presented at Telecom 2013
Download
Report
Transcript presented at Telecom 2013
ITU-T Study Groups’
Security Achievements
and Security Activities
11 November 2013
ITU-T Study Groups
TSAG
SG 2 Numbering
Performance, QoS,
SG 12 QoE
SG 3 Tariffs, Policy
Future Networks,
SG 13 Cloud Computing
Climate Change
SG 5 & Environment
Review
Committee
Access, Transport,
SG 15 Home Networks
SG 9 BB Cable TV
SG 16 Multimedia
Protocols
SG 11 & Testing
SG 17 Security
2/40
ITU-T SG2
Security Recommendations
TMN security:
Security for the management plane (M.3016.x)
IMT-2000 security management (M.3210.1)
M.3210.1 - Fraud Management for Wireless Services
Visited
network
fraud
detection
system
x
0
Fraud
detection
system
1
4
Home
network
2
3
Visited
networks
x
Home network
fraud detection
system
0 FDS invocation from outside
1 Request for FIGS
(fraud information gathering
System) monitoring
2 Request for FIGS monitoring
3 FIGS data
4 FIGS data
a)
1
2
3
4
5
6
7
3
4
Home
network
7
1
2
5
6
Visited
networks
Fraud suspicion information
Fraud suspicion information
Fraud suspicion information
Request FIGS monitoring
Request FIGS monitoring
FIGS data
FIGS data
b)
SecMan(11)_F20
3/58
ITU-T SG9
Security Recommendations
Cable Modem security (J.112)
IPCablecom security:
IPCablecom security (J.170)
IPCablecom2 Access Security (J.366.7)
IPCablecom2 IP Multimedia Subsystem (IMS): Generic authentication
architecture specification (J.366.9)
Renewable conditional access system (J.1002)
J.170 - IPCablecom component reference model
4/58
ITU-T SG13
Security Recommendations
Next Generation Network security:
NGN security (Y.2701, Y.2702, Y.2703, Y.2704)
Secure mobile financial transactions in next generation networks
(Y.2740, Y.2741)
Mobility security framework in NGN (Y.2760)
Requirements for deep packet inspection in next generation networks
(Y.2770)
5/58
ITU-T SG13 (cnt’d)
Security Recommendations
NGN Identity management (Y.2720, Y.2721, Y.2722).
Support for OAuth in NGN (draft Y.2723, Y.NGN-OAuth)
Framework for NGN support and use of OpenID and Oauth (Draft
Y.2724, Y.NGN-OOF)
Emergency Telecommunications Service security requirements
(Y.2705)
6/58
ITU-T SG15
Security Recommendations
Optical safety procedures & requirements for optical
transport systems (ITU-T G.664)
Generic protection switching: Linear trail and subnetwork
protection, ring protection, Shared mesh protection
(G.808.1, G.808.2, G.808.3)
SDH network protection architectures (G.841, G.842
Linear, ring protection in Optical Transport Network (OTN)
(G.873.1, G.873.2)
Ethernet linear, ring protection switching (G.8031/Y.1342,
G.8032/Y.1344)
MPLS-TP linear protection (G.8131/ Y.1382)
7/58
ITU-T SG16
Security Recommendations
Security capabilities for use with Group 3 facsimile terminals
(T.36)
Confidentiality and key management for ISDN audio visual
(H.233, H.234)
Security for H.323: (H.235.x)
Network Address Translation for H.323 (H.460.18, H.460.19)
Secure JPEG 2000 (T.807)
NAT/FW traversal in ITU-T H.460.18 architecture
8/58
ITU-T SG16 (cnt’d)
Security Recommendations
Security in ITU-T H.323 as provided by ITU-T H.235
9/58
SG17 mandate established by World Telecommunication
Standardization Assembly (WTSA-12)
WTSA-12 decided the following for Study Group 17:
Title: Security
Responsible for building confidence and security in the use of information and
communication technologies (ICTs). This includes studies relating to cybersecurity, security
management, countering spam and identity management. It also includes security
architecture and framework, protection of personally identifiable information, and security
of applications and services for the Internet of things, smart grid, smartphone, IPTV, web
services, social network, cloud computing, mobile financial system and telebiometrics. Also
responsible for the application of open system communications including directory and
object identifiers, and for technical languages, the method for their usage and other issues
related to the software aspects of telecommunication systems, and for conformance
testing to improve quality of Recommendations.
Lead Study Group for:
– Security
– Identity management
– Languages and description techniques
Responsible for specific E, F, X and Z series Recommendations
Responsible for 12 Questions
10/58
SG17 Management Team
Chairman
Arkadiy KREMER
Russian Federation
ViceChairmen
Khalid BELHOUL
United Arab Emirates
Mohamed M.K. ELHAJ
Sudan
Antonio GUIMARAES
Brazil
George LIN
P.R. China
Patrick MWESIGWA
Uganda
Koji NAKAO
Japan
Mario FROMOW RANGEL
Mexico
Sacid SARIKAYA
Turkey
Heung Youl YOUM
Korea (Republic of)
11/58
Study Group 17 Overview
Primary focus is to build confidence and security in the use of
Information and Communication Technologies (ICTs)
Meets twice a year. Last meeting had 131 participants from 22
Member States, 12 Sector Members and 5 Associates.
As of 14 October 2013, SG17 is responsible for 330 approved
Recommendations, 18 approved Supplements and 3 approved
Implementer’s Guides in the E, F, X and Z series.
Large program of work:
• 12 new work items added to work program in 2013
• September 2013 meeting: approved 1 Recommendations, and 1
Amendment; 6 Recommendations and one Corrigendum in TAP
• 89 new or revised Recommendations and other texts are under
development for approval in January 2014 or later
Work organized into 5 Working Parties with 12 Questions
7 Correspondence groups operating,
See SG17 web page for more information
http://itu.int/ITU-T/studygroups/com17
12/58
SG17, Security
Study Group 17
WP 1/17
WP 2/17
WP 3/17
WP 4/17
WP 5/17
Fundamental
security
Network and
information
security
IdM + Cloud
Computing
Security
Application
security
Formal
languages
Q1/17
Q4/17
Q8/17
Q6/17
Q11/17
Telecom./ICT
security
coordination
Cybersecurity
Cloud
Computing
Security
Ubiquitous
services
Directory,
PKI, PMI,
ODP, ASN.1,
OID, OSI
Q2/17
Q5/17
Q10/17
Q7/17
Q12/17
Security
architecture and
framework
Countering spam
IdM
Applications
Languages +
Testing
Q3/17
Q9/17
ISM
Telebiometrics
13/58
SG17, Working Party Structure
•
WP 1 “Fundamental security”
Chairman: Koji NAKAO
– Q1/17
Telecommunication/ICT security coordination
– Q2/17
Security architecture and framework
– Q3/17
Telecommunication information security management
•
WP 2 “Network and information security”
– Q4/17
Cybersecurity
– Q5/17
Countering spam by technical means
•
WP 3 “Identity management and cloud computing security” Chairman: Heung Youl YOUM
– Q10/17
Identity management architecture and mechanisms
– Q8/17
Cloud computing security
•
WP 4 “Application security”
Chairman: Antonio GUIMARAES
– Q6/17
Security aspects of ubiquitous telecommunication services
– Q7/17
Secure application services
– Q9/17
Telebiometrics
•
WP 5 “Formal languages”
Chairman: George LIN
– Q11/17
Generic technologies to support secure applications
– Q12/17
Formal languages for telecommunication software and testing
14/58
Chairman: Sacid SARIKAYA
Study Group 17 is the Lead Study Group on:
● Security
● Identity
management (IdM)
● Languages and description techniques
A study group may be designated by WTSA or TSAG as the lead study group
for ITU-T studies forming a defined programme of work involving a number
of study groups.
This lead study group is responsible for the study of the appropriate core
Questions.
In addition, in consultation with the relevant study groups and in
collaboration, where appropriate, with other standards bodies, the lead
study group has the responsibility to define and maintain the overall
framework and to coordinate, assign (recognizing the mandates of the study
groups) and prioritize the studies to be carried out by the study groups, and
to ensure the preparation of consistent, complete and timely
Recommendations.
* Extracted from WTSA-12 Resolution 1
15/58
SG17 is “Parent” for Joint Coordination Activities (JCAs) on:
● Identity management
● Child
online protection
A joint coordination activity (JCA) is a tool for management of the work
programme of ITU-T when there is a need to address a broad subject
covering the area of competence of more than one study group. A JCA
may help to coordinate the planned work effort in terms of subject matter,
time-frames for meetings, collocated meetings where necessary and
publication goals including, where appropriate, release planning of the
resulting Recommendations.
The establishment of a JCA aims mainly at improving coordination and
planning. The work itself will continue to be conducted by the relevant
study groups and the results are subject to the normal approval processes
within each study group. A JCA may identify technical and strategic issues
within the scope of its coordination role, but will not perform technical
studies nor write Recommendations. A JCA may also address coordination
of activities with recognized standards development organizations (SDOs)
and forums, including periodic discussion of work plans and schedules of
deliverables. The study groups take JCA suggestions into consideration as
they carry out their work.
* Extracted from Recommendation ITU-T A.1
16/58
ITU-T Joint Coordination Activity on Identity Management
(JCA-IdM)
Coordinates of the ITU-T identity management (IdM) work.
Ensures that the ITU-T IdM work is progressed in a well-coordinated way between
study groups, in particular with SG2, SG13 and SG17.
Analyzes IdM standardization items and coordinates an associated roadmap with ITUT Q10/17.
Acts as a point of contact within ITU-T and with other SDOs/Fora on IdM in order to
avoid duplication of work and assist in implementing the IdM tasks assigned by
WTSA-12 Resolution 2 and in implementing GSC-16 Resolution 4 on identity
management.
In carrying out the JCA-IdM’s external collaboration role, representatives from other
relevant recognized SDOs/Fora and regional/national organizations may be invited to
join the JCA-IdM.
Maintains IdM roadmap and landscape document/WIKI.
JCA-COP co-chairmen:
Mr. Jon Shamah, United Kingdom,
Mr. Hiroshi Takechi, LAC Co., Ltd, Japan.
17/58
ITU-T Joint Coordination Activity on Child Online Protection
(JCA-COP)
Purpose and objectives:
co-ordinates activity on COP across ITU-T study groups, in particular Study Groups 2, 9, 13,
15, 16 and 17, and coordinates with ITU-R, ITU-D and the Council Working Group on Child
Online Protection
provides a visible contact point for COP in ITU-T.
cooperates with external bodies working in the field of COP, and enables effective two-way
communication with these bodies
Tasks:
Maintain a list of representatives for COP in each study group
Exchange information relevant to COP between all stakeholders.
Promote a coordinated approach towards any identified and necessary areas of
standardization
Address coordination of activity with relevant SDOs and forums, including periodic
discussion of work plans and schedules of deliverables on COP (if any)
JCA-COP co-chairmen:
– Ms Ashley Heineman, United States,
– Mr Philip Rushton, United Kingdom.
18/58
SG 17 Lead Study Group roles - Coordination & Collaboration
3 Lead Study Group responsibilities:
Security,
Identity management, and
Languages and description techniques
Joint Coordination Activity on Identity Management
(JCA-IdM)
Joint Coordination Activity on Child Online Protection
(JCA-COP)
The two JCAs will run in conjunction with ITU-T SG17 meeting
(15 – 24 January 2014)
19/40
ITU-T SG17
Security Recommendations
Security architecture:
OSI security architecture (X.800)
OSI security models (X.802, X.803, X.830, X.831, X.832, X.833, X.834, X.835)
OSI security frameworks for open systems (X.810, X.811, X.812, X.813, X.814,
X.815, X.816, X.841)
Security architecture for systems providing end-to-end communications (X.805)
Security architecture aspects (X.1031, X.1032)
IP-based telecommunication network security system (TNSS) (X.1032)
Security architectural elements in Recommendation ITU-T X.805
20/58
ITU-T SG17 (cnt’d)
Security Recommendations
Fast infoset security (X.893)
Public Key Infrastructure
and Trusted Third Party
Services:
Public-key and attribute
certificate frameworks
(X.509)
Guidelines for the use of
Trusted Third Party services
(X.842)
Specification of TTP services
to support the application of
digital signatures (X.843)
21/58
ITU-T SG17 (cnt’d)
Security Recommendations
Security protocols:
EAP guideline (X.1034)
Password authenticated key exchange protocol (X.1035)
Technical security guideline on deploying IPv6 (X.1037)
Guideline on secure password-based authentication protocol with key
exchange (X.1151)
Secure end-to-end data communication techniques using trusted third
party services (X.1152)
Management framework of a one time password-based authentication
service (X.1153)
General framework of combined authentication on multiple identity
service provider environments (X.1154)
Non-repudiation framework based on a one time password (X.1156)
OSI Network + transport layer security protocol (X.273, X.274)
22/58
ITU-T SG17 (cnt’d)
Security Recommendations
Information Security Management:
Information Security Management System (X.1051, X.1052)
Governance of information security (X.1054)
Risk management and risk profile guidelines (X.1055)
Security incident management guidelines (X.1056)
Asset management guidelines (X.1057)
X.1052 - Information Security
Management
X.1055 - Risk management
process
23/58
X.1057 - Asset management
process
ITU-T SG17 (cnt’d)
Security Recommendations
Incident organization and security incident handling: Guidelines
for telecommunication organizations (E.409)
X.1056 - Five high-level incident
management processes
E.409 - pyramid of events and incidents
ITU-T SG17 (cnt’d)
Security Recommendations
Telebiometrics:
e-Health generic telecommunication protocol (X.1081.1)
telebiometric multimodal framework model (X.1081)
BioAPI interworking protocol (X.1083)
General biometric authentication protocol (X.1084, X.1088)
Telebiometrics authentication infrastructure (X.1089)
Telebiometric authentication
of an end user
Biometric-key generation
25/58
ITU-T SG17 (cnt’d)
Security Recommendations
Multicast security requirements (X.1101)
Home network security (X.1111, X.1112, X.1113, X.1114)
X.1113 - Authentication service flows for the home network
26/58
ITU-T SG17 (cnt’d)
Security Recommendations
Secure mobile systems (X.1121, X.1122, X.1123, X.1124,
X.1125)
X.1121 - Threats in the mobile end-to-end communications
27/58
ITU-T SG17 (cnt’d)
Security Recommendations
Peer-to-peer security (X.1161, X.1162, X.1164)
IPTV security and content protection (X.1191-X.1198)
X.1191 - General security architecture for IPTV
28/58
ITU-T SG17 (cnt’d)
Security Recommendations
Web Security:
Security Assertion Markup Language (X.1141)
eXtensible Access Control Markup Language (X.1142, X.1144)
Security architecture for message security in mobile web services (X.1143)
X.1141 - Basic template for achieving SSO
29/58
ITU-T SG17 (cnt’d)
Security Recommendations
Networked ID security:
Threats and requirements for protection of personally identifiable
information in applications using tag-based identification (X.1171)
X.1171 - PII infringement
through information
leakage
X.1171 - General PII protection service (PPS) service flow
30/58
ITU-T SG17 (cnt’d)
Security Recommendations
Ubiquitous sensor network security:
Information technology – Security framework for ubiquitous sensor
networks (X.1311)
Ubiquitous sensor network middleware security guidelines (X.1312)
Security requirements for wireless sensor network routing (X.1313)
X.1311 - Security model for USN
X.1312 - Security functions
for USN middleware
31/58
ITU-T SG17 (cnt’d)
Security Recommendations
Incident organization and security incident handling:
Guidelines for telecommunication organizations (E.409)
E.409 - pyramid of events and incidents
Cloud computing security:
Security framework for cloud computing (draft X.1600 , X.ccsec)
32/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBERSPACE SECURITY – Cybersecurity:
Overview of cybersecurity (X.1205)
A vendor-neutral framework for automatic notification of security
related information and dissemination of updates (X.1206)
Guidelines for telecommunication service providers for addressing
the risk of spyware and potentially unwanted software (X.1207)
A cybersecurity indicator of risk to enhance confidence and security
in the use of telecommunication/information and communication
technology (draft X.1208, X.csi)
Capabilities and their context scenarios for cybersecurity
information sharing and exchange (X.1209)
Overview of source-based security troubleshooting mechanisms for
Internet protocol-based networks (draft X.1210 , X.trm)
Emergency communications:
Common alerting protocol (CAP 1.1) (X.1303)
33/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBERSECURITY INFORMATION EXCHANGE (CYBEX):
Overview of cybersecurity information exchange (X.1500)
Procedures for the registration of arcs under the object identifier arc for
cybersecurity information exchange (X.1500.1)
Common vulnerabilities and exposures (X.1520)
X.1500 - CYBEX model
34/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBEX vulnerability/state exchange:
Common vulnerability scoring system (X.1521)
Common weakness enumeration (X.1524)
Open vulnerability and assessment language (X.1526)
Common platform enumeration (X.1528.x)
X.1521 - CVSS metric groups
35/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBEX event/incident/heuristics exchange:
Incident object description exchange format (X.1541)
Common attack pattern enumeration and classification (X.1544)
Malware attribute enumeration and classification (X.1546 , X.maec)
36/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBEX identification and discovery:
Discovery mechanisms in the exchange of cybersecurity information
(X.1570)
X.1570 - Cybersecurity operational information ontology
37/58
ITU-T SG17 (cnt’d)
Security Recommendations
CYBEX event/incident/heuristics exchange:
Incident object description exchange format (X.1541)
Common attack pattern enumeration and classification (X.1544)
Malware attribute enumeration and classification (X.1546 , X.maec)
CYBEX identification and discovery:
Discovery mechanisms in the exchange of cybersecurity information
(X.1570)
CYBEX assured exchange:
Real-time inter-network defence (X.1580)
Transport of real-time inter-network defence messages (X.1581)
Transport protocols supporting cybersecurity information exchange
(Draft X.1582, X.cybex-tp)
38/58
ITU-T SG17 (cnt’d)
Security Recommendations
Countering spam:
Technical strategies for countering spam (X.1231)
Technologies involved in countering email spam (X.1240)
Technical framework for countering email spam (X.1241)
Short message service (SMS) spam filtering system based on userspecified rules (X.1242)
Interactive gateway system for countering spam (X.1243)
Overall aspects of countering spam in IP-based multimedia
applications (X.1244)
Framework for countering spam in IP-based multimedia
applications (X.1245)
Note: These Recommendations do not address the content-related
aspects of telecommunications (ref. ITR 2012).
39/58
ITU-T SG17 (cnt’d)
Security Recommendations
X.1231 - General model
for countering spam
X.1241 - General structure of
e-mail anti-spam processing domain
X.1245 - Framework for countering IP media spam
40/58
ITU-T SG17 (cnt’d)
Security Recommendations
Identity management (IdM):
Baseline capabilities for enhanced global identity management and
interoperability (X.1250)
A framework for user control of digital identity (X.1251)
Baseline identity management terms and definitions (X.1252)
Security guidelines for identity management systems (X.1253)
Entity authentication assurance framework (X.1254)
Framework for discovery of identity management information (X.1255)
Guidelines on protection of personally identifiable information in the
application of RFID technology (X.1275)
41/58
ITU-T SG17 (cnt’d)
Security Recommendations
X.1254 - Overview of the entity authentication assurance framework
Level
1 – Low
2 – Medium
3 – High
4 – Very high
Description
Little or no confidence in the claimed or asserted identity
Some confidence in the claimed or asserted identity
High confidence in the claimed or asserted identity
Very high confidence in the claimed or asserted identity
X.1254 - Levels of assurance
42/58
Security Project
Security Coordination
• Coordinate security matters within SG17, with ITU-T SGs,
ITU-D and externally with other SDOs
• Maintain reference information on LSG security webpage
ICT Security Standards Roadmap
• Searchable database of approved ICT security standards from
ITU-T, ISO/IEC, ETSI and others
Security Compendium
• Catalogue of approved security-related Recommendations
and security definitions extracted from approved
Recommendations
ITU-T Security Manual
• 5th edition published in 2013
43/40
Question 1/17
Telecommunication/ICT security coordination
Security Coordination
• Coordinate security matters within SG17, with ITU-T SGs,
ITU-D, ITU-R and externally with other SDOs
• Maintain reference information on LSG security webpage
ICT Security Standards Roadmap
• Searchable database of approved ICT security standards from
ITU-T, ISO/IEC, ETSI and others
Security Compendium
• Catalogue of approved security-related Recommendations
and security definitions extracted from approved
Recommendations
ITU-T Security Manual
• 5th edition was published in January 2013
Promotion (ITU-T security work and attract participation)
Security Workshops
44/58
Question 1/17 (cnt’d)
Telecommunication/ICT security coordination
SG17 Strategic Plan / Vision for SG17
Internal SG17 Coordination
SDN security
Future Network security
Verification process for cryptographic protocols
Terminology issues that impact users of Recommendations
References in Recommendations to withdrawn standards
Guidelines for correspondence groups
Regional and sub-regional coordinators for SG17
Actions/achievements in support of WTSA, PP, WTDC
Resolutions
Bridging the standardization gap
Rapporteur: Mohamed M.K. ELHAJ
45/58
Question 2/17
Security Architecture and Framework
Responsible for general security architecture and framework for
telecommunication systems
2 Recommendations and 4 Supplements approved in last study period
1 Recommendation approved in this study period
Recommendations currently under study include:
• X.gsiiso, Guidelines on security of the individual information service for
operators
• X.mgv6, Supplement to ITU-T X.1037 – Supplement on security
management guideline for implementation of IPv6 environment
in telecommunications organizations
Relationships with ISO/IEC JTC 1 SCs 27 and 37, IEC TC 25, ISO TC 12, IETF,
ATIS, ETSI, 3GPP, 3GPP2
Rapporteur: Patrick MWESIGWA
46/58
Question 3/17
Telecommunication information security management
Responsible for information security management - X.1051, etc.
5 Recommendations approved in last study period
Developing specific guidelines including:
• X.1051rev, Information technology – Security techniques – Information
security management guidelines for telecommunications
organizations based on ISO/IEC 27002
• X.gpim, Guideline for management of personally identifiable information
for telecommunication organizations.
• X.sgsm, Information security management guidelines
for small and medium telecommunication
organizations
• X.sup1056, Supplement to ITU-T X.1056 – Related
Recommendations, International Standards
and documents for security incident
management
Close collaboration with ISO/IEC JTC 1/SC 27
Rapporteur: Miho NAGANUMA
47/58
Question 4/17
Cybersecurity
Cybersecurity by design no longer possible; a new paradigm:
• know your weaknesses minimize the vulnerabilities
• know your attacks share the heuristics within trust communities
Current work program (17 Recommendations under development)
X.1500 suite: Cybersecurity Information Exchange (CYBEX) – nonprescriptive, extensible, complementary techniques for the new paradigm
•
•
•
•
•
•
Weakness, vulnerability and state
Event, incident, and heuristics
Information exchange policy
Identification, discovery, and query
Identity assurance
Exchange protocols
Non-CYBEX deliverables include compendiums and guidelines for
• Abnormal traffic detection
• Botnet mitigation
• Attack source attribution (including traceback)
• Extensive relationships with many external bodies
• Rapporteur: Youki KADOBAYASHI
48/58
Question 4/17 (cnt’d)
Cybersecurity
16 Recommendations and 3 Supplements approved in last study
period
2 Recommendations and 2 Supplements approved in this study
period
Recommendations in TAP approval process
For approval
For approval
For approval
For approval
For approval
For approval
• X.1208 (X.csi), A cybersecurity indicator of risk to enhance confidence and
security in the use of telecommunication/information and communication
technology
• X.1210 ( X.trm), Overview of source-based security troubleshooting
mechanisms for Internet protocol-based networks
• X.1520rev, Common vulnerabilities and exposures
• X.1526rev (X.oval), Open vulnerability and assessment language
• X.1546 (X.maec), Malware attribute enumeration and characterization
• X.1582 (X.cybex-tp), Transport protocols supporting cybersecurity
information exchange
49/58
Question 4/17 (cnt’d)
Cybersecurity
Recommendations on CYBEX currently under study include:
For
agreement
For determ.
• X.1500 Amd.5, Overview of cybersecurity information exchange –
Amendment 5 - Revised structured cybersecurity
information exchange techniques
• X.cee, Common event expression
• X.cee.1, CEE overview
• X.cee.2, CEE profile
• X.cee.3, CEE common log syntax (CLS)
• X.cee.4, CEE common log transport (CLT) requirements
• X.csmc, An iterative model for cybersecurity operation using CYBEX
techniques
• X.cwss, Common weakness scoring system
• X.cybex-beep, Use of BEEP for cybersecurity information exchange
Recommendations (non-CYBEX) currently under study include:
For consent
For determ
• X.cap, Common alerting protocol (CAP 1.2)
• X.eipwa, Guideline on techniques for preventing web-based attacks
50/58
Question 5/17
Countering spam by technical means
Lead group in ITU-T on countering spam by technical means in
support of WTSA-12 Resolution 52 (Countering and combating
spam)
3 Recommendations and 4 Supplements approved in last study
period
Recommendations currently under study include
(see structure in next slide):
For approval
• X.1243 Cor.1, Corrigendum 1 to Recommendation ITU-T X.1243
• X.tfcmm, Technical framework for countering mobile messaging spam
• X.ticvs, Technologies involved in countering voice spam in
telecommunication organizations
Effective cooperation with ITU-D, IETF, ISO/IEC JTC 1, 3GPP, OECD,
MAAWG, ENISA and other organizations
Rapporteur: Hongwei LUO
51/58
Question 5/17 (cnt’d)
Countering spam by technical means
Technical strategies on countering spam
(X.1231)
Technologies involved in
countering email spam
(X.1240)
Overall aspects of countering spam in IPbased multimedia applications
(X.1244)
Overall aspects of countering mobile messaging
spam
(X-series Supplement 12 to ITU-T X.1240)
Technical framework for
countering email spam
(X.1241)
Framework for countering IP multimedia spam
(X.1245)
Short message service (SMS) spam filtering
system based on user-specified rules
(X.1242)
Framework based on real-time blocking list
(RBL) for countering VoIP spam
(X-series Supplement 11 to Recommendation
ITU-T X.1245)
Technical framework for countering mobile
messaging spam
(X.tfcmm)
Interactive gateway system for countering spam
(X.1243)
A practical reference model for countering email spam using botnet information
(X-series Supplement 14 to ITU-T X.1243)
Technologies involved in countering voice spam in telecommunication organizations
(X.ticvs)
Supplement on countering spam and associated threats
(X-series Supplement 6 to ITU-T X.1240 series)
52/58
Question 8/17
Cloud computing security
• Recommendations currently under study include:
– Security aspects of cloud computing
For approval
- X.1600 (X.ccsec), Security framework for cloud computing
- X.cc-control, Information technology – Security techniques – Code of
practice for information security controls for cloud
computing services based on ISO/IEC 27002
- X.goscc, Guidelines of operational security for cloud computing
– Security aspects of service oriented architecture
- X.fsspvn, Framework of the secure service platform for virtual network
- X.sfcsc, Security functional requirements for Software as a Service
(SaaS) application environment
Working closely with ITU-T SG 13, JCA-Cloud, ISO/IEC JTC 1/SCs 27
and 38, and Cloud Security Alliance on cloud computing
Rapporteur: Liang WEI
53/58
Question 10/17
Identity Management (IdM)
Identity Management (IdM)
•
•
•
•
•
Key focus
•
•
•
•
IdM is a security enabler by providing trust in the identity of both parties to an e-transaction
IdM also provides network operators an opportunity to increase revenues by offering
advanced identity-based services
The focus of ITU-T’s IdM work is on global trust and interoperability of diverse IdM
capabilities in telecommunication.
Work is focused on leveraging and bridging existing solutions
This Question is dedicated to the vision setting and the coordination and organization of the
entire range of IdM activities within ITU-T
Adoption of interoperable federated identity frameworks that use a variety of authentication
methods with well understood security and privacy
Encourage the use of authentication methods resistant to known and projected threats
Provide a general trust model for making trust-based authentication decisions between two
or more parties
Ensure security of online transactions with focus on end-to-end identification and
authentication of the participants and components involved in conducting the transaction,
including people, devices, and services
8 Recommendations and 1 Supplement approved in last study period.
1 Recommendation approved in his study period
54/58
Question 10/17 (cnt’d)
Identity Management (IdM)
Recommendations under development:
For determ.
For determ.
X.atag, Attribute aggregation framework
X.authi, Guideline to implement the authentication integration of the network layer and the
service layer.
X.giim, Mechanisms to support interoperability across different IdM services
X.iamt, Identity and access management taxonomy
X.idmcc, Requirement of IdM in cloud computing
X.idmts, Framework for the interoperable exchange of trusted services
X.oitf, Open identity trust framework
X.scim-use, Application of system for cross identity management (SCIM) in
telecommunication environments
Engagement
• JCA-IdM
• Related standardization bodies: ISO/IEC JTC 1 SCs 6, 27 and 37; IETF; ATIS;
ETSI/TISPAN; OASIS; Kantara Initiative; OMA; NIST; 3GPP; 3GPP2; Eclipse; OpenID
Foundation; OIX etc.
Rapporteur: Abbie BARBIR
55/58
Question 6/17
Security aspects of ubiquitous telecommunication services
Responsible for multicast security, home network security, mobile security,
networked ID security, IPTV security, ubiquitous sensor network security,
intelligent transport system security, and smart grid security
13 Recommendations approved in last study period.
1 Recommendation and 1 Supplement approved in this study period.
Recommendations currently under study include:
X.msec-7, Guidelines on the management of infected terminals in mobile networks
X.msec-8, Secure application distribution framework for communication devices
X.sgsec-1, Security functional architecture for smart grid services using
telecommunication network
X.unsec-1, Security requirements and framework of ubiquitous networking
Close relationship with JCA-IPTV and ISO/IEC JTC 1/SC 6/WG 7
Rapporteur: Jonghyun BAEK
56/58
Question 7/17
Secure application services
Responsible for web security, security protocols, peer-to-peer security
2 Recommendations, and 1 Supplement approved in last study period
3 Recommendations approved in this study period
Recommendations currently under study include:
X.1141 Amd.1, Security Assertion Markup Language (SAML) 2.0 – Amendment 1: Errata
X.1142 Amd.1, eXtensible Access Control Markup Language (XACML 2.0)
Amendment 1: Errata
X.p2p-3, Security requirements and mechanisms of peer-to-peer based telecommunication
network
X.sap-5, Guideline on local linkable anonymous authentication for electronic services
X.sap-7, Technical capabilities of fraud detection and response for services with high assurance
For consent
level requirements
X.sap-8, Efficient multi-factor authentication mechanisms using mobile devices
X.sap-9, Delegated non-repudiation architecture based on ITU-T X.813
X.websec-5, Security architecture and operations for web mashup services
For consent
Relationships include: OASIS, OMA, W3C, ISO/IEC JTC 1/SC 27, Kantara Initiative
Rapporteur: Jae Hoon NAH
57/58
Question 9/17
Telebiometrics
Current focus:
• Security requirements and guidelines for applications of telebiometrics
• Requirements for evaluating security, conformance and interoperability with
privacy protection techniques for applications of telebiometrics
• Requirements for telebiometric applications in a high functionality network
• Requirements for telebiometric multi-factor authentication techniques based on
biometric data protection and biometric encryption
• Requirements for appropriate generic protocols providing safety, security, privacy
protection, and consent “for manipulating biometric data” in applications of
telebiometrics, e.g., e-health, telemedicine
11 Recommendations approved in last study period.
1 Recommendation approved in this study period.
58/58
Question 9/17 (cnt’d)
Telebiometrics
Recommendations under development:
• X.bhsm, Information technology – Security Techniques – Telebiometric
authentication framework using biometric hardware security module
• X.tam, A guideline to technical and operational countermeasures for telebiometric
applications using mobile devices
• X.th-series, e-Health and world-wide telemedicines
For determ.
•
•
•
•
•
X.th2, Telebiometrics related to physics
X.th3, Telebiometrics related to chemistry
X.th4, Telebiometrics related to biology
X.th5, Telebiometrics related to culturology
X.th6, Telebiometrics related to psychology
Close working relationship with ISO/IEC JTC 1/SCs 17, 27 and
37, ISO TCs 12, 68 and 215, IEC TC 25, IETF, IEEE
Rapporteur: John CARAS
59/58
Question 11/17
Generic technologies to support secure applications
Q11/17 consists of four main parts:
X.500 directory, Public-Key Infrastructure (PKI), Privilege Management
Infrastructure (PMI)
Abstract Syntax Notation 1 (ASN.1), Object Identifier (OID)
Open Distributed Processing (ODP)
Open Systems Interconnection (OSI)
Rapporteur: Erik ANDERSEN
60/58
Question 11/17
Generic technologies to support secure applications
(parts: Directory, PKI, PMI)
Three Directory Projects:
• ITU-T X.500 Series of Recommendations | ISO/IEC 9594 - all parts – The
Directory
• ITU-T E.115 - Computerized directory assistance
• ITU-T F.5xx - Directory Service - Support of tag-based identification
services
X.500 series is a specification for a highly secure, versatile and
distributed directory
X.500 work is collaborative with ISO/IEC JTC 1/SC 6/WG 10
20 Recommendations and many Corrigenda approved in last
study period.
61/58
Question 11/17
Generic technologies to support secure applications
(parts: Directory, PKI, PMI)
Recommendations under development:
For consent
•
•
•
•
•
•
•
•
•
•
For
agreement
•
•
•
•
F.5xx, Directory Service - Support of Tag-based Identification Services
X.500rev (8th ed), Information technology – Open Systems Interconnection – The Directory: Overview of
concepts, models and services
th
X.501rev (8 ed), Information technology – Open Systems Interconnection – The Directory – Models
X.509rev (8th ed), Information technology – Open Systems Interconnection – The Directory – Public-key and
attribute certificate frameworks
X.511rev (8th ed), Information technology – Open Systems Interconnection – The Directory – Abstract
Service Definition
th
X.518rev (8 ed), Information technology – Open Systems Interconnection – The Directory – Procedures for
Distributed Operations
X.519rev (8th ed), Information technology – Open Systems Interconnection – The Directory – Protocols
X.520rev (8th ed), Information technology – Open Systems Interconnection – The Directory – Selected
Attribute Types
th
X.521rev (8 ed), Information technology – Open Systems Interconnection – The Directory – Selected object
classes
X.525rev (8th ed), Information technology – Open Systems Interconnection – The Directory – Replication
X.cmail, Certified mail transport and certified post office protocols
X.pki-em, Information Technology - Public-Key Infrastructure: Establishment and maintenance
X.pki-prof, Information Technology - Public-Key Infrastructure: Profile
TR HBPKI, Technical Report: New challenges for Public-Key Infrastructure standardization: Mobile Networks,
Machine-to-Machine communication, Cloud Computing and Smart Grid
62/58
Question 11/17
Generic technologies to support secure applications
(parts: Directory, PKI, PMI)
ITU-T X.509 on public-key/attribute certificates is the
cornerstone for security:
• Base specification for public-key certificates and for attribute certificates
• Has a versatile extension feature allowing additions of new fields to
certificates
• Basic architecture for revocation
• Base specification for Public-Key Infrastructure (PKI)
• Base specifications for Privilege Management Infrastructure (PMI)
ITU-T X.509 is used in many different areas:
• Basis for eGovernment, eBusiness, etc. all over the world
• Used for IPsec, cloud computing, and many other areas
• Is the base specification for many other groups
(PKIX in IETF, ESI in ETSI, CA Browser Forum, etc.)
63/58
Question 11/17
Generic technologies to support secure applications
(parts: ASN.1, OID)
For consent
Developing and maintaining the heavily used Abstract Syntax Notation One (ASN.1) and Object
Identifier (OID) specifications
Recommendations are in the X.680 (ASN.1), X.690 ( ASN.1 Encoding Rules), X.660/X.670 (OID
Registration), and X.890 (Generic Applications, such as Fast Infoset, Fast Web services, etc) series
13 Recommendations and several Corrigenda approved in last study period
Giving advice on the management of OID Registration Authorities, particularly within developing
countries, through the OID Project Leader Olivier Dubuisson
Approving new top arcs of the Object Identifier tree as necessary
Promoting use of OID resolution system by other groups such as SG16
Repository of OID allocations and a database of ASN.1 modules
Promoting the term “description and encoding of structured data” as what ASN.1 is actually about
ASN.1 Packed Encoding Rules reduces the bandwidth required for communication thus conserving
energy (e.g., compared with XML)
Recommendations under development:
X.680/X.690-series Technical Corrigenda
X.cms, Cryptographic Message Syntax (CMS)
X.oer, Specification of Octet Encoding Rules (OER)
X.orf, OID-based resolution framework for heterogeneous identifiers/locators
Work is collaborative with ISO/IEC JTC 1/SC 6/WG 10
64/58
Question 11/17
Generic technologies to support secure applications
(part: ODP)
Open Distributed Processing (ODP)
ODP (X.900 series in collaboration with ISO/IEC JTC 1/SC 7/WG 19)
Recommendations under development:
X.906rev, Open distributed processing – Use of UML for ODP system
specification
X.911rev, Open distributed processing – Reference model – Enterprise
language
Work is carried out in collaboration with ISO/IEC JTC 1
65/58
Question 11/17
Generic technologies to support secure applications
(part: OSI)
Ongoing maintenance of the OSI X-series Recommendations and the OSI
Implementer’s Guide:
•
•
•
•
•
•
•
•
•
OSI Architecture
Message Handling
Transaction Processing
Commitment, Concurrency and Recovery (CCR)
Remote Operations
Reliable Transfer
Quality of Service
Upper layers – Application, Presentation, and Session
Lower Layers – Transport, Network, Data Link, and Physical
109 approved Recommendations (from former study periods)
Work is carried out in collaboration with ISO/IEC JTC 1
66/58
Question 12/17
Formal languages for telecommunication software
and testing
Languages and methods for requirements, specification
implementation
Q12/17 consists of three parts:
Formal languages for telecommunication software
Methodology using formal languages for telecommunication software
Testing languages
18 Recommendations, 1 Amendment, 1 Implementer’s Guide
approved in last study period.
3 new and 9 revised Recommendations approved in this study
period.
Rapporteur: Dieter HOGREFE
67/58
Question 12/17
Formal languages for telecommunication software
and testing
(part: Formal languages for telecommunication software)
Languages and methods for requirements, specification implementation
Recommendations for:
For consent
For consent
For consent
Specification and Description Language (Z.100 series)
Message Sequence Chart (Z.120 series)
User Requirements Notation (Z.150 series)
Framework and profiles for Unified Modeling Language, as well as use of languages (Z.110,
Z.111, Z.400, Z.450).
These techniques enable high quality Recommendations to be written from which
formal tests can be derived, and products to be cost effectively developed.
Recommendations under development:
Z.100 Annex F1rev , Specification and Description Language - Overview of SDL-2010 –
SDL formal definition: General overview
Z.100 Annex F2rev, Specification and Description Language - Overview of SDL-2010 –
SDL formal definition: Static semantics
Z.100 Annex F3rev, Specification and Description Language - Overview of SDL-2010 –
SDL formal definition: Dynamic semantics
Relationship with SDL Forum Society
68/58
Question 12/17
Formal languages for telecommunication software and
testing
(part: Methodology using formal languages for telecommunication
software)
Covers the use of formal ITU system design languages (ASN.1, SDL, MSC, URN,
TTCN, CHILL) to define the requirements, architecture, and behaviour of
telecommunications systems: requirements languages, data description,
behaviour specification, testing and implementation languages.
The formal languages for these areas of engineering are widely used in
industry and ITU-T and commercial tools support them. The languages can be
applied collectively or individually for specification of standards and the
realization of products, but in all cases a framework and methodology is
essential for effective use.
Responsible for formal languages methodology Recommendations: Z.110,
Z.400, Z.450, Z.600, Z.601, and Z.Supp1.
Supplement under development:
For
agreement
Z.Sup1, Supplement 1 to Z-series Recommendations – ITU-T Z.100-series –
Supplement on methodology on the use of description techniques
69/58
Question 12/17
Formal languages for telecommunication software and
testing
(part: Testing languages)
Testing languages, and Testing and Test Control Notation version 3 (TTCN-3)
•
•
•
•
•
•
•
•
•
•
•
•
Z.161, Testing and Test Control Notation version 3: TTCN-3 core language
Z.161.1, Testing and Test Control Notation version 3: TTCN-3 language extensions: Support of interfaces
with continuous signals
Z.161.2, Testing and Test Control Notation version 3: TTCN-3 language extensions: Configuration and
deployment support
Z.161.3, Testing and Test Control Notation version 3: TTCN-3 language extensions: Advanced
parameterization
Z.161.4, The Testing and Test Control Notation version 3: TTCN-3 Language Extensions: Behaviour Types
Z.165, Testing and Test Control Notation version 3: TTCN-3 runtime interface (TRI)
Z.165.1, Testing and Test Control Notation version 3: TTCN-3 extension package: Extended TRI
Z.166, Testing and Test Control Notation version 3: TTCN-3 control interface (TCI)
Z.167, Testing and Test Control Notation version 3: TTCN-3 mapping from ASN.1
Z.168, Testing and Test Control Notation version 3: The IDL to TTCN-3 mapping
Z.169, Testing and Test Control Notation version 3: Using XML schema with TTCN-3
Z.170, Testing and Test Control Notation version 3: TTCN-3 documentation comment specification
Provides support for WTSA-12 Resolution 76 on conformance and
interoperability testing
Close liaisons with SG11, JCA-CIT and ETSI.
70/58
Security Coordination
Security activities in other ITU-T Study Groups
ITU-T SG2 Operational aspects & TMN
–
–
–
–
International Emergency Preference Scheme, ETS/TDR
Disaster Relief Systems, Network Resilience and Recovery
Network and service operations and maintenance procedures, E.408
TMN security, TMN PKI,
ITU-T SG5 Environment and climate change
– protection from lightning damage, from Electromagnetic Compatibility (EMC) issues and also the
effects of High-Altitude Electromagnetic Pulse (HEMP) and High Power Electromagnetic (HPEM)
attack and Intentional Electromagnetic Interference (IEMI)
ITU-T SG9 Integrated broadband cable and TV
– Conditional access, copy protection, HDLC privacy,
– DOCSIS privacy/security
– IPCablecom 2 (IMS w. security), MediaHomeNet security gateway, DRM,
ITU-T SG11 Signaling Protocols and Testing
– EAP-AKA for NGN
– methodology for security testing and test specification related to security testing
ITU-T SG13 Future networks including cloud computing, mobile, NGN, SDN
– Security and identity management in evolving managed networks
– Deep packet inspection
ITU-T SG15 Networks and infrastructures for transport, access and home
– Reliability, availability, Ethernet/MPLS protection switching
ITU-T SG16 Multimedia
– Secure VoIP and multimedia security (H.233, H.234, H.235, H.323, JPEG2000)
71/58
Coordination with other bodies
Study Group 17
ITU-D,
ITU-R,
xyz…
72/40
SG17 collaborative work with ISO/IEC JTC 1
Existing relationships having collaborative (joint) projects:
JTC 1
SG 17 Question
Subject
SC 6/WG 7
Q6/17
Ubiquitous networking
SC 6/WG 10
Q11/17
Directory, ASN.1, OIDs, and Registration
SC 7/WG 19
Q11/17
Open Distributed Processing (ODP)
SC 27/WG 1
Q3/17
Information Security Management System (ISMS)
SC 27/WG 3
Q2/17
Security architecture
SC 27/WG 5
Q10/17
Identity Management (IdM)
SC 37
Q9/17
Telebiometrics
Note – In addition to collaborative work, extensive communications and liaison
relationships exist with the following JTC 1 SCs: 6, 7, 17, 22, 27, 31, 37 and 38
on a wide range of topics. All SG17 Questions are involved.
73/58
SG17 collaborative work with ISO/IEC JTC 1 (cnt’d)
Guide for ITU-T and ISO/IEC JTC 1 Cooperation
• http://itu.int/rec/T-REC-A.23-201002-I!AnnA
Listing of common text and technically aligned
Recommendations | International Standards
• http://itu.int/oth/T0A0D000011
Mapping between ISO/IEC International Standards and
ITU-T Recommendations
• http://itu.int/oth/T0A0D000012
Relationships of SG17 Questions with JTC 1 SCs
that categorizes the nature of relationships as:
– joint work (e.g., common texts or twin texts)
– technical collaboration by liaison mechanism
– informational liaison
• http://itu.int/en/ITU-T/studygroups/com17/Pages/relationships.aspx
74/58
Study Group 17 Meetings
For 2014, Study Group 17 meeting has been scheduled
for:
17 – 26 September 2014 (8 days), Geneva, Switzerland (tbc)
(preceded by 1 ½ day ITU security workshop)
75/58
Reference links
Webpage for ITU-T Study Group 17
• http://itu.int/ITU-T/studygroups/com17
Webpage on ICT security standard roadmap
• http://itu.int/ITU-T/studygroups/com17/ict
Webpage on ICT cybersecurity organizations
• http://itu.int/ITU-T/studygroups/com17/nfvo
Webpage for JCA on identity management
• http://www.itu.int/en/ITU-T/jca/idm
Webpage for JCA on child online protection
• http://www.itu.int/en/ITU-T/jca/COP
Webpage on lead study group on security
• http://itu.int/en/ITU-T/studygroups/com17/Pages/telesecurity.aspx
Webpage on lead study group on identity management
• http://itu.int/en/ITU-T/studygroups/com17/Pages/idm.aspx
Webpage on lead study group on languages and description techniques
• http://itu.int/en/ITU-T/studygroups/com17/Pages/ldt.aspx
76/58