270 likes | 548 Views
Long Term Evolution and its security infrastructure . Fataneh Safavieh Mobile security Seminar,Bit,07.02.2011. Outline. Introduction: some history &background What is LTE? LTE-SAE Security: some highlights Home(e)Node B Security. Introduction: some history & background.
E N D
Long Term Evolutionandits security infrastructure Fataneh Safavieh Mobile security Seminar,Bit,07.02.2011
Outline • Introduction: some history &background • What is LTE? • LTE-SAE Security: some highlights • Home(e)Node B Security
Introduction: some history & background
Mobile Evolution • Improvements in mobile communication technology during the last two decades • The Mobile Broadband is as important as Internt http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf
User Expectations • Highly desire of broadband acces everywhere 1. Home, Office 2. Train, Aeroplane, Canteen, during the Breake • Ubiquity (anywhere, anytime) • Higher voice quality • Higher speed • Lower prices • Multitude of services http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf
3GPP • The 3rd generation partnership project • A global partnership of six SDOs: • Europe ETSI • USA ATIS • China CCSA • Japan ARIB & TTC • Korea TTA LTE The UMTS Long Term Evolution - Sesia, Toufik, Baker
What is LTE? • The latest standard in the mobile network technology tree • A project of 3GPP & mainly built on 3GPP cellular systems´ family • May be referred as E-UTRA & E-UTRAN • Has advanced new radio interface • Circuit switched networksall-IP networks • Broadband connectivity on the move • 100Mbps(DL), 50Mbps(UL), ~10 ms Latency
UMTS and LTE architecture Extract from ”Towards Global Mobile Broadband” A White Paper from the UMTS Forum
LTE key features • High Spectral Efficiency morecustomers, less costs • Co-existence with other standards • Flexible radio planning (cell size of 5km30/100km) • Reduced Latency less RTT, multi-player gaming, audio/video conferencing • Reduced costs for operators (OPEX & CAPEX) • Increased data rates via enhanced air interface (OFDMA,SC-FDMA,MIMO) • All-IP environment SAE or EPC key advantages of SAE
LTE-SAE Security: some highlights
Security in the LTE-SAE Network Security features in the network (from TS 33.401- Fig.4-1)
Security features in the LTE-SAE Network Five security feature groups defined in TS 33.401 • (I): Network access security • provides users with secure access to services • protects against attacks on the access interface • (II):Network domain security • enables nodes to exchange signaling- & user- data securely • protects against attacks on the wire line network • (III): User domain security • Provides secure access to mobile stations • (IV): Application domain security • enables applications in the user & provider domains to exchnage messages securely • (V): Visibility and configurability of security • allows the users to learn whether a security feature is in operation
Authentication & key agreement • HSS generates authentication data and provides it to MME • Challenge-response authentication and key agreement procedure between MME and UE 4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
Confidentiality & integrity of signaling • RRC signaling between UE and E-UTRAN • NAS signaling between UE and MME • S1 interface signaling • protection is not UE-specific • optional to use 4th ETSI Security Workshop - Sophia- Antipolis,13-14 January 2009
User plane confidentiality • S1-U protection is not UE-specific • (Enhanced) network domain security mechanisms (based on IPsec) • Optional to use • Integrity is not protected for various reasons, e.g.: • performance • limited protection for application layer 4th ETSI Security Workshop - Sophia- Antipolis, 13-14 January 2009
Cryptographic network separation Key hierarchy (TS 33.401 - Figure 6.2-1)
Cryptographic network separation • Authentication vectors are specific to the serving network AV’s usable in UTRAN/GERAN cannot be used in EPS • AV’s usable for UTRAN/GERAN access cannot be used for EUTRAN access • Solution by a “separation bit” • Rel-99 USIM is still sufficient for EPS access ME has to check the “separation bit” (when accessing E-UTRAN) 4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
Operator’s core network UE HNB insecure link SeGW System architecture of H(e)NB • E-UTRAN air interface between UE and HeNB • HeNB accesses operator’s core network via a Security Gateway • The backhaul between HeNB and SeGW may be insecure • Operator’s core network performs mutual authentication with HeNB via SeGW • Security tunnel between HeNB and SeGW to protect information transmitted in backhaul link Figure from draft TR 33.820
Common threats to H(e)NB • Physical tampering with H(e)NB • Fraudulent software update / configuration changes • Denial of service attacks against core network • Eavesdropping of the other user’s UTRAN or E-UTRAN user data • User cloning the H(e)NB authentication Token From TR 33.820
Security requirements to H(e)NB • Unprotected data should never leave a secure domain inside H(e)NB • Software updates and configuration changes for the H(e)NB shall be cryptographically signed (by operator or H(e)NB supplier) and verified configuration changes shall be authorized by H(e)NB operator or supplier • Unauthenticated traffic shall be filtered out on the links between the core network and the H(e)NB • New users should be required to explicitly confirm their acceptance before being joined to an H(e)NB • H(e)NB authentication credentials shall be stored inside a secure domain i.e. from which outsider cannot retrieve or clone the credentials From TR 33.820
References and Resources • A Long Term Evolution Downlink inspired channel simulator using the SUI 3Channel Model, Thesis of Sanjay Kumar Sarkar, August 2009 • LTE The UMTS Long Term Evolution- Sesia, Toufik, Baker (WILEY Publication) 2009 • http://www.nsma.org/conf2008/Presentation/2-1045-MiyaharaLTE_Overview_NMSA%2021March08_final.pdf • Towards Global Mobile Broadband” A White Paper from the UMTS Forum, February 2008 • TS 33.401
References and Resources • 4th ETSI Security Workshop- Sophia-Antipolis , 13-14 January 2009 • TR 33.820 • A Survey of Security Threats on 4G Networks, Yongsuk Park and Taejoon Park • Security in the LTE-SAE Network, www.agilent.com/find/lte • www.3gpp.org • www.radio-electronics.com • http://sites.google.com/site/lteencyclopedia
Thank You For Your Attention!