ITU News magazine
NETWORK SECURITY – STANDARDIZATION



Security standards

A critical component of our telecommunication and information systems

The ITU Telecommunication Standardization Sector (ITU–T) holds regular workshops on subjects of great interest in order to foster the development of standards that meet market needs. Network security was the topic of a recent workshop held in Seoul on 13 and 14 May 2002, at the invitation of the Government of the Republic of Korea. These dates were agreed upon to take advantage of related events also staged in Seoul in the month of May, namely: the Security World Expo 2002 Exhibition and the ITU Strategic Planning Workshop on “Creating Trust in Critical Network Infrastructures”.

Security standards have become a critical component of our telecommunication and information systems. Recognizing this, the Telecommunication Standardization Advisory Group (TSAG) requested ITU–T Study Group 17 in March 2001 to organize a technical workshop on network security. Study Group 17 is the lead Study Group for communication systems security. TSAG also requested all ITU–T Study Groups to consider their contribution or participation in the workshop to allow the Sector to take a more active and visible role in global standardization in the area of security of networks and services.

ITU–T Study Group 17: leading the way

Study Group 17 is the Lead Study Group for communication systems security (LSG CSS). Its activities can be classified into two categories. The first category comprises core activities centred around defining and maintaining overall security frameworks. The second encompasses project management activities involving the coordination, assignment and setting of priorities for initiatives that would lead to the timely development of communication system security Recommendations. Herbert Bertine of Lucent Technologies and Amardeo Sarma of NEC Europe Ltd are the co-Chairmen of Study Group 17.
LSG CSS works closely with other study groups to identify and develop security solutions. There are no plans for LSG CSS to have a role in developing specific cryptographic algorithms, registering these algorithms (ISO performs the registration function effectively now), or in certifying the security of specific systems.

Question 10/17 – Security services, mechanisms and protocols

Activities being carried out at present under this Question relate to communication systems security, security management, mobile security and telebiometrics.
Hiroyuki Ohno (Japan) is the Rapporteur for Question 10/17 for the period 2001–2004. He is also the coordinator for LSG CSS activities.

The Compendia

Based on information requested and received from all ITU Study Groups concerning security activities, LSG CSS compiles and produces two publications, namely:

  • Catalogue of ITU–T Recommendations related to communication systems security.

  • Compendium of ITU–T approved security definitions. This is a listing that will continue to be developed with a view to establishing a common understanding, and use, of security terms within ITU–T (see http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html).

In his welcome address, Kim Chang-Kon, Assistant Minister for Informatization Planning in the Republic of Korea’s Ministry of Information and Communication declared: “A growing number of computer attacks such as hacking and viruses are being perpetrated by people who fully take advantage of the openness and anonymity of the Internet. And the resulting damages are spreading the world over within a short period of time. In order to tackle such information infringement incidents, all nations have to cooperate on the development of technologies.”

Houlin Zhao, Director of the Telecommunication Standardization Bureau (TSB) had this to say: “With our increasing dependence on computer networks, the importance of network security cannot be overemphasized. We are in a crucial phase and are required to review all of our technical and societal systems from the aspect of security. To join the world efforts in addressing security, ITU–T is contributing by providing to the public its technical knowledge and its perception on security.”

The workshop was open to non-ITU Members, and attracted some 143 experts and participants from ITU–T Study Groups and other standards development organizations (SDO), such as the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), 3GPP2, OASIS, the Internet Engineering Task Force (IETF) and the academic community.

High on the workshop programme were five technical sessions covering security requirements and telecommunication reliability, hot topics on IP-based network security, security management, biometric authentication and mobile security technologies. All presentations are available at http://www.itu.int/ITU-T/worksem/security. The workshop's strong attendance was in no small part thanks to the Vice-Chairman of Study Group 17, Byoung-Moon Chin from the Republic of Korea, who made an outstanding effort in organizing local support for the event.

ITU–T Study Group 2

At the end of November 2001, the Telecommunication Standardization Advisory Group requested that Study Group 2 start work on a requirements document on telecommunications reliability and security as a basis for the development of the necessary technical standards in ITU–T. Picking up this challenge rapidly, the study group appointed Luis Cardoso of CPRM Marconi (Portugal) as Security Coordinator and commenced work on two new draft Recommendations:

  • ITU–T Rec. E.sec1: “Telecommunication networks security requirements” provides an overview and framework that identifies security threats to telecommunication networks in general (both fixed and mobile; both voice and data) and gives guidance for planning countermeasures that can be taken to mitigate the risks arising from those threats. It proposes a six-layer security architecture, defines the objectives that each layer is designed to achieve, and maps the security layers to the OSI seven-layer model.

  • ITU–T Rec. E.sec.2: “Incident Organisation and Security Incident Handling (Guidelines)”. The purpose of this Recommendation is to analyse, structure and suggest a method for establishing an incident management organisation, focusing on the flow and structure of an incident. The flow and the handling help determine whether an event is to be classified as an event, an incident, a security incident or a crisis. The flow also covers the critical first decisions that have to be made.

Full draft texts of these Recommendations are already available and have been accepted as the basis for further work by Study Group 2. In addition, a significant amount of work related to telecommunications security, reliability as well as handling emergency situations takes place in the Network Management Development Group and the Quality of Service Development Group. Some of this work may take the form of future Recommendations.

Quality of Service Development Group (QSDG)

The QSDG — a field trial group related to ITU–T Study Group 2 — recently met in Washington. One of the hot topics of QSDG’s work is network security. The interworking of GSM mobile signalling on the signalling links used for fixed networks was discussed. In addition the issue of privacy in wireless LAN technologies was reviewed.

Security requirements and telecommunication reliability

This session focused on security issues and requirements in four areas:

  • network reliability;

  • protocol vulnerabilities;

  • emergency telecommunication services;

  • e-commerce.

Chidung Lac of France Telecom R&D focused on network reliability, highlighting the difference between safety (due to natural disaster, for example) and security (due to man-made events). Several protection and restoration mechanisms for network reliability were explored.

Photo caption: When disaster strikes, efficient communications can make the difference between life and death…

Greg Shannon, Security Standards Manager at Lucent Technologies (United States), remarked that “standards development bodies have a unique ability and responsibility to address security vulnerabilities in protocols.” He went on to define a security vulnerability as a flaw or weakness in a system’s design, implementation or operation that can be exploited to violate that very system’s own security. Mr Shannon’s presentation further explained that “a security vulnerability is not: a risk, a threat, or an attack. A security vulnerability combined with a security threat, creates a security risk. And hence, vulnerability combined with threat equals risk.” He also noted that while threats change over time, security vulnerabilities may well last for the lifetime of a protocol.

A number of recommendations were made to standards development bodies for consideration when developing protocols. These include: promoting open security discussions, providing protocol security guidelines to all protocol authors and identifying root causes of vulnerabilities.

Harold Folts, Senior Systems Engineer at the National Communications System (NCS) (United States), focused on “Emergency Telecommunication Service (ETS) Standards Initiatives”. His presentation highlighted the role of telecommunication services in supporting recovery operations. It stressed the importance for authorized users, such as medical services, fire brigades or government and industry recovery teams, of getting priority access to telecommunications from public networks, especially early in a recovery operation. Serious disasters can happen at any time, anywhere. Telecommunication resources are often stretched to the limit, with damaged infrastructure and very high traffic loads during times of disaster, for example, earthquakes, hurricanes, floods, fires, volcanic eruptions or terrorist attacks. Initial recovery response teams need telecommunication support to organize and coordinate recovery resources immediately. Response teams must depend on readily available public telecommunication resources — Internet, cellular or the plain old telephone service (POTS).



In-Seop Lee of Korea Telecom underscored two trends that make network security a matter of increasing importance and vital interest. “Firstly, the explosive growth in computer systems and their interconnection via networks has increased the dependence of organizations and individuals alike on the information stored and communicated using these systems. This, in turn, has led to a heightened awareness of the need to protect data and resources from disclosure, guarantee the authenticity of data and messages and protect systems from network-based attacks,” he said. Secondly, cryptography and network security have evolved considerably, leading to the development of practical, readily available applications to enforce network security. He then reviewed the various security mechanisms to counter threats. Six layers of network security were noted: security auditing, security tools, software, monitoring, physical security and network administration. Secure e-commerce was taken as an example by examining security and trust as part of a risk-management strategy.

Hot topics on IP-based network security

Professor Suguru Yamaguchi of the Nara Institute of Science and Technology (Japan) provided some statistics on security incidents observed recently (port scanning and probing, intrusion or break-in, and denial of service) and identified some reasons for attacks (poor design and implementation of operating systems and of security-conscious protocols, and low focus on eliminating security loopholes). More work is required on network security, and this should involve industry (technology development and engineering), telecommunication operators, regulators, policy-makers and the insurance sector. The importance of disseminating information on security threats was stressed, and Computer Security Incident Response Teams (CSIRTs) were cited as important actors in this context.

Dong-il Seo of ETRI (Republic of Korea) introduced a major study item related to trace-back technology, which concerns systems for locating hackers. It is generally considered that automatic trace-back of a hacker on the Internet is too difficult because of the anonymity of the Internet and the possibility of attacking through several intermediate hosts. To date, therefore, the most common form of trace-back is carried out by experts through log analysis. He went on to describe two variants of trace-back systems: IP packet trace-back (used to find the real location of the hacker who is sending packets with a spoofed source IP address), and connection chain trace-back (used to find the real location of the hacker who attacks the victim via several intermediate hosts). Several trace-back techniques may be used, and new systems are under consideration to develop a quick and accurate real-time trace-back system, which is urgently needed.
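The log-based connection chain trace-back described above, as an added illustration that is not part of the workshop material or any ETRI system: it walks backwards from the victim through constructed login records, one stepping stone at a time. It assumes every host's authentication log is available to the analyst, that host clocks are synchronized, and that the IP-to-host mapping is known; the constructed hosts, addresses and timestamps are placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the ITU page): each entry is an accepted
# interactive login recorded on the named host, as (host, epoch_seconds,
# source_ip). In practice these come from each host's authentication log.
LOGINS = [
    ("victim", 1000, "10.0.3.7"),      # stepping stone C -> victim
    ("hop-c", 940, "10.0.2.5"),        # stepping stone B -> C
    ("hop-b", 880, "10.0.1.9"),        # stepping stone A -> B
    ("hop-a", 850, "203.0.113.5"),     # external address -> A (origin as far as we can see)
    ("hop-b", 300, "10.0.9.1"),        # unrelated, much earlier login on B
    ("hop-c", 1200, "10.0.8.8"),       # unrelated, later than the chain
]

# Constructed mapping from IP address to the host whose logs we hold. An IP
# absent from this map is outside our visibility, so the trace stops there.
IP_TO_HOST = {"10.0.3.7": "hop-c", "10.0.2.5": "hop-b", "10.0.1.9": "hop-a"}


def trace_connection_chain(victim: str, attack_time: int,
                           logins: List[Tuple[str, int, str]],
                           ip_to_host: Dict[str, str],
                           window: int = 120) -> Tuple[List[str], str]:
    """Walk backwards from the victim through the stepping stones.

    At each host we take the most recent accepted login that occurred within
    `window` seconds before the outbound hop we are explaining; its source is
    the previous link in the chain. Returns (chain, reason the trace stopped),
    victim first, ending at the last link we could attribute.
    """
    chain = [victim]
    seen = {victim}
    host, deadline = victim, attack_time
    while True:
        # Inbound logins on this host that could have driven the next hop.
        candidates = [(t, src) for h, t, src in logins
                      if h == host and deadline - window <= t <= deadline]
        if not candidates:
            return chain, "no inbound login on %s within window" % host
        t, src = max(candidates)          # latest login before the deadline
        prev: Optional[str] = ip_to_host.get(src)
        if prev is None:
            # We can name the address but hold no logs for it: end of visibility.
            return chain + [src], "source %s is outside our log visibility" % src
        if prev in seen:
            return chain, "loop detected at %s" % prev
        chain.append(prev)
        seen.add(prev)
        host, deadline = prev, t          # continue from the earlier link


if __name__ == "__main__":
    print(trace_connection_chain("victim", 1010, LOGINS, IP_TO_HOST))
```

The time window and the "latest login" heuristic are the analyst's judgement calls; a wrong window, unsynchronized clocks or a missing log silently truncates the chain, which is why the function also returns why it stopped.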

Pierre-André Probst, Chairman of ITU–T Study Group 16 presented the multimedia security studies within this Study Group. Main achievements and new projects were described. Multimedia security covers the security needs of multimedia applications such as audio/video conferencing, Internet protocol-based telephony and collaborative data conferencing. Some of the nuts and bolts of IP telephony are being hammered out in Study Group 16, where one of the success stories has been the ITU–T Recommendation H.323 suite of protocols — recognized as a global standard for IP telephony. Another recent achievement is Recommendation H.235 Annex F, which describes a security scheme for Voice-over-IP (VoIP) carriers that deploy public-key based security infrastructures in electronic commerce-enabled environments.

Here, subscribers and H.323-based network entities alike authenticate initially with their digital certificate and prove their identity by applying digital PKI-based signatures. Once authentication has been achieved and permission granted, subscribers can make secure VoIP calls.

Semyon Mizikovsky of Lucent Technologies (United States) described one of the current security activities in the Internet Engineering Task Force aimed at supporting the mobile IP architecture, including combined mutual authentication and session key generation protocols for Mobile Nodes (MN) suitable for use at layer 2 in 802.1X networks (such as 802.11 wireless local area networks — LANs).

Information security management

Professor Jungduk Kim of the Chung-Ang University (Republic of Korea) shared his views on future standardization topics in the area of information security management. Since information security has long ceased to be considered purely as a technical issue, and has instead become more of a management issue in any organization, there are many aspects to be standardized in the information security management field. In the presentation, the functions and processes of information security management were introduced to show the areas that are covered in the standardization activities including the International Organization for Standardization and various national bodies.


Among the many issues not addressed in standardization efforts, three topics were given priority: information security metrics management, incident cost analysis and return on security investment. The rationale to cover these topics in future standardization efforts was also discussed.

Ted Humphreys of ISO/IEC/JTC 1/SC 27 focused on the ISO/IEC 17799 International Standard. The standard was introduced as the best practice for information security management: a risk-based approach for defining policy and procedures and for selecting appropriate controls to manage risk.

Professor David Chadwick, Information Systems Security, University of Salford (United Kingdom), made a presentation on privilege management infrastructure (PMI). The fourth edition of ITU–T Recommendation X.509, adopted in 2000, is the first to standardize the components of privilege management infrastructures. This complements X.509’s position as the foremost standard for public key infrastructures (PKI). PMIs provide a distributed, highly secure way of managing authorization tokens (called attribute certificates), in the same way that PKIs provide an infrastructure for managing public key certificates as authentication tokens. The presentation introduced delegates to the components and concepts of PMIs as described in X.509 (2000).


Biometric authentication

Professor Naohisa Komatsu of Waseda University (Japan) discussed trends of biometrics standardization, especially in the United States and Japan. Phil Griffin of the OASIS Security Technical Committee (United States) spoke on biometric information management for security. Both speakers referred to the relationship between privacy and biometrics, a very hot topic not only for biometric authentication but also for the whole information security area.

Professor Tsutomu Matsumoto of Yokohama National University (Japan) pointed out the vulnerability of fingerprint authentication technology. Although impressive, biometric authentication is not perfect because of certain vulnerabilities that exist in almost every system. More secure systems can be developed by combining biometric authentication with other authentication mechanisms. There are more than six billion people in the world today. As Paul Gérôme, an expert in Security Models in Study Group 17 put it, “the aim is to have over six billion safe and secure biometrically authenticated natural systems interconnected by secured open networks and terminals”.

Generally, biometric authentication systems have a user-friendly interface in the sense that the end-user does not have to remember special keywords, difficult theories or methods.


Mobile security

Krishna Kumar Sirohi, Vice-Chairman of the ITU–T Special Study Group (SSG) on IMT-2000 and beyond, gave a brief description of SSG activities. His presentation included details on security aspects for mobile networks with respect to the scope of Question 3/SSG, which covers the identification of existing and evolving IMT-2000 systems. Security requirements and the envisaged architecture for IMT-2000 and systems beyond, with regard to core networks, were also discussed.

Frank Quick, Chairman of 3GPP2 TSG-S WG4 (Security), introduced the cdma2000 specifications developed by 3GPP2 which support a variety of wireless services using both voice and data. The security features of the cdma2000 system protect service providers against fraud and protect the privacy of system users. Current cdma2000 security features and future enhancements were discussed, including the system architecture and the regulatory environment in which these features operate.


DaeHun Nyang of the Information Security Technology Division at ETRI (Republic of Korea) presented ETRI’s design experience in WAP Identity Module (WIM), expected to be a very versatile device for secure M-commerce. WIM cooperates with wireless transport layer security (WTLS) to authenticate participating parties and to provide confidentiality of network traffic. To achieve this purpose, various standards including wireless public key infrastructure (WPKI), X.509, ISO 7816 and PKCS#15 are supported in the WIM card.

ETRI’s WIM implementation is designed with a strict layering approach, which separates the transport layer protocol and the application protocol from the overall structure. This layered approach helps developers easily upgrade the internal software modules.

The presentation also showed how the mobile terminal interacts with the WIM card at the device driver level. Although smart cards with public-key cryptography do not yet have many applications in the Republic of Korea, their use is growing gradually with the increase of M-commerce.


Copyright © ITU 2010 All Rights Reserved
Updated: 2002-07-30