3GPP/LTE Security

Session #2: LTE Security Architecture Fundamentals
Klaas Wierenga
Consulting Engineer, Corporate Development

2006 Cisco Systems, Inc. All rights reserved.

CISCO PROPRIETARY

Agenda
Intro

Intro

The LTE System

Radio Side (LTE: Long Term Evolution / Evolved UTRAN, E-UTRAN)
Improvements in spectral efficiency, user throughput, latency
Simplification of the radio network

Network Side (SAE: System Architecture Evolution / Evolved Packet Core, EPC)
Improvement in latency, capacity, throughput, idle to active transitions
Simplification of the core network
Efficient support of packet based services: Multicast, VoIP, etc.
Optimization for IP traffic and services
Simplified support and handover to non-3GPP access technologies

Overview of 3GPP LTE/SAE System

[Figure: UE attached to an eNodeB in the Evolved UTRAN (E-UTRAN); eNodeBs linked to each other over X2, to the MME over S1-MME and to the S-GW over S1-U; S-GW connected to the PDN-GW over S5; MME, HSS, PCRF, S-GW and PDN-GW form the Evolved Packet Core (EPC)]

UE = User Equipment
MME = Mobility Management Entity: termination point in the network for ciphering/integrity protection of NAS signaling; handles security key management and authenticates users
S-GW = Serving Gateway
PDN-GW = PDN Gateway
PCRF = Policy and Charging Rules Function

Evolved Packet Core GW Capabilities

Serving GW functions include:
Local Mobility Anchor point for inter-eNodeB handover (i.e. GTP termination)
PMIP or GTP support towards PDN Gateway
Per flow QoS Policy Enforcement
Lawful Interception
Traffic Accounting

PDN GW functions include:
Policy Enforcement (QoS, charging, mobility)
Per-user based packet filtering
Mobility anchoring for intra- and inter-3GPP mobility (requires GTP and MIP HA)
Charging Support
Lawful Interception

Both can be combined if there is a full mesh between base stations and GWs

[Figure: user-plane path from the base station through the Serving GW to the PDN GW, with an IP tunnel on each leg; the radio leg is shown as OFDMA, MAC, Security and Layer 3]

Evolving Security Architecture

            | Radio Controller                        | Core Network
GSM         | Ciphering                               | Handset Authentication
GPRS        | -                                       | Handset Authentication + Ciphering
3G          | Ciphering + Signalling integrity        | Mutual Authentication
SAE/LTE     | Ciphering + Radio signalling integrity  | Mutual Authentication, Core Signalling integrity, Optional IPSec

SAE/LTE Security
Security implications:
Flat architecture
Interworking with legacy and non-3GPP networks
eNB placement in untrusted locations
Keep security breaches local

Result:
Extended Authentication and Key Agreement
More complex key hierarchy
More complex interworking security
Additional security for (home)eNB

LTE/SAE architecture

ME=MobileEquipment
USIM=UniversalSubscriberIdentityModule
AN=AccessNetwork
HE=HomeEnvironment
SN=ServingNetwork

(I) Network access security: secure access to services, protect against attacks on the (radio) access links
(II) Network domain security: enable nodes to securely exchange signaling data & user data (between AN/SN and within AN), protect against attacks on the wireline network
(III) User domain security: secure access to mobile stations
(IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messages

Non-3GPP Access

(I) Network access security
(II) Network domain security
(III) Non-3GPP domain security
(IV) Application domain security
(V) User domain security

Network access security

User identity (and location) confidentiality
Entity authentication
Confidentiality
Data integrity
Mobile equipment identification

The use of a SIM

Subscription Identification Module
SIM holds the secret key Ki; the home network holds the other copy
Used as identity & security key
IMSI is used as user identity

Benefits
Easy to get authentication from the home network while in a visited network, without the visited network having to handle Ki

Source: ETRI

Network Access Protection

Authentication and key agreement
UMTS AKA re-used for SAE
SIM access to LTE explicitly excluded

Signaling protection
For core network (NAS) signaling, integrity and confidentiality protection terminates in the MME (Mobility Management Entity)
For radio network (RRC) signaling, integrity and confidentiality protection terminates in the eNodeB

User plane protection
Encryption terminates in the eNodeB

Network domain security for network internal interfaces

Authentication and Key Agreement

HSS generates authN data and provides it to the MME
Challenge-response authN and key agreement between MME and UE

Confidentiality and Integrity of Signaling

RRC signaling between UE and E-UTRAN
NAS signaling between UE and MME
S1 interface signaling: (optional) protection, not UE-specific

User Plane Confidentiality

S1-U: (optional) protection, not UE-specific, based on IPsec
Integrity not protected

Key Hierarchy in LTE/SAE

Cryptographic network separation
Authentication vectors specific to serving network

Handovers without MME

Handovers possible directly between eNBs (performance)
If keys are passed unmodified, a compromised eNB compromises the other eNB
A one-way function is applied to the key before passing it on
MME is involved after the HO for further key passing
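The key chaining on this slide and the cryptographic network separation on the preceding Key Hierarchy slide, as an added Python illustration that is not part of the original deck: K_ASME is bound to the serving-network identity, the MME derives KeNB from it, and each X2 handover passes a one-way derivative KeNB* rather than KeNB, so a target eNB that is later compromised holds nothing that leads back to the source eNB's key. The KDF is an HMAC-SHA256 stand-in (the FC-tagged KDF and exact input parameters of TS 33.401 are not reproduced) and the CK/IK values and cell identifiers are constructed.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """One-way derivation step. HMAC-SHA256 stands in for the FC-tagged KDF of TS 33.401."""
    return hmac.new(key, label + b"".join(params), hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, serving_network_id: bytes) -> bytes:
    """Bind the AKA output to one serving network: the same CK/IK yield a different
    K_ASME for every SN id, so a vector issued for one network is useless in another."""
    return kdf(ck + ik, b"KASME", serving_network_id)


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """MME derives the eNB key from K_ASME; K_ASME itself never leaves the core."""
    return kdf(kasme, b"KeNB", nas_uplink_count.to_bytes(4, "big"))


def x2_handover_key(kenb: bytes, target_cell_id: int) -> bytes:
    """Source eNB hands the target KeNB* = KDF(KeNB, target cell), never KeNB itself."""
    return kdf(kenb, b"KeNB*", target_cell_id.to_bytes(4, "big"))


def handover_chain(kenb: bytes, target_cells: list) -> list:
    """Keys held by successive eNBs over a series of X2 handovers without MME involvement."""
    keys = [kenb]
    for cell in target_cells:
        keys.append(x2_handover_key(keys[-1], cell))
    return keys


def demo() -> dict:
    ck, ik = bytes(16), bytes(range(16))        # constructed CK/IK from a (simulated) AKA run
    k_home = derive_kasme(ck, ik, b"SN:home")
    k_visited = derive_kasme(ck, ik, b"SN:visited")
    cells = [101, 202, 303]                     # constructed target cell identifiers
    chain = handover_chain(derive_kenb(k_home, 0), cells)
    # Forward derivation is checkable by anyone holding the previous key; there is no inverse.
    forward_ok = all(chain[i + 1] == x2_handover_key(chain[i], c) for i, c in enumerate(cells))
    return {"sn_separated": k_home != k_visited,
            "keys_distinct_per_hop": len(set(chain)) == len(chain),
            "forward_chain_verified": forward_ok}
```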

Home eNodeB security threats

Compromise HeNB credentials
Physical attack on HeNB
Configuration attack
MitM attacks etc.
DoS attacks etc.
User data and privacy attacks
Radio resources and management attacks

Home eNodeB security measures

Mutual AuthN between HeNB and home network
Secure tunnel for backhaul
Trusted environment inside HeNB
Access Control
OAM security mechanisms
Hosting Party authentication (Hosting Party Module)

Network Domain Security

Enable nodes to securely exchange signaling data & user data between Access Network and Serving Network and within Access Network
Protect against attacks on wireline network

No security in 2G core network
Now security is needed:
IP used for signaling and user traffic
Open and easily accessible protocols
New service providers (content, data service, HLR)
Network elements can be remote (eNB)

Security Domains

Managed by a single administrative authority
Border between security domains protected by a Security Gateway (SEG)

Security Gateway
Handle communication over Za interface (SEG-SEG)
AuthN/integrity mandatory, encryption recommended; IKEv1 or IKEv2 used for negotiating, establishing and maintaining the secure ESP tunnel

Handle communication over (optional) Zb interface (SEG-NE or NE-NE)
Implement ESP tunnel and IKEv1 or IKEv2
ESP with AuthN, integrity, optional encryption

All traffic flows through the SEG before leaving or entering the security domain
Secure storage of long-term keys used for IKEv1 and IKEv2
Hop-by-hop security (chained tunnels or hub-and-spoke)

Security for Network Elements

Services
Data integrity
Data origin authentication
Anti-replay
Confidentiality (optional)

Using IPsec ESP (Encapsulating Security Payload)
Between SEGs: tunnel mode
Key management: IKEv1 or IKEv2
Security associations from an NE only to the SEG or to NEs in its own domain

Trust validation with IPsec

Trust validation for TLS

User domain security

Secure access to mobile stations

Few slides

Application domain security

The set of security features that enable applications in the user and in the provider domain to securely exchange messages.
Secure messaging between the USIM and the network (TS 22.048)

Slides about IMS, SIP

IMS Security
Security/AuthN mechanisms
Mutual AuthN using UMTS AKA
Typically implemented on the UICC (ISIM application)
UMTS AKA integrated into HTTP Digest (RFC 3310)
NASS-IMS bundled AuthN
SIP Digest based AuthN
Access security with TLS

Interworking with legacy network

Few slides about CDMA-3GPP interworking

References
Principles, objectives and requirements
TS 33.120 Security principles and objectives
TS 21.133 Security threats and requirements

Architecture, mechanisms and algorithms
TS 33.102 Security architecture
TS 33.103 Integration guidelines
TS 33.105 Cryptographic algorithm requirements
TS 35.20x Access network algorithm specifications

References

TS 33.210 V8.3.0: Network Domain Security: IP-layer
http://www.3gpp.org/ftp/Specs/archive/33_series/33.210/
TS 33.310 V9.0.0: Network Domain Security: Authentication Framework
http://www.3gpp.org/ftp/Specs/archive/33_series/33.310/
TS 33.401 V9.0.0: SAE security architecture
http://www.3gpp.org/ftp/Specs/archive/33_series/33.401/
TS 33.402 V9.0.0: SAE security aspects of non-3GPP access
http://www.3gpp.org/ftp/Specs/archive/33_series/33.402/
TR 33.820 V8.1.0: Security of H(e)NB
http://www.3gpp.org/ftp/Specs/archive/33_series/33.820/33820-810.zip
3GPP TS 33.102 V8.3.0: Security architecture
http://www.3gpp.org/ftp/Specs/archive/33_series/33.102/33102-830.zip

Credits
Valtteri Niemi (3GPP SA3 chair)

Backup

UMTS Authentication and Key Agreement (AKA)
Procedure to authenticate the user and establish a pair of cipher and integrity keys between VLR/SGSN and USIM

Source: ETRI
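The AKA exchange described on this slide and on the earlier Authentication and Key Agreement slide, as an added Python simulation that is not part of the original deck: the home network builds an authentication vector from the long-term key K, the serving network (MME, or VLR/SGSN in UMTS) only compares RES with XRES and so never handles K, and the USIM rejects a forged AUTN or a replayed sequence number. The MILENAGE functions f1..f5 are replaced by HMAC-SHA256 stand-ins and K is a constructed value, so the outputs do not match a real USIM.

```python
import hashlib
import hmac
import os

# Constructed long-term key K: shared only by the USIM and the home network (AuC/HSS).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def f(tag: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the MILENAGE functions f1..f5: HMAC-SHA256 keyed with K."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


def home_network_vector(key: bytes, sqn: int, rand: bytes = None) -> dict:
    """HSS/AuC side: build one authentication vector (RAND, XRES, CK, IK, AUTN)."""
    rand = rand or os.urandom(16)
    sqn_b, amf = sqn.to_bytes(6, "big"), b"\x80\x00"
    mac = f(b"f1", key, rand, sqn_b, amf)[:8]          # proves the network knows K
    ak = f(b"f5", key, rand)[:6]                        # anonymity key hides SQN
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + amf + mac
    return {"RAND": rand, "XRES": f(b"f2", key, rand)[:8],
            "CK": f(b"f3", key, rand)[:16], "IK": f(b"f4", key, rand)[:16], "AUTN": autn}


def usim_respond(key: bytes, rand: bytes, autn: bytes, highest_sqn: int) -> tuple:
    """USIM side: authenticate the network via AUTN, then return RES, CK, IK, SQN."""
    ak = f(b"f5", key, rand)[:6]
    sqn_b = bytes(a ^ b for a, b in zip(autn[:6], ak))
    amf, mac = autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f(b"f1", key, rand, sqn_b, amf)[:8]):
        raise ValueError("MAC failure: network not authenticated")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= highest_sqn:                              # replay / resynchronisation check
        raise ValueError("synchronisation failure: sequence number not fresh")
    return f(b"f2", key, rand)[:8], f(b"f3", key, rand)[:16], f(b"f4", key, rand)[:16], sqn


def serving_network_check(vector: dict, res: bytes) -> bool:
    """MME (or VLR/SGSN) side: compare RES with XRES. K is never needed here."""
    return hmac.compare_digest(vector["XRES"], res)


def run_aka(key: bytes = K, sqn: int = 1, highest_sqn: int = 0) -> tuple:
    """Full exchange: HSS -> MME (vector), MME -> UE (RAND, AUTN), UE -> MME (RES)."""
    av = home_network_vector(key, sqn)
    res, ck, ik, _ = usim_respond(key, av["RAND"], av["AUTN"], highest_sqn)
    return serving_network_check(av, res), (ck, ik) == (av["CK"], av["IK"])
```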

X2 Routing and Handover

[Figure: X2 handover sequence between Source eNB, Target eNB and SGW: Handover Request and Handover Request Confirm over X2 (legs labelled 10 ms), then Path Switch Request and Path Switch Request Ack to the SGW; about 30 ms interruption time, with about 20 ms of forwarded data arriving as out-of-order packets]

Expect out of order packets around handover


Summary
In this session, we reviewed

See you in 2 weeks for the Final Session!


How does all we discussed relate to the LTE/SAE architecture?

[Figure: LTE/SAE architecture (UE, eNodeB, MME, HSS, PCRF, S-GW, PDN-GW, with interfaces S1-MME, S1-U, X2 and S5/S8) annotated with the protection required on each part]

Authentication Required
Signalling: Integrity Protection Required, Encryption Recommended
S1-MME: Integrity Protection Required
User Plane: Integrity Protection Not Used, Encryption Recommended
S1-U: ?
Security mechanisms highly recommended for inter-network connections such as for roaming (under study?)
