Update on ETSI Security work

Charles Brookson OCG Security Chairman

DOCUMENT #: GSC13-PLEN-57

FOR: Information

SOURCE: Charles Brookson

AGENDA ITEM: 6.3

CONTACT(S): charles@zeata.co.uk

Submission Date:June 27, 2008

2

OCG Security (1)

• Operational Co-ordination Sub-Group on Security• Horizontal co-ordination structure for security issues

– Ensuring security is properly considered in each ETSI Technical Body (TB)

– Detecting any conflicting or duplicate work• Participation:

– TBs are free to nominate Members to participate in the work of the group

• Working methods:– Via email – When necessary co-sited “joint security” technical working

meetings– Issues sent to SECsupport@etsi.org – Mailing list: OCG_SECURITY@LIST.ETSI.ORG

3

OCG Security (2)

Security Workshop• ETSI holds an annual security workshop. The 3rd Workshop

held in January this year was well attended, and details can be found on many security issues at http://portal.etsi.org/securityworkshop/

• The next workshop is scheduled for 13th and 14th January 2009 in Sophia Antipolis, and contributions are welcome.

White Papers• The latest edition of our Security White and Product Proofing

papers giving information and all security activities can be found at: http://www.etsi.org/WebSite/technologies/WhitePapers.aspx

• The Security White paper is in the process of being updated and a new edition will be published later this year.

4

ETSI Committees per Security Areas

Mobile/Wireless Algorithms

Information TechnologyInfrastructure

Fixed and Convergent Networks

2G/3G Mobile3GPP*

ElectronicSignatures

(ESI)Next Generation

Networks(TISPAN)

LawfulInterception

(LI)

SmartCardPlatform

(SCP)

SecurityAlgorithms Group

of Experts(SAGE)

TETRA

MESA*

EMTEL

Emergency Telecommunications

Smart Cards

Mobile

Com

mer

ce**

* ETSI is a founding partner for this partnership project** Closed Committee

DECT

AT

SES

5

TETRA• TErrestrial Trunked Radio• Mobile radio communications

– Used for public safety services • Security features include:

– Mutual Authentication– Encryption– Anonymity

6

Mobile Security • IMEI (International Mobile Equipment Identity)

– Protection against theft– Physical marking of the terminal– Blacklisted by operator if stolen

• FIGS (Fraud Information Gathering System)– Monitors activities of roaming subscribers– Home network informed– Fraudulent calls identified terminated

• Priority– Public safety service – Allows for high priority access

• Location

7

Algorithms

• ETSI is a world leader in creating cryptographic algorithms and protocols to prevent fraud and unauthorised access to ICT and broadcast networks, and to protect customers’ privacy

• ETSI SAGE (Security Algorithm Group of Experts)– Centre of competence for algorithms in ETSI

• Algorithms for:– DECT– GSM, GPRS, EDGE– TETRA– UMTS– …

8

Smart Card Standardization

• ETSI Smart Card Standardization– ETSI Technical Committee Smart Card Platform

(TC SCP)– GSM SIM Cards: among most widely deployed smart cards ever– Work extended with UMTS USIM Card and UICC Platform

• Current challenges– Expand the smart card platform – Implement Extensible Authentication Protocol (EAP) in Smart Cards– Allow users access to global roaming– UICC platform in secure financial transactions over mobile

communications systems

9

Lawful Interception

• Delivery of intercepted communications to Law Enforcement Authorities– To support criminal investigation– To counter terrorism

• Applies to any data in transit• ETSI Technical Committee LI

– defines the Handover interface– from the Operator to

the Law Enforcement Authorities

10

Data Retention

• Data generated/processed in electronic communications services need to be retained– Required by EC since 2006 (Directive 2006/24/EC)

• Retention of Data is similar to LI– Concerns stored traffic, rather than traffic in transit (LI)

• ETSI TC LI currently working on three deliverables– Requirements– Specification for Handover interface– Security framework in Lawful Interception and Retained Data

environment

11

Electronic Signatures

• ETSI and CEN co-operation on the European Electronic Signature• Goal: provide Europe with a

reliable electronic signatures framework– Enabling electronic commerce– Supporting eSignature EC Directive

• Current challenges– eInvoicing– Registered EMail (REM)

• International collaboration– Certificate Policy mapped and aligned with US policy– XML Signature Standard adopted in Japan

12

Future Challenges• ETSI addressing a number of areas

• Issues on security are still open– Security Metrics

– RFID Security and Privacy

– …

• ETSI is ready to address these challenges– Supporting its Members

– Following its Members’ requirements

– Collaborating with other SDO’s