SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security


International Telecommunication Union

ITU-T Y.2740
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(01/2011)

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS
Next Generation Networks Security

Security requirements for mobile remote financial transactions in next generation networks

Recommendation ITU-T Y.2740


Recommendation ITU-T Y.2740

Security requirements for mobile remote financial transactions in next generation networks

Summary

Within the last few years, a great variety of remote payment networks using mobile networks have been established. While implementing different approaches, quite often they lack security. At the same time, communication networks, including mobile networks, are changing substantially as they undergo the transition to next generation networks (NGN).

Recommendation ITU-T Y.2740 elaborates approaches to develop system security for mobile commerce and mobile banking in the next generation networks (NGN). It describes security requirements for the mobile commerce and the mobile banking systems, based on four specified security levels. It outlines probable risks in mobile commerce and mobile banking systems, and specifies means for risk reduction.

History

Edition  Recommendation  Approval  Study Group
1.0      ITU-T Y

Keywords

Mobile banking, mobile commerce, mobile payments, remote payments, security.

Rec. ITU-T Y.2740 (01/2011)

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE

In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at

© ITU 2011

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS

1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Security considerations for mobile banking and mobile commerce systems in the next generation network
  6.1 Basic risks in mobile remote financial transactions
  6.2 Security goals
  6.3 Security levels and means to support them
Bibliography


Recommendation ITU-T Y.2740

Security requirements for mobile remote financial transactions in next generation networks

1 Scope

This Recommendation describes security risks associated with remote mobile financial transactions supported by the next generation network (NGN) application services and the risk mitigation and counter measures based on four security levels.

This Recommendation also specifies the minimum requirements for protecting the privacy of an individual's personal data regarding remote mobile financial transactions.

2 References

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T X.800]   Recommendation ITU-T X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
[ITU-T X.805]   Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
[ITU-T Y.2720]  Recommendation ITU-T Y.2720 (2009), NGN identity management framework.
[ITU-T Y.2741]  Recommendation ITU-T Y.2741 (2011), Architecture of secure mobile financial transactions in next generation networks.

3 Definitions

3.1 Terms defined elsewhere

This Recommendation uses the following terms defined elsewhere:

access control [ITU-T X.800]: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.

application [ITU-T Y.2741]: A special mobile banking or mobile commerce application uploaded to Client's (user's) mobile device.

authentication [ITU-T X.800]: See data origin authentication, and peer entity authentication.
NOTE: In this Recommendation, the term "authentication" is not used in connection with data integrity, the term "data integrity" is used instead.

availability [ITU-T X.800]: The property of being accessible and useable upon demand by an authorized entity.

client [ITU-T Y.2741]: Private individual or corporate entity that has signed a contractual agreement on the use of telecommunication services and the system of mobile commerce.

3.1.6 confidentiality [ITU-T X.800]: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

data integrity [ITU-T X.800]: The property that data has not been altered or destroyed in an unauthorized manner.

data origin authentication [ITU-T X.800]: The corroboration that the source of data received is as claimed.

mobile payment system [ITU-T Y.2741]: Mobile banking and/or mobile commerce System.

next generation network (NGN) [b-ITU-T Y.2001]: A packet-based network able to provide telecommunication services and able to make use of multiple broadband, QoS-enabled transport technologies and in which service-related functions are independent from underlying transport-related technologies. It enables unfettered access for users to networks and to competing service providers and for services of their choice. It supports generalized mobility which will allow consistent and ubiquitous provision of services to users.

privacy [ITU-T X.800]: The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
NOTE: Because this term relates to the right of individuals, it cannot be very precise and its use should be avoided except as a motivation for requiring security.

repudiation [ITU-T X.800]: Denial by one of the entities involved in a communication of having participated in all or part of the communication.

security dimension [ITU-T X.805]: A set of security measures designed to address a particular aspect of the network security.

security layer [ITU-T X.805]: A hierarchy of network equipment and facility groupings.

security planes [ITU-T X.805]: A certain type of network activity protected by security dimensions.

3.2 Terms defined in this Recommendation

This Recommendation uses the following term:

security level: Security specification of the system which defines effectiveness of risk protection.

4 Abbreviations and acronyms

This Recommendation uses the following abbreviations and acronyms:

GSM      Global System for Mobile Communications
MPS      Mobile Payment System
MSISDN   Mobile Station International ISDN Number
NGN      Next Generation Network
PA-DSS   Payment Application Data Security Standard
PCI DSS  Payment Card Industry Data Security Standard

5 Conventions

None.

6 Security considerations for mobile banking and mobile commerce systems in the next generation network

Mobile payment system (MPS) security in the next generation network (NGN) is based on the MPS architecture and the MPS participants' roles specified in [ITU-T Y.2741], Architecture of secure mobile financial transactions in next generation networks, as well as on the MPS participants' risk analysis, described below.

6.1 Basic risks in mobile remote financial transactions

This clause does not consider factors that condition new global and industrial risks run by the participants when implementing the MPS system, strategic, country and sovereign, market, interest, liquidity, legal, reputation risks, etc. The clause touches upon the information risks that may arise directly at time of remote mobile payments and require deciding security issues to minimize the risks:

- The risk of confidentiality loss which implies unauthorized access to confidential information;
- The risk of data integrity violation which is the distortion of information when transferring or processing data;
- The risk of electronic documents forgery (the risk to authenticity) which is when electronic documents are generated by unauthorized participants;
- The risk of repudiation which involves the denial of authorship of an electronic document;
- The risk of information destruction, either intended or due to negligence;
- Transactional risk which involves failure to finish or complete a transaction (e.g., owing to bad transmission quality).

6.2 Security goals

To improve the mobile payment security and minimize the risks of the participants, the solution must ensure the realization of the following goals:

- to reduce the possibility of interception of personal or financial information at time of a transaction;
- to reduce the possibility of retrieving personal or financial information from databases;
- to reduce the possibility of substitution or distortion of personal or financial information at time of a transaction;
- to reduce the possibility to use the solution by unauthorized persons and persons attempting a masquerade by implementation of a unique authentication;
- to reduce the possibility of using "stolen" information in the solution;
- to provide the grounds to make it impossible for a transaction initiator or participant to deny his actions after they have been performed;
- to ensure the compliance with legal rights and duties of all interoperation participants;
- to ensure the completion of transaction.

6.3 Security levels and means to support them

This Recommendation describes four MPS security levels based on MPS participants' risk analysis. The System security level is defined by the set of security dimensions implementations (see Table 1). Thus, the fourth (the highest) security level must have the strongest implementations of security dimensions. Nevertheless, requirements for some security dimensions are unified for all security levels.

Parties using MPS should be aware of the System security level and the System's risks. The acceptable security level for a certain risk of any System component is determined by the party taking this risk. The parties can additionally mitigate the risks of using MPS by operational measures which may include limiting the frequency or monetary value of individual transactions, the availability of the service to users with high loyalty level, etc.

The client is identified to the System by using an NGN network public identifier (e.g., MSISDN for GSM networks).

Implementation of security dimensions for all security levels

The System security is entrusted upon every System participant and is achieved by the physical and the administrative facilities of security assurance at data transfer, processing and storage. The System participants shall ensure the implementation of information security assurance industry standards (e.g., [b-PCI DSS], and [b-PA-DSS], etc.).

Eight security dimensions [ITU-T X.805] that define the MPS security levels are listed below. It is mandatory that all System participants should implement the security dimensions in relation to the information being involved in the data exchange.

1) Access control: the access to each MPS component must be granted only as provided by the System personnel or end-user access level. The requirement is valid for all security levels.

2) Authentication: the authenticity of the claimed identity of the entities participating must be ensured. This is one of the key factors in mitigating the risk of denial of authorship. Due to wide organizational and technical implementation possibilities, each security level defines minimal authentication mechanism requirements.
   The three factors of client (user) authentication are:
   - the client uses some information which no one else can be aware of, e.g., access password (Something You Know);
   - the client possesses something which is available only for him and performs certain actions uniquely, e.g., generates an electronic signature or a message authentication code (Something You Have);
   - the client uses his biometric data (Something You Are).

3) Non-repudiation: provides means for preventing an individual or an entity from denying having performed a particular action (e.g., sending, transferring or receiving messages). For this purpose, all System personnel and end-user actions shall undergo mandatory registration. Event logs must be change-proof and contain all actions of all users. Compliance with the requirements is achieved by legally stated or reserved in mutual contracts means and accepted authentication mechanisms. The requirement is valid for all security levels.

4) Data confidentiality: data used in the System are protected from unauthorized disclosure and alteration. Requirements to confidentiality are defined by the System data criticality. Each security level specifies certain means of ensuring confidentiality and imposes restrictions on the System data criticality level.

5) Communication security: the guaranteed delivery of the sequence of messages in both directions (to and from the addressee) includes the completion of a transaction (using the protocols that ensure the completion of a transaction), and the protection of the information from an unauthorized disclosure at time of transfer over the communication channels. This requirement is valid for all security levels.

6) Data integrity: the correctness, accuracy and integrity of data are ensured by means of protection against unauthorized modification, deletion, creation and replication, as well as the indication of these unauthorized activities. Logical completion of a transaction is guaranteed when certain conditions are satisfied, which is implemented on the application level. Each security level defines certain mechanisms of integrity assurance. Integrity assurance can be achieved by means of data confidentiality and access control.

7) Availability: ensures the preservation of authorized access to MPS data and services. The requirement is valid for all security levels and is to be met by the service provider in a best effort manner.

8) Privacy: ensures the security of the information involved in the data exchange and stored by the system participants. The minimum number of data necessary for the System to operate shall be used in the solution. The System participants shall mitigate against unauthorized data acquisition and transfer. The System shall assure compliance with the financial industry standards.

The security dimensions that are equally implemented at all security levels are:

- access control;
- non-repudiation;
- communication security;
- availability.

The following security dimensions have different implementation at different security levels:

- authentication;
- data confidentiality;
- data integrity;
- privacy.

Security level 1

MPS can rely on the authentication of the client provided by the NGN operator.

Data confidentiality and integrity are ensured by the data transfer environment (communications security), and at their storage and processing by the mechanism of data storage as well as the System access control facilities.

The privacy is ensured by the absence of sensitive data in the messages being transferred, as well as by the implementation of the required mechanisms of data storage and the system access control facilities.

The System components must not have latent possibilities of unauthorized data acquisition and transfer.

Security level 2

Authentication when using the System services can be executed by using only one authentication factor and thus can be implemented without the application of cryptographic protocols. One-time-password is used for authentication. One-time-password is generated by means of various tokens (single factor one-time-password device, single factor cryptographic device, etc.).

Data confidentiality, integrity and privacy are ensured similarly to level

Security level 3

Multifactor client authentication must be used for the access to the System services. The System shall use more than one authentication factor to authenticate the client.

Data confidentiality, integrity and privacy at message transfer must be ensured by using additional message encryption, together with data transfer protocols that ensure the security of the data being transferred by the interoperation participants (including data integrity verification). During data storage and processing, their confidentiality, integrity and privacy are ensured by additional mechanisms of encryption and masking together with well-defined distribution of access in concordance with privileges and permissions.

To meet security requirements at this level, the System shall use special software applications, uploaded to clients' mobile devices. These applications shall implement two-factor authentication and ensure both encryption and decryption of the transferred data. Each authentication shall require entry of the password or other activation data to activate the authentication key and the unencrypted copy of the authentication key shall be erased after each authentication (multifactor software cryptographic token).

All MPS interoperation participants shall use security facilities that ensure the system against break-in.

In the level 3 solutions, the security of data transferred over the communications channels shall be ensured by means of strong cryptography. The strength of a cryptographic method depends on the cryptographic key being used. The effective key size shall meet the recommendations of the minimal key size choice which ensures its relative strength.

Security level 4

This is the highest System security level. To meet the security requirements at this level, the System shall use hardware security modules installed in clients' mobile devices. These hardware security modules shall implement two-factor authentication and ensure both encryption and decryption of the transferred data. Each authentication shall require entry of the password or other activation data to activate the authentication key and the unencrypted copy of the authentication key shall be erased after each authentication (multifactor hardware cryptographic token).

Both symmetric and asymmetric cryptographic algorithms are applied to message encryption.

Implementation of other security dimensions shall fully correspond to level 3.
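An added illustration, not part of the Recommendation, of the multifactor software cryptographic token described for security level 3: the authentication key rests on the device only in password-wrapped form, is activated for one authentication, and the unencrypted copy is then erased. The class names, the PBKDF2-plus-XOR wrapping (a standard-library stand-in for an authenticated key-wrap algorithm), the challenge-response exchange and every sample value are assumptions of this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def _wrapping_key(password: str, salt: bytes) -> bytes:
    """Stretch the activation password into a 32-byte wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SoftwareToken:
    """Client application: holds the key only in wrapped form (Something You Have)."""

    def __init__(self, auth_key: bytes, password: str):
        self.salt = secrets.token_bytes(16)
        # XOR with a one-off derived pad; the plain key is not kept on the object.
        self.wrapped = _xor(auth_key, _wrapping_key(password, self.salt))

    def sign(self, password: str, challenge: bytes, payment: bytes) -> bytes:
        """Activate the key with the password (Something You Know), MAC, erase."""
        key = bytearray(_xor(self.wrapped, _wrapping_key(password, self.salt)))
        try:
            # challenge is fixed-length (16 bytes), so concatenation is unambiguous
            return hmac.new(key, challenge + payment, hashlib.sha256).digest()
        finally:
            # Best-effort erasure: Python may hold other copies; a production
            # token would rely on a platform keystore or hardware module.
            for i in range(len(key)):
                key[i] = 0


class PaymentServer:
    """MPS side: issues single-use challenges and checks the returned MAC."""

    def __init__(self):
        self._keys = {}     # client identifier (e.g. MSISDN) -> authentication key
        self._pending = {}  # client identifier -> outstanding challenge

    def enroll(self, msisdn: str) -> bytes:
        """Create the key; provisioning to the device is assumed to be secure."""
        key = secrets.token_bytes(32)
        self._keys[msisdn] = key
        return key

    def challenge(self, msisdn: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[msisdn] = nonce
        return nonce

    def verify(self, msisdn: str, payment: bytes, tag: bytes) -> bool:
        nonce = self._pending.pop(msisdn, None)  # consumed: blocks replay
        key = self._keys.get(msisdn)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + payment, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed walk-through: valid payment, replay, bad password, tampering."""
    server = PaymentServer()
    msisdn = "+10000000000"               # constructed identifier
    password = "correct horse"            # constructed activation data
    token = SoftwareToken(server.enroll(msisdn), password)
    payment = b"pay 25.00 EUR to merchant-42"
    out = {}

    tag = token.sign(password, server.challenge(msisdn), payment)
    out["good"] = server.verify(msisdn, payment, tag)
    out["replay"] = server.verify(msisdn, payment, tag)

    tag = token.sign("guess", server.challenge(msisdn), payment)
    out["wrong_password"] = server.verify(msisdn, payment, tag)

    tag = token.sign(password, server.challenge(msisdn), payment)
    out["tampered"] = server.verify(msisdn, b"pay 9925.00 EUR to merchant-42", tag)
    return out


if __name__ == "__main__":
    print(demo())
```

A wrong password unwraps to a different key, so the failure surfaces only at the server, where attempts can be counted and limited.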

Table 1: Correlation of security levels and security dimensions implementation

Access control (Levels 1 to 4)
  The access to every system component shall be granted to authorized system personnel only. The activation of special applications uploaded to mobile terminals should be permitted to the authorized clients only.

Authentication
  Level 1: The authentication in the System is ensured by the NGN data transfer environment.
  Level 2: Single-factor authentication at the System services usage.
  Level 3: Multifactor authentication at the System services usage.
  Level 4: In-person subscription to services where personal data with obligatory identification is used. Multifactor authentication at the System services usage. Obligatory usage of a hardware cryptographic module.

Non-repudiation (Levels 1 to 4)
  The impossibility of a transaction initiator or participant denying his or her actions upon their completion is ensured by explicit and implicit legal contracts legally stated or reserved in mutual contracts means and accepted authentication mechanisms. All system personnel and end-user actions shall be logged. Event logs shall be change-proof and hold all actions of all users.

Data confidentiality, data integrity, privacy
  Levels 1 and 2: During data transfer, data confidentiality is ensured by the data transfer environment (communications security), and by the mechanism of data storage together with the means of system access control at data storage and processing. Privacy is ensured by the absence of sensitive data in the messages being transferred, as well as by the implementation of the required mechanisms of data storage and the System access control facilities. The System components must not have latent possibilities of unauthorized data acquisition and transfer.
  Level 3: During data transfer, data confidentiality is ensured by additional message encryption together with data transfer protocols that ensure the security of the data being transferred by the interoperation participants (including data integrity verification). During data storage and processing, their confidentiality, integrity and privacy are ensured by additional mechanisms of encryption and masking together with well-defined distribution of access in concordance with privileges and permissions.
  Level 4: The implementation of the level 3 requirements with the obligatory usage of hardware cryptographic and data security facilities on the client's side (hardware cryptographic module).

Communication security (Levels 1 to 4)
  The delivery of a message to the addressee is ensured as well as the security against unauthorized disclosure at time of transfer over the communications channels. It is ensured by the NGN providers.

Availability (Levels 1 to 4)
  It ensures that there is no denial of authorized access to the System data and services. Availability is assured by the NGN providers as well as by the MPS service providers.
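An added illustration, not part of the Recommendation, of one way to meet the non-repudiation requirement that event logs be change-proof and hold all actions of all users (item 3 of the security dimensions and the non-repudiation row of Table 1): a keyed hash chain in which every entry commits to its predecessor. The record fields, function names, key handling and sample entries are assumptions of this example; the Recommendation does not prescribe a mechanism.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'prev' value carried by the first entry


def _mac(key: bytes, prev: str, record: dict) -> str:
    """HMAC over the previous entry's MAC and a canonical form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()


class EventLog:
    """Append-only log; the key is assumed to be held by the logging service
    only, not by operators who can write to the log storage."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def append(self, actor: str, action: str, detail: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "detail": detail}
        mac = _mac(self._key, prev, record)
        self.entries.append({"record": record, "prev": prev, "mac": mac})
        return mac  # current head; export it to an independent party


def first_bad_entry(entries, key: bytes, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact.

    expected_head is the last MAC as recorded outside the log store; without
    it, removal of the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        ok = (entry["record"].get("seq") == i
              and entry["prev"] == prev
              and hmac.compare_digest(entry["mac"],
                                      _mac(key, prev, entry["record"])))
        if not ok:
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # chain is valid but shorter than it should be
    return None


def demo() -> dict:
    """Constructed log of personnel and end-user actions, then three tamperings."""
    key = b"constructed-demo-key"  # constructed; use a managed secret in practice
    log = EventLog(key)
    log.append("operator:alice", "login", "admin console")
    log.append("client:+10000000000", "payment", "25.00 EUR to merchant-42")
    head = log.append("operator:alice", "refund", "25.00 EUR to +10000000000")

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["detail"] = "2.50 EUR to merchant-42"  # altered amount
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                             # removed action
    truncated = copy.deepcopy(log.entries)[:2]                 # dropped tail

    return {
        "intact": first_bad_entry(log.entries, key, head),
        "edited": first_bad_entry(edited, key, head),
        "deleted": first_bad_entry(deleted, key, head),
        "truncated": first_bad_entry(truncated, key, head),
    }


if __name__ == "__main__":
    print(demo())
```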

Bibliography

[b-ITU-T Y.2001]  Recommendation ITU-T Y.2001 (2004), General overview of NGN.
[b-PA-DSS]        Payment Card Industry (PCI), Payment Application Data Security Standard. Requirements and Security Assessment Procedures, Version 2.0, October
[b-PCI DSS]       Payment Card Industry (PCI), Data Security Standard. Requirements and Security Assessment Procedures, Version 2.0, October


Printed in Switzerland
Geneva, 2011


Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Advanced Topics in Distributed Systems Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Security Introduction Based on Ch1, Cryptography and Network Security 4 th Ed Security Dr. Ayman Abdel-Hamid,

More information

PRIVACY AND DATA SECURITY MODULE

PRIVACY AND DATA SECURITY MODULE "This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which

More information

ITU-T G.800. Amendment 2 (09/2010) Unified functional architecture of transport networks Amendment 2

ITU-T G.800. Amendment 2 (09/2010) Unified functional architecture of transport networks Amendment 2 International Telecommunication Union ITU-T G.800 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Amendment 2 (09/2010) SERIES G: TRANSMISSION SYSTEMS AND MEDIA, DIGITAL SYSTEMS AND NETWORKS Digital networks

More information

This document is a preview generated by EVS

This document is a preview generated by EVS INTERNATIONAL STANDARD ISO/IEC 29180 First edition 2012-12-01 Information technology Telecommunications and information exchange between systems Security framework for ubiquitous sensor networks Technologies

More information

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security. Framework of security technologies for home network

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security. Framework of security technologies for home network International Telecommunication Union ITU-T X.1111 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (02/2007) SERIES X: DATA NETWORKS, OPEN SSTEM COMMUNICATIONS AND SECURIT Telecommunication security Framework

More information

INTERNATIONAL TELECOMMUNICATION UNION DATA COMMUNICATION NETWORKS: OPEN SYSTEMS INTERCONNECTION (OSI); SECURITY, STRUCTURE AND APPLICATIONS

INTERNATIONAL TELECOMMUNICATION UNION DATA COMMUNICATION NETWORKS: OPEN SYSTEMS INTERCONNECTION (OSI); SECURITY, STRUCTURE AND APPLICATIONS INTERNATIONAL TELECOMMUNICATION UNION CCITT X.800 THE INTERNATIONAL TELEGRAPH AND TELEPHONE CONSULTATIVE COMMITTEE DATA COMMUNICATION NETWORKS: OPEN SYSTEMS INTERCONNECTION (OSI); SECURITY, STRUCTURE AND

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION ITU-T X.690 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/2002) SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS OSI networking and system aspects Abstract

More information

INTERNATIONAL TELECOMMUNICATION UNION SERIES L: CONSTRUCTION, INSTALLATION AND PROTECTION OF CABLES AND OTHER ELEMENTS OF OUTSIDE PLANT

INTERNATIONAL TELECOMMUNICATION UNION SERIES L: CONSTRUCTION, INSTALLATION AND PROTECTION OF CABLES AND OTHER ELEMENTS OF OUTSIDE PLANT INTERNATIONAL TELECOMMUNICATION UNION ITU-T L.52 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2003) SERIES L: CONSTRUCTION, INSTALLATION AND PROTECTION OF CABLES AND OTHER ELEMENTS OF OUTSIDE PLANT

More information

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity management International Telecommunication Union ITU-T X.1252 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2010) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Identity

More information

INTERNATIONAL TELECOMMUNICATION UNION $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/.

INTERNATIONAL TELECOMMUNICATION UNION $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/. INTERNATIONAL TELECOMMUNICATION UNION ##)44 8 THE INTERNATIONAL TELEGRAPH AND TELEPHONE CONSULTATIVE COMMITTEE $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/.3

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION ITU-T G.825 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2000) SERIES G: TRANSMISSION SYSTEMS AND MEDIA, DIGITAL SYSTEMS AND NETWORKS Digital networks Quality

More information

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations. Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 0 Reader s s Guide The art of war teaches us to rely

More information

Chap. 1: Introduction

Chap. 1: Introduction Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

SERIES T: TERMINALS FOR TELEMATIC SERVICES Still-image compression JPEG-1 extensions

SERIES T: TERMINALS FOR TELEMATIC SERVICES Still-image compression JPEG-1 extensions International Telecommunication Union ITU-T T.871 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2011) SERIES T: TERMINALS FOR TELEMATIC SERVICES Still-image compression JPEG-1 extensions Information

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Third Edition by William Stallings Lecture slides by Shinu Mathew John http://shinu.info/ Chapter 1 Introduction http://shinu.info/ 2 Background Information Security requirements

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

)454 6. SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems. ITU-T Recommendation V.25

)454 6. SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems. ITU-T Recommendation V.25 INTERNATIONAL TELECOMMUNICATION UNION )454 6 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/96) SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems!utomatic ANSWERING

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

INTERNATIONAL TELECOMMUNICATION UNION. WORLD TELECOMMUNICATION STANDARDIZATION ASSEMBLY Dubai, 20-29 November 2012

INTERNATIONAL TELECOMMUNICATION UNION. WORLD TELECOMMUNICATION STANDARDIZATION ASSEMBLY Dubai, 20-29 November 2012 INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU WORLD TELECOMMUNICATION STANDARDIZATION ASSEMBLY Dubai, 20-29 November 2012 Resolution 76 Studies related to

More information

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Cloud Computing

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Cloud Computing I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T Y.3600 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2015) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL

More information

ETSI TR 102 071 V1.2.1 (2002-10)

ETSI TR 102 071 V1.2.1 (2002-10) TR 102 071 V1.2.1 (2002-10) Technical Report Mobile Commerce (M-COMM); Requirements for Payment Methods for Mobile Commerce 2 TR 102 071 V1.2.1 (2002-10) Reference RTR/M-COMM-007 Keywords commerce, mobile,

More information

ITU-T X.805 based Vulnerability Analysis Method for Security Framework of End-to-End Network Services

ITU-T X.805 based Vulnerability Analysis Method for Security Framework of End-to-End Network Services ITU-T X.805 based Vulnerability Method for Security Framework of End-to-End Network Services YOUNGDUK CHO YOOJAE WON BYONGJIN CHO Information Security Technology Division Korea Information Security Agency

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1 Cryptography and Network Security Chapter 1 Acknowledgments Lecture slides are based on the slides created by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

INTERNATIONAL TELECOMMUNICATION UNION. SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems

INTERNATIONAL TELECOMMUNICATION UNION. SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems INTERNATIONAL TELECOMMUNICATION UNION ITU-T V.24 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (02/2000) SERIES V: DATA COMMUNICATION OVER THE TELEPHONE NETWORK Interfaces and voiceband modems List of

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Toward global Interoperable Identity Management

Toward global Interoperable Identity Management ITU-T Joint Meeting on the IdM Focus Group Reports Toward global Interoperable Identity Management Anthony-Michael Rutkowski Vice-President, VeriSign Chair, ITU-T IdM FG Requirements WG Geneva, 10-11 September

More information

Next Generation Networks architecture by ITU-T

Next Generation Networks architecture by ITU-T Next Generation Networks architecture by ITU-T Robert Wójcik Department of Telecommunications 21st January 2009, Kraków, Poland Outline 1 The beginnings 2 The definition 3 Fundamental characteristics of

More information

EESTI STANDARD EVS-ISO/IEC 18028-2:2007

EESTI STANDARD EVS-ISO/IEC 18028-2:2007 EESTI STANDARD EVS-ISO/IEC 18028-2:2007 INFOTEHNOLOOGIA Turbemeetodid Infotehnoloogiavõrkude turve Osa 2: Võrguturbe arhitektuur Information technology Security techniques IT network security Part 2: Network

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Information System Security

Information System Security Information System Security Chapter 1:Introduction Dr. Lo ai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Chapter 1 Introduction The

More information

Electronic Data Interchange (EDI) Messaging Security

Electronic Data Interchange (EDI) Messaging Security Essay 18 Electronic Data Interchange (EDI) Messaging Security Ted Humphreys The modern economy and the future wealth and prosperity of industry and commerce rely increasingly on the exchange of data and

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

Neutralus Certification Practices Statement

Neutralus Certification Practices Statement Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3

More information

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik Common Criteria Protection Profile Cryptographic Modules, Security Level Enhanced BSI-CC-PP-0045 Endorsed by the Foreword This Protection Profile - Cryptographic Modules, Security Level Enhanced - is issued

More information

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11. Content 1.Introduction to Data and Network Security. 2. Why secure your Network 3. How Much security do you need, 4. Communication of network systems, 5. Topology security, 6. Cryptosystems and Symmetric

More information

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile

More information

COMMISSION OF THE EUROPEAN COMMUNITIES

COMMISSION OF THE EUROPEAN COMMUNITIES EN EN EN COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 11/XII/2006 C (2006) 6364 final COMMISSION DECISION of 11/XII/2006 List of standards and/or specifications for electronic communications networks,

More information

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE Prom. SG. 34/6 Apr 2001, amend. SG. 112/29 Dec 2001, amend. SG. 30/11 Apr 2006, amend. SG. 34/25 Apr 2006, amend. SG. 38/11 May 2007 Chapter one.

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION This can be a complex subject and the following text offers a brief introduction to Electronic Signatures, followed by more background on the Register of

More information

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data Global Alliance for Genomics and Health SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data VERSION 1.1 March 12,

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

The Impact of 21 CFR Part 11 on Product Development

The Impact of 21 CFR Part 11 on Product Development The Impact of 21 CFR Part 11 on Product Development Product development has become an increasingly critical factor in highly-regulated life sciences industries. Biotechnology, medical device, and pharmaceutical

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

COM 17 LS 05 E. English only Original: English TELECOMMUNICATION STANDARDIZATION SECTOR. Question(s): 9/17

COM 17 LS 05 E. English only Original: English TELECOMMUNICATION STANDARDIZATION SECTOR. Question(s): 9/17 Question(s): 9/17 INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION STANDARDIZATION SECTOR STUDY PERIOD 2005-2008 LIAISON STATEMENT Source: Q.9/17 Rapporteur Group (Tokyo, 15-17 November 2004) Title:

More information

Requirements & Reference Models for ADSL Access Networks: The SNAG Document

Requirements & Reference Models for ADSL Access Networks: The SNAG Document Technical Report TR-010 Requirements & Reference Models for ADSL Access Networks: The SNAG Document June 1998 Abstract: This document outlines architectural requirements and reference models for ADSL services

More information

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to

More information

SERIES G: TRANSMISSION SYSTEMS AND MEDIA, DIGITAL SYSTEMS AND NETWORKS Transmission media and optical systems characteristics Optical fibre cables

SERIES G: TRANSMISSION SYSTEMS AND MEDIA, DIGITAL SYSTEMS AND NETWORKS Transmission media and optical systems characteristics Optical fibre cables International Telecommunication Union ITU-T G.657 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2009) SERIES G: TRANSMISSION SYSTEMS AND MEDIA, DIGITAL SYSTEMS AND NETWORKS Transmission media and

More information

SHORT MESSAGE SERVICE SECURITY

SHORT MESSAGE SERVICE SECURITY SHORT MESSAGE SERVICE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

##)44 ) #!,, &/27!2$).' 5.#/.$)4)/.!, ).4%'2!4%$ 3%26)#%3 $)')4!,.%47/2+ )3$. '%.%2!, 3425#452%!.$ 3%26)#% #!0!"),)4)%3 2ECOMMENDATION )

##)44 ) #!,, &/27!2$).' 5.#/.$)4)/.!, ).4%'2!4%$ 3%26)#%3 $)')4!,.%47/2+ )3$. '%.%2!, 3425#452%!.$ 3%26)#% #!0!),)4)%3 2ECOMMENDATION ) INTERNATIONAL TELECOMMUNICATION UNION ##)44 ) THE INTERNATIONAL (08/92) TELEGRAPH AND TELEPHONE CONSULTATIVE COMMITTEE ).4%'2!4%$ 3%26)#%3 $)')4!,.%47/2+ )3$. '%.%2!, 3425#452%!.$ 3%26)#% #!0!"),)4)%3

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU M.2140 (02/2000) SERIES M: TMN AND NETWORK MAINTENANCE: INTERNATIONAL TRANSMISSION SYSTEMS, TELEPHONE CIRCUITS, TELEGRAPHY,

More information

Information Security

Information Security Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked

More information

3. Designed for installation by the user without further substantial support by the supplier; and

3. Designed for installation by the user without further substantial support by the supplier; and Commerce Control List Supplement No. 1 to Part 774 Category 5 - Info. Security page 1 CATEGORY 5 TELECOMMUNICATIONS AND INFORMATION SECURITY Part 2 INFORMATION SECURITY Note 1: The control status of information

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU M.3400 (02/2000) SERIES M: TMN AND NETWORK MAINTENANCE: INTERNATIONAL TRANSMISSION SYSTEMS, TELEPHONE CIRCUITS, TELEGRAPHY,

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS ADMINISTRATIONS Effective as of 13 June 2008 Adopted by Decree of the Council of Ministers No 97 of 16 May 2008 Promulgated SG, No. 48 of 23 May 2008 Chapter One GENERAL PROVISIONS Article 1. This Ordinance

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

ICT USER ACCOUNT MANAGEMENT POLICY

ICT USER ACCOUNT MANAGEMENT POLICY ICT USER ACCOUNT MANAGEMENT POLICY Version Control Version Date Author(s) Details 1.1 23/03/2015 Yaw New Policy ICT User Account Management Policy 2 Contents 1. Preamble... 4 2. Terms and definitions...

More information

Introduction to Security

Introduction to Security 2 Introduction to Security : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l01, Steve/Courses/2013/s2/its335/lectures/intro.tex,

More information

Electronic Payment Schemes Guidelines

Electronic Payment Schemes Guidelines BANK OF TANZANIA Electronic Payment Schemes Guidelines Bank of Tanzania May 2007 Bank of Tanzania- Electronic Payment Schemes and Products Guidleness page 1 Bank of Tanzania, 10 Mirambo Street, Dar es

More information

ETSI TR 101 303 V1.1.2 (2001-12)

ETSI TR 101 303 V1.1.2 (2001-12) TR 101 303 V1.1.2 (2001-12) Technical Report Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 3; Requirements definition study; Introduction to service and network

More information

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services IPTV security

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services IPTV security International Telecommunication Union ITU-T X.1198 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (06/2013) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services

More information

Policy for the Acceptable Use of Information Technology Resources

Policy for the Acceptable Use of Information Technology Resources Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...

More information

Network Security. Introduction. Security services. Players. Conclusions. Distributed information Distributed processing Remote smart systems access

Network Security. Introduction. Security services. Players. Conclusions. Distributed information Distributed processing Remote smart systems access Roadmap Introduction Network services X.800 RFC 2828 Players Marco Carli Conclusions 2 Once.. now: Centralized information Centralized processing Remote terminal access Distributed information Distributed

More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

CS 203 / NetSys 240. Network Security

CS 203 / NetSys 240. Network Security CS 203 / NetSys 240 Network Security Winter 2015 http://sconce.ics.uci.edu/203-w15/ 1 Contact Information Instructor: Gene Tsudik Email: gene.tsudik *AT* uci.edu Phone: (949) 824-43410 use only as the

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Excerpt of Cyber Security Policy/Standard S05-001. Information Security Standards

Excerpt of Cyber Security Policy/Standard S05-001. Information Security Standards Excerpt of Cyber Security Policy/Standard S05-001 Information Security Standards Issue Date: April 4, 2005 Publication Date: April 4, 2005 Revision Date: March 30, 2007 William F. Pelgrin Director New

More information

ETSI TS 102 778 V1.1.1 (2009-04) Technical Specification

ETSI TS 102 778 V1.1.1 (2009-04) Technical Specification TS 102 778 V1.1.1 (2009-04) Technical Specification Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; CMS Profile based on ISO 32000-1 2 TS 102 778 V1.1.1 (2009-04)

More information

Cyber-Ark Software and the PCI Data Security Standard

Cyber-Ark Software and the PCI Data Security Standard Cyber-Ark Software and the PCI Data Security Standard INTER-BUSINESS VAULT (IBV) The PCI DSS Cyber-Ark s View The Payment Card Industry Data Security Standard (PCI DSS) defines security measures to protect

More information

Certification Report

Certification Report Certification Report EAL 4 Evaluation of SecureDoc Disk Encryption Version 4.3C Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification

More information