1、 ETSI TR 1Security Assuracritical assets(3GPP TR 33.9TECHNICAL REPORT 133 926 V13.1.0 (2016LTE; rance Specification (SCAS) thets in 3GPP network product c.926 version 13.1.0 Release 1316-10) threats and t classes 13) ETSI ETSI TR 133 926 V13.1.0 (2016-10)13GPP TR 33.926 version 13.1.0 Release 13Refe
2、rence RTR/TSGS-0333926vd10 Keywords LTE,SECURITY ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notic
3、e The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorizat
4、ion of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aw
5、are that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following s
6、ervices: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version
7、 shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registere
8、d for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 133 926 V13.1.0 (2016-10)23GPP TR 33.926 version
9、13.1.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Inte
10、llectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, incl
11、uding IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been
12、 produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross referen
13、ce between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Dr
14、afting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 926 V13.1.0 (2016-10)33GPP TR 33.926 version 13.1.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal ve
15、rbs terminology 2g3Foreword . 5g31 Scope 6g32 References 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Generic Network Product (GNP) class description 7g34.1 Overview 7g34.2 Minimum set of functions defining the GNP class . 8g34.3 Generic network product model .
16、 8g34.3.1 Generic network product model overview 8g34.3.2 Functions defined by 3GPP 8g34.3.3 Other functions . 8g34.3.4 Operating System (OS) . 8g34.3.5 Hardware 8g34.3.6 Interfaces. 9g34.4 Scope of the present document . 9g34.4.1 Introduction. 9g34.4.2 Scope regarding GNP functions defined by 3GPP
17、. 10g34.4.3 Scope regarding other functions . 10g34.4.4 Scope regarding Operating System (OS) 10g34.4.5 Scope regarding hardware 10g34.4.6 Scope regarding interfaces 10g35 Generic Assets and Threats 10g35.1 Introduction 10g35.2 Generic critical assets . 10g35.3 Generic threats 11g35.3.0 Generic thre
18、ats format . 11g35.3.1 Introduction. 11g35.3.2 Threats relating to 3GPP-defined interfaces . 12g35.3.3 Spoofing identity 12g35.3.3.1 Default Accounts . 12g35.3.3.2 Weak Password Policies . 12g35.3.3.3 Password peek . 13g35.3.3.4 Direct Root Access 13g35.3.3.5 IP Spoofing . 13g35.3.3.6 Malware 13g35.
19、3.3.7 Eavesdropping . 13g35.3.4 Tampering . 14g35.3.4.1 Software Tampering 14g35.3.4.2 Ownership File Misuse . 14g35.3.4.3 External Device Boot 14g35.3.4.4 Log Tampering 14g35.3.4.5 OAM Traffic Tampering . 14g35.3.4.6 File Write Permissions Abuse . 15g35.3.5 Repudiation . 15g35.3.5.1 Lack of User Ac
20、tivity Trace 15g35.3.6 Information disclosure 15g35.3.6.1 Poor key generation. 15g3ETSI ETSI TR 133 926 V13.1.0 (2016-10)43GPP TR 33.926 version 13.1.0 Release 135.3.6.2 Poor key management . 15g35.3.6.3 Weak cryptographic algorithms 16g35.3.6.4 Insecure Data Storage . 16g35.3.6.5 System Fingerprint
21、ing . 16g35.3.6.6 Malware 16g35.3.6.7 Personal Identification Information Violation. 17g35.3.6.8 Insecure Default Configuration . 17g35.3.6.9 File/Directory Read Permissions Misuse 17g35.3.6.10 Insecure Network Services 17g35.3.6.11 Unnecessary Services 17g35.3.6.12 Log Disclosure 18g35.3.6.13 Unnec
22、essary Applications . 18g35.3.6.14 Eavesdropping . 18g35.3.6.15 Security threat caused by lack of GNP traffic isolation 18g35.3.7 Denial of service . 19g35.3.7.1 Compromised/Misbehaving User Equipments 19g35.3.7.2 Implementation Flaw 19g35.3.7.3 Insecure Network Services 19g35.3.7.4 Human Error . 19
23、g35.3.8 Elevation of privilege 20g35.3.8.1 Misuse by authorized users . 20g35.3.8.2 Over-Privileged Processes/Services 20g35.3.8.3 Folder Write Permission Abuse 20g35.3.8.4 Root-Owned File Write Permission Abuse . 20g35.3.8.5 High-Privileged Files 20g35.3.8.6 Insecure Network Services 21g35.3.8.7 El
24、evation of Privilege via Unnecessary Network Services . 21g3Annex A: Aspects specific to the network product class MME . 22g3A.1 Network product class description for the MME . 22g3A.1.1 Introduction 22g3A.1.2 Minimum set of functions defining the MME network product class 22g3A.2 Assets and threats
25、 specific to the MME . 22g3A.2.1 Critical assets 22g3A.2.2 Threats related to AKA procedures 23g3A.2.2.1 Access to 2G . 23g3A.2.2.2 Resynchronization 23g3A.2.2.3 Failed Integrity check of Attach message . 23g3A.2.2.4 Forwarding EPS authentication data to SGSN . 23g3A.2.2.5 Forwarding unused EPS auth
26、entication data between different security domains 23g3A.2.3 Threats related to security mode command procedure . 24g3A.2.3.1 Bidding Down . 24g3A.2.3.2 NAS integrity selection and use 24g3A.2.3.3 NAS NULL integrity protection . 24g3A.2.3.4 NAS confidentiality protection . 24g3A.2.4 Threats related
27、to security in Intra-RAT mobility 24g3A.2.4.1 Bidding down on X2-Handover 24g3A.2.4.2 NAS integrity protection algorithm selection in MME change 25g3A.2.5 Threats related to security in Inter-RAT mobility 25g3A.2.5.1 2G SIM access via idle mode mobility . 25g3A.2.5.2 2G SIM access via handover. 25g3
28、A.2.5. 3 2G SIM access via SRVCC 25g3A.2.6 Threats related to release of non-emergency bearer . 26g3Annex B: Change history 27g3History 28g3ETSI ETSI TR 133 926 V13.1.0 (2016-10)53GPP TR 33.926 version 13.1.0 Release 13Foreword This Technical Report has been produced by the 3rdGeneration Partnership
29、 Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase i
30、n version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. Y the second digit is incremented for all changes of substance, i.e. technical enhancements, co
31、rrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETSI TR 133 926 V13.1.0 (2016-10)63GPP TR 33.926 version 13.1.0 Release 131 Scope The present document captures the network product class descriptions, threats and criti
32、cal assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product
33、class. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference,
34、 subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3
35、GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 2 3GPP TR 33.916: “Security Assurance Methodology for 3GPP network products classes“. 3 3GPP TS 23.401: “General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access“. 4 3GPP TR 33.821: “
36、Rationale and track of security decisions in Long Term Evolution (LTE) RAN/3GPP System Architecture Evolution (SAE)“. 5 3GPP TS 33.116: “Security Assurance Specification for MME network product class“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the term
37、s and definitions given in 3GPP TR 21.905 1 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP TR 21.905 1. GNP Class (Generic Network Product Class): generic network product class is a class of network products that
38、 all implement a common set of 3GPP-defined functionalities for that particular network product 3.2 Abbreviations For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 1 and the following apply. An abbreviation defined in the present document takes precedence over the d
39、efinition of the same abbreviation, if any, in 3GPP TR 21.905 1. GNP Generic Network Product SCAS Security Assurance Specification SECAM Security Assurance MethodologyETSI ETSI TR 133 926 V13.1.0 (2016-10)73GPP TR 33.926 version 13.1.0 Release 134 Generic Network Product (GNP) class description 4.1
40、Overview A 3GPP generic network product class defines a set of functions that are implemented on that product, which includes, but not limited to minimum set of common 3GPP functions for that product covered in 3GPP specifications, other functions not covered by 3GPP specifications, as well as inter
41、faces to access that product. A generic network product also includes hardware, software, and OS components that the product is implemented on. The current document describes the threats and the critical assets in the course of developing 3GPP security assurance specifications for a particular netwo
42、rk product class. Applicability of the GNP security assurance specification to products: Assume a telecom equipment vendor wants to sell a product to an operator, and the latter is interested in following the Security Assurance Methodology as described in TR 33.9162, then, before evaluation accordin
43、g to TR 33.9162 in a testing laboratory can start, it first needs to be determined which security assurance specifications written by 3GPP apply to the given product. Each 3GPP Network Product, is basically a device composed of hardware (e.g. chip, processors, RAM, network cards), software (e.g. ope
44、rating system, drivers, applications, services, protocols), and interfaces (e.g. console interfaces and O and - local logical interfaces. A remote logical interface is an interface which can be used to communicate with the GNP from another network node. The entire protocol stack implementing the com
45、munication is considered to be part of the remote logical interface. Remote Logical Interfaces also include the remote access interfaces to the GNP for its maintenance through e.g. an Element Management System (EMS). A local logical interface is an interface that can be used only via physical connec
46、tion to the GNP. That is, the connection requires physical access to the GNP. The entire protocol stack is considered to be part of the local logical interface. The entire protocol stack and the physical parts of the interface can be used by local connections. Local Logical Interfaces also include t
47、he local hardware interfaces and the Local Maintenance Terminal interface (LMT) of the GNP used for its maintenance through a console. This means that for both, local and remote logical interfaces, the GNP model does not only cover the application layer protocol, for which a GNP function terminates
48、the interface (e.g. S5), but also the protocols (e.g. SCTP, IP, Ethernet, USB) in the protocol stack below the application layer protocol. There are some major differences between local and remote interfaces from security perspective. For example attaching to a local interface may cause execution of
49、 complex internal procedures in the GNP like loading USB device drivers, enumeration of attached devices, mounting file systems etc. A GNP hosts the following interfaces: Remote logical interfaces: - Service interfaces that are defined in pertinent 3GPP specifications - Service interfaces that are not defined by 3GPP - Remote OAM interface - EMS (Element Management System) interface Local logical interfaces: - OAM local console - LMT (Local Maintenance Terminal) interface - GNP local hardware interfaces NOTE: There is some overlap between the present cl
