Session 3: Lawful Interception

Transcription

1 Session 3: Lawful Interception Secure, verifiable and intelligible audit logs to support computer forensics in lawful interception 3 rd ETSI Security Workshop Elena de la Calle Vian Ministry of Industry SPAIN ETSI All rights reserved 3rd ETSI Security Workshop - Sophia-Antipolis, January 2008

2 Contents THE PROBLEM A SOLUTION APPROACH WORK IN PROGRESS IN SPAIN 3rd ETSI Security Workshop - Sophia-Antipolis, January

3 Contents THE PROBLEM A SOLUTION APPROACH WORK IN PROGRESS IN SPAIN 3rd ETSI Security Workshop - Sophia-Antipolis, January

4 The Greek telephone tapping case of , involved the illegal tapping of more than 100 mobile phones belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of the 2004 Summer Olympics in August 2004 and were removed in March 2005 without discovering the identity of the perpetrators rd ETSI Security Workshop - Sophia-Antipolis, January

5 We still don't know who committed this crime. A big reason is that the cellular provider bobbled its handling of some key log files. It also reflexively removed the rogue software, instead of letting it continue to run, tipping off the perpetrators that their intrusion had been detected and giving them a chance to run for cover. It s impossible to overstate the importance of logging 3rd ETSI Security Workshop - Sophia-Antipolis, January

6 ETSI TS Requirements of Law Enforcement Agencies In order to prevent or trace misuse of the technical functions integrated in the telecommunication installation enabling interception, any activation or application of these functions in relation to a given identity shall be fully recorded, including any activation or application caused by faulty or unauthorized input. The communication service provider shall ensure that the records are tamper-proof and only accessible to specific nominated staff. 3rd ETSI Security Workshop - Sophia-Antipolis, January

7 The challenges in log management Log Generation and Storage Many Log Sources Inconsistent Log Content Inconsistent Timestamps Inconsistent Log Formats. Log Protection Confidentiality Integrity Availability Log Analysis 3rd ETSI Security Workshop - Sophia-Antipolis, January

8 Meeting the challenges World Class Standards Prioritize log management appropriately throughout the organization Establish policies and procedures for log management. Create and maintain a secure log management infrastructure Provide adequate support for all staff with log management responsibilities. Establish standard log management operational processes 3rd ETSI Security Workshop - Sophia-Antipolis, January

9 Log Management Operational Processes Configure the log sources, including log generation, storage, and security Perform analysis of log data Initiate appropriate responses to identified events Manage the long-term storage of log data. 3rd ETSI Security Workshop - Sophia-Antipolis, January

10 Log security World Class Standards Limit access to log files. Avoid recording unneeded sensitive data. Protect archived log files. Secure the processes that generate the log entries. Configure each log source to behave appropriately when logging errors occur. Implement secure mechanisms for transporting log data from the system to the centralized log management servers, 3rd ETSI Security Workshop - Sophia-Antipolis, January

11 LOG security. Levels of protection Tamper evident Tamper resistant Tamper proof Cryptographic research in secure logging systems aims at building logs that are irrevocably tamper-evident. 3rd ETSI Security Workshop - Sophia-Antipolis, January

12 Contents THE PROBLEM A SOLUTION APPROACH WORK IN PROGRESS IN SPAIN 3rd ETSI Security Workshop - Sophia-Antipolis, January

13 PREVIOUS WORKS Syslog-Sign The Syslog-Sign IETF draft aims to add origin authentication, message integrity and features that would guarantee uniqueness of messages and continuity of the log stream. 3rd ETSI Security Workshop - Sophia-Antipolis, January

14 PREVIOUS WORKS Forward Integrity Forward Integrity (FI) is a property proposed by Bellare and Yee to be associated with logging systems. A logging system can be considered having the FI property if it contains information that is sufficient to confirm or rebuke allegations of log stream modification before the moment of system compromise. 3rd ETSI Security Workshop - Sophia-Antipolis, January

15 3rd ETSI Security Workshop - Sophia-Antipolis, January

16 PREVIOUS WORKS Secure Logs on Untrusted Systems Another scheme proposed by Schneier and Kelsey uses similar Forward Integrity authentication codes for verifying log entries, but also improves the design by building in payload encryption, verification hash chaining and the ability to allow semi-trusted parties to verify the logs. Semi-trusted party verification allows verification of the logs without exposing all log data and the original authentication key to the verifier. 3rd ETSI Security Workshop - Sophia-Antipolis, January

17 3rd ETSI Security Workshop - Sophia-Antipolis, January

18 3rd ETSI Security Workshop - Sophia-Antipolis, January

19 Conceptual guidelines available today Secure logging to ensure authenticity of log data Proposal such as reliable syslog or Schneier/Kelsey s are the only conceptual guidelines available today 3rd ETSI Security Workshop - Sophia-Antipolis, January

20 A software implementation LOGCRYPT Open source implementation of the Schneier and Kelsey system, adding several significant improvements. The most significant is the ability to use public key cryptography 3rd ETSI Security Workshop - Sophia-Antipolis, January

21 3rd ETSI Security Workshop - Sophia-Antipolis, January

22 3rd ETSI Security Workshop - Sophia-Antipolis, January

23 3rd ETSI Security Workshop - Sophia-Antipolis, January

24 A step further 3rd ETSI Security Workshop - Sophia-Antipolis, January

25 A Framework for Secure and Verifiable Logging in Public Communication Networks Our paper is motivated from the recently announced interception case in a mobile telecommunications provider in Greece.As the Greek authorities and the provider itself revealed, part of the core network of the provider was compromised by some unknown trojan-like program. According to published information, the malicious software infected the core network. Then, it activated the Lawful Interception (LI) component in the infected elements, which is by default installed in inactive mode, and made possible the call interception of several subscribers. The malicious program turned off several logging procedures in order not to alarm about its presence or the fact that the LI component had been activated. The underestimation of several security threats and vulnerabilities regarding logging procedures and mechanisms, did not allow the immediate detection of the incident 3rd ETSI Security Workshop - Sophia-Antipolis, January

26 Contents THE PROBLEM A SOLUTION APPROACH WORK IN PROGRESS IN SPAIN 3rd ETSI Security Workshop - Sophia-Antipolis, January

27 PILOT PROJECT The Spanish Ministry of Industry has promoted recently the setting of a test environment to test tools and protocols to help improving log security, verifiability and intelligibility. Cost effectiveness and operational issues are taken into account 3rd ETSI Security Workshop - Sophia-Antipolis, January

28 INTECO The National Communications Technology Institute (INTECO), promoted by the Ministry of Industry, Tourism and Trade, is a platform for the development of the Knowledge Society through projects in the innovation and technology area. 3rd ETSI Security Workshop - Sophia-Antipolis, January

29 The Security Technologies Show-Room for SME The Security Technologies Show-Room for SME offers free and detailed information about the methods that guarantee the security of It equipment in companies and other entities. This service is offered by INTECO and its main objectives are: Implementing different tests with security products. Promote the use of security technologies in Spanish SME s. Promote the international visibility of Spanish security technologies 3rd ETSI Security Workshop - Sophia-Antipolis, January

30 Hellenic Authority for the Assurance of Communications Security and Privacy (ADAE) The Hellenic Authority for the Information and Communication Security and Privacy (ADAE) has been established under article 1 of the law 3115/2003, following the guidelines set in paragraph 2 of the article 19 of the Greek Constitution, in order to protect the secrecy of mailing, the free correspondence or communication in any possible way as well as the security of networks and information. 3rd ETSI Security Workshop - Sophia-Antipolis, January

31 3rd ETSI Security Workshop - Sophia-Antipolis, January

32 3rd ETSI Security Workshop - Sophia-Antipolis, January

33 CONCLUSIONS Logging is a fundamental service in LI Logging security is still a challenge Spain and Greece are collaborating in a project to test and develop new tools and protocols for improving log security New WI DTR/LI Security framework in Lawful Interception and Retained Data environment 3rd ETSI Security Workshop - Sophia-Antipolis, January

34 MUCHAS GRACIAS! 3rd ETSI Security Workshop - Sophia-Antipolis, January