© Siemens NV/SA, October 2004 Communications Network and Information Security Report ICTSB/NISSG Stefan Goeman

Page 1:

Communications

Network and Information Security Report ICTSB/NISSG

Stefan Goeman

Page 2:

Background

Existing NIS-Report from 2003

The new EU Report: Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: A strategy for a Secure Information Society – “Dialogue, partnership and empowerment”

A lot of new developments in Network and Information Security

Page 3:

My Expertise

Each member of the team has some specific expertise. In my case, this is:

ICT Industry, Telecom, ISP: Authentication protocols, Web Service Security

Identity Management

E-government: Belgium eID card

Digital Rights Management

Page 4:

ICT Industry, Telecom and ISPs

Web Services Security (WS-Sec): The e-business environment is based on Web Services. Therefore security for web services is necessary (i.e. securing SOAP messages end-to-end).

The following specifications make up the WS-Sec 1.1 OASIS standard:

WS-Security Core Specification 1.1
Username Token Profile 1.1
X.509 Token Profile 1.1
SAML Token Profile 1.1
Kerberos Token Profile 1.1
Rights Expression Language (REL) Token Profile 1.1
SOAP with Attachments (SWA) Profile 1.1

SOAP: Simple Object Access Protocol

Page 5:

ICT Industry, Telecom and ISPs

IETF is an important contributor to security standardization.

With respect to network security, the following specifications are important and are included in the report:

IPsec protocol suite (the IETF IPsec working group is concluded):
RFC4301: Security architecture for the Internet Protocol
RFC4302: Authentication Header security protocol
RFC4303: Encapsulating Security Payload protocol
RFC4306: The Internet Key Exchange (IKEv2) protocol
…

TLS protocol suite:
RFC4346: The Transport Layer Security (TLS) Protocol Version 1.1
RFC4366: Transport Layer Security (TLS) Extensions
RFC4492: ECC Cipher Suites for Transport Layer Security (TLS)
RFC4279: Pre-Shared Key Ciphersuites for TLS
…

Protocols for securing the infrastructure: DNS security, ENUM security, security of routing protocols (BGP, OSPF)

Page 6:

Identity (and Privacy) Management

From an end-user’s point of view, identity and privacy management is (becoming) very important!

Two initiatives: Industry fora, not really standardization bodies. They rely on other standards.

Liberty Alliance Project: Industry forum defining specifications in the area of identity management (single-sign-on, privacy management via pseudonyms, … ) and Identity based web services

Based on Web Services specifications: The web services specifications are more loosely coupled, but it is possible to realize identity management based on specifications like:

WS-Federation

Currently not included in the report

SAML: Security Assertion Markup Language

Page 7:

E-government

Belgium eID card

PKI-based solution: eID card contains 2 certificates.

E-government applications:
Request official documents via the Internet (birth certificate, …)
Fill in and sign your tax form.
Access to your own personal information (https://www.mijndossier.rrn.fgov.be)
Will replace the electronic health insurance card (SIS card)
…

Other applications (not related to e-government):
Secure chat boxes
Libraries
Hotel room reservation
…

Currently not yet included in the report

Page 8:

Digital Rights Management

Currently not in scope of new NIS-Report

Many proprietary systems available (Apple iTunes, Windows Media DRM, …) and only a few standards available:

OMA DRM v1 and v2

In general, DRM systems all do more or less the same thing. The differences lie in details like content formats and rights expression languages.

OMA: Open Mobile Alliance

Page 9:

Contributions to the report

Providing the context for security for Next Generation Networks

Evolution from SS7 based telco systems (closed systems) to VoIP (SIP-based) telco systems (more open systems)

Providing an update of section 9.4 on Network Encryption:

Updates on IPsec
Updates on TLS
Inclusion of Web Services Security