1 / 10

FMS/TR-069 File Download Security

S40-20090713-001. FMS/TR-069 File Download Security. Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder ( apg@qualcomm.com ) Yinian Mao ( yinianm@qualcomm.com ) Recommendation: Discuss and adopt. TR-069 Architecture. Managing CPE using remote ACS Layered Architecture.

alden-mcmahon
Download Presentation

FMS/TR-069 File Download Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. S40-20090713-001 FMS/TR-069 File Download Security Source: QUALCOMM IncorporatedContact(s): Anand Palanigounder (apg@qualcomm.com) Yinian Mao (yinianm@qualcomm.com) Recommendation: Discuss and adopt

  2. TR-069 Architecture • Managing CPE using remote ACS • Layered Architecture CPE/ACS Management Application RPC Methods SOAP HTTP SSL/TLS TCP

  3. TR-069 File Transfer • RPC methods define a mechanism to facilitate file downloads or (optionally) uploads • File Transfer protocols • Unicast: HTTP/HTTPS (mandatory), FTP, SFTP and TFTP • Multicast: FLUTE and DSM-CC • Download Options • (1) ACS initiated, providing location or file to be transferred • (2) CPE initiated, CPE first request, then follow (1) • (3) Initiated by an external event, e.g. announce firmware • (4) Signed Package Format for download

  4. TR-069 RPC “Download” • Used by the ACS to cause the CPE to download a specified file from the designated location. • Example Command arguments • CommandKey string(32) • FileType string(64): • 1-Firmware Upgrade Image, 2-Web Content, 3-Vendor Configuration File • URL string(256), FileSize unsignedInt • Username string(256), Password string(256) • This command can be issued by ACS over a secure channel (e.g., TLS) and/or using Signed Package Format (see later slide)

  5. File Transfer Connection Options • When File Transfer is Initiated During a Session • (1) The CPE MAY send the HTTP GET/PUT over the already established connection. • (2) The CPE MAY open a second connection over which to transfer the file, while maintaining the session to the ACS. • (3) The CPE MAY terminate the session to the ACS and then perform the transfer. • (2) & (3) are not necessarily HTTP based • Requirements for HTTP based transfer • CPE shall support TLS for (2) and (3), and use TLS when the download URL is HTTPS

  6. TR-069 Signed Package Format

  7. TR-069 Command Types

  8. TR-069 Signature Field • A content block using PKCS#7 format • Uses “SignedData” type in PKCS#7 • PKCS#7 typically have data and signature together • Data part can be empty, and the signature is for “external” content • certificates is a set of extended certificates in X.509 certificate format. The certificate can contain chain of trust. • Hash of payload included in commands An Example SignedData format: SignedData ::= SEQUENCE { version Version, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos }

  9. Conclusion • When the FMS is inside operator’s core network: • Many FMS-FAP operations can be secured using IPSec (between the FAP and SeGW) and the use of TLS for FAP-FMS interface • The FAP can download files from the FMS or from other locations indicated by the FMS • If file download location indicated is not inside of SeGW, then Signed Package format shall be used • When the FMS is outside operator’s core network • TLS shall be used for FAP – FMS operations • The FAP can download files from the FMS or from other locations indicated by the FMS • If location indicated is not inside of SeGW, then Signed Package format shall be used • If location indicated for file download is outside of SeGW, the following security requirements shall be met: • The downloaded file shall be in the Signed Package Format according to TR-069 Ammendment 2. • The signature field in the Signed Package Format shall contain at least one signature signed by a trusted entity, together with a certificate or a certificate chain that can be verified by the FAP. • The FAP shall verify both the certificate(s) and the signature of the downloaded file before taking any action using the file. • If signature verification fails, the FAP shall discard the downloaded file and report to FMS. • In order to provide additional security, it is proposed that WG4 also require the use of Signed Package Format even when the FMS/file download server is located inside operator’s network • This is required to prevent certain attacks – e.g., an attacker hacking into the FAP and installing unsigned software by making it appear as though the file is from a server inside operator’s network

  10. Proposal • Incorporate the conclusion/requirements for FMS/File Download security in the S.P0132-0

More Related