AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS

ATIS-0100001.2004(R2013)

User Plane Security Guidelines and Requirements

As a leading technology and solutions development organization, ATIS brings together the top global ICT companies to advance the industry's most-pressing business priorities. Through ATIS committees and forums, nearly 200 companies address cloud services, device solutions, emergency services, M2M communications, cyber security, ehealth, network evolution, quality of service, billing support, operations, and more. These priorities follow a fast-track development lifecycle from design and innovation through solutions that include standards, specifications, requirements, business use cases, software toolkits, and interoperability testing.

ATIS is accredited by the American National Standards Institute (ANSI). ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of oneM2M, a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications sectors, and a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit.

AMERICAN NATIONAL STANDARD

Approval of an American National Standard requires review by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review,
substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made towards their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Notice of Disclaimer

[...] changes cannot be prevented unless the system is perfect (error-free) and no malicious user has access. However, a system that offers data integrity service might also attempt to correct and recover from changes.

Relationship between data integrity service and authentication services: Although data integrity service is defined separately from data origin authentication service and peer entity authentication service, it is closely related to them. Authentication services depend, by definition, on companion data integrity services. Data origin authentication service provides verification that the identity of the original source of a received data unit is as claimed; there can be no such verification if the data unit has been altered. Peer entity authentication service provides verification that the identity of a peer entity in a current association is as claimed; there can be no such verification if the claimed identity has been altered. 10

3.1.8 Emergency Telecommunications Service: A telecommunications service offering available on public communications networks that facilitates the work of authorized emergency personnel in times of disaster, national emergency, or for executive/governmental
communications relating to National Security/Emergency Preparedness (NS/EP).

3.2 Acronyms & Abbreviations

3GPP     3rd Generation Partnership Project
AES      Advanced Encryption Standard
ANSI     American National Standards Institute
ATIS     Alliance for Telecommunications Industry Solutions
EPA      Environmental Protection Agency
ETS      Emergency Telecommunications Service
FEMA     Federal Emergency Management Agency
FIPS     Federal Information Processing Standards
GETS     Government Emergency Telecommunications Service
HAZMAT   Hazardous Materials
HMAC     Keyed-Hash Message Authentication Code
NS/EP    National Security / Emergency Preparedness
PIN      Personal Identification Number
PLMN     Public Land Mobile Network
PSTN     Public Switched Telephone Network
SHA      Secure Hash Algorithm
SHS      Secure Hash Standard
WPS      Wireless Priority Service

4 BASIC GUIDELINES FOR SECURITY AND CRYPTOGRAPHIC MECHANISMS AND THEIR IMPLEMENTATION

1. Wherever possible, security protocols will be open source and standardized.
2. Where encryption is used, AES (in its current FIPS equivalent) will be utilized wherever it applies.
3. Where encryption is used for integrity, HMAC (SHA-1) will be used.
4. Simplicity, reliability, and wide-spread implementability will be valued over the inclusion of a plethora of options.
5. Security mechanisms for ETS communications (other than AES and HMAC-SHA1) will be reviewed by qualified security/cryptographic experts before selection. The selected mechanisms (beyond those already provided in the public network) should be implemented by qualified security/cryptographic experts.

It should be noted that certain FIPS Standards will be required in applications contracted by the U.S. Government (e.g., AES, HMAC-SHA).

5 SECURITY LEVELS FOR ETS COMMUNICATIONS

In developing security guidelines for ETS, it is useful to ascertain the level of security that is needed for a particular ETS communication. It is recognized that different users of this service will require differing levels of security. While authentication is needed in all cases, some cases may not need data confidentiality. In Annex A, 5 levels (1 is highest) of emergency users/priorities are listed in Table A.1. Annex A also offers descriptive scenarios to further clarify the distinctions between the different levels. These levels are supported in the Wireless Priority Service². It is expected that the number of priority levels
might be different for other networks (e.g., the Internet). Because they are already part of an existing ETS, the 5 levels defined in Annex A are used to delineate the different levels of security needed for an ETS communication. Even though some network types (e.g., the Internet) may only offer one priority level for ETS communications, the network may provide different security mechanisms to different classes of users. From a user-plane perspective, security will be end-to-end.

6 SECURITY REQUIREMENTS FOR ETS COMMUNICATIONS

6.1 Authentication Requirements

ETS users must be able to be authenticated by at least one method. Ideally, at least two authentication mechanisms should be supported: one that will be available on any user's equipment (generic) and one that will require a specialized piece of user equipment (hardware specific). Once authenticated, the call or session could in some way be labeled as an ETS communication to facilitate ETS handling. Other methods for providing security without labels may be possible.

Any call/session entering an ETS enabled network with an ETS label (e.g., from the PSTN) will be authorized by default if it is from a trusted network and the call/session will receive the appropriate priority treatment in the network. Trusted networks are networks that are trusted at the level of security needed for the particular communication session. The recognition of trusted networks will be accomplished in the signaling and control plane and is for further study. For networks that are not trusted, one or more of the authentication methods described below will be used.

The behavior of ETS labels (if used) on international networks is not part of this Standard. This important topic is for further study.

6.1.1 Generic Authentication

Generic authentication of calls/sessions originating on an ETS enabled access network, if offered, will be available to an ETS user on any given user's equipment. This might be accomplished, for example, by calling a special number and entering a PIN, or accessing a special website and downloading an applet that prompts for a username and password. If a PIN is used, the length should be at least twelve³ characters (numerals and/or letters). For the generic authentication, no special hardware is required nor is any special hardware expected to be in the communications equipment. The intent of this method is that
authentication can be accomplished using access to the public network using common consumer premises equipment.

The recognition of ETS enabled networks and how ETS communications will be established across one or more network sections that are not ETS-enabled are for further study and will probably be addressed in the signaling and control plane.

² See for more information.
³ Twelve numerals are used in the current GETS system. ETS must have at least that level of security. This level of security is considered the lowest acceptable level.

6.1.2 Hardware Specific Authentication

Hardware specific methods of authentication may be dependent upon the ETS user's equipment. This authentication will only be available on particular pieces of equipment (e.g., phones, computers, etc.), and may additionally require a smartcard, and/or biometrics, and/or a PIN.

6.2 Authorization Requirements

An authenticated ETS user will be authorized to receive special handling of his/her communications consistent with that user's priority level. The authorization level determination usually takes place during the authentication process. The authorization level will determine, among other things, the kind of security required for that call/session (i.e., the level of confidentiality and integrity validation needed).

6.3 Data Confidentiality Requirements

Authenticated ETS users authorized at certain levels will have their communications encrypted. The required method will incorporate the
AES in its current FIPS equivalent using a minimum 256-bit key 8. The encryption for data confidentiality will be done by the user equipment.

6.4 Data Integrity Requirements

Authenticated ETS users authorized at certain levels will have their non-realtime (i.e., other than interactive voice and video) communications checked for data integrity. The required method will incorporate the HMAC-SHA-256 in its current FIPS equivalent.

Security for signaling and control is not addressed in this Standard.

Annex A (informative)

A PRIORITIES FOR NS/EP USERS

This Annex defines 5 levels
(1 is highest) of emergency users or priorities and offers descriptive scenarios to further clarify the distinctions. These levels will be used in the classification of ETS users regarding their security needs. These levels are supported in the Wireless Priority Service. It is expected that the number of priority levels might be different for other networks. For example, some applications may provide 5 levels of priority and security at the access to the network but may support only 1 (or even 0) levels of priority over certain network portions (e.g., backbone networks).

Table A.1 - Priorities for NS/EP Users

Priority Level: 1
Responsibility: Executive Leadership and Policy Makers
Qualifying Criteria: Users who qualify for the Executive Leadership and Policy Makers priority will be assigned Priority 1. A limited number of PLMN technicians who are essential to restoring the PLMN networks shall also receive this highest priority treatment. Wireless carrier may assign Priority 1 to its technicians with operational responsibilities.

Priority Level: 2
Responsibility: Disaster Response / Military Command and Control
Qualifying Criteria: Users who qualify for the Disaster Response/Military Command and Control priority will be assigned Priority 2. Individuals eligible for Priority 2 include personnel key to managing the initial response to an emergency at the local, State, regional, and Federal levels. Personnel selected for this priority should be responsible for ensuring the viability or reconstruction of the basic infrastructure in an emergency area. In addition, personnel essential to the continuity of government and national security functions (e.g., conducting international affairs and intelligence activities) are included.

Priority Level: 3
Responsibility: Public Health, Safety, and Law Enforcement Command
Qualifying Criteria: Users who qualify for the Public Health, Safety, and Law Enforcement Command priority will be assigned Priority 3. Eligible for this priority are individuals who direct operations critical to life, property, and maintenance of law and order immediately following an event.

Priority Level: 4
Responsibility: Public Services / Utilities and Public Welfare
Qualifying Criteria: Users who qualify for the Public Services/Utilities and Public Welfare priority will be assigned Priority 4. Eligible for this priority are those users whose responsibilities include managing public works and utility infrastructure damage assessment and restoration efforts and transportation to accomplish emergency response activities.

Priority Level: 5
Responsibility: Disaster Recovery
Qualifying Criteria: Users who qualify for the Disaster Recovery priority will be assigned Priority 5. Eligible for this priority are those individuals responsible for managing a variety of recovery operations after the initial response has been accomplished.

Table 1 is taken from an informative annex of a 3GPP draft Technical Report, 3GPP TR 22.9050 V6.2.0 (2003-03) of the 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, Priority Service feasibility study, Release 6, GSM. The following subsections offer illustrative examples of the 5 levels.

A.1 Level 1 Executive Leadership and Policy Makers

In the aftermath of a devastating earthquake in San Francisco, the U.S. President, at an undisclosed location, needs to telephone the Vice President, who is also at an undisclosed location. The substance of the discussion and the identities of the participants must be cloaked in the strictest confidentiality.

A.2 Level 2 Disaster Response/Military Command and Control

A huge multi-megawatt power station is incapacitated by a series of upstream accidents and a resulting overload. Bringing it back online successfully requires the coordination of several regional power company facilities. Initial communications among these entities is done over the PSTN using Level 2 priority. If the PSTN congestion increases, the communication is done using WPS. Drawings of the power grid and the sequence of s
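
The dependency stated in the data integrity definition (origin authentication cannot hold if the data unit or the claimed identity has been altered) and the HMAC-SHA-256 requirement of 6.4 can be shown together. The following is an added example, not part of the Standard: one tag covers both the claimed origin and the data unit, so changing either makes verification fail. The key, identity strings, payload and the length-prefixed encoding are constructed assumptions.

```python
import hashlib
import hmac

# Constructed 256-bit demo key; real keys come from the deployment's own key
# management, which the Standard does not describe.
DEMO_KEY = bytes(range(32))


def _mac_input(origin_id: bytes, data_unit: bytes) -> bytes:
    """Bind the claimed origin to the data with an unambiguous encoding."""
    if len(origin_id) > 0xFFFF:
        raise ValueError("origin_id too long for 2-byte length prefix")
    # The length prefix stops bytes moving between identity and data unnoticed.
    return len(origin_id).to_bytes(2, "big") + origin_id + data_unit


def make_tag(key: bytes, origin_id: bytes, data_unit: bytes) -> bytes:
    """Sender side: HMAC-SHA-256 over (claimed origin, data unit)."""
    return hmac.new(key, _mac_input(origin_id, data_unit), hashlib.sha256).digest()


def verify(key: bytes, origin_id: bytes, data_unit: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = make_tag(key, origin_id, data_unit)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    origin = b"ets-user-0001"                     # constructed identity
    data = b"grid drawing rev 3: open breaker 7"  # constructed non-realtime payload
    tag = make_tag(DEMO_KEY, origin, data)
    return {
        "intact": verify(DEMO_KEY, origin, data, tag),
        "data_altered": verify(DEMO_KEY, origin, data.replace(b"7", b"9"), tag),
        "origin_altered": verify(DEMO_KEY, b"ets-user-0002", data, tag),
        "wrong_key": verify(bytes(32), origin, data, tag),
        # Same concatenated bytes, different split between identity and data.
        "boundary_shift": verify(DEMO_KEY, origin[:-1], origin[-1:] + data, tag),
        "truncated_tag": verify(DEMO_KEY, origin, data, tag[:16]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

Only the unmodified message verifies; every altered case, including the one where the same bytes are split differently between identity and data, is rejected.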