Network and Information Security Standardisation Issues (interim draft version 0.3)

Oct 30, 2013

Network and Information Security
Standardisation Issues
(interim draft version 0.3)

A report issued by the joint CEN/ETSI group on Network and Information Security (NIS)

DRAFT NIS Report, Version 0.3

Document History

Version        Date        Comments
Outline Draft  5/12/2002   Initial draft for NIS meeting (5 December 2002)
0.1            21/1/2003   Addressing comments received by email and at meeting (5/12) + adding detail
0.2            24/2/2003   Interim Draft for NIS meeting (March 3rd) taking into account most of comments received on draft 0.1
0.3            14/03/2003  Addressing TIPHON concerns, comments received at March meeting and additional comments on version 0.2.

Contents

I.    Introduction
II.   Executive Summary and Recommendations
III.  Scope
IV.   References
V.    Definitions and Abbreviations
VI.   Background
VII.  Aims of this Report
VIII. User Requirements
IX.   General Threats to Network and Information Security
X.    Security Services, Security Measures and Recommendations for Future Activities
      A. Registration and Authentication Services
         Security Measures
         Recommendations
      B. Confidentiality and Privacy Services
         Security Measures
         Recommendations
      C. Trust Services
         Security Measures
         Recommendations
      D. Business Services
         Security Measures
         Recommendations
      E. Network Defence Services
         Security Measures
         Recommendations
      F. Assurance Services
         Recommendations

ANNEX TO NIS REPORT: LIST OF CURRENT STANDARDS
      A. Registration and Authentication
      B. Confidentiality Services
      C. Trust Services
      D. Business Services
      E. Network Defence Services
      F. Assurance Services

I. Introduction

1. [tbd by John Phillips: background to report, reference to Council resolution and communication]

II. Executive Summary and Recommendations

[summary of recommendations here; the following is a list of some possibilities arrived at during the writing of the report]

There is a lack of advice on appropriate security guidance and standards for organisations wishing to set up e-business applications in Europe. This not only inhibits growth but may lead to the development of non-interoperable ad-hoc services.

- The Commission should consider the development of a “framework for e-business” identifying preferred security technologies and corresponding standards for organisations wishing to implement e-business solutions in Europe.

Home users in particular may be unaware of the need for PC-based software to be resistant to attack. Developers of application software will be disinclined to build in resistance for commercial reasons. In a global e-business environment this could increase the spread of malicious software such as computer viruses. (Section VIII)

- The standardisation bodies should consider the possibility of developing a “kite mark” scheme for “safe” application software for e-business use.

- The Commission should encourage the development of effective, inexpensive, easy to use security products (for instance encryption software) for the home user. Internet Service Providers should be encouraged to provide security products (such as anti-virus software) and training/awareness services.

Civil liberties concerns and general public anxiety about the possible health risks resulting from their use will hamper the use of biometrics for authentication. (Paragraphs 40 onwards)

- The Commission should sponsor research to investigate and assess the health risks resulting from long-term use of biometric-based authentication methods.

- National governments should develop guidelines on the recording and storing of biometric records in relation to civil liberties.

There is a lack of authoritative information, best practice and standards available to enable potential users to make informed decisions on the selection and deployment of biometric-based authentication solutions. (Paragraph 40 onwards)

- The standards bodies should develop a “best practice” document for biometrics usage.



- The standards bodies should review the activities of the various biometrics working groups with a view to proposing the development of official standards for performance testing, evaluation methodology, protection profiles (under the Common Criteria standard), APIs and templates.

The increasing diversity of networks (e.g. Internet, Virtual Private Networks, wireless LANs, 3G) will inevitably raise interoperability problems as global e-business expands. It is likely that a specific transaction may need to utilise a number of different protocols in its path. Thus it is crucial that the various protocols (including security-related ones) are interoperable in order to maintain the integrity and confidentiality of the data over the communications path. (Section III)

- Standardisation bodies should develop security-related interoperability standards for communications protocols.

The growth of a global e-business environment will be facilitated by the availability of interoperable PKI products. At the current time there are many commercial PKI products available but many of these are not interoperable with other products. (Paragraph 128)

- The standards bodies should define what features of PKI systems are necessary to provide interoperability and work with product suppliers to develop specifications and standards to provide the necessary interoperability.

There are several “standards” for digital signature products. In general products conforming to one standard do not interoperate with products conforming to another standard. Users unfamiliar with digital signature technology should not be expected to decide which standard to use on a specific occasion. (Paragraph 113)

- The standards bodies should identify a preferred set of digital signature standards. Suppliers of e-business applications should be encouraged to support each preferred standard transparently as far as the end user is concerned. E-business service providers should provide users of the service with access to a preferred digital signature product.

The uptake of global e-business will be inhibited by the lack of harmonisation of standards for Trust Service Providers. (See chapter C of Part X)

- [Need some input here from the group working on this as to what they might like included (if anything).]



III. Scope

2. Network and Information Security is defined in COM(2001) 298 as:

“the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions. Such events or actions could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data as well as related services offered via these networks and systems”


3. This report considers Network and Information Security in the context of the security issues arising in global e-business, where e-business is defined simply as any normal commercial transaction that is carried out electronically. The report does not address all aspects of network security but essentially those that relate to the user of e-business services. To help understand the scope, reference should be made to the security architecture described in the ITU report COM 17 - D29, Security Architecture for Systems Providing End-to-End Communications. In essence this report addresses those security issues arising in the “End User Plane” as defined in the ITU report.

4. Typical transactions arising in e-business will include invoicing, ordering, payment etc. Other forms of activity, though not strictly commercial, will have similar security issues. A prime example is mobile health care (“e-health”), where the security of communications is paramount in order to protect the privacy of patients. This report does not address the requirements of e-health in detail but appropriate references are made at various points in the report.

5. The emphasis in the report is on the use of IP-based networks. However, reference is also made to the use of Virtual Private Networks, wireless LANs and 3G networks since it is likely that a specific e-business transaction may utilise one or more of these types of networks. Thus it is crucial that the various protocols (including security protocols) are interoperable in order to maintain the integrity and confidentiality of the data over the communications path.


6. Network and Information Security has to take account of legal issues and policy (e.g. data protection), law enforcement (e.g. cybercrime) and telecommunications technology. The following chart, extracted from COM(2001) 298, illustrates this in diagrammatic form:

[Figure: diagram from COM(2001) 298 relating Network & Information Security, CyberCrime and Data Protection / Telecomm Framework; labels in the figure: Hacking, ID Theft, Intrusion, Data Retention]
7. This document does not deal in detail with legislative issues; the reader is referred to ETSI Technical Report 336, which provides further information on this subject.



IV. References

8. The following references were consulted during the preparation of this report:

a. Council Resolution of 28 January 2002: On a common approach and specific actions in the area of network and information security;

b. Communication of the European Communities, COM(2001) 298: Network and Information Security: Proposal for A European Policy Approach;

c. e-Government Strategy Framework Policy and Guidelines, Version 4.0, September 2002, issued by the UK Office of the e-Envoy;

d. APEC-TEL Information Systems Security Standards, developed for the APEC Telecommunications and Information Working Group (APEC-TEL) by Standards New Zealand;

e. OECD Guidelines for the Security of Information Systems and Networks;

f. Glossary of IT Security Terminology, SD 6, SC27 N2776, issued by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC);

g. COM - D79, Study Group 17, Security Architecture for Systems Providing End-to-End Communications;

h. ETSI Technical Report 336, Telecommunications Management Network (TMN); Introduction to standardising security for TMN.

9. Further information was obtained from the web sites of various organisations, notably the European Telecommunications Standards Institute (ETSI) and the European Committee for Standardization (CEN).


V. Definitions and Abbreviations


Definitions




Abbreviations



VI. Background

10. This report has been developed in the context of eEurope 2002, an initiative launched by the European Commission for an Information Society for All that also addressed security and trust in electronic business (e-business) carried out over private or public networks (including the Internet). Part of the aim of the initiative is to facilitate the growth of electronic business in the European Community.

11. It is clear that the provision of a secure and trustworthy infrastructure for carrying out electronic business in “cyberspace” will encourage its growth in Europe. This requires that all parties in an e-business environment take responsibility for putting in place effective security measures to convince the end user that doing business in this way in Europe is not only efficient but also secure. In view of the fact that e-business transactions traverse national boundaries and, where the Internet is concerned, the communications path is unpredictable, the end user must also be sure that security measures conform to common standards and, where necessary, meet the requirement for interoperability.



VII. Aims of this Report

12. The overall aim of this report is to make recommendations for a series of supportive actions to be carried out by various bodies with the ultimate aim of facilitating the growth of e-business within a European environment and beyond. Appropriate actions include the development of new standards and frameworks, adoption of standards, awareness campaigns and other actions that support the overall aims of COM(2001) 298.

13. Recommendations are set out in the form of an action (e.g. development of a standard, commissioning a piece of research) to be carried out by a target (e.g. a standardisation body, a government) on a specific topic (e.g. e-signatures, biometrics).

14. The term “standard” in this report is used to refer both to standards issued by the recognised standards bodies (often known as “formal standards”, although not all undergo a full process as such) and those issued by open or closed industry standards consortia, academic interests, etc. (often known as “informal” standards). It is also used to refer to “best practice” consensus-based documents that contribute to Network and Information Security.

15. In order to achieve this aim the report identifies existing relevant standards that contribute to Network and Information Security and support the requirement for interoperability in a global e-business environment. The report seeks to identify conflicts and overlaps between existing standards and to highlight gaps in the standards spectrum. It also identifies development activity being carried out by groups outside the official standardisation bodies that may result in the development of suitable standards.



VIII. User Requirements

16. The recommendations proposed by this report are based upon a consideration of the security requirements of various classes of potential users of e-business services. The user classes are Home Users, Small to Medium Enterprises (SMEs) and Large Organisations and Industries.


Home Users

17. The home user typically has a single PC and will use either dial-up over public switched telephone networks (PSTNs) or broadband facilities to access an e-business service provider. The Home User’s requirements are as follows.

a. Many home users will be unfamiliar with computer security and would benefit from the availability of guidance in the form of security checklists. These could be made available by product suppliers, Internet Service Providers (ISPs) and e-business service providers.

b. The e-business services will protect the integrity and confidentiality of personal information when it leaves the user’s personal computer. The expectation is that the ISPs and the e-business service providers should provide this assurance.

c. Effective, inexpensive (or free) security products will be available to protect personal information stored on the home PC. These products will be easy to use (ideally “transparent” to the user) by non-computer experts and will counter the threat of hacking and virus attacks. The onus here is on the product suppliers.

d. Application software to support the home user (e.g. PC operating systems, word processing packages, spreadsheet packages etc.) should be resistant to attack. Manufacturers of software for home systems should be responsible for ensuring that this is the case and for providing guidance on the safe operation of their systems.

18. It is envisaged that there will be significant growth in the use of microprocessor-based control for domestic systems and an increasing number of home workers requiring access to office-based systems. This will lead to a requirement for standards for communications protocols (e.g. to provide connection from home-based workstations and networks to wide area networks providing global connectivity). Many microprocessor devices in the home will become accessible from the Internet and thus vulnerable to attack. Because, in many cases, they operate independently of human input, the establishment of automatic and remote methods of protection is necessary, together with codes of practice and standards that underpin them. Since the average home owner will be entirely ignorant of network security, this should be regarded as a major area of concern for Network and Information Security.

19. A significant amount of work has already been carried out on behalf of the UK Department for Trade and Industry (DTI) (“The Application Home Initiative”). A copy of the report, including recommendations for standards, is available from the DTI, The Application Home Initiative (www.theapplicationhome.com) or from Telemetry Associates Ltd., Church Farm Barn, Rickinghall, Diss, Norfolk, UK IP22 1EC.


SMEs

20. The SME user will typically be an organisation with a small number of employees (typically up to 50). An example is an organisation that uses an Internet-based trading service to source raw materials or office supplies. The SME will generally have a Local Area Network providing connectivity to e-business services via a public network. The SME requirements are as follows.

a. In some cases the SME may be unfamiliar with computer security and in consequence may benefit from the supply of guidance material as described in paragraph 17.a.

b. The SME will also expect that the ISP and the e-business supplier will protect the confidentiality and integrity of both personal and commercially sensitive data when it leaves the domain of the SME.

c. The SME will expect that effective security products will be available to protect personal and commercially sensitive information stored on the internal network. These products should be easy to use (ideally “transparent” to the user) by non-computer experts and will counter the threat of hacking and virus attacks which could affect the availability of the SME system. SME information and systems may also be subject to legal requirements such as Data Protection or the Computer Misuse Act.

Large Organisations and Industries

21. The large organisation user will typically have multiple sites, possibly in several countries. It will normally have a large range of e-business partners including commercial suppliers, banks, government organisations and Trusted Third Parties (e.g. Certification and Registration Authorities). The organisation will have large numbers of networked workstations and may make use of Virtual Private Networks (VPNs). The Large Organisation requirements are as follows.

a. Most large organisations will be aware to a greater or lesser extent of the need for adequate security. However, they may not have sufficient specialist security resources to formulate and operate a security regime. Consequently they may need advice/guidance/standards on security policies, risk assessments and the like. Because their business may involve multiple sites in several countries they will require global standards in order that their business runs effectively.

b. Their main requirements will be similar to those of SMEs as set out in paragraphs 20.b and 20.c.


22. The security requirements outlined above must be met by the users themselves or by the providers of the e-business service. Providers of e-business services include SMEs, large organisations, Internet Service Providers and Trusted Third Parties (e.g. certification authorities, registration authorities, suppliers of cryptographic services). The report addresses these requirements in the light of COM(2001) 298 and makes recommendations on whether there is a need to instigate new activities in standardisation and related areas. However, it must be emphasised that equipment in the home that is accessed across the Internet by service providers and other applications is uniquely vulnerable; the home-owner may well be unaware of any risk and must be protected.

IX. General Threats to Network and Information Security


23. The e-business service must meet certain security objectives in order to protect the assets of the service and to ensure the availability of the service. The assets of the service are:

a. The data of organisations and citizens using the e-business service.

b. The assets of the e-business service itself (e.g. systems, networks, information).

c. Data and remote control information sent to networked home-based equipment and systems.

d. User authentication credentials.

24. The security objectives are:

a. Authenticity. The property that the identity of a user of the e-business service is reliably verified.

b. Confidentiality and Privacy. The property that information relating to users of the e-business service is not made available or disclosed to unauthorised users.

c. Integrity. The property that information within the e-business service is not unknowingly altered or destroyed.

d. Accountability. The property that a specific action can be traced uniquely to an individual.

e. Availability. The property that the functions and information of the e-business service are accessible and usable by an authorised user.


25. The threats to the assets of the e-business service are summarised in the Commission’s communication as follows:

a. Electronic communication can be intercepted and data copied or modified. This can cause damage both through invasion of the privacy of individuals and through the exploitation of data intercepted.

b. Unauthorised access into computers and computer networks is usually carried out with malicious intent to copy, modify or destroy data and is likely to be extended to systems and automatic equipment in the home.

c. Disruptive attacks on the Internet have become quite common and in future the telephone network may also become more vulnerable.

d. Malicious software, such as viruses, can disable computers, delete or modify data or reprogram home equipment. Some recent virus attacks have been extremely destructive and costly.

e. Misrepresentation of people or entities can cause substantial damages, e.g. customers may download malicious software from a website masquerading as a trusted source, contracts may be repudiated, confidential information may be sent to the wrong persons.

f. Many security incidents are due to unforeseen and unintentional events such as natural disasters (floods, storms, earthquakes), hardware or software failures, and human error.

26. These threats may be distilled into the following technical descriptions as set out in ETSI Technical Report No. 336:

a. Masquerade (“spoofing”): The pretence of an entity to be a different entity. This may be a basis for other threats like unauthorised access or forgery.

b. Unauthorised access: An entity accesses data in violation of the security policy in force.

c. Eavesdropping: A breach of confidentiality by unauthorised monitoring of communication.

d. Loss or corruption of information: The integrity of (transferred) data is compromised by unauthorised deletion, insertion, modification, reordering, replay or delay.

e. Repudiation: An entity involved in a communication exchange subsequently denies the fact.

f. Forgery: An entity fabricates information and claims that such information was received from another entity or sent to another entity.

g. Denial of service: An entity fails to perform its function or prevents other entities from performing their functions.

27. The following table (adapted from ETSI TR 336, see references) shows which security objectives are compromised by the above threats:

Threat                       Authenticity  Confidentiality  Integrity  Accountability  Availability
Masquerade                         X              X             X             X             X
Unauthorised Access                X              X             X             X             X
Eavesdropping                                     X
Loss or Corruption of Data                        X             X             X
Repudiation                        X                                          X
Forgery                                                         X             X
Denial of Service                                                                           X
28. The security objectives may be met by a series of high-level security measures as described in Part X.

X. Security Services, Security Measures and Recommendations for Future Activities



29. This section of the report is structured using an adapted version of the framework devised by the UK government’s Office of the e-Envoy for representing the security requirements in the context of an “e-citizen, e-business, e-government” environment. The following paragraphs explain how this has been done.

30. In order to protect the network and information systems that provide the e-business services, the threats to the security objectives described in part IX must be countered by a number of technical or procedural security measures. These security measures can be grouped under a set of high-level security services. The high-level security services are as follows:


a. Registration and Authentication Services. These services provide the means to ensure that users are uniquely and unambiguously identified and granted access only to those assets for which they have been authorised. The overall security of the e-business services and their assets relies ultimately on the capability to authenticate users of the service.

b. Confidentiality and Privacy Services. These services provide the means whereby e-business information is stored and transferred securely. They also ensure that private information (such as an individual’s medical information) is protected in accordance with legislation such as Data Protection.

c. Trust Services. These services are required to ensure that e-business transactions are properly traceable and accountable to authenticated individuals and cannot be subsequently disavowed. They are the services that enable e-business service providers and e-business clients to make commitments in electronic form.

d. Business Services. These services are required to ensure that the e-business applications are designed, configured and operated in a secure manner and their information assets properly protected against non-malicious threats including accidental failure. E-business applications include the web servers that present the information to the e-business users and the back-office systems that host the applications.

e. Network Defence Services. These services ensure that the physical assets, stored data and other assets of the e-business service are properly protected against malicious attack.

f. Assurance Services. These services are intended to provide the e-business user with confidence that the technical (hardware and software applications) and non-technical (physical, personnel and procedural) security measures provide protection against the assessed risk to the services. That confidence is achieved by ensuring that e-business services have been designed, configured and operated in a manner in accordance with identified standards. The end result of the process is often a statement to that effect in the form of a certificate. Assurance services apply therefore across all the high-level security services defined above.



A. Registration and Authentication Services


31. It is of paramount importance that effective and secure registration and authentication services are put in place in an e-business environment, since registration and authentication represent the “front line” in the defence of the e-business services and data. For the purpose of this report the definitions of “authentication” and “registration” are taken from the UK Government’s e-government Strategy Framework (see references):

Registration. Registration is the process by which a user of the e-business service gains a credential (such as a username or digital certificate) for subsequent authentication. In many cases this will require the potential user to present proof of real-world identity (e.g. a birth certificate or passport) to the registration authority. It includes the case for anonymous or pseudonymous identity (i.e. the holder of the credential is entitled to a service without revealing a real-world identity).

Authentication. Authentication is the process by which the electronic identity of a user (as represented by the credential supplied in the registration process) is asserted and validated by the e-business system to access specific e-business services. In general the authentication process checks that the user is the true owner of the credential supplied during the registration process, by means of a password or biometric for instance.



32. Registration and Authentication Services comprise the following activities:

a. Effective user registration;
b. Effective user identification and authentication;
c. Effective access control;
d. Effective user management.


Security Measures

Effective User Registration


33. The aim of user registration is to ensure that access credentials are only issued to those whose bona fides have been properly established. This is normally achieved by procedural means. In some cases an independent Trusted Service Provider may be involved in operating the registration process.

[1] Note that the use of “certificate” in this context is not the same as a “digital certificate” that is used to prove ownership of a public key.


Effective User Identification and Authentication (ID&A)

34. The aim of User ID&A is to ensure that access to the service is only granted to individuals whose credentials have been validated. It is achieved by the following measures:

a. The asserted credential is verified by a password, biometric or digital certificate. A smartcard may be used to support the authentication mechanism.

b. The use of firewalls, intrusion detection systems (IDS) and penetration testing will help prevent hackers gaining unauthorised access to e-business services.


35. Note that in some cases (notably in health care) it may be necessary to protect the real-world identity of the individual and provide pseudonymous or anonymous identity. MobiHealth is an EU funded project in the IST programme set up to develop new mobile, value added services in e-healthcare, including the identification of appropriate communications security standards (see http://www.mobihealth.org).


Effective Access Control

36. The aim of Access Control is to ensure that access to the services and the information is in accordance with user profiles. Access control may be based on software-based access control mechanisms operating at a service, file or record level and on access permissions held in digital certificates.



Effective User Management

37. The aim of User Management is to control and maintain user profiles in order that e-business service users may access those parts of the e-business service that are necessary to carry out their business requirement. The use of digital certificates may be appropriate to maintain such profiles.


Passwords

38. Username/password combinations are relatively insecure. Passwords are vulnerable to opportunistic attacks (e.g. badly structured passwords may be guessed, passwords may be accidentally disclosed to unauthorised individuals) or directed attacks such as password cracking. Standards have been issued by various bodies providing general guidance on password selection, usage, management and maintenance and are listed in Annex A. Additionally, local guidance has been issued widely by individual organisations and national entities.

39. One-time password systems provide better protection because each password may be used once only. Passwords are typically generated automatically using software. Standards have been issued and are identified in Annex A.
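An added example, not from the report, of the single-use property described in paragraph 39: each password is derived from a shared secret and a moving counter (the HMAC-based construction of RFC 4226 is an assumption; the report does not name a scheme), and the server refuses any counter it has already accepted, so a password that has been used or captured cannot be replayed. The secret value is constructed for the demonstration.

```python
import hashlib
import hmac
import struct

DIGITS = 6       # length of the password shown to the user
LOOK_AHEAD = 5   # how many counters past the last accepted one the server will try


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the one-time password for one counter value (RFC 4226 construction).

    The password is a truncation of HMAC-SHA1(secret, counter); a different
    counter gives an unrelated password, which is what makes each one single-use.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user: the highest counter already accepted."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # nothing accepted yet

    def verify(self, candidate: str) -> bool:
        # Only counters strictly above the last accepted one are tried, so a
        # password that was already used (or captured in transit) is rejected
        # even though it was once correct. The look-ahead window tolerates a
        # client that generated a few passwords without submitting them.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through accept, replay, resynchronisation and out-of-window cases."""
    secret = b"constructed-demo-secret"  # constructed sample, not a real shared secret
    server = OtpVerifier(secret)
    first_pw = hotp(secret, 0)
    return {
        "first_use": server.verify(first_pw),              # fresh password: accepted
        "replay": server.verify(first_pw),                 # same password again: rejected
        "next": server.verify(hotp(secret, 1)),            # next counter: accepted
        "skipped_ahead": server.verify(hotp(secret, 4)),   # within look-ahead: accepted
        "too_far_ahead": server.verify(hotp(secret, 10)),  # beyond the window: rejected
    }


if __name__ == "__main__":
    print(demo())
```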



Biometrics

40. At face value biometrics seem to offer a foolproof way of authenticating an individual. However, they do have specific vulnerabilities. Biometric-based authentication systems need to allow for day-to-day changes in a biometric. A “margin of error” is necessary so that day-to-day variations in an individual’s offered biometric do not cause an authorised user to be rejected because the offered biometric does not match exactly with the stored biometric template. However, this margin of error may allow an unauthorised user to gain access to the system.

41. Thus a compromise must be found between performance (measured by the percentage of genuine users rejected by the system) and security (measured by the percentage of unauthorised users accepted by the system).
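The performance-versus-security trade-off of paragraphs 40 and 41 worked through on constructed matcher scores; this is an added example, not part of the report, and the score values, the threshold grid and the tolerance limit are assumptions. Raising the acceptance threshold narrows the margin of error, lowering the false acceptance rate (security) at the cost of a higher false rejection rate (performance).

```python
from typing import List, Optional, Tuple

# Constructed matcher scores: similarity in [0, 1] between a freshly captured
# sample and the stored template. "Genuine" scores come from the template's true
# owner on different days; "impostor" scores come from other people. Real
# evaluations use thousands of each; ten apiece is enough to show the trade-off.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.93, 0.70, 0.84]
IMPOSTOR_SCORES: List[float] = [0.35, 0.52, 0.61, 0.48, 0.72, 0.40, 0.58, 0.66, 0.30, 0.79]

Row = Tuple[float, float, float]   # (threshold, FRR, FAR)


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """FRR = share of genuine users rejected (performance); FAR = share of impostors accepted (security).

    A sample is accepted when its score reaches the threshold, so the threshold
    is the dial that sets the margin of error.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(genuine: List[float], impostor: List[float], steps: int = 20) -> List[Row]:
    """Evaluate both rates at thresholds 0, 1/steps, ..., 1."""
    rows: List[Row] = []
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        rows.append((round(t, 3), frr, far))
    return rows


def equal_error_point(genuine: List[float], impostor: List[float], steps: int = 20) -> Row:
    """Threshold where FRR and FAR are closest: the usual one-number summary of a matcher."""
    return min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))


def strictest_usable_threshold(genuine: List[float], impostor: List[float],
                               max_frr: float, steps: int = 20) -> Optional[Row]:
    """Highest threshold (hence lowest FAR) whose FRR stays within what users will tolerate.

    This is the compromise of paragraph 41 made explicit: fix the performance
    limit first, then take as much security as that limit allows. Returns None
    when no threshold on the grid satisfies max_frr.
    """
    usable = [r for r in sweep(genuine, impostor, steps) if r[1] <= max_frr]
    return max(usable, key=lambda r: r[0]) if usable else None


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:9.2f}  {frr:.2f}  {far:.2f}")
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("strictest threshold with FRR <= 20%:",
          strictest_usable_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.2))
```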



42. Other biometric vulnerabilities include mimicry (e.g. of signature or voice) and spoofing (e.g. a fake finger using the residual image left behind on a fingerprint reader).

43. However, biometric-based authentication systems offer some flexibility in use. For instance they can be used in the same way as a password to verify a claimed identity (i.e. one-to-one comparison) or in pure identification mode where an individual asserts his identity simply by presenting a biometric alone (one-to-many comparison).

44. Biometric-based authentication may be used in both positive identification (i.e. similarly to passwords, to prove I am who I say I am) and in negative identification (i.e. to prove I am not who I say I am not).


45. Though there are very few issued standards on biometrics there are numerous groups carrying out activities which could lead to the development of useful standards:

a. ANSI/NIST

i. ITL-2000 Data Format for the interchange of Fingerprint, Facial and Scar Mark/Tattoo.

ii. X9.84 Biometrics Management and Security for the Financial Services Industry. Specifies the security of the physical hardware and the management of the biometrics data throughout the biometric life cycle.

iii. CBEFF Common Biometric Exchange Format. Describes a set of data elements necessary to support biometric technologies independently of application and use (e.g. smart cards, data storage).

iv. Performance Testing Methodology, Assurance, Protection Profiles, Best Practices.

v. BioAPI version 1.1. Application Programming Interface defines a generic way of interfacing to a broad range of biometric technologies. Developed by the BioAPI consortium (comprising approx. 80 biometrics vendors) with the aim of providing cross-platform support.

vi. B10.8/AAMVA. Driving Licenses and Identification. Format for fingerprint minutiae on Driving Licenses.


b. ISO/IEC/JTC1/SC17 has a series of work groups working on various aspects of biometric-based authentication:

i. WG1 Physical Characteristics of Smart Cards (e.g. location of fingerprint sensor on card)

ii. WG3 Machine readable travel documents

iii. WG4 Smart Cards: ISO/IEC 7816 Personal verification through biometrics

iv. WG10 Motor Vehicle Driver Licenses: Biometrics and Encryption

v. WG11 Biometrics: development of BioAPI and CBEFF (see below) into ISO standards


c. ISO/IEC/JTC1/SC 37 is a working group with the aim of accelerating the development and adoption of biometrics standards such as BioAPI and CBEFF through the ISO process.


d. Other Organisations/Activities

i. Work is also being undertaken widely in Industry (Biometric Consortium), Academia and Government.

ii. In the US the NSA and the DoD carry out research into biometrics. The DoD has established the Biometrics Management Office to ensure the availability of biometrics technologies within the DoD.

iii. In the UK the UK Biometrics User Group, comprising a group of vendors, standards developers and users, is organised by the UK National Technical Authority for Information Security (CESG) and mainly funded by the Office of the e-Envoy. The group includes representatives from the US, Canada and Germany. It is active in developing Performance Standards, Best Practice guidance, Protection Profiles and Common Criteria Evaluation Methodology. It is intended that Protection Profiles and Common Criteria may be issued under the ISO Common Criteria standard in due course. Discussions are taking place with the US Biometrics Office to attempt to rationalise the UK developed Protection Profiles and the US Protection Profiles.

iv. Biovision is an EU funded initiative conceived in Framework 5, the programme being carried out in Framework 6. The aim is to produce a “road map” for Biometrics.

v. The UK National Authority for Infosec is currently working on a method that will allow the “strength” of different authentication technologies (biometrics, passwords and tokens) to be compared.


46. The use of biometrics for authentication is a relatively new technique which potentially offers advantages over traditional authentication techniques, particularly in terms of convenience and some security aspects (e.g. a biometric cannot be stolen or guessed). However, concerns over performance versus security mean that biometrics are generally used in low risk situations. In general, for higher risk situations biometrics may be combined with other authentication technologies (such as passwords, PINs or smart cards) to provide a combined security measure which is commensurate with the assessed risk to the system.

47. There are also general public concerns about the physiological effects of the use of biometrics and civil liberty issues related to the holding of biometrics records by law enforcement authorities.


Digital Certificates

48. A digital certificate contains information in electronic form that identifies the owner of a specific public key. A third party who is trusted by the e-business service provider digitally signs the certificate to prove its authenticity. The user presents the digital certificate to the e-business service and is authenticated by demonstrating possession of the matching private key. A Public Key Infrastructure is generally required to support the distribution, management and maintenance of digital certificates. Digital certificate standards define the format of the certificate and privacy enhancing features. Relevant standards are listed in Annex A.
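The certificate flow of paragraph 48 written out as an added example (not code from the report or from any named standard): a trusted third party signs a binding between a subject name and a public key, and the service authenticates the user by having them sign a fresh nonce with the matching private key, so the private key itself is never sent. The arithmetic is textbook RSA on constructed small primes and the certificate layout is an assumption, not X.509; the names, nonce and key sizes are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA from two primes. Toy sizes only: real keys are 2048+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_mod_n(data: bytes, n: int) -> int:
    # Hash first, then reduce into the RSA group. Real systems apply a padding
    # scheme (PKCS#1) here instead of a bare reduction.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest_mod_n(data, n)


@dataclass(frozen=True)
class Certificate:
    """Binding of a subject name to a public key, signed by the issuing third party."""
    subject: str
    pub: PublicKey
    issuer: str
    signature: int

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}|{self.issuer}".encode()


def issue_certificate(issuer: str, issuer_priv: PrivateKey,
                      subject: str, subject_pub: PublicKey) -> Certificate:
    unsigned = Certificate(subject, subject_pub, issuer, 0)
    return Certificate(subject, subject_pub, issuer, sign(issuer_priv, unsigned.to_be_signed()))


def authenticate(cert: Certificate, trusted_issuer: str, issuer_pub: PublicKey,
                 nonce: bytes, response: int) -> bool:
    """What the e-business service checks when a user presents a certificate.

    1. The certificate must name the third party the service trusts, and its
       signature must verify under that party's public key.
    2. The user must have signed the service's fresh nonce with the private key
       matching the certified public key; only the signature travels, never the key.
    """
    if cert.issuer != trusted_issuer:
        return False
    if not verify(issuer_pub, cert.to_be_signed(), cert.signature):
        return False
    return verify(cert.pub, nonce, response)


def demo() -> dict:
    # Constructed primes, far too small for security; they only keep the maths visible.
    ca_pub, ca_priv = make_keypair(999983, 999979)
    alice_pub, alice_priv = make_keypair(1000003, 1000033)
    mallory_pub, mallory_priv = make_keypair(1000037, 1000039)

    cert = issue_certificate("Demo CA", ca_priv, "alice@example.invalid", alice_pub)
    nonce = b"constructed-nonce-0001"           # a real service picks a fresh one per login

    genuine = authenticate(cert, "Demo CA", ca_pub, nonce, sign(alice_priv, nonce))
    # Someone holding Alice's certificate but not her private key:
    wrong_key = authenticate(cert, "Demo CA", ca_pub, nonce, sign(mallory_priv, nonce))
    # A certificate edited to claim a different subject: the CA signature no longer matches.
    forged = Certificate("admin@example.invalid", alice_pub, cert.issuer, cert.signature)
    tampered = authenticate(forged, "Demo CA", ca_pub, nonce, sign(alice_priv, nonce))
    # A certificate issued by a party the service does not trust:
    self_issued = issue_certificate("Mallory CA", mallory_priv, "alice@example.invalid", mallory_pub)
    untrusted = authenticate(self_issued, "Demo CA", ca_pub, nonce, sign(mallory_priv, nonce))
    return {"genuine": genuine, "wrong_key": wrong_key, "tampered": tampered, "untrusted": untrusted}


if __name__ == "__main__":
    print(demo())
```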


Smart Cards

49. A smart card is a credit card sized token containing a microprocessor enabling it to process and store information, to support single or multiple applications and to operate both off-line and on-line. They may be used as contact cards, where the card and the card reader are in contact during the operation, or contactless cards, where the card and the card reader communicate with each other over a short distance.

50. Smart cards are an important enabler of e-business applications, particularly because they can be used to hold authentication information such as a user’s private key in a PKI scheme or a user’s biometric template. The card may be activated by a user PIN or biometric sample, thus avoiding security issues associated with sending authentication credentials over computer networks. In addition to providing secure access control, smart cards may also be used in a wide variety of other applications such as electronic purses, storage of confidential information and loyalty cards.

51. Though smart cards are vulnerable to physical attacks, these attacks are technologically difficult to mount, so for this reason smart cards do offer secure access control.


52. Many of the standards associated with smart cards are associated with defining the physical design of the card in order to achieve interoperability with card readers. Other standards are application specific and describe how the smart card interacts with the application. See Annex A for issued smart card standards. In addition the following groups are working on smart card activities.

53. CEN has issued a large number of European standards on aspects of smart cards. See Annex A for a full list. The following proposed standards are in development (see the CEN web page www.cenorm.be/isss for the latest status of these documents):




Reference | Title | Comments
CEN pr TS 1332-5 | Identification card systems - Man-machine interface - Tactile identification of applications - embossed symbols for the differentiation of applications of ID1 cards | Working draft to be provided by WG 6
CEN pr TS IOPTA | Identification card systems - Interoperable public transport applications - Ticketing applications | Working draft to be provided by CEN/TC 224 WG 11
CEN pr TS 14062-3 | Identification card systems - Electronic fee collection - Part 3: Application and security aspects | Working draft to be provided by CEN/TC 224 WG 11
CEN pr TS 14062-4 | Identification card systems - Electronic fee collection - Part 4: Test procedures | Working draft to be provided by CEN/TC 224 WG 11
EN ISO/IEC 7810 | Identification cards - Physical characteristics | Revision of EN ISO/IEC 7810:1996 by transposition of the revised edition of the ISO/IEC Standard
EN 13343-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-3 - Part 1: Implementation Conformance Statement (ICS) proforma specification | Formal Vote to be launched
EN 13343-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-3 - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13343-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-3 - Part 3: Abstract test suite (ATS) and implementation for testing (IXIT) proforma specification | Formal Vote to be launched
EN 13344-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 1: Implementation conformance statement (ICS) proforma specification | Formal Vote to be launched
EN 13344-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13344-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 3: Abstract test suite (ATS) and implementation extra information for testing (IXIT) proforma specification | Formal Vote to be launched
EN 13345-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 1: Implementation conformance statement (ICS) proforma specification | Formal Vote to be launched
EN 13345-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13345-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-[part number illegible] - Part 3: Abstract test suite (ATS) and implementation extra information for testing (IXIT) proforma specification | Formal Vote to be launched


54. In addition CEN Technical Committees 224, 251 and 278 are carrying out application specific work on smart cards in the areas of healthcare, transport and people with special needs.


55. CEN/ISSS Workshop FINREAD validated a set of technical specifications produced by a consortium of banking interests for a secure IC card reader for bankcard payments and remote banking services delivered over the Internet and open networks. CEN/ISSS Workshop Embedded FINREAD is now extending the specification to card acceptance devices linked to mobiles, PDAs and set-top boxes. The FINREAD specifications are available from the CEN web site for downloading; see Annex A for details.


56. A new CEN/ISSS Workshop will shortly be announced for European Electronic Authentication, to cover a functional architecture and required IAS (Identification, authentication and electronic signature) characteristics for a European Public Identity using smart cards and other aspects related to multi-application cards and user best practice. This will take the major results of the Smart Card Charter activity and collaborate with similar work in Japan and the US.

57. ETSI is also carrying out a considerable amount of work under the Smart Card Project (EP SCP) approved in March 2000 to replace the SMG Technical Sub-Committee SMG9. EP SCP provides a central focus for the standardisation of a common integrated circuit (IC) card platform for 2G and 3G mobile communication systems. It also enables the participation of companies involved in standardisation work in 3GPP, 3GPP2, GAIT, T1P1, TR45 and other related activities.


58. The main responsibilities of EP SCP are:

- development and maintenance of a common IC card platform for all mobile telecommunication systems;
- development and maintenance of the application independent specifications for the Integrated Circuit Card/Mobile Equipment interface of those telecommunication systems under the responsibility of ETSI;
- development and maintenance of IC card standards for general telecommunication purposes;
- development and maintenance of IC card standards employing advanced security methods for telecommunications applications such as financial transactions over Mobile Telecommunication Networks ("mobile commerce").


59. The main tasks of EP SCP are:

- maintenance of the common platform standards developed by the committee;
- specification of enhancements to the common platform to allow the addition of innovative features and functions;
- specification of generic issues for IC cards for Telecommunications; these include but are not restricted to:
- physical enhancements and specification of new form factors;
- interface enhancements such as new commands and improved speed;
- generic application download and load mechanisms;
- electrical parameters and protocol issues;
- advanced security mechanisms and related protocols;
- advanced functionality for use by applications supported by the common platform standards;
- specifications for the use of low voltage technology for telecommunications cards;
- enhancement of the existing specification ETSI TS 102 222 for administrative commands;
- elaboration and maintenance of IC card related test specifications for the common platform in collaboration with the respective groups of 3GPP and other mobile smart card specification bodies;
- identification and investigation of the standardisation of application features such as ME personalisation, PLMN selectors, access technology selectors and a common phonebook (Telecom Directory);
- identification and investigation of new features and functionalities such as transmission enhancements and the use of databases.



60. SCP has established direct liaisons with the relevant bodies of all committees involved in elaborating the common platform. In particular, SCP has direct liaisons with ETSI TC SEC, which is involved in the specification of security matters. In addition, SCP has liaison with CEN TC224. Other liaisons with regional and national bodies remain to be identified. For further information on SCP liaison activities see: http://webapp.etsi.org/Forawatch/HOME.ASP?TB=534&FIND=SEARCH_TB

61. SCP has established 3 working groups (SCP WG1-3) to progress its work on smart cards. Further information on their terms of reference can be found at the above address.


62. ETSI has also published numerous specifications regarding authentication for mobile telephony. Annex A contains a list of these specifications. The specifications may be downloaded from the ETSI web site (www.etsi.org).

63. Annex A contains a list of current ETSI specifications and current work items.

64. The eEurope Smart Card (eESC) is an activity that was launched by the European Commission in 1999 in response to the eEurope initiative. The aim of eESC is to accelerate the development of smart cards across Europe as the preferred method of access control to information society services. The activity is industry-driven but membership is open to developers and potential users of smart card based applications. The eESC have produced a set of Common Specifications with the aim of achieving an interoperable European smart card infrastructure based upon existing standards and workshop agreements, including:

a. ETSI/CEN Joint Workshops EESSI
b. ISSS Workshops eURI, FASTEST
c. FINREAD and Embedded FINREAD
d. Common Criteria for smart card security
e. NICSS Documents
f. US NIST GSC documents.


65. A full list of eESC documents extracted from the eESC web site is contained in Annex A. More details on eESC can be found at www.eeurope-smartcards.org.



66. The Personal Computer Smart Card workgroup, comprising Groupe Bull, Hewlett Packard, Microsoft, Schlumberger and Siemens Nixdorf, has developed a specification to facilitate interoperability in a PC environment. The specification is in eight parts as follows:

a. Part 1, Introduction and Architecture Overview
b. Part 2, Interface Requirements for Compatible Smart Cards and Interface Devices
c. Part 3, Requirements for PC-Connected Interface Devices
d. Part 4, IFD Design Considerations and Reference Design Information
e. Part 5, ICC Resource Manager Definition
f. Part 6, ICC Service Provider Definition
g. Part 7, Application Domain/Developer Design Considerations
h. Part 8, Recommendations for Implementation of Security and Privacy ICC Devices.


67. The Smart Card Alliance is a US/European association of various organisations including representatives from government and from the finance, computing and telecommunications, healthcare, retail and entertainment sectors. The alliance’s aim is to encourage the use of smart cards through education programs, market research, advocacy and open forums (see www.smartcardalliance.org).

68. Eurosmart is a joint project between Europe and Japan with the aim of reinforcing co-operation between Europe and Japan. In particular it has developed a series of specifications for electronic purse applications, a glossary of smart card security terms and a set of Common Criteria protection profiles for smart cards (see www.eurosmart.com).



69. A working group consisting of Europay International, Mastercard and Visa (EMV) has issued a series of specifications for smart cards and smart card terminals. These include aspects such as public key security, secure messaging and data authentication. The specifications are covered in the documents Integrated Specifications for Payment, comprising:

a. Part 1: Electromechanical Characteristics, Logical Interface, and Transmission Protocols, EMV 1996
b. Part 2: Data Elements and Commands, EMV 1996
c. Part 3: Transaction Processing, EMV 1996
d. Part 4: Integrated Circuit Card Terminal Specification, EMV 1996.


70. Visa and Mastercard International have also issued the joint specification for Secure Electronic Transaction (SET). SET specifies the use of message encryption, digital signatures and cryptographic certificates to provide confidentiality, integrity and authentication services using RSA cryptography.

71. The European Committee for Banking Standards (ECBS) has developed guidance in the form of technical reports (generally based upon existing European or International standards) on secure banking over the Internet. See www.ecbs.org for details.

72. ISO/IEC JTC1 SC25 WG1 is starting to work on a standard for aspects of security as they impinge on the home-based user of home electronic systems and equipment. Input to the sub-group that will be developing this standard will be welcomed.

Recommendations



B. Confidentiality and Privacy Services

73. Confidentiality services provide the means by which sensitive information held on or transmitted from e-business systems is prevented from being disclosed to individuals not authorised to see it. This includes information that may be sensitive at a national level (e.g. national security), at a corporate (e.g. commercial) level or appertaining to a specific individual (privacy).

74. Unauthorised disclosure can cause damage both through invasion of the privacy of individuals and through the exploitation of data intercepted. It may also be subject to statutory requirements such as Data Protection or Human Rights legislation, or legislation associated with national security such as Lawful Interception. ETSI has issued a series of technical papers through Technical Committee U on aspects of Lawful Interception and work is also being undertaken in Technical Subgroups such as SPAN, TETRA, TIPHON and 3GPP. A list of completed documents can be found in Annex A.


Security Measures

75. The aim of Confidentiality services is to prevent the disclosure of sensitive information stored within the e-business services or in transit over networks to individuals not authorised to receive the information.

76. The aim of Privacy services is to ensure that private data appertaining to an individual (such as medical or financial data) is protected in accordance with data protection legislation. Note that in some cases it may be necessary to provide protection for many of the transaction fields including identity, origin, destination etc. See www.mobihealth.org.

77. The security measures that support confidentiality and privacy are mainly predicated upon effective access control functions and consequently are the same as those for authentication (see section A). This section of the report deals with additional measures over and above those for authentication.


78. The additional security measures required are:

a. The use of encryption to control access to stored or transmitted data.

b. An effective object re-use procedure to prevent the accidental release of sensitive information to unauthorised individuals.


Encryption

79. Encryption may be used to protect information stored within the systems providing the e-business services and the end user systems. It may also be applied at various levels in the networking infrastructure to protect transmitted information.


Encryption of stored information

80. There are many stand-alone low cost (or free) PC-based products available for encrypting stored information. Unfortunately these are often difficult to use for the non-technical user. Documentation is generally poor and there is a lack of information on issues such as key management. Stand-alone systems may be based upon symmetric key techniques involving the end-user in key generation and distribution. More efficient products are based upon a mixture of symmetric encryption for bulk encryption supported by asymmetric (public key) encryption for transfer of keys. Many products also require the recipient to have the same or a compatible product installed on his system. In some cases encryption features are included in application products such as word processing packages.

81. Some of the more sophisticated (and expensive) products are supported by a Public Key Infrastructure to provide for the maintenance and distribution of key material. However, in general these products are considered too expensive for the home user.


Electronic mail encryption

82. The de-facto standard for defining the content, format and capabilities of electronic mail is the Multipurpose Internet Mail Extensions (MIME) specification. MIME enables the encryption of messages and multi-media attachments. Secure MIME (S/MIME) adds security to email messages using the MIME standard. Messages are encrypted using symmetric encryption but use an asymmetric (public key) mechanism for key exchange. Note that S/MIME also provides a digital signature using a public key mechanism. S/MIME utilises the X.509 certificate standard for the provision of a certificate hierarchy. The S/MIME standard is defined in RFC 2633 (see APEC 6.1.132).

83. S/MIME supports the Data Encryption Standard (DES), Triple DES and RC2 for symmetric encryption and the Rivest, Shamir, Adleman algorithm (RSA) for public key encryption.

84. Other proprietary specifications such as Pretty Good Privacy (PGP) are also widely used but are not yet regarded as official standards. The main issue surrounding the use of products such as PGP is a lack of interoperability with other encryption products.


Network Encryption

85. The industry standard network layer protocol for Ethernet networks and the Internet is the Internet Protocol (IP) standard. IP is a packet switching protocol providing for the fragmentation, routing and re-assembly of packets.

86. The industry standard transport layer protocol for Ethernet and the Internet is the Transmission Control Protocol (TCP). TCP adds reliable communication, flow control, multiplexing and connection-oriented communication to the IP services. TCP is used to communicate between client and server in a client/server environment and supports applications such as Web services, electronic mail and file transport.


87.

Transport Layer Security Protocol (TLS) was developed by the Internet
Engineering Task Force (IETF) to provide encrypted communications on the
Internet. TLS is based upon the proprietary product Secure Sockets Layer
developed by Netscape. SSL/TLS prov
ides transport layer communications
security by encrypting the content of a TCP connection between two end points in
a network. It may be used to provide security for use with protocols such as
Simple Mail Transfer Protocol (SMTP), Post Office Protocol (PO
P3) and
Lightweight Directory Access Protocol (LDAP) but it is mainly used to provide
security between web browsers and web servers. TLS/SSL also allows sessions
that are not encrypted but are authenticated and proof against tampering.


88.

TLS/SSL has the advantage of being present in most of the common web browsers
on the market. However, it should be borne in mind that it only provides
security between the TCP endpoints of a connection: it does not protect stored
data, it does not provide application level security, and its protection ends
at any intermediary (such as a proxy) that terminates the connection. TLS 1.0 is
defined by the IETF in RFC 2246. Note that ISO/IEC 10736 (see APEC, section
4.1.8) specifies a different transport layer security protocol for the OSI
transport service and is not the IETF TLS standard.



89.

IPsec is a security architecture developed by the IETF for securing the
transmission of data across IP based networks. It may be used in Transport
mode, where only the data part of the transmitted packet is protected (i.e. the
original IP header, and hence the routing information, is sent in clear), or in
Tunnel mode, where the whole original packet, including its IP header, is
encrypted and carried inside a new outer IP packet. The latter, Tunnel mode, is
widely used as the mechanism for creating IP based Virtual Private Networks
(VPNs) between security gateways. However, the only encryption algorithm that
the IPsec standard requires implementations to support (ESP, RFC 2406) is
single DES; pending the adoption of the new Advanced Encryption Standard (AES),
this means that products offering nothing stronger than DES are vulnerable to
brute force attacks on the 56-bit key, and Triple DES (RFC 2451) should be
selected where available. The IPsec standard is described in RFC 2401: Security
Architecture for the Internet Protocol (see APEC 6.1.76).
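The difference between the two modes is easiest to see on the wire. The following Python script is an added worked example (it is not part of the report and is not taken from any IPsec implementation): it builds an ESP packet in the RFC 2406 layout in Transport mode and in Tunnel mode and shows what an observer on the path can and cannot read. The cipher is a stand-in keystream derived from SHA-256 so that the script runs on the Python standard library alone; the addresses, SPIs and the TCP payload are constructed for the example.

```python
"""Transport-mode versus tunnel-mode ESP framing (added example, stdlib only).
The keystream below is a stand-in, NOT an IPsec cipher; real ESP negotiates a
block or AEAD cipher such as AES."""
import hashlib
import hmac
import struct

ESP_PROTO = 50    # IP protocol number for ESP
TCP_PROTO = 6
IPIP_PROTO = 4    # "next header" for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12      # truncated HMAC length used by IPsec authenticators


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split(".")))


def parse_ipv4_header(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": f[6], "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9]))}


def keystream(key, nonce, length):
    """Stand-in stream cipher: SHA-256 in counter mode, keyed per packet."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key, auth_key, spi, seq, plaintext, next_header):
    """RFC 2406 layout: SPI | Seq | E(payload | pad | padlen | next_hdr) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # ESP needs 4-byte alignment
    trailer = plaintext + bytes(pad_len) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)           # unique per packet on an SA
    ct = bytes(a ^ b for a, b in zip(trailer, keystream(enc_key, header, len(trailer))))
    icv = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Verify the ICV before decrypting; returns (payload, next_header)."""
    header, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    trailer = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, header, len(ct))))
    pad_len, next_header = trailer[-2], trailer[-1]
    return trailer[:len(trailer) - 2 - pad_len], next_header


def transport_mode(enc_key, auth_key, src, dst, tcp_segment, seq=1):
    """Transport mode: the host's own IP header stays in clear; only the
    TCP segment is encrypted and authenticated."""
    esp = esp_encapsulate(enc_key, auth_key, 0x1001, seq, tcp_segment, TCP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(enc_key, auth_key, gw_src, gw_dst, inner_packet, seq=1):
    """Tunnel mode: the whole inner packet, header included, is encrypted and
    carried behind a new outer header naming only the two security gateways."""
    esp = esp_encapsulate(enc_key, auth_key, 0x2002, seq, inner_packet, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def observer_view(packet):
    """What an on-path observer without the keys can read from the packet."""
    view = parse_ipv4_header(packet)
    view["len"] = len(packet)
    return view


def visible_in_clear(packet, needle):
    return needle in packet


if __name__ == "__main__":
    ek, ak = b"\x01" * 16, b"\x02" * 16                 # constructed SA keys
    seg = b"\x00\x50\x1f\x90GET / HTTP/1.0\r\n"          # constructed TCP segment
    t = transport_mode(ek, ak, "10.0.0.5", "10.0.1.7", seg)
    inner = ipv4_header("10.0.0.5", "10.0.1.7", TCP_PROTO, len(seg)) + seg
    u = tunnel_mode(ek, ak, "192.0.2.1", "198.51.100.1", inner)
    print("transport:", observer_view(t), "payload visible:", visible_in_clear(t, b"GET"))
    print("tunnel:   ", observer_view(u), "inner hosts visible:",
          visible_in_clear(u, b"\x0a\x00\x00\x05\x0a\x00\x01\x07"))
```

The transport-mode packet still names the communicating hosts in its outer header, which is why it suits host-to-host use; the tunnel-mode packet names only the gateways and hides the internal addresses, which is what a site-to-site VPN needs. The ICV is checked before decryption, so a tampered packet is rejected rather than decrypted.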


90.

Note that the current protocol standard for IP networks, IPv4, is expected to
run out of address space in the near future. Its successor, IPv6, will resolve
the address space issue and supports IPsec natively.


91.

ETSI SAGE (Security Algorithms Group of Experts) is a task force with
responsibility for standardisation in the areas of cryptographic algorithms,
fraud prevention, unauthorised access to private and public telecommunications
services and privacy of user data. In particular SAGE has recently delivered
algorithm specifications (the f8 confidentiality and f9 integrity algorithms,
built on the KASUMI block cipher) to the Third Generation Partnership Project
(3GPP) for the protection of confidentiality and integrity of information
transmitted over the Universal Mobile Telecommunications System (UMTS).


92.

The increasing use of voice over IP may introduce security concerns resulting
from the unmanaged and unpredictable nature of voice traffic. ETSI has
established the TIPHON (Telecommunications and Internet Protocol Harmonisation
over Networks) group in order to establish standards for voice over IP
networks.


93.

The project's objective is to support the market for voice communication and
related voiceband communication (such as facsimile) between users. It will
ensure that users connected to IP based networks can communicate with users in
Switched Circuit Networks (SCNs, such as PSTN/ISDN and GSM) and vice versa, as
well as between users in SCNs where IP-based networks are used for
connection/trunking between the SCNs involved.


94.

The support comes in the production of appropriate ETSI deliverables: technical
specifications and reports. In addition, the activity will include validation and
demonstrations, in order to confirm the appropriateness of the solutions proposed.


95.

Given the universal nature of IP networks, the prime goal is to produce global
standards. As ETSI is essentially a European body, it recognises that
co-operation with relevant groupings in ITU-T and IETF is necessary. ETSI
specifically believes that it has a role in opinion leadership and in helping
to build consensus between all the major market players. The Institute
co-operates closely with relevant Fora, especially the IMTC VoIP Activity
Group.


96.

The following workshop themes have been identified:

- Requirements for service interoperability, technical aspects of
  charging/billing and security;

- Architecture and reference configurations;

- Call control procedures, information flows and protocols;

- Naming, Numbering and Addressing;

- Quality of Service;

- Verification and Demonstration Implementation.


97.

A major issue for the future of network security is the potential use of many
communications protocols (e.g. IP, short range wireless such as Bluetooth,
mobile telephony) within a single transaction. Security will need to be both
effective and user transparent over the whole transaction path: each link may
be protected by a different mechanism, and an unprotected hop, or a gateway
that decrypts and re-encrypts with the data exposed in between, is the weak
point. There is a requirement for the standardisation bodies to develop
interoperability standards which will facilitate the security of transactions
over multiple protocols.



Object Re-use Policy


98.

An object re-use policy should be in place to prevent the inadvertent release
of sensitive information to unauthorised individuals. This applies to
unauthorised individuals within the e-business environment (i.e. in the domain
of the e-business supplier or within the domain(s) of e-business users). In
most cases the threat will arise if workstations or computers or magnetic media
(e.g. floppy discs, tapes, CD ROMs) are released for disposal, but it also
arises whenever storage (disk blocks, memory pages, swap space) is reallocated
from one user or process to another without first being cleared. Disclosure of
sensitive information may be subject to data protection legislation.


99.

The use of secure physical disposal procedures and/or the use of reputable
software based data erasure products are appropriate measures against this threat.
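As an added illustration of the object re-use threat in paragraphs 98 and 99 (this is example code, not part of the report and not any vendor's product), the following Python script models a block store with an allocation table. Releasing a block without overwriting it leaves the previous owner's data readable by the next user to whom the block is allocated, and leaves it recoverable from the raw medium; a store that sanitises on release does neither. The block store, the users and the secret record are constructed for the example.

```python
"""Object re-use: freed storage must be sanitised before it is reallocated
(added example; the 'disk' is a constructed in-memory block store)."""

BLOCK = 16   # bytes per block in the constructed block store


class BlockStore:
    """Fixed-size blocks plus an allocation table. sanitise_on_release decides
    whether a freed block is overwritten before it can be handed to anyone else."""

    def __init__(self, nblocks, sanitise_on_release):
        self.disk = bytearray(nblocks * BLOCK)
        self.free = list(range(nblocks))
        self.owner = {}
        self.sanitise_on_release = sanitise_on_release

    @staticmethod
    def _span(b):
        return slice(b * BLOCK, (b + 1) * BLOCK)

    def allocate(self, user, n):
        """Hand n blocks to a user without writing them (like extending a file).
        Whatever the blocks held before is now readable by the new owner."""
        if len(self.free) < n:
            raise MemoryError("no free blocks")
        blocks = [self.free.pop(0) for _ in range(n)]
        for b in blocks:
            self.owner[b] = user
        return blocks

    def store(self, user, data):
        """Write data for a user; returns the blocks it occupies."""
        blocks = self.allocate(user, -(-len(data) // BLOCK))
        for i, b in enumerate(blocks):
            self.disk[self._span(b)] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
        return blocks

    def read(self, user, b):
        """Access control is enforced on ownership, not on content history."""
        if self.owner.get(b) != user:
            raise PermissionError("block %d not owned by %s" % (b, user))
        return bytes(self.disk[self._span(b)])

    def release(self, user, blocks):
        """Return blocks to the free list; released blocks are reused first."""
        for b in blocks:
            if self.owner.get(b) != user:
                raise PermissionError("block %d not owned by %s" % (b, user))
            if self.sanitise_on_release:
                self.disk[self._span(b)] = bytes(BLOCK)   # overwrite before reuse
            del self.owner[b]
        self.free = list(blocks) + self.free


SECRET = b"PIN=4711 CARD=4000111122223333"   # constructed sensitive record


def next_tenant_sees(sanitise):
    """Alice stores a secret and releases the space; Bob is then allocated the
    same blocks and reads them before writing anything. Returns what Bob sees."""
    store = BlockStore(4, sanitise)
    blocks = store.store("alice", SECRET)
    store.release("alice", blocks)
    got = store.allocate("bob", len(blocks))
    return b"".join(store.read("bob", b) for b in got)


def residue_on_medium(sanitise):
    """Disposal view: after release, does the raw medium still hold the secret?"""
    store = BlockStore(4, sanitise)
    store.release("alice", store.store("alice", SECRET))
    return SECRET in bytes(store.disk)


if __name__ == "__main__":
    print("without sanitising, Bob reads:", next_tenant_sees(False))
    print("with sanitising, Bob reads:   ", next_tenant_sees(True))
    print("residue on medium:", residue_on_medium(False), residue_on_medium(True))
```

Clearing on release (or, equivalently, on allocation) is the in-system control; for media disposal the overwrite has to reach the physical storage, which software erasure products cannot guarantee for sectors a drive has remapped or spared out, so physical destruction remains the fallback for highly sensitive media.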


Recommendations







C.

Trust Services


100.

Trust services provide the confidence that e-business transactions have in
fact been carried out by those individuals purporting to have carried them out,
and provide the evidence necessary to support that fact. They ensure that
commitments made by authenticated individuals cannot subsequently be disavowed.
Effective Trust Services are predicated on the fact that individuals have been
subject to a rigorous registration and authentication process to establish
their credentials.



101.

The evidence created may be required to support informal or formal agreements
between parties, financial transactions or legal actions between parties. In
many cases it may also be necessary to retain evidence that transactions
resulting from the commitment were in fact carried out.


102.

Trust Services will often be provided by independent Trusted Service Providers
(TSPs) to participants in the e-business service.


103.

In the context of this document Trust Services comprises the following
activities:

a. Key Management.

b. Non-Repudiation.

c. Evidence of Receipt.

d. Trusted Commitment Service.

e. Integrity.


104.

Other services which are commonly supplied by TSPs include archive services
(e.g. long term storage of documents, key pairs, certificates), directory
services and notarisation services. These services are considered to be outside
the scope of this report.



105.

Note that the activities described below in the section on Security Objectives
and Security Measures may be carried out by a single TSP or a combination of
TSPs.


Security Measures


Key Management


106.

The aims of Key Management are as follows:

a. Provide the means for the secure generation, storage, distribution,
revocation, and recovery of cryptographic keys;

b. Protect secret keys from disclosure to unauthorised individuals whilst in
storage or in transit;

c. Protect the integrity of archived keys and if appropriate apply
time-stamping to indicate the validity period of the key;

d. Where appropriate provide key escrow facilities to enable key recovery under
legal warrant or for business purposes. Escrow should apply to decryption keys
only: a signature key that is held by anyone other than its owner can no longer
support non-repudiation. (The ETSI LI group has developed several documents
(including European Standards) covering standards for Lawful Interception.
They are not covered in this document but can be found at
http://portal.etsi.org/li.)
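The following Python script is an added example (it is not the report's and not any TSP product's code) of aims a and c above together with the electronic signature measure of paragraph 107: a key registry that records each public key's validity period and revocation time, and a verification routine that accepts a signed commitment only if the key was valid at the time the signature was made. The RSA arithmetic is textbook, unpadded and with small keys, purely to keep the script self-contained on the standard library; a real service would use a vetted library and a padded scheme such as RSA-PSS. The key identifier, validity times and commitment text are constructed for the example, and the signing time is assumed to come from a trusted time-stamp.

```python
"""Key lifecycle (validity period, revocation) and signature verification
against key status at signing time. Added example; textbook RSA for
illustration only."""
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test on the standard library only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m


def gen_keypair(bits=512, seed=None):
    """Textbook RSA key generation (aim a). Deterministic for a given seed.
    Illustration only: real systems use >= 2048-bit keys from a vetted library."""
    rng = random.Random(seed)
    e = 65537

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1   # force top bit and odd
            if is_probable_prime(c):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            n = p * q
            return (n, e), (n, modinv(e, phi))


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv, message):
    """Unpadded RSA over SHA-256; for illustration only."""
    n, d = priv
    return pow(hash_to_int(message), d, n)


class KeyRegistry:
    """Each public key is recorded with its validity period and, if revoked,
    the time of revocation (aims a and c)."""

    def __init__(self):
        self.records = {}

    def register(self, key_id, pub, not_before, not_after):
        self.records[key_id] = {"pub": pub, "not_before": not_before,
                                "not_after": not_after, "revoked_at": None}

    def revoke(self, key_id, at):
        self.records[key_id]["revoked_at"] = at

    def valid_at(self, key_id, t):
        """Was the key usable at time t? Revocation is not retroactive: a
        signature time-stamped before the revocation remains evidence."""
        r = self.records.get(key_id)
        if r is None or not (r["not_before"] <= t <= r["not_after"]):
            return False
        return r["revoked_at"] is None or t < r["revoked_at"]


def verify_commitment(registry, key_id, message, signed_at, sig):
    """Accept a signed commitment only if the key was valid when it was made.
    signed_at is assumed to come from a trusted time-stamp."""
    if not registry.valid_at(key_id, signed_at):
        return False
    n, e = registry.records[key_id]["pub"]
    return pow(sig, e, n) == hash_to_int(message)


if __name__ == "__main__":
    pub, priv = gen_keypair(512, seed=7)
    reg = KeyRegistry()
    reg.register("alice-2003", pub, 1000, 2000)   # constructed id and validity window
    msg = b"I agree to pay 100 EUR for order 42"  # constructed commitment
    sig = sign(priv, msg)
    reg.revoke("alice-2003", 1600)
    for t in (1500, 1700):
        print("signed at", t, "->", verify_commitment(reg, "alice-2003", msg, t, sig))
```

The point to note is in valid_at: without a trusted time-stamp on the signature, a verifier cannot tell whether a commitment was made before or after the key was revoked, which is why aim c pairs archived-key integrity with time-stamping.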



Non-Repudiation


107.

The aim of a Non-Repudiation service is to furnish evidence that binds an
electronic transaction or communication to its originator, so that the real
world identity associated with the electronic identity cannot later deny having
originated it. Measures which support this service are:


a. At very low risk levels user identity and a transaction number may provide
the appropriate level of confidence. Additional confidence may be provided
using agreed passwords to authorise the transaction. Note that such shared
secrets are known to both parties, so they cannot by themselves prove to a
third party which of the two originated the transaction.

b. Stronger measures will be based upon electronic signatures supported by
proof of ownership of public keys.

c. Procedural measures such as audit log files showing transaction times and
records of system activities may be used to support the security measures.


d. A secure