Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

LTE Security Architecture Fundamentals

3GPP/LTE Security
Session #2: LTE
Security Architecture
Fundamentals
Klaas Wierenga
Consulting Engineer, Corporate Development
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
1
Agenda
 Introduction
 Network access security
 Network domain security
 Summary
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
2
INTRO
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
3
Recap session 1
 Crypto can be used to provide confidentiality and integrity
between 2 entities
 3GPP confidentiality: AES-128-CTR, SNOW 3G
 3GPP integrity: EIA2 (AES-CMAC), EIA1 (SNOW 3G-GMAC)
 Key usage needs to be limited
 Access
 Validity
 Context
 Key derivation is used to achieve separation
 Purpose (integrity, confidentiality)
 Identity (network element A, network element B)
 Public key certificates issued by a CA to set up trust between
entities
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
4
Overview of 3GPP LTE/SAE System
eNodeB
UE
S1-MME
MME
HSS
PCRF
X2
eNodeB
S-GW
S1-U
Evolved UTRAN(E-UTRAN)
PDN-GW
S5
Evolved Packet Core (EPC)
• UE = User Equipment
• MME = Mobility Management Entity
• S-GW = Serving Gateway
• PDN-GW = PDN Gateway
• PCRF = Policy Charging Rule Function
• HSS = Home Subscriber Server
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
5
LTE/SAE Security
 Security implications:
 Flat architecture (all radio protocols terminate in eNB, eNB ‘speaks’ IP)
 Interworking with legacy and non-3GPP networks
 eNB placement in untrusted locations
 Keep security breaches local
 Result:
 Extended Authentication and Key Agreement
 More complex key hierarchy
 More complex interworking security
 Additional security for HeNB
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
6
Evolving Security Architecture
Radio Controller
Core Network
Handset Authentication
GSM
Ciphering
Handset Authentication + Ciphering
GPRS
Mutual Authentication
3G
Ciphering + Signalling integrity
Mutual Authentication
SAE/LTE
Ciphering + Radio
signalling
integrity
Optional IPSec
Core Signalling integrity
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
7
LTE/SAE security architecture
Source: TS 33.401
ME
USIM
AN
HE
SN
=
=
=
=
=
Mobile Equipment
Universal Subscriber Identity Module
Access Network
Home Environment
Serving Network
 (I) Network access security: secure access to services, protect against attacks on
(radio) access links
 (II) Network domain security: enable nodes to securely exchange signaling data &
user data (between HN/SN and within SN, protect against attacks wireline network
 (III) User domain security: secure access to mobile stations
 (IV) Application domain security: enable applications in the user and in the
provider domain to securely exchange messages
 This session: Network Access and Network Domain security
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
8
NETWORK ACCESS SECURITY
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
9
Network access security
 User identity (and location) confidentiality
 Entity authentication
 Confidentiality
 Data integrity
 Mobile equipment identification
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
10
The use of a SIM
 Subscription Identification Module
 SIM holds secret key Ki, Home network holds another
 Used as Identity & Security key
 IMSI is used as user identity
 Benefits
 Easy to get authentication from home network while in visited network without
having to handle Ki
Source: ETRI
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
11
Authentication and Key Agreement
 UMTS AKA re-used for SAE (providing UE and HE with CK and IK)
 HSS generates authentication data and provides it to MME (challenge,
response, K ASME)
 Challenge-response authentication and key agreement between MME
and UE
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
12
Confidentiality and Integrity of Signaling
 RRC signaling between UE and E-UTRAN
 NAS signaling between UE and MME
 S1 (and X2) interface signaling (optional) protection not UE-specific
 For core network (NAS) signaling, integrity and confidentiality protection
terminates in MME (Mobile Management Entity)
 For radio network (RRC) signaling, integrity and confidentiality protection
terminates in eNodeB
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
13
User Plane Confidentiality
 Encryption terminates in eNodeB
 S1-U (optional) protection not UE-specific, based on
IPsec
 Integrity not protected over air interface
 Overhead with small packets
 Integrity protected at higher layers (e.g. IMS media security)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
14
Summary confidentiality and integrity
from the UE perspective
Confidentiality
Integrity
NAS Signaling
Required and
terminated in MME
Required and
terminated in MME
RRC
Required and
terminated in eNB
Required and
terminated in eNB
UP
Required and
terminated in eNB
Not required
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
15
Trust establishment between UE and SN
eNodeB
S1MME
HSS
MME
PCRF
PCRF
HSS
MME
X2
eNodeB
UE
S-GW
PDNGW
PDN-GW
S-GW
S5
S1-U
S8
K ASME (CK,IK,SN Id)
K NASenc, K NASint (K ASME)
K eNB (K ASME)
K UPenc, K RRCint, K RRCenc
(K EnB)
• Trust exists between
• UE and Home Network
• Home Network and Serving Network
• Needed: between UE and Serving Network
• Derived keys are being ‘passed down’
• e.g. K ASME: HE -> MME, K eNB: MME -> eNB
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
16
Key Hierarchy in LTE/SAE
Source: TS 33.401
 Cryptographic network separation
 Authentication vectors specific to serving network
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
17
Key derivation for network nodes
Source: TS 33.401
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
18
eNB handovers
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
19
eNB handovers
Source: TS 36.300
 Need to compute a new K eNB
 With Backward Security (new eNB can not construct old key) and Forward
Security (old eNB can not construct new key)
 UE and MME derive key NH (Next Hop) that serves as root for new K eNB
derivation (i.e. Forward Security), NCC (NH Chaining Counter) is a counter that
increases after every NH derivation
 MME sends {NH, NCC} to target eNB
 Target eNB sends NCC to UE in handover message
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
20
Target eNB key derivation
 Intra eNB
 No MME involvement -> no {NH, NCC} pair available, unless
already there, so eNB needs to compute the new key
 X2 handover
 eNB hands over to new eNB and after that sends S1 PATH
SWITCH REQUEST to the MME
 MME computes fresh {NH, NCC} and sends it to the target
eNB (too late for current handover)
 eNB needs to compute new key
 S1 handover
 MME computes fresh {NH, NCC} and sends it to target eNB
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
21
K eNodeB derivation and handovers
Source: TS 33.401
 Handovers without MME involvement: horizontal
 Backward security through one-way function (old eNB, physical cell-id, freq)
 Handovers with MME involvement: vertical
 Forward security after handover (rekeying) for X2
 Forward security immediately for S1
 NAS uplink count
 to prevent same key being derived every time when switching back
and forth between MME’s
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
22
Key derivation for ME
Source: TS 33.401
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
23
Home eNodeB security threats & measures
SECURITY THREATS
SECURITY MEASURES

Compromise HeNB credentials

Mutual AuthN HeNB and home network

Physical attack HeNB

Secure tunnel for backhaul

Configuration attack

Trusted environment inside HeNB

MitM attacks etc.

Access Control

DoS attacks etc.


User data and privacy attacks
Operations, Administration & Maintenance
security mechanisms

Radio Resources and management
attacks

Hosting Party authentication (Hosting Party
Module, e.g. TPM)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
24
NETWORK DOMAIN SECURITY
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
25
Network Domain Security
 Enable nodes to securely exchange signaling data & user data
 between Access Network and Serving Network, within Access
Network and between Security Domains
 Protect against attacks on wireline network
 No security in 2G core network
 Now security is needed:
 IP used for signaling and user traffic
 Open and easily accessible protocols
 New service providers (content, data service, HLR)
 Network elements can be remote (eNB)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
26
Security Domains
Source: TS 33.310
 Managed by single administrative authority
 Border between security domains protected by
Security Gateway (SEG)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
27
Security Gateway
 Handle communication over Za interface (SEG-SEG)
 AuthN/integrity mandatory, encryption recommended using IKEv1 or IKEv2
for negotiating, establishing and maintaining secure ESP tunnel
 Handle communication over (optional) Zb interface (SEG- NE or NE-NE)
 Implement ESP tunnel and IKEv1 or IKEv2
 ESP with AuthN, integrity, optional encryption
 Shall implement IKEv1 and IKEv2
 All traffic flows through SEG before leaving or entering security domain
 Secure storage of long-term keys used for IKEv1 and IKEv2
 Hop-by-hop security (chained tunnels or hub-and-spoke)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
28
Security for Network Elements
 Services
 Data integrity
 Data origin authentication
 Anti-replay
 Confidentiality (optional)
 Using IPsec ESP (Encapsulation Security Payload)
 Between SEGs: tunnel mode
 Between NE’s (X2, S1): optional ESP
 Key management:
 IKEv1: confidentiality (3DES-CBC/AES-CBC), integrity (SHA-1)
 IKEv2: confidentiality (3DES-CBC/AES-CBC), integrity (HMAC-SHA1-96)
 Security associations from NE only to SEG or NE’s in own domain (so no
direct SA between NE’s in different domains, always via SEG)
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
29
Trust validation with IPsec
Source: TS 33.310
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
30
Summary of this session
 Reviewed the LTE/SAE security architecture, including
confidentiality and integrity in the system
 Discussed Network Access Security
 Illustrated key hierarchy in LTE, and explained how key derivation
is accomplished by the network elements and ME
 Provided example of key derivation and exchange during
handover
 Discussed Network Domain Security and the trust model with
IPSec
See you in 2 weeks for the Final Session!
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
31
Possible topics for final session
 Cover any skipped items during this session
 In depth discussion on any previously discussed items
 Security interworking with other technologies (e.g.
untrusted access)?
 UE-USIM interaction?
 HeNB Security?
 Application Security?
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
32
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
33
References
 TS 21.133 Security threats and requirements
 TS 33.102 Security architecture
 TS 33.103 Integration guidelines
 TS 33.105 Cryptographic algorithm requirements
 TS 33.120 Security principles and objectives
 TS 33.210 Network Domain Security: IP-layer
 TS 33.310 Network Domain Security: Authentication
Framework
 TS 33.401 SAE security architecture
 TS 33.402 SAE security aspects of non 3GPP access
 TR 33.820 Security of H(e)NB
 TS 35.20x Access network algorithm specifications
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
34
Acknowledgement
 Valterri Niemi (3GPP SA3 chair) for some slides and
discussions
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
35
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
36
36
BACKUP
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
37
UMTS Authentication and Key
Agreement (AKA)
 Procedure to authenticate the user and establish pair
of cipher and integrity between VLR/SGSN and USIM
Source: ETRI
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
38
X2 Routing and Handover
Source
ENB
SGW
Target
ENB
30 ms
Interruption
Time
Out of Order
Packets
Expect out of order packets around handover
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
39
Non-3GPP Access
ME
USIM
AN
HE
SN





=
=
=
=
=
Mobile Equipment
Universal Subscriber Identity Module
Access Network
Home Environment
Serving Network
(I) Network access security
(II) Network domain security
(III) Non-3GPP domain security
(IV) Application domain security
(V) User domain security
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
40
Trust validation for TLS
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
41
USER DOMAIN SECURITY
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
42
User domain security
 Secure access to mobile stations
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
43
APPLICATION DOMAIN
SECURITY
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
44
Application domain security
 The set of security features that enable applications in
the user and in the provider domain to securely
exchange messages.
 Secure messaging between the USIM and the network
(TS 22.048)
 IMS
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
45
IMS Security
 Security/AuthN mechanisms
 Mutual AuthN using UMTS AKA
 Typically implemented on UICC (ISIM application)
 UMTS AKA integrated into HTTP digest (RFC3310)
 NASS-IMS bundled AuthN
 SIP Digest based AuthN
 Access security with TLS
 Media security
 Access medium independent
 Various proposals, work in progress
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
CISCO PROPRIETARY
46
Related documents
WWW+Internet+networking - Edulink
WWW+Internet+networking - Edulink
CCENT 640-822 ICND1 Exam Topics Review
CCENT 640-822 ICND1 Exam Topics Review
7 Survival Skills - 21st Century Schools
7 Survival Skills - 21st Century Schools
if not using preferred method of corporate MPLS circuits
if not using preferred method of corporate MPLS circuits
AIR-CAP3702E-EK910
AIR-CAP3702E-EK910
SPN-5300-K9
SPN-5300-K9
if not using preferred method of corporate MPLS circuits
if not using preferred method of corporate MPLS circuits
This PowerPoint primarily consists of the Target Indicators (TIs)
This PowerPoint primarily consists of the Target Indicators (TIs)
IoT EBC Deck - Cisco Communities
IoT EBC Deck - Cisco Communities
Download