Information Security Standardisation the ETSI perspective

1
Information Security Standardisationthe ETSI
perspective

• Charles Brookson
• ETSI OCG Chairman UK DTI
• cbrookson_at_iee.org
• Dionisio Zumerle
• ETSIdionisio.zumerle_at_etsi.org

2
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

3
Security in Design and Implementation

• Security is not an optional feature
• Security must be a core concern in the design
  phase
• Technology provides ever more potential
• Attackers taking advantage of it become more
  powerful
• Security failures are not just an embarrassment
• they cause substantial financial loss
• they directly affect the stock value of companies
• In some cases security can be a winning driver
  for the success of new products and services

4
Security in Standardisation

• Information Security Standards are essential to
  ensure interoperability
• Standardisation ensures compliance of products
  with
• Adequate levels of security
• Legislative action
• Information Security Standardisation facilitates
  economic realization and cost reduction
• ETSI has 20 years of experience in Security
• Other European Standards Organisations
• CEN
• CENELEC

5
What is ETSI?

• A European Standards Organization
• Setting globally-applicable standards for
• Telecommunications
• other Electronic Communications networks and
  services
• Independent, not-for-profit, created in 1988
• The home of GSM
• A founding partner of 3GPP
• ISO 90012000 certified
• Offering direct participation
• We have more than 16 000 publications - freely
  available!

6
ETSI Committees per Security Areas
Mobile/Wireless
Algorithms
Emergency Telecommunications
SES
MESA
SecurityAlgorithms Group of Experts (SAGE)
2G/3G Mobile3GPP
EMTEL
DECT
TETRA
LawfulInterception(LI)
Mobile Commerce
AT
Next GenerationNetworks(TISPAN)
ElectronicSignatures(ESI)
SmartCardPlatform(SCP)
Fixed and Convergent Networks
Information TechnologyInfrastructure
Smart Cards
ETSI is a founding partner for this partnership
project Closed Committee
7
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

8
GSM and 3G

• IMEI (International Mobile Equipment Identity)
• Protection against theft
• Physical marking of the terminal
• Blacklisted by operator if stolen
• FIGS (Fraud Information Gathering System)
• Monitors activities of roaming subscribers
• Home network informed
• Fraudulent calls identified terminated
• Priority
• Public safety service
• Allows for high priority access
• Location

9
TETRA

• TErrestrial Trunked Radio
• Mobile radio communications
• Used for public safety services
• Security features include
• Mutual Authentication
• Encryption
• Anonymity

10
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

11
Algorithms

• ETSI is a world leader in creating cryptographic
  algorithms and protocols to prevent fraud and
  unauthorised access to ICT and broadcast
  networks, and to protect customers privacy
• ETSI SAGE (Security Algorithm Group of Experts)
• Centre of competence for algorithms in ETSI
• Algorithms for
• DECT
• GSM, GPRS, EDGE
• TETRA
• UMTS

12
GSM and UMTS Algorithms

• GSM and EDGE
• A3, A5 and A8 used in most GSM networks all
  over the world
• GPRS
• GEA3 encryption algorithms used
• UMTS radio interface (UTRA)
• UEA1 and UIA1Providing Encryption and Integrity
• UEA2 and UIA2 just released
• For more info ETSI TR 133 908

13
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

14
Smart cards

• Smart cards
• Micro-processor equipped Tokens
• Able to store and process information
• Private key
• Biometric template
• Provide Strong Authentication
• Used in
• Banking
• Healthcare
• Telecoms
• IT

15
Smart Card Standardization

• ETSI Smart Card Standardization
• ETSI Technical Committee Smart Card Platform (TC
  SCP)
• GSM SIM Cards among most widely deployed smart
  cards ever
• Work extended with UMTS USIM Card and UICC
  Platform
• Current challenges
• Expand the smart card platform
• Implement Extensible Authentication Protocol
  (EAP) in Smart Cards
• Allow users access to global roaming
• UICC platform in secure financial transactions
  over mobile communications systems

16
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

17
ETSI TISPAN WG7

• NGN concept fixed-mobile network convergence to
  packet-switched technology delivering multimedia
  services
• ETSI extending the 3GPP IMS concepts in TISPAN
  Committee designing NGN
• (TISPAN Telecommunication and Internet
  converged Services and Protocols for Advanced
  Networking)
• Working Group 7 NGN competence centre for
  security with a group of security experts
• WG7 standardizes NGN security

www.tispan.org
18
ETSI TISPAN Security

• NGN Release 1 Security Architecture includes
• Definition of Security Domains
• Definition of Security Services
• confidentiality
• Integrity
• Availability
• Security Design Guide
• Common Criteria framework used
• For each new network component

19
NGN Security Standards
NGN Architecture (NASS, RACS, )
IMS Security Architecture
NGN Release 1 Security Requirements TR 187 001
NGN Release 1 Threat, Vulnerabilities, Risk
Analysis TR 187 002
NGN Release 1 Security Architecture TS 187 003
Security Domains
Countermeasures
Security Functions
Security Services
Security Components and Building Blocks
NGN Release 2 Security Architecture
20
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

21
What is Lawful Interception?

• Delivery of intercepted communications to Law
  Enforcement Authorities
• To support criminal investigation
• To counter terrorism
• Applies to data in transit
• not a search of records
• Applied to any data in transit
• Signalling
• Speech
• Video
• Email
• Web

22
Simple architecture
Interception interface
target
Handover interface
Monitor
23
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

24
Electronic Signatures

• ETSI and CEN co-operation on the European
  Electronic Signature
• Goal provide Europe with a reliable electronic
  signatures framework
• Enabling electronic commerce
• Supporting eSignature EC Directive
• Current challenges
• eInvoicing
• Registered EMail (REM)
• International collaboration
• Certificate Policy mapped and aligned with US
  policy
• XML Signature Standard adopted in Japan

25
Agenda

• Introduction
• Mobile and Wireless Security
• Algorithms
• Smart Cards
• Next Generation Networks Security
• Lawful Interception
• Electronic Signatures
• Future Challenges

26
Need for further action

• ETSI Future Security Workshop
• Held in January 2006, Sophia-Antipolis France
• Assessment of gaps in Security Standards
• Recommendations for future work areas
• Coming up 2nd Workshop in January 2007
• EC Communication on a strategy for a Secure
  Information Society COM(2006) 251
• Requesting concrete action from Europe in
  Security
• Industry-driven, with possible standardization
• 5-13 of IT expenditure in Security according to
  EC
• Need for further standardization!

27
Future Challenges (1/4)

• NGN
• Co-ordination between multitude of bodies
• Alignment between fixed and mobile security
  techniques
• Product Proofing
• Identifying and analyzing the threats when
  designing products
• EC Mandate M/355
• Need for set of standards to be produced

28
Future Challenges (2/4)

• DRM
• Content ever more a key asset to be protected
  from unauthorized access
• No single effective DRM standard exists
• Great number of technical issues to be defined
• Optimal layer
• Device specific VS device agnostic
• Online VS offline verification
• Privacy
• Definition of privacy levels for users

29
Future Challenges (3/4)

• Retained Data
• 2006/24/EC Directive of the European Parliament
• Information on telephone calls and Internet use
  would be kept for six to twelve months
• ETSI TC LI has started to address the subject
  with a series of specifications that are being
  currently produced
• Mobile Terminal Security
• Attacks on mobile data platforms, especially
  employee PDAs
• Antivirus, firewall, IDS to prevent DoS attacks

30
Future Challenges (4/4)

• Online Banking Security
• High levels of Trust and Privacy paramount
• Need for enterprise transactional SOA (Service
  Oriented Architecture) standard
• Collaboration between banking, telecom and IT
  standardization
• RFID
• Used to prevent illicit tracking and cloning of
  tags
• Lighter encryption algorithms needed
• ETSI ERM TG34 producing specifications on RFID

31
Conclusions

• ETSI is a leader in European ICT Security
  Standardsand also Globally
• Future Security Standards are the next challenge
• ETSI can meet that challenge

32
Thank you for your attention

• cbrookson_at_iee.org
• dionisio.zumerle_at_etsi.org
• portal.etsi.org/securityworkshop