ETSI 4th Security Workshop, 13-14 January 2009 - Sophia-Antipolis, France: Workshop Report


Overview (page 3)
Workshop opening (page 4)
Keynote speeches (page 4)
Session 1: Mobile Security (page 7)
Session 2: Security initiatives within CEN and CENELEC (page 9)
Session 3: Privacy (page 11)
Session 4: International Standardization (page 14)
Session 5: NGN Security and Data Retention (page 18)
Session 6: Metrics (page 21)
Session 7: R & D (page 22)
Workshop Closure (page 27)


Overview

The 4th ETSI Security Workshop, organised and hosted by ETSI in Sophia Antipolis, France, took place on 13-14 January 2009. It counted around one hundred participants, covering a diverse range of professional interests within the security arena, with a special focus on security standards. The agenda included seven sessions and a discussion panel, with presentations given by experts representing organizations such as ETSI, CEN, CENELEC, the European Commission, ITU-T and ENISA, as well as the private sector, government and universities. The workshop provided interesting information on all topics covered, with special attention to the standardization efforts related to those topics. In addition, it provided co-operation opportunities and directions for future work, in particular with regard to the priorities for security standardization.


Workshop opening

Carmine Rizzo (ETSI Technical Officer and Security Expert) opened the 4th ETSI Security Workshop. He informed the audience that, due to sudden and very important personal reasons, the ETSI OCG Security Chairman Charles Brookson (Standards Director, UK Department of Business, Enterprise and Regulatory Reform) could not be at this Workshop. A short video was shown, which was sent by Charles Brookson to welcome all participants. Carmine Rizzo asked the ETSI Director General Walter Weigel to officially open the Workshop.

Keynote speeches

Welcoming speech – Walter Weigel, ETSI Director General

The ETSI DG, Walter Weigel, welcomed the participants to the 4th ETSI Security Workshop. Mr. Weigel stressed the high importance and value of the standardization work within the security arena. In particular, he pointed out that standardization efforts should be prioritized, as organizations need to optimize the utilization of their resources, especially during the current phase of global economic downturn. Walter Weigel also provided a brief overview of ETSI, a European Standards Organization setting globally-applicable standards for Telecommunications and other Electronic Communications networks and services. ETSI is an independent, not-for-profit organisation created in 1988. Among various globally recognised achievements, ETSI created the GSM standard. ETSI is ISO 9001:2000 certified. It offers direct participation to members, and is a founding partner of 3GPP. ETSI has more than 20 000 publications, all freely available.

ICT for Competitiveness and Innovation – Antonio Conte, European Commission, DG ENTR

Antonio Conte pointed out that an efficient European ICT standardisation policy is key in support of the innovation and competitiveness of European enterprises. At the same time, the formal and unofficial standardisation systems should combine their efforts to better respond to the needs of the market. The EC DG Enterprise and Industry has performed an intermediate study which resulted in an open event on 12/2/2008 to present and to discuss the study's recommendations more widely with all interested parties. During this event, consensus was achieved on the following points: the establishment of a High Level ICT standardisation policy platform; three scenarios for the possible integration of fora and consortia standards in the European ICT standardisation scheme; and a list of 10 attributes for standards/standardisation processes to be eligible for association with EU legislation and policies. Issues for further discussion include: IPR in ICT standardisation; the relationship between ICT standardisation and R&D; and referencing ICT standards in public procurement. A White Paper is due to be published in 2Q09. The strategy for a Secure Information Society encompasses an open and inclusive multi-stakeholder debate, which would lead to an improved dialogue (structured and multi-stakeholder), partnership (greater awareness and better understanding of the challenges) and empowerment (commitment to the responsibilities of all players involved).

ETSI Security Activities Overview - Carmine Rizzo, ETSI Technical Officer and Security Expert

Carmine Rizzo provided an overview of the ETSI activities in Security. He gave some details of the achievements and ongoing work within several ETSI Technical Bodies in the following areas:

• Next Generation Networks
• Mobile and Wireless Communication (GSM/UMTS, TETRA, DECT, ...)
• Lawful Interception and Data Retention
• Electronic Signatures
• Smart Card
• Algorithms
• Emergency Communications / Public Safety
• RFID
• Quantum Key Distribution (QKD)
• In 3GPP: SAE/LTE and Common IMS

Carmine Rizzo explained what horizontal coordination activities are carried out at ETSI in order to proactively supervise and promote security standardization work across all ETSI Technical Bodies. He highlighted the role of the ETSI OCG (Operational Coordination Group) Security, which is a horizontal coordination structure for security activities inside ETSI and with organizations outside. Its main aim is to make sure that new standardization work is addressed by the proper Technical Body, and that any conflicting or duplicate work is prevented. Carmine Rizzo informed the participants about the publication of the 2nd Edition of the “ETSI Security White Paper”, produced by Carmine Rizzo and Charles Brookson. This document describes ETSI achievements and current work in all security areas and provides a list of all security-related ETSI publications. It can be downloaded freely here: http://www.etsi.org/WebSite/document/Technologies/ETSI-WP1_Security_Edition2.pdf

Carmine Rizzo stressed that a number of issues are open and need to be considered as future challenges, which ETSI is prepared to address by supporting its Members and in cooperation with other Standardization Bodies. Such issues include security metrics, prioritization of efforts (which security matters should, or should not, be addressed by standardization), how to evaluate standards once they are implemented, and how to measure to what extent they are implemented. This 4th ETSI Security Workshop provides an excellent opportunity to share information about new work, and to discuss new challenges, in particular during the final panel discussion, which will highlight a number of conclusions.


ENISA Activities in Security - Slawomir Gorniak, ENISA Security Expert

Slawomir Gorniak gave a speech about the achievements of ENISA in 2008, which included analysis of regulations, measures and technologies enhancing the resilience of public communication networks, developing and maintaining co-operation models, identifying emerging risks, and several position papers, such as on security in Web 2.0, virtual worlds, mobile eID, etc. He also gave an overview of the work programme of the Agency for 2009 (including the resumption of activities in the area of standardization). The current focus of the Agency is on three main Multi-annual Thematic Programmes (MTPs): improving Resilience in European e-Communication Networks, developing and Maintaining co-operation between Member States, and Identifying Emerging Risks for creating trust and confidence. Slawomir Gorniak provided some details of the various Work Packages which compose the three MTPs. Finally, he provided several conclusions: countries’ preparedness measures and policies are at different levels of maturity, as only a few of them have developed solid strategies to address the stability of the Internet, which is not only a technology issue. He pointed out that, as DNSSEC and IPv6 deployment and RFID usage are issues that greatly concern stakeholders, ENISA is taking initiatives to address governance issues on DNSSEC implementation in the root and EPC/ONS.


Session 1: Mobile Security
Chair: Valtteri Niemi, 3GPP SA3 Chairman, Nokia

Securing emerging wireless networks and services - Ganesh Sundaram, Alcatel Lucent

Ganesh Sundaram gave an overview of the evolution of mobile wireless systems and highlighted the security vulnerabilities arising from this process, related both to new applications and to users’ habits. Moreover, markets are discovering new business models to monetize wireless access, further changing the security rules of the game. He discussed these issues with a focus on emerging wireless networks, architectures and services, with emphasis on security threats and solutions. He presented a template for discussing security issues and offering potential solutions to specific problems. Some specific new results on end-to-end privacy and secure routing were discussed in detail.

3GPP Security hot topics: LTE/SAE and Home (e)NB - Valtteri Niemi, 3GPP SA3 Chairman, Nokia

Valtteri Niemi provided some historical background on this topic. He mentioned the various security specifications related to 3GPP releases and the relevant work done by the SA3 Working Group. Valtteri Niemi went on to explain Common IMS security. He started from IMS (SIP) security in Rel. 5 and related aspects such as authentication and key agreement, security mechanism agreement and R99 access security. He then explained the enhancements introduced in Rel. 6 and Rel. 7, and lastly in Rel. 8 with the introduction of Common IMS security. Enhancements include several new normative annexes to TS 33.203, early IMS security TR 33.978 promoted to a TS, and media security. He also showed different IMS authentication schemes. Valtteri Niemi explained the main matters related to the current work for SAE/LTE (System Architecture Evolution / Long Term Evolution): the new architecture and business environment require enhancements to 3G security; radio interface user plane security terminates at the base station site; cryptographic separation of keys; forward/backward security in handovers; and different security mechanisms in the many inter-working cases with both 3GPP and non-3GPP access networks. Finally he gave details on the current Home (e)NB security work and related issues: a new architecture with more exposed locations of NBs brings new types of threats, hence many new countermeasures are needed.

Open Mobile Terminal Platform (OMTP) recommendations - David Rogers, Director of External Relations, OMTP

David Rogers highlighted that the Open Mobile Terminal Platform (OMTP) has developed a number of recommendations in the area of security and released the first version of its ‘Advanced Trusted Environment: OMTP TR1’ recommendation in May 2008. The project continues to be worked on, establishing the foundations of trust for future sensitive services and applications on the handset, whilst enhancing the underlying platform security of the handset. The TR1 document has been in production for nearly two years and builds upon the groundwork of the Trusted Environment (TR0). Whilst TR0 established the basics of a trusted environment for mobile phones, TR1 is forward looking, aiming to provide the base security in handsets for future highly sensitive applications such as m-commerce and broadcast. Access to device-based, security-sensitive APIs through projects such as OMTP BONDI will rely on a secure device platform. The recommendations further enhance the work designed to protect the unique identity of the device and stored data, making the user’s data safer and the device even more difficult to re-enable after theft. TR1 also provides the underpinning of trust for other services on the device. An Application Security Framework designed to protect the user from malware and to enforce corporate security policies could potentially be undermined if the hardware platform it is running on is insecure.

Secure Multicast and Broadcast Communication in Broadband Wireless Networks - Jaydip Sen, Tata Consultancy Services

Jaydip Sen sent his apologies as he could not fly to France due to a flight cancellation. A summary of his proposal follows. The next generation WMAN (Wireless Metropolitan Area Network) standards have provisions for Multicast and Broadcast Service (MBS), and Tata’s work on MBS security relates particularly to the development of a rekeying protocol for the group security association. MBS enables a Base Station (BS) to distribute data simultaneously to multiple Mobile Stations (MS) to reduce communication overhead. However, this mechanism is vulnerable, since every member of a multicast group, in addition to having the ability to decrypt and verify the broadcast messages, can also encrypt and authenticate messages as if they originated from the ‘real’ BS. The proposed mechanism plugs this vulnerability by avoiding broadcast key updates and by generating the Group Traffic Encryption Key (GTEK) as part of a hash chain. The BS first generates a random number which represents the initial key GTEK0. The other GTEKs are generated by applying a one-way function to the previous GTEK. Further technical details of this mechanism and its security features show that the scheme has low computing requirements both at the BS and at the MSs.
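The hash-chain rekeying idea summarised above, as an added example that is not part of the report or of Tata's proposal: GTEK0 is a random seed, and each later key is the one-way image of the previous one. The one-way function (SHA-256 under a fixed label, truncated to 16 bytes) and the key length are assumptions; the report names neither. The point the code makes is the one the summary makes: a station holding the current key derives every later key locally, so the BS never has to broadcast a key update that another group member could forge, while earlier keys stay out of reach of a station admitted later.

```python
import hashlib
import secrets

KEY_LEN = 16  # bytes; constructed parameter, the report states no key size


def generate_gtek0(key_len: int = KEY_LEN) -> bytes:
    """GTEK0: the random seed the Base Station generates once for the group."""
    return secrets.token_bytes(key_len)


def next_gtek(gtek: bytes, key_len: int = KEY_LEN) -> bytes:
    """One step of the chain: GTEK(i+1) = F(GTEK(i)).

    F is SHA-256 over a fixed label plus the current key, truncated to key_len.
    The report only says 'a one-way function'; SHA-256 is this example's choice.
    """
    return hashlib.sha256(b"GTEK-chain" + gtek).digest()[:key_len]


def gtek_chain(gtek0: bytes, length: int) -> list:
    """Keys for epochs 0 .. length-1, as the BS can precompute them up front."""
    keys = [gtek0]
    while len(keys) < length:
        keys.append(next_gtek(keys[-1]))
    return keys


def derive_gtek(known_key: bytes, known_epoch: int, target_epoch: int) -> bytes:
    """What a Mobile Station can do on its own once it holds GTEK(known_epoch).

    Later keys follow by re-applying F, so no rekey broadcast is needed and a
    'new key' message injected by another group member carries nothing the
    station would act on. Earlier keys would require inverting F, so a station
    admitted at epoch k learns nothing about traffic from epochs before k.
    """
    if target_epoch < known_epoch:
        raise ValueError("earlier GTEKs are not derivable from a later one")
    key = known_key
    for _ in range(target_epoch - known_epoch):
        key = next_gtek(key)
    return key


if __name__ == "__main__":
    bs_keys = gtek_chain(generate_gtek0(), 8)
    # A station that joined at epoch 3 reaches epoch 7 without any message from the BS.
    assert derive_gtek(bs_keys[3], 3, 7) == bs_keys[7]
    print("epoch 7 key derived locally:", bs_keys[7].hex())
```

Because the chain runs forward, the BS must still deliver the first key to each admitted station over a protected unicast path (the summary leaves that step unspecified); everything after that is local computation on both sides.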

Understanding Mobile Phone Threat Vectors - Mohamad Nizam Kassim, Security Assurance Department, CyberSecurity Malaysia

Mohamad Nizam Kassim highlighted that the rapid evolution of mobile phones, which offer a wide range of services, has revolutionised people’s habits. Nowadays, mobile phones carry more personal information than ever. Personal and business contact information, personal images and banking information are examples of sensitive information that may reside in mobile phones. Therefore, mobile end users are an attractive target for potential attackers. Mohamad Nizam Kassim outlined ten threat vectors of possible mobile phone attacks. These are: the mobile phone operating system, mobile software applications, third-party applications, subscriber-controlled input, mobile messaging, wireless personal area network, wireless local area network, wireless wide area network, mobile malware, and mobile denial-of-service.


Session 2: Security initiatives within CEN and CENELEC
Chair: John Ketchell, CEN/ISSS Director

Towards standardisation measures to support the Security of Control and Real-Time Systems for Energy Critical Infrastructures - Marcelo Masera, Institute for the Protection and Security of the Citizen, Joint Research Centre - European Commission

Marcelo Masera provided a presentation focused on various security standardization matters within the EU. He explained that the ESCoRTS project, started on 16 June 2008 and set to last 30 months, encompasses the following activities: identifying needs and requirements for control system security, identifying best practices, stimulating convergence of work in progress, defining a strategic R&D roadmap, and setting the basis for test platforms. Marcelo Masera provided an explanation of SCADA (Supervisory Control and Data Acquisition) systems and related vulnerabilities. SCADA was not designed for security, and the risk impact could be substantial for several critical sectors, such as major blackouts for the energy, process industry and manufacturing sectors. Finally he stressed the importance for Europe of filling security gaps by encouraging awareness among stakeholders, and especially: determining best practices, developing the security business case, sharing security information through a permanent data communication structure (national, EU), and establishing a reference cyber security testing platform.

Current activities of CEN Workshop on Data Protection and Privacy (WS/DPP) - Sati Bains

Sati Bains gave an overview of the CEN Workshop on “Data Protection and Privacy” (CEN WS/DPP), launched in March 2008, whose main effort is a continuation of an existing programme supported by the European Commission, with the objective to develop and deliver three CEN Workshop Agreements (CWA) on: a better practice management system guide; personal data protection / privacy audit tools; and a voluntary technology dialogue system. Sati Bains explained that, for anybody who wishes to be involved, a public consultation open to everybody will take place on 12 February 2009 in Brussels at the new CEN/CENELEC Meeting Centre.

First results of the CEN/ISSS Workshop on Cyber Identity - Charles de Couessin, ID Partners -Counterfeiting Workshop - Nadine Ruhle-Niestroy, TUV Rheinland Japan Ltd

Charles de Couessin provided a presentation on the work of a CWA focused on Cyber-Identity: unique identification systems for organizations and parts thereof. He explained the market trends and the EU response to create a legal framework for the unique identification of business identities. He provided an overview of the CWA workplan, including the collection of requirements (market trends of identification schemes, standardisation initiatives, government initiatives, and use cases and specific issues). Finally he highlighted the expected outcomes and the related time frame. The expected outcomes include achieving interoperability among current identifiers by using meta-identification systems, creating the guidelines for a reconciled and workable framework that can be used in multiple application environments, defining best practices for meta-identification and the rules to ensure the interoperability of current identification schemes, and specifying the basic description of legal and procedural registration requirements. Charles de Couessin stressed that the CWA will use existing identification schemes, registries and proven standards for meta-identification rather than reinventing the wheel.


Session 3: Privacy
Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert

Incorporating privacy into security standardization - Claire Vishik, Security & Privacy Standards & Policy Manager, Intel

Claire Vishik highlighted that, as standard implementations of security features through the use of industry or international standards become pervasive, concerns arise about the support for privacy afforded by some of these standards. As a result, in the last 10 years numerous security and security-related standards have incorporated privacy features. Claire Vishik presented an analysis of the implementations of privacy features as part of various standards that either focus on security or have significant security components, such as IPv6, GSM, Trusted Computing, WiMAX, Wi-Fi, standards associated with RFID or healthcare records, SAML and Liberty Alliance, and several other contexts. Based on this analysis, she proposed a more general way to ensure that security standards also effectively protect user privacy.

Security and Privacy for C2X Communication Systems - Research and Standards - Matthias Gerlach, Senior Research Officer, Fraunhofer FOKUS

Matthias Gerlach explained that, starting in the late 90s, research on C2X systems quickly gained momentum with respect to network and application topics. Some successful research projects later, with the prospect of bringing C2X technology to the market within a foreseeable timeframe, standardization efforts started. At the same time, concerns grew that without proper security and privacy protection a market introduction is not possible. Matthias Gerlach provided an overview of the research and standardization efforts in the field of C2X security and privacy, with contributions from major actors in the field. Firstly he gave an introduction to the topic before looking at activities in the US, Japan and Europe, shedding light on the different priorities and expected outcomes of the various efforts. He also covered recent experiences from testing security aspects in real life. Finally, he highlighted that open issues are still being identified and he outlined the next steps concerning both research and standardization.

ETSI Electronic Signatures Activities - Riccardo Genghini, ESI Chairman

Riccardo Genghini highlighted that the work done and ongoing within ETSI TC ESI is the cornerstone for the interoperability of digital documents in Europe. He provided an overview of the work of various Specialist Task Forces: STF 351 on XAdES/CAdES interoperability Plugtests (with participants from Asia), STF 318 on Registered Email (REM) and STF 364 on electronic signatures for PDF, which offers a global solution for seamless and easy interoperability of signed digital documents (through liaison with ISO 32000 and active participation by Adobe). Riccardo Genghini listed many documents produced by TC ESI. He stressed that an impressive number of documents is available, and that all this work needs to be better organized and disseminated in order to boost interoperability.


Profiles and the challenge of providing security in personable ICT devices - Scott Cadzow / Mike Pluke, ETSI STF 342

Scott Cadzow started his presentation by highlighting that a large part of user acceptance of devices is the ability to use them effectively. However, one of the characteristics of ICT technology is change in how users use their devices. With a large part of the user experience and the user acceptance being common between ICT devices, there has been significant work in ETSI TC HF over the past few years on the personalisation of devices. In this scenario, it is very important to focus on the privacy and security challenges of making profiles for ICT user equipment private and secure whilst remaining usable. Scott Cadzow outlined a number of uses of profiles: profile invocation, profile transfer, and profile storage and recovery.

Security and personalized eHealth systems - Françoise Pettersen, ETSI STF 352

Françoise Pettersen reported that the ETSI Human Factors and eHealth Technical Bodies have created a project, carried out by STF 352, to standardise the personalization of eHealth systems. eHealth information is among the most personal and sensitive information that a person makes available in electronic form. Therefore the privacy of this information is of the highest importance if trust in eHealth systems is to be established and maintained. People’s trust that the privacy of their eHealth information is being appropriately handled can only be achieved if they feel confident that their eHealth information is made available only to appropriate people in appropriate circumstances. The work of STF 352 surveys those aspects of personalization that are specific to eHealth: user capabilities, care provider roles and functions, health-related information, and confidentiality measures. In order to manage privacy, there is a need to handle different roles, such as those of health personnel, formal and informal carers and telecare agents.

Search Engine based Data Leakage - Hans Pongratz, Technische Universität München

Hans Pongratz highlighted that nowadays the world wide web (WWW) is ubiquitous and estimates say that there are more than 10 billion web pages. Search engines try to locate, sort and catalogue the web and help the user to find the desired information. Due to wrong web server configuration or other human failure, there are many cases of unwanted publication of information through the web. In this context, the term “Google Hacking” refers to the use of search engines to find privacy or security issues via search queries, whose results can range from revealing error messages to login credentials, special file types and browseable directories. This raises the questions of what information can be detected using a search engine like Google and whether a company or organization is affected, and in turn of which security concepts take this kind of threat into account. Based on a summary of the technique of “Google Hacking”, Hans Pongratz explained some countermeasures and identified some gaps in security standards in the field of risk analysis and information leakage.
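The countermeasure side of the passage above, as an added example that is not from the report or from Hans Pongratz: search engines only index what a web server hands out, so the two leakage channels named in the summary (browseable directories and stray sensitive file types) are closed in the server configuration. The snippet embeds two constructed Apache httpd fragments, a weak one with directory listing on and a hardened one that turns listing off and denies common backup and dump suffixes, and a small audit that flags the weak settings. The directives used (`Options -Indexes`, `<FilesMatch>`, `Require all denied`) are standard Apache 2.4 syntax; the suffix list and the file contents are this example's own choices.

```python
import re

# Constructed Apache httpd fragments for the example (not from the report or any real site).
WEAK_CONFIG = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

HARDENED_CONFIG = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Never serve editor backups, dumps or config copies left in the web root.
<FilesMatch "\\.(bak|old|orig|sql|conf|ini|log)$">
    Require all denied
</FilesMatch>
"""

# Suffixes that tend to surface in search results when such files sit in a web root
# (example list; extend it to match what your own deployments leave behind).
SENSITIVE_SUFFIXES = ("bak", "old", "orig", "sql", "conf", "ini", "log")


def directory_listing_enabled(config: str) -> bool:
    """True if any Options line turns indexes on ('Indexes' or '+Indexes', but not '-Indexes')."""
    for line in config.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].lower() != "options":
            continue
        for token in tokens[1:]:
            if token.lstrip("+").lower() == "indexes":
                return True
    return False


def denied_suffixes(config: str) -> set:
    """Sensitive suffixes matched by a <FilesMatch> block whose body contains 'Require all denied'."""
    found = set()
    block_re = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
    for match in block_re.finditer(config):
        pattern, body = match.group(1), match.group(2)
        if "require all denied" not in body.lower():
            continue
        for suffix in SENSITIVE_SUFFIXES:
            # Apply the configured regex to a sample filename the way httpd would.
            if re.search(pattern, "file." + suffix, re.I):
                found.add(suffix)
    return found


def audit(config: str) -> list:
    """Findings for one configuration text; an empty list means both checks pass."""
    findings = []
    if directory_listing_enabled(config):
        findings.append("directory listing enabled: replace 'Indexes' with '-Indexes'")
    missing = set(SENSITIVE_SUFFIXES) - denied_suffixes(config)
    if missing:
        findings.append("no deny rule for sensitive suffixes: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

The audit is deliberately narrow: it reads the two settings the passage is about and nothing else, and it does not follow `Include` directives or `.htaccess` files, so a clean result here is a necessary check, not a full review of what the server exposes.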


Finger vein authentication technologies for consumer mobile products - Hideo Sato, FVA Biz Development Office, Sony Corp

Hideo Sato introduced finger vein authentication technologies for consumer mobile products, a new biometric method using the unique finger vein patterns. Since finger veins exist inside the body, they are extremely hard to forge. Hideo Sato explained that quick response time and high-level security authentication are achieved by a new compact fast-matching algorithm and a small template size, comparable to that of minutiae-based fingerprint authentication systems. These technologies enable the use of finger vein authentication for mobile devices, smart cards, etc.


Session 4: International Standardization
Chair: Mike Harrop, ITU-T Rapporteur SG17 Q4

Future security work in the ITU-T - Mike Harrop, ITU-T Rapporteur SG17 Q4, Communication Security Project

Mike Harrop pointed out that the 4-year ITU-T Study Period ended in 2008 and there has been a restructuring of the work for the new Study Period, which begins in 2009. The new structure was approved at the World Telecommunications Standardization Assembly in October 2008. A new management team has been appointed. His presentation outlined the new organizational structure and reviewed prospects for the ITU-T security work in the new Study Period (2009-2012). Mike Harrop explained that aspects of security are being addressed by most Study Groups (SGs), and that SG 17 has a primary focus on communication security and is the Lead Study Group (LSG) on security for ITU-T. Specifically, SG17 is responsible for studies relating to security, including cybersecurity, countering spam and identity management. SG17 is also responsible for the application of open system communications, including directory and object identifiers, and for technical languages, the method for their usage and other issues related to the software aspects of telecommunication systems. In addition, the focus on identity management (IdM) has been raised, and SG17 is now LSG for IdM.

The UICC as the Security Platform for Value Added Services - Klaus Vedder, Executive Vice President, G & D

Klaus Vedder reminded the audience that the SIM and UICC represent the driving smart card technology globally. He gave some background information about ETSI TC Smart Card Platform (SCP), founded in March 2000 as the successor of SMG9, the group which specified the most successful smart card application ever, with over 3 billion subscribers using one or more of the 13 billion SIMs, USIMs and R-UIMs delivered to the market. The mission of TC SCP is to create a series of specifications for a Smart Card Platform, based on real-life (outside) requirements, on which other bodies can base their system-specific applications to achieve compatibility between all applications resident on the smart card. Klaus Vedder gave an overview of the main specifications and provided some technical details about the evolution of the smart card chip. He outlined the work done on the “Contactless” USIM, and explained that the contactless interface for the (U)SIM will create a wealth of new opportunities, as mobile phones will work like a contactless card for payment, ticketing and access control, and as a card reader for the (U)SIM. Finally he highlighted the reasons why the SIM is the preferred secure element for contactless communications.

A Secure-Runtime in the Mobile - The perfect enhancement to a SIM - Stefan Spitz, Manager New Technologies, New Business Development, G&D, and Richard Phelan, ARM. Stefan Spitz highlighted the reasons why an additional secure execution environment in a mobile is needed and how this can be achieved. He explained that the Secure-Runtime guarantees that resources assigned to a secure handset application are never used or modified in an unauthorized manner: erroneous or malicious code cannot cause damage beyond its own memory boundaries. The basic protection mechanism between different programs is therefore isolation, provided by the G&D Runtime and ARM TrustZone technology. Finally he pointed out that a Secure-Runtime is conceived for all systems that process security-relevant data at a mid-range security level but require more flexibility, storage capacity and functionality than a typical SIM can offer, e.g. a secure keypad and a secure display.

NFCIP-1 Security Standard protects Near Field Communication - Reinhard Meindl, Senior Principal, NXP. Reinhard Meindl provided an overview of the new security standards for NFC: their objectives and planned use cases, the structure of the standards and their main functionality. NFCIP-1 is standardised in Ecma-340, ETSI EN 302 190 and ISO/IEC 18092. It specifies the signalling interface and protocols for Near Field Communication (NFC), a wireless communication technology for closely coupled consumer electronic devices. Since NFCIP-1 does not provide any cryptographic functions, a complementary series of NFC security standards has been developed by Ecma International. The NFC security standards will also be deployed for all those NFC connections which require protection against eavesdropping and data manipulation but do not necessarily require application-specific encryption mechanisms. The modular concept of the NFC security standards simplifies the specification and allows for easy future extensibility: a common framework standard, which defines the services, the PDUs and the protocol, is complemented by a standard that defines the cryptographic mechanisms. The NFC security standards build on well-established international standards, most of which were developed by ISO/IEC JTC1/SC27.

DVB-CPCM: a complete interoperable solution for content protection in a multi-device, networked environment - Marc Jeffrey, Microsoft, DVB Project. Marc Jeffrey highlighted that the digital broadcast industry and the wider ICT sector are seeing a proliferation of content delivery platforms, along with an ever-increasing range of consumer devices for receiving, storing and consuming content. In-home networks have become a realistic possibility for the ordinary consumer, bringing added complexity to managing the content. This presents a set of challenges not only to those charged with copyright and consumer protection, but also to those wishing to ensure the interoperability of the devices and content involved. The DVB Project has addressed these challenges, with participation from all sectors of the industry, in developing a set of open, interoperable technical specifications called DVB-CPCM – Content Protection and Copy Management, published as a multi-part standard by ETSI (TS 102 825). Marc Jeffrey explained the key advantages of DVB-CPCM as a complete system for managing content in a multi-device networked environment. DVB-CPCM manages content from acquisition until final consumption (or export), in accordance with the particular usage rules of that content. DVB-CPCM facilitates interoperability of such content by networked consumer devices for both home networking and remote access.

The European Commission's new Action Plan on e-signatures and e-identification - Gérard Galler, Policy Officer, European Commission, Information Society & Media DG. Gérard Galler pointed out that on 28 November 2008 the European Commission adopted an Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market. Public authorities offer more and more public services by electronic means, for example public procurement, but the implementation mostly focuses on national needs and means. This approach risks creating new ‘e-barriers’ to cross-border markets. The Action Plan seeks an EU-wide solution to the cross-border use of online public services, proposing a comprehensive approach and committing to quick delivery dates. It aims to assist Member States in implementing mutually recognised and interoperable electronic signature and electronic identification solutions. Gérard Galler provided details of the Action Plan and outlined the EU-related undertakings, including the CROBIES study (Cross-Border Interoperability of eSignatures), which is expected to deliver input on most of the technical issues raised in the Action Plan.

Making Better Security Standards - Scott Cadzow / Steve Randall, ETSI STF 356. Scott Cadzow stressed that one of the keys to effective standardisation is rigour, and this is as true for security as it is for any other standards area. Over the past 15 years ETSI’s members have developed a very large number of security standards across a range of technologies, including TETRA, DECT, 2G and 3G, and the NGN, and have a long and successful history in cryptographic development through SAGE. In the same period a number of guidance documents have been written to help guide the next generation of developers, but these have often been discarded, or lost in the volume of ETSI’s output. The “Making Better Standards” initiative in ETSI TC MTS has for a number of years guided developers of protocol specifications and test specifications in making high-quality standards. This has now been extended to the security field, with a view to providing a path to the development of high-quality, highly assured security solutions in ETSI standards. Scott Cadzow explained the key steps in making better security standards and the ETSI web-site that supports this goal. The resulting structure for developing security standards, when followed, should lead to deployable systems with a high assurance of security under fully documented conditions, and thus act as a significant input to the “Design for Assurance” paradigm that is key to assurance evaluation programmes such as Common Criteria.

Identity management - Mike Harrop, The Cottingham Group, Canada. Mike Harrop stressed that Identity Management (IdM) is a topic of growing importance. Many organizations are promoting IdM solutions, and both ISO and ITU-T are focusing on IdM in their security standardization work. However, the topic is not without controversy and there are some significant differences of opinion regarding the work. Some of the approaches are starting to diverge. In addition, the work is being driven by a number of interests that are not wholly aligned, and insufficient attention is being given to the implications for personal privacy. His presentation reviewed the context of the identity management work, provided an overview of the work in progress, addressed the motivations of the participating organizations, and discussed the implications for personal privacy.


Session 5: NGN Security and Data Retention Chair: Judith E.Y. Rossebø, ETSI TISPAN WG7 Chairman, Telenor R&I

NGN Security standards for Fixed-Mobile Convergence - Judith E.Y. Rossebø, ETSI TISPAN WG7 Chairman, Telenor R&I. Judith E.Y. Rossebø explained that TISPAN is the ETSI technical body responsible for fixed network standardisation, including the development of next generation networks (NGN), and is addressing the convergence of fixed and wireless networks. There is a strong emphasis on security on a managed IP network and on regulatory compliance on issues such as Lawful Intercept, number portability and emergency services. TISPAN_NGN provides a set of implementable NGN specifications that are being used by industry to build the NGN. The main features are: the Core IP Multimedia Subsystem (IMS) (which is standardized by 3GPP) and its relationship to other TISPAN NGN components, the Network Attachment Subsystem (NASS), the Resource and Admission Control Subsystem (RACS), the PSTN/ISDN Emulation Subsystem (PES) and PSTN/ISDN Simulation Services (PSS), and the IPTV subsystem (including IMS-based IPTV). TISPAN is currently working on the TISPAN NGN Release 3 specifications. The new work includes: evolution of NASS, including additional access technologies; evolution of RACS, to provide resource control in the core; requirements for FMC; and elaboration of requirements and network capabilities to support IPTV services. For TISPAN NGN Release 3, TISPAN WG7 is applying the methods developed by STFs 268, 292, 329 and 330, which build on the guidance given in MTS and are designed to raise the quality of standards and, in the security arena, to raise the level of assurance in the security given by the standardised security measures.
The output of STF329 is intended to ensure that guidance for the use of ISO/IEC 15408-2 is available to ETSI developers and to assist WG7 specifically, and the TISPAN NGN project in general, in providing a rationale for every security decision, so that the Common Criteria guidance is engineered into all WG7 and NGN deliverables that may be subject to evaluation at some time. STF329 has provided support to the TISPAN NGN project on the engineering of security requirements and has contributed to the WG7 TISPAN NGN Release 2 deliverables. TISPAN Working Group (WG) 7 is responsible for the management and co-ordination of the development of security specifications for the NGN project. The security standards for TISPAN Release 2 include security requirements and architecture for IPTV, business communication, customer networks, and for RACS and its supporting technologies. TISPAN WG7 continues to cooperate with 3GPP to coordinate the Common IMS evolution and resolve issues; where applicable, TISPAN re-uses 3G specifications. Ongoing activities: for Lawful Interception and data retention, TISPAN WG7 is identifying the appropriate interfaces, reference points and entities in the NGN architecture, and it is working to support emergency communication from citizen to authority within the NGN architecture. Other ongoing work includes a feasibility study on the IPTV security architecture, work on a schematic overview of the NGN security architecture, and a technical specification on how to counteract Unsolicited Communications (UC) in the NGN.

NGN access networks (in)security, Security proposal for NGN standardization - Paolo De Lutiis, Telecom Italia. Paolo De Lutiis described practical vulnerabilities and proposed possible countermeasures that would enable safer Next Generation Access Network (NGAN) deployment through specific security mechanisms to be added to the already defined ITU-T standards. He reported that the ITU-T G.984.x series is currently defining security mechanisms for Gigabit Passive Optical Network (GPON) NGANs, and provided a threat analysis of GPON and ITU-T G.984.x, describing examples (with specific use cases) of insecurity and listing the main security threats and related risks to which GPON-based NGANs are subject. Finally, he proposed possible countermeasures to fill the security gaps in the current specifications in order to better address the identified vulnerabilities. Such countermeasures should permit the operator to better control its NGAN, limiting the impact of security attacks against its infrastructure while providing a trusted access environment to its customers.

Data retention and lawful interception - Peter van der Arend, ETSI TC LI Chairman. Peter van der Arend provided an overview of the work of ETSI TC Lawful Interception (LI), which covers both Lawful Interception and Retained Data (RD). He gave some background on TC LI and briefly explained its structure and working practices. He explained that TC LI produces reports and specifications mostly focused on the Handover Interface (from the operator to the authorised organisation) for LI and RD. TC LI actively promotes ETSI Lawful Interception and Data Retention standards globally amongst operators and national bodies. Peter van der Arend gave an overview of the large and increasing participation in the work of TC LI (including Law Enforcement Agencies, government organisations, research organisations, communication service providers and manufacturers), which has also led to several new ETSI members joining. Peter van der Arend explained that the work on Retained Data follows Directive 2006/24/EC on Data Retention, adopted by the European Parliament and the Council of the European Union on 15 March 2006, which states that data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks must be retained. This work has led to the publication of TS 102 656 (Requirements of LEAs for handling Retained Data) and TS 102 657 (Handover Interface for the request and delivery of Retained Data). In addition, an LI and RD security report has been produced: TR 102 661 (Security Framework in Lawful Interception and Retained Data environment).


Finally, Peter van der Arend provided some technical details of the TC LI work, and highlighted that TC LI keeps a close working relationship with the EC Experts Group “The Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime”, will maintain the Retained Data standards, can organise an interoperability test if required, and is encouraging widespread use of the ETSI RD standards.


Session 6: Metrics Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert

Implementation of a security metrics dashboard in Telefónica España - Vicente Segura, Technology Specialist in Information Security, Telefónica. Vicente Segura pointed out that it is essential to measure security in order to manage it properly. Knowing the security position, analysing its evolution and comparing the security levels of different areas of the organization is a must in order to plan, monitor and evaluate information security strategies. Telefónica España has recently deployed a security metrics dashboard in order to measure and monitor security controls and evaluate its compliance with international security standards and internal regulations. The first difficulty when implementing this kind of system is the collection of the information or measures needed to calculate the metrics. Usually the information is scattered all over the organization's infrastructure, so there are different information sources, each of which probably has to be handled in a different way. To deal with those different sources, a mechanism is needed that allows security measures to be configured and extracted easily. The second difficulty is related to the different ways in which each company is organized. The interest is in measuring security aspects of an area or of the entire organization, but information can only be extracted from the components it is composed of, such as systems, services and business processes. Therefore, a process is needed to transform the security measures of those components into security metrics for the area or the organization. Vicente Segura explained the objectives of the security metrics dashboard developed at Telefónica España, the difficulties faced during its design and deployment, and the solution implemented to overcome them.
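Added illustration of the two difficulties just described (heterogeneous measure sources, and turning component measures into area-level metrics); this is example code written for this report, not Telefónica's dashboard. The source exports, component names and the organisational tree are constructed.

```python
"""Security metrics roll-up: from scattered component measures to area-level metrics.

Constructed example: collectors normalise each source into per-component
measures in [0, 1]; the organisation tree then aggregates them per area.
"""
import csv
import io
import json

# --- Difficulty 1: measures live in heterogeneous sources, each needing its own collector
# Constructed sample: a patch-management CSV export, one row per system.
PATCH_CSV = """system,missing_critical_patches
web-01,0
web-02,3
db-01,0
mail-01,1
"""

# Constructed sample: a JSON export from an account-review tool, one record per service.
ACCESS_JSON = """[
  {"service": "webshop", "accounts": 120, "accounts_reviewed": 120},
  {"service": "billing", "accounts": 40,  "accounts_reviewed": 10},
  {"service": "mail",    "accounts": 300, "accounts_reviewed": 240}
]"""


def collect_patch_measures(text):
    """CSV collector: a system measures 1.0 when no critical patch is missing, else 0.0."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["system"]: 1.0 if int(r["missing_critical_patches"]) == 0 else 0.0 for r in rows}


def collect_access_measures(text):
    """JSON collector: fraction of a service's accounts that went through review."""
    return {r["service"]: r["accounts_reviewed"] / r["accounts"] for r in json.loads(text)}


# One collector per source; supporting a new source means registering one more function.
COLLECTORS = {
    "patch_compliance": collect_patch_measures,
    "access_review": collect_access_measures,
}

# --- Difficulty 2: metrics are wanted per area, but measures exist only for components
# Constructed hierarchy: area -> business process -> list of services/systems (the leaves).
ORG_TREE = {
    "Retail": {"Online sales": ["webshop", "web-01", "web-02", "db-01"]},
    "Corporate": {"Messaging": ["mail", "mail-01"]},
}


def _leaf_values(node, measures):
    """All measures found below a node; leaves with no measure for this metric are skipped."""
    if isinstance(node, dict):
        return [v for child in node.values() for v in _leaf_values(child, measures)]
    return [measures[leaf] for leaf in node if leaf in measures]


def _all_leaves(node):
    """Every component name placed somewhere in the tree."""
    if isinstance(node, dict):
        return {leaf for child in node.values() for leaf in _all_leaves(child)}
    return set(node)


def rollup(tree, measures):
    """Map each area and process name to the mean of the measures below it (None if no data)."""
    result = {}

    def visit(name, node):
        values = _leaf_values(node, measures)
        result[name] = round(sum(values) / len(values), 3) if values else None
        if isinstance(node, dict):
            for child_name, child in node.items():
                visit(child_name, child)

    for area, processes in tree.items():
        visit(area, processes)
    return result


def unmapped_components(tree, measures):
    """Components that report a measure but are not placed in the tree: they would be lost silently."""
    return set(measures) - _all_leaves(tree)


def build_dashboard(sources, tree=ORG_TREE):
    """Run each collector over its raw export, then roll the metric up the organisation tree."""
    return {metric: rollup(tree, COLLECTORS[metric](raw)) for metric, raw in sources.items()}


if __name__ == "__main__":
    dashboard = build_dashboard({"patch_compliance": PATCH_CSV, "access_review": ACCESS_JSON})
    for metric, per_node in dashboard.items():
        print(metric, per_node)
    print("unmapped:", unmapped_components(ORG_TREE, collect_access_measures(ACCESS_JSON)))
```

The unmapped-component check matters in practice: a service that reports measures but is missing from the hierarchy drops out of every area metric without any error.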

A Security Assurance metrics modelling, to holistically evaluate and assess the Security Level of an organization - Professor Solange Ghernaouti-Hélie, Faculty of Business & Economics, and Igli Tashi, Postgraduate Research and Teaching Assistant, University of Lausanne. Igli Tashi explained that the assurance concept is an important subject of discussion when dealing with the evaluation and perception of the information security level. Several concepts that are subject to perception, behaviour and qualitative evaluation, such as confidence and trust, are related to security assurance. Since it is difficult to identify the weakest link in a system as complex as information security, the assessment should be made in a holistic manner. Igli Tashi discussed the concepts of confidence and trust in order to point out some logical and pragmatic elements for evaluating the security assurance level within an organization. He proposed a structural model based on best practices and current practices, with the goal of assessing security holistically by incorporating the technical, organizational, human and legal aspects of information security. The proposed model aims to be usable for different organizational structures under different business situations.


Session 7: R & D Chair: Scott Cadzow, Cadzow Communications

The INTERSECTION Vulnerability Database - Salvatore D'Antonio, Unina. Salvatore D’Antonio explained that INTERSECTION (INfrastructure for heTErogeneous, Resilient, SEcure, Complex, Tightly Inter-Operating Networks) is a European co-funded project in the area of secure, dependable and trusted infrastructures. The main objective of INTERSECTION is to design and implement an innovative network security framework which comprises different tools and techniques for intrusion detection and tolerance. One of the framework components is the vulnerability database, which stores information about design vulnerabilities of heterogeneous and interconnected networks. Design vulnerabilities differ from the implementation vulnerabilities (i.e. application faults) on which the NVD (National Vulnerability Database) is focused. The INTERSECTION Vulnerability Database is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards: Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE) and Common Vulnerability Scoring System (CVSS). The use of such standards enables automated vulnerability management, measurement and policy compliance evaluation, and allows the INTERSECTION vulnerability database to interoperate with other databases such as the NVD and OSVDB (Open Source Vulnerability Database).

ICT standardisation in UAV-systems - André Hermanns, Chair of Innovation Economics, Technische Universität Berlin. André Hermanns reported that the research project AirShield is funded by the national Security Research Program of the German Federal Government and is managed by the German Federal Ministry of Education and Research. AirShield aims to develop an autonomous drone swarm carrying a variety of remote sensor systems for inspecting large-scale hazards. Sensor data shall be used to forecast the future direction of emissions and fall-out, in order to initiate and adapt the necessary countermeasures. André Hermanns’ presentation highlighted the importance of standards in providing rescue and security organisations with compatible, easy-to-use UAVs of high quality. Standardisation aspects will be applied to: drone, sensor and communications hardware and software; testing, assembly and standard operating procedures; and data, e.g. for geo-information, and terminology. André Hermanns explained the importance of establishing a lead market for safety and security technology, using standards in innovation and procurement processes as an instrument of technology transfer. In this context, the EU Lead Market Initiative from December 2007 and the ESRIF proposal of an EU Security Label from September 2008 were assessed. Finally, he highlighted the possible role of standards in establishing and increasing public and user acceptance of safety and security technology.


Ontology- and Bayesian-based Information Security Risk Management - Edgar Weippl, Science Director, and Stefan Fenz, Security Research Austria. Stefan Fenz explained the motivations which led to the work on Ontology- and Bayesian-based Information Security Risk Management: almost every business decision is based on electronically stored information; information security is crucial for ensuring long-term business success; and information security risk management has been an issue since the 1970s but is still linked to several problems. He explained in some detail the approaches assessed for this work, including: System Characterization (inventory and determination of acceptable risk levels); Threat and Vulnerability Assessment (determination of potential threats and corresponding vulnerabilities); Risk Determination (Threat Probability x Impact); Control Identification (identification of risk-reducing controls); and Control Evaluation and Implementation (cost/benefit analysis). Finally Stefan Fenz highlighted that incomplete knowledge is one of the main problems in information security risk management. In this context, the AURUM method he described enables organisations to automatically map general information security knowledge to their infrastructures, to quantify their current security status comprehensibly, and to automatically check the organization’s compliance with existing best-practice guidelines and information security standards. At the same time, further research is needed in order to minimize the limitations of the method, such as the fact that Bayesian threat probability determination depends on realistic input values which are not always available.

Content Tag Security - Shahriar Pourazin, Sepehr S. T. Co. Ltd. Shahriar Pourazin highlighted that digital broadcasting companies may soon deliver their content through Internet Service Providers (ISPs), mobile companies and fixed-line telecom companies. This lets viewers have more options and better access to content. It will soon be possible to have standard content classifications that let users ask for content from a class instead of searching blindly within large amounts of content. Each standard content class should have a tag pointing to a specific entry within the ontology of contents. The problem once this is implemented will be how to securely bind the tag to the content. In such a scenario the receiver may claim to have received lower-cost content while the transmitter may claim to have sent more expensive content. This poses the following questions. How could their claims be checked? A content tag might be removed and replaced with the tag of a free content. Who will register the transmission? Is it necessary to force the mobile phone equipment to check the integrity of the content and the tag? Can mobile operators check whether handsets have been hacked? Should the content switching companies check content-tag integrity? Should they handle some sort of roaming? Finally Shahriar Pourazin presented a proposal for binding content with its related class, coded as a tag. The proposal is intended to help content providers deliver their content safely.
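One way to approach the tag-binding and dispute questions above, as an added example that is not Sepehr's proposal: a registrar trusted by both parties (a hypothetical role, one answer to "who will register the transmission?") keys an HMAC over the tag and a hash of the content and logs each registration, so a stripped or swapped tag fails verification and conflicting claims are settled from the log. The key, tags and content below are constructed.

```python
"""Binding a content-class tag to the content it describes.

Hypothetical scheme for illustration: token = HMAC(registrar key, tag || SHA-256(content)).
Not Sepehr's design; key, tags and content are constructed.
"""
import hashlib
import hmac
import os


def canonical(tag, content_digest):
    """Length-prefix the tag so that no two (tag, digest) pairs encode to the same bytes."""
    tag_bytes = tag.encode("utf-8")
    if len(tag_bytes) > 0xFFFF:
        raise ValueError("tag too long")
    return len(tag_bytes).to_bytes(2, "big") + tag_bytes + content_digest


class Registrar:
    """Registers transmissions and later answers 'which tag went with this content?'."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)   # constructed: a real registrar would protect this key
        self._log = {}                      # token -> (tag, content digest)

    def _token(self, tag, digest):
        return hmac.new(self._key, canonical(tag, digest), hashlib.sha256).digest()

    def register(self, tag, content):
        """Called by the transmitter before sending; the token travels with the content."""
        digest = hashlib.sha256(content).digest()
        token = self._token(tag, digest)
        self._log[token] = (tag, digest)
        return token

    def verify(self, tag, content, token):
        """Check that this tag and this content are exactly what the token was issued for."""
        expected = self._token(tag, hashlib.sha256(content).digest())
        return hmac.compare_digest(expected, token)

    def resolve_dispute(self, token, content, transmitter_claim, receiver_claim):
        """Settle conflicting tag claims from the registrar's own record of the transmission."""
        record = self._log.get(token)
        if record is None:
            return "unregistered"
        tag, digest = record
        if not hmac.compare_digest(digest, hashlib.sha256(content).digest()):
            return "content-mismatch"
        tx_ok, rx_ok = tag == transmitter_claim, tag == receiver_claim
        if tx_ok and rx_ok:
            return "agree"
        if tx_ok:
            return "transmitter"
        if rx_ok:
            return "receiver"
        return "neither"


if __name__ == "__main__":
    registrar = Registrar()
    content = b"constructed sample of a premium broadcast"
    token = registrar.register("premium/sports", content)
    print(registrar.verify("premium/sports", content, token))   # True
    print(registrar.verify("free/news", content, token))        # False: tag swapped for a free class
    print(registrar.resolve_dispute(token, content, "premium/sports", "free/news"))  # transmitter
```

Because the HMAC key stays with the registrar, a handset can only verify through the registrar; a digital signature over the same canonical bytes would let handsets verify offline against the registrar's public key.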


Panel discussion and Conclusions: Priorities for security standardization. Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert. With: Mike Harrop, ITU-T Rapporteur SG17 Q4, Communication Security Project; Klaus Keus, Dipl. Mathematician, JRC IPSC; Claire Vishik, Security & Privacy Standards & Policy Manager, INTEL.

Background. Carmine Rizzo led the final discussion among a panel of experts (Mike Harrop, Klaus Keus and Claire Vishik) and the workshop participants. The experts introduced the suggested topics of discussion through brief presentations. The main topics included:

• prioritization of ICT standardization efforts: what areas should be (or should not be) addressed by standardization, especially when faced with a global economic downturn that is forcing organizations to optimize the utilization of their resources;

• the need to address citizens’ security and privacy in current and emerging standards, including those relating to identity management;

• the need to evaluate the use of standards and the need to assess the effectiveness of their implementation for business purposes: who should do it and how (e.g. metrics on the standards themselves).

Prioritization. It was stressed that it is very important for standardization bodies to perform a careful assessment of the need and uses for each proposed standard before embarking upon development, in order to justify the utilization of resources. For example: is the need for a specific standard supported across a broad community of interest? Is there a real demand for the standard and the technology it covers? What constituency is the standard intended to serve? Who will use it? Are the resources available to develop the standard, and will those resources constitute a representative cross-section of the community of interest? (There is usually little point in developing a standard if only one or two organizations are sufficiently interested to commit resources to it.) The clear feeling is that this is an area where improvement is needed: standardization bodies need to match standard development plans with adoption prospects, and efforts should be coordinated among bodies in order to prioritize standardization work and avoid duplication of effort. Topics on which ICT security standardization should focus include areas where systems interconnect or interact, including networked critical infrastructures, public safety communications and areas that involve the electronic storage or exchange of personal information. Standardization should not be viewed in isolation but rather as part of a process that includes research, development, implementation and maintenance, and there needs to be more flexibility in the standardization processes (e.g. by using special interest groups to develop and promote ideas and concepts). In addition, it was suggested that key elements and interfaces should be standardized, but that standards should not be so prescriptive as to eliminate choice in implementations. Standards should reduce the selection factor, not eliminate it completely, so that implementers are able to exercise creativity while designing products that meet the standard, and users are able to choose the implementation that best fits their needs.

Privacy. The discussion indicated that standards currently suffer from insufficient attention to the issue of privacy. For example, while the work done so far on identity management is beginning to address some of the issues of managing personally identifiable information, it does not yet address the broader implications for the privacy of the citizen. (There is much more to privacy than personally identifiable information, for example the potential for tracking without identification, or the re-identification of individuals through the aggregation and analysis of multiple resources.) There is considerable potential for information to be collected inappropriately or unnecessarily. In such a scenario, with, for example, identity brokers/providers handling information to serve diverse needs and interests, aggregation becomes a major threat. Identity brokers holding large amounts of private information could become prime targets of attacks, and such information may be held in jurisdictions that are beyond the reach of existing privacy legislation. At the same time it was pointed out that many people do not pay enough attention to their own privacy, e.g. by providing personal information too freely and without considering how it will be used. Nevertheless, collected information is, in many countries, covered by privacy laws and regulations. Governments should continue to adopt measures to protect the privacy of their citizens, as the average user cannot realistically be expected to have the technical knowledge and expertise to manage his/her own privacy effectively. ICT standardization needs to tackle these issues, firstly by clearly recognizing the need to address privacy aspects, and then by embedding them into standards from the very beginning. Privacy must be built into standards, not regarded as an afterthought. Although several groups/bodies are working on aspects of privacy, which makes the entire subject matter less “manageable”, it was observed that it is unrealistic, and probably not advisable, to try to centralize privacy efforts within any one standardization body. Attempting to do so could create conflicts of interest and lead to recommendations that are too broad to be actionable.


Evaluation

A strong need for metrics in IT security and related standards was recognized. The decision to develop some standards but not others should not be based on their “attractiveness” or on the degree of interest of the subject matter experts, but on measurable criteria which would establish cost-effective methods to evaluate final products in the implementation phase. This would provide more reliable means for organisations to build their business cases to participate in the development of security standards and to promote their use on the market. In addition, there needs to be some follow-up or review after a standard has been developed, to assess whether it has met the original objectives, whether it is actually being used to the extent anticipated and, if not, why not. A way forward could be to establish a consortium of stakeholders, users and standardization bodies to work towards the creation of a seal of approval for products, services and processes that meet predefined criteria. Security standards developed according to the criteria could permit implementers to apply such a seal to their products. The evaluation of the effectiveness of security standards needs to be based ultimately on the effectiveness of the security measures in the implemented products using those standards. This implies the need to enhance testing efforts in terms of standards conformity and interoperability. It is recognized that the area of ICT security standards metrics/evaluation is an open issue which needs much additional research by standardization bodies and stakeholders.


Workshop Closure

Carmine Rizzo closed the Workshop by thanking panel experts, speakers, session Chairs, and participants for their contributions towards a successful 4th ETSI Security Workshop. Special thanks to Nathalie Guinet, ETSI, for her great support throughout the entire process. Finally, Carmine Rizzo sent his greetings and best wishes to Charles Brookson, who could not be at this Workshop for very unfortunate reasons.

To be confirmed:

5th ETSI Security Workshop

ETSI, Sophia Antipolis, France

January 2010