SOURCE:        ITU-T
TITLE:         Telecommunication Security


 Telecommunication Security

                Herbert Bertine
         Chairman, ITU-T Study Group 17


ITU-T Study Groups
   SG 2*   Operational aspects of service provision, networks and
   SG 3 Tariff and accounting principles including related telecommunications
           economic and policy issues
   SG 4* Telecommunication management
   SG 5    Protection against electromagnetic environment effects
   SG 6    Outside plant and related indoor installations
   SG 9    Integrated broadband cable networks and television and sound
   SG 11* Signalling requirements and protocols
   SG 12 Performance and quality of service
   SG 13* Next generation networks
   SG 15 Optical and other transport network infrastructures
   SG 16* Multimedia terminals, systems and applications
   SG 17** Security, languages and telecommunication software
   SG 19 Mobile telecommunication networks
     * Significant security work   ** Lead Study Group on Security
ITU-T Security Building Blocks
   • Security Architecture Framework (X.800-series)
   • Security Techniques (X.841, X.842, X.843)
   • Protocols (X.273, X.274)
   • Directory Services and Authentication (X.500-series)
   • Security in Frame Relay (X.272)
   • New (X.805, X.1000-series)
   • NGN Security (Y.2700-series)
   • Message Handling Systems (MHS) (X.400-series)
   • Network Management Security (M.3000-series)
   • Systems Management (X.733, X.735, X.736, X.740, X.741)
   • Facsimile (T-series)
   • Televisions and Cable Systems (J-series)
   • Multimedia Communications (H-series)
         Study Group 17:
      Security, languages and
   telecommunication software

 SG 17 is the Lead Study Group on telecommunication
  security - It is responsible for coordination of security
  across all study groups.
 Subdivided into three Working Parties (WPs)
   • WP1 - Open systems technologies;
   • WP2 - Telecommunications security; and
   • WP3 - Languages and telecommunications software
 Most (but not all) security Questions are in WP2
 Summaries of all draft new or revised Recommendations
  under development in SG 17 are available on the SG 17
  web page at
   Working Party 2/17 Work Program
   • Q.4/17 Communications System Security Project: vision, project, roadmap, …
   • Q.5/17 Security Architecture and Framework: architecture, model, concepts, frameworks
   • Q.6/17 Cyber Security: vulnerability information sharing, incident handling
     operations, identity management
   • Q.7/17 Security Management: ISMS-T, incident management, risk assessment methodology
   • Q.8/17 Telebiometrics (telecom systems users): multimodal model framework,
     system mechanism, protection procedure
   • Q.9/17 Secure Communication Services: secure mobile communications, home
     network security, web services security
   • Q.17/17 Countering spam by technical means: technical anti-spam measures
     Examples of recently approved
      security Recommendations
M.3016.0-4   Security for the management plane: Overview, Security requirements, Security services,
             Security mechanism, Profile proforma

X.509        Information technology – Open Systems Interconnection – The Directory: Public-key and
             attribute certificate frameworks
X.805        Security architecture for systems providing end-to-end communications
X.893        Information technology – Generic applications of ASN.1: Fast infoset security
X.1035       Password-authenticated key exchange (PAK) protocol
X.1051       Information security management system - Requirements for telecommunications (ISMS-T)
X.1081       The telebiometric multimodal model - A framework for the specification of security and
             safety aspects of telebiometrics
X.1111       Framework for security technologies for home network
X.1121       Framework of security technologies for mobile end-to-end communications
X.1122       Guideline for implementing secure mobile systems based on PKI
X.1141       Security Assertion Markup Language (SAML 2.0)
X.1142       eXtensible Access Control Markup Language (XACML 2.0)
Y.2701       Security requirements for NGN release 1
Extract from current SG 17 security
  work program (~50 items total)
 Q.     Acronym                                     Title or Subject
 5    X.akm          Framework for EAP-based authentication and key management
 6    X.1205         Overview of cybersecurity
 6    X.idmf         Identity management framework
 6    X.gopw         Guideline on preventing worm spreading in a data communication network
 7    X.1051         Information security management guidelines for telecommunications based
      (Revised)      on ISO/IEC 27002
 7    X.rmg          Risk management guidelines for telecommunications
 8    X.bip          BioAPI interworking protocol
 8    X.tai          Telebiometrics authentication infrastructure
 9    X.homesec-2,   Certificate profile for the device in the home network, User authentication
      3, 4           mechanisms for home network service, Authorization framework for home
 9    X.msec-3       General security value added service (policy) for mobile data communication
 9    X.p2p-1        Requirements of security for peer-to-peer and peer-to-multi peer
 9    X.websec-3     Security architecture for message security in mobile web services
 17   X.csreq        Requirement on countering spam
 17   X.fcsip        Framework of countering IP multimedia spam
  Study Group 13 - Question 15/13
  NGN Security: work in progress

Y.IdMsec            NGN identity management security
Y.NGN AAA           AAA application for implementation of network and service security
                    requirements over NGN
Y.NGN               NGN Authentication
Y.NGN Certificate   NGN certificate management
Y.SecMechanisms     NGN Security mechanisms and procedures
Y.SecReqR2          Security requirements for NGN release 2
     Security standardization
       Collaboration is key

       Specific Systems, Services, Applications
       Security in ITU-T are developed by
       SG 2, 3, 4, 5, 6, 9, 11, 13, 15, 16, 19

       Core Technology and Common Security
       Techniques in ITU-T are developed
       by SG 17

JTC 1 SC 27, 37...   IETF     ATIS, ETSI, OASIS, etc.
   Security standardization
     Collaboration is key
 World Standards Cooperation (WSC) ISO, IEC, ITU
 Global Standards Collaboration (GSC) Regional, National
  SDOs and ITU-T, ITU-R
   • exchange information between participating standards organizations
     to facilitate collaboration and to support the ITU as the preeminent
     global telecommunication and radiocommunication standards
     development organization
   • Resolution GSC-11/17 Cybersecurity
 Security Standardization Exchange Network (SSEN)
   • an informal association of individual security practitioners with direct
     experience of, or strong interest in, security standardization
   • facilitate the informal exchange of information on security-
     standards-related matters to increase overall awareness of issues of
     common interest with the intention of helping to advance the
     development of needed standards and minimizing overlap and
     duplication of effort in security standards development
     Security standardization
       Collaboration is key
ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)
 Terms of Reference
   • To oversee standardization activities in ISO, IEC and ITU-T
     relevant to the field of security
   • To provide advice and guidance to the ISO Technical
     Management Board, the IEC Standardization Management
     Board and the ITU-T Telecommunication Standardization
     Advisory Group (TSAG) relative to the coordination of work
     relevant to security, and in particular to identify areas where new
     standardization initiatives may be warranted
   • To monitor implementation of the SAG-S Recommendations
 International workshop on security topics planned in
  conjunction with each SAG-S meeting
   • International Workshop on Transit Security, Washington DC, 4-5
     October 2007
 Security portal under development
Focus Group: Security Baseline for
  Network Operators (FG SBNO)

 Established October 2005 by SG 17
 Objectives:
   • Define a security baseline against which network operators can assess
     their network and information security posture in terms of what security
     standards are available, which of these standards should be used to
     meet particular requirements, when they should be used, and how they
     should be applied
   • Describe a network operator’s readiness and ability to collaborate with
     other entities (operators, users and law enforcement authorities) to
     counteract information security threats
   • Provide meaningful criteria that can be used by network operators
     against which other network operators can be assessed, if required
 Achieved
   • Surveyed network operators by means of a questionnaire
 Next step:
   • Develop text to be proposed to SG 17 for progressing as an ITU-T
             Focus Group: Identity
             Management (FG IdM)

     Established December 2006 by SG 17
     The objectives of the FG IdM are
     •    to perform requirements analysis based on use case scenarios, in order
     •    to identify generic IdM framework components, so that
     •    a standards gap analysis can be completed, in order
     •    to identify new standards work and the bodies (ITU and other SDOs) that
          should perform the work
     Working Group structure
     •    Ecosystem and Lexicon Working Group
     •    Use Cases Working Group
     •    Requirements Working Group
     •    Framework Working Group
     Aggressive schedule
     •    Meetings held: February, April and May 2007; WG meeting June
     •    Meetings planned: July and August 2007
ICT Security Standards Roadmap

 Part 1 contains information about organizations
  working on ICT security standards
 Part 2 is the database of existing security standards
 Part 3 is a list of standards in development
 Part 4 identifies future needs and proposed new
 Part 5 includes security best practices

   European Network and Information Security Agency
   (ENISA) and the Network and Information Security
   Steering Group (NISSG) are collaborating with ITU-T in
   the development of the Roadmap
 ICT Security Standards Roadmap

 Part 2 currently includes ICT security standards from
    •   ITU-T
    •   ISO/IEC JTC 1
    •   IETF
    •   IEEE
    •   ATIS
    •   ETSI
    •   OASIS
 Data is available in a database format to allow searching
  by organization and topic and to allow organizations to
  manage their own data
 We invite you to contribute content to the Roadmap,
  provide feedback and help us develop it to meet your
              Other projects

 Security in Telecommunications and Information
  Technology (ITU-T Security manual)
   • Overview of existing ITU-T Recommendations for secure
   • Third edition of June 2006 to be available in the six official
     languages of the ITU

 Security compendium
   • Catalogue of approved ITU-T Recommendations related to
     telecommunication security
   • Extract of ITU-T approved security definitions
   • Summary of ITU-T Study Groups with security-related
The ITU Global Cybersecurity Gateway

 LIVE at:
 Provides an easy-to-use information resource on national, regional and
 international cybersecurity-related activities and initiatives worldwide.

 Security is everybody's business
 Collaboration with other SDOs is necessary
 Security needs to be designed in upfront
 Security must be an ongoing effort
 Systematically addressing vulnerabilities
  (intrinsic properties of networks/systems) is key,
  so that protection can be provided independently of
  what the threats (which are constantly changing
  and may be unknown) turn out to be
               Some useful web resources

 ITU-T Home page
 Study Group 17
   • e-mail:
 Recommendations
 ITU-T Lighthouse
 ITU-T Workshops
    Supplemental Information on Security
    Work in ITU-T
   Study Group 17 - Security, languages and telecommunication software
   Study Group 4 - Telecommunication management
   Study Group 11 – Signalling requirements and protocols
   Study Group 13 - Next generation networks
   Study Group 16 - Multimedia terminals, systems and applications
ITU-T SG 17 work on security
   Q.4/17 - Communications systems security project
   Q.5/17 - Security architecture and framework
   Q.6/17 - Cyber security
   Q.7/17 - Security management
   Q.8/17 - Telebiometrics
   Q.9/17 - Secure communication services
   Q.17/17 - Countering spam by technical means
         ITU-T SG 17 Question 4
    Communications Systems Security Project

 Overall Security Coordination
 ICT Security Standards Roadmap
 Security Compendium
 Focus Group on Security Baseline For Network
 ITU-T Security manual
    Efforts of Q.4/17 are covered in the main part of the
       ITU-T SG 17 Question 5
   Security Architecture and Framework

 Brief description of Q.5
 Milestones
 Draft Recommendations under development
     Brief description of Q.5/17
 Motivation
   • The telecommunications and information technology industries are
     seeking cost-effective, comprehensive security solutions that can
     be applied to various types of networks, services and applications.
     To achieve such solutions in a multi-vendor environment, network
     security should be designed around standard security
     architectures and standard security technologies.
 Major tasks
   • Development of a comprehensive set of Recommendations for
     providing standard security solutions for telecommunications in
     collaboration with other Standards Development Organizations and
     ITU-T Study Groups.
   • Maintenance and enhancement of Recommendations in the X.800-series:
         X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816,
         X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843
               Q.5/17 Milestones

 ITU-T Recommendation X.805, Security Architecture for
  Systems Providing End-to-end Communications
   • Approved in 2003
 ISO/IEC Standard 18028-2, Network security
   • Developed in collaboration between ITU-T Q.5/17 and ISO/IEC
     JTC 1 SC 27 WG 1. It is technically aligned with X.805
   • Published in 2006
 ITU-T Recommendation X.1035, Password-
  authenticated key exchange (PAK) protocol
   • Specifies a password-based protocol for authentication and key
     exchange, which ensures mutual authentication of both parties in
     the act of establishing a symmetric cryptographic key via Diffie-
     Hellman exchange
   • Approved in 2006
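To make the X.1035 milestone concrete, the following added example (not code from the Recommendation or this presentation) walks through a PAK-style exchange: each side masks its Diffie-Hellman value with a password-derived group element, then both confirm the shared secret before deriving the key, so a wrong password fails before any key is used. The group (2^521 - 1, generator 3), the SHA-256 based H1..H5 and the party names are simplified assumptions for a runnable demo, not the Recommendation's normative parameters.

```python
"""PAK-style password-authenticated key exchange (illustration of X.1035).

Added example: follows the PAK pattern (password-masked Diffie-Hellman values
plus mutual key confirmation). Group and hash choices are demo assumptions.
"""
import hashlib
import hmac
import secrets

# Toy group (assumption): the Mersenne prime 2^521 - 1 with generator 3.
P = 2**521 - 1
G = 3


def _digest(tag: int, *parts) -> bytes:
    """Domain-separated SHA-256 over the parts; stands in for H1..H5."""
    h = hashlib.sha256(bytes([tag]))
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def _mask(tag: int, ida: str, idb: str, pw: str) -> int:
    """H1/H2: password-derived multiplicative mask, always nonzero mod P."""
    return int.from_bytes(_digest(tag, ida, idb, pw), "big") % (P - 1) + 1


class PakInitiator:
    """Party A: sends X = H1(A|B|PW) * g^Ra, verifies S1, answers with S2."""

    def __init__(self, ida: str, idb: str, password: str):
        self.ida, self.idb, self.pw = ida, idb, password
        self.key = None

    def start(self) -> tuple[str, int]:
        self.ra = secrets.randbelow(P - 2) + 1
        self.ga = pow(G, self.ra, P)
        x = (_mask(1, self.ida, self.idb, self.pw) * self.ga) % P
        return self.ida, x

    def finish(self, y: int, s1: bytes) -> bytes:
        if y % P == 0:
            raise ValueError("Y must not be zero")  # reject a degenerate value
        # Unmask B's DH value with the password mask, then derive the shared secret.
        gb = (y * pow(_mask(2, self.ida, self.idb, self.pw), -1, P)) % P
        gab = pow(gb, self.ra, P)
        ctx = (self.ida, self.idb, self.pw, self.ga, gb, gab)
        if not hmac.compare_digest(_digest(3, *ctx), s1):
            raise ValueError("S1 check failed: wrong password or tampering")
        self.key = _digest(5, *ctx)  # session key only after B is authenticated
        return _digest(4, *ctx)      # S2: A's proof of the password to B


class PakResponder:
    """Party B: unmasks X, sends Y = H2(A|B|PW) * g^Rb and S1, verifies S2."""

    def __init__(self, idb: str, password: str):
        self.idb, self.pw = idb, password
        self.key = None

    def respond(self, ida: str, x: int) -> tuple[int, bytes]:
        if x % P == 0:
            raise ValueError("X must not be zero")  # reject a degenerate value
        ga = (x * pow(_mask(1, ida, self.idb, self.pw), -1, P)) % P
        rb = secrets.randbelow(P - 2) + 1
        gb = pow(G, rb, P)
        gab = pow(ga, rb, P)
        y = (_mask(2, ida, self.idb, self.pw) * gb) % P
        self._ctx = (ida, self.idb, self.pw, ga, gb, gab)
        self._s2_expected = _digest(4, *self._ctx)
        return y, _digest(3, *self._ctx)  # S1: B's proof of the password to A

    def finish(self, s2: bytes) -> None:
        if not hmac.compare_digest(self._s2_expected, s2):
            raise ValueError("S2 check failed: wrong password or tampering")
        self.key = _digest(5, *self._ctx)


def run_exchange(password_a: str, password_b: str) -> tuple[bytes, bytes]:
    """Drive the three-message exchange; raises ValueError if confirmation fails."""
    a = PakInitiator("alice", "bob", password_a)   # party names are assumptions
    b = PakResponder("bob", password_b)
    ida, x = a.start()          # A -> B: A, X
    y, s1 = b.respond(ida, x)   # B -> A: Y, S1
    s2 = a.finish(y, s1)        # A -> B: S2
    b.finish(s2)
    return a.key, b.key


if __name__ == "__main__":
    ka, kb = run_exchange("correct horse", "correct horse")
    print("keys match:", ka == kb)
```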
ITU-T Recommendation X.805

X.805 defines a network security architecture for providing
end-to-end network security. The architecture can be applied to
various kinds of networks where the end-to-end security is a
concern and independently of the network’s underlying
Q.5/17 Draft Recommendations 1/2

 Applications and further development of major
  concepts of ITU-T Recommendation X.805
   • X.805+, Division of the security features between the
     network and the users
     Specifies division of security features between the networks
     and users. It provides guidance on applying concepts of the
     X.805 architecture to securing service provider’s, application
     provider’s networks and the end user’s equipment
   • X.805nsa, Network security assessment/guidelines
     based on ITU-T Recommendation X.805
     Provides a framework for network security
     assessment/guidelines based on ITU-T Recommendation
     X.805, Security Architecture for Systems Providing End-to-
     End Communications
Q.5/17 Draft Recommendations 2/2

 Standardization in support of Authentication Security
  Dimension (defined in X.805)
   • X.akm, Framework for authentication and key management for
     link layer security of NGN
     Establishes a framework for authentication and key management
     for securing the link layer. It also provides guidance on selection
     of the EAP methods.
 Standardization of network security policies
   • X.spn, Framework for creation, storage, distribution, and
     enforcement of security policies for networks
     Establishes security policies that are to drive security controls of
     a system or service. It also specifies a framework for creation,
     storage, distribution, and enforcement of policies for network
     security that can be applied to various environmental conditions
     and network devices.
         ITU-T SG 17 Question 6
              Cyber Security

   Motivation
   Objectives
   Scope
   Current area of focus
   Draft Recommendations under development
           Q.6/17 Motivation

 Network connectivity and ubiquitous access are central to today’s IT
 Widespread access and loose coupling of interconnected IT
  systems are a primary source of widespread vulnerability
 Threats such as denial of service, theft of financial and personal
  data, network failures and disruption of voice and data
  telecommunications are on the rise
 Network protocols in use today were developed in an environment of
 Most new investment and development is dedicated to building
  new functionality, not to securing that functionality
 An understanding of cybersecurity is needed in order to build a
  foundation of knowledge that can aid in securing the networks of
             Q.6/17 Objectives
 Perform actions in accordance with Lead Study Group (LSG)
  responsibility with the focus on Cybersecurity
 Identify and develop standards required for addressing the challenges
  in Cybersecurity, within the scope of Q.6/17
 Provide assistance to other ITU-T Study Groups in applying relevant
  cybersecurity Recommendations for specific security solutions. Review
  project-oriented security solutions for consistency
 Maintain and update existing Recommendations within the scope of
  Q.6/17 (this includes E.409)
 Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 (e.g.,
  SC 6, SC 27 and SC 37), and consortia as appropriate
 Provide awareness on new security technologies related to
 Provide an Identity Management Framework that defines the problem
  space, representative use case scenarios and requirements. This
  includes leveraging other on-going Identity Management activities
 Collaborate with Next Generation Networks activities in ITU-T in the
  areas of Cybersecurity and Identity Management
               Q.6/17 Scope

 Definition of Cybersecurity
 Security of Telecommunications Network Infrastructure
 Security Knowledge and Awareness of Telecom Personnel and
 Security Requirements for Design of New Communications Protocol
  and Systems
 Communications relating to Cybersecurity
 Security Processes – Life-cycle Processes relating to Incident and
 Security of Identity in Telecommunication Network
 Legal/Policy Considerations
 Q.6/17 Current Area of Focus 1/2

 Work with SG 2 on the definition and requirements of Cybersecurity
 Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve better
  understanding of various aspects of network security
 Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL and
  other standardization bodies on Cybersecurity
 Work with OASIS on adopting the OASIS Common Alerting Protocol
  V1.1 as an ITU-T Recommendation
 Work on framework for secure network operations to address how
  telecommunications network providers secure their infrastructure and
  maintain secure operations
 Work on Recommendation for standardization of vulnerability data
 Work on network security management framework to address how
  telecommunications operators uniformly operate various kinds of
  security functions
 Study new Cybersecurity issues – How should ISPs deal with botnets,
  evaluating the output of appropriate bodies when available
 Q.6/17 Current Area of Focus 2/2

 Work on Recommendations on Identity Management (IdM)
  addressing the following areas:
     • An umbrella Recommendation that determines IdM security
       requirements from an ITU-T perspective
     • An umbrella Recommendation that defines a framework and
       architecture(s) for IdM after identifying the IdM security mechanisms that
       need to be addressed
     • An umbrella Recommendation that assesses security threats and
       vulnerabilities associated with IdM
    • Collaborate with Q.15/13 on NGN IdM issues
 Develop guidelines on the protection of personal information and
 Call for contributions for the outstanding questions identified in the
  revised scope
 Promote the wide adoption of IdM through the IdM Focus Group that
  considers the challenges and issues associated with IdM across
  various SDO and consortia
 Q.6/17 Draft Recommendations 1/5
1.       Overview of Cybersecurity (X.1205, formerly X.cso)
     •    Provides a definition for Cybersecurity and a taxonomy of security threats
          from an operator point of view. Cybersecurity vulnerabilities and threats
          are presented and discussed at various network layers.
     •    Various Cybersecurity technologies that are available to remedy the
          threats include: Routers, Firewalls, Antivirus protection, Intrusion
          detection systems, Intrusion protection systems, Secure computing,
          Audit and Monitoring. Network protection principles such as defence in
          depth, access and identity management with application to Cybersecurity
          are discussed. Risk Management strategies and techniques are
          discussed including the value of training and education in protecting the
          network. A discussion of Cybersecurity standards, Cybersecurity
          implementation issues and certification is presented.
2.       A vendor-neutral framework for automatic checking of the
         presence of vulnerabilities information update (X.vds)
     •    Provides a framework of automatic notification on vulnerability
          information. The key point of the framework is that it is vendor-neutral.
          Once users register their software, updates on the
          vulnerabilities and patches of the registered software will automatically
          be made available to the users. Upon notification, users can then apply them.
Q.6/17 Draft Recommendations 2/5

3.       Guidelines for Internet Service Providers and End-users for
         Addressing the Risk of Spyware and Deceptive Software
     •    Provides guidelines for Internet Service Providers (ISP) and end-users
          for addressing the risks of spyware and deceptive software. The
          Recommendation promotes best practices around principles of clear
          notices, and users’ consents and controls for ISP web hosting services.
          The Recommendation also promotes best practices to end-users on the
          Internet to secure their computing devices and information against the
          risks of spyware and deceptive software.
4.       Identity Management Framework (X.idmf)
     •    Develops an Identity Management Framework that leverages the use
          case scenarios as they apply to Telecommunications and includes non-
          Telecom applications (i.e., the orchestration of business
          processes that include supply chain management, client resource
          management, enterprise resource management, location, presence,
          and other services). The framework enables service providers to
          provide entities with reliable, trusted and secure IdM services over
          distributed networks, through the appropriate use of authorization,
          authentication, access control mechanisms, and policy management
Q.6/17 Draft Recommendations 3/5

5.       Identity Management Requirements (X.idmr)
     •    Develops use case scenarios and requirements for the Identity
          Management Framework Recommendation (X.idmf). The developed
          use cases cover Telecommunications and non-Telecom scenarios (i.e.,
          the orchestration of business processes that include supply chain
          management, client resource management, enterprise resource
          management, location, presence, and other services).
6.       Identity Management Security (X.idms)
     •    Performs security analysis on the identity Management Framework as
          developed in X.idmf. The Recommendation develops guidelines and
          best practice approach for ensuring that security is maintained when
          the Identity Management Framework is used as the vehicle for
          providing Telecommunications and non-Telecom IdM solutions.
Q.6/17 Draft Recommendations 4/5

7.       Common Alerting Protocol (CAP v1.1), (X.1303, formerly X.cap)
     •    Specifies the common alerting protocol (CAP) which is a simple but
          general format for exchanging all-hazard emergency alerts and public
          warnings over all kinds of networks. CAP allows a consistent warning
          message to be disseminated simultaneously over many different
          warning systems, thus increasing warning effectiveness while
          simplifying the warning task. CAP also facilitates the detection of
          emerging patterns in local warnings of various kinds, such as might
          indicate an undetected hazard or hostile act. And CAP provides a
          template for effective warning messages based on best practices
          identified in academic research and real-world experience.
          This Recommendation is technically equivalent and compatible with the
          OASIS Common Alerting Protocol, v.1.1 standard.
8.       ASN.1 specification for the Common Alerting Protocol (CAP v1.1),
         (X.1303.1, formerly X.cap2)
     •    The common alerting protocol (CAP) is specified in ITU-T Rec. X.1303,
          which is technically equivalent and compatible with the OASIS
          Common Alerting Protocol, V1.1 standard. This Recommendation
          provides an equivalent ASN.1 specification that permits a compact
          binary encoding and the use of ASN.1 as well as XSD tools for the
          generation and processing of CAP messages. This Recommendation
          enables existing systems, such as H.323 systems, to more readily
          encode, transport and decode CAP messages.
Q.6/17 Draft Recommendations 5/5

9.       Privacy guideline for RFID (X.rfpg)
     •     Recognizes that, as RFID greatly facilitates the access and dispersion
           of information pertaining specifically to the merchandise that
           individuals wear and/or carry, it creates an opportunity for the same
           information to be abused for tracking an individual's location or
           invading their privacy in a malfeasant manner. For this reason the
           Recommendation develops guidelines and best practices regarding
           RFID procedures that can be used by service providers to gain the
           benefits of RFID while attempting to protect the privacy rights of the
           general public within national policies.

10. Network Security Management Framework (X.nsmf)
     •     Defines the framework for security management to address how
           telecom-operators can uniformly operate various kinds of security
11. Guideline on preventing worm spreading in a data communication
    network (X.gopw)
     •     Describes worm spreading patterns and scenarios in a data
           communication network. In addition, it specifies countermeasures to
           prevent worm spreading. This Recommendation can be used as
           a guideline for network designers, network operators, and end users for
           preventing worm spreading.
     ITU-T SG 17 Question 7
      Security Management

 Tasks
 Plan on Recommendations
 Revised Recommendation X.1051
               Q.7/17 Tasks
 Information Security Management Guidelines for Telecommunications
   • (Existing X.1051, Information security management system –
     Requirements for telecommunications (ISMS-T))
   • Maintain and revise Recommendation X.1051, “Information Security
     Management Guidelines for telecommunications based on ISO/IEC 27002”
   • Jointly develop a guideline of information security management with
     ISO/IEC JTC 1/SC 27 (ISO/IEC 27031 = Recommendation X.1051).
 Risk Management Methodology
   • Study and develop a methodology of risk management for
     telecommunications in line with Recommendation X.1051.
   • Produce and consent a new ITU-T Recommendation for risk
     management methodology.
 Incident Management
   • Study and develop a handling and response procedure on security
     incidents for telecommunications in line with Recommendation X.1051.
   • Produce and consent a new ITU-T Recommendation for incident
     management methodology and procedures.
  Q.7/17 plan on Recommendations

X.1050: To be proposed
X.1051: In revision process
   Information Security Management Guidelines for
   Telecommunications based on ISO/IEC 27002
X.1052: To be proposed
X.1053: To be proposed
   (Implementation Guide for Telecommunications)
X.1054: To be proposed
   (Measurements and metrics for Telecommunications)
X.1055: In the first stage of development
   Risk Management Guidelines for Telecommunications
X.1056: In the first stage of development
   Security Incident Management Guidelines for Telecommunications
X.1057: To be proposed
   (Identity Management for Telecommunications)
Information security management guidelines
  for Telecommunications (Revised X.1051)
       Revised X.1051

 [Figure: approach to develop the revised Recommendation X.1051. For each
  control area (Security policy; Organising information security; Asset
  management; Human resources security; Physical & environmental;
  Communications & operations; Access control; Information systems
  acquisition, development and maintenance; Information security incident;
  Business continuity management; Compliance), the control and
  implementation guidance of ISO/IEC 17799 (2005) are combined with the
  control, the implementation requirements for Telecom and the ISMS process
  of the existing X.1051 (2004), plus other information assets for Telecom,
  to give the control and implementation guidance for Telecom in the
  revised X.1051.]
  ITU-T SG 17 Question 8

 Objectives
 Study areas on biometric processes
 Recommendations
         Q.8/17 Objectives

1) To define telebiometric multimodal model

2) To specify biometric authentication mechanisms
   in open networks

3) To provide protection procedures and
   countermeasures for telebiometric systems
     Q.8/17 Study areas on
     Biometric Processes

 [Figure: biometric processing chain and the Recommendations that cover it]
   • Processing chain: Acquisition -> (NW) -> Extraction -> (NW) -> Matching ->
     Score -> Decision -> (NW) -> Application, where NW marks a network link
     between stages
   • X.1081, X.Physiol: safety conformity
   • X.tai: Telebiometrics Authentication Infrastructure
   • X.bip: BioAPI Interworking Protocol
   • X.tsm: Telebiometrics System Mechanism
   • X.tpp: Telebiometrics Protection Procedure
     Q.8/17 Recommendations 1/3

1)   X.1081, The telebiometric multimodal model framework – A
     framework for the specification of security and safety aspects
     of telebiometrics
     Defines a telebiometric multimodal model that can be used as a framework
     for identifying and specifying aspects of telebiometrics, and for classifying
     biometric technologies used for identification (security aspects).
2)   X.physiol, Telebiometrics related to human physiology
     Gives names and symbols for quantities and units concerned with emissions
     from the human body that can be detected by a sensor, and with effects on
     the human body produced by the telebiometric devices in his environments.
3)   X.tsm-1, General biometric authentication protocol and profile
     on telecommunication system
     Defines communication mechanism and protocols of biometric
     authentication for unspecified end-users and service providers on open
        Q.8/17 Recommendations 2/3

4)   X.tsm-2, Profile of telecommunication device for Telebiometrics
     System Mechanism (TSM)
     Defines the requirements, security profiles of client terminals for biometric
     authentication over the open network.

5)   X.tai, Telebiometrics authentication infrastructure
     Specifies a framework to implement biometric identity authentication
     with certificate issuance, management, usage and revocation.
6)   X.bip, BioAPI interworking protocol
     Common text of ITU-T and ISO/IEC JTC 1/SC 37. It specifies the syntax,
     semantics, and encodings of a set of messages ("BIP messages") that
     enable BioAPI-conforming applications to interwork in telebiometric systems.
      Q.8/17 Recommendations 3/3

7)   X.tpp-1, A guideline of technical and managerial
     countermeasures for biometric data security
     Defines weaknesses and threats in operating telebiometric systems and
     proposes a general guideline of security countermeasures from both
     technical and managerial perspectives.

8)   X.tpp-2, A guideline for secure and efficient transmission of
     multi-modal biometric data
     Defines the threat characteristics of multi-modal biometric systems, and
     provides cryptographic methods and network protocols for transmission of
     multi-modal biometric data.
       ITU-T SG 17 Question 9
    Secure Communication Services

   Focus
   Position of each topic
   Mobile security
   Home network security
   Web services security
   Secure applications services
                Q.9/17 Focus

 Develop a set of standards of secure application
  services, including
  •   Mobile security Under study
  •   Home network security Under study
  •   Web services security Under study
  •   Secure application services Under study
  •   Privacy protection for RFID Under study
  •   Multicast security Under study
  •   Multimedia content protection To be studied
     Position of each topic

 [Figure: placement of the Q.9/17 topics across the mobile network, the open
  network and the home network]
   • Mobile security: mobile terminal and mobile network
   • Home network security: home network
   • Web services security, secure application services, multicast security
     and privacy protection for RFID: across the open network
            Q.9/17 - Mobile Security

 X.1121, Framework of security technologies for mobile end-to-
  end data communications
       •   Approved 2004
 X.1122, Guideline for implementing secure mobile systems based
  on PKI
       • Approved 2004
 X.msec-3, General security value added service (policy) for
  mobile data communication
       • Develops general security service as value added service for secure
         mobile end-to-end data communication
 X.msec-4, Authentication architecture in mobile end-to-end data
       • Constructs generic authentication architecture for mobile data
         communication between mobile users and application servers
, Correlative reacting system in mobile network
       • Develops the generic architecture of a correlative reactive system to
         protect the mobile terminal against viruses, worms, Trojan horses or
         other network attacks on both the mobile network and its mobile users
    Q.9/17 - Home network security

 X.1111, Framework for security technologies for home network
   • Framework of security technologies for home network
   • Define security threats and security requirements, security functions,
     security function requirements for each entity in the network, and possible
     implementation layer
   • Approved 2007
 X.homesec-2, Certificate profile for the device in the home
   • Device certificate profile for the home network
   • Develops framework of home network device certificate.
 X.homesec-3, User authentication mechanisms for home
  network service
   • User authentication mechanisms for home network service.
   • Provides the user authentication mechanism in the home network, which
     enables various authentication means such as password, certificate,
     biometrics and so on.
   Q.9/17 - Web Services security

 X.1141, Security Assertion Markup Language (SAML)
   • Adoption of OASIS SAML v2.0 into ITU-T Recommendation X.1141
   • Define XML-based framework for exchanging security information
   • The security information expressed in the form of assertions about
     subjects, where a subject is an entity (either human or computer) that
     has an identity in some security domain
   • Approved 2006
 X.1142, eXtensible Access Control Markup Language (XACML)
   • Adoption of OASIS XACML v2.0 into ITU-T Recommendation X.1142
   • Provides an XML vocabulary for expressing access control policies and
     the syntax of the language and the rules for evaluating policies
   • Approved 2006
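As an added example (not part of X.1142 or of the OASIS specification), the following Python evaluates a constructed XACML 2.0 policy against a request with the deny-overrides rule-combining algorithm, which is the part of the language the bullet above calls "the rules for evaluating policies". It implements only a subset: Subject/Resource/Action targets, the string-equal match function and deny-overrides; a request attribute that is missing is treated as a non-match rather than as XACML's Indeterminate result, and Conditions and Obligations are not handled. The policy, the resource path and the request values are constructed for this example.

```python
# Added example: toy XACML 2.0 policy decision point (deny-overrides only).
# Not code from X.1142 or OASIS; policy and request values are constructed.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed policy: anyone may read the customer record, but the subject
# "guest" is denied everything; deny-overrides makes the Deny rule win.
POLICY_XML = f"""
<Policy xmlns="{XACML_NS}" PolicyId="demo" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-guest" Effect="Deny">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">guest</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="permit-read" Effect="Permit">
    <Target>
      <Resources><Resource>
        <ResourceMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">/records/customer</AttributeValue>
          <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
        </ResourceMatch>
      </Resource></Resources>
      <Actions><Action>
        <ActionMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
</Policy>
"""

# (category element, alternative element, match element, designator element, request key)
CATEGORIES = (
    ("Subjects", "Subject", "SubjectMatch", "SubjectAttributeDesignator", "subject"),
    ("Resources", "Resource", "ResourceMatch", "ResourceAttributeDesignator", "resource"),
    ("Actions", "Action", "ActionMatch", "ActionAttributeDesignator", "action"),
)


def match_ok(match, designator_tag, attrs):
    """One <*Match>: compare the literal AttributeValue with the designated request attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
    literal = match.find("x:AttributeValue", NS).text
    attr_id = match.find(f"x:{designator_tag}", NS).get("AttributeId")
    return attrs.get(attr_id) == literal      # missing attribute: treated as no match here


def target_matches(target, request):
    """Categories AND together; alternatives within a category OR; matches in one
    alternative AND. An absent <Target>, an empty one, or AnySubject/AnyResource/
    AnyAction (no alternatives) matches everything."""
    if target is None:
        return True
    for group, alt, match_tag, designator_tag, key in CATEGORIES:
        group_el = target.find(f"x:{group}", NS)
        if group_el is None:
            continue
        alternatives = group_el.findall(f"x:{alt}", NS)
        if not alternatives:
            continue
        attrs = request.get(key, {})
        if not any(all(match_ok(m, designator_tag, attrs)
                       for m in a.findall(f"x:{match_tag}", NS)) for a in alternatives):
            return False
    return True


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for the request under deny-overrides."""
    policy = ET.fromstring(policy_xml.strip())
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented here")
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if not target_matches(rule.find("x:Target", NS), request):
            continue
        if rule.get("Effect") == "Deny":
            return "Deny"                     # deny-overrides: one applicable Deny decides
        decision = "Permit"
    return decision


def request(subject, resource, action):
    return {"subject": {SUBJECT_ID: subject}, "resource": {RESOURCE_ID: resource},
            "action": {ACTION_ID: action}}


if __name__ == "__main__":
    for who, what in (("alice", "read"), ("alice", "write"), ("guest", "read")):
        print(who, what, "->", evaluate(POLICY_XML, request(who, "/records/customer", what)))
```

The point to take from the evaluator is the combining step: an applicable Deny rule ends evaluation regardless of how many Permit rules also match, which is why a guest reading the customer record is denied even though the read rule applies to it.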
 X.websec-3, Security architecture for message security in
  mobile Web Services
   • Develops a guideline on message security architecture and service
     scenarios for securing messages for mobile Web Services
 Q.9/17 - Secure applications services
, Guideline on strong password authentication protocols
   • Guideline on secure password-based authentication protocol with key
   • Defines a set of requirements for password-based protocol with key
     exchange and a selection guideline by setting up criteria that can be used in
     choosing an optimum authentication protocol for each application.
, Secure communication using TTP service
   • Secure end-to-end data communication techniques using TTP services
   • Specifies secure end-to-end data communication techniques using TTP
     services that are services defined in X.842 or other services
 X.p2p-1, Anonymous authentication architecture in community
   • Requirements of security for peer-to-peer and peer-to-multi peer
   • Investigates threat analysis for P2P and P2MP communication services and
     describes security requirements for secure P2P and P2MP communication
 X.p2p-2, Security architecture and protocols for peer to peer
   • Security architecture and protocols for peer to peer network
   • Describes the security techniques and protocols in the P2P environment
 Q.9/17 – m-RFID security and
 Multicast security

 X.rfidsec-1, Privacy protection framework for networked RFID
   • New work item 2006
   • Privacy infringements for networked RFID service environment
   • Requirements for privacy protection and privacy protection services
     based on a user privacy policy profile
 X.mcastsec-1, Security framework and requirement in the
  multicast environment
   • New work item 2007
   • Requirements of security for multicast communications
   • Investigates threat analysis for multicast communications services and
     describes security requirements for multicast communications services
  ITU-T SG 17 Question 17
Countering Spam by Technical Means
 Objectives
 Recommendations
        Q.17/17 Objectives

 The aim of this Question is to develop a set of
  Recommendations on countering spam by
  technical means for ITU-T, taking into account
  the need for collaboration with ITU-T other Study
  Groups and cooperation with other SDOs. The
  Question focuses particularly on technical
  requirement, frameworks and new technologies
  for countering spam. Guidelines on countering
  spam by technical means are also studied.
 Q.17/17 Set of Recommendations

 [Figure: structure of the Q.17/17 Recommendations, e-mail spam on the left,
  IP multimedia spam on the right, with input from other SDOs]
   • Requirement on countering spam (X.csreq): Draft
   • Framework Recommendations:
     Technical framework for countering email spam (X.fcs): Draft
     IP multimedia application area: TBD
   • Technology Recommendations:
     Technical means for countering spam (X.tcs): TBD
     Technical means for countering IP multimedia spam (X.tcs): TBD
   • Guideline on countering email spam (X.gcs): Draft
   • Overview of countering spam for IP multimedia application (X.ocsip)
   • Other SDOs
Q.17/17 Brief Summaries of draft
     Recommendations 1/3

 X.gcs, Guideline on countering email spam
  Specifies technical issues on countering e-mail spam. It provides the current
  technical solutions and related activities from various SDOs and relevant
  organizations on countering e-mail spam. The purpose of the
  Recommendation is to provide useful information to the users who want to
  find technical solutions on countering e-mail spam and it will be used as a
  basis for further development of technical Recommendations on countering
  email spam.
 X.ocsip, Overview of countering spam for IP multimedia
  Specifies basic concepts, characteristics, and effects of spam in IP
  multimedia applications such as IP telephony, video on demand, IPTV,
  instant messaging, multimedia conference, etc. It will provide technical
  issues, requirements for technical solutions, and various activities on
  countering spam for IP multimedia applications. It will provide a basis and
  guideline for developing further technical solutions on countering spam.
 Q.17/17 Brief Summaries of draft
      Recommendations 2/3

 X.csreq, Requirement on countering spam
  Requirements on countering spam are clarified in this Recommendation.
  There are many types of spam, such as email spam, mobile messaging
  spam and IP multimedia spam. Various types of spam may have both
  common and specific requirements on countering it. For one type of spam,
  the requirement in different entities should also be clarified.
 X.fcs, Technical framework for countering email spam
  Specifies the technical framework for network structure for countering spam.
  Functions inside the framework are defined. It also provides universal rules
  of distinguishing spam from other emails and the common methods of
  countering email spam.
 X.tcs, Technical means for countering spam
  Communication networks are evolving, more services are emerging, and the
  capabilities of spammers are growing. Moreover, no single technical means
  currently performs perfectly at countering spam. It may therefore be
  necessary to propose new technical countermeasures.
  Q.17/17 Brief Summaries of draft
       Recommendations 3/3
 X.fcsip, Framework of countering IP multimedia spam
  Specifies the general architecture of a countering spam system for IP
  multimedia applications such as IP telephony, instant messaging, multimedia
  conference, etc. It will provide the functional blocks of the network
  entities necessary to counter spam and their functionalities, and describe
  interfaces among the entities. To build a secure session against spam
  attacks, user terminals and edge service entities such as proxy servers or
  application servers will be extended to have spam control functions. Shown
  are the interfaces between these extended peer entities, and the interfaces
  with other network entities which can be involved in countering spam.
 X.tcs-1, Interactive countering spam gateway system
  Specifies an interactive countering spam gateway system as a technical means
  for countering various types of spam. The gateway system enables spam
  notification from the receiver's gateway to the sender's gateway, and
  prevents spam traffic from crossing the network. This specification defines
  the architecture of the countering spam gateway system, describes basic
  entities, protocols and functions, and provides mechanisms for spam
  detection, countering spam information sharing, and countering spam actions
  of the gateway systems.
ITU-T SG 4 work on security
  SG 4: Security Management

 To complement the M.3016 series on Security of the
  Management Plane which is focused on interfaces, SG 4
  has initiated new work on Security Management Systems
  (SMS). It is viewed as a key addition to support NGN
 Based on equivalent work in ATIS TMOC, M.sec-mgmt-sys
  is expected to
   – Draw on security concepts from X.800 and X.805
   – Describe the logical SMS architecture to be realized in one or
     more physical systems
   – Describe the managed network elements supported by SMS
   – Specify the SMS functional requirements
 As with the M.3016 series, a proforma will be provided as a
  template for other SDOs and forums to indicate for their
  membership what parts of M.sec-mgmt-sys are mandatory
  or optional
ITU-T SG 11 work on security
SG 11: Security signaling protocol
draft Recommendation in progress

 Draft Recommendation Q.3201 (formerly Q.NGN-nacf-sec),
  EAP-based security signaling protocol architecture for
  network attachment
   • Describes the security signalling requirements and protocol
     architecture for supporting access security aspect of network
     attachment in NGN environment. Basic threats and security
     requirements for the attachment of NGN access networks are
     analyzed, and a model of an EAP-based security signalling
     protocol architecture accommodating heterogeneous multi-links
     in NGN access environment is presented. Based on it, three
     feasible scenarios for authentication signalling in NGN network
     attachment control function are developed.
ITU-T SG 13 work on security
 Q.15/13
 All SG 13 Recommendations have a section on
      Q.15/13 NGN Security

 Y.2701, Security requirements for NGN release 1
 Y.NGN Authentication
 Y.NGN Security Mechanisms, NGN Security
  Mechanisms and Procedures
 Y.NGN, Certificate Management
 Y.NGN AAA, The Application of AAA Service for
  network access control in UNI and ANI over NGN
 Y. IdMsec, NGN Identity Management Security
 Y.2701, Security requirements for
  NGN release 1 (pre-published)

 Provides security requirements for Next Generation Networks
  (NGNs) and their interfaces (e.g., UNIs, NNIs and ANIs) by
  applying ITU-T Recommendation X.805, Security architecture
  for systems providing end-to-end communications to ITU-T
  Recommendation Y.2201, NGN release 1 requirements and
  ITU-T Recommendation Y.2012, Functional requirements and
  architecture of the NGN.
 Specifies a trust model that is based on network elements
  (physical boxes) that support the functional entities defined in
  ITU-T Recommendation Y.2012.
 Specifies requirements, which should be treated as a
  minimum set of security requirements. The NGN network
  providers are encouraged to take additional measures beyond
  those specified in the Recommendations for NGN security.
      Y.NGN Authentication 1/2
 Specifies authentication and authorization requirements for
  Next Generation Networks (NGNs) based on the ITU-T NGN
  release 1 Requirements and NGN Architecture (FRA). This
  includes requirements for one-way and mutual authentication
  and authorization across the User-to-Network Interface (UNI),
  the Network-to-Network Interface (NNI) and the Application-to-
  Network Interface (ANI). The scope of this Recommendation covers:
    • Authentication and authorization of users for network access
      (e.g., authentication and authorization of an end user device, a
      home network gateway, or an enterprise gateway to obtain
      access or attachment to the network)
    • Service provider authentication and authorization of users for
      access to a service/application (e.g., authentication and
      authorization of an user, a device or a combined user/device
      where the authentication and authorization applies to NGN
      service/application access)
  Y.NGN Authentication 2/2

• Service provider authentication and authorization of users for
  access to a specific service/application (e.g., ETS and TDR-
  specific authentication and authorization)
• User authentication and authorization of a network (e.g., user
  authenticating the identity of the NGN network or of the service
• User peer-to-peer authentication and authorization (e.g.,
  authentication and authorization of the called user (or terminating
  entity), authentication and authorization of the originating entity,
  or data origin authentication as network functions)
• Mutual network authentication and authorization (e.g.,
  authentication and authorization across NNI interface at the
  transport level, or service/application level)
• Authentication and authorization of a 3rd party
  service/application Provider
• Use of a 3rd party authentication and authorization service
  Y.NGN Security Mechanisms,
 NGN Security Mechanisms and Procedures
 Describes specific security mechanisms that should be used
  to realize the requirements of Y.2701, Security Requirements
  for NGN release 1. It covers the following security subjects :
   • Identification and authentication
   • Media security
   • Audit trail, trapping, and logging systems
   • Transport security for signalling and OAMP (Operations,
     Administration, Maintenance, and Provisioning)
   • CPE (Customer Premises Equipment) provisioning
 Y.NGN, Certificate Management

 Defines procedures for managing the X.509 certificates used
  for providing NGN security
 Specifies the use of X.509 certificates for authentication of the
  NGN network elements based on policy and business
 Y.NGN AAA, The Application of
AAA Service for network access
control in UNI and ANI over NGN

 Specifies the authentication and authorization procedures for
  the NGN. It is based on the principles established in ITU-T
  Recommendations Y.2701, Security requirements for NGN
  release 1 and Y.2012, Functional requirements and
  architecture of the NGN. Y.NGN AAA provides
  recommendations on authentication and authorization across
  the User-to-Network Interface (UNI) and the Application-to-
  Network Interface (ANI)
       Y.IdMsec, NGN Identity
       Management Security

 Describes the fundamental concepts associated with NGN
  Identity Management
 Provides a framework for Identity Management that is based
  on the NGN Functional Requirements and Architecture (FRA)
  release 2. This IdM framework is applicable to all NGN
  entities (e.g., service providers, network providers, network
  elements, users and user’s equipment)
 Outlines the threats and risks to Identity Management within
  an NGN environment
 Describes trust models for Identity Management within an
  NGN environment
 Specifies security objectives and requirements for NGN
  Identity Management
 Q.15/13’s Major Contributions on
  Security to the Work of other
   Questions and Study Groups

 Q.15/13 led the development of the Security Considerations
  and Requirements section of ITU-T Recommendation Y.2111,
  Resource and admission control functions in Next Generation
  Networks (Y.2111 was developed by Q.4/13)
 Q.15/13 participated in the development of the ITU-T
  Recommendation EAP-Based Security Signaling Protocol
  Architecture for Network Attachment (the Recommendation is
  being developed by Q.7/11)
ITU-T SG 16 Work on Security
    Q.25/16 “Multimedia Security in
      Next-Generation Networks”

       Study Group 16 concentrates on multimedia systems.
       Q.25/16 focuses on the application-security issues of
        MM applications in next generation networks
       Standardizes multimedia security
       So far Q.25/16 has been standardizing MM-security for
        the “1st generation MM/pre-NGN-systems”:
    •      H.323/H.248-based systems
    •      H.235 sub-series Recommendations provide a framework and a
           set of requirements for multimedia systems
                            Evolution of H.235

 [Figure: H.235 timeline 1996-2006 plotted against H.323 versions v1 to v6]
   • Core security framework: draft H.235 (1996), approved alongside H.323v2
   • 1st deployment: security profiles Annex D and Annex E started
   • Consolidation: Annex D and Annex E approved; Annex F and H.530 consented
     (around H.323v4, 2000-2002)
   • Improvement and additions: H.235v3 with Annex I, H.235v3 Amd1 with
     Annex H, H.235 Annex G (around H.323v5, 2003-2004)
   • Reorganization: H.235.0 ~ H.235.9 sub-series (H.323v6, 2005-2006)
      H.235 V4 sub-series

   Major restructuring of H.235v3 Amd.1 and annexes in
    stand-alone sub-series Recommendations
   H.235.x sub-series specify scenario-specific MM-
    security procedures as H.235-profiles for H.323
   Some new parts added
   Some enhancements and extensions
   Incorporated corrections
   Approved in September 2005
           H.323 Security
        Recommendations 1/4

   H.235.0, Security framework for H-series (H.323 and other
    H.245-based) multimedia systems
       Overview of H.235.x sub-series and common procedures with
        baseline text

   H.235.1, Baseline Security Profile
       Authentication & integrity for H.225.0 signaling using shared

   H.235.2, Signature Security Profile
       Authentication & integrity for H.225.0 signaling using X.509
        digital certificates and signatures
               H.323 Security
            Recommendations 2/4

           H.235.3 (enhanced), Hybrid Security Profile
               Authentication & integrity for H.225.0 signaling using an
                optimized combination of X.509 digital certificates, signatures
                and shared secret key management;
                specification of an optional proxy-based security processor
           H.235.4, Direct and Selective Routed Call Security
               Key management procedures in corporate and in interdomain
                environments to obtain key material for securing H.225.0 call
                signaling in GK direct-routed/selective routed scenarios
                  H.323 Security
               Recommendations 3/4

              H.235.5, Framework for secure authentication in RAS
               using weak shared secrets
                  Secured password (using EKE/SPEKE approach) in
                   combination with Diffie-Hellman key agreement for stronger
                   authentication during H.225.0 signaling
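As an added example (not code from H.235.5 or any ITU-T Recommendation), the following Python shows the SPEKE idea the profile builds on: the Diffie-Hellman generator is derived from the shared password, so a party that does not hold the password ends up with a different key, and the exchanged values alone give an eavesdropper nothing to run an offline dictionary attack against. The group (a toy 256-bit safe prime generated at start; H.235.5 and real deployments use far larger, standardized groups), the SHA-256/HMAC choices, the party names "endpoint" and "gatekeeper", the salt and the message layout are assumptions of this example, not H.235.5's encodings.

```python
# Added example: SPEKE-style password-authenticated Diffie-Hellman with key
# confirmation. Not code from H.235.5; group size, hash, names and layout are
# this example's assumptions.
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for a demonstration group."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int) -> int:
    """p = 2q + 1 with p and q prime, so the squares mod p form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


P = gen_safe_prime(256)            # toy size; real groups are 2048 bits or more
Q = (P - 1) // 2
NBYTES = (P.bit_length() + 7) // 8


def password_generator(password: str, salt: bytes) -> int:
    """SPEKE: derive the DH generator from the password and square it into the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big")
    return pow(h, 2, P)


class SpekeParty:
    def __init__(self, name: bytes, password: str, salt: bytes) -> None:
        self.name = name
        self.g = password_generator(password, salt)
        self.x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, q-1]
        self.public = pow(self.g, self.x, P)          # the value sent to the peer
        self.key = b""

    def derive_key(self, peer_public: int) -> bytes:
        # Reject trivial values and anything outside the prime-order subgroup:
        # a small-order element from an attacker would otherwise leak bits of x.
        if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
            raise ValueError("peer public value is not in the order-q subgroup")
        shared = pow(peer_public, self.x, P)
        self.key = hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()
        return self.key

    def confirm_tag(self, sender: bytes, sender_public: int, receiver_public: int) -> bytes:
        """Key-confirmation MAC over the transcript; a wrong password gives a different key and fails here."""
        transcript = sender + sender_public.to_bytes(NBYTES, "big") + receiver_public.to_bytes(NBYTES, "big")
        return hmac.new(self.key, b"speke-demo-confirm" + transcript, hashlib.sha256).digest()


def run_speke(password_endpoint: str, password_gatekeeper: str) -> dict:
    """Run one exchange; both sides accept only if they hold the same password."""
    salt = b"constructed-salt"                        # constructed; use a per-identity value in practice
    ep = SpekeParty(b"endpoint", password_endpoint, salt)
    gk = SpekeParty(b"gatekeeper", password_gatekeeper, salt)
    ep.derive_key(gk.public)
    gk.derive_key(ep.public)
    tag_ep = ep.confirm_tag(ep.name, ep.public, gk.public)   # endpoint -> gatekeeper
    tag_gk = gk.confirm_tag(gk.name, gk.public, ep.public)   # gatekeeper -> endpoint
    # Each side recomputes what the peer must have sent under its own key.
    gk_accepts_ep = hmac.compare_digest(tag_ep, gk.confirm_tag(ep.name, ep.public, gk.public))
    ep_accepts_gk = hmac.compare_digest(tag_gk, ep.confirm_tag(gk.name, gk.public, ep.public))
    return {"keys_match": ep.key == gk.key, "gk_accepts_ep": gk_accepts_ep, "ep_accepts_gk": ep_accepts_gk}


if __name__ == "__main__":
    print(run_speke("correct horse", "correct horse"))
    print(run_speke("correct horse", "wrong horse"))
```

Two checks matter in practice and are easy to drop: the subgroup test in derive_key, since the same password-derived generator is reused across sessions and a small-order value from an active attacker would otherwise leak bits of the private exponent, and the explicit key confirmation, since without it a party with the wrong password only discovers the mismatch when later traffic fails to decrypt.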

               H.235.6 (modified), Voice encryption profile with native
                H.235/H.245 key management
                   Key management and encryption mechanisms for RTP
              H.323 Security
           Recommendations 4/4

      H.235.7, Usage of the MIKEY Key Management Protocol for
       the Secure Real Time Transport Protocol (SRTP) within H.235
            Usage of the MIKEY key management for SRTP

     H.235.8, Key Exchange for SRTP using secure Signalling
            SRTP keying parameter transport over secured signaling
            channels (IPsec, TLS, CMS)
     H.235.9, Security Gateway Support for H.323
           Discovery of H.323 Security Gateways
            (SG = H.323 NAT/FW ALG) and key management for H.225.0
    Other SG16 MM-SEC Results

    H.350.2 (2003), Directory services architecture for H.235
         An LDAP schema to represent H.235 elements (passwords,
          certificates, ID information)
   H.530 (Revision 2003), Symmetric security procedures for
    H.323 mobility in H.510
        Authentication, access control and key management in
         mobile H.323-based corporate networks
   Draft H.460.22 (Jan. 2007), Security protocol negotiation
        Negotiate security protocols (IPsec or TLS or others) for
         H.323 signaling
Q.5/16 (H.300 NAT/FW Traversal)
           Results 1/2

   H.460.18 (Sep. 2005), Traversal of H.323 signalling across
    FWs and NATs
       H.323 protocol enhancements and new client/server proxies to
        allow H.323 signalling protocols traverse NATs & FWs;
        H.323 endpoints can remain unchanged

   H.460.19 (Sep. 2005), NAT & FW traversal procedures for
    RTP in H.323 systems
       Uses multiplexed RTP media mode and symmetric RTP in
        conjunction with H.460.18 as a short-term solution
    More Q.5/16 Results 2/2

   Technical Paper (2005), Requirements for Network Address
    Translator and Firewall Traversal of H.323 Multimedia
       Documentation of scenarios and requirements for NAT & FW
        traversal in H.323

   Technical Paper (2005), Firewall and NAT traversal
    Problems in H.323 Systems
       An analysis of scenarios and various problems encountered by
        H.323 around NAT & FW traversal
          New Q.25/16 items
        under current study 1/2

   Study Anti-DDoS (Denial-of-Service) countermeasures for
    (H.323-based) NAT/FW proxy and MM applications
   Security for MM-QoS (
   MM security aspects of Vision “H.325”
    Advanced Multimedia Systems (AMS)
         Goal: MM-security for “H.325”,
          MM security for Audiovisual on Demand services, Multimedia
          Conferencing, Distance learning,..
            New Q.25/16 items
           under current study
       Study Multimedia-Security aspects of Digital Rights
        Management (MM-DRM)
    •      What does MM-DRM mean?
    •      Understand DRM security needs for MM content of MM
           applications (e.g. IPTV,…)
    •      Contributions are solicited
    •      Which other groups are active/interested in this area?
       Draft H.proxy
          Goal: Specify proxy-aided NAT/firewall traversal mechanism
           as a NAT traversal solution for H.323 multimedia systems
          Intended for Consent in July 2007
            SG 16: Summary

       Multimedia systems and applications as
        being studied by SG 16 face important
        security challenges:
    •     MM-security and NAT/FW traversal
       Q.25/16 and Q.5/16 are addressing these
        issues and have provided various
       The work continues in the scope of
        NGN-Multimedia Security
