ETSI TR 103 167 V1.1.1 (2011-08)
Technical Report
Machine-to-Machine Communications (M2M); Threat analysis and counter-measures to M2M service layer

Reference: DTR/M2M-00012ed111
Keywords: M2M, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret No. 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No. 7803/88

Important notice
Individual copies of the present document can be downloaded from: http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification
No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2011. All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
1 Scope
  1.1 General
  1.2 Specific
2 References
  2.1 Normative references
  2.2 Informative references
3 Definitions and abbreviations
  3.1 Definitions
  3.2 Abbreviations
4 Methodology Used for Analysis of Threats and Risks
5 System Architecture
  5.1 High-Level Architecture
  5.2 Layered Model for the M2M System
6 Stakeholders
7 Trust Model
8 Type 1 Threats, Specific to the M2M Service Layer and its Interfaces
  8.1 Threat 1: Discovery of Long-Term Service-Layer Keys Stored in M2M Devices or M2M Gateways
    8.1.1 Description
    8.1.2 Assessment of Risk
    8.1.3 Mitigation of Risk
      8.1.3.1 Potential Counter-Measures
      8.1.3.2 Responsibility for Counter-Measures
  8.2 Threat 2: Deletion of Long-Term Service-Layer Keys Stored in M2M Devices or M2M Gateways
    8.2.1 Description
    8.2.2 Assessment of Risk
    8.2.3 Mitigation of Risk
      8.2.3.1 Potential Counter-Measures
      8.2.3.2 Responsibility for Counter-Measures
  8.3 Threat 3: Replacement of Long-Term Service-Layer Keys Stored in M2M Devices or M2M Gateways
    8.3.1 Description
    8.3.2 Assessment of Risk
    8.3.3 Mitigation of Risk
      8.3.3.1 Potential Counter-Measures
      8.3.3.2 Responsibility for Counter-Measures
  8.4 Threat 4: Discovery of Long-Term Service-Layer Keys Stored in the SCs of the M2M Core
    8.4.1 Description
    8.4.2 Assessment of Risk
    8.4.3 Mitigation of Risk
      8.4.3.1 Potential Counter-Measures
      8.4.3.2 Responsibility for Counter-Measures
  8.5 Threat 5: Deletion of Long-Term Service-Layer Keys Stored in the SCs of an M2M Core
    8.5.1 Description
    8.5.2 Assessment of Risk
    8.5.3 Mitigation of Risk
      8.5.3.1 Potential Counter-Measures
      8.5.3.2 Responsibility for Counter-Measures
  8.6 Threat 6: Discovery of Long-Term Service-Layer Keys Stored in MSBF or MAS
    8.6.1 Description
    8.6.2 Assessment of Risk
    8.6.3 Mitigation of Risk
      8.6.3.1 Potential Counter-Measures
      8.6.3.2 Responsibility for Counter-Measures
  8.7 Threat 7: Deletion of Long-Term Service-Layer Keys Stored in the MSBF/MAS
    8.7.1 Description
    8.7.2 Assessment of Risk
    8.7.3 Mitigation of Risk
      8.7.3.1 Potential Counter-Measures
      8.7.3.2 Responsibility for Counter-Measures
  8.8 Threat 8: Discover Keys by Eavesdropping on Communications Between Entities
    8.8.1 Description
    8.8.2 Assessment of Risk
    8.8.3 Mitigation of Risk
      8.8.3.1 Potential Counter-Measures
      8.8.3.2 Responsibility for Counter-Measures
  8.9 Threat 9: Modification of Data Stored in the M2M Service Capabilities
    8.9.1 Description
    8.9.2 Assessment of Risk
    8.9.3 Mitigation of Risk
      8.9.3.1 Potential Counter-Measures
      8.9.3.2 Responsibility for Counter-Measures
  8.10 Threat 10: Provisioning of non-Legitimate Keys
    8.10.1 Description
    8.10.2 Assessment of Risk
    8.10.3 Mitigation of Risk
      8.10.3.1 Potential Counter-Measures
      8.10.3.2 Responsibility for Counter-Measures
  8.11 Threat 11: Unauthorised or Corrupted Application and Service-Layer Software in M2M Devices/Gateways
    8.11.1 Description
    8.11.2 Assessment of Risk
    8.11.3 Mitigation of Risk
      8.11.3.1 Potential Counter-Measures
      8.11.3.2 Responsibility for Counter-Measures
  8.12 Threat 12: Subverting the M2M Device/Gateway Integrity-Checking Procedures
    8.12.1 Description
    8.12.2 Assessment of Risk
    8.12.3 Mitigation of Risk
    8.12.4 Potential Counter-Measures
      8.12.4.1 Responsibility for Counter-Measures
  8.13 Threat 13: Unauthorised or Corrupted Software in M2M Core
    8.13.1 Description
    8.13.2 Assessment of Risk
    8.13.3 Mitigation of Risk
      8.13.3.1 Potential Counter-Measures
      8.13.3.2 Responsibility for Counter-Measures
  8.14 Threat 14: Subverting the Integrity-Checking Procedures in the M2M Core
    8.14.1 Description
    8.14.2 Assessment of Risk
    8.14.3 Mitigation of Risk
      8.14.3.1 Potential Counter-Measures
      8.14.3.2 Responsibility for Counter-Measures
  8.15 Threat 15: General Eavesdropping on M2M Service-Layer Messaging Between Entities
    8.15.1 Description
    8.15.2 Assessment of Risk
    8.15.3 Mitigation of Risk
      8.15.3.1 Required Counter-Measures
      8.15.3.2 Responsibility for Counter-Measures
  8.16 Threat 16: Alteration of M2M Service-Layer Messaging Between Entities
    8.16.1 Description
    8.16.2 Assessment of Risk
    8.16.3 Mitigation of Risk
      8.16.3.1 Required Counter-Measures
      8.16.3.2 Responsibility for Counter-Measures
  8.17 Threat 17: Replay of M2M Service-Layer Messaging Between Entities
    8.17.1 Description
    8.17.2 Assessment of Risk
    8.17.3 Mitigation of Risk
      8.17.3.1 Potential Counter-Measures
      8.17.3.2 Responsibility for Counter-Measures
  8.18 Threat 18: Breach of Privacy due to Inter-Application Communications
    8.18.1 Description
    8.18.2 Assessment of Risk
    8.18.3 Mitigation of Risk
    8.18.4 Potential Counter-Measures
    8.18.5 Responsibility for Counter-Measures
  8.19 Threat 19: Breach of Privacy due to Attacks on M2M Device/Gateway Service Capabilities
    8.19.1 Description
    8.19.2 Assessment of Risk
    8.19.3 Mitigation of Risk
      8.19.3.1 Potential Counter-Measures
      8.19.3.2 Responsibility for Counter-Measures
9 Type 2 Threats Affecting the M2M Functional Requirements
  9.1 Threat 20: Discovery of M2M long-term service-layer keys from knowledge of access-network keys
    9.1.1 Description
    9.1.2 Assessment of Risk
    9.1.3 Mitigation of Risk
      9.1.3.1 Potential Counter-Measures
      9.1.3.2 Responsibility for Counter-Measures
  9.2 Threat 21: Transfer of Module Containing Access-Network keys and/or M2M long-term keys to a different terminal/Device/Gateway
    9.2.1 Description
    9.2.2 Assessment of Risk
    9.2.3 Mitigation of Risk
      9.2.3.1 Potential Counter-Measures
      9.2.3.2 Responsibility for Counter-Measures
10 Actions Recommended for ETSI TC M2M
  10.1 Assurance of Counter-Measures
  10.2 Recommended Mapping of Counter-Measures onto Architectural Features
History

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Machine-to-Machine communications (M2M).
The present document may be referenced by other TRs and Technical Standards (TS) developed by ETSI TC M2M.
The present document is a TR and therefore its content is informative.

1 Scope

1.1 General
Below are reproduced some of the terms of reference concerning security handling in ETSI TC M2M [i.1].
"Requirements pertaining to detailed security analysis (such as the analysis of threats, risks and counter-measures) are within the scope of ETSI TC M2M. Wherever possible, detailed solution work based on other SDOs' existing mechanisms shall be performed by those SDOs, based on input which TC M2M may provide. Identified solution gaps which are not addressed by other SDOs can be handled in ETSI TC M2M. Security aspects which are part of the current architecture document shall remain with the current architecture document for the purpose of Release 1, because of the tight integration needed to provide a solid basis for Release 1. Note: this requirement is intended to avoid the creation of separate security architecture specifications for Release 1".

1.2 Specific
Below are the terms of reference in the WI description [i.2].
In the present document, threats against the M2M functional architecture, service layer and interfaces are identified and analysed for impact and for likelihood. The need for countermeasures is determined.
The threat analysis considers only the following two types of threat (with the following order of priority):
1) Type 1 threats: threats that are specific to the M2M service layer or to the interfaces of the service layer.
2) Type 2 threats: threats that may not be specific to the M2M service layer but which have a significant impact upon M2M functional requirements.
The level of risk (i.e. combined likelihood and impact) of identified threats is also evaluated. As a result, threats are prioritised, and therefore so are countermeasures and security requirements.
Concerning countermeasures identified in the present document, the scope includes:
- consideration of the merits and demerits (i.e. pros and cons) of identified countermeasures;
- evaluation of countermeasures to determine: 1) the need for a standardised solution/implementation, 2) the availability of existing standardised solutions (e.g. from other SDOs), 3) the need for a new standardised solution (either from another SDO or from ETSI M2M).
Additionally:
- Threats against, or originating from, any stakeholders may be considered.
- Countermeasures which are normal practice in IT systems (e.g. maintenance logs, firewalls) are out of scope.
Content in the present document may lead to new requirements in future releases of TS 102 689 [i.5] and to normative text in TS 102 690 [i.6].

2 References
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references
The following referenced documents are necessary for the application of the present document.
Not applicable.

2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.
[i.1] Document M2M(10)0278r1: "Security Handling in ETSI TC M2M".
[i.2] Work Item Description for WI00012.
[i.3] CPNI (Centre for the Protection of National Infrastructure) criteria.
NOTE: See http://www.cpni.gov.uk/.
[i.4] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis".
[i.5] ETSI TS 102 689 (V1.1.1): "Machine-to-Machine communications (M2M); M2M service requirements".
[i.6] ETSI TS 102 690: "Machine-to-Machine communications (M2M); M2M functional architecture".
[i.7] ETSI TR 102 725: "Machine to Machine Communications (M2M); M2M definitions".

3 Definitions and abbreviations

3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
NOTE: References have been included where definitions have been obtained from other sources. Where appropriate, additional text has been added in square brackets.
asset: anything that has value to the stakeholder, its business operations and its continuity [i.4]
Device Lower Layer (DLL): component of the Lower Layer in an M2M Device
Lower Layer (LL): allows DSCL, GSCL and NSCL Components to exchange data on behalf of applications, and to perform other appropriate communication
Gateway Lower Layer (GLL): component of the Lower Layer in an M2M Gateway
impact: result of an unwanted information security incident, caused by a threat, which affects assets [i.4]
incident: event relevant to the analysed system
M2M area network layer: provides the communication between DA/GA components and DSCL/GSCL components
M2M service providers domain: domain which includes the Network Application Domain and any standardised systems under the control of the M2M Service Provider which interact with the M2M Service Capabilities
M2M System: comprises Network Application Domain, M2M Devices Domain and any interfa