2008 Nokia
Crypto_in_Mobile.ppt / 2008-05-28 / VN
Outline
Some history about:
  Use of crypto in 1G, 2G, 3G mobile communications
  3GPP security specifications
Summary
Figure labels: Core network; Auth (1-way); IPsec
For Release 4, SA3 was kept busy with GERAN security, MAP security (later to be replaced by TCAP security) and various extensions to Rel-99
Figure: SAE/LTE architecture (UE, E-UTRAN, MME, Serving Gateway, PDN Gateway, HSS, PCRF, SGSN, UTRAN, GERAN) with reference points LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S7, S10, S11, S12, Rx+ and SGi
E-UTRAN = Evolved UTRAN (LTE radio network)
EPC = Evolved Packet Core (SAE core network)
EPS = Evolved Packet System (= RAN + EPC)
Implications on security
Flat architecture: user plane security terminates in eNodeB
Many different access technologies: different kinds of networks participate, so trust models become more complex
Extended key hierarchy: weaknesses in one network are not to affect others
Many inter-working cases to be covered
Security functions
Authentication and key agreement
  UMTS AKA re-used for SAE
  SIM access to LTE is explicitly excluded; on the other hand, a Rel-99 USIM is sufficient
Signalling protection
  For core network (NAS) signalling, integrity and confidentiality protection terminate in the MME
  For radio network (RRC) signalling, integrity and confidentiality protection terminate in the eNodeB
Figure: EPS key hierarchy, listing which entities share each key. UE / HSS: top level; UE / ASME: KASME; UE / MME: KNASenc, KNASint, KeNB; UE / eNB: KUPenc, KRRCint, KRRCenc
Figure: EPS key derivation; every KDF output is a 256-bit key
  HSS: Ks with network-ID -> KDF -> KASME (256)
  MME: KASME with NAS COUNT -> KDF -> KeNB (256, passed to the eNB); KASME with NAS-enc-alg, Alg-ID -> KDF -> KNASenc (256); KASME with NAS-int-alg, Alg-ID -> KDF -> KNASint (256)
  eNB: KeNB with Physical cell ID -> KDF -> KeNB* (256); KeNB with C-RNTI -> KDF (256); KeNB -> KDF -> KRRCenc (256), KRRCint (256)
  Trunc: the 256-bit keys KNASenc, KNASint, KRRCenc and KRRCint are each truncated to 128-bit keys
Figure: EPS key derivation including the user-plane key; every KDF output is a 256-bit key
  MME: KASME with NAS COUNT -> KDF -> KeNB (256); KASME with NAS-enc-alg, Alg-ID -> KDF -> KNASenc (256); KASME with NAS-int-alg, Alg-ID -> KDF -> KNASint (256)
  eNB: KeNB with Physical cell ID -> KDF -> KeNB* (256); KeNB -> KDF -> KRRCenc (256), KRRCint (256); KeNB with UP-enc-alg, Alg-ID -> KDF -> KUPenc (256)
  Trunc: the 256-bit keys KNASenc, KNASint, KRRCenc, KRRCint and KUPenc are each truncated to 128-bit keys
Crypto-algorithms
Two sets of algorithms from Day One
  If one breaks, we still have one standing
  Should be as different from each other as possible
  AES and SNOW 3G chosen as basis; ETSI SAGE to specify modes
All keys used for crypto-algorithms are 128 bits, but the possibility to add 256-bit keys later (if needed) is included
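The following Python is an added illustration of the derivation structure in the key-hierarchy figures above and of the "256-bit KDF output, 128-bit algorithm key" point on this slide; it is not code from the slides, from Nokia or from 3GPP. It assumes the KDF box is HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 and takes the FC values and algorithm-type distinguishers from the later TS 33.401 Annex A; the 2008 draft the slides describe may differ in those details, and the sample KASME is constructed.

```python
import hmac
import hashlib

# Algorithm type distinguishers for the five algorithm keys in the figure
# (values from TS 33.401 Annex A.7; assumption: the 2008 draft used the same).
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02,
            "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF box: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    always returning a 256-bit key (the '256' on every KDF output in the figure)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Pi is followed by its 2-byte length Li
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """KeNB = KDF(KASME, NAS COUNT): computed in the MME and handed to the eNB (FC = 0x11)."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))

def derive_alg_key_256(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """256-bit algorithm key = KDF(parent, <alg type>, Alg-ID) (FC = 0x15).
    parent is KASME for the NAS keys and KeNB for the RRC/UP keys, as in the figure."""
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id & 0x0F]))

def trunc128(key256: bytes) -> bytes:
    """Trunc box: the 128-bit key is the 128 least significant bits of the 256-bit key."""
    return key256[16:]

def eps_key_hierarchy(k_asme: bytes, ul_nas_count: int,
                      nas_alg_id: int, as_alg_id: int) -> dict:
    """Walk the figure top-down: KASME -> KeNB, then the five algorithm keys.
    Returns the 256-bit intermediates (suffix _256) and the 128-bit keys the ciphers use."""
    k_enb = derive_kenb(k_asme, ul_nas_count)
    keys = {"KeNB": k_enb}
    parents = {"NAS-enc": (k_asme, nas_alg_id), "NAS-int": (k_asme, nas_alg_id),
               "RRC-enc": (k_enb, as_alg_id), "RRC-int": (k_enb, as_alg_id),
               "UP-enc": (k_enb, as_alg_id)}
    for name, (parent, alg_id) in parents.items():
        k256 = derive_alg_key_256(parent, name, alg_id)
        keys["K" + name.replace("-", "") + "_256"] = k256   # e.g. KNASenc_256
        keys["K" + name.replace("-", "")] = trunc128(k256)  # e.g. KNASenc (128 bits)
    return keys

if __name__ == "__main__":
    # Constructed sample KASME (256 bits); a real KASME results from AKA.
    sample_k_asme = bytes(range(32))
    for name, k in eps_key_hierarchy(sample_k_asme, 7, 1, 1).items():
        print(f"{name:14s} {len(k) * 8:3d} bits  {k.hex()}")
```

Changing the NAS COUNT or an Alg-ID changes every key below that point in the hierarchy, which is the figure's mechanism for keeping a key compromise in one layer from propagating sideways.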
Figure: timeline for introducing a new algorithm: spec work for algo 3 -> algo 3 implemented -> majority of terminal base supports algo 3
IPsec tunnel (with evolved Packet Data Gateway) is used in case the non-3GPP access network is untrusted by the operator of the SAE network
Figure: network elements NEA and NEB connected through an intermediate IP network (Network B shown)
Figure: Generic Authentication Architecture (GAA) in the context of IMS (visited) and the PS domain: UE, BSF, NAF, HSS and other NEs, with the GBA interfaces Ub (UE to BSF), Ua (UE to NAF), Zh (BSF to HSS) and Zn (NAF to BSF); GAA also covers certificates and the Authentication Proxy (AP)
The Bootstrapping Server Function (BSF) and the UE run the AKA protocol, and the agreed session keys are later used between the UE and a Network Application Function (NAF). After the bootstrapping, the UE and NAF can run some application-specific protocol whose security is based on the derived session keys
Figure: MBMS security architecture (with Internet connectivity)
BGW: Bearer Gateway (first hop IP router)
BM-SC: Broadcast/Multicast Service Center
BSF: Bootstrapping Server Function
GBA used for mutual authentication and distribution of shared secret
Three-level key hierarchy for data protection
Specified in TS 33.246
Sister spec TS 33.259 provides key management between a UICC-hosting device and a (remote) terminal
Lawful interception
3GPP specifies required lawful interception mechanisms for all features
  Call/message content and related data are provided from certain network elements to the law enforcement side
Typically assumes that the content appears in clear in the network element
  End-to-end encryption is still possible if keys are provided
Summary
Number of cryptographic solutions still growing in mobile communications
3GPP has provided 6 releases of security specifications
SAE/LTE security
  User plane security terminates in base station site
  Extended key hierarchy
  Covers interworking with non-3GPP networks
  Cryptoalgorithms based on AES and SNOW 3G