Security assurance and the role of ETSI

Security assurance and the role of ETSI

Scott Cadzow

STF292 (the follow on from STF268)

C3L

ETSI Security Workshop

16 th January 2006

Sophia Antipolis

16 th January 2006 ETSI Future security workshop 1

Contents

 Problems with security practice

 ETSI approach to security

 Tools and techniques

 Results


Common security standards problems

 Poor statement of objectives

¾ I want <<my product/service>> to be secure

¾ I want to authenticate my users

 Prior assumption or declaration of solution

¾ I need to use IPsec

¾ Must use PKI

 Not clear !!!


Common security solutions

 Secrecy

¾ Don’t let anyone know what you’re doing

 Containment

¾ Once the attacker is in the system and committed a crime keep them locked in the system

 Intrusion detection

¾ Find out when an attacker is in the system (before damage occurs)

 Access control (restriction)

¾ Only allow known parties into the system

 And on and on …


Scalability of security solutions

 Easy to keep a secret with two parties?

¾ Basis of symmetric key cryptology

 Impossible to keep a secret with more than 3 parties?

¾

Basis of asymmetric key cryptology (Ellis of UK CESG proposed Non-Secret Encryption in 1970 (6 years before Diffie and Hellman))

 Scenarios:

¾ Correspondents know and trust one another and the network

¾

Correspondents know and trust one another but don’t trust the network

¾

Correspondents know but don’t trust one another but trust the network

¾

Correspondents don’t know one another

¾

Communications network is public

¾ Communications network is private

¾ Etc.


How secure are we?

 A safe is rated by the number of hours it takes to break the lock

¾ Without the key

¾ With knowledge of the locking mechanism

¾ A safe is safe if

• You can control access to less than its rating

• The key is kept secure and separate

 Security needs to be determined in terms of risk

¾ What is the risk if

• … our identity leaks?

• … our conversation is overheard?

• … our credit card details are corrupted?

 How can we check that risk is mitigated?


What does ETSI mean by security?

 Security in the standards world refers to a collection of attributes

¾ Confidentiality

¾ Integrity

¾ Authenticity

¾ Availability

¾ Assurance

¾ Maintenance

 We try not to use the term security as it is unclear

¾ Except as an umbrella term to capture the collection

¾ ETSI also uses security in the context of providing awareness


ETSI approach to security

 Risk based analysis and countermeasure development

¾ TVRA as primary tool

¾ Technology and interface specific security

¾ Simplicity

 Countermeasures based on application of known techniques to critical risk areas

¾ ISO based methods

¾ SAGE sourced algorithms

 Collaboration with industry deployments

¾ TETRA through MoU SFPG

¾ GSM/3GPP though GSM-OA

 Testing and Maintenance


ITU-T X.805

 ETSI approach

¾ Addresses risk first

¾ Find solutions to mitigate risk

 ITU-T X.805 approach

¾

Does not address risk

¾

Offers presentation of security results within 1 of 8 security dimensions

• (1) Access Control,

• (2) Authentication,

• (3) Non-repudiation,

• (4) Data Confidentiality,

• (5) Communication Security,

• (6) Data Integrity,

• (7) Availability, and

• (8) Privacy.

¾ Simplified threat model

• Interruption, Interception, Modification, and Fabrication.


Understanding of vulnerability and risk

 Required for every system or product

¾

Justifies the security investment and targets that investment

 Captured in a TVRA document

¾ Not an easy document to prepare

 Requires thinking about attack

¾ Good people can’t think as criminals

¾

Criminals unlikely to admit to it and unlikely to help

 Security components required depend on risk

¾ Risk may depend on motivation of attacker

¾ Motivation is difficult to assess and damage may bear no relation to the logical motivation

(suicide attack, pleasure attack)

 Vulnerabilities are dynamic

¾ Tools available to the attacker change over time

¾ First attack may be expensive

¾ Later attacks may incur no cost

(script kiddies)


Proof of security

 Need to answer the inevitable questions:

¾ What is being secured?

¾ For how long will it be secure?

¾ What attacks are we safe from?

¾ What is the risk we are mitigating?

¾ What is the residual risk we are accepting?

 Furthermore we need to examine:

¾ Can security be measured (security metrics)?

¾ Can security be presented (security indicators)?

¾ How can security be managed?


Assurance programme assists proof

 Assurance programme offers

¾ Process of security development

¾ Quality

¾ Understanding and visualisation

¾ Credible measurement of result

 Assurance offers similarities to standards process

¾ Quality

¾ Understanding

¾ Shared development


Simple solutions

 Clarity

¾ A learned technique (not necessarily intuitive)

 Exactness

¾ A learned technique (not necessarily intuitive)

 Testability

¾ Can a test be written to determine if an objective is fulfilled?

 Illustrative

¾ Can the solution be pictured by the end user?

 Assurance

¾ Independent testing of security solution


Standards authoring as a tool for clarity

 Semi-formal language

¾ Shall, should, may, can as active verbs

 Design using formal languages

¾ SDL, UML

 Validation using formal languages

¾ SDL, UML, TTCNv3

 Testing using formal languages

¾ SDL, UML, TTCNv3


Measuring our security

 To what degree are we assured our security is taken care of?

¾ Is there an equivalent to the NCAP rating for cars?

 To answer this we need to be exact in our design

¾ What are we securing? ASSETS

¾ Against what? THREATS

¾ For what? RISK

¾ Protecting it with what? COUNTERMEASURES

 We also need to be exact in our claims for the design

¾ It protects against this threat for this length of time

 We should be ready to test our claims

¾ Evaluation of assurance


Illustrating security

 Clarity is essential

¾ Security by obscurity cannot be tested

¾ Security by secrecy is counter intuitive

 But … clarity is often difficult to achieve

 Tools, methods and language may help

 ETSI has proven expertise in methods to aid standardisation

¾ Guides to the use of UML, SDL, text

¾ Normative language: 4 actions - shall, should, may, can


ETSI and STF292 in eEurope

 Introducing assurance rigour to standardisation

 Based on Common Criteria for IT security evaluation

¾ ISO/IEC 15408

¾ http://www.commoncriteriaportal.org

¾ Offering interpretations from developer view as opposed to evaluator view

 Extending “Making Better Standards” to security

¾ http://portal.etsi.org/mbs/

 Development of a pro-active approach to security


The role of STF268

 To introduce Common Criteria to ETSI

 To produce 4 deliverables (published and available):

¾ EG 202 387

• Guide to the Common Criteria for an ETSI audience

¾ ES 202 382

• Method and proforma for the development of Protection

Profiles

¾ ES 202 383

• Method and proforma for the development of Security

Targets

¾ TR 102 420

• Report on issues surrounding CC in Standards


Common Criteria

 Products offering security features always carefully evaluated (particularly by government bodies)

 Mid-90s, evaluation bodies got together to define a single set of evaluation requirements, the “Common

Criteria (CC)” in ISO/IEC 15408

¾ Part 1: Introduction and general model

¾ Part 2: Security functional requirements

¾ Part 3: Security assurance requirements

 Rapidly growing interest in security and evaluation within commercial world

 Key aspects of CC:

¾ Formal evaluation process

¾ Using trained evaluators

¾ International recognition of results


Evaluation Assurance Levels (EAL)

 EAL 1:

 EAL 2:

 EAL 3:

 EAL 4:

 EAL 5:

 EAL 6:

 EAL 7:

Functionally tested

Structurally tested

Methodically tested and checked

Methodically designed, tested and reviewed

Semiformally designed and tested

Semiformally verified design and tested

Formally verified design and tested

 Standards should naturally fall into the documentation levels of anything up to EAL6.


Standards and CC [1]

CC generally used to evaluate product

Communications products often incorporate implementations of standards

 Standards are rarely evaluated under CC

 The question for ETSI:

¾ Can standards be written in a way that simplifies the evaluation of products implementing them?


Standards and CC [2]

 Protocol standards are spiritually close to PPs

¾ Specify implementation independent requirements

¾ Use formalized text to specify requirements (shall, may, should…)

¾ Use specification languages for design, validation and testing (SDL, UML, MSC, ASN.1, TTCN)

¾ Have traceability:

• Title

• Version numbering

• Change control


Standards content and the PP

 Implementation independent

¾ Spiritually close to PP

 Outline requirements

¾

Sufficient to allow interworking

¾ Open to allow innovation in implementation

 Behaviour and coding rules

¾

Protocols and data

 A PP is written in a different way to a standard. It is, therefore:

¾ unlikely (and undesirable) that ETSI will change the style of its standards;

¾ unreasonable to expect ISO and the security community to change the way a PP is written;

¾ unrealistic to expect an evaluator to find all PP information in an

ETSI standard (or multiple standards);

¾ inefficient to write out information twice (once in a standard and again in the PP).

“PICS” approach adopted where information is summarized in a table which includes references to text rather than the text itself.


What work needs done?

 Method for effective vulnerability analysis

¾

Using UML for illustration and simulation

¾ Template and proforma to allow simpler preparation

 Security for the NGN

¾ Objectives

¾

Requirements

¾ New methods

¾ Assurance

 New techniques

¾

Digital Rights Management over networks

¾ Multi-value content over networks

¾ Multi-level countermeasures in networks

¾

Interoperability


Need more promotion!

 ETSI is good at standards

¾ Probably the world leader

 ETSI is good at security

¾ Protocols (TETRA, DECT, GSM, 3GPP, TISPAN …)

¾ Algorithms (SAGE)

¾ Methods (TISPAN)

 Common Criteria and assurance are good practices

¾ Effective when applied

¾ Need to be applied across ETSI


Summary

 Risk based security at core of ETSI approach

¾ TVRA method and guide being developed

 Assurance ready standards development being introduced

¾ PP proforma using PICS method

 Security maintenance developed with industry

¾ TETRA SFPG and GSM/3G OA being good examples


Security assurance and the role of ETSI

Security assurance and the role of ETSI

Contents

Common security standards problems

Common security solutions

Scalability of security solutions

How secure are we?

What does ETSI mean by security?

ETSI approach to security

ITU-T X.805

Understanding of vulnerability and risk

Proof of security

Assurance programme assists proof

Simple solutions

Standards authoring as a tool for clarity

Measuring our security

Illustrating security

ETSI and STF292 in eEurope

The role of STF268

Common Criteria

Evaluation Assurance Levels (EAL)

Standards and CC [1]

Standards and CC [2]

Standards content and the PP

What work needs done?

Need more promotion!

Summary

Related documents

Products

Support

Security assurance and the role of ETSI