1、 ETSI TS 102 465 V1.1.1 (2006-12)Technical Specification Satellite Earth Stations and Systems (SES);Broadband Satellite Multimedia (BSM)General Security ArchitectureETSI ETSI TS 102 465 V1.1.1 (2006-12) 2 Reference DTS/SES-00105 Keywords broadband, interworking, IP, satellite, security ETSI 650 Rout
2、e des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded
3、from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall
4、 be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is availab
5、le at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The cop
6、yright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently
7、 being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 465 V1.1.1 (2006-12) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 References
8、6 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .7 4 BSM Security Service Requirements.8 4.1 Threats to BSM and counter measure requirements.9 4.1.1 Network threats.9 4.1.2 Software threats 10 4.1.3 Hardware threats.10 4.1.4 Human threats.10 4.2 BSM security services definitio
9、n11 4.3 Security related satellite characteristics11 4.4 Security association scenarios 12 4.4.1 End-to-End security 12 4.4.2 Gateway-to-Gateway security.13 4.4.3 Combined host and gateway security14 4.4.4 Remote host to gateway security 15 4.5 ITU-T Recommendations - X.805 security architecture 15
10、4.6 Summary of security service requirements.16 5 BSM Security Functional Architecture Requirements.17 5.1 Security reference framework 17 5.1.1 Data handling (privacy and integrity) .19 5.1.2 Key management 19 5.1.3 Security policy establishment and enforcement19 5.1.4 Security association descript
11、ion20 5.1.5 BSM security functional elements 21 5.2 BSM Generic Protocol Architecture 21 5.3 Interactions between security and other non BSM entities.23 5.3.1 Using COPS for security policy provisioning.23 5.3.2 Radius/ Diameter 23 5.3.3 Interactions between BSM security and Network Address Translat
12、ion (NAT)24 5.4 Interactions between security and Performance Enhancing Proxies (PEP)24 5.5 Summary of Security Architecture Requirements26 6 BSM security Functional Architecture Definition .26 6.1 Detailed BSM security functional architecture.26 6.1.1 Case 1: IPsec and security entities in BSM.27 6
13、.1.2 Case 2: Mixed link layer security entities in BSM (security manager above SI-SAP and security engine below SI-SAP) 28 6.1.3 Case 3: End-to-end security29 6.1.4 Case 4: Pure link layer security 30 6.2 Generalized interactions between security and other BSM entities30 6.3 Interactions between sec
14、urity and QoS entities 32 6.3.1 Security of QoS signalling in BSM network 32 6.3.2 Using COPS protocol for security policy provisioning 34 6.3.3 Using reliable transfer mechanisms (QoS) to transfer key management messages 36 6.4 Interactions between security and address resolution entities 36 6.4.1
15、Security of address resolution signalling in BSM network.36 6.4.2 Using RADIUS with DHCP servers .37 ETSI ETSI TS 102 465 V1.1.1 (2006-12) 4 Annex A (informative): Existing Security Technologies.38 A.1 Introduction 38 A.2 Link layer ATM and DVB 39 A.2.1 ATM security .39 A.2.2 DVB-S conditional acces
16、s39 A.2.3 DVB-RCS security.40 A.3 Network layer - IPsec.40 A.4 Transport layer - SSL/TLS.41 A.5 Application layer security 42 A.6 Choosing a security technology .42 Annex B (informative): Bibliography .45 History 47 ETSI ETSI TS 102 465 V1.1.1 (2006-12) 5 Intellectual Property Rights IPRs essential
17、or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Es
18、sential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETS
19、I. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Sa
20、tellite Earth Stations and Systems (SES). Introduction Based on the finding of Security Aspects report in BSM TR 102 287 (see bibliography) and the need for providing security services within the BSM systems and interworking with the outside world, there is a need for a BSM security management funct
21、ional entities. These entities may reside above or below the Satellite Independent - Service Access Point (SI-SAP) and defines how data are secured through the BSM. IABG final report. ESA project (see bibliography) provides further information about similar issues. The BSM, security management funct
22、ions are defined for data handling, key management and security policy establishment and enforcement. Although some satellite security specific systems exist today such as DVB-S and DVB-RCS, the main focus of the architecture definition will be on end-to-end security and between satellite terminals
23、and Gateways plus interaction with satellite independent systems such as IPsec and upper layers security systems. ETSI ETSI TS 102 465 V1.1.1 (2006-12) 6 1 Scope The present document defines the security management architecture based on the generic BSM architecture TS 102 292 (see bibliography). The
24、 present document defines the BSM functional architecture required to provide security services to the end user and satellite networks. This architecture identifies the functional elements to allow security provision in BSM systems integrated with heterogeneous networks. Such elements will include s
25、ecure data handling, key management and security policy handling. Interactions with Performance Enhancing Proxies and IPsec are also addressed. Secure multicast is not addressed in the present document, however the mechanisms proposed in the present document may apply to multicast services. However,
26、 security architecture issues related to star and mesh topologies are addressed including the user, control and mgmt planes. Securing management and control messages including OBP management are out of scope for the present document. 2 References The following documents contain provisions which, thr
27、ough reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the lates
28、t version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/ NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 1 ETSI ETR 2
29、32: “Security Techniques Advisory Group (STAG); Glossary of security terminology“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ETR 232 1 and the following apply: active attack: realization of an active threat active thr
30、eat: threat of a deliberate unauthorized change to the state of the system authentication: property by which the correct identity of an entity or party is established with a required assurance authentication server: typically a RADIUS/DIAMETER server or others against which the users will authentica
31、te and from which they can even receive their authorization rules authenticator: access device or gateway, which is typically a switch or an access-point or a hub. The device in an authentication system that physically allows or blocks access to the network authorization: permission granted by an ow
32、ner for a specific purpose availability: avoidance of unacceptable delay in obtaining authorized access to information or IT resources ETSI ETSI TS 102 465 V1.1.1 (2006-12) 7 aonfidentiality: avoidance of the disclosure of information without the permission of its owner countermeasures: security ser
33、vices or mechanisms designed to counter a particular threat cryptographic key: parameter used with an algorithm to validate, authenticate, encrypt or decrypt a message hash / message digest: mathematical formula that converts a message of any length into a unique fixed-length string of digits (typic
34、ally 160 bits) known as “message digest“ that represents the original message NOTE: A hash is a one-way function - that is, it is unfeasible to reverse the process to determine the original message. Also, a hash function will not produce the same message digest from two different inputs. digital sig
35、nature: electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document NOTE: It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged. digital certificates: electronic documen
36、t that establishes your credentials when doing business or other transactions on the web. They are issued by a certificate authority and contain a user“s name, expiration dates, a copy of the certificate holder“s public key, and the digital signature of the certificate-issuing authority so that a re
37、cipient can verify that the certificate is real. Some digital certificates conform to a standard such as X.509 integrity: avoidance of the unauthorized modification of information message Authentication Code (MAC): data field used to verify the authenticity of a message non-repudiation: a user canno
38、t deny the fact that it has accessed a service or data masquerade: pretence by an entity to be a different entity non repudiation: proof of the sending or delivery of data by communicating IT assemblies which prevent subsequent false denials by a user of transmission or receipt, respectively, of suc
39、h data or its contents plain text: unencrypted source data passive attack: realization of a passive threat passive threat: threat of unauthorized disclosure of information without changing the state of the system privacy: right of individuals to control or influence what information related to them
40、may be collected and stored and by whom and to whom that information may be disclosed security policy: set of criteria for the provision of security services supplicant: client or machine requesting access to the network 3.2 Abbreviations For the purposes of the present document, the following abbre
41、viations apply: AH Authentication Header ATM Asynchronous Transfer Mode BER Bit Error Rates CA Certification Authority COPS Common Open Policy Service CPU Central Processing Unit CW Control Word DCKS Domain Controller and Key Server DES Data Encryption Standard DRM Digital Rights ManagementDSS Digit
42、al Signature Standard DVB Digital Video Broadcast DVB-RCS DVB, Return Channel Satellites DVB-S Digital Video Broadcast by Satellite ESP Encapsulated Security Payload ETSI ETSI TS 102 465 V1.1.1 (2006-12) 8 ETSI European Telecommunications Standards Institute IKE Internet Key Exchange IP Internet Pro
43、tocol IPsec Internet Protocol Security ISAKMP Internet Security Association and Key Management Protocol ISP Internet Service Provider ITU International Telecommunication Union MAC Message Authentication Code MPEG Moving Picture Experts Group MPEG-TS MPEG Transport Stream MSEC Multicast Security grou
44、p in the IETF NAS Network Access Server NAT Network Address Translations NCC Network Control Centre NGN Next Generation Networks OBP On-Board Processor PEP Performance Enhancing Proxy PKI Public Key Infrastructure Policy-PDP Policy - Policy Decision Point Policy-PEP Policy - Policy Enforcement Point
45、 PPV Pay Per View QoS Quality of Service RADIUS Remote Authentication Dial-In User Service RCST Return Channel Satellite Terminal RSA Rivest, Shamir and Adleman RTCP Real time Transport Control Protocol RTP Real time Transport Protocol SA Security Association SAD Security Association Database SAR Se
46、gmentation And ReassemblySID Security association IDentity SI-SAP Satellite Independent - Service Access Point SPD Security Policy Database SPI Security Parameter Index SSL Secure Socket Layer ST Satellite Terminal TC Transmission Convergence TCP Transmission Control Protocol TLS Transport Layer Sec
47、urity ULE Unidirectional Lightweight Encapsulation UTOPIA Universal Test these features can accidentally leave plaintext accessible to un-authorized people. Moreover confidential information of a company or clients should be stored securely at the providers site in order to prevent misuse of confide
48、ntial information of clients. Security requirements for software threats are: Protection against software viruses. Good software design for commercial application that prevents unauthorized access to the system and accidental damage by inexperienced users. Good security software design with strong e
49、ncryption and digital signature algorithms, good random number generators and secure storage of keys and internal data. 4.1.3 Hardware threats All hardware systems including hosts (e.g. client stations), satellite terminals and network equipment (e.g. routers and firewalls) can provide a way of attack if not properly configured, since they will become the entry point of attack. Unauthorized access to these machines also poses a threat since it means access to the system. In addition, if all the major hardware systems are not backed up in case of emergency like
