8 Security Requirements

3GPP TS 21.133: 3G security; Security threats and requirements

8.1 Requirements derived from threat analysis

This subclause gives a complete list of security requirements as derived from the threat analysis. They have not been ordered according to risk evaluation values. The threat or threats directly leading to the requirement or connected to the requirement are given in brackets for each entry.

8.1.1 Requirements on security of 3GPP services

8.1.1.1 Requirements on secure service access

R1a A valid USIM shall be required to access any 3G service except for emergency calls where the network should be allowed to decide whether or not emergency calls should be permitted without a USIM. (T7d, T9a,d)

R1b It shall be possible to prevent intruders from obtaining unauthorised access to 3G services by masquerading as authorised users. (T4a, T9a,c)

R1c It shall be possible for users to be able to verify that serving networks are authorised to offer 3G services on behalf of the user’s home environment at the start of, and during, service delivery. (T1c,e, T3c, T4a, T9b,c)

8.1.1.2 Requirements on secure service provision

R2a It shall be possible for service providers to authenticate users at the start of, and during, service delivery to prevent intruders from obtaining unauthorised access to 3G services by masquerade or misuse of priorities. (T4a, T8a, T9a,d)

R2b It shall be possible to detect and prevent the fraudulent use of services. Alarms will typically need to be raised to alert providers to security-related events. Audit logs of security-related events will also need to be produced. (T8a,b,c, T9d,e, T10a,b)

R2c It shall be possible to prevent the use of a particular USIM to access 3G services. (T9a,d, T10a)

R2d It shall be possible for a home environment to cause an immediate termination of all services provided to certain users, also those offered by serving networks. (T9a,d, T10a,b)

R2e It shall be possible for the serving network to be able to authenticate the origin of user traffic, signalling data and control data on radio interfaces. (T8a,b,c, T9c)

Note: It is assumed that user traffic contains sufficient redundancy such that a stream cipher provides a basic level of data origin authentication on the radio interfaces and that, if that is not sufficient and additional measures are required, the application should be aware and measures should be implemented at the application layer.

R2f It shall be possible to prevent intruders from restricting the availability of services by logical means. (T3b,c, T7e)

R2g There shall be a secure infrastructure between network operators, designed such that the need for HE trust in the SN for security functionality is minimised.

8.1.2 Requirements on system integrity

R3a It shall be possible to protect against unauthorised modification of user traffic. (T2a, T6a,c, T7b,c)

Note: It is assumed that user traffic contains sufficient redundancy such that a stream cipher provides a basic level of data integrity protection on the radio interfaces and that, if that is not sufficient and additional measures are required, the application should be aware and measures should be implemented at the application layer.
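The notes on R2e and R3a rest on the same assumption: a stream cipher by itself neither authenticates the origin of traffic nor protects its integrity, and only redundancy in the plaintext lets the receiver notice a modification. The following added example (not part of TS 21.133) illustrates that assumption and the application-layer measure the notes point to; the keystream generator, CRC-32 trailer, keys and message are all constructed here for illustration.

```python
import hashlib
import hmac
import zlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a stream cipher: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def add_crc(payload: bytes) -> bytes:
    # Plaintext redundancy of the kind the notes rely on: a CRC-32 trailer.
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_ok(data: bytes) -> bool:
    return zlib.crc32(data[:-4]).to_bytes(4, "big") == data[-4:]

def flip_bit(ciphertext: bytes, index: int) -> bytes:
    # One ciphertext bit changed in transit; XOR passes it straight into the plaintext.
    c = bytearray(ciphertext)
    c[index] ^= 0x01
    return bytes(c)

def demo(key: bytes, nonce: bytes, mac_key: bytes, msg: bytes) -> dict:
    # 1. Stream cipher alone: altered ciphertext decrypts to altered plaintext,
    #    and the receiver has nothing with which to notice it.
    plain = stream_xor(key, nonce, flip_bit(stream_xor(key, nonce, msg), 0))
    # 2. Redundancy inside the encrypted payload: the CRC no longer matches, so
    #    an untargeted change is noticed. This is the notes' "basic level" only;
    #    a linear check such as a CRC is not a keyed integrity mechanism.
    with_crc = stream_xor(key, nonce, flip_bit(stream_xor(key, nonce, add_crc(msg)), 0))
    # 3. Application-layer measure: a keyed MAC over nonce and plaintext,
    #    compared in constant time, rejects the change whatever the content.
    tag = hmac.new(mac_key, nonce + msg, hashlib.sha256).digest()
    got = stream_xor(key, nonce, flip_bit(stream_xor(key, nonce, msg), 0))
    mac_ok = hmac.compare_digest(hmac.new(mac_key, nonce + got, hashlib.sha256).digest(), tag)
    return {"silently_altered": plain != msg,
            "crc_detects": not crc_ok(with_crc),
            "mac_detects": not mac_ok}
```

Calling `demo(b"k" * 16, b"n" * 8, b"m" * 16, b"meter reading 0042")` returns all three flags as True: the bare stream cipher lets the change through unnoticed, the CRC trailer catches this untargeted change, and the keyed MAC rejects it.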

R3b It shall be possible to protect against unauthorised modification of certain signalling data and control data, particularly on radio interfaces. (T2b, T3b,c, T6b,c, T7a,b,c)

R3c It shall be possible to protect against unauthorised modification of user-related data downloaded to or stored in the terminal or in the USIM. (T6d,e, T6c, T10f,i)

R3d It shall be possible to protect against unauthorised modification of user-related data which is stored or processed by a provider. (T6c,f)

R3e It shall be possible to ensure that the origin and integrity of applications and/or data downloaded to the terminal and/or the UICC can be checked. It may also be necessary to ensure the confidentiality of downloaded applications and/or data. (T6c,d,e,f, T10e,f,i)

R3f It shall be possible to ensure the origin, integrity and freshness of authentication data, particularly of the cipher key on the radio interface. (T1a,b, T2b, T5c, T6c)

R3g It shall be possible to secure infrastructure between operators. (T5a,b,c, T6a,b,c, T7a,b,c, T9b,c)

8.1.3 Requirements on protection of personal data

8.1.3.1 Security of user-related transmitted data

R4a It shall be possible to protect the confidentiality of certain signalling data and control data, particularly on radio interfaces. (T1b,d, T5b,c,d)

R4b It shall be possible to protect the confidentiality of user traffic, particularly on radio interfaces. (T1a, T5a)

R4c It shall be possible to protect the confidentiality of user identity data, particularly on radio interfaces. (T1b,d, T3b, T5b,c,d,e)

R4d It shall be possible to protect the confidentiality of location data about users, particularly on radio interfaces. (T1b, T3b, T5b,c,d,e)

R4e It shall be possible to protect against the unwanted disclosure of location data for a user participating in a particular 3G service to other parties participating in the same 3G service. (T5f)

R4f It shall be possible for the user to check whether or not his user traffic and his call-related information are confidentiality protected. This should require minimal user activity. (T1a,b)

8.1.3.2 Security of user-related stored data

R5a It shall be possible to protect the confidentiality of user-related data which is stored or processed by a provider. (T5c,e)

R5b It shall be possible to protect the confidentiality of user-related data stored by the user in the terminal or in the USIM. (T10h,j)

8.1.4 Requirements on the terminal/USIM

8.1.4.1 USIM Security

R6a It shall be possible to control access to a USIM so that it can only be used to access 3G services by the subscriber to whom it was issued or by users explicitly authorised by that subscriber. (T10a, g)

R6b It shall be possible to control access to data in a USIM. For instance, some data may only be accessible by an authorised home environment. (T10h,j, k)

R6c It shall not be possible to access data in a USIM that is only intended to be used within the USIM, e.g. authentication keys and algorithms. (T10h,k)

8.1.4.2 Terminal Security

R7a It shall be possible to deter the theft of terminals. (T10a,c,d)

R7b It shall be possible to bar a particular terminal from accessing 3G services. (T10a,c,d)

R7c It shall be difficult to change the identity of a terminal to circumvent measures taken to bar a particular terminal from accessing 3G services. (T10a,c,d)

8.2 External requirements

8.2.1 Regulator requirements

8.2.1.1 Lawful interception

R8a It shall be possible for law enforcement agencies to monitor and intercept every call and call attempt, and other service or call related user actions, in accordance with national laws. This shall apply to devices and/or via interfaces placed by the serving networks or home environments at the disposal of the national law enforcement agencies according to national law, and intended solely for lawful interception purposes. (Derived from Security Principles and Objectives [1]).

Annex A (Informative): Threats linked to active attacks on the radio access link

The success of digital mobile communication systems attracts greater interest from fraudsters, especially as the opportunities for attacking other systems are dwindling. It can therefore be expected that fraudsters will invest more in complex equipment, which may make new active attacks more of a concern. This annex focuses on active attacks in which an attacker manipulates signalling on the radio interface or masquerades as a network element in order to mount various forms of attack (so-called "False Base Station" attacks).

This annex analyses a number of threats related to these types of attacks. Extensive analyses have been made of these and similar threats in the baseline document "Countermeasures to active attacks on the radio access link" (see references).