5 Security Threats and Requirements

GISFI TR SP.108 V1.0.0 (2014-06)
Technical Report
Global ICT Standardisation Forum for India;
Technical Working Group Security and Privacy;
Security Testing - MME (Mobility Management Entity);
(Draft)
The present document has been developed within GISFI and may be further elaborated for the purposes of GISFI.
GISFI
GISFI office address
Suite 303, 3rd Floor, Tirupati Plaza, Plot No. 4, Sector 11, Dwarka, New Delhi 110075, India
Tel.: +91-11-47581800 Fax: +91-1147581801
Internet
http://www.gisfi.org
E-mail: [email protected]
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© 2014, GISFI
All rights reserved.
Contents
Foreword
Introduction
1 Scope
2 References
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Abbreviations
4 General
4.1. Functionality of the MME
4.2. Standards based network architecture showing the interfaces of MME
4.3. Protocols in MME
5 Security Threats and Requirements
5.1. General security requirements
5.2. Attacker Models
5.2.1 Inside Attacker
5.2.2. External Attacker
5.2.3. Hybrid Attacker
5.3 Security requirements from specifications
5.4 Threats and requirements from threats
5.4.1. Threats on an MME
5.4.2. Requirements for securing MME
Annex A: Heading levels in an annex
Annex B: Change history
Foreword
This Technical Report has been produced by GISFI.
The contents of the present document are subject to continuing work within the Technical Working Group
(TWG) and may change following formal TWG approval. Should the TWG modify the contents of the present
document, it will be re-released by the TWG with an identifying change of release date and an increase in
version number as follows:
Version x.y.z
where:
x the first digit shows the release to which the document belongs
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
The MME (Mobility Management Entity) is one of the core network elements of the LTE (Long Term Evolution) Evolved Packet Core (EPC) architecture. The MME handles a number of functions in the LTE architecture, so securing it is crucial for the network. The MME contains a lot of sensitive data which needs to be protected from exposure, as exposure might lead to compromise of the configuration of the MME platform and architecture. This document covers the various interfaces of an MME which are exposed to the network and how they communicate among themselves. The main focus of this document is on the threats posed to an MME through its exposed interfaces. The nature of the threats perceived from such interfaces and the security requirements of the MME are under study within the 3GPP SA3 work group. In this document, these threat scenarios have been studied, and the security requirements for the MME have been identified based on them.
1 Scope
3GPP LTE is a wireless communication standard providing high-speed data for mobile phones and other user devices. One of the key control nodes in the LTE EPC architecture is the MME, which is responsible for managing and tracking the User Equipment (UE) in idle mode and for paging procedures including retransmissions. It has a number of other responsibilities, including authentication of the user (by interacting with the Home Subscriber Server (HSS)), authorization of the UE with the Public Land Mobile Network (PLMN), implementing roaming restrictions, etc. Section 4 discusses the main assets and interfaces of an MME which are exposed to other network elements and need to be protected. Section 5 discusses the various threat models for an attack on an MME, the threat scenarios, and the requirements on an MME to protect against the identified threats.
2 References
The references below are available on the 3GPP website (checked as on 04th March 2014):
(http://www.3gpp.org/ftp/tsg_sa/wg3_security/TSGS3_74_Taipei/TdocList_2014-01-27_11h30.htm)
1. S3-140094 - Assets and external interfaces of MME
2. S3-140095 - Security threat and requirements with respect to internal attacks on MME
3. S3-140096 - Security threats of disclosure of sensitive information and security requirement on MME
4. S3-140097 - Security threats on MME from the compromised or misbehaving UE and related requirements
5. S3-140145 - SECAM MME attacker model
6. S3-140164 - Security threats and requirements on MME software package integrity and anti-virus
7. S3-140168 - Security threats and requirements on MME management and maintenance access
8. S3-140170 - Security threats and requirements on MME user account and password management
3 Definitions, symbols and abbreviations
3.1 Definitions
[Editor’s Note: To be filled]
3.2 Abbreviations
3GPP      3rd Generation Partnership Project
ASME      Access Security Management Entity
AuC       Authentication Centre
CA        Certificate Authority
CMP       Certificate Management Protocol
CK        Cipher Key
CP        Control Plane
eNB       Evolved Node B
enc       Encryption
EPC       Evolved Packet Core
ePDG      Evolved Packet Data Gateway
EPS       Evolved Packet System
ESP       Encapsulating Security Payload
GRX       GPRS Roaming eXchange Network
GTP-C     GPRS Tunnelling Protocol - Control
GW        Gateway
HeNB      Home eNB
HNB       Home Node B
HSS       Home Subscriber Server
IK        Integrity Key
IMS       IP Multimedia System
IMEI      International Mobile Equipment Identity
IMSI      International Mobile Subscriber Identity
int       Integrity
K         Key
LEA       Law Enforcement Agency
LI        Lawful Interception
LTE       Long Term Evolution
MME       Mobility Management Entity
NAS       Non Access Stratum
PCRF      Policy and Charging Rules Function
PDN       Packet Data Network
PKI       Public Key Infrastructure
PLMN      Public Land Mobile Network
RRC       Radio Resource Control
SAE       System Architecture Evolution
SEG       Security Gateway
SeGW      Security Gateway
Serv.GW   Serving Gateway
UMTS      Universal Mobile Telecommunication System
UP        User Plane
USIM      UMTS Subscriber Identity Module
4 General
This section describes the functionality of the MME from a standards as well as a practical perspective.
4.1. Functionality of the MME
[Editor’s Note: To be filled with functionality of MME from standard]
4.2. Standards based network architecture showing the interfaces of MME
[Editor’s Note: To be filled with standard based network architecture showing MME interfaces from standard]
4.3. Protocols in MME
[Editor’s Note: To be filled with the protocols used in MME interfaces]
5 Security Threats and Requirements
This section will discuss the security threats and requirements of the MME as per applicable 3GPP standards.
5.1. General security requirements
[Editor’s Note: To be filled with general security requirements from standard]
5.2. Attacker Models
5.2.1 Inside Attacker
An inside attacker is one who has privileged access to the target MME. There are various methods by which an inside attacker can target the MME [5]:
• Access and modify configuration files
• Access and modify subscriber data
• Access and modify log files
• Modify software, firmware and OS
• Replace MME functionality with the attacker’s modified functionality
• Make physical modifications to the hardware (e.g. splitters), etc.
Some conceived attack scenarios for inside attackers are as follows:
• Attacks during the manufacturing process of the MME (e.g. backdoors, rootkits)
• Attacks on MME connections and interfaces within the core network components (e.g. S6a interface to HSS)
• Attacks by authorized and authenticated personnel with access and permission to modify the MME configuration and data.
From the above it can be concluded that attacks from inside cannot be countered. We can only try to specify the access of the various personnel sufficiently so that such incidents can be isolated in a timely manner, using various countermeasures for protection and detection (e.g. access control on the interfaces and logging mechanisms for configuration changes).
5.2.2. External Attacker
External attackers are those who don’t have privileged access to the target. Any attacks in such scenarios are made via the exposed interfaces of the MME covered in the earlier section. The approach of such an attacker varies with every individual, based on interface vulnerabilities and access to the MME.
5.2.3. Hybrid Attacker
An attacker can combine the two kinds of attack to mount a more effective one, for example by bribing or blackmailing people on the inside and using them to gain access from the outside. As with any inside attack, it is not possible to protect against such attacks except by properly vetting the personnel in the management.
5.3 Security requirements from specifications
[Editor’s Note: To be filled with general security requirements from standard]
5.4 Threats and requirements from threats
5.4.1. Threats on an MME
Protocol/Network based attacks
T1. Internal Attacks [2]
An employee having internal access to the network misuses his privileges to attack the MME, either intentionally or under coercion. Such an employee poses a serious threat to the MME data and/or configuration.
T2. Sensitive Information Disclosure [3]
The MME stores a lot of sensitive information which, if available to the attacker, can lead to access violations, failed authentication, fake signaling, etc. All such sensitive information, like the communication keys (i.e. KNASenc, KNASint, KeNB) and the administrator password on the MME, needs to be protected from such tampering by using effective encryption techniques.
T3. Compromised/Misbehaving UE [4]
The attacker can use a UE or a number of compromised UEs to gain access to one MME at the same time, thus draining all its resources and effectively blocking the MME. The same can also be done by using a fuzzing engine to send attach/detach requests to the MME, disrupting the MME service. This leads to loss of service or a degraded service for a legitimate user.
OAM based Attacks
T4. Software package integrity and anti-virus [6]
Software packages/upgrades which are installed in an MME may contain harmful viruses, tampered code, malware or other such attack vectors. Using such tampered packages can make the LTE core network vulnerable to attacks and information leakage.
T5. MME management and maintenance [7]
If an attacker can gain unauthorized access to the MME, then he can control all the sensitive information, including user and system data. He can also use it to gain access to other core network elements, thus compromising the whole network.
T6. User account and password management [8]
Like any other password protected system, the MME user account and password policy needs to be made secure from the various common threats, like:
• Default user password may be leaked to gain low privileged access.
• Low strength of user password
• Brute force attack
• Secure storage for passwords using encryption.
• Multiple login conflicts and configuration collisions
5.4.2. Requirements for securing MME
Protocol/Network based attacks
R1. Internal Attacks [2]
Such an attack cannot be stopped but steps can be taken to mitigate the damage.
• Using strong and unique authentication mechanisms
• Effective logging and auditing of users and configuration changes in MME
R2. Sensitive Information Disclosure [3]
To protect such sensitive information in the MME the following requirements have been identified:
• The keys should be physically protected in a secure environment with authorized access
• They should be encrypted when stored in files on the MME
• The password should not be transmitted or stored as clear text values.
R3. Compromised/Misbehaving UE [4]
To protect the MME from such threats:
• MME should implement effective signal congestion prevention techniques.
• It should include functionality to detect such misbehaving UEs and take preventive action.
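One way to realise the detection half of R3, shown as an added example that is not part of the GISFI report or of any MME product: a per-UE sliding-window counter over attach/detach requests. The log line format, the window length, the request budget and the choice of IMSI as the UE key are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0          # assumed sliding-window length
MAX_REQUESTS_PER_WINDOW = 5    # assumed per-UE budget inside one window
TRACKED = {"ATTACH_REQUEST", "DETACH_REQUEST"}

def build_sample_log():
    """Constructed log lines: '<epoch seconds> imsi=<IMSI> msg=<NAS message>'."""
    lines = ["1000.0 imsi=001010000000001 msg=ATTACH_REQUEST",   # well-behaved UE
             "1040.0 imsi=001010000000001 msg=DETACH_REQUEST",
             "garbage line without fields"]                      # malformed input
    for i in range(8):   # misbehaving UE: attach/detach every 0.5 s
        msg = "ATTACH_REQUEST" if i % 2 == 0 else "DETACH_REQUEST"
        lines.append(f"{1001.0 + 0.5 * i} imsi=001010000000002 msg={msg}")
    for i in range(6):   # busy but acceptable UE: one request every 12 s
        lines.append(f"{1000.5 + 12 * i} imsi=001010000000003 msg=ATTACH_REQUEST")
    return lines

def parse_line(line):
    """Return (timestamp, imsi, msg), or None for a malformed line."""
    parts = line.split()
    if (len(parts) != 3 or not parts[1].startswith("imsi=")
            or not parts[2].startswith("msg=")):
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1][5:], parts[2][4:]

def detect_misbehaving_ues(lines, window=WINDOW_SECONDS,
                           limit=MAX_REQUESTS_PER_WINDOW):
    """Return {imsi: timestamp at which the UE first exceeded the budget}."""
    events = sorted(e for e in map(parse_line, lines) if e and e[2] in TRACKED)
    recent = defaultdict(deque)   # per-IMSI timestamps still inside the window
    flagged = {}
    for ts, imsi, _msg in events:
        q = recent[imsi]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > limit and imsi not in flagged:
            flagged[imsi] = ts            # hand over to throttling/blocking logic
    return flagged

if __name__ == "__main__":
    print(detect_misbehaving_ues(build_sample_log()))
```

The returned timestamp marks the point at which preventive action (throttling or rejecting further requests from that UE) would start.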
OAM based Attacks
R4. Software package integrity and anti-virus [6]
Proper steps need to be followed to mitigate any threats to the MME arising from software package integrity and anti-virus updates:
• Protect software package/patch integrity by using appropriate mechanisms (e.g. hash based check to find tampering, digital signatures to authenticate source, etc.)
• Scan the package/updates using multiple anti-virus scanners and maintain logs of the same.
R5. MME management and maintenance interface [7]
Some steps required to protect the management console are:
• Mutual authentication between the MME and other network entities for communicating over the network.
• All communication between the MME and other network elements will use TLS (Transport Layer Security) for authentication and for communication over an established secure tunnel.
• Use access control mechanisms to limit MME access to selected users and terminals.
R6. User account and password management [8]
The various security requirements identified to secure the MME user account are as follows:
• A consistent security policy for user accounts and password management
• Password management policy (e.g. initial forced password modification, password strength level, password characters permitted, duration for password change, salting of password hashes, etc.)
• Password lock-out policy (maximum number of login attempts, duration till next attempt, timeout, etc.)
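The R6 policy items combined in one account object, as an added example that is not taken from the GISFI report or from any MME vendor: salted PBKDF2 password hashes, a strength check, forced change of the initial password, and lock-out after repeated failures. The class name, thresholds and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12              # assumed password strength level
MAX_FAILED_ATTEMPTS = 3      # assumed maximum number of login attempts
LOCKOUT_SECONDS = 300        # assumed duration till next attempt
PBKDF2_ITERATIONS = 100_000  # assumed work factor

def is_strong(password):
    """Require the minimum length plus lower, upper, digit and symbol classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class Account:
    def __init__(self, name, initial_password):
        self.name = name
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True   # initial forced password modification
        self.failed = 0
        self.locked_until = 0.0

    def set_password(self, new_password):
        if not is_strong(new_password):
            raise ValueError("password does not meet strength policy")
        self.salt, self.digest = hash_password(new_password)  # new salt each time
        self.must_change = False

    def login(self, password, now):
        """Return 'locked', 'denied', 'change_required' or 'ok' (now in seconds)."""
        if now < self.locked_until:
            return "locked"       # refused without even checking the password
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0
            return "denied"
        self.failed = 0
        return "change_required" if self.must_change else "ok"
```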
Annex A: Heading levels in an annex
Annex B: Change history
Change history
Date | TSG # | TSG Doc. | CR | Rev | Subject/Comment | Old | New
2014-28-05 | | | | | Initial Draft | - |