Dr. Carmine Rizzo
CISA, CISM, CISSP, ITIL, PRINCE2
ETSI Technical Officer – ETSI Standardisation Projects
ETSI Security Standardisation
ITU-T SG17 (ITU - Geneva 13 February 2009): ETSI Security Standardisation

World Class Standards
‰ Introduction
‰ ETSI Security activities in Technical Bodies
‰ ETSI Security horizontal activities
2 ETSI Security Overview

World Class Standards
‰
‰ ETSI Security activities in Technical Bodies
‰ ETSI Security horizontal activities
3 ETSI Security Overview

World Class Standards
ESO
European
Standards
Organization
GSP
Global
Standards
Producer
SPO
Service
Providing
Organization
ESO (European Standards Organization): standardization for European needs
GSP (Global Standards Producer): standardization for the global level
SPO (Service Providing Organization): services such as interoperability testing, forum management etc.
ETSI STQ Workshop - Prague, 17-19 June 2008 4

World Class Standards
‰ Information Security Standards are essential to ensure interoperability
‰ Standardisation ensures products are compliant with
¾
Adequate levels of security
¾ Legislations
‰ ETSI 1988-2009: over 20 years of experience in Security
‰ All ETSI Members participate directly in the standardisation process
ETSI Security Overview 5

World Class Standards
‰ Introduction
‰
‰ ETSI Security horizontal activities
6 ETSI Security Overview

World Class Standards
‰ Next Generation Networks (NGN)
‰ Mobile/Wireless Communications (GSM/UMTS, TETRA, DECT…)
‰ Lawful Interception and Data Retention
‰ Electronic Signatures
‰ Smart Cards
‰ Algorithms
‰ Emergency Communications / Public Safety
‰ RFID
‰ Quantum Key Distribution (QKD)
‰ In 3GPP: SAE/LTE and Common IMS
ETSI Security Overview 7

World Class Standards
‰ ETSI TISPAN WG7 standardizes NGN security
‰ Achievements
¾
Security Requirements, Design Guide, Architecture
¾ Analysis of risks and threats
‰ Current work
¾ Lawful Interception / Data Retention
¾
IPTV, RFID, safety services (emergency communications)
TISPAN:
T elecommunication and I I nternet converged S ervices and P rotocols for A dvanced N etworking
ETSI Security Overview 8

World Class Standards
‰ Security Standardisation: key success factor for GSM
‰ IMEI (International Mobile Equipment Identity)
¾ Protection/deterrent against theft
‰ FIGS (Fraud Information Gathering System)
¾
Terminate fraudulent calls of roaming subscribers
‰ Safety Services (enhancements for UMTS)
¾ Priority access for specific user categories
¾ Location services
ETSI Security Overview 9

‰ TErrestrial Trunked RAdio
World Class Standards
‰ Mobile radio communications
¾ Used for public safety services (e.g. emergency scenarios)
‰ Security features
¾
Mutual Authentication
¾ Encryption
¾ Anonymity
10 ETSI Security Overview

World Class Standards
‰ Delivery of intercepted communications to Authorised Organisations
¾
To support criminal investigation, counter terrorism
¾ Applies to data in transit
‰ Directive 2006/24/EC
¾ Data generated/processed in electronic comms needs to be retained
¾ Applies to data location
‰ ETSI Data Retention standard published in 2008
TB Lawful Interception (LI) works with both LI and DR
• Define Handover Interface from Operator to Authorised Organisation
ETSI Security Overview 11

World Class Standards
‰ TB ESI (Electronic Signatures and Infrastructures)
¾ Supports eSignature EC Directive – in cooperation with CEN
¾
Created ETSI electronic signatures
¾
Successful international collaboration (US, Japan)
‰ Current work
¾
Digital accounting (eInvoicing)
¾
Registered EMail (REM) framework
¾
ETSI electronic signatures in PDF documents
ETSI Security Overview 12

World Class Standards
‰ ETSI Smart Card Standardisation
¾ TB Smart Card Platform (SCP)
¾ GSM SIM Cards: among most widely deployed smart cards ever
¾ Work extended with USIM Card and UICC Platform
‰ Current work
¾ Further extend the smart card and UICC platforms
• Global roaming
• Secure financial transactions
• Operate in M2M communications
USIM: U MTS S ubscriber I I dentity M odule
UICC: U niversal I I ntegrated C ircuit C ard
M2M: M achine-toM achine
ETSI Security Overview 13

World Class Standards
‰ ETSI is world leader in creating cryptographic algorithms / protocols
¾ ETSI SAGE (Security Algorithm Group of Experts)
¾ ETSI is owner and/or custodian of a number of security algorithms
‰ Algorithms for GSM, GPRS, EDGE, UMTS, TETRA, DECT, 3GPP
…
‰ Developed
¾ UEA1 (standard algorithm for confidentiality)
¾ UIA1 (standard algorithm for integrity)
‰ Developed also a second set of algorithms
¾ UEA2 and UIA2, fundamentally different in nature from UEA1 and UIA1
¾ Advances in cryptanalysis are unlikely to impact both sets of algorithm
UEA: U MTS E ncryption A lgorithm
UIA: U MTS I I ntegrity A lgorithm
ETSI Security Overview 14

World Class Standards
‰ EMTEL ( ETSI Special Committee on Emergency Telecommunications )
¾ Co-operation with other TBs and partnership projects, including 3GPP
¾ Requirements for telecommunications infrastructure
‰ MESA ( Mobility for Emergency and Safety Applications )
¾ Partnership project: ETSI, TIA (USA), other members globally
¾ Define digital mobile broadband “system of systems” (interoperability is key!)
15 ETSI Security Overview

World Class Standards
‰ GSM onboard aircrafts
¾ Prevent undesired communications
• Between terrestrial networks and handheld terminals on aircrafts!
‰ GSM eCalls
¾ Automatic emergency calls from vehicles
• In case of crash or other catastrophic events
‰ GSM Direct Mode Operations (DMO)
¾ Terminals to communicate directly
• In tunnels (e.g. railways) or breakdown of telecomms network infrastructure
16 ETSI Security Overview

World Class Standards
‰ System Architecture Evolution / Long Term Evolution (SAE/LTE)
¾
Deliver Global Mobile Broadband at increased data throughput
¾ Security features: integrity and confidentiality
• Developed in 3GPP and ETSI SAGE
‰ Common IP Multimedia Subsystem (IMS)
¾ Architectural framework to deliver IP multimedia to mobile users
¾ Security requirements from TISPAN, CableLabs and 3GPP2
17 ETSI Security Overview

World Class Standards
‰ RFID Security and Privacy by design
¾ In TISPAN WG7 to act on EC Mandate December 2008 (M 436)
• RFID as gateway for the future “Internet of Things” (IoT)
‰ More RFID work in other TBs
¾
Intelligent Transport Systems (ITS)
ETSI Security Overview 18

World Class Standards
‰ New ETSI Industry Specification Group (ISG)
¾ Create an environment for quantum cryptography in ICT networks
¾ Security Assurance Requirements
• Requirements for users, components, applications
• Security certification of quantum cryptographic equipment
ETSI Security Overview 19

World Class Standards
‰ Introduction
‰ ETSI Security activities in Technical Bodies
‰
20 ETSI Security Overview

World Class Standards
‰ Operational Co-ordination ad hoc Group on Security (OCG Sec)
¾
Chairman: Charles Brookson
¾ Technical Officer: Carmine Rizzo
‰ Horizontal co-ordination structure for security issues
¾ Ensure new work is addressed by proper TB
¾ Detect any conflicting or duplicate work
ETSI Security Overview 21

World Class Standards
‰ ETSI to address open issues on security
¾ Prioritization in security standardisation
¾ Security Metrics
¾ Privacy
¾ How to “evaluate” security standards in implementation
¾ …
‰ ETSI is ready to address these challenges
¾
Proactively supporting its Members according to requirements and trends
¾ Proactively promoting security standardisation
¾
In collaboration with other SDOs
22 ETSI Security Overview

World Class Standards
‰ Yearly event hosted at ETSI premises, Sophia Antipolis, France
‰ Security standardisation keeps evolving
¾ New threats arising
‰ ETSI needs feedback to:
¾
Ensure timely standardisation on gaps or hot topics
¾ Initiate new work according to the requirements of ETSI Membership
‰ Next, to be confirmed
¾
5th ETSI Security Workshop 2010 (possibly 19-21 January)
¾ Watch for the Call for Papers
‰ www.etsi.org/SECURITYWORKSHOP
¾
Reports and presentations of all ETSI Security Workshops
ETSI Security Overview 23

World Class Standards
‰ ETSI achievements and current work in all security areas
‰ List of all security-related ETSI publications
‰ Edition No. 2 published in October 2008
¾ Carmine Rizzo (ETSI Security point of reference)
¾ Charles Brookson (Chairman of ETSI OCG Security)
‰ www.etsi.org/WebSite/document/Technologies/ETSI-WP1_Security_Edition2.pdf
‰ Freely downloadable
ETSI Security Overview 24

?
ITU-T SG17 (ITU - Geneva 13 February 2009): ETSI Security Standardisation