ETSI TR 103 087 V1.2.1 (2017-11)

Reconfigurable Radio Systems (RRS);
Security related use cases and threats

TECHNICAL REPORT

Reference: RTR/RRS-0313
Keywords: radio, safety, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM® and the GSM logo are trademarks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ..... 8
Foreword ..... 8
Modal verbs terminology ..... 8
Introduction ..... 8
1 Scope ..... 9
2 References ..... 9
2.1 Normative references ..... 9
2.2 Informative references ..... 9
3 Definitions and abbreviations ..... 11
3.1 Definitions ..... 11
3.2 Abbreviations ..... 12
4 Method of analysis ..... 14
5 Security objectives ..... 19
5.1 Overview ..... 19
5.2 Assumptions and assertions of RRS ..... 21
5.3 Objectives arising from RED analysis ..... 22
5.4 Objectives arising from ComSec analysis ..... 22
5.5 Objectives arising from the analysis of the RAP as ToE#2 ..... 23
5.6 Objectives arising from the analysis of the DoC as ToE#3 ..... 23
6 Stakeholders and assets ..... 24
6.1 Use cases ..... 24
6.1.1 Introduction ..... 24
6.1.2 Timing dependencies between use cases ..... 27
6.2 Assets ..... 28
6.2.1 Mobile Device Reconfiguration Classes ..... 28
6.2.2 Radio Application operating environment ..... 29
6.2.3 Radio Application and Radio Application Package ..... 31
6.2.4 Declaration of Conformity and CE marking ..... 31
6.2.5 External assets ..... 31
6.3 Cardinalities ..... 32
7 Identification of ToE for RRS App deployment ..... 33
7.1 Overview ..... 33
7.2 ToE#1: communication between the RadioApp Store and the RE ..... 34
7.2.1 Introduction ..... 34
7.2.2 Threats ..... 35
7.2.3 Risk assessment ..... 36
7.3 ToE#2: Radio Application Package ..... 36
7.3.1 Introduction ..... 36
7.3.2 Lifecycle starting from the availability on the RadioApp Store ..... 36
7.3.3 Other aspects of the lifecycle ..... 38
7.3.3.1 Withdrawal of a Radio Application from the Radio Market Platform ..... 38
7.3.3.2 Development and pre-distribution phase ..... 38
7.3.3.3 RE and RA lifetime ..... 38
7.3.3.4 Identification of rogue or compromised Radio Applications ..... 39
7.3.4 ToE#2 environment ..... 39
7.3.5 Out-of-scope aspects of ToE#2 ..... 39
7.3.6 Threats ..... 39
7.4 ToE#3: Declaration of Conformity and CE marking ..... 39
7.4.1 DoC characteristics ..... 39
7.4.2 Consequences drawn from characteristics ..... 41
7.4.3 DoC usage from a market surveillance perspective ..... 41
7.4.4 ToE#3 environment ..... 42
7.4.5 Out-of-scope aspects of ToE#3 ..... 42
7.4.6 Threats ..... 42
7.5 Conceptual countermeasure framework for RRS to address ToE#1, ToE#2 and ToE#3 ..... 42
7.5.1 Introduction ..... 42
7.5.2 Framework elements ..... 42
7.5.3 Revised risk calculations ..... 43
7.5.3.1 Application of identity management framework ..... 43
7.5.3.1.0 Introduction ..... 43
7.5.3.1.1 Identities in RRS ..... 43
7.5.3.2 Application of non-repudiation framework ..... 46
7.5.3.3 Application of integrity verification framework ..... 46
7.5.4 Summary of threats introduced by countermeasures ..... 46
8 Modifications applicable to the RRS architecture ..... 46
8.1 Additional elements ..... 46
8.2 Additional flow diagrams ..... 47
8.2.1 RAP endorsement, distribution, and validation ..... 47
8.2.2 DoC endorsement, distribution, and validation ..... 48
9 Remote attestation of the Reconfigurable Equipment status (installed RA and DoC) ..... 50
9.1 Overview of remote attestation use case ..... 50
9.2 Actors and relationships ..... 51
9.2.1 The platform ..... 51
9.2.2 The attesting entity ..... 51
9.2.3 The verifying entity ..... 51
9.2.4 The requestor ..... 52
9.3 Considerations for remote attestation solutions in RRS ..... 53
9.3.1 Relation to the non-repudiation framework ..... 53
9.3.2 Implementation ..... 53
9.4 Direct Anonymous Attestation ..... 53
10 Configuration enforcement of reconfigurable equipment ..... 54
10.1 Introduction and scenario ..... 54
10.2 Scope ..... 54
10.2.1 Background ..... 54
10.2.2 Core Command set ..... 55
10.2.3 Extended Command Set ..... 55
10.2.4 Actors ..... 56
10.3 Technical considerations ..... 57
10.3.1 RAT capabilities ..... 57
10.3.2 Access control ..... 57
10.3.3 Default control channel ..... 57
10.4 Technical implementation ..... 58
10.4.1 Introduction ..... 58
10.4.2 Data model and data flows ..... 58
10.4.3 Delivery mechanisms in selected RAT ..... 59
10.5 Security objectives ..... 60
10.6 Threats ..... 60
11 Long-term management of reconfigurable equipment ..... 61
11.1 Introduction and scenario ..... 61
11.2 Scope ..... 62
11.3 Architecture and Actors ..... 62
11.3.1 Introduction ..... 62
11.3.2 The RRS Configuration Profile ..... 63
11.3.3 The RRS-CP Profile ..... 63
11.3.4 Transfer of Authority Document (TAD) ..... 63
11.3.5 Effective transfer of authority ..... 64
11.4 Verification of profiles and actors, profile updates ..... 64
11.5 Message flows ..... 65
11.5.1 Transfer of authority between two RRS-CA ..... 65
11.5.2 Designation of legitimate RRS-CP by the RRS-CA ..... 66
11.5.3 Distribution of a new RRS Configuration Profile ..... 67
11.6 Security objectives ..... 67
11.7 Threats and limitations ..... 69
12 Device root of trust for RRS ..... 70
12.1 Introduction ..... 70
12.2 Services ..... 71
12.2.1 Immutable pre-provisioned data ..... 71
12.2.2 Measurement ..... 71
12.2.3 Secure cryptographic primitives and execution environment ..... 71
12.2.4 Secure boot ..... 71
12.2.5 Secure storage ..... 72
12.2.6 Policy-based access control ..... 74
12.2.7 Random number generation ..... 74
12.2.8 Trusted time ..... 74
12.2.9 Trusted environmental information ..... 74
12.2.10 Audit ..... 74
12.2.11 Mutual authentication and secure communications between entities ..... 74
12.2.12 (remote) Attestation of platform configuration ..... 75
Annex A: Impact on RRS Security of European Radio Equipment Directive ..... 76
A.1 Introduction ..... 76
A.2 Summary of applicable requirements ..... 76
A.2.1 Applicability ..... 76
A.2.2 General principles ..... 76
A.2.3 Technical and security considerations ..... 77
A.3 Declaration of Conformity (DoC) ..... 77
A.3.1 Introduction ..... 77
A.3.2 Technical and security considerations ..... 78
A.4 Safekeeping of the Declaration of Conformity ..... 78
A.4.1 Introduction ..... 78
A.4.2 Technical and security considerations ..... 78
A.5 Affixing of Declaration of Conformity ..... 79
A.5.1 Overview ..... 79
A.5.2 Technical and security considerations ..... 79
A.6 Pre-market actors and roles from the Directive 2014/53/EU perspective ..... 80
A.7 Other information to indicate on the RE ..... 81
A.7.1 Introduction ..... 81
A.7.2 Technical and security considerations ..... 81
A.8 Actions in case of formal non-compliance, or with compliant radio equipment that presents a risk ..... 81
A.8.1 Introduction ..... 81
A.8.2 Technical and security considerations ..... 81
A.9 Post-market actors and roles from the RED perspective ..... 82
A.10 Actions in case of RE presenting a risk ..... 82
A.10.1 Introduction ..... 82
A.10.2 Technical and security considerations ..... 83
A.10.3 Additional considerations ..... 83
Annex B: Summary of security objectives ..... 84
Annex C: Summary of high level security requirements ..... 87
Annex D: Completed TVRA pro forma for RRS security ..... 88
Annex E: TVRA Risk Calculation for selected RRS aspects ..... 90
Annex F: Void ..... 93
Annex G: Trust models in RRS app deployment ..... 94
G.1 Overview of trust ..... 94
G.2 Role of trust in RRS ..... 94
G.3 Public Key Infrastructures and Trust ..... 95
G.4 Models of trust ..... 97
G.4.1 Overview ..... 97
G.4.2 Directly delegated trust ..... 98
G.4.3 Collaborative trust ..... 98
G.4.4 Transitive trust ..... 99
G.4.5 Reputational trust ..... 99
Annex H: Wireless Innovation Forum security considerations for SDRD ..... 100
H.1 Introduction ..... 100
H.2 Identification of assets ..... 100
H.3 Actors (stakeholders) ..... 101
H.4 Threat analysis ..... 102
H.4.1 Vulnerability classes ..... 102
H.4.2 Threat classes ..... 103
H.4.3 Attacks and exploits ..... 103
H.5 Identification of security critical processes ..... 103
H.6 Security services ..... 104
H.7 Other considerations ..... 106
H.7.1 Downloadable policies ..... 106
Annex I: Review of remote control management protocols ..... 107
I.1 Overview ..... 107
I.2 OMA Device Management ..... 107
I.2.1 Introduction ..... 107
I.2.2 General principles ..... 107
I.2.3 Security ..... 108
I.2.3.1 Communication security ..... 108
I.2.3.2 Bootstrap security ..... 108
I.2.3.3 Access control ..... 108
I.2.3.4 Other mechanisms ..... 108
I.3 OMA LWM2M ..... 108
I.3.1 Introduction ..... 108
I.3.2 General principles ..... 108
I.3.3 Security ..... 109
I.3.3.1 Communication security ..... 109
I.3.3.2 Bootstrap security ..... 109
I.3.3.3 Access control ..... 110
I.4 GSMA Service Provider Device Configuration ..... 110
I.4.1 Introduction ..... 110
I.4.2 General principles ..... 110
I.4.3 Security ..... 111
Annex J: Usage of the DoC and the RE Configuration Policy in RRS ..... 112
J.1 Introduction ..... 112
J.2 Distribution scenarios ..... 113
J.3 Applicability to other regulatory frameworks ..... 114
Annex K: Implementation guidelines ..... 115
K.1 Introduction ..... 115
K.2 Guidelines for the configuration enforcement framework ..... 115
K.2.1 APDU identification and anti-replay ..... 115
K.2.2 Leveraging the root of trust for management of critical assets ..... 115
K.3 Guidelines for the long-term lifecycle management framework ..... 116
K.3.1 Certification paths ..... 116
K.3.2 Leveraging the root of trust for management of critical assets ..... 116
Annex L: Bibliography ..... 118
History ..... 119

Intellectual Property Rights

Essential patents

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Trademarks

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Reconfigurable Radio Systems (RRS).

Modal verbs terminology

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Introduction

The present document presents a security threat analysis of RRS networks and devices for a set of specific use cases and operational scenarios defined in ETSI TC RRS. It is recommended to consider [i.1], [i.2], [i.3], [i.5], [i.6], [i.7], [i.8] and [i.18] for further information on the framework related to the solutions in the present document.

1 Scope

The present document provides an analysis of the risk of security attacks on the operation of reconfigurable radio systems. It identifies which security threats can disrupt RRS networks and devices or can induce negative impacts on other radio communication services operating in the same radio spectrum. The present document also identifies stakeholders and assets which can potentially be impacted by the security threats.

The present document extends the set of use cases addressed over those covered by ETSI TR 103 087 (V1.1.1) [i.30] to cover the following:

- Remote attestation of the Reconfigurable Equipment status (installed RA and DoC).
- Configuration enforcement of reconfigurable equipment.
- Distribution and enforcement of mobility policies.
- Long-term management of devices (in particular orphaned devices).
- Secure device root of trust.

2 References

2.1 Normative references

Normative references are not applicable in the present document.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Recommendation ITU-T E.408: "Security in Telecommunications and Information Technology. An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications. Telecommunication networks security requirements".

[i.2] L. B. Michael, M. J. Mihaljevic, S. Haruyama and R.