1 / 48

3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals

3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals. Klaas Wierenga Consulting Engineer, Corporate Development. Agenda. Introduction Network access security Network domain security Summary. Intro. Recap session 1.

carney
Download Presentation

3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals Klaas Wierenga Consulting Engineer, Corporate Development

  2. Agenda Introduction Network access security Network domain security Summary

  3. Intro

  4. Recap session 1 • Crypto can be used to provide confidentiality and integrity between 2 entities • 3GPP confidentiality: AES-128-CTR, SNOW 3G • 3GPP integrity: EIA2 (AES-CMAC), EIA1 (SNOW 3G-GMAC) • Key usage needs to be limited • Access • Validity • Context • Key derivation is used to achieve separation • Purpose (integrity, confidentiality) • Identity (network element A, network element B) • Public key certificates issued by a CA to set up trust between entities

  5. Overview of 3GPP LTE/SAE System S1-MME X2 S1-U S5 MME HSS eNodeB PCRF UE eNodeB S-GW PDN-GW Evolved UTRAN(E-UTRAN) Evolved Packet Core (EPC) • UE = User Equipment • MME = Mobility Management Entity • S-GW = Serving Gateway • PDN-GW = PDN Gateway • PCRF = Policy Charging Rule Function

  6. SAE/LTE Security Security implications: Flat architecture (all radio protocols terminate in eNB, eNB ‘speaks’ IP) Interworking with legacy and non-3GPP networks eNB placement in untrusted locations Keep security breaches local Result: Extended Authentication and Key Agreement More complex key hierarchy More complex interworking security Additional security for HeNB

  7. Evolving Security Architecture Handset Authentication GSM Ciphering Handset Authentication + Ciphering GPRS Mutual Authentication 3G Ciphering + Signalling integrity Mutual Authentication SAE/LTE Ciphering + Radio signalling integrity Optional IPSec Core Signalling integrity Radio Controller Core Network

  8. LTE/SAE security architecture (I) Network access security: secure access to services, protect against attacks on (radio) access links (II) Network domain security: enable nodes to securely exchange signaling data & user data (between AN/SN and within AN, protect against attacks wireline network (III) User domain security: secure access to mobile stations (IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messages This session: Network Access and Network Domain security ME = Mobile Equipment USIM = Universal Subscriber Identity Module AN = Access Network HE = Home Environment SN = Serving Network

  9. Network access security

  10. Network access security User identity (and location) confidentiality Entity authentication Confidentiality Data integrity Mobile equipment identification

  11. The use of a SIM Subscription Identification Module SIM holds secret key Ki, Home network holds another Used as Identity & Security key IMSI is used as user identity Benefits Easy to get authentication from home network while in visited network without having to handle Ki Source: ETRI

  12. Authentication and Key Agreement UMTS AKA re-used for SAE HSS generates authN data and provides it to MME Challenge-response authN and key agreement between MME and UE

  13. Confidentiality and Integrity of Signaling RRC signaling between UE and E-UTRAN NAS signaling between UE and MME S1 (and X2) interface signaling (optional) protection not UE-specific For core network (NAS) signaling, integrity and confidentiality protection terminates in MME (Mobile Management Entity) For radio network (RRC) signaling, integrity and confidentiality protection terminates in eNodeB

  14. User Plane Confidentiality Encryption terminates in eNodeB S1-U (optional) protection not UE-specific, based on IPsec Integrity not protected over air interface Overhead with small packets Integrity protected at higher layers (IMS media security)

  15. Summary confidentiality and integrity from the UE perspective

  16. Trust establishment between UE and SN S1-MME X2 S1-U S5 HSS MME MME HSS PCRF eNodeB PCRF PDN-GW S-GW eNodeB S-GW PDN-GW UE S8 K ASME (CK,IK,SN Id) K NASenc, K NASint (K ASME) K eNB (K ASME) K UPenc, K RRCint, K RRCenc (K EnB) • Trust exists between • UE and Home Network • Home Network and Serving Network • Needed: between UE and Serving Network • Derived keys are being ‘passed down’ • e.g. K ASME: HE -> MME, K eNB: MME -> eNB

  17. Key Hierarchy in LTE/SAE Cryptographic network separation Authentication vectors specific to serving network

  18. Key derivation for network nodes

  19. eNB handovers

  20. eNB handovers • Need to compute a new K eNB • With Backward Security (new eNB can not construct old key) and Forward Security (old eNB can not construct new key) • UE and MME derive key NH (Next Hop) that serves as root for new K eNB derivation, NCC (NH Chaining Counter) is a counter that increases after every NH derivation • MME sends {NH, NCC} to eNB • Source eNB sends new key to target eNB and NCC to UE

  21. Target eNB key derivation • Intra eNB • No MME involvement -> no {NH, NCC} pair unless already there • X2 handover • eNB hands over to new eNB and after that sends S1 PATH SWITCH REQUEST to the MME • MME computes fresh {NH, NCC} and sends it to the target eNB (too late for current handover) • S1 handover • MME computes fresh {NH, NCC} and sends it to target eNB

  22. K eNodeB derivation and handovers • Handovers without MME involvement: horizontal • Backward security through one-way function (old eNB, cell-id, freq) • Handovers with MME involvement: vertical • Forward security after handover (rekeying) for X2 • Forward security immediately for S1 • NAS uplink count • to prevent same key being derived every time when switching back and forth between eNB’s

  23. Key derivation for ME

  24. Home eNodeB security threats Compromise HeNB credentials Physical attack HeNB Configuration attack MitM attacks etc. DoS attacks etc. User data and privacy attacks Radio Resources and management attacks

  25. Home eNodeB security measures Mutual AuthN HeNB and home network Secure tunnel for backhaul Trusted environment inside HeNB Access Control OAM security mechanisms Hosting Party authentication (Hosting Party Module)

  26. Network domain security

  27. Network Domain Security Enable nodes to securely exchange signaling data & user data between Access Network and Serving Network, within Access Network and between Security Domains Protect against attacks on wireline network No security in 2G core network Now security is needed: IP used for signaling and user traffic Open and easily accessible protocols New service providers (content, data service, HLR) Network elements can be remote (eNB)

  28. Security Domains Managed by single administrative authority Border between security domains protected by Security Gateway (SEG)

  29. Security Gateway Handle communication over Za interface (SEG-SEG) AuthN/integrity mandatory, encryption recommended using IKEv1 or IKEv2 for negotiating, establishing and maintaining secure ESP tunnel Handle communication over (optional) Zb interface (SEG- NE or NE-NE) Implement ESP tunnel and IKEv1 or IKEv2 ESP with AuthN, integrity, optional encryption Shall implement IKEv1 and IKEv2 All traffic flows through SEG before leaving or entering security domain Secure storage of long-term keys used for IKEv1 and IKEv2 Hop-by-hop security (chained tunnels or hub-and-spoke)

  30. Security for Network Elements Services Data integrity Data origin authentication Anti-replay Confidentiality (optional) Using IPsec ESP (Encapsulation Security Payload) Between SEGs: tunnel mode Between NE’s (X2, S1): optional ESP Key management: IKEv1: confidentiality (3DES-CBC/AES-CBC), integrity (SHA-1) IKEv2: confidentiality (3DES-CBC/AES-CBC), integrity (HMAC-SHA1-96) Security associations from NE only to SEG or NE’s in own domain (so no direct SA between NE’s in different domains, always via SEG)

  31. Trust validation with IPsec

  32. Summary • In this session, we reviewed … See you in 2 weeks for the Final Session!

  33. Possible topics for future sessions • Handovers between technologies • UE-USIM interaction • Home eNodeB security • Application Security • WiFi interworking • …

  34. Questions?

  35. References TS 21.133 Security threats and requirements TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 33.120 Security principles and objectives TS 33.210 Network Domain Security: IP-layer TS 33.310 Network Domain Security: Authentication Framework TS 33.401 SAE security architecture TS 33.402 SAE security aspects of non 3GPP access TR 33.820 Security of H(e)NB TS 35.20x Access network algorithm specifications

  36. Acknowledgement Valterri Niemi (3GPP SA3 chair) for some slides and discussions

  37. 37

  38. Backup

  39. UMTS Authentication and Key Agreement (AKA) Procedure to authenticate the user and establish pair of cipher and integrity between VLR/SGSN and USIM Source: ETRI

  40. X2 Routing and Handover 10ms 10ms Target ENB Source ENB SGW Handover Request Handover Request Confirm 30 ms Interruption Time Path Switch Request Path Switch Req. Ack Out of Order Packets Forwarded Data (20ms) Expect out of order packets around handover

  41. Non-3GPP Access (I) Network access security (II) Network domain security (III) Non-3GPP domain security (IV) Application domain security (V) User domain security ME = Mobile Equipment USIM = Universal Subscriber Identity Module AN = Access Network HE = Home Environment SN = Serving Network

  42. Trust validation for TLS

  43. How does all we discussed relate to LTE/SAE architecture? S1-MME X2 S1-U S5/S8 MME HSS eNodeB PCRF UE eNodeB S-GW PDN-GW User Plane: Integrity Protection Not Used Encryption Recommended S1-MME: Integrity Protection Required Security Mechanisms highly recommended for inter-network connections such as for roaming (under study?) Signalling: Integrity Protection Required Encryption Recommended S1-U: ? Authentication Required

  44. User domain security

  45. User domain security Secure access to mobile stations

  46. Application domain security

  47. Application domain security The set of security features that enable applications in the user and in the provider domain to securely exchange messages. Secure messaging between the USIM and the network (TS 22.048) IMS

  48. IMS Security Security/AuthN mechanisms Mutual AuthN using UMTS AKA Typically implemented on UICC (ISIM application) UMTS AKA integrated into HTTP digest (RFC3310) NASS-IMS bundled AuthN SIP Digest based AuthN Access security with TLS Media security Access medium independent Various proposals, work in progress

More Related