
World Class Standards. ANFOV - Milano, 14 November 2007. Author: Paolo DE LUTIIS, Telecom Italia Security. Presentation transcript.


Slide 1: ETSI TISPAN NGN Security. Presentation for the ANFOV Security Observatory. Author: Paolo DE LUTIIS, Telecom Italia Security Innovation.

Slide 2: Table of contents
- ETSI TISPAN: WG7 activities
- TISPAN NGN overview
- TISPAN NGN security:
  - Security areas
  - Network Domain Security
  - TISPAN IMS security: IMS-AKA, NASS bundled, HTTP Digest
  - Application security
- TISPAN NGN security standards: main technical documents
- Conclusion

Slide 3: ETSI TISPAN: WG7 activities

Slide 4: WG7 - security
- TISPAN Working Group (WG) 7 is responsible for the management and co-ordination of the development of security specifications for TC TISPAN.
- For TISPAN NGN, WG7 is responsible for:
  - defining the security requirements;
  - defining the security architecture for the NGN;
  - conducting threat and risk analyses for specific NGN use cases;
  - proposing security countermeasures.
- The WG7 security standardization process is risk-based. The Threat, Vulnerability and Risk Analysis (TVRA) methodology was defined specifically to address the needs of NGN security; TVRA is based on ISO/IEC 15408 (Common Criteria).

Slide 5: WG7 security, current focus (NGN Release 2)
- Fixed-mobile convergence (coexistence of authentication schemes)
- Media security
- Network Address Translation
- IPTV security
- Impact of unsolicited communication in the NGN environment
- Identity management
- Customer premises network security

Slide 6: TISPAN NGN overview

Slide 7: TISPAN NGN outline
Figure: TISPAN NGN architecture. Access networks (UMTS, FTTx, WiFi/WiMAX, xDSL, PSTN/ISDN, broadcast) attach to an IP transport layer containing the NASS and RACS; the service layer comprises the IMS, PES and other subsystems together with the user profile and applications, interworking with the PSTN and other networks.

Slide 8: TISPAN NGN security

Slide 9: Security areas
Figure: NGN security areas: access security, interconnection security, intra-operator security, subsystems.

Slide 10: Security domains
- A security domain (TS 187 003) consists of the functional entities administered by a single authority (e.g. the same operator's network). A security domain is required to:
  - protect the integrity and confidentiality of its functional elements;
  - ensure the availability of the elements and activities under its protection.
- Inter-domain interfaces are protected by Security Gateway Functions (SEGF).
- SEGFs connect domains using IPsec ESP in tunnel mode, with keys negotiated by Internet Key Exchange (IKE).
- The actual inter-security-domain policy is not standardized and is left to the roaming agreements between operators.

Slide 11: TISPAN NGN security domains
Figure: Access Network, Visited Network, Home Network and third-party ASP security domains, each bordered by a Security Gateway Function (SEGF) and interconnected over IPsec tunnels.

Slide 12: Access security
- Access domain registration involves access-level authentication and authorization procedures between the UE and the access network.
- Fixed broadband access (and non-3GPP WLAN access) may employ different access domain registration methods, depending on the access network configuration and operator policy.
- These solutions usually do not rely on any kind of security token; an AAA infrastructure is used for bearer-level registration.
- The TISPAN requirements (TS 187 001) state that the NGN shall support explicit authentication (e.g. PPP or IEEE 802.1X) and/or implicit line authentication (e.g. MAC address authentication or line authentication) of users/subscribers at the NASS layer.

Slide 13: IMS security
- The IMS is independent of the transport network.
- The identity of the accessing UE is checked at the edge of the IMS; nodes inside the IMS domain trust SIP messages that carry an asserted identity header.
- At the IMS border the P-CSCF verifies that each SIP request comes from a UE authenticated at registration (in IMS-AKA the challenge itself is issued by the S-CSCF, using an authentication vector obtained from the UPSF) and inserts an asserted identity (P-Asserted-Identity header) into the request. This identity is passed between nodes in the IMS domain with no further authentication.
- IMS authentication options (TS 187 001):
  - Full IMS security: Authentication and Key Agreement (AKA) as defined by 3GPP, plus NAT traversal
  - Early deployment scenarios: NASS bundled authentication; HTTP Digest

Slide 14: IMS and call control
Figure: the Access/Visited, Home and Called networks each run a P-CSCF, I-CSCF and S-CSCF; the home S-CSCF consults the UPSF, and DNS is used to locate the next hop.

Slide 15: Full IMS security (IMS-AKA)
Figure: UE with UICC, NASS, P-CSCF, I/S-CSCF and UPSF; NASS authentication first, then SIP signalling.
- User credentials and secret key held on the UICC
- User profile, credentials and keys held in the UPSF
- NGN and UE are mutually authenticated (AKA)
- IPsec protects signalling confidentiality and integrity
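The IMS-AKA exchange of slides 13 and 15, as an added worked example (not 3GPP or TISPAN code, and not from the deck). The home network stands for the UPSF (which holds the long-term key K and the sequence counter SQN) plus the S-CSCF (which compares RES with XRES); the UE side is the UICC, which holds the same K. The functions f1 to f5 are HMAC-SHA256 stand-ins for the operator algorithm (MILENAGE in real networks), chosen only so the example runs on the Python standard library; the AUTN layout (SQN xor AK || AMF || MAC-A) follows TS 33.102. Key K and the AMF value are constructed.

```python
"""IMS-AKA registration model: mutual authentication and CK/IK agreement.
f1..f5 are HMAC-SHA256 stand-ins for MILENAGE (assumption, see lead-in)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

AMF = b"\x80\x00"  # authentication management field (16 bits), constructed value


def _kdf(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _kdf(k, b"f1", rand + sqn + amf, 8)  # MAC-A
def f2(k, rand): return _kdf(k, b"f2", rand, 8)                          # RES / XRES
def f3(k, rand): return _kdf(k, b"f3", rand, 16)                         # CK
def f4(k, rand): return _kdf(k, b"f4", rand, 16)                         # IK
def f5(k, rand): return _kdf(k, b"f5", rand, 6)                          # AK (conceals SQN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AkaFailure(Exception):
    pass


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes


class HomeNetwork:
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self) -> AuthVector:
        """UPSF side: fresh RAND, next SQN, AUTN = (SQN xor AK) || AMF || MAC-A."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn)

    def check(self, av: AuthVector, res: bytes) -> bool:
        """S-CSCF side: the UE is authenticated iff RES matches XRES."""
        return hmac.compare_digest(av.xres, res)


class Uicc:
    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0  # highest SQN accepted so far

    def challenge(self, rand: bytes, autn: bytes):
        """Authenticate the network before answering: MAC-A proves the challenger
        holds K, the SQN check rejects replayed or stale challenges."""
        sqn = xor(autn[:6], f5(self.k, rand))
        amf, mac_a = autn[6:8], autn[8:16]
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac_a):
            raise AkaFailure("MAC failure: challenger does not hold K")
        n = int.from_bytes(sqn, "big")
        if n <= self.sqn_ms:
            raise AkaFailure("synchronisation failure: SQN not fresh")
        self.sqn_ms = n
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def register(home: HomeNetwork, uicc: Uicc, tamper=None):
    """One REGISTER / 401 (RAND, AUTN) / REGISTER (RES) round. `tamper`, if given,
    rewrites (rand, autn) on the wire and stands in for an active attacker."""
    av = home.auth_vector()
    rand, autn = tamper(av.rand, av.autn) if tamper else (av.rand, av.autn)
    try:
        res, ck, ik = uicc.challenge(rand, autn)
    except AkaFailure as e:
        return "ue_rejected_network", str(e)
    if not home.check(av, res):
        return "network_rejected_ue", None
    # CK and IK now seed the IPsec SAs between UE and P-CSCF (slide 15).
    return "authenticated", (ck, ik) == (av.ck, av.ik)
```

The order of checks on the card is the point of the slide's "mutually authenticated": the UICC releases RES, CK and IK only after AUTN has proved that the challenger knows K and that the challenge is fresher than anything it has answered before, so a captured (RAND, AUTN) pair is useless to a replaying attacker and a network without K never gets a response at all.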

Slide 16: NASS Bundled Authentication (NBA)
Figure: UE, NASS (with CLF), P-CSCF, I/S-CSCF and UPSF; NASS authentication first, then SIP signalling.
- No UICC and no IMS credential required: the IMS re-uses the network attachment authentication performed by the NASS (CLF)
- No IPsec: the signalling is transmitted in the clear
- The authentication is one-way: only the NGN authenticates the UE
- User profile held in the UPSF, no credential required

Slide 17: HTTP Digest (HD)
Figure: UE, NASS, P-CSCF, I/S-CSCF and UPSF; NASS authentication first, then SIP signalling.
- No UICC required: user credentials and keys are held in the UE memory
- Explicit authentication
- No IPsec: the signalling is transmitted in the clear
- User profile, credentials and keys held in the UPSF
- NGN and UE are mutually authenticated
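The HTTP Digest option of slide 17, as an added worked example (not from the deck and not 3GPP or TISPAN code). The registrar stands for the S-CSCF with the UPSF profile reduced to a password table; the UE computes the RFC 2617 response for a SIP REGISTER and then checks the registrar's rspauth (Authentication-Info), which is what makes the authentication mutual. Realm, digest-uri, subscriber name and passwords are constructed. The last function shows the price of sending this in the clear: an observer who captures one challenge/response pair can test password guesses offline.

```python
"""HTTP Digest (RFC 2617, qop=auth) for a SIP REGISTER, both directions,
plus the offline-guessing exposure of unprotected signalling."""
import hashlib
import hmac
import secrets

REALM = "home.example.com"             # assumed realm
REGISTER_URI = "sip:home.example.com"  # assumed digest-uri of the REGISTER


def md5hex(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response: KD(H(A1), nonce:nc:cnonce:qop:H(A2)), A2 = method:uri."""
    ha1 = md5hex(user, realm, password)
    ha2 = md5hex(method, uri)
    return md5hex(ha1, nonce, nc, cnonce, qop, ha2)


def digest_rspauth(user, realm, password, uri, nonce, nc, cnonce, qop="auth"):
    """Server's Authentication-Info rspauth: same KD, but A2 has an empty method."""
    ha1 = md5hex(user, realm, password)
    ha2 = md5hex("", uri)
    return md5hex(ha1, nonce, nc, cnonce, qop, ha2)


class Registrar:
    """S-CSCF role; `passwords` stands in for the UPSF profile (constructed data)."""
    def __init__(self, realm, passwords):
        self.realm, self.passwords, self.live_nonces = realm, passwords, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)  # nonces we issued; each is accepted once
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        """rspauth on success; None for an unknown or reused nonce or a bad response."""
        if auth["nonce"] not in self.live_nonces:
            return None
        self.live_nonces.discard(auth["nonce"])
        pwd = self.passwords.get(auth["username"])
        if pwd is None:
            return None
        expected = digest_response(auth["username"], self.realm, pwd, "REGISTER",
                                   auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        return digest_rspauth(auth["username"], self.realm, pwd, auth["uri"],
                              auth["nonce"], auth["nc"], auth["cnonce"])


class UE:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def answer(self, chal, uri):
        cnonce, nc = secrets.token_hex(8), "00000001"
        return {"username": self.username, "realm": chal["realm"], "uri": uri,
                "nonce": chal["nonce"], "nc": nc, "cnonce": cnonce, "qop": "auth",
                "response": digest_response(self.username, chal["realm"], self.password,
                                            "REGISTER", uri, chal["nonce"], nc, cnonce)}

    def network_authentic(self, auth, rspauth):
        """The UE authenticates the network by recomputing rspauth with its password."""
        expected = digest_rspauth(self.username, auth["realm"], self.password, auth["uri"],
                                  auth["nonce"], auth["nc"], auth["cnonce"])
        return hmac.compare_digest(expected, rspauth)


def register(ue, registrar, uri=REGISTER_URI):
    """REGISTER / 401 / REGISTER / 200 round. Returns (outcome, wire), where `wire`
    is the Authorization header an observer on the unprotected path sees."""
    chal = registrar.challenge()
    auth = ue.answer(chal, uri)
    rspauth = registrar.verify(auth)
    if rspauth is None:
        return "network_rejected_ue", auth
    if not ue.network_authentic(auth, rspauth):
        return "ue_rejected_network", auth
    return "mutually_authenticated", auth


def offline_guess(wire, candidates):
    """With no IPsec or TLS, nonce, cnonce and response are all visible, so each
    password guess can be checked offline against the captured exchange."""
    for pwd in candidates:
        guess = digest_response(wire["username"], wire["realm"], pwd, "REGISTER",
                                wire["uri"], wire["nonce"], wire["nc"], wire["cnonce"])
        if guess == wire["response"]:
            return pwd
    return None


def demo():
    reg = Registrar(REALM, {"alice": "summer2007"})  # constructed subscriber
    outcome, wire = register(UE("alice", "summer2007"), reg)
    rejected, _ = register(UE("alice", "wrong"), reg)
    return outcome, rejected, offline_guess(wire, ["letmein", "summer2007", "password"])
```

Two things to check in any real deployment of this option: that the registrar only accepts nonces it issued, and only once (the `live_nonces` set above), and that the UE actually verifies rspauth rather than treating any 200 OK as proof of the network. Neither check helps against the offline guessing shown in `offline_guess`; only protecting the signalling path (TLS, or the IPsec of the IMS-AKA option) removes that exposure.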

Slide 18: Application security (optional)
Figure: UE (with UICC), Application Server (AS), Bootstrapping Server Function (BSF) and UPSF. Options shown: HTTP Digest over TLS; GBA-U mode (Generic Bootstrapping Architecture with UICC-based keys, bootstrapped via the BSF).

Slide 19: ETSI TISPAN NGN security standards

Slide 20: ETSI TISPAN security specifications
- Main Technical Specifications:
  - NGN security requirements (TS 187 001)
  - NGN security architecture (TS 187 003)
  - NGN Lawful Interception functional entities, information flow and reference points (TS 187 005)
- Main Technical Reports (feasibility studies):
  - NGN Threat, Vulnerability and Risk Analysis (TVRA) (TR 187 002)
  - NAT traversal (TR 187 008)
  - Media security (TR 187 007)
  - Impact of unsolicited communication in the NGN (WI 07 025)
  - Identity management (WI 07 027)
  - Data retention (WI 07 032)
- All TISPAN activities related to the core IMS have been delegated to 3GPP.

Slide 21: Conclusions

Slide 22: Conclusions
- The NGN is divided into security domains; each domain is considered a trusted environment.
- Core (intra-domain) security is mainly the responsibility of the operator.
- Inter-domain security is provided by the SEGF.
- Access authentication is performed both at the service layer (e.g. IMS) and at network attachment (NASS).
- IMS-AKA (as defined by 3GPP, plus NAT support) is the preferred solution for IMS authentication:
  - identity and keys stored on a smart card (UICC);
  - mutual authentication between network and UE (AKA);
  - IPsec for the protection of the signalling only (media is not protected).
- Other authentication mechanisms (NBA, HD) have been defined for early deployment scenarios (short-term solutions).

