3G TS 21.133 V3.0.0 (1999-05)
Technical Specification

3rd Generation Partnership Project;
Technical Specification Group Services and System Aspects;
3G Security;
Security Threats and Requirements
(3G TS 21.133 version 3.0.0)

The present document has been developed within the 3rd Generation Partnership Project (3GPP™) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organisational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organisational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP™ system should be obtained via the 3GPP Organisational Partners' Publications Offices.

Reference: DTS/TSGS0321133U
Keywords: Security, Threats, Requirements

3GPP
Postal address: 3GPP support office address, 650 Route des Lucioles - Sophia Antipolis, Valbonne - FRANCE
Tel.: +33 4 92 94 42 00
Fax: +33 4 93 65 47 16
Internet: http://www.3gpp.org

Contents

Foreword
1 Scope
2 References
3 Definitions and Abbreviations
3.1 Definitions
3.2 Abbreviations
4 General objectives for 3G security features
5 Security context
5.1 System assumptions
5.1.1 Type of services and service management
5.1.2 Access to services
5.1.3 Service provision
5.1.4 System architecture
5.1.5 Security management
5.1.6 Interworking and compatibility
5.1.7 Charging and billing
5.1.8 Supplementary services
5.2 3G roles
5.2.1 User domain
5.2.2 Infrastructure domain
5.2.3 Non-3G infrastructure domain
5.2.4 Off-line parties
5.2.5 Intruders
5.3 3G architecture
5.4 3G identities
5.5 3G data types and data groups
5.5.1 3G data types
5.5.1.1 User traffic
5.5.1.2 Signalling data
5.5.1.3 Control data
5.5.2 3G data groups
5.5.2.1 User-related data
6 Security threats
6.1 Threats associated with attacks on the radio interface
6.1.1 Unauthorised access to data
6.1.2 Threats to integrity
6.1.3 Denial of service attacks
6.1.4 Unauthorised access to services
6.2 Threats associated with attacks on other parts of the system
6.2.1 Unauthorised access to data
6.2.2 Threats to integrity
6.2.3 Denial of service attacks
6.2.4 Repudiation
6.2.5 Unauthorised access to services
6.3 Threats associated with attacks on the terminal and UICC/USIM
7 Risk Assessment
7.1 Evaluation of threats
7.1.1 Threats evaluated to be of major or medium value
8 Security Requirements
8.1 Requirements derived from threat analysis
8.1.1 Requirements on security of 3GPP services
8.1.1.1 Requirements on secure service access
8.1.1.2 Requirements on secure service provision
8.1.2 Requirements on system integrity
8.1.3 Requirements on protection of personal data
8.1.3.1 Security of user-related transmitted data
8.1.3.2 Security of user-related stored data
8.1.4 Requirements on the terminal/USIM
8.1.4.1 USIM Security
8.1.4.2 Terminal Security
8.2 External requirements
8.2.1 Regulator requirements
8.2.1.1 Lawful interception
Annex A (Informative): Threats linked to active attacks on the radio access link
A.1 User identity catching
A.2 Suppression of encryption between target and intruder
A.3 Compromise of authentication data
A.4 Hijacking of services
Annex B: Change history
History

Foreword

This Technical Specification has been produced by the 3GPP.

The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of this TS, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows:

Version 3.y.z

where:

x the first digit:
  1 presented to TSG for information;
  2 presented to TSG for approval;
  3 Indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the specification;

1 Scope

This specification takes notice of the Security Principles and Objectives as set out in [1]. It contains an evaluation of perceived threats to 3GPP and produces subsequently a list of security requirements to address these threats.

As teleservices and applications will not, in general, be standardised, it is difficult to predict their exact nature. Therefore, this specification considers all security threats and aims at listing generic security requirements that shall be applicable irrespective of the actual services offered. The list of threats and requirements may however need to be updated as the 3GPP system evolves.

The threat analysis performed relies to a large extent on previous experiences with 2G systems, in particular GSM, and takes into account known problems from that area.

The security requirements listed in this specification shall be used as input for the choice of security features and the design of the 3GPP security architecture as specified in [2].

The structure of this technical specification is as follows:

clause 2 lists the references used in this specification;
clause 3 lists the definitions and abbreviations used in this specification;
clause 4 contains a reference to the general objectives for 3G security;
clause 5 contains an overview of the context in which the security architecture of 3G is designed;
clause 6 contains a list of identified security threats to 3G, and gives some results from the threat analyses that have been performed;
clause 7 contains an overview of the risk assessment resulting from the threat analyses performed;
clause 8 contains the resulting list of security requirements for 3G and indicates how these requirements relate to the threats and the security objectives.

Finally, Annex A gives some more detailed information on threats and risks connected to so called false base station attacks.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

- References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. A non-specific reference to an ETS shall also be taken to
  refer to later versions published as an EN with the same number.

[1] 3G TS 33.120: “3G Security; Security Principles and Objectives”.
[2] 3G TS 33.102: “3G Security; Security Architecture”.

Baseline documents:
3GPP s3-99003: UMTS 33.21, version 2.0.0: “Security requirements”.
3GPP s3-99016: ARIB, Requirements and Objectives for 3G Mobile Services and System, Annex 8 - Security Design Principles.
ETSI SMG10 99CO19: Countermeasures to active attacks on the radio access link.

[3] ETSI ETR 332: “Security Techniques Advisory Group; Security requirements capture”.
[4] ETSI ETR 331: “Definition of user Requirements for lawful interception of telecommunications; Requirements of the law enforcement agencies”.
[5] ISO 7498-2: “Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture”.
[6] ISO/IEC 10181-2: “Information Technology - Open Systems Interconnection - Security Frameworks in Open Systems”.
[7] ISO/IEC 11770-1: “Information Technology - Security Techniques - Key Management, Part 1: Key Management Framework”.
[8] UMTS 22.00: “Universal Mobile Telecommunications System (UMTS): UMTS Phase 1”.
[9] UMTS 22.01: “Universal Mobile Telecommunications System (UMTS): Service aspects; service principles”.
[10] UMTS 22.21: “Universal Mobile Telecommunications System (UMTS): Virtual Home Environment”.
[11] UMTS 23.01: “Universal Mobile Telecommunications System (UMTS): General UMTS Architecture”.
[12] UMTS 30.01: “Universal Mobile Telecommunications System (UMTS): UMTS Baseline Document; Positions on UMTS agreed by SMG”.
[13] UMTS 33.20: “Universal Mobile Telecommunications System (UMTS): Security Principles”.

3 Definitions and Abbreviations

3.1 Definitions

For the purposes of the present document, the following definitions apply:

Access Control: The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner [5].

Authentication: The provision of assurance of the claimed identity of an entity [6].

Cloning: The process of changing the identity of one entity to that of an entity of the same type, so that there are two entities of the same type with the same identity.

Confidentiality: The property of information that it has not been disclosed to unauthorised parties.

Integrity: The property of information that it has not been changed by unauthorised parties.

Key Management: The administration and use of the generation, registration, certification, deregistration, distribution, installation, storage, archiving, revocation, derivation and destruction of keying material in accordance with a security policy [7].

Law Enforcement Agency (LEA): An organisation authorised by a lawful authorisation, based on a national law, to receive the results of telecommunication interceptions [4].

Lawful Authorisation: Permission granted to an LEA under certain conditions to intercept specified telecommunications and requiring co-operation for a network operator or service provider. Typically this refers to a warrant or order issued by a lawfully authorised body [4].

Lawful Interception: The action (based on the law), performed by a network operator or service provider, of making available certain information and providing that information to a Law Enforcement Monitoring Facility [4].

Non-Repudiation Service: A security service which counters the threat of repudiation.

Repudiation: Denial by one
of the parties involved in a communication of having participated in all or part of the communication [5].

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

GSM         Global System for Mobile communications
HE          Home Environment
IMEI        International Mobile Equipment Identity
IMT-2000    International Mobile Telecommunications-2000
IMUI        International Mobile User Identity
IP          Internet Protocol
ISDN        Integrated Services Digital Network
ITU         International Telecommunications Union
N-ISDN      Narrowband ISDN
PIN         Personal Identification Number
PSTN        Public Switched Telephone Network
SIM         Subscriber Identity Module
SN          Serving Network
TD-CDMA     Time Division - Code Division Multiple Access
TMN         Telecommunications Management Network
UICC        UMTS Integrated Circuit Card
UMTS        Universal Mobile Telecommunication System
UPT         Universal Personal Telecommunication
USIM        User Services Identity Module
UTRAN       UMTS Terrestrial Radio Access Network
VHE         Virtual Home Environment
W-CDMA      Wideband - Code Division Multiple Access

4 General objectives for 3G security features

The general objectives for 3G security features have been stated as [1]:

a) to ensure that information generated by or relating to a user is adequately protected against misuse or misappropriation;
b) to ensure that the resources and services provided by serving networks and home environments are adequately protected against misuse or misappropriation;
c) to ensure that the security features standardised are compatible with world-wide availability (There shall be at least one ciphering algorithm that can be exported on a world-wide basis (in accordance with the Wassenaar agreement));
d) to ensure that the security features are adequately standardised to ensure world-wide interoperability and roaming between different serving networks;
e) to ensure that the level of protection afforded to users and providers of services is better than that provided in contemporary fixed and mobile networks;
f) to ensure that the implementation of 3G security features and mechanisms can be extended and enhanced as required by new threats and services.

Furthermore it has been agreed that the basic security features employed in 2G systems will be retained, or where needed enhanced. These include:

- subscriber authentication,
- radio interface encryption,
- subscriber identity confidentiality,
- use of removable subscriber module,
- transparency of security features,
- secure application layer channel between subscriber module and home network,
- minimised need for trust between HE and SN.

In some instances, 3G will need to be equipped with stronger or more flexible security mechanisms than those which were designed for GSM, due to new or increased threats. These will be treated in the threat analysis.

Mechanisms for combating fraud in roaming situations should be included in the 3G specifications from the start.

Mechanisms for lawful interception under
authorisation should be included in 3G specifications from the start.

5 Security context

The purpose of this clause is to describe the context in which the 3G security features are designed. This specification assumes the system assumptions, network architecture and functional roles given in UMTS 23.01 [11] and UMTS 30.01 [12], the service description given in UMTS 22.01 [9] and the UMTS Phase 1 description given in UMTS 22.00 [8].

In subclause 5.1 the system assumptions that describe 3G in general and especially those that have a significant bearing on security are listed.

In subclause 5.2 roles that have a significant bearing on security are defined.

In subclause 5.3 various architectural components that have an impact on the design of 3G security features are defined.

In subclause 5.4 various identities used in 3G that have an impact on the design of 3G security features are defined.

In subclause 5.5 data types and groups that are used to help identify security threats and requirements are defined.

5.1 System assumptions

In this subclause 3G system assumptions that have an impact on the design of 3G security features are listed. These assumptions are derived from UMTS 30.01 [12], UMTS 22.01 [9] and UMTS 22.00 [8].

5.1.1 Type of services and service management

a) 3G shall support the full range of services from narrow-band (most important: speech) to wide-band (2 Mbps as target) based upon an advanced highly efficient and