ETSI TS 187 016 V3.1.1 (2010-06)

ETSI TS 187 016 V3.1.1 (2010-06)
Technical Specification


Telecommunications and Internet converged Services and
Protocols for Advanced Networking (TISPAN);
NGN Security;
Identity Protection (Protection Profile)

---------------------- Page: 1 ----------------------
2 ETSI TS 187 016 V3.1.1 (2010-06)



Reference
DTS/TISPAN-07035-NGN-R3
Keywords
ID, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2010.
All rights reserved.

TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TS 187 016 V3.1.1 (2010-06)
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definitions and abbreviations . 8
3.1 Definitions . 8
3.2 Abbreviations . 10
4 Identity and privacy protection in the NGN . 11
4.1 Identity and privacy in the NGN . 11
4.2 Regulatory requirements for privacy . 11
4.3 Behaviour and identity . 11
4.4 Identity protection objectives . 12
4.5 NGN identity and identifiers . 12
4.5.1 Identifying NGN users . 12
4.5.2 Identifier attributes for identity protection . 12
4.5.3 User Identifiers for non-communication services . 12
4.5.4 User Identifiers for communication services . 13
4.5.5 Device Identifiers . 13
4.5.6 NGN Service Identifiers . 13
4.5.7 Network entity Identifiers within the NGN . 13
5 Analysis of regulatory requirements . 14
5.1 Identification of personal data in the NGN . 14
5.2 Privacy requirements . 14
5.2.1 Privacy exceptions required by regulation . 15
6 Identity protection functional requirements . 15
6.1 Summary of security functional requirements . 15
6.2 Security capabilities required in the NGN for identity protection . 17
6.2.1 Access control measures . 17
6.2.1.1 Authenticity . 17
6.2.2 Privacy measures . 18
6.2.2.1 Pseudonymity . 18
6.2.2.2 Unlinkability . 18
6.2.3 Confidentiality measures . 18
6.2.4 Integrity measures . 18
6.2.4.1 Transmitted data protection (integrity). 18
6.2.5 Credential management . 19
6.2.6 Audit and accounting measures . 19
7 Identity Protection Framework . 20
7.1 PKI-based Framework elements . 20
7.2 Public Key Infrastructure (PKI) . 20
7.2.1 Public Key Certification (PKC) . 20
7.2.1.1 Traceable time-variant pseudonym certificates with authoritative identity . 21
7.2.1.2 Traceable anonymous certificates with authoritative identity . 21
7.2.2 Privilege Management Infrastructure (PMI) . 22
7.2.2.1 ITU-T Recommendation X.509 . 22
7.2.2.2 Kerberos . 22
7.2.2.3 Security Assertion Markup Language (SAML) . 22
7.2.2.4 Access control models in PMI . 23
7.3 Analysis of framework elements . 24
7.3.1 Public Key Infrastructure (PKI) . 24
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TS 187 016 V3.1.1 (2010-06)
7.3.2 Public Key Certification . 25
7.3.3 Privilege Management Infrastructure (PMI) . 26
7.3.4 Summary of analysis results and recommendations . 27
8 Identity management and protection within the NGN. 27
8.1 NGN identifiers . 27
8.2 Identity protection in SIP (current state) . 28
8.2.1 SIP privacy handling in the NGN . 28
8.3 Identity protection in IMS (IMS-AKA) . 29
8.3.1 Overview . 29
8.3.2 IMS security analysis . 29
8.4 Resolution protocols in NGN . 31
8.4.1 DNS and ENUM . 31
8.5 NGN Authentication, Registration and Authorization . 31
8.5.1 Overview . 31
8.5.2 NGN Authentication and Registration . 31
8.5.3 NGN Authorization. 31
8.6 Gap analysis . 34
8.7 Detailed requirements . 34
Annex A (normative): Protection Profile Proforma for Identity Protection in the NGN . 35
Annex B (informative): Policy and Procedure countermeasures . 38
Annex C (informative): Security terms and concepts . 39
C.1 Security associations . 39
C.2 Confidentiality . 39
C.3 Integrity . 39
C.4 Authenticity . 39
C.5 Authority . 40
Annex D (informative): Privacy in the NGN - TVRA . 41
D.1 Identification of the ToE . 41
D.2 Observations on the ToE . 42
Annex E (informative): Bibliography . 44
History . 46

ETSI

---------------------- Page: 4 ----------------------
5 ETSI TS 187 016 V3.1.1 (2010-06)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Telecommunications and Internet
converged Services and Protocols for Advanced Networking (TISPAN).
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TS 187 016 V3.1.1 (2010-06)
1 Scope
The present document specifies countermeasures to assure that users of the NGN have protection from abuse of
identity. This covers authenticity and integrity countermeasures, including use of existing systems, and credential
management in support of identity protection.
The present document:
• identifies the security objectives;
• defines the functional requirements (including those from ISO/IEC 15408-2 [i.6] that apply);
• defines the detail requirements for protection of identity in the NGN.
In doing so the present document:
• defines measures that provide protection of the NGN user identity from malicious traffic analysis;
• identifies those measures that allow compliance with the privacy legislation in the regions where the NGN is
to be deployed where such legislation is known and public;
• identifies in Annex B a number of countermeasures in the form of policies or procedures.
The present document follows the recommendations of ES 202 382 [2] and provides an IdM PP Proforma which may be
used as a basis for developing a PP for identity protection in an NGN subsystem deployment. The identity protection PP
proforma is provided in Annex A.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI EG 202 387: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method for application of Common
Criteria to ETSI deliverables". .
[2] ETSI ES 202 382: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining
Protection Profiles ".
[3] ITU-T Recommendation X.509: "Information technology - Open Systems Interconnection - The
Directory: Public-key and attribute certificate frameworks".
NOTE: Also available as ISO/IEC 9594-8.
[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications).
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TS 187 016 V3.1.1 (2010-06)
[5] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the
retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending
Directive 2002/58/EC.
[6] European Union Council Resolution COM 96/C329/01 of 17 January 1995 on the Lawful
Interception of Telecommunications.
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
[8] ETSI TS 184 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Identifiers (IDs) for NGN". .
[9] ETSI TS 184 009: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Rules covering the use of TV URIs for the Identification of
Television Channels".
[10] IETF RFC 3325: "Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity
within Trusted Networks".
[11] IETF RFC 5636: "Traceable Anonymous Certificate".
[12] OASIS Security Services: "Security Assertion Markup Language (SAML) v2.0".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for
Threat, Risk, Vulnerability Analysis".
[i.2] UK Home Office, R.V.Clark: "Hot Products: understanding, anticipating and reducing demand for
stolen goods", ISBN 1-84082-278-3.
[i.3] ISO/IEC 17799 (2005): "Information technology - Security techniques - Code of practice for
information security management".
[i.4] ISO/IEC 13335: "Information technology - Security techniques - Guidelines for the management
of IT security".
NOTE: ISO/IEC 13335 is a multipart publication and the reference above is used to refer to the series.
[i.5] ISO/IEC 15408-1: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 1: Introduction and general model".
[i.6] ISO/IEC 15408-2: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 2: Security functional requirements".
[i.7] AS/NZS 4360: "Risk Management".
[i.8] United Nations General Assembly resolution 217 A (III) 10 December 1948: "Universal
Declaration of Human Rights".
[i.9] ITU-T Recommendation X.200: "Information technology - Open Systems Interconnection - Basic
Reference Model: The basic model".
NOTE: Also available as ISO/IEC IS 7498-1.
[i.10] ETSI TS 102 165-2: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); Methods and protocols; Part 2: Protocol Framework Definition;
Security Counter Measures".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TS 187 016 V3.1.1 (2010-06)
[i.11] ETSI TR 187 002: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); TISPAN NGN Security (NGN-SEC); Threat, Vulnerability and
Risk Analysis".
[i.12] Council of Europe European Treaties ETS No. 5: "Convention For Protection Of Human Rights
And Fundamental Freedoms Rome, 4.XI.1950 ".
[i.13] ISO/IEC 15408-3: "Information technology - Security techniques - Evaluation criteria for IT
security - Part 3: Security assurance requirements".
[i.14] ISO/IEC 10181-6: "Information technology - Open Systems Interconnection - Security
frameworks for open systems: Integrity framework".
[i.15] ETSI TS 133 203: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Access security for IP-based services
(3GPP TS 33.203 version 8.6.0 Release 8)".
[i.16] ETSI TS 131 103: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Characteristics of the IP Multimedia Services
Identity Module (ISIM) application (3GPP TS 31.103)".".
[i.17] ETSI TS 133 102: "Universal Mobile Telecommunications System (UMTS); LTE; 3G security;
Security architecture (3GPP TS 33.102)".
[i.18] IETF RFC 3323: "A Privacy Mechanism for the Session Initiation Protocol (SIP)".
[i.19] ETSI TR 187 010: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Report on issues related to security in identity
imanagement and their resolution in the NGN".
[i.20] ETSI TS 133 210: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; 3G security; Network Domain Security (NDS); IP
network layer security (3GPP TS 33.210 version 8.3.0 Release 8)".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in EG 202 387 [11], ISO/IEC 17799 [i.3],
ISO/IEC 13335-1 [i.4] and the following apply:
asset: anything that has value to the organization, its business operations and its continuity
authentication: ensuring that the identity of a subject or resource is the one claimed
availability: property of being accessible and usable on demand by an authorized entity (ISO/IEC 13335-1 [i.4])
call: connection established by means of a publicly available telephone service allowing two-way communication in
real time (Directive 2002/58/EC [4])
communication: any information exchanged or conveyed between a finite number of parties by means of a publicly
available electronic communication service
NOTE: This does not include any information conveyed as part of a broadcasting service to the public over an
electronic communications network except to the extent that the information can be related to the
identifiable subscriber or user receiving the information (Directive 2002/58/EC [4]).
Concealable, Removable, Available, Valuable, Enjoyable, and Disposable (CRAVED): classification scheme to
determine the likelihood that a particular type of item will be the subject of theft [i.2]
confidentiality: ensuring that information is accessible only to those authorized to have access
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TS 187 016 V3.1.1 (2010-06)
consent (by a user or subscriber): correspond to the data subject's consent in Directive 95/46/EC [7]
(Directive 2002/58/EC [4])
identifier: unique series of digits, letters and/or symbols assigned to a subscriber, user, network element, function or
network entity providing services/applications
identity: set of properties (including identifiers and capabilities) of an entity that distinguishes it from other entities
identity crime: generic term for identity theft, creating a false identity or committing identity fraud
identity fraud: use of an identity normally associated to another person to support unlawful activity
identity theft: the acquisition of sufficient information about an identity to facilitate identity fraud
identity tree: the structured group of identifiers, pseudonyms and addresses associated with a particular user's identity
impact: result of an information security incident caused by a threat and which affects assets
information security incident: event which is the result of access to either stored or transmitted data by persons or
applications unauthorized to access the data
integrity: safeguarding the accuracy and completeness of information and processing methods
location data: any data processed in an electronic communications network, indicating the geographic position of the
terminal equipment of a user of a publicly available electronic communication service (Directive 2002/58/EC [4])
mitigation: limitation of the negative consequences of a particular event
nonce: arbitrary number that is generated for security purposes (such as an initialization vector) that is used only one
time in any security session
non-repudiation: ability to prove an action or event has taken place, so that this event or action cannot be repudiated
later
residual risk: risk remaining after countermeasures have been implemented to reduce the risk associated with a
particular threat
risk: potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the
attacked system or organization
subscriber: entity (associated with one or more users) that is engaged in a subscription with a service provider (refer to
TS 184 002 [8])
subscription: commercial relationship between the subscriber and the service provider (refer to TS 184 002 [8])
threat: potential cause of an incident that may result in harm to a system or organization
NOTE 1: A threat comprises an asset, a threat agent and an adverse action of that threat agent on that asset
(reference [i.5]).
NOTE 2: A threat is enacted by a threat agent and may lead to an unwanted incident breaking certain pre-defined
security objectives.
threat agent: entity that can adversely act on an asset
traffic data: any data processed for the purpose of the conveyance of a communication on an electronic
communications network or for the billing thereof (Directive 2002/58/EC [4])
unwanted incident: incident such as the loss of confidentiality, integrity and/or availability (ITU-T Recommendation
X.200 [i.9])
user: any natural person using a publicly available electronic communications service, for private or business purposes,
without necessarily having subscribed to this service (Directive 2002/58/EC [4])
value added service: any service which requires the processing of traffic data or location data other than traffic data
beyond what is necessary for the transmission of a communication or the billing thereof (Directive 2002/58/EC [4])
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TS 187 016 V3.1.1 (2010-06)
vulnerability: weakness of an asset or group of assets that can be exploited by one or more threats
NOTE: As defined in ISO/IEC 13335 [i.4], a vulnerability is modelled as the combination of a weakness that can
be exploited by one or more threats.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AA Attribute Authority
AC Attribute Certificate
AKA Authentication and Key Agreement
AMI A
...