ITU-T X 1145-2017 Security framework and requirements for open capabilities of telecommunication services (Study Group 17).pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1145 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2017) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Web security Security framework and requirements for open ca

2、pabilities of telecommunication services Recommendation ITU-T X.1145 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.49

3、9 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security managemen

4、t X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179

5、IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI related Recommendations X.1340X.1349 Inte

6、rnet of things (IoT) security X.1360X.1369 Intelligent transportation system (ITS) security X.1370X.1379 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.15

7、59 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.

8、1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1145 (05/2017) i Recommendation ITU-T X.1145 Security framework and requirements for open capabilities of t

9、elecommunication services Summary Recommendation ITU-T X.1145 focuses on an analysis of the security requirements of open capabilities of telecommunication services and provides a security framework. Currently, due to the boom in over-the-top (OTT) services in the information communication technolog

10、y (ICT) domain, operators need to explore innovative ways to cooperate with third-party service providers and especially with information technology (IT) service providers in order to avoid the traffic growth associated with such services without the commensurate income increases. Open capabilities

11、of telecommunication services can bridge the operators telecommunication services capabilities and the third-party service providers customized service requirements, thus becoming a win-win cooperation paradigm. As the core asset for operators, capabilities of telecommunication services should be op

12、ened in a secure way and be fully protected, as both operators business security and users information security are implicated. Without a comprehensive security mechanism, an unsecure/spiteful application/service from a third-party service provider using the capabilities of telecommunication service

13、s may harm the operators transmission network, business system and even users personally identifiable information (PII). Consequently, to offer secure telecommunication service capabilities to cooperative service providers, the security requirements for open capabilities of telecommunication service

14、s need to be analysed exhaustively and an overall security framework needs to be established. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1145 2017-05-14 17 11.1002/1000/13260 Keywords Open capability, security framework, telecommunication service. * To access the Reco

15、mmendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1145 (05/2017) FOREWORD The International Telecommunication Union (ITU) is the United Nations s

16、pecialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on th

17、em with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-

18、T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used

19、 for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the

20、Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of a

21、ny party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Prope

22、rty Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, imp

23、lementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2017 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior writ

24、ten permission of ITU. Rec. ITU-T X.1145 (05/2017) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 2 6 Overview . 2 6.1 General model of open capabilities o

25、f telecommunication services 2 6.2 Open capabilities categorization . 3 7 Security threats to open capabilities of telecommunication service . 4 7.1 Disclosure of personally identifiable information 4 7.2 Modification of capability usage 4 7.3 Relationship of security threats to OCTS model 4 7.4 Tro

26、jan and virus attacks 5 7.5 Unauthorized access . 5 8 Security requirements for open capabilities of telecommunication services 5 8.1 Access control 5 8.2 Authentication 6 8.3 Business isolation . 6 8.4 Emergency response for virus/DDoS . 6 8.5 Innovation business security test before online usage 6

27、 8.6 Personally identifiable information protection . 6 8.7 Physical network capability security 6 8.8 Secure audit 6 8.9 Virtual network capability security 6 8.10 Relationship between security requirements and security threats 6 9 Security functions for open capabilities of telecommunication servi

28、ces 7 9.1 Access control 7 9.2 Authentication 8 9.3 Digital signature . 8 9.4 Encipherment 9 9.5 Event detection . 9 9.6 Key exchange . 9 9.7 Security audit trail 10 9.8 Security recovery 10 9.9 Relationship between security functions and security requirements 10 Bibliography. 12 Rec. ITU-T X.1145 (

29、05/2017) 1 Recommendation ITU-T X.1145 Security framework and requirements for open capabilities of telecommunication services 1 Scope This Recommendation provides a security framework and requirements for open capabilities of telecommunication services. This Recommendation analyses the challenges b

30、rought forward by open capabilities of telecommunication services and identifies hence the specific security requirements for the operators. These security requirements specified together form a security framework for operators to manage the security of open capabilities of their telecommunication s

31、ervices. The purpose of this Recommendation is to safeguard operators capabilities of telecommunication services and the business paradigm of open capabilities of telecommunication services, to protect operators telecommunication systems and to enhance user experience. 2 References None. 3 Definitio

32、ns 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 access control b-ITU-T X.800: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 authentication information b-ITU-T X.800

33、: Information used to establish the validity of a claimed identity. 3.1.3 authentication exchange b-ITU-T X.800: A mechanism intended to ensure the identity of an entity by means of information exchange. 3.1.4 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access

34、 based on access rights. 3.1.5 availability b-ITU-T X.800: The property of being accessible and useable upon demand by an authorized entity. 3.1.6 cryptography b-ITU-T X.800: The discipline which embodies principles, means, and methods for the transformation of data in order to hide its information

35、content, prevent its undetected modification and/or prevent its unauthorized use. NOTE Cryptography determines the methods used in encipherment and decipherment. An attack on a cryptographic principle, means, or method is cryptanalysis. 3.1.7 encipherment b-ITU-T X.800: The cryptographic transformat

36、ion of data (see cryptography) to produce ciphertext. NOTE Encipherment may be irreversible, in which case the corresponding decipherment process cannot feasibly be performed. 3.1.8 key b-ITU-T X.800: A sequence of symbols that controls the operations of encipherment and decipherment. 2 Rec. ITU-T X

37、.1145 (05/2017) 3.1.9 personally identifiable information (PII) b-ITU-T X.1252: Any information a) that identifies or can be used to identify, contact, or locate the person to whom such information pertains; b) from which identification or contact information of an individual person can be derived;

38、or c) that is or can be linked to a natural person directly or indirectly. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 authentication: A short form of the term authentication exchange defined as in clause 3.1.3 above. 3.2.2 capability: An ability t

39、hat a system or an equipment provides for offering a service. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: DDoS Distributed Denial-of-Service DoS Denial of Service ICT Information Communication Technology IT Information Technology OCTS Open Capabili

40、ties of Telecommunication Services OSI Open Systems Interconnection OTT Over-The-Top PII Personally Identifiable Information 5 Conventions None. 6 Overview Due to network evolution and communication technology development, applications and services in the telecommunication domain increasingly contai

41、n more and more diverse technologies. Along with the enhancing of communication device capabilities and the boom in applications and services, users usage requirements are becoming more varied. To respond to this over-the-top (OTT) services boom in the domain of information communication technology

42、(ICT) and to satisfy users requirements, operators are exploring the open capabilities of telecommunication services as an innovative business paradigm. Moreover, telecommunication operators own and provide competitive resources and service capabilities for the over-the-top services which can be cat

43、egorized as follows: network capability: enables operators to assign and dynamically adjust specific network resources based on users requirements; business capability: enables operators to assign specific business resources; cooperation capability: enables operators to offer platforms or interfaces

44、 to business partners to create innovation businesses. 6.1 General model of open capabilities of telecommunication services The general model of open capabilities of telecommunication services (OCTS) is shown in Figure 1. Rec. ITU-T X.1145 (05/2017) 3 Figure 1 General model of OCTS There are four en

45、tities in the OCTS model: 1) the telecommunication operator, 2) the business partner, 3) the developer, and 4) the individual user. The telecommunication operator offers open capabilities to the business partner, the developer and the individual user. The business partner generally has its own busin

46、ess rather than an offered telecommunication service, such as an electronic payment service or online education service. The business partner cooperates with the telecommunication operator that uses the open telecommunication capabilities to enhance its customized services. For example, an electroni

47、c payment service provider uses the open short message capability that sends a real-time message to remind a customer about the details of an online payment. The developer generally uses the open capabilities through the open platform or interfaces that are offered by the operator to develop new app

48、lications. The individual user generally uses the open network capability to get personalized services, such as obtaining high network bandwidth during off-work time for their personal mobile devices compared to lower network bandwidth during work time. 6.2 Open capabilities categorization Open capa

49、bilities of telecommunication services can be abstracted into the three categories: network capability, business capability, and cooperation capability. An overview of open capabilities is shown in Figure 2. Figure 2 Overview of open capabilities Network capability is composed of the fixed network capability that offers Internet access/line telephone services and the mobile network capability that offers mobile telecommunication services. Business capability implies the spe