DIN ETS 300790-1998 Universal Personal Telecommunication (UPT) - Security architecture for UPT phase 2 - Specification; English version ETS 300790 : 1997


GERMAN STANDARD (DEUTSCHE NORM), July 1998

Universal Personal Telecommunication (UPT) - Security architecture for UPT phase 2 - Specification; English version ETS 300790 : 1997

DIN ETS 300790
ICS 33.040.01
Descriptors: UPT, telecommunication, security

European Telecommunication Standard ETS 300790 : 1997 has the status of a German Standard.

National foreword

This standard has been published on the basis of European Telecommunication Standard ETS 300790, October 1997 edition, "Universal Personal Telecommunication (UPT) - Security architecture for UPT phase 2 - Specification", issued by the European Telecommunications Standards Institute (ETSI). In accordance with DIN Presidial Resolution 13/1983, this standard contains the original English text of ETS 300790 as prepared by ETSI Technical Subcommittee NA 6. The body technically responsible in Germany is Subcommittee 722.4 "Intelligent networks" of the Deutsche Elektrotechnische Kommission im DIN und VDE (DKE).

Continued: 38 pages of ETS original

Deutsche Elektrotechnische Kommission im DIN und VDE (DKE)

© DIN Deutsches Institut für Normung e.V. Reproduction of any kind, even in part, is permitted only with the approval of DIN Deutsches Institut für Normung e.V., Berlin. Sole distributor of the standards: Beuth Verlag GmbH, 10772 Berlin.

ETS 300 790
October 1997

Source: NA
Reference: DUNA-064006
ICS: 33.020
Key words: UPT, security, card

Universal Personal Telecommunication (UPT); Security architecture for UPT Phase 2; Specification

ETSI European Telecommunications Standards Institute
ETSI Secretariat
Postal address: F-06921 Sophia Antipolis CEDEX - FRANCE
Office address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCE
X.400: c=fr, a=atlas, p=etsi, s=secretariat - Internet: secretariat@etsi.fr
Tel.: +33 4 92 94 42 00 - Fax: +33 4 93 65 47 16

Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 1997. All rights reserved.

Page 2 ETS 300 790: October 1997

Whilst every care has been taken in the preparation and publication of this document, errors in content, typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to "ETSI Editing and Committee Support Dept." at the address shown on the title page.

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Definition and abbreviations
  3.1 Definition
  3.2 Abbreviations
4 Security requirements and security features
  4.1 UPT Phase 2 security requirements
    4.1.1 Requirements from the threat analysis
    4.1.2 Personal data integrity issues
    4.1.3 Additional requirements on UPT interworking with GSM
    4.1.4 Additional requirements on UPT interworking with ISDN
    4.1.5 Additional requirements on UPT interworking with data services
    4.1.6 UPT Security requirements associated with the use of UPT cards
      4.1.6.1 Management requirements
      4.1.6.2 Operational requirements
  4.2 UPT security features
    4.2.1 Authentication features
      4.2.1.1 Discussion on possible features to meet the authentication requirements
      4.2.1.2 Evaluation and choice of security features for authentication
    4.2.2 Security management
    4.2.3 Reset and blocking
    4.2.4 Security features related to the use of UPT cards
    4.2.5 Security features available as UPT supplementary services
  4.3 UPT security limitations
5 Security mechanisms
  5.1 Access control mechanisms
    5.1.1 Access control to the services
    5.1.2 Access control to the service profile data
    5.1.3 Access control to the data in the UPT card
  5.2 User authentication mechanism
    5.2.1 Two pass strong authentication
    5.2.2 Authentication of the user to the UPT card
  5.3 Extra authentication for outgoing calls
  5.4 Special authentication for called party specified secure answering of incoming calls
  5.5 Security management
    5.5.1 Charging control
    5.5.2 Information management
    5.5.3 Service restrictions for OCR and for Remote OCR (ROCR)
    5.5.4 Warnings about registration side effects
    5.5.5 Security management of the UPT card
  5.6 Service limitations
  5.7 Security profiles
    5.7.1 Security profile for weak authentication
    5.7.2 Security profile for one pass strong authentication
    5.7.3 Security profile for two pass strong authentication
6 Parameter sizes and values
7 Functional specification of the UPT card
  7.1 Storage of data
  7.2 Processing
    7.2.1 Time-out
    7.2.2 Calculations by the authentication algorithm
  7.3 User interface
8 Functional specification of the security protocol
  8.1 Two pass strong authentication
  8.2 Extra authentication for OCPIN
  8.3 Special authentication for SAPIN
9 Functional specification of the AE
  9.1 Check of PUI and authentication type used
  9.2 Two-pass strong authentication
  9.3 SAPIN and OCPIN procedures
  9.4 PIN change check
10 Authentication algorithms
  10.1 The USA-4 algorithm
  10.2 The TESA-7 algorithm
  10.3 Other algorithms
  10.4 Same algorithm for one pass and two pass strong authentication
Annex A (normative): Implementation Conformance Statement (ICS) proformas
  A.1 Scope
  A.2 Abbreviations
  A.3 ICS proforma for UPT cards used for two pass strong authentication
    A.3.1 Introduction
    A.3.2 Identification of the implementation, product supplier and test laboratory client
    A.3.3 Identification of the ETS
    A.3.4 Global statement of conformance
    A.3.5 Main features
  A.4 ICS proforma for card reading terminals supporting UPT
    A.4.1 Introduction
    A.4.2 Identification of the implementation, product supplier and test laboratory client
    A.4.3 Identification of the ETS
    A.4.4 Global statement of conformance
    A.4.5 Main features
  A.5 ICS proforma for the AE
    A.5.1 Introduction
    A.5.2 Identification of the ETS
    A.5.3 Global statement of conformance
    A.5.4 Main features
Annex B (informative): Bibliography
History

Foreword

This European Telecommunication Standard (ETS) has been produced by the Network Aspects (NA) Technical Committee of the European Telecommunications Standards Institute (ETSI).

This ETS, in association with ETS 300 791 [5], forms the specification of the security architecture for UPT Phase 2.

Transposition dates
  Date of adoption: 19 September 1997
  Date of latest announcement of this ETS (doa): 31 December 1997
  Date of latest publication of new National Standard or endorsement of this ETS (dop/e): 30 June 1998
  Date of withdrawal of any conflicting National Standard (dow): 30 June 1998

Introduction

Universal Personal Telecommunication (UPT) is a service that enables improved access to telecommunication services by allowing personal mobility. It enables each UPT user to participate in a user defined set of subscribed services, and to initiate and receive calls on the basis of a unique, personal, network independent UPT number across multiple networks at any terminal, fixed, movable or mobile. Such participation is irrespective of geographic location, limited only by the network capabilities and restrictions imposed by the Service Provider (SP), the subscriber or the user himself. Calls to a UPT user may also be made by non-UPT users.

ETSI TC NA has defined three service scenarios for UPT (ETR 055). This ETS of the security architecture deals with the basic UPT service scenario (UPT Phase 2). This scenario should cover also the Global System for Mobile communications (GSM) network (whereas Phase 1 covered Public Switched Telephone Network (PSTN) and Integrated Services Digital Network (ISDN)), data services (whereas Phase 1 covered the telephony service), Identity Code (IC) cards and IC card reading devices or terminals for authentication (whereas Phase 1 covered only Dual Tone Multi-Frequency (DTMF) signalling for authentication). The UPT Phase 2 also offers a more complete set of service features, including registration for outgoing calls, secure answer, call pick-up and a set of supplementary UPT features.

A high level of security is a necessary condition for a telecommunication service like UPT to become a success. Accountability, incontestable charging, and privacy are important examples of requirements that have to be fulfilled by technical and organizational security measures.

Security mechanisms can only meet their purpose if they are integrated into the system in an appropriate way. Many of these mechanisms depend on the secure handling of secret information like authentication keys and Personal Identity Numbers (PINs).

This ETS in combination with ETS 300 391-1 [2] specifies the complete security architecture for UPT Phase 2. It should be noted that this ETS is meant to be in addition to the Phase 1 ETS ("delta document"). For instance, a new security mechanism using IC cards is described. For security reasons, authentication should be performed by means of UPT cards, when the infrastructure of UPT card reading terminals has been widely established. It is envisaged that the use of strong authentication will increase.

1 Scope

This European Telecommunication Standard (ETS) provides a description of the additional requirements, features and mechanisms necessary to provide adequate security within the UPT service for Phase 2. It is based on the specification of the Security Architecture for UPT Phase 1, given in ETS 300 391-1 [2] and it specifies the additions to Phase 1 only. The specific security requirements, features and mechanisms additionally needed for UPT Phase 2 are specified in detail. Where applicable Phase 1 is referred to. Downwards compatibility to UPT Phase 1 is fulfilled.

Both this ETS and ETS 300 391-1 [2] are based on the general UPT security architecture given in ETR 083 [1], which describes the threat analysis and security requirements.

Only aspects of the UPT security architecture that concern the security of the overall UPT service and information exchange between the user and the network are standardized.

Clause 4 summarizes the Phase 2 relevant security requirements and security features. It also specifies the security requirements to provide UPT on GSM, ISDN and other modern networks. Furthermore, the requirements for cards in UPT (either via card reading terminals or card reading devices) and the requirements for data services are specified.

Clause 5 specifies the security mechanisms for access control, the two pass strong authentication mechanism, security management measures and security profiles.

Clause 6 summarizes the sizes of the parameters used in the mechanisms.

The next three clauses give the functional specifications of respectively the UPT card (see clause 7), the security protocol (see clause 8) and the Authenticating Entity (AE), (see clause 9).

Clause 10 describes the possible authentication algorithms to be used in UPT Phase 2, such as UPT Security Algorithm (USA-4) and TE7 Security Algorithm (TESA-7).

Three relevant Implementation Conformance Statement (ICS) proformas are specified in annexes.

2 Normative references

This ETS incorporates by dated or undated reference, provisions from other publications. These normative references are cited at the appropriate places in the text and the publications are listed hereafter. For dated references, subsequent amendments to or revisions of any of these publications apply to this ETS only when incorporated in it by amendment or revision. For undated references, the latest edition of the publication referred to applies.

[1] ETR 083 (1993): "Universal Personal Telecommunication (UPT); General UPT security architecture".
[2] ETS 300 391-1 (1995): "Universal Personal Telecommunication (UPT); Specification of the security architecture for UPT Phase 1; Part 1: Specification".
[3] ISO/IEC 9646-7 (1995): "Information technology - Open systems interconnection - Conformance testing methodology and framework - Part 7: Implementation Conformance Statements".
[4] ETS 300 406 (1995): "Methods for Testing and Specification (MTS); Protocol and profile conformance testing specifications - Standardization methodology".
[5] ETS 300 791: "Universal Personal Telecommunication (UPT); Security architecture for UPT Phase 2 Conformance Test Specification (CTS)".

3 Definition and abbreviations

3.1 Definition

For the purposes of this ETS, the following definition applies:

UPT card: A UPT card is an IC card used for identification and authentication purposes in a UPT service. UPT cards can be used for one pass strong authentication in the advanced DTMF devices and for two pass strong authentication in card reading terminals. For the purpose of this ETS the latter definition applies.

3.2 Abbreviations

For the purposes of this ETS, the following abbreviations apply:

AC       Authentication Code, calculated in the UPT card and in the AE
AE       Authenticating Entity
ARA      Access Registration Address
CHV      Card Holder Verification
CLIP     Calling Line Identification Presentation
CLIR     Calling Line Identification Restriction
COLP     Connected Line identity Presentation
CT       Command Type
CUG      Closed User Group
DTMF     Dual Tone Multi-Frequency
f        authentication algorithm
GSM      Global System for Mobile communications
IC       Identity Code
ICS      Implementation Conformance Statement
ISDN     Integrated Services Digital Network
K        Authentication Key
MAC      Message Authentication Code
NAP      Network Access Point
OCPIN    Outgoing Call PIN
OCR      Outgoing Call Registration
PIN      Personal Identity Number
PSTN     Public Switched Telephone Network
PUI      Personal User Identity
RAND     RANdom number
ROCR     Remote Outgoing Call Registration
SA       Secure Answer
SAPIN    Secure Answer PIN
SDF      Service Data Function
SIM      Subscriber Identification Module
SP       Service Provider
T        Timer value in the UPT card
TMAX     Maximum value of T
TESA-7   TE7 Security Algorithm
UPT      Universal Personal Telecommunication
USA-4    UPT Security Algorithm

4 Security requirements and security features

Security features needed for UPT Phase 2 are specified according to the requirements presented in ETR 083 [1] and other ETSI UPT reports. In ETS 300 391-1 [2] are specified the security requirement
