Study Paper on Security Accreditation Scheme for SIM

Transcription

1 May 2014 MOBILE Study Paper on Security Accreditation Scheme for SIM TEC TELECOMMUNICATION ENGINEERING CENTRE KHURSHID LAL BHAWAN, JANPATH NEW DELHI INDIA

2 1 Introduction Security Threats Security Objective Sensitive Process Environmental Security Security Requirements Policy, strategy and documentation Policy Strategy Business Continuity Planning Organization and Responsibility Organization Responsibility Contracts and liabilities Information Classification Data and media handling Personnel Security Security in job description Recruitment screening Acceptance of security rules Incident response and reporting Contract termination Physical Security Security plan Physical protection Access control Security staff Internal audit and control Production data management Data transfer Access to sensitive data Data generation... 10

3 4.6.4 Encryption keys Auditability and accountability Data integrity Duplicate production Internal audit and control Logistics and Production Management Personnel Order management Raw materials Control, audit and monitoring Destruction Storage Packaging and delivery Internal audit and control Computer and Network Management Policy Segregation of roles and responsibilities Access control Network security Virus controls System back-up Audit and monitoring Insecure terminal access External facilities management Systems development and maintenance Internal audit and control Conclusion References Abbreviations... 17

4 1 Introduction The use of mobile devices has become ubiquitous and the services utilized by the user like value added services, mobile money apart from making calls and messaging are provided by the TSP, who allow the users to access the network and services on the basis of the credentials provided by the SIM or the subscriber identity module. Hence, the SIM is the basis of trust between TSP and user and contains information that identifies a user uniquely. The contents of the SIM include: a) Identification Physical : ICCID, Integrated Chip Circuit IDentification Logical : IMSI, International Mobile Subscriber Identity b) Security Data: PIN1, PIN2 and PUK1, PUK2 Network: Authentication Keys c) Service Related Phonebook : SIM phone book SMS : To store SMS Other functionality: FDN, BDN SDN ect. d) Algorithms and Keys Algorithms : A3A8, DES, 3DES, AES Keys : OTA and applications keys Figure 1. SIM OS architecture The contents of the SIM are sensitive in nature and are a security risk if not stored and transported properly by the SIM manufacturer, as the SIM manufacturer does Operating System development, Keys / PINs generation, SIM personalization. To mitigate some of these risks the TSPs are totally dependent on the processes and the security measure setup with their suppliers. The main objective of Security accreditation scheme from GSMA is to address the security risk introduced by suppliers and the manufacturers during the SIM personalization process.

5 2 Security Threats The following are the possible security threats which can happen in SIM/USIM: a) SIM contains keys such as Ki, OTA keys and K4 Key, and their storage and transfer between different parties is a key security concern. The Data handling related to SIM is not safe. The various security issues are as follows: Transport Key (K4 Key) - Is used for used for encrypting / Decrypting Ki. If it is compromised all cards are at risk. Hence, it is important that the key is transferred in a secure way and is changed at regular intervals. Output Data - The laptops carrying such data received through mail, without any PGP Key, zip file with password protection are out in the field with persons and poses a great security risk. Threat if SIM produced by non trusted party- There are several threats if SIM is manufactured by a non trusted party. Some of the impacted areas are Compromise of Keys and PIN s from personalization centers Malicious code insertion during operating system development Malicious application insertion in value added application SIM activation / De-activation applications OTA Keys- Are being sent as part of non encrypted files, s and zip file with password protection. Because of their low security they can be easily compromised and the party possessing OTA keys may cause malicious changes in the network and the SIM side, like- Different branding (service provider name change) stopping of SIM Loading of silent malware, which might be used to track users location or get personal details sending SMS to various number blocking of calls and services, on a large scale, which might be used for anti national activities. and others b) Asset protection against production of duplicate cards and data theft Fault attack a. Alter the IC s internal working to induce an error in the IC s operations b. Erroneous operation reveals IC s information Side channel attack a. Attacks based on information gained from the physical information of a cryptosystem b. Timing information, power consumption, electromagnetic leaks, or sound which can provide a source of information Invasive or Hardware attack a. Probing the IC with a microprobe or focused ion beam (FIB)

6 b. Reverse engineering, and circuit modification. To protect against duplication of SIM cards and data theft, the SIM production process at SIM/USIM supplier has to be strengthened and regularly audited against a standard method to identify the security breaches. Additionally, hardware protection against invasive or hardware attack might be given. 3 Security Objective A special process should be defined to take care of all possible threats from SIM/USIM supplier. GSMA in its SAS standard has defined the audit process for two areas; sensitive process and Environmental Security. 3.1 Sensitive Process The Sensitive Process represents the security evaluation field, covering the processes and the assets within those processes, some clearly defined concern areas are as follows. The process must: i. control the production process. ii. control, manage and protect data against loss of integrity and confidentiality. iii. guarantee a secure product flow iv. be designed in such a way that independence of different customer files is always achieved. v. Following area identities by SAS as threat in the process a. Customer order reception b. Incoming file reception c. Production data generation and preparation d. Internal and external transfer of production data e. Output data generation and preparation f. Outgoing file delivery g. Incoming material receipt, storage and issue h. Pre personalization i. Material transfer to personalization j. Device personalization k. Confidential document personalization l. Device packaging m. Supplier delivery (finish products) n. Transport between sites 3.2 Environmental Security Environmental security such as people moment, stock moment and also access to various sensitive areas are very important part of security i. The environment must manage the elements that are specifically auditable. ii. The environment must guarantee a secure product flow

7 4 Security Requirements In order to consider the personalization processes secure, certain requirements must be met. These requirements, which are outlined below, are considered as minimum-security requirements applying to the environment. 4.1 Policy, strategy and documentation The security policy and strategy provides the business and its employees with a direction and framework to support and guide security decisions within the company Policy A clear direction should be set and supported by a documented security policy which defines the security objectives and the rules and procedures relating to the security of the process, sensitive information and asset management. Employees should understand and have access to the policy and its application should be checked periodically Strategy A coherent security strategy must be defined based on a clear understanding of the risks. The strategy should use periodic risk assessment as the basis for defining, implementing and updating the site security system. The strategy should be reviewed regularly to ensure that it reflects the changing security environment through ongoing re-assessment of risks Business Continuity Planning Business continuity measures must be in place in the event of disaster. 4.2 Organization and Responsibility Organization To successfully manage security, a defined organization structure should be established with appropriate allocation of security responsibilities. The management structure should maintain and control security through a crossfunctional team that co-ordinates identification, collation, and resolution, of security issues, independent of the business structure Responsibility A security manager should be appointed with overall responsibility for the issues relating to security in the process. Clear responsibility for all aspects of security, whether operational, supervisory or strategic, must be defined within the business as part of the overall security organization.

8 Asset protection procedures and responsibilities should be documented throughout the process Contracts and liabilities In terms of contractual liability responsibility for loss should be documented. Appropriate controls and insurance should be in place. 4.3 Information The management of sensitive information, including its storage, archiving, destruction and transmission, can vary depending on the classification of the asset involved Classification A clear structure for classification of information and other assets should be in place with accompanying guidelines to ensure that assets are appropriately classified and treated throughout their lifecycle Data and media handling Access to sensitive information and assets must always be governed by an overall need to know principle. Guidelines should be in place governing the handling of data and other media, including a clear desk policy. Guidelines should describe the end-to-end lifecycle management for sensitive assets, considering creation, classification, processing, storage, transmission and disposal Personnel Security A number of security requirements should pertain to all personnel working within the process Security in job description Security responsibilities should be clearly defined in job descriptions Recruitment screening An applicant, and employee, screening policy should be in place where local laws allow Acceptance of security rules All recruits should sign a confidentiality agreement. Employees should read the security policy and record their understanding of the contents and the conditions they impose. Adequate training in relevant aspects of the security management system should be provided on an ongoing basis.

9 4.3.7 Incident response and reporting Reporting procedures should be in place where a breach of the security policy has been revealed. A clear disciplinary procedure should be in place in the event that a staff member breaches the security policy Contract termination Clear exit procedures should be in place and observed with the departure of each employee. 4.4 Physical Security A building is part of the site where UICCs or components are produced, personalized and/or stored. Buildings in which sensitive assets are processed should be strongly constructed. Construction and materials should be robust and resistant to outside attack as manufacturers must ensure assets are stored within high security and restricted areas by using recognized security control devices, staff access procedures and audit control logs Security plan Layers of physical security control should be used to protect the process according to a clearly defined and understood strategy. The strategy should apply controls relevant to the assets and risks identified through risk assessment. The strategy should be encapsulated in a security plan that: defines a clear site perimeter / boundary defines one or more levels of secure area within the boundary of the site perimeter maps the creation, storage and processing of sensitive assets to the secure areas defines physical security protection standards for each level of secure area Physical protection The protection standards defined in the security plan should be appropriately deployed throughout the site, to include: deterrent to attack or unauthorized entry physical protection of the building and secure areas capable of resisting attack for an appropriate period mechanisms for early detection of attempted attack against, or unauthorized entry into, the secure areas at vulnerable points control of access through normal entry / exit points into the building and process to prevent unauthorized access effective controls to manage security during times of emergency egress from the secure area and building mechanisms for identifying attempted, or successful, unauthorized access to, or within the site mechanisms for monitoring and providing auditability of, authorised and unauthorised activities within the process

10 Controls deployed should be clearly documented and up-to-date. Controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation Access control Clear entry procedures and policies should exist which cater for the rights of employees, visitors and deliveries to enter the process. These considerations should include the use of identity cards, procedures governing the movement of visitors within the process, delivery/dispatch checking procedures and record maintenance. Access to each secure area should be controlled on a need to be there basis. Appropriate procedures should be in place to control, authorise, and monitor access to each secure area and within secure areas. Regular audits should be undertaken to monitor access control to the secure area. 4.5 Security staff Security staffs are commonly employed by suppliers. Where this is the case the duties should be clearly documented and the necessary tools and training shall be supplied Internal audit and control Physical security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation. 4.6 Production data management Suppliers will be responsible for lifecycle management of class 1 data used for personalisation. Information and IT security controls must be appropriately applied to all aspects of lifecycle management to ensure that data is adequately protected. The overall principle should be that all data is appropriately protected from the point of receipt through storage, internal transfer, processing and through to secure deletion of the data Data transfer Suppliers should take responsibility to ensure that electronic data transfer between themselves and other third parties is appropriately secured Access to sensitive data Suppliers should prevent direct access to sensitive production data. User access to sensitive data should be possible only where absolutely necessary. All access must be auditable to identify the date, time, activity and person responsible Data generation As part of the personalisation process secret data may be generated and personalized into the UICC. Where such generation takes place. The quality of the number generator in use should be subject to appropriate testing on a periodic basis. Evidence of testing, and successful results, should be available.

11 Clear, auditable, controls should be in place surrounding the use of the number generator to ensure that data is taken from the appropriate source Encryption keys Encryption keys used for data protection should be generated, exchanged and stored securely Auditability and accountability The production process should be controlled by an audit trail that provides a complete record of, and individual accountability for: data generation and processing personalisation re-personalisation access to sensitive data production of customer output files Auditable dual-control and 4-eyes principle should be applied to sensitive steps of data processing Data integrity Controls should be in place to ensure that the same, authorized, data from the correct source is used for production and supplied to the customer Duplicate production Controls should be in place to prevent duplicate production Internal audit and control Production data controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation. 4.7 Logistics and Production Management Personnel Clear security rules should govern the manner in which employees engaged in such activities should operate within the PROCESS. Relevant guidelines should be in place and communicated to all relevant staff Order management The ordering format should be agreed between operator and supplier and rules to preserve the integrity of the ordering process should be in place Raw materials Raw materials classified as lower than class 2 (plastic sheets, GSM generic components, blank mailers, etc.) are not considered to be security sensitive. However, appropriate controls should be established for stock movements. The availability of these assets must be ensured.

12 Raw materials classified as class 2 (e.g. non-personalised devices) are considered to be security sensitive. Controls should be established that: Account for stock movement Prevent unauthorised access Preserve the integrity of batches Prevent availability of class 2 assets within the production environment undermining the quantity control and reconciliation mechanism for class 1 assets Control, audit and monitoring The production process should be controlled by an audit trail that: ensures that the quantities of class 1 assets created, processed, rejected and destroyed are completely accounted for ensures that the responsible individuals are traceable and can be held accountable demands escalation where discrepancies or other security incidents are identified. The stock of all Class 1 assets must be subject to end-to-end reconciliation in order that every element can be accounted for. Auditable dual-control and 4-eyes principle should be applied to sensitive steps of the production process, including: control of the quantity of assets entering the personalisation process authorization of re-personalisation for rejected UICCs control of the quantity of assets packaged for dispatch to customers destruction of rejected assets Application of 4-eyes principle should be auditable through production records and CCTV. Regular audits should be undertaken to ensure the integrity of production controls and the audit trail. Suppliers must demonstrate an ability to prevent unauthorised duplication within the production process during personalisation and re-personalisation. Suppliers must demonstrate an ability to preserve the integrity of batches within the production environment to prevent: cross-contamination of assets between batches uncontrolled assets in the production environment undermining the integrity of the asset control mechanism Destruction Rejected sensitive assets must always be destroyed according to a secure procedure and logs retained.

13 4.7.6 Storage Personalised product should be stored securely prior to dispatch to preserve the integrity of the batches. Where personalised product is stored for extended periods additional controls should be in place Packaging and delivery Packaging of goods should be fit for the intended purpose and strong enough to protect them during shipment. Appropriate measures should be in place to ascertain whether or not goods have been tampered with. Secure delivery procedures should be agreed between the customer and the supplier which should include agreed delivery addresses and the method of delivery. Collection and delivery notes must be positively identified. Goods should only be handed over following the production of the appropriate authority documents. A receipt should be obtained Internal audit and control Production security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation. 4.8 Computer and Network Management The secure operation of computer and network facilities is paramount to the security of data. In particular, the processing, storage and transfer of Class 1 information, which if compromised, could have serious consequences for the Operator, must be considered. Operation of computer systems and networks must ensure that comprehensive mechanisms are in place to preserve the confidentiality, integrity and availability of data Policy A documented IT security policy should exist which should be well understood by employees Segregation of roles and responsibilities Responsibilities and procedures for the management and operation of computers and networks should be established. Security related duties should be segregated from operational activities to minimise risk Access control Physical access to sensitive computer facilities should be controlled. An access control policy should be in place and procedures should govern the granting of access rights with a limit placed on the use of special privilege users. Logical access to IT services should be via a secure logon procedure. Passwords should be managed effectively and strong authentication should be deployed where remote access is granted.

14 4.8.4 Network security Systems and data networks used for the processing and storage of sensitive data should be housed in an appropriate environment and logically or physically separated from insecure networks. Data transfer between secure and insecure networks must be strictly controlled according to a documented policy defined on a principle of minimum access Virus controls Comprehensive virus detection and prevention measures should be deployed across all vulnerable systems System back-up Back-up copies of critical business data should be taken regularly. Back-ups should be stored appropriately to ensure confidentiality and availability Audit and monitoring Audit trails of security events should be maintained and procedures established for monitoring use Insecure terminal access Unattended terminals should timeout to prevent unauthorised use and appropriate time limits should be in place External facilities management If external facilities management services are used appropriate security controls should be in place Systems development and maintenance Security requirements of systems should be identified at the outset of their procurement and these factors should be taken into account when sourcing them Internal audit and control IT security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation. 5 Conclusion a) SIM is the key to network security and there are several possible threats which can compromise the security of the network and the user. The security accreditation scheme, as mandated by GSMA if implemented shall go a long way in mitigating the following risks: i. Insertion of malicious/ spyware application in SIM ii. Asset protection against production of duplicate cards and data theft iii. Unauthorized access to user data and media iv. Unauthorized location tracking

15 v. Unauthorized downloading of applications like bulk blocking of calls, stopping of SIM, change of operator logo etc. b) As a part of the Annual Action Plan of M Division, SIM/USIM IRs for mandatory testing are planned to be formulated. We may incorporate suitable clauses regarding SIM security as above.

16 6 References 1) GSMA Security Accreditation Scheme Methodology, Version: ) GSMA Security Accreditation Scheme Standard, Version: 4.3 3) GSMA Security Accreditation Scheme Service Agreement 4) 3GPP TS : 3GPP Technical specifications for USIM applications 5) 3GPP TS (2004): 3GPP Technical specifications for USIM Applications Toolkit 6) 3GPP TS : Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface 7) 3GPP TS :Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface 8) 3GPP TS : Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications 9) 3GPP TS : Remote APDU Structure for (U)SIM Toolkit applications

17 7 Abbreviations ADN ADM DES FDN GPRS GSM GSMA IK IMSI Kc Ki MSISDN OTA OS PIN PUK RAND RES SAS SMS TSP UICC USAT USIM Abbreviated Dialling Number Access condition to an EF which is under the control of the authority which creates this file Digital Encryption Standard Fixed Dialling Number General Packet Radio Service Global System for Mobile communications Global System for Mobile Association Integrity Key International Mobile Subscriber Identity Cryptographic key; used by the cipher A5 Subscriber authentication key; the cryptographic key used by the authentication algorithm, A3, cipher key generator, A8 Mobile Subscriber ISDN number Over The Air Operating System Personal Identification Number PIN Unblocking Key A Random challenge issued by the network Response Security Accreditation Scheme Short Message Service Telecom Service Provider Universal Integrated Chip Card USIM Application Toolkit Universal Subscriber Identity Module