Threat model and security requirements Sample Clauses

Threat model and security requirements. The security goals of the proposed protocol consist of two parts: authentication of the participants and secrecy of sensitive data. As in 5G-AKA, in the authentication of the participants we seek to provide the following: x Authentication between subscribers and HNs x Authentication between subscribers and SNs x Authentication between HNs and SNs As for the secrecy of sensitive data, we investigate the following properties: x & R Q ¿ G H Qf KWSE ALF iDn cOa sLe oWf a\c t iv Re/passive attacks x & R Q ¿ G H Qf SWU PLI iDn cOa sLe oWf a\c t iv Re/passive attacks x & R Q ¿ G H Qf WR2 La nDd OR 3 Li nWc a\s e oRf active/passive attacks x Confidentiality of USIM pre-shared key x Protection against unlinkability in case of active/passive attacks This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2020.30417 ▇. ▇▇▇▇▇▇▇, ▇. ▇▇▇▇▇▇▇▇▇▇▇▇, ▇. Yanikomeroglu: Preparation of Papers for IEEE Access (2020) The c R Q ¿ G H Q f ▇▇ ▇▇▇▇ FDa nOd LS UWP I\ a r eRthe same as 5G- AKA except that we consider both passive and active attacks. The third item considers the confidentiality of random numbers generated by the UE and the HN. Actually, these numbers replace the simple incremental counter, namely SQN, in 5G-AKA which is generated by the HN. The secrecy of SUPI and USIM Internal key aims to preserve the privacy of the end user. As for the features related to ability of the attacker, these can be summarized as follows: x The interface between the SN and HN are considered as a public channel in addition to the radio interface between the UE and SN. This means that an attacker can eavesdrop on all messages exchanged over these channels. x We consider an active attacker model, that is the attacker can inject a new message into a public channel or can save a message for future use. Since both the channels used in the protocol are public, the attacker can act as the HN, the SN or the UE. In practice, an active attacker could set up a fake base station to send and receive signaling messages and thereby impersonating SNs. x The attacker can request to run many instances of the protocol to investigate the interleaving attacks. The only limitation of the attacker is in accessing key materials. That is, the attacker has no access to the pre-shared key in USIM, the private key of the HN, or the private key of the SN. It is worth noting th...
View Source

Related to Threat model and security requirements

  • Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information and cyber security program, including safety, physical, and technical security and resiliency policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract and are at least equal to applicable best industry practices and standards (NIST 800-53).

  • Security Requirements 7.1 The Authority will review the Contractor’s Security Plan when submitted by the Contractor in accordance with the Schedule (Security Requirements and Plan) and at least annually thereafter.

  • New Hampshire Specific Data Security Requirements The Provider agrees to the following privacy and security standards from “the Minimum Standards for Privacy and Security of Student and Employee Data” from the New Hampshire Department of Education. Specifically, the Provider agrees to: (1) Limit system access to the types of transactions and functions that authorized users, such as students, parents, and LEA are permitted to execute; (2) Limit unsuccessful logon attempts; (3) Employ cryptographic mechanisms to protect the confidentiality of remote access sessions; (4) Authorize wireless access prior to allowing such connections; (5) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity; (6) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions; (7) Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; (8) Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services; (9) Enforce a minimum password complexity and change of characters when new passwords are created; (10) Perform maintenance on organizational systems; (11) Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance; (12) Ensure equipment removed for off-site maintenance is sanitized of any Student Data in accordance with NIST SP 800-88 Revision 1; (13) Protect (i.e., physically control and securely store) system media containing Student Data, both paper and digital; (14) Sanitize or destroy system media containing Student Data in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse; (15) Control access to media containing Student Data and maintain accountability for media during transport outside of controlled areas; (16) Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems; (17) Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems; (18) Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception); (19) Protect the confidentiality of Student Data at rest; (20) Identify, report, and correct system flaws in a timely manner; (21) Provide protection from malicious code (i.e. Antivirus and Antimalware) at designated locations within organizational systems; (22) Monitor system security alerts and advisories and take action in response; and (23) Update malicious code protection mechanisms when new releases are available.

  • Facility Requirements 1. Maintain wheelchair accessibility to program activities according to governing law, including the Americans With Disabilities Act (ADA), as applicable. 2. Provide service site(s) that will promote attainment of Contractor’s program objectives. Arrange the physical environment to support those activities. 3. Decrease program costs when possible by procuring items at no cost from County surplus stores and by accepting delivery of such items by County.

  • Federal Medicaid System Security Requirements Compliance Party shall provide a security plan, risk assessment, and security controls review document within three months of the start date of this Agreement (and update it annually thereafter) in order to support audit compliance with 45 CFR 95.621 subpart F, ADP System Security Requirements and Review Process.