ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf

上传人:赵齐羽 文档编号:735908 上传时间:2019-01-12 格式:PDF 页数:144 大小:778.72KB
下载 相关 举报
ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf_第1页
第1页 / 共144页
ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf_第2页
第2页 / 共144页
ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf_第3页
第3页 / 共144页
ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf_第4页
第4页 / 共144页
ETSI TR 102 420-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Review of activity on security (V1 1 1)《电信和互联网融合业务及高级网络协议(TIS.pdf_第5页
第5页 / 共144页
点击查看更多>>
资源描述

1、 ETSI TR 102 420 V1.1.1 (2005-05)Technical Report Telecommunications and Internet converged Services andProtocols for Advanced Networking (TISPAN);Review of activity on securityETSI ETSI TR 102 420 V1.1.1 (2005-05) 2 Reference DTR/TISPAN-07011-Tech Keywords management, report, security ETSI 650 Rout

2、e des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded

3、from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall

4、 be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is availab

5、le at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The cop

6、yright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2005. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently

7、 being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 420 V1.1.1 (2005-05) 3 Contents Intellectual Property Rights5 Foreword.5 1 Scope 6 2 References 6 3 Definitions

8、 and abbreviations.8 3.1 Definitions8 3.2 Abbreviations .8 4 Introduction 9 5 Review of other security domain specifications.9 5.1 ISO/IEC 17799.9 6 ENUM Case study9 6.1 Purpose.9 6.2 Overview of ENUM .9 6.3 Security and common criteria in ENUM11 6.3.1 Privacy concerns.11 6.3.2 Security concerns11 6

9、.3.2.1 DNS security mechanisms 12 6.3.3 Security critical ENUM operations.13 6.3.3.1 Registration of an E.164 number in the ENUM database .13 6.3.3.2 Processes for creation, modification and deletion of NAPTR Records in the Tier 2 database .14 6.3.3.3 Processes for removal of E.164 numbers from ENUM

10、 databases.15 6.3.3.4 Processes for changing Registrars.16 6.3.4 ENUM assets 16 6.3.4.1 NAPTR records.16 6.3.4.2 ENUM query.17 6.3.5 Composite security model 17 6.4 CORAS method application in ENUM analysis 18 6.4.1 Introduction.18 6.4.2 CORAS platform and UML profile 18 6.4.3 The risk management pr

11、ocess.21 6.4.4 The risk documentation framework 23 7 UML modelling24 7.1 Introduction 24 7.2 Core security model24 7.3 Development of stereotypes .26 7.4 Application of stereotypes29 Annex A: UML modelling of ISO/IEC 15408-2.30 A.1 Introduction 30 A.2 Structure of the UML model 33 A.3 UML model for

12、ISO/IEC 15408-2 .34 A.3.1 TSF Package Dependency34 A.3.2 Package TSF_FAU.35 A.3.3 Package TSF_FCO.45 A.3.4 Package TSF_FCS50 A.3.5 Package TSF_FIA 76 A.3.6 Package TSF_FMT.86 A.3.7 Package TSF_FPR96 A.3.8 Package TSF_FPT103 A.3.9 Package TSF_FRU.124 ETSI ETSI TR 102 420 V1.1.1 (2005-05) 4 A.3.10 Pac

13、kage TSF_FTA .130 A.3.11 Package TSF_FTP139 History 144 ETSI ETSI TR 102 420 V1.1.1 (2005-05) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly availab

14、le for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server

15、(http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, o

16、r may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). ETSI ETSI TR 102 420 V1.1.1 (2005-05) 6 1 Scope The present document g

17、athers together and presents information regarding the progress of work in the development of guidelines on the use of the Common Criteria for the evaluation of IT security (ISO/IEC 15408 22). The purpose of the present document is to be a repository for information which is of interest but which ha

18、s no clear place in the core guidance documents, thus: notes on information studied in order to prepare the core guidance documents: - method for application of Common Criteria to ETSI deliverables, EG 202 387 1; - method and proforma for defining Protection Profiles, ES 202 382 2; - method and prof

19、orma for defining Security Targets, ES 202 383 3. notes on use of tools and tool development; and notes on the assistance given to TISPAN-WG4 on the ENUM privacy analysis. 2 References For the purposes of this Technical Report (TR), the following references apply: 1 ETSI EG 202 387: “Telecommunicati

20、ons and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method for application of Common Criteria to ETSI deliverables“. 2 ETSI ES 202 382: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security

21、Design Guide; Method and proforma for defining Protection Profiles“. 3 ETSI ES 202 383: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining Security Targets“. 4 IETF RFC 3761 (2004): “The E.164 to

22、 Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)“. 5 ETSI TS 102 051: “ENUM administration in Europe“. 6 ETSI TS 102 172: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Minimum requirements for inte

23、roperability of ENUM implementations“. 7 IETF RFC 2915: “The Naming Authority Pointer (NAPTR) DNS Resource Record“. 8 IETF STD 013: “Domain Names - Concepts And Facilities“. 9 IETF RFC 2535: “Domain Name System Security Extensions“. 10 ETSI TS 102 165-1: “Telecommunications and Internet Protocol Har

24、monization over Networks (TIPHON) Release 4; Protocol Framework Definition; Methods and Protocols for Security; Part 1: Threat Analysis“. 11 IETF RFC 1034 (1987): “Domain names - concepts and facilities“. 12 IETF RFC 1035 (1987): “Domain names - implementation and specification“. 13 Draft-ietf-dnsex

25、t-dns-threats-07 (2004): “Threat Analysis of the Domain Name System“. ETSI ETSI TR 102 420 V1.1.1 (2005-05) 7 14 Draft-ietf-dnsext-dnssec-protocol-06 (2004): “Protocol Modifications for the DNS Security Extensions“. 15 Draft-ietf-dnsext-dnssec-records-08 (2004): “Resource Records for DNS Security Ex

26、tensions“. 16 ITU-T Recommendation E.164 (1997): “The international public telecommunication numbering plan“. 17 Draft-ietf-dnsext-dnssec-intro-11 (2004): “DNS Security Introduction and Requirements“. 18 “DNSSEC: The Protocol, Deployment, and a Bit of Development“ - The Internet Protocol Journal, Vo

27、lume 7, Issue 2, June 2004. 19 ISO/IEC 15408-1: “Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model“. 20 ISO/IEC 15408-2: “Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security fu

28、nctional requirements“. 21 ISO/IEC 15408-3: “Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements“. 22 ISO/IEC 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. 23 ISO/IEC 17799 (2000):

29、 “Information technology - Code of practice for information security management“. NOTE: BS 7799-1 contains the same information as ISO/IEC 17799. 24 BS 7799-2 (2002): Information security management systems - Specification with guidance for use“. 25 CORAS (2003): “UML profile for security assessment

30、“, Mass Soldal Lund, Ida Hogganvik, Fredrik Seehusen, Ketil Stlen. SINTEF Telecom and Informatics (http:/). 26 ETSI SR 002 211 (2004): “List of standards and/or specifications for electronic communications networks, services and associated facilities and services; in accordance with Article 17 of Di

31、rective 2002/21/EC“. 27 ISO 9000 family: “Quality management systems“, 2000, consisting of: ISO 9000 (2000): “Quality management systems - Fundamentals and vocabulary“; and ISO 9001 (2000): “Quality management systems - Requirements“. 28 ISO/IEC Guide 2: “Standardization and related activities - Voc

32、abulary“; and ISO/IEC DIS 17000: “Vocabulary for conformity assessment“. NOTE: ISO/IEC DIS 17000 is currently in the draft International Standard stage of development; it will replace some of the terminology defined in Guide 2. 29 OMG: “UML Profile for Modeling Quality of Service and Fault Tolerance

33、 Characteristics Protocol Framework Definition; Methods and Protocols for Security; Part 2: Counter Measures“. 31 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directi

34、ve). 32 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). ETSI ETSI TR 102 420 V1.1.1 (2005-05) 8 33

35、 Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector. 34 ISO/IEC 10746 (ODP-RM): “Information technology - Open Distributed Processing“. 35 ETSI EN 300 396-6: “

36、Terrestrial Trunked Radio (TETRA); Direct Mode Operation (DMO); Part 6: Security“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in the ISO/IEC Guide 2 28 and the following apply: accreditation: formal recognition by a speci

37、alized body - an accreditation body - that a certification body is competent to carry out ISO 9000 27 certification in specified business sectors certification: issuing of written assurance (the certificate) by an independent, external body that has audited an organizations management system and ver

38、ified that it conforms to the requirements specified in the standard registration: recording by an auditing body of a particular certification in its client register 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: DNS Domain Name System DNSSEC DNS Secur

39、ity extensions EAL Evaluation Assurance Level ENUM Electronic NUMbering MBRA Model-Based Risk Assessment NAPTR Naming Authority PointeR NNPA National Number Plan Administrator PP Protection Profile PSTN Public Switched Telephone Network RR Resource Record RRSIG Resource Record SIGnature SIP Session

40、Initiation Protocol TLD Top Level Domain TOE Target of Evaluation TSF TOE Security Function TSP Telecommunications Service Provider UDP User Datagram Protocol UML Unified Modelling Language ETSI ETSI TR 102 420 V1.1.1 (2005-05) 9 4 Introduction The present document gathers and presents information r

41、elating to the preparation of a set of ETSI deliverables on the application of the Common Criteria 22 to standardization. Clause 5 presents a review of public specifications relating to the management of security developments and how these relate to ETSI and to Common Criteria specifications. Clause

42、 6 presents the results of a case study looking at a security analysis of ENUM. This clause also introduces and describes the results of applying the CORAS method to risk analysis and security requirements capture. Clause 7 presents the results of using UML in a security modelling environment. 5 Rev

43、iew of other security domain specifications 5.1 ISO/IEC 17799 There are many standards that lead to consistency in the quality of output from an undertaking. The most well known of these is probably the ISO-9000 27 series which comprises standards and guidelines relating to quality management system

44、s with related supporting standards on terminology and specific tools such as auditing (the process of checking that the management system conforms to the standard). In the ISO 9000 27 context, the standardized definition of quality refers to all those features of a product (or service) which are re

45、quired by the customer. ISO/IEC 17799 23 deals with quality for security. It is a “best practise“ type of document which specifies what an organization should do to ensure that its products or services satisfy the customers security requirements and comply with any applicable regulations. Due to the

46、 voluntary nature of standardization, the standards development process is unlikely ever to comply with ISO/IEC 17799 23 whose requirements for personnel security (clause 6) in particular are almost impossible to meet in such an environment. 6 ENUM Case study 6.1 Purpose The purpose of including a c

47、ase study in the work of the preparation of a set of ETSI deliverables on the application of the Common Criteria 22 to standardization was to test and validate the guidance as it evolved in a “live“ environment. A number of case studies were used in the development of the guidance. ES 202 382 2 uses

48、 the TETRA Direct Mode Operation security specification (EN 300 396-6 35) as an example in building a Protection Profile from existing standards. The TIPHON threat analysis (ES 202 165-1 10) and countermeasure (ES 202 165-2 30) documents were examined in the development of guidance to the Vulnerabil

49、ity assurance evaluation class in EG 202 387 1. The use of ENUM as a case study was to examine the security analysis aspects of Common Criteria and in particular to determine how the guidance to the assurance classes of EG 202 387 1 apply to a standard in development. In addition to this one of the tasks in the preparation of a set of ETSI deliverables on the application of the Common Criteria 22 to standardization was to evaluate the COR

展开阅读全文
相关资源
猜你喜欢
  • BS PD IEC TS 62763-2013_5284 Pilot function through a control pilot circuit using PWM (pulse width modulation) and a control pilot wire《通过控制导向线使用PWM (脉冲宽度调制) 的导向功能和控制导向线》.pdf BS PD IEC TS 62763-2013_5284 Pilot function through a control pilot circuit using PWM (pulse width modulation) and a control pilot wire《通过控制导向线使用PWM (脉冲宽度调制) 的导向功能和控制导向线》.pdf
  • BS ISO 8070-2007 Milk and milk products - Determination of calcium sodium potassium and magnesium contents - Atomic absorption spectrometric method《牛奶和奶制品 钙、钠、钾和镁含量的测定 原子吸.pdf BS ISO 8070-2007 Milk and milk products - Determination of calcium sodium potassium and magnesium contents - Atomic absorption spectrometric method《牛奶和奶制品 钙、钠、钾和镁含量的测定 原子吸.pdf
  • BS ISO 8082-1-2009 Self-propelled machinery for forestry - Laboratory tests and performance requirements for roll-over protective structures - General machines《林业用自推进机械 防倾.pdf BS ISO 8082-1-2009 Self-propelled machinery for forestry - Laboratory tests and performance requirements for roll-over protective structures - General machines《林业用自推进机械 防倾.pdf
  • BS ISO 8082-2-2011 Self-propelled machinery for forestry Laboratory tests and performance requirements for roll-over protective structures Machines having a rotating platf.pdf BS ISO 8082-2-2011 Self-propelled machinery for forestry Laboratory tests and performance requirements for roll-over protective structures Machines having a rotating platf.pdf
  • BS ISO 8083-2006 Machinery for forestry - Falling-object protective structures (FOPS) - Laboratory tests and performance requirements《林业机械 落体防护装置(FOPS) 实验室试验和性能要求》.pdf BS ISO 8083-2006 Machinery for forestry - Falling-object protective structures (FOPS) - Laboratory tests and performance requirements《林业机械 落体防护装置(FOPS) 实验室试验和性能要求》.pdf
  • BS ISO 8086-2004 Dairy plant - Hygiene conditions - General guidance on inspection and sampling procedures《乳品厂 卫生条件 检验和取样程序通用指南》.pdf BS ISO 8086-2004 Dairy plant - Hygiene conditions - General guidance on inspection and sampling procedures《乳品厂 卫生条件 检验和取样程序通用指南》.pdf
  • BS ISO 8096-2005 Rubber- or plastics-coated fabrics for water resistant clothing - Specification《雨衣用橡胶或塑料涂覆织物 规范》.pdf BS ISO 8096-2005 Rubber- or plastics-coated fabrics for water resistant clothing - Specification《雨衣用橡胶或塑料涂覆织物 规范》.pdf
  • BS ISO 8097-2001 Aircraft Minimum airworthiness requirements and test conditions for certified air cargo unit load devices《航空器 经认证的航空货运集装单元装置最低适航性要求和试验条件》.pdf BS ISO 8097-2001 Aircraft Minimum airworthiness requirements and test conditions for certified air cargo unit load devices《航空器 经认证的航空货运集装单元装置最低适航性要求和试验条件》.pdf
  • BS ISO 8114-1993 Textile machinery and accessories - Spindles for ring-spinning and doubling machines - List of equivalent terms《纺织机械和附件 环锭纺纱机和并线机用锭子 同义术语表》.pdf BS ISO 8114-1993 Textile machinery and accessories - Spindles for ring-spinning and doubling machines - List of equivalent terms《纺织机械和附件 环锭纺纱机和并线机用锭子 同义术语表》.pdf
  • 相关搜索

    当前位置:首页 > 标准规范 > 国际标准 > 其他

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1