1. FMS/TR-069 File Download Security Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder (apg@qualcomm.com)apg@qualcomm.com Yinian Mao (yinianm@qualcomm.com)yinianm@qualcomm.com Recommendation: Discuss and adopt Notice QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include all or portions of this contribution; and at the Organizational Partner’s sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner’s standards publication. QUALCOMM Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution. This document has been prepared by QUALCOMM Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on QUALCOMM Incorporated. QUALCOMM Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of QUALCOMM Incorporated other than provided in the copyright statement above. S40-20090713-001

2. TR-069 Architecture Managing CPE using remote ACS Layered Architecture CPE/ACS Management Application SOAP HTTP RPC Methods SSL/TLS TCP

3. TR-069 File Transfer RPC methods define a mechanism to facilitate file downloads or (optionally) uploads File Transfer protocols – Unicast: HTTP/HTTPS (mandatory), FTP, SFTP and TFTP – Multicast: FLUTE and DSM-CC Download Options – (1) ACS initiated, providing location or file to be transferred – (2) CPE initiated, CPE first request, then follow (1) – (3) Initiated by an external event, e.g. announce firmware – (4) Signed Package Format for download

4. TR-069 RPC “Download” Used by the ACS to cause the CPE to download a specified file from the designated location. Example Command arguments – CommandKey string(32) – FileType string(64): 1-Firmware Upgrade Image, 2-Web Content, 3-Vendor Configuration File – URL string(256), FileSize unsignedInt – Username string(256), Password string(256) This command can be issued by ACS over a secure channel (e.g., TLS) and/or using Signed Package Format (see later slide)

5. File Transfer Connection Options When File Transfer is Initiated During a Session – (1) The CPE MAY send the HTTP GET/PUT over the already established connection. – (2) The CPE MAY open a second connection over which to transfer the file, while maintaining the session to the ACS. – (3) The CPE MAY terminate the session to the ACS and then perform the transfer. – (2) & (3) are not necessarily HTTP based Requirements for HTTP based transfer – CPE shall support TLS for (2) and (3), and use TLS when the download URL is HTTPS

6. TR-069 Signed Package Format

7. TR-069 Command Types

8. TR-069 Signature Field A content block using PKCS#7 format Uses “SignedData” type in PKCS#7 – PKCS#7 typically have data and signature together – Data part can be empty, and the signature is for “external” content – certificates is a set of extended certificates in X.509 certificate format. The certificate can contain chain of trust. – Hash of payload included in commands An Example SignedData format: SignedData ::= SEQUENCE { version Version, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,0 crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,1 signerInfos SignerInfos }

9. Conclusion When the FMS is inside operator’s core network: – Many FMS-FAP operations can be secured using IPSec (between the FAP and SeGW) and the use of TLS for FAP-FMS interface – The FAP can download files from the FMS or from other locations indicated by the FMS If file download location indicated is not inside of SeGW, then Signed Package format shall be used When the FMS is outside operator’s core network – TLS shall be used for FAP – FMS operations – The FAP can download files from the FMS or from other locations indicated by the FMS If location indicated is not inside of SeGW, then Signed Package format shall be used If location indicated for file download is outside of SeGW, the following security requirements shall be met: – The downloaded file shall be in the Signed Package Format according to TR-069 Ammendment 2. – The signature field in the Signed Package Format shall contain at least one signature signed by a trusted entity, together with a certificate or a certificate chain that can be verified by the FAP. – The FAP shall verify both the certificate(s) and the signature of the downloaded file before taking any action using the file. – If signature verification fails, the FAP shall discard the downloaded file and report to FMS. – In order to provide additional security, it is proposed that WG4 also require the use of Signed Package Format even when the FMS/file download server is located inside operator’s network – This is required to prevent certain attacks – e.g., an attacker hacking into the FAP and installing unsigned software by making it appear as though the file is from a server inside operator’s network

10. Proposal Incorporate the conclusion/requirements for FMS/File Download security in the S.P0132-0