ETSI SR 002 298-2003 Response from CEN and ETSI to the Communication from the Commission to the Council the European Parliament the European Economic and Social Committee and the _1.pdf

1、 ETSI SR 002 298 V1.1.1 (2003-12)Special Report Response from CEN and ETSI to the“Communication from the Commission to the Council,the European Parliament, the European Economic andSocial Committee and the Committee of the Regions:Network and Information Security:Proposal for a European Policy Appro

2、ach“ETSI ETSI SR 002 298 V1.1.1 (2003-12) 2 Reference DSR/BOARD-00004 Keywords security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture d

3、e Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions,

4、 the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revisi

5、on or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized

6、 by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON

7、 logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI SR 002 298 V1.1.1 (2003-12) 3 Contents Intellectual Property Rights7 Foreword.7 1 Scope

8、 8 2 References 8 3 Definitions and abbreviations.9 3.1 Definitions9 3.2 Abbreviations .9 4 Introduction 10 5 Network and information security11 5.1 Definition used in the present document 11 5.2 Other “real world“ issues not covered 12 5.2.1 Legal issues.12 5.2.2 Vetting of personnel12 5.2.3 Inform

9、ation security professional qualifications.12 5.2.4 Longevity of archiving12 6 Electronic business and other contexts.13 7 The structure of the present document .13 8 CEN and ETSI response to proposed actions.14 8.1 Awareness raising.14 8.2 Technology support14 8.3 Support for market oriented standa

10、rdization and certification .14 8.3.1 Interoperability .14 8.3.2 EU initiatives 15 8.3.3 Certification and accreditation15 8.3.4 Participation in standardization activities .15 8.3.5 Stimulation of standardization activities.16 8.3.6 Proposed European Network and Information Security Agency16 8.4 In

11、ternational co-operation 16 9 User requirements 16 9.1 Home users.16 9.1.1 Home working 16 9.1.2 Personal business 17 9.1.3 Microprocessor control of domestic equipment17 9.1.4 General security requirements 17 9.2 Small and medium enterprises18 9.2.1 The SME as a user of e-business services.18 9.2.2

12、 The SME as a supplier of e-business services 18 9.2.3 General security requirements 18 9.3 Large organizations and industries.19 9.3.1 General security requirements 19 9.4 Recommendations 19 10 General threats to network and information security .20 11 Registration and authentication services 21 11

13、.1 Security measures.22 11.1.1 Effective user registration.22 11.1.2 Effective user identification and authentication22 11.1.3 Effective access control 22 11.1.4 Effective user management.22 11.2 Passwords.22 11.3 Biometrics 23 ETSI ETSI SR 002 298 V1.1.1 (2003-12) 4 11.4 Digital certificates 23 11.

14、5 Smart cards.23 11.6 Recommendations 24 11.6.1 Registration.24 11.6.2 Authentication.24 11.6.3 Interoperability and framework considerations 24 11.6.4 Biometrics.24 11.6.5 Other mechanisms 25 12 Confidentiality and privacy services 25 12.1 Security measures.25 12.2 Encryption of stored information

15、.26 12.3 Electronic mail encryption .26 12.4 Network encryption26 12.5 Cryptographic algorithms.27 12.6 Object re-use policy27 12.7 Recommendations 28 12.7.1 Encryption of stored information28 12.7.2 Network and electronic mail encryption.28 12.7.3 Object re-use policy28 13 Trust services28 13.1 Sec

16、urity measures.28 13.1.1 Key management 29 13.1.2 Non-repudiation29 13.1.3 Evidence of receipt .29 13.1.4 Trusted commitment service.30 13.1.5 Integrity 30 13.2 Electronic signatures 30 13.3 Hash functions31 13.4 Time-stamping .31 13.5 Non-repudiation .31 13.6 Public Key Infrastructures (PKI)31 13.7

17、 Harmonization of trust services32 13.8 Recommendations 32 14 Business services32 14.1 Security measures.33 14.1.1 Service availability .33 14.1.2 Information availability 33 14.1.3 Effective accounting and audit33 14.2 Failure impact analysis.34 14.3 Capacity planning.34 14.4 Business continuity pl

18、anning34 14.5 Configuration management 34 14.6 Checksums and cyclic redundancy checks.34 14.7 Recommendations 34 15 Network defence services.35 15.1 Security measures.35 15.1.1 Preventative measures.35 15.1.2 Detection measures.35 15.2 Recommendations 35 16 Assurance services .36 16.1 Security measu

19、res.36 16.2 Risk assessment36 16.3 Evaluation.37 16.4 Certification37 16.5 Information security management standards37 16.6 Accreditation bodies.38 16.7 Recommendations 38 Annex A: Standards for registration and authentication services.39 ETSI ETSI SR 002 298 V1.1.1 (2003-12) 5 A.1 General authentic

20、ation standards39 A.1.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 39 A.1.2 European Telecommunications and Standards Institute (ETSI).39 A.1.3 US National Institute of Standards and Technology 41 A.1.4 Internet Engineering Task Force (IETF) 41 A.1.5 Ins

21、titute of Electrical Engineers .42 A.2 Passwords.42 A.2.1 Internet Engineering Task Force (IETF) 42 A.2.2 US National Institute of Standards and Technology 42 A.2.3 US National Computer Centre42 A.3 Biometrics 42 A.3.1 International Organization for Standardization and Electrotechnical Commission (I

22、SO/IEC) 42 A.3.2 ANSI/NIST.43 A.3.3 Other Organizations/Activities.43 A.4 Digital certificates 43 A.4.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 43 A.4.2 European Standards Committee (CEN)44 A.4.3 European Telecommunications and Standards Institute (ET

23、SI).44 A.4.4 Internet Engineering Task Force (IETF) 44 A.4.5 ANSI 44 A.4.6 US National Institute of Standards and Technology 44 A.4.7 RSA Public Key Cryptography Standards44 A.5 Smart Cards45 A.5.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 45 A.5.2 Euro

24、pean Standards Committee - Information Society Standardization System (CEN/ISSS).45 A.5.3 European Telecommunications and Standards Institute (ETSI).48 A.5.4 Personal Computer Smart Card Workgroup.51 A.5.5 Smart Card alliance 51 A.5.6 e-Europe Smart Card (eESC) Initiative 51 A.5.6 US National Instit

25、ute of Standards and Technology.54 A.5.7 RSA Public key Cryptography Standards.54 A.5.8 Internet Engineering Task Force.54 Annex B: Standards for Confidentiality and privacy services.55 B.1 Encryption 55 B.1.1 Organization for Economic Co-operation and Development (OECD).55 B.1.2 International Organ

26、ization for Standardization and Electrotechnical Commission (ISO/IEC) 55 B.1.3 European Telecommunications Standards Institute (ETSI)56 B.1.4 Internet Engineering Task Force (IETF) 58 B.1.5 American National Standards Institute.58 B.1.6 US National Institute of Standards and Technology.58 B.1.7 RSA

27、Public Key Cryptography Standards59 B.2 Public Key Infrastructure .59 Annex C: Standards for Trust Services .60 C.1 Electronic signatures 60 C.1.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 60 C.1.2 European Standards Committee- Information Society Stand

28、ardization System (CEN/ISSS)60 C.1.3 European Telecommunications Standards Institute (ETSI)61 C.1.4 International Telegraph and Telephone Consultative Committee (CCITT) of the International Telecommunications Union (ITU) .61 C.1.5 Internet Engineering Task Force (IETF) 62 C.1.6 RSA - Public Key Cryp

29、tography Standards .62 C.1.7 American National Standards Institute.62 C.1.8 US National Institute of Standards and Technology 62 C.2 Public Key Infrastructure .62 C.2.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 62 ETSI ETSI SR 002 298 V1.1.1 (2003-12) 6

30、 C.2.2 European Telecommunications Standards Institute (ETSI)62 C.2.3 US National Institute of Standards and Technology 62 C.2.4 Internet Engineering Task Force (IETF) 62 C.3 Hash functions63 C.3.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 63 C.3.2 Inte

31、rnet Engineering Task Force (IETF) 63 C.3.3 American National Standards Institute.63 C.3.4 US National Institute of Standards and Technology 64 C.4 Time-stamping .64 C.4.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 64 C.4.2 European Standards Committee-

32、Information Society Standardization System (CEN/ISSS)64 C.4.3 European Telecommunications Standards Institute (ETSI)64 C.5 Non-repudiation .64 C.5.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 64 C.6 Key management65 C.6.1 International Organization for S

33、tandardization and Electrotechnical Commission (ISO/IEC) 65 Annex D: Standards for Business Services 66 Annex E: Standards for Network Defence Services67 E.1 Anti-virus .67 E.1.1 US National Institute of Standards and Technology 67 E.2 Firewalls.67 E.2.1 International Organization for Standardizatio

34、n and Electrotechnical Commission (ISO/IEC) 67 E.2.2 Internet Engineering Task Force 67 E.2.3 US National Institute of Standards and Technology 67 E.3 Intrusion detection68 E.3.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 68 E.3.2 US National Institute o

35、f Standards and Technology 68 E.4 General Network Security68 E.4.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) 68 Annex F: Standards for Assurance services69 F.1 Information security management and risk assessment .69 F.2 Accreditation and certification .

36、70 F.2.1 European Committee for Standardization (CEN) and International Organization for Standardization and Electrotechnical Commission (ISO/IEC) .70 F.3 Evaluation.72 F.3.1 International Organization for Standardization and Electrotechnical Commission (ISO/IEC) and European Committee for Standardi

37、zation (CEN).72 F.3.2 US National Institute of Standards and Technology 73 F.3.3 US National Computer Security Centre .73 F.3.4 US National Computer Security Centre .73 Annex G: Standards for Microprocessor Control of Domestic Equipment74 G.1 International Organization for Standardization and Electr

38、otechnical Commission (ISO/IEC)74 G.2 Other work74 History 75 ETSI ETSI SR 002 298 V1.1.1 (2003-12) 7 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly a

39、vailable for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web s

40、erver (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may

41、 be, or may become, essential to the present document. Foreword This Special Report (SR) has been produced by a joint CEN-ETSI Network and Information Security standardization group in response to the European Commissions call for “a comprehensive strategy on security of electronic networks includin

42、g practical implementing action“. CEN and ETSI share the aims set forward in the Communication from the Commission. It is agreed that there are comprehensive standards available for secure electronic networks. However, the report notes that there are few security frameworks to guarantee multi-vendor

43、 systems will operate securely together. Also it is noted that there is a lack of appropriate certification in some areas. The result is fragmentation and uneven implementation in real networks and insecurities remain despite some parts being very secure. In support of the Commissions aims, certain

44、key issues are central to the reports recommendations: Interoperability: There are many security standards available. This often leads to problems of interoperability - with potentially annoying consequences for the consumer and perhaps business consequences for the provider of electronic services.

45、A number of mechanisms exist to improve this situation including the use of standards frameworks which can help to identify and incorporate interoperable standards in such a way that users become unaware of interoperability issues. Also interoperability testing can help to ensure equipment conformin

46、g to standards and frameworks does really interoperate. The reports recommendations encourage interoperability testing and the incorporation of “overlapping“ standards within suitable frameworks which unify as far as possible the different technical means of doing certain tasks. Upgradeability: Secu

47、rity is not a static problem: the implementation of a standard in a product may need to be updated as weaknesses are discovered; and new standards will be needed whenever existing ones become ineffective in countering threats to security. Several of the reports recommendations are aimed at ensuring

48、this need is recognized and dealt with in a manner that is as simple as possible for the end user, through the use of frameworks that can handle updates in a transparent manner. Home users and Small and Medium Enterprises: In the near future it is very clear that many home users and many Small and M

49、edium Enterprises will be making new, permanent connections to the Internet for the purposes of e-commerce, information and entertainment. These users will naturally have neither the expertise nor the inclination to apply obscure security measures to consistently prevent security breaches. The report makes recommendations to deal with this issue before it becomes a major problem. It is hoped that the awareness of these issues generated within the European Standards Organizations will encourage the development of high quality security standards and frameworks in close