Title: Information Security Standardisation: the ETSI perspective

Slide 1: Information Security Standardisation: the ETSI perspective
- Charles Brookson
- ETSI OCG Chairman, UK DTI
- cbrookson_at_iee.org
- Dionisio Zumerle
- ETSI
- dionisio.zumerle_at_etsi.org

Slide 2: Agenda
- Introduction
- Mobile and Wireless Security
- Algorithms
- Smart Cards
- Next Generation Networks Security
- Lawful Interception
- Electronic Signatures
- Future Challenges

Slide 3: Security in Design and Implementation
- Security is not an optional feature
- Security must be a core concern in the design phase
- Technology provides ever more potential
- Attackers taking advantage of it become more powerful
- Security failures are not just an embarrassment
  - they cause substantial financial loss
  - they directly affect the stock value of companies
- In some cases security can be a winning driver for the success of new products and services

Slide 4: Security in Standardisation
- Information Security Standards are essential to ensure interoperability
- Standardisation ensures compliance of products with
  - Adequate levels of security
  - Legislative action
- Information Security Standardisation facilitates economic realization and cost reduction
- ETSI has 20 years of experience in Security
- Other European Standards Organisations
  - CEN
  - CENELEC

Slide 5: What is ETSI?
- A European Standards Organization
- Setting globally-applicable standards for
  - Telecommunications
  - other Electronic Communications networks and services
- Independent, not-for-profit, created in 1988
- The home of GSM
- A founding partner of 3GPP
- ISO 9001:2000 certified
- Offering direct participation
- We have more than 16 000 publications, freely available!

Slide 6: ETSI Committees per Security Areas
(Diagram: ETSI committees grouped by security area; recoverable labels listed below.)
- Security areas: Mobile/Wireless, Algorithms, Emergency Telecommunications, Fixed and Convergent Networks, Information Technology Infrastructure, Smart Cards
- Committees and projects: SES, MESA, Security Algorithms Group of Experts (SAGE), 2G/3G Mobile (3GPP), EMTEL, DECT, TETRA, Lawful Interception (LI), Mobile Commerce, AT, Next Generation Networks (TISPAN), Electronic Signatures (ESI), Smart Card Platform (SCP)
- Legend: "ETSI is a founding partner for this partnership project"; "Closed Committee"

Slide 8: GSM and 3G
- IMEI (International Mobile Equipment Identity)
  - Protection against theft
  - Physical marking of the terminal
  - Blacklisted by operator if stolen
- FIGS (Fraud Information Gathering System)
  - Monitors activities of roaming subscribers
  - Home network informed
  - Fraudulent calls identified and terminated
- Priority
  - Public safety service
  - Allows for high priority access
- Location

Slide 9: TETRA
- TErrestrial Trunked Radio
- Mobile radio communications
- Used for public safety services
- Security features include
  - Mutual Authentication
  - Encryption
  - Anonymity

Slide 11: Algorithms
- ETSI is a world leader in creating cryptographic algorithms and protocols to prevent fraud and unauthorised access to ICT and broadcast networks, and to protect customers' privacy
- ETSI SAGE (Security Algorithms Group of Experts)
  - Centre of competence for algorithms in ETSI
- Algorithms for
  - DECT
  - GSM, GPRS, EDGE
  - TETRA
  - UMTS

Slide 12: GSM and UMTS Algorithms
- GSM and EDGE
  - A3, A5 and A8 used in most GSM networks all over the world
- GPRS
  - GEA3 encryption algorithms used
- UMTS radio interface (UTRA)
  - UEA1 and UIA1 providing Encryption and Integrity
  - UEA2 and UIA2 just released
- For more info: ETSI TR 133 908

Slide 14: Smart cards
- Smart cards
  - Micro-processor equipped tokens
  - Able to store and process information
    - Private key
    - Biometric template
    - ...
  - Provide Strong Authentication
- Used in
  - Banking
  - Healthcare
  - Telecoms
  - IT

Slide 15: Smart Card Standardization
- ETSI Smart Card Standardization
  - ETSI Technical Committee Smart Card Platform (TC SCP)
  - GSM SIM Cards among most widely deployed smart cards ever
  - Work extended with UMTS USIM Card and UICC Platform
- Current challenges
  - Expand the smart card platform
  - Implement Extensible Authentication Protocol (EAP) in Smart Cards
  - Allow users access to global roaming
  - UICC platform in secure financial transactions over mobile communications systems

Slide 17: ETSI TISPAN WG7
- NGN concept: fixed-mobile network convergence to packet-switched technology delivering multimedia services
- ETSI extending the 3GPP IMS concepts in TISPAN Committee designing NGN
  - (TISPAN: Telecommunication and Internet converged Services and Protocols for Advanced Networking)
- Working Group 7: NGN competence centre for security with a group of security experts
- WG7 standardizes NGN security
- www.tispan.org

Slide 18: ETSI TISPAN Security
- NGN Release 1 Security Architecture includes
  - Definition of Security Domains
  - Definition of Security Services
    - Confidentiality
    - Integrity
    - Availability
    - ...
- Security Design Guide
  - Common Criteria framework used
  - For each new network component

Slide 19: NGN Security Standards
(Diagram: relationship between the NGN security documents; recoverable labels listed below.)
- NGN Architecture (NASS, RACS, ...)
- IMS Security Architecture
- NGN Release 1 Security Requirements: TR 187 001
- NGN Release 1 Threat, Vulnerabilities, Risk Analysis: TR 187 002
- NGN Release 1 Security Architecture: TS 187 003
  - Security Domains
  - Countermeasures
  - Security Functions
  - Security Services
  - Security Components and Building Blocks
- NGN Release 2 Security Architecture

Slide 21: What is Lawful Interception?
- Delivery of intercepted communications to Law Enforcement Authorities
  - To support criminal investigation
  - To counter terrorism
- Applies to data in transit
  - not a search of records
- Applied to any data in transit
  - Signalling
  - Speech
  - Video
  - Email
  - Web

Slide 22: Simple architecture
(Diagram: target, interception interface, handover interface, monitor.)

Slide 24: Electronic Signatures
- ETSI and CEN co-operation on the European Electronic Signature
- Goal: provide Europe with a reliable electronic signatures framework
  - Enabling electronic commerce
  - Supporting eSignature EC Directive
- Current challenges
  - eInvoicing
  - Registered EMail (REM)
- International collaboration
  - Certificate Policy mapped and aligned with US policy
  - XML Signature Standard adopted in Japan

Slide 26: Need for further action
- ETSI Future Security Workshop
  - Held in January 2006, Sophia-Antipolis, France
  - Assessment of gaps in Security Standards
  - Recommendations for future work areas
  - Coming up: 2nd Workshop in January 2007
- EC Communication on a strategy for a Secure Information Society, COM(2006) 251
  - Requesting concrete action from Europe in Security
  - Industry-driven, with possible standardization
  - 5-13% of IT expenditure in Security according to EC
- Need for further standardization!

Slide 27: Future Challenges (1/4)
- NGN
  - Co-ordination between multitude of bodies
  - Alignment between fixed and mobile security techniques
- Product Proofing
  - Identifying and analyzing the threats when designing products
  - EC Mandate M/355
  - Need for set of standards to be produced

Slide 28: Future Challenges (2/4)
- DRM
  - Content ever more a key asset to be protected from unauthorized access
  - No single effective DRM standard exists
  - Great number of technical issues to be defined
    - Optimal layer
    - Device specific vs device agnostic
    - Online vs offline verification
    - ...
- Privacy
  - Definition of privacy levels for users

Slide 29: Future Challenges (3/4)
- Retained Data
  - 2006/24/EC Directive of the European Parliament
  - Information on telephone calls and Internet use would be kept for six to twelve months
  - ETSI TC LI has started to address the subject with a series of specifications that are currently being produced
- Mobile Terminal Security
  - Attacks on mobile data platforms, especially employee PDAs
  - Antivirus, firewall, IDS to prevent DoS attacks

Slide 30: Future Challenges (4/4)
- Online Banking Security
  - High levels of Trust and Privacy paramount
  - Need for enterprise transactional SOA (Service Oriented Architecture) standard
  - Collaboration between banking, telecom and IT standardization
- RFID
  - Need to prevent illicit tracking and cloning of tags
  - Lighter encryption algorithms needed
  - ETSI ERM TG34 producing specifications on RFID

Slide 31: Conclusions
- ETSI is a leader in European ICT Security Standards, and also globally
- Future Security Standards are the next challenge
- ETSI can meet that challenge

Slide 32: Thank you for your attention
- cbrookson_at_iee.org
- dionisio.zumerle_at_etsi.org
- portal.etsi.org/securityworkshop