660 likes | 1.02k Views
3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals. Klaas Wierenga Consulting Engineer, Corporate Development. Agenda. Introduction Network access security Network domain security Summary. Intro. Recap session 1.
E N D
3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals Klaas Wierenga Consulting Engineer, Corporate Development
Agenda Introduction Network access security Network domain security Summary
Recap session 1 • Crypto can be used to provide confidentiality and integrity between 2 entities • 3GPP confidentiality: AES-128-CTR, SNOW 3G • 3GPP integrity: EIA2 (AES-CMAC), EIA1 (SNOW 3G-GMAC) • Key usage needs to be limited • Access • Validity • Context • Key derivation is used to achieve separation • Purpose (integrity, confidentiality) • Identity (network element A, network element B) • Public key certificates issued by a CA to set up trust between entities
Overview of 3GPP LTE/SAE System S1-MME X2 S1-U S5 MME HSS eNodeB PCRF UE eNodeB S-GW PDN-GW Evolved UTRAN(E-UTRAN) Evolved Packet Core (EPC) • UE = User Equipment • MME = Mobility Management Entity • S-GW = Serving Gateway • PDN-GW = PDN Gateway • PCRF = Policy Charging Rule Function • HSS = Home Subscriber Server
LTE/SAE Security Security implications: Flat architecture (all radio protocols terminate in eNB, eNB ‘speaks’ IP) Interworking with legacy and non-3GPP networks eNB placement in untrusted locations Keep security breaches local Result: Extended Authentication and Key Agreement More complex key hierarchy More complex interworking security Additional security for HeNB
Evolving Security Architecture Handset Authentication GSM Ciphering Handset Authentication + Ciphering GPRS Mutual Authentication 3G Ciphering + Signalling integrity Mutual Authentication SAE/LTE Ciphering + Radio signalling integrity Optional IPSec Core Signalling integrity Radio Controller Core Network
LTE/SAE security architecture (I) Network access security: secure access to services, protect against attacks on (radio) access links (II) Network domain security: enable nodes to securely exchange signaling data & user data (between HN/SN and within SN, protect against attacks wireline network (III) User domain security: secure access to mobile stations (IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messages This session: Network Access and Network Domain security Source: TS 33.401 ME = Mobile Equipment USIM = Universal Subscriber Identity Module AN = Access Network HE = Home Environment SN = Serving Network
Network access security User identity (and location) confidentiality Entity authentication Confidentiality Data integrity Mobile equipment identification
The use of a SIM Subscription Identification Module SIM holds secret key Ki, Home network holds another Used as Identity & Security key IMSI is used as user identity Benefits Easy to get authentication from home network while in visited network without having to handle Ki Source: ETRI
Authentication and Key Agreement UMTS AKA re-used for SAE (providing UE and HE with CK and IK) HSS generates authentication data and provides it to MME (challenge, response, K ASME) Challenge-response authentication and key agreement between MME and UE
Confidentiality and Integrity of Signaling RRC signaling between UE and E-UTRAN NAS signaling between UE and MME S1 (and X2) interface signaling (optional) protection not UE-specific For core network (NAS) signaling, integrity and confidentiality protection terminates in MME (Mobile Management Entity) For radio network (RRC) signaling, integrity and confidentiality protection terminates in eNodeB
User Plane Confidentiality Encryption terminates in eNodeB S1-U (optional) protection not UE-specific, based on IPsec Integrity not protected over air interface Overhead with small packets Integrity protected at higher layers (e.g. IMS media security)
Summary confidentiality and integrity from the UE perspective
Trust establishment between UE and SN S1-MME X2 S1-U S5 HSS MME MME HSS PCRF eNodeB PCRF PDN-GW S-GW eNodeB S-GW PDN-GW UE S8 K ASME (CK,IK,SN Id) K NASenc, K NASint (K ASME) K eNB (K ASME) K UPenc, K RRCint, K RRCenc (K EnB) • Trust exists between • UE and Home Network • Home Network and Serving Network • Needed: between UE and Serving Network • Derived keys are being ‘passed down’ • e.g. K ASME: HE -> MME, K eNB: MME -> eNB
Key Hierarchy in LTE/SAE Cryptographic network separation Authentication vectors specific to serving network Source: TS 33.401
Key derivation for network nodes Source: TS 33.401
eNB handovers Source: TS 36.300 • Need to compute a new K eNB • With Backward Security (new eNB can not construct old key) and Forward Security (old eNB can not construct new key) • UE and MME derive key NH (Next Hop) that serves as root for new K eNB derivation (i.e. Forward Security), NCC (NH Chaining Counter) is a counter that increases after every NH derivation • MME sends {NH, NCC} to target eNB • Target eNB sends NCC to UE in handover message
Target eNB key derivation • Intra eNB • No MME involvement -> no {NH, NCC} pair available, unless already there, so eNB needs to compute the new key • X2 handover • eNB hands over to new eNB and after that sends S1 PATH SWITCH REQUEST to the MME • MME computes fresh {NH, NCC} and sends it to the target eNB (too late for current handover) • eNB needs to compute new key • S1 handover • MME computes fresh {NH, NCC} and sends it to target eNB
K eNodeB derivation and handovers • Handovers without MME involvement: horizontal • Backward security through one-way function (old eNB, physical cell-id, freq) • Handovers with MME involvement: vertical • Forward security after handover (rekeying) for X2 • Forward security immediately for S1 • NAS uplink count • to prevent same key being derived every time when switching back and forth between MME’s Source: TS 33.401
Key derivation for ME Source: TS 33.401
Home eNodeB security threats & measures SECURITY THREATS Compromise HeNB credentials Physical attack HeNB Configuration attack MitM attacks etc. DoS attacks etc. User data and privacy attacks Radio Resources and management attacks SECURITY MEASURES • Mutual AuthN HeNB and home network • Secure tunnel for backhaul • Trusted environment inside HeNB • Access Control • Operations, Administration & Maintenance security mechanisms • Hosting Party authentication (Hosting Party Module, e.g. TPM)
Network Domain Security Enable nodes to securely exchange signaling data & user data between Access Network and Serving Network, within Access Network and between Security Domains Protect against attacks on wireline network No security in 2G core network Now security is needed: IP used for signaling and user traffic Open and easily accessible protocols New service providers (content, data service, HLR) Network elements can be remote (eNB)
Security Domains Managed by single administrative authority Border between security domains protected by Security Gateway (SEG) Source: TS 33.310
Security Gateway Handle communication over Za interface (SEG-SEG) AuthN/integrity mandatory, encryption recommended using IKEv1 or IKEv2 for negotiating, establishing and maintaining secure ESP tunnel Handle communication over (optional) Zb interface (SEG- NE or NE-NE) Implement ESP tunnel and IKEv1 or IKEv2 ESP with AuthN, integrity, optional encryption Shall implement IKEv1 and IKEv2 All traffic flows through SEG before leaving or entering security domain Secure storage of long-term keys used for IKEv1 and IKEv2 Hop-by-hop security (chained tunnels or hub-and-spoke)
Security for Network Elements Services Data integrity Data origin authentication Anti-replay Confidentiality (optional) Using IPsec ESP (Encapsulation Security Payload) Between SEGs: tunnel mode Between NE’s (X2, S1): optional ESP Key management: IKEv1: confidentiality (3DES-CBC/AES-CBC), integrity (SHA-1) IKEv2: confidentiality (3DES-CBC/AES-CBC), integrity (HMAC-SHA1-96) Security associations from NE only to SEG or NE’s in own domain (so no direct SA between NE’s in different domains, always via SEG)
Trust validation with IPsec Source: TS 33.310
Summary of this session • Reviewed the LTE/SAE security architecture, including confidentiality and integrity in the system • Discussed Network Access Security • Illustrated key hierarchy in LTE, and explained how key derivation is accomplished by the network elements and ME • Provided example of key derivation and exchange during handover • Discussed Network Domain Security and the trust model with IPSec See you in 2 weeks for the Final Session!
Possible topics for final session • Cover any skipped items during this session • In depth discussion on any previously discussed items • Security interworking with other technologies (e.g. untrusted access)? • UE-USIM interaction? • HeNB Security? • Application Security?
References TS 21.133 Security threats and requirements TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 33.120 Security principles and objectives TS 33.210 Network Domain Security: IP-layer TS 33.310 Network Domain Security: Authentication Framework TS 33.401 SAE security architecture TS 33.402 SAE security aspects of non 3GPP access TR 33.820 Security of H(e)NB TS 35.20x Access network algorithm specifications
Acknowledgement Valterri Niemi (3GPP SA3 chair) for some slides and discussions
UMTS Authentication and Key Agreement (AKA) Procedure to authenticate the user and establish pair of cipher and integrity between VLR/SGSN and USIM Source: ETRI
X2 Routing and Handover 10ms 10ms Target ENB Source ENB SGW Handover Request Handover Request Confirm 30 ms Interruption Time Path Switch Request Path Switch Req. Ack Out of Order Packets Forwarded Data (20ms) Expect out of order packets around handover
Non-3GPP Access (I) Network access security (II) Network domain security (III) Non-3GPP domain security (IV) Application domain security (V) User domain security ME = Mobile Equipment USIM = Universal Subscriber Identity Module AN = Access Network HE = Home Environment SN = Serving Network
User domain security Secure access to mobile stations
Application domain security The set of security features that enable applications in the user and in the provider domain to securely exchange messages. Secure messaging between the USIM and the network (TS 22.048) IMS
IMS Security Security/AuthN mechanisms Mutual AuthN using UMTS AKA Typically implemented on UICC (ISIM application) UMTS AKA integrated into HTTP digest (RFC3310) NASS-IMS bundled AuthN SIP Digest based AuthN Access security with TLS Media security Access medium independent Various proposals, work in progress