 (2005) Cor. 3; Technical Corrigendum 3 to ITU-T X.511 (2005) | ISO/IEC 9594-3:2005; ISO/IEC 9594-3:2005 Cor. 3; Approved
X.518 (2005) Cor. 2; Technical Corrigendum 2 to ITU-T X.518 (2005) | ISO/IEC 9594-4:2005; ISO/IEC 9594-4:2005 Cor. 2; Approved
X.519 (2005) Cor. 2; Technical Corrigendum 2 to ITU-T X.519 (2005) | ISO/IEC 9594-5:2005; ISO/IEC 9594-5:2005 Cor. 2; Approved
X.520 (2005) Cor. 3; Technical Corrigendum 3 to ITU-T X.520 (2005) | ISO/IEC 9594-6:2005; ISO/IEC 9594-6:2005 Cor. 3; Approved
X.525 (2005) Cor. 1; Technical Corrigendum 1 to ITU-T X.525 (2005) | ISO/IEC 9594-9:2005; ISO/IEC 9594-9:2005 Cor. 1; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (7/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 11, Directory services, Directory systems, and public-key/attribute certificates
X.501 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.501 (2008) | ISO/IEC 9594-2:2008; ISO/IEC 9594-2:2008 Cor. 1; Approved
X.509 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.509 (2008) | ISO/IEC 9594-8:2008; ISO/IEC 9594-8:2008 Cor. 1; Approved
X.511 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.511 (2008) | ISO/IEC 9594-3:2008; ISO/IEC 9594-3:2008 Cor. 1; Approved
X.518 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.518 (2008) | ISO/IEC 9594-4:2008; ISO/IEC 9594-4:2008 Cor. 1; Approved
X.519 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.519 (2008) | ISO/IEC 9594-5:2008; ISO/IEC 9594-5:2008 Cor. 3; Approved
X.520 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.520 (2008) | ISO/IEC 9594-6:2008; ISO/IEC 9594-6:2008 Cor. 1; Approved
X.525 (2008) Cor. 1; Technical Corrigendum 1 to ITU-T X.525 (2008) | ISO/IEC 9594-9:2008; ISO/IEC 9594-9:2008 Cor. 1; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (8/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 12, Abstract Syntax Notation One (ASN.1), object identifiers (OIDs) and associated registration
X.660rev; Information technology – Procedures for the operation of Object Identifier Registration Authorities: General procedures and top arcs of the International Object Identifier tree; ISO/IEC 9834-1; Approved
X.674; Procedures for the registration of arcs under the alerting object identifier arc; None; Approved
X.680 Cor.1; Information technology – Abstract Syntax Notation One (ASN.1): Specification of basic notation – Technical Corrigendum 1; ISO/IEC 8824-1 Cor.1; Approved
X.681 Cor.1; Information technology – Abstract Syntax Notation One (ASN.1): Information object specification – Technical Corrigendum 1; ISO/IEC 8824-2 Cor.1; Approved
X.690 Cor.1; Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) – Technical Corrigendum 1; ISO/IEC 8825-1 Cor.1; Approved
X.691 Cor.1; Information technology – ASN.1 encoding rules: Specification of Packed Encoding Rules (PER) – Technical Corrigendum 1; ISO/IEC 8825-2 Cor.1; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (9/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 12, Abstract Syntax Notation One (ASN.1), object identifiers (OIDs) and associated registration
X.692 Cor.1; Information technology – ASN.1 encoding rules: Specification of Encoding Control Notation (ECN) – Technical Corrigendum 1; ISO/IEC 8825-3 Cor.1; Approved
X.693 Cor.1; Information technology – ASN.1 encoding rules: XML Encoding Rules (XER) – Technical Corrigendum 1; ISO/IEC 8825-4 Cor.1; Approved
X.694 Cor.1; Information technology – ASN.1 encoding rules: Mapping W3C XML schema definitions into ASN.1 – Technical Corrigendum 1; ISO/IEC 8825-5 Cor.1; Approved
X.891 Cor.1; Information technology – Generic applications of ASN.1: Fast infoset – Technical Corrigendum 1; ISO/IEC 24825-1 Cor.1; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (10/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 13, Formal languages and telecommunication software
Z.100rev; Specification and Description Language: Overview of SDL-2010; None; Approved
Z.101; Specification and Description Language: Basic SDL-2010; None; Approved
Z.102; Specification and description language: Comprehensive SDL-2010; None; Approved
Z.103; Specification and Description Language: Shorthand notation and annotation in SDL-2010; None; Approved
Z.104rev; Specification and Description Language: Data and action language in SDL-2010; None; Approved
Z.105rev; Specification and Description Language: SDL-2010 combined with ASN.1 modules; None; Approved
Z.106rev; Specification and Description Language: Common interchange format for SDL-2010; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (11/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 13, Formal languages and telecommunication software
Z.120rev; Message sequence chart (MSC); None; Approved
Z.150rev; User requirements notation (URN) – Language requirements and framework; None; Approved
Z.Imp100rev; Specification and description language implementers’ guide; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (12/12)

Columns: Acronym; Title; Equivalent; Action

SG 17 Question 14, Testing languages, methodologies and framework
Z.161rev; Testing and Test Control Notation version 3: TTCN-3 Core Language; ETSI ES 201 873-1; Approved
Z.164rev; Testing and Test Control Notation version 3: TTCN-3 Operational Semantics; ETSI ES 201 873-4; Approved
Z.165rev; Testing and Test Control Notation version 3: TTCN-3 Runtime Interface (TRI); ETSI ES 201 873-5; Approved
Z.166rev; Testing and Test Control Notation version 3: TTCN-3 Control Interface (TCI); ETSI ES 201 873-6; Approved
Z.167rev; Testing and Test Control Notation version 3: TTCN-3 Using ASN.1 with TTCN-3; ETSI ES 201 873-7; Approved
Z.168rev; Testing and Test Control Notation version 3: TTCN-3 The IDL to TTCN-3 Mapping; ETSI ES 201 873-8; Approved
Z.169rev; Testing and Test Control Notation version 3: TTCN-3 Using XML schema with TTCN-3; ETSI ES 201 873-9; Approved
Z.170rev; Testing and Test Control Notation version 3: TTCN-3 Documentation Comment Specification; ETSI ES 201 873-10; Approved

New Work Items Initiated in 2011 (1/4)

Columns: Acronym; Title (Draft Recommendation)

SG 17 Question 2, Security architecture and framework
X.hsn; Heterarchic architecture for secure distributed service networks
X.ipv6-secguide; Technical guideline on deploying IPv6

SG 17 Question 3, Telecommunications information security management
X.gpim; Guideline for management of personally identifiable information for telecommunication organizations
X.mgv6; Security management guideline for implementation of IPv6 environment in telecommunications organizations
Supplement of X.1051; Supplement to X-series Recommendations – ITU-T X.1051: Information security management users' guide for Recommendation ITU-T X.1051
Handbook; Handbook on information security incident management for developing countries

New Work Items Initiated in 2011 (2/4)

Columns: Acronym; Title (Draft Recommendation)

SG 17 Question 4, Cybersecurity
X.csmc; Continuous security monitoring using CYBEX techniques
X.cvrf; Common vulnerability reporting format
X.rid; Real-time inter-network defense
X.ridt; Transport of real-time inter-network defense messages
X.sisnego; Framework of security information sharing negotiation

SG 17 Question 5, Countering spam by technical means
X.ticvs; Technologies involved in countering voice spam in telecommunication organizations

New Work Items Initiated in 2011 (3/4)

Columns: Acronym; Title (Draft Recommendation)

SG 17 Question 6, Security aspects of ubiquitous telecommunication services
X.iptvsec-8; Virtual machine-based security platform for renewable IPTV service and content protection (SCP)

SG 17 Question 7, Secure application services
X.p2p-4; Use of service providers’ user authentication infrastructure to implement PKI for peer-to-peer networks
X.sap-6; One time password based non-repudiation framework
X.sap-7; The requirements of fraud detection and response service for sensitive Information Communication Technology
X.xacml3; Extensible access control markup language 3.0

SG 17 Question 8, Service oriented architecture security
X.sfcse; Security functional requirements for Software as a Service (SaaS) application environment

New Work Items Initiated in 2011 (4/4)

Columns: Acronym; Title (Draft Recommendation)

SG 17 Question 9, Telebiometrics
X.1081 Amd.3; The telebiometric multimodal model – A framework for the specification of security and safety aspects of telebiometrics - Amendment 3: Enhancement to support a new modality “ELECTRO” and define new object identifiers
X.tam; A guideline to technical and operational countermeasures for telebiometric applications using mobile devices

SG 17 Question 10, Identity management architecture and mechanisms
X.atag; Attribute aggregation framework

SG 17 Question 13, Formal languages and telecommunication software
Z.10x; Specification and Description Language: Object-oriented data in SDL-2010
Z.104 Annex C; Language binding

Security Project

Security Coordination
• Coordinate security matters within SG 17, with ITU-T SGs, ITU-D and externally with other SDOs
• Maintain reference information on LSG security webpage

ICT Security Standards Roadmap
• Searchable database of approved ICT security standards from ITU-T, ISO/IEC, ETSI and others

Security Compendium
• Catalogue of approved security-related Recommendations and security definitions extracted from approved Recommendations

ITU-T Security Manual
• 5th edition planned for 2012

Coordination & Collaboration

Joint Coordination Activity on Identity Management (JCA-IdM)

Joint Coordination Activity on Conformance and Interoperability Testing (JCA-CIT)

Both JCAs will run in conjunction with ITU-T SG 17 meeting (20 February – 2 March 2012)

Security Coordination
Security activities in other ITU-T Study Groups

ITU-T SG 2 Operation aspects & TMN
– Q3 International Emergency Preference Scheme, ETS/TDR
– Q5 Network and service operations and maintenance procedures, E.408
– Q11 TMN security, TMN PKI

ITU-T SG 9 Integrated broadband cable and TV
– Q3 Conditional access, copy protection, HDLC privacy
– Q7, Q8 DOCSIS privacy/security
– Q9 IPCablecom 2 (IMS w. security), MediaHomeNet security gateway, DRM

ITU-T SG 11 Signaling Protocols
– Q7 EAP-AKA for NGN

ITU-T SG 13 Future network
– Q16 Security and identity management for NGN
– Q17 Deep packet inspection

ITU-T SG 15 Optical Transport & Access
– Reliability, availability, Ethernet/MPLS protection switching

ITU-T SG 16 Multimedia
– Secure VoIP and multimedia security (H.233, H.234, H.235, H.323, JPEG2000)

Coordination with other bodies

[Figure: Study Group 17 coordination with other bodies: ITU-D, ITU-R, xyz…]

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (1/2)

Columns: Acronym; Title; Equivalent; Action

SG 2, Question 11, Protocols and security for management
M.3016.1 Amd.1; Security for the management plane: Security requirements - Authentication extension; None; Approved
M.3016.3 Amd.1; Security for the management plane: Security requirements - Redundant authentication extension; None; Approved
M.3016.4 Amd.1; Security for the management plane: Security mechanism - Authentication extension; None; Approved

SG 5, Question 15, Security of telecommunication and information systems regarding the electromagnetic environment
K.87; Guide for the application of electromagnetic security requirements - Basic Recommendation; None; Approved

ITU-T Recommendations Approved or Approval Process Initiated in 2011 (2/2)

Columns: Acronym; Title; Equivalent; Action

SG 13, Question 16, Security and identity management
Y.2722; NGN identity management mechanisms; None; Approved
Y.2740; Security requirements for mobile remote financial transactions in next generation networks; None; Approved
Y.2741; Architecture of secure mobile financial transactions in next generation networks; None; Approved
Y.2760; Mobility security framework in NGN; None; Approved

SG 15, Question 5, Transport equipment and network protection/restoration
G.873.1; Optical Transport Network (OTN): Linear protection; None; Approved
G.8031/Y.1342; Ethernet linear protection switching; None; Approved

SG 16, Question 3, Multimedia gateway control architectures and protocols
H.248.77; Gateway control protocol: Secure real-time transport protocol (SRTP) package and procedures; None; Approved

New Work Items Initiated in 2011

Columns: Acronym; Title (Draft Recommendation)

SG 13, Question 16, Security and identity management
Y.ETS-Sec; Y.ETS Security
Y.NGN-OOF; Framework for NGN Support and Use of OpenID and OAuth
Y.NGN-OpenID; Support for OpenID in NGN
Y.NGN-OAuth; Support for OAuth in NGN
-; Security Assurance for Mobile VoIP Service
Supplement; Y.2700 series: NGN Security Planning and Operations Guidelines

SG 16, Question 3, Multimedia gateway control architectures and protocols
H.248.TLS; Gateway control protocol: H.248 packages for control of transport security

Reference links

Webpage for ITU-T Study Group 17
• http://itu.int/ITU-T/studygroups/com17

Webpage on ICT security standard roadmap
• http://itu.int/ITU-T/studygroups/com17/ict

Webpage on ICT cybersecurity organizations
• http://itu.int/ITU-T/studygroups/com17/nfvo

Webpage for JCA on Identity management
• http://www.itu.int/en/ITU-T/jca/idm/Pages/default.aspx

Webpage for JCA on Conformance and interoperability testing
• http://itu.int/en/ITU-T/jca/idm

Webpage on lead study group on telecommunication security
• http://itu.int/en/ITU-T/studygroups/com17/Pages/telesecurity.aspx

Webpage on lead study group on identity management
• http://itu.int/en/ITU-T/studygroups/com17/Pages/idm.aspx

Webpage on lead study group on languages and description techniques
• http://itu.int/en/ITU-T/studygroups/com17/Pages/ldt.aspx

Webpage for security workshop on Addressing security challenges on a global scale
• http://itu.int/ITU-T/worksem/security/201012

Thank you!

Martin Euchner
Advisor of Study Group 17
[email protected]