
Page 1: TVRA 003 TVRA CPN worked example document - ETSI · 2009-04-09 · The present document provides the documented output of the TVRA exercise performed against the CPN as defined in

ETSI TISPANWG7 WG7-05-015

25th - 27th March 2009, Sophia Antipolis - France

Page 1 of 34

Title eTVRA Workshop CPN analysis

Source STF357

Contact [email protected]

Agenda Item

WI Ref. (if any) MI-07040

For Information: X Late submission:

For Agreement:

For Approval:

Contents

Contents .......... 1
1 Customer Premises Network (CPN) Threat Vulnerability and Risk Analysis (TVRA) .......... 3
2 References .......... 3
3 Definitions and Abbreviations .......... 3
3.1 Definitions .......... 3
3.2 Abbreviations .......... 4
4 Identification of CPN for TVRA analysis .......... 4
4.1 Overall description of the CPN .......... 4
4.2 The security analysis process .......... 4
4.3 Initial security analysis .......... 5
4.3.1 Assumptions .......... 5
4.3.2 Objectives (Identified in Step 1 of the TVRA) .......... 6
4.3.2.1 Confidentiality .......... 6
4.3.2.2 Integrity .......... 6
4.3.2.3 Availability .......... 7
4.3.2.4 Accountability .......... 7
4.3.2.5 Authenticity .......... 7
4.3.3 Functional requirements derived from objectives (Identified in Step 2 of the TVRA) .......... 8
4.3.4 Mapping from objectives to functional requirements .......... 9
4.4 Identification of the ToE .......... 10
4.4.1 Inherent weakness of the ToE .......... 11
4.4.2 Assets inside the ToE (From Step 3 of the TVRA: Produce Inventory of Assets) .......... 12
4.4.2.1 User Access Control .......... 13
4.4.2.2 Further decomposition of the ToE (CNG) .......... 14
4.5 Mapping of functional requirements to assets in the ToE .......... 17
4.6 Weaknesses of assets in the ToE .......... 18
4.6.1 Wireless access devices .......... 18
4.6.1.1 Wireless Ethernet (IEEE 802.11 series) .......... 18
4.6.1.1.1 Wired Equivalent Privacy (WEP) .......... 19
4.6.1.1.2 WiFi Protected Access (WPA) .......... 19
4.6.1.1.3 WPA-2 or Robust Security Network (RSN) .......... 19


4.6.1.2 DECT devices .......... 20
4.6.1.3 Bluetooth devices .......... 20
4.6.2 SIP signalling .......... 20
4.7 Identifiable attacks against assets in the ToE .......... 21
4.7.1 Denial of service .......... 23
4.7.2 Eavesdropping .......... 23
4.7.2.1 Eavesdropping of content of communication .......... 23
4.7.2.2 Eavesdropping of network element IDs .......... 24
4.7.3 Masquerade .......... 24
4.7.4 Unauthorized access .......... 25
4.7.5 Loss of information .......... 25
4.7.6 Corruption of information .......... 25
4.7.7 Repudiation .......... 26
4.8 Risk factor calculation .......... 27
5 Countermeasures in the form of detailed requirements .......... 29
5.1 General measures .......... 29
5.2 Wireless connection measures (CND to CNG) .......... 29
5.3 Connection measures (CNG to NGN) .......... 29
5.4 Anti-masquerade countermeasures .......... 29
6 CPN TVRA in tabular format .......... 31


1 Customer Premises Network (CPN) Threat Vulnerability and Risk Analysis (TVRA)

Risk analysis based security provision is at the heart of the "design for assurance" approach adopted in TISPAN to security standards development. In the NGN environment a Customer Premises Network is a loosely managed entity in the customer premises equipment offering both local services and connectivity (e.g. connecting the PCs, media centers, gaming platforms, printers and other ICT equipment of the household) and offering a gateway to the services of the NGN from the household.

The present document provides the documented output of the TVRA exercise performed against the CPN as defined in TISPAN WG5.

The content of the present document is intended to drive solutions for securing the CPN in the context of the NGN.

2 References

The following referenced documents are indispensable for the application of the present document. For dated references, only the edition cited applies. For non-specific references, the latest edition of the referenced document (including any amendments) applies.

[1] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis"

[2] ETSI TS 185 006v2.0.0: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Customer Devices architecture and Reference Points"

[3] ETSI TR 187 011: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Application of ISO-15408-2 requirements to ETSI standards - guide, method and application with examples"

[4] ETSI TS 184 002: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Identifiers (IDs) for NGN"

[5] ETSI ES 283 003: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); IP Multimedia Call Control Protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP) Stage 3 [3GPP TS 24.229 [Release 7], modified]"

[6] IETF RFC 3261: "SIP: Session Initiation Protocol"

[7] ETSI ES 282 001: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture"

[8] ETSI ES 282 007: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); IP Multimedia Subsystem (IMS); Functional architecture "

3 Definitions and Abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

user equipment: one or more devices allowing a user to access services delivered by TISPAN NGN networks


NOTE: This includes devices under user control commonly referred to as IAD, ATA, RGW, TE, etc. UE does not include network controlled entities such as network terminations and access gateways.

Editor's note: The CNG is the same as an RGW in the above definition from ES 282 001.

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

ADSL Asymmetric Digital Subscriber Line
CND Customer Network Device
CNG Customer Network Gateway
CPN Customer Premises Network
IMS Internet Multimedia System
NGN Next Generation Network
TVRA Threat Vulnerability and Risk Analysis

4 Identification of CPN for TVRA analysis

4.1 Overall description of the CPN

The Customer Premises Network offers a subset of NGN functionality within the domain of the subscriber whilst also allowing full access to the NGN by terminal/client emulation. In simple terms the CPN comprises a number of user terminals, referred to as Customer Network Devices (CNDs), connected to a Customer Network Gateway (CNG) which provides local routing, local services and access to the NGN.

There are a large number of technologies that may be used to connect CNDs to the CNG and the current analysis includes due consideration of how to apply some of the security capabilities of these to the abstract technologies of the modelled CPN.

NOTE: Existing home ADSL devices may share some of the functionality of CNGs and the set of devices in existing home networks may share some of the functionality of CPNs but should not be considered as NGN CPNs as defined in ETSI TISPAN.

4.2 The security analysis process

The security analysis follows the process described in TS 102 165-1 [1] as illustrated below.


[Figure 1 (image not reproduced). Stages: Vulnerability Analysis, Security Requirements, Functional Specifications, TOE Design, Implementation Representation. Classes: Vulnerability Analysis, PP Evaluation, Development. Inputs: Assets, Threats, Risks, Assumptions, Policies, Security Objectives. Stage 1 Description: Text, Block Diagrams, Class Diagrams, MSCs, etc. Stage 2 Description: Text, Process Diagrams, State Diagrams, ASN.1. Stage 3 Description.]

Figure 1: Structure of security analysis and development in standards documents

The eTVRA method consists of the following steps:

1) Identification of the objectives resulting in a high level statement of the security aims and issues to be resolved.

NOTE: Any assumptions made should be explicitly stated at this point, as the assumptions may lead the analysis in one direction and they have to be verified during the course of the analysis.

2) Specification of the security functional requirements, derived from the objectives developed in step 1.

3) Compilation of an inventory of system assets.

4) Identification and classification of the vulnerabilities in the system, the threats that can exploit them and the unwanted incidents that may result.

5) Quantification of the likelihood of occurrence and impact of the threats.

6) Establishment of the risks.

7) Specification of countermeasures as detailed security requirements.

NOTE: There should be a clear mapping from objectives (step 1) through functional requirements (step 2) to detailed requirements (step 7).

4.3 Initial security analysis

4.3.1 Assumptions

The following pre-conditions have been assumed to be valid within the CPN security analysis:


• CNG is able to perform networking functions from physical connection to bridging and routing capabilities (L1-L3), but also possibly implementing functions related to the service support (up to L7)

• The UNI connection to NGN-IMS services is provided at the Gm reference point

• The Ut reference point may act as a UNI connection to non-IMS NGN services (where the services are in the application server space)

• The CNG may host an application server for local Ut connections (CND to CNG at Ut reference point)

• The CPN is a low cost and low maintenance environment

• Where an IMS terminal uses the CNG in "pass through" mode, the CNG is for that instance considered a network controlled access gateway rather than a CNG in the normal sense, and is out of scope of the CPN analysis.

• A CNG and a network controlled access gateway may co-exist in the same physical hardware but are maintained in separate security domains. This is somewhat similar to a single PC acting both as a database server and as a web server where some attacks on the base hardware or operating system will affect both capabilities equally but attacks specific to the server types will affect only the attacked server type.

• The CNG acts on behalf of the CNDs in communicating with the NGN;

• The CNG is a full NGN terminal with an NGN identity as defined in TS 184 002 [4]:

- the NGN is assumed to be protected by a full security association with the CNG created using any specified method including IMS-AKA in order to provide authentication of the CNG-identity, and which may also provide confidentiality of the communications between the CNG and the NGN and protection of the integrity of signalling between the CNG and the NGN

• The CND may be a full NGN terminal with an NGN identity as defined in TS 184 002 or a non-NGN terminal attached to the CNG via an appropriate terminal adaptor;

• The CNG only connects to the NGN by a fixed line connection (i.e. not by a UMTS radio connection);

• The NGN does not distinguish between a CNG and any other NGN terminal.

• The NGN includes IMS as a service platform

4.3.2 Objectives (Identified in Step 1 of the TVRA)

4.3.2.1 Confidentiality

The following objectives related to the confidentiality of stored and transmitted information have been identified for CPNs:

1. Information sent to or from a registered user of a CPN should not be revealed to any unauthorized party

2. Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized access.

3. Details relating to the identity and service capabilities of a CPN user should not be revealed to any unauthorized 3rd party within the CPN or in the wider NGN

4. Management Information sent to or from a CPN should not be revealed to any unauthorized party

5. Management Information held within a CPN should be protected from unauthorized access.

4.3.2.2 Integrity

The following objectives related to the integrity of stored and transmitted data have been identified for CPNs:


1. Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized modification and destruction

2. Information sent to or from a registered user of a CPN should be protected against unauthorized or malicious modification or manipulation during transmission

3. Management Information held within a CPN should be protected from unauthorized modification and destruction

4. Management Information sent to or from a CPN should be protected against unauthorized or malicious modification or manipulation during transmission

4.3.2.3 Availability

The following objectives related to the availability of CPN services have been identified:

1. Services provided within a CPN should be available only to authorized users of the CPN whether they are attached to an access point within the CPN or to an access point within the wider NGN

2. Access to and the operation of services by authorized CPN users should not be prevented by malicious activity within the CPN or in the wider NGN

4.3.2.4 Accountability

The following objective related to accountability has been identified for CPNs:

1. The owner of a CPN should only be billed for the legitimate use of NGN services by legitimate users of the CPN

4.3.2.5 Authenticity

The following objectives related to the authenticity of CPN users have been identified:

1. It should not be possible for an unauthorized user to pose as an authorized user when communicating with an application or other user of a CPN

2. It should not be possible for a CPN to receive and process management and configuration information from an unauthorized user



Table 1: CPN Security objectives

OBJ ID: Security Objective Description

Confidentiality
OBJ-C-1: Information sent to or from a registered user of a CPN should not be revealed to any unauthorized party
OBJ-C-2: Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized access
OBJ-C-3: Details relating to the identity and service capabilities of a CPN user should not be revealed to any unauthorized 3rd party within the CPN or in the wider NGN
OBJ-C-4: Management Information sent to or from a CPN should not be revealed to any unauthorized party
OBJ-C-5: Information held within a CPN should be protected from unauthorized access

Integrity
OBJ-I-1: Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized modification and destruction
OBJ-I-2: Information sent to or from a registered user of a CPN should be protected against unauthorized or malicious modification or manipulation during transmission
OBJ-I-3: Management Information held within a CPN should be protected from unauthorized modification and destruction
OBJ-I-4: Management Information sent to or from a CPN should be protected against unauthorized or malicious modification or manipulation during transmission

Availability
OBJ-A-1: Services provided within a CPN should be available only to authorized users of the CPN whether they are attached to an access point within the CPN or to an access point within the wider NGN
OBJ-A-2: Access to and the operation of services by authorized CPN users should not be prevented by malicious activity within the CPN or in the wider NGN

Authenticity
OBJ-Au-1: It should not be possible for an unauthorized user to pose as an authorized user when communicating with an application or other user of a CPN
OBJ-Au-2: It should not be possible for a CPN to receive and process management and configuration information from an unauthorized user

Accountability
OBJ-Acc-1: The owner of a CPN should only be billed for the legitimate use of NGN services by legitimate users of the CPN

Non-Repudiation
OBJ-NRep-1: none

4.3.3 Functional requirements derived from objectives (Identified in Step 2 of the TVRA)

The following functional requirements have been derived from the objectives above following the guidelines given in TR 187 011 [3].

a) All CPN users shall be required to register (log in) to a CNG before being provided with CPN services

b) Each CPN user shall be granted a defined level of access to CPN services upon registration

c) As an option, it shall be possible for signalling and media exchanged between the CNG and the NGN to be encrypted

d) Each CPN user shall be granted a defined level of access to CPN data upon registration

e) At least the three following levels of access to CPN data should be available to be assigned to individual users:

- no access other than for operation of services

- read-only access

- read and write access (administrator)


f) All CPN users who have read-only access or read and write access to CPN data shall be authenticated as part of the user registration process (whether local registration or remote)

g) It shall not be possible for a user who is not currently registered to the CPN to have any access to CPN data

h) As part of the registration process, a CPN user (either local or remote) shall provide sufficient information to identify that user uniquely within the CPN

i) As an option, it shall be possible for management information exchanged between the CNG and the NGN to be encrypted

j) A CNG shall implement or activate mechanisms for detecting changes en route to data (signalling and media) exchanged with the NGN

k) It shall not be possible for a user to invoke CPN services unless the user is currently registered either locally or remotely to the CPN

l) A CNG shall implement mechanisms for detecting possible denial-of-service attacks from within the CPN

m) A CNG shall implement mechanisms for detecting possible denial-of-service attacks on the CPN from within the NGN

n) All CPN users who are authorized to invoke NGN services shall be authenticated by the CNG as part of the user registration process (whether local registration or remote)

o) All CPN users who are authorized to invoke internal CPN applications shall be authenticated as part of the user registration process (whether local registration or remote)

p) All CPN users who are authorized to communicate directly with other users of the same CPN shall be authenticated as part of the user registration process (whether local registration or remote)

q) All CPN users who are authorized to view and modify CPN management and configuration information shall be authenticated as part of the user registration process (whether local registration or remote)

NOTE: All of the above functional requirements may be mapped to generic ones from ISO/IEC 15408-2. For reasons of readability this is not shown.

4.3.4 Mapping from objectives to functional requirements

A major objective of the TVRA is to ensure visibility of security associations in the widest possible sense. In the following table the objectives are mapped to the functional requirements.
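A mapping like this is only as good as its completeness, so a practitioner will want to check it rather than read it. The following Python is an added example, not part of the ETSI document: it encodes the objectives of Table 1 and rows a to k of Table 2 as they appear on these pages (with the objective column copied as printed, including its inconsistent spacing and the "OBJ-4" reference in row c), then reports objectives that no encoded requirement implements and references to objectives that are not defined. Objective descriptions are abbreviated; the check itself is generic and runs unchanged on any eTVRA objective-to-requirement table.

```python
"""Traceability check for an eTVRA objective-to-requirement mapping.

Added example (not from the ETSI document). Encodes Table 1 and rows a to k
of Table 2 of the CPN TVRA and checks the property the method note asks for:
a clear mapping from objectives (step 1) to functional requirements (step 2).
"""
import re

# Objective IDs from Table 1; descriptions abbreviated from the table text.
OBJECTIVES = {
    "OBJ-C-1": "user information in transit not revealed to unauthorized party",
    "OBJ-C-2": "information held in CNG and CNDs protected from unauthorized access",
    "OBJ-C-3": "user identity and service capabilities not revealed to 3rd party",
    "OBJ-C-4": "management information in transit not revealed to unauthorized party",
    "OBJ-C-5": "information held within a CPN protected from unauthorized access",
    "OBJ-I-1": "information held in CNG and CNDs protected from modification",
    "OBJ-I-2": "user information in transit protected from modification",
    "OBJ-I-3": "management information held in CPN protected from modification",
    "OBJ-I-4": "management information in transit protected from modification",
    "OBJ-A-1": "CPN services available only to authorized users",
    "OBJ-A-2": "service access not prevented by malicious activity",
    "OBJ-Au-1": "unauthorized user cannot pose as an authorized user",
    "OBJ-Au-2": "CPN does not process management information from unauthorized user",
    "OBJ-Acc-1": "owner billed only for legitimate use by legitimate users",
    "OBJ-NRep-1": "none",
}

# Rows a to k of Table 2: the "Objective implemented" column as printed.
# Rows l onward are on later pages and are not encoded here.
MAPPING_ROWS = {
    "a": "OBJ-A-1",
    "b": "OBJ-A-1, OBJ-Au-1, OBJ-C-2",
    "c": "OBJ-C-2, OBJ-4",
    "d": "OBJ-C-1,OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5",
    "e": "OBJ-C-1,OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5, OBJ-Au-1, OBJ-I-1, OBJ-I-3",
    "f": "OBJ-C-1,OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5, OBJ-Au-2",
    "g": "OBJ-A-1",
    "h": "OBJ-Au-1, OBJ-C-1",
    "i": "OBJ-C-4",
    "j": "OBJ-I-2, OBJ-I-4",
    "k": "OBJ-A-1",
}

# Matches well-formed IDs (OBJ-C-1, OBJ-Au-2) and the malformed "OBJ-4".
OBJ_ID = re.compile(r"OBJ-[A-Za-z]*-?\d+")


def parse_objective_cell(cell):
    """Split one Table 2 objective cell into IDs, tolerating missing spaces."""
    return OBJ_ID.findall(cell)


def check_traceability(objectives, rows):
    """Return which requirements cover each objective, the objectives left
    uncovered, and requirement rows that refer to undefined objectives."""
    coverage = {obj: [] for obj in objectives}
    dangling = {}
    for ref, cell in rows.items():
        for obj in parse_objective_cell(cell):
            if obj in coverage:
                coverage[obj].append(ref)
            else:
                dangling.setdefault(ref, []).append(obj)
    uncovered = sorted(obj for obj, refs in coverage.items() if not refs)
    return {"coverage": coverage, "uncovered": uncovered, "dangling": dangling}


def report(result, objectives):
    """Render the check as one finding per line (empty findings -> OK line)."""
    lines = [f"UNCOVERED {obj}: {objectives[obj]}" for obj in result["uncovered"]]
    for ref, objs in sorted(result["dangling"].items()):
        lines.append(f"DANGLING  row {ref} refers to undefined {', '.join(objs)}")
    if not lines:
        lines.append("OK: every objective is implemented and every reference resolves")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_traceability(OBJECTIVES, MAPPING_ROWS), OBJECTIVES))
```

Because only rows a to k are encoded, OBJ-A-2 is reported as uncovered here even though later rows of the table may implement it; the "OBJ-4" finding in row c is a genuine transcription gap a reviewer would raise.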


Table 2: Mapping from objectives to functional requirements

Ref | Functional requirement | Objective implemented
a | All CPN users shall be required to register (log in) to a CNG before being provided with CPN services | OBJ-A-1
b | Each CPN user shall be granted a defined level of access to CPN services upon registration | OBJ-A-1, OBJ-Au-1, OBJ-C-2
c | As an option, it shall be possible for signalling and media exchanged between the CNG and the NGN to be encrypted | OBJ-C-2, OBJ-4
d | Each CPN user shall be granted a defined level of access to CPN data upon registration | OBJ-C-1, OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5
e | At least the three following levels of access to CPN data should be available to be assigned to individual users: no access other than for operation of services; read-only access; read and write access (administrator) | OBJ-C-1, OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5, OBJ-Au-1, OBJ-I-1, OBJ-I-3
f | All CPN users who have read-only access or read and write access to CPN data shall be authenticated as part of the user registration process (whether local registration or remote) | OBJ-C-1, OBJ-C-2, OBJ-C-3, OBJ-C-4, OBJ-C-5, OBJ-Au-2
g | It shall not be possible for a user who is not currently registered to the CPN to have any access to CPN data | OBJ-A-1
h | As part of the registration process, a CPN user (either local or remote) shall provide sufficient information to identify that user uniquely within the CPN | OBJ-Au-1, OBJ-C-1
i | As an option, it shall be possible for management information exchanged between the CNG and the NGN to be encrypted | OBJ-C-4
j | A CNG shall implement or activate mechanisms for detecting changes en route to data (signalling and media) exchanged with the NGN | OBJ-I-2, OBJ-I-4
k | It shall not be possible for a user to invoke CPN services unless the user is currently registered either locally or remotely to the CPN | OBJ-A-1
l | A CNG shall implement mechanisms for detecting possible denial-of-service attacks from within the CPN | OBJ-A-2
m | A CNG shall implement mechanisms for detecting possible denial-of-service attacks on the CPN from within the NGN | OBJ-A-2
n | All CPN users who are authorized to invoke NGN services shall be authenticated by the CNG as part of the user registration process (whether local registration or remote) | OBJ-A-1
o | All CPN users who are authorized to invoke internal CPN applications shall be authenticated as part of the user registration process (whether local registration or remote) | OBJ-Au-1
p | All CPN users who are authorized to communicate directly with other users of the same CPN shall be authenticated as part of the user registration process (whether local registration or remote) | OBJ-Au-1
q | All CPN users who are authorized to view and modify CPN management and configuration information shall be authenticated as part of the user registration process (whether local registration or remote) | OBJ-Au-1

4.4 Identification of the ToE

The concept of a Target of Evaluation (ToE) in security analysis is described in ISO/IEC 15408 as the core of the security analysis. The identification of the ToE is referred to in the ETSI TVRA method as the identification of the assets of a system.

The purpose of the ToE is to identify the security boundary for the purposes of risk analysis and to provide a focus for the risk analysis. The CPN environment is made up of the NGN on one side and the CNDs on the other. This is shown in Figure 2 below. This figure identifies only the primary signalling interfaces from CNDs to the CNG, and from CNG to NGN (Gm' and Gm respectively).


Figure 2: Identification of ToE

The CNG interfaces to the NASS in the NGN at the following reference points:

• e1 and e3 reference points for address allocation, authentication and authorization purposes;

The CNG interfaces to the NGN for sending and receiving media and media control flows at the Dj reference point.

The CNG interfaces to the NGN to access IMS at the Gm reference point.

The CNG interfaces to SIP Application Servers at the Ut reference point. (This reference point enables the user to manage information related to his services).

The CNDs, which may be of a number of variants, are presented in this example to the NGN as pseudo-IMS devices (i.e. the CNG offers a set of IMS like services). In each case an external adapter may be necessary to provide a signalling connection from the CND to the NGN, e.g. a Terminal Adapter (TA) to connect conventional analogue phones. The packaging of devices into the physical environment of the CNG is not considered (e.g. a CNG may be sold with a TA built in).

4.4.1 Inherent weakness of the ToE

The primary signalling system of the CPN is SIP, and several studies have shown that SIP has a number of core weaknesses. In addition, SIP is semantically and syntactically imprecise, although best practice guidelines have made significant efforts to address these issues.

There may be only wireless connections from CNDs to the CNG thus exposing all communication between CNDs and CNGs to interception attack.

The physical environment in which the CPN is placed is not controlled and thus may open the physical elements of the CPN (the CNDs and the CNG) to theft (it is assumed that all CPN equipment fits the criminal criteria of CRAVED []).

The home based installation is not protected in general against interruptions of power or against EM interference as the environment is not strictly controlled.


As the CNG connects to the NGN at three distinct logical points (Transport, IMS/Service, Application) and the transport attachment is a normal IP termination it is possible to invoke end-user services directly at the transport layer thus bypassing any equivalent service normally connected at either the IMS/Service or Application layers.

NOTE: The impact of any attack that exploits this weakness varies with the point of observation of the attack, whereas the likelihood is constant.

The CNG hardware may allow coexistence of Public Network Gateway (PNG) services (e.g. FON) and the CPN CNG. It is assumed in such cases that the CPN-CNG is distinct from the PNG service.

4.4.2 Assets inside the ToE (From Step 3 of the TVRA: Produce Inventory of Assets)

A decomposition of the assets inside the CNG (the ToE) identifies a number of interoperating assets, both functional and data (or information). In order to further analyse the risk, each asset has to be listed and its vulnerabilities exposed.

[Figure 3 content: the Target Of Evaluation (the CNG) decomposed into the functional blocks Services and Applications, Session Control, Policy Control, Routing, User Access Control and Network Access Control; the User Agent side attaches at Gm', Ut, e1' and e3', the NGN side at Gm, Ut, e1, e3 and Dj.]

Figure 3: Decomposition of ToE (i.e. functional blocks inside CNG)

The core assets within the CNG/ToE are then shown in the following table.


Table 3: Decomposed CNG assets

CNG entity | Functionality | Internal reference point (CND to CNG) | NGN equivalent entity or system | External reference point (CNG to NGN)
User Access Control | User access control is the primary point at which CNDs (representing their users) access the facilities of the CNG (and thus the CPN) and through which they may access the NGN (if permission is granted) | Ut, Gm' | UPSF, SIP-REGISTER | Ut, Gm
Network Access Control | Offers NASS like services | au, e1', e3' | NASS | e1, e3
Session Control | Manage sessions, negotiate session parameters (bandwidth, screen resolution, codecs…) | Gm' | IMS, CSCF, SIP-INVITE | Gm
Routing | Network address translation, routing | e1' | NASS, BGF | e1
Policy Control | Security policy, rights management, QoS policy | Ut | RACS, SPDF |
Services and Applications | Communication services (SIP, IMS-based services), IPTV services, customer applications | Ut, Gm' | IMS, Application Server | Ut, Gm

Each of these core assets needs to be further decomposed and analysed to better identify functional and data assets and the interactions they have with each other.

Table 4: Data assets transferred by reference point (CND to CNG)

Reference point | Data assets
au | Authentication and authorization information pertaining to attachment, encryption and security processes (WEP, WPA2, …)
e1' | CND/CNG hardware identities – MAC address, device ID, etc.
e3' | Information related to: auto-configuration and dynamic service provisioning; software/firmware management; status and performance monitoring; diagnostics
Ut | Information related to user service management, management of public service identities, management of service authorization policies (e.g. used by Presence service, conference policy management)
Gm' | Registration and session control data (e.g. parameters)

4.4.2.1 User Access Control

User access control is the primary point at which CNDs (representing their users) access the facilities of the CNG (and thus the CPN) and through which they may access the NGN (if permission is granted).

The UAC shares much of its functionality with the User Profile Server Function (UPSF) of the NGN and is responsible for holding the following user related information:

• Service-level user identification, numbering and addressing information.

• Service-level user security information.

• Service-level user location information.

• Service-level user profile information.

The data stores required are modelled as a user-descriptor and user-authentication parameters in the decomposition below. In addition any user specific parameters for signalling and content validation are shown.


Figure 4: Decomposition of User Access Control

4.4.2.2 Further decomposition of the ToE (CNG)

Each of the other elements of the ToE can be decomposed. This is shown figuratively in the following set of figures.


[Figure 5 content: Session Control decomposed into Service Activation, Connection Control and QoS Management, holding the data stores Service Characteristics and QoS Parameters; it interacts with Services and Applications, Policy Control, Routing, User Access Control and Network Access Control.]

Figure 5: Decomposition of Session Control


[Figure 6 content: Network Access Control decomposed into Network Identity Management, Media Management, Protocol Control, Access Management, Signalling Content Validation, Media Content Validation and CPN Authentication, holding the data stores Signalling Validation Parameters, Content Validation Parameters, Authentication Parameters and Network Connection Descriptor; it interacts with Policy Control, Routing and Session Control.]

Figure 6: Decomposition of Network Access Control

[Figure 7 content: Policy Control decomposed into Network Rights Management, User Rights Management, Security Management and QoS Capability Management, holding the data stores User Service Profile Database and Network Service Profile Database; it interacts with User Access Control, Network Access Control and Session Control.]

Figure 7: Decomposition of Policy Control


Figure 8: Decomposition of Routing

4.5 Mapping of functional requirements to assets in the ToE


Table 5: Mapping of functional requirements to ToE assets

Ref | Functional requirement | ToE asset impacted
a | All CPN users shall be required to register (log in) to a CNG before being provided with CPN services | User Access Control
b | Each CPN user shall be granted a defined level of access to CPN services upon registration | User Access Control, Policy Control
c | As an option, it shall be possible for signalling and media exchanged between the CNG and the NGN to be encrypted | User Access Control, Network Access Control, Policy Control Function
d | Each CPN user shall be granted a defined level of access to CPN data upon registration | User Access Control, Policy Control
e | At least the three following levels of access to CPN data should be available to be assigned to individual users: no access other than for operation of services; read-only access; read and write access (administrator) | User Access Control, Policy Control
f | All CPN users who have read-only access or read and write access to CPN data shall be authenticated as part of the user registration process (whether local registration or remote) | User Access Control, Policy Control
g | It shall not be possible for a user who is not currently registered to the CPN to have any access to CPN data | User Access Control, Policy Control
h | As part of the registration process, a CPN user (either local or remote) shall provide sufficient information to identify that user uniquely within the CPN | User Access Control
i | As an option, it shall be possible for management information exchanged between the CNG and the NGN to be encrypted | Network Access Control, Policy Control Function
j | A CNG shall implement or activate mechanisms for detecting changes en route to data (signalling and media) exchanged with the NGN | Network Access Control, Policy Control Function
k | It shall not be possible for a user to invoke CPN services unless the user is currently registered either locally or remotely to the CPN | User Access Control
l | A CNG shall implement mechanisms for detecting possible denial-of-service attacks from within the CPN | Network Access Control, Policy Control Function
m | A CNG shall implement mechanisms for detecting possible denial-of-service attacks on the CPN from within the NGN | Network Access Control, Policy Control Function
n | All CPN users who are authorized to invoke NGN services shall be authenticated by the CNG as part of the user registration process (whether local registration or remote) | User Access Control
o | All CPN users who are authorized to invoke internal CPN applications shall be authenticated as part of the user registration process (whether local registration or remote) | User Access Control
p | All CPN users who are authorized to communicate directly with other users of the same CPN shall be authenticated as part of the user registration process (whether local registration or remote) | User Access Control
q | All CPN users who are authorized to view and modify CPN management and configuration information shall be authenticated as part of the user registration process (whether local registration or remote) | User Access Control

4.6 Weaknesses of assets in the ToE

4.6.1 Wireless access devices

4.6.1.1 Wireless Ethernet (IEEE 802.11 series)

CNDs may attach to the CNG using wireless Ethernet technologies (IEEE 802.11a/b/g/n) which have a number of built-in security features of variable cryptographic strength and capability. The au reference point is where the transfer of authentication and authorization data between the CND and the CNG may be visible; however, the CPN specifications do not tie the WEP/WPA/RSN authentications to au explicitly.

4.6.1.1.1 Wired Equivalent Privacy (WEP)

There are a number of well documented flaws in WEP mainly relating to the management of keys and the cryptographic parameters. In particular WEP is susceptible to the following attacks:

• Passive attacks to decrypt traffic based on statistical analysis.

• Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.

• Active attacks to decrypt traffic, based on tricking the access point.

• Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

The cryptographic provision of confidentiality of WEP uses 64-bit and 128-bit key implementations of the RC4 algorithm but the use of repeated (re-used) initialisation vectors brings the effective key length down to 40 and 104 bits in each case. A number of researchers have shown that using some known plaintext and signal injection the key in WEP can be recovered from a few thousand transactions hence negating any security of the RC4 algorithm itself. The attacks can be performed over the air in real time with easily accessible tools.

For use in WiFi, WEP only provides confidentiality and does not purport to offer any support to identification. Furthermore, WEP installations use a shared secret that may be susceptible to dictionary attacks.

4.6.1.1.1.1 Notes on RC4

RC4 is a two stage key stream generator where the first phase is the key scheduling algorithm and the second stage is the random number generator. RC4 was designed in 1987 to be very simple to implement and whilst this goal is achieved practical implementations (such as in WEP) often fail. A stream cipher attempts to achieve the perfect secrecy of the One Time Pad (n bits of plain text protected by a key of length n to give a cipher text also of length n where the key is absolutely random) but using a short key (i.e. key length l is much less than plain text length n) and a pseudo random generator with some seed information (initialisation vector) to generate a key stream sequence of length n. If the generator is good and the seed information is sufficiently long (with respect to the key) and where the seed is changed for every instance of key stream generation a key stream generator should approach the goals of the One Time Pad.

NOTE: Shannon proved the perfect encryption capability of the one time pad in 1949.

4.6.1.1.2 WiFi Protected Access (WPA)

In order to address the weaknesses in WEP the WiFi Alliance implemented a revision in the form of a specific standard, 802.11i, of which WPA implements a sub-set. WPA retains the use of RC4 as the encryption algorithm but improves on the key management sub-system over that used in WEP. The interim key management solution is the Temporal Key Integrity Protocol (TKIP), which takes the initialisation vector and the key as inputs to create a cryptographically modified key as input to RC4. (This is opposed to the case in WEP where a simple concatenation of Initialisation Vector and Key is input to RC4.) TKIP also introduces an anti-replay counter (as there is only a single hop, anti-replay mechanisms are immune to store and forward errors and attacks).
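The keystream-reuse failure described in the RC4 notes above and the WEP IV||key seeding contrasted with TKIP in the preceding paragraph, as an added example (not code from the ETSI document): a minimal RC4 in its two stages, WEP-style seeding, a check a defender can run over captured frames for repeated IVs, and a counter-based sender that never repeats one. All keys, IVs and payloads are constructed values.

```python
"""Added example, not from the ETSI document: RC4 as key scheduling plus
pseudo-random generation, WEP-style seeding with IV || shared key, the
consequence of a repeated IV (two frames share a keystream, so XOR-ing the
ciphertexts gives the XOR of the plaintexts and the key drops out), a capture
check for IV reuse, and a sender that never repeats an IV under one key.
Keys, IVs and payloads below are constructed sample values."""
from collections import Counter
from typing import Dict, List, Tuple

IV_BYTES = 3  # WEP sends a 24-bit IV in the clear in front of every frame


def rc4_ksa(key: bytes) -> List[int]:
    """Stage 1, key scheduling: derive the initial 256-byte permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Stage 2, pseudo-random generation: emit `length` keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the plain concatenation IV || key (24-bit IV plus a
    40- or 104-bit secret); the same IV under the same key regenerates the
    same keystream."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 3 bytes")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def find_iv_reuse(frames: List[Tuple[bytes, bytes]]) -> Dict[bytes, int]:
    """Defender's check over captured (iv, ciphertext) pairs sent under one
    key: every IV seen more than once means keystream reuse."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a shared keystream ks: (p1 ^ ks) ^ (p2 ^ ks) == p1 ^ p2. The key
    has cancelled out, which is what reuse 'negating the security of RC4'
    means in practice."""
    return xor(c1, c2)


class FreshIvSender:
    """Counter-based IV that is never repeated under one key and refuses to
    wrap (rekey instead): the 'seed changed for every instance' property."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.next_iv = 0

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        if self.next_iv >= 1 << (8 * IV_BYTES):
            raise RuntimeError("IV space exhausted: rekey before sending")
        iv = self.next_iv.to_bytes(IV_BYTES, "big")
        self.next_iv += 1
        return iv, wep_encrypt(iv, self.key, plaintext)


def demo() -> dict:
    """Two constructed SIP-like payloads sent with a repeated IV versus with
    fresh IVs; returns what the reuse check and the leak test observe."""
    key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    p1 = b"REGISTER sip:alice@cpn.example SIP/2.0"
    p2 = b"INVITE sip:bob@cpn.example SIP/2.0 ..."
    n = min(len(p1), len(p2))
    p1, p2 = p1[:n], p2[:n]
    iv = bytes.fromhex("aabbcc")  # constructed IV, deliberately reused
    bad = [(iv, wep_encrypt(iv, key, p1)), (iv, wep_encrypt(iv, key, p2))]
    sender = FreshIvSender(key)
    good = [sender.send(p1), sender.send(p2)]
    return {
        "reused_ivs": find_iv_reuse(bad),
        "leak_is_plaintext_xor": keystream_reuse_leak(bad[0][1], bad[1][1]) == xor(p1, p2),
        "fresh_reused_ivs": find_iv_reuse(good),
        "fresh_leak_is_plaintext_xor": keystream_reuse_leak(good[0][1], good[1][1]) == xor(p1, p2),
    }


if __name__ == "__main__":
    print(demo())
```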

For use in WiFi, WPA only provides confidentiality and does not purport to offer any support to identification. Furthermore, WPA installations use a shared secret that may be susceptible to dictionary attacks.

4.6.1.1.3 WPA-2 or Robust Security Network (RSN)

WPA-2 is a full implementation of 802.11i and replaces RC4 with an algorithm derived from AES known as CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol).

For use in WiFi, WPA-2 provides confidentiality and integrity and does not purport to offer any support to identification. Furthermore, WPA-2 installations use a shared secret that may be susceptible to dictionary attacks, although some modes provide rudimentary support for challenge-response authentication extensions that inhibit such attacks.


4.6.1.2 DECT devices

DECT has been specified in ETSI and contains authentication and confidentiality countermeasures built in. There have been no reported successful attacks on the DECT Standard Authentication Algorithm (DSAA) nor on the DECT Standard Cipher (DSC). However, the source of both these algorithms is private (i.e. not public in the way that AES is). Depending on manufacturer and specific devices, the keys are shared between handsets and base stations and may be discoverable by an enterprising attacker (this may require physical access to the DECT base-station).

4.6.1.3 Bluetooth devices

There is significant historical evidence of Bluetooth vulnerabilities and tools to exploit them (btscanner, btxml, Gnokii, OpenOBEX, Redfang and others). The extent of attacks is very wide and available over an extended physical range (750m has been reported with unmodified equipment):

• Theft or alteration of personal information

• Mobile phone IMEI number availability

• Privacy, tracking

• Complete control of certain devices

• Denial of Service (DoS)

• Airborne viruses and worms

Most attack tools are able to counter the conventional responses of placing the Bluetooth device in non-discoverable mode, and of requiring explicit pairing of devices. The Bluetooth specification does allow for both authentication of the devices and confidentiality protection of the radio interface transmissions although many of these are based on default (published) PIN codes. The confidentiality mechanism in Bluetooth is a 128-bit crypto form but the key is derived from the user entered PIN code commonly as short as 4 digits (say 16 bits in BCD format) and is often set to "0000" by default at installation and rarely changed.

4.6.2 SIP signalling

SIP has been much written about with respect to its security vulnerabilities and whilst many of these are resolvable the core protocol maintains many weaknesses. In addition because of the popularity, and relative simplicity of SIP, there are a large number of attack tools available.

The CPN supports two variants of SIP each of which share attributes including extensibility. The Gm reference point supports IMS-SIP as defined in ES 283 003 [5], the Gm' reference point supports other IETF SIP variants using SIP as defined in IETF RFC 3261 [6]. The concept of the CNG as a SIP Back to Back User Agent (i.e. acting as a SIP server to the CND and as a SIP client to the NGN) may require a mapping of IETF SIP to IMS SIP, or may allocate any non-IMS SIP signalling to the Ut reference point or directly to an uncontrolled SIP server across the root IP connection.


Table 6: Overview of Weaknesses

Weakness ID | Weakness Name | Weakness Description | Unwanted Incident | Attack system knowledge
W-1 | WEP protocol flaws | There are a number of well documented flaws in WEP mainly relating to the management of keys and the cryptographic parameters | Disclosure of private information | Public (the attacks can be performed over the air in real time with easily accessible tools)
W-2 | SIP protocol weaknesses | Message flow attacks on SIP methods e.g. "BYE", "Invite", "Cancel", "Refer" | Loss of Service | Public (there are a wide number of attack tools available)
W-3 | HTTP digest (for access to SIP/IMS) | Both the protocol and algorithm have weaknesses that can be exploited | Fraudulent use of service | Public/Restricted?
W-4 | NBA (for access to IMS) | The WIFI can be exploited | Fraudulent use of service | Public/Restricted?

4.7 Identifiable attacks against assets in the ToE

NOTE: The threat analysis presented in the present document identifies and analyses threats on network elements and reference points from a generic point of view and thus it does not reflect possible physical implementations and configurations.

The major categories of threats (threat families) are described below:

• Denial of service.

• Eavesdropping/Interception.

• Masquerade.

• Unauthorized access.

• Loss of information.

• Corruption of information/Manipulation.

• Repudiation.


Table 7: List of Threats

Threat ID | Threat Name | Asset Name | Threat Description | Threat Family
T-1 | DoS on CNG Network elements | Network Access Control | This attack is made by continuously sending data to the CNG network elements so that no more resources are available to the CNDs. | DoS
T-2 | Denial of access to services | Services and applications | This threat might be a result of the previous one. If the relevant network elements are no longer able to perform a user request the CPN services could not be offered to the users any longer. | DoS
T-3 | Eavesdropping of content of communication | Session Control/ Services and Applications | Unauthorized monitoring of communication | Eavesdropping/ Interception
T-4 | Eavesdropping of network element IDs | Network Access Control | Network element IDs may be used by entities to authenticate each other prior to the exchange of data. If attackers know these IDs, | Eavesdropping/ Interception
T-5 | Masquerade as legitimate user during the registration process | User Access Control/ Services and applications | Masquerade as a legitimate user during registration so that the attacker can obtain unauthorized access to services. | Masquerade
T-6 | Masquerade as network entity during the service authentication and registration process | User Access Control | The attacker can intercept and obtain user data, e.g. authentication information | Masquerade
T-7 | Masquerade as legitimate user during the authentication process | User Access Control/ Services and applications | Obtain unauthorised access to services | Masquerade
T-8 | Masquerade as calling party during call setup | Session Control/ Services and applications | The attacker may place calls charged to the legitimate user | Masquerade
T-9 | Masquerade as called party during call setup | Services and applications | This may cause rerouting of calls to another domain e.g. to perform subscription fraud. | Masquerade
T-10 | Masquerade as non-terminating network entity during an active connection | Services and applications | After successful call setup an attacker may masquerade as another network entity in order to obtain parts of the content of communication (e.g. one time password) for use in fraudulent activities | Masquerade
T-11 | Unauthorised access to Management functions and elements | Policy control/ Routing | The attacker can change routing tables | Unauthorised access
T-12 | Unauthorised access to network and/or services | CNG network elements/ Services and applications | Fraudulent use of CPN resources and services | Unauthorised access
T-13 | Modification of stored information | Network access control | Modification of stored IDs, e.g. allowed MAC addresses, allowing unauthorized access and/or causing DoS for authorized users | Manipulation
T-14 | Modification of call setup information | Session Control | For fraudulent access to services or DoS | Manipulation
T-15 | Modification of routing information | Routing Control | Modification of this information may lead to denial of service attacks or to billing fraud against NGN CSPs as well as against users. | Manipulation
T-16 | Modification of user access authentication data (e.g. for subsequent use) | User Access Control | Denial of service attacks to the user wanting to get access to the environment of the CPN or to the NGN | Manipulation
T-17 | Denial of transmission | CNG | Denial of participation in transmission | Repudiation
T-18 | Denial of data receipt | CNG | Denial of receipt of data | Repudiation
T-19 | Denial of data access | CNG | Denial of access to data | Repudiation
T-20 | Denial of modification of data | CNG | Denial of modification of data | Repudiation

4.7.1 Denial of service

An entity fails to perform its function or prevents other entities from performing their functions. Attack vectors include the use of UDP, ICMP echo, SYN packets and other methods to flood the target with the goal of consuming all of the target's network capacity and other resources including processes, CPU time, disk space, nodes, ports and directories. Alternative and valid attack vectors include the physical removal of resources (e.g. theft of equipment) and the modification of stored information (e.g. user profile, routing information).

Denial of Service on Network Elements

This attack is made by continuously sending data to the CNG network elements so that no more resources are available to the CNDs.

Denial of access to Services

This threat might be a result of the previous one. If the relevant network elements are no longer able to perform a user request the CPN services could not be offered to the users any longer.

4.7.2 Eavesdropping

Eavesdropping is a breach of confidentiality by unauthorized monitoring of communication and may be invoked in a number of ways, including attaching a protocol analyser to any accessible link, illegal use of lawful interception facilities (not applicable in the ToE but may be applicable in the CNG to NGN connection) and illegal activation of optional features/tools (e.g. conference features).

4.7.2.1 Eavesdropping of content of communication

For the connection of CNDs to the CNG using IEEE 802.11 wireless connections the likelihood of eavesdropping is very high with attack tools being widely available on the internet. However the impact depends on the protection given to the link.


Table 8: Attack potential for eavesdropping attack

Factor | Range | Value
Time | ≤1 day | 0
Expertise | Proficient | 2
Knowledge | Public | 0
Opportunity | Easy | 1
Equipment | Standard | 0
Total | | 3 (Basic)

Impact for WiFi links with and without protection:

• No protection, impact = 3, resultant risk = 9

• WEP, impact = 3, resultant risk = 9

• WPA, impact = 2, resultant risk = 6

• WPA-2, impact = 1, resultant risk = 3

The adoption of WPA-2 takes the risk to an acceptable level: whilst there is no impact on the ability of an eavesdropper to intercept the radio transmissions between CND and CNG, the use of link encryption gives the attacker no reasonable means of deriving the content. It is assumed for this analysis that an attacker is aware of the presence of a wireless enabled CNG and is able to get physically close enough to intercept the transmissions (typically within 100 m).
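The risk values in Table 8, in the WiFi list above and in Table 11 all follow the same TVRA arithmetic: the five attack potential factors are summed and mapped to a likelihood value, and the risk factor is likelihood multiplied by impact. The following Python is an added example, not code from the ETSI document. The factor values and impacts are those printed above; the sum-to-rating thresholds (Basic/Moderate/High) and the Minor/Major/Critical bands are assumptions taken from ETSI TS 102 165-1 as the editor recalls them and should be checked against the edition in use.

```python
"""Risk factor calculation in the ETSI TVRA style, applied to Table 8 and the
WiFi impact list.

Added example; this is not code from the ETSI document. The per-factor values
are those printed in Table 8. The sum-to-rating thresholds and the
Minor/Major/Critical bands are ASSUMED to follow ETSI TS 102 165-1 as recalled
by the author of this example; verify them against the edition in use.
"""
from dataclasses import dataclass

# Assumed TVRA mapping from summed attack potential to rating and likelihood:
# (upper bound of the sum, rating name, likelihood value)
RATING_TABLE = (
    (9, "Basic", 3),      # 0..9   -> likely
    (13, "Moderate", 2),  # 10..13 -> possible
    (19, "High", 1),      # 14..19 -> unlikely
)
BEYOND_HIGH = ("Beyond High", 1)


@dataclass(frozen=True)
class AttackPotential:
    """The five TVRA attack potential factors (values as in Table 8)."""
    time: int
    expertise: int
    knowledge: int
    opportunity: int
    equipment: int

    def total(self) -> int:
        return self.time + self.expertise + self.knowledge + self.opportunity + self.equipment

    def rating(self) -> tuple[str, int]:
        """Return (rating name, likelihood value) for the summed potential."""
        s = self.total()
        if s < 0:
            raise ValueError("factor values are non-negative")
        for upper, name, likelihood in RATING_TABLE:
            if s <= upper:
                return name, likelihood
        return BEYOND_HIGH


def risk_factor(likelihood: int, impact: int) -> int:
    """TVRA risk factor: likelihood (1..3) multiplied by impact (1..3)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    return likelihood * impact


def risk_class(risk: int) -> str:
    """Assumed TVRA bands: 1-2 Minor, 3-4 Major, 6-9 Critical."""
    if risk <= 2:
        return "Minor"
    if risk <= 4:
        return "Major"
    return "Critical"


# Table 8: eavesdropping on an IEEE 802.11 link between CND and CNG.
EAVESDROP_WIFI = AttackPotential(time=0, expertise=2, knowledge=0, opportunity=1, equipment=0)

# Impact per link protection level, as listed in the document.
WIFI_IMPACT = {"none": 3, "WEP": 3, "WPA": 2, "WPA-2": 1}


def wifi_risk_table(ap: AttackPotential = EAVESDROP_WIFI) -> dict[str, dict]:
    """Risk per protection level: same likelihood, impact reduced by the link protection."""
    rating, likelihood = ap.rating()
    rows = {}
    for protection, impact in WIFI_IMPACT.items():
        risk = risk_factor(likelihood, impact)
        rows[protection] = {"rating": rating, "likelihood": likelihood,
                            "impact": impact, "risk": risk, "class": risk_class(risk)}
    return rows


if __name__ == "__main__":
    rating, likelihood = EAVESDROP_WIFI.rating()
    print(f"attack potential total {EAVESDROP_WIFI.total()} -> {rating}, likelihood {likelihood}")
    for protection, row in wifi_risk_table().items():
        print(f"{protection:6s} impact {row['impact']} risk {row['risk']} ({row['class']})")
```

Note that the WPA-2 residual risk of 3 falls in the Major band of the assumed classification even though the text above treats it as acceptable; the band is reported for information and the document's own judgement stands. The same `risk_factor` call reproduces every Likelihood/Impact/Risk factor triple in Table 11.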

For wireless connections between CNG and CND based on Bluetooth the likelihood of interception is very high (value=3); the impact is potentially very high too, but is undocumented here as the role of Bluetooth in the CPN is not defined. If Bluetooth is used in like manner to mobile phones, where it is a direct replacement for a trusted wired connection, then all facilities of the trusted connection may be made available to the Bluetooth device, leading to an impact value of 3 and hence a resultant risk of 9.

For wireless connections using DECT the likelihood of interception is very high (value=3). The impact of DECT interception depends on the invocation of the native security capabilities of DECT. If mutual authentication and encryption are enabled with appropriate keys, the impact of interception is low, leading to a low residual risk (value=3).

4.7.2.2 Eavesdropping of network element IDs

Network element IDs may be used by entities to authenticate each other prior to the exchange of data. If attackers learn these IDs, they can use them at a later time to masquerade as a network element; this may be the precursor of other attacks. Many protocols exchange identifying data in the clear, and the level of vulnerability for wireless connections is the same as for eavesdropping of content of communication.

4.7.3 Masquerade

The pretence of an entity to be a different entity.

• Masquerade as legitimate user during the registration process

• Masquerade as network entity during the registration process

• Masquerade as legitimate user during the authentication process

• Masquerade as network entity during the authentication process

• Masquerade as calling party during call setup

• Masquerade as called party during call setup

• Masquerade as non-terminating network entity during call setup

• Masquerade as non-terminating network entity during an active connection


The principal countermeasure to any form of masquerade is authentication of the identity (user or device identity). Both the identity and the credentials used for authentication have to be authoritative within the domain of use, and the authority for the identity recognised as such. In the NGN masquerade is conventionally countered using the IMS Authentication and Key Agreement protocol (IMS-AKA), where an IMS identity and authentication credentials are issued to the end-user by the IMS provider (the authority in this case).

Identifiers in the CPN which may be attacked by masquerade are given in tables 9 and 10.

Table 9: CND Identifiers

Device identifier
   Format: IMEI etc.
   Notes: Hard-coded identifier associated with the specific CND
   Authority: IMEI = Manufacturer; MAC = Manufacturer

CPN User Identifier
   Format: IMS Address
   Notes: Private number only known within the CPN
   Authority: CPN supervisor

CPN User Aliases
   Format: CPN specific
   Notes: Other identifier(s) by which the CPN user can be addressed within the CPN. Could be a short form of 2 or 3 digits, for example
   Authority: CPN supervisor

NGN Directory Number
   Format: IMS Address
   Notes: Optional public address which is used for routing, for example, DDI calls to the user's terminal
   Authority: NGN operator

Table 10: Network Access Identifiers

Access Identifier
   Format: IMEI etc.
   Notes: Hard-coded identifier associated with the specific access point between the CNG and the NGN
   Authority: IMEI = Manufacturer; MAC = Manufacturer

NGN Access Identifier
   Format: IMS address
   Notes: Private number used for routing calls from CPN users to the NGN access point. Only known within the CPN
   Authority: CPN supervisor

NGN Directory Number
   Format: IMS Address
   Notes: Public address of the network access point
   Authority: NGN operator

4.7.4 Unauthorized access

An attacker gains access to a system or application without permission by exploiting system weaknesses or by masquerading as an entity with higher access permission.

4.7.5 Loss of information

The destruction of information which may be stored or in transit along a path of communication.

4.7.6 Corruption of information

The compromise of data integrity by unauthorized insertion, modification or reordering.

NOTE: In principle it is not possible to prevent users from deliberately manipulating data or destroying a database within the scope of the access rights allocated to them. However, if access rights can be circumvented (e.g. due to incorrect administration of the DBMS), then even unauthorized parties can gain access to the database and manipulate the data contained therein.

Modification of Terminal IDs

If this ID were changed it could lead to other attacks such as denial of service, possibly combined with a masquerade attack.


Modification of call setup information

The following are only some examples of attacks that are possible when modifying the call setup information:

• modification of the calling ID could result in masquerade attacks and, further, in billing fraud against the calling party;

• modification of the called ID could result in denial of service attacks against the called party;

• modification of the service number might result in billing fraud against the NGN CSP (e.g. replacing a PRS number with a low rate number).

Modification of routing information

Routing information has to be stored in each domain (e.g. either in the CNG or the NGN). Modification of this information may lead to denial of service attacks or to billing fraud against NGN CSPs as well as against users.

Modification of user access authentication data (e.g. for subsequent use)

The service profile of each user stored in the CNG contains the identification and authentication data. If this data were modified, the result would be a denial of service against the user attempting to access the CPN environment or the NGN.

Modification of data exchanged in the registration process

Before a user is able to place a call he must register with the CPN. Modifying these data could in general lead to other threats such as denial of service, masquerade or fraud attacks.

Modification of content of communication

This threat is considered not very relevant for voice communication, since voice is mostly real-time. One possible case is where a speech recognition device is present and changes the content of communication. Other possible scenarios are communication with a user's digital voice box (voicemail) or the addition of noise leading to a denial of service.

Modification of network element IDs

Each network element must have a domain unique ID so that it can be identified in the CPN.

Modification of service authentication data (i.e. part of content of communication)

An ITSP may provide different kinds of services. For each subscriber of these services, the service profile specifies which services the subscriber is allowed to use and how much the subscriber has to pay for using them.

If these data could be modified, a user might change the entries in his service profile to enable services he is not currently allowed to use, or to change the rates he has to pay for them.

Modification of network element authentication data

Modification of billing data

Should not apply within the CPN

4.7.7 Repudiation

One or more users involved in a communication deny participation by one or more of the following:

• Denial of transmission.

• Denial of data receipt.


• Denial of data access.

• Denial of modification of data.

The level of risk presented by denial of involvement depends on a number of factors. If no audit records are maintained the likelihood of plausible denial is increased, but the impact depends on the value to the wronged party of the supposed infringement. Where log records are maintained the likelihood of plausible denial is reduced, but again the impact to the wronged party depends on the value of the infringement. Where there is no financial element involved, and where the parties in the CPN are mostly trusted, the implementation of legally assured non-repudiation countermeasures may not be necessary. In most cases for CPN networks simple logs of access attempts, both successful and failed, should be maintained and made available for expert interpretation to support analysis of other attacks.
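As an added example of the simple access log recommended here (not code from the ETSI document), the following Python records successful and failed attempts and runs one analysis over them: a burst of failed authentications followed by a success for the same identity, which is the trace a guessed or replayed credential would leave and therefore supports the masquerade analysis of 4.7.3. The record layout, the constructed sample entries and the threshold/window values are assumptions made for illustration.

```python
"""Access-attempt log for a CPN and a first analysis over it, as clause 4.7.7
recommends: keep successful and failed attempts and make them available for
expert interpretation.

Added example, not code from the ETSI document. The record layout, the
constructed sample entries and the "three failures within 60 seconds, then a
success" rule are assumptions made for illustration.
"""
import json
from collections import defaultdict
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class AccessAttempt:
    ts: int          # time of the attempt, in seconds
    identity: str    # claimed CPN user identifier (Table 9)
    source: str      # access point / link the attempt arrived on
    action: str      # "register", "authenticate" or "call_setup"
    outcome: str     # "success" or "failure"
    reason: str = "" # free text for failures, e.g. "bad response"


class AccessLog:
    """Append-only, line-oriented JSON log; one record per attempt."""

    def __init__(self) -> None:
        self._lines: list[str] = []

    def record(self, attempt: AccessAttempt) -> None:
        self._lines.append(json.dumps(asdict(attempt), sort_keys=True))

    def entries(self) -> list[AccessAttempt]:
        return [AccessAttempt(**json.loads(line)) for line in self._lines]


def failure_bursts(entries, threshold: int = 3, window: int = 60) -> dict[str, list[int]]:
    """Identities with at least `threshold` failures inside `window` seconds.
    Returns the timestamps of the first qualifying burst per identity."""
    failures: dict[str, list[int]] = defaultdict(list)
    for e in entries:
        if e.outcome == "failure":
            failures[e.identity].append(e.ts)
    bursts: dict[str, list[int]] = {}
    for identity, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[identity] = times[i:j + 1]
                break
    return bursts


def suspicious_successes(entries, bursts) -> list[AccessAttempt]:
    """Successes that follow a failure burst for the same identity: the pattern a
    guessed or replayed credential would leave (a masquerade precursor, 4.7.3)."""
    out = []
    for e in entries:
        if e.outcome == "success" and e.identity in bursts and e.ts > bursts[e.identity][-1]:
            out.append(e)
    return out


def build_sample_log() -> AccessLog:
    """Constructed entries for the example; not real data."""
    log = AccessLog()
    rows = [
        (100, "2001", "wlan0", "register", "success", ""),
        (300, "2002", "wlan0", "authenticate", "failure", "bad response"),
        (310, "2002", "wlan0", "authenticate", "failure", "bad response"),
        (325, "2002", "wlan0", "authenticate", "failure", "bad response"),
        (340, "2002", "wlan0", "authenticate", "success", ""),
        (500, "2003", "dect0", "authenticate", "failure", "bad response"),
        (900, "2003", "dect0", "authenticate", "failure", "bad response"),
    ]
    for r in rows:
        log.record(AccessAttempt(*r))
    return log


if __name__ == "__main__":
    entries = build_sample_log().entries()
    bursts = failure_bursts(entries)
    for identity, times in bursts.items():
        print(f"identity {identity}: {len(times)} failures within {times[-1] - times[0]} s")
    for e in suspicious_successes(entries, bursts):
        print(f"success after burst: {e.identity} at t={e.ts} from {e.source}")
```

Identity 2003 fails twice, 400 seconds apart, and is not flagged with the default window; widening the window to 600 seconds flags it. The log itself is the asset worth protecting under b.1.8 (unauthorized modification or destruction of management information), since an attacker who can edit it regains plausible denial.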

4.8 Risk factor calculation

It has to be noted that this threat analysis identifies and analyses threats on network elements and reference points from a generic point of view and thus does not reflect possible physical implementations and configurations.

Table 11: Risk factors for CPN ToE

Columns: Attack scenario; Threat reference; Possible occurrence of threats (entities/reference points); Motivation; Likelihood; Impact; Risk factor

Denial of Service

1  Flooding the target for Denial of Service
   Threat reference: T-1
   Occurrence: Network access control, Session Control, Routing (e1', e3' - e1, e3)
   Motivation: Sabotage, attacker satisfaction
   Likelihood 2, Impact 3, Risk factor 6

2  Modifying stored information
   Threat reference: T-13, T-16
   Occurrence: Network Access Control / User Access Control (e1', e3' - e1, e3)
   Motivation: Sabotage, disabling and harming of individual subscribers, attacker satisfaction
   Likelihood 1, Impact 3, Risk factor 3

Eavesdropping

3  Attaching a protocol analyser to any accessible link
   Threat reference: T-3
   Motivation: Espionage, getting information (e.g. prerequisite for masquerade and sabotage), attacker satisfaction

5  Illegal activation of optional features/tools
   Threat reference: T-13, T-3, T-4
   Motivation: Espionage, getting information, attacker satisfaction

Masquerade

6  Hijacking a link after authentication has been performed
   Threat reference: T-8, T-9, T-10
   Motivation: Fraud, harming subscribers, sabotage, getting information, attacker satisfaction
   Likelihood 1, Impact 3, Risk factor 3

7  Using authentication information which has been obtained by eavesdropping
   Threat reference: T-7
   Motivation: Fraud, harming subscribers, sabotage, getting information, attacker satisfaction
   Likelihood 2, Impact 3, Risk factor 6

Unauthorized access

8  Exploiting system weaknesses
   Threat reference: T-1 etc.
   Motivation: Fraud, harming providers, sabotage, getting information, attacker satisfaction
   Likelihood 2, Impact 3, Risk factor 6

9  Masquerading as an entity with higher access permission
   Threat reference: T-11, T-12
   Motivation: Fraud, harming providers, sabotage, getting information, attacker satisfaction
   Likelihood 2, Impact 3, Risk factor 6

Loss of information

10 Deletion of data
   Threat reference: T-13
   Motivation: Sabotage, harming providers and individual subscribers, fraud
   Likelihood 2, Impact 3, Risk factor 6

11 Modification of access rights of other parties
   Threat reference: T-13, T-16
   Motivation: Harming providers and individual subscribers
   Likelihood 2, Impact 3, Risk factor 6

Corruption of information

12 Modifying transmitted information
   Motivation: Sabotage, harming providers and individual subscribers
   Likelihood 1, Impact 3, Risk factor 3

13 Modifying stored information
   Motivation: Sabotage, harming providers and individual subscribers
   Likelihood 2, Impact 3, Risk factor 6

Repudiation

14 Denial of data transmission
   Threat reference: T-17
   Motivation: Fraud, harming providers and subscribers
   Likelihood 3, Impact 3, Risk factor 9

15 Denial of data receipt
   Threat reference: T-18
   Motivation: Fraud, harming providers and subscribers
   Likelihood 3, Impact 3, Risk factor 9

16 Denial of having accessed data in a database
   Threat reference: T-19
   Motivation: Fraud, sabotage
   Likelihood 3, Impact 3, Risk factor 9


5 Countermeasures in the form of detailed requirements

5.1 General measures

Attacks rated as major or critical risk should be protected against by standard measures; operators and service providers of CNGs shall establish a security policy covering these measures and apply it by default in deployed equipment.

5.2 Wireless connection measures (CND to CNG)

Where IEEE 802.11 (WiFi) connection of CNDs to the CNG is provided, mechanisms to protect against interception should be deployed. Because of the inherent weaknesses in WEP and WPA, both should be avoided; WPA-2 (also known as RSN) should be installed and configured as the default.

NOTE: The CNG may act as a key management and distribution centre for CNDs.

For both DECT and Bluetooth connections link encryption should be enabled, and for Bluetooth the user-entered key should be of significant length (i.e. if the link key is derived from the user-entered PIN code, that PIN should exhibit very high entropy).

5.3 Connection measures (CNG to NGN)

In order to insulate itself from the NGN, the CNG should ensure that a security association is established between itself and the NGN providing authentication of the NGN identity and, ideally, differentiated protection of signalling integrity and confidentiality.

NOTE: In this context, "differentiated" implies the ability of having cryptographic separation of messages sent to or received from the NGN if cryptographic protection mechanisms are deployed.

5.4 Anti-masquerade countermeasures

Masquerade is countered by authentication. A prerequisite of authentication is the establishment of an authoritative identity and the credential set that allows the identity to be validated (through authentication). However, authentication by itself does not remove the likelihood of masquerade attempts; in addition, the identity itself should be concealed as much as possible in signalling. This may be achieved either by encrypting the identity (e.g. the ESI scheme defined in EN 300 392-7) or by a temporary identity scheme such as the TMSI used in GSM. Where a protected cache/store of the mapping to the concealed identity is maintained, subsequent transmissions can carry only the concealed identity, minimising exposure and making it more difficult for an attacker to time an attack.

Specific authentication countermeasures fall into one of (at least) three categories:

• Challenge-response countermeasures

- The model used in DECT, TETRA, GSM and others, in which a random challenge is offered and a cryptographic response is calculated from it using a shared secret. The strength of the measure lies in the inability of an attacker to guess the correct response without knowledge of the key; because each challenge is fresh, a response captured by eavesdropping cannot be replayed against a later challenge.

• Signature countermeasure

- Applies to asymmetric (public key) schemes whereby the hash of a document (data package) is signed with the private key of the claimant and verified by checking the signed hash with the public key of the claimant. The strength of the measure relies on the inability of an attacker to derive the private key (for RSA, the private exponent) of the key pair.

• Message Authentication Code countermeasures

- Similar to the signature countermeasure but using a symmetric key shared by claimant and verifier to compute a keyed hash (MAC) over the document; the verifier recomputes the MAC and compares it with the received value. As both parties hold the same key, a MAC authenticates the message to the verifier but, unlike a signature, cannot by itself support non-repudiation (see 4.7.7).
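To make the first and third categories and the temporary identity scheme of 5.4 concrete, the following Python is an added example; it is not code from the ETSI document and does not implement the DECT, TETRA or GSM algorithms. It assumes HMAC-SHA-256 as both the challenge-response function and the MAC, a random token as the temporary identity issued after successful authentication, and constructed keys, identities and messages. The signature category needs a public key library and is not shown.

```python
"""Challenge-response authentication, MAC-protected signalling and a temporary
identity, in the style of the countermeasures listed in clause 5.4.

Added example; this is not code from the ETSI document and does not implement
the DECT, TETRA or GSM algorithms. ASSUMPTIONS: the response function is
HMAC-SHA-256 over the random challenge, the MAC is HMAC-SHA-256, and the
temporary identity is a random token issued after successful authentication.
Keys, identities and messages are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Claimant side: cryptographic response to a challenge using the shared secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Message Authentication Code over a signalling message (symmetric key)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak the tag byte by byte."""
    return hmac.compare_digest(mac_tag(key, message), tag)


class Authenticator:
    """Verifier side (the CNG): holds shared secrets, issues single-use challenges
    and, after success, a temporary identity that conceals the permanent one."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}      # permanent identity -> shared secret
        self._pending: dict[str, bytes] = {}   # permanent identity -> outstanding challenge
        self._temp_ids: dict[str, str] = {}    # temporary identity -> permanent identity (protected store)

    def enrol(self, identity: str, key: bytes) -> None:
        self._keys[identity] = key

    def challenge(self, identity: str) -> bytes:
        """Fresh random challenge; replaces any outstanding one for this identity."""
        rand = secrets.token_bytes(16)
        self._pending[identity] = rand
        return rand

    def verify(self, identity: str, response: bytes) -> Optional[str]:
        """Return a temporary identity on success, None on failure.
        The challenge is consumed whether or not the response is correct."""
        rand = self._pending.pop(identity, None)
        key = self._keys.get(identity)
        if rand is None or key is None:
            return None
        if not hmac.compare_digest(compute_response(key, rand), response):
            return None
        temp_id = "TMP-" + secrets.token_hex(4)
        self._temp_ids[temp_id] = identity
        return temp_id

    def resolve(self, temp_id: str) -> Optional[str]:
        """Map a temporary identity back to the permanent one (verifier side only)."""
        return self._temp_ids.get(temp_id)


def demo() -> dict:
    """Run the legitimate flow and two masquerade attempts; return the outcomes."""
    cng = Authenticator()
    cnd_id, cnd_key = "cnd-0007", secrets.token_bytes(32)   # constructed credentials
    cng.enrol(cnd_id, cnd_key)

    # 1. Legitimate CND authenticates and receives a temporary identity.
    ch1 = cng.challenge(cnd_id)
    resp1 = compute_response(cnd_key, ch1)     # an eavesdropper records ch1 and resp1
    temp_id = cng.verify(cnd_id, resp1)

    # 2. Attacker replays the recorded response against a new challenge (Table 11, row 7).
    cng.challenge(cnd_id)
    replay_ok = cng.verify(cnd_id, resp1) is not None

    # 3. Attacker sends the recorded response again with no outstanding challenge.
    stale_ok = cng.verify(cnd_id, resp1) is not None

    # 4. Later signalling carries only the temporary identity and is MAC protected.
    msg = f"{temp_id}:INVITE sip:201@cpn.example".encode()
    tag = mac_tag(cnd_key, msg)
    tampered = msg.replace(b"201", b"900")     # e.g. an attacker changing the called number
    return {
        "authenticated": temp_id is not None,
        "replay_accepted": replay_ok,
        "stale_accepted": stale_ok,
        "permanent_id_in_signalling": cnd_id.encode() in msg,
        "resolved": cng.resolve(temp_id) == cnd_id if temp_id else False,
        "mac_valid": mac_verify(cnd_key, msg, tag),
        "tampered_mac_valid": mac_verify(cnd_key, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

The two failed attempts in demo() correspond to Table 11 row 7: a response recorded by an eavesdropper is useless against a fresh challenge, and it cannot be replayed once the challenge has been consumed. The MAC check also shows why a MAC alone gives no non-repudiation: the verifier, holding the same key, could have produced the tag itself.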


NOTE: Many pen-test environments allow MAC addresses to be masqueraded (spoofed); a MAC address alone is therefore not a reliable authenticated device identifier (see table 9).


6 CPN TVRA in tabular format

A Security Environment

a.1 Assumptions

a.1.1 The CNG acts on behalf of the CNDs in communicating with the NGN Citation for full text

a.1.2 The CNG is a full NGN terminal with an NGN identity as defined in TS 184 002 []

a.1.3 The CND may be a full NGN terminal with an NGN identity as defined in TS 184 002

a.1.4 The CNG only connects to the NGN by a fixed line connection (i.e. not by a PLMN connection)

a.1.5 The NGN is not configured to distinguish between a CNG and a normal NGN terminal

a.2 Assets

a.2.1 CND – generic customer network equipment Citation for full text

a.2.2 CNG -

a.3 Threat agents

a.3.1 Short text describing threat agent Citation for full text

a.3.2

a.4 Threats

a.4.1 Short text describing threat Citation for full text

a.4.2

a.5 Security policies (OPTIONAL)

a.5.1 Short text describing security policy Citation for full text

a.5.2

B Security Objectives

b.1 Security objectives for the ToE

b.1.1 Information sent to or from a registered user of a CPN should not be revealed to any unauthorized party

Citation for full text

b.1.2 Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized access.

b.1.3 Details relating to the identity and service capabilities of a CPN user should not be revealed to any unauthorized 3rd party within the CPN


b.1.4 Management Information sent to or from a CPN should not be revealed to any unauthorized party

b.1.5 Management Information held within a CPN should be protected from unauthorized access.

b.1.6 Information held within the CNG and CNDs that together constitute a CPN should be protected from unauthorized modification and destruction

b.1.7 Information sent to or from a registered user of a CPN should be protected against unauthorized or malicious modification or manipulation during transmission

b.1.8 Management Information held within a CPN should be protected from unauthorized modification and destruction

b.1.9 Management Information sent to or from a CPN should be protected against unauthorized or malicious modification or manipulation during transmission

b.1.10 Services provided within a CPN should be available only to authorized users of the CPN attached to an access point within the CPN

b.1.11 Access to and the operation of services by authorized CPN users should not be prevented by malicious activity within the CPN

b.1.12 It should not be possible for an unauthorized user to pose as an authorized user when communicating with an application or other user of a CPN

b.1.13 It should not be possible for a CPN to receive and process management and configuration information from an unauthorized user

b.2 Security objectives for the environment

b.2.1 Details relating to the identity and service capabilities of a CPN user should not be revealed to any unauthorized 3rd party within the NGN

Citation for full text

b.2.2 Services provided within a CPN should be available only to authorized users of the CPN attached to an access point within the NGN

b.2.3 Access to and the operation of services by authorized CPN users should not be prevented by malicious activity within the NGN

b.2.4 The owner of a CPN should only be billed for the legitimate use of NGN services by legitimate users of the CPN

C IT Security Requirements

c.1 asset security requirements

c.1.1 asset security functional requirements

c.1.1.1 Short text describing security functional requirement ISO15408 [16] class Citation for full text

c.1.1.2

c.1.2 asset security assurance requirements

c.1.2.1 Short text describing security assurance requirement ISO15408[16] class Citation for full text

c.1.2.2


c.2 Environment security requirements (OPTIONAL)

c.2.1 Short text describing security environment requirement ISO15408[16] class Citation for full text

c.2.2

D Application notes (OPTIONAL)

E Rationale

The eTVRA should define the full rationale; where it does, only a citation (reference) to the full text is required.
