Slide 1: ITU-T Activities on Security
Greg Jones, ITU Telecommunication Standardization Sector (ITU-T)
Slide 2: ITU-T Study Groups
- SG 2: Operational aspects of service provision, networks and performance
- SG 3: Tariff and accounting principles including related telecommunications economic and policy issues
- SG 4: Telecommunication management, including TMN
- SG 5: Protection against electromagnetic environment effects
- SG 6: Outside plant
- SG 9: Integrated broadband cable networks and television and sound transmission
- SG 11: Signalling requirements and protocols
- SG 12: End-to-end transmission performance of networks and terminals
- SG 13: Multi-protocol and IP-based networks and their internetworking
- SG 15: Optical and other transport networks
- SG 16: Multimedia services, systems and terminals
- SG 17: Data networks and software for telecommunication
- SSG: Special Study Group "IMT-2000 and beyond"
- TSAG: Telecommunication Standardization Advisory Group

Coordination role and focus: SG 17 (Data networks and software for telecommunication).
Covered: SG 2 (Operational aspects of service provision, networks and performance), SG 9 (Integrated broadband cable networks and television and sound transmission), SG 13 (Multi-protocol and IP-based networks and their internetworking), SG 16 (Multimedia services, systems and terminals).
No time: SG 4 (Telecommunication management, including TMN), SG 5 (Protection against electromagnetic environment effects), SG 6 (Outside plant), SSG (Special Study Group "IMT-2000 and beyond").

25 July 2002
Slide 3: Lead Study Groups
- SG 2: Service definition, numbering and routing
- SG 4: TMN
- SG 9: Integrated broadband cable and television networks
- SG 11: Intelligent networks
- SG 12: Quality of Service and performance
- SG 13: IP related matters, B-ISDN, Global Information Infrastructure and satellite matters
- SG 15: Access network transport and optical technology
- SG 16: Multimedia services, systems and terminals, and e-business and e-commerce
- SG 17: Communication system security, frame relay, languages and description techniques
- SSG: IMT-2000 and beyond, and mobility

SG 17 is designated the Lead Study Group (LSG) for Communication Systems Security (CSS).
Slide 4: Communication system security
- WTSA & TSAG: request to all study groups to coordinate on telecommunication reliability and security
- SG 17: coordination of ITU-T security studies; X.509, X.842, X.843
- SG 16: multimedia services; ETS, Emergency Telecommunication Services
- SG 13: network reliability; network requirements and capabilities to support emergency services
- SG 2: service aspects; security requirements and incident handling

According to Resolution 1 of the World Telecommunication Standardization Assembly (WTSA-2000), LSGs are responsible for the study of the appropriate core Questions. In addition, in consultation with the relevant Study Groups and in collaboration, where appropriate, with other standards bodies, the LSGs have the responsibility to define and maintain the overall framework and to coordinate the studies to be done by other Study Groups. Activities of the LSG CSS may be categorized as core activities, centred on defining and maintaining overall security frameworks, and project management activities involving the coordination, assignment and prioritization of efforts that would lead to timely communication system security Recommendations. The LSG CSS works closely with other Study Groups to identify and develop security solutions. However, the specific expertise needed to integrate these solutions with the technology under development can come only from the Question carrying out that development. It is not planned that the LSG CSS will have a role in developing specific cryptographic algorithms, in registering cryptographic algorithms (ISO performs the registration function effectively now), or in certifying the security of specific systems.
Slide 5: ITU-T SG 17 security focus
- Authentication (X.509/X.842/X.843): Public Key Infrastructure
- Security Management: risk assessment, identification of assets and implementation characteristics
- Telebiometrics: telebiometric methods, devices and solutions for security purposes
- Mobile Security: for low power, small memory size and small display devices

Security:
- Authentication: to know who is accessing your data
- Privacy: to protect your data from intrusion
- Encryption: to secure the data from misuse or abuse
- Biometrics: 'what you are' replaces 'what you know' (items such as PIN numbers) and augments 'what you have' (forms of identification, such as cards)

- X.509: Public-key and attribute certificate frameworks
- X.842: Guidelines for the use and management of Trusted Third Party services
- X.843: Specification of TTP services to support the application of digital signatures

Recommendation X.509, Information technology - The Directory: Public-key and attribute certificate frameworks (approved). This Recommendation defines a framework for public-key certificates and attribute certificates. These frameworks may be used to profile application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation defines a framework for the provision of authentication services by the Directory to its users. It describes two levels of authentication: simple authentication, using a password as verification of a claimed identity; and strong authentication, involving credentials formed using cryptographic techniques.

X.842, Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services (Q13/7). This Recommendation provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. This Recommendation identifies different major categories of TTP services including time stamping, non-repudiation, key management, certificate management, and electronic notary public.

X.843, Information technology – Security techniques – Specification of TTP services to support the application of digital signatures. This Recommendation defines the services required to support the application of digital signatures for non-repudiation of creation of a document. Since this implies integrity of the document and authenticity of the creator, the services described can also be combined to implement integrity and authenticity services.
Slide 6: Key studies in ITU-T SG 16 Question G - "Multimedia Security"
- Secure H.323-based IP Telephony: H.235 and associated security profiles
- H.248 Media Gateway Decomposition Security
- Secure H.320 Audio/Video and T.120 Data Conferencing
- Emergency Telecommunications Services: proposed new Question on ETS

The ETS is an extension of the International Emergency Preference Scheme (IEPS) of ITU-T Rec. E.106 and includes additional provisions for multimedia services through a packet-based telecommunications environment. Efforts are under way in national standards bodies and international organizations to identify, establish and apply a comprehensive family of ETS standards for new packet-based networks. The purpose of the Emergency Telecommunications Service (ETS) is to facilitate emergency recovery operations for restoring the community infrastructure and returning the population to normal living conditions after serious disasters and events such as floods, earthquakes, hurricanes and terrorist attacks. The ETS will be provided through shared resources from the public telecommunications infrastructure, which is evolving from the basic circuit-switched configuration of today's conventional telephone networks to an Internet-based, packet-switched technology providing a richness of communication capabilities.
Slide 7: Key studies in ITU-T SG 9
- IPCablecom project: interactive services over cable TV networks using the IP protocol
- ITU-T Rec. J.170: IPCablecom security specification
- Types of threat in IPCablecom: network attacks, theft of service, eavesdropping, denial of service

Recommendation J.170, IPCablecom security specification. This Recommendation defines the security architecture, protocols, algorithms, associated functional requirements and any technological requirements that can provide for the security of the system for the IPCablecom network. Authentication, access control, message and bearer content integrity, confidentiality and non-repudiation security services must be provided as defined herein for each of the network element interfaces.
Slide 8: Other studies in SG 2 and SG 13
- Draft new ITU-T Rec. E.sec.1 (SG 2): Telecommunication networks security requirements
- Draft new ITU-T Rec. E.sec.2 (SG 2): Incident Organization and Security Incident Handling (Guidelines); guidelines on threats and countermeasures
- Draft new ITU-T Rec. Y.roec (SG 13): Network reliability

Draft new E.sec.1 – Telecommunication networks security requirements. This Recommendation provides an overview and framework that identifies security threats to telecommunication networks in general (both fixed and mobile; both voice and data) and gives guidance for planning countermeasures that can be taken to mitigate the risks arising from the threats.

Draft new E.sec.2 – Incident Organisation and Security Incident Handling (Guidelines). The purpose of this Recommendation is to analyse, structure and suggest a method for establishing an incident management organisation, focused on the flow and structure of an incident. The flow and the handling are useful in determining whether an event is to be classified as an event, an incident, a security incident or a crisis. The flow also covers the critical first decisions that have to be made.

In the wake of the heavily increased use of computers in society follows computer crime. Over the last years computer crime has literally exploded, which is confirmed by several international and national surveys. In the majority of countries there are no exact figures on the number of computer intrusions or incidents. Most organisations or companies do not have any organisation for handling IT security incidents. When an IT security incident occurs it is handled ad hoc, i.e. the person who detects it has to take responsibility and handle it as best he or she can. In some organisations there is a tendency to forget and cover up IT security incidents, as they may affect production, availability and revenues. Often, when an IT security incident is detected, the person who detects it does not know whom to report it to. Within the computer field this leads to the system or network administrator issuing a workaround or quick fix just to get rid of the problem; they do not have the time to correct the system so that the IT security incident does not recur. These are the main reasons why a trained unit or group is needed that can handle security incidents in a prompt and correct manner.

When reporting or handling an incident, the use of differing taxonomies leads to misunderstanding. This may, in turn, mean that an IT security incident gets neither the proper attention nor the prompt handling needed to stop, contain and prevent the incident from recurring, which may have serious consequences for the affected organisation (the victim). To succeed in incident handling and incident reporting one must understand how incidents are detected, handled and resolved. By establishing a general structure for incidents (i.e. physical, administrative or organisational, and logical incidents) it is possible to obtain a general picture of the structure and flow of an incident. A uniform terminology is the basis for a common understanding of words and terms.
Slide 9: Special Projects
- IMT-2000 Network Aspects (SSG)
- Call Back (SG 3)
- Accounting Rate Reform (SG 3)
- TMN (SG 4)
- IPCablecom (SG 9)
- Quality of service and performance (SG 12)
- IP (SG 13)
- Global Information Infrastructure (SG 13)
- Access Networks (SG 15)
- Optical Networks (SG 15)
- Mediacom 2004 (SG 16)
- JVT – Joint Video Team (SG 16)
- E-commerce and E-business (SG 16)
- ASN.1 & Language coordination (SG 17)
- Communication system security (SG 17)
Slide 10: Key products
- Catalogue of ITU-T security Recommendations: itu.int/itudoc/itu-t/com17/activity/cat003_ww9.doc
- Compendium of security terms: itu.int/itudoc/itu-t/com17/activity/def003.html

A new canonical form of the XML Encoding Rules (X.693?) was created to support cryptographic enhancements (encryption, digital signature) of ASN.1 values formatted as XML markup. Note also that these new ASN.1 XML encodings provide an XML markup representation for every value of every ASN.1 type, including those defined in X.509 such as digital certificates and distinguished names. You might carry this notion over into slide 14, as XER encodings of attribute certificates can be used to easily display attribute values and, in the future, allow applications and systems that are not ASN.1 aware to benefit from ASN.1 based technologies.
Slide 11: Security definitions
itu.int/ITU-T/studygroups/com17/cssecurity.html

Example: definitions of "public key"
- 3.3.43/X.509: (In a public key cryptosystem) that key of a user's key pair which is publicly known.
- 3.3.11/X.810: A key that is used with an asymmetric cryptographic algorithm and that can be made publicly available.

Authentication
1) The process of corroborating an identity. Note: see principal and verifier, and the two distinguished forms of authentication (data origin authentication and entity authentication). Authentication can be unilateral or mutual. Unilateral authentication provides assurance of the identity of only one principal. Mutual authentication provides assurance of the identities of both principals. [Int., 5.1, 5.2.4/X.811]
2) The provision of assurance of the claimed identity of an entity. [3.3/X.811]
3) See data origin authentication and peer entity authentication. Note: in Rec. X.800 the term "authentication" is not used in connection with data integrity; the term "data integrity" is used instead. [3.3.7/X.800]
Slide 12: Recommendations related to communication systems security
itu.int/ITU-T/studygroups/com17/cssecurity.html

Example: ITU-T Rec. X.509, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks (03/00, version 4). This Recommendation defines a framework for public-key certificates and attribute certificates... Uses Abstract Syntax Notation One (ASN.1).

- X.400 – Message handling
- X.500 – The Directory
- X.800 – Open systems security
- T.36 – Secure G3 facsimile
- J.170 – IPCablecom security specification
- M.3016 – Security requirements for TMN
- M.3210 – Security Management for IMT-2000

X.509 (approved)
- Information technology - Open Systems Interconnection - The Directory: Authentication framework (1993 edition, version 2)
- Information technology - Open Systems Interconnection - The Directory: Authentication framework (1997 edition, version 3)
- Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks (03/00, version 4)
This Recommendation defines a framework for public-key certificates and attribute certificates. These frameworks may be used to profile application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation defines a framework for the provision of authentication services by the Directory to its users. It describes two levels of authentication: simple authentication, using a password as verification of a claimed identity; and strong authentication, involving credentials formed using cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services.

X.842 (Q13/7), Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services. This Recommendation provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. This Recommendation identifies different major categories of TTP services including time stamping, non-repudiation, key management, certificate management, and electronic notary public.

X.843, Information technology – Security techniques – Specification of TTP services to support the application of digital signatures. This Recommendation defines the services required to support the application of digital signatures for non-repudiation of creation of a document. Since this implies integrity of the document and authenticity of the creator, the services described can also be combined to implement integrity and authenticity services.

T.36 (SG 16), Security capabilities for use with Group 3 facsimile terminals. This Recommendation defines the two independent technical solutions which may be used in the context of secure facsimile transmission. The two technical solutions are based upon the HKM/HFX40 algorithms and the RSA algorithm.

J.170 (J.sec, SG 9), Draft IPCablecom security specification. This Recommendation defines the security architecture, protocols, algorithms, associated functional requirements and any technological requirements that can provide for the security of the system for the IPCablecom network. Authentication, access control, message and bearer content integrity, confidentiality and non-repudiation security services must be provided as defined herein for each of the network element interfaces.

M.3016 (SG 4), Overview of TMN Security. This Recommendation (previously M.3sec) provides a general overview and a tutorial of the security needs of the TMN.

M.3210, Security Management for IMT-2000 (M.IMTSEC). This Recommendation is one of the series of TMN Management Service Recommendations that provide descriptions of management services, goals and context for management aspects of IMT-2000 networks. This Recommendation describes a subset of Security Management services to provide requirements and analysis of security management and a profile for fraud management. The emphasis is on the X interface between two service providers and the management services needed between the two to detect and prevent fraud by operating the Fraud Information Gathering System (FIGS) as a means to monitor a defined set of subscriber activities, to limit their financial exposure to large unpaid bills produced on subscriber accounts whilst the subscriber is roaming.

X.400/F.400 (Q11/7), Message handling system and service overview. This Recommendation defines Message Handling System (MHS) elements of service for User Agent (UA)-to-UA, Message Transfer Agent (MTA)-to-MTA, UA-to-MTA, and UA-to-Message Store (MS) security services of confidentiality, integrity, authentication, non-repudiation and access control identified as relevant to the Application Layer.

X.800, Security architecture for Open Systems Interconnection for CCITT applications. This Recommendation defines the general security-related architectural elements which can be applied appropriately in the circumstances for which protection of communication between open systems is required. It establishes, within the framework of the Reference Model, guidelines and constraints to improve existing Recommendations or to develop new Recommendations in the context of OSI, in order to allow secure communications and thus provide a consistent approach to security in OSI. This Recommendation extends the Reference Model to cover security aspects which are general architectural elements of communications protocols but are not discussed in the Reference Model. This Recommendation provides a general description of security services and related mechanisms which may be provided by the Reference Model, and defines the positions within the Reference Model where the services and mechanisms may be provided.
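The slide contrasts X.509 simple (password) authentication with strong authentication based on cryptographic credentials. As an added illustration that is not part of the presentation or of any ITU-T text, the Go program below models the one-way strong authentication token A{tA, rA, B} that X.509 defines (timestamp, random number and recipient name, signed by the sender) together with the checks the recipient B applies; the ECDSA key type, the nonce cache and the names "A"/"B" are assumptions of this example, and sgnData and the optional encrypted field of the real token are omitted.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

type Token struct { // signed part of the X.509 one-way authentication token A{tA, rA, B}
	Sender    string
	Timestamp int64    // tA, Unix seconds
	Nonce     [16]byte // rA, random number
	Recipient string   // B, intended recipient
	Sig       []byte   // A's ECDSA signature over the fields above
}
func digest(t Token) []byte { // binds all fields so none can be swapped after signing
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00%x\x00%s", t.Sender, t.Timestamp, t.Nonce, t.Recipient)
	return h.Sum(nil)
}

// MakeToken is A's side: build the token for B and sign it with A's private key.
func MakeToken(priv *ecdsa.PrivateKey, sender, recipient string, now time.Time) (Token, error) {
	t := Token{Sender: sender, Timestamp: now.Unix(), Recipient: recipient}
	if _, err := rand.Read(t.Nonce[:]); err != nil {
		return Token{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(t))
	if err != nil {
		return Token{}, err
	}
	t.Sig = sig
	return t, nil
}

// Verifier is B. Seen must be an initialised map; it records accepted nonces.
type Verifier struct {
	Name string
	Skew time.Duration // accepted clock difference for tA
	Seen map[[16]byte]bool
}

// Verify runs B's checks: addressed to B, fresh, unseen, validly signed by A.
func (v *Verifier) Verify(pub *ecdsa.PublicKey, t Token, now time.Time) error {
	if t.Recipient != v.Name {
		return errors.New("token addressed to another principal")
	}
	if age := now.Sub(time.Unix(t.Timestamp, 0)); age > v.Skew || age < -v.Skew {
		return errors.New("timestamp outside acceptance window")
	}
	if v.Seen[t.Nonce] {
		return errors.New("replayed token")
	}
	if !ecdsa.VerifyASN1(pub, digest(t), t.Sig) {
		return errors.New("bad signature")
	}
	v.Seen[t.Nonce] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	b := &Verifier{Name: "B", Skew: 5 * time.Minute, Seen: map[[16]byte]bool{}}
	tok, _ := MakeToken(priv, "A", "B", time.Now())
	fmt.Println("first use:", b.Verify(&priv.PublicKey, tok, time.Now())) // <nil>
	fmt.Println("replay:", b.Verify(&priv.PublicKey, tok, time.Now()))    // replayed token
}
```

In a real deployment A's public key would come from A's X.509 certificate (validated against its issuer) rather than being handed to the verifier directly.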
Slide 13: ITU-T publications
- Recommendations
- WTSA Resolutions
- Appendices
- Supplements
- Handbooks
- Directives
- ITU Operational Bulletin
Slide 14: Workshops and seminars 2002
- IPv6: Geneva, 6 May 2002
- Security: Seoul, Republic of Korea, May 2002
- IMT-2000 and Systems Beyond: Ottawa, Canada, 28 May 2002
- IP/Optical: Chitose, Japan, 9-11 July 2002
- Workshop on Use of Description Techniques: Geneva, 23 November 2002
- Role of Satellites in IP-based and Multimedia Networks and Services: Geneva, 9-11 December 2002
Slide 15: ITU-T Workshop on Security, 13-14 May 2002
- Seoul, May 2002
- ITU-T Workshop on Security, May 2002
- Security World Expo, May 2002
- ITU workshop: Creating trust in critical network infrastructures, May 2002
Slide 16: Cooperation
- A.4 – Communication with forums/consortia
- A.5 – Organizations qualified for referencing
- A.6 – Communication with SDOs

MoUs:
- MoU ICANN Protocol Supporting Organization, 14 July 1999
- MoU between IEC, ISO, ITU and UN/ECE concerning standardization in the field of electronic business, 24 March 2000
- MoU between ITU and ETSI, 14 June 2000

Informal Forum summit; "ITU-T and Forums" web page
Slide 17: Security collaboration
- ISO/IEC JTC1 SC 6 & SC 27
- IETF
- OASIS
Slide 18: Freely accessible web resources
itu.int/ITU-T/dbase
- ITU-T patent database
- International numbering resources: itu.int/ITU-T/inr
- A.4, A.5 and A.6 recognized organizations
- Terms and definitions
- List of ITU-T Recommendations
- ITU-T Work programme
- ASN.1 module database (new)
Slide 19: ITU-T Databases on the ITU-T website
- ASN.1 Module Database
- ITU-T Patents Database
- International Numbering Resources
- Recognized SDOs for Recs. A.4, A.5 & A.6
- Terms & Definitions Database
- List of ITU-T Recommendations
- ITU-T Work Programme Database
- ITU-T Work Programme Database Search
- Standardization Areas, Domains and their Codes
Slide 20: Ensuring global interoperability
- Quality of Service (QoS)
- Numbering and routing
- Communication Systems Security
- Tariffs and accounting rates
- Interworking
Slide 21: Thank You!
ITU-T Contacts:
- ITU-T Communication & promotion service: Greg Jones -
- ITU-T Study Group 17 Secretariat: Georges Sebek –