3 ITU-T Study Groups
- SG 2* Operational aspects of service provision, networks and performance
- SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
- SG 4* Telecommunication management
- SG 5 Protection against electromagnetic environment effects
- SG 6 Outside plant and related indoor installations
- SG 9 Integrated broadband cable networks and television and sound transmission
- SG 11* Signalling requirements and protocols
- SG 12 Performance and quality of service
- SG 13* Next generation networks
- SG 15 Optical and other transport network infrastructures
- SG 16* Multimedia terminals, systems and applications
- SG 17** Security, languages and telecommunication software
- SG 19 Mobile telecommunication networks
* Significant security work
** Lead Study Group on Security
4 ITU-T Security Building Blocks
- Network Management Security (M.3000-series)
- Security Architecture Framework (X.800-series)
- Security Techniques (X.841, X.842, X.843)
- Systems Management (X.733, X.735, X.736, X.740, X.741)
- Telecommunication Security (X.805, X.1000-series) (new)
- Protocols (X.273, X.274)
- Facsimile (T-series)
- NGN Security (Y.2700-series) (new)
- Televisions and Cable Systems (J-series)
- Directory Services and Authentication (X.500-series)
- Message Handling Systems (MHS) (X.400-series)
- Security in Frame Relay (X.272)
- Multimedia Communications (H-series)
5 Study Group 17: Security, languages and telecommunication software
SG 17 is the Lead Study Group on telecommunication security. It is responsible for coordination of security across all study groups.
Subdivided into three Working Parties (WPs):
- WP1 - Open systems technologies
- WP2 - Telecommunications security
- WP3 - Languages and telecommunications software
Most (but not all) security Questions are in WP2.
Summaries of all draft new or revised Recommendations under development in SG 17 are available on the SG 17 web page at
6 Working Party 2/17 Work Program
(Diagram: the WP2/17 Questions arranged along a Telecom Systems / Users axis.)
- Q.4/17 Communications System Security Project: vision, project, roadmap, …
- Q.5/17 Security Architecture and Framework: architecture, model, concepts, frameworks
- Q.6/17 Cyber Security: vulnerability information sharing…, incident handling operations, identity management
- Q.7/17 Security Management: ISMS-T, incident management, risk assessment methodology
- Q.8/17 Telebiometrics: multimodal model framework, system mechanism, protection procedure
- Q.9/17 Secure Communication Services: secure mobile communications, home network security, web services security
- Q.17/17 Countering spam by technical means: technical anti-spam measures
7 Examples of recently approved security Recommendations
- Security for the management plane: Overview, Security requirements, Security services, Security mechanism, Profile proforma
- X.509 Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks
- X.805 Security architecture for systems providing end-to-end communications
- X.893 Information technology – Generic applications of ASN.1: Fast infoset security
- X.1035 Password-authenticated key exchange (PAK) protocol
- X.1051 Information security management system - Requirements for telecommunications (ISMS-T)
- X.1081 The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics
- X.1111 Framework for security technologies for home network
- X.1121 Framework of security technologies for mobile end-to-end communications
- X.1122 Guideline for implementing secure mobile systems based on PKI
- X.1141 Security Assertion Markup Language (SAML 2.0)
- X.1142 eXtensible Access Control Markup Language (XACML 2.0)
- Y.2701 Security requirements for NGN release 1
8 Extract from current SG 17 security work program (~50 items total)
Q.   Acronym             Title or Subject
5    X.akm               Framework for EAP-based authentication and key management
6    X.1205              Overview of cybersecurity
6    X.idmf              Identity management framework
6    X.gopw              Guideline on preventing worm spreading in a data communication network
7    X.1051 (Revised)    Information security management guidelines for telecommunications based on ISO/IEC 27002
7    X.rmg               Risk management guidelines for telecommunications
8    X.bip               BioAPI interworking protocol
8    X.tai               Telebiometrics authentication infrastructure
9    X.homesec-2, 3, 4   Certificate profile for the device in the home network; User authentication mechanisms for home network service; Authorization framework for home network
9    X.msec-3            General security value added service (policy) for mobile data communication
9    X.p2p-1             Requirements of security for peer-to-peer and peer-to-multi peer communications
9    X.websec-3          Security architecture for message security in mobile web services
17   X.csreq             Requirement on countering spam
17   X.fcsip             Framework of countering IP multimedia spam
9 Study Group 13 - Question 15/13 NGN Security: work in progress
- Y.IdMsec: NGN identity management security
- Y.NGN AAA: AAA application for implementation of network and service security requirements over NGN
- Y.NGN Authentication: NGN authentication
- Y.NGN Certificate Management: NGN certificate management
- Y.SecMechanisms: NGN security mechanisms and procedures
- Y.SecReqR2: Security requirements for NGN release 2
10 Security standardization: Collaboration is key
- Specific systems, services and applications security in ITU-T are developed by SG 2, 3, 4, 5, 6, 9, 11, 13, 15, 16 and 19
- Core technology and common security techniques in ITU-T are developed by SG 17
- External partners: ISO/IEC JTC 1 SC 27, SC 37, ...; IETF; ATIS, ETSI, OASIS, etc.
11 Security standardization: Collaboration is key
- World Standards Cooperation (WSC): ISO, IEC, ITU
- Global Standards Collaboration (GSC): regional and national SDOs with ITU-T and ITU-R. Exchanges information between participating standards organizations to facilitate collaboration and to support the ITU as the preeminent global telecommunication and radiocommunication standards development organization. Resolution GSC-11/17: Cybersecurity.
- Security Standardization Exchange Network (SSEN): an informal association of individual security practitioners with direct experience of, or strong interest in, security standardization. It facilitates the informal exchange of information on security-standards-related matters to increase overall awareness of issues of common interest, with the intention of helping to advance the development of needed standards and minimizing overlap and duplication of effort in security standards development.
12 Security standardization: Collaboration is key
ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)
Terms of Reference:
- To oversee standardization activities in ISO, IEC and ITU-T relevant to the field of security
- To provide advice and guidance to the ISO Technical Management Board, the IEC Standardization Management Board and the ITU-T Telecommunication Standardization Advisory Group (TSAG) relative to the coordination of work relevant to security, and in particular to identify areas where new standardization initiatives may be warranted
- To monitor implementation of the SAG-S Recommendations
International workshop on security topics planned in conjunction with each SAG-S meeting: International Workshop on Transit Security, Washington DC, 4-5 October 2007
Security portal under development
13 Focus Group: Security Baseline for Network Operators (FG SBNO)
Established October 2005 by SG 17
Objectives:
- Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied
- Describe a network operator's readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats
- Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required
Achieved: surveyed network operators by means of a questionnaire
Next step: develop text to be proposed to SG 17 for progressing as an ITU-T publication
14 Focus Group: Identity Management (FG IdM) http://www.itu
Established December 2006 by SG 17
The objectives of the FG IdM are to perform requirements analysis based on use case scenarios, in order to identify generic IdM framework components, so that a standards gap analysis can be completed, in order to identify new standards work and the bodies (ITU and other SDOs) that should perform the work.
Working Group structure:
- Ecosystem and Lexicon Working Group
- Use Cases Working Group
- Requirements Working Group
- Framework Working Group
Aggressive schedule:
- Meetings held: February, April and May 2007; WG meeting June
- Meetings planned: July and August 2007
15 ICT Security Standards Roadmap http://www.itu
- Part 1 contains information about organizations working on ICT security standards
- Part 2 is the database of existing security standards
- Part 3 is a list of standards in development
- Part 4 identifies future needs and proposed new standards
- Part 5 includes security best practices
European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) are collaborating with ITU-T in the development of the Roadmap.
16 ICT Security Standards Roadmap http://www.itu
Part 2 currently includes ICT security standards from:
- ITU-T
- ISO/IEC JTC 1
- IETF
- IEEE
- ATIS
- ETSI
- OASIS
Data is available in a database format to allow searching by organization and topic and to allow organizations to manage their own data.
We invite you to contribute content to the Roadmap, provide feedback and help us develop it to meet your needs.
17 Other projects
Security in Telecommunications and Information Technology (ITU-T Security manual)
- Overview of existing ITU-T Recommendations for secure telecommunications
- Third edition of June 2006 to be available in the six official languages of the ITU
Security compendium
- Catalogue of approved ITU-T Recommendations related to telecommunication security
- Extract of ITU-T approved security definitions
- Summary of ITU-T Study Groups with security-related activities
18 The ITU Global Cybersecurity Gateway
LIVE at:
Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide.
19 Observations
- Security is everybody's business
- Collaboration with other SDOs is necessary
- Security needs to be designed in upfront
- Security must be an ongoing effort
- Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key, so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be
20 Some useful web resources
- ITU-T Home page
- Study Group 17
- Recommendations
- ITU-T Lighthouse
- ITU-T Workshops
21 Supplemental Information on Security Work in ITU-T
- Study Group 17 - Security, languages and telecommunication software
- Study Group 4 - Telecommunication management
- Study Group 11 - Signalling requirements and protocols
- Study Group 13 - Next generation networks
- Study Group 16 - Multimedia terminals, systems and applications
22 ITU-T SG 17 work on security
- Q.4/17 - Communications systems security project
- Q.5/17 - Security architecture and framework
- Q.6/17 - Cyber security
- Q.7/17 - Security management
- Q.8/17 - Telebiometrics
- Q.9/17 - Secure communication services
- Q.17/17 - Countering spam by technical means
23 ITU-T SG 17 Question 4: Communications Systems Security Project
- Overall security coordination
- ICT Security Standards Roadmap
- Security Compendium
- Focus Group on Security Baseline for Network Operators
- ITU-T Security manual
Efforts of Q.4/17 are covered in the main part of the presentation.
24 ITU-T SG 17 Question 5: Security Architecture and Framework
- Brief description of Q.5
- Milestones
- Draft Recommendations under development
25 Brief description of Q.5/17
Motivation
The telecommunications and information technology industries are seeking cost-effective, comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in a multi-vendor environment, network security should be designed around standard security architectures and standard security technologies.
Major tasks
- Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications, in collaboration with other Standards Development Organizations and ITU-T Study Groups.
- Maintenance and enhancement of Recommendations in the X.800 series: X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816, X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843
26 Q.5/17 Milestones
- ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-end Communications. Approved in 2003.
- ISO/IEC Standard, Network security architecture. Developed in collaboration between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG 1; it is technically aligned with X.805. Published in 2006.
- ITU-T Recommendation X.1035, Password-authenticated key exchange (PAK) protocol. Specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange. Approved in 2006.
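The X.1035 entry above describes what a password-authenticated key exchange has to achieve: a Diffie-Hellman exchange in which each side proves knowledge of the shared password before the symmetric key is used. The following Python block is an added example written for this page; it is not the X.1035 text nor ITU-T code. It shows a simplified PAK-style exchange in which the initiator blinds its DH value with a password-derived factor and both sides exchange confirmation hashes. The group (a 127-bit prime), the hash construction, the identity strings and the message layout are this example's own assumptions, chosen for readability, not the parameters or encoding of X.1035.

```python
# Added example (not from the ITU-T presentation and not the X.1035 text):
# a simplified PAK-style password-authenticated Diffie-Hellman exchange.
# The identities, hash construction, group and message layout are this
# example's own choices, made to show the idea, not the X.1035 encoding.
import hashlib
import hmac
import secrets

# Toy group (assumption): a 127-bit Mersenne prime keeps the numbers readable.
# A deployment would use a standardized 2048-bit MODP group instead.
P = (1 << 127) - 1
G = 3


def _h(tag, *parts):
    """Domain-separated SHA-256 over length-prefixed parts (ints are big-endian)."""
    h = hashlib.sha256(tag)
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def _blind(a_id, b_id, password):
    """Password-derived blinding factor in [1, P-1] (the role of H1 in PAK)."""
    return int.from_bytes(_h(b"\x01", a_id, b_id, password), "big") % (P - 1) + 1


class Initiator:
    """Party A: blinds its DH value with the password, then checks B's confirmation."""

    def __init__(self, a_id, b_id, password):
        self.a_id, self.b_id, self.pw = a_id, b_id, password
        self.r = secrets.randbelow(P - 2) + 1
        self.g_r = pow(G, self.r, P)
        self.key = None

    def message1(self):
        # X = H1(A|B|pw) * g^Ra mod p: without the password, g^Ra is not recoverable from X
        return self.a_id, (_blind(self.a_id, self.b_id, self.pw) * self.g_r) % P

    def message3(self, y, s1):
        shared = pow(y, self.r, P)
        ctx = (self.a_id, self.b_id, self.pw, self.g_r, y, shared)
        # S1 proves B knew the password and recovered the same g^Ra
        if not hmac.compare_digest(s1, _h(b"\x02", *ctx)):
            raise ValueError("responder failed password confirmation")
        self.key = _h(b"\x04", *ctx)
        return _h(b"\x03", *ctx)  # S2: A's own confirmation


class Responder:
    """Party B: unblinds A's value, answers with g^Rb and a confirmation hash."""

    def __init__(self, b_id, password):
        self.b_id, self.pw = b_id, password
        self.ctx = None
        self.key = None

    def message2(self, a_id, x):
        if x % P == 0:
            raise ValueError("invalid initiator value")
        x_ab = (x * pow(_blind(a_id, self.b_id, self.pw), -1, P)) % P  # unblind
        r = secrets.randbelow(P - 2) + 1
        y = pow(G, r, P)
        shared = pow(x_ab, r, P)
        self.ctx = (a_id, self.b_id, self.pw, x_ab, y, shared)
        return y, _h(b"\x02", *self.ctx)

    def finish(self, s2):
        if not hmac.compare_digest(s2, _h(b"\x03", *self.ctx)):
            raise ValueError("initiator failed password confirmation")
        self.key = _h(b"\x04", *self.ctx)
        return self.key


def run_exchange(a_password, b_password, a_id=b"alice", b_id=b"gateway"):
    """Run the three messages; returns (key_a, key_b) or raises ValueError on mismatch."""
    a, b = Initiator(a_id, b_id, a_password), Responder(b_id, b_password)
    a_id_sent, x = a.message1()
    y, s1 = b.message2(a_id_sent, x)
    s2 = a.message3(y, s1)
    return a.key, b.finish(s2)


def passwords_agree(a_password, b_password):
    """True if both sides end with the same key, False if a confirmation failed."""
    try:
        key_a, key_b = run_exchange(a_password, b_password)
    except ValueError:
        return False
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    print("same password:", passwords_agree(b"correct horse", b"correct horse"))
    print("wrong password:", passwords_agree(b"correct horse", b"battery staple"))
```

The point to observe is that a password mismatch is detected by the confirmation hashes before either side uses the derived key, and that the value sent on the wire is the blinded product, so a passive observer who lacks the password cannot test password guesses against it offline.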
27 ITU-T Recommendation X.805
X.805 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern, independently of the network's underlying technology.
28 Q.5/17 Draft Recommendations 1/2
Applications and further development of major concepts of ITU-T Recommendation X.805
- X.805+, Division of the security features between the network and the users: specifies the division of security features between the networks and users. It provides guidance on applying concepts of the X.805 architecture to securing the service provider's and application provider's networks and the end user's equipment.
- X.805nsa, Network security assessment/guidelines based on ITU-T Recommendation X.805: provides a framework for network security assessment/guidelines based on ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications.
29 Q.5/17 Draft Recommendations 2/2
Standardization in support of the Authentication Security Dimension (defined in X.805)
- X.akm, Framework for authentication and key management for link layer security of NGN: establishes a framework for authentication and key management for securing the link layer. It also provides guidance on selection of the EAP methods.
Standardization of network security policies
- X.spn, Framework for creation, storage, distribution, and enforcement of security policies for networks: establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices.
30 ITU-T SG 17 Question 6: Cyber Security
- Motivation
- Objectives
- Scope
- Current area of focus
- Draft Recommendations under development
31 Q.6/17 Motivation
- Network connectivity and ubiquitous access is central to today's IT systems
- Widespread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability
- Threats such as denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise
- Network protocols in use today were developed in an environment of trust
- Most new investment and development is dedicated to building new functionality and not to securing that functionality
- An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow
32 Q.6/17 Objectives
- Perform actions in accordance with Lead Study Group (LSG) responsibility, with the focus on Cybersecurity
- Identify and develop standards required for addressing the challenges in Cybersecurity, within the scope of Q.6/17
- Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency
- Maintain and update existing Recommendations within the scope of Q.6/17 (this includes E.409)
- Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 (e.g., SC 6, SC 27 and SC 37), and consortia as appropriate
- Provide awareness on new security technologies related to Cybersecurity
- Provide an Identity Management Framework that defines the problem space, representative use case scenarios and requirements. This includes leveraging other on-going Identity Management activities
- Collaborate with Next Generation Networks activities in ITU-T in the areas of Cybersecurity and Identity Management
33 Q.6/17 Scope
- Definition of Cybersecurity
- Security of Telecommunications Network Infrastructure
- Security Knowledge and Awareness of Telecom Personnel and Users
- Security Requirements for Design of New Communications Protocols and Systems
- Communications relating to Cybersecurity
- Security Processes - Life-cycle Processes relating to Incidents and Vulnerabilities
- Security of Identity in Telecommunication Networks
- Legal/Policy Considerations
34 Q.6/17 Current Area of Focus 1/2
- Work with SG 2 on the definition and requirements of Cybersecurity
- Collaborate with Q.5, 7, 9, 17/17 and SG 2 in order to achieve better understanding of various aspects of network security
- Collaborate with IETF, OASIS, ISO/IEC JTC 1, W3C, APEC-TEL and other standardization bodies on Cybersecurity
- Work with OASIS on adopting the OASIS Common Alerting Protocol V1.1 as an ITU-T Recommendation
- Work on a framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations
- Work on a Recommendation for standardization of vulnerability data definition
- Work on a network security management framework to address how telecommunications operators uniformly operate various kinds of security functions
- Study new Cybersecurity issues - how should ISPs deal with botnets, evaluating the output of appropriate bodies when available
35 Q.6/17 Current Area of Focus 2/2
Work on Recommendations on Identity Management (IdM) addressing the following areas:
- An umbrella Recommendation that determines IdM security requirements from the ITU-T perspective
- An umbrella Recommendation that defines a framework and architecture(s) for IdM after identifying the IdM security mechanisms that need to be addressed
- An umbrella Recommendation that assesses security threats and vulnerabilities associated with IdM
- Collaborate with Q.15/13 on NGN IdM issues
- Develop guidelines on the protection of personal information and privacy
- Call for contributions for the outstanding questions identified in the revised scope
- Promote the wide adoption of IdM through the IdM Focus Group, which considers the challenges and issues associated with IdM across various SDOs and consortia
36 Q.6/17 Draft Recommendations 1/5
Overview of Cybersecurity (X.1205, formerly X.cso)
Provides a definition for Cybersecurity and a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers. Various Cybersecurity technologies that are available to remedy the threats include: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing, audit and monitoring. Network protection principles such as defence in depth and access and identity management, with application to Cybersecurity, are discussed. Risk management strategies and techniques are discussed, including the value of training and education in protecting the network. A discussion of Cybersecurity standards, Cybersecurity implementation issues and certification is presented.
A vendor-neutral framework for automatic checking of the presence of vulnerability information updates (X.vds)
Provides a framework of automatic notification on vulnerability information. The key point of the framework is that it is vendor-neutral. Once users register their software, updates on the vulnerabilities and patches of the registered software will automatically be made available to the users. Upon notification, users can then apply the updates.
37 Q.6/17 Draft Recommendations 2/5
Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X.sds)
Provides guidelines for Internet Service Providers (ISPs) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users' consent and controls, for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software.
Identity Management Framework (X.idmf)
Develops an Identity Management Framework that leverages the use case scenarios as they apply to Telecommunications and includes non-Telecom applications (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services). The framework enables service providers to provide entities with reliable, trusted and secure IdM services over distributed networks, through the appropriate use of authorization, authentication, access control mechanisms, and policy management mechanisms.
38 Q.6/17 Draft Recommendations 3/5
Identity Management Requirements (X.idmr)
Develops use case scenarios and requirements for the Identity Management Framework Recommendation (X.idmf). The developed use cases cover Telecommunications and non-Telecom scenarios (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services).
Identity Management Security (X.idms)
Performs security analysis on the Identity Management Framework as developed in X.idmf. The Recommendation develops guidelines and a best-practice approach for ensuring that security is maintained when the Identity Management Framework is used as the vehicle for providing Telecommunications and non-Telecom IdM solutions.
39 Q.6/17 Draft Recommendations 4/5
Common Alerting Protocol (CAP v1.1) (X.1303, formerly X.cap)
Specifies the common alerting protocol (CAP), which is a simple but general format for exchanging all-hazard emergency alerts and public warnings over all kinds of networks. CAP allows a consistent warning message to be disseminated simultaneously over many different warning systems, thus increasing warning effectiveness while simplifying the warning task. CAP also facilitates the detection of emerging patterns in local warnings of various kinds, such as might indicate an undetected hazard or hostile act. And CAP provides a template for effective warning messages based on best practices identified in academic research and real-world experience. This Recommendation is technically equivalent to and compatible with the OASIS Common Alerting Protocol v1.1 standard.
ASN.1 specification for the Common Alerting Protocol (CAP v1.1) (X , formerly X.cap2)
The common alerting protocol (CAP) is specified in ITU-T Rec. X.1303, which is technically equivalent to and compatible with the OASIS Common Alerting Protocol V1.1 standard. This Recommendation provides an equivalent ASN.1 specification that permits a compact binary encoding and the use of ASN.1 as well as XSD tools for the generation and processing of CAP messages. This Recommendation enables existing systems, such as H.323 systems, to more readily encode, transport and decode CAP messages.
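Because a CAP message can trigger warning systems, a receiver should check that a message carries the mandatory CAP 1.1 elements and only the enumerated values before acting on it. The Python block below is an added example written for this page, not code from the ITU-T or OASIS specifications; it parses the XML form of a CAP 1.1 alert and rejects structurally invalid messages. The element names, the enumerations and the `urn:oasis:names:tc:emergency:cap:1.1` namespace are those of CAP 1.1; the two sample messages are constructed for this example, and the `parse_cap`/`is_valid_cap` function names are this example's own.

```python
# Added example (not from the ITU-T presentation or the CAP specification text):
# minimal validation of a CAP 1.1 alert in its XML form before it is acted on.
import xml.etree.ElementTree as ET

CAP_NS = "urn:oasis:names:tc:emergency:cap:1.1"
ALERT_REQUIRED = ("identifier", "sender", "sent", "status", "msgType", "scope")
INFO_REQUIRED = ("category", "event", "urgency", "severity", "certainty")
# CAP 1.1 enumerated values for the elements that carry a fixed vocabulary.
ENUMS = {
    "status": {"Actual", "Exercise", "System", "Test", "Draft"},
    "msgType": {"Alert", "Update", "Cancel", "Ack", "Error"},
    "scope": {"Public", "Restricted", "Private"},
    "urgency": {"Immediate", "Expected", "Future", "Past", "Unknown"},
    "severity": {"Extreme", "Severe", "Moderate", "Minor", "Unknown"},
    "certainty": {"Observed", "Likely", "Possible", "Unlikely", "Unknown"},
}


def _text(elem, name):
    """Text of the first CAP child <name>, or None if absent or empty."""
    child = elem.find(f"{{{CAP_NS}}}{name}")
    return child.text.strip() if child is not None and child.text else None


def _collect(elem, names):
    """Pull the named children, enforcing presence and enumerated values."""
    record = {}
    for name in names:
        value = _text(elem, name)
        if value is None:
            raise ValueError(f"missing <{name}>")
        if name in ENUMS and value not in ENUMS[name]:
            raise ValueError(f"invalid {name}: {value!r}")
        record[name] = value
    return record


def parse_cap(xml_bytes):
    """Return a dict for a CAP 1.1 <alert>; raise ValueError if it is not valid.

    For input from untrusted senders, parse with defusedxml instead of the
    standard ElementTree (an assumption about deployment, not part of CAP).
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{CAP_NS}}}alert":
        raise ValueError(f"not a CAP 1.1 alert element: {root.tag}")
    alert = _collect(root, ALERT_REQUIRED)
    # Every <info> block must carry its own mandatory elements; only the first
    # <category> of each block is checked here (CAP allows several).
    alert["info"] = [_collect(info, INFO_REQUIRED)
                     for info in root.findall(f"{{{CAP_NS}}}info")]
    return alert


def is_valid_cap(xml_bytes):
    """True if parse_cap accepts the message, False on any validation error."""
    try:
        parse_cap(xml_bytes)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed sample messages (not real alerts): one valid, one with a
# severity value that is outside the CAP 1.1 vocabulary.
SAMPLE_ALERT = b"""<?xml version="1.0" encoding="UTF-8"?>
<alert xmlns="urn:oasis:names:tc:emergency:cap:1.1">
  <identifier>EXAMPLE-2007-0001</identifier>
  <sender>alerts@example.invalid</sender>
  <sent>2007-10-04T10:00:00+00:00</sent>
  <status>Exercise</status>
  <msgType>Alert</msgType>
  <scope>Public</scope>
  <info>
    <category>Infra</category>
    <event>Constructed example: telecom outage drill</event>
    <urgency>Expected</urgency>
    <severity>Severe</severity>
    <certainty>Likely</certainty>
  </info>
</alert>"""
BAD_ALERT = SAMPLE_ALERT.replace(b"<severity>Severe</severity>",
                                 b"<severity>Catastrophic</severity>")

if __name__ == "__main__":
    print(parse_cap(SAMPLE_ALERT)["info"][0]["severity"])  # Severe
    print(is_valid_cap(BAD_ALERT))  # False
```

The check is deliberately strict: an alert missing a mandatory element or using a word outside the fixed vocabulary is refused rather than "best-effort" interpreted, which is the behaviour a system that forwards warnings to many downstream channels should have.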
40 Q.6/17 Draft Recommendations 5/5
Privacy guideline for RFID (X.rfpg)
Recognizes that, as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation develops guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect the privacy rights of the general public within national policies.
Network Security Management Framework (X.nsmf)
Defines the framework for security management to address how telecom operators can uniformly operate various kinds of security functions.
Guideline on preventing worm spreading in a data communication network (X.gopw)
Describes worm spreading patterns and scenarios in a data communication network. In addition, it specifies countermeasures to prevent worm spreading. This Recommendation can be used as a guideline by network designers, network operators, and end users for preventing worm spreading.
42 Q.7/17 Tasks
Information Security Management Guidelines for telecommunications (existing X.1051, Information security management system – Requirements for telecommunications (ISMS-T))
- Maintain and revise Recommendation X.1051, "Information Security Management Guidelines for telecommunications based on ISO/IEC 27002".
- Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27 (ISO/IEC standard = Recommendation X.1051).
Risk Management Methodology
- Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051.
- Produce and consent a new ITU-T Recommendation for risk management methodology.
Incident Management
- Study and develop a handling and response procedure on security incidents for telecommunications in line with Recommendation X.1051.
- Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.
43 Q.7/17 plan on Recommendations
- X.1050: To be proposed
- X.1051: In revision process - Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002
- X.1052: To be proposed
- X.1053: To be proposed (Implementation Guide for Telecommunications)
- X.1054: To be proposed (Measurements and metrics for Telecommunications)
- X.1055: In the first stage of development - Risk Management Guidelines for Telecommunications
- X.1056: In the first stage of development - Security Incident Management Guidelines for Telecommunications
- X.1057: To be proposed (Identity Management for Telecommunications)
44 Information security management guidelines for Telecommunications (Revised X.1051)
(Diagram: approach to develop the revised Recommendation X.1051.) Elements shown: Existing X.1051 (2004); ISO/IEC (2005); Revised X.1051; Information assets for Telecom; ISMS process; CONTROL; Implementation guidance; Implementation requirements for Telecom; Implementation guidance for Telecom; Other information.
Control areas: Security policy; Organising information security; Asset management; Human resources security; Physical & environmental security; Communications & operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.
45 ITU-T SG 17 Question 8: Telebiometrics
- Objectives
- Study areas on biometric processes
- Recommendations
46 Q.8/17 Objectives
- To define a telebiometric multimodal model framework
- To specify a biometric authentication mechanism in open networks
- To provide protection procedures and countermeasures for telebiometric systems
47 Q.8/17 Study areas on Biometric Processes
(Diagram: the biometric process chain and the Recommendations covering each stage.) Stages: Acquisition (capturing) → Sensors → Extraction → Matching → Decision (Yes/No, Score) → Application, with Storage and the network (NW) between stages. X.1081 and X.Physiol (safety conformity) apply at the sensor stage.
- X.tai: Telebiometrics Authentication Infrastructure
- X.bip: BioAPI Interworking Protocol
- X.tsm: Telebiometrics System Mechanism
- X.tpp: Telebiometrics Protection Procedure
48 Q.8/17 Recommendations 1/3
- X.1081, The telebiometric multimodal model framework – A framework for the specification of security and safety aspects of telebiometrics: defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects).
- X.physiol, Telebiometrics related to human physiology: gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by the telebiometric devices in its environment.
- X.tsm-1, General biometric authentication protocol and profile on telecommunication system: defines the communication mechanism and protocols of biometric authentication for unspecified end-users and service providers on an open network.
49 Q.8/17 Recommendations 2/3
- X.tsm-2, Profile of telecommunication device for Telebiometrics System Mechanism (TSM): defines the requirements and security profiles of client terminals for biometric authentication over the open network.
- X.tai, Telebiometrics authentication infrastructure: specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation.
- X.bip, BioAPI interworking protocol: common text of ITU-T and ISO/IEC JTC 1/SC 37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable BioAPI-conforming applications in telebiometric systems.
50 Q.8/17 Recommendations 3/3
- X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security: defines weaknesses and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives.
- X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data: defines threat characteristics of multi-modal biometric systems, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data.
51 ITU-T SG 17 Question 9: Secure Communication Services
- Focus
- Position of each topic
- Mobile security
- Home network security
- Web services security
- Secure applications services
52 Q.9/17 Focus
Develop a set of standards of secure application services, including:
- Mobile security (under study)
- Home network security (under study)
- Web services security (under study)
- Secure application services (under study)
- Privacy protection for RFID (under study)
- Multicast security (under study)
- Multimedia content protection (to be studied)
Security:
- Authentication - to know who is accessing your data
- Privacy - to protect your data from intrusion
- Encryption - to secure the data from misuse or abuse
- Biometrics - 'what you are': replaces 'what you know' (items such as PIN numbers) and augments 'what you have' (forms of identification, such as cards)
Related Recommendations:
- X.509, Public-key and attribute certificate frameworks
- X.842, Guidelines for the use and management of Trusted Third Party services
- X.843, Specification of TTP services to support the application of digital signatures
Recommendation X.509, Information technology - The Directory: Public-key and attribute certificate frameworks (approved)
This Recommendation defines a framework for public-key certificates and attribute certificates. These frameworks may be used to profile applications of Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI). Also, this Recommendation defines a framework for the provision of authentication services by the Directory to its users. It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques.
Recommendation X.842, Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services
This Recommendation provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. This Recommendation identifies different major categories of TTP services including time stamping, non-repudiation, key management, certificate management, and electronic notary public. (Q13/7)
Recommendation X.843, Information technology – Security techniques – Specification of TTP services to support the application of digital signatures
This Recommendation defines the services required to support the application of digital signatures for non-repudiation of creation of a document. Since this implies integrity of the document and authenticity of the creator, the services described can also be combined to implement integrity and authenticity services.
53 Position of each topic (diagram): the network elements shown are Mobile Terminal, Mobile Network, Open Network, Home Network and Application Server; the topics placed on them are Mobile security, Home network security, Web services security, Secure application services, Privacy protection for RFID and Multicast security.
54 Q.9/17 - Mobile Security
- X.1121, Framework of security technologies for mobile end-to-end data communications (Approved 2004)
- X.1122, Guideline for implementing secure mobile systems based on PKI
- X.msec-3, General security value added service (policy) for mobile data communication: develops general security services as value-added services for secure mobile end-to-end data communication
- X.msec-4, Authentication architecture in mobile end-to-end data communication: constructs a generic authentication architecture for mobile data communication between mobile users and application servers
- X.crs, Correlative reacting system in mobile network: develops the generic architecture of a correlative reacting system that protects the mobile terminal against viruses, worms, Trojan horses and other network attacks directed at both the mobile network and its mobile users
55 Q.9/17 - Home network security
- X.1111, Framework for security technologies for home network (Approved 2007): defines the security threats and security requirements, the security functions, the security function requirements for each entity in the network, and the possible implementation layer
- X.homesec-2, Certificate profile for the device in the home network: develops a framework for home network device certificates
- X.homesec-3, User authentication mechanisms for home network service: provides the user authentication mechanism in the home network, which allows various authentication means such as passwords, certificates and biometrics
56 Q.9/17 - Web Services security
- X.1141, Security Assertion Markup Language (SAML) (Approved 2006): adoption of OASIS SAML v2.0 into ITU-T Recommendation X.1141; defines an XML-based framework for exchanging security information, expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain
- X.1142, eXtensible Access Control Markup Language (XACML): adoption of OASIS XACML v2.0 into ITU-T Recommendation X.1142; provides an XML vocabulary for expressing access control policies, the syntax of the language, and the rules for evaluating policies
- X.websec-3, Security architecture for message security in mobile Web Services: develops a guideline on message security architecture and service scenarios for securing messages in mobile Web Services
57 Q.9/17 - Secure applications services
- X.sap-1, Guideline on strong password authentication protocols (guideline on secure password-based authentication protocols with key exchange): defines a set of requirements for password-based protocols with key exchange and a selection guideline, setting up criteria that can be used to choose an optimum authentication protocol for each application
- X.sap-2, Secure communication using TTP service: specifies secure end-to-end data communication techniques using TTP services, i.e. the services defined in X.842 or other services
- X.p2p-1, Anonymous authentication architecture in community communication (requirements of security for peer-to-peer and peer-to-multipeer communications): investigates the threat analysis for P2P and P2MP communication services and describes the security requirements for secure P2P and P2MP communication services
- X.p2p-2, Security architecture and protocols for peer to peer network: describes the security techniques and protocols in the P2P environment
59 ITU-T SG 17 Question 17: Countering Spam by Technical Means
- Objectives
- Recommendations
60 Q.17/17 Objectives
The aim of this Question is to develop a set of ITU-T Recommendations on countering spam by technical means, taking into account the need for collaboration with other ITU-T Study Groups and cooperation with other SDOs. The Question focuses particularly on technical requirements, frameworks and new technologies for countering spam. Guidelines on countering spam by technical means are also studied.
61 Q.17/17 Set of Recommendations (diagram)
- Guideline on countering spam (X.gcs): Draft
- Requirement on countering spam (X.csreq): Draft
- Framework Recommendations:
  - Technical framework for countering spam (X.fcs): Draft
  - Overview of countering spam for IP multimedia application (X.ocsip): Draft
  - IP multimedia application area: TBD
- Technology Recommendations:
  - Technical means for countering spam (X.tcs): TBD
  - Technical means for countering IP multimedia spam (X.tcs): TBD
- Other SDOs (input to the set)
62 Q.17/17 Brief Summaries of draft Recommendations 1/3
- X.gcs, Guideline on countering spam: specifies the technical issues of countering spam. It presents the current technical solutions and related activities of various SDOs and relevant organizations on countering spam. The purpose of the Recommendation is to provide useful information to users looking for technical solutions for countering spam, and it will be used as a basis for further development of technical Recommendations on countering spam.
- X.ocsip, Overview of countering spam for IP multimedia applications: specifies the basic concepts, characteristics and effects of spam in IP multimedia applications such as IP telephony, video on demand, IPTV, instant messaging and multimedia conferencing. It will present the technical issues, the requirements for technical solutions, and the various activities on countering spam for IP multimedia applications, and will provide a basis and guideline for developing further technical solutions on countering spam.
63 Q.17/17 Brief Summaries of draft Recommendations 2/3
- X.csreq, Requirement on countering spam: clarifies the requirements on countering spam. There are many types of spam, such as e-mail spam, mobile messaging spam and IP multimedia spam, and the various types may have both common and specific requirements for countering them. For one type of spam, the requirements on the different entities involved should also be clarified.
- X.fcs, Technical framework for countering spam: specifies the technical framework of the network structure for countering spam and defines the functions inside the framework. It also provides universal rules for distinguishing spam from other e-mails and the common methods of countering spam.
- X.tcs, Technical means for countering spam: communication networks are evolving, more services are emerging, and the capabilities of spammers are growing. Moreover, no single technical means currently has perfect performance in countering spam, so it may be necessary to propose new technical countermeasures.
64 Q.17/17 Brief Summaries of draft Recommendations 3/3
- X.fcsip, Framework of countering IP multimedia spam: specifies the general architecture of a countering-spam system for IP multimedia applications such as IP telephony, instant messaging and multimedia conferencing. It will define the functional blocks of the network entities needed to counter spam and their functionalities, and describe the interfaces among the entities. To build sessions that are secure against spam attacks, user terminals and edge service entities such as proxy servers or application servers will be extended with spam control functions. The interfaces between these extended peer entities are shown, together with the interfaces to other network entities that can be involved in countering spam.
- X.tcs-1, Interactive countering spam gateway system: specifies an interactive countering-spam gateway system as a technical means for countering various types of spam. The gateway system enables spam notification from the receiver's gateway to the sender's gateway and prevents spam traffic from crossing the network. This specification defines the architecture of the countering-spam gateway system, describes its basic entities, protocols and functions, and provides mechanisms for spam detection, for sharing countering-spam information, and for the countering-spam actions of the gateway systems.
66 SG 4: Security Management Systems
To complement the M.3016 series on Security of the Management Plane, which is focused on interfaces, SG 4 has initiated new work on Security Management Systems (SMS). It is viewed as a key addition to support NGN management.
Based on equivalent work in ATIS TMOC, M.sec-mgmt-sys is expected to:
- draw on security concepts from X.800 and X.805
- describe the logical SMS architecture, to be realized in one or more physical systems
- describe the managed network elements supported by the SMS
- specify the SMS functional requirements
As with the M.3016 series, a proforma will be provided as a template for other SDOs and forums to indicate to their membership which parts of M.sec-mgmt-sys are mandatory or optional.
68 SG 11: Security signalling protocol draft Recommendation in progress
Draft Recommendation Q.3201 (formerly Q.NGN-nacf-sec), EAP-based security signalling protocol architecture for network attachment: describes the security signalling requirements and protocol architecture for supporting the access security aspect of network attachment in the NGN environment. The basic threats and security requirements for the attachment of NGN access networks are analysed, and a model of an EAP-based security signalling protocol architecture accommodating heterogeneous multi-links in the NGN access environment is presented. Based on it, three feasible scenarios for authentication signalling in the NGN network attachment control function are developed.
69 ITU-T SG 13 work on security
- Q.15/13
- All SG 13 Recommendations have a section on security
70 Q.15/13 NGN Security
- Y.2701, Security requirements for NGN release 1
- Y.NGN Authentication
- Y.NGN Security Mechanisms, NGN Security Mechanisms and Procedures
- Y.NGN, Certificate Management
- Y.NGN AAA, The Application of AAA Service for network access control in UNI and ANI over NGN
- Y.IdMsec, NGN Identity Management Security
71 Y.2701, Security requirements for NGN release 1 (pre-published)
- Provides security requirements for Next Generation Networks (NGNs) and their interfaces (e.g., UNIs, NNIs and ANIs) by applying ITU-T Recommendation X.805, Security architecture for systems providing end-to-end communications, to ITU-T Recommendation Y.2201, NGN release 1 requirements, and ITU-T Recommendation Y.2012, Functional requirements and architecture of the NGN.
- Specifies a trust model based on network elements (physical boxes) that support the functional entities defined in ITU-T Recommendation Y.2012.
- Specifies requirements that should be treated as a minimum set of security requirements. NGN network providers are encouraged to take additional measures beyond those specified in the Recommendations for NGN security.
72 Y.NGN Authentication 1/2
Specifies authentication and authorization requirements for Next Generation Networks (NGNs) based on the ITU-T NGN release 1 Requirements and NGN Functional Requirements and Architecture (FRA). This includes requirements for one-way and mutual authentication and authorization across the User-to-Network Interface (UNI), the Network-to-Network Interface (NNI) and the Application-to-Network Interface (ANI). The scope of this Recommendation covers:
- Authentication and authorization of users for network access (e.g., authentication and authorization of an end user device, a home network gateway, or an enterprise gateway to obtain access or attachment to the network)
- Service provider authentication and authorization of users for access to a service/application (e.g., authentication and authorization of a user, a device, or a combined user/device, where the authentication and authorization applies to NGN service/application access)
73 Y.NGN Authentication 2/2
- Service provider authentication and authorization of users for access to a specific service/application (e.g., ETS- and TDR-specific authentication and authorization)
- User authentication and authorization of a network (e.g., a user authenticating the identity of the NGN network or of the service provider)
- User peer-to-peer authentication and authorization (e.g., authentication and authorization of the called user (or terminating entity), authentication and authorization of the originating entity, or data origin authentication as network functions)
- Mutual network authentication and authorization (e.g., authentication and authorization across the NNI at the transport level or the service/application level)
- Authentication and authorization of a 3rd party service/application provider
- Use of a 3rd party authentication and authorization service
74 Y.NGN Security Mechanisms, NGN Security Mechanisms and Procedures
Describes the specific security mechanisms that should be used to realize the requirements of Y.2701, Security Requirements for NGN release 1. It covers the following security subjects:
- Identification and authentication
- Media security
- Audit trail, trapping, and logging systems
- Transport security for signalling and OAMP (Operations, Administration, Maintenance, and Provisioning)
- CPE (Customer Premises Equipment) provisioning
75 Y.NGN, Certificate Management
- Defines procedures for managing the X.509 certificates used for providing NGN security
- Specifies the use of X.509 certificates for authentication of the NGN network elements, based on policy and business agreements
76 Y.NGN AAA, The Application of AAA Service for network access control in UNI and ANI over NGN
Specifies the authentication and authorization procedures for the NGN. It is based on the principles established in ITU-T Recommendations Y.2701, Security requirements for NGN release 1, and Y.2012, Functional requirements and architecture of the NGN. Y.NGN AAA provides recommendations on authentication and authorization across the User-to-Network Interface (UNI) and the Application-to-Network Interface (ANI).
77 Y.IdMsec, NGN Identity Management Security
- Describes the fundamental concepts associated with NGN Identity Management
- Provides a framework for Identity Management based on the NGN Functional Requirements and Architecture (FRA) release 2. This IdM framework is applicable to all NGN entities (e.g., service providers, network providers, network elements, users and user equipment)
- Outlines the threats and risks to Identity Management within an NGN environment
- Describes trust models for Identity Management within an NGN environment
- Specifies security objectives and requirements for NGN Identity Management
78 Q.15/13's Major Contributions on Security to the Work of other Questions and Study Groups
- Q.15/13 led the development of the Security Considerations and Requirements section of ITU-T Recommendation Y.2111, Resource and admission control functions in Next Generation Networks (Y.2111 was developed by Q.4/13)
- Q.15/13 participated in the development of the ITU-T Recommendation EAP-Based Security Signaling Protocol Architecture for Network Attachment (the Recommendation is being developed by Q.7/11)
80 Q.25/16 "Multimedia Security in Next-Generation Networks" (NGN-MM-SEC)
- Study Group 16 concentrates on multimedia systems.
- Q.25/16 focuses on the application-security issues of MM applications in next generation networks and standardizes multimedia security.
- So far Q.25/16 has been standardizing MM security for the "1st generation MM/pre-NGN systems", i.e. H.323/H.248-based systems.
- The H.235 sub-series Recommendations provide a framework and a set of requirements for multimedia systems.
82 H.235 V4 sub-series Recommendations
- Major restructuring of H.235v3 Amd.1 and its annexes into stand-alone sub-series Recommendations
- The H.235.x sub-series specify scenario-specific MM-security procedures as H.235 profiles for H.323
- Some new parts added
- Some enhancements and extensions
- Incorporated corrections
- Approved in September 2005
83 H.323 Security Recommendations 1/4
- H.235.0, Security framework for H-series (H.323 and other H.245-based) multimedia systems: overview of the H.235.x sub-series and common procedures, with baseline text
- H.235.1, Baseline Security Profile: authentication and integrity for H signalling using shared secrets
- H.235.2, Signature Security Profile: authentication and integrity for H signalling using X.509 digital certificates and signatures
84 H.323 Security Recommendations 2/4
- H.235.3, Hybrid Security Profile: authentication and integrity for H signalling using an optimized combination of X.509 digital certificates, signatures and shared-secret key management; specification of an optional proxy-based security processor
- H.235.4, Direct and Selective Routed Call Security: key management procedures in corporate and inter-domain environments to obtain key material for securing H call signalling in GK direct-routed/selective-routed scenarios
Slide markers: enhanced, extended
85 H.323 Security Recommendations 3/4
- H.235.5, Framework for secure authentication in RAS using weak shared secrets: secured password (using the EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H signalling
- H.235.6, Voice encryption profile with native H.235/H.245 key management: key management and encryption mechanisms for RTP
Slide markers: enhanced, modified
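The idea behind H.235.5 (and the kind of password-based protocol with key exchange that X.sap-1 sets criteria for) is that a weak shared secret is folded into a Diffie-Hellman exchange so that the transcript cannot be used to test password guesses offline. The following is an added, constructed SPEKE-style illustration in Python; it is not H.235.5's own procedure or message format, and the modulus, passwords and direction labels are demo values chosen here.

```python
"""Toy SPEKE-style password-authenticated Diffie-Hellman exchange.

Constructed illustration of the approach named in H.235.5 and asked for by
X.sap-1: a weak shared secret (a password) selects the Diffie-Hellman
generator, so the exchange yields a strong session key while the transcript
gives an eavesdropper nothing to test password guesses against offline.
Not the H.235.5 message format; the tiny demo modulus is for illustration
only, and real deployments use a 2048-bit or larger group.
"""
import hashlib
import hmac
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the small demo modulus."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


P = 2999                      # constructed demo safe prime, p = 2q + 1
Q = (P - 1) // 2              # order of the quadratic-residue subgroup
assert is_prime(P) and is_prime(Q), "demo modulus must be a safe prime"
NBYTES = (P.bit_length() + 7) // 8


def password_generator(password: str) -> int:
    """SPEKE: g = H(password)^2 mod p, an element of the order-q subgroup.
    Each password gives a different generator, so checking a guess against
    the transcript would need a discrete logarithm per guess."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator; reject the exchange")
    return g


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup, so a
    peer cannot confine the shared secret to a small subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class Party:
    def __init__(self, password: str):
        self.g = password_generator(password)
        self.x = secrets.randbelow(Q - 2) + 2   # private exponent in [2, q-1]
        self.public = pow(self.g, self.x, P)

    def derive_key(self, peer_public: int, transcript: bytes) -> bytes:
        if not valid_public_value(peer_public):
            raise ValueError("peer public value failed subgroup check")
        shared = pow(peer_public, self.x, P)
        return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()


def confirm_tag(key: bytes, label: bytes) -> bytes:
    """Key-confirmation MAC over a direction label."""
    return hmac.new(key, label, hashlib.sha256).digest()


def run_exchange(pw_a: str, pw_b: str) -> bool:
    """Run one exchange; True only if both sides confirm the same key."""
    a, b = Party(pw_a), Party(pw_b)
    transcript = b"A|%d|B|%d" % (a.public, b.public)  # binds both public values
    k_a = a.derive_key(b.public, transcript)
    k_b = b.derive_key(a.public, transcript)
    # A's tag over "A->B" is checked by B with B's key, and vice versa; a
    # wrong password on either side gives different keys and fails here.
    ok_b = hmac.compare_digest(confirm_tag(k_a, b"A->B"), confirm_tag(k_b, b"A->B"))
    ok_a = hmac.compare_digest(confirm_tag(k_b, b"B->A"), confirm_tag(k_a, b"B->A"))
    return ok_a and ok_b
```

Calling run_exchange("s3cret", "s3cret") succeeds while run_exchange("s3cret", "guess") fails, and a peer value such as 1 or p-1 is rejected before any key is derived.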
86 H.323 Security Recommendations 4/4
- H.235.7, Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235: usage of MIKEY key management for SRTP
- H.235.8, Key Exchange for SRTP using secure Signalling Channels: SRTP keying parameter transport over secured signalling channels (IPsec, TLS, CMS)
- H.235.9, Security Gateway Support for H.323: discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H signalling
Slide markers: NEW, NEW
87 Other SG16 MM-SEC Results
- H (2003), H Directory Services Architecture for H.235: an LDAP schema to represent H.235 elements (passwords, certificates, ID information)
- H.530 (Revision 2003), Symmetric security procedures for H.323 mobility in H.510: authentication, access control and key management in mobile H.323-based corporate networks
- Draft H (Jan. 2007), Security protocol negotiation: negotiates security protocols (IPsec, TLS or others) for H.323 signalling
88 Q.5/16 (H.300 NAT/FW Traversal) Results 1/2
- H (Sep. 2005), Traversal of H.323 signalling across FWs and NATs: H.323 protocol enhancements and new client/server proxies that allow H.323 signalling protocols to traverse NATs and FWs; H.323 endpoints can remain unchanged
- H (Sep. 2005), NAT & FW traversal procedures for RTP in H.323 systems: uses multiplexed RTP media mode and symmetric RTP in conjunction with H as a short-term solution
89 More Q.5/16 Results 2/2
- Technical Paper (2005), Requirements for Network Address Translator and Firewall Traversal of H.323 Multimedia Systems: documentation of scenarios and requirements for NAT & FW traversal in H.323
- Technical Paper (2005), Firewall and NAT traversal Problems in H.323 Systems: an analysis of scenarios and the various problems encountered by H.323 around NAT & FW traversal
90 New Q.25/16 items under current study 1/2
- Study anti-DDoS (Distributed Denial-of-Service) countermeasures for (H.323-based) NAT/FW proxies and MM applications
- Security for MM-QoS (H.mmqos.security)
- MM security aspects of the "H.325" Advanced Multimedia Systems (AMS) vision. Goal: MM security for "H.325", including audiovisual on-demand services, multimedia conferencing, distance learning, ...
91 New Q.25/16 items under current study 2/2
- Study multimedia-security aspects of Digital Rights Management (MM-DRM)
  - What does MM-DRM mean?
  - Understand the DRM security needs of MM content in MM applications (e.g. IPTV, ...)
  - Contributions are solicited
  - Which other groups are active/interested in this area?
- Draft H.proxy. Goal: specify a proxy-aided NAT/firewall traversal mechanism as a NAT traversal solution for H.323 multimedia systems. Intended for Consent in July 2007
92 SG 16: Summary
- Multimedia systems and applications as studied by SG 16 face important security challenges: MM security and NAT/FW traversal
- Q.25/16 and Q.5/16 are addressing these issues and have provided various Recommendations
- The work continues in the scope of NGN-Multimedia Security