TISPAN S. Compans [email protected] Technical Officer © ETSI 2010. All rights reserved April 2010.
Security ETSI · Security @ ETSI S. Compans ETSI Security Week ... more than 5 billion pieces going...
© ETSI 2019
17‐21 June 2019
Security @ ETSI
S. Compans ETSI Security Week
Security @ ETSI
CROSS‐DOMAIN CYBERSECURITY
• Ecosystem
• Protection of personal data & coms
• IoT security and privacy
• Critical infrastructures
• Enterprise and individual cybersecurity
• Forensics
• Information Security Indicators
SECURING TECHNOLOGIES & SYSTEMS
• Mobile / wireless systems (5G, TETRA, DECT, RRS, RFID...)
• IoT
• Network functions virtualization
• Intelligent Transports
• Broadcasting
SECURITY TOOLS & TECHNIQUES
• Lawful interception & retained data
• Digital signatures & trust services
• Permissioned distributed ledgers
• Smart cards / secure elements
• Security algorithms
• Quantum key distribution
• Quantum safe cryptography
TC CYBER
What is TC CYBER?
TC CYBER is ETSI’s Centre of Excellence for Cyber Security
Created in 2014, TC CYBER works on a range of problems – from privacy, to IoT, to protecting personal data and Quantum Cryptography
Works on both industry security challenges and EU security mandates to address global cyber security problems
TC CYBER has fortnightly working calls and meets face‐to‐face four times per year.
1. Cyber security eco‐system
Informing TC CYBER’s global view of cyber security.
Specifications include:
Technical Report 103 306 Global Cyber Security Ecosystem
Technical Specification CYBER‐0022 (TS 102 165 series) Methods and Protocols for Security
2. Protection of personal data and communications
ETSI provides technical support to privacy legislation through standards. In particular:
A technical guide to privacy, which addresses and catalogues relevant standards globally (TR 103 370)
Identity and identity management – applications in IoT and for pseudonymity (TS 103 486)
Mechanisms for privacy assurance and verification of that assurance (TS 103 485)
Attribute‐Based Encryption ABE requirements (TS 103 458)
3. IoT security and privacy
Many IoT devices, systems, services are insecure from the day they are designed. “Secure by design” means starting to create products, code, and software with security in mind from the start.
TC CYBER published a minimum set of requirements (TS 103 645) aimed at the consumer IoT market. Now working on EN
4. Cyber security for critical infrastructures
Protecting critical infrastructure, through recent work items:
TR 103 303 Protection measures for ICT in the context of Critical Infrastructure
WI‐024 Metrics for Identification of CI
WI‐037 Guidelines for increasing smart meter security
5. Enterprise and individual security
Several standards developed or in development to protect enterprises and individuals from a range of attacks:
The Middlebox Security Protocol (TS 103 523)
Critical Security Controls (TR 103 305): Effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks
6. Cyber security tools
Cyber Security Tools – general techniques for use across industry:
Threat Information Sharing (TR 103 331)
Security techniques for protecting software in a white box model (TR 103 642)
Attribute‐Based Encryption (TS 103 458 & TS 103 532)
Interface to offload sensitive functions to a trusted domain (TS 103 457)
7. Forensic activities
Assurance of digital material for legal proceedings, i.e. a “digital evidence bag” covering cryptographic protections and auditable change of data (TS 103 643 Assuring Digital Material)
8. Technical support to EU Legislation
Guidance on implementing the NIS Directive (TR 103 456)
TR 103 370 Guidance on standards for privacy and GDPR
Mechanisms for privacy assurance and verification of that assurance (TS 103 485) can be used in meeting some of the obligations of GDPR
9. Quantum‐Safe Cryptography working group
Specialises in providing practical advice to industry on issues such as risk assessment, migration timelines, architecture and integration issues.
Does not specify algorithms or key distribution techniques.
Realistic quantum‐safe options for important real‐world applications such as code signing, transport security and VPNs should be endorsed by NIST and ETSI over the next few years.
Launched in 2015, QSC became a TC CYBER working group in 2017.
Why TC Cyber?
How can I get involved with TC CYBER?
How to get involved with TC CYBER
Find TC CYBER on ETSI’s website: www.etsi.org
TC CYBER:
www.etsi.org/technologies‐clusters/technologies/cyber‐security
QSC:
https://www.etsi.org/technologies‐clusters/technologies/quantum‐safe‐cryptography
Next meetings:
QSC#12 26‐27 June 2019
CYBER#17 11‐13 September 2019
ETSI TC SCP “Smart Card Platform”
SSP: The solution for tomorrow’s secure world
“Smart Secure Platform”
ETSI TC SCP
[Figure: UICC, the multi‐application smart card platform. Labels: ID, Ticketing, Electr. Purse, Public Transport, SIM, Toolkit; “Specified by ETSI TC SCP”; “Application specified by the respective industry sector”.]
Home of the UICC (TS 102 221) – the most widely deployed Secure Element with more than 5 billion pieces going into the market every year just as SIM cards
The UICC as a platform provides application independent functions and features for the SIM application hosted on the UICC
• Separation of lower layers and applications
• Up to 20 logical channels to run applications in parallel
• NFC, USB, security, … part of SCP specifications
The Challenge
The new generation of connected mobile devices and IoT devices poses new challenges concerning security and integration
A system of sensors in an IoT application may not require a fully fledged UICC in every sensor
Can the “traditional” UICC be the solution for the new requirements?
There are issues related to …
• Specific smart card protocol from the eighties
• Limitation of data structures
• Limitation of parallel execution of applications
• Size of the hardware
• Complexity and cost of the product
The Answer: The Next Generation Smart Secure Platform (SSP)
Objective: better integration of the UICC into the specific use case while retaining its characteristics
The SSP is designed to be a modular platform offering a core set of features as well as a number of options that need to be selected at the time of implementation based on the intended application
• An open platform for multiple applications (multiple issuers can share the same hardware)
• Choice of interfaces and protocols (SPI, I2C, I3C, …)
• Faster and more flexible
• Choice of hardware
• New filesystem
• Support of existing features: Contactless, Toolkit, …
Still supports UICC applications ensuring smooth migration
The SSP Specifications
rSSP (removable)
• ETSI removable form factors
• One rSSP configuration could be the UICC
eSSP (embedded) ‐ ETSI TS 103 666‐3 (draft)
• One eSSP configuration could be the (e)UICC
• MFF2
iSSP (integrated) ‐ ETSI TS 103 666‐2 (draft)
• SE integrated in the SoC
• 2 parts: Primary Platform, Secondary Platform Bundle
General SSP characteristics ‐ ETSI TS 103 666‐1 (draft)
• General SSP characteristics
• Security & certification
• SSP File System
• Communication protocol (SCL ‐ SSP Common Layer) and communication layers above Physical layers
SSP classes to address different use cases / markets
• physical layer, form factor (if any)
• communication protocol (e.g. SPI, I2C)
• optional/mandatory features
SSP general characteristics
• modular and flexible platform that offers a core set of features agnostic of the form factor
SSP (Smart Secure Platform) requirements – ETSI TS 103 465 (published)
• split into generic and class specific requirements
First Technical Realisation: integrated SSP
Priority on iSSP – by common (market) demand
Integration of the functionality of the UICC into a System on Chip (SoC) solution. The iSSP uses an independent secure processor within the SoC.
The advantage is the reduction of the number of components in the system, because of the deeper integration, and thus a reduction of the space needed in the device for the SIM function.
TC ESI
eIDAS Standards Framework: Published Standards
General Framework (119 0xx)
• Standards framework
• Common definitions
• Guides
Signature Creation & Validation (x19 1xx)
• AdES creation & validation (Part 1: procedures; Part 2: signature validation report)
• Formats: XAdES (XML), CAdES (CMS), PAdES (PDF), ASiC (containers)
Signing Devices (419 2xx)
• CC Protection Profiles
• QSCD ‐ Smart Cards
• HSM used as QSCD
• HSM used by TSPs
• Remote QSCD
Cryptographic suites (119 3xx)
• Signature suites: hash, asymmetric crypto, key generation, lifetime
TSPs supporting digital signatures (x19 4xx)
• Trust services for: issuing certificates, time stamping, signature creation services, signature validation services
Trust application service providers (x19 5xx)
• Trust services for: registered e‐Delivery / e‐Mail, long term preservation
Trust service status lists (119 6xx)
• List of approved QTSPs & services supervised by National Bodies
Trust service issuing certificates
• e‐Signatures: for use by natural persons
• e‐Seals: for use by legal persons
• Website authentication: for websites
Signature Enhanced Trust Services
Remote Signing
Validation Services
Long‐term Preservation