090911_KW-LTESecurity-VzW-01

advertisement
LTE Security
Agenda
•
•
•
•
•
Intro
…
…
…
…
Intro
• …
The LTE System
• Radio Side (LTE – Long Term
Evolution/Evolved UTRAN EUTRAN)
– Improvements in spectral
efficiency, user throughput,
latency
– Simplification of the radio
network
– Efficient support of packet based
services: Multicast,
VoIP, etc.
• Network Side (SAE – System
Architecture Evolution/Evolved
Packet Core - EPC)
– Improvement in latency, capacity,
throughput, idle to active
transitions
– Simplification of the core
network
– Optimization for IP traffic and
services
– Simplified support and handover
to non-3GPP access technologies
Overview of 3GPP LTE/SAE System
eNodeB
UE
S1-MME
MME
HSS
PCRF
X2
eNodeB
S-GW
S1-U
Evolved UTRAN(E-UTRAN)
PDN-GW
S5
Evolved Packet Core (EPC)
• UE = User Equipment
• MME = Mobility Management Entity, termination point in network for
ciphering/integrity protection for NAS signaling, handles the security key
management, authenticating users
• S-GW = Serving Gateway
• PDN-GW = PDN Gateway
• PCRF = Policy Charging Rule Function
Evolved Packet Core GW
Capabilities
• Serving GW functions include:
– Local Mobility Anchor point for inter-eNodeB handover
(i.e. GTP termination)
– PMIP or GTP support towards PDN Gateway
– Per flow QoS Policy Enforcement
– Lawful Interception
– Traffic Accounting
• Both can be combined if there is a full mesh
between base stations and GWs
Serving
GW
MAC
Security
IP Tunnel
OFDMA
– Policy Enforcement (QoS, charging, mobility)
– Per-user based packet filtering
– Mobility anchoring for intra- and inter-3GPP mobility
(requires GTP and MIP HA)
– Charging Support
– Lawful Interception
IP Tunnel
Layer 3
• PDN GW functions include:
PDN GW
Evolving Security Architecture
Radio Controller
Handset Authentication
GSM
Ciphering
Handset Authentication + Ciphering
GPRS
Mutual Authentication
3G
Ciphering + Signalling integrity
Mutual Authentication
SAE/LTE
Ciphering + Radio
signalling
integrity
Optional IPSec
Core Signalling integrity
Core Network
SAE/LTE Security
• Security implications:
–
–
–
–
Flat architecture
Interworking with legacy and non-3GPP networks
eNB placement in untrusted locations
Keep security breaches local
• Result:
–
–
–
–
Extended Authentication and Key Agreement
More complex key hierarchy
More complex interworking security
Additional security for (home)eNB
LTE/SAE architecture
ME
USIM
AN
HE
SN
=
=
=
=
=
Mobile Equipment
Universal Subscriber Identity Module
Access Network
Home Environment
Serving Network
• (I) Network access security: secure access to services, protect against
attacks on (radio) access links
• (II) Network domain security: enable nodes to securely exchange signaling
data & user data (between AN/SN and within AN, protect against attacks
wireline network
• (III) User domain security: secure access to mobile stations
• (IV) Application domain security: enable applications in the user and in the
provider domain to securely exchange messages
Non-3GPP Access
ME
USIM
AN
HE
SN
•
•
•
•
•
(I) Network access security
(II) Network domain security
(III) Non-3GPP domain security
(IV) Application domain security
(V) User domain security
=
=
=
=
=
Mobile Equipment
Universal Subscriber Identity Module
Access Network
Home Environment
Serving Network
Network access security
•
•
•
•
•
User identity (and location) confidentiality
Entity authentication
Confidentiality
Data integrity
Mobile equipment identification
The use of a SIM
• Subscription Identification Module
– SIM holds secret key Ki, Home network holds another
– Used as Identity & Security key
– IMSI is used as user identity
• Benefits
– Easy to get authentication from home network while in visited
network without having to handle Ki
Source: ETRI
Network Access Protection
• Authentication and key agreement
– UMTS AKA re-used for SAE
– SIM access to LTE explicitly excluded
• Signaling protection
– For core network (NAS) signaling, integrity and confidentiality
protection terminates in MME (Mobile Management Entity)
– For radio network (RRC) signaling, integrity and confidentiality
protection terminates in eNodeB
• User plane protection
– Encryption terminates in eNodeB
• Network domain security for network internal interfaces
Authentication and Key Agreement
• HSS generates authN data and provides it to MME
• Challenge-response authN and key agreement
between MME and UE
Confidentiality and Integrity of
Signaling
• RRC signaling between UE and E-UTRAN
• NAS signaling between UE and MME
• S1 interface signaling (optional) protection not UEspecific
User Plane Confidentiality
• S1-U (optional) protection not UE-specific,
based on IPsec
• Integrity not protected
Key Hierarchy in LTE/SAE
• Cryptographic network separation
– Authentication vectors specific to serving network
Handovers without MME
• Handovers possible between eNB’s
(performance)
• If keys are passed unmodified, compromised
eNB compromises other eNB
– One-way function before passing over
– MME is involved after HO for further key passing
Home eNodeB security threats
•
•
•
•
•
•
•
Compromise HeNB credentials
Physical attack HeNB
Configuration attack
MitM attacks etc.
DoS attacks etc.
User data and privacy attacks
Radio Resources and management attacks
Home ENodeB security measures
•
•
•
•
•
•
Mutual AuthN HeNB and home network
Secure tunnel for backhaul
Trusted environment inside HeNB
Access Control
OAM security mechanisms
Hosting Party authentication (Hosting party
Module)
Network Domain Security
• Enable nodes to securely exchange signaling data &
user data
– between Access Network and Serving Network and within
Access Network
• Protect against attacks on wireline network
• No security in 2G core network
• Now security is needed:
–
–
–
–
IP used for signaling and user traffic
Open and easily accessible protocols
New service providers (content, data service, HLR)
Network elements can be remote (eNB)
Security Domains
• Managed by single administrative authority
• Border between security domains protected
by Security Gateway (SEG)
Security Gateway
• Handle communication over Za interface (SEG-SEG)
– AuthN/integrity mandatory, encryption recommended using IKEv1 or
IKEv2 for negotiating, establishing and maintaining secure ESP tunnel
• Handle communication over (optional) Zb interface (SEG- NE
or NE-NE)
– Implement ESP tunnel and IKEv1 or IKEv2
– ESP with AuthN, integrity, optional encryption
• All traffic flows through SEG before leaving or entering
security domain
• Secure storage of long-term keys used for IKEv1 and IKEv2
• Hop-by-hop security (chained tunnels or hub-and-spoke)
Security for Network Elements
• Services
–
–
–
–
•
•
•
•
Data integrity
Data origin authentication
Anti-replay
Confidentiality (optional)
Using IPsec ESP (Encapsulation Security Payload)
Between SEGs: tunnel mode
Key management: IKEv1 or IKEv2
Security associations from NE only to SEG or NE’s in
own domain
Trust validation with IPsec
Trust validation for TLS
User domain security
• Secure access to mobile stations
• Few slides
Application domain security
• The set of security features that enable
applications in the user and in the provider
domain to securely exchange messages.
• Secure messaging between the USIM and the
network (TS 22.048)
• Slides about IMS, SIP
IMS Security
• Security/AuthN mechnism
– Mutual AuthN using UMTS AKA
– Typically implemented on UICC (ISIM application)
– UMTS AKA integrated into HTTP digest (RFC3310)
– NASS-IMS bundled AuthN
– SIP Digest based AuthN
– Access security with TLS
Interworking with legacy network
• Few slides about CDMA-3GPP interworking
References
• Principles, objectives and requirements
– TS 33.120 Security principles and objectives
– TS 21.133 Security threats and requirements
• Architecture, mechanisms and algorithms
– TS 33.102 Security architecture
– TS 33.103 Integration guidelines
– TS 33.105 Cryptographic algorithm requirements
– TS 35.20x Access network algorithm specifications
References
• TS 33.210 v8.3.0: Network Domain Security: IP-layer
(http://www.3gpp.org/ftp/Specs/archive/33_series/33.210/)
• TS 33.310 V9.0.0: Network Domain Security: Authentication Framework
http://www.3gpp.org/ftp/Specs/archive/33_series/33.310/
• TS 33.401 V9.0.0: SAE security architecture
http://www.3gpp.org/ftp/Specs/archive/33_series/33.401/
• TS 33.402 V9.0.0: SAE security aspects of non 3GPP access
http://www.3gpp.org/ftp/Specs/archive/33_series/33.402/
• TR 33.820 V8.1.0: Security of H(e)NB
http://www.3gpp.org/ftp/Specs/archive/33_series/33.820/33820-810.zip
• 3GPP TS 33.102 V8.3.0: Security architecture
http://www.3gpp.org/ftp/Specs/archive/33_series/33.102/33102-830.zip
Credits
• Valterri Niemi (3GPP SA3 chair)
Backup
UMTS Authentication and Key
Agreement (AKA)
• Procedure to authenticate the user and
establish pair of cipher and integrity between
VLR/SGSN and USIM
Source: ETRI
X2 Routing and Handover
Source
ENB
SGW
Target
ENB
30 ms
Interruption
Time
Out of Order
Packets
Expect out of order packets around handover
Interworking with UTRAN/GERAN
• UE registered in both SGSN and MME
• Keys may be mapped
Download