Security Study in ITU-T SG17 (ITU-T SG17 security study progress report)
Dr. Jianyong Chen
Technical Advisor, ZTE Corporation
Vice-Chairman, ITU-T Study Group 17
Chairman, Wire Line Network Security Working Group, CCSA (China Communications Standards Association)
ITU-T Security Manual
October 2004 (December 2004 edition)
Describes all security study activities in ITU-T until 2004.
Highlights:
PKI and privilege management with X.509
Applications (VoIP, IPCablecom, network management, e-prescriptions for hospital networks)
Security terminology and security-related Questions
Catalog of ITU-T security-related Recommendations
www.itu.int/itudoc/itu-t/86435.pdf
ITU-T Study Group 17
www.itu.int/ITU-T/studygroups/com17
Lead Study Group for Telecommunication Security
Coordination/prioritization of security efforts across the ITU-T study groups
Development of core security Recommendations
Forthcoming meeting: 19-28 April 2006, Jeju, Korea
Lead ITU-T Workshop on Security
www.itu.int/ITU-T/worksem/security
Initiated the ITU-T Security Project
Provide vision and direction for future work
Reflect the situation of current work
ITU-T SG17 Structure
ITU-T SG17
- WP1: Frame relay and data communication
- WP2: Telecommunication security
  - Q.4: Communication system security project
  - Q.5: Security architecture and framework
  - Q.6: Cyber security
  - Q.7: Security management
  - Q.8: Telebiometrics
  - Q.9: Security communication service
  - Q.17: Combating SPAM
- WP3: Language and telecommunication software
Study Group 17 Security Questions 2005-2008
- Q.4 Security project: vision, project roadmap, compendia, ...
- Q.5 Security architecture and framework: X.800 series, X.805
- Q.6 Cyber security: incident handling operations, security strategy
- Q.7 Security management: ISMS-T (information system security management), incident management, risk assessment methodology; X.1051
- Q.8 Telebiometrics: utilize the user's biological features as an authentication tool; X.1081
- Q.9 Secure communication services: mobile network, home network and web service security; X.1121, X.1122
- Q.17 Countering SPAM: countering email and VoIP spam
(In the slide the Questions are arranged along two axes, Systems and Systems Users.)
Highlights on contents of security Recommendations planned for consent later in the study period (2005-2008)
Q.8 Study areas
(Diagram: a telebiometric system pipeline. Biometric sensors feed Acquisition (capturing), then Extraction, Matching (producing a Score), Decision (Yes/No) and finally the Application; Storage is a separate component, and the stages are interconnected over a network (NW).)
Q.8 Extend the application of biometric systems to the open network
Since biometric data is quite sensitive, it is important to protect it during transmission over open networks.
Q.9 Study areas
(Diagram: mobile security, spanning mobile terminal, mobile network, open network and application server; web service security; home network security; application-layer security protocols.)
Q.9 Security of home network based on certificates
Establish the certificate management scheme for home network applications.
Simplify X.509 certificates and use them in the devices of home networks. The project studies profiles of the simpler certificates. Necessary profile items include:
OIDs for the device certificate profile for home networks (device identity)
Algorithm identifier for the device certificate
Basic fields
Version
Public key type
Various extensions for the device certificate:
subjectKeyIdentifier, authorityKeyIdentifier, keyUsage, basicConstraints
Validity period
Certificate security, etc.
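As an added illustration (not part of the presentation or of any ITU-T text), the following Go program uses only the standard library to self-sign a device certificate carrying the profile items listed above, then checks a parsed certificate against that list and reports what is missing. The two-year validity bound, the key identifier bytes and the device name are constructed assumptions, not values from the Question.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// checkDeviceProfile lists the profile items a parsed certificate lacks: v3 version, recognised
// public key type, SKI, AKI, keyUsage, basicConstraints and a validity within the assumed two-year bound.
func checkDeviceProfile(cert *x509.Certificate) []string {
	checks := []struct{ name string; ok bool }{
		{"version v3", cert.Version == 3},
		{"public key type", cert.PublicKeyAlgorithm == x509.ECDSA || cert.PublicKeyAlgorithm == x509.RSA},
		{"subjectKeyIdentifier", len(cert.SubjectKeyId) > 0},
		{"authorityKeyIdentifier", len(cert.AuthorityKeyId) > 0},
		{"keyUsage", cert.KeyUsage != 0},
		{"basicConstraints", cert.BasicConstraintsValid},
		{"validity period", cert.NotAfter.Sub(cert.NotBefore) <= 2*365*24*time.Hour},
	}
	var missing []string
	for _, c := range checks {
		if !c.ok {
			missing = append(missing, c.name)
		}
	}
	return missing
}

// newDeviceCert self-signs a certificate for a constructed device name; with complete=false
// the profile extensions are left out, giving the checker a non-conforming input to reject.
func newDeviceCert(complete bool, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(validity),
		Subject: pkix.Name{CommonName: "home-device-0001"}} // constructed subject name
	if complete {
		keyID := []byte{0x01, 0x02, 0x03, 0x04} // constructed key identifier
		tmpl.SubjectKeyId, tmpl.AuthorityKeyId = keyID, keyID
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.BasicConstraintsValid = true // emits basicConstraints with cA=FALSE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Running the checker over the incomplete certificate names the four absent extensions, while an over-long validity is flagged on its own.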
Q.9 Value-added security service in mobile communication (X.msec-3)
Additional investment for security
Different degrees of security requirements for various users and applications
Simple and effective security management for users
The classification of assets:
Class: Information asset. Description: valuable data that can be stored, processed, or transferred by computational systems. Examples: sensitive data, e-transaction data, business plan.
Class: Service asset. Description: application program that offers the manipulation of data to users. Examples: web service, e-mail service.
Class: System asset. Description: physical hardware components for supporting services and data processing. Examples: file server, Telnet server.
Q.9 Value-added security service in mobile communication (X.msec-3)
(Diagram: network entities, security policies and service providers. Entities: server/gateway, mobile terminal, user. Policies range from no security policy, through a baseline security policy, to advanced security policies with extended levels "very low", "low", "medium" and "very high". Services: general security services and value-added security services.)
Q.9 Value-added security service in mobile communication (X.msec-3)
(Diagram: Caller and Callee each connect through a Security Gateway; the gateways are controlled by a Policy Server and an AAA Server (billing center).)
Q.9 Authentication architecture for mobile communication (X.msec-4)
Architecture
(Diagram: an Entity Authentication Center (EAC) backed by an Entity Subscription Database (ESD), with Entity1, Entity2 and Entity3 exchanging numbered messages (1)-(6) with the EAC and with each other.)
Q.9 Correlative reacting system in mobile communication (X.crs)
(Diagram: three domains separated by the air interface and the network boundary. Labels shown: Mobile Terminal with SCA, CSI, TOS and SAS-A; Mobile Network with NAC, SAC and DSD; Open Network with the Application Service Provider (ASP) hosting TOS-VS, SAS-S and SCS.)
CSI: CRS Service Interface
NAC: Network Access Controller
ASC: Application Service Controller
DSD: Dedicated Security Device
SAS-A: Security Application Software Agent
SAS-S: Security Application Software Server
TOS-VS: Terminal Operating System Vulnerability Server
Q.17 Guideline document on countering SPAM (X.gcs)
(Diagram: the countering-spam solution combines legislation, international cooperation, training, technology, complaint handling and industrial self-discipline.)
Q.17 Countering VoIP spam
Causing factors of VoIP spam:
Cheap
Anonymous
Easily automated (bulk sending)
(Diagram: a social graph of Alice, Bob, Carol, David, Emily and Frank linked by "has sent email to" and "has sent IM to" edges, asking "is this a spammer?")
Spreading power of VoIP spam, the utility of the spammer: filtering rate, response rate, spamming cost, probability of punishment, cost of punishment and number of sent spam.
Q.17 Technical framework for countering email spam (X.fgs)
Countering spam model
(Diagram: a spam processing entity and spam processing sub-entities positioned alongside mail clients and mail servers, with nodes labelled A to E.)
Q.17 Platform of countering SPAM
(Diagram, the Signal Spam platform: users send spam reports; operators, honeypots and e-mail servers send automatic signalling/IP reports and incident reports declared by senders; the platform analyses, sorts, takes action and shares, returning acknowledgment of sender queries, contact for procedures, unsubscription assistance, surveys, reports on spam statistics (abuse@fai) and provision of detailed information; semi-automatic alerts on URL phishing go to banks and brands, and alerts go to public authorities. Response: gentle reminder, zombie watch, alert authorities; anti-spam information is shared among the participants.)
Conclusion
The scope of WP2/SG17 on security is unlimited. Any new security technologies or solutions are highly recommended to be submitted to the study group for study.