Presentation on theme: "Security Standardization in ITU-T"— Presentation transcript:
1 Security Standardization in ITU-T Herbert BertineCo-Chairman ITU-T Study Group 17Ninth Global Standards Collaboration (GSC-9) Meeting – Seoul Korea, 9-13 May 2004
2 ITU Plenipotentiary Conference 2002 Resolution PLEN/2 - Strengthening the role of ITU in information and communication network securityresolvesto review ITU's current activities in information and communication network security;to intensify work within existing ITU study groups in order to:a) reach a common understanding on the importance of information and communication network security by studying standards on technologies, products and services with a view to developing recommendations, as appropriate;b) seek ways to enhance exchange of technical information in the field of information and communication network security, and promote cooperation among appropriate entities;c) report on the result of these studies annually to the ITU Council.
3 ITU-T Study Groups http://www.itu.int/ITU-T/ SG Operational aspects of service provision, networks and performanceSG Tariff and accounting principles including related telecommunications economic and policy issuesSG Telecommunication management, including TMNSG Protection against electromagnetic environment effectsSG Outside plantSG Integrated broadband cable networks and television and sound transmission SG Signalling requirements and protocolsSG End-to-end transmission performance of networks and terminalsSG Multi-protocol and IP-based networks and their internetworkingSG Optical and other transport networksSG Multimedia services, systems and terminalsSG Data networks and telecommunication softwareSSG Special Study Group "IMT-2000 and beyond"TSAG Telecommunication Standardization Advisory GroupCoordination role and focusSG17 Data networks and software for TelecommunicationCoveredSG 2 Operational aspects of service provision, networks and performanceSG 9 Integrated broadband cable networks and television and sound transmission SG 13 Multi-protocol and IP-based networks and their internetworkingSG 16 Multimedia services, systems and terminalsNo timeSG 4 Telecommunication management, including TMNSG 5 Protection against electromagnetic environment effectsSG 6 Outside plantSSG Special Study Group "IMT-2000 and beyond"
4 ITU-T Security Manual December 2003 Basic security architecture and dimensionsVulnerabilities, threats and risksSecurity framework requirementsPKI and privilege management with X.509Applications (VoIP, IPCablecom, Fax, Network Management, e-prescriptions)Security terminologyCatalog of ITU-T security-related RecommendationsList of Study Groups and security-related Questions
5 ITU-T Security Building Blocks Security Architecture FrameworkX.800–Security architectureX.802–Lower layers security modelX.803–Upper layers security modelX.805–Security architecture for systems providing end-to-end communicationsX.810–Security frameworks for open systems: OverviewX.811–Security frameworks for open systems: Authentication frameworkX.812–Security frameworks for open systems: Access control frameworkX.813–Security frameworks for open systems: Non-repudiation frameworkX.814–Security frameworks for open systems: Confidentiality frameworkX.815–Security frameworks for open systems: Integrity frameworkX.816–Security frameworks for open systems: Security audit and alarms frameworkNetwork Management SecurityM.3010–Principles for a telecommunications management networkM.3016–TMN Security OverviewM –TMN management services for IMT-2000 security managementM.3320–Management requirements framework for the TMN X-InterfaceM.3400–TMN management functionsSystems ManagementX.733–Alarm reporting functionX.735–Log control functionX.736–Security alarm reporting functionX.740–Security audit trail functionX.741–Objects and attributes for access controlFacsimileT.30 Annex G–Procedures for secure Group 3 document facsimile transmission using the HKM and HFX systemT.30 Annex H–Security in facsimile Group 3 based on the RSA algorithmT.36–Security capabilities for use with Group 3 facsimile terminalsT.503–Document application profile for the interchange of Group 4 facsimile documentsT.563–Terminal characteristics for Group 4 facsimile apparatusProtocolsX.273–Network layer security protocolX.274–Transport layer security protocolSecurity in Frame RelayX.272–Data compression and privacy over frame relay networksTelevisions and Cable SystemsJ.91–Technical methods for ensuring privacy in long-distance international television transmissionJ.93–Requirements for conditional access in the secondary distribution of digital television on cable television systemsJ.170–IPCablecom security specificationSecurity TechniquesX.841–Security information objects for access controlX.842–Guidelines for the use and management of trusted third party servicesX.843–Specification of TTP services to support the application of digital signaturesMultimedia CommunicationsH.233–Confidentiality system for audiovisual servicesH.234–Encryption key management and authentication system for audiovisual servicesH.235–Security and encryption for H-series (H.323 and other H.245-based) multimedia terminalsH.323 Annex J–Packet-based multimedia communications systems – Security for H.323 Annex F (Security for simple endpoint types)H.350.2–Directory services architecture for H.235H.530–Symmetric security procedures for H.323 mobility in H.510Directory Services and AuthenticationX.500–Overview of concepts, models and servicesX.501–ModelsX.509–Public-key and attribute certificate frameworksX.519–Protocol specifications
6 ITU-T Study Group 17Lead Study Group for Communication System SecurityCoordination/prioritization of security effortsDevelopment of core security RecommendationsLed ITU-T Workshop on Security May 2002Security requirements and telecommunication reliabilityHot topics on IP-based network securitySecurity managementBiometric authenticationInitiated the ITU-T Security ProjectProvide vision and direction for future workReflect situation of current work
8 ITU-T SG 17 Security Focus Public Key and Attribute Certificate Frameworks (X.509) Revision 2005Ongoing enhancements as a result of more complex usesSecurity Architecture (X.805) Approved 2003For end-to-end communicationsSecurity Management System (X.1051) NewFor risk assessment, identification of assets and implementation characteristicsMobile Security (X.1121 and X.1122) NewFor mobile end-to-end data communicationsTelebiometric Multimodal Model (X.1081) NewA framework for the specification of security and safety aspects of telebiometricsSecurityAuthentication - to know who is accessing your dataPrivacy - to protect your data from intrusionEncryption - to secure the data from misuse or abuseBiometrics - 'what you are‘replace ‘what you know' - items, such as PIN numbersaugment 'what you have‘ - forms of identification, such as cardsX.509Public-key and attribute certificate frameworksX.842Guidelines for the use and management of Trusted Third Party servicesX.843Specification of TTP services to support the application of digital signaturesRecommendation X.509Information technology - The Directory: Public-key and attribute certificate frameworksThis Recommendation defines a framework for public-key certificates and attribute certificates. These frameworks may be used to profile application to Public Key Infrastructure (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation defines a framework for the provision of authentication services by Directory to its users. It describes two level of authentication: simple authentication, using a password as a verification of clamed identity; and strong authentication, involving credentials formed using cryptographic techniques.ApprovedInformation technology – Security techniques – Guidelines for the use and management of Trusted Third Party servicesThis Recommendation provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. This Recommendation identifies different major categories of TTP services including time stamping, non-repudiation, key management, certificate management, and electronic notary public.Q13/7Information technology – Security techniques – Specification of TTP services to support the application of digital signaturesThis Recommendation defines the services required to support the application of digital signatures for non repudiation of creation of a document. Since this implies integrity of the document and authenticity of the creator, the services described can also be combined to implement integrity and authenticity services.
9 X.805: Security Architecture for End-to-End Communications 3 Security layers3 Security PlanesVulnerabilities can exist in each Layer, Plane and Dimension72 Security Perspectives (3 Layers 3 Planes 8 Dimensions)X.805
11 ITU-T X.805 X.805 Provides A Holistic Approach: Comprehensive, End-to-End Network View of SecurityApplies to Any Network TechnologyWireless, Wireline, Optical NetworksVoice, Data, Video, Converged NetworksApplies to Any Scope of Network FunctionService Provider NetworksEnterprise NetworksGovernment NetworksManagement/Operations, Administrative NetworksData Center NetworksCan Map to Existing StandardsCompletes the Missing Piece of the Security Puzzle of what to do nextX.805
12 Security ManagementRequirements for Telecommunications of Information Security Management System (T-ISMS)- specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the telecommunication’s overall business risks.- leverages ISO/IEC 17799:2000, Information technology, Code of practice for information security management- based on BS :2002, Information Security Management Systems — Specifications with Guidance for useX.1051
13 Information Security Management Domains defined in ISO/IEC 17799
14 Information Security Management System ISMSInformation Security Management SystemOrganizational securityAsset managementPersonnel securityPhysical and environmental securityCommunications and operations managementAccess controlSystem development and maintenanceX.1051
15 Mobile Security X.1121 X.1122 Multi-part standard Framework of security technologies for mobile end-to-end data communications - describes security threats, security requirements, and security functions for mobile end-to-end data communication- from the perspectives of the mobile user and application service provider (ASP)Guideline for implementing secure mobile systems based on PKI- describes considerations of implementing secure mobile systems based on PKI, as a particular security technologySecurity Policy (under development)- different quality of security service needs to satisfy various requirements of security services of both user and ASPX.1121X.1122
16 Security framework for mobile end-to-end data communications Mobile NetworkOpen NetworkData communicationApplication Server(ASP)Mobile Terminal(Mobile User)General Communication FrameworkGateway FrameworkMobile Security GatewaySecurity threatsRelationship of security threats and modelsSecurity requirementsRelationship of security requirements and threatsSecurity functions for satisfying requirementsX.1121
17 X.1122 Secure mobile systems based on PKI General Model Gateway Model Mobile NetworkOpen NetworkApplication Server(ASP)Mobile Terminal(Mobile User)Mobile User VAASP’s VAMobile user’s side CACARARepositoryASP’s side CAGeneral ModelASP Application Service ProviderCA Certification Authority RA Registration AuthorityVA Validation AuthorityMobile NetworkOpen NetworkApplication Server(ASP)Mobile Terminal(Mobile User)Mobile User VAASP’s VAMobile user’s side CACARARepositoryASP’s side CAGateway ModelX.1122
18 TelebiometricsA model for security and public safety in telebiometrics that can -assist with the derivation of safe limits for the operation of telecommunications systems and biometric devicesprovide a framework for developing a taxonomy of biometric devices; andfacilitate the development of authentication mechanisms, based on both static (for example finger-prints) and dynamic (for example gait, or signature pressure variation) attributes of a human being.A taxonomy is provided of the interactions that can occur where the human body meets devices capturing biometric parameters or impacting on the body.X.1081
19 Telebiometric Multimodal Model: A Three Layer Model the scientific layer5 disciplines: physics, chemistry, biology, culturology, psychologythe sensory layer – 3 overlapping classifications of interactionsvideo (sight), audio (sound), chemo (smell, taste), tango (touch); radio (radiation) - each with an out (emitted) and in (received) statebehavioral, perceptual, conceptualpostural, gestural, facial, verbal, demeanoral, not-a-signthe metric layer7 SI base units (m, kg, s, A, K, mol, cd)X.1081
20 Study Group 17 Security Questions Networks and Systems on Cyber Security for Telecom *Vulnerability information sharing… *Incident handling operations *Security StrategyApplications & Services Security for telecom*Mobile secure communications *Secure communication services *Security web services *X.1121, X.1122Q.IQ.LQ.JQ.HCommunication System Security *Vision, Project Roadmap, Compendia, …Q10GTelebiometrics Technology*Telebiometric Model*Telebiometric Authentication*X.1081Q.KSecurity Architecture & Framework*Architecture, Model, Concepts, Frameworks, * etc…*X.800 series *X.805Security Management*T-ISMS*Incident Management*Risk Assessment Methodology*etc…*X.1051Telecom SystemsTelecom Systems Users
21 Concluding Observations Security is everybody's businessSecurity needs to be designed in upfrontSecurity must be an ongoing effortSystematically addressing vulnerabilities (intrinsic properties of networks/systems) is key so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be – X.805 is helpful here
22 Thank You!Ninth Global Standards Collaboration (GSC-9) Meeting – Seoul, Korea, May 2004