
SOURCE: ITU-T
TITLE: Telecommunication Security

Telecommunication Security
Herbert Bertine
Chairman, ITU-T Study Group 17

Standards - Cooperation - Awareness

ITU-T Study Groups

SG 2* Operational aspects of service provision, networks and performance
SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
SG 4* Telecommunication management
SG 5 Protection against electromagnetic environment effects
SG 6 Outside plant and related indoor installations
SG 9 Integrated broadband cable networks and television and sound transmission
SG 11* Signalling requirements and protocols
SG 12 Performance and quality of service
SG 13* Next generation networks
SG 15 Optical and other transport network infrastructures
SG 16* Multimedia terminals, systems and applications
SG 17** Security, languages and telecommunication software
SG 19 Mobile telecommunication networks

* Significant security work
** Lead Study Group on Security

ITU-T Security Building Blocks

Security Architecture Framework (X.800-series)
Network Management Security (M.3000-series)
Security Techniques (X.841,2,3)
Protocols (X.273,4)
Telecommunication Security (X.805, X.1000-series) - New
Systems Management (X.733,5,6, X.740,1)
Facsimile (T-series)
Directory Services and Authentication (X.500-series)
Security in Frame Relay (X.272)
NGN Security (Y.2700-series) - New
Message Handling Systems (MHS) (X.400-series)
Televisions and Cable Systems (J-series)
Multimedia Communications (H-series)

Study Group 17: Security, languages and telecommunication software

SG 17 is the Lead Study Group on telecommunication security. It is responsible for coordination of security across all study groups.

Subdivided into three Working Parties (WPs):
WP1 - Open systems technologies;
WP2 - Telecommunications security; and
WP3 - Languages and telecommunications software

Most (but not all) security Questions are in WP2.

Summaries of all draft new or revised Recommendations under development in SG 17 are available on the SG 17 web page at http://www.itu.int/itu-t/studygroups/com17

Working Party 2/17 Work Program

[Figure: the WP2/17 security Questions arranged around telecom systems and their users.]

Q.4/17 Communications System Security Project
* Vision, Project, Roadmap
Q.5/17 Security Architecture and Framework
* Architecture, Model, Concepts, Frameworks
Q.6/17 Cyber Security
* Vulnerability information sharing
* Incident handling operations
* Identity management
Q.7/17 Security Management
* ISMS-T
* Incident management
* Risk assessment methodology
Q.8/17 Telebiometrics
* Multimodal model framework
* System mechanism
* Protection procedure
Q.9/17 Secure Communication Services
* Secure mobile communications
* Home network security
* Web services security
Q.17/17 Countering spam by technical means
* Technical anti-spam measures

Examples of recently approved security Recommendations

M.3016.0, 1, 2, 3, 4 - Security for the management plane: Overview, Security requirements, Security services, Security mechanism, Profile proforma
X.509 - Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
X.805 - Security architecture for systems providing end-to-end communications
X.893 - Information technology - Generic applications of ASN.1: Fast infoset security
X.1035 - Password-authenticated key exchange (PAK) protocol
X.1051 - Information security management system - Requirements for telecommunications (ISMS-T)
X.1081 - The telebiometric multimodal model - A framework for the specification of security and safety aspects of telebiometrics
X.1111 - Framework for security technologies for home network
X.1121 - Framework of security technologies for mobile end-to-end communications
X.1122 - Guideline for implementing secure mobile systems based on PKI
X.1141 - Security Assertion Markup Language (SAML 2.0)
X.1142 - eXtensible Access Control Markup Language (XACML 2.0)
Y.2701 - Security requirements for NGN release 1

Extract from current SG 17 security work program (~50 items total)

Acronym - Title or Subject
X.akm - Framework for EAP-based authentication and key management
X.1205 - Overview of cybersecurity
X.idmf - Identity management framework
X.gopw - Guideline on preventing worm spreading in a data communication network
X.1051 (Revised) - Information security management guidelines for telecommunications based on ISO/IEC 27002
X.rmg - Risk management guidelines for telecommunications
X.bip - BioAPI interworking protocol
X.tai - Telebiometrics authentication infrastructure
X.homesec-2, 3, 4 - Certificate profile for the device in the home network, User authentication mechanisms for home network service, Authorization framework for home network
X.msec-3 - General security value added service (policy) for mobile data communication
X.p2p-1 - Requirements of security for peer-to-peer and peer-to-multi peer communications
X.websec-3 - Security architecture for message security in mobile web services
X.csreq (Q.17/17) - Requirement on countering spam
X.fcsip (Q.17/17) - Framework of countering IP multimedia spam

Study Group 13 - Question 15/13
NGN Security: work in progress

Y.IdMsec - NGN identity management security
Y.NGN AAA - AAA application for implementation of network and service security requirements over NGN
Y.NGN Authentication - NGN Authentication
Y.NGN Certificate Management - NGN certificate management
Y.SecMechanisms - NGN Security mechanisms and procedures
Y.SecReqR2 - Security requirements for NGN release 2

Security standardization
Collaboration is key

Specific Systems, Services, Applications Security in ITU-T are developed by SG 2, 3, 4, 5, 6, 9, 11, 13, 15, 16, 19.
Core Technology and Common Security Techniques in ITU-T are developed by SG 17.
Collaborating bodies outside ITU-T: JTC 1 SC 27, 37...; IETF; ATIS, ETSI, OASIS, etc.

Security standardization
Collaboration is key

World Standards Cooperation (WSC): ISO, IEC, ITU
Global Standards Collaboration (GSC): Regional and National SDOs and ITU-T, ITU-R
* exchange information between participating standards organizations to facilitate collaboration and to support the ITU as the preeminent global telecommunication and radiocommunication standards development organization
* Resolution GSC-11/17 Cybersecurity

Security Standardization Exchange Network (SSEN)

An informal association of individual security practitioners with direct experience of, or strong interest in, security standardization.
Facilitates the informal exchange of information on security-standards-related matters to increase overall awareness of issues of common interest, with the intention of helping to advance the development of needed standards and minimizing overlap and duplication of effort in security standards development.

Security standardization
Collaboration is key

ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)

Terms of Reference:
* To oversee standardization activities in ISO, IEC and ITU-T relevant to the field of security
* To provide advice and guidance to the ISO Technical Management Board, the IEC Standardization Management Board and the ITU-T Telecommunication Standardization Advisory Group (TSAG) relative to the coordination of work relevant to security, and in particular to identify areas where new standardization initiatives may be warranted
* To monitor implementation of the SAG-S Recommendations

International workshop on security topics planned in conjunction with each SAG-S meeting: International Workshop on Transit Security, Washington DC, 4-5 October 2007

Security portal under development

Focus Group: Security Baseline for Network Operators (FG SBNO)
http://www.itu.int/ITU-T/studygroups/com17/sbno/index.html

Established October 2005 by SG 17

Objectives:
* Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied
* Describe a network operator's readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats
* Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required

Achieved:
Surveyed network operators by means of a questionnaire

Next step:
Develop text to be proposed to SG 17 for progressing as an ITU-T publication

Focus Group: Identity Management (FG IdM)
http://www.itu.int/ITU-T/studygroups/com17/fgidm/index.html

Established December 2006 by SG 17

The objectives of the FG IdM are:
* to perform requirements analysis based on use case scenarios, in order
* to identify generic IdM framework components, so that
* a standards gap analysis can be completed, in order
* to identify new standards work and the bodies (ITU and other SDOs) that should perform the work

Working Group structure:
* Ecosystem and Lexicon Working Group
* Use Cases Working Group
* Requirements Working Group
* Framework Working Group

Aggressive schedule:
Meetings held: February, April and May 2007; WG meeting June
Meetings planned: July and August 2007

ICT Security Standards Roadmap
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

Part 1 contains information about organizations working on ICT security standards
Part 2 is the database of existing security standards
Part 3 is a list of standards in development
Part 4 identifies future needs and proposed new standards
Part 5 includes security best practices

European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) are collaborating with ITU-T in the development of the Roadmap.

ICT Security Standards Roadmap
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

Part 2 currently includes ICT security standards from: ITU-T, ISO/IEC JTC 1, IETF, IEEE, ATIS, ETSI, OASIS

Data is available in a database format to allow searching by organization and topic and to allow organizations to manage their own data.
We invite you to contribute content to the Roadmap, provide feedback and help us develop it to meet your needs.

Other projects
Security in Telecommunications and Information
Technology (ITU-T Security manual)
Overview of existing ITU-T Recommendations for secure
telecommunications
Third edition of June 2006 to be available in the six official
languages of the ITU
http://www.itu.int/ITU-T/publications/index.html

Security compendium
Catalogue of approved ITU-T Recommendations related to
telecommunication security
Extract of ITU-T approved security definitions
Summary of ITU-T Study Groups with security-related
activities
http://www.itu.int/ITU-T/studygroups/com17/tel-security.html

The ITU Global Cybersecurity Gateway
LIVE at: http://www.itu.int/cybersecurity

Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide.

Observations
* Security is everybody's business
* Collaboration with other SDOs is necessary
* Security needs to be designed in upfront
* Security must be an ongoing effort
* Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key, so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be

Some useful web resources

ITU-T Home page: http://www.itu.int/ITU-T
Study Group 17: http://www.itu.int/ITU-T/studygroups/com17
e-mail: tsbsg17@itu.int
Recommendations: http://www.itu.int/ITU-T/publications/recs.html
ITU-T Workshops: http://www.itu.int/ITU-T/worksem
ITU-T Lighthouse: http://www.itu.int/ITU-T/lighthouse

Supplemental Information on Security Work in ITU-T

Study Group 17 - Security, languages and telecommunication software
Study Group 4 - Telecommunication management
Study Group 11 - Signalling requirements and protocols
Study Group 13 - Next generation networks
Study Group 16 - Multimedia terminals, systems and applications

ITU-T SG 17 work on security

Q.4/17 - Communications systems security project
Q.5/17 - Security architecture and framework
Q.6/17 - Cyber security
Q.7/17 - Security management
Q.8/17 - Telebiometrics
Q.9/17 - Secure communication services
Q.17/17 - Countering spam by technical means

ITU-T SG 17 Question 4
Communications Systems Security Project

Overall Security Coordination
ICT Security Standards Roadmap
Security Compendium
Focus Group on Security Baseline For Network Operators
ITU-T Security manual

Efforts of Q.4/17 are covered in the main part of the presentation.

ITU-T SG 17 Question 5
Security Architecture and Framework
Brief description of Q.5
Milestones
Draft Recommendations under development

Brief description of Q.5/17

Motivation
The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in a multi-vendor environment, network security should be designed around the standard security architectures and standard security technologies.

Major tasks
Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups.
Maintenance and enhancements of Recommendations in the X.800 series:
X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816, X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843

Q.5/17 Milestones

ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-end Communications
Approved in 2003

ISO/IEC Standard 18028-2, Network security architecture
Developed in collaboration between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG 1. It is technically aligned with X.805.
Published in 2006

ITU-T Recommendation X.1035, Password-authenticated key exchange (PAK) protocol
Specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange.
Approved in 2006
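The exchange X.1035 describes (both parties authenticate each other with a shared password while agreeing a Diffie-Hellman key), as an added example that is not part of this presentation or of the X.1035 text: it follows the three-message structure of PAK as published in RFC 5683 (which is derived from X.1035), with tagged SHA-256 hashes standing in for the spec's H1..H5 and a freshly generated 64-bit safe prime as a demo group. Both are assumptions made for the example; a deployment uses the hash constructions the Recommendation specifies and a standardized group of at least 2048 bits.

```python
import hashlib
import hmac
import secrets

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, used only to pick the demo group parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits: int = 64) -> int:
    """Return p = 2q + 1 with p and q prime. 64 bits is a demo size only;
    a deployment uses a standardized group of 2048 bits or more."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1

P = make_safe_prime()  # assumed demo modulus, regenerated on every run
G = 4                  # quadratic residue: generates the prime-order subgroup

def _h(tag: bytes, *parts: bytes) -> bytes:
    """Tagged, length-prefixed SHA-256 standing in for the spec's H1..H5."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def _mask(tag: bytes, a: bytes, b: bytes, pw: bytes) -> int:
    """H1/H2 role: password-derived nonzero element that blinds g^R."""
    return int.from_bytes(_h(tag, a, b, pw), "big") % (P - 1) + 1

def _conf(tag: bytes, a: bytes, b: bytes, pw: bytes, *elems: int) -> bytes:
    """H3/H4/H5 role: confirmation values and key bound to the transcript
    (identities, password and the three DH values g^Ra, g^Rb, g^RaRb)."""
    width = (P.bit_length() + 7) // 8
    return _h(tag, a, b, pw, *(e.to_bytes(width, "big") for e in elems))

class Initiator:  # party A: sends X, verifies S1, sends S2
    def __init__(self, a: bytes, b: bytes, pw: bytes):
        self.a, self.b, self.pw, self.key = a, b, pw, None

    def msg1(self) -> int:
        self.ra = secrets.randbelow(P - 2) + 1
        self.g_ra = pow(G, self.ra, P)
        return (_mask(b"H1", self.a, self.b, self.pw) * self.g_ra) % P

    def msg3(self, y: int, s1: bytes) -> bytes:
        if y == 0:
            raise ValueError("Y must be nonzero")
        g_rb = (y * pow(_mask(b"H2", self.a, self.b, self.pw), -1, P)) % P
        args = (self.a, self.b, self.pw, self.g_ra, g_rb, pow(g_rb, self.ra, P))
        if not hmac.compare_digest(s1, _conf(b"H3", *args)):
            raise ValueError("responder did not prove knowledge of the password")
        self.key = _conf(b"H5", *args)
        return _conf(b"H4", *args)

class Responder:  # party B: receives X, sends Y and S1, verifies S2
    def __init__(self, a: bytes, b: bytes, pw: bytes):
        self.a, self.b, self.pw, self.key = a, b, pw, None

    def msg2(self, x: int) -> tuple:
        if x == 0:
            raise ValueError("X must be nonzero")
        g_ra = (x * pow(_mask(b"H1", self.a, self.b, self.pw), -1, P)) % P
        rb = secrets.randbelow(P - 2) + 1
        g_rb = pow(G, rb, P)
        self.args = (self.a, self.b, self.pw, g_ra, g_rb, pow(g_ra, rb, P))
        y = (_mask(b"H2", self.a, self.b, self.pw) * g_rb) % P
        return y, _conf(b"H3", *self.args)

    def finish(self, s2: bytes) -> None:
        if not hmac.compare_digest(s2, _conf(b"H4", *self.args)):
            raise ValueError("initiator did not prove knowledge of the password")
        self.key = _conf(b"H5", *self.args)

def run_exchange(pw_a: bytes, pw_b: bytes) -> bool:
    """Run the three-message exchange; True iff both sides end with the same key."""
    a = Initiator(b"alice", b"bob", pw_a)  # constructed identities
    b = Responder(b"alice", b"bob", pw_b)
    try:
        y, s1 = b.msg2(a.msg1())
        b.finish(a.msg3(y, s1))
    except ValueError:
        return False
    return a.key is not None and a.key == b.key
```

A mismatched password makes the blinding factors differ, so the confirmation value S1 fails on the initiator's side and no key is ever exported; this is the mutual-authentication property the slide describes.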

ITU-T Recommendation X.805 (Figure X.805_F3)

[Figure: the X.805 security architecture. Three security layers (Infrastructure security, Services security, Applications security) and three security planes (End-user plane, Control plane, Management plane) are each protected by eight security dimensions: Access control, Authentication, Non-repudiation, Data confidentiality, Communication security, Data integrity, Availability, Privacy. The dimensions address the vulnerabilities that attacks exploit; the figure groups the threats as Destruction, Corruption, Removal, Disclosure and Interruption.]

X.805 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern, independently of the network's underlying technology.

Q.5/17 Draft Recommendations 1/2

Applications and further development of major concepts of ITU-T Recommendation X.805

X.805+, Division of the security features between the network and the users
Specifies the division of security features between the networks and users. It provides guidance on applying concepts of the X.805 architecture to securing service providers' and application providers' networks and the end users' equipment.

X.805nsa, Network security assessment/guidelines based on ITU-T Recommendation X.805
Provides a framework for network security assessment/guidelines based on ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications.
Q.5/17 Draft Recommendations 2/2

Standardization in support of the Authentication Security Dimension (defined in X.805)

X.akm, Framework for authentication and key management for link layer security of NGN
Establishes a framework for authentication and key management for securing the link layer. It also provides guidance on selection of the EAP methods.

Standardization of network security policies

X.spn, Framework for creation, storage, distribution, and enforcement of security policies for networks
Establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices.

ITU-T SG 17 Question 6
Cyber Security

Motivation
Objectives
Scope
Current area of focus
Draft Recommendations under development

Q.6/17 Motivation
* Network connectivity and ubiquitous access is central to today's IT systems
* Widespread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability
* Threats such as denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise
* Network protocols in use today were developed in an environment of trust
* Most new investment and development is dedicated to building new functionality and not to securing that functionality
* An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow

Q.6/17 Objectives
* Perform actions in accordance with Lead Study Group (LSG) responsibility with the focus on Cybersecurity
* Identify and develop standards required for addressing the challenges in Cybersecurity, within the scope of Q.6/17
* Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency
* Maintain and update existing Recommendations within the scope of Q.6/17 (this includes E.409)
* Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 (e.g., SC 6, SC 27 and SC 37), and consortia as appropriate
* Provide awareness on new security technologies related to Cybersecurity
* Provide an Identity Management Framework that defines the problem space, representative use case scenarios and requirements. This includes leveraging other on-going Identity Management activities
* Collaborate with Next Generation Networks activities in ITU-T in the areas of Cybersecurity and Identity Management

Q.6/17 Scope
* Definition of Cybersecurity
* Security of Telecommunications Network Infrastructure
* Security Knowledge and Awareness of Telecom Personnel and Users
* Security Requirements for Design of New Communications Protocol and Systems
* Communications relating to Cybersecurity
* Security Processes - Life-cycle Processes relating to Incident and Vulnerability
* Security of Identity in Telecommunication Network
* Legal/Policy Considerations

Q.6/17 Current Area of Focus 1/2
* Work with SG 2 on the definition and requirements of Cybersecurity
* Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve better understanding of various aspects of network security
* Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL and other standardization bodies on Cybersecurity
* Work with OASIS on adopting the OASIS Common Alerting Protocol V1.1 as an ITU-T Recommendation
* Work on a framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations
* Work on a Recommendation for standardization of vulnerability data definition
* Work on a network security management framework to address how telecommunications operators operate uniformly various kinds of security functions
* Study new Cybersecurity issues (e.g., how should ISPs deal with botnets), evaluating the output of appropriate bodies when available

Q.6/17 Current Area of Focus 2/2
* Work on Recommendations on Identity Management (IdM) addressing the following areas:
  * An umbrella Recommendation that determines IdM security requirements from the ITU-T perspective
  * An umbrella Recommendation that defines a framework and architecture(s) for IdM after identifying the IdM security mechanisms that need to be addressed
  * An umbrella Recommendation that assesses security threats and vulnerabilities associated with IdM
* Collaborate with Q.15/13 on NGN IdM issues
* Develop guidelines on the protection of personal information and privacy
* Call for contributions for the outstanding questions identified in the revised scope
* Promote the wide adoption of IdM through the IdM Focus Group that considers the challenges and issues associated with IdM across various SDOs and consortia

Q.6/17 Draft Recommendations 1/5

1. Overview of Cybersecurity (X.1205, formerly X.cso)
Provides a definition for Cybersecurity and a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers. Various Cybersecurity technologies that are available to remedy the threats include: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing, audit and monitoring. Network protection principles such as defence in depth and access and identity management, with application to Cybersecurity, are discussed. Risk Management strategies and techniques are discussed, including the value of training and education in protecting the network. A discussion of Cybersecurity Standards, Cybersecurity implementation issues and certification is presented.

2. A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update (X.vds)
Provides a framework of automatic notification on vulnerability information. The key point of the framework is that it is a vendor-neutral framework. Once users register their software, updates on the vulnerabilities and patches of the registered software will automatically be made available to the users. Upon notification, users can then apply them.

Q.6/17 Draft Recommendations 2/5

3. Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X.sds)
Provides guidelines for Internet Service Providers (ISPs) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users' consents and controls, for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software.

4. Identity Management Framework (X.idmf)
Develops an Identity Management Framework that leverages the use case scenarios as they apply to Telecommunications and includes non-Telecom applications (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services). The framework enables service providers to provide entities with reliable, trusted and secure IdM services over distributed networks, through the appropriate use of authorization, authentication, access control mechanisms, and policy management mechanisms.

Q.6/17 Draft Recommendations 3/5

5. Identity Management Requirements (X.idmr)
Develops use case scenarios and requirements for the Identity Management Framework Recommendation (X.idmf). The developed use cases cover Telecommunications and non-Telecom scenarios (i.e., the orchestration of business processes that include supply chain management, client resource management, enterprise resource management, location, presence, and other services).

6. Identity Management Security (X.idms)
Performs security analysis on the Identity Management Framework as developed in X.idmf. The Recommendation develops guidelines and a best practice approach for ensuring that security is maintained when the Identity Management Framework is used as the vehicle for providing Telecommunications and non-Telecom IdM solutions.

Q.6/17 Draft Recommendations 4/5

7. Common Alerting Protocol (CAP v1.1), (X.1303, formerly X.cap)
Specifies the common alerting protocol (CAP), which is a simple but general format for exchanging all-hazard emergency alerts and public warnings over all kinds of networks. CAP allows a consistent warning message to be disseminated simultaneously over many different warning systems, thus increasing warning effectiveness while simplifying the warning task. CAP also facilitates the detection of emerging patterns in local warnings of various kinds, such as might indicate an undetected hazard or hostile act. And CAP provides a template for effective warning messages based on best practices identified in academic research and real-world experience.
This Recommendation is technically equivalent and compatible with the OASIS Common Alerting Protocol, v.1.1 standard.

8. ASN.1 specification for the Common Alerting Protocol (CAP v1.1), (X.1303.1, formerly X.cap2)
The common alerting protocol (CAP) is specified in ITU-T Rec. X.1303, which is technically equivalent and compatible with the OASIS Common Alerting Protocol, V1.1 standard. This Recommendation provides an equivalent ASN.1 specification that permits a compact binary encoding and the use of ASN.1 as well as XSD tools for the generation and processing of CAP messages. This Recommendation enables existing systems, such as H.323 systems, to more readily encode, transport and decode CAP messages.

Q.6/17 Draft Recommendations 5/5

9. Privacy guideline for RFID (X.rfpg)
Recognizes that, as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation develops guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect the privacy rights of the general public within national policies.

10. Network Security Management Framework (X.nsmf)
Defines the framework for security management to address how telecom operators can uniformly operate various kinds of security functions.

11. Guideline on preventing worm spreading in a data communication network (X.gopw)
Describes worm spreading patterns and scenarios in a data communication network. In addition, it specifies countermeasures to prevent worm spreading. This Recommendation can be used as a guideline by network designers, network operators, and end users for preventing worm spreading.

ITU-T SG 17 Question 7
Security Management
Tasks
Plan on Recommendations
Revised Recommendation X.1051

Q.7/17 Tasks

Information Security Management Guidelines for telecommunications
(Existing X.1051, Information security management system - Requirements for telecommunications (ISMS-T))
Maintain and revise Recommendation X.1051, Information Security Management Guidelines for telecommunications based on ISO/IEC 27002.
Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27 (ISO/IEC 27031 = Recommendation X.1051).

Risk Management Methodology
Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051.
Produce and consent a new ITU-T Recommendation for risk management methodology.

Incident Management
Study and develop a handling and response procedure on security incidents for telecommunications in line with Recommendation X.1051.
Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.

Q.7/17 plan on Recommendations

X.1050: To be proposed
X.1051: In revision process - Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002
X.1052: To be proposed
X.1053: To be proposed (Implementation Guide for Telecommunications)
X.1054: To be proposed (Measurements and metrics for Telecommunications)
X.1055: In the first stage of development - Risk Management Guidelines for Telecommunications
X.1056: In the first stage of development - Security Incident Management Guidelines for Telecommunications
X.1057: To be proposed (Identity Management for Telecommunications)

Information security management guidelines for Telecommunications (Revised X.1051)

[Figure: approach to develop the revised Recommendation X.1051. The figure aligns three columns: ISO/IEC 17799 (2005) (control, implementation guidance, other information), the revised X.1051 (control, implementation guidance for telecom, other information) and the existing X.1051 (2004) (control, implementation requirements for telecom), together with the ISMS process and the information assets for telecom.]

Control areas of the revised X.1051:
Security policy
Organising information security
Asset management
Human resources security
Physical & environmental security
Communications & operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance

ITU-T SG 17 Question 8
Telebiometrics
Objectives
Study areas on biometric processes
Recommendations

Q.8/17 Objectives

1) To define a telebiometric multimodal model framework
2) To specify a biometric authentication mechanism in an open network
3) To provide protection procedures and countermeasures for telebiometric systems

Q.8/17 Study areas on Biometric Processes

[Figure: a biometric processing chain with network (NW) links between its stages: Biometric sensors, Acquisition (capturing), Extraction, Matching, Score, Decision (Yes/No), Application, with a Storage component; the work items below are placed against the stages they cover.]

X.1081, X.Physiol, Safety conformity
X.tai: Telebiometrics Authentication Infrastructure
X.bip: BioAPI Interworking Protocol
X.tsm: Telebiometrics System Mechanism
X.tpp: Telebiometrics Protection Procedure

Q.8/17 Recommendations 1/3

1) X.1081, The telebiometric multimodal model framework - A framework for the specification of security and safety aspects of telebiometrics
Defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects).

2) X.physiol, Telebiometrics related to human physiology
Gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by telebiometric devices in its environment.

3) X.tsm-1, General biometric authentication protocol and profile on telecommunication system
Defines communication mechanisms and protocols for biometric authentication between unspecified end users and service providers on an open network.

Q.8/17 Recommendations 2/3

4) X.tsm-2, Profile of telecommunication device for Telebiometrics System Mechanism (TSM)
Defines the requirements and security profiles of client terminals for biometric authentication over the open network.

5) X.tai, Telebiometrics authentication infrastructure
Specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation.

6) X.bip, BioAPI interworking protocol
Common text of ITU-T and ISO/IEC JTC 1/SC 37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable BioAPI-conforming applications in telebiometric systems.

Q.8/17 Recommendations 3/3

7) X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security
Defines weaknesses and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives.

8) X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data
Defines threat characteristics of multi-modal biometric systems, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data.

ITU-T SG 17 Question 9
Secure Communication Services

Focus
Position of each topic
Mobile security
Home network security
Web services security
Secure applications services

Q.9/17 Focus
Develop a set of standards of secure application
services, including
Mobile security - Under study
Home network security - Under study
Web services security - Under study
Secure application services - Under study
Privacy protection for RFID - Under study
Multicast security - Under study
Multimedia content protection - To be studied

Position of each topic
[Figure: positions of the Q.9/17 topics in the network. Network elements shown:
mobile terminal, mobile network, open network, home network and application
server. Topics placed on the figure: mobile security, home network security,
web services security, privacy protection for RFID, secure application services
and multicast security.]

Q.9/17 - Mobile Security
X.1121, Framework of security technologies for mobile end-to-end
data communications
Approved 2004

X.1122, Guideline for implementing secure mobile systems based
on PKI
Approved 2004

X.msec-3, General security value added service (policy) for
mobile data communication
Develops a general security service as a value added service for secure
mobile end-to-end data communication

X.msec-4, Authentication architecture in mobile end-to-end data
communication
Constructs a generic authentication architecture for mobile data
communication between mobile users and application servers

X.crs, Correlative reacting system in mobile network
Develops the generic architecture of a correlative reacting system to
protect the mobile terminal against viruses, worms, Trojan horses or other
network attacks on both the mobile network and its mobile users

Q.9/17 - Home network security
X.1111, Framework for security technologies for home network
Defines security threats and security requirements, security functions,
security function requirements for each entity in the network, and the possible
implementation layer
Approved 2007

X.homesec-2, Certificate profile for the device in the home
network
Device certificate profile for the home network
Develops a framework for home network device certificates.

X.homesec-3, User authentication mechanisms for home
network service
Provides the user authentication mechanism in the home network, which
enables various authentication means such as passwords, certificates,
biometrics and so on.

Q.9/17 - Web Services security
X.1141, Security Assertion Markup Language (SAML)
Adoption of OASIS SAML v2.0 into ITU-T Recommendation X.1141
Defines an XML-based framework for exchanging security information
The security information is expressed in the form of assertions about
subjects, where a subject is an entity (either human or computer) that
has an identity in some security domain
Approved 2006

X.1142, eXtensible Access Control Markup Language
(XACML)
Adoption of OASIS XACML v2.0 into ITU-T Recommendation X.1142
Provides an XML vocabulary for expressing access control policies, the
syntax of the language and the rules for evaluating policies
Approved 2006

X.websec-3, Security architecture for message security in
mobile Web Services
Develops a guideline on message security architecture and service
scenarios for securing messages for mobile Web Services

Q.9/17 - Secure applications services
X.sap-1, Guideline on strong password authentication protocols
Guideline on secure password-based authentication protocols with key
exchange
Defines a set of requirements for password-based protocols with key
exchange and a selection guideline by setting up criteria that can be used in
choosing an optimum authentication protocol for each application.

X.sap-2, Secure communication using TTP service
Secure end-to-end data communication techniques using TTP services
Specifies secure end-to-end data communication techniques using TTP
services that are services defined in X.842 or other services

X.p2p-1, Anonymous authentication architecture in community
communication
Requirements of security for peer-to-peer and peer-to-multi-peer
communications
Investigates threat analysis for P2P and P2MP communication services and
describes security requirements for secure P2P and P2MP communication
services

X.p2p-2, Security architecture and protocols for peer to peer
network
Describes the security techniques and protocols in the P2P environment

Q.9/17 - m-RFID security and
Multicast security
X.rfidsec-1, Privacy protection framework for networked RFID
services
New work item 2006
Privacy infringements in the networked RFID service environment
Requirements for privacy protection and privacy protection services
based on a user privacy policy profile

X.mcastsec-1, Security framework and requirement in the
multicast environment
New work item 2007
Requirements of security for multicast communications
Investigates threat analysis for multicast communications services and
describes security requirements for multicast communications services

ITU-T SG 17 Question 17
Countering Spam by Technical
Means
Objectives
Recommendations

Q.17/17 Objectives
The aim of this Question is to develop a set of
Recommendations on countering spam by
technical means for ITU-T, taking into account
the need for collaboration with other ITU-T Study
Groups and cooperation with other SDOs. The
Question focuses particularly on technical
requirements, frameworks and new technologies
for countering spam. Guidelines on countering
spam by technical means are also studied.

Q.17/17 Set of Recommendations
[Figure: the set of Q.17/17 Recommendations, grouped into Framework
Recommendations and Technology Recommendations, with input from
other SDOs; each item is marked with its status.]
Requirement on countering spam (X.csreq) - Draft
Technical framework for countering email spam (X.fcs) - Draft
Technical means for countering spam (X.tcs) - TBD
Technical means for countering IP multimedia spam (X.tcs) - TBD
Guideline on countering email spam (X.gcs) - Draft
Overview of countering spam for IP multimedia application (X.ocsip) - Draft
IP multimedia application area - TBD

Q.17/17 Brief Summaries of draft
Recommendations 1/3
X.gcs, Guideline on countering email spam
Specifies technical issues on countering e-mail spam. It provides the current
technical solutions and related activities from various SDOs and relevant
organizations on countering e-mail spam. The purpose of the
Recommendation is to provide useful information to users who want to
find technical solutions on countering e-mail spam, and it will be used as a
basis for further development of technical Recommendations on countering
e-mail spam.

X.ocsip, Overview of countering spam for IP multimedia
applications
Specifies basic concepts, characteristics, and effects of spam in IP
multimedia applications such as IP telephony, video on demand, IPTV,
instant messaging, multimedia conferencing, etc. It will provide technical
issues, requirements for technical solutions, and various activities on
countering spam for IP multimedia applications. It will provide a basis and
guideline for developing further technical solutions on countering spam.

Q.17/17 Brief Summaries of draft
Recommendations 2/3
X.csreq, Requirement on countering spam
Requirements on countering spam are clarified in this Recommendation.
There are many types of spam, such as email spam, mobile messaging
spam and IP multimedia spam. Various types of spam may have both
common and specific requirements on countering them. For one type of spam,
the requirements on different entities should also be clarified.

X.fcs, Technical framework for countering email spam
Specifies the technical framework of the network structure for countering spam.
Functions inside the framework are defined. It also provides universal rules
for distinguishing spam from other emails and the common methods of
countering email spam.

X.tcs, Technical means for countering spam
Communication networks are evolving, more services are emerging, and
the capability of spammers is growing. Moreover, no single technical means
currently has perfect performance in countering spam. It may be
necessary to propose new technical countermeasures.

Q.17/17 Brief Summaries of draft
Recommendations 3/3
X.fcsip, Framework of countering IP multimedia spam
Specifies the general architecture of a countering spam system for IP multimedia
applications such as IP telephony, instant messaging, multimedia
conferencing, etc. It will provide the functional blocks of the network
entities necessary to counter spam and their functionalities, and describe interfaces
among the entities. To build secure sessions against spam attacks, user
terminals and edge service entities such as proxy servers or application
servers will be extended to have spam control functions. Shown are
interfaces between these extended peer entities, and interfaces with other
network entities which can be involved in countering spam.

X.tcs-1, Interactive countering spam gateway system
Specifies an interactive countering spam gateway system as a technical means
for countering various types of spam. The gateway system enables spam
notification from the receiver's gateway to the sender's gateway, and prevents spam
traffic from going across the network. This specification defines the architecture
of the countering spam gateway system, describes basic entities, protocols
and functions, and provides mechanisms for spam detection, countering spam
information sharing, and countering spam actions of the gateway systems.

ITU-T SG 4 work on security

SG 4: Security Management
Systems
To complement the M.3016 series on Security of the
Management Plane, which is focused on interfaces, SG 4
has initiated new work on Security Management Systems
(SMS). It is viewed as a key addition to support NGN
Management.
Based on equivalent work in ATIS TMOC, M.sec-mgmt-sys
is expected to
Draw on security concepts from X.800 and X.805
Describe the logical SMS architecture to be realized in one or
more physical systems
Describe the managed network elements supported by SMS
Specify the SMS functional requirements

As with the M.3016 series, a proforma will be provided as a
template for other SDOs and forums to indicate for their
membership what parts of M.sec-mgmt-sys are mandatory
or optional

ITU-T SG 11 work on security

SG 11: Security signaling protocol
draft Recommendation in progress
Draft Recommendation Q.3201 (formerly Q.NGN-nacf-sec),
EAP-based security signaling protocol architecture for network
attachment
Describes the security signalling requirements and protocol
architecture for supporting the access security aspect of network
attachment in the NGN environment. Basic threats and security
requirements for the attachment of NGN access networks are
analyzed, and a model of an EAP-based security signalling
protocol architecture accommodating heterogeneous multi-links
in the NGN access environment is presented. Based on it, three
feasible scenarios for authentication signalling in the NGN network
attachment control function are developed.

ITU-T SG 13 work on security
Q.15/13
All SG 13 Recommendations have a section on
security

Q.15/13 NGN Security
Y.2701, Security requirements for NGN release 1
Y.NGN Authentication
Y.NGN Security Mechanisms, NGN Security
Mechanisms and Procedures
Y.NGN, Certificate Management
Y.NGN AAA, The Application of AAA Service for
network access control in UNI and ANI over NGN
Y.IdMsec, NGN Identity Management Security

Y.2701, Security requirements for
NGN release 1 (pre-published)
Provides security requirements for Next Generation Networks
(NGNs) and their interfaces (e.g., UNIs, NNIs and ANIs) by
applying ITU-T Recommendation X.805, Security architecture
for systems providing end-to-end communications, to ITU-T
Recommendation Y.2201, NGN release 1 requirements, and
ITU-T Recommendation Y.2012, Functional requirements and
architecture of the NGN.
Specifies a trust model that is based on network elements
(physical boxes) that support the functional entities defined in
ITU-T Recommendation Y.2012.
Specifies requirements which should be treated as a
minimum set of security requirements. NGN network
providers are encouraged to take additional measures beyond
those specified in the Recommendations for NGN security.

Y.NGN Authentication 1/2
Specifies authentication and authorization requirements for
Next Generation Networks (NGNs) based on the ITU-T NGN
release 1 Requirements and NGN Architecture (FRA). This
includes requirements for one-way and mutual authentication
and authorization across the User-to-Network Interface (UNI),
the Network-to-Network Interface (NNI) and the Application-to-Network
Interface (ANI). The scope of this Recommendation
covers:
Authentication and authorization of users for network access
(e.g., authentication and authorization of an end user device, a
home network gateway, or an enterprise gateway to obtain
access or attachment to the network)
Service provider authentication and authorization of users for
access to a service/application (e.g., authentication and
authorization of a user, a device or a combined user/device
where the authentication and authorization applies to NGN
service/application access)

Y.NGN Authentication 2/2
Service provider authentication and authorization of users for
access to a specific service/application (e.g., ETS and TDR-specific
authentication and authorization)
User authentication and authorization of a network (e.g., user
authenticating the identity of the NGN network or of the service
provider)
User peer-to-peer authentication and authorization (e.g.,
authentication and authorization of the called user (or terminating
entity), authentication and authorization of the originating entity,
or data origin authentication as network functions)
Mutual network authentication and authorization (e.g.,
authentication and authorization across the NNI interface at the
transport level, or service/application level)
Authentication and authorization of a 3rd party service/application
provider
Use of a 3rd party authentication and authorization service

Y.NGN Security Mechanisms,
NGN Security Mechanisms and
Procedures
Describes specific security mechanisms that should be used
to realize the requirements of Y.2701, Security Requirements
for NGN release 1. It covers the following security subjects:
Identification and authentication
Media security
Audit trail, trapping, and logging systems
Transport security for signalling and OAMP (Operations,
Administration, Maintenance, and Provisioning)
CPE (Customer Premises Equipment) provisioning

Y.NGN, Certificate Management
Defines procedures for managing the X.509 certificates used
for providing NGN security
Specifies the use of X.509 certificates for authentication of the
NGN network elements based on policy and business
agreements

Y.NGN AAA, The Application of
AAA Service for network access
control in UNI and ANI over NGN
Specifies the authentication and authorization procedures for
the NGN. It is based on the principles established in ITU-T
Recommendations Y.2701, Security requirements for NGN
release 1, and Y.2012, Functional requirements and
architecture of the NGN. Y.NGN AAA provides
recommendations on authentication and authorization across
the User-to-Network Interface (UNI) and the Application-to-Network
Interface (ANI)

Y.IdMsec, NGN Identity
Management Security
Describes the fundamental concepts associated with NGN
Identity Management
Provides a framework for Identity Management that is based
on the NGN Functional Requirements and Architecture (FRA)
release 2. This IdM framework is applicable to all NGN entities
(e.g., service providers, network providers, network elements,
users and user equipment)
Outlines the threats and risks to Identity Management within
an NGN environment
Describes trust models for Identity Management within an
NGN environment
Specifies security objectives and requirements for NGN
Identity Management

Q.15/13's Major Contributions on
Security to the Work of other
Questions and Study Groups
Q.15/13 led the development of the Security Considerations
and Requirements section of ITU-T Recommendation Y.2111,
Resource and admission control functions in Next Generation
Networks (Y.2111 was developed by Q.4/13)
Q.15/13 participated in the development of the ITU-T
Recommendation EAP-Based Security Signaling Protocol
Architecture for Network Attachment (the Recommendation is
being developed by Q.7/11)

ITU-T SG 16 Work on Security

Q.25/16 Multimedia Security in
Next-Generation Networks
(NGN-MM-SEC)
Study Group 16 concentrates on multimedia systems.
Q.25/16 focuses on the application-security issues of
MM applications in next generation networks
Standardizes multimedia security
So far Q.25/16 has been standardizing MM-security for
the 1st generation MM/pre-NGN-systems:
H.323/H.248-based systems
H.235 sub-series Recommendations provide a framework and a
set of requirements for multimedia systems

Evolution of H.235
[Figure: timeline of H.235 from 1996 to 2006, in five phases: Core
Security Framework Engineering, 1st Deployment, Improvement and
Additions, Consolidation, and Reorganization. Milestones shown, in order:
Initial Draft with H.323V1 (1996); H.235V1 approved, with H.323V2;
Security Profiles Annex D and Annex E started; H.235V2; Annex D and
Annex E approved, with H.323V4; Annex F; H.530 consent; H.235V3 and
H.235V3 Amd1 with Annex G, Annex H and Annex I; H.323V5; H.323V6;
H.235V4 = H.235.0 to H.235.9 approved.]

H.235 V4 sub-series
Recommendations
Major restructuring of H.235v3 Amd.1 and annexes into
stand-alone sub-series Recommendations
H.235.x sub-series specify scenario-specific MM-security procedures as H.235 profiles for H.323
Some new parts added
Some enhancements and extensions
Incorporated corrections
Approved in September 2005

H.323 Security
Recommendations 1/4
H.235.0, Security framework for H-series (H.323 and other
H.245-based) multimedia systems
Overview of H.235.x sub-series and common procedures with
baseline text

H.235.1, Baseline Security Profile
Authentication & integrity for H.225.0 signaling using shared
secrets

H.235.2, Signature Security Profile
Authentication & integrity for H.225.0 signaling using X.509
digital certificates and signatures

H.323 Security
Recommendations 2/4
H.235.3, Hybrid Security Profile (enhanced)
Authentication & integrity for H.225.0 signaling using an
optimized combination of X.509 digital certificates, signatures
and shared secret key management;
specification of an optional proxy-based security processor

H.235.4, Direct and Selective Routed Call Security (extended)
Key management procedures in corporate and in interdomain
environments to obtain key material for securing H.225.0 call
signaling in GK direct-routed/selective routed scenarios

H.323 Security
Recommendations 3/4
H.235.5, Framework for secure authentication in RAS
using weak shared secrets (enhanced)
Secured password (using EKE/SPEKE approach) in
combination with Diffie-Hellman key agreement for
stronger authentication during H.225.0 signaling

H.235.6, Voice encryption profile with native H.235/H.245
key management (modified)
Key management and encryption mechanisms for RTP

H.323 Security
Recommendations 4/4
H.235.7, Usage of the MIKEY Key Management Protocol for
the Secure Real Time Transport Protocol (SRTP) within H.235 (NEW)
Usage of the MIKEY key management for SRTP

H.235.8, Key Exchange for SRTP using secure Signalling
Channels
SRTP keying parameter transport over secured signaling
channels (IPsec, TLS, CMS)

H.235.9, Security Gateway Support for H.323 (NEW)
Discovery of H.323 Security Gateways
(SG = H.323 NAT/FW ALG) and key management for H.225.0
signaling

Other SG16 MM-SEC Results
H.350.2 (2003), Directory Services Architecture for
H.235
An LDAP schema to represent H.235 elements (PWs,
certificates, ID information)

H.530 (Revision 2003), Symmetric security procedures for
H.323 mobility in H.510
Authentication, access control and key management in
mobile H.323-based corporate networks

Draft H.460.22 (Jan. 2007), Security protocol negotiation
Negotiate security protocols (IPsec or TLS or others) for
H.323 signaling

Q.5/16 (H.300 NAT/FW Traversal)
Results 1/2
H.460.18 (Sep. 2005), Traversal of H.323 signalling across
FWs and NATs
H.323 protocol enhancements and new client/server proxies to
allow H.323 signalling protocols to traverse NATs & FWs;
H.323 endpoints can remain unchanged

H.460.19 (Sep. 2005), NAT & FW traversal procedures for
RTP in H.323 systems
Uses multiplexed RTP media mode and symmetric RTP in
conjunction with H.460.18 as a short-term solution

More Q.5/16 Results 2/2
Technical Paper (2005), Requirements for Network Address
Translator and Firewall Traversal of H.323 Multimedia
Systems
Documentation of scenarios and requirements for NAT & FW
traversal in H.323

Technical Paper (2005), Firewall and NAT traversal
Problems in H.323 Systems
An analysis of scenarios and various problems encountered
by H.323 around NAT & FW traversal

New Q.25/16 items
under current study 1/2
Study Anti-DDoS (Denial-of-Service) countermeasures for
(H.323-based) NAT/FW proxy and MM applications
Security for MM-QoS (H.mmqos.security)
MM security aspects of Vision H.325
Advanced Multimedia Systems (AMS)
Goal: MM-security for H.325,
MM security for Audiovisual on Demand services, Multimedia
Conferencing, Distance learning, ...

New Q.25/16 items
under current study 2/2
Study Multimedia-Security aspects of Digital Rights
Management (MM-DRM)
What does MM-DRM mean?
Understand DRM security needs for MM content of MM
applications (e.g. IPTV, ...)
Contributions are solicited
Which other groups are active/interested in this area?

Draft H.proxy
Goal: Specify a proxy-aided NAT/firewall traversal mechanism
as a NAT traversal solution for H.323 multimedia systems
Intended for Consent in July 2007

SG 16: Summary
Multimedia systems and applications as
being studied by SG 16 face important
security challenges:
MM-security and NAT/FW traversal
Q.25/16 and Q.5/16 are addressing these
issues and have provided various
Recommendations
The work continues in the scope of
NGN-Multimedia Security