ETSI 4th Security Workshop

13-14 January 2009 - Sophia-Antipolis, France

Workshop Report

Overview

Workshop opening

Keynote speeches

Session 1: Mobile Security

Session 2: Security initiatives within CEN and CENELEC

Session 3: Privacy

Session 4: International Standardization

Session 5: NGN Security and Data Retention

Session 6: Metrics

Session 7: R & D

Workshop Closure

Overview

The 4th ETSI Security Workshop, organised and hosted by ETSI in Sophia Antipolis, France, took place on 13-14 January 2009. It counted around one hundred participants, covering a diverse range of professional interests within the security arena, with a special focus on Security Standards.

The agenda included seven sessions and a discussion panel, with presentations given by experts representing organizations such as ETSI, CEN, CENELEC, European Commission, ITU-T, ENISA, as well as the private sector, government and universities.

The workshop provided interesting information on all topics covered, with special focus on standardization efforts related to such topics. It also provided cooperation opportunities and directions for future work, in particular with regard to the priorities for security standardization.

Workshop opening

Carmine Rizzo (ETSI Technical Officer and Security Expert) opened the 4th ETSI Security Workshop. He informed the audience that, due to sudden very important personal reasons, the ETSI OCG Security Chairman Charles Brookson (Standards Director, UK Department of Business, Enterprise and Regulatory Reform) could not be at this Workshop. A short video was shown, which was sent by Charles Brookson to welcome all participants.

Carmine Rizzo asked the ETSI Director General Walter Weigel to officially open the Workshop.

Keynote speeches

Welcoming speech – Walter Weigel, ETSI Director General

The ETSI DG, Walter Weigel, welcomed the participants to the 4th ETSI Security Workshop. Mr. Weigel stressed the high importance and value of the standardization work within the security arena. In particular, he pointed out that standardization efforts should be prioritized as organizations need to optimize the utilization of their resources, especially during the current phase of global economic downturn.

Walter Weigel also provided a brief overview of ETSI, a European Standards Organization setting globally-applicable standards for Telecommunications and other Electronic Communications networks and services. ETSI is an independent, not-for-profit organisation created in 1988. Among various globally recognised achievements, ETSI created the GSM standard. ETSI is ISO 9001:2000 certified. It offers direct participation to members, and is a founding partner of 3GPP. ETSI has more than 20 000 publications, all freely available.

ICT for Competitiveness and Innovation – Antonio Conte, European Commission, DG ENTR

Antonio Conte pointed out that an efficient European ICT standardisation policy is key in support of innovation and competitiveness of European enterprises. At the same time, the formal and unofficial standardisation systems should combine their efforts to better respond to the needs of the market.

The EC DG Enterprise and Industry has performed an intermediate study which resulted in an open event on 12/2/2008 to present and to discuss the study's recommendations more widely with all interested parties. During this event, consensus was achieved on the following points: the establishment of a High Level ICT standardisation policy platform; three scenarios for the possible integration of fora and consortia standards in the European ICT standardisation scheme; and a list of 10 attributes for standards/standardisation processes to be eligible for association with EU legislation and policies. Issues for further discussion include: IPR in ICT standardisation; the relationship between ICT standardisation and R&D; and referencing ICT standards in public procurement. A White paper is due to be published in 2Q09.

The strategy for a Secure Information Society encompasses an open and inclusive multi-stakeholder debate, which would lead to an improved dialogue (structured and multi-stakeholder), partnership (greater awareness and better understanding of the challenges) and empowerment (commitment to responsibilities of all players involved).

ETSI Security Activities Overview - Carmine Rizzo, ETSI Technical Officer and Security Expert

Carmine Rizzo provided an overview of the ETSI activities in Security. He gave some details of the achievements and ongoing work within several ETSI Technical Bodies in the following areas:

Next Generation Networks

Mobile and Wireless Communication (GSM/UMTS, TETRA, DECT,…)

Lawful Interception and Data Retention

Electronic Signatures

Smart Card

Algorithms

Emergency Communications / Public Safety

RFID

Quantum Key Distribution (QKD)

In 3GPP: SAE/LTE and Common IMS

Carmine Rizzo explained what horizontal coordination activities are carried out at ETSI in order to proactively supervise and promote security standardization work across any ETSI Technical Bodies.

He highlighted the role of the ETSI OCG (Operational Coordination Group) Security, which is a horizontal coordination structure for security activities inside ETSI and with organizations outside. The main aim is to make sure that new standardization work is addressed by the proper Technical Body, and that any conflicting or duplicate work is prevented.

Carmine Rizzo informed the participants about the publication of the 2nd Edition of the “ETSI Security White Paper”, produced by Carmine Rizzo and Charles Brookson.

This document describes ETSI achievements and current work in all security areas and provides a list of all security-related ETSI publications. It can be downloaded freely here: http://www.etsi.org/WebSite/document/Technologies/ETSI-WP1_Security_Edition2.pdf

Carmine Rizzo stressed that a number of issues are open and need to be considered as future challenges, which ETSI is prepared to address by supporting its Members and in cooperation with other Standardization Bodies. Such issues include Security Metrics, prioritization of efforts (what security matters should, or should not, be addressed by standardization), how to evaluate standards once they are implemented, and how to measure to what extent they are implemented. This 4th ETSI Security Workshop provides an excellent opportunity to share information about new work, and to discuss new challenges, in particular during the final panel discussion which will highlight a number of conclusions.

ENISA Activities in Security - Slawomir Gorniak, ENISA Security Expert

Slawomir Gorniak gave a speech about the achievements of ENISA in 2008, which included analysis of regulations, measures and technologies enhancing resilience of public communication networks, developing and maintaining co-operation models, identifying emerging risks, and several position papers such as on security in web 2.0, virtual worlds, mobile eID etc. He also gave an overview of the work programme of the Agency for 2009 (including resumption of activities in the area of standardization). The current focus of the Agency is on three main Multi-annual Thematic Programmes (MTPs): improving Resilience in European e-Communication Networks, developing and Maintaining co-operation between Member States, and Identifying Emerging Risks for creating trust and confidence. Slawomir Gorniak provided some details of the various Work Packages which compose the three MTPs.

Finally, Slawomir Gorniak provided several conclusions: countries’ preparedness measures and policies are at different levels of maturity, as only a few of them have developed solid strategies to address the stability of the internet, which is not only a technology issue. He pointed out that, as DNSSEC and IPv6 deployment and RFID usage are issues that greatly concern stakeholders, ENISA is taking initiatives to address governance issues on DNSSEC implementation in the root and EPC/ONS.

Session 1: Mobile Security

Chair: Valtteri Niemi, 3GPP SA3 Chairman, Nokia

Securing emerging wireless networks and services - Ganesh Sundaram, Alcatel Lucent

Ganesh Sundaram gave an overview of the evolution of mobile wireless systems and highlighted the security vulnerabilities arising from this process, related both to new applications and to users’ habits. Moreover, markets are discovering new business models to monetize wireless access, further changing the security rules of the game. He discussed such issues with a focus on emerging wireless networks, architectures, and services, with emphasis on security threats and solutions. He explained a template to discuss security issues, and to offer potential solutions to specific problems. Some specific new results on end-to-end privacy and secure routing were discussed in detail.

3GPP Security hot topics: LTE/SAE and Home (e)NB - Valtteri Niemi - 3GPP SA3 Chairman, Nokia

Valtteri Niemi provided some historical background on this topic. He mentioned the various security specifications related to 3GPP releases and relevant work done by the SA3 Working Group.

Valtteri Niemi went on to explain Common IMS security. He started from IMS (SIP) security in Rel. 5 and related aspects such as authentication and key agreement, security mechanism agreement and R99 access security. Then he explained the enhancements introduced in Rel. 6 and Rel. 7, and lastly in Rel. 8 with the introduction of Common IMS security. Enhancements include several new normative annexes to TS 33.203, early IMS security TR 33.978 promoted to TS, and media security. He also showed different IMS authentication schemes.

Valtteri Niemi explained the main matters related to the current work for SAE/LTE (System Architecture Evolution / Long Term Evolution): new architecture and business environment require enhancements to 3G security; the radio interface user plane security terminates in base station site; the cryptographic separation of keys; forward/backward security in handovers; and different security mechanisms in many inter-working cases with both 3GPP and non-3GPP access networks.

Finally he gave details on current Home (e)NB security work and related issues: a new architecture with more exposed locations of NB’s; new types of threats; hence many new countermeasures are needed.

Open Mobile Terminal Platform (OMTP) recommendations - David Rogers, Director of External Relations, OMTP

David Rogers highlighted that the Open Mobile Terminal Platform (OMTP) has developed a number of recommendations in the area of security and released the first version of its ‘Advanced Trusted Environment: OMTP TR1’ recommendation in May 2008. The project continues to be worked on, establishing the foundations of trust for future sensitive services and applications on the handset, whilst enhancing the underlying platform security of the handset. The TR1 document has been in production for nearly two years and builds upon the groundwork of the Trusted Environment (TR0). Whilst TR0 established the basics of a trusted environment for mobile phones, TR1 is forward looking, aiming to provide the base security in handsets for future highly sensitive applications such as m-commerce and broadcast.

Access to device based, security sensitive APIs through projects such as OMTP BONDI will rely on a secure device platform. The recommendations further enhance the work designed to protect the unique identity of the device and stored data, making the user’s data safer and the device even more difficult to re-enable after theft. TR1 also provides the underpinning of trust for other services on the device. An Application Security Framework designed to protect the user from malware and to enforce corporate security policies could potentially be undermined if the hardware platform it is running on is insecure.

Secure Multicast and Broadcast Communication in Broadband Wireless Networks - Jaydip Sen, Tata Consultancy Services

Jaydip Sen sent his apologies as he could not fly to France due to a flight cancellation. A summary of his proposal follows.

The next generation WMAN (Wireless Metropolitan Area Network) standards have provisions for Multicast and Broadcast service (MBS), and Tata’s work on MBS security relates particularly to group security association rekeying protocol development. MBS enables a Base Station (BS) to distribute data simultaneously to multiple Mobile Stations (MS) to reduce communication overhead. However, this mechanism is vulnerable since every member of a multicast group, in addition to having the ability to decrypt and verify the broadcast messages, can also encrypt and authenticate messages as if they originate from the ‘real’ BS.

The proposed mechanism plugs this vulnerability by avoiding broadcast key updates and by generating the Group Traffic Encryption Key (GTEK) as part of a hash chain. The BS first generates a random number which represents the initial key GTEK_0. The other GTEKs are generated by applying a one-way function to the previous GTEKs.

The further technical details of this mechanism and the related security features highlight that this scheme has low computing requirements both at the BS and the MSs.
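The hash-chain construction summarised above, sketched as an added example (it is not taken from the report or from the Tata proposal). The report does not name the one-way function, the key length, or the order in which keys are put into service; truncated SHA-256, 16-byte keys, reverse-order use (GTEK_n first), the unicast delivery of the first key and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

KEY_LEN = 16  # assumed GTEK length in bytes; not stated in the report


def one_way(key: bytes) -> bytes:
    """Assumed one-way function: domain-separated SHA-256, truncated."""
    return hashlib.sha256(b"GTEK-chain" + key).digest()[:KEY_LEN]


def generate_chain(n: int, seed: Optional[bytes] = None) -> List[bytes]:
    """BS side: GTEK_0 is random, GTEK_i = one_way(GTEK_{i-1}) for i = 1..n."""
    gtek = seed if seed is not None else secrets.token_bytes(KEY_LEN)
    chain = [gtek]
    for _ in range(n):
        gtek = one_way(gtek)
        chain.append(gtek)
    return chain


class MobileStation:
    """MS side: holds only the chain element currently in service."""

    def __init__(self, anchor: bytes):
        # Assumption: the first key in service (GTEK_n) reaches each MS
        # over its own unicast security association when it joins.
        self.current = anchor

    def accept_next(self, candidate: bytes, max_skip: int = 0) -> bool:
        """Accept a new GTEK only if hashing it leads to the key held.

        max_skip lets an MS that missed some rekeying rounds catch up,
        while bounding the work spent on a bogus candidate.
        """
        probe = candidate
        for _ in range(max_skip + 1):
            probe = one_way(probe)
            if hmac.compare_digest(probe, self.current):
                self.current = candidate
                return True
        return False


def demo() -> dict:
    # Constructed seed so the run is reproducible; a real BS would draw
    # GTEK_0 from a CSPRNG, as generate_chain() does by default.
    chain = generate_chain(4, seed=bytes(range(KEY_LEN)))
    ms = MobileStation(chain[4])
    results = {
        # Genuine successor: one_way(GTEK_3) == GTEK_4.
        "genuine": ms.accept_next(chain[3]),
        # A group member can only hash forward, which yields an older
        # key, so it cannot mint the next key in service.
        "member_forgery": ms.accept_next(one_way(ms.current)),
        # Arbitrary value injected by an outsider.
        "random_forgery": ms.accept_next(b"\xff" * KEY_LEN),
        # MS missed GTEK_2: rejected by default, accepted with catch-up.
        "skipped_strict": ms.accept_next(chain[1]),
        "skipped_catch_up": ms.accept_next(chain[1], max_skip=1),
    }
    results["final_is_gtek1"] = ms.current == chain[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Under these assumptions a mobile station authenticates each new key against the one it already holds, so no rekeying message protected by a key shared across the whole group is needed.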

Understanding Mobile Phone Threat Vectors - Mohamad Nizam Kassim, Security Assurance Department, CyberSecurity Malaysia

Mohamad Nizam Kassim highlighted that the rapid evolution of mobile phones, which offer a wide range of services, has revolutionised people’s habits. Nowadays, mobile phones carry more personal information than ever. Personal and business contact information, personal images and banking information are examples of sensitive information that may reside in mobile phones. Therefore, mobile end users are an excellent target for potential attackers.

Mohamad Nizam Kassim outlined ten threat vectors of possible mobile phone attacks. These are: mobile phone operating system, mobile software applications, third party applications, subscriber controlled input, mobile messaging, wireless personal area network, wireless local area network, wireless wide area network, mobile malware, and mobile denial-of-service.

Session 2: Security initiatives within CEN and CENELEC

Chair: John Ketchell, CEN/ISSS Director

Towards standardisation measures to support the Security of Control and Real-Time Systems for Energy Critical Infrastructures - Marcelo Masera, Institute for the Protection and Security of the Citizen, Joint Research Centre - European Commission

Marcelo Masera provided a presentation focused on various security standardization matters within the EU. He explained that the ESCoRTS project, started on 16 June 2008 and set to last 30 months, encompasses the following activities: needs and requirements for control system security, identify best practices, stimulate convergence of work-in-progress, define strategic R&D roadmap, set the basis for test platforms. Marcelo Masera provided an explanation of SCADA (Supervisory Control and Data Acquisition) systems and related vulnerabilities. SCADA is not designed for security, and risk impact could be substantial for several critical sectors, such as major blackouts for energy, process industries and manufacturing sectors.

Finally he stressed the importance for Europe of filling security gaps by encouraging awareness among stakeholders, and especially: determine best practices, develop security business case, share security information with a permanent data communication structure (national, EU), and establish a reference cyber security testing platform.

Current activities of CEN Workshop on Data Protection and Privacy (WS/DPP) - Sati Bains

Sati Bains gave an overview of the CEN Workshop on “Data Protection and Privacy” (CEN WP DPP), launched in March 2008, whose main effort is a continuation of an existing programme that is supported by the European Commission, with the objective to develop and deliver three CEN Workshop Agreements (CWA) on: a better practice management system guide; personal data protection / privacy audit tools; and a voluntary technology dialogue system.

Sati Bains explained that, if anybody desires to be involved, a public consultation open to everybody will take place on 12 February 2009 in Bruxelles at the new CEN/CENELEC Meeting Centre.

First results of the CEN/ISSS Workshop on Cyber Identity - Charles de Couessin, ID Partners -Counterfeiting Workshop - Nadine Ruhle-Niestroy, TUV Rheinland Japan Ltd

Charles de Couessin provided a presentation on the work of a CWA focused on Cyber-Identity: unique identification systems for organizations and parts thereof. He explained the market trends and the EU response to create a legal framework for the unique identification of business identities. He provided an overview of the CWA workplan including collection of requirements (market trends of identification schemes, standardisation initiatives, government initiatives, and use cases and specific issues).

Finally he highlighted the expected outcomes and the related time frame. The outcomes include achieving interoperability among current identifiers by using meta-identification systems, creating the guidelines for the creation of a reconciled and workable framework that can be used in multiple application environments, defining best practices for meta-identification and the rules to ensure the interoperability of current identification schemes, and specifying the basic description of legal and procedural registration requirements. Charles de Couessin stressed that the CWA will use existing identification schemes, registries and proven standards for meta-identification rather than reinventing the wheel.

Session 3: Privacy

Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert

Incorporating privacy into security standardization - Claire Vishik, Security & Privacy Standards & Policy Manager INTEL

Claire Vishik highlighted that as standard implementations of security features through the use of industry or international standards become pervasive, concerns arise about support for privacy afforded by some of these standards. As a result, in the last 10 years, numerous security/security related standards have incorporated privacy features.

Claire Vishik made an analysis of implementations of privacy features as part of various standards that either focus on security or have significant security components, such as IPv6, GSM, Trusted Computing, WiMax, Wi-Fi, standards associated with RFID or healthcare records, SAML & Liberty Alliance, and in several other contexts. Based on this analysis, she proposed a more general way to ensure that security standards also effectively protect user privacy.

Security and Privacy for C2X Communication Systems - Research and Standards - Matthias Gerlach, Senior Research Officer, Fraunhofer Fokus

Matthias Gerlach explained that, starting in the late 90s, research on C2X systems quickly gained momentum with respect to network and application topics. Some successful research projects later, with the prospect of bringing C2X technology to the market within a foreseeable timeframe, standardization efforts started. At the same time, concerns grew that without proper security and privacy protection a market introduction is not possible.

Matthias Gerlach provided an overview of the research and standardization efforts in the field of C2X security and privacy with contributions from major actors in the field. Firstly he gave an introduction to the topic before looking at activities in the US, Japan, and Europe, shedding light on the different priorities and expected outcomes of the various efforts. He also covered recent experiences from testing security aspects in real life. Finally, he highlighted that open issues are still being identified and he outlined the next steps concerning both research and standardization.

ETSI Electronic Signatures Activities - Riccardo Genghini, ESI Chairman

Riccardo Genghini highlighted that the work done and ongoing within the ETSI TC ESI is the cornerstone for interoperability of digital documents in Europe. He provided an overview of the work of various Specialist Task Forces: STF 351 on XAdES/CAdES interoperability Plugtests (with participants from Asia), STF 318 on Registered Email (REM) and STF 364 on electronic signatures for PDF to offer a global solution for seamless and easy interoperability of signed digital documents (through liaison with ISO 32000 and active participation by Adobe).

Riccardo Genghini listed many documents produced by TC ESI. He stressed that an impressive amount of documents is available, and all this work needs to be better organized and disseminated in order to boost interoperability.

Profiles and the challenge of providing security in personable ICT devices - Scott Cadzow / Mike Pluke - ETSI STF 342

Scott Cadzow started his presentation by highlighting that a large part of user acceptance of devices is the ability to use them effectively. However, one of the characteristics of ICT technology is change in how users use their devices. With a large part of the user experience and the user acceptance being common between ICT devices, there has been significant work in ETSI TC HF over the past few years on personalisation of devices. In such a scenario, it is very important to focus on the privacy and security challenges of making profiles for ICT user equipment private and secure whilst remaining usable. Scott Cadzow outlined a number of uses of profiles: profile invocation, profile transfer, profile storage and recovery.

Security and personalized eHealth systems - Françoise Pettersen, ETSI STF 352

Françoise Pettersen reported that the ETSI Human Factors and eHealth Technical Bodies have created a project carried out by the STF 352 to standardise the personalization of eHealth systems. eHealth information is among the most personal and sensitive information that a person makes available in an electronic form. Therefore the privacy of this information is of the highest importance if trust in eHealth systems is to be established and maintained. People’s trust that the privacy of their eHealth information is being appropriately handled can only be achieved if they feel confident that their eHealth information is only made available to appropriate people in appropriate circumstances. The work of the STF 352 surveys those aspects of personalization that are specific to eHealth: user capabilities, care provider roles and functions, health related information, and confidentiality measures. In order to manage privacy, there is a need to handle different roles such as those of health personnel, formal and informal carers and telecare agents.

Search Engine based Data Leakage - Hans Pongratz, Technische Universität München

Hans Pongratz highlighted that nowadays the World Wide Web (WWW) is ubiquitous and estimates say that there are more than 10 billion web pages. Search engines try to locate, sort and catalogue the web and help the user to find the desired information. Due to wrong web server configuration or other human failure there are many cases of unwanted publication of information through the web. In such a scenario, the term “Google Hacking” refers to the use of search engines to find privacy or security issues via search queries, whose results can range from revealing error messages to login credentials up to special file types and browseable directories.

This poses questions about what information can be detected using a search engine like Google and whether a company or organization is affected. This leads to an investigation on which security concept takes into account this kind of threat. Based on a summary of the technique of “Google Hacking”, Hans Pongratz explained some countermeasures and identified some gaps in security standards in the field of risk analysis and information leakage.

Finger vein authentication technologies for consumer mobile products - Hideo Sato, FVA Biz Development Office, Sony Corp

Hideo Sato introduced finger vein authentication technologies for consumer mobile products, a new biometric method using the unique finger vein patterns. Since finger veins exist inside the body, they are extremely hard to forge. Hideo Sato explained that quick response time and high-level security authentication are achieved by a new compact-fast-matching algorithm and a small-size template that is nearly equal to that of minutiae-based fingerprint authentication systems. These technologies enable the use of finger vein authentication for mobile devices and smart cards, etc.

Session 4: International Standardization

Chair: Mike Harrop, ITU-T Rapporteur SG17 Q4

Future security work in the ITU-T - Mike Harrop, ITU-T Rapporteur SG17 Q4, Communication Security Project

Mike Harrop pointed out that the 4-year ITU-T Study Period ended in 2008 and there has been a restructuring of the work for the new Study Period which begins in 2009. The new structure was approved at the World Telecommunications Standardization Assembly in October 2008. A new management team has been appointed. His presentation outlined the new organizational structure and reviewed prospects for the ITU-T security work in the new Study Period (2009-2012).

Mike Harrop explained that aspects of security are being addressed by most Study Groups (SGs), and that SG 17 has primary focus on communication security and is the Lead Study Group (LSG) on security for ITU-T. Specifically, SG17 Security is responsible for studies relating to security including cybersecurity, countering spam and identity management. SG17 is also responsible for the application of open system communications including directory and object identifiers, and for technical languages, the method for their usage and other issues related to the software aspects of telecommunication systems. In addition, IdM focus has been raised and SG17 is now LSG for IdM.

The UICC as the Security Platform for Value Added Services - Klaus Vedder, Executive Vice President, G & D

Klaus Vedder reminded the audience that SIM and UICC represent the driving smart card technology globally. He gave some background information about the ETSI TC Smart Card Platform (SCP), founded in March 2000 as the successor of SMG9, the people who specified the most successful smart card application ever, with over 3 billion subscribers using one or more of the 13 billion SIMs, USIMs and R-UIMs delivered to the market. The Mission of TC SCP is to create a series of specifications for a Smart Card Platform, based on real-life (outside) requirements, on which other bodies can base their system specific applications to achieve compatibility between all applications resident on the smart card.

Klaus Vedder gave an overview of the main specifications and provided some technical details about the smart card chip evolution. He outlined the work done on the “Contactless” USIM, and explained that the contactless interface for the (U)SIM will create a wealth of new opportunities, as mobile phones will work like a contactless card for payment, ticketing, access control, and as a card reader for the (U)SIM. Finally he highlighted the reasons why the SIM is the preferred secure element for contactless communications.

A Secure-Runtime in the Mobile - The perfect enhancement to a SIM - Stefan Spitz, Manager New Technologies, New Business Development, G&D & Richard Phelan from ARM

Stefan Spitz highlighted the reasons why an additional secure execution environment in a mobile is needed and how this can be achieved. He explained that the Secure-Runtime guarantees that resources which were assigned to a secure handset application are never used or modified in an unauthorized manner. Erroneous or malicious code cannot cause damage beyond its memory boundaries. Therefore the basic protection mechanism between different programs is isolation provided by the G&D-Runtime and ARM TrustZone technology. Finally he pointed out that a Secure-Runtime is conceived for all systems that process security-relevant data at a mid-range security level but require more flexibility, storage capacity and functionalities than a topical SIM can offer, e.g. secure keypad and secure display.

NFCIP-1 Security Standard protects Near Field Communication - Reinhard Meindl, Senior Principal, NXP

Reinhard Meindl provided an overview of new security standards for NFC: the objectives and planned use cases, the standards structure and main functionality.

NFCIP-1 is standardised in Ecma-340, ETSI EN 302 190 and ISO/IEC 18092. It specifies the signalling interface and protocols for Near Field Communication (NFC), which is a wireless communication technology for closely coupled Consumer Electronic devices.

Since NFCIP-1 does not provide any cryptographic encryption functions, a complementary series of NFC security standards has been developed by Ecma International. NFC security standards will also be deployed for all those NFC connections which require protection against eavesdropping and data manipulation and which do not necessarily require application specific encryption mechanisms.

The modular concept for NFC security standards simplifies the specification and allows for easy future extensibility. A common framework standard, which defines the services, the PDUs and the protocol, is specified by Ecma standards, complemented by a standard which defines cryptographic mechanisms.

NFC security standards are based on well established international standards and most were developed by ISO/IEC JTC1/SC27.

DVB-CPCM: a complete interoperable solution for content protection in a multi-device, networked environment - Marc Jeffrey, Microsoft, DVB Project

Marc Jeffrey highlighted that the digital broadcast industry and the wider ICT sector are seeing a proliferation of content delivery platforms, along with an ever-increasing range of consumer devices for receiving, storing and consuming content. In-home networks have become a realistic possibility for the ordinary consumer, bringing added complexity to managing the content. This presents a set of challenges not only to those charged with copyright and consumer protection, but also to those wishing to ensure the interoperability of the devices and content involved.

The DVB Project has addressed these challenges, with participation from all sectors of the industry, in developing a set of open, interoperable technical specifications called DVB-CPCM – Content Protection and Copy Management, published as a multi-part standard by ETSI (TS 102 825).

Marc Jeffrey explained the key advantages of DVB-CPCM as a complete system for managing content in a multi-device networked environment. DVB-CPCM manages content from acquisition until final consumption (or export), in accordance with the particular usage rules of that content. DVB-CPCM facilitates interoperability of such content by networked consumer devices for both home networking and remote access.

The European Commission's new Action Plan on e-signatures and e-identification - Gérard Galler, Policy Officer, European Commission, Information Society & Media DG

Gérard Galler pointed out that on 28 November 2008, the European Commission adopted an Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market. Public authorities offer an increasing number of public services by electronic means, for example public procurement, but the implementation mostly focuses on national needs and means.

This approach risks creating new ‘e-barriers’ to cross-border markets. The Action Plan seeks an EU-wide solution to cross-border use of online public services, proposing a comprehensive approach and committing to quick delivery dates. It aims to assist Member States in implementing mutually recognised and interoperable electronic signatures and electronic identification solutions.

Gérard Galler provided details of the Action Plan and outlined the EU-related undertakings including the CROBIES study (Cross-Border Interoperability of eSignatures) that is expected to deliver input for most of the technical issues raised in the Action Plan.

Making Better Security Standards - Scott Cadzow / Steve Randall, ETSI STF 356

Scott Cadzow stressed that one of the keys to effective standardisation is rigour and this is as true for security as it is for any other standards area. ETSI’s members have over the past 15 years developed a very large number of security standards across a range of technologies including TETRA, DECT, 2G and 3G, and the NGN, as well as having a long and successful history in cryptographic development through SAGE.

What has also happened in this period is that a number of guidance documents have been written to help guide the next generation of developers but these have often been discarded, or lost in the volume of ETSI’s product. The “Making Better Standards” initiative in ETSI TC MTS has for a number of years acted to guide developers of protocol specifications, and test specifications, in making high quality standards. This has now been extended to the security field with a view to providing a path to the development of high quality, highly assured, security solutions in ETSI standards.

Scott Cadzow explained the key steps in making better security standards and the ETSI web-site that supports this goal. The created structure in developing security standards, when followed, should lead to deployable systems with a high assurance of security under fully documented conditions and thus act as a significant input to the “Design for Assurance” paradigm that is key to assurance evaluation programmes such as Common Criteria.

Identity management - Mike Harrop, The Cottingham Group, Canada

Mike Harrop stressed that Identity Management (IdM) is a topic of growing importance. Many organizations are promoting IdM solutions and both ISO and ITU-T are focusing on IdM in their security standardization work. However, the topic is not without controversy and there are some significant differences of opinion regarding the work. Some of the approaches are starting to diverge. In addition, the work is being driven by a number of interests that are not wholly aligned, and insufficient attention is being given to the implications for personal privacy. His presentation reviewed the context of the identity management work, provided an overview of the work in progress, addressed the motivations of the participating organizations, and discussed the implications for personal privacy.

Session 5: NGN Security and Data Retention

Chair: Judith E.Y. Rossebø, ETSI TISPAN WG7 Chairman, Telenor R&I

NGN Security standards for Fixed-Mobile Convergence - Judith E.Y. Rossebø, ETSI TISPAN WG7 Chairman, Telenor R&I

Judith E.Y. Rossebø explained that TISPAN is the ETSI technical body responsible for fixed network standardisation including development of next generation networks (NGN) and is addressing convergence of fixed and wireless networks. There is a strong emphasis on security on a managed IP network and on regulatory compliance on issues such as Lawful Intercept, Number portability, and Emergency services.

TISPAN_NGN provides a set of implementable NGN specifications that are being used by industry to build the NGN. The main features are: the Core IP Multimedia Subsystem (IMS) (which is standardized by 3GPP) and its relationship to other TISPAN NGN components, the Network Attachment Subsystem (NASS), the Resource and Admission Control Subsystem (RACS), the PSTN/ISDN Emulation Subsystem (PES), and PSTN/ISDN Simulation Services (PSS), and the IPTV subsystem (including IMS-based IPTV).

TISPAN is currently working on TISPAN NGN Release 3 specifications. The new work includes: evolution of NASS, including additional access technologies; evolution of RACS, to provide resource control in the core; requirements for FMC; and elaboration of requirements and network capabilities to support IPTV services.

For TISPAN NGN Release 3, TISPAN WG7 is applying the methods developed by STFs 268, 292, 329 and 330, designed to raise the quality of standards and, in the security arena, to raise the level of assurance in the level of security given by the standardised security measures. The methods already developed by STFs 268 and 292 build on the guidance given in MTS. The output of STF329 has to ensure that guidance for use of 15408-2 is available for ETSI developers and to assist WG7 specifically, and the TISPAN NGN project in general, in providing rationale for any security decision such that the Common Criteria guidance is engineered into all WG7 and NGN deliverables that may be subject to evaluation at some time. STF329 has provided some security support to the TISPAN NGN project, on the engineering of security requirements and in contributing to the WG7 TISPAN NGN Release 2 deliverables.

TISPAN Working Group (WG) 7 is responsible for the management and coordination of the development of security specifications for the NGN project. The security standards for TISPAN Release 2 include security requirements and architecture for the IPTV, Business Communication, customer networks, and for RACS and its supporting technologies. TISPAN WG7 continues to cooperate with 3GPP to coordinate the Common IMS evolution and resolve issues. When applicable, TISPAN re-uses 3G specifications.

Ongoing activities: for Lawful Interception and data retention, TISPAN WG7 is identifying appropriate interfaces, reference points and entities in the NGN architecture; TISPAN WG7 is working to support emergency communication from citizen to authority within the NGN architecture. Other ongoing work includes a feasibility study on IPTV security architecture, work on elaborating a schematic overview of the NGN security architecture, and a technical specification on how to counteract the occurrence of Unsolicited Communications (UC) in the NGN.

NGN access networks (in)security, Security proposal for NGN standardization - Paolo De Lutiis, Telecom Italia

Paolo De Lutiis provided a description of practical vulnerabilities and proposed possible countermeasures that would enable safer Next Generation Access Networks (NGAN) deployment thanks to the use of specific security mechanisms which should be added to the already defined ITU-T standards. He reported that ITU-T G.984.x is currently defining security mechanisms for the Gigabit Passive Optical Networks (GPON) NGAN and provided a threat analysis of GPON and ITU-T G.984.x, describing examples (with specific use cases) of insecurity and listing the main security threats and related risks to which GPON-based NGAN are subject.

Finally, he proposed possible countermeasures to fill the security gap in the current specs in order to better face the identified vulnerabilities. Such countermeasures should permit the Operator to better control its NGAN limiting the impact of security attacks against its infrastructures while providing a trusted access environment to the customers.

Data retention and lawful interception - Peter van der Arend, ETSI TC LI Chairman

Peter van der Arend provided an overview of the work of the ETSI TC Lawful Interception (LI), which works on both Lawful Interception and Retained Data (RD).

He gave some background information regarding the TC LI and briefly explained the structure and working practices. He explained that the TC LI produces reports and specifications mostly focused on the Handover Interface (from the Operator to the Authorised Organisation) for LI and DR. The TC LI actively promotes ETSI Lawful Interception and Data Retention standards globally among operators and national bodies.

Peter van der Arend gave an overview of the vast and increasing participation in the work of the TC LI (including Law Enforcement Agencies, Government organisations, Research Organisations, Communication Service Providers, Manufacturers), which also leads to the acquisition of several new ETSI Members.

Peter van der Arend explained that the work done on Retained Data follows Directive 2006/24/EC on Data Retention (15 March 2006), adopted by the European Parliament and the Council of the European Union, which states that data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks needs to be retained. This work has led to the publication of TS 102 656 (Requirements of LEAs for handling Retained Data) and TS 102 657 (Handover Interface for the request and delivery of Retained Data). In addition, an LI and RD security report has been produced: TR 102 661 (Security Framework in Lawful Interception and Retained Data environment).

Finally, Peter van der Arend provided some technical details of the TC LI work, and highlighted that TC LI is keeping a close working relation with the EC/Experts Group “The Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime”, will maintain the Retained Data standards, can organise an interoperability test if required, and is encouraging widespread use of the ETSI RD standards.

Session 6: Metrics

Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert

Implementation of a security metrics dashboard in Telefónica España - Vicente Segura, Technology Specialist in Information Security, Telefonica

Vicente Segura pointed out that it is essential to measure security in order to manage it properly. Knowing the security position, analyzing its evolution and comparing the security levels of different areas in the organization is a must to plan, monitor and evaluate information security strategies. Telefonica España has recently deployed a security metrics dashboard in order to measure and monitor security controls and evaluate its compliance with international security standards and internal regulations.

The first difficulty when implementing this kind of system is the collection of information or measures to calculate metrics. Usually the information is scattered all over the organization infrastructure, so there are different information sources and probably they must be handled in a different way. In order to deal with those different information sources we need to design and implement a mechanism which enables us to easily configure and extract security measures.

The second difficulty we faced is related to the different ways in which each company is organized. We are interested in measuring security aspects of an area or an entire organization, but we can only extract information of the components it is composed of, such as systems, services, business processes. Therefore, we need to develop a process to transform the security measures of those components into security metrics of the area or the organization.

Vicente explained the objectives of the security metrics dashboard developed at Telefonica España, the difficulties faced during its design and deployment and the solution that they have implemented to overcome them.

A Security Assurance metrics modelling, to holistically evaluate and assess the Security Level of an organization - Professor Solange Ghernaouti-Hélie, Faculty of Business & Economics and Igli Tashi, Postgraduate Research and Teaching Assistant, University of Lausanne

Igli Tashi explained that the assurance concept is an important subject of discussion when dealing with the Information Security evaluation and perception level. Several concepts that are subject to perception, behaviour and qualitative evaluation, like confidence and trust, are related to Security Assurance. Under the assumption that it is rather difficult to identify the weakest link in a system as complex as information security, the assessment should be made in a holistic manner.

Igli Tashi discussed the concepts of confidence and trust in order to point out some logical and pragmatic elements for evaluating the security assurance level within an organization. He proposed a structural model based on the best practices and current practices, having the goal to assess the security in a holistic manner by incorporating technical, organizational, human and legal related aspects of Information Security. The proposed model aims at being used for different structures of organization under different business situations.

Session 7: R & D

Chair: Scott Cadzow, Cadzow Communications

The INTERSECTION Vulnerability Database - Salvatore D'Antonio, Unina

Salvatore D’Antonio explained that INTERSECTION (INfrastructure for heTErogeneous, Resilient, SEcure, Complex, Tightly Inter-Operating Networks) is a European co-funded project in the area of secure, dependable and trusted infrastructures. The main objective of INTERSECTION is to design and implement an innovative network security framework which comprises different tools and techniques for intrusion detection and tolerance. One of the framework components is the vulnerability database, which stores the information about design vulnerabilities of heterogeneous and interconnected networks. Design vulnerabilities differ from implementation vulnerabilities (i.e. application faults), on which NVD (National Vulnerability Database) is focused. The INTERSECTION Vulnerability Database is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards: Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE) and Common Vulnerability Scoring System (CVSS). The use of such standards enables automated vulnerability management, measurement, and policy compliance evaluation, and allows the INTERSECTION vulnerability database to interoperate with other databases, such as NVD and OSVDB (Open Source Vulnerability Database).

ICT standardisation in UAV-systems - André Hermanns, Chair of Innovation Economics, Technische Universität Berlin

André Hermanns reported that the research project AirShield is funded by the national Security Research Program of the German Federal Government, and is managed by the German Federal Ministry of Education and Research. AirShield aims to develop an autonomous drone swarm carrying a variety of remote sensor systems for inspecting large-scale hazards. Sensor data shall be used to forecast the future direction of emissions and fall-out to initiate and adapt necessary counter measures.

André Hermanns’ presentation highlighted the importance of standards to provide rescue and security organisations with compatible and easy-to-use UAVs of high quality. Standardisation aspects will be applied on: drone, sensor and communications hard- and software; testing, assembling and standard operation procedures; and data, e.g. for geo-information, and terminology.

André Hermanns explained the importance of establishing a lead market for safety and security technology, using standards in innovation and procurement processes as an instrument of technology transfer. In this context, the EU Lead Market Initiative from December 2007 and the ESRIF proposal of an EU Security Label from September 2008 are assessed. Finally, he highlighted the possible role of standards for establishing and increasing public and user acceptance for safety and security technology.

Ontology- and Bayesian-based Information Security Risk Management - Edgar Weippl, Science Director & Stefan Fenz, Security Research Austria

Stefan Fenz explained the motivations which led to the work on Ontology- and Bayesian-based Information Security Risk Management: almost every business decision is based on electronically stored information; information security is crucial for ensuring long-term business success; and information security risk management has been an issue since the 1970s, but is still linked to several problems.

He explained in some detail the assessed approaches for this work, including: System Characterization (inventory and determination of acceptable risk levels); Threat and Vulnerability Assessment (determination of potential threats and corresponding vulnerabilities); Risk Determination (Threat Probability x Impact); Control Identification (identification of risk-reducing controls); and Control Evaluation and Implementation (Cost/Benefit analysis).

Finally Stefan Fenz highlighted that incomplete knowledge is one of the main problems in information security risk management. In such context, the explained AURUM method enables organisations to automatically map general information security knowledge to their infrastructures, to comprehensibly quantify the current security status of their organization and to automatically check the organization’s compliance with existing best-practice guidelines and information security standards.

At the same time, further research is needed in order to minimize the limitations of the method, such as the fact that Bayesian threat probability determination depends on realistic input values which are not always available.

Content Tag Security - Shahriar Pourazin, Sepehr S. T. Co. Ltd.

Shahriar Pourazin highlighted that the digital broadcasting companies may soon deliver their content through Internet Service Providers (ISPs), mobile companies and fixed-line telecom companies. This lets the viewers have more options and better access to the content. It will soon be possible to have Standard Content Classifications to let users ask for content from a class instead of searching blindly within large amounts of content. Each standard content class should have a tag pointing to a specific entry within the ontology of contents. The problem after this implementation will be to somehow securely bind the tag and content. In such a scenario the receiver may claim to have received lower-cost content and the transmitter may claim that she has sent more expensive content. This poses the following questions. How could we check their claims? We may be able to remove the content tag and replace it with the tag of free content. Who will register the transmission? Is it necessary to force the mobile phone equipment to check the integrity of content and the tag? Can mobile operators check to see if the handsets are hacked or not? Should the content switching companies check content-tag integrity? Should they handle some sort of roaming?

Finally Shahriar Pourazin provided a proposal for binding content with its related class coded as a tag. The proposal is supposed to help content providers safely deliver their content.

Panel discussion and Conclusions: Priorities for security standardization

Chair: Carmine Rizzo, ETSI Technical Officer and Security Expert.

With:

Mike Harrop, ITU-T Rapporteur SG17 Q4, Communication Security Project

Klaus Keus, Dipl. Mathematician, JRC IPSC

Claire Vishik, Security & Privacy Standards & Policy Manager, INTEL

Background

Carmine Rizzo led the final discussion among a panel of experts (Mike Harrop, Klaus Keus and Claire Vishik) and the workshop participants. The experts introduced the suggested topics of discussion through brief presentations. The main topics included:

• prioritization of ICT standardization efforts: what areas should be (or should not be) addressed by standardization, especially when faced with a global economic downturn that is forcing organizations to optimize the utilization of their resources;

• the need to address citizens’ security and privacy in current and emerging standards, including those relating to identity management;

• the need to evaluate the use of standards and the need to assess the effectiveness of their implementation for business purposes: who should do it and how (e.g. metrics on the standards themselves).

Prioritization

It was stressed that it is very important for standardization bodies to perform a careful assessment of the need and uses for each proposed standard before embarking upon development in order to justify the utilization of resources. E.g. is the need for a specific standard supported across a broad community of interest? Is there a real demand for the standard and technology it covers? What constituency is the standard intended to serve? Who will use it? Are the resources available to develop the standard and will those resources constitute a representative cross section of the community of interest? (E.g. there is usually little point in developing a standard if only one or two organizations are sufficiently interested to commit resources to it).

The clear feeling is that this is an area where improvement is needed for standardization bodies that need to match standard development plans with adoption prospects, and efforts should be coordinated among bodies in order to prioritize standardization work and avoid duplication of efforts.

Topics on which ICT security standardization should focus include areas where systems interconnect or interact including networked critical infrastructures, public safety communications and areas that include the electronic storage or exchange of personal information.

Standardization should not be viewed in isolation but rather as part of a process that includes research, development, implementation and maintenance. And, there needs to be more flexibility in the standardization processes (e.g. by using special interest groups to develop and promote ideas and concepts).

In addition, it was suggested that key elements and interfaces should be standardized but standards should not be so prescriptive as to eliminate choice in implementations. Standards should reduce the selection factor, not eliminate it completely, so that implementers are able to exercise creativity while designing products that meet the standard and users are able to choose the best implementation to fit their needs.

Privacy

The discussion indicated that standards currently suffer from insufficient attention to the issue of privacy. For example, while the work done so far on identity management is beginning to address some of the issues of managing personally identifiable information, it does not yet address the broader implications for the privacy of the citizen. (There is much more to privacy than personally identifiable information, for example, potential for tracking without identification or re-identification of individuals through the aggregation and analysis of multiple resources). There is considerable potential for information to be collected inappropriately or unnecessarily. In such a scenario, with, for example, identity brokers/providers handling information to serve diverse needs and interests, aggregation becomes a major threat. Identity brokers holding large amounts of private information could become prime targets of attacks, and such information may be held in jurisdictions that are beyond the reach of existing privacy legislation.

At the same time it was pointed out that many people do not pay enough attention to their own privacy e.g. by providing personal information too freely and without considering how it will be used. Nevertheless, information collected is, in many countries, covered by privacy laws and regulations. Governments should continue to adopt measures to protect the privacy of their citizens, as the average user cannot realistically be considered to have the technical knowledge and expertise to manage his/her own privacy effectively.

ICT standardization needs to tackle these issues, firstly by clearly recognizing the need to address privacy aspects, and then by embedding them into standards from the very beginning. Privacy must be built in to standards, not regarded as an afterthought.

Although several groups/bodies are working on aspects of privacy, which makes the entire subject matter less “manageable”, it was observed that it is unrealistic, and probably not advisable, to try to centralize privacy efforts within any one standardization body. Attempting to do so could create conflicts of interest and lead to recommendations that are too broad to be actionable.

Evaluation

A strong need for metrics in IT security and related standards was recognized. The decision to develop some standards but not others should not be based on their “attractiveness” or on the degree of interest of the subject matter experts, but on measurable criteria which would establish cost-effective methods to evaluate final products in the implementation phase. This would provide more reliable means for organisations to build their business cases to participate in the development of security standards and to promote their use on the market. In addition there needs to be some follow-up or review after a standard has been developed to assess whether it has met the original objectives, whether it is actually being used to the extent anticipated and, if not, why not.

A way forward could be to establish a consortium of stakeholders, users and standardization bodies to work towards the creation of a seal of approval for products, services and processes that meet predefined criteria. Security standards developed according to the criteria could permit the implementers to apply such seal to their products.

The evaluation of the effectiveness of security standards needs to be based ultimately on the effectiveness of security measures in the implemented products using the standards. This implies the need to enhance testing efforts in terms of standards conformity and interoperability.

It is recognized that the area of ICT security standards metrics/evaluation is an open issue which needs much additional research by standardization bodies and stakeholders.

Workshop Closure

Carmine Rizzo closed the Workshop by thanking panel experts, speakers, session Chairs, and participants for their contributions towards a successful 4th ETSI Security Workshop.

Special thanks to Nathalie Guinet, ETSI, for her great support throughout the entire process.

Finally, Carmine Rizzo sent his greetings and best wishes to Charles Brookson, who could not be at this Workshop for very unfortunate reasons.

To be confirmed: 5th ETSI Security Workshop, ETSI, Sophia Antipolis, France, January 2010
