Reconfigurable Radio Systems (RRS); Security related use cases and threats

RTR/RRS-0313

General Information

Status: Published
Publication Date: 08-Nov-2017
Current Stage: 12 - Completion
Due Date: 21-Nov-2017
Completion Date: 09-Nov-2017
Ref Project

Standard
ETSI TR 103 087 V1.2.1 (2017-11) - Reconfigurable Radio Systems (RRS); Security related use cases and threats
English language
119 pages

Standards Content (Sample)

ETSI TR 103 087 V1.2.1 (2017-11)






TECHNICAL REPORT
Reconfigurable Radio Systems (RRS);
Security related use cases and threats

Reference: RTR/RRS-0313
Keywords: radio, safety, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Method of analysis
5 Security objectives
5.1 Overview
5.2 Assumptions and assertions of RRS
5.3 Objectives arising from RED analysis
5.4 Objectives arising from ComSec analysis
5.5 Objectives arising from the analysis of the RAP as ToE#2
5.6 Objectives arising from the analysis of the DoC as ToE#3
6 Stakeholders and assets
6.1 Use cases
6.1.1 Introduction
6.1.2 Timing dependencies between use cases
6.2 Assets
6.2.1 Mobile Device Reconfiguration Classes
6.2.2 Radio Application operating environment
6.2.3 Radio Application and Radio Application Package
6.2.4 Declaration of Conformity and CE marking
6.2.5 External assets
6.3 Cardinalities
7 Identification of ToE for RRS App deployment
7.1 Overview
7.2 ToE#1: communication between the RadioApp Store and the RE
7.2.1 Introduction
7.2.2 Threats
7.2.3 Risk assessment
7.3 ToE#2: Radio Application Package
7.3.1 Introduction
7.3.2 Lifecycle starting from the availability on the RadioApp Store
7.3.3 Other aspects of the lifecycle
7.3.3.1 Withdrawal of a Radio Application from the Radio Market Platform
7.3.3.2 Development and pre-distribution phase
7.3.3.3 RE and RA lifetime
7.3.3.4 Identification of rogue or compromised Radio Applications
7.3.4 ToE#2 environment
7.3.5 Out-of-scope aspects of ToE#2
7.3.6 Threats
7.4 ToE#3: Declaration of Conformity and CE marking
7.4.1 DoC characteristics
7.4.2 Consequences drawn from characteristics
7.4.3 DoC usage from a market surveillance perspective
7.4.4 ToE#3 environment
7.4.5 Out-of-scope aspects of ToE#3
7.4.6 Threats
7.5 Conceptual countermeasure framework for RRS to address ToE#1, ToE#2 and ToE#3
7.5.1 Introduction
7.5.2 Framework elements
7.5.3 Revised risk calculations
7.5.3.1 Application of identity management framework
7.5.3.1.0 Introduction
7.5.3.1.1 Identities in RRS
7.5.3.2 Application of non-repudiation framework
7.5.3.3 Application of integrity verification framework
7.5.4 Summary of threats introduced by countermeasures
8 Modifications applicable to the RRS architecture
8.1 Additional elements
8.2 Additional flow diagrams
8.2.1 RAP endorsement, distribution, and validation
8.2.2 DoC endorsement, distribution, and validation
9 Remote attestation of the Reconfigurable Equipment status (installed RA and DoC)
9.1 Overview of remote attestation use case
9.2 Actors and relationships
9.2.1 The platform
9.2.2 The attesting entity
9.2.3 The verifying entity
9.2.4 The requestor
9.3 Considerations for remote attestation solutions in RRS
9.3.1 Relation to the non-repudiation framework
9.3.2 Implementation
9.4 Direct Anonymous Attestation
10 Configuration enforcement of reconfigurable equipment
10.1 Introduction and scenario
10.2 Scope
10.2.1 Background
10.2.2 Core Command set
10.2.3 Extended Command Set
10.2.4 Actors
10.3 Technical considerations
10.3.1 RAT capabilities
10.3.2 Access control
10.3.3 Default control channel
10.4 Technical implementation
10.4.1 Introduction
10.4.2 Data model and data flows
10.4.3 Delivery mechanisms in selected RAT
10.5 Security objectives
10.6 Threats
11 Long-term management of reconfigurable equipment
11.1 Introduction and scenario
11.2 Scope
11.3 Architecture and Actors
11.3.1 Introduction
11.3.2 The RRS Configuration Profile
11.3.3 The RRS-CP Profile
11.3.4 Transfer of Authority Document (TAD)
11.3.5 Effective transfer of authority
11.4 Verification of profiles and actors, profile updates
11.5 Message flows
11.5.1 Transfer of authority between two RRS-CA
11.5.2 Designation of legitimate RRS-CP by the RRS-CA
11.5.3 Distribution of a new RRS Configuration Profile
11.6 Security objectives
11.7 Threats and limitations
12 Device root of trust for RRS
12.1 Introduction
12.2 Services
12.2.1 Immutable pre-provisioned data
12.2.2 Measurement
12.2.3 Secure cryptographic primitives and execution environment
12.2.4 Secure boot
12.2.5 Secure storage
12.2.6 Policy-based access control
12.2.7 Random number generation
12.2.8 Trusted time
12.2.9 Trusted environmental information
12.2.10 Audit
12.2.11 Mutual authentication and secure communications between entities
12.2.12 (remote) Attestation of platform configuration
Annex A: Impact on RRS Security of European Radio Equipment Directive
A.1 Introduction
A.2 Summary of applicable requirements
A.2.1 Applicability
A.2.2 General principles
A.2.3 Technical and security considerations
A.3 Declaration of Conformity (DoC)
A.3.1 Introduction
A.3.2 Technical and security considerations
A.4 Safekeeping of the Declaration of Conformity
A.4.1 Introduction
A.4.2 Technical and security considerations
A.5 Affixing of Declaration of Conformity
A.5.1 Overview
A.5.2 Technical and security considerations
A.6 Pre-market actors and roles from the Directive 2014/53/EU perspective
A.7 Other information to indicate on the RE
A.7.1 Introduction
A.7.2 Technical and security considerations
A.8 Actions in case of formal non-compliance, or with compliant radio equipment that presents a risk
A.8.1 Introduction
A.8.2 Technical and security considerations
A.9 Post-market actors and roles from the RED perspective
A.10 Actions in case of RE presenting a risk
A.10.1 Introduction
A.10.2 Technical and security considerations
A.10.3 Additional considerations
Annex B: Summary of security objectives
Annex C: Summary of high level security requirements
Annex D: Completed TVRA pro forma for RRS security
Annex E: TVRA Risk Calculation for selected RRS aspects
Annex F: Void
Annex G: Trust models in RRS app deployment
G.1 Overview of trust
G.2 Role of trust in RRS
G.3 Public Key Infrastructures and Trust
G.4 Models of trust
G.4.1 Overview
G.4.2 Directly delegated trust
G.4.3 Collaborative trust
G.4.4 Transitive trust
G.4.5 Reputational trust
Annex H: Wireless Innovation Forum security considerations for SDRD
H.1 Introduction
H.2 Identification of assets
H.3 Actors (stakeholders)
H.4 Threat analysis
H.4.1 Vulnerability classes
H.4.2 Threat classes
H.4.3 Attacks and exploits
H.5 Identification of security critical processes
H.6 Security services
H.7 Other considerations
H.7.1 Downloadable policies
Annex I: Review of remote control management protocols
I.1 Overview
...
