1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
3 .. Copyright 2017 AT&T Intellectual Property. All rights reserved.
8 The objective of this section is to provide the key security
9 requirements that need to be met by VNFs. The security requirements are
10 grouped into five areas as listed below. Other security areas will be
11 addressed in future updates. These security requirements are applicable
12 to all VNFs. Additional security requirements for specific types of VNFs
13 will be applicable and are outside the scope of these general
16 Section 5.a Security in *VNF Guidelines* outlines
17 the five broad security areas for VNFs that are detailed in the
20 - **VNF General Security**: This section addresses general security
21 requirements for the VNFs that the VNF provider will need to address.
23 - **VNF Identity and Access Management**: This section addresses
24 security requirements with respect to Identity and Access Management
25 as these pertain to generic VNFs.
27 - **VNF API Security**: This section addresses the generic security
28 requirements associated with APIs. These requirements are applicable
29 to those VNFs that use standard APIs for communication and data
32 - **VNF Security Analytics**: This section addresses the security
33 requirements associated with analytics for VNFs that deal with
34 monitoring, data collection and analysis.
36 - **VNF Data Protection**: This section addresses the security
37 requirements associated with data protection.
39 VNF General Security Requirements
40 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
42 This section provides details on the VNF general security requirements
43 on various security areas such as user access control, network security,
44 ACLs, infrastructure security, and vulnerability management. These
45 requirements cover topics associated with compliance, security patching,
46 logging/accounting, authentication, encryption, role-based access
47 control, least privilege access/authorization. The following security
48 requirements need to be met by the solution in a virtual environment:
50 General Security Requirements
52 Integration and operation within a robust security environment is necessary
53 and expected. The security architecture will include one or more of the
54 following: IDAM (Identity and Access Management) for all system and
55 applications access, Code scanning, network vulnerability scans, OS,
56 Database and application patching, malware detection and cleaning,
57 DDOS prevention, network security gateways (internal and external)
58 operating at various layers, host and application based tools for
59 security compliance validation, aggressive security patch application,
60 tightly controlled software distribution and change control processes
61 and other state of the art security solutions. The VNF is expected to
62 function reliably within such an environment and the developer is
63 expected to understand and accommodate such controls and can expected
64 to supply responsive interoperability support and testing throughout
65 the product’s lifecycle.
67 * R-23740 The VNF **MUST** accommodate the security principle of
68 “least privilege” during development, implementation and operation.
69 The importance of “least privilege” cannot be overstated and must be
70 observed in all aspects of VNF development and not limited to security.
71 This is applicable to all sections of this document.
72 * R-61354 The VNF **MUST** implement access control list for OA&M
73 services (e.g., restricting access to certain ports or applications).
74 * R-85633 The VNF **MUST** implement Data Storage Encryption
75 (database/disk encryption) for Sensitive Personal Information (SPI)
76 and other subscriber identifiable data. Note: subscriber’s SPI/data
77 must be encrypted at rest, and other subscriber identifiable data
78 should be encrypted at rest. Other data protection requirements exist
79 and should be well understood by the developer.
80 * R-92207 The VNF **SHOULD** implement a mechanism for automated and
81 frequent "system configuration (automated provisioning / closed loop)"
83 * R-23882 The VNF **SHOULD** be scanned using both network scanning
84 and application scanning security tools on all code, including underlying
85 OS and related configuration. Scan reports shall be provided. Remediation
86 roadmaps shall be made available for any findings.
87 * R-46986 The VNF **SHOULD** have source code scanned using scanning
88 tools (e.g., Fortify) and provide reports.
89 * R-55830 The VNF **MUST** distribute all production code from NCSP
90 internal sources only. No production code, libraries, OS images, etc.
91 shall be distributed from publically accessible depots.
92 * R-99771 The VNF **MUST** provide all code/configuration files in a
93 "Locked down" or hardened state or with documented recommendations for
94 such hardening. All unnecessary services will be disabled. VNF provider
95 default credentials, community strings and other such artifacts will be
96 removed or disclosed so that they can be modified or removed during
98 * R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of
99 traffic by application (dropping packets not belonging to the VPN) (i.e.,
100 AVPN, IPSec VPN for Internet routes).
101 * R-33981 The VNF **SHOULD** interoperate with various access control
102 mechanisms for the Network Cloud execution environment (e.g.,
103 Hypervisors, containers).
104 * R-40813 The VNF **SHOULD** support the use of virtual trusted platform
105 module, hypervisor security testing and standards scanning tools.
106 * R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
107 it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
108 routing and forwarding rules.
109 * R-26586 The VNF **SHOULD** support the ability to work with aliases
110 (e.g., gateways, proxies) to protect and encapsulate resources.
111 * R-49956 The VNF **MUST** pass all access to applications (Bearer,
112 signaling and OA&M) through various security tools and platforms from
113 ACLs, stateful firewalls and application layer gateways depending on
114 manner of deployment. The application is expected to function (and in
115 some cases, interwork) with these security tools.
116 * R-69649 The VNF **MUST** have all vulnerabilities patched as soon
117 as possible. Patching shall be controlled via change control process
118 with vulnerabilities disclosed along with mitigation recommendations.
119 * R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification,
120 authentication and access control of customer or VNF application users.
121 * R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with
122 the requirements if not using the NCSP’s IDAM API, for identification,
123 authentication and access control of OA&M and other system level
125 * R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support
126 User-IDs and passwords to uniquely identify the user/application. VNF
127 needs to have appropriate connectors to the Identity, Authentication
128 and Authorization systems that enables access at OS, Database and
129 Application levels as appropriate.
130 * R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide
131 the ability to support Multi-Factor Authentication (e.g., 1st factor =
132 Software token on device (RSA SecureID); 2nd factor = User Name+Password,
134 * R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support
135 Role-Based Access Control to permit/limit the user/application to
136 performing specific activities.
137 * R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support
138 logging via ONAP for a historical view of “who did what and when”.
139 * R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt
140 OA&M access (e.g., SSH, SFTP).
141 * R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce
142 a configurable maximum number of Login attempts policy for the users.
143 VNF provider must comply with "terminate idle sessions" policy.
144 Interactive sessions must be terminated, or a secure, locking screensaver
145 must be activated requiring authentication, after a configurable period
146 of inactivity. The system-based inactivity timeout for the enterprise
147 identity and access management system must also be configurable.
148 * R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
149 with the NCSP’s credential management policy.
150 * R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire
151 passwords at regular configurable intervals.
152 * R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
153 with "password complexity" policy. When passwords are used, they shall
154 be complex and shall at least meet the following password construction
155 requirements: (1) be a minimum configurable number of characters in
156 length, (2) include 3 of the 4 following types of characters:
157 upper-case alphabetic, lower-case alphabetic, numeric, and special,
158 (3) not be the same as the UserID with which they are associated or
159 other common strings as specified by the environment, (4) not contain
160 repeating or sequential characters or numbers, (5) not to use special
161 characters that may have command functions, and (6) new passwords must
162 not contain sequences of three or more characters from the previous
164 * R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
165 with "password changes (includes default passwords)" policy. Products
166 will support password aging, syntax and other credential management
167 practices on a configurable basis.
168 * R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support
169 use of common third party authentication and authorization tools such
171 * R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
172 with "No Self-Signed Certificates" policy. Self-signed certificates
173 must be used for encryption only, using specified and approved
174 encryption protocols such as TLS 1.2 or higher or equivalent security
175 protocols such as IPSec, AES.
176 * R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API,
177 authenticate system to system communications where one system
178 accesses the resources of another system, and must never conceal
179 individual accountability.
181 VNF Identity and Access Management Requirements
182 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
184 The following security requirements for logging, identity, and access
185 management need to be met by the solution in a virtual environment:
188 Identity and Access Management Requirements
190 * R-95105 The VNF **MUST** host connectors for access to the application
192 * R-45496 The VNF **MUST** host connectors for access to the OS
193 (Operating System) layer.
194 * R-05470 The VNF **MUST** host connectors for access to the database layer.
195 * R-99174 The VNF **MUST** comply with Individual Accountability
196 (each person must be assigned a unique ID) when persons or non-person
197 entities access VNFs.
198 * R-42874 The VNF **MUST** comply with Least Privilege (no more
199 privilege than required to perform job functions) when persons
200 or non-person entities access VNFs.
201 * R-71787 The VNF **MUST** comply with Segregation of Duties (access to a
202 single layer and no developer may access production without special
203 oversight) when persons or non-person entities access VNFs.
204 * R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely.
205 * R-49945 The VNF **MUST** authorize VNF provider access through a
206 client application API by the client application owner and the resource
207 owner of the VNF before provisioning authorization through Role Based
208 Access Control (RBAC), Attribute Based Access Control (ABAC), or other
209 policy based mechanism.
210 * R-31751 The VNF **MUST** subject VNF provider access to privilege
211 reconciliation tools to prevent access creep and ensure correct
212 enforcement of access policies.
213 * R-34552 The VNF **MUST** provide or support the Identity and Access
214 Management (IDAM) based threat detection data for OWASP Top 10.
215 * R-29301 The VNF **MUST** provide or support the Identity and Access
216 Management (IDAM) based threat detection data for Password Attacks.
217 * R-72243 The VNF **MUST** provide or support the Identity and Access
218 Management (IDAM) based threat detection data for Phishing / SMishing.
219 * R-58998 The VNF **MUST** provide or support the Identity and Access
220 Management (IDAM) based threat detection data for Malware (Key Logger).
221 * R-14025 The VNF **MUST** provide or support the Identity and Access
222 Management (IDAM) based threat detection data for Session Hijacking.
223 * R-31412 The VNF **MUST** provide or support the Identity and Access
224 Management (IDAM) based threat detection data for XSS / CSRF.
225 * R-51883 The VNF **MUST** provide or support the Identity and Access
226 Management (IDAM) based threat detection data for Replay.
227 * R-44032 The VNF **MUST** provide or support the Identity and Access
228 Management (IDAM) based threat detection data for Man in the Middle (MITM).
229 * R-58977 The VNF **MUST** provide or support the Identity and Access
230 Management (IDAM) based threat detection data for Eavesdropping.
231 * R-24825 The VNF **MUST** provide Context awareness data (device,
232 location, time, etc.) and be able to integrate with threat detection system.
233 * R-59391 The VNF provider **MUST**, where a VNF provider requires
234 the assumption of permissions, such as root or administrator, first
235 log in under their individual user login ID then switch to the other
236 higher level account; or where the individual user login is infeasible,
237 must login with an account with admin privileges in a way that
238 uniquely identifies the individual performing the function.
239 * R-85028 The VNF **MUST** authenticate system to system access and
240 do not conceal a VNF provider user’s individual accountability for
242 * R-80335 The VNF **MUST** make visible a Warning Notice: A formal
243 statement of resource intent, i.e., a warning notice, upon initial
244 access to a VNF provider user who accesses private internal networks
245 or Company computer resources, e.g., upon initial logon to an internal
246 web site, system or application which requires authentication.
247 * R-73541 The VNF **MUST** use access controls for VNFs and their
248 supporting computing systems at all times to restrict access to
249 authorized personnel only, e.g., least privilege. These controls
250 could include the use of system configuration or access control
252 * R-64503 The VNF **MUST** provide minimum privileges for initial
253 and default settings for new user accounts.
254 * R-86835 The VNF **MUST** set the default settings for user access
255 to sensitive commands and data to deny authorization.
256 * R-77157 The VNF **MUST** conform to approved request, workflow
257 authorization, and authorization provisioning requirements when
258 creating privileged users.
259 * R-81147 The VNF **MUST** have greater restrictions for access and
260 execution, such as up to 3 factors of authentication and restricted
261 authorization, for commands affecting network services, such as
262 commands relating to VNFs.
263 * R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2)
264 transmission of data on internal and external networks.
265 * R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
266 * R-15671 The VNF **MUST NOT** provide public or unrestricted access
267 to any data without the permission of the data owner. All data
268 classification and access controls must be followed.
269 * R-89753 The VNF **MUST NOT** install or use systems, tools or
270 utilities capable of capturing or logging data that was not created
271 by them or sent specifically to them in production, without
272 authorization of the VNF system owner.
273 * R-19082 The VNF **MUST NOT** run security testing tools and
274 programs, e.g., password cracker, port scanners, hacking tools
275 in production, without authorization of the VNF system owner.
276 * R-19790 The VNF **MUST NOT** include authentication credentials
277 in security audit logs, even if encrypted.
278 * R-85419 The VNF **SHOULD** use REST APIs exposed to Client
279 Applications for the implementation of OAuth 2.0 Authorization
280 Code Grant and Client Credentials Grant, as the standard interface
282 * R-48080 The VNF **SHOULD** support SCEP (Simple Certificate
283 Enrollment Protocol).
286 VNF API Security Requirements
287 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
289 This section covers API security requirements when these are used by the
290 VNFs. Key security areas covered in API security are Access Control,
291 Authentication, Passwords, PKI Authentication Alarming, Anomaly
292 Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
293 Cryptography, Business continuity, Biometric Authentication,
294 Identification, Confidentiality and Integrity, and Denial of Service.
296 The solution in a virtual environment needs to meet the following API
297 security requirements:
302 * R-37608 The VNF **MUST** provide a mechanism to restrict access based
303 on the attributes of the VNF and the attributes of the subject.
304 * R-43884 The VNF **MUST** integrate with external authentication
305 and authorization services (e.g., IDAM).
306 * R-25878 The VNF **MUST** use certificates issued from publicly
307 recognized Certificate Authorities (CA) for the authentication process
308 where PKI-based authentication is used.
309 * R-19804 The VNF **MUST** validate the CA signature on the certificate,
310 ensure that the date is within the validity period of the certificate,
311 check the Certificate Revocation List (CRL), and recognize the identity
312 represented by the certificate where PKI-based authentication is used.
313 * R-47204 The VNF **MUST** protect the confidentiality and integrity of
314 data at rest and in transit from unauthorized access and modification.
315 * R-33488 The VNF **MUST** protect against all denial of service
316 attacks, both volumetric and non-volumetric, or integrate with external
317 denial of service protection tools.
318 * R-21652 The VNF **MUST** implement the following input validation
319 control: Check the size (length) of all input. Do not permit an amount
320 of input so great that it would cause the VNF to fail. Where the input
321 may be a file, the VNF API must enforce a size limit.
322 * R-54930 The VNF **MUST** implement the following input validation
323 control: Do not permit input that contains content or characters
324 inappropriate to the input expected by the design. Inappropriate input,
325 such as SQL insertions, may cause the system to execute undesirable
326 and unauthorized transactions against the database or allow other
327 inappropriate access to the internal network.
328 * R-21210 The VNF **MUST** implement the following input validation
329 control: Validate that any input file has a correct and valid
330 Multipurpose Internet Mail Extensions (MIME) type. Input files
331 should be tested for spoofed MIME types.
332 * R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs.
333 * R-87135 The VNF **MUST** comply with NIST standards and industry
334 best practices for all implementations of cryptography.
335 * R-02137 The VNF **MUST** implement all monitoring and logging as
336 described in the Security Analytics section.
337 * R-15659 The VNF **MUST** restrict changing the criticality level of
338 a system security alarm to administrator(s).
339 * R-19367 The VNF **MUST** monitor API invocation patterns to detect
340 anomalous access patterns that may represent fraudulent access or
341 other types of attacks, or integrate with tools that implement anomaly
343 * R-78066 The VNF **MUST** support requests for information from law
344 enforcement and government agencies.
347 VNF Security Analytics Requirements
348 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
350 This section covers VNF security analytics requirements that are mostly
351 applicable to security monitoring. The VNF Security Analytics cover the
352 collection and analysis of data following key areas of security
355 - Anti-virus software
365 - API based monitoring
367 - Detection and notification
369 - Resource exhaustion detection
371 - Proactive and scalable monitoring
373 - Mobility and guest VNF monitoring
375 - Closed loop monitoring
377 - Interfaces to management and orchestration
379 - Malformed packet detections
383 - Dynamic security control
385 - Dynamic load balancing
387 - Connection attempts to inactive ports (malicious port scanning)
389 The following requirements of security monitoring need to be met by the
390 solution in a virtual environment.
392 Security Analytics Requirements
394 * R-48470 The VNF **MUST** support Real-time detection and
395 notification of security events.
396 * R-22286 The VNF **MUST** support Integration functionality via
397 API/Syslog/SNMP to other functional modules in the network (e.g.,
398 PCRF, PCEF) that enable dynamic security control by blocking the
399 malicious traffic or malicious end users
400 * R-32636 The VNF **MUST** support API-based monitoring to take care of
401 the scenarios where the control interfaces are not exposed, or are
402 optimized and proprietary in nature.
403 * R-61648 The VNF **MUST** support event logging, formats, and delivery
404 tools to provide the required degree of event data to ONAP
405 * R-22367 The VNF **MUST** support detection of malformed packets due to
406 software misconfiguration or software vulnerability.
407 * R-31961 The VNF **MUST** support integrated DPI/monitoring functionality
408 as part of VNFs (e.g., PGW, MME).
409 * R-20912 The VNF **MUST** support alternative monitoring capabilities
410 when VNFs do not expose data or control traffic or use proprietary and
411 optimized protocols for inter VNF communication.
412 * R-73223 The VNF **MUST** support proactive monitoring to detect and
413 report the attacks on resources so that the VNFs and associated VMs can
414 be isolated, such as detection techniques for resource exhaustion, namely
415 OS resource attacks, CPU attacks, consumption of kernel memory, local
417 * R-58370 The VNF **MUST** coexist and operate normally with commercial
418 anti-virus software which shall produce alarms every time when there is a
420 * R-56920 The VNF **MUST** protect all security audit logs (including
421 API, OS and application-generated logs), security audit software, data,
422 and associated documentation from modification, or unauthorized viewing,
423 by standard OS access control mechanisms, by sending to a remote system,
425 * R-54520 The VNF **MUST** log successful and unsuccessful login attempts.
426 * R-55478 The VNF **MUST** log logoffs.
427 * R-08598 The VNF **MUST** log successful and unsuccessful changes to
429 * R-13344 The VNF **MUST** log starting and stopping of security
431 * R-07617 The VNF **MUST** log creating, removing, or changing the
432 inherent privilege level of users.
433 * R-94525 The VNF **MUST** log connections to a network listener of the
435 * R-31614 The VNF **MUST** log the field “event type” in the security
437 * R-97445 The VNF **MUST** log the field “date/time” in the security
439 * R-25547 The VNF **MUST** log the field “protocol” in the security audit logs.
440 * R-06413 The VNF **MUST** log the field “service or program used for
441 access” in the security audit logs.
442 * R-15325 The VNF **MUST** log the field “success/failure” in the
444 * R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs.
445 * R-04982 The VNF **MUST NOT** include an authentication credential,
446 e.g., password, in the security audit logs, even if encrypted.
447 * R-63330 The VNF **MUST** detect when the security audit log storage
448 medium is approaching capacity (configurable) and issue an alarm via
449 SMS or equivalent as to allow time for proper actions to be taken to
450 pre-empt loss of audit data.
451 * R-41252 The VNF **MUST** support the capability of online storage of
453 * R-41825 The VNF **MUST** activate security alarms automatically when
454 the following event is detected: configurable number of consecutive
455 unsuccessful login attempts
456 * R-43332 The VNF **MUST** activate security alarms automatically when
457 the following event is detected: successful modification of critical
458 system or application files
459 * R-74958 The VNF **MUST** activate security alarms automatically when
460 the following event is detected: unsuccessful attempts to gain permissions
461 or assume the identity of another user
462 * R-15884 The VNF **MUST** include the field “date” in the Security alarms
463 (where applicable and technically feasible).
464 * R-23957 The VNF **MUST** include the field “time” in the Security alarms
465 (where applicable and technically feasible).
466 * R-71842 The VNF **MUST** include the field “service or program used for
467 access” in the Security alarms (where applicable and technically feasible).
468 * R-57617 The VNF **MUST** include the field “success/failure” in the
469 Security alarms (where applicable and technically feasible).
470 * R-99730 The VNF **MUST** include the field “Login ID” in the Security
471 alarms (where applicable and technically feasible).
472 * R-29705 The VNF **MUST** restrict changing the criticality level of a
473 system security alarm to administrator(s).
474 * R-13627 The VNF **MUST** monitor API invocation patterns to detect
475 anomalous access patterns that may represent fraudulent access or other
476 types of attacks, or integrate with tools that implement anomaly and
478 * R-21819 The VNF **MUST** support requests for information from law
479 enforcement and government agencies.
480 * R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation
481 (without human intervention) for Known Threats with detection rate in low
483 * R-25094 The VNF **MUST** perform data capture for security functions.
484 * R-04492 The VNF **MUST** generate security audit logs that must be sent
485 to Security Analytics Tools for analysis.
486 * R-19219 The VNF **MUST** provide audit logs that include user ID, dates,
487 times for log-on and log-off, and terminal location at minimum.
488 * R-30932 The VNF **MUST** provide security audit logs including records
489 of successful and rejected system access data and other resource access
491 * R-54816 The VNF **MUST** support the storage of security audit logs
492 for agreed period of time for forensic analysis.
493 * R-57271 The VNF **MUST** provide the capability of generating security
494 audit logs by interacting with the operating system (OS) as appropriate.
495 * R-84160 The VNF **MUST** have security logging for VNFs and their
496 OSs be active from initialization. Audit logging includes automatic
497 routines to maintain activity records and cleanup programs to ensure
498 the integrity of the audit/logging systems.
500 VNF Data Protection Requirements
501 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
503 This section covers VNF data protection requirements that are mostly
504 applicable to security monitoring.
507 Data Protection Requirements
509 * R-58964 The VNF **MUST** provide the capability to restrict read
510 and write access to data.
511 * R-99112 The VNF **MUST** provide the capability to restrict access
512 to data to specific users.
513 * R-83227 The VNF **MUST** Provide the capability to encrypt data in
514 transit on a physical or virtual network.
515 * R-32641 The VNF **MUST** provide the capability to encrypt data on
517 * R-13151 The VNF **SHOULD** disable the paging of the data requiring
518 encryption, if possible, where the encryption of non-transient data is
519 required on a device for which the operating system performs paging to
520 virtual memory. If not possible to disable the paging of the data
521 requiring encryption, the virtual memory should be encrypted.
522 * R-93860 The VNF **MUST** provide the capability to integrate with an
523 external encryption service.
524 * R-73067 The VNF **MUST** use industry standard cryptographic algorithms
525 and standard modes of operations when implementing cryptography.
526 * R-22645 The VNF **SHOULD** use commercial algorithms only when there
527 are no applicable governmental standards for specific cryptographic
528 functions, e.g., public key cryptography, message digests.
529 * R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
530 Skipjack algorithms or other compromised encryption.
531 * R-02170 The VNF **MUST** use, whenever possible, standard implementations
532 of security applications, protocols, and format, e.g., S/MIME, TLS, SSH,
533 IPSec, X.509 digital certificates for cryptographic implementations.
534 These implementations must be purchased from reputable vendors and must
535 not be developed in-house.
536 * R-70933 The VNF **MUST** provide the ability to migrate to newer
537 versions of cryptographic algorithms and protocols with no impact.
538 * R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length.
539 * R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
540 * R-95864 The VNF **MUST** use commercial tools that comply with X.509
541 standards and produce x.509 compliant keys for public/private key generation.
542 * R-12110 The VNF **MUST NOT** use keys generated or derived from
543 predictable functions or values, e.g., values considered predictable
544 include user identity information, time of day, stored/transmitted data.
545 * R-52060 The VNF **MUST** provide the capability to configure encryption
546 algorithms or devices so that they comply with the laws of the jurisdiction
547 in which there are plans to use data encryption.
548 * R-69610 The VNF **MUST** provide the capability of using certificates
549 issued from a Certificate Authority not provided by the VNF provider.
550 * R-83500 The VNF **MUST** provide the capability of allowing certificate
551 renewal and revocation.
552 * R-29977 The VNF **MUST** provide the capability of testing the validity
553 of a digital certificate by validating the CA signature on the certificate.
554 * R-24359 The VNF **MUST** provide the capability of testing the validity
555 of a digital certificate by validating the date the certificate is being
556 used is within the validity period for the certificate.
557 * R-39604 The VNF **MUST** provide the capability of testing the
558 validity of a digital certificate by checking the Certificate Revocation
559 List (CRL) for the certificates of that type to ensure that the
560 certificate has not been revoked.
561 * R-75343 The VNF **MUST** provide the capability of testing the
562 validity of a digital certificate by recognizing the identity represented
563 by the certificate — the "distinguished name".