1 / 22

3GPP SA3 status

ITU-T security workshop Geneva, Switzerland, 9-10 February 2009. 3GPP SA3 status . Valtteri Niemi, SA3 Chairman Nokia Research Center Lausanne, Switzerland. Outline. Some history and background SAE/LTE security: some highlights Home (e)NodeB security Other work items.

zubaida
Download Presentation

3GPP SA3 status

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITU-T security workshop Geneva, Switzerland, 9-10 February 2009 3GPP SA3 status Valtteri Niemi, SA3 Chairman Nokia Research Center Lausanne, Switzerland

  2. Outline • Some history and background • SAE/LTE security: some highlights • Home (e)NodeB security • Other work items

  3. Some history and background

  4. Some history (1/2) • For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g. • TS 33.102 “3G security; Security architecture” • 5 specifications (out of these 19) originated by ETSI SAGE, e.g. TS 35.202 “KASUMI specification” • For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE originated again 5 new specifications, e.g. • TS 35.205-208 for MILENAGE algorithm set • Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.: • TS 33.203 “IMS security” • TS 33.210 “Network domain security: IP layer”

  5. Some history (2/2) • Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.: • TS 33.246 “Security of MBMS” • TS 33.220-222 “Generic Authentication Architecture” • Release 7 (frozen 2007): SA3 added 13 new specifications • ETSI SAGE created 5 specifications for UEA2 & UIA2 (incl. SNOW 3G spec) (TS 35.215-218, TR 35.919) • Release 8 (frozen 2008): SA3 has added 5 new specifications, e.g.: • TS 33.401 “SAE: Security architecture” • TS 33.402 “SAE: Security with non-3GPP accesses” • (1-2 more TR’s maybe still be included in Rel-8)

  6. SAE/LTE security (Rel-8): some highlights

  7. SAE/LTE: What and why? SAE = System Architecture Evolution LTE = Long Term Evolution (of radio networks) • LTE offers higher data rates, up to 100 Mb/sec • SAE offers optimized (flat) IP-based architecture • Technical terms: • E-UTRAN = Evolved UTRAN (LTE radio network) • EPC = Evolved Packet Core (SAE core network) • EPS = Evolved Packet System ( = RAN + EPC )

  8. Implications on security • Flat architecture: • All radio access protocols terminate in one node: eNB • IP protocols also visible in eNB • Security implications due to • Architectural design decisions • Interworking with legacy and non-3GPP networks • Allowing eNB placement in untrusted locations • New business environments with less trusted networks involved • Trying to keep security breaches as local as possible • As a result (when compared to UTRAN/GERAN): • Extended Authentication and Key Agreement • More complex key hierarchy • More complex interworking security • Additional security for eNB (compared to NB/BTS/RNC)

  9. Home (e) Node B security

  10. Operator’s core network UE HeNB insecure link SGW OAM Home (e)NB architecture Figure from draft TR 33.820 One of the key concepts: Closed Subscriber Group

  11. Threats • Compromise of HeNB credentials • e.g. cloning of credentials • Physical attacks on HeNB • e.g. physical tampering • Configuration attacks on HeNB • e.g. fraudulent software updates • Protocol attacks on HeNB • e.g. man-in-the-middle attacks • Attacks against the core network • e.g. Denial of service • Attacks against user data and identity privacy • e.g. by eavesdropping • Attacks against radio resources and management

  12. Other features in past releases of 3GPP

  13. IMS home IMS visited PS domain IMS (SIP) security (Rel-5) authentication & key agreement network domain security security mechanism agreement integrity protection R99 access security

  14. Release 6 highlights

  15. WLAN interworking in 3GPP • WLAN access zone can be connected to cellular core network • Shared subscriber database & charging & authentication (WLAN Direct IP access) • Shared services (WLAN 3GPP IP Access) • Service continuity is the next step

  16. BGW: BearerGateway (first hop IP-router) BM-SC: Broadcast/Multicast Service Center BSF: Bootstrapping Server Function MBMS Security Architecture (node layout) Content Server Mobile Operator Network BM-SC Content Server BSF Internet BGW BM-SC can reside in home or visited network

  17. Generic Authentication Architecture (GAA) • GAA consists of three parts (Rel-6): • TS 33.220 Generic Bootstrapping Architecture (GBA) offers generic authentication capability for various applications based on shared secret. Subscriber authentication in GBA is based on HTTP Digest AKA [RFC 3310]. • TS 33.221 Support of subscriber certificates: PKI Portal issues subscriber certificates for UEs and delivers an operator CA certificates. The issuing procedure is secured by using shared keys from GBA. • TS 33.222 Access to Network Application Function using HTTPS is also based on GBA. Figure from 3GPP TR 33.919

  18. Release 7 & 8 highlights

  19. Release 7 & 8: security enhancements • Key establishment for secure UICC-terminal channel (TS 33.110) • Applies, e.g. for secure UICC-terminal channel specified by ETSI SCP • Built on top of GBA • Key establishment between UICC hosting device and a remote device (TS 33.259) • Liberty-3GPP security interworking • GBA push (TS 33.223, Rel-8) • Applies to several OMA specified features (e.g. BCAST) • Network domain security: Authentication Framework (TS 33.310) enhanced for TLS support • Withdrawal of A5/2 algorithm

  20. Work in progress: Rel-9

  21. Rel-9 work items • SAE/LTE: emergence call security • Media security • End-to-end and end-to-middle protection of media independently of access technology • Protection against unsolicited communications in IMS • Remote management of USIM/ISIM for machine-to-machine communications • Security of Earthquake and Tsunami Warning System

  22. For more information: www.3gpp.org

More Related