ETSI TR 102 661-2009 Lawful Interception (LI) Security framework in Lawful Interception and Retained Data environment (V1 2 1).pdf

ETSI TR 102 661 V1.2.1 (2009-11)
Technical Report

Lawful Interception (LI);
Security framework in Lawful Interception and Retained Data environment

Reference: RTR/LI-00065
Keywords: lawful interception, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2009. All rights reserved.

DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
  2.1 Normative references
  2.2 Informative references
3 Definitions and abbreviations
  3.1 Definitions
  3.2 Abbreviations
4 The architecture
  4.1 Functional architecture
  4.2 The supervisory role of Regulatory Authority in third party auditing
5 Inventory of assets
6 Security threats and vulnerabilities
  6.1 Security threats
  6.2 Security vulnerabilities
  6.3 Attack scenarios
7 Security measures
  7.1 Personnel security
  7.2 Incident handling
  7.3 Physical and environmental security
  7.4 Media handling
  7.5 Access control
  7.6 Confidentiality
    7.6.1 Confidentiality of stored data
    7.6.2 Confidentiality of transmitted (INI and HI interfaces) data
  7.7 Data and system integrity
    7.7.1 Integrity of the LI/DR system software
    7.7.2 Integrity of stored data
    7.7.3 Integrity of transmitted data
  7.8 Non-repudiation
  7.9 Availability
    7.9.1 Protection against denial of service attacks
    7.9.2 Fault tolerance
    7.9.3 Disaster recovery
  7.10 Secure, verifiable and intelligible logging
    7.10.1 Requirements
  7.11 Secure information destruction
  7.12 Development, maintenance and repair
Annex A: List of security measures
  A.1 Introduction
Annex B: Building secure logging
  B.1 A generic methodology for defining and organizing log information in an LI/DR environment
  B.2 Providing secure log files
  B.3 Providing the skeleton for implementing a secure log environment
  B.4 References annex B
Annex C: Protection of retained data
  C.1 Introduction
  C.2 Overview of the proposed system
  C.3 Encryption and storage of retained data record
  C.4 Query and retrieval of retained data
  C.5 Purging of RD Store
  C.6 Discussion of resilience and vulnerability
Annex D: Guide for selecting cryptographic algorithms and minimum key sizes in LI/DR systems
  D.1 Introduction
  D.2 Cryptographic security strength basis and LI/DR systems
    D.2.1 Bits of security
    D.2.2 Bits of security in LI/DR systems
  D.3 LI/DR information classification
    D.3.1 Classified information
    D.3.2 Personal data
    D.3.3 Classification levels equivalence
  D.4 Cryptographic algorithms and key sizes for LI/DR systems
    D.4.1 Minimum bits of security
    D.4.2 Symmetric key algorithms
    D.4.3 Asymmetric key algorithms
    D.4.4 Hash functions
    D.4.5 Summary table
    D.4.6 Algorithm suites
Annex E: Bibliography
Annex F: Change request history
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Lawful Interception (LI).

Introduction

Communication privacy is considered a valuable asset by the Internet, fixed and mobile telephony providers of electronic communication networks. Indeed, incidents of privacy violations against their subscribers may cause severe impact with commercial and legal consequences. The above considerations are more important when these networks operate critical services in terms of communication privacy, such as Lawful Interception (LI) and Data Retention (DR) services. Hence, special state-of-the-art technologies and mechanisms together with a range of well-defined technical and procedural measures are recommended to be applied in order to verify and maintain an acceptable security level.

1 Scope

The scope of the present document is to recommend a framework for the secure provision of Lawful Interception (LI) and Data Retention (DR) services of a Communication Service Provider (CSP) towards the Law Enforcement Agencies. This framework aims to guarantee security in terms of confidentiality, integrity, forward secrecy, forward integrity and non-repudiation within the CSP's LI and DR systems, operations and CSP internal and external interfaces for the delivery of IRI, CC and DR data towards any LEAs.

The present document initially describes the assets to be protected and then analyses the related security threats. Finally it recommends a range of security measures and controls necessary for achieving the desired level of security. The security measures content contains an unbreakable set of security categories where most of the measures, for each category, are indispensable controls while some others can be optionally chosen for creating a tighter security framework.

Annexes are also defined. Annex A lists all recommended measures and controls, associates these measures with the respective systems, services and interfaces and also with the respective threats that they aim to overcome. Annex B provides a secure logging infrastructure. Annex C provides a solution for protecting the retained data during the operation of the DR service while annex D provides a guide for cryptographic algorithms.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. Non-specific reference may be made only to a complete document or a part thereof and only in the following cases:

- if it is accepted that it will be possible to use all future changes of the referenced document for the purposes of the referring document;
- for informative references.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are indispensable for the application of the present document. For dated references, only the edition cited applies. For non-specific references, the latest edition of the referenced document (including any amendments) applies.

Not applicable.

2.2 Informative references

The following referenced documents are not essential to the use of the present document but they assist the user with regard to a particular subject area. For non-specific references, the latest version of the referenced document (including any amendments) applies.

[i.1] ETSI TS 101 671: "Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic".
NOTE: Periodically TS 101 671 is published as ES 201 671. A reference to the latest version of the TS as above reflects the latest stable content from ETSI/TC LI.
[i.2] ETSI TS 102 232-1: "Lawful Interception (LI); Handover Interface and Service-Specific Details (SSD) for IP delivery; Part 1: Handover specification for IP delivery".
[i.3] IETF RFC 2246: "The TLS Protocol Version 1.0".
[i.4] ETSI TR 101 943: "Lawful Interception (LI); Concepts of Interception in a Generic Network Architecture".
[i.5] ETSI TR 102 528: "Lawful Interception (LI) Interception domain Architecture for IP networks".
[i.6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
[i.7] ETSI TS 102 657: "Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data".
[i.8] Council decision 2001/264/EC of 19 March 2001 adopting the Council's security regulations.
[i.9] V. Stathopoulos, P. Kotzanikolaou, E. Magkos, "Secure Log management for privacy assurance in electronic communications", accepted for publication in Computers and Security, Elsevier journal, 2008.
[i.10] V. Stathopoulos, P. Kotzanikolaou, E. Magkos, "A Framework for Secure and Verifiable Logging in Public Communication Networks", J. Lopez (ed.): CRITIS 2006, LNCS 4347, pp. 273-284, 2006, Springer Verlag Berlin Heidelberg, 2006.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following definitions apply:

advanced electronic signature: electronic signature that is able to identify the signatory and able to detect any subsequent change in the data signed, that is related uniquely to the signatory and the data signed and that has been created by means that the signatory has under his sole control

authentication: verification of the claimed identity

authorization: action of granting access with a specific set of capabilities to certain resources based on the identity of the applicant

availability: property of being accessible and usable upon demand by an authorized entity and according to performance specifications

channel: means of communication used to carry information
NOTE: The channels corresponding to the interfaces HI1, HI2 and HI3 will be called channel HI1, channel HI2 and channel HI3 respectively.

confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities or processes

electronic signature: set of data in electronic format, related to another set of data, that can be used as a means to identify the signatory

forward integrity: property that past integrity protected data will not be affected, if all certificates, concerning a specific time period, are revealed to an attacker

forward secrecy: property that past confidentiality protected data will not be affected, if all certificates, concerning a specific time period, are revealed to an attacker

integrity: property that data has not been changed or destroyed without the requisite authorization

least privilege: security principle that demands that it should be granted the minimum set of capabilities to access and use information and resources that allows to carry out those duties to which someone is expressly authorized

LI/DR assets: involved hardware, software modules and services that produce and manage sensitive information

LI/DR infrastructure: comprises the LI/DR systems and the Network or IT systems that incorporate LI/DR functionality

LI/DR systems: CSP systems that are designed to explicitly operate LI/DR functionality such as Mediator, Administrator and Management functions

LI/DR session: LI or DR session describes the execution of an LI warrant or DR request, and contains all the activities, parameters and actions that are executed within LI/DR systems and services

log infrastructure: physical and functional architecture that will be used for implementation of the defined logging procedures

need to know: security principle that demands that anyone should just know, have access to or possess the information and resources strictly needed to carry out those duties to which she/he is expressly authorized

network or IT systems that incorporate LI/DR functionality: any network or IT CSP entity that is involved in the execution of an LI or DR procedure and incorporates either a software module or manage information assets, related to the LI and DR procedure (e.g. database servers, AAA servers, E-mail servers, Routers, Switches, etc.)

non-repudiation: property of being able to prove that an action or event took place, so that that action or event would not be denied later

qualified electronic signature: advanced electronic signature based on a recognized certificate and created by means of a secure signature creation device
NOTE 1: Even though they could use the same technology, the acts of signing and encrypting are different.
NOTE 2: The qualified electronic signature is also able to ensure the integrity of the signed data.

regulatory authority: a body or bodies charged by a government with any of the regulatory tasks regarding Data Retention or Lawful Interception.

secure authentication device: secure signature creation device that contains a recognized electronic certificate, plus an additional authentication mechanism (like a password or biometric authentication)

secure channel: channel that assures state-of-the-art confidentiality, integrity, availability a

