LTE Security Agenda • • • • • Intro … … … … Intro • … The LTE System • Radio Side (LTE – Long Term Evolution/Evolved UTRAN EUTRAN) – Improvements in spectral efficiency, user throughput, latency – Simplification of the radio network – Efficient support of packet based services: Multicast, VoIP, etc. • Network Side (SAE – System Architecture Evolution/Evolved Packet Core - EPC) – Improvement in latency, capacity, throughput, idle to active transitions – Simplification of the core network – Optimization for IP traffic and services – Simplified support and handover to non-3GPP access technologies Overview of 3GPP LTE/SAE System eNodeB UE S1-MME MME HSS PCRF X2 eNodeB S-GW S1-U Evolved UTRAN(E-UTRAN) PDN-GW S5 Evolved Packet Core (EPC) • UE = User Equipment • MME = Mobility Management Entity, termination point in network for ciphering/integrity protection for NAS signaling, handles the security key management, authenticating users • S-GW = Serving Gateway • PDN-GW = PDN Gateway • PCRF = Policy Charging Rule Function Evolved Packet Core GW Capabilities • Serving GW functions include: – Local Mobility Anchor point for inter-eNodeB handover (i.e. GTP termination) – PMIP or GTP support towards PDN Gateway – Per flow QoS Policy Enforcement – Lawful Interception – Traffic Accounting • Both can be combined if there is a full mesh between base stations and GWs Serving GW MAC Security IP Tunnel OFDMA – Policy Enforcement (QoS, charging, mobility) – Per-user based packet filtering – Mobility anchoring for intra- and inter-3GPP mobility (requires GTP and MIP HA) – Charging Support – Lawful Interception IP Tunnel Layer 3 • PDN GW functions include: PDN GW Evolving Security Architecture Radio Controller Handset Authentication GSM Ciphering Handset Authentication + Ciphering GPRS Mutual Authentication 3G Ciphering + Signalling integrity Mutual Authentication SAE/LTE Ciphering + Radio signalling integrity Optional IPSec Core Signalling integrity Core Network SAE/LTE Security • Security implications: – – – – Flat architecture Interworking with legacy and non-3GPP networks eNB placement in untrusted locations Keep security breaches local • Result: – – – – Extended Authentication and Key Agreement More complex key hierarchy More complex interworking security Additional security for (home)eNB LTE/SAE architecture ME USIM AN HE SN = = = = = Mobile Equipment Universal Subscriber Identity Module Access Network Home Environment Serving Network • (I) Network access security: secure access to services, protect against attacks on (radio) access links • (II) Network domain security: enable nodes to securely exchange signaling data & user data (between AN/SN and within AN, protect against attacks wireline network • (III) User domain security: secure access to mobile stations • (IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messages Non-3GPP Access ME USIM AN HE SN • • • • • (I) Network access security (II) Network domain security (III) Non-3GPP domain security (IV) Application domain security (V) User domain security = = = = = Mobile Equipment Universal Subscriber Identity Module Access Network Home Environment Serving Network Network access security • • • • • User identity (and location) confidentiality Entity authentication Confidentiality Data integrity Mobile equipment identification The use of a SIM • Subscription Identification Module – SIM holds secret key Ki, Home network holds another – Used as Identity & Security key – IMSI is used as user identity • Benefits – Easy to get authentication from home network while in visited network without having to handle Ki Source: ETRI Network Access Protection • Authentication and key agreement – UMTS AKA re-used for SAE – SIM access to LTE explicitly excluded • Signaling protection – For core network (NAS) signaling, integrity and confidentiality protection terminates in MME (Mobile Management Entity) – For radio network (RRC) signaling, integrity and confidentiality protection terminates in eNodeB • User plane protection – Encryption terminates in eNodeB • Network domain security for network internal interfaces Authentication and Key Agreement • HSS generates authN data and provides it to MME • Challenge-response authN and key agreement between MME and UE Confidentiality and Integrity of Signaling • RRC signaling between UE and E-UTRAN • NAS signaling between UE and MME • S1 interface signaling (optional) protection not UEspecific User Plane Confidentiality • S1-U (optional) protection not UE-specific, based on IPsec • Integrity not protected Key Hierarchy in LTE/SAE • Cryptographic network separation – Authentication vectors specific to serving network Handovers without MME • Handovers possible between eNB’s (performance) • If keys are passed unmodified, compromised eNB compromises other eNB – One-way function before passing over – MME is involved after HO for further key passing Home eNodeB security threats • • • • • • • Compromise HeNB credentials Physical attack HeNB Configuration attack MitM attacks etc. DoS attacks etc. User data and privacy attacks Radio Resources and management attacks Home ENodeB security measures • • • • • • Mutual AuthN HeNB and home network Secure tunnel for backhaul Trusted environment inside HeNB Access Control OAM security mechanisms Hosting Party authentication (Hosting party Module) Network Domain Security • Enable nodes to securely exchange signaling data & user data – between Access Network and Serving Network and within Access Network • Protect against attacks on wireline network • No security in 2G core network • Now security is needed: – – – – IP used for signaling and user traffic Open and easily accessible protocols New service providers (content, data service, HLR) Network elements can be remote (eNB) Security Domains • Managed by single administrative authority • Border between security domains protected by Security Gateway (SEG) Security Gateway • Handle communication over Za interface (SEG-SEG) – AuthN/integrity mandatory, encryption recommended using IKEv1 or IKEv2 for negotiating, establishing and maintaining secure ESP tunnel • Handle communication over (optional) Zb interface (SEG- NE or NE-NE) – Implement ESP tunnel and IKEv1 or IKEv2 – ESP with AuthN, integrity, optional encryption • All traffic flows through SEG before leaving or entering security domain • Secure storage of long-term keys used for IKEv1 and IKEv2 • Hop-by-hop security (chained tunnels or hub-and-spoke) Security for Network Elements • Services – – – – • • • • Data integrity Data origin authentication Anti-replay Confidentiality (optional) Using IPsec ESP (Encapsulation Security Payload) Between SEGs: tunnel mode Key management: IKEv1 or IKEv2 Security associations from NE only to SEG or NE’s in own domain Trust validation with IPsec Trust validation for TLS User domain security • Secure access to mobile stations • Few slides Application domain security • The set of security features that enable applications in the user and in the provider domain to securely exchange messages. • Secure messaging between the USIM and the network (TS 22.048) • Slides about IMS, SIP IMS Security • Security/AuthN mechnism – Mutual AuthN using UMTS AKA – Typically implemented on UICC (ISIM application) – UMTS AKA integrated into HTTP digest (RFC3310) – NASS-IMS bundled AuthN – SIP Digest based AuthN – Access security with TLS Interworking with legacy network • Few slides about CDMA-3GPP interworking References • Principles, objectives and requirements – TS 33.120 Security principles and objectives – TS 21.133 Security threats and requirements • Architecture, mechanisms and algorithms – TS 33.102 Security architecture – TS 33.103 Integration guidelines – TS 33.105 Cryptographic algorithm requirements – TS 35.20x Access network algorithm specifications References • TS 33.210 v8.3.0: Network Domain Security: IP-layer (http://www.3gpp.org/ftp/Specs/archive/33_series/33.210/) • TS 33.310 V9.0.0: Network Domain Security: Authentication Framework http://www.3gpp.org/ftp/Specs/archive/33_series/33.310/ • TS 33.401 V9.0.0: SAE security architecture http://www.3gpp.org/ftp/Specs/archive/33_series/33.401/ • TS 33.402 V9.0.0: SAE security aspects of non 3GPP access http://www.3gpp.org/ftp/Specs/archive/33_series/33.402/ • TR 33.820 V8.1.0: Security of H(e)NB http://www.3gpp.org/ftp/Specs/archive/33_series/33.820/33820-810.zip • 3GPP TS 33.102 V8.3.0: Security architecture http://www.3gpp.org/ftp/Specs/archive/33_series/33.102/33102-830.zip Credits • Valterri Niemi (3GPP SA3 chair) Backup UMTS Authentication and Key Agreement (AKA) • Procedure to authenticate the user and establish pair of cipher and integrity between VLR/SGSN and USIM Source: ETRI X2 Routing and Handover Source ENB SGW Target ENB 30 ms Interruption Time Out of Order Packets Expect out of order packets around handover Interworking with UTRAN/GERAN • UE registered in both SGSN and MME • Keys may be mapped