110 likes | 336 Views
S40-20090713-001. FMS/TR-069 File Download Security. Source: QUALCOMM Incorporated Contact(s): Anand Palanigounder ( apg@qualcomm.com ) Yinian Mao ( yinianm@qualcomm.com ) Recommendation: Discuss and adopt. TR-069 Architecture. Managing CPE using remote ACS Layered Architecture.
E N D
S40-20090713-001 FMS/TR-069 File Download Security Source: QUALCOMM IncorporatedContact(s): Anand Palanigounder (apg@qualcomm.com) Yinian Mao (yinianm@qualcomm.com) Recommendation: Discuss and adopt
TR-069 Architecture • Managing CPE using remote ACS • Layered Architecture CPE/ACS Management Application RPC Methods SOAP HTTP SSL/TLS TCP
TR-069 File Transfer • RPC methods define a mechanism to facilitate file downloads or (optionally) uploads • File Transfer protocols • Unicast: HTTP/HTTPS (mandatory), FTP, SFTP and TFTP • Multicast: FLUTE and DSM-CC • Download Options • (1) ACS initiated, providing location or file to be transferred • (2) CPE initiated, CPE first request, then follow (1) • (3) Initiated by an external event, e.g. announce firmware • (4) Signed Package Format for download
TR-069 RPC “Download” • Used by the ACS to cause the CPE to download a specified file from the designated location. • Example Command arguments • CommandKey string(32) • FileType string(64): • 1-Firmware Upgrade Image, 2-Web Content, 3-Vendor Configuration File • URL string(256), FileSize unsignedInt • Username string(256), Password string(256) • This command can be issued by ACS over a secure channel (e.g., TLS) and/or using Signed Package Format (see later slide)
File Transfer Connection Options • When File Transfer is Initiated During a Session • (1) The CPE MAY send the HTTP GET/PUT over the already established connection. • (2) The CPE MAY open a second connection over which to transfer the file, while maintaining the session to the ACS. • (3) The CPE MAY terminate the session to the ACS and then perform the transfer. • (2) & (3) are not necessarily HTTP based • Requirements for HTTP based transfer • CPE shall support TLS for (2) and (3), and use TLS when the download URL is HTTPS
TR-069 Signature Field • A content block using PKCS#7 format • Uses “SignedData” type in PKCS#7 • PKCS#7 typically have data and signature together • Data part can be empty, and the signature is for “external” content • certificates is a set of extended certificates in X.509 certificate format. The certificate can contain chain of trust. • Hash of payload included in commands An Example SignedData format: SignedData ::= SEQUENCE { version Version, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL, crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos }
Conclusion • When the FMS is inside operator’s core network: • Many FMS-FAP operations can be secured using IPSec (between the FAP and SeGW) and the use of TLS for FAP-FMS interface • The FAP can download files from the FMS or from other locations indicated by the FMS • If file download location indicated is not inside of SeGW, then Signed Package format shall be used • When the FMS is outside operator’s core network • TLS shall be used for FAP – FMS operations • The FAP can download files from the FMS or from other locations indicated by the FMS • If location indicated is not inside of SeGW, then Signed Package format shall be used • If location indicated for file download is outside of SeGW, the following security requirements shall be met: • The downloaded file shall be in the Signed Package Format according to TR-069 Ammendment 2. • The signature field in the Signed Package Format shall contain at least one signature signed by a trusted entity, together with a certificate or a certificate chain that can be verified by the FAP. • The FAP shall verify both the certificate(s) and the signature of the downloaded file before taking any action using the file. • If signature verification fails, the FAP shall discard the downloaded file and report to FMS. • In order to provide additional security, it is proposed that WG4 also require the use of Signed Package Format even when the FMS/file download server is located inside operator’s network • This is required to prevent certain attacks – e.g., an attacker hacking into the FAP and installing unsigned software by making it appear as though the file is from a server inside operator’s network
Proposal • Incorporate the conclusion/requirements for FMS/File Download security in the S.P0132-0